Everyday Answers

    Getting Started with WebGoat: A Hands-On Guide to OWASP…

    Close-up view of a mouse cursor over digital security text on display.

    Written by

    golosov070

    in

    Getting Started with WebGoat: A Hands-On Guide to OWASP Web Security Training

    This guide provides a step-by-step setup for WebGoat, a valuable tool for hands-on OWASP web security training. We’ll cover the prerequisites, installation process, and walk through key labs to illustrate common vulnerabilities.

    Prerequisites

    Before you begin, ensure you have the following:

    • Java 11+ (OpenJDK)
    • Docker Desktop
    • A modern browser (Chrome, Edge, or Firefox)

    Step-by-Step Setup

    1. Install Docker Desktop: Install and verify Docker Desktop is running on your operating system.
    2. Pull the WebGoat Image: Open your terminal and run: docker pull webgoat/webgoat:latest
    3. Run WebGoat: Execute the following command in your terminal: docker run -d -p 8080:8080 --name webgoat webgoat/webgoat:latest
    4. Access WebGoat: Open your browser and navigate to http://localhost:8080/WebGoat/. Click “Sign In” to begin.
    5. Getting Started Lab: Upon first login, complete the “Getting Started” lab to familiarize yourself with the interface and safety guidelines.

    Safety Note: Run WebGoat on localhost or an isolated network. Never expose port 8080 to the public internet. Monitor resource usage.

    Hands-On Labs

    The following labs provide practical-guide-to-secure-web-communication/”>practical experience with common web vulnerabilities:

    Lab 1: XSS – Reflected XSS in a Search Field

    This lab demonstrates how a simple input field can reflect user data, leading to XSS vulnerabilities.

    Steps:

    1. Navigate to WebGoat → XSS → Reflected XSS lab activity.
    2. Enter the following payload into the search input and submit: <script>alert('XSS')</script>
    3. Observation: If the input is not encoded, the script will execute. If encoded, it will not.
    4. Remediation: Implement HTML entity escaping (e.g., <, >) and content security policies.

    Lab 2: SQL Injection – Authentication Bypass

    This lab showcases how a vulnerable login form can be bypassed without valid credentials if user input isn’t handled securely.

    Steps:

    1. Open the login lab under SQL Injection.
    2. Enter ' OR '1'='1 in the username field (leave the password blank).
    3. Observation: If string concatenation is used instead of parameterized queries, authentication may be bypassed.
    4. Remediation: Use prepared statements/parameterized queries, input validation, and robust error handling.

    Lab 3: CSRF – Unauthenticated Action

    This lab explores Cross-Site Request Forgery (CSRF), where a site’s trust in a logged-in browser session is exploited.

    Steps:

    1. Navigate to a state-changing lab action (e.g., purchase or profile update) without re-authentication.
    2. Attempt to trigger the action via a crafted HTML form from another page/domain without explicit user interaction.
    3. Observation: If CSRF protections are absent, the action may be triggered by an attacker.
    4. Remediation: Implement anti-CSRF tokens, same-site cookies, and state validation.

    Note: Only perform CSRF testing in a controlled environment. Never test on production systems without explicit authorization.

    Lab 4: Insecure Direct Object Reference (IDOR)

    IDOR occurs when the server trusts the identifier provided by the client.

    Steps:

    1. Access a resource URL with a direct object parameter (e.g., /WebGoat/resource?userId=123).
    2. Modify the parameter (e.g., userId=124) to attempt accessing another user’s data.
    3. Observation: Lack of server-side authorization checks can lead to data exposure.
    4. Remediation: Enforce authorization at each request and validate user context against the target resource.

    Takeaway: Proper access control is crucial. Always verify the requester’s identity and access permissions.

    Deployment Options: Docker vs. Native WebGoat Setup

    Aspect Docker-based Deployment Native/JAR Installation
    Quick Start Quick and easy setup with minimal configuration. Requires Java runtime and manual server setup.
    OS and Environment Works on Windows, macOS, and Linux via Docker. Depends on host OS and Java environment.
    Resource Usage Generally 1-2 GB RAM and 1 CPU core. Containerization helps manage resource usage. Depends on host; may consume more resources.
    Upgrade Path Regularly pull the latest image. Manual update of JARs, dependencies, and server configuration.

    Pros and Cons

    Pros

    • Hands-on practice in a safe environment.
    • Reproducible and resettable labs.
    • Clear structure for building skills.

    Cons

    • Some content may reference older OWASP Top 10 editions. Supplement with up-to-date references.
    • Focus on exploitation; ensure defensive best practices are included.
    • Requires basic Docker familiarity.

    Mitigation: Update OWASP Top 10 mappings and add a defense-focused appendix.

    Watch the Official Trailer

    Comments

    Leave a Reply

    More posts

    Discover more from Everyday Answers

    Subscribe now to keep reading and get access to the full archive.

    Continue reading