Monday, May 16, 2022

[Research] OWASP WebGoat 8.2.2 Penetration Testing Learning Platform (Windows 10)

2022-05-16

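This is a follow-up to the post below. The last installation went badly and this one went smoothly, so I added this post.

[Research] OWASP WebGoat 8.2.2 and WebWolf 8.2.2 Penetration Testing Learning Platform: Installation and Startup (Windows 2019)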
https://shaurong.blogspot.com/2022/05/owasp-webgoat-822webwolf-822.html

WebGoat is a deliberately insecure web application maintained by OWASP, designed to teach web application security lessons.

Category:OWASP WebGoat Project
https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

Version 8.2.2 was released on 2021-09-05.
https://github.com/WebGoat/WebGoat/releases
The files webgoat-server-8.2.2.jar and webwolf-8.2.2.jar can be downloaded here.

GitHub - WebGoat/WebGoat: WebGoat is a deliberately insecure application
https://github.com/WebGoat/WebGoat
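The page says Java 17 is required, with a command similar to the following:
java   -Dfile.encoding=UTF-8   -jar   webgoat-8.2.3.jar 
(This fails to run; there is a problem the official page does not mention, covered later.)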

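Microsoft Build of OpenJDK
Direct download (the .msi installer is the more convenient format; on that page ".msi" is translated as 「微星」 (Micro-Star), which I find odd to read)

Oracle JDK download
Direct download

After installing Java 17, open any Command Prompt window and run a quick test to confirm the version.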

C:\>java  -version
openjdk version "17.0.1" 2021-10-19 LTS
OpenJDK Runtime Environment Microsoft-28056 (build 17.0.1+12-LTS)
OpenJDK 64-Bit Server VM Microsoft-28056 (build 17.0.1+12-LTS, mixed mode, sharing)

C:\>

Starting WebGoat actually only requires the command below; the -Dfile.encoding=UTF-8 parameter is not needed.

java   -jar   webgoat-server-8.2.2.jar  

Last time, on Windows Server 2019, this failed, but this time on Windows 10 it runs normally, so I added this post.

C:\Users\user1>cd \webgoat

C:\WebGoat>dir
 磁碟區 C 中的磁碟沒有標籤。
 磁碟區序號:  9EEF-3597

 C:\WebGoat 的目錄

2022/05/16  下午 02:57    <DIR>          .
2022/05/16  下午 02:57    <DIR>          ..
2022/05/05  下午 01:39        96,411,569 webgoat-server-8.2.2.jar
2022/05/05  下午 01:40        53,814,896 webwolf-8.2.2.jar
               2 個檔案     150,226,465 位元組
               2 個目錄  85,111,803,904 位元組可用


C:\WebGoat>java -jar webgoat-server-8.2.2.jar
14:58:23.306 [main] INFO org.owasp.webgoat.StartWebGoat - Starting WebGoat with args:

  .   ____          _            __ _ _
 /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
 \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |_\__, | / / / /
 =========|_|==============|___/=/_/_/_/
 :: Spring Boot ::                (v2.4.3)

2022-05-16 14:58:25.342  INFO 4612 --- [           main] org.owasp.webgoat.StartWebGoat           : Starting StartWebGoat v8.2.2 using Java 17.0.2 on DESKTOP-JRE0SVP with PID 4612 (C:\WebGoat\webgoat-server-8.2.2.jar started by user1 in C:\WebGoat)
2022-05-16 14:58:25.405 DEBUG 4612 --- [           main] org.owasp.webgoat.StartWebGoat           : Running with Spring Boot v2.4.3, Spring v5.3.4
2022-05-16 14:58:25.452  INFO 4612 --- [           main] org.owasp.webgoat.StartWebGoat           : No active profile set, falling back to default profiles: default
2022-05-16 14:58:30.276  INFO 4612 --- [           main] .s.d.r.c.RepositoryConfigurationDelegate : Bootstrapping Spring Data JPA repositories in DEFAULT mode.
2022-05-16 14:58:55.420  INFO 4612 --- [           main] .s.d.r.c.RepositoryConfigurationDelegate : Finished Spring Data repository scanning in 556 ms. Found 2 JPA repository interfaces.
2022-05-16 14:58:56.826  WARN 4612 --- [           main] io.undertow.websockets.jsr               : UT026010: Buffer pool was not set on WebSocketDeploymentInfo, the default pool will be used
2022-05-16 14:58:56.842  INFO 4612 --- [           main] io.undertow.servlet                      : Initializing Spring embedded WebApplicationContext
2022-05-16 14:58:56.842  INFO 4612 --- [           main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 31107 ms
2022-05-16 14:58:57.154  INFO 4612 --- [           main] org.owasp.webgoat.HSQLDBDatabaseConfig   : Starting internal database on port 9001 ...
[Server@1bdaa23d]: [Thread[main,5,main]]: checkRunning(false) entered
[Server@1bdaa23d]: [Thread[main,5,main]]: checkRunning(false) exited
[Server@1bdaa23d]: [Thread[main,5,main]]: setDatabaseName(0,webgoat)
[Server@1bdaa23d]: [Thread[main,5,main]]: checkRunning(false) entered
[Server@1bdaa23d]: [Thread[main,5,main]]: checkRunning(false) exited
[Server@1bdaa23d]: [Thread[main,5,main]]: setDatabasePath(0,C:\Users\user1/.webgoat-8.2.2//data/webgoat)
[Server@1bdaa23d]: [Thread[main,5,main]]: checkRunning(false) entered
[Server@1bdaa23d]: [Thread[main,5,main]]: checkRunning(false) exited
[Server@1bdaa23d]: [Thread[main,5,main]]: setDaemon(true)
[Server@1bdaa23d]: [Thread[main,5,main]]: checkRunning(false) entered
[Server@1bdaa23d]: [Thread[main,5,main]]: checkRunning(false) exited
[Server@1bdaa23d]: [Thread[main,5,main]]: setAddress(127.0.0.1)
[Server@1bdaa23d]: [Thread[main,5,main]]: setTrace(false)
[Server@1bdaa23d]: Initiating startup sequence...
[Server@1bdaa23d]: Server socket opened successfully in 16 ms.
2022-05-16 14:58:57.660  INFO 4612 --- [erver @1bdaa23d] hsqldb.db.HSQLDB80CBA9B1AE.ENGINE        : Checkpoint start
2022-05-16 14:58:57.675  INFO 4612 --- [erver @1bdaa23d] hsqldb.db.HSQLDB80CBA9B1AE.ENGINE        : checkpointClose start
2022-05-16 14:58:57.675  INFO 4612 --- [erver @1bdaa23d] hsqldb.db.HSQLDB80CBA9B1AE.ENGINE        : checkpointClose synched
2022-05-16 14:58:57.675  INFO 4612 --- [erver @1bdaa23d] hsqldb.db.HSQLDB80CBA9B1AE.ENGINE        : checkpointClose script done
2022-05-16 14:58:57.723  INFO 4612 --- [erver @1bdaa23d] hsqldb.db.HSQLDB80CBA9B1AE.ENGINE        : checkpointClose end
2022-05-16 14:58:57.730  INFO 4612 --- [erver @1bdaa23d] hsqldb.db.HSQLDB80CBA9B1AE.ENGINE        : Checkpoint end - txts: 1
[Server@1bdaa23d]: Database [index=0, id=0, db=file:C:\Users\user1/.webgoat-8.2.2//data/webgoat, alias=webgoat] opened successfully in 467 ms.
[Server@1bdaa23d]: Startup sequence completed in 498 ms.
[Server@1bdaa23d]: 2022-05-16 06:58:57.746 HSQLDB server 2.5.1 is online on port 9001
[Server@1bdaa23d]: To close normally, connect and execute SHUTDOWN SQL
[Server@1bdaa23d]: From command line, use [Ctrl]+[C] to abort abruptly
2022-05-16 14:58:57.918  INFO 4612 --- [           main] o.f.c.internal.license.VersionPrinter    : Flyway Community Edition 7.1.1 by Redgate
2022-05-16 14:58:58.153  INFO 4612 --- [           main] o.f.c.i.database.base.DatabaseType       : Database: jdbc:hsqldb:hsql://127.0.0.1:9001/webgoat (HSQL Database Engine 2.5)
2022-05-16 14:58:58.231  INFO 4612 --- [           main] o.f.core.internal.database.base.Schema   : Creating schema "container" ...
2022-05-16 14:58:58.231  INFO 4612 --- [           main] o.f.c.i.s.JdbcTableSchemaHistory         : Creating Schema History table "container"."flyway_schema_history" ...
2022-05-16 14:58:58.340  INFO 4612 --- [           main] o.f.core.internal.command.DbMigrate      : Current version of schema "container": null
2022-05-16 14:58:58.371  INFO 4612 --- [           main] o.f.core.internal.command.DbMigrate      : Migrating schema "container" to version "1 - init"
2022-05-16 14:58:58.418  INFO 4612 --- [           main] o.f.core.internal.command.DbMigrate      : Migrating schema "container" to version "2 - version"
2022-05-16 14:58:58.450  INFO 4612 --- [           main] o.f.core.internal.command.DbMigrate      : Successfully applied 2 migrations to schema "container" (execution time 00:00.138s)
2022-05-16 14:58:58.730  INFO 4612 --- [           main] o.hibernate.jpa.internal.util.LogHelper  : HHH000204: Processing PersistenceUnitInfo [name: default]
2022-05-16 14:58:58.919  INFO 4612 --- [           main] org.hibernate.Version                    : HHH000412: Hibernate ORM core version 5.4.28.Final
2022-05-16 14:58:59.184  INFO 4612 --- [           main] o.hibernate.annotations.common.Version   : HCANN000001: Hibernate Commons Annotations {5.1.2.Final}
2022-05-16 14:58:59.519  INFO 4612 --- [           main] org.hibernate.dialect.Dialect            : HHH000400: Using dialect: org.hibernate.dialect.HSQLDialect
2022-05-16 14:59:00.770  INFO 4612 --- [           main] o.h.e.t.j.p.i.JtaPlatformInitiator       : HHH000490: Using JtaPlatform implementation: [org.hibernate.engine.transaction.jta.platform.internal.NoJtaPlatform]
2022-05-16 14:59:00.801  INFO 4612 --- [           main] j.LocalContainerEntityManagerFactoryBean : Initialized JPA EntityManagerFactory for persistence unit 'default'
2022-05-16 14:59:02.340  WARN 4612 --- [           main] o.o.webgoat.lessons.CourseConfiguration  : Lesson: webgoat.title has no endpoints, is this intentionally?
2022-05-16 14:59:02.528  WARN 4612 --- [           main] JpaBaseConfiguration$JpaWebConfiguration : spring.jpa.open-in-view is enabled by default. Therefore, database queries may be performed during view rendering. Explicitly configure spring.jpa.open-in-view to disable this warning
2022-05-16 14:59:02.888  INFO 4612 --- [           main] o.s.s.web.DefaultSecurityFilterChain     : Will secure any request with [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@7affc159, org.springframework.security.web.context.SecurityContextPersistenceFilter@39ffda4a, org.springframework.security.web.header.HeaderWriterFilter@3178219a, org.springframework.security.web.authentication.logout.LogoutFilter@465b38e6, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@72eb6200, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@56e9a474, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@38cedb7d, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@1682c08c, org.springframework.security.web.session.SessionManagementFilter@56476c16, org.springframework.security.web.access.ExceptionTranslationFilter@48a663e9, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@21a9a705]
2022-05-16T14:59:05.338+08:00 [main] WARN FilenoUtil : Native subprocess control requires open access to the JDK IO subsystem
Pass '--add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED' to enable.
2022-05-16 14:59:08.995  INFO 4612 --- [           main] o.s.s.concurrent.ThreadPoolTaskExecutor  : Initializing ExecutorService 'applicationTaskExecutor'
2022-05-16 14:59:09.569  INFO 4612 --- [           main] o.s.b.a.e.web.EndpointLinksResolver      : Exposing 2 endpoint(s) beneath base path '/actuator'
2022-05-16 14:59:09.629  INFO 4612 --- [           main] io.undertow                              : starting server: Undertow - 2.2.4.Final
2022-05-16 14:59:09.645  INFO 4612 --- [           main] org.xnio                                 : XNIO version 3.8.0.Final
2022-05-16 14:59:09.661  INFO 4612 --- [           main] org.xnio.nio                             : XNIO NIO Implementation Version 3.8.0.Final
2022-05-16 14:59:09.848  INFO 4612 --- [           main] org.jboss.threads                        : JBoss Threads version 3.1.0.Final
2022-05-16 14:59:09.911  INFO 4612 --- [           main] o.s.b.w.e.undertow.UndertowWebServer     : Undertow started on port(s) 8080 (http) with context path '/WebGoat'
2022-05-16 14:59:09.942  INFO 4612 --- [           main] org.owasp.webgoat.StartWebGoat           : Started StartWebGoat in 46.175 seconds (JVM running for 49.806)

It runs normally.

http://127.0.0.1:8080/WebGoat
Note that it is HTTP, and note the capitalization of WebGoat.




Check which process is using port 8080

C:\>netstat -nao | find "8080"
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       4612
  TCP    127.0.0.1:8080         127.0.0.1:49753        FIN_WAIT_2      4612
  TCP    127.0.0.1:8080         127.0.0.1:49754        FIN_WAIT_2      4612
  TCP    127.0.0.1:8080         127.0.0.1:49761        FIN_WAIT_2      4612
  TCP    127.0.0.1:8080         127.0.0.1:49765        FIN_WAIT_2      4612
  TCP    127.0.0.1:49753        127.0.0.1:8080         CLOSE_WAIT      6380
  TCP    127.0.0.1:49754        127.0.0.1:8080         CLOSE_WAIT      6380
  TCP    127.0.0.1:49761        127.0.0.1:8080         CLOSE_WAIT      6380
  TCP    127.0.0.1:49765        127.0.0.1:8080         CLOSE_WAIT      6380

C:\>tasklist /fi "pid eq 4612"

映像名稱                       PID 工作階段名稱      工作階段 #    RAM使用量
========================= ======== ================ =========== ============
java.exe                      4612 Console                    1    328,060 K

C:\>  

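(Figure below) On the login screen shown above, click Register New User and create an account; you can then log in.


The left-hand menu follows the order of OWASP Top 10:2017, but the current edition is already OWASP Top 10:2021; the latest WebGoat release, 8.2.2, has not caught up yet.

Home - OWASP Top 10:2021

To stop the program, press Ctrl-C in the Command Prompt window to interrupt it.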

********************************************************************************

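Starting WebWolf

Some challenges require running a local web server. WebWolf can play the attacker's side when solving some of the assignments and challenges in WebGoat. For example, an assignment might require serving a file, connecting back to your own environment, or receiving an e-mail. So that WebGoat can be run without being connected to the Internet, these functions are provided by a tool called WebWolf.

Open another new Command Prompt window, because the original one is still running and has not returned to the prompt, and run the following. (The ports used by the WebGoat site and the database must be the same as those set at startup above, so that WebWolf can find the database system.)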

Microsoft Windows [版本 10.0.19044.1645]
(c) Microsoft Corporation. 著作權所有,並保留一切權利。

C:\Users\user1>cd\webgoat

C:\WebGoat>dir
 磁碟區 C 中的磁碟沒有標籤。
 磁碟區序號:  9EEF-3597

 C:\WebGoat 的目錄

2022/05/16  下午 02:57    <DIR>          .
2022/05/16  下午 02:57    <DIR>          ..
2022/05/05  下午 01:39        96,411,569 webgoat-server-8.2.2.jar
2022/05/05  下午 01:40        53,814,896 webwolf-8.2.2.jar
               2 個檔案     150,226,465 位元組
               2 個目錄  85,090,594,816 位元組可用

C:\WebGoat>java -jar webwolf-8.2.2.jar
It seems the application is startd on a OS with non default UTF-8 encoding:MS950
Please add: -Dfile.encoding=UTF-8

C:\WebGoat>java -Dfile.encoding=UTF-8 -jar webwolf-8.2.2.jar

  .   ____          _            __ _ _
 /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
 \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |_\__, | / / / /
 =========|_|==============|___/=/_/_/_/
 :: Spring Boot ::                (v2.4.3)

2022-05-16 15:04:10.891  INFO 1532 --- [           main] org.owasp.webwolf.WebWolf                : Starting WebWolf v8.2.2 using Java 17.0.2 on DESKTOP-JRE0SVP with PID 1532 (C:\WebGoat\webwolf-8.2.2.jar started by user1 in C:\WebGoat)
2022-05-16 15:04:10.894 DEBUG 1532 --- [           main] org.owasp.webwolf.WebWolf                : Running with Spring Boot v2.4.3, Spring v5.3.4
2022-05-16 15:04:10.910  INFO 1532 --- [           main] org.owasp.webwolf.WebWolf                : No active profile set, falling back to default profiles: default
2022-05-16 15:04:14.424  INFO 1532 --- [           main] .s.d.r.c.RepositoryConfigurationDelegate : Bootstrapping Spring Data JPA repositories in DEFAULT mode.
2022-05-16 15:04:14.581  INFO 1532 --- [           main] .s.d.r.c.RepositoryConfigurationDelegate : Finished Spring Data repository scanning in 137 ms. Found 2 JPA repository interfaces.
2022-05-16 15:04:15.846  WARN 1532 --- [           main] io.undertow.websockets.jsr               : UT026010: Buffer pool was not set on WebSocketDeploymentInfo, the default pool will be used
2022-05-16 15:04:15.878  INFO 1532 --- [           main] io.undertow.servlet                      : Initializing Spring embedded WebApplicationContext
2022-05-16 15:04:15.878  INFO 1532 --- [           main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 4693 ms
2022-05-16 15:04:16.514  INFO 1532 --- [           main] o.hibernate.jpa.internal.util.LogHelper  : HHH000204: Processing PersistenceUnitInfo [name: default]
2022-05-16 15:04:16.702  INFO 1532 --- [           main] org.hibernate.Version                    : HHH000412: Hibernate ORM core version 5.4.28.Final
2022-05-16 15:04:16.998  INFO 1532 --- [           main] o.hibernate.annotations.common.Version   : HCANN000001: Hibernate Commons Annotations {5.1.2.Final}
2022-05-16 15:04:17.554  INFO 1532 --- [           main] org.hibernate.dialect.Dialect            : HHH000400: Using dialect: org.hibernate.dialect.HSQLDialect
2022-05-16 15:04:18.889  INFO 1532 --- [           main] o.h.e.t.j.p.i.JtaPlatformInitiator       : HHH000490: Using JtaPlatform implementation: [org.hibernate.engine.transaction.jta.platform.internal.NoJtaPlatform]
2022-05-16 15:04:18.905  INFO 1532 --- [           main] j.LocalContainerEntityManagerFactoryBean : Initialized JPA EntityManagerFactory for persistence unit 'default'
2022-05-16 15:04:19.602  WARN 1532 --- [           main] JpaBaseConfiguration$JpaWebConfiguration : spring.jpa.open-in-view is enabled by default. Therefore, database queries may be performed during view rendering. Explicitly configure spring.jpa.open-in-view to disable this warning
2022-05-16 15:04:20.206  INFO 1532 --- [           main] o.s.s.web.DefaultSecurityFilterChain     : Will secure any request with [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@1229a2b7, org.springframework.security.web.context.SecurityContextPersistenceFilter@38bb9d7a, org.springframework.security.web.header.HeaderWriterFilter@b606cb6, org.springframework.security.web.authentication.logout.LogoutFilter@8851ce1, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@66273da0, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@78d6447a, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@1f7076bc, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@e5cbff2, org.springframework.security.web.session.SessionManagementFilter@2819c460, org.springframework.security.web.access.ExceptionTranslationFilter@1292071f, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@6ede46f6]
2022-05-16 15:04:20.503  INFO 1532 --- [           main] o.s.s.concurrent.ThreadPoolTaskExecutor  : Initializing ExecutorService 'applicationTaskExecutor'
2022-05-16 15:04:21.268  INFO 1532 --- [           main] o.s.b.a.e.web.EndpointLinksResolver      : Exposing 2 endpoint(s) beneath base path '/actuator'
2022-05-16 15:04:21.331  INFO 1532 --- [           main] io.undertow                              : starting server: Undertow - 2.2.4.Final
2022-05-16 15:04:21.347  INFO 1532 --- [           main] org.xnio                                 : XNIO version 3.8.0.Final
2022-05-16 15:04:21.378  INFO 1532 --- [           main] org.xnio.nio                             : XNIO NIO Implementation Version 3.8.0.Final
2022-05-16 15:04:21.597  INFO 1532 --- [           main] org.jboss.threads                        : JBoss Threads version 3.1.0.Final
2022-05-16 15:04:21.701  INFO 1532 --- [           main] o.s.b.w.e.undertow.UndertowWebServer     : Undertow started on port(s) 9090 (http)
2022-05-16 15:04:21.717  INFO 1532 --- [           main] org.owasp.webwolf.WebWolf                : Started WebWolf in 12.115 seconds (JVM running for 13.165)

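The message shows Undertow started on port(s) 9090 (http)

Connect to

http://localhost:9090/WebWolf

Note that it is HTTP, and note the capitalization of WebWolf.

It automatically redirects to

http://localhost:9090/login

Log in with the username and password just registered in WebGoat.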
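
With both services running, the netstat check from earlier can be extended to all three listening ports that appear in the logs (8080 WebGoat, 9090 WebWolf, 9001 HSQLDB) to confirm that each one is bound to loopback only, which is where a deliberately insecure application belongs. The PowerShell below is an added example, not part of the original post; the function name Get-LabListener and the sample lines are constructed for illustration, and it assumes netstat prints the state as LISTENING, as it does in the output above.

```powershell
# Added example (not from the original post): check that the lab listeners are loopback-only.
# Ports are taken from the startup logs above: 8080 WebGoat, 9090 WebWolf, 9001 HSQLDB.
$LabPorts = 8080, 9090, 9001

function Get-LabListener {
    param(
        [string[]] $NetstatLines,      # text lines from: netstat -nao (blank lines allowed)
        [int[]]    $Ports = $LabPorts
    )
    foreach ($line in $NetstatLines) {
        # Columns: Proto, Local Address, Foreign Address, State, PID
        $f = $line.Trim() -split '\s+'
        # Assumption: the State column reads LISTENING, as in the output on this page.
        if ($f.Count -ne 5 -or $f[0] -ne 'TCP' -or $f[3] -ne 'LISTENING') { continue }

        # Split address and port at the last colon so [::]:8080 parses too.
        $idx  = $f[1].LastIndexOf(':')
        $addr = $f[1].Substring(0, $idx)
        $port = [int]$f[1].Substring($idx + 1)
        if ($Ports -notcontains $port) { continue }

        [pscustomobject]@{
            Port         = $port
            Address      = $addr
            ProcessId    = [int]$f[4]
            LoopbackOnly = ($addr -in @('127.0.0.1', '[::1]'))
        }
    }
}

# Constructed sample: lines 1 and 3 are copied from the netstat output above;
# line 2 is made up to show a wildcard bind that would be reachable from the network.
$sample = @(
    '  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       4612',
    '  TCP    0.0.0.0:9090           0.0.0.0:0              LISTENING       1532',
    '  TCP    127.0.0.1:49753        127.0.0.1:8080         CLOSE_WAIT      6380'
)
Get-LabListener -NetstatLines $sample | Format-Table -AutoSize

# Live check: warn about any lab port that is not bound to loopback.
$exposed = Get-LabListener -NetstatLines (netstat -nao) |
    Where-Object { -not $_.LoopbackOnly }
foreach ($l in $exposed) {
    $name = (Get-Process -Id $l.ProcessId -ErrorAction SilentlyContinue).ProcessName
    Write-Warning "Port $($l.Port) listens on $($l.Address) (PID $($l.ProcessId), $name)"
}
if (-not $exposed) { 'No lab port is listening on a non-loopback address.' }
```

On the constructed sample, the 8080 row reports LoopbackOnly as True and the made-up 9090 row reports False.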



Conclusion: the result was somewhat unexpected. Installation on Windows 10 went smoothly, whereas last time installation on Windows Server 2019 went badly.

(End)

Related

[Research] OWASP WebGoat 8.2.2 Penetration Testing Learning Platform (Windows 10)

[Research] OWASP WebGoat 8.2.2 and WebWolf 8.2.2 Penetration Testing Learning Platform: Installation and Startup (Windows 2019)
https://shaurong.blogspot.com/2022/05/owasp-webgoat-822webwolf-822.html

[Research] OWASP WebGoat 8.0 Installation
http://shaurong.blogspot.com/2018/06/owasp-webgoat-80.html

[Research] OWASP WebGoatFor.Net Installation
http://shaurong.blogspot.com/2016/12/owasp-webgoatfornet.html

[Research] OWASP WebGoat 7.1 Installation
http://shaurong.blogspot.com/2016/12/owasp-webgoat-71.html

[Research] OWASP Zed Attack Proxy (ZAP) 2.4.2, 2.6.0 Penetration Testing and Vulnerability Scanning Tool: Installation and Trial
http://shaurong.blogspot.com/2015/10/owasp-zed-attack-proxy-zap-242.html
