[Owasp-webgoat] [Owasp-leaders] VMWare Image of Webgoat
lists at dawes.za.net
Thu Oct 23 09:05:24 EDT 2008
Bruce Mayhew wrote:
> I think this is a interesting idea. One of the ant build tags creates a
> "classroom" environment. The image would be quite large, but I'd be
> willing to put it on sourceforge (if it would allow it) if people think
> it is a good idea. The question I have is: Would you download a VM that
> you didn't create and run it on your machine?
> Anyone have any thoughts on this? I'm not that familiar with potential
> risks of running an "untrusted" VM.
I think that what people are missing (in the usual scenario, not the
classroom one) is that WebGoat no longer listens on all interfaces, but
Which effectively prevents anyone abusing WebGoat to gain access to the
machine on which it is running. Thinking along these lines, perhaps it
is time we updated the warning on the "splash page"?
For the classroom scenario, I think an image would be a pretty good
idea, making it a bit easer for a teacher to set up and operate a
> -----Original Message-----
> From: Brad Andrews [mailto:andrews at rbacomm.com]
> Sent: Wednesday, October 22, 2008 10:36 AM
> To: webgoat at owasp.org
> Subject: VMWare Image of Webgoat
> Has anyone thought of creating a VMWare Player image of Webgoat (on
> some kind of Linux) to allow people to be able to run Webgoat without
> exposing themselves to external attack? Networking could be setup to
> not connect to the host machine.
> I thought of this the other day and it would be worth doing, though I
> am not very knowledgeable on configuring Linux VMWare images,
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
More information about the Owasp-webgoat