# WebGoat 8: A deliberately insecure Web Application
[![Pull request build](https://github.com/WebGoat/WebGoat/actions/workflows/pr_build.yml/badge.svg?branch=develop)](https://github.com/WebGoat/WebGoat/actions/workflows/pr_build.yml)
[![java-jdk](https://img.shields.io/badge/java%20jdk-17-green.svg)](https://jdk.java.net/)
[![OWASP Labs](https://img.shields.io/badge/OWASP-Lab%20project-f7b73c.svg)](https://owasp.org/projects/)
[![GitHub release](https://img.shields.io/github/release/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/releases/latest)
[![Gitter](https://badges.gitter.im/OWASPWebGoat/community.svg)](https://gitter.im/OWASPWebGoat/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)
[![Discussions](https://img.shields.io/github/discussions/WebGoat/WebGoat)](https://github.com/WebGoat/WebGoat/discussions)
# Introduction
WebGoat is a deliberately insecure web application maintained by [OWASP](http://www.owasp.org/) designed to teach web
application security lessons.
This program is a demonstration of common server-side application flaws. The
exercises are intended to be used by people to learn about application security and
penetration testing techniques.
**WARNING 1:** *While running this program your machine will be extremely
vulnerable to attack. You should disconnect from the Internet while using
this program.* WebGoat's default configuration binds to localhost to minimize
the exposure.
**WARNING 2:** *This program is for educational purposes only. If you attempt
these techniques without authorization, you are very likely to get caught. If
you are caught engaging in unauthorized hacking, most companies will fire you.
Claiming that you were doing security research will not work as that is the
first thing that all hackers claim.*
# Installation instructions:
For more details check [the Contribution guide](/CONTRIBUTING.md)
## 1. Run using Docker
Every release is also published on [DockerHub](https://hub.docker.com/r/webgoat/goatandwolf).
The easiest way to start WebGoat as a Docker container is to use the all-in-one docker container. This is a docker image that has WebGoat and WebWolf running inside.
```shell
docker run -it -p 127.0.0.1:80:8888 -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf:v8.2.2
```
The landing page will be located at: http://localhost
WebGoat will be located at: http://localhost:8080/WebGoat
WebWolf will be located at: http://localhost:9090/WebWolf
**Important**: *Change the ports if necessary, for example use `127.0.0.1:7777:9090` to map WebWolf to `http://localhost:7777/WebGoat`*
**Important**: *Choose the correct timezone, so that the docker container and your host are in the same timezone. As it is important for the validity of JWT tokens used in certain exercises.*
## 2. Standalone
Download the latest WebGoat and WebWolf release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
```shell
java -Dfile.encoding=UTF-8 -Dserver.port=8080 -Dserver.address=localhost -Dhsqldb.port=9001 -jar webgoat-server-8.2.2.jar
java -Dfile.encoding=UTF-8 -Dserver.port=9090 -Dserver.address=localhost -jar webwolf-8.2.2.jar
```
WebGoat will be located at: http://localhost:8080/WebGoat and
WebWolf will be located at: http://localhost:9090/WebWolf (change ports if necessary)
## 3. Run from the sources
### Prerequisites:
* Java 17
* Your favorite IDE
* Git, or Git support in your IDE
Open a command shell/window:
```Shell
git clone git@github.com:WebGoat/WebGoat.git
```
Now let's start by compiling the project.
```Shell
cd WebGoat
git checkout <<branch_name>>
# On Linux/Mac:
./mvnw clean install
# On Windows:
./mvnw.cmd clean install
```
Now we are ready to run the project. WebGoat 8.x is using Spring-Boot.
```Shell
# On Linux/Mac:
./mvnw -pl webgoat-server spring-boot:run
# On Widows:
./mvnw.cmd -pl webgoat-server spring-boot:run
```
... you should be running WebGoat on localhost:8080/WebGoat momentarily
To change the IP address add the following variable to the `WebGoat/webgoat-container/src/main/resources/application.properties file`:
```
server.address=x.x.x.x
```
## 4. Run with custom menu
For specialist only. There is a way to set up WebGoat with a personalized menu. You can leave out some menu categories or individual lessons by setting certain environment variables.
