
Opinions on Webgoat

Anquilas

Full Member

Posts: 169

Joined: Fri Mar 19, 2010 7:50 am

Location: Belgium

Post Mon Mar 22, 2010 5:51 am

Opinions on Webgoat

Hi everyone,

For years I've mostly been reading about network security, but now I feel I want to dive into application security some (a lot) more.

I've been chatting with a friend of mine from a distant land, who does a lot of application security auditing and who is quite active with OWASP.
He recommended WebGoat to me as a good starting point.

It certainly seems an interesting piece of software to practice on, but just to make sure, I wanted to ask around here for opinions: did you do the lessons of WebGoat, and did you learn a thing or two from them?
Remember: I am a complete newbie in the field of appsec, however I have a fair bit of programming experience, which I hope will help to get in the right state of mind.

If it might be useful, I'm thinking of writing a little piece about my experiences with WebGoat once I'm going for it. As far as I can find, there is no such article on EHN yet?

Thanks in advance,

Dieter
Twitter: https://twitter.com/dietervds
Blog: https://synquell.wordpress.com (not much there yet)

The beginning of knowledge is the discovery of something we do not understand.
UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Mon Mar 22, 2010 6:12 am

Re: Opinions on Webgoat

WebGoat is a great learning tool and I can recommend it especially to those who have only little or no experience in this area. Intermediates should be able to learn and practice some new techniques as well. The learning curve is manageable and the scenarios are legit. As there are solutions included as well, one should be able to get through it and understand the concepts. You also have the possibility to create your own scenarios, which is a nice feature.

Setup is very straightforward, so just try it out and decide for yourself. ;)
Last edited by UNIX on Mon Mar 22, 2010 6:17 am, edited 1 time in total.
caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Mar 22, 2010 6:50 am

Re: Opinions on Webgoat

Hi Anquilas,

Being a programmer too, I also think Webgoat is good for doing a one-hour demo for the other developers. Once you have gone through the exercises and understood them, you can decide to put it on a laptop and demonstrate the main attacks to the others. I found this very effective to make the other developers realize the importance of validating user input, etc.

I personally think Webgoat is a good learning tool.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
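The kind of "validating user input" demo the post above describes, written out as an added example that is not from the original thread or from WebGoat itself: a login check that builds its SQL by string concatenation, next to the same check with bound parameters, both run against a constructed in-memory SQLite table. The table contents, the function names and the `' OR '1'='1` payload are assumptions for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from WebGoat): a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: user input is concatenated into the SQL text,
    so a quote in the input changes the structure of the query."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Hardened form: the same query with bound parameters. The driver sends
    the input as data, so a quote is just a character in the password."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Runs both variants with a legitimate login and with an injection
    payload in the password field; returns who each call logged in as."""
    conn = make_db()
    payload = "' OR '1'='1"  # assumed attacker input for the demo
    return {
        # AND binds tighter than OR, so the tail OR '1'='1' matches every row
        "vuln_legit": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_bypass": login_vulnerable(conn, "nobody", payload),
        "safe_legit": login_safe(conn, "alice", "s3cret"),
        "safe_bypass": login_safe(conn, "nobody", payload),
    }


if __name__ == "__main__":
    for name, who in demo().items():
        print(f"{name}: {who}")
```

Run it as-is: the concatenated version logs the attacker in as the first row in the table ("alice") even though no such account was named, while the parameterized version returns no user for the same payload. Putting the two functions side by side is usually enough to make the point to a room of developers.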
Jhaddix

Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Mon Mar 22, 2010 5:13 pm

Re: Opinions on Webgoat

Dieter,

To specifically answer your question, yes, I think a write-up on working your way through the Webgoat vulnerabilities would be useful to many newcomers to the site, even if it's just your experiences.

Plus, something I know for a fact is that most people learn well by practical exposure, and the best way to retain the knowledge is teaching it to others =)
Knb15

Jr. Member

Posts: 50

Joined: Tue Feb 23, 2010 10:18 am

Post Mon Mar 22, 2010 9:42 pm

Re: Opinions on Webgoat

I've bookmarked that site, and have just been waiting to have enough time to go through WebGoat myself. I would love to read a write up of your experiences going through it.

Seems like a very useful learning tool.
digitalcliff

Newbie

Posts: 4

Joined: Mon Mar 22, 2010 10:34 pm

Post Mon Mar 22, 2010 10:51 pm

Re: Opinions on Webgoat

I agree that webgoat is an excellent learning and teaching tool. If you are not comfortable setting it up on your own, I would suggest taking a look at the owaspbwa virtual image from http://code.google.com/p/owaspbwa/, which includes not only the latest version of webgoat, but also a number of other preconfigured web security learning apps like damn vulnerable web app and Mutillidae.
j0rDy

Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Tue Mar 23, 2010 3:49 am

Re: Opinions on Webgoat

digitalcliff wrote: I agree that webgoat is an excellent learning and teaching tool. If you are not comfortable setting it up on your own, I would suggest taking a look at the owaspbwa virtual image from http://code.google.com/p/owaspbwa/, which includes not only the latest version of webgoat, but also a number of other preconfigured web security learning apps like damn vulnerable web app and Mutillidae.

Good info! Is this the same as the OWASP LiveCD, or does this contain extra functionality?
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net
UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Tue Mar 23, 2010 4:06 am

Re: Opinions on Webgoat

Similar but not the same. You can read here which applications are included in owaspbwa.
Anquilas

Full Member

Posts: 169

Joined: Fri Mar 19, 2010 7:50 am

Location: Belgium

Post Tue Mar 23, 2010 4:40 am

Re: Opinions on Webgoat

Thanks for the tip, I'll take a look at the virtual image option.

Knb15: same with the time issue :-) But this week I finally have some, so I think I'll give it a shot.

Writing about the experience is certainly an extra motivation to do it properly. I'll keep you guys informed! Thanks!
Twitter: https://twitter.com/dietervds
Blog: https://synquell.wordpress.com (not much there yet)

The beginning of knowledge is the discovery of something we do not understand.
n1p

Jr. Member

Posts: 89

Joined: Tue Mar 16, 2010 5:31 pm

Post Tue Mar 23, 2010 3:08 pm

Re: Opinions on Webgoat

Additional VM images and LiveCDs to look at alongside WebGoat:

  • Samurai WTF
  • Moth
  • Web Security Dojo

These contain both tools like w3af, Burp Suite and sqlmap, and vulnerable apps such as DVWA, Mutillidae, Hacme Casino and others. They therefore provide both the tools and the apps to get familiar with web app testing.

Cheers,
n1p
Anquilas

Full Member

Posts: 169

Joined: Fri Mar 19, 2010 7:50 am

Location: Belgium

Post Tue Mar 23, 2010 4:47 pm

Re: Opinions on Webgoat

I will take that to heart n1p, thanks!

I used this free evening to get started with WebGoat, and I'm already getting hooked :-)
I'll write my first little piece, concerning the first steps and the first lessons, asap. This way I can get some guidelines from you guys early in the process.
InfoSecurity.be event tomorrow and the day after though, so not sure about the exact ETA.

It's turning out to be a magnificent security-oriented week for me, with getting to know EHN and going to my first conference :-) I love it!
Twitter: https://twitter.com/dietervds
Blog: https://synquell.wordpress.com (not much there yet)

The beginning of knowledge is the discovery of something we do not understand.
