https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=Josef+MeixnerOWASP - User contributions [en]2026-05-31T13:02:24ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=WebGoat_Installation&diff=10896WebGoat Installation2006-10-21T11:45:30Z<p>Josef Meixner: /* Installing to Linux */ Formatting of start and stop command was off</p>
<hr />
<div>[[WebGoat User Guide Table of Contents]]<br />
__TOC__<br />
<br />
WebGoat is a platform independent environment.<br />
It utilizes Apache Tomcat and the JAVA development environment.<br />
Installers are provided for Microsoft Windows and UN*X environments, together with notes for installation on other platforms.<br />
<br />
==Installing Java and Tomcat ==<br />
# <This section may not be needed, update for v4> <br />
<br />
==Installing to Windows ==<br />
# Unzip the Windows_WebGoat-x.x.zip to your working environment <br />
# To start Tomcat, browse to the WebGoat directory unzipped above and double click "webgoat.bat"<br />
# Start your browser and browse to: <u>http://localhost/WebGoat/attack</u> This link is case-sensitive. Make sure to use a large ‘W’ and ‘G’.<br />
<br />
==Installing to Linux ==<br />
* 1. Download and install Java JDK 1.5 from Sun (http://java.sun.com)<br />
* 2. Unzip the Unix_WebGoat-x.x.zip to your working directory<br />
* 3. Edit the following line in webgoat.sh, set JAVA_HOME to your JDK1.5 path. <br />
JAVA_HOME="SET ME TO YOUR JAVA 1.5 JDK PATH"<br />
* 4. Since the latest version runs on a privileged port, you will need to start/stop WebGoat as root.<br />
<br />
sudo sh webgoat.sh start<br />
sudo sh webgoat.sh stop<br />
<br />
==Installing to OS X (Tiger 10.4+) ==<br />
# Unzip the Unix_WebGoat-x.x.zip to your working directory<br />
# Since the latest version runs on a privileged port, you will need to start/stop WebGoat as root.<br />
<br />
sudo sh webgoat.sh start<br />
sudo sh webgoat.sh stop<br />
<br />
==Running ==<br />
# Start your browser and browse to: <u>http://localhost/WebGoat/attack</u>. Notice the capital 'W' and 'G'<br />
# Login in as: user = guest, password = guest<br />
<br />
==Building ==<br />
Skip these steps if you just want to run WebGoat<br />
<this section is incomplete><br />
<br />
<br />
[[WebGoat User Guide Table of Contents]]<br />
[[Category:OWASP WebGoat Project]]<br />
{{Template:Stub}}</div>Josef Meixnerhttps://wiki.owasp.org/index.php?title=Tools_required&diff=10895Tools required2006-10-21T11:19:49Z<p>Josef Meixner: Missed second link at last edit</p>
<hr />
<div>[[WebGoat User Guide Table of Contents]]<br />
__TOC__<br />
<br />
There are a number of tools to aid the wily application security assessor. By far the most relevant to this type of security assessment are local proxies and web/application spiders. To complete the full set of WebGoat lessons a web-proxy will be required. <br />
<br />
==Application Assessment Proxy ==<br />
A normal web-proxy typically receives, processes and forwards HTTP and HTTPS traffic between the client and server. This is normally to provide a single point through which all web traffic passes – for example to monitor usage, improve performance through caching or apply security policies.<br />
<br />
An application proxy tool is designed to intercept all HTTP and HTTPS communication between the local client browser and the server-side. It acts as a man-in-the-middle where all interaction may be monitored, reviewed and (importantly) modified.<br />
<br />
Through such a tool, the assessor can determine exactly what data is passed between the Client and Server. Furthermore, they may analyze and modify the data in order to test the impact of the application.<br />
<br />
It is essential for many of the lessons within WebGoat that an application assessment proxy, or software with equivalent functionality be used.<br />
<br />
The following is recommended:<br />
WebScarab: <u>[[:Category:OWASP_WebScarab_Project|WebScarab Project]]</u><br />
<br />
==Application Spider ==<br />
Spidering or crawling a site should identify and follow all of the intended pages and links within a web site & application, and optionally store a local copy.<br />
<br />
The results can then be analyzed to define a comprehensive list of target scripts, forms, pages and fields within the application for use in later testing.<br />
<br />
Mirrored content can also be analyzed for relevant information far more quickly than through a manual or ‘on the wire’ analysis.<br />
<br />
The following are recommended:<br />
* HHTrack – <u>http://www.httrack.com</u><br />
* Form Scalpel – <u>http://www.ugc-labs.co.uk/tools/formscalpel/</u><br />
* WebScarab – <u>[[:Category:OWASP_WebScarab_Project|WebScarab Project]]</u><br />
<br />
<br />
[[WebGoat User Guide Table of Contents]]<br />
[[Category:OWASP WebGoat Project]]</div>Josef Meixnerhttps://wiki.owasp.org/index.php?title=Tools_required&diff=10894Tools required2006-10-21T11:19:03Z<p>Josef Meixner: http://www.owasp.org/webscarab does no longer work, so substituted with category page</p>
<hr />
<div>[[WebGoat User Guide Table of Contents]]<br />
__TOC__<br />
<br />
There are a number of tools to aid the wily application security assessor. By far the most relevant to this type of security assessment are local proxies and web/application spiders. To complete the full set of WebGoat lessons a web-proxy will be required. <br />
<br />
==Application Assessment Proxy ==<br />
A normal web-proxy typically receives, processes and forwards HTTP and HTTPS traffic between the client and server. This is normally to provide a single point through which all web traffic passes – for example to monitor usage, improve performance through caching or apply security policies.<br />
<br />
An application proxy tool is designed to intercept all HTTP and HTTPS communication between the local client browser and the server-side. It acts as a man-in-the-middle where all interaction may be monitored, reviewed and (importantly) modified.<br />
<br />
Through such a tool, the assessor can determine exactly what data is passed between the Client and Server. Furthermore, they may analyze and modify the data in order to test the impact of the application.<br />
<br />
It is essential for many of the lessons within WebGoat that an application assessment proxy, or software with equivalent functionality be used.<br />
<br />
The following is recommended:<br />
WebScarab: <u>[[:Category:OWASP_WebScarab_Project|WebScarab Project]]</u><br />
<br />
==Application Spider ==<br />
Spidering or crawling a site should identify and follow all of the intended pages and links within a web site & application, and optionally store a local copy.<br />
<br />
The results can then be analyzed to define a comprehensive list of target scripts, forms, pages and fields within the application for use in later testing.<br />
<br />
Mirrored content can also be analyzed for relevant information far more quickly than through a manual or ‘on the wire’ analysis.<br />
<br />
The following are recommended:<br />
* HHTrack – <u>http://www.httrack.com</u><br />
* Form Scalpel – <u>http://www.ugc-labs.co.uk/tools/formscalpel/</u><br />
* WebScarab – <u>http://www.owasp.org/webscarab</u><br />
<br />
<br />
[[WebGoat User Guide Table of Contents]]<br />
[[Category:OWASP WebGoat Project]]</div>Josef Meixner