Startup scripts, changes to make offbyone more sequential

git-svn-id: http://webgoat.googlecode.com/svn/trunk@446 4033779f-a91e-0410-96ef-6bf7bf53c507
2012-04-21 17:18:08 +00:00
parent 8066774fd4
commit 3d0af3143e
9 changed files with 230 additions and 84 deletions
--- a/webgoat/README.txt
+++ b/webgoat/README.txt
@ -73,6 +73,7 @@ delete artifacts from previous build:
 Building the Eclipse project files
 ----------------------------------

+> mvn eclipse:clean
 > mvn eclipse:eclipse

 Afterward the project can be imported within Eclipse:
--- a/webgoat/build.xml
+++ b/webgoat/build.xml
@ -54,14 +54,21 @@
 			     project is bound to this path.
 -->

-  <property name="app.home"    		   value="${basedir}/project"/>
-  <property name="app.name"    		   value="WebGoat"/>	<!-- MUST BE CONSISTENT WITH project/build.xml! -->
-  <property name="app.version"    		   value="5.1"/>		<!-- MUST BE CONSISTENT WITH project/build.xml! -->
-  <property name="catalina.home" 		   value="${basedir}/tomcat"/>
-  <property name="dist.home"     		   value="${app.home}/dist"/>
-  <property name="dist.owasp"     		   value="${app.home}/owasp_distributions"/>
-  <property name="install.home"     	   value="WebGoat-${app.version}"/>
+  	<property name="app.home"    		   value="${basedir}"/>
+  	<property name="app.name"    		   value="WebGoat"/>	<!-- MUST BE CONSISTENT WITH src/main/build.xml! -->
+  	<property name="app.version"    		   value="5.4"/>		<!-- MUST BE CONSISTENT WITH src/main/build.xml! -->
+  	<property name="catalina.home" 		   value="${basedir}/../apache-tomcat-7.0.27"/>
+  	<property name="dist.home"     		   value="${app.home}/dist"/>
+  	<property name="dist.owasp"     		   value="${app.home}/owasp_distributions"/>
+  	<property name="install.home"     	   value="WebGoat-${app.version}"/>
+  	<property name="maven.war"     	   value="${basedir}/target/webgoat-5.4-SNAPSHOT.war"/> <!-- UPDATE THIS! -->
+	<property name="maven.target"     	   value="${basedir}/target/webgoat-5.4-SNAPSHOT"/> <!-- UPDATE THIS! -->
+	 <property name="java32.home"     	   value="C:/Program Files (x86)/Java/jre7"/> <!-- UPDATE THIS! -->
+	 <property name="java64.home"     	   value="C:/Program Files/Java/jdk1.6.0_26"/> <!-- UPDATE THIS! -->
+	 <property name="tomcat32.home"     	   value="C:/RTC/WebGoat/apache-tomcat-7.0.27-x86/"/> <!-- UPDATE THIS! -->
+	 <property name="tomcat64.home"     	   value="C:/RTC/WebGoat/apache-tomcat-7.0.27"/> <!-- UPDATE THIS! -->

+	
 <!-- ==================== Clean Target ==================================== -->

