Objectives:
• Gain a basic understanding of WebGoat
• Learn to install and set up the WebGoat environment
• Learn to set up the WebScarab intercepting proxy
• Review JavaScript coding
Web application security is difficult to learn and practice. Not many people have full-blown
web applications, such as online bookstores or online banks, that can be used to scan for
vulnerabilities. In addition, security professionals frequently need to test tools against a
platform known to be vulnerable to ensure that they perform as advertised. All of this needs
to happen in a safe and legal environment. Even if your intentions are good, we believe you
should never attempt to find vulnerabilities without permission. WebGoat is a deliberately
insecure web application maintained by OWASP, designed to teach web application security
lessons. The primary goal of the WebGoat project is simple: create a de-facto interactive
teaching environment for web application security.
1. The installation file is already on CloudDeakin; you can find the file
WebGoat-5.4-OWASP_Standard_Win32.zip. It is a complete package which can be
extracted and executed on any standalone machine. If a previous version is installed
on your machine, make sure to remove it first.
2. You can use WinZip (or a similar extraction program) to extract the installation
file to C:\ (the C root). You must use the “Extract file...” option. This will install
WebGoat-5.4 in C:\WebGoat-5.4\
SIT704 Advanced Topics in Digital Security
3. Once you have installed WebGoat 5.4, you can find it under C:\WebGoat-5.4; there
are two “.bat” files in the folder. Double-click “webgoat.bat”, and you will see a
window prompting like the one below. Please don’t close it; just keep it running.
Ignore any error about network or service blockage on university lab machines.
4. When the prompt window disappears, open a web browser (either IE or Firefox) and
enter the address “http://localhost/WebGoat/attack” into the address bar. Press Enter
and you will see a login window. You must log in as userid: guest and password: guest.
5. You have now successfully logged into the WebGoat system. Click on the “Start
WebGoat” button.
NOTE: You need to repeat these steps every time you log off and log on to the
computers in the lab, because the C:\WebGoat-5.4 directory is deleted once you have
logged off.
Troubleshooting: if you receive a bind-address error in Step 3, double-click
“webgoat8080.bat” instead and browse to http://localhost:8080/WebGoat/attack.
Configuration of WebScarab
If you are using Internet Explorer, please follow these instructions.
1. Click the Settings button in the upper right corner when you open IE, and click
“Internet Options”.
2. You will see a window like the one below; choose the “Connections” tab and click
“LAN Settings”.
3. Untick the original “Automatically detect settings” and choose “Use a proxy
server…”. Fill in 127.0.0.1 and 8008 for the “Address” and “Port” fields,
respectively. Click OK and save the settings.
2. You will see a window like the one below; choose the “Network” tab, and click
“Settings”.
Learn how to use the functionality of WebGoat and WebScarab. Look at the WebScarab
proxy to view the information that is collected from your browser. You can intercept
HTTP communication between the browser and the WebGoat server.
In your browser, click on the General menu item. Click on “Http Basics” to learn what
parameters are used in HTTP communication. You should use the WebScarab proxy to view
the HTTP requests from the browser and the HTTP responses from the server. You can use
the Hints menu item to learn how to use WebGoat and WebScarab.
1. These are Lesson Categories in WebGoat. Click on a Category to see all Lessons in it.
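As an added example (not part of this handout or of WebGoat), here is a small JavaScript parser for the kind of raw HTTP request WebScarab displays when you intercept the Http Basics lesson; it shows every place a client-supplied parameter travels (query string, form body, cookie). The request text, the Screen/menu values and the session id are constructed placeholders.

```javascript
// Added example (not part of the handout or of WebGoat): parse the raw HTTP
// request text an intercepting proxy such as WebScarab shows, and expose every
// place a parameter travels: URL query string, form body and cookies.
// Constructed request; Screen/menu values and the session id are placeholders.
const SAMPLE_REQUEST = [
  "POST /WebGoat/attack?Screen=1&menu=100 HTTP/1.1",
  "Host: localhost",
  "Content-Type: application/x-www-form-urlencoded",
  "Cookie: JSESSIONID=CONSTRUCTED_SESSION_ID",
  "Content-Length: 31",
  "",
  "person=Alice+Smith&SUBMIT=Go%21",
].join("\r\n");

// Decode form-encoded "k=v&k2=v2" text into an object. In this encoding '+'
// means a space and must be replaced before percent-escapes are decoded.
function parseFormParams(text) {
  const params = {};
  if (!text) return params;
  const decode = (s) => decodeURIComponent(s.replace(/\+/g, " "));
  for (const pair of text.split("&")) {
    const [rawKey, rawValue = ""] = pair.split("=");
    params[decode(rawKey)] = decode(rawValue);
  }
  return params;
}

// Split the request into request line, headers and body. Header names are
// lower-cased because HTTP header names are case-insensitive.
function parseHttpRequest(raw) {
  const [head, body = ""] = raw.split("\r\n\r\n");
  const [requestLine, ...headerLines] = head.split("\r\n");
  const [method, target, version] = requestLine.split(" ");
  const [path, queryString = ""] = target.split("?");
  const headers = {};
  for (const line of headerLines) {
    const idx = line.indexOf(":");
    headers[line.slice(0, idx).toLowerCase()] = line.slice(idx + 1).trim();
  }
  return {
    method, path, version, headers,
    query: parseFormParams(queryString),
    body: parseFormParams(body),
    // a body that disagrees with Content-Length is visible in the proxy view
    bodyLengthOk: body.length === Number(headers["content-length"]),
  };
}

console.log(parseHttpRequest(SAMPLE_REQUEST));
```

Both the Screen/menu values in the URL and the person field in the body come out of the same decoder, which is the point the lesson makes: everything the browser sends is visible and editable before it reaches the server.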
The Hypertext Markup Language (HTML) is the standard language used to design a web
page. It is not a programming language but a markup language used to help users format
information for presentation on a web page. Web developers do not need to know HTML, as
there are visual applications that can convert a visual design into HTML code and publish
it on the Internet.
For this course, you will not be required to know HTML, although you will need to know a
little JavaScript. You will need to insert JavaScript code into HTML forms for most of
the exercises. Please refer to the references given at the end of this document for
tutorials on JavaScript and HTML.
JavaScript is a scripting language most often used for client-side (web browser) web
development. It is a dynamic, weakly typed, prototype-based language with first-class
functions. It is different from the Java programming language and should not be confused
with it. JavaScript is an easier language to program in, as it was meant for web
developers and non-programmers.
JavaScript Syntax
a. Variables
Variables in standard JavaScript have no type attached, and any value can be stored in
any variable. Variables declared outside a function are global variables. In addition to
primitive datatypes (int, float, char, boolean), JavaScript variables can include objects.
NOTE: JavaScript is case sensitive. var MyVehicle is not the same as var myvehicle.
<script>document.write("Hello World!")</script>
c. Operators
JavaScript operators work the same way as C or Java operators. These operators are:
Comparison operators
==    Equal
!=    Not equal
>     Greater than
>=    Greater than or equal to
<     Less than
<=    Less than or equal to
===   Identical (equal and of the same type)
!==   Not identical
d. Control Structures
JavaScript uses the same control structures as C/C++ and Java. The programmer can use
if, if-else, switch, for loops, while loops and do-while loops. Please refer to the
reference materials for the syntax of these control structures.
e. Functions
JavaScript code can call functions. A function is a block of code that normally performs
one task. A function can accept input and can return a value as output to the JavaScript
code that called it. A user can call predefined JavaScript library functions or create
their own user-defined functions. The syntax of a function is shown below.
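The following is an added example, not the handout's own figure: user-defined functions, written with the if statement and for loop from the Control Structures section, that show where == and === from the operators table disagree on the string values a form field delivers. The values in CONSTRUCTED_PAIRS are made up for the illustration.

```javascript
// Added example (not from the handout): the comparison operators from the
// table above, exercised inside user-defined functions.
// Returns both results so the reader can see when == and === disagree.
function compareBothWays(a, b) {
  return { loose: a == b, strict: a === b };
}

// Form fields and query parameters always reach JavaScript as strings, so a
// check written with == succeeds only through silent type coercion, while
// === states the intended type explicitly and is false for the string "1".
function isSelectedLoose(valueFromForm) { return valueFromForm == 1; }
function isSelectedStrict(valueFromForm) { return valueFromForm === 1; }

// A function with a parameter and a return value, as described in the
// Functions section: a for loop and an if statement (Control Structures)
// count how many pairs compare differently under == and ===.
function countCoercionSurprises(pairs) {
  let surprises = 0;
  for (const [a, b] of pairs) {
    const r = compareBothWays(a, b);
    if (r.loose !== r.strict) surprises++;
  }
  return surprises;
}

// Constructed values for the illustration.
const CONSTRUCTED_PAIRS = [
  ["1", 1],           // == true, === false (string vs number)
  [0, ""],            // == true, === false (empty string coerces to 0)
  [null, undefined],  // == true, === false
  ["abc", "abc"],     // both true
  [1, 2],             // both false
];

console.log(countCoercionSurprises(CONSTRUCTED_PAIRS));    // 3
console.log(isSelectedLoose("1"), isSelectedStrict("1")); // true false
```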