Difference between revisions of "Category:OWASP WebGoat Project"

From OWASP
Jump to: navigation, search
m (Newest Release)
(Previous Releases)
 
(48 intermediate revisions by 11 users not shown)
Line 1: Line 1:
[[Image:Webgoat-xss lesson.jpg|thumb|300px|right|WebGoat in action]]
+
<webgoat/>
'''WebGoat''' is a deliberately insecure J2EE web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.
+
{{OWASP Book|1416452}}
 +
 
 +
[[Image:WebGoat-Phishing-XSS-Lesson.JPG|thumb|300px|right|Detailed solution hints]][[Image:WebGoat-Bypass-Access-Control-Lesson.JPG|thumb|300px|right|WebGoat in action]]
 +
'''WebGoat''' is a deliberately insecure web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. You can install and practice with WebGoat in either J2EE (this page) or [[http://owasp.org/index.php/WebGoatFor.Net WebGoat for .Net]] in ASP.NET. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.
  
 
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!
 
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!
Line 12: Line 15:
 
The primary goal of the WebGoat project is simple: ''create a de-facto interactive teaching environment for web application security''. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.
 
The primary goal of the WebGoat project is simple: ''create a de-facto interactive teaching environment for web application security''. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.
  
Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.
 
 
==Download==
 
 
You can download WebGoat from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.
 
 
You can download the WebGoat source code from [http://code.google.com/p/webgoat/ Google code].
 
 
The WebGoat distributions are now available at [http://code.google.com/p/webgoat/downloads/list Google code downloads].  The Windows WebGoat release (unzip, click, and run) is only available at Sourceforge due to file size limits.
 
  
 
== Overview ==
 
== Overview ==
[[Image:Webgoat-BasicAuth lesson.jpg|thumb|300px|right|The multi-stage Basic Authentication lesson]]
+
[[Image:WebGoat-Session-Hijack-Lesson.JPG|thumb|300px|right|Performing session hijacking]]
WebGoat is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:
+
WebGoat for J2EE is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:
 
{|
 
{|
 
|valign="top"|
 
|valign="top"|
* [[Cross Site Scripting]]
+
* [[Cross-site Scripting (XSS)]]
 
* Access Control
 
* Access Control
* [[Race condition within a thread|Thread Safety]]
+
* [[Race conditions|Thread Safety]]
 
* [[Unvalidated_Input|Hidden Form Field Manipulation]]
 
* [[Unvalidated_Input|Hidden Form Field Manipulation]]
 
* Parameter Manipulation
 
* Parameter Manipulation
Line 45: Line 39:
 
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]].
 
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]].
  
== Newest Release ==
+
== Future Development ==
  
'''WebGoat 5.1 Release Candidate 1''' is availableThis new release is platform independent. This release features:
+
WebGoat has been fairly stable for a few yearsThe latest stable release as of Oct 7, 2013 is 5.4, and the development for 6.0 is underway at [http://code.google.com/p/webgoat/ | the WebGoat Google repo]. There are some issues on the WebGoat issues page that require fixing, any help there would be appreciated.
  
  * a new "show solution" feature
+
Going forward WebGoat should take advantage of the training material provided at OWASP and incorporate that material into the lesson plans. WebGoat has been useful in educating security folks in the type of attacks and how they could be exploited.  WebGoat should start focusing on educating the security staff and developers on potential mitigation strategies.  I would also like to see an expansion of the report card feature and the enterprise architecture used for tracking the lessons completed.  WebGoat could be used in organizations as a introduction to secure coding practices.
  * Phishing lesson
+
  * New database lessons - for Oracle and MS SQL Server databases only
+
  * Multi-stage architecture which allows random access to lab stages
+
  
 +
Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.
  
 +
==Current Downloads==
  
'''WebGoat 5.0'''
+
===Latest Release @ [http://code.google.com/p/webgoat/ Google code]===
  
'''WebGoat 5.0''' has been released. Special thanks to the many people who have sent comments and suggestions and those who have put in the effort to contribute their time to this release.  
+
WebGoat downloads from version 5.4 and later are available at [http://code.google.com/p/webgoat/downloads/list WebGoat Google code downloads].  
  
The 5.0 release would not have been possible without the efforts of Sherif Koussa and [http://www.owasp.org/index.php/Owasp_Autumn_Of_Code_2006 OWASP Autumn of Code 2006].
+
Or you can simply [https://webgoat.googlecode.com/files/WebGoat-5.4-OWASP_Standard_Win32.zip click here to download the WebGoat 5.4 for Windows - download, unzip, click to run version]
  
Please send all comments to '''webgoat AT owasp.org''' regarding this release candidate. A final release is scheduled for the end of January
+
You can sync to the current WebGoat source tree at [http://code.google.com/p/webgoat/ Google code].
  
== Future Development ==
+
There is also a Git clone: [https://github.com/OWASP/WebGoat available at GitHub]
  
WebGoat 5.1 - Estimated release date: Fall 2007
+
==Previous Releases (At [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 SourceForge])==
  
WebGoat 5.1 - Is now available via svn at google code
+
You can download WebGoat version 5.2 and older from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.
  
