Mod Security & CRS

If you have already found ways to solve the challenges in the WebGoat application, you might want to revisit them with a Web Application Firewall (WAF) in place. In this case OWASP ModSecurity with the OWASP Core Rule Set (CRS) is used as the Web Application Firewall.

The expectation is that it blocks SQL injection attempts against WebGoat. There is currently a pull request for WebGoat so that the 403 response from the firewall is displayed correctly. A successful intervention of the Web Application Firewall then looks like this:

Setting up ModSecurity CRS using docker

```shell
# Start the ModSecurity/CRS reverse proxy: it listens on port 8001 and
# forwards everything that is not blocked to the WebGoat BACKEND.
docker run -dti \
  --name apachecrsrp \
  --env PARANOIA=1 \
  --env ANOMALYIN=5 \
  --env ANOMALYOUT=5 \
  --env ALLOWED_METHODS="GET POST" \
  --env MAX_FILE_SIZE=5242880 \
  --env RESTRICTED_EXTENSIONS=".conf/" \
  --env PORT=8001 \
  --publish 8001:8001 \
  --env BACKEND=http://10.56.14.8:8080 \
  franbuehler/modsecurity-crs-rp
```
The BACKEND URL must use an IP address of the host that is reachable from inside the container; 127.0.0.1 does not work there, because inside the container it refers to the container itself, not to the host.
WebGoat must be running on this host and bound to that IP address, either as a Java executable (WebGoat binds to 127.0.0.1 by default, so start the jar with `--server.address=0.0.0.0` or the host IP) or as a docker container whose port 8080 is published on that address.

WebGoat can now be accessed on http://127.0.0.1:8001/WebGoat, but every request passes through the firewall and might be blocked. If you use the WebGoat version from the pull request, the 403 is shown on the screen; otherwise the blocked request simply fails without a visible message.
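To check that the proxy really intervenes, and to find out afterwards which CRS rules caused a block (or fired without reaching the anomaly threshold, which is how false positives on WebGoat show up), the following added example probes the proxy with a harmless request and a textbook SQL injection payload and then explains ModSecurity error-log lines. This is not code from WebGoat, ModSecurity or the CRS project. It assumes the proxy from the docker command above on http://127.0.0.1:8001 and that the container writes the Apache error log to its output (`docker logs apachecrsrp`); the sample log lines are constructed after the ModSecurity v2 error-log format, the rule ids 942100, 949110 and 920350 are real CRS 3.x ids, while file paths, line numbers and unique ids are illustrative.

```python
"""Check that the CRS proxy in front of WebGoat intervenes, and read its log.

Added example: not code from WebGoat, ModSecurity or the CRS project.
Assumptions: the proxy started with the docker command above listens on
http://127.0.0.1:8001 and writes the Apache error log to the container
output (`docker logs apachecrsrp`).  SAMPLE_LOG below is constructed,
modelled on the ModSecurity v2 error-log format; rule ids 942100, 949110
and 920350 are real CRS 3.x ids, file paths, line numbers and unique ids
are illustrative.
"""
import re
import urllib.error
import urllib.parse
import urllib.request
from collections import defaultdict

PROXY = "http://127.0.0.1:8001"   # assumption: the proxy container from above


def probe(path, params):
    """GET path?params through the proxy; return the HTTP status, None if unreachable."""
    url = f"{PROXY}{path}?{urllib.parse.urlencode(params)}"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code            # a CRS block surfaces here as 403
    except urllib.error.URLError:
        return None                # proxy not running / not reachable


# One [key "value"] field as ModSecurity writes it; embedded quotes are \"-escaped.
_FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
_DENIED = re.compile(r"ModSecurity: Access denied with code (\d+)")


def parse_modsec_line(line):
    """Return the bracketed fields of one error-log line as a dict, or None.

    Every [key "value"] field is kept ([tag ...] repeats, so it becomes a list);
    "denied" holds the status code of an "Access denied" entry, else None.
    """
    if "ModSecurity:" not in line:
        return None
    fields = {"tag": []}
    for key, value in _FIELD.findall(line):
        value = value.replace('\\"', '"')
        if key == "tag":
            fields["tag"].append(value)
        else:
            fields[key] = value
    match = _DENIED.search(line)
    fields["denied"] = int(match.group(1)) if match else None
    return fields


def summarize(log_text):
    """Group entries by unique_id: URI, the rules that fired, and the block status.

    With ANOMALYIN=5 a single CRITICAL match (score 5) already blocks, while a
    WARNING match (score 3) on its own is only logged: such a request shows up
    here with rules but blocked_with None.
    """
    requests = defaultdict(lambda: {"uri": None, "rules": [], "blocked_with": None})
    for line in log_text.splitlines():
        entry = parse_modsec_line(line)
        if not entry or "unique_id" not in entry:
            continue
        req = requests[entry["unique_id"]]
        req["uri"] = entry.get("uri", req["uri"])
        req["rules"].append((entry.get("id"), entry.get("severity"), entry.get("msg")))
        if entry["denied"] is not None:
            req["blocked_with"] = entry["denied"]
    return dict(requests)


# Constructed sample: a blocked SQLi attempt (two lines, same unique_id) and a
# request to the login page that only trips 920350 because the Host header
# is the numeric 127.0.0.1:8001 from the URL above (score 3, not blocked).
SAMPLE_LOG = r"""
[Tue Apr 02 10:15:01.123456 2019] [:error] [pid 23:tid 1] [client 172.17.0.1:51234] [client 172.17.0.1] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 's&1' [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1 found within ARGS:account: ' OR 1=1--"] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "attack-sqli"] [hostname "127.0.0.1"] [uri "/WebGoat/SqlInjection/attack5a"] [unique_id "XKMtnX8AAQEAAAxQ@AAAAAA"]
[Tue Apr 02 10:15:01.123789 2019] [:error] [pid 23:tid 1] [client 172.17.0.1:51234] [client 172.17.0.1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "attack-generic"] [hostname "127.0.0.1"] [uri "/WebGoat/SqlInjection/attack5a"] [unique_id "XKMtnX8AAQEAAAxQ@AAAAAA"]
[Tue Apr 02 10:15:09.000000 2019] [:error] [pid 23:tid 1] [client 172.17.0.1:51240] [client 172.17.0.1] ModSecurity: Warning. Pattern match "^[\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "728"] [id "920350"] [msg "Host header is a numeric IP address"] [data "127.0.0.1:8001"] [severity "WARNING"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "attack-protocol"] [hostname "127.0.0.1"] [uri "/WebGoat/login"] [unique_id "XKMtpX8AAQEAAAxRAAAAAB"]
"""

if __name__ == "__main__":
    # Live check: the benign request should pass, the SQL injection should be
    # answered by CRS with 403 before it ever reaches WebGoat.
    print("benign :", probe("/WebGoat/login", {}))
    print("sqli   :", probe("/WebGoat/SqlInjection/attack5a", {"account": "' OR 1=1--"}))
    # Offline: explain the sample log; feed `docker logs apachecrsrp 2>&1`
    # into summarize() the same way for the real thing.
    for uid, req in summarize(SAMPLE_LOG).items():
        verdict = f"blocked ({req['blocked_with']})" if req["blocked_with"] else "passed"
        print(f"{uid} {req['uri']} -> {verdict}")
        for rule_id, severity, msg in req["rules"]:
            print(f"    {rule_id} [{severity}] {msg}")
```

The rule-id and severity columns are what you need when WebGoat itself trips the firewall on legitimate traffic: a request that is logged but not blocked still adds to the anomaly score, so two WARNING matches on one request (3 + 3) are enough to exceed ANOMALYIN=5 and produce a 403 that has nothing to do with an attack.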