main
project
JavaSource
WebContent
META-INF
WEB-INF
css
database
images
javascript
lesson_plans
AccessControlMatrix.html
BackDoors.html
BasicAuthentication.html
BlindSqlInjection.html
BufferOverflow.html
CSRF.html
ChallengeScreen.html
ClientSideFiltering.html
ClientSideValidation.html
CommandInjection.html
ConcurrencyCart.html
CrossSiteScripting.html
DBCrossSiteScripting.html
DBSQLInjection.html
DOMInjection.html
DOMXSS.html
DOS_Login.html
DangerousEval.html
Encoding.html
FailOpenAuthentication.html
ForcedBrowsing.html
ForgotPassword.html
HiddenFieldTampering.html
HowToWork.html
HtmlClues.html
HttpBasics.html
HttpOnly.html
HttpSplitting.html
InsecureLogin.html
JSONInjection.html
JavaScriptValidation.html
Lesson_Plan_Template.html
LogSpoofing.html
MultiLevelLogin1.html
MultiLevelLogin2.html
NewLesson.html
PasswordStrength.html
PathBasedAccessControl.html
Phishing.html
ReflectedXSS.html
RemoteAdminFlaw.html
RoleBasedAccessControl.html
SQLInjection.html
SameOriginPolicyProtection.html
SessionFixation.html
SilentTransactions.html
SoapRequest.html
SqlNumericInjection.html
SqlStringInjection.html
StoredXss.html
ThreadSafetyProblem.html
TomcatSetup.html
TraceXSS.html
UncheckedEmail.html
UsefulTools.html
WSDLScanning.html
WeakAuthenticationCookie.html
WeakSessionID.html
WelcomeScreeen.html
WsSAXInjection.html
WsSqlInjection.html
XMLInjection.html
XPATHInjection.html
lesson_solutions
lessons
users
main.jsp
sideWindow.jsp
webgoat.jsp
webgoat_challenge.jsp
config
doc
build.xml
Eclipse-Workspace.zip
HOW TO create the WebGoat workspace.txt
build.xml
eclipse.bat
readme.txt
webgoat for SQL Server.bat
webgoat.bat
webgoat.sh
webgoat_8080.bat
webscarab.bat
pom.xml
git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@367 4033779f-a91e-0410-96ef-6bf7bf53c507
50 lines
2.7 KiB
HTML
50 lines
2.7 KiB
HTML
<!-- Start Instructions -->
|
|
<h1>How To Work With WebGoat</h1>
|
|
<p>
|
|
Welcome to a short introduction to WebGoat.<br>
|
|
Here you will learn how to use WebGoat and additional tools for the lessons.<br><br>
|
|
</p>
|
|
<h2>Environment Information</h2>
|
|
<p>
|
|
WebGoat uses the Apache Tomcat server. It is configured to run on localhost although this can be
|
|
easily changed. This
|
|
configuration is for single user, additional users can be added in the tomcat-users.xml file.
|
|
If you want to use WebGoat in a laboratory or in
|
|
class you might need to change this setup. Please refer to the Tomcat Configuration
|
|
in the Introduction section.</p>
|
|
|
|
<h2>The WebGoat Interface</h2>
|
|
<p>
|
|
<img src="images/introduction/interface.jpg"><br><br>
|
|
1. These are Lesson Categories in WebGoat. Click on a Category to see all Lessons in it.<br>
|
|
2. This will show technical hints to solve the lesson.<br>
|
|
3. This will show the HTTP Request Parameters<br>
|
|
4. This will show the HTTP Request Cookies<br>
|
|
5. This will show goals and objectives of the lesson.<br>
|
|
6. This will show the underlying Java source code.<br>
|
|
7. This will show the complete solution of the selected lesson.<br>
|
|
8. If you want to restart a lesson you can use this link.</p>
|
|
<h2>Solve The Lesson</h2>
|
|
<p>
|
|
Always start with the lessons plan. Then try to solve the lesson and if necessary,
|
|
use the hints. The last hint is the solution text if applicable. If you cannot solve the lesson using the hints, you may view the
|
|
solution for complete details.</p>
|
|
<h2>Read And Edit Parameters</h2>
|
|
<p>
|
|
To read and edit Parameters you need a local proxy to intercept the HTTP request.
|
|
Here we use WebScarab. More information on WebScarab can be found in the "Useful Tools" Chapter.
|
|
After installing WebScarab and configuring your browser to use it as proxy on localhost we can start.<br><br>
|
|
<img src="images/introduction/HowToUse_1.jpg"><br><br>
|
|
We have to select "Intercept Request" in the tab "Intercept". If we send a HTTP request we get a new WebScarab window.<br><br>
|
|
<img src="images/introduction/HowToUse_2.jpg"><br><br>
|
|
Here we can read and edit the intercepted parameter. After "Accept changes" the request will be sent to the server.
|
|
</p>
|
|
<h2>Read And Edit Cookies</h2>
|
|
<p>
|
|
Often it is not only necessary to change the value of the parameters but to change the value of cookies.
|
|
We can use WebScarab to intercept the request and change cookies values just like parameter data as explained in the last topic.<br><br>
|
|
<img src="images/introduction/HowToUse_3.jpg"><br><br>
|
|
We get a new window on sending a HTTP request. On the screenshot you see where we can find cookies and how to edit the values of them.
|
|
</p>
|
|
<!-- Stop Instructions -->
|