diff --git a/.travis.yml b/.travis.yml
index d4c6df9f6..8559934a5 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,27 +1,18 @@
language: java
jdk:
- - oraclejdk7
- oraclejdk8
install: "/bin/true"
script:
- - mvn clean install -q
- - git clone -b develop https://github.com/WebGoat/WebGoat-Lessons.git
- - mvn -file ./WebGoat-Lessons/pom.xml clean package -q
- - cp -fa ./WebGoat-Lessons/target/plugins/*.jar ./webgoat-container/src/main/webapp/plugin_lessons/
- # Start the container this will make sure we do not see the debug logging of the Tomcat 7 Maven plugin
- # which seems to always be set to DEBUG this will fail the build because we generate too much logging
- - nohup bash -c "java -jar ./webgoat-standalone/target/webgoat-standalone-7.1-SNAPSHOT-exec.jar --port 8888 2>&1 &"
- - if [[ $TRAVIS_PULL_REQUEST == "false" ]]; then mvn "-Dbuild.number=$TRAVIS_BUILD_NUMBER" -q clean install failsafe:integration-test; else mvn -q failsafe:integration-test; fi
+ - mvn clean install
+ - if [[ $TRAVIS_PULL_REQUEST == "false" ]]; then mvn "-Dbuild.number=$TRAVIS_BUILD_NUMBER" clean install; else mvn clean install; fi
cache:
directories:
- $HOME/.m2
before_deploy:
- export WEBGOAT_CONTAINTER_TARGET_DIR=$HOME/build/$TRAVIS_REPO_SLUG/webgoat-container/target
- - export WEBGOAT_STANDALONE_TARGET_DIR=$HOME/build/$TRAVIS_REPO_SLUG/webgoat-standalone/target
- export WEBGOAT_ARTIFACTS_FOLDER=$HOME/build/$TRAVIS_REPO_SLUG/Deployable_Artifacts/
- mkdir $WEBGOAT_ARTIFACTS_FOLDER
- cp -fa $WEBGOAT_CONTAINTER_TARGET_DIR/* $WEBGOAT_ARTIFACTS_FOLDER/
- - cp -fa $WEBGOAT_STANDALONE_TARGET_DIR/* $WEBGOAT_ARTIFACTS_FOLDER/
- echo "Contents of artifcts folder:"
- ls $WEBGOAT_ARTIFACTS_FOLDER
deploy:
@@ -35,11 +26,11 @@ deploy:
local_dir: "$WEBGOAT_ARTIFACTS_FOLDER"
on:
repo: WebGoat/WebGoat
- branch: develop
+ branch: master
jdk: oraclejdk8
after_success:
- - mvn versioneye:update -q
- - mvn cobertura:cobertura coveralls:report -q
+ - mvn versioneye:update
+ - mvn cobertura:cobertura coveralls:report
notifications:
slack:
secure: S9VFew5NSE8WDzYD1VDBUULKKT0fzgblQACznwQ85699b2yeX9TX58N3RZvRS1JVagVP1wu2xOrwN2g+AWx4Ro3UBZD5XG86uTJWpCLD4cRWHBoGMH2TfvI7/IzsWmgxH4MBxFRvZr/eEhlVAux+N9H4EoEdS4CKsJXEqV37PlA=
@@ -47,7 +38,6 @@ env:
global:
- secure: "ZLZKz6lGt8YZ+NhkZPBAlI235+lEmu37Tcf+yTwh5yXuHAlnvvF6hPui7rANA/stbYGOIqIdhGOXbdrwyTU4Pvg78VwJOwsa9RtHJfou3pg4Ud9i0/dEeVl8aakmg2HDaWYGcFox8X1ViVc5UWjuBLztfJKQUEx0buJoWdMSf2E="
addons:
- sauce_connect: true
coverity_scan:
project:
name: "WebGoat/WebGoat"
diff --git a/README.MD b/README.MD
index 074a568c2..e018c1206 100644
--- a/README.MD
+++ b/README.MD
@@ -45,23 +45,35 @@ first thing that all hackers claim.*
# Easy Run ( For non-developers )
Every successful build of the WebGoat Lessons Container and the WebGoat Lessons in our Continuous Integration Server
-creates an "Easy Run" Executable JAR file, which contains the WebGoat Lessons Server, the lessons and a embedded Tomcat server.
+creates an "Easy Run" Executable WAR file, which contains the WebGoat Lessons Server, the lessons and a embedded Tomcat server.
-You can check for the "Last Modified" date of our "Easy Run" jar file [HERE](http://webgoat-war.s3-website-us-east-1.amazonaws.com/)
+You can check for the "Last Modified" date of our "Easy Run" war file [HERE](http://webgoat-war.s3-website-us-east-1.amazonaws.com/)
The "Easy Run" JAR file offers a no hassle approach to testing and running WebGoat. Follow these instructions if you
wish to simply try/test/run the current development version of WebGoat
### Prerequisites:
-* Java VM 1.8
+* Java VM 1.8 or Docker installed
-## Standalone
+## Easy Run Instructions:
-#### 1. Download the easy run executable jar file which contains all the lessons and a embedded Tomcat server:
+#### 1. Docker image
+
+The latest version of WebGoat is available at DockerHub, see [https://hub.docker.com/r/webgoat/webgoat-container/](https://hub.docker.com/r/webgoat/webgoat-container/).
+First install Docker, then open a command shell/window and type:
+
+```Shell
+docker pull webgoat/webgoat-container
+docker run -p 8080:8080 webgoat/webgoat-container
+```
+
+Wait for the Docker container to start and go to step 3.
+
+#### 2. Download the easy run executable jar file which contains all the lessons and a embedded Tomcat server:
https://s3.amazonaws.com/webgoat-war/webgoat-standalone-7.1-SNAPSHOT-exec.jar
-#### 2. Run it using java:
+#### 3. Run it using java:
Open a command shell/window, browse to where you downloaded the easy run jar and type:
@@ -106,8 +118,8 @@ Follow these instructions if you wish to run Webgoat and modify the source code
### Prerequisites:
-* Java 1.8
-* Maven > 2.0.9
+* Java 8
+* Maven > 3.2.1
* Your favorite IDE, with Maven awareness: Netbeans/IntelliJ/Eclipse with m2e installed.
* Git, or Git support in your IDE
@@ -163,7 +175,7 @@ The __maven tomcat7:run-war__ goal runs the project in an embedded tomcat:
```Shell
cd WebGoat
-mvn -pl webgoat-container tomcat7:run-war
+mvn -pl webgoat-container spring-boot:run
```
Browse to [http://localhost:8080/WebGoat](http://localhost:8080/WebGoat) and happy hacking !
@@ -195,18 +207,33 @@ Browse to [http://localhost:8080/WebGoat](http://localhost:8080/WebGoat) and hap
## Reloading plugins and lessons
-If you want to __reload all the plugin and lessons__, open a new browser tab and visit the following url:
-
-[http://localhost:8080/WebGoat/service/reloadplugins.mvc](http://localhost:8080/WebGoat/service/reloadplugins.mvc)
-
-After the plugin reload is complete, _reloading a message_ will appear and you can refresh the __main WebGoat browser tab__.
+If you want to __reload all the plugin and lessons__, open up the developer tools available from the info menu. This will
+show an extra set of links below the cookie overview.
## Debugging label properties
-To be able to see which labels are loaded through a property file, open a new browser tab and visit the following url:
+To be able to see which labels are loaded through a property file, open up the developer tools avalailable from the info menu
+After the reload is complete, all labels which are loaded from a property file will be __marked green__.
-[http://localhost:8080/WebGoat/service/debug/labels.mvc](http://localhost:8080/WebGoat/service/debug/labels.mvc)
-Switch back to the main WebGoat broswer tab and __reload the main WebGoat browser tab__.
+## Building a new Docker image
-After the reload is complete, all labels which where loaded from a property file will be __marked green__.
+WebGoat now has Docker support you can build a container with the following commands:
+
+```Shell
+cd WebGoat/
+mvn package
+cd webgoat-container
+mvn docker:build
+docker login
+docker push webgoat/webgoat-container
+```
+
+With the following command you are able to run the Docker container on your local machine:
+
+```Shell
+docker run -p 8080:8080 -t webgoat/webgoat-container
+docker ps
+```
+
+With the last command you are able to determine ip address to connect to.
diff --git a/pom.xml b/pom.xml
index 0b711b798..38400f79a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -5,7 +5,7 @@
org.owasp.webgoatwebgoat-parentpom
- 7.2-SNAPSHOT
+ 7.1-SNAPSHOTWebGoat Parent PomParent Pom for the WebGoat Project. A deliberately insecure Web Application
@@ -17,6 +17,12 @@
https://webgoat.github.io/
+
+ org.springframework.boot
+ spring-boot-starter-parent
+ 1.4.1.RELEASE
+
+
GNU General Public License, version 2
@@ -100,6 +106,9 @@
+ 1.8
+ 1.8
+
UTF-8UTF-8
@@ -123,7 +132,6 @@
3.41.24.0.0
- 1.4.218.01.4.1901.8.0.10
@@ -146,9 +154,7 @@
2.5.23.0.12.19
- 2.6
- 1.6.7
- 3.2.4.RELEASE
+ 1.6.62.1.202.48.21.7.12
@@ -164,7 +170,7 @@
webgoat-container
- webgoat-standalone
+ webgoat-lessons
@@ -285,6 +291,15 @@
+
+
+ org.projectlombok
+ lombok
+ 1.16.10
+ provided
+
+
+
diff --git a/webgoat-container/pom.xml b/webgoat-container/pom.xml
index 740631278..61ee923b3 100644
--- a/webgoat-container/pom.xml
+++ b/webgoat-container/pom.xml
@@ -1,5 +1,6 @@
-
+webgoat-container4.0.0
@@ -9,111 +10,44 @@
org.owasp.webgoatwebgoat-parent
- 7.2-SNAPSHOT
+ 7.1-SNAPSHOT
-
-
- run-integration-tests
-
- false
-
- run-integration
- true
-
-
-
-
-
- org.apache.tomcat.maven
- tomcat7-maven-plugin
- 2.3-SNAPSHOT
-
- local_tomcat
- http://localhost:8080/manager
- /WebGoat
- exec
- true
- true
- ${project.basedir}/src/main/webapp/WEB-INF/context.xml
-
-
-
- org.owasp.webgoat
- webgoat-container
- ${project.version}
-
-
-
-
- tomcat-run
-
- exec-war-only
-
- package
-
-
- tomcat-startup
- pre-integration-test
-
- run-war-only
-
-
- 8888
- true
-
-
-
-
- tomcat-shutdown
- post-integration-test
-
- shutdown
-
-
-
-
-
- org.apache.maven.plugins
- maven-failsafe-plugin
- ${maven-failsafe-plugin.version}
-
-
- file:${project.basedir}/src/test/resources/log4j-silent.properties
-
-
-
-
-
- integration-test
- verify
-
-
-
-
-
-
-
-
+
+ org.owasp.webgoat.WebGoat
+
- ${basedir}/src/main/java
+ src/main/java
- ${basedir}/src/main/resources
+ src/main/resources
+ true
+
+ **/application.properties
+
+
+
+ src/main/resources
- org.apache.maven.plugins
- maven-compiler-plugin
- ${maven-compiler-plugin.version}
+ com.spotify
+ docker-maven-plugin
+ 0.4.10
- 1.7
- 1.7
- ISO-8859-1
+ webgoat/${project.artifactId}
+ src/main/docker
+
+
+ /
+ ${project.build.directory}
+ ${project.build.finalName}.war
+
+
@@ -130,26 +64,6 @@
-
- org.apache.maven.plugins
- maven-war-plugin
- ${maven-war-plugin.version}
-
-
- false
-
-
- true
-
-
- ${project.name}
- ${project.version}
- ${build.number}
-
-
-
- org.codehaus.mojobuild-helper-maven-plugin
@@ -172,34 +86,25 @@
- org.apache.tomcat.maven
- tomcat7-maven-plugin
- 2.3-SNAPSHOT
+ org.apache.maven.plugins
+ maven-resources-plugin
+ 2.6
- local_tomcat
- http://localhost:8080/manager/text
- /WebGoat
- exec
- true
- true
- ${project.basedir}/src/main/webapp/WEB-INF/context.xml
+
+ @
+
+ false
+
+
+
+ org.apache.maven.plugins
+ maven-compiler-plugin
+ ${maven-compiler-plugin.version}
+
+ 1.8
+ 1.8
+ ISO-8859-1
-
-
- org.owasp.webgoat
- webgoat-container
- ${project.version}
-
-
-
-
- tomcat-run
-
- exec-war-only
-
- package
-
- org.apache.maven.plugins
@@ -211,32 +116,102 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+ org.springframework.boot
+ spring-boot-maven-plugin
+
+
+
+
+ org.thymeleaf.extra
+ thymeleaf-extras-springsecurity4
+
+
+ org.asciidoctor
+ asciidoctorj
+
+
+ org.jruby
+ jruby-complete
+
+
+ true
+
+
+
+
+
+
+
+
+
+
+ maven-clean-plugin
+
+
+
+ ${project.basedir}/src/main/resources/plugin_lessons
+
+ **/*.jar
+ **/*.pom
+
+
+
+ ${user.home}/.webgoat/
+
+ **/*.jar
+ **/org/**
+ **/plugin/**
+
+
+
+
+
+
+
+ org.projectlombok
+ lombok
+
+
+ org.springframework.boot
+ spring-boot-starter-web
+
+
+ org.springframework.boot
+ spring-boot-starter-actuator
+
+
+
+
+ com.fasterxml.jackson.dataformat
+ jackson-dataformat-yaml
+
+
+ org.asciidoctor
+ asciidoctorj
+ 1.5.4
+
+
+ javax.servlet
+ jstl
+
+
+ org.springframework.boot
+ spring-boot-starter-security
+
+
+ org.springframework.boot
+ spring-boot-starter-thymeleaf
+
+
+ org.thymeleaf.extras
+ thymeleaf-extras-springsecurity4
+ 2.1.2.RELEASE
+ javax.activationactivation
@@ -267,52 +242,6 @@
axis-ant${axis-ant.version}
-
- org.apache.commons
- commons-lang3
- ${commons-lang3.version}
-
-
- commons-io
- commons-io
- ${commons-io.version}
-
-
- commons-collections
- commons-collections
- ${commons-collections.version}
-
-
- commons-digester
- commons-digester
- ${commons-digester.version}
-
-
- xml-apis
- xml-apis
-
-
-
-
- commons-logging
- commons-logging
- ${commons-logging.version}
-
-
- org.slf4j
- jcl-over-slf4j
- ${jcl-over-slf4j.version}
-
-
- commons-discovery
- commons-discovery
- ${commons-discovery.version}
-
-
- javax.mail
- javax.mail-api
- ${mail-api.version}
- hsqldbhsqldb
@@ -323,92 +252,11 @@
wsdl4j${wsdl4j.version}
-
- java2html
- j2h
- ${j2h.version}
-
-
- ecs
- ecs
- ${ecs.version}
- javax.transactionjavax.transaction-api${javax.transaction-api.version}
-
- net.sourceforge.jtds
- jtds
- ${jtds.version}
-
-
- org.apache.tomcat
- tomcat-catalina
- ${tomcat-catalina.version}
- provided
-
-
-
-
-
-
-
- javax
- javaee-api
- ${javaee-api.version}
- provided
-
-
-
- org.springframework
- spring-core
- ${org.springframework.version}
-
-
- org.springframework
- spring-aop
- ${org.springframework.version}
-
-
-
-
- com.fasterxml.jackson.core
- jackson-core
- ${jackson-core.version}
-
-
- com.fasterxml.jackson.core
- jackson-databind
- ${jackson-databind.version}
-
-
-
-
- org.springframework
- spring-webmvc
- ${org.springframework.version}
- jar
-
-
-
- org.springframework.security
- spring-security-core
- ${spring.security.version}
-
-
-
- org.springframework.security
- spring-security-config
- ${spring.security.version}
-
-
-
- org.springframework.security
- spring-security-web
- ${spring.security.version}
-
@@ -422,59 +270,19 @@
guava${guava.version}
-
-
- javax.servlet
- jstl
- ${jstl.version}
+ com.spotify
+ docker-maven-plugin
+ 0.4.10
-
- taglibs
- standard
- ${standard.version}
-
-
-
- log4j
- log4j
- ${log4j.version}
-
-
- javax.jms
- jms
-
-
- com.sun.jdmk
- jmxtools
-
-
- com.sun.jmx
- jmxri
-
-
-
-
- org.apache.tiles
- tiles-core
- ${tiles.version}
- jar
-
-
- org.slf4j
- slf4j-api
- ${slf4j-api.version}
- jar
-
-
- org.slf4j
- slf4j-log4j12
- ${slf4j-log4j12.version}
- jar
-
+
+ org.springframework.boot
+ spring-boot-starter-test
+ test
+ junitjunit
@@ -492,13 +300,9 @@
${sauce_junit.version}test
-
-
-
-
-
+
diff --git a/webgoat-container/src/main/docker/Dockerfile b/webgoat-container/src/main/docker/Dockerfile
new file mode 100644
index 000000000..a33389017
--- /dev/null
+++ b/webgoat-container/src/main/docker/Dockerfile
@@ -0,0 +1,6 @@
+FROM frolvlad/alpine-oraclejdk8:slim
+VOLUME /tmp
+RUN cd /root; mkdir -p .webgoat
+ADD webgoat-container-8.0-SNAPSHOT.war webgoat.jar
+RUN sh -c 'touch /webgoat.jar'
+ENTRYPOINT ["java","-Djava.security.egd=file:/dev/./urandom","-jar","/webgoat.jar"]
\ No newline at end of file
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java b/webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java
new file mode 100644
index 000000000..1a2a8c38c
--- /dev/null
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java
@@ -0,0 +1,108 @@
+
+/**
+ *************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *
+ *
+ * @author WebGoat
+ * @since December 12, 2015
+ * @version $Id: $Id
+ */
+package org.owasp.webgoat;
+
+import com.google.common.collect.Maps;
+import com.google.common.collect.Sets;
+import org.asciidoctor.Asciidoctor;
+import org.thymeleaf.TemplateProcessingParameters;
+import org.thymeleaf.resourceresolver.IResourceResolver;
+import org.thymeleaf.templateresolver.TemplateResolver;
+
+import java.io.ByteArrayInputStream;
+import java.io.File;
+import java.io.FileReader;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.StringWriter;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.util.Optional;
+
+import static org.asciidoctor.Asciidoctor.Factory.create;
+
+/**
+ * Thymeleaf resolver for AsciiDoc used in the lesson, can be used as follows inside a lesson file:
+ *
+ *
+ *
+ *
+ */
+public class AsciiDoctorTemplateResolver extends TemplateResolver {
+
+ private static final Asciidoctor asciidoctor = create();
+ private static final String PREFIX = "doc:";
+ private final File pluginTargetDirectory;
+
+ public AsciiDoctorTemplateResolver(File pluginTargetDirectory) {
+ this.pluginTargetDirectory = pluginTargetDirectory;
+ setResourceResolver(new AdocResourceResolver());
+ setResolvablePatterns(Sets.newHashSet(PREFIX + "*"));
+ }
+
+ @Override
+ protected String computeResourceName(TemplateProcessingParameters params) {
+ String templateName = params.getTemplateName();
+ return templateName.substring(PREFIX.length());
+ }
+
+ private class AdocResourceResolver implements IResourceResolver {
+
+ @Override
+ public InputStream getResourceAsStream(TemplateProcessingParameters params, String resourceName) {
+ try {
+ Optional adocFile = find(pluginTargetDirectory.toPath(), resourceName);
+ if (adocFile.isPresent()) {
+ try (FileReader reader = new FileReader(adocFile.get().toFile())) {
+ StringWriter writer = new StringWriter();
+ asciidoctor.convert(reader, writer, Maps.newHashMap());
+ return new ByteArrayInputStream(writer.getBuffer().toString().getBytes());
+ }
+ }
+ return new ByteArrayInputStream(new byte[0]);
+ } catch (IOException e) {
+ //no html yet
+ return new ByteArrayInputStream(new byte[0]);
+ }
+ }
+
+ private Optional find(Path path, String resourceName) throws IOException {
+ return Files.walk(path)
+ .filter(Files::isRegularFile)
+ .filter(p -> p.toString().endsWith(resourceName)).findFirst();
+ }
+
+ @Override
+ public String getName() {
+ return "adocResourceResolver";
+ }
+ }
+}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/Catcher.java b/webgoat-container/src/main/java/org/owasp/webgoat/Catcher.java
deleted file mode 100644
index 074c61c91..000000000
--- a/webgoat-container/src/main/java/org/owasp/webgoat/Catcher.java
+++ /dev/null
@@ -1,120 +0,0 @@
-
-package org.owasp.webgoat;
-
-import java.io.IOException;
-import java.util.Enumeration;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import org.owasp.webgoat.lessons.AbstractLesson;
-import org.owasp.webgoat.session.Course;
-import org.owasp.webgoat.session.WebSession;
-
-
-/**
- *************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- *
- * @author Bruce Mayhew WebGoat
- * @since March 13, 2007
- * @version $Id: $Id
- */
-public class Catcher extends HammerHead
-{
-
- /**
- *
- */
- private static final long serialVersionUID = 7441856110845727651L;
-
- /**
- * Description of the Field
- */
- public final static String START_SOURCE_SKIP = "START_OMIT_SOURCE";
-
- /** Constant END_SOURCE_SKIP="END_OMIT_SOURCE" */
- public final static String END_SOURCE_SKIP = "END_OMIT_SOURCE";
-
- /** Constant PROPERTY="PROPERTY" */
- public static final String PROPERTY = "PROPERTY";
-
- /** Constant EMPTY_STRING="" */
- public static final String EMPTY_STRING = "";
-
- /**
- * {@inheritDoc}
- *
- * Description of the Method
- * @exception IOException
- * Description of the Exception
- * @exception ServletException
- * Description of the Exception
- */
- public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException
- {
- try
- {
- // System.out.println( "Entering doPost: " );
- // System.out.println( " - request " + request);
- // System.out.println( " - principle: " + request.getUserPrincipal() );
- // setCacheHeaders(response, 0);
- WebSession session = (WebSession) request.getSession(true).getAttribute(WebSession.SESSION);
- session.update(request, response, this.getServletName()); // FIXME: Too much in this
- // call.
-
- int scr = session.getCurrentScreen();
- Course course = session.getCourse();
- AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE);
-
- log(request, lesson.getClass().getName() + " | " + session.getParser().toString());
-
- String property = new String(session.getParser().getStringParameter(PROPERTY, EMPTY_STRING));
-
- // if the PROPERTY parameter is available - write all the parameters to the
- // property file. No other control parameters are supported at this time.
