WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. The project is available at Github and an official homepage.
This guide shows how to run WebGoat 8 container version on Azure Container Instances.
- An Azure subscription. To create a free account go here
- Azure Command Line (Azure CLI) installed on your machine. To install go here
- Azure DevOps account. To create account follow here
- Github account. To join Github go here
In Azure DevOps create the new project WebGoat
Clone WebGoat project to newly created project from the Github repository: https://github.com/WebGoat/WebGoat.git
Go to Repos from menu and choose or import a repository
When source code is imported to Azure Repos fix the Dockerfile with the proper WebGoat version's snapshot. To find the current snapshot version open pom.xml file located in the root directory and find line <version>v8.0.0.M25</version> (currently line is number 9 and Snapshot version is M25). After checking the proper version go to the directory webgoat-server and edit Dockerfile by replacing in line ARG webgoat_version=v8.0.0-SNAPSHOT SNAPSHOT to M25 (or other version pointed in pom.xml) so it should be ARG webgoat_version=v8.0.0.M25
Enable Multi-stage pipelines in Preview feautures by clicking on Azure DevOps user icon and choosing Preview feautures
This is important as Pipeline will be based fully on yml syntax for both: Build and Release pipelines.
Create an Azure container registry (ACR) to store WebGoat docker containers using Azure CLI. More information about ACR is here
Create Resource Group where all resources, including ACR will be located:
az group create --name webGoatRG --location westeurope
Create a container registry with admin user enabled:
az acr create --resource-group webGoatRG --name acrWebGoat --sku Basic --admin-enabled true --location westeurope
Create a Key Vault for storing sensitive keys and passwords like ACR username and password.
az keyvault create --name "webGoatKV" --resource-group "webGoatRG" --location westeurope
Open Key Vault and add ACR username and password as values:
- acrUsername - get ACR username from Access Keys tab in Azure portal
- acrPassword - get ACR password from Access Keys tab in Azure portal
Download azure-pipelines.yml from this repository: https://github.com/texnokot/WebGoatonAzureACI and upload it to the root directory of Azure Repos repository.
The pipeline contains two stages:
- Build - builds and pushes WebGoat container to the ACR
- DeployToDev - deploys pushed container from ACR to ACI. The first time running also creates ACI
CI/CD pipeline requires an access to ACR to be able to push containers and an access to Resource Group at least to create ACI. To allow this create 2 service connections.
Create Service connection for ACR by going Project settings and under Pipelines choose Service connections and New service connection. Choose Docker Registry and fill required lines under Azure Container Registry
Create Service connection for subscription by choosing Azure Resource Manager service connection. Choose proper subscription and resource group.
Open azure-pipelines.yml and replace variables with proper values:
- dockerRegistryServiceConnection - Connection name for ACR
- resourceGroup - Azure Resource Group where resources are located
- acrRegistry - FQDN name for ACR Registry (for example: acrwebgoat.azurecr.io)
- subscriptionConnection - Connection name for Azure subscription
- containerGroup - Container group name
- containerDNS - Contaner DNS label shall be unique
Add created Key Vault to Azure DevOps Project by creating new Variable group acrDetails under Pipelines -> Library.
Link to Key Vault and add required variables.
Go to Pipelines and check that pipeline has been automatically created. The first time it can fail and require manual authorization.
Authorize and Run pipeline. It will take some time for Maven task, but after it should create and deploy container to ACR and publish it to ACI.
Enjoy learning security issues with WebGoat solution.