WebGoat is a deliberately vulnerable web application, which makes it a safe target for a penetration test. Once the WebGoat server has been prepared, use the terminal emulator of your choice to SSH into the EC2 instance that will run OWASP ZAP. The scan is started from a short shell script that hands ZAP an authentication hook, so the spider logs in to WebGoat instead of only scanning the login page:
$ cat run-zap.sh
#!/bin/sh
# Baseline-scan WebGoat; $1 is the private IP address of the WebGoat server.
docker run --rm -v "$(pwd):/zap/wrk/:rw" -t owasp/zap2docker-weekly:w2019-01-21 \
  zap-baseline.py -I -j \
  -t "http://$1:8080/WebGoat" \
  -r zapreport.html \
  --hook=/zap/auth_hook.py \
  -z "auth.loginurl=http://$1:8080/WebGoat/login.mvc auth.username=clouduser auth.password=password auth.auto=1"
What the options do: -t is the target URL, -r writes an HTML report into /zap/wrk (the current directory, mounted into the container), -j adds the AJAX spider, and -I stops the script from returning a failure exit code on warnings. --hook loads the authentication hook, which must already exist at /zap/auth_hook.py inside the container (it is not mounted from the working directory), and -z passes it the login URL and the lab credentials as a single quoted argument; the original version nested double quotes inside that argument, which only worked by accident because none of the values contained spaces.
Note: you must pass the PRIVATE IP ADDRESS of the WebGoat server as the script's first argument.
Run the script with that address (10.0.1.26 in this lab); sudo is needed if cloud_user is not in the docker group:
$ sudo sh run-zap.sh 10.0.1.26
The scan runs against http://10.0.1.26:8080/WebGoat over the VPC's private network.
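The lab script interpolates $1 straight into a URL and into the -z option string, so anything the caller passes reaches the docker command unchecked. The wrapper below is an added example, not the lab's script: it rejects anything that is not an RFC 1918 IPv4 address before building the command, builds the ZAP options without nested quotes, and maps the zap-baseline.py exit codes (0 pass, 1 fail, 2 warn, anything else error) to a verdict. It assumes docker is on PATH, the hook is present at /zap/auth_hook.py inside the image, and WebGoat listens on port 8080; the DOCKER variable is a hook for dry runs, not part of the original.

```shell
#!/bin/sh
# Added example wrapper around the lab's ZAP baseline scan (not the lab's own script).
# Assumptions: docker on PATH, /zap/auth_hook.py inside the image, WebGoat on :8080.

ZAP_IMAGE="owasp/zap2docker-weekly:w2019-01-21"
ZAP_USER="clouduser"   # lab credentials from the original run-zap.sh
ZAP_PASS="password"
REPORT="zapreport.html"

# Return 0 only if $1 is a dotted-quad IPv4 address in 10/8, 172.16/12 or 192.168/16.
# Anything else (hostnames, shell metacharacters, public addresses) is rejected.
is_private_ipv4() {
    ip="$1"
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # only digits and dots, no empty octet
    esac
    old_ifs="$IFS"; IFS=.
    set -- $ip
    IFS="$old_ifs"
    [ "$#" -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        [ "$o" -le 255 ] || return 1
    done
    if [ "$1" -eq 10 ]; then return 0; fi
    if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 0; fi
    if [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then return 0; fi
    return 1
}

# The option string the auth hook reads, passed to -z as one argument (no nested quotes).
zap_options() {
    printf 'auth.loginurl=http://%s:8080/WebGoat/login.mvc auth.username=%s auth.password=%s auth.auto=1' \
        "$1" "$ZAP_USER" "$ZAP_PASS"
}

# Map zap-baseline.py exit codes to a word: 0 pass, 1 fail, 2 warn, 3 (or other) error.
scan_verdict() {
    case "$1" in
        0) echo pass ;;
        1) echo fail ;;
        2) echo warn ;;
        *) echo error ;;
    esac
}

# Validate the target, run the scan, report the verdict and confirm the report was written.
run_scan() {
    target="$1"
    if ! is_private_ipv4 "$target"; then
        echo "usage: $0 <private IPv4 address of the WebGoat server>" >&2
        return 64
    fi
    ${DOCKER:-docker} run --rm -v "$(pwd):/zap/wrk/:rw" -t "$ZAP_IMAGE" \
        zap-baseline.py -I -j \
        -t "http://$target:8080/WebGoat" \
        -r "$REPORT" \
        --hook=/zap/auth_hook.py \
        -z "$(zap_options "$target")"
    rc=$?
    echo "scan verdict: $(scan_verdict "$rc")"
    [ -s "$REPORT" ] || echo "warning: $REPORT was not written to $(pwd)" >&2
    return "$rc"
}

# Run only when invoked with an argument, e.g.: sudo sh run-zap-checked.sh 10.0.1.26
if [ "$#" -gt 0 ]; then
    run_scan "$1"
fi
```

The validation is the point: a caller who types a hostname or pastes something with a space or semicolon gets a usage error rather than a malformed docker command, and the verdict line tells you whether ZAP saw failures, warnings only (note that -I suppresses the warning exit code, so "pass" with -I means no FAIL-level alerts, not a clean application), or never scanned at all.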
When the scan completes, the report zapreport.html appears next to the script; the container wrote it to /zap/wrk, which is the mounted current directory:
$ ls -l
total 20
-rw-r--r--. 1 cloud_user cloud_user 1 Aug 13 2021 init_pass
-rw-r--r--. 1 root root 286 May 5 21:15 run-zap.sh
-rw-r--r--. 1 cloud_user cloud_user 11872 May 5 23:20 zapreport.html
After the OWASP ZAP run has finished, copy the HTML report to the Apache web server's document root so it can be viewed in a browser:
$ sudo cp zapreport.html /var/www/html
Keep in mind that the report lists the weaknesses ZAP found and the login URL it used, so anyone who can reach the Apache server can now read it; restrict access to the server (or remove the file) once you have reviewed it.
Report: