[Owasp-webgoat] [Owasp-leaders] VMWare Image of Webgoat
Rogan Dawes
lists at dawes.za.net
Thu Oct 23 09:05:24 EDT 2008
Bruce Mayhew wrote:
> I think this is an interesting idea. One of the ant build tags creates a
> "classroom" environment. The image would be quite large, but I'd be
> willing to put it on sourceforge (if it would allow it) if people think
> it is a good idea. The question I have is: Would you download a VM that
> you didn't create and run it on your machine?
>
> Anyone have any thoughts on this? I'm not that familiar with potential
> risks of running an "untrusted" VM.
>
> Bruce

I think that what people are missing (in the usual scenario, not the
classroom one) is that WebGoat no longer listens on all interfaces, but
only loopback.
Which effectively prevents anyone abusing WebGoat to gain access to the
machine on which it is running. Thinking along these lines, perhaps it
is time we updated the warning on the "splash page"?

For the classroom scenario, I think an image would be a pretty good
idea, making it a bit easier for a teacher to set up and operate a
WebGoat instance.

Rogan

> -----Original Message-----
> From: Brad Andrews [mailto:andrews at rbacomm.com]
> Sent: Wednesday, October 22, 2008 10:36 AM
> To: webgoat at owasp.org
> Subject: VMWare Image of Webgoat
>
>
> Has anyone thought of creating a VMWare Player image of Webgoat (on
> some kind of Linux) to allow people to be able to run Webgoat without
> exposing themselves to external attack? Networking could be set up to
> not connect to the host machine.
>
> I thought of this the other day and it would be worth doing, though I
> am not very knowledgeable on configuring Linux VMWare images,
> unfortunately.
>
> Brad