diff --git a/docker/Dockerfile b/docker/Dockerfile
index 3047632a2..1437def53 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,4 +1,4 @@
-FROM openjdk:15-slim
+FROM openjdk:16-slim
ARG webgoat_version=8.2.1-SNAPSHOT
ENV webgoat_version_env=${webgoat_version}
diff --git a/docker/start.sh b/docker/start.sh
index 6f6b27ee7..c167d419b 100644
--- a/docker/start.sh
+++ b/docker/start.sh
@@ -8,9 +8,11 @@ echo "Starting WebGoat..."
java \
-Duser.home=/home/webgoat \
-Dfile.encoding=UTF-8 \
+ --add-opens java.base/java.lang=ALL-UNNAMED \
--add-opens java.base/java.util=ALL-UNNAMED \
--add-opens java.base/java.lang.reflect=ALL-UNNAMED \
--add-opens java.base/java.text=ALL-UNNAMED \
+ --add-opens java.desktop/java.beans=ALL-UNNAMED \
--add-opens java.desktop/java.awt.font=ALL-UNNAMED \
--add-opens java.base/sun.nio.ch=ALL-UNNAMED \
--add-opens java.base/java.io=ALL-UNNAMED \
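Review bot: The `--add-opens` list is now hand-maintained in three places and the copies already disagree: this script opens `java.base/java.io`, the surefire argLine at L154 in webgoat-integration-tests/pom.xml does not, and the argLine at L463 in webgoat-lessons/vulnerable-components/pom.xml also drops `java.base/java.lang`, `java.desktop/java.beans` and `java.base/sun.nio.ch`. If each module is meant to open only what its own tests touch that is fine, but it should be stated; otherwise define the list once as a Maven property in the root pom next to `maven-surefire-plugin.version` and reference it from each argLine, with a comment here such as `# keep in step with the surefire argLine property in the root pom`. As it stands, a test may pass only because the container runtime opens more packages than the test JVM does.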
diff --git a/pom.xml b/pom.xml
index 893e45538..4a337bdda 100644
--- a/pom.xml
+++ b/pom.xml
@@ -8,6 +8,12 @@
pom
8.2.1-SNAPSHOT
+
+ org.springframework.boot
+ spring-boot-starter-parent
+ 2.5.4
+
+
WebGoat Parent Pom
Parent Pom for the WebGoat Project. A deliberately insecure Web Application
2006
@@ -22,12 +28,6 @@
https://github.com/WebGoat/WebGoat/
-
- org.springframework.boot
- spring-boot-starter-parent
- 2.4.3
-
-
GNU General Public License, version 2
@@ -122,22 +122,21 @@
15
15
-
- build
-
1.1.1
+ 2.5.2
3.2.1
- 3.4
+ 3.12.0
2.6
30.1-jre
1.18.20
+ 2.27.2
3.8.0
2.22.0
3.1.2
3.1.1
3.1.0
- 3.0.0-M4
+ 3.0.0-M5
15
diff --git a/webgoat-container/pom.xml b/webgoat-container/pom.xml
index ea83551ce..25cd764a3 100644
--- a/webgoat-container/pom.xml
+++ b/webgoat-container/pom.xml
@@ -17,13 +17,7 @@
org.apache.maven.plugins
maven-surefire-plugin
-
- 0
- true
-
- --illegal-access=permit
-
-
+ ${maven-surefire-plugin.version}
org.apache.maven.plugins
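Review bot: Dropping `--illegal-access=permit` here leaves this module's surefire run with no `--add-opens` at all, while the sibling modules in this commit (L154, L463) add explicit opens for the same JDK 16 move; any test in webgoat-container that relies on deep reflection into `java.base` would now fail with an InaccessibleObjectException. The stripped elements holding `0` and `true` look like surefire's forkCount/reuseForks; if so, removing them means tests now run in a forked JVM and any argLine set here or inherited takes effect for the first time. Either add the same argLine as webgoat-integration-tests/pom.xml or record in the plugin block that this module needs no opens, e.g. `<!-- no --add-opens needed: tests in this module use no deep reflection -->`.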
@@ -70,7 +64,7 @@
org.asciidoctor
asciidoctorj
- 2.4.3
+ ${asciidoctorj.version}
org.springframework.boot
diff --git a/webgoat-integration-tests/pom.xml b/webgoat-integration-tests/pom.xml
index abd0f8e10..ff665b923 100644
--- a/webgoat-integration-tests/pom.xml
+++ b/webgoat-integration-tests/pom.xml
@@ -10,17 +10,17 @@
-
+
org.seleniumhq.selenium
- selenium-java
- test
-
-
- io.github.bonigarcia
- webdrivermanager
- 4.3.1
- test
-
+ selenium-java
+ test
+
+
+ io.github.bonigarcia
+ webdrivermanager
+ 4.3.1
+ test
+
org.owasp.webgoat
webgoat-server
@@ -43,16 +43,16 @@
webwolf
${project.version}
-
- org.springframework.boot
- spring-boot-starter-test
- test
-
-
- io.rest-assured
- rest-assured
- test
-
+
+ org.springframework.boot
+ spring-boot-starter-test
+ test
+
+
+ io.rest-assured
+ rest-assured
+ test
+
@@ -62,14 +62,12 @@
maven-surefire-plugin
${maven-surefire-plugin.version}
- 0
- true
+
- --illegal-access=permit
+ --add-opens java.base/java.lang=ALL-UNNAMED --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.beans=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED --add-opens java.base/sun.nio.ch=ALL-UNNAMED
-
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalITTest.java
similarity index 87%
rename from webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalTest.java
rename to webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalITTest.java
index d32ce336e..753b193d3 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalTest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalITTest.java
@@ -24,9 +24,8 @@ import java.util.zip.ZipOutputStream;
import static org.junit.jupiter.api.DynamicTest.dynamicTest;
-public class PathTraversalTest extends IntegrationTest {
+class PathTraversalITTest extends IntegrationTest {
- //the JUnit5 way
@TempDir
Path tempDir;
@@ -35,8 +34,7 @@ public class PathTraversalTest extends IntegrationTest {
@BeforeEach
@SneakyThrows
public void init() {
- fileToUpload = Files.createFile(
- tempDir.resolve("test.jpg")).toFile();
+ fileToUpload = Files.createFile(tempDir.resolve("test.jpg")).toFile();
Files.write(fileToUpload.toPath(), "This is a test".getBytes());
startLesson("PathTraversal");
}
@@ -52,7 +50,7 @@ public class PathTraversalTest extends IntegrationTest {
);
}
- public void assignment1() throws IOException {
+ private void assignment1() throws IOException {
MatcherAssert.assertThat(
RestAssured.given()
.when()
@@ -66,7 +64,7 @@ public class PathTraversalTest extends IntegrationTest {
.extract().path("lessonCompleted"), CoreMatchers.is(true));
}
- public void assignment2() throws IOException {
+ private void assignment2() throws IOException {
MatcherAssert.assertThat(
RestAssured.given()
.when()
@@ -80,7 +78,7 @@ public class PathTraversalTest extends IntegrationTest {
.extract().path("lessonCompleted"), CoreMatchers.is(true));
}
- public void assignment3() throws IOException {
+ private void assignment3() throws IOException {
MatcherAssert.assertThat(
RestAssured.given()
.when()
@@ -93,7 +91,7 @@ public class PathTraversalTest extends IntegrationTest {
.extract().path("lessonCompleted"), CoreMatchers.is(true));
}
- public void assignment4() throws IOException {
+ private void assignment4() throws IOException {
var uri = "/WebGoat/PathTraversal/random-picture?id=%2E%2E%2F%2E%2E%2Fpath-traversal-secret";
RestAssured.given().urlEncodingEnabled(false)
.when()
@@ -102,17 +100,17 @@ public class PathTraversalTest extends IntegrationTest {
.get(uri)
.then()
.statusCode(200)
- .content(CoreMatchers.is("You found it submit the SHA-512 hash of your username as answer"));
+ .body(CoreMatchers.is("You found it submit the SHA-512 hash of your username as answer"));
checkAssignment("/WebGoat/PathTraversal/random", Map.of("secret", Sha512DigestUtils.shaHex(getWebgoatUser())), true);
}
- public void assignment5() throws IOException {
- var webGoatHome = System.getProperty("user.dir") + "/target/.webgoat/PathTraversal/" + getWebgoatUser();
+ private void assignment5() throws IOException {
+ var webGoatHome = System.getProperty("java.io.tmpdir") + "/webgoat/PathTraversal/" + getWebgoatUser();
webGoatHome = webGoatHome.replaceAll("^[a-zA-Z]:", ""); //Remove C: from the home directory on Windows
var webGoatDirectory = new File(webGoatHome);
- var zipFile = new File(webGoatDirectory, "upload.zip");
+ var zipFile = new File(tempDir.toFile(), "upload.zip");
try (var zos = new ZipOutputStream(new FileOutputStream(zipFile))) {
ZipEntry e = new ZipEntry("../../../../../../../../../../" + webGoatDirectory.toString() + "/image.jpg");
zos.putNextEntry(e);
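Review bot: `webGoatHome` at L223 hard-codes the same `java.io.tmpdir` + `/webgoat` path that application-inttest.properties now sets for `webgoat.user.directory`; the two are independent strings, so a later edit to either one makes assignment5 fail in a way that is hard to trace back to its cause. Add at least a comment on that line, e.g. `// must match webgoat.user.directory in application-inttest.properties`, or read the value from the test properties instead of rebuilding it. The zip entry built at L229 is the lesson's intended traversal payload and is fine as it is. assignment5 continues past the end of the hunk.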
@@ -132,7 +130,7 @@ public class PathTraversalTest extends IntegrationTest {
}
@AfterEach
- public void shutdown() {
+ void shutdown() {
//this will run only once after the list of dynamic tests has run, this is to test if the lesson is marked complete
checkResults("/PathTraversal");
}
diff --git a/webgoat-integration-tests/src/test/resources/application-inttest.properties b/webgoat-integration-tests/src/test/resources/application-inttest.properties
index 4286e914f..a694bd592 100644
--- a/webgoat-integration-tests/src/test/resources/application-inttest.properties
+++ b/webgoat-integration-tests/src/test/resources/application-inttest.properties
@@ -1,9 +1,9 @@
#In order to run tests a known temp directory is preferred
#that is why these values are used
-webgoat.user.directory=${user.dir}/target/.webgoat
-webgoat.server.directory=${user.dir}/target/.webgoat
-webwolf.fileserver.location=${user.dir}/target/webwolf-fileserver
+webgoat.user.directory=${java.io.tmpdir}/webgoat
+webgoat.server.directory=${java.io.tmpdir}/webgoat
+webwolf.fileserver.location=${java.io.tmpdir}/webwolf-fileserver
#database will get deleted for every mvn clean install
#as these extra properties are read by WebGoat and WebWolf the drop of the tables
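Review bot: The context comment at L252, `#database will get deleted for every mvn clean install`, no longer holds after this change: `${java.io.tmpdir}/webgoat` sits outside target/, so `mvn clean` leaves the database and user directories behind and the next run starts from stale state. A fixed name under the shared temp directory also means two builds on the same host (parallel CI jobs, or a developer and an agent sharing a machine) write into the same `webgoat` directory. Update the comment to match the new location, e.g. `#NOTE: these directories live outside target/ and are not removed by mvn clean; delete ${java.io.tmpdir}/webgoat to reset the test state`, or make the path run-specific.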
diff --git a/webgoat-lessons/cross-site-scripting/pom.xml b/webgoat-lessons/cross-site-scripting/pom.xml
index bc82c23fa..5bb02a9f2 100644
--- a/webgoat-lessons/cross-site-scripting/pom.xml
+++ b/webgoat-lessons/cross-site-scripting/pom.xml
@@ -16,28 +16,4 @@
1.14.2
-
-
-
- org.asciidoctor
- asciidoctor-maven-plugin
- 1.5.3
-
-
-
- output-html
- generate-resources
-
- process-asciidoc
-
-
- html
- src/main/resources/lessonPlans/en/
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat/deserialization/DeserializeTest.java b/webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat/deserialization/DeserializeTest.java
index 9a2ecec94..35ba51976 100644
--- a/webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat/deserialization/DeserializeTest.java
+++ b/webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat/deserialization/DeserializeTest.java
@@ -18,11 +18,11 @@ import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standal
@ExtendWith(MockitoExtension.class)
public class DeserializeTest extends AssignmentEndpointTest {
- private MockMvc mockMvc;
-
- private static String OS = System.getProperty("os.name").toLowerCase();
-
- @BeforeEach
+ private MockMvc mockMvc;
+
+ private static String OS = System.getProperty("os.name").toLowerCase();
+
+ @BeforeEach
public void setup() {
InsecureDeserializationTask insecureTask = new InsecureDeserializationTask();
init(insecureTask);
@@ -31,62 +31,60 @@ public class DeserializeTest extends AssignmentEndpointTest {
@Test
public void success() throws Exception {
- if (OS.indexOf("win")>-1) {
- mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
+ if (OS.indexOf("win") > -1) {
+ mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
.header("x-request-intercepted", "true")
.param("token", SerializationHelper.toString(new VulnerableTaskHolder("wait", "ping localhost -n 5"))))
- .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true)));
- } else {
- mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
- .header("x-request-intercepted", "true")
- .param("token", SerializationHelper.toString(new VulnerableTaskHolder("wait", "sleep 5"))))
- .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true)));
- }
+ .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true)));
+ } else {
+ mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
+ .header("x-request-intercepted", "true")
+ .param("token", SerializationHelper.toString(new VulnerableTaskHolder("wait", "sleep 5"))))
+ .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true)));
+ }
}
-
+
@Test
public void fail() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
.header("x-request-intercepted", "true")
.param("token", SerializationHelper.toString(new VulnerableTaskHolder("delete", "rm *"))))
- .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false)));
+ .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false)));
}
-
+
@Test
public void wrongVersion() throws Exception {
- String token = "rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAECAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfjCR4GIQgMLRSoeHQACmVjaG8gaGVsbG90AAhzYXlIZWxsbw";
+ String token = "rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAECAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfjCR4GIQgMLRSoeHQACmVjaG8gaGVsbG90AAhzYXlIZWxsbw";
mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
.header("x-request-intercepted", "true")
.param("token", token))
- .andExpect(status().isOk())
+ .andExpect(status().isOk())
.andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("insecure-deserialization.invalidversion"))))
- .andExpect(jsonPath("$.lessonCompleted", is(false)));
+ .andExpect(jsonPath("$.lessonCompleted", is(false)));
}
-
+
@Test
public void expiredTask() throws Exception {
- String token = "rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAICAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfjCR4IDC0YfvNIeHQACmVjaG8gaGVsbG90AAhzYXlIZWxsbw";
+ String token = "rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAICAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfjCR4IDC0YfvNIeHQACmVjaG8gaGVsbG90AAhzYXlIZWxsbw";
mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
.header("x-request-intercepted", "true")
.param("token", token))
- .andExpect(status().isOk())
+ .andExpect(status().isOk())
.andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("insecure-deserialization.expired"))))
- .andExpect(jsonPath("$.lessonCompleted", is(false)));
+ .andExpect(jsonPath("$.lessonCompleted", is(false)));
}
-
-
+
@Test
public void checkOtherObject() throws Exception {
- String token = "rO0ABXQAVklmIHlvdSBkZXNlcmlhbGl6ZSBtZSBkb3duLCBJIHNoYWxsIGJlY29tZSBtb3JlIHBvd2VyZnVsIHRoYW4geW91IGNhbiBwb3NzaWJseSBpbWFnaW5l";
- mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
+ String token = "rO0ABXQAVklmIHlvdSBkZXNlcmlhbGl6ZSBtZSBkb3duLCBJIHNoYWxsIGJlY29tZSBtb3JlIHBvd2VyZnVsIHRoYW4geW91IGNhbiBwb3NzaWJseSBpbWFnaW5l";
+ mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
.header("x-request-intercepted", "true")
.param("token", token))
- .andExpect(status().isOk())
+ .andExpect(status().isOk())
.andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("insecure-deserialization.stringobject"))))
- .andExpect(jsonPath("$.lessonCompleted", is(false)));
+ .andExpect(jsonPath("$.lessonCompleted", is(false)));
}
-
-
+
}
\ No newline at end of file
diff --git a/webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileZipSlip.java b/webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileZipSlip.java
index 7bf9239bf..e119a1f4e 100644
--- a/webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileZipSlip.java
+++ b/webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileZipSlip.java
@@ -7,14 +7,12 @@ import org.owasp.webgoat.session.WebSession;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.ResponseEntity;
import org.springframework.util.FileCopyUtils;
-import org.springframework.util.FileSystemUtils;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.multipart.MultipartFile;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
-import java.nio.file.CopyOption;
import java.nio.file.Files;
import java.nio.file.StandardCopyOption;
import java.util.Arrays;
@@ -45,22 +43,21 @@ public class ProfileZipSlip extends ProfileUploadBase {
@SneakyThrows
private AttackResult processZipUpload(MultipartFile file) {
- var tmpZipDirectory = new File(getWebGoatHomeDirectory(), "/PathTraversal/zip-slip/" + getWebSession().getUserName());
+ var tmpZipDirectory = Files.createTempDirectory(getWebSession().getUserName());
var uploadDirectory = new File(getWebGoatHomeDirectory(), "/PathTraversal/" + getWebSession().getUserName());
- FileSystemUtils.deleteRecursively(uploadDirectory);
- Files.createDirectories(tmpZipDirectory.toPath());
+ var currentImage = getProfilePictureAsBase64();
+
Files.createDirectories(uploadDirectory.toPath());
- byte[] currentImage = getProfilePictureAsBase64();
try {
- var uploadedZipFile = new File(tmpZipDirectory, file.getOriginalFilename());
- FileCopyUtils.copy(file.getBytes(), uploadedZipFile);
+ var uploadedZipFile = tmpZipDirectory.resolve(file.getOriginalFilename());
+ FileCopyUtils.copy(file.getBytes(), uploadedZipFile.toFile());
- ZipFile zip = new ZipFile(uploadedZipFile);
+ ZipFile zip = new ZipFile(uploadedZipFile.toFile());
Enumeration extends ZipEntry> entries = zip.entries();
while (entries.hasMoreElements()) {
ZipEntry e = entries.nextElement();
- File f = new File(uploadDirectory, e.getName());
+ File f = new File(tmpZipDirectory.toFile(), e.getName());
InputStream is = zip.getInputStream(e);
Files.copy(is, f.toPath(), StandardCopyOption.REPLACE_EXISTING);
}
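Review bot: The `ZipFile` opened at L427 and each `InputStream` returned by `zip.getInputStream(e)` at L433 are never closed in the visible code; unless the part of the try block past the hunk closes them, every upload leaks file handles, and with `@SneakyThrows` on the method an exception mid-loop skips any later cleanup as well. `try (var zip = new ZipFile(uploadedZipFile.toFile()))` around the loop and `try (var is = zip.getInputStream(e))` around the copy fix both. Separately, the commit removes `FileSystemUtils.deleteRecursively(uploadDirectory)` and replaces the per-user directory with a fresh `Files.createTempDirectory(...)` per request without a visible delete, so extracted archives accumulate under the temp directory for the life of the host; if that cleanup is not done below the hunk, delete `tmpZipDirectory` in a finally. The unchecked `e.getName()` at L432 is the lesson's intentional zip-slip and should stay as it is.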
diff --git a/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_zip_slip_solution.adoc b/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_zip_slip_solution.adoc
index dc55affce..bb909b1d8 100644
--- a/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_zip_slip_solution.adoc
+++ b/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_zip_slip_solution.adoc
@@ -8,7 +8,7 @@ curl -o cat.jpg http://localhost:8080/WebGoat/images/cats/1.jpg
zip profile.zip cat.jpg
----
-Now let's upload this as our profile image, we can see nothing happens as mentioned in the assignment there is a bug in the software and the result we see on the screen is:
+Now let's upload this as our profile image, we can see nothing happens as mentioned in the assignment there is a bug in the software, and the result we see on the screen is:
[source]
----
diff --git a/webgoat-lessons/vulnerable-components/pom.xml b/webgoat-lessons/vulnerable-components/pom.xml
index f16525506..7bc052d21 100644
--- a/webgoat-lessons/vulnerable-components/pom.xml
+++ b/webgoat-lessons/vulnerable-components/pom.xml
@@ -35,4 +35,20 @@
1.2
+
+
+
+
+ org.apache.maven.plugins
+ maven-surefire-plugin
+ ${maven-surefire-plugin.version}
+
+
+
+ --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED
+
+
+
+
+
diff --git a/webgoat-lessons/xxe/pom.xml b/webgoat-lessons/xxe/pom.xml
index 758b560f1..856f225c4 100644
--- a/webgoat-lessons/xxe/pom.xml
+++ b/webgoat-lessons/xxe/pom.xml
@@ -11,21 +11,20 @@
- commons-lang
- commons-lang
- 2.6
+ org.apache.commons
+ commons-lang3
+ ${commons-lang3.version}
org.glassfish.jaxb
jaxb-runtime
- 2.3.0
com.github.tomakehurst
wiremock
- 2.27.2
- test
+ test
+ ${wiremock.version}
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
index c627d727f..4283c2895 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
@@ -23,6 +23,7 @@
package org.owasp.webgoat.xxe;
import org.apache.commons.exec.OS;
+import org.apache.commons.lang3.exception.ExceptionUtils;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AttackResult;
@@ -67,17 +68,17 @@ public class ContentTypeAssignment extends AssignmentEndpoint {
if (null != contentType && contentType.contains(MediaType.APPLICATION_XML_VALUE)) {
String error = "";
try {
- boolean secure = false;
- if (null != request.getSession().getAttribute("applySecurity")) {
- secure = true;
- }
+ boolean secure = false;
+ if (null != request.getSession().getAttribute("applySecurity")) {
+ secure = true;
+ }
Comment comment = comments.parseXml(commentStr, secure);
comments.addComment(comment, false);
if (checkSolution(comment)) {
attackResult = success(this).build();
}
} catch (Exception e) {
- error = org.apache.commons.lang.exception.ExceptionUtils.getFullStackTrace(e);
+ error = ExceptionUtils.getStackTrace(e);
attackResult = failed(this).feedback("xxe.content.type.feedback.xml").output(error).build();
}
}
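Review bot: The reindented block at L508–L511 still derives `secure` through a mutable flag and an if; since these are new lines anyway, `boolean secure = request.getSession().getAttribute("applySecurity") != null;` says the same thing in one line. The `ExceptionUtils.getStackTrace(e)` swap at L519 is the commons-lang3 counterpart of the removed `getFullStackTrace` and, like SimpleXXE at L560, still hands the whole trace to the client through `output(error)`; that is what the lesson wants, but a comment above the catch, e.g. `// stack trace is deliberately echoed to the client as lesson feedback`, would stop a later reader from "fixing" it. The enclosing method starts and ends outside the hunk.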
@@ -85,13 +86,13 @@ public class ContentTypeAssignment extends AssignmentEndpoint {
return attackResult;
}
- private boolean checkSolution(Comment comment) {
- String[] directoriesToCheck = OS.isFamilyMac() || OS.isFamilyUnix() ? DEFAULT_LINUX_DIRECTORIES : DEFAULT_WINDOWS_DIRECTORIES;
- boolean success = false;
- for (String directory : directoriesToCheck) {
- success |= org.apache.commons.lang3.StringUtils.contains(comment.getText(), directory);
- }
- return success;
- }
+ private boolean checkSolution(Comment comment) {
+ String[] directoriesToCheck = OS.isFamilyMac() || OS.isFamilyUnix() ? DEFAULT_LINUX_DIRECTORIES : DEFAULT_WINDOWS_DIRECTORIES;
+ boolean success = false;
+ for (String directory : directoriesToCheck) {
+ success |= org.apache.commons.lang3.StringUtils.contains(comment.getText(), directory);
+ }
+ return success;
+ }
}
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
index 30930c97d..888bb25d3 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
@@ -23,7 +23,7 @@
package org.owasp.webgoat.xxe;
import org.apache.commons.exec.OS;
-import org.apache.commons.lang.exception.ExceptionUtils;
+import org.apache.commons.lang3.exception.ExceptionUtils;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AttackResult;
@@ -80,7 +80,7 @@ public class SimpleXXE extends AssignmentEndpoint {
return success(this).build();
}
} catch (Exception e) {
- error = ExceptionUtils.getFullStackTrace(e);
+ error = ExceptionUtils.getStackTrace(e);
}
return failed(this).output(error).build();
}