dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

#843: Add readonly field and update the layout of the assignment

Browse Source
This commit is contained in:
Nanne Baars 2020-10-23 16:44:50 +02:00 committed by Nanne Baars
parent 753a2db958
commit 488a8e934a
3 changed files with 159 additions and 108 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/bypass_restrictions/BypassRestrictionsFieldRestrictions.java
View File

@ -34,7 +34,7 @@ public class BypassRestrictionsFieldRestrictions extends AssignmentEndpoint {
@PostMapping("/BypassRestrictions/FieldRestrictions") @PostMapping("/BypassRestrictions/FieldRestrictions")
@ResponseBody @ResponseBody
public AttackResult completed(@RequestParam String select, @RequestParam String radio, @RequestParam String checkbox, @RequestParam String shortInput) { public AttackResult completed(@RequestParam String select, @RequestParam String radio, @RequestParam String checkbox, @RequestParam String shortInput, @RequestParam String readOnlyInput) {
if (select.equals("option1") || select.equals("option2")) { if (select.equals("option1") || select.equals("option2")) {
return failed(this).build(); return failed(this).build();
} }
@ -47,6 +47,9 @@ public class BypassRestrictionsFieldRestrictions extends AssignmentEndpoint {
if (shortInput.length() <= 5) { if (shortInput.length() <= 5) {
return failed(this).build(); return failed(this).build();
} }
if ("change".equals(readOnlyInput)) {
return failed(this).build();
}
return success(this).build(); return success(this).build();
} }
} }

5
webgoat-lessons/bypass-restrictions/src/main/resources/css/bypass-restrictions.css Normal file
View File

@ -0,0 +1,5 @@
.bypass-input-container {
position: relative;
padding: 7px;
margin-top: 7px;
}

257
webgoat-lessons/bypass-restrictions/src/main/resources/html/BypassRestrictions.html
View File

