https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=BmayhewOWASP - User contributions [en]2026-04-26T09:23:31ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Category:OWASP_WebGoat_Project&diff=208184Category:OWASP WebGoat Project2016-02-05T12:44:54Z<p>Bmayhew: /* Description */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP WebGoat Project==<br />
<br />
[https://github.com/WebGoat/WebGoat/releases WebGoat 7.0] is done. The 6.0 release updated the UI and some infrastructure. WebGoat 7 is the latest in a series of infrastructure improvements to move WebGoat into the modern era. With the new plugin architecture and separation of the server framework from the lessons, lessons now require just a few lines of code. Lessons can now be produced without having to understand the entirety of the WebGoat server.<br />
<br />
This release contains both the WebGoat container and 50+ lessons created by the WebGoat team.. Thank you to all the volunteers!! <br />
<br />
<br />
===Help Needed:===<br />
<br />
* We have an immediate need for Lesson Solutions and Lesson Translations. There may be a little work involved with creating new strings for the translations but it is fairly easy work.<br />
<br />
* We also need UI developers with experience in any/all parts of the Web stack. Please send an email to Bruce Mayhew webgoat@owasp.org and/or jason.white@owasp.org if you are interested in helping.<br />
<br />
* We'd love to update our content. If you've run across a particularly interesting exploit in the field, create a lesson for it and contribute to the community. Instructions for creating a lesson are under the General menu in WebGoat.<br />
<br />
==Introduction==<br />
<br />
'''WebGoat''' is a deliberately insecure web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. You can install and practice with WebGoat. There are other 'goats' such as [http://owasp.org/index.php/WebGoatFor.Net WebGoat for .Net]. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application aims to provide a realistic teaching environment, providing users with hints and code to further explain the lesson.<br />
<br />
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!<br />
<br />
'''To get started:<br />
* For the Latest WebGoat (7.0, in development), go here: https://github.com/WebGoat/WebGoat<br />
<br />
==Description==<br />
<br />
WebGoat for J2EE is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:<br />
{|<br />
|valign="top"|<br />
* [[Cross-site Scripting (XSS)]]<br />
* Access Control<br />
* [[Race conditions|Thread Safety]]<br />
* [[Unvalidated_Input|Hidden Form Field Manipulation]]<br />
* Parameter Manipulation<br />
* [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]<br />
* Blind [[SQL injection|SQL Injection]]<br />
|valign="top"| <br />
* Numeric SQL Injection<br />
* String SQL Injection<br />
* [[Web Services]]<br />
* [[Improper_Error_Handling|Fail Open Authentication]]<br />
* Dangers of HTML Comments<br />
* ... and many more!<br />
|}<br />
<br />
==Licensing==<br />
OWASP WebGoat Project is free to use. It is licensed under the GNU General Public License version 2.0 (GPLv2)<br />
<br />
==Project Sponsors==<br />
The WebGoat project is sponsored by <br />
{{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is WebGoat? ==<br />
<br />
OWASP WebGoat Project provides:<br />
<br />
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.<br />
The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.<br />
<br />
<br />
== Project Leaders ==<br />
<br />
[mailto:webgoat@owasp.org Bruce Mayhew]<br/><br />
[mailto:nanneb@gmail.com Nanne Baars]<br/><br />
[mailto:jason.white@owasp.org Jason White]<br />
<br />
== Related Projects ==<br />
<br />
<br />
<br />
== Quick Download ==<br />
<br />
*Latest Release @ [https://github.com/WebGoat/WebGoat/releasest WebGoat]<br />
<br />
*Source Code @ [https://github.com/WebGoat WebGoat on Github]<br />
<br />
*Latest Info @ [https://github.com/WebGoat/WebGoat/wiki WebGoat Project Wiki]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp-webgoat Sign Up]<br />
<br />
== News and Events ==<br />
*WebGoat 7 please February 1, 2016 <br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
'''Q:''' Are you aware that lesson X does not work? <br />
<br />
'''A:''' We may be. Head over to https://github.com/WebGoat/WebGoat-Lessons and log an issue if there is a specific, you have encountered on a lesson. Give us as much information as you can.<br />
<br />
<br />
'''Q:''' When will WebGoat 7 be 'released'?<br />
<br />
'''A:''' As soon as we can get a critical mass of lessons we feel are necessary. Current target is late January to Early Feb. 2016<br />
<br />
<br />
The rest are questions we hope people ask, but maybe haven't really yet ...<br />
<br />
<br />
'''Q:''' Do you need help?<br />
<br />
'''A:''' Of course we would always love help, especially with testing and feedback. Experienced Java, UI and Design folk are welcome as well. Security professionals willing to develop content are also welcome, of course.<br />
<br />
<br />
'''Q:''' How do I get involved?<br />
<br />
'''A:''' Fork the repo. (https://help.github.com/articles/fork-a-repo/) you want to work on and stay in sync with the mainstream development in master (https://help.github.com/articles/syncing-a-fork/)<br />
<br />
<br />
'''Q:''' What's the difference between the repo at https://github.com/WebGoat/WebGoat and the repo at https://github.com/WebGoat/WebGoat<br />
<br />
'''A:''' As of WebGoat 7, the architecture is more modular and lessons can be loaded dynamically. The first repo is for the 'container' or main 'framework' for containing lessons. The WebGoat-Lessons repo. is for lesson development<br />
<br />
<br />
'''Q:''' How do I author a lesson for WebGoat?<br />
<br />
'''A:''' We are working on that. For WebGoat 8, we plan to make that much simpler (read, no more ECS!). We still hope/plan to provide a stripped down lesson template for 7.x<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''. WebGoat distributions are currently maintained on [https://github.com/WebGoat GitHub]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list].<br />
<br />
= Road Map and Getting Involved =<br />
<br />
== Road Map / Goals ==<br />
The project's overall goal is to...<br />
<br />
Be the defacto standard web application security training environment<br />
<br />
In the near term, we are focused on the following tactical goals...<br />
<br />
# Add educational support for secure coding practices<br />
# Enhance enterprise lesson tracking<br />
# Attract more contributions of lessons<br />
# Translate all lessons to other languages<br />
# Increase ease-of-use and expand user base<br />
<br />
Here are the current tasks defined to help us achieve these goals<br />
<br />
'''Architectural'''<br />
* Create a service layer (done)<br />
* Creater plugin architecture and port all lessons to plugins (done)<br />
* Remove dependencies on Tomcat (done)<br />
* Rewrite user administration to allow better user management (non-hackable)<br />
* Fix Logoff (done)<br />
* Defuse all lessons to disallow inadvertent harm to user's OS <br />
<br />
'''General'''<br />
* General security cleanup. Remove exploits that are not lesson specific<br />
* Remove non working lessons<br />
<br />
'''New Lessons'''<br />
* Server side forward allows access to WEB-INF resources<br />
* XML attacks - Entity recursion, ...<br />
<br />
== Getting Involved ==<br />
For more information contact one of the project leads. Involvement in the development and promotion of WebGoat is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
<br />
If you'd like to contribute coding-wise ...<br />
# Get on the WebGoat mailing list (http://lists.owasp.org/mailman/listinfo/owasp-webgoat)<br />
# Fork one of the repo's on github:<br />
## https://github.com/WebGoat/WebGoat << this is the WebGoat 'container'. Instructions on getting up and running are here as well.<br />
## https://github.com/WebGoat/WebGoat-Lessons << this is the Lesson repository<br />
# Keep you repo in sync (https://help.github.com/articles/syncing-a-fork/)<br />
# Issue pull requests as you fix bugs, add features etc.<br />
<br />
'''Testers are always welcome/needed'''. Again, log issues and features requests at https://github.com/WebGoat/WebGoat. If you are a college or university and would like to use WebGoat for classes, we'd especially love to hear your feedback and what content/lessons you would like to see added to the project.<br />
<br />
'''Adding content/lesssons''' We are working to make adding your own content easier and to integrate with other OWASP projects/content. We'd love to hear from you to move this forward.<br />
<br />
=Project About=<br />
{{:Projects/OWASP_WebGoat_Project_Page}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]][[Category:SAMM-EG-1]]</div>Bmayhewhttps://wiki.owasp.org/index.php?title=Category:OWASP_WebGoat_Project&diff=208180Category:OWASP WebGoat Project2016-02-05T12:30:17Z<p>Bmayhew: </p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP WebGoat Project==<br />
<br />
[https://github.com/WebGoat/WebGoat/releases WebGoat 7.0] is done. The 6.0 release updated the UI and some infrastructure. WebGoat 7 is the latest in a series of infrastructure improvements to move WebGoat into the modern era. With the new plugin architecture and separation of the server framework from the lessons, lessons now require just a few lines of code. Lessons can now be produced without having to understand the entirety of the WebGoat server.<br />
<br />
This release contains both the WebGoat container and 50+ lessons created by the WebGoat team.. Thank you to all the volunteers!! <br />
<br />
<br />
===Help Needed:===<br />
<br />
* We have an immediate need for Lesson Solutions and Lesson Translations. There may be a little work involved with creating new strings for the translations but it is fairly easy work.<br />
<br />
* We also need UI developers with experience in any/all parts of the Web stack. Please send an email to Bruce Mayhew webgoat@owasp.org and/or jason.white@owasp.org if you are interested in helping.<br />
<br />
* We'd love to update our content. If you've run across a particularly interesting exploit in the field, create a lesson for it and contribute to the community. Instructions for creating a lesson are under the General menu in WebGoat.<br />
<br />
==Introduction==<br />
<br />
'''WebGoat''' is a deliberately insecure web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. You can install and practice with WebGoat. There are other 'goats' such as [http://owasp.org/index.php/WebGoatFor.Net WebGoat for .Net]. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application aims to provide a realistic teaching environment, providing users with hints and code to further explain the lesson.<br />
<br />
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!<br />
<br />
'''To get started:<br />
* For the Latest WebGoat (7.0, in development), go here: https://github.com/WebGoat/WebGoat<br />
<br />
==Description==<br />
<br />
WebGoat for J2EE is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:<br />
{|<br />
|valign="top"|<br />
* [[Cross-site Scripting (XSS)]]<br />
* Access Control<br />
* [[Race conditions|Thread Safety]]<br />
* [[Unvalidated_Input|Hidden Form Field Manipulation]]<br />
* Parameter Manipulation<br />
* [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]<br />
* Blind [[SQL injection|SQL Injection]]<br />
|valign="top"| <br />
* Numeric SQL Injection<br />
* String SQL Injection<br />
* [[Web Services]]<br />
* [[Improper_Error_Handling|Fail Open Authentication]]<br />
* Dangers of HTML Comments<br />
* ... and many more!<br />
|}<br />
<br />
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]].<br />
<br />
<br />
==Licensing==<br />
OWASP WebGoat Project is free to use. It is licensed under the GNU General Public License version 2.0 (GPLv2)<br />
<br />
==Project Sponsors==<br />
The WebGoat project is sponsored by <br />
{{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is WebGoat? ==<br />
<br />
OWASP WebGoat Project provides:<br />
<br />
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.<br />
The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.<br />
<br />
<br />
== Project Leaders ==<br />
<br />
[mailto:webgoat@owasp.org Bruce Mayhew]<br/><br />
[mailto:nanneb@gmail.com Nanne Baars]<br/><br />
[mailto:jason.white@owasp.org Jason White]<br />
<br />
== Related Projects ==<br />
<br />
<br />
<br />
== Quick Download ==<br />
<br />
*Latest Release @ [https://github.com/WebGoat/WebGoat/releasest WebGoat]<br />
<br />
*Source Code @ [https://github.com/WebGoat WebGoat on Github]<br />
<br />
*Latest Info @ [https://github.com/WebGoat/WebGoat/wiki WebGoat Project Wiki]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp-webgoat Sign Up]<br />
<br />
== News and Events ==<br />
*WebGoat 7 please February 1, 2016 <br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
'''Q:''' Are you aware that lesson X does not work? <br />
<br />
'''A:''' We may be. Head over to https://github.com/WebGoat/WebGoat-Lessons and log an issue if there is a specific, you have encountered on a lesson. Give us as much information as you can.<br />
<br />
<br />
'''Q:''' When will WebGoat 7 be 'released'?<br />
<br />
'''A:''' As soon as we can get a critical mass of lessons we feel are necessary. Current target is late January to Early Feb. 2016<br />
<br />
<br />
The rest are questions we hope people ask, but maybe haven't really yet ...<br />
<br />
<br />
'''Q:''' Do you need help?<br />
<br />
'''A:''' Of course we would always love help, especially with testing and feedback. Experienced Java, UI and Design folk are welcome as well. Security professionals willing to develop content are also welcome, of course.<br />
<br />
<br />
'''Q:''' How do I get involved?<br />
<br />
'''A:''' Fork the repo. (https://help.github.com/articles/fork-a-repo/) you want to work on and stay in sync with the mainstream development in master (https://help.github.com/articles/syncing-a-fork/)<br />
<br />
<br />
'''Q:''' What's the difference between the repo at https://github.com/WebGoat/WebGoat and the repo at https://github.com/WebGoat/WebGoat<br />
<br />
'''A:''' As of WebGoat 7, the architecture is more modular and lessons can be loaded dynamically. The first repo is for the 'container' or main 'framework' for containing lessons. The WebGoat-Lessons repo. is for lesson development<br />
<br />
<br />
'''Q:''' How do I author a lesson for WebGoat?<br />
<br />
'''A:''' We are working on that. For WebGoat 8, we plan to make that much simpler (read, no more ECS!). We still hope/plan to provide a stripped down lesson template for 7.x<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''. WebGoat distributions are currently maintained on [https://github.com/WebGoat GitHub]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list].<br />
<br />
= Road Map and Getting Involved =<br />
<br />
== Road Map / Goals ==<br />
The project's overall goal is to...<br />
<br />
Be the defacto standard web application security training environment<br />
<br />
In the near term, we are focused on the following tactical goals...<br />
<br />
# Add educational support for secure coding practices<br />
# Enhance enterprise lesson tracking<br />
# Attract more contributions of lessons<br />
# Translate all lessons to other languages<br />
# Increase ease-of-use and expand user base<br />
<br />
Here are the current tasks defined to help us achieve these goals<br />
<br />
'''Architectural'''<br />
* Create a service layer (done)<br />
* Creater plugin architecture and port all lessons to plugins (done)<br />
* Remove dependencies on Tomcat (done)<br />
* Rewrite user administration to allow better user management (non-hackable)<br />
* Fix Logoff (done)<br />
* Defuse all lessons to disallow inadvertent harm to user's OS <br />
<br />
'''General'''<br />
* General security cleanup. Remove exploits that are not lesson specific<br />
* Remove non working lessons<br />
<br />
'''New Lessons'''<br />
* Server side forward allows access to WEB-INF resources<br />
* XML attacks - Entity recursion, ...<br />
<br />
== Getting Involved ==<br />
For more information contact one of the project leads. Involvement in the development and promotion of WebGoat is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
<br />
If you'd like to contribute coding-wise ...<br />
# Get on the WebGoat mailing list (http://lists.owasp.org/mailman/listinfo/owasp-webgoat)<br />
# Fork one of the repo's on github:<br />
## https://github.com/WebGoat/WebGoat << this is the WebGoat 'container'. Instructions on getting up and running are here as well.<br />
## https://github.com/WebGoat/WebGoat-Lessons << this is the Lesson repository<br />
# Keep you repo in sync (https://help.github.com/articles/syncing-a-fork/)<br />
# Issue pull requests as you fix bugs, add features etc.<br />
<br />
'''Testers are always welcome/needed'''. Again, log issues and features requests at https://github.com/WebGoat/WebGoat. If you are a college or university and would like to use WebGoat for classes, we'd especially love to hear your feedback and what content/lessons you would like to see added to the project.<br />
<br />
'''Adding content/lesssons''' We are working to make adding your own content easier and to integrate with other OWASP projects/content. We'd love to hear from you to move this forward.<br />
<br />
=Project About=<br />
{{:Projects/OWASP_WebGoat_Project_Page}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]][[Category:SAMM-EG-1]]</div>Bmayhewhttps://wiki.owasp.org/index.php?title=Category:OWASP_WebGoat_Project&diff=199346Category:OWASP WebGoat Project2015-08-21T12:57:19Z<p>Bmayhew: /* Road Map and Getting Involved */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP WebGoat Project==<br />
<br />
[http://webgoat.github.io WebGoat 7.0] is almost done. The 6.0 release updated the UI and some infrastructure. The 7.0 release separates the WebGoat Lessons from the WebGoat framework. Lessons are now plugins that can be worked on without the code overhead of the WebGoat framework. This change with more UI improvements was a significant achievement. Thank you to all the volunteers!! <br />
<br />
<br />
===Help Needed:===<br />
<br />
* We have an immediate need for Lesson Testing. We are using GitHub issue tracking, so jump in and give some of the lessons a try. We accept bugs, productive comments, and enhancement requests.<br />
<br />
* The new plugin architecture isolates the content to be translated to each lesson. We could use some help with translating content and identifying quick wins for framework text that needs to be added to the translation properties. Send email to the WebGoat mailing list if you wish to help out here.<br />
<br />
* We also need UI developers with javascript (Backbone/Underscore/JQuery and/or Single Page Application ... preferred, not required) experience as well as someone with design experience. Please send an email to Bruce Mayhew webgoat@owasp.org and/or jason.white@owasp.org if you are interested in helping.<br />
<br />
* We need some new lessons. If you've run across a particularly interesting exploit in the field, create a lesson for it and contribute to the community. Instructions for creating a lesson are under the General menu in WebGoat.<br />
<br />
==Introduction==<br />
<br />
'''WebGoat''' is a deliberately insecure web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. You can install and practice with WebGoat in either J2EE (this page) or [http://owasp.org/index.php/WebGoatFor.Net WebGoat for .Net] in ASP.NET. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.<br />
<br />
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!<br />
<br />
'''To get started:<br />
* WebGoat 5.X: read the [[WebGoat User and Install Guide Table of Contents|WebGoat User and Install Guide]]<br />
* WebGoat Latest: download and documentation are on [http://webgoat.github.io GitHub]''' or visit the WebGoat Wiki on Github<br />
<br />
==Description==<br />
<br />
WebGoat for J2EE is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:<br />
{|<br />
|valign="top"|<br />
* [[Cross-site Scripting (XSS)]]<br />
* Access Control<br />
* [[Race conditions|Thread Safety]]<br />
* [[Unvalidated_Input|Hidden Form Field Manipulation]]<br />
* Parameter Manipulation<br />
* [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]<br />
* Blind [[SQL injection|SQL Injection]]<br />
|valign="top"| <br />
* Numeric SQL Injection<br />
* String SQL Injection<br />
* [[Web Services]]<br />
* [[Improper_Error_Handling|Fail Open Authentication]]<br />
* Dangers of HTML Comments<br />
* ... and many more!<br />
|}<br />
<br />
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]].<br />
<br />
<br />
==Licensing==<br />
OWASP WebGoat Project is free to use. It is licensed under the GNU General Public License version 2.0 (GPLv2)<br />
<br />
==Project Sponsors==<br />
The WebGoat project is sponsored by <br />
{{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is WebGoat? ==<br />
<br />
OWASP WebGoat Project provides:<br />
<br />
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.<br />
The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.<br />
<br />
<br />
== Presentation ==<br />
Aung Khant (YGN Ethical Hacker Group) has created a series of movies showing possible solutions to the WebGoat lessons. These training movies can be viewed at <br />
<br />
http://yehg.net/lab/pr0js/training/webgoat.php<br />
<br />
Feel free to contact him for any help with WebGoat.<br />
<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#General General] <br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Code_Quality Code Quality]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Concurrency Concurrency ]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Unvalidated_Parameters Unvalidated Parameters]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Access_Control_Flaws Access Control Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Authentication_Flaws Authentication Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Session_Management_Flaws Session Management Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Cross-Site_Scripting_(XSS) Cross-Site Scripting (XSS)]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Buffer_Overflows Buffer Overflows]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Injection_Flaws Injection Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Insecure_Storage Insecure Storage]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Denial_of_Service_(DOS) Denial of Service (DOS)]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Insecure_Configuration_Insecure Configuration]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Web_Services Web Services]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#AJAX_Security AJAX Security]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Challenge Challenge]<br />
<br />
== Project Leader ==<br />
<br />
[mailto:webgoat@owasp.org Bruce Mayhew]<br />
<br />
<br />
== Related Projects ==<br />
<br />
<br />
<br />
== Ohloh ==<br />
<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
*Latest Release @ [https://github.com/WebGoat/WebGoat-Legacy/releases/latest WebGoat-Legacy]<br />
<br />
*Source Code @ [https://github.com/WebGoat/WebGoat-Legacy WebGoat-Legacy on Github]<br />
<br />
*Latest Info @ [http://webgoat.github.io/ WebGoat Project Home]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp-webgoat Sign Up]<br />
<br />
== News and Events ==<br />
*WebGoat 6.1 to be released fall 2015<br />
<br />
== In Print ==<br />
*[http://www.lulu.com/shop/owasp/owasp-webgoat-and-webscarab/paperback/product-1889624.html Download or purchase on Lulu].<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
[[File:WebGoat-Phishing-XSS-Lesson.JPG|500px]] [[File:WebGoat-Bypass-Access-Control-Lesson.JPG|500px]]<br />
<br />
[[File:WebGoat-Session-Hijack-Lesson.JPG|500px]]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''. WebGoat distributions are currently maintained on [https://github.com/WebGoat GitHub]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list].<br />
<br />
= Road Map and Getting Involved =<br />
The project's overall goal is to...<br />
<br />
Be the defacto standard web application security training environment<br />
<br />
In the near term, we are focused on the following tactical goals...<br />
<br />
# Test all the lessons in WebGoat 7 <br />
# Add educational support for secure coding practices<br />
# Enhance enterprise lesson tracking<br />
# Attract more contributions of lessons<br />
# Translate all lessons to other languages<br />
# Increase ease-of-use and expand user base<br />
<br />
Here are the current tasks defined to help us achieve these goals<br />
<br />
'''Architectural'''<br />
* Create a service layer (done)<br />
* Creater plugin architecture and port all lessons to plugins (done)<br />
* Remove dependencies on Tomcat (done)<br />
* Rewrite user administration to allow better user management (non-hackable)<br />
* Fix Logoff (done)<br />
* Defuse all lessons to disallow inadvertent harm to user's OS <br />
<br />
'''General'''<br />
* General security cleanup. Remove exploits that are not lesson specific<br />
* Remove non working lessons<br />
*<br />
<br />
'''New Lessons'''<br />
* Server side forward allows access to WEB-INF resources<br />
* XML attacks - Entity recursion, ...<br />
<br />
For more information contact Bruce Mayhew at webgoat at owasp dot org<br />
<br />
<br />
Involvement in the development and promotion of WebGoat is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
<br />
=Previous Releases and Future Development=<br />
==Previous Releases==<br />
You can download WebGoat version 5.2 and older from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.<br />
<br />
===WebGoat 5.2 Standard===<br />
This release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server.<br />
* Double-click on webgoat.bat - a Tomcat command window starts<br />
* Browse to http://localhost/WebGoat/attack<br />
<br />
===WebGoat 5.2 Developer===<br />
<br />
'''Note:''' This release is intended to provide an environment for working on the WebGoat labs. If you would like to develop lessons, synch to the baseline at Google code.<br />
<br />
The developer release includes the standard release with the addition of a configured eclipse environment. The developer release is also a download, unzip, and click-to-run release. It works exactly the same as the standard release if you only wish to explore the lessons. However, if you want to perform the labs or use WebGoat in the classroom, use the eclipse.bat to start up a preconfigured WebGoat environment. Detailed instructions are include at the top of the _HOW TO create the WebGoat workspace.txt_ file.<br />
* Extract the Eclipse-Workspace.zip file to the working directory<br />
* Double-click the eclipse.bat file<br />
* In the Eclipse package explorer (top right), right click the WebGoat project and refresh<br />
* In the Eclipse package explorer (top right), right click the Servers project and refresh<br />
* In the Eclipse servers view (bottom), right click LocalHost server and start<br />
* Browse to http://localhost/WebGoat/attack<br />
* Any changes made to the source will automatically compile and redeploy when saved<br />
<br />
Please send all comments to Bruce Mayhew at '''webgoat AT owasp.org''' regarding this release.<br />
<br />
==Future Development==<br />
WebGoat has been fairly stable for a few years. The latest stable release as of Oct 7, 2013 is 5.4, and the development for 6.0 is underway at [http://code.google.com/p/webgoat/ | the WebGoat Google repo]. There are some issues on the WebGoat issues page that require fixing, any help there would be appreciated.<br />
<br />
Going forward WebGoat should take advantage of the training material provided at OWASP and incorporate that material into the lesson plans. WebGoat has been useful in educating security folks in the type of attacks and how they could be exploited. WebGoat should start focusing on educating the security staff and developers on potential mitigation strategies. I would also like to see an expansion of the report card feature and the enterprise architecture used for tracking the lessons completed. WebGoat could be used in organizations as a introduction to secure coding practices.<br />
<br />
Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.<br />
<br />
<br />
=Project About=<br />
{{:Projects/OWASP_WebGoat_Project_Page}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]][[Category:SAMM-EG-1]]</div>Bmayhewhttps://wiki.owasp.org/index.php?title=Category:OWASP_WebGoat_Project&diff=199344Category:OWASP WebGoat Project2015-08-21T12:52:42Z<p>Bmayhew: /* Acknowledgements */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP WebGoat Project==<br />
<br />
[http://webgoat.github.io WebGoat 7.0] is almost done. The 6.0 release updated the UI and some infrastructure. The 7.0 release separates the WebGoat Lessons from the WebGoat framework. Lessons are now plugins that can be worked on without the code overhead of the WebGoat framework. This change with more UI improvements was a significant achievement. Thank you to all the volunteers!! <br />
<br />
<br />
===Help Needed:===<br />
<br />
* We have an immediate need for Lesson Testing. We are using GitHub issue tracking, so jump in and give some of the lessons a try. We accept bugs, productive comments, and enhancement requests.<br />
<br />
* The new plugin architecture isolates the content to be translated to each lesson. We could use some help with translating content and identifying quick wins for framework text that needs to be added to the translation properties. Send email to the WebGoat mailing list if you wish to help out here.<br />
<br />
* We also need UI developers with javascript (Backbone/Underscore/JQuery and/or Single Page Application ... preferred, not required) experience as well as someone with design experience. Please send an email to Bruce Mayhew webgoat@owasp.org and/or jason.white@owasp.org if you are interested in helping.<br />
<br />
* We need some new lessons. If you've run across a particularly interesting exploit in the field, create a lesson for it and contribute to the community. Instructions for creating a lesson are under the General menu in WebGoat.<br />
<br />
==Introduction==<br />
<br />
'''WebGoat''' is a deliberately insecure web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. You can install and practice with WebGoat in either J2EE (this page) or [http://owasp.org/index.php/WebGoatFor.Net WebGoat for .Net] in ASP.NET. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.<br />
<br />
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!<br />
<br />
'''To get started:<br />
* WebGoat 5.X: read the [[WebGoat User and Install Guide Table of Contents|WebGoat User and Install Guide]]<br />
* WebGoat Latest: download and documentation are on [http://webgoat.github.io GitHub]''' or visit the WebGoat Wiki on Github<br />
<br />
==Description==<br />
<br />
WebGoat for J2EE is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:<br />
{|<br />
|valign="top"|<br />
* [[Cross-site Scripting (XSS)]]<br />
* Access Control<br />
* [[Race conditions|Thread Safety]]<br />
* [[Unvalidated_Input|Hidden Form Field Manipulation]]<br />
* Parameter Manipulation<br />
* [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]<br />
* Blind [[SQL injection|SQL Injection]]<br />
|valign="top"| <br />
* Numeric SQL Injection<br />
* String SQL Injection<br />
* [[Web Services]]<br />
* [[Improper_Error_Handling|Fail Open Authentication]]<br />
* Dangers of HTML Comments<br />
* ... and many more!<br />
|}<br />
<br />
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]].<br />
<br />
<br />
==Licensing==<br />
OWASP WebGoat Project is free to use. It is licensed under the GNU General Public License version 2.0 (GPLv2)<br />
<br />
==Project Sponsors==<br />
The WebGoat project is sponsored by <br />
{{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is WebGoat? ==<br />
<br />
OWASP WebGoat Project provides:<br />
<br />
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.<br />
The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.<br />
<br />
<br />
== Presentation ==<br />
Aung Khant (YGN Ethical Hacker Group) has created a series of movies showing possible solutions to the WebGoat lessons. These training movies can be viewed at <br />
<br />
http://yehg.net/lab/pr0js/training/webgoat.php<br />
<br />
Feel free to contact him for any help with WebGoat.<br />
<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#General General] <br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Code_Quality Code Quality]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Concurrency Concurrency ]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Unvalidated_Parameters Unvalidated Parameters]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Access_Control_Flaws Access Control Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Authentication_Flaws Authentication Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Session_Management_Flaws Session Management Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Cross-Site_Scripting_(XSS) Cross-Site Scripting (XSS)]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Buffer_Overflows Buffer Overflows]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Injection_Flaws Injection Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Insecure_Storage Insecure Storage]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Denial_of_Service_(DOS) Denial of Service (DOS)]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Insecure_Configuration_Insecure Configuration]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Web_Services Web Services]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#AJAX_Security AJAX Security]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Challenge Challenge]<br />
