How to quickly set up the Java agent on WebGoat


Objective

The following steps can be used to quickly spin up WebGoat (a purposefully vulnerable web app) with a Java agent attached. This can be especially useful to quickly test a new agent or demonstrate how Contrast works.

Process

  1. Download WebGoat. You can find version 8.1 on GitHub here.
    Notes:
    • You can use wget on Linux or your web browser to download it.
    • This version requires Java 11 (the current LTS version of Java at the time of writing).
  2. Log in to the Contrast UI.
  3. Click Add Agent:
  4. Select Java and download the contrast_security.yaml configuration file and the Java Agent jar file:
  5. Customize the configuration, if desired. For example, you can change the reported application and server name by adding the following to the contrast_security.yaml file (more options detailed here):

    agent:
      java:
        standalone_app_name: WebGoatDemo
    application:
      path: "/WebGoat"
    server:
      name: "My Server"

  6. To start up WebGoat with the Contrast agent, simply execute this command:
    java -javaagent:/path/to/contrast.jar -Dcontrast.config.path=/path/to/contrast_security.yaml -jar /path/to/webgoat-server-8.1.0.jar --server.port=8082
    Note: --server.port optionally overrides the default WebGoat port of 8080.
  7. Point your browser to http://localhost:8082/WebGoat, register a user, log in and complete some of the lessons in the left navigation bar.
  8. Log in to the Contrast UI.
  9. Under Applications you should now see an entry called WebGoatDemo. Open this entry and select Vulnerabilities. You should see the vulnerabilities triggered by your actions within WebGoat.
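The steps above can be wrapped in a small launcher script. The script below is an added example and is not part of the Contrast article or the WebGoat project: it checks that the Java on the PATH is version 11, appends the application and server naming keys from step 5 to the downloaded contrast_security.yaml, verifies the three files exist, and runs the java command from step 6. The default paths under $HOME/contrast and $HOME/webgoat are assumptions, as is the assumption that the downloaded contrast_security.yaml does not already contain agent, application or server sections (appending a second copy of a top-level key would produce invalid YAML).

```shell
#!/bin/sh
# Added example launcher for WebGoat 8.1 with the Contrast Java agent.
# Not from the Contrast article; paths are assumptions. Usage: sh webgoat-contrast.sh run

# Extract the major version from the first line of `java -version`, e.g.
#   openjdk version "11.0.19" 2023-04-18  -> 11
#   java version "1.8.0_362"              -> 8  (old 1.x numbering)
java_major_from_banner() {
  ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
  case "$ver" in
    1.*) printf '%s\n' "$ver" | cut -d. -f2 ;;
    *)   printf '%s\n' "$ver" | cut -d. -f1 ;;
  esac
}

# Append the naming keys from step 5 to the config file given as $1.
# Assumes the file downloaded from the UI has no agent/application/server
# sections yet; the api: connection settings it already contains are kept.
append_contrast_names() {
  cat >> "$1" <<'EOF'
agent:
  java:
    standalone_app_name: WebGoatDemo
application:
  path: "/WebGoat"
server:
  name: "My Server"
EOF
}

# Compose the step 6 command line.
# $1 agent jar, $2 contrast_security.yaml, $3 WebGoat jar, $4 HTTP port.
build_launch_cmd() {
  printf 'java -javaagent:%s -Dcontrast.config.path=%s -jar %s --server.port=%s\n' \
    "$1" "$2" "$3" "$4"
}

# Check prerequisites, then start WebGoat with the agent attached.
launch_webgoat() {
  AGENT_JAR="${AGENT_JAR:-$HOME/contrast/contrast.jar}"                 # assumed path
  CONFIG="${CONFIG:-$HOME/contrast/contrast_security.yaml}"             # assumed path
  WEBGOAT_JAR="${WEBGOAT_JAR:-$HOME/webgoat/webgoat-server-8.1.0.jar}"  # assumed path
  PORT="${PORT:-8082}"

  banner=$(java -version 2>&1 | head -n 1)
  major=$(java_major_from_banner "$banner")
  if [ "$major" != "11" ]; then
    echo "WebGoat 8.1 requires Java 11, found: $banner" >&2
    exit 1
  fi
  for f in "$AGENT_JAR" "$CONFIG" "$WEBGOAT_JAR"; do
    if [ ! -f "$f" ]; then
      echo "missing file: $f" >&2
      exit 1
    fi
  done
  # Only add the naming keys once.
  grep -q 'standalone_app_name:' "$CONFIG" || append_contrast_names "$CONFIG"
  eval "$(build_launch_cmd "$AGENT_JAR" "$CONFIG" "$WEBGOAT_JAR" "$PORT")"
}

# Launch only when invoked with the "run" argument, so the helper
# functions can also be sourced without starting anything.
if [ "${1:-}" = "run" ]; then
  launch_webgoat
fi
```

Override any of AGENT_JAR, CONFIG, WEBGOAT_JAR or PORT in the environment to point at your own downloads; once WebGoat is up, continue with step 7 at http://localhost:8082/WebGoat.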
