diff --git a/README.MD b/README.MD index df4c291d1..8453220ce 100644 --- a/README.MD +++ b/README.MD @@ -73,7 +73,7 @@ mvn clean package Now we are ready to run the project. WebGoat 8.x is using Spring-Boot. ```Shell -mvn -pl webgoat-container spring-boot:run +mvn -pl webgoat-assembly spring-boot:run ``` ... you should be running webgoat on localhost:8080/WebGoat momentarily diff --git a/catalina.policy b/catalina.policy deleted file mode 100644 index facb61327..000000000 --- a/catalina.policy +++ /dev/null @@ -1,3 +0,0 @@ -grant { - permission java.security.AllPermission; -}; \ No newline at end of file diff --git a/pom.xml b/pom.xml index d809fceeb..92f26f2ae 100644 --- a/pom.xml +++ b/pom.xml @@ -171,6 +171,7 @@ webgoat-container webgoat-lessons + webgoat-server diff --git a/webgoat-container/pom.xml b/webgoat-container/pom.xml index 3fed15cd1..095d2fcfc 100644 --- a/webgoat-container/pom.xml +++ b/webgoat-container/pom.xml @@ -1,11 +1,11 @@ - + org.owasp.webgoat webgoat-container 4.0.0 webgoat-container - war + jar org.owasp.webgoat @@ -13,68 +13,6 @@ 8.0-SNAPSHOT - - org.owasp.webgoat.WebGoat - - - - - raspberry-pi-3 - - - rpi - - - - - - com.spotify - docker-maven-plugin - 0.4.10 - - webgoat/webgoat-8.0 - src/main/docker_rpi3 - - - / - ${project.build.directory} - ${project.build.finalName}.war - - - - - - - - - default - - - !rpi - - - - - - com.spotify - docker-maven-plugin - 0.4.10 - - webgoat/webgoat-8.0 - src/main/docker - - - / - ${project.build.directory} - ${project.build.finalName}.war - - - - - - - - @@ -93,41 +31,6 @@ - - org.apache.maven.plugins - maven-jar-plugin - ${maven-jar-plugin.version} - - - create-jar - compile - - jar - - - - - - org.codehaus.mojo - build-helper-maven-plugin - ${build-helper-maven-plugin.version} - - - attach-artifacts - package - - attach-artifact - - - - - ${project.build.directory}/webgoat-container-${project.version}.jar - - - - - - org.apache.maven.plugins maven-resources-plugin 
@@ -157,35 +60,6 @@ never - - org.springframework.boot - spring-boot-maven-plugin - - - - - org.thymeleaf.extra - thymeleaf-extras-springsecurity4 - - - org.asciidoctor - asciidoctorj - - - org.jruby - jruby-complete - - - true - - - - - - - - - maven-clean-plugin @@ -242,6 +116,11 @@ asciidoctorj 1.5.4 + + org.liquibase + liquibase-core + 3.4.1 + org.apache.commons commons-lang3 @@ -251,6 +130,14 @@ javax.servlet jstl + + org.springframework.boot + spring-boot-starter-data-jpa + + + org.springframework.boot + spring-boot-starter-jdbc + org.springframework.boot spring-boot-starter-security @@ -297,17 +184,8 @@ guava ${guava.version} - - com.spotify - docker-maven-plugin - 0.4.10 - - - - com.thoughtworks.xstream - xstream - 1.4.6 - + + diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java b/webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java index 3d1ae40f7..a54baf21e 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java @@ -34,25 +34,20 @@ import com.google.common.collect.Maps; import com.google.common.collect.Sets; import org.asciidoctor.Asciidoctor; import org.owasp.webgoat.i18n.Language; -import org.springframework.util.StringUtils; import org.thymeleaf.TemplateProcessingParameters; import org.thymeleaf.resourceresolver.IResourceResolver; import org.thymeleaf.templateresolver.TemplateResolver; import java.io.*; -import java.nio.file.Files; -import java.nio.file.Path; import java.util.Map; -import java.util.Optional; -import java.util.function.Predicate; import static org.asciidoctor.Asciidoctor.Factory.create; /** * Thymeleaf resolver for AsciiDoc used in the lesson, can be used as follows inside a lesson file: - * + *

* - *

+ *
*
*/ public class AsciiDoctorTemplateResolver extends TemplateResolver { @@ -80,34 +75,26 @@ public class AsciiDoctorTemplateResolver extends TemplateResolver { @Override public InputStream getResourceAsStream(TemplateProcessingParameters params, String resourceName) { + InputStream is = Thread.currentThread().getContextClassLoader().getResourceAsStream(computeResourceName(resourceName)); try { - Optional adocFile = resolveAdocFile(resourceName); - if (adocFile.isPresent()) { - try (FileReader reader = new FileReader(adocFile.get().toFile())) { - StringWriter writer = new StringWriter(); - asciidoctor.convert(reader, writer, createAttributes()); - return new ByteArrayInputStream(writer.getBuffer().toString().getBytes()); - } - } - return new ByteArrayInputStream(new byte[0]); + StringWriter writer = new StringWriter(); + asciidoctor.convert(new InputStreamReader(is), writer, createAttributes()); + return new ByteArrayInputStream(writer.getBuffer().toString().getBytes()); } catch (IOException e) { //no html yet return new ByteArrayInputStream(new byte[0]); } - } - private Optional resolveAdocFile(String resourceName) throws IOException { - Optional path = Optional.empty(); - if (language.getLocale() != null) { - path = find(pluginTargetDirectory.toPath(), resourceName, language.getLocale().toString()); - } - if (!path.isPresent()) { - path = find(pluginTargetDirectory.toPath(), resourceName, null); - } - return path; + /** + * The resource name is for example HttpBasics_content1.adoc. This is always located in the following directory: + * plugin/HttpBasics/lessonPlans/en/HttpBasics_content1.adoc + */ + private String computeResourceName(String resourceName) { + return String.format("lessonPlans/%s/%s", language.getLocale().getLanguage(), resourceName); } + private Map createAttributes() { Map attributes = Maps.newHashMap(); attributes.put("source-highlighter", "coderay"); 
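Review bot: A missing lesson file no longer yields the empty stream: `getResourceAsStream(computeResourceName(resourceName))` returns null when the resource is not on the classpath, and `new InputStreamReader(is)` then throws a NullPointerException that the `catch (IOException e)` branch does not cover. The stream and reader are also never closed, and both the reader and `getBytes()` use the platform default charset, so rendering depends on the JVM's `file.encoding`. The removed code additionally guarded `language.getLocale()` against null before using it, whereas the new `computeResourceName` dereferences it unconditionally. Suggest a null guard, try-with-resources and an explicit UTF-8 charset (needs an import of `java.nio.charset.StandardCharsets`), as below.
```java
public InputStream getResourceAsStream(TemplateProcessingParameters params, String resourceName) {
    InputStream is = Thread.currentThread().getContextClassLoader().getResourceAsStream(computeResourceName(resourceName));
    if (is == null) {
        //no html yet
        return new ByteArrayInputStream(new byte[0]);
    }
    try (Reader reader = new InputStreamReader(is, StandardCharsets.UTF_8)) {
        StringWriter writer = new StringWriter();
        asciidoctor.convert(reader, writer, createAttributes());
        return new ByteArrayInputStream(writer.toString().getBytes(StandardCharsets.UTF_8));
    } catch (IOException e) {
        //no html yet
        return new ByteArrayInputStream(new byte[0]);
    }
}
// … unchanged: computeResourceName, createAttributes …
```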
@@ -119,14 +106,6 @@ public class AsciiDoctorTemplateResolver extends TemplateResolver { return options; } - private Optional find(Path path, String resourceName, String language) throws IOException { - Predicate languageFilter = p -> StringUtils.hasText(language) ? p.getParent().getFileName().toString().equals(language) : true; - return Files.walk(path) - .filter(Files::isRegularFile) - .filter(p -> p.toString().endsWith(resourceName)) - .filter(languageFilter).findFirst(); - } - @Override public String getName() { return "adocResourceResolver"; diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/LessonTemplateResolver.java b/webgoat-container/src/main/java/org/owasp/webgoat/LessonTemplateResolver.java index dd23861fc..14e983a81 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/LessonTemplateResolver.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/LessonTemplateResolver.java @@ -30,16 +30,19 @@ */ package org.owasp.webgoat; +import com.google.common.collect.Maps; import com.google.common.collect.Sets; -import com.google.common.io.Files; +import com.google.common.io.ByteStreams; +import lombok.SneakyThrows; +import org.springframework.core.io.ResourceLoader; import org.thymeleaf.TemplateProcessingParameters; import org.thymeleaf.resourceresolver.IResourceResolver; import org.thymeleaf.templateresolver.TemplateResolver; import java.io.ByteArrayInputStream; import java.io.File; -import java.io.IOException; import java.io.InputStream; +import java.util.Map; /** * Dynamically resolve a lesson. In the html file this can be invoked as: @@ -48,15 +51,18 @@ import java.io.InputStream; *
* * - * Thymeleaf will invoke this resolver based on the prefix and this implementqtion will resolve the html in the plugins directory + * Thymeleaf will invoke this resolver based on the prefix and this implementation will resolve the html in the plugins directory */ public class LessonTemplateResolver extends TemplateResolver { private final static String PREFIX = "lesson:"; private final File pluginTargetDirectory; + private ResourceLoader resourceLoader; + private Map resources = Maps.newHashMap(); - public LessonTemplateResolver(File pluginTargetDirectory) { + public LessonTemplateResolver(File pluginTargetDirectory, ResourceLoader resourceLoader) { this.pluginTargetDirectory = pluginTargetDirectory; + this.resourceLoader = resourceLoader; setResourceResolver(new LessonResourceResolver()); setResolvablePatterns(Sets.newHashSet(PREFIX + "*")); } @@ -70,17 +76,14 @@ public class LessonTemplateResolver extends TemplateResolver { private class LessonResourceResolver implements IResourceResolver { @Override + @SneakyThrows public InputStream getResourceAsStream(TemplateProcessingParameters params, String resourceName) { - File lesson = new File(pluginTargetDirectory, "/plugin/" + resourceName + "/html/" + resourceName + ".html"); - if (lesson != null) { - try { - return new ByteArrayInputStream(Files.toByteArray(lesson)); - } catch (IOException e) { - //no html yet - return new ByteArrayInputStream(new byte[0]); - } + byte[] resource = resources.get(resourceName); + if (resource == null) { + resource = ByteStreams.toByteArray(resourceLoader.getResource("classpath:/html/" + resourceName + ".html").getInputStream()); + resources.put(resourceName, resource); } - return null; + return new ByteArrayInputStream(resource); } @Override diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java b/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java index 0ce4ca9e9..b119beaab 100644 
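Review bot: The InputStream returned by `resourceLoader.getResource("classpath:/html/" + resourceName + ".html").getInputStream()` is never closed after `ByteStreams.toByteArray`, and with `@SneakyThrows` a missing lesson page now propagates an exception where the removed code returned an empty stream. The new `resources` field is a plain `Maps.newHashMap()` written on every cache miss; if this resolver is shared across request threads, as Thymeleaf resolvers usually are (inferred, not visible here), that is an unsynchronized concurrent mutation, and the map also keeps serving cached bytes regardless of the resolver's cacheable setting. `pluginTargetDirectory` is still stored in the constructor but nothing in the visible hunks reads it any more. Suggest declaring `resources` as a `ConcurrentHashMap` (import `java.util.concurrent.ConcurrentHashMap`) and loading through `computeIfAbsent` with try-with-resources, as below.
```java
@Override
public InputStream getResourceAsStream(TemplateProcessingParameters params, String resourceName) {
    byte[] resource = resources.computeIfAbsent(resourceName, this::readLesson);
    return new ByteArrayInputStream(resource);
}

@SneakyThrows
private byte[] readLesson(String name) {
    // closes the classpath stream; previously it was left open after toByteArray
    try (InputStream in = resourceLoader.getResource("classpath:/html/" + name + ".html").getInputStream()) {
        return ByteStreams.toByteArray(in);
    }
}
// … unchanged: getName …
```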
--- a/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java @@ -1,32 +1,32 @@ /** - ************************************************************************************************* - * - * + * ************************************************************************************************ + *

+ *

* This file is part of WebGoat, an Open Web Application Security Project utility. For details, * please see http://www.owasp.org/ - * + *

* Copyright (c) 2002 - 20014 Bruce Mayhew - * + *

* This program is free software; you can redistribute it and/or modify it under the terms of the * GNU General Public License as published by the Free Software Foundation; either version 2 of the * License, or (at your option) any later version. - * + *

* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * General Public License for more details. - * + *

* You should have received a copy of the GNU General Public License along with this program; if * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * 02111-1307, USA. - * + *

* Getting Source ============== - * + *

* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software * projects. * * @author WebGoat - * @since October 28, 2003 * @version $Id: $Id + * @since October 28, 2003 */ package org.owasp.webgoat; @@ -39,8 +39,11 @@ import org.owasp.webgoat.session.LabelDebugger; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.context.ApplicationContext; +import org.springframework.context.MessageSource; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; +import org.springframework.core.io.ResourceLoader; +import org.springframework.validation.beanvalidation.LocalValidatorFactoryBean; import org.springframework.web.servlet.LocaleResolver; import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry; import org.springframework.web.servlet.config.annotation.ViewControllerRegistry; @@ -70,6 +73,7 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter { registry.addViewController("/start.mvc").setViewName("main_new"); } + @Bean public TemplateResolver springThymeleafTemplateResolver(ApplicationContext applicationContext) { SpringResourceTemplateResolver resolver = new SpringResourceTemplateResolver(); @@ -82,8 +86,8 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter { } @Bean - public LessonTemplateResolver lessonTemplateResolver() { - LessonTemplateResolver resolver = new LessonTemplateResolver(pluginTargetDirectory); + public LessonTemplateResolver lessonTemplateResolver(ResourceLoader resourceLoader) { + LessonTemplateResolver resolver = new LessonTemplateResolver(pluginTargetDirectory, resourceLoader); resolver.setOrder(2); resolver.setCacheable(false); return resolver; 
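Review bot: The first hunk adds imports for `org.springframework.context.MessageSource` and `org.springframework.validation.beanvalidation.LocalValidatorFactoryBean`, but nothing in the visible hunks references either type. If the rest of the file does not use them either (the file continues outside these hunks), the two import lines should be dropped rather than left as unused imports. The `lessonTemplateResolver(ResourceLoader resourceLoader)` change itself looks consistent with the new `LessonTemplateResolver` constructor.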
@@ -92,7 +96,7 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter { @Bean public AsciiDoctorTemplateResolver asciiDoctorTemplateResolver(Language language) { AsciiDoctorTemplateResolver resolver = new AsciiDoctorTemplateResolver(pluginTargetDirectory, language); - resolver.setCacheable(true); + resolver.setCacheable(false); resolver.setOrder(3); return resolver; } @@ -116,11 +120,18 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter { @Override public void addResourceHandlers(ResourceHandlerRegistry registry) { registry.addResourceHandler("/plugin_lessons/**").addResourceLocations("file:///" + pluginTargetDirectory.toString() + "/"); + //registry.addResourceHandler("/images/**").addResourceLocations("classpath:/plugin/VulnerableComponents/images/"); + registry.addResourceHandler("/images/**").addResourceLocations("classpath:/images/"); + registry.addResourceHandler("/lesson_js/**").addResourceLocations("classpath:/js/"); + registry.addResourceHandler("/lesson_css/**").addResourceLocations("classpath:/css/"); + super.addResourceHandlers(registry); } @Bean public PluginMessages pluginMessages(Messages messages, Language language) { - return new PluginMessages(messages, language); + PluginMessages pluginMessages = new PluginMessages(messages, language); + pluginMessages.setBasenames("i18n/WebGoatLabels"); + return pluginMessages; } @Bean @@ -131,7 +142,7 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter { @Bean public Messages messageSource(Language language) { Messages messages = new Messages(language); - messages.setBasename("classpath:/i18n/messages"); + messages.setBasename("classpath:i18n/messages"); return messages; } diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java b/webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java index 588cf51a7..9e88dec97 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java 
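Review bot: The commented-out line `//registry.addResourceHandler("/images/**").addResourceLocations("classpath:/plugin/VulnerableComponents/images/");` in `addResourceHandlers` is dead code and should be deleted rather than committed; the live `/images/**` mapping directly below it already expresses the intended location. In `pluginMessages`, `pluginMessages.setBasenames("i18n/WebGoatLabels")` competes with the `setBasename("WebGoatLabels")` the `PluginMessages` constructor sets in this same commit; `setBasenames` replaces any existing basenames, so the constructor value is silently discarded and the two locations disagree on the path. Pick one place to own the basename, preferably the bean method, and remove the other call.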
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java @@ -34,13 +34,9 @@ import com.fasterxml.jackson.annotation.JsonInclude; import lombok.SneakyThrows; import lombok.extern.slf4j.Slf4j; import org.apache.catalina.Context; -import org.owasp.webgoat.i18n.PluginMessages; -import org.owasp.webgoat.plugins.PluginClassLoader; import org.owasp.webgoat.plugins.PluginEndpointPublisher; -import org.owasp.webgoat.plugins.PluginsExtractor; import org.owasp.webgoat.plugins.PluginsLoader; import org.owasp.webgoat.session.*; -import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.beans.factory.annotation.Value; import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; @@ -86,16 +82,6 @@ public class WebGoat extends SpringBootServletInitializer { return new File(webgoatHome); } - @Bean - public PluginClassLoader pluginClassLoader() { - return new PluginClassLoader(PluginClassLoader.class.getClassLoader()); - } - - @Bean - public PluginsExtractor pluginsLoader(@Qualifier("pluginTargetDirectory") File pluginTargetDirectory, PluginClassLoader classLoader, PluginMessages messages) { - return new PluginsExtractor(pluginTargetDirectory, classLoader, messages); - } - @Bean @Scope(value = "session", proxyMode = ScopedProxyMode.TARGET_CLASS) public WebSession webSession(WebgoatContext webgoatContext) { @@ -114,8 +100,8 @@ public class WebGoat extends SpringBootServletInitializer { } @Bean - public Course course(PluginsExtractor extractor, PluginEndpointPublisher pluginEndpointPublisher) { - return new PluginsLoader(extractor, pluginEndpointPublisher).loadPlugins(); + public Course course(PluginEndpointPublisher pluginEndpointPublisher) { + return new PluginsLoader(pluginEndpointPublisher).loadPlugins(); } @Bean 
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java b/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java index 92f5a4bd4..7bc8e7f79 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java @@ -1,6 +1,6 @@ /** - ************************************************************************************************* + * ************************************************************************************************ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, * please see http://www.owasp.org/ *

@@ -25,11 +25,13 @@ *

* * @author WebGoat - * @since December 12, 2015 * @version $Id: $Id + * @since December 12, 2015 */ package org.owasp.webgoat; +import lombok.AllArgsConstructor; +import org.owasp.webgoat.users.UserService; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; @@ -45,16 +47,20 @@ import org.springframework.security.core.userdetails.UserDetailsService; * Security configuration for WebGoat. */ @Configuration +@AllArgsConstructor @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { + + private final UserService userDetailsService; + @Override protected void configure(HttpSecurity http) throws Exception { ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry security = http .authorizeRequests() - .antMatchers("/css/**", "/images/**", "/js/**", "fonts/**", "/plugins/**").permitAll() + .antMatchers("/css/**", "/images/**", "/js/**", "fonts/**", "/plugins/**", "/registration", "/register.mvc").permitAll() .antMatchers("/servlet/AdminServlet/**").hasAnyRole("WEBGOAT_ADMIN", "SERVER_ADMIN") // .antMatchers("/JavaSource/**").hasRole("SERVER_ADMIN") // - .anyRequest().hasAnyRole("WEBGOAT_USER", "WEBGOAT_ADMIN", "SERVER_ADMIN"); + .anyRequest().authenticated(); security.and() .formLogin() .loginPage("/login") 
@@ -79,15 +85,12 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { - auth.inMemoryAuthentication() - .withUser("guest").password("guest").roles("WEBGOAT_USER").and() // - .withUser("webgoat").password("webgoat").roles("WEBGOAT_ADMIN").and() // - .withUser("server").password("server").roles("SERVER_ADMIN"); + auth.userDetailsService(userDetailsService); //.passwordEncoder(bCryptPasswordEncoder()); } @Bean @Override public UserDetailsService userDetailsServiceBean() throws Exception { - return super.userDetailsServiceBean(); + return userDetailsService; } } \ No newline at end of file diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/Endpoint.java b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/Endpoint.java index 46f8e47a9..746ac412d 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/Endpoint.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/Endpoint.java 
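Review bot: `auth.userDetailsService(userDetailsService); //.passwordEncoder(bCryptPasswordEncoder());` registers the user store with no password encoder, so the stored credential is compared to the submitted password as-is and the database must hold plaintext passwords; the trailing commented-out call documents the intended design but does not implement it. Suggest `auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());` and hashing with the same encoder wherever `UserService` stores a new password (the registration side is outside this diff, so that part is inferred). If plaintext storage is deliberate for this build, a comment saying so should replace the dangling `//.passwordEncoder(...)` fragment.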
@@ -25,35 +25,10 @@ package org.owasp.webgoat.assignments; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.boot.actuate.endpoint.mvc.MvcEndpoint; -import java.io.File; - public abstract class Endpoint implements MvcEndpoint { - @Autowired - @Qualifier("pluginTargetDirectory") - private File pluginDirectory; - - /** - * The directory of the plugin directory in which the lessons resides, so if you want to access the lesson 'ClientSideFiltering' you will - * need to: - * - * - * File lessonDirectory = new File(getPluginDirectory(), "ClientSideFiltering"); - * - * - * The directory structure of the lesson is exactly the same as the directory structure in the plugins project. - * - * @return the top level - */ - protected File getPluginDirectory() { - return new File(this.pluginDirectory, "plugin"); - } - - @Override public final boolean isSensitive() { return false; diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/controller/Welcome.java b/webgoat-container/src/main/java/org/owasp/webgoat/controller/Welcome.java index 546b1f992..44fe432de 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/controller/Welcome.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/controller/Welcome.java @@ -55,7 +55,7 @@ public class Welcome { * @param request a {@link javax.servlet.http.HttpServletRequest} object. * @return a {@link org.springframework.web.servlet.ModelAndView} object. */ - @RequestMapping(path = "welcome.mvc", method = RequestMethod.GET) + @RequestMapping(path = {"welcome.mvc", "/"}, method = RequestMethod.GET) public ModelAndView welcome(HttpServletRequest request) { // set the welcome attribute diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/i18n/PluginMessages.java b/webgoat-container/src/main/java/org/owasp/webgoat/i18n/PluginMessages.java index 235669f68..163909724 100644 
--- a/webgoat-container/src/main/java/org/owasp/webgoat/i18n/PluginMessages.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/i18n/PluginMessages.java @@ -27,29 +27,45 @@ package org.owasp.webgoat.i18n; import lombok.SneakyThrows; import org.springframework.context.support.ReloadableResourceBundleMessageSource; -import org.springframework.core.io.Resource; -import org.springframework.core.io.ResourceLoader; -import org.springframework.core.io.UrlResource; -import java.io.File; +import java.net.URL; +import java.util.Enumeration; import java.util.Properties; /** - * Message resource bundle for plugins. The files is created after startup during the init of the plugins so we - * need to load this file through a ResourceLoader instead of location on the classpath. + * Message resource bundle for plugins. * * @author nbaars * @date 2/4/17 */ public class PluginMessages extends ReloadableResourceBundleMessageSource { + private static final String PROPERTIES_SUFFIX = ".properties"; private Language language; public PluginMessages(Messages messages, Language language) { this.language = language; this.setParentMessageSource(messages); + this.setBasename("WebGoatLabels"); } + @Override + @SneakyThrows + protected PropertiesHolder refreshProperties(String filename, PropertiesHolder propHolder) { + Properties properties = new Properties(); + long lastModified = System.currentTimeMillis(); + + Enumeration resources = Thread.currentThread().getContextClassLoader().getResources(filename + PROPERTIES_SUFFIX); + while (resources.hasMoreElements()) { + URL resource = resources.nextElement(); + String sourcePath = resource.toURI().toString().replace(PROPERTIES_SUFFIX, ""); + PropertiesHolder holder = super.refreshProperties(sourcePath, propHolder); + properties.putAll(holder.getProperties()); + } + return new PropertiesHolder(properties, lastModified); + } + + public Properties getMessages() { return getMergedProperties(language.getLocale()).getProperties(); } 
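Review bot: In the new `refreshProperties` override, `resource.toURI().toString().replace(PROPERTIES_SUFFIX, "")` removes every occurrence of `.properties` in the URI, not just the trailing file suffix, so a jar or directory name containing that substring would produce a path that `super.refreshProperties` cannot find. Strip only the suffix, e.g. `String uri = resource.toURI().toString();` followed by `String sourcePath = uri.endsWith(PROPERTIES_SUFFIX) ? uri.substring(0, uri.length() - PROPERTIES_SUFFIX.length()) : uri;`. `@SneakyThrows` also hides the `IOException`/`URISyntaxException` from `getResources` and `toURI`; a failed bundle lookup will surface as an unchecked exception during message resolution, which is worth a comment on the method if that is intended.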
@@ -61,20 +77,4 @@ public class PluginMessages extends ReloadableResourceBundleMessageSource { public String getMessage(String code, String defaultValue, Object... args) { return super.getMessage(code, args, defaultValue, language.getLocale()); } - - public void addPluginMessageBundles(final File i18nPluginDirectory) { - this.setBasename("WebGoatLabels"); - this.setResourceLoader(new ResourceLoader() { - @Override - @SneakyThrows - public Resource getResource(String location) { - return new UrlResource(new File(i18nPluginDirectory, location).toURI()); - } - - @Override - public ClassLoader getClassLoader() { - return Thread.currentThread().getContextClassLoader(); - } - }); - } } diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/MessagePropertyMerger.java b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/MessagePropertyMerger.java deleted file mode 100644 index 04760d0bf..000000000 --- a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/MessagePropertyMerger.java +++ /dev/null @@ -1,72 +0,0 @@ -/* - * This file is part of WebGoat, an Open Web Application Security Project utility. For details, - * please see http://www.owasp.org/ - *

- * Copyright (c) 2002 - 2017 Bruce Mayhew - *

- * This program is free software; you can redistribute it and/or modify it under the terms of the - * GNU General Public License as published by the Free Software Foundation; either version 2 of the - * License, or (at your option) any later version. - *

- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without - * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * General Public License for more details. - *

- * You should have received a copy of the GNU General Public License along with this program; if - * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA - * 02111-1307, USA. - *

- * Getting Source ============== - *

- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software - * projects. - *

- */ -package org.owasp.webgoat.plugins; - -import lombok.SneakyThrows; - -import java.io.File; -import java.io.FileInputStream; -import java.io.FileOutputStream; -import java.io.InputStream; -import java.util.Properties; -import java.util.zip.ZipEntry; -import java.util.zip.ZipFile; - -import static com.google.common.io.Files.createParentDirs; - -/** - * Merges the main message.properties with the plugins WebGoatLabels - */ -public class MessagePropertyMerger { - - private final File targetDirectory; - - public MessagePropertyMerger(File targetDirectory) { - this.targetDirectory = targetDirectory; - } - - @SneakyThrows - public void merge(ZipFile zipFile, ZipEntry zipEntry) { - Properties messageProperties = new Properties(); - try (InputStream zis = zipFile.getInputStream(zipEntry)) { - messageProperties.load(zis); - } - - Properties messagesFromHome = new Properties(); - File pluginMessageFiles = new File(targetDirectory, zipEntry.getName()); - if (pluginMessageFiles.exists()) { - try (FileInputStream fis = new FileInputStream(pluginMessageFiles)) { - messagesFromHome.load(fis); - } - } - - messageProperties.putAll(messagesFromHome); - - createParentDirs(pluginMessageFiles); - try (FileOutputStream fos = new FileOutputStream(pluginMessageFiles)) { - messageProperties.store(fos, "Plugin message properties"); - } - } -} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/Plugin.java b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/Plugin.java deleted file mode 100644 index 319921aa1..000000000 --- a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/Plugin.java +++ /dev/null 
@@ -1,132 +0,0 @@ -package org.owasp.webgoat.plugins; - -import com.google.common.base.Optional; -import com.google.common.collect.Lists; -import lombok.Getter; -import org.owasp.webgoat.assignments.AssignmentEndpoint; -import org.owasp.webgoat.assignments.AssignmentHints; -import org.owasp.webgoat.assignments.AssignmentPath; -import org.owasp.webgoat.assignments.Endpoint; -import org.owasp.webgoat.lessons.AbstractLesson; -import org.owasp.webgoat.lessons.Assignment; -import org.owasp.webgoat.lessons.NewLesson; -import org.springframework.util.StringUtils; - -import java.io.File; -import java.nio.file.Path; -import java.util.List; - -import static java.util.stream.Collectors.toList; -import static org.owasp.webgoat.plugins.PluginFileUtils.fileEndsWith; - -/** - *

Plugin class.

- * - * @author dm - * @version $Id: $Id - */ -public class Plugin { - - @Getter - private final String originationJar; - private PluginClassLoader classLoader; - private Class newLesson; - @Getter - private List> assignments = Lists.newArrayList(); - @Getter - private List> endpoints = Lists.newArrayList(); - private List pluginFiles = Lists.newArrayList(); - - public Plugin(PluginClassLoader classLoader, String originatingJar) { - this.classLoader = classLoader; - this.originationJar = originatingJar; - } - - /** - *

findLesson.

- * - * @param classes a {@link java.util.List} object. - */ - public void findLesson(List classes) { - for (String clazzName : classes) { - findLesson(clazzName); - } - } - - private void findLesson(String name) { - String realClassName = StringUtils.trimLeadingCharacter(name, '/').replaceAll("/", ".").replaceAll(".class", ""); - - try { - Class clazz = classLoader.loadClass(realClassName); - if (NewLesson.class.isAssignableFrom(clazz)) { - this.newLesson = clazz; - } - } catch (ClassNotFoundException ce) { - throw new PluginLoadingFailure("Class " + realClassName + " listed in jar but unable to load the class.", ce); - } - } - - public void findEndpoints(List classes) { - for (String clazzName : classes) { - String realClassName = StringUtils.trimLeadingCharacter(clazzName, '/').replaceAll("/", ".").replaceAll(".class", ""); - - try { - Class clazz = classLoader.loadClass(realClassName); - - if (AssignmentEndpoint.class.isAssignableFrom(clazz)) { - this.assignments.add(clazz); - } else - if (Endpoint.class.isAssignableFrom(clazz)) { - this.endpoints.add(clazz); - } - } catch (ClassNotFoundException ce) { - throw new PluginLoadingFailure("Class " + realClassName + " listed in jar but unable to load the class.", ce); - } - } - } - - /** - *

loadFiles.

- * - * @param file a {@link java.nio.file.Path} object. - */ - public void loadFiles(Path file) { - if (fileEndsWith(file, ".css", ".jsp", ".js")) { - pluginFiles.add(file.toFile()); - } - } - - /** - * Lesson is optional, it is also possible that the supplied jar contains only helper classes. - * - * @return a {@link com.google.common.base.Optional} object. - */ - public Optional getLesson() { - try { - if (newLesson != null) { - AbstractLesson lesson = newLesson.newInstance(); - lesson.setAssignments(createAssignment(assignments)); - return Optional.of(lesson); - } - } catch (IllegalAccessException | InstantiationException e) { - throw new PluginLoadingFailure("Unable to instantiate the lesson " + newLesson.getName(), e); - } - return Optional.absent(); - } - - - private List createAssignment(List> endpoints) { - return endpoints.stream().map(e -> new Assignment(e.getSimpleName(), getPath(e), getHints(e))).collect(toList()); - } - - private String getPath(Class e) { - return e.getAnnotationsByType(AssignmentPath.class)[0].value(); - } - - private List getHints(Class e) { - if (e.isAnnotationPresent(AssignmentHints.class)) { - return Lists.newArrayList(e.getAnnotationsByType(AssignmentHints.class)[0].value()); - } - return Lists.newArrayList(); - } -} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginClassLoader.java b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginClassLoader.java deleted file mode 100644 index 24aa42041..000000000 --- a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginClassLoader.java +++ /dev/null @@ -1,16 +0,0 @@ -package org.owasp.webgoat.plugins; - -import java.net.URL; -import java.net.URLClassLoader; - -public class PluginClassLoader extends URLClassLoader { - - public PluginClassLoader(ClassLoader parent) { - super(new URL[] {}, parent); - } - - @Override - public void addURL(URL url) { - super.addURL(url); - } -} 
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginEndpointPublisher.java b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginEndpointPublisher.java index 91f95ff2e..d3a2a333e 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginEndpointPublisher.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginEndpointPublisher.java @@ -1,6 +1,7 @@ package org.owasp.webgoat.plugins; import lombok.extern.slf4j.Slf4j; +import org.owasp.webgoat.assignments.Endpoint; import org.springframework.beans.factory.annotation.Autowire; import org.springframework.beans.factory.config.BeanDefinition; import org.springframework.beans.factory.support.DefaultListableBeanFactory; @@ -9,6 +10,8 @@ import org.springframework.boot.actuate.endpoint.mvc.MvcEndpoint; import org.springframework.context.ApplicationContext; import org.springframework.context.support.AbstractApplicationContext; +import java.util.List; + /** * ************************************************************************************************ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, @@ -47,9 +50,8 @@ public class PluginEndpointPublisher { this.applicationContext = (AbstractApplicationContext) applicationContext; } - public void publish(Plugin plugin) { - plugin.getAssignments().forEach(e -> publishEndpoint(e)); - plugin.getEndpoints().forEach(e -> publishEndpoint(e)); + public void publish(List> endpoints) { + endpoints.forEach(e -> publishEndpoint(e)); } private void publishEndpoint(Class e) { diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginExtractor.java b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginExtractor.java deleted file mode 100644 index 084a3a87e..000000000 --- a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginExtractor.java +++ /dev/null 
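Review bot: `endpoints.forEach(e -> publishEndpoint(e));` in the new `publish(List<Class<? extends Endpoint>> endpoints)` is a lambda that only forwards its argument; the method reference `endpoints.forEach(this::publishEndpoint);` reads more directly. The signature's element type was lost in this rendering, so I cannot confirm it is bounded to `Endpoint`; if it is a raw or unbounded `Class`, constraining it to `Class<? extends Endpoint>` would keep the previous guarantee that only endpoint classes are published as beans.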
@@ -1,123 +0,0 @@ -package org.owasp.webgoat.plugins; - -import com.google.common.collect.Lists; -import com.google.common.io.Files; -import org.apache.commons.fileupload.util.Streams; - -import java.io.File; -import java.io.FileOutputStream; -import java.io.IOException; -import java.nio.file.Path; -import java.util.ArrayList; -import java.util.Enumeration; -import java.util.List; -import java.util.zip.ZipEntry; -import java.util.zip.ZipFile; - -/** - * Extract the jar file and place them in the system temp directory in the folder webgoat and collect the files - * and classes. - * - * @author dm - * @version $Id: $Id - */ -public class PluginExtractor { - - private final List classes = Lists.newArrayList(); - private final List files = new ArrayList<>(); - - /** - *

extractJarFile.

- * - * @param archive a {@link java.io.File} object. - * @param targetDirectory a {@link java.io.File} object. - * @return a {@link org.owasp.webgoat.plugins.Plugin} object. - * @throws java.io.IOException if any. - */ - public Plugin extractJarFile(final File archive, final File targetDirectory, PluginClassLoader cl) throws IOException { - ZipFile zipFile = new ZipFile(archive); - Plugin plugin = new Plugin(cl, zipFile.getName()); - try { - Enumeration entries = zipFile.entries(); - while (entries.hasMoreElements()) { - final ZipEntry zipEntry = entries.nextElement(); - if (shouldProcessFile(zipEntry)) { - boolean processed = processClassFile(zipFile, zipEntry, targetDirectory); - - if (!processed) { - processed = processPropertyFile(zipFile, zipEntry, targetDirectory); - } - if (!processed) { - processFile(plugin, zipFile, zipEntry, targetDirectory); - } - } - } - } finally { - plugin.findLesson(this.classes); - plugin.findEndpoints(this.classes); - zipFile.close(); - } - return plugin; - } - - private void processFile(Plugin plugin, ZipFile zipFile, ZipEntry zipEntry, File targetDirectory) - throws IOException { - final File targetFile = new File(targetDirectory, zipEntry.getName()); - copyFile(zipFile, zipEntry, targetFile, false); - plugin.loadFiles(targetFile.toPath()); - } - - private boolean processPropertyFile(ZipFile zipFile, ZipEntry zipEntry, File targetDirectory) - throws IOException { - if (zipEntry.getName().endsWith(".properties")) { - final File targetFile = new File(targetDirectory, zipEntry.getName()); - if ("WebGoatLabels.properties".equals(targetFile.getName())) { - new MessagePropertyMerger(targetDirectory).merge(zipFile, zipEntry); - } - copyFile(zipFile, zipEntry, targetFile, true); - return true; - } - return false; - } - - private boolean processClassFile(ZipFile zipFile, ZipEntry zipEntry, File targetDirectory) throws IOException { - if (zipEntry.getName().endsWith(".class")) { - classes.add(zipEntry.getName()); - final File targetFile = 
new File(targetDirectory, zipEntry.getName()); - copyFile(zipFile, zipEntry, targetFile, false); - return true; - } - return false; - } - - private boolean shouldProcessFile(ZipEntry zipEntry) { - return !zipEntry.isDirectory() && !zipEntry.getName().startsWith("META-INF"); - } - - private File copyFile(ZipFile zipFile, ZipEntry zipEntry, File targetFile, boolean append) throws IOException { - Files.createParentDirs(targetFile); - try (FileOutputStream fos = new FileOutputStream(targetFile, append)) { - Streams.copy(zipFile.getInputStream(zipEntry), fos, true); - } - return targetFile; - } - - - /** - *

Getter for the field classes.

- * - * @return a {@link java.util.List} object. - */ - public List getClasses() { - return this.classes; - } - - /** - *

Getter for the field files.

- * - * @return a {@link java.util.List} object. - */ - public List getFiles() { - return this.files; - } -} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginFileUtils.java b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginFileUtils.java deleted file mode 100644 index d744f2dac..000000000 --- a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginFileUtils.java +++ /dev/null @@ -1,107 +0,0 @@ -package org.owasp.webgoat.plugins; - - -import com.google.common.base.Preconditions; -import lombok.experimental.UtilityClass; -import org.apache.commons.io.IOUtils; - -import java.io.File; -import java.io.FileInputStream; -import java.io.IOException; -import java.nio.charset.StandardCharsets; -import java.nio.file.Files; -import java.nio.file.Path; -import java.util.Collection; - -/** - *

PluginFileUtils class.

- * - * @version $Id: $Id - * @author dm - */ -@UtilityClass -public class PluginFileUtils { - - /** - *

fileEndsWith.

- * - * @param p a {@link java.nio.file.Path} object. - * @param s a {@link java.lang.String} object. - * @return a boolean. - */ - public static boolean fileEndsWith(Path p, String s) { - return p.getFileName().toString().endsWith(s); - } - - /** - *

fileEndsWith.

- * - * @param p a {@link java.nio.file.Path} object. - * @param suffixes a {@link java.lang.String} object. - * @return a boolean. - */ - public static boolean fileEndsWith(Path p, String... suffixes) { - for (String suffix : suffixes) { - if (fileEndsWith(p, suffix)) { - return true; - } - } - return false; - } - - /** - *

hasParentDirectoryWithName.

- * - * @param p a {@link java.nio.file.Path} object. - * @param s a {@link java.lang.String} object. - * @return a boolean. - */ - public static boolean hasParentDirectoryWithName(Path p, String s) { - if (p == null || p.getParent() == null || p.getParent().equals(p.getRoot())) { - return false; - } - if (p.getParent().getFileName().toString().equals(s)) { - return true; - } - return hasParentDirectoryWithName(p.getParent(), s); - } - - /** - *

replaceInFiles.

- * - * @param replace a {@link java.lang.String} object. - * @param with a {@link java.lang.String} object. - * @param files a {@link java.util.Collection} object. - * @throws java.io.IOException if any. - */ - public static void replaceInFiles(String replace, String with, Collection files) throws IOException { - Preconditions.checkNotNull(replace); - Preconditions.checkNotNull(with); - Preconditions.checkNotNull(files); - - for (File file : files) { - replaceInFile(replace, with, file); - } - } - - /** - *

replaceInFile.

- * - * @param replace a {@link java.lang.String} object. - * @param with a {@link java.lang.String} object. - * @param file a {@link java.nio.file.Path} object. - * @throws java.io.IOException if any. - */ - public static void replaceInFile(String replace, String with, File file) throws IOException { - Preconditions.checkNotNull(replace); - Preconditions.checkNotNull(with); - Preconditions.checkNotNull(file); - - String fileAsString = ""; - try (FileInputStream fis = new FileInputStream(file);) { - fileAsString = IOUtils.toString(fis, StandardCharsets.UTF_8.name()); - fileAsString = fileAsString.replaceAll(replace, with); - } - Files.write(file.toPath(), fileAsString.getBytes()); - } -} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginResource.java b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginResource.java new file mode 100644 index 000000000..c84f07da2 --- /dev/null +++ b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginResource.java 
@@ -0,0 +1,46 @@ +package org.owasp.webgoat.plugins; + +import lombok.AllArgsConstructor; +import lombok.Getter; +import org.owasp.webgoat.assignments.AssignmentEndpoint; +import org.owasp.webgoat.assignments.Endpoint; +import org.owasp.webgoat.lessons.NewLesson; + +import java.net.URL; +import java.util.List; +import java.util.Optional; +import java.util.stream.Collectors; + +/** + * Plugin resource + * + * @author nbaars + * @since 3/4/17. + */ +@AllArgsConstructor +@Getter +public class PluginResource { + + private final URL location; + private final List classes; + + public Optional getLesson() { + return classes.stream().filter(c -> c.getSuperclass() == NewLesson.class).findFirst(); + } + + public List> getEndpoints() { + return classes.stream(). + filter(c -> c.getSuperclass() == AssignmentEndpoint.class || c.getSuperclass() == Endpoint.class). + map(c -> (Class)c). + collect(Collectors.toList()); + } + + public List> getAssignments() { + return classes.stream(). + filter(c -> c.getSuperclass() == AssignmentEndpoint.class). + map(c -> (Class)c). + collect(Collectors.toList()); + } + + +} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginsExtractor.java b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginsExtractor.java deleted file mode 100644 index d18ed7c50..000000000 --- a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginsExtractor.java +++ /dev/null @@ -1,162 +0,0 @@ -package org.owasp.webgoat.plugins; - -import com.google.common.collect.Lists; -import lombok.extern.slf4j.Slf4j; -import org.apache.commons.io.FileUtils; -import org.owasp.webgoat.i18n.PluginMessages; -import org.springframework.util.ResourceUtils; - -import java.io.*; -import java.net.URL; -import java.nio.file.*; -import java.nio.file.attribute.BasicFileAttributes; -import java.util.Enumeration; -import java.util.List; -import java.util.concurrent.*; -import java.util.zip.ZipEntry; -import java.util.zip.ZipFile; - -/** - *
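Review bot: `getLesson()` and `getEndpoints()` compare `c.getSuperclass()` against the base type by identity, so only direct subclasses of `NewLesson`, `AssignmentEndpoint` and `Endpoint` are recognised and a lesson or endpoint that extends an intermediate base class is silently left out of the course. Whether any plugin does that is not visible here, but the scanner in `PluginsLoader` already collects every class under `org.owasp.webgoat.plugin`, so the safer filter is `NewLesson.class.isAssignableFrom(c) && !Modifier.isAbstract(c.getModifiers())` (and likewise for the two endpoint types). That keeps abstract helpers out while accepting deeper hierarchies, and the same predicate can back `getAssignments()`.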

PluginsLoader class.

- * - * @author dm - * @version $Id: $Id - */ -@Slf4j -public class PluginsExtractor { - - private static final String WEBGOAT_PLUGIN_EXTENSION = "jar"; - private static final int BUFFER_SIZE = 32 * 1024; - private final File pluginTargetDirectory; - private final PluginClassLoader classLoader; - private final PluginMessages messages; - - public PluginsExtractor(File pluginTargetDirectory, PluginClassLoader pluginClassLoader, PluginMessages messages) { - this.classLoader = pluginClassLoader; - this.pluginTargetDirectory = pluginTargetDirectory; - this.messages = messages; - } - - /** - *

loadPlugins.

- * - * @return a {@link java.util.List} object. - */ - public List loadPlugins() { - List plugins = Lists.newArrayList(); - try { - URL location = this.getClass().getProtectionDomain().getCodeSource().getLocation(); - log.trace("Determining whether we run as standalone jar or as directory..."); - if (ResourceUtils.isFileURL(location)) { - log.trace("Running from directory, copying lessons from {}", location.toString()); - extractToTargetDirectoryFromExplodedDirectory(ResourceUtils.getFile(location)); - } else { - log.trace("Running from standalone jar, extracting lessons from {}", location.toString()); - extractToTargetDirectoryFromJarFile(ResourceUtils.getFile(ResourceUtils.extractJarFileURL(location))); - } - List jars = listJars(); - plugins = processPlugins(jars); - } catch (Exception e) { - log.error("Loading plugins failed", e); - } - return plugins; - } - - private void extractToTargetDirectoryFromJarFile(File jarFile) throws IOException { - ZipFile jar = new ZipFile(jarFile); - Enumeration entries = jar.entries(); - while (entries.hasMoreElements()) { - ZipEntry zipEntry = entries.nextElement(); - if (zipEntry.getName().contains("plugin_lessons") && zipEntry.getName().endsWith(".jar")) { - unpack(jar, zipEntry); - } - } - } - - private void unpack(ZipFile jar, ZipEntry zipEntry) throws IOException { - try (InputStream inputStream = jar.getInputStream(zipEntry)) { - String name = zipEntry.getName(); - if (name.lastIndexOf("/") != -1) { - name = name.substring(name.lastIndexOf("/") + 1); - } - try (OutputStream outputStream = new FileOutputStream(new File(pluginTargetDirectory, name))) { - byte[] buffer = new byte[BUFFER_SIZE]; - int bytesRead = -1; - while ((bytesRead = inputStream.read(buffer)) != -1) { - outputStream.write(buffer, 0, bytesRead); - } - outputStream.flush(); - } - } - log.trace("Extracting {} to {}", jar.getName(), pluginTargetDirectory); - } - - private void extractToTargetDirectoryFromExplodedDirectory(File directory) throws IOException { 
- Files.walkFileTree(directory.toPath(), new SimpleFileVisitor() { - @Override - public FileVisitResult preVisitDirectory(Path dir, BasicFileAttributes attrs) throws IOException { - if (dir.endsWith("plugin_lessons")) { - log.trace("Copying {} to {}", dir.toString(), pluginTargetDirectory); - FileUtils.copyDirectory(dir.toFile(), pluginTargetDirectory); - } - return FileVisitResult.CONTINUE; - } - }); - } - - private List listJars() throws Exception { - final List jars = Lists.newArrayList(); - Files.walkFileTree(Paths.get(pluginTargetDirectory.toURI()), new SimpleFileVisitor() { - - @Override - public FileVisitResult visitFile(Path file, BasicFileAttributes attrs) throws IOException { - if (PluginFileUtils.fileEndsWith(file, WEBGOAT_PLUGIN_EXTENSION)) { - jars.add(file.toUri().toURL()); - log.trace("Found jar file at location: {}", file.toString()); - } - return FileVisitResult.CONTINUE; - } - }); - return jars; - } - - private List processPlugins(List jars) throws Exception { - final ExecutorService executorService = Executors.newFixedThreadPool(10); - try { - final List plugins = Lists.newArrayList(); - final CompletionService completionService = new ExecutorCompletionService<>(executorService); - final List> callables = extractJars(jars); - - callables.forEach(s -> completionService.submit(s)); - int n = callables.size(); - - for (int i = 0; i < n; i++) { - Plugin plugin = completionService.take().get(); - if (plugin.getLesson().isPresent()) { - log.trace("Plugin jar '{}' contains a lesson, loading into WebGoat...", plugin.getOriginationJar()); - plugins.add(plugin); - } else { - log.trace("Plugin jar: '{}' does not contain a lesson not processing as a plugin (can be a utility jar)", - plugin.getOriginationJar()); - } - } - messages.addPluginMessageBundles(new File(pluginTargetDirectory, "plugin/i18n")); - return plugins; - } finally { - executorService.shutdown(); - } - } - - private List> extractJars(List jars) { - List> extractorCallables = 
Lists.newArrayList(); - - for (final URL jar : jars) { - classLoader.addURL(jar); - extractorCallables.add(() -> { - PluginExtractor extractor = new PluginExtractor(); - return extractor.extractJarFile(ResourceUtils.getFile(jar), pluginTargetDirectory, classLoader); - }); - } - return extractorCallables; - } -} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginsLoader.java b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginsLoader.java index 7c2f1fae6..50a255381 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginsLoader.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginsLoader.java @@ -1,13 +1,29 @@ package org.owasp.webgoat.plugins; import com.google.common.collect.Lists; +import com.google.common.collect.Maps; import lombok.AllArgsConstructor; +import lombok.SneakyThrows; import lombok.extern.slf4j.Slf4j; +import org.owasp.webgoat.assignments.AssignmentEndpoint; +import org.owasp.webgoat.assignments.AssignmentHints; +import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.lessons.AbstractLesson; +import org.owasp.webgoat.lessons.Assignment; import org.owasp.webgoat.lessons.NewLesson; import org.owasp.webgoat.session.Course; +import org.springframework.beans.factory.config.BeanDefinition; +import org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider; +import org.springframework.core.type.filter.RegexPatternTypeFilter; +import java.net.URL; import java.util.List; +import java.util.Map; +import java.util.Set; +import java.util.regex.Pattern; +import java.util.stream.Collectors; + +import static java.util.stream.Collectors.toList; /** * ************************************************************************************************ @@ -42,7 +58,6 @@ import java.util.List; @Slf4j public class PluginsLoader { - private final PluginsExtractor extractor; private final PluginEndpointPublisher pluginEndpointPublisher; /** 
@@ -50,11 +65,15 @@ public class PluginsLoader { */ public Course loadPlugins() { List lessons = Lists.newArrayList(); - for (Plugin plugin : extractor.loadPlugins()) { + for (PluginResource plugin : findPluginResources()) { try { - NewLesson lesson = (NewLesson) plugin.getLesson().get(); + Class lessonClazz = plugin.getLesson() + .orElseThrow(() -> new PluginLoadingFailure("Plugin resource does not contain lesson")); + NewLesson lesson = (NewLesson) lessonClazz.newInstance(); + List> assignments = plugin.getAssignments(); + lesson.setAssignments(createAssignment(assignments)); lessons.add(lesson); - pluginEndpointPublisher.publish(plugin); + pluginEndpointPublisher.publish(plugin.getEndpoints()); } catch (Exception e) { log.error("Error in loadLessons: ", e); } 
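Review bot: `lessonClazz.newInstance()` needs a public no-arg constructor and rethrows any checked exception from it unwrapped, and the surrounding `catch (Exception e)` only logs, so a lesson that fails to construct vanishes from the course with nothing but a log line that does not say which jar it came from. Prefer `lessonClazz.getDeclaredConstructor().newInstance()` so constructor failures arrive as `InvocationTargetException` with the cause attached, and include `plugin.getLocation()` in the error message: `log.error("Error loading lesson from {}: ", plugin.getLocation(), e);`. The rest of `loadPlugins` (the `Course` construction) ends outside this hunk.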
@@ -67,4 +86,43 @@ public class PluginsLoader { return new Course(lessons); } + private List createAssignment(List> endpoints) { + return endpoints.stream().map(e -> new Assignment(e.getSimpleName(), getPath(e), getHints(e))).collect(toList()); + } + + private String getPath(Class e) { + return e.getAnnotationsByType(AssignmentPath.class)[0].value(); + } + + private List getHints(Class e) { + if (e.isAnnotationPresent(AssignmentHints.class)) { + return Lists.newArrayList(e.getAnnotationsByType(AssignmentHints.class)[0].value()); + } + return Lists.newArrayList(); + } + + + + @SneakyThrows + public List findPluginResources() { + final ClassPathScanningCandidateComponentProvider provider = new ClassPathScanningCandidateComponentProvider(false); + provider.addIncludeFilter(new RegexPatternTypeFilter(Pattern.compile(".*"))); + final Set classes = provider.findCandidateComponents("org.owasp.webgoat.plugin"); + Map> pluginClasses = Maps.newHashMap(); + for (BeanDefinition bean : classes) { + Class clazz = Class.forName(bean.getBeanClassName()); + URL location = clazz.getProtectionDomain().getCodeSource().getLocation(); + List classFiles = pluginClasses.get(location); + if (classFiles == null) { + classFiles = Lists.newArrayList(clazz); + } else { + classFiles.add(clazz); + } + pluginClasses.put(location, classFiles); + } + return pluginClasses.entrySet().parallelStream() + .map(e -> new PluginResource(e.getKey(), e.getValue())) + .collect(Collectors.toList()); + } + } diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/UserTracker.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/UserTracker.java index 246923e39..77e18c793 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/session/UserTracker.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/session/UserTracker.java 
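Review bot: `clazz.getProtectionDomain().getCodeSource()` can be null (classes from the bootstrap loader, or loaders that do not set a code source), and the resulting NullPointerException escapes through `@SneakyThrows` and aborts the whole plugin scan instead of skipping one class; guard it with `if (codeSource == null) { log.warn(...); continue; }`. The manual null-check on the map is the idiom `pluginClasses.computeIfAbsent(location, k -> Lists.newArrayList()).add(clazz)`, and `parallelStream()` buys nothing for a map with a handful of entries. Also `getPath` dereferences `getAnnotationsByType(AssignmentPath.class)[0]` unconditionally, so an assignment endpoint without `@AssignmentPath` fails the entire lesson with an `ArrayIndexOutOfBoundsException` rather than a message naming the offending class.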
@@ -6,11 +6,12 @@ import lombok.SneakyThrows; import lombok.extern.slf4j.Slf4j; import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.lessons.Assignment; -import org.springframework.util.FileCopyUtils; -import org.springframework.util.SerializationUtils; +import org.springframework.core.serializer.DefaultDeserializer; +import org.springframework.core.serializer.DefaultSerializer; import java.io.File; -import java.util.HashMap; +import java.io.FileInputStream; +import java.io.FileOutputStream; import java.util.Map; import java.util.stream.Collectors; @@ -50,7 +51,6 @@ public class UserTracker { private final String webgoatHome; private final String user; - private Map storage = new HashMap<>(); public UserTracker(final String webgoatHome, final String user) { this.webgoatHome = webgoatHome; 
@@ -64,53 +64,72 @@ public class UserTracker { * @return the optional lesson tracker */ public LessonTracker getLessonTracker(AbstractLesson lesson) { + return getLessonTracker(load(), lesson); + } + + /** + * Returns the lesson tracker for a specific lesson if available. + * + * @param lesson the lesson + * @return the optional lesson tracker + */ + public LessonTracker getLessonTracker(Map storage, AbstractLesson lesson) { LessonTracker lessonTracker = storage.get(lesson.getTitle()); if (lessonTracker == null) { lessonTracker = new LessonTracker(lesson); storage.put(lesson.getTitle(), lessonTracker); + save(storage); } return lessonTracker; } public void assignmentSolved(AbstractLesson lesson, String assignmentName) { - LessonTracker lessonTracker = getLessonTracker(lesson); + Map storage = load(); + LessonTracker lessonTracker = storage.get(lesson.getTitle()); lessonTracker.incrementAttempts(); lessonTracker.assignmentSolved(assignmentName); - save(); + save(storage); } public void assignmentFailed(AbstractLesson lesson) { - LessonTracker lessonTracker = getLessonTracker(lesson); + Map storage = load(); + LessonTracker lessonTracker = storage.get(lesson.getTitle()); lessonTracker.incrementAttempts(); - save(); + save(storage); } - public void load() { + public Map load() { File file = new File(webgoatHome, user + ".progress"); if (file.exists() && file.isFile()) { try { - this.storage = (Map) SerializationUtils.deserialize(FileCopyUtils.copyToByteArray(file)); + DefaultDeserializer deserializer = new DefaultDeserializer(Thread.currentThread().getContextClassLoader()); + return (Map) deserializer.deserialize(new FileInputStream(file)); } catch (Exception e) { log.error("Unable to read the progress file, creating a new one..."); - this.storage = Maps.newHashMap(); + } } + return Maps.newHashMap(); } @SneakyThrows - private void save() { + private void save(Map storage) { File file = new File(webgoatHome, user + ".progress"); - 
FileCopyUtils.copy(SerializationUtils.serialize(this.storage), file); + DefaultSerializer serializer = new DefaultSerializer(); + serializer.serialize(storage, new FileOutputStream(file)); } public void reset(AbstractLesson al) { - getLessonTracker(al).reset(); - save(); + Map storage = load(); + LessonTracker lessonTracker = getLessonTracker(storage, al); + lessonTracker.reset(); + save(storage); } public int numberOfLessonsSolved() { int numberOfLessonsSolved = 0; + Map storage = load(); for (LessonTracker lessonTracker : storage.values()) { if (lessonTracker.isLessonSolved()) { numberOfLessonsSolved = numberOfLessonsSolved + 1; @@ -121,6 +140,7 @@ public class UserTracker { public int numberOfAssignmentsSolved() { int numberOfAssignmentsSolved = 0; + Map storage = load(); for (LessonTracker lessonTracker : storage.values()) { Map lessonOverview = lessonTracker.getLessonOverview(); numberOfAssignmentsSolved = lessonOverview.values().stream().filter(b -> b).collect(Collectors.counting()).intValue(); diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/WebGoatUser.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/WebGoatUser.java new file mode 100644 index 000000000..381617386 --- /dev/null +++ b/webgoat-container/src/main/java/org/owasp/webgoat/session/WebGoatUser.java 
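Review bot: `assignmentSolved` and `assignmentFailed` now read the tracker with `storage.get(lesson.getTitle())` and dereference it, but unlike the `getLessonTracker` call they replaced nothing creates the entry when it is absent, so the first attempt recorded for a lesson whose tracker was never created through `getLessonTracker` throws a NullPointerException; use `LessonTracker lessonTracker = getLessonTracker(storage, lesson);` in both. Separately, the `FileInputStream` in `load()` and the `FileOutputStream` in `save()` are never closed (`DefaultDeserializer`/`DefaultSerializer` do not close the stream they are handed), so every progress read or write leaks a file handle; wrap both in try-with-resources as below. Note the progress file is read back with Java native deserialisation from a path built from the username, so that name must not be attacker-controlled (see the `UserForm` validation in this change).
```java
public Map<String, LessonTracker> load() {
    File file = new File(webgoatHome, user + ".progress");
    if (file.exists() && file.isFile()) {
        try (FileInputStream in = new FileInputStream(file)) {
            DefaultDeserializer deserializer = new DefaultDeserializer(Thread.currentThread().getContextClassLoader());
            return (Map<String, LessonTracker>) deserializer.deserialize(in);
        } catch (Exception e) {
            log.error("Unable to read the progress file, creating a new one...");
        }
    }
    return Maps.newHashMap();
}

@SneakyThrows
private void save(Map<String, LessonTracker> storage) {
    File file = new File(webgoatHome, user + ".progress");
    try (FileOutputStream out = new FileOutputStream(file)) {
        new DefaultSerializer().serialize(storage, out);
    }
}
// … unchanged: reset, numberOfLessonsSolved …
```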
@@ -0,0 +1,71 @@
+package org.owasp.webgoat.session;
+
+import lombok.Getter;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+
+import javax.persistence.Entity;
+import javax.persistence.Id;
+import javax.persistence.Transient;
+import java.util.Collection;
+import java.util.Collections;
+
+/**
+ * @author nbaars
+ * @since 3/19/17.
+ */
+@Getter
+@Entity
+public class WebGoatUser implements UserDetails {
+
+ public static final String ROLE_USER = "WEBGOAT_USER";
+ public static final String ROLE_ADMIN = "WEBGOAT_ADMIN";
+
+ @Id
+ private String username;
+ private String password;
+ private String role = ROLE_USER;
+ @Transient
+ private User user;
+
+ protected WebGoatUser() {
+ }
+
+ public WebGoatUser(String username, String password) {
+ this.username = username;
+ this.password = password;
+ createUser();
+ }
+
+ public void createUser() {
+ this.user = new User(username, password, getAuthorities());
+ }
+
+ public Collection getAuthorities() {
+ return Collections.singleton(new SimpleGrantedAuthority(getRole()));
+ }
+
+ @Override
+ public boolean isAccountNonExpired() {
+ return this.user.isAccountNonExpired();
+ }
+
+ @Override
+ public boolean isAccountNonLocked() {
+ return this.user.isAccountNonLocked();
+ }
+
+ @Override
+ public boolean isCredentialsNonExpired() {
+ return this.user.isCredentialsNonExpired();
+ }
+
+ @Override
+ public boolean isEnabled() {
+ return this.user.isEnabled();
+ }
+}
+
+
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java
index 858610b4a..bc12af039 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java
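Review bot: `password` is persisted on the entity exactly as supplied — `UserService.addUser` in this change stores the raw form value and nothing visible here applies a `PasswordEncoder` — so registered credentials sit in clear text in the HSQLDB file under `~/.webgoat`; unless an encoder is wired in the security configuration outside this diff, hash with `BCryptPasswordEncoder` before `save` and register the same encoder with the `AuthenticationManager`. Separately, `isAccountNonExpired()`, `isAccountNonLocked()`, `isCredentialsNonExpired()` and `isEnabled()` all dereference the `@Transient` field `user`, which JPA leaves null after loading, so any caller that obtains a `WebGoatUser` from the repository without first calling `createUser()` fails with a NullPointerException on the first of these checks. The wrapped `User` is built with the three-argument constructor, which sets all four flags to true, so `return true;` in each method (or a lazy `createUser()` inside them) removes that ordering dependency.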
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java @@ -3,7 +3,6 @@ package org.owasp.webgoat.session; import lombok.extern.slf4j.Slf4j; import org.owasp.webgoat.lessons.AbstractLesson; import org.springframework.security.core.context.SecurityContextHolder; -import org.springframework.security.core.userdetails.User; import java.sql.Connection; import java.sql.SQLException; @@ -40,10 +39,9 @@ import java.sql.SQLException; @Slf4j public class WebSession { - private final User currentUser; + private final WebGoatUser currentUser; private final WebgoatContext webgoatContext; private AbstractLesson currentLesson; - private UserTracker userTracker; /** * Constructor for the WebSession object @@ -52,7 +50,7 @@ public class WebSession { */ public WebSession(WebgoatContext webgoatContext) { this.webgoatContext = webgoatContext; - this.currentUser = (User) SecurityContextHolder.getContext().getAuthentication().getPrincipal(); + this.currentUser = (WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal(); } /** diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/RegistrationController.java b/webgoat-container/src/main/java/org/owasp/webgoat/users/RegistrationController.java new file mode 100644 index 000000000..f4bf8fe61 --- /dev/null +++ b/webgoat-container/src/main/java/org/owasp/webgoat/users/RegistrationController.java 
@@ -0,0 +1,61 @@
+package org.owasp.webgoat.users;
+
+import lombok.AllArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.owasp.webgoat.session.WebGoatUser;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Controller;
+import org.springframework.validation.BindingResult;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.ModelAttribute;
+import org.springframework.web.bind.annotation.PostMapping;
+
+import javax.validation.Valid;
+
+/**
+ * @author nbaars
+ * @since 3/19/17.
+ */
+@Controller
+@AllArgsConstructor
+@Slf4j
+public class RegistrationController {
+
+ private UserValidator userValidator;
+ private UserService userService;
+ private AuthenticationManager authenticationManager;
+
+ @GetMapping("/registration")
+ public String showForm(UserForm userForm) {
+ return "registration";
+ }
+
+ @PostMapping("/register.mvc")
+ public String registration(@ModelAttribute("userForm") @Valid UserForm userForm, BindingResult bindingResult) {
+ userValidator.validate(userForm, bindingResult);
+
+ if (bindingResult.hasErrors()) {
+ return "registration";
+ }
+ userService.addUser(userForm.getUsername(), userForm.getPassword());
+ autologin(userForm.getUsername(), userForm.getPassword());
+
+ return "redirect:/attack";
+ }
+
+ private void autologin(String username, String password) {
+ WebGoatUser user = userService.loadUserByUsername(username);
+ UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(user, password, user.getAuthorities());
+
+ authenticationManager.authenticate(usernamePasswordAuthenticationToken);
+
+ if (usernamePasswordAuthenticationToken.isAuthenticated()) {
+ SecurityContextHolder.getContext().setAuthentication(usernamePasswordAuthenticationToken);
+ log.debug("Login for {} successfully!", username);
+ }
+ }
+
+
+}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserForm.java b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserForm.java
new file mode 100644
index 000000000..e5143704b
--- /dev/null
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserForm.java
@@ -0,0 +1,28 @@
+package org.owasp.webgoat.users;
+
+import lombok.Getter;
+import lombok.Setter;
+
+import javax.validation.constraints.NotNull;
+import javax.validation.constraints.Size;
+
+/**
+ * @author nbaars
+ * @since 3/19/17.
+ */
+@Getter
+@Setter
+public class UserForm {
+
+ @NotNull
+ @Size(min=6, max=10)
+ private String username;
+ @NotNull
+ @Size(min=6, max=10)
+ private String password;
+ @NotNull
+ @Size(min=6, max=10)
+ private String matchingPassword;
+ @NotNull
+ private String agree;
+}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserRepository.java b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserRepository.java
new file mode 100644
index 000000000..d7d85db54
--- /dev/null
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserRepository.java
@@ -0,0 +1,13 @@
+package org.owasp.webgoat.users;
+
+import org.owasp.webgoat.session.WebGoatUser;
+import org.springframework.data.repository.CrudRepository;
+
+/**
+ * @author nbaars
+ * @since 3/19/17.
+ */
+public interface UserRepository extends CrudRepository {
+
+ WebGoatUser findByUsername(String username);
+}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserService.java b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserService.java
new file mode 100644
index 000000000..7e153f81c
--- /dev/null
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserService.java
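Review bot: `autologin` discards the `Authentication` returned by `authenticationManager.authenticate(...)` and stores the token it built itself; the three-argument `UsernamePasswordAuthenticationToken` constructor marks that token as authenticated, so the `isAuthenticated()` check is always true and the stored principal keeps the clear-text password in its credentials. Use the manager's result instead: `Authentication auth = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(username, password)); SecurityContextHolder.getContext().setAuthentication(auth);` — the manager throws on failure and erases credentials by default, so the `if` can go. Writing straight into the context also bypasses the session-fixation protection the form-login filter would apply; I cannot see the security configuration in this diff, so whether the session id is changed elsewhere is an assumption, but calling `request.changeSessionId()` before storing the new authentication is the safe default.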
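Review bot: `username` is only bounded by `@Size(min=6, max=10)` with no character restriction, and `UserTracker` in this same change builds `new File(webgoatHome, user + ".progress")` from it, so a name such as `../../x` (seven characters) passes validation and makes the progress file land outside `webgoatHome`. Add `@Pattern(regexp = "[a-zA-Z0-9_-]+")` to `username` so the value is safe to use as a file-name component. The `max=10` on `password` and `matchingPassword` also caps passwords at ten characters, which contradicts the `password.size` message ("at least 6") added in this diff and discourages longer passphrases; drop the upper bound or raise it substantially.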
@@ -0,0 +1,29 @@
+package org.owasp.webgoat.users;
+
+import lombok.AllArgsConstructor;
+import org.owasp.webgoat.session.WebGoatUser;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.stereotype.Service;
+
+/**
+ * @author nbaars
+ * @since 3/19/17.
+ */
+@Service
+@AllArgsConstructor
+public class UserService implements UserDetailsService {
+
+ private final UserRepository userRepository;
+
+ @Override
+ public WebGoatUser loadUserByUsername(String username) throws UsernameNotFoundException {
+ WebGoatUser webGoatUser = userRepository.findByUsername(username);
+ webGoatUser.createUser();
+ return webGoatUser;
+ }
+
+ public void addUser(String username, String password) {
+ userRepository.save(new WebGoatUser(username, password));
+ }
+}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserValidator.java b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserValidator.java
new file mode 100644
index 000000000..e3c1e9c35
--- /dev/null
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserValidator.java
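Review bot: `findByUsername` returns null for an unknown user, so `webGoatUser.createUser()` throws a NullPointerException instead of the `UsernameNotFoundException` the method declares; Spring Security maps the latter to a bad-credentials failure, whereas the NPE surfaces as an `InternalAuthenticationServiceException` (a server error with a stack trace on any mistyped username). Add `if (webGoatUser == null) { throw new UsernameNotFoundException("User " + username + " not found"); }` before the `createUser()` call.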
@@ -0,0 +1,34 @@ +package org.owasp.webgoat.users; + +import org.springframework.stereotype.Component; +import org.springframework.validation.Errors; +import org.springframework.validation.Validator; + +/** + * @author nbaars + * @since 3/19/17. + */ +@Component +public class UserValidator implements Validator { + +// @Autowired +// private UserService userService; + + @Override + public boolean supports(Class aClass) { + return UserForm.class.equals(aClass); + } + + @Override + public void validate(Object o, Errors errors) { + UserForm userForm = (UserForm) o; + +// if (userService.findByUsername(userForm.getUsername()) != null) { +// errors.rejectValue("username", "Duplicate.userForm.username"); +// } + + if (!userForm.getMatchingPassword().equals(userForm.getPassword())) { + errors.rejectValue("matchingPassword", "password.diff"); + } + } +} diff --git a/webgoat-container/src/main/resources/application.properties b/webgoat-container/src/main/resources/application.properties index 75cf3a5ed..1c38cb01f 100644 --- a/webgoat-container/src/main/resources/application.properties +++ b/webgoat-container/src/main/resources/application.properties @@ -10,12 +10,13 @@ logging.level.org.springframework.boot.devtools=WARN logging.level.org.owasp=DEBUG logging.level.org.owasp.webgoat=TRACE +# Needed for creating a vulnerable web application security.enable-csrf=false -spring.devtools.restart.enabled=false spring.resources.cache-period=0 spring.thymeleaf.cache=false +webgoat.server.directory=${user.home}/.webgoat/ webgoat.user.directory=${user.home}/.webgoat/ webgoat.build.version=@project.version@ webgoat.build.number=@build.number@ 
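Review bot: the duplicate-username check is commented out, and because `username` is the entity's `@Id`, the `userRepository.save(new WebGoatUser(username, password))` in `UserService.addUser` performs an update when that id already exists — so anyone can submit the registration form with an existing username, replace that user's password, and be logged in as them by `autologin`. The commented-out code suggests the validator was meant to depend on `UserService` and the injection was dropped (possibly to avoid a circular dependency with `RegistrationController`, though I cannot see that here); inject `UserRepository` directly and restore the check as `if (userRepository.findByUsername(userForm.getUsername()) != null) { errors.rejectValue("username", "username.duplicate"); }`, which also matches the `username.duplicate` key added to `messages.properties` in this diff rather than the unused `Duplicate.userForm.username`. The password-match comparison that remains is correct.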
@@ -30,4 +31,12 @@ webgoat.database.connection.string=jdbc:hsqldb:mem:test webgoat.default.language=en +liquibase.change-log=classpath:db/changelog/db.changelog-master.xml +spring.datasource.url=jdbc:hsqldb:file:${user.home}/.webgoat/WebGoatDatabase +spring.datasource.driverClassName=org.hsqldb.jdbcDriver +spring.datasource.username=sa +spring.datasource.password= +spring.jpa.database-platform=org.hibernate.dialect.HSQLDialect +spring.jpa.show-sql=true +spring.jpa.hibernate.ddl-auto=none diff --git a/webgoat-container/src/main/resources/db/changelog/db.changelog-master.xml b/webgoat-container/src/main/resources/db/changelog/db.changelog-master.xml new file mode 100644 index 000000000..f3b67826b --- /dev/null +++ b/webgoat-container/src/main/resources/db/changelog/db.changelog-master.xml @@ -0,0 +1,17 @@ + + + + + + + + + + + + + diff --git a/webgoat-container/src/main/resources/i18n/messages.properties b/webgoat-container/src/main/resources/i18n/messages.properties index fc9e1791e..442a4d35b 100644 --- a/webgoat-container/src/main/resources/i18n/messages.properties +++ b/webgoat-container/src/main/resources/i18n/messages.properties @@ -32,6 +32,7 @@ ErrorGenerating=Error generating InvalidData=Invalid Data Go!=Go! password=Password +password.confirm=Confirm password username=Username logged_out=You've been logged out successfully. invalid_username_password=Invalid username and password. @@ -50,3 +51,13 @@ show.hints=Show hints lesson.overview=Lesson overview reset.lesson=Reset lesson sign.in=Sign in +register.new=Register new user +sign.up=Sign up +register.title=Register + + +not.empty=This field is required. +username.size=Please use between 6 and 10 characters. +username.duplicate=User already exists. +password.size=Password should at least contain 6 characters +password.diff=The passwords do not match. \ No newline at end of file 
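Review bot: `spring.datasource.url` hardcodes `${user.home}/.webgoat/WebGoatDatabase` while the previous hunk introduces `webgoat.server.directory` with exactly that prefix; if the server directory is meant to hold the database, `spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}WebGoatDatabase` keeps the two from drifting apart. The empty `spring.datasource.password=` for `sa` is the HSQLDB default; a comment stating whether that is deliberate would help, since this file-backed database now holds the platform's registered users rather than lesson data. `spring.jpa.show-sql=true` echoes every statement, including writes to the user table, to the log, which is reasonable for a training build but also deserves a one-line comment marking it as intentional.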
diff --git a/webgoat-container/src/main/resources/plugin_lessons/ReadMe.txt b/webgoat-container/src/main/resources/plugin_lessons/ReadMe.txt deleted file mode 100644 index 101910ac2..000000000 --- a/webgoat-container/src/main/resources/plugin_lessons/ReadMe.txt +++ /dev/null @@ -1 +0,0 @@ -Lesson plugins stored under this directory. \ No newline at end of file diff --git a/webgoat-container/src/main/resources/plugin_lessons/plugin_lessons_marker.txt b/webgoat-container/src/main/resources/plugin_lessons/plugin_lessons_marker.txt deleted file mode 100644 index e69de29bb..000000000 diff --git a/webgoat-container/src/main/resources/static/js/goatApp/view/HintView.js b/webgoat-container/src/main/resources/static/js/goatApp/view/HintView.js index 06094592b..042b17c54 100644 --- a/webgoat-container/src/main/resources/static/js/goatApp/view/HintView.js +++ b/webgoat-container/src/main/resources/static/js/goatApp/view/HintView.js @@ -57,7 +57,7 @@ function($, * from the model where the assignment name is contained in the assignmentPath. We do this not to mess * with contextRoots etc and try to select the name from the url. * - * @todo we can of course try to add the assigment name to the html form as attribute. + * @todo we can of course try to add the assignment name to the html form as attribute. * * @param nav the json structure for navigating */ @@ -95,7 +95,7 @@ function($, displayHint: function(curHint) { if(this.hintsToShow.length == 0) { - this.hideHints(); + // this.hideHints(); } else { this.$el.find('#lesson-hint-content').html(polyglot.t(this.hintsToShow[curHint].get('hint'))); } diff --git a/webgoat-container/src/main/resources/templates/login.html b/webgoat-container/src/main/resources/templates/login.html index 6ece09348..208df2021 100644 --- a/webgoat-container/src/main/resources/templates/login.html +++ b/webgoat-container/src/main/resources/templates/login.html @@ -29,7 +29,7 @@
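Review bot: Commenting out `this.hideHints();` in `displayHint` leaves an empty `if` branch and a line of dead code with no explanation of why the panel should stay visible when `hintsToShow` is empty. Either delete the call and add `// keep the hint panel visible even when the assignment has no hints` in its place, or collapse the statement to `if (this.hintsToShow.length > 0) { ... }`. The motivation is not recoverable from the hunk, so without a comment the next reader is likely to restore the call.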

You've been logged out successfully.



-
+
- + +


-

The following accounts are built into Webgoat

- - - - - - - - - - - - - - - - - - - - -
AccountUserPassword
Webgoat Userguestguest
Webgoat Adminwebgoatwebgoat
-

diff --git a/webgoat-container/src/main/resources/templates/registration.html b/webgoat-container/src/main/resources/templates/registration.html new file mode 100644 index 000000000..705d77eeb --- /dev/null +++ b/webgoat-container/src/main/resources/templates/registration.html @@ -0,0 +1,104 @@ + + + + Login Page + + + + + + +
+ +
+ +
+

+
+ Please Sign Up +
+ +
+ +
+ +
+ Username error +
+
+ +
+ +
+ Password error +
+
+ +
+ +
+ Password error + +
+ +
+ +
+
+

+ While running this program your machine will be extremely + vulnerable to attack. You should disconnect from the Internet while using + this program. WebGoat's default configuration binds to localhost to minimize + the exposure. +

+

+ This program is for educational purposes only. If you attempt + these techniques without authorization, you are very likely to get caught. If + you are caught engaging in unauthorized hacking, most companies will fire you. + Claiming that you were doing security research will not work as that is the + first thing that all hackers claim. +

+
+
+
+ +
+
+
+ +
+
+
+ +
+
+ +
+
+
+
+
+
+
+ + + + \ No newline at end of file diff --git a/webgoat-container/src/main/resources/webgoat.properties b/webgoat-container/src/main/resources/webgoat.properties deleted file mode 100644 index 7d6842215..000000000 --- a/webgoat-container/src/main/resources/webgoat.properties +++ /dev/null @@ -1,19 +0,0 @@ -#lesson.BufferOverflow.hidden=true -# -# -# Hide lessons using name of source file, -# For Example: BlindScript.java -# lesson.BlindScript.hidden=true; -# -# These lesson need to be refactored -lesson.BasicAuthentication.hidden=false -lesson.BlindScript.hidden=true -lesson.RemoteAdminFlaw.hidden=true -lesson.HttpSplitting.hidden=true -lesson.SameOriginPolicyProtection.hidden=true -lesson.SilentTransactions.hidden=true -lesson.TraceXSS.hidden=true -lesson.DBSQLInjection.hidden=true -lesson.DBCrossSiteScripting.hidden=true -lesson.XPATHInjection.hidden=true -lesson.ForcedBrowsing.hidden=true diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/assignments/AssignmentEndpointTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/assignments/AssignmentEndpointTest.java index 793104dbf..787711c67 100644 --- a/webgoat-container/src/test/java/org/owasp/webgoat/assignments/AssignmentEndpointTest.java +++ b/webgoat-container/src/test/java/org/owasp/webgoat/assignments/AssignmentEndpointTest.java @@ -55,7 +55,7 @@ public class AssignmentEndpointTest { protected PluginMessages pluginMessages = new PluginMessages(messages, language); public void init(AssignmentEndpoint a) { - messages.setBasenames("classpath:/i18n/messages", "classpath:/plugin/i18n/WebGoatLabels"); + messages.setBasenames("classpath:/i18n/messages", "classpath:/i18n/WebGoatLabels"); ReflectionTestUtils.setField(a, "userTracker", userTracker); ReflectionTestUtils.setField(a, "userSessionData", userSessionData); ReflectionTestUtils.setField(a, "webSession", webSession); 
diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/session/UserTrackerTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/session/UserTrackerTest.java index 06fae61c5..209c19a31 100644 --- a/webgoat-container/src/test/java/org/owasp/webgoat/session/UserTrackerTest.java +++ b/webgoat-container/src/test/java/org/owasp/webgoat/session/UserTrackerTest.java @@ -8,9 +8,9 @@ import org.owasp.webgoat.lessons.Assignment; import java.io.File; import java.io.IOException; +import java.util.UUID; import static org.assertj.core.api.Assertions.assertThat; -import static org.mockito.Matchers.eq; import static org.mockito.Mockito.mock; import static org.mockito.Mockito.when; @@ -68,7 +68,7 @@ public class UserTrackerTest { @Test public void assignmentFailedShouldIncrementAttempts() { - UserTracker userTracker = new UserTracker(home.getParent(), "test"); + UserTracker userTracker = new UserTracker(home.getParent(), UUID.randomUUID().toString()); AbstractLesson lesson = mock(AbstractLesson.class); when(lesson.getAssignments()).thenReturn(Lists.newArrayList(new Assignment("assignment", "assignment"))); userTracker.getLessonTracker(lesson); @@ -83,6 +83,7 @@ public class UserTrackerTest { UserTracker userTracker = new UserTracker(home.getParent(), "test"); AbstractLesson lesson = mock(AbstractLesson.class); when(lesson.getAssignments()).thenReturn(Lists.newArrayList(new Assignment("assignment", "assignment"))); + userTracker.getLessonTracker(lesson); userTracker.assignmentSolved(lesson, "assignment"); assertThat(userTracker.getLessonTracker(lesson).isLessonSolved()).isTrue(); 
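Review bot: Only `assignmentFailedShouldIncrementAttempts` switches the tracker name to `UUID.randomUUID().toString()`; the tests in the following two hunks (-83 here and -95 on the next line) still construct `new UserTracker(home.getParent(), "test")`, so if the random name was introduced because trackers persist state under `home.getParent()` across tests, those two can still observe each other's results. Use a fresh random name in all three, or derive it once in a setup method and reuse it. The `userTracker.getLessonTracker(lesson);` calls inserted before `assignmentSolved` in those hunks suggest `assignmentSolved` requires the lesson tracker to exist first; if so, that precondition belongs in `UserTracker` itself or its Javadoc rather than being repeated in every test.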
@@ -95,6 +96,7 @@ public class UserTrackerTest { UserTracker userTracker = new UserTracker(home.getParent(), "test"); AbstractLesson lesson = mock(AbstractLesson.class); when(lesson.getAssignments()).thenReturn(Lists.newArrayList(new Assignment("assignment", "assignment"))); + userTracker.getLessonTracker(lesson); userTracker.assignmentSolved(lesson, "assignment"); assertThat(userTracker.numberOfAssignmentsSolved()).isEqualTo(1); diff --git a/webgoat-lessons/challenge/src/main/resources/html/Challenge.html b/webgoat-lessons/challenge/src/main/resources/html/Challenge.html new file mode 100644 index 000000000..00c0e2c2f --- /dev/null +++ b/webgoat-lessons/challenge/src/main/resources/html/Challenge.html @@ -0,0 +1,12 @@ + + + + +
+ + +
+
+ + \ No newline at end of file diff --git a/webgoat-lessons/challenge/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/challenge/src/main/resources/i18n/WebGoatLabels.properties new file mode 100644 index 000000000..cbae74dcb --- /dev/null +++ b/webgoat-lessons/challenge/src/main/resources/i18n/WebGoatLabels.properties @@ -0,0 +1 @@ +challenge.title=WebGoat Challenge diff --git a/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_content1.adoc b/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_content1.adoc new file mode 100644 index 000000000..987f45684 --- /dev/null +++ b/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_content1.adoc @@ -0,0 +1 @@ +This is the challenge \ No newline at end of file diff --git a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/Attack.java b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFilteringAssignment.java similarity index 76% rename from webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/Attack.java rename to webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFilteringAssignment.java index 2c43c9df2..e21f5c77d 100644 --- a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/Attack.java +++ b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFilteringAssignment.java @@ -1,6 +1,7 @@ package org.owasp.webgoat.plugin; import org.owasp.webgoat.assignments.AssignmentEndpoint; +import org.owasp.webgoat.assignments.AssignmentHints; import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; import org.springframework.web.bind.annotation.RequestMapping; 
@@ -40,14 +41,15 @@ import java.io.IOException; * @since August 11, 2016 */ @AssignmentPath("/clientSideFiltering/attack1") -public class Attack extends AssignmentEndpoint { +@AssignmentHints({"ClientSideFilteringHint1", "ClientSideFilteringHint2", "ClientSideFilteringHint3", "ClientSideFilteringHint4"}) +public class ClientSideFilteringAssignment extends AssignmentEndpoint { @RequestMapping(method = RequestMethod.POST) - public @ResponseBody AttackResult completed(@RequestParam String answer) throws IOException { - if ("450000".equals(answer)) { - return trackProgress(success().build()); - } else { - return trackProgress(failed().build()); - } + public + @ResponseBody + AttackResult completed(@RequestParam String answer) throws IOException { + return trackProgress("450000".equals(answer) ? + success().feedback("assignment.solved").build() : + failed().feedback("ClientSideFiltering.incorrect").build()); } } diff --git a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/Salaries.java b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/Salaries.java index 16d4a1e90..3bc780e6f 100644 --- a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/Salaries.java +++ b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/Salaries.java 
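Review bot: The new signature is split across three lines (`public` / `@ResponseBody` / `AttackResult completed(...)`), which reads as an accident of reformatting rather than a deliberate style; the single line `public @ResponseBody AttackResult completed(@RequestParam String answer) {` that the removed line used is clearer. The retained `throws IOException` is not needed by anything in the body (a string comparison and two builder calls), and dropping it is compatible for callers. A one-line Javadoc on `completed` naming the expected answer source would also help, since the literal `"450000"` is otherwise unexplained.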
@@ -6,34 +6,51 @@ package org.owasp.webgoat.plugin; import com.google.common.collect.Lists; import com.google.common.collect.Maps; +import lombok.SneakyThrows; import org.owasp.webgoat.assignments.Endpoint; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.core.io.ClassPathResource; +import org.springframework.util.FileCopyUtils; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.ResponseBody; import org.w3c.dom.Node; import org.w3c.dom.NodeList; import org.xml.sax.InputSource; +import javax.annotation.PostConstruct; import javax.servlet.ServletException; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; import javax.xml.xpath.XPath; import javax.xml.xpath.XPathConstants; import javax.xml.xpath.XPathExpressionException; import javax.xml.xpath.XPathFactory; import java.io.File; import java.io.FileInputStream; +import java.io.FileOutputStream; import java.io.IOException; import java.util.List; import java.util.Map; public class Salaries extends Endpoint { + @Value("${webgoat.user.directory}") + private String webGoatHomeDirectory; + + @PostConstruct + @SneakyThrows + public void copyFiles() { + ClassPathResource classPathResource = new ClassPathResource("employees.xml"); + File targetDirectory = new File(webGoatHomeDirectory, "/ClientSideFiltering"); + if (!targetDirectory.exists()) { + targetDirectory.mkdir(); + } + FileCopyUtils.copy(classPathResource.getInputStream(), new FileOutputStream(new File(targetDirectory, "employees.xml"))); + } + @RequestMapping(produces = {"application/json"}) @ResponseBody - public List> invoke(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { - String userId = req.getParameter("userId"); + public List> invoke() throws ServletException, IOException { NodeList nodes = null; - File d = new File(getPluginDirectory(), "ClientSideFiltering/html/employees.xml"); + 
File d = new File(webGoatHomeDirectory, "ClientSideFiltering/employees.xml"); XPathFactory factory = XPathFactory.newInstance(); XPath xPath = factory.newXPath(); InputSource inputSource = new InputSource(new FileInputStream(d)); @@ -49,8 +66,7 @@ public class Salaries extends Endpoint { String expression = sb.toString(); try { - nodes = (NodeList) xPath.evaluate(expression, inputSource, - XPathConstants.NODESET); + nodes = (NodeList) xPath.evaluate(expression, inputSource, XPathConstants.NODESET); } catch (XPathExpressionException e) { e.printStackTrace(); } @@ -58,7 +74,7 @@ public class Salaries extends Endpoint { List json = Lists.newArrayList(); java.util.Map employeeJson = Maps.newHashMap(); for (int i = 0; i < nodes.getLength(); i++) { - if (i != 0 && i % COLUMNS == 0) { + if (i % COLUMNS == 0) { employeeJson = Maps.newHashMap(); json.add(employeeJson); } diff --git a/webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/html/clientSideFiltering-stage1.css b/webgoat-lessons/client-side-filtering/src/main/resources/css/clientSideFiltering-stage1.css similarity index 82% rename from webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/html/clientSideFiltering-stage1.css rename to webgoat-lessons/client-side-filtering/src/main/resources/css/clientSideFiltering-stage1.css index 76bb26818..ecb2d6e76 100644 --- a/webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/html/clientSideFiltering-stage1.css +++ b/webgoat-lessons/client-side-filtering/src/main/resources/css/clientSideFiltering-stage1.css 
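Review bot: `copyFiles` calls `targetDirectory.mkdir()` and ignores its result; `mkdir` creates only the last path element, so on a machine where `${webgoat.user.directory}` does not exist yet the directory is not created and the failure surfaces later as a FileNotFoundException from `new FileOutputStream(...)`, with `@SneakyThrows` keeping it out of the signature. Replace the check with `if (!targetDirectory.isDirectory() && !targetDirectory.mkdirs()) { throw new IllegalStateException("Cannot create " + targetDirectory); }`. In `invoke`, the `new FileInputStream(d)` wrapped in the `InputSource` is never closed in the visible code (pre-existing, but still on the new side); a try-with-resources around the evaluate call in the -49 hunk would fix it, unless it is closed further down. In the -58 hunk the loosened `if (i % COLUMNS == 0)` now allocates a fresh map on the first iteration too, which makes the `Maps.newHashMap()` assigned before the loop dead; initialise `employeeJson` to `null` or drop the assignment. `invoke`'s body runs past the last hunk.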
@@ -1,3 +1,3 @@ #lesson_wrapper {height: 435px;width: 500px;} #lesson_header {background-image: url(../images/lesson1_header.jpg); width: 490px;padding-right: 10px;padding-top: 60px;background-repeat: no-repeat;} -.lesson_workspace {background-image: url(../images/lesson1_workspace.jpg); width: 489px;height: 325px;padding-left: 10px;padding-top: 10px;background-repeat: no-repeat;} \ No newline at end of file +.lesson_workspace {background-image: url(../images/lesson1_workspace.jpg); width: 490px;height: 325px;padding-left: 10px;padding-top: 10px;background-repeat: no-repeat;} \ No newline at end of file diff --git a/webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/html/employees.xml b/webgoat-lessons/client-side-filtering/src/main/resources/employees.xml similarity index 100% rename from webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/html/employees.xml rename to webgoat-lessons/client-side-filtering/src/main/resources/employees.xml diff --git a/webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/html/ClientSideFiltering.html b/webgoat-lessons/client-side-filtering/src/main/resources/html/ClientSideFiltering.html similarity index 76% rename from webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/html/ClientSideFiltering.html rename to webgoat-lessons/client-side-filtering/src/main/resources/html/ClientSideFiltering.html index 16df814f0..7e861d4ee 100644 --- a/webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/html/ClientSideFiltering.html +++ b/webgoat-lessons/client-side-filtering/src/main/resources/html/ClientSideFiltering.html @@ -1,22 +1,25 @@ - -
- +
+
+
+

+
-
+ - - +


@@ -34,7 +37,8 @@

-
@@ -63,11 +67,11 @@ + +
+
+
- -
-
-
diff --git a/webgoat-lessons/client-side-filtering/src/main/resources/plugin/i18n/WebGoatLabels.properties b/webgoat-lessons/client-side-filtering/src/main/resources/i18n/WebGoatLabels.properties similarity index 68% rename from webgoat-lessons/client-side-filtering/src/main/resources/plugin/i18n/WebGoatLabels.properties rename to webgoat-lessons/client-side-filtering/src/main/resources/i18n/WebGoatLabels.properties index 01db41641..a5a163cad 100644 --- a/webgoat-lessons/client-side-filtering/src/main/resources/plugin/i18n/WebGoatLabels.properties +++ b/webgoat-lessons/client-side-filtering/src/main/resources/i18n/WebGoatLabels.properties @@ -10,10 +10,10 @@ ClientSideFilteringStage1Question=What is Neville Bartholomew's salary? ClientSideFilteringStage1SubmitAnswer=Submit Answer ClientSideFilteringStage2Finish=Click here when you believe you have completed the lesson. ClientSideFilteringChoose=Choose Employee -ClientSideFilteringHint1=Stage 1: The information displayed when an employee is chosen from the drop down menu is stored on the client side. -ClientSideFilteringHint2=Stage 1: Use Firebug to find where the information is stored on the client side. -ClientSideFilteringHint3=Stage 1: Examine the hidden table to see if there is anyone listed who is not in the drop down menu. -ClientSideFilteringHint4=Stage 1: Look in the last row of the hidden table. +ClientSideFilteringHint1=The information displayed when an employee is chosen from the drop down menu is stored on the client side. +ClientSideFilteringHint2=Use Firebug to find where the information is stored on the client side. +ClientSideFilteringHint3=Examine the hidden table to see if there is anyone listed who is not in the drop down menu. +ClientSideFilteringHint4=Look in the last row of the hidden table. ClientSideFilteringHint5a=Stage 1: You can access the server directly ClientSideFilteringHint5b=here ClientSideFilteringHint5c=to see what results are being returned 
@@ -22,5 +22,6 @@ ClientSideFilteringHint7=Stage 2: The query currently returns all of the content
 ClientSideFilteringHint8=Stage 2: The query should only return the information of employees who are managed by Moe Stooge, whose userID is 102
 ClientSideFilteringHint9=Stage 2: Try using a filter operator.
 ClientSideFilteringHint10=Stage 2: Your filter operator should look something like: [Managers/Manager/text()=
-ClientSideFilteringInstructions1=STAGE 1: You are logged in as Moe Stooge, CSO of Goat Hills Financial. You have access to everyone in the company's information, except the CEO, Neville Bartholomew. Or at least you shouldn't have access to the CEO's information. For this exercise, examine the contents of the page to see what extra information you can find.
+ClientSideFilteringInstructions1=STAGE 1: You are logged in as Moe Stooge, CSO of Goat Hills Financial. You have access to everyone in the company's information, except the CEO, . Or at least you shouldn't have access to the CEO's information. For this exercise, examine the contents of the page to see what extra information you can find.
 ClientSideFilteringInstructions2=STAGE 2: Now, fix the problem. Modify the server to only return results that Moe Stooge is allowed to see.
+ClientSideFiltering.incorrect=This is not the salary from Neville Bartholomew...
diff --git a/webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/images/lesson1_header.jpg b/webgoat-lessons/client-side-filtering/src/main/resources/images/lesson1_header.jpg
similarity index 100%
rename from webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/images/lesson1_header.jpg
rename to webgoat-lessons/client-side-filtering/src/main/resources/images/lesson1_header.jpg
diff --git a/webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/images/lesson1_workspace.jpg b/webgoat-lessons/client-side-filtering/src/main/resources/images/lesson1_workspace.jpg
similarity index 100%
rename from webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/images/lesson1_workspace.jpg
rename to webgoat-lessons/client-side-filtering/src/main/resources/images/lesson1_workspace.jpg
diff --git a/webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/js/clientSideFiltering.js b/webgoat-lessons/client-side-filtering/src/main/resources/js/clientSideFiltering.js
similarity index 100%
rename from webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/js/clientSideFiltering.js
rename to webgoat-lessons/client-side-filtering/src/main/resources/js/clientSideFiltering.js
diff --git a/webgoat-lessons/client-side-filtering/src/main/resources/lessonPlans/en/ClientSideFiltering_assignment.adoc b/webgoat-lessons/client-side-filtering/src/main/resources/lessonPlans/en/ClientSideFiltering_assignment.adoc
new file mode 100644
index 000000000..f8d563b63
--- /dev/null
+++ b/webgoat-lessons/client-side-filtering/src/main/resources/lessonPlans/en/ClientSideFiltering_assignment.adoc
@@ -0,0 +1,5 @@
+== Salary manager
+
+You are logged in as Moe Stooge, CSO of Goat Hills Financial. You have access to everyone in the company's information,
+except the CEO, Neville Bartholomew. Or at least you shouldn't have access to the CEO's information. For this assignment,
+examine the contents of the page to see what extra information you can find.
\ No newline at end of file
diff --git a/webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/lessonPlans/en/ClientSideFiltering_plan.adoc b/webgoat-lessons/client-side-filtering/src/main/resources/lessonPlans/en/ClientSideFiltering_plan.adoc
similarity index 100%
rename from webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/lessonPlans/en/ClientSideFiltering_plan.adoc
rename to webgoat-lessons/client-side-filtering/src/main/resources/lessonPlans/en/ClientSideFiltering_plan.adoc
diff --git a/webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/lessonPlans/ru/ClientSideFiltering.html b/webgoat-lessons/client-side-filtering/src/main/resources/lessonPlans/ru/ClientSideFiltering.html
similarity index 100%
rename from webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/lessonPlans/ru/ClientSideFiltering.html
rename to webgoat-lessons/client-side-filtering/src/main/resources/lessonPlans/ru/ClientSideFiltering.html
diff --git a/webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/lessonSolutions/en/ClientSideFiltering.html b/webgoat-lessons/client-side-filtering/src/main/resources/lessonSolutions/en/ClientSideFiltering.html
similarity index 100%
rename from webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/lessonSolutions/en/ClientSideFiltering.html
rename to webgoat-lessons/client-side-filtering/src/main/resources/lessonSolutions/en/ClientSideFiltering.html
diff --git a/webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/lessonSolutions/en/ClientSideFiltering_files/clientside_firebug.jpg b/webgoat-lessons/client-side-filtering/src/main/resources/lessonSolutions/en/ClientSideFiltering_files/clientside_firebug.jpg
similarity index 100%
rename from webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/lessonSolutions/en/ClientSideFiltering_files/clientside_firebug.jpg
rename to webgoat-lessons/client-side-filtering/src/main/resources/lessonSolutions/en/ClientSideFiltering_files/clientside_firebug.jpg
diff --git a/webgoat-lessons/command-injection/src/main/resources/plugin/CommandInjection/html/CommandInjection.html b/webgoat-lessons/command-injection/src/main/resources/html/CommandInjection.html
similarity index 100%
rename from webgoat-lessons/command-injection/src/main/resources/plugin/CommandInjection/html/CommandInjection.html
rename to webgoat-lessons/command-injection/src/main/resources/html/CommandInjection.html
diff --git a/webgoat-lessons/command-injection/src/main/resources/plugin/i18n/WebGoatLabels.properties b/webgoat-lessons/command-injection/src/main/resources/i18n/WebGoatLabels.properties
similarity index 100%
rename from webgoat-lessons/command-injection/src/main/resources/plugin/i18n/WebGoatLabels.properties
rename to webgoat-lessons/command-injection/src/main/resources/i18n/WebGoatLabels.properties
diff --git a/webgoat-lessons/command-injection/src/main/resources/plugin/CommandInjection/lessonPlans/en/CommandInjection1.adoc b/webgoat-lessons/command-injection/src/main/resources/lessonPlans/en/CommandInjection1.adoc
similarity index 75%
rename from webgoat-lessons/command-injection/src/main/resources/plugin/CommandInjection/lessonPlans/en/CommandInjection1.adoc
rename to webgoat-lessons/command-injection/src/main/resources/lessonPlans/en/CommandInjection1.adoc
index 6344750d7..ce6d3f4b2 100644
--- a/webgoat-lessons/command-injection/src/main/resources/plugin/CommandInjection/lessonPlans/en/CommandInjection1.adoc +++ b/webgoat-lessons/command-injection/src/main/resources/lessonPlans/en/CommandInjection1.adoc @@ -1,9 +1,9 @@ == HTTP Proxy Overview -Many times proxies are used as a way of accessing otehrwise blocked content. A user might connect to server A, which relays content from server B - ... Because Server B is blocked wihtin the user's network. That's not the use case we will be dealing with here, but the concept is the same. -HTTP Proxies receive requesets from a client and relay them. They also typically record them. They act as a man-in-the-middle (keep that in mind if you decide to +Many times proxies are used as a way of accessing otherwise blocked content. A user might connect to server A, which relays content from server B + ... Because Server B is blocked within the user's network. That's not the use case we will be dealing with here, but the concept is the same. +HTTP Proxies receive requests from a client and relay them. They also typically record them. They act as a man-in-the-middle (keep that in mind if you decide to use a proxy server to connect to some other system that is otherwise blocked). We won't get into HTTP vs HTTPS just yet, but that's an important topic in relationship to proxies. @@ -17,4 +17,4 @@ analyzing the security of a website. ZAP specifically can also be used in the development process in a CI/CD, DevOps or otherwise automated build/test environment. This lesson does not currently have any details on that, but it is worth mentioning. There are a number of examples on the internet of it being integrated into a -CI/CD with Jenkins, maven or other build processes. \ No newline at end of file +CI/CD with Jenkins, Maven or other build processes. \ No newline at end of file diff --git a/webgoat-lessons/cross-site-scripting/pom.xml b/webgoat-lessons/cross-site-scripting/pom.xml index 30c506d29..c6043ff30 100644 
--- a/webgoat-lessons/cross-site-scripting/pom.xml +++ b/webgoat-lessons/cross-site-scripting/pom.xml @@ -24,7 +24,7 @@ html - src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/ + src/main/resources/lessonPlans/en/ diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/html/CrossSiteScripting.html b/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html similarity index 99% rename from webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/html/CrossSiteScripting.html rename to webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html index a1ccd483c..4371a5def 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/html/CrossSiteScripting.html +++ b/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html @@ -64,7 +64,7 @@
- +
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/i18n/WebGoatLabels.properties b/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/plugin/i18n/WebGoatLabels.properties
rename to webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/i18n/WebGoatLabels_de.properties b/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels_de.properties
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/plugin/i18n/WebGoatLabels_de.properties
rename to webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels_de.properties
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/i18n/WebGoatLabels_fr.properties b/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels_fr.properties
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/plugin/i18n/WebGoatLabels_fr.properties
rename to webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels_fr.properties
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/i18n/WebGoatLabels_ru.properties b/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels_ru.properties
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/plugin/i18n/WebGoatLabels_ru.properties
rename to webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels_ru.properties
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/images/Reflected-XSS.png b/webgoat-lessons/cross-site-scripting/src/main/resources/images/Reflected-XSS.png
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/images/Reflected-XSS.png
rename to webgoat-lessons/cross-site-scripting/src/main/resources/images/Reflected-XSS.png
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/images/Stored-XSS.png b/webgoat-lessons/cross-site-scripting/src/main/resources/images/Stored-XSS.png
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/images/Stored-XSS.png
rename to webgoat-lessons/cross-site-scripting/src/main/resources/images/Stored-XSS.png
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/js/dom-xss.js b/webgoat-lessons/cross-site-scripting/src/main/resources/js/dom-xss.js
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/js/dom-xss.js
rename to webgoat-lessons/cross-site-scripting/src/main/resources/js/dom-xss.js
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content1.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content1.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content1.adoc
rename to webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content1.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content10.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content10.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content10.adoc
rename to webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content10.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content11.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content11.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content11.adoc
rename to webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content11.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content12.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content12.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content12.adoc
rename to webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content12.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content13.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content13.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content13.adoc
rename to webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content13.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content13a.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content13a.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content13a.adoc
rename to webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content13a.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content14.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content14.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content14.adoc
rename to webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content14.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content15.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content15.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content15.adoc
rename to webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content15.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content15a.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content15a.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content15a.adoc
rename to webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content15a.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content16.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content16.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content16.adoc
rename to webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content16.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content2.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content2.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content2.adoc
rename to webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content2.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content3.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content3.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content3.adoc
rename to webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content3.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content4.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content4.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content4.adoc
rename to webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content4.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content5.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content5.adoc
rename to webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content5a.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5a.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content5a.adoc
rename to webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5a.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content5b.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5b.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content5b.adoc
rename to webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5b.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content5c.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5c.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content5c.adoc
rename to webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5c.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content6.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content6.adoc
rename to webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content6a.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6a.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content6a.adoc
rename to webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6a.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content6b.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6b.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content6b.adoc
rename to webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6b.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content7.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content7.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content7.adoc
rename to webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content7.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content8.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content8.adoc
rename to webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content9.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content9.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content9.adoc
rename to webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content9.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content9a.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content9a.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content9a.adoc
rename to webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content9a.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_plan.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_plan.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_plan.adoc
rename to webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_plan.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonSolutions/en/CrossSiteScripting_solution.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonSolutions/en/CrossSiteScripting_solution.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonSolutions/en/CrossSiteScripting_solution.adoc
rename to webgoat-lessons/cross-site-scripting/src/main/resources/lessonSolutions/en/CrossSiteScripting_solution.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonSolutions/html/CrossSiteScripting.html b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonSolutions/html/CrossSiteScripting.html
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonSolutions/html/CrossSiteScripting.html
rename to webgoat-lessons/cross-site-scripting/src/main/resources/lessonSolutions/html/CrossSiteScripting.html
diff --git a/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/html/HttpBasics.html b/webgoat-lessons/http-basics/src/main/resources/html/HttpBasics.html
similarity index 98%
rename from webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/html/HttpBasics.html
rename to webgoat-lessons/http-basics/src/main/resources/html/HttpBasics.html
index d57a81e3a..f8be45cb2 100644
--- a/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/html/HttpBasics.html
+++ b/webgoat-lessons/http-basics/src/main/resources/html/HttpBasics.html
@@ -5,7 +5,7 @@
+ which you put in src/main/resources/lessonplans/{lang}/{fileName}.adoc -->
diff --git a/webgoat-lessons/http-basics/src/main/resources/plugin/i18n/WebGoatLabels.properties b/webgoat-lessons/http-basics/src/main/resources/i18n/WebGoatLabels.properties
similarity index 100%
rename from webgoat-lessons/http-basics/src/main/resources/plugin/i18n/WebGoatLabels.properties
rename to webgoat-lessons/http-basics/src/main/resources/i18n/WebGoatLabels.properties
diff --git a/webgoat-lessons/http-basics/src/main/resources/plugin/i18n/WebGoatLabels_de.properties b/webgoat-lessons/http-basics/src/main/resources/i18n/WebGoatLabels_de.properties
similarity index 100%
rename from webgoat-lessons/http-basics/src/main/resources/plugin/i18n/WebGoatLabels_de.properties
rename to webgoat-lessons/http-basics/src/main/resources/i18n/WebGoatLabels_de.properties
diff --git a/webgoat-lessons/http-basics/src/main/resources/plugin/i18n/WebGoatLabels_fr.properties b/webgoat-lessons/http-basics/src/main/resources/i18n/WebGoatLabels_fr.properties
similarity index 100%
rename from webgoat-lessons/http-basics/src/main/resources/plugin/i18n/WebGoatLabels_fr.properties
rename to webgoat-lessons/http-basics/src/main/resources/i18n/WebGoatLabels_fr.properties
diff --git a/webgoat-lessons/http-basics/src/main/resources/plugin/i18n/WebGoatLabels_nl.properties b/webgoat-lessons/http-basics/src/main/resources/i18n/WebGoatLabels_nl.properties
similarity index 100%
rename from webgoat-lessons/http-basics/src/main/resources/plugin/i18n/WebGoatLabels_nl.properties
rename to webgoat-lessons/http-basics/src/main/resources/i18n/WebGoatLabels_nl.properties
diff --git a/webgoat-lessons/http-basics/src/main/resources/plugin/i18n/WebGoatLabels_ru.properties b/webgoat-lessons/http-basics/src/main/resources/i18n/WebGoatLabels_ru.properties
similarity index 100%
rename from webgoat-lessons/http-basics/src/main/resources/plugin/i18n/WebGoatLabels_ru.properties
rename to webgoat-lessons/http-basics/src/main/resources/i18n/WebGoatLabels_ru.properties
diff --git a/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonPlans/de/HttpBasics.html b/webgoat-lessons/http-basics/src/main/resources/lessonPlans/de/HttpBasics.html
similarity index 100%
rename from webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonPlans/de/HttpBasics.html
rename to webgoat-lessons/http-basics/src/main/resources/lessonPlans/de/HttpBasics.html
diff --git a/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonPlans/en/HttpBasics_content1.adoc b/webgoat-lessons/http-basics/src/main/resources/lessonPlans/en/HttpBasics_content1.adoc
similarity index 100%
rename from webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonPlans/en/HttpBasics_content1.adoc
rename to webgoat-lessons/http-basics/src/main/resources/lessonPlans/en/HttpBasics_content1.adoc
diff --git a/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonPlans/en/HttpBasics_content2.adoc b/webgoat-lessons/http-basics/src/main/resources/lessonPlans/en/HttpBasics_content2.adoc
similarity index 100%
rename from webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonPlans/en/HttpBasics_content2.adoc
rename to webgoat-lessons/http-basics/src/main/resources/lessonPlans/en/HttpBasics_content2.adoc
diff --git a/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonPlans/en/HttpBasics_plan.adoc b/webgoat-lessons/http-basics/src/main/resources/lessonPlans/en/HttpBasics_plan.adoc
similarity index 100%
rename from webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonPlans/en/HttpBasics_plan.adoc
rename to webgoat-lessons/http-basics/src/main/resources/lessonPlans/en/HttpBasics_plan.adoc
diff --git a/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonPlans/nl/HttpBasics_content1.adoc b/webgoat-lessons/http-basics/src/main/resources/lessonPlans/nl/HttpBasics_content1.adoc
similarity index 100%
rename from webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonPlans/nl/HttpBasics_content1.adoc
rename to webgoat-lessons/http-basics/src/main/resources/lessonPlans/nl/HttpBasics_content1.adoc
diff --git a/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonPlans/ru/HttpBasics.html b/webgoat-lessons/http-basics/src/main/resources/lessonPlans/ru/HttpBasics.html
similarity index 100%
rename from webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonPlans/ru/HttpBasics.html
rename to webgoat-lessons/http-basics/src/main/resources/lessonPlans/ru/HttpBasics.html
diff --git a/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonSolutions/en/HttpBasics_solution.adoc b/webgoat-lessons/http-basics/src/main/resources/lessonSolutions/en/HttpBasics_solution.adoc
similarity index 100%
rename from webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonSolutions/en/HttpBasics_solution.adoc
rename to webgoat-lessons/http-basics/src/main/resources/lessonSolutions/en/HttpBasics_solution.adoc
diff --git a/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonSolutions/html/HttpBasics.html b/webgoat-lessons/http-basics/src/main/resources/lessonSolutions/html/HttpBasics.html
similarity index 100%
rename from webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonSolutions/html/HttpBasics.html
rename to webgoat-lessons/http-basics/src/main/resources/lessonSolutions/html/HttpBasics.html
diff --git a/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/.DS_Store b/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/.DS_Store
deleted file mode 100644
index cd3a2cf86..000000000
Binary files a/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/.DS_Store and /dev/null differ
diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/html/HttpProxies.html b/webgoat-lessons/http-proxies/src/main/resources/html/HttpProxies.html
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/html/HttpProxies.html
rename to webgoat-lessons/http-proxies/src/main/resources/html/HttpProxies.html
diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/i18n/WebGoatLabels.properties b/webgoat-lessons/http-proxies/src/main/resources/i18n/WebGoatLabels.properties
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/plugin/i18n/WebGoatLabels.properties
rename to webgoat-lessons/http-proxies/src/main/resources/i18n/WebGoatLabels.properties
diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/images/chrome-manual-proxy.png b/webgoat-lessons/http-proxies/src/main/resources/images/chrome-manual-proxy.png
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/images/chrome-manual-proxy.png
rename to webgoat-lessons/http-proxies/src/main/resources/images/chrome-manual-proxy.png
diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/images/firefox-proxy-config.png b/webgoat-lessons/http-proxies/src/main/resources/images/firefox-proxy-config.png
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/images/firefox-proxy-config.png
rename to webgoat-lessons/http-proxies/src/main/resources/images/firefox-proxy-config.png
diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/images/proxy-intercept-button.png b/webgoat-lessons/http-proxies/src/main/resources/images/proxy-intercept-button.png
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/images/proxy-intercept-button.png
rename to webgoat-lessons/http-proxies/src/main/resources/images/proxy-intercept-button.png
diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/images/proxy-intercept-details.png b/webgoat-lessons/http-proxies/src/main/resources/images/proxy-intercept-details.png
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/images/proxy-intercept-details.png
rename to webgoat-lessons/http-proxies/src/main/resources/images/proxy-intercept-details.png
diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/images/zap-history.png b/webgoat-lessons/http-proxies/src/main/resources/images/zap-history.png
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/images/zap-history.png
rename to webgoat-lessons/http-proxies/src/main/resources/images/zap-history.png
diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/images/zap-local-proxy.png b/webgoat-lessons/http-proxies/src/main/resources/images/zap-local-proxy.png
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/images/zap-local-proxy.png
rename to webgoat-lessons/http-proxies/src/main/resources/images/zap-local-proxy.png
diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/images/zap-start.png b/webgoat-lessons/http-proxies/src/main/resources/images/zap-start.png
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/images/zap-start.png
rename to webgoat-lessons/http-proxies/src/main/resources/images/zap-start.png
diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntercept.adoc b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntercept.adoc
similarity index 67%
rename from webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntercept.adoc
rename to webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntercept.adoc
index 8f66cc0fb..98a8436e9 100644
--- a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntercept.adoc
+++ b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntercept.adoc
@@ -1,15 +1,15 @@
 === Use the intercept
-To incercept a request, you start by clicking the green button. This will set a break point for the next request.
+To intercept a request, you start by clicking the green button. This will set a break point for the next request.
-image::plugin_lessons/plugin/HttpProxies/images/proxy-intercept-button.png[Set break/intercept button,style="lesson-image"]
+image::images/proxy-intercept-button.png[Set break/intercept button,style="lesson-image"]
 NOTE: It is also possible set breakpoints that are triggered on conditions. That won't be covered in this lesson though. You are encouraged to explore. That's part of what hackers do ... explore!
-Once you are interecepting requests and a request is made, it should look something like this:
+Once you are intercepting requests and a request is made, it should look something like this:
-image::plugin_lessons/plugin/HttpProxies/images/proxy-intercept-details.png[ZAP history tab,1269,337,style="lesson-image"]
+image::images/proxy-intercept-details.png[ZAP history tab,1269,337,style="lesson-image"]
 === Intercept and modify a request
diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro0.adoc b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntro0.adoc
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro0.adoc
rename to webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntro0.adoc
diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro1.adoc b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntro1.adoc
similarity index 77%
rename from webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro1.adoc
rename to webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntro1.adoc
index 7502cf15b..7cc84b033 100644
--- a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro1.adoc
+++ b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntro1.adoc
@@ -15,7 +15,7 @@ Once you have 'installed' ZAP (you don't really install it, just unpack it and r
 === Start ZAP
 When ZAP starts, you will be presented with a dialog such as the one below ...
-image::plugin_lessons/plugin/HttpProxies/images/zap-start.png[ZAP Start,548,256,style="lesson-image"]
+image::images/zap-start.png[ZAP Start,548,256,style="lesson-image"]
 === Configure Proxy's Port
@@ -24,4 +24,4 @@ image::plugin_lessons/plugin/HttpProxies/images/zap-start.png[ZAP Start,548,256,
 . Choose an available port ... Since WebGoat is using port 8080, use something different like 8090
 . Click OK
-image::plugin_lessons/plugin/HttpProxies/images/zap-local-proxy.png[ZAP local proxy,800,648,style="lesson-image"]
+image::images/zap-local-proxy.png[ZAP local proxy,800,648,style="lesson-image"]
diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro2.adoc b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntro2.adoc
similarity index 87%
rename from webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro2.adoc
rename to webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntro2.adoc
index a0f127e69..6b4fad1b1 100644
--- a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro2.adoc
+++ b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntro2.adoc
@@ -14,7 +14,7 @@ This will send all of your traffic to the proxy. Since we haven't set up a trust
 .. input *8090* as the port
 .. check the _Use this proxy server for all protocols_ checkbox
-image::plugin_lessons/plugin/HttpProxies/images/firefox-proxy-config.png[Firefox Proxy Config,510,634,style="lesson-image"]
+image::images/firefox-proxy-config.png[Firefox Proxy Config,510,634,style="lesson-image"]
 === Chrome Proxy Config
@@ -26,7 +26,7 @@ image::plugin_lessons/plugin/HttpProxies/images/firefox-proxy-config.png[Firefox
 . Input 127..0.0.1 in the first box under _Web Proxy Server_ and your port # (8090 is what used earlier) in the second box (to the right)
 . You may also want to clear the _Bypass proxy settings for these Hosts & Domains_ text input at the bottom, but shouldn't need to
-image::plugin_lessons/plugin/HttpProxies/images/chrome-manual-proxy.png[Chrome Proxy Config,700,447,style="lesson-image"]
+image::images/chrome-manual-proxy.png[Chrome Proxy Config,700,447,style="lesson-image"]
 === Other Proxy Configuration Options
diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro3.adoc b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntro3.adoc
similarity index 63%
rename from webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro3.adoc
rename to webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntro3.adoc
index 06667d532..fbebe9bf2 100644
--- a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro3.adoc
+++ b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntro3.adoc
@@ -3,4 +3,4 @@ You should now be able to browse somewhere. We suggest starting with a plain http host. If it's working, ZAP's history tab will start to look something like this.
-image::plugin_lessons/plugin/HttpProxies/images/zap-history.png[ZAP history tab,1269,337,style="lesson-image"]
\ No newline at end of file
+image::images/zap-history.png[ZAP history tab,1269,337,style="lesson-image"]
\ No newline at end of file
diff --git a/webgoat-lessons/idor/pom.xml b/webgoat-lessons/idor/pom.xml
index 4e4db28c9..21437a0c9 100644
--- a/webgoat-lessons/idor/pom.xml
+++ b/webgoat-lessons/idor/pom.xml
@@ -25,7 +25,7 @@ html
- src/main/resources/plugin/IDOR/lessonPlans/en/
+ src/main/resources/lessonPlans/en/
diff --git a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOwnProfileAltUrl.java b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOwnProfileAltUrl.java
index f0473443f..677783200 100644
--- a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOwnProfileAltUrl.java
+++ b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOwnProfileAltUrl.java
@@ -11,7 +11,6 @@ import org.springframework.web.bind.annotation.*;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import javax.ws.rs.Path;
 import java.io.IOException;
 import java.util.HashMap;
 import java.util.Map;
diff --git a/webgoat-lessons/idor/src/main/resources/plugin/IDOR/html/IDOR.html b/webgoat-lessons/idor/src/main/resources/html/IDOR.html
similarity index 100%
rename from webgoat-lessons/idor/src/main/resources/plugin/IDOR/html/IDOR.html
rename to webgoat-lessons/idor/src/main/resources/html/IDOR.html
diff --git a/webgoat-lessons/idor/src/main/resources/plugin/i18n/WebGoatLabels.properties b/webgoat-lessons/idor/src/main/resources/i18n/WebGoatLabels.properties
similarity index 100%
rename from webgoat-lessons/idor/src/main/resources/plugin/i18n/WebGoatLabels.properties
rename to webgoat-lessons/idor/src/main/resources/i18n/WebGoatLabels.properties
diff --git a/webgoat-lessons/idor/src/main/resources/plugin/IDOR/js/idor.js b/webgoat-lessons/idor/src/main/resources/js/idor.js
similarity index 100%
rename from webgoat-lessons/idor/src/main/resources/plugin/IDOR/js/idor.js
rename to webgoat-lessons/idor/src/main/resources/js/idor.js
diff --git a/webgoat-lessons/idor/src/main/resources/plugin/IDOR/lessonPlans/en/IDOR_editOtherProfile.adoc b/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_editOtherProfile.adoc
similarity index 100%
rename from webgoat-lessons/idor/src/main/resources/plugin/IDOR/lessonPlans/en/IDOR_editOtherProfile.adoc
rename to webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_editOtherProfile.adoc
diff --git a/webgoat-lessons/idor/src/main/resources/plugin/IDOR/lessonPlans/en/IDOR_editOwnProfile.adoc b/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_editOwnProfile.adoc
similarity index 100%
rename from webgoat-lessons/idor/src/main/resources/plugin/IDOR/lessonPlans/en/IDOR_editOwnProfile.adoc
rename to webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_editOwnProfile.adoc
diff --git a/webgoat-lessons/idor/src/main/resources/plugin/IDOR/lessonPlans/en/IDOR_inputAltPath.adoc b/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_inputAltPath.adoc
similarity index 100%
rename from webgoat-lessons/idor/src/main/resources/plugin/IDOR/lessonPlans/en/IDOR_inputAltPath.adoc
rename to webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_inputAltPath.adoc
diff --git a/webgoat-lessons/idor/src/main/resources/plugin/IDOR/lessonPlans/en/IDOR_intro.adoc b/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_intro.adoc
similarity index 100%
rename from webgoat-lessons/idor/src/main/resources/plugin/IDOR/lessonPlans/en/IDOR_intro.adoc
rename to webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_intro.adoc
diff --git a/webgoat-lessons/idor/src/main/resources/plugin/IDOR/lessonPlans/en/IDOR_login.adoc b/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_login.adoc
similarity index 100%
rename from webgoat-lessons/idor/src/main/resources/plugin/IDOR/lessonPlans/en/IDOR_login.adoc
rename to webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_login.adoc
diff --git a/webgoat-lessons/idor/src/main/resources/plugin/IDOR/lessonPlans/en/IDOR_mitigation.adoc b/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_mitigation.adoc
similarity index 100%
rename from webgoat-lessons/idor/src/main/resources/plugin/IDOR/lessonPlans/en/IDOR_mitigation.adoc
rename to webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_mitigation.adoc
diff --git a/webgoat-lessons/idor/src/main/resources/plugin/IDOR/lessonPlans/en/IDOR_viewDiffs.adoc b/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_viewDiffs.adoc
similarity index 100%
rename from webgoat-lessons/idor/src/main/resources/plugin/IDOR/lessonPlans/en/IDOR_viewDiffs.adoc
rename to webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_viewDiffs.adoc
diff --git a/webgoat-lessons/idor/src/main/resources/plugin/IDOR/lessonPlans/en/IDOR_viewOtherProfile.adoc b/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_viewOtherProfile.adoc
similarity index 100%
rename from webgoat-lessons/idor/src/main/resources/plugin/IDOR/lessonPlans/en/IDOR_viewOtherProfile.adoc
rename to webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_viewOtherProfile.adoc
diff --git a/webgoat-lessons/idor/src/main/resources/plugin/IDOR/lessonPlans/en/IDOR_viewOwnAltPath.adoc b/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_viewOwnAltPath.adoc
similarity index 100%
rename from webgoat-lessons/idor/src/main/resources/plugin/IDOR/lessonPlans/en/IDOR_viewOwnAltPath.adoc
rename to webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_viewOwnAltPath.adoc
diff --git a/webgoat-lessons/idor/src/main/resources/plugin/IDOR/lessonPlans/en/IDOR_whatDiffs.adoc b/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_whatDiffs.adoc
similarity index 100%
rename from webgoat-lessons/idor/src/main/resources/plugin/IDOR/lessonPlans/en/IDOR_whatDiffs.adoc
rename to webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_whatDiffs.adoc
diff --git a/webgoat-lessons/idor/src/main/resources/plugin/IDOR/lessonPlans/en/temp.txt b/webgoat-lessons/idor/src/main/resources/lessonPlans/en/temp.txt
similarity index 100%
rename from webgoat-lessons/idor/src/main/resources/plugin/IDOR/lessonPlans/en/temp.txt
rename to webgoat-lessons/idor/src/main/resources/lessonPlans/en/temp.txt
diff --git a/webgoat-lessons/jwt/pom.xml b/webgoat-lessons/jwt/pom.xml
new file mode 100644
index 000000000..0867ac1cc
--- /dev/null
+++ b/webgoat-lessons/jwt/pom.xml
@@ -0,0 +1,12 @@
+ + 4.0.0 + jwt + jar + + org.owasp.webgoat.lesson + webgoat-lessons-parent + 8.0-SNAPSHOT + + +
diff --git a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/plugin/JWT.java b/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/plugin/JWT.java
new file mode 100644
index 000000000..928ff6557
--- /dev/null
+++ b/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/plugin/JWT.java
@@ -0,0 +1,39 @@
+package org.owasp.webgoat.plugin;
+
+import com.beust.jcommander.internal.Lists;
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.NewLesson;
+
+import java.util.List;
+
+/**
+ * @author nbaars
+ * @since 3/22/17.
+ */
+public class JWT extends NewLesson {
+
+ @Override
+ public Category getDefaultCategory() {
+ return Category.AUTHENTICATION;
+ }
+
+ @Override
+ public List getHints() {
+ return Lists.newArrayList();
+ }
+
+ @Override
+ public Integer getDefaultRanking() {
+ return null;
+ }
+
+ @Override
+ public String getTitle() {
+ return "jwt.title";
+ }
+
+ @Override
+ public String getId() {
+ return "JWT";
+ }
+}
diff --git a/webgoat-lessons/jwt/src/main/resources/html/JWT.html b/webgoat-lessons/jwt/src/main/resources/html/JWT.html
new file mode 100644
index 000000000..242452f71
--- /dev/null
+++ b/webgoat-lessons/jwt/src/main/resources/html/JWT.html
@@ -0,0 +1,42 @@
+ + + +
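Review bot: `getHints()` in the new JWT lesson builds its list with `com.beust.jcommander.internal.Lists`, an internal package of a command-line parsing library, while this same commit replaces exactly that import in VulnerableComponents.java with `java.util.ArrayList`; the new class should follow that fix — `import java.util.ArrayList;` and `return new ArrayList<>();` — rather than reintroduce the dependency. `getDefaultRanking()` returns `null` with no explanation; if a null ranking means "unranked" to the lesson container, say so in a one-line comment, otherwise return an explicit value. The class-level Javadoc carries only author and date; a sentence such as `Lesson on JSON Web Token handling and its common pitfalls (content in lessonPlans/en/JWT_plan.adoc).` would tell a reader what the lesson is for. The class is a new file and is complete within this hunk.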
+ + +
+
+ +
+ + +
+ +
+
+ + + +
+
+ + Enter Your Name: + +
+ + +
+
+ +
+ +
+ +
\ No newline at end of file
diff --git a/webgoat-lessons/jwt/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/jwt/src/main/resources/i18n/WebGoatLabels.properties
new file mode 100644
index 000000000..3a581a904
--- /dev/null
+++ b/webgoat-lessons/jwt/src/main/resources/i18n/WebGoatLabels.properties
@@ -0,0 +1 @@
+jwt.title=JWT tokens
diff --git a/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_content1.adoc b/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_content1.adoc
new file mode 100644
index 000000000..e192587b6
--- /dev/null
+++ b/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_content1.adoc
@@ -0,0 +1 @@
+== Test
\ No newline at end of file
diff --git a/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_plan.adoc b/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_plan.adoc
new file mode 100644
index 000000000..d6c375bb8
--- /dev/null
+++ b/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_plan.adoc
@@ -0,0 +1,39 @@
+= JWT Tokens
+
+== Concept
+
+This lesson teaches about using JSON Web Tokens (JWT) for authentication and the common pitfalls you need to be aware of
+ when using JWT.
+
+== Goals
+
+Teach how to securely implement the usage of tokens.
+
+== Introduction
+
+Many application use JSON Web Tokens (JWT) to allow the client to indicate is identity for further exchange after authentication.
+
+From https://jwt.io/introduction:
+
+-------------------------------------------------------
+JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact
+and self-contained way for securely transmitting
+information between parties as a JSON object. This information can be
+verified and trusted because it is digitally signed. JWTs can be signed using
+a secret (with the HMAC algorithm) or a public/private key pair using RSA.
+
+JSON Web Token is used to carry information related to the identity and
+characteristics (claims) of a client. This "container" is signed by the server
+in order to avoid that a client tamper it in order to change, for example,
+the identity or any characteristics (example: change the role from simple
+user to admin or change the client login). This token is created during
+authentication (is provided in case of successful authentication) and is
+verified by the server before any processing. It is used by an application
+to allow a client to present a token representing his "identity card" (container
+with all user information about him) to server and allow the server to verify
+the validity and integrity of the token in a secure way, all of this in a stateless
+and portable approach (portable in the way that client and server technologies can
+be different including also the transport channel even if HTTP is the most often used)
+-------------------------------------------------------
+
+
diff --git a/webgoat-lessons/pom.xml b/webgoat-lessons/pom.xml
index caccdb305..51babeab6 100644
--- a/webgoat-lessons/pom.xml
+++ b/webgoat-lessons/pom.xml
@@ -19,6 +19,7 @@
 cross-site-scripting
 http-basics
 http-proxies
+jwt
 sql-injection
 xxe
 idor
diff --git a/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/html/SqlInjection.html b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/html/SqlInjection.html
rename to webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html
diff --git a/webgoat-lessons/sql-injection/src/main/resources/plugin/i18n/WebGoatLabels.properties b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/plugin/i18n/WebGoatLabels.properties
rename to webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
diff --git a/webgoat-lessons/sql-injection/src/main/resources/plugin/i18n/WebGoatLabels_de.properties b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels_de.properties
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/plugin/i18n/WebGoatLabels_de.properties
rename to webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels_de.properties
diff --git a/webgoat-lessons/sql-injection/src/main/resources/plugin/i18n/WebGoatLabels_fr.properties b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels_fr.properties
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/plugin/i18n/WebGoatLabels_fr.properties
rename to webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels_fr.properties
diff --git a/webgoat-lessons/sql-injection/src/main/resources/plugin/i18n/WebGoatLabels_ru.properties b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels_ru.properties
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/plugin/i18n/WebGoatLabels_ru.properties
rename to webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels_ru.properties
diff --git a/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content1.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content1.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content1.adoc
rename to webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content1.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content10.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content10.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content10.adoc
rename to webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content10.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content11.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content11.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content11.adoc
rename to webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content11.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content12.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content12.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content12.adoc
rename to webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content12.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content13.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content13.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content13.adoc
rename to webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content13.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content2.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content2.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content2.adoc
rename to webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content2.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content3.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content3.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content3.adoc
rename to webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content3.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content4.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content4.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content4.adoc
rename to webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content4.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content5.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content5.adoc
rename to webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content5a.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5a.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content5a.adoc
rename to webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5a.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content5b.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5b.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content5b.adoc
rename to webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5b.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content6.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content6.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content6.adoc
rename to webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content6.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content6a.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content6a.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content6a.adoc
rename to webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content6a.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content7.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content7.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content7.adoc
rename to webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content7.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content8.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content8.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content8.adoc
rename to webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content8.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content9.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content9.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content9.adoc
rename to webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content9.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_plan.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_plan.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_plan.adoc
rename to webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_plan.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonSolutions/en/SqlInjection_solution.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonSolutions/en/SqlInjection_solution.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonSolutions/en/SqlInjection_solution.adoc
rename to webgoat-lessons/sql-injection/src/main/resources/lessonSolutions/en/SqlInjection_solution.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonSolutions/html/SqlInjection.html b/webgoat-lessons/sql-injection/src/main/resources/lessonSolutions/html/SqlInjection.html
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonSolutions/html/SqlInjection.html
rename to webgoat-lessons/sql-injection/src/main/resources/lessonSolutions/html/SqlInjection.html
diff --git a/webgoat-lessons/vulnerable-components/pom.xml b/webgoat-lessons/vulnerable-components/pom.xml
index ff124ffcf..04ff99e84 100644
--- a/webgoat-lessons/vulnerable-components/pom.xml
+++ b/webgoat-lessons/vulnerable-components/pom.xml
@@ -8,17 +8,31 @@ webgoat-lessons-parent 8.0-SNAPSHOT - - - com.thoughtworks.xstream - xstream - 1.4.7 - + - junit - junit + com.thoughtworks.xstream + xstream + 1.4.7 + + + cglib + cglib-nodep + 2.2 + + + ant + ant-launcher + 1.6.2 + + + ant + ant + 1.6.2 + + + xml-resolver + xml-resolver + 1.2 - -
diff --git a/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/plugin/VulnerableComponents.java b/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/plugin/VulnerableComponents.java
index 5a8f87cce..c353798f4 100644
--- a/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/plugin/VulnerableComponents.java
+++ b/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/plugin/VulnerableComponents.java
@@ -1,9 +1,9 @@
 package org.owasp.webgoat.plugin;
-import com.beust.jcommander.internal.Lists;
 import org.owasp.webgoat.lessons.Category;
 import org.owasp.webgoat.lessons.NewLesson;
+import java.util.ArrayList;
 import java.util.List;
 /**
@@ -43,7 +43,7 @@ public class VulnerableComponents extends NewLesson {
 @Override
 public List getHints() {
- return Lists.newArrayList();
+ return new ArrayList();
 }
 @Override
diff --git a/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/plugin/VulnerableComponentsLesson.java b/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/plugin/VulnerableComponentsLesson.java
index 5026a2256..e3c8a338e 100644
--- a/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/plugin/VulnerableComponentsLesson.java
+++ b/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/plugin/VulnerableComponentsLesson.java
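Review bot: The dependency block now pins `cglib-nodep 2.2`, `ant 1.6.2`, `ant-launcher 1.6.2` and `xml-resolver 1.2` next to `xstream 1.4.7`, but nothing in the hunk records that these old versions are deliberate; none of them is referenced by the visible lesson code, so they appear to exist only to be present on the classpath for the XStream deserialization exercise, and a dependency-update bot or a well-meaning maintainer will bump them and silently break the lesson. Add an XML comment above the block, e.g. `<!-- Intentionally outdated: these libraries are on the classpath only to support the vulnerable-components (XStream) lesson. Do not upgrade. -->`, and consider `<scope>runtime</scope>` so lesson code cannot compile against them by accident. The hunk also seems to drop a `junit` dependency that was there before (the XML tags are stripped in this rendering, so this is inferred); if so, confirm the module still inherits test scope from the parent pom.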
@@ -1,7 +1,7 @@ package org.owasp.webgoat.plugin; -import java.io.IOException; - +import com.thoughtworks.xstream.XStream; +import com.thoughtworks.xstream.io.xml.DomDriver; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; @@ -10,8 +10,7 @@ import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.ResponseBody; -import com.thoughtworks.xstream.XStream; -import com.thoughtworks.xstream.io.xml.DomDriver; +import java.io.IOException; /** * ************************************************************************************************* @@ -55,7 +54,9 @@ public class VulnerableComponentsLesson extends AssignmentEndpoint { XStream xstream = new XStream(new DomDriver()); -// xstream.processAnnotations(Contact.class); + xstream.setClassLoader(Contact.class.getClassLoader()); + + xstream.processAnnotations(Contact.class); // xstream.registerConverter(new ContactConverter()); // xstream.registerConverter(new CatchAllConverter(), XStream.PRIORITY_VERY_LOW); diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/html/VulnerableComponents.html b/webgoat-lessons/vulnerable-components/src/main/resources/html/VulnerableComponents.html similarity index 100% rename from webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/html/VulnerableComponents.html rename to webgoat-lessons/vulnerable-components/src/main/resources/html/VulnerableComponents.html 
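Review bot: The new `xstream.setClassLoader(Contact.class.getClassLoader());` and `xstream.processAnnotations(Contact.class);` lines configure an XStream instance that will unmarshal any type it is handed, and nothing marks this as intentional. In the vulnerable-components lesson that is presumably the point, so a comment such as `// Intentionally no type allow-list: this lesson demonstrates unsafe XStream deserialization of untrusted input` would stop a later maintainer from either "fixing" it or copying the pattern into real code, where the allow-list API XStream's security framework provides (`allowTypes`, available from 1.4.7) is the control to apply. The two commented-out `registerConverter` lines below are dead code and can be deleted. The enclosing method starts and ends outside the hunk.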
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/i18n/WebGoatLabels.properties b/webgoat-lessons/vulnerable-components/src/main/resources/i18n/WebGoatLabels.properties
similarity index 100%
rename from webgoat-lessons/vulnerable-components/src/main/resources/plugin/i18n/WebGoatLabels.properties
rename to webgoat-lessons/vulnerable-components/src/main/resources/i18n/WebGoatLabels.properties
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/images/OWASP-2013-A9.png b/webgoat-lessons/vulnerable-components/src/main/resources/images/OWASP-2013-A9.png
similarity index 100%
rename from webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/images/OWASP-2013-A9.png
rename to webgoat-lessons/vulnerable-components/src/main/resources/images/OWASP-2013-A9.png
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/images/OWASP-Dep-Check.png b/webgoat-lessons/vulnerable-components/src/main/resources/images/OWASP-Dep-Check.png
similarity index 100%
rename from webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/images/OWASP-Dep-Check.png
rename to webgoat-lessons/vulnerable-components/src/main/resources/images/OWASP-Dep-Check.png
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/images/Old-Components.png b/webgoat-lessons/vulnerable-components/src/main/resources/images/Old-Components.png
similarity index 100%
rename from webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/images/Old-Components.png
rename to webgoat-lessons/vulnerable-components/src/main/resources/images/Old-Components.png
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/images/OpenSourceGrowing.png b/webgoat-lessons/vulnerable-components/src/main/resources/images/OpenSourceGrowing.png
similarity index 100%
rename from webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/images/OpenSourceGrowing.png
rename to webgoat-lessons/vulnerable-components/src/main/resources/images/OpenSourceGrowing.png
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/images/Risk-of-Old-Components.png b/webgoat-lessons/vulnerable-components/src/main/resources/images/Risk-of-Old-Components.png
similarity index 100%
rename from webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/images/Risk-of-Old-Components.png
rename to webgoat-lessons/vulnerable-components/src/main/resources/images/Risk-of-Old-Components.png
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/images/WebGoat-Vulns.png b/webgoat-lessons/vulnerable-components/src/main/resources/images/WebGoat-Vulns.png
similarity index 100%
rename from webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/images/WebGoat-Vulns.png
rename to webgoat-lessons/vulnerable-components/src/main/resources/images/WebGoat-Vulns.png
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content0.adoc b/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content0.adoc
similarity index 100%
rename from webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content0.adoc
rename to webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content0.adoc
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content1.adoc b/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content1.adoc new file mode 100644 index 000000000..e5defe314 --- /dev/null +++ b/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content1.adoc @@ -0,0 +1,7 @@ + +== 2013 OWASP Top 10 - A9 + +As early as 2013, thought leaders like OWASP recognized that "WE" need to pay attention to this problem. + + +image::images/OWASP-2013-A9.png[caption="Figure: ", title="2013 OWASP - Top 10 - A9", alt="A9", width="800", height="500", style="lesson-image" link="https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities"] diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content1a.adoc b/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content1a.adoc similarity index 72% rename from webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content1a.adoc rename to webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content1a.adoc index 2021f6290..a35106342 100644 --- a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content1a.adoc +++ b/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content1a.adoc 
@@ -7,5 +7,5 @@ WebGoat uses almost *200 Java and JavaScript* libraries. Like most Java applica When this lesson was created WebGoat contained more than a dozen high security risks within it's components. Most of these were not deliberate choices. How are developers supposed to track this information across the hundreds of components? -image::plugin_lessons/plugin/VulnerableComponents/images/WebGoat-Vulns.png[caption="Figure: ", title="WebGoat Security Issues", alt="Security Issues", width="800", height="400", style="lesson-image"] +image::images/WebGoat-Vulns.png[caption="Figure: ", title="WebGoat Security Issues", alt="Security Issues", width="800", height="400", style="lesson-image"] diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content2.adoc b/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content2.adoc similarity index 100% rename from webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content2.adoc rename to webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content2.adoc diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content2a.adoc b/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content2a.adoc similarity index 100% rename from webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content2a.adoc rename to webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content2a.adoc 
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content3.adoc b/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content3.adoc similarity index 100% rename from webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content3.adoc rename to webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content3.adoc diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content4.adoc b/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content4.adoc similarity index 71% rename from webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content4.adoc rename to webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content4.adoc index de72cf84c..d24babbda 100644 --- a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content4.adoc +++ b/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content4.adoc @@ -4,6 +4,6 @@ There are several open source and paid-for solutions that will identify risk in Dependency check uses several pieces of evidence to determine the library names. Below is a snippet of a report: -image::plugin_lessons/plugin/VulnerableComponents/images/OWASP-Dep-Check.png[caption="Figure: ", title="WebGoat Bill of Materials", alt="BoM", width="988", height="515", style="lesson-image"] +image::images/OWASP-Dep-Check.png[caption="Figure: ", title="WebGoat Bill of Materials", alt="BoM", width="988", height="515", style="lesson-image"] 
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content4a.adoc b/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content4a.adoc
similarity index 100%
rename from webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content4a.adoc
rename to webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content4a.adoc
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content4b.adoc b/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content4b.adoc
similarity index 100%
rename from webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content4b.adoc
rename to webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content4b.adoc
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content4c.adoc b/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content4c.adoc
similarity index 56%
rename from webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content4c.adoc
rename to webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content4c.adoc
index 9b553b92c..bf712d94f 100644
--- a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content4c.adoc
+++ b/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content4c.adoc
@@ -20,6 +20,6 @@ For the components analyzed in 25,000 applications it was found that: [cols="2a,2a"] |=== -| image::plugin_lessons/plugin/VulnerableComponents/images/Old-Components.png[caption="Figure: ", title="Old Components", alt="Old Components", width="355", height="304", style="lesson-image"] -| image::plugin_lessons/plugin/VulnerableComponents/images/Risk-of-Old-Components.png[caption="Figure: ", title="Risk of Old Components", alt="Risk of Old Components", width="355", height="304", style="lesson-image"] +| image::images/Old-Components.png[caption="Figure: ", title="Old Components", alt="Old Components", width="355", height="304", style="lesson-image"] +| image::images/Risk-of-Old-Components.png[caption="Figure: ", title="Risk of Old Components", alt="Risk of Old Components", width="355", height="304", style="lesson-image"] |=== \ No newline at end of file diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content5.adoc b/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content5.adoc similarity index 100% rename from webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content5.adoc rename to webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content5.adoc diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content5a.adoc b/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content5a.adoc similarity index 100% rename from webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content5a.adoc rename to webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content5a.adoc 
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content6.adoc b/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content6.adoc
similarity index 100%
rename from webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content6.adoc
rename to webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content6.adoc
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_plan.adoc b/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_plan.adoc
similarity index 73%
rename from webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_plan.adoc
rename to webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_plan.adoc
index 004671a9b..f09d521e2 100644
--- a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_plan.adoc
+++ b/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_plan.adoc
@@ -6,7 +6,7 @@ The way we build software has changed. The open source community is maturing an This lesson will walk through the difficulties with managing dependent libraries, the risk of not managing those dependencies, and the difficulty in determining if you are at risk. -image::plugin_lessons/plugin/VulnerableComponents/images/OpenSourceGrowing.png[caption="Figure: ", title="Software Supply Chain", alt="SSC", width="500", height="300", style="lesson-image" link="https://www.sonatype.com/hubfs/SSC/Software_Supply_Chain_Inforgraphic.pdf?t=1485298506170[Software Supply Chain"] +image::images/OpenSourceGrowing.png[caption="Figure: ", title="Software Supply Chain", alt="SSC", width="500", height="300", style="lesson-image" link="https://www.sonatype.com/hubfs/SSC/Software_Supply_Chain_Inforgraphic.pdf?t=1485298506170[Software Supply Chain"] == Goals diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonSolutions/en/VulnerableComponents_solution.adoc b/webgoat-lessons/vulnerable-components/src/main/resources/lessonSolutions/en/VulnerableComponents_solution.adoc similarity index 100% rename from webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonSolutions/en/VulnerableComponents_solution.adoc rename to webgoat-lessons/vulnerable-components/src/main/resources/lessonSolutions/en/VulnerableComponents_solution.adoc diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonSolutions/html/VulnerableComponents.html b/webgoat-lessons/vulnerable-components/src/main/resources/lessonSolutions/html/VulnerableComponents.html similarity index 100% rename from webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonSolutions/html/VulnerableComponents.html rename to webgoat-lessons/vulnerable-components/src/main/resources/lessonSolutions/html/VulnerableComponents.html 
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content1.adoc b/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content1.adoc deleted file mode 100644 index 989dc2c92..000000000 --- a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content1.adoc +++ /dev/null @@ -1,7 +0,0 @@ - -== 2013 OWASP Top 10 - A9 - -As early as 2013, thought leaders like OWASP recognized that "WE" need to pay attention to this problem. - - -image::plugin_lessons/plugin/VulnerableComponents/images/OWASP-2013-A9.png[caption="Figure: ", title="2013 OWASP - Top 10 - A9", alt="A9", width="800", height="500", style="lesson-image" link="https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities"] diff --git a/webgoat-lessons/xxe/pom.xml b/webgoat-lessons/xxe/pom.xml index f01262e6e..c1e89bd06 100644 --- a/webgoat-lessons/xxe/pom.xml +++ b/webgoat-lessons/xxe/pom.xml @@ -9,28 +9,11 @@ 8.0-SNAPSHOT - - - - org.asciidoctor - asciidoctor-maven-plugin - 1.5.3 - - - - output-html - generate-resources - - process-asciidoc - - - html - src/main/resources/plugin/XXE/lessonPlans/en/ - - - - - - - + + + commons-lang + commons-lang + 2.6 + + \ No newline at end of file diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java index f08258245..6961b4fe3 100644 --- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java +++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java 
@@ -1,17 +1,23 @@ package org.owasp.webgoat.plugin; import com.google.common.base.Joiner; +import lombok.SneakyThrows; import org.apache.commons.lang.exception.ExceptionUtils; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.core.io.ClassPathResource; import org.springframework.http.MediaType; +import org.springframework.util.FileCopyUtils; import org.springframework.web.bind.annotation.RequestBody; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.ResponseBody; +import javax.annotation.PostConstruct; import java.io.File; +import java.io.FileOutputStream; import java.nio.file.Files; import java.nio.file.Paths; import java.util.List; @@ -50,6 +56,20 @@ import static org.owasp.webgoat.plugin.SimpleXXE.parseXml; @AssignmentPath("XXE/blind") public class BlindSendFileAssignment extends AssignmentEndpoint { + @Value("${webgoat.user.directory}") + private String webGoatHomeDirectory; + + @PostConstruct + @SneakyThrows + public void copyFile() { + ClassPathResource classPathResource = new ClassPathResource("secret.txt"); + File targetDirectory = new File(webGoatHomeDirectory, "/XXE"); + if (!targetDirectory.exists()) { + targetDirectory.mkdir(); + } + FileCopyUtils.copy(classPathResource.getInputStream(), new FileOutputStream(new File(targetDirectory, "secret.txt"))); + } + @RequestMapping(method = RequestMethod.POST, consumes = MediaType.ALL_VALUE, produces = MediaType.APPLICATION_JSON_VALUE) @ResponseBody public AttackResult createNewUser(@RequestBody String userInfo) throws Exception { 
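Review bot: In `copyFile()` the directory creation is neither recursive nor checked: `targetDirectory.mkdir()` returns false without throwing when the configured `webgoat.user.directory` does not exist yet, and the following `new FileOutputStream(...)` then fails with a FileNotFoundException that `@SneakyThrows` rethrows during bean initialization, taking the whole application context down rather than just this lesson. Replace the `if` block with `Files.createDirectories(targetDirectory.toPath());` (`java.nio.file.Files` is already imported), which creates missing parents and fails with a clear exception when it cannot. A @PostConstruct that writes into the user's home directory is surprising enough to deserve a comment, e.g. `// secret.txt is the file the blind XXE assignment asks the student to retrieve through the XXE/ping endpoint`. `FileCopyUtils.copy(InputStream, OutputStream)` closes both streams itself, so no try-with-resources is needed around the copy.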
@@ -60,7 +80,7 @@ public class BlindSendFileAssignment extends AssignmentEndpoint { error = ExceptionUtils.getFullStackTrace(e); } - File logFile = new File(getPluginDirectory(), "/XXE/log.txt"); + File logFile = new File(webGoatHomeDirectory, "/XXE/log.txt"); List lines = Files.readAllLines(Paths.get(logFile.toURI())); boolean solved = lines.stream().filter(l -> l.contains("WebGoat 8 rocks...")).findFirst().isPresent(); logFile.delete(); diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Ping.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Ping.java index 618c1e3a3..6ef28f863 100644 --- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Ping.java +++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Ping.java @@ -2,6 +2,7 @@ package org.owasp.webgoat.plugin; import lombok.extern.slf4j.Slf4j; import org.owasp.webgoat.assignments.Endpoint; +import org.springframework.beans.factory.annotation.Value; import org.springframework.web.bind.annotation.RequestHeader; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; @@ -44,6 +45,9 @@ import java.io.PrintWriter; @Slf4j public class Ping extends Endpoint { + @Value("${webgoat.user.directory}") + private String webGoatHomeDirectory; + @Override public String getPath() { return "XXE/ping"; 
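Review bot: The read on the line after the changed `File logFile = new File(webGoatHomeDirectory, "/XXE/log.txt");` is unconditional, so when the file does not exist (no request has reached Ping yet, or the previous attempt already ran `logFile.delete()`) `Files.readAllLines` throws NoSuchFileException and `createNewUser`, declared `throws Exception`, answers with a server error instead of a failed attempt. Guard it before the read, for example `if (!logFile.exists()) { /* return the assignment's failed result */ }`, and declare the list as `List<String> lines` instead of the raw `List`. The result of `logFile.delete()` is also ignored; if deletion fails the next attempt silently reads stale content. The enclosing method starts outside the hunk.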
@@ -54,13 +58,13 @@ public class Ping extends Endpoint { public String logRequest(@RequestHeader("User-Agent") String userAgent, @RequestParam(required = false) String text) { String logLine = String.format("%s %s %s", "GET", userAgent, text); log.debug(logLine); - File logFile = new File(getPluginDirectory(), "/XXE/log.txt"); + File logFile = new File(webGoatHomeDirectory, "/XXE/log.txt"); try { try (PrintWriter pw = new PrintWriter(logFile)) { pw.println(logLine); } } catch (FileNotFoundException e) { - log.error("Error occured while writing the logfile", e); + log.error("Error occurred while writing the logfile", e); } return ""; } diff --git a/webgoat-lessons/xxe/src/main/resources/plugin/XXE/csv/flights.txt b/webgoat-lessons/xxe/src/main/resources/csv/flights.txt similarity index 100% rename from webgoat-lessons/xxe/src/main/resources/plugin/XXE/csv/flights.txt rename to webgoat-lessons/xxe/src/main/resources/csv/flights.txt diff --git a/webgoat-lessons/xxe/src/main/resources/plugin/XXE/html/XXE.html b/webgoat-lessons/xxe/src/main/resources/html/XXE.html similarity index 96% rename from webgoat-lessons/xxe/src/main/resources/plugin/XXE/html/XXE.html rename to webgoat-lessons/xxe/src/main/resources/html/XXE.html index 06d790ec8..831d55cdc 100644 --- a/webgoat-lessons/xxe/src/main/resources/plugin/XXE/html/XXE.html +++ b/webgoat-lessons/xxe/src/main/resources/html/XXE.html @@ -27,7 +27,7 @@
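Review bot: `logRequest` now writes into `<webgoat.user.directory>/XXE/`, a directory this class never creates; it exists only because `BlindSendFileAssignment.copyFile()` creates it in its @PostConstruct elsewhere in this commit, and when it is missing the `PrintWriter` constructor throws FileNotFoundException, which is logged while the endpoint still returns `""` as if the line had been recorded. Make that dependency explicit on the changed line, `// directory is created by BlindSendFileAssignment.copyFile() at startup`, or create it here with `Files.createDirectories(logFile.getParentFile().toPath());` (needs a `java.nio.file.Files` import). The nested `try { try (...) { ... } } catch` can be flattened into one try-with-resources with the catch clause attached, and `new PrintWriter(File)` uses the platform default charset, which matters because `text` comes straight from the request parameter.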
-
Registration form @@ -77,7 +77,7 @@ -
Registration form @@ -135,13 +135,13 @@ - -
Registration form - + diff --git a/webgoat-lessons/xxe/src/main/resources/plugin/i18n/WebGoatLabels.properties b/webgoat-lessons/xxe/src/main/resources/i18n/WebGoatLabels.properties similarity index 100% rename from webgoat-lessons/xxe/src/main/resources/plugin/i18n/WebGoatLabels.properties rename to webgoat-lessons/xxe/src/main/resources/i18n/WebGoatLabels.properties diff --git a/webgoat-lessons/xxe/src/main/resources/plugin/XXE/js/xxe.js b/webgoat-lessons/xxe/src/main/resources/js/xxe.js similarity index 100% rename from webgoat-lessons/xxe/src/main/resources/plugin/XXE/js/xxe.js rename to webgoat-lessons/xxe/src/main/resources/js/xxe.js diff --git a/webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_blind.adoc b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc similarity index 96% rename from webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_blind.adoc rename to webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc index 27becf7bb..68cc95ccd 100644 --- a/webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_blind.adoc +++ b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc @@ -4,7 +4,7 @@ In some cases you will see no output because although your attack might have wor Or the resource you are trying to read contains illegal XML character which causes the parser to fail. Let's start with an example, in this case we reference a external DTD which we control on our own server. -Our WebGoat server by default has an /xxe/ping endpoint which we can use. In real case this can be any server you control. +Our WebGoat server by default has an /xxe/ping endpoint which we can use. *This can be any server you control.* [source] ---- 
diff --git a/webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_blind_assignment.adoc b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc similarity index 75% rename from webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_blind_assignment.adoc rename to webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc index dd8dfca85..22c2bdff2 100644 --- a/webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_blind_assignment.adoc +++ b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc @@ -1,7 +1,7 @@ == Blind XXE assignment In the previous page we showed you how you can ping a server with a XXE attack, in this assigment try to make a DTD which will upload the -contents of ~/.webgoat/plugin/XXE/secret.txt to our server. For Linux: `/home/USER/.webgoat/plugin/XXE/secret.txt`, for Windows -this would be `c:/Users/USER/.webgoat/plugin/XXE/secret.txt` +contents of ~/.webgoat/plugin/XXE/secret.txt to our server. For Linux: `/home/USER/.webgoat/XXE/secret.txt`, for Windows +this would be `c:/Users/USER/.webgoat/XXE/secret.txt` Try to upload this file using the following endpoint: `http://localhost:8080/WebGoat/XXE/ping?text=[contents_file]` (NOTE: this endpoint is under your full control) diff --git a/webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_changing_content_type.adoc b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_changing_content_type.adoc similarity index 100% rename from webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_changing_content_type.adoc rename to webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_changing_content_type.adoc 
diff --git a/webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_intro.adoc b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_intro.adoc
similarity index 100%
rename from webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_intro.adoc
rename to webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_intro.adoc
diff --git a/webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_mitigation.adoc b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_mitigation.adoc
similarity index 100%
rename from webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_mitigation.adoc
rename to webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_mitigation.adoc
diff --git a/webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_overflow.adoc b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_overflow.adoc
similarity index 100%
rename from webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_overflow.adoc
rename to webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_overflow.adoc
diff --git a/webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_plan.adoc b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_plan.adoc
similarity index 100%
rename from webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_plan.adoc
rename to webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_plan.adoc
diff --git a/webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_simple.adoc b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_simple.adoc
similarity index 100%
rename from webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_simple.adoc
rename to webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_simple.adoc
diff --git a/webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/temp.txt b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/temp.txt
similarity index 100%
rename from webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/temp.txt
rename to webgoat-lessons/xxe/src/main/resources/lessonPlans/en/temp.txt
diff --git a/webgoat-lessons/xxe/src/main/resources/plugin/XXE/secret.txt b/webgoat-lessons/xxe/src/main/resources/secret.txt
similarity index 100%
rename from webgoat-lessons/xxe/src/main/resources/plugin/XXE/secret.txt
rename to webgoat-lessons/xxe/src/main/resources/secret.txt
diff --git a/webgoat-server/pom.xml b/webgoat-server/pom.xml
new file mode 100644
index 000000000..725a08dbf
--- /dev/null
+++ b/webgoat-server/pom.xml
@@ -0,0 +1,176 @@ + + 4.0.0 + webgoat-server + jar + + org.owasp.webgoat + webgoat-parent + 8.0-SNAPSHOT + + + + org.owasp.webgoat.StartWebGoat + + + + + raspberry-pi-3 + + + rpi + + + + + + com.spotify + docker-maven-plugin + 0.4.10 + + webgoat/webgoat-8.0 + src/main/docker_rpi3 + + + / + ${project.build.directory} + ${project.build.finalName}.war + + + + + + + + + default + + + !rpi + + + + + + com.spotify + docker-maven-plugin + 0.4.10 + + webgoat/webgoat-8.0 + src/main/docker + + + / + ${project.build.directory} + ${project.build.finalName}.war + + + + + + + + + + + + + + com.spotify + docker-maven-plugin + 0.4.10 + compile + + + org.owasp.webgoat + webgoat-container + ${project.version} + + + org.owasp.webgoat.lesson + challenge + ${project.version} + + + org.owasp.webgoat.lesson + client-side-filtering + ${project.version} + + + org.owasp.webgoat.lesson + cross-site-scripting + ${project.version} + + + org.owasp.webgoat.lesson + http-basics + ${project.version} + + + org.owasp.webgoat.lesson + http-proxies + ${project.version} + + + org.owasp.webgoat.lesson + idor + ${project.version} + + + org.owasp.webgoat.lesson + jwt + ${project.version} + + + org.owasp.webgoat.lesson + sql-injection + ${project.version} + + + org.owasp.webgoat.lesson + vulnerable-components + ${project.version} + + + org.owasp.webgoat.lesson + xxe + ${project.version} + + + org.springframework.boot + spring-boot-devtools + true + + + + + + + org.springframework.boot + spring-boot-maven-plugin + + + + + org.thymeleaf.extra + thymeleaf-extras-springsecurity4 + + + org.asciidoctor + asciidoctorj + + + org.jruby + jruby-complete + + + + + + true + + + + + + diff --git a/webgoat-container/src/main/docker/Dockerfile b/webgoat-server/src/main/docker/Dockerfile similarity index 100% rename from webgoat-container/src/main/docker/Dockerfile rename to webgoat-server/src/main/docker/Dockerfile 
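Review bot: The two docker-maven-plugin profiles in this new webgoat-server pom copy `${project.build.finalName}.war` into the image, but the module declares `jar` packaging near the top of the hunk, so the repackaged artifact the Docker build resolves will not exist; the resource should read `${project.build.finalName}.jar` in both the `raspberry-pi-3` and `default` profiles. The XML element names have been stripped in this rendering, so the exact tags are inferred, but the `war` string itself survives in both profiles. Separately, `com.spotify:docker-maven-plugin` is listed a third time under the dependencies block with `compile` scope, which drags a build-time plugin and its transitive dependencies onto the application's runtime classpath for no purpose; it already lives under the profile build plugins and should be removed from dependencies to keep the shipped classpath (and its supply-chain surface) to what the server actually needs.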
diff --git a/webgoat-container/src/main/docker_rpi3/Dockerfile b/webgoat-server/src/main/docker_rpi3/Dockerfile
similarity index 100%
rename from webgoat-container/src/main/docker_rpi3/Dockerfile
rename to webgoat-server/src/main/docker_rpi3/Dockerfile
diff --git a/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java b/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java
new file mode 100644
index 000000000..0ec4ab17a
--- /dev/null
+++ b/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java
@@ -0,0 +1,40 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *

+ * Copyright (c) 2002 - 2017 Bruce Mayhew
+ *

+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *

+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *

+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *

+ * Getting Source ==============
+ *

+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *

+ */
+package org.owasp.webgoat;import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+/**
+ * @author nbaars
+ * @date 2/21/17
+ */
+@SpringBootApplication
+public class StartWebGoat {
+
+ public static void main(String[] args) {
+ SpringApplication.run(WebGoat.class, args);
+ }
+
+
+}
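Review bot: `StartWebGoat` is annotated `@SpringBootApplication` but its `main` boots `WebGoat.class`, so the annotation on this class never takes effect and the component-scan and auto-configuration in force are whatever `WebGoat` (outside this diff, in webgoat-container) declares, which makes the file read as a second application root that it is not. Either boot this class, `SpringApplication.run(StartWebGoat.class, args);`, so the scan base is the one declared here, or drop the annotation and say why with a comment such as `// Launcher only: WebGoat (webgoat-container) carries the @SpringBootApplication configuration.` The hunk header counts 40 lines, which only adds up if `package org.owasp.webgoat;` and `import org.springframework.boot.SpringApplication;` really share one line in the committed file; split them. The Javadoc `@date 2/21/17` is not a standard tag and the version history already records it, so it can go.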
