Picking the short straw…aka WebGoat.
One of the assignments that the rookies got was to go through the various broken web applications, such as WebGoat, WebMaven, Hacme Casino, Hacme Bank, and Hacme books and complete them. While we worked through our various tasks we were to thoroughly document the steps, take screen captures and ensure that all steps necessary were shown on how to exploit these applications. Joe had asked for volunteers so I stepped up and picked WebGoat.
Prior to Joe handing out this task I had worked with WebGoat for about 15 minutes and I really liked it, hence why I choose it. What I did not realize at the time was the scope of WebGoat and just how large it was. Unlike the broken web applications like WebMaven, WebGoat covers a lot of content including: SQL injection, XSS, session cookie manipulation, hidden forms and fail open authentication just to name a few. Webgoat covers all of this in somewhere around 30 lessons.
Being able to get the WebGoat work done in a timely manner is very important to Joe and working on WebGoat was going to be a learning experience. In typical Joe fashion I got my deadline for this project; he wanted it done in two days, which in fact is better than his usual “I need this yesterday.” I start working on this project having no real experience with any of the covered concepts. After two very long days report balloons to over 45 pages of documentation outlining the steps. I winded up having to call in for some help on a few of the lessons due to some issues with WebScarab not working for me but we pulled it off.
After completing this task I was one, tired; two, sick of seeing WebGoat; and three, pretty well educated with the low level, fundamental hacks on web applications. While I do not think I could hack a website there is some significant value add in understanding the lessons contained in WebGoat. Also I will say that while I tried as much to avoid the built-in documentation, WebGoat has a very comprehensive built-in documentation guide for any beginners looking to learn these concepts. I have to say that the developers or this OWASP project did a fantastic job on building a system that can teach you how to hack web applications and more importantly how to help secure them through understanding. I would encourage anyone looking to get into the Infosec career field to check out WebGoat.
OWASP WebGoat – https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
Maven Security WebMaven – http://www.mavensecurity.com/WebMaven/
McAfee Hacme Casino – http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx/
McAfee Hacme Books – http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx
McAfee Hacme Bank – http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx/