dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'next' into WEB-139

Browse Source
This commit is contained in:
nbaars 2014-09-15 15:52:57 +02:00
commit 0da280c4f8
11 changed files with 1715 additions and 256 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
pom.xml
View File

@ -1,5 +1,6 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<name>WebGoat</name>
<modelVersion>4.0.0</modelVersion> <modelVersion>4.0.0</modelVersion>
<groupId>WebGoat</groupId> <groupId>WebGoat</groupId>
<artifactId>WebGoat</artifactId> <artifactId>WebGoat</artifactId>
@ -19,6 +20,8 @@
<org.springframework.version>3.2.4.RELEASE</org.springframework.version> <org.springframework.version>3.2.4.RELEASE</org.springframework.version>
<spring.security.version>3.2.4.RELEASE</spring.security.version> <spring.security.version>3.2.4.RELEASE</spring.security.version>
<tiles.version>2.2.2</tiles.version> <tiles.version>2.2.2</tiles.version>
<!-- If run from Bamboo this will be replaced with the bamboo build number -->
<build.number>local</build.number>
</properties> </properties>
<build> <build>
@ -40,6 +43,22 @@
<encoding>ISO-8859-1</encoding> <encoding>ISO-8859-1</encoding>
</configuration> </configuration>
</plugin> </plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-war-plugin</artifactId>
<configuration>
<manifest>
<addDefaultImplementationEntries>true</addDefaultImplementationEntries>
</manifest>
<archive>
<manifestEntries>
<Specification-Title>${project.name}</Specification-Title>
<Specification-Version>${project.version}</Specification-Version>
<Implementation-Version>${build.number}</Implementation-Version>
</manifestEntries>
</archive>
</configuration>
</plugin>
<plugin> <plugin>
<groupId>org.apache.tomcat.maven</groupId> <groupId>org.apache.tomcat.maven</groupId>
<artifactId>tomcat7-maven-plugin</artifactId> <artifactId>tomcat7-maven-plugin</artifactId>

88
src/main/java/org/owasp/webgoat/application/Application.java Normal file
View File

@ -0,0 +1,88 @@
/*
* To change this license header, choose License Headers in Project Properties.
* To change this template file, choose Tools | Templates
* and open the template in the editor.
*/
package org.owasp.webgoat.application;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.builder.ToStringBuilder;
/**
* Singleton which is created on context startup
*
* @author rlawson
*/
public class Application {
private static final Application INSTANCE = new Application();
private Application() {
}
public static final Application getInstance() {
return INSTANCE;
}
private String version = "SNAPSHOT";
private String build = "local";
private String name = "WebGoat";
/**
* @return the version
*/
public String getVersion() {
return version;
}
/**
* @param version the version to set
*/
public void setVersion(String version) {
if (StringUtils.isNotBlank(version)) {
this.version = version;
}
}
/**
* @return the build
*/
public String getBuild() {
return build;
}
/**
* @param build the build to set
*/
public void setBuild(String build) {
if (StringUtils.isNotBlank(build)) {
this.build = build;
}
}
/**
* @return the name
*/
public String getName() {
return name;
}
/**
* @param name the name to set
*/
public void setName(String name) {
if (StringUtils.isNotBlank(name)) {
this.name = name;
}
}
@Override
public String toString() {
return new ToStringBuilder(this).
append("name", name).
append("version", version).
append("build", build).
toString();
}
}

52
src/main/java/org/owasp/webgoat/application/WebGoatServletListener.java Normal file
View File

