Installing WebGoat.net Using Apache on Ubuntu

At the recent OWASP Snowfroc conference in Denver, Jerry Hoff presented a new OWASP project called WebGoat.net, a .NET application designed for training classes.  It is designed to run on Linux using the Apache web server.  You can probably easily also run it on nginx or even IIS on Windows if you were so inclined.  I wanted to play with the application, and since setup instructions weren’t available on the site I had to figure it out.  It is really quite simple.  The following are basic instructions on how to get it running on Ubuntu Server 12.

  Install Ubuntu Server (Don’t add any packages during install.) Update the OS (all of the following instructions assume that you are logged-in with root permissions.)
apt-get update ; apt-get upgrade
And install any utilities you might want to use.  The unzip package isn’t installed by default and we will definitely need it later.
apt-get install openssh-server unzip
Install Mono and Apache:
apt-get install apache2 mono-apache-server2 libapache2-mod-mono
The above three packages are all that are needed, apt-get will resolve all of the dependencies. (At the point that apt tried to restart apache2, the  process hung because of the apache config … from another terminal I shutdown apache to get it continue.)
apache2ctl stop
Now, we can download the web application, and install it in the web root directory:
cd /var/www
wget http://github.com/jerryhoff/WebGoat.NET/zipball/master
mv master webgoat.net.zip
unzip webgoat.net.zip
mv jerryhoff-WebGoat.*/* .
rm -fr jerryhoff-WebGoat.* webgoat.net.zip
Don’t forget to update permissions so that the SQLite databases are writeable:
chown -R www-data:www-data /var/www/
Now, update the Apache configuration to pass the requests off to the Mono server:
vi /etc/apache2/sites-enabled/000-default
After the <Directory /var/www/> section, add the following lines:
MonoApplications "/WebGoat:/var/www/WebGoat"
<Location /WebGoat>
     DirectoryIndex "Default.aspx"
     SetHandler mono
</Location>
Almost done, restart Apache:
apache2ctl restart
With your web-browser visit the http://<your_IP_address>/WebGoat/Content/RebuildDatabase.aspx and rebuild the database. Congratulations, you should have a working webgoat.net installation!