How To Configure Tomcat



Introduction

WebGoat comes with a default configuration for Tomcat. This page explains that configuration and the other Tomcat settings you are most likely to need. It is a short description that should be enough in most cases; for more advanced tasks refer to the Tomcat documentation. Note that all lesson solutions are written for the standard configuration on port 80 or 8080. If you use another port you have to adjust the solutions to your configuration.

The Standard Configurations

WebGoat can be run in several ways; the WebGoat Wiki is the best place to find the latest configuration instructions. By default WebGoat listens on port 8080 and, in the basic configuration, only on localhost. On Linux you have to start WebGoat as root or with sudo if you want to run it on port 80 or 443, because those ports are privileged. Running software as root is dangerous, and WebGoat is deliberately vulnerable, so we strongly advise using ports 8080 and 8443 instead.

Server Configurations

If you are the only user of WebGoat the standard configuration should be enough, but if you want to use WebGoat in a laboratory or a class you may need to change it. Before changing any configuration, back up the files you change.

Change Ports

To change the ports, open Tomcat's server.xml, which you find in tomcat/conf, and change the port attribute of the non-SSL Connector. For example, to run Tomcat on port 8079:

<!-- Define a non-SSL HTTP/1.1 Connector on port 8079 --> 
<Connector address="127.0.0.1" port="8079"...

You can also change the SSL connector to another port, of course. In this example to port 8442:

<!-- Define a SSL HTTP/1.1 Connector on port 8442 --> 
<Connector address="127.0.0.1" port="8442"... 

In both snippets the address="127.0.0.1" attribute is what restricts the connector to localhost; leave it in place unless you intend to expose the server (see the next section). You can also change the port in WebGoat's pom.xml by editing the configuration of the tomcat7-maven-plugin. When WebGoat is started through Maven, the embedded Tomcat uses the plugin's settings, not tomcat/conf/server.xml.


Make WebGoat Reachable From Another Client

THIS MAKES IT POSSIBLE TO REALLY ATTACK YOUR SERVER! DO NOT DO THIS UNLESS YOU KNOW WHAT YOU ARE DOING. THIS CONFIGURATION SHOULD ONLY BE USED IN SAFE NETWORKS!

In its default configuration WebGoat is reachable only from localhost, because the Connectors in server.xml carry address="127.0.0.1" (as in the snippets above). In a laboratory or a class you may need one server and several clients. To make WebGoat reachable from other machines, remove the address attribute from the Connector (it then binds to all interfaces) or set it to the IP address of the interface the clients use, and restart Tomcat. Combine this with the remote address filter described in the next section and keep the host on an isolated network: anyone who can reach WebGoat can compromise the machine it runs on.
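The following script is an added example, not part of the WebGoat project or its wiki, that shows what the address attribute decides. It parses a constructed server.xml excerpt (the sample connectors, ports and the AJP entry are assumptions, not WebGoat's shipped file) and reports which Connectors are reachable from other hosts, i.e. those with no address attribute or an address other than loopback. Run it against your own tomcat/conf/server.xml before and after the change in this section and in "Change Ports" to confirm that only the connectors you intended are exposed.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml excerpt (not WebGoat's shipped file): one HTTP
# connector bound to localhost, one AJP connector with no address attribute,
# and one SSL connector bound to localhost.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector address="127.0.0.1" port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector address="127.0.0.1" port="8443" protocol="HTTP/1.1"
               SSLEnabled="true" scheme="https" secure="true"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

# Addresses that only the local machine can reach.
LOOPBACK = {"127.0.0.1", "localhost", "::1", "0:0:0:0:0:0:0:1"}


def audit_connectors(server_xml):
    """Return one dict per <Connector>: port, bind address, protocol, SSL flag
    and whether other hosts can reach it.

    Tomcat binds a Connector to every interface unless the 'address'
    attribute names a specific one, so a missing address means exposed.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        address = conn.get("address")  # None -> all interfaces
        findings.append({
            "port": int(conn.get("port")),
            "address": address or "0.0.0.0 (all interfaces)",
            "protocol": conn.get("protocol", "HTTP/1.1"),
            "ssl": conn.get("SSLEnabled", "false").lower() == "true",
            "exposed": address is None or address not in LOOPBACK,
        })
    return findings


def exposed_ports(server_xml):
    """Sorted list of connector ports reachable from other hosts."""
    return sorted(f["port"] for f in audit_connectors(server_xml) if f["exposed"])


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        status = "EXPOSED" if f["exposed"] else "localhost only"
        print(f"port {f['port']:>5} {f['protocol']:<9} "
              f"address={f['address']:<26} {status}")
```

To audit a real installation, replace SAMPLE_SERVER_XML with the contents of tomcat/conf/server.xml. A connector listed as EXPOSED that you did not mean to open is the one to give an address attribute again.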

Permit Only Certain Client Connection

If you have made WebGoat reachable, it is reachable by all clients. To restrict it to certain clients, identified by their IP addresses, use Tomcat's Remote Address Filter (RemoteAddrValve). The filter supports an allow list and a deny list; only the allow-list approach is discussed here. Add the following lines to the Host section of server.xml in your Tomcat configuration:

	<Valve className="org.apache.catalina.valves.RemoteAddrValve"
	       allow="127\.0\.0\.1|::1|0:0:0:0:0:0:0:1|ip1|ip2"/>

In this case only localhost (both the IPv4 and the IPv6 loopback address) and the clients ip1 and ip2 may connect; replace ip1 and ip2 with the clients' addresses, escaping the dots. In Tomcat 7 and later the allow attribute is a single java.util.regex expression that must match the whole client address, so a comma-separated value such as 127.0.0.1,ip1,ip2 matches nothing and locks everyone out (Tomcat 6 accepted a comma-separated list of patterns). The valve compares the address of the TCP peer, so all clients behind the same NAT or reverse proxy look alike to it.
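The script below is an added example, not code from WebGoat or Tomcat. It emulates the documented decision rule of RemoteAddrValve in Tomcat 7 and later (one regular expression per attribute, full-address match, deny checked before allow) in Python and runs it over a few constructed client addresses, so you can see why the comma-separated form rejects every client while the alternation form admits exactly the intended ones. The client addresses and the 192.168.1.x examples are assumptions for the demonstration.

```python
import re


def is_allowed(remote_addr, allow=None, deny=None):
    """Emulate the verdict of Tomcat's RemoteAddrValve (Tomcat 7 and later).

    'allow' and 'deny' are each ONE regular expression compared against the
    whole client address (Java matches(), hence re.fullmatch here). Order:
    a matching deny rejects; a matching allow accepts; with only a deny
    configured, a non-matching address is accepted; anything else is rejected.
    """
    if deny is not None and re.fullmatch(deny, remote_addr):
        return False
    if allow is not None and re.fullmatch(allow, remote_addr):
        return True
    return allow is None and deny is not None


# Constructed client addresses, not taken from the page. Tomcat reports the
# IPv6 loopback as 0:0:0:0:0:0:0:1 when a browser reaches "localhost" over
# IPv6, which a rule allowing only 127.0.0.1 would reject.
CLIENTS = ["127.0.0.1", "0:0:0:0:0:0:0:1", "192.168.1.10", "192.168.1.11"]

# Addresses written as if 'allow' were a comma-separated list: as a single
# regex this only matches the literal text "127.0.0.1,192.168.1.10", so every
# real client, including localhost, is locked out.
BROKEN_ALLOW = "127.0.0.1,192.168.1.10"

# Correct form: alternation, escaped dots, both loopback spellings.
GOOD_ALLOW = r"127\.0\.0\.1|::1|0:0:0:0:0:0:0:1|192\.168\.1\.10"


def evaluate(allow, deny=None):
    """Map each sample client to the valve's verdict for the given rule."""
    return {c: is_allowed(c, allow=allow, deny=deny) for c in CLIENTS}


if __name__ == "__main__":
    for name, rule in (("broken", BROKEN_ALLOW), ("good", GOOD_ALLOW)):
        print(f"{name:>6}: {evaluate(rule)}")
```

Paste your own allow value into GOOD_ALLOW and your clients' addresses into CLIENTS to check a rule before restarting Tomcat; a rule that returns False for 127.0.0.1 will also lock you out of the server's own console.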