Changed mac_Logo.gif to macadamian.gif. Added forced browsing servlet to the appropriate web.xml files. Enhanced readme files

git-svn-id: http://webgoat.googlecode.com/svn/trunk@109 4033779f-a91e-0410-96ef-6bf7bf53c507
2007-01-31 15:44:38 +00:00 · 2007-01-31 15:44:38 +00:00 · e748aa0e90
commit e748aa0e90
parent ca46354077
19 changed files with 95 additions and 39 deletions
--- a/Instructions.txt
+++ b/Instructions.txt
@ -1,14 +1,28 @@
+===============================================================
 Installing WebGoat WAR file into a Standard Tomcat Installation
+
+    Help: Mail List - http://lists.owasp.org/mailman/listinfo/owasp-webgoat
+          Email     - webgoat@g2-inc.com 
 ===============================================================

-To do this, you'll need to configure server.xml and tomcat-users.xml a bit. Basically, you'll want to change the port number in server.xml to 80 (or just stick with 8080).  WebGoat also has some specific users and roles that it uses which are defined in tomcat-users.xml. 
+To do this, you'll need to configure server.xml and tomcat-users.xml a bit. 
+Basically, you'll want to change the port number in server.xml to 80 (or just stick with 8080).  
+WebGoat also has some specific users and roles that it uses which are defined in tomcat-users.xml. 

- Add the following users to tomcat-users.xml in tomcat/conf directory
+- Add the following users and roles to tomcat-users.xml in tomcat/conf directory
+
+<?xml version="1.0" encoding="UTF-8"?>
+<tomcat-users>
+  <role rolename="webgoat_basic"/>
+  <role rolename="webgoat_admin"/>
+  <role rolename="webgoat_user"/>
+  <role rolename="tomcat"/>
+  <user password="webgoat" roles="webgoat_admin" username="webgoat"/>
+  <user password="basic" roles="webgoat_user,webgoat_basic" username="basic"/>
+  <user password="tomcat" roles="tomcat" username="tomcat"/>
+  <user password="guest" roles="webgoat_user" username="guest"/>
+</tomcat-users>

-<user username="webgoat" password="webgoat" roles="webgoat_admin"/>
-<user username="basic" password="basic" roles="webgoat_user,webgoat_basic"/>
-<user username="guest" password="guest" roles="webgoat_user"/>
-<user username="admin" password="admin" roles="admin,manager"/>

 This is explained in the readme.txt file in the root directory.

@ -17,4 +31,5 @@ browse to:

 http://localhost/WebGoat-VERSION_NUM/attack

-Let us know if you are still having problems at the WebGoat mailing list: http://lists.sourceforge.net/lists/listinfo/owasp-webgoat.
+Let us know if you are still having problems at the WebGoat mailing list: http://lists.owasp.org/mailman/listinfo/owasp-webgoat
+or by sending email to WebGoat@g2-inc.com
--- a/webgoat/main/build.xml
+++ b/webgoat/main/build.xml
@ -56,7 +56,7 @@

  <property name="app.home"    		   value="${basedir}/project"/>
  <property name="app.name"    		   value="WebGoat"/>	<!-- MUST BE CONSISTENT WITH project/build.xml! -->
-  <property name="app.version"    		   value="5.0-RC1"/>		<!-- MUST BE CONSISTENT WITH project/build.xml! -->
+  <property name="app.version"    		   value="5.0"/>		<!-- MUST BE CONSISTENT WITH project/build.xml! -->
  <property name="catalina.home" 		   value="${basedir}/tomcat"/>
  <property name="dist.home"     		   value="${app.home}/dist"/>
  <property name="dist.owasp"     		   value="${app.home}/owasp_distributions"/>
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/BackDoors.java
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/BackDoors.java
@ -63,7 +63,7 @@ public class BackDoors extends LessonAdapter

    private final static String SELECT_ST = "select userid, password, ssn, salary from employee where userid=";

-    private final static IMG MAC_LOGO = new IMG("images/logos/mac_Logo.gif").setAlt(
+    private final static IMG MAC_LOGO = new IMG("images/logos/macadamian.gif").setAlt(
    "Macadamian Technologies").setBorder(0).setHspace(0).setVspace(0);

    protected Element createContent(WebSession s)
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java
@ -68,7 +68,7 @@ public class CSRF extends LessonAdapter {
 	private static Connection connection = null;
 	private static int count = 1;
 	private final static int USER_COL = 4;	// Added by Chuck Willis - used to show user who posted message
-    private final static IMG MAC_LOGO = new IMG("images/logos/mac_Logo.gif").setAlt(
+    private final static IMG MAC_LOGO = new IMG("images/logos/macadamian.gif").setAlt(
    "Macadamian Technologies").setBorder(0).setHspace(0).setVspace(0);
 	
