
A first view at WebGoat

Anquilas
Full Member
Posts: 169
Joined: Fri Mar 19, 2010 7:50 am
Location: Belgium
Posted: Mon Mar 29, 2010 5:11 pm

A first view at WebGoat

Hi everyone,

As promised, I have finally started WebGoat and want to share what I've seen so far with you guys. Being a complete newbie (especially on webapp security), don't take this as 'the truth'. It's all simply my interpretation.
Also: to my regret, I haven't finished all the lessons yet. There are quite a few, and since my gf and I have just moved in together, there is a lot of stuff going on :) But I hope it gives a nice first glance until I can finish the rest.

What is WebGoat
WebGoat is a J2EE web application, created by the OWASP community to provide a teaching environment for web application security.
It is a deliberately insecure program, where you must go through a number of lessons. In each lesson, you learn about a new sort of vulnerability, and in the same moment get a hands-on try at exploiting that vulnerability.
It's completely free, so that's a big up from the start.

Installation
The installation on Windows is very straightforward.
As explained at http://www.owasp.org/index.php/WebGoat_Installation, it is simply a matter of
- installing Java and Tomcat (very easy)
- download the WebGoat zipfile and extract it (easier)
- double click the file "webgoat.bat" (well..)
- go to http://localhost/webgoat/attack
- give the credentials guest/guest
- you're ready to go.

The installation on Linux, OS X or FreeBSD seems just as easy, but I have not tried those.

As digitalcliff pointed out (http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,5243.msg26711/#msg26711), there is also a virtual image available if you find this easier. I gave this a quick shot through a live CD I got from OWASP at a conference, and it all worked fine.

I had a small problem though with the webgoat.bat. When I tried to run it, I got an error saying that the default port 80 was already bound. The same went for webgoat8080.bat (another install file), and I couldn't 'unbind' them.
Fortunately this was easy to remedy, so if you come across this:
- Go to the Webgoat folder, into /tomcat/conf/server_80.xml
- Look for the entry <Connector address="127.0.0.1" port="80" ...
- Change 80 to whatever (I made it 81)
- Then go to http://localhost:81/webgoat/attack

Note: on the wiki it says http://localhost/WebGoat/attack (capital W and G), but I had to use small letters to make it work.

I later installed it on a different Windows laptop as well, and there it all went perfectly smooth.
All in all, even though I had a few small bumps, everything went just fine and easy. If you try it yourself, chances are you won't even have the bumps.

Please also note (as is mentioned in the program itself) that, while running WebGoat, your own box is very vulnerable to attack.
So preferably, put your box offline during the exercises.

First lesson: Introduction
Once you have WebGoat up and running, you'll go through a little introduction.
It will explain its goal, structures, etc. It will tell you how to deploy WebGoat in a class and how to make new WebGoat lessons.
Those last two things weren't of any relevance to me (yet), and I found them a bit oddly placed. But you can of course skip them without worry.

You'll get a quick overview of some useful tools, namely
  • WebScarab (an intercepting proxy, with which we can review and modify HTTP requests and responses)
  • Firebug (an add-on for the Firefox browser. We can use it to inspect, edit and monitor CSS, HTML and JavaScript)
  • IEWatch (a tool to analyze HTTP and HTML for users of Internet Explorer)
  • Wireshark (a network protocol analyzer)
  • Nessus/Paros scanners.

In the lessons that I've done so far, I only really had to use WebScarab. You'll find it a very handy tool which seems to be used frequently (it's also created by OWASP). Further down the road those other tools might come into play of course.

The real lessons
Finally, we're at the lessons themselves.
There are quite a few, as you can see at http://www.owasp.org/index.php/Lesson_Plans

What I can tell you so far:
Don't count on the application to give you all the knowledge you need.
I found that the best way to go through the lessons is to read the lesson plan that comes with each chapter, and then Google for more knowledge.
The lesson plan usually has a nice introduction about the vulnerability in question, and Google can help you get a little deeper once you know what it's about.

Once you've done that, you can try and exploit the vulnerability in the program. You can use the hints, but be careful: when you have clicked on the 'hint' button a few times, the solution pops up (as the last 'hint'), but without warning.
I found this a bit frustrating, since I much rather get all the hints and not stumble upon the solution.

But even if you stumble on the solution, or just don't find it yourself in your first try (as was mostly the case with me) you still will have learned what you set out to: you learn what the vulnerability is, what it looks like, and now that you've seen the solution you might apply it yourself with more ease.

As a bonus, there are video solutions available for every lesson, at http://yehg.net/lab/pr0js/training/webgoat.php. They are very nice to see as a 'double check', and sometimes contain a view of an extra tool or a little trick that you haven't thought of. Very nice work on those.

Conclusion so far
Well, that's about all I have to say for now.
I do apologize that I haven't finished all the lessons already. My schedule for the next few weeks is a little more open, so I hope I can finish it all asap. When I do I can write a steady conclusion to the whole thing.

But for now, I hope this will convince my fellow newbies that WebGoat IS something worth looking at. It's a great hands-on way to get a little deeper into that big, curious world of webapp security, and it's free.
Imo, it's pretty awesome that tools and tutorials like this exist. Thank you OWASP! (and so many others)

As this is my first review ever, please spout criticism as much as you want, so that I can improve upon my writing skills.

Cheers!

Dieter
Twitter: https://twitter.com/dietervds
Blog: https://synquell.wordpress.com (not much there yet)

The beginning of knowledge is the discovery of something we do not understand.
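The post's port-80 workaround and its warning that the box is exposed while WebGoat runs both come down to the same Tomcat setting: the `address` attribute on each `<Connector>` in `server.xml`. The check below is an added example, not code from the post or from the WebGoat/OWASP project. It parses a server.xml, reports connectors that are not pinned to a loopback address (a connector with no `address` attribute listens on every interface), and performs the 80-to-81 port change from the post programmatically. The `SAMPLE_SERVER_XML` document is constructed for the demonstration and only resembles the `tomcat/conf/server_80.xml` layout the post describes.

```python
"""Check Tomcat <Connector> bindings in a WebGoat-style server.xml.

Added example, not part of the original post or of WebGoat itself.
Assumes the usual Tomcat server.xml layout (<Connector> elements inside
<Service>); the sample document below is constructed for this demonstration.
"""
import xml.etree.ElementTree as ET

# Addresses that keep a connector reachable only from the local machine.
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed sample resembling tomcat/conf/server_80.xml: the HTTP connector
# is pinned to loopback on port 80 (as the post describes), while the AJP
# connector has no address attribute and therefore listens on all interfaces.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector address="127.0.0.1" port="80" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


def connectors(xml_text):
    """Return (port, address) for every <Connector>; address is None if unset."""
    root = ET.fromstring(xml_text)
    return [(c.get("port"), c.get("address")) for c in root.iter("Connector")]


def exposed_connectors(xml_text):
    """Connectors reachable from other hosts.

    Only an explicit loopback address counts as local-only, so a connector
    with no address attribute is reported as exposed.
    """
    return [(port, addr) for port, addr in connectors(xml_text)
            if addr not in LOOPBACK]


def change_port(xml_text, old_port, new_port):
    """Rewrite the port of every connector listening on old_port.

    This is the edit the post describes (80 -> 81) done programmatically;
    everything else in the document is left as it was. Returns the new XML
    text and the number of connectors changed.
    """
    root = ET.fromstring(xml_text)
    changed = 0
    for c in root.iter("Connector"):
        if c.get("port") == str(old_port):
            c.set("port", str(new_port))
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    for port, addr in exposed_connectors(SAMPLE_SERVER_XML):
        print(f"connector on port {port} bound to {addr or 'all interfaces'}")
    rewritten, n = change_port(SAMPLE_SERVER_XML, 80, 81)
    print(f"rewrote {n} connector(s); the HTTP connector is now on port 81")
```

Running the check against a real install means reading `tomcat/conf/server_80.xml` (or `server_8080.xml`) into `exposed_connectors`; anything it reports is a listener that stays reachable from the network even after the HTTP connector has been moved to another port, which is why the post's advice to take the box offline during the exercises still applies.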
Anquilas
Full Member
Posts: 169
Joined: Fri Mar 19, 2010 7:50 am
Location: Belgium
Posted: Tue Mar 30, 2010 4:54 pm

Re: A first view at WebGoat

To make sure: is this quite ok?
No feedback at all is far worse than hard criticism  :P

j0rDy
Hero Member
Posts: 591
Joined: Tue Feb 23, 2010 4:55 am
Location: Netherlands
Posted: Wed Mar 31, 2010 6:56 am

Re: A first view at WebGoat

just read the article, didn't have time for it yesterday so apologies for that. the setup is good, next time try to go a little bit more in depth (i don't know if this is available already) with step by step installation instructions with screenshots and expand the lessons a little bit (overview of the lessons, a little explanation with each lesson etc.) it's a good start for a first review, that's for sure! keep up the good work!

i found an interesting site while i was adding WebGoat to my pentest lab:

http://yehg.org/lab/pr0js/training/webgoat.php

some of the lessons have been covered with videos, but there is still much to add. give it a try!
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net

Anquilas
Full Member
Posts: 169
Joined: Fri Mar 19, 2010 7:50 am
Location: Belgium
Posted: Wed Mar 31, 2010 7:39 am

Re: A first view at WebGoat

Thanks Jordy, I appreciate the feedback a lot.

I kept it pretty superficial out of fear that I would make it too boring/long, but I'll change that intention next time.

Thanks for the link m8, but I'm afraid I beat you to it in the review ;-) (last paragraph of 'the real lessons')
I might however take the opportunity to add some videos, nice suggestion!
Last edited by Anquilas on Wed Mar 31, 2010 7:40 am, edited 1 time in total.

j0rDy
Hero Member
Posts: 591
Joined: Tue Feb 23, 2010 4:55 am
Location: Netherlands
Posted: Wed Mar 31, 2010 8:21 am

Re: A first view at WebGoat

woops, but i never claimed i read the article thoroughly  ;)

Anquilas
Full Member
Posts: 169
Joined: Fri Mar 19, 2010 7:50 am
Location: Belgium
Posted: Wed Mar 31, 2010 8:29 am

Re: A first view at WebGoat

That is perfectly forgivable ;)

digitalcliff
Newbie
Posts: 4
Joined: Mon Mar 22, 2010 10:34 pm
Posted: Wed Mar 31, 2010 11:01 pm

Re: A first view at WebGoat

A nice summary with some good tips.

Good luck with the rest of the lessons.

Anquilas
Full Member
Posts: 169
Joined: Fri Mar 19, 2010 7:50 am
Location: Belgium
Posted: Thu Apr 01, 2010 2:38 am

Re: A first view at WebGoat

Thanks m8!