<br />
== Project Leader ==<br />
<br />
[mailto:webgoat@owasp.org Bruce Mayhew]<br />
<br />
<br />
== Related Projects ==<br />
<br />
<br />
<br />
== Ohloh ==<br />
<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
*Latest Release @ [https://github.com/WebGoat/WebGoat-Legacy/releases/latest WebGoat-Legacy]<br />
<br />
*Source Code @ [https://github.com/WebGoat/WebGoat-Legacy WebGoat-Legacy on Github]<br />
<br />
*Latest Info @ [http://webgoat.github.io/ WebGoat Project Home]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp-webgoat Sign Up]<br />
<br />
== News and Events ==<br />
*WebGoat 6.1 to be released fall 2015<br />
<br />
== In Print ==<br />
*[http://www.lulu.com/shop/owasp/owasp-webgoat-and-webscarab/paperback/product-1889624.html Download or purchase on Lulu].<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
[[File:WebGoat-Phishing-XSS-Lesson.JPG|500px]] [[File:WebGoat-Bypass-Access-Control-Lesson.JPG|500px]]<br />
<br />
[[File:WebGoat-Session-Hijack-Lesson.JPG|500px]]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''. WebGoat distributions are currently maintained on [https://github.com/WebGoat GitHub]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list].<br />
<br />
= Road Map and Getting Involved =<br />
The project's overall goal is to...<br />
<br />
Be the defacto standard web application security training environment<br />
<br />
In the near term, we are focused on the following tactical goals...<br />
<br />
# Demonstrate most common web application security vulnerabilities<br />
# Add educational support for secure coding practices<br />
# Enhance enterprise lesson tracking<br />
# Attract more contributions of lessons<br />
# Revisit existing lesson base to standardize lesson theme.<br />
# Increase ease-of-use and expand user base<br />
<br />
Here are the current tasks defined to help us achieve these goals<br />
<br />
'''Architectural'''<br />
* Replace basic authentication with forms based authentication<br />
* Rewrite all lessons to follow common theme using common database<br />
* Rewrite user administration to allow better user management (non-hackable)<br />
* Fix Logoff<br />
* Defuse all lessons to disallow inadvertent harm to user's OS <br />
<br />
'''General'''<br />
* General security cleanup. Remove exploits that are not lesson specific<br />
* Remove non working lessons<br />
*<br />
<br />
'''New Lessons'''<br />
* Server side forward allows access to WEB-INF resources<br />
* Account enumeration using webscarab<br />
* SQLException lesson - could tie into overall error handling<br />
* XML attacks - Entity recursion, ...<br />
<br />
For more information contact Bruce Mayhew at webgoat at owasp dot org<br />
<br />
<br />
Involvement in the development and promotion of WebGoat is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
<br />
=Previous Releases and Future Development=<br />
==Previous Releases==<br />
You can download WebGoat version 5.2 and older from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.<br />
<br />
===WebGoat 5.2 Standard===<br />
This release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server.<br />
* Double-click on webgoat.bat - a Tomcat command window starts<br />
* Browse to http://localhost/WebGoat/attack<br />
<br />
===WebGoat 5.2 Developer===<br />
<br />
'''Note:''' This release is intended to provide an environment for working on the WebGoat labs. If you would like to develop lessons, synch to the baseline at Google code.<br />
<br />
The developer release includes the standard release with the addition of a configured eclipse environment. The developer release is also a download, unzip, and click-to-run release. It works exactly the same as the standard release if you only wish to explore the lessons. However, if you want to perform the labs or use WebGoat in the classroom, use the eclipse.bat to start up a preconfigured WebGoat environment. Detailed instructions are include at the top of the _HOW TO create the WebGoat workspace.txt_ file.<br />
* Extract the Eclipse-Workspace.zip file to the working directory<br />
* Double-click the eclipse.bat file<br />
* In the Eclipse package explorer (top right), right click the WebGoat project and refresh<br />
* In the Eclipse package explorer (top right), right click the Servers project and refresh<br />
* In the Eclipse servers view (bottom), right click LocalHost server and start<br />
* Browse to http://localhost/WebGoat/attack<br />
* Any changes made to the source will automatically compile and redeploy when saved<br />
<br />
Please send all comments to Bruce Mayhew at '''webgoat AT owasp.org''' regarding this release.<br />
<br />
==Future Development==<br />
WebGoat has been fairly stable for a few years. The latest stable release as of Oct 7, 2013 is 5.4, and the development for 6.0 is underway at [http://code.google.com/p/webgoat/ | the WebGoat Google repo]. There are some issues on the WebGoat issues page that require fixing, any help there would be appreciated.<br />
<br />
Going forward WebGoat should take advantage of the training material provided at OWASP and incorporate that material into the lesson plans. WebGoat has been useful in educating security folks in the type of attacks and how they could be exploited. WebGoat should start focusing on educating the security staff and developers on potential mitigation strategies. I would also like to see an expansion of the report card feature and the enterprise architecture used for tracking the lessons completed. WebGoat could be used in organizations as a introduction to secure coding practices.<br />
<br />
Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.<br />
<br />
<br />
=Project About=<br />
{{:Projects/OWASP_WebGoat_Project_Page}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]][[Category:SAMM-EG-1]]</div>Bmayhewhttps://wiki.owasp.org/index.php?title=Category:OWASP_WebGoat_Project&diff=199320Category:OWASP WebGoat Project2015-08-21T03:21:34Z<p>Bmayhew: </p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP WebGoat Project==<br />
<br />
[http://webgoat.github.io WebGoat 7.0] is almost done. The 6.0 release updated the UI and some infrastructure. The 7.0 release separates the WebGoat Lessons from the WebGoat framework. Lessons are now plugins that can be worked on without the code overhead of the WebGoat framework. This change with more UI improvements was a significant achievement. Thank you to all the volunteers!! <br />
<br />
<br />
===Help Needed:===<br />
<br />
* We have an immediate need for Lesson Testing. We are using GitHub issue tracking, so jump in and give some of the lessons a try. We accept bugs, productive comments, and enhancement requests.<br />
<br />
* The new plugin architecture isolates the content to be translated to each lesson. We could use some help with translating content and identifying quick wins for framework text that needs to be added to the translation properties. Send email to the WebGoat mailing list if you wish to help out here.<br />
<br />
* We also need UI developers with javascript (Backbone/Underscore/JQuery and/or Single Page Application ... preferred, not required) experience as well as someone with design experience. Please send an email to Bruce Mayhew webgoat@owasp.org and/or jason.white@owasp.org if you are interested in helping.<br />
<br />
* We need some new lessons. If you've run across a particularly interesting exploit in the field, create a lesson for it and contribute to the community. Instructions for creating a lesson are under the General menu in WebGoat.<br />
<br />
==Introduction==<br />
<br />
'''WebGoat''' is a deliberately insecure web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. You can install and practice with WebGoat in either J2EE (this page) or [http://owasp.org/index.php/WebGoatFor.Net WebGoat for .Net] in ASP.NET. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.<br />
<br />
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!<br />
<br />
'''To get started:<br />
* WebGoat 5.X: read the [[WebGoat User and Install Guide Table of Contents|WebGoat User and Install Guide]]<br />
* WebGoat Latest: download and documentation are on [http://webgoat.github.io GitHub]''' or visit the WebGoat Wiki on Github<br />
<br />
==Description==<br />
<br />
WebGoat for J2EE is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:<br />
{|<br />
|valign="top"|<br />
* [[Cross-site Scripting (XSS)]]<br />
* Access Control<br />
* [[Race conditions|Thread Safety]]<br />
* [[Unvalidated_Input|Hidden Form Field Manipulation]]<br />
* Parameter Manipulation<br />
* [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]<br />
* Blind [[SQL injection|SQL Injection]]<br />
|valign="top"| <br />
* Numeric SQL Injection<br />
* String SQL Injection<br />
* [[Web Services]]<br />
* [[Improper_Error_Handling|Fail Open Authentication]]<br />
* Dangers of HTML Comments<br />
* ... and many more!<br />
|}<br />
<br />
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]].<br />
<br />
<br />
==Licensing==<br />
OWASP WebGoat Project is free to use. It is licensed under the GNU General Public License version 2.0 (GPLv2)<br />
<br />
==Project Sponsors==<br />
The WebGoat project is sponsored by <br />
{{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is WebGoat? ==<br />
<br />
OWASP WebGoat Project provides:<br />
<br />
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.<br />
The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.<br />
<br />
<br />
== Presentation ==<br />
Aung Khant (YGN Ethical Hacker Group) has created a series of movies showing possible solutions to the WebGoat lessons. These training movies can be viewed at <br />
<br />
http://yehg.net/lab/pr0js/training/webgoat.php<br />
<br />
Feel free to contact him for any help with WebGoat.<br />
<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#General General] <br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Code_Quality Code Quality]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Concurrency Concurrency ]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Unvalidated_Parameters Unvalidated Parameters]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Access_Control_Flaws Access Control Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Authentication_Flaws Authentication Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Session_Management_Flaws Session Management Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Cross-Site_Scripting_(XSS) Cross-Site Scripting (XSS)]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Buffer_Overflows Buffer Overflows]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Injection_Flaws Injection Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Insecure_Storage Insecure Storage]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Denial_of_Service_(DOS) Denial of Service (DOS)]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Insecure_Configuration_Insecure Configuration]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Web_Services Web Services]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#AJAX_Security AJAX Security]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Challenge Challenge]<br />
<br />
== Project Leader ==<br />
<br />
[mailto:webgoat@owasp.org Bruce Mayhew]<br />
<br />
<br />
== Related Projects ==<br />
<br />
<br />
<br />
== Ohloh ==<br />
<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
*Latest Release @ [https://github.com/WebGoat/WebGoat-Legacy/releases/latest WebGoat-Legacy]<br />
<br />
*Source Code @ [https://github.com/WebGoat/WebGoat-Legacy WebGoat-Legacy on Github]<br />
<br />
*Latest Info @ [http://webgoat.github.io/ WebGoat Project Home]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp-webgoat Sign Up]<br />
<br />
== News and Events ==<br />
*WebGoat 6.1 to be released fall 2015<br />
<br />
== In Print ==<br />
*[http://www.lulu.com/shop/owasp/owasp-webgoat-and-webscarab/paperback/product-1889624.html Download or purchase on Lulu].<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
[[File:WebGoat-Phishing-XSS-Lesson.JPG|500px]] [[File:WebGoat-Bypass-Access-Control-Lesson.JPG|500px]]<br />
<br />
[[File:WebGoat-Session-Hijack-Lesson.JPG|500px]]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''. WebGoat distributions are currently maintained on [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 SourceForge] and [http://code.google.com/p/webgoat/downloads/list Google]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list].<br />
<br />
Thanks to [http://www.ouncelabs.com Ounce Labs] for allowing me time to work on and run the WebGoat project during my day job!<br />
<br />
= Road Map and Getting Involved =<br />
The project's overall goal is to...<br />
<br />
Be the defacto standard web application security training environment<br />
<br />
In the near term, we are focused on the following tactical goals...<br />
<br />
# Demonstrate most common web application security vulnerabilities<br />
# Add educational support for secure coding practices<br />
# Enhance enterprise lesson tracking<br />
# Attract more contributions of lessons<br />
# Revisit existing lesson base to standardize lesson theme.<br />
# Increase ease-of-use and expand user base<br />
<br />
Here are the current tasks defined to help us achieve these goals<br />
<br />
'''Architectural'''<br />
* Replace basic authentication with forms based authentication<br />
* Rewrite all lessons to follow common theme using common database<br />
* Rewrite user administration to allow better user management (non-hackable)<br />
* Fix Logoff<br />
* Defuse all lessons to disallow inadvertent harm to user's OS <br />
<br />
'''General'''<br />
* General security cleanup. Remove exploits that are not lesson specific<br />
* Remove non working lessons<br />
*<br />
<br />
'''New Lessons'''<br />
* Server side forward allows access to WEB-INF resources<br />
* Account enumeration using webscarab<br />
* SQLException lesson - could tie into overall error handling<br />
* XML attacks - Entity recursion, ...<br />
<br />
For more information contact Bruce Mayhew at webgoat at owasp dot org<br />
<br />
<br />
Involvement in the development and promotion of WebGoat is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
<br />
=Previous Releases and Future Development=<br />
==Previous Releases==<br />
You can download WebGoat version 5.2 and older from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.<br />
<br />
===WebGoat 5.2 Standard===<br />
This release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server.<br />
* Double-click on webgoat.bat - a Tomcat command window starts<br />
* Browse to http://localhost/WebGoat/attack<br />
<br />
===WebGoat 5.2 Developer===<br />
<br />
'''Note:''' This release is intended to provide an environment for working on the WebGoat labs. If you would like to develop lessons, synch to the baseline at Google code.<br />
<br />
The developer release includes the standard release with the addition of a configured eclipse environment. The developer release is also a download, unzip, and click-to-run release. It works exactly the same as the standard release if you only wish to explore the lessons. However, if you want to perform the labs or use WebGoat in the classroom, use the eclipse.bat to start up a preconfigured WebGoat environment. Detailed instructions are include at the top of the _HOW TO create the WebGoat workspace.txt_ file.<br />
* Extract the Eclipse-Workspace.zip file to the working directory<br />
* Double-click the eclipse.bat file<br />
* In the Eclipse package explorer (top right), right click the WebGoat project and refresh<br />
* In the Eclipse package explorer (top right), right click the Servers project and refresh<br />
* In the Eclipse servers view (bottom), right click LocalHost server and start<br />
* Browse to http://localhost/WebGoat/attack<br />
* Any changes made to the source will automatically compile and redeploy when saved<br />
<br />
Please send all comments to Bruce Mayhew at '''webgoat AT owasp.org''' regarding this release.<br />
<br />
==Future Development==<br />
WebGoat has been fairly stable for a few years. The latest stable release as of Oct 7, 2013 is 5.4, and the development for 6.0 is underway at [http://code.google.com/p/webgoat/ | the WebGoat Google repo]. There are some issues on the WebGoat issues page that require fixing, any help there would be appreciated.<br />
<br />
Going forward WebGoat should take advantage of the training material provided at OWASP and incorporate that material into the lesson plans. WebGoat has been useful in educating security folks in the type of attacks and how they could be exploited. WebGoat should start focusing on educating the security staff and developers on potential mitigation strategies. I would also like to see an expansion of the report card feature and the enterprise architecture used for tracking the lessons completed. WebGoat could be used in organizations as a introduction to secure coding practices.<br />
<br />
Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.<br />
<br />
<br />
=Project About=<br />
{{:Projects/OWASP_WebGoat_Project_Page}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]][[Category:SAMM-EG-1]]</div>Bmayhewhttps://wiki.owasp.org/index.php?title=Category:OWASP_WebGoat_Project&diff=197853Category:OWASP WebGoat Project2015-07-23T20:39:32Z<p>Bmayhew: /* OWASP WebGoat Project */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP WebGoat Project==<br />
<br />
[http://webgoat.github.io WebGoat 6.1] is under way. The 6.0 release updated the UI and some infrastructure. The 6.1 release separates the WebGoat Lessons from the WebGoat framework. Lessons are now plugins that can be worked on without the code overhead of the WebGoat framework <br />
<br />
<br />
===Help Needed:===<br />
<br />
We have an immediate need for a UI developer with javascript (Backbone/Underscore/JQuery and/or Single Page Application ... preferred, not required) experience as well as someone with design experience. Please send an email to Bruce Mayhew webgoat@owasp.org and/or jason.white@owasp.org if you are interested in helping.<br />
<br />
==Introduction==<br />
<br />
'''WebGoat''' is a deliberately insecure web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. You can install and practice with WebGoat in either J2EE (this page) or [http://owasp.org/index.php/WebGoatFor.Net WebGoat for .Net] in ASP.NET. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.<br />
<br />
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!<br />
<br />
'''To get started:<br />
* WebGoat 5.X: read the [[WebGoat User and Install Guide Table of Contents|WebGoat User and Install Guide]]<br />
* WebGoat 6.X: download and documentation are on [http://webgoat.github.io GitHub]'''<br />
<br />
==Description==<br />
<br />
WebGoat for J2EE is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:<br />
{|<br />
|valign="top"|<br />
* [[Cross-site Scripting (XSS)]]<br />
* Access Control<br />
* [[Race conditions|Thread Safety]]<br />
* [[Unvalidated_Input|Hidden Form Field Manipulation]]<br />
* Parameter Manipulation<br />
* [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]<br />
* Blind [[SQL injection|SQL Injection]]<br />
|valign="top"| <br />
* Numeric SQL Injection<br />
* String SQL Injection<br />
* [[Web Services]]<br />
* [[Improper_Error_Handling|Fail Open Authentication]]<br />
* Dangers of HTML Comments<br />
* ... and many more!<br />
|}<br />
<br />
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]].<br />
<br />
<br />
==Licensing==<br />
OWASP WebGoat Project is free to use. It is licensed under the GNU General Public License version 2.0 (GPLv2)<br />
<br />
==Project Sponsors==<br />
The WebGoat project is sponsored by <br />
{{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is WebGoat? ==<br />
<br />
OWASP WebGoat Project provides:<br />
<br />
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.<br />
The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.<br />
<br />
<br />
== Presentation ==<br />
Aung Khant (YGN Ethical Hacker Group) has created a series of movies showing possible solutions to the WebGoat lessons. These training movies can be viewed at <br />
<br />
http://yehg.net/lab/pr0js/training/webgoat.php<br />
<br />
Feel free to contact him for any help with WebGoat.<br />
<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#General General] <br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Code_Quality Code Quality]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Concurrency Concurrency ]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Unvalidated_Parameters Unvalidated Parameters]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Access_Control_Flaws Access Control Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Authentication_Flaws Authentication Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Session_Management_Flaws Session Management Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Cross-Site_Scripting_(XSS) Cross-Site Scripting (XSS)]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Buffer_Overflows Buffer Overflows]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Injection_Flaws Injection Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Insecure_Storage Insecure Storage]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Denial_of_Service_(DOS) Denial of Service (DOS)]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Insecure_Configuration_Insecure Configuration]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Web_Services Web Services]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#AJAX_Security AJAX Security]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Challenge Challenge]<br />
<br />
== Project Leader ==<br />
<br />
[mailto:webgoat@owasp.org Bruce Mayhew]<br />
<br />
<br />
== Related Projects ==<br />
<br />
<br />
<br />
== Ohloh ==<br />
<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
*Latest Release @ [https://github.com/WebGoat/WebGoat-Legacy/releases/latest WebGoat-Legacy]<br />
<br />
*Source Code @ [https://github.com/WebGoat/WebGoat-Legacy WebGoat-Legacy on Github]<br />
<br />
*Latest Info @ [http://webgoat.github.io/ WebGoat Project Home]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp-webgoat Sign Up]<br />
<br />
== News and Events ==<br />
*WebGoat 6.1 to be released fall 2015<br />
<br />
== In Print ==<br />
*[http://www.lulu.com/shop/owasp/owasp-webgoat-and-webscarab/paperback/product-1889624.html Download or purchase on Lulu].<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
[[File:WebGoat-Phishing-XSS-Lesson.JPG|500px]] [[File:WebGoat-Bypass-Access-Control-Lesson.JPG|500px]]<br />
<br />
[[File:WebGoat-Session-Hijack-Lesson.JPG|500px]]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''. WebGoat distributions are currently maintained on [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 SourceForge] and [http://code.google.com/p/webgoat/downloads/list Google]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list].<br />
<br />
Thanks to [http://www.ouncelabs.com Ounce Labs] for allowing me time to work on and run the WebGoat project during my day job!<br />
<br />
= Road Map and Getting Involved =<br />
The project's overall goal is to...<br />
<br />
Be the defacto standard web application security training environment<br />
<br />
In the near term, we are focused on the following tactical goals...<br />
<br />
# Demonstrate most common web application security vulnerabilities<br />
# Add educational support for secure coding practices<br />
# Enhance enterprise lesson tracking<br />
# Attract more contributions of lessons<br />
# Revisit existing lesson base to standardize lesson theme.<br />
# Increase ease-of-use and expand user base<br />
<br />
Here are the current tasks defined to help us achieve these goals<br />
<br />
'''Architectural'''<br />
* Replace basic authentication with forms based authentication<br />
* Rewrite all lessons to follow common theme using common database<br />
* Rewrite user administration to allow better user management (non-hackable)<br />
* Fix Logoff<br />
* Defuse all lessons to disallow inadvertent harm to user's OS <br />
<br />
'''General'''<br />
* General security cleanup. Remove exploits that are not lesson specific<br />
* Remove non working lessons<br />
*<br />
<br />
'''New Lessons'''<br />
* Server side forward allows access to WEB-INF resources<br />
* Account enumeration using webscarab<br />
* SQLException lesson - could tie into overall error handling<br />
* XML attacks - Entity recursion, ...<br />
<br />
For more information contact Bruce Mayhew at webgoat at owasp dot org<br />
<br />
<br />
Involvement in the development and promotion of WebGoat is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
<br />
=Previous Releases and Future Development=<br />
==Previous Releases==<br />
You can download WebGoat version 5.2 and older from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.<br />
<br />
===WebGoat 5.2 Standard===<br />
This release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server.<br />
* Double-click on webgoat.bat - a Tomcat command window starts<br />
* Browse to http://localhost/WebGoat/attack<br />
<br />
===WebGoat 5.2 Developer===<br />
<br />
'''Note:''' This release is intended to provide an environment for working on the WebGoat labs. If you would like to develop lessons, synch to the baseline at Google code.<br />
<br />
The developer release includes the standard release with the addition of a configured eclipse environment. The developer release is also a download, unzip, and click-to-run release. It works exactly the same as the standard release if you only wish to explore the lessons. However, if you want to perform the labs or use WebGoat in the classroom, use the eclipse.bat to start up a preconfigured WebGoat environment. Detailed instructions are include at the top of the _HOW TO create the WebGoat workspace.txt_ file.<br />
* Extract the Eclipse-Workspace.zip file to the working directory<br />
* Double-click the eclipse.bat file<br />
* In the Eclipse package explorer (top right), right click the WebGoat project and refresh<br />
* In the Eclipse package explorer (top right), right click the Servers project and refresh<br />
* In the Eclipse servers view (bottom), right click LocalHost server and start<br />
* Browse to http://localhost/WebGoat/attack<br />
* Any changes made to the source will automatically compile and redeploy when saved<br />
<br />
Please send all comments to Bruce Mayhew at '''webgoat AT owasp.org''' regarding this release.<br />
<br />
==Future Development==<br />
WebGoat has been fairly stable for a few years. The latest stable release as of Oct 7, 2013 is 5.4, and the development for 6.0 is underway at [http://code.google.com/p/webgoat/ | the WebGoat Google repo]. There are some issues on the WebGoat issues page that require fixing, any help there would be appreciated.<br />
<br />
Going forward WebGoat should take advantage of the training material provided at OWASP and incorporate that material into the lesson plans. WebGoat has been useful in educating security folks in the type of attacks and how they could be exploited. WebGoat should start focusing on educating the security staff and developers on potential mitigation strategies. I would also like to see an expansion of the report card feature and the enterprise architecture used for tracking the lessons completed. WebGoat could be used in organizations as a introduction to secure coding practices.<br />
<br />
Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.<br />
<br />
<br />
=Project About=<br />
{{:Projects/OWASP_WebGoat_Project_Page}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]][[Category:SAMM-EG-1]]</div>Bmayhewhttps://wiki.owasp.org/index.php?title=Category:OWASP_WebGoat_Project&diff=197852Category:OWASP WebGoat Project2015-07-23T20:35:25Z<p>Bmayhew: /* News and Events */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP WebGoat Project==<br />
<br />
[http://webgoat.github.io WebGoat 6] is under way. The 6.0 beta release is a major modernization of the UI and framework. <br />
<br />
The next release will migrate all the lessons to the new architecture. You can help us prioritize which lessons to port and define new lessons to create by taking the [https://www.surveymonkey.com/s/OWASP-WebGoat-Modernization WebGoat survey]<br />
<br />
===Help Needed:===<br />
<br />
We have an immediate need for a UI developer with javascript (Backbone/Underscore/JQuery and/or Single Page Application ... preferred, not required) experience as well as someone with design experience. Please send an email to Bruce Mayhew webgoat@owasp.org and/or jason.white@owasp.org if you are interested in helping.<br />
<br />
==Introduction==<br />
<br />
'''WebGoat''' is a deliberately insecure web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. You can install and practice with WebGoat in either J2EE (this page) or [http://owasp.org/index.php/WebGoatFor.Net WebGoat for .Net] in ASP.NET. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.<br />
<br />
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!<br />
<br />
'''To get started:<br />
* WebGoat 5.X: read the [[WebGoat User and Install Guide Table of Contents|WebGoat User and Install Guide]]<br />
* WebGoat 6.X: download and documentation are on [http://webgoat.github.io GitHub]'''<br />
<br />
==Description==<br />
<br />
WebGoat for J2EE is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:<br />
{|<br />
|valign="top"|<br />
* [[Cross-site Scripting (XSS)]]<br />
* Access Control<br />
* [[Race conditions|Thread Safety]]<br />
* [[Unvalidated_Input|Hidden Form Field Manipulation]]<br />
* Parameter Manipulation<br />
* [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]<br />
* Blind [[SQL injection|SQL Injection]]<br />
|valign="top"| <br />
* Numeric SQL Injection<br />
* String SQL Injection<br />
* [[Web Services]]<br />
* [[Improper_Error_Handling|Fail Open Authentication]]<br />
* Dangers of HTML Comments<br />
* ... and many more!<br />
|}<br />
<br />
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]].<br />
<br />
<br />
==Licensing==<br />
OWASP WebGoat Project is free to use. It is licensed under the GNU General Public License version 2.0 (GPLv2)<br />
<br />
==Project Sponsors==<br />
The WebGoat project is sponsored by <br />
{{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is WebGoat? ==<br />
<br />
OWASP WebGoat Project provides:<br />
<br />
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.<br />
The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.<br />
<br />
<br />
== Presentation ==<br />
Aung Khant (YGN Ethical Hacker Group) has created a series of movies showing possible solutions to the WebGoat lessons. These training movies can be viewed at <br />
<br />
http://yehg.net/lab/pr0js/training/webgoat.php<br />
<br />
Feel free to contact him for any help with WebGoat.<br />
<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#General General] <br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Code_Quality Code Quality]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Concurrency Concurrency ]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Unvalidated_Parameters Unvalidated Parameters]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Access_Control_Flaws Access Control Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Authentication_Flaws Authentication Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Session_Management_Flaws Session Management Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Cross-Site_Scripting_(XSS) Cross-Site Scripting (XSS)]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Buffer_Overflows Buffer Overflows]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Injection_Flaws Injection Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Insecure_Storage Insecure Storage]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Denial_of_Service_(DOS) Denial of Service (DOS)]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Insecure_Configuration_Insecure Configuration]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Web_Services Web Services]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#AJAX_Security AJAX Security]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Challenge Challenge]<br />
<br />
== Project Leader ==<br />
<br />
[mailto:webgoat@owasp.org Bruce Mayhew]<br />
<br />
<br />
== Related Projects ==<br />
<br />
<br />
<br />
== Ohloh ==<br />
<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
*Latest Release @ [https://github.com/WebGoat/WebGoat-Legacy/releases/latest WebGoat-Legacy]<br />
<br />
*Source Code @ [https://github.com/WebGoat/WebGoat-Legacy WebGoat-Legacy on Github]<br />
<br />
*Latest Info @ [http://webgoat.github.io/ WebGoat Project Home]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp-webgoat Sign Up]<br />
<br />
== News and Events ==<br />
*WebGoat 6.1 to be released fall 2015<br />
<br />
== In Print ==<br />
*[http://www.lulu.com/shop/owasp/owasp-webgoat-and-webscarab/paperback/product-1889624.html Download or purchase on Lulu].<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
[[File:WebGoat-Phishing-XSS-Lesson.JPG|500px]] [[File:WebGoat-Bypass-Access-Control-Lesson.JPG|500px]]<br />
<br />
[[File:WebGoat-Session-Hijack-Lesson.JPG|500px]]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''. WebGoat distributions are currently maintained on [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 SourceForge] and [http://code.google.com/p/webgoat/downloads/list Google]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list].<br />
<br />
Thanks to [http://www.ouncelabs.com Ounce Labs] for allowing me time to work on and run the WebGoat project during my day job!<br />
<br />
= Road Map and Getting Involved =<br />
The project's overall goal is to...<br />
<br />
Be the defacto standard web application security training environment<br />
