diff --git a/webgoat/main/project/WebContent/lesson_plans/TomcatSetup.html b/webgoat/main/project/WebContent/lesson_plans/TomcatSetup.html new file mode 100644 index 000000000..7947da6b3 --- /dev/null +++ b/webgoat/main/project/WebContent/lesson_plans/TomcatSetup.html @@ -0,0 +1,101 @@ + +
WebGoat comes with a sane default setup for Tomcat. This page will explain the setup +and which further possibilites you have to setup Tomcat. This is just +a short description which should be enough in most cases. For more advanced tasks please +refer to the Tomcat documentation. Please note that all solutions +are written for the standard setup on port 80. If you use another configuration you have +to ajust the solution to your configuration.
+ +There are two standard Tomcat setups. In this setups WebGoat is only reachable from within + the localhost. + Both are identically with the only difference + that one is running on port 80 and 443 (SSL) and the other on 8080 and 8443. In Linux you have + to start WebGoat as root or with sudo if you want to run it on port 80 and + 443. + As running software as root is dangerous we strongly advice to use +the port 8080 and 8443. In Windows you can +run WebGoat.bat to run it on port 80 and WebGoat_8080.bat to run it on port 8080. In Linux you +can use webgoat.sh and run it with webgoat.sh start80 or wegoat.sh start8080. The user in these +setups is guest with password guest +
+ ++If you are a single user of WebGoat the standard setups should be +enough but if you want to use WebGoat in laboratory or in class there +might bee the need to change the configuration. Before changing +the configurations we recommend doing a backup of the files you change. +
+ ++To change the ports open the server_80.xml which you find in tomcat/conf and change the +non-SSL port. If you want to use it on port 8079 for example: +
+ ++ <!-- Define a non-SSL HTTP/1.1 Connector on port 8079 --> + <Connector address="127.0.0.1" port="8079"... ++
+You can also change the SSL connector to another port of course. +In this example to port 8442: +
++ <!-- Define a SSL HTTP/1.1 Connector on port 8442 --> + <Connector address="127.0.0.1" port="8442"... ++ +
THIS MAKES IT POSSIBLE TO REALLY ATTACK YOUR SERVER! DO NOT DO THIS + UNTIL YOU KNOW WHAT YOU ARE DOING. THIS CONFIGURATION SHOULD BE ONLY USED IN +SAVE NETWORKS!
+By its default configuration WebGoat is only +reachable within the localhost. In a laboratory or a class +there is maybe the need of having a server and a few clients. +In this case it is possible to make WebGoat reachable. +
+The reason why WebGoat is only reachable within the localhost is +the parameter address in the connectors in server_80.xml. It is set +to 127.0.0.1. The applications only listens on the port of this address for +incoming connections if it is set. If you remove this parameter the server listens on all IPs on the +specific port.
+ ++If you have made WebGoat reachable it is reachable for +all clients. If you want to make it reachable only for certain clients specified +by there IP you can archive this by using a 'Remote Address Filter'. +The filter can be set in a whitebox or blackbox approach. Here is +only discussed the whitebox approach. You have to add following lines to the Host section of web_80.xml: +
++ <Valve className="org.apache.catalina.valves.RemoteAddrValve" + allow="127.0.0.1,ip1,ip2"/> ++
In this case only localhost, ip1 and ip2 are permitted to connect.
+ ++Usually using WebGoat you just use the user guest with the password guest. +But maybe in laboratory you have made a configuration with one server and a lot of +clients. In this case you might want to have a user for every client + and you have to alter tomcat-users.xml +in tomcat/conf as the users are stored there. We recommend not to use real passwords +as the passwords are stored in plain text in this file! +
++Adding a user is straight forward. You can use the guest entry as an example. The added +users should have the same role as the guest user. Add lines like this to the file: +
++ <user name="user1" password="password1" roles="webgoat_user"/> + <user name="user2" password="password2" roles="webgoat_user"/> + ... ++ + \ No newline at end of file
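Review bot: the Remote Address Filter paragraph tells the reader to add the Valve to "the Host section of web_80.xml", but every other instruction in this file points at server_80.xml in tomcat/conf, and the <Valve className="org.apache.catalina.valves.RemoteAddrValve" .../> element belongs inside the <Host> of that server configuration; change the file name to server_80.xml so readers are not sent to a file the page never introduces. In the same snippet, the allow attribute of RemoteAddrValve is interpreted as regular expressions, so the literal addresses should have their dots escaped (allow="127\.0\.0\.1,ip1,ip2"), and the text should say that ip1 and ip2 are to be written the same way; the unescaped form happens to work for dotted-quad addresses, but the escaped form is what the Tomcat documentation shows and is what readers will copy when they extend the list. In the "make WebGoat reachable" paragraph, the advice is to remove the address parameter from the connectors, which makes the server listen on every interface; since the stated use case is a lab with one server and a few clients, it would be safer to suggest setting address to the IP of the lab interface instead of deleting it, keeping removal as the fallback, and to state explicitly that the change has to be made on both the non-SSL and the SSL connector. The port advice is also inconsistent for Linux users: the introduction says all solutions are written for port 80, while the next paragraph strongly advises 8080 and 8443 because port 80 needs root; say in one place that the solutions apply unchanged apart from the port number. The user-management section could mention that Tomcat can store digested passwords via the digest attribute of the Realm, which addresses the plain-text warning rather than only restating it. Finally, the file ships with typos every user will see (possibilites, ajust, bee, archive for achieve, there for their, SAVE NETWORKS for SAFE, advice for advise, wegoat.sh for webgoat.sh, "Both are identically" for identical); worth a proofreading pass before merging.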