Dun know about you guys but during my time (not that long ago lah), the only avenues for me to test my newly acquired skills and tools (most of the time to test the tools and scripts - yeah, I used to be a script kiddie :P ) were servers, websites and routers belonging to other people. Ahh, forgot to mention that I used to test these tools on other PCs in the CyberCafe as well ;) . At that time IRC chatrooms could be a testing ground and learning centre as well. Mind you that at that time, VMware had just been founded and its first product (VMware Workstation) was only delivered a year later ;) Nowadays you only need a PC/laptop and an internet browser (for WIMP users, no worries on this part), and you dun even have to be connected, thanks to OWASP’s WebGoat Project ;)

So what is WebGoat? Let this lazy bum quote the Goal of this WebGoat project from its page.

“The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot”

“WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application”

What I can conclude is that WebGoat is the right avenue for you to learn Web application attack techniques (nowadays most of the attacks are layer 7 attacks ;) ). Instead of performing the “trial and error” (the old school) way on applications belonging to others, you can learn these techniques, and why the application succumbed to them, without causing any damage to others’ belongings. Hey, it also saves you from any entanglement with the Law as well. ;)

In that spirit, I decided to have WebGoat installed onto one of our testing machines (virtual, that is) in a lab environment so the Analysts can learn and play around with the application.

One thing that I didn’t notice is that WebGoat is around 83MB in size, and it took some time for me to complete the download as it seems that our line decided to drag its feet while transporting the data. Sigh.

WebGoat requires a JDK to be installed first. So when I ran the usual make install command in the jdk15 port (/usr/ports/java/jdk15), I was presented with this message:

IMPORTANT: To build the JDK 1.5.0 port, you should have at least
2.5Gb of free disk space in the build area!

Due to licensing restrictions, certain files must be fetched manually.

Please open http://download.java.net/tiger/archive/tiger_u14/
in a web browser.  Download the
Update 14 Source, jdk-1_5_0_14-fcs-src-b03-jrl-05_oct_2007.jar and the
Source Binaries, jdk-1_5_0_14-fcs-bin-b03-jrl-05_oct_2007.jar .

Please open http://java.sun.com/javase/downloads/index_jdk5.jsp
in a web browser and follow the "Download" link for
"Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy
Files 5.0" to obtain the JCE policy file, jce_policy-1_5_0.zip.

Please open http://java.sun.com/javase/downloads/index.jsp
in a web browser and follow the "Download" link for
"JDK US DST Timezone Update Tool - 1_3_11" to obtain the
time zone update file, tzupdater-1_3_11-2008i.zip.

Please download the patchset, bsd-jdk15-patches-8.tar.bz2, from

http://www.eyesbeyond.com/freebsddom/java/jdk15.html.

Please place the downloaded file(s) in /usr/ports/distfiles
and restart the build.

Whaaaa… I needed to download those files manually. With the download “speed” that I had at that time, I had to download:

jdk-1_5_0_14-fcs-src-b03-jrl-05_oct_2007.jar = 55MB

jdk-1_5_0_14-fcs-bin-b03-jrl-05_oct_2007.jar  = 2.1 MB

jce_policy-1_5_0.zip = 10K  (Thank God)

tzupdater-1_3_11-2008i.zip = 288K (Fortunately)

bsd-jdk15-patches-8.tar.bz2 = 800K

So once I finished downloading all those files, the installation process commenced immediately and after a looooooooooong while it completed.

Next was extracting the WebGoat application onto my virtual server and performing some configuration:

a). Defining the JAVA_HOME

b). As WebGoat is by default meant to be run on localhost, a simple configuration change: providing the listening IPs and ports in the server_80.xml file within the tomcat/conf/ directory of the WebGoat folder.
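Moving a deliberately insecure application off localhost makes it reachable by anything that can route to the chosen address, so it helps to confirm where each connector listens before starting it. The script below is an added example, not part of WebGoat or of the original post: it reads the address and port attributes of every Tomcat Connector element and flags those that are not loopback-only (a Connector with no address attribute listens on all interfaces). The sample XML, its addresses and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: report where each Tomcat <Connector> in a server.xml listens.

sample_server_xml() {   # constructed sample, not WebGoat's shipped file
cat <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- <Connector port="8443" address="0.0.0.0" /> -->
    <Connector port="80"
               address="192.168.56.10" />
    <Connector port="8009" address="127.0.0.1" protocol="AJP/1.3" />
    <Connector port="8080" />
  </Service>
</Server>
EOF
}

audit_connectors() {    # $1 = path to server.xml (or server_80.xml)
    # Flatten the file, drop XML comments, then put each tag on its own line
    # so a Connector element split across lines is read as one record.
    tr '\n' ' ' < "$1" |
    awk '{ while ((s = index($0, "<!--")) && (e = index(substr($0, s), "-->"))) {
               $0 = substr($0, 1, s - 1) substr($0, s + e + 2) }
           print }' |
    tr '<' '\n' | grep '^Connector[[:space:]]' |
    while IFS= read -r tag; do
        port=$(printf '%s\n' "$tag" | sed -n 's/.*[[:space:]]port="\([^"]*\)".*/\1/p')
        addr=$(printf '%s\n' "$tag" | sed -n 's/.*[[:space:]]address="\([^"]*\)".*/\1/p')
        case "$addr" in
            "")                  echo "EXPOSED  *:$port (no address attribute: all interfaces)" ;;
            127.*|::1|localhost) echo "loopback $addr:$port" ;;
            0.0.0.0|::)          echo "EXPOSED  $addr:$port (all interfaces)" ;;
            *)                   echo "LAN      $addr:$port (reachable from that network)" ;;
        esac
    done
}

# Number of connectors that accept connections from outside the host itself.
exposed_count() {
    audit_connectors "$1" | grep -cv '^loopback' || true
}
```

Run audit_connectors against tomcat/conf/server_80.xml before webgoat.sh start80 copies that file over server.xml.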

But the moment I executed webgoat.sh start80, I was presented with this message:

Please set JAVA_HOME to a Java 1.5 JDK install

And it didn’t matter how many times I defined those fields (including a symbolic link as well), the message kept on appearing when I tried to start the application. So I searched through Google and discovered this technique:

Delete the Java version check code and put export JAVA_HOME=, set to the installed JDK location, at the top of the script, which made my webgoat.sh look like this:

ayoi# less webgoat.sh
#! /bin/sh

SYSTEM=`uname -s`
CATALINA_HOME=./tomcat
PATH=${PATH}:./tomcat/bin
export CATALINA_HOME PATH
export JAVA_HOME=/usr/local/jdk-1.5.0
chmod +x ./$CATALINA_HOME/bin/*.sh

case "$1" in
    start80)
        cp -f $CATALINA_HOME/conf/server_80.xml $CATALINA_HOME/conf/server.xml
        $CATALINA_HOME/bin/startup.sh
        printf "\n  Open http://127.0.0.1/WebGoat/attack"
        printf "\n  Username: guest"
        printf "\n  Password: guest"
        printf "\n  Or try http://guest:guest@127.0.0.1/WebGoat/attack \n\n\r"
        sleep 2
        tail -f $CATALINA_HOME/logs/catalina.out
===============SNIP==================
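
Removing the check gets the script past the error but also hides why the check failed. As an added example (not code from webgoat.sh or from the original post), the function below reports the specific reason a JAVA_HOME test fails. The names check_java_home and make_stub_jdk and the return codes are chosen for this sketch, and the stub JDK exists only so the example runs without a real one installed.

```shell
#!/bin/sh
# Added example: say why a JAVA_HOME check fails instead of deleting the check.

check_java_home() {
    want="${1:-1.5}"                  # version prefix the application needs
    if [ -z "${JAVA_HOME:-}" ]; then
        echo "JAVA_HOME is not set"; return 1
    fi
    # A variable that is set but not exported never reaches a child script.
    if ! env | grep -q '^JAVA_HOME='; then
        echo "JAVA_HOME is set but not exported"; return 2
    fi
    if [ ! -d "$JAVA_HOME" ]; then
        echo "JAVA_HOME=$JAVA_HOME is not a directory"; return 3
    fi
    if [ ! -x "$JAVA_HOME/bin/java" ]; then
        echo "no executable $JAVA_HOME/bin/java"; return 4
    fi
    # 'java -version' writes its banner to stderr, so merge it into stdout.
    banner=$("$JAVA_HOME/bin/java" -version 2>&1 | head -n 1)
    case "$banner" in
        *"version \"$want"*) echo "ok: $banner"; return 0 ;;
        *) echo "wrong JVM: $banner (need $want.x)"; return 5 ;;
    esac
}

# Constructed stand-in for a JDK: a bin/java that only prints a version banner.
make_stub_jdk() {                     # $1 = directory, $2 = version to report
    mkdir -p "$1/bin"
    printf '#!/bin/sh\necho "java version \\"%s\\"" >&2\n' "$2" > "$1/bin/java"
    chmod +x "$1/bin/java"
}

# Usage inside a start script, before startup.sh is called:
#   check_java_home 1.5 || exit 1
```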

So when I executed the webgoat.sh start80 command, voila..

ayoi# ./webgoat.sh start80
Using CATALINA_BASE:   ./tomcat
Using CATALINA_HOME:   ./tomcat
Using CATALINA_TMPDIR: ./tomcat/temp
Using JAVA_HOME:       /usr/local/jdk-1.5.0

Open http://127.0.0.1/WebGoat/attack
Username: guest
Password: guest
Or try http://guest:guest@127.0.0.1/WebGoat/attack

===============SNIP=========================

The WebGoat is now running and ready to be hacked ;)
