WebGoat User Guide Introduction
The WebGoatV5 application is designed to illustrate typical security flaws within web-applications. It is intended to teach a structured approach to testing for, and exploiting such vulnerabilities within the context of an Application Security Assessment.
A full Application Security Assessment testing methodology is being documented by http://www.owasp.org/index.php/OWASP_Testing_Project and this will provide a superset of the issues demonstrated within the WebGoat. It may include a formal design and code review, for example. The WebGoat lessons aim to give practical training and examples relating to the Implementation Review phase of the OWASP Web Application Security Testing Methodology.
The WebGoatv5 Application provides a testing platform for a typical application security assessment. The assessor is given the same information and rights as a typical customer or client of an on-line application.
- The application is web based
- The attack simulations are remote
All of the described techniques may be performed from any connected location.
- The testing is black-box
Source code is not supplied, but it can be viewed and downloaded.
- Credentials and operational information is provided
Of course, the teaching aspect of WebGoat means that certain information will be revealed that would not typically be available. This makes it possible to guide the tester through an assessment process.
The current lesson plans provided in WebGoatv5 include:
|HTTP Splitting and Cache Poisining|
|How to Exploit Thread Safety Problems|
|How to Discover Clues in the HTML|
|How to Exploit Hidden Fields|
|How to Exploit Unchecked Email|
|How to Force Browser Web Resources|
|How to Bypass a Role Based Access Control Scheme|
|How to Bypass a Path Based Access Control Scheme|
|LAB: Role based Access Control|
|Using an Access Control Matrix|
|How to Exploit the Forgot Password Page|
|How to Spoof an Authentication Cookie|
|How to Hijack a Session|
|LAB: Cross Site Scripting|
|How to Perform Stored Cross Site Scripting (XSS)|
|How to Perform Reflected Cross Site Scripting (XSS)|
|How to Perform Cross Site Trace Attacks (XSS)|
|Buffer Overflow (TBD)|
|How to Perform Command Injection|
|How to Perform Parameter Injection|
|How to Perform Blind SQL Injection|
|How to Perform Numeric SQL Injection|
|How to Perform String SQL Injection|
|How to Perform Log Spoofing|
|How to Perform XPATH Injection Attacks|
|LAB: SQL Injection|
|How to Bypass a Fail Open Authentication Scheme|
|How to Peform Basic Encoding|
|Denial of Service from Multiple Logins|
|How to Create a SOAP Request|
|How to Perform WSDL Scanning|
|How to Perform Web Service SAX Injection|
|How to Perform Web Service SQL Injection|
|How to Perform DOM Injection Attack|
|How to Perform XML Injection Attacks|
|How to Perform JSON Injection Attack|
|How to Perform Silent Transactions Attacks|
|How to Add a New Lesson|
Future releases of WebGoat will include more lessons and functionality. Should you have any suggestions for improvement or new lessons please contact firstname.lastname@example.org with your ideas.