| License Type | SaaS & On-Premise |
| Agent Mode | Assess & Protect |
| Main Product Category | Java Agent |
| Sub Category | Deployment |
Objective
The following steps can be used to quickly spin up WebGoat (a purposefully vulnerable web app) with a Java agent attached. This can be especially useful to quickly test a new agent or demonstrate how Contrast works.
Process
- Download WebGoat. You can find version 7.1 on GitHub here.
Note: You can use wget on linux or your web browser to download. - Login to the Contrast UI
- Click Add Agent:
- Select Java and download the contrast.jar file
- Proceed to the second step in the agent download page and download the basic configuration file (contrast_security.yaml):
- Customize the configuration, if desired - for example you can change the reported application and server name by adding the following to the contrast_security.yaml file (more options detailed here):
- To start up WebGoat with the Contrast agent, simply execute this command:
java -javaagent:/path/to/contrast.jar -Dcontrast.config.path=/path/to/contrast_security.yaml -jar /path/to/webgoat-container-7.1-exec.jar -httpPort 8082
Note: -httpPort will optionally override the default Webgoat port of 8080 - Point your browser to http://localhost:8082/WebGoat, login and complete some of the lessons in the the left navigation bar:
- Login to the Contrast UI
- Under Applications you should now see an entry called WebGoatDemo. Open this entry and select Vulnerabilities. You should see the vulnerabilities triggered by your actions within WebGoat:
