WEB-126 some additional grammer cleanup and tomcat configuration cleanup
This commit is contained in:
Bruce Mayhew
parent
63435393f8
commit
a0723fdbf5
@ -6,7 +6,7 @@ Welcome to a brief overview of WebGoat.<br>
|
||||
<h2>Environment Information</h2>
|
||||
<p>
|
||||
WebGoat uses the Apache Tomcat server but can run in any application server. It is configured to run on
|
||||
localhost although this can be easily changed, see the ""Tomcat Configuration"" section in the Introduction. </p>
|
||||
localhost although this can be easily changed, see the "Tomcat Configuration" section in the Introduction. </p>
|
||||
|
||||
<h2>The WebGoat Interface</h2>
|
||||
<p>
|
||||
|
||||
@ -5,20 +5,16 @@
|
||||
and other possible configurations for Tomcat. This is just
|
||||
a short description which should be enough in most cases. For more advanced tasks please
|
||||
refer to the Tomcat documentation. Please note that all solutions
|
||||
are written for the standard configurations on port 80. If you use another port you have
|
||||
are written for the standard configurations on port 80 or 8080. If you use another port you have
|
||||
to adjust the solution to your configuration.</p>
|
||||
|
||||
<h2>The Standard Configurations</h2>
|
||||
<p>There are two standard Tomcat configurations. In the basic configurations you use the server on your localhost.
|
||||
Both are identically with the only difference
|
||||
that in one tomcat is running on port 80 and 443 (SSL) and in the other tomcat is running on port 8080 and 8443. In Linux you have
|
||||
to start WebGoat as root or with sudo if you want to run it on port 80 and
|
||||
443.
|
||||
As running software as root is dangerous we strongly advice to use
|
||||
the port 8080 and 8443. In Windows you can
|
||||
run WebGoat.bat to run it on port 80 and WebGoat_8080.bat to run it on port 8080. In Linux you
|
||||
can use webgoat.sh and run it with webgoat.sh start80 or webgoat.sh start8080. The user in these
|
||||
configurations is guest with password guest
|
||||
<p>WebGoat has multiple ways of being run. The <a href="https://github.com/WebGoat/WebGoat/wiki/Installation-(WebGoat-6.0)">
|
||||
WebGoat Wiki</a> is the best place to find the latest configuration instructions.
|
||||
By default WebGoat will run on port 8080. In the basic configurations you use the server on your localhost.
|
||||
In Linux you have to start WebGoat as root or with sudo if you want to run it on port 80 and
|
||||
443. Running software as root is dangerous we strongly advice to use
|
||||
the port 8080 and 8443.
|
||||
</p>
|
||||
|
||||
<h2>Server Configurations</h2>
|
||||
@ -31,46 +27,47 @@ the configurations we recommend doing a backup of the files you change.
|
||||
|
||||
<h3>Change Ports</h3>
|
||||
<p>
|
||||
To change the ports open the server_80.xml which you find in tomcat/conf and change the
|
||||
non-SSL port. If you want to use it on port 8079 for example:
|
||||
To change the ports open Tomcat's server.xml which you find in tomcat/conf and change the
|
||||
non-SSL port. If you want to change your
|
||||
Tomcat server to use it on port 8079 for example:
|
||||
</p>
|
||||
|
||||
<pre>
|
||||
<!-- Define a non-SSL HTTP/1.1 Connector on port 8079 -->
|
||||
<Connector address="127.0.0.1" port="8079"...
|
||||
<!-- Define a non-SSL HTTP/1.1 Connector on port 8079 -->
|
||||
<Connector address="127.0.0.1" port="8079"...
|
||||
</pre>
|
||||
<p>
|
||||
You can also change the SSL connector to another port of course.
|
||||
In this example to port 8442:
|
||||
</p>
|
||||
<pre>
|
||||
<!-- Define a SSL HTTP/1.1 Connector on port 8442 -->
|
||||
<Connector address="127.0.0.1" port="8442"...
|
||||
<!-- Define a SSL HTTP/1.1 Connector on port 8442 -->
|
||||
<Connector address="127.0.0.1" port="8442"...
|
||||
</pre>
|
||||
</p>
|
||||
You can also modify WebGoat's pom.xml file to change the port. You will need to modify
|
||||
the tomcat7-maven-plugin plugin configuration.
|
||||
</p>
|
||||
<br>
|
||||
|
||||
<h3>Make WebGoat Reachable From Another Client</h3>
|
||||
<p>THIS MAKES IT POSSIBLE TO REALLY ATTACK YOUR SERVER! DO NOT DO THIS
|
||||
UNTIL YOU KNOW WHAT YOU ARE DOING. THIS CONFIGURATION SHOULD BE ONLY USED IN
|
||||
SAFE NETWORKS!</p>
|
||||
<p>By its default configurations WebGoat is only
|
||||
<p>By its default configuration, WebGoat is only
|
||||
reachable within the localhost. In a laboratory or a class
|
||||
there is maybe the need of having a server and a few clients.
|
||||
In this case it is possible to make WebGoat reachable.
|
||||
</p>
|
||||
<p>The reason why WebGoat is only reachable within the localhost is
|
||||
the parameter address in the connectors for the non-SSL and SSL connection in server_80.xml. It is set
|
||||
to 127.0.0.1. The applications only listens on the port of this address for
|
||||
incoming connections if it is set. If you remove this parameter the server listens on all IPs on the
|
||||
specific port.</p>
|
||||
|
||||
<h3>Permit Only Certain Clients Connection</h3>
|
||||
<h3>Permit Only Certain Client Connection</h3>
|
||||
<p>
|
||||
If you have made WebGoat reachable it is reachable for
|
||||
all clients. If you want to make it reachable only for certain clients specified
|
||||
by there IP you can archive this by using a 'Remote Address Filter'.
|
||||
by their IP you can archive this by using a 'Remote Address Filter'.
|
||||
The filter can be set in a whitebox or blackbox approach. Here is
|
||||
only discussed the whitebox approach. You have to add following lines to the Host section of web_80.xml:
|
||||
only discussed the whitebox approach. You have to add following lines to the
|
||||
Host section of server.xml in your Tomcat server configuration:
|
||||
</p>
|
||||
<pre>
|
||||
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user