Sheepdog
Sheepdog is a simple tool to generate normal and attack traffic for OWASP WebGoat. It can be used with security technologies like WAF and RASP in demonstrations and to verify that they are doing a tiny piece of what they are supposed to do. Sheepdog is not intended to be an exhaustive set of security tests. It has some basic SQL injection, XSS, path traversal, and that kind of thing.
Simply start WebGoat with:
java -jar webgoat-container-7.0.1-war-exec.jar
Then in another window start sheepdog with:
java -jar sheepdog-1.0.jar
There are several configurable properties that you can use to simulate a variety of crawls/attacks. Note that SheepDog sends an X-Forwarded-For header with random IP address for each attack thread.
Usage: java -jar sheepdog.jar
-t threads (default 3)
-s seconds (default 60)
-d delay milliseconds between requests (default -1)
-a attack percentage (default 50)
-p port for WebGoat (default 8080)
-v verbose
Sample usage
$ java -jar target/sheepdog-1.0-SNAPSHOT.jar -t 3 -s 3600 -d 1000 -a 50
Usage: java -jar sheepdog.jar [-t -s -d -a -p -v]
Using default value for flag 'p', using 8080
Starting 3 attack threads, each with:
3600 seconds
1000ms delay between requests
50% attack parameters
target: http://localhost:8080/WebGoat/
Starting AttackThread (110.104.52.59)
Starting AttackThread (93.65.24.224)
Starting AttackThread (161.144.64.146)
POST from 238.20.254.102 to http://localhost:8080/WebGoat/j_spring_security_check
[username=guest, password=guest]
HTTP/1.1 302 Found
POST from 93.65.24.224 to http://localhost:8080/WebGoat/j_spring_security_check
[username=guest, password=guest]
HTTP/1.1 302 Found
POST from 161.144.64.146 to http://localhost:8080/WebGoat/j_spring_security_check
[username=guest, password=guest]
HTTP/1.1 302 Found
POST from 161.144.64.146 to http://localhost:8080/WebGoat/attack?Screen=733&menu=1200
[SUBMIT=zoees822]
HTTP/1.1 200 OK
POST from 93.65.24.224 to http://localhost:8080/WebGoat/attack?Screen=534&menu=1900
[id=sztol903, SUBMIT=rjeee272]
HTTP/1.1 200 OK
POST from 161.144.64.146 to http://localhost:8080/WebGoat/attack?Screen=726&menu=200&stage=1
[action=' or 112=112--]
HTTP/1.1 200 OK
POST from 161.144.64.146 to http://localhost:8080/WebGoat/attack?Screen=737&menu=1100&stage=3
[action=' or 1+2=3 --]
HTTP/1.1 200 OK
POST from 93.65.24.224 to http://localhost:8080/WebGoat/attack?Screen=498&menu=1300
[clear_user=><script>alert(1)</script>, clear_pass=><script>alert(1)</script>, Submit=ctyna446]
HTTP/1.1 200 OK
Who made this?
This project is sponsored by Contrast Security and released under the MIT license.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent