resources = new HashMap<>();
public LessonTemplateResolver(ResourceLoader resourceLoader) {
this.resourceLoader = resourceLoader;
- setResolvablePatterns(Sets.newHashSet(PREFIX + "*"));
+ setResolvablePatterns(Set.of(PREFIX + "*"));
}
@Override
@@ -69,7 +69,7 @@ public class LessonTemplateResolver extends FileTemplateResolver {
byte[] resource = resources.get(templateName);
if (resource == null) {
try {
- resource = ByteStreams.toByteArray(resourceLoader.getResource("classpath:/html/" + templateName + ".html").getInputStream());
+ resource = resourceLoader.getResource("classpath:/html/" + templateName + ".html").getInputStream().readAllBytes();
} catch (IOException e) {
e.printStackTrace();
}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java b/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java
index 0e2aac9f6..ea39e3f0b 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java
@@ -28,6 +28,7 @@
* @version $Id: $Id
* @since October 28, 2003
*/
+
package org.owasp.webgoat;
import org.owasp.webgoat.i18n.Language;
@@ -122,11 +123,6 @@ public class MvcConfiguration implements WebMvcConfigurer {
return engine;
}
- /**
- * This way we expose the plugins target directory as a resource within the web application.
- *
- * @param registry
- */
@Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
registry.addResourceHandler("/images/**").addResourceLocations("classpath:/images/");
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java b/webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java
index 30ade6d34..7b77b6dee 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java
@@ -28,6 +28,7 @@
* @version $Id: $Id
* @since October 28, 2003
*/
+
package org.owasp.webgoat;
import org.owasp.webgoat.session.UserSessionData;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java b/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
index 81de89aa7..79a1b075b 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
@@ -1,4 +1,3 @@
-
/**
* ************************************************************************************************
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
@@ -28,6 +27,7 @@
* @version $Id: $Id
* @since December 12, 2015
*/
+
package org.owasp.webgoat;
import lombok.AllArgsConstructor;
@@ -38,7 +38,6 @@ import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java
index 15b9415c0..1d1cbbb65 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java
@@ -22,6 +22,7 @@
* projects.
*
*/
+
package org.owasp.webgoat.assignments;
import lombok.Getter;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentPath.java b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentPath.java
index 25336aa44..bb7f31a69 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentPath.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentPath.java
@@ -1,7 +1,5 @@
package org.owasp.webgoat.assignments;
-import org.springframework.core.annotation.AliasFor;
-import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import java.lang.annotation.ElementType;
@@ -14,15 +12,11 @@ import java.lang.annotation.Target;
*/
@Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME)
-//@RequestMapping
public @interface AssignmentPath {
- // @AliasFor(annotation = RequestMapping.class)
String[] path() default {};
- // @AliasFor(annotation = RequestMapping.class)
RequestMethod[] method() default {};
- // @AliasFor("path")
String value() default "";
}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AttackResult.java b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AttackResult.java
index 573f488a1..e78d46338 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AttackResult.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AttackResult.java
@@ -25,7 +25,6 @@
package org.owasp.webgoat.assignments;
-import com.google.common.base.Strings;
import lombok.Getter;
import org.apache.commons.lang3.StringEscapeUtils;
import org.owasp.webgoat.i18n.PluginMessages;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/controller/StartLesson.java b/webgoat-container/src/main/java/org/owasp/webgoat/controller/StartLesson.java
index 06efc9c0f..69e63c578 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/controller/StartLesson.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/controller/StartLesson.java
@@ -28,6 +28,7 @@
* @version $Id: $Id
* @since October 28, 2003
*/
+
package org.owasp.webgoat.controller;
import org.owasp.webgoat.lessons.Lesson;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/controller/Welcome.java b/webgoat-container/src/main/java/org/owasp/webgoat/controller/Welcome.java
index 44fe432de..af80e2c82 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/controller/Welcome.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/controller/Welcome.java
@@ -28,6 +28,7 @@
* @since October 28, 2003
* @version $Id: $Id
*/
+
package org.owasp.webgoat.controller;
import org.springframework.stereotype.Controller;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/i18n/Messages.java b/webgoat-container/src/main/java/org/owasp/webgoat/i18n/Messages.java
index 4f3312ddf..e7758c43c 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/i18n/Messages.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/i18n/Messages.java
@@ -22,6 +22,7 @@
* projects.
*
*/
+
package org.owasp.webgoat.i18n;
import lombok.AllArgsConstructor;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/i18n/PluginMessages.java b/webgoat-container/src/main/java/org/owasp/webgoat/i18n/PluginMessages.java
index 163909724..a2a046bf3 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/i18n/PluginMessages.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/i18n/PluginMessages.java
@@ -25,9 +25,10 @@
package org.owasp.webgoat.i18n;
-import lombok.SneakyThrows;
import org.springframework.context.support.ReloadableResourceBundleMessageSource;
+import java.io.IOException;
+import java.net.URISyntaxException;
import java.net.URL;
import java.util.Enumeration;
import java.util.Properties;
@@ -50,18 +51,23 @@ public class PluginMessages extends ReloadableResourceBundleMessageSource {
}
@Override
- @SneakyThrows
protected PropertiesHolder refreshProperties(String filename, PropertiesHolder propHolder) {
Properties properties = new Properties();
long lastModified = System.currentTimeMillis();
- Enumeration resources = Thread.currentThread().getContextClassLoader().getResources(filename + PROPERTIES_SUFFIX);
- while (resources.hasMoreElements()) {
- URL resource = resources.nextElement();
- String sourcePath = resource.toURI().toString().replace(PROPERTIES_SUFFIX, "");
- PropertiesHolder holder = super.refreshProperties(sourcePath, propHolder);
- properties.putAll(holder.getProperties());
+ Enumeration resources = null;
+ try {
+ resources = Thread.currentThread().getContextClassLoader().getResources(filename + PROPERTIES_SUFFIX);
+ while (resources.hasMoreElements()) {
+ URL resource = resources.nextElement();
+ String sourcePath = resource.toURI().toString().replace(PROPERTIES_SUFFIX, "");
+ PropertiesHolder holder = super.refreshProperties(sourcePath, propHolder);
+ properties.putAll(holder.getProperties());
+ }
+ } catch (IOException | URISyntaxException e) {
+ logger.error("Unable to read plugin message", e);
}
+
return new PropertiesHolder(properties, lastModified);
}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Assignment.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Assignment.java
index 91d6b1937..f4e8aaa31 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Assignment.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Assignment.java
@@ -1,9 +1,9 @@
package org.owasp.webgoat.lessons;
-import com.google.common.collect.Lists;
import lombok.*;
import javax.persistence.*;
+import java.util.ArrayList;
import java.util.List;
/**
@@ -45,7 +45,7 @@ public class Assignment {
private Long id;
private String name;
private String path;
-
+
@Transient
private List hints;
@@ -54,7 +54,7 @@ public class Assignment {
}
public Assignment(String name) {
- this(name, name, Lists.newArrayList());
+ this(name, name, new ArrayList<>());
}
public Assignment(String name, String path, List hints) {
@@ -65,14 +65,15 @@ public class Assignment {
this.path = path;
this.hints = hints;
}
-
+
/**
* Set path is here to overwrite stored paths.
* Since a stored path can no longer be used in a lesson while
* the lesson (name) itself is still part of the lesson.
- * @param pathName
+ *
+ * @param pathName the path
*/
public void setPath(String pathName) {
- this.path = pathName;
+ this.path = pathName;
}
}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Hint.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Hint.java
index f2a1fa4b0..6b45b4d1d 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Hint.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Hint.java
@@ -24,6 +24,7 @@
* projects.
*
*/
+
package org.owasp.webgoat.lessons;
import lombok.Value;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonMenuItem.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonMenuItem.java
index 41c45a682..8aca79fcc 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonMenuItem.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonMenuItem.java
@@ -1,32 +1,32 @@
/**
* *************************************************************************************************
- *
- *
+ *
+ *
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
- *
+ *
* Copyright (c) 2002 - 20014 Bruce Mayhew
- *
+ *
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
- *
+ *
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
- *
+ *
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
- *
+ *
* Getting Source ==============
- *
+ *
* Source for this application is maintained at
* https://github.com/WebGoat/WebGoat, a repository for free software projects.
- *
*/
+
package org.owasp.webgoat.lessons;
import java.util.ArrayList;
@@ -46,8 +46,6 @@ public class LessonMenuItem {
private boolean complete;
private String link;
private int ranking;
-// private boolean showSource = true;
-// private boolean showHints = true;
/**
*
Getter for the field name.
@@ -112,7 +110,6 @@ public class LessonMenuItem {
children.add(child);
}
- /** {@inheritDoc} */
@Override
public String toString() {
StringBuilder bldr = new StringBuilder();
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/RequestParameter.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/RequestParameter.java
index 5d2716920..81c548fdf 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/RequestParameter.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/RequestParameter.java
@@ -27,6 +27,7 @@
* for free software projects.
*
*/
+
package org.owasp.webgoat.lessons;
/**
@@ -69,7 +70,6 @@ public class RequestParameter implements Comparable {
return value;
}
- /** {@inheritDoc} */
@Override
public int compareTo(RequestParameter o) {
return this.name.compareTo(o.getName());
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/CourseConfiguration.java b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/CourseConfiguration.java
index 36bdf1305..cb7269c04 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/CourseConfiguration.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/CourseConfiguration.java
@@ -19,9 +19,9 @@
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/
+
package org.owasp.webgoat.plugins;
-import com.google.common.collect.Lists;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.ArrayUtils;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
@@ -39,9 +39,7 @@ import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import java.lang.reflect.Method;
-import java.util.Arrays;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
import static java.util.stream.Collectors.groupingBy;
import static java.util.stream.Collectors.toList;
@@ -70,7 +68,7 @@ public class CourseConfiguration {
var endpoints = assignmentsByPackage.get(lesson.getClass().getPackageName());
if (CollectionUtils.isEmpty(endpoints)) {
log.warn("Lesson: {} has no endpoints, is this intentionally?", lesson.getTitle());
- return Lists.newArrayList();
+ return new ArrayList();
}
return endpoints.stream().map(e -> new Assignment(e.getClass().getSimpleName(), getPath(e.getClass()), getHints(e.getClass()))).collect(toList());
}
@@ -110,8 +108,8 @@ public class CourseConfiguration {
private List getHints(Class e) {
if (e.isAnnotationPresent(AssignmentHints.class)) {
- return Lists.newArrayList(e.getAnnotationsByType(AssignmentHints.class)[0].value());
+ return List.of(e.getAnnotationsByType(AssignmentHints.class)[0].value());
}
- return Lists.newArrayList();
+ return Collections.emptyList();
}
}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/CookieService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/CookieService.java
deleted file mode 100644
index fd9f55ae0..000000000
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/CookieService.java
+++ /dev/null
@@ -1,63 +0,0 @@
-/**
- * *************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
- * for free software projects.
- *
- */
-package org.owasp.webgoat.service;
-
-import com.google.common.collect.Lists;
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
-
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpSession;
-import java.util.List;
-
-/**
- * CookieService class.
- *
- * @author rlawson
- * @version $Id: $Id
- */
-@Controller
-public class CookieService {
-
- /**
- * Returns cookies for last attack
- *
- * @param session a {@link javax.servlet.http.HttpSession} object.
- * @return a {@link java.util.List} object.
- */
- @RequestMapping(path = "/service/cookie.mvc", produces = "application/json")
- public @ResponseBody
- List showCookies() {
- //// TODO: 11/6/2016 to be decided
- List cookies = Lists.newArrayList();
- return cookies;
- }
-}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/HintService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/HintService.java
index b0743f865..43dd88c57 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/HintService.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/HintService.java
@@ -3,6 +3,7 @@
* To change this template file, choose Tools | Templates
* and open the template in the editor.
*/
+
package org.owasp.webgoat.service;
import org.owasp.webgoat.lessons.Assignment;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/LabelDebugService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/LabelDebugService.java
index b32832a88..d009e889c 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/LabelDebugService.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/LabelDebugService.java
@@ -1,32 +1,32 @@
/**
* *************************************************************************************************
- *
- *
+ *
+ *
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
- *
+ *
* Copyright (c) 2002 - 20014 Bruce Mayhew
- *
+ *
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
- *
+ *
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
- *
+ *
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
- *
+ *
* Getting Source ==============
- *
+ *
* Source for this application is maintained at
* https://github.com/WebGoat/WebGoat, a repository for free software projects.
- *
*/
+
package org.owasp.webgoat.service;
import lombok.AllArgsConstructor;
@@ -73,20 +73,20 @@ public class LabelDebugService {
return new ResponseEntity<>(result, HttpStatus.OK);
}
- /**
- * Sets the enabled flag on the label debugger to the given parameter
- * @param enabled {@link org.owasp.webgoat.session.LabelDebugger} object
- * @throws Exception unhandled exception
- * @return a {@link org.springframework.http.ResponseEntity} object.
- */
- @RequestMapping(value = URL_DEBUG_LABELS_MVC, produces = MediaType.APPLICATION_JSON_VALUE, params = KEY_ENABLED)
- public @ResponseBody
- ResponseEntity> setDebuggingStatus(@RequestParam("enabled") Boolean enabled) throws Exception {
- log.debug("Setting label debugging to {} ", labelDebugger.isEnabled());
- Map result = createResponse(enabled);
- labelDebugger.setEnabled(enabled);
- return new ResponseEntity<>(result, HttpStatus.OK);
- }
+ /**
+ * Sets the enabled flag on the label debugger to the given parameter
+ * @param enabled {@link org.owasp.webgoat.session.LabelDebugger} object
+ * @throws Exception unhandled exception
+ * @return a {@link org.springframework.http.ResponseEntity} object.
+ */
+ @RequestMapping(value = URL_DEBUG_LABELS_MVC, produces = MediaType.APPLICATION_JSON_VALUE, params = KEY_ENABLED)
+ public @ResponseBody
+ ResponseEntity> setDebuggingStatus(@RequestParam("enabled") Boolean enabled) throws Exception {
+ log.debug("Setting label debugging to {} ", labelDebugger.isEnabled());
+ Map result = createResponse(enabled);
+ labelDebugger.setEnabled(enabled);
+ return new ResponseEntity<>(result, HttpStatus.OK);
+ }
/**
* @param enabled {@link org.owasp.webgoat.session.LabelDebugger} object
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/LabelService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/LabelService.java
index e42904b6a..c2b72957c 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/LabelService.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/LabelService.java
@@ -26,6 +26,7 @@
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
*/
+
package org.owasp.webgoat.service;
import lombok.AllArgsConstructor;
@@ -67,21 +68,20 @@ public class LabelService {
* We use Springs session locale resolver which also gives us the option to change the local later on. For
* now it uses the accept-language from the HttpRequest. If this language is not found it will default back
* to messages.properties.
- *
+ *
* Note although it is possible to use Spring language interceptor we for now opt for this solution, the UI
* will always need to fetch the labels with the new language set by the user. So we don't need to intercept each
* and every request to see if the language param has been set in the request.
