OWASP WebGoat

WebGoat Loge

GitHub release

Learn the hack - Stop the attack

WebGoat is a deliberately insecure application that allows interested developers just like you to test vulnerabilities commonly found in Java-based applications that use common and popular open source components.

Description

Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment.

Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission. The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.

WARNING 1: While running this program your machine will be extremely vulnerable to attack. You should disconnect from the Internet while using this program. WebGoat’s default configuration binds to localhost to minimize the exposure.

WARNING 2: This program is for educational purposes only. If you attempt these techniques without authorization, you are very likely to get caught. If you are caught engaging in unauthorized hacking, most companies will fire you. Claiming that you were doing security research will not work as that is the first thing that all hackers claim.


Goals

Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment.

Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission. The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.

Learn in three steps

Explain the vulnerability

Teaching is now a first class citizen of WebGoat, we explain explain the vulnerability. Instead of ‘just hacking’ we now focus on explaining from the beginning what for example a SQL injection is.

Learn by doing

During the explanation of a vulnerability we build assignments which will help you understand how it works.

Explain mitigation

At the end of each lesson you will receive an overview of possible mitigations which will help you during your development work.


Lessons

WebGoat 8 contains lesson for almost all OWASP Top 10 vulnerabilities and more…

Future lessons

The following lessons are on our wish list:

  • Lesson about cryptography (in progress)
  • Lesson about path traversal (in progress)
  • Session management
  • More password reset lessons
  • etc

See our Github page for more information.


Getting started

1. Standalone

Download the latest WebGoat release from https://github.com/WebGoat/WebGoat/releases

java -jar webgoat-server-8.0.0.VERSION.jar [--server.port=8080] [--server.address=localhost]

The latest version of WebGoat needs Java 11. By default WebGoat starts on port 8080 with --server.port you can specify a different port. With server.address you can bind it to a different address (default localhost)

2. Run using Docker

Every release is also published on DockerHub.

docker pull webgoat/webgoat-8.0
docker run -p 8080:8080 -t webgoat/webgoat-8.0

3. Using docker-compose

The easiest way to start WebGoat as a Docker container is to use the docker-compose.yml file from our Github repository. This will start both containers and it also takes care of setting up the connection between WebGoat and WebWolf.

curl https://raw.githubusercontent.com/WebGoat/WebGoat/develop/docker-compose.yml | docker-compose -f - up

Important: the current directory on your host will be mapped into the container for keeping state.

Using the docker-compose file will simplify getting WebGoat and WebWolf up and running.



WebWolf the small helper

WebWolf is a separate web application which simulates an attackers machine. It makes it possible for us to make a clear distinction between what takes place on the attacked website and the actions you need to do as an “attacker”. WebWolf was introduced after a couple of workshops where we received feedback that there was no clear distinction between what was part of the “attackers” role and what was part of the “users” role on the website. The following items are supported in WebWolf:

Host a file

Upload a file needed to be downloaded during an assignment

E-mail client

WebWolf serves a mail client with which we can easily simulate sending an e-mail.

Landing page for incoming requests

WebWolf can serve as a landing page to which you can make a call from inside an assignment, giving you as the attacker information about the complete request. Think of it as a very simple form of netcat.

Running

WebWolf runs as a separate web application. If you are using the Docker-compose file you can just point your browser http://localhost:9090/WebWolf to open WebWolf. It will

1. Standalone

If you want to use the standalone version, you will need to download the jar file and start it:

java -jar webwolf-<<version>>.jar [--server.port=9090] [--server.address=localhost]

By default WebWolf starts on port 9090 with --server.port you can specify a different port. With server.address you can bind it to a different address (default localhost)

2. Run using Docker

Shell docker pull webgoat/webwolf docker run -p 9090:9090 -t webgoat/webwolf

Note: if you start WebGoat as standalone application you need to start WebWolf as standalone application as well.