diff --git a/README.MD b/README.MD
index 099d49aef..654454fd3 100644
--- a/README.MD
+++ b/README.MD
@@ -97,27 +97,10 @@ To change IP address add the following variable to WebGoat/webgoat-container/src
server.address=x.x.x.x
```
-# Vagrant
-
-We supply a complete environment using Vagrant, to run WebGoat with Vagrant you must first have Vagrant and Virtualbox installed.
-
-```shell
- $ cd WebGoat/webgoat-images/vagrant-training
- $ vagrant up
-```
-
-Once the provisioning is complete login to the Virtualbox with username vagrant and password vagrant.
-WebGoat and WebWolf will automatically start when you login to this image.
-
-
# Building a new Docker image
NOTE: Travis will create a new Docker image automatically when making a new release.
-WebGoat now has Docker support for x86 and ARM (raspberry pi).
-### Docker on x86
-On x86 you can build a container with the following commands:
-
```Shell
cd WebGoat/
mvn install
@@ -128,31 +111,6 @@ docker login
docker push webgoat/webgoat-8.0
```
-### Docker on ARM (Raspberry Pi)
-On a Raspberry Pi (it has yet been tested with a Raspberry Pi 3 and the hypriot Docker image) you need to build JFFI for
-ARM first. This is needed by the docker-maven-plugin ([see here](https://github.com/spotify/docker-maven-plugin/issues/233)):
-
-```Shell
-sudo apt-get install build-essential
-git clone https://github.com/jnr/jffi.git
-cd jffi
-ant jar
-cd build/jni
-sudo cp libjffi-1.2.so /usr/lib
-```
-
-When you have done this you can build the Docker container using the following commands:
-
-```Shell
-cd WebGoat/
-mvn install
-cd webgoat-server
-mvn docker:build -Drpi=true
-docker tag webgoat/webgoat-8.0 webgoat/webgoat-8.0:8.0
-docker login
-docker push webgoat/webgoat-8.0
-```
-
# Run Instructions:
Once installed connect to http://localhost:8080/WebGoat and http://localhost:9090/WebWolf
diff --git a/pom.xml b/pom.xml
index cb133b10f..36b9913c0 100644
--- a/pom.xml
+++ b/pom.xml
@@ -21,7 +21,7 @@
org.springframework.boot
spring-boot-starter-parent
- 1.5.18.RELEASE
+ 1.5.21.RELEASE
@@ -116,46 +116,19 @@
1.1.1
- 1.4
- 1.4
- 1.4
- 1.4
- 1.9.1
- 2.7
3.2.1
- 2.1
- 0.5
- 1.3.1
- 2.6
3.4
- 4.0.0
- 2.2.5
- 2.2.4
+ 2.6
18.0
- 1.4.190
2.3.4
- 1.3.1
- 2.6.3
- 2.6.3
- 6.0
- 1.3
- 1.7.12
- 1.3.1
4.12
1.18.4
- 1.5.4
3.8.0
2.22.0
- 1.6
- 3.1.1
- 2.10.4
- 2.5.2
- 3.0.1
+ 3.1.2
+ 3.1.1
+ 3.1.0
2.22.0
- 1.6.6
- 2.11.7
- 2.1.20
- 2.48.2
3.2.4.RELEASE
@@ -166,32 +139,6 @@
webwolf
-
-
- ossrh
- https://oss.sonatype.org/content/repositories/snapshots
-
-
- ossrh
- https://oss.sonatype.org/service/local/staging/deploy/maven2/
-
-
-
-
-
- apache.snapshots
- http://repository.apache.org/snapshots/
-
-
- daily
-
-
- daily
-
-
-
-
org.projectlombok
@@ -224,38 +171,6 @@
UTF-8
-
- org.apache.maven.plugins
- maven-release-plugin
- ${maven-release-plugin.version}
-
- true
- false
- release
- @{project.version}
- deploy
-
-
-
- org.eluder.coveralls
- coveralls-maven-plugin
- ${coveralls-maven-plugin.version}
-
-
-
-
-
- org.codehaus.mojo
- cobertura-maven-plugin
- ${cobertura-maven-plugin.version}
-
-
- xml
- 256m
-
- true
-
-
diff --git a/webgoat-container/pom.xml b/webgoat-container/pom.xml
index 2f766037a..cf324686b 100644
--- a/webgoat-container/pom.xml
+++ b/webgoat-container/pom.xml
@@ -13,29 +13,6 @@
v8.0.0-SNAPSHOT
-
-
- performance
-
-
-
- io.gatling
- gatling-maven-plugin
- ${gatling-plugin.version}
-
-
-
- execute
-
-
-
-
-
-
-
-
-
-
@@ -69,7 +46,11 @@
maven-surefire-plugin
${maven-surefire-plugin.version}
- never
+ 0
+ true
+
+ --illegal-access=permit
+
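Review bot: The `--illegal-access=permit` argLine only reaches a forked JVM, and the `0` and `true` values beside it read like surefire's `forkCount`/`reuseForks` (the element names are not visible here); with `forkCount=0` the tests run inside the Maven process and surefire does not apply `argLine`, so the flag may be doing nothing. If an in-process run is intended, drop the argLine; if the flag is genuinely needed, use `<forkCount>1</forkCount>`. In either case add a comment stating why it is there, e.g. `<!-- Spring Boot 1.5 on Java 11: allow deep reflection into java.base during tests; remove on upgrade -->`, because `--illegal-access` was deprecated in JDK 16 and is ignored with a warning from JDK 17 onward.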
@@ -89,12 +70,23 @@
- com.fasterxml.jackson.datatype
- jackson-datatype-jsr310
+ org.springframework.boot
+ spring-boot-starter-undertow
org.springframework.boot
spring-boot-starter-web
+
+
+ org.springframework.boot
+ spring-boot-starter-tomcat
+
+
+
+
+ javax.activation
+ activation
+ ${activation.version}
org.springframework.boot
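Review bot: Swapping Tomcat for Undertow silently changes how the session cookie's `HttpOnly` flag is decided: this same diff removes the `TomcatContextCustomizer` in `WebGoat.java` that explicitly called `context.setUseHttpOnly(false)`, and nothing on the new side sets an Undertow equivalent, so the flag now depends on container defaults. If any lesson relies on a script-readable `JSESSIONID`, pin the choice in `application.properties` with `server.session.cookie.http-only=false` (or `true` if it is no longer needed) and comment why, so the training behaviour does not drift with the next container or Boot upgrade. The `javax.activation` block also references `${activation.version}`; since the root pom hunk prunes several properties whose names are not visible here, confirm that property still exists.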
@@ -119,14 +111,6 @@
guava
${guava.version}
-
-
-
- io.gatling.highcharts
- gatling-charts-highcharts
- ${gatling.version}
- test
-
org.springframework.boot
spring-boot-starter-security
@@ -140,28 +124,11 @@
thymeleaf-extras-springsecurity4
2.1.2.RELEASE
-
- javax.activation
- activation
- ${activation.version}
-
org.hsqldb
hsqldb
${hsqldb.version}
-
- javax.transaction
- javax.transaction-api
- ${javax.transaction-api.version}
-
-
- org.scala-lang
- scala-compiler
- ${scala.version}
- test
-
-
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java b/webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java
index df4c11e0b..e5a4c7da9 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java
@@ -44,9 +44,9 @@ import org.thymeleaf.resourceresolver.IResourceResolver;
import org.thymeleaf.templateresolver.TemplateResolver;
import java.io.*;
+import java.nio.charset.StandardCharsets;
import java.util.Map;
-import static org.apache.commons.lang3.CharEncoding.UTF_8;
import static org.asciidoctor.Asciidoctor.Factory.create;
/**
@@ -92,7 +92,7 @@ public class AsciiDoctorTemplateResolver extends TemplateResolver {
extensionRegistry.inlineMacro("webGoatVersion", WebGoatVersionMacro.class);
asciidoctor.convert(new InputStreamReader(is), writer, createAttributes());
- return new ByteArrayInputStream(writer.getBuffer().toString().getBytes(UTF_8));
+ return new ByteArrayInputStream(writer.getBuffer().toString().getBytes(StandardCharsets.UTF_8));
}
} catch (IOException e) {
//no html yet
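Review bot: The charset fix is only half done: the context line `asciidoctor.convert(new InputStreamReader(is), writer, createAttributes());` still builds the reader with the platform default charset, so lesson sources containing non-ASCII text decode differently per host while the output is now always written as UTF-8. Change it to `new InputStreamReader(is, StandardCharsets.UTF_8)`; the import added in the previous hunk is already in scope. The enclosing method begins before this hunk.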
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java b/webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java
index d78e248d7..e18374c23 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java
@@ -31,7 +31,6 @@
package org.owasp.webgoat;
import lombok.extern.slf4j.Slf4j;
-import org.apache.catalina.Context;
import org.owasp.webgoat.plugins.PluginEndpointPublisher;
import org.owasp.webgoat.plugins.PluginsLoader;
import org.owasp.webgoat.session.Course;
@@ -42,9 +41,6 @@ import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.builder.SpringApplicationBuilder;
-import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
-import org.springframework.boot.context.embedded.tomcat.TomcatContextCustomizer;
-import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.boot.web.support.SpringBootServletInitializer;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Bean;
@@ -53,7 +49,6 @@ import org.springframework.context.annotation.ScopedProxyMode;
import org.springframework.web.client.RestTemplate;
import java.io.File;
-import java.util.Arrays;
@SpringBootApplication
@Slf4j
@@ -99,20 +94,4 @@ public class WebGoat extends SpringBootServletInitializer {
public RestTemplate restTemplate() {
return new RestTemplate();
}
-
- @Bean
- public EmbeddedServletContainerFactory servletContainer() {
- TomcatEmbeddedServletContainerFactory factory = new TomcatEmbeddedServletContainerFactory();
- factory.setTomcatContextCustomizers(Arrays.asList(new CustomCustomizer()));
- return factory;
- }
-
- static class CustomCustomizer implements TomcatContextCustomizer {
- @Override
- public void customize(Context context) {
- context.setUseHttpOnly(false);
- }
- }
-
-
}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java b/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
index 05f185927..b8b526af8 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
@@ -58,8 +58,6 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry security = http
.authorizeRequests()
.antMatchers("/css/**", "/images/**", "/js/**", "fonts/**", "/plugins/**", "/registration", "/register.mvc").permitAll()
- .antMatchers("/servlet/AdminServlet/**").hasAnyRole("WEBGOAT_ADMIN", "SERVER_ADMIN") //
- .antMatchers("/JavaSource/**").hasRole("SERVER_ADMIN") //
.anyRequest().authenticated();
security.and()
.formLogin()
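Review bot: With the two role-restricted matchers gone, `/servlet/AdminServlet/**` and `/JavaSource/**` now fall under `.anyRequest().authenticated()`, so any logged-in user can reach them if handlers for those paths still exist; the removal is only safe if they are dead in WebGoat 8, which this hunk cannot show. Please confirm no controller or servlet serves those paths before merging. A short comment above `.anyRequest().authenticated()` would make the intent explicit for the next reader, e.g. `// legacy /servlet/AdminServlet and /JavaSource matchers dropped: no such endpoints in 8.x`.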
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AttackResult.java b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AttackResult.java
index e78d46338..573f488a1 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AttackResult.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AttackResult.java
@@ -25,6 +25,7 @@
package org.owasp.webgoat.assignments;
+import com.google.common.base.Strings;
import lombok.Getter;
import org.apache.commons.lang3.StringEscapeUtils;
import org.owasp.webgoat.i18n.PluginMessages;
diff --git a/webgoat-container/src/main/resources/application.properties b/webgoat-container/src/main/resources/application.properties
index 281b53230..2346f3f30 100644
--- a/webgoat-container/src/main/resources/application.properties
+++ b/webgoat-container/src/main/resources/application.properties
@@ -17,7 +17,6 @@ spring.jpa.hibernate.ddl-auto=update
spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect
spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver
-
logging.level.org.springframework=INFO
logging.level.org.springframework.boot.devtools=INFO
logging.level.org.owasp=DEBUG
diff --git a/webgoat-container/src/test/scala/Simulation.scala b/webgoat-container/src/test/scala/Simulation.scala
deleted file mode 100644
index 4e8fe9b42..000000000
--- a/webgoat-container/src/test/scala/Simulation.scala
+++ /dev/null
@@ -1,27 +0,0 @@
-import io.gatling.core.Predef._
-import io.gatling.http.Predef._
-import org.apache.commons.lang3.RandomStringUtils
-
-import scala.concurrent.duration._
-
-class BasicSimulation extends Simulation {
-
- val httpConf = http
- .baseURL("http://localhost:8080/WebGoat/") // Here is the root for all relative URLs
- .userAgentHeader("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:16.0) Gecko/20100101 Firefox/16.0")
-
- val scn = scenario("Register and automatic login").
- exec(session =>
- session.setAll(("username", RandomStringUtils.randomAlphabetic(10)))
- )
- .exec(
- http("Test")
- .post("register.mvc")
- .formParam("username", "${username}")
- .formParam("password", "${username}")
- .formParam("matchingPassword", "${username}")
- .formParam("agree", "agree")
- )
-
- setUp(scn.inject(atOnceUsers(100)).protocols(httpConf))
-}
\ No newline at end of file
diff --git a/webgoat-lessons/bypass-restrictions/src/test/java/org/owasp/webgoat/plugin/BypassRestrictionsFrontendValidationTest.java b/webgoat-lessons/bypass-restrictions/src/test/java/org/owasp/webgoat/plugin/BypassRestrictionsFrontendValidationTest.java
index 34bb4dd54..4c7d630c5 100644
--- a/webgoat-lessons/bypass-restrictions/src/test/java/org/owasp/webgoat/plugin/BypassRestrictionsFrontendValidationTest.java
+++ b/webgoat-lessons/bypass-restrictions/src/test/java/org/owasp/webgoat/plugin/BypassRestrictionsFrontendValidationTest.java
@@ -21,7 +21,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
public class BypassRestrictionsFrontendValidationTest extends LessonTest {
@Before
- public void setup() throws Exception {
+ public void setup() {
when(webSession.getCurrentLesson()).thenReturn(new BypassRestrictions());
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
}
diff --git a/webgoat-lessons/cross-site-scripting/pom.xml b/webgoat-lessons/cross-site-scripting/pom.xml
index 6c99401b6..9deca9f21 100644
--- a/webgoat-lessons/cross-site-scripting/pom.xml
+++ b/webgoat-lessons/cross-site-scripting/pom.xml
@@ -8,6 +8,14 @@
webgoat-lessons-parent
v8.0.0-SNAPSHOT
+
+
+
+ org.jsoup
+ jsoup
+ 1.11.3
+
+
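Review bot: The jsoup version is now hard-coded as `1.11.3` inside this lesson pom rather than managed centrally (the same diff removes it from `webgoat-lessons/pom.xml`), which makes it easy to overlook when library versions are raised for security fixes. Prefer declaring it in the parent's `dependencyManagement` or a `${jsoup.version}` property and leaving this block version-less. Because an HTML parser in a cross-site-scripting lesson is likely to see attacker-controlled markup, check the pinned release against current advisories before shipping and note the reason for the pin in a comment if it must stay here.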
diff --git a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/ForgedReviews.java b/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/ForgedReviews.java
index f27684843..12d8cf1ce 100644
--- a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/ForgedReviews.java
+++ b/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/ForgedReviews.java
@@ -32,10 +32,8 @@
package org.owasp.webgoat.plugin;
import com.beust.jcommander.internal.Lists;
-import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.collect.EvictingQueue;
import com.google.common.collect.Maps;
-import org.apache.catalina.servlet4preview.http.HttpServletRequest;
import org.joda.time.DateTime;
import org.joda.time.format.DateTimeFormat;
import org.joda.time.format.DateTimeFormatter;
@@ -46,11 +44,11 @@ import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.WebSession;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.MediaType;
-import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;
+import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.util.Collection;
import java.util.Map;
diff --git a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/plugin/JWTFinalEndpoint.java b/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/plugin/JWTFinalEndpoint.java
index cec9fd62c..6efba6025 100644
--- a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/plugin/JWTFinalEndpoint.java
+++ b/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/plugin/JWTFinalEndpoint.java
@@ -84,7 +84,7 @@ public class JWTFinalEndpoint extends AssignmentEndpoint {
}
return null;
}
- }).parse(token);
+ }).parseClaimsJws(token);
if (errorMessage[0] != null) {
return trackProgress(failed().output(errorMessage[0]).build());
}
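Review bot: `parseClaimsJws` is the right call, but the reason should be recorded because the previous `parse()` accepted unsigned tokens and the signature check was silently skipped; add `// parseClaimsJws requires a signed JWS; parse() would accept unsigned ("alg":"none") tokens` above the call. Also note that the visible resolver branch returns `null` after setting `errorMessage[0]`; as far as I recall jjwt rejects a null resolved key by throwing (an `IllegalArgumentException`, not a `JwtException`) before the `errorMessage[0] != null` check is reached, so the surrounding catch, which like the anonymous resolver starts outside this hunk, must handle that type or the prepared feedback message is lost.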
diff --git a/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/plugin/JWTFinalEndpointTest.java b/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/plugin/JWTFinalEndpointTest.java
index fefdbe8f0..bc90c4534 100644
--- a/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/plugin/JWTFinalEndpointTest.java
+++ b/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/plugin/JWTFinalEndpointTest.java
@@ -59,4 +59,13 @@ public class JWTFinalEndpointTest extends LessonTest {
.andExpect(status().isOk())
.andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("jwt-final-jerry-account"))));
}
+
+ @Test
+ public void shouldNotBeAbleToBypassWithSimpleToken() throws Exception {
+ mockMvc.perform(MockMvcRequestBuilders.post("/JWT/final/delete")
+ .param("token", ".eyJ1c2VybmFtZSI6IlRvbSJ9.")
+ .content(""))
+ .andExpect(status().isOk())
+ .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("jwt-invalid-token"))));
+ }
}
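Review bot: The new test only covers a token with an empty header; the bypass that `parseClaimsJws` closes also includes tokens carrying an explicit `"alg":"none"` header, which is the form most tooling emits. Add a sibling test of the same shape using `.param("token", "eyJhbGciOiJub25lIn0.eyJ1c2VybmFtZSI6IlRvbSJ9.")` with the same `jwt-invalid-token` expectation, so a regression back to `parse()` is caught for both variants. A comment on the token literal, `// header-less unsigned token: must be rejected`, would also help readers who cannot decode base64url on sight.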
\ No newline at end of file
diff --git a/webgoat-lessons/pom.xml b/webgoat-lessons/pom.xml
index 1294595d7..6f28f4954 100644
--- a/webgoat-lessons/pom.xml
+++ b/webgoat-lessons/pom.xml
@@ -32,7 +32,7 @@
vulnerable-components
webgoat-introduction
webwolf-introduction
- auth-bypass
+ auth-bypass
missing-function-ac
csrf
password-reset
@@ -67,7 +67,6 @@
org.mockito
mockito-core
- 1.10.19
test
@@ -97,12 +96,6 @@
xstream
1.4.7
-
-
- org.jsoup
- jsoup
- 1.11.3
-
@@ -118,28 +111,25 @@
org.apache.maven.plugins
- maven-dependency-plugin
-
-
- copy-artifact-src
- package
-
- copy
-
-
- true
-
-
- ${project.groupId}
- ${project.artifactId}
- ${project.version}
- ${project.packaging}
-
-
- ${project.basedir}/../webgoat-container/src/main/resources/plugin_lessons
-
-
-
+ maven-surefire-plugin
+ ${maven-surefire-plugin.version}
+
+ 0
+ true
+
+ --illegal-access=permit
+
+
+
+
+ org.apache.maven.plugins
+ maven-compiler-plugin
+ ${maven-compiler-plugin.version}
+
+ 11
+ 11
+ UTF-8
+
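Review bot: The `--illegal-access=permit` argLine and the Java 11 compiler settings are undocumented, and the flag has a short shelf life: it was deprecated in JDK 16 and is ignored with a warning from JDK 17, so the next JDK bump will surface whatever reflective access it is currently masking. Add a comment such as `<!-- Spring Boot 1.5 on Java 11: permits deep reflection by the test stack; drop when upgrading Boot or the JDK -->`. As in the container pom, the `0` value (presumably `forkCount`, the element name is not visible) runs tests in-process where surefire does not pass `argLine` to any JVM, so verify the flag actually takes effect.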
diff --git a/webgoat-server/pom.xml b/webgoat-server/pom.xml
index 6317305ed..95bb65f69 100644
--- a/webgoat-server/pom.xml
+++ b/webgoat-server/pom.xml
@@ -13,83 +13,7 @@
org.owasp.webgoat.StartWebGoat
-
-
- raspberry-pi-3
-
-
- rpi
-
-
-
-
-
- com.spotify
- docker-maven-plugin
- 0.4.10
-
- webgoat/webgoat-8.0
- src/main/docker_rpi3
-
-
- /
- ${project.build.directory}
- ${project.build.finalName}.jar
-
-
- /
- ${project.basedir}/../webwolf/target
- webwolf-${project.version}.jar
-
-
-
-
-
-
-
-
- default
-
-
- !rpi
-
-
-
-
-
- com.spotify
- docker-maven-plugin
- 0.4.10
-
- webgoat/webgoat-8.0
- ${project.basedir}
-
-
- /
- ${project.build.directory}
- ${project.build.finalName}.jar
-
-
- /
- ${project.basedir}/../webwolf/target
- webwolf-${project.version}.jar
-
-
-
-
-
-
-
-
-
-
- com.spotify
- docker-maven-plugin
- 0.4.10
- test
- true
-
org.owasp.webgoat
webgoat-container
diff --git a/webwolf/pom.xml b/webwolf/pom.xml
index 385a0fbc5..c0126b712 100644
--- a/webwolf/pom.xml
+++ b/webwolf/pom.xml
@@ -28,10 +28,6 @@
commons-io
${commons-io.version}
-
- org.springframework.boot
- spring-boot-starter-cache
-
org.springframework.boot
spring-boot-starter-security
@@ -114,6 +110,17 @@
org.springframework.boot
spring-boot-maven-plugin
+
+ org.apache.maven.plugins
+ maven-surefire-plugin
+ ${maven-surefire-plugin.version}
+
+ never
+
+ --illegal-access=permit
+
+
+
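Review bot: This surefire block is inconsistent with the one added to `webgoat-container/pom.xml` in the same diff: here the fork setting is `never` (the deprecated `forkMode` value, if that is the element) while the container uses `0`/`true`. Since both settings disable forking, the `--illegal-access=permit` argLine likely never reaches a JVM in either module; align the two configurations and, if the flag is needed, fork with `<forkCount>1</forkCount>`, otherwise remove the argLine. A comment explaining why the flag is set would also stop it being carried forward past JDK 16, where it is deprecated.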