|
|
(47 intermediate revisions by 3 users not shown) |
Line 1: |
Line 1: |
− | =Main=
| + | We have fully migrated to the new OWASP Website! |
| | | |
− | <div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>
| + | Please visit our new project page at https://www2.owasp.org/www-project-webgoat |
− | | |
− | {| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| |
− | | valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
| |
− | | |
− | ==OWASP WebGoat Project==
| |
− | | |
− | [http://webgoat.github.io WebGoat 6] is under way. The 6.0 beta release is a major modernization of the UI and framework.
| |
− | | |
− | The next release will migrate all the lessons to the new architecture. You can help us prioritize which lessons to port and define new lessons to create by taking the [https://www.surveymonkey.com/s/OWASP-WebGoat-Modernization WebGoat survey]
| |
− | | |
− | ===Help Needed:===
| |
− | | |
− | We have an immediate need for a UI developer with javascript (Backbone/Underscore/JQuery and/or Single Page Application ... preferred, not required) experience as well as someone with design experience. Please send an email to Bruce Mayhew [email protected] and/or [email protected] if you are interested in helping. | |
− | | |
− | ==Introduction==
| |
− | | |
− | '''WebGoat''' is a deliberately insecure web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. You can install and practice with WebGoat in either J2EE (this page) or [http://owasp.org/index.php/WebGoatFor.Net WebGoat for .Net] in ASP.NET. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.
| |
− | | |
− | Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!
| |
− | | |
− | '''To get started:
| |
− | * WebGoat 5.X: read the [[WebGoat User and Install Guide Table of Contents|WebGoat User and Install Guide]]
| |
− | * WebGoat 6.X: download and documentation are on [http://webgoat.github.io GitHub]'''
| |
− | | |
− | ==Description==
| |
− | | |
− | WebGoat for J2EE is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:
| |
− | {|
| |
− | |valign="top"|
| |
− | * [[Cross-site Scripting (XSS)]]
| |
− | * Access Control
| |
− | * [[Race conditions|Thread Safety]]
| |
− | * [[Unvalidated_Input|Hidden Form Field Manipulation]]
| |
− | * Parameter Manipulation
| |
− | * [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]
| |
− | * Blind [[SQL injection|SQL Injection]]
| |
− | |valign="top"|
| |
− | * Numeric SQL Injection
| |
− | * String SQL Injection
| |
− | * [[Web Services]]
| |
− | * [[Improper_Error_Handling|Fail Open Authentication]]
| |
− | * Dangers of HTML Comments
| |
− | * ... and many more!
| |
− | |}
| |
− | | |
− | For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]].
| |
− | | |
− | | |
− | ==Licensing==
| |
− | OWASP WebGoat Project is free to use. It is licensed under the GNU General Public License version 2.0 (GPLv2)
| |
− | | |
− | ==Project Sponsors==
| |
− | The WebGoat project is sponsored by
| |
− | {{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}
| |
− | | |
− | | |
− | | valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
| |
− | | |
− | == What is WebGoat? ==
| |
− | | |
− | OWASP WebGoat Project provides:
| |
− | | |
− | Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.
| |
− | The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.
| |
− | | |
− | | |
− | == Presentation ==
| |
− | Aung Khant (YGN Ethical Hacker Group) has created a series of movies showing possible solutions to the WebGoat lessons. These training movies can be viewed at
| |
− | | |
− | http://yehg.net/lab/pr0js/training/webgoat.php
| |
− | | |
− | Feel free to contact him for any help with WebGoat.
