dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/develop' into develop

Browse Source
This commit is contained in:
Jason White
2017-01-31 12:02:25 -05:00
parent 1b2f54accc 21659ac298
commit 4b99eb6d4c
71 changed files with 876 additions and 927 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java
View File

@ -31,6 +31,7 @@
package org.owasp.webgoat;
import com.google.common.collect.Sets;
import org.owasp.webgoat.i18n.Messages;
import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.LabelDebugger;
import org.springframework.beans.factory.annotation.Autowired;
@ -38,13 +39,14 @@ import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.LocaleResolver;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
import org.springframework.web.servlet.i18n.SessionLocaleResolver;
import org.thymeleaf.extras.springsecurity4.dialect.SpringSecurityDialect;
import org.thymeleaf.spring4.SpringTemplateEngine;
import org.thymeleaf.spring4.templateresolver.SpringResourceTemplateResolver;
import org.thymeleaf.templatemode.StandardTemplateModeHandlers;
import org.thymeleaf.templateresolver.TemplateResolver;
import java.io.File;
@ -114,6 +116,19 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter {
registry.addResourceHandler("/plugin_lessons/**").addResourceLocations("file:///" + pluginTargetDirectory.toString() + "/");
}
@Bean
public Messages messageSource() {
Messages messages = new Messages(localeResolver());
messages.setBasename("classpath:/i18n/messages");
return messages;
}
@Bean
public LocaleResolver localeResolver() {
SessionLocaleResolver slr = new SessionLocaleResolver();
return slr;
}
@Bean
public HammerHead hammerHead(Course course) {
return new HammerHead(course);

46
webgoat-container/src/main/java/org/owasp/webgoat/endpoints/AssignmentEndpoint.java → webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java
View File

@ -1,9 +1,8 @@
/**
* ************************************************************************************************
/*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* Copyright (c) 2002 - 2017 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
@ -23,19 +22,15 @@
* projects.
* <p>
*/
package org.owasp.webgoat.endpoints;
package org.owasp.webgoat.assignments;
import lombok.Getter;
import org.owasp.webgoat.i18n.LabelManager;
import org.owasp.webgoat.i18n.LabelProvider;
import org.owasp.webgoat.lessons.AttackResult;
import org.owasp.webgoat.i18n.Messages;
import org.owasp.webgoat.session.UserSessionData;
import org.owasp.webgoat.session.UserTracker;
import org.owasp.webgoat.session.WebSession;
import org.springframework.beans.factory.annotation.Autowired;
import javax.ws.rs.Path;
/**
* Each lesson can define an endpoint which can support the lesson. So for example if you create a lesson which uses JavaScript and
* needs to call out to the server to fetch data you can define an endpoint in that lesson. WebGoat will pick up this endpoint and
@ -53,11 +48,10 @@ public abstract class AssignmentEndpoint extends Endpoint {
private WebSession webSession;
@Autowired
private UserSessionData userSessionData;
@Autowired
@Getter
private LabelManager labelProvider;
@Autowired
private Messages messages;
//// TODO: 11/13/2016 events better fit?
protected AttackResult trackProgress(AttackResult attackResult) {
if (attackResult.assignmentSolved()) {
@ -80,4 +74,32 @@ public abstract class AssignmentEndpoint extends Endpoint {
public final String getPath() {
return this.getClass().getAnnotationsByType(AssignmentPath.class)[0].value();
}
/**
* Convenience method for create a successful result:
*
* - Assignment is set to solved
* - Feedback message is set to 'assignment.solved'
*
* Of course you can overwrite these values in a specific lesson
*
* @return a builder for creating a result from a lesson
*/
protected AttackResult.AttackResultBuilder success() {
return AttackResult.builder(messages).lessonCompleted(true).feedback("assignment.solved");
}
/**
* Convenience method for create a failed result:
*
* - Assignment is set to not solved
* - Feedback message is set to 'assignment.not.solved'
*
* Of course you can overwrite these values in a specific lesson
*
* @return a builder for creating a result from a lesson
*/
protected AttackResult.AttackResultBuilder failed() {
return AttackResult.builder(messages).lessonCompleted(false).feedback("assignment.not.solved");
}
}

2
webgoat-container/src/main/java/org/owasp/webgoat/endpoints/AssignmentHints.java → webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentHints.java
View File

@ -1,4 +1,4 @@
package org.owasp.webgoat.endpoints;
package org.owasp.webgoat.assignments;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;

4
webgoat-container/src/main/java/org/owasp/webgoat/endpoints/AssignmentPath.java → webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentPath.java
View File

@ -1,6 +1,4 @@
package org.owasp.webgoat.endpoints;
import org.springframework.core.annotation.AliasFor;
package org.owasp.webgoat.assignments;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;

94
webgoat-container/src/main/java/org/owasp/webgoat/assignments/AttackResult.java Normal file
View File

@ -0,0 +1,94 @@
/*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 2017 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
* <p>
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
* <p>
* Getting Source ==============
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
* <p>
*/
package org.owasp.webgoat.assignments;
import lombok.AllArgsConstructor;
import lombok.Getter;
import org.owasp.webgoat.i18n.Messages;
@AllArgsConstructor
public class AttackResult {
public static class AttackResultBuilder {
private boolean lessonCompleted;
private Messages messages;
private Object[] feedbackArgs;
private String feedbackResourceBundleKey;
private String output;
private Object[] outputArgs;
public AttackResultBuilder(Messages messages) {
this.messages = messages;
}
public AttackResultBuilder lessonCompleted(boolean lessonCompleted) {
this.lessonCompleted = lessonCompleted;
this.feedbackResourceBundleKey = "lesson.completed";
return this;
}
public AttackResultBuilder feedbackArgs(Object... args) {
this.feedbackArgs = args;
return this;
}
public AttackResultBuilder feedback(String resourceBundleKey) {
this.feedbackResourceBundleKey = resourceBundleKey;
return this;
}
public AttackResultBuilder output(String output) {
this.output = output;
return this;
}
public AttackResultBuilder outputArgs(Object... args) {
this.outputArgs = args;
return this;
}
public AttackResult build() {
return new AttackResult(lessonCompleted, messages.getMessage(feedbackResourceBundleKey, feedbackArgs), messages.getMessage(output, output, outputArgs));
}
}
@Getter
private boolean lessonCompleted;
@Getter
private String feedback;
@Getter
private String output;
public static AttackResultBuilder builder(Messages messages) {
return new AttackResultBuilder(messages);
}
public boolean assignmentSolved() {
return lessonCompleted;
}
}

26
webgoat-container/src/main/java/org/owasp/webgoat/endpoints/Endpoint.java → webgoat-container/src/main/java/org/owasp/webgoat/assignments/Endpoint.java
View File

@ -1,17 +1,8 @@
package org.owasp.webgoat.endpoints;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.actuate.endpoint.mvc.MvcEndpoint;
import java.io.File;
/**
* ************************************************************************************************
/*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* Copyright (c) 2002 - 2017 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
@ -30,11 +21,16 @@ import java.io.File;
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
* <p>
*
* @author nbaars
* @version $Id: $Id
* @since November 13, 2016
*/
package org.owasp.webgoat.assignments;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.actuate.endpoint.mvc.MvcEndpoint;
import java.io.File;
public abstract class Endpoint implements MvcEndpoint {
@Autowired

24
webgoat-container/src/main/java/org/owasp/webgoat/i18n/ExposedReloadableResourceMessageBundleSource.java
View File

@ -1,24 +0,0 @@
package org.owasp.webgoat.i18n;
import org.springframework.context.support.ReloadableResourceBundleMessageSource;
import java.util.Locale;
import java.util.Properties;
/**
* <p>ExposedReloadableResourceMessageBundleSource class.</p>
* Extends the reloadable message source with a way to get all messages
*
* @author zupzup
*/
public class ExposedReloadableResourceMessageBundleSource extends ReloadableResourceBundleMessageSource {
/**
* Gets all messages for presented Locale.
* @param locale user request's locale
* @return all messages
*/
public Properties getMessages(Locale locale) {
return getMergedProperties(locale).getProperties();
}
}

