

Web Security : OWASP & WebGoat



Table of Contents

- OWASP

- What is WebGoat

- Installing WebGoat

- Exercise) Buffer Overflow


Open Web Application Security Project (OWASP)


Introducing OWASP


The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Its mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.


One of OWASP's projects, the OWASP Top 10, publishes a list of the most critical web application security risks. It has been updated four times (2004/2007/2010/2013), and the documents are available from the OWASP Top Ten Project webpage (https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=Main). WebGoat, another OWASP project, lets users try each of these vulnerabilities hands-on.


What is WebGoat


Web application security is difficult to learn and practice. Not many people have full-blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission. The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security.






Installing WebGoat


1. Download Tomcat, the JDK and WebGoat.war from the Internet.

2. Make a directory for the JDK and extract the JDK tar file.

3. Make a directory for Apache Tomcat and extract the Tomcat tar file.

4. Make a symbolic link to the installed Java path.

5. Check that it is installed properly with the java -version command.

6. Export the environment variable: export JAVA_HOME=[JDK path]

7. Check that it is set properly with echo $JAVA_HOME

8. Write the Bash script /etc/init.d/tomcat as shown in the lecture figure.

9. Change the permission of the script file to 755 (rwxr-xr-x).

10. Write the contents shown in the lecture figure inside the <tomcat-users> tag of the apache-tomcat-xx/conf/tomcat-users.xml file.

11. Move the WebGoat.war file to Tomcat's webapps directory.

12. Start Tomcat with the script written before (/etc/init.d/tomcat start).

13. WebGoat is now accessible from a browser at the server's IP address on port 8080.

14. You can log in with the Tomcat accounts set up before.



Exercise) Buffer Overflow


Buffer Overflow


The most fundamental concept behind a buffer overflow is overwriting. As the word overflow suggests, when the input is larger than the buffer allocated for it, the data exceeds the buffer's limit, crosses its boundary and overwrites the adjacent memory.


WebGoat - Buffer Overflow Exercise

    * Before starting the exercise, there are three tools to prepare:

          - Burp Suite

          - Portable Firefox

          - JDK




Burp Suite is a comprehensive web testing tool that provides a proxy and various other web testing features. It runs on the Java Virtual Machine, which is why the JDK is needed. In this exercise we use the proxy feature, which lets us intercept a request sent by the browser and modify its contents before it reaches the server.



Portable Firefox


Portable Firefox is a build of the Firefox web browser that can be used without installation. The Hacker's Firefox build has a proxy settings menu that lets the user change proxy settings easily; with it, requests sent from the browser are routed through the proxy server. The lecture's figure shows this settings menu.



Exercise – Buffer Overflow

Version 5.4 introduced a nice Off-by-One Buffer Overflow vulnerability drill. Despite being rarer, buffer overflow vulnerabilities on the web occur when a tier of the application has insufficient memory allocated to deal with the data submitted by the user. Typically, such a tier would be written in C or a similar language. For this particular subset, namely off-by-one overflows, the lesson focuses on the consequences of being able to overwrite the position of the trailing null byte. As a result, further information is returned to the user, because no null byte was found. As of writing, this lesson has not been developed yet by the WebGoat authors.

- http://webappsecmovies.sourceforge.net/webgoat/
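The following C program is an added example, not code from WebGoat or from the lesson above; it illustrates both the general "overwriting" idea from the Buffer Overflow section and the specific off-by-one case the lesson description quotes: a field sized for the data but not for its terminating null byte. The struct layout, the field sizes and the secret value are constructed for the example. The vulnerable function fills the whole field with strncpy, so an input of exactly the field size leaves no null byte and a "%s"-style echo of the field runs on into the adjacent secret; the fixed function reserves the last byte for the terminator and truncates instead.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed layout (an assumption for this example, not from WebGoat):
 * the field that receives user input sits directly in front of data the
 * user must never see. Two char arrays have no padding between them. */
#define NAME_LEN 8
struct session {
    char name[NAME_LEN];   /* filled from user input */
    char secret[16];       /* server-side only */
};

/* Number of bytes a "%s"-style echo of rec->name would emit. Like printf,
 * it stops at the first NUL it finds, wherever that is in the object; the
 * object is scanned as plain bytes so the scan itself is well defined. */
static size_t echoed_length(const struct session *rec)
{
    const unsigned char *p = (const unsigned char *)rec;
    size_t n = 0;
    while (n < sizeof *rec && p[n] != '\0')
        n++;
    return n;
}

/* Fresh record holding a constructed secret (15 characters + NUL). */
static void init_session(struct session *rec)
{
    memset(rec, 0, sizeof *rec);
    strcpy(rec->secret, "token=EXAMPLE12");
}

/* Vulnerable: the field was sized for the data but not for its terminator.
 * For input of NAME_LEN bytes or more, strncpy fills all NAME_LEN bytes and
 * writes no NUL, so an echo of the field runs on into rec->secret. */
size_t vulnerable_echo_length(const char *input)
{
    struct session rec;
    init_session(&rec);
    strncpy(rec.name, input, NAME_LEN);
    return echoed_length(&rec);
}

/* Fixed: the last byte of the field is reserved for the terminator;
 * over-long input is truncated rather than allowed to consume it. */
size_t fixed_echo_length(const char *input)
{
    struct session rec;
    init_session(&rec);
    snprintf(rec.name, sizeof rec.name, "%s", input);
    return echoed_length(&rec);
}

int main(void)
{
    const char *short_input = "Bob";       /* fits, terminator intact */
    const char *long_input  = "ABCDEFGH";  /* exactly NAME_LEN bytes */

    printf("name field: %d bytes\n", NAME_LEN);
    printf("vulnerable, \"%s\": %zu bytes echoed\n", short_input,
           vulnerable_echo_length(short_input));
    printf("vulnerable, \"%s\": %zu bytes echoed\n", long_input,
           vulnerable_echo_length(long_input));
    printf("fixed,      \"%s\": %zu bytes echoed\n", long_input,
           fixed_echo_length(long_input));
    return 0;
}
```

With the short input both versions echo 3 bytes; with the 8-byte input the vulnerable version echoes 23 bytes (the 8-byte name plus the 15-byte secret that follows it), while the fixed version echoes 7. The defensive rule the fixed function applies is the one to look for in review: every bounded copy into a fixed-size field must leave room for, and actually write, the terminator.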


 The solution is at http://webappsecmovies.sourceforge.net/webgoat/movies/WebGoat_Off-by-One-BufferOverflow/


Other WebGoat solutions can be found on YouTube and at http://webappsecmovies.sourceforge.net/webgoat/



 OWASP, https://www.owasp.org/index.php/Main_Page

 OWASP Top Ten Project, https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

 WebGoat User and Install Guide, https://www.owasp.org/index.php/WebGoat_User_and_Install_Guide_Table_of_Contents

 WebGoat Solution, http://webappsecmovies.sourceforge.net/webgoat/


Copyright © 2014 ICS Lab. Ajou Univ. All rights reserved.