Mod Security & CRS

If you have already discovered ways to pass the challenges in the WebGoat application, you might want to revisit them with a Web Application Firewall in place. In this case, OWASP ModSecurity with the Core Rule Set (CRS) will be used as the Web Application Firewall.

The expectation is that it will block SQL injection attempts on WebGoat. There is currently a pull request for WebGoat so that it displays the 403 message correctly. A successful intervention of the web application firewall will then look like:

Setting up ModSecurity CRS using docker

docker run -dti \
--name apachecrsrp \
--env PARANOIA=1 \
--env ANOMALYIN=5 \
--env ANOMALYOUT=5 \
--env MAX_FILE_SIZE=5242880 \
--env PORT=8001 \
--publish 8001:8001 \
--env BACKEND=http://<host-ip>:<webgoat-port> \
owasp/modsecurity-crs:apache

Replace <host-ip>:<webgoat-port> with the address WebGoat listens on. The BACKEND URL must be based on the IP address of the host, not localhost, because inside the container localhost refers to the container itself. WebGoat must be running on this host and bound to that IP address (either as a Java executable or a docker container). The image name owasp/modsecurity-crs:apache was missing from the original command and is assumed here to be the intended CRS reverse-proxy image.

WebGoat can now be accessed through the proxy (port 8001 above), but all requests go through the firewall and might be blocked. If you use the WebGoat version from the pull request, the 403 will be shown on the screen.
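As an added helper that is not part of the original page, the following POSIX shell functions build the docker command from the values above, refuse a BACKEND that would point at the container itself (empty, localhost or 127.0.0.1), and return the HTTP status of a request sent through the proxy so you can confirm a normal page loads with 200 and a blocked request yields 403. The image tag owasp/modsecurity-crs:apache is an assumption.

```shell
#!/bin/sh
# Added example, not the page's own script. Builds and sanity-checks the
# ModSecurity CRS reverse-proxy command for WebGoat.

# crs_backend_ok URL -> exit 0 if URL is http(s)://<host-ip>[:port], else 1.
# localhost/127.0.0.1 are rejected: inside the container they are the container.
crs_backend_ok() {
  case "$1" in
    ''|*localhost*|*127.0.0.1*|*0.0.0.0*) return 1 ;;
    http://*|https://*) return 0 ;;
    *) return 1 ;;
  esac
}

# crs_run_cmd BACKEND_URL [PARANOIA] [ANOMALYIN] [ANOMALYOUT]
# Prints the docker run command with the page's defaults (PL1, thresholds 5/5).
crs_run_cmd() {
  backend=$1; paranoia=${2:-1}; ain=${3:-5}; aout=${4:-5}
  crs_backend_ok "$backend" || {
    echo "BACKEND must be http(s)://<host-ip>[:port], got '$backend'" >&2
    return 1
  }
  # image tag is an assumption (official CRS image, Apache variant)
  printf 'docker run -dti --name apachecrsrp --env PARANOIA=%s --env ANOMALYIN=%s --env ANOMALYOUT=%s --env MAX_FILE_SIZE=5242880 --env PORT=8001 --publish 8001:8001 --env BACKEND=%s owasp/modsecurity-crs:apache\n' \
    "$paranoia" "$ain" "$aout" "$backend"
}

# waf_status URL -> prints the HTTP status code of a GET through the proxy
# (200 for an ordinary WebGoat page, 403 when CRS intervenes).
waf_status() {
  curl -s -o /dev/null -w '%{http_code}' "$1"
}
```

Run `crs_run_cmd http://192.0.2.10:8080` (constructed sample address) to print the command, then `waf_status http://<host-ip>:8001/WebGoat/` once the container is up.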