WebGoat / WebGoat

WebGoat is a deliberately insecure application
https://owasp.org/www-project-webgoat/
Other
7.03k stars 5.53k forks source link

Command injection lesson #1555

Open denandz opened 1 year ago

denandz commented 1 year ago

WebGoat doesn't include a simple command injection lesson any more, though older versions of WebGoat did. Was there a reason for no longer including an RCE lesson?

github-actions[bot] commented 1 year ago

Thanks for submitting your first issue, we will have a look as quickly as possible.

nbaars commented 1 year ago

There was a specific reason as we wanted to protect the users from not deleting their own complete file system.

We had that in place in WG 7 we just never got around porting the lesson.

If you like, feel free to submit a PR.

denandz commented 1 year ago

reaper-rce

denandz commented 1 year ago

In all seriousness though, given that WebGoat's current prefered installation method is via Docker and the general availability of free virtual machine hypervisor options, does this requirement for nerfing RCE labs still exist today?

I noticed the deserialization lab is similarly de-fanged. Limiting a vulnerability in this way doesn't seem particularly realistic, and seems to deprive the WebGoat learners from some teachable moments around practically testing things like reverse-shells triggered from a vulnerable application sink. Or like you mention, accidentally crashing a server they're testing.

Happy to submit a command-injection lesson, but I'm less comfortable submitting a defanged command-injection lesson that expects the learner to match a specific set of strings rather than achieve general RCE.

nbaars commented 1 year ago

@denandz indeed I tend to agree. We had a limited version in WG 7 which felt a bit weird for the same reason you describe. We have some other lessons which only runs on Docker, so we can limit it Docker only.