Version v2023.8

🚀 New functionality

• Consistent environment values and url references (#1677)
• Show directly requested file in requests overview
• Show creating time in file upload overview

🐞 Bug fixes

• Fix startup message (#1687)
• Fix/state of software supply chain links (#1683)
• Fix WebWolf UI (#1686)

🔄 Technical tasks

• bump actions/setup-java from 3 to 4 (#1690)
• bump commons-io:commons-io from 2.14.0 to 2.15.1 (#1689)
• bump com.diffplug.spotless:spotless-maven-plugin (#1688)

Full change log: v2023.5...v2023.8

Team WebGoat

Version 2023.5

New functionality

• Implement JWT jku example (#1552)
• Java 21 initial support (#1622)
• improve MFAC lesson hint texts for a better user experience (#1424)
• upgrade to Spring Boot version 3 (#1477)

Bug fixes

• typo in WebGoad.txt (#1667)
• search box moved and jwt encode/decode with little delay (#1664)
• skip validation for JWT (#1663)
• fixed issue in JWT test tool and added robot test (#1658)
• Password reset link test condition more strict and move all WebWolf links to /WebWolf (#1645)
• fix servers id (#1619)
• potential NPE in the stored XSS assignment
• crypto basics broken links
• fixes the default change in trailing slash matching and address the affected assignments
• hint that was breaking the template, causing hints from different assignments to mix (#1424)
• HijackSession lesson template deprecated Tymeleaf attribute
• Fix NPE in IDOR lesson
• Add new assignment IT tests
• XSS mitigation
• Stored Cross-Site Scripting Lesson
• Add Assignment7 Tests
• Fix IDOR lesson
• remove steps from release script (#1509)
• robotframework fails due to updated dependencies (#1508)
• fix Java image inside Docker file The image now downloads the correct Java version based on the architecture.
• Fix typo of HijackSession_content0.adoc
• Restrict SSRF Regexes
• update challenge code - Flags are now wired through a Spring config - Introduced Flag class - Removed Flags from the FlagController

Full change log: v2023.4...v2023.5

Contributors

Special thanks to the following contributors providing us with a pull request:

• Àngel Ollé Blázquez
• Nanne Baars
• René Zubcevic
• Agustín Díaz
• François Capon
• Loris Sierra
• caputdraconis
• test2user-aqil

And everyone who provided feedback through Github.

Team WebGoat

Version 2023.4

New functionality

• #1422 Add Docker Linux Desktop variant with all tools installed. Thanks to the OWASP WrongSecrets project we now have a Docker Linux desktop image with all the tools installed. No need to install any tools locally only run the new Docker image. See README.md for details on how to start it.
• #1411 JWT: looks that buy as Tom also works with alg:none.

Bug fixes

• #1410 WebWolf: JWT decode is broken.
• #1396 password_reset return 500 Error.
• #1379 Move XXE to A05:2021-Security Misconfiguration.

Version 2023.3

With great pleasure, we present you with a new release of WebGoat 2023.3. Finally, it has been a while. This year starts with a new release of WebGoat. This year we will undoubtedly release more often. From this release on, we began to use a new versioning scheme (https://calver.org/#scheme).

A big thanks to René Zubcevic and Àngel Ollé Blázquez for keeping the project alive this last year, and hopefully, we can make
many more releases this year.

New functionality

• New year's resolution(2022): major refactoring of WebGoat to simplify the setup and improve building times.
• Move away from multi-project setup:
  • This has a huge performance benefit when building the application. Build time locally is now Total time: 42.469 s (depends on your local machine of course)
  • No longer add Maven dependencies in several places
  • H2 no longer needs to run as separate process, which solves the issue of WebWolf sharing and needing to configure the correct database connection.
• More explicit paths in html files to reference adoc files, less magic.
• Integrate WebWolf in WebGoat, the setup was way too complicated and needed configuration which could lead to mistakes and a not working application. This also simplifies the Docker configuration as there is only 1 Docker image.
• Add WebWolf button in WebGoat
• Move all lessons into src/main/resources
• WebGoat selects a port dynamically when starting. It will still start of port 8080 it will try another port to ease the user experience.
• WebGoat logs URL after startup: Please browse to http://127.0.0.1:8080/WebGoat to get started...
• Simplify Dockerfile as we no longer need a script to start everything
• Maven build now start WebGoat jar with Maven plugin to make sure we run against the latest build.
• Added Initializable interface for a lesson, an assignment can implement this interface to set it up for a specific user and to reset the assignment back to its original state when a reset lesson occurs. See BlindSendFileAssignment for an example.
• Integration tests now use the same user. This saves a lot of time as before every test used a different user which triggered the Flyway migration to set up the database schema for the user. This migration took a lot of time.
• Updated introduction lesson to WebWolf.
• Added language switch for support for multiple languages.
• Removed logic to start WebGoat on a random port when port 8080 is taken. We would loop until we found a free port. We simplified this to just start on the specified port.
• Add Google formatter for all our code, a PR now checks whether the code adheres to the standard.
• Renaming of all packages and folders.
• #1039 New OWASP Top 10
• #1065 New lesson about logging

