WebGoat Lab

In this post I’m going to demonstrate how to create a new virtual machine that will be used for assessing your web application security skills. At a high level this will consist of the following components:

Go, let's get started…

  1. Download the CentOS virtual machine.

    • All commands are executed as root until otherwise noted.
    • Machine settings work best with bridged networking and DHCP enabled.
  2. Update the operating system with the latest software patches.

# yum update
# yum upgrade
  3. Change the hostname (HOSTNAME= in /etc/sysconfig/network) and the keyboard layout.
# vi /etc/sysconfig/keyboard
# vi /etc/sysconfig/network
# hostname <insert hostname>
# reboot
  4. Install Java (the CentOS package for Java 7 is java-1.7.0-openjdk).
# yum install java-1.7.0-openjdk
  5. Download and extract Tomcat 7 (use -x to extract; -c would create a new archive).
# wget http://apache.spinellicreations.com/tomcat/tomcat-7/v7.0.47/bin/apache-tomcat-7.0.47.tar.gz
# tar -zxvf apache-tomcat-7.0.47.tar.gz
  6. Download the WebGoat files.
# wget https://webgoat.googlecode.com/files/WebGoat-5.4.war
# wget https://webgoat.googlecode.com/files/README-5.4.txt
  7. Copy the previously downloaded WebGoat-5.4.war to your Tomcat webapps directory.
# cp WebGoat-5.4.war apache-tomcat-7.0.47/webapps/WebGoat.war
  8. Modify tomcat-users.xml and insert the WebGoat users and roles as displayed below:
# vi apache-tomcat-7.0.47/conf/tomcat-users.xml
      <role rolename="webgoat_basic"/>
      <role rolename="webgoat_admin"/>
      <role rolename="webgoat_user"/>
      <role rolename="tomcat"/>
      <user password="webgoat" roles="webgoat_admin" username="webgoat"/>
      <user password="basic" roles="webgoat_user,webgoat_basic" username="basic"/>
      <user password="tomcat" roles="tomcat" username="tomcat"/>
      <user password="guest" roles="webgoat_user" username="guest"/>
  9. Start your Tomcat instance.
# apache-tomcat-7.0.47/bin/startup.sh

On your local machine, open your preferred browser and point to http://localhost:8080/WebGoat/attack
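The steps above, collected into one script as an added example (not from the original post, and not part of WebGoat or Tomcat): it checks the Tomcat tarball before extracting it, inserts the roles and users into tomcat-users.xml without hand-editing and without duplicating them on a re-run, and waits for /WebGoat/attack to answer (200, or 401 from the basic-auth challenge) before declaring the lab ready. It assumes wget, curl and awk are present on the VM; URLs, paths and credentials are those of the post.

```shell
#!/bin/sh
# Added setup script for the lab above; it is not from the original post. URLs, paths
# and credentials are the post's own; wget, curl and awk are assumed to be installed.
set -eu
TOMCAT_URL="http://apache.spinellicreations.com/tomcat/tomcat-7/v7.0.47/bin/apache-tomcat-7.0.47.tar.gz"
WEBGOAT_URL="https://webgoat.googlecode.com/files/WebGoat-5.4.war"
TOMCAT_DIR="apache-tomcat-7.0.47"

# Refuse to extract anything that is not the Tomcat distribution (e.g. an HTML error
# page that wget saved under the tarball name): the listing must contain bin/startup.sh.
verify_tomcat_tarball() {
    tar -tzf "$1" 2>/dev/null | grep -q "^$TOMCAT_DIR/bin/startup.sh\$"
}

# Insert the WebGoat roles and users just before </tomcat-users>. Idempotent: a second
# run adds nothing. Returns 1 if the file has no closing tag to anchor on.
add_webgoat_users() {
    users_xml="$1"
    grep -q '</tomcat-users>' "$users_xml" || return 1
    grep -q 'rolename="webgoat_admin"' "$users_xml" && return 0
    awk '/<\/tomcat-users>/ {
            print "  <role rolename=\"webgoat_basic\"/>"
            print "  <role rolename=\"webgoat_admin\"/>"
            print "  <role rolename=\"webgoat_user\"/>"
            print "  <role rolename=\"tomcat\"/>"
            print "  <user username=\"webgoat\" password=\"webgoat\" roles=\"webgoat_admin\"/>"
            print "  <user username=\"basic\" password=\"basic\" roles=\"webgoat_user,webgoat_basic\"/>"
            print "  <user username=\"tomcat\" password=\"tomcat\" roles=\"tomcat\"/>"
            print "  <user username=\"guest\" password=\"guest\" roles=\"webgoat_user\"/>"
         }
         { print }' "$users_xml" > "$users_xml.tmp" && mv "$users_xml.tmp" "$users_xml"
}

# Full install, run as root on the VM:  sh setup.sh install
install_webgoat() {
    wget -q "$TOMCAT_URL" "$WEBGOAT_URL"
    verify_tomcat_tarball "$TOMCAT_DIR.tar.gz" || { echo "bad Tomcat tarball" >&2; return 1; }
    tar -zxf "$TOMCAT_DIR.tar.gz"
    cp WebGoat-5.4.war "$TOMCAT_DIR/webapps/WebGoat.war"
    add_webgoat_users "$TOMCAT_DIR/conf/tomcat-users.xml"
    "$TOMCAT_DIR/bin/startup.sh"
    for i in 1 2 3 4 5 6 7 8 9 10 11 12; do      # wait up to a minute for deployment
        code=$(curl -s -o /dev/null -w '%{http_code}' http://localhost:8080/WebGoat/attack || true)
        case "$code" in 200|401) echo "WebGoat is up at /WebGoat/attack"; return 0 ;; esac
        sleep 5
    done
    echo "WebGoat did not come up; see $TOMCAT_DIR/logs/catalina.out" >&2; return 1
}
case "${1:-}" in install) install_webgoat ;; esac
```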
