WebGoat / WebGoat

WebGoat is a deliberately insecure application
https://owasp.org/www-project-webgoat/

Command injection lesson #1555

Open denandz opened 1 year ago

denandz commented 1 year ago

WebGoat doesn't include a simple command injection lesson any more, though older versions of WebGoat did. Was there a reason for no longer including an RCE lesson?

github-actions[bot] commented 1 year ago

Thanks for submitting your first issue, we will have a look as quickly as possible.

nbaars commented 1 year ago

There was a specific reason as we wanted to protect the users from not deleting their own complete file system.

We had that in place in WG 7; we just never got around to porting the lesson.

If you like, feel free to submit a PR.

denandz commented 1 year ago

reaper-rce

denandz commented 1 year ago

In all seriousness though, given that WebGoat's current preferred installation method is via Docker and the general availability of free virtual machine hypervisor options, does this requirement for nerfing RCE labs still exist today?

I noticed the deserialization lab is similarly de-fanged. Limiting a vulnerability in this way doesn't seem particularly realistic, and seems to deprive the WebGoat learners of some teachable moments around practically testing things like reverse-shells triggered from a vulnerable application sink. Or like you mention, accidentally crashing a server they're testing.

Happy to submit a command-injection lesson, but I'm less comfortable submitting a defanged command-injection lesson that expects the learner to match a specific set of strings rather than achieve general RCE.

nbaars commented 1 year ago

@denandz indeed I tend to agree. We had a limited version in WG 7 which felt a bit weird for the same reason you describe. We have some other lessons which only run on Docker, so we can limit it to Docker only.