Merge branch 'next' into WEB-139

2014-09-15 15:52:57 +02:00 · 2014-09-15 15:52:57 +02:00 · 0da280c4f8
commit 0da280c4f8
parent a3bf6d0e6f 9bb1cb8d9c
11 changed files with 1715 additions and 256 deletions
--- a/pom.xml
+++ b/pom.xml
@ -1,5 +1,6 @@
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
    <name>WebGoat</name>
    <modelVersion>4.0.0</modelVersion>
    <groupId>WebGoat</groupId>
    <artifactId>WebGoat</artifactId>
@ -19,6 +20,8 @@
        <org.springframework.version>3.2.4.RELEASE</org.springframework.version>
        <spring.security.version>3.2.4.RELEASE</spring.security.version>
        <tiles.version>2.2.2</tiles.version>
        <!-- If run from Bamboo this will be replaced with the bamboo build number -->
        <build.number>local</build.number>
    </properties>
    <build>
@ -40,6 +43,22 @@
                    <encoding>ISO-8859-1</encoding>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-war-plugin</artifactId>
                <configuration>
                    <manifest>
                        <addDefaultImplementationEntries>true</addDefaultImplementationEntries>
                    </manifest>
                    <archive>
                        <manifestEntries>
                            <Specification-Title>${project.name}</Specification-Title>
                            <Specification-Version>${project.version}</Specification-Version>
                            <Implementation-Version>${build.number}</Implementation-Version>
                        </manifestEntries>
                    </archive>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.tomcat.maven</groupId>
                <artifactId>tomcat7-maven-plugin</artifactId>
--- a/src/main/java/org/owasp/webgoat/application/Application.java
+++ b/src/main/java/org/owasp/webgoat/application/Application.java
@ -0,0 +1,88 @@
 /*
 * To change this license header, choose License Headers in Project Properties.
 * To change this template file, choose Tools | Templates
 * and open the template in the editor.
 */
 package org.owasp.webgoat.application;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.builder.ToStringBuilder;
 /**
 * Singleton which is created on context startup
 *
 * @author rlawson
 */
 public class Application {
    private static final Application INSTANCE = new Application();
    private Application() {
    }
    public static final Application getInstance() {
        return INSTANCE;
    }
    private String version = "SNAPSHOT";
    private String build = "local";
    private String name = "WebGoat";
    /**
     * @return the version
     */
    public String getVersion() {
        return version;
    }
    /**
     * @param version the version to set
     */
    public void setVersion(String version) {
        if (StringUtils.isNotBlank(version)) {
            this.version = version;
        }
    }
    /**
     * @return the build
     */
    public String getBuild() {
        return build;
    }
    /**
     * @param build the build to set
     */
    public void setBuild(String build) {
        if (StringUtils.isNotBlank(build)) {
            this.build = build;
        }
    }
    /**
     * @return the name
     */
    public String getName() {
        return name;
    }
    /**
     * @param name the name to set
     */
    public void setName(String name) {
        if (StringUtils.isNotBlank(name)) {
            this.name = name;
        }
    }
    @Override
    public String toString() {
        return new ToStringBuilder(this).
                append("name", name).
                append("version", version).
                append("build", build).
                toString();
    }
 }
--- a/src/main/java/org/owasp/webgoat/application/WebGoatServletListener.java
+++ b/src/main/java/org/owasp/webgoat/application/WebGoatServletListener.java
@ -0,0 +1,52 @@
 /*
 * To change this license header, choose License Headers in Project Properties.
 * To change this template file, choose Tools | Templates
 * and open the template in the editor.
 */
 package org.owasp.webgoat.application;
 import java.io.IOException;
 import java.io.InputStream;
 import java.util.jar.Attributes;
 import java.util.jar.Manifest;
 import javax.servlet.ServletContext;
 import javax.servlet.ServletContextEvent;
 import javax.servlet.ServletContextListener;
 /**
 * Web application lifecycle listener.
 *
 * @author rlawson
 */
 public class WebGoatServletListener implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext context = sce.getServletContext();
        context.log("WebGoat is starting");
        setApplicationVariables(context);
    }
    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        ServletContext context = sce.getServletContext();
        context.log("WebGoat is stopping");
    }
    private void setApplicationVariables(ServletContext context) {
        Application app = Application.getInstance();
        try {
            InputStream inputStream = context.getResourceAsStream("/META-INF/MANIFEST.MF");
            Manifest manifest = new Manifest(inputStream);
            Attributes attr = manifest.getMainAttributes();
            String name = attr.getValue("Specification-Title");
            String version = attr.getValue("Specification-Version");
            String build = attr.getValue("Implementation-Version");
            app.setName(name);
            app.setVersion(version);
            app.setBuild(build);
        } catch (IOException ioe) {
            context.log("Error setting application variables", ioe);
        }
    }
 }
--- a/src/main/java/org/owasp/webgoat/controller/Start.java
+++ b/src/main/java/org/owasp/webgoat/controller/Start.java
@ -10,6 +10,7 @@ import javax.servlet.ServletContext;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.application.Application;
 import org.owasp.webgoat.session.WebSession;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@ -55,6 +56,13 @@ public class Start {
        String contactEmail = servletContext.getInitParameter("email");
        model.addObject("contactEmail", contactEmail);
        String emailList = servletContext.getInitParameter("emaillist");
        model.addObject("emailList", emailList);
        Application app = Application.getInstance();
        logger.info("Setting application properties: " + app);
        model.addObject("version", app.getVersion());
        model.addObject("build", app.getBuild());
        // if everything ok then go to webgoat UI
        model.setViewName("main_new");
--- a/src/main/java/org/owasp/webgoat/service/ApplicationService.java
+++ b/src/main/java/org/owasp/webgoat/service/ApplicationService.java
@ -0,0 +1,59 @@
 /**
 * *************************************************************************************************
 *
 *
 * This file is part of WebGoat, an Open Web Application Security Project
 * utility. For details, please see http://www.owasp.org/
 *
 * Copyright (c) 2002 - 20014 Bruce Mayhew
 *
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License as published by the Free Software
 * Foundation; either version 2 of the License, or (at your option) any later
 * version.
 *
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
 * details.
 *
 * You should have received a copy of the GNU General Public License along with
 * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
 * Place - Suite 330, Boston, MA 02111-1307, USA.
 *
 * Getting Source ==============
 *
 * Source for this application is maintained at
 * https://github.com/WebGoat/WebGoat, a repository for free software projects.
 *
 * For details, please see http://webgoat.github.io
 */
 package org.owasp.webgoat.service;
 import javax.servlet.http.HttpSession;
 import org.owasp.webgoat.application.Application;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 /**
 *
 * @author rlawson
 */
@Controller
 public class ApplicationService extends BaseService {
    /**
     * Returns global application info
     *
     * @param session
     * @return
     */
    @RequestMapping(value = "/application.mvc", produces = "application/json")
    public @ResponseBody
    Application showApplication(HttpSession session) {
        Application app = Application.getInstance();
        return app;
    }
 }
--- a/src/main/webapp/WEB-INF/pages/about.jsp
+++ b/src/main/webapp/WEB-INF/pages/about.jsp
@ -17,13 +17,16 @@
        <p>From the entire WebGoat team, we appreciate your interest and efforts
            in making applications not just better, but safer and more secure for
            everyone. We, as well as our sacrificial goat, thank you.</p>
-        <p>Version: 6.0</p>
+        <p>
            Version: ${version},&nbsp;Build: ${build}
        </p>
        <div class="row">
            <div class="col-md-6">
                <p>Contact us:
                <ul>
-                  <li>WebGoat mailing list: owasp-webgoat@lists.owasp.org</li>
+                    <li>WebGoat mailing list: ${emailList}</li>
-                  <li>Bruce Mayhew:  webgoat@owasp.org</li>
+                    <li>Bruce Mayhew:  ${contactEmail}</li>
                </ul>
                </p>
            </div>
--- a/src/main/webapp/WEB-INF/pages/main_new.jsp
+++ b/src/main/webapp/WEB-INF/pages/main_new.jsp
@ -41,6 +41,7 @@
        <!--Global JS-->
        <script src="js/jquery/jquery-1.10.2.min.js"></script>
        <script src="js/jquery_form/jquery.form.js"></script>  
        <script src="plugins/bootstrap/js/bootstrap.min.js"></script>
        <script src="js/application.js"></script>
@ -76,16 +77,20 @@
                <div class="lessonTitle" >
                    <h1 id="lessonTitle">Lesson Title in here</h1>
                </div><!--lesson title end-->
-                <div class="user-nav pull-right" style="margin-right: 50px;">
+                <div class="user-nav pull-right" style="margin-right: 75px;">
                    <div class="dropdown" style="display:inline">
                        <button type="button" class="btn btn-default  dropdown-toggle" id="dropdownMenu1" data-toggle="dropdown">
