This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Section 2: WebGoat

From OWASP
Revision as of 04:12, 24 July 2008 by Stephen Evans (talk | contribs) (How it works)

Jump to: navigation, search

Overview

From the WebGoat home page at OWASP: "WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson."

WebGoat can be downloaded from http://code.google.com/p/webgoat/downloads/list. It runs within Tomcat and can either be used stand-alone "out-of-the-box" with a version of Tomcat that is packaged with it, or a WebGoat.war file can be dropped onto an existing Tomcat installation.

Explaining WebGoat and the WebGoat lessons in detail is beyond the scope of this document. Each sublesson has a solution - available from the menu at the top of each lesson - that explains the purpose of the lesson. The motivation of the WebGoat solution (which is exploiting the vulnerability) is often accompanied by screenshots of WebGoat and WebScarab, the web proxy that is used in the solutions. If the reader does not wish to go through the WebGoat lessons themselves, the solutions are the "cheat sheets" for WebGoat, and because of that the solutions are provided in this project's documentation as is. If this is insufficient, installing and using WebGoat may be necessary to gain a complete understanding of the lessons.

How it works

WebGoat users are configured in the tomcat-users.xml configuration file.

Here is the WebGoat login page, which uses Basic Authentication:

OWASP ModSecurity Securing WebGoat Section 2 SS1.jpg


Next is the entrance/start page; a JSESSIONID cookie is set for the session variable:

(screenshot)


Here is an overview of the lesson menu on the left side of the page that is used for navigation:

(screenshot)


Each WebGoat lesson is designated by the 'menu' parameter in the query string. In the above example, the 'screen' parameter will vary but the 'menu' paramater will always be xx for this lesson. There is no similar way of easily identifying sublessons within a lesson or stages within a sublesson.

(screenshot)

When a WebGoat lesson is completed successfully, there are 3 different areas that denote this:

  1. A message in red in the body of the HTML page and a green check mark beside the lesson in the menu on the left side:

(screenshot)

  1. A report card in Section 18 of WebGoat:

(screenshot)

Lesson Table Of Contents

Overview of lesson results

Retrieved from "https://wiki.owasp.org/index.php?title=Section_2:_WebGoat&oldid=34524"