working version with fixed link and GET for tracing purposes (#677)

* working version with fixed link and GET for tracing purposes

* added integration test

* filter on request log

webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java

@@ -1,8 +1,6 @@
 package org.owasp.webgoat;
 
 import io.restassured.RestAssured;
-import io.restassured.config.RestAssuredConfig;
-import io.restassured.config.SSLConfig;
 import io.restassured.http.ContentType;
 import lombok.Getter;
 import org.hamcrest.CoreMatchers;
@@ -22,15 +20,12 @@ import static io.restassured.RestAssured.given;
 
 public abstract class IntegrationTest {
 
-    protected static int WG_PORT = 8843;
+    protected static int WG_PORT = 8080;
     protected static int WW_PORT = 9090;
     private static String WEBGOAT_URL = "http://127.0.0.1:" + WG_PORT + "/WebGoat/";
     private static String WEBWOLF_URL = "http://127.0.0.1:" + WW_PORT + "/";
     private static boolean WG_SSL = false;//enable this if you want to run the test on ssl
     
-    //TODO no longer required but will be removed once all usages are removed
-    protected static RestAssuredConfig restConfig = RestAssuredConfig.newConfig().sslConfig(new SSLConfig().relaxedHTTPSValidation());
-    
     @Getter
     private String webGoatCookie;
     @Getter
@@ -248,7 +243,7 @@ public abstract class IntegrationTest {
         Assert.assertThat(
                 RestAssured.given()
                         .when()
-                        .config(restConfig)
+                        .relaxedHTTPSValidation()
                         .cookie("JSESSIONID", getWebGoatCookie())   
                         .queryParams(params)
                         .get(url)                        

webgoat-integration-tests/src/test/java/org/owasp/webgoat/JWTLessonTest.java

@@ -92,7 +92,6 @@ public class JWTLessonTest extends IntegrationTest {
                         .formParam("token", generateToken(secret))
                         .post(url("/WebGoat/JWT/secret"))
                         .then()
-                        .log().all()
                         .statusCode(200)
                         .extract().path("lessonCompleted"), CoreMatchers.is(true));
     	

webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionMitigationTest.java

@@ -37,7 +37,7 @@ public class SqlInjectionMitigationTest extends IntegrationTest {
 		checkAssignment(url("/WebGoat/SqlInjectionMitigations/attack10b"), params, true);
 		
 		RestAssured.given()
-		.when().config(restConfig).cookie("JSESSIONID", getWebGoatCookie())
+		.when().relaxedHTTPSValidation().cookie("JSESSIONID", getWebGoatCookie())
 		.contentType(ContentType.JSON)
 		.get(url("/WebGoat/SqlInjectionMitigations/servers?column=(case when (true) then hostname else id end)"))
 		.then()

webgoat-integration-tests/src/test/java/org/owasp/webgoat/WebWolfTest.java

@@ -0,0 +1,72 @@
+package org.owasp.webgoat;
+
+import static org.junit.Assert.assertTrue;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.junit.Test;
+
+import io.restassured.RestAssured;
+
+public class WebWolfTest extends IntegrationTest {
+    
+    @Test
+    public void runTests() throws IOException {
+        startLesson("WebWolfIntroduction");
+        
+        //Assignment 3
+        Map<String, Object> params = new HashMap<>();
+        params.clear();
+        params.put("email", getWebgoatUser()+"@webgoat.org");
+        checkAssignment(url("/WebGoat/WebWolf/mail/send"), params, false);
+        
+        String responseBody = RestAssured.given()
+                .when()
+                .relaxedHTTPSValidation()
+                .cookie("WEBWOLFSESSION", getWebWolfCookie())
+                .get(webWolfUrl("/WebWolf/mail"))
+                .then()
+                .extract().response().getBody().asString();
+        
+        String uniqueCode = responseBody.replace("%20", " ");
+        uniqueCode = uniqueCode.substring(21+uniqueCode.lastIndexOf("your unique code is: "),uniqueCode.lastIndexOf("your unique code is: ")+(21+getWebgoatUser().length()));
+        params.clear();
+        params.put("uniqueCode", uniqueCode);
+        checkAssignment(url("/WebGoat/WebWolf/mail"), params, true);
+        
+        //Assignment 4
+        RestAssured.given()
+                        .when()
+                        .relaxedHTTPSValidation()
+                        .cookie("JSESSIONID", getWebGoatCookie())   
+                        .queryParams(params)
+                        .get(url("/WebGoat/WebWolf/landing/password-reset"))                        
+                        .then()
+                        .statusCode(200);
+        RestAssured.given()
+        .when()
+        .relaxedHTTPSValidation()
+        .cookie("WEBWOLFSESSION", getWebWolfCookie())
+        .queryParams(params)
+        .get(webWolfUrl("/landing"))                        
+        .then()
+        .statusCode(200);
+        responseBody = RestAssured.given()
+                .when()
+                .relaxedHTTPSValidation()
+                .cookie("WEBWOLFSESSION", getWebWolfCookie())
+                .get(webWolfUrl("/WebWolf/requests"))
+                .then()
+                .extract().response().getBody().asString();
+        assertTrue(responseBody.contains(uniqueCode));
+        params.clear();
+        params.put("uniqueCode", uniqueCode);
+        checkAssignment(url("/WebGoat/WebWolf/landing"), params, true);
+        
+        checkResults("/WebWolf");
+        
+    }
+    
+}

webgoat-integration-tests/src/test/java/org/owasp/webgoat/XSSTest.java

@@ -39,7 +39,7 @@ public class XSSTest extends IntegrationTest {
         String result =
                 RestAssured.given()
                         .when()
-                        .config(restConfig)
+                        .relaxedHTTPSValidation()
                         .cookie("JSESSIONID", getWebGoatCookie())
                         .header("webgoat-requested-by", "dom-xss-vuln")
                         .header("X-Requested-With", "XMLHttpRequest")

webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/LandingAssignment.java

@@ -56,7 +56,7 @@ public class LandingAssignment extends AssignmentEndpoint {
     }
 