 	/**
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DOMInjection.java
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DOMInjection.java
@ -56,7 +56,7 @@ public class DOMInjection extends LessonAdapter

    private final static String KEY = "key";

-    private final static IMG MAC_LOGO = new IMG("images/logos/mac_Logo.gif").setAlt(
+    private final static IMG MAC_LOGO = new IMG("images/logos/macadamian.gif").setAlt(
    "Macadamian Technologies").setBorder(0).setHspace(0).setVspace(0);

    protected Element createContent(WebSession s)
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ForcedBrowsing.java
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ForcedBrowsing.java
@ -53,7 +53,7 @@ public class ForcedBrowsing extends LessonAdapter

    private final static String SUCCEEDED = "succeeded";

-    private final static IMG MAC_LOGO = new IMG("images/logos/mac_Logo.gif").setAlt(
+    private final static IMG MAC_LOGO = new IMG("images/logos/macadamian.gif").setAlt(
    "Macadamian Technologies").setBorder(0).setHspace(0).setVspace(0);

    /**
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java
@ -55,7 +55,7 @@ public class HttpSplitting extends LessonAdapter

    private static String STAGE = "stage";

-    private final static IMG MAC_LOGO = new IMG("images/logos/mac_Logo.gif").setAlt(
+    private final static IMG MAC_LOGO = new IMG("images/logos/macadamian.gif").setAlt(
    "Macadamian Technologies").setBorder(0).setHspace(0).setVspace(0);

    /**
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/JSONInjection.java
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/JSONInjection.java
@ -60,7 +60,7 @@ public class JSONInjection extends LessonAdapter

    private final static String TRAVEL_TO = "travelTo";

-    private final static IMG MAC_LOGO = new IMG("images/logos/mac_Logo.gif").setAlt(
+    private final static IMG MAC_LOGO = new IMG("images/logos/macadamian.gif").setAlt(
    "Macadamian Technologies").setBorder(0).setHspace(0).setVspace(0);

    public void handleRequest(WebSession s)
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LogSpoofing.java
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LogSpoofing.java
@ -58,7 +58,7 @@ public class LogSpoofing extends LessonAdapter

    private static final String PASSWORD = "password";

-    private final static IMG MAC_LOGO = new IMG("images/logos/mac_Logo.gif").setAlt(
+    private final static IMG MAC_LOGO = new IMG("images/logos/macadamian.gif").setAlt(
    "Macadamian Technologies").setBorder(0).setHspace(0).setVspace(0);

    protected Element createContent(WebSession s)
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/NewLesson.java
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/NewLesson.java
@ -40,7 +40,7 @@ import org.owasp.webgoat.session.WebSession;
 */
 public class NewLesson extends LessonAdapter
 {
-    private final static IMG MAC_LOGO = new IMG("images/logos/mac_Logo.gif").setAlt(
+    private final static IMG MAC_LOGO = new IMG("images/logos/macadamian.gif").setAlt(
    "Macadamian Technologies").setBorder(0).setHspace(0).setVspace(0);

    /**
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SilentTransactions.java
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SilentTransactions.java
@ -60,7 +60,7 @@ public class SilentTransactions extends LessonAdapter

    private final static Double CURRENT_BALANCE = 11987.09;

-    private final static IMG MAC_LOGO = new IMG("images/logos/mac_Logo.gif").setAlt(
+    private final static IMG MAC_LOGO = new IMG("images/logos/macadamian.gif").setAlt(
    "Macadamian Technologies").setBorder(0).setHspace(0).setVspace(0);

    public void handleRequest(WebSession s)
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/XMLInjection.java
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/XMLInjection.java
@ -60,7 +60,7 @@ public class XMLInjection extends LessonAdapter

    public static HashMap rewardsMap = new HashMap();

-    private final static IMG MAC_LOGO = new IMG("images/logos/mac_Logo.gif").setAlt(
+    private final static IMG MAC_LOGO = new IMG("images/logos/macadamian.gif").setAlt(
    "Macadamian Technologies").setBorder(0).setHspace(0).setVspace(0);

    protected static HashMap init()
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/XPATHInjection.java
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/XPATHInjection.java
@ -78,7 +78,7 @@ public class XPATHInjection extends LessonAdapter

    private final static String PASSWORD = "Password";

