WebGoat

This web application is designed to demonstrate web application security flaws for the purpose of educating developers and security professionals about web application security problems. Please contact Bruce Mayhew (webgoat@g2-inc.com) if you have any questions.

email WebGoat@g2-inc.com
The EMAIL address of the administrator to whom questions and comments about this application should be addressed.

AxisServlet Apache-Axis Servlet org.apache.axis.transport.http.AxisServlet

AdminServlet Axis Admin Servlet org.apache.axis.transport.http.AdminServlet 100

SOAPMonitorService SOAPMonitorService org.apache.axis.monitor.SOAPMonitorService
SOAPMonitorPort 5001
100

WebGoat
This servlet plays the "controller" role in the MVC architecture used in this application. The initialization parameter names for this servlet are the "servlet path" that will be received by this servlet (after the filename extension is removed). The corresponding value is the name of the action class that will be used to process this request.
org.owasp.webgoat.HammerHead
debug false
CookieDebug true
DefuseOSCommands false
Enterprise true
FeedbackAddress <A HREF=mailto:WebGoat@g2-inc.com>WebGoat@g2-inc.com</A>
DatabaseDriver org.enhydra.instantdb.jdbc.idbDriver
DatabaseConnectionString jdbc:idb:PATH/database.prp
5

LessonSource
This servlet returns the Java source of the current lesson.
org.owasp.webgoat.LessonSource

Catcher
This servlet catches any posts and marks the appropriate lesson property.
org.owasp.webgoat.Catcher

conf /lessons/ConfManagement/config.jsp

AxisServlet /servlet/AxisServlet
AxisServlet *.jws
AxisServlet /services/*
SOAPMonitorService /SOAPMonitor
WebGoat /attack
LessonSource /source
Catcher /catcher
conf /conf

2880

wmv video/x-ms-wmv

Link to the UserDatabase instance from which we request lists of defined role names. Typically, this will be connected to the global user database with a ResourceLink element in server.xml or the context configuration file for the Manager web application.
users org.apache.catalina.UserDatabase

WebGoat Application /*
webgoat_user
webgoat_admin
webgoat_challenge

WebGoat Application Source /JavaSource/*
server_admin

BASIC WebGoat Application

The role that is required to administrate WebGoat
webgoat_admin

The role that is required to start the challenge log viewer
webgoat_challenge

The role that is required to use WebGoat
webgoat_user

This role is for admins only
server_admin