 
-    @GetMapping("/password-reset")
+    @GetMapping("/WebWolf/landing/password-reset")
     public ModelAndView openPasswordReset(HttpServletRequest request) throws URISyntaxException {
         URI uri = new URI(request.getRequestURL().toString());
         ModelAndView modelAndView = new ModelAndView();

webgoat-lessons/webwolf-introduction/src/main/resources/templates/webwolfPasswordReset.html

@@ -9,7 +9,7 @@
 <div class="container">
     <div class="row">
         <div class="col-xs-12 col-sm-8 col-md-6 col-sm-offset-2 col-md-offset-3">
-            <form role="form" method="POST" th:action="${webwolfUrl}">
+            <form role="form" method="GET" th:action="${webwolfUrl}">
                 <h2 class="sign_up_title">Reset your password</h2>
                 <input type="hidden" name="uniqueCode" th:value="${uniqueCode}"/>
                 <div class="form-group">

webwolf/pom.xml

@@ -28,6 +28,11 @@
             <artifactId>commons-io</artifactId>
             <version>${commons-io.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>${commons-lang3.version}</version>
+        </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-security</artifactId>

webwolf/src/main/java/org/owasp/webwolf/requests/Requests.java

@@ -27,7 +27,12 @@ import com.fasterxml.jackson.databind.ObjectMapper;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.extern.slf4j.Slf4j;
+
+import org.apache.commons.lang3.StringUtils;
 import org.springframework.boot.actuate.trace.http.HttpTrace;
+import org.springframework.boot.actuate.trace.http.HttpTrace.Request;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -65,13 +70,29 @@ public class Requests {
     @GetMapping
     public ModelAndView get() {
         ModelAndView m = new ModelAndView("requests");
+        UserDetails user = (UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
         List<Tracert> traces = traceRepository.findAllTraces().stream()
+        		.filter(t -> allowedTrace(t, user))
                 .map(t -> new Tracert(t.getTimestamp(), path(t), toJsonString(t))).collect(toList());
         m.addObject("traces", traces);
 
         return m;
     }
     
+    private boolean allowedTrace(HttpTrace t, UserDetails user) {
+    	
+    	Request req = t.getRequest();
+    	boolean allowed = true;
+    	/* do not show certain traces to other users in a classroom setup */
+    	if (req.getUri().getPath().contains("/files") && !req.getUri().getPath().contains(user.getUsername())) {
+    		allowed = false;
+    	} else if (req.getUri().getPath().contains("/landing") && req.getUri().getQuery()!=null && req.getUri().getQuery().contains("uniqueCode") && !req.getUri().getQuery().contains(StringUtils.reverse(user.getUsername()))) {
+    		allowed = false;
+    	}
+    	    	
+    	return allowed;
+    }
+
     private String path(HttpTrace t) {
         return (String) t.getRequest().getUri().getPath();
     }

webwolf/src/main/java/org/owasp/webwolf/requests/WebWolfTraceRepository.java

@@ -41,7 +41,7 @@ import java.util.List;
 public class WebWolfTraceRepository implements HttpTraceRepository {
 
     private final EvictingQueue<HttpTrace> traces = EvictingQueue.create(10000);
-    private List<String> exclusionList = Lists.newArrayList("/WebWolf/home", "/WebWolf/mail", "/WebWolf/files", "/images/", "/login", "/favicon.ico", "/js/", "/webjars/", "/WebWolf/requests", "/css/", "/mail");
+    private List<String> exclusionList = Lists.newArrayList("/tmpdir", "/WebWolf/home", "/WebWolf/mail", "/WebWolf/files", "/images/", "/login", "/favicon.ico", "/js/", "/webjars/", "/WebWolf/requests", "/css/", "/mail");
 
     @Override
     public List<HttpTrace> findAll() {

webwolf/src/main/resources/application-webwolf.properties

@@ -18,9 +18,8 @@ logging.level.org.springframework.boot.devtools=WARN
 logging.level.org.owasp=DEBUG
 logging.level.org.owasp.webwolf=TRACE
 
-endpoints.trace.sensitive=false
+management.trace.http.include=REQUEST_HEADERS,RESPONSE_HEADERS,COOKIE_HEADERS,TIME_TAKEN
-management.trace.include=REQUEST_HEADERS,RESPONSE_HEADERS,COOKIES,ERRORS,TIME_TAKEN,PARAMETERS,QUERY_STRING
+management.endpoint.httptrace.enabled=true
-endpoints.trace.enabled=true
 
 spring.thymeleaf.cache=false