dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'next' into WEB-139

Browse Source
This commit is contained in:
nbaars 2014-09-15 15:52:57 +02:00
commit 0da280c4f8
11 changed files with 1715 additions and 256 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
pom.xml
View File

@ -1,5 +1,6 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<name>WebGoat</name>
<modelVersion>4.0.0</modelVersion>
<groupId>WebGoat</groupId>
<artifactId>WebGoat</artifactId>
@ -19,6 +20,8 @@
<org.springframework.version>3.2.4.RELEASE</org.springframework.version>
<spring.security.version>3.2.4.RELEASE</spring.security.version>
<tiles.version>2.2.2</tiles.version>
<!-- If run from Bamboo this will be replaced with the bamboo build number -->
<build.number>local</build.number>
</properties>
<build>
@ -40,6 +43,22 @@
<encoding>ISO-8859-1</encoding>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-war-plugin</artifactId>
<configuration>
<manifest>
<addDefaultImplementationEntries>true</addDefaultImplementationEntries>
</manifest>
<archive>
<manifestEntries>
<Specification-Title>${project.name}</Specification-Title>
<Specification-Version>${project.version}</Specification-Version>
<Implementation-Version>${build.number}</Implementation-Version>
</manifestEntries>
</archive>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.tomcat.maven</groupId>
<artifactId>tomcat7-maven-plugin</artifactId>

88
src/main/java/org/owasp/webgoat/application/Application.java Normal file
View File

@ -0,0 +1,88 @@
/*
* To change this license header, choose License Headers in Project Properties.
* To change this template file, choose Tools | Templates
* and open the template in the editor.
*/
package org.owasp.webgoat.application;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.builder.ToStringBuilder;
/**
* Singleton which is created on context startup
*
* @author rlawson
*/
public class Application {
private static final Application INSTANCE = new Application();
private Application() {
}
public static final Application getInstance() {
return INSTANCE;
}
private String version = "SNAPSHOT";
private String build = "local";
private String name = "WebGoat";
/**
* @return the version
*/
public String getVersion() {
return version;
}
/**
* @param version the version to set
*/
public void setVersion(String version) {
if (StringUtils.isNotBlank(version)) {
this.version = version;
}
}
/**
* @return the build
*/
public String getBuild() {
return build;
}
/**
* @param build the build to set
*/
public void setBuild(String build) {
if (StringUtils.isNotBlank(build)) {
this.build = build;
}
}
/**
* @return the name
*/
public String getName() {
return name;
}
/**
* @param name the name to set
*/
public void setName(String name) {
if (StringUtils.isNotBlank(name)) {
this.name = name;
}
}
@Override
public String toString() {
return new ToStringBuilder(this).
append("name", name).
append("version", version).
append("build", build).
toString();
}
}

52
src/main/java/org/owasp/webgoat/application/WebGoatServletListener.java Normal file
View File

@ -0,0 +1,52 @@
/*
* To change this license header, choose License Headers in Project Properties.
* To change this template file, choose Tools | Templates
* and open the template in the editor.
*/
package org.owasp.webgoat.application;
import java.io.IOException;
import java.io.InputStream;
import java.util.jar.Attributes;
import java.util.jar.Manifest;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
/**
* Web application lifecycle listener.
*
* @author rlawson
*/
public class WebGoatServletListener implements ServletContextListener {
@Override
public void contextInitialized(ServletContextEvent sce) {
ServletContext context = sce.getServletContext();
context.log("WebGoat is starting");
setApplicationVariables(context);
}
@Override
public void contextDestroyed(ServletContextEvent sce) {
ServletContext context = sce.getServletContext();
context.log("WebGoat is stopping");
}
private void setApplicationVariables(ServletContext context) {
Application app = Application.getInstance();
try {
InputStream inputStream = context.getResourceAsStream("/META-INF/MANIFEST.MF");
Manifest manifest = new Manifest(inputStream);
Attributes attr = manifest.getMainAttributes();
String name = attr.getValue("Specification-Title");
String version = attr.getValue("Specification-Version");
String build = attr.getValue("Implementation-Version");
app.setName(name);
app.setVersion(version);
app.setBuild(build);
} catch (IOException ioe) {
context.log("Error setting application variables", ioe);
}
}
}