78
webgoat-container/src/main/java/org/owasp/webgoat/i18n/LabelManager.java
View File

@ -1,78 +0,0 @@
package org.owasp.webgoat.i18n;
import org.owasp.webgoat.session.LabelDebugger;
import org.springframework.stereotype.Component;
import java.io.Serializable;
import java.util.Locale;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for
* free software projects.
*
* @version $Id: $Id
* @author dm
*/
@Component
public class LabelManager
{
private static final long serialVersionUID = 1L;
private LabelProvider labelProvider;
private LabelDebugger labelDebugger;
private Locale locale = new Locale(LabelProvider.DEFAULT_LANGUAGE);
/**
* <p>Constructor for LabelManagerImpl.</p>
*
* @param labelProvider a {@link LabelProvider} object.
*/
protected LabelManager(LabelProvider labelProvider, LabelDebugger labelDebugger) {
this.labelDebugger = labelDebugger;
this.labelProvider = labelProvider;
}
/** {@inheritDoc} */
public void setLocale(Locale locale)
{
if (locale != null)
{
this.locale = locale;
}
}
/** {@inheritDoc} */
public String get(String labelKey, Object... params)
{
String label = labelProvider.get(locale, labelKey, params);
if (labelDebugger.isEnabled()) {
label = "<font color=\"#00CD00\">" + label + "</font>";
}
return label;
}
}

128
webgoat-container/src/main/java/org/owasp/webgoat/i18n/LabelProvider.java
View File

@ -1,128 +0,0 @@
package org.owasp.webgoat.i18n;
import org.springframework.context.support.ReloadableResourceBundleMessageSource;
import org.springframework.core.io.Resource;
import org.springframework.core.io.ResourceLoader;
import org.springframework.core.io.UrlResource;
import org.springframework.stereotype.Component;
import java.net.MalformedURLException;
import java.nio.file.Path;
import java.util.*;
/**
* *************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
*
* @version $Id: $Id
* @author dm
*/
@Component
public class LabelProvider {
/** Constant <code>DEFAULT_LANGUAGE="Locale.ENGLISH.getLanguage()"</code> */
public final static String DEFAULT_LANGUAGE = Locale.ENGLISH.getLanguage();
private static final List<Locale> SUPPORTED = Arrays.asList(Locale.GERMAN, Locale.FRENCH, Locale.ENGLISH,
Locale.forLanguageTag("ru"));
private final ExposedReloadableResourceMessageBundleSource labels = new ExposedReloadableResourceMessageBundleSource();
private static final ExposedReloadableResourceMessageBundleSource pluginLabels = new ExposedReloadableResourceMessageBundleSource();
/**
* <p>Constructor for LabelProvider.</p>
*/
public LabelProvider() {
labels.setBasename("classpath:/i18n/WebGoatLabels");
labels.setFallbackToSystemLocale(false);
labels.setUseCodeAsDefaultMessage(true);
pluginLabels.setParentMessageSource(labels);
}
/**
* <p>updatePluginResources.</p>
*
* @param propertyFile a {@link java.nio.file.Path} object.
*/
public static void updatePluginResources(final Path propertyFile) {
pluginLabels.setBasename("WebGoatLabels");
pluginLabels.setFallbackToSystemLocale(false);
pluginLabels.setUseCodeAsDefaultMessage(true);
pluginLabels.setResourceLoader(new ResourceLoader() {
@Override
public Resource getResource(String location) {
try {
return new UrlResource(propertyFile.toUri());
} catch (MalformedURLException e) {
throw new RuntimeException(e);
}
}
@Override
public ClassLoader getClassLoader() {
return Thread.currentThread().getContextClassLoader();
}
});
pluginLabels.clearCache();
}
/**
* <p>get.</p>
*
* @param locale a {@link java.util.Locale} object.
* @param strName a {@link java.lang.String} object.
* @return a {@link java.lang.String} object.
*/
public String get(Locale locale, String strName, Object... params) {
return pluginLabels.getMessage(strName, params, useLocaleOrFallbackToEnglish(locale));
}
private Locale useLocaleOrFallbackToEnglish(Locale locale) {
return SUPPORTED.contains(locale) ? locale : Locale.ENGLISH;
}
/**
* <p>getLabels.</p>
* Returns a merged map of all the labels for a specified language or the
* default language, if the given language is not supported
*
* @param locale The Locale to get all the labels for
* @return A Map of all properties with their values
*/
public Map<String, String> getLabels(Locale locale) {
Properties messages = labels.getMessages(locale);
messages.putAll(pluginLabels.getMessages(useLocaleOrFallbackToEnglish(locale)));
Map<String,String> labelsMap = new HashMap<>();
for (Map.Entry<Object, Object> entry : messages.entrySet()) {
if (entry.getKey() != null && entry.getValue() != null) {
labelsMap.put(entry.getKey().toString(), entry.getValue().toString());
}
}
return labelsMap;
}
}

67
webgoat-container/src/main/java/org/owasp/webgoat/i18n/Messages.java Normal file
View File

@ -0,0 +1,67 @@
/*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 2017 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
* <p>
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
* <p>
* Getting Source ==============
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
* <p>
*/
package org.owasp.webgoat.i18n;
import lombok.AllArgsConstructor;
import org.springframework.context.support.ReloadableResourceBundleMessageSource;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.servlet.LocaleResolver;
import java.util.Locale;
import java.util.Properties;
/**
* <p>ExposedReloadableResourceMessageBundleSource class.</p>
* Extends the reloadable message source with a way to get all messages
*
* @author zupzup
*/
@AllArgsConstructor
public class Messages extends ReloadableResourceBundleMessageSource {
private final LocaleResolver localeResolver;
/**
* Gets all messages for presented Locale.
* @return all messages
*/
public Properties getMessages() {
return getMergedProperties(resolveLocale()).getProperties();
}
public String getMessage(String code, Object... args) {
return getMessage(code, args, resolveLocale());
}
public String getMessage(String code, String defaultValue, Object... args) {
return super.getMessage(code, args, defaultValue, resolveLocale());
}
private Locale resolveLocale() {
return localeResolver.resolveLocale(((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest());
}
}

72
webgoat-container/src/main/java/org/owasp/webgoat/lessons/AttackResult.java
View File

@ -1,72 +0,0 @@
package org.owasp.webgoat.lessons;
import lombok.Getter;
/**
* ************************************************************************************************
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
* <p>
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
* <p>
* Getting Source ==============
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
* <p>
*
* @author WebGoat
* @version $Id: $Id
* @since August 13, 2016
*/
@Getter
public class AttackResult {
private boolean assignmentCompleted;
private String feedback;
private String output;
public static AttackResult success() {
return AttackResult.success("Congratulations");
}
public static AttackResult success(String feedback) {
return success(feedback, "");
}
public static AttackResult success(String feedback, String output) {
AttackResult attackResult = new AttackResult();
attackResult.assignmentCompleted = true;
attackResult.feedback = feedback;
attackResult.output = output;
return attackResult;
}
public static AttackResult failed(String feedback) {
return failed(feedback, "");
}
public static AttackResult failed(String feedback, String output) {
AttackResult attackResult = new AttackResult();
attackResult.assignmentCompleted = false;
attackResult.feedback = feedback;
attackResult.output = output;
return attackResult;
}
public boolean assignmentSolved() {
return assignmentCompleted;
}
}

72
webgoat-container/src/main/java/org/owasp/webgoat/plugins/MessagePropertiesMerger.java Normal file
View File