*
* @param lang the language to fetch labels for (optional)
* @return a map of labels
- * @throws Exception
*/
@GetMapping(path = URL_LABELS_MVC, produces = MediaType.APPLICATION_JSON_VALUE)
@ResponseBody
- public ResponseEntity fetchLabels(@RequestParam(value = "lang", required = false) String lang, HttpServletRequest request) {
+ public ResponseEntity fetchLabels(@RequestParam(value = "lang", required = false) String lang) {
if (!StringUtils.isEmpty(lang)) {
Locale locale = Locale.forLanguageTag(lang);
- ((SessionLocaleResolver)localeResolver).setDefaultLocale(locale);
+ ((SessionLocaleResolver) localeResolver).setDefaultLocale(locale);
log.debug("Language provided: {} leads to Locale: {}", lang, locale);
}
Properties allProperties = new Properties();
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonMenuService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonMenuService.java
index d1d8c4efc..d3e9cf7b1 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonMenuService.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonMenuService.java
@@ -26,6 +26,7 @@
* Source for this application is maintained at
* https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/
+
package org.owasp.webgoat.service;
import lombok.AllArgsConstructor;
@@ -100,15 +101,7 @@ public class LessonMenuService {
return menu;
}
-
- /**
- * This determines if the lesson is complete based on data in the database
- * and the list of assignments actually linked to the existing current lesson.
- * This way older removed assignments will not prevent a lesson from being completed.
- * @param map
- * @param currentLesson
- * @return
- */
+
private boolean lessonCompleted(Map map, Lesson currentLesson) {
boolean result = true;
for (Map.Entry entry : map.entrySet()) {
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonPlanService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonPlanService.java
index c28a7bd83..976f583e4 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonPlanService.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonPlanService.java
@@ -27,6 +27,7 @@
* for free software projects.
*
*/
+
package org.owasp.webgoat.service;
import org.owasp.webgoat.session.WebSession;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java
index de29eb0d6..17b9ae156 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java
@@ -1,7 +1,5 @@
package org.owasp.webgoat.service;
-import com.google.common.collect.Lists;
-import com.google.common.collect.Maps;
import lombok.AllArgsConstructor;
import lombok.Getter;
import org.owasp.webgoat.lessons.Lesson;
@@ -16,6 +14,7 @@ import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import java.util.ArrayList;
+import java.util.HashMap;
import java.util.List;
import java.util.Map;
@@ -40,14 +39,14 @@ public class LessonProgressService {
@RequestMapping(value = "/service/lessonprogress.mvc", produces = "application/json")
@ResponseBody
public Map getLessonInfo() {
- Map json = Maps.newHashMap();
+ Map json = new HashMap();
UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
if (webSession.getCurrentLesson() != null) {
LessonTracker lessonTracker = userTracker.getLessonTracker(webSession.getCurrentLesson());
String successMessage = "";
boolean lessonCompleted = false;
if (lessonTracker != null) {
- lessonCompleted = lessonCompleted(lessonTracker.getLessonOverview(),webSession.getCurrentLesson());
+ lessonCompleted = isLessonComplete(lessonTracker.getLessonOverview(), webSession.getCurrentLesson());
successMessage = "LessonCompleted"; //@todo we still use this??
}
json.put("lessonCompleted", lessonCompleted);
@@ -67,8 +66,8 @@ public class LessonProgressService {
public List lessonOverview() {
UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
Lesson currentLesson = webSession.getCurrentLesson();
- List result = Lists.newArrayList();
- if ( currentLesson != null ) {
+ List result = new ArrayList<>();
+ if (currentLesson != null) {
LessonTracker lessonTracker = userTracker.getLessonTracker(currentLesson);
result = toJson(lessonTracker.getLessonOverview(), currentLesson);
}
@@ -78,45 +77,38 @@ public class LessonProgressService {
private List toJson(Map map, Lesson currentLesson) {
List result = new ArrayList();
for (Map.Entry entry : map.entrySet()) {
- Assignment storedAssignment = entry.getKey();
- for (Assignment lessonAssignment: currentLesson.getAssignments()) {
- if (lessonAssignment.getName().equals(storedAssignment.getName())
- && !lessonAssignment.getPath().equals(storedAssignment.getPath())) {
- //here a stored path in the assignments table will be corrected for the JSON output
- //with the value of the actual expected path
- storedAssignment.setPath(lessonAssignment.getPath());
- result.add(new LessonOverview(storedAssignment, entry.getValue()));
- break;
-
- } else if (lessonAssignment.getName().equals(storedAssignment.getName())) {
- result.add(new LessonOverview(storedAssignment, entry.getValue()));
- break;
- }
- }
- //assignments not in the list will not be put in the lesson progress JSON output
-
+ Assignment storedAssignment = entry.getKey();
+ for (Assignment lessonAssignment : currentLesson.getAssignments()) {
+ if (lessonAssignment.getName().equals(storedAssignment.getName())
+ && !lessonAssignment.getPath().equals(storedAssignment.getPath())) {
+ //here a stored path in the assignments table will be corrected for the JSON output
+ //with the value of the actual expected path
+ storedAssignment.setPath(lessonAssignment.getPath());
+ result.add(new LessonOverview(storedAssignment, entry.getValue()));
+ break;
+
+ } else if (lessonAssignment.getName().equals(storedAssignment.getName())) {
+ result.add(new LessonOverview(storedAssignment, entry.getValue()));
+ break;
+ }
+ }
+ //assignments not in the list will not be put in the lesson progress JSON output
+
}
return result;
}
- /**
- * Get the lesson completed based on Assignment data from the database
- * while ignoring assignments no longer in the application.
- * @param map
- * @param currentLesson
- * @return
- */
- private boolean lessonCompleted(Map map, Lesson currentLesson) {
+ private boolean isLessonComplete(Map map, Lesson currentLesson) {
boolean result = true;
for (Map.Entry entry : map.entrySet()) {
- Assignment storedAssignment = entry.getKey();
- for (Assignment lessonAssignment: currentLesson.getAssignments()) {
- if (lessonAssignment.getName().equals(storedAssignment.getName())) {
- result = result && entry.getValue();
- break;
- }
- }
-
+ Assignment storedAssignment = entry.getKey();
+ for (Assignment lessonAssignment : currentLesson.getAssignments()) {
+ if (lessonAssignment.getName().equals(storedAssignment.getName())) {
+ result = result && entry.getValue();
+ break;
+ }
+ }
+
}
return result;
}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/ParameterService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/ParameterService.java
deleted file mode 100644
index 8ba3738af..000000000
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/ParameterService.java
+++ /dev/null
@@ -1,65 +0,0 @@
-/**
- * *************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
- * for free software projects.
- *
- */
-package org.owasp.webgoat.service;
-
-import com.google.common.collect.Lists;
-import org.owasp.webgoat.lessons.RequestParameter;
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
-
-import javax.servlet.http.HttpSession;
-import java.util.Collections;
-import java.util.List;
-
-/**
- * ParameterService class.
- *
- * @author rlawson
- * @version $Id: $Id
- */
-@Controller
-public class ParameterService {
-
- /**
- * Returns request parameters for last attack
- *
- * @param session a {@link javax.servlet.http.HttpSession} object.
- * @return a {@link java.util.List} object.
- */
- @RequestMapping(path = "/service/parameter.mvc", produces = "application/json")
- public @ResponseBody
- List showParameters(HttpSession session) {
- //// TODO: 11/6/2016 to decide not sure about the role in WebGoat 8
- List listParms = Lists.newArrayList();
- Collections.sort(listParms);
- return listParms;
- }
-}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/PluginReloadService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/PluginReloadService.java
index e9e494523..917920158 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/PluginReloadService.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/PluginReloadService.java
@@ -1,32 +1,32 @@
/**
* *************************************************************************************************
- *
- *
+ *
+ *
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
- *
+ *
* Copyright (c) 2002 - 20014 Bruce Mayhew
- *
+ *
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
- *
+ *
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
- *
+ *
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
- *
+ *
* Getting Source ==============
- *
+ *
* Source for this application is maintained at
* https://github.com/WebGoat/WebGoat, a repository for free software projects.
- *
*/
+
package org.owasp.webgoat.service;
import org.springframework.http.HttpStatus;
@@ -46,6 +46,7 @@ import java.util.Map;
* @author nbaars
* @version $Id: $Id
*/
+//TODO REMOVE?
@Controller
public class PluginReloadService {
@@ -58,15 +59,6 @@ public class PluginReloadService {
@RequestMapping(path = "/service/reloadplugins.mvc", produces = MediaType.APPLICATION_JSON_VALUE)
public @ResponseBody
ResponseEntity> reloadPlugins(HttpSession session) {
-// WebSession webSession = (WebSession) session.getAttribute(WebSession.SESSION);
-//
-// logger.debug("Loading plugins into cache");
-// String pluginPath = session.getServletContext().getRealPath("plugin_lessons");
-// String targetPath = session.getServletContext().getRealPath("plugin_extracted");
-// //TODO fix me
-// //new PluginsLoader(Paths.get(pluginPath), Paths.get(targetPath)).copyJars();
-// //webSession.getCourse().createLessonsFromPlugins();
-
Map result = new HashMap();
result.put("success", true);
result.put("message", "Plugins reloaded");
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/ReportCardService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/ReportCardService.java
index c382e2947..eac1cb5a7 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/ReportCardService.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/ReportCardService.java
@@ -26,9 +26,9 @@
* Source for this application is maintained at
* https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/
+
package org.owasp.webgoat.service;
-import com.google.common.collect.Lists;
import lombok.AllArgsConstructor;
import lombok.Getter;
import lombok.Setter;
@@ -43,6 +43,7 @@ import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;
+import java.util.ArrayList;
import java.util.List;
/**
@@ -66,14 +67,14 @@ public class ReportCardService {
@GetMapping(path = "/service/reportcard.mvc", produces = "application/json")
@ResponseBody
public ReportCard reportCard() {
- UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
- var lessons = course.getLessons();
ReportCard reportCard = new ReportCard();
reportCard.setTotalNumberOfLessons(course.getTotalOfLessons());
reportCard.setTotalNumberOfAssignments(course.getTotalOfAssignments());
+
+ UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
reportCard.setNumberOfAssignmentsSolved(userTracker.numberOfAssignmentsSolved());
reportCard.setNumberOfLessonsSolved(userTracker.numberOfLessonsSolved());
- for (Lesson lesson : lessons) {
+ for (Lesson lesson : course.getLessons()) {
LessonTracker lessonTracker = userTracker.getLessonTracker(lesson);
LessonStatistics lessonStatistics = new LessonStatistics();
lessonStatistics.setName(pluginMessages.getMessage(lesson.getTitle()));
@@ -93,7 +94,7 @@ public class ReportCardService {
private int solvedLessons;
private int numberOfAssignmentsSolved;
private int numberOfLessonsSolved;
- private List lessonStatistics = Lists.newArrayList();
+ private List lessonStatistics = new ArrayList<>();
}
@Setter
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java
index e44780778..4c17cbe0a 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java
@@ -21,6 +21,7 @@
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*/
+
package org.owasp.webgoat.service;
import lombok.AllArgsConstructor;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/SessionService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/SessionService.java
index 715f4e88f..5d0f4b3cc 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/SessionService.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/SessionService.java
@@ -3,6 +3,7 @@
* To change this template file, choose Tools | Templates
* and open the template in the editor.