- if (!property.equals(EMPTY_STRING))
- {
- Enumeration e = session.getParser().getParameterNames();
-
- while (e.hasMoreElements())
- {
- String name = (String) e.nextElement();
- String value = session.getParser().getParameterValues(name)[0];
- lesson.getLessonTracker(session).getLessonProperties().setProperty(name, value);
- }
- }
- lesson.getLessonTracker(session).store(session, lesson);
-
- // BDM MC
-// WEB-173 - removed for testing, as plugin architecture would not allow this
-// if ( request.getParameter("Deleter") != null ){org.owasp.webgoat.lessons.BlindScript.StaticDeleter();}
-
- } catch (Throwable t)
- {
- t.printStackTrace();
- log("ERROR: " + t);
- }
- }
-}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/HammerHead.java b/webgoat-container/src/main/java/org/owasp/webgoat/HammerHead.java
index d870a8a49..e2a09ab3a 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/HammerHead.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/HammerHead.java
@@ -1,442 +1,59 @@
package org.owasp.webgoat;
-import org.owasp.webgoat.lessons.AbstractLesson;
-import org.owasp.webgoat.lessons.WelcomeScreen;
-import org.owasp.webgoat.lessons.admin.WelcomeAdminScreen;
import org.owasp.webgoat.session.Course;
-import org.owasp.webgoat.session.ErrorScreen;
-import org.owasp.webgoat.session.Screen;
-import org.owasp.webgoat.session.UserTracker;
-import org.owasp.webgoat.session.WebSession;
-import org.owasp.webgoat.session.WebgoatContext;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import javax.servlet.ServletContext;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
-import java.io.IOException;
-import java.io.PrintWriter;
-import java.net.URL;
-import java.text.SimpleDateFormat;
-import java.util.Date;
-import java.util.Locale;
-import java.util.TimeZone;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.servlet.ModelAndView;
/**
* *************************************************************************************************
- *
- *
+ *
+ *
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
- *
+ *
* Copyright (c) 2002 - 20014 Bruce Mayhew
- *
+ *
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
- *
+ *
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
- *
+ *
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
- *
+ *
* Getting Source ==============
- *
+ *
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
*
- * @author Jeff Williams Aspect
- * Security
- * @author Bruce Mayhew WebGoat
- * @since October 28, 2003
+ * @author Jeff Williams
+ * @author Bruce Mayhew
+ * @author Nanne Baars
* @version $Id: $Id
+ * @since October 28, 2003
*/
-public class HammerHead extends HttpServlet {
+@Controller
+public class HammerHead {
- final Logger logger = LoggerFactory.getLogger(HammerHead.class);
+ private final Course course;
-
- /**
- *
- */
- private static final long serialVersionUID = 645640331343188020L;
-
- /**
- * Description of the Field
- */
- protected static SimpleDateFormat httpDateFormat;
-
- /**
- * Set the session timeout to be 2 days
- */
- private final static int sessionTimeoutSeconds = 60 * 60 * 24 * 2;
-
- // private final static int sessionTimeoutSeconds = 1;
- /**
- * Properties file path
- */
- public static String propertiesPath = null;
-
- /**
- * provides convenience methods for getting setup information from the
- * ServletContext
- */
- private WebgoatContext webgoatContext = null;
-
- /**
- * {@inheritDoc}
- *
- * Description of the Method
- * @exception IOException Description of the Exception
- * @exception ServletException Description of the Exception
- */
- @Override
- public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
- doPost(request, response);
+ public HammerHead(Course course) {
+ this.course = course;
}
/**
- * {@inheritDoc}
- *
- * Description of the Method
- * @exception IOException Description of the Exception
- * @exception ServletException Description of the Exception
+ * Entry point for WebGoat, redirects to the first lesson found within the course.
*/
- @Override
- public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
- Screen screen = null;
-
- WebSession mySession = null;
- try {
- logger.debug("Entering doPost");
- logger.debug("request: " + request);
- logger.debug("principle: " + request.getUserPrincipal());
- // setCacheHeaders(response, 0);
- ServletContext context = getServletContext();
-
- // FIXME: If a response is written by updateSession(), do not
- // call makeScreen() and writeScreen()
- mySession = updateSession(request, response, context);
-
- if (response.isCommitted()) {
- logger.debug("Response already committed, exiting");
- return;
- }
-
- if ("true".equals(request.getParameter("start")) || request.getQueryString() == null) {
- logger.warn("Redirecting to first lesson");
- response.sendRedirect("start.mvc" + mySession.getCourse().getFirstLesson().getLink());
- return;
- }
-
- // Note: For the lesson to track the status, we need to update
- // the lesson tracker object
- // from the screen.createContent() method. The create content is
- // the only point
- // where the lesson "knows" what has happened. To track it at a
- // latter point would
- // require the lesson to have memory.
- screen = makeScreen(mySession);
- // This calls the lesson's
- // handleRequest()
- if (response.isCommitted()) {
- return;
- }
-
- // perform lesson-specific tracking activities
- if (screen instanceof AbstractLesson) {
- AbstractLesson lesson = (AbstractLesson) screen;
-
- // we do not count the initial display of the lesson screen as a visit
- if ("GET".equals(request.getMethod())) {
- String uri = request.getRequestURI() + "?" + request.getQueryString();
- if (!uri.endsWith(lesson.getLink())) {
- screen.getLessonTracker(mySession).incrementNumVisits();
- }
- } else if ("POST".equals(request.getMethod())
- && mySession.getPreviousScreen() == mySession.getCurrentScreen()) {
- screen.getLessonTracker(mySession).incrementNumVisits();
- }
- }
-
- // log the access to this screen for this user
- UserTracker userTracker = UserTracker.instance();
- userTracker.update(mySession, screen);
- log(request, screen.getClass().getName() + " | " + mySession.getParser().toString());
-
- // Redirect the request to our View servlet
- String userAgent = request.getHeader("user-agent");
- String clientBrowser = "Not known!";
- if (userAgent != null) {
- clientBrowser = userAgent;
- }
- request.setAttribute("client.browser", clientBrowser);
- // removed - this is being done in updateSession call
- //request.getSession().setAttribute(WebSession.SESSION, mySession);
- // not sure why this is being set in the session?
- //request.getSession().setAttribute(WebSession.COURSE, mySession.getCourse());
- String viewPage = getViewPage(mySession);
- logger.debug("Forwarding to view: " + viewPage);
- logger.debug("Screen: " + screen);
- request.getRequestDispatcher(viewPage).forward(request, response);
- } catch (Throwable t) {
- logger.error("Error handling request", t); screen = new ErrorScreen(mySession, t);
- } finally {
- try {
- if (screen instanceof ErrorScreen) {
- this.writeScreen(mySession, screen, response);
- }
- } catch (Throwable thr) {
- logger.error("Could not write error screen", thr);
- }
- WebSession.returnConnection(mySession);
- logger.debug("Leaving doPost: ");
- }
- }
-
- private String getViewPage(WebSession webSession) {
- // now always display the lesson content
- String page = "/lesson_content.jsp";
- //page = "/main.jsp";
- return page;
- }
-
- /**
- * Description of the Method
- *
- * @param date Description of the Parameter
- * @return RFC 1123 http date format
- */
- protected static String formatHttpDate(Date date) {
- synchronized (httpDateFormat) {
- return httpDateFormat.format(date);
- }
- }
-
- /**
- * {@inheritDoc}
- *
- * Return information about this servlet
- */
- @Override
- public String getServletInfo() {
- return "WebGoat is sponsored by Aspect Security.";
- }
-
- /**
- * {@inheritDoc}
- *
- * Return properties path
- */
- @Override
- public void init() throws ServletException {
- logger.info("Initializing main webgoat servlet");
- httpDateFormat = new SimpleDateFormat("EEE, dd MMM yyyyy HH:mm:ss z", Locale.US);
- httpDateFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
- propertiesPath = getServletContext().getRealPath("/WEB-INF/webgoat.properties");
- webgoatContext = new WebgoatContext(this);
- URL runningStandalone = Thread.currentThread().getContextClassLoader().getResource("standalone.properties");
- if (runningStandalone == null) {
- logger.info("Browse to http://localhost:8080/WebGoat and happy hacking!");
- }
- }
-
- /**
- * Description of the Method
- *
- * @param request Description of the Parameter
- * @param message Description of the Parameter
- */
- public void log(HttpServletRequest request, String message) {
- String output = new Date() + " | " + request.getRemoteHost() + ":" + request.getRemoteAddr() + " | " + message;
- log(output);
- logger.debug(output);
- }
-
- /*
- * public List getLessons(Category category, String role) { Course course =
- * mySession.getCourse(); // May need to clone the List before returning it. //return new
- * ArrayList(course.getLessons(category, role)); return course.getLessons(category, role); }
- */
- /**
- * Description of the Method
- *
- * @param s Description of the Parameter
- * @return Description of the Return Value
- */
- protected Screen makeScreen(WebSession s) {
- Screen screen = null;
- int scr = s.getCurrentScreen();
- Course course = s.getCourse();
-
- if (s.isUser() || s.isChallenge()) {
- if (scr == WebSession.WELCOME) {
- screen = new WelcomeScreen(s);
- } else {
- AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
- if (lesson == null && s.isHackedAdmin()) {
- // If admin was hacked, let the user see some of the
- // admin screens
- lesson = course.getLesson(s, scr, AbstractLesson.HACKED_ADMIN_ROLE);
- }
-
- if (lesson != null) {
- screen = lesson;
-
- // We need to do some bookkeeping for the hackable admin
- // interface.
- // This is the only place we can tell if the user
- // successfully hacked the hackable
- // admin and has actually accessed an admin screen. You
- // need BOTH pieces of information
- // in order to satisfy the remote admin lesson.
- s.setHasHackableAdmin(screen.getRole());
-
- lesson.handleRequest(s);
- s.setCurrentMenu(lesson.getCategory().getRanking());
- } else {
- screen = new ErrorScreen(s, "Invalid screen requested. Try: http://localhost/WebGoat/attack");
- }
- }
- } else if (s.isAdmin()) {
- if (scr == WebSession.WELCOME) {
- screen = new WelcomeAdminScreen(s);
- } else {
- // Admin can see all roles.
- // FIXME: should be able to pass a list of roles.
- AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.ADMIN_ROLE);
- if (lesson == null) {
- lesson = course.getLesson(s, scr, AbstractLesson.HACKED_ADMIN_ROLE);
- }
- if (lesson == null) {
- lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
- }
-
- if (lesson != null) {
- screen = lesson;
-
- // We need to do some bookkeeping for the hackable admin
- // interface.
- // This is the only place we can tell if the user
- // successfully hacked the hackable
- // admin and has actually accessed an admin screen. You
- // need BOTH pieces of information
- // in order to satisfy the remote admin lesson.
- s.setHasHackableAdmin(screen.getRole());
-
- lesson.handleRequest(s);
- s.setCurrentMenu(lesson.getCategory().getRanking());
- } else {
- screen = new ErrorScreen(s,
- "Invalid screen requested. Try Setting Admin to false or Try: http://localhost/WebGoat/attack");
- }
- }
- }
-
- return (screen);
- }
-
- /**
- * This method sets the required expiration headers in the response for a
- * given RunData object. This method attempts to set all relevant headers,
- * both for HTTP 1.0 and HTTP 1.1.
- *
- * @param response The new cacheHeaders value
- * @param expiry The new cacheHeaders value
- */
- protected static void setCacheHeaders(HttpServletResponse response, int expiry) {
- if (expiry == 0) {
- response.setHeader("Pragma", "no-cache");
- response.setHeader("Cache-Control", "no-cache");
- response.setHeader("Expires", formatHttpDate(new Date()));
- } else {
- Date expiryDate = new Date(System.currentTimeMillis() + expiry);
- response.setHeader("Expires", formatHttpDate(expiryDate));
- }
- }
-
- /**
- * Description of the Method
- *
- * @param request Description of the Parameter
- * @param response Description of the Parameter
- * @param context Description of the Parameter
- * @return Description of the Return Value
- * @throws java.io.IOException if any.
- */
- protected WebSession updateSession(HttpServletRequest request, HttpServletResponse response, ServletContext context)
- throws IOException {
- HttpSession hs;
- // session should already be created by spring security
- hs = request.getSession(false);
-
- logger.debug("HH Entering Session_id: " + hs.getId());
- // dumpSession( hs );
- // Get our session object out of the HTTP session
- WebSession session = null;
- Object o = hs.getAttribute(WebSession.SESSION);
-
- if ((o != null) && o instanceof WebSession) {
- session = (WebSession) o;
- hs.setAttribute(WebSession.COURSE, session.getCourse());
- } else {
- // Create new custom session and save it in the HTTP session
- logger.warn("HH Creating new WebSession");
- session = new WebSession(webgoatContext, context);
- // Ensure splash screen shows on any restart
- // rlawson - removed this since we show splash screen at login now
- //hs.removeAttribute(WELCOMED);
- hs.setAttribute(WebSession.SESSION, session);
- // reset timeout
- hs.setMaxInactiveInterval(sessionTimeoutSeconds);
- }
-
- session.update(request, response, this.getServletName());
- // update last attack request info (cookies, parms)
- // this is so the REST services can have access to them via the session
- session.updateLastAttackRequestInfo(request);
-
- // to authenticate
- logger.debug("HH Leaving Session_id: " + hs.getId());
- //dumpSession( hs );
- return (session);
- }
-
- /**
- * Description of the Method
- *
- * @param s Description of the Parameter
- * @param screen a {@link org.owasp.webgoat.session.Screen} object.
- * @param screen a {@link org.owasp.webgoat.session.Screen} object.
- * @param response Description of the Parameter
- * @exception IOException Description of the Exception
- * @throws java.io.IOException if any.
- */
- protected void writeScreen(WebSession s, Screen screen, HttpServletResponse response) throws IOException {
- response.setContentType("text/html");
-
- PrintWriter out = response.getWriter();
-
- if (s == null) {
- screen = new ErrorScreen(s, "Page to display was null");
- }
-
- // set the content-length of the response.
- // Trying to avoid chunked-encoding. (Aspect required)
- response.setContentLength(screen.getContentLength());
- response.setHeader("Content-Length", screen.getContentLength() + "");
-
- screen.output(out);
- out.flush();
- out.close();
+ @RequestMapping(path = "/attack", method = {RequestMethod.GET, RequestMethod.POST})
+ public ModelAndView attack() {
+ return new ModelAndView("redirect:" + "start.mvc" + course.getFirstLesson().getLink());
}
}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/LessonSource.java b/webgoat-container/src/main/java/org/owasp/webgoat/LessonSource.java
deleted file mode 100644
index 0b03e30ba..000000000
--- a/webgoat-container/src/main/java/org/owasp/webgoat/LessonSource.java
+++ /dev/null
@@ -1,191 +0,0 @@
-package org.owasp.webgoat;
-
-import java.io.IOException;
-import java.io.PrintWriter;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import org.owasp.webgoat.lessons.AbstractLesson;
-import org.owasp.webgoat.session.Course;
-import org.owasp.webgoat.session.WebSession;
-
-/**
- * *************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
- * for free software projects.
- *
- * @author Bruce Mayhew WebGoat
- * @since October 28, 2003
- * @version $Id: $Id
- */
-public class LessonSource extends HammerHead {
-
- /**
- *
- */
- private static final long serialVersionUID = 2588430536196446145L;
-
- /**
- * Description of the Field
- */
- public final static String START_SOURCE_SKIP = "START_OMIT_SOURCE";
-
- /** Constant END_SOURCE_SKIP="END_OMIT_SOURCE" */
- public final static String END_SOURCE_SKIP = "END_OMIT_SOURCE";
-
- /**
- * {@inheritDoc}
- *
- * Description of the Method
- * @exception IOException Description of the Exception
- * @exception ServletException Description of the Exception
- */
- public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
- String source = null;
-
- try {
- // System.out.println( "Entering doPost: " );
- // System.out.println( " - request " + request);
- // System.out.println( " - principle: " + request.getUserPrincipal()
- // );
- // setCacheHeaders(response, 0);
- WebSession session = (WebSession) request.getSession(true).getAttribute(WebSession.SESSION);
- // FIXME: Too much in this call.
- session.update(request, response, this.getServletName());
-
- boolean showSolution = session.getParser().getBooleanParameter("solution", false);
- boolean showSource = session.getParser().getBooleanParameter("source", false);
- if (showSolution) {
-
- // Get the Java solution of the lesson.
- source = getSolution(session);
-
- int scr = session.getCurrentScreen();
- Course course = session.getCourse();
- AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE);
- lesson.getLessonTracker(session).setViewedSolution(true);
-
- } else if (showSource) {
-
- // Get the Java source of the lesson. FIXME: Not needed
- source = getSource(session);
-
- int scr = session.getCurrentScreen();
- Course course = session.getCourse();
- AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE);
- lesson.getLessonTracker(session).setViewedSource(true);
- }
- } catch (Throwable t) {
- t.printStackTrace();
- log("ERROR: " + t);
- } finally {
- try {
- this.writeSource(source, response);
- } catch (Throwable thr) {
- thr.printStackTrace();
- log(request, "Could not write error screen: " + thr.getMessage());
- }
- // System.out.println( "Leaving doPost: " );
-
- }
- }
-
- /**
- * Description of the Method
- *
- * @param s Description of the Parameter
- * @return Description of the Return Value
- */
- protected String getSource(WebSession s) {
-
- String source = null;
- int scr = s.getCurrentScreen();
- Course course = s.getCourse();
-
- if (s.isUser() || s.isChallenge()) {
-
- AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
-
- if (lesson != null) {
- source = lesson.getSource(s);
- }
- }
- if (source == null) {
- return "Source code is not available. Contact "
- + s.getWebgoatContext().getFeedbackAddressHTML();
- }
- return (source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP,
- "Code Section Deliberately Omitted"));
- }
-
- /**
- *
getSolution.
- *
- * @param s a {@link org.owasp.webgoat.session.WebSession} object.
- * @return a {@link java.lang.String} object.
- */
- protected String getSolution(WebSession s) {
-
- String source = null;
- int scr = s.getCurrentScreen();
- Course course = s.getCourse();
-
- if (s.isUser() || s.isChallenge()) {
-
- AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
-
- if (lesson != null) {
- source = lesson.getSolution(s);
- }
- }
- if (source == null) {
- return "Solution is not available. Contact "
- + s.getWebgoatContext().getFeedbackAddressHTML();
- }
- return (source);
- }
-
- /**
- * Description of the Method
- *
- * @param s Description of the Parameter
- * @param response Description of the Parameter
- * @exception IOException Description of the Exception
- * @throws java.io.IOException if any.
- */
- protected void writeSource(String s, HttpServletResponse response) throws IOException {
- response.setContentType("text/html");
-
- PrintWriter out = response.getWriter();
-
- if (s == null) {
- s = new String();
- }
-
- out.print(s);
- out.close();
- }
-}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/LessonTemplateResolver.java b/webgoat-container/src/main/java/org/owasp/webgoat/LessonTemplateResolver.java
new file mode 100644
index 000000000..dd23861fc
--- /dev/null
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/LessonTemplateResolver.java
@@ -0,0 +1,91 @@
+/**
+ *************************************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *
+ * @author WebGoat
+ * @since October 28, 2003
+ * @version $Id: $Id
+ */
+package org.owasp.webgoat;
+
+import com.google.common.collect.Sets;
+import com.google.common.io.Files;
+import org.thymeleaf.TemplateProcessingParameters;
+import org.thymeleaf.resourceresolver.IResourceResolver;
+import org.thymeleaf.templateresolver.TemplateResolver;
+
+import java.io.ByteArrayInputStream;
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+
+/**
+ * Dynamically resolve a lesson. In the html file this can be invoked as:
+ *
+ *
+ *
+ *
+ *
+ * Thymeleaf will invoke this resolver based on the prefix and this implementqtion will resolve the html in the plugins directory
+ */
+public class LessonTemplateResolver extends TemplateResolver {
+
+ private final static String PREFIX = "lesson:";
+ private final File pluginTargetDirectory;
+
+ public LessonTemplateResolver(File pluginTargetDirectory) {
+ this.pluginTargetDirectory = pluginTargetDirectory;
+ setResourceResolver(new LessonResourceResolver());
+ setResolvablePatterns(Sets.newHashSet(PREFIX + "*"));
+ }
+
+ @Override
+ protected String computeResourceName(TemplateProcessingParameters params) {
+ String templateName = params.getTemplateName();
+ return templateName.substring(PREFIX.length());
+ }
+
+ private class LessonResourceResolver implements IResourceResolver {
+
+ @Override
+ public InputStream getResourceAsStream(TemplateProcessingParameters params, String resourceName) {
+ File lesson = new File(pluginTargetDirectory, "/plugin/" + resourceName + "/html/" + resourceName + ".html");
+ if (lesson != null) {
+ try {
+ return new ByteArrayInputStream(Files.toByteArray(lesson));
+ } catch (IOException e) {
+ //no html yet
+ return new ByteArrayInputStream(new byte[0]);
+ }
+ }
+ return null;
+ }
+
+ @Override
+ public String getName() {
+ return "lessonResourceResolver";
+ }
+ }
+}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java b/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java
new file mode 100644
index 000000000..02ab81b6d
--- /dev/null
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java
@@ -0,0 +1,124 @@
+/**
+ *************************************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *
+ * @author WebGoat
+ * @since October 28, 2003
+ * @version $Id: $Id
+ */
+package org.owasp.webgoat;
+
+import com.google.common.collect.Sets;
+import org.owasp.webgoat.session.Course;
+import org.owasp.webgoat.session.LabelDebugger;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.context.ApplicationContext;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
+import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
+import org.thymeleaf.extras.springsecurity4.dialect.SpringSecurityDialect;
+import org.thymeleaf.spring4.SpringTemplateEngine;
+import org.thymeleaf.spring4.templateresolver.SpringResourceTemplateResolver;
+import org.thymeleaf.templateresolver.TemplateResolver;
+
+import java.io.File;
+
+/**
+ * Configuration for Spring MVC
+ */
+@Configuration
+public class MvcConfiguration extends WebMvcConfigurerAdapter {
+
+ @Autowired
+ @Qualifier("pluginTargetDirectory")
+ private File pluginTargetDirectory;
+
+ @Override
+ public void addViewControllers(ViewControllerRegistry registry) {
+ registry.addViewController("/login").setViewName("login");
+ registry.addViewController("/lesson_content").setViewName("lesson_content");
+ registry.addViewController("/start.mvc").setViewName("main_new");
+ }
+
+ @Bean
+ public TemplateResolver springThymeleafTemplateResolver(ApplicationContext applicationContext) {
+ SpringResourceTemplateResolver resolver = new SpringResourceTemplateResolver();
+ resolver.setPrefix("classpath:/templates/");
+ resolver.setSuffix(".html");
+ resolver.setOrder(1);
+ resolver.setApplicationContext(applicationContext);
+ return resolver;
+ }
+
+ @Bean
+ public LessonTemplateResolver lessonTemplateResolver() {
+ LessonTemplateResolver resolver = new LessonTemplateResolver(pluginTargetDirectory);
+ resolver.setOrder(2);
+ resolver.setCacheable(false);
+ return resolver;
+ }
+
+ @Bean
+ public AsciiDoctorTemplateResolver asciiDoctorTemplateResolver() {
+ AsciiDoctorTemplateResolver resolver = new AsciiDoctorTemplateResolver(pluginTargetDirectory);
+ resolver.setCacheable(true);
+ resolver.setOrder(3);
+ return resolver;
+ }
+
+ @Bean
+ public SpringTemplateEngine thymeleafTemplateEngine(TemplateResolver springThymeleafTemplateResolver,
+ LessonTemplateResolver lessonTemplateResolver,
+ AsciiDoctorTemplateResolver asciiDoctorTemplateResolver) {
+ SpringTemplateEngine engine = new SpringTemplateEngine();
+ engine.addDialect(new SpringSecurityDialect());
+ engine.setTemplateResolvers(
+ Sets.newHashSet(springThymeleafTemplateResolver, lessonTemplateResolver, asciiDoctorTemplateResolver));
+ return engine;
+ }
+
+ /**
+ * This way we expose the plugins target directory as a resource within the web application.