@ -0,0 +1,72 @@
/*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 2017 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
* <p>
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
* <p>
* Getting Source ==============
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
* <p>
*/
package org.owasp.webgoat.plugins;
import com.google.common.primitives.Bytes;
import lombok.SneakyThrows;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Properties;
import java.util.stream.Stream;
/**
* Merges the main message.properties with the plugins WebGoatLabels
*/
public class MessagePropertiesMerger {
private final File targetDirectory;
public MessagePropertiesMerger(File targetDirectory) {
this.targetDirectory = targetDirectory;
}
@SneakyThrows
public void mergeAllLanguage() {
try(Stream<Path> paths = Files.walk(new File(targetDirectory, "plugin/i18n/").toPath())) {
paths.filter(Files::isRegularFile).forEach(filePath -> merge(filePath));
}
}
@SneakyThrows
public void merge(Path propertyFile) {
Properties messageProperties = new Properties();
String messagePropertyFileName = propertyFile.getFileName().toString().replace("WebGoatLabels", "messages");
messageProperties.load(Thread.currentThread().getContextClassLoader().getResourceAsStream("i18n/" + messagePropertyFileName));
preparePropertyFile(propertyFile);
messageProperties.load(new FileInputStream(propertyFile.toFile()));
messageProperties.store(new FileOutputStream(new File(Thread.currentThread().getContextClassLoader().getResource("i18n/" + messagePropertyFileName).toURI())), "WebGoat message properties");
}
@SneakyThrows
private void preparePropertyFile(Path propertyFile) {
byte[] lines = Files.readAllBytes(propertyFile);
lines = Bytes.concat(lines, System.lineSeparator().getBytes());
Files.write(propertyFile, lines);
}
}

8
webgoat-container/src/main/java/org/owasp/webgoat/plugins/Plugin.java
View File

@ -3,10 +3,10 @@ package org.owasp.webgoat.plugins;
import com.google.common.base.Optional;
import com.google.common.collect.Lists;
import lombok.Getter;
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
import org.owasp.webgoat.endpoints.AssignmentHints;
import org.owasp.webgoat.endpoints.AssignmentPath;
import org.owasp.webgoat.endpoints.Endpoint;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.Endpoint;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Assignment;
import org.owasp.webgoat.lessons.NewLesson;

22
webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginsExtractor.java
View File

@ -3,28 +3,15 @@ package org.owasp.webgoat.plugins;
import com.google.common.collect.Lists;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.io.FileUtils;
import org.owasp.webgoat.i18n.LabelProvider;
import org.springframework.util.ResourceUtils;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.*;
import java.net.URL;
import java.nio.file.FileVisitResult;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.SimpleFileVisitor;
import java.nio.file.*;
import java.nio.file.attribute.BasicFileAttributes;
import java.util.Enumeration;
import java.util.List;
import java.util.concurrent.Callable;
import java.util.concurrent.CompletionService;
import java.util.concurrent.ExecutorCompletionService;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.*;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;
@ -150,8 +137,7 @@ public class PluginsExtractor {
plugin.getOriginationJar());
}
}
LabelProvider.updatePluginResources(
pluginTargetDirectory.toPath().resolve("plugin/i18n/WebGoatLabels.properties"));
new MessagePropertiesMerger(pluginTargetDirectory).mergeAllLanguage();
return plugins;
} finally {
executorService.shutdown();

1
webgoat-container/src/main/java/org/owasp/webgoat/service/HintService.java
View File

@ -6,7 +6,6 @@
package org.owasp.webgoat.service;
import com.google.common.collect.Lists;
import org.owasp.webgoat.i18n.LabelManager;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Assignment;
import org.owasp.webgoat.lessons.Hint;

36
webgoat-container/src/main/java/org/owasp/webgoat/service/LabelService.java
View File

@ -30,7 +30,7 @@ package org.owasp.webgoat.service;
import lombok.AllArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.i18n.LabelProvider;
import org.owasp.webgoat.i18n.Messages;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
@ -39,10 +39,12 @@ import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.LocaleResolver;
import org.springframework.web.servlet.i18n.SessionLocaleResolver;
import javax.servlet.http.HttpServletRequest;
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
/**
@ -50,19 +52,23 @@ import java.util.Map;
*
* @author zupzup
*/
@RestController
@Slf4j
@AllArgsConstructor
public class LabelService {
public static final String URL_LABELS_MVC = "/service/labels.mvc";
private final LabelProvider labelProvider;
private LocaleResolver localeResolver;
private Messages messages;
/**
* Fetches labels for given language
* If no language is provided, the language is determined from the request headers
* Otherwise, fall back to default language
* We use Springs session locale resolver which also gives us the option to change the local later on. For
* now it uses the accept-language from the HttpRequest. If this language is not found it will default back
* to messages.properties.
*
* Note although it is possible to use Spring language interceptor we for now opt for this solution, the UI
* will always need to fetch the labels with the new language set by the user. So we don't need to intercept each
* and every request to see if the language param has been set in the request.
*
* @param lang the language to fetch labels for (optional)
* @return a map of labels
@ -70,18 +76,12 @@ public class LabelService {
*/
@GetMapping(path = URL_LABELS_MVC, produces = MediaType.APPLICATION_JSON_VALUE)
@ResponseBody
public ResponseEntity<Map<String, String>> fetchLabels(@RequestParam(value = "lang", required = false) String lang, HttpServletRequest request) {
Locale locale;
if (StringUtils.isEmpty(lang)) {
log.debug("No language provided, determining from request headers");
locale = request.getLocale();
if (locale != null) {
log.debug("Locale set to {}", locale);
}
} else {
locale = Locale.forLanguageTag(lang);
public ResponseEntity<Properties> fetchLabels(@RequestParam(value = "lang", required = false) String lang, HttpServletRequest request) {
if (!StringUtils.isEmpty(lang)) {
Locale locale = Locale.forLanguageTag(lang);
((SessionLocaleResolver)localeResolver).setDefaultLocale(locale);
log.debug("Language provided: {} leads to Locale: {}", lang, locale);
}
return new ResponseEntity<>(labelProvider.getLabels(locale), HttpStatus.OK);
return new ResponseEntity<>(messages.getMessages(), HttpStatus.OK);
}
}

12
webgoat-container/src/main/java/org/owasp/webgoat/service/LessonInfoService.java
View File

@ -1,10 +1,9 @@
package org.owasp.webgoat.service;
import org.owasp.webgoat.i18n.LabelManager;
import lombok.AllArgsConstructor;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.LessonInfoModel;
import org.owasp.webgoat.session.WebSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@ -17,15 +16,10 @@ import org.springframework.web.bind.annotation.RestController;
* @version $Id: $Id
*/
@RestController
@AllArgsConstructor
public class LessonInfoService {
private final WebSession webSession;
private final LabelManager labelManager;
public LessonInfoService(WebSession webSession, LabelManager labelManager) {
this.webSession = webSession;
this.labelManager = labelManager;
}
/**
* <p>getLessonInfo.</p>
@ -36,7 +30,7 @@ public class LessonInfoService {
public @ResponseBody
LessonInfoModel getLessonInfo() {
AbstractLesson lesson = webSession.getCurrentLesson();
return new LessonInfoModel(labelManager.get(lesson.getTitle()), false, false, false);
return new LessonInfoModel(lesson.getTitle(), false, false, false);
}
}

4
webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java
View File

@ -4,7 +4,6 @@ import com.google.common.collect.Lists;
import com.google.common.collect.Maps;
import lombok.AllArgsConstructor;
import lombok.Getter;
import org.owasp.webgoat.i18n.LabelManager;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Assignment;
import org.owasp.webgoat.lessons.LessonInfoModel;
@ -29,7 +28,6 @@ import java.util.Map;
@AllArgsConstructor
public class LessonProgressService {
private LabelManager labelManager;
private UserTracker userTracker;
private WebSession webSession;
@ -47,7 +45,7 @@ public class LessonProgressService {
boolean lessonCompleted = false;
if (lessonTracker != null) {
lessonCompleted = lessonTracker.isLessonSolved();
successMessage = labelManager.get("LessonCompleted");
successMessage = "LessonCompleted"; //@todo we still use this??
}
json.put("lessonCompleted", lessonCompleted);
json.put("successMessage", successMessage);

7
webgoat-container/src/main/resources/i18n/WebGoatLabels.properties
View File

@ -1,7 +0,0 @@
#General
LessonCompleted=Congratulations. You have successfully completed this lesson.
RestartLesson=Restart this Lesson
SolutionVideos=Solution Videos
ErrorGenerating=Error generating
InvalidData=Invalid Data
Go!=Go!