*/
+
package org.owasp.webgoat.service;
import org.springframework.stereotype.Controller;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/LessonTracker.java b/webgoat-container/src/main/java/org/owasp/webgoat/users/LessonTracker.java
index 639b32e02..e6beedf5c 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/users/LessonTracker.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/users/LessonTracker.java
@@ -1,16 +1,12 @@
package org.owasp.webgoat.users;
-import com.google.common.collect.Sets;
import lombok.Getter;
import org.owasp.webgoat.lessons.Lesson;
import org.owasp.webgoat.lessons.Assignment;
import javax.persistence.*;
-import java.util.List;
-import java.util.Map;
-import java.util.Optional;
-import java.util.Set;
+import java.util.*;
import java.util.stream.Collectors;
@@ -53,9 +49,9 @@ public class LessonTracker {
@Getter
private String lessonName;
@OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER)
- private final Set solvedAssignments = Sets.newHashSet();
+ private final Set solvedAssignments = new HashSet<>();
@OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER)
- private final Set allAssignments = Sets.newHashSet();
+ private final Set allAssignments = new HashSet<>();
@Getter
private int numberOfAttempts = 0;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/RegistrationController.java b/webgoat-container/src/main/java/org/owasp/webgoat/users/RegistrationController.java
index 41eda0bda..754046f4c 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/users/RegistrationController.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/users/RegistrationController.java
@@ -10,6 +10,7 @@ import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
+import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.validation.Valid;
@@ -32,8 +33,7 @@ public class RegistrationController {
}
@PostMapping("/register.mvc")
- @SneakyThrows
- public String registration(@ModelAttribute("userForm") @Valid UserForm userForm, BindingResult bindingResult, HttpServletRequest request) {
+ public String registration(@ModelAttribute("userForm") @Valid UserForm userForm, BindingResult bindingResult, HttpServletRequest request) throws ServletException {
userValidator.validate(userForm, bindingResult);
if (bindingResult.hasErrors()) {
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/Scoreboard.java b/webgoat-container/src/main/java/org/owasp/webgoat/users/Scoreboard.java
index 0b77b89c6..43801e2db 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/users/Scoreboard.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/users/Scoreboard.java
@@ -1,6 +1,5 @@
package org.owasp.webgoat.users;
-import com.google.common.collect.Lists;
import lombok.AllArgsConstructor;
import lombok.Getter;
import org.owasp.webgoat.i18n.PluginMessages;
@@ -8,6 +7,7 @@ import org.owasp.webgoat.session.Course;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
+import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;
@@ -36,7 +36,7 @@ public class Scoreboard {
@GetMapping("/scoreboard-data")
public List getRankings() {
List allUsers = userRepository.findAll();
- List rankings = Lists.newArrayList();
+ List rankings = new ArrayList<>();
for (WebGoatUser user : allUsers) {
UserTracker userTracker = userTrackerRepository.findByUser(user.getUsername());
rankings.add(new Ranking(user.getUsername(), challengesSolved(userTracker)));
@@ -45,7 +45,7 @@ public class Scoreboard {
}
private List challengesSolved(UserTracker userTracker) {
- List challenges = Lists.newArrayList("Challenge1", "Challenge2", "Challenge3", "Challenge4", "Challenge5", "Challenge6", "Challenge7", "Challenge8", "Challenge9");
+ List challenges = List.of("Challenge1", "Challenge2", "Challenge3", "Challenge4", "Challenge5", "Challenge6", "Challenge7", "Challenge8", "Challenge9");
return challenges.stream()
.map(c -> userTracker.getLessonTracker(c))
.filter(l -> l.isPresent()).map(l -> l.get())
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserForm.java b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserForm.java
index 8161cacc9..e88ea5c47 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserForm.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserForm.java
@@ -16,14 +16,14 @@ import javax.validation.constraints.Size;
public class UserForm {
@NotNull
- @Size(min=6, max=45)
+ @Size(min = 6, max = 45)
@Pattern(regexp = "[a-z0-9-]*", message = "can only contain lowercase letters, digits, and -")
private String username;
@NotNull
- @Size(min=6, max=10)
+ @Size(min = 6, max = 10)
private String password;
@NotNull
- @Size(min=6, max=10)
+ @Size(min = 6, max = 10)
private String matchingPassword;
@NotNull
private String agree;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserService.java b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserService.java
index 4a203fb68..3b7825dce 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserService.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserService.java
@@ -36,7 +36,7 @@ public class UserService implements UserDetailsService {
userRepository.save(new WebGoatUser(username, password));
//if user previously existed it will not get another tracker
if (webGoatUser == null) {
- userTrackerRepository.save(new UserTracker(username));
+ userTrackerRepository.save(new UserTracker(username));
}
}
@@ -44,14 +44,14 @@ public class UserService implements UserDetailsService {
//get user if there exists one by the name
WebGoatUser webGoatUser = userRepository.findByUsername(username);
//if user exists it will be updated, otherwise created
- userRepository.save(new WebGoatUser(username,password,role));
+ userRepository.save(new WebGoatUser(username, password, role));
//if user previously existed it will not get another tracker
if (webGoatUser == null) {
- userTrackerRepository.save(new UserTracker(username));
+ userTrackerRepository.save(new UserTracker(username));
}
}
- public List getAllUsers () {
+ public List getAllUsers() {
return userRepository.findAll();
}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserTracker.java b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserTracker.java
index 675650e2a..eabc9fa68 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserTracker.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserTracker.java
@@ -1,12 +1,12 @@
package org.owasp.webgoat.users;
-import com.google.common.collect.Sets;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.lessons.Lesson;
import org.owasp.webgoat.lessons.Assignment;
import javax.persistence.*;
+import java.util.HashSet;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
@@ -53,7 +53,7 @@ public class UserTracker {
@Column(name = "username")
private String user;
@OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER)
- private Set lessonTrackers = Sets.newHashSet();
+ private Set lessonTrackers = new HashSet<>();
private UserTracker() {}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserValidator.java b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserValidator.java
index b0a46b4d6..ce63a3ef7 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserValidator.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserValidator.java
@@ -16,8 +16,8 @@ public class UserValidator implements Validator {
private final UserRepository userRepository;
@Override
- public boolean supports(Class aClass) {
- return UserForm.class.equals(aClass);
+ public boolean supports(Class clazz) {
+ return UserForm.class.equals(clazz);
}
@Override
diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/session/LessonTrackerTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/session/LessonTrackerTest.java
index efec099cf..16d1d72bc 100644
--- a/webgoat-container/src/test/java/org/owasp/webgoat/session/LessonTrackerTest.java
+++ b/webgoat-container/src/test/java/org/owasp/webgoat/session/LessonTrackerTest.java
@@ -1,9 +1,8 @@
package org.owasp.webgoat.session;
-import com.google.common.collect.Lists;
import org.junit.Test;
-import org.owasp.webgoat.lessons.Lesson;
import org.owasp.webgoat.lessons.Assignment;
+import org.owasp.webgoat.lessons.Lesson;
import org.owasp.webgoat.users.LessonTracker;
import java.util.List;
@@ -48,7 +47,7 @@ public class LessonTrackerTest {
@Test
public void allAssignmentsSolvedShouldMarkLessonAsComplete() {
Lesson lesson = mock(Lesson.class);
- when(lesson.getAssignments()).thenReturn(Lists.newArrayList(new Assignment("assignment", "assignment", List.of(""))));
+ when(lesson.getAssignments()).thenReturn(List.of(new Assignment("assignment", "assignment", List.of(""))));
LessonTracker lessonTracker = new LessonTracker(lesson);
lessonTracker.assignmentSolved("assignment");
@@ -60,7 +59,7 @@ public class LessonTrackerTest {
Lesson lesson = mock(Lesson.class);
Assignment a1 = new Assignment("a1");
Assignment a2 = new Assignment("a2");
- List assignments = Lists.newArrayList(a1, a2);
+ List assignments = List.of(a1, a2);
when(lesson.getAssignments()).thenReturn(assignments);
LessonTracker lessonTracker = new LessonTracker(lesson);
lessonTracker.assignmentSolved("a1");
@@ -74,7 +73,7 @@ public class LessonTrackerTest {
public void solvingSameAssignmentShouldNotAddItTwice() {
Lesson lesson = mock(Lesson.class);
Assignment a1 = new Assignment("a1");
- List assignments = Lists.newArrayList(a1);
+ List assignments = List.of(a1);
when(lesson.getAssignments()).thenReturn(assignments);
LessonTracker lessonTracker = new LessonTracker(lesson);
lessonTracker.assignmentSolved("a1");
diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/users/UserServiceTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/users/UserServiceTest.java
index 5b0619398..97f4766ed 100644
--- a/webgoat-container/src/test/java/org/owasp/webgoat/users/UserServiceTest.java
+++ b/webgoat-container/src/test/java/org/owasp/webgoat/users/UserServiceTest.java
@@ -6,7 +6,7 @@ import org.mockito.Mock;
import org.mockito.junit.MockitoJUnitRunner;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
-import static org.mockito.Matchers.any;
+import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.when;
@RunWith(MockitoJUnitRunner.class)
diff --git a/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/AccountVerificationHelper.java b/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/AccountVerificationHelper.java
index 0d0032d5d..7d312b2bc 100644
--- a/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/AccountVerificationHelper.java
+++ b/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/AccountVerificationHelper.java
@@ -31,29 +31,31 @@ import java.util.Map;
public class AccountVerificationHelper {
//simulating database storage of verification credentials
- private static final Integer verifyUserId = 1223445;
- private static final Map userSecQuestions = new HashMap<>();
+ private static final Integer verifyUserId = 1223445;
+ private static final Map userSecQuestions = new HashMap<>();
+
static {
- userSecQuestions.put("secQuestion0","Dr. Watson");
- userSecQuestions.put("secQuestion1","Baker Street");
+ userSecQuestions.put("secQuestion0", "Dr. Watson");
+ userSecQuestions.put("secQuestion1", "Baker Street");
}
- private static final Map secQuestionStore = new HashMap<>();
+ private static final Map secQuestionStore = new HashMap<>();
+
static {
- secQuestionStore.put(verifyUserId,userSecQuestions);
+ secQuestionStore.put(verifyUserId, userSecQuestions);
}
// end 'data store set up'
// this is to aid feedback in the attack process and is not intended to be part of the 'vulnerable' code
- public boolean didUserLikelylCheat(HashMap submittedAnswers) {
+ public boolean didUserLikelylCheat(HashMap submittedAnswers) {
boolean likely = false;
if (submittedAnswers.size() == secQuestionStore.get(verifyUserId).size()) {
likely = true;
}
- if ((submittedAnswers.containsKey("secQuestion0") && submittedAnswers.get("secQuestion0").equals(secQuestionStore.get(verifyUserId).get("secQuestion0"))) &&
- (submittedAnswers.containsKey("secQuestion1") && submittedAnswers.get("secQuestion1").equals(secQuestionStore.get(verifyUserId).get("secQuestion1"))) ) {
+ if ((submittedAnswers.containsKey("secQuestion0") && submittedAnswers.get("secQuestion0").equals(secQuestionStore.get(verifyUserId).get("secQuestion0")))
+ && (submittedAnswers.containsKey("secQuestion1") && submittedAnswers.get("secQuestion1").equals(secQuestionStore.get(verifyUserId).get("secQuestion1")))) {
likely = true;
} else {
likely = false;
@@ -64,7 +66,7 @@ public class AccountVerificationHelper {
}
//end of cheating check ... the method below is the one of real interest. Can you find the flaw?
- public boolean verifyAccount(Integer userId, HashMap submittedQuestions ) {
+ public boolean verifyAccount(Integer userId, HashMap submittedQuestions) {
//short circuit if no questions are submitted
if (submittedQuestions.entrySet().size() != secQuestionStore.get(verifyUserId).size()) {
return false;
diff --git a/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/VerifyAccount.java b/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/VerifyAccount.java
index 80a851b1a..78110a807 100644
--- a/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/VerifyAccount.java
+++ b/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/VerifyAccount.java
@@ -68,7 +68,7 @@ public class VerifyAccount extends AssignmentEndpoint {
}
// else
- if (verificationHelper.verifyAccount(new Integer(userId), (HashMap) submittedAnswers)) {
+ if (verificationHelper.verifyAccount(Integer.valueOf(userId), (HashMap) submittedAnswers)) {
userSessionData.setValue("account-verified-id", userId);
return trackProgress(success()
.feedback("verify-account.success")
diff --git a/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/bypass_restrictions/BypassRestrictionsFieldRestrictions.java b/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/bypass_restrictions/BypassRestrictionsFieldRestrictions.java
index 379c2fdfa..2cb76009f 100644
--- a/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/bypass_restrictions/BypassRestrictionsFieldRestrictions.java
+++ b/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/bypass_restrictions/BypassRestrictionsFieldRestrictions.java
@@ -35,24 +35,18 @@ public class BypassRestrictionsFieldRestrictions extends AssignmentEndpoint {
@PostMapping("/BypassRestrictions/FieldRestrictions")
@ResponseBody
public AttackResult completed(@RequestParam String select, @RequestParam String radio, @RequestParam String checkbox, @RequestParam String shortInput) {
- if (select.equals("option1") || select.equals("option2")) {
- return trackProgress(failed().build());
- }
- if (radio.equals("option1") || radio.equals("option2")) {
- return trackProgress(failed().build());
- }
- if (checkbox.equals("on") || checkbox.equals("off")) {
- return trackProgress(failed().build());
- }
- if (shortInput.length() <= 5) {
- return trackProgress(failed().build());
- }
- /*if (disabled == null) {
- return trackProgress(failed().build());
- }
- if (submit.toString().equals("submit")) {
- return trackProgress(failed().build());
- }*/
+ if (select.equals("option1") || select.equals("option2")) {
+ return trackProgress(failed().build());
+ }
+ if (radio.equals("option1") || radio.equals("option2")) {
+ return trackProgress(failed().build());
+ }
+ if (checkbox.equals("on") || checkbox.equals("off")) {
+ return trackProgress(failed().build());
+ }
+ if (shortInput.length() <= 5) {
+ return trackProgress(failed().build());
+ }
return trackProgress(success().build());
}
}
diff --git a/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/bypass_restrictions/BypassRestrictionsFrontendValidation.java b/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/bypass_restrictions/BypassRestrictionsFrontendValidation.java
index 96a96ca36..1d2a4aab7 100644
--- a/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/bypass_restrictions/BypassRestrictionsFrontendValidation.java
+++ b/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/bypass_restrictions/BypassRestrictionsFrontendValidation.java
@@ -36,13 +36,13 @@ public class BypassRestrictionsFrontendValidation extends AssignmentEndpoint {
@PostMapping("/BypassRestrictions/frontendValidation")
@ResponseBody
public AttackResult completed(@RequestParam String field1, @RequestParam String field2, @RequestParam String field3, @RequestParam String field4, @RequestParam String field5, @RequestParam String field6, @RequestParam String field7, @RequestParam Integer error) {
- String regex1 = "^[a-z]{3}$";
- String regex2 = "^[0-9]{3}$";
- String regex3 = "^[a-zA-Z0-9 ]*$";
- String regex4 = "^(one|two|three|four|five|six|seven|eight|nine)$";
- String regex5 = "^\\d{5}$";
- String regex6 = "^\\d{5}(-\\d{4})?$";
- String regex7 = "^[2-9]\\d{2}-?\\d{3}-?\\d{4}$";
+ final String regex1 = "^[a-z]{3}$";
+ final String regex2 = "^[0-9]{3}$";
+ final String regex3 = "^[a-zA-Z0-9 ]*$";
+ final String regex4 = "^(one|two|three|four|five|six|seven|eight|nine)$";
+ final String regex5 = "^\\d{5}$";
+ final String regex6 = "^\\d{5}(-\\d{4})?$";
+ final String regex7 = "^[2-9]\\d{2}-?\\d{3}-?\\d{4}$";
if (error > 0) {
return trackProgress(failed().build());
}
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/Flag.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/Flag.java
index 5ba39b638..d9b7e9bba 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/Flag.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/Flag.java
@@ -22,7 +22,6 @@
package org.owasp.webgoat.challenges;
-import com.google.common.collect.Maps;
import lombok.AllArgsConstructor;
import lombok.Getter;
import lombok.extern.slf4j.Slf4j;
@@ -40,6 +39,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
import javax.annotation.PostConstruct;
+import java.util.HashMap;
import java.util.Map;
import java.util.UUID;
import java.util.stream.IntStream;
@@ -52,7 +52,7 @@ import java.util.stream.IntStream;
@RestController
public class Flag {
- public static final Map FLAGS = Maps.newHashMap();
+ public static final Map FLAGS = new HashMap<>();
@Autowired
private UserTrackerRepository userTrackerRepository;
@Autowired
@@ -71,7 +71,7 @@ public class Flag {
IntStream.range(1, 10).forEach(i -> FLAGS.put(i, UUID.randomUUID().toString()));
}
- @RequestMapping(path="/challenge/flag", method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_VALUE)
+ @RequestMapping(path = "/challenge/flag", method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_VALUE)
@ResponseBody
public AttackResult postFlag(@RequestParam String flag) {
UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Assignment7.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Assignment7.java
index cadc855eb..b8bc7bb4a 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Assignment7.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Assignment7.java
@@ -31,14 +31,14 @@ import static org.owasp.webgoat.challenges.Flag.FLAGS;
@Slf4j
public class Assignment7 extends AssignmentEndpoint {
- private static final String TEMPLATE = "Hi, you requested a password reset link, please use this " +
- "link to reset your password." +
- "\n \n\n" +
- "If you did not request this password change you can ignore this message." +
- "\n" +
- "If you have any comments or questions, please do not hesitate to reach us at support@webgoat-cloud.org" +
- "\n\n" +
- "Kind regards, \nTeam WebGoat";
+ private static final String TEMPLATE = "Hi, you requested a password reset link, please use this "
+ + "link to reset your password."
+ + "\n \n\n"
+ + "If you did not request this password change you can ignore this message."
+ + "\n"
+ + "If you have any comments or questions, please do not hesitate to reach us at support@webgoat-cloud.org"
+ + "\n\n"
+ + "Kind regards, \nTeam WebGoat";
@Autowired
private RestTemplate restTemplate;
@@ -48,9 +48,9 @@ public class Assignment7 extends AssignmentEndpoint {
@GetMapping("/challenge/7/reset-password/{link}")
public ResponseEntity resetPassword(@PathVariable(value = "link") String link) {
if (link.equals(SolutionConstants.ADMIN_PASSWORD_LINK)) {
- return ResponseEntity.accepted().body("Success!!
" +
- "
" +
- "
Here is your flag: " + "" + FLAGS.get(7) + "");
+ return ResponseEntity.accepted().body("Success!!
