Paranoid Penguin - Get a Clue with WebGoat

Hack, analyze and learn from an intentionally insecure Web application.
Conclusion

The OWASP Web site contains much more information about WebGoat, WebScarab and Web security in general. You may find the WebGoat User and Install Guide, located in the WebGoat section, especially useful. Be safe!

Mick Bauer (darth.elmo@wiremonkeys.org) is Network Security Architect for one of the US's largest banks. He is the author of the O'Reilly book Linux Server Security, 2nd edition (formerly called Building Secure Servers With Linux), an occasional presenter at information security conferences and composer of the “Network Engineering Polka”.


Comments


sudo and root password


Mick ---

Thanks for a good hands-on article on securing web apps. As you point out, this is one of the most important security challenges facing Web sites (and Web users) today.

One quibble, though. In the "Starting WebGoat" section, you twice mention that invoking sudo requires knowledge of the root password. Not so! The various *buntu distributions are a case in point: the root password is randomly assigned by the installer and not made available. However, the /etc/sudoers file is configured so any user in the "admin" group can use sudo to perform administration --- by supplying their own password, not root's.
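To make the distinction in this comment concrete, here is an added illustrative /etc/sudoers fragment (not from the article, the comment or any distribution's shipped file; it assumes a local group named "admin"): the group rule that grants administration, alongside the Defaults options that decide whose password sudo asks for.

```sudoers
# Added example, not the page's own text. Assumes a local "admin" group.

# Members of "admin" may run any command as any user. With no further
# Defaults, sudo prompts for the invoking user's OWN password, which is
# the behaviour the comment describes.
%admin ALL=(ALL) ALL

# Both options below are off unless explicitly set. Enabling either one
# is what would make sudo ask for a password other than the caller's:
#   Defaults rootpw      # prompt for root's password instead
#   Defaults targetpw    # prompt for the target (run-as) user's password
#
# After editing, validate the file with "visudo -c", and confirm the
# effective policy for the current account with "sudo -l".
```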
