Extended challenge 1 with checking ip address client
		| @ -1,5 +1,6 @@ | ||||
| package org.owasp.webgoat.plugin.challenge1; | ||||
|  | ||||
| import lombok.SneakyThrows; | ||||
| import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| @ -9,7 +10,9 @@ import org.springframework.web.bind.annotation.RequestMethod; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
|  | ||||
| import javax.servlet.http.HttpServletRequest; | ||||
| import java.io.IOException; | ||||
| import java.net.InetAddress; | ||||
|  | ||||
| import static org.owasp.webgoat.plugin.SolutionConstants.PASSWORD; | ||||
|  | ||||
| @ -48,10 +51,28 @@ public class Assignment1 extends AssignmentEndpoint { | ||||
|     @RequestMapping(method = RequestMethod.POST) | ||||
|     public | ||||
|     @ResponseBody | ||||
|     AttackResult completed(@RequestParam String username, @RequestParam String password) throws IOException { | ||||
|         if (PASSWORD.equals(password)) { | ||||
|     AttackResult completed(@RequestParam String username, @RequestParam String password, HttpServletRequest request) throws IOException { | ||||
|         boolean ipAddressKnown = checkClientOrigin(request); | ||||
|         boolean passwordCorrect = "admin".equals(username) && PASSWORD.equals(password); | ||||
|         if (passwordCorrect && ipAddressKnown) { | ||||
|             return success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(1)).build(); | ||||
|         } else if (passwordCorrect) { | ||||
|             return failed().feedback("ip.address.unknown").build(); | ||||
|         } | ||||
|         return failed().build(); | ||||
|     } | ||||
|  | ||||
|     @SneakyThrows | ||||
|     private boolean checkClientOrigin(HttpServletRequest request) { | ||||
|         InetAddress ip = InetAddress.getLocalHost(); | ||||
|         return getClientIP(request).contains(ip.getHostAddress()); | ||||
|     } | ||||
|  | ||||
|     private String getClientIP(HttpServletRequest request) { | ||||
|         String xfHeader = request.getHeader("X-Forwarded-For"); | ||||
|         if (xfHeader == null) { | ||||
|             return request.getRemoteAddr(); | ||||
|         } | ||||
|         return xfHeader.split(",")[0]; | ||||
|     } | ||||
| } | ||||
|  | ||||
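Review bot: The address that `checkClientOrigin` compares against is taken from `X-Forwarded-For` in `getClientIP` without any check that a trusted proxy set it, so the header value the request carries decides the outcome of the "known IP" gate, and `contains` matches a substring rather than the whole address. If this is the weakness the challenge is meant to teach, that intent should be stated where the code sits so it is neither "fixed" nor copied into real code, e.g. `// Intentionally trusts the client-supplied X-Forwarded-For header; this is the flaw the challenge is built around.` above `getClientIP`. A production version would take the client address from a proxy the deployment actually trusts and compare with `equals` rather than `contains`. Separately, `@SneakyThrows` on `checkClientOrigin` hides the `UnknownHostException` that `InetAddress.getLocalHost()` can throw, and that call may presumably resolve to a non-loopback interface address depending on host configuration, which would make the check environment-dependent; a short comment on which address is expected there would help.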
| @ -12,4 +12,6 @@ user.created=User {0} created, please proceed to the login page. | ||||
| input.invalid=Input for user, email and/or password is empty or too long, please fill in all field and/or limit all fields to 30 characters. | ||||
|  | ||||
| challenge.flag.correct=Congratulations you have solved the challenge!! | ||||
| challenge.flag.incorrect=Sorry this is not the correct flag, please try again. | ||||
| challenge.flag.incorrect=Sorry this is not the correct flag, please try again. | ||||
|  | ||||
| ip.address.unknown=IP address unknown, e-mail has been sent.  | ||||