My WebGoat experience

WebGoat is pretty cool! It’s a good idea, and for a large part it delivers what it promises. My main gripes:

  • Some of the lessons listed are actually not available; they aren’t implemented yet. A bit disappointing to first see the long list and then be cheated out of about 5 of them.
  • I didn’t get one of the lessons to complete, the one on dangerous XSS. I’m not sure, but I think the reason was that I’m not using a browser made by Microsoft.
  • One lesson, the one with the admin interface, I didn’t finish. The hints were utterly useless (what source should I follow?). After looking both in the source in WebGoat and in WebGoat’s CVS repo (you don’t have to play fair when breaking things, you know) I was even more confused.

Many lessons are somewhat simplistic and naive; I don’t doubt people still make those mistakes, though. I’d say WebGoat is a nice, short introduction to hands-on playing with web vulnerabilities.

Maybe the most valuable thing about WebGoat is that it suggests using WebScarab.