dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update instructions to use docker-compose only

Browse Source
This commit is contained in:
Nanne Baars 2018-07-17 20:17:35 +02:00
parent 63a50df7a1
commit 1252e3dc21
36 changed files with 99 additions and 90 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
.gitignore vendored
View File

@ -46,4 +46,8 @@ webgoat-lessons/vulnerable-components/dependency-reduced-pom.xml
**/.vscode/*
**/.factorypath
/.sonatype
**/bin/*
**/bin/*
webgoat.lck
webgoat.log
webgoat.properties
webgoat.script

43
README.MD
View File

@ -34,7 +34,7 @@ first thing that all hackers claim.*
Download the latest WebGoat release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
```Shell
java -jar webgoat-server-<<version>>.jar [--server.port=8080] [--server.address=localhost]
java -jar webgoat-server-8.0.0.VERSION.jar [--server.port=8080] [--server.address=localhost]
```
By default WebGoat starts on port 8080 with `--server.port` you can specify a different port. With `server.address` you
@ -48,40 +48,21 @@ java --add-modules java.xml.bind -jar webgoat-server-8.0.0.VERSION.jar
## 2. Run using Docker
From time to time we publish a new development preview of WebGoat 8 on Docker HUB, you can download this version
[https://hub.docker.com/r/webgoat/webgoat-8.0/](https://hub.docker.com/r/webgoat/webgoat-8.0/).
First install Docker, then open a command shell/window and type:
Every release is also published on [DockerHub]((https://hub.docker.com/r/webgoat/webgoat-8.0/)).
```Shell
docker pull webgoat/webgoat-8.0
docker run -p 8080:8080 -it webgoat/webgoat-8.0 /home/webgoat/start.sh
### Using docker-compose
The easiest way to start WebGoat as a Docker container is to use the `docker-compose.yml` [file](https://raw.githubusercontent.com/WebGoat/WebGoat/develop/docker-compose.yml)
from our Github repository. This will start both containers and it also takes care of setting up the
connection between WebGoat and WebWolf.
```shell
curl https://raw.githubusercontent.com/WebGoat/WebGoat/develop/docker-compose.yml | docker-compose -f - up
```
If you want to keep the database between Docker sessions you need to map the WebGoat data directory to a
folder on the host system as follows:
```Shell
docker run -p 8080:8080 -it -v /tmp/webgoat-data:/home/webgoat/.webgoat-${VERSION} webgoat/webgoat-8.0 /home/webgoat/start.sh
```
where `${VERSION}` is for example `v8.0.0.M14`. The data will now be stored in `/tmp/webgoat-data` on your host system.
Wait for the Docker container to start, and run `docker ps` to verify it's running.
- If you are using `docker-machine`, verify the machine IP using `docker-machine env`
- If you are using `boot2docker` on OSX, verify the IP by running `docker network inspect bridge`
- Otherwise, the host will be bound to localhost
Once you have the IP and port, you'll want to navigate to the `/WebGoat` path in the URL. For example:
```
http://192.168.99.100:8080/WebGoat
```
Here you'll be able to register a new user and get started.
_Please note: this version may not be completely in sync with the develop branch._
**Important**: the current directory on your host will be mapped into the container for keeping state.
Using the `docker-compose` file will simplify getting WebGoat and WebWolf up and running.
## 3. Run from the sources

18
docker-compose-local.yml Normal file
View File

@ -0,0 +1,18 @@
version: '2.1'
services:
webgoat:
image: webgoat/webgoat-v8.0.0.snapshot
environment:
- WEBWOLF_HOST=webwolf
- WEBWOLF_PORT=9090
ports:
- "8080:8080"
volumes:
- .:/home/webgoat/.webgoat
command: "java -Djava.security.egd=file:/dev/./urandom -jar /home/webgoat/webgoat.jar --server.address=0.0.0.0 --server.port=8080"
webwolf:
image: webgoat/webwolf-v8.0.0.snapshot
ports:
- "9090:9090"
command: bash -c "sleep 8 && java -Djava.security.egd=file:/dev/./urandom -jar /home/webwolf/webwolf.jar --server.port=9090 --server.address=0.0.0.0 --spring.datasource.url=jdbc:hsqldb:hsql://webgoat:9001/webgoat"

5
docker-compose-postgres.yml
