Wilson Mar bio photo

Wilson Mar


Calendar YouTube Github


Run the deliberately insecure Java app within Docker with a Contrast Security agent reporting issues and trends over time.

US (English)   Norsk (Norwegian)   Español (Spanish)   Français (French)   Deutsch (German)   Italiano   Português   Estonian   اَلْعَرَبِيَّةُ (Egypt Arabic)   Napali   中文 (简体) Chinese (Simplified)   日本語 Japanese   한국어 Korean


This is a hands-on introduction to WebGoat, a deliberately insecure Java 11 Spring-Boot application maintained by volunteers affiliated with OWASP (Open Web Application Security Project).

NOTE: Content here are my personal opinions, and not intended to represent any employer (past or present). “PROTIP:” here highlight information I haven’t seen elsewhere on the internet because it is hard-won, little-know but significant facts based on my personal research and experience.

WebGoat is used instead of sample apps which contain only unintended vulnerabilities, such as Microsoft’s Music Store .NET app, which is not updated anymore

WebGoat is one of the subjects in the VIDEO: CSSLP (Certified Secure Software Lifecycle Professional) exam.

WebGoat source is open sourced at:

NOTE: WebGoat uses almost 200 Java and JavaScript libraries.

Code for both Goat apps are being actively maintained up to the current time.


Other intentionally vulnerable apps are

  • WebSpoit learning environment within Kali Linux by Omar Santos (ohmrXr on redteamvillage.io/discord) https://github.com/The-Art-of-Hacking/h4cker (https://h4cker.org/learning-path)

    Medium) proxmox.com/en/ virtual environments

Tutorials within WebGoat


The WebGoat server presents a list of common vulnerabilities as classified by OWASP Top 10. Note the WebGoat menu is missing (A6) Security Misconfiguration and (A10) Insufficient Logging.

For each vulnerability, it provides coding tutorials along with a UI to initiatie penetration attacks on itself. For example, to prove that it can use an Insecure Deserialization vulnerability to take over the machine running, it opens that machine’s calculator app (which a well-behaved app would not be able to do).

The goat apps are used to train and benchmark appsec scanner tools such as Fortify, Contrast Assess/Protect, etc.

CAUTION: While running this program your machine will be extremely vulnerable to attack. You should disconnect from the Internet while using this program.

Get WebWolf GUI from Docker Hub

There is an all-in-one WebGoat container on Docker Hub, with WebGoat and WebWolf running inside:

    docker run -p 8080:8080 -p 9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf

NOTE: The lead contributor (nbaars), Googler Nanne Baars, lives in the Netherlands (where Amsterdam is the largest city).

The image contains a JRE.

HSQLDB server 2.5.0 is online on port 9001.

WebGoat’s default configuration binds to localhost to minimize the exposure.

  1. Open browser for:

  2. First time on the WebGoat GUI, click “Register as new user”.
  3. Check “Agree”.

  4. On the landing page, notice “your very own scapegoat”.

OWASP Benchmark App

The OWASP benchmark (at https://owasp.org/www-project-benchmark) is a sample Java application containing 1,415 vulnerabilities in 11 categories:

Injection vulnerabilities:

  • Command Injection (cmdi)
  • SQL Injection (sqli)
  • LDAP Injection (Idapi)
  • XPATH Injection (xpathi)

  • Cross Site Scripting - “Injection of javascript code” (xss)
  • Path Traversal - “Injection of file paths” (pathtraver)

Weak Algorithms:

  • Weak Cryptography (crypto)
  • Weak Randomness (hash)
  • Weak Randomization (weakrand)


  • Secure Cookie Flag (securecookie)
  • Trust Boundary Violation (trustbound)

Prioritize by Blast Radius

Vulnerability scanner vendor Snyck’s State of Open Source Security in DevSecOps Pipelines” 2020 report revealed this scatterplot of the number of vulnerabilities (CVEs) on the vertical scale compared against the number of projects impacted by them on the horizontal scale.


