I’ve finally found the time to check out OWASP‘s WebGoat. I have been putting this off for a while now, but it’s kept my interest enough to make me keep the zip-files on my desktop for a few weeks already.
My first impression wasn’t too good. I tried running it on Linux first (preferred platform for work/play/goofing around, yes anything) but installation failed miserably. The zip-file containing JDK1.5 only contains Java for Windows. Luckily I have Sun’s JDK1.5 on my Ubuntu machine already so I switched to using the StandAlone version. Now began the fun. There are numerous problems with the shell-scripts:
- they are not executable
- they have DOS line-endings
- the main setup script has a wacky reference to
- all files are read-only (not only the scripts, but all files)
So, after a call to ‘chmod’ to make everything writable, a few calls to
chmod +x on the script files, a quick edit of
webgoat.sh to set
JAVA_HOME to something sane I thought I’d be off. Oh, no! Running
webgoat.sh results in nothing.
netstat -lpt reveals there is some java app listening on port 8005, but pointing my browser to it results in nothing. The total lack of documentation on how to use it didn’t help in my frustration.
After browsing the WebGoat Archives I turned off my Apache2 to free up port 80. Rerun
webgost.sh, still nothing!
Some more browsing the archives revelead that I’m not only one having problems
running WebGoat on Linux , the answer wasn’t too encouraging. I decided to try my luck on (yuck) Windows. Unzip, run the bat-file, point a browser to
http://localhost/. Wow, worked perfectly!
Ok, on to the next problem, where are the lessons? Again, bitten by the lack of documentation it seems. Well, the archive has been saving me before… Again, I’m not the only one having problems the answer was there as well:
http://localhost/WebGoat/attack Username: guest Password: guest
Worked again, and now I can start taking the lessons. Not a great start, but after this bumpy ride I got to the destination. I do hope the WebGoat developers improve on the Linux support and documentation though!