 <!--
@ -90,47 +97,6 @@
 	<mkdir dir="${dist.owasp}"/>
  </target>

-<!-- ==================== Compile Target ===================================== -->
-	
-  <target name="compile" depends="Compile-WebGoat"
-	description="Build all dependency applications">
-  </target>
-
-  <target name="Compile-WebGoat"
-	description="Build the WebGoat application">
-		<ant dir="${app.home}" target="BuildWar" inheritAll="false"/>
-  </target>
-
-<!--
-  <target name="DELETE_ME_Compile-WebGoat-Unix"
-	description="Build the WebGoat application">
-		<ant dir="${app.home}" target="BuildUnixWar" inheritAll="false"/>
-  </target>
-->
-	
-  <target name="Compile-WebGoat-LAB"
-	description="Build the WebGoat application">
-		<ant dir="${app.home}" inheritAll="false">
-			<target name="-WebGoatPropertiesLAB"/>
-			<target name="BuildWar"/>
-		</ant>
-  </target>
-
-  <target name="Compile-WebGoat-Class"
-	description="Build the WebGoat application">
-		<ant dir="${app.home}" inheritAll="false">
-			<target name="-WebGoatPropertiesClass"/>
-			<target name="BuildWar"/>
-		</ant>
-  </target>
-
-  <target name="Compile-WebGoat-OWASP"
-	description="Build the WebGoat application">
-		<ant dir="${app.home}" inheritAll="false">
-			<target name="-WebGoatPropertiesOWASP"/>
-			<target name="BuildWar"/>
-		</ant>
-  </target>

 <!-- ==================== Dist Target ===================================== -->

@ -143,8 +109,27 @@
    dependencies) will have been assembled
 -->

-  
-  <target name="ZipProject"
+	  <target name="DeployWar32" 
+	   	description="Copy existing war to Tomcat - Does not rebuild">
+
+	    <!-- Install war to Tomcat -->
+	    <delete dir="${tomcat32.home}/webapps/${app.name}"/>
+	    <delete file="${tomcat32.home}/webapps/${app.name}.war"/>
+	    <copy file="${maven.war}" tofile="${tomcat32.home}/webapps/${app.name}.war"/>
+		 
+	  </target> 
+	  <target name="DeployWar64" 
+	   	description="Copy existing war to Tomcat - Does not rebuild">
+
+	    <!-- Install war to Tomcat -->
+	    <delete dir="${tomcat64.home}/webapps/${app.name}"/>
+	    <delete file="${tomcat65.home}/webapps/${app.name}.war"/>
+	    <copy file="${maven.war}" tofile="${catalina.home}/webapps/${app.name}.war"/>
+		 
+	  </target> 
+	
+
+  <target name="ZipProject-Win64"
   	description="Create a zip archive of all Eclipse project files from C:\WebGoatClassCD">

 		<!-- Put a copy of the keystore into the WTP dynamic deployment area -->
@ -155,23 +140,12 @@
 		   	includes="project/.project, project/.classpath, project/.settings/**, workspace/**"/>		
  </target> 

-
-  <target name="DeployWar" 
-   	description="Copy existing war to Tomcat - Does not rebuild">
-
-    <!-- Install war to Tomcat -->
-    <delete dir="${catalina.home}/webapps/${app.name}"/>
-    <delete file="${catalina.home}/webapps/${app.name}.war"/>
-    <copy file="${app.home}/dist/${app.name}-${app.version}.war" tofile="${catalina.home}/webapps/${app.name}.war"/>
-	 
-  </target> 
-	
-
+ 
 	<!--Build patch release -->
-	<target name="BuildPatch_release" depends="clean, compile"
+	<target name="BuildPatch_release" depends="clean"
 	   description="Creates patch release of class files for WebGoat"> 
 		<zip destfile="${dist.home}/${app.name}-${app.version}_patch.zip">
-	    		<zipfileset dir="build/WEB-INF/classes" prefix="WEB-INF/classes"/>
+	    		<zipfileset dir="${maven.target}/WEB-INF/classes" prefix="WEB-INF/classes"/>
 			<zipfileset dir="." includes="readme_patch.txt"/>
 		</zip>
 	</target>
@ -236,18 +210,26 @@
 		</zip>
 	</target> 	

