
WebGoat is a deliberately insecure application

114 points | graderjs | 4 years ago | github.com

15 comments

arduinomancer | 4 years ago
Funny story related to WebGoat:

In my undergrad security class the prof posed a challenge that whoever could make themself an admin would get bonus marks.

Using one vulnerability I found there was an xml file on the server that defined the list of admins.

Once you find that you can use another vulnerability (something with file uploads + JSP) that let you run arbitrary Java code to modify the file on the server.

The problem is, after adding myself to the file it didn't have any effect. I figured okay, that file is probably only read into memory once when the server first starts.

So I thought no problem, I’ll just run a piece of Java that exits the JVM process.

Unfortunately there was no process manager to restart the server process, so it took down WebGoat for the entire class.

Oops. People were pretty pissed on the class discussion board because they couldn’t even work on the regular assignment.

Eventually I emailed someone in university IT and got them to just reboot the Linux instance but it took a couple days.

When the server came back up I had admin privileges and ended up getting the bonus marks.

I still wonder to this day if “crashing the server” was the real way you were supposed to do that.

Sorry guys XD

deptm | 4 years ago
My company makes fuzzing software to find security vulnerabilities. We use WebGoat as a learning example as well. Feel free to have a look at our free read-only SaaS version with WebGoat to see how it works. https://app.code-intelligence.com (GitHub login, not mobile friendly)

Faelian2 | 4 years ago
I work as a pentester, and if you want to learn web security, I would strongly recommend PortSwigger Web Security Academy labs over WebGoat (it's free too).

https://portswigger.net/web-security

HackTheBox with IppSec's videos is also a fantastic resource. LiveOverflow's YouTube channel and PentesterLab are also really good.

skneko | 4 years ago
Ah yes, we used this and BadStore in the web security course at my university. Not very hard, but good for beginners.

sbmthakur | 4 years ago
I learned a lot with WebGoat. Can anyone recommend similar resources but with increased difficulty? I am specifically interested in XSS and SQL injection.

Phil987 | 4 years ago
This is aimed more at companies signing up rather than individuals, but a company called Security Innovation has a product that kind of gamifies hacking vulnerable websites: https://www.securityinnovation.com/training/ (the CMD+CTRL training)

They have a couple of fake websites that have a bunch of vulnerabilities of varying difficulty and you get points for exploiting them.

I am not affiliated with them, but saw a demo once and thought it was cool.

lormayna | 4 years ago
HackTheBox is a good resource to improve your pentesting skills.

pixl97 | 4 years ago
There are multiple versions of WebGoat, for example WebGoat.NET, if Java isn't your language of choice to learn on.