WEB-126 some additional grammar cleanup and tomcat configuration cleanup
parent 63435393f8
commit a0723fdbf5
@ -6,7 +6,7 @@ Welcome to a brief overview of WebGoat.<br>
|
|||||||
<h2>Environment Information</h2>
|
<h2>Environment Information</h2>
|
||||||
<p>
|
<p>
|
||||||
WebGoat uses the Apache Tomcat server but can run in any application server. It is configured to run on
|
WebGoat uses the Apache Tomcat server but can run in any application server. It is configured to run on
|
||||||
localhost although this can be easily changed, see the ""Tomcat Configuration"" section in the Introduction. </p>
|
localhost although this can be easily changed, see the "Tomcat Configuration" section in the Introduction. </p>
|
||||||
|
|
||||||
<h2>The WebGoat Interface</h2>
|
<h2>The WebGoat Interface</h2>
|
||||||
<p>
|
<p>
|
||||||
|
@ -5,20 +5,16 @@
|
|||||||
and other possible configurations for Tomcat. This is just
|
and other possible configurations for Tomcat. This is just
|
||||||
a short description which should be enough in most cases. For more advanced tasks please
|
a short description which should be enough in most cases. For more advanced tasks please
|
||||||
refer to the Tomcat documentation. Please note that all solutions
|
refer to the Tomcat documentation. Please note that all solutions
|
||||||
are written for the standard configurations on port 80. If you use another port you have
|
are written for the standard configurations on port 80 or 8080. If you use another port you have
|
||||||
to adjust the solution to your configuration.</p>
|
to adjust the solution to your configuration.</p>
|
||||||
|
|
||||||
<h2>The Standard Configurations</h2>
|
<h2>The Standard Configurations</h2>
|
||||||
<p>There are two standard Tomcat configurations. In the basic configurations you use the server on your localhost.
|
<p>WebGoat has multiple ways of being run. The <a href="https://github.com/WebGoat/WebGoat/wiki/Installation-(WebGoat-6.0)">
|
||||||
Both are identically with the only difference
|
WebGoat Wiki</a> is the best place to find the latest configuration instructions.
|
||||||
that in one tomcat is running on port 80 and 443 (SSL) and in the other tomcat is running on port 8080 and 8443. In Linux you have
|
By default WebGoat will run on port 8080. In the basic configurations you use the server on your localhost.
|
||||||
to start WebGoat as root or with sudo if you want to run it on port 80 and
|
In Linux you have to start WebGoat as root or with sudo if you want to run it on port 80 and
|
||||||
443.
|
443. Running software as root is dangerous we strongly advice to use
|
||||||
As running software as root is dangerous we strongly advice to use
|
the port 8080 and 8443.
|
||||||
the port 8080 and 8443. In Windows you can
|
|
||||||
run WebGoat.bat to run it on port 80 and WebGoat_8080.bat to run it on port 8080. In Linux you
|
|
||||||
can use webgoat.sh and run it with webgoat.sh start80 or webgoat.sh start8080. The user in these
|
|
||||||
configurations is guest with password guest
|
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<h2>Server Configurations</h2>
|
<h2>Server Configurations</h2>
|
||||||
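Review bot: in the rewritten paragraph under "The Standard Configurations", the new sentence "Running software as root is dangerous we strongly advice to use the port 8080 and 8443." lost the leading "As" and is now a run-on, and "advice" should be "advise"; something like "Running software as root is dangerous, so we strongly advise using ports 8080 and 8443." reads correctly. The kept sentence "In the basic configurations you use the server on your localhost." still speaks of several configurations although the text describing the two configurations was removed. The sentence stating that the user is guest with password guest is deleted with no replacement; if those credentials still apply, the page should say so or state that the linked wiki covers them.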
@ -31,46 +27,47 @@ the configurations we recommend doing a backup of the files you change.
|
|||||||
|
|
||||||
<h3>Change Ports</h3>
|
<h3>Change Ports</h3>
|
||||||
<p>
|
<p>
|
||||||
To change the ports open the server_80.xml which you find in tomcat/conf and change the
|
To change the ports open Tomcat's server.xml which you find in tomcat/conf and change the
|
||||||
non-SSL port. If you want to use it on port 8079 for example:
|
non-SSL port. If you want to change your
|
||||||
|
Tomcat server to use it on port 8079 for example:
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<pre>
|
<pre>
|
||||||
<!-- Define a non-SSL HTTP/1.1 Connector on port 8079 -->
|
<!-- Define a non-SSL HTTP/1.1 Connector on port 8079 -->
|
||||||
<Connector address="127.0.0.1" port="8079"...
|
<Connector address="127.0.0.1" port="8079"...
|
||||||
</pre>
|
</pre>
|
||||||
<p>
|
<p>
|
||||||
You can also change the SSL connector to another port of course.
|
You can also change the SSL connector to another port of course.
|
||||||
In this example to port 8442:
|
In this example to port 8442:
|
||||||
</p>
|
</p>
|
||||||
<pre>
|
<pre>
|
||||||
<!-- Define a SSL HTTP/1.1 Connector on port 8442 -->
|
<!-- Define a SSL HTTP/1.1 Connector on port 8442 -->
|
||||||
<Connector address="127.0.0.1" port="8442"...
|
<Connector address="127.0.0.1" port="8442"...
|
||||||
</pre>
|
</pre>
|
||||||
|
</p>
|
||||||
|
You can also modify WebGoat's pom.xml file to change the port. You will need to modify
|
||||||
|
the tomcat7-maven-plugin plugin configuration.
|
||||||
|
</p>
|
||||||
<br>
|
<br>
|
||||||
|
|
||||||
<h3>Make WebGoat Reachable From Another Client</h3>
|
<h3>Make WebGoat Reachable From Another Client</h3>
|
||||||
<p>THIS MAKES IT POSSIBLE TO REALLY ATTACK YOUR SERVER! DO NOT DO THIS
|
<p>THIS MAKES IT POSSIBLE TO REALLY ATTACK YOUR SERVER! DO NOT DO THIS
|
||||||
UNTIL YOU KNOW WHAT YOU ARE DOING. THIS CONFIGURATION SHOULD BE ONLY USED IN
|
UNTIL YOU KNOW WHAT YOU ARE DOING. THIS CONFIGURATION SHOULD BE ONLY USED IN
|
||||||
SAFE NETWORKS!</p>
|
SAFE NETWORKS!</p>
|
||||||
<p>By its default configurations WebGoat is only
|
<p>By its default configuration, WebGoat is only
|
||||||
reachable within the localhost. In a laboratory or a class
|
reachable within the localhost. In a laboratory or a class
|
||||||
there is maybe the need of having a server and a few clients.
|
there is maybe the need of having a server and a few clients.
|
||||||
In this case it is possible to make WebGoat reachable.
|
In this case it is possible to make WebGoat reachable.
|
||||||
</p>
|
</p>
|
||||||
<p>The reason why WebGoat is only reachable within the localhost is
|
|
||||||
the parameter address in the connectors for the non-SSL and SSL connection in server_80.xml. It is set
|
|
||||||
to 127.0.0.1. The applications only listens on the port of this address for
|
|
||||||
incoming connections if it is set. If you remove this parameter the server listens on all IPs on the
|
|
||||||
specific port.</p>
|
|
||||||
|
|
||||||
<h3>Permit Only Certain Clients Connection</h3>
|
<h3>Permit Only Certain Client Connection</h3>
|
||||||
<p>
|
<p>
|
||||||
If you have made WebGoat reachable it is reachable for
|
If you have made WebGoat reachable it is reachable for
|
||||||
all clients. If you want to make it reachable only for certain clients specified
|
all clients. If you want to make it reachable only for certain clients specified
|
||||||
by there IP you can archive this by using a 'Remote Address Filter'.
|
by their IP you can archive this by using a 'Remote Address Filter'.
|
||||||
The filter can be set in a whitebox or blackbox approach. Here is
|
The filter can be set in a whitebox or blackbox approach. Here is
|
||||||
only discussed the whitebox approach. You have to add following lines to the Host section of web_80.xml:
|
only discussed the whitebox approach. You have to add following lines to the
|
||||||
|
Host section of server.xml in your Tomcat server configuration:
|
||||||
</p>
|
</p>
|
||||||
<pre>
|
<pre>
|
||||||
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
|
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
|
||||||
|
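Review bot: the paragraph added at the end of the Change Ports section opens with a closing </p> instead of <p>, so "You can also modify WebGoat's pom.xml file to change the port." sits outside any paragraph and is followed by a second, unmatched </p>; the first tag should be <p>. Under "Make WebGoat Reachable From Another Client", the paragraph explaining that the connectors' address parameter is set to 127.0.0.1 is deleted rather than updated, which leaves the warning and the "it is possible to make WebGoat reachable" text without any statement of which setting keeps the server bound to localhost; consider keeping that paragraph with server_80.xml replaced by server.xml, as was done in the Change Ports text. In the filter paragraph, "there IP" was corrected but "you can archive this" remains where "achieve" is meant, and the new heading "Permit Only Certain Client Connection" reads less clearly than the plural it replaces.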