As promised, I have finally started WebGoat and want to share what I've seen so far with you guys. Being a complete newbie (especially on webapp security), don't take this as 'the truth'. It's all simply my interpretation.
Also: to my regret, I haven't finished all the lessons yet. There are quite a few, and since my gf and I have just moved in together, there is a lot of stuff going on. But I hope it gives a nice first glance until I can finish the rest.
What is WebGoat
WebGoat is a J2EE web application, created by the OWASP community to provide a teaching environment for web application security.
It is a deliberately insecure program, where you must go through a number of lessons. In each lesson, you learn about a new sort of vulnerability, and at the same time get a hands-on try at exploiting that vulnerability.
It's completely free, so that's a big up from the start.
The installation on Windows is very straightforward.
As explained at http://www.owasp.org/index.php/WebGoat_Installation, it is simply a matter of
- installing Java and Tomcat (very easy)
- download the WebGoat zipfile and extract it (easier)
- double click the file "webgoat.bat" (well..)
- go to http://localhost/webgoat/attack
- give the credentials guest/guest
- you're ready to go.
The installation on Linux, OS X or FreeBSD seems just as easy, but I have not tried those.
As digitalcliff pointed out (http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,5243.msg26711/#msg26711), there is also a virtual image available if you find this easier. I gave this a quick shot through a live CD I got from OWASP at a conference, and it all worked fine.
I had a small problem though with the webgoat.bat. When I tried to run it, I got an error saying that the default port 80 was already bound. The same went for webgoat8080.bat (another install file), and I couldn't 'unbind' them.
Fortunately this was easy to remedy, so if you come across this:
- Go to the Webgoat folder, into /tomcat/conf/server_80.xml
- Look for the entry <Connector address="127.0.0.1" port="80" ...
- Change 80 to whatever (I made it 81)
- Then go to http://localhost:81/webgoat/attack
Note: on the wiki it says http://localhost/WebGoat/attack (capital W and G), but I had to use small letters to make it work.
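The port fix above is a one-line edit to the Connector entry, but it is easy to forget to verify two things: that the new port is actually free, and that the Connector still has address="127.0.0.1" so WebGoat stays reachable only from your own box. This Python script is an added example of my own (not part of WebGoat or the OWASP install guide); the server XML fragment in it is constructed to resemble the Connector line quoted above, and the port check simply attempts a bind on loopback.

```python
import socket
import xml.etree.ElementTree as ET

# Constructed fragment that resembles the Connector entry in server_80.xml.
# This is NOT the real file shipped with WebGoat; it only mimics that one line.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector address="127.0.0.1" port="80" protocol="HTTP/1.1" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>"""


def port_is_free(port, host="127.0.0.1"):
    """Try to bind the port on loopback; failure means something else holds it
    (on a non-admin account, a port below 1024 also fails, which is fine:
    Tomcat could not bind it either)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return True
        except OSError:
            return False


def rebind_connector(xml_text, new_port):
    """Move every HTTP Connector to new_port and report anything a careful
    reader would want to know: the old->new port and whether the Connector
    is bound to loopback only (a non-loopback address exposes the
    deliberately vulnerable app to the whole network)."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        old = conn.get("port")
        addr = conn.get("address")
        if addr != "127.0.0.1":
            findings.append(f"Connector on port {old} is not loopback-only (address={addr})")
        conn.set("port", str(new_port))
        findings.append(f"Connector port changed {old} -> {new_port}")
    return ET.tostring(root, encoding="unicode"), findings


if __name__ == "__main__":
    # Mirrors the fix described in the post: pick 81 if it is free, then edit.
    chosen = 81 if port_is_free(81) else 8081
    new_xml, notes = rebind_connector(SAMPLE_SERVER_XML, chosen)
    print("\n".join(notes))
    print(new_xml)
```

Run it from the WebGoat folder after pointing it at the real file contents if you want to apply the change for real; as written it only rewrites the embedded sample.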
I later installed it on a different Windows laptop as well, and there it all went perfectly smooth.
All in all, even though I had a few small bumps, everything went just fine and easy. If you try it yourself, chances are you won't even have the bumps.
Please also note (as the program itself mentions) that, while running WebGoat, your own box is very vulnerable to attack.
So preferably, put your box offline during the exercises.
First lesson: Introduction
Once you have WebGoat up and running, you'll go through a little introduction.
It will explain its goal, structures, etc. It will tell you how to deploy WebGoat in a class and how to make new WebGoat lessons.
Those last two things weren't of any relevance to me (yet), and I found them a bit oddly placed. But you can of course skip them without worry.
You'll get a quick overview of some useful tools, namely
- WebScarab (an intercepting proxy, with which we can review and modify HTTP requests and responses)
- IEWatch (a tool to analyze HTTP and HTML for users of Internet Explorer)
- Wireshark (a network protocol analyzer)
- Nessus/Paros scanners.
In the lessons that I've done so far, I only really had to use WebScarab. You'll find it a very handy tool which seems to be used frequently (it's also created by OWASP). Further down the road those other tools might come into play of course.
The real lessons
Finally, we're at the lessons themselves.
There are quite a few, as you can see at http://www.owasp.org/index.php/Lesson_Plans.
What I can tell you so far:
Don't count on the application to give you all the knowledge you need.
I found that the best way to go through the lessons is to read the lesson plan that comes with each chapter, and then Google for more knowledge.
The lesson plan usually has a nice introduction about the vulnerability in question, and Google can help you get a little deeper once you know what it's about.
Once you've done that, you can try to exploit the vulnerability in the program. You can use the hints, but be careful: when you have clicked on the 'hint' button a few times, the solution pops up (as the last 'hint'), but without warning.
I found this a bit frustrating, since I'd much rather get all the hints and not stumble upon the solution.
But even if you stumble on the solution, or just don't find it yourself on your first try (as was mostly the case with me), you will still have learned what you set out to: you learn what the vulnerability is, what it looks like, and now that you've seen the solution you might apply it yourself with more ease.
As a bonus, there are video solutions available for every lesson, at http://yehg.net/lab/pr0js/training/webgoat.php. They are very nice to see as a 'double check', and sometimes contain a view of an extra tool or a little trick that you hadn't thought of. Very nice work on those.
Conclusion so far
Well, that's about all I have to say for now.
I do apologize that I haven't finished all the lessons already. My schedule for the next few weeks is a little more open, so I hope I can finish it all ASAP. When I do, I can write a steady conclusion to the whole thing.
But for now, I hope this will convince my fellow newbies that WebGoat IS something worth looking at. It's a great hands-on way to get a little deeper into that big, curious world of webapp security, and it's free.
IMO, it's pretty awesome that tools and tutorials like this exist. Thank you OWASP! (and so many others)
As this is my first review ever, please spout criticism as much as you want, so that I can improve upon my writing skills.