"
+ + ""
+ + "
Here is your flag: " + "" + FLAGS.get(7) + "");
}
return ResponseEntity.status(HttpStatus.I_AM_A_TEAPOT).body("That is not the reset link for admin");
}
@@ -76,7 +76,6 @@ public class Assignment7 extends AssignmentEndpoint {
@GetMapping(value = "/challenge/7/.git", produces = MediaType.APPLICATION_OCTET_STREAM_VALUE)
@ResponseBody
- @SneakyThrows
public ClassPathResource git() {
return new ClassPathResource("challenge7/git.zip");
}
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/PasswordResetLink.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/PasswordResetLink.java
index a7706ea88..73bf2ecc5 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/PasswordResetLink.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/PasswordResetLink.java
@@ -20,7 +20,7 @@ public class PasswordResetLink {
}
public static String scramble(Random random, String inputString) {
- char a[] = inputString.toCharArray();
+ char[] a = inputString.toCharArray();
for (int i = 0; i < a.length; i++) {
int j = random.nextInt(a.length);
char temp = a[i];
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge8/Assignment8.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge8/Assignment8.java
index 7d776d930..315c16962 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge8/Assignment8.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge8/Assignment8.java
@@ -1,6 +1,5 @@
package org.owasp.webgoat.challenges.challenge8;
-import com.google.common.collect.Maps;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.challenges.Flag;
@@ -24,7 +23,7 @@ import java.util.stream.Collectors;
@Slf4j
public class Assignment8 extends AssignmentEndpoint {
- private static final Map votes = Maps.newHashMap();
+ private static final Map votes = new HashMap<>();
static {
votes.put(1, 400);
@@ -40,9 +39,7 @@ public class Assignment8 extends AssignmentEndpoint {
//Simple implementation of VERB Based Authentication
String msg = "";
if (request.getMethod().equals("GET")) {
- HashMap json = Maps.newHashMap();
- json.put("error", true);
- json.put("message", "Sorry but you need to login first in order to vote");
+ var json = Map.of("error", true, "message", "Sorry but you need to login first in order to vote");
return ResponseEntity.status(200).body(json);
}
Integer allVotesForStar = votes.getOrDefault(nrOfStars, 0);
@@ -59,8 +56,7 @@ public class Assignment8 extends AssignmentEndpoint {
public ResponseEntity> average() {
int totalNumberOfVotes = votes.values().stream().mapToInt(i -> i.intValue()).sum();
int categories = votes.entrySet().stream().mapToInt(e -> e.getKey() * e.getValue()).reduce(0, (a, b) -> a + b);
- Map json = Maps.newHashMap();
- json.put("average", (int) Math.ceil((double) categories / totalNumberOfVotes));
+ var json = Map.of("average", (int) Math.ceil((double) categories / totalNumberOfVotes));
return ResponseEntity.ok(json);
}
}
diff --git a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/ClientSideFilteringAssignment.java b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/ClientSideFilteringAssignment.java
index fdda6a53c..01a94915e 100644
--- a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/ClientSideFilteringAssignment.java
+++ b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/ClientSideFilteringAssignment.java
@@ -37,8 +37,8 @@ public class ClientSideFilteringAssignment extends AssignmentEndpoint {
@PostMapping("/clientSideFiltering/attack1")
@ResponseBody
public AttackResult completed(@RequestParam String answer) {
- return trackProgress("450000".equals(answer) ?
- success().feedback("assignment.solved").build() :
+ return trackProgress("450000".equals(answer)
+ ? success().feedback("assignment.solved").build() :
failed().feedback("ClientSideFiltering.incorrect").build());
}
}
diff --git a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/Salaries.java b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/Salaries.java
index b8756da29..f0ad580a9 100644
--- a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/Salaries.java
+++ b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/Salaries.java
@@ -22,12 +22,6 @@
package org.owasp.webgoat.client_side_filtering;
-/**
- *
- */
-
-import com.google.common.collect.Lists;
-import com.google.common.collect.Maps;
import lombok.SneakyThrows;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.core.io.ClassPathResource;
@@ -48,6 +42,8 @@ import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
+import java.util.ArrayList;
+import java.util.HashMap;
import java.util.List;
import java.util.Map;
@@ -57,14 +53,17 @@ public class Salaries { // {extends Endpoint {
private String webGoatHomeDirectory;
@PostConstruct
- @SneakyThrows
public void copyFiles() {
ClassPathResource classPathResource = new ClassPathResource("employees.xml");
File targetDirectory = new File(webGoatHomeDirectory, "/ClientSideFiltering");
if (!targetDirectory.exists()) {
targetDirectory.mkdir();
}
- FileCopyUtils.copy(classPathResource.getInputStream(), new FileOutputStream(new File(targetDirectory, "employees.xml")));
+ try {
+ FileCopyUtils.copy(classPathResource.getInputStream(), new FileOutputStream(new File(targetDirectory, "employees.xml")));
+ } catch (IOException e) {
+ throw new RuntimeException(e);
+ }
}
@RequestMapping(produces = {"application/json"})
@@ -73,7 +72,7 @@ public class Salaries { // {extends Endpoint {
NodeList nodes = null;
File d = new File(webGoatHomeDirectory, "ClientSideFiltering/employees.xml");
XPathFactory factory = XPathFactory.newInstance();
- XPath xPath = factory.newXPath();
+ XPath path = factory.newXPath();
InputSource inputSource = new InputSource(new FileInputStream(d));
StringBuffer sb = new StringBuffer();
@@ -87,16 +86,16 @@ public class Salaries { // {extends Endpoint {
String expression = sb.toString();
try {
- nodes = (NodeList) xPath.evaluate(expression, inputSource, XPathConstants.NODESET);
+ nodes = (NodeList) path.evaluate(expression, inputSource, XPathConstants.NODESET);
} catch (XPathExpressionException e) {
e.printStackTrace();
}
- int COLUMNS = 5;
- List json = Lists.newArrayList();
- java.util.Map employeeJson = Maps.newHashMap();
+ int columns = 5;
+ List json = new ArrayList();
+ java.util.Map employeeJson = new HashMap<>();
for (int i = 0; i < nodes.getLength(); i++) {
- if (i % COLUMNS == 0) {
- employeeJson = Maps.newHashMap();
+ if (i % columns == 0) {
+ employeeJson = new HashMap<>();
json.add(employeeJson);
}
Node node = nodes.item(i);
@@ -104,11 +103,4 @@ public class Salaries { // {extends Endpoint {
}
return json;
}
-
-// @Override
-// public String getPath() {
-// return "/clientSideFiltering/salaries";
-// }
-
-
}
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson3.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson3.java
index 3a37f6c03..889ff6ef0 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson3.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson3.java
@@ -22,13 +22,14 @@
package org.owasp.webgoat.xss;
-
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AttackResult;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
//@RestController
@Deprecated
@@ -48,8 +49,8 @@ public class CrossSiteScriptingLesson3 extends AssignmentEndpoint {
String[] lines = unescapedString.split("");
String include = (lines[0]);
- String first_name_element = doc.select("body > table > tbody > tr:nth-child(1) > td:nth-child(2)").first().text();
- String last_name_element = doc.select("body > table > tbody > tr:nth-child(2) > td:nth-child(2)").first().text();
+ String fistNameElement = doc.select("body > table > tbody > tr:nth-child(1) > td:nth-child(2)").first().text();
+ String lastNameElement = doc.select("body > table > tbody > tr:nth-child(2) > td:nth-child(2)").first().text();
Boolean includeCorrect = false;
Boolean firstNameCorrect = false;
@@ -58,10 +59,10 @@ public class CrossSiteScriptingLesson3 extends AssignmentEndpoint {
if (include.contains("<%@") && include.contains("taglib") && include.contains("uri=\"https://www.owasp.org/index.php/OWASP_Java_Encoder_Project\"") && include.contains("%>")) {
includeCorrect = true;
}
- if (first_name_element.equals("${e:forHtml(param.first_name)}")) {
+ if (fistNameElement.equals("${e:forHtml(param.first_name)}")) {
firstNameCorrect = true;
}
- if (last_name_element.equals("${e:forHtml(param.last_name)}")) {
+ if (lastNameElement.equals("${e:forHtml(param.last_name)}")) {
lastNameCorrect = true;
}
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredCrossSiteScriptingVerifier.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredCrossSiteScriptingVerifier.java
index 840445e97..e94ca0e1c 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredCrossSiteScriptingVerifier.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredCrossSiteScriptingVerifier.java
@@ -25,7 +25,10 @@ package org.owasp.webgoat.xss.stored;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.UserSessionData;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
/**
* Created by jason on 11/23/16.
@@ -33,7 +36,7 @@ import org.springframework.web.bind.annotation.*;
@RestController
public class StoredCrossSiteScriptingVerifier extends AssignmentEndpoint {
- //TODO This assignment seems not to be in use in the UI
+ //TODO This assignment seems not to be in use in the UI
@PostMapping("/CrossSiteScriptingStored/stored-xss-follow-up")
@ResponseBody
public AttackResult completed(@RequestParam String successMessage) {
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
index 6669cfe37..a170feaef 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
@@ -24,8 +24,6 @@ package org.owasp.webgoat.xss.stored;
import com.beust.jcommander.internal.Lists;
import com.fasterxml.jackson.databind.ObjectMapper;
-import com.google.common.collect.EvictingQueue;
-import com.google.common.collect.Maps;
import org.joda.time.DateTime;
import org.joda.time.format.DateTimeFormat;
import org.joda.time.format.DateTimeFormatter;
@@ -50,8 +48,8 @@ public class StoredXssComments extends AssignmentEndpoint {
private WebSession webSession;
private static DateTimeFormatter fmt = DateTimeFormat.forPattern("yyyy-MM-dd, HH:mm:ss");
- private static final Map> userComments = Maps.newHashMap();
- private static final EvictingQueue comments = EvictingQueue.create(100);
+ private static final Map> userComments = new HashMap<>();
+ private static final List comments = new ArrayList<>();
private static final String phoneHomeString = "";
@@ -82,7 +80,7 @@ public class StoredXssComments extends AssignmentEndpoint {
public AttackResult createNewComment(@RequestBody String commentStr) {
Comment comment = parseJson(commentStr);
- EvictingQueue comments = userComments.getOrDefault(webSession.getUserName(), EvictingQueue.create(100));
+ List comments = userComments.getOrDefault(webSession.getUserName(), new ArrayList<>());
comment.setDateTime(DateTime.now().toString(fmt));
comment.setUser(webSession.getUserName());
diff --git a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFGetFlag.java b/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFGetFlag.java
index f063c9208..ebfc8c630 100644
--- a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFGetFlag.java
+++ b/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFGetFlag.java
@@ -49,21 +49,17 @@ public class CSRFGetFlag {
@Autowired
private PluginMessages pluginMessages;
- @RequestMapping(path="/csrf/basic-get-flag" ,produces = {"application/json"}, method = RequestMethod.POST)
+ @RequestMapping(path = "/csrf/basic-get-flag", produces = {"application/json"}, method = RequestMethod.POST)
@ResponseBody
public Map invoke(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
Map response = new HashMap<>();
String host = (req.getHeader("host") == null) ? "NULL" : req.getHeader("host");
-// String origin = (req.getHeader("origin") == null) ? "NULL" : req.getHeader("origin");
-// Integer serverPort = (req.getServerPort() < 1) ? 0 : req.getServerPort();
-// String serverName = (req.getServerName() == null) ? "NULL" : req.getServerName();
String referer = (req.getHeader("referer") == null) ? "NULL" : req.getHeader("referer");
String[] refererArr = referer.split("/");
-
if (referer.equals("NULL")) {
if (req.getParameter("csrf").equals("true")) {
Random random = new Random();
@@ -93,9 +89,4 @@ public class CSRFGetFlag {
return response;
}
-//
-// @Override
-// public String getPath() {
-// return "/csrf/basic-get-flag";
-// }
}
diff --git a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java b/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
index 4a895bf34..4f979d48a 100644
--- a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
+++ b/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
@@ -23,8 +23,6 @@
package org.owasp.webgoat.csrf;
import com.beust.jcommander.internal.Lists;
-import com.google.common.collect.EvictingQueue;
-import com.google.common.collect.Maps;
import org.joda.time.DateTime;
import org.joda.time.format.DateTimeFormat;
import org.joda.time.format.DateTimeFormatter;
@@ -37,8 +35,7 @@ import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.*;
import javax.servlet.http.HttpServletRequest;
-import java.util.Collection;
-import java.util.Map;
+import java.util.*;
import static org.springframework.http.MediaType.ALL_VALUE;
@@ -50,8 +47,8 @@ public class ForgedReviews extends AssignmentEndpoint {
private WebSession webSession;
private static DateTimeFormatter fmt = DateTimeFormat.forPattern("yyyy-MM-dd, HH:mm:ss");
- private static final Map> userReviews = Maps.newHashMap();
- private static final EvictingQueue REVIEWS = EvictingQueue.create(100);
+ private static final Map> userReviews = new HashMap<>();
+ private static final List REVIEWS = new ArrayList<>();
private static final String weakAntiCSRF = "2aa14227b9a13d0bede0388a7fba9aa9";
@@ -79,22 +76,16 @@ public class ForgedReviews extends AssignmentEndpoint {
@PostMapping("/csrf/review")
@ResponseBody
public AttackResult createNewReview(String reviewText, Integer stars, String validateReq, HttpServletRequest request) {
+ final String host = (request.getHeader("host") == null) ? "NULL" : request.getHeader("host");
+ final String referer = (request.getHeader("referer") == null) ? "NULL" : request.getHeader("referer");
+ final String[] refererArr = referer.split("/");
- String host = (request.getHeader("host") == null) ? "NULL" : request.getHeader("host");
-// String origin = (req.getHeader("origin") == null) ? "NULL" : req.getHeader("origin");
-// Integer serverPort = (req.getServerPort() < 1) ? 0 : req.getServerPort();
-// String serverName = (req.getServerName() == null) ? "NULL" : req.getServerName();
- String referer = (request.getHeader("referer") == null) ? "NULL" : request.getHeader("referer");
- String[] refererArr = referer.split("/");
-
- EvictingQueue reviews = userReviews.getOrDefault(webSession.getUserName(), EvictingQueue.create(100));
Review review = new Review();
-
review.setText(reviewText);
review.setDateTime(DateTime.now().toString(fmt));
review.setUser(webSession.getUserName());
review.setStars(stars);
-
+ var reviews = userReviews.getOrDefault(webSession.getUserName(), new ArrayList<>());
reviews.add(review);
userReviews.put(webSession.getUserName(), reviews);
//short-circuit
diff --git a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java
index a04bf518e..d547f6769 100644
--- a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java
+++ b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java
@@ -32,19 +32,19 @@ import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
@RestController
-@AssignmentHints({"idor.hints.idorDiffAttributes1","idor.hints.idorDiffAttributes2","idor.hints.idorDiffAttributes3"})
+@AssignmentHints({"idor.hints.idorDiffAttributes1", "idor.hints.idorDiffAttributes2", "idor.hints.idorDiffAttributes3"})
public class IDORDiffAttributes extends AssignmentEndpoint {
@PostMapping("IDOR/diff-attributes")
@ResponseBody
- public AttackResult completed(@RequestParam String attributes, HttpServletRequest request) throws IOException {
+ public AttackResult completed(@RequestParam String attributes) {
attributes = attributes.trim();
String[] diffAttribs = attributes.split(",");
if (diffAttribs.length < 2) {
return trackProgress(failed().feedback("idor.diff.attributes.missing").build());
}
- if (diffAttribs[0].toLowerCase().trim().equals("userid") && diffAttribs[1].toLowerCase().trim().equals("role") ||
- diffAttribs[1].toLowerCase().trim().equals("userid") && diffAttribs[0].toLowerCase().trim().equals("role")) {
+ if (diffAttribs[0].toLowerCase().trim().equals("userid") && diffAttribs[1].toLowerCase().trim().equals("role")
+ || diffAttribs[1].toLowerCase().trim().equals("userid") && diffAttribs[0].toLowerCase().trim().equals("role")) {
return trackProgress(success().feedback("idor.diff.success").build());
} else {
return trackProgress(failed().feedback("idor.diff.failure").build());
diff --git a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDOREditOtherProfiile.java b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDOREditOtherProfiile.java
index f96798a81..07110c334 100644
--- a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDOREditOtherProfiile.java
+++ b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDOREditOtherProfiile.java
@@ -30,7 +30,7 @@ import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.*;
@RestController
-@AssignmentHints({"idor.hints.otherProfile1","idor.hints.otherProfile2","idor.hints.otherProfile3","idor.hints.otherProfile4","idor.hints.otherProfile5","idor.hints.otherProfile6","idor.hints.otherProfile7","idor.hints.otherProfile8","idor.hints.otherProfile9"})
+@AssignmentHints({"idor.hints.otherProfile1", "idor.hints.otherProfile2", "idor.hints.otherProfile3", "idor.hints.otherProfile4", "idor.hints.otherProfile5", "idor.hints.otherProfile6", "idor.hints.otherProfile7", "idor.hints.otherProfile8", "idor.hints.otherProfile9"})
public class IDOREditOtherProfiile extends AssignmentEndpoint {
@Autowired
@@ -40,7 +40,7 @@ public class IDOREditOtherProfiile extends AssignmentEndpoint {
@ResponseBody
public AttackResult completed(@PathVariable("userId") String userId, @RequestBody UserProfile userSubmittedProfile) {
- String authUserId = (String)userSessionData.getValue("idor-authenticated-user-id");
+ String authUserId = (String) userSessionData.getValue("idor-authenticated-user-id");
// this is where it starts ... accepting the user submitted ID and assuming it will be the same as the logged in userId and not checking for proper authorization
// Certain roles can sometimes edit others' profiles, but we shouldn't just assume that and let everyone, right?
