Add FAQ for running WebGoat on your host IP

git-svn-id: http://webgoat.googlecode.com/svn/trunk@118 4033779f-a91e-0410-96ef-6bf7bf53c507

webgoat/main/readme.txt

@@ -1,152 +1,190 @@
-**********          WebGoat 5.0
+**********          WebGoat 5.0
-**********          01.31.2007
+**********          03.09.2007
-**********
+**********
-**
+**
-**  Source Code:  http://code.google.com/p/webgoat
+**  Source Code:  http://code.google.com/p/webgoat
-**  Download:     http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824
+**  Download:     http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824
-**  User Guide:   http://www.owasp.org/index.php/WebGoat_User_and_Install_Guide_Table_of_Contents
+**  Download:     http://code.google.com/p/webgoat/downloads/list   (Does not have Windows release)
-**  Home Page:    http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
+**  User Guide:   http://www.owasp.org/index.php/WebGoat_User_and_Install_Guide_Table_of_Contents
-**  Contact Info: webgoat@g2-inc.com
+**  Home Page:    http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
-**
+**  Contact Info: webgoat@g2-inc.com
-**********
+**
-
+**********
-Thank you for downloading WebGoat!
+
-
+Thank you for downloading WebGoat!
-This program is a demonstration of common server-side
+
-application flaws.  The exercises are intended to
+This program is a demonstration of common server-side
-be used by people to learn about application penetration
+application flaws.  The exercises are intended to
-testing techniques.
+be used by people to learn about application penetration
-
+testing techniques.
-
+
-WARNING 1: While running this program your machine will be 
+
-extremely vulnerable to attack. You should to disconnect
+WARNING 1: While running this program your machine will be 
-from the Internet while using this program.
+extremely vulnerable to attack. You should to disconnect
-
+from the Internet while using this program.
-WARNING 2: This program is for educational purposes only. If you
+
-attempt these techniques without authorization, you are very
+WARNING 2: This program is for educational purposes only. If you
-likely to get caught.  If you are caught engaging in unauthorized
+attempt these techniques without authorization, you are very
-hacking, most companies will fire you. Claiming that you were
+likely to get caught.  If you are caught engaging in unauthorized
-doing security research will not work as that is the first thing
+hacking, most companies will fire you. Claiming that you were
-that all hackers claim.
+doing security research will not work as that is the first thing
-
+that all hackers claim.
-You can find more information about WebGoat at:
+
-http://code.google.com/p/webgoat
+You can find more information about WebGoat at:
-
+http://code.google.com/p/webgoat
-CREDITS (Latest release)
+
-
+CREDITS (Latest release)
-	Bruce Mayhew (http://www.g2-inc.com)
+
-	Sherif Koussa (http://www.macadamian.com)
+	Bruce Mayhew (http://www.g2-inc.com)
-	Rogan Dawes (http://dawes.za.net/rogan)
+	Sherif Koussa (http://www.macadamian.com)
-	Eric Sheridan (http://www.aspectsecurity.com) 
+	Rogan Dawes (http://dawes.za.net/rogan)
-	Carlo Pelliccioni
+	Eric Sheridan (http://www.aspectsecurity.com) 
-	The many people who have sent comments and suggestions...
+	Carlo Pelliccioni
-        
+	The many people who have sent comments and suggestions...
-WHAT'S NEW
+        
-
+WHAT'S NEW
-	* WebGoat is now current at Google code. (http://code.google.com/p/webgoat)
+
-	* HTTP Splitting 
+	* WebGoat is now current at Google code. (http://code.google.com/p/webgoat)
-	* Cross-Site Request Forgery 
+	* HTTP Splitting 
-	* XPATH Injection 
+	* Cross-Site Request Forgery 
-	* AJAX Security 
+	* XPATH Injection 
-	* Log Spoofing 
+	* AJAX Security 
-	* Cache Poisoning 
+	* Log Spoofing 
-	* Back Doors via SQL Injection 
+	* Cache Poisoning 
-	* Many upgrades and minor fixes
+	* Back Doors via SQL Injection 
-
+	* Many upgrades and minor fixes
-INSTALLATION
+
-
+INSTALLATION
-Windows - (Download, Extract, Double Click Release)
+
-
+Windows - (Download, Extract, Double Click Release)
-1. unzip the Windows_WebGoat-x.x_Release.zip to your working environment 
+
-2. To start Tomcat, browse to the WebGoat directory unzipped above and 
+1. unzip the Windows_WebGoat-x.x_Release.zip to your working environment 
-     double click "webgoat.bat"
+2. To start Tomcat, browse to the WebGoat directory unzipped above and 
-3. start your browser and browse to... (Notice the capital 'W' and 'G')
+     double click "webgoat.bat"
-	 http://localhost/WebGoat/attack
+3. start your browser and browse to... (Notice the capital 'W' and 'G')
-4. login in as: user = guest, password = guest
+	 http://localhost/WebGoat/attack
-5. To stop WebGoat, simply close the window you launched it from.