@ -0,0 +1,52 @@
/*
* To change this license header, choose License Headers in Project Properties.
* To change this template file, choose Tools | Templates
* and open the template in the editor.
*/
package org.owasp.webgoat.application;
import java.io.IOException;
import java.io.InputStream;
import java.util.jar.Attributes;
import java.util.jar.Manifest;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
/**
* Web application lifecycle listener.
*
* @author rlawson
*/
public class WebGoatServletListener implements ServletContextListener {
@Override
public void contextInitialized(ServletContextEvent sce) {
ServletContext context = sce.getServletContext();
context.log("WebGoat is starting");
setApplicationVariables(context);
}
@Override
public void contextDestroyed(ServletContextEvent sce) {
ServletContext context = sce.getServletContext();
context.log("WebGoat is stopping");
}
private void setApplicationVariables(ServletContext context) {
Application app = Application.getInstance();
try {
InputStream inputStream = context.getResourceAsStream("/META-INF/MANIFEST.MF");
Manifest manifest = new Manifest(inputStream);
Attributes attr = manifest.getMainAttributes();
String name = attr.getValue("Specification-Title");
String version = attr.getValue("Specification-Version");
String build = attr.getValue("Implementation-Version");
app.setName(name);
app.setVersion(version);
app.setBuild(build);
} catch (IOException ioe) {
context.log("Error setting application variables", ioe);
}
}
}

8
src/main/java/org/owasp/webgoat/controller/Start.java
View File

@ -10,6 +10,7 @@ import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession; import javax.servlet.http.HttpSession;
import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.StringUtils;
import org.owasp.webgoat.application.Application;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
@ -55,6 +56,13 @@ public class Start {
String contactEmail = servletContext.getInitParameter("email"); String contactEmail = servletContext.getInitParameter("email");
model.addObject("contactEmail", contactEmail); model.addObject("contactEmail", contactEmail);
String emailList = servletContext.getInitParameter("emaillist");
model.addObject("emailList", emailList);
Application app = Application.getInstance();
logger.info("Setting application properties: " + app);
model.addObject("version", app.getVersion());
model.addObject("build", app.getBuild());
// if everything ok then go to webgoat UI // if everything ok then go to webgoat UI
model.setViewName("main_new"); model.setViewName("main_new");

59
src/main/java/org/owasp/webgoat/service/ApplicationService.java Normal file
View File

@ -0,0 +1,59 @@
/**
* *************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at
* https://github.com/WebGoat/WebGoat, a repository for free software projects.
*
* For details, please see http://webgoat.github.io
*/
package org.owasp.webgoat.service;
import javax.servlet.http.HttpSession;
import org.owasp.webgoat.application.Application;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
/**
*
* @author rlawson
*/
@Controller
public class ApplicationService extends BaseService {
/**
* Returns global application info
*
* @param session
* @return
*/
@RequestMapping(value = "/application.mvc", produces = "application/json")
public @ResponseBody
Application showApplication(HttpSession session) {
Application app = Application.getInstance();
return app;
}
}

41
src/main/webapp/WEB-INF/pages/about.jsp
View File

@ -10,24 +10,27 @@
</div> </div>
<div class="modal-body modal-scroll"> <div class="modal-body modal-scroll">
<p>Thanks for hacking The Goat!</p> <p>Thanks for hacking The Goat!</p>
<p>WebGoat is a demonstration of common web application flaws. The <p>WebGoat is a demonstration of common web application flaws. The
associated exercises are intended to provide hands-on experience with associated exercises are intended to provide hands-on experience with
techniques aimed at demonstrating and testing application penetration. techniques aimed at demonstrating and testing application penetration.
</p> </p>
<p>From the entire WebGoat team, we appreciate your interest and efforts <p>From the entire WebGoat team, we appreciate your interest and efforts
in making applications not just better, but safer and more secure for in making applications not just better, but safer and more secure for
everyone. We, as well as our sacrificial goat, thank you.</p> everyone. We, as well as our sacrificial goat, thank you.</p>
<p>Version: 6.0</p> <p>
Version: ${version},&nbsp;Build: ${build}
</p>
<div class="row"> <div class="row">
<div class="col-md-6"> <div class="col-md-6">
<p>Contact us: <p>Contact us:
<ul> <ul>
<li>WebGoat mailing list: owasp-webgoat@lists.owasp.org</li> <li>WebGoat mailing list: ${emailList}</li>
<li>Bruce Mayhew: webgoat@owasp.org</li> <li>Bruce Mayhew: ${contactEmail}</li>
</ul> </ul>
</p> </p>
</div> </div>
</div> </div>
<div class="row"> <div class="row">
<div class="col-md-6"> <div class="col-md-6">
<p>WebGoat Authors <p>WebGoat Authors
@ -86,9 +89,9 @@
</ul> </ul>
</p> </p>
<p>Did we miss you? Our sincere apologies, as we know there have <p>Did we miss you? Our sincere apologies, as we know there have
been many contributors over the years. If your name does not been many contributors over the years. If your name does not
appear in any of the lists above, please send us a note. We'll appear in any of the lists above, please send us a note. We'll
get you added with no further sacrifices required.</p> get you added with no further sacrifices required.</p>
</div> </div>
</div> </div>
</div> </div>

