dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'feature/spring-boot' into develop

Browse Source 
* feature/spring-boot: (92 commits)
  XXE checkin
  XXE checkin
  XXE first attempt
  HTTP-Basics mark lesson complete issue fixed
  cleaning up some
  fixing the scroll 'sliver' problem. Likely need to check back on this when menu grows again
  lesson pagination fixes mainly, some other fixes included & clean up
  Incremental style changes
  refactor to help accomodate multiple attacks and output in one 'page'
  Updated some of the credits
  double-feedback fix on single page
  commenting out to stop redundant callbacks
  few cleanup items, added least privilege
  Fixed test for password
  First wave is complete; some rendering issues
  Trying to wire up the DB connection and fill out first sql stub
  Fixing hide/show of next/prev buttons
  another stub
  First round of sql injection with stubs
  Give focus to username when loading the login page
  ...

Signed-off-by: Doug Morato <dm@corp.io>

# Conflicts:
#	.travis.yml
#	README.MD
#	pom.xml
#	webgoat-container/pom.xml
#	webgoat-container/src/main/java/org/owasp/webgoat/HammerHead.java
#	webgoat-container/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java
#	webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonAdapter.java
#	webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginsLoader.java
#	webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java
#	webgoat-container/src/main/java/org/owasp/webgoat/session/WebgoatContext.java
#	webgoat-container/src/main/resources/static/js/goatApp/controller/LessonController.js
#	webgoat-container/src/main/resources/webgoat.properties
#	webgoat-container/src/main/webapp/META-INF/context.xml
#	webgoat-container/src/main/webapp/WEB-INF/context.xml
#	webgoat-container/src/main/webapp/js/goatApp/view/LessonContentView.js
#	webgoat-container/src/test/java/org/owasp/webgoat/plugins/WebGoatIT.java
#	webgoat-container/src/test/resources/log4j.properties
#	webgoat_developer_bootstrap.sh
This commit is contained in:
Doug Morato
2016-11-18 22:37:39 -05:00
parent b5467f0e59 f2a114419a
commit 3340eb92dd
371 changed files with 19523 additions and 29109 deletions
Download Patch File Download Diff File Expand all files Collapse all files

60
webgoat-container/src/main/java/org/owasp/webgoat/service/ApplicationService.java
View File

@ -1,60 +0,0 @@
/**
* *************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at
* https://github.com/WebGoat/WebGoat, a repository for free software projects.
*
*/
package org.owasp.webgoat.service;
import javax.servlet.http.HttpSession;
import org.owasp.webgoat.application.Application;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
/**
* <p>ApplicationService class.</p>
*
* @author rlawson
* @version $Id: $Id
*/
@Controller
public class ApplicationService extends BaseService {
/**
* Returns global application info
*
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link org.owasp.webgoat.application.Application} object.
*/
@RequestMapping(value = "/application.mvc", produces = "application/json")
public @ResponseBody
Application showApplication(HttpSession session) {
Application app = Application.getInstance();
return app;
}
}

108
webgoat-container/src/main/java/org/owasp/webgoat/service/BaseService.java
View File

@ -1,108 +0,0 @@
/**
* *************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
*
*/
package org.owasp.webgoat.service;
import java.io.PrintWriter;
import java.io.StringWriter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.owasp.webgoat.session.WebSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.ResponseStatus;
/**
* <p>Abstract BaseService class.</p>
*
* @author rlawson
* @version $Id: $Id
*/
@RequestMapping("/service")
public abstract class BaseService {
private static final Logger logger = LoggerFactory.getLogger(BaseService.class);
/**
* <p>handleException.</p>
*
* @param request a {@link javax.servlet.http.HttpServletRequest} object.
* @param ex a {@link java.lang.Exception} object.
* @return a {@link org.owasp.webgoat.service.ExceptionInfo} object.
*/
@ExceptionHandler(Exception.class)
@ResponseStatus(value = HttpStatus.I_AM_A_TEAPOT)
public @ResponseBody
ExceptionInfo handleException(HttpServletRequest request, Exception ex) {
String url = request.getRequestURL().toString();
logger.error("Exception handler for service caught exception when processing: " + url, ex);
ExceptionInfo response = new ExceptionInfo();
response.setUrl(url);
response.setMessage(getStringStackTrace(ex));
return response;
}
/**
* <p>getWebSession.</p>
*
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link org.owasp.webgoat.session.WebSession} object.
*/
public WebSession getWebSession(HttpSession session) {
WebSession ws;
Object o = session.getAttribute(WebSession.SESSION);
if (o == null) {
throw new IllegalArgumentException("No valid WebSession object found, has session timed out? [" + session.getId() + "]");
}
if (!(o instanceof WebSession)) {
throw new IllegalArgumentException("Invalid WebSession object found, this is probably a bug! [" + o.getClass() + " | " + session.getId() + "]");
}
ws = (WebSession) o;
return ws;
}
/**
* <p>getStringStackTrace.</p>
*
* @param t a {@link java.lang.Throwable} object.
* @return a {@link java.lang.String} object.
*/
public String getStringStackTrace(Throwable t){
StringWriter sw = new StringWriter();
PrintWriter pw = new PrintWriter(sw);
t.printStackTrace(pw);
return sw.toString();
}
}