For instance running as a jar on a Linux/macOS it will look like this:
```Shell
export EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE"
export EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations"
java -jar webgoat-server/target/webgoat-server-v8.2.2-SNAPSHOT.jar
```
Or in a docker run it would (once this version is pushed into docker hub) look like this:
```Shell
docker run -d -p 80:8888 -p 8080:8080 -p 9090:9090 -e TZ=Europe/Amsterdam -e EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE" -e EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations" webgoat/goatandwolf
```
没有合适的资源?快使用搜索试试~ 我知道了~
webgoat靶场需要自行搭建
共1122个文件
java:350个
adoc:237个
js:94个
需积分: 39 3 下载量 92 浏览量
2022-01-19
11:57:08
上传
评论
收藏 13.71MB ZIP 举报
温馨提示
webgoat靶场需要自行搭建
资源详情
资源评论
资源推荐
收起资源包目录
webgoat靶场需要自行搭建 (1122个子文件)
JWT_refresh.adoc 5KB
lesson-template-attack.adoc 5KB
keystores.adoc 4KB
PasswordReset_mitigation.adoc 4KB
HijackSession_solution.adoc 3KB
signing.adoc 3KB
XXE_code.adoc 3KB
SqlInjection_content6c.adoc 3KB
more_logging.adoc 3KB
PathTraversal_upload_mitigation.adoc 3KB
XXE_changing_content_type_solution.adoc 3KB
JWT_signing_solution.adoc 3KB
IDOR_mitigation.adoc 3KB
9manual.adoc 3KB
CSRF_JSON.adoc 3KB
sensitive_logging_intro.adoc 3KB
XXE_intro.adoc 3KB
VulnerableComponents_content4.adoc 2KB
SecurePasswords_2.adoc 2KB
defaults.adoc 2KB
SqlInjection_introduction_content8.adoc 2KB
SqlInjection_introduction_content5_before.adoc 2KB
SecurePasswords_4.adoc 2KB
InsecureDeserialization_SimpleExploit.adoc 2KB
encryption.adoc 2KB
SqlInjection_introduction_content1.adoc 2KB
0overview.adoc 2KB
JWT_storing.adoc 2KB
SpoofCookie_solution.adoc 2KB
XXE_simple_solution.adoc 2KB
IntroductionWebWolf.adoc 2KB
CSRF_Impact_Defense.adoc 2KB
lesson-template-glue.adoc 2KB
CrossSiteScripting_content9.adoc 2KB
CrossSiteScripting_content8a.adoc 2KB
JWT_plan.adoc 2KB
IDOR_intro.adoc 2KB
CrossSiteScripting_content8c.adoc 2KB
XXE_simple_introduction.adoc 2KB
6assignment.adoc 2KB
JWT_libraries_solution.adoc 2KB
PathTraversal_zip_slip_solution.adoc 2KB
PathTraversal_zip_slip.adoc 2KB
XXE_blind.adoc 2KB
10burp.adoc 2KB
CrossSiteScripting_content8b.adoc 2KB
CSRF_Login.adoc 2KB
CSRF_intro.adoc 2KB
7resend.adoc 2KB
CSRF_Frameworks.adoc 2KB
XXE_overflow.adoc 1KB
SqlInjection_jdbc_newcode.adoc 1KB
JWT_libraries.adoc 1KB
hashing_plan.adoc 1KB
8httpsproxy.adoc 1KB
SqlInjection_content13.adoc 1KB
CrossSiteScripting_content1.adoc 1KB
JWT_libraries_assignment.adoc 1KB
PasswordReset_known_questions.adoc 1KB
PathTraversal_intro.adoc 1KB
CrossSiteScripting_content8.adoc 1KB
InsecureDeserialization_WhatIs.adoc 1KB
SqlInjection_content6a.adoc 1KB
SqlInjection_introduction_content3.adoc 1KB
HttpBasics_plan.adoc 1KB
SqlInjection_content6.adoc 1KB
encoding_plan.adoc 1KB
SqlInjection_introduction_content2.adoc 1KB
CIA_confidentiality.adoc 1KB
lesson-template-database.adoc 1KB
lesson-template-content.adoc 1KB
SecurePasswords_3.adoc 1KB
3browsersetup.adoc 1KB
ChromeDevTools_intro.adoc 1KB
VulnerableComponents_plan.adoc 1KB
VulnerableComponents_content5.adoc 1KB
SpoofCookie_plan.adoc 1KB
ChromeDevTools_elements.adoc 1KB
PasswordReset_plan.adoc 1KB
SqlInjection_introduction_content9.adoc 1KB
encoding_plan2.adoc 1KB
XXE_mitigation.adoc 1KB
SqlInjection_content10.adoc 1KB
PasswordReset_wrong_message.adoc 1KB
Challenge_introduction.adoc 1KB
CrossSiteScripting_content6a.adoc 1013B
Landing_page.adoc 1004B
VulnerableComponents_content3.adoc 987B
IntroductionWebWolf.adoc 975B
ChromeDevTools_console.adoc 965B
PasswordReset_host_header.adoc 963B
SqlInjection_introduction_content10.adoc 951B
VulnerableComponents_content5a.adoc 944B
CrossSiteScripting_content6.adoc 941B
postquantum.adoc 934B
JWT_libraries_assignment2.adoc 922B
XXE_static_code_analysis.adoc 915B
SecurePasswords_1.adoc 882B
JWT_login_to_token.adoc 856B
missing-function-ac-01-intro.adoc 856B
共 1122 条
- 1
- 2
- 3
- 4
- 5
- 6
- 12
诡墨佯
- 粉丝: 24
- 资源: 9
上传资源 快速赚钱
- 我的内容管理 展开
- 我的资源 快来上传第一个资源
- 我的收益 登录查看自己的收益
- 我的积分 登录查看自己的积分
- 我的C币 登录后查看C币余额
- 我的收藏
- 我的下载
- 下载帮助
安全验证
文档复制为VIP权益,开通VIP直接复制
信息提交成功
评论0