Installing WebGoat.net Using Apache on Ubuntu
At the recent OWASP Snowfroc conference in Denver, Jerry Hoff presented a new OWASP project called WebGoat.net, a .NET application designed for training classes. It is designed to run on Linux using the Apache web server. You could probably also run it on nginx, or even IIS on Windows, if you were so inclined. I wanted to play with the application, and since setup instructions weren’t available on the site, I had to figure it out. It is really quite simple. The following are basic instructions on how to get it running on Ubuntu Server 12.
Install Ubuntu Server. (Don’t add any packages during install.)
Update the OS. (All of the following instructions assume that you are logged in with root permissions.)
    apt-get update ; apt-get upgrade
And install any utilities you might want to use. The unzip package isn’t installed by default, and we will definitely need it later.
    apt-get install openssh-server unzip
Install Mono and Apache:
    apt-get install apache2 mono-apache-server2 libapache2-mod-mono
The above three packages are all that are needed; apt-get will resolve all of the dependencies. (At the point that apt tried to restart apache2, the process hung because of the apache config … from another terminal I shut down apache to get it to continue.)
    apache2ctl stop
Now we can download the web application and install it in the web root directory:
    cd /var/www
    wget http://github.com/jerryhoff/WebGoat.NET/zipball/master
    mv master webgoat.net.zip
    unzip webgoat.net.zip
    mv jerryhoff-WebGoat.*/* .
    rm -fr jerryhoff-WebGoat.* webgoat.net.zip
Don’t forget to update permissions so that the SQLite databases are writable:
    chown -R www-data:www-data /var/www/
Now, update the Apache configuration to pass the requests off to the Mono server:
    vi /etc/apache2/sites-enabled/000-default
After the <Directory /var/www/> section, add the following lines:
    MonoApplications "/WebGoat:/var/www/WebGoat"
    <Location /WebGoat>
        DirectoryIndex "Default.aspx"
        SetHandler mono
    </Location>
Almost done, restart Apache:
    apache2ctl restart
With your web browser, visit http://<your_IP_address>/WebGoat/Content/RebuildDatabase.aspx and rebuild the database. Congratulations, you should have a working webgoat.net installation!
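
If the application does not come up, the Apache edit is the step most easily gotten wrong. The following check is an added example, not part of the original instructions or the WebGoat.net project: it confirms that a vhost file carries the MonoApplications mapping and that SetHandler mono and DirectoryIndex sit inside the <Location /WebGoat> block. The function name check_webgoat_vhost and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): verify the mod_mono wiring
# in an Apache vhost file. Function name and sample configs are constructed.

# check_webgoat_vhost FILE: print each missing item; return 0 only if none.
check_webgoat_vhost() {
    awk '
        /^[ \t]*#/ { next }    # ignore commented-out directives
        /^[ \t]*MonoApplications[ \t]+"?\/WebGoat:\/var\/www\/WebGoat"?[ \t]*$/ { app = 1 }
        /^[ \t]*<Location[ \t]+\/WebGoat>/ { inloc = 1; loc = 1; next }
        /^[ \t]*<\/Location>/              { inloc = 0; next }
        # These two only count when they sit inside <Location /WebGoat>.
        inloc && /^[ \t]*SetHandler[ \t]+mono[ \t]*$/           { handler = 1 }
        inloc && /^[ \t]*DirectoryIndex[ \t]+"?Default\.aspx"?/ { didx = 1 }
        END {
            if (!app)     { print "missing: MonoApplications /WebGoat:/var/www/WebGoat"; bad++ }
            if (!loc)     { print "missing: <Location /WebGoat> block"; bad++ }
            if (!handler) { print "missing: SetHandler mono inside <Location /WebGoat>"; bad++ }
            if (!didx)    { print "missing: DirectoryIndex Default.aspx inside <Location /WebGoat>"; bad++ }
            exit (bad > 0)
        }
    ' "$1"
}

# Constructed samples: one as in the steps above, one with SetHandler misplaced.
tmp=$(mktemp -d)
cat > "$tmp/good.conf" <<'EOF'
<Directory /var/www/>
    AllowOverride None
</Directory>
MonoApplications "/WebGoat:/var/www/WebGoat"
<Location /WebGoat>
    DirectoryIndex "Default.aspx"
    SetHandler mono
</Location>
EOF
cat > "$tmp/bad.conf" <<'EOF'
MonoApplications "/WebGoat:/var/www/WebGoat"
SetHandler mono
<Location /WebGoat>
    DirectoryIndex "Default.aspx"
</Location>
EOF
for f in good bad; do
    if check_webgoat_vhost "$tmp/$f.conf"; then echo "$f.conf: ok"; else echo "$f.conf: fix the items above"; fi
done
rm -rf "$tmp"
```

On the server itself, run the function against /etc/apache2/sites-enabled/000-default before restarting Apache.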