Extended challenge 1 with checking ip address client

2017-05-02 09:13:41 +02:00 · 2017-05-02 09:13:41 +02:00 · 344b1f9beb
commit 344b1f9beb
parent 480dfe6a0a
2 changed files with 26 additions and 3 deletions
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge1/Assignment1.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge1/Assignment1.java
@ -1,5 +1,6 @@
 package org.owasp.webgoat.plugin.challenge1;

+import lombok.SneakyThrows;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
@ -9,7 +10,9 @@ import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;

+import javax.servlet.http.HttpServletRequest;
 import java.io.IOException;
+import java.net.InetAddress;

 import static org.owasp.webgoat.plugin.SolutionConstants.PASSWORD;

@ -48,10 +51,28 @@ public class Assignment1 extends AssignmentEndpoint {
    @RequestMapping(method = RequestMethod.POST)
    public
    @ResponseBody
-    AttackResult completed(@RequestParam String username, @RequestParam String password) throws IOException {
-        if (PASSWORD.equals(password)) {
+    AttackResult completed(@RequestParam String username, @RequestParam String password, HttpServletRequest request) throws IOException {
+        boolean ipAddressKnown = checkClientOrigin(request);
+        boolean passwordCorrect = "admin".equals(username) && PASSWORD.equals(password);
+        if (passwordCorrect && ipAddressKnown) {
            return success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(1)).build();
+        } else if (passwordCorrect) {
+            return failed().feedback("ip.address.unknown").build();
        }
        return failed().build();
    }
+
+    @SneakyThrows
+    private boolean checkClientOrigin(HttpServletRequest request) {
+        InetAddress ip = InetAddress.getLocalHost();
+        return getClientIP(request).contains(ip.getHostAddress());
+    }
+
+    private String getClientIP(HttpServletRequest request) {
+        String xfHeader = request.getHeader("X-Forwarded-For");
+        if (xfHeader == null) {
+            return request.getRemoteAddr();
+        }
+        return xfHeader.split(",")[0];
+    }
 }
--- a/webgoat-lessons/challenge/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/challenge/src/main/resources/i18n/WebGoatLabels.properties
@ -13,3 +13,5 @@ input.invalid=Input for user, email and/or password is empty or too long, please

 challenge.flag.correct=Congratulations you have solved the challenge!!
 challenge.flag.incorrect=Sorry this is not the correct flag, please try again.
+
+ip.address.unknown=IP address unknown, e-mail has been sent.