This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Category:OWASP WebGoat Project
OWASP WebGoat ProjectWebGoat 7.0 is done. The 6.0 release updated the UI and some infrastructure. WebGoat 7 is the latest in a series of infrastructure improvements to move WebGoat into the modern era. With the new plugin architecture and separation of the server framework from the lessons, lessons now require just a few lines of code. Lessons can now be produced without having to understand the entirety of the WebGoat server. This release contains both the WebGoat container and 50+ lessons created by the WebGoat team.. Thank you to all the volunteers!!
Help Needed:
IntroductionWebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. You can install and practice with WebGoat. There are other 'goats' such as WebGoat for .Net. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application aims to provide a realistic teaching environment, providing users with hints and code to further explain the lesson. Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? Just blame it on the 'Goat! To get started:
DescriptionWebGoat for J2EE is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:
For more details, please see the WebGoat User and Install Guide.
LicensingOWASP WebGoat Project is free to use. It is licensed under the GNU General Public License version 2.0 (GPLv2) Project SponsorsThe WebGoat project is sponsored by
|
What is WebGoat?OWASP WebGoat Project provides: Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission. The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.
Project LeadersBruce Mayhew Related ProjectsQuick Download
Email ListNews and Events
Classifications |
Q: Are you aware that lesson X does not work?
A: We may be. Head over to https://github.com/WebGoat/WebGoat-Lessons and log an issue if there is a specific, you have encountered on a lesson. Give us as much information as you can.
Q: When will WebGoat 7 be 'released'?
A: As soon as we can get a critical mass of lessons we feel are necessary. Current target is late January to Early Feb. 2016
The rest are questions we hope people ask, but maybe haven't really yet ...
Q: Do you need help?
A: Of course we would always love help, especially with testing and feedback. Experienced Java, UI and Design folk are welcome as well. Security professionals willing to develop content are also welcome, of course.
Q: How do I get involved?
A: Fork the repo. (https://help.github.com/articles/fork-a-repo/) you want to work on and stay in sync with the mainstream development in master (https://help.github.com/articles/syncing-a-fork/)
Q: What's the difference between the repo at https://github.com/WebGoat/WebGoat and the repo at https://github.com/WebGoat/WebGoat
A: As of WebGoat 7, the architecture is more modular and lessons can be loaded dynamically. The first repo is for the 'container' or main 'framework' for containing lessons. The WebGoat-Lessons repo. is for lesson development
Q: How do I author a lesson for WebGoat?
A: We are working on that. For WebGoat 8, we plan to make that much simpler (read, no more ECS!). We still hope/plan to provide a stripped down lesson template for 7.x
Volunteers
The WebGoat project is run by Bruce Mayhew. He can be contacted at webgoat AT owasp.org. WebGoat distributions are currently maintained on GitHub. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat mailing list.
Road Map / Goals
The project's overall goal is to...
Be the defacto standard web application security training environment
In the near term, we are focused on the following tactical goals...
- Add educational support for secure coding practices
- Enhance enterprise lesson tracking
- Attract more contributions of lessons
- Translate all lessons to other languages
- Increase ease-of-use and expand user base
Here are the current tasks defined to help us achieve these goals
Architectural
- Create a service layer (done)
- Creater plugin architecture and port all lessons to plugins (done)
- Remove dependencies on Tomcat (done)
- Rewrite user administration to allow better user management (non-hackable)
- Fix Logoff (done)
- Defuse all lessons to disallow inadvertent harm to user's OS
General
- General security cleanup. Remove exploits that are not lesson specific
- Remove non working lessons
New Lessons
- Server side forward allows access to WEB-INF resources
- XML attacks - Entity recursion, ...
Getting Involved
For more information contact one of the project leads. Involvement in the development and promotion of WebGoat is actively encouraged! You do not have to be a security expert in order to contribute.
If you'd like to contribute coding-wise ...
- Get on the WebGoat mailing list (http://lists.owasp.org/mailman/listinfo/owasp-webgoat)
- Fork one of the repo's on github:
- https://github.com/WebGoat/WebGoat << this is the WebGoat 'container'. Instructions on getting up and running are here as well.
- https://github.com/WebGoat/WebGoat-Lessons << this is the Lesson repository
- Keep you repo in sync (https://help.github.com/articles/syncing-a-fork/)
- Issue pull requests as you fix bugs, add features etc.
Testers are always welcome/needed. Again, log issues and features requests at https://github.com/WebGoat/WebGoat. If you are a college or university and would like to use WebGoat for classes, we'd especially love to hear your feedback and what content/lessons you would like to see added to the project.
Adding content/lesssons We are working to make adding your own content easier and to integrate with other OWASP projects/content. We'd love to hear from you to move this forward.
PROJECT INFO What does this OWASP project offer you? |
RELEASE(S) INFO What releases are available for this project? | |||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
Pages in category "OWASP WebGoat Project"
The following 17 pages are in this category, out of 17 total.