<?xml version="1.0"?>
<!--
Web.config file for DotNetGoat.
The settings that can be used in this file are documented at
http://www.mono-project.com/Config_system.web and
http://msdn2.microsoft.com/en-us/library/b5ysx397.aspx
-->
<configuration>
<!-- Registers the handler that lets the <log4net> element below be read as a configuration section. -->
<configSections>
<section name="log4net" type="log4net.Config.Log4NetConfigurationSectionHandler, log4net"/>
</configSections>
<!-- debug="true" turns on log4net's own internal diagnostics; it is separate from the DEBUG level set on <root>. -->
<log4net debug="true">
<!-- Size-based rolling file log: App_Data/log.txt is appended to, rolled at 10MB, and up to 10 backups are kept. -->
<!-- NOTE(review): the path is relative and sits inside the web application; confirm the hosting server does not serve App_Data to clients. -->
<appender name="RollingLogFileAppender" type="log4net.Appender.RollingFileAppender">
<file value="App_Data/log.txt"/>
<appendToFile value="true"/>
<rollingStyle value="Size"/>
<maxSizeRollBackups value="10"/>
<maximumFileSize value="10MB"/>
<staticLogFileName value="true"/>
<layout type="log4net.Layout.PatternLayout">
<!-- Line format: level, date, milliseconds since start, short logger name, method name, message, newline. -->
<!-- The message (%m) is written as given; if the application logs request data, strip CR/LF from it first so entries cannot be forged. -->
<conversionPattern value="%-5p %d %5rms %-22.22c{1} %-18.18M - %m%n"/>
</layout>
</appender>
<root>
<!-- DEBUG is the most verbose standard level. Logs at this level often hold request details, so treat the file as sensitive. -->
<level value="DEBUG"/>
<appender-ref ref="RollingLogFileAppender"/>
</root>
</log4net>
<!--
For a description of web.config changes see http://go.microsoft.com/fwlink/?LinkId=235367.
The following attributes can be set on the <httpRuntime> tag.
<system.Web>
<httpRuntime targetFramework="4.7.2" />
</system.Web>
-->
<!--
ASP.NET runtime settings for the whole site.
Several values below are the insecure choice (presumably on purpose, given the application's name and page names).
Each comment states what the setting does and what a hardened deployment would use instead.
-->
<system.web>
<!-- Drops the site map provider named MySqlSiteMapProvider if one is inherited from a parent configuration. -->
<siteMap>
<providers>
<remove name="MySqlSiteMapProvider"/>
</providers>
</siteMap>
<!--
enableHeaderChecking="false" turns off ASP.NET's encoding of carriage return and line feed characters
in response headers, which is a defence against header injection (HTTP response splitting).
The default is true; leave it on unless every header value is validated by the application.
-->
<httpRuntime enableHeaderChecking="false"/>
<!--
Cookie defaults. Both flags are off here: cookies are issued without HttpOnly (readable by page script)
and without Secure (sent over plain HTTP). The hardened form sets httpOnlyCookies="true" and requireSSL="true".
-->
<httpCookies httpOnlyCookies="false" requireSSL="false"/>
<!-- debug="true" builds pages with debug symbols, a development setting; a production deployment sets it to false. -->
<compilation defaultLanguage="C#" debug="true" targetFramework="4.7.2">
<assemblies>
<!--add assembly="System.Web.Mobile, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /-->
<add assembly="Mono.Data.Sqlite, Version=2.0.0.0, Culture=neutral, PublicKeyToken=0738eb9f132ed756"/>
</assemblies>
</compilation>
<!--
mode="Off" sends the detailed ASP.NET error page (exception text and stack trace) to every client, remote ones included.
RemoteOnly, or On with a generic error page, keeps those internals away from remote users.
-->
<customErrors mode="Off"/>
<!--
Forms authentication. The ticket cookie is named customer_login and times out after 30 minutes.
protection="All" encrypts and validates the ticket, but requireSSL="false" lets the cookie travel over plain HTTP.
-->
<authentication mode="Forms">
<forms name="customer_login" timeout="30" loginUrl="~/WebGoatCoins/CustomerLogin.aspx" requireSSL="false" protection="All" path="/">
<!--
passwordFormat="Clear" stores the passwords below as plaintext, readable by anyone who can read this file
(source control, backups, a file disclosure bug). The values are also trivially guessable.
Real accounts belong in a credential store that keeps salted password hashes, not in Web.config.
-->
<credentials passwordFormat="Clear">
<user name="admin" password="admin"/>
<user name="mario" password="luigi"/>
<user name="bob" password="password"/>
</credentials>
</forms>
</authentication>
<!-- Site-wide default: every user, anonymous included, is allowed unless a <location> section overrides it. -->
<authorization>
<allow users="*"/>
</authorization>
<!-- Request tracing is disabled; localOnly="true" would limit the trace viewer to the local machine if it were turned on. -->
<trace enabled="false" localOnly="true" pageOutput="false" requestLimit="10" traceMode="SortByTime"/>
<!--
In-process session state with the session id carried in a cookie.
timeout is in minutes: 20000 is roughly 14 days of inactivity, so a captured session id stays usable for a long time.
-->
<sessionState mode="InProc" cookieless="false" timeout="20000"/>
<!-- Setting cookieless="true" on <sessionState> breaks the app. -->
<globalization requestEncoding="utf-8" responseEncoding="utf-8"/>
<!-- Page defaults: theme, rendering compatibility, and the namespaces imported into every page. -->
<pages styleSheetTheme="Default" controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID">
<namespaces>
<!-- <clear/> discards inherited namespace imports so only the list below applies. -->
<clear/>
<add namespace="System"/>
<add namespace="System.Collections"/>
<add namespace="System.Collections.Generic"/>
<add namespace="System.Collections.Specialized"/>
<add namespace="System.Configuration"/>
<add namespace="System.Text"/>
<add namespace="System.Text.RegularExpressions"/>
<add namespace="System.Web"/>
<add namespace="System.Web.Caching"/>
<add namespace="System.Web.SessionState"/>
<add namespace="System.Web.Security"/>
<add namespace="System.Web.Profile"/>
<add namespace="System.Web.UI"/>
<add namespace="System.Web.UI.WebControls"/>
<add namespace="System.Web.UI.WebControls.WebParts"/>
<add namespace="System.Web.UI.HtmlControls"/>
</namespaces>
</pages>
</system.web>
<!--
<location path="Login.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="App_Themes">
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="resources">
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</location>
-->
<!--
Per-page authorization for Content/VerbTamperingAttack.aspx.
Rules are checked top to bottom and the first match applies: GET is allowed for the user Admin,
then GET and POST are denied for everyone.
Because the deny rule names specific verbs, a request using any other HTTP verb matches neither rule
and falls back to the site-wide <allow users="*"/> in <system.web>.
A deny rule with no verbs attribute, <deny users="*"/>, covers every verb and closes that gap.
NOTE(review): the account in <credentials> is spelled admin; confirm the user name comparison treats Admin as the same user.
-->
<location path="Content/VerbTamperingAttack.aspx">
<system.web>
<authorization>
<allow verbs="GET" users="Admin"/>
<deny verbs="POST,GET" users="*"/>
</authorization>
</system.web>
</location>
</configuration>