• Some of the lessons listed are actually not available, they aren’t implemented yet. A bit disappointing to first see the long list and then being cheated out of about 5 of them.
• I didn’t get one of the lessons to complete, the one on dangerous XSS. I’m not sure but I think the reason was I’m not using a browser made by Microsoft.
• One lesson, the one with the admin interface, I didn’t finish. The hints were utterly useless (what source should I follow?). After looking both in the source in WebGoat and in WebGoat’s CVS repo (you don’t have to play fair when breaking things you know) I was even more confused.

Many lessons are somewhat simplistic and naive, I don’t doubt people still make those mistakes though. I’d say WebGoat is a nice, short, introduction to hands-on playing with web vulnerabilities.

The maybe most valuable thing about WebGoat is that it suggests using WebScarab.

Share/Bookmark

My first impression wasn’t too good. I tried running it on Linux first (preferred platform for work/play/goofing around, yes anything) but installation failed miserably. The zip-file containing JDK1.5 only contains Java for Windows. Luckily I have Sun’s JDK1.5 on my Ubuntu machine already so I switched to using the StandAlone version. Now began the fun. There are numerous problems with the shell-scripts:

• they are not executable
• they have DOS line-endings
• the main setup script has a wacky reference to JAVA_HOME
• all files are read-only (not only the scripts, but all files)

So, after a call to ‘chmod’ to make everything writable, a few calls to dos2unix and chmod +x on the script files, a quick edit of webgoat.sh to set JAVA_HOME to something sane I thought I’d be off. Oh, no! Running webgoat.sh results in nothing. netstat -lpt reveals there is some java app listening on port 8005, but pointing my browser to it results in nothing. The total lack of documentation on how to use it didn’t help in my frustration.

After browsing the WebGoat Archives I turned off my Apache2 to free up port 80. Rerun webgost.sh, still nothing!

Some more browsing the archives revelead that I’m not only one having problems running WebGoat on Linux , the answer wasn’t too encouraging. I decided to try my luck on (yuck) Windows. Unzip, run the bat-file, point a browser to http://localhost/. Wow, worked perfectly!

Ok, on to the next problem, where are the lessons? Again, bitten by the lack of documentation it seems. Well, the archive has been saving me before… Again, I’m not the only one having problems the answer was there as well:

http://localhost/WebGoat/attack
Username: guest
Password: guest

Worked again, and now I can start taking the lessons. Not a great start, but after this bumpy ride I got to the destination. I do hope the WebGoat developers improve on the Linux support and documentation though!

Share/Bookmark