dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: challenge test fails sometimes when calling scoreboard endpoint

Browse Source
This commit is contained in:
Nanne Baars 2023-02-15 17:28:15 +00:00
parent eb4c8388f8
commit 3ec34b0df5
3 changed files with 99 additions and 103 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

176
src/it/java/org/owasp/webgoat/ChallengeIntegrationTest.java
View File

@ -1,112 +1,112 @@
package org.owasp.webgoat; package org.owasp.webgoat;
import static java.util.concurrent.TimeUnit.SECONDS;
import static org.hamcrest.Matchers.lessThan;
import static org.junit.jupiter.api.Assertions.assertTrue;
import io.restassured.RestAssured; import io.restassured.RestAssured;
import org.junit.jupiter.api.Test;
import java.util.Arrays; import java.util.Arrays;
import java.util.HashMap; import java.util.HashMap;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import org.junit.jupiter.api.Test;
import static org.junit.jupiter.api.Assertions.assertTrue;
public class ChallengeIntegrationTest extends IntegrationTest { public class ChallengeIntegrationTest extends IntegrationTest {
@Test @Test
public void testChallenge1() { public void testChallenge1() {
startLesson("Challenge1"); startLesson("Challenge1");
byte[] resultBytes = byte[] resultBytes =
RestAssured.given() RestAssured.given()
.when() .when()
.relaxedHTTPSValidation() .relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie()) .cookie("JSESSIONID", getWebGoatCookie())
.get(url("/WebGoat/challenge/logo")) .get(url("/WebGoat/challenge/logo"))
.then() .then()
.statusCode(200) .statusCode(200)
.extract().asByteArray(); .extract()
.asByteArray();
String pincode = new String(Arrays.copyOfRange(resultBytes, 81216, 81220)); String pincode = new String(Arrays.copyOfRange(resultBytes, 81216, 81220));
Map<String, Object> params = new HashMap<>(); Map<String, Object> params = new HashMap<>();
params.clear(); params.clear();
params.put("username", "admin"); params.put("username", "admin");
params.put("password", "!!webgoat_admin_1234!!".replace("1234", pincode)); params.put("password", "!!webgoat_admin_1234!!".replace("1234", pincode));
checkAssignment(url("/WebGoat/challenge/1"), params, true);
String result =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.formParams(params)
.post(url("/WebGoat/challenge/1"))
.then()
.statusCode(200)
.extract()
.asString();
checkAssignment(url("/WebGoat/challenge/1"), params, true); String flag = result.substring(result.indexOf("flag") + 6, result.indexOf("flag") + 42);
String result = params.clear();
RestAssured.given() params.put("flag", flag);
.when() checkAssignment(url("/WebGoat/challenge/flag"), params, true);
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.formParams(params)
.post(url("/WebGoat/challenge/1"))
.then()
.statusCode(200)
.extract().asString();
String flag = result.substring(result.indexOf("flag") + 6, result.indexOf("flag") + 42); checkResults("/challenge/1");
params.clear();
params.put("flag", flag);
checkAssignment(url("/WebGoat/challenge/flag"), params, true);
List<String> capturefFlags =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("/WebGoat/scoreboard-data"))
.then()
.statusCode(200)
.extract()
.jsonPath()
.get("find { it.username == \"" + this.getUser() + "\" }.flagsCaptured");
assertTrue(capturefFlags.contains("Admin lost password"));
}
checkResults("/challenge/1"); @Test
public void testChallenge5() {
startLesson("Challenge5");
List<String> capturefFlags = Map<String, Object> params = new HashMap<>();
RestAssured.given() params.clear();
.when() params.put("username_login", "Larry");
.relaxedHTTPSValidation() params.put("password_login", "1' or '1'='1");
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("/WebGoat/scoreboard-data"))
.then()
.statusCode(200)
.extract().jsonPath()
.get("find { it.username == \"" + this.getUser() + "\" }.flagsCaptured");
assertTrue(capturefFlags.contains("Admin lost password"));
}
@Test String result =
public void testChallenge5() { RestAssured.given()
startLesson("Challenge5"); .when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.formParams(params)
.post(url("/WebGoat/challenge/5"))
.then()
.statusCode(200)
.extract()
.asString();
Map<String, Object> params = new HashMap<>(); String flag = result.substring(result.indexOf("flag") + 6, result.indexOf("flag") + 42);
params.clear(); params.clear();
params.put("username_login", "Larry"); params.put("flag", flag);
params.put("password_login", "1' or '1'='1"); checkAssignment(url("/WebGoat/challenge/flag"), params, true);
String result = checkResults("/challenge/5");
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.formParams(params)
.post(url("/WebGoat/challenge/5"))
.then()
.statusCode(200)
.extract().asString();
String flag = result.substring(result.indexOf("flag") + 6, result.indexOf("flag") + 42);
params.clear();
params.put("flag", flag);
checkAssignment(url("/WebGoat/challenge/flag"), params, true);
checkResults("/challenge/5");
List<String> capturefFlags =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("/WebGoat/scoreboard-data"))
.then()
.statusCode(200)
.extract().jsonPath()
.get("find { it.username == \"" + this.getUser() + "\" }.flagsCaptured");
assertTrue(capturefFlags.contains("Without password"));
}
List<String> capturefFlags =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("/WebGoat/scoreboard-data"))
.then()
.statusCode(200)
.extract()
.jsonPath()
.get("find { it.username == \"" + this.getUser() + "\" }.flagsCaptured");
assertTrue(capturefFlags.contains("Without password"));
}
} }

