WebGoat User Guide Introduction

Revision as of 12:41, 8 September 2006 by Jattridge (talk | contribs) (Overview)

Jump to: navigation, search

WebGoat User and Install Guide Table of Contents


The WebGoatv4 application is designed to illustrate typical security flaws within web-applications. It is intended to teach a structured approach to testing for, and exploiting such vulnerabilities within the context of an Application Security Assessment.

A full Application Security Assessment testing methodology is being documented by http://www.owasp.org/testing/ and this will provide a superset of the issues demonstrated within the WebGoat. If may include a formal design and code review, for example. The WebGoat lessons aim to give practical training and examples relating to the Implementation Review phase of the OWASP Web Application Security Testing Methodology.

The WebGoatv4 Application provides a testing platform for a typical application security assessment. The assessor is given the same information and rights as a typical customer or client of an on-line application.

  • The application is web based
  • The attack simulations are remote

All of the described techniques may be performed from any connected location.

  • The testing is black-box

Source code is not supplied, but it can be viewed and downloaded.

  • Credentials and operational information is provided

Of course, the teaching aspect of WebGoat means that certain information will be revealed that would not typically be available. This makes it possible to guide the tester through an assessment process.

The current lesson plans provided in WebGoatv4 include:

Http Basics
How to Exploit Thread Safety Problems
How to Discover Clues in the HTML
How to Exploit Hidden Fields
How to Exploit Unchecked Email
How to Bypass Client Side JavaScript Validation
Remote Admin Access
How to Bypass a Path Based Access Control Scheme
LAB: Role based Access Control
Using an Access Control Matrix
Forgot Password
How to Spoof an Authentication Cookie
How to Hijack a Session
Basic Authentication
LAB: Cross Site Scripting
How to Perform Stored Cross Site Scripting (XSS)
How to Perform Reflected Cross Site Scripting (XSS)
How to Perform Cross Site Trace Attacks (XSS)
Buffer Overflow (TBD)
How to Perform Command Injection
How to Perform Parameter Injection
How to Perform Blind SQL Injection
How to Perform Numeric SQL Injection
How to Perform String SQL Injection
LAB: SQL Injection
How to Bypass a Fail Open Authentication Scheme
Encoding Basics
Denial of Service from Multiple Logins
Forced Browsing
How to Create a Soap Request
WSDL Scanning
Web Service SQL Injection
The Challenge

Future releases of WebGoat will include more lessons and functionality. Should you have any suggestions for improvement or new lessons please contact bill@owasp.org with your ideas.

WebGoat User and Install Guide Table of Contents