View File

@ -12,6 +12,8 @@ services:
- spring.datasource.password=webgoat
- spring.datasource.driver-class-name=org.postgresql.Driver
- spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL94Dialect
- webgoat.server.directory=/home/webgoat/.webgoat/
- webgoat.user.directory=/home/webgoat/.webgoat/
ports:
- "8080:8080"
webwolf:
@ -27,6 +29,9 @@ services:
db:
container_name: webgoat_db
image: postgres:latest
# Uncomment to store the state of the database on the host.
# volumes:
# - ./database:/var/lib/postgresql
environment:
- POSTGRES_PASSWORD=webgoat
- POSTGRES_USER=webgoat

19
docker-compose.yml
View File

@ -6,24 +6,13 @@ services:
environment:
- WEBWOLF_HOST=webwolf
- WEBWOLF_PORT=9090
- spring.datasource.url=jdbc:hsqldb:hsql://webgoat_db:9001/webgoat
ports:
- "8080:8080"
depends_on:
- db
volumes:
- .:/home/webgoat/.webgoat
command: "java -Djava.security.egd=file:/dev/./urandom -jar /home/webgoat/webgoat.jar --server.address=0.0.0.0"
webwolf:
image: webgoat/webwolf
environment:
- spring.datasource.url=jdbc:hsqldb:hsql://webgoat_db:9001/webgoat
ports:
- "9090:9090"
depends_on:
- db
db:
image: blacklabelops/hsqldb
container_name: webgoat_db
environment:
- HSQLDB_TRACE=false
- HSQLDB_SILENT=true
- HSQLDB_DATABASE_NAME=webgoat
- HSQLDB_DATABASE_ALIAS=webgoat
command: bash -c "sleep 8 && java -Djava.security.egd=file:/dev/./urandom -jar /home/webwolf/webwolf.jar --server.port=9090 --server.address=0.0.0.0 --spring.datasource.url=jdbc:hsqldb:hsql://webgoat_db:9001/webgoat"

2
pom.xml
View File

@ -6,7 +6,7 @@
<groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-parent</artifactId>
<packaging>pom</packaging>
<version>v8.0.0.M20</version>
<version>v8.0.0.SNAPSHOT</version>
<name>WebGoat Parent Pom</name>
<description>Parent Pom for the WebGoat Project. A deliberately insecure Web Application</description>

18
scripts/start.sh Normal file
View File

@ -0,0 +1,18 @@
#!/usr/bin/env bash
DATABASE_PORT=9001
checkDatabaseAvailable(){
#for i in $(seq 1 5); do command && s=0 && break || s=$? && sleep 15; done; (exit $s)
local started = $(netstat -lnt | grep ${DATABASE_PORT})
echo $?
}
#java -Djava.security.egd=file:/dev/./urandom -jar home/webgoat/webgoat.jar --server.address=0.0.0.0
$(checkDatabaseAvailable)
#java -Djava.security.egd=file:/dev/./urandom -jar /home/webwolf/webwolf.jar --server.port=9090 --server.address=0.0.0.0

2
webgoat-container/pom.xml
View File

@ -10,7 +10,7 @@
<parent>
<groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-parent</artifactId>
<version>v8.0.0.M20</version>
<version>v8.0.0.SNAPSHOT</version>
</parent>
<profiles>

2
webgoat-lessons/auth-bypass/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M20</version>
<version>v8.0.0.SNAPSHOT</version>
</parent>
</project>

2
webgoat-lessons/bypass-restrictions/pom.xml
View File

@ -6,6 +6,6 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M20</version>
<version>v8.0.0.SNAPSHOT</version>
</parent>
</project>

2
webgoat-lessons/challenge/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M20</version>
<version>v8.0.0.SNAPSHOT</version>
</parent>

2
webgoat-lessons/client-side-filtering/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M20</version>
<version>v8.0.0.SNAPSHOT</version>
</parent>
</project>

2
webgoat-lessons/cross-site-scripting/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M20</version>
<version>v8.0.0.SNAPSHOT</version>
</parent>
<build>
<plugins>

2
webgoat-lessons/csrf/pom.xml
View File

@ -6,6 +6,6 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M20</version>
<version>v8.0.0.SNAPSHOT</version>
</parent>
</project>

2
webgoat-lessons/html-tampering/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M20</version>
<version>v8.0.0.SNAPSHOT</version>
</parent>
<dependencies>

2
webgoat-lessons/http-basics/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M20</version>
<version>v8.0.0.SNAPSHOT</version>
</parent>
</project>

2
webgoat-lessons/http-proxies/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M20</version>
