OWASP Tools hands on – using vagrant image

Learning about application security should be easy. OWASP the open web application security project, has several projects and applications that can be used to learn and test your skills in understanding the top OWASP top 10 security issues.

I have created a vagrant box that can be used to create a ready-to-use virtual machine where a selection of the OWASP tools is already installed.

The following picture shows what is in the box:

The virtual machine contains:

  • Linux CentOS 7.2 with GUI and Firefox
  • Docker
  • OWASP WebGoat & WebWolf
  • OWASP ZAP and Burpsuite community edition as intercepting proxies
  • OWASP ModSecurity and Core Rule Set as Web Application Firewall
  • OWASP JuiceShop

For Windows 10 and MacOS you can set up a VirtualBox virtual machine using the Vagrantfile in the following repository: https://github.com/zubcevic/vagrant/tree/master/owasptools-virtualbox

For Windows 10 with Hyper-V enabled you cannot use VirtualBox and can use the hyperv version: https://github.com/zubcevic/vagrant/tree/master/owasptools-hyperv

It just requires that you have some basic knowledge on how to install VirtualBox/Hyper-V and Vagrant.

WebGoat and ZAP

In the image on the desktop there are already links to open WebGoat. Firefox is configured in a way that all URL’s with http://www.webgoat.local and http://www.webwolf.local need to go through a running proxy server. For this you need to start either OWASP ZAP or BurpSuite using the desktop buttons. Firefox ignores the proxy for all links.

WebGoat is already running as a docker image.

After starting ZAP. Open the Firefox browser and go to: http://www.webgoat.local:8080/WebGoat

JuiceShop and ModSecurity CRS

If you have learned all about security using WebGoat and ZAP, you can now challenge yourself by trying to find al vulnerabilities in JuiceShop. Just point the browser to

Then as a next step, try to pass the same challenges when Mod Security is placed as a web application firewall between your browser and JuiceShop. Just point the browser to