[OWASP-WEBGOAT]WebGoat - in Windows or Linux?

Bruce Mayhew bruce.mayhew at aspectsecurity.com
Sat Nov 30 15:47:51 EST 2002


Mads

You are not doing anything wrong :)

The unchecked email may eventually send the email but it does not do so now.
Currently, we mimic what the user would see when opening the email message.
The exec'ing of a command should be commented out until the platform
independent sending of email is implemented.  I believe the results you see
on the screen are the same whether or not the exec succeeds.


The Parameter Injection page does not check the platform before issuing the
command.  You can either modify the source to execute a Unix command:

ParameterInjection.java - line 43
    replace
       ec.addElement(exec("cmd.exe /c dir /b " + dir));
    with
       ec.addElement(exec("ls -l " + dir));

or put a platform check in the code to execute the appropriate command.  The
platform stuff should be fixed in the next release.

We noticed the Tomcat version problem a little too late....  Sounds like you
figured it out though.

bruce.
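A platform check of the kind the reply above suggests, written as an added example rather than WebGoat's own code; the class name, isWindows() and listingCommand() are hypothetical, and the exec helper here is a stand-in for the lesson's own ExecResults helper.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Locale;

/**
 * Added example (not WebGoat's code): pick the directory-listing command for
 * the platform the JVM is running on, then run it and report the return code
 * in the style of the ExecResults output quoted in the original message.
 */
public final class PlatformListing {

    /** True when the os.name system property reports a Windows OS. */
    static boolean isWindows() {
        String os = System.getProperty("os.name", "").toLowerCase(Locale.ROOT);
        return os.contains("windows");
    }

    /**
     * Windows keeps the lesson's original "cmd.exe /c dir /b"; any other
     * platform gets the "ls -l" form from the reply. The dir value is passed
     * through unchanged, as the lesson does, so this changes portability only.
     */
    static String[] listingCommand(String dir) {
        return isWindows()
            ? new String[] {"cmd.exe", "/c", "dir", "/b", dir}
            : new String[] {"ls", "-l", dir};
    }

    /** Run the command; return "Returncode: N" (or the exception) plus output. */
    static String exec(String[] cmd) {
        StringBuilder out = new StringBuilder();
        try {
            Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
            try (BufferedReader r = new BufferedReader(
                    new InputStreamReader(p.getInputStream()))) {
                for (String line; (line = r.readLine()) != null; ) {
                    out.append(line).append('\n');
                }
            }
            out.insert(0, "Returncode: " + p.waitFor() + "\n");
        } catch (IOException | InterruptedException e) {
            // Same shape as the "Exception: java.io.IOException: cmd.exe: not
            // found" line seen when the fixed cmd.exe string runs on Linux.
            out.append("Exception: ").append(e).append('\n');
        }
        return out.toString();
    }

    public static void main(String[] args) {
        System.out.println(exec(listingCommand(args.length > 0 ? args[0] : ".")));
    }
}
```

In ParameterInjection.java the fixed string at line 43 would become exec(listingCommand(dir)), leaving the rest of the lesson as it is.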

----- Original Message -----
From: "Mads Rasmussen" <mads at opencs.com.br>
To: <owasp-webgoat at lists.sourceforge.net>
Sent: Wednesday, November 27, 2002 2:18 PM
Subject: [OWASP-WEBGOAT]WebGoat - in Windows or Linux?



It seems that WebGoat only works with Tomcat 4.1.12 (maybe newer
versions as well).

I had problems with 4.0.6 but all went smoothly when I moved to 4.1.12

I encountered some oddities though.

Here is a resume:

1) the 'Unchecked mail' page seems designed to run on a Linux/Unix
platform (you spawn sendmail). I haven't looked at the code but it calls
up cmd, which is a Windows shell. So that didn't work for me in Windows.

And in Windows you don't have the sendmail program :)

In Linux:

ExecResults for 'cmd.exe /c sendmail mads at opencs.com.br'

Returncode: 0
Exception: java.io.IOException: cmd.exe: not found

In Windows:

ExecResults for 'cmd.exe /c sendmail mads at opencs.com.br'

Returncode: 1
Bad return code (expected 0)


2) The parameter injection page that throws a dir listing does not work
in Linux because it tries to spawn the 'cmd' shell once again.

Maybe (most likely) I have misunderstood something

Do you have an idea of what I am doing wrong?

What would be the recommended machine architecture for running this?

Regards,

Mads Rasmussen
Open Communications Security
+55(11)3345-2525



_______________________________________________
OWASP-WEBGOAT mailing list
OWASP-WEBGOAT at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/owasp-webgoat
