How to quickly setup the Java agent on WebGoat

Agent Deployment Knowledge:

License Type SaaS & On-Premise
Agent Mode Assess & Protect
Main Product Category    Java Agent
Sub Category Deployment 

 

Objective

The following steps can be used to quickly spin up WebGoat (a purposefully vulnerable web app) with a Java agent attached. This can be especially useful to quickly test a new agent or demonstrate how Contrast works.

Process

  1. Download Webgoat 7.1 from this GitHub link.
    Note: You can use wget on linux or your web browser to download.
  2. Login to the Contrast UI
  3. Click Add Agent:
       
  4. Select Java  and download the contrast.jar file
  5. To start up the Webgoat with the Contrast agent, simply execute this command:
    java -javaagent:/path/to/contrast.jar -jar /path/to/webgoat-container-7.1-exec.jar -Dcontrast.override.appname=WebGoatDemo -httpPort 8083
    Note: -Dcontrast.override.appname=<name> is an optional argument, and controls the name of the application as it will be displayed in the Contrast UI
    Note: -httpPort will optionally override the default Webgoat port of 8080
  6. Point your browser to http://localhost:8083/WebGoat, login and complete some of the lessons in the the left navigation bar:





  7. Login to the Contrast UI
  8. Under Applications you should now see an entry called WebGoatDemo. Open this entry and select Vulnerabilities. You should see the vulnerabilities triggered by your actions within WebGoat:
    image2018-2-12_11-37-43.png
    image2018-2-12_11-36-20.png
Powered by Zendesk