Hi community, has anyone scanned OWASP WebGoat with Qualys WAS? I have the problem that the scan result only includes XSS findings. Thanks a lot, Conrad
I have asked our engineering team to do a scan and let us know what issues they may find.
If any other community members have scanning experience with the most recent version of WebGoat we'd love to hear from them.
Hi Will, thanks for your help. Could you send me the report if your colleagues executed the scan? You can see my scan "efforts" with medium scan intensity and with low scan intensity. Thanks!
The "low" intensity scan found some XSS and SQL injection vulns, but the "medium" only found the XSS. At first glance, this might indicate the WebGoat instance couldn't handle the traffic from the scan and possibly crashed. Note that QID 150018 in the "medium" scan indicated the scanner encountered several HTTP 500 errors during the crawl; this is another indicator that the WebGoat instance might have fallen over.
In general, apps like WebGoat are poor targets for testing scanners since such apps are designed for educational purposes and their design is more reflective of guiding a user rather than presenting the kind of large, complex apps on the web. It still has vulns that represent real problems found in real web apps, but WebGoat is (rightly) focused on teaching the concepts. We haven't done anything specific to tune our payloads against an app like WebGoat.
For a specific WebGoat target, you might also want to blacklist certain links that can reset or otherwise interfere with the session. Regexes for three such links are:
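The diagnostic reasoning above (fewer finding categories at higher intensity plus HTTP 500s during the crawl suggests the target fell over) as a small triage helper. This is an added example, not part of Mike's post, not the regex list he refers to, and not Qualys WAS code; the crawl log format and finding sets are constructed for illustration.

```python
import re

# Constructed sample crawl log lines, not real Qualys WAS output.
# Format assumed here: "<method> <url> <status>".
CRAWL_LOG_MEDIUM = """
GET /WebGoat/attack?Screen=1 200
POST /WebGoat/attack?Screen=1&menu=200 200
GET /WebGoat/attack?Screen=2 500
GET /WebGoat/attack?Screen=3 500
GET /WebGoat/attack?Screen=4 500
GET /WebGoat/attack?Screen=5 500
GET /WebGoat/attack?Screen=6 500
""".strip().splitlines()

# Constructed finding categories for the two scans described in the thread.
FINDINGS_LOW = {"XSS", "SQL Injection"}
FINDINGS_MEDIUM = {"XSS"}

LINE_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")


def server_error_ratio(log_lines):
    """Fraction of parsed crawl requests that returned an HTTP 5xx status."""
    statuses = []
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if m:
            statuses.append(int(m.group("status")))
    if not statuses:
        return 0.0
    errors = sum(1 for s in statuses if 500 <= s <= 599)
    return errors / len(statuses)


def lost_findings(baseline, comparison):
    """Categories found at the lower intensity but missing at the higher one."""
    return sorted(baseline - comparison)


def assess_stability(log_lines, baseline, comparison, threshold=0.25):
    """Flag the target as unstable when 5xx errors are frequent AND findings vanished."""
    ratio = server_error_ratio(log_lines)
    lost = lost_findings(baseline, comparison)
    return {"error_ratio": ratio, "lost": lost, "target_unstable": ratio >= threshold and bool(lost)}


if __name__ == "__main__":
    print(assess_stability(CRAWL_LOG_MEDIUM, FINDINGS_LOW, FINDINGS_MEDIUM))
```

A high error ratio with vanished categories is a cue to re-run at lower intensity or to restart the target before trusting the higher-intensity report.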
Hi Mike, thanks for your answer. I know that WebGoat is for educational purposes. The background of why I tried to scan WebGoat is that I am currently writing my bachelor thesis and I would like to compare different web application scanners to find the best one by the given requirements (reporting, scaling, etc.). To compare the different solutions, I need to scan the same web app as a reference. I'll try to tune my scan settings to prevent the application from crashing. So, did you execute a scan? Could you maybe upload your version of the scan report?
Cool. Sounds like you're working on a comprehensive approach to looking at scanners, Conrad.
The work I do produces raw output instead of the nicer PDF format. (I'm the lead dev on the engine; I'd be happy to answer other questions, too.) But I can produce a report for you in a day or so and provide you a copy by next Monday May 13th.
Yeah, that's very nice. If that is not too much work for you, I would be happy if you could upload the raw output and the PDF report. I'm very happy about this community and being able to clarify questions directly with the Qualys engineers. Thank you very much for that.
How about WebGoat credentials? Define authentication. Please inform me what to do.