-    private final static IMG MAC_LOGO = new IMG("images/logos/mac_Logo.gif").setAlt(
+    private final static IMG MAC_LOGO = new IMG("images/logos/macadamian.gif").setAlt(
    "Macadamian Technologies").setBorder(0).setHspace(0).setVspace(0);

    protected Element createContent(WebSession s)
--- a/webgoat/main/project/WebContent/WEB-INF/web-unix.xml
+++ b/webgoat/main/project/WebContent/WEB-INF/web-unix.xml
@ -174,6 +174,10 @@
      <servlet-class>org.owasp.webgoat.LessonSource</servlet-class>
    </servlet>

+    <servlet>
+	 <servlet-name>conf</servlet-name>
+	 <jsp-file>/lessons/ConfManagement/config.jsp</jsp-file>
+    </servlet>
    <!-- Define mappings that are used by the servlet container to
         translate a particular request URI (context-relative) to a
         particular servlet.  The examples below correspond to the
@ -231,6 +235,10 @@
      <url-pattern>/source</url-pattern>
    </servlet-mapping>

+    <servlet-mapping>
+      <servlet-name>conf</servlet-name>
+      <url-pattern>/conf</url-pattern>
+    </servlet-mapping>
    
    <!-- Define the default session timeout for your application,
         in minutes.  From a servlet or JSP page, you can modify
--- a/webgoat/main/project/WebContent/WEB-INF/web-windows.xml
+++ b/webgoat/main/project/WebContent/WEB-INF/web-windows.xml
@ -174,6 +174,10 @@
      <servlet-class>org.owasp.webgoat.LessonSource</servlet-class>
    </servlet>

+    <servlet>
+	 <servlet-name>conf</servlet-name>
+	 <jsp-file>/lessons/ConfManagement/config.jsp</jsp-file>
+    </servlet>
    <!-- Define mappings that are used by the servlet container to
         translate a particular request URI (context-relative) to a
         particular servlet.  The examples below correspond to the
@ -231,7 +235,11 @@
      <url-pattern>/source</url-pattern>
    </servlet-mapping>

-    
+    <servlet-mapping>
+      <servlet-name>conf</servlet-name>
+      <url-pattern>/conf</url-pattern>
+    </servlet-mapping>
+
    <!-- Define the default session timeout for your application,
         in minutes.  From a servlet or JSP page, you can modify
         the timeout for a particular session dynamically by using
@ -308,7 +316,7 @@
 	    <role-name>webgoat_user</role-name>
 	</security-role>
 	
-		<security-role>
+	<security-role>
 	    <description>This role is for admins only</description>
 	    <role-name>server_admin</role-name>
 	</security-role>
--- a/webgoat/main/project/WebContent/WEB-INF/web.xml
+++ b/webgoat/main/project/WebContent/WEB-INF/web.xml
@ -316,7 +316,7 @@
 	    <role-name>webgoat_user</role-name>
 	</security-role>
 	
-		<security-role>
+	<security-role>
 	    <description>This role is for admins only</description>
 	    <role-name>server_admin</role-name>
 	</security-role>
--- a/webgoat/main/project/WebContent/images/logos/macadamian.gif
+++ b/webgoat/main/project/WebContent/images/logos/macadamian.gif
--- a/webgoat/main/project/build.xml
+++ b/webgoat/main/project/build.xml
@ -74,7 +74,7 @@

  <property name="app.name"      		   value="WebGoat"/>
  <property name="app.path"      		   value="/${app.name}"/>
-  <property name="app.version"   		   value="5.0-RC1"/> <!-- UPDATE THIS! -->
+  <property name="app.version"   		   value="5.0"/> <!-- UPDATE THIS! -->
  <property name="build.home"    		   value="${basedir}/build"/>
  <property name="catalina.home" 		   value="${basedir}/../tomcat"/> <!-- UPDATE THIS! -->
  <property name="dist.home"     		   value="${basedir}/dist"/>
--- a/webgoat/main/readme.txt
+++ b/webgoat/main/readme.txt
@ -1,10 +1,11 @@
 **********          WebGoat 5.0
-**********          01.17.2007
+**********          01.31.2007
 **********
 **
-**  Source Code: http://code.google.com/p/webgoat
-**  User Guide: http://www.owasp.org/index.php/WebGoat_User_and_Install_Guide_Table_of_Contents
-**  Home Page: http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
+**  Source Code:  http://code.google.com/p/webgoat
+**  Download:     http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824
+**  User Guide:   http://www.owasp.org/index.php/WebGoat_User_and_Install_Guide_Table_of_Contents
+**  Home Page:    http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
 **  Contact Info: webgoat@g2-inc.com
 **
 **********
@ -18,7 +19,7 @@ testing techniques.


