Improvements for challenge 3

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Assignment3.java

@@ -1,9 +1,12 @@
 package org.owasp.webgoat.plugin.challenge3;
 
+import com.beust.jcommander.internal.Lists;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.common.collect.EvictingQueue;
+import com.google.common.collect.Maps;
 import com.google.common.io.Files;
 import lombok.SneakyThrows;
+import org.apache.commons.lang3.StringUtils;
 import org.joda.time.DateTime;
 import org.joda.time.format.DateTimeFormat;
 import org.joda.time.format.DateTimeFormatter;
@@ -30,6 +33,7 @@ import java.io.IOException;
 import java.io.StringReader;
 import java.nio.charset.Charset;
 import java.util.Collection;
+import java.util.Map;
 
 import static org.springframework.http.MediaType.ALL_VALUE;
 import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
@@ -49,13 +53,14 @@ public class Assignment3 extends AssignmentEndpoint {
     private WebSession webSession;
     private static DateTimeFormatter fmt = DateTimeFormat.forPattern("yyyy-MM-dd, HH:mm:ss");
 
+    private static final Map<String, EvictingQueue<Comment>> userComments = Maps.newHashMap();
     private static final EvictingQueue<Comment> comments = EvictingQueue.create(100);
     private static final String secretContents = "Congratulations you may now collect your flag";
 
     static {
         comments.add(new Comment("webgoat", DateTime.now().toString(fmt), "Silly cat...."));
         comments.add(new Comment("guest", DateTime.now().toString(fmt), "I think I will use this picture in one of my projects."));
-        comments.add(new Comment("guest", DateTime.now().toString(), "Lol!! :-)."));
+        comments.add(new Comment("guest", DateTime.now().toString(fmt), "Lol!! :-)."));
     }
 
     @PostConstruct
@@ -68,11 +73,16 @@ public class Assignment3 extends AssignmentEndpoint {
         Files.write(secretContents, new File(targetDirectory, "secret.txt"), Charset.defaultCharset());
     }
 
-
-    @RequestMapping(method = GET, produces = APPLICATION_JSON_VALUE)
+    @RequestMapping(method = GET, produces = MediaType.APPLICATION_JSON_VALUE)
     @ResponseBody
     public Collection<Comment> retrieveComments() {
-        return comments;
+        Collection<Comment> allComments = Lists.newArrayList();
+        Collection<Comment> xmlComments = userComments.get(webSession.getUserName());
+        if (xmlComments != null) {
+            allComments.addAll(xmlComments);
+        }
+        allComments.addAll(comments);
+        return allComments;
     }
 
     @RequestMapping(method = POST, consumes = ALL_VALUE, produces = APPLICATION_JSON_VALUE)
@@ -82,27 +92,29 @@ public class Assignment3 extends AssignmentEndpoint {
         AttackResult attackResult = failed().build();
         if (APPLICATION_JSON_VALUE.equals(contentType)) {
             comment = parseJson(commentStr);
-            comment.setDateTime(DateTime.now().toString());
+            comment.setDateTime(DateTime.now().toString(fmt));
             comment.setUser(webSession.getUserName());
+            comments.add(comment);
         }
         if (MediaType.APPLICATION_XML_VALUE.equals(contentType)) {
+            //Do not show these comments to all users
             comment = parseXml(commentStr);
             comment.setDateTime(DateTime.now().toString(fmt));
             comment.setUser(webSession.getUserName());
-        }
-        if (comment != null) {
+            EvictingQueue<Comment> comments = userComments.getOrDefault(webSession.getUserName(), EvictingQueue.create(100));
             comments.add(comment);
+            userComments.put(webSession.getUserName(), comments);
+        }
         if (checkSolution(comment)) {
             attackResult = success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(2)).build();
         }
-        }
-
         return attackResult;
     }
 
     private boolean checkSolution(Comment comment) {
-        if (comment.getComment().contains(secretContents)) {
-            comment.setComment("Congratulations to " + webSession.getUserName() + " for finding the flag!!");
+        if (StringUtils.equals(comment.getText(), secretContents)) {
+            comment.setText("Congratulations to " + webSession.getUserName() + " for finding the flag!!");
+            comments.add(comment);
             return true;
         }
         return false;

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Comment.java

@@ -5,6 +5,8 @@ import lombok.Getter;
 import lombok.NoArgsConstructor;
 import lombok.Setter;
 
+import javax.xml.bind.annotation.XmlRootElement;
+
 /**
  * @author nbaars
  * @since 4/8/17.
@@ -13,9 +15,10 @@ import lombok.Setter;
 @Setter
 @AllArgsConstructor
 @NoArgsConstructor
+@XmlRootElement
 public class Comment {
     private String user;
     private String dateTime;
-    private String comment;
+    private String text;
 }
 

webgoat-lessons/challenge/src/main/resources/html/Challenge3.html

@@ -10,7 +10,7 @@
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 
-        <div class="container">
+        <div class="container-fluid">
             <div class="panel post">
                 <div class="post-heading">
                     <div class="pull-left image">
@@ -48,7 +48,7 @@
             </div>
         </div>
 
-        <form class="attack-form form-inline" method="POST" name="form" action="/WebGoat/challenge/flag">
+        <form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
             <div class="form-group">
                 <div class="input-group">
                     <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"

webgoat-lessons/challenge/src/main/resources/js/challenge3.js

@@ -4,7 +4,7 @@ $(document).ready(function () {
         $.ajax({
             type: 'POST',
             url: 'challenge/3',
-            data: JSON.stringify({comment: commentInput}),
+            data: JSON.stringify({text: commentInput}),
             contentType: "application/json",
             dataType: 'json'
         }).then(
@@ -17,7 +17,7 @@ $(document).ready(function () {
 
     var html = '<li class="comment">' +
         '<div class="pull-left">' +
-        '<img class="avatar" src="http://bootdey.com/img/Content/avatar/avatar1.png" alt="avatar"/>' +
+        '<img class="avatar" src="images/avatar1.png" alt="avatar"/>' +
         '</div>' +
         '<div class="comment-body">' +
         '<div class="comment-heading">' +
@@ -36,7 +36,7 @@ $(document).ready(function () {
             for (var i = 0; i < result.length; i++) {
                 var comment = html.replace('USER', result[i].user);
                 comment = comment.replace('DATETIME', result[i].dateTime);
-                comment = comment.replace('COMMENT', result[i].comment);
+                comment = comment.replace('COMMENT', result[i].text);
                 $("#list").append(comment);
             }