We're happy to announce that we added another great "vulnerable by design" resource from OWASP to our Free Arena. After Metasploitable and Security Shepherd, WebGoat is our choice for your free hands-on training.
WebGoat is a deliberately insecure web application maintained by OWASP and designed to teach web application security lessons. You can install it locally and practice with it, and there are other 'goats' such as WebGoat for .NET. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one lesson the user must use SQL injection to steal fake credit card numbers. The application aims to provide a realistic teaching environment, giving users hints and code to further explain each lesson.
WebGoat for J2EE is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can work through the lessons and track their progress on the scorecard. There are currently over 30 lessons, including ones dealing with the following issues:
Cross-site Scripting (XSS)
Hidden Form Field Manipulation
Weak Session Cookies
Blind SQL Injection
Numeric SQL Injection
String SQL Injection
Fail Open Authentication
Dangers of HTML Comments
... and many more!
To access our WebGoat server you will first need to set up your VPN. Remember: No VPN, no WebGoat.
Once you connect to your CTF365 VPN, you can access WebGoat at http://10.195.0.12:8080/WebGoat/login