diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..90e78f5
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,31 @@
+FROM tomcat:7.0.63-jre8
+
+# Download WAVSEP
+WORKDIR /tmp/
+
+RUN wget https://github.com/sectooladdict/wavsep/archive/wavsep-v1.5-war.zip
+
+RUN unzip wavsep-v1.5-war.zip
+RUN rm wavsep-v1.5-war.zip
+RUN mv wavsep-wavsep-v1.5-war wavsep
+
+# http://stackoverflow.com/questions/1858463/java-error-only-a-type-can-be-imported-xyz-resolves-to-a-package
+RUN cp -rf wavsep/build/classes/ wavsep/WebContent/WEB-INF/classes/
+
+# The war contains garbage
+RUN rm -rf wavsep/WebContent/WEB-INF.*
+RUN rm -rf "wavsep/WebContent/WEB-INF - Copy"
+RUN rm -rf "wavsep/WebContent/Copy of WEB-INF"
+RUN rm -rf "wavsep/WebContent/WEB-INF (copy)"
+
+# Copy WAVSEP to Tomcat's directory
+WORKDIR /usr/local/tomcat/webapps/
+RUN cp -rf /tmp/wavsep/WebContent/ wavsep
+
+# We need these tools to configure WAVSEP
+RUN apt-get update
+RUN apt-get install -y curl netcat mysql-client
+
+# Configure MySQL and run Tomcat
+ADD docker/run.sh /usr/local/tomcat/bin/wavsep.sh
+CMD ["/usr/local/tomcat/bin/wavsep.sh"]
diff --git a/README-docker.md b/README-docker.md
new file mode 100644
index 0000000..6c60856
--- /dev/null
+++ b/README-docker.md
@@ -0,0 +1 @@
+http://127.0.0.1:8080/wavsep/
\ No newline at end of file
diff --git a/README.md b/README.md
index 86ad095..55a065a 100644
--- a/README.md
+++ b/README.md
@@ -1,36 +1,49 @@
-
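Review bot: The archive fetched by `RUN wget https://github.com/sectooladdict/wavsep/archive/wavsep-v1.5-war.zip` is unzipped and deployed with no integrity check, so the image content depends on whatever that URL serves at build time; verify a known digest in the same RUN, e.g. `RUN wget ... && echo "<EXPECTED_SHA256>  wavsep-v1.5-war.zip" | sha256sum -c -` (placeholder to be filled from a trusted copy of the release). `ADD docker/run.sh /usr/local/tomcat/bin/wavsep.sh` copies a plain local file, so `COPY docker/run.sh /usr/local/tomcat/bin/wavsep.sh` is the conventional form. `RUN apt-get update` in its own layer serves a stale package index on cache hits; merge it with the install and drop the lists in the same layer: `RUN apt-get update && apt-get install -y --no-install-recommends curl netcat mysql-client && rm -rf /var/lib/apt/lists/*`. There is no `USER` directive, so Tomcat and the deliberately vulnerable webapp run as root inside the container; adding a non-root user before `CMD`, or at least a comment stating that this is accepted for the lab image, would make the intent explicit.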
+# WAVSEP +The Web Application Vulnerability Scanner Evaluation Project -

WAVSEP

-

The Web Application Vulnerability Scanner Evaluation Project

-

Alternate Source Code Repository

+## Introduction +WAVSEP is vulnerable web application designed to help assessing the features, quality and accuracy of web application vulnerability scanners. -

-WAVSEP is vulnerable web application designed to help assessing the features, quality and accuracy of web application vulnerability scanners.
-This evaluation platform contains a collection of unique vulnerable web pages that can be used to test the various properties of web application scanners.
-

+This evaluation platform contains a collection of unique vulnerable web pages that can be used to test the various properties of web application scanners. -WAVSEP Home Page    WAVSEP Builds

+## Usage -

-

Previous benchmarks performed using the platform:

-SecToolMarket - A Dynamic Security Benchmark Presentation Platform
-The 2013/2014 comparison of 12 crucial aspects of 63 commercial, SAAS and open source scanners
-The 2012 comparison of 10 crucial aspects of 60 commercial & open source scanners
-The 2011 comparison of 60 commercial & open source scanners
-The 2010 comparison of 42 open source scanners
-

+`WAVSEP` provides a Docker image and `docker-compose` configuration which allows everyone to run WAVSEP with one command: -

-

Copyright

-

-

WAVSEP - The Web Application Vulnerability Scanner Evaluation Project.

+```bash +docker-compose up +``` -

Copyright (C) 2014, Shay Chen.

+After a couple of seconds the database will be setup and WAVSEP will be running at [http://127.0.0.1:8098/wavsep/](http://127.0.0.1:8098/wavsep/) -

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

+## References + * [WAVSEP Home Page](https://code.google.com/p/wavsep/) + * [WAVSEP Builds](https://sourceforge.net/projects/wavsep/) -

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

+## Benchmarks performed using WAVSEP + * [SecToolMarket - A Dynamic Security Benchmark Presentation Platform](http://www.sectoolmarket.com) + * [The 2013/2014 comparison of 12 crucial aspects of 63 commercial, SaaS and open source scanners](http://sectooladdict.blogspot.com/2014/02/wavsep-web-application-scanner.html) + * [The 2012 comparison of 10 crucial aspects of 60 commercial & open source scanners](http://sectooladdict.blogspot.com/2012/07/2012-web-application-scanner-benchmark.html) + * [The 2011 comparison of 60 commercial & open source scanners](http://sectooladdict.blogspot.com/2011/08/commercial-web-application-scanner.html) + * [The 2010 comparison of 42 open source scanners](http://sectooladdict.blogspot.com/2010/12/web-application-scanner-benchmark.html) -

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses.

-
\ No newline at end of file
+## Copyright
+
+```text
+WAVSEP - The Web Application Vulnerability Scanner Evaluation Project.
+
+Copyright (C) 2014, Shay Chen.
+
+This program is free software: you can redistribute it and/or modify it
+under the terms of the GNU General Public License as published by the
+Free Software Foundation, either version 3 of the License, or (at your option)
+any later version.
+
+This program is distributed in the hope that it will be useful, but WITHOUT
+ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with
+this program. If not, see http://www.gnu.org/licenses/
+```
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..f2a49b7
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,11 @@
+wavsep:
+ image: andresriancho/wavsep:latest
+ ports:
+ - "8098:8080"
+ links:
+ - wavsepdb
+
+wavsepdb:
+ image: mysql
+ environment:
+ - MYSQL_ROOT_PASSWORD=wavsep
diff --git a/docker/run.sh b/docker/run.sh
new file mode 100755
index 0000000..a225896
--- /dev/null
+++ b/docker/run.sh
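Review bot: `- "8098:8080"` publishes the deliberately vulnerable WAVSEP instance on every host interface, while the README only documents http://127.0.0.1:8098; bind it to loopback with `- "127.0.0.1:8098:8080"` so the lab is not reachable from the network unless the operator opts in. Both images are unpinned (`andresriancho/wavsep:latest` and a bare `mysql`), so a later `docker-compose up` is not reproducible; the `GRANT ... IDENTIFIED BY` statement that docker/run.sh sends is rejected by MySQL 8.0, so an unpinned `mysql` tag is likely to break the setup at some point — pin a compatible tag, e.g. `image: mysql:5.7`. `MYSQL_ROOT_PASSWORD=wavsep` is acceptable for a throwaway lab only as long as the database port stays unpublished, which it is here; a comment saying so would stop someone from adding a `ports:` entry later.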
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+
+set -e
+
+# Wait for database to get available
+MYSQL_LOOPS="20"
+MYSQL_HOST="wavsepdb"
+MYSQL_PORT="3306"
+
+# Wait for mysql
+i=0
+while ! nc ${MYSQL_HOST} ${MYSQL_PORT} >/dev/null 2>&1 < /dev/null; do
+ i=`expr ${i} + 1`
+ if [ ${i} -ge ${MYSQL_LOOPS} ]; then
+ echo "$(date) - ${MYSQL_HOST}:${MYSQL_PORT} still not reachable, giving up"
+ exit 1
+ fi
+ echo "$(date) - waiting for ${MYSQL_HOST}:${MYSQL_PORT}..."
+ sleep 1
+done
+
+echo
+echo "Start the daemon to process the configuration requests"
+/usr/local/tomcat/bin/catalina.sh run &
+
+WAVSEP_LOOPS="20"
+WAVSEP_HOST="127.0.0.1"
+WAVSEP_PORT="8080"
+
+# Wait for WAVSEP
+i=0
+while ! nc ${WAVSEP_HOST} ${WAVSEP_PORT} >/dev/null 2>&1 < /dev/null; do
+ i=`expr ${i} + 1`
+ if [ ${i} -ge ${WAVSEP_LOOPS} ]; then
+ echo "$(date) - ${WAVSEP_HOST}:${WAVSEP_PORT} still not reachable, giving up"
+ exit 1
+ fi
+ echo "$(date) - waiting for ${WAVSEP_HOST}:${WAVSEP_PORT}..."
+ sleep 1
+done
+
+echo
+echo "Configure the WAVSEP database settings"
+curl --data "username=root&password=wavsep&host=wavsepdb&port=3306&wavsep_username=wavsep&wavsep_password=wavsepPass782" http://localhost:8080/wavsep/wavsep-install/install.jsp
+
+echo
+echo "Re-creating WAVSEP db user"
+echo "drop user 'wavsep'@'wavsepdb';" > grant.sql
+echo "GRANT ALL PRIVILEGES ON *.* TO 'wavsep'@'%' IDENTIFIED BY 'wavsepPass782';" >> grant.sql
+echo "FLUSH PRIVILEGES;" >> grant.sql
+mysql -u root -h ${MYSQL_HOST} -pwavsep < grant.sql
+
+echo
+echo "Killing configuration daemon"
+pkill -f java
+
+echo
+echo "Start the daemon"
+/usr/local/tomcat/bin/catalina.sh run
\ No newline at end of file
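Review bot: The final `/usr/local/tomcat/bin/catalina.sh run` is started as a child of this script, so bash stays PID 1 and the SIGTERM from `docker stop` never reaches Tomcat; it should be `exec /usr/local/tomcat/bin/catalina.sh run` so Tomcat becomes PID 1 and shuts down cleanly. The `curl --data ... install.jsp` call has no `-f`, so an HTTP error from the installer is not a non-zero exit and `set -e` will not stop the script from continuing with a half-configured database; use `curl -fsS --data ...`. `grant.sql` is written to the current directory, which per the Dockerfile's last `WORKDIR` is `/usr/local/tomcat/webapps/`, and it is never removed, leaving a file with the database password next to the deployed webapp; write it to a `mktemp` path and `rm -f` it after the `mysql` call, or feed the statements through a heredoc instead. `mysql ... -pwavsep` also puts the root password on the command line where it is visible in the process list; passing it via `MYSQL_PWD` or a `--defaults-extra-file` avoids that, and `GRANT ALL PRIVILEGES ON *.* TO 'wavsep'@'%'` grants far more than the application schema needs, which is presumably fine for the lab but worth a comment.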