|
|
| (183 intermediate revisions by 23 users not shown) |
| Line 1: |
Line 1: |
| − | '''WebGoat''' is a fully-fledged J2EE web application maintained by [[OWASP]] designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.
| + | We have fully migrated to the new OWASP Website! |
| | | | |
| − | Why the name WebGoat? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? Just blame it on the Goat!
| + | Please visit our new project page at https://www2.owasp.org/www-project-webgoat |
| − | | |
| − | ==Goals==
| |
| − | | |
| − | Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.
| |
| − | | |
| − | The primary goal of the WebGoat project is simple: ''create a de-facto interactive teaching environment for web application security''. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.
| |
| − | | |
| − | ==Download==
| |
| − | | |
| − | You can download WebGoat from the [[:Category:OWASP_Download|OWASP Download page]]. There are versions with and without Java, and installation only requires unzipping the download and running start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your application server.
| |
| − | | |
| − | == Overview ==
| |
| − | WebGoat is written in Java and therefore installs on any platform with a Java virtual machine. There are automated installers for Linux, OS X Tiger and Windows. Current lessons include:
| |
| − | | |
| − | * [[Cross Site Scripting]]
| |
| − | * [[Race condition within a thread|Thread Safety]]
| |
| − | * [[Unvalidated_Input|Hidden Form Field Manipulation]]
| |
| − | * Parameter Manipulation
| |
| − | * [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]
| |
| − | * Blind [[SQL injection|SQL Injection]]
| |
| − | * Numeric SQL Injection
| |
| − | * String SQL Injection
| |
| − | * [[Web Services]]
| |
| − | * [[Improper_Error_Handling|Fail Open Authentication]]
| |
| − | * Dangers of HTML Comments
| |
| − | * ... and many more!
| |
| − | | |
| − | Click here to view the screenshots!
| |
| − | | |
| − | == Newest Release ==
| |
| − |
| |
| − | On Thursday, May 25th, OWASP was pleased to announce the release of '''WebGoat 4.0'''. OWASP would like to thank Laurence Casey, Jeremy Ferragamo, Alex Smolen, Rogan Dawes, Chuck Willis and the many people who have sent comments and suggestions.
| |
| − | | |
| − | == New Key Features ==
| |
| − | | |
| − | The new key features of WebGoat 4.0 include:
| |
| − | * Complete visual overhaul using CSS
| |
| − | * New lesson architecture
| |
| − | * New lessons
| |
| − | | |
| − | | |
| − | Key features added in recent versions include:
| |
| − | * Now runs on Linux and OSX 10.4
| |
| − | * Is now current in CVS
| |
| − | * Improved ant build process and Unix support
| |
| − | * Infrastructure changes to support multi-stage lessons
| |
| − | * Eclipse development release
| |
| − | * Minor screen improvements
| |
| − | * Web services lessons
| |
| − | * Blind SQL injection lesson
| |
| − | * Weak session identifier lesson
| |
| − | * Split SQL injection lesson into numeric and string SQL injection lessons
| |
| − | * Added parameterized query stage to SQL injection lessons
| |
| − | * Additional stage for Basic Authentication lesson
| |
| − | * Summary report card for multi-user environment
| |
| − | | |
| − | == Project Contributors ==
| |
| − | | |
| − | The WebGoat project was conceived by Jeff Williams, who developed the initial version. Bruce Mayhew now leads the project. The WebGoat framework is extremely easy to extend with additional lessons. We are actively seeking developers to add new lessons. Please contact Bruce or send a message to the owasp-webgoat mailing list. Thanks!
| |
| − | | |
| − | == Project Sponsors ==
| |
| − | | |
| − | The WebGoat project is sponsored by [[Aspect Security]].
| |
| − | | |
| − | ==Feedback and Participation==
| |
| − | | |
| − | WebGoat is currently maintained on [[http://www.sourceforge.net SourceForge]]. Comments, questions and suggestions are always welcome on the WebGoat [[http://lists.sourceforge.net/lists/listinfo/owasp-webgoat mailing list]]. Thanks, and blame it on the Goat!
| |
| − | | |
| − | [[Category:OWASP Project|OWASP Project]]
| |
| − | [[Category:OWASP Tool|OWASP Tools]]
| |
| − | [[Category:OWASP Download|OWASP Downloads]]
| |