7
webgoat-container/src/main/resources/i18n/WebGoatLabels_de.properties
View File

@ -1,7 +0,0 @@
#General
LessonCompleted=Herzlichen Gl\u00fcckwunsch! Sie haben diese Lektion erfolgreich abgeschlossen.
RestartLesson=Lektion neu beginnen
SolutionVideos=L\u00f6sungsvideos
ErrorGenerating=Fehler beim Generieren von
InvalidData=Ung\u00fcltige Daten
Go!=Los gehts!

7
webgoat-container/src/main/resources/i18n/WebGoatLabels_en.properties
View File

@ -1,7 +0,0 @@
#General
LessonCompleted=Congratulations. You have successfully completed this lesson.
RestartLesson=Restart this Lesson
SolutionVideos=Solution Videos
ErrorGenerating=Error generating
InvalidData=Invalid Data
Go!=Go!

7
webgoat-container/src/main/resources/i18n/WebGoatLabels_fr.properties
View File

@ -1,7 +0,0 @@
#General
LessonCompleted=F\u00e9licitations. Vous avez termin\u00e9 cette le\u00e7on avec succ\u00e9s.
RestartLesson=Recommencer cette le\u00e7on
SolutionVideos=Solution vid\u00e9os
ErrorGenerating=Error generating
InvalidData=Donn\u00e9e invalide
Go!=Go!

7
webgoat-container/src/main/resources/i18n/WebGoatLabels_ru.properties
View File

@ -1,7 +0,0 @@
#General
LessonCompleted=\u041f\u043e\u0437\u0434\u0440\u0430\u0432\u043b\u044f\u044e. \u0412\u044b \u043f\u043e\u043b\u043d\u043e\u0441\u0442\u044c\u044e \u043f\u0440\u043e\u0448\u043b\u0438 \u0434\u0430\u043d\u043d\u044b\u0439 \u0443\u0440\u043e\u043a.
RestartLesson=\u041d\u0430\u0447\u0430\u043b\u044c \u0441\u043d\u0430\u0447\u0430\u043b\u0430
SolutionVideos=\u0412\u0438\u0434\u0435\u043e \u0441 \u0440\u0435\u0448\u0435\u043d\u0438\u0435\u043c
ErrorGenerating=\u041f\u0440\u043e\u0438\u0437\u043e\u0448\u043b\u0430 \u043e\u0448\u0438\u0431\u043a\u0430
InvalidData=\u041d\u0435\u0432\u0435\u0440\u043d\u044b\u0435 \u0434\u0430\u043d\u043d\u044b\u0435
Go!=\u0412\u043f\u0435\u0440\u0451\u0434!

52
webgoat-container/src/main/resources/i18n/messages.properties Normal file
View File

@ -0,0 +1,52 @@
#
# This file is part of WebGoat, an Open Web Application Security Project utility. For details,
# please see http://www.owasp.org/
# <p>
# Copyright (c) 2002 - 2017 Bruce Mayhew
# <p>
# This program is free software; you can redistribute it and/or modify it under the terms of the
# GNU General Public License as published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
# <p>
# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
# <p>
# You should have received a copy of the GNU General Public License along with this program; if
# not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
# 02111-1307, USA.
# <p>
# Getting Source ==============
# <p>
# Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
# projects.
# <p>
#
lesson.completed=Congratulations. You have successfully completed this lesson.
assignment.solved=Congratulations. You have successfully complete the assignment.
assignment.not.solved=Sorry the solution is not correct, please try again.
RestartLesson=Restart this Lesson
SolutionVideos=Solution Videos
ErrorGenerating=Error generating
InvalidData=Invalid Data
Go!=Go!
password=Password
username=Username
logged_out=You've been logged out successfully.
invalid_username_password=Invalid username and password.
login.page.title=Login Page
accounts.build.in=The following accounts are built into WebGoat
accounts.table.account=Account
accounts.table.user=User
accounts.table.password=Password
logout=Logout
version=Version
build=Build
report.card=Report card
about=About WebGoat
contact=Contact Us
show.hints=Show hints
lesson.overview=Lesson overview
reset.lesson=Reset lesson
sign.in=Sign in

32
webgoat-container/src/main/resources/i18n/messages_de.properties Normal file
View File

@ -0,0 +1,32 @@
#
# This file is part of WebGoat, an Open Web Application Security Project utility. For details,
# please see http://www.owasp.org/
# <p>
# Copyright (c) 2002 - 2017 Bruce Mayhew
# <p>
# This program is free software; you can redistribute it and/or modify it under the terms of the
# GNU General Public License as published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
# <p>
# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
# <p>
# You should have received a copy of the GNU General Public License along with this program; if
# not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
# 02111-1307, USA.
# <p>
# Getting Source ==============
# <p>
# Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
# projects.
# <p>
#
#General
LessonCompleted=Herzlichen Gl\u00fcckwunsch! Sie haben diese Lektion erfolgreich abgeschlossen.
RestartLesson=Lektion neu beginnen
SolutionVideos=L\u00f6sungsvideos
ErrorGenerating=Fehler beim Generieren von
InvalidData=Ung\u00fcltige Daten
Go!=Los gehts!

32
webgoat-container/src/main/resources/i18n/messages_fr.properties Normal file
View File

@ -0,0 +1,32 @@
#
# This file is part of WebGoat, an Open Web Application Security Project utility. For details,
# please see http://www.owasp.org/
# <p>
# Copyright (c) 2002 - 2017 Bruce Mayhew
# <p>
# This program is free software; you can redistribute it and/or modify it under the terms of the
# GNU General Public License as published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
# <p>
# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
# <p>
# You should have received a copy of the GNU General Public License along with this program; if
# not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
# 02111-1307, USA.
# <p>
# Getting Source ==============
# <p>
# Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
# projects.
# <p>
#
#General
LessonCompleted=F\u00e9licitations. Vous avez termin\u00e9 cette le\u00e7on avec succ\u00e9s.
RestartLesson=Recommencer cette le\u00e7on
SolutionVideos=Solution vid\u00e9os
ErrorGenerating=Error generating
InvalidData=Donn\u00e9e invalide
Go!=Go!

49
webgoat-container/src/main/resources/i18n/messages_nl.properties Normal file
View File

@ -0,0 +1,49 @@
#
# This file is part of WebGoat, an Open Web Application Security Project utility. For details,
# please see http://www.owasp.org/
# <p>
# Copyright (c) 2002 - 2017 Bruce Mayhew
# <p>
# This program is free software; you can redistribute it and/or modify it under the terms of the
# GNU General Public License as published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
# <p>
# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
# <p>
# You should have received a copy of the GNU General Public License along with this program; if
# not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
# 02111-1307, USA.
# <p>
# Getting Source ==============
# <p>
# Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
# projects.
# <p>
#
LessonCompleted=Gefeliciteerd, je hebt de les succesvol afgerond.
RestartLesson=Herstart de les
SolutionVideos=Video oplossingen
ErrorGenerating=Fout opgetreden tijdens generatie
InvalidData=Ongeldige invoer
Go!=Go!
password=Wachtwoord
username=Gebruikersnaam
logged_out=Je bent succesvol uitgelogd.
invalid_username_password=Ongeldige gebruikersnaam/wachtwoord combinatie
login.page.title=Inlog pagina
accounts.build.in=De volgende account zijn standaard beschikbaar binnen WebGoat
accounts.table.account=Account
accounts.table.user=Gebruikersnaam
accounts.table.password=Wachtwoord
logout=Uitloggen
version=Versie
build=Build
report.card=Rapport
about=Over WebGoat
contact=Neem contact met ons op
show.hints=Toon hints
lesson.overview=Overzicht les
reset.lesson=Herstart les
sign.in=Log in