| |
− | | |
− | * [http://yehg.net/lab/pr0js/training/webgoat.php#General General]
| |
− | * [http://yehg.net/lab/pr0js/training/webgoat.php#Code_Quality Code Quality]
| |
− | * [http://yehg.net/lab/pr0js/training/webgoat.php#Concurrency Concurrency ]
| |
− | * [http://yehg.net/lab/pr0js/training/webgoat.php#Unvalidated_Parameters Unvalidated Parameters]
| |
− | * [http://yehg.net/lab/pr0js/training/webgoat.php#Access_Control_Flaws Access Control Flaws]
| |
− | * [http://yehg.net/lab/pr0js/training/webgoat.php#Authentication_Flaws Authentication Flaws]
| |
− | * [http://yehg.net/lab/pr0js/training/webgoat.php#Session_Management_Flaws Session Management Flaws]
| |
− | * [http://yehg.net/lab/pr0js/training/webgoat.php#Cross-Site_Scripting_(XSS) Cross-Site Scripting (XSS)]
| |
− | * [http://yehg.net/lab/pr0js/training/webgoat.php#Buffer_Overflows Buffer Overflows]
| |
− | * [http://yehg.net/lab/pr0js/training/webgoat.php#Injection_Flaws Injection Flaws]
| |
− | * [http://yehg.net/lab/pr0js/training/webgoat.php#Insecure_Storage Insecure Storage]
| |
− | * [http://yehg.net/lab/pr0js/training/webgoat.php#Denial_of_Service_(DOS) Denial of Service (DOS)]
| |
− | * [http://yehg.net/lab/pr0js/training/webgoat.php#Insecure_Configuration_Insecure Configuration]
| |
− | * [http://yehg.net/lab/pr0js/training/webgoat.php#Web_Services Web Services]
| |
− | * [http://yehg.net/lab/pr0js/training/webgoat.php#AJAX_Security AJAX Security]
| |
− | * [http://yehg.net/lab/pr0js/training/webgoat.php#Challenge Challenge]
| |
− | | |
− | == Project Leader ==
| |
− | | |
− | | |
− | | |
− | | |
− | == Related Projects ==
| |
− | | |
− | | |
− | | |
− | == Ohloh ==
| |
− | | |
− | | |
− | | |
− | | valign="top" style="padding-left:25px;width:200px;" |
| |
− | | |
− | == Quick Download ==
| |
− | | |
− | *Latest Release @ [https://github.com/WebGoat/WebGoat-Legacy/releases/latest]
| |
− | | |
− | *Source Code @ https://github.com/WebGoat/WebGoat-Legacy WebGoat-Legacy on Github]
| |
− | | |
− | *Latest Info @ [http://webgoat.github.io/ WebGoat Project Home]
| |
− | | |
− | == Email List ==
| |
− | | |
− | [https://lists.owasp.org/mailman/listinfo/owasp-webgoat Sign Up]
| |
− | | |
− | == News and Events ==
| |
− | *WebGoat 6 to be released Sept 16 2014
| |
− | | |
− | *Join us at AppSec USA in the project summit room Friday Sept 19th 9-12AM
| |
− | | |
− | == In Print ==
| |
− | *[http://www.lulu.com/shop/owasp/owasp-webgoat-and-webscarab/paperback/product-1889624.html Download or purchase on Lulu].
| |
− | | |
− | | |
− | ==Classifications==
| |
− | | |
− | {| width="200" cellpadding="2"
| |
− | |-
| |
− | | align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| |
− | | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
| |
− | |-
| |
− | | align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
| |
− | |-
| |
− | | colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
| |
− | |-
| |
− | | colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
| |
− | |}
| |
− | | |
− | |}
| |
− | | |
− | =FAQs=
| |
− | | |
− | [[File:WebGoat-Phishing-XSS-Lesson.JPG|500px]] [[File:WebGoat-Bypass-Access-Control-Lesson.JPG|500px]]
| |
− | | |
− | [[File:WebGoat-Session-Hijack-Lesson.JPG|500px]]
| |
− | | |
− | = Acknowledgements =
| |
− | ==Volunteers==
| |
− | The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''. WebGoat distributions are currently maintained on [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 SourceForge] and [http://code.google.com/p/webgoat/downloads/list Google]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list].
| |
− | | |
− | Thanks to [http://www.ouncelabs.com Ounce Labs] for allowing me time to work on and run the WebGoat project during my day job!
| |
− | | |
− | = Road Map and Getting Involved =
| |
− | The project's overall goal is to...
| |
− | | |
− | Be the defacto standard web application security training environment
| |
− | | |
− | In the near term, we are focused on the following tactical goals...
