|
|
(117 intermediate revisions by 19 users not shown) |
Line 1: |
Line 1: |
− | [[Image:Webgoat-xss lesson.jpg|thumb|300px|right|WebGoat in action]]
| + | We have fully migrated to the new OWASP Website! |
− | '''WebGoat''' is a deliberately insecure J2EE web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.
| |
| | | |
− | Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!
| + | Please visit our new project page at https://www2.owasp.org/www-project-webgoat |
− | | |
− | '''To get started, read the [[WebGoat User and Install Guide Table of Contents|WebGoat User and Install Guide]]'''
| |
− | | |
− | ==Goals==
| |
− | | |
− | Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.
| |
− | | |
− | The primary goal of the WebGoat project is simple: ''create a de-facto interactive teaching environment for web application security''. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.
| |
− | | |
− | Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.
| |
− | | |
− | ==Download==
| |
− | | |
− | You can download WebGoat from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.
| |
− | | |
− | You can download the WebGoat source code from [http://code.google.com/p/webgoat/ Google code].
| |
− | | |
− | The WebGoat distributions are now available at [http://code.google.com/p/webgoat/downloads/list Google code downloads]. The Windows WebGoat release (unzip, click, and run) is only available at Sourceforge due to file size limits.
| |
− | | |
− | == Overview ==
| |
− | [[Image:Webgoat-BasicAuth lesson.jpg|thumb|300px|right|The multi-stage Basic Authentication lesson]]
| |
− | WebGoat is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:
| |
− | {|
| |
− | |valign="top"|
| |
− | * [[Cross Site Scripting]]
| |
− | * Access Control
| |
− | * [[Race condition within a thread|Thread Safety]]
| |
− | * [[Unvalidated_Input|Hidden Form Field Manipulation]]
| |
− | * Parameter Manipulation
| |
− | * [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]
| |
− | * Blind [[SQL injection|SQL Injection]]
| |
− | |valign="top"|
| |
− | * Numeric SQL Injection
| |
− | * String SQL Injection
| |
− | * [[Web Services]]
| |
− | * [[Improper_Error_Handling|Fail Open Authentication]]
| |
− | * Dangers of HTML Comments
| |
− | * ... and many more!
| |
− | |}
| |
− | | |
− | For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]].
| |
− | | |
− | == Newest Release ==
| |
− | | |
− | '''WebGoat 5.1 Release Candidate 1''' is available. This new release is platform independent. This release features:
| |
− | | |
− | * a new "show solution" feature
| |
− | * Phishing lesson
| |
− | * New database lessons - for Oracle database only
| |
− | * Multi-stage architecture which allows random access to lab stages
| |
− | | |
− | | |
− | | |
− | '''WebGoat 5.0'''
| |
− | | |
− | '''WebGoat 5.0''' has been released. Special thanks to the many people who have sent comments and suggestions and those who have put in the effort to contribute their time to this release.
| |
− | | |
− | The 5.0 release would not have been possible without the efforts of Sherif Koussa and [http://www.owasp.org/index.php/Owasp_Autumn_Of_Code_2006 OWASP Autumn of Code 2006].
| |
− | | |
− | Please send all comments to '''webgoat AT owasp.org''' regarding this release candidate. A final release is scheduled for the end of January | |
− | | |
− | == Future Development ==
| |
− | | |
− | WebGoat 5.1 - Estimated release date: Fall 2007
| |
− | | |
− | WebGoat 5.1 - Is now available via svn at google code
| |
− | | |
− | If you would like to become a member of the WebGoat source code project hosted at [http://code.google.com/p/webgoat/ Google Code] contact Bruce Mayhew at '''webgoat AT owasp.org'''.
| |
− | | |
− | | |
− | '''New Features in 5.1'''
| |
− | | |
− | * Thanks to the OWASP Spring of Code project, Erwin Geirhart has provided a complete solutions guide that is avaliable via a new "show solution" button
| |
− | | |
− | * New database lessons
| |
− | | |
− | * XSS phishing lesson is available via the source code project at Google. Using a standard search feature, your mission is to create a "login" form on the page, steal the user credentials, and post the credentials to the WebGoat Catcher servlet.
| |
− | | |
− | * Catcher servlet. Want to prove your attack works? You can now write lessons where the attack can send sensitive information to the Catcher servlet. The Catcher servlet will write the posted values into the originating lesson's properties file.
| |
− | | |
− | * Documentation. A draft version of how to solve the WebGoat Labs is available at [http://webgoat.googlecode.com/files/Solving%20the%20WebGoat%20Labs%20Draft%20V2.pdf WebGoat Google Code Downloads]
| |
− | | |
− | == Project Contributors ==
| |
− | | |
− | The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''. WebGoat distributions are currently maintained on [[http://www.sourceforge.net SourceForge]]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [[http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list]].
| |
− | | |
− | == Project Sponsors ==
| |
− | | |
− | The WebGoat project is sponsored by
| |
− | [http://www.aspectsecurity.com https://www.owasp.org/images/3/30/100px-Aspect_Security_Logo.jpg]
| |
− | | |
− | [[Category:OWASP Project]]
| |
− | [[Category:OWASP Download]]
| |
− | [[Category:OWASP Tool]]
| |
− | | |
− | __NOTOC__
| |