diff --git a/.gitignore b/.gitignore
index 32b59f04e..549b59a14 100644
--- a/.gitignore
+++ b/.gitignore
@@ -46,4 +46,8 @@ webgoat-lessons/vulnerable-components/dependency-reduced-pom.xml
 **/.vscode/*
 **/.factorypath
 /.sonatype
-**/bin/*
\ No newline at end of file
+**/bin/*
+webgoat.lck
+webgoat.log
+webgoat.properties
+webgoat.script
\ No newline at end of file
diff --git a/README.MD b/README.MD
index e47961d5e..3290fbee4 100644
--- a/README.MD
+++ b/README.MD
@@ -34,7 +34,7 @@ first thing that all hackers claim.*
 Download the latest WebGoat release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
 ```Shell
-java -jar webgoat-server-<>.jar [--server.port=8080] [--server.address=localhost]
+java -jar webgoat-server-8.0.0.VERSION.jar [--server.port=8080] [--server.address=localhost]
 ```
 By default WebGoat starts on port 8080 with `--server.port` you can specify a different port. With `server.address` you
@@ -48,40 +48,21 @@ java --add-modules java.xml.bind -jar webgoat-server-8.0.0.VERSION.jar
 ## 2. Run using Docker
-From time to time we publish a new development preview of WebGoat 8 on Docker HUB, you can download this version
-[https://hub.docker.com/r/webgoat/webgoat-8.0/](https://hub.docker.com/r/webgoat/webgoat-8.0/).
-First install Docker, then open a command shell/window and type:
+Every release is also published on [DockerHub]((https://hub.docker.com/r/webgoat/webgoat-8.0/)).
-```Shell
-docker pull webgoat/webgoat-8.0
-docker run -p 8080:8080 -it webgoat/webgoat-8.0 /home/webgoat/start.sh
+### Using docker-compose
+
+The easiest way to start WebGoat as a Docker container is to use the `docker-compose.yml` [file](https://raw.githubusercontent.com/WebGoat/WebGoat/develop/docker-compose.yml)
+from our Github repository. This will start both containers and it also takes care of setting up the
+connection between WebGoat and WebWolf.
+
+```shell
+curl https://raw.githubusercontent.com/WebGoat/WebGoat/develop/docker-compose.yml | docker-compose -f - up
 ```
-If you want to keep the database between Docker sessions you need to map the WebGoat data directory to a
-folder on the host system as follows:
-
-```Shell
-docker run -p 8080:8080 -it -v /tmp/webgoat-data:/home/webgoat/.webgoat-${VERSION} webgoat/webgoat-8.0 /home/webgoat/start.sh
-```
-
-where `${VERSION}` is for example `v8.0.0.M14`. The data will now be stored in `/tmp/webgoat-data` on your host system.
-
-Wait for the Docker container to start, and run `docker ps` to verify it's running.
-
-- If you are using `docker-machine`, verify the machine IP using `docker-machine env`
-- If you are using `boot2docker` on OSX, verify the IP by running `docker network inspect bridge`
-- Otherwise, the host will be bound to localhost
-
-Once you have the IP and port, you'll want to navigate to the `/WebGoat` path in the URL.
For example:
-
- ```
- http://192.168.99.100:8080/WebGoat
- ```
-
- Here you'll be able to register a new user and get started.
-
- _Please note: this version may not be completely in sync with the develop branch._
+**Important**: the current directory on your host will be mapped into the container for keeping state.
+Using the `docker-compose` file will simplify getting WebGoat and WebWolf up and running.
 ## 3. Run from the sources
diff --git a/docker-compose-local.yml b/docker-compose-local.yml
new file mode 100644
index 000000000..f65bea120
--- /dev/null
+++ b/docker-compose-local.yml
@@ -0,0 +1,18 @@
+version: '2.1'
+
+services:
+ webgoat:
+ image: webgoat/webgoat-v8.0.0.snapshot
+ environment:
+ - WEBWOLF_HOST=webwolf
+ - WEBWOLF_PORT=9090
+ ports:
+ - "8080:8080"
+ volumes:
+ - .:/home/webgoat/.webgoat
+ command: "java -Djava.security.egd=file:/dev/./urandom -jar /home/webgoat/webgoat.jar --server.address=0.0.0.0 --server.port=8080"
+ webwolf:
+ image: webgoat/webwolf-v8.0.0.snapshot
+ ports:
+ - "9090:9090"
+ command: bash -c "sleep 8 && java -Djava.security.egd=file:/dev/./urandom -jar /home/webwolf/webwolf.jar --server.port=9090 --server.address=0.0.0.0 --spring.datasource.url=jdbc:hsqldb:hsql://webgoat:9001/webgoat"
diff --git a/docker-compose-postgres.yml b/docker-compose-postgres.yml
index 919cbd509..56c9a707c 100644
--- a/docker-compose-postgres.yml
+++ b/docker-compose-postgres.yml
@@ -12,6 +12,8 @@ services:
 - spring.datasource.password=webgoat
 - spring.datasource.driver-class-name=org.postgresql.Driver
 - spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL94Dialect
+ - webgoat.server.directory=/home/webgoat/.webgoat/
+ - webgoat.user.directory=/home/webgoat/.webgoat/
 ports:
 - "8080:8080"
 webwolf:
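Review bot: The webwolf `command: bash -c "sleep 8 && java …"` line uses a fixed delay as the only ordering between WebWolf and the HSQLDB listener that WebGoat exposes on `webgoat:9001`; on a slow host WebWolf starts before the port is open and fails on its `--spring.datasource.url`, on a fast one it just waits. Because the file declares `version: '2.1'`, the ordering can be stated directly with a `healthcheck` on the webgoat service and `depends_on` with `condition: service_healthy` on webwolf, probing the database port rather than guessing (the `/dev/tcp` redirection below assumes the image's bash was built with it enabled, as the Debian packages are). The docker-compose.yml hunk further down carries the same `sleep 8`. Note also that `volumes: - .:/home/webgoat/.webgoat` writes the HSQLDB files, and with them whatever the lessons persist, into whatever directory `docker-compose` happens to be run from; the README hunk says so, the file itself does not, so a one-line comment above `volumes:` would help.
```yaml
  webgoat:
    # … unchanged: image, environment, ports, volumes, command …
    healthcheck:
      test: ["CMD", "bash", "-c", "exec 3<>/dev/tcp/localhost/9001"]
      interval: 5s
      timeout: 3s
      retries: 12
  webwolf:
    image: webgoat/webwolf-v8.0.0.snapshot
    depends_on:
      webgoat:
        condition: service_healthy
    # … unchanged: ports …
    command: "java -Djava.security.egd=file:/dev/./urandom -jar /home/webwolf/webwolf.jar --server.port=9090 --server.address=0.0.0.0 --spring.datasource.url=jdbc:hsqldb:hsql://webgoat:9001/webgoat"
```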
@@ -27,6 +29,9 @@ services:
 db:
 container_name: webgoat_db
 image: postgres:latest
+# Uncomment to store the state of the database on the host.
+# volumes:
+# - ./database:/var/lib/postgresql
 environment:
 - POSTGRES_PASSWORD=webgoat
 - POSTGRES_USER=webgoat
diff --git a/docker-compose.yml b/docker-compose.yml
index 725195504..a4e888edb 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -6,24 +6,13 @@ services:
 environment:
 - WEBWOLF_HOST=webwolf
 - WEBWOLF_PORT=9090
- - spring.datasource.url=jdbc:hsqldb:hsql://webgoat_db:9001/webgoat
 ports:
 - "8080:8080"
- depends_on:
- - db
+ volumes:
+ - .:/home/webgoat/.webgoat
+ command: "java -Djava.security.egd=file:/dev/./urandom -jar /home/webgoat/webgoat.jar --server.address=0.0.0.0"
 webwolf:
 image: webgoat/webwolf
- environment:
- - spring.datasource.url=jdbc:hsqldb:hsql://webgoat_db:9001/webgoat
 ports:
 - "9090:9090"
- depends_on:
- - db
- db:
- image: blacklabelops/hsqldb
- container_name: webgoat_db
- environment:
- - HSQLDB_TRACE=false
- - HSQLDB_SILENT=true
- - HSQLDB_DATABASE_NAME=webgoat
- - HSQLDB_DATABASE_ALIAS=webgoat
+ command: bash -c "sleep 8 && java -Djava.security.egd=file:/dev/./urandom -jar /home/webwolf/webwolf.jar --server.port=9090 --server.address=0.0.0.0 --spring.datasource.url=jdbc:hsqldb:hsql://webgoat_db:9001/webgoat"
diff --git a/pom.xml b/pom.xml
index aa855b919..206ecb2ed 100644
--- a/pom.xml
+++ b/pom.xml
@@ -6,7 +6,7 @@ org.owasp.webgoat webgoat-parent pom
- v8.0.0.M20
+ v8.0.0.SNAPSHOT
 WebGoat Parent Pom Parent Pom for the WebGoat Project. A deliberately insecure Web Application
diff --git a/scripts/start.sh b/scripts/start.sh
new file mode 100644
index 000000000..3380882af
--- /dev/null
+++ b/scripts/start.sh
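Review bot: The new webwolf `command` still targets `jdbc:hsqldb:hsql://webgoat_db:9001/webgoat`, but the same hunk deletes the `db` service that carried `container_name: webgoat_db`; unless the webgoat service (its header lies above the hunk) now declares `container_name: webgoat_db`, that hostname no longer resolves on the compose network and WebWolf cannot reach the database. docker-compose-local.yml in this commit addresses the service by name instead, which compose resolves by default: `--spring.datasource.url=jdbc:hsqldb:hsql://webgoat:9001/webgoat`. A second gap: docker-compose-postgres.yml sets `webgoat.server.directory=/home/webgoat/.webgoat/` and `webgoat.user.directory=/home/webgoat/.webgoat/` explicitly, while this file only mounts `.:/home/webgoat/.webgoat` and the Dockerfile creates `.webgoat-${webgoat_version}`, so nothing on the page shows that the application actually writes its state into the mounted path; adding the same two environment entries here would make the persistence the README promises explicit.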
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+DATABASE_PORT=9001
+
+checkDatabaseAvailable(){
+
+ #for i in $(seq 1 5); do command && s=0 && break || s=$? && sleep 15; done; (exit $s)
+ local started = $(netstat -lnt | grep ${DATABASE_PORT})
+ echo $?
+}
+
+#java -Djava.security.egd=file:/dev/./urandom -jar home/webgoat/webgoat.jar --server.address=0.0.0.0
+$(checkDatabaseAvailable)
+
+
+#java -Djava.security.egd=file:/dev/./urandom -jar /home/webwolf/webwolf.jar --server.port=9090 --server.address=0.0.0.0
+
+
diff --git a/webgoat-container/pom.xml b/webgoat-container/pom.xml
index 8821d469d..11edb880f 100644
--- a/webgoat-container/pom.xml
+++ b/webgoat-container/pom.xml
@@ -10,7 +10,7 @@ org.owasp.webgoat webgoat-parent
- v8.0.0.M20
+ v8.0.0.SNAPSHOT
diff --git a/webgoat-lessons/auth-bypass/pom.xml b/webgoat-lessons/auth-bypass/pom.xml
index 460175912..6e63139a2 100644
--- a/webgoat-lessons/auth-bypass/pom.xml
+++ b/webgoat-lessons/auth-bypass/pom.xml
@@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent
- v8.0.0.M20
+ v8.0.0.SNAPSHOT
diff --git a/webgoat-lessons/bypass-restrictions/pom.xml b/webgoat-lessons/bypass-restrictions/pom.xml
index 0d81dd53a..29f56754c 100755
--- a/webgoat-lessons/bypass-restrictions/pom.xml
+++ b/webgoat-lessons/bypass-restrictions/pom.xml
@@ -6,6 +6,6 @@ org.owasp.webgoat.lesson webgoat-lessons-parent
- v8.0.0.M20
+ v8.0.0.SNAPSHOT
diff --git a/webgoat-lessons/challenge/pom.xml b/webgoat-lessons/challenge/pom.xml
index 58f7f9daa..b8f9144c9 100644
--- a/webgoat-lessons/challenge/pom.xml
+++ b/webgoat-lessons/challenge/pom.xml
@@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent
- v8.0.0.M20
+ v8.0.0.SNAPSHOT
diff --git a/webgoat-lessons/client-side-filtering/pom.xml b/webgoat-lessons/client-side-filtering/pom.xml
index 7f37c3064..485e42b76 100644
--- a/webgoat-lessons/client-side-filtering/pom.xml
+++ b/webgoat-lessons/client-side-filtering/pom.xml
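Review bot: `local started = $(netstat -lnt | grep ${DATABASE_PORT})` never assigns anything: with spaces around `=`, bash hands `=` and the grep output to `local` as further names to declare and fails with `not a valid identifier`, so the `echo $?` on the next line reports the status of `local`, not whether the port was found. The call site `$(checkDatabaseAvailable)` then tries to execute the printed digit as a command instead of testing it. Letting the grep status be the function's result and branching on it fixes both: `checkDatabaseAvailable(){ netstat -lnt | grep -q ":${DATABASE_PORT}"; }` with `if checkDatabaseAvailable; then …; fi` at the call site, where the leading `:` keeps `9001` from matching other columns of the netstat output (`netstat` is also absent from many slim images; `ss -lnt` or bash's `/dev/tcp` are alternatives). As committed the script is inert anyway: both `java` lines are commented out and no Dockerfile hunk on this page copies `scripts/start.sh` into an image.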
@@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent
- v8.0.0.M20
+ v8.0.0.SNAPSHOT
diff --git a/webgoat-lessons/cross-site-scripting/pom.xml b/webgoat-lessons/cross-site-scripting/pom.xml
index a18aa3720..b8c1021ff 100644
--- a/webgoat-lessons/cross-site-scripting/pom.xml
+++ b/webgoat-lessons/cross-site-scripting/pom.xml
@@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent
- v8.0.0.M20
+ v8.0.0.SNAPSHOT
diff --git a/webgoat-lessons/csrf/pom.xml b/webgoat-lessons/csrf/pom.xml
index 49658a14c..cc8d429c5 100644
--- a/webgoat-lessons/csrf/pom.xml
+++ b/webgoat-lessons/csrf/pom.xml
@@ -6,6 +6,6 @@ org.owasp.webgoat.lesson webgoat-lessons-parent
- v8.0.0.M20
+ v8.0.0.SNAPSHOT
\ No newline at end of file
diff --git a/webgoat-lessons/html-tampering/pom.xml b/webgoat-lessons/html-tampering/pom.xml
index 47cf3df7b..2c7fe60c0 100755
--- a/webgoat-lessons/html-tampering/pom.xml
+++ b/webgoat-lessons/html-tampering/pom.xml
@@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent
- v8.0.0.M20
+ v8.0.0.SNAPSHOT
diff --git a/webgoat-lessons/http-basics/pom.xml b/webgoat-lessons/http-basics/pom.xml
index 9d112c91b..9fdf8d13b 100644
--- a/webgoat-lessons/http-basics/pom.xml
+++ b/webgoat-lessons/http-basics/pom.xml
@@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent
- v8.0.0.M20
+ v8.0.0.SNAPSHOT
diff --git a/webgoat-lessons/http-proxies/pom.xml b/webgoat-lessons/http-proxies/pom.xml
index 72aafac2f..a78c58090 100644
--- a/webgoat-lessons/http-proxies/pom.xml
+++ b/webgoat-lessons/http-proxies/pom.xml
@@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent
- v8.0.0.M20
+ v8.0.0.SNAPSHOT
diff --git a/webgoat-lessons/idor/pom.xml b/webgoat-lessons/idor/pom.xml
index a147a7f9d..6620f6920 100644
--- a/webgoat-lessons/idor/pom.xml
+++ b/webgoat-lessons/idor/pom.xml
@@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent
- v8.0.0.M20
+ v8.0.0.SNAPSHOT
\ No newline at end of file
diff --git a/webgoat-lessons/insecure-deserialization/pom.xml b/webgoat-lessons/insecure-deserialization/pom.xml
index cf9f62c28..68a95c885 100755
--- a/webgoat-lessons/insecure-deserialization/pom.xml
+++ b/webgoat-lessons/insecure-deserialization/pom.xml
@@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent
- v8.0.0.M20
+ v8.0.0.SNAPSHOT
diff --git a/webgoat-lessons/insecure-login/pom.xml b/webgoat-lessons/insecure-login/pom.xml
index 7e392e4d5..ed6bd358e 100755
--- a/webgoat-lessons/insecure-login/pom.xml
+++ b/webgoat-lessons/insecure-login/pom.xml
@@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent
- v8.0.0.M20
+ v8.0.0.SNAPSHOT
diff --git a/webgoat-lessons/jwt/pom.xml b/webgoat-lessons/jwt/pom.xml
index ce32296b1..ec6861190 100644
--- a/webgoat-lessons/jwt/pom.xml
+++ b/webgoat-lessons/jwt/pom.xml
@@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent
- v8.0.0.M20
+ v8.0.0.SNAPSHOT
diff --git a/webgoat-lessons/missing-function-ac/pom.xml b/webgoat-lessons/missing-function-ac/pom.xml
index 7ac4b0b5f..8b266b4c2 100644
--- a/webgoat-lessons/missing-function-ac/pom.xml
+++ b/webgoat-lessons/missing-function-ac/pom.xml
@@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent
- v8.0.0.M20
+ v8.0.0.SNAPSHOT
diff --git a/webgoat-lessons/password-reset/pom.xml b/webgoat-lessons/password-reset/pom.xml
index ec760f813..5e78f3b0e 100644
--- a/webgoat-lessons/password-reset/pom.xml
+++ b/webgoat-lessons/password-reset/pom.xml
@@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent
- v8.0.0.M20
+ v8.0.0.SNAPSHOT
diff --git a/webgoat-lessons/pom.xml b/webgoat-lessons/pom.xml
index e3e19e957..e5f66efdf 100644
--- a/webgoat-lessons/pom.xml
+++ b/webgoat-lessons/pom.xml
@@ -5,12 +5,12 @@ org.owasp.webgoat.lesson webgoat-lessons-parent pom
- v8.0.0.M20
+ v8.0.0.SNAPSHOT
 org.owasp.webgoat webgoat-parent
- v8.0.0.M20
+ v8.0.0.SNAPSHOT
diff --git a/webgoat-lessons/sql-injection/pom.xml b/webgoat-lessons/sql-injection/pom.xml
index 32bc48b23..46677291d 100644
--- a/webgoat-lessons/sql-injection/pom.xml
+++ b/webgoat-lessons/sql-injection/pom.xml
@@ -6,6 +6,6 @@ org.owasp.webgoat.lesson webgoat-lessons-parent
- v8.0.0.M20
+ v8.0.0.SNAPSHOT
\ No newline at end of file
diff --git a/webgoat-lessons/vulnerable-components/pom.xml b/webgoat-lessons/vulnerable-components/pom.xml
index b38a8e124..df1c57c62 100644
--- a/webgoat-lessons/vulnerable-components/pom.xml
+++ b/webgoat-lessons/vulnerable-components/pom.xml
@@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent
- v8.0.0.M20
+ v8.0.0.SNAPSHOT
diff --git a/webgoat-lessons/webgoat-introduction/pom.xml b/webgoat-lessons/webgoat-introduction/pom.xml
index 864d625a2..d4e2db171 100644
--- a/webgoat-lessons/webgoat-introduction/pom.xml
+++ b/webgoat-lessons/webgoat-introduction/pom.xml
@@ -6,6 +6,6 @@ org.owasp.webgoat.lesson webgoat-lessons-parent
- v8.0.0.M20
+ v8.0.0.SNAPSHOT
\ No newline at end of file
diff --git a/webgoat-lessons/webwolf-introduction/pom.xml b/webgoat-lessons/webwolf-introduction/pom.xml
index ef1890980..22745b96a 100644
--- a/webgoat-lessons/webwolf-introduction/pom.xml
+++ b/webgoat-lessons/webwolf-introduction/pom.xml
@@ -6,6 +6,6 @@ org.owasp.webgoat.lesson webgoat-lessons-parent
- v8.0.0.M20
+ v8.0.0.SNAPSHOT
\ No newline at end of file
diff --git a/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc b/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc
index bf15f54c3..77f3f3452 100644
--- a/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc
+++ b/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc
@@ -23,8 +23,8 @@ website. The following items are supported in WebWolf:
 * Receiving email
 * Landing page for incoming requests
-WebWolf runs as a separate web application and is started automatically when using the Docker image. If you
-are not using the Docker image you will need to download the jar file and start it:
+WebWolf runs as a separate web application. If you are using the Docker-compose file you can just point your browser webWolfLink:here[] to open WebWolf.
+If you want to use the standalone version, you will need to download the jar file and start it:
 ```
 java -jar webwolf-<>.jar [--server.port=9090] [--server.address=localhost]
@@ -33,17 +33,7 @@ java -jar webwolf-<>.jar [--server.port=9090] [--server.address=localho
 By default WebWolf starts on port 9090 with `--server.port` you can specify a different port. With `server.address` you can bind it to a different address (default localhost)
-WebWolf is also available as a Docker container, because it shares the database with WebGoat we first need
-to find out the ip address of the Docker container.
-
-```
-WEBGOAT_SERVER_ADDRESS=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" `docker ps | grep webgoat | awk '{print $1}'`)
-docker pull webgoat/webwolf
-docker run -e webgoat.server.address=${WEBGOAT_SERVER_ADDRESS} -it -p 9090:9090 webgoat/webwolf /home/webwolf/run.sh
-```
-
-Note: if you start WebGoat as standalone application you need to start WebWolf as standalone application as well. If
-you start WebGoat as Docker container you need to start WebWolf as Docker container as well.
+Note: if you start WebGoat as standalone application you need to start WebWolf as standalone application as well.
 This will start the application on port 9090, click webWolfLink:here[] to open WebWolf.
diff --git a/webgoat-lessons/xxe/pom.xml b/webgoat-lessons/xxe/pom.xml
index 4351432b6..781f2cc36 100644
--- a/webgoat-lessons/xxe/pom.xml
+++ b/webgoat-lessons/xxe/pom.xml
@@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent
- v8.0.0.M20
+ v8.0.0.SNAPSHOT
diff --git a/webgoat-server/Dockerfile b/webgoat-server/Dockerfile
index 85562dba0..c5b43c961 100644
--- a/webgoat-server/Dockerfile
+++ b/webgoat-server/Dockerfile
@@ -10,5 +10,4 @@ USER webgoat
 RUN cd /home/webgoat/; mkdir -p .webgoat-${webgoat_version}
 COPY target/webgoat-server-${webgoat_version}.jar /home/webgoat/webgoat.jar
-ENTRYPOINT ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar", "/home/webgoat/webgoat.jar", "--server.address=0.0.0.0"]
 EXPOSE 8080
\ No newline at end of file
diff --git a/webgoat-server/pom.xml b/webgoat-server/pom.xml
index 2f4447c55..af9f6c6c1 100644
--- a/webgoat-server/pom.xml
+++ b/webgoat-server/pom.xml
@@ -6,7 +6,7 @@ org.owasp.webgoat webgoat-parent
- v8.0.0.M20
+ v8.0.0.SNAPSHOT
diff --git a/webgoat-server/src/main/java/org/owasp/webgoat/HSQLDBDatabaseConfig.java b/webgoat-server/src/main/java/org/owasp/webgoat/HSQLDBDatabaseConfig.java
index fe42f1c97..adcac776b 100644
--- a/webgoat-server/src/main/java/org/owasp/webgoat/HSQLDBDatabaseConfig.java
+++ b/webgoat-server/src/main/java/org/owasp/webgoat/HSQLDBDatabaseConfig.java
@@ -1,5 +1,6 @@
 package org.owasp.webgoat;
+import lombok.extern.slf4j.Slf4j;
 import org.hsqldb.server.Server;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
@@ -17,6 +18,7 @@ import javax.sql.DataSource;
 * JVM. This can only be done if you start a standalone HSQLDB. We need both WebWolf and WebGoat to use the same database
 */
 @Configuration
+@Slf4j
 @ConditionalOnProperty(prefix = "webgoat.start", name = "hsqldb", havingValue = "true")
 public class HSQLDBDatabaseConfig {
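Review bot: Dropping the `ENTRYPOINT` line leaves the image with no default command of its own (no `CMD` replaces it in the hunk, and whatever the base image supplies is not visible here), so a plain `docker run` of the image no longer starts WebGoat; only the compose files, which each repeat the full `java -Djava.security.egd=file:/dev/./urandom -jar /home/webgoat/webgoat.jar …` line as `command`, can launch it. Keeping the launch line in the image as `CMD ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar", "/home/webgoat/webgoat.jar", "--server.address=0.0.0.0"]` preserves standalone use while still letting compose override it where it needs a different port or datasource URL. The `scripts/start.sh` added in this commit is not copied into the image by this hunk either, so if it is meant to become the entrypoint a `COPY` is still missing. The webwolf/Dockerfile hunk further down removes its `ENTRYPOINT` in the same way.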
@@ -27,7 +29,7 @@ public class HSQLDBDatabaseConfig {
 public Server hsqlStandalone(@Value("${webgoat.server.directory}") String directory,
 @Value("${hsqldb.silent:true}") boolean silent,
 @Value("${hsqldb.trace:false}") boolean trace) {
-
+ log.info("Starting internal database on port {} ...", hsqldbPort);
 Server server = new Server();
 server.setDatabaseName(0, "webgoat");
 server.setDatabasePath(0, directory + "/data/webgoat");
diff --git a/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java b/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java
index 34bde941a..473114c0e 100644
--- a/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java
+++ b/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java
@@ -24,17 +24,22 @@
 */
 package org.owasp.webgoat;
+import lombok.extern.slf4j.Slf4j;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 /**
+ * Main entry point, this project is here to get all the lesson jars included to the final jar file
+ *
 * @author nbaars
 * @date 2/21/17
 */
 @SpringBootApplication
+@Slf4j
 public class StartWebGoat {
 public static void main(String[] args) {
+ log.info("Starting WebGoat with args: {}", args);
 SpringApplication.run(WebGoat.class, args);
 }
 }
diff --git a/webwolf/Dockerfile b/webwolf/Dockerfile
index 060f6ee9a..2cdb1e708 100644
--- a/webwolf/Dockerfile
+++ b/webwolf/Dockerfile
@@ -9,6 +9,4 @@ RUN \
 USER webwolf
 COPY target/webwolf-${webwolf_version}.jar /home/webwolf/webwolf.jar
-ENTRYPOINT ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar", "/home/webwolf/webwolf.jar", "--server.port=9090", "--server.address=0.0.0.0"]
-
 EXPOSE 9090
diff --git a/webwolf/pom.xml b/webwolf/pom.xml
index 8bcddea79..bc2d30f0a 100644
--- a/webwolf/pom.xml
+++ b/webwolf/pom.xml
@@ -6,7 +6,7 @@ org.owasp.webgoat webgoat-parent
- v8.0.0.M20
+ v8.0.0.SNAPSHOT
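Review bot: `log.info("Starting WebGoat with args: {}", args)` hands the `String[]` directly to SLF4J's `Object...` parameter, so javac binds it as the varargs array itself (with a "non-varargs call of varargs method with inexact argument type" warning): the single `{}` is filled with `args[0]` only, the remaining arguments are silently dropped, and an empty array leaves the placeholder unfilled. Rendering the array as one argument fixes the output: `log.info("Starting WebGoat with args: {}", Arrays.toString(args));` together with `import java.util.Arrays;`. Worth weighing before doing so: the compose files on this page pass datasource settings on the command line, so logging every argument at INFO would write any `--spring.datasource.password=…` style value into the log; logging only the argument count, or masking values whose key contains `password`, avoids that.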