Saturday, April 11, 2009

Creating an OWASP WebGoat Ubuntu-based VM


I wanted to play with OWASP's WebGoat. So I created an Ubuntu Desktop VM and installed Java and WebGoat. You also need a web proxy to do the lessons, so I installed WebScarab along with the FoxyProxy extension for FireFox to make using it easy. This post details all the steps I went through.

I did find these directions for doing something similar. They are outdated, but kudos to them for some basic concepts I followed.

[Update 11/30/2011: And there is now apparently a new version of my directions.]

I started with a fresh copy of an Ubuntu 8.0.4 Desktop image (I made my own, but you should be able to use an existing image). Fire up the image, log in, open a terminal (Applications, Accessories, Terminal) and become root ("sudo -i").

The first step was to install Java:

# apt-get install sun-java6-bin sun-java6-jdk

Note that Tomcat is now included with WebGoat, so there is no need to install it separately. The next step is to download WebGoat:

# wget http://webgoat.googlecode.com/files/WebGoat-OWASP_Standard-5.2.zip
# unzip WebGoat-OWASP_Standard-5.2.zip
# mv WebGoat-5.2/ /usr/local
# cd /usr/local/WebGoat-5.2/

You will need to edit the webgoat.sh file to set JAVA_HOME and change the Java version from 1.5 to 1.6. I use 'vi'; you can use your favorite editor.

# chmod 755 webgoat.sh
# cp webgoat.sh webgoat.sh.orig
# vi webgoat.sh

Add "export JAVA_HOME=/usr/lib/jvm/java-6-sun" near the start of the file, after the line with CATALINA_HOME. Then change the "1.5" on lines 17, 19, and 23 to "1.6".
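The two hand edits to webgoat.sh, scripted, as an added example that is not part of the original post. It assumes the file has a line containing CATALINA_HOME and that the version checks sit on lines 17, 19 and 23 of the unmodified file (the numbers given above; pass other line numbers as extra arguments if your copy differs). The sample webgoat.sh it builds is a constructed stand-in for demonstration, not the real script.

```shell
#!/bin/sh
# Added example (not from the original post): script the hand edits the post
# makes to webgoat.sh, keeping a .orig backup like the post does.
#   1. insert "export JAVA_HOME=<path>" right after the first CATALINA_HOME line
#   2. change "1.5" to "1.6" on the listed lines (numbered in the UNMODIFIED file)
# Assumption: the line numbers 17 19 23 come from the post; check yours with
# "grep -n 1.5 webgoat.sh" and pass different numbers if they differ.

# Print line $2 of file $1 (helper for inspection and tests).
line_at() {
    sed -n "${2}p" "$1"
}

# patch_webgoat_sh FILE JAVA_HOME [LINE...]
patch_webgoat_sh() {
    [ "$#" -ge 2 ] || { echo "usage: patch_webgoat_sh FILE JAVA_HOME [LINE...]" >&2; return 1; }
    file="$1"
    java_home="$2"
    shift 2
    lines="${*:-17 19 23}"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    grep -q CATALINA_HOME "$file" || { echo "no CATALINA_HOME line in $file" >&2; return 1; }

    cp "$file" "$file.orig"
    awk -v jh="$java_home" -v lines="$lines" '
        BEGIN { n = split(lines, want_list, " "); for (i = 1; i <= n; i++) want[want_list[i]] = 1 }
        {
            line = $0
            # NR is the input line number, so the numbers refer to the original file
            if (NR in want) gsub(/1\.5/, "1.6", line)
            print line
            # insert JAVA_HOME once, after the first CATALINA_HOME line
            if (!inserted && index($0, "CATALINA_HOME")) { print "export JAVA_HOME=" jh; inserted = 1 }
        }
    ' "$file.orig" > "$file"
    chmod 755 "$file"
}

# Build a CONSTRUCTED stand-in for webgoat.sh (not the real script) so the
# patch can be exercised without downloading WebGoat.
make_sample_webgoat_sh() {
    out="$1"
    {
        echo '#!/bin/sh'
        echo 'CATALINA_HOME=$(pwd)/tomcat'
        n=3
        while [ "$n" -le 25 ]; do
            case "$n" in
                17|19|23) echo "[ \"\$JAVA_VERSION\" = \"1.5\" ] || echo \"need Java 1.5\"   # line $n" ;;
                10)       echo '# written against Java 1.5 (comment, must stay untouched)' ;;
                *)        echo "echo placeholder line $n" ;;
            esac
            n=$((n + 1))
        done
    } > "$out"
}

# Demo when run directly: patch a sample and show the resulting diff.
demo_dir=$(mktemp -d)
make_sample_webgoat_sh "$demo_dir/webgoat.sh"
patch_webgoat_sh "$demo_dir/webgoat.sh" /usr/lib/jvm/java-6-sun
diff "$demo_dir/webgoat.sh.orig" "$demo_dir/webgoat.sh" || true
rm -rf "$demo_dir"
```

Because the JAVA_HOME line is inserted after the version substitutions are applied by original line number, the numbers you pass are the ones you read off the untouched file; after patching, each of those lines sits one line lower.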

The next step was to install WebScarab, the proxy you'll need for the WebGoat lessons. Download and install as follows:

# cd /tmp
# wget http://dawes.za.net/rogan/webscarab/webscarab-current.zip
# unzip webscarab-current.zip
# mv webscarab-* /usr/local/webscarab

Now, to make it easy to use WebScarab from FireFox, I installed FoxyProxy into FireFox. Visit the FoxyProxy web page, install it and restart FireFox.

When FireFox starts back up, configure FoxyProxy as follows:

  1. Click on the FoxyProxy icon in the lower right and select Add New Proxy. The FoxyProxy window should appear.
  2. On the General tab, under Proxy Name enter "WebScarab".
  3. On the Proxy Details tab, select Manual Proxy Configuration.
  4. For Host or IP Address enter "127.0.0.1"
  5. For Port enter "8008"
  6. On the URL Patterns tab select Add New Pattern
  7. For Pattern Name enter "WebGoat"
  8. For Pattern URL enter "http://*127.0.0.1/WebGoat/*" (The first "*" here matches the "guest:guest" string for authentication.)
  9. Click OK
  10. Close Proxy Settings
  11. Under Mode select Use proxies based on their pre-defined patterns and priorities.
  12. Close FoxyProxy Options
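To see which URLs the pattern from step 8 actually captures, here is an added example that is not part of the original post: it emulates FoxyProxy's wildcard with a POSIX shell glob in a `case` statement, on the assumption that FoxyProxy's `*` matches any run of characters the way a shell `*` does. The sample URLs are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): check which URLs the FoxyProxy
# pattern "http://*127.0.0.1/WebGoat/*" would route through WebScarab.
# Assumption: FoxyProxy's wildcard "*" matches any characters, as a shell
# glob "*" does inside "case"; the pattern itself is the one from the post.

WEBGOAT_PATTERN='http://*127.0.0.1/WebGoat/*'

# url_matches PATTERN URL: exit 0 when URL matches the glob PATTERN, 1 otherwise.
# $1 is left unquoted on purpose so the shell treats it as a pattern.
url_matches() {
    case "$2" in
        $1) return 0 ;;
        *)  return 1 ;;
    esac
}

# Print PROXY or DIRECT for a URL under the post's pattern.
route_of() {
    if url_matches "$WEBGOAT_PATTERN" "$1"; then echo PROXY; else echo DIRECT; fi
}

# Constructed sample URLs: the credentialed form from the post, the bare
# form, the port-8080 form a commenter used, an unrelated host whose path
# happens to contain the same text, and a plain unrelated URL.
for u in 'http://guest:guest@127.0.0.1/WebGoat/attack' \
         'http://127.0.0.1/WebGoat/attack' \
         'http://127.0.0.1:8080/WebGoat/attack' \
         'http://example.com/?next=127.0.0.1/WebGoat/attack' \
         'http://example.com/'; do
    printf '%-6s %s\n' "$(route_of "$u")" "$u"
done
```

Two things the output makes visible: a URL that carries a port, such as the :8080 form, does not match because `127.0.0.1/WebGoat/` no longer appears as one run of text, so that traffic goes straight to the server and never shows up in WebScarab; and the leading `*` matches any prefix at all, so a request to a different host whose path contains `127.0.0.1/WebGoat/` is also sent through the proxy. If you run WebGoat on 8080, add the port to the pattern (for example `http://*127.0.0.1:8080/WebGoat/*`), and keep the pattern as narrow as your setup allows.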

Now you probably want to open a couple of terminal windows (or tabs), one for WebScarab and one for WebGoat. In the first window fire up WebScarab:

# java -jar /usr/local/webscarab/webscarab.jar

You should see a WebScarab window open after a moment.

Then, in the other window, fire up WebGoat:

# cd /usr/local/WebGoat-5.2
# ./webgoat.sh start80

WebGoat will churn for a little bit, but then you should eventually see a message like "INFO: Server startup in 3546 ms". At this point you are ready to go by pointing your browser at http://guest:guest@127.0.0.1/WebGoat/attack.

At this point you should see not only WebGoat appear in your browser, but WebScarab should start displaying a bunch of requests. Click on the image at the top of this post for what things should look like.

That's as far as I've gotten. Next step will be to dive into WebGoat.

11 comments:

  1. Thanks! They're up and running!

  2. Hi, I am stuck at this point, please help:
    apt-get-install sun-java6-bin sun-java6-jdk
    bash: apt-get-install: command not found

  3. sorry found that out myself
    it was apt-get install sun-java6-bin sun-java6-jdk

  4. it worked perfect.....thanks for the post sir

  5. thanx & wow its cool..................

  6. I had to change 2 things to get mine to work.

    Step 5 for FireProxy, I changed this:
    'For Port enter "8008"'

    to this:
    'For Port enter "8080"'

    and I also had to start8080 when firing up webgoat, so I changed this:

    "./webgoat.sh start80"

    to this:

    "./webgoat.sh start8080"

  7. I need to append my previous comments about it working for me when changing two items. I looked at the traffic on webscarab and there was nothing there when I changed starting webgoat from start80 to start8080 and then used port 8080 in foxyproxy. The webgoat was displayed like in the image, but all of my traffic was blank in webscarab.

  8. Thanks for the post!

    I've used your info as a guide to setting up my own VM, and wrote my own guide from this and other internet sources. For anyone that comes here, an updated guide (2.5 years after this blog was written) can be found on my blog here: http://tostercrums.blogspot.com/2011/11/running-webgoat-owasp-in-ubuntu-vm.html

  9. Hi,
    I have followed your directions except for installing WebScarab (the link doesn't work), and I am getting an error.

    When I try to use port 80 to try to use WebGoat I am getting, "Unable to load page"

    When I use port 8080, I get an apache error saying, "HTTP Status 404 - /WebGoat/attack

    type Status report

    message /WebGoat/attack

    description The requested resource (/WebGoat/attack) is not available."

    Please help.

    Thanks.

  10. Hi All, running ./webgoat.sh start80 gives following messages:
    using JRE_HOME /usr/lib/jvm/java-6-openjdk/jre/bin/java
    open http:
    username:
    password:

    eval 1: /usr/lib/jvm/java-6-openjdk/jre/bin/java/bin/java

    From the last line it is evident that bin/java is repeating, please someone help me on this issue.

    Thanks
