From 344b1f9bebb81db371eecdaf146c5baaf74d85db Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Tue, 2 May 2017 09:13:41 +0200
Subject: [PATCH] Extended challenge 1 with checking ip address client

---
 .../plugin/challenge1/Assignment1.java        | 25 +++++++++++++++++--
 .../resources/i18n/WebGoatLabels.properties   |  4 ++-
 2 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge1/Assignment1.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge1/Assignment1.java
index a05fcafab..a4dfae2d4 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge1/Assignment1.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge1/Assignment1.java
@@ -1,5 +1,6 @@
 package org.owasp.webgoat.plugin.challenge1;
 
+import lombok.SneakyThrows;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
@@ -9,7 +10,9 @@ import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
+import javax.servlet.http.HttpServletRequest;
 import java.io.IOException;
+import java.net.InetAddress;
 
 import static org.owasp.webgoat.plugin.SolutionConstants.PASSWORD;
 
@@ -48,10 +51,28 @@ public class Assignment1 extends AssignmentEndpoint {
     @RequestMapping(method = RequestMethod.POST)
     public
     @ResponseBody
-    AttackResult completed(@RequestParam String username, @RequestParam String password) throws IOException {
-        if (PASSWORD.equals(password)) {
+    AttackResult completed(@RequestParam String username, @RequestParam String password, HttpServletRequest request) throws IOException {
+        boolean ipAddressKnown = checkClientOrigin(request);
+        boolean passwordCorrect = "admin".equals(username) && PASSWORD.equals(password);
+        if (passwordCorrect && ipAddressKnown) {
             return success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(1)).build();
+        } else if (passwordCorrect) {
+            return failed().feedback("ip.address.unknown").build();
         }
         return failed().build();
     }
+
+    @SneakyThrows
+    private boolean checkClientOrigin(HttpServletRequest request) {
+        InetAddress ip = InetAddress.getLocalHost();
+        return getClientIP(request).contains(ip.getHostAddress());
+    }
+
+    private String getClientIP(HttpServletRequest request) {
+        String xfHeader = request.getHeader("X-Forwarded-For");
+        if (xfHeader == null) {
+            return request.getRemoteAddr();
+        }
+        return xfHeader.split(",")[0];
+    }
 }
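Review bot: `checkClientOrigin` matches the client address with `String.contains`, so any client string that merely contains the local host address as a substring passes — with a host address of `10.0.0.1`, a client at `10.0.0.12` or `110.0.0.1` is accepted. An exact comparison on the trimmed first `X-Forwarded-For` entry would do what the check intends: `return ip.getHostAddress().equals(getClientIP(request).trim());`. Note also that `getClientIP` prefers a client-supplied header over `getRemoteAddr()`, so the check is forgeable by anyone who sends `X-Forwarded-For` with the local address; if that is the intended solution path for this challenge, say so in a comment on `getClientIP`, e.g. `// Deliberately trusts X-Forwarded-For: the header is client-controlled, which is the weakness this challenge exposes.`, so a later maintainer does not mistake it for a real origin check. `@SneakyThrows` also hides the `UnknownHostException` from `InetAddress.getLocalHost()`, which would surface as an opaque failure rather than a clear error.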
diff --git a/webgoat-lessons/challenge/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/challenge/src/main/resources/i18n/WebGoatLabels.properties
index 9e5284d90..517e234aa 100644
--- a/webgoat-lessons/challenge/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/challenge/src/main/resources/i18n/WebGoatLabels.properties
@@ -12,4 +12,6 @@ user.created=User {0} created, please proceed to the login page.
 input.invalid=Input for user, email and/or password is empty or too long, please fill in all field and/or limit all fields to 30 characters.
 
 challenge.flag.correct=Congratulations you have solved the challenge!!
-challenge.flag.incorrect=Sorry this is not the correct flag, please try again.
\ No newline at end of file
+challenge.flag.incorrect=Sorry this is not the correct flag, please try again.
+
+ip.address.unknown=IP address unknown, e-mail has been sent. 
\ No newline at end of file