From b7afefda0410830f66e0f6bfcf32ba5af67c4ff8 Mon Sep 17 00:00:00 2001
From: Andres Riancho
Date: Fri, 11 Sep 2015 15:07:14 -0300
Subject: [PATCH 1/6] Initial working version of WAVSEP with tomcat (missing: sql DB setup)

---
 Dockerfile | 24 ++++++++++++++++++++++++
 README-docker.md | 1 +
 2 files changed, 25 insertions(+)
 create mode 100644 Dockerfile
 create mode 100644 README-docker.md

diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..7b87f28
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,24 @@
+FROM tomcat:7.0.63-jre8
+
+# Download WAVSEP
+WORKDIR /tmp/
+
+RUN wget https://github.com/sectooladdict/wavsep/archive/wavsep-v1.5-war.zip
+
+RUN unzip wavsep-v1.5-war.zip
+RUN rm wavsep-v1.5-war.zip
+RUN mv wavsep-wavsep-v1.5-war wavsep
+
+# http://stackoverflow.com/questions/1858463/java-error-only-a-type-can-be-imported-xyz-resolves-to-a-package
+RUN cp -rf wavsep/build/classes/ wavsep/WebContent/WEB-INF/classes/
+
+# The war contains garbage
+RUN rm -rf wavsep/WebContent/WEB-INF.*
+RUN rm -rf "wavsep/WebContent/WEB-INF - Copy"
+RUN rm -rf "wavsep/WebContent/Copy of WEB-INF"
+RUN rm -rf "wavsep/WebContent/WEB-INF (copy)"
+
+
+# Copy WAVSEP to Tomcat's directory
+WORKDIR /usr/local/tomcat/webapps/
+RUN cp -rf /tmp/wavsep/WebContent/ wavsep
diff --git a/README-docker.md b/README-docker.md
new file mode 100644
index 0000000..6c60856
--- /dev/null
+++ b/README-docker.md
@@ -0,0 +1 @@
+http://127.0.0.1:8080/wavsep/
\ No newline at end of file

From 392e6c660244b453e007fdc6c90ee35715bcdba7 Mon Sep 17 00:00:00 2001
From: Andres Riancho
Date: Fri, 11 Sep 2015 15:37:59 -0300
Subject: [PATCH 2/6] Adding docker-compose

---
 Dockerfile | 9 ++++++-
 docker-compose.yml | 11 +++++++++
 docker/run.sh | 59 ++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 78 insertions(+), 1 deletion(-)
 create mode 100644 docker-compose.yml
 create mode 100755 docker/run.sh

diff --git a/Dockerfile b/Dockerfile
index 7b87f28..90e78f5 100644
--- a/Dockerfile
+++ b/Dockerfile
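Review bot: The archive fetched by `RUN wget https://github.com/sectooladdict/wavsep/archive/wavsep-v1.5-war.zip` is never verified, so the image content depends on whatever that URL serves at build time; checking a recorded digest in the same step, `RUN wget https://github.com/sectooladdict/wavsep/archive/wavsep-v1.5-war.zip && echo "<EXPECTED_SHA256>  wavsep-v1.5-war.zip" | sha256sum -c -`, makes the build reproducible and tamper-evident. The unzip/rm/mv steps and the four `RUN rm -rf` cleanups are each their own layer, so the deleted zip and the whole `/tmp/wavsep` tree remain in the image history; chaining them with `&&` into the download step, or unpacking in a separate build stage, keeps them out. The stage also never sets `USER`, so Tomcat serves this deliberately vulnerable application as root; a comment such as `# Intended for isolated lab use only; Tomcat runs as root` would at least make that assumption explicit to whoever deploys it.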
@@ -18,7 +18,14 @@ RUN rm -rf "wavsep/WebContent/WEB-INF - Copy"
 RUN rm -rf "wavsep/WebContent/Copy of WEB-INF"
 RUN rm -rf "wavsep/WebContent/WEB-INF (copy)"
-
 
 # Copy WAVSEP to Tomcat's directory
 WORKDIR /usr/local/tomcat/webapps/
 RUN cp -rf /tmp/wavsep/WebContent/ wavsep
+
+# We need these tools to configure WAVSEP
+RUN apt-get update
+RUN apt-get install -y curl netcat mysql-client
+
+# Configure MySQL and run Tomcat
+ADD docker/run.sh /usr/local/tomcat/bin/wavsep.sh
+CMD ["/usr/local/tomcat/bin/wavsep.sh"]
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..f2a49b7
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,11 @@
+wavsep:
+  image: andresriancho/wavsep:latest
+  ports:
+    - "8098:8080"
+  links:
+    - wavsepdb
+
+wavsepdb:
+  image: mysql
+  environment:
+    - MYSQL_ROOT_PASSWORD=wavsep
diff --git a/docker/run.sh b/docker/run.sh
new file mode 100755
index 0000000..a225896
--- /dev/null
+++ b/docker/run.sh
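Review bot: `RUN apt-get update` sits in its own layer, so once cached it is reused unchanged while the following `RUN apt-get install -y curl netcat mysql-client` can be rebuilt against a stale package index; combine them and drop the lists in the same step, `RUN apt-get update && apt-get install -y --no-install-recommends curl netcat mysql-client && rm -rf /var/lib/apt/lists/*`. `ADD docker/run.sh /usr/local/tomcat/bin/wavsep.sh` copies a plain local file, for which `COPY` is the explicit form; `ADD` is meant for archive extraction and URL fetches. The three packages are needed only for the one-time database setup performed by wavsep.sh but stay in the runtime image; a comment stating that trade-off, `# curl/netcat/mysql-client are used by wavsep.sh for first-run DB setup`, makes the extra tooling in the Tomcat image a documented choice rather than an accident.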
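Review bot: `image: mysql` carries no tag and `image: andresriancho/wavsep:latest` floats, so `docker-compose up` pulls whatever is current; docker/run.sh relies on `GRANT ... IDENTIFIED BY`, a form later MySQL releases no longer accept, so the database service in particular should be pinned, `image: mysql:<PINNED_TAG>`. The mapping `- "8098:8080"` publishes a deliberately vulnerable web application on every host interface; since the README directs users to 127.0.0.1, `- "127.0.0.1:8098:8080"` keeps it off the network unless someone explicitly opts in. `MYSQL_ROOT_PASSWORD=wavsep` is duplicated as a literal inside run.sh (`password=wavsep`, `-pwavsep`); a comment here saying the two must be kept in sync prevents silent drift when one of them is changed.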
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+
+set -e
+
+# Wait for database to get available
+MYSQL_LOOPS="20"
+MYSQL_HOST="wavsepdb"
+MYSQL_PORT="3306"
+
+# Wait for mysql
+i=0
+while ! nc ${MYSQL_HOST} ${MYSQL_PORT} >/dev/null 2>&1 < /dev/null; do
+    i=`expr ${i} + 1`
+    if [ ${i} -ge ${MYSQL_LOOPS} ]; then
+        echo "$(date) - ${MYSQL_HOST}:${MYSQL_PORT} still not reachable, giving up"
+        exit 1
+    fi
+    echo "$(date) - waiting for ${MYSQL_HOST}:${MYSQL_PORT}..."
+    sleep 1
+done
+
+echo
+echo "Start the daemon to process the configuration requests"
+/usr/local/tomcat/bin/catalina.sh run &
+
+WAVSEP_LOOPS="20"
+WAVSEP_HOST="127.0.0.1"
+WAVSEP_PORT="8080"
+
+# Wait for WAVSEP
+i=0
+while ! nc ${WAVSEP_HOST} ${WAVSEP_PORT} >/dev/null 2>&1 < /dev/null; do
+    i=`expr ${i} + 1`
+    if [ ${i} -ge ${WAVSEP_LOOPS} ]; then
+        echo "$(date) - ${WAVSEP_HOST}:${WAVSEP_PORT} still not reachable, giving up"
+        exit 1
+    fi
+    echo "$(date) - waiting for ${WAVSEP_HOST}:${WAVSEP_PORT}..."
+    sleep 1
+done
+
+echo
+echo "Configure the WAVSEP database settings"
+curl --data "username=root&password=wavsep&host=wavsepdb&port=3306&wavsep_username=wavsep&wavsep_password=wavsepPass782" http://localhost:8080/wavsep/wavsep-install/install.jsp
+
+echo
+echo "Re-creating WAVSEP db user"
+echo "drop user 'wavsep'@'wavsepdb';" > grant.sql
+echo "GRANT ALL PRIVILEGES ON *.* TO 'wavsep'@'%' IDENTIFIED BY 'wavsepPass782';" >> grant.sql
+echo "FLUSH PRIVILEGES;" >> grant.sql
+mysql -u root -h ${MYSQL_HOST} -pwavsep < grant.sql
+
+echo
+echo "Killing configuration daemon"
+pkill -f java
+
+echo
+echo "Start the daemon"
+/usr/local/tomcat/bin/catalina.sh run
\ No newline at end of file

From 12094aa1e4a48707ceda91d45166b21f4937529e Mon Sep 17 00:00:00 2001
From: Andres Riancho
Date: Fri, 11 Sep 2015 15:50:39 -0300
Subject: [PATCH 3/6] Now it's markdown!

---
 README.md | 55 +++++++++++++++++++++++++++++--------------------------
 1 file changed, 29 insertions(+), 26 deletions(-)

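Review bot: The final `/usr/local/tomcat/bin/catalina.sh run` is started as a child of the script, so PID 1 stays bash and the SIGTERM sent by `docker stop` never reaches Tomcat; it should be `exec /usr/local/tomcat/bin/catalina.sh run`. The `curl --data ... install.jsp` call lacks `-f`, so an HTTP error from the installer still exits 0 and `set -e` lets the script continue into the GRANT against an unconfigured application; `curl -fsS --data ...` makes that failure fatal. `pkill -f java` terminates every matching process rather than the setup instance, and `mysql -u root -h ${MYSQL_HOST} -pwavsep` places the root password on a command line readable by other processes in the container; record the background PID (`/usr/local/tomcat/bin/catalina.sh run & TOMCAT_PID=$!`, later `kill "$TOMCAT_PID"; wait "$TOMCAT_PID" || true`) and pass the password through `MYSQL_PWD` or a `--defaults-extra-file` instead. `grant.sql` is also written into whatever the current directory happens to be and never removed; piping the three statements straight into `mysql` avoids leaving the credential on disk.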
diff --git a/README.md b/README.md
index 86ad095..db7b54a 100644
--- a/README.md
+++ b/README.md
@@ -1,36 +1,39 @@
-
+# WAVSEP
+The Web Application Vulnerability Scanner Evaluation Project
-

WAVSEP

-

The Web Application Vulnerability Scanner Evaluation Project

-

Alternate Source Code Repository

+## Introduction
+WAVSEP is vulnerable web application designed to help assessing the features, quality and accuracy of web application vulnerability scanners.
-

-WAVSEP is vulnerable web application designed to help assessing the features, quality and accuracy of web application vulnerability scanners.
-This evaluation platform contains a collection of unique vulnerable web pages that can be used to test the various properties of web application scanners.
-

+This evaluation platform contains a collection of unique vulnerable web pages that can be used to test the various properties of web application scanners.
-WAVSEP Home Page    WAVSEP Builds

+## References
+ * [WAVSEP Home Page](https://code.google.com/p/wavsep/)
+ * [WAVSEP Builds](https://sourceforge.net/projects/wavsep/)
-

-

Previous benchmarks performed using the platform:

-SecToolMarket - A Dynamic Security Benchmark Presentation Platform
-The 2013/2014 comparison of 12 crucial aspects of 63 commercial, SAAS and open source scanners
-The 2012 comparison of 10 crucial aspects of 60 commercial & open source scanners
-The 2011 comparison of 60 commercial & open source scanners
-The 2010 comparison of 42 open source scanners
-

+## Previous benchmarks performed using the platform
+ * [SecToolMarket - A Dynamic Security Benchmark Presentation Platform](http://www.sectoolmarket.com)
+ * [The 2013/2014 comparison of 12 crucial aspects of 63 commercial, SAAS and open source scanners](http://sectooladdict.blogspot.com/2014/02/wavsep-web-application-scanner.html)
+ * [The 2012 comparison of 10 crucial aspects of 60 commercial & open source scanners](http://sectooladdict.blogspot.com/2012/07/2012-web-application-scanner-benchmark.html)
+ * [The 2011 comparison of 60 commercial & open source scanners](http://sectooladdict.blogspot.com/2011/08/commercial-web-application-scanner.html)
+ * [The 2010 comparison of 42 open source scanners](http://sectooladdict.blogspot.com/2010/12/web-application-scanner-benchmark.html)
+ * []()
-

-

Copyright

-

-

WAVSEP - The Web Application Vulnerability Scanner Evaluation Project.

+## Copyright
-

Copyright (C) 2014, Shay Chen.

+```text
+WAVSEP - The Web Application Vulnerability Scanner Evaluation Project.
-

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

+Copyright (C) 2014, Shay Chen.
-

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

+This program is free software: you can redistribute it and/or modify it
+under the terms of the GNU General Public License as published by the
+Free Software Foundation, either version 3 of the License, or (at your option)
+any later version.
-

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses.

+This program is distributed in the hope that it will be useful, but WITHOUT
+ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
-
\ No newline at end of file
+You should have received a copy of the GNU General Public License along with
+this program. If not, see [http://www.gnu.org/licenses](http://www.gnu.org/licenses/)
+```

From cbc2c4312d9c7dafef09572cb6dbb3cd8c2bac8f Mon Sep 17 00:00:00 2001
From: Andres Riancho
Date: Fri, 11 Sep 2015 15:51:25 -0300
Subject: [PATCH 4/6] Cosmetic

---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index db7b54a..69b7666 100644
--- a/README.md
+++ b/README.md
@@ -16,7 +16,7 @@ This evaluation platform contains a collection of unique vulnerable web pages th
  * [The 2012 comparison of 10 crucial aspects of 60 commercial & open source scanners](http://sectooladdict.blogspot.com/2012/07/2012-web-application-scanner-benchmark.html)
  * [The 2011 comparison of 60 commercial & open source scanners](http://sectooladdict.blogspot.com/2011/08/commercial-web-application-scanner.html)
  * [The 2010 comparison of 42 open source scanners](http://sectooladdict.blogspot.com/2010/12/web-application-scanner-benchmark.html)
- * []()
+
 
 ## Copyright
 
@@ -35,5 +35,5 @@ ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
 
 You should have received a copy of the GNU General Public License along with
-this program. If not, see [http://www.gnu.org/licenses](http://www.gnu.org/licenses/)
+this program. If not, see http://www.gnu.org/licenses/
 ```

From f6c011754c38d9d5d0e099d703ce8a2cb41674b1 Mon Sep 17 00:00:00 2001
From: Andres Riancho
Date: Fri, 11 Sep 2015 15:55:09 -0300
Subject: [PATCH 5/6] Docker help

---
 README.md | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 69b7666..3f4be89 100644
--- a/README.md
+++ b/README.md
@@ -6,13 +6,23 @@ WAVSEP is vulnerable web application designed to help assessing the features, qu
 
 This evaluation platform contains a collection of unique vulnerable web pages that can be used to test the various properties of web application scanners.
 
+## Usage
+
+`WAVSEP` provides a Docker image and `docker-compose` configuration which allows everyone to run WAVSEP with one command:
+
+```bash
+docker-compose up
+```
+
+After a couple of seconds WAVSEP will be running at [http://127.0.0.1:8098/wavsep/](http://127.0.0.1:8098/wavsep/)
+
 ## References
  * [WAVSEP Home Page](https://code.google.com/p/wavsep/)
  * [WAVSEP Builds](https://sourceforge.net/projects/wavsep/)
 
 ## Previous benchmarks performed using the platform
  * [SecToolMarket - A Dynamic Security Benchmark Presentation Platform](http://www.sectoolmarket.com)
- * [The 2013/2014 comparison of 12 crucial aspects of 63 commercial, SAAS and open source scanners](http://sectooladdict.blogspot.com/2014/02/wavsep-web-application-scanner.html)
+ * [The 2013/2014 comparison of 12 crucial aspects of 63 commercial, SaaS and open source scanners](http://sectooladdict.blogspot.com/2014/02/wavsep-web-application-scanner.html)
  * [The 2012 comparison of 10 crucial aspects of 60 commercial & open source scanners](http://sectooladdict.blogspot.com/2012/07/2012-web-application-scanner-benchmark.html)
  * [The 2011 comparison of 60 commercial & open source scanners](http://sectooladdict.blogspot.com/2011/08/commercial-web-application-scanner.html)
  * [The 2010 comparison of 42 open source scanners](http://sectooladdict.blogspot.com/2010/12/web-application-scanner-benchmark.html)

From f2ac414472a2ca5185d8d075f65af1346d2aee0d Mon Sep 17 00:00:00 2001
From: Andres Riancho
Date: Fri, 11 Sep 2015 15:56:36 -0300
Subject: [PATCH 6/6] Cosmetic

---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 3f4be89..55a065a 100644
--- a/README.md
+++ b/README.md
@@ -14,13 +14,13 @@ This evaluation platform contains a collection of unique vulnerable web pages th
 docker-compose up
 ```
 
-After a couple of seconds WAVSEP will be running at [http://127.0.0.1:8098/wavsep/](http://127.0.0.1:8098/wavsep/)
+After a couple of seconds the database will be setup and WAVSEP will be running at [http://127.0.0.1:8098/wavsep/](http://127.0.0.1:8098/wavsep/)
 
 ## References
  * [WAVSEP Home Page](https://code.google.com/p/wavsep/)
  * [WAVSEP Builds](https://sourceforge.net/projects/wavsep/)
 
-## Previous benchmarks performed using the platform
+## Benchmarks performed using WAVSEP
  * [SecToolMarket - A Dynamic Security Benchmark Presentation Platform](http://www.sectoolmarket.com)
  * [The 2013/2014 comparison of 12 crucial aspects of 63 commercial, SaaS and open source scanners](http://sectooladdict.blogspot.com/2014/02/wavsep-web-application-scanner.html)
  * [The 2012 comparison of 10 crucial aspects of 60 commercial & open source scanners](http://sectooladdict.blogspot.com/2012/07/2012-web-application-scanner-benchmark.html)