Software and Web Security 2

Software and Web Security 2, NWI-IPC026, Spring 2014

For the lab assignments we use WebGoat 5.4 and WebScarab.

Installation instructions

Warning: the Tomcat server in WebGoat does not seem to work on Java 8, so use Java 7 instead. There is lots of additional information on installation and use at the WebGoat 5.4 and WebScarab websites, but you shouldn't need it.

Starting everything up after the installation

To keep an overview of all the tools and installation instructions above: once everything is installed, you have to
  1. start WebGoat,
  2. start WebScarab,
  3. start your browser - Firefox or Chrome, and
    1. configure the network connection settings to use localhost port 8008 as a proxy,
    2. surf to http://localhost:8080/WebGoat/attack - NB port 8080, not port 8008 - and log in as guest with password guest,
and you should be ready to start on the exercises below.
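As an added example (not part of the course page), a pre-flight script that checks the three steps above and names the classic mix-up of the proxy port 8008 and the WebGoat port 8080. It assumes bash (for /dev/tcp) and curl are available, and that WebGoat 5.4 accepts HTTP Basic authentication as guest/guest; all function names are mine.

```bash
#!/usr/bin/env bash
# Pre-flight check for the lab setup above: does WebScarab listen on the proxy
# port, does WebGoat listen on its own port, and does a request sent through
# the proxy actually reach WebGoat? Assumptions (mine, not from the course
# page): bash (for /dev/tcp) and curl exist; WebGoat 5.4 takes Basic auth guest/guest.

PROXY_PORT=8008     # WebScarab: the browser's proxy setting points here
WEBGOAT_PORT=8080   # Tomcat/WebGoat: the URL in the address bar points here
WEBGOAT_URL="http://localhost:${WEBGOAT_PORT}/WebGoat/attack"

# port_open HOST PORT: succeeds if something accepts a TCP connection there.
port_open() {
  (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null
}

# role_of_port PORT: which tool the instructions assign to a port, so that a
# mix-up of 8008 and 8080 in the browser settings can be named explicitly.
role_of_port() {
  case "$1" in
    "$PROXY_PORT")   echo "webscarab-proxy" ;;
    "$WEBGOAT_PORT") echo "webgoat" ;;
    *)               echo "unknown" ;;
  esac
}

# proxied_status: HTTP status WebGoat returns for a request sent via WebScarab;
# 200 means the whole chain works, 000 means curl never got a reply.
proxied_status() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 5 \
       --proxy "http://localhost:${PROXY_PORT}" --user guest:guest "$WEBGOAT_URL"
}

preflight() {
  local ok=0 port status
  for port in "$PROXY_PORT" "$WEBGOAT_PORT"; do
    if port_open localhost "$port"; then
      echo "ok:   $(role_of_port "$port") is listening on port $port"
    else
      echo "FAIL: nothing on port $port; is $(role_of_port "$port") started?"; ok=1
    fi
  done
  if [ "$ok" -eq 0 ]; then
    status=$(proxied_status)
    [ "$status" = "200" ] && echo "ok:   WebGoat reachable through the proxy" \
      || { echo "FAIL: proxied request returned HTTP $status"; ok=1; }
  fi
  return "$ok"
}

case "${1:-}" in --check) preflight ;; esac   # usage: ./preflight.sh --check
```

A non-zero exit status from `preflight` tells you which of the three pieces is missing before you spend time on a lesson that simply cannot load.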


Below are the WebGoat exercises that we will do, per category. You can simply start from the top; precisely which ones should be handed in by when will be announced as we go along. You should at least be able to get 1, 2, and 3 done in the first tutorial session, unless you run into serious installation difficulties.

WebGoat maintains a score card, which shows which lessons you have done, and how many hints you used.
When you are done with a lesson, print this report card to a PDF file (because when you restart WebGoat in a VM or terminal room this information might be lost).
Give this file a meaningful name, which should include the number of the lesson, the date and your names. We will send email announcements on how and when to hand in these report cards, via Blackboard assignments, so that we can find out which lessons typically require more/fewer hints. (The number of hints you needed won't count towards a grade or anything, so there is no reason to cheat. Clearly, the whole report card can be faked anyway.) We changed the order but kept the original numbering, so the numbering below is not always consecutive.