- Introduced user registration

- Now using Spring Boot for classloading, this way local development does not need to restart the complete server - Fixed all kinds of dependencies on the names of the lessons necessary to keep in mind during the creation of a lesson. - Simplied loading of resources, by adding resource mappings in MvcConfig. - Refactored plugin loading, now only one class is left for loading the lessons.
2017-02-25 12:15:07 +01:00
parent 9b86aaba05
commit 259fd19c1b
221 changed files with 1179 additions and 1083 deletions
--- a/webgoat-lessons/vulnerable-components/src/main/resources/html/VulnerableComponents.html
+++ b/webgoat-lessons/vulnerable-components/src/main/resources/html/VulnerableComponents.html
@ -0,0 +1,175 @@
+<!DOCTYPE html>
+
+<html xmlns:th="http://www.thymeleaf.org">
+
+    <link rel="stylesheet" type="text/css" href="http://code.jquery.com/ui/1.9.1/themes/base/jquery-ui.css" />
+	<div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
+		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+		<div class="adoc-content" th:replace="doc:VulnerableComponents_plan.adoc"></div>
+	</div>
+	<div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
+		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+		<div class="adoc-content" th:replace="doc:VulnerableComponents_content0.adoc"></div>
+	</div>
+	<div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
+		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+		<div class="adoc-content" th:replace="doc:VulnerableComponents_content1.adoc"></div>
+	</div>
+	<div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
+		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+		<div class="adoc-content" th:replace="doc:VulnerableComponents_content1a.adoc"></div>
+	</div>
+
+	<div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+        <!-- include content here. Content will be presented via asciidocs files,
+        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+		<div class="adoc-content" th:replace="doc:VulnerableComponents_content2.adoc"></div>
+		<div class="attack-container">
+			<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
+			<div id="lessonContent">
+                <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
+                <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
+                <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
+					<table>
+						<tr>
+							<td>Clicking go will execute a jquery-ui close dialog:</td>
+							<td><input name="closetext" value="" type="TEXT" /><input
+								name="SUBMIT" value="Go!" type="SUBMIT" onclick="webgoat.customjs.vuln_jquery_ui()" /></td>
+							<td></td>
+						</tr>
+					</table>
+					<script th:inline="javascript">
+					/*<![CDATA[*/
+					webgoat.customjs.vuln_jquery_ui = function()
+					{
+						webgoat.customjs.jquery('#dialog').dialog({ closeText: 'OK<script>alert("XSS")<\/script>' });
+		        	};
+					/*]]>*/
+						</script>
+				<div id="dialog" title="jquery-ui-1.10.4">This dialog should have exploited a known flaw in jquery-ui:1.10.4 and allowed a XSS attack to occur</div>
+				<!-- do not remove the two following div's, this is where your feedback/output will land -->
+				<div class="attack-feedback"></div>
+				<div class="attack-output"></div>
+				<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
+			</div>
+
+		</div>
+		<div class="adoc-content" th:replace="doc:VulnerableComponents_content2a.adoc"></div>
+		<div class="attack-container">
+			<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
+			<div id="lessonContent">
+                <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
+                <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
+                <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
+					<table>
+						<tr>
+							<td>Clicking go will execute a jquery-ui close dialog:</td>
+							<td><input name="closetext" value="" type="TEXT" /><input
+								name="SUBMIT" value="Go!" type="SUBMIT" onclick="webgoat.customjs.jquery_ui()" /></td>
+							<td></td>
+						</tr>
+					</table>
+					<script th:inline="javascript">
+					/*<![CDATA[*/
+					webgoat.customjs.jquery_ui = function()
+					{
+						webgoat.customjs.jquery('#dialog2').dialog({ closeText: 'OK' });
+		        	};
+					/*]]>*/
+						</script>
+				<div id="dialog2" title="jquery-ui-1.12.0">This dialog should have prevented the above exploit using the EXACT same code in WebGoat but using a later version of jquery-ui.</div>
+				<!-- do not remove the two following div's, this is where your feedback/output will land -->
+				<div class="attack-feedback"></div>
+				<div class="attack-output"></div>
+				<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
+			</div>
+
+		</div>
+	</div>
+
+	<div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
+		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+		<div class="adoc-content" th:replace="doc:VulnerableComponents_content3.adoc"></div>
+	</div>
+	<div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
+		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+		<div class="adoc-content" th:replace="doc:VulnerableComponents_content4.adoc"></div>
+	</div>
+	<div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
+		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+		<div class="adoc-content" th:replace="doc:VulnerableComponents_content4a.adoc"></div>
+	</div>
+	<div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
+		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+		<div class="adoc-content" th:replace="doc:VulnerableComponents_content4b.adoc"></div>
+	</div>
+	<div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
+		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+		<div class="adoc-content" th:replace="doc:VulnerableComponents_content4c.adoc"></div>
+	</div>
+	<div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
+		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+		<div class="adoc-content" th:replace="doc:VulnerableComponents_content5.adoc"></div>
+	</div>
+	<div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
+		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+		<div class="adoc-content" th:replace="doc:VulnerableComponents_content5a.adoc"></div>
+		<div class="attack-container">
+			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+			<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
+            <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
+            <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
+			<form class="attack-form" accept-charset="UNKNOWN"
+				method="POST" name="form"
+				action="/WebGoat/VulnerableComponents/attack1"
+				enctype="application/json;charset=UTF-8">
+				<div id="lessonContent">
+					<form accept-charset="UNKNOWN" method="POST" name="form"
+						action="#attack/307/100" enctype="">					
+						<table>
+							<tr>
+								<td>Enter the contact's xml representation:</td>
+								<td><textarea name="payload" value="" type="TEXT" rows="15" cols="60"/></td>
+								<td><input name="SUBMIT" value="Go!" type="SUBMIT"/></td>
+							</tr>
+						</table>
+					</form>
+				</div>
+			</form>
+			<!-- do not remove the two following div's, this is where your feedback/output will land -->
+			<div class="attack-feedback"></div>
+			<div class="attack-output"></div>
+			<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
+		</div>
+	</div>
+	<div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
+		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+		<div class="adoc-content" th:replace="doc:VulnerableComponents_content6.adoc"></div>
+	</div>
+	
+</html>