This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Category:OWASP WebGoat Project"

From OWASP
Jump to: navigation, search
(Migration to new website)
 
(34 intermediate revisions by 3 users not shown)
Line 1: Line 1:
=Main=
+
We have fully migrated to the new OWASP Website!
  
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>
+
Please visit our new project page at https://www2.owasp.org/www-project-webgoat
 
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
 
 
 
==OWASP WebGoat Project==
 
 
 
[http://webgoat.github.io WebGoat 7.0]  is almost done.  The 6.0 release updated the UI and some infrastructure.  The 7.0 release separates the WebGoat Lessons from the WebGoat framework.  Lessons are now plugins that can be worked on without the code overhead of the WebGoat framework.  This change with more UI improvements was a significant achievement.  Thank you to all the volunteers!!
 
 
 
 
 
===Help Needed:===
 
 
 
* We have an immediate need for Lesson Testing.  We are using GitHub issue tracking, so jump in and give some of the lessons a try.  We accept bugs, productive comments, and enhancement requests.
 
 
 
* The new plugin architecture isolates the content to be translated to each lesson.  We could use some help with translating content and identifying quick wins for framework text that needs to be added to the translation properties.  Send email to the WebGoat mailing list if you wish to help out here.
 
 
 
* We also need UI developers with javascript (Backbone/Underscore/JQuery and/or Single Page Application ... preferred, not required) experience as well as someone with design experience.  Please send an email to Bruce Mayhew [email protected] and/or [email protected] if you are interested in helping.
 
 
 
* We need some new lessons.  If you've run across a particularly interesting exploit in the field, create a lesson for it and contribute to the community.  Instructions for creating a lesson are under the General menu in WebGoat.
 
 
 
==Introduction==
 
 
 
'''WebGoat''' is a deliberately insecure web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. You can install and practice with WebGoat in either J2EE (this page) or [http://owasp.org/index.php/WebGoatFor.Net WebGoat for .Net] in ASP.NET. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.
 
 
 
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!
 
 
 
'''To get started:
 
* For the Latest WebGoat, go here: https://github.com/WebGoat/WebGoat
 
* For version 6.0, see the legacy repo at https://github.com/WebGoat/WebGoat-Legacy
 
 
 
==Description==
 
 
 
WebGoat for J2EE is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:
 
{|
 
|valign="top"|
 
* [[Cross-site Scripting (XSS)]]
 
* Access Control
 
* [[Race conditions|Thread Safety]]
 
* [[Unvalidated_Input|Hidden Form Field Manipulation]]
 
* Parameter Manipulation
 
* [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]
 
* Blind [[SQL injection|SQL Injection]]
 
|valign="top"| 
 
* Numeric SQL Injection
 
* String SQL Injection
 
* [[Web Services]]
 
* [[Improper_Error_Handling|Fail Open Authentication]]
 
* Dangers of HTML Comments
 
* ... and many more!
 
|}
 
 
 
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]].
 
 
 
 
 
==Licensing==
 
OWASP WebGoat Project is free to use. It is licensed under the GNU General Public License version 2.0 (GPLv2)
 
 
 
==Project Sponsors==
 
The WebGoat project is sponsored by
 
{{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}
 
 
 
 
 
| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
 
 
 
== What is WebGoat? ==
 
 
 
OWASP WebGoat Project provides:
 
 
 
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.
 
The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.
 
 
 
 
 
== Presentation ==
 
Aung Khant (YGN Ethical Hacker Group) has created a series of movies showing possible solutions to the WebGoat lessons.  These training movies can be viewed at  
 
 
 
http://yehg.net/lab/pr0js/training/webgoat.php
 
 
 
Feel free to contact him for any help with WebGoat.
 
 
 
* [http://yehg.net/lab/pr0js/training/webgoat.php#General General]
 
* [http://yehg.net/lab/pr0js/training/webgoat.php#Code_Quality Code Quality]
 
* [http://yehg.net/lab/pr0js/training/webgoat.php#Concurrency Concurrency ]
 
* [http://yehg.net/lab/pr0js/training/webgoat.php#Unvalidated_Parameters Unvalidated Parameters]
 
* [http://yehg.net/lab/pr0js/training/webgoat.php#Access_Control_Flaws Access Control Flaws]
 
* [http://yehg.net/lab/pr0js/training/webgoat.php#Authentication_Flaws Authentication Flaws]
 
* [http://yehg.net/lab/pr0js/training/webgoat.php#Session_Management_Flaws Session Management Flaws]
 
* [http://yehg.net/lab/pr0js/training/webgoat.php#Cross-Site_Scripting_(XSS) Cross-Site Scripting (XSS)]
 
* [http://yehg.net/lab/pr0js/training/webgoat.php#Buffer_Overflows Buffer Overflows]
 
* [http://yehg.net/lab/pr0js/training/webgoat.php#Injection_Flaws Injection Flaws]
 
* [http://yehg.net/lab/pr0js/training/webgoat.php#Insecure_Storage Insecure Storage]
 
* [http://yehg.net/lab/pr0js/training/webgoat.php#Denial_of_Service_(DOS) Denial of Service (DOS)]
 
* [http://yehg.net/lab/pr0js/training/webgoat.php#Insecure_Configuration_Insecure Configuration]
 
* [http://yehg.net/lab/pr0js/training/webgoat.php#Web_Services Web Services]
 
* [http://yehg.net/lab/pr0js/training/webgoat.php#AJAX_Security AJAX Security]
 
