Getting Started with WebGoat on Docker

This is the first entry in a series of posts that will be focused on my working through the OWASP Project’s WebGoat.

I intend to work my way through all of the challenges in WebGoat over the course of the next few months after work and in my spare time. I will try to make enough progress to post meaningful updates to this blog on a daily to weekly basis.

What is WebGoat

WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. This program is a demonstration of common server-side application flaws. The exercises are intended to be used by people to learn about application security and penetration testing techniques.

WARNING 1: While running this program your machine will be extremely vulnerable to attack. You should disconnect from the Internet while using this program. WebGoat’s default configuration binds to localhost to minimize the exposure.

WARNING 2: This program is for educational purposes only. If you attempt these techniques without authorization, you are very likely to get caught. If you are caught engaging in unauthorized hacking, most companies will fire you. Claiming that you were doing security research will not work as that is the first thing that all hackers claim.

A little about my Setup

I am running WebGoat and WebWolf on Docker.

OWASP has published their image on

To pull the image:

docker pull webgoat/goatandwolf

The easiest way to start WebGoat as a Docker container is to use the all-in-one docker container.

This is a docker image that has WebGoat and WebWolf running inside.

docker run -p 8080:8080 -p 9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf

Important: Choose the correct timezone so that the Docker container and your host are in the same timezone. This matters for the validity of the JWT tokens used in certain exercises.
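
WARNING 1 counts on WebGoat being bound to localhost, but a publish option written as -p 8080:8080 has no host address, so Docker publishes the port on every host interface. The script below is an added example, not part of the original post or of WebGoat; it assumes the Docker daemon's default bind address, and the function names publish_scope and audit_run are hypothetical. It classifies the publish options of a docker run command and compares the command above with a variant pinned to 127.0.0.1.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Assumes the Docker daemon's default bind address (0.0.0.0) for published ports.

# Classify one publish spec: [hostIP:][hostPort:]containerPort[/proto]
publish_scope() {
    s=${1%/*}                                  # drop a trailing /tcp or /udp
    case "$s" in
        0.0.0.0:*:*|\[::\]:*:*) echo all-interfaces ;;
        127.*:*:*|\[::1\]:*:*)  echo loopback ;;
        *:*:*)                  echo specific-address ;;
        *)                      echo all-interfaces ;;   # no host IP given
    esac
}

# Walk the arguments of a docker run command and print each publish spec with
# its scope. Returns 1 if any port is published beyond the loopback interface.
audit_run() {
    rc=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -p|--publish)     spec=${2-}; [ $# -lt 2 ] || shift ;;
            --publish=*)      spec=${1#--publish=} ;;
            -P|--publish-all) spec='(all exposed ports)' ;;
            *)                spec= ;;
        esac
        if [ -n "$spec" ]; then
            scope=$(publish_scope "$spec")
            printf '%-26s %s\n' "$spec" "$scope"
            [ "$scope" = loopback ] || rc=1
        fi
        shift
    done
    return "$rc"
}

# The command from the post: both ports are published on all interfaces.
audit_run -p 8080:8080 -p 9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf \
    || echo "=> reachable from other hosts on the network"

# Same command with the host side pinned to 127.0.0.1.
audit_run -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 \
    -e TZ=Europe/Amsterdam webgoat/goatandwolf \
    && echo "=> reachable from this machine only"
```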

WebGoat will be located at: 

WebWolf will be located at:


You will then be presented with the WebGoat login screen:


Image 1


To access the lessons and challenges you will need to select ‘Register new user’ and create a login.


Once you are logged in, then it’s time to get started:


Image 2
