- Introduced user registration

- Now using Spring Boot for classloading, this way local development does not need to restart the complete server
- Fixed the various dependencies on lesson names that had to be kept in mind while creating a lesson.
- Simplified loading of resources by adding resource mappings in MvcConfig.
- Refactored plugin loading, now only one class is left for loading the lessons.
Nanne Baars
2017-02-25 12:15:07 +01:00
parent 9b86aaba05
commit 259fd19c1b
221 changed files with 1179 additions and 1083 deletions


@ -10,12 +10,13 @@ logging.level.org.springframework.boot.devtools=WARN
logging.level.org.owasp=DEBUG
logging.level.org.owasp.webgoat=TRACE
# Needed for creating a vulnerable web application
security.enable-csrf=false
spring.devtools.restart.enabled=false
spring.resources.cache-period=0
spring.thymeleaf.cache=false
webgoat.server.directory=${user.home}/.webgoat/
webgoat.user.directory=${user.home}/.webgoat/
webgoat.build.version=@project.version@
webgoat.build.number=@build.number@
@ -30,4 +31,12 @@ webgoat.database.connection.string=jdbc:hsqldb:mem:test
webgoat.default.language=en
liquibase.change-log=classpath:db/changelog/db.changelog-master.xml
spring.datasource.url=jdbc:hsqldb:file:${user.home}/.webgoat/WebGoatDatabase
spring.datasource.driverClassName=org.hsqldb.jdbcDriver
spring.datasource.username=sa
spring.datasource.password=
spring.jpa.database-platform=org.hibernate.dialect.HSQLDialect
spring.jpa.show-sql=true
spring.jpa.hibernate.ddl-auto=none
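Review bot: `spring.datasource.password=` leaves the HSQLDB `sa` account with an empty password on a file-backed database under `${user.home}/.webgoat/WebGoatDatabase`, which after this commit persists registered users (and, per the new Liquibase schema, their password column) to disk; if that is intentional for a local training instance, say so next to the line, e.g. `# Local-only training database; holds registered user credentials, do not expose the file`, otherwise set a password. The older `webgoat.database.connection.string=jdbc:hsqldb:mem:test` in the hunk header still coexists with the new `spring.datasource.url`, so it is unclear from this file which one the application actually opens. `spring.jpa.show-sql=true` prints statements to stdout rather than through the logging configuration above it; `logging.level.org.hibernate.SQL=DEBUG` keeps that output under the same control as the other log settings. The rendered hunk does not show which of these lines are new and which are context, so the above is inferred from the commit's purpose.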


@ -0,0 +1,17 @@
<databaseChangeLog
xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog
http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.4.xsd">
<changeSet author="WebGoat" id="init_schema">
<createTable tableName="web_goat_user">
<column name="username" type="varchar(32)">
<constraints unique="true"/>
</column>
<column name="password" type="varchar(32)"/>
<column name="role" type="varchar(32)"/>
</createTable>
<addPrimaryKey columnNames="username" constraintName="pk_user" tableName="web_goat_user"/>
</changeSet>
</databaseChangeLog>
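Review bot: The `password` column is `varchar(32)`, which cannot hold the output of a salted password encoder (a BCrypt string is 60 characters), so either registration stores the raw password or the insert will fail as soon as an encoder is introduced; widen it with `<column name="password" type="varchar(255)"/>`. `username` carries both `unique="true"` and the `addPrimaryKey` below, which creates two indexes for one guarantee; the primary key alone suffices. Neither `password` nor `role` is declared `nullable="false"`, so a user row without a role can be written. Whether the registration service encodes the password before the insert is not visible from this file, so the first point is inferred from the column width.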


@ -32,6 +32,7 @@ ErrorGenerating=Error generating
InvalidData=Invalid Data
Go!=Go!
password=Password
password.confirm=Confirm password
username=Username
logged_out=You've been logged out successfully.
invalid_username_password=Invalid username and password.
@ -50,3 +51,13 @@ show.hints=Show hints
lesson.overview=Lesson overview
reset.lesson=Reset lesson
sign.in=Sign in
register.new=Register new user
sign.up=Sign up
register.title=Register
not.empty=This field is required.
username.size=Please use between 6 and 10 characters.
username.duplicate=User already exists.
password.size=Password should at least contain 6 characters
password.diff=The passwords do not match.


@ -1 +0,0 @@
Lesson plugins stored under this directory.


@ -57,7 +57,7 @@ function($,
* from the model where the assignment name is contained in the assignmentPath. We do this not to mess
* with contextRoots etc and try to select the name from the url.
*
* @todo we can of course try to add the assigment name to the html form as attribute.
* @todo we can of course try to add the assignment name to the html form as attribute.
*
* @param nav the json structure for navigating
*/
@ -95,7 +95,7 @@ function($,
displayHint: function(curHint) {
if(this.hintsToShow.length == 0) {
this.hideHints();
// this.hideHints();
} else {
this.$el.find('#lesson-hint-content').html(polyglot.t(this.hintsToShow[curHint].get('hint')));
}
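Review bot: `// this.hideHints();` is commented out rather than removed, with nothing saying why an empty hint list should now leave the panel as it is; either delete the line or replace it with a comment that records the reason, e.g. `// intentionally not hiding the panel when there are no hints: <reason>`, with the reason filled in. Commented-out code tends to be resurrected later without that context. displayHint's closing brace and the enclosing object literal lie outside the hunk.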


@ -29,7 +29,7 @@
<p th:text="#{logged_out}">You've been logged out successfully.</p>
</div>
<br/><br/>
<form th:action="@{/login}" method='POST' style="width: 400px;">
<form th:action="@{/login}" method='POST' style="width: 200px;">
<div class="form-group">
<label for="exampleInputEmail1" th:text="#{username}">Username</label>
<input autofocus="dummy_for_thymeleaf_parser" type="text" class="form-control"
@ -40,32 +40,10 @@
<input type="password" class="form-control" id="exampleInputPassword1" placeholder="Password"
name='password' value="guest"/>
</div>
<button class="btn btn-large btn-primary" type="submit" th:text="#{sign.in}">Sign in</button>
<button class="btn btn-primary btn-block" type="submit" th:text="#{sign.in}">Sign in</button>
<div class="text-center"><a th:href="@{/registration}" th:text="#{register.new}"></a></div>
</form>
<br/><br/>
<h4 th:text="#{accounts.build.in}">The following accounts are built into Webgoat</h4>
<table class="table table-bordered" style="width:400px;">
<thead>
<tr class="warning">
<th th:text="#{accounts.table.account}">Account</th>
<th th:text="#{accounts.table.user}">User</th>
<th th:text="#{accounts.table.password}">Password</th>
</tr>
</thead>
<tbody>
<tr>
<td>Webgoat User</td>
<td>guest</td>
<td>guest</td>
</tr>
<tr>
<td>Webgoat Admin</td>
<td>webgoat</td>
<td>webgoat</td>
</tr>
</tbody>
</table>
<br/><br/>
</section>
</section>
</section>
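Review bot: The password input still ships a prefilled credential on the context line `name='password' value="guest"/>` even though this hunk removes the table that documented the built-in accounts; if `guest/guest` is being retired in favour of registration, drop `value="guest"` here (and any matching default on the username input above the hunk) so the login markup no longer carries a working password. With the table gone, a reader of the page now sees a prefilled password with no explanation of where it comes from. Whether the guest account still exists server-side cannot be told from this file.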


@ -0,0 +1,104 @@
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org">
<head>
<title th:text="#{login.page.title}">Login Page</title>
<link rel="stylesheet" type="text/css" th:href="@{/css/main.css}"/>
<link rel="stylesheet" type="text/css" th:href="@{/plugins/bootstrap/css/bootstrap.min.css}"/>
<link rel="stylesheet" type="text/css" th:href="@{/css/font-awesome.min.css}"/>
<link rel="stylesheet" type="text/css" th:href="@{/css/animate.css}"/>
</head>
<body>
<section id="container">
<header id="header">
<div class="brand">
<a th:href="@{/start.mvc}" class="logo"><span>Web</span>Goat</a>
</div>
<div class="toggle-navigation toggle-left">
</div>
<div class="lessonTitle">
</div>
</header>
<section class="main-content-wrapper">
<section id="main-content">
<br/><br/>
<fieldset>
<legend th:text="#{register.title}">Please Sign Up</legend>
<form class="form-horizontal" action="#" th:action="@{/register.mvc}" th:object="${userForm}"
method='POST'>
<div class="form-group" th:classappend="${#fields.hasErrors('username')}? 'has-error'">
<label for="username" class="col-sm-2 control-label" th:text="#{username}">Username</label>
<div class="col-sm-4">
<input autofocus="dummy_for_thymeleaf_parser" type="text" class="form-control"
th:field="*{username}"
id="username" placeholder="Username" name='username'/>
</div>
<span th:if="${#fields.hasErrors('username')}" th:errors="*{username}">Username error</span>
</div>
<div class="form-group" th:classappend="${#fields.hasErrors('password')}? 'has-error'">
<label for="password" class="col-sm-2 control-label" th:text="#{password}">Password</label>
<div class="col-sm-4">
<input type="password" class="form-control" id="password" placeholder="Password"
name='password' th:value="*{password}"/>
</div>
<span th:if="${#fields.hasErrors('password')}" th:errors="*{password}">Password error</span>
</div>
<div class="form-group" th:classappend="${#fields.hasErrors('matchingPassword')}? 'has-error'">
<label for="matchingPassword" class="col-sm-2 control-label" th:text="#{password.confirm}">Confirm
password</label>
<div class="col-sm-4">
<input type="password" class="form-control" id="matchingPassword" placeholder="Password"
name='matchingPassword' th:value="*{matchingPassword}"/>
</div>
<span th:if="${#fields.hasErrors('matchingPassword')}" th:errors="*{matchingPassword}">Password error</span>
</div>
<div class="form-group" th:classappend="${#fields.hasErrors('agree')}? 'has-error'">
<label class="col-sm-2 control-label">Terms of use</label>
<div class="col-sm-6">
<div style="border: 1px solid #e5e5e5; height: 200px; overflow: auto; padding: 10px;">
<p>
While running this program your machine will be extremely
vulnerable to attack. You should disconnect from the Internet while using
this program. WebGoat's default configuration binds to localhost to minimize
the exposure.
</p>
<p>
This program is for educational purposes only. If you attempt
these techniques without authorization, you are very likely to get caught. If
you are caught engaging in unauthorized hacking, most companies will fire you.
Claiming that you were doing security research will not work as that is the
first thing that all hackers claim.
</p>
</div>
</div>
</div>
<div class="form-group" th:classappend="${#fields.hasErrors('agree')}? 'has-error'">
<div class="col-sm-6 col-sm-offset-2">
<div class="checkbox">
<label>
<input type="checkbox" name="agree" value="agree"/>Agree with the terms and
conditions
</label>
</div>
</div>
</div>
<div class="form-group">
<div class="col-sm-offset-2 col-sm-6">
<button type="submit" class="btn btn-primary" th:text="#{sign.up}">Sign up</button>
</div>
</div>
</form>
</fieldset>
</section>
</section>
</section>
</body>
</html>
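Review bot: Both password inputs echo the submitted value back into the page through `th:value="*{password}"` and `th:value="*{matchingPassword}"`, so a failed registration returns the user's chosen password inside the HTML response; remove the `th:value` attribute from both inputs, ending them as `name='password'/>` and `name='matchingPassword'/>`, and let the user retype it. The two `agree` groups apply `has-error` via `#fields.hasErrors('agree')` but no `<span th:errors="*{agree}">` is rendered anywhere, so a validation failure on the checkbox only colours the box without telling the user what is wrong; the checkbox also uses a plain `name="agree"` instead of `th:field`, unlike `username`. The `<title>` uses `#{login.page.title}` (Login Page) on a registration page, while `#{register.title}` is already added to the messages file in this commit. Whether the backing `userForm` actually has an `agree` property is not visible from this file.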


@ -1,19 +0,0 @@
#lesson.BufferOverflow.hidden=true
#
#
# Hide lessons using name of source file,
# For Example: BlindScript.java
# lesson.BlindScript.hidden=true;
#
# These lesson need to be refactored
lesson.BasicAuthentication.hidden=false
lesson.BlindScript.hidden=true
lesson.RemoteAdminFlaw.hidden=true
lesson.HttpSplitting.hidden=true
lesson.SameOriginPolicyProtection.hidden=true
lesson.SilentTransactions.hidden=true
lesson.TraceXSS.hidden=true
lesson.DBSQLInjection.hidden=true
lesson.DBCrossSiteScripting.hidden=true
lesson.XPATHInjection.hidden=true
lesson.ForcedBrowsing.hidden=true