                            <i class="fa fa-user"></i> <span class="caret"></span>
                        </button>                   
                        <ul class="dropdown-menu dropdown-menu-left" role="menu" aria-labelledby="dropdownMenu1">
                            <li role="presentation"><a role="menuitem" tabindex="-1" href="<c:url value="j_spring_security_logout" />">Logout</a></li>
                            <li role="presentation" class="divider"></li>     
                            <li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">User: ${user}</a></li>
                            <li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">Role: ${role}</a></li>
                            <li role="presentation" class="divider"></li>   
-                            <li role="presentation"><a role="menuitem" tabindex="-1" href="<c:url value="j_spring_security_logout" />">Logout</a></li>
+                            <li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">${version}</a></li>
                            <li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">Build: ${build}</a></li>                            
                        </ul>
                    </div>
                    <button type="button" class="btn btn-default right_nav_button" ng-click="showAbout()" data-toggle="tooltip" title="About WebGoat">
@ -106,7 +111,7 @@
                <div id="leftside-navigation" class="nano">
                    <ul class="nano-content">
                        <li class="sub-menu" ng-repeat="item in menuTopics">
-                            <a ng-click="expanded = !expanded" href=""><span>{{item.name}}</span><i class="fa {{item.class}}"></i></a>
+                            <a ng-click="expanded = !expanded" href=""><i class="fa {{item.class}}"></i><span>{{item.name}}</span></a>
                            <ul class="slideDown" ng-show="expanded">
                                <li ng-repeat="lesson in item.children">
                                    <a ng-click="renderLesson(lesson.link)" title="link to {{lesson.name}}" href="">{{lesson.name}}</a>
@ -279,9 +284,6 @@
        <!--main content end-->
        </section>
        <!-- TODO pull source into project instead of loading from external -->
        <script src="http://malsup.github.com/jquery.form.js"></script>  
        <script>
            //Load global functions
--- a/src/main/webapp/WEB-INF/web.xml
+++ b/src/main/webapp/WEB-INF/web.xml
@ -1,10 +1,5 @@
-<?xml version="1.0" encoding="ISO-8859-1"?>
+<?xml version="1.0" encoding="UTF-8"?>
-<web-app 
+<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    version="2.5">
    <!-- General description of your web application -->
    <display-name>WebGoat</display-name>
    <description>
@ -14,9 +9,6 @@
      application security problems. Please contact Bruce Mayhew 
      (webgoat@owasp.org) if you have any questions.
    </description>
    <!-- Context initialization parameters that define shared
         String constants used within your application, which
         can be customized by the system administrator who is
@ -33,16 +25,21 @@
         You can define any number of context initialization
         parameters, including zero.
    -->
    <context-param>
        <param-name>email</param-name>
-      <param-value>WebGoat@owasp.org</param-value>
+        <param-value>webgoat@owasp.org</param-value>
        <description>
            The EMAIL address of the administrator to whom questions
            and comments about this application should be addressed.
        </description>
    </context-param>
-    
+    <context-param>
         <param-name>emaillist</param-name>
        <param-value>owasp-webgoat@lists.owasp.org</param-value>
        <description>
            The EMAIL address of the webgoat email list
        </description>
    </context-param>
    <!-- spring MVC -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
@ -51,8 +48,6 @@
 			/WEB-INF/spring-security.xml
 		</param-value>
    </context-param>
    <!-- Servlet definitions for the servlets that make up
         your web application, including initialization
         parameters.  With Tomcat, you can also send requests
@ -77,7 +72,6 @@
         You can define any number of servlets, including zero.
    -->
    <servlet>
        <servlet-name>AxisServlet</servlet-name>
        <display-name>Apache-Axis Servlet</display-name>
@ -85,7 +79,6 @@
          org.apache.axis.transport.http.AxisServlet
      </servlet-class>
    </servlet>
    <servlet>
        <servlet-name>AdminServlet</servlet-name>
        <display-name>Axis Admin Servlet</display-name>
@ -94,7 +87,6 @@
      </servlet-class>
        <load-on-startup>100</load-on-startup>
    </servlet>
    <servlet>
        <servlet-name>SOAPMonitorService</servlet-name>
        <display-name>SOAPMonitorService</display-name>
@ -107,7 +99,6 @@
        </init-param>
        <load-on-startup>100</load-on-startup>
    </servlet>
    <servlet>
        <servlet-name>WebGoat</servlet-name>
        <description>
@ -120,41 +111,33 @@
        name of the action class that will be used to process this request.
      </description>
        <servlet-class>org.owasp.webgoat.HammerHead</servlet-class>
        <init-param>
            <param-name>email</param-name>
            <param-value>WebGoat@owasp.org</param-value>
-      		<description>
+            <description>The EMAIL address of the administrator to whom questions
        		The EMAIL address of the administrator to whom questions
        		and comments about this application should be addressed.