138
src/main/webapp/WEB-INF/pages/main_new.jsp
View File

@ -41,6 +41,7 @@
<!--Global JS--> <!--Global JS-->
<script src="js/jquery/jquery-1.10.2.min.js"></script> <script src="js/jquery/jquery-1.10.2.min.js"></script>
<script src="js/jquery_form/jquery.form.js"></script>
<script src="plugins/bootstrap/js/bootstrap.min.js"></script> <script src="plugins/bootstrap/js/bootstrap.min.js"></script>
<script src="js/application.js"></script> <script src="js/application.js"></script>
@ -76,16 +77,20 @@
<div class="lessonTitle" > <div class="lessonTitle" >
<h1 id="lessonTitle">Lesson Title in here</h1> <h1 id="lessonTitle">Lesson Title in here</h1>
</div><!--lesson title end--> </div><!--lesson title end-->
<div class="user-nav pull-right" style="margin-right: 50px;"> <div class="user-nav pull-right" style="margin-right: 75px;">
<div class="dropdown" style="display:inline"> <div class="dropdown" style="display:inline">
<button type="button" class="btn btn-default dropdown-toggle" id="dropdownMenu1" data-toggle="dropdown"> <button type="button" class="btn btn-default dropdown-toggle" id="dropdownMenu1" data-toggle="dropdown">
<i class="fa fa-user"></i> <span class="caret"></span> <i class="fa fa-user"></i> <span class="caret"></span>
</button> </button>
<ul class="dropdown-menu dropdown-menu-left" role="menu" aria-labelledby="dropdownMenu1"> <ul class="dropdown-menu dropdown-menu-left" role="menu" aria-labelledby="dropdownMenu1">
<li role="presentation"><a role="menuitem" tabindex="-1" href="<c:url value="j_spring_security_logout" />">Logout</a></li>
<li role="presentation" class="divider"></li>
<li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">User: ${user}</a></li> <li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">User: ${user}</a></li>
<li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">Role: ${role}</a></li> <li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">Role: ${role}</a></li>
<li role="presentation" class="divider"></li> <li role="presentation" class="divider"></li>
<li role="presentation"><a role="menuitem" tabindex="-1" href="<c:url value="j_spring_security_logout" />">Logout</a></li> <li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">${version}</a></li>
<li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">Build: ${build}</a></li>
</ul> </ul>
</div> </div>
<button type="button" class="btn btn-default right_nav_button" ng-click="showAbout()" data-toggle="tooltip" title="About WebGoat"> <button type="button" class="btn btn-default right_nav_button" ng-click="showAbout()" data-toggle="tooltip" title="About WebGoat">
@ -106,7 +111,7 @@
<div id="leftside-navigation" class="nano"> <div id="leftside-navigation" class="nano">
<ul class="nano-content"> <ul class="nano-content">
<li class="sub-menu" ng-repeat="item in menuTopics"> <li class="sub-menu" ng-repeat="item in menuTopics">
<a ng-click="expanded = !expanded" href=""><span>{{item.name}}</span><i class="fa {{item.class}}"></i></a> <a ng-click="expanded = !expanded" href=""><i class="fa {{item.class}}"></i><span>{{item.name}}</span></a>
<ul class="slideDown" ng-show="expanded"> <ul class="slideDown" ng-show="expanded">
<li ng-repeat="lesson in item.children"> <li ng-repeat="lesson in item.children">
<a ng-click="renderLesson(lesson.link)" title="link to {{lesson.name}}" href="">{{lesson.name}}</a> <a ng-click="renderLesson(lesson.link)" title="link to {{lesson.name}}" href="">{{lesson.name}}</a>
@ -277,81 +282,78 @@
</section> </section>
<!--main content end--> <!--main content end-->
</section> </section>
<!-- TODO pull source into project instead of loading from external -->
<script src="http://malsup.github.com/jquery.form.js"></script>
<script> <script>
//Load global functions //Load global functions
// set this to true if you want to see form submissions // set this to true if you want to see form submissions
// set to false once we get all the kinks worked out // set to false once we get all the kinks worked out
var DEBUG_FORM_SUBMISSION = false; var DEBUG_FORM_SUBMISSION = false;
$(document).ready(function() { $(document).ready(function() {
app.init(); app.init();
//can be augmented later to 'resume' for a given user ... currently kluged to start at fixed lesson //can be augmented later to 'resume' for a given user ... currently kluged to start at fixed lesson
var url = 'attack?Screen=32&menu=5'; var url = 'attack?Screen=32&menu=5';
angular.element($('#leftside-navigation')).scope().renderLesson(url); angular.element($('#leftside-navigation')).scope().renderLesson(url);
}); });
// make all forms ajax forms // make all forms ajax forms
var options = { var options = {
