EH-Net

Features => Opinions => Topic started by: Synquell on March 22, 2010, 05:51:36 AM



Title: Opinions on Webgoat
Post by: Synquell on March 22, 2010, 05:51:36 AM
Hi everyone,

For years I've mostly been reading about network security, but now I feel I want to dive into application security some (a lot) more.

I've been chatting with a friend of mine from a distant land, who does a lot of application security auditing and who is quite active with OWASP.
He recommended WebGoat to me as a good starting point.

It certainly seems an interesting piece of software to practice on, but just to make sure, I wanted to ask around here for opinions: did you do the lessons of WebGoat, and did you learn a thing or two from them?
Remember: I am a complete newbie in the field of appsec, however I have a fair bit of programming experience, which I hope will help to get in the right state of mind.

If it might be useful, I'm thinking of writing a little piece about my experiences with WebGoat once I'm going for it. As far as I can find, there is no such article on EHN yet?

Thanks in advance,

Dieter



Title: Re: Opinions on Webgoat
Post by: UNIX on March 22, 2010, 06:12:55 AM
WebGoat is a great learning tool and I can recommend it especially to those who have only little or no experience in this area. Intermediates should be able to learn and practice some new techniques as well. The learning curve is manageable and the scenarios are legit. As there are solutions included as well, one should be able to get through it and understand the concepts. You also have the possibility to create your own scenarios, which is a nice feature too.

Setup is very straightforward, so just try it out and decide for yourself. ;)


Title: Re: Opinions on Webgoat
Post by: H1t M0nk3y on March 22, 2010, 06:50:58 AM
Hi Anquilas,

Being a programmer too, I also think WebGoat is good for doing a one-hour demo for the other developers. Once you have gone through the exercises and understood them, you can decide to put it on a laptop and demonstrate the main attacks to the others. I found this very effective in making the other developers realize the importance of validating user input, etc.

I personally think WebGoat is a good learning tool.
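
The "validating user input" point above, as an added example that is not part of this post and not WebGoat's own code: a login check built by string concatenation next to the same check using bound parameters, run against a constructed in-memory SQLite table (WebGoat itself is a Java application; Python and sqlite3 are used here only to keep the demo short). The user rows and the `' OR '1'='1` payload are constructed sample data.

```python
import sqlite3

# Constructed sample data: a tiny user table standing in for the login
# form of a demo app (not real WebGoat data).
SAMPLE_USERS = [("admin", "s3cret"), ("alice", "wonderland")]


def make_db():
    """Create an in-memory database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Deliberately vulnerable: the inputs are spliced into the SQL text,
    so quote characters in them become SQL syntax rather than data."""
    query = ("SELECT name FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(query))


def login_hardened(conn, name, password):
    """Hardened: bound parameters keep the inputs as data only.
    The quote characters are compared literally, never parsed as SQL."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (name, password)))


def demo():
    """Run both checks with honest credentials and with the classic
    tautology payload; returns the matched user names for each case."""
    conn = make_db()
    payload = "' OR '1'='1"  # constructed attack string
    return {
        # honest login works in both variants
        "vulnerable_honest": login_vulnerable(conn, "alice", "wonderland"),
        "hardened_honest": login_hardened(conn, "alice", "wonderland"),
        # the payload turns the WHERE clause into a tautology here...
        "vulnerable_attack": login_vulnerable(conn, payload, payload),
        # ...but matches no row when the inputs are bound as parameters
        "hardened_attack": login_hardened(conn, payload, payload),
    }


if __name__ == "__main__":
    for case, users in demo().items():
        print(f"{case:18s} -> {users}")
```

The vulnerable variant returns every user for the payload because the generated statement reads `... WHERE name = '' OR '1'='1' AND password = '' OR '1'='1'`, which is true for all rows; the parameterized variant returns nothing because it looks for a user literally named `' OR '1'='1`. Printing the generated query string alongside the result is what tends to make the point land in a developer demo.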



Title: Re: Opinions on Webgoat
Post by: Jhaddix on March 22, 2010, 05:13:05 PM
Dieter,

To specifically answer your question, yes, I think a write-up on working your way through the WebGoat vulnerabilities would be useful to many newcomers to the site, even if it's just your experiences.

Plus, something I know for a fact is that most people learn well by practical exposure, and the best way to retain the knowledge is teaching it to others =)


Title: Re: Opinions on Webgoat
Post by: Knb15 on March 22, 2010, 09:42:29 PM
I've bookmarked that site, and have just been waiting to have enough time to go through WebGoat myself. I would love to read a write up of your experiences going through it.

Seems like a very useful learning tool.


Title: Re: Opinions on Webgoat
Post by: digitalcliff on March 22, 2010, 10:51:24 PM
I agree that WebGoat is an excellent learning and teaching tool. If you are not comfortable setting it up on your own, I would suggest taking a look at the owaspbwa virtual image from http://code.google.com/p/owaspbwa/, which includes not only the latest version of WebGoat but also a number of other preconfigured web security learning apps like Damn Vulnerable Web App and Mutillidae.


Title: Re: Opinions on Webgoat
Post by: j0rDy on March 23, 2010, 03:49:16 AM
Quote from: digitalcliff
I agree that WebGoat is an excellent learning and teaching tool. If you are not comfortable setting it up on your own, I would suggest taking a look at the owaspbwa virtual image from http://code.google.com/p/owaspbwa/, which includes not only the latest version of WebGoat but also a number of other preconfigured web security learning apps like Damn Vulnerable Web App and Mutillidae.

Good info! Is this the same as the OWASP LiveCD, or does this contain extra functionality?


Title: Re: Opinions on Webgoat
Post by: UNIX on March 23, 2010, 04:06:37 AM
Similar but not the same. You can read here (http://code.google.com/p/owaspbwa/wiki/ProjectSummary) which applications are included in owaspbwa.


Title: Re: Opinions on Webgoat
Post by: Synquell on March 23, 2010, 04:40:01 AM
Thanks for the tip, I'll take a look at the virtual image option.

Knb15: same with the time issue :-) But this week I finally have some, so I think I'll give it a shot.

Writing about the experience is certainly an extra motivation to do it properly. I'll keep you guys informed! Thanks!


Title: Re: Opinions on Webgoat
Post by: n1p on March 23, 2010, 03:08:06 PM
Additional VM images and LiveCDs to look at in addition to WebGoat:

  • Samurai WTF
  • Moth
  • Web Security Dojo

These contain both tools like w3af, Burp Suite and sqlmap, and vulnerable apps such as DVWA, Mutillidae, HacMe Casino and others, thereby providing both the tools and the apps to get familiar with web app testing.

Cheers,
n1p


Title: Re: Opinions on Webgoat
Post by: Synquell on March 23, 2010, 04:47:44 PM
I will take that to heart n1p, thanks!

I used this free evening to get started with WebGoat, and I'm already getting hooked :-)
I'll write my first little piece, concerning the first steps and the first lessons, ASAP. This way I can get some guidelines from you guys early in the process.
InfoSecurity.be event tomorrow and the day after, though, so not sure about the exact ETA.

It's turning out to be a magnificent security-oriented week for me, with getting to know EHN and going to my first conference :-) I love it!