dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

#1045: Run build with Java 16

Browse Source
This commit is contained in:
Nanne Baars 2021-09-23 14:04:53 +02:00
parent 9af514f3eb
commit 04d1293a33
No known key found for this signature in database
GPG Key ID: A6D6C06FE4EC14E7
15 changed files with 126 additions and 148 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docker/Dockerfile
View File

@ -1,4 +1,4 @@
FROM openjdk:15-slim
FROM openjdk:16-slim
ARG webgoat_version=8.2.1-SNAPSHOT
ENV webgoat_version_env=${webgoat_version}

2
docker/start.sh
View File

@ -8,9 +8,11 @@ echo "Starting WebGoat..."
java \
-Duser.home=/home/webgoat \
-Dfile.encoding=UTF-8 \
--add-opens java.base/java.lang=ALL-UNNAMED \
--add-opens java.base/java.util=ALL-UNNAMED \
--add-opens java.base/java.lang.reflect=ALL-UNNAMED \
--add-opens java.base/java.text=ALL-UNNAMED \
--add-opens java.desktop/java.beans=ALL-UNNAMED \
--add-opens java.desktop/java.awt.font=ALL-UNNAMED \
--add-opens java.base/sun.nio.ch=ALL-UNNAMED \
--add-opens java.base/java.io=ALL-UNNAMED \

21
pom.xml
View File

@ -8,6 +8,12 @@
<packaging>pom</packaging>
<version>8.2.1-SNAPSHOT</version>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.5.4</version>
</parent>
<name>WebGoat Parent Pom</name>
<description>Parent Pom for the WebGoat Project. A deliberately insecure Web Application</description>
<inceptionYear>2006</inceptionYear>
@ -22,12 +28,6 @@
<url>https://github.com/WebGoat/WebGoat/</url>
</organization>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.4.3</version>
</parent>
<licenses>
<license>
<name>GNU General Public License, version 2</name>
@ -122,22 +122,21 @@
<maven.compiler.source>15</maven.compiler.source>
<maven.compiler.target>15</maven.compiler.target>
<!-- This build number will be ubdated by Travis-CI -->
<build.number>build</build.number>
<!-- Shared properties with plugins and version numbers across submodules-->
<activation.version>1.1.1</activation.version>
<asciidoctorj.version>2.5.2</asciidoctorj.version>
<commons-collections.version>3.2.1</commons-collections.version>
<commons-lang3.version>3.4</commons-lang3.version>
<commons-lang3.version>3.12.0</commons-lang3.version>
<commons-io.version>2.6</commons-io.version>
<guava.version>30.1-jre</guava.version>
<lombok.version>1.18.20</lombok.version>
<wiremock.version>2.27.2</wiremock.version>
<maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version>
<maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version>
<maven-jar-plugin.version>3.1.2</maven-jar-plugin.version>
<maven-javadoc-plugin.version>3.1.1</maven-javadoc-plugin.version>
<maven-source-plugin.version>3.1.0</maven-source-plugin.version>
<maven-surefire-plugin.version>3.0.0-M4</maven-surefire-plugin.version>
<maven-surefire-plugin.version>3.0.0-M5</maven-surefire-plugin.version>
<java.version>15</java.version>
</properties>

10
webgoat-container/pom.xml
View File

@ -17,13 +17,7 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<configuration>
<forkCount>0</forkCount>
<reuseForks>true</reuseForks>
<argLine>
--illegal-access=permit
</argLine>
</configuration>
<version>${maven-surefire-plugin.version}</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
@ -70,7 +64,7 @@
<dependency>
<groupId>org.asciidoctor</groupId>
<artifactId>asciidoctorj</artifactId>
<version>2.4.3</version>
<version>${asciidoctorj.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>

