Introduction

In the era of information explosion, a great deal of data is generated on the web, such as search history, browsing history, click stream history, and keystrokes. Many of us have accounts on shopping websites and social media sites such as Facebook, LinkedIn, Instagram, Github, and Google+. These accounts might contain personal information, such as cell phone number, address, birthday, workplace, and even credit card number. Privacy should be treated as a first priority. But how can we practice and learn about the possible attacks? OWASP, a nonprofit charitable organization focused on improving the security of software, maintains a project called WebGoat. It's a fun, deliberately insecure web application designed to teach web security lessons. Here, I'm installing a non-developer version on Windows and a developer version on Mac OS. The difference between the two is that some of the lessons require the user to modify the code to prevent an attack, and new lessons can be created, compiled, and run only on a developer version.

Install non-developer version of WebGoat

  1. Install Java from the official web site of Oracle.
    Oracle
  2. Download WebGoat-6.0.1-war-exec.jar.
    WebGoat release
  3. In a command line (bash or terminal), go to the directory where WebGoat-6.0.1-war-exec.jar has been downloaded and type in java -jar WebGoat-6.0.1-war-exec.jar.
    java -jar WebGoat-6.0.1-war-exec.jar
    	
  4. Point your browser to http://localhost:8080/WebGoat.
    http://localhost:8080/WebGoat
    	
  5. Start hacking!
    WebGoat picture

Install developer version of WebGoat on Mac OS (Deprecated)

  1. Make a directory at where you want to put the project.
    mkdir WebGoat-Workspace
    	
  2. Change the directory into the workspace.
    cd WebGoat-Workspace
    	
  3. Download a shell file, webgoat_developer_bootstrap.sh, from Google Drive.
  4. Install Homebrew (a package manager for OS X)
    /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
    	
  5. Install maven
    brew install maven
    	
  6. Run the webgoat_developer_bootstrap.sh script. It will clone the necessary repositories and call the maven goals in order to launch Tomcat listening on localhost:8080.
    sh webgoat_developer_bootstrap.sh
    	
  7. Start hacking!
    start using WebGoat picture
  8. Open localhost:8080/WebGoat/
    WebGoat picture
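
Because WebGoat is deliberately insecure, it is worth confirming that port 8080 is bound to the loopback interface only once it is running. The script below is an added example, not part of the WebGoat project or of the original post; it classifies `lsof` output for the port, and the function name `classify_listeners` and the sample lines are constructed for illustration (macOS or Linux shell assumed).

```shell
#!/bin/sh
# Added example: report where the WebGoat port is listening.
# Input (stdin): output of `lsof -nP -iTCP:<port> -sTCP:LISTEN`
# Output: not-listening | loopback-only | exposed
classify_listeners() {
    port="$1"
    awk -v port="$port" '
        $NF != "(LISTEN)" { next }               # skips the header and non-listening rows
        {
            name = $(NF - 1)                     # e.g. 127.0.0.1:8080, *:8080, [::1]:8080
            n = length(name) - length(port) - 1  # length of the address part
            if (substr(name, n + 1) != (":" port)) next
            addr = substr(name, 1, n)
            seen = 1
            # Anything other than 127.0.0.0/8 or ::1 is reachable from the network.
            if (addr !~ /^127\./ && addr != "[::1]") exposed = 1
        }
        END {
            if (!seen)        print "not-listening"
            else if (exposed) print "exposed"
            else              print "loopback-only"
        }'
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_LOOPBACK='COMMAND  PID USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
java    4242 alice  45u IPv4 0x1a2b      0t0  TCP 127.0.0.1:8080 (LISTEN)'
SAMPLE_WILDCARD='COMMAND  PID USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
java    4242 alice  45u IPv6 0x1a2b      0t0  TCP *:8080 (LISTEN)'

# Live check against this machine: sh check_webgoat_bind.sh --live
if [ "${1:-}" = "--live" ]; then
    lsof -nP -iTCP:8080 -sTCP:LISTEN 2>/dev/null | classify_listeners 8080
fi
```

If the result is `exposed`, stop WebGoat or block the port with the host firewall before working through the lessons on a shared network.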

Conclusion

After installing WebGoat, we can start to explore the lessons in this fantastic project! The following posts will describe some of the methods for solving them.

History

  • 4th Feb, 2016: Initial version
  • 28th Sep, 2020: Mark Deprecated

Reference

  1. WebGoat README.MD
  2. WebGoat-Legacy
  3. OWASP