<version>v8.0.0.SNAPSHOT</version>
</parent>
<dependencies>

2
webgoat-lessons/idor/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M20</version>
<version>v8.0.0.SNAPSHOT</version>
</parent>
</project>

2
webgoat-lessons/insecure-deserialization/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M20</version>
<version>v8.0.0.SNAPSHOT</version>
</parent>
<dependencies>

2
webgoat-lessons/insecure-login/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M20</version>
<version>v8.0.0.SNAPSHOT</version>
</parent>
<dependencies>

2
webgoat-lessons/jwt/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M20</version>
<version>v8.0.0.SNAPSHOT</version>
</parent>
<dependencies>

2
webgoat-lessons/missing-function-ac/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M20</version>
<version>v8.0.0.SNAPSHOT</version>
</parent>
</project>

2
webgoat-lessons/password-reset/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M20</version>
<version>v8.0.0.SNAPSHOT</version>
</parent>
<dependencies>

4
webgoat-lessons/pom.xml
View File

@ -5,12 +5,12 @@
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<packaging>pom</packaging>
<version>v8.0.0.M20</version>
<version>v8.0.0.SNAPSHOT</version>
<parent>
<groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-parent</artifactId>
<version>v8.0.0.M20</version>
<version>v8.0.0.SNAPSHOT</version>
</parent>
<modules>

2
webgoat-lessons/sql-injection/pom.xml
View File

@ -6,6 +6,6 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M20</version>
<version>v8.0.0.SNAPSHOT</version>
</parent>
</project>

2
webgoat-lessons/vulnerable-components/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M20</version>
<version>v8.0.0.SNAPSHOT</version>
</parent>
<dependencies>
<dependency>

2
webgoat-lessons/webgoat-introduction/pom.xml
View File

@ -6,6 +6,6 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M20</version>
<version>v8.0.0.SNAPSHOT</version>
</parent>
</project>

2
webgoat-lessons/webwolf-introduction/pom.xml
View File

@ -6,6 +6,6 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M20</version>
<version>v8.0.0.SNAPSHOT</version>
</parent>
</project>

16
webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc
View File

@ -23,8 +23,8 @@ website. The following items are supported in WebWolf:
* Receiving email
* Landing page for incoming requests
WebWolf runs as a separate web application and is started automatically when using the Docker image. If you
are not using the Docker image you will need to download the jar file and start it:
WebWolf runs as a separate web application. If you are using the Docker-compose file you can just point your browser webWolfLink:here[] to open WebWolf.
If you want to use the standalone version, you will need to download the jar file and start it:
```
java -jar webwolf-<<version>>.jar [--server.port=9090] [--server.address=localhost]
@ -33,17 +33,7 @@ java -jar webwolf-<<version>>.jar [--server.port=9090] [--server.address=localho
By default WebWolf starts on port 9090 with `--server.port` you can specify a different port. With `server.address` you
can bind it to a different address (default localhost)
WebWolf is also available as a Docker container, because it shares the database with WebGoat we first need
to find out the ip address of the Docker container.
```
WEBGOAT_SERVER_ADDRESS=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" `docker ps | grep webgoat | awk '{print $1}'`)
docker pull webgoat/webwolf
docker run -e webgoat.server.address=${WEBGOAT_SERVER_ADDRESS} -it -p 9090:9090 webgoat/webwolf /home/webwolf/run.sh
```
Note: if you start WebGoat as standalone application you need to start WebWolf as standalone application as well. If
you start WebGoat as Docker container you need to start WebWolf as Docker container as well.
Note: if you start WebGoat as standalone application you need to start WebWolf as standalone application as well.
This will start the application on port 9090, click webWolfLink:here[] to open WebWolf.