-	<target name="Build_OWASP_Standard_Release" depends="clean"
+	<target name="Build_OWASP_Standard_Release_32" depends="clean"
+			description="Builds WebGoat OWASP release">
+		<antcall target="DeployWar32"> </antcall> 
+		<!-- Build the CD image -->
+		<zip destfile="${dist.home}/${ant.project.name}-OWASP_Standard_32-${app.version}.zip">
+			<zipfileset dir="." prefix="${install.home}"
+				includes=", READ*.txt, webgoat.*, webgoat_8080.*"
+				excludes=".*, .settings/**,dist/**, owasp_distributions/**, bin/**, build/**"/>
+			<zipfileset dir="${java32.home}" prefix="${install.home}/java"/>
+			<zipfileset dir="${tomcat32.home}" prefix="${install.home}/tomcat"/>
+		</zip>
+	</target> 	
+	
+	<target name="Build_OWASP_Standard_Release_64" depends="clean"
 			description="Builds WebGoat OWASP release">
-		<!-- Build the WebGoat WAR with the desired properties file -->
-		<ant dir="${app.home}" inheritAll="false">
-			<target name="WebGoatPropertiesOWASP"/>
-			<target name="BuildWar"/>
-		</ant>
 		<antcall target="DeployWar"> </antcall> 
 		<!-- Build the CD image -->
-		<zip destfile="${dist.home}/${ant.project.name}-OWASP_Standard-${app.version}.zip">
+		<zip destfile="${dist.home}/${ant.project.name}-OWASP_Standard_64-${app.version}.zip">
 			<zipfileset dir="." prefix="${install.home}"
-				includes="java/, tomcat/, read*.txt, webgoat.bat, webgoat_8080.bat"
+				includes="java/, tomcat/, read*.txt, webgoat.*, webgoat_8080.*"
 				excludes="project/.*, project/.settings/**, project/dist/**, project/owasp_distributions/**, project/bin/**, project/build/**"/>
 		</zip>
 	</target> 	
--- a/webgoat/pom.xml
+++ b/webgoat/pom.xml
@ -4,7 +4,7 @@
 	<groupId>webgoat</groupId>
 	<artifactId>webgoat</artifactId>
 	<packaging>war</packaging>
-	<version>5.41-SNAPSHOT</version>
+	<version>5.4-SNAPSHOT</version>
 	
 	<repositories>
 		<repository>
--- a/webgoat/src/main/java/org/owasp/webgoat/lessons/OffByOne.java
+++ b/webgoat/src/main/java/org/owasp/webgoat/lessons/OffByOne.java
@ -130,6 +130,8 @@ public class OffByOne extends LessonAdapter
 		hints.add("See which fields during the registration process, allow for really long input to be submitted.");
 		hints.add("Check for hidden form fields during registration");
 		hints.add("Typically, web-based buffer overflows occur just above the value of 2 to the power of a number. E.g. 1024 + 1, 2048 + 1, 4096 + 1");
+		hints.add("Overflow the room number field with 4096+1 characters and look for hidden fields");
+		hints.add("Enter the VIP name in the first and last naem fields");
 		return hints;
 	}

@ -405,7 +407,9 @@ public class OffByOne extends LessonAdapter
 	private Element makeThirdStep(WebSession s)
 	{
 		ElementContainer ec = new ElementContainer();
-		String param = "";
+		String param1 = "";
+		String param2 = "";
+		String param3 = "";

 		// Header
 		ec.addElement(new StringElement("You have now completed the 2 step process and have access to the Internet"));
@ -453,23 +457,23 @@ public class OffByOne extends LessonAdapter
 		ec.addElement("\r\n");

 		// Hidden Form Fields
-		param = s.getParser().getStringParameter(LAST_NAME, "");
-		Input input = new Input(Input.HIDDEN, "a", param);
+		param1 = s.getParser().getStringParameter(LAST_NAME, "");
+		Input input = new Input(Input.HIDDEN, "a", param1);
 		ec.addElement(input);
 		ec.addElement("\r\n");

-		param = s.getParser().getStringParameter(FIRST_NAME, "");
-		input = new Input(Input.HIDDEN, "b", param);
+		param2 = s.getParser().getStringParameter(FIRST_NAME, "");
+		input = new Input(Input.HIDDEN, "b", param2);
 		ec.addElement(input);
 		ec.addElement("\r\n");