46
webgoat-integration-tests/pom.xml
View File

@ -10,17 +10,17 @@
</parent>
<dependencies>
<dependency>
<dependency>
<groupId>org.seleniumhq.selenium</groupId>
<artifactId>selenium-java</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>io.github.bonigarcia</groupId>
<artifactId>webdrivermanager</artifactId>
<version>4.3.1</version>
<scope>test</scope>
</dependency>
<artifactId>selenium-java</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>io.github.bonigarcia</groupId>
<artifactId>webdrivermanager</artifactId>
<version>4.3.1</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-server</artifactId>
@ -43,16 +43,16 @@
<artifactId>webwolf</artifactId>
<version>${project.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>io.rest-assured</groupId>
<artifactId>rest-assured</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>io.rest-assured</groupId>
<artifactId>rest-assured</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
<build>
@ -62,14 +62,12 @@
<artifactId>maven-surefire-plugin</artifactId>
<version>${maven-surefire-plugin.version}</version>
<configuration>
<forkCount>0</forkCount>
<reuseForks>true</reuseForks>
<!-- Otherwise test will fail with JDK16 -->
<argLine>
--illegal-access=permit
--add-opens java.base/java.lang=ALL-UNNAMED --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.beans=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED --add-opens java.base/sun.nio.ch=ALL-UNNAMED
</argLine>
</configuration>
</plugin>
</plugins>
</build>
</project>

24
webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalTest.java → webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalITTest.java
View File

@ -24,9 +24,8 @@ import java.util.zip.ZipOutputStream;
import static org.junit.jupiter.api.DynamicTest.dynamicTest;
public class PathTraversalTest extends IntegrationTest {
class PathTraversalITTest extends IntegrationTest {
//the JUnit5 way
@TempDir
Path tempDir;
@ -35,8 +34,7 @@ public class PathTraversalTest extends IntegrationTest {
@BeforeEach
@SneakyThrows
public void init() {
fileToUpload = Files.createFile(
tempDir.resolve("test.jpg")).toFile();
fileToUpload = Files.createFile(tempDir.resolve("test.jpg")).toFile();
Files.write(fileToUpload.toPath(), "This is a test".getBytes());
startLesson("PathTraversal");
}
@ -52,7 +50,7 @@ public class PathTraversalTest extends IntegrationTest {
);
}
public void assignment1() throws IOException {
private void assignment1() throws IOException {
MatcherAssert.assertThat(
RestAssured.given()
.when()
@ -66,7 +64,7 @@ public class PathTraversalTest extends IntegrationTest {
.extract().path("lessonCompleted"), CoreMatchers.is(true));
}
public void assignment2() throws IOException {
private void assignment2() throws IOException {
MatcherAssert.assertThat(
RestAssured.given()
.when()
@ -80,7 +78,7 @@ public class PathTraversalTest extends IntegrationTest {
.extract().path("lessonCompleted"), CoreMatchers.is(true));
}
public void assignment3() throws IOException {
private void assignment3() throws IOException {
MatcherAssert.assertThat(
RestAssured.given()
.when()
@ -93,7 +91,7 @@ public class PathTraversalTest extends IntegrationTest {
.extract().path("lessonCompleted"), CoreMatchers.is(true));
}
public void assignment4() throws IOException {
private void assignment4() throws IOException {
var uri = "/WebGoat/PathTraversal/random-picture?id=%2E%2E%2F%2E%2E%2Fpath-traversal-secret";
RestAssured.given().urlEncodingEnabled(false)
.when()
@ -102,17 +100,17 @@ public class PathTraversalTest extends IntegrationTest {
.get(uri)
.then()
.statusCode(200)
.content(CoreMatchers.is("You found it submit the SHA-512 hash of your username as answer"));
.body(CoreMatchers.is("You found it submit the SHA-512 hash of your username as answer"));
checkAssignment("/WebGoat/PathTraversal/random", Map.of("secret", Sha512DigestUtils.shaHex(getWebgoatUser())), true);
}
public void assignment5() throws IOException {
var webGoatHome = System.getProperty("user.dir") + "/target/.webgoat/PathTraversal/" + getWebgoatUser();
private void assignment5() throws IOException {
var webGoatHome = System.getProperty("java.io.tmpdir") + "/webgoat/PathTraversal/" + getWebgoatUser();
webGoatHome = webGoatHome.replaceAll("^[a-zA-Z]:", ""); //Remove C: from the home directory on Windows
var webGoatDirectory = new File(webGoatHome);
var zipFile = new File(webGoatDirectory, "upload.zip");
var zipFile = new File(tempDir.toFile(), "upload.zip");
try (var zos = new ZipOutputStream(new FileOutputStream(zipFile))) {
ZipEntry e = new ZipEntry("../../../../../../../../../../" + webGoatDirectory.toString() + "/image.jpg");
zos.putNextEntry(e);
@ -132,7 +130,7 @@ public class PathTraversalTest extends IntegrationTest {
}
@AfterEach
public void shutdown() {
void shutdown() {
//this will run only once after the list of dynamic tests has run, this is to test if the lesson is marked complete
checkResults("/PathTraversal");
}