+ *
+ * @param registry
+ */
+ @Override
+ public void addResourceHandlers(ResourceHandlerRegistry registry) {
+ registry.addResourceHandler("/plugin_lessons/**").addResourceLocations("file:///" + pluginTargetDirectory.toString() + "/");
+ }
+
+ @Bean
+ public HammerHead hammerHead(Course course) {
+ return new HammerHead(course);
+ }
+
+ @Bean
+ public LabelDebugger labelDebugger() {
+ return new LabelDebugger();
+ }
+}
\ No newline at end of file
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java b/webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java
new file mode 100644
index 000000000..edaf68ce5
--- /dev/null
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java
@@ -0,0 +1,116 @@
+/**
+ * ************************************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *
+ * @author WebGoat
+ * @version $Id: $Id
+ * @since October 28, 2003
+ */
+package org.owasp.webgoat;
+
+import lombok.SneakyThrows;
+import lombok.extern.slf4j.Slf4j;
+import org.owasp.webgoat.plugins.Plugin;
+import org.owasp.webgoat.plugins.PluginClassLoader;
+import org.owasp.webgoat.plugins.PluginEndpointPublisher;
+import org.owasp.webgoat.plugins.PluginsLoader;
+import org.owasp.webgoat.session.Course;
+import org.owasp.webgoat.session.UserTracker;
+import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.session.WebgoatContext;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.boot.builder.SpringApplicationBuilder;
+import org.springframework.boot.web.support.SpringBootServletInitializer;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Scope;
+import org.springframework.context.annotation.ScopedProxyMode;
+
+import java.io.File;
+import java.util.List;
+
+@SpringBootApplication
+@Slf4j
+public class WebGoat extends SpringBootServletInitializer {
+
+ @Override
+ protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
+ return application.sources(WebGoat.class);
+ }
+
+ public static void main(String[] args) throws Exception {
+ SpringApplication.run(WebGoat.class, args);
+ }
+
+ @Bean(name = "pluginTargetDirectory")
+ public File pluginTargetDirectory(@Value("${webgoat.user.directory}") final String webgoatHome) {
+ return new File(webgoatHome);
+ }
+
+ @Bean
+ public PluginClassLoader pluginClassLoader() {
+ return new PluginClassLoader(PluginClassLoader.class.getClassLoader());
+ }
+
+ @Bean
+ public PluginsLoader pluginsLoader(@Qualifier("pluginTargetDirectory") File pluginTargetDirectory, PluginClassLoader classLoader) {
+ return new PluginsLoader(pluginTargetDirectory, classLoader);
+ }
+
+ @Bean
+ @Scope(value = "session", proxyMode = ScopedProxyMode.TARGET_CLASS)
+ public WebSession webSession(WebgoatContext webgoatContext) {
+ return new WebSession(webgoatContext);
+ }
+
+ @Bean
+ public Course course(PluginsLoader pluginsLoader, PluginEndpointPublisher pluginEndpointPublisher) {
+ Course course = new Course();
+ List plugins = pluginsLoader.loadPlugins();
+ if (plugins.isEmpty()) {
+ log.error("No lessons found if you downloaded an official release of WebGoat please take the time to");
+ log.error("create a new issue at https://github.com/WebGoat/WebGoat/issues/new");
+ log.error("For developers run 'mvn package' first from the root directory.");
+ log.error("Stopping WebGoat...");
+ System.exit(1); //we always run standalone
+ }
+ course.createLessonsFromPlugins(plugins);
+ plugins.forEach(p -> pluginEndpointPublisher.publish(p));
+
+ return course;
+ }
+
+ @Bean
+ @Scope(value = "session", proxyMode = ScopedProxyMode.TARGET_CLASS)
+ @SneakyThrows
+ public UserTracker userTracker(@Value("${webgoat.user.directory}") final String webgoatHome, WebSession webSession) {
+ UserTracker userTracker = new UserTracker(webgoatHome, webSession.getUserName());
+ userTracker.load();
+ return userTracker;
+ }
+
+}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java b/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
new file mode 100644
index 000000000..51a9eecbf
--- /dev/null
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
@@ -0,0 +1,92 @@
+
+/**
+ *************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *
+ *
+ * @author WebGoat
+ * @since December 12, 2015
+ * @version $Id: $Id
+ */
+package org.owasp.webgoat;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.builders.WebSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
+import org.springframework.security.core.userdetails.UserDetailsService;
+
+/**
+ * Security configuration for WebGoat.
+ */
+@Configuration
+@EnableWebSecurity
+public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry security = http
+ .authorizeRequests()
+ .antMatchers("/css/**", "/images/**", "/js/**", "fonts/**", "/plugins/**").permitAll()
+ .antMatchers("/servlet/AdminServlet/**").hasAnyRole("WEBGOAT_ADMIN", "SERVER_ADMIN") //
+ .antMatchers("/JavaSource/**").hasRole("SERVER_ADMIN") //
+ .anyRequest().hasAnyRole("WEBGOAT_USER", "WEBGOAT_ADMIN", "SERVER_ADMIN");
+ security.and()
+ .formLogin()
+ .loginPage("/login")
+ .defaultSuccessUrl("/welcome.mvc", true)
+ .usernameParameter("username")
+ .passwordParameter("password")
+ .permitAll();
+ security.and()
+ .logout()
+ .permitAll();
+ security.and().csrf().disable();
+
+ http.headers().cacheControl().disable();
+ }
+
+ //// TODO: 11/18/2016 make this a little bit more configurabe last part at least
+ @Override
+ public void configure(WebSecurity web) throws Exception {
+ web.ignoring().antMatchers("/plugin_lessons/**", "/XXE/**");
+ }
+
+ @Autowired
+ public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
+ auth.inMemoryAuthentication()
+ .withUser("guest").password("guest").roles("WEBGOAT_USER").and() //
+ .withUser("webgoat").password("webgoat").roles("WEBGOAT_ADMIN").and() //
+ .withUser("server").password("server").roles("SERVER_ADMIN");
+ }
+
+ @Bean
+ @Override
+ public UserDetailsService userDetailsServiceBean() throws Exception {
+ return super.userDetailsServiceBean();
+ }
+}
\ No newline at end of file
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/application/Application.java b/webgoat-container/src/main/java/org/owasp/webgoat/application/Application.java
deleted file mode 100644
index 7ad64dbb5..000000000
--- a/webgoat-container/src/main/java/org/owasp/webgoat/application/Application.java
+++ /dev/null
@@ -1,107 +0,0 @@
-/*
- * To change this license header, choose License Headers in Project Properties.
- * To change this template file, choose Tools | Templates
- * and open the template in the editor.
- */
-package org.owasp.webgoat.application;
-
-import org.apache.commons.lang3.StringUtils;
-import org.apache.commons.lang3.builder.ToStringBuilder;
-
-/**
- * Singleton which is created on context startup
- *
- * @author rlawson
- * @version $Id: $Id
- */
-public class Application {
-
- private static final Application INSTANCE = new Application();
-
- private Application() {
-
- }
-
- /**
- *
getInstance.
- *
- * @return a {@link org.owasp.webgoat.application.Application} object.
- */
- public static final Application getInstance() {
- return INSTANCE;
- }
-
- private String version = "SNAPSHOT";
- private String build = "local";
- private String name = "WebGoat";
-
- /**
- *
Getter for the field version.
- *
- * @return the version
- */
- public String getVersion() {
- return version;
- }
-
- /**
- *
Setter for the field version.
- *
- * @param version the version to set
- */
- public void setVersion(String version) {
- if (StringUtils.isNotBlank(version)) {
- this.version = version;
- }
- }
-
- /**
- *
- *
- * @param request a {@link javax.servlet.http.HttpServletRequest} object.
- * @param error a {@link java.lang.String} object.
- * @param logout a {@link java.lang.String} object.
- * @return a {@link org.springframework.web.servlet.ModelAndView} object.
- */
- @RequestMapping(value = "start.mvc", method = {RequestMethod.GET, RequestMethod.POST})
- public ModelAndView start(HttpServletRequest request,
- @RequestParam(value = "error", required = false) String error,
- @RequestParam(value = "logout", required = false) String logout) {
-
- ModelAndView model = new ModelAndView();
- // make sure session is set up correctly
- // if not redirect user to login
- if (checkWebSession(request.getSession()) == false) {
- model.setViewName("redirect:/login.mvc");
- return model;
- }
- String role = getRole();
- String user = request.getUserPrincipal().getName();
- model.addObject("role", role);
- model.addObject("user", user);
-
- String contactEmail = servletContext.getInitParameter("email");
- model.addObject("contactEmail", contactEmail);
- String emailList = servletContext.getInitParameter("emaillist");
- model.addObject("emailList", emailList);
-
- Application app = Application.getInstance();
- logger.info("Setting application properties: " + app);
- model.addObject("version", app.getVersion());
- model.addObject("build", app.getBuild());
-
- // if everything ok then go to webgoat UI
- model.setViewName("main_new");
- return model;
- }
-
- private String getRole() {
- Collection authorities = (Collection) SecurityContextHolder.getContext().getAuthentication().getAuthorities();
- String role = "N/A";
- for (GrantedAuthority authority : authorities) {
- authority.getAuthority();
- role = authority.getAuthority();
- role = StringUtils.lowerCase(role);
- role = StringUtils.remove(role, "role_");
- break;
- }
- return role;
- }
-
- /**
- *
checkWebSession.
- *
- * @param session a {@link javax.servlet.http.HttpSession} object.
- * @return a boolean.
- */
- public boolean checkWebSession(HttpSession session) {
- Object o = session.getAttribute(WebSession.SESSION);
- if (o == null) {
- logger.error("No valid WebSession object found, has session timed out? [" + session.getId() + "]");
- return false;
- }
- if (!(o instanceof WebSession)) {
- logger.error("Invalid WebSession object found, this is probably a bug! [" + o.getClass() + " | " + session.getId() + "]");
- return false;
- }
- return true;
- }
-}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/controller/StartLesson.java b/webgoat-container/src/main/java/org/owasp/webgoat/controller/StartLesson.java
new file mode 100644
index 000000000..6af1770f3
--- /dev/null
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/controller/StartLesson.java
@@ -0,0 +1,93 @@
+/**
+ * ************************************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *
+ * @author WebGoat
+ * @version $Id: $Id
+ * @since October 28, 2003
+ */
+package org.owasp.webgoat.controller;
+
+import org.owasp.webgoat.lessons.AbstractLesson;
+import org.owasp.webgoat.session.Course;
+import org.owasp.webgoat.session.WebSession;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.servlet.ModelAndView;
+
+import javax.servlet.http.HttpServletRequest;
+import java.util.List;
+import java.util.Optional;
+
+
+@Controller
+public class StartLesson {
+
+ private final WebSession ws;
+ private final Course course;
+
+ public StartLesson(final WebSession ws, final Course course) {
+ this.ws = ws;
+ this.course = course;
+ }
+
+ /**
+ *
start.
+ *
+ * @return a {@link ModelAndView} object.
+ */
+ @RequestMapping(path = "startlesson.mvc", method = {RequestMethod.GET, RequestMethod.POST})
+ public ModelAndView start() {
+ ModelAndView model = new ModelAndView();
+
+ model.addObject("course", course);
+ model.addObject("lesson", ws.getCurrentLesson());
+ model.setViewName("lesson_content");
+ return model;
+ }
+
+ @RequestMapping(value = {"*.lesson"}, produces = "text/html")
+ public ModelAndView lessonPage(HttpServletRequest request) {
+ // I will set here the thymeleaf fragment location based on the resource requested.
+ ModelAndView model = new ModelAndView();
+ SecurityContext context = SecurityContextHolder.getContext(); //TODO this should work with the security roles of Spring
+ GrantedAuthority authority = context.getAuthentication().getAuthorities().iterator().next();
+ String path = request.getServletPath(); // we now got /a/b/c/AccessControlMatrix.lesson
+ String lessonName = path.substring(path.lastIndexOf('/') + 1, path.indexOf(".lesson"));
+ List lessons = course.getLessons();
+ Optional lesson = lessons.stream()
+ .filter(l -> l.getId().equals(lessonName))
+ .findFirst();
+ ws.setCurrentLesson(lesson.get());
+ model.setViewName("lesson_content");
+ model.addObject("lesson", lesson.get());
+ return model;
+ }
+
+}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/controller/Welcome.java b/webgoat-container/src/main/java/org/owasp/webgoat/controller/Welcome.java
index 050b0a79f..546b1f992 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/controller/Welcome.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/controller/Welcome.java
@@ -1,20 +1,43 @@
-/*
- * To change this license header, choose License Headers in Project Properties.
- * To change this template file, choose Tools | Templates
- * and open the template in the editor.
+/**
+ *************************************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *
+ * @author WebGoat
+ * @since October 28, 2003
+ * @version $Id: $Id
*/
package org.owasp.webgoat.controller;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpSession;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.servlet.ModelAndView;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
+
/**
*
Welcome class.
*
@@ -23,22 +46,17 @@ import org.springframework.web.servlet.ModelAndView;
*/
@Controller
public class Welcome {
-
- final Logger logger = LoggerFactory.getLogger(Welcome.class);
+
private static final String WELCOMED = "welcomed";
/**
*
welcome.
*
* @param request a {@link javax.servlet.http.HttpServletRequest} object.
- * @param error a {@link java.lang.String} object.
- * @param logout a {@link java.lang.String} object.
* @return a {@link org.springframework.web.servlet.ModelAndView} object.
*/
- @RequestMapping(value = "welcome.mvc", method = RequestMethod.GET)
- public ModelAndView welcome(HttpServletRequest request,
- @RequestParam(value = "error", required = false) String error,
- @RequestParam(value = "logout", required = false) String logout) {
+ @RequestMapping(path = "welcome.mvc", method = RequestMethod.GET)
+ public ModelAndView welcome(HttpServletRequest request) {
// set the welcome attribute
// this is so the attack servlet does not also
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/util/LabelManager.java b/webgoat-container/src/main/java/org/owasp/webgoat/i18n/LabelManager.java
similarity index 98%
rename from webgoat-container/src/main/java/org/owasp/webgoat/util/LabelManager.java
rename to webgoat-container/src/main/java/org/owasp/webgoat/i18n/LabelManager.java
index a0f42adc9..21990bf6e 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/util/LabelManager.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/i18n/LabelManager.java
@@ -1,5 +1,5 @@
-package org.owasp.webgoat.util;
+package org.owasp.webgoat.i18n;
import java.util.Locale;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/util/LabelManagerImpl.java b/webgoat-container/src/main/java/org/owasp/webgoat/i18n/LabelManagerImpl.java
similarity index 81%
rename from webgoat-container/src/main/java/org/owasp/webgoat/util/LabelManagerImpl.java
rename to webgoat-container/src/main/java/org/owasp/webgoat/i18n/LabelManagerImpl.java
index f98b1a981..0e3ed00c4 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/util/LabelManagerImpl.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/i18n/LabelManagerImpl.java
@@ -1,8 +1,7 @@
-package org.owasp.webgoat.util;
+package org.owasp.webgoat.i18n;
import org.owasp.webgoat.session.LabelDebugger;
-import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import java.io.Serializable;
@@ -38,30 +37,22 @@ import java.util.Locale;
* @version $Id: $Id
* @author dm
*/
-@Component("labelManager")
+@Component
public class LabelManagerImpl implements LabelManager, Serializable
{
private static final long serialVersionUID = 1L;
- @Autowired
- private transient LabelProvider labelProvider;
- @Autowired
+ private LabelProvider labelProvider;
private LabelDebugger labelDebugger;
-
- /** Locale mapped with current session. */
private Locale locale = new Locale(LabelProvider.DEFAULT_LANGUAGE);
- /**
- *
- *
- * @param s a {@link org.owasp.webgoat.session.WebSession} object.
- * @return a boolean.
- */
- public boolean isCompleted(WebSession s) {
- return getLessonTracker(s, this).getCompleted();
- }
/**
* {@inheritDoc}
@@ -212,7 +100,7 @@ public abstract class AbstractLesson extends Screen implements Comparable
*
- * @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link java.util.List} object.
*/
- protected abstract List getHints(WebSession s);
-
- // @TODO we need to restrict access at the service layer
- // rather than passing session object around
-
- /**
- *
getHintsPublic.
- *
- * @param s a {@link org.owasp.webgoat.session.WebSession} object.
- * @return a {@link java.util.List} object.
- */
- public List getHintsPublic(WebSession s) {
- List hints = getHints(s);
- return hints;
- }
-
- /**
- * Fill in a minor hint that will help people who basically get it, but are
- * stuck on somthing silly.
- *
- * @param s The users WebSession
- * @param hintNumber a int.
- * @return The hint1 value
- */
- public String getHint(WebSession s, int hintNumber) {
- return "Hint: " + getHints(s).get(hintNumber);
- }
-
- /**
- * Gets the instructions attribute of the AbstractLesson object
- *
- * @param s a {@link org.owasp.webgoat.session.WebSession} object.
- * @return The instructions value
- */
- public abstract String getInstructions(WebSession s);
-
- /**
- * Gets the lessonPlan attribute of the Lesson object
- *
- * @return The lessonPlan value
- */
- public String getLessonName() {
- return this.getClass().getSimpleName();
- }
+ public abstract List getHints();
/**
* Gets the title attribute of the HelloScreen object
@@ -421,36 +154,6 @@ public abstract class AbstractLesson extends Screen implements Comparable
- *
- * @param s a {@link org.owasp.webgoat.session.WebSession} object.
- * @return a {@link java.lang.String} object.
- */
- public String getHtml_DELETE_ME(WebSession s) {
- String html = null;
-
- // FIXME: This doesn't work for the labs since they do not implement
- // createContent().
- String rawHtml = createContent(s).toString();
- // System.out.println("Getting raw html content: " +
- // rawHtml.substring(0, Math.min(rawHtml.length(), 100)));
- html = convertMetachars(AbstractLesson.readFromFile(new BufferedReader(new StringReader(rawHtml)), true));
- // System.out.println("Getting encoded html content: " +
- // html.substring(0, Math.min(html.length(), 100)));
-
- return html;
- }
-
- /**
- *
getSource.
- *
- * @param s a {@link org.owasp.webgoat.session.WebSession} object.
- * @return a {@link java.lang.String} object.
- */
- public String getSource(WebSession s) {
- String source = null;
- String src = null;
-
- try {
- // System.out.println("Loading source file: " +
- // getSourceFileName());
- src = convertMetacharsJavaCode(readFromFile(new BufferedReader(new FileReader(getSourceFileName())), true));
-
- // TODO: For styled line numbers and better memory efficiency,
- // use a custom FilterReader
- // that performs the convertMetacharsJavaCode() transform plus
- // optionally adds a styled
- // line number. Wouldn't color syntax be great too?
- } catch (Exception e) {
- s.setMessage("Could not find source file");
- src = ("Could not find the source file or source file does not exist. "
- + "Send this message to: " + s.getWebgoatContext()
- .getFeedbackAddress() + "");
- }
-
- Html html = new Html();
-
- Head head = new Head();
- head.addElement(new Title(getSourceFileName()));
-
- Body body = new Body();
- body.addElement(new StringElement(src));
-
- html.addElement(head);
- html.addElement(body);
-
- source = html.toString();
-
- return source;
- }
-
- /**
- *
getRawSource.
- *
- * @param s a {@link org.owasp.webgoat.session.WebSession} object.
- * @return a {@link java.lang.String} object.
- */
- public String getRawSource(WebSession s) {
- String src;
-
- try {
- logger.debug("Loading source file: " + getSourceFileName());
- src = readFromFile(new BufferedReader(new FileReader(getSourceFileName())), false);
-
- } catch (FileNotFoundException e) {
- s.setMessage("Could not find source file");
- src = ("Could not find the source file or source file does not exist. "
- + "Send this message to: " + s.getWebgoatContext()
- .getFeedbackAddress() + "");
- }
-
- return src;
- }
-
- /**
- *
getSolution.
- *
- * @param s a {@link org.owasp.webgoat.session.WebSession} object.
- * @return a {@link java.lang.String} object.
- */
- public String getSolution(WebSession s) {
- String src = null;
-
- try {
- // System.out.println("Solution: " + getLessonSolutionFileName());
- src = readFromFile(new BufferedReader(new FileReader(getLessonSolutionFileName())), false);
- } catch (Exception e) {
- logger.error("Could not find solution for {}", getLessonSolutionFileName());
- s.setMessage("Could not find the solution file");
- src = ("Could not find the solution file or solution file does not exist. "
- + "Send this message to: " + s.getWebgoatContext()
- .getFeedbackAddress() + "");
- }
-
- // Solutions are html files
- return src;
- }
-
/**
*
Returns the default "path" portion of a lesson's URL.
*
+ *
* Legacy webgoat lesson links are of the form
* "attack?Screen=Xmenu=Ystage=Z". This method returns the path portion of
* the url, i.e., "attack" in the string above.
@@ -630,7 +190,7 @@ public abstract class AbstractLesson extends Screen implements Comparable
- *
- * @return a {@link org.owasp.webgoat.util.LabelManager} object.
- */
- protected LabelManager getLabelManager() {
- if (labelManager == null) {
- labelManager = BeanProvider.getBean("labelManager", LabelManager.class);
- }
- return labelManager;
- }
-
-
+ public abstract String getId();
}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Assignment.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Assignment.java
new file mode 100644
index 000000000..0189a7884
--- /dev/null
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Assignment.java
@@ -0,0 +1,65 @@
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *
+ */
+package org.owasp.webgoat.lessons;
+
+import org.owasp.webgoat.lessons.model.AttackResult;
+import org.owasp.webgoat.session.UserTracker;
+import org.owasp.webgoat.session.WebSession;
+import org.springframework.beans.factory.annotation.Autowired;
+
+/**
+ * Each lesson can define an endpoint which can support the lesson. So for example if you create a lesson which uses JavaScript and
+ * needs to call out to the server to fetch data you can define an endpoint in that lesson. WebGoat will pick up this endpoint and
+ * Spring will publish it.