-		param = s.getParser().getStringParameter(ROOM_NUMBER, "");
-		input = new Input(Input.HIDDEN, "c", param);
+		param3 = s.getParser().getStringParameter(ROOM_NUMBER, "");
+		input = new Input(Input.HIDDEN, "c", param3);
 		ec.addElement(input);
 		ec.addElement("\r\n");

 		// And finally the check...
-		if(param.length() > 4096)
+		if(param3.length() > 4096)
 		{
 			ec.addElement(new Input(Input.hidden, "d", "Johnathan"));
 			ec.addElement("\r\n");
@ -498,9 +502,18 @@ public class OffByOne extends LessonAdapter
 			ec.addElement("\r\n");
 			ec.addElement(new Input(Input.hidden, "o", "9901"));
 			ec.addElement("\r\n");
-			// :)
-			makeSuccess(s);

+			s.setMessage("To complete the lesson, restart lesson and enter VIP first/last name");
+
+		}
+		if (("Johnathan".equalsIgnoreCase(param2) || "John".equalsIgnoreCase(param2)
+				|| "Ana".equalsIgnoreCase(param2) ||"Lewis".equalsIgnoreCase(param2))
+				&& ("Ravern".equalsIgnoreCase(param1) || "Smith".equalsIgnoreCase(param1)
+						|| "Arneta".equalsIgnoreCase(param1) ||"Hamilton".equalsIgnoreCase(param1)))
+		{
+			// :)
+			// Allows for mixed VIP names, but that's not really the point
+			makeSuccess(s);
 		}
 		
 		// Footer
@ -510,7 +523,6 @@ public class OffByOne extends LessonAdapter
 		ec.addElement(new br());
 		ec.addElement(new br());
 		