Bug fixes

• #1193 Vulnerable component lesson - java.desktop does not "opens java.beans" to unnamed module
• #1176 Minor: XXE lesson 12 patch not reset by 'lesson reset' while it IS reset by leaving/returning to lesson
• #1134 "Exploiting XStream" assignment does not work
• #1130 Typo: Using Indrect References
• #1101 SQL lesson not correct
• #1079 startup.sh issues of WebWolf - cannot connect to the WebGoat DB
• #1379 Move XXE to A05:2021-Security Misconfiguration
• #1298 SocketUtils is deprecated and will be removed in Spring Security 6
• #1248 Rewrite the WebWolf Introduction Lesson with the new changes
• #1200 Type cast error in sample code at JWT token section
• #1173 --server.port=9000 is not respected on Windows (both cmd as Powershell)
• #1103 (A1) path traversel lesson 7 seems broken
• #986 - User registration not persistant

Full change log: v8.2.2...v2023.3

Contributors

Special thanks to the following contributors providing us with a pull request:

And everyone who provided feedback through Github.

Team WebGoat

Version 2023.2

With great pleasure, we present you with a new release of WebGoat 2023.2. Finally, it has been a while. This year starts with a new release of WebGoat. This year we will undoubtedly release more often. From this release on, we began to use a new versioning scheme (https://calver.org/#scheme).

A big thanks to René Zubcevic and Àngel Ollé Blázquez for keeping the project alive this last year, and hopefully, we can make
many more releases this year.

New functionality

• New year's resolution(2022): major refactoring of WebGoat to simplify the setup and improve building times.
• Move away from multi-project setup:
  • This has a huge performance benefit when building the application. Build time locally is now Total time: 42.469 s (depends on your local machine of course)
  • No longer add Maven dependencies in several places
  • H2 no longer needs to run as separate process, which solves the issue of WebWolf sharing and needing to configure the correct database connection.
• More explicit paths in html files to reference adoc files, less magic.
• Integrate WebWolf in WebGoat, the setup was way too complicated and needed configuration which could lead to mistakes and a not working application. This also simplifies the Docker configuration as there is only 1 Docker image.
• Add WebWolf button in WebGoat
• Move all lessons into src/main/resources
• WebGoat selects a port dynamically when starting. It will still start of port 8080 it will try another port to ease the user experience.
• WebGoat logs URL after startup: Please browse to http://127.0.0.1:8080/WebGoat to get started...
• Simplify Dockerfile as we no longer need a script to start everything
• Maven build now start WebGoat jar with Maven plugin to make sure we run against the latest build.
• Added Initializable interface for a lesson, an assignment can implement this interface to set it up for a specific user and to reset the assignment back to its original state when a reset lesson occurs. See BlindSendFileAssignment for an example.
• Integration tests now use the same user. This saves a lot of time as before every test used a different user which triggered the Flyway migration to set up the database schema for the user. This migration took a lot of time.
• Updated introduction lesson to WebWolf.
• Added language switch for support for multiple languages.
• Removed logic to start WebGoat on a random port when port 8080 is taken. We would loop until we found a free port. We simplified this to just start on the specified port.
• Add Google formatter for all our code, a PR now checks whether the code adheres to the standard.
• Renaming of all packages and folders.
• #1039 New OWASP Top 10
• #1065 New lesson about logging