| |
− | | |
− | # Demonstrate most common web application security vulnerabilities
| |
− | # Add educational support for secure coding practices
| |
− | # Enhance enterprise lesson tracking
| |
− | # Attract more contributions of lessons
| |
− | # Revisit existing lesson base to standardize lesson theme.
| |
− | # Increase ease-of-use and expand user base
| |
− | | |
− | Here are the current tasks defined to help us achieve these goals
| |
− | | |
− | '''Architectural'''
| |
− | * Replace basic authentication with forms based authentication
| |
− | * Rewrite all lessons to follow common theme using common database
| |
− | * Rewrite user administration to allow better user management (non-hackable)
| |
− | * Fix Logoff
| |
− | * Defuse all lessons to disallow inadvertent harm to user's OS
| |
− | | |
− | '''General'''
| |
− | * General security cleanup. Remove exploits that are not lesson specific
| |
− | * Remove non working lessons
| |
− | *
| |
− | | |
− | '''New Lessons'''
| |
− | * Server side forward allows access to WEB-INF resources
| |
− | * Account enumeration using webscarab
| |
− | * SQLException lesson - could tie into overall error handling
| |
− | * XML attacks - Entity recursion, ...
| |
− | | |
− | For more information contact Bruce Mayhew at webgoat at owasp dot org
| |
− | | |
− | | |
− | Involvement in the development and promotion of WebGoat is actively encouraged!
| |
− | You do not have to be a security expert in order to contribute.
| |
− | | |
− | =Previous Releases and Future Development=
| |
− | ==Previous Releases==
| |
− | You can download WebGoat version 5.2 and older from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.
| |
− | | |
− | ===WebGoat 5.2 Standard===
| |
− | This release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server.
| |
− | * Double-click on webgoat.bat - a Tomcat command window starts
| |
− | * Browse to http://localhost/WebGoat/attack
| |
− | | |
− | ===WebGoat 5.2 Developer===
| |
− | | |
− | '''Note:''' This release is intended to provide an environment for working on the WebGoat labs. If you would like to develop lessons, synch to the baseline at Google code.
| |
− | | |
− | The developer release includes the standard release with the addition of a configured eclipse environment. The developer release is also a download, unzip, and click-to-run release. It works exactly the same as the standard release if you only wish to explore the lessons. However, if you want to perform the labs or use WebGoat in the classroom, use the eclipse.bat to start up a preconfigured WebGoat environment. Detailed instructions are include at the top of the _HOW TO create the WebGoat workspace.txt_ file.
| |
− | * Extract the Eclipse-Workspace.zip file to the working directory
| |
− | * Double-click the eclipse.bat file
| |
− | * In the Eclipse package explorer (top right), right click the WebGoat project and refresh
| |
− | * In the Eclipse package explorer (top right), right click the Servers project and refresh
| |
− | * In the Eclipse servers view (bottom), right click LocalHost server and start
| |
− | * Browse to http://localhost/WebGoat/attack
| |
− | * Any changes made to the source will automatically compile and redeploy when saved
| |
− | | |
− | Please send all comments to Bruce Mayhew at '''webgoat AT owasp.org''' regarding this release.
| |
− | | |
− | ==Future Development==
| |
− | WebGoat has been fairly stable for a few years. The latest stable release as of Oct 7, 2013 is 5.4, and the development for 6.0 is underway at [http://code.google.com/p/webgoat/ | the WebGoat Google repo]. There are some issues on the WebGoat issues page that require fixing, any help there would be appreciated.
| |
− | | |
− | Going forward WebGoat should take advantage of the training material provided at OWASP and incorporate that material into the lesson plans. WebGoat has been useful in educating security folks in the type of attacks and how they could be exploited. WebGoat should start focusing on educating the security staff and developers on potential mitigation strategies. I would also like to see an expansion of the report card feature and the enterprise architecture used for tracking the lessons completed. WebGoat could be used in organizations as a introduction to secure coding practices.
| |
− | | |
− | Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.
| |
− | | |
− | | |
− | =Project About=
| |
− | {{:Projects/OWASP_WebGoat_Project_Page}}
| |
− | | |
− | __NOTOC__ <headertabs />
| |
− | | |
− | [[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]][[Category:SAMM-EG-1]]
| |