137 lines
4.8 KiB
Markdown
137 lines
4.8 KiB
Markdown
# WebGoat 8: A deliberately insecure Web Application
|
|
|
|
[](https://github.com/WebGoat/WebGoat/actions/workflows/build.yml)
|
|
[](https://jdk.java.net/)
|
|
[](https://owasp.org/projects/)
|
|
[](https://github.com/WebGoat/WebGoat/releases/latest)
|
|
[](https://gitter.im/OWASPWebGoat/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)
|
|
[](https://github.com/WebGoat/WebGoat/discussions)
|
|
|
|
# Introduction
|
|
|
|
WebGoat is a deliberately insecure web application maintained by [OWASP](http://www.owasp.org/) designed to teach web
|
|
application security lessons.
|
|
|
|
This program is a demonstration of common server-side application flaws. The
|
|
exercises are intended to be used by people to learn about application security and
|
|
penetration testing techniques.
|
|
|
|
**WARNING 1:** *While running this program your machine will be extremely
|
|
vulnerable to attack. You should disconnect from the Internet while using
|
|
this program.* WebGoat's default configuration binds to localhost to minimize
|
|
the exposure.
|
|
|
|
**WARNING 2:** *This program is for educational purposes only. If you attempt
|
|
these techniques without authorization, you are very likely to get caught. If
|
|
you are caught engaging in unauthorized hacking, most companies will fire you.
|
|
Claiming that you were doing security research will not work as that is the
|
|
first thing that all hackers claim.*
|
|
|
|
# Installation instructions:
|
|
|
|
For more details check [the Contribution guide](/CONTRIBUTING.md)
|
|
|
|
## 1. Run using Docker
|
|
|
|
Every release is also published on [DockerHub](https://hub.docker.com/r/webgoat/webgoat).
|
|
|
|
The easiest way to start WebGoat as a Docker container is to use the all-in-one docker container. This is a docker image that has WebGoat and WebWolf running inside.
|
|
|
|
```shell
|
|
docker run -it -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amsterdam webgoat/webgoat
|
|
```
|
|
|
|
If you want to reuse the container, give it a name:
|
|
|
|
```shell
|
|
docker run --name webgoat -it -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amsterdam webgoat/webgoat
|
|
```
|
|
|
|
As long as you don't remove the container you can use:
|
|
|
|
```shell
|
|
docker start webgoat
|
|
```
|
|
|
|
This way, you can start where you left off. If you remove the container, you need to use `docker run` again.
|
|
|
|
**Important**: *Choose the correct timezone, so that the docker container and your host are in the same timezone. As it is important for the validity of JWT tokens used in certain exercises.*
|
|
|
|
## 2. Standalone
|
|
|
|
Download the latest WebGoat release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
|
|
|
|
```shell
|
|
java -Dfile.encoding=UTF-8 -Dwebgoat.port=8080 -Dwebwolf.port=9090 -jar webgoat-2023.3.jar
|
|
```
|
|
|
|
Click the link in the log to start WebGoat.
|
|
|
|
## 3. Run from the sources
|
|
|
|
### Prerequisites:
|
|
|
|
* Java 17
|
|
* Your favorite IDE
|
|
* Git, or Git support in your IDE
|
|
|
|
Open a command shell/window:
|
|
|
|
```Shell
|
|
git clone git@github.com:WebGoat/WebGoat.git
|
|
```
|
|
|
|
Now let's start by compiling the project.
|
|
|
|
```Shell
|
|
cd WebGoat
|
|
git checkout <<branch_name>>
|
|
# On Linux/Mac:
|
|
./mvnw clean install
|
|
|
|
# On Windows:
|
|
./mvnw.cmd clean install
|
|
|
|
# Using docker or podman, you can than build the container locally
|
|
docker build -f Dockerfile . -t webgoat/webgoat
|
|
```
|
|
|
|
Now we are ready to run the project. WebGoat 8.x is using Spring-Boot.
|
|
|
|
```Shell
|
|
# On Linux/Mac:
|
|
./mvnw spring-boot:run
|
|
# On Windows:
|
|
./mvnw.cmd spring-boot:run
|
|
|
|
```
|
|
|
|
... you should be running WebGoat on http://localhost:8080/WebGoat momentarily.
|
|
|
|
Note: The above link will redirect you to login page if you are not logged in. LogIn/Create account to proceed.
|
|
|
|
To change the IP address add the following variable to the `WebGoat/webgoat-container/src/main/resources/application.properties` file:
|
|
|
|
```
|
|
server.address=x.x.x.x
|
|
```
|
|
|
|
## 4. Run with custom menu
|
|
|
|
For specialist only. There is a way to set up WebGoat with a personalized menu. You can leave out some menu categories or individual lessons by setting certain environment variables.
|
|
|
|
For instance running as a jar on a Linux/macOS it will look like this:
|
|
|
|
```Shell
|
|
export EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE"
|
|
export EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations"
|
|
java -jar target/webgoat-2023.3-SNAPSHOT.jar
|
|
```
|
|
|
|
Or in a docker run it would (once this version is pushed into docker hub) look like this:
|
|
|
|
```Shell
|
|
docker run -d -p 8080:8080 -p 9090:9090 -e TZ=Europe/Amsterdam -e EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE" -e EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations" webgoat/webgoat
|
|
```
|
|
|