<br />
In the near term, we are focused on the following tactical goals...<br />
<br />
# Demonstrate most common web application security vulnerabilities<br />
# Add educational support for secure coding practices<br />
# Enhance enterprise lesson tracking<br />
# Attract more contributions of lessons<br />
# Revisit existing lesson base to standardize lesson theme.<br />
# Increase ease-of-use and expand user base<br />
<br />
Here are the current tasks defined to help us achieve these goals<br />
<br />
'''Architectural'''<br />
* Replace basic authentication with forms based authentication<br />
* Rewrite all lessons to follow common theme using common database<br />
* Rewrite user administration to allow better user management (non-hackable)<br />
* Fix Logoff<br />
* Defuse all lessons to disallow inadvertent harm to user's OS <br />
<br />
'''General'''<br />
* General security cleanup. Remove exploits that are not lesson specific<br />
* Remove non working lessons<br />
*<br />
<br />
'''New Lessons'''<br />
* Server side forward allows access to WEB-INF resources<br />
* Account enumeration using webscarab<br />
* SQLException lesson - could tie into overall error handling<br />
* XML attacks - Entity recursion, ...<br />
<br />
For more information contact Bruce Mayhew at webgoat at owasp dot org<br />
<br />
<br />
Involvement in the development and promotion of WebGoat is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
<br />
=Previous Releases and Future Development=<br />
==Previous Releases==<br />
You can download WebGoat version 5.2 and older from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.<br />
<br />
===WebGoat 5.2 Standard===<br />
This release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server.<br />
* Double-click on webgoat.bat - a Tomcat command window starts<br />
* Browse to http://localhost/WebGoat/attack<br />
<br />
===WebGoat 5.2 Developer===<br />
<br />
'''Note:''' This release is intended to provide an environment for working on the WebGoat labs. If you would like to develop lessons, synch to the baseline at Google code.<br />
<br />
The developer release includes the standard release with the addition of a configured eclipse environment. The developer release is also a download, unzip, and click-to-run release. It works exactly the same as the standard release if you only wish to explore the lessons. However, if you want to perform the labs or use WebGoat in the classroom, use the eclipse.bat to start up a preconfigured WebGoat environment. Detailed instructions are include at the top of the _HOW TO create the WebGoat workspace.txt_ file.<br />
* Extract the Eclipse-Workspace.zip file to the working directory<br />
* Double-click the eclipse.bat file<br />
* In the Eclipse package explorer (top right), right click the WebGoat project and refresh<br />
* In the Eclipse package explorer (top right), right click the Servers project and refresh<br />
* In the Eclipse servers view (bottom), right click LocalHost server and start<br />
* Browse to http://localhost/WebGoat/attack<br />
* Any changes made to the source will automatically compile and redeploy when saved<br />
<br />
Please send all comments to Bruce Mayhew at '''webgoat AT owasp.org''' regarding this release.<br />
<br />
==Future Development==<br />
WebGoat has been fairly stable for a few years. The latest stable release as of Oct 7, 2013 is 5.4, and the development for 6.0 is underway at [http://code.google.com/p/webgoat/ | the WebGoat Google repo]. There are some issues on the WebGoat issues page that require fixing, any help there would be appreciated.<br />
<br />
Going forward WebGoat should take advantage of the training material provided at OWASP and incorporate that material into the lesson plans. WebGoat has been useful in educating security folks in the type of attacks and how they could be exploited. WebGoat should start focusing on educating the security staff and developers on potential mitigation strategies. I would also like to see an expansion of the report card feature and the enterprise architecture used for tracking the lessons completed. WebGoat could be used in organizations as a introduction to secure coding practices.<br />
<br />
Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.<br />
<br />
<br />
=Project About=<br />
{{:Projects/OWASP_WebGoat_Project_Page}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]][[Category:SAMM-EG-1]]</div>Bmayhewhttps://wiki.owasp.org/index.php?title=Category:OWASP_WebGoat_Project&diff=197851Category:OWASP WebGoat Project2015-07-23T20:34:26Z<p>Bmayhew: /* Quick Download */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP WebGoat Project==<br />
<br />
[http://webgoat.github.io WebGoat 6] is under way. The 6.0 beta release is a major modernization of the UI and framework. <br />
<br />
The next release will migrate all the lessons to the new architecture. You can help us prioritize which lessons to port and define new lessons to create by taking the [https://www.surveymonkey.com/s/OWASP-WebGoat-Modernization WebGoat survey]<br />
<br />
===Help Needed:===<br />
<br />
We have an immediate need for a UI developer with javascript (Backbone/Underscore/JQuery and/or Single Page Application ... preferred, not required) experience as well as someone with design experience. Please send an email to Bruce Mayhew webgoat@owasp.org and/or jason.white@owasp.org if you are interested in helping.<br />
<br />
==Introduction==<br />
<br />
'''WebGoat''' is a deliberately insecure web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. You can install and practice with WebGoat in either J2EE (this page) or [http://owasp.org/index.php/WebGoatFor.Net WebGoat for .Net] in ASP.NET. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.<br />
<br />
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!<br />
<br />
'''To get started:<br />
* WebGoat 5.X: read the [[WebGoat User and Install Guide Table of Contents|WebGoat User and Install Guide]]<br />
* WebGoat 6.X: download and documentation are on [http://webgoat.github.io GitHub]'''<br />
<br />
==Description==<br />
<br />
WebGoat for J2EE is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:<br />
{|<br />
|valign="top"|<br />
* [[Cross-site Scripting (XSS)]]<br />
* Access Control<br />
* [[Race conditions|Thread Safety]]<br />
* [[Unvalidated_Input|Hidden Form Field Manipulation]]<br />
* Parameter Manipulation<br />
* [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]<br />
* Blind [[SQL injection|SQL Injection]]<br />
|valign="top"| <br />
* Numeric SQL Injection<br />
* String SQL Injection<br />
* [[Web Services]]<br />
* [[Improper_Error_Handling|Fail Open Authentication]]<br />
* Dangers of HTML Comments<br />
* ... and many more!<br />
|}<br />
<br />
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]].<br />
<br />
<br />
==Licensing==<br />
OWASP WebGoat Project is free to use. It is licensed under the GNU General Public License version 2.0 (GPLv2)<br />
<br />
==Project Sponsors==<br />
The WebGoat project is sponsored by <br />
{{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is WebGoat? ==<br />
<br />
OWASP WebGoat Project provides:<br />
<br />
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.<br />
The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.<br />
<br />
<br />
== Presentation ==<br />
Aung Khant (YGN Ethical Hacker Group) has created a series of movies showing possible solutions to the WebGoat lessons. These training movies can be viewed at <br />
<br />
http://yehg.net/lab/pr0js/training/webgoat.php<br />
<br />
Feel free to contact him for any help with WebGoat.<br />
<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#General General] <br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Code_Quality Code Quality]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Concurrency Concurrency ]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Unvalidated_Parameters Unvalidated Parameters]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Access_Control_Flaws Access Control Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Authentication_Flaws Authentication Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Session_Management_Flaws Session Management Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Cross-Site_Scripting_(XSS) Cross-Site Scripting (XSS)]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Buffer_Overflows Buffer Overflows]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Injection_Flaws Injection Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Insecure_Storage Insecure Storage]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Denial_of_Service_(DOS) Denial of Service (DOS)]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Insecure_Configuration_Insecure Configuration]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Web_Services Web Services]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#AJAX_Security AJAX Security]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Challenge Challenge]<br />
<br />
== Project Leader ==<br />
<br />
[mailto:webgoat@owasp.org Bruce Mayhew]<br />
<br />
<br />
== Related Projects ==<br />
<br />
<br />
<br />
== Ohloh ==<br />
<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
*Latest Release @ [https://github.com/WebGoat/WebGoat-Legacy/releases/latest WebGoat-Legacy]<br />
<br />
*Source Code @ [https://github.com/WebGoat/WebGoat-Legacy WebGoat-Legacy on Github]<br />
<br />
*Latest Info @ [http://webgoat.github.io/ WebGoat Project Home]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp-webgoat Sign Up]<br />
<br />
== News and Events ==<br />
*WebGoat 6 to be released Sept 16 2014<br />
<br />
*Join us at AppSec USA in the project summit room Friday Sept 19th 9-12AM<br />
<br />
== In Print ==<br />
*[http://www.lulu.com/shop/owasp/owasp-webgoat-and-webscarab/paperback/product-1889624.html Download or purchase on Lulu].<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
[[File:WebGoat-Phishing-XSS-Lesson.JPG|500px]] [[File:WebGoat-Bypass-Access-Control-Lesson.JPG|500px]]<br />
<br />
[[File:WebGoat-Session-Hijack-Lesson.JPG|500px]]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''. WebGoat distributions are currently maintained on [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 SourceForge] and [http://code.google.com/p/webgoat/downloads/list Google]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list].<br />
<br />
Thanks to [http://www.ouncelabs.com Ounce Labs] for allowing me time to work on and run the WebGoat project during my day job!<br />
<br />
= Road Map and Getting Involved =<br />
The project's overall goal is to...<br />
<br />
Be the defacto standard web application security training environment<br />
<br />
In the near term, we are focused on the following tactical goals...<br />
<br />
# Demonstrate most common web application security vulnerabilities<br />
# Add educational support for secure coding practices<br />
# Enhance enterprise lesson tracking<br />
# Attract more contributions of lessons<br />
# Revisit existing lesson base to standardize lesson theme.<br />
# Increase ease-of-use and expand user base<br />
<br />
Here are the current tasks defined to help us achieve these goals<br />
<br />
'''Architectural'''<br />
* Replace basic authentication with forms based authentication<br />
* Rewrite all lessons to follow common theme using common database<br />
* Rewrite user administration to allow better user management (non-hackable)<br />
* Fix Logoff<br />
* Defuse all lessons to disallow inadvertent harm to user's OS <br />
<br />
'''General'''<br />
* General security cleanup. Remove exploits that are not lesson specific<br />
* Remove non working lessons<br />
*<br />
<br />
'''New Lessons'''<br />
* Server side forward allows access to WEB-INF resources<br />
* Account enumeration using webscarab<br />
* SQLException lesson - could tie into overall error handling<br />
* XML attacks - Entity recursion, ...<br />
<br />
For more information contact Bruce Mayhew at webgoat at owasp dot org<br />
<br />
<br />
Involvement in the development and promotion of WebGoat is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
<br />
=Previous Releases and Future Development=<br />
==Previous Releases==<br />
You can download WebGoat version 5.2 and older from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.<br />
<br />
===WebGoat 5.2 Standard===<br />
This release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server.<br />
* Double-click on webgoat.bat - a Tomcat command window starts<br />
* Browse to http://localhost/WebGoat/attack<br />
<br />
===WebGoat 5.2 Developer===<br />
<br />
'''Note:''' This release is intended to provide an environment for working on the WebGoat labs. If you would like to develop lessons, synch to the baseline at Google code.<br />
<br />
The developer release includes the standard release with the addition of a configured eclipse environment. The developer release is also a download, unzip, and click-to-run release. It works exactly the same as the standard release if you only wish to explore the lessons. However, if you want to perform the labs or use WebGoat in the classroom, use the eclipse.bat to start up a preconfigured WebGoat environment. Detailed instructions are include at the top of the _HOW TO create the WebGoat workspace.txt_ file.<br />
* Extract the Eclipse-Workspace.zip file to the working directory<br />
* Double-click the eclipse.bat file<br />
* In the Eclipse package explorer (top right), right click the WebGoat project and refresh<br />
* In the Eclipse package explorer (top right), right click the Servers project and refresh<br />
* In the Eclipse servers view (bottom), right click LocalHost server and start<br />
* Browse to http://localhost/WebGoat/attack<br />
* Any changes made to the source will automatically compile and redeploy when saved<br />
<br />
Please send all comments to Bruce Mayhew at '''webgoat AT owasp.org''' regarding this release.<br />
<br />
==Future Development==<br />
WebGoat has been fairly stable for a few years. The latest stable release as of Oct 7, 2013 is 5.4, and the development for 6.0 is underway at [http://code.google.com/p/webgoat/ | the WebGoat Google repo]. There are some issues on the WebGoat issues page that require fixing, any help there would be appreciated.<br />
<br />
Going forward WebGoat should take advantage of the training material provided at OWASP and incorporate that material into the lesson plans. WebGoat has been useful in educating security folks in the type of attacks and how they could be exploited. WebGoat should start focusing on educating the security staff and developers on potential mitigation strategies. I would also like to see an expansion of the report card feature and the enterprise architecture used for tracking the lessons completed. WebGoat could be used in organizations as a introduction to secure coding practices.<br />
<br />
Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.<br />
<br />
<br />
=Project About=<br />
{{:Projects/OWASP_WebGoat_Project_Page}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]][[Category:SAMM-EG-1]]</div>Bmayhewhttps://wiki.owasp.org/index.php?title=Category:OWASP_WebGoat_Project&diff=197850Category:OWASP WebGoat Project2015-07-23T20:33:22Z<p>Bmayhew: /* Quick Download */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP WebGoat Project==<br />
<br />
[http://webgoat.github.io WebGoat 6] is under way. The 6.0 beta release is a major modernization of the UI and framework. <br />
<br />
The next release will migrate all the lessons to the new architecture. You can help us prioritize which lessons to port and define new lessons to create by taking the [https://www.surveymonkey.com/s/OWASP-WebGoat-Modernization WebGoat survey]<br />
<br />
===Help Needed:===<br />
<br />
We have an immediate need for a UI developer with javascript (Backbone/Underscore/JQuery and/or Single Page Application ... preferred, not required) experience as well as someone with design experience. Please send an email to Bruce Mayhew webgoat@owasp.org and/or jason.white@owasp.org if you are interested in helping.<br />
<br />
==Introduction==<br />
<br />
'''WebGoat''' is a deliberately insecure web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. You can install and practice with WebGoat in either J2EE (this page) or [http://owasp.org/index.php/WebGoatFor.Net WebGoat for .Net] in ASP.NET. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.<br />
<br />
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!<br />
<br />
'''To get started:<br />
* WebGoat 5.X: read the [[WebGoat User and Install Guide Table of Contents|WebGoat User and Install Guide]]<br />
* WebGoat 6.X: download and documentation are on [http://webgoat.github.io GitHub]'''<br />
<br />
==Description==<br />
<br />
WebGoat for J2EE is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:<br />
{|<br />
|valign="top"|<br />
* [[Cross-site Scripting (XSS)]]<br />
* Access Control<br />
* [[Race conditions|Thread Safety]]<br />
* [[Unvalidated_Input|Hidden Form Field Manipulation]]<br />
* Parameter Manipulation<br />
* [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]<br />
* Blind [[SQL injection|SQL Injection]]<br />
|valign="top"| <br />
* Numeric SQL Injection<br />
* String SQL Injection<br />
* [[Web Services]]<br />
* [[Improper_Error_Handling|Fail Open Authentication]]<br />
* Dangers of HTML Comments<br />
* ... and many more!<br />
|}<br />
<br />
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]].<br />
<br />
<br />
==Licensing==<br />
OWASP WebGoat Project is free to use. It is licensed under the GNU General Public License version 2.0 (GPLv2)<br />
<br />
==Project Sponsors==<br />
The WebGoat project is sponsored by <br />
{{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is WebGoat? ==<br />
<br />
OWASP WebGoat Project provides:<br />
<br />
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.<br />
The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.<br />
<br />
<br />
== Presentation ==<br />
Aung Khant (YGN Ethical Hacker Group) has created a series of movies showing possible solutions to the WebGoat lessons. These training movies can be viewed at <br />
<br />
http://yehg.net/lab/pr0js/training/webgoat.php<br />
<br />
Feel free to contact him for any help with WebGoat.<br />
<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#General General] <br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Code_Quality Code Quality]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Concurrency Concurrency ]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Unvalidated_Parameters Unvalidated Parameters]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Access_Control_Flaws Access Control Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Authentication_Flaws Authentication Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Session_Management_Flaws Session Management Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Cross-Site_Scripting_(XSS) Cross-Site Scripting (XSS)]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Buffer_Overflows Buffer Overflows]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Injection_Flaws Injection Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Insecure_Storage Insecure Storage]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Denial_of_Service_(DOS) Denial of Service (DOS)]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Insecure_Configuration_Insecure Configuration]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Web_Services Web Services]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#AJAX_Security AJAX Security]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Challenge Challenge]<br />
<br />
== Project Leader ==<br />
<br />
[mailto:webgoat@owasp.org Bruce Mayhew]<br />
<br />
<br />
== Related Projects ==<br />
<br />
<br />
<br />
== Ohloh ==<br />
<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
*Latest Release @ [https://github.com/WebGoat/WebGoat-Legacy/releases/latest]<br />
<br />
*Source Code @ https://github.com/WebGoat/WebGoat-Legacy WebGoat-Legacy on Github]<br />
<br />
*Latest Info @ [http://webgoat.github.io/ WebGoat Project Home]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp-webgoat Sign Up]<br />
<br />
== News and Events ==<br />
*WebGoat 6 to be released Sept 16 2014<br />
<br />
*Join us at AppSec USA in the project summit room Friday Sept 19th 9-12AM<br />
<br />
== In Print ==<br />
*[http://www.lulu.com/shop/owasp/owasp-webgoat-and-webscarab/paperback/product-1889624.html Download or purchase on Lulu].<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
[[File:WebGoat-Phishing-XSS-Lesson.JPG|500px]] [[File:WebGoat-Bypass-Access-Control-Lesson.JPG|500px]]<br />
<br />
[[File:WebGoat-Session-Hijack-Lesson.JPG|500px]]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''. WebGoat distributions are currently maintained on [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 SourceForge] and [http://code.google.com/p/webgoat/downloads/list Google]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list].<br />
<br />
Thanks to [http://www.ouncelabs.com Ounce Labs] for allowing me time to work on and run the WebGoat project during my day job!<br />
<br />
= Road Map and Getting Involved =<br />
The project's overall goal is to...<br />
<br />
Be the defacto standard web application security training environment<br />
<br />
In the near term, we are focused on the following tactical goals...<br />
<br />
# Demonstrate most common web application security vulnerabilities<br />
# Add educational support for secure coding practices<br />
# Enhance enterprise lesson tracking<br />
# Attract more contributions of lessons<br />
# Revisit existing lesson base to standardize lesson theme.<br />
# Increase ease-of-use and expand user base<br />
<br />
Here are the current tasks defined to help us achieve these goals<br />
<br />
'''Architectural'''<br />
* Replace basic authentication with forms based authentication<br />
* Rewrite all lessons to follow common theme using common database<br />
* Rewrite user administration to allow better user management (non-hackable)<br />
* Fix Logoff<br />
* Defuse all lessons to disallow inadvertent harm to user's OS <br />
<br />
'''General'''<br />
* General security cleanup. Remove exploits that are not lesson specific<br />
* Remove non working lessons<br />
*<br />
<br />
'''New Lessons'''<br />
* Server side forward allows access to WEB-INF resources<br />
* Account enumeration using webscarab<br />
* SQLException lesson - could tie into overall error handling<br />
* XML attacks - Entity recursion, ...<br />
<br />
For more information contact Bruce Mayhew at webgoat at owasp dot org<br />
<br />
<br />
Involvement in the development and promotion of WebGoat is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
<br />
=Previous Releases and Future Development=<br />
==Previous Releases==<br />
You can download WebGoat version 5.2 and older from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.<br />
<br />
===WebGoat 5.2 Standard===<br />
This release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server.<br />
* Double-click on webgoat.bat - a Tomcat command window starts<br />
* Browse to http://localhost/WebGoat/attack<br />
<br />
===WebGoat 5.2 Developer===<br />
<br />
'''Note:''' This release is intended to provide an environment for working on the WebGoat labs. If you would like to develop lessons, synch to the baseline at Google code.<br />
<br />
The developer release includes the standard release with the addition of a configured eclipse environment. The developer release is also a download, unzip, and click-to-run release. It works exactly the same as the standard release if you only wish to explore the lessons. However, if you want to perform the labs or use WebGoat in the classroom, use the eclipse.bat to start up a preconfigured WebGoat environment. Detailed instructions are include at the top of the _HOW TO create the WebGoat workspace.txt_ file.<br />
* Extract the Eclipse-Workspace.zip file to the working directory<br />
* Double-click the eclipse.bat file<br />
* In the Eclipse package explorer (top right), right click the WebGoat project and refresh<br />
* In the Eclipse package explorer (top right), right click the Servers project and refresh<br />
* In the Eclipse servers view (bottom), right click LocalHost server and start<br />
* Browse to http://localhost/WebGoat/attack<br />
* Any changes made to the source will automatically compile and redeploy when saved<br />
<br />
Please send all comments to Bruce Mayhew at '''webgoat AT owasp.org''' regarding this release.<br />
<br />
==Future Development==<br />
WebGoat has been fairly stable for a few years. The latest stable release as of Oct 7, 2013 is 5.4, and the development for 6.0 is underway at [http://code.google.com/p/webgoat/ | the WebGoat Google repo]. There are some issues on the WebGoat issues page that require fixing, any help there would be appreciated.<br />
<br />
Going forward WebGoat should take advantage of the training material provided at OWASP and incorporate that material into the lesson plans. WebGoat has been useful in educating security folks in the type of attacks and how they could be exploited. WebGoat should start focusing on educating the security staff and developers on potential mitigation strategies. I would also like to see an expansion of the report card feature and the enterprise architecture used for tracking the lessons completed. WebGoat could be used in organizations as a introduction to secure coding practices.<br />
<br />
Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.<br />
<br />
<br />
=Project About=<br />
{{:Projects/OWASP_WebGoat_Project_Page}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]][[Category:SAMM-EG-1]]</div>Bmayhewhttps://wiki.owasp.org/index.php?title=Global_Industry_Committee_-_Application_10&diff=105085Global Industry Committee - Application 102011-02-14T22:28:43Z<p>Bmayhew: </p>
<hr />
<div>[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]]<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="2" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE APPLICATION FORM''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|'''Applicant's Name'''<br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|<font color="black">Sherif Koussa<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Current and past OWASP Roles''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|OWASP Ottawa Chapter Leader - WebGoat 5.0<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Committee Applying for''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|Global Industry Committee<br />
|}<br />
----<br />
<br />
<br />
----<br />
Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''. <br />
An incomplete application will not be considered for vote.<br />
----<br />
<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="8" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE RECOMMENDATIONS''' <br />
|- <br />
! align="center" style="background:white; color:white"|<font color="black"><br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Who Recommends/Name''' <br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Role in OWASP'''<br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Recommendation Content''' <br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''1'''<br />
| style="width:20%; background:#cccccc" align="center"| Dinis Cruz<br />
| style="width:20%; background:#cccccc" align="center"| [[O2 Platform]] Project Leader<br />
| style="width:57%; background:#cccccc" align="center"| Sherif is an active OWASP leader and in the past has already made a number of bridges and connections with the Industry. I think he will be a great addition to this Committee <br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''2'''<br />
| style="width:20%; background:#cccccc" align="center"| Bruce Mayhew<br />
| style="width:20%; background:#cccccc" align="center"|[[WebGoat]] Project Leader<br />
| style="width:57%; background:#cccccc" align="center"| Sherif is active in the security community, active in OWASP, and has made major contributions to WebGoat. Sherif will be an asset to this committee.<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''3'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''4'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''5'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|}<br />
----</div>Bmayhewhttps://wiki.owasp.org/index.php?title=Category:OWASP_WebGoat_Project&diff=98284Category:OWASP WebGoat Project2011-01-04T15:54:27Z<p>Bmayhew: </p>
<hr />
<div><webgoat/><br />
{{OWASP Book|1416452}}<br />
<br />
<br />
[[Image:WebGoat-Phishing-XSS-Lesson.JPG|thumb|300px|right|Detailed solution hints]][[Image:WebGoat-Bypass-Access-Control-Lesson.JPG|thumb|300px|right|WebGoat in action]]<br />
'''WebGoat''' is a deliberately insecure J2EE web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.<br />
<br />
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!<br />
<br />
'''To get started, read the [[WebGoat User and Install Guide Table of Contents|WebGoat User and Install Guide]]'''<br />
<br />
==Goals==<br />
<br />
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.<br />
<br />
The primary goal of the WebGoat project is simple: ''create a de-facto interactive teaching environment for web application security''. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.<br />
<br />
<br />
== Overview ==<br />
[[Image:WebGoat-Session-Hijack-Lesson.JPG|thumb|300px|right|Performing session hijacking]]<br />
WebGoat is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:<br />
{|<br />
|valign="top"|<br />
* [[Cross-site Scripting (XSS)]]<br />
* Access Control<br />
* [[Race conditions|Thread Safety]]<br />
* [[Unvalidated_Input|Hidden Form Field Manipulation]]<br />
* Parameter Manipulation<br />
* [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]<br />
* Blind [[SQL injection|SQL Injection]]<br />
|valign="top"| <br />
* Numeric SQL Injection<br />
* String SQL Injection<br />
* [[Web Services]]<br />
* [[Improper_Error_Handling|Fail Open Authentication]]<br />
* Dangers of HTML Comments<br />
* ... and many more!<br />
|}<br />
<br />
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]].<br />
<br />
== Future Development ==<br />
<br />
WebGoat has been fairly stable for a few years. There are some issues on the WebGoat issues page that require fixing, any help there would be appreciated.<br />
<br />
Going forward WebGoat should take advantage of the training material provided at OWASP and incorporate that material into the lesson plans. WebGoat has been useful in educating security folks in the type of attacks and how they could be exploited. WebGoat should start focusing on educating the security staff and developers on potential mitigation strategies. I would also like to see an expansion of the report card feature and the enterprise architecture used for tracking the lessons completed. WebGoat could be used in organizations as a introduction to secure coding practices.<br />
<br />
Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.<br />
<br />
==Downloads==<br />
<br />
The WebGoat downloads are available at [http://code.google.com/p/webgoat/downloads/list WebGoat Google code downloads]. <br />
<br />
You can synch to the current WebGoat source tree at [http://code.google.com/p/webgoat/ Google code].<br />
<br />
==Releases==<br />
<br />
You can download older versions of WebGoat from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.<br />
<br />
===WebGoat 5.2 Standard:===<br />
The standard release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server.<br />
* Double-click on webgoat.bat - a Tomcat command window starts<br />
* Browse to http://localhost/WebGoat/attack<br />
<br />
===WebGoat 5.2 Developer (At [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 SourceForge]):===<br />
<br />
'''Note:''' This release is intended to provide an environment for working on the WebGoat labs. If you would like to develop lessons, synch to the baseline at Google code.<br />
<br />
The developer release includes the standard release with the addition of a configured eclipse environment. The developer release is also a download, unzip, and click-to-run release. It works exactly the same as the standard release if you only wish to explore the lessons. However, if you want to perform the labs or use WebGoat in the classroom, use the eclipse.bat to start up a preconfigured WebGoat environment. Detailed instructions are include at the top of the _HOW TO create the WebGoat workspace.txt_ file.<br />
* Extract the Eclipse-Workspace.zip file to the working directory<br />
* Double-click the eclipse.bat file<br />
* In the Eclipse package explorer (top right), right click the WebGoat project and refresh<br />
* In the Eclipse package explorer (top right), right click the Servers project and refresh<br />
* In the Eclipse servers view (bottom), right click LocalHost server and start<br />
* Browse to http://localhost/WebGoat/attack<br />
* Any changes made to the source will automatically compile and redeploy when saved<br />
<br />
Please send all comments to Bruce Mayhew at '''webgoat AT owasp.org''' regarding this release.<br />
<br />
== Movie Demonstration Solutions ==<br />
<br />
Aung Khant (YGN Ethical Hacker Group) has created a series of movies showing possible solutions to the WebGoat lessons. These training movies can be viewed at <br />
<br />
http://yehg.net/lab/pr0js/training/webgoat.php<br />
<br />
Feel free to contact him for any help with WebGoat.<br />
<br />
==== Movie Links ====<br />
<br />
{|<br />