+ *
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
- *
+ *
* Copyright (c) 2002 - 20014 Bruce Mayhew
- *
+ *
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
- *
+ *
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
- *
+ *
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
- *
+ *
* Getting Source ==============
- *
+ *
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
*
* @author Bruce Mayhew WebGoat
- * @since October 28, 2003
* @version $Id: $Id
+ * @since October 28, 2003
*/
-public class Category implements Comparable {
+public enum Category {
- /** Constant INTRODUCTION */
- public final static Category INTRODUCTION = new Category("Introduction", new Integer(5));
-
- /** Constant GENERAL */
- public final static Category GENERAL = new Category("General", new Integer(100));
-
- /** Constant ACCESS_CONTROL */
- public final static Category ACCESS_CONTROL = new Category("Access Control Flaws", new Integer(200));
-
- /** Constant AJAX_SECURITY */
- public final static Category AJAX_SECURITY = new Category("AJAX Security", new Integer(400));
-
- /** Constant AUTHENTICATION */
- public final static Category AUTHENTICATION = new Category("Authentication Flaws", new Integer(500));
-
- /** Constant BUFFER_OVERFLOW */
- public final static Category BUFFER_OVERFLOW = new Category("Buffer Overflows", new Integer(600));
-
- /** Constant CODE_QUALITY */
- public final static Category CODE_QUALITY = new Category("Code Quality", new Integer(700));
-
- /** Constant CONCURRENCY */
- public final static Category CONCURRENCY = new Category("Concurrency", new Integer(800));
-
- /** Constant XSS */
- public final static Category XSS = new Category("Cross-Site Scripting (XSS)", new Integer(900));
-
- /** Constant ERROR_HANDLING */
- public final static Category ERROR_HANDLING = new Category("Improper Error Handling", new Integer(1000));
-
- /** Constant INJECTION */
- public final static Category INJECTION = new Category("Injection Flaws", new Integer(1100));
-
- /** Constant DOS */
- public final static Category DOS = new Category("Denial of Service", new Integer(1200));
-
- /** Constant INSECURE_COMMUNICATION */
- public final static Category INSECURE_COMMUNICATION = new Category("Insecure Communication", new Integer(1300));
-
- /** Constant INSECURE_CONFIGURATION */
- public final static Category INSECURE_CONFIGURATION = new Category("Insecure Configuration", new Integer(1400));
-
- /** Constant INSECURE_STORAGE */
- public final static Category INSECURE_STORAGE = new Category("Insecure Storage", new Integer(1500));
-
- /** Constant MALICIOUS_EXECUTION */
- public final static Category MALICIOUS_EXECUTION = new Category("Malicious Execution", new Integer(1600));
-
- /** Constant PARAMETER_TAMPERING */
- public final static Category PARAMETER_TAMPERING = new Category("Parameter Tampering", new Integer(1700));
-
- /** Constant SESSION_MANAGEMENT */
- public final static Category SESSION_MANAGEMENT = new Category("Session Management Flaws", new Integer(1800));
-
- /** Constant WEB_SERVICES */
- public final static Category WEB_SERVICES = new Category("Web Services", new Integer(1900));
-
- /** Constant ADMIN_FUNCTIONS */
- public final static Category ADMIN_FUNCTIONS = new Category("Admin Functions", new Integer(2000));
-
- /** Constant CHALLENGE */
- public final static Category CHALLENGE = new Category("Challenge", new Integer(3000));
-
- private static final List categories = new ArrayList();
-
- private String category;
+ INTRODUCTION("Introduction", new Integer(5)),
+ GENERAL("General", new Integer(100)),
+ ACCESS_CONTROL("Access Control Flaws", new Integer(200)),
+ AJAX_SECURITY("AJAX Security", new Integer(400)),
+ AUTHENTICATION("Authentication Flaws", new Integer(500)),
+ BUFFER_OVERFLOW("Buffer Overflows", new Integer(600)),
+ CODE_QUALITY("Code Quality", new Integer(700)),
+ CONCURRENCY("Concurrency", new Integer(800)),
+ XSS("Cross-Site Scripting (XSS)", new Integer(900)),
+ ERROR_HANDLING("Improper Error Handling", new Integer(1000)),
+ INJECTION("Injection Flaws", new Integer(1100)),
+ DOS("Denial of Service", new Integer(1200)),
+ INSECURE_COMMUNICATION("Insecure Communication", new Integer(1300)),
+ INSECURE_CONFIGURATION("Insecure Configuration", new Integer(1400)),
+ INSECURE_STORAGE("Insecure Storage", new Integer(1500)),
+ MALICIOUS_EXECUTION("Malicious Execution", new Integer(1600)),
+ PARAMETER_TAMPERING("Parameter Tampering", new Integer(1700)),
+ SESSION_MANAGEMENT("Session Management Flaws", new Integer(1800)),
+ WEB_SERVICES("Web Services", new Integer(1900)),
+ ADMIN_FUNCTIONS("Admin Functions", new Integer(2000)),
+ CHALLENGE("Challenge", new Integer(3000));
+ @Getter
+ private String name;
+ @Getter
private Integer ranking;
- static {
- categories.add(INTRODUCTION);
- categories.add(PARAMETER_TAMPERING);
- categories.add(ACCESS_CONTROL);
- categories.add(AUTHENTICATION);
- categories.add(SESSION_MANAGEMENT);
- categories.add(XSS);
- categories.add(BUFFER_OVERFLOW);
- categories.add(INJECTION);
- categories.add(MALICIOUS_EXECUTION);
- categories.add(ERROR_HANDLING);
- categories.add(INSECURE_STORAGE);
- categories.add(DOS);
- categories.add(INSECURE_CONFIGURATION);
- categories.add(WEB_SERVICES);
- categories.add(AJAX_SECURITY);
- categories.add(ADMIN_FUNCTIONS);
- categories.add(GENERAL);
- categories.add(CODE_QUALITY);
- categories.add(CONCURRENCY);
- categories.add(INSECURE_COMMUNICATION);
- categories.add(CHALLENGE);
- }
-
- /**
- *
addCategory.
- *
- * @param c a {@link org.owasp.webgoat.lessons.Category} object.
- */
- public static synchronized void addCategory(Category c) {
- categories.add(c);
- }
-
- /**
- *
Getter for the field category.
- *
- * @param name a {@link java.lang.String} object.
- * @return a {@link org.owasp.webgoat.lessons.Category} object.
- */
- public static synchronized Category getCategory(String name) {
- Iterator it = categories.iterator();
- while (it.hasNext()) {
- Category c = it.next();
- if (c.getName().equals(name)) {
- return c;
- }
- }
- return null;
- }
-
- /**
- *
Constructor for Category.
- *
- * @param category a {@link java.lang.String} object.
- * @param ranking a {@link java.lang.Integer} object.
- */
- public Category(String category, Integer ranking) {
- this.category = category;
+ Category(String name, Integer ranking) {
+ this.name = name;
this.ranking = ranking;
}
- /** {@inheritDoc} */
- @Override
- public int compareTo(Object obj) {
- int value = 1;
-
- if (obj instanceof Category) {
- value = this.getRanking().compareTo(((Category) obj).getRanking());
- }
-
- return value;
- }
-
/**
- *
- *
- * @return a {@link java.lang.String} object.
- */
- public String getName() {
- return category;
- }
-
- /** {@inheritDoc} */
- @Override
- public boolean equals(Object obj) {
- return (obj instanceof Category) && getName().equals(((Category) obj).getName());
- }
-
- /** {@inheritDoc} */
@Override
public String toString() {
return getName();
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Endpoint.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Endpoint.java
new file mode 100644
index 000000000..18e33f4ef
--- /dev/null
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Endpoint.java
@@ -0,0 +1,70 @@
+package org.owasp.webgoat.lessons;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.boot.actuate.endpoint.mvc.MvcEndpoint;
+
+import java.io.File;
+
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *
+ *
+ * @author nbaars
+ * @version $Id: $Id
+ * @since November 13, 2016
+ */
+public abstract class Endpoint implements MvcEndpoint {
+
+ @Autowired
+ @Qualifier("pluginTargetDirectory")
+ private File pluginDirectory;
+
+ /**
+ * The directory of the plugin directory in which the lessons resides, so if you want to access the lesson 'ClientSideFiltering' you will
+ * need to:
+ *
+ *
+ * File lessonDirectory = new File(getPluginDirectory(), "ClientSideFiltering");
+ *
+ *
+ * The directory structure of the lesson is exactly the same as the directory structure in the plugins project.
+ *
+ * @return the top level
+ */
+ protected File getPluginDirectory() {
+ return new File(this.pluginDirectory, "plugin");
+ }
+
+
+ @Override
+ public final boolean isSensitive() {
+ return false;
+ }
+
+ @Override
+ public final Class getEndpointType() {
+ return null;
+ }
+}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonAdapter.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonAdapter.java
index ef9f0f7fd..70d0fdf52 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonAdapter.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonAdapter.java
@@ -1,26 +1,3 @@
-package org.owasp.webgoat.lessons;
-
-import com.google.common.base.Joiner;
-import org.apache.commons.io.IOUtils;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.Center;
-import org.apache.ecs.html.H3;
-import org.apache.ecs.html.P;
-import org.apache.ecs.html.PRE;
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.Table;
-import org.owasp.webgoat.session.WebSession;
-
-import java.io.BufferedReader;
-import java.io.FileReader;
-import java.io.IOException;
-import java.io.InputStream;
-import java.util.ArrayList;
-import java.util.List;
-
/**
*************************************************************************************************
*
@@ -51,59 +28,11 @@ import java.util.List;
* @since October 28, 2003
* @version $Id: $Id
*/
+package org.owasp.webgoat.lessons;
+
+//// TODO: 11/8/2016 remove
public abstract class LessonAdapter extends AbstractLesson {
- /**
- * {@inheritDoc}
- *
- * Description of the Method
- */
- protected Element createContent(WebSession s) {
- // Mark this lesson as completed.
- makeSuccess(s);
-
- ElementContainer ec = new ElementContainer();
-
- ec.addElement(new Center().addElement(new H3().addElement(new StringElement(
- "Detailed Lesson Creation Instructions."))));
- ec.addElement(new P());
- ec
- .addElement(new StringElement(
- "Lesson are simple to create and very little coding is required. "
- + "In fact, most lessons can be created by following the easy to use instructions by going to the WebGoat wiki page "
- + "WebGoat Wiki Page "
- + "If you would prefer, send your lesson ideas to "
- + getWebgoatContext().getFeedbackAddressHTML())
- + " Note: you will need to register at "
- + "the following link to use the feedback tool: "
- + "List Registration "
- + "Finally, OWASP has a slack channel. You can register at the following link: "
- + "OWASP Slack Channel");
-
- try (InputStream is = Thread.currentThread().getContextClassLoader()
- .getResourceAsStream("New Lesson Instructions.txt")) {
- if (is != null) {
- PRE pre = new PRE();
- pre.addElement(Joiner.on("\n").join(IOUtils.readLines(is)));
- ec.addElement(pre);
- }
- } catch (IOException e) {
- e.printStackTrace();
- }
- return (ec);
- }
-
- /**
- * Gets the category attribute of the LessonAdapter object. The default
- * category is "General" Only override this method if you wish to create a
- * new category or if you wish this lesson to reside within a category other
- * the "General"
- *
- * @return The category value
- */
- protected Category getDefaultCategory() {
- return Category.GENERAL;
- }
/**
*
getDefaultHidden.
@@ -133,29 +62,6 @@ public abstract class LessonAdapter extends AbstractLesson {
return DEFAULT_RANKING;
}
- /**
- * {@inheritDoc}
- *
- * Gets the hintCount attribute of the LessonAdapter object
- */
- public int getHintCount(WebSession s) {
- return getHints(s).size();
- }
-
- /**
- * {@inheritDoc}
- *
- * Fill in a minor hint that will help people who basically get it, but are
- * stuck on somthing silly. Hints will be returned to the user in the order
- * they appear below. The user must click on the "next hint" button before
- * the hint will be displayed.
- */
- protected List getHints(WebSession s) {
- List hints = new ArrayList();
- hints.add("There are no hints defined.");
- return hints;
- }
-
/**
* provide a default submitMethod of lesson does not implement
*
@@ -165,44 +71,6 @@ public abstract class LessonAdapter extends AbstractLesson {
return "GET";
}
- /**
- * {@inheritDoc}
- *
- * Gets the instructions attribute of the LessonAdapter object. Instructions
- * will rendered as html and will appear below the control area and above
- * the actual lesson area. Instructions should provide the user with the
- * general setup and goal of the lesson.
- */
- public String getInstructions(WebSession s) {
- StringBuffer buff = new StringBuffer();
- String lang = s.getCurrrentLanguage();
- try {
- String fileName = getLessonPlanFileName(lang);
- if (fileName != null) {
- BufferedReader in = new BufferedReader(new FileReader(fileName));
- String line = null;
- boolean startAppending = false;
- while ((line = in.readLine()) != null) {
- if (line.indexOf("") != -1) {
- startAppending = true;
- continue;
- }
- if (line.indexOf("") != -1) {
- startAppending = false;
- continue;
- }
- if (startAppending) {
- buff.append(line + "\n");
- }
- }
- }
- } catch (Exception e) {
- }
-
- return buff.toString();
-
- }
-
/**
* Fill in a descriptive title for this lesson. The title of the lesson.
* This will appear above the control area at the top of the page. This
@@ -214,66 +82,5 @@ public abstract class LessonAdapter extends AbstractLesson {
return "Untitled Lesson " + getScreenId();
}
- /** {@inheritDoc} */
- public String getCurrentAction(WebSession s) {
- return s.getLessonSession(this).getCurrentLessonScreen();
- }
-
- /** {@inheritDoc} */
- public void setCurrentAction(WebSession s, String lessonScreen) {
- s.getLessonSession(this).setCurrentLessonScreen(lessonScreen);
- }
-
- /**
- *
getSessionAttribute.
- *
- * @param s a {@link org.owasp.webgoat.session.WebSession} object.
- * @param key a {@link java.lang.String} object.
- * @return a {@link java.lang.Object} object.
- */
- public Object getSessionAttribute(WebSession s, String key) {
- return s.getRequest().getSession().getAttribute(key);
- }
-
- /**
- *
setSessionAttribute.
- *
- * @param s a {@link org.owasp.webgoat.session.WebSession} object.
- * @param key a {@link java.lang.String} object.
- * @param value a {@link java.lang.Object} object.
- */
- public void setSessionAttribute(WebSession s, String key, Object value) {
- s.getRequest().getSession().setAttribute(key, value);
- }
-
- /**
- * Description of the Method
- *
- * @param s Description of the Parameter
- * @return Description of the Return Value
- */
- protected Element makeSuccess(WebSession s) {
- getLessonTracker(s).setCompleted(true);
-
- //s.setMessage(getLabelManager().get("LessonCompleted"));
-
- return (null);
- }
-
- /**
- * Gets the credits attribute of the AbstractLesson object
- *
- * @return The credits value
- * @param text a {@link java.lang.String} object.
- * @param e a {@link org.apache.ecs.Element} object.
- */
- protected Element getCustomCredits(String text, Element e) {
- Table t = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0).setWidth("90%").setAlign("RIGHT");
- TR tr = new TR();
- tr.addElement(new TD(text).setVAlign("MIDDLE").setAlign("RIGHT").setWidth("100%"));
- tr.addElement(new TD(e).setVAlign("MIDDLE").setAlign("RIGHT"));
- t.addElement(tr);
- return t;
- }
}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonServletMapping.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/NewLesson.java
similarity index 69%
rename from webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonServletMapping.java
rename to webgoat-container/src/main/java/org/owasp/webgoat/lessons/NewLesson.java
index 9cc6737d8..c0a10e9d4 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonServletMapping.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/NewLesson.java
@@ -1,10 +1,9 @@
package org.owasp.webgoat.lessons;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
+import java.util.List;
/**
- *************************************************************************************************
+ * ************************************************************************************************
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
- *
- * @param s a {@link org.owasp.webgoat.session.WebSession} object.
- * @return a {@link org.apache.ecs.Element} object.
- */
- protected Element createStagedContent(WebSession s)
- {
- try
- {
- int stage = getLessonTracker(s).getStage();
- // int stage = Integer.parseInt(
- // getLessonTracker(s).getLessonProperties().getProperty(WebSession.STAGE,"1"));
-
- switch (stage)
- {
- case 1:
- return (doStage1(s));
- case 2:
- return (doStage2(s));
- case 3:
- return (doStage3(s));
- case 4:
- return (doStage4(s));
- case 5:
- return (doStage5(s));
- case 6:
- return (doStage6(s));
- default:
- throw new Exception("Invalid stage");
- }
- } catch (Exception e)
- {
- s.setMessage("Error generating " + this.getClass().getName());
- // System.out.println(e);
- e.printStackTrace();
- }
-
- return (new StringElement(""));
- }
-
- /**
- *
doStage1.
- *
- * @param s a {@link org.owasp.webgoat.session.WebSession} object.
- * @return a {@link org.apache.ecs.Element} object.
- * @throws java.lang.Exception if any.
- */
- protected Element doStage1(WebSession s) throws Exception
- {
- ElementContainer ec = new ElementContainer();
- ec.addElement("Stage 1 Stub");
- return ec;
- }
-
- /**
- *
doStage2.
- *
- * @param s a {@link org.owasp.webgoat.session.WebSession} object.
- * @return a {@link org.apache.ecs.Element} object.
- * @throws java.lang.Exception if any.
- */
- protected Element doStage2(WebSession s) throws Exception
- {
- ElementContainer ec = new ElementContainer();
- ec.addElement("Stage 2 Stub");
- return ec;
- }
-
- /**
- *
doStage3.
- *
- * @param s a {@link org.owasp.webgoat.session.WebSession} object.
- * @return a {@link org.apache.ecs.Element} object.
- * @throws java.lang.Exception if any.
- */
- protected Element doStage3(WebSession s) throws Exception
- {
- ElementContainer ec = new ElementContainer();
- ec.addElement("Stage 3 Stub");
- return ec;
- }
-
- /**
- *
doStage4.
- *
- * @param s a {@link org.owasp.webgoat.session.WebSession} object.
- * @return a {@link org.apache.ecs.Element} object.
- * @throws java.lang.Exception if any.
- */
- protected Element doStage4(WebSession s) throws Exception
- {
- ElementContainer ec = new ElementContainer();
- ec.addElement("Stage 4 Stub");
- return ec;
- }
-
- /**
- *
doStage5.
- *
- * @param s a {@link org.owasp.webgoat.session.WebSession} object.
- * @return a {@link org.apache.ecs.Element} object.
- * @throws java.lang.Exception if any.
- */
- protected Element doStage5(WebSession s) throws Exception
- {
- ElementContainer ec = new ElementContainer();
- ec.addElement("Stage 5 Stub");
- return ec;
- }
-
- /**
- *
doStage6.
- *
- * @param s a {@link org.owasp.webgoat.session.WebSession} object.
- * @return a {@link org.apache.ecs.Element} object.
- * @throws java.lang.Exception if any.
- */
- protected Element doStage6(WebSession s) throws Exception
- {
- ElementContainer ec = new ElementContainer();
- ec.addElement("Stage 6 Stub");
- return ec;
- }
-
-}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/WelcomeScreen.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/WelcomeScreen.java
deleted file mode 100644
index d9ac9328e..000000000
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/WelcomeScreen.java
+++ /dev/null
@@ -1,159 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.HtmlColor;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.Center;
-import org.apache.ecs.html.Form;
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.Table;
-import org.owasp.webgoat.session.*;
-
-
-/**
- *************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- *
- * @author Jeff Williams Aspect Security
- * @since October 28, 2003
- * @version $Id: $Id
- */
-public class WelcomeScreen extends Screen
-{
-
- /**
- * Constructor for the WelcomeScreen object
- *
- * @param s
- * Description of the Parameter
- */
- public WelcomeScreen(WebSession s)
- {
- setup(s);
- }
-
- /**
- * Constructor for the WelcomeScreen object
- */
- public WelcomeScreen()
- {
- }
-
- /**
- *
setup.
- *
- * @param s a {@link org.owasp.webgoat.session.WebSession} object.
- */
- public void setup(WebSession s)
- {
- // call createContent first so messages will go somewhere
-
- Form form = new Form("attack", Form.POST).setName("form").setEncType("");
-
- form.addElement(wrapForm(s));
-
- TD lowerright = new TD().setHeight("100%").setVAlign("top").setAlign("left").addElement(form);
- TR row = new TR().addElement(lowerright);
- Table layout = new Table().setBgColor(HtmlColor.WHITE).setCellSpacing(0).setCellPadding(0).setBorder(0);
-
- layout.addElement(row);
-
- setContent(layout);
- }
-
- /**
- *
wrapForm.
- *
- * @param s a {@link org.owasp.webgoat.session.WebSession} object.
- * @return a {@link org.apache.ecs.Element} object.
- */
- protected Element wrapForm(WebSession s)
- {
- if (s == null) { return new StringElement("Invalid Session"); }
-
- Table container = new Table().setWidth("100%").setCellSpacing(10).setCellPadding(0).setBorder(0);
-
- // CreateContent can generate error messages so you MUST call it before makeMessages()
- Element content = createContent(s);
- container.addElement(new TR().addElement(new TD().setColSpan(2).setVAlign("TOP").addElement(makeMessages(s))));
- container.addElement(new TR().addElement(new TD().setColSpan(2).addElement(content)));
- container.addElement(new TR());
-
- return (container);
- }
-
- /**
- * {@inheritDoc}
- *
- * Description of the Method
- */
- protected Element createContent(WebSession s)
- {
- ElementContainer ec = new ElementContainer();
- Element b = ECSFactory.makeButton("Start the Course!");
- ec.addElement(new Center(b));
-
- return (ec);
- }
-
- /**
- * Gets the instructions attribute of the WelcomeScreen object
- *
- * @return The instructions value
- */
- protected String getInstructions()
- {
- String instructions = "Enter your name and learn how HTTP really works!";
-
- return (instructions);
- }
-
- /**
- * Gets the title attribute of the WelcomeScreen object
- *
- * @return The title value
- */
- public String getTitle()
- {
- return ("Welcome to the Penetration Testing Course");
- }
-
- /*
- * (non-Javadoc)
- * @see session.Screen#getRole()
- */
- /**
- *
getRole.
- *
- * @return a {@link java.lang.String} object.
- */
- public String getRole()
- {
- return AbstractLesson.USER_ROLE;
- }
-}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/AdminScreen.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/AdminScreen.java
deleted file mode 100644
index ea1cbb175..000000000
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/AdminScreen.java
+++ /dev/null
@@ -1,109 +0,0 @@
-
-package org.owasp.webgoat.lessons.admin;
-
-import org.owasp.webgoat.lessons.AbstractLesson;
-import org.owasp.webgoat.session.Screen;
-import org.owasp.webgoat.session.WebSession;
-
-
-/**
- *************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- *
- * @author Jeff Williams Aspect Security
- * @since October 28, 2003
- * @version $Id: $Id
- */
-public abstract class AdminScreen extends Screen
-{
-
- /**
- * Description of the Field
- */
- protected String query = null;
-
- /**
- * Constructor for the AdminScreen object
- *
- * @param s
- * Description of the Parameter
- * @param q
- * Description of the Parameter
- */
- public AdminScreen(WebSession s, String q)
- {
- setQuery(q);
-
- // setupAdmin(s); FIXME: what was this supposed to do?
- }
-
- /**
- * Constructor for the AdminScreen object
- *
- * @param s
- * Description of the Parameter
- */
- public AdminScreen(WebSession s)
- {
- }
-
- /**
- * Constructor for the AdminScreen object
- */
- public AdminScreen()
- {
- }
-
- /**
- * Gets the title attribute of the AdminScreen object
- *
- * @return The title value
- */
- public String getTitle()
- {
- return ("Admin Information");
- }
-
- /**
- *
getRole.
- *
- * @return a {@link java.lang.String} object.