32
webgoat-container/src/main/resources/i18n/messages_ru.properties Normal file
View File

@ -0,0 +1,32 @@
#
# This file is part of WebGoat, an Open Web Application Security Project utility. For details,
# please see http://www.owasp.org/
# <p>
# Copyright (c) 2002 - 2017 Bruce Mayhew
# <p>
# This program is free software; you can redistribute it and/or modify it under the terms of the
# GNU General Public License as published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
# <p>
# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
# <p>
# You should have received a copy of the GNU General Public License along with this program; if
# not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
# 02111-1307, USA.
# <p>
# Getting Source ==============
# <p>
# Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
# projects.
# <p>
#
#General
LessonCompleted=\u041f\u043e\u0437\u0434\u0440\u0430\u0432\u043b\u044f\u044e. \u0412\u044b \u043f\u043e\u043b\u043d\u043e\u0441\u0442\u044c\u044e \u043f\u0440\u043e\u0448\u043b\u0438 \u0434\u0430\u043d\u043d\u044b\u0439 \u0443\u0440\u043e\u043a.
RestartLesson=\u041d\u0430\u0447\u0430\u043b\u044c \u0441\u043d\u0430\u0447\u0430\u043b\u0430
SolutionVideos=\u0412\u0438\u0434\u0435\u043e \u0441 \u0440\u0435\u0448\u0435\u043d\u0438\u0435\u043c
ErrorGenerating=\u041f\u0440\u043e\u0438\u0437\u043e\u0448\u043b\u0430 \u043e\u0448\u0438\u0431\u043a\u0430
InvalidData=\u041d\u0435\u0432\u0435\u0440\u043d\u044b\u0435 \u0434\u0430\u043d\u043d\u044b\u0435
Go!=\u0412\u043f\u0435\u0440\u0451\u0434!

2
webgoat-container/src/main/resources/static/js/goatApp/goatApp.js
View File

@ -14,7 +14,7 @@ define(['jquery',
return {
initApp: function () {
var locale = localStorage.getItem('locale') || 'en';
$.getJSON('service/labels.mvc?lang=' + locale, function(data) {
$.getJSON('service/labels.mvc', function(data) {
window.polyglot = new Polyglot({phrases: data});
asyncErrorHandler.init();
var goatRouter = new Router();

4
webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js
View File

@ -148,13 +148,13 @@ define(['jquery',
},
renderFeedback: function(feedback) {
this.$curFeedback.html(feedback || "");
this.$curFeedback.html(polyglot.t(feedback) || "");
this.$curFeedback.show(400)
},
renderOutput: function(output) {
this.$curOutput.html(output || "");
this.$curOutput.html(polyglot.t(output) || "");
this.$curOutput.show(400)
},

2
webgoat-container/src/main/resources/static/js/goatApp/view/TitleView.js
View File

@ -6,7 +6,7 @@ function($,_,Backbone) {
el:'#header #lesson-title-wrapper',
render:function(title) {
var lessonTitleEl = $('<h1>',{id:'lesson-title',text:title});
var lessonTitleEl = $('<h1>',{id:'lesson-title',text:polyglot.t(title)});
this.$el.html(lessonTitleEl);
}
});

63
webgoat-container/src/main/resources/templates/login.html
View File

@ -1,64 +1,71 @@
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org">
<head>
<title>Login Page</title>
<!-- CSS -->
<link rel="stylesheet" type="text/css" th:href="@{/css/main.css}" />
<link rel="stylesheet" type="text/css" th:href="@{/plugins/bootstrap/css/bootstrap.min.css}" />
<link rel="stylesheet" type="text/css" th:href="@{/css/font-awesome.min.css}" />
<link rel="stylesheet" type="text/css" th:href="@{/css/animate.css}" />
<title th:text="#{login.page.title}">Login Page</title>
<link rel="stylesheet" type="text/css" th:href="@{/css/main.css}"/>
<link rel="stylesheet" type="text/css" th:href="@{/plugins/bootstrap/css/bootstrap.min.css}"/>
<link rel="stylesheet" type="text/css" th:href="@{/css/font-awesome.min.css}"/>
<link rel="stylesheet" type="text/css" th:href="@{/css/animate.css}"/>
</head>
<body>
<section id="container">
<header id="header">
<!--logo start-->
<div class="brand">
<a href="${pageContext.request.contextPath}/start.mvc" class="logo"><span>Web</span>Goat</a>
<a th:href="@{/start.mvc}" class="logo"><span>Web</span>Goat</a>
</div>
<!--logo end-->
<div class="toggle-navigation toggle-left">
</div><!--toggle navigation end-->
<div class="lessonTitle" >
</div><!--lesson title end-->
</div>
<div class="lessonTitle">
</div>
</header>
<section class="main-content-wrapper">
<section id="main-content" >
<section id="main-content">
<div th:if="${param.error}">
Invalid username and password.
<p th:text="#{invalid_username_password}">Invalid username and password.</p>
</div>
<div th:if="${param.logout}">
You've been logged out successfully.
<p th:text="#{logged_out}">You've been logged out successfully.</p>
</div>
<br/><br/>
<form th:action="@{/login}" method='POST' style="width: 400px;">
<div class="form-group">
<label for="exampleInputEmail1">Username</label>
<input autofocus="dummy_for_thymeleaf_parser" type="text" class="form-control" id="exampleInputEmail1" placeholder="Username" name='username'/>
<label for="exampleInputEmail1" th:text="#{username}">Username</label>
<input autofocus="dummy_for_thymeleaf_parser" type="text" class="form-control"
id="exampleInputEmail1" placeholder="Username" name='username' value="guest"/>
</div>
<div class="form-group">
<label for="exampleInputPassword1">Password</label>
<input type="password" class="form-control" id="exampleInputPassword1" placeholder="Password" name='password'/>
<label for="exampleInputPassword1" th:text="#{password}">Password</label>
<input type="password" class="form-control" id="exampleInputPassword1" placeholder="Password"
name='password' value="guest"/>
</div>
<button class="btn btn-large btn-primary" type="submit">Sign in</button>
<button class="btn btn-large btn-primary" type="submit" th:text="#{sign.in}">Sign in</button>
</form>
<br/><br/>
<h4>The following accounts are built into Webgoat</h4>
<h4 th:text="#{accounts.build.in}">The following accounts are built into Webgoat</h4>
<table class="table table-bordered" style="width:400px;">
<thead>
<tr class="warning"><th>Account</th><th>User</th><th>Password</th></tr>
<tr class="warning">
<th th:text="#{accounts.table.account}">Account</th>
<th th:text="#{accounts.table.user}">User</th>
<th th:text="#{accounts.table.password}">Password</th>
</tr>
</thead>
<tbody>
<tr><td>Webgoat User</td><td>guest</td><td>guest</td></tr>
<tr><td>Webgoat Admin</td><td>webgoat</td><td>webgoat</td></tr>
<tr>
<td>Webgoat User</td>
<td>guest</td>
<td>guest</td>
</tr>
<tr>
<td>Webgoat Admin</td>
<td>webgoat</td>
<td>webgoat</td>
</tr>
</tbody>
</table>
<br/><br/>
</section>
</section>
</section>