8
src/main/java/org/owasp/webgoat/controller/Start.java
View File

@ -10,6 +10,7 @@ import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang3.StringUtils;
import org.owasp.webgoat.application.Application;
import org.owasp.webgoat.session.WebSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@ -55,6 +56,13 @@ public class Start {
String contactEmail = servletContext.getInitParameter("email");
model.addObject("contactEmail", contactEmail);
String emailList = servletContext.getInitParameter("emaillist");
model.addObject("emailList", emailList);
Application app = Application.getInstance();
logger.info("Setting application properties: " + app);
model.addObject("version", app.getVersion());
model.addObject("build", app.getBuild());
// if everything ok then go to webgoat UI
model.setViewName("main_new");

59
src/main/java/org/owasp/webgoat/service/ApplicationService.java Normal file
View File

@ -0,0 +1,59 @@
/**
* *************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at
* https://github.com/WebGoat/WebGoat, a repository for free software projects.
*
* For details, please see http://webgoat.github.io
*/
package org.owasp.webgoat.service;
import javax.servlet.http.HttpSession;
import org.owasp.webgoat.application.Application;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
/**
*
* @author rlawson
*/
@Controller
public class ApplicationService extends BaseService {
/**
* Returns global application info
*
* @param session
* @return
*/
@RequestMapping(value = "/application.mvc", produces = "application/json")
public @ResponseBody
Application showApplication(HttpSession session) {
Application app = Application.getInstance();
return app;
}
}

9
src/main/webapp/WEB-INF/pages/about.jsp
View File

@ -17,13 +17,16 @@
<p>From the entire WebGoat team, we appreciate your interest and efforts
in making applications not just better, but safer and more secure for
everyone. We, as well as our sacrificial goat, thank you.</p>
<p>Version: 6.0</p>
<p>
Version: ${version},&nbsp;Build: ${build}
</p>
<div class="row">
<div class="col-md-6">
<p>Contact us:
<ul>
<li>WebGoat mailing list: owasp-webgoat@lists.owasp.org</li>
<li>Bruce Mayhew: webgoat@owasp.org</li>
<li>WebGoat mailing list: ${emailList}</li>
<li>Bruce Mayhew: ${contactEmail}</li>
</ul>
</p>
</div>

14
src/main/webapp/WEB-INF/pages/main_new.jsp
View File

@ -41,6 +41,7 @@
<!--Global JS-->
<script src="js/jquery/jquery-1.10.2.min.js"></script>
<script src="js/jquery_form/jquery.form.js"></script>
<script src="plugins/bootstrap/js/bootstrap.min.js"></script>
<script src="js/application.js"></script>
@ -76,16 +77,20 @@
<div class="lessonTitle" >
<h1 id="lessonTitle">Lesson Title in here</h1>
</div><!--lesson title end-->
<div class="user-nav pull-right" style="margin-right: 50px;">
<div class="user-nav pull-right" style="margin-right: 75px;">
<div class="dropdown" style="display:inline">
<button type="button" class="btn btn-default dropdown-toggle" id="dropdownMenu1" data-toggle="dropdown">
<i class="fa fa-user"></i> <span class="caret"></span>
</button>
<ul class="dropdown-menu dropdown-menu-left" role="menu" aria-labelledby="dropdownMenu1">
<li role="presentation"><a role="menuitem" tabindex="-1" href="<c:url value="j_spring_security_logout" />">Logout</a></li>
<li role="presentation" class="divider"></li>
<li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">User: ${user}</a></li>
<li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">Role: ${role}</a></li>
<li role="presentation" class="divider"></li>
<li role="presentation"><a role="menuitem" tabindex="-1" href="<c:url value="j_spring_security_logout" />">Logout</a></li>
<li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">${version}</a></li>
<li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">Build: ${build}</a></li>
</ul>
</div>
<button type="button" class="btn btn-default right_nav_button" ng-click="showAbout()" data-toggle="tooltip" title="About WebGoat">
@ -106,7 +111,7 @@
<div id="leftside-navigation" class="nano">
<ul class="nano-content">
<li class="sub-menu" ng-repeat="item in menuTopics">
<a ng-click="expanded = !expanded" href=""><span>{{item.name}}</span><i class="fa {{item.class}}"></i></a>
<a ng-click="expanded = !expanded" href=""><i class="fa {{item.class}}"></i><span>{{item.name}}</span></a>
<ul class="slideDown" ng-show="expanded">
<li ng-repeat="lesson in item.children">
<a ng-click="renderLesson(lesson.link)" title="link to {{lesson.name}}" href="">{{lesson.name}}</a>
@ -279,9 +284,6 @@
<!--main content end-->
</section>
<!-- TODO pull source into project instead of loading from external -->
<script src="http://malsup.github.com/jquery.form.js"></script>
<script>
//Load global functions

