My WebGoat experience

Webgoat is pretty cool! It’s a good idea, and to a large part it delivers what it promises. My main gripes:

  • Some of the lessons listed are actually not available, they aren’t implemented yet. A bit disappointing to first see the long list and then being cheated out of about 5 of them.
  • I didn’t get one of the lessons to complete, the one on dangerous XSS. I’m not sure but I think the reason was I’m not using a browser made by Microsoft.
  • One lesson, the one with the admin interface, I didn’t finish. The hints were utterly useless (what source should I follow?). After looking both in the source in WebGoat and in WebGoat’s CVS repo (you don’t have to play fair when breaking things you know) I was even more confused.

Many lessons are somewhat simplistic and naive, I don’t doubt people still make those mistakes though. I’d say WebGoat is a nice, short, introduction to hands-on playing with web vulnerabilities.

The maybe most valuable thing about WebGoat is that it suggests using WebScarab.


Use the Source! I found it…though it took me almost 45 seconds…it is there. Hint, for basic auth you use guest/guest. You have to login as a user with admin rights to see the admin menu, though its not as simple as admin/admin it is pretty easy….same word for login and password…here is a common type of hash against the answer:


Leave a comment