#1045: Run build with Java 16
		| @ -1,4 +1,4 @@ | |||||||
| FROM openjdk:15-slim | FROM openjdk:16-slim | ||||||
|  |  | ||||||
| ARG webgoat_version=8.2.1-SNAPSHOT | ARG webgoat_version=8.2.1-SNAPSHOT | ||||||
| ENV webgoat_version_env=${webgoat_version} | ENV webgoat_version_env=${webgoat_version} | ||||||
|  | |||||||
| @ -8,9 +8,11 @@ echo "Starting WebGoat..." | |||||||
| java \ | java \ | ||||||
|  -Duser.home=/home/webgoat \ |  -Duser.home=/home/webgoat \ | ||||||
|  -Dfile.encoding=UTF-8 \ |  -Dfile.encoding=UTF-8 \ | ||||||
|  |  --add-opens java.base/java.lang=ALL-UNNAMED \ | ||||||
|  --add-opens java.base/java.util=ALL-UNNAMED \ |  --add-opens java.base/java.util=ALL-UNNAMED \ | ||||||
|  --add-opens java.base/java.lang.reflect=ALL-UNNAMED \ |  --add-opens java.base/java.lang.reflect=ALL-UNNAMED \ | ||||||
|  --add-opens java.base/java.text=ALL-UNNAMED \ |  --add-opens java.base/java.text=ALL-UNNAMED \ | ||||||
|  |  --add-opens java.desktop/java.beans=ALL-UNNAMED \ | ||||||
|  --add-opens java.desktop/java.awt.font=ALL-UNNAMED \ |  --add-opens java.desktop/java.awt.font=ALL-UNNAMED \ | ||||||
|  --add-opens java.base/sun.nio.ch=ALL-UNNAMED \ |  --add-opens java.base/sun.nio.ch=ALL-UNNAMED \ | ||||||
|  --add-opens java.base/java.io=ALL-UNNAMED \ |  --add-opens java.base/java.io=ALL-UNNAMED \ | ||||||
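Review bot: The `--add-opens` list extended here is now hand-maintained in two places and already diverges: the Dockerfile opens eight packages, while the surefire `argLine` in the integration-tests pom (the hunk with `<!-- Otherwise test will fail with JDK16 -->`) opens seven and lacks `java.base/java.io`. Each `--add-opens` grants every library on the class path reflective access to that package's internals, so the Dockerfile should record why each entry exists and which copy is authoritative, e.g. `# --add-opens: reflective access required on JDK 16 by <dependency — TODO confirm>; keep in sync with the surefire argLine in the integration-tests pom`. Whether `java.io` is needed at runtime but not under test, or is simply stale, cannot be told from the diff.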
								pom.xml
									
									
									
									
									
								
							| @ -8,6 +8,12 @@ | |||||||
|     <packaging>pom</packaging> |     <packaging>pom</packaging> | ||||||
|     <version>8.2.1-SNAPSHOT</version> |     <version>8.2.1-SNAPSHOT</version> | ||||||
|  |  | ||||||
|  |     <parent> | ||||||
|  |         <groupId>org.springframework.boot</groupId> | ||||||
|  |         <artifactId>spring-boot-starter-parent</artifactId> | ||||||
|  |         <version>2.5.4</version> | ||||||
|  |     </parent> | ||||||
|  |  | ||||||
|     <name>WebGoat Parent Pom</name> |     <name>WebGoat Parent Pom</name> | ||||||
|     <description>Parent Pom for the WebGoat Project. A deliberately insecure Web Application</description> |     <description>Parent Pom for the WebGoat Project. A deliberately insecure Web Application</description> | ||||||
|     <inceptionYear>2006</inceptionYear> |     <inceptionYear>2006</inceptionYear> | ||||||
| @ -22,12 +28,6 @@ | |||||||
|         <url>https://github.com/WebGoat/WebGoat/</url> |         <url>https://github.com/WebGoat/WebGoat/</url> | ||||||
|     </organization> |     </organization> | ||||||
|  |  | ||||||
|     <parent> |  | ||||||
|         <groupId>org.springframework.boot</groupId> |  | ||||||
|         <artifactId>spring-boot-starter-parent</artifactId> |  | ||||||
|         <version>2.4.3</version> |  | ||||||
|     </parent> |  | ||||||
|  |  | ||||||
|     <licenses> |     <licenses> | ||||||
|         <license> |         <license> | ||||||
|             <name>GNU General Public License, version 2</name> |             <name>GNU General Public License, version 2</name> | ||||||
| @ -122,22 +122,21 @@ | |||||||
|         <maven.compiler.source>15</maven.compiler.source> |         <maven.compiler.source>15</maven.compiler.source> | ||||||
|         <maven.compiler.target>15</maven.compiler.target> |         <maven.compiler.target>15</maven.compiler.target> | ||||||
|  |  | ||||||
|         <!-- This build number will be ubdated by Travis-CI --> |  | ||||||
|         <build.number>build</build.number> |  | ||||||
|  |  | ||||||
|         <!-- Shared properties with plugins and version numbers across submodules--> |         <!-- Shared properties with plugins and version numbers across submodules--> | ||||||
|         <activation.version>1.1.1</activation.version> |         <activation.version>1.1.1</activation.version> | ||||||
|  |         <asciidoctorj.version>2.5.2</asciidoctorj.version> | ||||||
|         <commons-collections.version>3.2.1</commons-collections.version> |         <commons-collections.version>3.2.1</commons-collections.version> | ||||||
|         <commons-lang3.version>3.4</commons-lang3.version> |         <commons-lang3.version>3.12.0</commons-lang3.version> | ||||||
|         <commons-io.version>2.6</commons-io.version> |         <commons-io.version>2.6</commons-io.version> | ||||||
|         <guava.version>30.1-jre</guava.version> |         <guava.version>30.1-jre</guava.version> | ||||||
|         <lombok.version>1.18.20</lombok.version> |         <lombok.version>1.18.20</lombok.version> | ||||||
|  |         <wiremock.version>2.27.2</wiremock.version> | ||||||
|         <maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version> |         <maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version> | ||||||
|         <maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version> |         <maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version> | ||||||
|         <maven-jar-plugin.version>3.1.2</maven-jar-plugin.version> |         <maven-jar-plugin.version>3.1.2</maven-jar-plugin.version> | ||||||
|         <maven-javadoc-plugin.version>3.1.1</maven-javadoc-plugin.version> |         <maven-javadoc-plugin.version>3.1.1</maven-javadoc-plugin.version> | ||||||
|         <maven-source-plugin.version>3.1.0</maven-source-plugin.version> |         <maven-source-plugin.version>3.1.0</maven-source-plugin.version> | ||||||
|         <maven-surefire-plugin.version>3.0.0-M4</maven-surefire-plugin.version> |         <maven-surefire-plugin.version>3.0.0-M5</maven-surefire-plugin.version> | ||||||
|         <java.version>15</java.version> |         <java.version>15</java.version> | ||||||
|     </properties> |     </properties> | ||||||
|  |  | ||||||
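Review bot: `maven.compiler.source`, `maven.compiler.target` and `java.version` in this hunk still read `15` while the commit title and the Dockerfile base image move to JDK 16, so the build compiles 15 bytecode and runs it on a 16 runtime. If that split is intentional, a comment next to `<java.version>15</java.version>` saying so would stop the next reader from "fixing" it; if not, all three should move to `16` together. The `build.number` property is removed outright, so any `${build.number}` reference elsewhere in the reactor would now stay uninterpolated — whether one exists is not visible from the diff.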
|  | |||||||
| @ -17,13 +17,7 @@ | |||||||
|             <plugin> |             <plugin> | ||||||
|                 <groupId>org.apache.maven.plugins</groupId> |                 <groupId>org.apache.maven.plugins</groupId> | ||||||
|                 <artifactId>maven-surefire-plugin</artifactId> |                 <artifactId>maven-surefire-plugin</artifactId> | ||||||
|                 <configuration> |                 <version>${maven-surefire-plugin.version}</version> | ||||||
|                     <forkCount>0</forkCount> |  | ||||||
|                     <reuseForks>true</reuseForks> |  | ||||||
|                     <argLine> |  | ||||||
|                         --illegal-access=permit |  | ||||||
|                     </argLine> |  | ||||||
|                 </configuration> |  | ||||||
|             </plugin> |             </plugin> | ||||||
|             <plugin> |             <plugin> | ||||||
|                 <groupId>org.apache.maven.plugins</groupId> |                 <groupId>org.apache.maven.plugins</groupId> | ||||||
| @ -70,7 +64,7 @@ | |||||||
|         <dependency> |         <dependency> | ||||||
|             <groupId>org.asciidoctor</groupId> |             <groupId>org.asciidoctor</groupId> | ||||||
|             <artifactId>asciidoctorj</artifactId> |             <artifactId>asciidoctorj</artifactId> | ||||||
|             <version>2.4.3</version> |             <version>${asciidoctorj.version}</version> | ||||||
|         </dependency> |         </dependency> | ||||||
|         <dependency> |         <dependency> | ||||||
|             <groupId>org.springframework.boot</groupId> |             <groupId>org.springframework.boot</groupId> | ||||||
|  | |||||||
| @ -10,17 +10,17 @@ | |||||||
|     </parent> |     </parent> | ||||||
|  |  | ||||||
|     <dependencies> |     <dependencies> | ||||||
|     	<dependency> |         <dependency> | ||||||
|             <groupId>org.seleniumhq.selenium</groupId> |             <groupId>org.seleniumhq.selenium</groupId> | ||||||
| 	    <artifactId>selenium-java</artifactId> |             <artifactId>selenium-java</artifactId> | ||||||
| 	    <scope>test</scope> |             <scope>test</scope> | ||||||
| 	</dependency> |         </dependency> | ||||||
| 	<dependency> |         <dependency> | ||||||
|     	<groupId>io.github.bonigarcia</groupId> |             <groupId>io.github.bonigarcia</groupId> | ||||||
|     	<artifactId>webdrivermanager</artifactId> |             <artifactId>webdrivermanager</artifactId> | ||||||
|     	<version>4.3.1</version> |             <version>4.3.1</version> | ||||||
|     	<scope>test</scope> |             <scope>test</scope> | ||||||
| 	</dependency> |         </dependency> | ||||||
|         <dependency> |         <dependency> | ||||||
|             <groupId>org.owasp.webgoat</groupId> |             <groupId>org.owasp.webgoat</groupId> | ||||||
|             <artifactId>webgoat-server</artifactId> |             <artifactId>webgoat-server</artifactId> | ||||||
| @ -43,16 +43,16 @@ | |||||||
|             <artifactId>webwolf</artifactId> |             <artifactId>webwolf</artifactId> | ||||||
|             <version>${project.version}</version> |             <version>${project.version}</version> | ||||||
|         </dependency> |         </dependency> | ||||||
| 		<dependency> |         <dependency> | ||||||
| 			<groupId>org.springframework.boot</groupId> |             <groupId>org.springframework.boot</groupId> | ||||||
| 			<artifactId>spring-boot-starter-test</artifactId> |             <artifactId>spring-boot-starter-test</artifactId> | ||||||
| 			<scope>test</scope> |             <scope>test</scope> | ||||||
| 		</dependency> |         </dependency> | ||||||
| 		<dependency> |         <dependency> | ||||||
| 			<groupId>io.rest-assured</groupId> |             <groupId>io.rest-assured</groupId> | ||||||
| 			<artifactId>rest-assured</artifactId> |             <artifactId>rest-assured</artifactId> | ||||||
| 			<scope>test</scope> |             <scope>test</scope> | ||||||
| 		</dependency> |         </dependency> | ||||||
|     </dependencies> |     </dependencies> | ||||||
|  |  | ||||||
|     <build> |     <build> | ||||||
| @ -62,14 +62,12 @@ | |||||||
|                 <artifactId>maven-surefire-plugin</artifactId> |                 <artifactId>maven-surefire-plugin</artifactId> | ||||||
|                 <version>${maven-surefire-plugin.version}</version> |                 <version>${maven-surefire-plugin.version}</version> | ||||||
|                 <configuration> |                 <configuration> | ||||||
|                     <forkCount>0</forkCount> |                     <!-- Otherwise test will fail with JDK16 --> | ||||||
|                     <reuseForks>true</reuseForks> |  | ||||||
|                     <argLine> |                     <argLine> | ||||||
|                         --illegal-access=permit |                         --add-opens java.base/java.lang=ALL-UNNAMED --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.beans=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED --add-opens java.base/sun.nio.ch=ALL-UNNAMED | ||||||
|                     </argLine> |                     </argLine> | ||||||
|                 </configuration> |                 </configuration> | ||||||
|             </plugin> |             </plugin> | ||||||
|         </plugins> |         </plugins> | ||||||
|     </build> |     </build> | ||||||
|  |  | ||||||
| </project> | </project> | ||||||
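Review bot: The comment `<!-- Otherwise test will fail with JDK16 -->` above the new `argLine` says that tests fail but not which dependency needs reflective access to these seven packages, which is exactly what the next maintainer needs when deciding whether an entry can be dropped after a dependency upgrade; something like `<!-- JDK 16 denies illegal reflective access by default (JEP 396); these opens are required by <dependency — TODO confirm>. -->` would do. As a matter of style, seven options on one line are hard to review and diff; the previous `argLine` already placed its option on its own line, so one `--add-opens` per line keeps future changes to single-line diffs.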
|  | |||||||
| @ -24,9 +24,8 @@ import java.util.zip.ZipOutputStream; | |||||||
| 
 | 
 | ||||||
| import static org.junit.jupiter.api.DynamicTest.dynamicTest; | import static org.junit.jupiter.api.DynamicTest.dynamicTest; | ||||||
| 
 | 
 | ||||||
| public class PathTraversalTest extends IntegrationTest { | class PathTraversalITTest extends IntegrationTest { | ||||||
| 
 | 
 | ||||||
|     //the JUnit5 way |  | ||||||
|     @TempDir |     @TempDir | ||||||
|     Path tempDir; |     Path tempDir; | ||||||
| 
 | 
 | ||||||
| @ -35,8 +34,7 @@ public class PathTraversalTest extends IntegrationTest { | |||||||
|     @BeforeEach |     @BeforeEach | ||||||
|     @SneakyThrows |     @SneakyThrows | ||||||
|     public void init() { |     public void init() { | ||||||
|         fileToUpload = Files.createFile( |         fileToUpload = Files.createFile(tempDir.resolve("test.jpg")).toFile(); | ||||||
|                 tempDir.resolve("test.jpg")).toFile(); |  | ||||||
|         Files.write(fileToUpload.toPath(), "This is a test".getBytes()); |         Files.write(fileToUpload.toPath(), "This is a test".getBytes()); | ||||||
|         startLesson("PathTraversal"); |         startLesson("PathTraversal"); | ||||||
|     } |     } | ||||||
| @ -52,7 +50,7 @@ public class PathTraversalTest extends IntegrationTest { | |||||||
|         ); |         ); | ||||||
|     } |     } | ||||||
| 
 | 
 | ||||||
|     public void assignment1() throws IOException { |     private void assignment1() throws IOException { | ||||||
|         MatcherAssert.assertThat( |         MatcherAssert.assertThat( | ||||||
|                 RestAssured.given() |                 RestAssured.given() | ||||||
|                         .when() |                         .when() | ||||||
| @ -66,7 +64,7 @@ public class PathTraversalTest extends IntegrationTest { | |||||||
|                         .extract().path("lessonCompleted"), CoreMatchers.is(true)); |                         .extract().path("lessonCompleted"), CoreMatchers.is(true)); | ||||||
|     } |     } | ||||||
| 
 | 
 | ||||||
|     public void assignment2() throws IOException { |     private void assignment2() throws IOException { | ||||||
|         MatcherAssert.assertThat( |         MatcherAssert.assertThat( | ||||||
|                 RestAssured.given() |                 RestAssured.given() | ||||||
|                         .when() |                         .when() | ||||||
| @ -80,7 +78,7 @@ public class PathTraversalTest extends IntegrationTest { | |||||||
|                         .extract().path("lessonCompleted"), CoreMatchers.is(true)); |                         .extract().path("lessonCompleted"), CoreMatchers.is(true)); | ||||||
|     } |     } | ||||||
| 
 | 
 | ||||||
|     public void assignment3() throws IOException { |     private void assignment3() throws IOException { | ||||||
|         MatcherAssert.assertThat( |         MatcherAssert.assertThat( | ||||||
|                 RestAssured.given() |                 RestAssured.given() | ||||||
|                         .when() |                         .when() | ||||||
| @ -93,7 +91,7 @@ public class PathTraversalTest extends IntegrationTest { | |||||||
|                         .extract().path("lessonCompleted"), CoreMatchers.is(true)); |                         .extract().path("lessonCompleted"), CoreMatchers.is(true)); | ||||||
|     } |     } | ||||||
| 
 | 
 | ||||||
|     public void assignment4() throws IOException { |     private void assignment4() throws IOException { | ||||||
|         var uri = "/WebGoat/PathTraversal/random-picture?id=%2E%2E%2F%2E%2E%2Fpath-traversal-secret"; |         var uri = "/WebGoat/PathTraversal/random-picture?id=%2E%2E%2F%2E%2E%2Fpath-traversal-secret"; | ||||||
|         RestAssured.given().urlEncodingEnabled(false) |         RestAssured.given().urlEncodingEnabled(false) | ||||||
|                 .when() |                 .when() | ||||||
| @ -102,17 +100,17 @@ public class PathTraversalTest extends IntegrationTest { | |||||||
|                 .get(uri) |                 .get(uri) | ||||||
|                 .then() |                 .then() | ||||||
|                 .statusCode(200) |                 .statusCode(200) | ||||||
|                 .content(CoreMatchers.is("You found it submit the SHA-512 hash of your username as answer")); |                 .body(CoreMatchers.is("You found it submit the SHA-512 hash of your username as answer")); | ||||||
| 
 | 
 | ||||||
|         checkAssignment("/WebGoat/PathTraversal/random", Map.of("secret", Sha512DigestUtils.shaHex(getWebgoatUser())), true); |         checkAssignment("/WebGoat/PathTraversal/random", Map.of("secret", Sha512DigestUtils.shaHex(getWebgoatUser())), true); | ||||||
|     } |     } | ||||||
| 
 | 
 | ||||||
|     public void assignment5() throws IOException { |     private void assignment5() throws IOException { | ||||||
|         var webGoatHome = System.getProperty("user.dir") + "/target/.webgoat/PathTraversal/" + getWebgoatUser(); |         var webGoatHome = System.getProperty("java.io.tmpdir") + "/webgoat/PathTraversal/" + getWebgoatUser(); | ||||||
|         webGoatHome = webGoatHome.replaceAll("^[a-zA-Z]:", ""); //Remove C: from the home directory on Windows |         webGoatHome = webGoatHome.replaceAll("^[a-zA-Z]:", ""); //Remove C: from the home directory on Windows | ||||||
| 
 | 
 | ||||||
|         var webGoatDirectory = new File(webGoatHome); |         var webGoatDirectory = new File(webGoatHome); | ||||||
|         var zipFile = new File(webGoatDirectory, "upload.zip"); |         var zipFile = new File(tempDir.toFile(), "upload.zip"); | ||||||
|         try (var zos = new ZipOutputStream(new FileOutputStream(zipFile))) { |         try (var zos = new ZipOutputStream(new FileOutputStream(zipFile))) { | ||||||
|             ZipEntry e = new ZipEntry("../../../../../../../../../../" + webGoatDirectory.toString() + "/image.jpg"); |             ZipEntry e = new ZipEntry("../../../../../../../../../../" + webGoatDirectory.toString() + "/image.jpg"); | ||||||
|             zos.putNextEntry(e); |             zos.putNextEntry(e); | ||||||
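Review bot: `var webGoatHome = System.getProperty("java.io.tmpdir") + "/webgoat/PathTraversal/" + getWebgoatUser();` re-derives by string concatenation the location that the test properties configure as `webgoat.user.directory=${java.io.tmpdir}/webgoat`; nothing links the two, so changing either silently breaks the expected image location in assignment5, and on platforms where `java.io.tmpdir` ends with a separator the concatenation yields a doubled separator that then lands inside the zip entry name. Building it as `Path.of(System.getProperty("java.io.tmpdir"), "webgoat", "PathTraversal", getWebgoatUser()).toString().replaceAll("^[a-zA-Z]:", "")` avoids the separator problem, and a comment such as `// must match webgoat.user.directory in the integration-test properties` records the coupling. `assignment5` continues past the end of this hunk.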
| @ -132,7 +130,7 @@ public class PathTraversalTest extends IntegrationTest { | |||||||
|     } |     } | ||||||
| 
 | 
 | ||||||
|     @AfterEach |     @AfterEach | ||||||
|     public void shutdown() { |     void shutdown() { | ||||||
|         //this will run only once after the list of dynamic tests has run, this is to test if the lesson is marked complete |         //this will run only once after the list of dynamic tests has run, this is to test if the lesson is marked complete | ||||||
|         checkResults("/PathTraversal"); |         checkResults("/PathTraversal"); | ||||||
|     } |     } | ||||||
| @ -1,9 +1,9 @@ | |||||||
| #In order to run tests a known temp directory is preferred | #In order to run tests a known temp directory is preferred | ||||||
| #that is why these values are used | #that is why these values are used | ||||||
|  |  | ||||||
| webgoat.user.directory=${user.dir}/target/.webgoat | webgoat.user.directory=${java.io.tmpdir}/webgoat | ||||||
| webgoat.server.directory=${user.dir}/target/.webgoat | webgoat.server.directory=${java.io.tmpdir}/webgoat | ||||||
| webwolf.fileserver.location=${user.dir}/target/webwolf-fileserver | webwolf.fileserver.location=${java.io.tmpdir}/webwolf-fileserver | ||||||
|  |  | ||||||
| #database will get deleted for every mvn clean install | #database will get deleted for every mvn clean install | ||||||
| #as these extra properties are read by WebGoat and WebWolf the drop of the tables  | #as these extra properties are read by WebGoat and WebWolf the drop of the tables  | ||||||
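Review bot: `${java.io.tmpdir}/webgoat` is a fixed, predictable path in the host-wide temp directory, so two builds on the same machine (parallel CI jobs or two checkouts) now share and overwrite each other's WebGoat and WebWolf state, and on a multi-user host that directory is typically writable by other local accounts — neither was true of the per-checkout `${user.dir}/target/.webgoat`. If the move is required for the JDK 16 build, the comment at the top should say why and note that PathTraversalITTest rebuilds this same path by hand; otherwise keeping a per-checkout location, as `${user.dir}/target` was, preserves the isolation. If the database also lives under these directories, the "deleted for every mvn clean install" comment below no longer holds, since `mvn clean` does not touch the temp directory.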
|  | |||||||
| @ -16,28 +16,4 @@ | |||||||
|             <version>1.14.2</version> |             <version>1.14.2</version> | ||||||
|         </dependency> |         </dependency> | ||||||
|     </dependencies> |     </dependencies> | ||||||
|     <build> |  | ||||||
|        <plugins> |  | ||||||
|            <plugin> |  | ||||||
|                <groupId>org.asciidoctor</groupId> |  | ||||||
|                <artifactId>asciidoctor-maven-plugin</artifactId> |  | ||||||
|                <version>1.5.3</version> |  | ||||||
|  |  | ||||||
|                <executions> |  | ||||||
|                    <execution> |  | ||||||
|                        <id>output-html</id> |  | ||||||
|                        <phase>generate-resources</phase> |  | ||||||
|                        <goals> |  | ||||||
|                            <goal>process-asciidoc</goal> |  | ||||||
|                        </goals> |  | ||||||
|                        <configuration> |  | ||||||
|                            <backend>html</backend> |  | ||||||
|                            <sourceDirectory>src/main/resources/lessonPlans/en/</sourceDirectory> |  | ||||||
|                        </configuration> |  | ||||||
|                    </execution> |  | ||||||
|  |  | ||||||
|                </executions> |  | ||||||
|            </plugin> |  | ||||||
|        </plugins> |  | ||||||
|    </build> |  | ||||||
| </project> | </project> | ||||||
| @ -18,11 +18,11 @@ import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standal | |||||||
| @ExtendWith(MockitoExtension.class) | @ExtendWith(MockitoExtension.class) | ||||||
| public class DeserializeTest extends AssignmentEndpointTest { | public class DeserializeTest extends AssignmentEndpointTest { | ||||||
|  |  | ||||||
| 	private MockMvc mockMvc; |     private MockMvc mockMvc; | ||||||
| 	 |  | ||||||
| 	private static String OS = System.getProperty("os.name").toLowerCase(); |     private static String OS = System.getProperty("os.name").toLowerCase(); | ||||||
| 	 |  | ||||||
| 	@BeforeEach |     @BeforeEach | ||||||
|     public void setup() { |     public void setup() { | ||||||
|         InsecureDeserializationTask insecureTask = new InsecureDeserializationTask(); |         InsecureDeserializationTask insecureTask = new InsecureDeserializationTask(); | ||||||
|         init(insecureTask); |         init(insecureTask); | ||||||
| @ -31,62 +31,60 @@ public class DeserializeTest extends AssignmentEndpointTest { | |||||||
|  |  | ||||||
|     @Test |     @Test | ||||||
|     public void success() throws Exception { |     public void success() throws Exception { | ||||||
|     	if (OS.indexOf("win")>-1) { |         if (OS.indexOf("win") > -1) { | ||||||
|     		mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task") |             mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task") | ||||||
|                     .header("x-request-intercepted", "true") |                     .header("x-request-intercepted", "true") | ||||||
|                     .param("token", SerializationHelper.toString(new VulnerableTaskHolder("wait", "ping localhost -n 5")))) |                     .param("token", SerializationHelper.toString(new VulnerableTaskHolder("wait", "ping localhost -n 5")))) | ||||||
|             		.andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true))); |                     .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true))); | ||||||
|     	} else { |         } else { | ||||||
|     		mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task") |             mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task") | ||||||
|                 .header("x-request-intercepted", "true") |                     .header("x-request-intercepted", "true") | ||||||
|                 .param("token", SerializationHelper.toString(new VulnerableTaskHolder("wait", "sleep 5")))) |                     .param("token", SerializationHelper.toString(new VulnerableTaskHolder("wait", "sleep 5")))) | ||||||
|         		.andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true))); |                     .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true))); | ||||||
|     	} |         } | ||||||
|     } |     } | ||||||
|      |  | ||||||
|     @Test |     @Test | ||||||
|     public void fail() throws Exception { |     public void fail() throws Exception { | ||||||
|         mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task") |         mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task") | ||||||
|                 .header("x-request-intercepted", "true") |                 .header("x-request-intercepted", "true") | ||||||
|                 .param("token", SerializationHelper.toString(new VulnerableTaskHolder("delete", "rm *")))) |                 .param("token", SerializationHelper.toString(new VulnerableTaskHolder("delete", "rm *")))) | ||||||
|         		.andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false))); |                 .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false))); | ||||||
|     } |     } | ||||||
|      |  | ||||||
|     @Test |     @Test | ||||||
|     public void wrongVersion() throws Exception { |     public void wrongVersion() throws Exception { | ||||||
|     	String token = "rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAECAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfjCR4GIQgMLRSoeHQACmVjaG8gaGVsbG90AAhzYXlIZWxsbw"; |         String token = "rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAECAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfjCR4GIQgMLRSoeHQACmVjaG8gaGVsbG90AAhzYXlIZWxsbw"; | ||||||
|         mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task") |         mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task") | ||||||
|                 .header("x-request-intercepted", "true") |                 .header("x-request-intercepted", "true") | ||||||
|                 .param("token", token)) |                 .param("token", token)) | ||||||
|         		.andExpect(status().isOk()) |                 .andExpect(status().isOk()) | ||||||
|                 .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("insecure-deserialization.invalidversion")))) |                 .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("insecure-deserialization.invalidversion")))) | ||||||
|         		.andExpect(jsonPath("$.lessonCompleted", is(false))); |                 .andExpect(jsonPath("$.lessonCompleted", is(false))); | ||||||
|     } |     } | ||||||
|      |  | ||||||
|     @Test |     @Test | ||||||
|     public void expiredTask() throws Exception { |     public void expiredTask() throws Exception { | ||||||
|     	String token = "rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAICAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfjCR4IDC0YfvNIeHQACmVjaG8gaGVsbG90AAhzYXlIZWxsbw"; |         String token = "rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAICAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfjCR4IDC0YfvNIeHQACmVjaG8gaGVsbG90AAhzYXlIZWxsbw"; | ||||||
|         mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task") |         mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task") | ||||||
|                 .header("x-request-intercepted", "true") |                 .header("x-request-intercepted", "true") | ||||||
|                 .param("token", token)) |                 .param("token", token)) | ||||||
|         		.andExpect(status().isOk()) |                 .andExpect(status().isOk()) | ||||||
|                 .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("insecure-deserialization.expired")))) |                 .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("insecure-deserialization.expired")))) | ||||||
|         		.andExpect(jsonPath("$.lessonCompleted", is(false))); |                 .andExpect(jsonPath("$.lessonCompleted", is(false))); | ||||||
|     } |     } | ||||||
|      |  | ||||||
|  |  | ||||||
|      |  | ||||||
|     @Test |     @Test | ||||||
|     public void checkOtherObject() throws Exception { |     public void checkOtherObject() throws Exception { | ||||||
|     	String token = "rO0ABXQAVklmIHlvdSBkZXNlcmlhbGl6ZSBtZSBkb3duLCBJIHNoYWxsIGJlY29tZSBtb3JlIHBvd2VyZnVsIHRoYW4geW91IGNhbiBwb3NzaWJseSBpbWFnaW5l"; |         String token = "rO0ABXQAVklmIHlvdSBkZXNlcmlhbGl6ZSBtZSBkb3duLCBJIHNoYWxsIGJlY29tZSBtb3JlIHBvd2VyZnVsIHRoYW4geW91IGNhbiBwb3NzaWJseSBpbWFnaW5l"; | ||||||
|     	mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task") |         mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task") | ||||||
|                 .header("x-request-intercepted", "true") |                 .header("x-request-intercepted", "true") | ||||||
|                 .param("token", token)) |                 .param("token", token)) | ||||||
|         		.andExpect(status().isOk()) |                 .andExpect(status().isOk()) | ||||||
|                 .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("insecure-deserialization.stringobject")))) |                 .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("insecure-deserialization.stringobject")))) | ||||||
|         		.andExpect(jsonPath("$.lessonCompleted", is(false))); |                 .andExpect(jsonPath("$.lessonCompleted", is(false))); | ||||||
|     } |     } | ||||||
|      |  | ||||||
|      |  | ||||||
|  |  | ||||||
| } | } | ||||||
| @ -7,14 +7,12 @@ import org.owasp.webgoat.session.WebSession; | |||||||
| import org.springframework.beans.factory.annotation.Value; | import org.springframework.beans.factory.annotation.Value; | ||||||
| import org.springframework.http.ResponseEntity; | import org.springframework.http.ResponseEntity; | ||||||
| import org.springframework.util.FileCopyUtils; | import org.springframework.util.FileCopyUtils; | ||||||
| import org.springframework.util.FileSystemUtils; |  | ||||||
| import org.springframework.web.bind.annotation.*; | import org.springframework.web.bind.annotation.*; | ||||||
| import org.springframework.web.multipart.MultipartFile; | import org.springframework.web.multipart.MultipartFile; | ||||||
|  |  | ||||||
| import java.io.File; | import java.io.File; | ||||||
| import java.io.IOException; | import java.io.IOException; | ||||||
| import java.io.InputStream; | import java.io.InputStream; | ||||||
| import java.nio.file.CopyOption; |  | ||||||
| import java.nio.file.Files; | import java.nio.file.Files; | ||||||
| import java.nio.file.StandardCopyOption; | import java.nio.file.StandardCopyOption; | ||||||
| import java.util.Arrays; | import java.util.Arrays; | ||||||
| @ -45,22 +43,21 @@ public class ProfileZipSlip extends ProfileUploadBase { | |||||||
|  |  | ||||||
|     @SneakyThrows |     @SneakyThrows | ||||||
|     private AttackResult processZipUpload(MultipartFile file) { |     private AttackResult processZipUpload(MultipartFile file) { | ||||||
|         var tmpZipDirectory = new File(getWebGoatHomeDirectory(), "/PathTraversal/zip-slip/" + getWebSession().getUserName()); |         var tmpZipDirectory = Files.createTempDirectory(getWebSession().getUserName()); | ||||||
|         var uploadDirectory = new File(getWebGoatHomeDirectory(), "/PathTraversal/" + getWebSession().getUserName()); |         var uploadDirectory = new File(getWebGoatHomeDirectory(), "/PathTraversal/" + getWebSession().getUserName()); | ||||||
|         FileSystemUtils.deleteRecursively(uploadDirectory); |         var currentImage = getProfilePictureAsBase64(); | ||||||
|         Files.createDirectories(tmpZipDirectory.toPath()); |  | ||||||
|         Files.createDirectories(uploadDirectory.toPath()); |         Files.createDirectories(uploadDirectory.toPath()); | ||||||
|         byte[] currentImage = getProfilePictureAsBase64(); |  | ||||||
|  |  | ||||||
|         try { |         try { | ||||||
|             var uploadedZipFile = new File(tmpZipDirectory, file.getOriginalFilename()); |             var uploadedZipFile = tmpZipDirectory.resolve(file.getOriginalFilename()); | ||||||
|             FileCopyUtils.copy(file.getBytes(), uploadedZipFile); |             FileCopyUtils.copy(file.getBytes(), uploadedZipFile.toFile()); | ||||||
|  |  | ||||||
|             ZipFile zip = new ZipFile(uploadedZipFile); |             ZipFile zip = new ZipFile(uploadedZipFile.toFile()); | ||||||
|             Enumeration<? extends ZipEntry> entries = zip.entries(); |             Enumeration<? extends ZipEntry> entries = zip.entries(); | ||||||
|             while (entries.hasMoreElements()) { |             while (entries.hasMoreElements()) { | ||||||
|                 ZipEntry e = entries.nextElement(); |                 ZipEntry e = entries.nextElement(); | ||||||
|                 File f = new File(uploadDirectory, e.getName()); |                 File f = new File(tmpZipDirectory.toFile(), e.getName()); | ||||||
|                 InputStream is = zip.getInputStream(e); |                 InputStream is = zip.getInputStream(e); | ||||||
|                 Files.copy(is, f.toPath(), StandardCopyOption.REPLACE_EXISTING); |                 Files.copy(is, f.toPath(), StandardCopyOption.REPLACE_EXISTING); | ||||||
|             } |             } | ||||||
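Review bot: `tmpZipDirectory.resolve(file.getOriginalFilename())` trusts the multipart filename: `Path.resolve` returns the argument unchanged when it is absolute and does not normalise `..`, so a crafted Content-Disposition filename makes the following `FileCopyUtils.copy` write the raw upload outside the freshly created temp directory (the old `new File(dir, name)` form at least kept the directory as prefix). The traversal via `e.getName()` a few lines later is presumably the lesson's intended Zip Slip bug, but the upload filename is not part of that exercise, so reduce it to its last segment: `var uploadedZipFile = tmpZipDirectory.resolve(new File(file.getOriginalFilename()).getName());`. The temp directory created at the top of the method is never deleted and `ZipFile zip` is never closed, so every upload leaves a directory with the zip and its extracted entries behind; a `finally` that removes the temp tree and a try-with-resources around `ZipFile` would fix that. The rest of the try block and the end of `processZipUpload` lie outside the hunk.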
|  | |||||||
| @ -8,7 +8,7 @@ curl -o cat.jpg http://localhost:8080/WebGoat/images/cats/1.jpg | |||||||
| zip profile.zip cat.jpg | zip profile.zip cat.jpg | ||||||
| ---- | ---- | ||||||
|  |  | ||||||
| Now let's upload this as our profile image, we can see nothing happens as mentioned in the assignment there is a bug in the software and the result we see on the screen is: | Now let's upload this as our profile image, we can see nothing happens as mentioned in the assignment there is a bug in the software, and the result we see on the screen is: | ||||||
|  |  | ||||||
| [source] | [source] | ||||||
| ---- | ---- | ||||||
|  | |||||||
| @ -35,4 +35,20 @@ | |||||||
|             <version>1.2</version> |             <version>1.2</version> | ||||||
|         </dependency> |         </dependency> | ||||||
|     </dependencies> |     </dependencies> | ||||||
|  |  | ||||||
|  |     <build> | ||||||
|  |         <plugins> | ||||||
|  |             <plugin> | ||||||
|  |                 <groupId>org.apache.maven.plugins</groupId> | ||||||
|  |                 <artifactId>maven-surefire-plugin</artifactId> | ||||||
|  |                 <version>${maven-surefire-plugin.version}</version> | ||||||
|  |                 <configuration> | ||||||
|  |                     <!-- Otherwise test will fail with JDK16 --> | ||||||
|  |                     <argLine> | ||||||
|  |                         --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED | ||||||
|  |                     </argLine> | ||||||
|  |                 </configuration> | ||||||
|  |             </plugin> | ||||||
|  |         </plugins> | ||||||
|  |     </build> | ||||||
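Review bot: The `<argLine>` opens `java.util`, `java.lang.reflect`, `java.text` and `java.awt.font` to the unnamed module without recording which dependency needs the reflective access, so nobody will know when the flags can be dropped; each `--add-opens` switches off JDK 16 strong encapsulation for that package in the test JVM and the list should stay as small as possible. Replace `<!-- Otherwise test will fail with JDK16 -->` with a comment naming the library and version, e.g. `<!-- JDK 16+: <library> x.y reflects into these packages; remove once it is upgraded -->`. If the same flags are also passed to the application JVM elsewhere in the build, consider defining them once as a Maven property so the two lists cannot drift apart.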
| </project> | </project> | ||||||
|  | |||||||
| @ -11,21 +11,20 @@ | |||||||
|  |  | ||||||
|     <dependencies> |     <dependencies> | ||||||
|         <dependency> |         <dependency> | ||||||
|             <groupId>commons-lang</groupId> |             <groupId>org.apache.commons</groupId> | ||||||
|             <artifactId>commons-lang</artifactId> |             <artifactId>commons-lang3</artifactId> | ||||||
|             <version>2.6</version> |             <version>${commons-lang3.version}</version> | ||||||
|         </dependency> |         </dependency> | ||||||
|         <dependency> |         <dependency> | ||||||
|             <groupId>org.glassfish.jaxb</groupId> |             <groupId>org.glassfish.jaxb</groupId> | ||||||
|             <artifactId>jaxb-runtime</artifactId> |             <artifactId>jaxb-runtime</artifactId> | ||||||
|             <version>2.3.0</version> |  | ||||||
|         </dependency> |         </dependency> | ||||||
|  |  | ||||||
|         <dependency> |         <dependency> | ||||||
|             <groupId>com.github.tomakehurst</groupId> |             <groupId>com.github.tomakehurst</groupId> | ||||||
|             <artifactId>wiremock</artifactId> |             <artifactId>wiremock</artifactId> | ||||||
|             <version>2.27.2</version> |             <scope>test</scope> | ||||||
|         <scope>test</scope> |             <version>${wiremock.version}</version> | ||||||
|         </dependency> |         </dependency> | ||||||
|  |  | ||||||
|     </dependencies> |     </dependencies> | ||||||
|  | |||||||
| @ -23,6 +23,7 @@ | |||||||
| package org.owasp.webgoat.xxe; | package org.owasp.webgoat.xxe; | ||||||
|  |  | ||||||
| import org.apache.commons.exec.OS; | import org.apache.commons.exec.OS; | ||||||
|  | import org.apache.commons.lang3.exception.ExceptionUtils; | ||||||
| import org.owasp.webgoat.assignments.AssignmentEndpoint; | import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||||
| import org.owasp.webgoat.assignments.AssignmentHints; | import org.owasp.webgoat.assignments.AssignmentHints; | ||||||
| import org.owasp.webgoat.assignments.AttackResult; | import org.owasp.webgoat.assignments.AttackResult; | ||||||
| @ -67,17 +68,17 @@ public class ContentTypeAssignment extends AssignmentEndpoint { | |||||||
|         if (null != contentType && contentType.contains(MediaType.APPLICATION_XML_VALUE)) { |         if (null != contentType && contentType.contains(MediaType.APPLICATION_XML_VALUE)) { | ||||||
|             String error = ""; |             String error = ""; | ||||||
|             try { |             try { | ||||||
|             	boolean secure = false; |                 boolean secure = false; | ||||||
|             	if (null != request.getSession().getAttribute("applySecurity")) { |                 if (null != request.getSession().getAttribute("applySecurity")) { | ||||||
|             		secure = true; |                     secure = true; | ||||||
|             	} |                 } | ||||||
|                 Comment comment = comments.parseXml(commentStr, secure); |                 Comment comment = comments.parseXml(commentStr, secure); | ||||||
|                 comments.addComment(comment, false); |                 comments.addComment(comment, false); | ||||||
|                 if (checkSolution(comment)) { |                 if (checkSolution(comment)) { | ||||||
|                     attackResult = success(this).build(); |                     attackResult = success(this).build(); | ||||||
|                 } |                 } | ||||||
|             } catch (Exception e) { |             } catch (Exception e) { | ||||||
|                 error = org.apache.commons.lang.exception.ExceptionUtils.getFullStackTrace(e); |                 error = ExceptionUtils.getStackTrace(e); | ||||||
|                 attackResult = failed(this).feedback("xxe.content.type.feedback.xml").output(error).build(); |                 attackResult = failed(this).feedback("xxe.content.type.feedback.xml").output(error).build(); | ||||||
|             } |             } | ||||||
|         } |         } | ||||||
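Review bot: `error = ExceptionUtils.getStackTrace(e)` in the catch block still hands the complete stack trace to the client through `.output(error)`, exposing class names, library versions and file paths; in a deliberately vulnerable training application that may well be intended, but nothing in the code says so. Add a comment above the assignment such as `// Intentional for the lesson: the raw parser stack trace is returned so the effect of the XXE payload is visible to the student`, or, if it is not intended, return `e.getMessage()` instead. The enclosing method starts before this hunk.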
| @ -85,13 +86,13 @@ public class ContentTypeAssignment extends AssignmentEndpoint { | |||||||
|         return attackResult; |         return attackResult; | ||||||
|     } |     } | ||||||
|  |  | ||||||
|    private boolean checkSolution(Comment comment) { |     private boolean checkSolution(Comment comment) { | ||||||
|        String[] directoriesToCheck = OS.isFamilyMac() || OS.isFamilyUnix() ? DEFAULT_LINUX_DIRECTORIES : DEFAULT_WINDOWS_DIRECTORIES; |         String[] directoriesToCheck = OS.isFamilyMac() || OS.isFamilyUnix() ? DEFAULT_LINUX_DIRECTORIES : DEFAULT_WINDOWS_DIRECTORIES; | ||||||
|        boolean success = false; |         boolean success = false; | ||||||
|        for (String directory : directoriesToCheck) { |         for (String directory : directoriesToCheck) { | ||||||
|            success |= org.apache.commons.lang3.StringUtils.contains(comment.getText(), directory); |             success |= org.apache.commons.lang3.StringUtils.contains(comment.getText(), directory); | ||||||
|        } |         } | ||||||
|        return success; |         return success; | ||||||
|    }  |     } | ||||||
|  |  | ||||||
| } | } | ||||||
|  | |||||||
| @ -23,7 +23,7 @@ | |||||||
| package org.owasp.webgoat.xxe; | package org.owasp.webgoat.xxe; | ||||||
|  |  | ||||||
| import org.apache.commons.exec.OS; | import org.apache.commons.exec.OS; | ||||||
| import org.apache.commons.lang.exception.ExceptionUtils; | import org.apache.commons.lang3.exception.ExceptionUtils; | ||||||
| import org.owasp.webgoat.assignments.AssignmentEndpoint; | import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||||
| import org.owasp.webgoat.assignments.AssignmentHints; | import org.owasp.webgoat.assignments.AssignmentHints; | ||||||
| import org.owasp.webgoat.assignments.AttackResult; | import org.owasp.webgoat.assignments.AttackResult; | ||||||
| @ -80,7 +80,7 @@ public class SimpleXXE extends AssignmentEndpoint { | |||||||
|                 return success(this).build(); |                 return success(this).build(); | ||||||
|             } |             } | ||||||
|         } catch (Exception e) { |         } catch (Exception e) { | ||||||
|             error = ExceptionUtils.getFullStackTrace(e); |             error = ExceptionUtils.getStackTrace(e); | ||||||
|         } |         } | ||||||
|         return failed(this).output(error).build(); |         return failed(this).output(error).build(); | ||||||
|     } |     } | ||||||
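Review bot: The switch to lang3's `ExceptionUtils.getStackTrace(e)` can change the text shown to the student: as far as I recall lang 2's `getFullStackTrace` walked the cause chain and printed each throwable separately, while lang3's `getStackTrace` delegates to `printStackTrace`, so any lesson text or test that matches on the exact output should be re-checked. As in the other XXE assignment, the whole stack trace is still returned to the client via `failed(this).output(error)`; a one-line comment like `// Intentional for the lesson: parser errors are echoed back to the student` would stop someone from "fixing" it or copying the pattern into production code. The `error` initialisation and the try body start before this hunk.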
|  | |||||||