WebGoat and my loaptop
Results 1 to 8 of 8

Thread: WebGoat and my loaptop

  1. #1
    Member
    Join Date
    Dec 2001
    Posts
    84

    WebGoat and my loaptop

    I installed WebGoat on my laptop thats connected to my lan. was running it and.....
    Out of cuiosity I went to my desktop and connected to 192.168.0.3 and there was WebGoat....
    Laptop is running winxp pro sp2 and zonealarm... desktop ip win98....
    So I know that the server on webgoat is insecure by nature...the whole object is to find the security flaws....
    QUESTION....should I worry about my laptop being connected to the internet while I'm playing with WebGoat? Is the server open to the net like it is on my LAN?
    You can\'t squeeze cheese from a goat before it\'s hatched.............

  2. #2
    Senior Member
    Join Date
    Jul 2003
    Posts
    813
    Well if you have a router then I think you should be able to configure it to drop all requests on the port that WebGoat is listening on... that way you have a good chance to avoid leaving it too much in the open.

    Otherwise I suppose you're taking a pretty big chance with it,
    /\\

  3. #3
    Member
    Join Date
    Dec 2001
    Posts
    84

    yeah....

    Thats my concern..... I thought that it was an apache server only accessable to my stand alone laptop.... I have no file sharing on...no remote access on..... and I thought a good firewall.
    Turns out that the Apache server is accessable through the LAN...( so accessable through the net?)..
    I dont know, I'm gonna do a security scan by sygate or another in the morning, see if any ports are open, mabey scan from another box, I need to go to bed now.
    I don't want to have an insecure apache server running on my **** that's open to the world......
    You can\'t squeeze cheese from a goat before it\'s hatched.............

  4. #4
    Banned
    Join Date
    Apr 2004
    Posts
    843
    Hey, this thing looks pretty fun... Why don't you just stop whatever services that might be running when you go online? You don't have to uninstall anything... (_)

  5. #5
    Senior Member
    Join Date
    Jul 2003
    Posts
    813
    Well it's one thing to have it available on the LAN and quite another to be opened to the Internet. The LAN is the 'trusted zone' generally so you can have services that are selectively open.

    However it is possible to find out the address of the server and spoof a connection to make it seem as though coming from within the LAN.. it's true it's not the easiest thing ever but, theoretically, it's do-able.

    Just test it with as many online scans as you can and see what pops... also you could try fingerprinting yourself... look on Shrekkie's site, he has a NMap front-end you can use to test your local machine.
    /\\

  6. #6
    Member
    Join Date
    Dec 2001
    Posts
    84

    I guess I'm safe...

    I ran every online security scan I could find, scanned myself with nmap, scanned my laptop from my desktop.... all ports and sevices look to be stealthed or unavailable.
    So I guess I can stop worrying about running the Apache server while I'm connected to the internet and playing with WebGoat.

    Thanks for the replies.
    You can\'t squeeze cheese from a goat before it\'s hatched.............

  7. #7
    The WebGoat installation is inherently insecure, further along there are lessons on directory traversal and and anyone with access to the login will have root access on your box. Your integrity will get screwed by the command and parameter injection lessons if you allow the server to be over the internet.

    Don't let WebGoat have access to the internet. If you can reach the lessons outside of your lan, then you are wide open.

  8. #8
    Member
    Join Date
    Dec 2001
    Posts
    84

    outside the LAN

    it doesn'tlook like webgoat can be accessed outside of my lan, and I have my wireless router as locked down as it can get.......wep inabled with a strong string....mac filtered...password protected.....
    It wasnt the lan I was woried about, and every scan I did showed me that webgoat and the underlying apache server was not visible on the internet.
    I feel safe running this app now. No one seems to have have any security issuses that I havent thought of.

    Cheers/
    You can\'t squeeze cheese from a goat before it\'s hatched.............

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides