Wednesday, November 30, 2011

Running WebGoat (OWASP) in an Ubuntu VM

In anticipation of getting a new job in software security, I was informed of the OWASP WebGoat project, and told I should run through some of the exercises.  Naturally, the first thing involved is setting up an environment to work in.  


Of course, I tried to use my work computer (set up as a Java dev environment in Win7 Pro x64) but that quickly became complex. So I decided to create a Virtual Machine to simplify everything and sandbox the whole endeavor.


What follows is a journal of the steps I performed to get WebGoat running in an Ubuntu 11.10 VirtualBox VM.




1. Setup VirtualBox + VM
Download/Install Oracle VirtualBox VM [link]
Download/Extract Ubuntu 11.10 prebuilt VirtualBox VM [link]
Run VirtualBox and import the Ubuntu VM


2. Setup Ubuntu root user
Log in as ubuntu with password [reverse]
Open a Terminal [ctrl+alt+t]
Activate root account  [sudo passwd root]
Create a password [passwd]
Gain root access [su root]
Enter root password [passwd]


3. Setup Java
Download/Install Java7 JRE+JDK+Docs [apt-get install openjdk-7-jre openjdk-7-jdk openjdk-7-doc]
Download/Install Browser plugin to run Java Applets [apt-get install icedtea6-plugin]


4. Setup WebGoat
Download/Install .7z extractor [apt-get install p7zip-full rar arj lha]
Download Webgoat [link]
Right click the WebGoat.7z file, select [Open with Archive Manager]
Select the folder, extract to the Desktop
Close Archive Manager 
(you can delete the .7z file if you want)
Move WebGoat folder [mv WebGoat-5.3_RC1 /usr/local]
Open the folder [cd /usr/local/WebGoat-5.3_RC1]
Change R-W-E settings on file [chmod 775 webgoat.sh]
Backup the file [cp webgoat.sh webgoat.sh.orig]
Open file for editing [vi webgoat.sh]
Add [a; export JAVA_HOME=/usr/lib/jvm/default-java] after the line with CATALINA_HOME
Save and exit vi [escape; :wq]
Type [exit]
Type [exit]
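As an added example (not part of the original post), here is a small shell function that performs the webgoat.sh edit from step 4 non-interactively: it makes the .orig backup, inserts the JAVA_HOME export directly after the line containing CATALINA_HOME, sets the same 775 mode, and refuses to insert the line twice if re-run. It assumes the script layout described above (a line mentioning CATALINA_HOME) and the JAVA_HOME path used in this guide; the sample webgoat.sh content in the usage section is constructed, not the real file.

```shell
#!/bin/sh
# Added example: non-interactive version of the step 4 edit to webgoat.sh.
set -eu

# The line step 4 adds by hand in vi (path assumed from the guide).
JAVA_HOME_LINE='export JAVA_HOME=/usr/lib/jvm/default-java'

# patch_webgoat_sh FILE
#   - backs FILE up to FILE.orig (only once, so the original is never overwritten)
#   - inserts $JAVA_HOME_LINE after the first line that mentions CATALINA_HOME
#   - applies chmod 775 as in the guide
#   - is safe to re-run: does nothing if the export line is already present
patch_webgoat_sh() {
    file="$1"
    [ -f "$file" ] || { echo "not found: $file" >&2; return 1; }
    if grep -qxF "$JAVA_HOME_LINE" "$file"; then
        echo "already patched: $file"
        return 0
    fi
    grep -q 'CATALINA_HOME' "$file" || { echo "no CATALINA_HOME line in $file" >&2; return 1; }
    [ -f "$file.orig" ] || cp "$file" "$file.orig"
    # Copy every line; right after the first CATALINA_HOME hit, emit the export line.
    awk -v ins="$JAVA_HOME_LINE" '
        { print }
        !done && /CATALINA_HOME/ { print ins; done = 1 }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    chmod 775 "$file"
    echo "patched: $file (backup in $file.orig)"
}

# line_after_catalina FILE: print the line that follows the first CATALINA_HOME
# line, so you can confirm the export landed where step 4 says it should.
line_after_catalina() {
    awk '/CATALINA_HOME/ && !found { found = 1; getline; print; exit }' "$1"
}

# Usage, as root, on the real file:
#   patch_webgoat_sh /usr/local/WebGoat-5.3_RC1/webgoat.sh
#   line_after_catalina /usr/local/WebGoat-5.3_RC1/webgoat.sh
```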


5. Setup WebScarab
Download WebScarab [link]
Go to the folder you downloaded it to
Open Terminal [ctrl+alt+t]
Type [su root]
Enter password [passwd]
Install WebScarab [java -jar ./webscarab-installer-20070504-1613.jar]
[Next]
[Next]
[Accept; Next]
[Next]
I added the shortcut to the desktop [Next]
[Done]


6. Setup FoxyProxy for FireFox
Download/Install FoxyProxy [link]
At this point, firefox wanted to 'install missing plugins.' Fine with me.
Tools>[blank]>Options (or ctrl+F2)
Create New Proxy
General Tab: Proxy Name=[WebScarab]
Proxy Details Tab: Host or IP Address=[127.0.0.1]; Port=[8080]
URL Patterns Tab: Add New Pattern: Pattern Name=[WebGoat]; URL Pattern=[http://*127.0.0.1/WebGoat/*]
[OK]
[OK]
Select Mode: [Use proxies based on their pre-defined patterns and Priorities]
[Close]


You should close all your windows/terminals at this point and cleanup any files if they bother you.


7. Starting All the Software
Open a Terminal [ctrl+alt+t]
Run WebScarab [java -jar /home/ubuntu/WebScarab/webscarab.jar] (case sensitive)
You should see WebScarab load up
Leave this Terminal open...


Open a Terminal [ctrl+alt+t]
Open WebGoat folder [cd /usr/local/WebGoat-5.3_RC1/]
Run WebGoat [./webgoat.sh start80]
When you see a line like this [INFO: Server startup in 7807 ms] the server is running
Leave this Terminal open...


DONE


Now you should be ready to access WebGoat via the link:
http://127.0.0.1/WebGoat/attack


login: guest
password: guest


Good luck playing with WebGoat. I do not intend to write any further guides on this subject. I would assume that this guide also applies to a VMware virtual machine; however, I used a prebuilt VirtualBox VM, so some user, package, and folder settings may be different if you are using a vanilla installation.

1 comment:

  1. Excellent resource. A few suggestions:
    1. Step 3 to set up Java: Java7 is not available. (likely to change in near future) Java6 is likely installed already on BackTrack 5 or later system and it works fine.
    2. Step 4 to set up WebGoat: the permission change on webgoat.sh could be “chmod +x webgoat.sh” to make it executable & that's all you need.
    3. Step 4 to set up WebGoat: You should not need to edit webgoat.sh.
    4. Important: Under the “DONE” section, it says to use http://127.0.0.1/WebGoat/attack and log in with username/pass of guest/guest. Note that the URL is incorrect. “WebGoat” should be “webgoat” (note lower case) so you would use http://127.0.0.1/webgoat/attack.