41
webgoat-container/src/main/java/org/owasp/webgoat/service/CookieService.java
View File

@ -29,16 +29,14 @@
*/
package org.owasp.webgoat.service;
import java.util.Collections;
import java.util.List;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpSession;
import org.owasp.webgoat.lessons.model.RequestParameter;
import org.owasp.webgoat.session.WebSession;
import com.google.common.collect.Lists;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.servlet.ModelAndView;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpSession;
import java.util.List;
/**
* <p>CookieService class.</p>
@ -47,7 +45,7 @@ import org.springframework.web.servlet.ModelAndView;
* @version $Id: $Id
*/
@Controller
public class CookieService extends BaseService {
public class CookieService {
/**
* Returns cookies for last attack
@ -55,30 +53,11 @@ public class CookieService extends BaseService {
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link java.util.List} object.
*/
@RequestMapping(value = "/cookie.mvc", produces = "application/json")
@RequestMapping(path = "/service/cookie.mvc", produces = "application/json")
public @ResponseBody
List<Cookie> showCookies(HttpSession session) {
WebSession ws = getWebSession(session);
List<Cookie> cookies = ws.getCookiesOnLastRequest();
List<Cookie> showCookies() {
//// TODO: 11/6/2016 to be decided
List<Cookie> cookies = Lists.newArrayList();
return cookies;
}
/**
* Returns cookies and params for current lesson
*
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link org.springframework.web.servlet.ModelAndView} object.
*/
@RequestMapping(value = "/cookies_widget.mvc", produces = "text/html")
public ModelAndView showCookiesAndParamsAsHtml(HttpSession session) {
ModelAndView model = new ModelAndView();
WebSession ws = getWebSession(session);
List<Cookie> cookies = ws.getCookiesOnLastRequest();
List<RequestParameter> listParms = ws.getParmsOnLastRequest();
Collections.sort(listParms);
model.addObject("wgcookies", cookies);
model.addObject("wgparams", listParms);
model.setViewName("widgets/cookies_and_params");
return model;
}
}

75
webgoat-container/src/main/java/org/owasp/webgoat/service/ExceptionInfo.java
View File

@ -1,75 +0,0 @@
/***************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
*/
package org.owasp.webgoat.service;
/**
* <p>ExceptionInfo class.</p>
*
* @author rlawson
* @version $Id: $Id
*/
public class ExceptionInfo {
private String url;
private String message;
/**
* <p>Getter for the field <code>url</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getUrl() {
return url;
}
/**
* <p>Setter for the field <code>url</code>.</p>
*
* @param url a {@link java.lang.String} object.
*/
public void setUrl(String url) {
this.url = url;
}
/**
* <p>Getter for the field <code>message</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getMessage() {
return message;
}
/**
* <p>Setter for the field <code>message</code>.</p>
*
* @param message a {@link java.lang.String} object.
*/
public void setMessage(String message) {
this.message = message;
}
}

80
webgoat-container/src/main/java/org/owasp/webgoat/service/HintService.java
View File

