My WebGoat experience

WebGoat is pretty cool! It's a good idea, and to a large extent it delivers what it promises. My main gripes:

  • Some of the lessons listed are actually not available; they aren't implemented yet. It's a bit disappointing to first see the long list and then be cheated out of about 5 of them.
  • I didn't get one of the lessons to complete, the one on dangerous XSS. I'm not sure, but I think the reason was that I'm not using a browser made by Microsoft.
  • One lesson, the one with the admin interface, I didn't finish. The hints were utterly useless (what source should I follow?). After looking both in the source in WebGoat and in WebGoat's CVS repo (you don't have to play fair when breaking things, you know), I was even more confused.

Many lessons are somewhat simplistic and naive, though I don't doubt people still make those mistakes. I'd say WebGoat is a nice, short introduction to hands-on playing with web vulnerabilities.

Maybe the most valuable thing about WebGoat is that it suggests using WebScarab.


One Comment

  1. Use the Source! I found it, though it took me almost 45 seconds. It is there. Hint: for basic auth you use guest/guest. You have to log in as a user with admin rights to see the admin menu; though it's not as simple as admin/admin, it is pretty easy: same word for login and password. Here is a common type of hash against the answer:

    009c02eb4abe20099075355689fc5a0a
