Install WebGoat
BACKGROUND
WebGoat is an open source tool used to demonstrate common
website security vulnerabilities.
DESCRIPTION
This exercise will walk through the installation of WebGoat.
REQUIREMENTS
Java 15 or newer (installation of JDK 17 is covered earlier in this
chapter). A web browser (preferably Chrome) is also needed.
This exercise assumes you are running a Linux instance (virtualized or otherwise); the walkthrough below uses Google Cloud Shell.
PART I: Download and Run WebGoat
1. WebGoat is distributed as a runnable JAR file. JAR files are Java ARchive files. A JAR file is similar to the more commonly known ZIP file, but has a specific internal structure. The file can be downloaded from the command line using wget:
wget https://github.com/WebGoat/WebGoat/releases/download/v8.2.2/webgoat-server-8.2.2.jar
2. The WebGoat JAR file is runnable; once started, a web server will be launched on your machine. Running it inside Google Cloud Shell makes you much safer, but the following warning comes directly from the WebGoat creators and should not be taken lightly:
WARNING
While running this program your machine will be extremely vulnerable to
attack. You should disconnect from the Internet while using this program.
WebGoat’s default configuration binds to localhost to minimize the
exposure.
Note that while Google Cloud Shell provides protection from unauthorized users, Google
Cloud Shell users should still be judicious with their use of WebGoat.
Start the web server by issuing this command:
java -Dfile.encoding=UTF-8 -Dserver.port=8080 -Dhsqldb.port=9001 -jar webgoat-server-8.2.2.jar
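Added example (not part of this handout or of the WebGoat project): a small Python helper that checks the downloaded file really is a runnable JAR, builds the launch command from step 2, and parses `ss -ltn` output to confirm WebGoat's ports are bound only to loopback, which is the point of the warning above. The sample JAR and the `ss` lines are constructed; the `-Dserver.address` flag is assumed to be honoured because WebGoat 8 is a Spring Boot application.

```python
"""Sanity checks around the WebGoat launch: inspect the JAR, build the
java command, and verify the server listens on localhost only."""
import io
import re
import zipfile

def make_sample_jar() -> bytes:
    """Constructed stand-in for webgoat-server-8.2.2.jar: a JAR is a ZIP whose
    META-INF/MANIFEST.MF names the class that `java -jar` starts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: example.Launcher\r\n")
        zf.writestr("example/Launcher.class", b"\xca\xfe\xba\xbe")  # class magic
    return buf.getvalue()

def jar_main_class(data: bytes):
    """Return the manifest's Main-Class, or None if this is not a runnable JAR."""
    if not data.startswith(b"PK\x03\x04"):  # ZIP local-file-header signature
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    m = re.search(r"^Main-Class:\s*(\S+)", manifest, re.MULTILINE)
    return m.group(1) if m else None

def launch_command(jar: str, port: int = 8080, db_port: int = 9001,
                   bind: str = "127.0.0.1") -> list:
    """The handout's command plus an explicit bind address (assumption:
    Spring Boot's server.address property) instead of relying on the default."""
    return ["java", "-Dfile.encoding=UTF-8", f"-Dserver.port={port}",
            f"-Dhsqldb.port={db_port}", f"-Dserver.address={bind}", "-jar", jar]

# Constructed `ss -ltn` output: the web port is fine, the HSQLDB port is not.
SS_SAMPLE = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   127.0.0.1:8080    0.0.0.0:*
LISTEN 0      50     *:9001            *:*
"""

def exposed_ports(ss_output: str, ports=(8080, 9001)) -> dict:
    """Map each WebGoat port bound to a non-loopback address (0.0.0.0, ::, *,
    or a LAN address) to the offending addresses; empty dict means all good."""
    bad = {}
    for line in ss_output.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 4:
            continue
        addr, _, port = cols[3].rpartition(":")
        if port.isdigit() and int(port) in ports and addr.strip("[]") not in ("127.0.0.1", "::1"):
            bad.setdefault(int(port), []).append(addr)
    return bad
```

Run `ss -ltn` after starting WebGoat and feed its output to `exposed_ports`; anything returned means a port is reachable from beyond the machine.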
EVIDENCE #1
PASTE AN IMAGE OF WebGoat RUNNING
PART 2: Create a user account
1. Open a browser and create an account. The URL will be different depending on your setup, but here are some guidelines:
○ Traditional Linux systems will be reachable via: http://localhost:8080/WebGoat
○ Google Cloud Shell systems are a bit different; a "web preview" will need to be opened. Click the "Web Preview" button:
Next, make sure that the web preview port matches the port that WebGoat was launched on (Part 1, step 2). The default is 8080.
With Google Cloud Shell, you will need to alter the URL that is launched. The default URL will be something like:
https://8080-cs-65291530751-default.cs-us-east1-pkhd.cloudshell.dev/?authuser=0
You MUST change the last part of the URL (the "?authuser=0" portion after the final slash) to "WebGoat". Continuing the example, this is what a Google Cloud Shell URL would look like:
https://8080-cs-65291530751-default.cs-us-east1-pkhd.cloudshell.dev/WebGoat
3. Click "Register new user" and create a user. Note that the user is local to your machine.
4. Fill in the new user form:
EVIDENCE #2
PASTE AN IMAGE OF THE WebGoat HOME PAGE FOR LOGGED IN USERS
PART 3: Walk through a lesson
1. WebGoat provides a number of lessons, each illustrating one aspect of security. Each
lesson has one or more steps. Note the different colors:
The GRAY steps denote a LEARNING step. These steps often have some reading or a
link to additional information.
The RED steps denote an INCOMPLETE ACTION step. These steps have specific
actions that need to be completed but the actions have not been successfully completed.
The GREEN steps denote a COMPLETE ACTION step. The actions on these steps
have been completed satisfactorily.
CAREFULLY READ the instructions for subsequent lab exercises as not all steps will
need to be completed in order to get full credit.
2. Select the "(A2) Broken Authentication" topic on the left navigation bar.
3. Complete this lesson. There is one ACTION step (step 4).
EVIDENCE #3
PASTE THE IMAGE OF THE SECURE PASSWORDS EXERCISE WITH A GREEN STEP 4