80
src/main/webapp/WEB-INF/web.xml
View File

@ -1,10 +1,5 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<!-- General description of your web application -->
<display-name>WebGoat</display-name>
<description>
@ -14,9 +9,6 @@
application security problems. Please contact Bruce Mayhew
(webgoat@owasp.org) if you have any questions.
</description>
<!-- Context initialization parameters that define shared
String constants used within your application, which
can be customized by the system administrator who is
@ -33,16 +25,21 @@
You can define any number of context initialization
parameters, including zero.
-->
<context-param>
<param-name>email</param-name>
<param-value>WebGoat@owasp.org</param-value>
<param-value>webgoat@owasp.org</param-value>
<description>
The EMAIL address of the administrator to whom questions
and comments about this application should be addressed.
</description>
</context-param>
<context-param>
<param-name>emaillist</param-name>
<param-value>owasp-webgoat@lists.owasp.org</param-value>
<description>
The EMAIL address of the webgoat email list
</description>
</context-param>
<!-- spring MVC -->
<context-param>
<param-name>contextConfigLocation</param-name>
@ -51,8 +48,6 @@
/WEB-INF/spring-security.xml
</param-value>
</context-param>
<!-- Servlet definitions for the servlets that make up
your web application, including initialization
parameters. With Tomcat, you can also send requests
@ -77,7 +72,6 @@
You can define any number of servlets, including zero.
-->
<servlet>
<servlet-name>AxisServlet</servlet-name>
<display-name>Apache-Axis Servlet</display-name>
@ -85,7 +79,6 @@
org.apache.axis.transport.http.AxisServlet
</servlet-class>
</servlet>
<servlet>
<servlet-name>AdminServlet</servlet-name>
<display-name>Axis Admin Servlet</display-name>
@ -94,7 +87,6 @@
</servlet-class>
<load-on-startup>100</load-on-startup>
</servlet>
<servlet>
<servlet-name>SOAPMonitorService</servlet-name>
<display-name>SOAPMonitorService</display-name>
@ -107,7 +99,6 @@
</init-param>
<load-on-startup>100</load-on-startup>
</servlet>
<servlet>
<servlet-name>WebGoat</servlet-name>
<description>
@ -120,41 +111,33 @@
name of the action class that will be used to process this request.
</description>
<servlet-class>org.owasp.webgoat.HammerHead</servlet-class>
<init-param>
<param-name>email</param-name>
<param-value>WebGoat@owasp.org</param-value>
<description>
The EMAIL address of the administrator to whom questions
<description>The EMAIL address of the administrator to whom questions
and comments about this application should be addressed.
</description>
</init-param>
<init-param>
<param-name>debug</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>CookieDebug</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>DefuseOSCommands</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>Enterprise</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>CodingExercises</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<!-- Specify an address where you would like comments to be sent. -->
<!-- This can be any URL or HTML tags, and will appear on the report card and lesson incomplete pages -->
@ -165,14 +148,12 @@
&lt;A HREF=mailto:webgoat@owasp.org&gt;webgoat@owasp.org&lt;/A&gt;
</param-value>
</init-param>
<init-param>
<param-name>DatabaseDriver</param-name>
<param-value>
org.hsqldb.jdbcDriver
</param-value>
</init-param>
<init-param>
<param-name>DatabaseConnectionString</param-name>
<!--
@ -181,12 +162,9 @@
-->
<param-value>jdbc:hsqldb:mem:${USER}</param-value>