VIDEO: Alyssa “There is nothing in the upper-right quadrant, and that was shocking. …we can have hundreds and hundreds of cross-site scripting vulnerabilities reported in packages, but the number of projects that those packages impact is fairly small. On the flip side, you have deserialization and prototype pollution which are more complex … and later to the game. For prototype pollution there were 3 vulnerability reports but the reason they had such massive impact is they were found in open source packages* that are widely used (lodash CVE-2019-10744*, jQuery CVE-2019–11358).”

“Malicious packages are more targeted.”

Code samples

Counterparts written in other languages:



Ruby on Rails

C#/.Net/.Net Core






Swift/Obj C


Attack tools

There are several tools available to conduct penetration testing against the WebGoat app.

SecToolMarket.com ranks web application scanners’ pricing and features, as described in sectooladdict.blogspot.com, last updated Sep 18, 2016 by Shay Chen (@sectooladdict). http://sectooladdict.blogspot.com/2017/11/wavsep-2017-evaluating-dast-against.html


In this pdf, ShiftLeft.io notes that false positives found in just 3 snippets as due to “overtainting” collections and disabled branches of switch statements that are unreachable, which is a rare edge case.

ShiftLeft claims that the accuracy of its “NG SAST” (Next Generation) utility is greater than traditional code analysis tools. NG SAST queries binaries and source code modeled by Code Property Graph (CPG) which combines many graphs. It combines graphs from the compiler (e.g., the abstract syntax tree, the program dependence graph, the control flow graph, etc.) to generate a single graph that contains all possible routes from all sources to all sinks, including all security transforms and sanitization steps.

shiftleft io-vul-types

The table above* compares how ShiftLeft augments existing techniques to identify vulnerabilities:

  • Abstract Syntax Tree (AST) parsed from the stream of tokens scanned from source code
  • Control Flow Graph (CFG) transformed from AST
  • Program Dependency Graph (PDG) Data Flow Analysis operating on CFG

The combined Code Property Graph (CPG) provides a representation of app code under test (in a graph database) that is multifacted enough to deal with the complex combinations of program properties which can make it vulnerable.


CPG enables NG SAST to accurately determine when routes are actually vulnerable to dirty inputs vs. when the route is protected by sanitization.IEEE whitepaper “Modelling & Discovering Vulnerabilities with Code Property Graphs” by Fabian Yamaguchi.

ShiftLeft Security achieves less false positives in static SAST and less false negatives in dynamic DAST because it has a data-flow tracker which “is interprocedural, flow-sensitive, context-sensitive, field-sensitive, and operates on an intermediate code representation. The engine performs on-the-flypoints-to analysis to resolve call sites and is able to benefit from the results of constant propagation, control flow graph pruning, and framework analysis passes.”

Many CWE are for C/C++ code. Joern is a vulnerability research platform for robust analysis of C/C++ code.*

Back reference to underlying code enables ShiftLeft running in production to finely report on data inputs triggers and output destinations (variable names from code):


NOTE: The above is no longer sold.


Contrast Security can determine whether attacks are occurring on WebGoat (the “Protect” portion of its offering). It also can assess whether the app code is vulnerable to attacks.


You can run WebGoat from DockerHub with the Contrast Security agent added by quickly triple-clicking the command below and pasting it on your macOS or Linux server Terminal:

    bash -c "$(curl -fsSL https://raw.githubusercontent.com/wilsonmar/DevSecOps/master/bash/sample.sh)" -W -k -a -o -s -v -K -D -M

The script installs all that is needed, including Docker Desktop. It downloads docker-compose.yml from:

Contrast Security is what Gartner calls “RASP (Runtime Application Self-Protection)”. Fashionable in the era of “self-protecting” software (philosophy of “Zero Trust”).*

The Contrast agent intercepts all calls from the app, and analyzes the stream of calls to make sure they’re secure, and validates data requests directly inside the app. The continuous interception essentially provides a chance to “innoculate” apps from vulnerabilities such as struts2. Without it, apps are “sitting ducks” while time is taken to add CVEs to scanners, then more time to replace, retest app code.

