- Added new challenges
- Added new web application called WebWolf to make attacks more realistic
- Added WebWolf lesson to explain the concepts behind this new application
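--- a/webgoat-lessons/webwolf-introduction/pom.xml
+++ b/webgoat-lessons/webwolf-introduction/pom.xml
@@ -0,0 +1,11 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+<modelVersion>4.0.0</modelVersion>
+<artifactId>webwolf-introduction</artifactId>
+<packaging>jar</packaging>
+<parent>
+<groupId>org.owasp.webgoat.lesson</groupId>
+<artifactId>webgoat-lessons-parent</artifactId>
+<version>8.0-SNAPSHOT</version>
+</parent>
+</project>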
@ -0,0 +1,48 @@
|
||||
package org.owasp.webgoat.plugin;
|
||||
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.client.RestTemplate;
|
||||
import org.springframework.web.servlet.ModelAndView;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import java.net.URI;
|
||||
import java.net.URISyntaxException;
|
||||
|
||||
/**
|
||||
* @author nbaars
|
||||
* @since 8/20/17.
|
||||
*/
|
||||
@AssignmentPath("/WebWolf/landing")
|
||||
public class LandingAssignment extends AssignmentEndpoint {
|
||||
|
||||
private RestTemplate restTemplate = new RestTemplate();
|
||||
|
||||
@PostMapping
|
||||
@ResponseBody
|
||||
public AttackResult click(String uniqueCode) {
|
||||
if (StringUtils.reverse(getWebSession().getUserName()).equals(uniqueCode)) {
|
||||
return trackProgress(success().build());
|
||||
}
|
||||
return failed().feedback("webwolf.landing_wrong").build();
|
||||
}
|
||||
|
||||
|
||||
@GetMapping("/password-reset")
|
||||
public ModelAndView openPasswordReset(HttpServletRequest request) throws URISyntaxException {
|
||||
URI uri = new URI(request.getRequestURL().toString());
|
||||
ModelAndView modelAndView = new ModelAndView();
|
||||
modelAndView.addObject("webwolfUrl", uri.getScheme() + "://" + uri.getHost() + ":8081");
|
||||
modelAndView.addObject("uniqueCode", StringUtils.reverse(getWebSession().getUserName()));
|
||||
|
||||
modelAndView.setViewName("webwolfPasswordReset");
|
||||
return modelAndView;
|
||||
}
|
||||
|
||||
|
||||
}
|
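Review bot: The `restTemplate` field is declared and initialised but never used by either handler in this hunk; drop `private RestTemplate restTemplate = new RestTemplate();` together with its import, or add a comment naming the call it is reserved for. In `openPasswordReset` the WebWolf address is rebuilt from the incoming request's scheme and host with a hard-coded `:8081`, so the target the reset form posts to follows whatever host the request carried and breaks when WebWolf runs on another port or behind a proxy; consider taking the port (or the whole base URL) from configuration, e.g. a `@Value`-injected property, and documenting that the page deliberately points the form at the simulated attacker host for the lesson. `click` takes `uniqueCode` without `@RequestParam`, unlike `MailAssignment.completed` in this commit; adding it makes the binding explicit. The comparison in `click` keeps the session value on the left, which is what lets an absent parameter fall through to the failure branch instead of an NPE — worth a comment: `// reversed username on the left: uniqueCode may be null when the parameter is absent`.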
@ -0,0 +1,55 @@
|
||||
package org.owasp.webgoat.plugin;
|
||||
|
||||
import lombok.AllArgsConstructor;
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.mail.IncomingMailEvent;
|
||||
import org.springframework.jms.core.JmsTemplate;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
|
||||
import java.time.LocalDateTime;
|
||||
|
||||
/**
|
||||
* @author nbaars
|
||||
* @since 8/20/17.
|
||||
*/
|
||||
@AssignmentPath("/WebWolf/mail")
|
||||
@AllArgsConstructor
|
||||
public class MailAssignment extends AssignmentEndpoint {
|
||||
|
||||
private JmsTemplate jmsTemplate;
|
||||
|
||||
@PostMapping("send")
|
||||
@ResponseBody
|
||||
public AttackResult sendEmail(@RequestParam String email) {
|
||||
String username = email.substring(0, email.indexOf("@"));
|
||||
if (username.equals(getWebSession().getUserName())) {
|
||||
IncomingMailEvent mailEvent = IncomingMailEvent.builder()
|
||||
.recipient(username)
|
||||
.title("Test messages from WebWolf")
|
||||
.time(LocalDateTime.now())
|
||||
.contents("This is a test message from WebWolf, your unique code is" + StringUtils.reverse(username))
|
||||
.sender("webgoat@owasp.org")
|
||||
.build();
|
||||
jmsTemplate.convertAndSend("mailbox", mailEvent);
|
||||
return informationMessage().feedback("webwolf.email_send").feedbackArgs(email).build();
|
||||
} else {
|
||||
return informationMessage().feedback("webwolf.email_mismatch").feedbackArgs(username).build();
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@PostMapping
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String uniqueCode) {
|
||||
if (uniqueCode.equals(StringUtils.reverse(getWebSession().getUserName()))) {
|
||||
return trackProgress(success().build());
|
||||
} else {
|
||||
return trackProgress(failed().feedbackArgs("webwolf.code_incorrect").feedbackArgs(uniqueCode).build());
|
||||
}
|
||||
}
|
||||
}
|
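Review bot: `completed` never sets the feedback key: `failed().feedbackArgs("webwolf.code_incorrect").feedbackArgs(uniqueCode)` passes the message key as an argument and then replaces it with the code, so the user gets no "code incorrect" message; it should read `return trackProgress(failed().feedback("webwolf.code_incorrect").feedbackArgs(uniqueCode).build());`, matching how `click` in LandingAssignment uses `feedback`. In `sendEmail`, `email.substring(0, email.indexOf("@"))` throws `StringIndexOutOfBoundsException` when the submitted value contains no `@` (the form's `type="email"` is only client-side), so guard it first: `int at = email.indexOf('@'); if (at < 0) { return failed().build(); }` and derive `username` from `at`. The mail body concatenates `"...your unique code is" + StringUtils.reverse(username)` without a separating space, so the code is glued to the sentence; add the trailing space. A one-line comment on the username check, such as `// mailboxes are keyed by WebGoat username; only mail to the current user is deliverable`, would make the `email_mismatch` branch's intent clear.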
@ -0,0 +1,63 @@
|
||||
package org.owasp.webgoat.plugin;
|
||||
|
||||
import org.owasp.webgoat.lessons.Category;
|
||||
import org.owasp.webgoat.lessons.NewLesson;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
||||
/**
|
||||
* ************************************************************************************************
|
||||
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
|
||||
* please see http://www.owasp.org/
|
||||
* <p>
|
||||
* Copyright (c) 2002 - 20014 Bruce Mayhew
|
||||
* <p>
|
||||
* This program is free software; you can redistribute it and/or modify it under the terms of the
|
||||
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
|
||||
* License, or (at your option) any later version.
|
||||
* <p>
|
||||
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
|
||||
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
* General Public License for more details.
|
||||
* <p>
|
||||
* You should have received a copy of the GNU General Public License along with this program; if
|
||||
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
|
||||
* 02111-1307, USA.
|
||||
* <p>
|
||||
* Getting Source ==============
|
||||
* <p>
|
||||
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
|
||||
* projects.
|
||||
* <p>
|
||||
*
|
||||
* @author WebGoat
|
||||
* @version $Id: $Id
|
||||
* @since October 12, 2016
|
||||
*/
|
||||
public class WebWolfIntroduction extends NewLesson {
|
||||
@Override
|
||||
public Category getDefaultCategory() {
|
||||
return Category.INTRODUCTION;
|
||||
}
|
||||
|
||||
@Override
|
||||
public List<String> getHints() {
|
||||
return new ArrayList();
|
||||
}
|
||||
|
||||
@Override
|
||||
public Integer getDefaultRanking() {
|
||||
return 1;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getTitle() {
|
||||
return "webwolf.title";
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getId() {
|
||||
return "WebWolfIntroduction";
|
||||
}
|
||||
}
|
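Review bot: `getHints` returns the raw type `new ArrayList()`, which only compiles with an unchecked warning against the declared `List<String>`; use `return new ArrayList<>();` (or `Collections.emptyList()` if callers never mutate the result). The copied licence header gives the copyright range as `2002 - 20014` and `@since October 12, 2016`, while the sibling classes in this commit say 8/20/17, so the header looks pasted from another lesson; fix the year and date. None of the overrides say what the lesson is, so a class comment such as `/** Lesson introducing WebWolf: file hosting, per-user mailbox and landing page. */` would help.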
@ -0,0 +1,99 @@
|
||||
<!DOCTYPE html>
|
||||
<html xmlns:th="http://www.thymeleaf.org">
|
||||
|
||||
<div class="lesson-page-wrapper">
|
||||
<div class="adoc-content" th:replace="doc:Introduction.adoc"></div>
|
||||
</div>
|
||||
|
||||
<div class="lesson-page-wrapper">
|
||||
<div class="adoc-content" th:replace="doc:Uploading_files.adoc"></div>
|
||||
</div>
|
||||
|
||||
<div class="lesson-page-wrapper">
|
||||
<div class="adoc-content" th:replace="doc:Receiving_mail.adoc"></div>
|
||||
<div class="attack-container">
|
||||
<form accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/WebWolf/send"
|
||||
enctype="application/json;charset=UTF-8">
|
||||
<div class="container-fluid">
|
||||
<div class="row">
|
||||
<div class="col-md-4">
|
||||
<div class="form-group input-group">
|
||||
<span class="input-group-addon">
|
||||
@
|
||||
</span>
|
||||
<input class="form-control" placeholder="test1233@webgoat.org" name="email" type="email"
|
||||
required=""/>
|
||||
</div>
|
||||
<button type="submit" class="btn btn-primary btn-block" id="btn-login">
|
||||
Send e-mail
|
||||
</button>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</form>
|
||||
<br/>
|
||||
<br/>
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/WebWolf/mail/"
|
||||
enctype="application/json;charset=UTF-8">
|
||||
<div class="container-fluid">
|
||||
<div class="row">
|
||||
<div class="col-md-4">
|
||||
<div class="input-group">
|
||||
<input type="text" class="form-control"
|
||||
placeholder="Type in your unique code"
|
||||
name='uniqueCode'/>
|
||||
<div class="input-group-btn">
|
||||
<button class="btn btn-primary" type="submit">Go</button>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</form>
|
||||
<br/>
|
||||
<br/>
|
||||
<div class="attack-feedback"></div>
|
||||
<div class="attack-output"></div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div class="lesson-page-wrapper">
|
||||
<div class="adoc-content" th:replace="doc:Landing_page.adoc"></div>
|
||||
<div class="attack-container">
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<a href="/WebGoat/WebWolf/landing/password-reset" target="_blank">Click here to reset your password</a>
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/WebWolf/landing/"
|
||||
enctype="application/json;charset=UTF-8">
|
||||
<div class="container-fluid">
|
||||
<div class="row">
|
||||
<div class="col-md-4">
|
||||
<div class="input-group">
|
||||
<input type="text" class="form-control"
|
||||
placeholder="Type in your unique code"
|
||||
name='uniqueCode'/>
|
||||
<div class="input-group-btn">
|
||||
<button class="btn btn-primary" type="submit">Go</button>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</form>
|
||||
<br/>
|
||||
<br/>
|
||||
<div class="attack-feedback"></div>
|
||||
<div class="attack-output"></div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
</html>
|
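Review bot: The send-mail form posts to `action="/WebGoat/WebWolf/send"`, while `MailAssignment` in this commit is mapped at `@AssignmentPath("/WebWolf/mail")` with `@PostMapping("send")`; if the assignment path prefixes the method mapping as the other two forms on this page assume (`/WebGoat/WebWolf/mail/`, `/WebGoat/WebWolf/landing/`), the request goes to a non-existent endpoint and should read `action="/WebGoat/WebWolf/mail/send"`. That form also lacks the `attack-form` class the other two carry, so it will presumably not be submitted by the lesson's JavaScript and the `informationMessage` feedback from `sendEmail` will not be rendered — confirm this is intended or add the class. The submit button keeps `id="btn-login"` from whatever page it was copied from; rename or drop the id.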
@ -0,0 +1,9 @@
|
||||
webwolf.title=WebWolf
|
||||
|
||||
webwolf.email_send=An email has been send to {0} please check your inbox.
|
||||
webwolf.code_incorrect=That is not the correct code: {0}, please try again.
|
||||
|
||||
|
||||
webwolf.email_mismatch=Of course you can send mail to user {0} however you will not be able to read this e-mail in WebWolf, please use your own username.
|
||||
|
||||
webwolf.landing_wrong=This is the wrong code, try to look for the uniqueCode in the parameters in WebWolf.
|
Binary file not shown.
After Width: | Height: | Size: 26 KiB |
Binary file not shown.
After Width: | Height: | Size: 54 KiB |
Binary file not shown.
After Width: | Height: | Size: 57 KiB |
@ -0,0 +1,21 @@
|
||||
== Introducing WebWolf
|
||||
|
||||
WebWolf is a separate web application which simulates an attackers machine. It makes it possible for us to
|
||||
make a clear distinction between what takes place on the attacked website and the actions you need to do as
|
||||
an "attacker". WebWolf was introduced after a couple of workshops where we received feedback about the fact there
|
||||
was no clear distinction between what was part of the "attackers" role and what was part of the "users" role on the
|
||||
website. The following items are supported in WebWolf:
|
||||
|
||||
* Hosting a file
|
||||
* Receiving email
|
||||
* Landing page for incoming requests
|
||||
|
||||
WebWolf runs as a separate web application and is started automatically when using the Docker image. If you
|
||||
are not using the Docker image you will need to download the jar file and start it:
|
||||
|
||||
```
|
||||
java -jar webwolf-<<version>>.jar
|
||||
```
|
||||
|
||||
This will start the application on port 8081, in your browser type: `http://localhost:8081/WebWolf`
|
||||
You will be redirected to the login page where you need to login with your WebGoat username and password
|
@ -0,0 +1,25 @@
|
||||
== Landing page
|
||||
|
||||
This page will show all the requests made to '/' or '/challenge'. This means
|
||||
you can use WebWolf as your landing page for harvesting cookies etc which
|
||||
is helpful when you perform a XSS lesson.
|
||||
|
||||
image::images/requests.png[caption="Figure: ", style="lesson-image"]
|
||||
|
||||
{nbsp}
|
||||
{nbsp}
|
||||
{nbsp}
|
||||
|
||||
*For this exercise you need to login to WebWolf first.*
|
||||
|
||||
{nbsp}
|
||||
{nbsp}
|
||||
|
||||
Suppose we tricked a user to click on a link he/she received in an email, this link will open up our crafted
|
||||
password reset link page. The user does not see any difference with the normal password reset page of the company.
|
||||
The user enters a new password and hits enter, the new password will be send to your host. In this case the new
|
||||
password will be send to WebWolf. Try to locate the unique code.
|
||||
|
||||
Please be aware after resetting the password the user will receive an error page in a real attack scenario the
|
||||
user would probably see a normal success page (this is due to a limit what we can control with WebWolf)
|
||||
|
@ -0,0 +1,18 @@
|
||||
== Your own mailbox
|
||||
|
||||
WebWolf offers a mail client which will contain the e-mail send during a lesson.
|
||||
This mailbox is user specific so each user has a separate mailbox. All e-mail
|
||||
send to {user}@.... wil end up in this inbox.
|
||||
|
||||
{nbsp}
|
||||
{nbsp}
|
||||
{nbsp}
|
||||
|
||||
image::images/mailbox.png[caption="Figure: ", style="lesson-image"]
|
||||
|
||||
{nbsp}
|
||||
{nbsp}
|
||||
{nbsp}
|
||||
|
||||
Try it, type in your e-mail address below and check in
|
||||
WebWolf your e-mail and type in the unique code below.
|
@ -0,0 +1,12 @@
|
||||
== Uploading files
|
||||
|
||||
In this section you can upload files these files will be available from outside
|
||||
the application. For example in a XXE attack you want to reference a DTD which you
|
||||
reference from a xml, you can use WebWolf to serve this DTD.
|
||||
|
||||
image::images/files.png[caption="Figure: ", style="lesson-image"]
|
||||
|
||||
{nbsp}
|
||||
|
||||
After uploading a file you can use the 'Link' to get the full URL to the uploaded
|
||||
file.
|
@ -0,0 +1,34 @@
|
||||
<!DOCTYPE html>
|
||||
<html xmlns:th="http://www.thymeleaf.org">
|
||||
<head>
|
||||
<link rel="stylesheet" type="text/css" th:href="@{/plugins/bootstrap/css/bootstrap.min.css}"/>
|
||||
<link rel="stylesheet" type="text/css" th:href="@{/css/font-awesome.min.css}"/>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<div class="container">
|
||||
<div class="row">
|
||||
<div class="col-xs-12 col-sm-8 col-md-6 col-sm-offset-2 col-md-offset-3">
|
||||
<form role="form" method="POST" th:action="${webwolfUrl}">
|
||||
<h2 class="sign_up_title">Reset your password</h2>
|
||||
<input type="hidden" name="uniqueCode" th:value="${uniqueCode}"/>
|
||||
<div class="form-group">
|
||||
<label for="password" class="control-label">Password</label>
|
||||
<input type="password" class="form-control" id="password" placeholder="Password"
|
||||
name='password'/>
|
||||
</div>
|
||||
<div class="row">
|
||||
<div class="col-xs-12 col-md-12">
|
||||
<button type="submit" class="btn btn-success btn-block btn-lg">Save</button>
|
||||
</div>
|
||||
</div>
|
||||
<div>
|
||||
<a href="https://github.com/WebGoat">(c) 2017 WebGoat Company</a>
|
||||
</div>
|
||||
</form>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</body>
|
||||
|
||||
</html>
|