@ -1,124 +1,167 @@
<!DOCTYPE html> <!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org"> <html xmlns:th="http://www.thymeleaf.org" xmlns="http://www.w3.org/1999/html">
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files, <!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:BypassRestrictions_Intro.adoc"></div> <div class="adoc-content" th:replace="doc:BypassRestrictions_Intro.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- stripped down without extra comments --> <!-- stripped down without extra comments -->
<div class="adoc-content" th:replace="doc:BypassRestrictions_FieldRestrictions.adoc"></div> <div class="adoc-content" th:replace="doc:BypassRestrictions_FieldRestrictions.adoc"></div>
<div class="attack-container"> <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/bypass-restrictions.css}"/>
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container-fluid">
<form class="attack-form" accept-charset="UNKNOWN" name="fieldRestrictions" <form class="attack-form" accept-charset="UNKNOWN" name="fieldRestrictions"
method="POST" method="POST"
action="/WebGoat/BypassRestrictions/FieldRestrictions"> action="/WebGoat/BypassRestrictions/FieldRestrictions">
<div>Select field with two possible values</div> <div class="bypass-input-container"><b>Select field with two possible value</b>
<select name="select"> <div class="input-group">
<option value="option1">Option 1</option> <select name="select">
<option value="option2">Option 2</option> <option value="option1">Option 1</option>
</select> <option value="option2">Option 2</option>
<div>Radio button with two possible values</div> </select>
<input type="radio" name="radio" value="option1" checked="checked"/> Option 1<br /> </div>
<input type="radio" name="radio" value="option2" /> Option 2<br /> </div>
<div>Checkbox: value either on or off</div> <div class="bypass-input-container"><b>Radio button with two possible values</b>
<input type="checkbox" name="checkbox" checked="checked"/> Checkbox <div class="input-group">
<div>Input restricted to max 5 characters</div> <input type="radio" name="radio" value="option1" checked="checked"/> Option 1<br/>
<input type="text" value="12345" name="shortInput" maxlength="5"/> <input type="radio" name="radio" value="option2"/> Option 2<br/>
<div>Disabled input field</div> </div>
<input type="submit" value="submit"/> </div>
<div class="bypass-input-container"><b>Checkbox: value either on or off</b>
<div class="input-group">
<input type="checkbox" name="checkbox" checked="checked"> Checkbox</input>
</div>
</div>
<div class="bypass-input-container"><b>Input restricted to max 5 characters</b>
<div class="input-group"><input type="text" value="12345" name="shortInput" maxlength="5"/>
</div>
</div>
<div class="bypass-input-container"><b>Readonly input field</b>
<div class="input-group">
<input type="text" value="change" readonly="readonly" name="readOnlyInput"/>
</div>
</div>
<br>
<input type="submit" class="btn btn-primary" value="Submit"/>
</form> </form>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div> </div>
<br/>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div> </div>
</div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:BypassRestrictions_FrontendValidation.adoc"></div> <div class="adoc-content" th:replace="doc:BypassRestrictions_FrontendValidation.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" name="frontendValidation" <form class="attack-form" accept-charset="UNKNOWN" name="frontendValidation"
id="frontendValidation" id="frontendValidation"
method="POST" method="POST"
action="/WebGoat/BypassRestrictions/frontendValidation/" action="/WebGoat/BypassRestrictions/frontendValidation/"
onsubmit="return validate()"> onsubmit="return validate()">
<div> <div>
<strong>Field 1:</strong> exactly three lowercase characters(^[a-z]{3}$) <strong>Field 1:</strong> exactly three lowercase characters(^[a-z]{3}$)
</div> </div>
<div> <div>
<textarea cols="25" name="field1" rows="1">abc</textarea> <textarea cols="25" name="field1" rows="1">abc</textarea>
</div> </div>
<p></p> <p></p>
<div><strong>Field 2:</strong> exactly three digits(^[0-9]{3}$)</div> <div><strong>Field 2:</strong> exactly three digits(^[0-9]{3}$)</div>
<div> <div>
<textarea cols="25" name="field2" rows="1">123</textarea> <textarea cols="25" name="field2" rows="1">123</textarea>
</div> </div>
<p></p> <p></p>
<div><strong>Field 3:</strong> letters, numbers, and space only(^[a-zA-Z0-9 ]*$)</div> <div><strong>Field 3:</strong> letters, numbers, and space only(^[a-zA-Z0-9 ]*$)</div>
<div> <div>
