Startup scripts, changes to make offbyone more sequential

git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@446 4033779f-a91e-0410-96ef-6bf7bf53c507
mayhew64@gmail.com 2012-04-21 17:18:08 +00:00
parent 5f786e77a6
commit 40329271eb
9 changed files with 230 additions and 84 deletions


@ -73,6 +73,7 @@ delete artifacts from previous build:
Building the Eclipse project files
----------------------------------
> mvn eclipse:clean
> mvn eclipse:eclipse
Afterward the project can be imported within Eclipse:

126
build.xml

@ -54,14 +54,21 @@
project is bound to this path.
-->
<property name="app.home" value="${basedir}/project"/>
<property name="app.name" value="WebGoat"/> <!-- MUST BE CONSISTENT WITH project/build.xml! -->
<property name="app.version" value="5.1"/> <!-- MUST BE CONSISTENT WITH project/build.xml! -->
<property name="catalina.home" value="${basedir}/tomcat"/>
<property name="dist.home" value="${app.home}/dist"/>
<property name="dist.owasp" value="${app.home}/owasp_distributions"/>
<property name="install.home" value="WebGoat-${app.version}"/>
<property name="app.home" value="${basedir}"/>
<property name="app.name" value="WebGoat"/> <!-- MUST BE CONSISTENT WITH src/main/build.xml! -->
<property name="app.version" value="5.4"/> <!-- MUST BE CONSISTENT WITH src/main/build.xml! -->
<property name="catalina.home" value="${basedir}/../apache-tomcat-7.0.27"/>
<property name="dist.home" value="${app.home}/dist"/>
<property name="dist.owasp" value="${app.home}/owasp_distributions"/>
<property name="install.home" value="WebGoat-${app.version}"/>
<property name="maven.war" value="${basedir}/target/webgoat-5.4-SNAPSHOT.war"/> <!-- UPDATE THIS! -->
<property name="maven.target" value="${basedir}/target/webgoat-5.4-SNAPSHOT"/> <!-- UPDATE THIS! -->
<property name="java32.home" value="C:/Program Files (x86)/Java/jre7"/> <!-- UPDATE THIS! -->
<property name="java64.home" value="C:/Program Files/Java/jdk1.6.0_26"/> <!-- UPDATE THIS! -->
<property name="tomcat32.home" value="C:/RTC/WebGoat/apache-tomcat-7.0.27-x86/"/> <!-- UPDATE THIS! -->
<property name="tomcat64.home" value="C:/RTC/WebGoat/apache-tomcat-7.0.27"/> <!-- UPDATE THIS! -->
<!-- ==================== Clean Target ==================================== -->
<!--
@ -90,47 +97,6 @@
<mkdir dir="${dist.owasp}"/>
</target>
<!-- ==================== Compile Target ===================================== -->
<target name="compile" depends="Compile-WebGoat"
description="Build all dependency applications">
</target>
<target name="Compile-WebGoat"
description="Build the WebGoat application">
<ant dir="${app.home}" target="BuildWar" inheritAll="false"/>
</target>
<!--
<target name="DELETE_ME_Compile-WebGoat-Unix"
description="Build the WebGoat application">
<ant dir="${app.home}" target="BuildUnixWar" inheritAll="false"/>
</target>
-->
<target name="Compile-WebGoat-LAB"
description="Build the WebGoat application">
<ant dir="${app.home}" inheritAll="false">
<target name="-WebGoatPropertiesLAB"/>
<target name="BuildWar"/>
</ant>
</target>
<target name="Compile-WebGoat-Class"
description="Build the WebGoat application">
<ant dir="${app.home}" inheritAll="false">
<target name="-WebGoatPropertiesClass"/>
<target name="BuildWar"/>
</ant>
</target>
<target name="Compile-WebGoat-OWASP"
description="Build the WebGoat application">
<ant dir="${app.home}" inheritAll="false">
<target name="-WebGoatPropertiesOWASP"/>
<target name="BuildWar"/>
</ant>
</target>
<!-- ==================== Dist Target ===================================== -->
@ -143,8 +109,27 @@
dependencies) will have been assembled
-->
<target name="ZipProject"
<target name="DeployWar32"
description="Copy existing war to Tomcat - Does not rebuild">
<!-- Install war to Tomcat -->
<delete dir="${tomcat32.home}/webapps/${app.name}"/>
<delete file="${tomcat32.home}/webapps/${app.name}.war"/>
<copy file="${maven.war}" tofile="${tomcat32.home}/webapps/${app.name}.war"/>
</target>
<target name="DeployWar64"
description="Copy existing war to Tomcat - Does not rebuild">
<!-- Install war to Tomcat -->
<delete dir="${tomcat64.home}/webapps/${app.name}"/>
<delete file="${tomcat65.home}/webapps/${app.name}.war"/>
<copy file="${maven.war}" tofile="${catalina.home}/webapps/${app.name}.war"/>
</target>
<target name="ZipProject-Win64"
description="Create a zip archive of all Eclipse project files from C:\WebGoatClassCD">
<!-- Put a copy of the keystore into the WTP dynamic deployment area -->
@ -155,23 +140,12 @@
includes="project/.project, project/.classpath, project/.settings/**, workspace/**"/>
</target>
<target name="DeployWar"
description="Copy existing war to Tomcat - Does not rebuild">
<!-- Install war to Tomcat -->
<delete dir="${catalina.home}/webapps/${app.name}"/>
<delete file="${catalina.home}/webapps/${app.name}.war"/>
<copy file="${app.home}/dist/${app.name}-${app.version}.war" tofile="${catalina.home}/webapps/${app.name}.war"/>
</target>
<!--Build patch release -->
<target name="BuildPatch_release" depends="clean, compile"
<target name="BuildPatch_release" depends="clean"
description="Creates patch release of class files for WebGoat">
<zip destfile="${dist.home}/${app.name}-${app.version}_patch.zip">
<zipfileset dir="build/WEB-INF/classes" prefix="WEB-INF/classes"/>
<zipfileset dir="${maven.target}/WEB-INF/classes" prefix="WEB-INF/classes"/>
<zipfileset dir="." includes="readme_patch.txt"/>
</zip>
</target>
@ -236,18 +210,26 @@
</zip>
</target>
<target name="Build_OWASP_Standard_Release" depends="clean"
<target name="Build_OWASP_Standard_Release_32" depends="clean"
description="Builds WebGoat OWASP release">
<antcall target="DeployWar32"> </antcall>
<!-- Build the CD image -->
<zip destfile="${dist.home}/${ant.project.name}-OWASP_Standard_32-${app.version}.zip">
<zipfileset dir="." prefix="${install.home}"
includes=", READ*.txt, webgoat.*, webgoat_8080.*"
excludes=".*, .settings/**,dist/**, owasp_distributions/**, bin/**, build/**"/>
<zipfileset dir="${java32.home}" prefix="${install.home}/java"/>
<zipfileset dir="${tomcat32.home}" prefix="${install.home}/tomcat"/>
</zip>
</target>
<target name="Build_OWASP_Standard_Release_64" depends="clean"
description="Builds WebGoat OWASP release">
<!-- Build the WebGoat WAR with the desired properties file -->
<ant dir="${app.home}" inheritAll="false">
<target name="WebGoatPropertiesOWASP"/>
<target name="BuildWar"/>
</ant>
<antcall target="DeployWar"> </antcall>
<!-- Build the CD image -->
<zip destfile="${dist.home}/${ant.project.name}-OWASP_Standard-${app.version}.zip">
<zip destfile="${dist.home}/${ant.project.name}-OWASP_Standard_64-${app.version}.zip">
<zipfileset dir="." prefix="${install.home}"
includes="java/, tomcat/, read*.txt, webgoat.bat, webgoat_8080.bat"
includes="java/, tomcat/, read*.txt, webgoat.*, webgoat_8080.*"
excludes="project/.*, project/.settings/**, project/dist/**, project/owasp_distributions/**, project/bin/**, project/build/**"/>
</zip>
</target>
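Review bot: In the new `DeployWar64` target the second delete references `${tomcat65.home}`, which is not among the properties added in the first hunk, and the copy writes to `${catalina.home}` rather than the 64-bit Tomcat. Ant leaves an undefined property reference unexpanded, so the old WAR under `${tomcat64.home}` is presumably neither removed nor replaced, and a stale build can keep being served. The two lines should read `<delete file="${tomcat64.home}/webapps/${app.name}.war"/>` and `<copy file="${maven.war}" tofile="${tomcat64.home}/webapps/${app.name}.war"/>`. Separately, `Build_OWASP_Standard_Release_32` zips whatever is installed at the machine-local `java32.home` and `tomcat32.home` paths, so a comment beside those properties stating the expected JRE and Tomcat versions would make the release contents auditable.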


@ -4,7 +4,7 @@
<groupId>webgoat</groupId>
<artifactId>webgoat</artifactId>
<packaging>war</packaging>
<version>5.41-SNAPSHOT</version>
<version>5.4-SNAPSHOT</version>
<repositories>
<repository>


@ -130,6 +130,8 @@ public class OffByOne extends LessonAdapter
hints.add("See which fields during the registration process, allow for really long input to be submitted.");
hints.add("Check for hidden form fields during registration");
hints.add("Typically, web-based buffer overflows occur just above the value of 2 to the power of a number. E.g. 1024 + 1, 2048 + 1, 4096 + 1");
hints.add("Overflow the room number field with 4096+1 characters and look for hidden fields");
hints.add("Enter the VIP name in the first and last naem fields");
return hints;
}
@ -405,7 +407,9 @@ public class OffByOne extends LessonAdapter
private Element makeThirdStep(WebSession s)
{
ElementContainer ec = new ElementContainer();
String param = "";
String param1 = "";
String param2 = "";
String param3 = "";
// Header
ec.addElement(new StringElement("You have now completed the 2 step process and have access to the Internet"));
@ -453,23 +457,23 @@ public class OffByOne extends LessonAdapter
ec.addElement("\r\n");
// Hidden Form Fields
param = s.getParser().getStringParameter(LAST_NAME, "");
Input input = new Input(Input.HIDDEN, "a", param);
param1 = s.getParser().getStringParameter(LAST_NAME, "");
Input input = new Input(Input.HIDDEN, "a", param1);
ec.addElement(input);
ec.addElement("\r\n");
param = s.getParser().getStringParameter(FIRST_NAME, "");
input = new Input(Input.HIDDEN, "b", param);
param2 = s.getParser().getStringParameter(FIRST_NAME, "");
input = new Input(Input.HIDDEN, "b", param2);
ec.addElement(input);
ec.addElement("\r\n");
param = s.getParser().getStringParameter(ROOM_NUMBER, "");
input = new Input(Input.HIDDEN, "c", param);
param3 = s.getParser().getStringParameter(ROOM_NUMBER, "");
input = new Input(Input.HIDDEN, "c", param3);
ec.addElement(input);
ec.addElement("\r\n");
// And finally the check...
if(param.length() > 4096)
if(param3.length() > 4096)
{
ec.addElement(new Input(Input.hidden, "d", "Johnathan"));
ec.addElement("\r\n");
@ -498,9 +502,18 @@ public class OffByOne extends LessonAdapter
ec.addElement("\r\n");
ec.addElement(new Input(Input.hidden, "o", "9901"));
ec.addElement("\r\n");
// :)
makeSuccess(s);
s.setMessage("To complete the lesson, restart lesson and enter VIP first/last name");
}
if (("Johnathan".equalsIgnoreCase(param2) || "John".equalsIgnoreCase(param2)
|| "Ana".equalsIgnoreCase(param2) ||"Lewis".equalsIgnoreCase(param2))
&& ("Ravern".equalsIgnoreCase(param1) || "Smith".equalsIgnoreCase(param1)
|| "Arneta".equalsIgnoreCase(param1) ||"Hamilton".equalsIgnoreCase(param1)))
{
// :)
// Allows for mixed VIP names, but that's not really the point
makeSuccess(s);
}
// Footer
@ -510,7 +523,6 @@ public class OffByOne extends LessonAdapter
ec.addElement(new br());
ec.addElement(new br());
return ec;
}
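Review bot: The new success check in `makeThirdStep` tests the first name and the last name against two independent lists, so a mixed combination (going by list order, for example John with Hamilton) completes the lesson; the in-code comment acknowledges this. Keeping the VIP first/last pairs in one table that both the hidden-field output and the check read would remove the duplicated literals and allow an exact pair match. The added hint also has a typo and should read `hints.add("Enter the VIP name in the first and last name fields");`. The method starts and ends outside the visible hunks, so the hidden-field values between them could not be compared with the lists.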


@ -0,0 +1,34 @@
@echo on
@REM Clear the lib env var as it can hose tomcat
SET lib=
@REM Make sure the webgoat DB is writable
attrib -R .\tomcat\webapps\WebGoat\database\*.*
@REM Set env vars for tomcat and java, use PWD as some machines don't have
@REM \. on their path
set PWD=%cd%
set CATALINA_HOME=%PWD%\tomcat
set JAVA_HOME=%PWD%\java
@REM Configure environment variables to override web.xml
SET DatabaseDriver=net.sourceforge.jtds.jdbc.Driver
SET DatabaseConnectionString=jdbc:jtds:sqlserver://./webgoat;namedPipe=true;INSTANCE=WEBGOAT
SET DatabaseUser=webgoat
SET DtabasePassword=_webgoat
delete .\tomcat\conf\server.xml
copy .\tomcat\conf\server_80.xml .\tomcat\conf\server.xml
@REM Run tomcat: must have quotes incase var has spaces in it
call "%CATALINA_HOME%\bin\startup.bat" start
echo
echo If the Tomcat DOS shell quit immediately, it is likely that
echo there is another service listening on port 80.
echo
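Review bot: `SET DtabasePassword=_webgoat` misspells the variable name, so if the application reads `DatabasePassword` (as the sibling `DatabaseUser` suggests) the override never applies; the line should be `SET DatabasePassword=<value>`. A database password committed in a startup script also travels wherever the script is copied, so it is better supplied by the operator's environment. `delete` is not a cmd.exe command, so `delete .\tomcat\conf\server.xml` fails with an unrecognised-command error and should be `del .\tomcat\conf\server.xml`; the same line appears in webgoat.bat and webgoat_8080.bat. A bare `echo` prints the echo state rather than a blank line, and `echo.` is the usual form.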

25
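--- /dev/null
+++ b/webgoat.bat
@@ -0,0 +1,25 @@
+@echo on
+@REM Clear the lib env var as it can hose tomcat
+SET lib=
+@REM Make sure the webgoat DB is writable
+attrib -R .\tomcat\webapps\WebGoat\database\*.*
+@REM Set env vars for tomcat and java, use PWD as some machines don't have
+@REM \. on their path
+set PWD=%cd%
+set CATALINA_HOME=%PWD%\tomcat
+set JAVA_HOME=%PWD%\java
+delete .\tomcat\conf\server.xml
+copy .\tomcat\conf\server_80.xml .\tomcat\conf\server.xml
+@REM Run tomcat: must have quotes incase var has spaces in it
+call "%CATALINA_HOME%\bin\startup.bat" start
+echo
+echo If the Tomcat DOS shell quit immediately, it is likely that
+echo there is another service listening on port 80.
+echo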

60
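--- /dev/null
+++ b/webgoat.sh
@@ -0,0 +1,60 @@
+#! /bin/sh
+SYSTEM=`uname -s`
+CATALINA_HOME=./tomcat
+PATH=${PATH}:./tomcat/bin
+export CATALINA_HOME PATH
+chmod +x ./$CATALINA_HOME/bin/*.sh
+if [ $SYSTEM = "Darwin" ]; then
+JAVA_HOME=/System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home
+export JAVA_HOME
+else
+is_java_1dot5() {
+if [ "X$JAVA_HOME" != "X" -a -d $JAVA_HOME ]; then
+$JAVA_HOME/bin/java -version 2>&1 | grep 'version \"1.5' >/dev/null
+if [ $? -ne 0 ]; then
+echo "The JVM in \$JAVA_HOME isn't version 1.5."
+exit 1
+fi
+else
+echo "Please set JAVA_HOME to a Java 1.5 JDK install"
+exit 1
+fi
+}
+is_java_1dot5
+fi
+case "$1" in
+start80)
+cp -f $CATALINA_HOME/conf/server_80.xml $CATALINA_HOME/conf/server.xml
+$CATALINA_HOME/bin/startup.sh
+printf "\n Open http://127.0.0.1/WebGoat/attack"
+printf "\n Username: guest"
+printf "\n Password: guest"
+printf "\n Or try http://guest:guest@127.0.0.1/WebGoat/attack \n\n\r"
+sleep 2
+tail -f $CATALINA_HOME/logs/catalina.out
+;;
+start8080)
+cp -f $CATALINA_HOME/conf/server_8080.xml $CATALINA_HOME/conf/server.xml
+$CATALINA_HOME/bin/startup.sh
+printf "\n Open http://127.0.0.1:8080/WebGoat/attack"
+printf "\n Username: guest"
+printf "\n Password: guest"
+printf "\n Or try http://guest:guest@127.0.0.1:8080/WebGoat/attack \n\n\r"
+sleep 2
+tail -f $CATALINA_HOME/logs/catalina.out
+;;
+stop)
+$CATALINA_HOME/bin/shutdown.sh
+;;
+*)
+echo $"Usage: $prog {start8080|start80|stop}"
+exit 1
+;;
+esac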
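Review bot: `CATALINA_HOME=./tomcat` and `PATH=${PATH}:./tomcat/bin` are relative to the caller's working directory, so the script runs whatever `tomcat/bin/startup.sh` exists under the directory it is invoked from rather than the one shipped beside it. Resolving the script's own location first, `CATALINA_HOME="$(cd "$(dirname "$0")" && pwd)/tomcat"`, together with `chmod +x "$CATALINA_HOME"/bin/*.sh` and quoted expansions on the `cp` and startup lines, would pin the paths and also tolerate spaces. The usage line combines the bash-only `$"..."` form with `#! /bin/sh` and a `$prog` that is never set; `echo "Usage: $0 {start8080|start80|stop}"` prints the intended text.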

25
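--- /dev/null
+++ b/webgoat_8080.bat
@@ -0,0 +1,25 @@
+@echo on
+@REM Clear the lib env var as it can hose tomcat
+SET lib=
+@REM Make sure the webgoat DB is writable
+attrib -R .\tomcat\webapps\WebGoat\database\*.*
+@REM Set env vars for tomcat and java, use PWD as some machines don't have
+@REM \. on their path
+set PWD=%cd%
+set CATALINA_HOME=%PWD%\tomcat
+set JAVA_HOME=%PWD%\java
+delete .\tomcat\conf\server.xml
+copy .\tomcat\conf\server_8080.xml .\tomcat\conf\server.xml
+@REM Run tomcat: must have quotes incase var has spaces in it
+call "%CATALINA_HOME%\bin\startup.bat" start
+echo
+echo If the Tomcat DOS shell quit immediately, it is likely that
+echo there is another service listening on port 80.
+echo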
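Review bot: The closing message names port 80 although this script installs `server_8080.xml`, which by its name configures port 8080. It should read `echo there is another service listening on port 8080.` so that a bind failure is diagnosed against the right port.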

7
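--- /dev/null
+++ b/webscarab.bat
@@ -0,0 +1,7 @@
+@echo off
+@REM Run webscarab
+@REM - Assumes webscarab.properties file is in webscarab directory
+cd webscarab
+..\java\bin\javaw -Duser.home=.\ -jar webscarab.jar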