EvilZone
Hacking and Security => Hacking and Security => : gr33n March 11, 2013, 02:02:55 PM
-
Hey guys I have recently come across webGOAT and I was wondering your thought on it? should I spend or "waste" my time on using it?
just a quick post guys thanks, Gr33n.
p.s I know I don't post much on other peoples posts, but that is just because I don't really know much about what other people are asking so sorry for that but will try to be more involved.
-
Yes give it a try, as the site says WebGoat is a J2EE web application, created by the OWASP community to provide a teaching environment for webapplication security. It is a deliberately insecure program, where you must go through a number of lessons. In each lesson, you learn about a new sort of vulnerability, and in the same moment get a hands-on try at exploiting that vulnerability.
From webgoat you can perform attacks and learn valuable things so is not a waste of time.
Here is a demo on using WebGoat
http://searchsoftwarequality.techtarget.com/Demo-Using-WebGoat-a-free-software-testing-tool (http://searchsoftwarequality.techtarget.com/Demo-Using-WebGoat-a-free-software-testing-tool)
-
Yes give it a try, as the site says WebGoat is a J2EE web application, created by the OWASP community to provide a teaching environment for webapplication security. It is a deliberately insecure program, where you must go through a number of lessons. In each lesson, you learn about a new sort of vulnerability, and in the same moment get a hands-on try at exploiting that vulnerability.
From webgoat you can perform attacks and learn valuable things so is not a waste of time.
Here is a demo on using WebGoat
http://searchsoftwarequality.techtarget.com/Demo-Using-WebGoat-a-free-software-testing-tool (http://searchsoftwarequality.techtarget.com/Demo-Using-WebGoat-a-free-software-testing-tool)
Thanks dude :D I will give it a try.
Gr33n
-
well gr33n, a lot of the "lessons" on webgoat are pretty old, but I mean if you still want to do it for the sake of learning it's not a bad choice. I think you might get more out of something like DVWA (damn vulnerable web app), or mutillidae. Here's some links :P
http://www.dvwa.co.uk/
https://www.owasp.org/index.php/Category:OWASP_Mutillidae
-
well gr33n, a lot of the "lessons" on webgoat are pretty old, but I mean if you still want to do it for the sake of learning it's not a bad choice. I think you might get more out of something like DVWA (damn vulnerable web app), or mutillidae. Here's some links :P
http://www.dvwa.co.uk/
https://www.owasp.org/index.php/Category:OWASP_Mutillidae
Thanks man this is awesome, I love this community you guys are so nice to me.
Gr33n.
-
Maybe this one is something for you too. This virtual machine has a lot of vulnerable web-applications installed.
Download: https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project (https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project)
short Overview about included applications: http://owasp.blogspot.de/2012/07/owasp-bwa-vm-version-10-released.html (http://owasp.blogspot.de/2012/07/owasp-bwa-vm-version-10-released.html)
DVWA and mutillidae are both included
Have fun :)
-
woooh, hadn't used this yet. if DVWA and mutillidae are both included, its worth checking out. thanks.
-
you may need an overview of penetration testing practise apps:
http://www.amanhardikar.com/mindmaps/PracticewithURLs.html
ps:guys here are so nice.Share and Enjoy!
-
OWASP Bricks is relatively new, and they released a new version today
(http://1.bp.blogspot.com/-G-7anO3aJ1w/UUiABtshy8I/AAAAAAAAFy4/wePUp39C5hc/s500/feni.png)
Link: http://owaspbricks.blogspot.com/2013/03/owasp-bricks-12-feni-release.html (http://owaspbricks.blogspot.com/2013/03/owasp-bricks-12-feni-release.html)
-
About GameOver:
Project GameOver was started with the objective of training and educating newbies about the basics of web security and educate them about the common web attacks and help them understand how they work.
GameOver has been broken down into two sections.
Section 1 consists of special web applications that are designed especially to teach the basics of Web Security. This seciton will cover
XSS
CSRF
RFI & LFI
BruteForce Authentication
Directory/Path traversal
Command execution
SQL injection
Section 2 is a collection of dileberately insecure Web applications. This section provides a legal platform to test your skills and to try and exploit the vulnerabilities and sharpen your skills before you pentest live sites.
We would advice newbies to try and exploit these web applications. These applications provide real life environments and will boost their confidence.
System Requirements :
In order to run the VM image, you need to have a VM Player 4.0.2 or higher.(We have not tested it in lower versions of VM Player). You may allocate 256MB or higher RAM to this instance. In case you do not have a VM Player installed or for some reason you prefer another virtualization software, you may download the .iso and run it in a 'Live' mode.
Getting Started :
In case you have chosen the Live CD, select 'Live' from the grub menu and Enter
Login with the following credentials.
username: root
password: gameover
Once you login, type 'ifconfig' in your GameOver machine command prompt and hit Enter.
This will give you the ip address of the GameOver machine (Server).
Now in your client browser enter this IP address and hit Enter.
You should be able to access GameOver now.
Credits:
Voyage Linu: GameOver has Voyage Linux as its base OS. Voyage is a minimilistic Linux distribution which is in turn based on Debian. For more information regarding Voyage Linux we encourage you to check out their website: http://linux.voyage.hk/ (http://linux.voyage.hk/).
Web Applications (section 1):
1. Damn Vulneable Web Application: (http://www.dvwa.co.uk/ (http://www.dvwa.co.uk/))
2. OWASP WebGoat:(https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project (https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project))
3. Ghost (http://www.gh0s7.net/ (http://www.gh0s7.net/))
4. Mutillidae (http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10 (http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10))
5. Zap-Wave: (http://code.google.com/p/zaproxy/ (http://code.google.com/p/zaproxy/))
Web Applications (section 2):
1. Owasp Hacademic Challenges : (https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project (https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project))
2. Owasp Vicnum: (https://www.owasp.org/index.php/Category:OWASP_Vicnum_Project (https://www.owasp.org/index.php/Category:OWASP_Vicnum_Project))
3. WackoPicko: (http://www.aldeid.com/wiki/WackoPicko (http://www.aldeid.com/wiki/WackoPicko))
4. Owasp Insecure Web App: (https://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project (https://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project))
5. BodgeIT: (http://code.google.com/p/bodgeit/ (http://code.google.com/p/bodgeit/))
6. PuzzleMall: (https://code.google.com/p/puzzlemall/ (https://code.google.com/p/puzzlemall/))
7. WAVSEP: (https://code.google.com/p/wavsep/ (https://code.google.com/p/wavsep/))
Known Bugs :(
The .iso cannot be installed on a Virtual machine, but works perfectly in the 'Live mode'.
Bug Report:
In case you encounter any bug or issue in this Project, you may report it to j0k3r@null.co.in (Jovin Lobo).
Conclusion:
We encourage users to tryout GameOver and learn more about Web security. There are tons of other deliberately insecure applications on the Internet. If you find any such interesting/useful application we would be glad to append it to this existing collection of insecure Apps. You can send your suggestions/improvements to j0k3r@null.co.in (Jovin Lobo).
Road Map:
We have currently only included Web based applications in this current release of GameOver.
In the future releases we plan to include system level CTF's along with Web based applications to give the users a complete hands-on experience.
NULLCON CHALLENGES:
You can also visit this link http://www.nullcon.net/challenge/archives.asp (http://www.nullcon.net/challenge/archives.asp) to play NULLCON challenges. The challenges are broadly categorized into Web , Cryptography, Trivia, Log, analysis, Reverse engineering, Forensics, System and Programming.
http://sourceforge.net/projects/null-gameover/files/