jerryhoff / webgoat.net Goto Github PK

OWASP WebGoat.NET

ASP 16.82% C# 72.52% CSS 7.14% JavaScript 3.52%

webgoat.net's Introduction

***************************** Webgoat.NET **********************************
* Source Code: https://github.com/jerryhoff/WebGoat.NET
* Download zip: https://github.com/jerryhoff/WebGoat.NET/zipball/master
****************************************************************************

This web application is a learning platform that attempts to teach about
common web security flaws. It contains generic security flaws that apply to
most web applications. It also contains lessons that specifically pertain to
the .NET framework. The excercises in this app are intented to teach about 
web security attacks and how developers can overcome them.

WARNING: THIS WEB APPLICATION CONTAINS NUMEROUS SECURITY VULNERABILITIES 
WHICH WILL RENDER YOUR COMPUTER VERY INSECURURE WHILE RUNNING! IT IS HIGHLY
RECOMMENDED TO COMPLETELY DISCONNECT YOUR COMPUTER FROM ALL NETWORKS WHILE
RUNNING!

Notes:
 - Google Chrome performs filtering for reflected XSS attacks. These attacks
   will not work unless chrome is run with the argument 
   --disable-xss-auditor. 
- Some (but not all!) of the lessons require a working SQL database. Setup
  guidelines are shown below.

How To Build And Run under Mac OS X and Linux:
  1. Prerequisites
     a. Mono framework for your respective OS. It can be downloaded at
        http://www.go-mono.com/mono-downloads/download.html. Make sure
        that ALL components get installed, including GTK and xsp.
     b. A DB for some of the lessions. Sqlite3 is recommended as it's
        faster and easier to use for the purposes of these lessions.
        Binaries can be found here: http://www.sqlite.org/download.html
  2. Install the mono framework and sqlite3 binaries.
  3. IMPORTANT: Make sure that the the mono executable is in your PATH.
  4. Grab WebGoat.NET and cd into the root dir.
  5. Run 'xbuild'. There may be a few warnings but there should be no 
     errors! If there are please let us know.
  6. cd into the WebGoat project and run 'xsp4'. Then open your favorite
     browser and go to http://localhost:8080 (or whatever port your
     xsp4 is using if you're not using the default). Note: The first run
     may take take some time as it's compiling everything on the fly.
  7. If you see the WebGoat.NET page that means you're almost there! Next
     step is to click on 'Set Up Database!'
  8. You should see a form with a bunch of setup information for the
     database. For 'Data Provider' choose Sqlite. For 'Data File Path' put
     in 'db.sqlite3' and for 'Client Executable' put in the sqlite3
     executable of your OS (usually /usr/bin/sqlite3).
  9. Click on 'Test Configuration', followed by 'Rebuild Database' and
     hopefully you should be good go! Enjoy your hackathon!

How to build and run under Windows:
  1. Prerequisites:
     a. Visual Studio 2010 and above.
     b. Mysql database that's up and running with at least one user
        aleady setup with full permissions.
  2. Open WebGoat.sln file via Visual Studio, and click on debug.
  3. You should see the WebGoat.NET page at which point click on
     'Set Up Database'.
  3. You should see a form with a bunch of setup information for the
     database. For 'Data Provider' choose MySql. You'll need to fill in
     the respective data entries for your mysql db. 'Client Executable'
     and 'Data File Path' are not necessary for MySql so you can leave
     them empty.
  4. Click on 'Test Configuration', followed by 'Rebuild Database' and
     hopefully you should be good go! Enjoy your hackathon!