</init-param>
<!-- Load this servlet at server startup time -->
<load-on-startup>5</load-on-startup>
</servlet>
<servlet>
<servlet-name>LessonSource</servlet-name>
<description>
@ -194,7 +172,6 @@
</description>
<servlet-class>org.owasp.webgoat.LessonSource</servlet-class>
</servlet>
<servlet>
<servlet-name>Catcher</servlet-name>
<description>
@ -202,45 +179,39 @@
</description>
<servlet-class>org.owasp.webgoat.Catcher</servlet-class>
</servlet>
<servlet>
<servlet-name>conf</servlet-name>
<jsp-file>/lessons/ConfManagement/config.jsp</jsp-file>
</servlet>
<!-- spring MVC -->
<servlet>
<servlet-name>mvc-dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>mvc-dispatcher</servlet-name>
<url-pattern>*.mvc</url-pattern>
</servlet-mapping>
<listener>
<listener-class>
org.springframework.web.context.ContextLoaderListener
</listener-class>
<description>Spring context init</description>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<description>WebGoat application init</description>
<listener-class>org.owasp.webgoat.application.WebGoatServletListener</listener-class>
</listener>
<!-- end spring MVC -->
<!-- spring security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- end spring security -->
<!-- Define mappings that are used by the servlet container to
translate a particular request URI (context-relative) to a
particular servlet. The examples below correspond to the
@ -258,56 +229,43 @@
It is also legal to define more than one mapping for the same
servlet, if you wish to.
-->
<servlet-mapping>
<servlet-name>AxisServlet</servlet-name>
<url-pattern>/servlet/AxisServlet</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>AxisServlet</servlet-name>
<url-pattern>*.jws</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>AxisServlet</servlet-name>
<url-pattern>/services/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>SOAPMonitorService</servlet-name>
<url-pattern>/SOAPMonitor</url-pattern>
</servlet-mapping>
<!-- uncomment this if you want the admin servlet -->
<servlet-mapping>
<servlet-name>AdminServlet</servlet-name>
<url-pattern>/servlet/AdminServlet</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>WebGoat</servlet-name>
<url-pattern>/attack</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>LessonSource</servlet-name>
<url-pattern>/source</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Catcher</servlet-name>
<url-pattern>/catcher</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>conf</servlet-name>
<url-pattern>/conf</url-pattern>
</servlet-mapping>
<!-- Define the default session timeout for your application,
in minutes. From a servlet or JSP page, you can modify
the timeout for a particular session dynamically by using
@ -316,15 +274,11 @@
<!-- 2 days -->
<session-timeout>2880</session-timeout>
</session-config>
<mime-mapping>
<extension>wmv</extension>
<mime-type>video/x-ms-wmv</mime-type>
</mime-mapping>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
</web-app>

1
src/main/webapp/WEB-INF/webgoat.properties
View File

@ -1,2 +1,3 @@
#lesson.BufferOverflow.hidden=true
lesson.BlindScript.hidden=true
lesson.RemoteAdminFlaw.hidden=true

4
src/main/webapp/css/main.css
View File

@ -229,10 +229,6 @@ img {
background-color: #16a086;
}
.sidebar > div > ul > li > ul > li > a {
float:left; margin-left:1em;
}
.sidebar > div > ul > li > ul > li > span {
float:left; margin-left:1.5em;
}

1277
src/main/webapp/js/jquery_form/jquery.form.js Normal file
View File

File diff suppressed because it is too large Load Diff