OWASP WebGoat

Learn the hack - Stop the attack

WebGoat is a deliberately insecure application that allows interested developers just like you to test vulnerabilities commonly found in Java-based applications that use common and popular open source components.

Description

Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment.

Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission. The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.

WARNING 1: While running this program your machine will be extremely vulnerable to attack. You should disconnect from the Internet while using this program. WebGoat’s default configuration binds to localhost to minimize the exposure.

WARNING 2: This program is for educational purposes only. If you attempt these techniques without authorization, you are very likely to get caught. If you are caught engaging in unauthorized hacking, most companies will fire you. Claiming that you were doing security research will not work as that is the first thing that all hackers claim.


Learn in three steps

Explain the vulnerability

Teaching is now a first-class citizen of WebGoat: we explain the vulnerability. Instead of ‘just hacking’, we now focus on explaining from the beginning what, for example, a SQL injection is.

Learn by doing

While explaining a vulnerability we build assignments that help you understand how it works.

Explain mitigation

At the end of each lesson you will receive an overview of possible mitigations which will help you during your development work.


Lessons

WebGoat 8 contains lessons for almost all OWASP Top 10 vulnerabilities and more…

Future lessons

The following lessons are on our wish list:

  • Lesson about cryptography (in progress)
  • Lesson about path traversal (in progress)
  • Session management
  • More password reset lessons
  • etc

See our GitHub page for more information.


Getting started

1. Run using Docker

The easiest way to start WebGoat as a Docker container is to use the all-in-one Docker container. This is a Docker image that has WebGoat and WebWolf running inside.

docker run -p 8080:8080 -p 9090:9090 -p 80:8888 -e TZ=Europe/Amsterdam webgoat/goatandwolf:latest

and browse to http://localhost:8080/WebGoat.

2. Standalone

Download the latest WebGoat and WebWolf release from https://github.com/WebGoat/WebGoat/releases

java -jar webgoat-server-8.1.0.jar [--server.port=8080] [--server.address=localhost]
java -jar webwolf-8.1.0.jar [--server.port=9090] [--server.address=localhost]

and browse to http://localhost:8080/WebGoat

The latest version of WebGoat needs Java 15 or above. By default, WebGoat uses port 8080, the database uses port 9000 and WebWolf uses port 9090. With the environment variables WEBGOAT_PORT, WEBWOLF_PORT and WEBGOAT_HSQLPORT you can set different values:

export WEBGOAT_PORT=18080
export WEBGOAT_HSQLPORT=19001
export WEBWOLF_PORT=19090
java -jar webgoat-server-8.1.0.jar
java -jar webwolf-8.1.0.jar

Use set instead of export on Windows cmd.
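The docker command above publishes its ports with a bare -p 8080:8080, which Docker binds on every host interface, not only on localhost as the standalone jars do by default. The following wrapper is an added example (not part of the WebGoat project): it publishes the container ports on the loopback address only and then checks "ss -ltn" output for any listener on the WebGoat/WebWolf ports that is reachable from other hosts. The WEBGOAT_PORT and WEBWOLF_PORT variables are the ones the text names; the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not WebGoat project code: start the all-in-one container with
# its ports on loopback only, then verify nothing is listening on a non-loopback
# address for those ports (mitigates the exposure described in WARNING 1).
set -eu

WEBGOAT_PORT="${WEBGOAT_PORT:-8080}"
WEBWOLF_PORT="${WEBWOLF_PORT:-9090}"

# Build the port-publishing arguments. Prefixing the host side with 127.0.0.1
# keeps the published ports on the loopback interface instead of 0.0.0.0.
docker_port_args() {
  printf -- '-p 127.0.0.1:%s:8080 -p 127.0.0.1:%s:9090 -p 127.0.0.1:80:8888' \
    "$WEBGOAT_PORT" "$WEBWOLF_PORT"
}

# Read "ss -ltn"-style lines on stdin; print each listener on one of the given
# ports whose local address is not loopback. Exit status 1 if any was found.
exposed_listeners() {
  # $@ = ports to check, e.g. 8080 9090 80
  awk -v ports="$*" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 == "LISTEN" {
      addr = $4                                 # e.g. 0.0.0.0:8080 or [::]:9090
      port = addr; sub(/.*:/, "", port)         # text after the last colon
      host = addr; sub(/:[0-9]+$/, "", host)    # text before the last colon
      if ((port in want) && host != "127.0.0.1" && host != "[::1]") {
        print addr; found = 1
      }
    }
    END { if (found) exit 1 }'
}

# Only when invoked as "./start-webgoat.sh run": start the container, wait for
# it to come up, then audit the listening sockets on the host.
if [ "${1:-}" = "run" ]; then
  # shellcheck disable=SC2046  # word splitting of the port args is intended
  docker run $(docker_port_args) -e TZ=Europe/Amsterdam webgoat/goatandwolf:latest &
  sleep 5
  if ss -ltn | exposed_listeners "$WEBGOAT_PORT" "$WEBWOLF_PORT" 80; then
    echo "ok: WebGoat/WebWolf ports are bound to loopback only"
  else
    echo "WARNING: a WebGoat/WebWolf port is listening on a non-loopback address"
  fi
fi
```

The audit half works on any host: pipe "ss -ltn" into exposed_listeners with the ports you use to confirm the standalone jars are also still on localhost after changing --server.address.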



WebWolf the small helper

WebWolf is a separate web application which simulates an attacker's machine. It makes it possible for us to make a clear distinction between what takes place on the attacked website and the actions you need to perform as the “attacker”. WebWolf was introduced after a couple of workshops where we received feedback that there was no clear distinction between what was part of the “attacker's” role and what was part of the “user's” role on the website. The following items are supported in WebWolf:

Host a file

Upload a file that needs to be downloaded during an assignment.

E-mail client

WebWolf serves a mail client with which we can easily simulate sending an e-mail.

Landing page for incoming requests

WebWolf can serve as a landing page to which you can make a call from inside an assignment, giving you as the attacker information about the complete request. Think of it as a very simple form of netcat.

Running

1. Docker

If you started the Docker image, WebWolf is already running. Please point your browser to: http://localhost:9090/WebWolf

2. Standalone

If you want to use the standalone version, you will need to download the jar file and start it:

java -jar webwolf-<<version>>.jar [--server.port=9090] [--server.address=localhost]

By default, WebWolf starts on port 9090; with --server.port you can specify a different port. With --server.address you can bind it to a different address (default localhost).