OWASP WebGoat

Selected solutions for OWASP WebGoat (8.0.0.M26).

• (A1) Injection
  • SQL Injection (advanced)
  • SQL Injection (mitigation)
  • Path traversal
• (A2) Broken Authentication
  • Authentication bypasses
  • JWT tokens
  • Password reset
• (A4) XML External Entities (XXE)
• (A5) Broken Access Control
  • Insecure Direct Object References
• (A7) Cross-Site Scripting (XSS)
• (A8) Insecure Deserialization
• (A9) Vulnerable Components
• (A8:2013) Request Forgeries
  • Cross-Site Request Forgeries
• Client side
  • Client side filtering

General tips

• Check out source code
  • WebGoat container
  • Lessons
• Peek into database, and if necessary (for example to overcome a bug), you can modify it
  • Database is saved onto your disk under c:\Users\USER\.webgoat-v8.0.0-SNAPSHOT\data\