<textarea cols="25" name="field3" rows="1">abc 123 ABC</textarea> <textarea cols="25" name="field3" rows="1">abc 123 ABC</textarea>
</div> </div>
<p></p> <p></p>
<div><strong>Field 4:</strong> enumeration of numbers (^(one|two|three|four|five|six|seven|eight|nine)$)</div> <div><strong>Field 4:</strong> enumeration of numbers (^(one|two|three|four|five|six|seven|eight|nine)$)
<div> </div>
<textarea cols="25" name="field4" rows="1">seven</textarea> <div>
</div> <textarea cols="25" name="field4" rows="1">seven</textarea>
<p></p> </div>
<div><strong>Field 5:</strong> simple zip code (^\d{5}$)</div> <p></p>
<div> <div><strong>Field 5:</strong> simple zip code (^\d{5}$)</div>
<textarea cols="25" name="field5" rows="1">01101</textarea> <div>
</div> <textarea cols="25" name="field5" rows="1">01101</textarea>
<p></p> </div>
<div><strong>Field 6:</strong> zip with optional dash four (^\d{5}(-\d{4})?$)</div> <p></p>
<div> <div><strong>Field 6:</strong> zip with optional dash four (^\d{5}(-\d{4})?$)</div>
<textarea cols="25" name="field6" rows="1">90210-1111</textarea> <div>
</div> <textarea cols="25" name="field6" rows="1">90210-1111</textarea>
<p></p> </div>
<div><strong>Field 7:</strong> US phone number with or without dashes (^[2-9]\d{2}-?\d{3}-?\d{4}$)</div> <p></p>
<div> <div><strong>Field 7:</strong> US phone number with or without dashes (^[2-9]\d{2}-?\d{3}-?\d{4}$)</div>
<textarea cols="25" name="field7" rows="1">301-604-4882</textarea> <div>
</div> <textarea cols="25" name="field7" rows="1">301-604-4882</textarea>
<input type="hidden" value="" name="error" /> </div>
<p><button type="submit" class="btn btn-primary">Submit</button></p> <input type="hidden" value="" name="error"/>
</form> <p>
<button type="submit" class="btn btn-primary">Submit</button>
</p>
</form>
<script> <script>
var regex1=/^[a-z]{3}$/; var regex1 = /^[a-z]{3}$/;
var regex2=/^[0-9]{3}$/; var regex2 = /^[0-9]{3}$/;
var regex3=/^[a-zA-Z0-9 ]*$/; var regex3 = /^[a-zA-Z0-9 ]*$/;
var regex4=/^(one|two|three|four|five|six|seven|eight|nine)$/; var regex4 = /^(one|two|three|four|five|six|seven|eight|nine)$/;
var regex5=/^\d{5}$/; var regex5 = /^\d{5}$/;
var regex6=/^\d{5}(-\d{4})?$/; var regex6 = /^\d{5}(-\d{4})?$/;
var regex7=/^[2-9]\d{2}-?\d{3}-?\d{4}$/; var regex7 = /^[2-9]\d{2}-?\d{3}-?\d{4}$/;
var validate = function() { var validate = function () {
var msg='JavaScript found form errors'; var msg = 'JavaScript found form errors';
var err=0; var err = 0;
if (!regex1.test(document.frontendValidation.field1.value)) {err+=1; msg+='\n Value entered for field 1 is not correct';} if (!regex1.test(document.frontendValidation.field1.value)) {
if (!regex2.test(document.frontendValidation.field2.value)) {err+=1; msg+='\n Value entered for field 2 is not correct';} err += 1;
if (!regex3.test(document.frontendValidation.field3.value)) {err+=1; msg+='\n Value entered for field 3 is not correct';} msg += '\n Value entered for field 1 is not correct';
if (!regex4.test(document.frontendValidation.field4.value)) {err+=1; msg+='\n Value entered for field 4 is not correct';} }
if (!regex5.test(document.frontendValidation.field5.value)) {err+=1; msg+='\n Value entered for field 5 is not correct';} if (!regex2.test(document.frontendValidation.field2.value)) {
if (!regex6.test(document.frontendValidation.field6.value)) {err+=1; msg+='\n Value entered for field 6 is not correct';} err += 1;
if (!regex7.test(document.frontendValidation.field7.value)) {err+=1; msg+='\n Value entered for field 7 is not correct';} msg += '\n Value entered for field 2 is not correct';
document.frontendValidation.error.value = err }
if ( err > 0 ) { if (!regex3.test(document.frontendValidation.field3.value)) {
alert(msg) err += 1;
return false; msg += '\n Value entered for field 3 is not correct';
} }
return true; if (!regex4.test(document.frontendValidation.field4.value)) {
err += 1;
msg += '\n Value entered for field 4 is not correct';
}
if (!regex5.test(document.frontendValidation.field5.value)) {
err += 1;
msg += '\n Value entered for field 5 is not correct';
}
if (!regex6.test(document.frontendValidation.field6.value)) {
err += 1;
msg += '\n Value entered for field 6 is not correct';
}
if (!regex7.test(document.frontendValidation.field7.value)) {
err += 1;
msg += '\n Value entered for field 7 is not correct';
}
document.frontendValidation.error.value = err
if (err > 0) {
alert(msg)
return false;
}
return true;
} }
</script> </script>
<br/> <br/>
<br/> <br/>
<div class="attack-feedback"></div> <div class="attack-feedback"></div>
<div class="attack-output"></div> <div class="attack-output"></div>
</div>
</div> </div>
</div>
</html> </html>