|valign="top"|<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#General General] <br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Code_Quality Code Quality]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Concurrency Concurrency ]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Unvalidated_Parameters Unvalidated Parameters]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Access_Control_Flaws Access Control Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Authentication_Flaws Authentication Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Session_Management_Flaws Session Management Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Cross-Site_Scripting_(XSS) Cross-Site Scripting (XSS)]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Buffer_Overflows Buffer Overflows]<br />
|valign="top"| <br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Injection_Flaws Injection Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Insecure_Storage Insecure Storage]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Denial_of_Service_(DOS) Denial of Service (DOS)]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Insecure_Configuration_Insecure Configuration]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Web_Services Web Services]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#AJAX_Security AJAX Security]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Challenge Challenge]<br />
|}<br />
<br />
== Project Contributors ==<br />
<br />
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''. WebGoat distributions are currently maintained on [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 SourceForge] and [http://code.google.com/p/webgoat/downloads/list Google]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list].<br />
<br />
Thanks to [http://www.ouncelabs.com Ounce Labs] for allowing me time to work on and run the WebGoat project during my day job!<br />
<br />
== Project Sponsors ==<br />
<br />
The WebGoat project is sponsored by <br />
[http://www.aspectsecurity.com https://www.owasp.org/images/3/30/100px-Aspect_Security_Logo.jpg]<br />
<br />
[[Category:OWASP Project|WebGoat Project]]<br />
[[Category:OWASP Download]]<br />
[[Category:OWASP Tool]]<br />
[[Category:OWASP Release Quality Tool]]<br />
<br />
__NOTOC__</div>Bmayhewhttps://wiki.owasp.org/index.php?title=Category:OWASP_WebGoat_Project&diff=98283Category:OWASP WebGoat Project2011-01-04T15:53:06Z<p>Bmayhew: </p>
<hr />
<div><webgoat/><br />
{{OWASP Book|1416452}}<br />
<br />
<br />
[[Image:WebGoat-Phishing-XSS-Lesson.JPG|thumb|300px|right|Detailed solution hints]][[Image:WebGoat-Bypass-Access-Control-Lesson.JPG|thumb|300px|right|WebGoat in action]]<br />
'''WebGoat''' is a deliberately insecure J2EE web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.<br />
<br />
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!<br />
<br />
'''To get started, read the [[WebGoat User and Install Guide Table of Contents|WebGoat User and Install Guide]]'''<br />
<br />
==Goals==<br />
<br />
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.<br />
<br />
The primary goal of the WebGoat project is simple: ''create a de-facto interactive teaching environment for web application security''. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.<br />
<br />
Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.<br />
<br />
== Overview ==<br />
[[Image:WebGoat-Session-Hijack-Lesson.JPG|thumb|300px|right|Performing session hijacking]]<br />
WebGoat is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:<br />
{|<br />
|valign="top"|<br />
* [[Cross-site Scripting (XSS)]]<br />
* Access Control<br />
* [[Race conditions|Thread Safety]]<br />
* [[Unvalidated_Input|Hidden Form Field Manipulation]]<br />
* Parameter Manipulation<br />
* [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]<br />
* Blind [[SQL injection|SQL Injection]]<br />
|valign="top"| <br />
* Numeric SQL Injection<br />
* String SQL Injection<br />
* [[Web Services]]<br />
* [[Improper_Error_Handling|Fail Open Authentication]]<br />
* Dangers of HTML Comments<br />
* ... and many more!<br />
|}<br />
<br />
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]].<br />
<br />
== Future Development ==<br />
<br />
WebGoat has been fairly stable for a few years. There are some issues on the WebGoat issues page that require fixing, any help there would be appreciated.<br />
<br />
Going forward WebGoat should take advantage of the training material provided at OWASP and incorporate that material into the lesson plans. WebGoat has been useful in educating security folks in the type of attacks and how they could be exploited. WebGoat should start focusing on educating the security staff and developers on potential mitigation strategies. I would also like to see an expansion of the report card feature and the enterprise architecture used for tracking the lessons completed. WebGoat could be used in organizations as a introduction to secure coding practices.<br />
<br />
==Downloads==<br />
<br />
The WebGoat downloads are available at [http://code.google.com/p/webgoat/downloads/list WebGoat Google code downloads]. <br />
<br />
You can synch to the current WebGoat source tree at [http://code.google.com/p/webgoat/ Google code].<br />
<br />
==Releases==<br />
<br />
You can download older versions of WebGoat from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.<br />
<br />
===WebGoat 5.2 Standard:===<br />
The standard release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server.<br />
* Double-click on webgoat.bat - a Tomcat command window starts<br />
* Browse to http://localhost/WebGoat/attack<br />
<br />
===WebGoat 5.2 Developer (At [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 SourceForge]):===<br />
<br />
'''Note:''' This release is intended to provide an environment for working on the WebGoat labs. If you would like to develop lessons, synch to the baseline at Google code.<br />
<br />
The developer release includes the standard release with the addition of a configured eclipse environment. The developer release is also a download, unzip, and click-to-run release. It works exactly the same as the standard release if you only wish to explore the lessons. However, if you want to perform the labs or use WebGoat in the classroom, use the eclipse.bat to start up a preconfigured WebGoat environment. Detailed instructions are include at the top of the _HOW TO create the WebGoat workspace.txt_ file.<br />
* Extract the Eclipse-Workspace.zip file to the working directory<br />
* Double-click the eclipse.bat file<br />
* In the Eclipse package explorer (top right), right click the WebGoat project and refresh<br />
* In the Eclipse package explorer (top right), right click the Servers project and refresh<br />
* In the Eclipse servers view (bottom), right click LocalHost server and start<br />
* Browse to http://localhost/WebGoat/attack<br />
* Any changes made to the source will automatically compile and redeploy when saved<br />
<br />
Please send all comments to Bruce Mayhew at '''webgoat AT owasp.org''' regarding this release.<br />
<br />
== Movie Demonstration Solutions ==<br />
<br />
Aung Khant (YGN Ethical Hacker Group) has created a series of movies showing possible solutions to the WebGoat lessons. These training movies can be viewed at <br />
<br />
http://yehg.net/lab/pr0js/training/webgoat.php<br />
<br />
Feel free to contact him for any help with WebGoat.<br />
<br />
==== Movie Links ====<br />
<br />
{|<br />
|valign="top"|<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#General General] <br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Code_Quality Code Quality]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Concurrency Concurrency ]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Unvalidated_Parameters Unvalidated Parameters]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Access_Control_Flaws Access Control Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Authentication_Flaws Authentication Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Session_Management_Flaws Session Management Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Cross-Site_Scripting_(XSS) Cross-Site Scripting (XSS)]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Buffer_Overflows Buffer Overflows]<br />
|valign="top"| <br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Injection_Flaws Injection Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Insecure_Storage Insecure Storage]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Denial_of_Service_(DOS) Denial of Service (DOS)]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Insecure_Configuration_Insecure Configuration]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Web_Services Web Services]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#AJAX_Security AJAX Security]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Challenge Challenge]<br />
|}<br />
<br />
== Project Contributors ==<br />
<br />
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''. WebGoat distributions are currently maintained on [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 SourceForge] and [http://code.google.com/p/webgoat/downloads/list Google]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list].<br />
<br />
Thanks to [http://www.ouncelabs.com Ounce Labs] for allowing me time to work on and run the WebGoat project during my day job!<br />
<br />
== Project Sponsors ==<br />
<br />
The WebGoat project is sponsored by <br />
[http://www.aspectsecurity.com https://www.owasp.org/images/3/30/100px-Aspect_Security_Logo.jpg]<br />
<br />
[[Category:OWASP Project|WebGoat Project]]<br />
[[Category:OWASP Download]]<br />
[[Category:OWASP Tool]]<br />
[[Category:OWASP Release Quality Tool]]<br />
<br />
__NOTOC__</div>Bmayhewhttps://wiki.owasp.org/index.php?title=OWASP_WebGoat_Project_Roadmap&diff=98282OWASP WebGoat Project Roadmap2011-01-04T15:50:36Z<p>Bmayhew: </p>
<hr />
<div><webgoat/>The project's overall goal is to...<br />
<br />
Be the defacto standard web application security training environment<br />
<br />
In the near term, we are focused on the following tactical goals...<br />
<br />
# Demonstrate most common web application security vulnerabilities<br />
# Add educational support for secure coding practices<br />
# Enhance enterprise lesson tracking<br />
# Attract more contributions of lessons<br />
# Revisit existing lesson base to standardize lesson theme.<br />
# Increase ease-of-use and expand user base<br />
<br />
Here are the current tasks defined to help us achieve these goals<br />
<br />
'''Architectural'''<br />
* Replace basic authentication with forms based authentication<br />
* Rewrite all lessons to follow common theme using common database<br />
* Rewrite user administration to allow better user management (non-hackable)<br />
* Fix Logoff<br />
* Defuse all lessons to disallow inadvertent harm to user's OS <br />
<br />
'''General'''<br />
* General security cleanup. Remove exploits that are not lesson specific<br />
* Remove non working lessons<br />
*<br />
<br />
'''New Lessons'''<br />
* Server side forward allows access to WEB-INF resources<br />
* Account enumeration using webscarab<br />
* SQLException lesson - could tie into overall error handling<br />
* XML attacks - Entity recursion, ...<br />
<br />
For more information contact Bruce Mayhew at webgoat at owasp dot org<br />
<br />
[[Category:OWASP WebGoat Project]]</div>Bmayhewhttps://wiki.owasp.org/index.php?title=Category:OWASP_WebGoat_Project&diff=98279Category:OWASP WebGoat Project2011-01-04T15:41:53Z<p>Bmayhew: /* Future Development */</p>
<hr />
<div><webgoat/><br />
{{OWASP Book|1416452}}<br />
<br />
<br />
[[Image:WebGoat-Phishing-XSS-Lesson.JPG|thumb|300px|right|Detailed solution hints]][[Image:WebGoat-Bypass-Access-Control-Lesson.JPG|thumb|300px|right|WebGoat in action]]<br />
'''WebGoat''' is a deliberately insecure J2EE web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.<br />
<br />
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!<br />
<br />
'''To get started, read the [[WebGoat User and Install Guide Table of Contents|WebGoat User and Install Guide]]'''<br />
<br />
==Goals==<br />
<br />
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.<br />
<br />
The primary goal of the WebGoat project is simple: ''create a de-facto interactive teaching environment for web application security''. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.<br />
<br />
Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.<br />
<br />
== Overview ==<br />
[[Image:WebGoat-Session-Hijack-Lesson.JPG|thumb|300px|right|Performing session hijacking]]<br />
WebGoat is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:<br />
{|<br />
|valign="top"|<br />
* [[Cross-site Scripting (XSS)]]<br />
* Access Control<br />
* [[Race conditions|Thread Safety]]<br />
* [[Unvalidated_Input|Hidden Form Field Manipulation]]<br />
* Parameter Manipulation<br />
* [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]<br />
* Blind [[SQL injection|SQL Injection]]<br />
|valign="top"| <br />
* Numeric SQL Injection<br />
* String SQL Injection<br />
* [[Web Services]]<br />
* [[Improper_Error_Handling|Fail Open Authentication]]<br />
* Dangers of HTML Comments<br />
* ... and many more!<br />
|}<br />
<br />
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]].<br />
<br />
==Downloads==<br />
<br />
The WebGoat downloads are available at [http://code.google.com/p/webgoat/downloads/list WebGoat Google code downloads]. <br />
<br />
You can synch to the current WebGoat source tree at [http://code.google.com/p/webgoat/ Google code].<br />
<br />
==Releases==<br />
<br />
You can download older versions of WebGoat from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.<br />
<br />
===WebGoat 5.2 Standard:===<br />
The standard release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server.<br />
* Double-click on webgoat.bat - a Tomcat command window starts<br />
* Browse to http://localhost/WebGoat/attack<br />
<br />
===WebGoat 5.2 Developer (At [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 SourceForge]):===<br />
<br />
'''Note:''' This release is intended to provide an environment for working on the WebGoat labs. If you would like to develop lessons, synch to the baseline at Google code.<br />
<br />
The developer release includes the standard release with the addition of a configured eclipse environment. The developer release is also a download, unzip, and click-to-run release. It works exactly the same as the standard release if you only wish to explore the lessons. However, if you want to perform the labs or use WebGoat in the classroom, use the eclipse.bat to start up a preconfigured WebGoat environment. Detailed instructions are include at the top of the _HOW TO create the WebGoat workspace.txt_ file.<br />
* Extract the Eclipse-Workspace.zip file to the working directory<br />
* Double-click the eclipse.bat file<br />
* In the Eclipse package explorer (top right), right click the WebGoat project and refresh<br />
* In the Eclipse package explorer (top right), right click the Servers project and refresh<br />
* In the Eclipse servers view (bottom), right click LocalHost server and start<br />
* Browse to http://localhost/WebGoat/attack<br />
* Any changes made to the source will automatically compile and redeploy when saved<br />
<br />
Please send all comments to Bruce Mayhew at '''webgoat AT owasp.org''' regarding this release.<br />
<br />
== Movie Demonstration Solutions ==<br />
<br />
Aung Khant (YGN Ethical Hacker Group) has created a series of movies showing possible solutions to the WebGoat lessons. These training movies can be viewed at <br />
<br />
http://yehg.net/lab/pr0js/training/webgoat.php<br />
<br />
Feel free to contact him for any help with WebGoat.<br />
<br />
==== Movie Links ====<br />
<br />
{|<br />
|valign="top"|<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#General General] <br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Code_Quality Code Quality]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Concurrency Concurrency ]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Unvalidated_Parameters Unvalidated Parameters]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Access_Control_Flaws Access Control Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Authentication_Flaws Authentication Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Session_Management_Flaws Session Management Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Cross-Site_Scripting_(XSS) Cross-Site Scripting (XSS)]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Buffer_Overflows Buffer Overflows]<br />
|valign="top"| <br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Injection_Flaws Injection Flaws]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Insecure_Storage Insecure Storage]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Denial_of_Service_(DOS) Denial of Service (DOS)]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Insecure_Configuration_Insecure Configuration]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Web_Services Web Services]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#AJAX_Security AJAX Security]<br />
* [http://yehg.net/lab/pr0js/training/webgoat.php#Challenge Challenge]<br />
|}<br />
<br />
== Future Development ==<br />
<br />
WebGoat has been fairly stable for a few years. There are some issues on the WebGoat issues page that require fixing, any help there would be appreciated.<br />
<br />
Going forward WebGoat should take advantage of the training material provided at OWASP and incorporate that material into the lesson plans. WebGoat has been useful in educating security folks in the type of attacks and how they could be exploited. WebGoat should start focusing on educating the security staff and developers on potential mitigation strategies. I would also like to see an expansion of the report card feature and the enterprise architecture used for tracking the lessons completed. WebGoat could be used in organizations as a introduction to secure coding practices.<br />
<br />
== Project Contributors ==<br />
<br />
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''. WebGoat distributions are currently maintained on [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 SourceForge] and [http://code.google.com/p/webgoat/downloads/list Google]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list].<br />
<br />
Thanks to [http://www.ouncelabs.com Ounce Labs] for allowing me time to work on and run the WebGoat project during my day job!<br />
<br />
== Project Sponsors ==<br />
<br />
The WebGoat project is sponsored by <br />
[http://www.aspectsecurity.com https://www.owasp.org/images/3/30/100px-Aspect_Security_Logo.jpg]<br />
<br />
[[Category:OWASP Project|WebGoat Project]]<br />
[[Category:OWASP Download]]<br />
[[Category:OWASP Tool]]<br />
[[Category:OWASP Release Quality Tool]]<br />
<br />
__NOTOC__</div>Bmayhewhttps://wiki.owasp.org/index.php?title=Category:OWASP_WebGoat_Project&diff=69401Category:OWASP WebGoat Project2009-09-20T16:47:14Z<p>Bmayhew: </p>
<hr />
<div><webgoat/><br />
{{OWASP Book|1416452}}<br />
<br />
<br />
[[Image:WebGoat-Phishing-XSS-Lesson.JPG|thumb|300px|right|Detailed solution hints]][[Image:WebGoat-Bypass-Access-Control-Lesson.JPG|thumb|300px|right|WebGoat in action]]<br />
'''WebGoat''' is a deliberately insecure J2EE web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.<br />
<br />
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!<br />
<br />
'''To get started, read the [[WebGoat User and Install Guide Table of Contents|WebGoat User and Install Guide]]'''<br />
<br />
==Goals==<br />
<br />
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.<br />
<br />
The primary goal of the WebGoat project is simple: ''create a de-facto interactive teaching environment for web application security''. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.<br />
<br />
Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.<br />
<br />
== Overview ==<br />
[[Image:WebGoat-Session-Hijack-Lesson.JPG|thumb|300px|right|Performing session hijacking]]<br />
WebGoat is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:<br />
{|<br />
|valign="top"|<br />
* [[Cross-site Scripting (XSS)]]<br />
* Access Control<br />
* [[Race conditions|Thread Safety]]<br />
* [[Unvalidated_Input|Hidden Form Field Manipulation]]<br />
* Parameter Manipulation<br />
* [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]<br />
* Blind [[SQL injection|SQL Injection]]<br />
|valign="top"| <br />
* Numeric SQL Injection<br />
* String SQL Injection<br />
* [[Web Services]]<br />
* [[Improper_Error_Handling|Fail Open Authentication]]<br />
* Dangers of HTML Comments<br />
* ... and many more!<br />
|}<br />
<br />
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]].<br />
<br />
==Downloads==<br />
<br />
The WebGoat downloads are available at [http://code.google.com/p/webgoat/downloads/list WebGoat Google code downloads]. <br />
<br />
You can synch to the current WebGoat source tree at [http://code.google.com/p/webgoat/ Google code].<br />
<br />
==Releases==<br />
<br />
You can download older versions of WebGoat from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.<br />
<br />
===WebGoat 5.2 Standard:===<br />
The standard release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server.<br />
* Double-click on webgoat.bat - a Tomcat command window starts<br />
* Browse to http://localhost/WebGoat/attack<br />
<br />
===WebGoat 5.2 Developer (At [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 SourceForge]):===<br />
<br />
'''Note:''' This release is intended to provide an environment for working on the WebGoat labs. If you would like to develop lessons, synch to the baseline at Google code.<br />
<br />
The developer release includes the standard release with the addition of a configured eclipse environment. The developer release is also a download, unzip, and click-to-run release. It works exactly the same as the standard release if you only wish to explore the lessons. However, if you want to perform the labs or use WebGoat in the classroom, use the eclipse.bat to start up a preconfigured WebGoat environment. Detailed instructions are include at the top of the _HOW TO create the WebGoat workspace.txt_ file.<br />
* Extract the Eclipse-Workspace.zip file to the working directory<br />
* Double-click the eclipse.bat file<br />
* In the Eclipse package explorer (top right), right click the WebGoat project and refresh<br />
* In the Eclipse package explorer (top right), right click the Servers project and refresh<br />
* In the Eclipse servers view (bottom), right click LocalHost server and start<br />
* Browse to http://localhost/WebGoat/attack<br />
* Any changes made to the source will automatically compile and redeploy when saved<br />
<br />
Please send all comments to Bruce Mayhew at '''webgoat AT owasp.org''' regarding this release.<br />
<br />
== Movie Solutions ==<br />
<br />
Aung Khant (YGN Ethical Hacker Group) has created a series of movies showing possible solutions to the WebGoat lessons. These training movies can be viewed at <br />
<br />
http://yehg.net/lab/pr0js/training/webgoat.php<br />
<br />
<br />
== Future Development ==<br />
<br />
WebGoat 5.2 - Is now available via svn at google code<br />
<br />
WebGoat 5.3 - Estimated release date: TBD<br />
<br />
If you would like to become a member of the WebGoat source code project hosted at [http://code.google.com/p/webgoat/ Google Code] contact Bruce Mayhew at '''webgoat AT owasp.org'''.<br />
<br />
<br />
'''New Features in 5.2'''<br />
<br />
* Introduction and WebGoat instructions<br />
* Multi Level Login Lesson<br />
* Session Fixation Lesson<br />
* Insecure Login Lesson<br />
* Lesson Solution Videos<br />
* Bug Report Feature<br />
* Many upgrades and minor fixes<br />
<br />
== Project Contributors ==<br />
<br />
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''. WebGoat distributions are currently maintained on [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 SourceForge] and [http://code.google.com/p/webgoat/downloads/list Google]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list].<br />
<br />
Thanks to [http://www.ouncelabs.com Ounce Labs] for allowing me time to work on and run the WebGoat project during my day job!<br />
<br />
== Project Sponsors ==<br />
<br />
The WebGoat project is sponsored by <br />
[http://www.aspectsecurity.com https://www.owasp.org/images/3/30/100px-Aspect_Security_Logo.jpg]<br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP Download]]<br />
[[Category:OWASP Tool]]<br />
[[Category:OWASP Release Quality Tool]]<br />
<br />
__NOTOC__</div>Bmayhewhttps://wiki.owasp.org/index.php?title=Category:OWASP_WebGoat_Project&diff=69400Category:OWASP WebGoat Project2009-09-20T16:46:27Z<p>Bmayhew: </p>
<hr />
<div><webgoat/><br />
{{OWASP Book|1416452}}<br />
<br />
<br />
[[Image:WebGoat-Phishing-XSS-Lesson.JPG|thumb|300px|right|Detailed solution hints]][[Image:WebGoat-Bypass-Access-Control-Lesson.JPG|thumb|300px|right|WebGoat in action]]<br />
'''WebGoat''' is a deliberately insecure J2EE web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.<br />
<br />
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!<br />
<br />
'''To get started, read the [[WebGoat User and Install Guide Table of Contents|WebGoat User and Install Guide]]'''<br />
<br />
<br />
==Goals==<br />
<br />
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.<br />
<br />
The primary goal of the WebGoat project is simple: ''create a de-facto interactive teaching environment for web application security''. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.<br />
<br />
Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.<br />
<br />
== Overview ==<br />
[[Image:WebGoat-Session-Hijack-Lesson.JPG|thumb|300px|right|Performing session hijacking]]<br />
WebGoat is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:<br />
{|<br />
|valign="top"|<br />
* [[Cross-site Scripting (XSS)]]<br />
* Access Control<br />
* [[Race conditions|Thread Safety]]<br />
* [[Unvalidated_Input|Hidden Form Field Manipulation]]<br />
* Parameter Manipulation<br />
* [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]<br />
* Blind [[SQL injection|SQL Injection]]<br />
|valign="top"| <br />
* Numeric SQL Injection<br />
* String SQL Injection<br />
* [[Web Services]]<br />
* [[Improper_Error_Handling|Fail Open Authentication]]<br />
* Dangers of HTML Comments<br />
* ... and many more!<br />
|}<br />
<br />
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]].<br />
<br />
==Downloads==<br />
<br />
The WebGoat downloads are available at [http://code.google.com/p/webgoat/downloads/list WebGoat Google code downloads]. <br />
<br />
You can synch to the current WebGoat source tree at [http://code.google.com/p/webgoat/ Google code].<br />
<br />
<br />
<br />
==Releases==<br />
<br />
You can download older versions of WebGoat from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.<br />
<br />
===WebGoat 5.2 Standard:===<br />
The standard release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server.<br />
* Double-click on webgoat.bat - a Tomcat command window starts<br />
* Browse to http://localhost/WebGoat/attack<br />
<br />
===WebGoat 5.2 Developer (At [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 SourceForge]):===<br />
<br />
'''Note:''' This release is intended to provide an environment for working on the WebGoat labs. If you would like to develop lessons, synch to the baseline at Google code.<br />
<br />
The developer release includes the standard release with the addition of a configured eclipse environment. The developer release is also a download, unzip, and click-to-run release. It works exactly the same as the standard release if you only wish to explore the lessons. However, if you want to perform the labs or use WebGoat in the classroom, use the eclipse.bat to start up a preconfigured WebGoat environment. Detailed instructions are include at the top of the _HOW TO create the WebGoat workspace.txt_ file.<br />
* Extract the Eclipse-Workspace.zip file to the working directory<br />
* Double-click the eclipse.bat file<br />
* In the Eclipse package explorer (top right), right click the WebGoat project and refresh<br />
* In the Eclipse package explorer (top right), right click the Servers project and refresh<br />
* In the Eclipse servers view (bottom), right click LocalHost server and start<br />
* Browse to http://localhost/WebGoat/attack<br />
* Any changes made to the source will automatically compile and redeploy when saved<br />
<br />
Please send all comments to Bruce Mayhew at '''webgoat AT owasp.org''' regarding this release.<br />
<br />
== Movie Solutions ==<br />
<br />
Aung Khant (YGN Ethical Hacker Group) has created a series of movies showing possible solutions to the WebGoat lessons. These training movies can be viewed at <br />
<br />
http://yehg.net/lab/pr0js/training/webgoat.php<br />
<br />
<br />
== Future Development ==<br />
<br />
WebGoat 5.2 - Is now available via svn at google code<br />
<br />
WebGoat 5.3 - Estimated release date: TBD<br />
<br />
If you would like to become a member of the WebGoat source code project hosted at [http://code.google.com/p/webgoat/ Google Code] contact Bruce Mayhew at '''webgoat AT owasp.org'''.<br />
<br />
<br />
'''New Features in 5.2'''<br />
<br />
* Introduction and WebGoat instructions<br />
* Multi Level Login Lesson<br />
* Session Fixation Lesson<br />
* Insecure Login Lesson<br />
* Lesson Solution Videos<br />
* Bug Report Feature<br />
* Many upgrades and minor fixes<br />
<br />
== Project Contributors ==<br />
<br />
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''. WebGoat distributions are currently maintained on [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 SourceForge] and [http://code.google.com/p/webgoat/downloads/list Google]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list].<br />
<br />
Thanks to [http://www.ouncelabs.com Ounce Labs] for allowing me time to work on and run the WebGoat project during my day job!<br />
<br />
== Project Sponsors ==<br />
<br />
The WebGoat project is sponsored by <br />
[http://www.aspectsecurity.com https://www.owasp.org/images/3/30/100px-Aspect_Security_Logo.jpg]<br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP Download]]<br />
[[Category:OWASP Tool]]<br />
[[Category:OWASP Release Quality Tool]]<br />
<br />
__NOTOC__</div>Bmayhewhttps://wiki.owasp.org/index.php?title=Category:OWASP_WebGoat_Project&diff=69399Category:OWASP WebGoat Project2009-09-20T16:45:12Z<p>Bmayhew: </p>
<hr />
<div><webgoat/><br />
{{OWASP Book|1416452}}<br />
<br />
<br />
[[Image:WebGoat-Phishing-XSS-Lesson.JPG|thumb|300px|right|Detailed solution hints]][[Image:WebGoat-Bypass-Access-Control-Lesson.JPG|thumb|300px|right|WebGoat in action]]<br />
'''WebGoat''' is a deliberately insecure J2EE web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.<br />
<br />
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!<br />
<br />
'''To get started, read the [[WebGoat User and Install Guide Table of Contents|WebGoat User and Install Guide]]'''<br />
<br />
==Downloads==<br />
<br />
The WebGoat downloads are available at [http://code.google.com/p/webgoat/downloads/list WebGoat Google code downloads]. <br />
<br />
You can synch to the current WebGoat source tree at [http://code.google.com/p/webgoat/ Google code].<br />
<br />
<br />
==Goals==<br />
<br />
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.<br />
<br />
The primary goal of the WebGoat project is simple: ''create a de-facto interactive teaching environment for web application security''. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.<br />
<br />
Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.<br />
<br />
== Overview ==<br />
[[Image:WebGoat-Session-Hijack-Lesson.JPG|thumb|300px|right|Performing session hijacking]]<br />
WebGoat is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:<br />
{|<br />
|valign="top"|<br />
* [[Cross-site Scripting (XSS)]]<br />
* Access Control<br />
* [[Race conditions|Thread Safety]]<br />
* [[Unvalidated_Input|Hidden Form Field Manipulation]]<br />
* Parameter Manipulation<br />
* [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]<br />
* Blind [[SQL injection|SQL Injection]]<br />
|valign="top"| <br />
* Numeric SQL Injection<br />
* String SQL Injection<br />
* [[Web Services]]<br />
* [[Improper_Error_Handling|Fail Open Authentication]]<br />
* Dangers of HTML Comments<br />
* ... and many more!<br />
|}<br />
<br />
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]].<br />
<br />
<br />
==Releases==<br />
<br />
You can download older versions of WebGoat from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.<br />
<br />
===WebGoat 5.2 Standard:===<br />
The standard release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server.<br />
* Double-click on webgoat.bat - a Tomcat command window starts<br />
* Browse to http://localhost/WebGoat/attack<br />
<br />
===WebGoat 5.2 Developer (At [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 SourceForge]):===<br />
<br />
'''Note:''' This release is intended to provide an environment for working on the WebGoat labs. If you would like to develop lessons, synch to the baseline at Google code.<br />
<br />
The developer release includes the standard release with the addition of a configured eclipse environment. The developer release is also a download, unzip, and click-to-run release. It works exactly the same as the standard release if you only wish to explore the lessons. However, if you want to perform the labs or use WebGoat in the classroom, use the eclipse.bat to start up a preconfigured WebGoat environment. Detailed instructions are include at the top of the _HOW TO create the WebGoat workspace.txt_ file.<br />
* Extract the Eclipse-Workspace.zip file to the working directory<br />
* Double-click the eclipse.bat file<br />
* In the Eclipse package explorer (top right), right click the WebGoat project and refresh<br />
* In the Eclipse package explorer (top right), right click the Servers project and refresh<br />
* In the Eclipse servers view (bottom), right click LocalHost server and start<br />
