WebGoat
WebGoat is a deliberately insecure J2EE web application designed to teach web application security concepts.
You can download it from SourceForge or from Google.
The package contains a Tomcat server and you can run it from the distribution. But in my case there were only Windows configuration files, so I had to take the WAR file and put it in the standalone Tomcat installation. I also had to move the permissions for the roles/users to my Tomcat installation.
After managing to run it, you will need a sniffer/proxy to monitor the requests. I have tried it with WebScarab, but there is another one here and this one here.
- Run WebGoat in Tomcat
- Run your proxy/sniffer/plugin or whatever monitoring tool you use
- Start your browser
- Set up your browser to use the proxy, in case you chose to use one
- Point your browser at the WebGoat application (http://127.0.0.1:8080/WebGoat/attack)
You are ready to pass all the tests. Here are the lessons extracted from the latest WebGoat version:
- Admin Functions
- General
- Code Quality
- Concurrency
- Unvalidated Parameters
- Access Control Flaws
- Authentication Flaws
- Session Management Flaws
- Cross-Site Scripting (XSS)
  - Phishing with XSS
  - LAB: Cross Site Scripting
    - Stage 1: Stored XSS
    - Stage 2: Block Stored XSS using Input Validation
    - Stage 3: Stored XSS Revisited
    - Stage 4: Block Stored XSS using Output Encoding
    - Stage 5: Reflected XSS
    - Stage 6: Block Reflected XSS
  - Stored XSS Attacks
  - Cross Site Request Forgery (CSRF)
  - Reflected XSS Attacks
  - HTTPOnly Test
  - Cross Site Tracing (XST) Attacks
- Buffer Overflows
- Injection Flaws
  - Command Injection
  - Blind SQL Injection
  - Numeric SQL Injection
  - Log Spoofing
  - XPATH Injection
  - LAB: SQL Injection
    - Stage 1: String SQL Injection
    - Stage 2: Parameterized Query #1
    - Stage 3: Numeric SQL Injection
    - Stage 4: Parameterized Query #2
  - String SQL Injection
  - Database Backdoors
- Improper Error Handling
- Insecure Storage
- Denial of Service
- Insecure Configuration
- Web Services
- AJAX Security
- Challenge