2
webgoat-lessons/xxe/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M20</version>
<version>v8.0.0.SNAPSHOT</version>
</parent>
<dependencies>

1
webgoat-server/Dockerfile
View File

@ -10,5 +10,4 @@ USER webgoat
RUN cd /home/webgoat/; mkdir -p .webgoat-${webgoat_version}
COPY target/webgoat-server-${webgoat_version}.jar /home/webgoat/webgoat.jar
ENTRYPOINT ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar", "/home/webgoat/webgoat.jar", "--server.address=0.0.0.0"]
EXPOSE 8080

2
webgoat-server/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-parent</artifactId>
<version>v8.0.0.M20</version>
<version>v8.0.0.SNAPSHOT</version>
</parent>
<properties>

4
webgoat-server/src/main/java/org/owasp/webgoat/HSQLDBDatabaseConfig.java
View File

@ -1,5 +1,6 @@
package org.owasp.webgoat;
import lombok.extern.slf4j.Slf4j;
import org.hsqldb.server.Server;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
@ -17,6 +18,7 @@ import javax.sql.DataSource;
* JVM. This can only be done if you start a standalone HSQLDB. We need both WebWolf and WebGoat to use the same database
*/
@Configuration
@Slf4j
@ConditionalOnProperty(prefix = "webgoat.start", name = "hsqldb", havingValue = "true")
public class HSQLDBDatabaseConfig {
@ -27,7 +29,7 @@ public class HSQLDBDatabaseConfig {
public Server hsqlStandalone(@Value("${webgoat.server.directory}") String directory,
@Value("${hsqldb.silent:true}") boolean silent,
@Value("${hsqldb.trace:false}") boolean trace) {
log.info("Starting internal database on port {} ...", hsqldbPort);
Server server = new Server();
server.setDatabaseName(0, "webgoat");
server.setDatabasePath(0, directory + "/data/webgoat");

5
webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java
View File

@ -24,17 +24,22 @@
*/
package org.owasp.webgoat;
import lombok.extern.slf4j.Slf4j;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
/**
* Main entry point, this project is here to get all the lesson jars included to the final jar file
*
* @author nbaars
* @date 2/21/17
*/
@SpringBootApplication
@Slf4j
public class StartWebGoat {
public static void main(String[] args) {
log.info("Starting WebGoat with args: {}", args);
SpringApplication.run(WebGoat.class, args);
}
}

2
webwolf/Dockerfile
View File

@ -9,6 +9,4 @@ RUN \
USER webwolf
COPY target/webwolf-${webwolf_version}.jar /home/webwolf/webwolf.jar
ENTRYPOINT ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar", "/home/webwolf/webwolf.jar", "--server.port=9090", "--server.address=0.0.0.0"]
EXPOSE 9090

2
webwolf/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-parent</artifactId>
<version>v8.0.0.M20</version>
<version>v8.0.0.SNAPSHOT</version>
</parent>
<dependencies>