
SIT704 Advanced Topics in Digital Security

Installation of WebGoat 5.4 and WebScarab

Objectives:
• Gain a basic understanding of WebGoat
• Learn to install and set up the WebGoat environment
• Learn to set up the WebScarab intercepting proxy
• Review JavaScript coding

Introduction of WebGoat and WebScarab

Web application security is difficult to learn and practise. Not many people have full-blown web applications such as online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that the tools perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission. WebGoat is a deliberately insecure web application maintained by OWASP and designed to teach web application security lessons. The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security.

WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. For more details, please visit OWASP_WebScarab_Project.

Installation of WebGoat 5.4

1. The installation file is already in CloudDeakin; you can find the file WebGoat-5.4-OWASP_Standard_Win32.zip. It is a complete package which can be extracted and executed on any standalone machine. If a previous version is installed on your machine, make sure to remove it first.

2. You can use WinZip (or a similar extraction program) to extract the installation file to C:\ (the C root). You must use the “Extract file...” option. This will install WebGoat-5.4 in C:\WebGoat-5.4\

3. Once you have installed WebGoat 5.4, you can find it under C:\WebGoat-5.4; there are two “.bat” files in that folder. Double-click “webgoat.bat”, and you will see a command window like the one below. Please don’t close it; just keep it running. Ignore any error about network or service blockage on university lab machines.

4. When the prompted window disappears, open a web browser (either IE or Firefox) and enter the address “http://localhost/WebGoat/attack” into the address bar. Press Enter and you will see a login window. You must log in with userid: guest and password: guest.

5. From now on, you are logged into the WebGoat system. Click on the “Start WebGoat” button.

NOTE: You need to do these steps every time you log off and log on to the computers in the lab. This is because the C:\WebGoat-5.4 directory will be deleted once you have logged off.

Troubleshooting: if you receive a bind address error in Step 3, double-click “webgoat8080.bat” instead and browse to http://localhost:8080/WebGoat/attack.

Configuration of WebScarab

The WebScarab proxy is a self-executing Java file. Double-click on webscarab-selfcontained-20070504-1631.jar to launch the proxy. However, before you launch WebScarab, you should configure your web browser first.

If you are using Internet Explorer, please follow these instructions.
1. Click the Settings button in the upper right corner when you open IE, and click “Internet Options”.

2. You will see a window like the one below; choose the “Connections” tab and click “LAN Settings”.

3. Untick “Automatically detect settings”, and choose “Use a proxy server…”. Fill in 127.0.0.1 and 8008 for the “Address” and “Port” fields, respectively. Click OK and save the settings.

If you are using Firefox, please follow these instructions.

1. Open Firefox, find the settings button at the top-left corner of the browser, and click it.

2. You will see a window like the one below; choose the “Network” tab, and click “Settings”.

3. In the “Connection Settings” tab, choose “Manual proxy configuration”, and fill in 127.0.0.1 and 8008 for the “HTTP Proxy” and “Port” fields, respectively. Click OK and save the settings.

4. The WebScarab proxy is a self-executing Java file. Double-click on webscarab-selfcontained-20070504-1631.jar to launch the proxy. Under the “Intercept” tab, tick the “Intercept requests:” box, and select both “GET” and “POST”.

5. At this point WebScarab is configured. Open the browser and enter any website; you will see a prompt window like the one below. For example, this is an interception of a visit to the www.deakin.edu.au site. (Note: To intercept traffic to localhost, which is needed in some WebGoat labs, you will need to add a dot ‘.’ after localhost in the URL, such as http://localhost./WebGoat/attack, because browsers normally bypass the proxy for local addresses.)

WebGoat and WebScarab Functionality

Learn how to use the functionality of WebGoat and WebScarab. Look at the WebScarab proxy to view the information that is collected from your browser. You can intercept HTTP communication between the browser and the WebGoat server.

On your browser, click on the General menu item. Click on “Http Basics” to learn what parameters are used in HTTP communication. You should use the WebScarab proxy to view the HTTP requests from the browser and the HTTP responses from the server. You can use the hints menu item to learn how to use WebGoat and WebScarab.

1. These are the Lesson Categories in WebGoat. Click on a category to see all lessons in it.

2. This will show technical hints to solve the lesson.

3. This will show the HTTP request parameters.

4. This will show the HTTP request cookies.

5. This will show the goals and objectives of the lesson.

6. This will show the underlying Java source code.

7. This will show the complete solution of the selected lesson.

8. If you want to restart a lesson, you can use this link.



Appendix A: Review of HTML and JavaScript


HTML Syntax

The hypertext markup language (HTML) is the standard language used to design a
web page. It is not a programming language, but a markup language used to help
users format information for presentation on a web page. Web developers do not
need to know HTML as there are visual applications that can convert a visual
design into html code and publish it on the Internet.

For this course, you will not be required to know HTML, although you will need to know a little JavaScript. You will need to insert JavaScript code into HTML forms for most of the exercises. Please refer to the references given at the end of this document for tutorials on JavaScript and HTML.

JavaScript is a scripting language that is most often used for client-side (web
browser) web development. It is a dynamic, weakly typed, prototype-based
language with first-class functions. It is different from the Java programming
language and should not be confused with it. JavaScript is an easier language to
program with as it was meant for web developers and non-programmers.

JavaScript Syntax

a. Variables
Variables in standard JavaScript have no type attached, and any value can be stored in any variable. Variables declared outside a function are global variables. In addition to primitive datatypes (int, float, char, boolean), JavaScript variables can hold objects.

function Car(make, doors, colour) { this.make = make; this.doors = doors; this.colour = colour; } // Constructor for the object below (assumed; the original handout does not define Car)
var x = 0; // An integer variable
var y = 'Hello!'; // A string variable
var myVehicle = new Car("Commodore", 4, "red"); // An object declaration

NOTE: JavaScript is case sensitive. var MyVehicle is not the same as var myvehicle.

b. JavaScript Code Body


JavaScript code comprises two segments: the script tag, which informs the browser that what follows is JavaScript code, and the code itself. A simple JavaScript code block is defined as shown below (the explanatory comments are HTML comments so that they do not appear on the page).

<!-- script tag to show that the code below is JavaScript -->
<script type="text/javascript">
<!--
document.write("Hello World!") // JavaScript code
//-->
</script>
<!-- end of script tag -->

JavaScript is meant to be easy to program with, so it can be written in many ways. The code above can be written as

<script>document.write("Hello World!")</script>

c. Operators
JavaScript operators work the same way as C or Java operators. These operators are:

Arithmetic operators
+ Addition (concatenation for strings)
- Subtraction
* Multiplication
/ Division (returns a floating-point value)
% Modulus (returns the integer remainder)

Assignment operators
= Assign
+= Add and assign
-= Subtract and assign
*= Multiply and assign
/= Divide and assign
%= Modulus and assign

Comparison operators
== Equal
!= Not equal
> Greater than
>= Greater than or equal to
< Less than
<= Less than or equal to
=== Identical (equal and of the same type)
!== Not identical

d. Control Structures
JavaScript uses the same control structures as C/C++ and Java. The programmer can use if, if-else, switch, for loops, while loops and do-while loops. Please refer to the reference materials for the syntax of these control structures.

e. Functions
JavaScript code can call functions. A function is a block of code that normally performs one task. A function can accept input and can return a value as output to the JavaScript code that called it. A user can call predefined JavaScript library functions or create their own user-defined functions. The syntax of a function is shown below; the function name and arguments are placeholders.

function functionName(arg1, arg2, arg3) {
    // statements
    return arg1 + arg2 + arg3; // return an expression to the caller
}
To learn more about JavaScript, please visit http://www.codecademy.com/tracks/javascript
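As an added example (not from the handout), the following script exercises the syntax reviewed in sections a to e on constructed inputs. Car is assumed, since the Variables section uses it without defining it; compareLooseAndStrict shows where == and === disagree on string values such as those read from form fields; classifyDoors uses if/else-if, switch and the % operator.

```javascript
// Constructor assumed for the Variables example above (not defined in the handout).
function Car(make, doors, colour) {
  this.make = make;
  this.doors = doors;
  this.colour = colour;
}

// Compares each pair with == (loose: converts types first) and === (identical:
// same value and same type). Values read from HTML form fields are always
// strings, so the two operators can disagree on the same input.
function compareLooseAndStrict(pairs) {
  var results = [];
  for (var i = 0; i < pairs.length; i++) {        // for loop from section (d)
    var a = pairs[i][0], b = pairs[i][1];
    results.push({ a: a, b: b, loose: a == b, strict: a === b });
  }
  return results;
}

// Classifies a door count typed into a form field, using if / else-if and
// switch, plus % (integer remainder). Non-numeric, fractional or negative
// input is rejected rather than silently coerced.
function classifyDoors(field) {
  var n = Number(field);                          // "" becomes 0, "abc" becomes NaN
  if (field === "" || isNaN(n)) {
    return "invalid";
  } else if (n % 1 !== 0 || n < 0) {
    return "invalid";
  }
  switch (n) {
    case 2: return "coupe";
    case 4: return "sedan";
    default: return n % 2 === 0 ? "even" : "odd";
  }
}

// Constructed inputs: a form-field string "0" beside numeric 0 and false.
var myVehicle = new Car("Commodore", 4, "red");
var comparisons = compareLooseAndStrict([["0", 0], ["0", false], ["", 0], ["4", myVehicle.doors]]);
comparisons.forEach(function (r) { console.log(JSON.stringify(r)); });
console.log(myVehicle.colour + " " + myVehicle.make + ": " + classifyDoors(String(myVehicle.doors)));
```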
