WebGoat

Summary

This is a tutorial and info site on the OWASP's vulnerable web application WebGoat.

OWASP WebGoat

The OWASP WebGoat project provides an insecure web application that demonstrates the most common client-side application flaws and explains and tests the vulnerabilities from the OWASP Top 10. Lessons, exercises and challenges are provided to give interested developers hands-on experience to test and better understand the material. When starting each lesson, the user is provided with content and interactive questions about the already explained material or demonstrations of the explained functionality through a dialog from different pages. The learning of the content is thus brought to the user in a playful, hands-on experience. The lessons are structured strictly according to the OWASP Top 10 and can be tested and reviewed individually.

Learning in three steps

1. Explanation of vulnerability

The platform begins by providing a comprehensive explanation of what a vulnerability is, rather than immediately delving into the act of hacking. This approach ensures that users have a solid understanding of the security issue they are dealing with before attempting to exploit it.

2. Learning by doing

Once an individual gains a comprehensive understanding of the vulnerability, WebGoat guides them through practical assignments to apply their knowledge. These assignments are integrated into the learning process, encouraging active engagement and experimentation on the platform. The program follows a 'learning by doing' approach. A 'doing' approach can reinforce understanding of the mechanics of a vulnerability.

3. Explanation of mitigation

At the conclusion of each lesson or exercise, WebGoat explains mitigation techniques. It provides a summary of potential strategies that are crucial for developers and security practitioners. These strategies help secure applications against the specific vulnerability explored, offering practical insights that can be applied. This information improves the resilience of applications to potential attacks in real-world development work.

Setup

There are three possible ways to install the programm: Standalone, Docker Image and cloning the repository (open source) ^[1]

Requirements

• Operating system:
  • Windows 8 or higher
  • Ubuntu Linux 20.04 LTS or higher
  • macOS 10.14 or higher
  • Or any other OS which is supported by Java 17
• Java 17 OR
• Docker Desktop
• Internet Browser of any type
• GIT

Installation Instructions

Run with Docker

Need to insall Docker first, then you can install WebGoat as Docker Image.

sudo apt install docker.io
sudo docker run -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amsterdam webgoat/webgoat

Standalone

Download .jar file (Java Archive file) from https://github.com/WebGoat/WebGoat/releases Make sure that you're downloading the latest version.

java -Dfile.encoding=UTF-8 -Dwebgoat.port=8080 -Dwebwolf.port=9090 -jar webgoat-2023.8.jar

Run from the sources

Clone GitHub Repository (Open Source)

git clone git@github.com:WebGoat/WebGoat.git

Compile the Project using Java 17

cd WebGoat
git checkout <<branch_name>>
# On Linux/Mac:
./mvnw clean install 

# On Windows:
./mvnw.cmd clean install

When the priject is compiled successfully we are ready to run the project. WebGoat is using Spring Boot.

# On Linux/Mac:
./mvnw spring-boot:run
# On Windows:
./mvnw.cmd spring-boot:run

Access

• The landing page will be located at: http://localhost
• WebGoat will be located at: http://localhost:8080/WebGoat
• WebWolf will be located at: http://localhost:9090/WebWolf

To gain access to the lessons and challenges, you need to register.

WebGoat Lessons

The OWASP WebGoat Lessons are embedded in the WebGoat Tool. Here, various attack vectors are demonstrated using hands-on examples. In general, WebGoat contains lessons, exercises and challenges. These lessons are divided into different categories and contain several pages of information and exercises. The challenges are more demanding and do not contain any hints. The current version 2023.4 contains 9 lessons:

• (A1) Broken Access Control (Hijack a session, Insecure Direct Object References, Missing Function Level Access Control and Spoofing an Authenticate Cookie)
• (A2) Cryptographic Failures
• (A3) Injection (SQL Injections intro/advanced/mitigation, Path traversal, Cross Site Scripting)
• (A5) Security Misconfiguration (XXE)
• (A6) Vuln & Outdated Components (Vulnerable Components)
• (A7) Identity & Auth Failure (Authentication Bypasses, Insecure Login, JWT tokens, Password reset, Secure Passwords)
• (A8) Software & Data Integrity (Insecure Deserialization)
• (A9) Security Logging Failures (Logging Security)
• (A10) Server-side Request Forgery (Cross-Site Request Forgeries, Server-side Request Forgery)

Each lesson contains further sub-chapters which each contain several pages. In the first steps, the material is explained, and in the further steps it is explained by means of exercises.

In the future additional lessons corresponding to the following topics will be added:

• Lesson about cryptography (In Progress)
• Lesson about path traversal (in progress)
• Session Management
• More password reset lessons

OWASP WebWolf

Description

Since the lessons of WebGoat cover very extensive concepts of penetration testing and therefore build critical vulnerabilities into the local system to make lessons practically implementable as well, OWASP decided to provide its own local tool called WebWolf. WebWolf is automatically delivered with the installation of WebWolf. The tool acts as a locally hosted attacker machine. This is to highlight more clearly which operations need to be performed as the attacker and which need to be performed at the target in order to successfully execute an exploit. Some lessons use WebWolf, for example, to provide a file that must be loaded onto the target machine (e.g., for persistent XSS attacks, which will be discussed in more detail later in the thesis) or to provide a connection to the own environment (ReverseTCP). Since these services should not be provided in the open and connected Internet, WebWolf was developed.

Setup

WebWolf is an included tool that is directly in the repository (Git and DockerHub) and should already be on the machine after downloading WebGoat. If the tool has already been started via a Docker image, WebWolf is already running and should be accessible at http://localhost:9090/WebWolf. If the repository is cloned locally in standalone mode, the WebWolf Java Archive file still needs to be downloaded to start it locally. This can be done with the following command. If WebWolf has been started successfully, it will also be available under the above link.

java -jar webwolf<<version>>.jar [--server.port=9090][server.address=localhost]

Use

WebWolf in the current version (8.2.2) provides the following functionalities:

• File Hosting Service
• Landing Page for incoming requests
• Email Server with Client

References