Extract the zip file. It's a 7-zip file, so you will need to download and install 7-zip if you don't already have it. A folder named WebGoat-OWASP_Standard-5.3_RC1 appears. Double-click the subfolder named WebGoat-5.3_RC1. Double-click the webgoat_8080.bat file. A Command Prompt opens and vanishes instantly, and another Command Prompt window opens titled "Tomcat". The Tomcat window fills with text and stays open, as shown below. This is the Apache Tomcat Web server listening on the localhost, port 8080. Leave that window open.
In Firefox, go to http://localhost:8080/webgoat/attack. A box pops up asking for a name and password. Use guest for both the name and the password.
The main WebGoat page opens. Click the "Start WebGoat" button. The "How to work with WebGoat" page opens, as shown below.
http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
Scroll down to the "Downloads" section, as shown below.
In the first sentence in the Download section, click the word "here". On the next page, in the "Snapshots" section, click the "the current development snapshot" link. When I did it, I got a file named webscarab-one-20100820-1632.jar.
Double-click the webscarab-one-20100820-1632.jar file. A "Webscarab Lite" window opens. This is the Lite Interface. From the menu bar, click Tools, Use Full-Featured Interface. Close WebScarab and restart it. Now you should see many more options, as shown below.
Near the bottom of the "Connection Settings" window, empty the "No Proxy for:" box. This is very important! If you don't clear that box, WebScarab won't intercept traffic to and from WebGoat!
The "Connection Settings" box should look like the image below. Click OK. In the Options box, click OK.
On the left side of the WebGoat page, click "Introduction". Click the "Tomcat Configuration" link. In the WebScarab window, on the "Summary" tab, you should see a list of each HTTP request and response in the lower pane, as shown below. You can also expand the tree in the upper pane to see the structure of the Web page you are viewing.
Save this image with a filename of Proj_14a_from_Your_Name.
Start WebScarab and WebGoat as you did before, so you can see the WebGoat main page in Firefox.
At the upper left of the WebGoat window, click Introduction.
In the Introduction section, click "How to work with WebGoat", as shown below.
Read this whole page, to the bottom. It will explain how to use WebScarab together with WebGoat. There is no hands-on practice for this lesson, just reading material.
In the General section, click "Http Basics". In the top center, click the Lesson Plan button. A box opens explaining the purpose of this lesson, as shown below. Read it. Then click the gray "Close this window" text at the bottom of the box.
Enter your name in the form, as shown below, and click the Go! button.
The name in the form changes so the letters are in reverse order.
In the WebScarab window, in the lower pane, find the POST item, as shown below. Double-click the POST item.
The POST request opens in a new box, showing all the details of the HTTP request. In the top pane, click the Raw tab. In the lower pane, click the Raw tab. This shows the HTTP request in the top pane as it went to the Web server, and the HTTP response in the lower pane as it came back from the Web server. The request has this structure: first, 14 lines of HTTP header; then a blank line; and then the POST parameters, like this:
person=Your+Name&SUBMIT=Go%21
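As an added example (not part of the original project instructions), here is a small Python parser that splits a raw request of that structure the way the Raw tab shows it: request line, header lines, blank line, then the URL-encoded body. The sample request is constructed for this example with fewer header lines than the real one; the Authorization value is the guest/guest login from the earlier step, which the proxy (and anyone else on the path, since this is plain HTTP) can read straight out of the header.

```python
"""Parse a raw HTTP POST request of the shape WebScarab's Raw tab displays."""
import base64
from urllib.parse import parse_qs

# Constructed sample request (not captured from a real session). The body is
# exactly the 29-byte form the "Http Basics" lesson sends.
SAMPLE_REQUEST = (
    "POST /webgoat/attack HTTP/1.1\r\n"
    "Host: localhost:8080\r\n"
    "User-Agent: Mozilla/5.0 (constructed)\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 29\r\n"
    "Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=\r\n"  # base64 of "guest:guest"
    "\r\n"
    "person=Your+Name&SUBMIT=Go%21"
)


def parse_raw_request(raw):
    """Return (request_line, headers, body).

    The header block ends at the first blank line. The body is trimmed to
    Content-Length so stray trailing whitespace is not mistaken for form data,
    and a body shorter than Content-Length is reported as a truncated capture.
    """
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("no blank line separating headers from body")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    if length > len(body):
        raise ValueError("body shorter than Content-Length: truncated capture")
    return lines[0], headers, body[:length]


def decode_form_body(body):
    """Decode application/x-www-form-urlencoded: '+' -> space, %XX -> byte."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def basic_auth_credentials(headers):
    """Recover the (user, password) pair from an HTTP Basic Authorization header."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def lesson_response(form):
    """What the lesson's server does with the form: echo the name reversed."""
    return form["person"][::-1]
```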
Make sure the line showing your name is visible, as shown below.
Save this screenshot with a filename of Proj 14b from Your Name.
Email the images to [email protected] with a subject of "Project 14 from YOUR NAME".