The Web Goat Project
Ultimately, all information security is about protecting the application. As Bill Cheswick said in his classic book on firewalls: "The firewall is the network's response to poor host security". In the same way, much of what we do in other arenas is a response to poor application security.
Application security, good and bad, comes in many forms. The Web Goat Project tries to teach some basics of good application security.
Web application security is difficult to learn and practice. Very few people have full blown web applications like online book stores or online banks that can be used to search for vulnerabilities. In addition, security professionals frequently need to test tools against a known vulnerable platform to ensure they perform as advertised. All of this needs to happen in a safe and legal environment; we believe you should never attempt to find vulnerabilities without permission, even if your intentions are good.
WebGoat is a full J2EE web application designed to teach web application security lessons. In each lesson, users must demonstrate their understanding by exploiting a real vulnerability on the local system. The system is even clever enough to provide hints and show the user cookies, parameters and the underlying Java code if they choose. Examples of lessons include SQL injection to a fake credit card database, where the user creates the attack and steals the credit card numbers.
WebGoat is written in Java and therefore installs on any platform with a Java virtual machine. There are automated installers for Linux and Windows. Current lessons include:
- Cross Site Scripting
- SQL Injection
- Thread Safety
- Hidden Form Field Manipulation
- Parameter Manipulation
- Weak Session Cookies
- Fail Open Authentication
- Dangers of HTML Comments
- and many more...
See http://www.owasp.org/software/webgoat.html for full details.
--
AntonAylward - 29 Nov 2004