- */
- public String getRole()
- {
- return AbstractLesson.ADMIN_ROLE;
- }
-
- /**
- * Sets the query attribute of the AdminScreen object
- *
- * @param q
- * The new query value
- */
- public void setQuery(String q)
- {
- query = q;
- }
-}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/MenuToLessonMapperScreen.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/MenuToLessonMapperScreen.java
deleted file mode 100644
index 5a5085ef5..000000000
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/MenuToLessonMapperScreen.java
+++ /dev/null
@@ -1,162 +0,0 @@
-
-package org.owasp.webgoat.lessons.admin;
-
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.BR;
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.TH;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.Table;
-import org.owasp.webgoat.lessons.AbstractLesson;
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.LessonAdapter;
-import org.owasp.webgoat.session.WebSession;
-
-import java.net.URL;
-
-import static org.springframework.util.StringUtils.getFilename;
-import static org.springframework.util.StringUtils.stripFilenameExtension;
-
-
-/**
- *************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- *
- * @author Bruce Mayhew WebGoat
- * @since October 28, 2003
- * @version $Id: $Id
- */
-public class MenuToLessonMapperScreen extends LessonAdapter
-{
-
- /**
- * {@inheritDoc}
- *
- * Description of the Method
- */
- protected Element createContent(WebSession s)
- {
- ElementContainer ec = new ElementContainer();
- ec.addElement(new StringElement("This page describes an overview of all the lessons and maps the lesson to the WebGoat-Lessons project"));
- ec.addElement(new BR());
- ec.addElement(new BR());
- ec.addElement(makeMenuToLessonMapping(s));
-
- return ec;
- }
-
- /**
- * Gets the category attribute of the UserAdminScreen object
- *
- * @return The category value
- */
- protected Category getDefaultCategory()
- {
- return Category.ADMIN_FUNCTIONS;
- }
-
- private final static Integer DEFAULT_RANKING = new Integer(1000);
-
- /**
- *
getDefaultRanking.
- *
- * @return a {@link java.lang.Integer} object.
- */
- protected Integer getDefaultRanking()
- {
- return DEFAULT_RANKING;
- }
-
- /**
- * Gets the role attribute of the UserAdminScreen object
- *
- * @return The role value
- */
- public String getRole()
- {
- return ADMIN_ROLE;
- }
-
- /**
- * Gets the title attribute of the UserAdminScreen object
- *
- * @return The title value
- */
- public String getTitle()
- {
- return ("Lesson information");
- }
-
- /**
- * Description of the Method
- *
- * @param s
- * Description of the Parameter
- * @return Description of the Return Value
- */
- public Element makeMenuToLessonMapping(WebSession s)
- {
- ElementContainer ec = new ElementContainer();
- Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1);
- t.addElement(makeHeaderRow());
-
- for (AbstractLesson lesson : s.getCourse().getLessons(s, AbstractLesson.USER_ROLE)) {
- TR tr = new TR();
- tr.addElement(new TD().addElement(lesson.getName()));
-
- URL jarLocation = lesson.getClass().getProtectionDomain().getCodeSource().getLocation();
- String projectName = removeVersion(stripFilenameExtension(getFilename(jarLocation.getFile())));
- tr.addElement(new TD().addElement(projectName));
-
- tr.addElement(new TD().addElement(lesson.getClass().getName() + ".java"));
- t.addElement(tr);
- }
- ec.addElement(t);
- return (ec);
- }
-
- //Remove version number and last '-'
- private static String removeVersion(String s) {
- return s.replaceAll("[^a-z\\-]", "").replaceAll("-$", "");
- }
-
- /**
- * Description of the Method
- *
- * @return Description of the Return Value
- */
- private TR makeHeaderRow()
- {
- TR tr = new TR();
-
- tr.addElement(new TH("Lesson menu item"));
- tr.addElement(new TH("Lesson project"));
- tr.addElement(new TH("Lesson source class"));
-
- return tr;
- }
-}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/ProductsAdminScreen.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/ProductsAdminScreen.java
deleted file mode 100644
index 43b74795d..000000000
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/ProductsAdminScreen.java
+++ /dev/null
@@ -1,124 +0,0 @@
-
-package org.owasp.webgoat.lessons.admin;
-
-import java.sql.Connection;
-import java.sql.ResultSet;
-import java.sql.ResultSetMetaData;
-import java.sql.Statement;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.LessonAdapter;
-import org.owasp.webgoat.session.DatabaseUtilities;
-import org.owasp.webgoat.session.WebSession;
-
-
-/**
- *************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- *
- * @author Jeff Williams Aspect Security
- * @since October 28, 2003
- * @version $Id: $Id
- */
-public class ProductsAdminScreen extends LessonAdapter
-{
-
- private final static String QUERY = "SELECT * FROM product_system_data";
-
- /**
- * {@inheritDoc}
- *
- * Description of the Method
- */
- protected Element createContent(WebSession s)
- {
- ElementContainer ec = new ElementContainer();
-
- try
- {
- Connection connection = DatabaseUtilities.getConnection(s);
-
- Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
- ResultSet.CONCUR_READ_ONLY);
- ResultSet results = statement.executeQuery(QUERY);
-
- if (results != null)
- {
- makeSuccess(s);
- ResultSetMetaData resultsMetaData = results.getMetaData();
- ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData));
- }
- } catch (Exception e)
- {
- s.setMessage("Error generating " + this.getClass().getName());
- e.printStackTrace();
- }
-
- return (ec);
- }
-
- /**
- * Gets the category attribute of the ProductsAdminScreen object
- *
- * @return The category value
- */
- protected Category getDefaultCategory()
- {
- return Category.ADMIN_FUNCTIONS;
- }
-
- /**
- * Gets the role attribute of the ProductsAdminScreen object
- *
- * @return The role value
- */
- public String getRole()
- {
- return HACKED_ADMIN_ROLE;
- }
-
- /**
- * Gets the title attribute of the ProductsAdminScreen object
- *
- * @return The title value
- */
- public String getTitle()
- {
- return ("Product Information");
- }
-
- private final static Integer DEFAULT_RANKING = new Integer(1000);
-
- /**
- *
getDefaultRanking.
- *
- * @return a {@link java.lang.Integer} object.
- */
- protected Integer getDefaultRanking()
- {
- return DEFAULT_RANKING;
- }
-}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/RefreshDBScreen.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/RefreshDBScreen.java
deleted file mode 100644
index 556701f0b..000000000
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/RefreshDBScreen.java
+++ /dev/null
@@ -1,160 +0,0 @@
-
-package org.owasp.webgoat.lessons.admin;
-
-import java.sql.Connection;
-import org.owasp.webgoat.lessons.*;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.A;
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.Table;
-import org.owasp.webgoat.session.*;
-
-
-/**
- *************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- *
- * @author Jeff Williams Aspect Security
- * @since October 28, 2003
- * @version $Id: $Id
- */
-public class RefreshDBScreen extends LessonAdapter
-{
-
- private final static String REFRESH = "Refresh";
-
- /**
- * {@inheritDoc}
- *
- * Description of the Method
- */
- protected Element createContent(WebSession s)
- {
- ElementContainer ec = new ElementContainer();
-
- try
- {
- boolean refresh = s.getParser().getBooleanParameter(REFRESH, false);
-
- if (refresh)
- {
- refreshDB(s);
- ec.addElement(new StringElement("Successfully refreshed the database."));
- }
- else
- {
- Element label = new StringElement("Refresh the database? ");
- A link1 = ECSFactory.makeLink("Yes", REFRESH, true);
- A link2 = ECSFactory.makeLink("No", REFRESH, false);
- TD td1 = new TD().addElement(label);
- TD td2 = new TD().addElement(link1);
- TD td3 = new TD().addElement(link2);
- TR row = new TR().addElement(td1).addElement(td2).addElement(td3);
- Table t = new Table().setCellSpacing(40).setWidth("50%");
-
- if (s.isColor())
- {
- t.setBorder(1);
- }
-
- t.addElement(row);
- ec.addElement(t);
- }
- } catch (Exception e)
- {
- s.setMessage("Error generating " + this.getClass().getName());
- e.printStackTrace();
- }
-
- return (ec);
- }
-
- /**
- * Gets the category attribute of the RefreshDBScreen object
- *
- * @return The category value
- */
- protected Category getDefaultCategory()
- {
- return Category.ADMIN_FUNCTIONS;
- }
-
- private final static Integer DEFAULT_RANKING = new Integer(1000);
-
- /**
- *
getDefaultRanking.
- *
- * @return a {@link java.lang.Integer} object.
- */
- protected Integer getDefaultRanking()
- {
- return DEFAULT_RANKING;
- }
-
- /**
- * Gets the role attribute of the RefreshDBScreen object
- *
- * @return The role value
- */
- public String getRole()
- {
- return ADMIN_ROLE;
- }
-
- /**
- * Gets the title attribute of the RefreshDBScreen object
- *
- * @return The title value
- */
- public String getTitle()
- {
- return ("Refresh Database");
- }
-
- /**
- * Description of the Method
- *
- * @param s
- * Description of the Parameter
- */
- public void refreshDB(WebSession s)
- {
- try
- {
- Connection connection = DatabaseUtilities.getConnection(s);
-
- CreateDB db = new CreateDB();
- db.makeDB(connection);
- System.out.println("Successfully refreshed the database.");
- } catch (Exception e)
- {
- s.setMessage("Error refreshing database " + this.getClass().getName());
- e.printStackTrace();
- }
- }
-}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/ReportCardScreen.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/ReportCardScreen.java
deleted file mode 100644
index 13f31a753..000000000
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/ReportCardScreen.java
+++ /dev/null
@@ -1,295 +0,0 @@
-
-package org.owasp.webgoat.lessons.admin;
-
-import java.util.Iterator;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.HtmlColor;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.Center;
-import org.apache.ecs.html.H2;
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.TH;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.Table;
-import org.owasp.webgoat.lessons.AbstractLesson;
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.LessonAdapter;
-import org.owasp.webgoat.session.LessonTracker;
-import org.owasp.webgoat.session.Screen;
-import org.owasp.webgoat.session.UserTracker;
-import org.owasp.webgoat.session.WebSession;
-
-
-/**
- *************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- *
- * @author Bruce Mayhew WebGoat
- * @since October 28, 2003
- * @version $Id: $Id
- */
-public class ReportCardScreen extends LessonAdapter
-{
-
- /**
- * Description of the Field
- */
- protected final static String USERNAME = "Username";
-
- /**
- * {@inheritDoc}
- *
- * Description of the Method
- */
- protected Element createContent(WebSession s)
- {
- ElementContainer ec = new ElementContainer();
-
- String user = null;
-
- try
- {
- if (s.getRequest().isUserInRole(WebSession.WEBGOAT_ADMIN))
- {
- user = s.getParser().getRawParameter(USERNAME);
- }
- else
- {
- user = s.getUserName();
- }
- } catch (Exception e)
- {
- }
-
- if (user == null)
- {
- user = s.getUserName();
- }
-
- ec.addElement(makeFeedback(s));
- ec.addElement(makeReportCard(s, user));
-
- return ec;
- }
-
- private Element makeFeedback(WebSession s)
- {
- ElementContainer ec = new ElementContainer();
- ec.addElement(new StringElement("Comments and suggestions are welcome. "
- + getWebgoatContext().getFeedbackAddressHTML() + "
"));
-
- return ec;
- }
-
- /**
- * Gets the category attribute of the UserAdminScreen object
- *
- * @return The category value
- */
- protected Category getDefaultCategory()
- {
- return Category.ADMIN_FUNCTIONS;
- }
-
- private final static Integer DEFAULT_RANKING = new Integer(1000);
-
- /**
- *
getDefaultRanking.
- *
- * @return a {@link java.lang.Integer} object.
- */
- protected Integer getDefaultRanking()
- {
- return DEFAULT_RANKING;
- }
-
- /**
- * Gets the role attribute of the UserAdminScreen object
- *
- * @return The role value
- */
- public String getRole()
- {
- return USER_ROLE;
- }
-
- /**
- * Gets the title attribute of the UserAdminScreen object
- *
- * @return The title value
- */
- public String getTitle()
- {
- return ("Report Card");
- }
-
- /**
- * Description of the Method
- *
- * @param screen
- * Description of the Parameter
- * @param s
- * Description of the Parameter
- * @param user
- * Description of the Parameter
- * @return Description of the Return Value
- */
- private TR makeLessonRow(WebSession s, String user, Screen screen)
- {
- LessonTracker lessonTracker = UserTracker.instance().getLessonTracker(s, user, screen);
- TR tr = new TR();
- if (lessonTracker.getCompleted())
- {
- tr.setBgColor(HtmlColor.LIGHTGREEN);
- }
- else if (lessonTracker.getNumVisits() == 0)
- {
- tr.setBgColor(HtmlColor.LIGHTBLUE);
- }
- else if (!lessonTracker.getCompleted() && lessonTracker.getNumVisits() > 10)
- {
- tr.setBgColor(HtmlColor.RED);
- }
- else
- {
- tr.setBgColor(HtmlColor.YELLOW);
- }
- tr.addElement(new TD().addElement(screen.getTitle()));
- tr.addElement(new TD().setAlign("CENTER").addElement(lessonTracker.getCompleted() ? "Y" : "N"));
- tr.addElement(new TD().setAlign("CENTER").addElement(Integer.toString(lessonTracker.getNumVisits())));
- tr.addElement(new TD().setAlign("CENTER").addElement(Integer.toString(lessonTracker.getMaxHintLevel())));
- return tr;
- }
-
- /**
- * {@inheritDoc}
- *
- * Description of the Method
- */
- protected Element makeMessages(WebSession s)
- {
- ElementContainer ec = new ElementContainer();
-
- return (ec);
- }
-
- /**
- * Description of the Method
- *
- * @param s
- * Description of the Parameter
- * @param user
- * Description of the Parameter
- * @return Description of the Return Value
- */
- public Element makeReportCard(WebSession s, String user)
- {
- ElementContainer ec = new ElementContainer();
-
- ec.addElement(makeUser(s, user));
- Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1);
-
- if (s.isColor())
- {
- t.setBorder(1);
- }
- TR tr = new TR();
- t.addElement(makeUserHeaderRow());
-
- // These are all the user lesson
- tr = new TR();
- tr.addElement(new TD().setAlign("CENTER").setColSpan(9).addElement("Normal user lessons"));
- t.addElement(tr);
- for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.USER_ROLE).iterator(); lessonIter
- .hasNext();)
- {
- Screen screen = (Screen) lessonIter.next();
- t.addElement(makeLessonRow(s, user, screen));
- }
-
- // The user figured out there was a hackable admin acocunt
- tr = new TR();
- tr.addElement(new TD().setAlign("CENTER").setColSpan(9).addElement("Hackable Admin Screens"));
- t.addElement(tr);
- for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.HACKED_ADMIN_ROLE).iterator(); lessonIter
- .hasNext();)
- {
- Screen screen = (Screen) lessonIter.next();
- t.addElement(makeLessonRow(s, user, screen));
- }
-
- // The user figured out how to actually hack the admin acocunt
- tr = new TR();
- tr.addElement(new TD().setAlign("CENTER").setColSpan(9).addElement("Actual Admin Screens"));
- t.addElement(tr);
- for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.ADMIN_ROLE).iterator(); lessonIter
- .hasNext();)
- {
- Screen screen = (Screen) lessonIter.next();
- t.addElement(makeLessonRow(s, user, screen));
- }
-
- ec.addElement(t);
- return (ec);
- }
-
- /**
- * Description of the Method
- *
- * @param s
- * Description of the Parameter
- * @param user
- * Description of the Parameter
- * @return Description of the Return Value
- */
- protected Element makeUser(WebSession s, String user)
- {
- H2 h2 = new H2();
- // FIXME: The session is the current session, not the session of the user we are reporting.
- // String type = s.isAdmin() ? " [Administrative User]" : s.isHackedAdmin() ?
- // " [Normal User - Hacked Admin Access]" : " [Normal User]";
- String type = "";
- h2.addElement(new StringElement("Results for: " + user + type));
- return h2;
- }
-
- /**
- * Description of the Method
- *
- * @return Description of the Return Value
- */
- private TR makeUserHeaderRow()
- {
- TR tr = new TR();
-
- tr.addElement(new TH("Lesson"));
- tr.addElement(new TH("Complete"));
- tr.addElement(new TH("Visits"));
- tr.addElement(new TH("Hints"));
-
- return tr;
- }
-}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/SummaryReportCardScreen.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/SummaryReportCardScreen.java
deleted file mode 100644
index 00225fcc8..000000000
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/SummaryReportCardScreen.java
+++ /dev/null
@@ -1,326 +0,0 @@
-
-package org.owasp.webgoat.lessons.admin;
-
-import java.util.Enumeration;
-import java.util.Iterator;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.HtmlColor;
-import org.apache.ecs.html.Center;
-import org.apache.ecs.html.Input;
-import org.apache.ecs.html.P;
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.TH;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.Table;
-import org.owasp.webgoat.lessons.AbstractLesson;
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.LessonAdapter;
-import org.owasp.webgoat.session.LessonTracker;
-import org.owasp.webgoat.session.Screen;
-import org.owasp.webgoat.session.UserTracker;
-import org.owasp.webgoat.session.WebSession;
-
-
-/**
- *************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- *
- * @author Bruce mayhew WebGoat
- * @since October 28, 2003
- * @version $Id: $Id
- */
-public class SummaryReportCardScreen extends LessonAdapter
-{
-
- private int totalUsersNormalComplete = 0;
-
- private int totalUsersAdminComplete = 0;
-
- /**
- * {@inheritDoc}
- *
- * Description of the Method
- */
- protected Element createContent(WebSession s)
- {
- ElementContainer ec = new ElementContainer();
-
- String selectedUser = null;
-
- try
- {
- if (s.getRequest().isUserInRole(WebSession.WEBGOAT_ADMIN))
- {
- Enumeration e = s.getParser().getParameterNames();
-
- while (e.hasMoreElements())
- {
- String key = (String) e.nextElement();
- if (key.startsWith("View_"))
- {
- selectedUser = key.substring("View_".length());
- ReportCardScreen reportCard = new ReportCardScreen();
- return reportCard.makeReportCard(s, selectedUser);
- }
- if (key.startsWith("Delete_"))
- {
- selectedUser = key.substring("Delete_".length());
- deleteUser(selectedUser);
- }
- }
- }
- } catch (Exception e)
- {
- e.printStackTrace();
- }
-
- ec.addElement(new Center().addElement(makeSummary(s)));
-
- ec.addElement(new P());
-
- Table t = new Table().setCellSpacing(0).setCellPadding(4).setBorder(1).setWidth("100%");
- if (s.isColor())
- {
- t.setBorder(1);
- }
- t.addElement(makeUserSummaryHeader());
-
- for (Iterator userIter = UserTracker.instance().getAllUsers(WebSession.WEBGOAT_USER).iterator(); userIter
- .hasNext();)
- {
-
- String user = userIter.next();
- t.addElement(makeUserSummaryRow(s, user));
- }
-
- ec.addElement(new Center().addElement(t));
-
- return ec;
- }
-
- /**
- *
makeSummary.
- *
- * @param s a {@link org.owasp.webgoat.session.WebSession} object.
- * @return a {@link org.apache.ecs.Element} object.
- */
- protected Element makeSummary(WebSession s)
- {
- Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("100%");
- if (s.isColor())
- {
- t.setBorder(1);
- }
- TR tr = new TR();
- // tr.addElement( new TH().addElement( "Summary").setColSpan(1));
- // t.addElement( tr );
-
- tr = new TR();
- tr.addElement(new TD().setWidth("60%").addElement("Total number of users"));
- tr.addElement(new TD().setAlign("LEFT").addElement(
- Integer.toString(UserTracker.instance()
- .getAllUsers(WebSession.WEBGOAT_USER).size())));
- t.addElement(tr);
-
- tr = new TR();
- tr.addElement(new TD().setWidth("60%").addElement("Total number of users that completed all normal lessons"));
- tr.addElement(new TD().setAlign("LEFT").addElement(Integer.toString(totalUsersNormalComplete)));
- t.addElement(tr);
-
- tr = new TR();
- tr.addElement(new TD().setWidth("60%").addElement("Total number of users that completed all admin lessons"));
- tr.addElement(new TD().setAlign("LEFT").addElement(Integer.toString(totalUsersAdminComplete)));
- t.addElement(tr);
- return t;
- }
-
- private void deleteUser(String user)
- {
- UserTracker.instance().deleteUser(user);
- }
-
- /**
- * Gets the category attribute of the UserAdminScreen object
- *
- * @return The category value
- */
- protected Category getDefaultCategory()
- {
- return Category.ADMIN_FUNCTIONS;
- }
-
- private final static Integer DEFAULT_RANKING = new Integer(1000);
-
- /**
- *
getDefaultRanking.
- *
- * @return a {@link java.lang.Integer} object.
- */
- protected Integer getDefaultRanking()
- {
- return DEFAULT_RANKING;
- }
-
- /**
- * Gets the role attribute of the UserAdminScreen object
- *
- * @return The role value
- */
- public String getRole()
- {
- return ADMIN_ROLE;
- }
-
- /**
- * Gets the title attribute of the UserAdminScreen object
- *
- * @return The title value
- */
- public String getTitle()
- {
- return ("Summary Report Card");
- }
-
- /**
- * {@inheritDoc}
- *
- * Description of the Method
- */
- protected Element makeMessages(WebSession s)
- {
- ElementContainer ec = new ElementContainer();
-
- return (ec);
- }
-
- /**
- * Description of the Method
- *
- * @return Description of the Return Value
- */
- protected Element makeUserSummaryHeader()
- {
- TR tr = new TR();
-
- tr.addElement(new TH("User Name"));
- tr.addElement(new TH("Normal Complete"));
- tr.addElement(new TH("Admin Complete"));
- tr.addElement(new TH("View"));
- tr.addElement(new TH("Delete"));
-
- return tr;
- }
-
- /**
- * Description of the Method
- *
- * @param s
- * Description of the Parameter
- * @param user
- * Description of the Parameter
- * @return Description of the Return Value
- */
- protected Element makeUserSummaryRow(WebSession s, String user)
- {
- TR tr = new TR();
-
- tr.addElement(new TD().setAlign("LEFT").addElement(user));
- int lessonCount = 0;
- int passedCount = 0;
- boolean normalComplete = false;
- boolean adminComplete = false;
-
- for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.USER_ROLE).iterator(); lessonIter
- .hasNext();)
- {
- lessonCount++;
- Screen screen = (Screen) lessonIter.next();
-
- LessonTracker lessonTracker = UserTracker.instance().getLessonTracker(s, user, screen);
- if (lessonTracker.getCompleted())
- {
- passedCount++;
- }
- }
- if (lessonCount == passedCount)
- {
- normalComplete = true;
- totalUsersNormalComplete++;
- }
- String text = Integer.toString(passedCount) + " of " + Integer.toString(lessonCount);
- tr.addElement(new TD().setAlign("CENTER").addElement(text));
-
- lessonCount = 0;
- passedCount = 0;
- for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.HACKED_ADMIN_ROLE).iterator(); lessonIter
- .hasNext();)
- {
- lessonCount++;
- Screen screen = (Screen) lessonIter.next();
-
- LessonTracker lessonTracker = UserTracker.instance().getLessonTracker(s, user, screen);
- if (lessonTracker.getCompleted())
- {
- passedCount++;
- }
- }
- if (lessonCount == passedCount)
- {
- adminComplete = true;
- totalUsersAdminComplete++;
- }
- text = Integer.toString(passedCount) + " of " + Integer.toString(lessonCount);
- tr.addElement(new TD().setAlign("CENTER").addElement(text));
-
- tr.addElement(new TD().setAlign("CENTER").addElement(new Input(Input.SUBMIT, "View_" + user, "View")));
- tr.addElement(new TD().setAlign("CENTER").addElement(new Input(Input.SUBMIT, "Delete_" + user, "Delete")));
-
- if (normalComplete && adminComplete)
- {
- tr.setBgColor(HtmlColor.GREEN);
- }
- else if (normalComplete)
- {
- tr.setBgColor(HtmlColor.LIGHTGREEN);
- }
- else
- {
- tr.setBgColor(HtmlColor.LIGHTBLUE);
- }
-
- return (tr);
- }
-
- /**
- *
isEnterprise.