@ -5,17 +5,17 @@
*/
package org.owasp.webgoat.service;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpSession;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.model.Hint;
import org.owasp.webgoat.session.WebSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.servlet.ModelAndView;
import java.util.ArrayList;
import java.util.List;
import static java.util.stream.Collectors.toList;
/**
* <p>HintService class.</p>
@ -24,73 +24,43 @@ import org.springframework.web.servlet.ModelAndView;
* @version $Id: $Id
*/
@Controller
public class HintService extends BaseService {
public class HintService {
private final WebSession webSession;
public HintService(WebSession webSession) {
this.webSession = webSession;
}
/**
* Returns hints for current lesson
*
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link java.util.List} object.
*/
@RequestMapping(value = "/hint.mvc", produces = "application/json")
public @ResponseBody
List<Hint> showHint(HttpSession session) {
@RequestMapping(path = "/service/hint.mvc", produces = "application/json")
public
@ResponseBody
List<Hint> showHint() {
List<Hint> listHints = new ArrayList<Hint>();
WebSession ws = getWebSession(session);
AbstractLesson l = ws.getCurrentLesson();
AbstractLesson l = webSession.getCurrentLesson();
if (l == null) {
return listHints;
}
List<String> hints = (l.getCategory().equals(Category.CHALLENGE)) ? null : l.getHintsPublic(ws);
List<String> hints = l.getHints();
if (hints == null) {
return listHints;
}
int idx = 0;
for (String h : hints) {
Hint hint = new Hint();
hint.setHint(h);
hint.setLesson(l.getName());
hint.setNumber(idx);
listHints.add(hint);
idx++;
}
return listHints;
return hints.stream().map(h -> createHint(h, l.getName(), idx)).collect(toList());
}
/**
* <p>showHintsAsHtml.</p>
*
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link org.springframework.web.servlet.ModelAndView} object.
*/
@RequestMapping(value = "/hint_widget.mvc", produces = "text/html")
public
ModelAndView showHintsAsHtml(HttpSession session) {
ModelAndView model = new ModelAndView();
List<Hint> listHints = new ArrayList<Hint>();
model.addObject("hints", listHints);
WebSession ws = getWebSession(session);
AbstractLesson l = ws.getCurrentLesson();
if (l == null) {
return model;
}
List<String> hints;
hints = l.getHintsPublic(ws);
if (hints == null) {
return model;
}
int idx = 0;
for (String h : hints) {
Hint hint = new Hint();
hint.setHint(h);
hint.setLesson(l.getName());
hint.setNumber(idx);
listHints.add(hint);
idx++;
}
model.setViewName("widgets/hints");
return model;
private Hint createHint(String hintText, String lesson, int idx) {
Hint hint = new Hint();
hint.setHint(hintText);
hint.setLesson(lesson);
hint.setNumber(idx);
return hint;
}
}

16
webgoat-container/src/main/java/org/owasp/webgoat/service/LabelDebugService.java
View File

@ -29,9 +29,6 @@
*/
package org.owasp.webgoat.service;
import java.util.HashMap;
import java.util.Map;
import org.owasp.webgoat.session.LabelDebugger;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@ -44,6 +41,9 @@ import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import java.util.HashMap;
import java.util.Map;
/**
* <p>LabelDebugService class.</p>
*
@ -51,9 +51,9 @@ import org.springframework.web.bind.annotation.ResponseBody;
* @version $Id: $Id
*/
@Controller
public class LabelDebugService extends BaseService {
public class LabelDebugService {
private static final String URL_DEBUG_LABELS_MVC = "/debug/labels.mvc";
private static final String URL_DEBUG_LABELS_MVC = "/service/debug/labels.mvc";
private static final String KEY_ENABLED = "enabled";
private static final String KEY_SUCCESS = "success";
@ -68,12 +68,12 @@ public class LabelDebugService extends BaseService {
*
* @return a {@link org.springframework.http.ResponseEntity} object.
*/
@RequestMapping(value = URL_DEBUG_LABELS_MVC, produces = MediaType.APPLICATION_JSON_VALUE)
@RequestMapping(path = URL_DEBUG_LABELS_MVC, produces = MediaType.APPLICATION_JSON_VALUE)
public @ResponseBody
ResponseEntity<Map<String, Object>> checkDebuggingStatus() {
logger.debug("Checking label debugging, it is " + labelDebugger.isEnabled()); // FIXME parameterize
Map<String, Object> result = createResponse(labelDebugger.isEnabled());
return new ResponseEntity<Map<String, Object>>(result, HttpStatus.OK);
return new ResponseEntity<>(result, HttpStatus.OK);
}
/**
@ -88,7 +88,7 @@ public class LabelDebugService extends BaseService {
logger.debug("Setting label debugging to " + labelDebugger.isEnabled()); // FIXME parameterize
Map<String, Object> result = createResponse(enabled);
labelDebugger.setEnabled(enabled);
return new ResponseEntity<Map<String, Object>>(result, HttpStatus.OK);
return new ResponseEntity<>(result, HttpStatus.OK);
}
/**

