CNIT 123 Project 14: WebGoat Intro (20 pts.)

Using WebGoat

What You Need

Purpose

WebGoat is a deliberately insecure Web application, with many excellent lessons in Web application security.

Tamper Data is a simple proxy server that runs in Firefox. It allows you to change data in HTTP requests, a common and easy way to hack Web applications.

Make Sure You Have Java Installed

Open a Web browser and go to java.com. Click the "Do I have Java?" link. On the next page, click the "Verify Java Version" button. If you don't have the recommended version, download and install it.

java (120K)

Downloading and Starting WebGoat

Open a Web browser (I recommend Chrome) and go to https://github.com/WebGoat/WebGoat-Legacy/wiki/Installation-(WebGoat-6.0)

In the "Quick Start -- Easy Run" section, in item 2, click the link to download WebGoat, as shown below.

Open a Command Prompt or Terminal window and execute the commands below. You may need to adjust them if your browser places files in some other folder, or if the WebGoat version has changed.

cd Downloads

java -jar WebGoat-6.0.1-war-exec.jar

A series of "INFO" messages scrolls by, as shown below.

When the scrolling stops, you should see "Starting ProtocolHandler", as shown below.

Starting Firefox

Start Firefox. If you don't have Firefox, get it here:

http://getfirefox.com

Logging In to WebGoat

In Firefox, go to
http://localhost:8080/WebGoat
You should see a login screen, as shown below.

Log in as guest with a password of guest.

Troubleshooting

If the WebGoat page won't open, make sure you have the capitalization correct. The page won't open unless the W and G are capitalized.

Installing Tamper Data

In Firefox, at the top right, click the icon with three lines on it.

Click Add-ons, as shown below.

In the "Add-ons Manager" page, search for "tamper data", as shown below.

In the "Tamper Data" line, click the Install button.

A box pops up. Click the "Accept and Install" button.

Close Firefox and restart it.

In Firefox, go to

http://localhost:8080/WebGoat

Log in as guest with a password of guest.

WebGoat Lesson 1: Introduction

Firefox should be open, showing the main WebGoat page.

At the upper left of the WebGoat window, click Introduction.

In the Introduction section, click "How to work with WebGoat", as shown below.

Read this whole page. There is no hands-on practice for this lesson, just reading material.

WebGoat Lesson 2: Http Basics

The goal of this lesson is to learn how HTTP requests and responses work.

At the upper left of the WebGoat window, click General.

In the General section, click "Http Basics".

Enter your name in the box and click Go!, as shown below.

The order of letters in your name reverses, as shown below

Now we'll view the HTTP request that did that.

Click in the Firefox window to make it active. If you are using Windows, press and release the Alt key on the keyboard, to make the menu bar visible.

From the Firefox menu, click Tools, "Tamper Data".

A "Tamper Data - Onging requests" window opens, as shown below. Resize the Firefox window and place it beside the Tamper Data window so both windows are visible, as shown below.

In the WebGoat page, type in your name again and click the Go! button.

GET and POST requests appear in the Tamper Data box, as shown above.

Make the Tamper Data box wider, and scroll to the top of the upper pane. Click the POST request, so the lower panes fill, as shown below.

The lower left pane shows the POST request sent to the server. Notice these components:

The lower right pane shows the response from the server, which has a Status: of OK-200 if everything is correct.

Saving the Screen Image

Make sure YOURNAME appears in the POSTDATA section in the lower left pane of the Tamper Data window, as shown above.

Save this screen shot with a filename of Proj 14 from Your Name.

Capture a whole-desktop image to get full credit.

Email the image to cnit.123@gmail.com with a subject of "Project 14 from YOUR NAME".

Last modified: 11-6-15