24
webgoat-container/src/main/resources/templates/main_new.html
View File

@ -62,7 +62,7 @@
<i class="fa fa-user"></i> <span class="caret"></span>
</button>
<ul class="dropdown-menu dropdown-menu-left">
<li role="presentation"><a role="menuitem" tabindex="-1" th:href="@{/login(logout)}">Logout</a></li>
<li role="presentation"><a role="menuitem" tabindex="-1" th:href="@{/login(logout)}" th:text="#{logout}">Logout</a></li>
<li role="presentation" class="divider"></li>
<li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">User: <span
th:text="${#authentication.name}"></span></a>
@ -73,12 +73,10 @@
</a>
</li>
<li role="presentation" class="divider"></li>
<li role="presentation"><a role="menuitem" tabindex="-1" href="#developer-controls">Show developer
controls</a></li>
<li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">Version: <span
<li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#" th:text="#{version}">Version: <span
th:text="${@environment.getProperty('webgoat.build.version')}"></span></a>
</li>
<li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">Build:
<li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#" th:text="#{build}">Build:
<span th:text="${@environment.getProperty('webgoat.build.number')}"></span></a></li>
</ul>
@ -88,7 +86,7 @@
<!--<i class="fa fa-cog"></i>-->
<!--</button>-->
<button type="button" id="report-card-button" class="btn btn-default right_nav_button button-up"
title="Report card">
th:title="#{report.card}">
<a href="#reportCard"><i class="fa fa-bar-chart-o"></i></a>
</button>
<!--<button type="button" id="user-management" class="btn btn-default right_nav_button"-->
@ -96,12 +94,12 @@
<!--<i class="fa fa-users"></i>-->
<!--</button>-->
</div>
<button type="button" id="about-button" class="btn btn-default right_nav_button" title="About WebGoat"
<button type="button" id="about-button" class="btn btn-default right_nav_button" title="#{about}"
data-toggle="modal" data-target="#about-modal">
<i class="fa fa-info"></i>
</button>
<a href="mailto:${contactEmail}?Subject=Webgoat%20feedback" target="_top">
<button type="button" class="btn btn-default right_nav_button" data-toggle="tooltip" title="Contact Us">
<button type="button" class="btn btn-default right_nav_button" data-toggle="tooltip" th:title="#{contact}">
<i class="fa fa-envelope"></i>
</button>
</a>
@ -139,16 +137,12 @@
<i class="fa fa-code"/>
</button>
<button class="btn btn-primary btn-xs btn-danger help-button"
id="show-hints-button">Show Hints
id="show-hints-button" th:text="#{show.hints}">Show hints
</button>
<!--<button class="btn btn-primary btn-xs btn-danger help-button" id="show-attack-button">-->
<!--Attack It-->
<!--</button>-->
<button class="btn btn-primary btn-xs btn-danger help-button"
id="show-lesson-overview-button">Lesson overview
id="show-lesson-overview-button" th:text="#{lesson.overview}">Lesson overview
</button>
<button class="btn btn-xs help-button" id="restart-lesson-button">
Reset Lesson
<button class="btn btn-xs help-button" id="restart-lesson-button" th:text="#{reset.lesson}">Reset Lesson
</button>
</div>

31
webgoat-container/src/test/java/org/owasp/webgoat/plugins/PluginTestHelper.java
View File

@ -1,31 +0,0 @@
package org.owasp.webgoat.plugins;
import java.io.IOException;
import java.net.URISyntaxException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
public class PluginTestHelper {
private static Path tempDirectory;
public static Path createTmpDir() throws IOException {
tempDirectory = Files.createTempDirectory(PluginTestHelper.class.getSimpleName());
tempDirectory.toFile().deleteOnExit();
return tempDirectory;
}
public static Path pathForLoading() throws IOException, URISyntaxException {
Path path = Paths.get(PluginTestHelper.class.getProtectionDomain().getCodeSource().getLocation().toURI());
return Paths.get(path.toString(), "org/owasp/webgoat/plugins");
}
// public static Plugin createPluginFor(Class pluginClass) throws Exception {
// Path pluginTargetPath = Files.createDirectory(Paths.get(tempDirectory.toString(), "pluginTargetPath"));
// Map<String, byte[]> classes = new HashMap<>();
// classes.put(pluginClass.getName(), Files.readAllBytes(Paths.get(pathForLoading().toString(), pluginClass.getSimpleName() + ".class")));
// Plugin plugin = new Plugin(pluginTargetPath, classes);
// return plugin;
// }
}

5
webgoat-container/src/test/java/org/owasp/webgoat/service/HintServiceTest.java
View File

@ -8,19 +8,14 @@ import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.Mockito;
import org.mockito.runners.MockitoJUnitRunner;
import org.owasp.webgoat.i18n.LabelManager;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Assignment;
import org.owasp.webgoat.session.WebSession;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import static org.junit.Assert.*;
import static org.mockito.AdditionalAnswers.returnsFirstArg;
import static org.mockito.Matchers.anyString;
import static org.mockito.Mockito.when;
import static org.owasp.webgoat.service.HintService.URL_HINTS_MVC;
import static org.owasp.webgoat.service.LabelService.URL_LABELS_MVC;
import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

18
webgoat-container/src/test/java/org/owasp/webgoat/service/LabelServiceTest.java
View File

@ -1,10 +1,9 @@
package org.owasp.webgoat.service;
import org.assertj.core.util.Maps;
import org.hamcrest.CoreMatchers;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.owasp.webgoat.i18n.LabelProvider;
import org.owasp.webgoat.session.Course;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.boot.test.mock.mockito.MockBean;
@ -13,9 +12,6 @@ import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import java.util.Locale;
import static org.mockito.Mockito.when;
import static org.owasp.webgoat.service.LabelService.URL_LABELS_MVC;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@ -49,30 +45,28 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
* @version $Id: $Id
* @since November 29, 2016
*/
@WebMvcTest(value = {LabelService.class, LabelProvider.class})
@WebMvcTest(value = {LabelService.class})
@RunWith(SpringRunner.class)
public class LabelServiceTest {
@Autowired
public MockMvc mockMvc;
@MockBean
private LabelProvider labelProvider;
private Course course;
@Test
@WithMockUser(username = "guest", password = "guest")
public void withoutLocale() throws Exception {
when(labelProvider.getLabels(Locale.ENGLISH)).thenReturn(Maps.newHashMap("key", "value"));
mockMvc.perform(MockMvcRequestBuilders.get(URL_LABELS_MVC))
.andExpect(status().isOk())
.andExpect(jsonPath("key", CoreMatchers.is("value")));
.andExpect(jsonPath("password", CoreMatchers.is("Password")));
}
@Test
@WithMockUser(username = "guest", password = "guest")
public void withLocale() throws Exception {
when(labelProvider.getLabels(Locale.GERMAN)).thenReturn(Maps.newHashMap("key", "value"));
mockMvc.perform(MockMvcRequestBuilders.get(URL_LABELS_MVC).param("lang", "de"))
mockMvc.perform(MockMvcRequestBuilders.get(URL_LABELS_MVC).param("lang", "nl"))
.andExpect(status().isOk())
.andExpect(jsonPath("key", CoreMatchers.is("value")));
.andExpect(jsonPath("password", CoreMatchers.is("Wachtwoord")));
}
}

6
webgoat-container/src/test/java/org/owasp/webgoat/service/LessonProgressServiceTest.java
View File

@ -6,7 +6,6 @@ import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner;
import org.owasp.webgoat.i18n.LabelManager;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Assignment;
import org.owasp.webgoat.session.LessonTracker;
@ -65,9 +64,6 @@ public class LessonProgressServiceTest {
private LessonTracker lessonTracker;
@Mock
private WebSession websession;
@Mock
private LabelManager labelManager;
@Before
public void setup() {
@ -75,7 +71,7 @@ public class LessonProgressServiceTest {
when(userTracker.getLessonTracker(any())).thenReturn(lessonTracker);
when(websession.getCurrentLesson()).thenReturn(lesson);
when(lessonTracker.getLessonOverview()).thenReturn(Maps.newHashMap(assignment, true));
this.mockMvc = MockMvcBuilders.standaloneSetup(new LessonProgressService(labelManager, userTracker, websession)).build();
this.mockMvc = MockMvcBuilders.standaloneSetup(new LessonProgressService(userTracker, websession)).build();
}
@Test

