Installing, Configuring, and Building WARD

NCSU Instance

 

The Web Application Reliability and Defense (WARD) framework is a two-part security solution that can be used during code development. WARD is composed of SecureUnit for vulnerability detection and SecureFilter for vulnerability protection. SecureUnit enables developers to write automated, reusable, and customizable JUnit tests to launch attacks on their system to reveal security vulnerabilities.  SecureFilter is a customizable server-side choke point containing a regular expression-based filter to match legal input according to system requirements.

 

These instructions have been tested in the following environment

 

NOTE: Instructions assume Operating System, JDK and Eclipse are installed and functioning properly.


 

0. Before you begin

Be sure (1) you are in the Eclipse workspace that contains your copy of iTrust. We recommend for both speed and compatibility that you place your Eclipse workspace in C:\eclipse\workspace_<unityid> where <unityid> is your unity id. Also be sure that (2) iTrust is compiling and that (3) it is successfully deployed onto your instance of Tomcat. (4) Start Tomcat and (5) start the iTrust application.

 

 

During the installation, if you get the following error:

 

Just click OK and your installation should proceed without further complications.

 


 

1. Installing Maven 2.0 integration 0.0.5 into Eclipse

WARD was implemented in the Maven environment to facilitate building and documentation. Maven (http://maven.apache.org/) is a software project management and comprehension tool.

 

From the Eclipse menu bar,

  1. Help -> Software Updates -> Find and Install -> Search for new features to install -> New Remote Site
  2. Name: Maven 2; URL: http://m2eclipse.codehaus.org/
  3. Click OK. Verify that Maven 2 is checked.  Click Finish. 
  4. Under "0 of 5 selected," uncheck "Show the latest version of a feature only."
  5. Expand Maven 2 -> Maven 2.0 Integration -> Check "integration 0.0.5."
  6. Next. Accept the license agreement.
  7. Be sure "Install Location" is "C:\eclipse" (or your own Eclipse directory, such as c:\Eclipse-3.1\eclipse). Finish.
  8. Install All. Restart the workbench. Select the same workspace.
  9. If you are doing this on your home machine, or you do not have the latest version of Subclipse, repeat the above steps but with the following parameters:

 


 

2. Configuring Maven

Maven now needs to be configured to work in your Java environment:

  1. Go to Start -> Run, and type in "C:\Documents and Settings\<unityid>", where <unityid> is your unity id.
  2. Create a new folder called "Maven."
  3. Back in Eclipse/MyEclipse, go to Window -> Preferences -> Maven2
  4. For local repository folder, click Browse . . .
  5. Find the folder you created in step 2.2 (in your C drive) and, after selecting it, click Apply. OK.
  6. Window -> Preferences -> Java -> Build Path -> Classpath Variables.
  7. Click New . . . Name: M2_REPO. Next to Path, click Folder and select the folder you created in step 2.2. Click OK to add the variable.
  8. Click OK to close the Preferences window.

 


 

3. Installing WARD from the SVN repository at SourceForge.net

 

  1. In Eclipse/MyEclipse, File -> Import -> Checkout Projects from SVN Repository. Next.
  2. Create a new repository location. Next.
  3. URL: https://svn.sourceforge.net/svnroot/ward/trunk (then click Next).
  4. When "Accept Digital Certificate" appears, click "Accept Permanently."
  5. Select the folders "ward", "ward-securefilter" and "ward-secureunit." Click Finish. This may take a minute.

 


 

4. Building WARD

  1. After the Subversion console window says "Checked out revision xx," click the arrow next to the External Tools window (to the right of the standard Run menu).
  2. Click "External Tools . . . "
  3. Select "ward_install_eclipse."
  4. Select the "JRE" tab. Choose the "Alternate JRE" radio button and point this to your JDK installation. (On the lab computers, you will need to click Installed JREs . . . and the installation is located in C:\Program Files\Java\jdk1.5.0_02)
  5. Click Apply. Click Run. 
  6. Right click on the ward project and choose Refresh.
  7. Repeat steps 1-5 for the configuration "ward-securefilter_clean_install_eclipse."
  8. Right click on the ward-securefilter project and choose Refresh.
  9. Repeat steps 1-5 for the configuration "ward-secureunit_clean_install_eclipse."
  10. Right click on the ward-secureunit project and choose Refresh.
  11.  In Package Explorer of Eclipse, expand iTrust -> WebRoot -> WEB-INF -> lib
  12. Right click on the lib directory
  13. Choose Import…
  14. Select File system
  15. Next
  16. Click Browse…
  17. Browse to C:\Documents and Settings\<unityid>\Maven\ward\securefilter\ward-securefilter and select the 1.0-SNAPSHOT folder
  18. OK
  19. Check ward-securefilter-1.0-SNAPSHOT.jar
  20. Finish (Eclipse will rebuild your Eclipse workspace at this point automatically)


5. Deploying WARD

5.1 Type definitions

Now you will need to add the type definitions to your web.xml file. Follow these steps:

  1. Expand iTrust -> WebRoot -> WEB-INF. Open web.xml.
  2. Insert the following text in between the <web-app> tags.
  3. Save.

 

<filter>
 <filter-name>SecureFilter</filter-name>
 <filter-class>ward.securefilter.SecureFilter</filter-class>
</filter>
<filter-mapping>
 <filter-name>SecureFilter</filter-name>
 <url-pattern>/*</url-pattern>
</filter-mapping>

 

So your web.xml file looks like this:

 

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4"
      xmlns="http://java.sun.com/xml/ns/j2ee"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
      http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
   <filter>
    <filter-name>SecureFilter</filter-name>
    <filter-class>ward.securefilter.SecureFilter</filter-class>
   </filter>
   <filter-mapping>
    <filter-name>SecureFilter</filter-name>
    <url-pattern>/*</url-pattern>
   </filter-mapping>
</web-app>

 

 

  4. Stop Tomcat.
  5. Refresh the iTrust project (refresh the WEB-INF folder AND the WEB-INF/lib folder)
  6. Start Tomcat.
  7. In any input field, cookie, or header, insert "javascript:alert('hello')" and send the request to your Web application. You should receive a 403 response.
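
A minimal sketch of the choke-point idea behind the filter mapping above, added here as an illustration; it is not WARD's SecureFilter code. The class name, the package and the LEGAL pattern are assumptions, and it checks only parameters and cookies (headers would need their own per-header patterns).

```java
package example; // hypothetical package, not part of WARD
import java.io.IOException;
import java.util.Enumeration;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.*;

/** Illustrative allow-list choke point; mapped to /* it sees every request first. */
public class AllowListFilter implements Filter {
    // Assumed policy: letters, digits and a small punctuation set, at most 256 chars.
    private static final Pattern LEGAL = Pattern.compile("[A-Za-z0-9 _.,@/=;+*-]{0,256}");

    // matches() anchors the whole value; find() would accept any legal substring.
    static boolean isLegal(String value) {
        return value != null && LEGAL.matcher(value).matches();
    }

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (!parametersLegal(request) || !cookiesLegal(request)) {
            // 403: the request is rejected before any application code runs
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    private static boolean parametersLegal(HttpServletRequest request) {
        Enumeration<?> names = request.getParameterNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            if (!isLegal(name)) return false;
            for (String value : request.getParameterValues(name)) {
                if (!isLegal(value)) return false;
            }
        }
        return true;
    }

    private static boolean cookiesLegal(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies(); // null when no cookies were sent
        if (cookies == null) return true;
        for (Cookie cookie : cookies) {
            if (!isLegal(cookie.getValue())) return false;
        }
        return true;
    }
}
```

The test string from the last step fails this pattern because ":", "(", ")" and the single quote are not in the allowed set, so the request is answered with 403.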

 

5.2 Running a SecureUnit test on iTrust

 

  1. Expand the ward-secureunit project -> src/main/java -> iTrustTests
  2. Right click on the iTrustHomePageTest.java
  3. Run As -> JUnit Test

 

 

NOTE: For your assignment, you will not have to run the external tool, ward-securefilter_clean_install_eclipse or ward-securefilter_install after the initial build, unless you want to make changes to the ward-securefilter project. Once you deploy the ward-securefilter-1.0-SNAPSHOT.jar to the WEB-INF\lib directory you are done with SecureFilter. Also, you will not have to rebuild the ward-secureunit project when you create new test cases.

 

 

 

 

The result of running iTrustHomePageTest.java