From ee6ed2e978569bc7e4fcc04e0f96c95cec58379c Mon Sep 17 00:00:00 2001 From: mayhew64 Date: Fri, 9 Mar 2007 17:25:55 +0000 Subject: [PATCH] Add FAQ for running WebGoat on your host IP git-svn-id: http://webgoat.googlecode.com/svn/trunk@118 4033779f-a91e-0410-96ef-6bf7bf53c507 --- webgoat/main/readme.txt | 340 ++++++++++++++++++++++----------------- 1 file changed, 189 insertions(+), 151 deletions(-) diff --git a/ webgoat/main/readme.txt b/ webgoat/main/readme.txt index 811aee7f5..18c37a018 100644 --- a/ webgoat/main/readme.txt +++ b/ webgoat/main/readme.txt @@ -1,152 +1,190 @@ -********** WebGoat 5.0 -********** 01.31.2007 -********** -** -** Source Code: http://code.google.com/p/webgoat -** Download: http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 -** User Guide: http://www.owasp.org/index.php/WebGoat_User_and_Install_Guide_Table_of_Contents -** Home Page: http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project -** Contact Info: webgoat@g2-inc.com -** -********** - -Thank you for downloading WebGoat! - -This program is a demonstration of common server-side -application flaws. The exercises are intended to -be used by people to learn about application penetration -testing techniques. - - -WARNING 1: While running this program your machine will be -extremely vulnerable to attack. You should to disconnect -from the Internet while using this program. - -WARNING 2: This program is for educational purposes only. If you -attempt these techniques without authorization, you are very -likely to get caught. If you are caught engaging in unauthorized -hacking, most companies will fire you. Claiming that you were -doing security research will not work as that is the first thing -that all hackers claim. - -You can find more information about WebGoat at: -http://code.google.com/p/webgoat - -CREDITS (Latest release) - - Bruce Mayhew (http://www.g2-inc.com) - Sherif Koussa (http://www.macadamian.com) - Rogan Dawes (http://dawes.za.net/rogan) - Eric Sheridan (http://www.aspectsecurity.com) - Carlo Pelliccioni - The many people who have sent comments and suggestions... - -WHAT'S NEW - - * WebGoat is now current at Google code. (http://code.google.com/p/webgoat) - * HTTP Splitting - * Cross-Site Request Forgery - * XPATH Injection - * AJAX Security - * Log Spoofing - * Cache Poisoning - * Back Doors via SQL Injection - * Many upgrades and minor fixes - -INSTALLATION - -Windows - (Download, Extract, Double Click Release) - -1. unzip the Windows_WebGoat-x.x_Release.zip to your working environment -2. To start Tomcat, browse to the WebGoat directory unzipped above and - double click "webgoat.bat" -3. start your browser and browse to... (Notice the capital 'W' and 'G') - http://localhost/WebGoat/attack -4. login in as: user = guest, password = guest -5. To stop WebGoat, simply close the window you launched it from. - -Note: When intercepting request with IE7. You must add a '.' to the - end of localhost. i.e. - http://localhost./WebGoat/attack or - http://localhost.8080/WebGoat/attack if using a non standard port - - -Linux - -1. Download and install Java JDK 1.5 from Sun (http://java.sun.com) -2. Unzip the Unix_WebGoat-x.x_Release.zip to your working directory -3. Set JAVA_HOME to point to your JDK1.5 installation -4. chmod +x webgoat.sh -5. Since the latest version runs on a privileged port, you will need to start/stop WebGoat as root. - sudo sh webgoat.sh start - sudo sh webgoat.sh stop -6. start your browser and browse to... (Notice the capital 'W' and 'G') - http://localhost/WebGoat/attack -7. login in as: user = guest, password = guest - - -OS X (Tiger 10.4+) - -1. Unzip the Unix_WebGoat-x.x_Release.zip to your working directory -2. chmod +x webgoat.sh -3. Since the latest version runs on a privileged port, you will need to start/stop WebGoat as root. - sudo sh webgoat.sh start - sudo sh webgoat.sh stop -4. start your browser and browse to... (Notice the capital 'W' and 'G') - http://localhost/WebGoat/attack -5. login in as: user = guest, password = guest - - -DEVELOPER INSTALLATION - -1. Download WebGoat-x.x_developer.zip source distribution -2. Unzip the WebGoat-x.x_developer.zip to your working directory -3. Follow the directions in HOW TO create the WebGoat workspace.txt - - -HOW WEBGOAT WORKS - -TROUBLESHOOTING/FAQs: -Q. I put the OWASP downloaded war file in my tomcat/webapps directory and the - http://localhost/WebGoat/attack url doesn't work. -A. Rename the downloaded war file to WebGoat.war. Delete the existing tomcat/webapps/*WebGoat* directories. - -Q. I dropped the WebGoat war file into my non-Tomcat application server and WebGoat doesn't seem to work. -A. WebGoat uses some of the internal Tomcat classes for user management. Unfortunately, this makes - WebGoat dependent on Tomcat. Hopefully, this will be addressed in a future release. - -Q. Having problems with the ant file working properly. How do I configure my ant environment - so that I don't receive errors such as: - - "Specified VM install not found: type Standard VM, name j2sdk1.4.2.06" -A. This usually indicates an Eclipse environment setting misconfiguration. Here are some possible solutions: - i. Ant Runtime Configuration - - Window > Preferences - - Ant > Runtime - - Under Classpath Tab check the "Global Entries" - - Remove any jre "tools.jar" references - - Add the "\tomcat\servers\lib\catalina-ant.jar" file. - - Click Apply, Click OK. - - Return to the Ant View and refresh. - -Q. When I start up WebGoat it dies very quickly. -A. WebGoat is a Java application that runs on Tomcat using port 80. If you have another - application listening on port 80 (like IIS), you will need to change WebGoat's port - (to 8080 or something) in the tomcat_root/conf/server.xml file. - -Q. When I deploy the war file to the Tomcat wepapps directory, I can't login to WebGoat -A. You need to add the webgoat users and roles to tomcat/conf/tomcat-users.xml - - - - - - - - - - - - - - +********** WebGoat 5.0 +********** 03.09.2007 +********** +** +** Source Code: http://code.google.com/p/webgoat +** Download: http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 +** Download: http://code.google.com/p/webgoat/downloads/list (Does not have Windows release) +** User Guide: http://www.owasp.org/index.php/WebGoat_User_and_Install_Guide_Table_of_Contents +** Home Page: http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project +** Contact Info: webgoat@g2-inc.com +** +********** + +Thank you for downloading WebGoat! + +This program is a demonstration of common server-side +application flaws. The exercises are intended to +be used by people to learn about application penetration +testing techniques. + + +WARNING 1: While running this program your machine will be +extremely vulnerable to attack. You should to disconnect +from the Internet while using this program. + +WARNING 2: This program is for educational purposes only. If you +attempt these techniques without authorization, you are very +likely to get caught. If you are caught engaging in unauthorized +hacking, most companies will fire you. Claiming that you were +doing security research will not work as that is the first thing +that all hackers claim. + +You can find more information about WebGoat at: +http://code.google.com/p/webgoat + +CREDITS (Latest release) + + Bruce Mayhew (http://www.g2-inc.com) + Sherif Koussa (http://www.macadamian.com) + Rogan Dawes (http://dawes.za.net/rogan) + Eric Sheridan (http://www.aspectsecurity.com) + Carlo Pelliccioni + The many people who have sent comments and suggestions... + +WHAT'S NEW + + * WebGoat is now current at Google code. (http://code.google.com/p/webgoat) + * HTTP Splitting + * Cross-Site Request Forgery + * XPATH Injection + * AJAX Security + * Log Spoofing + * Cache Poisoning + * Back Doors via SQL Injection + * Many upgrades and minor fixes + +INSTALLATION + +Windows - (Download, Extract, Double Click Release) + +1. unzip the Windows_WebGoat-x.x_Release.zip to your working environment +2. To start Tomcat, browse to the WebGoat directory unzipped above and + double click "webgoat.bat" +3. start your browser and browse to... (Notice the capital 'W' and 'G') + http://localhost/WebGoat/attack +4. login in as: user = guest, password = guest +5. To stop WebGoat, simply close the window you launched it from. + +Note: When intercepting request with IE7. You must add a '.' to the + end of localhost. i.e. + http://localhost./WebGoat/attack or + http://localhost.8080/WebGoat/attack if using a non standard port + + +Linux + +1. Download and install Java JDK 1.5 from Sun (http://java.sun.com) +2. Unzip the Unix_WebGoat-x.x_Release.zip to your working directory +3. Set JAVA_HOME to point to your JDK1.5 installation +4. chmod +x webgoat.sh +5. Since the latest version runs on a privileged port, you will need to start/stop WebGoat as root. + sudo sh webgoat.sh start + sudo sh webgoat.sh stop +6. start your browser and browse to... (Notice the capital 'W' and 'G') + http://localhost/WebGoat/attack +7. login in as: user = guest, password = guest + + +OS X (Tiger 10.4+) + +1. Unzip the Unix_WebGoat-x.x_Release.zip to your working directory +2. chmod +x webgoat.sh +3. Since the latest version runs on a privileged port, you will need to start/stop WebGoat as root. + sudo sh webgoat.sh start + sudo sh webgoat.sh stop +4. start your browser and browse to... (Notice the capital 'W' and 'G') + http://localhost/WebGoat/attack +5. login in as: user = guest, password = guest + + +DEVELOPER INSTALLATION + +1. Download WebGoat-x.x_developer.zip source distribution +2. Unzip the WebGoat-x.x_developer.zip to your working directory +3. Follow the directions in HOW TO create the WebGoat workspace.txt + + +HOW WEBGOAT WORKS + +TROUBLESHOOTING/FAQs: +Q. I put the OWASP downloaded war file in my tomcat/webapps directory and the + http://localhost/WebGoat/attack url doesn't work. +A. Rename the downloaded war file to WebGoat.war. Delete the existing tomcat/webapps/*WebGoat* directories. + + +Q. I dropped the WebGoat war file into my non-Tomcat application server and WebGoat doesn't seem to work. +A. WebGoat uses some of the internal Tomcat classes for user management. Unfortunately, this makes + WebGoat dependent on Tomcat. Hopefully, this will be addressed in a future release. + + +Q. Having problems with the ant file working properly. How do I configure my ant environment + so that I don't receive errors such as: + - "Specified VM install not found: type Standard VM, name j2sdk1.4.2.06" +A. This usually indicates an Eclipse environment setting misconfiguration. Here are some possible solutions: + i. Ant Runtime Configuration + - Window > Preferences + - Ant > Runtime + - Under Classpath Tab check the "Global Entries" + - Remove any jre "tools.jar" references + - Add the "\tomcat\servers\lib\catalina-ant.jar" file. + - Click Apply, Click OK. + - Return to the Ant View and refresh. + + +Q. When I start up WebGoat it dies very quickly. +A. WebGoat is a Java application that runs on Tomcat using port 80. If you have another + application listening on port 80 (like IIS), you will need to change WebGoat's port + (to 8080 or something) in the tomcat_root/conf/server.xml file. + + +Q. When I deploy the war file to the Tomcat wepapps directory, I can't login to WebGoat +A. You need to add the webgoat users and roles to tomcat/conf/tomcat-users.xml + + + + + + + + + + + + + + +Q. How do I get configure WebGoat to run on an IP other then localhost? +A. In the webgoat.bat file, in the root directory, the following lines + are executed: + + delete .\tomcat\conf\server.xml + copy .\tomcat\conf\server_80.xml .\tomcat\conf\server.xml + + This will overwrite any changes you may have made to server.xml + file that addressed this issue.... + + By changing the server_80.xml file (or by removing the above code + from webgoat.bat, after making your changes) you can reflect your + changes to the Tomcat configuration. You will need to change the IP + address in the server_80.xml file to be the IP of the host machine. + + The following connectors should be modified + + +