From 431da309464447f0dbd6376900dcd81d93af3031 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Zubcevic?= <rene@zubcevic.com>
Date: Sun, 21 Feb 2021 19:57:08 +0100
Subject: [PATCH] Selenium test added (#906)

* add a selenium test for firefox

* add geckodriver and firefox to travis

* install updated

* install updated

* try out suggested webdriver dependency class

* add more resilience
---
 .travis.yml                                   |   5 +-
 webgoat-integration-tests/pom.xml             |  11 ++
 .../java/org/owasp/webgoat/SeleniumTest.java  | 111 ++++++++++++++++++
 .../owasp/webgoat/SqlInjectionLessonTest.java |  30 ++---
 4 files changed, 141 insertions(+), 16 deletions(-)
 create mode 100644 webgoat-integration-tests/src/test/java/org/owasp/webgoat/SeleniumTest.java

diff --git a/.travis.yml b/.travis.yml
index 06ccd5c81..05d704bce 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -8,7 +8,10 @@ dist: xenial
 jdk:
   - openjdk11
   - openjdk15
-install: true
+addons:
+  firefox: latest
+install:  
+  - true
 script:
   - export BRANCH=$(if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then echo $TRAVIS_BRANCH;
     else echo $TRAVIS_PULL_REQUEST_BRANCH; fi)
diff --git a/webgoat-integration-tests/pom.xml b/webgoat-integration-tests/pom.xml
index 630e6c280..853ce0244 100644
--- a/webgoat-integration-tests/pom.xml
+++ b/webgoat-integration-tests/pom.xml
@@ -10,6 +10,17 @@
     </parent>
 
     <dependencies>
+    	<dependency>
+            <groupId>org.seleniumhq.selenium</groupId>
+	    <artifactId>selenium-java</artifactId>
+	    <scope>test</scope>
+	</dependency>
+	<dependency>
+    	<groupId>io.github.bonigarcia</groupId>
+    	<artifactId>webdrivermanager</artifactId>
+    	<version>4.2.2</version>
+    	<scope>test</scope>
+	</dependency>
         <dependency>
             <groupId>org.owasp.webgoat</groupId>
             <artifactId>webgoat-server</artifactId>
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SeleniumTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SeleniumTest.java
new file mode 100644
index 000000000..032d9676c
--- /dev/null
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SeleniumTest.java
@@ -0,0 +1,111 @@
+package org.owasp.webgoat;
+
+import java.util.concurrent.TimeUnit;
+
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.openqa.selenium.By;
+import org.openqa.selenium.WebDriver;
+import org.openqa.selenium.firefox.FirefoxBinary;
+import org.openqa.selenium.firefox.FirefoxDriver;
+import org.openqa.selenium.firefox.FirefoxOptions;
+
+import io.github.bonigarcia.wdm.WebDriverManager;
+import io.github.bonigarcia.wdm.config.DriverManagerType;
+
+public class SeleniumTest extends IntegrationTest {
+
+	static {
+		try {
+			WebDriverManager.getInstance(DriverManagerType.FIREFOX).setup();
+		} catch (Exception e) {
+			//sometimes a 403 cause an ExceptionInInitializerError
+		}
+	}
+	private WebDriver driver;
+
+	@BeforeEach
+	public void setUpAndLogin() {
+		try {
+			FirefoxBinary firefoxBinary = new FirefoxBinary();
+			firefoxBinary.addCommandLineOptions("--headless");
+
+			FirefoxOptions firefoxOptions = new FirefoxOptions();
+			firefoxOptions.setBinary(firefoxBinary);
+			driver = new FirefoxDriver(firefoxOptions);
+			driver.get(url("/login"));
+			driver.manage().timeouts().implicitlyWait(30, TimeUnit.SECONDS);
+			// Login
+			driver.findElement(By.name("username")).sendKeys(getWebgoatUser());
+			driver.findElement(By.name("password")).sendKeys("password");
+			driver.findElement(By.className("btn")).click();
+
+			// Check if user exists. If not, create user.
+			if (driver.getCurrentUrl().equals(url("/login?error"))) {
+				driver.get(url("/registration"));
+				driver.findElement(By.id("username")).sendKeys(getWebgoatUser());
+				driver.findElement(By.id("password")).sendKeys("password");
+				driver.findElement(By.id("matchingPassword")).sendKeys("password");
+				driver.findElement(By.name("agree")).click();
+				driver.findElement(By.className("btn-primary")).click();
+			}
+		} catch (IllegalStateException e) {
+			System.err.println("Web driver not found here: "+System.getProperty("webdriver.gecko.driver"));
+		}
+
+	}
+
+	@AfterEach
+	public void tearDown() {
+		if (null != driver) {
+			driver.close();
+		}
+	}
+
+	@Test
+	public void sqlInjection() {
+		
+		if (null==driver) return;
+
+		driver.get(url("/start.mvc#lesson/SqlInjection.lesson"));
+		driver.get(url("/start.mvc#lesson/SqlInjection.lesson/1"));
+		driver.findElement(By.id("restart-lesson-button")).click();
+		driver.get(url("/start.mvc#lesson/SqlInjection.lesson/0"));
+		driver.get(url("/start.mvc#lesson/SqlInjection.lesson/1"));
+		driver.findElement(By.name("query")).sendKeys(SqlInjectionLessonTest.sql_2);
+		driver.findElement(By.name("query")).submit();
+
+		driver.get(url("/start.mvc#lesson/SqlInjection.lesson/2"));
+		driver.findElements(By.name("query")).get(1).sendKeys(SqlInjectionLessonTest.sql_3);
+		driver.findElements(By.name("query")).get(1).submit();
+
+		driver.get(url("/start.mvc#lesson/SqlInjection.lesson/3"));
+		driver.findElements(By.name("query")).get(2).sendKeys(SqlInjectionLessonTest.sql_4_drop);
+		driver.findElements(By.name("query")).get(2).submit();
+
+		driver.get(url("/start.mvc#lesson/SqlInjection.lesson/3"));
+		driver.findElements(By.name("query")).get(2).clear();
+		driver.findElements(By.name("query")).get(2).sendKeys(SqlInjectionLessonTest.sql_4_add);
+		driver.findElements(By.name("query")).get(2).submit();
+		driver.findElements(By.name("query")).get(2).clear();
+		driver.findElements(By.name("query")).get(2).sendKeys(SqlInjectionLessonTest.sql_4_drop);
+		driver.findElements(By.name("query")).get(2).submit();
+
+		driver.get(url("/start.mvc#lesson/SqlInjection.lesson/4"));
+		driver.findElements(By.name("query")).get(3).sendKeys(SqlInjectionLessonTest.sql_5);
+		driver.findElements(By.name("query")).get(3).submit();
+
+		driver.get(url("/start.mvc#lesson/SqlInjection.lesson/8"));
+		driver.findElement(By.name("account")).sendKeys("Smith'");
+		driver.findElement(By.name("operator")).sendKeys("OR");
+		driver.findElement(By.name("injection")).sendKeys("'1'='1");
+		driver.findElement(By.name("Get Account Info")).click();
+
+		driver.get(url("/start.mvc#lesson/SqlInjection.lesson/9"));
+		driver.findElement(By.name("userid")).sendKeys(SqlInjectionLessonTest.sql_10_userid);
+		driver.findElement(By.name("login_count")).sendKeys(SqlInjectionLessonTest.sql_10_login_count);
+		driver.findElements(By.name("Get Account Info")).get(1).click();
+	}
+
+}
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionLessonTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionLessonTest.java
index 83d900435..680f80042 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionLessonTest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionLessonTest.java
@@ -7,24 +7,24 @@ import org.junit.jupiter.api.Test;
 