6
webgoat-integration-tests/src/test/resources/application-inttest.properties
View File

@ -1,9 +1,9 @@
#In order to run tests a known temp directory is preferred
#that is why these values are used
webgoat.user.directory=${user.dir}/target/.webgoat
webgoat.server.directory=${user.dir}/target/.webgoat
webwolf.fileserver.location=${user.dir}/target/webwolf-fileserver
webgoat.user.directory=${java.io.tmpdir}/webgoat
webgoat.server.directory=${java.io.tmpdir}/webgoat
webwolf.fileserver.location=${java.io.tmpdir}/webwolf-fileserver
#database will get deleted for every mvn clean install
#as these extra properties are read by WebGoat and WebWolf the drop of the tables

24
webgoat-lessons/cross-site-scripting/pom.xml
View File

@ -16,28 +16,4 @@
<version>1.14.2</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.asciidoctor</groupId>
<artifactId>asciidoctor-maven-plugin</artifactId>
<version>1.5.3</version>
<executions>
<execution>
<id>output-html</id>
<phase>generate-resources</phase>
<goals>
<goal>process-asciidoc</goal>
</goals>
<configuration>
<backend>html</backend>
<sourceDirectory>src/main/resources/lessonPlans/en/</sourceDirectory>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</build>
</project>

62
webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat/deserialization/DeserializeTest.java
View File

@ -18,11 +18,11 @@ import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standal
@ExtendWith(MockitoExtension.class)
public class DeserializeTest extends AssignmentEndpointTest {
private MockMvc mockMvc;
private static String OS = System.getProperty("os.name").toLowerCase();
@BeforeEach
private MockMvc mockMvc;
private static String OS = System.getProperty("os.name").toLowerCase();
@BeforeEach
public void setup() {
InsecureDeserializationTask insecureTask = new InsecureDeserializationTask();
init(insecureTask);
@ -31,62 +31,60 @@ public class DeserializeTest extends AssignmentEndpointTest {
@Test
public void success() throws Exception {
if (OS.indexOf("win")>-1) {
mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
if (OS.indexOf("win") > -1) {
mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
.header("x-request-intercepted", "true")
.param("token", SerializationHelper.toString(new VulnerableTaskHolder("wait", "ping localhost -n 5"))))
.andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true)));
} else {
mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
.header("x-request-intercepted", "true")
.param("token", SerializationHelper.toString(new VulnerableTaskHolder("wait", "sleep 5"))))
.andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true)));
}
.andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true)));
} else {
mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
.header("x-request-intercepted", "true")
.param("token", SerializationHelper.toString(new VulnerableTaskHolder("wait", "sleep 5"))))
.andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true)));
}
}
@Test
public void fail() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
.header("x-request-intercepted", "true")
.param("token", SerializationHelper.toString(new VulnerableTaskHolder("delete", "rm *"))))
.andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false)));
.andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false)));
}
@Test
public void wrongVersion() throws Exception {
String token = "rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAECAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfjCR4GIQgMLRSoeHQACmVjaG8gaGVsbG90AAhzYXlIZWxsbw";
String token = "rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAECAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfjCR4GIQgMLRSoeHQACmVjaG8gaGVsbG90AAhzYXlIZWxsbw";
mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
.header("x-request-intercepted", "true")
.param("token", token))
.andExpect(status().isOk())
.andExpect(status().isOk())
.andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("insecure-deserialization.invalidversion"))))
.andExpect(jsonPath("$.lessonCompleted", is(false)));
.andExpect(jsonPath("$.lessonCompleted", is(false)));
}
@Test
public void expiredTask() throws Exception {
String token = "rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAICAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfjCR4IDC0YfvNIeHQACmVjaG8gaGVsbG90AAhzYXlIZWxsbw";
String token = "rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAICAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfjCR4IDC0YfvNIeHQACmVjaG8gaGVsbG90AAhzYXlIZWxsbw";
mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
.header("x-request-intercepted", "true")
.param("token", token))
.andExpect(status().isOk())
.andExpect(status().isOk())
.andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("insecure-deserialization.expired"))))
.andExpect(jsonPath("$.lessonCompleted", is(false)));
.andExpect(jsonPath("$.lessonCompleted", is(false)));
}
@Test
public void checkOtherObject() throws Exception {
String token = "rO0ABXQAVklmIHlvdSBkZXNlcmlhbGl6ZSBtZSBkb3duLCBJIHNoYWxsIGJlY29tZSBtb3JlIHBvd2VyZnVsIHRoYW4geW91IGNhbiBwb3NzaWJseSBpbWFnaW5l";
mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
String token = "rO0ABXQAVklmIHlvdSBkZXNlcmlhbGl6ZSBtZSBkb3duLCBJIHNoYWxsIGJlY29tZSBtb3JlIHBvd2VyZnVsIHRoYW4geW91IGNhbiBwb3NzaWJseSBpbWFnaW5l";
mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
.header("x-request-intercepted", "true")
.param("token", token))
.andExpect(status().isOk())
.andExpect(status().isOk())
.andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("insecure-deserialization.stringobject"))))
.andExpect(jsonPath("$.lessonCompleted", is(false)));
.andExpect(jsonPath("$.lessonCompleted", is(false)));
}
}