target: '#lesson_content', // target element(s) to be updated with server response target: '#lesson_content', // target element(s) to be updated with server response
beforeSubmit: showRequest, // pre-submit callback, comment out after debugging beforeSubmit: showRequest, // pre-submit callback, comment out after debugging
success: showResponse // post-submit callback, comment out after debugging success: showResponse // post-submit callback, comment out after debugging
// other available options: // other available options:
//url: url // override for form's 'action' attribute //url: url // override for form's 'action' attribute
//type: type // 'get' or 'post', override for form's 'method' attribute //type: type // 'get' or 'post', override for form's 'method' attribute
//dataType: null // 'xml', 'script', or 'json' (expected server response type) //dataType: null // 'xml', 'script', or 'json' (expected server response type)
//clearForm: true // clear all form fields after successful submit //clearForm: true // clear all form fields after successful submit
//resetForm: true // reset the form after successful submit //resetForm: true // reset the form after successful submit
// $.ajax options can be used here too, for example: // $.ajax options can be used here too, for example:
//timeout: 3000 //timeout: 3000
}; };
// pre-submit callback // pre-submit callback
function showRequest(formData, jqForm, options) { function showRequest(formData, jqForm, options) {
if (DEBUG_FORM_SUBMISSION) { if (DEBUG_FORM_SUBMISSION) {
// formData is an array; here we use $.param to convert it to a string to display it // formData is an array; here we use $.param to convert it to a string to display it
// but the form plugin does this for you automatically when it submits the data // but the form plugin does this for you automatically when it submits the data
var queryString = $.param(formData); var queryString = $.param(formData);
// jqForm is a jQuery object encapsulating the form element. To access the // jqForm is a jQuery object encapsulating the form element. To access the
// DOM element for the form do this: // DOM element for the form do this:
// var formElement = jqForm[0]; // var formElement = jqForm[0];
alert('About to submit: \n\n' + queryString); alert('About to submit: \n\n' + queryString);
} }
// here we could return false to prevent the form from being submitted; // here we could return false to prevent the form from being submitted;
// returning anything other than false will allow the form submit to continue // returning anything other than false will allow the form submit to continue
return true; return true;
} }
// post-submit callback // post-submit callback
function showResponse(responseText, statusText, xhr, $form) { function showResponse(responseText, statusText, xhr, $form) {
// for normal html responses, the first argument to the success callback // for normal html responses, the first argument to the success callback
// is the XMLHttpRequest object's responseText property // is the XMLHttpRequest object's responseText property
// if the ajaxForm method was passed an Options Object with the dataType // if the ajaxForm method was passed an Options Object with the dataType
// property set to 'xml' then the first argument to the success callback // property set to 'xml' then the first argument to the success callback
// is the XMLHttpRequest object's responseXML property // is the XMLHttpRequest object's responseXML property
// if the ajaxForm method was passed an Options Object with the dataType // if the ajaxForm method was passed an Options Object with the dataType
// property set to 'json' then the first argument to the success callback // property set to 'json' then the first argument to the success callback
// is the json data object returned by the server // is the json data object returned by the server
if (DEBUG_FORM_SUBMISSION) { if (DEBUG_FORM_SUBMISSION) {
alert('status: ' + statusText + '\n\nresponseText: \n' + responseText + alert('status: ' + statusText + '\n\nresponseText: \n' + responseText +
'\n\nThe output div should have already been updated with the responseText.'); '\n\nThe output div should have already been updated with the responseText.');
} }
// JASON - SEE THIS HOOK // JASON - SEE THIS HOOK
// update lesson cookies and params // update lesson cookies and params
// make any embedded forms ajaxy // make any embedded forms ajaxy
goat.utils.showLessonCookiesAndParams(); goat.utils.showLessonCookiesAndParams();
goat.utils.makeFormsAjax(); goat.utils.makeFormsAjax();
} }
</script> </script>
<!-- About WebGoat Modal --> <!-- About WebGoat Modal -->

