Command injection lesson #1555
WebGoat doesn't include a simple command injection lesson any more, though older versions of WebGoat did. Was there a reason for no longer including an RCE lesson?

Comments

Thanks for submitting your first issue, we will have a look as quickly as possible.

There was a specific reason as we wanted to protect the users from not deleting their own complete file system. We had that in place in WG 7, we just never got around to porting the lesson. If you like, feel free to submit a PR.

In all seriousness though, given that WebGoat's current preferred installation method is via Docker and the general availability of free virtual machine hypervisor options, does this requirement for nerfing RCE labs still exist today? I noticed the deserialization lab is similarly de-fanged. Limiting a vulnerability in this way doesn't seem particularly realistic, and seems to deprive the WebGoat learners of some teachable moments around practically testing things like reverse-shells triggered from a vulnerable application sink. Or, like you mention, accidentally crashing a server they're testing. Happy to submit a command-injection lesson, but I'm less comfortable submitting a defanged command-injection lesson that expects the learner to match a specific set of strings rather than achieve general RCE.

@denandz indeed I tend to agree. We had a limited version in WG 7 which felt a bit weird for the same reason you describe. We have some other lessons which only run on Docker, so we can limit it to Docker only.