2
src/it/java/org/owasp/webgoat/IntegrationTest.java
View File

@ -26,7 +26,7 @@ public abstract class IntegrationTest {
@Getter @Getter
private String webWolfCookie; private String webWolfCookie;
@Getter @Getter
private String user = "webgoat"; private final String user = "webgoat";
protected String url(String url) { protected String url(String url) {
url = url.replaceFirst("/WebGoat/", ""); url = url.replaceFirst("/WebGoat/", "");

24
src/main/java/org/owasp/webgoat/container/users/Scoreboard.java
View File

@ -1,8 +1,8 @@
package org.owasp.webgoat.container.users; package org.owasp.webgoat.container.users;
import java.util.ArrayList;
import java.util.List; import java.util.List;
import java.util.Optional; import java.util.Optional;
import java.util.stream.Collectors;
import lombok.AllArgsConstructor; import lombok.AllArgsConstructor;
import lombok.Getter; import lombok.Getter;
import org.owasp.webgoat.container.i18n.PluginMessages; import org.owasp.webgoat.container.i18n.PluginMessages;
@ -35,19 +35,15 @@ public class Scoreboard {
@GetMapping("/scoreboard-data") @GetMapping("/scoreboard-data")
public List<Ranking> getRankings() { public List<Ranking> getRankings() {
List<WebGoatUser> allUsers = userRepository.findAll(); return userRepository.findAll().stream()
List<Ranking> rankings = new ArrayList<>(); .filter(user -> !user.getUsername().startsWith("csrf-"))
for (WebGoatUser user : allUsers) { .map(
if (user.getUsername().startsWith("csrf-")) { user ->
// the csrf- assignment specific users do not need to be in the overview new Ranking(
continue; user.getUsername(),
} challengesSolved(userTrackerRepository.findByUser(user.getUsername()))))
UserTracker userTracker = userTrackerRepository.findByUser(user.getUsername()); .sorted((o1, o2) -> o2.getFlagsCaptured().size() - o1.getFlagsCaptured().size())
rankings.add(new Ranking(user.getUsername(), challengesSolved(userTracker))); .collect(Collectors.toList());
}
/* sort on number of captured flags to present an ordered ranking */
rankings.sort((o1, o2) -> o2.getFlagsCaptured().size() - o1.getFlagsCaptured().size());
return rankings;
} }
private List<String> challengesSolved(UserTracker userTracker) { private List<String> challengesSolved(UserTracker userTracker) {