// Except that this is a vulnerable app ... so we will
@@ -50,12 +50,12 @@ public class IDOREditOtherProfiile extends AssignmentEndpoint {
currentUserProfile.setColor(userSubmittedProfile.getColor());
currentUserProfile.setRole(userSubmittedProfile.getRole());
// we will persist in the session object for now in case we want to refer back or use it later
- userSessionData.setValue("idor-updated-other-profile",currentUserProfile);
+ userSessionData.setValue("idor-updated-other-profile", currentUserProfile);
if (currentUserProfile.getRole() <= 1 && currentUserProfile.getColor().toLowerCase().equals("red")) {
return trackProgress(success()
- .feedback("idor.edit.profile.success1")
- .output(currentUserProfile.profileToMap().toString())
- .build());
+ .feedback("idor.edit.profile.success1")
+ .output(currentUserProfile.profileToMap().toString())
+ .build());
}
if (currentUserProfile.getRole() > 1 && currentUserProfile.getColor().toLowerCase().equals("red")) {
@@ -67,25 +67,25 @@ public class IDOREditOtherProfiile extends AssignmentEndpoint {
if (currentUserProfile.getRole() <= 1 && !currentUserProfile.getColor().toLowerCase().equals("red")) {
return trackProgress(success()
- .feedback("idor.edit.profile.failure2")
- .output(currentUserProfile.profileToMap().toString())
- .build());
+ .feedback("idor.edit.profile.failure2")
+ .output(currentUserProfile.profileToMap().toString())
+ .build());
}
// else
- return trackProgress(failed().
- feedback("idor.edit.profile.failure3")
- .output(currentUserProfile.profileToMap().toString())
- .build());
+ return trackProgress(failed()
+ .feedback("idor.edit.profile.failure3")
+ .output(currentUserProfile.profileToMap().toString())
+ .build());
} else if (userSubmittedProfile.getUserId().equals(authUserId)) {
return failed().feedback("idor.edit.profile.failure4").build();
}
- if (currentUserProfile.getColor().equals("black") && currentUserProfile.getRole() <= 1 ) {
+ if (currentUserProfile.getColor().equals("black") && currentUserProfile.getRole() <= 1) {
return trackProgress(success()
- .feedback("idor.edit.profile.success2")
- .output(userSessionData.getValue("idor-updated-own-profile").toString())
- .build());
+ .feedback("idor.edit.profile.success2")
+ .output(userSessionData.getValue("idor-updated-own-profile").toString())
+ .build());
} else {
return trackProgress(failed().feedback("idor.edit.profile.failure3").build());
}
diff --git a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORViewOtherProfile.java b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORViewOtherProfile.java
index 629505438..e8c597af3 100644
--- a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORViewOtherProfile.java
+++ b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORViewOtherProfile.java
@@ -22,21 +22,23 @@
package org.owasp.webgoat.idor;
-
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.UserSessionData;
import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
import javax.servlet.http.HttpServletResponse;
import java.util.HashMap;
import java.util.Map;
@RestController
-@AssignmentHints({"idor.hints.otherProfile1","idor.hints.otherProfile2","idor.hints.otherProfile3","idor.hints.otherProfile4","idor.hints.otherProfile5","idor.hints.otherProfile6","idor.hints.otherProfile7","idor.hints.otherProfile8","idor.hints.otherProfile9"})
-public class IDORViewOtherProfile extends AssignmentEndpoint{
+@AssignmentHints({"idor.hints.otherProfile1", "idor.hints.otherProfile2", "idor.hints.otherProfile3", "idor.hints.otherProfile4", "idor.hints.otherProfile5", "idor.hints.otherProfile6", "idor.hints.otherProfile7", "idor.hints.otherProfile8", "idor.hints.otherProfile9"})
+public class IDORViewOtherProfile extends AssignmentEndpoint {
@Autowired
UserSessionData userSessionData;
@@ -44,16 +46,16 @@ public class IDORViewOtherProfile extends AssignmentEndpoint{
@GetMapping(path = "IDOR/profile/{userId}", produces = {"application/json"})
@ResponseBody
public AttackResult completed(@PathVariable("userId") String userId, HttpServletResponse resp) {
- Map details = new HashMap<>();
+ Map details = new HashMap<>();
if (userSessionData.getValue("idor-authenticated-as").equals("tom")) {
//going to use session auth to view this one
- String authUserId = (String)userSessionData.getValue("idor-authenticated-user-id");
- if(userId != null && !userId.equals(authUserId)) {
+ String authUserId = (String) userSessionData.getValue("idor-authenticated-user-id");
+ if (userId != null && !userId.equals(authUserId)) {
//on the right track
UserProfile requestedProfile = new UserProfile(userId);
// secure code would ensure there was a horizontal access control check prior to dishing up the requested profile
- if (requestedProfile.getUserId().equals("2342388")){
+ if (requestedProfile.getUserId().equals("2342388")) {
return trackProgress(success().feedback("idor.view.profile.success").output(requestedProfile.profileToMap().toString()).build());
} else {
return trackProgress(failed().feedback("idor.view.profile.close1").build());
diff --git a/webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java b/webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java
index d43905174..c49e3d9d4 100644
--- a/webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java
+++ b/webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java
@@ -38,27 +38,28 @@ import java.io.ObjectInputStream;
import java.util.Base64;
@RestController
-@AssignmentHints({"insecure-deserialization.hints.1","insecure-deserialization.hints.2","insecure-deserialization.hints.3"})
+@AssignmentHints({"insecure-deserialization.hints.1", "insecure-deserialization.hints.2", "insecure-deserialization.hints.3"})
public class InsecureDeserializationTask extends AssignmentEndpoint {
@PostMapping("/InsecureDeserialization/task")
@ResponseBody
public AttackResult completed(@RequestParam String token) throws IOException {
String b64token;
- long before, after;
+ long before;
+ long after;
int delay;
b64token = token.replace('-', '+').replace('_', '/');
-
+
try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(Base64.getDecoder().decode(b64token)))) {
- before = System.currentTimeMillis();
- Object o = ois.readObject();
- if (!(o instanceof VulnerableTaskHolder)) {
- if (o instanceof String) {
- return trackProgress(failed().feedback("insecure-deserialization.stringobject").build());
- }
- return trackProgress(failed().feedback("insecure-deserialization.wrongobject").build());
- }
+ before = System.currentTimeMillis();
+ Object o = ois.readObject();
+ if (!(o instanceof VulnerableTaskHolder)) {
+ if (o instanceof String) {
+ return trackProgress(failed().feedback("insecure-deserialization.stringobject").build());
+ }
+ return trackProgress(failed().feedback("insecure-deserialization.wrongobject").build());
+ }
after = System.currentTimeMillis();
} catch (InvalidClassException e) {
return trackProgress(failed().feedback("insecure-deserialization.invalidversion").build());
diff --git a/webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/SerializationHelper.java b/webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/SerializationHelper.java
index 0ffd90b02..8fbb46dc8 100644
--- a/webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/SerializationHelper.java
+++ b/webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/SerializationHelper.java
@@ -1,54 +1,54 @@
-package org.owasp.webgoat.deserialization;
-
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.DataOutputStream;
-import java.io.IOException;
-import java.io.ObjectInputStream;
-import java.io.ObjectOutputStream;
-import java.io.Serializable;
-import java.util.Base64;
-
-public class SerializationHelper {
-
- private final static char[] hexArray = "0123456789ABCDEF".toCharArray();
-
- public static Object fromString( String s ) throws IOException ,
- ClassNotFoundException {
- byte [] data = Base64.getDecoder().decode( s );
- ObjectInputStream ois = new ObjectInputStream(
- new ByteArrayInputStream( data ) );
- Object o = ois.readObject();
- ois.close();
- return o;
- }
-
- public static String toString( Serializable o ) throws IOException {
-
- ByteArrayOutputStream baos = new ByteArrayOutputStream();
- ObjectOutputStream oos = new ObjectOutputStream( baos );
- oos.writeObject( o );
- oos.close();
- return Base64.getEncoder().encodeToString(baos.toByteArray());
- }
-
- public static String show() throws IOException {
- ByteArrayOutputStream baos = new ByteArrayOutputStream();
- DataOutputStream dos = new DataOutputStream(baos);
- dos.writeLong(-8699352886133051976L);
- dos.close();
- byte[] longBytes = baos.toByteArray();
- return bytesToHex(longBytes);
- }
-
- public static String bytesToHex(byte[] bytes) {
- char[] hexChars = new char[bytes.length * 2];
- for ( int j = 0; j < bytes.length; j++ ) {
- int v = bytes[j] & 0xFF;
- hexChars[j * 2] = hexArray[v >>> 4];
- hexChars[j * 2 + 1] = hexArray[v & 0x0F];
- }
- return new String(hexChars);
- }
-
-}
+package org.owasp.webgoat.deserialization;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.DataOutputStream;
+import java.io.IOException;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.io.Serializable;
+import java.util.Base64;
+
+public class SerializationHelper {
+
+ private static final char[] hexArray = "0123456789ABCDEF".toCharArray();
+
+ public static Object fromString(String s) throws IOException,
+ ClassNotFoundException {
+ byte[] data = Base64.getDecoder().decode(s);
+ ObjectInputStream ois = new ObjectInputStream(
+ new ByteArrayInputStream(data));
+ Object o = ois.readObject();
+ ois.close();
+ return o;
+ }
+
+ public static String toString(Serializable o) throws IOException {
+
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ ObjectOutputStream oos = new ObjectOutputStream(baos);
+ oos.writeObject(o);
+ oos.close();
+ return Base64.getEncoder().encodeToString(baos.toByteArray());
+ }
+
+ public static String show() throws IOException {
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ DataOutputStream dos = new DataOutputStream(baos);
+ dos.writeLong(-8699352886133051976L);
+ dos.close();
+ byte[] longBytes = baos.toByteArray();
+ return bytesToHex(longBytes);
+ }
+
+ public static String bytesToHex(byte[] bytes) {
+ char[] hexChars = new char[bytes.length * 2];
+ for (int j = 0; j < bytes.length; j++) {
+ int v = bytes[j] & 0xFF;
+ hexChars[j * 2] = hexArray[v >>> 4];
+ hexChars[j * 2 + 1] = hexArray[v & 0x0F];
+ }
+ return new String(hexChars);
+ }
+
+}
diff --git a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java b/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
index 40b17ed38..74979f359 100644
--- a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
+++ b/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
@@ -22,24 +22,17 @@
package org.owasp.webgoat.jwt;
-import com.google.common.collect.Lists;
-import com.google.common.collect.Maps;
import io.jsonwebtoken.*;
import org.apache.commons.lang3.RandomStringUtils;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.session.WebSession;
-import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.*;
-import java.util.Date;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
import java.util.concurrent.TimeUnit;
/**
@@ -52,7 +45,7 @@ public class JWTRefreshEndpoint extends AssignmentEndpoint {
public static final String PASSWORD = "bm5nhSkxCXZkKRy4";
private static final String JWT_PASSWORD = "bm5n3SkxCX4kKRy4";
- private static final List validRefreshTokens = Lists.newArrayList();
+ private static final List validRefreshTokens = new ArrayList<>();
@PostMapping(value = "/JWT/refresh/login", consumes = MediaType.APPLICATION_JSON_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
@ResponseBody
@@ -67,7 +60,7 @@ public class JWTRefreshEndpoint extends AssignmentEndpoint {
}
private Map createNewTokens(String user) {
- Map claims = Maps.newHashMap();
+ Map claims = new HashMap<>();
claims.put("admin", "false");
claims.put("user", user);
String token = Jwts.builder()
@@ -75,7 +68,7 @@ public class JWTRefreshEndpoint extends AssignmentEndpoint {
.setClaims(claims)
.signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD)
.compact();
- Map tokenJson = Maps.newHashMap();
+ Map tokenJson = new HashMap<>();
String refreshToken = RandomStringUtils.randomAlphabetic(20);
validRefreshTokens.add(refreshToken);
tokenJson.put("access_token", token);
diff --git a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java b/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
index 62cd55d77..3cf037e53 100644
--- a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
+++ b/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
@@ -22,24 +22,16 @@
package org.owasp.webgoat.jwt;
-import com.google.common.collect.Lists;
-import io.jsonwebtoken.impl.TextCodec;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AssignmentPath;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.springframework.http.MediaType;
-import org.springframework.web.bind.annotation.PostMapping;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestParam;
-
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwt;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
-
-import org.springframework.web.bind.annotation.ResponseBody;
-import org.springframework.web.bind.annotation.RestController;
+import io.jsonwebtoken.impl.TextCodec;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.springframework.http.MediaType;
+import org.springframework.web.bind.annotation.*;
import java.time.Instant;
import java.util.Calendar;
@@ -55,24 +47,24 @@ import java.util.Random;
@AssignmentHints({"jwt-secret-hint1", "jwt-secret-hint2", "jwt-secret-hint3"})
public class JWTSecretKeyEndpoint extends AssignmentEndpoint {
- public static final String[] SECRETS = {"victory","business","available", "shipping", "washington"};
+ public static final String[] SECRETS = {"victory", "business", "available", "shipping", "washington"};
public static final String JWT_SECRET = TextCodec.BASE64.encode(SECRETS[new Random().nextInt(SECRETS.length)]);
private static final String WEBGOAT_USER = "WebGoat";
- private static final List expectedClaims = Lists.newArrayList("iss", "iat", "exp", "aud", "sub", "username", "Email", "Role");
+ private static final List expectedClaims = List.of("iss", "iat", "exp", "aud", "sub", "username", "Email", "Role");
- @RequestMapping(path="/JWT/secret/gettoken",produces=MediaType.TEXT_HTML_VALUE)
+ @RequestMapping(path = "/JWT/secret/gettoken", produces = MediaType.TEXT_HTML_VALUE)
@ResponseBody
public String getSecretToken() {
- return Jwts.builder()
- .setIssuer("WebGoat Token Builder")
- .setAudience("webgoat.org")
- .setIssuedAt(Calendar.getInstance().getTime())
- .setExpiration(Date.from(Instant.now().plusSeconds(60)))
- .setSubject("tom@webgoat.org")
- .claim("username", "Tom")
- .claim("Email", "tom@webgoat.org")
- .claim("Role", new String[] {"Manager", "Project Administrator"})
- .signWith(SignatureAlgorithm.HS256, JWT_SECRET).compact();
+ return Jwts.builder()
+ .setIssuer("WebGoat Token Builder")