* Browse to http://localhost/WebGoat/attack<br />
* Any changes made to the source will automatically compile and redeploy when saved<br />
<br />
Please send all comments to Bruce Mayhew at '''webgoat AT owasp.org''' regarding this release.<br />
<br />
== Movie Solutions ==<br />
<br />
Aung Khant (YGN Ethical Hacker Group) has created a series of movies showing possible solutions to the WebGoat lessons. These training movies can be viewed at <br />
<br />
http://yehg.net/lab/pr0js/training/webgoat.php<br />
<br />
<br />
== Future Development ==<br />
<br />
WebGoat 5.2 - Is now available via svn at google code<br />
<br />
WebGoat 5.3 - Estimated release date: TBD<br />
<br />
If you would like to become a member of the WebGoat source code project hosted at [http://code.google.com/p/webgoat/ Google Code] contact Bruce Mayhew at '''webgoat AT owasp.org'''.<br />
<br />
<br />
'''New Features in 5.2'''<br />
<br />
* Introduction and WebGoat instructions<br />
* Multi Level Login Lesson<br />
* Session Fixation Lesson<br />
* Insecure Login Lesson<br />
* Lesson Solution Videos<br />
* Bug Report Feature<br />
* Many upgrades and minor fixes<br />
<br />
== Project Contributors ==<br />
<br />
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''. WebGoat distributions are currently maintained on [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 SourceForge] and [http://code.google.com/p/webgoat/downloads/list Google]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list].<br />
<br />
Thanks to [http://www.ouncelabs.com Ounce Labs] for allowing me time to work on and run the WebGoat project during my day job!<br />
<br />
== Project Sponsors ==<br />
<br />
The WebGoat project is sponsored by <br />
[http://www.aspectsecurity.com https://www.owasp.org/images/3/30/100px-Aspect_Security_Logo.jpg]<br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP Download]]<br />
[[Category:OWASP Tool]]<br />
[[Category:OWASP Release Quality Tool]]<br />
<br />
__NOTOC__</div>Bmayhewhttps://wiki.owasp.org/index.php?title=Category:OWASP_WebGoat_Project&diff=69398Category:OWASP WebGoat Project2009-09-20T16:33:24Z<p>Bmayhew: </p>
<hr />
<div><webgoat/><br />
{{OWASP Book|1416452}}<br />
<br />
<br />
[[Image:WebGoat-Phishing-XSS-Lesson.JPG|thumb|300px|right|Detailed solution hints]][[Image:WebGoat-Bypass-Access-Control-Lesson.JPG|thumb|300px|right|WebGoat in action]]<br />
'''WebGoat''' is a deliberately insecure J2EE web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.<br />
<br />
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!<br />
<br />
'''To get started, read the [[WebGoat User and Install Guide Table of Contents|WebGoat User and Install Guide]]'''<br />
<br />
<br />
<br />
==Goals==<br />
<br />
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.<br />
<br />
The primary goal of the WebGoat project is simple: ''create a de-facto interactive teaching environment for web application security''. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.<br />
<br />
Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.<br />
<br />
== Overview ==<br />
[[Image:WebGoat-Session-Hijack-Lesson.JPG|thumb|300px|right|Performing session hijacking]]<br />
WebGoat is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:<br />
{|<br />
|valign="top"|<br />
* [[Cross-site Scripting (XSS)]]<br />
* Access Control<br />
* [[Race conditions|Thread Safety]]<br />
* [[Unvalidated_Input|Hidden Form Field Manipulation]]<br />
* Parameter Manipulation<br />
* [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]<br />
* Blind [[SQL injection|SQL Injection]]<br />
|valign="top"| <br />
* Numeric SQL Injection<br />
* String SQL Injection<br />
* [[Web Services]]<br />
* [[Improper_Error_Handling|Fail Open Authentication]]<br />
* Dangers of HTML Comments<br />
* ... and many more!<br />
|}<br />
<br />
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]].<br />
<br />
==Downloads==<br />
<br />
The WebGoat downloads are available at [http://code.google.com/p/webgoat/downloads/list WebGoat Google code downloads]. <br />
<br />
You can synch to the current WebGoat source tree at [http://code.google.com/p/webgoat/ Google code].<br />
<br />
==Releases==<br />
<br />
You can download older versions of WebGoat from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.<br />
<br />
===WebGoat 5.2 Standard:===<br />
The standard release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server.<br />
* Double-click on webgoat.bat - a Tomcat command window starts<br />
* Browse to http://localhost/WebGoat/attack<br />
<br />
===WebGoat 5.2 Developer (At [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 SourceForge]):===<br />
<br />
'''Note:''' This release is intended to provide an environment for working on the WebGoat labs. If you would like to develop lessons, synch to the baseline at Google code.<br />
<br />
The developer release includes the standard release with the addition of a configured eclipse environment. The developer release is also a download, unzip, and click-to-run release. It works exactly the same as the standard release if you only wish to explore the lessons. However, if you want to perform the labs or use WebGoat in the classroom, use the eclipse.bat to start up a preconfigured WebGoat environment. Detailed instructions are include at the top of the _HOW TO create the WebGoat workspace.txt_ file.<br />
* Extract the Eclipse-Workspace.zip file to the working directory<br />
* Double-click the eclipse.bat file<br />
* In the Eclipse package explorer (top right), right click the WebGoat project and refresh<br />
* In the Eclipse package explorer (top right), right click the Servers project and refresh<br />
* In the Eclipse servers view (bottom), right click LocalHost server and start<br />
* Browse to http://localhost/WebGoat/attack<br />
* Any changes made to the source will automatically compile and redeploy when saved<br />
<br />
Please send all comments to Bruce Mayhew at '''webgoat AT owasp.org''' regarding this release.<br />
<br />
== Movie Solutions ==<br />
<br />
Aung Khant (YGN Ethical Hacker Group) has created a series of movies showing possible solutions to the WebGoat lessons. These training movies can be viewed at <br />
<br />
http://yehg.net/lab/pr0js/training/webgoat.php<br />
<br />
<br />
== Future Development ==<br />
<br />
WebGoat 5.2 - Is now available via svn at google code<br />
<br />
WebGoat 5.3 - Estimated release date: TBD<br />
<br />
If you would like to become a member of the WebGoat source code project hosted at [http://code.google.com/p/webgoat/ Google Code] contact Bruce Mayhew at '''webgoat AT owasp.org'''.<br />
<br />
<br />
'''New Features in 5.2'''<br />
<br />
* Introduction and WebGoat instructions<br />
* Multi Level Login Lesson<br />
* Session Fixation Lesson<br />
* Insecure Login Lesson<br />
* Lesson Solution Videos<br />
* Bug Report Feature<br />
* Many upgrades and minor fixes<br />
<br />
== Project Contributors ==<br />
<br />
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''. WebGoat distributions are currently maintained on [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 SourceForge] and [http://code.google.com/p/webgoat/downloads/list Google]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list].<br />
<br />
Thanks to [http://www.ouncelabs.com Ounce Labs] for allowing me time to work on and run the WebGoat project during my day job!<br />
<br />
== Project Sponsors ==<br />
<br />
The WebGoat project is sponsored by <br />
[http://www.aspectsecurity.com https://www.owasp.org/images/3/30/100px-Aspect_Security_Logo.jpg]<br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP Download]]<br />
[[Category:OWASP Tool]]<br />
[[Category:OWASP Release Quality Tool]]<br />
<br />
__NOTOC__</div>Bmayhewhttps://wiki.owasp.org/index.php?title=WebGoat_User_Guide_Introduction&diff=63621WebGoat User Guide Introduction2009-06-04T23:03:43Z<p>Bmayhew: </p>
<hr />
<div>[[WebGoat User and Install Guide Table of Contents]]<br />
<br />
==Overview ==<br />
The WebGoatV5 application is designed to illustrate typical security flaws within web-applications. It is intended to teach a structured approach to testing for, and exploiting such vulnerabilities within the context of an Application Security Assessment.<br />
<br />
A full Application Security Assessment testing methodology is being documented by <u>http://www.owasp.org/index.php/OWASP_Testing_Project</u> and this will provide a superset of the issues demonstrated within the WebGoat. If may include a formal design and code review, for example. The WebGoat lessons aim to give practical training and examples relating to the ''Implementation'' ''Review'' phase of the OWASP Web Application Security Testing Methodology.<br />
<br />
The WebGoatv5 Application provides a testing platform for a typical application security assessment. The assessor is given the same information and rights as a typical customer or client of an on-line application.<br />
* The application is web based<br />
* The attack simulations are remote <br />
All of the described techniques may be performed from any connected location.<br />
* The testing is black-box<br />
Source code is not supplied, but it can be viewed and downloaded.<br />
* Credentials and operational information is provided<br />
<br />
Of course, the teaching aspect of WebGoat means that certain information will be revealed that would not typically be available. This makes it possible to guide the tester through an assessment process.<br />
<br />
<br />
The current lesson plans provided in WebGoatv5 include:<br />
<br />
{| border=1<br />
|| HTTP Basics<br />
|-<br />
|| HTTP Splitting and Cache Poisining<br />
|-<br />
|| How to Exploit Thread Safety Problems<br />
|-<br />
|| How to Discover Clues in the HTML<br />
|-<br />
|| How to Exploit Hidden Fields<br />
|-<br />
|| How to Exploit Unchecked Email<br />
|-<br />
|| How to Bypass Client Side JavaScript Validation<br />
|-<br />
|| How to Force Browser Web Resources<br />
|-<br />
|| How to Bypass a Role Based Access Control Scheme<br />
|-<br />
|| How to Bypass a Path Based Access Control Scheme<br />
|-<br />
|| LAB: Role based Access Control<br />
|-<br />
|| Using an Access Control Matrix<br />
|-<br />
|| How to Exploit the Forgot Password Page<br />
|-<br />
|| How to Spoof an Authentication Cookie<br />
|-<br />
|| How to Hijack a Session<br />
|-<br />
|| Basic Authentication<br />
|-<br />
|| LAB: Cross Site Scripting<br />
|-<br />
|| How to Perform Stored Cross Site Scripting (XSS)<br />
|-<br />
|| How to Perform Reflected Cross Site Scripting (XSS)<br />
|-<br />
|| How to Perform Cross Site Trace Attacks (XSS)<br />
|-<br />
|| Buffer Overflow (TBD)<br />
|-<br />
|| [[HTTPOnly]] Test<br />
|-<br />
|| How to Perform Command Injection<br />
|-<br />
|| How to Perform Parameter Injection<br />
|-<br />
|| How to Perform Blind SQL Injection<br />
|-<br />
|| How to Perform Numeric SQL Injection <br />
|-<br />
|| How to Perform String SQL Injection <br />
|-<br />
|| How to Perform Log Spoofing <br />
|-<br />
|| How to Perform XPATH Injection Attacks<br />
|-<br />
|| LAB: SQL Injection<br />
|-<br />
|| How to Bypass a Fail Open Authentication Scheme<br />
|-<br />
|| How to Peform Basic Encoding<br />
|-<br />
|| Denial of Service from Multiple Logins<br />
|-<br />
|| How to Create a SOAP Request<br />
|-<br />
|| How to Perform WSDL Scanning<br />
|-<br />
|| How to Perform Web Service SAX Injection<br />
|-<br />
|| How to Perform Web Service SQL Injection<br />
|-<br />
|| How to Perform DOM Injection Attack <br />
|-<br />
|| How to Perform XML Injection Attacks<br />
|-<br />
|| How to Perform JSON Injection Attack <br />
|-<br />
|| How to Perform Silent Transactions Attacks<br />
|-<br />
|| How to Add a New Lesson<br />
|-<br />
|| The Challenge <br />
|-<br />
|}<br />
<br />
<br />
<br />
Future releases of WebGoat will include more lessons and functionality. Should you have any suggestions for improvement or new lessons please contact [mailto:bill@owasp.org bill@owasp.org] with your ideas.<br />
<br />
<br />
[[WebGoat User and Install Guide Table of Contents]]<br />
<br />
[[Category:OWASP WebGoat Project]]</div>Bmayhewhttps://wiki.owasp.org/index.php?title=OWASP_WebGoat_Project_Roadmap&diff=33931OWASP WebGoat Project Roadmap2008-07-12T19:50:40Z<p>Bmayhew: </p>
<hr />
<div><webgoat/>The project's overall goal is to...<br />
<br />
Be the defacto standard web application security training environment<br />
<br />
In the near term, we are focused on the following tactical goals...<br />
<br />
# Demonstrate most common web application security vulnerabilities<br />
# Increase ease-of-use and expand userbase<br />
# Attract more contributions of lessons<br />
# Revisit existing lesson base to standardize lesson theme.<br />
<br />
Here are the current tasks defined to help us achieve these goals<br />
<br />
'''Architectural'''<br />
* Convert lessons to struts framework (Major effort)<br />
* Rewrite all lessons to follow common theme using common database<br />
* Rewrite user administration to allow better user management (non-hackable)<br />
* Fix Logoff<br />
* Defuse all lessons to disallow inadvertent harm to user's OS <br />
<br />
'''General'''<br />
* General security cleanup. Remove exploits that are not lesson specific<br />
* Denial of service lesson rewrite<br />
* Bypass client side JavaScript lesson rewrite<br />
* Improve using an access control matrix lesson<br />
* Improve encoding basics lesson<br />
* Cross Site Trace (XST) only works in older browsers<br />
* Improve CSRF lesson<br />
<br />
'''New Lessons'''<br />
* Server side forward allows access to WEB-INF resources<br />
* Account enumeration using webscarab<br />
* Buffer overflow<br />
* SQLException lesson - could tie into overall error handling<br />
* XML attacks - Entity recursion, ...<br />
<br />
For more information contact Bruce Mayhew at webgoat at owasp dot org<br />
<br />
[[Category:OWASP WebGoat Project]]</div>Bmayhewhttps://wiki.owasp.org/index.php?title=Category:OWASP_WebGoat_Project&diff=33930Category:OWASP WebGoat Project2008-07-12T19:48:28Z<p>Bmayhew: </p>
<hr />
<div><webgoat/><br />
{{OWASP Book|1416452}}<br />
<br />
<br />
[[Image:WebGoat-Phishing-XSS-Lesson.JPG|thumb|300px|right|Detailed solution hints]][[Image:WebGoat-Bypass-Access-Control-Lesson.JPG|thumb|300px|right|WebGoat in action]]<br />
'''WebGoat''' is a deliberately insecure J2EE web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.<br />
<br />
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!<br />
<br />
'''To get started, read the [[WebGoat User and Install Guide Table of Contents|WebGoat User and Install Guide]]'''<br />
<br />
<br />
<br />
==Goals==<br />
<br />
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.<br />
<br />
The primary goal of the WebGoat project is simple: ''create a de-facto interactive teaching environment for web application security''. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.<br />
<br />
Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.<br />
<br />
== Overview ==<br />
[[Image:WebGoat-Session-Hijack-Lesson.JPG|thumb|300px|right|Performing session hijacking]]<br />
WebGoat is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:<br />
{|<br />
|valign="top"|<br />
* [[Cross Site Scripting]]<br />
* Access Control<br />
* [[Race condition within a thread|Thread Safety]]<br />
* [[Unvalidated_Input|Hidden Form Field Manipulation]]<br />
* Parameter Manipulation<br />
* [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]<br />
* Blind [[SQL injection|SQL Injection]]<br />
|valign="top"| <br />
* Numeric SQL Injection<br />
* String SQL Injection<br />
* [[Web Services]]<br />
* [[Improper_Error_Handling|Fail Open Authentication]]<br />
* Dangers of HTML Comments<br />
* ... and many more!<br />
|}<br />
<br />
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]]. <br />
<br />
== Movie Solutions ==<br />
<br />
Aung Khant (YGN Ethical Hacker Group) has created a series of movies showing possible solutions to the WebGoat lessons. These training movies can be viewed at http://yehg.net/lab/pr0js/training/webgoat.php .<br />
<br />
==Releases==<br />
<br />
You can synch to the current WebGoat source tree at [http://code.google.com/p/webgoat/ Google code].<br />
<br />
The WebGoat distributions are now available at [http://code.google.com/p/webgoat/downloads/list Google code downloads]. <br />
<br />
You can download older versions of WebGoat from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.<br />
<br />
===WebGoat 5.2 Standard:===<br />
The standard release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server.<br />
* Double-click on webgoat.bat - a Tomcat command window starts<br />
* Browse to http://localhost/WebGoat/attack<br />
<br />
===WebGoat 5.2 Developer (At [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 SourceForge]):===<br />
<br />
'''Note:''' This release is intended to provide an environment for working on the WebGoat labs. If you would like to develop lessons, synch to the baseline at Google code.<br />
<br />
The developer release includes the standard release with the addition of a configured eclipse environment. The developer release is also a download, unzip, and click-to-run release. It works exactly the same as the standard release if you only wish to explore the lessons. However, if you want to perform the labs or use WebGoat in the classroom, use the eclipse.bat to start up a preconfigured WebGoat environment. Detailed instructions are include at the top of the _HOW TO create the WebGoat workspace.txt_ file.<br />
* Extract the Eclipse-Workspace.zip file to the working directory<br />
* Double-click the eclipse.bat file<br />
* In the Eclipse package explorer (top right), right click the WebGoat project and refresh<br />
* In the Eclipse package explorer (top right), right click the Servers project and refresh<br />
* In the Eclipse servers view (bottom), right click LocalHost server and start<br />
* Browse to http://localhost/WebGoat/attack<br />
* Any changes made to the source will automatically compile and redeploy when saved<br />
<br />
Please send all comments to Bruce Mayhew at '''webgoat AT owasp.org''' regarding this release.<br />
<br />
== Future Development ==<br />
<br />
WebGoat 5.2 - Is now available via svn at google code<br />
<br />
WebGoat 5.3 - Estimated release date: TBD<br />
<br />
If you would like to become a member of the WebGoat source code project hosted at [http://code.google.com/p/webgoat/ Google Code] contact Bruce Mayhew at '''webgoat AT owasp.org'''.<br />
<br />
<br />
'''New Features in 5.2'''<br />
<br />
* Introduction and WebGoat instructions<br />
* Multi Level Login Lesson<br />
* Session Fixation Lesson<br />
* Insecure Login Lesson<br />
* Lesson Solution Videos<br />
* Bug Report Feature<br />
* Many upgrades and minor fixes<br />
<br />
== Project Contributors ==<br />
<br />
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''. WebGoat distributions are currently maintained on [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 SourceForge] and [http://code.google.com/p/webgoat/downloads/list Google]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list].<br />
<br />
Thanks to [http://www.ouncelabs.com Ounce Labs] for allowing me time to work on and run the WebGoat project during my day job!<br />
<br />
== Project Sponsors ==<br />
<br />
The WebGoat project is sponsored by <br />
[http://www.aspectsecurity.com https://www.owasp.org/images/3/30/100px-Aspect_Security_Logo.jpg]<br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP Download]]<br />
[[Category:OWASP Tool]]<br />
<br />
__NOTOC__</div>Bmayhewhttps://wiki.owasp.org/index.php?title=Category:OWASP_WebGoat_Project&diff=33929Category:OWASP WebGoat Project2008-07-12T19:45:14Z<p>Bmayhew: /* Future Development */</p>
<hr />
<div><webgoat/><br />
{{OWASP Book|1416452}}<br />
<br />
<br />
[[Image:WebGoat-Phishing-XSS-Lesson.JPG|thumb|300px|right|Detailed solution hints]][[Image:WebGoat-Bypass-Access-Control-Lesson.JPG|thumb|300px|right|WebGoat in action]]<br />
'''WebGoat''' is a deliberately insecure J2EE web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.<br />
<br />
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!<br />
<br />
'''To get started, read the [[WebGoat User and Install Guide Table of Contents|WebGoat User and Install Guide]]'''<br />
<br />
<br />
<br />
==Goals==<br />
<br />
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.<br />
<br />
The primary goal of the WebGoat project is simple: ''create a de-facto interactive teaching environment for web application security''. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.<br />
<br />
Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.<br />
<br />
<br />
<br />
== Overview ==<br />
[[Image:WebGoat-Session-Hijack-Lesson.JPG|thumb|300px|right|Performing session hijacking]]<br />
WebGoat is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:<br />
{|<br />
|valign="top"|<br />
* [[Cross Site Scripting]]<br />
* Access Control<br />
* [[Race condition within a thread|Thread Safety]]<br />
* [[Unvalidated_Input|Hidden Form Field Manipulation]]<br />
* Parameter Manipulation<br />
* [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]<br />
* Blind [[SQL injection|SQL Injection]]<br />
|valign="top"| <br />
* Numeric SQL Injection<br />
* String SQL Injection<br />
* [[Web Services]]<br />
* [[Improper_Error_Handling|Fail Open Authentication]]<br />
* Dangers of HTML Comments<br />
* ... and many more!<br />
|}<br />
<br />
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]]. <br />
<br />
== Movie Solutions ==<br />
<br />
Aung Khant (YGN Ethical Hacker Group) has created a series of movies showing possible solutions to the WebGoat lessons. These training movies can be viewed at http://yehg.net/lab/pr0js/training/webgoat.php .<br />
<br />
==Releases==<br />
<br />
You can synch to the current WebGoat source tree at [http://code.google.com/p/webgoat/ Google code].<br />
<br />
The WebGoat distributions are now available at [http://code.google.com/p/webgoat/downloads/list Google code downloads]. <br />
<br />
You can download older versions of WebGoat from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.<br />
<br />
===WebGoat 5.2 Standard:===<br />
The standard release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server.<br />
* Double-click on webgoat.bat - a Tomcat command window starts<br />
* Browse to http://localhost/WebGoat/attack<br />
<br />
===WebGoat 5.2 Developer (At [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 SourceForge]):===<br />
<br />
'''Note:''' This release is intended to provide an environment for working on the WebGoat labs. If you would like to develop lessons, synch to the baseline at Google code.<br />
<br />
The developer release includes the standard release with the addition of a configured eclipse environment. The developer release is also a download, unzip, and click-to-run release. It works exactly the same as the standard release if you only wish to explore the lessons. However, if you want to perform the labs or use WebGoat in the classroom, use the eclipse.bat to start up a preconfigured WebGoat environment. Detailed instructions are include at the top of the _HOW TO create the WebGoat workspace.txt_ file.<br />
* Extract the Eclipse-Workspace.zip file to the working directory<br />
* Double-click the eclipse.bat file<br />
* In the Eclipse package explorer (top right), right click the WebGoat project and refresh<br />
* In the Eclipse package explorer (top right), right click the Servers project and refresh<br />
* In the Eclipse servers view (bottom), right click LocalHost server and start<br />
* Browse to http://localhost/WebGoat/attack<br />
* Any changes made to the source will automatically compile and redeploy when saved<br />
<br />
Please send all comments to Bruce Mayhew at '''webgoat AT owasp.org''' regarding this release.<br />
<br />
== Future Development ==<br />
<br />
WebGoat 5.2 - Is now available via svn at google code<br />
<br />
WebGoat 5.3 - Estimated release date: TBD<br />
<br />
If you would like to become a member of the WebGoat source code project hosted at [http://code.google.com/p/webgoat/ Google Code] contact Bruce Mayhew at '''webgoat AT owasp.org'''.<br />
<br />
<br />
'''New Features in 5.2'''<br />
<br />
* Introduction and WebGoat instructions<br />
* Multi Level Login Lesson<br />
* Session Fixation Lesson<br />
* Insecure Login Lesson<br />
* Lesson Solution Videos<br />
* Bug Report Feature<br />
* Many upgrades and minor fixes<br />
<br />
== Project Contributors ==<br />
<br />
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''. WebGoat distributions are currently maintained on [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 SourceForge] and [http://code.google.com/p/webgoat/downloads/list Google]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list].<br />
<br />
Thanks to [http://www.ouncelabs.com Ounce Labs] for allowing me time to work on and run the WebGoat project during my day job!<br />
<br />
== Project Sponsors ==<br />
<br />
The WebGoat project is sponsored by <br />
[http://www.aspectsecurity.com https://www.owasp.org/images/3/30/100px-Aspect_Security_Logo.jpg]<br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP Download]]<br />
[[Category:OWASP Tool]]<br />
<br />
__NOTOC__</div>Bmayhewhttps://wiki.owasp.org/index.php?title=Category:OWASP_WebGoat_Project&diff=33928Category:OWASP WebGoat Project2008-07-12T19:42:25Z<p>Bmayhew: /* Releases */</p>
<hr />
<div><webgoat/><br />
{{OWASP Book|1416452}}<br />
<br />
<br />
[[Image:WebGoat-Phishing-XSS-Lesson.JPG|thumb|300px|right|Detailed solution hints]][[Image:WebGoat-Bypass-Access-Control-Lesson.JPG|thumb|300px|right|WebGoat in action]]<br />
'''WebGoat''' is a deliberately insecure J2EE web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.<br />
<br />
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!<br />
<br />
'''To get started, read the [[WebGoat User and Install Guide Table of Contents|WebGoat User and Install Guide]]'''<br />
<br />
<br />
<br />
==Goals==<br />
<br />
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.<br />
<br />
The primary goal of the WebGoat project is simple: ''create a de-facto interactive teaching environment for web application security''. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.<br />
<br />
Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.<br />
<br />
<br />
<br />
== Overview ==<br />
[[Image:WebGoat-Session-Hijack-Lesson.JPG|thumb|300px|right|Performing session hijacking]]<br />
WebGoat is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:<br />
{|<br />
|valign="top"|<br />
* [[Cross Site Scripting]]<br />
* Access Control<br />
* [[Race condition within a thread|Thread Safety]]<br />
* [[Unvalidated_Input|Hidden Form Field Manipulation]]<br />
* Parameter Manipulation<br />
* [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]<br />
* Blind [[SQL injection|SQL Injection]]<br />
|valign="top"| <br />
* Numeric SQL Injection<br />
* String SQL Injection<br />
* [[Web Services]]<br />
* [[Improper_Error_Handling|Fail Open Authentication]]<br />
* Dangers of HTML Comments<br />
* ... and many more!<br />
|}<br />
<br />
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]]. <br />
<br />
== Movie Solutions ==<br />
<br />
Aung Khant (YGN Ethical Hacker Group) has created a series of movies showing possible solutions to the WebGoat lessons. These training movies can be viewed at http://yehg.net/lab/pr0js/training/webgoat.php .<br />
<br />
==Releases==<br />
<br />
You can synch to the current WebGoat source tree at [http://code.google.com/p/webgoat/ Google code].<br />
<br />
The WebGoat distributions are now available at [http://code.google.com/p/webgoat/downloads/list Google code downloads]. <br />
<br />
You can download older versions of WebGoat from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.<br />
<br />
===WebGoat 5.2 Standard:===<br />
The standard release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server.<br />
* Double-click on webgoat.bat - a Tomcat command window starts<br />
* Browse to http://localhost/WebGoat/attack<br />
<br />
===WebGoat 5.2 Developer (At [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 SourceForge]):===<br />
<br />
'''Note:''' This release is intended to provide an environment for working on the WebGoat labs. If you would like to develop lessons, synch to the baseline at Google code.<br />
<br />
The developer release includes the standard release with the addition of a configured eclipse environment. The developer release is also a download, unzip, and click-to-run release. It works exactly the same as the standard release if you only wish to explore the lessons. However, if you want to perform the labs or use WebGoat in the classroom, use the eclipse.bat to start up a preconfigured WebGoat environment. Detailed instructions are include at the top of the _HOW TO create the WebGoat workspace.txt_ file.<br />
* Extract the Eclipse-Workspace.zip file to the working directory<br />
* Double-click the eclipse.bat file<br />
* In the Eclipse package explorer (top right), right click the WebGoat project and refresh<br />
* In the Eclipse package explorer (top right), right click the Servers project and refresh<br />
* In the Eclipse servers view (bottom), right click LocalHost server and start<br />
* Browse to http://localhost/WebGoat/attack<br />
* Any changes made to the source will automatically compile and redeploy when saved<br />
<br />
Please send all comments to Bruce Mayhew at '''webgoat AT owasp.org''' regarding this release.<br />
<br />
== Future Development ==<br />
<br />
WebGoat 5.1 - Is now available via svn at google code<br />
<br />
WebGoat 5.2 - Estimated release date: Spring 2008<br />
<br />
If you would like to become a member of the WebGoat source code project hosted at [http://code.google.com/p/webgoat/ Google Code] contact Bruce Mayhew at '''webgoat AT owasp.org'''.<br />
<br />
<br />
'''New Features in 5.1'''<br />
<br />
* Thanks to the OWASP Spring of Code project, Erwin Geirhart has provided a complete solutions guide that is avaliable via a new "show solution" button<br />
<br />
* New database lessons<br />
<br />
* XSS phishing lesson is available via the source code project at Google. Using a standard search feature, your mission is to create a "login" form on the page, steal the user credentials, and post the credentials to the WebGoat Catcher servlet.<br />
<br />
* Catcher servlet. Want to prove your attack works? You can now write lessons where the attack can send sensitive information to the Catcher servlet. The Catcher servlet will write the posted values into the originating lesson's properties file.<br />
<br />
* Documentation. A draft version of how to solve the WebGoat Labs is available at [http://webgoat.googlecode.com/files/Solving%20the%20WebGoat%20Labs%20Draft%20V2.pdf WebGoat Google Code Downloads]<br />
<br />
<br />
<br />
== Project Contributors ==<br />
<br />
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''. WebGoat distributions are currently maintained on [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 SourceForge] and [http://code.google.com/p/webgoat/downloads/list Google]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list].<br />
<br />
Thanks to [http://www.ouncelabs.com Ounce Labs] for allowing me time to work on and run the WebGoat project during my day job!<br />
<br />
== Project Sponsors ==<br />
<br />
The WebGoat project is sponsored by <br />
[http://www.aspectsecurity.com https://www.owasp.org/images/3/30/100px-Aspect_Security_Logo.jpg]<br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP Download]]<br />
[[Category:OWASP Tool]]<br />
<br />
__NOTOC__</div>Bmayhewhttps://wiki.owasp.org/index.php?title=Category:OWASP_WebGoat_Project&diff=29339Category:OWASP WebGoat Project2008-05-13T12:40:54Z<p>Bmayhew: </p>
<hr />
<div><webgoat/><br />
{{OWASP Book|1416452}}<br />
<br />
<br />
[[Image:WebGoat-Phishing-XSS-Lesson.JPG|thumb|300px|right|Detailed solution hints]][[Image:WebGoat-Bypass-Access-Control-Lesson.JPG|thumb|300px|right|WebGoat in action]]<br />
'''WebGoat''' is a deliberately insecure J2EE web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.<br />
<br />
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!<br />
<br />
'''To get started, read the [[WebGoat User and Install Guide Table of Contents|WebGoat User and Install Guide]]'''<br />
<br />
<br />
<br />
==Goals==<br />
<br />
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.<br />
<br />
The primary goal of the WebGoat project is simple: ''create a de-facto interactive teaching environment for web application security''. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.<br />
<br />
Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.<br />
<br />
<br />
<br />
== Overview ==<br />
[[Image:WebGoat-Session-Hijack-Lesson.JPG|thumb|300px|right|Performing session hijacking]]<br />
WebGoat is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:<br />
{|<br />
|valign="top"|<br />
* [[Cross Site Scripting]]<br />
* Access Control<br />
* [[Race condition within a thread|Thread Safety]]<br />
* [[Unvalidated_Input|Hidden Form Field Manipulation]]<br />
* Parameter Manipulation<br />
* [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]<br />
* Blind [[SQL injection|SQL Injection]]<br />
|valign="top"| <br />
* Numeric SQL Injection<br />
* String SQL Injection<br />
* [[Web Services]]<br />
* [[Improper_Error_Handling|Fail Open Authentication]]<br />
* Dangers of HTML Comments<br />
* ... and many more!<br />
|}<br />
<br />
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]]. <br />
<br />
== Movie Solutions ==<br />
<br />
YGN Ethical Hacker Group has created a series of movies showing possible solutions to the WebGoat lessons. These training movies can be viewed at http://yehg.net/lab/pr0js/training/webgoat.php .<br />
