
tamtam-fitness/play-modsecurity


play-modsecurity

What is this?

It is for learning web security through ModSecurity, which is a WAF (web application firewall) tool.

It runs ModSecurity in front of an intentionally insecure app (WebGoat).

This lets you practice protecting against vulnerabilities by writing ModSecurity rules.

How To Set Up

Run Containers

Run the command below to build and start the containers.

docker compose up -d --build

Restart Nginx Server

After the containers are running, you need to restart the nginx server (which includes ModSecurity) so that it can integrate with WebGoat.

Enter the nginx container and restart the server with the following commands.

docker exec -it modsec bash

/etc/init.d/nginx restart

Then you can access WebGoat at the URL below (wait about 30 seconds after running the commands above).

http://localhost/WebGoat

How To Change Rules

If you want to change the ModSecurity rules, update ./conf.d/ruleset.conf .

Then restart the nginx server as described above.

How To Try Easy Test

After logging in to WebGoat, type 'or 1=1 as a SQL injection payload, as in the image below.

(image: webgoat_login)

At this point ModSecurity may not recognize the attack, because its directives are still commented out.

Then uncomment the two directives below in ./conf.d/main.conf to enable it:

modsecurity on;
modsecurity_rules_file /etc/nginx/modsecurity/main.conf;

(image: main.conf)

After restarting nginx, retry 'or 1=1 and ModSecurity will recognize and block the attack.

(image: after_webgoat_login)
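As an added example (not a file from this repository), here is a minimal ruleset you could put in ./conf.d/ruleset.conf to detect and block the 'or 1=1 tautology used in the test above. It assumes the file is reached through the modsecurity_rules_file directive shown in main.conf, and that the rule id 1000001 and the audit log path /var/log/modsec_audit.log are not already used elsewhere in the container.

```apache
# Added example ruleset for ./conf.d/ruleset.conf (not the repository's own file).
# Assumes it is loaded via modsecurity_rules_file from main.conf.

# Blocking mode. Use "DetectionOnly" instead while tuning rules so that
# false positives are only logged, not denied.
SecRuleEngine On

# WebGoat's login form posts credentials in the request body, so body
# inspection must be on or the rule below will never see the payload.
SecRequestBodyAccess On

# Keep an audit record of blocked requests for review (path is an assumption).
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLog /var/log/modsec_audit.log

# Rule 1000001 (hypothetical id): a quote followed by "or N=N" in any
# request argument (query string or form field). The transformations
# URL-decode and lowercase the value before the pattern runs, so
# encoded or mixed-case variants like %27OR%201%3D1 are normalised first.
SecRule ARGS "@rx ['\"]\s*or\s*\d+\s*=\s*\d+" \
    "id:1000001,\
    phase:2,\
    t:none,t:urlDecodeUni,t:lowercase,\
    deny,status:403,\
    log,msg:'SQL injection tautology in %{MATCHED_VAR_NAME}',\
    logdata:'%{MATCHED_VAR}',\
    severity:CRITICAL,\
    tag:'sqli'"
```

After saving the file, restart nginx as described in "How To Change Rules"; the 'or 1=1 login attempt should then receive a 403 and appear in the audit log with the rule id and the matched parameter name. A regex this narrow only catches one SQL injection pattern, which is the point of the exercise; for real coverage you would load the OWASP Core Rule Set instead of hand-written signatures.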

Reference

About

2022 AIIT Secure Programming Group Work