47
webgoat-container/src/main/java/org/owasp/webgoat/service/LessonInfoService.java
View File

@ -1,19 +1,10 @@
package org.owasp.webgoat.service;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.model.LessonInfoModel;
import org.owasp.webgoat.lessons.model.LessonMenuItem;
import org.owasp.webgoat.session.WebSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.ResponseStatus;
import javax.servlet.http.HttpSession;
@Controller
/**
@ -22,45 +13,23 @@ import javax.servlet.http.HttpSession;
* @author dm
* @version $Id: $Id
*/
public class LessonInfoService extends BaseService {
public class LessonInfoService {
private static final Logger logger = LoggerFactory.getLogger(LessonMenuService.class);
private final WebSession webSession;
public LessonInfoService(WebSession webSession) {
this.webSession = webSession;
}
/**
* <p>getLessonInfo.</p>
*
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link org.owasp.webgoat.lessons.model.LessonInfoModel} object.
*/
@RequestMapping(value = "/lessoninfo.mvc", produces = "application/json")
@RequestMapping(path = "/service/lessoninfo.mvc", produces = "application/json")
public @ResponseBody
LessonInfoModel getLessonInfo(HttpSession session) {
WebSession webSession = getWebSession(session);
LessonInfoModel getLessonInfo() {
return new LessonInfoModel(webSession);
}
/**
* <p>handleException.</p>
*
* @param ex a {@link java.lang.Exception} object.
* @return a {@link java.lang.String} object.
*/
@ExceptionHandler(Exception.class)
@ResponseBody
@ResponseStatus(value = HttpStatus.INTERNAL_SERVER_ERROR)
public String handleException(Exception ex) {
return "An error occurred retrieving the LessonInfoModel:" + ex.getMessage();
}
/**
* <p>getLessonInfoModel.</p>
*
* @param webSession a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link org.owasp.webgoat.lessons.model.LessonInfoModel} object.
*/
protected LessonInfoModel getLessonInfoModel(WebSession webSession) {
return new LessonInfoModel(webSession);
}
}

79
webgoat-container/src/main/java/org/owasp/webgoat/service/LessonMenuService.java
View File

