What is WebGoat?
WebGoat is an intentionally insecure web application maintained by OWASP, designed to teach web application security lessons. You can install it and practice on it. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one lesson the user must use SQL injection to steal fake credit card numbers. The application aims to provide a realistic teaching environment, giving users hints and code that explain the lesson further.
There are currently over 30 lessons, including those dealing with the following issues:
- Cross-site Scripting (XSS)
- Access Control
- Thread Safety
- Hidden Form Field Manipulation
- Parameter Manipulation
- Weak Session Cookies
- Blind SQL Injection
- Numeric SQL Injection
- String SQL Injection
- Web Services
- Fail Open Authentication
- Dangers of HTML Comments
- … and many more!
How to install?
There are currently three ways to run WebGoat:
- Run using Docker
- Compile from Sources
- Run using Vagrant
Using Docker is probably the easiest, so I’ll show it that way.
What is Docker?
Wikipedia defines Docker as an open-source project that automates the deployment of software applications inside containers, providing an additional layer of abstraction and automation of OS-level virtualization on Linux.
To put it simply, Docker is a tool that lets developers, testers and others deploy their applications in sandboxes (called containers) that run on the host operating system, typically Linux. The key benefit of Docker is that it lets users package an application together with all of its dependencies. Unlike virtual machines, containers do not carry the overhead of a full guest operating system and hence make more efficient use of the underlying system and its resources.
How to start?
Download Docker for Windows from the Docker website.
* Requires Microsoft Windows 10 Professional or Enterprise, 64-bit. For earlier Windows versions, get Docker Toolbox instead.
Install Docker like you would any other Windows application and follow the on-screen instructions. Then open a command shell and type:
docker pull webgoat/webgoat-7.1
After the download succeeds, start a container running WebGoat with:
docker run -d -p 8080:8080 webgoat/webgoat-7.1
The first 8080 is the host port your browser connects to; the part after the colon is the port WebGoat listens on inside the container, which is fixed at 8080 by the image. If 8080 is already in use on your machine, change only the host side, e.g. -p 8081:8080 (not 8081:8081, which would map to a port nothing listens on inside the container). Since WebGoat is deliberately vulnerable, also consider binding it to the loopback interface only, e.g. -p 127.0.0.1:8080:8080, so that it is not reachable from other machines on your network.
Then verify that the container is running (docker ps should list it together with its port mapping).
Finally, open WebGoat by pointing your browser at localhost on the host port you mapped (8080 in the example above).
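The steps above (pull, run, verify, open) as one script, added here as an example and not part of the original post or of the WebGoat project. It runs in any POSIX shell (Git Bash or WSL on Windows, or Linux/macOS); the docker commands are the same ones you would type into a Windows command shell. Assumptions made for the example: the image listens on 8080 inside the container, the application is served under the context path /WebGoat, the container is named "webgoat", and the desired host port is passed as the first argument.

```shell
#!/bin/sh
# Added example, not part of the original post: pull, start and check a
# WebGoat 7.1 container, then wait until it answers over HTTP.
# Assumptions made for this example: the image listens on 8080 inside the
# container, the app is served under the context path /WebGoat, the container
# is named "webgoat", and the host port is passed as the first argument.
set -eu

IMAGE="webgoat/webgoat-7.1"
CONTAINER_PORT=8080          # fixed by the image; never change this side
NAME="webgoat"

# Accept only numeric ports in the unprivileged range 1024-65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Build the docker run command for a given host port. The mapping is
# host:container, so a busy 8080 on the host becomes 8081:8080, not 8081:8081.
# Binding to 127.0.0.1 keeps the deliberately vulnerable app off the LAN.
webgoat_run_cmd() {
    echo "docker run -d --name ${NAME} -p 127.0.0.1:$1:${CONTAINER_PORT} ${IMAGE}"
}

# The URL to open in the browser for a given host port.
webgoat_url() {
    echo "http://127.0.0.1:$1/WebGoat"
}

main() {
    host_port="${1:-}"
    if ! valid_port "$host_port"; then
        echo "usage: $0 HOST_PORT (1024-65535)" >&2
        exit 2
    fi

    docker pull "$IMAGE"
    eval "$(webgoat_run_cmd "$host_port")"

    # Verify the container is up and shows the expected port mapping.
    docker ps --filter "name=${NAME}" --format '{{.Names}} {{.Status}} {{.Ports}}'

    # Poll until the app answers (it takes a while to boot); give up after 60 s.
    url="$(webgoat_url "$host_port")"
    tries=0
    until curl -fsS -o /dev/null "$url"; do
        tries=$((tries + 1))
        if [ "$tries" -ge 30 ]; then
            echo "WebGoat did not come up; check: docker logs ${NAME}" >&2
            exit 1
        fi
        sleep 2
    done
    echo "WebGoat is up at ${url}"
}

# Run only when a port is given, so sourcing the file just defines the helpers.
[ $# -eq 0 ] || main "$@"
```

Usage: save it as start-webgoat.sh and run sh start-webgoat.sh 8081 to use host port 8081 when 8080 is taken. The script binds the container to 127.0.0.1 on purpose: a plain -p 8080:8080 listens on every interface, which publishes an application full of known vulnerabilities to anyone on your network.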
How to use?
After logging in, you are presented with the main screen, which contains all the instructions you need to get started with WebGoat.
I suggest you read it carefully. It will help.
In the left-hand menu, a green tick appears next to a lesson once you have successfully completed it.
Let’s proceed to the General lesson about HTTP Basics.
This lesson’s purpose is to familiarize you with the lesson conventions. Read the lesson description and then click “Show plan” to see how to complete the exercise.
You can also use an intercepting proxy such as OWASP Zed Attack Proxy (ZAP) here to inspect and modify the requests your browser sends to WebGoat.
As soon as the lesson goal is achieved, the message “Congratulations. You have successfully completed this lesson.” appears under the hint buttons.
After completing this lesson, you still have at least 70 exercises to clear. The challenge is waiting for you at the end: your mission is to break the authentication scheme, steal all the credit cards from the database, and then deface the website. You will have to use many of the techniques you have learned in the other lessons.