Bug fixes

• #1193 Vulnerable component lesson - java.desktop does not "opens java.beans" to unnamed module
• #1176 Minor: XXE lesson 12 patch not reset by 'lesson reset' while it IS reset by leaving/returning to lesson
• #1134 "Exploiting XStream" assignment does not work
• #1130 Typo: Using Indrect References
• #1101 SQL lesson not correct
• #1079 startup.sh issues of WebWolf - cannot connect to the WebGoat DB
• #1379 Move XXE to A05:2021-Security Misconfiguration
• #1298 SocketUtils is deprecated and will be removed in Spring Security 6
• #1248 Rewrite the WebWolf Introduction Lesson with the new changes
• #1200 Type cast error in sample code at JWT token section
• #1173 --server.port=9000 is not respected on Windows (both cmd as Powershell)
• #1103 (A1) path traversel lesson 7 seems broken
• #986 - User registration not persistant

Full change log: v8.2.2...v2023.2

Contributors

Special thanks to the following contributors providing us with a pull request:

And everyone who provided feedback through Github.

Team WebGoat

Version 8.2.2

New functionality

• Docker image now supports nginx when browsing to http://localhost a landing page is shown.

Bug fixes

• #1039 jwt-7-Code review
• #1031 SQL Injection (intro) 5: Data Control Language (DCL) the wiki's solution is not correct
• #1027 Webgoat 8.2.1 Vulnerable_Components_12 Shows internal server error

Version v8.2.1

New functionality

• New Docker image for arm64 architecture is now available (for Apple M1)

Version 8.2.0

New functionality

• Add new zip slip lesson (part of path traversal)
• SQL lessons are now separate for each user, database are now per user and no longer shared across users
• Moved to Java 15 & Spring Boot 2.4 & moved to JUnit 5

Bug fixes

• #974 SQL injection Intro 5 not solvable
• #962 SQL-Lesson 5 (Advanced) Solvable with wrong anwser
• #961 SQl-Injection lesson 4 not deleting created row
• #949 Challenge: Admin password reset always solvable
• #923 - Upgrade to Java 15
• #922 - Vulnerable components lesson
• #891 - Update the OWASP website with the new all-in-one Docker container
• #844 - Suggestion: Update navigation
• #843 - Bypass front-end restrictions: Field restrictions - confusing text in form
• #841 - XSS - Reflected XSS confusing instruction and success messages
• #839 - SQL Injection (mitigation) Order by clause confusing
• #838 - SQL mitigation (filtering) can only be passed by updating table

Contributors

Special thanks to the following contributors providing us with a pull request:

• nicholas-quirk
• VijoPlays
• aolle
• trollingHeifer
• maximmasiutin
• toshihue
• avivmu
• KellyMarchewa
• NatasG
• gabe-sky

Version 8.1.0

New functionality

• Added new lessons for cryptography and path-traversal
• Extra content added to the XXE lesson
• Explanation of the assignments will be part of WebGoat, in this release we added detailed descriptions on how to solve the XXE lesson. In the upcoming releases new explanations will be added. If you want to contribute please create a pull request on Github.
• Docker improvements + docker stack for complete container with nginx
• Included JWT token decoding and generation, since jwt.io does not support None anymore

Bug fixes

• #743 - Character encoding errors
• #811 - Flag submission fails
• #810 - Scoreboard for challenges shows csrf users
• #788 - strange copy in constructor
• #760 - Execution of standalone jar fails (Flyway migration step
• #766 - Unclear objective of vulnerable components practical assignment
• #708 - Seems like the home directory of WebGoat always use @project.version@
• #719 - WebGoat: 'Contact Us' email link in header is not correctly set
• #715 - Reset lesson doesn't reset the "HTML lesson" => forms stay succesful
• #725 - Vulnerable Components lesson 12 broken due to too new dependency
• #716 - On M26 @project.version@ is not "interpreted" #7
• #721 couldn't be able to run CSRF lesson 3: Receive Whitelabel Error Page
• #724 - Dead link in VulnerableComponents lesson 11

Contributors

Special thanks to the following contributors providing us with a pull request:

• Satoshi SAKAO
• Philippe Lafoucrière
• Cotonne
• Tiago Mussi
• thegoodcrumpets
• Atharva Vaidya
• torleif
• August Detlefsen
• Choe Hyeong Jin

And everyone who provided feedback through Github.

Team WebGoat

The WebGoat 7.1 Release is comprised 104 commits from 16 different contributors a over a period of 9 months.

