# WebGoat 8: A deliberately insecure Web Application
[](https://github.com/WebGoat/WebGoat/actions/workflows/pr_build.yml)
[](https://jdk.java.net/)
[](https://owasp.org/projects/)
[](https://github.com/WebGoat/WebGoat/releases/latest)
[](https://gitter.im/OWASPWebGoat/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)
[](https://github.com/WebGoat/WebGoat/discussions)
# Introduction
WebGoat is a deliberately insecure web application maintained by [OWASP](http://www.owasp.org/) designed to teach web
application security lessons.
This program is a demonstration of common server-side application flaws. The
exercises are intended to be used by people to learn about application security and
penetration testing techniques.
**WARNING 1:** *While running this program your machine will be extremely
vulnerable to attack. You should disconnect from the Internet while using
this program.* WebGoat's default configuration binds to localhost to minimize
the exposure.
**WARNING 2:** *This program is for educational purposes only. If you attempt
these techniques without authorization, you are very likely to get caught. If
you are caught engaging in unauthorized hacking, most companies will fire you.
Claiming that you were doing security research will not work as that is the
first thing that all hackers claim.*
# Installation instructions:
For more details check [the Contribution guide](/CONTRIBUTING.md)
## 1. Run using Docker
Every release is also published on [DockerHub](https://hub.docker.com/r/webgoat/goatandwolf).
The easiest way to start WebGoat as a Docker container is to use the all-in-one docker container. This is a docker image that has WebGoat and WebWolf running inside.
```shell
docker run -it -p 127.0.0.1:80:8888 -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf:v8.2.2
```
The landing page will be located at: http://localhost
WebGoat will be located at: http://localhost:8080/WebGoat
WebWolf will be located at: http://localhost:9090/WebWolf
**Important**: *Change the ports if necessary, for example use `127.0.0.1:7777:9090` to map WebWolf to `http://localhost:7777/WebGoat`*
**Important**: *Choose the correct timezone, so that the docker container and your host are in the same timezone. As it is important for the validity of JWT tokens used in certain exercises.*
## 2. Standalone
Download the latest WebGoat and WebWolf release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
```shell
java -Dfile.encoding=UTF-8 -Dserver.port=8080 -Dserver.address=localhost -Dhsqldb.port=9001 -jar webgoat-server-8.2.2.jar
java -Dfile.encoding=UTF-8 -Dserver.port=9090 -Dserver.address=localhost -jar webwolf-8.2.2.jar
```
WebGoat will be located at: http://localhost:8080/WebGoat and
WebWolf will be located at: http://localhost:9090/WebWolf (change ports if necessary)
## 3. Run from the sources
### Prerequisites:
* Java 17
* Your favorite IDE
* Git, or Git support in your IDE
Open a command shell/window:
```Shell
git clone git@github.com:WebGoat/WebGoat.git
```
Now let's start by compiling the project.
```Shell
cd WebGoat
git checkout <<branch_name>>
# On Linux/Mac:
./mvnw clean install
# On Windows:
./mvnw.cmd clean install
```
Now we are ready to run the project. WebGoat 8.x is using Spring-Boot.
```Shell
# On Linux/Mac:
./mvnw -pl webgoat-server spring-boot:run
# On Widows:
./mvnw.cmd -pl webgoat-server spring-boot:run
```
... you should be running WebGoat on localhost:8080/WebGoat momentarily
To change the IP address add the following variable to the `WebGoat/webgoat-container/src/main/resources/application.properties file`:
```
server.address=x.x.x.x
```
## 4. Run with custom menu
For specialist only. There is a way to set up WebGoat with a personalized menu. You can leave out some menu categories or individual lessons by setting certain environment variables.