17
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileZipSlip.java
View File

@ -7,14 +7,12 @@ import org.owasp.webgoat.session.WebSession;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.ResponseEntity;
import org.springframework.util.FileCopyUtils;
import org.springframework.util.FileSystemUtils;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.multipart.MultipartFile;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.CopyOption;
import java.nio.file.Files;
import java.nio.file.StandardCopyOption;
import java.util.Arrays;
@ -45,22 +43,21 @@ public class ProfileZipSlip extends ProfileUploadBase {
@SneakyThrows
private AttackResult processZipUpload(MultipartFile file) {
var tmpZipDirectory = new File(getWebGoatHomeDirectory(), "/PathTraversal/zip-slip/" + getWebSession().getUserName());
var tmpZipDirectory = Files.createTempDirectory(getWebSession().getUserName());
var uploadDirectory = new File(getWebGoatHomeDirectory(), "/PathTraversal/" + getWebSession().getUserName());
FileSystemUtils.deleteRecursively(uploadDirectory);
Files.createDirectories(tmpZipDirectory.toPath());
var currentImage = getProfilePictureAsBase64();
Files.createDirectories(uploadDirectory.toPath());
byte[] currentImage = getProfilePictureAsBase64();
try {
var uploadedZipFile = new File(tmpZipDirectory, file.getOriginalFilename());
FileCopyUtils.copy(file.getBytes(), uploadedZipFile);
var uploadedZipFile = tmpZipDirectory.resolve(file.getOriginalFilename());
FileCopyUtils.copy(file.getBytes(), uploadedZipFile.toFile());
ZipFile zip = new ZipFile(uploadedZipFile);
ZipFile zip = new ZipFile(uploadedZipFile.toFile());
Enumeration<? extends ZipEntry> entries = zip.entries();
while (entries.hasMoreElements()) {
ZipEntry e = entries.nextElement();
File f = new File(uploadDirectory, e.getName());
File f = new File(tmpZipDirectory.toFile(), e.getName());
InputStream is = zip.getInputStream(e);
Files.copy(is, f.toPath(), StandardCopyOption.REPLACE_EXISTING);
}

2
webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_zip_slip_solution.adoc
View File

