Add Webgoat install guide.

Author: marek-trtik

benchmarks/GENUINE/README.txt

@@ -18,6 +18,62 @@ For each benchmark there is a detailed installation guide and a short textual
 description of the application below.
 
 
+(0) WebGoat
+------------
+
+WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web 
+application security lessons.
+
+This program is a demonstration of common server-side application flaws. The exercises are 
+intended to be used by people to learn about application security and penetration testing 
+techniques.
+
+Repository: https://github.com/WebGoat/WebGoat
+
+Install guide for Ubuntu:
+
+  1. git clone [email protected]:WebGoat/WebGoat.git
+  2. cd WebGoat
+  3. git checkout develop
+  4. (optional) Open the file:
+        ./WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5a.java
+     and insert into the line 59 the following code:
+            static String makeTainted(String accountName) {
+                return accountName;
+            }
+
+            public void main() {
+                String test = makeTainted("dave");
+                completed(test);
+            }
+            
+     The code adds an artificial entry point (the function "main") and also
+     an artificial function "makeTainted" for making input to the function
+     "completed" tainted. The reason for "makeTainted" function is that the
+     WebGoat uses the Spring servlet framework which delivers the already 
+     potentially tainted data to the method "completed". But we do not have
+     any feature in our rules specification which would capture that.
+     
+     NOTE: the entry-point for the Python driver script should thus then be:
+         --entry-point org.owasp.webgoat.plugin.introduction.SqlInjectionLesson5a.main
+
+  4. mvn clean install -DskipTests
+  5. cd ..
+  6. rm -rf ./webgoat-container
+  
+The WebGoat does not seam to have a deployment step. Fortunatelly, the whole
+app is relatively small, so we can load everything for each lesson. It means
+that we can pass to the Python driver script these options:
+    -I <security-scanner-root-dir>/benchmarks/GENUINE/WebGoat
+    -L <security-scanner-root-dir>/benchmarks/GENUINE/WebGoat
+  
+General notes: The project is set up in a relatively standard way, likely to allow people to
+understand easily what's going on if they look at the code. The main vulernerabilities are
+in the webgoat-lessons folder, which holds server web service endpoints that then test if
+the pupils have managed to exploit the particular issue they are highlighting.
+
+This makes the traces trivial to detect and analyze.'
+
 
 (1) Alfresco
 ------------