      		</description>
        </init-param>
        <init-param>
            <param-name>debug</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>CookieDebug</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>DefuseOSCommands</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>Enterprise</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>CodingExercises</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <!-- Specify an address where you would like comments to be sent.  -->
            <!-- This can be any URL or HTML tags, and will appear on the report card and lesson incomplete pages -->
@ -165,14 +148,12 @@
 		&lt;A HREF=mailto:webgoat@owasp.org&gt;webgoat@owasp.org&lt;/A&gt;
            </param-value>
        </init-param>
        <init-param>
            <param-name>DatabaseDriver</param-name>
            <param-value>
 		    	org.hsqldb.jdbcDriver
            </param-value>
        </init-param>
        <init-param>
            <param-name>DatabaseConnectionString</param-name>
            <!-- 
@ -181,12 +162,9 @@
             -->
            <param-value>jdbc:hsqldb:mem:${USER}</param-value>
        </init-param>
        <!-- Load this servlet at server startup time -->
        <load-on-startup>5</load-on-startup>
    </servlet>
    <servlet>
        <servlet-name>LessonSource</servlet-name>
        <description>
@ -194,7 +172,6 @@
      </description>
        <servlet-class>org.owasp.webgoat.LessonSource</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>Catcher</servlet-name>
        <description>
@ -202,45 +179,39 @@
      </description>
        <servlet-class>org.owasp.webgoat.Catcher</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>conf</servlet-name>
        <jsp-file>/lessons/ConfManagement/config.jsp</jsp-file>
    </servlet>
    <!-- spring MVC -->
    <servlet>
        <servlet-name>mvc-dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>mvc-dispatcher</servlet-name>
        <url-pattern>*.mvc</url-pattern>
    </servlet-mapping>
    <listener>
-    <listener-class>
+        <description>Spring context init</description>
-      org.springframework.web.context.ContextLoaderListener
+        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
-    </listener-class>
+    </listener>
    <listener>
        <description>WebGoat application init</description>
        <listener-class>org.owasp.webgoat.application.WebGoatServletListener</listener-class>
    </listener>
    <!-- end spring MVC -->
    <!-- spring security -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <!-- end spring security -->
    <!-- Define mappings that are used by the servlet container to
         translate a particular request URI (context-relative) to a
         particular servlet.  The examples below correspond to the
@ -258,56 +229,43 @@
         It is also legal to define more than one mapping for the same
         servlet, if you wish to.
    -->
    <servlet-mapping>
        <servlet-name>AxisServlet</servlet-name>
        <url-pattern>/servlet/AxisServlet</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>AxisServlet</servlet-name>
        <url-pattern>*.jws</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>AxisServlet</servlet-name>
        <url-pattern>/services/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>SOAPMonitorService</servlet-name>
        <url-pattern>/SOAPMonitor</url-pattern>
    </servlet-mapping>
    <!-- uncomment this if you want the admin servlet -->
    <servlet-mapping>
        <servlet-name>AdminServlet</servlet-name>
        <url-pattern>/servlet/AdminServlet</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>WebGoat</servlet-name>
        <url-pattern>/attack</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>LessonSource</servlet-name>
        <url-pattern>/source</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>Catcher</servlet-name>
        <url-pattern>/catcher</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>conf</servlet-name>
        <url-pattern>/conf</url-pattern>
    </servlet-mapping>
    <!-- Define the default session timeout for your application,
    in minutes.  From a servlet or JSP page, you can modify
    the timeout for a particular session dynamically by using
@ -316,15 +274,11 @@
        <!-- 2 days -->
        <session-timeout>2880</session-timeout>
    </session-config>
    <mime-mapping>
        <extension>wmv</extension>
        <mime-type>video/x-ms-wmv</mime-type>
    </mime-mapping>
    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
 </web-app>
--- a/src/main/webapp/WEB-INF/webgoat.properties
+++ b/src/main/webapp/WEB-INF/webgoat.properties
@ -1,2 +1,3 @@
 #lesson.BufferOverflow.hidden=true
 lesson.BlindScript.hidden=true
 lesson.RemoteAdminFlaw.hidden=true
--- a/src/main/webapp/css/main.css
+++ b/src/main/webapp/css/main.css
@ -229,10 +229,6 @@ img {
  background-color: #16a086;
 }
 .sidebar > div > ul > li > ul > li > a {
    float:left; margin-left:1em;
 }
 .sidebar > div > ul > li > ul > li > span {
    float:left; margin-left:1.5em;
 }
--- a/src/main/webapp/js/jquery_form/jquery.form.js
+++ b/src/main/webapp/js/jquery_form/jquery.form.js