 WARNING 1: While running this program your machine will be 
-extremely vulnerable to attack. You want to disconnect
+extremely vulnerable to attack. You should to disconnect
 from the Internet while using this program.

 WARNING 2: This program is for educational purposes only. If you
@ -28,14 +29,15 @@ hacking, most companies will fire you. Claiming that you were
 doing security research will not work as that is the first thing
 that all hackers claim.

-You can find more information about WebGoat at
-http://www.owasp.org
+You can find more information about WebGoat at:
+http://code.google.com/p/webgoat

 CREDITS (Latest release)

 	Bruce Mayhew (http://www.g2-inc.com)
 	Sherif Koussa (http://www.macadamian.com)
 	Rogan Dawes (http://dawes.za.net/rogan)
+	Eric Sheridan (http://www.aspectsecurity.com) 
 	Carlo Pelliccioni
 	The many people who have sent comments and suggestions...
        
@ -49,23 +51,30 @@ WHAT'S NEW
 	* Log Spoofing 
 	* Cache Poisoning 
 	* Back Doors via SQL Injection 
+	* Many upgrades and minor fixes

 INSTALLATION

-Windows
+Windows - (Download, Extract, Double Click Release)

-1. unzip the Windows_WebGoat-x.x.zip to your working environment 
-2. To start Tomcat, browse to the WebGoat directory unzipped above and double click "webgoat.bat"
+1. unzip the Windows_WebGoat-x.x_Release.zip to your working environment 
+2. To start Tomcat, browse to the WebGoat directory unzipped above and 
+     double click "webgoat.bat"
 3. start your browser and browse to... (Notice the capital 'W' and 'G')
-	http://localhost/WebGoat/attack
+	 http://localhost/WebGoat/attack
 4. login in as: user = guest, password = guest
 5. To stop WebGoat, simply close the window you launched it from.

+Note: When intercepting request with IE7.  You must add a '.' to the
+      end of localhost.  i.e. 
+          http://localhost./WebGoat/attack        or
+          http://localhost.8080/WebGoat/attack    if using a non standard port
+

 Linux

 1. Download and install Java JDK 1.5 from Sun (http://java.sun.com)
-2. Unzip the Unix_WebGoat-x.x.zip to your working directory
+2. Unzip the Unix_WebGoat-x.x_Release.zip to your working directory
 3. Set JAVA_HOME to point to your JDK1.5 installation
 4. chmod +x webgoat.sh 
 5. Since the latest version runs on a privileged port, you will need to start/stop WebGoat as root.
@ -78,7 +87,7 @@ Linux

 OS X (Tiger 10.4+)

-1. Unzip the Unix_WebGoat-x.x.zip to your working directory
+1. Unzip the Unix_WebGoat-x.x_Release.zip to your working directory
 2. chmod +x webgoat.sh
 3. Since the latest version runs on a privileged port, you will need to start/stop WebGoat as root.
 	sudo sh webgoat.sh start
@ -120,8 +129,24 @@ A. This usually indicates an Eclipse environment setting misconfiguration. Here
 		- Return to the Ant View and refresh.

 Q. When I start up WebGoat it dies very quickly.
-A. WebGoat is a Java application that runs on Tomcat using port 80.  If you have another application listening on port 80 (like IIS), you will need to change WebGoat's port (to 8080 or something) in the tomcat_root/conf/server.xml file.
+A. WebGoat is a Java application that runs on Tomcat using port 80.  If you have another 
+   application listening on port 80 (like IIS), you will need to change WebGoat's port 
+   (to 8080 or something) in the tomcat_root/conf/server.xml file.

-For more current FAQs, please visit http://www.owasp.org/software/webgoat/faq.html
+Q. When I deploy the war file to the Tomcat wepapps directory, I can't login to WebGoat
+A. You need to add the webgoat users and roles to tomcat/conf/tomcat-users.xml

-Please send questions, comments, suggestions, bugs, etc to webgoat@owasp.org
+    <?xml version="1.0" encoding="UTF-8"?>
+    <tomcat-users>
+      <role rolename="webgoat_basic"/>
+      <role rolename="webgoat_admin"/>
+      <role rolename="webgoat_user"/>
+      <role rolename="tomcat"/>
+      <user password="webgoat" roles="webgoat_admin" username="webgoat"/>
+      <user password="basic" roles="webgoat_user,webgoat_basic" username="basic"/>
+      <user password="tomcat" roles="tomcat" username="tomcat"/>
+      <user password="guest" roles="webgoat_user" username="guest"/>
+    </tomcat-users>
+
+
+Please send questions, comments, suggestions, bugs, etc to webgoat@g2-inc.com