This is a release ta include many bug fixes and is intended to be the last release of the 7.X branch, as the WebGoat team have big plans for next release.

For a glimpse of what has been implemented, check our change log:

Change Log

7.1 (2016-11-18)

Full Changelog

Implemented enhancements:

• i8n highlighting #96
• Improve uniqueness of menu item Id's #45

Fixed bugs:

• Stored XSS Lesson does not render message and attack does not fire #141
• Source code is not available for this lesson. #137

Closed issues:

• Fix lesson client side filtering #272
• Reset lesson does not work anymore #271
• Lesson plans not loading with manual build and easy-run jar (standalone jar) not running at all #268
• Unable to download webgoat jar file #261
• Developer edition build isn't working in its entirety #260
• Amazon S3 downloadable JAR is missing #259
• Code does not compile on dev branch #258
• Executable jar crashes if empty .extract folder exist #251
• Java Error Message in Lesson "How to Bypass a Path Based Access Control Scheme" #240
• developer bootstrap says git is missing when it is installed #236
• Application Won't Start #234
• Restart lesson button isn't working #226
• Navigation to start page is broken after login #218
• Links in menu missing pointer cursor #216
• Restart lesson button not working #213
• WebGoat stops at DEBUG - Exit: getEngine() #211
• Labs: Remnant files and solved stages #208
• Labs: Navigating to Instructor java examples #206
• WebGoat 7.0 and ZAP 2.4.3 will not proxy #204
• Failing Build #201
• Missing mvn package of webgoat-container in README.MD #200
• Seems translation to Russian for "Congratulations. You have successfully completed this lesson." phrase is broken. #199
• HtmlEncoder uses static methods but must be instantiated #195
• webgoat-container should unpack all the lessons #192
• Access Control Flaws, LAB stage 3: Remove the FindProfile screen #186
• Injection Flaws | XPath Injection date file path issue #184
• hints don't appear to work on labs #183
• Session Management Flaws - Spoof an Authentication Cookie render issue #181
• Challenge - Show* buttons show on initial lesson load #180
• Http Basics - minor edits and change completion state #178
• Lab Cross-Site Scripting Stage 1 solution #176
• Backdoor lesson breaks menu CSS #175
• Redirect localhost:8080 to localhost:8080/WebGoat #173
• Session Fixation link in stage 2 does not work #170
• A failure occurred when execute the command "sh webgoat_developer_bootstrap.sh" #145
• Copy lessons into plugin_lessons #254
• WebGoat // Lesson Plan and Solution are note available #242
• Lab: Client side filtering - broken path #232
• AXIS class not found error in Web Services / WSDL Scanning #222
• WSDL link in SOAP Request Lesson crashing with AXIS error #221
• Labs: RBAC stage 1 and 3 not working #209
• How to create a Legacy Lesson - instruction edit #177
• Can't tell when WebGoat has actually started when using: webgoat_developer_bootstrap.sh #75

Merged pull requests:

• Add VMware fusion #264 (akiernan)
• Remove Exception from method signature #257 (RubieV)
• Code cleanup using @test(expected = Exception) #256 (RubieV)
• Added OWASP Labs badge #252 (psiinon)
• updates from day 1 @appsec EU #246 (misfir3)
• Update java required version as stated in #234 #243 (span)
• Updates to Dev Bootstrap #239 (dilshanraja)
• Fix broken start/home link on logo #229 (span)
• Developer controls #228 (span)
• Admin should also be able to see the solution, source and lesson plan. #224 (nbaars)
• Fixed the classnames in the wsdd config file (moved to different pack… #223 (nbaars)
• Feature/169 #220 (nbaars)
• Update README.MD #219 (muzir)
• Fix #213 by changing the id of the restart button to the correct id #214 (span)
• Fixed #184 #212 (nbaars)
• Fix shebang #210 (nxadm)
• Enable weak authentication cookie lesson #207 (span)
• -- Remove raw type usage, add type check parameter. #205 (muzir)
• Update package references in readme #203 (span)
• Develop #202 (misfir3)
• Fixes #195 by adding static initialisation of the maps #197 (span)
• Add stage parameter in the session to keep track of current stage #196 (span)
• webgoat-container should unpack all the lessons #192 #193 (nbaars)