@ -1,50 +1,49 @@
/**
* *************************************************************************************************
*
*
* <p>
* <p>
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* <p>
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* <p>
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* <p>
* Getting Source ==============
*
* <p>
* Source for this application is maintained at
* https://github.com/WebGoat/WebGoat, a repository for free software projects.
*
*/
package org.owasp.webgoat.service;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpSession;
import lombok.AllArgsConstructor;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.RandomLessonAdapter;
import org.owasp.webgoat.lessons.model.LessonMenuItem;
import org.owasp.webgoat.lessons.model.LessonMenuItemType;
import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.LessonTracker;
import org.owasp.webgoat.session.UserTracker;
import org.owasp.webgoat.session.WebSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import java.util.ArrayList;
import java.util.List;
/**
* <p>LessonMenuService class.</p>
*
@ -52,23 +51,23 @@ import org.springframework.web.bind.annotation.ResponseBody;
* @version $Id: $Id
*/
@Controller
public class LessonMenuService extends BaseService {
@AllArgsConstructor
public class LessonMenuService {
private static final Logger logger = LoggerFactory.getLogger(LessonMenuService.class);
private final Course course;
private UserTracker userTracker;
private final WebSession webSession;
/**
* Returns the lesson menu which is used to build the left nav
*
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link java.util.List} object.
*/
@RequestMapping(value = "/lessonmenu.mvc", produces = "application/json")
public @ResponseBody
List<LessonMenuItem> showLeftNav(HttpSession session) {
@RequestMapping(path = "/service/lessonmenu.mvc", produces = "application/json")
public
@ResponseBody
List<LessonMenuItem> showLeftNav() {
List<LessonMenuItem> menu = new ArrayList<LessonMenuItem>();
WebSession ws = getWebSession(session);
// Get the categories, these are the main menu items
Course course = ws.getCourse();
List<Category> categories = course.getCategories();
for (Category category : categories) {
@ -76,41 +75,15 @@ public class LessonMenuService extends BaseService {
categoryItem.setName(category.getName());
categoryItem.setType(LessonMenuItemType.CATEGORY);
// check for any lessons for this category
List<AbstractLesson> lessons = ws.getLessons(category);
String role = ws.getRole();
logger.info("Role: " + role);
List<AbstractLesson> lessons = course.getLessons(category);
for (AbstractLesson lesson : lessons) {
LessonMenuItem lessonItem = new LessonMenuItem();
lessonItem.setName(lesson.getTitle());
lessonItem.setLink(lesson.getLink());
lessonItem.setType(LessonMenuItemType.LESSON);
if (lesson.isCompleted(ws)) {
lessonItem.setComplete(true);
}
LessonTracker lessonTracker = userTracker.getLessonTracker(lesson);
lessonItem.setComplete(lessonTracker.isLessonSolved());
categoryItem.addChild(lessonItem);
// Does the lesson have stages
if (lesson instanceof RandomLessonAdapter) {
RandomLessonAdapter rla = (RandomLessonAdapter) lesson;
String[] stages = rla.getStages();
if (stages != null) {
String lessonLink = lesson.getLink();
int stageIdx = 1;
for (String stage : stages) {
LessonMenuItem stageItem = new LessonMenuItem();
stageItem.setName("Stage " + stageIdx + ": " + stage);
// build the link for the stage
String stageLink = lessonLink + "/" + stageIdx;
stageItem.setLink(stageLink);
stageItem.setType(LessonMenuItemType.STAGE);
if (rla.isStageComplete(ws, stage)) {
stageItem.setComplete(true);
}
lessonItem.addChild(stageItem);
stageIdx++;
}
}
}
}
menu.add(categoryItem);
}

39
webgoat-container/src/main/java/org/owasp/webgoat/service/LessonPlanService.java
View File

@ -29,15 +29,11 @@
*/
package org.owasp.webgoat.service;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.WebSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpSession;
/**
* <p>LessonPlanService class.</p>
*
@ -45,42 +41,33 @@ import javax.servlet.http.HttpSession;
* @version $Id: $Id
*/
@Controller
public class LessonPlanService extends BaseService {
//TODO remove
public class LessonPlanService {
private final WebSession webSession;
public LessonPlanService(WebSession webSession) {
this.webSession = webSession;
}
/**
* Returns source for current attack
*
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link java.lang.String} object.
*/
@RequestMapping(value = "/lessonplan.mvc", produces = "application/html")
@RequestMapping(path = "/service/lessonplan.mvc", produces = "application/html")
public @ResponseBody
String showPlan(HttpSession session) {
WebSession ws = getWebSession(session);
String plan = getPlan(ws);
String showPlan() {
String plan = getPlan();
return plan;
}
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected String getPlan(WebSession s) {
String plan = null;
int scr = s.getCurrentScreen();
Course course = s.getCourse();
if (s.isUser() || s.isAdmin()) {
AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
if (lesson != null) {
plan = lesson.getLessonPlan(s);
}
}
if (plan == null) {
plan = "Plan is not available for this lesson.";
}
return plan;
protected String getPlan() {
return "Plan is not available for this lesson.";
}
}