+ .setAudience("webgoat.org")
+ .setIssuedAt(Calendar.getInstance().getTime())
+ .setExpiration(Date.from(Instant.now().plusSeconds(60)))
+ .setSubject("tom@webgoat.org")
+ .claim("username", "Tom")
+ .claim("Email", "tom@webgoat.org")
+ .claim("Role", new String[]{"Manager", "Project Administrator"})
+ .signWith(SignatureAlgorithm.HS256, JWT_SECRET).compact();
}
@PostMapping("/JWT/secret")
@@ -93,7 +85,7 @@ public class JWTSecretKeyEndpoint extends AssignmentEndpoint {
}
}
} catch (Exception e) {
- e.printStackTrace();
+ e.printStackTrace();
return trackProgress(failed().feedback("jwt-invalid-token").output(e.getMessage()).build());
}
}
diff --git a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java b/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
index 656cb492f..da6278560 100644
--- a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
+++ b/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
@@ -22,7 +22,6 @@
package org.owasp.webgoat.jwt;
-import com.google.common.collect.Maps;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwt;
import io.jsonwebtoken.JwtException;
@@ -46,6 +45,7 @@ import javax.servlet.http.HttpServletResponse;
import java.time.Duration;
import java.time.Instant;
import java.util.Date;
+import java.util.HashMap;
import java.util.Map;
import static java.util.Comparator.comparingLong;
@@ -64,7 +64,7 @@ public class JWTVotesEndpoint extends AssignmentEndpoint {
private static String validUsers = "TomJerrySylvester";
private static int totalVotes = 38929;
- private Map votes = Maps.newHashMap();
+ private Map votes = new HashMap<>();
@PostConstruct
public void initVotes() {
diff --git a/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTFinalEndpointTest.java b/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTFinalEndpointTest.java
index f07334549..e9f6970e4 100644
--- a/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTFinalEndpointTest.java
+++ b/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTFinalEndpointTest.java
@@ -1,6 +1,5 @@
package org.owasp.webgoat.jwt;
-import com.google.common.collect.Maps;
import io.jsonwebtoken.Jwts;
import org.hamcrest.CoreMatchers;
import org.junit.Before;
@@ -8,12 +7,12 @@ import org.junit.Test;
import org.junit.runner.RunWith;
import org.owasp.webgoat.plugins.LessonTest;
import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.test.autoconfigure.core.AutoConfigureCache;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import java.util.Date;
+import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.TimeUnit;
@@ -39,7 +38,7 @@ public class JWTFinalEndpointTest extends LessonTest {
@Test
public void solveAssignment() throws Exception {
String key = "deletingTom";
- Map claims = Maps.newHashMap();
+ Map claims = new HashMap<>();
claims.put("username", "Tom");
String token = Jwts.builder()
.setHeaderParam("kid", "hacked' UNION select '" + key + "' from INFORMATION_SCHEMA.SYSTEM_USERS --")
diff --git a/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTRefreshEndpointTest.java b/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTRefreshEndpointTest.java
index c196855ec..89d368763 100644
--- a/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTRefreshEndpointTest.java
+++ b/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTRefreshEndpointTest.java
@@ -23,7 +23,6 @@
package org.owasp.webgoat.jwt;
import com.fasterxml.jackson.databind.ObjectMapper;
-import com.google.common.collect.Maps;
import org.hamcrest.CoreMatchers;
import org.junit.Before;
import org.junit.Test;
@@ -36,6 +35,7 @@ import org.springframework.test.web.servlet.MvcResult;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+import java.util.HashMap;
import java.util.Map;
import static org.hamcrest.Matchers.is;
@@ -62,9 +62,7 @@ public class JWTRefreshEndpointTest extends LessonTest {
ObjectMapper objectMapper = new ObjectMapper();
//First login to obtain tokens for Jerry
- Map loginJson = Maps.newHashMap();
- loginJson.put("user", "Jerry");
- loginJson.put("password", PASSWORD);
+ var loginJson = Map.of("user", "Jerry", "password", PASSWORD);
MvcResult result = mockMvc.perform(MockMvcRequestBuilders.post("/JWT/refresh/login")
.contentType(MediaType.APPLICATION_JSON)
.content(objectMapper.writeValueAsString(loginJson)))
@@ -76,7 +74,7 @@ public class JWTRefreshEndpointTest extends LessonTest {
//Now create a new refresh token for Tom based on Toms old access token and send the refresh token of Jerry
String accessTokenTom = "eyJhbGciOiJIUzUxMiJ9.eyJpYXQiOjE1MjYxMzE0MTEsImV4cCI6MTUyNjIxNzgxMSwiYWRtaW4iOiJmYWxzZSIsInVzZXIiOiJUb20ifQ.DCoaq9zQkyDH25EcVWKcdbyVfUL4c9D4jRvsqOqvi9iAd4QuqmKcchfbU8FNzeBNF9tLeFXHZLU4yRkq-bjm7Q";
- Map refreshJson = Maps.newHashMap();
+ Map refreshJson = new HashMap<>();
refreshJson.put("refresh_token", refreshToken);
result = mockMvc.perform(MockMvcRequestBuilders.post("/JWT/refresh/newToken")
.contentType(MediaType.APPLICATION_JSON)
@@ -116,9 +114,7 @@ public class JWTRefreshEndpointTest extends LessonTest {
public void flowForJerryAlwaysWorks() throws Exception {
ObjectMapper objectMapper = new ObjectMapper();
- Map loginJson = Maps.newHashMap();
- loginJson.put("user", "Jerry");
- loginJson.put("password", PASSWORD);
+ var loginJson = Map.of("user", "Jerry", "password", PASSWORD);
MvcResult result = mockMvc.perform(MockMvcRequestBuilders.post("/JWT/refresh/login")
.contentType(MediaType.APPLICATION_JSON)
.content(objectMapper.writeValueAsString(loginJson)))
@@ -137,9 +133,7 @@ public class JWTRefreshEndpointTest extends LessonTest {
public void loginShouldNotWorkForJerryWithWrongPassword() throws Exception {
ObjectMapper objectMapper = new ObjectMapper();
- Map loginJson = Maps.newHashMap();
- loginJson.put("user", "Jerry");
- loginJson.put("password", PASSWORD + "wrong");
+ var loginJson = Map.of("user", "Jerry", "password", PASSWORD + "wrong");
mockMvc.perform(MockMvcRequestBuilders.post("/JWT/refresh/login")
.contentType(MediaType.APPLICATION_JSON)
.content(objectMapper.writeValueAsString(loginJson)))
@@ -150,9 +144,7 @@ public class JWTRefreshEndpointTest extends LessonTest {
public void loginShouldNotWorkForTom() throws Exception {
ObjectMapper objectMapper = new ObjectMapper();
- Map loginJson = Maps.newHashMap();
- loginJson.put("user", "Tom");
- loginJson.put("password", PASSWORD);
+ var loginJson = Map.of("user", "Tom", "password", PASSWORD);
mockMvc.perform(MockMvcRequestBuilders.post("/JWT/refresh/login")
.contentType(MediaType.APPLICATION_JSON)
.content(objectMapper.writeValueAsString(loginJson)))
@@ -162,7 +154,7 @@ public class JWTRefreshEndpointTest extends LessonTest {
@Test
public void newTokenShouldWorkForJerry() throws Exception {
ObjectMapper objectMapper = new ObjectMapper();
- Map loginJson = Maps.newHashMap();
+ Map loginJson = new HashMap<>();
loginJson.put("user", "Jerry");
loginJson.put("password", PASSWORD);
MvcResult result = mockMvc.perform(MockMvcRequestBuilders.post("/JWT/refresh/login")
@@ -174,8 +166,7 @@ public class JWTRefreshEndpointTest extends LessonTest {
String accessToken = tokens.get("access_token");
String refreshToken = tokens.get("refresh_token");
- Map refreshJson = Maps.newHashMap();
- refreshJson.put("refresh_token", refreshToken);
+ var refreshJson = Map.of("refresh_token", refreshToken);
mockMvc.perform(MockMvcRequestBuilders.post("/JWT/refresh/newToken")
.contentType(MediaType.APPLICATION_JSON)
.header("Authorization", "Bearer " + accessToken)
@@ -186,7 +177,7 @@ public class JWTRefreshEndpointTest extends LessonTest {
@Test
public void unknownRefreshTokenShouldGiveUnauthorized() throws Exception {
ObjectMapper objectMapper = new ObjectMapper();
- Map loginJson = Maps.newHashMap();
+ Map loginJson = new HashMap<>();
loginJson.put("user", "Jerry");
loginJson.put("password", PASSWORD);
MvcResult result = mockMvc.perform(MockMvcRequestBuilders.post("/JWT/refresh/login")
@@ -197,8 +188,7 @@ public class JWTRefreshEndpointTest extends LessonTest {
Map tokens = objectMapper.readValue(result.getResponse().getContentAsString(), Map.class);
String accessToken = tokens.get("access_token");
- Map refreshJson = Maps.newHashMap();
- refreshJson.put("refresh_token", "wrong_refresh_token");
+ var refreshJson = Map.of("refresh_token", "wrong_refresh_token");
mockMvc.perform(MockMvcRequestBuilders.post("/JWT/refresh/newToken")
.contentType(MediaType.APPLICATION_JSON)
.header("Authorization", "Bearer " + accessToken)
diff --git a/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/TokenTest.java b/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/TokenTest.java
index fb319d99e..afc129877 100644
--- a/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/TokenTest.java
+++ b/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/TokenTest.java
@@ -22,16 +22,12 @@
package org.owasp.webgoat.jwt;
-import com.google.common.base.Charsets;
-import com.google.common.collect.Maps;
import io.jsonwebtoken.*;
import io.jsonwebtoken.impl.TextCodec;
import org.junit.Test;
import java.time.Duration;
import java.time.Instant;
-import java.time.LocalDateTime;
-import java.time.Period;
import java.util.Date;
import java.util.Map;
import java.util.concurrent.TimeUnit;
@@ -41,10 +37,7 @@ public class TokenTest {
@Test
public void test() {
String key = "qwertyqwerty1234";
- Map claims = Maps.newHashMap();
- claims.put("username", "Jerry");
- claims.put("aud", "webgoat.org");
- claims.put("email", "jerry@webgoat.com");
+ Map claims = Map.of("username", "Jerry", "aud", "webgoat.org", "email", "jerry@webgoat.com");
String token = Jwts.builder()
.setHeaderParam("kid", "webgoat_key")
.setIssuedAt(new Date(System.currentTimeMillis() + TimeUnit.DAYS.toDays(10)))
@@ -52,7 +45,7 @@ public class TokenTest {
.signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, key).compact();
System.out.println(token);
Jwt jwt = Jwts.parser().setSigningKey("qwertyqwerty1234").parse(token);
- jwt = Jwts.parser().setSigningKeyResolver(new SigningKeyResolverAdapter(){
+ jwt = Jwts.parser().setSigningKeyResolver(new SigningKeyResolverAdapter() {
@Override
public byte[] resolveSigningKeyBytes(JwsHeader header, Claims claims) {
return TextCodec.BASE64.decode(key);
diff --git a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java
index 99d05351b..38dc0f211 100644
--- a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java
+++ b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java
@@ -1,7 +1,5 @@
package org.owasp.webgoat.missing_ac;
-
-import lombok.Getter;
import org.owasp.webgoat.users.WebGoatUser;
import org.springframework.security.core.GrantedAuthority;
@@ -32,10 +30,8 @@ import java.util.Base64;
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
- *
*/
-
public class DisplayUser {
//intended to provide a display version of WebGoatUser for admins to view user attributes
@@ -63,7 +59,7 @@ public class DisplayUser {
}
- protected String genUserHash (String username, String password) throws Exception {
+ protected String genUserHash(String username, String password) throws Exception {
MessageDigest md = MessageDigest.getInstance("SHA-256");
// salting is good, but static & too predictable ... short too for a salt
String salted = password + "DeliberatelyInsecure1234" + username;
diff --git a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACHiddenMenus.java b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACHiddenMenus.java
index da74aa05e..3c16195df 100644
--- a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACHiddenMenus.java
+++ b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACHiddenMenus.java
@@ -22,23 +22,14 @@
package org.owasp.webgoat.missing_ac;
-import com.google.common.collect.Lists;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.UserSessionData;
import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.web.bind.annotation.*;
-
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-import java.util.HashMap;
-import java.util.List;
-
-import java.util.Map;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
/**
* Created by jason on 1/5/17.
diff --git a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
index 21898432f..291ee9c82 100644
--- a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
+++ b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
@@ -58,7 +58,6 @@ public class Users {
if ((results != null) && (results.first() == true)) {
while (results.next()) {
- int id = results.getInt(0);
HashMap userMap = new HashMap<>();
userMap.put("first", results.getString(1));
userMap.put("last", results.getString(2));
@@ -66,7 +65,7 @@ public class Users {
userMap.put("ccType", results.getString(4));
userMap.put("cookie", results.getString(5));
userMap.put("loginCount", Integer.toString(results.getInt(6)));
- allUsersMap.put(id, userMap);
+ allUsersMap.put(results.getInt(0), userMap);
}
userSessionData.setValue("allUsers", allUsersMap);
return allUsersMap;
diff --git a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
index 36b8fcb06..69901cb76 100644
--- a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
+++ b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
@@ -40,7 +40,7 @@ import java.util.Map;
@RestController
public class QuestionsAssignment extends AssignmentEndpoint {
- private final static Map COLORS = new HashMap<>();
+ private static final Map COLORS = new HashMap<>();
static {
COLORS.put("admin", "green");
diff --git a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java
index 8dd2c2d1e..5e37d760c 100644
--- a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java
+++ b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java
@@ -22,8 +22,7 @@
package org.owasp.webgoat.password_reset;
-import com.google.common.collect.EvictingQueue;
-import com.google.common.collect.Maps;
+import com.beust.jcommander.internal.Maps;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AttackResult;
@@ -33,6 +32,9 @@ import org.springframework.validation.BindingResult;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.servlet.ModelAndView;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
import java.util.Map;
/**
@@ -45,18 +47,18 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
static final String PASSWORD_TOM_9 = "somethingVeryRandomWhichNoOneWillEverTypeInAsPasswordForTom";
static final String TOM_EMAIL = "tom@webgoat-cloud.org";
- static Map userToTomResetLink = Maps.newHashMap();
+ static Map userToTomResetLink = new HashMap<>();
static Map usersToTomPassword = Maps.newHashMap();
- static EvictingQueue resetLinks = EvictingQueue.create(1000);
+ static List resetLinks = new ArrayList<>();
- static final String TEMPLATE = "Hi, you requested a password reset link, please use this " +
- "link to reset your password." +
- "\n \n\n" +
- "If you did not request this password change you can ignore this message." +
- "\n" +
- "If you have any comments or questions, please do not hesitate to reach us at support@webgoat-cloud.org" +
- "\n\n" +
- "Kind regards, \nTeam WebGoat";
+ static final String TEMPLATE = "Hi, you requested a password reset link, please use this "
+ + "link to reset your password."
