Good day, web developers! Today, we are going to discuss a super useful application that teaches you web application security lessons. Say hello to WebGoat, a deliberately insecure web application developed by OWASP, with the intention of teaching how to fix common web application flaws in real-time with hands-on exercises. This application can be quite useful for those who want to learn about application security and penetration testing techniques.
A word of caution: WebGoat is PURELY FOR EDUCATIONAL PURPOSES. It makes your system extremely vulnerable to attackers, so I strongly recommend that you use it in a virtual machine in your local area network. Don't connect your testing machine to the Internet. You have been warned!
How to deploy WebGoat
WebGoat can be deployed either using Docker or as a standalone application. Since it is purely for learning and educational purposes, I prefer to use it in Docker.
Install WebGoat using Docker
Refer to the following links to install Docker if you haven't installed it already.
After installing Docker, run the following command to deploy WebGoat.
$ docker run -it -p 127.0.0.1:80:8888 -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Asia/Kolkata webgoat/goatandwolf:v8.2.2
Replace the timezone with your own in the above command.
This command will pull the WebGoat Docker image and start the WebGoat and WebWolf instances in a few minutes. Once it has started, you will see output like the following.
[...]
2017-12-05 11:22:50,132 INFO - FrameworkServlet 'mvc-dispatcher': initialization completed in 533 ms
2017-12-05 11:22:50,171 INFO - Initializing main webgoat servlet
2017-12-05 11:22:50,173 INFO - Browse to http://localhost:8080/WebGoat and happy hacking!
Dec 05, 2017 11:22:50 AM org.apache.coyote.http11.Http11Protocol start
INFO: Starting ProtocolHandler ["http-bio-8080"]
After the Docker image is launched, you can access the landing page, WebGoat and WebWolf interfaces at the following URLs.
- The landing page -
- WebGoat dashboard -
- WebWolf interface -
Install WebGoat as a standalone application
Make sure you have installed Java. Then, download the latest WebGoat version from the releases page.
Finally, start WebGoat as shown below.
$ java -Dfile.encoding=UTF-8 -jar webgoat-server-8.2.2.jar [--server.port=8080] [--server.address=localhost] [--hsqldb.port=9001]
$ java -Dfile.encoding=UTF-8 -jar webwolf-8.2.2.jar [--server.port=9090] [--server.address=localhost] [--hsqldb.port=9001]
Now it is time to fix the vulnerabilities. As I mentioned earlier, disconnect from the Internet before you start using it.
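A check worth running before opening the lessons, as an added example that is not part of the original article: it reads `ss -tln` output and lists any listener on the ports used in the commands above (80, 8080, 9090, 9001) that is bound to a non-loopback address. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): list WebGoat/WebWolf
# listeners that other hosts can reach. Ports are the ones used in the
# commands above: 80, 8080, 9090 (Docker mappings) and 9001 (HSQLDB).
WEBGOAT_PORTS="80 8080 9090 9001"

# Reads `ss -tln` output on stdin and prints the local address:port of every
# listener on a WebGoat port that is not bound to loopback.
# Exit status: 0 if none found, 1 if at least one is exposed.
exposed_listeners() {
    awk -v ports="$WEBGOAT_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            laddr = $4
            port = laddr; sub(/^.*:/, "", port)      # text after the last colon
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            if (!(port in want)) next                # not a WebGoat port
            # Loopback forms: 127.0.0.0/8, [::1], IPv4-mapped [::ffff:127.x.x.x]
            if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./) next
            print laddr; bad = 1                     # wildcard or LAN address
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample of `ss -tln` output: 8080 and 80 are loopback-only,
# 9090 and 9001 listen on all interfaces, 22 is not a WebGoat port.
sample_ss_output() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4096       127.0.0.1:8080       0.0.0.0:*
LISTEN 0      4096         0.0.0.0:9090       0.0.0.0:*
LISTEN 0      4096       127.0.0.1:80         0.0.0.0:*
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096            [::]:9001          [::]:*
EOF
}

# Demo on the constructed sample; on the test machine run instead:
#   ss -tln | exposed_listeners
sample_ss_output | exposed_listeners || echo "WebGoat ports reachable from the network"
```

Any line it prints means the `-p 127.0.0.1:...` prefix or `--server.address=localhost` was dropped or overridden for that port.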
How To Fix Web Application Flaws In Real-time Using WebGoat
Open up your web browser and navigate to http://localhost:8080/WebGoat or http://IP-address:8080/WebGoat. You will see the following screen.
Log in with: webgoat/webgoat. This is the administrative login. You can also use a normal user account: guest/guest.
Now, you will land in the overview section of WebGoat, where you will find various instructions on how to work with WebGoat to fix common flaws and vulnerabilities of a web application.
As you can see, there are many lesson categories in the left pane. Click on a category to view the included lessons.
For example, let me choose Injection Flaws -> Command Injection lesson plan.
As you can see, there are 5 tabs for the selected lesson.
- Show Source - This will show the underlying Java source code.
- Show Solution - This will show the complete solution of the selected lesson.
- Show Plan - This will show goals and objectives of the lesson.
- Show Hints - This will show technical hints to solve the lesson.
- Restart Lesson - If you want to restart a lesson you can use this link.
Click on each lesson and try to solve it, using the hints if necessary. If you cannot solve the lesson using the hints, view the solution for complete details.