Securing WebGoat with modsecurity - Help needed
Posted by: bin4ry
Date: May 19, 2009 02:16AM

Hi together,

I've seen this "securing webgoat with modsecurity" project (http://www.owasp.org/index.php/Category:OWASP_Securing_WebGoat_using_ModSecurity_Project) and this is exactly what I am looking for:

I'd like to have a vulnerable web-app with a WAF in front of it. Now I'd like to do some assessment tests.

However, unfortunately there are very few tips on how to set up the environment.

Since I couldn't get WebGoat up and running on my Ubuntu 9.04, I installed it on a virtual XP machine. Same for Apache and mod_jk.

First I tried to install mod_jk by downloading it and putting it in {APACHE_INSTALL}/modules/mod_jk.so. I edited {APACHE_INSTALL}/conf/httpd.conf and added:

LoadModule jk_module modules/mod_jk.so

I now tried to use the auto-config method (as described here http://tomcat.apache.org/connectors-doc/webserver_howto/apache.html) by adding the following line at the end of {APACHE_INSTALL}/conf/httpd.conf:

Include C:/Programme/WebGoat-5.2/tomcat/conf/auto/mod_jk.conf

Now I edited {TOMCAT_INSTALL}/conf/server.xml (and server_8080.xml, since I didn't know which one would be the correct one, because I always use webgoat_8080.bat to start Tomcat on port 8080 since Apache is already listening on port 80) and after

<Engine name="Catalina" defaultHost="localhost">

I added

<Listener className="org.apache.jk.config.ApacheConfig" modJk="modules/mod_jk.so" />

After a restart of Tomcat it generated "mod_jk.conf" in {TOMCAT_INSTALL}/conf/auto/

but it is empty!

My questions are:

What am I doing wrong? Do I have to manually set the mod_jk.conf directives in httpd.conf?

How do I proceed? How do I set up mod_proxy?


Thanks for help

Re: Securing WebGoat with modsecurity - Help needed
Posted by: wireghoul
Date: May 19, 2009 02:39AM

Uhm, last time I used WebGoat on Windows it was a simple install and then run procedure.

There are far better venues for Apache technical support than these forums.

[www.justanotherhacker.com]

Re: Securing WebGoat with modsecurity - Help needed
Posted by: nEUrOO
Date: May 25, 2009 10:46AM

I think I remember that WebGoat needs to be installed in C:/webgoatit-5.2 because of some predefined/hardcoded environment paths. Otherwise, grep for the path in different files and look if there are hardcoded paths.

nEUrOO -- http://rgaucher.info -- http://twitter.com/rgaucher