34
webgoat-container/src/test/java/org/owasp/webgoat/util/LabelProviderTest.java
View File

@ -1,34 +0,0 @@
package org.owasp.webgoat.util;
import org.hamcrest.CoreMatchers;
import org.junit.Test;
import org.owasp.webgoat.i18n.LabelProvider;
import java.util.Locale;
import static org.junit.Assert.assertThat;
public class LabelProviderTest {
@Test
public void defaultLabelsShouldBePresent() {
LabelProvider labelProvider = new LabelProvider();
assertThat(labelProvider.get(Locale.ENGLISH, "LessonCompleted"), CoreMatchers.equalTo(
"Congratulations. You have successfully completed this lesson."));
}
@Test
public void shouldFallBackToEnglishIfLanguageNotSupported() {
LabelProvider labelProvider = new LabelProvider();
assertThat(labelProvider.get(Locale.CHINESE, "LessonCompleted"), CoreMatchers.equalTo(
"Congratulations. You have successfully completed this lesson."));
}
@Test
public void shouldUseProvidedLanguageIfSupported() {
LabelProvider labelProvider = new LabelProvider();
assertThat(labelProvider.get(Locale.GERMAN, "RestartLesson"), CoreMatchers.equalTo(
"Lektion neu beginnen"));
}
}

12
webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/Attack.java
View File

@ -1,15 +1,13 @@
package org.owasp.webgoat.plugin;
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
import org.owasp.webgoat.endpoints.AssignmentHints;
import org.owasp.webgoat.endpoints.AssignmentPath;
import org.owasp.webgoat.lessons.AttackResult;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.ws.rs.Path;
import java.io.IOException;
/**
@ -47,9 +45,9 @@ public class Attack extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)
public @ResponseBody AttackResult completed(@RequestParam String answer) throws IOException {
if ("450000".equals(answer)) {
return trackProgress(AttackResult.success());
return trackProgress(success().build());
} else {
return trackProgress(AttackResult.failed("You are close, try again"));
return trackProgress(failed().build());
}
}
}

2
webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/Salaries.java
View File

@ -6,7 +6,7 @@ package org.owasp.webgoat.plugin;
import com.google.common.collect.Lists;
import com.google.common.collect.Maps;
import org.owasp.webgoat.endpoints.Endpoint;
import org.owasp.webgoat.assignments.Endpoint;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.w3c.dom.Node;

18
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson1.java
View File

@ -1,19 +1,17 @@
package org.owasp.webgoat.plugin;
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Path;
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
import org.owasp.webgoat.endpoints.AssignmentPath;
import org.owasp.webgoat.lessons.AttackResult;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
/***************************************************************************************************
@ -52,9 +50,9 @@ public class CrossSiteScriptingLesson1 extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)
public @ResponseBody AttackResult completed(@RequestParam String answer_xss_1, HttpServletRequest request) throws IOException {
if (answer_xss_1.toString().toLowerCase().equals("yes")) {
return trackProgress(AttackResult.success());
return trackProgress(success().build());
} else {
return trackProgress(AttackResult.failed("Are you sure? Try using a tab from a different site."));
return trackProgress(failed().feedback("xss.lesson1.failure").build());
}
}
}

16
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java
View File

@ -1,19 +1,17 @@
package org.owasp.webgoat.plugin;
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Path;
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
import org.owasp.webgoat.endpoints.AssignmentPath;
import org.owasp.webgoat.lessons.AttackResult;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
/***************************************************************************************************
@ -64,6 +62,6 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
cart.append("<p>We have chaged credit card:" + field1 + "<br />");
cart.append( " ------------------- <br />");
cart.append( " $" + totalSale);
return trackProgress(AttackResult.failed(cart.toString()));
return trackProgress(failed().output(cart.toString()).build());
}
}

24
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5b.java
View File

@ -2,24 +2,8 @@ package org.owasp.webgoat.plugin;
import java.io.IOException;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
import java.sql.SQLException;
import java.sql.Statement;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Path;
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
import org.owasp.webgoat.endpoints.AssignmentPath;
import org.owasp.webgoat.lessons.AttackResult;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
@ -55,7 +39,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
*/
@AssignmentPath("/CrossSiteScripting/attack5b")
public class CrossSiteScriptingLesson5b extends AssignmentEndpoint {
/*
@RequestMapping(method = RequestMethod.POST)
public @ResponseBody AttackResult completed(@RequestParam String userid, HttpServletRequest request) throws IOException {
return injectableQuery(userid);
@ -225,6 +209,6 @@ public class CrossSiteScriptingLesson5b extends AssignmentEndpoint {
//
// }
*/
}

24
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson6a.java
View File

@ -1,24 +1,8 @@
package org.owasp.webgoat.plugin;
import java.io.IOException;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
import java.sql.SQLException;
import java.sql.Statement;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Path;
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
import org.owasp.webgoat.endpoints.AssignmentPath;
import org.owasp.webgoat.lessons.AttackResult;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
@ -54,7 +38,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
*/
@AssignmentPath("/CrossSiteScripting/attack6a")
public class CrossSiteScriptingLesson6a extends AssignmentEndpoint {
/*
@RequestMapping(method = RequestMethod.POST)
public @ResponseBody AttackResult completed(@RequestParam String userid_6a, HttpServletRequest request) throws IOException {
return injectableQuery(userid_6a);
@ -224,6 +208,6 @@ public class CrossSiteScriptingLesson6a extends AssignmentEndpoint {
//
// }
*/
}

26
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson6b.java
View File

@ -1,24 +1,22 @@
package org.owasp.webgoat.plugin;
import java.io.IOException;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Path;
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
import org.owasp.webgoat.endpoints.AssignmentPath;
import org.owasp.webgoat.lessons.AttackResult;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
/***************************************************************************************************
@ -57,9 +55,9 @@ public class CrossSiteScriptingLesson6b extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)
public @ResponseBody AttackResult completed(@RequestParam String userid_6b, HttpServletRequest request) throws IOException {
if (userid_6b.toString().equals(getPassword())) {
return trackProgress(AttackResult.success());
return trackProgress(success().build());
} else {
return trackProgress(AttackResult.failed("You are close, try again"));
return trackProgress(failed().build());
}
}

11
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScripting.java
View File

@ -1,15 +1,14 @@
package org.owasp.webgoat.plugin;
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
import org.owasp.webgoat.endpoints.AssignmentPath;
import org.owasp.webgoat.lessons.AttackResult;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Path;
import java.io.IOException;
/**
@ -24,9 +23,9 @@ public class DOMCrossSiteScripting extends AssignmentEndpoint {
throws IOException {
if (param1 == 42 && param2 == 24 && request.getHeader("webgoat-requested-by").equals("dom-xss-vuln")) {
return trackProgress(AttackResult.success("well done!"));
return trackProgress(success().build());
} else {
return trackProgress(AttackResult.failed("keep trying!"));
return trackProgress(failed().build());
}
}
}

2
webgoat-lessons/cross-site-scripting/src/main/resources/plugin/i18n/WebGoatLabels.properties
View File

@ -6,3 +6,5 @@ SqlStringInjectionHint1=The application is taking your input and inserting it at
SqlStringInjectionHint2=This is the code for the query being built and issued by WebGoat:<br><br> "SELECT * FROM user_data WHERE last_name = "accountName"
SqlStringInjectionHint3=Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. Try appending a SQL statement that always resolves to true
SqlStringInjectionHint4=Try entering [ smith' OR '1' = '1 ].
xss.lesson1.failure=Are you sure? Try using a tab from a different site.

