Programs/web server  2012. 10. 15. 19:16

Because of the upload size limit I am posting this as a split archive.
Put the downloaded parts in the same folder and extract them.

The program introduced this time is WebGoat.

WebGoat is a deliberately vulnerable web application, built so that people studying hacking and security can learn about a range of vulnerabilities hands-on. It is not hosted on some remote server: you download the files and start it on a Tomcat server yourself.

When you extract the download there is a file called webgoat.bat; it is the batch file that starts the server. Run it and a command window opens and the server starts.
From there, browse to an address of the form

http://192.168.0.2:8664/WebGoat/attack

that is, IP address:port/WebGoat/attack (the capital W and G in WebGoat matter), and an authentication prompt appears. The default account is

ID : guest
Pass : guest




This is WebGoat running. The command window on the left is the server; it logs the pages requested from the WebGoat server, the client IP address, parameters and other details. On the right is the WebGoat web page.

If your computer already runs IIS, an APM (Apache/PHP/MySQL) stack or another server that occupies port 80, change that server's port or change the port of WebGoat's Tomcat server. I changed it myself.

To change the port, open the Tomcat folder, then the conf folder, and edit server.xml. Searching for "port" turns up several entries, because server.xml also defines the shutdown port and the AJP connector; change only the HTTP connector's port, which is set to 80 by default, to the port you want, and use that port in the URL.



---------------------------------------------------------------------------------------------------------------------------

WebGoat 3.7
08.04.2005

Thank you for downloading WebGoat!

This program is a demonstration of common server-side
application flaws.  The exercises are intended to
be used by people to learn about application penetration
testing techniques.


WARNING 1: While running this program your machine will be 
extremely vulnerable to attack. You want to disconnect
from the Internet while using this program.

WARNING 2: This program is for educational purposes only. If you
attempt these techniques without authorization, you are very
likely to get caught.  If you are caught engaging in unauthorized
hacking, most companies will fire you. Claiming that you were
doing security research will not work as that is the first thing
that all hackers claim.

You can find more information about WebGoat at
http://www.owasp.org

CREDITS (Latest release)

Laurence Casey (http://www.aspectsecurity.com)
Bruce Mayhew (http://www.aspectsecurity.com)
Jeremy Ferragamo (http://www.aspectsecurity.com)
Alex Smolen (http://www.parasoft.com)
Rogan Dawes (http://dawes.za.net/rogan)
Chuck Willis (http://www.securityfoundry.com)

The many people who have sent comments and suggestions...
        
WHAT'S NEW

* Runs on Linux and OSX 10.4
* WebGoat is now current in CVS. (http://cvs.sourceforge.net/viewcvs.py/owasp/webgoat/)
* Improved ant build process and added Unix support 
* Infrastructure changes to support multi-stage lessons
* Eclipse development release 
* Minor screen improvements

* Web services lessons
* Blind SQL lesson
* Weak session identifier lesson
* Split SQL lesson into numeric and string SQL lessons
* Added parameterized query stage to SQL lessons
* Additional stage for basic authentication lesson
* Summary report card for multi-user environment

INSTALLATION

Windows

1. unzip the Windows_WebGoat-x.x.zip to your working environment 
2. To start Tomcat, browse to the WebGoat directory unzipped above and double click "webgoat.bat"
3. start your browser and browse to... (Notice the capital 'W' and 'G')
http://localhost/WebGoat/attack
4. log in as: user = guest, password = guest
5. To stop WebGoat, simply close the window you launched it from.


Linux

1. Download and install Java JDK 1.5 from Sun (http://java.sun.com)
2. Unzip the Unix_WebGoat-x.x.zip to your working directory
3. Edit the following line in webgoat.sh, set JAVA_HOME to your JDK1.5 path.
JAVA_HOME="SET ME TO YOUR JAVA 1.5 JDK PATH"
4. Since the latest version runs on a privileged port, you will need to start/stop WebGoat as root.
sudo sh webgoat.sh start
sudo sh webgoat.sh stop
5. start your browser and browse to... (Notice the capital 'W' and 'G')
http://localhost/WebGoat/attack
6. log in as: user = guest, password = guest


OS X (Tiger 10.4+)

1. Unzip the Unix_WebGoat-x.x.zip to your working directory
2. Since the latest version runs on a privileged port, you will need to start/stop WebGoat as root.
sudo sh webgoat.sh start
sudo sh webgoat.sh stop
3. start your browser and browse to... (Notice the capital 'W' and 'G')
http://localhost/WebGoat/attack
4. log in as: user = guest, password = guest


DEVELOPER INSTALLATION

1. Download WebGoat-x.x_developer.zip source distribution
2. install Tomcat 5 and JDK 1.5
3. install Eclipse from http://www.eclipse.org
4. Start Eclipse; import existing project, specify webgoat root as the project location
5. Add tomcat/server/lib/catalina-ant.jar to your ant runtime global entries
   - Eclipse Menu: window -> preferences -> ant -> runtime
   - Select "Global Entries", choose "add external jars.." button
6. Modify build.xml
   - modify catalina.home property in build.xml to specify tomcat installation directory
   - modify manager.* properties to match admin username and password of Tomcat installation
   - Add the following users to tomcat-users.xml in tomcat/conf directory
<user username="webgoat" password="webgoat" roles="webgoat_admin"/>
<user username="basic" password="basic" roles="webgoat_user,webgoat_basic"/>
<user username="guest" password="guest" roles="webgoat_user"/>
<user username="admin" password="admin" roles="admin,manager"/>
7. Show the ant view from Eclipse
8. type 'ant dist' to create a new WebGoat .war file in the dist directory
9. type 'ant tomcat_install' to install the current build directory in tomcat. This
      does not install the application permanently -- you have to put the
      .war file in the webapps directory for that.
10. type 'ant tomcat_reload' to reinstall the current build directory in tomcat

HOW WEBGOAT WORKS

TROUBLESHOOTING/FAQs:
Q. I put the OWASP downloaded war file in my tomcat/webapps directory and the 
   http://localhost/WebGoat/attack url doesn't work.
A. Rename the downloaded war file to WebGoat.war.  Delete the existing tomcat/webapps/*WebGoat* directories.

Q. I dropped the WebGoat war file into my non-Tomcat application server and WebGoat doesn't seem to work.
A. WebGoat uses some of the internal Tomcat classes for user management.  Unfortunately, this makes 
   WebGoat dependent on Tomcat.  Hopefully, this will be addressed in a future release.

Q. Having problems with the ant file working properly. How do I configure my ant environment 
   so that I don't receive errors such as:
- "Specified VM install not found: type Standard VM, name j2sdk1.4.2.06"
A. This usually indicates an Eclipse environment setting misconfiguration. Here are some possible solutions:
i. Ant Runtime Configuration
- Window > Preferences
- Ant > Runtime
- Under Classpath Tab check the "Global Entries"
- Remove any jre "tools.jar" references
- Add the "\tomcat\server\lib\catalina-ant.jar" file.
- Click Apply, Click OK.
- Return to the Ant View and refresh.

For more current FAQs, please visit http://www.owasp.org/software/webgoat/faq.html

Please send questions, comments, suggestions, bugs, etc to webgoat@owasp.org 


$Id: RUNNING.txt,v 1.9 2004/09/03 17:50:34 yoavs Exp $

                 ============================================
                 Running The Tomcat 5.5 Servlet/JSP Container
                 ============================================

Out of the box, Tomcat 5.5 requires the Java 2 Standard Edition Runtime
Environment (JRE) version 5.0 or later.  However, you can also run Tomcat
5.5 on earlier versions of the JRE, as detailed below.

=============================
Running With JRE 5.0 Or Later
=============================

(1) Download and Install the J2SE Runtime Environment (JRE)

(1.1) Download the Java 2 Standard Edition Runtime Environment (JRE),
      release version 5.0 or later, from http://java.sun.com/j2se.

(1.2) Install the JRE according to the instructions included with the
      release.

(1.3) Set an environment variable named JAVA_HOME to the pathname of
      the directory into which you installed the JRE, e.g. c:\j2sdk5.0
      or /usr/local/java/j2sdk5.0.


(2) Download and Install the Tomcat Binary Distribution

NOTE:  As an alternative to downloading a binary distribution, you can create
your own from the Tomcat source repository, as described in "BUILDING.txt".
If you do this, the value to use for "${catalina.home}" will be the "dist"
subdirectory of your source distribution.

(2.1) Download a binary distribution of Tomcat from:

      http://jakarta.apache.org/site/binindex.cgi

(2.2) Unpack the binary distribution into a convenient location so that the
      distribution resides in its own directory (conventionally named
      "jakarta-tomcat-5").  For the purposes of the remainder of this document,
      the symbolic name "$CATALINA_HOME" is used to refer to the full
      pathname of the release directory.


(3) Start Up Tomcat

(3.1) Tomcat can be started by executing the following commands:

      $CATALINA_HOME\bin\startup.bat          (Windows)

      $CATALINA_HOME/bin/startup.sh           (Unix)

(3.2) After startup, the default web applications included with Tomcat will be
      available by visiting:

      http://localhost:8080/

(3.3) Further information about configuring and running Tomcat can be found in
      the documentation included here, as well as on the Tomcat web site:

      http://jakarta.apache.org/tomcat/


(4) Shut Down Tomcat

(4.1) Tomcat can be shut down by executing the following command:

      $CATALINA_HOME\bin\shutdown.bat        (Windows)

      $CATALINA_HOME/bin/shutdown.sh         (Unix)



===========================================
Running Tomcat With J2SE Version 1.4 or 1.3
===========================================

(1) Obtain the compat package:

(1.1) Download the compat package from the binary download site:
      http://jakarta.apache.org/site/binindex.cgi

      * Or build this package yourself from the source code: see 
        "BUILDING.txt" in this directory.

(2) Unzip the package in $CATALINA_HOME.  It will place the XML
    parser APIs and Xerces implementation in the common/endorsed
    directory, and the JMX API jar (jmx.jar from Sun) in the bin
    directory.

(3) Follow the same directions for starting and stopping the
    server as if you were using J2SE 5.0.


====================================================
Advanced Configuration - Multiple Tomcat Instances
====================================================

In many circumstances, it is desirable to have a single copy of a Tomcat
binary distribution shared among multiple users on the same server.  To make
this possible, you can pass a "-Dcatalina.base=$CATALINA_BASE" argument when
executing the startup command (see (3)). In this
"-Dcatalina.base=$CATALINA_BASE" argument, replace $CATALINA_BASE with the
directory that contains the files for your 'personal' Tomcat instance.

When you use this "-Dcatalina.base=$CATALINA_BASE" argument, Tomcat will
calculate all relative references for files in the following directories based
on the value of $CATALINA_BASE instead of $CATALINA_HOME:

* conf - Server configuration files (including server.xml)

* logs - Log and output files

* shared - For classes and resources that must be shared across all web
           applications

* webapps - Automatically loaded web applications

* work - Temporary working directories for web applications

* temp - Directory used by the JVM for temporary files (java.io.tmpdir)

If you do not pass the "-Dcatalina.base=$CATALINA_BASE" argument to the
startup command, $CATALINA_BASE will default to the same value as $CATALINA_HOME,
which means that the same directory is used for all relative path resolutions.

The administration and manager web applications, which are defined in the
$CATALINA_BASE/conf/Catalina/localhost/admin.xml
and 
$CATALINA_BASE/conf/Catalina/localhost/manager.xml files, will
not run in that configuration, unless either:
- The path specified in the docBase attribute of the Context element is made
  absolute, and replaced respectively by $CATALINA_HOME/server/webapps/admin
  and $CATALINA_HOME/server/webapps/manager
- Both web applications are copied or moved to $CATALINA_BASE, 
  and the path specified in the docBase attribute of the Context
  element is modified appropriately.
- Both web applications are disabled by removing
  $CATALINA_BASE/conf/Catalina/localhost/admin.xml
  and
  $CATALINA_BASE/conf/Catalina/localhost/manager.xml.
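As an added example (not part of RUNNING.txt, Tomcat or the blog post), the Python below lays out a personal CATALINA_BASE next to a shared CATALINA_HOME the way the list above describes: the directories Tomcat resolves against catalina.base, a private copy of conf/ (so the instance gets its own server.xml and therefore its own ports), and the third option for the admin and manager applications, removing their descriptors, which also keeps the manager application out of a throw-away lab instance. make_stub_home builds a constructed, minimal Tomcat tree so the script runs without a real installation; the function names are mine, and the start command relies on catalina.sh / catalina.bat turning the CATALINA_BASE environment variable into the -Dcatalina.base argument.

```python
import os
import shutil
import tempfile

# Directories Tomcat resolves against catalina.base (the list in RUNNING.txt).
BASE_DIRS = ("conf", "logs", "shared/classes", "shared/lib", "webapps", "work", "temp")

# Context descriptors of the admin and manager apps; they point at
# $CATALINA_HOME/server/webapps and do not run unmodified in a separate base.
PRIVILEGED_APPS = ("admin.xml", "manager.xml")


def make_catalina_base(catalina_home, catalina_base, keep_manager_apps=False):
    """Create a per-user instance directory next to a shared Tomcat install.

    conf/ is copied from catalina_home so the instance gets its own server.xml;
    the admin/manager descriptors are removed unless asked for (option three
    above). Returns the list of descriptors that were removed."""
    for d in BASE_DIRS:
        os.makedirs(os.path.join(catalina_base, d), exist_ok=True)
    shutil.copytree(os.path.join(catalina_home, "conf"),
                    os.path.join(catalina_base, "conf"), dirs_exist_ok=True)
    removed = []
    if not keep_manager_apps:
        for name in PRIVILEGED_APPS:
            path = os.path.join(catalina_base, "conf", "Catalina", "localhost", name)
            if os.path.exists(path):
                os.remove(path)
                removed.append(name)
    return removed


def startup_command(catalina_home, catalina_base, windows=False):
    """The start command for this instance. catalina.sh / catalina.bat pass
    CATALINA_BASE to the JVM as -Dcatalina.base."""
    if windows:
        return "set CATALINA_BASE=%s\n%s\\bin\\startup.bat" % (catalina_base, catalina_home)
    return 'CATALINA_BASE="%s" "%s/bin/startup.sh"' % (catalina_base, catalina_home)


def make_stub_home(root):
    """Constructed stand-in for a Tomcat 5.5 tree holding only the files this
    example touches, so it runs without a real installation."""
    home = os.path.join(root, "jakarta-tomcat-5")
    localhost = os.path.join(home, "conf", "Catalina", "localhost")
    os.makedirs(localhost)
    os.makedirs(os.path.join(home, "bin"))
    with open(os.path.join(home, "conf", "server.xml"), "w") as f:
        f.write('<Server port="8005" shutdown="SHUTDOWN"/>\n')
    for name in PRIVILEGED_APPS:  # contents are irrelevant here
        with open(os.path.join(localhost, name), "w") as f:
            f.write('<Context privileged="true"/>\n')
    return home


def build_demo_instance():
    """Stub home plus one instance under a fresh temp dir; returns
    (catalina_base, removed descriptors, start command)."""
    root = tempfile.mkdtemp(prefix="tomcat-lab-")
    home = make_stub_home(root)
    base = os.path.join(root, "webgoat-instance")
    removed = make_catalina_base(home, base)
    return base, removed, startup_command(home, base)


if __name__ == "__main__":
    base, removed, cmd = build_demo_instance()
    print("instance:", base)
    print("removed descriptors:", removed)
    print("start with:", cmd)
```

Point make_catalina_base at a real $CATALINA_HOME to use it; after that, edit the instance's own conf/server.xml so its ports do not collide with other instances on the same host.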


================
Troubleshooting
================

There are only really 3 things likely to go wrong during the stand-alone
Tomcat install:

(1) The most common hiccup is when another web server (or any process for that
    matter) has laid claim to port 8080.  This is the default HTTP port that
    Tomcat attempts to bind to at startup.  To change this, open the file:

       $CATALINA_HOME/conf/server.xml

    and search for '8080'.  Change it to a port that isn't in use, and is
    greater than 1023, as ports below 1024 require superuser access to bind
    under UNIX.

   Restart Tomcat and you're in business.  Be sure that you replace the "8080"
   in the URL you're using to access Tomcat.  For example, if you change the
   port to 1977, you would request the URL http://localhost:1977/ in your browser.

(2) An "out of environment space" error when running the batch files in
    Windows 95, 98, or ME operating systems.

    Right-click on the STARTUP.BAT and SHUTDOWN.BAT files.  Click on
    "Properties", then on the "Memory" tab.  For the "Initial environment" field,
    enter in something like 4096.

    After you click apply, Windows will create shortcuts which you can use
    to start and stop the container.

(3) The 'localhost' machine isn't found.  This could happen if you're behind a
    proxy.  If that's the case, make sure the proxy configuration for your
    browser knows that you shouldn't be going through the proxy to access the
    "localhost".

    In Netscape, this is under Edit/Preferences -> Advanced/Proxies, and in
    Internet Explorer, Tools -> Internet Options -> Connections -> LAN Settings.
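The port change in the blog post above (edit server.xml in Tomcat's conf folder and replace the port that is 80 by default) and troubleshooting item (1) here (search server.xml for 8080) are the same edit, so one example serves both. The Python script below is added for this page and is not code from the post, from WebGoat or from Tomcat. It shows which Connector element to change, refuses privileged ports (which also avoids the need to start WebGoat as root on Linux and OS X), checks that the new port is free before you restart, and sets the Connector's address attribute to 127.0.0.1 so that a deliberately vulnerable application (see WARNING 1 in the WebGoat README) is reachable only from the machine it runs on and not from the LAN. SAMPLE_SERVER_XML is a constructed stand-in with the shape of a Tomcat 5.5 server.xml, and the function names are mine.

```python
import socket
import xml.etree.ElementTree as ET

# Constructed stand-in for $CATALINA_HOME/conf/server.xml (Tomcat 5.5 layout,
# attribute list shortened); not copied from any real installation.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" maxHttpHeaderSize="8192" maxThreads="150"
               enableLookups="false" redirectPort="8443" acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true" />
    <Connector port="8009" enableLookups="false" redirectPort="8443"
               protocol="AJP/1.3" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" />
    </Engine>
  </Service>
</Server>
"""


def is_http_connector(conn):
    """The web port is the Connector with no protocol attribute (HTTP/1.1 is
    the default) or an HTTP one. The AJP connector (8009) and the <Server>
    shutdown port (8005) are the other hits a search for 'port' finds."""
    return "HTTP" in conn.get("protocol", "HTTP/1.1").upper()


def retarget_connectors(xml_text, new_port, bind_address="127.0.0.1"):
    """Return server.xml text with every HTTP connector on new_port and bound
    to bind_address. Raises ValueError for a privileged or impossible port."""
    if not 1024 <= new_port <= 65535:
        raise ValueError("use a port above 1023 (no root/admin needed to bind) and below 65536")
    root = ET.fromstring(xml_text)
    changed = 0
    for conn in root.iter("Connector"):
        if is_http_connector(conn):
            conn.set("port", str(new_port))
            # Loopback only: the lab app stays invisible to the rest of the LAN.
            conn.set("address", bind_address)
            changed += 1
    if changed == 0:
        raise ValueError("no HTTP connector found in server.xml")
    return ET.tostring(root, encoding="unicode")


def http_listeners(xml_text):
    """(port, address) of each HTTP connector; no address means all interfaces."""
    root = ET.fromstring(xml_text)
    return [(int(c.get("port")), c.get("address", "0.0.0.0"))
            for c in root.iter("Connector") if is_http_connector(c)]


def port_is_free(port, address="127.0.0.1"):
    """True if nothing on this host already holds address:port (the
    'another web server has laid claim to the port' failure mode)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((address, port))
        except OSError:
            return False
    return True


if __name__ == "__main__":
    NEW_PORT = 8664  # the port in the blog post's example URL
    if not port_is_free(NEW_PORT):
        raise SystemExit("port %d is already in use; pick another" % NEW_PORT)
    print(retarget_connectors(SAMPLE_SERVER_XML, NEW_PORT))
    print("browse to http://localhost:%d/WebGoat/attack" % NEW_PORT)
```

With the loopback bind, a LAN URL such as the post's http://192.168.0.2:8664/WebGoat/attack stops working by design; use http://localhost:8664/WebGoat/attack instead. xml.etree drops the comments a real server.xml carries, so treat the printed result as a reference for the two attribute edits (port and address on the HTTP Connector) rather than overwriting the real file with it.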

Posted by wrnly