At time of writing, the image contains OpenJDK 8 (not 11). The agent analyzes Java byte code. So it works with Scala as well as Java code. And it works with both custom code and libraries. It protects both web and non-web apps. From the inside out.

The agent emits issues found to a an on-prem. or SaaS collector by Contrast Security.

The Contrast server can then send alerts to Slack.

The Contrast dashboard visualizes the count of Vulnerabilities and Attacks seen over a period of time.


The Contrast Policy Management GUI enables specification of Protect Rules specific to an environment: Dev, or QA, or Prod.

The agent calculates the number of logical paths through the application code. So it knows when a library loaded by the app is not even used. And it provides context not understood by external blocking-mode WAF. Contrast enables database queries fully formed (not just the way it looks at the firewall).

The down side of this approach is that business process (end-to-end) test automation scripts are needed to exercise the app fully. So scripts written for running by WebInspect, Burp Suite, and other Dynamic (DAST) pentration testing tools are still useful.

-s among shell script parameters specifies that the script read secrets from the default file secrets.env on your $HOME user folder. But before running the script, populate values for variables after you get a trial account at Contrast Security.com:


-o opens the web page to show the WebGoat GUI.

The port (8080) is hard-coded in variable APP1_PORT in the sample.sh script.





https://find-sec-bugs.github.io is the SpotBugs plugin for security audits of Java web applications. It claims to detect 135 different vulnerability types with over 816 unique API signatures.





There are several:


In General > HTTP Basics page, it mentions installing and running the Zed Attack Proxy (ZAP) the latest using (on a Mac):

brew install --cask owasp-zap

Burp Suite

Burp Suite from https://portswigger.net/burp has a Community Edition.

Installing Burp Suite And WebGoat [10:01, turn off volume] on Windows.

Dependency Check Lab

John Marx has 1 hour hands-on video course about how to run the OWASP Dependency Check Lab (run-depchedk.sh) as example of a SAST (Static Application Security Test) for both build-time and run-time use against the webgoat.jar file from the Linux command line (after get-webgoat.sh).

The Dependency Check is run from a Docker Container containing an Apache Web Server. The run outputs HTML reports. It is reviewed and methods for use of these reports by production monitoring applications.

  1. Run the get-webgoat.sh shell script
  2. Run the run-depcheck.sh shell script
  3. Copy the HTML reports produced to the Apache Web Server root Directory
  4. Use the Browser to view the Dependency Check Reports which links to the National Vulnerabilities Database at https://nvd.nist.gov.

$ ls -l

Once you have verified that the instance is fully operational, use the get-webgoat.sh shell script to pull the webgoat .jar file from github.com

$ sh get-webgoat.sh

Once the .jar file is downloaded to the cloud_user home directory, run the shell script that uses docker to pull the OWASP Dependency Check program from Docker Hub and execute it.

$ sudo sh run-depcheck.sh

*Note: You will need the cloud_user password to run as a sudo user.

After the Dependency Check program has completed, you can use an ls command to view the reports created.

$ ls -l owreport/*

Once created, use the copy.sh script to copy the .html reports to the apache web server root.

$ sudo sh copy.sh

After the files have been copied to the apach root, check that they are there with an ls command.

$ ls -l /var/www/html

Now view the reports from your browser usiing the following URL addresses:

HTTP://[Public IP Address]/dependency-check-report.html


HTTP://[Public IP Address]/dependency-check-vulnerability.html

YouTube Videos

krypt0mux of https://github.com/ethicalhackingplayground


OWASP Webgoat 8 : Setting up the environment Jan 30, 2019 [5:14]

  1. Identify the latest version:


  2. Download

    wget https://github.com/WebGoat/WebGoat/releases/download/v8.0.0.M23/webgoat-server-8.0.0.M23.jar
  3. Within Docker, WebGoat is started by:

    java -jar webgoat-server-8.0.0.M23.jar [--server.port=8080] [--server.address=localhost]

OWASP Webgoat 8 : SQL Injection Attack / Mitigations Jan 31, 2019 [11:13]


https://soundcloud.com/owasp-podcast/2016-appsec-usa-an-update-on-the-webgoat-project 2016 AppSec USA - An Update on the WebGoat Project Bruce Mayhew, Nanne Baars and Jason White,


