WebGoat is a web-based application, built on the Java EE architecture, that explains typical web vulnerabilities. It is designed and maintained by OWASP, the well-known web application security research organization, and the current version is 5.0. WebGoat itself is a series of tutorials: each one deliberately builds in a number of web bugs, gives step-by-step instructions on how to exploit these vulnerabilities, and explains how to avoid them when programming and coding. Web application designers and testers can each find parts of WebGoat that interest them.
Although WebGoat offers many explanations of how to exploit the vulnerabilities, they are still relatively limited, especially for beginners, but I feel that this is precisely its feature: each of WebGoat's tutorials tells you clearly which vulnerability exists, but how to break it is up to you. You have to access the data, understand the principle of the vulnerability, its characteristics and attack methods, and even find your own attack aids. When you succeed, WebGoat shows a red congratulation so that you have a sense of accomplishment. (This is what I call technology?)
WebGoat even supports adding your own tutorials; see its documentation for the specific steps.
The vulnerability tutorials included in WebGoat mainly cover:
Cross-site Scripting (XSS)
Access Control
Thread Safety
Hidden Form Field Manipulation
Parameter Manipulation
Weak Session Cookies
Blind SQL Injection
Numeric SQL Injection
String SQL Injection
Web Services
Fail Open Authentication
Dangers of HTML Comments
When using WebGoat, it is recommended to compare the lessons against the following three OWASP documents, which are useful companions:
OWASP Testing Guide 3.0
OWASP Code Review Guide 1.1
OWASP Development Guide 2.0
If you have never come into contact with OWASP before, you should feel a sense of excitement when you see these documents.
Here's a quick look at the installation method (under Windows):
First download webscarab-current.zip (this one bundles its own Tomcat; there is also a way to download the WAR file, but then you need to install Tomcat yourself, so the first is recommended) from http://www.owasp.org/index.php/Category:owasp_webgoat_project, extract it to a folder, and run Webgoat.bat, which starts the bundled Tomcat. Then browse to http://localhost/WebGoat/attack and log in with user name guest and password guest. If you get 404 errors, edit the "tomcat\webapps\webgoat\batabase\" entry in Webgoat.bat and remove the "databse" part, as shown in the following figure:
It is worth noting that by default Tomcat listens only on 127.0.0.1 port 80, so other machines cannot reach it. This is deliberate, for security reasons, because WebGoat contains so many vulnerabilities. If you want to use it for learning from other machines, you can bind it to 0.0.0.0: edit Server-80.xml under the Tomcat directory, change every 127.0.0.1 to 0.0.0.0, and rerun Webgoat.bat. Server-8080.xml can be changed the same way, but it only takes effect when you run webgoat_8080.bat.
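Because opening WebGoat's Tomcat to 0.0.0.0 exposes a deliberately vulnerable application, it is worth being able to check quickly which Connectors are reachable from other hosts. The following is an added example, not code from the original post or from the WebGoat project: it parses a Tomcat server.xml and reports each Connector's binding. The XML below is a constructed sample in the shape of server.xml, not WebGoat's actual Server-80.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a Tomcat server.xml (not WebGoat's actual
# Server-80.xml): one Connector bound to loopback, one opened to all interfaces,
# and one with no address attribute at all.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" address="127.0.0.1" protocol="HTTP/1.1"/>
    <Connector port="8080" address="0.0.0.0" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def connector_bindings(server_xml: str):
    """Return (port, address, exposed) for every Connector in a server.xml.

    Tomcat listens on all local addresses when the 'address' attribute is
    absent, so a missing attribute is treated as exposed, not as safe.
    """
    root = ET.fromstring(server_xml)
    results = []
    for conn in root.iter("Connector"):
        port = int(conn.get("port"))
        address = conn.get("address", "0.0.0.0")  # absent = all interfaces
        exposed = address not in LOOPBACK
        results.append((port, address, exposed))
    return results


def exposed_ports(server_xml: str):
    """Ports reachable from other hosts; for a lab app this list should be empty."""
    return sorted(port for port, _, exposed in connector_bindings(server_xml) if exposed)


if __name__ == "__main__":
    for port, address, exposed in connector_bindings(SAMPLE_SERVER_XML):
        state = "EXPOSED to the network" if exposed else "loopback only"
        print(f"port {port:>5} address {address:<10} {state}")
```

Point the script at the bundled Tomcat's own Server-80.xml (or Server-8080.xml) after editing it to confirm which listener you actually opened.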
I learned about WebGoat, this nice little tool, through contact with the Fortify vendors; Fortify is also a major sponsor of OWASP, and their Program Tracking Analyzer (PTA) and Static Code Analyzer (SCA) often use WebGoat for demos. Unfortunately I did not save the Fortify analysis results, and Fortify does not provide a demo version, so I had to use IBM's AppScan (acquired from Watchfire) to see whether WebGoat really has that many vulnerabilities. The scan results are as follows:
There are indeed numerous vulnerabilities. OK, let's start studying.