OWASP’s WebGoat, first impression

I’ve finally found the time to check out OWASP‘s WebGoat. I have been putting this off for a while now, but it’s kept my interest enough to make me keep the zip-files on my desktop for a few weeks already.

My first impression wasn’t too good. I tried running it on Linux first (preferred platform for work/play/goofing around, yes anything) but installation failed miserably. The zip-file containing JDK1.5 only contains Java for Windows. Luckily I have Sun’s JDK1.5 on my Ubuntu machine already so I switched to using the StandAlone version. Now began the fun. There are numerous problems with the shell-scripts:

  • they are not executable
  • they have DOS line-endings
  • the main setup script has a wacky reference to JAVA_HOME
  • all files are read-only (not only the scripts, but all files)

So, after a call to ‘chmod’ to make everything writable, a few calls to dos2unix and chmod +x on the script files, a quick edit of webgoat.sh to set JAVA_HOME to something sane I thought I’d be off. Oh, no! Running webgoat.sh results in nothing. netstat -lpt reveals there is some java app listening on port 8005, but pointing my browser to it results in nothing. The total lack of documentation on how to use it didn’t help in my frustration.

After browsing the WebGoat Archives I turned off my Apache2 to free up port 80. Rerun webgost.sh, still nothing!

Some more browsing the archives revelead that I’m not only one having problems running WebGoat on Linux , the answer wasn’t too encouraging. I decided to try my luck on (yuck) Windows. Unzip, run the bat-file, point a browser to http://localhost/. Wow, worked perfectly!

Ok, on to the next problem, where are the lessons? Again, bitten by the lack of documentation it seems. Well, the archive has been saving me before… Again, I’m not the only one having problems the answer was there as well:

http://localhost/WebGoat/attack
Username: guest
Password: guest

Worked again, and now I can start taking the lessons. Not a great start, but after this bumpy ride I got to the destination. I do hope the WebGoat developers improve on the Linux support and documentation though!

Share

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>