+ + "\n \n\n"
+ + "If you did not request this password change you can ignore this message."
+ + "\n"
+ + "If you have any comments or questions, please do not hesitate to reach us at support@webgoat-cloud.org"
+ + "\n\n"
+ + "Kind regards, \nTeam WebGoat";
@PostMapping("/PasswordReset/reset/login")
diff --git a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/TriedQuestions.java b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/TriedQuestions.java
index e39178bfc..c873328c7 100644
--- a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/TriedQuestions.java
+++ b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/TriedQuestions.java
@@ -22,17 +22,17 @@
package org.owasp.webgoat.password_reset;
-import com.google.common.collect.Sets;
import org.springframework.stereotype.Component;
import org.springframework.web.context.annotation.SessionScope;
+import java.util.HashSet;
import java.util.Set;
@Component
@SessionScope
public class TriedQuestions {
- private Set answeredQuestions = Sets.newHashSet();
+ private Set answeredQuestions = new HashSet<>();
public void incr(String question) {
answeredQuestions.add(question);
diff --git a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/resetlink/PasswordChangeForm.java b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/resetlink/PasswordChangeForm.java
index 23364a843..d9ab5f71a 100644
--- a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/resetlink/PasswordChangeForm.java
+++ b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/resetlink/PasswordChangeForm.java
@@ -15,7 +15,7 @@ import javax.validation.constraints.Size;
public class PasswordChangeForm {
@NotNull
- @Size(min=6, max=10)
+ @Size(min = 6, max = 10)
private String password;
private String resetLink;
diff --git a/webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java b/webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
index 76e596748..d240cb793 100644
--- a/webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
+++ b/webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
@@ -39,36 +39,36 @@ public class SecurePasswordsAssignment extends AssignmentEndpoint {
@ResponseBody
public AttackResult completed(@RequestParam String password) {
Zxcvbn zxcvbn = new Zxcvbn();
- Strength strength = zxcvbn.measure(password);
StringBuffer output = new StringBuffer();
DecimalFormat df = new DecimalFormat("0", DecimalFormatSymbols.getInstance(Locale.ENGLISH));
df.setMaximumFractionDigits(340);
+ Strength strength = zxcvbn.measure(password);
output.append("Your Password: *******");
- output.append("Length: " + password.length()+ "");
- output.append("Estimated guesses needed to crack your password: " + df.format(strength.getGuesses())+ "");
- output.append("Score: " + strength.getScore()+ "/4
");
- if(strength.getScore()<=1){
+ output.append("Length: " + password.length() + "");
+ output.append("Estimated guesses needed to crack your password: " + df.format(strength.getGuesses()) + "");
+ output.append("Score: " + strength.getScore() + "/4
");
+ if (strength.getScore() <= 1) {
output.append("
");
- } else if(strength.getScore()<=3){
+ } else if (strength.getScore() <= 3) {
output.append("
");
- } else{
+ } else {
output.append("
");
}
output.append("Estimated cracking time: " + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()));
- if(strength.getFeedback().getWarning().length() != 0)
+ if (strength.getFeedback().getWarning().length() != 0)
output.append("Warning: " + strength.getFeedback().getWarning());
// possible feedback: https://github.com/dropbox/zxcvbn/blob/master/src/feedback.coffee
// maybe ask user to try also weak passwords to see and understand feedback?
- if(strength.getFeedback().getSuggestions().size() != 0){
+ if (strength.getFeedback().getSuggestions().size() != 0) {
output.append("Suggestions:");
- for(String sug: strength.getFeedback().getSuggestions()) output.append("- "+sug+"
");
+ for (String sug : strength.getFeedback().getSuggestions()) output.append("- " + sug + "
");
output.append("
");
}
- output.append("Score: " + strength.getScore()+ "/5 ");
+ output.append("Score: " + strength.getScore() + "/5 ");
output.append("Estimated cracking time in seconds: " + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()));
- if(strength.getScore() >= 4)
+ if (strength.getScore() >= 4)
return trackProgress(success().feedback("securepassword-success").output(output.toString()).build());
else
return trackProgress(failed().feedback("securepassword-failed").output(output.toString()).build());
@@ -76,16 +76,16 @@ public class SecurePasswordsAssignment extends AssignmentEndpoint {
public static String calculateTime(long seconds) {
int s = 1;
- int min = (60*s);
- int hr = (60*min);
- int d = (24*hr);
- int yr = (365*d);
+ int min = (60 * s);
+ int hr = (60 * min);
+ int d = (24 * hr);
+ int yr = (365 * d);
- long years = seconds/(d)/365;
- long days = (seconds%yr)/(d);
- long hours = (seconds%d)/(hr);
- long minutes = (seconds%hr)/(min);
- long sec = (seconds%min*s);
+ long years = seconds / (d) / 365;
+ long days = (seconds % yr) / (d);
+ long hours = (seconds % d) / (hr);
+ long minutes = (seconds % hr) / (min);
+ long sec = (seconds % min * s);
return (years + " years " + days + " days " + hours + " hours " + minutes + " minutes " + sec + " seconds");
}
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionQuiz.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionQuiz.java
index b72c355ca..f965c2c48 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionQuiz.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionQuiz.java
@@ -47,7 +47,7 @@ public class SqlInjectionQuiz extends AssignmentEndpoint {
String[] givenAnswers = {question_0_solution[0], question_1_solution[0], question_2_solution[0], question_3_solution[0], question_4_solution[0]};
- for(int i = 0; i < solutions.length; i++) {
+ for (int i = 0; i < solutions.length; i++) {
if (givenAnswers[i].contains(solutions[i])) {
// answer correct
correctAnswers++;
@@ -58,7 +58,7 @@ public class SqlInjectionQuiz extends AssignmentEndpoint {
}
}
- if(correctAnswers == solutions.length) {
+ if (correctAnswers == solutions.length) {
return trackProgress(success().build());
} else {
return trackProgress(failed().build());
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
index c6e662f99..f3281bc9a 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
@@ -93,8 +93,8 @@ public class SqlInjectionLesson10 extends AssignmentEndpoint {
int cols = results.getMetaData().getColumnCount();
return (cols > 0);
} catch (SQLException e) {
- String error_msg = e.getMessage();
- if (error_msg.contains("object not found: ACCESS_LOG")) {
+ String errorMsg = e.getMessage();
+ if (errorMsg.contains("object not found: ACCESS_LOG")) {
return false;
} else {
System.err.println(e.getMessage());
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
index 7541c2065..dacec702e 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
@@ -57,19 +57,19 @@ public class SqlInjectionLesson3 extends AssignmentEndpoint {
return injectableQuery(query);
}
- protected AttackResult injectableQuery(String _query) {
+ protected AttackResult injectableQuery(String query) {
try (Connection connection = dataSource.getConnection()) {
try (Statement statement = connection.createStatement(TYPE_SCROLL_INSENSITIVE, CONCUR_READ_ONLY)) {
- Statement check_statement = connection.createStatement(TYPE_SCROLL_INSENSITIVE,
+ Statement checkStatement = connection.createStatement(TYPE_SCROLL_INSENSITIVE,
CONCUR_READ_ONLY);
- statement.executeUpdate(_query);
- ResultSet _results = check_statement.executeQuery("SELECT * FROM employees WHERE last_name='Barnett';");
+ statement.executeUpdate(query);
+ ResultSet results = checkStatement.executeQuery("SELECT * FROM employees WHERE last_name='Barnett';");
StringBuffer output = new StringBuffer();
// user completes lesson if the department of Tobi Barnett now is 'Sales'
- _results.first();
- if (_results.getString("department").equals("Sales")) {
- output.append("" + _query + "");
- output.append(SqlInjectionLesson8.generateTable(_results));
+ results.first();
+ if (results.getString("department").equals("Sales")) {
+ output.append("" + query + "");
+ output.append(SqlInjectionLesson8.generateTable(results));
return trackProgress(success().output(output.toString()).build());
} else {
return trackProgress(failed().output(output.toString()).build());
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
index 9bbe9e831..0f3a503ee 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
@@ -53,16 +53,16 @@ public class SqlInjectionLesson4 extends AssignmentEndpoint {
return injectableQuery(query);
}
- protected AttackResult injectableQuery(String _query) {
+ protected AttackResult injectableQuery(String query) {
try (Connection connection = dataSource.getConnection()) {
try (Statement statement = connection.createStatement(TYPE_SCROLL_INSENSITIVE, CONCUR_READ_ONLY)) {
- statement.executeUpdate(_query);
+ statement.executeUpdate(query);
connection.commit();
- ResultSet _results = statement.executeQuery("SELECT phone from employees;");
+ ResultSet results = statement.executeQuery("SELECT phone from employees;");
StringBuffer output = new StringBuffer();
// user completes lesson if column phone exists
- if (_results.first()) {
- output.append("" + _query + "");
+ if (results.first()) {
+ output.append("" + query + "");
return trackProgress(success().output(output.toString()).build());
} else {
return trackProgress(failed().output(output.toString()).build());
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
index 00e4c0560..d20c95a6b 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
@@ -22,7 +22,6 @@
package org.owasp.webgoat.sql_injection.introduction;
-
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AttackResult;
@@ -62,8 +61,8 @@ public class SqlInjectionLesson5b extends AssignmentEndpoint {
try {
count = Integer.parseInt(login_count);
} catch (Exception e) {
- return trackProgress(failed().output("Could not parse: " + login_count + " to a number" +
- "
Your query was: " + queryString.replace("?", login_count)).build());
+ return trackProgress(failed().output("Could not parse: " + login_count + " to a number"
+ + "
Your query was: " + queryString.replace("?", login_count)).build());
}
query.setInt(1, count);
@@ -87,8 +86,6 @@ public class SqlInjectionLesson5b extends AssignmentEndpoint {
} else {
return trackProgress(failed().feedback("sql-injection.5b.no.results").output("Your query was: " + queryString.replace("?", login_count)).build());
-
-// output.append(getLabelManager().get("NoResultsMatched"));
}
} catch (SQLException sqle) {
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
index 88dc0c0dd..b120713ae 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
@@ -130,11 +130,11 @@ public class SqlInjectionLesson8 extends AssignmentEndpoint {
SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
String time = sdf.format(cal.getTime());
- String log_query = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
+ String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
try {
Statement statement = connection.createStatement(TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
- statement.executeUpdate(log_query);
+ statement.executeUpdate(logQuery);
} catch (SQLException e) {
System.err.println(e.getMessage());
}
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java
index 19400c1a2..416216843 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java
@@ -22,10 +22,10 @@
package org.owasp.webgoat.sql_injection.mitigation;
-import com.google.common.collect.Lists;
import lombok.AllArgsConstructor;
import lombok.Getter;
import lombok.SneakyThrows;
+import lombok.extern.slf4j.Slf4j;
import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.*;
@@ -33,6 +33,8 @@ import javax.sql.DataSource;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.util.ArrayList;
import java.util.List;
/**
@@ -41,6 +43,7 @@ import java.util.List;
*/
@RestController
@RequestMapping("SqlInjectionMitigations/servers")
+@Slf4j
public class Servers {
private final DataSource dataSource;
@@ -62,16 +65,19 @@ public class Servers {
}
@GetMapping(produces = MediaType.APPLICATION_JSON_VALUE)
- @SneakyThrows
@ResponseBody
public List sort(@RequestParam String column) {
- Connection connection = dataSource.getConnection();
- PreparedStatement preparedStatement = connection.prepareStatement("select id, hostname, ip, mac, status, description from servers where status <> 'out of order' order by " + column);
- ResultSet rs = preparedStatement.executeQuery();
- List servers = Lists.newArrayList();
- while (rs.next()) {
- Server server = new Server(rs.getString(1), rs.getString(2), rs.getString(3), rs.getString(4), rs.getString(5), rs.getString(6));
- servers.add(server);
+ List servers = new ArrayList<>();
+
+ try (Connection connection = dataSource.getConnection();
+ PreparedStatement preparedStatement = connection.prepareStatement("select id, hostname, ip, mac, status, description from servers where status <> 'out of order' order by " + column)) {
+ ResultSet rs = preparedStatement.executeQuery();
+ while (rs.next()) {
+ Server server = new Server(rs.getString(1), rs.getString(2), rs.getString(3), rs.getString(4), rs.getString(5), rs.getString(6));
+ servers.add(server);
+ }
+ } catch (SQLException e) {
+ log.error("Unable to get servers", e);
}
return servers;
}
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10b.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10b.java
index 7b2e1b496..1c5b8ef1f 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10b.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10b.java
@@ -49,21 +49,21 @@ public class SqlInjectionLesson10b extends AssignmentEndpoint {
editor = editor.replaceAll("\\<.*?>", "");
- String regex_setsUpConnection = "(?=.*getConnection.*)";
- String regex_usesPreparedStatement = "(?=.*PreparedStatement.*)";
- String regex_usesPlaceholder = "(?=.*\\=\\?.*|.*\\=\\s\\?.*)";
- String regex_usesSetString = "(?=.*setString.*)";
- String regex_usesExecute = "(?=.*execute.*)";
- String regex_usesExecuteUpdate = "(?=.*executeUpdate.*)";
+ String regexSetsUpConnection = "(?=.*getConnection.*)";
+ String regexUsesPreparedStatement = "(?=.*PreparedStatement.*)";
+ String regexUsesPlaceholder = "(?=.*\\=\\?.*|.*\\=\\s\\?.*)";
+ String regexUsesSetString = "(?=.*setString.*)";
+ String regexUsesExecute = "(?=.*execute.*)";
+ String regexUsesExecuteUpdate = "(?=.*executeUpdate.*)";
String codeline = editor.replace("\n", "").replace("\r", "");
- boolean setsUpConnection = this.check_text(regex_setsUpConnection, codeline);
- boolean usesPreparedStatement = this.check_text(regex_usesPreparedStatement, codeline);
- boolean usesSetString = this.check_text(regex_usesSetString, codeline);
- boolean usesPlaceholder = this.check_text(regex_usesPlaceholder, codeline);
- boolean usesExecute = this.check_text(regex_usesExecute, codeline);
- boolean usesExecuteUpdate = this.check_text(regex_usesExecuteUpdate, codeline);
+ boolean setsUpConnection = this.check_text(regexSetsUpConnection, codeline);
+ boolean usesPreparedStatement = this.check_text(regexUsesPreparedStatement, codeline);
+ boolean usesSetString = this.check_text(regexUsesSetString, codeline);
+ boolean usesPlaceholder = this.check_text(regexUsesPlaceholder, codeline);
+ boolean usesExecute = this.check_text(regexUsesExecute, codeline);
+ boolean usesExecuteUpdate = this.check_text(regexUsesExecuteUpdate, codeline);
