From 01421ca822663fa885caac9e2f52efaa9eea0ea2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20Smol=C3=ADk?= Date: Fri, 2 Jun 2017 16:32:10 +0200 Subject: [PATCH] html restrictions lesson --- webgoat-lessons/html-tampering/pom.xml | 34 +++++++ .../owasp/webgoat/plugin/HtmlTampering.java | 63 +++++++++++++ .../webgoat/plugin/HtmlTamperingTask.java | 59 ++++++++++++ .../main/resources/html/HtmlTampering.html | 91 +++++++++++++++++++ .../resources/i18n/WebGoatLabels.properties | 5 + .../lessonPlans/en/HtmlTampering_Intro.adoc | 7 ++ .../lessonPlans/en/HtmlTampering_Task.adoc | 2 + webgoat-lessons/pom.xml | 1 + webgoat-server/pom.xml | 5 + 9 files changed, 267 insertions(+) create mode 100755 webgoat-lessons/html-tampering/pom.xml create mode 100755 webgoat-lessons/html-tampering/src/main/java/org/owasp/webgoat/plugin/HtmlTampering.java create mode 100755 webgoat-lessons/html-tampering/src/main/java/org/owasp/webgoat/plugin/HtmlTamperingTask.java create mode 100755 webgoat-lessons/html-tampering/src/main/resources/html/HtmlTampering.html create mode 100755 webgoat-lessons/html-tampering/src/main/resources/i18n/WebGoatLabels.properties create mode 100755 webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en/HtmlTampering_Intro.adoc create mode 100755 webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en/HtmlTampering_Task.adoc diff --git a/webgoat-lessons/html-tampering/pom.xml b/webgoat-lessons/html-tampering/pom.xml new file mode 100755 index 000000000..44d24a8ce --- /dev/null +++ b/webgoat-lessons/html-tampering/pom.xml @@ -0,0 +1,34 @@ + + 4.0.0 + html-tampering + jar + + org.owasp.webgoat.lesson + webgoat-lessons-parent + 8.0-SNAPSHOT + + + + + org.springframework.boot + spring-boot-starter-test + test + + + org.springframework.security + spring-security-test + 4.1.3.RELEASE + test + + + junit + junit + ${junit.version} + jar + test + + + + + 
diff --git a/webgoat-lessons/html-tampering/src/main/java/org/owasp/webgoat/plugin/HtmlTampering.java b/webgoat-lessons/html-tampering/src/main/java/org/owasp/webgoat/plugin/HtmlTampering.java
new file mode 100755
index 000000000..86223963c
--- /dev/null
+++ b/webgoat-lessons/html-tampering/src/main/java/org/owasp/webgoat/plugin/HtmlTampering.java
@@ -0,0 +1,63 @@
+package org.owasp.webgoat.plugin;
+
+import com.beust.jcommander.internal.Lists;
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.NewLesson;
+
+import java.util.List;
+
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *

+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *

+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *

+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *

+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *

+ * Getting Source ==============
+ *

+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *

+ *
+ * @author WebGoat
+ * @version $Id: $Id
+ * @since October 12, 2016
+ */
+public class HtmlTampering extends NewLesson {
+ @Override
+ public Category getDefaultCategory() {
+ return Category.PARAMETER_TAMPERING;
+ }
+
+ @Override
+ public List getHints() {
+ return Lists.newArrayList();
+ }
+
+ @Override
+ public Integer getDefaultRanking() {
+ return 3;
+ }
+
+ @Override
+ public String getTitle() {
+ return "html-tampering.title";
+ }
+
+ @Override
+ public String getId() {
+ return "HtmlTampering";
+ }
+}
diff --git a/webgoat-lessons/html-tampering/src/main/java/org/owasp/webgoat/plugin/HtmlTamperingTask.java b/webgoat-lessons/html-tampering/src/main/java/org/owasp/webgoat/plugin/HtmlTamperingTask.java
new file mode 100755
index 000000000..a89ba294a
--- /dev/null
+++ b/webgoat-lessons/html-tampering/src/main/java/org/owasp/webgoat/plugin/HtmlTamperingTask.java
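Review bot: `getHints()` returns the raw type `List` and fills it through `com.beust.jcommander.internal.Lists`, an internal package of a command-line parsing library that a lesson class has no reason to depend on. `public List<String> getHints() { return new ArrayList<>(); }` with `java.util.ArrayList` imported yields the same empty list without the foreign dependency, assuming `NewLesson` (declared outside this patch) types the method that way. The header also reads `Copyright (c) 2002 - 20014 Bruce Mayhew`; the same typo is repeated in the HtmlTamperingTask.java header of this commit.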
@@ -0,0 +1,59 @@
+package org.owasp.webgoat.plugin;
+
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+
+/**
+ * *************************************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project
+ * utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; either version 2 of the License, or (at your option) any later
+ * version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
+ *
+ * For details, please see http://webgoat.github.io
+ *
+ * @author Bruce Mayhew WebGoat
+ * @created October 28, 2003
+ */
+@AssignmentPath("/HtmlTampering/task")
+public class HtmlTamperingTask extends AssignmentEndpoint {
+
+ @RequestMapping(method = RequestMethod.POST)
+ public
+ @ResponseBody
+ AttackResult completed(@RequestParam String QTY, @RequestParam String Total) throws IOException {
+ if (Float.parseFloat(QTY) * 2999.99 > Float.parseFloat(Total) + 1) {
+ return trackProgress(success().feedback("html-tampering.tamper.success").build());
+ }
+ return trackProgress(failed().feedback("html-tampering.tamper.failure").build());
+ }
+}
diff --git a/webgoat-lessons/html-tampering/src/main/resources/html/HtmlTampering.html b/webgoat-lessons/html-tampering/src/main/resources/html/HtmlTampering.html
new file mode 100755
index 000000000..552fc8e1b
--- /dev/null
+++ b/webgoat-lessons/html-tampering/src/main/resources/html/HtmlTampering.html
@@ -0,0 +1,91 @@
+ + + + +
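Review bot: `completed` hands both request parameters straight to `Float.parseFloat`, so a non-numeric `QTY` or `Total` — exactly the fields the lesson invites the user to edit — escapes the handler as a `NumberFormatException` instead of being reported as a failed attempt; the parse should be caught and mapped to `failed()`. The comparison itself deliberately trusts the client-supplied total, which is the lesson's point, so the rewrite below is confined to the parse path and leaves the check unchanged. `throws IOException` is declared but nothing in the body can throw it, and the `javax.servlet.http.HttpServletRequest` import is unused. The parameter names `QTY`/`Total` are pinned by the form's field names but break Java naming; `@RequestParam("QTY") String qty` keeps the wire name and gives a conventional local.
```java
    @RequestMapping(method = RequestMethod.POST)
    public
    @ResponseBody
    AttackResult completed(@RequestParam("QTY") String qty, @RequestParam("Total") String total) {
        // Both values come straight from the editable form; a non-numeric value is a failed
        // attempt, not an unhandled exception. The comparison below deliberately trusts the
        // client-supplied total -- that is what this lesson demonstrates.
        float quantity;
        float paid;
        try {
            quantity = Float.parseFloat(qty);
            paid = Float.parseFloat(total);
        } catch (NumberFormatException e) {
            return trackProgress(failed().feedback("html-tampering.tamper.failure").build());
        }
        if (quantity * 2999.99 > paid + 1) {
            return trackProgress(success().feedback("html-tampering.tamper.success").build());
        }
        return trackProgress(failed().feedback("html-tampering.tamper.failure").build());
    }
```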

+ + +
+
+ +
+ +
+
+
+
+ +
+

Shopping Cart

+
+
+ + + + + + + + + + + + + + + +
Shopping Cart Items To Buy NowPriceQuantityTotal
56 inch HDTV (model KTV-551)2999.99 + +
+
+ + + + + + + + + +
The total charged to your credit card:$2999,99 + + + +
+ +
+ + +
+

+
+
+
+
+ diff --git a/webgoat-lessons/html-tampering/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/html-tampering/src/main/resources/i18n/WebGoatLabels.properties new file mode 100755 index 000000000..8084fcf71 --- /dev/null +++ b/webgoat-lessons/html-tampering/src/main/resources/i18n/WebGoatLabels.properties @@ -0,0 +1,5 @@ +html-tampering.title=HTML tampering + + +html-tampering.tamper.success=Well done, you just bought a TV at a discount +html-tampering.tamper.failure=This is too expensive... You need to buy at a cheaper cost! diff --git a/webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en/HtmlTampering_Intro.adoc b/webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en/HtmlTampering_Intro.adoc new file mode 100755 index 000000000..d2dd4b243 --- /dev/null +++ b/webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en/HtmlTampering_Intro.adoc @@ -0,0 +1,7 @@ + +== Concept +Browsers generally offer many options of editing the displayed content. Developers +therefore must be aware that the values sent by the user may have been tampered with. +== Goals +* The user should have a basic understanding of HTML +* The user will be able to exploit editing front end of website diff --git a/webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en/HtmlTampering_Task.adoc b/webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en/HtmlTampering_Task.adoc new file mode 100755 index 000000000..60b07989d --- /dev/null +++ b/webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en/HtmlTampering_Task.adoc @@ -0,0 +1,2 @@ +=== Try it yourself +This is an internet store. Try to buy TV-s for a lower price. diff --git a/webgoat-lessons/pom.xml b/webgoat-lessons/pom.xml index c0bd2241a..79d287f30 100644 --- a/webgoat-lessons/pom.xml +++ b/webgoat-lessons/pom.xml @@ -17,6 +17,7 @@ challenge client-side-filtering cross-site-scripting + html-tampering http-basics http-proxies insecure-login 
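Review bot: The confirmation row prints the total as `$2999,99` with a comma decimal separator while the item price in the cart table reads `2999.99`; the template should use one format, and `2999.99` is the one the server-side check parses. If the field that feeds the `Total` request parameter carries the comma form (the form markup is not legible in this rendering, so this is inferred), `Float.parseFloat` in HtmlTamperingTask would reject even an untouched submission. Worth checking the hidden/readonly inputs alongside the displayed text.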
diff --git a/webgoat-server/pom.xml b/webgoat-server/pom.xml index 2708a0055..bce375377 100644 --- a/webgoat-server/pom.xml +++ b/webgoat-server/pom.xml @@ -101,6 +101,11 @@ cross-site-scripting ${project.version} + + org.owasp.webgoat.lesson + html-tampering + ${project.version} + org.owasp.webgoat.lesson http-basics