Apr 27, 2012

How to install WebGoat 5.2 on Fedora/CentOS?

Hello everyone. How are you today?

Are you okay? I hope so.

Are you happy? I hope so.

Today, with some free time on hand, here is a note on installing WebGoat on a Linux system.

What is WebGoat?

Okay, this is a brief answer:
WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application.

For a novice in the hacking world it is a good starting point: you can learn and practise the basic skills against an application that is meant to be broken. So, let's get started!



First, download the latest version of WebGoat from the project website: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

In this case I got a compressed archive named "WebGoat-OWASP_Standard-5.3_RC1.7z". WebGoat comes bundled with a Tomcat server, which needs a Java runtime to work, so you have to point the Java environment variables (JAVA_HOME) at a JDK before it will start.

Second, extract the 7zip archive and fix the startup script. WebGoat 5.3 ships with a startup script whose Java check tests for the wrong version: it insists on Java 1.5.x, while the release is actually bundled with (and runs on) 1.6.x.

Take a look at the top part of the webgoat.sh script after my changes:
#! /bin/sh

# Added: point JAVA_HOME at the JDK that is actually installed
JAVA_HOME="/home/cuongpt/jdk1.6.0_31"
export JAVA_HOME

SYSTEM=`uname -s`
CATALINA_HOME=./tomcat
PATH=${PATH}:./tomcat/bin
export CATALINA_HOME PATH

chmod +x "$CATALINA_HOME"/bin/*.sh
if [ "$SYSTEM" = "Darwin" ]; then
    JAVA_HOME=/System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home
    export JAVA_HOME

else

    # The bundled check insists on a 1.5 JVM although WebGoat 5.3 ships with 1.6.
    # The echo and exit lines are commented out so the check no longer aborts startup.
    is_java_1dot5() {
        if [ "X$JAVA_HOME" != "X" -a -d "$JAVA_HOME" ]; then
            "$JAVA_HOME/bin/java" -version 2>&1 | grep 'version \"1.5' >/dev/null
            if [ $? -ne 0 ]; then
                echo "Nothing to see"
                #echo "The JVM in \$JAVA_HOME isn't version 1.5."
                #exit 1
            fi
        else
            echo "Nothing to see"
            #echo "Please set JAVA_HOME to a Java 1.5 JDK install"
            #exit 1
        fi
    }

    is_java_1dot5

....

....

Two things were changed above. At the top of the script, JAVA_HOME is set to the directory of the JDK installation. Inside is_java_1dot5, the version check is disabled by commenting out the two echo lines (which would print the misleading "needs 1.5" message) and the two exit 1 lines (which would abort startup), so the script carries on regardless of what the check finds. A cleaner fix is to change the version the script greps for to the one actually bundled; either way, run $JAVA_HOME/bin/java -version yourself once to confirm the JDK you pointed at really is the 1.6 that WebGoat expects.

Third, configure the accounts used to log in to the Tomcat server and the WebGoat application. By default you can log in with guest/guest, but you should change that so nobody else can get into the server. Edit tomcat-users.xml at WebGoat-5.2/tomcat/conf/tomcat-users.xml. Keep in mind that the passwords in this file are stored in clear text, and that WebGoat is deliberately vulnerable, so the instance should only ever be reachable from localhost or a lab network you control. For example, here is my configuration (passwords masked):
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="webgoat_basic"/>
  <role rolename="manager"/>
  <role rolename="standard"/>
  <role rolename="tomcat"/>
  <role rolename="admin"/>
  <role rolename="server_admin"/>
  <role rolename="role1"/>
  <role rolename="webgoat_admin"/>
  <role rolename="webgoat_user"/>
  <user username="both" password="xxxxxxx" fullName=""/>
  <user username="tomcat" password="xxxxxxxxx" roles="tomcat"/>
  <user username="basic" password="xxxxxxxxx" roles="webgoat_user,webgoat_basic"/>
  <user username="webgoat" password="xxxxxxxxxx" roles="webgoat_admin"/>
  <user username="admin" password="xxxxxxxxxxx" roles="admin,manager"/>
  <user username="guest" password="xxxxxxxxxx" roles="webgoat_user"/>
  <user username="server_admin" password="xxxxxxxxxxxxx" roles="server_admin"/>
  <user username="role1" password="xxxxxxxxxxxxx" roles="role1"/>
</tomcat-users>

Finally, run the webgoat.sh script to start the Tomcat server and the WebGoat application, then open a browser at this address:
http://127.0.0.1:8080/WebGoat/attack
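As an added example (this is not the bundled webgoat.sh and not code from the original post), the script below turns the three manual steps above into checks a launcher can run before starting Tomcat: a JVM version check that parses the `java -version` banner instead of insisting on the literal 1.5 string, a check that tomcat-users.xml no longer contains an account whose password equals its username (guest/guest, tomcat/tomcat), and a start function that refuses to run until both pass. It assumes the layout of the extracted archive (tomcat/conf/tomcat-users.xml and the stock Tomcat tomcat/bin/catalina.sh); the WebGoat and JDK directories passed to the functions are placeholders.

```shell
#!/bin/sh
# Added example, not part of the WebGoat distribution. Paths given to these
# functions (WebGoat directory, JDK directory) are assumptions for illustration.

# Print "major.minor" (e.g. 1.6) from the first line of `java -version`,
# e.g.  java version "1.6.0_31"  or  openjdk version "11.0.2" 2019-01-15 .
# Works on a string so it can be exercised without a JDK installed.
java_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/^[a-z]* version "\([0-9]*\)\(\.[0-9]*\)\{0,1\}.*/\1\2/p'
}

# Exit 0 when the JVM under $1 reports version $2 (e.g. 1.6), 1 when it reports
# something else, 2 when $1 is not a JDK directory. Paths are quoted, so a
# JAVA_HOME containing spaces does not break the test as it does in the bundled check.
jvm_matches() {
    jvm_home=$1
    want=$2
    [ -n "$jvm_home" ] && [ -x "$jvm_home/bin/java" ] || return 2
    banner=$("$jvm_home/bin/java" -version 2>&1 | head -n 1)
    [ "$(java_version_from_banner "$banner")" = "$want" ]
}

# Exit 0 when no <user> in tomcat-users.xml ($1) has a password equal to its
# username (guest/guest, tomcat/tomcat, ...); otherwise list the offenders on
# stderr and exit 1. The bundled file keeps one <user .../> element per line,
# so splitting each line on the double quote yields attribute/value pairs.
no_default_credentials() {
    awk -F'"' '
        /<user / {
            u = ""; p = ""
            for (i = 1; i < NF; i++) {
                if ($i ~ /username=$/) u = $(i + 1)
                if ($i ~ /password=$/) p = $(i + 1)
            }
            if (u != "" && u == p) {
                print "default credential still present: " u "/" p
                bad = 1
            }
        }
        END { exit bad }
    ' "$1" >&2
}

# Run both checks, then start the bundled Tomcat in the foreground.
# $1: extracted WebGoat directory, $2: JDK directory, $3: required version
# (defaults to the 1.6 that WebGoat 5.3 is bundled with).
start_webgoat() {
    webgoat_dir=$1
    jdk_home=$2
    want=${3:-1.6}
    jvm_matches "$jdk_home" "$want" ||
        { echo "JDK $want required in $jdk_home" >&2; return 1; }
    no_default_credentials "$webgoat_dir/tomcat/conf/tomcat-users.xml" || return 1
    JAVA_HOME=$jdk_home CATALINA_HOME=$webgoat_dir/tomcat \
        "$webgoat_dir/tomcat/bin/catalina.sh" run
}
```

Source the file and call, for example, `start_webgoat ~/WebGoat-5.3 ~/jdk1.6.0_31` (both paths are placeholders for wherever you extracted the archive and installed the JDK). The version check deliberately compares only major.minor, which is what the bundled script was trying to do, while the credential check is the cheap way to make sure the guest/guest edit in step three was not forgotten before the deliberately vulnerable application is started.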

Enter your username and password.

You will see this screen; press Start WebGoat to get in :)

WebGoat startup page