+4. login in as: user = guest, password = guest
-
+5. To stop WebGoat, simply close the window you launched it from.
-Note: When intercepting request with IE7.  You must add a '.' to the
+
-      end of localhost.  i.e. 
+Note: When intercepting request with IE7.  You must add a '.' to the
-          http://localhost./WebGoat/attack        or
+      end of localhost.  i.e. 
-          http://localhost.8080/WebGoat/attack    if using a non standard port
+          http://localhost./WebGoat/attack        or
-
+          http://localhost.8080/WebGoat/attack    if using a non standard port
-
+
-Linux
+
-
+Linux
-1. Download and install Java JDK 1.5 from Sun (http://java.sun.com)
+
-2. Unzip the Unix_WebGoat-x.x_Release.zip to your working directory
+1. Download and install Java JDK 1.5 from Sun (http://java.sun.com)
-3. Set JAVA_HOME to point to your JDK1.5 installation
+2. Unzip the Unix_WebGoat-x.x_Release.zip to your working directory
-4. chmod +x webgoat.sh 
+3. Set JAVA_HOME to point to your JDK1.5 installation
-5. Since the latest version runs on a privileged port, you will need to start/stop WebGoat as root.
+4. chmod +x webgoat.sh 
-	sudo sh webgoat.sh start
+5. Since the latest version runs on a privileged port, you will need to start/stop WebGoat as root.
-	sudo sh webgoat.sh stop
+	sudo sh webgoat.sh start
-6. start your browser and browse to... (Notice the capital 'W' and 'G')
+	sudo sh webgoat.sh stop
-	http://localhost/WebGoat/attack
+6. start your browser and browse to... (Notice the capital 'W' and 'G')
-7. login in as: user = guest, password = guest
+	http://localhost/WebGoat/attack
-
+7. login in as: user = guest, password = guest
-
+
-OS X (Tiger 10.4+)
+
-
+OS X (Tiger 10.4+)
-1. Unzip the Unix_WebGoat-x.x_Release.zip to your working directory
+
-2. chmod +x webgoat.sh
+1. Unzip the Unix_WebGoat-x.x_Release.zip to your working directory
-3. Since the latest version runs on a privileged port, you will need to start/stop WebGoat as root.
+2. chmod +x webgoat.sh
-	sudo sh webgoat.sh start
+3. Since the latest version runs on a privileged port, you will need to start/stop WebGoat as root.
-	sudo sh webgoat.sh stop
+	sudo sh webgoat.sh start
-4. start your browser and browse to... (Notice the capital 'W' and 'G')
+	sudo sh webgoat.sh stop
-	http://localhost/WebGoat/attack
+4. start your browser and browse to... (Notice the capital 'W' and 'G')
-5. login in as: user = guest, password = guest
+	http://localhost/WebGoat/attack
-
+5. login in as: user = guest, password = guest
-
+
-DEVELOPER INSTALLATION
+
-
+DEVELOPER INSTALLATION
-1. Download WebGoat-x.x_developer.zip source distribution
+
-2. Unzip the WebGoat-x.x_developer.zip to your working directory
+1. Download WebGoat-x.x_developer.zip source distribution
-3. Follow the directions in HOW TO create the WebGoat workspace.txt
+2. Unzip the WebGoat-x.x_developer.zip to your working directory
-
+3. Follow the directions in HOW TO create the WebGoat workspace.txt
-
+
-HOW WEBGOAT WORKS
+
-
+HOW WEBGOAT WORKS
-TROUBLESHOOTING/FAQs:
+
-Q. I put the OWASP downloaded war file in my tomcat/webapps directory and the 
+TROUBLESHOOTING/FAQs:
-   http://localhost/WebGoat/attack url doesn't work.
+Q. I put the OWASP downloaded war file in my tomcat/webapps directory and the 
-A. Rename the downloaded war file to WebGoat.war.  Delete the existing tomcat/webapps/*WebGoat* directories.
+   http://localhost/WebGoat/attack url doesn't work.
-
+A. Rename the downloaded war file to WebGoat.war.  Delete the existing tomcat/webapps/*WebGoat* directories.
-Q. I dropped the WebGoat war file into my non-Tomcat application server and WebGoat doesn't seem to work.
+
-A. WebGoat uses some of the internal Tomcat classes for user management.  Unfortunately, this makes 
+
-   WebGoat dependent on Tomcat.  Hopefully, this will be addressed in a future release.
+Q. I dropped the WebGoat war file into my non-Tomcat application server and WebGoat doesn't seem to work.
-
+A. WebGoat uses some of the internal Tomcat classes for user management.  Unfortunately, this makes 
-Q. Having problems with the ant file working properly. How do I configure my ant environment 
+   WebGoat dependent on Tomcat.  Hopefully, this will be addressed in a future release.