284
src/main/webapp/WEB-INF/web.xml
View File

@ -1,10 +1,5 @@
<?xml version="1.0" encoding="ISO-8859-1"?> <?xml version="1.0" encoding="UTF-8"?>
<web-app <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<!-- General description of your web application --> <!-- General description of your web application -->
<display-name>WebGoat</display-name> <display-name>WebGoat</display-name>
<description> <description>
@ -14,10 +9,7 @@
application security problems. Please contact Bruce Mayhew application security problems. Please contact Bruce Mayhew
(webgoat@owasp.org) if you have any questions. (webgoat@owasp.org) if you have any questions.
</description> </description>
<!-- Context initialization parameters that define shared
<!-- Context initialization parameters that define shared
String constants used within your application, which String constants used within your application, which
can be customized by the system administrator who is can be customized by the system administrator who is
installing your application. The values actually installing your application. The values actually
@ -33,26 +25,29 @@
You can define any number of context initialization You can define any number of context initialization
parameters, including zero. parameters, including zero.
--> -->
<context-param> <context-param>
<param-name>email</param-name> <param-name>email</param-name>
<param-value>WebGoat@owasp.org</param-value> <param-value>webgoat@owasp.org</param-value>
<description> <description>
The EMAIL address of the administrator to whom questions The EMAIL address of the administrator to whom questions
and comments about this application should be addressed. and comments about this application should be addressed.
</description> </description>
</context-param>
<context-param>
<param-name>emaillist</param-name>
<param-value>owasp-webgoat@lists.owasp.org</param-value>
<description>
The EMAIL address of the webgoat email list
</description>
</context-param> </context-param>
<!-- spring MVC --> <!-- spring MVC -->
<context-param> <context-param>
<param-name>contextConfigLocation</param-name> <param-name>contextConfigLocation</param-name>
<param-value> <param-value>
/WEB-INF/mvc-dispatcher-servlet.xml, /WEB-INF/mvc-dispatcher-servlet.xml,
/WEB-INF/spring-security.xml /WEB-INF/spring-security.xml
</param-value> </param-value>
</context-param> </context-param>
<!-- Servlet definitions for the servlets that make up <!-- Servlet definitions for the servlets that make up
your web application, including initialization your web application, including initialization
parameters. With Tomcat, you can also send requests parameters. With Tomcat, you can also send requests
@ -77,40 +72,36 @@
You can define any number of servlets, including zero. You can define any number of servlets, including zero.
--> -->
<servlet> <servlet>
<servlet-name>AxisServlet</servlet-name> <servlet-name>AxisServlet</servlet-name>
<display-name>Apache-Axis Servlet</display-name> <display-name>Apache-Axis Servlet</display-name>
<servlet-class> <servlet-class>
org.apache.axis.transport.http.AxisServlet org.apache.axis.transport.http.AxisServlet
</servlet-class> </servlet-class>
</servlet> </servlet>
<servlet> <servlet>
<servlet-name>AdminServlet</servlet-name> <servlet-name>AdminServlet</servlet-name>
<display-name>Axis Admin Servlet</display-name> <display-name>Axis Admin Servlet</display-name>
<servlet-class> <servlet-class>
org.apache.axis.transport.http.AdminServlet org.apache.axis.transport.http.AdminServlet
</servlet-class> </servlet-class>
<load-on-startup>100</load-on-startup> <load-on-startup>100</load-on-startup>
</servlet> </servlet>
<servlet> <servlet>
<servlet-name>SOAPMonitorService</servlet-name> <servlet-name>SOAPMonitorService</servlet-name>
