WebGoat: Difference between revisions
Line 32: | Line 32: | ||
<pre> | <pre> | ||
# wget http://webgoat.googlecode.com/files/WebGoat-OWASP_Standard-5.3_RC1.7z | # wget http://webgoat.googlecode.com/files/WebGoat-OWASP_Standard-5.3_RC1.7z | ||
# /usr/bin/p7zip WebGoat-OWASP_Standard-5.3.7z | # /usr/bin/p7zip -d WebGoat-OWASP_Standard-5.3.7z | ||
# mv WebGoat-5.2/ /usr/local | # mv WebGoat-5.2/ /usr/local | ||
# cd /usr/local/WebGoat-5. | # cd /usr/local/WebGoat-5.3_RC1/ | ||
</pre> | </pre> | ||
---- | ---- |
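Review bot: the four commands in the new version still disagree on file names: wget fetches WebGoat-OWASP_Standard-5.3_RC1.7z, but the next line runs p7zip -d on WebGoat-OWASP_Standard-5.3.7z, and the mv line still moves WebGoat-5.2/ while the corrected cd line now expects /usr/local/WebGoat-5.3_RC1/. Copied as written, the second and third commands fail on a missing file and the cd target is never created. Suggest using the downloaded name consistently, `/usr/bin/p7zip -d WebGoat-OWASP_Standard-5.3_RC1.7z`, and making the mv source match the directory the cd line uses, `mv WebGoat-5.3_RC1/ /usr/local`.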
Revision as of 11:43, 18 April 2010
Author: Teet Raudsep, AK32
Info status
In progress.
WebGoat introduction
The WebGoat program was created to introduce web application security and to help learn it. The program is built on J2EE and works independently of the platform.
--- "WebGoat is a deliberately insecure J2EE web application designed to teach web application security concepts."
Prerequisites
Installing and running WebGoat requires the following programs:
- 7Zip
- Java (-bin and -jdk)
Installation guide, using VMware 1.0.10 + Ubuntu Server 9.10 as the example
For the installation I follow the materials tried out on the page.
Working at the command line, we start the installation:
1) I install Java (sun-java6-bin, sun-java6-jdk)
# apt-get install sun-java6-bin sun-java6-jdk
2) Download the WebGoat program, unpack it and move it to the /usr/local/ folder.
# wget http://webgoat.googlecode.com/files/WebGoat-OWASP_Standard-5.3_RC1.7z
# /usr/bin/p7zip -d WebGoat-OWASP_Standard-5.3_RC1.7z
# mv WebGoat-5.3_RC1/ /usr/local
# cd /usr/local/WebGoat-5.3_RC1/
The first step was to install java:
- apt-get install sun-java6-bin sun-java6-jdk
Note that tomcat is now included with WebGoat, so there is no need to install it separately. The next step is to download WebGoat:
- wget http://webgoat.googlecode.com/files/WebGoat-OWASP_Standard-5.2.zip
- unzip WebGoat-OWASP_Standard-5.2.zip
- mv WebGoat-5.2/ /usr/local
- cd /usr/local/WebGoat-5.2/
You will need to edit the webgoat.sh file to set JAVA_HOME and change the Java version from 1.5 to 1.6. I use 'vi'; you can use your favorite editor.
- chmod 755 webgoat.sh
- cp webgoat.sh webgoat.sh.orig
- vi webgoat.sh
Add "export JAVA_HOME=/usr/lib/jvm/java-6-sun" at the start of file, after the line with CATALINA_HOME. And then change the "1.5" on lines 17, 19, and 23 to "1.6".
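The webgoat.sh edits above, scripted so they can be repeated and checked: an added example, not code from the original page or from the WebGoat project. It assumes the JAVA_HOME path given above and that the version strings to change appear as a bare 1.5 token; the webgoat.sh fragment inside it is a constructed sample, not the real file.

```shell
#!/bin/sh
# Added example (not from the original page or from WebGoat): make the
# webgoat.sh edits described above from a script instead of by hand in vi,
# so they are repeatable and checkable. Assumes JAVA_HOME is the path the
# page names and that "1.5" appears in the file as a bare version token.

patch_webgoat_sh() {
    file="$1"
    javahome="${2:-/usr/lib/jvm/java-6-sun}"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    # keep a pristine copy, as the page does, but never overwrite an older one
    [ -f "$file.orig" ] || cp "$file" "$file.orig"
    if grep -q '^export JAVA_HOME=' "$file"; then ins=0; else ins=1; fi
    # rewrite 1.5 only as a version token (not 11.5, 1.55 or 2.1.5); the
    # expression runs twice because one pass consumes the character after
    # a match and would miss the second token in "1.5 1.5"
    ver='s/(^|[^0-9.])1\.5([^0-9]|$)/\11.6\2/g'
    tmp="$file.tmp.$$"
    # add the export right after the first CATALINA_HOME line, once only
    awk -v jh="$javahome" -v ins="$ins" '
        { print }
        ins && !added && /CATALINA_HOME/ { print "export JAVA_HOME=" jh; added = 1 }
    ' "$file" | sed -E -e "$ver" -e "$ver" > "$tmp"
    chmod 755 "$tmp"
    mv "$tmp" "$file"
}

# Constructed stand-in for the top of webgoat.sh (sample input, not the real file).
write_sample_webgoat_sh() {
    cat > "$1" <<'EOF'
#!/bin/sh
CATALINA_HOME=$(pwd)/tomcat
export CATALINA_HOME
# tested with java 1.5 1.5.0_22; build id 11.5 is unrelated
if [ "$JAVA_VERSION" != "1.5" ]; then
    echo "WebGoat requires Java 1.5"
fi
EOF
}

demo() {
    dir=$(mktemp -d)
    write_sample_webgoat_sh "$dir/webgoat.sh"
    patch_webgoat_sh "$dir/webgoat.sh"
    patch_webgoat_sh "$dir/webgoat.sh"   # second run must add nothing further
    diff "$dir/webgoat.sh.orig" "$dir/webgoat.sh" || true   # diff exits 1 on changes
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it with the argument `demo` to see the before/after diff on the constructed sample.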
The next step was to install WebScarab, a proxy you will need for the WebGoat lessons. Download and install it as follows:
- cd /tmp
- wget http://dawes.za.net/rogan/webscarab/webscarab-current.zip
- unzip webscarab-current.zip
- mv webscarab-* /usr/local/webscarab
Now, to make it easy to use WebScarab from Firefox, I installed FoxyProxy into Firefox. Visit the FoxyProxy web page, install it and restart Firefox.
When Firefox starts back up, configure FoxyProxy as follows:
- Click on the FoxyProxy icon in the lower right and select Add New Proxy. The FoxyProxy window should appear.
- On the General tab, under Proxy Name enter "WebScarab".
- On the Proxy Details tab, select Manual Proxy Configuration. For Host or IP Address enter "127.0.0.1". For Port enter "8008".
- On the URL Patterns tab select Add New Pattern. For Pattern Name enter "WebGoat". For Pattern URL enter "http://*127.0.0.1/WebGoat/*" (the first "*" here matches the "guest:guest" string used for authentication).
- Click OK, then Close Proxy Settings.
- Under Mode select "Use proxies based on their pre-defined patterns and priorities".
- Close FoxyProxy Options.
Now you probably want to open a couple of terminal windows (or tabs) one for WebScarab and one for WebGoat. In the first window fire up WebScarab:
- java -jar /usr/local/webscarab/webscarab.jar
You should see a WebScarab window open after a moment.
Then, in the other window, fire up WebGoat:
- cd /usr/local/WebGoat-5.2
- ./webgoat.sh start80
WebGoat will churn for a little bit, but then you should eventually see a message like "INFO: Server startup in 3546 ms". At this point you are ready to go by pointing your browser at http://guest:guest@127.0.0.1/WebGoat/attack
At this point you should see not only WebGoat appear in your browser, but WebScarab should also start displaying a bunch of requests. Click on the image at the top of this post for what things should look like.