This gitter room can be used to discuss all things related to OWASP WebGoat. Normal issues are part of the GitHub repository.
René Zubcevic
@zubcevic
The latest WebGoat release is 8.1.0. Since then several improvements have been added. The latest version can be built from the develop branch.
avivmu
@avivmu
Hey @zubcevic, is this project still actively maintained? There are several PRs that are awaiting merge
René Zubcevic
@zubcevic
Hi, yes this project has been around for many years and has had some significant improvements in the last year. However most commits as you can see are from Nanne Baars and myself. Sometimes also from other people who help change text and descriptions or even add lessons.
The latest major feature was that you can now start WebGoat with a certain selection of categories and lessons, in order not to overwhelm people
René Zubcevic
@zubcevic
apparently the lesson on SSRF now fails because the ifconfig.pro site is down, which also blocks pull requests and results in build failures
This must be something very recent
René Zubcevic
@zubcevic
a fix for the dependency on ifconfig.pro has been pushed to the develop branch, see WebGoat/WebGoat#919
avivmu
@avivmu
In HttpBasicsInterceptRequest, where does the trackProgress method come from? IntelliJ shows a compilation error. EDIT: okay, there are 2 modules named http-proxies, why?
René Zubcevic
@zubcevic
command-injection is no longer a supported lesson. it is a leftover from older versions. if IntelliJ uses the correct maven files, it should not include this module
please make a pull request to remove command-injection. there the pom file indeed uses an existing lesson artefact id
in SSRFTask2 - why do we need to show the ifconfig.pro website contents inside webgoat (we consume the html from the url and display it to the user - I don't see any reason to do that)?
René Zubcevic
@zubcevic
the original author of the story probably wanted to show external content in the exercise and not just a simple reply that the exercise was correct. But I would also not have chosen this option
Ah, good one, didn't know that myself. But it is where the static content is kept for the application pages on the OWASP foundation: https://owasp.org/www-project-webgoat/