WebGoat 5.0 Deployment Guide
Author: Vikas Johari
Date: 16 January 2020
Document Version: v0.1
WebGoat 5.0 Deployment Guide
Fortify SCA 19.x Deployment Guide
Contents
Contents
Introduction
Environment
Building the war file
Deploying the war file
Testing the war file
Tomcat Startup Logs
Micro Focus Trademark Information
Company Details
Introduction
Using the steps below, the WebGoat 5.0 sample code can be deployed on Tomcat, and a DAST scan can then be started against it with WebInspect. This makes it a good application to configure offline for showcasing Fortify features. Fortify SCA ships with the WebGoat 5.0 sample source code in the “C:\Program Files\Fortify\Fortify_SCA_and_Apps_19.2.0\Samples\advanced\webgoat” folder. This document is written as a step-by-step guide to building the war file and deploying it on a Tomcat server on Windows.
Environment
I have used two Windows 2016 VMs to build and deploy: the first machine builds the war file (the SCA machine can be used for this), and the second machine is used to deploy and test the war file.
Build Machine
This machine has the build tools installed and configured to build the war file; the SCA machine can be used as well.
One Windows 2016 – 64 bit VM running SCA 19.2.0 along with JDK 1.8.0_212 and ANT 1.10.7.
Make sure the environment variable JAVA_HOME is set to “C:\Program Files\Java\jdk1.8.0_212” and ANT_HOME is set to “C:\apache-ant”, assuming JDK 1.8.0_212 is installed in its default location and ANT is extracted to “C:\apache-ant”.
Make sure “C:\Program Files\Java\jdk1.8.0_212\bin” and “C:\apache-ant\bin” are added to PATH.
Runtime Machine
This is the machine on which the WebGoat war file will be deployed.
A Windows 2016 – 64 bit VM along with –
•JDK 1.7.0_80 i586 (32bit edition), which can be downloaded from https:///technetwork/java/javase/downloads/java-archive-downloads-javase7-521261.html. It has to be installed in its default location, i.e. C:\Program Files (x86)\Java\jdk1.7.0_80. Set the JAVA_HOME environment variable to “C:\Program Files (x86)\Java\jdk1.7.0_80”.
•Tomcat 5.0.28, downloaded from https:///dist/tomcat/tomcat-5/v5.0.28/bin/jakarta-tomcat-5.0.28.zip and extracted to the “C:\Tomcat5” folder.
Start Tomcat from cmd by running startup.bat in “C:\Tomcat5\bin”. Validate by connecting to http://localhost:8080 in Chrome. Shut Tomcat down by running shutdown.bat in “C:\Tomcat5\bin”.
Building the war file
To build the file, open CMD and change the folder to “C:\Program Files\Fortify\Fortify_SCA_and_Apps_19.2.0\Samples\advanced\webgoat\WebGoat5.0”. Run the command –
ant -Dant.build.javac.target=1.7 clean BuildWindowsWar
It will give a few warnings, but the build will succeed. It generates the “WebGoat-5.0.war” file in the “C:\Program Files\Fortify\Fortify_SCA_and_Apps_19.2.0\Samples\advanced\webgoat\WebGoat5.0\dist\” folder.
Rename “WebGoat-5.0.war” to “WebGoat.war”. The war file is now ready to deploy.
Deploying the war file
Copy the WebGoat.war file to the C:\Tomcat5\webapps folder on the runtime machine and start Tomcat. Validate that the war file has been extracted, then shut Tomcat down.
Open C:\Tomcat5\conf\tomcat-users.xml in Notepad++, remove all of its content, paste the content below into it, then save the XML file.
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<role rolename="webgoat_basic"/>
<role rolename="manager"/>
<role rolename="tomcat"/>
<role rolename="manager-script"/>
<role rolename="admin"/>
<role rolename="admin-gui"/>
<role rolename="manager-gui"/>
<role rolename="webgoat_admin"/>
<role rolename="webgoat_user"/>
<user username="tomcat" password="tomcat" roles="admin,manager,tomcat,manager-gui,admin-gui,manager-script"/>
<user username="webgoat" password="webgoat" roles="webgoat_admin"/>
<user username="basic" password="basic" roles="webgoat_user,webgoat_basic"/>
<user username="guest" password="guest" roles="webgoat_user"/>
</tomcat-users>
This configuration change creates a few users –
•Username “tomcat” with the password “tomcat”: used to access Tomcat’s admin and manager pages, and also used by Jenkins CD to deploy the war file remotely.
•Username “guest” with the password “guest”: used in the WebGoat application’s basic authentication popup to log in as a normal WebGoat user.
•Username “webgoat” with the password “webgoat”: used in the WebGoat application’s basic authentication popup to log in as the WebGoat application admin.
•Username “basic” with the password “basic”: a normal user in WebGoat.
Testing the war file
Start Tomcat 5 and open the URL http://localhost:8080/WebGoat/attack in the browser.
Enter the credentials guest / guest, then click Sign In.
On the Welcome screen, click the “Start WebGoat” button.
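An added check, not part of the original guide, covering the tomcat-users.xml configuration above and the sign-in test: it parses a tomcat-users.xml, verifies that every role a user references is declared, reports which accounts hold Tomcat management roles, confirms the three WebGoat roles exist, and builds the Basic authentication header the /WebGoat/attack popup sends. The embedded XML is a constructed variant of the guide's file with one undeclared role added so the checker has something to report; smoke_test() is a hypothetical helper that needs a running Tomcat and is not called automatically.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Roles that control the container itself (Tomcat 5 manager/admin webapps).
TOMCAT_MGMT_ROLES = {"manager", "admin", "manager-gui", "admin-gui", "manager-script"}
# The three WebGoat roles the guide's tomcat-users.xml declares.
WEBGOAT_ROLES = {"webgoat_admin", "webgoat_user", "webgoat_basic"}

# Constructed variant of the guide's tomcat-users.xml: the "admin" role is
# assigned to user tomcat but never declared, so the checker has something to flag.
SAMPLE_USERS_XML = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<role rolename="webgoat_basic"/>
<role rolename="manager"/>
<role rolename="webgoat_admin"/>
<role rolename="webgoat_user"/>
<user username="tomcat" password="tomcat" roles="admin,manager"/>
<user username="webgoat" password="webgoat" roles="webgoat_admin"/>
<user username="guest" password="guest" roles="webgoat_user"/>
</tomcat-users>"""

def audit_tomcat_users(xml_text):
    """Return (undeclared roles per user, management roles per user, missing WebGoat roles)."""
    root = ET.fromstring(xml_text)
    declared = {r.get("rolename") for r in root.iter("role")}
    undeclared, mgmt = {}, {}
    for user in root.iter("user"):
        name = user.get("username")
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        if roles - declared:
            undeclared[name] = sorted(roles - declared)
        if roles & TOMCAT_MGMT_ROLES:
            mgmt[name] = sorted(roles & TOMCAT_MGMT_ROLES)
    return undeclared, mgmt, sorted(WEBGOAT_ROLES - declared)

def basic_auth_header(username, password):
    """Authorization value the browser sends after the /WebGoat/attack popup login."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def smoke_test(url="http://localhost:8080/WebGoat/attack", username="guest", password="guest"):
    """HTTP status of the lesson entry point; hypothetical helper, needs a running Tomcat."""
    req = Request(url, headers={"Authorization": basic_auth_header(username, password)})
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status
    except HTTPError as err:
        return err.code
```

Run audit_tomcat_users() against the real C:\Tomcat5\conf\tomcat-users.xml after editing it; an empty first and third result means the file matches what the guide expects, and the second result lists which accounts can reach the manager and admin webapps.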
Tomcat Startup Logs
Tomcat startup logs will be as below –
Jan 16, 2020 12:53:51 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Jan 16, 2020 12:53:51 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 380 ms
Jan 16, 2020 12:53:52 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Jan 16, 2020 12:53:52 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/5.0.28
Jan 16, 2020 12:53:52 PM org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
Jan 16, 2020 12:53:52 PM org.apache.catalina.core.StandardHost getDeployer
INFO: Create Host deployer for direct deployment ( non-jmx )
Jan 16, 2020 12:53:52 PM org.apache.catalina.core.StandardHostDeployer install
INFO: Processing Context configuration file URL file:C:\Tomcat5\conf\Catalina\localhost\admin.xml
Jan 16, 2020 12:53:52 PM org.apache.struts.util.PropertyMessageResources <init>
INFO: Initializing, config='org.apache.struts.util.LocalStrings', returnNull=true
Jan 16, 2020 12:53:52 PM org.apache.struts.util.PropertyMessageResources <init>
INFO: Initializing, config='org.apache.struts.action.ActionResources', returnNull=true
Jan 16, 2020 12:53:52 PM org.apache.struts.util.PropertyMessageResources <init>
INFO: Initializing, config='org.apache.webapp.admin.ApplicationResources', returnNull=true
Jan 16, 2020 12:53:52 PM org.apache.catalina.core.StandardHostDeployer install
INFO: Processing Context configuration file URL file:C:\Tomcat5\conf\Catalina\localhost\balancer.xml
Jan 16, 2020 12:53:52 PM org.apache.catalina.core.StandardHostDeployer install
INFO: Processing Context configuration file URL file:C:\Tomcat5\conf\Catalina\localhost\manager.xml
Jan 16, 2020 12:53:52 PM org.apache.catalina.core.StandardHostDeployer install
INFO: Installing web application at context path /WebGoat from URL file:C:/Tomcat5/webapps/WebGoat
Jan 16, 2020 12:53:52 PM org.apache.catalina.loader.WebappClassLoader validateJarFile
INFO: validateJarFile(C:\Tomcat5\webapps\WebGoat\WEB-INF\lib\j2ee.jar) - jar not loaded. See Servlet Spec 2.3, section 9.7.2. Offending class: javax/servlet/Servlet.class
- Unable to find required classes (javax.activation.DataHandler and javax.mail.internet.MimeMultipart). Attachment support is disabled.
Jan 16, 2020 12:53:53 PM org.apache.catalina.core.StandardHostDeployer install
INFO: Installing web application at context path /jsp-examples from URL file:C:\Tomcat5\webapps\jsp-examples
Jan 16, 2020 12:53:53 PM org.apache.catalina.core.StandardHostDeployer install
INFO: Installing web application at context path from URL file:C:\Tomcat5\webapps\ROOT
Jan 16, 2020 12:53:53 PM org.apache.catalina.core.StandardHostDeployer install
INFO: Installing web application at context path /servlets-examples from URL file:C:\Tomcat5\webapps\servlets-examples
Jan 16, 2020 12:53:53 PM org.apache.catalina.core.StandardHostDeployer install
INFO: Installing web application at context path /tomcat-docs from URL file:C:\Tomcat5\webapps\tomcat-docs
Jan 16, 2020 12:53:53 PM org.apache.catalina.core.StandardHostDeployer install
INFO: Installing web application at context path /webdav from URL file:C:\Tomcat5\webapps\webdav
Jan 16, 2020 12:53:53 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Jan 16, 2020 12:53:53 PM mon.ChannelSocket init
INFO: JK2: ajp13 listening on /0.0.0.0:8009
Jan 16, 2020 12:53:53 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/8 config=C:\Tomcat5\conf\jk2.properties
Jan 16, 2020 12:53:53 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 1661 ms
Context Path: C:\Tomcat5\webapps\WebGoat\
PATH: C:/Tomcat5/webapps/WebGoat/database
Database Connection String: jdbc:odbc:;DRIVER=Microsoft Access Driver (*.mdb);DBQ=C:/Tomcat5/webapps/WebGoat/database/webgoat.mdb;PWD=webgoat"
Successful connection to database
Success: creating tables.
Successfully refreshed the database.
Thu Jan 16 12:54:07 IST 2020 | 172.17.5.236:172.17.5.236 | org.owasp.webgoat.lessons.HttpBasics | []
Thu Jan 16 12:54:14 IST 2020 | 172.17.5.236:172.17.5.236 | org.owasp.webgoat.lessons.HttpBasics | [start=Start WebGoat]
PATH: C:/Tomcat5/webapps/WebGoat/database
Database Connection String: jdbc:odbc:;DRIVER=Microsoft Access Driver (*.mdb);DBQ=C:/Tomcat5/webapps/WebGoat/database/webgoat.mdb;PWD=webgoat"
Thu Jan 16 12:54:23 IST 2020 | 172.17.5.236:172.17.5.236 | org.owasp.webgoat.lessons.HttpBasics | [person=Vikas,SUBMIT=Go!,menu=50]
Micro Focus Trademark Information
MICRO FOCUS and the Micro Focus logo, among others, are trademarks or registered trademarks of Micro Focus (IP) Limited or its subsidiaries in the United Kingdom, United States and other countries. All other marks are the property of their respective owners.
Company Details
Company name: Micro Focus International plc
Place of registration: England and Wales
Registered number: 5134647
Registered address: The Lawn, 22-30 Old Bath Road, Berkshire, RG14 1Q
Note: This guide is not official Micro Focus documentation. Please read and refer to the official product documentation for additional information.