<br />
==Releases==<br />
<br />
You can synch to the current WebGoat source tree at[http://code.google.com/p/webgoat/ Google code].<br />
<br />
The WebGoat distributions are now available at [http://code.google.com/p/webgoat/downloads/list Google code downloads]. <br />
<br />
You can download older versions of WebGoat from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.<br />
<br />
===WebGoat 5.2 Beta 1 - For Beta Testers:===<br />
The standard release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server. '''Please use Google Issues for WebGoat to report bugs unless you are on the beta test list.'''<br />
<br />
===WebGoat 5.1 Standard:===<br />
The standard release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server.<br />
* Double-click on webgoat.bat - a Tomcat command window starts<br />
* Browse to http://localhost/WebGoat/attack<br />
<br />
===WebGoat 5.1 Developer (At [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 SourceForge]):===<br />
<br />
'''Note:''' This release is intended to provide an environment for working on the WebGoat labs. If you would like to develop lessons, synch to the baseline at Google code.<br />
<br />
The developer release includes the standard release with the addition of a configured eclipse environment. The developer release is also a download, unzip, and click-to-run release. It works exactly the same as the standard release if you only wish to explore the lessons. However, if you want to perform the labs or use WebGoat in the classroom, use the eclipse.bat to start up a preconfigured WebGoat environment. Detailed instructions are include at the top of the _HOW TO create the WebGoat workspace.txt_ file.<br />
* Extract the Eclipse-Workspace.zip file to the working directory<br />
* Double-click the eclipse.bat file<br />
* In the Eclipse package explorer (top right), right click the WebGoat project and refresh<br />
* In the Eclipse package explorer (top right), right click the Servers project and refresh<br />
* In the Eclipse servers view (bottom), right click LocalHost server and start<br />
* Browse to http://localhost/WebGoat/attack<br />
* Any changes made to the source will automatically compile and redeploy when saved<br />
<br />
Please send all comments to Bruce Mayhew at '''webgoat AT owasp.org''' regarding this release.<br />
<br />
<br />
<br />
== Future Development ==<br />
<br />
WebGoat 5.1 - Is now available via svn at google code<br />
<br />
WebGoat 5.2 - Estimated release date: Spring 2008<br />
<br />
If you would like to become a member of the WebGoat source code project hosted at [http://code.google.com/p/webgoat/ Google Code] contact Bruce Mayhew at '''webgoat AT owasp.org'''.<br />
<br />
<br />
'''New Features in 5.1'''<br />
<br />
* Thanks to the OWASP Spring of Code project, Erwin Geirhart has provided a complete solutions guide that is avaliable via a new "show solution" button<br />
<br />
* New database lessons<br />
<br />
* XSS phishing lesson is available via the source code project at Google. Using a standard search feature, your mission is to create a "login" form on the page, steal the user credentials, and post the credentials to the WebGoat Catcher servlet.<br />
<br />
* Catcher servlet. Want to prove your attack works? You can now write lessons where the attack can send sensitive information to the Catcher servlet. The Catcher servlet will write the posted values into the originating lesson's properties file.<br />
<br />
* Documentation. A draft version of how to solve the WebGoat Labs is available at [http://webgoat.googlecode.com/files/Solving%20the%20WebGoat%20Labs%20Draft%20V2.pdf WebGoat Google Code Downloads]<br />
<br />
<br />
<br />
== Project Contributors ==<br />
<br />
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''. WebGoat distributions are currently maintained on [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 SourceForge] and [http://code.google.com/p/webgoat/downloads/list Google]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list].<br />
<br />
Thanks to [http://www.ouncelabs.com Ounce Labs] for allowing me time to work on and run the WebGoat project during my day job!<br />
<br />
== Project Sponsors ==<br />
<br />
The WebGoat project is sponsored by <br />
[http://www.aspectsecurity.com https://www.owasp.org/images/3/30/100px-Aspect_Security_Logo.jpg]<br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP Download]]<br />
[[Category:OWASP Tool]]<br />
<br />
__NOTOC__</div>Bmayhewhttps://wiki.owasp.org/index.php?title=Category:OWASP_WebGoat_Project&diff=29338Category:OWASP WebGoat Project2008-05-13T12:35:07Z<p>Bmayhew: /* Project Contributors */</p>
<hr />
<div><webgoat/><br />
{{OWASP Book|1416452}}<br />
<br />
<br />
[[Image:WebGoat-Phishing-XSS-Lesson.JPG|thumb|300px|right|Detailed solution hints]][[Image:WebGoat-Bypass-Access-Control-Lesson.JPG|thumb|300px|right|WebGoat in action]]<br />
'''WebGoat''' is a deliberately insecure J2EE web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.<br />
<br />
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!<br />
<br />
'''To get started, read the [[WebGoat User and Install Guide Table of Contents|WebGoat User and Install Guide]]'''<br />
<br />
<br />
<br />
==Goals==<br />
<br />
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.<br />
<br />
The primary goal of the WebGoat project is simple: ''create a de-facto interactive teaching environment for web application security''. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.<br />
<br />
Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.<br />
<br />
<br />
<br />
== Overview ==<br />
[[Image:WebGoat-Session-Hijack-Lesson.JPG|thumb|300px|right|Performing session hijacking]]<br />
WebGoat is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:<br />
{|<br />
|valign="top"|<br />
* [[Cross Site Scripting]]<br />
* Access Control<br />
* [[Race condition within a thread|Thread Safety]]<br />
* [[Unvalidated_Input|Hidden Form Field Manipulation]]<br />
* Parameter Manipulation<br />
* [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]<br />
* Blind [[SQL injection|SQL Injection]]<br />
|valign="top"| <br />
* Numeric SQL Injection<br />
* String SQL Injection<br />
* [[Web Services]]<br />
* [[Improper_Error_Handling|Fail Open Authentication]]<br />
* Dangers of HTML Comments<br />
* ... and many more!<br />
|}<br />
<br />
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]]. <br />
<br />
== Movie Solutions ==<br />
<br />
YGN Ethical Hacker Group has created a series of movies showing possible solutions to the WebGoat lessons. These training movies can be viewed at http://yehg.net/lab/pr0js/training/webgoat.php .<br />
<br />
==Releases==<br />
<br />
You can synch to the current WebGoat source tree at[http://code.google.com/p/webgoat/ Google code].<br />
<br />
The WebGoat distributions are now available at [http://code.google.com/p/webgoat/downloads/list Google code downloads]. <br />
<br />
You can download older versions of WebGoat from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.<br />
<br />
===WebGoat 5.2 Beta 1 - For Beta Testers:===<br />
The standard release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server. '''Please use Google Issues for WebGoat to report bugs unless you are on the beta test list.'''<br />
<br />
===WebGoat 5.1 Standard:===<br />
The standard release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server.<br />
* Double-click on webgoat.bat - a Tomcat command window starts<br />
* Browse to http://localhost/WebGoat/attack<br />
<br />
===WebGoat 5.1 Developer (At SourceForge):===<br />
<br />
'''Note:''' This release is intended to provide an environment for working on the WebGoat labs. If you would like to develop lessons, synch to the baseline at Google code.<br />
<br />
The developer release includes the standard release with the addition of a configured eclipse environment. The developer release is also a download, unzip, and click-to-run release. It works exactly the same as the standard release if you only wish to explore the lessons. However, if you want to perform the labs or use WebGoat in the classroom, use the eclipse.bat to start up a preconfigured WebGoat environment. Detailed instructions are include at the top of the _HOW TO create the WebGoat workspace.txt_ file.<br />
* Extract the Eclipse-Workspace.zip file to the working directory<br />
* Double-click the eclipse.bat file<br />
* In the Eclipse package explorer (top right), right click the WebGoat project and refresh<br />
* In the Eclipse package explorer (top right), right click the Servers project and refresh<br />
* In the Eclipse servers view (bottom), right click LocalHost server and start<br />
* Browse to http://localhost/WebGoat/attack<br />
* Any changes made to the source will automatically compile and redeploy when saved<br />
<br />
Please send all comments to Bruce Mayhew at '''webgoat AT owasp.org''' regarding this release.<br />
<br />
<br />
<br />
== Future Development ==<br />
<br />
WebGoat 5.1 - Is now available via svn at google code<br />
<br />
WebGoat 5.2 - Estimated release date: Spring 2008<br />
<br />
If you would like to become a member of the WebGoat source code project hosted at [http://code.google.com/p/webgoat/ Google Code] contact Bruce Mayhew at '''webgoat AT owasp.org'''.<br />
<br />
<br />
'''New Features in 5.1'''<br />
<br />
* Thanks to the OWASP Spring of Code project, Erwin Geirhart has provided a complete solutions guide that is avaliable via a new "show solution" button<br />
<br />
* New database lessons<br />
<br />
* XSS phishing lesson is available via the source code project at Google. Using a standard search feature, your mission is to create a "login" form on the page, steal the user credentials, and post the credentials to the WebGoat Catcher servlet.<br />
<br />
* Catcher servlet. Want to prove your attack works? You can now write lessons where the attack can send sensitive information to the Catcher servlet. The Catcher servlet will write the posted values into the originating lesson's properties file.<br />
<br />
* Documentation. A draft version of how to solve the WebGoat Labs is available at [http://webgoat.googlecode.com/files/Solving%20the%20WebGoat%20Labs%20Draft%20V2.pdf WebGoat Google Code Downloads]<br />
<br />
<br />
<br />
== Project Contributors ==<br />
<br />
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''. WebGoat distributions are currently maintained on [[http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 SourceForge]] and [[http://code.google.com/p/webgoat/downloads/list Google]]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [[http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list]].<br />
<br />
Thanks to [http://www.ouncelabs.com Ounce Labs] for allowing me time to work on and run the WebGoat project during my day job!<br />
<br />
== Project Sponsors ==<br />
<br />
The WebGoat project is sponsored by <br />
[http://www.aspectsecurity.com https://www.owasp.org/images/3/30/100px-Aspect_Security_Logo.jpg]<br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP Download]]<br />
[[Category:OWASP Tool]]<br />
<br />
__NOTOC__</div>Bmayhewhttps://wiki.owasp.org/index.php?title=Category:OWASP_WebGoat_Project&diff=29337Category:OWASP WebGoat Project2008-05-13T12:31:28Z<p>Bmayhew: </p>
<hr />
<div><webgoat/><br />
{{OWASP Book|1416452}}<br />
<br />
<br />
[[Image:WebGoat-Phishing-XSS-Lesson.JPG|thumb|300px|right|Detailed solution hints]][[Image:WebGoat-Bypass-Access-Control-Lesson.JPG|thumb|300px|right|WebGoat in action]]<br />
'''WebGoat''' is a deliberately insecure J2EE web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.<br />
<br />
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!<br />
<br />
'''To get started, read the [[WebGoat User and Install Guide Table of Contents|WebGoat User and Install Guide]]'''<br />
<br />
<br />
<br />
==Goals==<br />
<br />
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.<br />
<br />
The primary goal of the WebGoat project is simple: ''create a de-facto interactive teaching environment for web application security''. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.<br />
<br />
Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.<br />
<br />
<br />
<br />
== Overview ==<br />
[[Image:WebGoat-Session-Hijack-Lesson.JPG|thumb|300px|right|Performing session hijacking]]<br />
WebGoat is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:<br />
{|<br />
|valign="top"|<br />
* [[Cross Site Scripting]]<br />
* Access Control<br />
* [[Race condition within a thread|Thread Safety]]<br />
* [[Unvalidated_Input|Hidden Form Field Manipulation]]<br />
* Parameter Manipulation<br />
* [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]<br />
* Blind [[SQL injection|SQL Injection]]<br />
|valign="top"| <br />
* Numeric SQL Injection<br />
* String SQL Injection<br />
* [[Web Services]]<br />
* [[Improper_Error_Handling|Fail Open Authentication]]<br />
* Dangers of HTML Comments<br />
* ... and many more!<br />
|}<br />
<br />
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]]. <br />
<br />
== Movie Solutions ==<br />
<br />
YGN Ethical Hacker Group has created a series of movies showing possible solutions to the WebGoat lessons. These training movies can be viewed at http://yehg.net/lab/pr0js/training/webgoat.php .<br />
<br />
==Releases==<br />
<br />
You can synch to the current WebGoat source tree at[http://code.google.com/p/webgoat/ Google code].<br />
<br />
The WebGoat distributions are now available at [http://code.google.com/p/webgoat/downloads/list Google code downloads]. <br />
<br />
You can download older versions of WebGoat from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.<br />
<br />
===WebGoat 5.2 Beta 1 - For Beta Testers:===<br />
The standard release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server. '''Please use Google Issues for WebGoat to report bugs unless you are on the beta test list.'''<br />
<br />
===WebGoat 5.1 Standard:===<br />
The standard release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server.<br />
* Double-click on webgoat.bat - a Tomcat command window starts<br />
* Browse to http://localhost/WebGoat/attack<br />
<br />
===WebGoat 5.1 Developer (At SourceForge):===<br />
<br />
'''Note:''' This release is intended to provide an environment for working on the WebGoat labs. If you would like to develop lessons, synch to the baseline at Google code.<br />
<br />
The developer release includes the standard release with the addition of a configured eclipse environment. The developer release is also a download, unzip, and click-to-run release. It works exactly the same as the standard release if you only wish to explore the lessons. However, if you want to perform the labs or use WebGoat in the classroom, use the eclipse.bat to start up a preconfigured WebGoat environment. Detailed instructions are include at the top of the _HOW TO create the WebGoat workspace.txt_ file.<br />
* Extract the Eclipse-Workspace.zip file to the working directory<br />
* Double-click the eclipse.bat file<br />
* In the Eclipse package explorer (top right), right click the WebGoat project and refresh<br />
* In the Eclipse package explorer (top right), right click the Servers project and refresh<br />
* In the Eclipse servers view (bottom), right click LocalHost server and start<br />
* Browse to http://localhost/WebGoat/attack<br />
* Any changes made to the source will automatically compile and redeploy when saved<br />
<br />
Please send all comments to Bruce Mayhew at '''webgoat AT owasp.org''' regarding this release.<br />
<br />
<br />
<br />
== Future Development ==<br />
<br />
WebGoat 5.1 - Is now available via svn at google code<br />
<br />
WebGoat 5.2 - Estimated release date: Spring 2008<br />
<br />
If you would like to become a member of the WebGoat source code project hosted at [http://code.google.com/p/webgoat/ Google Code] contact Bruce Mayhew at '''webgoat AT owasp.org'''.<br />
<br />
<br />
'''New Features in 5.1'''<br />
<br />
* Thanks to the OWASP Spring of Code project, Erwin Geirhart has provided a complete solutions guide that is avaliable via a new "show solution" button<br />
<br />
* New database lessons<br />
<br />
* XSS phishing lesson is available via the source code project at Google. Using a standard search feature, your mission is to create a "login" form on the page, steal the user credentials, and post the credentials to the WebGoat Catcher servlet.<br />
<br />
* Catcher servlet. Want to prove your attack works? You can now write lessons where the attack can send sensitive information to the Catcher servlet. The Catcher servlet will write the posted values into the originating lesson's properties file.<br />
<br />
* Documentation. A draft version of how to solve the WebGoat Labs is available at [http://webgoat.googlecode.com/files/Solving%20the%20WebGoat%20Labs%20Draft%20V2.pdf WebGoat Google Code Downloads]<br />
<br />
<br />
<br />
== Project Contributors ==<br />
<br />
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''. WebGoat distributions are currently maintained on [[http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 SourceForge]] and [[http://code.google.com/p/webgoat/downloads/list Google]]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [[http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list]].<br />
<br />
<br />
<br />
== Project Sponsors ==<br />
<br />
The WebGoat project is sponsored by <br />
[http://www.aspectsecurity.com https://www.owasp.org/images/3/30/100px-Aspect_Security_Logo.jpg]<br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP Download]]<br />
[[Category:OWASP Tool]]<br />
<br />
__NOTOC__</div>Bmayhewhttps://wiki.owasp.org/index.php?title=Using_WebGoat&diff=26087Using WebGoat2008-02-28T20:23:50Z<p>Bmayhew: </p>
<hr />
<div><webgoat/>Having identified the objectives and required tools, we may now get started with the WebGoat lessons.<br />
<br />
<br />
[[WebGoat User Guide Table of Contents]]<br />
[[Category:OWASP WebGoat Project]]</div>Bmayhewhttps://wiki.owasp.org/index.php?title=WebGoat_Getting_Started&diff=26086WebGoat Getting Started2008-02-28T20:22:39Z<p>Bmayhew: </p>
<hr />
<div><webgoat/>[[WebGoat User Guide Table of Contents]]<br />
__TOC__<br />
<br />
<br />
In order to start using WebGoat, Tomcat must be launched using the startup script/bat in the Tomcat bin directory. <br />
For WebGoat to operate it must have permission to run as a server and allow some uncommon web behavior. When WebGoat is running it will make the host machine vulnerable to attack.<br />
<br />
If the machine is connected to the internet it should be disconnected. <br />
<br />
Running a personal firewall may prevent WebGoat from operating correctly. Disable any personal firewall while running WebGoat.<br />
<br />
From a browser, the Tomcat server can be accessed on localhost port 80, e.g. <u>http://127.0.0.1</u><br />
<br />
WebGoat resides in the WebGoat directory, and the lessons can be found at: <u>http://127.0.0.1/WebGoat/attack</u>. <br />
<br />
The WebGoat application enforces role based security. A login dialog requests credentials. Login as userid=guest, password=guest.<br />
<br />
[[Image:WebGoat Sign In Page.gif|none|thumb|300px|Figure 1. Sign In Page]]<br />
<br />
After a successful login the Tomcat server will show the WebGoat welcome page.<br />
<br />
[[Image:WebGoat Welcome Page.gif|none|Figure 2. Welcome Page]]<br />
<br />
<br />
[[WebGoat User Guide Table of Contents]]<br />
[[Category:OWASP WebGoat Project]]</div>Bmayhewhttps://wiki.owasp.org/index.php?title=WebGoat_Installation&diff=26085WebGoat Installation2008-02-28T20:21:17Z<p>Bmayhew: </p>
<hr />
<div><webgoat/>[[WebGoat User Guide Table of Contents]]<br />
__TOC__<br />
<br />
WebGoat is a platform independent environment.<br />
It utilizes Apache Tomcat and the JAVA development environment.<br />
Installers are provided for Microsoft Windows and UN*X environments, together with notes for installation on other platforms.<br />
<br />
==Installing Java and Tomcat ==<br />
===Installing Java===<br />
# Install and deploy the approprite version from http://java.sun.com/downloads/ (1.4.1 or later)<br />
<br />
===Installing Tomcat===<br />
# Install and deploy core Tomcat from http://tomcat.apache.org/download-55.cgi<br />
<br />
==Installing to Windows ==<br />
# Unzip the Windows_WebGoat-x.x.zip to your working environment <br />
# To start Tomcat, browse to the WebGoat directory unzipped above and double click "webgoat.bat"<br />
# Start your browser and browse to: <u>http://localhost/WebGoat/attack</u> This link is case-sensitive. Make sure to use a large ‘W’ and ‘G’.<br />
<br />
==Installing to Linux ==<br />
# Unzip the Unix_WebGoat-x.x.zip to your working directory<br />
# Edit the following line in webgoat.sh, set JAVA_HOME to your JDK1.5 path. <br />
JAVA_HOME="SET ME TO YOUR JAVA 1.5 JDK PATH"<br />
# Since the latest version runs on a privileged port, you will need to start/stop WebGoat as root.<br />
<br />
sudo sh webgoat.sh start<br />
sudo sh webgoat.sh stop<br />
<br />
==Installing to OS X (Tiger 10.4+) ==<br />
# Unzip the Unix_WebGoat-x.x.zip to your working directory<br />
# Since the latest version runs on a privileged port, you will need to start/stop WebGoat as root.<br />
<br />
sudo sh webgoat.sh start<br />
sudo sh webgoat.sh stop<br />
<br />
==Installing on FreeBSD ==<br />
# Install Tomcat and Java from the ports collection<br />
cd /usr/ports/www/tomcat55<br />
sudo make install<br />
# You will be required to manually download the Java JDK to install it. Instructions are given by the ports system about when and how to do this. The URL looks like this:<br />
http://www.FreeBSDFoundation.org/cgi-bin/download?download=diablo-caffe-freebsd6-i386-1.5.0_07-b01.tar.bz2<br />
# Unzip the Unix_WebGoat-x.x.zip to your working directory<br />
# Since the latest version runs on a privileged port, you will need to start/stop WebGoat as root.<br />
<br />
sudo sh webgoat.sh start<br />
sudo sh webgoat.sh stop<br />
<br />
==Running ==<br />
# Start your browser and browse to: <u>http://localhost/WebGoat/attack</u>. Notice the capital 'W' and 'G'<br />
# Login in as: user = guest, password = guest<br />
<br />
==Building ==<br />
Skip these instructions if you are only interested in running WebGoat.<br />
<br />
WebGoat is built using eclipse WTP 1.5.x. Please read the instructions at [http://webgoat.googlecode.com/svn/trunk/%20webgoat/main/HOW%20TO%20create%20the%20WebGoat%20workspace.txt Goodle code] to build the WebGoat application.<br />
<br />
Return to the [[WebGoat User Guide Table of Contents]]<br />
[[Category:OWASP WebGoat Project]]</div>Bmayhewhttps://wiki.owasp.org/index.php?title=WebGoat_User_and_Install_Guide_Table_of_Contents&diff=26084WebGoat User and Install Guide Table of Contents2008-02-28T20:20:07Z<p>Bmayhew: </p>
<hr />
<div><webgoat/><br />
*'''Contents'''<br />
*#[[WebGoat User Guide Frontispiece |Frontispiece]]<br />
*#[[WebGoat User Guide Introduction |Introduction]]<br />
*#*[[WebGoat User Guide Introduction#Overview |Overview]]<br />
*#[[WebGoat User Guide Objectives | Objectives]]<br />
*#[[Tools required]]<br />
*#*[[Tools_required#Application Assessment Proxy | Application Assessment Proxy]]<br />
*#*[[Tools_required#Application Spider | Application Spider]]<br />
*# [[Using WebGoat]]<br />
*# [[WebGoat Installation | Installation]]<br />
*#* [[WebGoat Installation#Installing Java and Tomcat|Installing Java and Tomcat]]<br />
*#* [[WebGoat Installation#Installing to Windows|Installing to Windows]]<br />
*#* [[WebGoat Installation#Installing to Linux|Installing to Linux]]<br />
*#* [[WebGoat Installation#Installing to OS X|Installing to OS X]] (Tiger 10.4+)<br />
*#* [[WebGoat Installation#Installing on FreeBSD|Installing on FreeBSD]]<br />
*#* [[WebGoat Installation#Running |Running ]]<br />
*#* [[WebGoat Installation#Building |Building]]<br />
*# [[WebGoat Getting Started |Getting Started]]<br />
*# [[Lesson Plans]]<br />
*# [[Basic Operation]]<br />
*# [[Proxy Utilization]]<br />
*# [[Ready to Go!]]<br />
*# [[How to write a new WebGoat lesson]]<br />
*#*[[How to write a new WebGoat lesson#Step 1: Set up the framework|Step 1: Set up the framework]]<br />
*#*[[How to write a new WebGoat lesson#Step 2: Implement createContent|Step 2: Implement createContent]]<br />
*#*[[How to write a new WebGoat lesson#Step 3: Implement the other methods|Step 3: Implement the other methods]]<br />
*#*[[How to write a new WebGoat lesson#Step 4: Build and test|Step 4: Build and test]] <this must have changed in v4><br />
*#*[[How to write a new WebGoat lesson#Step 5: Give back to the community|Step 5: Give back to the community]]<br />
<br />
<br />
[[Category:OWASP WebGoat Project]]</div>Bmayhewhttps://wiki.owasp.org/index.php?title=OWASP_WebGoat_Project_Roadmap&diff=26083OWASP WebGoat Project Roadmap2008-02-28T20:19:10Z<p>Bmayhew: </p>
<hr />
<div><webgoat/>The project's overall goal is to...<br />
<br />
Be the defacto standard web application security training environment<br />
<br />
In the near term, we are focused on the following tactical goals...<br />
<br />
# Demonstrate most common web application security vulnerabilities<br />
# Increase ease-of-use and expand userbase<br />
# Attract more contributions of lessons<br />
# Revisit existing lesson base to standardize lesson theme.<br />
<br />
Here are the current tasks defined to help us achieve these goals<br />
<br />
'''Architectural'''<br />
* Convert lessons to struts framework (Major effort)<br />
* Rewrite all lessons to follow common theme using common database<br />
* Rewrite user administration to allow better user management (non-hackable)<br />
* Fix Logoff<br />
* Defuse all lessons to disallow inadvertent harm to user's OS <br />
<br />
'''General'''<br />
* General security cleanup. Remove exploits that are not lesson specific<br />
* Denial of service lesson rewrite<br />
* Bypass client side javascript lesson rewrite<br />
* Improve using an access control matrix lesson<br />
* Improve encoding basics lesson<br />
* Improve thread safety lesson<br />
* Cross site trace only works in older browsers<br />
* Improve CSRF lesson<br />
<br />
'''New Lessons'''<br />
* Server side forward allows access to WEB-INF resources<br />
* Account enumeration using webscarab<br />
* Buffer overflow<br />
* SQLException lesson - could tie into overall error handling<br />
* XML attacks - Entity recursion, ...<br />
<br />
For more information contact Bruce Mayhew at webgoat at owasp dot org<br />
<br />
[[Category:OWASP WebGoat Project]]</div>Bmayhewhttps://wiki.owasp.org/index.php?title=Category:OWASP_WebGoat_Project&diff=24564Category:OWASP WebGoat Project2008-01-18T18:18:15Z<p>Bmayhew: </p>
<hr />
<div>[[Image:WebGoat-Phishing-XSS-Lesson.JPG|thumb|300px|right|Detailed solution hints]][[Image:WebGoat-Bypass-Access-Control-Lesson.JPG|thumb|300px|right|WebGoat in action]]<br />
'''WebGoat''' is a deliberately insecure J2EE web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.<br />
<br />
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!<br />
<br />
'''To get started, read the [[WebGoat User and Install Guide Table of Contents|WebGoat User and Install Guide]]'''<br />
<br />
<br />
<br />
==Goals==<br />
<br />
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.<br />
<br />
The primary goal of the WebGoat project is simple: ''create a de-facto interactive teaching environment for web application security''. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.<br />
<br />
Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.<br />
<br />
<br />
<br />
== Overview ==<br />
[[Image:WebGoat-Session-Hijack-Lesson.JPG|thumb|300px|right|Performing session hijacking]]<br />
WebGoat is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:<br />
{|<br />
|valign="top"|<br />
* [[Cross Site Scripting]]<br />
* Access Control<br />
* [[Race condition within a thread|Thread Safety]]<br />
* [[Unvalidated_Input|Hidden Form Field Manipulation]]<br />
* Parameter Manipulation<br />
* [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]<br />
* Blind [[SQL injection|SQL Injection]]<br />
|valign="top"| <br />
* Numeric SQL Injection<br />
* String SQL Injection<br />
* [[Web Services]]<br />
* [[Improper_Error_Handling|Fail Open Authentication]]<br />
* Dangers of HTML Comments<br />
* ... and many more!<br />
|}<br />
<br />
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]].<br />
<br />
<br />
<br />
==Releases==<br />
<br />
You can synch to the current WebGoat source tree at[http://code.google.com/p/webgoat/ Google code].<br />
<br />
The WebGoat distributions are now available at [http://code.google.com/p/webgoat/downloads/list Google code downloads]. <br />
<br />
You can download older versions of WebGoat from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.<br />
<br />
<br />
===WebGoat 5.1 Standard:===<br />
The standard release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server.<br />
* Double-click on webgoat.bat - a Tomcat command window starts<br />
* Browse to http://localhost/WebGoat/attack<br />
<br />
===WebGoat 5.1 Developer (Waiting for Google disk quota approval issue 649):===<br />
<br />
'''Note:''' This release is intended to provide an environment for working on the WebGoat labs. If you would like to develop lessons, synch to the baseline at Google code.<br />
<br />
The developer release includes the standard release with the addition of a configured eclipse environment. The developer release is also a download, unzip, and click-to-run release. It works exactly the same as the standard release if you only wish to explore the lessons. However, if you want to perform the labs or use WebGoat in the classroom, use the eclipse.bat to start up a preconfigured WebGoat environment. Detailed instructions are include at the top of the _HOW TO create the WebGoat workspace.txt_ file.<br />
* Extract the Eclipse-Workspace.zip file to the working directory<br />
* Double-click the eclipse.bat file<br />
* In the Eclipse package explorer (top right), right click the WebGoat project and refresh<br />
* In the Eclipse package explorer (top right), right click the Servers project and refresh<br />
* In the Eclipse servers view (bottom), right click LocalHost server and start<br />
* Browse to http://localhost/WebGoat/attack<br />
* Any changes made to the source will automatically compile and redeploy when saved<br />
<br />
Please send all comments to Bruce Mayhew at '''webgoat AT owasp.org''' regarding this release.<br />
<br />
<br />
<br />
== Future Development ==<br />
<br />
WebGoat 5.1 - Is now available via svn at google code<br />
<br />
WebGoat 5.2 - Estimated release date: Spring 2008<br />
<br />
If you would like to become a member of the WebGoat source code project hosted at [http://code.google.com/p/webgoat/ Google Code] contact Bruce Mayhew at '''webgoat AT owasp.org'''.<br />
<br />
<br />
'''New Features in 5.1'''<br />
<br />
* Thanks to the OWASP Spring of Code project, Erwin Geirhart has provided a complete solutions guide that is avaliable via a new "show solution" button<br />
<br />
* New database lessons<br />
<br />
* XSS phishing lesson is available via the source code project at Google. Using a standard search feature, your mission is to create a "login" form on the page, steal the user credentials, and post the credentials to the WebGoat Catcher servlet.<br />
<br />
* Catcher servlet. Want to prove your attack works? You can now write lessons where the attack can send sensitive information to the Catcher servlet. The Catcher servlet will write the posted values into the originating lesson's properties file.<br />
<br />
* Documentation. A draft version of how to solve the WebGoat Labs is available at [http://webgoat.googlecode.com/files/Solving%20the%20WebGoat%20Labs%20Draft%20V2.pdf WebGoat Google Code Downloads]<br />
<br />
<br />
<br />
== Project Contributors ==<br />
<br />
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''. WebGoat distributions are currently maintained on [[http://www.sourceforge.net SourceForge]]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [[http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list]].<br />
<br />
<br />
<br />
== Project Sponsors ==<br />
<br />
The WebGoat project is sponsored by <br />
[http://www.aspectsecurity.com https://www.owasp.org/images/3/30/100px-Aspect_Security_Logo.jpg]<br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP Download]]<br />
[[Category:OWASP Tool]]<br />
<br />
__NOTOC__</div>Bmayhewhttps://wiki.owasp.org/index.php?title=Category:OWASP_WebGoat_Project&diff=24563Category:OWASP WebGoat Project2008-01-18T18:15:33Z<p>Bmayhew: /* WebGoat 5.1 Developer (Waiting for Google disk quota approval issue 649): */</p>
<hr />
<div>[[Image:WebGoat-Phishing-XSS-Lesson.JPG|thumb|300px|right|Detailed solution hints]][[Image:WebGoat-Bypass-Access-Control-Lesson.JPG|thumb|300px|right|WebGoat in action]]<br />
'''WebGoat''' is a deliberately insecure J2EE web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.<br />
<br />
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!<br />
<br />
'''To get started, read the [[WebGoat User and Install Guide Table of Contents|WebGoat User and Install Guide]]'''<br />
<br />
==Goals==<br />
<br />
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.<br />
<br />
The primary goal of the WebGoat project is simple: ''create a de-facto interactive teaching environment for web application security''. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.<br />
<br />
Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.<br />
<br />
<br />
<br />
== Overview ==<br />
[[Image:WebGoat-Session-Hijack-Lesson.JPG|thumb|300px|right|Performing session hijacking]]<br />
WebGoat is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:<br />
{|<br />
|valign="top"|<br />
* [[Cross Site Scripting]]<br />
* Access Control<br />
* [[Race condition within a thread|Thread Safety]]<br />
* [[Unvalidated_Input|Hidden Form Field Manipulation]]<br />