42
webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java
View File

@ -1,52 +1,48 @@
package org.owasp.webgoat.service;
import com.google.common.collect.Maps;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.RandomLessonAdapter;
import lombok.AllArgsConstructor;
import org.owasp.webgoat.i18n.LabelManager;
import org.owasp.webgoat.lessons.model.LessonInfoModel;
import org.owasp.webgoat.session.LessonTracker;
import org.owasp.webgoat.session.UserTracker;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.LabelManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpSession;
import java.util.Map;
@Controller
/**
* <p>LessonProgressService class.</p>
*
* @author webgoat
*/
public class LessonProgressService extends BaseService {
@Controller
@AllArgsConstructor
public class LessonProgressService {
private static final Logger logger = LoggerFactory.getLogger(LessonMenuService.class);
private LabelManager labelManager;
@Autowired
public LessonProgressService(final LabelManager labelManager) {
this.labelManager = labelManager;
}
private UserTracker userTracker;
private WebSession webSession;
/**
* <p>LessonProgressService.</p>
*
* @param session a {@link HttpSession} object.
* @return a {@link LessonInfoModel} object.
*/
@RequestMapping(value = "/lessonprogress.mvc", produces = "application/json")
@RequestMapping(value = "/service/lessonprogress.mvc", produces = "application/json")
@ResponseBody
public Map getLessonInfo(HttpSession session) {
WebSession webSession = getWebSession(session);
AbstractLesson lesson = webSession.getCurrentLesson();
boolean lessonCompleted = lesson.isCompleted(webSession);
String successMessage = lesson instanceof RandomLessonAdapter ? "Congratulations, you have completed this lab" : labelManager
.get("LessonCompleted");
public Map getLessonInfo() {
LessonTracker lessonTracker = userTracker.getLessonTracker(webSession.getCurrentLesson());
Map json = Maps.newHashMap();
String successMessage = "";
boolean lessonCompleted = false;
if (lessonTracker != null) {
lessonCompleted = lessonTracker.isLessonSolved();
successMessage = labelManager.get("LessonCompleted");
}
json.put("lessonCompleted", lessonCompleted);
json.put("successMessage", successMessage);
return json;

42
webgoat-container/src/main/java/org/owasp/webgoat/service/LessonTitleService.java
View File

@ -1,46 +1,38 @@
package org.owasp.webgoat.service;
import javax.servlet.http.HttpSession;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.WebSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
@Controller
/**
* <p>LessonTitleService class.</p>
*
* @version $Id: $Id
* @author dm
* @version $Id: $Id
*/
public class LessonTitleService extends BaseService {
@Controller
public class LessonTitleService {
private final WebSession webSession;
public LessonTitleService(final WebSession webSession) {
this.webSession = webSession;
}
/**
* Returns the title for the current attack
*
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link java.lang.String} object.
*/
@RequestMapping(value = "/lessontitle.mvc", produces = "application/html")
public @ResponseBody
String showPlan(HttpSession session) {
WebSession ws = getWebSession(session);
return getLessonTitle(ws);
}
private String getLessonTitle(WebSession s) {
String title = "";
int scr = s.getCurrentScreen();
Course course = s.getCourse();
if (s.isUser() || s.isChallenge()) {
AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
title = lesson != null ? lesson.getTitle() : "";
}
return title;
@RequestMapping(path = "/service/lessontitle.mvc", produces = "application/html")
public
@ResponseBody
String showPlan() {
AbstractLesson lesson = webSession.getCurrentLesson();
return lesson != null ? lesson.getTitle() : "";
}
}

22
webgoat-container/src/main/java/org/owasp/webgoat/service/ParameterService.java
View File

@ -29,18 +29,16 @@
*/
package org.owasp.webgoat.service;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.servlet.http.HttpSession;
import com.google.common.collect.Lists;
import org.owasp.webgoat.lessons.model.RequestParameter;
import org.owasp.webgoat.session.WebSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpSession;
import java.util.Collections;
import java.util.List;
/**
* <p>ParameterService class.</p>
*
@ -48,9 +46,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
* @version $Id: $Id
*/
@Controller
public class ParameterService extends BaseService {
final Logger logger = LoggerFactory.getLogger(ParameterService.class);
public class ParameterService {
/**
* Returns request parameters for last attack
@ -58,11 +54,11 @@ public class ParameterService extends BaseService {
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link java.util.List} object.
*/
@RequestMapping(value = "/parameter.mvc", produces = "application/json")
@RequestMapping(path = "/service/parameter.mvc", produces = "application/json")
public @ResponseBody
List<RequestParameter> showParameters(HttpSession session) {
WebSession ws = getWebSession(session);
List<RequestParameter> listParms = ws.getParmsOnLastRequest();
//// TODO: 11/6/2016 to decide not sure about the role in WebGoat 8
List<RequestParameter> listParms = Lists.newArrayList();
Collections.sort(listParms);
return listParms;
}

37
webgoat-container/src/main/java/org/owasp/webgoat/service/PluginReloadService.java
View File

