Learn How to Set Up OWASP Webgoat and OWASP WebWolf with Java and Docker

Welcome to another session in our OWASP Top 10 training series! In today’s episode, you’ll be learning how to set up OWASP Webgoat and OWASP WebWolf with Java and Docker. As we go through the OWASP Top 10 training, we are gradually assembling our lab to begin honing our skills to exploit these vulnerabilities. Even if you’re only just joining us now, it’s not too late – just follow the steps on the OWASP Zap or Burp Suite set up blog posts, or you can view the OWASP Top 10 video training series. And don’t worry – there will be plenty more videos coming your way as we move through the training.

Why is this OWASP Top 10 course using OWASP Webgoat, and what is it?

OWASP WebGoat is an insecure web application purposely developed to assist with Java-based application testing against the most prevalent web application vulnerabilities, namely the OWASP Top 10. Along with OWASP WebGoat, the OWASP WebWolf application can be used to effectively simulate out-of-band attacks. WebGoat and WebWolf come as jar files, Docker images, and source code, which make them suitable for our OWASP Top 10 training purposes.

How to Set Up a Safe Environment for OWASP Webgoat and WebWolf

As such, this is an excellent way to become knowledgeable in web application hacking and Docker usage for lab set-up. Please bear in mind that this is a deliberately vulnerable web application, so it should never be installed on a host machine. To demonstrate the proper way of setting up a secure lab, I will begin with a Debian 9 Virtual Machine running on Virtualbox, as illustrated in my YouTube video. For now, we will assume that you already have a Debian 9 VM on your preferred virtualization software. I’m using VirtualBox in my situation.

How to set up Webgoat and WebWolf using the JAR for OWASP

If you want to utilize Docker in your OWASP Top 10 learning process, feel free to disregard this portion. I included it here so you would know how to set up Java on your computer. Possessing the ability to install packages is an invaluable aptitude in the process of becoming knowledgeable. It provides the opportunity to explore and experiment with new software, especially with the burgeoning amount of open-source programs released daily.

Setting up Java

After establishing a connection with your Debian 9 guest machine, execute the necessary commands. If you experience any difficulties, be sure to consult the blog.

Run the OWASP WebGoat program.

By default, WebGoat can only be accessed from localhost, however, you can configure it to listen on all interfaces by setting the server. address option to 0.0.0.0.

Run the OWASP WebWolf download

How to install Docker’s OWASP Webgoat

When it comes to OWASP Top 10 training and overall hacking exploration, Docker offers plentiful benefits in comparison to a traditional Java environment. Without any additional dependency setup and configuration, one simple command launches both Webgoat and Webwolf. Furthermore, this tool will enable an effortless setup for any other application you might come across.

Setup Docker

I strongly advise against installing Docker using a one-time script as outlined in its documentation. Developing an understanding of the code you are running on your machines is essential. This article is based on the official Docker documentation for Debian and offers the following steps as guidance.

You ought to receive an answer along these lines.

Run OWASP WebGoat for Docker after downloading it.

Execute both WebGoat and WebWolf simultaneously. Pay attention to setting the TZ environment variable correctly to ensure that the JWT challenges are properly functional. The timezone used should be determined by the location of the machine hosting these applications, and the following list of time zones should help with that.

OWASP WebGoat testing with our setup

Now that we have launched both OWASP WebGoat and WebWolf, we can test them to ensure that they are compatible with OWASP ZAP or Burp Suite. To do this, open either of these programs and select the FoxyProxy add-on as your proxy. For instructions on installing and configuring FoxyProxy, please follow this link. After this is completed, open up http://your-machine-ip:8080/WebGoat, using your machine’s IP address for ‘your-machine-ip.’ If everything went as planned, you should be presented with a login screen similar to the screenshot provided.

OWASP WebWolf configuration being tested

To get started, launch either OWASP Zap or BurpSuite, then select your proxy from the FoxyProxy add-on. If you are just joining us, the link to install and configure FoxyProxy can be found below. After everything is in place, you should be able to open http://your-machine-ip:9090/WebWolf (where your-machine-ip is the IP address of the Debian 9 VM), and you should be met with a login screen.

Well done! You’ve taken another stride in training yourself on the OWASP Top 10 vulnerabilities. In the following episode of the OWASP Top 10 training program, we’ll be installing and setting up OWASP Juice Shop.

If you liked this tutorial, sign up for the Newsletter to receive notifications from RECONCYBERSECURITY.COM. In the meantime, stay inquisitive, foster your thirst for knowledge, maintain an ethical approach, and spread the word!

For those of you who are fond of YouTube tutorials, I have a whole Owasp Top 10 series waiting for you.