* Parameter Manipulation<br />
* [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]<br />
* Blind [[SQL injection|SQL Injection]]<br />
|valign="top"| <br />
* Numeric SQL Injection<br />
* String SQL Injection<br />
* [[Web Services]]<br />
* [[Improper_Error_Handling|Fail Open Authentication]]<br />
* Dangers of HTML Comments<br />
* ... and many more!<br />
|}<br />
<br />
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]].<br />
<br />
==Releases==<br />
<br />
You can synch to the current WebGoat source tree at[http://code.google.com/p/webgoat/ Google code].<br />
<br />
The WebGoat distributions are now available at [http://code.google.com/p/webgoat/downloads/list Google code downloads]. <br />
<br />
You can download older versions of WebGoat from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.<br />
<br />
<br />
===WebGoat 5.1 Standard:===<br />
The standard release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server.<br />
* Double-click on webgoat.bat - a Tomcat command window starts<br />
* Browse to http://localhost/WebGoat/attack<br />
<br />
===WebGoat 5.1 Developer (Waiting for Google disk quota approval issue 649):===<br />
<br />
'''Note:''' This release is intended to provide an environment for working on the WebGoat labs. If you would like to develop lessons, synch to the baseline at Google code.<br />
<br />
The developer release includes the standard release with the addition of a configured eclipse environment. The developer release is also a download, unzip, and click-to-run release. It works exactly the same as the standard release if you only wish to explore the lessons. However, if you want to perform the labs or use WebGoat in the classroom, use the eclipse.bat to start up a preconfigured WebGoat environment. Detailed instructions are include at the top of the _HOW TO create the WebGoat workspace.txt_ file.<br />
* Extract the Eclipse-Workspace.zip file to the working directory<br />
* Double-click the eclipse.bat file<br />
* In the Eclipse package explorer (top right), right click the WebGoat project and refresh<br />
* In the Eclipse package explorer (top right), right click the Servers project and refresh<br />
* In the Eclipse servers view (bottom), right click LocalHost server and start<br />
* Browse to http://localhost/WebGoat/attack<br />
* Any changes made to the source will automatically compile and redeploy when saved<br />
<br />
Please send all comments to Bruce Mayhew at '''webgoat AT owasp.org''' regarding this release.<br />
<br />
== Future Development ==<br />
<br />
WebGoat 5.1 - Is now available via svn at google code<br />
<br />
WebGoat 5.2 - Estimated release date: Spring 2008<br />
<br />
If you would like to become a member of the WebGoat source code project hosted at [http://code.google.com/p/webgoat/ Google Code] contact Bruce Mayhew at '''webgoat AT owasp.org'''.<br />
<br />
<br />
'''New Features in 5.1'''<br />
<br />
* Thanks to the OWASP Spring of Code project, Erwin Geirhart has provided a complete solutions guide that is avaliable via a new "show solution" button<br />
<br />
* New database lessons<br />
<br />
* XSS phishing lesson is available via the source code project at Google. Using a standard search feature, your mission is to create a "login" form on the page, steal the user credentials, and post the credentials to the WebGoat Catcher servlet.<br />
<br />
* Catcher servlet. Want to prove your attack works? You can now write lessons where the attack can send sensitive information to the Catcher servlet. The Catcher servlet will write the posted values into the originating lesson's properties file.<br />
<br />
* Documentation. A draft version of how to solve the WebGoat Labs is available at [http://webgoat.googlecode.com/files/Solving%20the%20WebGoat%20Labs%20Draft%20V2.pdf WebGoat Google Code Downloads]<br />
<br />
== Project Contributors ==<br />
<br />
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''. WebGoat distributions are currently maintained on [[http://www.sourceforge.net SourceForge]]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [[http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list]].<br />
<br />
== Project Sponsors ==<br />
<br />
The WebGoat project is sponsored by <br />
[http://www.aspectsecurity.com https://www.owasp.org/images/3/30/100px-Aspect_Security_Logo.jpg]<br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP Download]]<br />
[[Category:OWASP Tool]]<br />
<br />
__NOTOC__</div>Bmayhewhttps://wiki.owasp.org/index.php?title=Category:OWASP_WebGoat_Project&diff=24562Category:OWASP WebGoat Project2008-01-18T18:10:22Z<p>Bmayhew: /* Releases */</p>
<hr />
<div>[[Image:WebGoat-Phishing-XSS-Lesson.JPG|thumb|300px|right|Detailed solution hints]][[Image:WebGoat-Bypass-Access-Control-Lesson.JPG|thumb|300px|right|WebGoat in action]]<br />
'''WebGoat''' is a deliberately insecure J2EE web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.<br />
<br />
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!<br />
<br />
'''To get started, read the [[WebGoat User and Install Guide Table of Contents|WebGoat User and Install Guide]]'''<br />
<br />
==Goals==<br />
<br />
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.<br />
<br />
The primary goal of the WebGoat project is simple: ''create a de-facto interactive teaching environment for web application security''. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.<br />
<br />
Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.<br />
<br />
<br />
<br />
== Overview ==<br />
[[Image:WebGoat-Session-Hijack-Lesson.JPG|thumb|300px|right|Performing session hijacking]]<br />
WebGoat is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:<br />
{|<br />
|valign="top"|<br />
* [[Cross Site Scripting]]<br />
* Access Control<br />
* [[Race condition within a thread|Thread Safety]]<br />
* [[Unvalidated_Input|Hidden Form Field Manipulation]]<br />
* Parameter Manipulation<br />
* [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]<br />
* Blind [[SQL injection|SQL Injection]]<br />
|valign="top"| <br />
* Numeric SQL Injection<br />
* String SQL Injection<br />
* [[Web Services]]<br />
* [[Improper_Error_Handling|Fail Open Authentication]]<br />
* Dangers of HTML Comments<br />
* ... and many more!<br />
|}<br />
<br />
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]].<br />
<br />
==Releases==<br />
<br />
You can synch to the current WebGoat source tree at[http://code.google.com/p/webgoat/ Google code].<br />
<br />
The WebGoat distributions are now available at [http://code.google.com/p/webgoat/downloads/list Google code downloads]. <br />
<br />
You can download older versions of WebGoat from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.<br />
<br />
<br />
===WebGoat 5.1 Standard:===<br />
The standard release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server.<br />
* Double-click on webgoat.bat - a Tomcat command window starts<br />
* Browse to http://localhost/WebGoat/attack<br />
<br />
===WebGoat 5.1 Developer (Waiting for Google disk quota approval issue 649):===<br />
The developer release includes the standard release with the addition of a configured eclipse environment. The developer release is also a download, unzip, and click-to-run release. It works exactly the same as the standard release if you only wish to explore the lessons. However, if you want to perform the labs or use WebGoat in the classroom, use the eclipse.bat to start up a preconfigured WebGoat environment. Detailed instructions are include at the top of the _HOW TO create the WebGoat workspace.txt_ file.<br />
* Extract the Eclipse-Workspace.zip file to the working directory<br />
* Double-click the eclipse.bat file<br />
* In the Eclipse package explorer (top right), right click the WebGoat project and refresh<br />
* In the Eclipse package explorer (top right), right click the Servers project and refresh<br />
* In the Eclipse servers view (bottom), right click LocalHost server and start<br />
* Browse to http://localhost/WebGoat/attack<br />
* Any changes made to the source will automatically compile and redeploy when saved<br />
<br />
Please send all comments to Bruce Mayhew at '''webgoat AT owasp.org''' regarding this release.<br />
<br />
== Future Development ==<br />
<br />
WebGoat 5.1 - Is now available via svn at google code<br />
<br />
WebGoat 5.2 - Estimated release date: Spring 2008<br />
<br />
If you would like to become a member of the WebGoat source code project hosted at [http://code.google.com/p/webgoat/ Google Code] contact Bruce Mayhew at '''webgoat AT owasp.org'''.<br />
<br />
<br />
'''New Features in 5.1'''<br />
<br />
* Thanks to the OWASP Spring of Code project, Erwin Geirhart has provided a complete solutions guide that is avaliable via a new "show solution" button<br />
<br />
* New database lessons<br />
<br />
* XSS phishing lesson is available via the source code project at Google. Using a standard search feature, your mission is to create a "login" form on the page, steal the user credentials, and post the credentials to the WebGoat Catcher servlet.<br />
<br />
* Catcher servlet. Want to prove your attack works? You can now write lessons where the attack can send sensitive information to the Catcher servlet. The Catcher servlet will write the posted values into the originating lesson's properties file.<br />
<br />
* Documentation. A draft version of how to solve the WebGoat Labs is available at [http://webgoat.googlecode.com/files/Solving%20the%20WebGoat%20Labs%20Draft%20V2.pdf WebGoat Google Code Downloads]<br />
<br />
== Project Contributors ==<br />
<br />
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''. WebGoat distributions are currently maintained on [[http://www.sourceforge.net SourceForge]]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [[http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list]].<br />
<br />
== Project Sponsors ==<br />
<br />
The WebGoat project is sponsored by <br />
[http://www.aspectsecurity.com https://www.owasp.org/images/3/30/100px-Aspect_Security_Logo.jpg]<br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP Download]]<br />
[[Category:OWASP Tool]]<br />
<br />
__NOTOC__</div>Bmayhewhttps://wiki.owasp.org/index.php?title=Category:OWASP_WebGoat_Project&diff=24561Category:OWASP WebGoat Project2008-01-18T18:08:59Z<p>Bmayhew: /* Download */</p>
<hr />
<div>[[Image:WebGoat-Phishing-XSS-Lesson.JPG|thumb|300px|right|Detailed solution hints]][[Image:WebGoat-Bypass-Access-Control-Lesson.JPG|thumb|300px|right|WebGoat in action]]<br />
'''WebGoat''' is a deliberately insecure J2EE web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.<br />
<br />
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!<br />
<br />
'''To get started, read the [[WebGoat User and Install Guide Table of Contents|WebGoat User and Install Guide]]'''<br />
<br />
==Goals==<br />
<br />
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.<br />
<br />
The primary goal of the WebGoat project is simple: ''create a de-facto interactive teaching environment for web application security''. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.<br />
<br />
Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.<br />
<br />
<br />
<br />
== Overview ==<br />
[[Image:WebGoat-Session-Hijack-Lesson.JPG|thumb|300px|right|Performing session hijacking]]<br />
WebGoat is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:<br />
{|<br />
|valign="top"|<br />
* [[Cross Site Scripting]]<br />
* Access Control<br />
* [[Race condition within a thread|Thread Safety]]<br />
* [[Unvalidated_Input|Hidden Form Field Manipulation]]<br />
* Parameter Manipulation<br />
* [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]<br />
* Blind [[SQL injection|SQL Injection]]<br />
|valign="top"| <br />
* Numeric SQL Injection<br />
* String SQL Injection<br />
* [[Web Services]]<br />
* [[Improper_Error_Handling|Fail Open Authentication]]<br />
* Dangers of HTML Comments<br />
* ... and many more!<br />
|}<br />
<br />
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]].<br />
<br />
==Releases==<br />
===WebGoat 5.1 Standard:===<br />
The standard release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server.<br />
* Double-click on webgoat.bat - a Tomcat command window starts<br />
* Browse to http://localhost/WebGoat/attack<br />
<br />
===WebGoat 5.1 Developer (Waiting for Google disk quota approval issue 649):===<br />
The developer release includes the standard release with the addition of a configured eclipse environment. The developer release is also a download, unzip, and click-to-run release. It works exactly the same as the standard release if you only wish to explore the lessons. However, if you want to perform the labs or use WebGoat in the classroom, use the eclipse.bat to start up a preconfigured WebGoat environment. Detailed instructions are include at the top of the _HOW TO create the WebGoat workspace.txt_ file.<br />
* Extract the Eclipse-Workspace.zip file to the working directory<br />
* Double-click the eclipse.bat file<br />
* In the Eclipse package explorer (top right), right click the WebGoat project and refresh<br />
* In the Eclipse package explorer (top right), right click the Servers project and refresh<br />
* In the Eclipse servers view (bottom), right click LocalHost server and start<br />
* Browse to http://localhost/WebGoat/attack<br />
* Any changes made to the source will automatically compile and redeploy when saved<br />
<br />
Please send all comments to Bruce Mayhew at '''webgoat AT owasp.org''' regarding this release.<br />
<br />
== Future Development ==<br />
<br />
WebGoat 5.1 - Is now available via svn at google code<br />
<br />
WebGoat 5.2 - Estimated release date: Spring 2008<br />
<br />
If you would like to become a member of the WebGoat source code project hosted at [http://code.google.com/p/webgoat/ Google Code] contact Bruce Mayhew at '''webgoat AT owasp.org'''.<br />
<br />
<br />
'''New Features in 5.1'''<br />
<br />
* Thanks to the OWASP Spring of Code project, Erwin Geirhart has provided a complete solutions guide that is avaliable via a new "show solution" button<br />
<br />
* New database lessons<br />
<br />
* XSS phishing lesson is available via the source code project at Google. Using a standard search feature, your mission is to create a "login" form on the page, steal the user credentials, and post the credentials to the WebGoat Catcher servlet.<br />
<br />
* Catcher servlet. Want to prove your attack works? You can now write lessons where the attack can send sensitive information to the Catcher servlet. The Catcher servlet will write the posted values into the originating lesson's properties file.<br />
<br />
* Documentation. A draft version of how to solve the WebGoat Labs is available at [http://webgoat.googlecode.com/files/Solving%20the%20WebGoat%20Labs%20Draft%20V2.pdf WebGoat Google Code Downloads]<br />
<br />
== Project Contributors ==<br />
<br />
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''. WebGoat distributions are currently maintained on [[http://www.sourceforge.net SourceForge]]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [[http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list]].<br />
<br />
== Project Sponsors ==<br />
<br />
The WebGoat project is sponsored by <br />
[http://www.aspectsecurity.com https://www.owasp.org/images/3/30/100px-Aspect_Security_Logo.jpg]<br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP Download]]<br />
[[Category:OWASP Tool]]<br />
<br />
__NOTOC__</div>Bmayhewhttps://wiki.owasp.org/index.php?title=Category:OWASP_WebGoat_Project&diff=24560Category:OWASP WebGoat Project2008-01-18T18:08:28Z<p>Bmayhew: /* Download */</p>
<hr />
<div>[[Image:WebGoat-Phishing-XSS-Lesson.JPG|thumb|300px|right|Detailed solution hints]][[Image:WebGoat-Bypass-Access-Control-Lesson.JPG|thumb|300px|right|WebGoat in action]]<br />
'''WebGoat''' is a deliberately insecure J2EE web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.<br />
<br />
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!<br />
<br />
'''To get started, read the [[WebGoat User and Install Guide Table of Contents|WebGoat User and Install Guide]]'''<br />
<br />
==Goals==<br />
<br />
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.<br />
<br />
The primary goal of the WebGoat project is simple: ''create a de-facto interactive teaching environment for web application security''. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.<br />
<br />
Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.<br />
<br />
==Download==<br />
<br />
You can synch to the WebGoat source code from [http://code.google.com/p/webgoat/ Google code].<br />
<br />
The WebGoat distributions are now available at [http://code.google.com/p/webgoat/downloads/list Google code downloads]. <br />
<br />
You can download WebGoat from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.<br />
<br />
== Overview ==<br />
[[Image:WebGoat-Session-Hijack-Lesson.JPG|thumb|300px|right|Performing session hijacking]]<br />
WebGoat is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:<br />
{|<br />
|valign="top"|<br />
* [[Cross Site Scripting]]<br />
* Access Control<br />
* [[Race condition within a thread|Thread Safety]]<br />
* [[Unvalidated_Input|Hidden Form Field Manipulation]]<br />
* Parameter Manipulation<br />
* [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]<br />
* Blind [[SQL injection|SQL Injection]]<br />
|valign="top"| <br />
* Numeric SQL Injection<br />
* String SQL Injection<br />
* [[Web Services]]<br />
* [[Improper_Error_Handling|Fail Open Authentication]]<br />
* Dangers of HTML Comments<br />
* ... and many more!<br />
|}<br />
<br />
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]].<br />
<br />
==Releases==<br />
===WebGoat 5.1 Standard:===<br />
The standard release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server.<br />
* Double-click on webgoat.bat - a Tomcat command window starts<br />
* Browse to http://localhost/WebGoat/attack<br />
<br />
===WebGoat 5.1 Developer (Waiting for Google disk quota approval issue 649):===<br />
The developer release includes the standard release with the addition of a configured eclipse environment. The developer release is also a download, unzip, and click-to-run release. It works exactly the same as the standard release if you only wish to explore the lessons. However, if you want to perform the labs or use WebGoat in the classroom, use the eclipse.bat to start up a preconfigured WebGoat environment. Detailed instructions are include at the top of the _HOW TO create the WebGoat workspace.txt_ file.<br />
* Extract the Eclipse-Workspace.zip file to the working directory<br />
* Double-click the eclipse.bat file<br />
* In the Eclipse package explorer (top right), right click the WebGoat project and refresh<br />
* In the Eclipse package explorer (top right), right click the Servers project and refresh<br />
* In the Eclipse servers view (bottom), right click LocalHost server and start<br />
* Browse to http://localhost/WebGoat/attack<br />
* Any changes made to the source will automatically compile and redeploy when saved<br />
<br />
Please send all comments to Bruce Mayhew at '''webgoat AT owasp.org''' regarding this release.<br />
<br />
== Future Development ==<br />
<br />
WebGoat 5.1 - Is now available via svn at google code<br />
<br />
WebGoat 5.2 - Estimated release date: Spring 2008<br />
<br />
If you would like to become a member of the WebGoat source code project hosted at [http://code.google.com/p/webgoat/ Google Code] contact Bruce Mayhew at '''webgoat AT owasp.org'''.<br />
<br />
<br />
'''New Features in 5.1'''<br />
<br />
* Thanks to the OWASP Spring of Code project, Erwin Geirhart has provided a complete solutions guide that is avaliable via a new "show solution" button<br />
<br />
* New database lessons<br />
<br />
* XSS phishing lesson is available via the source code project at Google. Using a standard search feature, your mission is to create a "login" form on the page, steal the user credentials, and post the credentials to the WebGoat Catcher servlet.<br />
<br />
* Catcher servlet. Want to prove your attack works? You can now write lessons where the attack can send sensitive information to the Catcher servlet. The Catcher servlet will write the posted values into the originating lesson's properties file.<br />
<br />
* Documentation. A draft version of how to solve the WebGoat Labs is available at [http://webgoat.googlecode.com/files/Solving%20the%20WebGoat%20Labs%20Draft%20V2.pdf WebGoat Google Code Downloads]<br />
<br />
== Project Contributors ==<br />
<br />
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''. WebGoat distributions are currently maintained on [[http://www.sourceforge.net SourceForge]]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [[http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list]].<br />
<br />
== Project Sponsors ==<br />
<br />
The WebGoat project is sponsored by <br />
[http://www.aspectsecurity.com https://www.owasp.org/images/3/30/100px-Aspect_Security_Logo.jpg]<br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP Download]]<br />
[[Category:OWASP Tool]]<br />
<br />
__NOTOC__</div>Bmayhewhttps://wiki.owasp.org/index.php?title=Category:OWASP_WebGoat_Project&diff=24481Category:OWASP WebGoat Project2008-01-15T00:49:36Z<p>Bmayhew: </p>
<hr />
<div>[[Image:WebGoat-Phishing-XSS-Lesson.JPG|thumb|300px|right|Detailed solution hints]][[Image:WebGoat-Bypass-Access-Control-Lesson.JPG|thumb|300px|right|WebGoat in action]]<br />
'''WebGoat''' is a deliberately insecure J2EE web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.<br />
<br />
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!<br />
<br />
'''To get started, read the [[WebGoat User and Install Guide Table of Contents|WebGoat User and Install Guide]]'''<br />
<br />
==Goals==<br />
<br />
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.<br />
<br />
The primary goal of the WebGoat project is simple: ''create a de-facto interactive teaching environment for web application security''. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.<br />
<br />
Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.<br />
<br />
==Download==<br />
<br />
You can download WebGoat from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.<br />
<br />
You can download the WebGoat source code from [http://code.google.com/p/webgoat/ Google code].<br />
<br />
The WebGoat distributions are now available at [http://code.google.com/p/webgoat/downloads/list Google code downloads]. The Windows WebGoat release (unzip, click, and run) is only available at Sourceforge due to file size limits.<br />
<br />
== Overview ==<br />
[[Image:WebGoat-Session-Hijack-Lesson.JPG|thumb|300px|right|Performing session hijacking]]<br />
WebGoat is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:<br />
{|<br />
|valign="top"|<br />
* [[Cross Site Scripting]]<br />
* Access Control<br />
* [[Race condition within a thread|Thread Safety]]<br />
* [[Unvalidated_Input|Hidden Form Field Manipulation]]<br />
* Parameter Manipulation<br />
* [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]<br />
* Blind [[SQL injection|SQL Injection]]<br />
|valign="top"| <br />
* Numeric SQL Injection<br />
* String SQL Injection<br />
* [[Web Services]]<br />
* [[Improper_Error_Handling|Fail Open Authentication]]<br />
* Dangers of HTML Comments<br />
* ... and many more!<br />
|}<br />
<br />
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]].<br />
<br />
==Releases==<br />
===WebGoat 5.1 Standard:===<br />
The standard release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server.<br />
* Double-click on webgoat.bat - a Tomcat command window starts<br />
* Browse to http://localhost/WebGoat/attack<br />
<br />
===WebGoat 5.1 Developer (Waiting for Google disk quota approval issue 649):===<br />
The developer release includes the standard release with the addition of a configured eclipse environment. The developer release is also a download, unzip, and click-to-run release. It works exactly the same as the standard release if you only wish to explore the lessons. However, if you want to perform the labs or use WebGoat in the classroom, use the eclipse.bat to start up a preconfigured WebGoat environment. Detailed instructions are include at the top of the _HOW TO create the WebGoat workspace.txt_ file.<br />
* Extract the Eclipse-Workspace.zip file to the working directory<br />
* Double-click the eclipse.bat file<br />
* In the Eclipse package explorer (top right), right click the WebGoat project and refresh<br />
* In the Eclipse package explorer (top right), right click the Servers project and refresh<br />
* In the Eclipse servers view (bottom), right click LocalHost server and start<br />
* Browse to http://localhost/WebGoat/attack<br />
* Any changes made to the source will automatically compile and redeploy when saved<br />
<br />
Please send all comments to Bruce Mayhew at '''webgoat AT owasp.org''' regarding this release.<br />
<br />
== Future Development ==<br />
<br />
WebGoat 5.1 - Is now available via svn at google code<br />
<br />
WebGoat 5.2 - Estimated release date: Spring 2008<br />
<br />
If you would like to become a member of the WebGoat source code project hosted at [http://code.google.com/p/webgoat/ Google Code] contact Bruce Mayhew at '''webgoat AT owasp.org'''.<br />
<br />
<br />
'''New Features in 5.1'''<br />
<br />
* Thanks to the OWASP Spring of Code project, Erwin Geirhart has provided a complete solutions guide that is avaliable via a new "show solution" button<br />
<br />
* New database lessons<br />
<br />
* XSS phishing lesson is available via the source code project at Google. Using a standard search feature, your mission is to create a "login" form on the page, steal the user credentials, and post the credentials to the WebGoat Catcher servlet.<br />
<br />
* Catcher servlet. Want to prove your attack works? You can now write lessons where the attack can send sensitive information to the Catcher servlet. The Catcher servlet will write the posted values into the originating lesson's properties file.<br />
<br />
* Documentation. A draft version of how to solve the WebGoat Labs is available at [http://webgoat.googlecode.com/files/Solving%20the%20WebGoat%20Labs%20Draft%20V2.pdf WebGoat Google Code Downloads]<br />
<br />
== Project Contributors ==<br />
<br />
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''. WebGoat distributions are currently maintained on [[http://www.sourceforge.net SourceForge]]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [[http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list]].<br />
<br />
== Project Sponsors ==<br />
<br />
The WebGoat project is sponsored by <br />
[http://www.aspectsecurity.com https://www.owasp.org/images/3/30/100px-Aspect_Security_Logo.jpg]<br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP Download]]<br />
[[Category:OWASP Tool]]<br />
<br />
__NOTOC__</div>Bmayhewhttps://wiki.owasp.org/index.php?title=File:WebGoat-Session-Hijack-Lesson.JPG&diff=24480File:WebGoat-Session-Hijack-Lesson.JPG2008-01-15T00:48:28Z<p>Bmayhew: WebGoat session hijack lesson</p>
<hr />
<div>WebGoat session hijack lesson</div>Bmayhewhttps://wiki.owasp.org/index.php?title=File:WebGoat-Bypass-Access-Control-Lesson.JPG&diff=24479File:WebGoat-Bypass-Access-Control-Lesson.JPG2008-01-15T00:44:50Z<p>Bmayhew: WebGoat path based access control</p>
<hr />
<div>WebGoat path based access control</div>Bmayhewhttps://wiki.owasp.org/index.php?title=File:WebGoat-Phishing-XSS-Lesson.JPG&diff=24478File:WebGoat-Phishing-XSS-Lesson.JPG2008-01-15T00:36:32Z<p>Bmayhew: uploaded a new version of "Image:WebGoat-Phishing-XSS-Lesson.JPG": WebGoat phishing lessons with hints</p>
<hr />
<div>WebGoat Phishing example with hints</div>Bmayhewhttps://wiki.owasp.org/index.php?title=File:WebGoat-Phishing-XSS-Lesson.JPG&diff=24477File:WebGoat-Phishing-XSS-Lesson.JPG2008-01-15T00:32:47Z<p>Bmayhew: WebGoat Phishing example with hints</p>
<hr />
<div>WebGoat Phishing example with hints</div>Bmayhewhttps://wiki.owasp.org/index.php?title=Category:OWASP_WebGoat_Project&diff=24476Category:OWASP WebGoat Project2008-01-15T00:07:27Z<p>Bmayhew: /* Future Development */</p>
<hr />
<div>[[Image:Webgoat-xss lesson.jpg|thumb|300px|right|WebGoat in action]]<br />
'''WebGoat''' is a deliberately insecure J2EE web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.<br />
<br />
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!<br />
<br />
'''To get started, read the [[WebGoat User and Install Guide Table of Contents|WebGoat User and Install Guide]]'''<br />
<br />
==Goals==<br />
<br />
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.<br />
<br />
The primary goal of the WebGoat project is simple: ''create a de-facto interactive teaching environment for web application security''. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.<br />
<br />
Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.<br />
<br />
==Download==<br />
<br />
You can download WebGoat from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.<br />
<br />
You can download the WebGoat source code from [http://code.google.com/p/webgoat/ Google code].<br />
<br />
The WebGoat distributions are now available at [http://code.google.com/p/webgoat/downloads/list Google code downloads]. The Windows WebGoat release (unzip, click, and run) is only available at Sourceforge due to file size limits.<br />
<br />
== Overview ==<br />
[[Image:Webgoat-BasicAuth lesson.jpg|thumb|300px|right|The multi-stage Basic Authentication lesson]]<br />
WebGoat is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:<br />
{|<br />
|valign="top"|<br />
* [[Cross Site Scripting]]<br />
* Access Control<br />
* [[Race condition within a thread|Thread Safety]]<br />
* [[Unvalidated_Input|Hidden Form Field Manipulation]]<br />
* Parameter Manipulation<br />
* [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]<br />
* Blind [[SQL injection|SQL Injection]]<br />
|valign="top"| <br />
* Numeric SQL Injection<br />
* String SQL Injection<br />
* [[Web Services]]<br />
* [[Improper_Error_Handling|Fail Open Authentication]]<br />
* Dangers of HTML Comments<br />
* ... and many more!<br />
|}<br />
<br />
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]].<br />
<br />
==Releases==<br />
===WebGoat 5.1 Standard:===<br />
The standard release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server.<br />
* Double-click on webgoat.bat - a Tomcat command window starts<br />
* Browse to http://localhost/WebGoat/attack<br />
<br />
===WebGoat 5.1 Developer (Waiting for Google disk quota approval issue 649):===<br />
The developer release includes the standard release with the addition of a configured eclipse environment. The developer release is also a download, unzip, and click-to-run release. It works exactly the same as the standard release if you only wish to explore the lessons. However, if you want to perform the labs or use WebGoat in the classroom, use the eclipse.bat to start up a preconfigured WebGoat environment. Detailed instructions are include at the top of the _HOW TO create the WebGoat workspace.txt_ file.<br />
* Extract the Eclipse-Workspace.zip file to the working directory<br />
* Double-click the eclipse.bat file<br />
* In the Eclipse package explorer (top right), right click the WebGoat project and refresh<br />
* In the Eclipse package explorer (top right), right click the Servers project and refresh<br />
* In the Eclipse servers view (bottom), right click LocalHost server and start<br />
* Browse to http://localhost/WebGoat/attack<br />
* Any changes made to the source will automatically compile and redeploy when saved<br />
<br />
Please send all comments to Bruce Mayhew at '''webgoat AT owasp.org''' regarding this release.<br />
<br />
== Future Development ==<br />
<br />
WebGoat 5.1 - Is now available via svn at google code<br />
<br />
WebGoat 5.2 - Estimated release date: Spring 2008<br />
<br />
If you would like to become a member of the WebGoat source code project hosted at [http://code.google.com/p/webgoat/ Google Code] contact Bruce Mayhew at '''webgoat AT owasp.org'''.<br />
<br />
<br />
'''New Features in 5.1'''<br />
<br />
* Thanks to the OWASP Spring of Code project, Erwin Geirhart has provided a complete solutions guide that is avaliable via a new "show solution" button<br />
<br />
* New database lessons<br />
<br />
* XSS phishing lesson is available via the source code project at Google. Using a standard search feature, your mission is to create a "login" form on the page, steal the user credentials, and post the credentials to the WebGoat Catcher servlet.<br />
<br />
* Catcher servlet. Want to prove your attack works? You can now write lessons where the attack can send sensitive information to the Catcher servlet. The Catcher servlet will write the posted values into the originating lesson's properties file.<br />
<br />
* Documentation. A draft version of how to solve the WebGoat Labs is available at [http://webgoat.googlecode.com/files/Solving%20the%20WebGoat%20Labs%20Draft%20V2.pdf WebGoat Google Code Downloads]<br />
<br />
== Project Contributors ==<br />
<br />
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''. WebGoat distributions are currently maintained on [[http://www.sourceforge.net SourceForge]]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [[http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list]].<br />
<br />
== Project Sponsors ==<br />
<br />
The WebGoat project is sponsored by <br />
[http://www.aspectsecurity.com https://www.owasp.org/images/3/30/100px-Aspect_Security_Logo.jpg]<br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP Download]]<br />
[[Category:OWASP Tool]]<br />
<br />
__NOTOC__</div>Bmayhewhttps://wiki.owasp.org/index.php?title=Category:OWASP_WebGoat_Project&diff=24475Category:OWASP WebGoat Project2008-01-15T00:06:04Z<p>Bmayhew: /* WebGoat 5.1 Developer (Waiting for Google disk quota approval issue 649): */</p>
<hr />