- *
- * @return a boolean.
- */
- public boolean isEnterprise()
- {
- return true;
- }
-}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/UserAdminScreen.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/UserAdminScreen.java
deleted file mode 100644
index 7cae656e5..000000000
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/UserAdminScreen.java
+++ /dev/null
@@ -1,124 +0,0 @@
-
-package org.owasp.webgoat.lessons.admin;
-
-import java.sql.Connection;
-import java.sql.ResultSet;
-import java.sql.ResultSetMetaData;
-import java.sql.Statement;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.LessonAdapter;
-import org.owasp.webgoat.session.DatabaseUtilities;
-import org.owasp.webgoat.session.WebSession;
-
-
-/**
- *************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- *
- * @author Bruce Mayhew WebGoat
- * @since October 28, 2003
- * @version $Id: $Id
- */
-public class UserAdminScreen extends LessonAdapter
-{
-
- private final static String QUERY = "SELECT * FROM user_system_data";
-
- /**
- * {@inheritDoc}
- *
- * Description of the Method
- */
- protected Element createContent(WebSession s)
- {
- ElementContainer ec = new ElementContainer();
-
- try
- {
- Connection connection = DatabaseUtilities.getConnection(s);
-
- Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
- ResultSet.CONCUR_READ_ONLY);
- ResultSet results = statement.executeQuery(QUERY);
-
- if (results != null)
- {
- makeSuccess(s);
- ResultSetMetaData resultsMetaData = results.getMetaData();
- ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData));
- }
- } catch (Exception e)
- {
- s.setMessage("Error generating " + this.getClass().getName());
- e.printStackTrace();
- }
-
- return (ec);
- }
-
- /**
- * Gets the category attribute of the UserAdminScreen object
- *
- * @return The category value
- */
- protected Category getDefaultCategory()
- {
- return Category.ADMIN_FUNCTIONS;
- }
-
- private final static Integer DEFAULT_RANKING = new Integer(1000);
-
- /**
- *
getDefaultRanking.
- *
- * @return a {@link java.lang.Integer} object.
- */
- protected Integer getDefaultRanking()
- {
- return DEFAULT_RANKING;
- }
-
- /**
- * Gets the role attribute of the UserAdminScreen object
- *
- * @return The role value
- */
- public String getRole()
- {
- return HACKED_ADMIN_ROLE;
- }
-
- /**
- * Gets the title attribute of the UserAdminScreen object
- *
- * @return The title value
- */
- public String getTitle()
- {
- return ("User Information");
- }
-}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/ViewDatabase.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/ViewDatabase.java
deleted file mode 100644
index c967255ff..000000000
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/ViewDatabase.java
+++ /dev/null
@@ -1,165 +0,0 @@
-
-package org.owasp.webgoat.lessons.admin;
-
-import java.sql.Connection;
-import java.sql.ResultSet;
-import java.sql.ResultSetMetaData;
-import java.sql.Statement;
-import java.util.ArrayList;
-import java.util.List;
-import org.owasp.webgoat.lessons.*;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.Input;
-import org.owasp.webgoat.session.*;
-
-
-/**
- *************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- *
- * @author Jeff Williams Aspect Security
- * @since October 28, 2003
- * @version $Id: $Id
- */
-public class ViewDatabase extends LessonAdapter
-{
-
- private final static String SQL = "sql";
-
- /**
- * {@inheritDoc}
- *
- * Description of the Method
- */
- protected Element createContent(WebSession s)
- {
- ElementContainer ec = new ElementContainer();
-
- try
- {
- ec.addElement(new StringElement("Enter a SQL statement: "));
-
- StringBuffer sqlStatement = new StringBuffer(s.getParser().getRawParameter(SQL, ""));
- Input input = new Input(Input.TEXT, SQL, sqlStatement.toString());
- ec.addElement(input);
-
- Element b = ECSFactory.makeButton("Go!");
- ec.addElement(b);
-
- Connection connection = DatabaseUtilities.getConnection(s);
-
- if (sqlStatement.length() > 0)
- {
-
- Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
- ResultSet.CONCUR_READ_ONLY);
- ResultSet results = statement.executeQuery(sqlStatement.toString());
-
- if ((results != null) && (results.first() == true))
- {
- makeSuccess(s);
- ResultSetMetaData resultsMetaData = results.getMetaData();
- ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData));
- }
-
- }
- } catch (Exception e)
- {
- s.setMessage("Error generating " + this.getClass().getName());
- e.printStackTrace();
- }
-
- return (ec);
- }
-
- /**
- * Gets the category attribute of the DatabaseScreen object
- *
- * @return The category value
- */
- protected Category getDefaultCategory()
- {
- return Category.ADMIN_FUNCTIONS;
- }
-
- private final static Integer DEFAULT_RANKING = new Integer(1000);
-
- /**
- *
getDefaultRanking.
- *
- * @return a {@link java.lang.Integer} object.
- */
- protected Integer getDefaultRanking()
- {
- return DEFAULT_RANKING;
- }
-
- /**
- * {@inheritDoc}
- *
- * Gets the hints attribute of the DatabaseScreen object
- */
- protected List getHints(WebSession s)
- {
- List hints = new ArrayList();
- hints.add("There are no hints defined");
-
- return hints;
- }
-
- /**
- * {@inheritDoc}
- *
- * Gets the instructions attribute of the ViewDatabase object
- */
- public String getInstructions(WebSession s)
- {
- String instructions = "Please post a message to to the WebGoat forum. Your messages will be available for everyone to read.";
-
- return (instructions);
- }
-
- /**
- * Gets the role attribute of the ViewDatabase object
- *
- * @return The role value
- */
- public String getRole()
- {
- return HACKED_ADMIN_ROLE;
- }
-
- /**
- * Gets the title attribute of the DatabaseScreen object
- *
- * @return The title value
- */
- public String getTitle()
- {
- return ("Adhoc Query");
- }
-}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/WelcomeAdminScreen.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/WelcomeAdminScreen.java
deleted file mode 100644
index b6b456a10..000000000
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/WelcomeAdminScreen.java
+++ /dev/null
@@ -1,87 +0,0 @@
-
-package org.owasp.webgoat.lessons.admin;
-
-import org.owasp.webgoat.lessons.WelcomeScreen;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.html.Center;
-import org.apache.ecs.html.H1;
-import org.owasp.webgoat.session.WebSession;
-
-
-/**
- *************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- *
- * @author Jeff Williams Aspect Security
- * @since October 28, 2003
- * @version $Id: $Id
- */
-public class WelcomeAdminScreen extends WelcomeScreen
-{
-
- /**
- * Constructor for the WelcomeAdminScreen object
- *
- * @param s
- * Description of the Parameter
- */
- public WelcomeAdminScreen(WebSession s)
- {
- super(s);
- }
-
- /**
- * Constructor for the WelcomeAdminScreen object
- */
- public WelcomeAdminScreen()
- {
- }
-
- /**
- * {@inheritDoc}
- *
- * Description of the Method
- */
- protected Element createContent(WebSession s)
- {
- ElementContainer ec = new ElementContainer();
-
- ec.addElement(new Center(new H1("You are logged on as an administrator")));
- ec.addElement(super.createContent(s));
-
- return (ec);
- }
-
- /**
- * Gets the title attribute of the WelcomeAdminScreen object
- *
- * @return The title value
- */
- public String getTitle()
- {
- return ("Admin Welcome");
- }
-}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/AttackResult.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/AttackResult.java
new file mode 100644
index 000000000..bfcc34c68
--- /dev/null
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/AttackResult.java
@@ -0,0 +1,72 @@
+package org.owasp.webgoat.lessons.model;
+
+import lombok.Getter;
+
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *
+ *
+ * @author WebGoat
+ * @version $Id: $Id
+ * @since August 13, 2016
+ */
+@Getter
+public class AttackResult {
+
+ private boolean lessonCompleted;
+ private String feedback;
+ private String output;
+
+ public static AttackResult success() {
+ return AttackResult.success("Congratulations");
+ }
+
+ public static AttackResult success(String feedback) {
+ return success(feedback, "");
+ }
+
+ public static AttackResult success(String feedback, String output) {
+ AttackResult attackResult = new AttackResult();
+ attackResult.lessonCompleted = true;
+ attackResult.feedback = feedback;
+ attackResult.output = output;
+ return attackResult;
+ }
+
+ public static AttackResult failed(String feedback) {
+ return failed(feedback, "");
+ }
+
+ public static AttackResult failed(String feedback, String output) {
+ AttackResult attackResult = new AttackResult();
+ attackResult.lessonCompleted = false;
+ attackResult.feedback = feedback;
+ attackResult.output = output;
+ return attackResult;
+ }
+
+ public boolean assignmentSolved() {
+ return lessonCompleted;
+ }
+}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/LessonInfoModel.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/LessonInfoModel.java
index a08decbc6..427a7f57c 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/LessonInfoModel.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/LessonInfoModel.java
@@ -1,7 +1,7 @@
package org.owasp.webgoat.lessons.model;
+import lombok.Getter;
import org.owasp.webgoat.lessons.AbstractLesson;
-import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.session.WebSession;
/**
@@ -10,6 +10,8 @@ import org.owasp.webgoat.session.WebSession;
* @author dm
* @version $Id: $Id
*/
+//// TODO: 11/5/2016 this can be removed???
+@Getter
public class LessonInfoModel {
private String lessonTitle;
@@ -27,78 +29,11 @@ public class LessonInfoModel {
public LessonInfoModel(WebSession webSession) {
AbstractLesson lesson = webSession.getCurrentLesson();
//TODO make these first class citizens of the lesson itself; and stop passing the session all over ... and generally tighten the checks up
- this.hasSource = !lesson.getSource(webSession).contains("Could not find the source file or source file does not exist");
- this.hasPlan = !lesson.getSource(webSession).contains("Could not find lesson plan");
- this.hasSolution = !lesson.getSolution(webSession).contains("Could not find the solution file or solution file does not exist");
+ this.hasSource = false;
+ this.hasPlan = false;
+ this.hasSolution = false;
this.lessonTitle = lesson.getTitle();
- this.numberHints = lesson.getHintCount(webSession);
+ this.numberHints = lesson.getHintCount();
this.submitMethod = lesson.getSubmitMethod();
-
- if ( this.numberHints < 1 || lesson.getHint(webSession,0).equals("Hint: There are no hints defined.")) {
- this.numberHints = 0;
- }
- //special challenge case
- if (lesson.getCategory().equals(Category.CHALLENGE)) {
- this.numberHints = (lesson.isAuthorized(webSession, AbstractLesson.CHALLENGE_ROLE, WebSession.SHOWHINTS)) ? lesson.getHintCount(webSession) : 0;
- this.hasSource = (lesson.isAuthorized(webSession, AbstractLesson.CHALLENGE_ROLE, WebSession.SHOWHINTS));
- this.hasSolution = (lesson.isAuthorized(webSession, AbstractLesson.CHALLENGE_ROLE, WebSession.SHOWHINTS)); //assuming we want this to fall in line with source and solution
- this.hasPlan = (lesson.isAuthorized(webSession, AbstractLesson.CHALLENGE_ROLE, WebSession.SHOWHINTS)); //assuming we want this to fall in line with source and solutionn
- }
}
-
- // GETTERS
- /**
- *
- *
- * @param source the source to set
- */
- public void setSource(String source) {
- this.source = source;
- }
-
-}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/LegacyLoader.java b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/LegacyLoader.java
deleted file mode 100644
index ff337f19a..000000000
--- a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/LegacyLoader.java
+++ /dev/null
@@ -1,260 +0,0 @@
-package org.owasp.webgoat.plugins;
-
-import org.owasp.webgoat.lessons.AbstractLesson;
-import org.owasp.webgoat.session.WebgoatContext;
-import org.owasp.webgoat.session.WebgoatProperties;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import javax.servlet.ServletContext;
-import java.io.File;
-import java.util.Iterator;
-import java.util.LinkedList;
-import java.util.List;
-import java.util.Set;
-
-/**
- *************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- *
- * @author Bruce Mayhew WebGoat
- * @since October 28, 2003
- * @version $Id: $Id
- */
-public class LegacyLoader {
-
- final Logger logger = LoggerFactory.getLogger(LegacyLoader.class);
-
- private final List files = new LinkedList();
-
- /**
- *
Constructor for LegacyLoader.
- */
- public LegacyLoader() {
- }
-
- /**
- * Take an absolute file and return the filename.
- *
- * Ex. /etc/password becomes password
- *
- * @param s
- * @return the file name
- */
- private static String getFileName(String s) {
- String fileName = new File(s).getName();
-
- if (fileName.contains("/")) {
- fileName = fileName.substring(fileName.lastIndexOf("/"), fileName.length());
- }
-
- if (fileName.contains(".")) {
- fileName = fileName.substring(0, fileName.indexOf("."));
- }
-
- return fileName;
- }
-
- /**
- * Take a class name and return the equivalent file name
- *
- * Ex. org.owasp.webgoat becomes org/owasp/webgoat.java
- *
- * @param className
- * @return
- */
- private static String getSourceFile(String className) {
- StringBuilder sb = new StringBuilder();
-
- sb.append(className.replace(".", "/"));
- sb.append(".java");
-
- return sb.toString();
- }
-
- /**
- * Takes a file name and builds the class file name
- *
- * @param fileName Description of the Parameter
- * @param path Description of the Parameter
- * @return Description of the Return Value
- */
- private static String getClassFile(String fileName, String path) {
- String ext = ".class";
- fileName = fileName.trim();
-
- /**
- * We do not handle directories. We do not handle files with different
- * extensions
- */
- if (fileName.endsWith("/") || !fileName.endsWith(ext)) {
- return null;
- }
-
- // skip over plugins and/or extracted plugins
- if ( fileName.indexOf("lessons/plugin") >= 0 || fileName.indexOf("plugin_extracted") >= 0) {
- return null;
- }
-
- // if the file is in /WEB-INF/classes strip the dir info off
- int index = fileName.indexOf("/WEB-INF/classes/");
- if (index != -1) {
- fileName = fileName.substring(index + "/WEB-INF/classes/".length(), fileName.length() - ext.length());
- fileName = fileName.replace('/', '.');
- fileName = fileName.replace('\\', '.');
- } else {
- // Strip off the leading path info
- fileName = fileName.substring(path.length(), fileName.length() - ext.length());
- }
-
- return fileName;
- }
-
-
-
- /**
- * Load all of the filenames into a temporary cache
- *
- * @param context a {@link javax.servlet.ServletContext} object.
- * @param path a {@link java.lang.String} object.
- */
- public void loadFiles(ServletContext context, String path) {
- logger.debug("Loading files into cache, path: " + path);
- Set resourcePaths = context.getResourcePaths(path);
- if (resourcePaths == null) {
- logger.error("Unable to load file cache for courses, this is probably a bug or configuration issue");
- return;
- }
- Iterator itr = resourcePaths.iterator();
-
- while (itr.hasNext()) {
- String file = (String) itr.next();
-
- if (file.length() != 1 && file.endsWith("/")) {
- loadFiles(context, file);
- } else {
- files.add(file);
- }
- }
- }
-
- /**
- * Instantiate all the lesson objects into a cache
- *
- * @param path a {@link java.lang.String} object.
- * @param context a {@link javax.servlet.ServletContext} object.
- * @param webgoatContext a {@link org.owasp.webgoat.session.WebgoatContext} object.
- * @param properties a {@link org.owasp.webgoat.session.WebgoatProperties} object.
- * @return a {@link java.util.List} object.
- */
- public List loadLessons(WebgoatContext webgoatContext, ServletContext context, String path, WebgoatProperties properties ) {
-
- loadFiles(context, path);
-
- List lessons = new LinkedList();
-
- for (String file : files) {
- String className = getClassFile(file, path);
-
- if (className != null && !className.endsWith("_i") && className.startsWith("org.owasp.webgoat.lessons.admin")) {
- try {
- Class c = Class.forName(className);
- Object o = c.newInstance();
-
- if (o instanceof AbstractLesson) {
- AbstractLesson lesson = (AbstractLesson) o;
- lesson.setWebgoatContext(webgoatContext);
-
- lesson.update(properties);
-
- if (lesson.getHidden() == false) {
- lessons.add(lesson);
- }
- }
- } catch (Exception e) {
- // Bruce says:
- // I don't think we want to log the exception here. We could
- // be potentially showing a lot of exceptions that don't matter.
- // We would only care if the lesson extended AbstractLesson and we
- // can't tell that because it threw the exception. Catch 22
- // logger.error("Error in loadLessons: ", e);
- }
- }
- }
- loadResources(lessons);
- return lessons;
- }
-
- private String getLanguageFromFileName(String first, String absoluteFile) {
- int p1 = absoluteFile.indexOf("/", absoluteFile.indexOf(first) + 1);
- int p2 = absoluteFile.indexOf("/", p1 + 1);
- String langStr = absoluteFile.substring(p1 + 1, p2);
-
- return langStr;
- }
-
- /**
- * For each lesson, set the source file and lesson file
- *
- * @param lessons a {@link java.util.List} object.
- */
- public void loadResources(List lessons ) {
- for (AbstractLesson lesson : lessons) {
- logger.info("Loading resources for lesson -> " + lesson.getName());
- String className = lesson.getClass().getName();
- String classFile = getSourceFile(className);
- logger.info("Lesson classname: " + className);
- logger.info("Lesson java file: " + classFile);
-
- for (String absoluteFile : files) {
- String fileName = getFileName(absoluteFile);
- //logger.debug("Course: looking at file: " + absoluteFile);
-
- if (absoluteFile.endsWith(classFile)) {
- logger.info("Set source file for " + classFile);
- lesson.setSourceFileName(absoluteFile);
- }
-
- if (absoluteFile.startsWith("/lesson_plans") && absoluteFile.endsWith(".html")
- && className.endsWith(fileName)) {
- logger.info("setting lesson plan file " + absoluteFile + " for lesson "
- + lesson.getClass().getName());
- logger.info("fileName: " + fileName + " == className: " + className);
- String language = getLanguageFromFileName("/lesson_plans", absoluteFile);
- lesson.setLessonPlanFileName(language, absoluteFile);
- }
- if (absoluteFile.startsWith("/lesson_solutions") && absoluteFile.endsWith(".html")
- && className.endsWith(fileName)) {
- logger.info("setting lesson solution file " + absoluteFile + " for lesson "
- + lesson.getClass().getName());
- logger.info("fileName: " + fileName + " == className: " + className);
- lesson.setLessonSolutionFileName(absoluteFile);
- }
- }
- }
- }
-
-
-}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/Plugin.java b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/Plugin.java
index 7621e6338..4c4d36bb7 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/Plugin.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/Plugin.java
@@ -2,38 +2,47 @@ package org.owasp.webgoat.plugins;
import com.google.common.base.Optional;
import com.google.common.collect.Lists;
-import org.apache.catalina.loader.WebappClassLoader;
+import lombok.Getter;
import org.owasp.webgoat.lessons.AbstractLesson;
+import org.owasp.webgoat.lessons.Assignment;
+import org.owasp.webgoat.lessons.Endpoint;
+import org.owasp.webgoat.lessons.NewLesson;
import org.springframework.util.StringUtils;
import java.io.File;
-import java.io.IOException;
import java.nio.file.Path;
-import java.util.Arrays;
-import java.util.HashMap;
import java.util.List;
-import java.util.Map;
import static org.owasp.webgoat.plugins.PluginFileUtils.fileEndsWith;
-import static org.owasp.webgoat.plugins.PluginFileUtils.hasParentDirectoryWithName;
-import static org.owasp.webgoat.plugins.PluginFileUtils.replaceInFiles;
/**
*
- *
- * @return a {@link java.util.Map} object.
- */
- public Map getLessonPlans() {
- return this.lessonPlansLanguageFiles;
- }
-
}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginClassLoader.java b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginClassLoader.java
new file mode 100644
index 000000000..24aa42041
--- /dev/null
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginClassLoader.java
@@ -0,0 +1,16 @@
+package org.owasp.webgoat.plugins;
+
+import java.net.URL;
+import java.net.URLClassLoader;
+
+public class PluginClassLoader extends URLClassLoader {
+
+ public PluginClassLoader(ClassLoader parent) {
+ super(new URL[] {}, parent);
+ }
+
+ @Override
+ public void addURL(URL url) {
+ super.addURL(url);
+ }
+}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginEndpointPublisher.java b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginEndpointPublisher.java
new file mode 100644
index 000000000..9c8654669
--- /dev/null
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginEndpointPublisher.java
@@ -0,0 +1,66 @@
+package org.owasp.webgoat.plugins;
+
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Autowire;
+import org.springframework.beans.factory.config.BeanDefinition;
+import org.springframework.beans.factory.support.DefaultListableBeanFactory;
+import org.springframework.beans.factory.support.RootBeanDefinition;
+import org.springframework.boot.actuate.endpoint.mvc.MvcEndpoint;
+import org.springframework.context.ApplicationContext;
+import org.springframework.context.support.AbstractApplicationContext;
+import org.springframework.stereotype.Component;
+
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *
+ *
+ * @author nbaars
+ * @version $Id: $Id
+ * @since October 16, 2016
+ */
+@Component
+@Slf4j
+public class PluginEndpointPublisher {
+
+ private AbstractApplicationContext applicationContext;
+
+ public PluginEndpointPublisher(ApplicationContext applicationContext) {
+ this.applicationContext = (AbstractApplicationContext) applicationContext;
+ }
+
+ public void publish(Plugin plugin) {
+ plugin.getAssignments().forEach(e -> publishEndpoint(e));
+ plugin.getEndpoints().forEach(e -> publishEndpoint(e));
+ }
+
+ private void publishEndpoint(Class e) {
+ try {
+ BeanDefinition beanDefinition = new RootBeanDefinition(e, Autowire.BY_TYPE.value(), true);
+ DefaultListableBeanFactory beanFactory = (DefaultListableBeanFactory) applicationContext.getBeanFactory();
+ beanFactory.registerBeanDefinition(beanDefinition.getBeanClassName(), beanDefinition);
+ } catch (Exception ex) {
+ log.error("Failed to register " + e.getSimpleName() + " as endpoint with Spring, skipping...");
+ }
+ }
+}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginExtractor.java b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginExtractor.java
index 1d7b1cf24..fef9b13d6 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginExtractor.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginExtractor.java
@@ -34,15 +34,15 @@ public class PluginExtractor {
* @return a {@link org.owasp.webgoat.plugins.Plugin} object.
* @throws java.io.IOException if any.