* [http://yehg.net/lab/pr0js/training/webgoat.php#Challenge Challenge]
 
 
 
== Project Leaders ==
 
 
 
[mailto:[email protected] Bruce Mayhew]<br/>
 
[mailto:[email protected] Nanne Baars]<br/>
 
[mailto:[email protected] Jason White]
 
 
 
== Related Projects ==
 
 
 
 
 
 
 
== Ohloh ==
 
 
 
 
 
 
 
| valign="top"  style="padding-left:25px;width:200px;" |
 
 
 
== Quick Download ==
 
 
 
*Latest Release @ [https://github.com/WebGoat/WebGoat-Legacy/releases/latest WebGoat-Legacy]
 
 
 
*Source Code @ [https://github.com/WebGoat/WebGoat-Legacy WebGoat-Legacy on Github]
 
 
 
*Latest Info @ [http://webgoat.github.io/ WebGoat Project Home]
 
 
 
== Email List ==
 
 
 
[https://lists.owasp.org/mailman/listinfo/owasp-webgoat Sign Up]
 
 
 
== News and Events ==
 
*WebGoat 6.1 to be released fall 2015
 
 
 
== In Print ==
 
*[http://www.lulu.com/shop/owasp/owasp-webgoat-and-webscarab/paperback/product-1889624.html Download or purchase on Lulu].
 
 
 
 
 
==Classifications==
 
 
 
  {| width="200" cellpadding="2"
 
  |-
 
  | align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
 
  | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] 
 
  |-
 
  | align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
 
  |-
 
  | colspan="2" align="center"  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
 
  |-
 
  | colspan="2" align="center"  | [[File:Project_Type_Files_CODE.jpg|link=]]
 
  |}
 
 
 
|}
 
 
 
=FAQs=
 
'''Q:''' Are you aware that lesson X does not work? 
 
 
 
'''A:''' We may be.  Head over to https://github.com/WebGoat/WebGoat-Lessons and log an issue if there is a specific, you have encountered on a lesson. Give us as much information as you can.
 
 
 
 
'''Q:''' When will WebGoat 7 be 'released'?
 
 
 
'''A:''' As soon as we can get a critical mass of lessons we feel are necessary. Current target is late January to Early Feb. 2016
 
 
 
 
 
The rest are questions we hope people ask, but maybe haven't really yet ...
 
 
 
 
 
'''Q:''' Do you need help?
 
 
 
'''A:''' Of course we would always love help, especially with testing and feedback.  Experienced Java, UI and Design folk are welcome as well. Security professionals willing to develop content are also welcome, of course.
 
 
 
 
 
'''Q:''' How do I get involved?
 
 
 
'''A:''' Fork the repo. (https://help.github.com/articles/fork-a-repo/) you want to work on and stay in sync with the mainstream development in master (https://help.github.com/articles/syncing-a-fork/)
 
 
 
 
 
'''Q:''' What's the difference between the repo at https://github.com/WebGoat/WebGoat and the repo at https://github.com/WebGoat/WebGoat
 
 
 
'''A:''' As of WebGoat 7, the architecture is more modular and lessons can be loaded dynamically. The first repo is for the 'container' or main 'framework' for containing lessons.  The WebGoat-Lessons repo. is for lesson development
 
 
 
 
 
'''Q:''' How do I author a lesson for WebGoat?
 
 
 
'''A:''' We are working on that.  For WebGoat 8, we plan to make that much simpler (read, no more ECS!). We still hope/plan to provide a stripped down lesson template for 7.x
 
 
 
= Acknowledgements =
 
==Volunteers==
 
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''.  WebGoat distributions are currently maintained on [https://github.com/WebGoat GitHub]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list].
 
 
 
= Road Map and Getting Involved =
 
The project's overall goal is to...
 
 
 
  Be the defacto standard web application security training environment
 
 
 
In the near term, we are focused on the following tactical goals...
 
 
 
# Test all the lessons in WebGoat 7
 
# Add educational support for secure coding practices
 
# Enhance enterprise lesson tracking
 
# Attract more contributions of lessons
 
# Translate all lessons to other languages
 
# Increase ease-of-use and expand user base
 
 
 
Here are the current tasks defined to help us achieve these goals
 
 
 
'''Architectural'''
 
* Create a service layer (done)
 
* Creater plugin architecture and port all lessons to plugins (done)
 
* Remove dependencies on Tomcat (done)
 
* Rewrite user administration to allow better user management (non-hackable)
 
* Fix Logoff (done)
 
* Defuse all lessons to disallow inadvertent harm to user's OS
 
 
 
'''General'''
 
* General security cleanup. Remove exploits that are not lesson specific
 
* Remove non working lessons
 
*
 
 
 
'''New Lessons'''
 
* Server side forward allows access to WEB-INF resources
 
* XML attacks - Entity recursion, ...
 
 
 
For more information contact Bruce Mayhew at webgoat at owasp dot org
 
 
 
 
 
Involvement in the development and promotion of WebGoat is actively encouraged!
 
You do not have to be a security expert in order to contribute.
 
 
 
=Project About=
 
{{:Projects/OWASP_WebGoat_Project_Page}}
 
 
 
__NOTOC__ <headertabs />
 
 
 
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Document]][[Category:SAMM-EG-1]]
 

Latest revision as of 20:43, 17 November 2019

We have fully migrated to the new OWASP Website!

Please visit our new project page at https://www2.owasp.org/www-project-webgoat