If you are a techie interested in knowing about web vulnerabilities and *practising* them, this piece is for you. Recently, while skimming through the reference materials on Google Code University, I came across a project named 'WebGoat' from a community called 'The Open Web Application Security Project (OWASP)'. It's an excellent application for learning web security. Let's learn more about WebGoat.
What is 'WebGoat'?
A deliberately insecure J2EE web application built to teach web application security lessons. It's something like a sandbox in which users can play around with a real vulnerability (purely for learning purposes). It covers a wide range of security lessons; the most interesting one (at least to me) is the lesson where the user must use SQL injection to steal fake credit card numbers. Interested souls can even add their own lessons to 'WebGoat'.
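To make the SQL injection lesson concrete, here is an added example that is not part of the original post or of WebGoat itself. WebGoat is a Java application, but the flaw it teaches is language-independent, so this Python script (using the standard-library sqlite3 module and a constructed in-memory table standing in for WebGoat's fake credit-card data) shows the same lookup written two ways: the vulnerable version concatenates the user's input into the SQL string, the hardened version passes it as a bound parameter. Running `demo()` shows that the same tautology input dumps every row from the vulnerable query and matches nothing in the parameterised one.

```python
import sqlite3

# Constructed sample data: a stand-in for WebGoat's fake credit-card table.
SAMPLE_ROWS = [
    ("alice", "4111111111111111"),
    ("bob", "5555555555554444"),
    ("carol", "378282246310005"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (owner TEXT, number TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, owner):
    """Vulnerable: the query is built by string concatenation, so whatever the
    user types becomes part of the SQL statement itself."""
    sql = "SELECT owner, number FROM cards WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, owner):
    """Hardened: a parameterised query. The driver sends the value separately
    from the statement, so it is compared as data and never parsed as SQL."""
    sql = "SELECT owner, number FROM cards WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def demo():
    """Run both lookups with a normal name and with the classic tautology
    input that WebGoat's lesson demonstrates; return all four result sets."""
    conn = make_db()
    normal = "alice"
    tautology = "x' OR '1'='1"  # turns the WHERE clause into a condition that is always true
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_tautology": lookup_vulnerable(conn, tautology),
        "safe_normal": lookup_safe(conn, normal),
        "safe_tautology": lookup_safe(conn, tautology),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

The fix is not input filtering but the change in how the query is assembled: with the bound parameter, the quote character in the input has no syntactic meaning, which is the lesson WebGoat is trying to get across.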

I have just started with this. I shall post more on it once I get more exposure. To get started, click here.
Happy learning!! :-)
-- Varun
This is a great heads-up for anyone looking to get hands-on with web security! Thanks for sharing this discovery.
WebGoat is truly a classic and an absolutely essential tool for learning about web vulnerabilities by doing. As you rightly pointed out, it's a "deliberately insecure" application, which is exactly what you need when you're trying to understand how exploits work without doing anything illegal or harmful.
That idea of a "sandbox where users can play around on a real vulnerability" is perfectly stated. It's one thing to read about SQL injection or XSS, but it's a completely different (and much more effective) learning experience to actually execute those attacks yourself in a safe environment. The SQL injection lesson to steal fake credit card numbers is indeed a highlight for many, as it makes the impact very tangible.
It's awesome that you're diving into WebGoat, and I'm really looking forward to hearing more about your experiences once you get deeper into it. Happy learning indeed! This kind of practical approach is invaluable.
For anyone looking to set up their own WebGoat lab, or to discuss specific lessons and challenges within it, a hacking forum is an excellent community resource.