Not too long ago I had a discussion with a colleague about the OWASP Top Ten [1]. About two years earlier I had followed a training at the TestNet [2] summer event, where we learned the basics of security with a tool. I couldn't remember its name at the time; later I found out that it was the Juice Shop [3]: an environment in which you learn how attackers think and work through the basics of the OWASP Top Ten.
My colleague then mentioned another tool, WebGoat, which you can download and install at home and experiment with. I looked for a way to do that: I wanted a Vagrant environment that I could set up quickly, and destroy just as quickly once I stopped using it. Most importantly, it had to be a safe environment, because the applications in it are deliberately vulnerable.
When I searched for this, I found a Vagrant Cloud page that appeared to belong to the maintainers of WebGoat [4]. When I started that Vagrant box, it came up with errors ("default: Warning: Authentication failure. Retrying..."). I found other Vagrant boxes from other enthusiasts, but they were supplied as prebuilt boxes rather than as a Vagrantfile, so you cannot see what happens when the box starts. If I use a box from someone I don't know, I can't tell whether they are trustworthy, or whether I am introducing a new security hole into my environment by running it.
The original Vagrant box is also more than a year old, and there are newer versions of WebGoat, which are distributed as Docker images. So I looked for a way to build a virtual machine with Docker in which WebGoat and WebWolf are installed automatically, with a Vagrantfile you can read to check that I am simply following the installation guidelines on the OWASP WebGoat site [5].
To keep my introduction short(ish): you can find the solution in my GitHub repository [8].
Installation
- Install Vagrant [6] if you haven't already; with Chocolatey you can use choco install vagrant.
- Install VirtualBox [7] if you haven't already; with Chocolatey you can use choco install virtualbox.
- Clone the GitHub repository [8].
Open a CMD window, change to the cloned directory and run vagrant up to start the environment. When the prompt returns a few minutes later, you can browse to http://localhost:8080/WebGoat for WebGoat and to http://localhost:9090 for WebWolf. As a bonus, I also start the Docker container for the Juice Shop; you can reach it at http://localhost:3000. I would encourage you to change these port numbers; you can do so in the following lines of the Vagrantfile, for example when you want to use 5000, 5001, 5002 and 5003 instead:
config.vm.network "forwarded_port", guest: 8080, host: 5000
config.vm.network "forwarded_port", guest: 9090, host: 5001
config.vm.network "forwarded_port", guest: 8888, host: 5002
config.vm.network "forwarded_port", guest: 3000, host: 5003
Keep in mind that these applications are vulnerable by design. Unless you pin a forwarded port to an address, it may be reachable from other machines on your network; adding host_ip: "127.0.0.1" to each forwarded_port line restricts it to the loopback interface of your own machine.
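As an added example (this is not the Vagrantfile from the repository, and the host ports 5000-5003, the id names and the box name are assumptions), the following Vagrantfile fragment builds the same four port forwards from one table, pins each of them to the loopback interface, and rejects duplicate or privileged host ports before Vagrant gets to see them. A Vagrantfile is plain Ruby, so the helpers can also be loaded and tested outside vagrant; the guard at the bottom only runs the Vagrant part when the file is loaded by vagrant itself.

```ruby
# Added example, not the repository's own Vagrantfile.
# Guest ports are the ones listed in the post; host ports, ids and the
# box name are assumptions for this example.

LOOPBACK_ONLY = "127.0.0.1"

# name => { guest: port inside the VM, host: port on your own machine }
PORT_FORWARDS = {
  "webgoat"   => { guest: 8080, host: 5000 },
  "webwolf"   => { guest: 9090, host: 5001 },
  "port8888"  => { guest: 8888, host: 5002 },  # purpose of 8888 not stated in the post
  "juiceshop" => { guest: 3000, host: 5003 },
}.freeze

# Refuse host ports that collide with each other or fall outside the
# unprivileged range, so a typo fails at `vagrant up` instead of silently
# shadowing another service on the host.
def validate_forwards(forwards)
  hosts = forwards.values.map { |p| p[:host] }
  dupes = hosts.select { |h| hosts.count(h) > 1 }.uniq
  raise ArgumentError, "duplicate host ports: #{dupes.join(', ')}" unless dupes.empty?
  bad = hosts.reject { |h| (1024..65535).cover?(h) }
  raise ArgumentError, "host ports must be 1024-65535: #{bad.join(', ')}" unless bad.empty?
  true
end

# Build the option hashes for config.vm.network "forwarded_port".
# host_ip defaults to loopback: the apps are deliberately vulnerable and
# should not be reachable from other machines on your network.
def forwarded_port_options(forwards, host_ip: LOOPBACK_ONLY)
  validate_forwards(forwards)
  forwards.map do |name, p|
    { id: name, guest: p[:guest], host: p[:host], host_ip: host_ip }
  end
end

# The Vagrant DSL only exists when this file is loaded by `vagrant`; the
# guard lets the helpers above be loaded with plain ruby as well.
if defined?(Vagrant)
  Vagrant.configure("2") do |config|
    config.vm.box = "ubuntu/focal64"   # assumption: box name not taken from the post
    forwarded_port_options(PORT_FORWARDS).each do |opts|
      config.vm.network "forwarded_port", **opts
    end
  end
end
```

To change the port numbers you now edit only the PORT_FORWARDS table; to deliberately expose a port on all interfaces, for example for a lab on a separate network, pass host_ip: "0.0.0.0" explicitly so that the decision is visible in the file.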
You don't need to go into the virtual machine to use the tools. When you want to use the virtual machine for other purposes (for example, to play with Docker), you can enter it from the command line with vagrant ssh.
When you want to pause your experimenting, you can switch off the virtual machine with vagrant halt. The virtual machine can be removed entirely with vagrant destroy.
Using the tools
Once WebGoat is running, you can register yourself as a new user. After you have logged in you will see the list of lessons. The user id and password that you choose in WebGoat are used in WebWolf as well. In the Juice Shop, pay attention to the small information windows at the top of the screen; they give you your tasks.
Have fun!
Links
1) OWASP Top Ten: https://owasp.org/www-project-top-ten/
2) TestNet: https://www.testnet.org/testnet/home
3) Juice Shop: https://owasp.org/www-project-juice-shop/
4) Vagrant boxes of OwaspWebGoat: https://app.vagrantup.com/owaspwebgoat
5) OWASP site of WebGoat and WebWolf: https://owasp.org/www-project-webgoat/
6) Download Vagrant: https://www.vagrantup.com/downloads
7) Download VirtualBox: https://www.virtualbox.org/wiki/Downloads
8) GitHub repository: https://github.com/FrederiqueRetsema/VagrantWebGoat