Based on https://github.com/jerryhoff/WebGoat.NET with changes made to run this as an Azure App Service with the 'MySql in App' database.
Warning: The computer running this application will be vulnerable to attacks, please take appropriate precautions.
- Place a
contrast_security.yamlfile into the application's root folder. - Install Terraform from here: https://www.terraform.io/downloads.html.
- Install PyYAML using
pip install PyYAML. - Install the Azure cli tools using
brew update && brew install azure-cli. - Log into Azure to make sure you cache your credentials using
az login. - Edit the variables.tf file (or add a terraform.tfvars) to add your initials, preferred Azure location, app name, server name and environment.
- Run
terraform initto download the required plugins. - Run
terraform planand check the output for errors. - Run
terraform applyto build the infrastructure that you need in Azure, this will output the web address for the application. If you receive a HTTP 503 error when visiting the app then wait 30 seconds for the application to initialize. - Use the 'Rebuild Database' option from within WebGoat.net, the MySql details will be pre-populated.
- Run
terraform destroywhen you would like to stop the app service and release the resources.
The terraform file will automatically add the Contrast .NET Azure site extension, so you will always get the latest version.
There is a test script which you can use to reveal vulnerabilities which requires node and puppeteer.
- Install Node, NPM and Chrome.
- From the app folder run
npm i puppeteer. - Run
BASEURL=https://<your service name>.azurewebsites.net node exercise.jsorBASEURL=https://<your service name>.azurewebsites.net DEBUG=true node exercise.jsto watch the automated script.
If you change the application you should run the Publish option in Visual Studio which will update the content in WebGoat/DeployToAzure