<display-name>SOAPMonitorService</display-name> <display-name>SOAPMonitorService</display-name>
<servlet-class> <servlet-class>
org.apache.axis.monitor.SOAPMonitorService org.apache.axis.monitor.SOAPMonitorService
</servlet-class> </servlet-class>
<init-param> <init-param>
<param-name>SOAPMonitorPort</param-name> <param-name>SOAPMonitorPort</param-name>
<param-value>5001</param-value> <param-value>5001</param-value>
</init-param> </init-param>
<load-on-startup>100</load-on-startup> <load-on-startup>100</load-on-startup>
</servlet> </servlet>
<servlet> <servlet>
<servlet-name>WebGoat</servlet-name> <servlet-name>WebGoat</servlet-name>
<description> <description>
This servlet plays the "controller" role in the MVC architecture This servlet plays the "controller" role in the MVC architecture
used in this application. used in this application.
@ -119,43 +110,35 @@
filename extension is removed). The corresponding value is the filename extension is removed). The corresponding value is the
name of the action class that will be used to process this request. name of the action class that will be used to process this request.
</description> </description>
<servlet-class>org.owasp.webgoat.HammerHead</servlet-class> <servlet-class>org.owasp.webgoat.HammerHead</servlet-class>
<init-param>
<init-param> <param-name>email</param-name>
<param-name>email</param-name> <param-value>WebGoat@owasp.org</param-value>
<param-value>WebGoat@owasp.org</param-value> <description>The EMAIL address of the administrator to whom questions
<description>
The EMAIL address of the administrator to whom questions
and comments about this application should be addressed. and comments about this application should be addressed.
</description> </description>
</init-param> </init-param>
<init-param>
<init-param>
<param-name>debug</param-name> <param-name>debug</param-name>
<param-value>false</param-value> <param-value>false</param-value>
</init-param> </init-param>
<init-param>
<init-param>
<param-name>CookieDebug</param-name> <param-name>CookieDebug</param-name>
<param-value>true</param-value> <param-value>true</param-value>
</init-param> </init-param>
<init-param>
<init-param>
<param-name>DefuseOSCommands</param-name> <param-name>DefuseOSCommands</param-name>
<param-value>false</param-value> <param-value>false</param-value>
</init-param> </init-param>
<init-param>
<init-param>
<param-name>Enterprise</param-name> <param-name>Enterprise</param-name>
<param-value>true</param-value> <param-value>true</param-value>
</init-param> </init-param>
<init-param>
<init-param>
<param-name>CodingExercises</param-name> <param-name>CodingExercises</param-name>
<param-value>true</param-value> <param-value>true</param-value>
</init-param> </init-param>
<init-param>
<init-param>
<!-- Specify an address where you would like comments to be sent. --> <!-- Specify an address where you would like comments to be sent. -->
<!-- This can be any URL or HTML tags, and will appear on the report card and lesson incomplete pages --> <!-- This can be any URL or HTML tags, and will appear on the report card and lesson incomplete pages -->
<!-- Use iso8859-1 encoding to represent special characters that might confuse XML parser. For <!-- Use iso8859-1 encoding to represent special characters that might confuse XML parser. For
@ -164,83 +147,71 @@
<param-value> <param-value>
&lt;A HREF=mailto:webgoat@owasp.org&gt;webgoat@owasp.org&lt;/A&gt; &lt;A HREF=mailto:webgoat@owasp.org&gt;webgoat@owasp.org&lt;/A&gt;
</param-value> </param-value>
</init-param> </init-param>
<init-param>
<init-param>
<param-name>DatabaseDriver</param-name> <param-name>DatabaseDriver</param-name>
<param-value> <param-value>
org.hsqldb.jdbcDriver org.hsqldb.jdbcDriver
</param-value> </param-value>
</init-param> </init-param>
<init-param>
<init-param>