boolean hasImportant = (setsUpConnection && usesPreparedStatement && usesPlaceholder && usesSetString && (usesExecute || usesExecuteUpdate));
List hasCompiled = this.compileFromString(editor);
@@ -79,7 +79,7 @@ public class SqlInjectionLesson10b extends AssignmentEndpoint {
} else {
return trackProgress(failed().feedback("sql-injection.10b.failed").build());
}
- } catch(Exception e) {
+ } catch (Exception e) {
return trackProgress(failed().output(e.getMessage()).build());
}
}
@@ -87,7 +87,7 @@ public class SqlInjectionLesson10b extends AssignmentEndpoint {
private List compileFromString(String s) {
JavaCompiler compiler = ToolProvider.getSystemJavaCompiler();
DiagnosticCollector diagnosticsCollector = new DiagnosticCollector();
- StandardJavaFileManager fileManager = compiler.getStandardFileManager(diagnosticsCollector, null, null);
+ StandardJavaFileManager fileManager = compiler.getStandardFileManager(diagnosticsCollector, null, null);
JavaFileObject javaObjectFromString = getJavaFileContentsAsString(s);
Iterable fileObjects = Arrays.asList(javaObjectFromString);
JavaCompiler.CompilationTask task = compiler.getTask(null, fileManager, diagnosticsCollector, null, null, fileObjects);
@@ -96,12 +96,12 @@ public class SqlInjectionLesson10b extends AssignmentEndpoint {
return diagnostics;
}
- private SimpleJavaFileObject getJavaFileContentsAsString(String s){
+ private SimpleJavaFileObject getJavaFileContentsAsString(String s) {
StringBuilder javaFileContents = new StringBuilder("import java.sql.*; public class TestClass { static String DBUSER; static String DBPW; static String DBURL; public static void main(String[] args) {" + s + "}}");
JavaObjectFromString javaFileObject = null;
- try{
+ try {
javaFileObject = new JavaObjectFromString("TestClass.java", javaFileContents.toString());
- }catch(Exception exception){
+ } catch (Exception exception) {
exception.printStackTrace();
}
return javaFileObject;
@@ -109,10 +109,12 @@ public class SqlInjectionLesson10b extends AssignmentEndpoint {
class JavaObjectFromString extends SimpleJavaFileObject {
private String contents = null;
- public JavaObjectFromString(String className, String contents) throws Exception{
+
+ public JavaObjectFromString(String className, String contents) throws Exception {
super(new URI(className), Kind.SOURCE);
this.contents = contents;
}
+
public CharSequence getCharContent(boolean ignoreEncodingErrors) throws IOException {
return contents;
}
@@ -121,7 +123,7 @@ public class SqlInjectionLesson10b extends AssignmentEndpoint {
private boolean check_text(String regex, String text) {
Pattern p = Pattern.compile(regex, Pattern.CASE_INSENSITIVE);
Matcher m = p.matcher(text);
- if(m.find())
+ if (m.find())
return true;
else return false;
}
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson12a.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson12a.java
index 5bef46772..eb2a3cad4 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson12a.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson12a.java
@@ -36,6 +36,7 @@ import javax.sql.DataSource;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
+import java.sql.SQLException;
@RestController
@AssignmentHints(value = {"SqlStringInjectionHint-mitigation-12a-1", "SqlStringInjectionHint-mitigation-12a-2", "SqlStringInjectionHint-mitigation-12a-3", "SqlStringInjectionHint-mitigation-12a-4"})
@@ -50,10 +51,9 @@ public class SqlInjectionLesson12a extends AssignmentEndpoint {
@PostMapping("/SqlInjectionMitigations/attack12a")
@ResponseBody
- @SneakyThrows
public AttackResult completed(@RequestParam String ip) {
- try (Connection connection = dataSource.getConnection()) {
- PreparedStatement preparedStatement = connection.prepareStatement("select ip from servers where ip = ? and hostname = ?");
+ try (Connection connection = dataSource.getConnection();
+ PreparedStatement preparedStatement = connection.prepareStatement("select ip from servers where ip = ? and hostname = ?")) {
preparedStatement.setString(1, ip);
preparedStatement.setString(2, "webgoat-prd");
ResultSet resultSet = preparedStatement.executeQuery();
@@ -61,6 +61,9 @@ public class SqlInjectionLesson12a extends AssignmentEndpoint {
return trackProgress(success().build());
}
return trackProgress(failed().build());
+ } catch (SQLException e) {
+ log.error("Failed", e);
+ return trackProgress(failed().build());
}
}
}
\ No newline at end of file
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
index 547bcae15..68fad1012 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
@@ -1,19 +1,22 @@
package org.owasp.webgoat.xxe;
-import com.google.common.base.Charsets;
-import com.google.common.io.Files;
-import lombok.SneakyThrows;
+import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.MediaType;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
import javax.annotation.PostConstruct;
import java.io.File;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
import static org.apache.commons.lang3.RandomStringUtils.randomAlphabetic;
@@ -46,8 +49,9 @@ import static org.apache.commons.lang3.RandomStringUtils.randomAlphabetic;
* @version $Id: $Id
* @since November 18, 2016
*/
+@Slf4j
@RestController
-@AssignmentHints({"xxe.blind.hints.1","xxe.blind.hints.2","xxe.blind.hints.3","xxe.blind.hints.4","xxe.blind.hints.5"})
+@AssignmentHints({"xxe.blind.hints.1", "xxe.blind.hints.2", "xxe.blind.hints.3", "xxe.blind.hints.4", "xxe.blind.hints.5"})
public class BlindSendFileAssignment extends AssignmentEndpoint {
static final String CONTENTS = "WebGoat 8.0 rocks... (" + randomAlphabetic(10) + ")";
@@ -57,13 +61,16 @@ public class BlindSendFileAssignment extends AssignmentEndpoint {
private Comments comments;
@PostConstruct
- @SneakyThrows
public void createSecretFileWithRandomContents() {
File targetDirectory = new File(webGoatHomeDirectory, "/XXE");
if (!targetDirectory.exists()) {
targetDirectory.mkdir();
}
- Files.write(CONTENTS, new File(targetDirectory, "secret.txt"), Charsets.UTF_8);
+ try {
+ Files.writeString(new File(targetDirectory, "secret.txt").toPath(), CONTENTS, StandardCharsets.UTF_8);
+ } catch (IOException e) {
+ log.error("Unable to write 'secret.txt' to '{}", targetDirectory);
+ }
}
@PostMapping(path = "xxe/blind", consumes = MediaType.ALL_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
@@ -82,46 +89,4 @@ public class BlindSendFileAssignment extends AssignmentEndpoint {
}
return trackProgress(failed().build());
}
-
-/**
-
-
-%remote;
-]>
- test&send;
-**/
- /**
- * Solution:
- *
- * Create DTD:
- *
- *
- *
- *
- * ">
- * %all;
- *
- *
- * This will be reduced to:
- *
- *
- *
- *
- *
- * Wire it all up in the xml send to the server:
- *
- *
- *
- *
- * %remote;
- * ]>
- *
- * test&send;
- *
- *
- *
- *
- */
}
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
index f396f27f0..c711e7f13 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
@@ -24,8 +24,6 @@ package org.owasp.webgoat.xxe;
import com.beust.jcommander.internal.Lists;
import com.fasterxml.jackson.databind.ObjectMapper;
-import com.google.common.collect.EvictingQueue;
-import com.google.common.collect.Maps;
import org.joda.time.DateTime;
import org.joda.time.format.DateTimeFormat;
import org.joda.time.format.DateTimeFormatter;
@@ -40,10 +38,7 @@ import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamReader;
import java.io.IOException;
import java.io.StringReader;
-import java.util.Collection;
-import java.util.Comparator;
-import java.util.Map;
-import java.util.Optional;
+import java.util.*;
import java.util.stream.Collectors;
import static java.util.Optional.empty;
@@ -62,8 +57,8 @@ public class Comments {
protected static DateTimeFormatter fmt = DateTimeFormat.forPattern("yyyy-MM-dd, HH:mm:ss");
- private static final Map> userComments = Maps.newHashMap();
- private static final EvictingQueue comments = EvictingQueue.create(100);
+ private static final Map> userComments = new HashMap<>();
+ private static final List comments = new ArrayList<>();
static {
comments.add(new Comment("webgoat", DateTime.now().toString(fmt), "Silly cat...."));
@@ -110,7 +105,7 @@ public class Comments {
if (visibleForAllUsers) {
comments.add(comment);
} else {
- EvictingQueue comments = userComments.getOrDefault(webSession.getUserName(), EvictingQueue.create(100));
+ List comments = userComments.getOrDefault(webSession.getUserName(), new ArrayList<>());
comments.add(comment);
userComments.put(webSession.getUserName(), comments);
}
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
index 48c7eb8f1..be7b481dd 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
@@ -38,8 +38,8 @@ import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
@AssignmentHints({"xxe.hints.content.type.xxe.1", "xxe.hints.content.type.xxe.2"})
public class ContentTypeAssignment extends AssignmentEndpoint {
- private final static String[] DEFAULT_LINUX_DIRECTORIES = {"usr", "etc", "var"};
- private final static String[] DEFAULT_WINDOWS_DIRECTORIES = {"Windows", "Program Files (x86)", "Program Files"};
+ private static final String[] DEFAULT_LINUX_DIRECTORIES = {"usr", "etc", "var"};
+ private static final String[] DEFAULT_WINDOWS_DIRECTORIES = {"Windows", "Program Files (x86)", "Program Files"};
@Value("${webgoat.server.directory}")
private String webGoatHomeDirectory;
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
index e9e4b7c6d..6c9b5b378 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
@@ -33,18 +33,13 @@ import java.io.FileNotFoundException;
import java.io.PrintWriter;
@Slf4j
-public class Ping {
+public class Ping {
@Value("${webgoat.user.directory}")
private String webGoatHomeDirectory;
@Autowired
private WebSession webSession;
-// @Override
-// public String getPath() {
-// return "XXE/ping";
-// }
-
@RequestMapping(method = RequestMethod.GET)
@ResponseBody
public String logRequest(@RequestHeader("User-Agent") String userAgent, @RequestParam(required = false) String text) {
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
index 69aaa056b..e5e77c158 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
@@ -48,16 +48,16 @@ import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
@AssignmentHints({"xxe.hints.simple.xxe.1", "xxe.hints.simple.xxe.2", "xxe.hints.simple.xxe.3", "xxe.hints.simple.xxe.4", "xxe.hints.simple.xxe.5", "xxe.hints.simple.xxe.6"})
public class SimpleXXE extends AssignmentEndpoint {
- private final static String[] DEFAULT_LINUX_DIRECTORIES = {"usr", "etc", "var"};
- private final static String[] DEFAULT_WINDOWS_DIRECTORIES = {"Windows", "Program Files (x86)", "Program Files"};
+ private static final String[] DEFAULT_LINUX_DIRECTORIES = {"usr", "etc", "var"};
+ private static final String[] DEFAULT_WINDOWS_DIRECTORIES = {"Windows", "Program Files (x86)", "Program Files"};
@Value("${webgoat.server.directory}")
private String webGoatHomeDirectory;
-
+
@Value("${webwolf.url.landingpage}")
private String webWolfURL;
-
-
+
+
@Autowired
private Comments comments;
@@ -85,20 +85,20 @@ public class SimpleXXE extends AssignmentEndpoint {
}
return success;
}
-
- @RequestMapping(path="/xxe/tmpdir",consumes = ALL_VALUE, produces=MediaType.TEXT_PLAIN_VALUE)
+
+ @RequestMapping(path = "/xxe/tmpdir", consumes = ALL_VALUE, produces = MediaType.TEXT_PLAIN_VALUE)
@ResponseBody
public String getWebGoatHomeDirectory() {
- return webGoatHomeDirectory;
+ return webGoatHomeDirectory;
}
-
- @RequestMapping(path="/xxe/sampledtd",consumes = ALL_VALUE, produces=MediaType.TEXT_PLAIN_VALUE)
+
+ @RequestMapping(path = "/xxe/sampledtd", consumes = ALL_VALUE, produces = MediaType.TEXT_PLAIN_VALUE)
@ResponseBody
public String getSampleDTDFile() {
- return "\n" +
- "\n" +
- "\">\n" +
- "%all;";
+ return "\n"
+ + "\n"
+ + "\">\n"
+ + "%all;";
}
-
+
}
diff --git a/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java b/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java
index 6c5f56ee4..68b24076c 100644
--- a/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java
+++ b/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java
@@ -22,6 +22,7 @@
* projects.
*
*/
+
package org.owasp.webgoat;
import lombok.extern.slf4j.Slf4j;
diff --git a/webwolf/src/main/java/org/owasp/webwolf/FileServer.java b/webwolf/src/main/java/org/owasp/webwolf/FileServer.java
index 06af38b4a..e811af2c4 100644
--- a/webwolf/src/main/java/org/owasp/webwolf/FileServer.java
+++ b/webwolf/src/main/java/org/owasp/webwolf/FileServer.java
@@ -22,11 +22,8 @@
package org.owasp.webwolf;
-import com.google.common.collect.Lists;
-import com.google.common.io.Files;
import lombok.AllArgsConstructor;
import lombok.Getter;
-import lombok.SneakyThrows;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.io.FileUtils;
import org.owasp.webwolf.user.WebGoatUser;
@@ -35,22 +32,19 @@ import org.springframework.http.MediaType;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
-import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.PostMapping;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.*;
import org.springframework.web.multipart.MultipartFile;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.view.RedirectView;
import javax.servlet.http.HttpServletRequest;
+import java.io.File;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.util.ArrayList;
import static org.springframework.http.MediaType.ALL_VALUE;
-import java.io.File;
-import java.util.List;
-
/**
* Controller for uploading a file
*/
@@ -65,21 +59,20 @@ public class FileServer {
@Value("${server.port}")
private int port;
- @RequestMapping(path="/tmpdir",consumes = ALL_VALUE, produces=MediaType.TEXT_PLAIN_VALUE)
+ @RequestMapping(path = "/tmpdir", consumes = ALL_VALUE, produces = MediaType.TEXT_PLAIN_VALUE)
@ResponseBody
public String getFileLocation() {
- return fileLocation;
+ return fileLocation;
}
@PostMapping(value = "/WebWolf/fileupload")
- @SneakyThrows
- public ModelAndView importFile(@RequestParam("file") MultipartFile myFile) {
+ public ModelAndView importFile(@RequestParam("file") MultipartFile myFile) throws IOException {
WebGoatUser user = (WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
File destinationDir = new File(fileLocation, user.getUsername());
destinationDir.mkdirs();
myFile.transferTo(new File(destinationDir, myFile.getOriginalFilename()));
log.debug("File saved to {}", new File(destinationDir, myFile.getOriginalFilename()));
- Files.touch(new File(destinationDir, user.getUsername() + "_changed"));
+ Files.createFile(new File(destinationDir, user.getUsername() + "_changed").toPath());
ModelMap model = new ModelMap();
model.addAttribute("uploadSuccess", "File uploaded successful");
@@ -111,7 +104,7 @@ public class FileServer {
}
changeIndicatorFile.delete();
- List uploadedFiles = Lists.newArrayList();
+ var uploadedFiles = new ArrayList<>();
File[] files = destinationDir.listFiles(File::isFile);
if (files != null) {
for (File file : files) {
@@ -122,7 +115,7 @@ public class FileServer {
}
modelAndView.addObject("files", uploadedFiles);
- modelAndView.addObject("webwolf_url", "http://" + server +":" + port);
+ modelAndView.addObject("webwolf_url", "http://" + server + ":" + port);
return modelAndView;
}
}
diff --git a/webwolf/src/main/java/org/owasp/webwolf/requests/LandingPage.java b/webwolf/src/main/java/org/owasp/webwolf/requests/LandingPage.java
index fecebc7dd..502835e90 100644
--- a/webwolf/src/main/java/org/owasp/webwolf/requests/LandingPage.java
+++ b/webwolf/src/main/java/org/owasp/webwolf/requests/LandingPage.java
@@ -22,7 +22,6 @@
package org.owasp.webwolf.requests;
-
import lombok.extern.slf4j.Slf4j;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Controller;