jerryhoff / WebGoat.NET
OWASP WebGoat.NET
***************************** Webgoat.NET **********************************
* Source Code:  https://github.com/jerryhoff/WebGoat.NET
* Download zip: https://github.com/jerryhoff/WebGoat.NET/zipball/master
****************************************************************************

This web application is a learning platform that attempts to teach about common web security flaws. It contains generic security flaws that apply to most web applications. It also contains lessons that specifically pertain to the .NET framework. The exercises in this app are intended to teach about web security attacks and how developers can overcome them.

WARNING: THIS WEB APPLICATION CONTAINS NUMEROUS SECURITY VULNERABILITIES WHICH WILL RENDER YOUR COMPUTER VERY INSECURE WHILE RUNNING! IT IS HIGHLY RECOMMENDED TO COMPLETELY DISCONNECT YOUR COMPUTER FROM ALL NETWORKS WHILE RUNNING!

Notes:
- Google Chrome performs filtering for reflected XSS attacks. These attacks will not work unless Chrome is run with the argument --disable-xss-auditor.
- Some (but not all!) of the lessons require a working SQL database. Setup guidelines are shown below.

How To Build And Run under Mac OS X and Linux:
1. Prerequisites
   a. Mono framework for your respective OS. It can be downloaded at http://www.go-mono.com/mono-downloads/download.html. Make sure that ALL components get installed, including GTK and xsp.
   b. A DB for some of the lessons. Sqlite3 is recommended as it's faster and easier to use for the purposes of these lessons. Binaries can be found here: http://www.sqlite.org/download.html
2. Install the Mono framework and sqlite3 binaries.
3. IMPORTANT: Make sure that the mono executable is in your PATH.
4. Grab WebGoat.NET and cd into the root dir.
5. Run 'xbuild'. There may be a few warnings but there should be no errors! If there are, please let us know.
6. cd into the WebGoat project and run 'xsp4'. Then open your favorite browser and go to http://localhost:8080 (or whatever port your xsp4 is using if you're not using the default). Note: The first run may take some time as it's compiling everything on the fly.
7. If you see the WebGoat.NET page that means you're almost there! Next step is to click on 'Set Up Database!'
8. You should see a form with a bunch of setup information for the database. For 'Data Provider' choose Sqlite. For 'Data File Path' put in 'db.sqlite3' and for 'Client Executable' put in the sqlite3 executable of your OS (usually /usr/bin/sqlite3).
9. Click on 'Test Configuration', followed by 'Rebuild Database' and hopefully you should be good to go! Enjoy your hackathon!

How to build and run under Windows:
1. Prerequisites:
   a. Visual Studio 2010 and above.
   b. MySQL database that's up and running with at least one user already set up with full permissions.
2. Open the WebGoat.sln file via Visual Studio, and click on Debug.
3. You should see the WebGoat.NET page, at which point click on 'Set Up Database'.
4. You should see a form with a bunch of setup information for the database. For 'Data Provider' choose MySql. You'll need to fill in the respective data entries for your MySQL db. 'Client Executable' and 'Data File Path' are not necessary for MySql so you can leave them empty.
5. Click on 'Test Configuration', followed by 'Rebuild Database' and hopefully you should be good to go! Enjoy your hackathon!
The stored XSS lesson is also vulnerable to SQL injection. I don't know if this is by design or not (bonus vulnerabilities!) but if not we should move to a prepared statement in MySqlDbProvider.cs
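As an added illustration of the prepared-statement change this issue proposes (this is not code from WebGoat.NET's MySqlDbProvider.cs; the table and column names, the connection handling and the method names are assumed), the two shapes side by side: a string-concatenated INSERT, where any quote character inside the comment text becomes part of the SQL, and the parameterized form, where the statement text is fixed and the values are sent separately, so nothing the user types is ever parsed as SQL.

```csharp
// Added example, not the project's own code. Assumed schema: a Comment table
// with productId, email and comment columns (names are hypothetical).
using System;
using MySql.Data.MySqlClient;

public static class CommentStore
{
    // Vulnerable shape: user-controlled text is spliced into the SQL string.
    // The database cannot tell where the data ends and the statement resumes,
    // so a comment containing quote characters can change the query's structure.
    public static string BuildUnsafeInsert(int productId, string email, string comment)
    {
        return "INSERT INTO Comment (productId, email, comment) VALUES ("
             + productId + ", '" + email + "', '" + comment + "')";
    }

    // Hardened form: the SQL text is a constant, and every value travels as a
    // typed parameter. The driver never interprets parameter contents as SQL,
    // whatever characters they contain, so the structure of the statement is fixed.
    public static int AddComment(MySqlConnection conn, int productId, string email, string comment)
    {
        const string sql =
            "INSERT INTO Comment (productId, email, comment) VALUES (@productId, @email, @comment)";

        using (var cmd = new MySqlCommand(sql, conn))
        {
            cmd.Parameters.AddWithValue("@productId", productId);
            cmd.Parameters.AddWithValue("@email", email);
            cmd.Parameters.AddWithValue("@comment", comment);
            return cmd.ExecuteNonQuery();   // rows affected, 1 on success
        }
    }
}
```

Parameterizing the INSERT removes the injection path only; it does nothing for the stored XSS the lesson is about, which is an output problem. The comment still has to be HTML-encoded when it is rendered back into the page (for example with HttpUtility.HtmlEncode), regardless of how it was written to the database.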
Can someone please give a detailed tutorial/guide from start to end on how to get it to run properly.
Like:
The stored XSS lesson doesn't work. The table comment has a column called commentNumber which is NOT NULL but isn't set when a new comment is added. To fix this, I think commentNumber should be set to auto_increment (at least that worked for me).
Where can I turn off validation request? Thanks!
The ASP.Net_SessionID cookie is httponly. While this is good for security, it's bad for webgoat. It would be nice to be able to demonstrate cookie stealing with the XSS attacks. Let's set it to not be that way initially, and part of the job of fixing webgoat is to change it to be httponly.
Hello All,
I have followed the steps written here and got the application running, but I am struggling to run the application through IIS directly. Is there a way to do that?
Hi, I am trying to scan the project's source code with Sonar Cloud by forking the project to my repo.
But when I ran dotnet build, I encountered a build failure. I checked the log and got an error like the following:
error MSB3644: The reference assemblies for .NETFramework,Version=v3.5 were not found. To resolve this, install the Developer Pack (SDK/Targeting Pack) for this framework version or retarget your application.
I am new to dotnet projects, so I don't know how to fix it.
Is it an issue with the environment, i.e., Sonar Cloud? Or is it caused by this project being out of date?
Thanks!
Hi Jerry,
Any way to turn on trace.axd?
I noticed it is disabled in web.config. I tried changing the values there with no luck. Wondering if you know how to turn it on.
Thanks.
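For reference, an added web.config fragment (not the project's own configuration) showing the element that controls trace.axd in ASP.NET. It assumes the application still has the default trace.axd handler mapping; if the project removed that handler, this element alone will not bring the viewer back. enabled="true" turns tracing on, and localOnly="true" keeps trace.axd answering only requests from the machine the application runs on, which matters because trace output includes request headers, cookies, form fields and server variables.

```xml
<!-- Added example, not WebGoat.NET's web.config.
     Place inside <system.web>; pageOutput="false" keeps trace data out of
     normal pages and available only via trace.axd, requestLimit caps how
     many requests are retained. -->
<configuration>
  <system.web>
    <trace enabled="true"
           localOnly="true"
           pageOutput="false"
           requestLimit="40"
           mostRecent="true" />
  </system.web>
</configuration>
```

Leaving localOnly="true" is the setting to keep in any build that is reachable from another host; the README already warns that the application should not be run on a connected network at all.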
Is there documentation on how to run WebGoat.NET?
Hello,
I downloaded the zip and tried to install in IIS5.1 XP with .NET 4.0 and I get this error:
http://localhost/WebGoat.NET/Default.aspx ->
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.
Parser Error Message: Could not load file or assembly 'Mono.Data.Sqlite, Version=2.0.0.0, Culture=neutral, PublicKeyToken=0738eb9f132ed756' or one of its dependencies. The system cannot find the file specified.
Source Error:
Line 64: connectionStringName="SQLiteDbConnection"
Line 65: name="SQLiteRoleProvider"
Line 66: type="TechInfoSystems.Data.SQLite.SQLiteRoleProvider, TechInfoSystems.Data.SQLiteProvider" />
Line 67:
Line 68:
Should I install Mono also?
Hi
WebGoat.NET from Visual Studio with MySQL. I have installed the MySQL Community version and imported WebGoat.NET from your portal. When I set up the database I am getting an error.
Data Provider: MySql
Data File Path: (empty)
Client Executable: (empty)
Server: localhost
Port: 3306
Database: mysql
User Name: root
Password: Admin@123
Showing error:
Error testing database. Please see logs.
Hi,
I have the system up on Kali and can get SQLite working, but I want to test with MySQL. What are the values I need to put in 'Client Executable' and 'Data File Path' to get this to work?
Thanks.