Replies: 2 comments
- Sounds interesting. If you put it in challenges you also would have to implement the codes for appearing on the scoreboard. So maybe a separate category or even a separate UI entry point? But maybe to start you can temporarily pick the challenges category. Would you leave it completely clueless? Or have at least some progress bar showing how much has been discovered? Or push vague hints by suggesting lessons from WebGoat depending on the actions you try?
- Hello @zubcevic, thank you for your prompt response. Certainly, the plan is to introduce codes that contribute to the scoreboard, akin to our existing challenge setup. I appreciate the notion of a distinct category; any suggestions for a name? To delve further, I aim to concentrate on scenarios that present a challenge, somewhat resembling penetration tests on environments/machines, keeping in mind the constraints of operating within a web application. Your suggestion about incorporating a progress bar is well-received; moreover, I'm contemplating assigning unique CTF-style codes as participants progress through each scenario. Regarding the absence of hints, it aligns with the established dynamics of our challenges, facilitating the use of WebGoat as a resource for internal CTF-style events or workshops. Nevertheless, this doesn't preclude the possibility of creating articles on the subject for my blog :-) The constant influx of new CVEs serves as a compelling source for devising exploitation scenarios. Expanding on my earlier point about running these scenarios in Docker: given that many likely involve obtaining Remote Code Execution (RCE), the labs would predominantly operate within Docker to safeguard users' machines. Ultimately, the responsibility lies with users for commands executed post-shell access. I'm considering implementing a feature whereby labs can be run in a Docker-less version, with users acknowledging a disclaimer and explicitly disabling protection via a designated button or a similar mechanism. Best regards
- Hi @zubcevic, @nbaars,
how are you? I hope everything is going well.
I'm thinking of expanding WebGoat by adding something like small labs, separate from the current top 10 lessons.
It's similar to what we have in the challenges section that talks about CTF, but a bit more labor-intensive, in the sense that each lab simulates a series of vulnerabilities that can be chained together to achieve, for example, an RCE. No hints or help provided.
The motivation comes from issue #1555.
The lab would be restricted to the use of WebGoat in Docker, but I'm considering adding a disclaimer to deactivate this protection and be able to carry out the lab in a normal environment.
What do you think? If you like the idea, would you include it within Challenges, or create a new section in the menu?
Thank you!