Opinions on Webgoat

Viewing 10 reply threads
    • #4837
      Anquilas
      Participant

      Hi everyone,

      For years I’ve mostly been reading about network security, but now I feel I want to dive into application security some (a lot) more.

      I’ve been chatting with a friend of mine from a distant land, who does a lot of application security auditing, and who is quite active with OWASP.
      He recommended WebGoat to me, as a good starting point.

      It certainly seems an interesting piece of software to practice on, but just to make sure, I wanted to ask around here for opinions: did you do the lessons of WebGoat, and did you learn a thing or two from them?
      Remember: I am a complete newbie in the field of appsec, however I have a fair bit of programming experience, which I hope will help to get in the right state of mind.

      If it might be useful, I’m thinking of writing a little piece about my experiences with WebGoat once I’m going for it. As far as I can find, there is no such article on EHN yet?

      Thanks in advance,

      Dieter

    • #30435
      UNIX
      Participant

      WebGoat is a great learning tool and I can recommend it especially to those who have only little or no experience in this area. Intermediates should be able to learn and practice some new techniques as well. The learning curve is manageable and the scenarios are legit. As there are solutions included as well, one should be able to get through it and understand the concepts. You also have the possibility to create your own scenarios, which is a nice feature as well.

      Setup is very straightforward, so just try it out and decide for yourself. 😉

    • #30436
      caissyd
      Participant

      Hi Anquilas,

      Being a programmer too, I also think Webgoat is good for doing a one-hour demo to the other developers. Once you have gone through the exercises and understood them, you can decide to put it on a laptop and demonstrate the main attacks to the others. I found this very effective to make the other developers realize the importance of validating user input, etc.

      I personally think Webgoat is a good learning tool.
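
The kind of demo the post above describes, as an added example that is not part of the original post and not WebGoat's own code: WebGoat is written in Java, but this uses Python's bundled sqlite3 so it runs anywhere with no setup. It shows the classic string-concatenated login query beside the parameterized fix, and runs the same attacker-controlled input through both. The `users` table and its two rows are constructed for the example and are not WebGoat's schema.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny users table (not WebGoat's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The bug the WebGoat injection lessons exercise: user input is pasted
    straight into the SQL text, so quotes in the input change the query."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check with bound parameters: the driver sends the input as data,
    so a quote in the password is just a character, never SQL syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run a legitimate login and two injection payloads through both versions.

    With the vulnerable query, the password  ' OR '1'='1  turns the WHERE
    clause into  (username='nobody' AND password='') OR '1'='1', which is
    true for every row, so the first user comes back without a password.
    The username  alice'--  comments out the password check entirely.
    """
    conn = make_db()
    tautology = "' OR '1'='1"
    comment_out = "alice'--"
    return {
        "vulnerable_normal": login_vulnerable(conn, "alice", "s3cret"),
        "vulnerable_tautology": login_vulnerable(conn, "nobody", tautology),
        "vulnerable_comment": login_vulnerable(conn, comment_out, "wrong"),
        "safe_normal": login_safe(conn, "alice", "s3cret"),
        "safe_tautology": login_safe(conn, "nobody", tautology),
        "safe_comment": login_safe(conn, comment_out, "wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} -> {result!r}")
```

For a room of developers the point to make is in the `demo()` output: the vulnerable function logs in `alice` for two inputs that contain no valid password at all, while the parameterized version only succeeds for the real credentials. Input validation helps, but binding parameters is what removes the bug class.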

    • #30437
      Jhaddix
      Participant

      Dieter,

      To specifically answer your question, yes, I think a write-up on working your way through the Webgoat vulnerabilities would be useful to many newcomers to the site, even if it’s just your experiences.

      Plus something I know for a fact is most people learn well by practical exposure, and the best way to retain the knowledge is teaching it to others =)

    • #30438
      Knb15
      Participant

      I’ve bookmarked that site, and have just been waiting to have enough time to go through WebGoat myself. I would love to read a write up of your experiences going through it.

      Seems like a very useful learning tool.

    • #30439
      digitalcliff
      Participant

      I agree that webgoat is an excellent learning and teaching tool. If you are not comfortable setting it up on your own, I would suggest taking a look at the owaspbwa virtual image from http://code.google.com/p/owaspbwa/, which includes not only the latest version of webgoat, but also a number of other preconfigured web security learning apps like damn vulnerable web app and Mutillidae.

    • #30440
      j0rDy
      Participant

      @digitalcliff wrote:

      I agree that webgoat is an excellent learning and teaching tool. If you are not comfortable setting it up on your own, I would suggest taking a look at the owaspbwa virtual image from http://code.google.com/p/owaspbwa/, which includes not only the latest version of webgoat, but also a number of other preconfigured web security learning apps like damn vulnerable web app and Mutillidae.

      good info! is this the same as the OWASP liveCD? or does this contain extra functionality?

    • #30441
      UNIX
      Participant

      Similar but not the same. You can read here which applications are included in owaspbwa.

    • #30442
      Anquilas
      Participant

      Thanks for the tip, I’ll take a look at the virtual image option.

      Kn15: same with the time-issue 🙂 But this week I finally have some, so I think I’ll give it a shot.

      Writing about the experience is certainly an extra motivation to do it properly. I’ll keep you guys informed! Thanks!

    • #30443
      n1p
      Participant

      Additional VM images and LiveCDs to look at in addition to WebGoat

      • Samurai WTF
      • Moth
      • Web Security Dojo

      These contain both tools like w3af, Burp Suite, sqlmap and vulnerable apps such as DVWA, Mutillidae, HacMe Casino and others, therefore providing both the tools and apps to get familiar with web app testing.

      Cheers,
      n1p

    • #30444
      Anquilas
      Participant

      I will take that to heart n1p, thanks!

      I used this free evening to get started with WebGoat, and I’m already getting hooked 🙂
      I’ll write my first little piece, concerning the first steps and the first lessons, asap. This way I can get some guidelines from you guys early in the process.
      InfoSecurity.be event tomorrow and the day after though, so not sure about the exact eta.

      It’s turning out to be a magnificent security-oriented week for me, with getting to know EHN and going to my first conference 🙂 I love it!


Copyright ©2021 Caendra, Inc.