├── .gitignore
├── 404.html
├── Gemfile
├── _config.yml
├── assets
│   └── images
│       ├── README.md
│       ├── assignment-example.png
│       ├── assignment.png
│       ├── files.png
│       ├── lesson-overview.png
│       ├── lesson.png
│       ├── mailbox.png
│       ├── mitigation-example.png
│       ├── mitigation.png
│       ├── requests.png
│       ├── teach.png
│       └── wolf-enabled.png
├── index.md
├── info.md
├── leaders.md
├── tab_goals.md
├── tab_lessons.md
├── tab_start.md
└── tab_webwolf.md

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
__pycache__
env
.vscode
_site/

--------------------------------------------------------------------------------
/404.html:
--------------------------------------------------------------------------------
---
title: 404 - Not Found
layout: col-generic
---

WHOA THAT PAGE CANNOT BE FOUND

Try the SEARCH function in the main navigation to find something. If you are looking for chapter information, please see Chapters for the correct chapter. For information about OWASP projects see Projects. For common attacks, vulnerabilities, or information about other community-led contributions see Contributed Content.

If all else fails you can search our historical site.

--------------------------------------------------------------------------------
/Gemfile:
--------------------------------------------------------------------------------
source 'https://rubygems.org'
group :jekyll_plugins do
  gem "github-pages"
end

--------------------------------------------------------------------------------
/_config.yml:
--------------------------------------------------------------------------------
remote_theme: "owasp/www--site-theme@main"
plugins:
  - jekyll-include-cache-0.2.0

--------------------------------------------------------------------------------
/assets/images/README.md:
--------------------------------------------------------------------------------
# placeholder

Put images you wish to link to in this folder.

The link would be of the form /assets/images/

--------------------------------------------------------------------------------
/assets/images/assignment-example.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-webgoat/7b6b71005005398e7e1539adc8b4ef1567c21a8f/assets/images/assignment-example.png

--------------------------------------------------------------------------------
/assets/images/assignment.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-webgoat/7b6b71005005398e7e1539adc8b4ef1567c21a8f/assets/images/assignment.png

--------------------------------------------------------------------------------
/assets/images/files.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-webgoat/7b6b71005005398e7e1539adc8b4ef1567c21a8f/assets/images/files.png

--------------------------------------------------------------------------------
/assets/images/lesson-overview.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-webgoat/7b6b71005005398e7e1539adc8b4ef1567c21a8f/assets/images/lesson-overview.png

--------------------------------------------------------------------------------
/assets/images/lesson.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-webgoat/7b6b71005005398e7e1539adc8b4ef1567c21a8f/assets/images/lesson.png

--------------------------------------------------------------------------------
/assets/images/mailbox.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-webgoat/7b6b71005005398e7e1539adc8b4ef1567c21a8f/assets/images/mailbox.png

--------------------------------------------------------------------------------
/assets/images/mitigation-example.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-webgoat/7b6b71005005398e7e1539adc8b4ef1567c21a8f/assets/images/mitigation-example.png

--------------------------------------------------------------------------------
/assets/images/mitigation.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-webgoat/7b6b71005005398e7e1539adc8b4ef1567c21a8f/assets/images/mitigation.png

--------------------------------------------------------------------------------
/assets/images/requests.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-webgoat/7b6b71005005398e7e1539adc8b4ef1567c21a8f/assets/images/requests.png

--------------------------------------------------------------------------------
/assets/images/teach.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-webgoat/7b6b71005005398e7e1539adc8b4ef1567c21a8f/assets/images/teach.png

--------------------------------------------------------------------------------
/assets/images/wolf-enabled.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-webgoat/7b6b71005005398e7e1539adc8b4ef1567c21a8f/assets/images/wolf-enabled.png

--------------------------------------------------------------------------------
/index.md:
--------------------------------------------------------------------------------
---
layout: col-sidebar
title: OWASP WebGoat
tags: webgoat
level: 3
type: tool
---
![WebGoat Logo](https://raw.githubusercontent.com/WebGoat/WebGoat/main/src/main/resources/lessons/challenges/images/webgoat2.png)

[![GitHub release](https://img.shields.io/github/v/release/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/releases/latest)

## Learn the hack - Stop the attack

WebGoat is a deliberately insecure application that allows interested developers just like you to test vulnerabilities commonly found in Java-based applications that use common and popular open source components.

## Description

Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment.

Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission. The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.

**WARNING 1:** *While running this program your machine will be extremely vulnerable to attack. You should disconnect from the Internet while using this program.* WebGoat's default configuration binds to localhost to minimize the exposure.

**WARNING 2:** *This program is for educational purposes only. If you attempt these techniques without authorization, you are very likely to get caught. If you are caught engaging in unauthorized hacking, most companies will fire you. Claiming that you were doing security research will not work as that is the first thing that all hackers claim.*

--------------------------------------------------------------------------------
/info.md:
--------------------------------------------------------------------------------
### Downloads
* [Standalone jars](https://github.com/WebGoat/WebGoat/releases)
* [Docker Image](https://hub.docker.com/r/webgoat/webgoat)

### Code Repository
* [Source code](https://github.com/WebGoat/WebGoat)

### Helping the Goat!
* [Report an issue](https://github.com/WebGoat/WebGoat/issues)
* [Contributing to WebGoat](https://github.com/WebGoat/WebGoat/wiki/Contributing-to-WebGoat)
* [Forking WebGoat in GitHub](https://github.com/WebGoat/WebGoat/wiki/Forking-WebGoat-in-GitHub)
* [Solutions](https://github.com/WebGoat/WebGoat/wiki/Main-Exploits)

### Around the Web
* [Gitter](https://gitter.im/OWASPWebGoat/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)
* [Mail](mailto://webgoat@owasp.org)
* [StackOverflow](https://stackoverflow.com/search?q=webgoat)
* [Twitter](https://twitter.com/OWASP_WebGoat)
* [Slack](https://owasp.slack.com/messages/#project-webgoat/)

#### Classification

* Tool

#### Audience

* Builder
* Breaker
* Defender

--------------------------------------------------------------------------------
/leaders.md:
--------------------------------------------------------------------------------
### Leaders
* [Nanne Baars](mailto://nanne.baars@owasp.org)
* [René Zubčević](mailto://rene.zubcevic@owasp.org)

--------------------------------------------------------------------------------
/tab_goals.md:
--------------------------------------------------------------------------------
---
title: Goals
layout: null
tab: true
order: 1
tags: webgoat
---

## Goals

Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment.

Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission. The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.

## Learn in three steps

### Explain the vulnerability

![](https://webgoat.github.io/WebGoat/img/portfolio/lesson.png)

Teaching is now a first-class citizen of WebGoat: we explain the vulnerability. Instead of 'just hacking', we focus from the beginning on explaining what, for example, a SQL injection is.

### Learn by doing

During the explanation of a vulnerability we build assignments which will help you understand how it works.

![](https://webgoat.github.io/WebGoat/img/portfolio/assignment-example.png)

### Explain mitigation

At the end of each lesson you will receive an overview of possible mitigations which will help you during your development work.

![](https://webgoat.github.io/WebGoat/img/portfolio/mitigation-example.png)

--------------------------------------------------------------------------------
/tab_lessons.md:
--------------------------------------------------------------------------------
---
title: Lessons
layout: null
tab: true
order: 1
tags: webgoat
---

## Lessons

WebGoat contains lessons for almost all OWASP Top 10 vulnerabilities and more...

![](assets/images/lesson-overview.png)

### Future lessons

The following lessons are on our wish list:

- Lesson about cryptography (in progress)
- Lesson about path traversal (in progress)
- Session management
- More password reset lessons
- etc.

See our [Github page](https://github.com/WebGoat/WebGoat/issues) for more information.

--------------------------------------------------------------------------------
/tab_start.md:
--------------------------------------------------------------------------------
---
title: Start
layout: null
tab: true
order: 1
tags: webgoat
---

## Getting started

### 1. Run using Docker

If you already have a browser and ZAP and/or Burp installed on your machine, you can run the WebGoat image directly using Docker.

Every release is also published on [DockerHub](https://hub.docker.com/r/webgoat/webgoat).

```shell
docker run -it -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 webgoat/webgoat
```

If you want to reuse the container, give it a name:

```shell
docker run --name webgoat -it -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 webgoat/webgoat
```

As long as you don't remove the container you can use:

```shell
docker start webgoat
```

This way, you can start where you left off. If you remove the container, you need to use `docker run` again.

### 2. Run using Docker with complete Linux Desktop

Instead of installing tools locally, you can use a complete Docker image that runs a desktop in your browser. This way you only have to run a single Docker image, which gives the best user experience.

```shell
docker run -p 127.0.0.1:3000:3000 webgoat/webgoat-desktop
```

### 3. Standalone

Download the latest WebGoat release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)

```shell
java -Dfile.encoding=UTF-8 -Dwebgoat.port=8080 -Dwebwolf.port=9090 -jar webgoat-2023.5.jar
```

Click the link in the log to start WebGoat.

--------------------------------------------------------------------------------
/tab_webwolf.md:
--------------------------------------------------------------------------------
---
title: WebWolf
layout: null
tab: true
order: 1
tags: webgoat
---

## WebWolf the small helper

WebWolf is a separate web application which simulates an attacker's machine. It makes it possible for us to make a clear distinction between what takes place on the attacked website and the actions you need to take as an "attacker". WebWolf was introduced after a couple of workshops where we received feedback that there was no clear distinction between what was part of the "attacker's" role and what was part of the "user's" role on the website. The following items are supported in WebWolf:

### Host a file

Upload a file that needs to be downloaded during an assignment.

![](assets/images/files.png "Uploading and serving a file")

### E-mail client

WebWolf serves a mail client with which we can easily simulate sending an e-mail.

![](assets/images/mailbox.png "Integrated e-mail client")

### Landing page for incoming requests

WebWolf can serve as a landing page to which you can make a call from inside an assignment, giving you as the attacker information about the complete request. Think of it as a very simple form of `netcat`.

![](assets/images/requests.png)

## Running

### 1. Docker

If you started the Docker image, WebWolf is already running. Please point your browser to: http://localhost:9090/WebWolf

### 2. Standalone

If you want to use the standalone version, you will need to download the jar file and start it:

```shell
java -jar webwolf-<>.jar [--server.port=9090] [--server.address=localhost]
```

By default, WebWolf starts on port 9090; with `--server.port` you can specify a different port. With `--server.address` you can bind it to a different address (default localhost).
--------------------------------------------------------------------------------
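Both the Start tab and the WebWolf tab publish the WebGoat/WebWolf ports on `127.0.0.1` only, and the index page warns that the machine is extremely vulnerable while WebGoat runs. The following POSIX sh check is an added example (not part of the WebGoat project or this site): it inspects a `docker run` command line and fails if any `-p`/`--publish` mapping would expose a port on a non-loopback address. The function name `loopback_only` is my own.

```shell
#!/bin/sh
# Added example, not WebGoat project code. Reject docker run command lines
# whose published ports are not bound to the loopback interface.
# Usage: loopback_only docker run -it -p 127.0.0.1:8080:8080 webgoat/webgoat
# Exit status 0 when every mapping is loopback-bound, 1 otherwise.
loopback_only() {
  bad=0
  while [ $# -gt 0 ]; do
    case "$1" in
      -p|--publish)               # mapping is the next argument
        shift
        mapping="${1:-}"
        ;;
      -p*)                        # attached form: -p127.0.0.1:8080:8080
        mapping="${1#-p}"
        ;;
      --publish=*)                # attached form: --publish=HOST:PORT:PORT
        mapping="${1#--publish=}"
        ;;
      *)                          # image name, -it, --name ...: not a port mapping
        shift
        continue
        ;;
    esac
    case "$mapping" in
      127.0.0.1:*|localhost:*|'[::1]:'*)
        ;;                        # bound to loopback only: fine
      *)
        # "8080:8080" and "0.0.0.0:8080:8080" both publish on all interfaces
        echo "not loopback-bound: ${mapping:-<missing mapping>}" >&2
        bad=1
        ;;
    esac
    [ $# -gt 0 ] && shift
  done
  return $bad
}

# The command from the Start tab passes the check.
loopback_only docker run -it -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 webgoat/webgoat \
  && echo "all published ports are loopback-bound"
```

Run it against the exact command you are about to execute; a mapping such as `-p 8080:8080` publishes WebGoat on every interface of the host, which is what the warning on the index page is about.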