-   so that I don't receive errors such as:
+
-	- "Specified VM install not found: type Standard VM, name j2sdk1.4.2.06"
+
-A. This usually indicates an Eclipse environment setting misconfiguration. Here are some possible solutions:
+Q. Having problems with the ant file working properly. How do I configure my ant environment 
-	i. Ant Runtime Configuration
+   so that I don't receive errors such as:
-		- Window > Preferences
+	- "Specified VM install not found: type Standard VM, name j2sdk1.4.2.06"
-		- Ant > Runtime
+A. This usually indicates an Eclipse environment setting misconfiguration. Here are some possible solutions:
-		- Under Classpath Tab check the "Global Entries"
+	i. Ant Runtime Configuration
-		- Remove any jre "tools.jar" references
+		- Window > Preferences
-		- Add the "\tomcat\servers\lib\catalina-ant.jar" file.
+		- Ant > Runtime
-		- Click Apply, Click OK.
+		- Under Classpath Tab check the "Global Entries"
-		- Return to the Ant View and refresh.
+		- Remove any jre "tools.jar" references
-
+		- Add the "\tomcat\servers\lib\catalina-ant.jar" file.
-Q. When I start up WebGoat it dies very quickly.
+		- Click Apply, Click OK.
-A. WebGoat is a Java application that runs on Tomcat using port 80.  If you have another 
+		- Return to the Ant View and refresh.
-   application listening on port 80 (like IIS), you will need to change WebGoat's port 
+
-   (to 8080 or something) in the tomcat_root/conf/server.xml file.
+
-
+Q. When I start up WebGoat it dies very quickly.
-Q. When I deploy the war file to the Tomcat wepapps directory, I can't login to WebGoat
+A. WebGoat is a Java application that runs on Tomcat using port 80.  If you have another 
-A. You need to add the webgoat users and roles to tomcat/conf/tomcat-users.xml
+   application listening on port 80 (like IIS), you will need to change WebGoat's port 
-
+   (to 8080 or something) in the tomcat_root/conf/server.xml file.
-    <?xml version="1.0" encoding="UTF-8"?>
+
-    <tomcat-users>
+
-      <role rolename="webgoat_basic"/>
+Q. When I deploy the war file to the Tomcat wepapps directory, I can't login to WebGoat
-      <role rolename="webgoat_admin"/>
+A. You need to add the webgoat users and roles to tomcat/conf/tomcat-users.xml
-      <role rolename="webgoat_user"/>
+
-      <role rolename="tomcat"/>
+    <?xml version="1.0" encoding="UTF-8"?>
-      <user password="webgoat" roles="webgoat_admin" username="webgoat"/>
+    <tomcat-users>
-      <user password="basic" roles="webgoat_user,webgoat_basic" username="basic"/>
+      <role rolename="webgoat_basic"/>
-      <user password="tomcat" roles="tomcat" username="tomcat"/>
+      <role rolename="webgoat_admin"/>
-      <user password="guest" roles="webgoat_user" username="guest"/>
+      <role rolename="webgoat_user"/>
-    </tomcat-users>
+      <role rolename="tomcat"/>
-
+      <user password="webgoat" roles="webgoat_admin" username="webgoat"/>
-
+      <user password="basic" roles="webgoat_user,webgoat_basic" username="basic"/>
+      <user password="tomcat" roles="tomcat" username="tomcat"/>
+      <user password="guest" roles="webgoat_user" username="guest"/>
+    </tomcat-users>
+
+
+Q. How do I get configure WebGoat to run on an IP other then localhost?
+A. In the webgoat.bat file, in the root directory, the following lines
+   are executed: 
+
+      delete .\tomcat\conf\server.xml 
+      copy .\tomcat\conf\server_80.xml .\tomcat\conf\server.xml 
+
+   This will overwrite any changes you may have made to server.xml 
+   file that addressed this issue.... 
+
+   By changing the server_80.xml file (or by removing the above code
+   from webgoat.bat, after making your changes) you can reflect your
+   changes to the Tomcat configuration. You will need to change the IP
+   address in the server_80.xml file to be the IP of the host machine.
+
+   The following connectors should be modified
+      <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 --> 
+      <Connector address="10.20.20.123" port="80" 
+      ... 
+      <!-- Define a SSL HTTP/1.1 Connector on port 8443 --> 
+      <Connector address="10.20.20.123" port="443" 
+      .... 
+
+   where the 127.0.0.1 will be replaced by your IP. In this case
+   10.20.20.123
+
+
+Q. How do I solve lesson X?
+A. Subscribe to the WebGoat mailing list at owasp-webgoat@lists.owasp.org.
+   Post your question to owasp-webgoat@lists.owasp.org
+
+	
+
 Please send questions, comments, suggestions, bugs, etc to webgoat@g2-inc.com