*/
- public Plugin extractJarFile(final File archive, final File targetDirectory) throws IOException {
+ public Plugin extractJarFile(final File archive, final File targetDirectory, PluginClassLoader cl) throws IOException {
ZipFile zipFile = new ZipFile(archive);
- Plugin plugin = new Plugin();
+ Plugin plugin = new Plugin(cl, zipFile.getName());
try {
Enumeration entries = zipFile.entries();
while (entries.hasMoreElements()) {
final ZipEntry zipEntry = entries.nextElement();
if (shouldProcessFile(zipEntry)) {
- boolean processed = processClassFile(zipEntry);
+ boolean processed = processClassFile(zipFile, zipEntry, targetDirectory);
if (!processed) {
processed = processPropertyFile(zipFile, zipEntry, targetDirectory);
@@ -54,9 +54,7 @@ public class PluginExtractor {
}
} finally {
plugin.findLesson(this.classes);
- if (plugin.getLesson().isPresent()) {
- plugin.rewritePaths(targetDirectory.toPath());
- }
+ plugin.findEndpoints(this.classes);
zipFile.close();
}
return plugin;
@@ -79,9 +77,11 @@ public class PluginExtractor {
return false;
}
- private boolean processClassFile(ZipEntry zipEntry) {
+ private boolean processClassFile(ZipFile zipFile, ZipEntry zipEntry, File targetDirectory) throws IOException {
if (zipEntry.getName().endsWith(".class")) {
classes.add(zipEntry.getName());
+ final File targetFile = new File(targetDirectory, zipEntry.getName());
+ copyFile(zipFile, zipEntry, targetFile, false);
return true;
}
return false;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginFileUtils.java b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginFileUtils.java
index 1b9cef313..d744f2dac 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginFileUtils.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginFileUtils.java
@@ -2,6 +2,7 @@ package org.owasp.webgoat.plugins;
import com.google.common.base.Preconditions;
+import lombok.experimental.UtilityClass;
import org.apache.commons.io.IOUtils;
import java.io.File;
@@ -18,6 +19,7 @@ import java.util.Collection;
* @version $Id: $Id
* @author dm
*/
+@UtilityClass
public class PluginFileUtils {
/**
@@ -64,20 +66,6 @@ public class PluginFileUtils {
return hasParentDirectoryWithName(p.getParent(), s);
}
- /**
- *
createDirsIfNotExists.
- *
- * @param p a {@link java.nio.file.Path} object.
- * @return a {@link java.nio.file.Path} object.
- * @throws java.io.IOException if any.
- */
- public static Path createDirsIfNotExists(Path p) throws IOException {
- if (Files.notExists(p)) {
- Files.createDirectories(p);
- }
- return p;
- }
-
/**
*
replaceInFiles.
*
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginLoadingFailure.java b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginLoadingFailure.java
index ec9104791..007228ddb 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginLoadingFailure.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginLoadingFailure.java
@@ -8,6 +8,15 @@ package org.owasp.webgoat.plugins;
*/
public class PluginLoadingFailure extends RuntimeException {
+ /**
+ *
*
- * @version $Id: $Id
* @author dm
+ * @version $Id: $Id
*/
+@Slf4j
public class PluginsLoader {
private static final String WEBGOAT_PLUGIN_EXTENSION = "jar";
- private static boolean alreadyLoaded = false;
- private final Logger logger = LoggerFactory.getLogger(this.getClass());
- private final Path pluginSource;
- private Path pluginTarget;
+ private static final int BUFFER_SIZE = 32 * 1024;
+ private final File pluginTargetDirectory;
+ private final PluginClassLoader classLoader;
- /**
- *
Constructor for PluginsLoader.
- *
- * @param pluginSource a {@link java.nio.file.Path} object.
- * @param pluginTarget a {@link java.nio.file.Path} object.
- */
- public PluginsLoader(Path pluginSource, Path pluginTarget) {
- this.pluginSource = Objects.requireNonNull(pluginSource, "plugin source cannot be null");
- this.pluginTarget = Objects.requireNonNull(pluginTarget, "plugin target cannot be null");
- }
-
- /**
- * Copy jars to the lib directory
- */
- public void copyJars() {
- try {
- if (!alreadyLoaded) {
- WebappClassLoader cl = (WebappClassLoader) Thread.currentThread().getContextClassLoader();
- List jars = listJars();
- for (URL jar : jars) {
- cl.addRepository(jar.toString());
- }
- alreadyLoaded = true;
- }
- } catch (Exception e) {
- logger.error("Copying plugins failed", e);
- }
+ public PluginsLoader(File pluginTargetDirectory, PluginClassLoader pluginClassLoader) {
+ this.classLoader = pluginClassLoader;
+ this.pluginTargetDirectory = pluginTargetDirectory;
}
/**
@@ -72,34 +53,76 @@ public class PluginsLoader {
* @return a {@link java.util.List} object.
*/
public List loadPlugins() {
- copyJars();
List plugins = Lists.newArrayList();
-
try {
- PluginFileUtils.createDirsIfNotExists(pluginTarget);
- cleanupExtractedPluginsDirectory();
+ URL location = this.getClass().getProtectionDomain().getCodeSource().getLocation();
+ log.trace("Determining whether we run as standalone jar or as directory...");
+ if (ResourceUtils.isFileURL(location)) {
+ log.trace("Running from directory, copying lessons from {}", location.toString());
+ extractToTargetDirectoryFromExplodedDirectory(ResourceUtils.getFile(location));
+ } else {
+ log.trace("Running from standalone jar, extracting lessons from {}", location.toString());
+ extractToTargetDirectoryFromJarFile(ResourceUtils.getFile(ResourceUtils.extractJarFileURL(location)));
+ }
List jars = listJars();
-
plugins = processPlugins(jars);
} catch (Exception e) {
- logger.error("Loading plugins failed", e);
+ log.error("Loading plugins failed", e);
}
return plugins;
}
- private void cleanupExtractedPluginsDirectory() {
- Path i18nDirectory = pluginTarget.resolve("plugin/i18n/");
- FileUtils.deleteQuietly(i18nDirectory.toFile());
+ private void extractToTargetDirectoryFromJarFile(File jarFile) throws IOException {
+ ZipFile jar = new ZipFile(jarFile);
+ Enumeration entries = jar.entries();
+ while (entries.hasMoreElements()) {
+ ZipEntry zipEntry = entries.nextElement();
+ if (zipEntry.getName().contains("plugin_lessons") && zipEntry.getName().endsWith(".jar")) {
+ unpack(jar, zipEntry);
+ }
+ }
}
- private List listJars() throws IOException {
+ private void unpack(ZipFile jar, ZipEntry zipEntry) throws IOException {
+ try (InputStream inputStream = jar.getInputStream(zipEntry)) {
+ String name = zipEntry.getName();
+ if (name.lastIndexOf("/") != -1) {
+ name = name.substring(name.lastIndexOf("/") + 1);
+ }
+ try (OutputStream outputStream = new FileOutputStream(new File(pluginTargetDirectory, name))) {
+ byte[] buffer = new byte[BUFFER_SIZE];
+ int bytesRead = -1;
+ while ((bytesRead = inputStream.read(buffer)) != -1) {
+ outputStream.write(buffer, 0, bytesRead);
+ }
+ outputStream.flush();
+ }
+ }
+ log.trace("Extracting {} to {}", jar.getName(), pluginTargetDirectory);
+ }
+
+ private void extractToTargetDirectoryFromExplodedDirectory(File directory) throws IOException {
+ Files.walkFileTree(directory.toPath(), new SimpleFileVisitor() {
+ @Override
+ public FileVisitResult preVisitDirectory(Path dir, BasicFileAttributes attrs) throws IOException {
+ if (dir.endsWith("plugin_lessons")) {
+ log.trace("Copying {} to {}", dir.toString(), pluginTargetDirectory);
+ FileUtils.copyDirectory(dir.toFile(), pluginTargetDirectory);
+ }
+ return FileVisitResult.CONTINUE;
+ }
+ });
+ }
+
+ private List listJars() throws Exception {
final List jars = Lists.newArrayList();
- Files.walkFileTree(pluginSource, new SimpleFileVisitor() {
+ Files.walkFileTree(Paths.get(pluginTargetDirectory.toURI()), new SimpleFileVisitor() {
@Override
public FileVisitResult visitFile(Path file, BasicFileAttributes attrs) throws IOException {
if (PluginFileUtils.fileEndsWith(file, WEBGOAT_PLUGIN_EXTENSION)) {
jars.add(file.toUri().toURL());
+ log.trace("Found jar file at location: {}", file.toString());
}
return FileVisitResult.CONTINUE;
}
@@ -114,17 +137,21 @@ public class PluginsLoader {
final CompletionService completionService = new ExecutorCompletionService<>(executorService);
final List> callables = extractJars(jars);
- for (Callable s : callables) {
- completionService.submit(s);
- }
+ callables.forEach(s -> completionService.submit(s));
int n = callables.size();
+
for (int i = 0; i < n; i++) {
Plugin plugin = completionService.take().get();
if (plugin.getLesson().isPresent()) {
+ log.trace("Plugin jar '{}' contains a lesson, loading into WebGoat...", plugin.getOriginationJar());
plugins.add(plugin);
+ } else {
+ log.trace("Plugin jar: '{}' does not contain a lesson not processing as a plugin (can be a utility jar)",
+ plugin.getOriginationJar());
}
}
- LabelProvider.updatePluginResources(pluginTarget.resolve("plugin/i18n/WebGoatLabels.properties"));
+ LabelProvider.updatePluginResources(
+ pluginTargetDirectory.toPath().resolve("plugin/i18n/WebGoatLabels.properties"));
return plugins;
} finally {
executorService.shutdown();
@@ -133,14 +160,12 @@ public class PluginsLoader {
private List> extractJars(List jars) {
List> extractorCallables = Lists.newArrayList();
- for (final URL jar : jars) {
- extractorCallables.add(new Callable() {
- @Override
- public Plugin call() throws Exception {
- PluginExtractor extractor = new PluginExtractor();
- return extractor.extractJarFile(ResourceUtils.getFile(jar), pluginTarget.toFile());
- }
+ for (final URL jar : jars) {
+ classLoader.addURL(jar);
+ extractorCallables.add(() -> {
+ PluginExtractor extractor = new PluginExtractor();
+ return extractor.extractJarFile(ResourceUtils.getFile(jar), pluginTargetDirectory, classLoader);
});
}
return extractorCallables;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/ApplicationService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/ApplicationService.java
deleted file mode 100644
index e348f67bd..000000000
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/ApplicationService.java
+++ /dev/null
@@ -1,60 +0,0 @@
-/**
- * *************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at
- * https://github.com/WebGoat/WebGoat, a repository for free software projects.
- *
- */
-package org.owasp.webgoat.service;
-
-import javax.servlet.http.HttpSession;
-import org.owasp.webgoat.application.Application;
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
-
-/**
- *
ApplicationService class.
- *
- * @author rlawson
- * @version $Id: $Id
- */
-@Controller
-public class ApplicationService extends BaseService {
-
- /**
- * Returns global application info
- *
- * @param session a {@link javax.servlet.http.HttpSession} object.
- * @return a {@link org.owasp.webgoat.application.Application} object.
- */
- @RequestMapping(value = "/application.mvc", produces = "application/json")
- public @ResponseBody
- Application showApplication(HttpSession session) {
- Application app = Application.getInstance();
- return app;
- }
-
-}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/BaseService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/BaseService.java
deleted file mode 100644
index aec0d2076..000000000
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/BaseService.java
+++ /dev/null
@@ -1,108 +0,0 @@
-/**
- * *************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
- * for free software projects.
- *
- */
-package org.owasp.webgoat.service;
-
-import java.io.PrintWriter;
-import java.io.StringWriter;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpSession;
-import org.owasp.webgoat.session.WebSession;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.http.HttpStatus;
-import org.springframework.web.bind.annotation.ExceptionHandler;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
-import org.springframework.web.bind.annotation.ResponseStatus;
-
-/**
- *
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
- *
+ *
* Copyright (c) 2002 - 20014 Bruce Mayhew
- *
+ *
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
- *
+ *
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
- *
+ *
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
- *
+ *
*
@@ -48,9 +46,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
* @version $Id: $Id
*/
@Controller
-public class ParameterService extends BaseService {
-
- final Logger logger = LoggerFactory.getLogger(ParameterService.class);
+public class ParameterService {
/**
* Returns request parameters for last attack
@@ -58,11 +54,11 @@ public class ParameterService extends BaseService {
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link java.util.List} object.
*/
- @RequestMapping(value = "/parameter.mvc", produces = "application/json")
+ @RequestMapping(path = "/service/parameter.mvc", produces = "application/json")
public @ResponseBody
List showParameters(HttpSession session) {
- WebSession ws = getWebSession(session);
- List listParms = ws.getParmsOnLastRequest();
+ //// TODO: 11/6/2016 to decide not sure about the role in WebGoat 8
+ List listParms = Lists.newArrayList();
Collections.sort(listParms);
return listParms;
}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/PluginReloadService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/PluginReloadService.java
index 6355318aa..e9e494523 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/PluginReloadService.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/PluginReloadService.java
@@ -29,16 +29,6 @@
*/
package org.owasp.webgoat.service;
-import java.nio.file.Paths;
-import java.util.HashMap;
-import java.util.Map;
-
-import javax.servlet.http.HttpSession;
-
-import org.owasp.webgoat.plugins.PluginsLoader;
-import org.owasp.webgoat.session.WebSession;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
@@ -46,6 +36,10 @@ import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
+import javax.servlet.http.HttpSession;
+import java.util.HashMap;
+import java.util.Map;
+
/**
*
PluginReloadService class.
*
@@ -53,9 +47,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
* @version $Id: $Id
*/
@Controller
-public class PluginReloadService extends BaseService {
-
- private static final Logger logger = LoggerFactory.getLogger(PluginReloadService.class);
+public class PluginReloadService {
/**
* Reload all the plugins
@@ -63,20 +55,21 @@ public class PluginReloadService extends BaseService {
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link org.springframework.http.ResponseEntity} object.
*/
- @RequestMapping(value = "/reloadplugins.mvc", produces = MediaType.APPLICATION_JSON_VALUE)
+ @RequestMapping(path = "/service/reloadplugins.mvc", produces = MediaType.APPLICATION_JSON_VALUE)
public @ResponseBody
ResponseEntity> reloadPlugins(HttpSession session) {
- WebSession webSession = (WebSession) session.getAttribute(WebSession.SESSION);
-
- logger.debug("Loading plugins into cache");
- String pluginPath = session.getServletContext().getRealPath("plugin_lessons");
- String targetPath = session.getServletContext().getRealPath("plugin_extracted");
- new PluginsLoader(Paths.get(pluginPath), Paths.get(targetPath)).copyJars();
- webSession.getCourse().loadLessonFromPlugin(session.getServletContext());
+// WebSession webSession = (WebSession) session.getAttribute(WebSession.SESSION);
+//
+// logger.debug("Loading plugins into cache");
+// String pluginPath = session.getServletContext().getRealPath("plugin_lessons");
+// String targetPath = session.getServletContext().getRealPath("plugin_extracted");
+// //TODO fix me
+// //new PluginsLoader(Paths.get(pluginPath), Paths.get(targetPath)).copyJars();
+// //webSession.getCourse().createLessonsFromPlugins();
Map result = new HashMap();
result.put("success", true);
result.put("message", "Plugins reloaded");
- return new ResponseEntity>(result, HttpStatus.OK);
+ return new ResponseEntity<>(result, HttpStatus.OK);
}
}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java
index 909433e54..34650cc1c 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java
@@ -1,39 +1,38 @@
/***************************************************************************************************
- *
- *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
- *
+ *
* Copyright (c) 2002 - 20014 Bruce Mayhew
- *
+ *
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
- *
+ *
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
- *
+ *
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
- *
+ *
* Getting Source ==============
- *
+ *
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
- *
*/
package org.owasp.webgoat.service;
+import lombok.AllArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.owasp.webgoat.lessons.AbstractLesson;
+import org.owasp.webgoat.session.UserTracker;
import org.owasp.webgoat.session.WebSession;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseStatus;
-import javax.servlet.http.HttpSession;
-
/**
*
@@ -23,7 +24,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
* @version $Id: $Id
*/
@Controller
-public class SessionService extends BaseService {
+public class SessionService {
/**
* Returns hints for current lesson
@@ -32,7 +33,7 @@ public class SessionService extends BaseService {
* @param request a {@link javax.servlet.http.HttpServletRequest} object.
* @return a {@link java.lang.String} object.
*/
- @RequestMapping(value = "/session.mvc", produces = "application/json")
+ @RequestMapping(path = "/service/session.mvc", produces = "application/json")
public @ResponseBody
String showSession(HttpServletRequest request, HttpSession session) {
StringBuilder sb = new StringBuilder();
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/SolutionService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/SolutionService.java
index b91d153b4..2314ac6d5 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/SolutionService.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/SolutionService.java
@@ -1,43 +1,37 @@
/**
* *************************************************************************************************
- *
- *
+ *
+ *
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
- *
+ *
* Copyright (c) 2002 - 20014 Bruce Mayhew
- *
+ *
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
- *
+ *
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
- *
+ *
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
- *
+ *
* Getting Source ==============
- *
+ *
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
- *
*/
package org.owasp.webgoat.service;
-import org.owasp.webgoat.lessons.AbstractLesson;
-import org.owasp.webgoat.session.Course;
-import org.owasp.webgoat.session.WebSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
-import javax.servlet.http.HttpSession;
-
/**
*
SolutionService class.
*
@@ -45,42 +39,28 @@ import javax.servlet.http.HttpSession;
* @version $Id: $Id
*/
@Controller
-public class SolutionService extends BaseService {
+public class SolutionService {
/**
* Returns solution for current attack
*
- * @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link java.lang.String} object.
*/
- @RequestMapping(value = "/solution.mvc", produces = "text/html")
- public @ResponseBody
- String showSolution(HttpSession session) {
- WebSession ws = getWebSession(session);
- String source = getSolution(ws);
+ @RequestMapping(path = "/service/solution.mvc", produces = "text/html")
+ public
+ @ResponseBody
+ String showSolution() {
+ //// TODO: 11/6/2016 to decide not sure about the role in WebGoat 8
+ String source = getSolution();
return source;
}
/**
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
- *
+ *
* Copyright (c) 2002 - 20014 Bruce Mayhew
- *
+ *
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
- *
+ *
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
- *
+ *
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
- *
+ *
* Getting Source ==============
- *
+ *
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
- *
*/
package org.owasp.webgoat.service;
import org.apache.commons.lang3.StringEscapeUtils;
-import org.owasp.webgoat.lessons.AbstractLesson;
-import org.owasp.webgoat.session.Course;
-import org.owasp.webgoat.session.WebSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpSession;
-import static org.owasp.webgoat.LessonSource.END_SOURCE_SKIP;
-import static org.owasp.webgoat.LessonSource.START_SOURCE_SKIP;
-
/**
*
SourceService class.
*
@@ -49,7 +42,16 @@ import static org.owasp.webgoat.LessonSource.START_SOURCE_SKIP;
* @version $Id: $Id
*/
@Controller
-public class SourceService extends BaseService {
+//TODO REMOVE!
+public class SourceService {
+
+ /**
+ * Description of the Field
+ */
+ public final static String START_SOURCE_SKIP = "START_OMIT_SOURCE";
+
+ /** Constant END_SOURCE_SKIP="END_OMIT_SOURCE" */
+ public final static String END_SOURCE_SKIP = "END_OMIT_SOURCE";
/**
* Returns source for current attack
@@ -57,11 +59,12 @@ public class SourceService extends BaseService {
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link java.lang.String} object.
*/
- @RequestMapping(value = "/source.mvc", produces = "application/text")
- public @ResponseBody
+ @RequestMapping(path = "/service/source.mvc", produces = "application/text")
+ public
+ @ResponseBody
String showSource(HttpSession session) {
- WebSession ws = getWebSession(session);
- String source = getSource(ws);
+ //// TODO: 11/6/2016 to decide not sure about the role in WebGoat 8
+ String source = getSource();
if (source == null) {
source = "No source listing found";
}
@@ -71,24 +74,9 @@ public class SourceService extends BaseService {
/**
* Description of the Method
*
- * @param s Description of the Parameter
* @return Description of the Return Value
*/
- protected String getSource(WebSession s) {
- String source = null;
- int scr = s.getCurrentScreen();
- Course course = s.getCourse();
-
- if (s.isUser() || s.isAdmin()) {
- AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
- if (lesson != null) {
- source = lesson.getRawSource(s);
- }
- }
- if (source == null) {
- return "Source code is not available for this lesson.";
- }
- return source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP,
- "Code Section Deliberately Omitted");
+ protected String getSource() {
+ return "Source code is not available for this lesson.";
}
}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/Authorization.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/Authorization.java
deleted file mode 100644
index 36c8c3a67..000000000
--- a/webgoat-container/src/main/java/org/owasp/webgoat/session/Authorization.java
+++ /dev/null
@@ -1,73 +0,0 @@
-
-package org.owasp.webgoat.session;
-
-import java.util.Hashtable;
-import java.util.Map;
-
-
-/**
- *************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- *
- * * @version $Id: $Id
- *
- * @author dm
- * @version $Id: $Id
- */
-public class Authorization
-{
-
- Map permissions = new Hashtable();
-
- /**
- *
Constructor for Authorization.
- */
- public Authorization()
- {
- }
-
- /**
- *
setPermission.
- *
- * @param userId a int.
- * @param functionId a int.
- */
- public void setPermission(int userId, int functionId)
- {
- permissions.put(new Integer(userId), new Integer(functionId));
- }
-
- /**
- *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
- *
+ *
* Copyright (c) 2002 - 20014 Bruce Mayhew
- *
+ *
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
- *
+ *
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
- *
+ *
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
- *
+ *
* Getting Source ==============
- *
+ *
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Bruce Mayhew WebGoat
- * @since October 28, 2003
* @version $Id: $Id
+ * @since October 28, 2003
*/
+@Slf4j
public class Course {
- final Logger logger = LoggerFactory.getLogger(Course.class);
-
- private final List lessons = new LinkedList();
-
- private final static String PROPERTIES_FILENAME = HammerHead.propertiesPath;
-
- private WebgoatProperties properties = null;
-
- private WebgoatContext webgoatContext;
-
- /**
- *
Constructor for Course.
- */
- public Course() {
- try {
- properties = new WebgoatProperties(PROPERTIES_FILENAME);
- } catch (IOException e) {
- logger.error("Error loading webgoat properties", e);
- }
- }
-
- /**
- * Take an absolute file and return the filename.
- *
- * Ex. /etc/password becomes password
- *
- * @param s
- * @return the file name
- */
- private static String getFileName(String s) {
- String fileName = new File(s).getName();
-
- if (fileName.contains("/")) {
- fileName = fileName.substring(fileName.lastIndexOf("/"), fileName.length());
- }
-
- if (fileName.contains(".")) {
- fileName = fileName.substring(0, fileName.indexOf("."));
- }
-
- return fileName;
- }
-
- /**
- * Take a class name and return the equivalent file name
- *
- * Ex. org.owasp.webgoat becomes org/owasp/webgoat.java
- *
- * @param className
- * @return
- */
- private static String getSourceFile(String className) {
- StringBuilder sb = new StringBuilder();
-
- sb.append(className.replace(".", "/"));
- sb.append(".java");
-
- return sb.toString();
- }
-
- /**
- * Takes a file name and builds the class file name
- *
- * @param fileName Description of the Parameter
- * @param path Description of the Parameter
- * @return Description of the Return Value
- */
- private static String getClassFile(String fileName, String path) {
- String ext = ".class";
- fileName = fileName.trim();
-
- /**
- * We do not handle directories. We do not handle files with different
- * extensions
- */
- if (fileName.endsWith("/") || !fileName.endsWith(ext)) {
- return null;
- }
-
- // if the file is in /WEB-INF/classes strip the dir info off
- int index = fileName.indexOf("/WEB-INF/classes/");
- if (index != -1) {
- fileName = fileName.substring(index + "/WEB-INF/classes/".length(), fileName.length() - ext.length());
- fileName = fileName.replace('/', '.');
- fileName = fileName.replace('\\', '.');
- } else {
- // Strip off the leading path info
- fileName = fileName.substring(path.length(), fileName.length() - ext.length());
- }
-
- return fileName;
- }
+ private List lessons = new LinkedList<>();
/**
* Gets the categories attribute of the Course object
*
* @return The categories value
*/
- public List getCategories() {
- List categories = new ArrayList();
- for (AbstractLesson lesson : lessons) {
- if (!categories.contains(lesson.getCategory())) {
- categories.add(lesson.getCategory());
- }
- }
-
- Collections.sort(categories);
-
- return categories;
+ public List getCategories() {
+ return lessons.parallelStream().map(l -> l.getCategory()).distinct().sorted().collect(toList());
}
/**
@@ -178,202 +61,46 @@ public class Course {
* @return The firstLesson value
*/
public AbstractLesson getFirstLesson() {
- List roles = new ArrayList();
- roles.add(AbstractLesson.USER_ROLE);
// Category 0 is the admin function. We want the first real category
// to be returned. This is normally the General category and the Http Basics lesson
- return ((AbstractLesson) getLessons((Category) getCategories().get(0), roles).get(0));
- }
-
- /**
- * Gets the lesson attribute of the Course object
- *
- * @param s a {@link org.owasp.webgoat.session.WebSession} object.