@ -8,7 +8,7 @@ curl -o cat.jpg http://localhost:8080/WebGoat/images/cats/1.jpg
zip profile.zip cat.jpg
----
Now let's upload this as our profile image, we can see nothing happens as mentioned in the assignment there is a bug in the software and the result we see on the screen is:
Now let's upload this as our profile image, we can see nothing happens as mentioned in the assignment there is a bug in the software, and the result we see on the screen is:
[source]
----

16
webgoat-lessons/vulnerable-components/pom.xml
View File

@ -35,4 +35,20 @@
<version>1.2</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<version>${maven-surefire-plugin.version}</version>
<configuration>
<!-- Otherwise test will fail with JDK16 -->
<argLine>
--add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED
</argLine>
</configuration>
</plugin>
</plugins>
</build>
</project>

11
webgoat-lessons/xxe/pom.xml
View File

@ -11,21 +11,20 @@
<dependencies>
<dependency>
<groupId>commons-lang</groupId>
<artifactId>commons-lang</artifactId>
<version>2.6</version>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
<version>${commons-lang3.version}</version>
</dependency>
<dependency>
<groupId>org.glassfish.jaxb</groupId>
<artifactId>jaxb-runtime</artifactId>
<version>2.3.0</version>
</dependency>
<dependency>
<groupId>com.github.tomakehurst</groupId>
<artifactId>wiremock</artifactId>
<version>2.27.2</version>
<scope>test</scope>
<scope>test</scope>
<version>${wiremock.version}</version>
</dependency>
</dependencies>

27
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
View File

@ -23,6 +23,7 @@
package org.owasp.webgoat.xxe;
import org.apache.commons.exec.OS;
import org.apache.commons.lang3.exception.ExceptionUtils;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AttackResult;
@ -67,17 +68,17 @@ public class ContentTypeAssignment extends AssignmentEndpoint {
if (null != contentType && contentType.contains(MediaType.APPLICATION_XML_VALUE)) {
String error = "";
try {
boolean secure = false;
if (null != request.getSession().getAttribute("applySecurity")) {
secure = true;
}
boolean secure = false;
if (null != request.getSession().getAttribute("applySecurity")) {
secure = true;
}
Comment comment = comments.parseXml(commentStr, secure);
comments.addComment(comment, false);
if (checkSolution(comment)) {
attackResult = success(this).build();
}
} catch (Exception e) {
error = org.apache.commons.lang.exception.ExceptionUtils.getFullStackTrace(e);
error = ExceptionUtils.getStackTrace(e);
attackResult = failed(this).feedback("xxe.content.type.feedback.xml").output(error).build();
}
}
@ -85,13 +86,13 @@ public class ContentTypeAssignment extends AssignmentEndpoint {
return attackResult;
}
private boolean checkSolution(Comment comment) {
String[] directoriesToCheck = OS.isFamilyMac() || OS.isFamilyUnix() ? DEFAULT_LINUX_DIRECTORIES : DEFAULT_WINDOWS_DIRECTORIES;
boolean success = false;
for (String directory : directoriesToCheck) {
success |= org.apache.commons.lang3.StringUtils.contains(comment.getText(), directory);
}
return success;
}
private boolean checkSolution(Comment comment) {
String[] directoriesToCheck = OS.isFamilyMac() || OS.isFamilyUnix() ? DEFAULT_LINUX_DIRECTORIES : DEFAULT_WINDOWS_DIRECTORIES;
boolean success = false;
for (String directory : directoriesToCheck) {
success |= org.apache.commons.lang3.StringUtils.contains(comment.getText(), directory);
}
return success;
}
}

4
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
View File

@ -23,7 +23,7 @@
package org.owasp.webgoat.xxe;
import org.apache.commons.exec.OS;
import org.apache.commons.lang.exception.ExceptionUtils;
import org.apache.commons.lang3.exception.ExceptionUtils;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AttackResult;
@ -80,7 +80,7 @@ public class SimpleXXE extends AssignmentEndpoint {
return success(this).build();
}
} catch (Exception e) {
error = ExceptionUtils.getFullStackTrace(e);
error = ExceptionUtils.getStackTrace(e);
}
return failed(this).output(error).build();
}