diff --git a/src/main/webapp/lesson_plans/English/HowToWork.html b/src/main/webapp/lesson_plans/English/HowToWork.html index 8c20287ea..d99f61dc2 100644 --- a/src/main/webapp/lesson_plans/English/HowToWork.html +++ b/src/main/webapp/lesson_plans/English/HowToWork.html @@ -6,7 +6,7 @@ Welcome to a brief overview of WebGoat.

Environment Information

WebGoat uses the Apache Tomcat server but can run in any application server. It is configured to run on -localhost although this can be easily changed, see the ""Tomcat Configuration"" section in the Introduction.

+localhost although this can be easily changed, see the "Tomcat Configuration" section in the Introduction.

The WebGoat Interface

diff --git a/src/main/webapp/lesson_plans/English/TomcatSetup.html b/src/main/webapp/lesson_plans/English/TomcatSetup.html index 66351b1ec..decbd49df 100644 --- a/src/main/webapp/lesson_plans/English/TomcatSetup.html +++ b/src/main/webapp/lesson_plans/English/TomcatSetup.html @@ -5,20 +5,16 @@ and other possible configurations for Tomcat. This is just a short description which should be enough in most cases. For more advanced tasks please refer to the Tomcat documentation. Please note that all solutions -are written for the standard configurations on port 80. If you use another port you have +are written for the standard configurations on port 80 or 8080. If you use another port you have to adjust the solution to your configuration.

The Standard Configurations

-

There are two standard Tomcat configurations. In the basic configurations you use the server on your localhost. - Both are identically with the only difference - that in one tomcat is running on port 80 and 443 (SSL) and in the other tomcat is running on port 8080 and 8443. In Linux you have - to start WebGoat as root or with sudo if you want to run it on port 80 and - 443. - As running software as root is dangerous we strongly advice to use -the port 8080 and 8443. In Windows you can -run WebGoat.bat to run it on port 80 and WebGoat_8080.bat to run it on port 8080. In Linux you -can use webgoat.sh and run it with webgoat.sh start80 or webgoat.sh start8080. The user in these -configurations is guest with password guest +

WebGoat has multiple ways of being run. The +WebGoat Wiki is the best place to find the latest configuration instructions. +By default WebGoat will run on port 8080. In the basic configurations you use the server on your localhost. +In Linux you have to start WebGoat as root or with sudo if you want to run it on port 80 and + 443. Running software as root is dangerous we strongly advice to use +the port 8080 and 8443.

Server Configurations

@@ -31,46 +27,47 @@ the configurations we recommend doing a backup of the files you change.

Change Ports

-To change the ports open the server_80.xml which you find in tomcat/conf and change the -non-SSL port. If you want to use it on port 8079 for example: +To change the ports open Tomcat's server.xml which you find in tomcat/conf and change the +non-SSL port. If you want to change your +Tomcat server to use it on port 8079 for example:

-	<!-- Define a non-SSL HTTP/1.1 Connector on port 8079 --> 
-	<Connector address="127.0.0.1" port="8079"...
+<!-- Define a non-SSL HTTP/1.1 Connector on port 8079 --> 
+<Connector address="127.0.0.1" port="8079"...
 

You can also change the SSL connector to another port of course. In this example to port 8442:

-	<!-- Define a SSL HTTP/1.1 Connector on port 8442 --> 
-	<Connector address="127.0.0.1" port="8442"... 
+<!-- Define a SSL HTTP/1.1 Connector on port 8442 --> 
+<Connector address="127.0.0.1" port="8442"... 
 
+

+You can also modify WebGoat's pom.xml file to change the port. You will need to modify +the tomcat7-maven-plugin plugin configuration. +


Make WebGoat Reachable From Another Client

THIS MAKES IT POSSIBLE TO REALLY ATTACK YOUR SERVER! DO NOT DO THIS UNTIL YOU KNOW WHAT YOU ARE DOING. THIS CONFIGURATION SHOULD BE ONLY USED IN SAFE NETWORKS!

-

By its default configurations WebGoat is only +

By its default configuration, WebGoat is only reachable within the localhost. In a laboratory or a class there is maybe the need of having a server and a few clients. In this case it is possible to make WebGoat reachable.

-

The reason why WebGoat is only reachable within the localhost is -the parameter address in the connectors for the non-SSL and SSL connection in server_80.xml. It is set -to 127.0.0.1. The applications only listens on the port of this address for -incoming connections if it is set. If you remove this parameter the server listens on all IPs on the -specific port.

-

Permit Only Certain Clients Connection

+

Permit Only Certain Client Connection

If you have made WebGoat reachable it is reachable for all clients. If you want to make it reachable only for certain clients specified -by there IP you can archive this by using a 'Remote Address Filter'. +by their IP you can archive this by using a 'Remote Address Filter'. The filter can be set in a whitebox or blackbox approach. Here is -only discussed the whitebox approach. You have to add following lines to the Host section of web_80.xml: +only discussed the whitebox approach. You have to add following lines to the +Host section of server.xml in your Tomcat server configuration:

 	<Valve className="org.apache.catalina.valves.RemoteAddrValve"
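Review bot: the hunk removes the paragraph under "Make WebGoat Reachable From Another Client" that explained the mechanism ("the parameter address in the connectors ... is set to 127.0.0.1 ... If you remove this parameter the server listens on all IPs"), but adds nothing in its place, so that section now consists of a warning and the statement that it "is possible" with no instruction at all. The fix is to restore that paragraph with the file name updated, e.g. "remove address="127.0.0.1" from the non-SSL and SSL Connector elements in server.xml", and, because the page now also documents running via the tomcat7-maven-plugin in pom.xml, to say which of the two configurations each instruction applies to; the Connector example in "Change Ports" correctly keeps address="127.0.0.1", so that binding is still the security boundary and deserves an explicit sentence. In the same spirit, "You will need to modify the tomcat7-maven-plugin plugin configuration" should name the setting to change rather than only the plugin. Smaller wording issues that survive in the new lines: "Permit Only Certain Client Connection" should read "Permit Connections Only From Certain Clients"; "you can archive this" is "achieve"; "whitebox or blackbox approach" would be clearer as allow-list or deny-list, which is the vocabulary the RemoteAddrValve configuration itself uses; and "Here is only discussed the whitebox approach" reads better as "Only the allow-list approach is discussed here." One caveat worth a sentence next to the Valve: it matches the address of the TCP peer, so if WebGoat is ever reached through a proxy the filter sees the proxy's address, not the client's.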