From 1a64fcd8d43811e94618031e9fbe2bca47b87572 Mon Sep 17 00:00:00 2001 From: Jeroen Willemsen Date: Tue, 16 Nov 2021 16:11:23 +0100 Subject: [PATCH] Recommit logging lesson as PR got a lot of conflicts --- webgoat-lessons/logging/pom.xml | 25 +++++++ .../webgoat/logging/LogBleedingTask.java | 66 +++++++++++++++++++ .../owasp/webgoat/logging/LogSpoofing.java | 47 +++++++++++++ .../webgoat/logging/LogSpoofingTask.java | 51 ++++++++++++++ .../src/main/resources/html/LogSpoofing.html | 55 ++++++++++++++++ .../resources/i18n/WebGoatLabels.properties | 2 + .../lessonPlans/en/logReading_Task.adoc | 5 ++ .../lessonPlans/en/logSpoofing_Task.adoc | 5 ++ .../lessonPlans/en/logging_intro.adoc | 13 ++++ .../lessonPlans/en/more_logging.adoc | 32 +++++++++ .../en/sensitive_logging_intro.adoc | 36 ++++++++++ webgoat-lessons/pom.xml | 1 + 12 files changed, 338 insertions(+) create mode 100755 webgoat-lessons/logging/pom.xml create mode 100644 webgoat-lessons/logging/src/main/java/org/owasp/webgoat/logging/LogBleedingTask.java create mode 100644 webgoat-lessons/logging/src/main/java/org/owasp/webgoat/logging/LogSpoofing.java create mode 100644 webgoat-lessons/logging/src/main/java/org/owasp/webgoat/logging/LogSpoofingTask.java create mode 100755 webgoat-lessons/logging/src/main/resources/html/LogSpoofing.html create mode 100755 webgoat-lessons/logging/src/main/resources/i18n/WebGoatLabels.properties create mode 100644 webgoat-lessons/logging/src/main/resources/lessonPlans/en/logReading_Task.adoc create mode 100755 webgoat-lessons/logging/src/main/resources/lessonPlans/en/logSpoofing_Task.adoc create mode 100755 webgoat-lessons/logging/src/main/resources/lessonPlans/en/logging_intro.adoc create mode 100644 webgoat-lessons/logging/src/main/resources/lessonPlans/en/more_logging.adoc create mode 100644 webgoat-lessons/logging/src/main/resources/lessonPlans/en/sensitive_logging_intro.adoc 
diff --git a/webgoat-lessons/logging/pom.xml b/webgoat-lessons/logging/pom.xml new file mode 100755 index 000000000..515b25f51 --- /dev/null +++ b/webgoat-lessons/logging/pom.xml @@ -0,0 +1,25 @@ + + 4.0.0 + logging + jar + + org.owasp.webgoat.lesson + webgoat-lessons-parent + 8.2.3-SNAPSHOT + + + + + org.springframework.boot + spring-boot-starter-test + test + + + org.springframework.security + spring-security-test + test + + + + diff --git a/webgoat-lessons/logging/src/main/java/org/owasp/webgoat/logging/LogBleedingTask.java b/webgoat-lessons/logging/src/main/java/org/owasp/webgoat/logging/LogBleedingTask.java new file mode 100644 index 000000000..3a0949218 --- /dev/null +++ b/webgoat-lessons/logging/src/main/java/org/owasp/webgoat/logging/LogBleedingTask.java 
@@ -0,0 +1,66 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.logging;
+
+import org.apache.logging.log4j.util.Strings;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+import javax.annotation.PostConstruct;
+import java.util.Base64;
+
+import java.nio.charset.StandardCharsets;
+import java.util.UUID;
+
+@RestController
+public class LogBleedingTask extends AssignmentEndpoint {
+
+ Logger log = LoggerFactory.getLogger(this.getClass().getName());
+ private String password;
+
+ @PostConstruct
+ public void generatePassword(){
+ password = UUID.randomUUID().toString();
+ log.info("Password for admin: {}", Base64.getEncoder().encodeToString(password.getBytes(StandardCharsets.UTF_8)));
+ }
+
+ @PostMapping("/LogSpoofing/log-bleeding")
+ @ResponseBody
+ public AttackResult completed(@RequestParam String username, @RequestParam String password) {
+ if (Strings.isEmpty(username) || Strings.isEmpty(password)) {
+ return failed(this).output("Please provide username (Admin) and password").build();
+ }
+
+ if (username.equals("Admin") && password.equals(this.password)) {
+ return success(this).build();
+ }
+
+ return failed(this).build();
+ }
+}
diff --git a/webgoat-lessons/logging/src/main/java/org/owasp/webgoat/logging/LogSpoofing.java b/webgoat-lessons/logging/src/main/java/org/owasp/webgoat/logging/LogSpoofing.java
new file mode 100644
index 000000000..ccf32eae6
--- /dev/null
+++ b/webgoat-lessons/logging/src/main/java/org/owasp/webgoat/logging/LogSpoofing.java
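Review bot: `Logger log = LoggerFactory.getLogger(this.getClass().getName());` in LogBleedingTask is a package-visible, mutable instance field; the conventional form is `private static final Logger log = LoggerFactory.getLogger(LogBleedingTask.class);`. The `password` request parameter of `completed` shadows the `password` field, which is why the comparison has to read `this.password`; renaming the parameter (for example `submittedPassword`) removes that ambiguity. Since writing the base64-wrapped secret to the log in `generatePassword` is the lesson's teaching point rather than an oversight, a comment such as `// Intentionally insecure: base64 is encoding, not protection; the lesson asks the learner to find this value in the log` would stop a future maintainer from "fixing" it. `Strings` is pulled from log4j's internal `org.apache.logging.log4j.util` package while the class itself logs through SLF4J; `username.isEmpty()` expresses the same check without that dependency.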
@@ -0,0 +1,47 @@
+package org.owasp.webgoat.logging;
+
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.Lesson;
+import org.springframework.stereotype.Component;
+
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *

+ * Copyright (c) 2002 - 2014 Bruce Mayhew
+ *

+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *

+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *

+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *

+ * Getting Source ==============
+ *

+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *

+ *
+ * @author WebGoat
+ * @version $Id: $Id
+ * @since October 12, 2016
+ */
+@Component
+public class LogSpoofing extends Lesson {
+ @Override
+ public Category getDefaultCategory() {
+ return Category.INSECURE_CONFIGURATION;
+ }
+
+ @Override
+ public String getTitle() {
+ return "logging.title";
+ }
+}
diff --git a/webgoat-lessons/logging/src/main/java/org/owasp/webgoat/logging/LogSpoofingTask.java b/webgoat-lessons/logging/src/main/java/org/owasp/webgoat/logging/LogSpoofingTask.java
new file mode 100644
index 000000000..193a5ab73
--- /dev/null
+++ b/webgoat-lessons/logging/src/main/java/org/owasp/webgoat/logging/LogSpoofingTask.java
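Review bot: The class Javadoc on LogSpoofing carries `@version $Id: $Id` and `@since October 12, 2016`, which were evidently copied from an older lesson and do not describe this new file; drop the `$Id` tag, set `@since` to this change, and add a one-line summary such as `Lesson entry point for the logging security exercises (log spoofing and log bleeding).` so the block says what the class is for. The licence text in this header also reads `2002 - 2014` while the two task classes in the same commit read `2002 - 2019`; the three files should agree.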
@@ -0,0 +1,51 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.logging;
+
+import org.apache.logging.log4j.util.Strings;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+public class LogSpoofingTask extends AssignmentEndpoint {
+
+ @PostMapping("/LogSpoofing/log-spoofing")
+ @ResponseBody
+ public AttackResult completed(@RequestParam String username, @RequestParam String password) {
+ if (Strings.isEmpty(username)) {
+ return failed(this).output(username).build();
+ }
+ username = username.replace("\n", "
"); + if (username.contains("

") || username.contains("

")) { + return failed(this).output("Try to think of something simple ").build(); + } + if (username.indexOf("
") < username.indexOf("admin")) { + return success(this).output(username).build(); + } + return failed(this).output(username).build(); + } +} diff --git a/webgoat-lessons/logging/src/main/resources/html/LogSpoofing.html b/webgoat-lessons/logging/src/main/resources/html/LogSpoofing.html new file mode 100755 index 000000000..50907ad78 --- /dev/null +++ b/webgoat-lessons/logging/src/main/resources/html/LogSpoofing.html @@ -0,0 +1,55 @@ + + + + +
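Review bot: The success condition in `completed` compares two `indexOf` results, and when the line-break marker inserted by the preceding `replace` is absent, `indexOf` returns -1, so a username that simply contains `admin` satisfies `-1 < indexOf("admin")` with no spoofed line at all; the marker literal is stripped in this rendering, so this is inferred from the shape of the check rather than read from it. Bind the positions first and require the marker to be present: `int lineBreak = username.indexOf(/* same marker literal as the contains checks */); int adminAt = username.indexOf("admin"); if (lineBreak >= 0 && adminAt > lineBreak) {`. Only `\n` is normalised by the `replace` above it, so a bare `\r` reaches `output(username)` unchanged; the same normalisation should cover `\r` as well. In the empty-username branch `failed(this).output(username)` emits an empty string; a message such as `"Please provide a username"` would match the style of LogBleedingTask.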
+ + +
+
+ +
+ +
+
+
+
+ + + + + +
+
+ Log output: +
Login failed for username:

+
+
+
+
+
+
+
+
+
+
+ + + + + +
+
+
+
+
+
+
+
+
diff --git a/webgoat-lessons/logging/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/logging/src/main/resources/i18n/WebGoatLabels.properties
new file mode 100755
index 000000000..3bb38d82c
--- /dev/null
+++ b/webgoat-lessons/logging/src/main/resources/i18n/WebGoatLabels.properties
@@ -0,0 +1,2 @@
+logging.title=Logging Security
+
diff --git a/webgoat-lessons/logging/src/main/resources/lessonPlans/en/logReading_Task.adoc b/webgoat-lessons/logging/src/main/resources/lessonPlans/en/logReading_Task.adoc
new file mode 100644
index 000000000..bbff01af7
--- /dev/null
+++ b/webgoat-lessons/logging/src/main/resources/lessonPlans/en/logReading_Task.adoc
@@ -0,0 +1,5 @@
+=== Let's try
+
+- Some servers provide Administrator credentials at the boot-up of the server.
+- The goal of this challenge is to find the secret in the application log of the WebGoat server to login as the Admin user.
+- Note that we tried to "protect" it. Can you decode it?
\ No newline at end of file
diff --git a/webgoat-lessons/logging/src/main/resources/lessonPlans/en/logSpoofing_Task.adoc b/webgoat-lessons/logging/src/main/resources/lessonPlans/en/logSpoofing_Task.adoc
new file mode 100755
index 000000000..c1d11a2bc
--- /dev/null
+++ b/webgoat-lessons/logging/src/main/resources/lessonPlans/en/logSpoofing_Task.adoc
@@ -0,0 +1,5 @@
+=== Let's try
+
+- The goal of this challenge is to make it look like username "admin" succeeded in logging in.
+- The red area below shows what will be logged in the web server's log file.
+- Want to go beyond? Try to elevate your attack by adding a script to the log file.
diff --git a/webgoat-lessons/logging/src/main/resources/lessonPlans/en/logging_intro.adoc b/webgoat-lessons/logging/src/main/resources/lessonPlans/en/logging_intro.adoc
new file mode 100755
index 000000000..3e35bf96e
--- /dev/null
+++ b/webgoat-lessons/logging/src/main/resources/lessonPlans/en/logging_intro.adoc
@@ -0,0 +1,13 @@
+
+== Concept
+Logging is very important for modern systems. We use it for various reasons:
+
+- Application monitoring and debugging.
+- Audit logging: E.g. record specific actions of your users and systems.
+- Security Event Monitoring: e.g. provide information to a SIEM or SOAR system that will trigger based on the information provided in these logs.
+
+== Goals
+* The user should have a basic understanding of logging and where to log for.
+* The user understands the risks of log spoofing and leaking log information.
+* The user will be able to do a simple log spoofing attack.
+* The user will be able to tell the basic risks involved in logging.
diff --git a/webgoat-lessons/logging/src/main/resources/lessonPlans/en/more_logging.adoc b/webgoat-lessons/logging/src/main/resources/lessonPlans/en/more_logging.adoc
new file mode 100644
index 000000000..e33639908
--- /dev/null
+++ b/webgoat-lessons/logging/src/main/resources/lessonPlans/en/more_logging.adoc
@@ -0,0 +1,32 @@ +=== More About Logging (2) + +By now it should be clear that using simple encoding/decoding is not a way to protect sensitive information in a log. Instead, it is better to use different techniques: not logging the data at all, blanking it out, or encrypting it with another shared secret. + +There are a few more topics we might want to cover here: + +- How to work with log-levels +- How to do Exception Handling +- How to use logging for other purposes +- Some resources to read up on. + +==== Log Levels +Explain log levels + +==== Exception Handling + exception handling (maybe an example of logging exception towards the client with cryptography and why this is a bad idea) + + +==== Audit Logging, Security Event Monitoring, and Application Logs +Note that logging is often used for more than just application debugging. Application logs are often used as a feed for other purposes, think of: + + - *Audit logging*: Specific events need to be recorded by your application log to create a trail that can be used to reconstruct the actions done on behalf of/by your user. This can later be used, for instance, in court to prove what happened in case of a dispute. + - *Security Event Monitoring (SEM)*: Events generated by your application can often be used by your security department to understand what is going on in the application landscape of the organization. There are various types of events as well as various attributes that can play a role to detect whether the organization is in trouble. For instance: a privileged administrative logon that is only used as a break-glass procedure can already be a very valuable event for them. Another example: While frequently used administrative logons are good to record, they might not trigger an event at the security department by themselves, unless a completely different location is used for that administrative role. 
A threat model exercise with your security department can often help to understand which types of logs they require, and what they should trigger a security alert on immediately. + - *Fraud Detection*: your application logs can help in fraud detection. For instance: logs that show that someone is trying to move around more money than that they have, could indicate something is going wrong. + - *Business Process Monitoring*: your application logs can be used to see if the business processes are still progressing as they should. For instance: the lack of new events further down a process could indicate that the business process has stopped. This can be valuable information to the business when it comes to steering the company. + - *And many more*... + +Note that a lot of these logging purposes differ quite a lot from each other! Therefore it is best to separate your application (debug) logging, from your SEM, and audit logs in terms of output by your application, storage and processing of the logs within your organization. + +==== More reading + +- link:https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html[The OWASP Logging Cheat sheet] \ No newline at end of file diff --git a/webgoat-lessons/logging/src/main/resources/lessonPlans/en/sensitive_logging_intro.adoc b/webgoat-lessons/logging/src/main/resources/lessonPlans/en/sensitive_logging_intro.adoc new file mode 100644 index 000000000..31e01dfb4 --- /dev/null +++ b/webgoat-lessons/logging/src/main/resources/lessonPlans/en/sensitive_logging_intro.adoc 
@@ -0,0 +1,36 @@ +=== More About Logging + +As you can tell by now, log-spoofing can become an issue when users try to spoof logs. There are various ways to do this other than a form-post. Think of URL parameters or crafted JSON payloads for instance. Therefore, it is important to do + +- apply proper input-sanitization +- make sure you can establish source authenticity and implement integrity controls to detect log-tampering. +- make sure that a user cannot inject logs from any channel +- make sure that the log storage is protected + +But there is more to log security than just sanitization against spoofing attacks. Let's have a look at logging sensitive information. + +==== Logging Sensitive Information + +In the previous exercise, we saw only the username passing by, but no password. Why? Because we want to make sure that an application log does not contain any sensitive information. Let's make sure that when our logs get compromised, we do not have to fear authentication information to be reused. + +Similarly, we should not log any other sensitive information, such as symmetric or private keys, access tokens, and such. + +==== Logging Personal Information + +Be careful with logging personal information. For instance: do not log bank account details, personally identifiable information to which a user did not consent having it logged. Do not log facts that can establish the identity of the subject being logged. + +What you basically want to prevent, is that people use the logs to profile people or spy on them. You want to protect the privacy of the subjects using your system. + +===== Special case: Access Logs + +One special case is always the access logs offered by your ingress and/or application server. These logs should contain at least a few things: Where the request came from, when the request was made, and possibly what the response code was. Additional information can be shared in an access log, depending on the security of the log. 
For instance: you don't want to share the raw request in the access logs to safeguard the privacy of your users. + +And here the problem often starts: access logs sometimes capture the full URL used for the request. This can include sensitive URL parameters. Therefore: be careful with what you put in the URL as parameters & let's make sure that you do not log those in an openly accessible log. + + +==== Read more + +Want to read up on more about logging? Have a look at: + +- link:https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html[The OWASP Logging Cheat sheet] +- link:https://en.wikipedia.org/wiki/General_Data_Protection_Regulation#Principles[GDPR article at Wikipedia] \ No newline at end of file diff --git a/webgoat-lessons/pom.xml b/webgoat-lessons/pom.xml index cdcad2a46..60879b20b 100644 --- a/webgoat-lessons/pom.xml +++ b/webgoat-lessons/pom.xml @@ -42,6 +42,7 @@ crypto path-traversal spoof-cookie +