If you would like to become a member of the WebGoat source code project hosted at [http://code.google.com/p/webgoat/ Google Code] contact Bruce Mayhew at '''webgoat AT owasp.org'''.
+
===WebGoat 5.2 Standard===
 +
This release is a download, unzip, and click-to-run release.  It comes with the Java Runtime Environment and a configured Tomcat 5.5 server.
 +
    * Double-click on webgoat.bat - a Tomcat command window starts
 +
    * Browse to http://localhost/WebGoat/attack
  
 +
===WebGoat 5.2 Developer===
  
'''New Features in 5.1'''
+
'''Note:''' This release is intended to provide an environment for working on the WebGoat labs.  If you would like to develop lessons, synch to the baseline at Google code.
  
* Thanks to the OWASP Spring of Code project, Erwin Geirhart has provided a complete solutions guide that is avaliable via a new "show solution" button
+
The developer release includes the standard release with the addition of a configured eclipse environment.  The developer release is also a download, unzip, and click-to-run release.  It works exactly the same as the standard release if you only wish to explore the lessons.  However, if you want to perform the labs or use WebGoat in the classroom, use the eclipse.bat to start up a preconfigured WebGoat environment.  Detailed instructions are include at the top of the _HOW TO create the WebGoat workspace.txt_ file.
 +
    * Extract the Eclipse-Workspace.zip file to the working directory
 +
    * Double-click the eclipse.bat file
 +
    * In the Eclipse package explorer (top right), right click the WebGoat project and refresh
 +
    * In the Eclipse package explorer (top right), right click the Servers project and refresh
 +
    * In the Eclipse servers view (bottom), right click LocalHost server and start
 +
    * Browse to http://localhost/WebGoat/attack
 +
    * Any changes made to the source will automatically compile and redeploy when saved
  
* New database lessons
+
Please send all comments to Bruce Mayhew at '''webgoat AT owasp.org''' regarding this release.
  
* XSS phishing lesson is available via the source code project at Google.  Using a standard search feature, your mission is to create a "login" form on the page, steal the user credentials, and post the credentials to the WebGoat Catcher servlet.
+
== Movie Demonstration Solutions ==
  
* Catcher servlet.  Want to prove your attack works?  You can now write lessons where the attack can send sensitive information to the Catcher servletThe Catcher servlet will write the posted values into the originating lesson's properties file.
+
Aung Khant (YGN Ethical Hacker Group) has created a series of movies showing possible solutions to the WebGoat lessons.  These training movies can be viewed at
  
* Documentation. A draft version of how to solve the WebGoat Labs is available at [http://webgoat.googlecode.com/files/Solving%20the%20WebGoat%20Labs%20Draft%20V2.pdf WebGoat Google Code Downloads]
+
http://yehg.net/lab/pr0js/training/webgoat.php
 +
 
 +
Feel free to contact him for any help with WebGoat.
 +
 
 +
==== Movie Links ====
 +
 
 +
{|
 +
|valign="top"|
 +
* [http://yehg.net/lab/pr0js/training/webgoat.php#General General]
 +
* [http://yehg.net/lab/pr0js/training/webgoat.php#Code_Quality Code Quality]
 +
* [http://yehg.net/lab/pr0js/training/webgoat.php#Concurrency Concurrency ]
 +
* [http://yehg.net/lab/pr0js/training/webgoat.php#Unvalidated_Parameters Unvalidated Parameters]
 +
* [http://yehg.net/lab/pr0js/training/webgoat.php#Access_Control_Flaws Access Control Flaws]
 +
* [http://yehg.net/lab/pr0js/training/webgoat.php#Authentication_Flaws Authentication Flaws]
 +
* [http://yehg.net/lab/pr0js/training/webgoat.php#Session_Management_Flaws Session Management Flaws]
 +
* [http://yehg.net/lab/pr0js/training/webgoat.php#Cross-Site_Scripting_(XSS) Cross-Site Scripting (XSS)]
 +
* [http://yehg.net/lab/pr0js/training/webgoat.php#Buffer_Overflows Buffer Overflows]
 +
|valign="top"| 
 +
* [http://yehg.net/lab/pr0js/training/webgoat.php#Injection_Flaws Injection Flaws]
 +
* [http://yehg.net/lab/pr0js/training/webgoat.php#Insecure_Storage Insecure Storage]
 +
* [http://yehg.net/lab/pr0js/training/webgoat.php#Denial_of_Service_(DOS) Denial of Service (DOS)]
 +
* [http://yehg.net/lab/pr0js/training/webgoat.php#Insecure_Configuration_Insecure Configuration]
 +
* [http://yehg.net/lab/pr0js/training/webgoat.php#Web_Services Web Services]
 +
* [http://yehg.net/lab/pr0js/training/webgoat.php#AJAX_Security AJAX Security]
 +
* [http://yehg.net/lab/pr0js/training/webgoat.php#Challenge Challenge]
 +
|}
  
 
== Project Contributors ==
 
== Project Contributors ==
  
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''.  WebGoat distributions are currently maintained on [[http://www.sourceforge.net SourceForge]]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [[http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list]].
+
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''.  WebGoat distributions are currently maintained on [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 SourceForge] and [http://code.google.com/p/webgoat/downloads/list Google]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list].
 +
 
 +
Thanks to [http://www.ouncelabs.com Ounce Labs] for allowing me time to work on and run the WebGoat project during my day job!
  
