Releases: WebGoat/WebGoat
v2025.3
Version 2025.3
Bug fixes
Technical tasks
- bump docker/setup-qemu-action from 3.4.0 to 3.6.0 (#2049)
- bump docker/build-push-action from 6.14.0 to 6.15.0 (#2050)
Full change log: v2025.2...v2025.3
Team WebGoat
v2025.2
Version 2025.2
Full change log: v2025.1...v2025.2
Bug fixes
- Fix SQL advanced lesson assignment 5 (#2047)
Team WebGoat
v2025.1
Version 2025.1
Full change log: v2023.8...v2025.1
New functionality
- Introduce Playwright for UI testing
- Refactoring of core code
Bug fixes
- Introduce assignment progress (#2043)
- Add test case for multiple users solving lessons (#2043)
- Register user while already logged in as another user (#2042)
- Small updates and improvements in HTTP Basic lesson (#2024)
- Improve HTTP basics lesson
- Solve compiler warnings
- Cleanup attack result and builder
- Format all code according to SPDX
- Fixed one invalid solution about CSRF attack (#2010)
- Reset a lesson no longer removes all assignments
- Hint labels showing default text regardless of localization (#1965)
- Automatically solve XSS mitigation (#1957)
- Remove implicit context path guessing (#1956)
- JWT kid/jku lessons (#1949)
- Fix password reset lesson (#1941)
- Fix passing command line arguments (#1933)
- Use banners correctly
- Show boolean operators priority on where (#1902)
- Remove WebGoat session object (#1929)
- Reset form and quiz color on reset lesson (#1903)
- XSS lesson typo
- Copying file using transferTo sometimes fails (#1862)
- Fix report card (#1845)
- Success if only Smith earns the most salary (#1744)
- Update HttpBasics_plan.adoc - fix broken link to https://www.zaproxy.org/ (#1803)
- Move CSRF to A3 (#1776)
- Fix typo in SQLi blind case
- Use $ instead of jQuery which is undefined (#1736)
- Fix hidden links in MissingFunctionAC.html. (#1710)
Technical tasks
- Lots of dependency updates
Contributors
Special thanks to the following contributors providing us with a pull request:
- François Capon
- GoogTech HackHuang
- Peter Potrowl
- cap-dev0x
- Benjamin Mouncer
- Jeong Rok Suh
- Rui Melo
- Vandeputte Brice
And everyone who provided feedback through Github.
Team WebGoat
v2023.8
Version v2023.8
New functionality
- Consistent environment values and url references (#1677)
- Show directly requested file in requests overview
- Show creating time in file upload overview
Bug fixes
Technical tasks
- bump actions/setup-java from 3 to 4 (#1690)
- bump commons-io:commons-io from 2.14.0 to 2.15.1 (#1689)
- bump com.diffplug.spotless:spotless-maven-plugin (#1688)
Full change log: v2023.5...v2023.8
Team WebGoat
v2023.5
Version 2023.5
New functionality
- Implement JWT jku example (#1552)
- Java 21 initial support (#1622)
- improve MFAC lesson hint texts for a better user experience (#1424)
- upgrade to Spring Boot version 3 (#1477)
Bug fixes
- typo in WebGoad.txt (#1667)
- search box moved and jwt encode/decode with little delay (#1664)
- skip validation for JWT (#1663)
- fixed issue in JWT test tool and added robot test (#1658)
- Password reset link test condition more strict and move all WebWolf links to /WebWolf (#1645)
- fix servers id (#1619)
- potential NPE in the stored XSS assignment
- crypto basics broken links
- fixes the default change in trailing slash matching and addresses the affected assignments
- hint that was breaking the template, causing hints from different assignments to mix (#1424)
- HijackSession lesson template used a deprecated Thymeleaf attribute
- Fix NPE in IDOR lesson
- Add new assignment IT tests
- XSS mitigation
- Stored Cross-Site Scripting Lesson
- Add Assignment7 Tests
- Fix IDOR lesson
- remove steps from release script (#1509)
- robotframework fails due to updated dependencies (#1508)
- fix Java image inside Dockerfile: the image now downloads the correct Java version based on the architecture
- Fix typo of HijackSession_content0.adoc
- Restrict SSRF Regexes
- update challenge code:
  - Flags are now wired through a Spring config
  - Introduced Flag class
  - Removed Flags from the FlagController
Full change log: v2023.4...v2023.5
Contributors
Special thanks to the following contributors providing us with a pull request:
- Ángel Ollé Blázquez
- Nanne Baars
- René Zubcevic
- Agustín Díaz
- François Capon
- Loris Sierra
- caputdraconis
- test2user-aqil
And everyone who provided feedback through Github.
Team WebGoat
v2023.4
Version 2023.4
New functionality
- #1422 Add Docker Linux Desktop variant with all tools installed. Thanks to the OWASP WrongSecrets project we now have a Docker Linux desktop image with all the tools installed. No need to install any tools locally; just run the new Docker image. See README.md for details on how to start it.
- #1411 JWT: it looks like "buy as Tom" also works with alg:none.
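The alg:none behaviour referenced in #1411 above, shown as an added illustration that is not WebGoat's own code: a minimal HS256 issuer, a forger that sets alg to none and leaves the signature empty, and two verifiers. The vulnerable verifier honours whatever algorithm the unauthenticated header names, so the forged "Tom" token is accepted without any key; the hardened verifier pins the algorithm the server chose and compares the MAC in constant time. The secret and claims are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed for this example; a real deployment loads the secret from a vault or the environment.
SECRET = b"constructed-demo-secret-do-not-reuse"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding Python's decoder wants."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signing_input(header: dict, payload: dict) -> str:
    """header.payload, both compact JSON and base64url encoded."""
    compact = {"separators": (",", ":")}
    return (b64url_encode(json.dumps(header, **compact).encode())
            + "." + b64url_encode(json.dumps(payload, **compact).encode()))


def issue_hs256(payload: dict, key: bytes) -> str:
    """Legitimate issuer: HMAC-SHA256 over header.payload."""
    signing_input = _signing_input({"alg": "HS256", "typ": "JWT"}, payload)
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def forge_alg_none(payload: dict) -> str:
    """Attacker: no key needed. Header claims alg=none and the signature part is empty."""
    return _signing_input({"alg": "none", "typ": "JWT"}, payload) + "."


def verify_vulnerable(token: str, key: bytes) -> Optional[dict]:
    """Trusts the alg field from the header the attacker controls."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    alg = str(header.get("alg", "")).lower()
    if alg == "none":
        # BUG: an unsigned token is treated as valid, so any claims go through.
        return json.loads(b64url_decode(payload_b64))
    if alg == "hs256":
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return json.loads(b64url_decode(payload_b64))
    return None


def verify_hardened(token: str, key: bytes) -> Optional[dict]:
    """Pins the algorithm server-side; the header cannot downgrade it."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # exact match: no case folding, no "none"
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        return json.loads(b64url_decode(payload_b64))
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON/UTF-8
        return None


if __name__ == "__main__":
    forged = forge_alg_none({"user": "Tom", "role": "buyer"})
    print("vulnerable verifier accepts forged token:", verify_vulnerable(forged, SECRET))
    print("hardened verifier accepts forged token:  ", verify_hardened(forged, SECRET))
```

The fix is not "reject the string none"; it is to never let the token choose its own verification algorithm or key. Real libraries expose this as an explicit allow-list of algorithms passed to the decode call, and the same reasoning applies to header fields such as kid and jku, which must only ever select from keys the server already trusts.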
Bug fixes
2023.3
Version 2023.3
With great pleasure, we present you with a new release of WebGoat 2023.3. Finally, it has been a while. This year starts with a new release of WebGoat. This year we will undoubtedly release more often. From this release on, we began to use a new versioning scheme (https://calver.org/#scheme).
A big thanks to René Zubcevic and Ángel Ollé Blázquez for keeping the project alive this last year, and hopefully, we can make many more releases this year.
New functionality
- New year's resolution (2022): major refactoring of WebGoat to simplify the setup and improve building times.
- Move away from multi-project setup:
  - This has a huge performance benefit when building the application. Build time locally is now "Total time: 42.469 s" (depends on your local machine of course)
  - No longer add Maven dependencies in several places
- H2 no longer needs to run as separate process, which solves the issue of WebWolf sharing and needing to configure the correct database connection.
- More explicit paths in html files to reference adoc files, less magic.
- Integrate WebWolf in WebGoat; the setup was way too complicated and needed configuration which could lead to mistakes and a non-working application. This also simplifies the Docker configuration as there is only 1 Docker image.
- Add WebWolf button in WebGoat
- Move all lessons into src/main/resources
- WebGoat selects a port dynamically when starting. It will still try to start on port 8080; if that port is taken it will try another port to ease the user experience.
- WebGoat logs the URL after startup: "Please browse to http://127.0.0.1:8080/WebGoat to get started..."
- Simplify Dockerfile as we no longer need a script to start everything
- Maven build now starts the WebGoat jar with a Maven plugin to make sure we run against the latest build.
- Added Initializable interface for a lesson; an assignment can implement this interface to set it up for a specific user and to reset the assignment back to its original state when a lesson reset occurs. See BlindSendFileAssignment for an example.
- Integration tests now use the same user. This saves a lot of time: before, every test used a different user, which triggered the Flyway migration to set up the database schema for that user, and this migration took a lot of time.
- Updated introduction lesson to WebWolf.
- Added language switch to support multiple languages.
- Removed logic to start WebGoat on a random port when port 8080 is taken. We would loop until we found a free port; we simplified this to just start on the specified port.
- Add Google formatter for all our code; a PR now checks whether the code adheres to the standard.
- Renaming of all packages and folders.
- #1039 New OWASP Top 10
- #1065 New lesson about logging
Bug fixes
- #1193 Vulnerable component lesson - java.desktop does not "opens java.beans" to unnamed module
- #1176 Minor: XXE lesson 12 patch not reset by 'lesson reset' while it IS reset by leaving/returning to lesson
- #1134 "Exploiting XStream" assignment does not work
- #1130 Typo: Using Indrect References
- #1101 SQL lesson not correct
- #1079 startup.sh issues of WebWolf - cannot connect to the WebGoat DB
- #1379 Move XXE to A05:2021-Security Misconfiguration
- #1298 SocketUtils is deprecated and will be removed in Spring Security 6
- #1248 Rewrite the WebWolf Introduction Lesson with the new changes
- #1200 Type cast error in sample code at JWT token section
- #1173 --server.port=9000 is not respected on Windows (both cmd as Powershell)
- #1103 (A1) path traversal lesson 7 seems broken
- #986 User registration not persistent
Full change log: v8.2.2...v2023.3
Contributors
Special thanks to the following contributors providing us with a pull request:
And everyone who provided feedback through Github.
Team WebGoat
2023.2
Version 2023.2
Full change log: v8.2.2...v2023.2
Team WebGoat
v8.2.2
Version 8.2.2
New functionality
- Docker image now supports nginx; when browsing to http://localhost a landing page is shown.
Bug fixes
v8.2.1
Version v8.2.1
New functionality
- New Docker image for arm64 architecture is now available (for Apple M1)