webgoat.net's People

Contributors

Stargazers

Watchers

Forkers

jclark434175 appsecmartin jkuemerle davislg owasp githubunittest joshherman modesth2 deedubsau raybeorn spoint42 brennantom yuske bachrach44 prozachj sudeip sternze carolrogers bbatty zsmahi gazlu ashishmgupta ashhher3 eoftedal arksutw ldemidov yonglehou phillipnordwall curehsu djtc1 priya72 jmcclenon flowryan1 ed303 talk2noob susanstdemos ll2b niallmerrigan tardummy01 roengrit paralax dougmorato infosecusers renepauli nalcorpallhat bryonglodencissp zjwjj newborn3 hax0rg1rl vulna-felickz madhuakula nullpointers2000 arunm201192 ankitmalviyans goswamivijay fredyfx seancasey08 ajaymayar ey-parthenon r0flc0pt4 shraddhasinghal secappaudit wittmannj danieladacruz brinsby sl1msh2d13 offxec anthturner chris-fs-wang sk219 nikkibarros yj0930 fragney teste-jpg rroman81 modulexcite rudy-marquez gubraun shraddhapandya saifullahdabir wdemeijer leelarao joris-snyk suleymanpetek defenistrator codecheckdemo bilalk88 arunpillai6 jg8481 securecodeninja mprashant24 pabloatleap synopsystest brooqs nthpixel douglasnbk fjsnogueira smallkid cx-demo srinivasadotnet

webgoat.net's Issues

stored XSS lesson vuln to SQLi

The stored XSS lesson is also vulnerable to SQL injection. I don't know if this is by design or not (bonus vulnerabilities!) but if not we should move to a prepared statement in MySqlDbProvider.cs

UNABLE TO RUN IT

Can someone please give a detailed tutorial/guide from start to end to how to get it to run properly.

Like:

Setting Up MySql
etc

stored XSS doesn't work because commentnumber isn't set

The stored XSS lesson doesn't work. The table comment has a column called commentNumber which is NOT NULL but isn't set when a new comment is added. To fix this, I think commentNumber should be set to auto_increment (at least that worked for me).

A Question :)

Where can I turn off validation request? Thanks!

can't steal session ID cookie

The ASP.Net_SessionID cookie is httponly. While this is good for security, it's bad for webgoat. It would be nice to be able to demonstrate cookie stealing with the XSS attacks. Let's set it to not be that way initially, and part of the job of fixing webgoat is to change it to be httponly.

Struggling to Get it running without Visual Studio

Hello All,
I have followed the steps written here and got the application running, but I am struggling to run the application through IIS directly. Is there a way to do that?

Build Failure when scanning the project with sonar cloud

Hi, I am trying to scan the project's source code with the Sonar Cloud by forking the project to my repo.

But, when I used dotnet build, I encountered the build failure, and I checked the log, getting the error like the following:
error MSB3644: The reference assemblies for .NETFramework,Version=v3.5 were not found. To resolve this, install the Developer Pack (SDK/Targeting Pack) for this framework version or retarget your application.

I am fresh in the dotnet project, so I don't know how to fix it.
Is it an issue about the environment, i.e., Sonar Cloud? Or is it caused by the reason that this project is out of date?

Thank!

trace.axd

Hi Jerry,

Any way to turn on trace.axd?

I noticed it is disabled in web.config. I tried changing the values there with no luck. Wondering if you know how to turn it on.

Thanks.

how to run webgoat.net

is there documentation on how to run webgoat.net?

Unable to deploy

Hello,
I downloaded the zip and tried to install in IIS5.1 XP with .NET 4.0 and I get this error:
http://localhost/WebGoat.NET/Default.aspx ->
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

Parser Error Message: Could not load file or assembly 'Mono.Data.Sqlite, Version=2.0.0.0, Culture=neutral, PublicKeyToken=0738eb9f132ed756' or one of its dependencies. The system cannot find the file specified.

Source Error:

Line 64: connectionStringName="SQLiteDbConnection"
Line 65: name="SQLiteRoleProvider"
Line 66: type="TechInfoSystems.Data.SQLite.SQLiteRoleProvider, TechInfoSystems.Data.SQLiteProvider" />
Line 67:
Line 68:

Should I install Mono also?

Error testing database. Please see logs.

Webgoat.net from Visual studio with MySql. I have installed My SQl community version and import Webgoat.net from yours portal. Set up Database i am getting error.

Data Provider: | MySql

Password: | Admin@123

Showing error:
Error testing database. Please see logs.

RebuildDatabase

Hi,

I have the system up on Kali and can get the Sqlite working, but I want to test with Mysql. What are the value I need to put in the Client Executable and Data File Path to get this to work?