WebGoat Notes

WebGoat is a deliberately vulnerable Web application, now including helpful hints and videos to guide you into hacking it.

I am using Windows 7 Beta. I think the process is similar on other Windows versions.

Part 1: Getting WebGoat and WebScarab Running on Windows

Make Sure You Have Java Installed

Open Firefox and go to java.com. Click the "Do I have Java?" link. If you don't have it, download and install it.

Downloading and Installing WebGoat

Go here and download WebGoat-OWASP_Standard-5.2.zip. Also download the Solving the WebGoat Labs Draft V2.pdf file.

Extract the zip file. A folder named WebGoat-OWASP_Standard-5.2 appears. Double-click the subfolder named WebGoat-5.2. Double-click the webgoat.bat file. A Command Prompt opens and vanishes instantly, and another Command Prompt window opens titled "Tomcat". The Tomcat window fills with text and stays open, as shown below. This is the Apache Tomcat Web server listening on the localhost, port 80. Leave that window open.

[Image: the Tomcat Command Prompt window]

In Firefox, go to http://localhost/WebGoat/attack. A box pops up asking for a name and password. Use guest for both the name and the password.

The main WebGoat page opens. Click the "Start WebGoat" button. The "How to work with WebGoat" page opens, as shown below.

[Image: the WebGoat main page]

Installing WebScarab

You need WebScarab to complete the lessons. Go to this link. On the left side, click the Download link. In the first sentence in the Download section, click the word "here". Save the webscarab-current.zip file. Extract it. A folder named webscarab-current appears. Double-click the subfolder named webscarab-20090222-2217. Double-click the webscarab.jar file. WebScarab opens. This is the Lite Interface. From the menu bar, click Tools, Use Full-Featured Interface. Close WebScarab and restart it. Now you should see many more options, as shown below.

[Image: the WebScarab full-featured interface]

Configuring Firefox to Use WebScarab as a Proxy

In Firefox, click Tools, Options. In the Options box, click the Advanced button. Click the Network tab. Click the Settings button. Click the "Manual proxy configuration" radio button. Enter an HTTP Proxy server of localhost and port 8008.

Near the bottom of the "Connection Settings" window, empty the "No Proxy for:" box. This is very important! If you don't clear that box, WebScarab won't intercept traffic to and from WebGoat!

The "Connections Settings" box should look like the image below. Click OK. In the Options box, click OK.

[Image: the Firefox "Connection Settings" window]
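The "No Proxy for" mistake is easy to make and hard to notice until WebScarab stays empty. The following script is an added example, not part of these notes or of WebGoat/WebScarab: it reads a Firefox prefs.js (the pref names network.proxy.type, network.proxy.http, network.proxy.http_port and network.proxy.no_proxies_on are the ones Firefox writes for the settings above) and reports anything that would keep WebGoat traffic from going through WebScarab. The sample prefs.js text is constructed, not taken from a real profile.

```python
import re

# Constructed sample of a prefs.js: the proxy points at WebScarab, but the
# "No Proxy for:" box was left at its default, the exact mistake the notes warn about.
SAMPLE_PREFS = '''
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "localhost");
user_pref("network.proxy.http_port", 8008);
user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");
'''

# One user_pref(...) line: name, then a quoted string, an integer, or a boolean.
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(?:"([^"]*)"|(\d+)|(true|false))\);')


def parse_prefs(text):
    """Return {name: value} for every user_pref() line, with ints and bools typed."""
    prefs = {}
    for m in PREF_RE.finditer(text):
        name, s, n, b = m.groups()
        if s is not None:
            prefs[name] = s
        elif n is not None:
            prefs[name] = int(n)
        else:
            prefs[name] = (b == "true")
    return prefs


def bypass_hosts(value):
    """Split the comma-separated 'No Proxy for' list into normalised host names."""
    return [h.strip().lower() for h in value.split(",") if h.strip()]


def check_webscarab_proxy(prefs, host="localhost", port=8008):
    """Return a list of problems; an empty list means WebGoat requests reach WebScarab."""
    problems = []
    if prefs.get("network.proxy.type") != 1:  # 1 = manual proxy configuration
        problems.append("manual proxy configuration is not selected")
    if str(prefs.get("network.proxy.http", "")).lower() != host:
        problems.append(f"HTTP proxy host is not {host}")
    if prefs.get("network.proxy.http_port") != port:
        problems.append(f"HTTP proxy port is not {port}")
    for h in ("localhost", "127.0.0.1"):
        if h in bypass_hosts(prefs.get("network.proxy.no_proxies_on", "")):
            problems.append(f'"No Proxy for" still lists {h}; WebGoat traffic will bypass WebScarab')
    return problems


if __name__ == "__main__":
    for p in check_webscarab_proxy(parse_prefs(SAMPLE_PREFS)) or ["proxy settings OK"]:
        print(p)
```

Point the script at your own profile's prefs.js (Firefox writes it only after you close the browser) to confirm the box was really emptied.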

On the left side of the WebGoat page, click "Introduction". Click the "Tomcat Configuration" link. In the WebScarab window, on the "Summary" tab, you should see a list of each HTTP request and response, as shown below.

[Image: the WebScarab Summary tab listing the intercepted requests and responses]

Links

WebGoat FAQ
Last modified: 7-17-09