- * @param lessonId Description of the Parameter
- * @param roles a {@link java.util.List} object.
- * @return The lesson value
- */
- public AbstractLesson getLesson(WebSession s, int lessonId, List roles) {
- if (s.isHackedAdmin()) {
- roles.add(AbstractLesson.HACKED_ADMIN_ROLE);
- }
- // System.out.println("getLesson() with roles: " + roles);
- Iterator iter = lessons.iterator();
-
- while (iter.hasNext()) {
- AbstractLesson lesson = iter.next();
-
- if (lesson.getScreenId() == lessonId && roles.contains(lesson.getRole())) {
- return lesson;
- }
- }
-
- return null;
- }
-
- /**
- *
getLesson.
- *
- * @param s a {@link org.owasp.webgoat.session.WebSession} object.
- * @param lessonId a int.
- * @param role a {@link java.lang.String} object.
- * @return a {@link org.owasp.webgoat.lessons.AbstractLesson} object.
- */
- public AbstractLesson getLesson(WebSession s, int lessonId, String role) {
- List roles = new ArrayList();
- roles.add(role);
- return getLesson(s, lessonId, roles);
+ return getLessons(getCategories().get(0)).get(0);
}
/**
*
Getter for the field lessons.
*
- * @param s a {@link org.owasp.webgoat.session.WebSession} object.
- * @param role a {@link java.lang.String} object.
* @return a {@link java.util.List} object.
*/
- public List getLessons(WebSession s, String role) {
- List roles = new ArrayList();
- roles.add(role);
- return getLessons(s, roles);
- }
-
- /**
- * Gets the lessons attribute of the Course object
- *
- * @param s a {@link org.owasp.webgoat.session.WebSession} object.
- * @param roles a {@link java.util.List} object.
- * @return The lessons value
- */
- public List getLessons(WebSession s, List roles) {
- if (s.isHackedAdmin()) {
- roles.add(AbstractLesson.HACKED_ADMIN_ROLE);
- }
- List lessonList = new ArrayList();
- Iterator categoryIter = getCategories().iterator();
-
- while (categoryIter.hasNext()) {
- lessonList.addAll(getLessons(s, (Category) categoryIter.next(), roles));
- }
- return lessonList;
- }
-
- /**
- * Gets the lessons attribute of the Course object
- *
- * @param category Description of the Parameter
- * @param role Description of the Parameter
- * @return The lessons value
- */
- private List getLessons(Category category, List roles) {
- List lessonList = new ArrayList();
-
- for (AbstractLesson lesson : lessons) {
- if (lesson.getCategory().equals(category) && roles.contains(lesson.getRole())) {
- lessonList.add(lesson);
- }
- }
-
- Collections.sort(lessonList);
- return lessonList;
+ public List getLessons() {
+ return this.lessons;
}
/**
*
Getter for the field lessons.
*
- * @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param category a {@link org.owasp.webgoat.lessons.Category} object.
- * @param role a {@link java.lang.String} object.
* @return a {@link java.util.List} object.
*/
- public List getLessons(WebSession s, Category category, String role) {
- List roles = new ArrayList();
- roles.add(role);
- return getLessons(s, category, roles);
+ public List getLessons(Category category) {
+ return this.lessons.stream().filter(l -> l.getCategory() == category).collect(toList());
+ }
+
+ public void setLessons(List lessons) {
+ this.lessons = lessons;
}
/**
- *
Getter for the field lessons.
- *
- * @param s a {@link org.owasp.webgoat.session.WebSession} object.
- * @param category a {@link org.owasp.webgoat.lessons.Category} object.
- * @param roles a {@link java.util.List} object.
- * @return a {@link java.util.List} object.
+ *
createLessonsFromPlugins.
*/
- public List getLessons(WebSession s, Category category, List roles) {
- if (s.isHackedAdmin()) {
- roles.add(AbstractLesson.HACKED_ADMIN_ROLE);
- }
- return getLessons(category, roles);
- }
-
- /**
- *
getLesson.
- *
- * @param lessonId a int.
- * @return a {@link org.owasp.webgoat.lessons.AbstractLesson} object.
- */
- public AbstractLesson getLesson(int lessonId) {
- for (AbstractLesson l : lessons) {
- if (l.getScreenId() == lessonId) {
- return l;
- }
- }
- return null;
- }
-
- /**
- *
loadLessonFromPlugin.
- *
- * @param context a {@link javax.servlet.ServletContext} object.
- */
- public void loadLessonFromPlugin(ServletContext context) {
- logger.debug("Loading plugins into cache");
- String pluginPath = context.getRealPath("plugin_lessons");
- String targetPath = context.getRealPath("plugin_extracted");
-
- if (pluginPath == null) {
- logger.error("Plugins directory {} not found", pluginPath);
- return;
- }
- lessons.clear();
- List plugins = new PluginsLoader(Paths.get(pluginPath), Paths.get(targetPath)).loadPlugins();
+ public void createLessonsFromPlugins(List plugins) {
for (Plugin plugin : plugins) {
try {
- AbstractLesson lesson = plugin.getLesson().get();
- lesson.setWebgoatContext(webgoatContext);
- lesson.update(properties);
-
- if (!lesson.getHidden()) {
- lessons.add(lesson);
- }
- for(Map.Entry lessonPlan : plugin.getLessonPlans().entrySet()) {
- lesson.setLessonPlanFileName(lessonPlan.getKey(), lessonPlan.getValue().toString());
- }
- if (plugin.getLessonSolution("en").isPresent()) {
- lesson.setLessonSolutionFileName(plugin.getLessonSolution("en").get().toString());
- }
- if (plugin.getLessonSource().isPresent()) {
- lesson.setSourceFileName(plugin.getLessonSource().get().toString());
- }
+ NewLesson lesson = (NewLesson) plugin.getLesson().get();
+ lesson.setAssignments(plugin.getAssignments());
+ lessons.add(lesson);
} catch (Exception e) {
- logger.error("Error in loadLessons: ", e);
+ log.error("Error in loadLessons: ", e);
}
}
}
-
- /**
- * Description of the Method
- *
- * @param webgoatContext a {@link org.owasp.webgoat.session.WebgoatContext} object.
- * @param path Description of the Parameter
- * @param context Description of the Parameter
- */
- public void loadCourses(WebgoatContext webgoatContext, ServletContext context, String path) {
- logger.info("Loading courses: " + path);
- this.webgoatContext = webgoatContext;
- loadLessonFromPlugin(context);
- LegacyLoader loader = new LegacyLoader();
- lessons.addAll(loader.loadLessons(webgoatContext, context, path, properties));
- }
}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java
index 2afc1296f..4031e0c82 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java
@@ -4,7 +4,6 @@ package org.owasp.webgoat.session;
import java.sql.Connection;
import java.sql.SQLException;
import java.sql.Statement;
-import org.owasp.webgoat.lessons.AbstractLesson;
/**
@@ -759,16 +758,16 @@ public class CreateDB
String insertData25_1 = "INSERT INTO auth VALUES('admin', 'SearchStaff')";
String insertData25_2 = "INSERT INTO auth VALUES('admin', 'FindProfile')";
- // Add a permission for the webgoat role to see the source.
- // The challenge(s) will change the default role to "challenge"
- String insertData26 = "INSERT INTO auth VALUES('" + AbstractLesson.USER_ROLE + "','" + WebSession.SHOWSOURCE
- + "')";
- String insertData27 = "INSERT INTO auth VALUES('" + AbstractLesson.USER_ROLE + "','" + WebSession.SHOWHINTS
- + "')";
+// // Add a permission for the webgoat role to see the source.
+// // The challenge(s) will change the default role to "challenge"
+// String insertData26 = "INSERT INTO auth VALUES('" + AbstractLesson.USER_ROLE + "','" + WebSession.SHOWSOURCE
+// + "')";
+// String insertData27 = "INSERT INTO auth VALUES('" + AbstractLesson.USER_ROLE + "','" + WebSession.SHOWHINTS
+// + "')";
// Add a permission for the webgoat role to see the solution.
// The challenge(s) will change the default role to "challenge"
- String insertData28 = "INSERT INTO auth VALUES('" + AbstractLesson.USER_ROLE + "','" + WebSession.SHOWSOLUTION
- + "')";
+// String insertData28 = "INSERT INTO auth VALUES('" + AbstractLesson.USER_ROLE + "','" + WebSession.SHOWSOLUTION
+// + "')";
statement.executeUpdate(insertData1);
statement.executeUpdate(insertData2);
@@ -803,9 +802,9 @@ public class CreateDB
statement.executeUpdate(insertData25);
statement.executeUpdate(insertData25_1);
statement.executeUpdate(insertData25_2);
- statement.executeUpdate(insertData26);
- statement.executeUpdate(insertData27);
- statement.executeUpdate(insertData28);
+ //statement.executeUpdate(insertData26);
+ //statement.executeUpdate(insertData27);
+ //statement.executeUpdate(insertData28);
}
private void createOwnershipTable(Connection connection) throws SQLException
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/DatabaseUtilities.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/DatabaseUtilities.java
index 391baec5c..4692528b4 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/session/DatabaseUtilities.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/session/DatabaseUtilities.java
@@ -1,19 +1,13 @@
package org.owasp.webgoat.session;
-import java.io.IOException;
import java.sql.Connection;
import java.sql.DriverManager;
-import java.sql.ResultSet;
-import java.sql.ResultSetMetaData;
import java.sql.SQLException;
import java.util.HashMap;
import java.util.Map;
-import org.apache.ecs.MultiPartElement;
-import org.apache.ecs.html.B;
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.Table;
+
+import org.springframework.beans.factory.annotation.Autowired;
/**
@@ -131,73 +125,5 @@ public class DatabaseUtilities
String url = context.getDatabaseConnectionString().replaceAll("\\$\\{USER\\}", user);
return DriverManager.getConnection(url, "sa", "");
}
-
- /**
- * Description of the Method
- *
- * @param results
- * Description of the Parameter
- * @param resultsMetaData
- * Description of the Parameter
- * @param resultsMetaData
- * Description of the Parameter
- * @param resultsMetaData
- * Description of the Parameter
- * @param resultsMetaData
- * Description of the Parameter
- * @param resultsMetaData
- * Description of the Parameter
- * @param resultsMetaData
- * Description of the Parameter
- * @return Description of the Return Value
- * @exception IOException
- * Description of the Exception
- * @exception SQLException
- * Description of the Exception
- * @throws java.io.IOException if any.
- * @throws java.sql.SQLException if any.
- */
- public static MultiPartElement writeTable(ResultSet results, ResultSetMetaData resultsMetaData) throws IOException,
- SQLException
- {
- int numColumns = resultsMetaData.getColumnCount();
- results.beforeFirst();
-
- if (results.next())
- {
- Table t = new Table(1); // 1 = with border
- t.setCellPadding(1);
-
- TR tr = new TR();
-
- for (int i = 1; i < (numColumns + 1); i++)
- {
- tr.addElement(new TD(new B(resultsMetaData.getColumnName(i))));
- }
-
- t.addElement(tr);
- results.beforeFirst();
-
- while (results.next())
- {
- TR row = new TR();
-
- for (int i = 1; i < (numColumns + 1); i++)
- {
- String str = results.getString(i);
- if (str == null) str = "";
- row.addElement(new TD(str.replaceAll(" ", " ")));
- }
-
- t.addElement(row);
- }
-
- return (t);
- }
- else
- {
- return (new B("Query Successful; however no data was returned from this query."));
- }
- }
-
+
}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/ECSFactory.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/ECSFactory.java
deleted file mode 100644
index e3f85f263..000000000
--- a/webgoat-container/src/main/java/org/owasp/webgoat/session/ECSFactory.java
+++ /dev/null
@@ -1,754 +0,0 @@
-
-package org.owasp.webgoat.session;
-
-import java.util.Iterator;
-import java.util.List;
-import java.util.StringTokenizer;
-import java.util.Vector;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.A;
-import org.apache.ecs.html.BR;
-import org.apache.ecs.html.H3;
-import org.apache.ecs.html.Input;
-import org.apache.ecs.html.Label;
-import org.apache.ecs.html.Option;
-import org.apache.ecs.html.P;
-import org.apache.ecs.html.Select;
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.TH;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.U;
-
-
-/**
- *************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- *
- * @author Jeff Williams (jeff.williams@aspectsecurity.com)
- * @since October 29, 2003
- * @version $Id: $Id
- */
-public class ECSFactory
-{
-
- /**
- * Description of the Field
- */
-
- public final static String ON = "On";
-
- /**
- * Description of the Field
- */
-
- public final static String PASSWORD = "Password";
-
- /**
- * Don't let anyone instantiate this class
- */
-
- private ECSFactory()
- {
- }
-
- /**
- * Description of the Method
- *
- * @param name
- * Description of the Parameter
- * @param value
- * Description of the Parameter
- * @return Description of the Return Value
- */
- public static Element makeBox(String name, String value)
- {
-
- Input i = new Input(Input.CHECKBOX, name, ON);
-
- i.setChecked(value.equals(ON));
-
- return (i);
- }
-
- /**
- * Description of the Method
- *
- * @param text
- * Description of the Parameter
- * @return Description of the Return Value
- */
- public static Element makeButton(String text)
- {
-
- Input b = new Input();
-
- b.setType(Input.SUBMIT);
- b.setValue(text);
- b.setName(Input.SUBMIT);
-
- return (b);
- }
-
- /**
- *
makeButton.
- *
- * @param text a {@link java.lang.String} object.
- * @param onClickFunction a {@link java.lang.String} object.
- * @return a {@link org.apache.ecs.Element} object.
- */
- public static Element makeButton(String text, String onClickFunction)
- {
-
- Input b = (Input) makeButton(text);
- b.setOnClick(onClickFunction);
-
- return (b);
- }
-
- /**
- * Description of the Method
- *
- * @param labeltext
- * Description of the Parameter
- * @param value
- * Description of the Parameter
- * @param e
- * Description of the Parameter
- * @return Description of the Return Value
- */
- public static TR makeField(String labeltext, String value, Element e)
- {
-
- TD left = new TD().setAlign("right");
-
- Label label = new Label().addElement(labeltext);
-
- left.addElement(label);
-
- TD right = new TD().setAlign("left");
-
- right.addElement(e);
-
- TR row = new TR();
-
- row.addElement(left);
-
- row.addElement(right);
-
- return (row);
- }
-
- /**
- * Description of the Method
- *
- * @param labeltext
- * Description of the Parameter
- * @param name
- * Description of the Parameter
- * @param value
- * Description of the Parameter
- * @param size
- * Description of the Parameter
- * @return Description of the Return Value
- */
- public static TR makeField(String labeltext, String name, String value, int size)
- {
-
- Input field = new Input().setName(name).setValue(value).setSize(size).setMaxlength(size);
-
- // double check in case someone means to make a * starred out password field
-
- if (name.equals(PASSWORD))
- {
-
- field.setType(Input.PASSWORD);
-
- }
-
- return (makeField(labeltext, value, field));
- }
-
- /**
- * Description of the Method
- *
- * @param label
- * Description of the Parameter
- * @param type
- * Description of the Parameter
- * @param name
- * Description of the Parameter
- * @param value
- * Description of the Parameter
- * @param alignment
- * Description of the Parameter
- * @param selected
- * Description of the Parameter
- * @return Description of the Return Value
- */
- public static Element makeInput(String label, String type, String name, boolean value, boolean selected,
- String alignment)
- {
-
- return makeInput(label, type, name, new Boolean(value).toString(), selected, alignment);
- }
-
- /**
- * Description of the Method
- *
- * @param label
- * Description of the Parameter
- * @param type
- * Description of the Parameter
- * @param name
- * Description of the Parameter
- * @param value
- * Description of the Parameter
- * @return Description of the Return Value
- */
- public static Element makeInput(String label, String type, String name, String value)
- {
-
- return makeInput(label, type, name, value, new Boolean(value).booleanValue(), "RIGHT");
- }
-
- /**
- * Description of the Method
- *
- * @param label
- * Description of the Parameter
- * @param type
- * Description of the Parameter
- * @param name
- * Description of the Parameter
- * @param value
- * Description of the Parameter
- * @param alignment
- * Description of the Parameter
- * @param selected
- * Description of the Parameter
- * @return Description of the Return Value
- */
- public static Element makeInput(String label, String type, String name, String value, boolean selected,
- String alignment)
- {
-
- ElementContainer ec = new ElementContainer();
-
- if (!alignment.equalsIgnoreCase("LEFT"))
- {
-
- ec.addElement(new StringElement(label));
-
- }
-
- Input input = new Input(type, name, value);
-
- ec.addElement(input);
-
- if (alignment.equalsIgnoreCase("LEFT"))
- {
-
- ec.addElement(new StringElement(label));
-
- }
-
- if (type.equalsIgnoreCase("CHECKBOX"))
- {
-
- input.setChecked(selected);
-
- }
-
- return (ec);
- }
-
- /**
- * Description of the Method
- *
- * @param text
- * Description of the Parameter
- * @param name
- * Description of the Parameter
- * @param value
- * Description of the Parameter
- * @return Description of the Return Value
- */
- public static A makeLink(String text, String name, String value)
- {
-
- String href = "attack?" + name;
-
- if (value.length() > 0)
- {
-
- href = href + "=" + value;
-
- }
-
- A a = new A(href);
-
- a.addElement(new U().addElement(text));
-
- a.addAttribute("style", "cursor:hand");
-
- return (a);
- }
-
- /**
- * Description of the Method
- *
- * @param text
- * Description of the Parameter
- * @param name
- * Description of the Parameter
- * @param value
- * Description of the Parameter
- * @return Description of the Return Value
- */
- public static A makeLink(String text, String name, int value)
- {
-
- return (makeLink(text, name, Integer.toString(value)));
- }
-
- /**
- * Description of the Method
- *
- * @param text
- * Description of the Parameter
- * @param name
- * Description of the Parameter
- * @param value
- * Description of the Parameter
- * @return Description of the Return Value
- */
- public static A makeLink(String text, String name, boolean value)
- {
-
- return (makeLink(text, name, new Boolean(value).toString()));
- }
-
- /**
- * Description of the Method
- *
- * @param text
- * Description of the Parameter
- * @param clickAction
- * Description of the Parameter
- * @param type
- * Description of the Parameter
- * @return Description of the Return Value
- */
- public static Input makeOnClickInput(String text, String clickAction, String type)
- {
-
- Input b = new Input();
-
- b.setType(type);
-
- b.setValue(text);
-
- b.setOnClick(clickAction);
-
- return (b);
- }
-
- /**
- * Description of the Method
- *
- * @param labeltext
- * Description of the Parameter
- * @param value
- * Description of the Parameter
- * @param e
- * Description of the Parameter
- * @return Description of the Return Value
- */
- public static TR makeOption(String labeltext, String value, Element e)
- {
-
- TD left = new TD().setAlign("left").setWidth("10%");
-
- left.addElement(e);
-
- TD right = new TD().setAlign("right");
-
- Label label = new Label().addElement(labeltext);
-
- right.addElement(label);
-
- TR row = new TR();
-
- row.addElement(right);
-
- row.addElement(left);
-
- return (row);
- }
-
- /**
- * Description of the Method
- *
- * @param label
- * Description of the Parameter
- * @param value
- * Description of the Parameter
- * @return Description of the Return Value
- */
- public static Option makeOption(String label, boolean value)
- {
-
- Option option = new Option(label, new Boolean(value).toString());
-
- option.setSelected(value);
-
- return option;
- }
-
- /**
- * Description of the Method
- *
- * @param line
- * Description of the Parameter
- * @return Description of the Return Value
- */
-
- private static org.apache.ecs.html.Option makeOption(String line)
- {
-
- StringTokenizer st = new StringTokenizer(line, "|");
-
- org.apache.ecs.html.Option o = new org.apache.ecs.html.Option();
-
- String token = "";
-
- if (st.hasMoreTokens())
- {
-
- token = st.nextToken();
-
- }
-
- o.addElement(token);
-
- return (o);
- }
-
- /**
- * Description of the Method
- *
- * @param name
- * Description of the Parameter
- * @param options
- * Description of the Parameter
- * @return Description of the Return Value
- */
- public static Element makePulldown(String name, List options)
- {
-
- Select s = new Select(name);
-
- s.addElement(options.toArray(new String[options.size()]));
-
- return (s);
- }
-
- /**
- * Description of the Method
- *
- * @param results
- * Description of the Parameter
- * @return Description of the Return Value
- * @param name a {@link java.lang.String} object.
- */
- public static Element makePulldown(String name, String results)
- {
-
- Select select = new Select(name);
-
- StringTokenizer st = new StringTokenizer(results, "\n");
-
- if (!st.hasMoreTokens()) {
-
- return (new StringElement("")); }
-
- while (st.hasMoreTokens())
- {
-
- String line = st.nextToken();
-
- select.addElement(makeOption(line));
-
- }
-
- select.addElement("-------------------------");
-
- return (select);
- }
-
- /**
- * Description of the Method
- *
- * @param name
- * Description of the Parameter
- * @param list
- * Description of the Parameter
- * @param selected
- * Description of the Parameter
- * @param rowsShowing
- * Description of the Parameter
- * @return Description of the Return Value
- */
- public static Select makePulldown(String name, Object[] list, String selected, int rowsShowing)
- {
-
- Select select = new Select(name);
-
- for (int loop = 0; loop < list.length; loop++)
- {
-
- String value = list[loop].toString();
-
- org.apache.ecs.html.Option o = new org.apache.ecs.html.Option(value, value, value);
-
- if (value.equals(selected))
- {
-
- o.setSelected(true);
-
- }
-
- select.addElement(o);
-
- }
-
- select.setSize(rowsShowing);
-
- return select;
- }
-
- /**
- * Default size of 1 for rows showing in select box.
- *
- * @param diffNames
- * Description of the Parameter
- * @param select
- * Description of the Parameter
- * @param selected
- * Description of the Parameter
- * @param selected
- * Description of the Parameter
- * @param selected
- * Description of the Parameter
- * @param selected
- * Description of the Parameter
- * @param name
- * Description of the Parameter
- * @param options
- * Description of the Parameter
- * @param list
- * Description of the Parameter
- * @param selected
- * Description of the Parameter
- * @param selected
- * Description of the Parameter
- * @return Description of the Return Value
- */
- public static Element makeSelect(boolean diffNames, Select select, String name, Vector