 
== Project Sponsors ==
 
== Project Sponsors ==
  
 
The WebGoat project is sponsored by  
 
The WebGoat project is sponsored by  
[http://www.aspectsecurity.com https://www.owasp.org/images/3/30/100px-Aspect_Security_Logo.jpg]
+
{{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}
  
[[Category:OWASP Project]]
+
[[Category:OWASP Project|WebGoat Project]]
 
[[Category:OWASP Download]]
 
[[Category:OWASP Download]]
 
[[Category:OWASP Tool]]
 
[[Category:OWASP Tool]]
 +
[[Category:OWASP Release Quality Tool]]
  
 
__NOTOC__
 
__NOTOC__

Latest revision as of 18:31, 7 October 2013

OWASP Books logo.png This project has produced a book that can be downloaded or purchased.
Feel free to browse the full catalog of available OWASP books.
Detailed solution hints
WebGoat in action

WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. You can install and practice with WebGoat in either J2EE (this page) or [WebGoat for .Net] in ASP.NET. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.

Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? Just blame it on the 'Goat!

To get started, read the WebGoat User and Install Guide

Goals

Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.

The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.


Overview

Performing session hijacking

WebGoat for J2EE is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:

For more details, please see the WebGoat User and Install Guide.

Future Development

WebGoat has been fairly stable for a few years. The latest stable release as of Oct 7, 2013 is 5.4, and the development for 6.0 is underway at | the WebGoat Google repo. There are some issues on the WebGoat issues page that require fixing, any help there would be appreciated.

Going forward WebGoat should take advantage of the training material provided at OWASP and incorporate that material into the lesson plans. WebGoat has been useful in educating security folks in the type of attacks and how they could be exploited. WebGoat should start focusing on educating the security staff and developers on potential mitigation strategies. I would also like to see an expansion of the report card feature and the enterprise architecture used for tracking the lessons completed. WebGoat could be used in organizations as a introduction to secure coding practices.

Check out the project roadmap and find some tasks that you can help with right away.

Current Downloads

Latest Release @ Google code

WebGoat downloads from version 5.4 and later are available at WebGoat Google code downloads.

Or you can simply click here to download the WebGoat 5.4 for Windows - download, unzip, click to run version

You can sync to the current WebGoat source tree at Google code.

There is also a Git clone: available at GitHub

Previous Releases (At SourceForge)

You can download WebGoat version 5.2 and older from the OWASP Source Code Center at Sourceforge. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.

WebGoat 5.2 Standard

This release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server.

   * Double-click on webgoat.bat - a Tomcat command window starts
   * Browse to http://localhost/WebGoat/attack

WebGoat 5.2 Developer

Note: This release is intended to provide an environment for working on the WebGoat labs. If you would like to develop lessons, synch to the baseline at Google code.

The developer release includes the standard release with the addition of a configured eclipse environment. The developer release is also a download, unzip, and click-to-run release. It works exactly the same as the standard release if you only wish to explore the lessons. However, if you want to perform the labs or use WebGoat in the classroom, use the eclipse.bat to start up a preconfigured WebGoat environment. Detailed instructions are include at the top of the _HOW TO create the WebGoat workspace.txt_ file.

   * Extract the Eclipse-Workspace.zip file to the working directory
   * Double-click the eclipse.bat file
   * In the Eclipse package explorer (top right), right click the WebGoat project and refresh
   * In the Eclipse package explorer (top right), right click the Servers project and refresh
   * In the Eclipse servers view (bottom), right click LocalHost server and start
   * Browse to http://localhost/WebGoat/attack
   * Any changes made to the source will automatically compile and redeploy when saved

Please send all comments to Bruce Mayhew at webgoat AT owasp.org regarding this release.

Movie Demonstration Solutions

Aung Khant (YGN Ethical Hacker Group) has created a series of movies showing possible solutions to the WebGoat lessons. These training movies can be viewed at

http://yehg.net/lab/pr0js/training/webgoat.php

Feel free to contact him for any help with WebGoat.

Movie Links

Project Contributors

The WebGoat project is run by Bruce Mayhew. He can be contacted at webgoat AT owasp.org. WebGoat distributions are currently maintained on SourceForge and Google. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat mailing list.

Thanks to Ounce Labs for allowing me time to work on and run the WebGoat project during my day job!

Project Sponsors

The WebGoat project is sponsored by Aspect_logo_owasp.jpg