@ -29,16 +29,6 @@
*/
package org.owasp.webgoat.service;
import java.nio.file.Paths;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpSession;
import org.owasp.webgoat.plugins.PluginsLoader;
import org.owasp.webgoat.session.WebSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
@ -46,6 +36,10 @@ import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpSession;
import java.util.HashMap;
import java.util.Map;
/**
* <p>PluginReloadService class.</p>
*
@ -53,9 +47,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
* @version $Id: $Id
*/
@Controller
public class PluginReloadService extends BaseService {
private static final Logger logger = LoggerFactory.getLogger(PluginReloadService.class);
public class PluginReloadService {
/**
* Reload all the plugins
@ -63,20 +55,21 @@ public class PluginReloadService extends BaseService {
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link org.springframework.http.ResponseEntity} object.
*/
@RequestMapping(value = "/reloadplugins.mvc", produces = MediaType.APPLICATION_JSON_VALUE)
@RequestMapping(path = "/service/reloadplugins.mvc", produces = MediaType.APPLICATION_JSON_VALUE)
public @ResponseBody
ResponseEntity<Map<String, Object>> reloadPlugins(HttpSession session) {
WebSession webSession = (WebSession) session.getAttribute(WebSession.SESSION);
logger.debug("Loading plugins into cache");
String pluginPath = session.getServletContext().getRealPath("plugin_lessons");
String targetPath = session.getServletContext().getRealPath("plugin_extracted");
new PluginsLoader(Paths.get(pluginPath), Paths.get(targetPath)).copyJars();
webSession.getCourse().loadLessonFromPlugin(session.getServletContext());
// WebSession webSession = (WebSession) session.getAttribute(WebSession.SESSION);
//
// logger.debug("Loading plugins into cache");
// String pluginPath = session.getServletContext().getRealPath("plugin_lessons");
// String targetPath = session.getServletContext().getRealPath("plugin_extracted");
// //TODO fix me
// //new PluginsLoader(Paths.get(pluginPath), Paths.get(targetPath)).copyJars();
// //webSession.getCourse().createLessonsFromPlugins();
Map<String, Object> result = new HashMap<String, Object>();
result.put("success", true);
result.put("message", "Plugins reloaded");
return new ResponseEntity<Map<String, Object>>(result, HttpStatus.OK);
return new ResponseEntity<>(result, HttpStatus.OK);
}
}

43
webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java
View File

@ -1,39 +1,38 @@
/***************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* <p>
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* <p>
* Getting Source ==============
*
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
*/
package org.owasp.webgoat.service;
import lombok.AllArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.session.UserTracker;
import org.owasp.webgoat.session.WebSession;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseStatus;
import javax.servlet.http.HttpSession;
/**
* <p>RestartLessonService class.</p>
*
@ -41,20 +40,24 @@ import javax.servlet.http.HttpSession;
* @version $Id: $Id
*/
@Controller
public class RestartLessonService extends BaseService {
@AllArgsConstructor
@Slf4j
public class RestartLessonService {
private final WebSession webSession;
private final UserTracker userTracker;
/**
* Returns current lesson
*
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link java.lang.String} object.
*/
@RequestMapping(value = "/restartlesson.mvc")
@RequestMapping(path = "/service/restartlesson.mvc", produces = "text/text")
@ResponseStatus(value = HttpStatus.OK)
public void restartLesson(HttpSession session) {
WebSession ws = getWebSession(session);
int currentScreen = ws.getCurrentScreen();
if(currentScreen > 0){
ws.restartLesson(currentScreen);
}
public void restartLesson() {
AbstractLesson al = webSession.getCurrentLesson();
log.debug("Restarting lesson: " + al);
userTracker.reset(al);
}
}

15
webgoat-container/src/main/java/org/owasp/webgoat/service/SessionService.java
View File

@ -5,16 +5,17 @@
*/
package org.owasp.webgoat.service;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
/**
* <p>SessionService class.</p>
@ -23,7 +24,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
* @version $Id: $Id
*/
@Controller
public class SessionService extends BaseService {
public class SessionService {
/**
* Returns hints for current lesson
@ -32,7 +33,7 @@ public class SessionService extends BaseService {
* @param request a {@link javax.servlet.http.HttpServletRequest} object.
* @return a {@link java.lang.String} object.
*/
@RequestMapping(value = "/session.mvc", produces = "application/json")
@RequestMapping(path = "/service/session.mvc", produces = "application/json")
public @ResponseBody
String showSession(HttpServletRequest request, HttpSession session) {
StringBuilder sb = new StringBuilder();

