You only need WebWolf if you a lesson specifies you can use it. For a lot of lessons you use WebGoat without starting WebWolf. If you need to do an exercise with WebWolf make sure it is running along side with WebGoat. Lessons where you can use WebWolf are marked with the following icon (top right in assignment):

Even if the icon the present your are not obliged to use WebWolf, you can also use any intercepting tool you like, like netcat etc.

WebWolf is a separate web application which simulates an attackers machine. It makes it possible for us to make a clear distinction between what takes place on the attacked website and the actions you need to do as an "attacker". WebWolf was introduced after a couple of workshops where we received feedback about the fact there was no clear distinction between what was part of the "attackers" role and what was part of the "users" role on the website. The following items are supported in WebWolf:

  • Hosting a file

  • Receiving email

  • Landing page for incoming requests