Difference between revisions of "WebGoat Installation"

From OWASP
(Installing to OS X (Tiger 10.4+))
(16 intermediate revisions by 6 users not shown)
Line 14: Line 14:
 
===Installing Tomcat===
 
===Installing Tomcat===
 
# Install and deploy core Tomcat from http://tomcat.apache.org/download-55.cgi
 
# Install and deploy core Tomcat from http://tomcat.apache.org/download-55.cgi
 +
 +
  NOTE: WebGoat includes a very old version of catalina-4.1.9.jar.
 +
  To run WebGoat on Tomcat 7, you'll need to expand the war file
 +
  and delete this file from WEB-INF/lib
  
 
==Installing to Windows ==
 
==Installing to Windows ==
# Unzip the Windows_WebGoat-x.x.zip to your working environment  
+
# Unzip WebGoat-OWASP_Standard-5.2.zip to your working environment.
 
# To start Tomcat, browse to the WebGoat directory unzipped above and double click "webgoat.bat"
 
# To start Tomcat, browse to the WebGoat directory unzipped above and double click "webgoat.bat"
 
# Start your browser and browse to: <u>http://localhost/WebGoat/attack</u> This link is case-sensitive. Make sure to use a large ‘W’ and ‘G’.
 
# Start your browser and browse to: <u>http://localhost/WebGoat/attack</u> This link is case-sensitive. Make sure to use a large ‘W’ and ‘G’.
  
 
==Installing to Linux ==
 
==Installing to Linux ==
# Download WebGoat-x.x.war.
+
<ol>
# Deploy WebGoat-x.x.war.
+
<li>Unzip WebGoat-OWASP_Standard-x.x.zip to your working directory.</li>
## Go to Tomcat default home page (likely http://localhost:port, where port may be 80, 8080, or 8180).
+
<li>Change "1.5" on lines 17, 19, and 23 of webgoat.sh to "1.6".</li>
## Click on Tomcat Manager.
+
<li>Since the latest version runs on a privileged port, you will need to start/stop WebGoat & Tomcat either:</li>
## Select WebGoat-x.x.war as the application to deploy.
+
<ol type="a">
 +
<li>on port 80 as root:<pre>
 +
sudo sh webgoat.sh start80
 +
sudo sh webgoat.sh stop
 +
</pre></li>
 +
<li>or on port 8080:<pre>
 +
sh webgoat.sh start8080
 +
sh webgoat.sh stop
 +
</pre></li>
 +
</ol>
 +
</li>
 +
</ol>
  
 
==Installing to OS X (Tiger 10.4+) ==
 
==Installing to OS X (Tiger 10.4+) ==
# Unzip the Unix_WebGoat-x.x.zip to your working directory
+
<ol>
# Since the latest version runs on a privileged port, you will need to start/stop WebGoat as root.
+
<li>Unzip WebGoat-OWASP_Standard-x.x.zip to your working directory.</li>
 
+
<li>Change "1.5" on line 10 of webgoat.sh to "1.6".</li>
sudo sh webgoat.sh start80
+
<li>Since the latest version runs on a privileged port, you will need to start/stop WebGoat & Tomcat either:</li>
sudo sh webgoat.sh stop
+
<ol type="a">
 
+
<li>on port 80 as root:<pre>
an alternative would be to start it with "sh webgoat.sh start8080" that will start the tomcat on TCP-PORT 8080
+
sudo sh webgoat.sh start80
 
+
sudo sh webgoat.sh stop
IMPORTANT NOTICE:
+
</pre></li>
If youre running WebGoat v5.2 (which is built with Java v1.6) you have to change the webgoat.sh in line 10 from
+
<li>or on port 8080:<pre>
 
+
sh webgoat.sh start8080
#AVA_HOME=/System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home
+
sh webgoat.sh stop
to
+
</pre></li>
#AVA_HOME=/System/Library/Frameworks/JavaVM.framework/Versions/1.6/Home
+
</ol>
if you dont do so the Tomcat will fail to deploy the WebGoat.war and you will receive a HTTP-404-Error-Code when trying to start the App. (same issue on linux/other *nixes) I tested this with OSX Leopard 10.5.2 and now it works.
+
</li>
 +
</ol>
  
 
==Installing on FreeBSD ==
 
==Installing on FreeBSD ==
# Install Tomcat and Java from the ports collection
+
<ol>
  cd /usr/ports/www/tomcat55
+
<li>Install Tomcat and Java from the ports collection:<pre>
  sudo make install
+
cd /usr/ports/www/tomcat55
# You will be required to manually download the Java JDK to install it.  Instructions are given by the ports system about when and how to do this.  The URL looks like this:
+
sudo make install
http://www.FreeBSDFoundation.org/cgi-bin/download?download=diablo-caffe-freebsd6-i386-1.5.0_07-b01.tar.bz2
+
</pre></li>
# Unzip the Unix_WebGoat-x.x.zip to your working directory
+
<li>You will be required to manually [http://www.FreeBSDFoundation.org/cgi-bin/download?download=diablo-caffe-freebsd6-i386-1.5.0_07-b01.tar.bz2 download the Java JDK] to install it.  Instructions are given by the ports system about when and how to do this.</li>
# Since the latest version runs on a privileged port, you will need to start/stop WebGoat as root.
+
<li>Unzip WebGoat-OWASP_Standard-x.x.zip to your working directory.</li>
 
+
<li>Change "1.5" on lines 17, 19, and 23 of webgoat.sh to "1.6".</li>
sudo sh webgoat.sh start
+
<li>Since the latest version runs on a privileged port, you will need to start/stop WebGoat & Tomcat either:</li>
sudo sh webgoat.sh stop
+
<ol type="a">
 +
<li>on port 80 as root:<pre>
 +
sudo sh webgoat.sh start80
 +
sudo sh webgoat.sh stop
 +
</pre></li>
 +
<li>or on port 8080:<pre>
 +
sh webgoat.sh start8080
 +
sh webgoat.sh stop
 +
</pre></li>
 +
</ol>
 +
</li>
 +
</ol>
  
 
==Running ==
 
==Running ==
 
# Start your browser and browse to: <u>http://localhost/WebGoat/attack</u>. Notice the capital 'W' and 'G'
 
# Start your browser and browse to: <u>http://localhost/WebGoat/attack</u>. Notice the capital 'W' and 'G'
 +
 +
Warning: The "WebGoat" part of the path (the "context root") should exactly match (case-sensitive) the
 +
war (web archive) that gets deployed. When you launch WebGoat, the console will have a line like:
 +
 +
INFO: Deploying web application archive webgoat.war
 +
 +
This means that your URL will be <u>http://localhost/webgoat/attack</u> -- note the lowercase "webgoat"
 +
 
# Login in as: user = guest, password = guest
 
# Login in as: user = guest, password = guest
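Review bot: In the Running section, the warning block inserted between the two `#` items breaks the numbered list, so "Login in as" restarts at 1 in the rendered revision instead of appearing as step 2; indent the warning as a continuation of the first item, or move it after the list. The OS X rewrite also drops the old explanation that leaving the 1.5 path in webgoat.sh makes Tomcat fail to deploy WebGoat.war and return HTTP 404; a short reason next to 'Change "1.5" ... to "1.6"' would keep that troubleshooting hint. Listing the port 8080 option before the port 80 option would stop the steps from leading with running Tomcat as root.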
  
Line 63: Line 98:
 
Skip these instructions if you are only interested in running WebGoat.
 
Skip these instructions if you are only interested in running WebGoat.
  
WebGoat is built using eclipse WTP 1.5.x.  Please read the instructions at [http://webgoat.googlecode.com/svn/trunk/%20webgoat/main/HOW%20TO%20create%20the%20WebGoat%20workspace.txt Goodle code] to build the WebGoat application.
+
WebGoat is built using eclipse WTP 1.5.x.  Please read the instructions at [http://webgoat.googlecode.com/svn/trunk/webgoat/README.txt Goodle code] to build the WebGoat application.
 +
 
 +
==Installing WAR file to existing Tomcat server==
 +
Place the .war file in your Tomcat webapps directory (it will self extract).  You'll need to resolve several issues that are outlined in the [http://code.google.com/p/webgoat/wiki/FAQ Webgoat FAQ].
 +
 
  
 
Return to the [[WebGoat User Guide Table of Contents]]
 
Return to the [[WebGoat User Guide Table of Contents]]
 
[[Category:OWASP WebGoat Project]]
 
[[Category:OWASP WebGoat Project]]
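Review bot: The link label on the changed Building line still reads "Goodle code"; correct it to "Google Code" while the URL is being updated. The new "Installing WAR file to existing Tomcat server" section says several issues need resolving but names none; a cross-reference to the catalina-4.1.9.jar note under Installing Tomcat would help, since the note says that jar must be removed before WebGoat runs on Tomcat 7.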

Revision as of 21:40, 23 March 2012


WebGoat is a platform-independent environment. It uses Apache Tomcat and the Java development environment. Installers are provided for Microsoft Windows and UN*X environments, together with notes for installation on other platforms.

Installing Java and Tomcat

Note: This may no longer be necessary for v5.

Installing Java

  1. Install and deploy the appropriate version from http://java.sun.com/downloads/ (1.4.1 or later)

Installing Tomcat

  1. Install and deploy core Tomcat from http://tomcat.apache.org/download-55.cgi
 NOTE: WebGoat includes a very old version of catalina-4.1.9.jar.
 To run WebGoat on Tomcat 7, you'll need to expand the war file
 and delete this file from WEB-INF/lib
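
The Tomcat 7 note above, as an added example that is not part of the original page or the WebGoat project: instead of expanding the WAR on disk, it rewrites the archive without the bundled jar, which works the same way on every platform this page covers. The function names and the sample WAR are constructed for illustration; only the jar name and its WEB-INF/lib location come from the note.

```python
import zipfile

# Jar name and location as given in the note above.
BUNDLED_JAR = "WEB-INF/lib/catalina-4.1.9.jar"


def strip_bundled_catalina(src_war, dst_war, unwanted=BUNDLED_JAR):
    """Copy src_war to dst_war, leaving out the bundled Catalina jar.

    Returns the entry names that were dropped (empty if the jar was not
    present, in which case dst_war is a plain copy of src_war).
    """
    dropped = []
    with zipfile.ZipFile(src_war) as src, \
            zipfile.ZipFile(dst_war, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == unwanted:
                dropped.append(info.filename)
                continue
            # Reuse the original ZipInfo so timestamps and modes survive.
            dst.writestr(info, src.read(info.filename))
    return dropped


def build_sample_war(path):
    """Constructed stand-in for a WebGoat WAR (contents are placeholders)."""
    with zipfile.ZipFile(path, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("WEB-INF/lib/catalina-4.1.9.jar", b"placeholder")
        war.writestr("WEB-INF/lib/other.jar", b"placeholder")


if __name__ == "__main__":
    import os
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "WebGoat.war")
        dst = os.path.join(tmp, "WebGoat-tomcat7.war")
        build_sample_war(src)
        print("dropped:", strip_bundled_catalina(src, dst))
        with zipfile.ZipFile(dst) as war:
            print("kept:", war.namelist())
```

Keep the output file name identical to the original WAR name when deploying, because Tomcat derives the context root from it.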

Installing to Windows

  1. Unzip WebGoat-OWASP_Standard-5.2.zip to your working environment.
  2. To start Tomcat, browse to the WebGoat directory unzipped above and double click "webgoat.bat"
  3. Start your browser and browse to: http://localhost/WebGoat/attack This link is case-sensitive. Make sure to use a capital ‘W’ and ‘G’.

Installing to Linux

  1. Unzip WebGoat-OWASP_Standard-x.x.zip to your working directory.
  2. Change "1.5" on lines 17, 19, and 23 of webgoat.sh to "1.6".
  3. Since the latest version runs on a privileged port, you will need to start/stop WebGoat & Tomcat either:
    1. on port 80 as root:
      sudo sh webgoat.sh start80
      sudo sh webgoat.sh stop
      
    2. or on port 8080:
      sh webgoat.sh start8080
      sh webgoat.sh stop
      

Installing to OS X (Tiger 10.4+)

  1. Unzip WebGoat-OWASP_Standard-x.x.zip to your working directory.
  2. Change "1.5" on line 10 of webgoat.sh to "1.6".
  3. Since the latest version runs on a privileged port, you will need to start/stop WebGoat & Tomcat either:
    1. on port 80 as root:
      sudo sh webgoat.sh start80
      sudo sh webgoat.sh stop
      
    2. or on port 8080:
      sh webgoat.sh start8080
      sh webgoat.sh stop
      

Installing on FreeBSD

  1. Install Tomcat and Java from the ports collection:
    cd /usr/ports/www/tomcat55
    sudo make install
    
  2. You will be required to manually download the Java JDK to install it. Instructions are given by the ports system about when and how to do this.
  3. Unzip WebGoat-OWASP_Standard-x.x.zip to your working directory.
  4. Change "1.5" on lines 17, 19, and 23 of webgoat.sh to "1.6".
  5. Since the latest version runs on a privileged port, you will need to start/stop WebGoat & Tomcat either:
    1. on port 80 as root:
      sudo sh webgoat.sh start80
      sudo sh webgoat.sh stop
      
    2. or on port 8080:
      sh webgoat.sh start8080
      sh webgoat.sh stop
      

Running

  1. Start your browser and browse to: http://localhost/WebGoat/attack. Notice the capital 'W' and 'G'.

Warning: The "WebGoat" part of the path (the "context root") should exactly match (case-sensitive) the name of the war (web archive) that gets deployed. When you launch WebGoat, the console will have a line like:

INFO: Deploying web application archive webgoat.war

This means that your URL will be http://localhost/webgoat/attack -- note the lowercase "webgoat".

  2. Log in as: user = guest, password = guest
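
The context-root rule from the warning above, as an added example that is not part of the original page or the WebGoat project: it reads Tomcat console output, finds the deployed WebGoat archive and builds the URL with the archive's exact case. The function names are hypothetical, the ROOT.war line in the sample is constructed, and the `localhost:8080` form for the start8080 option is an assumption, since the page only shows the port 80 URL.

```python
import re

# Console line format quoted in the warning above.
DEPLOY_RE = re.compile(r"Deploying web application archive (\S+)\.war\s*$")

# Constructed sample: the second line is the one quoted on this page,
# the first is added to show that other archives are ignored.
SAMPLE_CONSOLE = """\
INFO: Deploying web application archive ROOT.war
INFO: Deploying web application archive webgoat.war
"""


def deployed_contexts(console_text):
    """Return archive names, case preserved, in the order they were deployed."""
    roots = []
    for line in console_text.splitlines():
        match = DEPLOY_RE.search(line)
        if match:
            roots.append(match.group(1))
    return roots


def attack_url(console_text, port=80):
    """Build the /attack URL for the WebGoat archive Tomcat actually deployed."""
    goats = [r for r in deployed_contexts(console_text)
             if r.lower() == "webgoat"]
    if not goats:
        raise LookupError("no WebGoat archive in the console output")
    # Port 80 is implied by a plain http:// URL; any other port is spelled out.
    host = "localhost" if port == 80 else "localhost:%d" % port
    # The path segment keeps the archive's case; the last deployment wins.
    return "http://%s/%s/attack" % (host, goats[-1])


if __name__ == "__main__":
    print(attack_url(SAMPLE_CONSOLE))
```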

Building

Skip these instructions if you are only interested in running WebGoat.

WebGoat is built using Eclipse WTP 1.5.x. Please read the instructions at Google Code to build the WebGoat application.

Installing WAR file to existing Tomcat server

Place the .war file in your Tomcat webapps directory (it will self-extract). You'll need to resolve several issues that are outlined in the WebGoat FAQ.


Return to the WebGoat User Guide Table of Contents