OWASP WebGoat
Learn the hack - Stop the attack
WebGoat is a deliberately insecure application that allows interested developers just like you to test vulnerabilities commonly found in Java-based applications that use common and popular open source components.
Description
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment.
Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission. The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.
WARNING 1: While running this program your machine will be extremely vulnerable to attack. You should disconnect from the Internet while using this program. WebGoat’s default configuration binds to localhost to minimize the exposure.
WARNING 2: This program is for educational purposes only. If you attempt these techniques without authorization, you are very likely to get caught. If you are caught engaging in unauthorized hacking, most companies will fire you. Claiming that you were doing security research will not work as that is the first thing that all hackers claim.
Goals
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment.
Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission. The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.
Learn in three steps
Explain the vulnerability
Teaching is now a first class citizen of WebGoat, we explain the vulnerability. Instead of ‘just hacking’ we now focus on explaining from the beginning what for example a SQL injection is.
Learn by doing
During the explanation of a vulnerability we build assignments which will help you understand how it works.
Explain mitigation
At the end of each lesson you will receive an overview of possible mitigations which will help you during your development work.
Lessons
WebGoat 8 contains lesson for almost all OWASP Top 10 vulnerabilities and more…
Future lessons
The following lessons are on our wish list:
- Lesson about cryptography (in progress)
- Lesson about path traversal (in progress)
- Session management
- More password reset lessons
- etc
See our Github page for more information.
Getting started
1. Run using Docker
The easiest way to start WebGoat as a Docker container is to use the all-in-one Docker container. This is a Docker image that has WebGoat and WebWolf running inside.
docker run -p 8080:8080 -p 9090:9090 -p 80:8888 -e TZ=Europe/Amsterdam webgoat/goatandwolf:latest
and browse to http://localhost:8080/WebGoat.
2. Standalone
Download the latest WebGoat and WebWolf release from https://github.com/WebGoat/WebGoat/releases
java -jar webgoat-server-8.1.0.jar [--server.port=8080] [--server.address=localhost]
java -jar webwolf-8.1.0.jar [--server.port=9090] [--server.address=localhost]
and browse to http://localhost:8080/WebGoat
The latest version of WebGoat needs Java 15 or above. By default, WebGoat uses port 8080, the database uses 9000 and WebWolf use port 9090 with the environment variable WEBGOAT_PORT, WEBWOLF_PORT and WEBGOAT_HSQLPORT you can set different values.
export WEBGOAT_PORT=18080
export WEBGOAT_HSQLPORT=19001
export WEBWOLF_PORT=19090
java -jar webgoat-server-8.1.0.jar
java -jar webwolf-8.1.0.jar
Use set instead of export on Windows cmd.
WebWolf the small helper
WebWolf is a separate web application which simulates an attackers machine. It makes it possible for us to make a clear distinction between what takes place on the attacked website and the actions you need to do as an “attacker”. WebWolf was introduced after a couple of workshops where we received feedback that there was no clear distinction between what was part of the “attackers” role and what was part of the “users” role on the website. The following items are supported in WebWolf:
Host a file
Upload a file needed to be downloaded during an assignment
E-mail client
WebWolf serves a mail client with which we can easily simulate sending an e-mail.
Landing page for incoming requests
WebWolf can serve as a landing page to which you can make a call from inside an assignment, giving you as the attacker
information about the complete request. Think of it as a very simple form of netcat.
Running
1. Docker
If you started the Docker image, WebWolf is already running. Please point your browser to: http://localhost:9090/WebWolf
2. Standalone
If you want to use the standalone version, you will need to download the jar file and start it:
java -jar webwolf-<<version>>.jar [--server.port=9090] [--server.address=localhost]
By default, WebWolf starts on port 9090 with --server.port you can specify a different port. With server.address you
can bind it to a different address (default localhost)