Try Web Hacking on New Webgoat 2023.4

You can learn web penetration testing with Webgoat.

Just download the latest version, install Java with apt-get, set port and run.

Use of penetration testing techniques requires legal and ethical considerations. To safely use these tools, tactics and procedures, you might need to obtain contracts and permissions; and posses adequate technical skills. Check your local laws. My ethical hacking course teaches this.

Install Java and a Firewall

This article has been tested on Debian 12-Bookworm, but you can likely make it work on any Linux.

$ sudo apt-get update
$ sudo apt-get install openjdk-17-jre

This gives us the command 'java', so we can run Java archive files with 'java -jar foo.jar'. If you want, you can run 'java --version' to see that the command is installed. Mine printed "openjdk 17.0.9 2023-10-17".

To keep safe, you should have a firewall. Even when not installing highly vulnerable apps.

$ sudo apt-get install ufw
$ sudo ufw enable

Download WebGoat JAR

You can find latest WebGoat from projects releases page on Github. If it disappears, I have mirrored a local copy.

$ wget https://github.com/WebGoat/WebGoat/releases/download/v2023.4/webgoat-2023.4.jar

Run Webgoat, in an Alternative Port

You're probably running man-in-the-middle proxy, like OWASP ZAP, on port 8080. So we should change the port when starting WebGoat.

$ java -Dfile.encoding=UTF-8 -Dwebgoat.port=8888 -Dwebwolf.port=9090 -jar webgoat-2023.4.jar

The URL for Webgoat and admin password are printed on standard output.

Surf to http://127.0.0.1:8888/WebGoat

Profit

Did you get to WebGoat? Only use your new powers for good.

Happy hacking!

All Labs - WebGoat 2023.4 Table of Contents

  • Introduction
    • WebGoat
    • WebWolf
  • General
    • HTTP Basics
    • HTTP Proxies
    • Developer Tools
    • CIA Triad
    • Writing new lesson
  • (A1) Broken Access Control
    • Hijack a session
    • Insecure Direct Object References
    • Missing Function Level Access Control
    • Spoofing an Authentication Cookie
  • (A2) Cryptographic Failures
    • Crypto Basics
  • (A3) Injection
    • SQL Injection (intro)
    • SQL Injection (advanced)
    • SQL Injection (mitigation)
    • Path traversal
    • Cross Site Scripting
  • (A5) Security Misconfiguration
    • XXE
  • (A6) Vuln & Outdated Components
    • Vulnerable Components
  • (A7) Identity & Auth Failure
    • Authentication Bypasses
    • Insecure Login
    • JWT tokens
    • Password reset
    • Secure Passwords
  • (A8) Software & Data Integrity
    • Insecure Deserialization
  • (A9) Security Logging Failures
    • Logging Security
  • (A10) Server-side Request Forgery
    • Cross-Site Request Forgeries
    • Server-Side Request Forgery
  • Client side
    • Bypass front-end restrictions
    • Client side filtering
    • HTML tampering
  • Challenges
    • Admin lost password
    • Without password
    • Admin password reset
    • Without account

Troubleshooting

No trouble? No need for troubleshooting. Go hack your Webgoat.

Port 8080 was already in use - try -Dwebgoat.port=8888

Running just like the example on Webgoat Github page says, it says the port is not free.

$ java -Dfile.encoding=UTF-8 -Dwebgoat.port=8080 -Dwebwolf.port=9090 -jar webgoat-2023.4.jar
...

***************************
APPLICATION FAILED TO START
***************************

Description:

Web server failed to start. Port 8080 was already in use.

Action:

Identify and stop the process that's listening on port 8080 or configure this application to listen on another port.

You're running something else listening on that port. Probably your MITM proxy, like OWASP ZAP. Run WebGoat in another port. Use command line parameter "-Dwebgoat.port=8888".

java -Dfile.encoding=UTF-8 -Dwebgoat.port=8888 -Dwebwolf.port=9090 -jar webgoat-2023.4.jar

WebGoat Blank Page - add /WebGoat

The correct URL is printed on standard output when you run WebGoat. It's http://127.0.0.1:8888/WebGoat

Without the path, you end up on the front page. Just like previous versions, it's only a blank page.

ZAP Proxy Does Not Work on Localhost

It's probably your browser bypassing proxies on localhost. For example, current version of Firefox bypasses proxy for localhost and all IPv4 numbers starting with 127, and similar IPv6 numbers.

Install Foxyproxy Standard Firefox addon. It allows you to proxy to localhost, too.