 public class SqlInjectionLessonTest extends IntegrationTest {
 
-    private static final String sql_2 = "select department from employees where last_name='Franco'";
-    private static final String sql_3 = "update employees set department='Sales' where last_name='Barnett'";
-    private static final String sql_4_drop = "alter table employees drop column phone";
-    private static final String sql_4_add = "alter table employees add column phone varchar(20)";
-    private static final String sql_5 = "grant alter table to UnauthorizedUser";
-    private static final String sql_9_account = " ' ";
-    private static final String sql_9_operator = "or";
-    private static final String sql_9_injection = "'1'='1";
-    private static final String sql_10_login_count = "2";
-    private static final String sql_10_userid = "1 or 1=1";
+    public static final String sql_2 = "select department from employees where last_name='Franco'";
+    public static final String sql_3 = "update employees set department='Sales' where last_name='Barnett'";
+    public static final String sql_4_drop = "alter table employees drop column phone";
+    public static final String sql_4_add = "alter table employees add column phone varchar(20)";
+    public static final String sql_5 = "grant alter table to UnauthorizedUser";
+    public static final String sql_9_account = " ' ";
+    public static final String sql_9_operator = "or";
+    public static final String sql_9_injection = "'1'='1";
+    public static final String sql_10_login_count = "2";
+    public static final String sql_10_userid = "1 or 1=1";
 
-    private static final String sql_11_a = "Smith' or '1' = '1";
-    private static final String sql_11_b = "3SL99A'  or '1'='1";
+    public static final String sql_11_a = "Smith' or '1' = '1";
+    public static final String sql_11_b = "3SL99A'  or '1'='1";
 
-    private static final String sql_12_a = "Smith";
-    private static final String sql_12_b = "3SL99A' ; update employees set salary= '100000' where last_name='Smith";
+    public static final String sql_12_a = "Smith";
+    public static final String sql_12_b = "3SL99A' ; update employees set salary= '100000' where last_name='Smith";
 
-    private static final String sql_13 = "%update% '; drop table access_log ; --'";
+    public static final String sql_13 = "%update% '; drop table access_log ; --'";
 
     @Test
     public void runTests() {