Webgoat Tutorial
Date: Sep 17, 2009
Kevin Beaver demonstrates the versatility of Webgoat.
Read the full transcript from this video below:
Hello, I'm Kevin Beaver, independent information security consultant, expert witness and speaker with Atlanta-based Principle Logic. I write for SearchSoftwareQuality.com and I'm also author of the book Hacking for Dummies as well as the Security on Wheels audio programs.
Now, is it just me, or is the old saying, "Out of sight, out of mind" the mantra that so many people appear to live by when it comes to web security? The general assumption is that if there are no visible security holes, like cross-site scripting, SQL injection, things like that, then everything must be running smoothly. Well, based on what I'm seeing in my work, that's hardly the case, especially with Web 2.0.
So how can you learn about the power that these rich internet applications place in the hands of users? Well, there's a great tool out there called WebGoat that you can use to learn about these risks and many others to boot. I'd like to show you just how neat this program is and how quickly you can take your web security expertise to the next level.
First, you need to download WebGoat from the OWASP site that you can see here. A quick Google or Bing search for WebGoat will take you right to it. Next, you simply unzip the program into a folder on your system, like I have here, and then run WebGoat.bat. It'll take a minute for it to load up, but once it's completed, you just go back to your browser, load up a new session, and you go to "localhost/webgoat/attack". You'll log in as "guest" for the username and "guest" for the password. Talk about good web security. You click on Start WebGoat on the next page and there you have it, the main WebGoat interface.
Now, WebGoat has labs and lessons you can work through on just about anything you can think of related to web application security. For instance, here are the AJAX security components that you can step through to learn about real world application security scenarios related to AJAX. You click on one of the labs at the top here. It'll actually give you hints. It'll let you see the parameters, cookies, even source code. It'll also give you the solution to the specific lesson that you're working on.
There are other rich application exercises within WebGoat. If you go down here in the lower left to Web Services, you can see a few more here; and as you can see, there are a lot more topic areas to delve into related to web security. Now if you're up to it, you can even create your own lessons in WebGoat to share with others. You just click Introduction and then Create a WebGoat Lesson.