Finding WebGoat on Samurai WTF

The nature of my secure code review work over the last several years meant we rarely had a chance to do any pen testing to verify the issues we found could be reached by an attacker. It was just the nature of the beast. Because of that my pen testing skills have become very rusty.

I have been using WebGoat on Samurai WTF 2.0 to refresh my memory on hacking web applications. It has been a lot of fun but getting started was a might bit frustrating. Finding WebGoat on Samurai WTF was not straight forward. I knew WebGoat was part of the distribution and there is even a link to it on the start menu. The problem with that is it took me off to www.webgoat.com and one of those "this domain may be for sale pages." Not exactly what I was looking for.

Googling for starting webgoat on Samurai WTF wasn't a whole lot more help. Most references said to point my browser to http://localhost:8080/webgoat/attack which unfortunately did not work. There wasn't a site there.

I ended up having to poke around on the file system to find the configuration for WebGoat. In /etc/apache2/sites-enabled/webgoat (and /etc/apache2/sites-available/webgoat) I found WebGoat was running on a virtual server. Instead of 127.0.0.1, it was set up to run on 127.42.84.3.

I pointed my browser to http://127.42.84.3:8080/webgoat/attack and was in business. Frustration over at least as far as getting started was concerned. I still had to dig how to do all of the exercises out of the cobwebbed over corners of my brain.