diff --git a/src/it/java/org/owasp/webgoat/ChallengeIntegrationTest.java b/src/it/java/org/owasp/webgoat/ChallengeIntegrationTest.java
index f4f8152c7..cc9cd397d 100644
--- a/src/it/java/org/owasp/webgoat/ChallengeIntegrationTest.java
+++ b/src/it/java/org/owasp/webgoat/ChallengeIntegrationTest.java
@@ -1,112 +1,112 @@
 package org.owasp.webgoat;
+import static java.util.concurrent.TimeUnit.SECONDS;
+import static org.hamcrest.Matchers.lessThan;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 import io.restassured.RestAssured;
-import org.junit.jupiter.api.Test;
-
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-
-import static org.junit.jupiter.api.Assertions.assertTrue;
-
+import org.junit.jupiter.api.Test;
 public class ChallengeIntegrationTest extends IntegrationTest {
- @Test
- public void testChallenge1() {
- startLesson("Challenge1");
+ @Test
+ public void testChallenge1() {
+ startLesson("Challenge1");
- byte[] resultBytes =
- RestAssured.given()
- .when()
- .relaxedHTTPSValidation()
- .cookie("JSESSIONID", getWebGoatCookie())
- .get(url("/WebGoat/challenge/logo"))
- .then()
- .statusCode(200)
- .extract().asByteArray();
+ byte[] resultBytes =
+ RestAssured.given()
+ .when()
+ .relaxedHTTPSValidation()
+ .cookie("JSESSIONID", getWebGoatCookie())
+ .get(url("/WebGoat/challenge/logo"))
+ .then()
+ .statusCode(200)
+ .extract()
+ .asByteArray();
- String pincode = new String(Arrays.copyOfRange(resultBytes, 81216, 81220));
- Map params = new HashMap<>();
- params.clear();
- params.put("username", "admin");
- params.put("password", "!!webgoat_admin_1234!!".replace("1234", pincode));
+ String pincode = new String(Arrays.copyOfRange(resultBytes, 81216, 81220));
+ Map params = new HashMap<>();
+ params.clear();
+ params.put("username", "admin");
+ params.put("password", "!!webgoat_admin_1234!!".replace("1234", pincode));
+ checkAssignment(url("/WebGoat/challenge/1"), params, true);
+ String result =
+ RestAssured.given()
+ .when()
+ .relaxedHTTPSValidation()
+ .cookie("JSESSIONID", getWebGoatCookie())
+ .formParams(params)
+ .post(url("/WebGoat/challenge/1"))
+ .then()
+ .statusCode(200)
+ .extract()
+ .asString();
- checkAssignment(url("/WebGoat/challenge/1"), params, true);
- String result =
- RestAssured.given()
- .when()
- .relaxedHTTPSValidation()
- .cookie("JSESSIONID", getWebGoatCookie())
- .formParams(params)
- .post(url("/WebGoat/challenge/1"))
- .then()
- .statusCode(200)
- .extract().asString();
+ String flag = result.substring(result.indexOf("flag") + 6, result.indexOf("flag") + 42);
+ params.clear();
+ params.put("flag", flag);
+ checkAssignment(url("/WebGoat/challenge/flag"), params, true);
- String flag = result.substring(result.indexOf("flag") + 6, result.indexOf("flag") + 42);
- params.clear();
- params.put("flag", flag);
- checkAssignment(url("/WebGoat/challenge/flag"), params, true);
+ checkResults("/challenge/1");
+ List capturefFlags =
+ RestAssured.given()
+ .when()
+ .relaxedHTTPSValidation()
+ .cookie("JSESSIONID", getWebGoatCookie())
+ .get(url("/WebGoat/scoreboard-data"))
+ .then()
+ .statusCode(200)
+ .extract()
+ .jsonPath()
+ .get("find { it.username == \"" + this.getUser() + "\" }.flagsCaptured");
+ assertTrue(capturefFlags.contains("Admin lost password"));
+ }
- checkResults("/challenge/1");
+ @Test
+ public void testChallenge5() {
+ startLesson("Challenge5");
- List capturefFlags =
- RestAssured.given()
- .when()
- .relaxedHTTPSValidation()
- .cookie("JSESSIONID", getWebGoatCookie())
- .get(url("/WebGoat/scoreboard-data"))
- .then()
- .statusCode(200)
- .extract().jsonPath()
- .get("find { it.username == \"" + this.getUser() + "\" }.flagsCaptured");
- assertTrue(capturefFlags.contains("Admin lost password"));
- }
+ Map params = new HashMap<>();
+ params.clear();
+ params.put("username_login", "Larry");
+ params.put("password_login", "1' or '1'='1");
- @Test
- public void testChallenge5() {
- startLesson("Challenge5");
+ String result =
+ RestAssured.given()
+ .when()
+ .relaxedHTTPSValidation()
+ .cookie("JSESSIONID", getWebGoatCookie())
+ .formParams(params)
+ .post(url("/WebGoat/challenge/5"))
+ .then()
+ .statusCode(200)
+ .extract()
+ .asString();
- Map params = new HashMap<>();
- params.clear();
- params.put("username_login", "Larry");
- params.put("password_login", "1' or '1'='1");
+ String flag = result.substring(result.indexOf("flag") + 6, result.indexOf("flag") + 42);
+ params.clear();
+ params.put("flag", flag);
+ checkAssignment(url("/WebGoat/challenge/flag"), params, true);
- String result =
- RestAssured.given()
- .when()
- .relaxedHTTPSValidation()
- .cookie("JSESSIONID", getWebGoatCookie())
- .formParams(params)
- .post(url("/WebGoat/challenge/5"))
- .then()
- .statusCode(200)
- .extract().asString();
-
- String flag = result.substring(result.indexOf("flag") + 6, result.indexOf("flag") + 42);
- params.clear();
- params.put("flag", flag);
- checkAssignment(url("/WebGoat/challenge/flag"), params, true);
-
-
- checkResults("/challenge/5");
-
- List capturefFlags =
- RestAssured.given()
- .when()
- .relaxedHTTPSValidation()
- .cookie("JSESSIONID", getWebGoatCookie())
- .get(url("/WebGoat/scoreboard-data"))
- .then()
- .statusCode(200)
- .extract().jsonPath()
- .get("find { it.username == \"" + this.getUser() + "\" }.flagsCaptured");
- assertTrue(capturefFlags.contains("Without password"));
- }
+ checkResults("/challenge/5");
+ List capturefFlags =
+ RestAssured.given()
+ .when()
+ .relaxedHTTPSValidation()
+ .cookie("JSESSIONID", getWebGoatCookie())
+ .get(url("/WebGoat/scoreboard-data"))
+ .then()
+ .statusCode(200)
+ .extract()
+ .jsonPath()
+ .get("find { it.username == \"" + this.getUser() + "\" }.flagsCaptured");
+ assertTrue(capturefFlags.contains("Without password"));
+ }
 }
diff --git a/src/it/java/org/owasp/webgoat/IntegrationTest.java b/src/it/java/org/owasp/webgoat/IntegrationTest.java
index c04c9578d..c3fb3d9ff 100644
--- a/src/it/java/org/owasp/webgoat/IntegrationTest.java
+++ b/src/it/java/org/owasp/webgoat/IntegrationTest.java
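Review bot: The new static imports `SECONDS` and `lessThan` at the top of the file are not referenced anywhere in the 112 new lines this hunk covers (the whole file), so they look like leftovers and should be dropped unless the assertion that uses them is meant to be added. In `testChallenge1`, `new String(Arrays.copyOfRange(resultBytes, 81216, 81220))` decodes with the platform default charset on JDKs before 18; `new String(Arrays.copyOfRange(resultBytes, 81216, 81220), StandardCharsets.UTF_8)` keeps the pincode extraction independent of the runner's locale. In both tests `result.substring(result.indexOf("flag") + 6, result.indexOf("flag") + 42)` is evaluated without checking that `indexOf` matched, so a response without a flag yields an unrelated slice and the failure only surfaces at the later `checkAssignment`; an `assertTrue(result.contains("flag"), "no flag in challenge response")` before the substring makes the failure point obvious. The local `capturefFlags` is presumably a typo for `capturedFlags`.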
@@ -26,7 +26,7 @@ public abstract class IntegrationTest {
 @Getter
 private String webWolfCookie;
 @Getter
- private String user = "webgoat";
+ private final String user = "webgoat";
 protected String url(String url) {
 url = url.replaceFirst("/WebGoat/", "");
diff --git a/src/main/java/org/owasp/webgoat/container/users/Scoreboard.java b/src/main/java/org/owasp/webgoat/container/users/Scoreboard.java
index 2f5ddefe2..3d94b056b 100644
--- a/src/main/java/org/owasp/webgoat/container/users/Scoreboard.java
+++ b/src/main/java/org/owasp/webgoat/container/users/Scoreboard.java
@@ -1,8 +1,8 @@
 package org.owasp.webgoat.container.users;
-import java.util.ArrayList;
 import java.util.List;
 import java.util.Optional;
+import java.util.stream.Collectors;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import org.owasp.webgoat.container.i18n.PluginMessages;
@@ -35,19 +35,15 @@ public class Scoreboard {
 @GetMapping("/scoreboard-data")
 public List getRankings() {
- List allUsers = userRepository.findAll();
- List rankings = new ArrayList<>();
- for (WebGoatUser user : allUsers) {
- if (user.getUsername().startsWith("csrf-")) {
- // the csrf- assignment specific users do not need to be in the overview
- continue;
- }
- UserTracker userTracker = userTrackerRepository.findByUser(user.getUsername());
- rankings.add(new Ranking(user.getUsername(), challengesSolved(userTracker)));
- }
- /* sort on number of captured flags to present an ordered ranking */
- rankings.sort((o1, o2) -> o2.getFlagsCaptured().size() - o1.getFlagsCaptured().size());
- return rankings;
+ return userRepository.findAll().stream()
+ .filter(user -> !user.getUsername().startsWith("csrf-"))
+ .map(
+ user ->
+ new Ranking(
+ user.getUsername(),
+ challengesSolved(userTrackerRepository.findByUser(user.getUsername()))))
+ .sorted((o1, o2) -> o2.getFlagsCaptured().size() - o1.getFlagsCaptured().size())
+ .collect(Collectors.toList());
 }
 private List challengesSolved(UserTracker userTracker) {
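Review bot: The stream rewrite of `getRankings` drops both explanatory comments the loop carried — why `csrf-` users are excluded and that the sort is by number of captured flags — so the `.filter(...)` and `.sorted(...)` lines now lack their rationale; suggest `// csrf- assignment-specific users are not part of the overview` above the filter and `// most captured flags first` above the sort. The comparator `(o1, o2) -> o2.getFlagsCaptured().size() - o1.getFlagsCaptured().size()` is carried over unchanged and is safe for non-negative sizes, but `Comparator.comparingInt((Ranking r) -> r.getFlagsCaptured().size()).reversed()` (with `java.util.Comparator` imported) states the intent without relying on subtraction. The `userTrackerRepository.findByUser(...)` call inside `map` also keeps the one-lookup-per-user pattern of the old loop, which is worth a short comment if the user table is expected to grow.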