<param-name>DatabaseConnectionString</param-name> <param-name>DatabaseConnectionString</param-name>
<!-- <!--
The string "${USER}" in the connection string will be replaced by the active username The string "${USER}" in the connection string will be replaced by the active username
when making a connection. when making a connection.
--> -->
<param-value>jdbc:hsqldb:mem:${USER}</param-value> <param-value>jdbc:hsqldb:mem:${USER}</param-value>
</init-param> </init-param>
<!-- Load this servlet at server startup time -->
<!-- Load this servlet at server startup time --> <load-on-startup>5</load-on-startup>
<load-on-startup>5</load-on-startup>
</servlet> </servlet>
<servlet> <servlet>
<servlet-name>LessonSource</servlet-name> <servlet-name>LessonSource</servlet-name>
<description> <description>
This servlet returns the Java source of the current lesson. This servlet returns the Java source of the current lesson.
</description> </description>
<servlet-class>org.owasp.webgoat.LessonSource</servlet-class> <servlet-class>org.owasp.webgoat.LessonSource</servlet-class>
</servlet> </servlet>
<servlet> <servlet>
<servlet-name>Catcher</servlet-name> <servlet-name>Catcher</servlet-name>
<description> <description>
This servlet catches any posts and marks the appropriate lesson property. This servlet catches any posts and marks the appropriate lesson property.
</description> </description>
<servlet-class>org.owasp.webgoat.Catcher</servlet-class> <servlet-class>org.owasp.webgoat.Catcher</servlet-class>
</servlet> </servlet>
<servlet> <servlet>
<servlet-name>conf</servlet-name> <servlet-name>conf</servlet-name>
<jsp-file>/lessons/ConfManagement/config.jsp</jsp-file> <jsp-file>/lessons/ConfManagement/config.jsp</jsp-file>
</servlet> </servlet>
<!-- spring MVC --> <!-- spring MVC -->
<servlet> <servlet>
<servlet-name>mvc-dispatcher</servlet-name> <servlet-name>mvc-dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup> <load-on-startup>1</load-on-startup>
</servlet> </servlet>
<servlet-mapping>
<servlet-mapping> <servlet-name>mvc-dispatcher</servlet-name>
<servlet-name>mvc-dispatcher</servlet-name> <url-pattern>*.mvc</url-pattern>
<url-pattern>*.mvc</url-pattern> </servlet-mapping>
</servlet-mapping> <listener>
<description>Spring context init</description>
<listener> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
<listener-class> </listener>
org.springframework.web.context.ContextLoaderListener <listener>
</listener-class> <description>WebGoat application init</description>
</listener> <listener-class>org.owasp.webgoat.application.WebGoatServletListener</listener-class>
<!-- end spring MVC --> </listener>
<!-- end spring MVC -->
<!-- spring security --> <!-- spring security -->
<filter> <filter>
<filter-name>springSecurityFilterChain</filter-name> <filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter> </filter>
<filter-mapping>
<filter-mapping> <filter-name>springSecurityFilterChain</filter-name>
<filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern>
<url-pattern>/*</url-pattern> </filter-mapping>
</filter-mapping> <!-- end spring security -->
<!-- end spring security -->
<!-- Define mappings that are used by the servlet container to <!-- Define mappings that are used by the servlet container to
translate a particular request URI (context-relative) to a translate a particular request URI (context-relative) to a
particular servlet. The examples below correspond to the particular servlet. The examples below correspond to the
@ -258,73 +229,56 @@
It is also legal to define more than one mapping for the same It is also legal to define more than one mapping for the same
servlet, if you wish to. servlet, if you wish to.
--> -->
<servlet-mapping> <servlet-mapping>
<servlet-name>AxisServlet</servlet-name> <servlet-name>AxisServlet</servlet-name>
