Name Modified Size Downloads / Week
Unix_WebGoat-3.7.war 2005-08-05 4.7 MB
Unix_WebGoat-3.7_Release.zip 2005-08-05 10.7 MB
Windows_WebGoat-3.7_developer.zip 2005-08-05 41.6 MB
Unix_WebGoat-3.7_developer.zip 2005-08-05 43.7 MB
Windows_WebGoat-3.7_Release.zip 2005-08-05 42.1 MB
Windows_WebGoat-3.7.war 2005-08-05 4.7 MB
WebGoat_readme.txt 2005-08-05 6.0 kB
Totals: 7 Items   147.5 MB 0
WebGoat 3.7
08.04.2005

Thank you for downloading WebGoat!

This program is a demonstration of common server-side
application flaws.  The exercises are intended to
be used by people to learn about application penetration
testing techniques.


WARNING 1: While running this program your machine will be
extremely vulnerable to attack. Disconnect from the Internet
while using this program.

WARNING 2: This program is for educational purposes only. If you
attempt these techniques without authorization, you are very
likely to get caught.  If you are caught engaging in unauthorized
hacking, most companies will fire you. Claiming that you were
doing security research will not work as that is the first thing
that all hackers claim.

You can find more information about WebGoat at
http://www.owasp.org

CREDITS (Latest release)

	Laurence Casey (http://www.aspectsecurity.com)
	Bruce Mayhew (http://www.aspectsecurity.com)
	Jeremy Ferragamo (http://www.aspectsecurity.com)
	Alex Smolen (http://www.parasoft.com)
	Rogan Dawes (http://dawes.za.net/rogan)
	Chuck Willis (http://www.securityfoundry.com)

	The many people who have sent comments and suggestions...
        
WHAT'S NEW

	* Runs on Linux and OSX 10.4
	* WebGoat is now current in CVS. (http://cvs.sourceforge.net/viewcvs.py/owasp/webgoat/)
	* Improved ant build process and added Unix support 
	* Infrastructure changes to support multi-stage lessons
	* Eclipse development release 
	* Minor screen improvements

	* Web services lessons
	* Blind SQL lesson
	* Weak session identifier lesson
	* Split SQL lesson into numeric and string SQL lessons
	* Added parameterized query stage to SQL lessons
	* Additional stage for basic authentication lesson
	* Summary report card for multi-user environment

INSTALLATION

Windows

1. Unzip the Windows_WebGoat-x.x.zip to your working environment
2. To start Tomcat, browse to the WebGoat directory unzipped above and double click "webgoat.bat"
3. Start your browser and browse to... (Notice the capital 'W' and 'G')
	http://localhost/WebGoat/attack
4. Log in as: user = guest, password = guest
5. To stop WebGoat, simply close the window you launched it from.


Linux

1. Download and install Java JDK 1.5 from Sun (http://java.sun.com)
2. Unzip the Unix_WebGoat-x.x.zip to your working directory
3. Edit the following line in webgoat.sh to set JAVA_HOME to your JDK 1.5 path.
	JAVA_HOME="SET ME TO YOUR JAVA 1.5 JDK PATH"
4. Since the latest version runs on a privileged port, you will need to start/stop WebGoat as root.
	sudo sh webgoat.sh start
	sudo sh webgoat.sh stop
5. Start your browser and browse to... (Notice the capital 'W' and 'G')
	http://localhost/WebGoat/attack
6. Log in as: user = guest, password = guest


OS X (Tiger 10.4+)

1. Unzip the Unix_WebGoat-x.x.zip to your working directory
2. Since the latest version runs on a privileged port, you will need to start/stop WebGoat as root.
	sudo sh webgoat.sh start
	sudo sh webgoat.sh stop
3. Start your browser and browse to... (Notice the capital 'W' and 'G')
	http://localhost/WebGoat/attack
4. Log in as: user = guest, password = guest


DEVELOPER INSTALLATION

1. Download WebGoat-x.x_developer.zip source distribution
2. Install Tomcat 5 and JDK 1.5
3. Install Eclipse from http://www.eclipse.org
4. Start Eclipse; import existing project, specify webgoat root as the project location
5. Add tomcat/server/lib/catalina-ant.jar to your ant runtime global entries
	- Eclipse Menu: window -> preferences -> ant -> runtime
	- Select "Global Entries", choose "add external jars.." button
6. Modify build.xml
	- modify catalina.home property in build.xml to specify tomcat installation directory
	- modify manager.* properties to match admin username and password of Tomcat installation
	- Add the following users to tomcat-users.xml in tomcat/conf directory
	<user username="webgoat" password="webgoat" roles="webgoat_admin"/>
	<user username="basic" password="basic" roles="webgoat_user,webgoat_basic"/>
	<user username="guest" password="guest" roles="webgoat_user"/>
	<user username="admin" password="admin" roles="admin,manager"/>
7. Show the ant view from Eclipse
8. Type 'ant dist' to create a new WebGoat .war file in the dist directory
9. Type 'ant tomcat_install' to install the current build directory in tomcat. This
      does not install the application permanently -- you have to put the
      .war file in the webapps directory for that.
10. Type 'ant tomcat_reload' to reinstall the current build directory in tomcat
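
The tomcat-users.xml entries in the developer installation steps above give every account a password equal to its username, and one of them holds the admin and manager roles. The following check is an added example, not part of the WebGoat distribution; it flags such entries so the lab file is not carried over to a Tomcat that serves anything else. The sample XML is constructed, and the "deployer" account and the audit_tomcat_users function name are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the four lab accounts from the README, plus one
# hypothetical account ("deployer") with a non-trivial password.
SAMPLE_TOMCAT_USERS = """<tomcat-users>
  <user username="webgoat" password="webgoat" roles="webgoat_admin"/>
  <user username="basic" password="basic" roles="webgoat_user,webgoat_basic"/>
  <user username="guest" password="guest" roles="webgoat_user"/>
  <user username="admin" password="admin" roles="admin,manager"/>
  <user username="deployer" password="constructed-Long-Passphrase-91" roles="manager"/>
</tomcat-users>
"""

# Roles that grant control of the Tomcat container itself, as named in the README.
CONTAINER_ROLES = {"admin", "manager"}


def audit_tomcat_users(xml_text):
    """Return (username, severity, reason) for each account with a guessable password."""
    findings = []
    root = ET.fromstring(xml_text)
    for user in root.iter("user"):
        # Older tomcat-users.xml files use 'name' instead of 'username'.
        name = user.get("username") or user.get("name") or ""
        password = user.get("password") or ""
        roles = {r.strip() for r in (user.get("roles") or "").split(",") if r.strip()}
        # Guessable here means: empty, or identical to the username.
        if password and password.lower() != name.lower():
            continue
        container = sorted(roles & CONTAINER_ROLES)
        if container:
            reason = "guessable password with container role(s): " + ", ".join(container)
            findings.append((name, "HIGH", reason))
        else:
            findings.append((name, "MEDIUM", "password is empty or equals the username"))
    return findings


if __name__ == "__main__":
    for name, severity, reason in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"[{severity}] {name}: {reason}")
```
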

HOW WEBGOAT WORKS

TROUBLESHOOTING/FAQs:
Q. I put the OWASP downloaded war file in my tomcat/webapps directory and the 
   http://localhost/WebGoat/attack url doesn't work.
A. Rename the downloaded war file to WebGoat.war.  Delete the existing tomcat/webapps/*WebGoat* directories.

Q. I dropped the WebGoat war file into my non-Tomcat application server and WebGoat doesn't seem to work.
A. WebGoat uses some of the internal Tomcat classes for user management.  Unfortunately, this makes 
   WebGoat dependent on Tomcat.  Hopefully, this will be addressed in a future release.

Q. I am having problems getting the ant file to work properly. How do I configure my ant environment
   so that I don't receive errors such as:
	- "Specified VM install not found: type Standard VM, name j2sdk1.4.2.06"
A. This usually indicates an Eclipse environment setting misconfiguration. Here are some possible solutions:
	i. Ant Runtime Configuration
		- Window > Preferences
		- Ant > Runtime
		- Under Classpath Tab check the "Global Entries"
		- Remove any jre "tools.jar" references
		- Add the "\tomcat\server\lib\catalina-ant.jar" file.
		- Click Apply, Click OK.
		- Return to the Ant View and refresh.

For more current FAQs, please visit http://www.owasp.org/software/webgoat/faq.html

Please send questions, comments, suggestions, bugs, etc to webgoat@owasp.org
Source: WebGoat_readme.txt, updated 2005-08-05