<div>[[Image:Webgoat-xss lesson.jpg|thumb|300px|right|WebGoat in action]]<br />
'''WebGoat''' is a deliberately insecure J2EE web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.<br />
<br />
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!<br />
<br />
'''To get started, read the [[WebGoat User and Install Guide Table of Contents|WebGoat User and Install Guide]]'''<br />
<br />
==Goals==<br />
<br />
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.<br />
<br />
The primary goal of the WebGoat project is simple: ''create a de-facto interactive teaching environment for web application security''. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.<br />
<br />
Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.<br />
<br />
==Download==<br />
<br />
You can download WebGoat from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.<br />
<br />
You can download the WebGoat source code from [http://code.google.com/p/webgoat/ Google code].<br />
<br />
The WebGoat distributions are now available at [http://code.google.com/p/webgoat/downloads/list Google code downloads]. The Windows WebGoat release (unzip, click, and run) is only available at Sourceforge due to file size limits.<br />
<br />
== Overview ==<br />
[[Image:Webgoat-BasicAuth lesson.jpg|thumb|300px|right|The multi-stage Basic Authentication lesson]]<br />
WebGoat is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:<br />
{|<br />
|valign="top"|<br />
* [[Cross Site Scripting]]<br />
* Access Control<br />
* [[Race condition within a thread|Thread Safety]]<br />
* [[Unvalidated_Input|Hidden Form Field Manipulation]]<br />
* Parameter Manipulation<br />
* [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]<br />
* Blind [[SQL injection|SQL Injection]]<br />
|valign="top"| <br />
* Numeric SQL Injection<br />
* String SQL Injection<br />
* [[Web Services]]<br />
* [[Improper_Error_Handling|Fail Open Authentication]]<br />
* Dangers of HTML Comments<br />
* ... and many more!<br />
|}<br />
<br />
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]].<br />
<br />
==Releases==<br />
===WebGoat 5.1 Standard:===<br />
The standard release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server.<br />
* Double-click on webgoat.bat - a Tomcat command window starts<br />
* Browse to http://localhost/WebGoat/attack<br />
<br />
===WebGoat 5.1 Developer (Waiting for Google disk quota approval issue 649):===<br />
The developer release includes the standard release with the addition of a configured eclipse environment. The developer release is also a download, unzip, and click-to-run release. It works exactly the same as the standard release if you only wish to explore the lessons. However, if you want to perform the labs or use WebGoat in the classroom, use the eclipse.bat to start up a preconfigured WebGoat environment. Detailed instructions are include at the top of the _HOW TO create the WebGoat workspace.txt_ file.<br />
* Extract the Eclipse-Workspace.zip file to the working directory<br />
* Double-click the eclipse.bat file<br />
* In the Eclipse package explorer (top right), right click the WebGoat project and refresh<br />
* In the Eclipse package explorer (top right), right click the Servers project and refresh<br />
* In the Eclipse servers view (bottom), right click LocalHost server and start<br />
* Browse to http://localhost/WebGoat/attack<br />
* Any changes made to the source will automatically compile and redeploy when saved<br />
<br />
Please send all comments to Bruce Mayhew at '''webgoat AT owasp.org''' regarding this release.<br />
<br />
== Future Development ==<br />
<br />
WebGoat 5.1 - Estimated release date: Fall 2007<br />
<br />
WebGoat 5.1 - Is now available via svn at google code<br />
<br />
If you would like to become a member of the WebGoat source code project hosted at [http://code.google.com/p/webgoat/ Google Code] contact Bruce Mayhew at '''webgoat AT owasp.org'''.<br />
<br />
<br />
'''New Features in 5.1'''<br />
<br />
* Thanks to the OWASP Spring of Code project, Erwin Geirhart has provided a complete solutions guide that is avaliable via a new "show solution" button<br />
<br />
* New database lessons<br />
<br />
* XSS phishing lesson is available via the source code project at Google. Using a standard search feature, your mission is to create a "login" form on the page, steal the user credentials, and post the credentials to the WebGoat Catcher servlet.<br />
<br />
* Catcher servlet. Want to prove your attack works? You can now write lessons where the attack can send sensitive information to the Catcher servlet. The Catcher servlet will write the posted values into the originating lesson's properties file.<br />
<br />
* Documentation. A draft version of how to solve the WebGoat Labs is available at [http://webgoat.googlecode.com/files/Solving%20the%20WebGoat%20Labs%20Draft%20V2.pdf WebGoat Google Code Downloads]<br />
<br />
== Project Contributors ==<br />
<br />
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''. WebGoat distributions are currently maintained on [[http://www.sourceforge.net SourceForge]]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [[http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list]].<br />
<br />
== Project Sponsors ==<br />
<br />
The WebGoat project is sponsored by <br />
[http://www.aspectsecurity.com https://www.owasp.org/images/3/30/100px-Aspect_Security_Logo.jpg]<br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP Download]]<br />
[[Category:OWASP Tool]]<br />
<br />
__NOTOC__</div>Bmayhewhttps://wiki.owasp.org/index.php?title=Category:OWASP_WebGoat_Project&diff=24474Category:OWASP WebGoat Project2008-01-15T00:03:08Z<p>Bmayhew: /* Newest Release */</p>
<hr />
<div>[[Image:Webgoat-xss lesson.jpg|thumb|300px|right|WebGoat in action]]<br />
'''WebGoat''' is a deliberately insecure J2EE web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.<br />
<br />
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!<br />
<br />
'''To get started, read the [[WebGoat User and Install Guide Table of Contents|WebGoat User and Install Guide]]'''<br />
<br />
==Goals==<br />
<br />
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.<br />
<br />
The primary goal of the WebGoat project is simple: ''create a de-facto interactive teaching environment for web application security''. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.<br />
<br />
Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.<br />
<br />
==Download==<br />
<br />
You can download WebGoat from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.<br />
<br />
You can download the WebGoat source code from [http://code.google.com/p/webgoat/ Google code].<br />
<br />
The WebGoat distributions are now available at [http://code.google.com/p/webgoat/downloads/list Google code downloads]. The Windows WebGoat release (unzip, click, and run) is only available at Sourceforge due to file size limits.<br />
<br />
== Overview ==<br />
[[Image:Webgoat-BasicAuth lesson.jpg|thumb|300px|right|The multi-stage Basic Authentication lesson]]<br />
WebGoat is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:<br />
{|<br />
|valign="top"|<br />
* [[Cross Site Scripting]]<br />
* Access Control<br />
* [[Race condition within a thread|Thread Safety]]<br />
* [[Unvalidated_Input|Hidden Form Field Manipulation]]<br />
* Parameter Manipulation<br />
* [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]<br />
* Blind [[SQL injection|SQL Injection]]<br />
|valign="top"| <br />
* Numeric SQL Injection<br />
* String SQL Injection<br />
* [[Web Services]]<br />
* [[Improper_Error_Handling|Fail Open Authentication]]<br />
* Dangers of HTML Comments<br />
* ... and many more!<br />
|}<br />
<br />
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]].<br />
<br />
==Releases==<br />
===WebGoat 5.1 Standard:===<br />
The standard release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server.<br />
* Double-click on webgoat.bat - a Tomcat command window starts<br />
* Browse to http://localhost/WebGoat/attack<br />
<br />
===WebGoat 5.1 Developer (Waiting for Google disk quota approval issue 649):===<br />
The developer release includes the standard release with the addition of a configured eclipse environment. The developer release is also a download, unzip, and click-to-run release. It works exactly the same as the standard release if you only wish to explore the lessons. However, if you want to perform the labs or use WebGoat in the classroom, use the eclipse.bat to start up a preconfigured WebGoat environment. Detailed instructions are include at the top of the _HOW TO create the WebGoat workspace.txt_ file.<br />
* Extract the Eclipse-Workspace.zip file to the working directory<br />
* Double-click the eclipse.bat file<br />
* In the Eclipse package explorer (top right), right click the WebGoat project and refresh<br />
* In the Eclipse package explorer (top right), right click the Servers project and refresh<br />
* In the Eclipse servers view (bottom), right click LocalHost server and start<br />
* Browse to http://localhost/WebGoat/attack<br />
* Any changes made to the source will automatically compile and redeploy when saved<br />
<br />
<br />
Please send all comments to Bruce Mayhew at '''webgoat AT owasp.org''' regarding this release.<br />
<br />
== Future Development ==<br />
<br />
WebGoat 5.1 - Estimated release date: Fall 2007<br />
<br />
WebGoat 5.1 - Is now available via svn at google code<br />
<br />
If you would like to become a member of the WebGoat source code project hosted at [http://code.google.com/p/webgoat/ Google Code] contact Bruce Mayhew at '''webgoat AT owasp.org'''.<br />
<br />
<br />
'''New Features in 5.1'''<br />
<br />
* Thanks to the OWASP Spring of Code project, Erwin Geirhart has provided a complete solutions guide that is avaliable via a new "show solution" button<br />
<br />
* New database lessons<br />
<br />
* XSS phishing lesson is available via the source code project at Google. Using a standard search feature, your mission is to create a "login" form on the page, steal the user credentials, and post the credentials to the WebGoat Catcher servlet.<br />
<br />
* Catcher servlet. Want to prove your attack works? You can now write lessons where the attack can send sensitive information to the Catcher servlet. The Catcher servlet will write the posted values into the originating lesson's properties file.<br />
<br />
* Documentation. A draft version of how to solve the WebGoat Labs is available at [http://webgoat.googlecode.com/files/Solving%20the%20WebGoat%20Labs%20Draft%20V2.pdf WebGoat Google Code Downloads]<br />
<br />
== Project Contributors ==<br />
<br />
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''. WebGoat distributions are currently maintained on [[http://www.sourceforge.net SourceForge]]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [[http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list]].<br />
<br />
== Project Sponsors ==<br />
<br />
The WebGoat project is sponsored by <br />
[http://www.aspectsecurity.com https://www.owasp.org/images/3/30/100px-Aspect_Security_Logo.jpg]<br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP Download]]<br />
[[Category:OWASP Tool]]<br />
<br />
__NOTOC__</div>Bmayhewhttps://wiki.owasp.org/index.php?title=Category:OWASP_WebGoat_Project&diff=22547Category:OWASP WebGoat Project2007-10-22T16:27:04Z<p>Bmayhew: /* Newest Release */</p>
<hr />
<div>[[Image:Webgoat-xss lesson.jpg|thumb|300px|right|WebGoat in action]]<br />
'''WebGoat''' is a deliberately insecure J2EE web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.<br />
<br />
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!<br />
<br />
'''To get started, read the [[WebGoat User and Install Guide Table of Contents|WebGoat User and Install Guide]]'''<br />
<br />
==Goals==<br />
<br />
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.<br />
<br />
The primary goal of the WebGoat project is simple: ''create a de-facto interactive teaching environment for web application security''. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.<br />
<br />
Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.<br />
<br />
==Download==<br />
<br />
You can download WebGoat from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.<br />
<br />
You can download the WebGoat source code from [http://code.google.com/p/webgoat/ Google code].<br />
<br />
The WebGoat distributions are now available at [http://code.google.com/p/webgoat/downloads/list Google code downloads]. The Windows WebGoat release (unzip, click, and run) is only available at Sourceforge due to file size limits.<br />
<br />
== Overview ==<br />
[[Image:Webgoat-BasicAuth lesson.jpg|thumb|300px|right|The multi-stage Basic Authentication lesson]]<br />
WebGoat is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:<br />
{|<br />
|valign="top"|<br />
* [[Cross Site Scripting]]<br />
* Access Control<br />
* [[Race condition within a thread|Thread Safety]]<br />
* [[Unvalidated_Input|Hidden Form Field Manipulation]]<br />
* Parameter Manipulation<br />
* [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]<br />
* Blind [[SQL injection|SQL Injection]]<br />
|valign="top"| <br />
* Numeric SQL Injection<br />
* String SQL Injection<br />
* [[Web Services]]<br />
* [[Improper_Error_Handling|Fail Open Authentication]]<br />
* Dangers of HTML Comments<br />
* ... and many more!<br />
|}<br />
<br />
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]].<br />
<br />
== Newest Release ==<br />
<br />
'''WebGoat 5.1 Release Candidate 1''' is available. This new release is platform independent. This release features:<br />
<br />
* a new "show solution" feature<br />
* Phishing lesson<br />
* New database lessons - for Oracle database only<br />
* Multi-stage architecture which allows random access to lab stages<br />
<br />
<br />
<br />
'''WebGoat 5.0'''<br />
<br />
'''WebGoat 5.0''' has been released. Special thanks to the many people who have sent comments and suggestions and those who have put in the effort to contribute their time to this release. <br />
<br />
The 5.0 release would not have been possible without the efforts of Sherif Koussa and [http://www.owasp.org/index.php/Owasp_Autumn_Of_Code_2006 OWASP Autumn of Code 2006].<br />
<br />
Please send all comments to '''webgoat AT owasp.org''' regarding this release candidate. A final release is scheduled for the end of January<br />
<br />
== Future Development ==<br />
<br />
WebGoat 5.1 - Estimated release date: Fall 2007<br />
<br />
WebGoat 5.1 - Is now available via svn at google code<br />
<br />
If you would like to become a member of the WebGoat source code project hosted at [http://code.google.com/p/webgoat/ Google Code] contact Bruce Mayhew at '''webgoat AT owasp.org'''.<br />
<br />
<br />
'''New Features in 5.1'''<br />
<br />
* Thanks to the OWASP Spring of Code project, Erwin Geirhart has provided a complete solutions guide that is avaliable via a new "show solution" button<br />
<br />
* New database lessons<br />
<br />
* XSS phishing lesson is available via the source code project at Google. Using a standard search feature, your mission is to create a "login" form on the page, steal the user credentials, and post the credentials to the WebGoat Catcher servlet.<br />
<br />
* Catcher servlet. Want to prove your attack works? You can now write lessons where the attack can send sensitive information to the Catcher servlet. The Catcher servlet will write the posted values into the originating lesson's properties file.<br />
<br />
* Documentation. A draft version of how to solve the WebGoat Labs is available at [http://webgoat.googlecode.com/files/Solving%20the%20WebGoat%20Labs%20Draft%20V2.pdf WebGoat Google Code Downloads]<br />
<br />
== Project Contributors ==<br />
<br />
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''. WebGoat distributions are currently maintained on [[http://www.sourceforge.net SourceForge]]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [[http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list]].<br />
<br />
== Project Sponsors ==<br />
<br />
The WebGoat project is sponsored by <br />
[http://www.aspectsecurity.com https://www.owasp.org/images/3/30/100px-Aspect_Security_Logo.jpg]<br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP Download]]<br />
[[Category:OWASP Tool]]<br />
<br />
__NOTOC__</div>Bmayhewhttps://wiki.owasp.org/index.php?title=OWASP_WebGoat_Project_Roadmap&diff=22245OWASP WebGoat Project Roadmap2007-10-08T20:33:53Z<p>Bmayhew: </p>
<hr />
<div>The project's overall goal is to...<br />
<br />
Be the defacto standard web application security training environment<br />
<br />
In the near term, we are focused on the following tactical goals...<br />
<br />
# Demonstrate most common web application security vulnerabilities<br />
# Increase ease-of-use and expand userbase<br />
# Attract more contributions of lessons<br />
# Revisit existing lesson base to standardize lesson theme.<br />
<br />
Here are the current tasks defined to help us achieve these goals<br />
<br />
'''Architectural'''<br />
* Convert lessons to struts framework (Major effort)<br />
* Rewrite all lessons to follow common theme using common database<br />
* Rewrite user administration to allow better user management (non-hackable)<br />
* Fix Logoff<br />
* Defuse all lessons to disallow inadvertent harm to user's OS <br />
<br />
'''General'''<br />
* General security cleanup. Remove exploits that are not lesson specific<br />
* Denial of service lesson rewrite<br />
* Bypass client side javascript lesson rewrite<br />
* Improve using an access control matrix lesson<br />
* Improve encoding basics lesson<br />
* Improve thread safety lesson<br />
* Cross site trace only works in older browsers<br />
* Improve CSRF lesson<br />
<br />
'''New Lessons'''<br />
* Server side forward allows access to WEB-INF resources<br />
* Account enumeration using webscarab<br />
* Buffer overflow<br />
* SQLException lesson - could tie into overall error handling<br />
* XML attacks - Entity recursion, ...<br />
<br />
For more information contact Bruce Mayhew at webgoat at owasp dot org<br />
<br />
[[Category:OWASP WebGoat Project]]</div>Bmayhewhttps://wiki.owasp.org/index.php?title=Category:OWASP_WebGoat_Project&diff=22244Category:OWASP WebGoat Project2007-10-08T20:33:07Z<p>Bmayhew: /* Future Development */</p>
<hr />
<div>[[Image:Webgoat-xss lesson.jpg|thumb|300px|right|WebGoat in action]]<br />
'''WebGoat''' is a deliberately insecure J2EE web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.<br />
<br />
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!<br />
<br />
'''To get started, read the [[WebGoat User and Install Guide Table of Contents|WebGoat User and Install Guide]]'''<br />
<br />
==Goals==<br />
<br />
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.<br />
<br />
The primary goal of the WebGoat project is simple: ''create a de-facto interactive teaching environment for web application security''. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.<br />
<br />
Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.<br />
<br />
==Download==<br />
<br />
You can download WebGoat from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.<br />
<br />
You can download the WebGoat source code from [http://code.google.com/p/webgoat/ Google code].<br />
<br />
The WebGoat distributions are now available at [http://code.google.com/p/webgoat/downloads/list Google code downloads]. The Windows WebGoat release (unzip, click, and run) is only available at Sourceforge due to file size limits.<br />
<br />
== Overview ==<br />
[[Image:Webgoat-BasicAuth lesson.jpg|thumb|300px|right|The multi-stage Basic Authentication lesson]]<br />
WebGoat is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:<br />
{|<br />
|valign="top"|<br />
* [[Cross Site Scripting]]<br />
* Access Control<br />
* [[Race condition within a thread|Thread Safety]]<br />
* [[Unvalidated_Input|Hidden Form Field Manipulation]]<br />
* Parameter Manipulation<br />
* [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]<br />
* Blind [[SQL injection|SQL Injection]]<br />
|valign="top"| <br />
* Numeric SQL Injection<br />
* String SQL Injection<br />
* [[Web Services]]<br />
* [[Improper_Error_Handling|Fail Open Authentication]]<br />
* Dangers of HTML Comments<br />
* ... and many more!<br />
|}<br />
<br />
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]].<br />
<br />
== Newest Release ==<br />
'''WebGoat 5.0'''<br />
<br />
'''WebGoat 5.0''' has been released. Special thanks to the many people who have sent comments and suggestions and those who have put in the effort to contribute their time to this release. <br />
<br />
The 5.0 release would not have been possible without the efforts of Sherif Koussa and [http://www.owasp.org/index.php/Owasp_Autumn_Of_Code_2006 OWASP Autumn of Code 2006].<br />
<br />
Please send all comments to '''webgoat AT owasp.org''' regarding this release candidate. A final release is scheduled for the end of January<br />
<br />
== Future Development ==<br />
<br />
WebGoat 5.1 - Estimated release date: Fall 2007<br />
<br />
WebGoat 5.1 - Is now available via svn at google code<br />
<br />
If you would like to become a member of the WebGoat source code project hosted at [http://code.google.com/p/webgoat/ Google Code] contact Bruce Mayhew at '''webgoat AT owasp.org'''.<br />
<br />
<br />
'''New Features in 5.1'''<br />
<br />
* Thanks to the OWASP Spring of Code project, Erwin Geirhart has provided a complete solutions guide that is avaliable via a new "show solution" button<br />
<br />
* New database lessons<br />
<br />
* XSS phishing lesson is available via the source code project at Google. Using a standard search feature, your mission is to create a "login" form on the page, steal the user credentials, and post the credentials to the WebGoat Catcher servlet.<br />
<br />
* Catcher servlet. Want to prove your attack works? You can now write lessons where the attack can send sensitive information to the Catcher servlet. The Catcher servlet will write the posted values into the originating lesson's properties file.<br />
<br />
* Documentation. A draft version of how to solve the WebGoat Labs is available at [http://webgoat.googlecode.com/files/Solving%20the%20WebGoat%20Labs%20Draft%20V2.pdf WebGoat Google Code Downloads]<br />
<br />
== Project Contributors ==<br />
<br />
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''. WebGoat distributions are currently maintained on [[http://www.sourceforge.net SourceForge]]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [[http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list]].<br />
<br />
== Project Sponsors ==<br />
<br />
The WebGoat project is sponsored by <br />
[http://www.aspectsecurity.com https://www.owasp.org/images/3/30/100px-Aspect_Security_Logo.jpg]<br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP Download]]<br />
[[Category:OWASP Tool]]<br />
<br />
__NOTOC__</div>Bmayhewhttps://wiki.owasp.org/index.php?title=OWASP_WebGoat_Project_Roadmap&diff=22239OWASP WebGoat Project Roadmap2007-10-08T14:00:30Z<p>Bmayhew: </p>
<hr />
<div>The project's overall goal is to...<br />
<br />
Be the defacto standard web application security training environment<br />
<br />
In the near term, we are focused on the following tactical goals...<br />
<br />
# Demonstrate most common web application security vulnerabilities<br />
# Increase ease-of-use and expand userbase<br />
# Attract more contributions of lessons<br />
<br />
# Revisit existing lesson base to standardize lesson theme.<br />
<br />
Here are the current tasks defined to help us achieve these goals<br />
<br />
'''Architectural'''<br />
* Convert lessons to struts framework (Major effort)<br />
* Rewrite all lessons to follow common theme using common database<br />
* Rewrite user administration to allow better user management (non-hackable)<br />
* Fix Logoff<br />
* Defuse all lessons to disallow inadvertent harm to user's OS <br />
<br />
'''General'''<br />
* General security cleanup. Remove exploits that are not lesson specific<br />
* Denial of service lesson rewrite<br />
* Bypass client side javascript lesson rewrite<br />
* Improve using an access control matrix lesson<br />
* Improve encoding basics lesson<br />
* Improve thread safety lesson<br />
* Cross site trace only works in older browsers<br />
* Improve CSRF lesson<br />
<br />
'''New Lessons'''<br />
* Server side forward allows access to WEB-INF resources<br />
* Account enumeration using webscarab<br />
* Buffer overflow<br />
* SQLException lesson - could tie into overall error handling<br />
* XML attacks - Entity recursion, ...<br />
<br />
For more information contact Bruce Mayhew at webgoat at owasp dot org<br />
<br />
[[Category:OWASP WebGoat Project]]</div>Bmayhewhttps://wiki.owasp.org/index.php?title=Category:OWASP_WebGoat_Project&diff=17414Category:OWASP WebGoat Project2007-03-26T13:01:34Z<p>Bmayhew: /* Future Development */</p>
<hr />
<div>[[Image:Webgoat-xss lesson.jpg|thumb|300px|right|WebGoat in action]]<br />
'''WebGoat''' is a deliberately insecure J2EE web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.<br />
<br />
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!<br />
<br />
'''To get started, read the [[WebGoat User and Install Guide Table of Contents|WebGoat User and Install Guide]]'''<br />
<br />
==Goals==<br />
<br />
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.<br />
<br />
The primary goal of the WebGoat project is simple: ''create a de-facto interactive teaching environment for web application security''. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.<br />
<br />
Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.<br />
<br />
==Download==<br />
<br />
You can download WebGoat from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.<br />
<br />
You can download the WebGoat source code from [http://code.google.com/p/webgoat/ Google code].<br />
<br />
The WebGoat distributions are now available at [http://code.google.com/p/webgoat/downloads/list Google code downloads]. The Windows WebGoat release (unzip, click, and run) is only available at Sourceforge due to file size limits.<br />
<br />
== Overview ==<br />
[[Image:Webgoat-BasicAuth lesson.jpg|thumb|300px|right|The multi-stage Basic Authentication lesson]]<br />
WebGoat is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:<br />
{|<br />
|valign="top"|<br />
* [[Cross Site Scripting]]<br />
* Access Control<br />
* [[Race condition within a thread|Thread Safety]]<br />
* [[Unvalidated_Input|Hidden Form Field Manipulation]]<br />
* Parameter Manipulation<br />
* [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]<br />
* Blind [[SQL injection|SQL Injection]]<br />
|valign="top"| <br />
* Numeric SQL Injection<br />
* String SQL Injection<br />
* [[Web Services]]<br />
* [[Improper_Error_Handling|Fail Open Authentication]]<br />
* Dangers of HTML Comments<br />
* ... and many more!<br />
|}<br />
<br />
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]].<br />
<br />
== Newest Release ==<br />
'''WebGoat 5.0'''<br />
<br />
'''WebGoat 5.0''' has been released. Special thanks to the many people who have sent comments and suggestions and those who have put in the effort to contribute their time to this release. <br />
<br />
The 5.0 release would not have been possible without the efforts of Sherif Koussa and [http://www.owasp.org/index.php/Owasp_Autumn_Of_Code_2006 OWASP Autumn of Code 2006].<br />
<br />
Please send all comments to '''webgoat AT g2-inc DOT com''' regarding this release candidate. A final release is scheduled for the end of January<br />
<br />
== Future Development ==<br />
<br />
WebGoat 5.x - Estimated release date: Summer 2007<br />
<br />
If you would like to become a member of the WebGoat source code project hosted at [http://code.google.com/p/webgoat/ Google Code] contact Bruce Mayhew at '''bruce DOT mayhew AT g2-inc.com'''.<br />
<br />
<br />
'''New Features in 5.x'''<br />
<br />
* XSS phishing lesson is available via the source code project at Google. Using a standard search feature, your mission is to create a "login" form on the page, steal the user credentials, and post the credentials to the WebGoat Catcher servlet.<br />
<br />
* Catcher servlet. Want to prove your attack works? You can now write lessons where the attack can send sensitive information to the Catcher servlet. The Catcher servlet will write the posted values into the originating lesson's properties file.<br />
<br />
* Documentation. A draft version of how to solve the WebGoat Labs is available at [http://webgoat.googlecode.com/files/Solving%20the%20WebGoat%20Labs%20Draft%20V2.pdf WebGoat Google Code Downloads]<br />
<br />
== Project Contributors ==<br />
<br />
The WebGoat project is run by Bruce Mayhew of G2. He can be contacted at '''bruce DOT mayhew AT g2-inc.com'''. WebGoat distributions are currently maintained on [[http://www.sourceforge.net SourceForge]]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [[http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list]].<br />
<br />
== Project Sponsors ==<br />
<br />
The WebGoat project is sponsored by <br />
[http://www.aspectsecurity.com https://www.owasp.org/images/3/30/100px-Aspect_Security_Logo.jpg]<br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP Download]]<br />
[[Category:OWASP Tool]]<br />
<br />
__NOTOC__</div>Bmayhewhttps://wiki.owasp.org/index.php?title=Category:OWASP_WebGoat_Project&diff=17404Category:OWASP WebGoat Project2007-03-24T11:50:46Z<p>Bmayhew: /* Future Development */</p>
<hr />
<div>[[Image:Webgoat-xss lesson.jpg|thumb|300px|right|WebGoat in action]]<br />
'''WebGoat''' is a deliberately insecure J2EE web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.<br />
<br />
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!<br />
<br />
'''To get started, read the [[WebGoat User and Install Guide Table of Contents|WebGoat User and Install Guide]]'''<br />
<br />
==Goals==<br />
<br />
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.<br />
<br />
The primary goal of the WebGoat project is simple: ''create a de-facto interactive teaching environment for web application security''. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.<br />
<br />
Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.<br />
<br />
==Download==<br />
<br />
You can download WebGoat from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.<br />
<br />
You can download the WebGoat source code from [http://code.google.com/p/webgoat/ Google code].<br />
<br />
The WebGoat distributions are now available at [http://code.google.com/p/webgoat/downloads/list Google code downloads]. The Windows WebGoat release (unzip, click, and run) is only available at Sourceforge due to file size limits.<br />
<br />
== Overview ==<br />
[[Image:Webgoat-BasicAuth lesson.jpg|thumb|300px|right|The multi-stage Basic Authentication lesson]]<br />
WebGoat is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:<br />
{|<br />
|valign="top"|<br />
* [[Cross Site Scripting]]<br />
* Access Control<br />
* [[Race condition within a thread|Thread Safety]]<br />
* [[Unvalidated_Input|Hidden Form Field Manipulation]]<br />
* Parameter Manipulation<br />
* [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]<br />
* Blind [[SQL injection|SQL Injection]]<br />
|valign="top"| <br />
* Numeric SQL Injection<br />
* String SQL Injection<br />
* [[Web Services]]<br />
* [[Improper_Error_Handling|Fail Open Authentication]]<br />
* Dangers of HTML Comments<br />
* ... and many more!<br />
|}<br />
<br />
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]].<br />
<br />
== Newest Release ==<br />
'''WebGoat 5.0'''<br />
<br />
'''WebGoat 5.0''' has been released. Special thanks to the many people who have sent comments and suggestions and those who have put in the effort to contribute their time to this release. <br />
<br />
The 5.0 release would not have been possible without the efforts of Sherif Koussa and [http://www.owasp.org/index.php/Owasp_Autumn_Of_Code_2006 OWASP Autumn of Code 2006].<br />
<br />
Please send all comments to '''webgoat AT g2-inc DOT com''' regarding this release candidate. A final release is scheduled for the end of January<br />
<br />
== Future Development ==<br />
<br />
WebGoat 5.x - Estimated release date: Summer 2007<br />
<br />
If you would like to become a member of the WebGoat source code project hosted at [http://code.google.com/p/webgoat/ Google Code] contact Bruce Mayhew at '''bruce DOT mayhew AT g2-inc.com'''.<br />
<br />
<br />
'''New Features in 5.x'''<br />
<br />
* XSS phishing lesson is available via the source code project at Google. Using a standard search feature, your mission is create a "login" form on the page, steal the user credentials, and post the credentials to the WebGoat Catcher servlet.<br />
<br />
* Catcher servlet. Want to prove your attack works? You can now write lessons where the attack can send sensitive information to the Catcher servlet. The Catcher servlet will write the posted values into the originating lesson's properties file.<br />
<br />
* Documentation. A draft version of how to solve the WebGoat Labs is available at [http://webgoat.googlecode.com/files/Solving%20the%20WebGoat%20Labs%20Draft%20V2.pdf WebGoat Google Code Downloads]<br />
<br />
== Project Contributors ==<br />
<br />
The WebGoat project is run by Bruce Mayhew of G2. He can be contacted at '''bruce DOT mayhew AT g2-inc.com'''. WebGoat distributions are currently maintained on [[http://www.sourceforge.net SourceForge]]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [[http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list]].<br />
<br />
== Project Sponsors ==<br />
<br />
The WebGoat project is sponsored by <br />
[http://www.aspectsecurity.com https://www.owasp.org/images/3/30/100px-Aspect_Security_Logo.jpg]<br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP Download]]<br />
[[Category:OWASP Tool]]<br />
<br />
__NOTOC__</div>Bmayhew