  1. Open another browser for:

  2. Register as new user.


Cross-Site Scripting (XSS) Web Attack (Demo for AppSec) Fortify Unplugged 1 year ago

More on DevOps

This is one of a series on DevOps:

  1. DevOps_2.0
  2. ci-cd (Continuous Integration and Continuous Delivery)
  3. User Stories for DevOps
  4. Enterprise Software)

  5. Git and GitHub vs File Archival
  6. Git Commands and Statuses
  7. Git Commit, Tag, Push
  8. Git Utilities
  9. Data Security GitHub
  10. GitHub API
  11. TFS vs. GitHub

  12. Choices for DevOps Technologies
  13. Pulumi Infrastructure as Code (IaC)
  14. Java DevOps Workflow
  15. Okta for SSO & MFA

  16. AWS DevOps (CodeCommit, CodePipeline, CodeDeploy)
  17. AWS server deployment options
  18. AWS Load Balancers

  19. Cloud services comparisons (across vendors)
  20. Cloud regions (across vendors)
  21. AWS Virtual Private Cloud

  22. Azure Cloud Onramp (Subscriptions, Portal GUI, CLI)
  23. Azure Certifications
  24. Azure Cloud

  25. Azure Cloud Powershell
  26. Bash Windows using Microsoft’s WSL (Windows Subsystem for Linux)
  27. Azure KSQL (Kusto Query Language) for Azure Monitor, etc.

  28. Azure Networking
  29. Azure Storage
  30. Azure Compute
  31. Azure Monitoring

  32. Digital Ocean
  33. Cloud Foundry

  34. Packer automation to build Vagrant images
  35. Terraform multi-cloud provisioning automation
  36. Hashicorp Vault and Consul to generate and hold secrets

  37. Powershell Ecosystem
  38. Powershell on MacOS
  39. Powershell Desired System Configuration

  40. Jenkins Server Setup
  41. Jenkins Plug-ins
  42. Jenkins Freestyle jobs
  43. Jenkins2 Pipeline jobs using Groovy code in Jenkinsfile

  44. Docker (Glossary, Ecosystem, Certification)
  45. Make Makefile for Docker
  46. Docker Setup and run Bash shell script
  47. Bash coding
  48. Docker Setup
  49. Dockerize apps
  50. Docker Registry

  51. Maven on MacOSX

  52. Ansible
  53. Kubernetes Operators
  54. OPA (Open Policy Agent) in Rego language

  55. MySQL Setup

  56. Threat Modeling
  57. SonarQube & SonarSource static code scan

  58. API Management Microsoft
  59. API Management Amazon

  60. Scenarios for load
  61. Chaos Engineering

More on Security

This is one of a series on Security in DevSecOps:

  1. Security actions for teamwork and SLSA
  2. DevSecOps

  3. Code Signing on macOS
  4. Transport Layer Security

  5. Git Signing
  6. GitHub Data Security
  7. Encrypt all the things

  8. Azure Security-focus Cloud Onramp
  9. Azure Networking

  10. AWS Onboarding
  11. AWS Security (certification exam)
  12. AWS IAM (Identity and Access Management)
  13. AWS Networking

  14. SIEM (Security Information and Event Management)
  15. Intrusion Detection Systems (Goolge/Palo Alto)
  16. Chaos Engineering

  17. SOC2
  18. FedRAMP
  19. CAIQ (Consensus Assessment Initiative Questionnaire) by cloud vendors

  20. AKeyless cloud vault
  21. Hashicorp Vault
  22. Hashicorp Terraform
  23. OPA (Open Policy Agent)

  24. SonarQube
  25. WebGoat known insecure PHP app and vulnerability scanners
  26. Test for OWASP using ZAP on the Broken Web App

  27. Security certifications
  28. Details about Cyber Security

  29. Quantum Supremecy can break encryption in minutes
  30. Pen Testing
  31. Kali Linux

  32. Threat Modeling
  33. WebGoat (deliberately insecure Java app)