-		
 		return ec;
 	}
 		
--- a/webgoat/webgoat
+++ b/webgoat/webgoat
@ -0,0 +1,34 @@
+@echo on
+
+
+@REM Clear the lib env var as it can hose tomcat
+SET lib= 
+
+@REM Make sure the webgoat DB is writable
+attrib -R .\tomcat\webapps\WebGoat\database\*.*
+
+@REM Set env vars for tomcat and java, use PWD as some machines don't have
+@REM \. on their path
+set PWD=%cd%
+set CATALINA_HOME=%PWD%\tomcat
+set JAVA_HOME=%PWD%\java
+
+@REM Configure environment variables to override web.xml
+SET DatabaseDriver=net.sourceforge.jtds.jdbc.Driver
+SET DatabaseConnectionString=jdbc:jtds:sqlserver://./webgoat;namedPipe=true;INSTANCE=WEBGOAT
+SET DatabaseUser=webgoat
+SET DtabasePassword=_webgoat
+
+delete .\tomcat\conf\server.xml
+copy .\tomcat\conf\server_80.xml .\tomcat\conf\server.xml
+
+@REM Run tomcat: must have quotes incase var has spaces in it
+call "%CATALINA_HOME%\bin\startup.bat" start
+
+echo 
+echo If the Tomcat DOS shell quit immediately, it is likely that 
+echo there is another service listening on port 80.
+echo
+
+
+
--- a/webgoat/webgoat.bat
+++ b/webgoat/webgoat.bat
@ -0,0 +1,25 @@
+@echo on
+
+
+@REM Clear the lib env var as it can hose tomcat
+SET lib= 
+
+@REM Make sure the webgoat DB is writable
+attrib -R .\tomcat\webapps\WebGoat\database\*.*
+
+@REM Set env vars for tomcat and java, use PWD as some machines don't have
+@REM \. on their path
+set PWD=%cd%
+set CATALINA_HOME=%PWD%\tomcat
+set JAVA_HOME=%PWD%\java
+
+delete .\tomcat\conf\server.xml
+copy .\tomcat\conf\server_80.xml .\tomcat\conf\server.xml
+
+@REM Run tomcat: must have quotes incase var has spaces in it
+call "%CATALINA_HOME%\bin\startup.bat" start
+
+echo 
+echo If the Tomcat DOS shell quit immediately, it is likely that 
+echo there is another service listening on port 80.
+echo
--- a/webgoat/webgoat.sh
+++ b/webgoat/webgoat.sh
@ -0,0 +1,60 @@
+#! /bin/sh
+
+SYSTEM=`uname -s`
+CATALINA_HOME=./tomcat
+PATH=${PATH}:./tomcat/bin
+export CATALINA_HOME PATH
+
+chmod +x ./$CATALINA_HOME/bin/*.sh
+if [ $SYSTEM = "Darwin" ]; then
+        JAVA_HOME=/System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home
+        export JAVA_HOME
+
+else
+
+is_java_1dot5() {
+        if [ "X$JAVA_HOME" != "X" -a -d $JAVA_HOME ]; then
+                $JAVA_HOME/bin/java -version 2>&1 | grep 'version \"1.5' >/dev/null
+                if [ $? -ne 0 ]; then
+                        echo "The JVM in \$JAVA_HOME isn't version 1.5."
+                        exit 1
+                fi
+        else
+                echo "Please set JAVA_HOME to a Java 1.5 JDK install"
+                exit 1
+        fi
+}
+
+is_java_1dot5
+
+fi
+
+case "$1" in
+	start80)
+		cp -f $CATALINA_HOME/conf/server_80.xml $CATALINA_HOME/conf/server.xml 
+		$CATALINA_HOME/bin/startup.sh
+		printf "\n  Open http://127.0.0.1/WebGoat/attack"
+		printf "\n  Username: guest"
+		printf "\n  Password: guest"
+		printf "\n  Or try http://guest:guest@127.0.0.1/WebGoat/attack \n\n\r"
+		sleep 2
+		tail -f $CATALINA_HOME/logs/catalina.out
+	;;
+	start8080)
+		cp -f $CATALINA_HOME/conf/server_8080.xml $CATALINA_HOME/conf/server.xml 
+		$CATALINA_HOME/bin/startup.sh
+		printf "\n  Open http://127.0.0.1:8080/WebGoat/attack"
+		printf "\n  Username: guest"
+		printf "\n  Password: guest"
+		printf "\n  Or try http://guest:guest@127.0.0.1:8080/WebGoat/attack \n\n\r"
+		sleep 2
+		tail -f $CATALINA_HOME/logs/catalina.out
+	;;
+	stop)
+		$CATALINA_HOME/bin/shutdown.sh
+	;;
+	*)
+		echo $"Usage: $prog {start8080|start80|stop}"
+		exit 1
+	;;
+esac
--- a/webgoat/webgoat_8080.bat
+++ b/webgoat/webgoat_8080.bat
@ -0,0 +1,25 @@
+@echo on
+
+
+@REM Clear the lib env var as it can hose tomcat
+SET lib= 
+
+@REM Make sure the webgoat DB is writable
+attrib -R .\tomcat\webapps\WebGoat\database\*.*
+
+@REM Set env vars for tomcat and java, use PWD as some machines don't have
+@REM \. on their path
+set PWD=%cd%
+set CATALINA_HOME=%PWD%\tomcat
+set JAVA_HOME=%PWD%\java
+
+delete .\tomcat\conf\server.xml
+copy .\tomcat\conf\server_8080.xml .\tomcat\conf\server.xml
+
+@REM Run tomcat: must have quotes incase var has spaces in it
+call "%CATALINA_HOME%\bin\startup.bat" start
+
+echo 
+echo If the Tomcat DOS shell quit immediately, it is likely that 
+echo there is another service listening on port 80.
+echo
--- a/webgoat/webscarab.bat
+++ b/webgoat/webscarab.bat
@ -0,0 +1,7 @@
+@echo off
+
+
+@REM Run webscarab
+@REM    - Assumes webscarab.properties file is in webscarab directory
+cd webscarab
+..\java\bin\javaw -Duser.home=.\ -jar webscarab.jar