Skip to content

CryptoHackz/WebGoat

Repository files navigation

WebGoat: A deliberately insecure Web Application

Build Status Coverage Status Codacy Badge Dependency Status OWASP Labs

Important Information

The WebGoat Lesson Server, is currently UNDER MAJOR DEVELOMENT.

As of February 1st 2016, the version "7.0.1" is considered the first STABLE version of a major architecture and UI changes.

Older/Legacy version of WebGoat an be found at: WebGoat-Legacy

WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons.

This program is a demonstration of common server-side application flaws. The exercises are intended to be used by people to learn about application security and penetration testing techniques.

WARNING 1: While running this program your machine will be extremely vulnerable to attack. You should to disconnect from the Internet while using this program. WebGoat's default configuration binds to localhost to minimize the exposure.

WARNING 2: This program is for educational purposes only. If you attempt these techniques without authorization, you are very likely to get caught. If you are caught engaging in unauthorized hacking, most companies will fire you. Claiming that you were doing security research will not work as that is the first thing that all hackers claim.

Easy Run ( For non-developers )

Every successful build of the WebGoat Lessons Container and the WebGoat Lessons in our Continuous Integration Server creates an "Easy Run" Executable JAR file, which contains the WebGoat Lessons Server, the lessons and a embedded Tomcat server.

You can check for the "Last Modified" date of our "Easy Run" jar file HERE

The "Easy Run" JAR file offers a no hassle approach to testing and running WebGoat. Follow these instructions if you wish to simply try/test/run the current development version of WebGoat

Prerequisites:

  • Java VM 1.8

Easy Run Instructions:

1. Download the easy run executable jar file which contains all the lessons and a embedded Tomcat server:

https://s3.amazonaws.com/webgoat-war/webgoat-standalone-7.0.1-exec.jar

2. Run it using java:

Open a command shell/window, browse to where you downloaded the easy run jar and type:

java -jar webgoat-standalone-7.0.1-exec.jar [-p | --p <port>] [-a | --address <address>]

Using the --help option will show the allowed command line arguments.

3. Browse to the url shown in the console and happy hacking !

For Developers

Follow these instructions if you wish to run Webgoat and modify the source code as well.

Prerequisites:

  • Java 1.8
  • Maven > 2.0.9
  • Your favorite IDE, with Maven awareness: Netbeans/IntelliJ/Eclipse with m2e installed.
  • Git, or Git support in your IDE

The Easy Way: Developer Edition run using Linux or Mac

The webgoat_developer_bootstrap.sh script will clone the necessary repositories, call the maven goals in order launch Tomcat listening on localhost:8080

mkdir WebGoat-Workspace
cd WebGoat-Workspace
curl -o webgoat_developer_bootstrap.sh https://raw.githubusercontent.com/WebGoat/WebGoat/master/webgoat_developer_bootstrap.sh
./webgoat_developer_bootstrap.sh

The Manual Way: Developer Edition!

Cloning the Lesson Server and the Lessons project:

Open a command shell/window, navigate to where you wish to download the source and type:

git clone https://github.com/WebGoat/WebGoat.git
git clone https://github.com/WebGoat/WebGoat-Lessons.git

Now let's start by compiling the WebGoat Lessons server.

cd WebGoat
git checkout develop
mvn clean compile install
cd ..

Before you can run the project, we need to compile the lessons and copy them over:

If you don't run this step, you will not have any Lessons to work with!

cd WebGoat-Lessons
git checkout develop
mvn package
cp target/plugins/*.jar ../WebGoat/webgoat-container/src/main/webapp/plugin_lessons/
cd ..

Now we are ready to run the project. There are 3 options you can choose from to run the project:

Then you can run the project with one of the steps below (From the WebGoat folder not WebGoat-Lessons):

Option #1: Using the Maven-Tomcat Plugin

The maven tomcat7:run-war goal runs the project in an embedded tomcat:

cd WebGoat
mvn -pl webgoat-container tomcat7:run-war

Browse to http://localhost:8080/WebGoat and happy hacking !

Option #2: Java executable JAR

The maven package goal generates an executable .jar file:

cd WebGoat
mvn package
cd webgoat-standalone/target
java -jar webgoat-standalone-7.1-SNAPSHOT-exec.jar [-p | --p <port>] [-a | --address <address>]

Browse to url shown in the console and happy hacking !

Option #3: Deploy the WebGoat WAR file in your local Tomcat or other Application Server:

The maven package goal generates a .war file that can deployed into an Application Server, such as Tomcat

cd WebGoat
mvn package
cp webgoat-container/target/webgoat-container-7.1-SNAPSHOT.war <your_tomcat_directory>/webapps/

Browse to http://localhost:8080/WebGoat and happy hacking !

Debugging and Troubleshooting

Reloading plugins and lessons

If you want to reload all the plugin and lessons, open a new browser tab and visit the following url:

http://localhost:8080/WebGoat/service/reloadplugins.mvc

After the plugin reload is complete, reloading a message will appear and you can refresh the main WebGoat browser tab.

Debugging label properties

To be able to see which labels are loaded through a property file, open a new browser tab and visit the following url:

http://localhost:8080/WebGoat/service/debug/labels.mvc

Switch back to the main WebGoat broswer tab and reload the main WebGoat browser tab.

After the reload is complete, all labels which where loaded from a property file will be marked green.

Packages

No packages published

Languages

  • JavaScript 47.5%
  • Java 36.0%
  • HTML 13.6%
  • CSS 2.6%
  • Shell 0.1%
  • Dockerfile 0.1%
  • Other 0.1%