54
webgoat-container/src/main/java/org/owasp/webgoat/service/SolutionService.java
View File

@ -1,43 +1,37 @@
/**
* *************************************************************************************************
*
*
* <p>
* <p>
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* <p>
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* <p>
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* <p>
* Getting Source ==============
*
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
*
*/
package org.owasp.webgoat.service;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.WebSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpSession;
/**
* <p>SolutionService class.</p>
*
@ -45,42 +39,28 @@ import javax.servlet.http.HttpSession;
* @version $Id: $Id
*/
@Controller
public class SolutionService extends BaseService {
public class SolutionService {
/**
* Returns solution for current attack
*
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link java.lang.String} object.
*/
@RequestMapping(value = "/solution.mvc", produces = "text/html")
public @ResponseBody
String showSolution(HttpSession session) {
WebSession ws = getWebSession(session);
String source = getSolution(ws);
@RequestMapping(path = "/service/solution.mvc", produces = "text/html")
public
@ResponseBody
String showSolution() {
//// TODO: 11/6/2016 to decide not sure about the role in WebGoat 8
String source = getSolution();
return source;
}
/**
* <p>getSolution.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link java.lang.String} object.
*/
protected String getSolution(WebSession s) {
String source = null;
int scr = s.getCurrentScreen();
Course course = s.getCourse();
if (s.isUser() || s.isAdmin()) {
AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
if (lesson != null) {
source = lesson.getSolution(s);
}
}
if (source == null) {
return "Solution is not available. Contact " + s.getWebgoatContext().getFeedbackAddressHTML();
}
return source;
protected String getSolution() {
return "Solution is not available";
}
}

62
webgoat-container/src/main/java/org/owasp/webgoat/service/SourceService.java
View File

@ -1,47 +1,40 @@
/**
* *************************************************************************************************
*
*
* <p>
* <p>
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* <p>
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* <p>
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* <p>
* Getting Source ==============
*
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
*
*/
package org.owasp.webgoat.service;
import org.apache.commons.lang3.StringEscapeUtils;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.WebSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpSession;
import static org.owasp.webgoat.LessonSource.END_SOURCE_SKIP;
import static org.owasp.webgoat.LessonSource.START_SOURCE_SKIP;
/**
* <p>SourceService class.</p>
*
@ -49,7 +42,16 @@ import static org.owasp.webgoat.LessonSource.START_SOURCE_SKIP;
* @version $Id: $Id
*/
@Controller
public class SourceService extends BaseService {
//TODO REMOVE!
public class SourceService {
/**
* Description of the Field
*/
public final static String START_SOURCE_SKIP = "START_OMIT_SOURCE";
/** Constant <code>END_SOURCE_SKIP="END_OMIT_SOURCE"</code> */
public final static String END_SOURCE_SKIP = "END_OMIT_SOURCE";
/**
* Returns source for current attack
@ -57,11 +59,12 @@ public class SourceService extends BaseService {
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link java.lang.String} object.
*/
@RequestMapping(value = "/source.mvc", produces = "application/text")
public @ResponseBody
@RequestMapping(path = "/service/source.mvc", produces = "application/text")
public
@ResponseBody
String showSource(HttpSession session) {
WebSession ws = getWebSession(session);
String source = getSource(ws);
//// TODO: 11/6/2016 to decide not sure about the role in WebGoat 8
String source = getSource();
if (source == null) {
source = "No source listing found";
}
@ -71,24 +74,9 @@ public class SourceService extends BaseService {
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected String getSource(WebSession s) {
String source = null;
int scr = s.getCurrentScreen();
Course course = s.getCourse();
if (s.isUser() || s.isAdmin()) {
AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
if (lesson != null) {
source = lesson.getRawSource(s);
}
}
if (source == null) {
return "Source code is not available for this lesson.";
}
return source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP,
"Code Section Deliberately Omitted");
protected String getSource() {
return "Source code is not available for this lesson.";
}
}