-Welcome to a short introduction to WebGoat.
-Here you will learn how to use WebGoat and additional tools for the lessons.
+Welcome to a brief overview of WebGoat.
-WebGoat uses the Apache Tomcat server. It is configured to run on localhost although this can be -easily changed. This -configuration is for single user, additional users can be added in the tomcat-users.xml file. -If you want to use WebGoat in a laboratory or in -class you might need to change this setup. Please refer to the Tomcat Configuration -in the Introduction section.
+WebGoat uses the Apache Tomcat server but can run in any application server. It is configured to run on +localhost although this can be easily changed.
-
+
1. These are Lesson Categories in WebGoat. Click on a Category to see all Lessons in it.
-2. This will show technical hints to solve the lesson.
-3. This will show the HTTP Request Parameters
-4. This will show the HTTP Request Cookies
-5. This will show goals and objectives of the lesson.
-6. This will show the underlying Java source code.
-7. This will show the complete solution of the selected lesson.
-8. If you want to restart a lesson you can use this link.
Always start with the lessons plan. Then try to solve the lesson and if necessary, @@ -32,12 +26,48 @@ solution for complete details.
To read and edit Parameters you need a local proxy to intercept the HTTP request. -Here we use WebScarab. More information on WebScarab can be found in the "Useful Tools" Chapter. +Here we use OWASP ZAP. More information on ZAP can be found in the "Useful Tools" Chapter.
Often it is not only necessary to change the value of the parameters but to change the value of cookies. -WebScarab has functionality for this as well. +OWASP ZAP has functionality for this as well.
+ +
+WebGoat uses spring-security.xml to configure users.
+
+
+<!-- Authentication Manager --> +<authentication-manager alias="authenticationManager"> + <authentication-provider> + <user-service> + <user name="guest" password="guest" authorities="ROLE_WEBGOAT_USER" /> + <user name="webgoat" password="webgoat" authorities="ROLE_WEBGOAT_ADMIN" /> + <user name="server" password="server" authorities="ROLE_SERVER_ADMIN" /> + </user-service> + </authentication-provider> +</authentication-manager> ++ +
+Usually using WebGoat you just use the user guest with the password guest. +But maybe in laboratory you have made a setup with one server and a lot of +clients. In this case you might want to have a user for every client + and you have to alter /WEB-INF/spring-security.xml as the users are stored there. We recommend not to use real passwords +as the passwords are stored in plain text in this file! +
++Adding a user is straight forward. You can use the guest entry as an example. The added +users should have the same role as the guest user. The new user/password will not show on the login page. +Add lines like this to the file: +
++<user name="guest2" password="guest2" authorities="ROLE_WEBGOAT_USER" /> +... +diff --git a/src/main/webapp/lesson_plans/English/TomcatSetup.html b/src/main/webapp/lesson_plans/English/TomcatSetup.html index 79999b46d..66351b1ec 100644 --- a/src/main/webapp/lesson_plans/English/TomcatSetup.html +++ b/src/main/webapp/lesson_plans/English/TomcatSetup.html @@ -78,41 +78,6 @@ only discussed the whitebox approach. You have to add following lines to the Hos
In this case only localhost, ip1 and ip2 are permitted to connect.
-
-WebGoat uses spring-security.xml to configure users.
-
-
- <!-- Authentication Manager --> - <authentication-manager alias="authenticationManager"> - <authentication-provider> - <user-service> - <!-- TODO: credentials in the config - this isn't something I'm proud of - get rid of this ASAP --> - <user name="guest" password="guest" authorities="ROLE_WEBGOAT_USER" /> - <user name="webgoat" password="webgoat" authorities="ROLE_WEBGOAT_ADMIN" /> - <user name="server" password="server" authorities="ROLE_SERVER_ADMIN" /> - </user-service> - </authentication-provider> - </authentication-manager> -- -
-Usually using WebGoat you just use the user guest with the password guest. -But maybe in laboratory you have made a setup with one server and a lot of -clients. In this case you might want to have a user for every client - and you have to alter /WEB-INF/spring-security.xml as the users are stored there. We recommend not to use real passwords -as the passwords are stored in plain text in this file! -
--Adding a user is straight forward. You can use the guest entry as an example. The added -users should have the same role as the guest user. The new user/password will not show on the login page. -Add lines like this to the file: -
-- <user name="guest2" password="guest2" authorities="ROLE_WEBGOAT_USER" /> - ... -+ \ No newline at end of file