<url-pattern>/servlet/AxisServlet</url-pattern> <url-pattern>/servlet/AxisServlet</url-pattern>
</servlet-mapping> </servlet-mapping>
<servlet-mapping> <servlet-mapping>
<servlet-name>AxisServlet</servlet-name> <servlet-name>AxisServlet</servlet-name>
<url-pattern>*.jws</url-pattern> <url-pattern>*.jws</url-pattern>
</servlet-mapping> </servlet-mapping>
<servlet-mapping> <servlet-mapping>
<servlet-name>AxisServlet</servlet-name> <servlet-name>AxisServlet</servlet-name>
<url-pattern>/services/*</url-pattern> <url-pattern>/services/*</url-pattern>
</servlet-mapping> </servlet-mapping>
<servlet-mapping> <servlet-mapping>
<servlet-name>SOAPMonitorService</servlet-name> <servlet-name>SOAPMonitorService</servlet-name>
<url-pattern>/SOAPMonitor</url-pattern> <url-pattern>/SOAPMonitor</url-pattern>
</servlet-mapping> </servlet-mapping>
<!-- uncomment this if you want the admin servlet --> <!-- uncomment this if you want the admin servlet -->
<servlet-mapping> <servlet-mapping>
<servlet-name>AdminServlet</servlet-name> <servlet-name>AdminServlet</servlet-name>
<url-pattern>/servlet/AdminServlet</url-pattern> <url-pattern>/servlet/AdminServlet</url-pattern>
</servlet-mapping> </servlet-mapping>
<servlet-mapping> <servlet-mapping>
<servlet-name>WebGoat</servlet-name> <servlet-name>WebGoat</servlet-name>
<url-pattern>/attack</url-pattern> <url-pattern>/attack</url-pattern>
</servlet-mapping> </servlet-mapping>
<servlet-mapping> <servlet-mapping>
<servlet-name>LessonSource</servlet-name> <servlet-name>LessonSource</servlet-name>
<url-pattern>/source</url-pattern> <url-pattern>/source</url-pattern>
</servlet-mapping> </servlet-mapping>
<servlet-mapping> <servlet-mapping>
<servlet-name>Catcher</servlet-name> <servlet-name>Catcher</servlet-name>
<url-pattern>/catcher</url-pattern> <url-pattern>/catcher</url-pattern>
</servlet-mapping> </servlet-mapping>
<servlet-mapping> <servlet-mapping>
<servlet-name>conf</servlet-name> <servlet-name>conf</servlet-name>
<url-pattern>/conf</url-pattern> <url-pattern>/conf</url-pattern>
</servlet-mapping> </servlet-mapping>
<!-- Define the default session timeout for your application, <!-- Define the default session timeout for your application,
in minutes. From a servlet or JSP page, you can modify in minutes. From a servlet or JSP page, you can modify
the timeout for a particular session dynamically by using the timeout for a particular session dynamically by using
HttpSession.getMaxInactiveInterval(). --> HttpSession.getMaxInactiveInterval(). -->
<session-config> <session-config>
<!-- 2 days --> <!-- 2 days -->
<session-timeout>2880</session-timeout> <session-timeout>2880</session-timeout>
</session-config> </session-config>
<mime-mapping> <mime-mapping>
<extension>wmv</extension> <extension>wmv</extension>
<mime-type>video/x-ms-wmv</mime-type> <mime-type>video/x-ms-wmv</mime-type>
</mime-mapping> </mime-mapping>
<welcome-file-list> <welcome-file-list>
<welcome-file>index.jsp</welcome-file> <welcome-file>index.jsp</welcome-file>
</welcome-file-list> </welcome-file-list>
</web-app> </web-app>

1
src/main/webapp/WEB-INF/webgoat.properties
View File

@ -1,2 +1,3 @@
#lesson.BufferOverflow.hidden=true #lesson.BufferOverflow.hidden=true
lesson.BlindScript.hidden=true lesson.BlindScript.hidden=true
lesson.RemoteAdminFlaw.hidden=true

4
src/main/webapp/css/main.css
View File

@ -229,10 +229,6 @@ img {
background-color: #16a086; background-color: #16a086;
} }
.sidebar > div > ul > li > ul > li > a {
float:left; margin-left:1em;
}
.sidebar > div > ul > li > ul > li > span { .sidebar > div > ul > li > ul > li > span {
float:left; margin-left:1.5em; float:left; margin-left:1.5em;
} }

1277
src/main/webapp/js/jquery_form/jquery.form.js Normal file
View File

File diff suppressed because it is too large Load Diff