Learning how to exploit Web Apps with WebGoat – Part 1
While studying for Security+ certification, I stumbled upon WebGoat. According to its creators, “WebGoat is a deliberately insecure application that allows interested developers just like you to test vulnerabilities commonly found in Java-based applications that use common and popular open source components.”
I quickly did a few terminal commands and was up and running with WebGoat. In this article, I will cover WebGoat and how to install it. In the following article, I will share a few attack samples and showcase the application.
Requirements
Let’s start with a few installations. First, here is a list of things you will need:
- Docker
  - What is Docker? It is a platform that delivers software in packages called containers. I can run an application written by a developer in one language with specific packages on an entirely different machine without worrying about missing packages or other problems.
- WebGoat
Installation
Once Docker is installed, pull the WebGoat image with this command:
docker pull webgoat/webgoat
It will take some time to download the files. Once the download has finished, run this command:
docker run -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amsterdam webgoat/webgoat
The vulnerable application will be reachable on https://127.0.0.1:8080/WebGoat/login
Once the app is running, create a username and password. However, before we continue, I want to address a bug I noticed. After each new run of the Docker application, I lost the session data as if the username and password never existed. The situation is very annoying, and if you have the same problem, here is a workaround!
docker run -it -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -v /tmp/webgoat-data:/home/webgoat/.webgoat-8.2.3-SNAPSHOT -e TZ=Europe/Amsterdam webgoat/webgoat
Run this command every time you start the WebGoat app.
The new addition here is the -v /tmp/webgoat-data:/home/webgoat/.webgoat-8.2.3-SNAPSHOT part.
By default, WebGoat stores its data inside its container, according to nbaars in a GitHub discussion, so we need to map that location to a directory on the host instead. The /tmp/webgoat-data directory on the host will then keep our data safe between container runs.
With the improved command, you should be able to have a persistent session.
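The persistent data mount and the 127.0.0.1 port bindings from the commands above, wrapped in a small launcher with a check that the deliberately insecure app is published on loopback only. This is an added example, not from the original article or the WebGoat project; the container name, the --rm and --name options, and the variable and function names are assumptions.

```sh
#!/bin/sh
# Added example, not WebGoat project code. Container name, variable and
# function names are hypothetical; image, ports and paths are from the article.

WEBGOAT_NAME="${WEBGOAT_NAME:-webgoat}"
# /tmp is commonly cleaned at reboot; set WEBGOAT_DATA to keep accounts longer.
WEBGOAT_DATA="${WEBGOAT_DATA:-/tmp/webgoat-data}"
WEBGOAT_HOME="/home/webgoat/.webgoat-8.2.3-SNAPSHOT"

# Start WebGoat in the foreground with the persistent data mount.
start_webgoat() {
    mkdir -p "$WEBGOAT_DATA"
    docker run -it --rm --name "$WEBGOAT_NAME" \
        -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 \
        -v "$WEBGOAT_DATA:$WEBGOAT_HOME" \
        -e TZ=Europe/Amsterdam webgoat/webgoat
}

# Read `docker port` output on stdin, print every binding whose host address
# is not loopback, and return 1 if there was at least one.
non_loopback_bindings() {
    awk -F' -> ' '
        NF == 2 && $2 !~ /^127\./ && $2 !~ /^\[::1\]:/ { print; bad = 1 }
        END { exit bad + 0 }'
}

# Check the running container (run from a second terminal).
check_exposure() {
    ports=$(docker port "$WEBGOAT_NAME") || return 2   # container not running
    if printf '%s\n' "$ports" | non_loopback_bindings; then
        echo "OK: WebGoat ports are published on loopback only"
    else
        echo "WARNING: bindings above are reachable from other hosts" >&2
        return 1
    fi
}

# Constructed sample of `docker port` output for a container started with
# plain -p 8080:8080 (no 127.0.0.1 prefix) next to a loopback-only port.
SAMPLE_EXPOSED='8080/tcp -> 0.0.0.0:8080
8080/tcp -> [::]:8080
9090/tcp -> 127.0.0.1:9090'

case "${1:-}" in
    start) start_webgoat ;;
    check) check_exposure ;;
esac
```

Run the script with `start` in one terminal and with `check` in a second one once the container is up.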
Next time I will showcase the app itself and go through a few attacks. See you soon!