| @ -1,4 +1,4 @@ | ||||
| FROM openjdk:15-slim | ||||
| FROM openjdk:16-slim | ||||
|  | ||||
| ARG webgoat_version=8.2.1-SNAPSHOT | ||||
| ENV webgoat_version_env=${webgoat_version} | ||||
|  | ||||
| @ -8,9 +8,11 @@ echo "Starting WebGoat..." | ||||
| java \ | ||||
|  -Duser.home=/home/webgoat \ | ||||
|  -Dfile.encoding=UTF-8 \ | ||||
|  --add-opens java.base/java.lang=ALL-UNNAMED \ | ||||
|  --add-opens java.base/java.util=ALL-UNNAMED \ | ||||
|  --add-opens java.base/java.lang.reflect=ALL-UNNAMED \ | ||||
|  --add-opens java.base/java.text=ALL-UNNAMED \ | ||||
|  --add-opens java.desktop/java.beans=ALL-UNNAMED \ | ||||
|  --add-opens java.desktop/java.awt.font=ALL-UNNAMED \ | ||||
|  --add-opens java.base/sun.nio.ch=ALL-UNNAMED \ | ||||
|  --add-opens java.base/java.io=ALL-UNNAMED \ | ||||
|  | ||||
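Review bot: The eight `--add-opens` entries added to the `java` invocation (java.lang, java.util, java.lang.reflect, java.text, java.beans, java.awt.font, sun.nio.ch, java.io) re-open JDK internals to every unnamed module at runtime, and nothing records which dependency needs which one, so the list can only grow; add a comment above the block such as `# JDK 16 enforces strong encapsulation; each --add-opens below is required by a reflective dependency — drop entries as those libraries are upgraded`. The same list reappears with different members in the surefire `<argLine>` of the two module poms changed in this commit (`java.base/java.lang` and `java.base/java.io` are opened only here), so the tests never run under the module configuration the container uses; a single `surefire.argLine` property in the parent pom that the Dockerfile mirrors would keep the three in step. The `java \` command continues beyond the hunk.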
							| @ -8,6 +8,12 @@ | ||||
|     <packaging>pom</packaging> | ||||
|     <version>8.2.1-SNAPSHOT</version> | ||||
|  | ||||
|     <parent> | ||||
|         <groupId>org.springframework.boot</groupId> | ||||
|         <artifactId>spring-boot-starter-parent</artifactId> | ||||
|         <version>2.5.4</version> | ||||
|     </parent> | ||||
|  | ||||
|     <name>WebGoat Parent Pom</name> | ||||
|     <description>Parent Pom for the WebGoat Project. A deliberately insecure Web Application</description> | ||||
|     <inceptionYear>2006</inceptionYear> | ||||
| @ -22,12 +28,6 @@ | ||||
|         <url>https://github.com/WebGoat/WebGoat/</url> | ||||
|     </organization> | ||||
|  | ||||
|     <parent> | ||||
|         <groupId>org.springframework.boot</groupId> | ||||
|         <artifactId>spring-boot-starter-parent</artifactId> | ||||
|         <version>2.4.3</version> | ||||
|     </parent> | ||||
|  | ||||
|     <licenses> | ||||
|         <license> | ||||
|             <name>GNU General Public License, version 2</name> | ||||
| @ -122,22 +122,21 @@ | ||||
|         <maven.compiler.source>15</maven.compiler.source> | ||||
|         <maven.compiler.target>15</maven.compiler.target> | ||||
|  | ||||
|         <!-- This build number will be ubdated by Travis-CI --> | ||||
|         <build.number>build</build.number> | ||||
|  | ||||
|         <!-- Shared properties with plugins and version numbers across submodules--> | ||||
|         <activation.version>1.1.1</activation.version> | ||||
|         <asciidoctorj.version>2.5.2</asciidoctorj.version> | ||||
|         <commons-collections.version>3.2.1</commons-collections.version> | ||||
|         <commons-lang3.version>3.4</commons-lang3.version> | ||||
|         <commons-lang3.version>3.12.0</commons-lang3.version> | ||||
|         <commons-io.version>2.6</commons-io.version> | ||||
|         <guava.version>30.1-jre</guava.version> | ||||
|         <lombok.version>1.18.20</lombok.version> | ||||
|         <wiremock.version>2.27.2</wiremock.version> | ||||
|         <maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version> | ||||
|         <maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version> | ||||
|         <maven-jar-plugin.version>3.1.2</maven-jar-plugin.version> | ||||
|         <maven-javadoc-plugin.version>3.1.1</maven-javadoc-plugin.version> | ||||
|         <maven-source-plugin.version>3.1.0</maven-source-plugin.version> | ||||
|         <maven-surefire-plugin.version>3.0.0-M4</maven-surefire-plugin.version> | ||||
|         <maven-surefire-plugin.version>3.0.0-M5</maven-surefire-plugin.version> | ||||
|         <java.version>15</java.version> | ||||
|     </properties> | ||||
|  | ||||
|  | ||||
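Review bot: `<java.version>`, `maven.compiler.source` and `maven.compiler.target` stay at 15 in this hunk while the Dockerfile in the same commit moves the runtime image to `openjdk:16-slim` and the new surefire comments refer to JDK 16; compiling 15 bytecode and running it on 16 works, but the split is undocumented and reads like an oversight. Either add `<!-- compiled for Java 15; CI and the Docker image run JDK 16 -->` next to `<java.version>` or move the three values to 16 together. While here, the kept comment says `ubdated` for `updated`.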
| @ -17,13 +17,7 @@ | ||||
|             <plugin> | ||||
|                 <groupId>org.apache.maven.plugins</groupId> | ||||
|                 <artifactId>maven-surefire-plugin</artifactId> | ||||
|                 <configuration> | ||||
|                     <forkCount>0</forkCount> | ||||
|                     <reuseForks>true</reuseForks> | ||||
|                     <argLine> | ||||
|                         --illegal-access=permit | ||||
|                     </argLine> | ||||
|                 </configuration> | ||||
|                 <version>${maven-surefire-plugin.version}</version> | ||||
|             </plugin> | ||||
|             <plugin> | ||||
|                 <groupId>org.apache.maven.plugins</groupId> | ||||
| @ -70,7 +64,7 @@ | ||||
|         <dependency> | ||||
|             <groupId>org.asciidoctor</groupId> | ||||
|             <artifactId>asciidoctorj</artifactId> | ||||
|             <version>2.4.3</version> | ||||
|             <version>${asciidoctorj.version}</version> | ||||
|         </dependency> | ||||
|         <dependency> | ||||
|             <groupId>org.springframework.boot</groupId> | ||||
|  | ||||
| @ -62,14 +62,12 @@ | ||||
|                 <artifactId>maven-surefire-plugin</artifactId> | ||||
|                 <version>${maven-surefire-plugin.version}</version> | ||||
|                 <configuration> | ||||
|                     <forkCount>0</forkCount> | ||||
|                     <reuseForks>true</reuseForks> | ||||
|                     <!-- Otherwise test will fail with JDK16 --> | ||||
|                     <argLine> | ||||
|                         --illegal-access=permit | ||||
|                         --add-opens java.base/java.lang=ALL-UNNAMED --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.beans=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED --add-opens java.base/sun.nio.ch=ALL-UNNAMED | ||||
|                     </argLine> | ||||
|                 </configuration> | ||||
|             </plugin> | ||||
|         </plugins> | ||||
|     </build> | ||||
|  | ||||
| </project> | ||||
|  | ||||
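Review bot: The new `<argLine>` in this module's surefire configuration appears to keep `--illegal-access=permit` next to the `--add-opens` list (the rendering does not show which of the old lines survived); on JDK 16 that blanket flag only downgrades failures to warnings and JDK 17 rejects it outright, so it should go and only the explicit opens should remain, as the sibling module hunk that dropped its argLine already does. The added comment `<!-- Otherwise test will fail with JDK16 -->` says what but not why; `<!-- JDK 16 enforces strong encapsulation; these opens are needed by [LIBRARY-NAME] in the tests -->` with the real library filled in would let the list be pruned when that dependency is upgraded.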
| @ -24,9 +24,8 @@ import java.util.zip.ZipOutputStream; | ||||
| 
 | ||||
| import static org.junit.jupiter.api.DynamicTest.dynamicTest; | ||||
| 
 | ||||
| public class PathTraversalTest extends IntegrationTest { | ||||
| class PathTraversalITTest extends IntegrationTest { | ||||
| 
 | ||||
|     //the JUnit5 way | ||||
|     @TempDir | ||||
|     Path tempDir; | ||||
| 
 | ||||
| @ -35,8 +34,7 @@ public class PathTraversalTest extends IntegrationTest { | ||||
|     @BeforeEach | ||||
|     @SneakyThrows | ||||
|     public void init() { | ||||
|         fileToUpload = Files.createFile( | ||||
|                 tempDir.resolve("test.jpg")).toFile(); | ||||
|         fileToUpload = Files.createFile(tempDir.resolve("test.jpg")).toFile(); | ||||
|         Files.write(fileToUpload.toPath(), "This is a test".getBytes()); | ||||
|         startLesson("PathTraversal"); | ||||
|     } | ||||
| @ -52,7 +50,7 @@ public class PathTraversalTest extends IntegrationTest { | ||||
|         ); | ||||
|     } | ||||
| 
 | ||||
|     public void assignment1() throws IOException { | ||||
|     private void assignment1() throws IOException { | ||||
|         MatcherAssert.assertThat( | ||||
|                 RestAssured.given() | ||||
|                         .when() | ||||
| @ -66,7 +64,7 @@ public class PathTraversalTest extends IntegrationTest { | ||||
|                         .extract().path("lessonCompleted"), CoreMatchers.is(true)); | ||||
|     } | ||||
| 
 | ||||
|     public void assignment2() throws IOException { | ||||
|     private void assignment2() throws IOException { | ||||
|         MatcherAssert.assertThat( | ||||
|                 RestAssured.given() | ||||
|                         .when() | ||||
| @ -80,7 +78,7 @@ public class PathTraversalTest extends IntegrationTest { | ||||
|                         .extract().path("lessonCompleted"), CoreMatchers.is(true)); | ||||
|     } | ||||
| 
 | ||||
|     public void assignment3() throws IOException { | ||||
|     private void assignment3() throws IOException { | ||||
|         MatcherAssert.assertThat( | ||||
|                 RestAssured.given() | ||||
|                         .when() | ||||
| @ -93,7 +91,7 @@ public class PathTraversalTest extends IntegrationTest { | ||||
|                         .extract().path("lessonCompleted"), CoreMatchers.is(true)); | ||||
|     } | ||||
| 
 | ||||
|     public void assignment4() throws IOException { | ||||
|     private void assignment4() throws IOException { | ||||
|         var uri = "/WebGoat/PathTraversal/random-picture?id=%2E%2E%2F%2E%2E%2Fpath-traversal-secret"; | ||||
|         RestAssured.given().urlEncodingEnabled(false) | ||||
|                 .when() | ||||
| @ -102,17 +100,17 @@ public class PathTraversalTest extends IntegrationTest { | ||||
|                 .get(uri) | ||||
|                 .then() | ||||
|                 .statusCode(200) | ||||
|                 .content(CoreMatchers.is("You found it submit the SHA-512 hash of your username as answer")); | ||||
|                 .body(CoreMatchers.is("You found it submit the SHA-512 hash of your username as answer")); | ||||
| 
 | ||||
|         checkAssignment("/WebGoat/PathTraversal/random", Map.of("secret", Sha512DigestUtils.shaHex(getWebgoatUser())), true); | ||||
|     } | ||||
| 
 | ||||
|     public void assignment5() throws IOException { | ||||
|         var webGoatHome = System.getProperty("user.dir") + "/target/.webgoat/PathTraversal/" + getWebgoatUser(); | ||||
|     private void assignment5() throws IOException { | ||||
|         var webGoatHome = System.getProperty("java.io.tmpdir") + "/webgoat/PathTraversal/" + getWebgoatUser(); | ||||
|         webGoatHome = webGoatHome.replaceAll("^[a-zA-Z]:", ""); //Remove C: from the home directory on Windows | ||||
| 
 | ||||
|         var webGoatDirectory = new File(webGoatHome); | ||||
|         var zipFile = new File(webGoatDirectory, "upload.zip"); | ||||
|         var zipFile = new File(tempDir.toFile(), "upload.zip"); | ||||
|         try (var zos = new ZipOutputStream(new FileOutputStream(zipFile))) { | ||||
|             ZipEntry e = new ZipEntry("../../../../../../../../../../" + webGoatDirectory.toString() + "/image.jpg"); | ||||
|             zos.putNextEntry(e); | ||||
| @ -132,7 +130,7 @@ public class PathTraversalTest extends IntegrationTest { | ||||
|     } | ||||
| 
 | ||||
|     @AfterEach | ||||
|     public void shutdown() { | ||||
|     void shutdown() { | ||||
|         //this will run only once after the list of dynamic tests has run, this is to test if the lesson is marked complete | ||||
|         checkResults("/PathTraversal"); | ||||
|     } | ||||
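Review bot: The new `webGoatHome` built from `java.io.tmpdir` in `assignment5` is only correct because `application-webgoat.properties` in this same commit sets `webgoat.user.directory=${java.io.tmpdir}/webgoat`; the test does not say so, and if the server under test runs in a different JVM or container with another `java.io.tmpdir`, the traversal entry written into the zip a few lines later no longer points at the directory the server writes to. Add `// must match webgoat.user.directory in application-webgoat.properties (${java.io.tmpdir}/webgoat)` above the line, and consider `Path.of(System.getProperty("java.io.tmpdir"), "webgoat", "PathTraversal", getWebgoatUser())` instead of string concatenation, which also avoids a doubled separator when the property value ends with one (the drive-letter `replaceAll` would then run on its `toString()`). The method body continues past the hunk.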
| @ -1,9 +1,9 @@ | ||||
| #In order to run tests a known temp directory is preferred | ||||
| #that is why these values are used | ||||
|  | ||||
| webgoat.user.directory=${user.dir}/target/.webgoat | ||||
| webgoat.server.directory=${user.dir}/target/.webgoat | ||||
| webwolf.fileserver.location=${user.dir}/target/webwolf-fileserver | ||||
| webgoat.user.directory=${java.io.tmpdir}/webgoat | ||||
| webgoat.server.directory=${java.io.tmpdir}/webgoat | ||||
| webwolf.fileserver.location=${java.io.tmpdir}/webwolf-fileserver | ||||
|  | ||||
| #database will get deleted for every mvn clean install | ||||
| #as these extra properties are read by WebGoat and WebWolf the drop of the tables  | ||||
|  | ||||
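Review bot: The comment kept at the end of the hunk, `#database will get deleted for every mvn clean install`, stops being true once the directories move from `${user.dir}/target/...` to `${java.io.tmpdir}/...`: `mvn clean` removes `target/`, not the JVM temp directory, so whatever WebGoat and WebWolf keep there now persists across runs and is visible to every user sharing the host's temp directory. Either keep the data under `target/` or rewrite the comment to `#data under java.io.tmpdir is NOT removed by mvn clean; delete it for a fresh run` and have the integration tests clean it themselves. Whether the database file actually lives under these directories is not visible here.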
| @ -16,28 +16,4 @@ | ||||
|             <version>1.14.2</version> | ||||
|         </dependency> | ||||
|     </dependencies> | ||||
|     <build> | ||||
|        <plugins> | ||||
|            <plugin> | ||||
|                <groupId>org.asciidoctor</groupId> | ||||
|                <artifactId>asciidoctor-maven-plugin</artifactId> | ||||
|                <version>1.5.3</version> | ||||
|  | ||||
|                <executions> | ||||
|                    <execution> | ||||
|                        <id>output-html</id> | ||||
|                        <phase>generate-resources</phase> | ||||
|                        <goals> | ||||
|                            <goal>process-asciidoc</goal> | ||||
|                        </goals> | ||||
|                        <configuration> | ||||
|                            <backend>html</backend> | ||||
|                            <sourceDirectory>src/main/resources/lessonPlans/en/</sourceDirectory> | ||||
|                        </configuration> | ||||
|                    </execution> | ||||
|  | ||||
|                </executions> | ||||
|            </plugin> | ||||
|        </plugins> | ||||
|    </build> | ||||
| </project> | ||||
| @ -31,7 +31,7 @@ public class DeserializeTest extends AssignmentEndpointTest { | ||||
|  | ||||
|     @Test | ||||
|     public void success() throws Exception { | ||||
|     	if (OS.indexOf("win")>-1) { | ||||
|         if (OS.indexOf("win") > -1) { | ||||
|             mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task") | ||||
|                     .header("x-request-intercepted", "true") | ||||
|                     .param("token", SerializationHelper.toString(new VulnerableTaskHolder("wait", "ping localhost -n 5")))) | ||||
| @ -75,7 +75,6 @@ public class DeserializeTest extends AssignmentEndpointTest { | ||||
|     } | ||||
|  | ||||
|  | ||||
|      | ||||
|     @Test | ||||
|     public void checkOtherObject() throws Exception { | ||||
|         String token = "rO0ABXQAVklmIHlvdSBkZXNlcmlhbGl6ZSBtZSBkb3duLCBJIHNoYWxsIGJlY29tZSBtb3JlIHBvd2VyZnVsIHRoYW4geW91IGNhbiBwb3NzaWJseSBpbWFnaW5l"; | ||||
| @ -88,5 +87,4 @@ public class DeserializeTest extends AssignmentEndpointTest { | ||||
|     } | ||||
|  | ||||
|  | ||||
|  | ||||
| } | ||||
| @ -7,14 +7,12 @@ import org.owasp.webgoat.session.WebSession; | ||||
| import org.springframework.beans.factory.annotation.Value; | ||||
| import org.springframework.http.ResponseEntity; | ||||
| import org.springframework.util.FileCopyUtils; | ||||
| import org.springframework.util.FileSystemUtils; | ||||
| import org.springframework.web.bind.annotation.*; | ||||
| import org.springframework.web.multipart.MultipartFile; | ||||
|  | ||||
| import java.io.File; | ||||
| import java.io.IOException; | ||||
| import java.io.InputStream; | ||||
| import java.nio.file.CopyOption; | ||||
| import java.nio.file.Files; | ||||
| import java.nio.file.StandardCopyOption; | ||||
| import java.util.Arrays; | ||||
| @ -45,22 +43,21 @@ public class ProfileZipSlip extends ProfileUploadBase { | ||||
|  | ||||
|     @SneakyThrows | ||||
|     private AttackResult processZipUpload(MultipartFile file) { | ||||
|         var tmpZipDirectory = new File(getWebGoatHomeDirectory(), "/PathTraversal/zip-slip/" + getWebSession().getUserName()); | ||||
|         var tmpZipDirectory = Files.createTempDirectory(getWebSession().getUserName()); | ||||
|         var uploadDirectory = new File(getWebGoatHomeDirectory(), "/PathTraversal/" + getWebSession().getUserName()); | ||||
|         FileSystemUtils.deleteRecursively(uploadDirectory); | ||||
|         Files.createDirectories(tmpZipDirectory.toPath()); | ||||
|         var currentImage = getProfilePictureAsBase64(); | ||||
|  | ||||
|         Files.createDirectories(uploadDirectory.toPath()); | ||||
|         byte[] currentImage = getProfilePictureAsBase64(); | ||||
|  | ||||
|         try { | ||||
|             var uploadedZipFile = new File(tmpZipDirectory, file.getOriginalFilename()); | ||||
|             FileCopyUtils.copy(file.getBytes(), uploadedZipFile); | ||||
|             var uploadedZipFile = tmpZipDirectory.resolve(file.getOriginalFilename()); | ||||
|             FileCopyUtils.copy(file.getBytes(), uploadedZipFile.toFile()); | ||||
|  | ||||
|             ZipFile zip = new ZipFile(uploadedZipFile); | ||||
|             ZipFile zip = new ZipFile(uploadedZipFile.toFile()); | ||||
|             Enumeration<? extends ZipEntry> entries = zip.entries(); | ||||
|             while (entries.hasMoreElements()) { | ||||
|                 ZipEntry e = entries.nextElement(); | ||||
|                 File f = new File(uploadDirectory, e.getName()); | ||||
|                 File f = new File(tmpZipDirectory.toFile(), e.getName()); | ||||
|                 InputStream is = zip.getInputStream(e); | ||||
|                 Files.copy(is, f.toPath(), StandardCopyOption.REPLACE_EXISTING); | ||||
|             } | ||||
|  | ||||
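Review bot: The per-upload directory from `Files.createTempDirectory(getWebSession().getUserName())` is never removed, and the `ZipFile` opened on the following new line is not closed, so every upload leaves behind a temp directory holding the raw archive and its extracted entries plus an open file handle; the previous code at least called `FileSystemUtils.deleteRecursively` on the upload directory, and this commit drops that import. Open the archive as `try (ZipFile zip = new ZipFile(uploadedZipFile.toFile())) { … }` and delete `tmpZipDirectory` in a `finally`, for example with the `FileSystemUtils.deleteRecursively` being removed here. The extraction still does `new File(tmpZipDirectory.toFile(), e.getName())` without normalising the entry name — presumably on purpose for the zip-slip lesson, so state it: `// deliberately vulnerable: entry names are not validated (zip slip)`. The rest of the method, where a close or cleanup might already happen, lies outside the hunk.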
| @ -8,7 +8,7 @@ curl -o cat.jpg http://localhost:8080/WebGoat/images/cats/1.jpg | ||||
| zip profile.zip cat.jpg | ||||
| ---- | ||||
|  | ||||
| Now let's upload this as our profile image, we can see nothing happens as mentioned in the assignment there is a bug in the software and the result we see on the screen is: | ||||
| Now let's upload this as our profile image, we can see nothing happens as mentioned in the assignment there is a bug in the software, and the result we see on the screen is: | ||||
|  | ||||
| [source] | ||||
| ---- | ||||
|  | ||||
| @ -35,4 +35,20 @@ | ||||
|             <version>1.2</version> | ||||
|         </dependency> | ||||
|     </dependencies> | ||||
|  | ||||
|     <build> | ||||
|         <plugins> | ||||
|             <plugin> | ||||
|                 <groupId>org.apache.maven.plugins</groupId> | ||||
|                 <artifactId>maven-surefire-plugin</artifactId> | ||||
|                 <version>${maven-surefire-plugin.version}</version> | ||||
|                 <configuration> | ||||
|                     <!-- Otherwise test will fail with JDK16 --> | ||||
|                     <argLine> | ||||
|                         --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED | ||||
|                     </argLine> | ||||
|                 </configuration> | ||||
|             </plugin> | ||||
|         </plugins> | ||||
|     </build> | ||||
| </project> | ||||
|  | ||||
| @ -11,21 +11,20 @@ | ||||
|  | ||||
|     <dependencies> | ||||
|         <dependency> | ||||
|             <groupId>commons-lang</groupId> | ||||
|             <artifactId>commons-lang</artifactId> | ||||
|             <version>2.6</version> | ||||
|             <groupId>org.apache.commons</groupId> | ||||
|             <artifactId>commons-lang3</artifactId> | ||||
|             <version>${commons-lang3.version}</version> | ||||
|         </dependency> | ||||
|         <dependency> | ||||
|             <groupId>org.glassfish.jaxb</groupId> | ||||
|             <artifactId>jaxb-runtime</artifactId> | ||||
|             <version>2.3.0</version> | ||||
|         </dependency> | ||||
|  | ||||
|         <dependency> | ||||
|             <groupId>com.github.tomakehurst</groupId> | ||||
|             <artifactId>wiremock</artifactId> | ||||
|             <version>2.27.2</version> | ||||
|             <scope>test</scope> | ||||
|             <version>${wiremock.version}</version> | ||||
|         </dependency> | ||||
|  | ||||
|     </dependencies> | ||||
|  | ||||
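Review bot: The wiremock block loses one line in this hunk beyond the version swap, and the rendering cannot show whether that line is a blank or `<scope>test</scope>`; if the scope went, WireMock and its embedded HTTP server become a compile-scope dependency packaged into the application. Please confirm the new block still reads `<version>${wiremock.version}</version>` followed by `<scope>test</scope>`.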
| @ -23,6 +23,7 @@ | ||||
| package org.owasp.webgoat.xxe; | ||||
|  | ||||
| import org.apache.commons.exec.OS; | ||||
| import org.apache.commons.lang3.exception.ExceptionUtils; | ||||
| import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.assignments.AssignmentHints; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| @ -77,7 +78,7 @@ public class ContentTypeAssignment extends AssignmentEndpoint { | ||||
|                     attackResult = success(this).build(); | ||||
|                 } | ||||
|             } catch (Exception e) { | ||||
|                 error = org.apache.commons.lang.exception.ExceptionUtils.getFullStackTrace(e); | ||||
|                 error = ExceptionUtils.getStackTrace(e); | ||||
|                 attackResult = failed(this).feedback("xxe.content.type.feedback.xml").output(error).build(); | ||||
|             } | ||||
|         } | ||||
|  | ||||
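Review bot: `ExceptionUtils.getStackTrace(e)` still feeds the full stack trace into `output(error)` and so into the HTTP response, so the move to commons-lang3 preserves an information-disclosure path (class names, internal paths, library versions) that has nothing to do with the XXE lesson; the `SimpleXXE` hunk below has the same pattern. If showing the raw parser error is intended teaching feedback, mark it with `// lesson feedback: the raw parser error is shown on purpose`; otherwise return `e.getMessage()` or a fixed feedback key and log the trace server-side. The enclosing method starts before the hunk.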
| @ -23,7 +23,7 @@ | ||||
| package org.owasp.webgoat.xxe; | ||||
|  | ||||
| import org.apache.commons.exec.OS; | ||||
| import org.apache.commons.lang.exception.ExceptionUtils; | ||||
| import org.apache.commons.lang3.exception.ExceptionUtils; | ||||
| import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.assignments.AssignmentHints; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| @ -80,7 +80,7 @@ public class SimpleXXE extends AssignmentEndpoint { | ||||
|                 return success(this).build(); | ||||
|             } | ||||
|         } catch (Exception e) { | ||||
|             error = ExceptionUtils.getFullStackTrace(e); | ||||
|             error = ExceptionUtils.getStackTrace(e); | ||||
|         } | ||||
|         return failed(this).output(error).build(); | ||||
|     } | ||||
|  | ||||