Scribd
Upload
251 views

Solving The WebGoat Labs Draft V2

The document provides an overview of the architecture and structure of the WebGoat labs, which use custom action handlers to execute business logic, load data into a session object, and then pass control to the view. It explains that code for each lab should be placed in folders corresponding to the lab name, and that lessons are designed with a method to fix alongside a backup method containing the original code. The document also includes sections on the database schema and organization chart used for WebGoat.

Uploaded by

vishalscribd77
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PDF, TXT or read online on Scribd
251 views

Solving The WebGoat Labs Draft V2

The document provides an overview of the architecture and structure of the WebGoat labs, which use custom action handlers to execute business logic, load data into a session object, and then pass control to the view. It explains that code for each lab should be placed in folders corresponding to the lab name, and that lessons are designed with a method to fix alongside a backup method containing the original code. The document also includes sections on the database schema and organization chart used for WebGoat.

Uploaded by

vishalscribd77
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 5

Solving the WebGoat Labs (DRAFT)

1) Labs are programming exercises


2) All user login passwords are the same as the first name.

Architecture Overview
1) All labs use a custom Action Handler that is invoked from the main WebGoat servlet
HammerHead.java

Controller
HammerHead
Servlet
Delegate
Request

Model
ActionHandlers
Browser &
Forward WebSession Database

Response
View
main.jsp

2) The Action Handler (lesson objects) will execute their business logic, load the data
into the WebGoat WebSession object, and then turn control over to the view
component (JSP)
3) The WebGoat presentation only allows for a lesson to write into the Lesson Content
portion of the webpage.
Main Header main.jsp

Navigation
Bar Lesson Page
Lesson Header CrossSiteScripting.jsp
RoleBasedAccessControl.jsp
SQLInjection.jsp

Sub-view Page
Lesson Content EditProfile.jsp
ListStaff
Login
SearchStaff
ViewProfile

Where to put your code


1) After identifying the ActionHandler for your lesson all the classes involved for
that lesson will be in that folder.
a. For Example: RoleBasedAccessControl java files would be in the
org.owasp.webgoat.lessons.instructor.RoleBasedAccessControl folder
inside the Eclipse Package Explorer view.
The action handler for RoleBasedAccessControl would be
RoleBasedAccessControl.java. This is entry point into WebGoat for this
Lab

b. For Example: RoleBasedAccesControl JSPs would be in the


WebContent/Lessons/RoleBasedAccessControl folder inside the Eclipse
Package Explorer

Except for the CrossSiteScripting lab the JSPs do not require modification

2) All the labs are designed so the Method to be fixed has a _BACKUP method
which contains the original source code.
a. For Example: RoleBasedAccessControl/ListStaff.java has one method
where the developer is supposed to make their changes.
ListStaff.getAllEmployees( WebSession s, int userID) it also has a
corresponding ListStaff.getAllEmployees_BACKUP( …) method
b. The getAllEmployees method is the method you are supposed to fix in
order to solve the lesson.
3) RoleBasedAccessControl

WebGoat Access Control Policy


WebGoat Lab Database Schema
WebGoat Lab Organization Chart

You might also like