Thanks to Anthony Towry for suggesting this VM. I managed to get it installed on my ESXi host recently without too much trouble. Initially it wouldn't run but after converting it with VMWARE vCenter Converter it runs perfectly.
WebGoat wasn't exactly what I was expecting though. On the project homepage it is described like this:
"WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application."
I began the first lesson, HTTP Splitting, and it states in the lesson plan that Stage 1 teaches you how to do HTTP Splitting attacks while Stage 2 builds on that to teach you how to elevate HTTP Splitting to Cache Poisoning. But I am at a loss to find the actual lesson! As far as I can tell it doesn't actually teach you how to perform the attack; it just gives you a platform to perform the attack.
The solution video shows you how to complete the attack, but it doesn't explain why you are doing each stage. I'm not looking to be spoon-fed, but as a newbie to web application security I was hoping for a bit more information.
Am I missing something? An accompanying guide perhaps?
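For readers in the same position, the following is an added illustration of the mechanism behind the HTTP Splitting lesson mentioned above, written from the server's side; it is not WebGoat's code, and the function names and the sample redirect target are constructed for this example. It shows why a CR/LF pair inside a header value lets user input end one header line and start another, and the validation check that stops it.

```python
# Added example (not WebGoat's code): CR/LF in a header value breaks out of one
# header line; validating the value before it reaches the header prevents that.
CRLF = "\r\n"

def build_redirect_unsafe(location: str) -> str:
    """Concatenates a user-controlled value straight into the Location header."""
    return ("HTTP/1.1 302 Found" + CRLF
            + "Location: " + location + CRLF
            + "Content-Length: 0" + CRLF + CRLF)

def build_redirect_safe(location: str) -> str:
    """Same response, but refuses any value that carries a line terminator."""
    if "\r" in location or "\n" in location:
        raise ValueError("refusing CR/LF in header value")
    return build_redirect_unsafe(location)

def header_names(raw: str) -> list:
    """Parses the header block of a raw response and returns the header names
    in order, as a receiving proxy or browser would see them."""
    head = raw.split(CRLF + CRLF, 1)[0]
    lines = head.split(CRLF)[1:]          # drop the status line
    return [line.split(":", 1)[0] for line in lines if ":" in line]

# Constructed input: a redirect target that ends its own line and starts another.
TAINTED = "/home" + CRLF + "Set-Cookie: injected=1"

def demo():
    """Returns the headers a client sees from the unsafe builder, and whether
    the safe builder rejected the same input."""
    unsafe = header_names(build_redirect_unsafe(TAINTED))
    try:
        build_redirect_safe(TAINTED)
        safe_rejected = False
    except ValueError:
        safe_rejected = True
    return unsafe, safe_rejected

if __name__ == "__main__":
    print(demo())   # (['Location', 'Set-Cookie', 'Content-Length'], True)
```

The extra Set-Cookie line in the unsafe output is the point of Stage 1: anything the value controls after the CRLF becomes part of the response, which is why validating header values at the point they are built is the fix.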