For instance running as a jar on a Linux/macOS it will look like this:
```Shell
export EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE"
export EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations"
java -jar webgoat-server/target/webgoat-server-v8.2.2-SNAPSHOT.jar
```
Or in a docker run it would (once this version is pushed into docker hub) look like this:
```Shell
docker run -d -p 80:8888 -p 8080:8080 -p 9090:9090 -e TZ=Europe/Amsterdam -e EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE" -e EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations" webgoat/goatandwolf
```
webgoat靶场需要自行搭建
需积分: 39 92 浏览量
2022-01-19
11:57:08
上传
评论
收藏 13.71MB ZIP 举报
webgoat靶场需要自行搭建 (1122个子文件) 
JWT_refresh.adoc 5KB lesson-template-attack.adoc 5KB keystores.adoc 4KB PasswordReset_mitigation.adoc 4KB HijackSession_solution.adoc 3KB signing.adoc 3KB XXE_code.adoc 3KB SqlInjection_content6c.adoc 3KB more_logging.adoc 3KB PathTraversal_upload_mitigation.adoc 3KB XXE_changing_content_type_solution.adoc 3KB JWT_signing_solution.adoc 3KB IDOR_mitigation.adoc 3KB 9manual.adoc 3KB CSRF_JSON.adoc 3KB sensitive_logging_intro.adoc 3KB XXE_intro.adoc 3KB VulnerableComponents_content4.adoc 2KB SecurePasswords_2.adoc 2KB defaults.adoc 2KB SqlInjection_introduction_content8.adoc 2KB SqlInjection_introduction_content5_before.adoc 2KB SecurePasswords_4.adoc 2KB InsecureDeserialization_SimpleExploit.adoc 2KB encryption.adoc 2KB SqlInjection_introduction_content1.adoc 2KB 0overview.adoc 2KB JWT_storing.adoc 2KB SpoofCookie_solution.adoc 2KB XXE_simple_solution.adoc 2KB IntroductionWebWolf.adoc 2KB CSRF_Impact_Defense.adoc 2KB lesson-template-glue.adoc 2KB CrossSiteScripting_content9.adoc 2KB CrossSiteScripting_content8a.adoc 2KB JWT_plan.adoc 2KB IDOR_intro.adoc 2KB CrossSiteScripting_content8c.adoc 2KB XXE_simple_introduction.adoc 2KB 6assignment.adoc 2KB JWT_libraries_solution.adoc 2KB PathTraversal_zip_slip_solution.adoc 2KB PathTraversal_zip_slip.adoc 2KB XXE_blind.adoc 2KB 10burp.adoc 2KB CrossSiteScripting_content8b.adoc 2KB CSRF_Login.adoc 2KB CSRF_intro.adoc 2KB 7resend.adoc 2KB CSRF_Frameworks.adoc 2KB XXE_overflow.adoc 1KB SqlInjection_jdbc_newcode.adoc 1KB JWT_libraries.adoc 1KB hashing_plan.adoc 1KB 8httpsproxy.adoc 1KB SqlInjection_content13.adoc 1KB CrossSiteScripting_content1.adoc 1KB JWT_libraries_assignment.adoc 1KB PasswordReset_known_questions.adoc 1KB PathTraversal_intro.adoc 1KB CrossSiteScripting_content8.adoc 1KB InsecureDeserialization_WhatIs.adoc 1KB SqlInjection_content6a.adoc 1KB SqlInjection_introduction_content3.adoc 1KB HttpBasics_plan.adoc 1KB SqlInjection_content6.adoc 1KB encoding_plan.adoc 1KB SqlInjection_introduction_content2.adoc 1KB CIA_confidentiality.adoc 1KB lesson-template-database.adoc 1KB lesson-template-content.adoc 1KB SecurePasswords_3.adoc 1KB 3browsersetup.adoc 1KB ChromeDevTools_intro.adoc 1KB VulnerableComponents_plan.adoc 1KB VulnerableComponents_content5.adoc 1KB SpoofCookie_plan.adoc 1KB ChromeDevTools_elements.adoc 1KB PasswordReset_plan.adoc 1KB SqlInjection_introduction_content9.adoc 1KB encoding_plan2.adoc 1KB XXE_mitigation.adoc 1KB SqlInjection_content10.adoc 1KB PasswordReset_wrong_message.adoc 1KB Challenge_introduction.adoc 1KB CrossSiteScripting_content6a.adoc 1013B Landing_page.adoc 1004B VulnerableComponents_content3.adoc 987B IntroductionWebWolf.adoc 975B ChromeDevTools_console.adoc 965B PasswordReset_host_header.adoc 963B SqlInjection_introduction_content10.adoc 951B VulnerableComponents_content5a.adoc 944B CrossSiteScripting_content6.adoc 941B postquantum.adoc 934B JWT_libraries_assignment2.adoc 922B XXE_static_code_analysis.adoc 915B SecurePasswords_1.adoc 882B JWT_login_to_token.adoc 856B missing-function-ac-01-intro.adoc 856B共 1122 条
- 1
- 2
- 3
- 4
- 5
- 6
- 12
评论0