Commit ca0baba

Merge pull request diffblue#419 from diffblue/integrate_webgoat_to_genuine_benchmarks
SEC-33: Integrate webgoat to genuine benchmarks
2 parents 4280d03 + 3da36e8 commit ca0baba

3 files changed, +107 -0 lines changed

benchmarks/GENUINE/.gitignore

+1
Original file line number | Diff line number | Diff line change
@@ -1,6 +1,7 @@
11
RESULTS
22
TEMP
33

4+
WebGoat
45
Alfresco
56
DSpace
67
encuestame
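Review bot: the new `WebGoat` entry matches the checkout location the README assumes for the `-I`/`-L` options (`benchmarks/GENUINE/WebGoat`), so the clone stays untracked like `Alfresco`, `DSpace` and `encuestame`. Like the existing entries it is an unanchored name, so any file or directory called exactly `WebGoat` below `benchmarks/GENUINE` is ignored; it does not match `WebGoatRules.json`, which this same commit adds as a tracked file, so no further change is needed here.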

benchmarks/GENUINE/README.txt

+56
@@ -18,6 +18,62 @@ For each benchmark there is a detailed installation guide and a short textual
1818
description of the application below.
1919

2020

21+
(0) WebGoat
22+
------------
23+
24+
WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web
25+
application security lessons.
26+
27+
This program is a demonstration of common server-side application flaws. The exercises are
28+
intended to be used by people to learn about application security and penetration testing
29+
techniques.
30+
31+
Repository: https://github.com/WebGoat/WebGoat
32+
33+
Install guide for Ubuntu:
34+
35+
1. git clone [email protected]:WebGoat/WebGoat.git
36+
2. cd WebGoat
37+
3. git checkout develop
38+
4. (optional) Open the file:
39+
./WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5a.java
40+
and insert into the line 59 the following code:
41+
static String makeTainted(String accountName) {
42+
return accountName;
43+
}
44+
45+
public void main() {
46+
String test = makeTainted("dave");
47+
completed(test);
48+
}
49+
50+
The code adds an artificial entry point (the function "main") and also
51+
an artificial function "makeTainted" for making input to the function
52+
"completed" tainted. The reason for "makeTainted" function is that the
53+
WebGoat uses the Spring servlet framework which delivers the already
54+
potentially tainted data to the method "completed". But we do not have
55+
any feature in our rules specification which would capture that.
56+
57+
NOTE: the entry-point for the Python driver script should thus then be:
58+
--entry-point org.owasp.webgoat.plugin.introduction.SqlInjectionLesson5a.main
59+
60+
4. mvn clean install -DskipTests
61+
5. cd ..
62+
6. rm -rf ./webgoat-container
63+
64+
The WebGoat does not seem to have a deployment step. Fortunately, the whole
65+
app is relatively small, so we can load everything for each lesson. It means
66+
that we can pass to the Python driver script these options:
67+
-I <security-scanner-root-dir>/benchmarks/GENUINE/WebGoat
68+
-L <security-scanner-root-dir>/benchmarks/GENUINE/WebGoat
69+
70+
General notes: The project is set up in a relatively standard way, likely to allow people to
71+
understand easily what's going on if they look at the code. The main vulnerabilities are
72+
in the webgoat-lessons folder, which holds server web service endpoints that then test if
73+
the pupils have managed to exploit the particular issue they are highlighting.
74+
75+
This makes the traces trivial to detect and analyze.'
76+
2177

2278
(1) Alfresco
2379
------------
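Review bot: step 6 (`rm -rf ./webgoat-container`) runs after step 5 has already done `cd ..`, so the path is resolved in the parent of the clone, where no `webgoat-container` exists and the module is silently left in place; either run the `rm` before leaving the directory or spell the path out as `rm -rf ./WebGoat/webgoat-container`. The list also has two steps numbered 4 (the optional edit and `mvn clean install`), which should be renumbered. The optional edit says "insert into the line 59" of `SqlInjectionLesson5a.java` right after `git checkout develop`; `develop` is a moving branch, so that line number will drift and the instruction should either pin a commit or describe the insertion point by the surrounding code (e.g. "before the `completed(...)` method") rather than by line. It is also worth stating explicitly that the inserted `public void main()` is not a JVM entry point (no `static`, no `String[] args`) and is only meaningful because the driver's `--entry-point` option can name an arbitrary method, otherwise a reader may expect to be able to run it. Minor: the clone uses an SSH remote while the `Repository:` line gives the https URL, so either add the https clone form or note that an SSH key is required; and the last paragraph ends with a stray `'` after "analyze."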

benchmarks/GENUINE/WebGoatRules.json

+50
@@ -0,0 +1,50 @@
1+
{
2+
"namespace": "com.diffblue.security",
3+
"rules":
4+
[
5+
{
6+
"comment": "Incoming accountName is potentially dangerous.",
7+
"class": "org.owasp.webgoat.plugin.introduction.SqlInjectionLesson5a",
8+
"method": "makeTainted:(Ljava/lang/String;)Ljava/lang/String;",
9+
"result": {
10+
"location": "returns",
11+
"taint": "Tainted string"
12+
}
13+
},
14+
{
15+
"comment": "Appending a potentially tainted string into the StringBuilder instance. Making the builder tainted.",
16+
"class": "java.lang.StringBuilder",
17+
"method": "append:(Ljava/lang/String;)Ljava/lang/StringBuilder;",
18+
"input": {
19+
"location": "arg1",
20+
"taint": "Tainted string"
21+
},
22+
"result": {
23+
"location": "this",
24+
"taint": "Tainted string builder"
25+
}
26+
},
27+
{
28+
"comment": "Conversion of potentially tainted data in the StringBuilder to a potentially tainted string.",
29+
"class": "java.lang.StringBuilder",
30+
"method": "toString:()Ljava/lang/String;",
31+
"input": {
32+
"location": "arg0",
33+
"taint": "Tainted string builder"
34+
},
35+
"result": {
36+
"location": "return_value",
37+
"taint": "Tainted string"
38+
}
39+
},
40+
{
41+
"comment": "Executing a tainted query is a sink.",
42+
"class": "java.sql.Statement",
43+
"method": "executeQuery:(Ljava/lang/String;)Ljava/sql/ResultSet;",
44+
"sinkTarget": {
45+
"location": "arg1",
46+
"taint": "Tainted string"
47+
}
48+
}
49+
]
50+
}
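Review bot: the `location` identifiers are spelled inconsistently across the four rules, which will make one of them silently never match if the rule loader treats them as distinct strings: the `makeTainted` rule uses `"returns"` for its result while the `toString` rule uses `"return_value"` for the same concept, and the `toString` rule names the receiver `"arg0"` while the `append` rule names the receiver `"this"` (with its first parameter as `"arg1"`). Pick one spelling for the return value and one for the receiver and use it in all four rules; if `arg0` is meant to be the receiver, say so in a comment, since `arg1` for the first parameter of `append` and `executeQuery` then depends on that convention. Two coverage caveats are worth a comment in the file as well: the only modelled propagation is `StringBuilder.append(String)`, but `javac` compiles string concatenation to whichever `append` overload matches the operand's static type (`append(char)`, `append(int)`, `append(Object)`, ...), so a query assembled from anything other than `String` operands will not be tracked; and the only sink is `Statement.executeQuery(String)`, so `execute`, `executeUpdate` and the `Connection.prepareStatement(String)` path are not flagged. That is acceptable for this one lesson but should be stated so the rule set is not mistaken for a general SQL-injection model.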
