Added Vagrant for users and developers

This commit is contained in:
Nanne Baars
2016-09-23 20:45:46 +02:00
parent 5d69467c6f
commit 1033df4d15
6 changed files with 245 additions and 96 deletions


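--- /dev/null
+++ b/TestUtils.java
@@ -0,0 +1,57 @@
+package org.owasp.webgoat.plugins;
+import org.openqa.selenium.By;
+import org.openqa.selenium.NoSuchElementException;
+import org.openqa.selenium.StaleElementReferenceException;
+import org.openqa.selenium.WebDriver;
+import org.openqa.selenium.support.ui.ExpectedConditions;
+import org.openqa.selenium.support.ui.FluentWait;
+import org.openqa.selenium.support.ui.WebDriverWait;
+import static java.util.concurrent.TimeUnit.SECONDS;
+/**
+* ************************************************************************************************
+* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+* please see http://www.owasp.org/
+* <p>
+* Copyright (c) 2002 - 20014 Bruce Mayhew
+* <p>
+* This program is free software; you can redistribute it and/or modify it under the terms of the
+* GNU General Public License as published by the Free Software Foundation; either version 2 of the
+* License, or (at your option) any later version.
+* <p>
+* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* General Public License for more details.
+* <p>
+* You should have received a copy of the GNU General Public License along with this program; if
+* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+* 02111-1307, USA.
+* <p>
+* Getting Source ==============
+* <p>
+* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+* projects.
+* <p>
+*
+* @author WebGoat
+* @version $Id: $Id
+* @since September 22, 2016
+*/
+public class TestUtils {
+public static void assertTitlePresent(WebDriver webDriver, String title) {
+FluentWait<WebDriver> wait = new WebDriverWait(webDriver, 15); // wait for a maximum of 15 seconds
+wait.until(ExpectedConditions.textToBePresentInElementLocated(By.id("lesson-title"), title));
+}
+public static FluentWait createDefaultWait(WebDriver webDriver) {
+return new FluentWait(webDriver)
+.withTimeout(10, SECONDS)
+.pollingEvery(2, SECONDS)
+.ignoring(NoSuchElementException.class)
+.ignoring(StaleElementReferenceException.class);
+}
+}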
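Review bot: `createDefaultWait` declares its return type as the raw `FluentWait` and builds `new FluentWait(webDriver)` without a type argument, so every caller that assigns the result to `FluentWait<WebDriver>` compiles only with an unchecked-conversion warning; declare it `public static FluentWait<WebDriver> createDefaultWait(WebDriver webDriver)` and return `new FluentWait<>(webDriver)`. The two helpers also use different timeouts (15 s in `assertTitlePresent`, 10 s with 2 s polling in `createDefaultWait`) with no comment explaining the difference; a one-line Javadoc on each, e.g. `/** Waits up to 15 s for the lesson title element to contain {@code title}. */`, would document the contract the integration tests now rely on. Since `TestUtils` has only static members, a private constructor would keep it from being instantiated. The copyright year `20014` in the class header looks like a typo for `2014`.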


@ -14,7 +14,6 @@ import org.junit.runner.RunWith;
import org.openqa.selenium.By;
import org.openqa.selenium.JavascriptExecutor;
import org.openqa.selenium.NoSuchElementException;
import org.openqa.selenium.StaleElementReferenceException;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.WebElement;
import org.openqa.selenium.remote.CapabilityType;
@ -29,11 +28,12 @@ import java.net.URL;
import java.util.LinkedList;
import java.util.concurrent.TimeUnit;
import static com.github.webdriverextensions.WebDriverExtensionsContext.getDriver;
import static java.util.concurrent.TimeUnit.SECONDS;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;
import static org.owasp.webgoat.plugins.TestUtils.assertTitlePresent;
import static org.owasp.webgoat.plugins.TestUtils.createDefaultWait;
/**
@ -138,10 +138,10 @@ public class WebGoatIT implements SauceOnDemandSessionIdProvider {
browsers.add(new String[]{"Windows 7", "45", "chrome", null, null});
// windows 10, Chrome 46
browsers.add(new String[]{"Windows 10", "46", "chrome", null, null});
//browsers.add(new String[]{"Windows 10", "46", "chrome", null, null});
// windows 10, Firefox 38
browsers.add(new String[]{"Windows 10", "38", "firefox", null, null});
// browsers.add(new String[]{"Windows 10", "38", "firefox", null, null});
// Linux, Firefox 37
browsers.add(new String[]{"Linux", "37", "firefox", null, null});
@ -207,7 +207,7 @@ public class WebGoatIT implements SauceOnDemandSessionIdProvider {
new URL("http://" + authentication.getUsername() + ":" + authentication.getAccessKey() +
"@ondemand.saucelabs.com:80/wd/hub"),
capabilities));
this.getWebDriver().manage().timeouts().implicitlyWait(2, SECONDS);
this.getWebDriver().manage().timeouts().implicitlyWait(4, SECONDS);
this.sessionId.set((((RemoteWebDriver) getWebDriver()).getSessionId()).toString());
String message = String.format("SauceOnDemandSessionID=%1$s job-name=%2$s", this.sessionId, methodName);
@ -283,7 +283,6 @@ public class WebGoatIT implements SauceOnDemandSessionIdProvider {
String pageSource = getWebDriver().getPageSource();
assertTrue("Page source should contain lessons: Test 1", pageSource.contains("Reflected XSS"));
assertTrue("Page source should contain lessons: Test 2", pageSource.contains("Access Control Flaws"));
assertTrue("Page source should contain lessons: Test 34", pageSource.contains("Fail Open Authentication Scheme"));
@ -297,17 +296,12 @@ public class WebGoatIT implements SauceOnDemandSessionIdProvider {
getWebDriver().get(baseWebGoatUrl + "/service/restartlesson.mvc");
getWebDriver().get(baseWebGoatUrl + "/start.mvc#attack/1708534694/200");
FluentWait<WebDriver> wait = new WebDriverWait(getWebDriver(), 15); // wait for a maximum of 15 seconds
FluentWait<WebDriver> wait = createDefaultWait(getWebDriver());
wait.until(ExpectedConditions.textToBePresentInElementLocated(By.id("lesson-title"), "Using an Access Control Matrix"));
wait = new FluentWait(getWebDriver())
.withTimeout(10, SECONDS)
.pollingEvery(2, SECONDS)
.ignoring(NoSuchElementException.class)
.ignoring(StaleElementReferenceException.class);
WebElement user = wait.until(ExpectedConditions.presenceOfElementLocated(By.name("User")));
user.click();
user.sendKeys("Larry");
user.sendKeys("L");
WebElement resource = getWebDriver().findElement(By.name("Resource"));
resource.click();
@ -316,11 +310,6 @@ public class WebGoatIT implements SauceOnDemandSessionIdProvider {
WebElement submit = getWebDriver().findElement(By.name("SUBMIT"));
submit.click();
wait = new FluentWait(getWebDriver())
.withTimeout(10, SECONDS)
.pollingEvery(2, SECONDS)
.ignoring(NoSuchElementException.class);
wait.until(new Predicate<WebDriver>() {
public boolean apply(WebDriver webDriver) {
return webDriver.getPageSource().contains("Congratulations");
@ -336,48 +325,35 @@ public class WebGoatIT implements SauceOnDemandSessionIdProvider {
getWebDriver().get(baseWebGoatUrl + "/service/restartlesson.mvc");
getWebDriver().get(baseWebGoatUrl + "/start.mvc#attack/160587164/200");
FluentWait<WebDriver> wait = new WebDriverWait(getDriver(), 15); // wait for a maximum of 15 seconds
wait.until(ExpectedConditions.textToBePresentInElementLocated(By.id("lesson-title"), "LAB: Role Based Access Control"));
assertTitlePresent(getWebDriver(), "LAB: Role Based Access Control");
this.getWebDriver().manage().timeouts().implicitlyWait(4, SECONDS);
wait = new FluentWait(getDriver())
.withTimeout(10, SECONDS)
.pollingEvery(2, SECONDS)
.ignoring(NoSuchElementException.class)
.ignoring(StaleElementReferenceException.class);
FluentWait<WebDriver> wait = createDefaultWait(getWebDriver());
WebElement user = wait.until(ExpectedConditions.presenceOfElementLocated(By.name("employee_id")));
user.click();
user.sendKeys("T");
WebElement resource = getDriver().findElement(By.name("password"));
WebElement resource = getWebDriver().findElement(By.name("password"));
resource.click();
resource.sendKeys("tom");
WebElement submit = getDriver().findElement(By.name("action"));
WebElement submit = getWebDriver().findElement(By.name("action"));
submit.click();
wait = new FluentWait(getDriver())
.withTimeout(10, SECONDS)
.pollingEvery(2, SECONDS)
.ignoring(NoSuchElementException.class);
wait = createDefaultWait(getWebDriver());
wait.until(new Predicate<WebDriver>() {
public boolean apply(WebDriver webDriver) {
return webDriver.getPageSource().contains("Welcome Back");
}
});
JavascriptExecutor javascript = (JavascriptExecutor) getDriver();
JavascriptExecutor javascript = (JavascriptExecutor) getWebDriver();
String value = "document.getElementsByName('action')[0].value='DeleteProfile';";
javascript.executeScript(value);
WebElement viewProfile = getDriver().findElements(By.name("action")).get(0);
WebElement viewProfile = getWebDriver().findElements(By.name("action")).get(0);
viewProfile.click();
wait = new FluentWait(getDriver())
.withTimeout(40, SECONDS)
.pollingEvery(2, SECONDS)
.ignoring(NoSuchElementException.class);
wait.until(new Predicate<WebDriver>() {
public boolean apply(WebDriver webDriver) {
return webDriver.getPageSource().contains("Stage 2");
@ -387,48 +363,37 @@ public class WebGoatIT implements SauceOnDemandSessionIdProvider {
//
// Stage 3
//
getDriver().get(baseWebGoatUrl + "/start.mvc#attack/160587164/200/3");
getWebDriver().get(baseWebGoatUrl + "/start.mvc#attack/160587164/200/3");
assertTitlePresent(getWebDriver(), "LAB: Role Based Access Control");
user = wait.until(ExpectedConditions.presenceOfElementLocated(By.name("employee_id")));
user.click();
user.sendKeys("T");
resource = getDriver().findElement(By.name("password"));
resource = wait.until(ExpectedConditions.presenceOfElementLocated(By.name("password")));
resource.click();
resource.sendKeys("tom");
submit = getDriver().findElement(By.name("action"));
submit = wait.until(ExpectedConditions.presenceOfElementLocated(By.name("action")));
submit.click();
wait = new FluentWait(getDriver())
.withTimeout(10, SECONDS)
.pollingEvery(2, SECONDS)
.ignoring(NoSuchElementException.class);
wait.until(new Predicate<WebDriver>() {
public boolean apply(WebDriver webDriver) {
return webDriver.getPageSource().contains("Welcome Back");
}
});
javascript = (JavascriptExecutor) getDriver();
javascript = (JavascriptExecutor) getWebDriver();
value = "var select = document.getElementsByName('employee_id')[0]; select.options[0].value='106'; ";
javascript.executeScript(value);
viewProfile = getDriver().findElements(By.name("action")).get(0);
viewProfile = wait.until(ExpectedConditions.presenceOfAllElementsLocatedBy(By.name("action"))).get(0);
viewProfile.click();
wait = new FluentWait(getDriver())
.withTimeout(10, SECONDS)
.pollingEvery(2, SECONDS)
.ignoring(NoSuchElementException.class);
wait.until(new Predicate<WebDriver>() {
public boolean apply(WebDriver webDriver) {
return webDriver.getPageSource().contains("You have completed Stage 3");
return webDriver.getPageSource().contains("Stage 4");
}
});
}
@Test
@ -439,14 +404,9 @@ public class WebGoatIT implements SauceOnDemandSessionIdProvider {
getWebDriver().get(baseWebGoatUrl + "/service/restartlesson.mvc");
getWebDriver().get(baseWebGoatUrl + "/start.mvc#attack/1075773632/200");
FluentWait<WebDriver> wait = new WebDriverWait(getWebDriver(), 15); // wait for a maximum of 15 seconds
FluentWait<WebDriver> wait = createDefaultWait(getWebDriver());
wait.until(ExpectedConditions.textToBePresentInElementLocated(By.id("lesson-title"), "Fail Open Authentication Scheme"));
wait = new FluentWait(getWebDriver())
.withTimeout(10, SECONDS)
.pollingEvery(2, SECONDS)
.ignoring(NoSuchElementException.class)
.ignoring(StaleElementReferenceException.class);
WebElement user = wait.until(ExpectedConditions.presenceOfElementLocated(By.name("Username")));
user.click();
user.sendKeys("Larry");
@ -458,11 +418,6 @@ public class WebGoatIT implements SauceOnDemandSessionIdProvider {
WebElement submit = getWebDriver().findElement(By.name("SUBMIT"));
submit.click();
wait = new FluentWait(getWebDriver())
.withTimeout(10, SECONDS)
.pollingEvery(2, SECONDS)
.ignoring(NoSuchElementException.class);
wait.until(new Predicate<WebDriver>() {
public boolean apply(WebDriver webDriver) {
return webDriver.getPageSource().contains("Congratulations");
@ -478,17 +433,13 @@ public class WebGoatIT implements SauceOnDemandSessionIdProvider {
getWebDriver().get(baseWebGoatUrl + "/service/restartlesson.mvc");
getWebDriver().get(baseWebGoatUrl + "/start.mvc#attack/1537271095/200");
FluentWait<WebDriver> wait = new FluentWait(getWebDriver())
.withTimeout(10, SECONDS)
.pollingEvery(2, SECONDS)
.ignoring(NoSuchElementException.class);
FluentWait<WebDriver> wait = createDefaultWait(getWebDriver());
wait.until(ExpectedConditions.textToBePresentInElementLocated(By.id("lesson-title"), "LAB: SQL Injection"));
assertFalse(getWebDriver().getPageSource().contains("Lesson Plan Title: How to Perform a SQL Injection"));
WebElement user = getWebDriver().findElement(By.id("show-plan-button"));
user.click();
wait = new WebDriverWait(getWebDriver(), 15); // wait for a maximum of 15 seconds
wait.until(ExpectedConditions.textToBePresentInElementLocated(By.id("lesson-plan-content"), "Lesson Plan Title: How to Perform a SQL Injection"));
}
@ -500,7 +451,7 @@ public class WebGoatIT implements SauceOnDemandSessionIdProvider {
getWebDriver().get(baseWebGoatUrl + "/service/restartlesson.mvc");
getWebDriver().get(baseWebGoatUrl + "/start.mvc#attack/1129417221/200");
FluentWait<WebDriver> wait = new WebDriverWait(getWebDriver(), 15); // wait for a maximum of 15 seconds
FluentWait<WebDriver> wait = createDefaultWait(getWebDriver());
wait.until(ExpectedConditions.textToBePresentInElementLocated(By.id("lesson-title"), "Insecure Client Storage"));
getWebDriver().manage().timeouts().implicitlyWait(10, TimeUnit.SECONDS);
@ -512,10 +463,6 @@ public class WebGoatIT implements SauceOnDemandSessionIdProvider {
WebElement submit = getWebDriver().findElement(By.name("SUBMIT"));
submit.click();
wait = new FluentWait(getWebDriver())
.withTimeout(20, SECONDS)
.pollingEvery(2, SECONDS)
.ignoring(NoSuchElementException.class);
wait.until(new Predicate<WebDriver>() {
@Override
public boolean apply(WebDriver input) {
@ -524,11 +471,6 @@ public class WebGoatIT implements SauceOnDemandSessionIdProvider {
});
//Stage 2
wait = new FluentWait(getWebDriver())
.withTimeout(10, SECONDS)
.pollingEvery(2, SECONDS)
.ignoring(NoSuchElementException.class)
.ignoring(StaleElementReferenceException.class);
WebElement qty = wait.until(ExpectedConditions.presenceOfElementLocated(By.name("QTY1")));
qty.click();
qty.sendKeys("8");
@ -544,7 +486,6 @@ public class WebGoatIT implements SauceOnDemandSessionIdProvider {
getWebDriver().manage().timeouts().implicitlyWait(10, TimeUnit.SECONDS);
submit = getWebDriver().findElement(By.name("SUBMIT"));
submit.click();
wait = new FluentWait(getWebDriver())
@ -566,13 +507,14 @@ public class WebGoatIT implements SauceOnDemandSessionIdProvider {
getWebDriver().get(baseWebGoatUrl + "/service/restartlesson.mvc");
getWebDriver().get(baseWebGoatUrl + "/start.mvc#attack/1574219258/1700");
FluentWait<WebDriver> wait = new WebDriverWait(getWebDriver(), 15); // wait for a maximum of 15 seconds
FluentWait<WebDriver> wait = createDefaultWait(getWebDriver());
wait.until(ExpectedConditions.textToBePresentInElementLocated(By.id("lesson-title"), "Bypass Client Side JavaScript Validation"));
getWebDriver().manage().timeouts().implicitlyWait(10, TimeUnit.SECONDS);
for (int i = 1; i <= 7; i++) {
WebElement field = getWebDriver().findElement(By.name("field" + i));
WebElement field = wait.until(ExpectedConditions.presenceOfElementLocated(By.name("field" + i)));
field.click();
field.sendKeys("@#@{@#{");
}
@ -586,11 +528,6 @@ public class WebGoatIT implements SauceOnDemandSessionIdProvider {
getWebDriver().manage().timeouts().implicitlyWait(10, TimeUnit.SECONDS);
wait = new FluentWait(getWebDriver())
.withTimeout(10, SECONDS)
.pollingEvery(2, SECONDS)
.ignoring(NoSuchElementException.class);
wait.until(new Predicate<WebDriver>() {
public boolean apply(WebDriver webDriver) {
return webDriver.getPageSource().contains("Congratulations");
@ -606,16 +543,20 @@ public class WebGoatIT implements SauceOnDemandSessionIdProvider {
getWebDriver().get(baseWebGoatUrl + "/service/restartlesson.mvc");
getWebDriver().get(baseWebGoatUrl + "/start.mvc#attack/1537271095/200");
FluentWait<WebDriver> wait = new WebDriverWait(getWebDriver(), 15); // wait for a maximum of 15 seconds
FluentWait<WebDriver> wait = createDefaultWait(getWebDriver());
wait.until(ExpectedConditions.textToBePresentInElementLocated(By.id("lesson-title"), "LAB: SQL Injection"));
this.getWebDriver().manage().timeouts().implicitlyWait(4, SECONDS);
WebElement user = getWebDriver().findElement(By.id("show-solution-button"));
WebElement user = wait.until(ExpectedConditions.presenceOfElementLocated(By.id("show-solution-button")));
user.click();
assertTrue(getWebDriver().getPageSource().contains("Could not find the solution file"));
wait.until(new Predicate<WebDriver>() {
public boolean apply(WebDriver webDriver) {
return webDriver.getPageSource().contains("Could not find the solution file");
}
});
}
@Test
public void testLogoutMvc() {