Today as a part of my Computer Scurity course I had to install WebGoat, which is platform for learning how to exploit vulnarabilities in web applications. It could be of great help in learning secure programming practices. It work on top of Java and Tomcat server. As I started the installation I had to face many problems associated with it. Mainly with the versions of JDK and JRE used. I had lost almost half a to solve this problem. So I thought I could share my experience if it could help someone to install WebGoat.
I downloaded WebGoat v5.2 from Sourceforge. Along with the WebGoat-OWASP_Standard-5.2.zip, we also require WebGoat-5.2.war file also. Unzip the WebGoat zip file to your curent directory.Change into the new unzipped directory. Then remove all the files name webgoat in ./tomcat/webapp/ and place the downloaded war file in this directory.
Find out the versions of jre and jdk installed in your system using: java -version
Also find the vakue for the environmental value JAVA_HOME: echo $JAVA_HOME
Open the webgoat.sh file from the root folder. In the function is_java_1dot6 change all the 1.6 to the your current version.
eg: $ java -version
java version “1.7.0_21”
OpenJDK Runtime Environment (IcedTea 2.3.9) (ArchLinux build 7.u21_2.3.9-4-x86_64)
OpenJDK 64-Bit Server VM (build 23.7-b01, mixed mode)
$ echo $JAVA_HOME
Here java version is shown as 1.7.0_21. Therefore you can replace the older version number given in the shell script to the new version number “1.7“.You have to add below given two lines to the shell script:
Now start the tomcat server.
$ sh webgoat.sh start80 # works on default port of 80
$ sh webgoat.sh start8080 # works on port 8080
Go to http://127.0.0.1/webgoat/attack OR http://127.0.0.1:8080/webgoat/attack in any browser to start using WebGoat interface. If you get an ERROR 403 while starting on port 80, it may be due to IIS that is using that port.
And if it is ERROR 404, check the url you typped on the browser.
I suppose I have included most of the thing that I have done. If there is any change or additions that anyone has to inform me feel free to contact.
New link can be found at abijith-kp.github.io