Skip to content

Contrast-Security-OSS/demo-webgoat7

BranchesTags

Repository files navigation

Webgoat 7: A deliberately insecure Java web application

This sample application is downloaded from https://github.com/WebGoat/WebGoat/releases/download/7.1/webgoat-container-7.1-exec.jar.

Warning: The computer running this application will be vulnerable to attacks, please take appropriate precautions.

Running standalone

You can run WebGoat locally on any machine with Java 1.8 RE installed.

  1. Place a contrast_security.yaml file into the application's root folder.
  2. Place a contrast.jar into the application's root folder.
  3. Run the application using:
java -javaagent:contrast.jar -Dcontrast.config.path=contrast_security.yaml -jar webgoat-container-7.1-exec.jar [--server.port=8080] [--server.address=localhost]
  1. Browse the application at http://localhost:8080/WebGoat/

Running in Docker

You can run WebGoat within a Docker container.

  1. Place a contrast_security.yaml file into the application's root folder.
  2. Build the WebGoat container image using ./1-Build-Docker-Image.sh. The Contrast agent is added automatically during the Docker build process.
  3. Run the container using docker run -v $PWD/contrast_security.yaml:/etc/contrast/java/contrast_security.yaml -p 8080:8080 webgoat:7.1
  4. Browse the application at http://localhost:8080/WebGoat/

Running in Azure (Azure Container Instance):

Pre-Requisites

  1. Place a contrast_security.yaml file into the application's root folder.
  2. Install Terraform from here: https://www.terraform.io/downloads.html.
  3. Install PyYAML using pip install PyYAML.
  4. Install the Azure cli tools using brew update && brew install azure-cli.
  5. Log into Azure to make sure you cache your credentials using az login.
  6. Edit the variables.tf file (or add a terraform.tfvars) to add your initials, preferred Azure location, app name, server name and environment.
  7. Run terraform init to download the required plugins.
  8. Run terraform plan and check the output for errors.
  9. Run terraform apply to build the infrastructure that you need in Azure, this will output the web address for the application. If you receive a HTTP 503 error when visiting the app then wait 30 seconds for the application to initialize.
  10. Run terraform destroy when you would like to stop the app service and release the resources.

Running automated tests

There is a test script which you can use to reveal vulnerabilities which requires node and puppeteer.

  1. Install NPM, Node, Chrome and Playwright npm i playwright
  2. Run BASEURL=<url> npx playwright test e2e/assess/*.ts

Updating the Docker Image

You can re-build the docker image (used by Terraform) by running two scripts in order:

  • 1-Build-Docker-Image.sh
  • 2-Deploy-Docker-Image-To-Docker-Hub.sh

About

No description, website, or topics provided.

Resources

Readme
Activity
Custom properties

Stars

2 stars

Watchers

10 watching

Forks

7 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages