WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons.
This program is a demonstration of common server-side application flaws. The exercises are intended to be used by people to learn about application security and penetration testing techniques.
WARNING 1: While running this program your machine will be extremely vulnerable to attack. You should disconnect from the Internet while using this program. WebGoat’s default configuration binds to localhost to minimize the exposure.
WARNING 2: This program is for educational purposes only. If you attempt these techniques without authorization, you are very likely to get caught. If you are caught engaging in unauthorized hacking, most companies will fire you. Claiming that you were doing security research will not work as that is the first thing that all hackers claim.
Project address
Environment
Linux: Ubuntu 16.04.6 LTS
Java version: jdk-13.0.2
WebGoat: webgoat-server-8.0.0.M26
Setting up the WebGoat environment
1. Update the package sources
sudo -i
apt-get update && apt-get clean
apt install -y curl git
2. Install the Java environment on Ubuntu
tar -xvf jdk-13.0.2_linux-x64_bin.tar.gz # extract the archive
sudo mv jdk-13.0.2 /usr/bin/java13_64 # move it to the install location
# Configure the Java environment variables for the current user (ubuntu)
vim ~/.bashrc
# Add the following lines
#java env begin
export JAVA_HOME=/usr/bin/java13_64
# JDK 13 ships no separate JRE, so no JRE_HOME is needed
export CLASSPATH=.:$JAVA_HOME/lib:$CLASSPATH
export PATH=$JAVA_HOME/bin:$PATH
#java env end
source ~/.bashrc
java --version
javac --version
# Configure the Java environment variables for the root user
sudo -i
vim ~/.bashrc
# Add the following lines
#java env begin
export JAVA_HOME=/usr/bin/java13_64
# JDK 13 ships no separate JRE, so no JRE_HOME is needed
export CLASSPATH=.:$JAVA_HOME/lib:$CLASSPATH
export PATH=$JAVA_HOME/bin:$PATH
#java env end
source ~/.bashrc
java --version
javac --version
Running WebGoat
java -jar webgoat-server-8.0.0.M26.jar --server.port=8080 --server.address=0.0.0.0
If WebGoat should keep running in the background, use nohup:
nohup java -jar webgoat-server-8.0.0.M26.jar --server.address=0.0.0.0 &
The latest version of WebGoat needs Java 11. By default WebGoat starts on port 8080; with --server.port you can specify a different port. With --server.address you can bind it to a different address (default localhost).
Accessing WebGoat
Before logging in, make sure WebGoat is running correctly. Open http://IP:8080/WebGoat (note the capitalization of "WebGoat"), click the "Register new user" link under the login button and register a user.
Then log in.
Starting WebGoat automatically
1. Startup script
vim /usr/local/webgoat/startwebgoat.sh
#!/bin/sh
sleep 30
nohup java -jar /usr/local/webgoat/webgoat-server-8.0.0.M25.jar --server.port=8080 --server.address=0.0.0.0 &
sleep 60
nohup java -jar /usr/local/webgoat/webwolf-8.0.0.M25.jar --server.port=9090 --server.address=0.0.0.0 &
2. Run at boot
cp /usr/local/webgoat/startwebgoat.sh /etc/init.d/
chmod 755 /etc/init.d/startwebgoat.sh
cd /etc/init.d/
update-rc.d startwebgoat.sh defaults 95
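Two points from the sections above deserve a small helper: the run command binds WebGoat to 0.0.0.0 even though the README note says the default (and safer) binding is localhost, and the boot script relies on fixed sleeps of 30 and 60 seconds before starting the second jar. The following POSIX sh functions are an added example written for this page, not code from the original post or from the WebGoat project: build_webgoat_cmd assembles the java launch line and refuses a non-loopback bind address unless it is explicitly confirmed, and wait_for_http polls the WebGoat URL until it answers instead of sleeping blindly. The jar paths, ports and URLs used in the comments are placeholders.

```shell
#!/bin/sh
# Added example (not part of the original post or of WebGoat itself).
# Assumptions: jar paths, ports and URLs below are placeholders.

# Return 0 when the address is a loopback address, 1 otherwise.
is_loopback() {
    case "$1" in
        127.0.0.1|localhost|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the launch command for JAR on PORT bound to ADDR (default 127.0.0.1).
# Binding to anything other than loopback is refused unless the fourth
# argument is the literal word "expose", so a lab box is not opened to the
# network by a copy-paste mistake. Returns 1 on refusal, 2 on a bad port.
build_webgoat_cmd() {
    jar=$1
    port=$2
    addr=${3:-127.0.0.1}
    confirm=$4
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: '$port'" >&2; return 2 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2
        return 2
    fi
    if ! is_loopback "$addr" && [ "$confirm" != "expose" ]; then
        echo "refusing to bind $addr: pass 'expose' as 4th argument to confirm" >&2
        return 1
    fi
    printf 'java -jar %s --server.port=%s --server.address=%s\n' "$jar" "$port" "$addr"
}

# Poll URL with curl until it answers 2xx/3xx or TIMEOUT seconds have passed.
# Replaces the fixed sleeps in the boot script: the second jar is started
# only once WebGoat actually responds. Returns 0 on success, 1 on timeout.
wait_for_http() {
    url=$1
    timeout=${2:-120}
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$url" 2>/dev/null || echo 000)
        case "$code" in
            2*|3*) return 0 ;;
        esac
        sleep 2
        waited=$((waited + 2))
    done
    return 1
}

# How a boot script would use these (placeholder paths, shown as comments):
#   nohup $(build_webgoat_cmd /usr/local/webgoat/webgoat-server.jar 8080) &
#   wait_for_http http://127.0.0.1:8080/WebGoat 120 && \
#       nohup $(build_webgoat_cmd /usr/local/webgoat/webwolf.jar 9090) &
```

Because build_webgoat_cmd defaults to 127.0.0.1, the boot script keeps WebGoat reachable only from the machine itself unless someone deliberately passes "expose", which matches the README's warning about how exposed the host is while WebGoat runs. wait_for_http needs curl, which the package step above already installs.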
Solution approach
Project description
Official WebGoat Docker Hub image: Official WebGoat Docker image release 8.0
Official WebGoat GitHub repository: WebGoat/WebGoat