59
webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequest.java
View File

@ -1,59 +0,0 @@
package org.owasp.webgoat.plugin;
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
import org.owasp.webgoat.endpoints.AssignmentHints;
import org.owasp.webgoat.endpoints.AssignmentPath;
import org.owasp.webgoat.lessons.AttackResult;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
/**
* *************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
*
* For details, please see http://webgoat.github.io
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
@AssignmentPath("/HttpBasics/intercept-request")
public class HttpBasicsInterceptRequest extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.GET)
public @ResponseBody AttackResult completed(HttpServletRequest request) throws IOException {
if (request.getHeader("x-request-intercepted").toLowerCase().equals("true") && request.getParameter("changeMe").equals("Requests are tampered easily")) {
return trackProgress(AttackResult.success("Well done, you tampered the request as expected"));
} else {
return trackProgress(AttackResult.failed("Please try again. Make sure to make all the changes. And case sensitivity may matter ... or not, you never know!"));
}
}
}

51
webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/plugin/HttpBasicsLesson.java
View File

@ -1,48 +1,44 @@
package org.owasp.webgoat.plugin;
import com.beust.jcommander.internal.Lists;
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
import org.owasp.webgoat.endpoints.AssignmentHints;
import org.owasp.webgoat.endpoints.AssignmentPath;
import org.owasp.webgoat.lessons.AttackResult;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Path;
import java.io.IOException;
import java.util.List;
/**
* *************************************************************************************************
*
*
* <p>
* <p>
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* <p>
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* <p>
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* <p>
* Getting Source ==============
*
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
*
* <p>
* For details, please see http://webgoat.github.io
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
@ -52,12 +48,17 @@ import java.util.List;
@AssignmentHints({"http-basics.hints.http_basics_lesson.1"})
public class HttpBasicsLesson extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)
public @ResponseBody AttackResult completed(@RequestParam String person) throws IOException {
if (!person.toString().equals("")) {
return trackProgress(AttackResult.success(getLabelProvider().get("http-basics.reversed", new StringBuffer(person).reverse().toString())));
} else {
return trackProgress(AttackResult.failed(getLabelProvider().get("http-basics.close")));
}
}
@RequestMapping(method = RequestMethod.POST)
public
@ResponseBody
AttackResult completed(@RequestParam String person) throws IOException {
if (!person.toString().equals("")) {
return trackProgress(success()
.feedback("http-basics.reversed")
.feedbackArgs(new StringBuffer(person).reverse().toString())
.build());
} else {
return trackProgress(failed().feedback("http-basics.close").build());
}
}
}

23
webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/plugin/HttpBasicsQuiz.java
View File

@ -1,24 +1,18 @@
package org.owasp.webgoat.plugin;
import com.beust.jcommander.internal.Lists;
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
import org.owasp.webgoat.endpoints.AssignmentHints;
import org.owasp.webgoat.endpoints.AssignmentPath;
import org.owasp.webgoat.lessons.AttackResult;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Path;
import java.io.IOException;
import java.util.List;
/**
* *************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
@ -55,16 +49,15 @@ public class HttpBasicsQuiz extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)
public @ResponseBody AttackResult completed(@RequestParam String answer, @RequestParam String magic_answer, @RequestParam String magic_num, HttpServletRequest request) throws IOException {
if ("POST".equals(answer.toUpperCase()) && magic_answer.equals(magic_num)) {
return trackProgress(AttackResult.success());
return trackProgress(success().build());
} else {
StringBuffer message = new StringBuffer();
if (!"POST".equals(answer.toUpperCase())) {
message.append(getLabelProvider().get("http-basics.incorrect"));
return trackProgress(failed().feedback("http-basics.incorrect").build());
}
if (!magic_answer.equals(magic_num)){
message.append(getLabelProvider().get("http-basics.magic"));
return trackProgress(failed().feedback("http-basics.magic").build());
}
return trackProgress(AttackResult.failed(getLabelProvider().get("http-basics.close", message.toString())));
}
return trackProgress(failed().build());
}
}

5
webgoat-lessons/http-basics/src/main/resources/plugin/i18n/WebGoatLabels.properties
View File

@ -10,6 +10,5 @@ http-basics.hints.http_basic_quiz.2=Try to intercept the request with <a href='h
http-basics.reversed=The server has reversed your name: {0}
http-basics.close=You are close, try again: {0}
http-basics.incorrect=the HTTP Command is incorrect.
http-basics.magic=the magic number is incorrect.
http-basics.incorrect=You are close, try again: the HTTP Command is incorrect.
http-basics.magic=You are close, try again: the magic number is incorrect.

15
webgoat-lessons/http-proxies/src/main/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequest.java
View File

@ -1,12 +1,10 @@
package org.owasp.webgoat.plugin;
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
import org.owasp.webgoat.endpoints.AssignmentHints;
import org.owasp.webgoat.endpoints.AssignmentPath;
import org.owasp.webgoat.lessons.AttackResult;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpServletRequest;
@ -49,11 +47,12 @@ import java.io.IOException;
public class HttpBasicsInterceptRequest extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.GET)
public @ResponseBody AttackResult completed(HttpServletRequest request) throws IOException {
public @ResponseBody
AttackResult completed(HttpServletRequest request) throws IOException {
if (request.getHeader("x-request-intercepted").toLowerCase().equals("true") && request.getParameter("changeMe").equals("Requests are tampered easily")) {
return trackProgress(AttackResult.success("Well done, you tampered the request as expected"));
return trackProgress(success().feedback("http-proxies.intercept.success").build());
} else {
return trackProgress(AttackResult.failed("Please try again. Make sure to make all the changes. And case sensitivity may matter ... or not, you never know!"));
return trackProgress(failed().feedback("http-proxies.intercept.failure").build());
}
}
}

15
webgoat-lessons/http-proxies/src/main/resources/plugin/i18n/WebGoatLabels.properties
View File

@ -1,15 +1,4 @@
http-basics.EnterYourName=Enter your Name
http-basics.Go!=Go!
http-proxies.title=HTTP Proxies
http-basics.hints.http_basics_lesson.1=Type in your name and press 'go'
http-basics.hints.http_basic_quiz.1=Turn on Show Parameters or other features
http-basics.hints.http_basic_quiz.2=Try to intercept the request with <a href='https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project' title='Link to ZAP'>OWASP ZAP</a>
http-basics.reversed=The server has reversed your name: {0}
http-basics.close=You are close, try again: {0}
http-basics.incorrect=the HTTP Command is incorrect.
http-basics.magic=the magic number is incorrect.
http-proxies.intercept.success=Well done, you tampered the request as expected
http-proxies.intercept.failure=Please try again. Make sure to make all the changes. And case sensitivity may matter ... or not, you never know!

13
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORDiffAttributes.java
View File

@ -1,15 +1,14 @@
package org.owasp.webgoat.plugin;
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
import org.owasp.webgoat.endpoints.AssignmentPath;
import org.owasp.webgoat.lessons.AttackResult;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Path;
import java.io.IOException;
/**
@ -51,13 +50,13 @@ public class IDORDiffAttributes extends AssignmentEndpoint {
attributes = attributes.trim();
String[] diffAttribs = attributes.split(",");
if (diffAttribs.length < 2) {
return AttackResult.failed("You did not list two attributes, comma delimited");
return trackProgress(failed().feedback("idor.diff.attributes.missing").build());
}
if (diffAttribs[0].toLowerCase().trim().equals("userid") && diffAttribs[1].toLowerCase().trim().equals("role") ||
diffAttribs[1].toLowerCase().trim().equals("userid") && diffAttribs[0].toLowerCase().trim().equals("role")) {
return trackProgress(AttackResult.success("Correct, the two attributes not displayed are userId & role. Keep those in mind"));
return trackProgress(success().feedback("idor.diff.success").build());
} else {
return trackProgress(AttackResult.failed("Try again. Look in your browser dev tools or Proxy and compare to what's displayed on the screen."));
return trackProgress(failed().feedback("idor.diff.failure").build());
}
}
}

42
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDOREditOtherProfiile.java
View File

@ -1,18 +1,12 @@
package org.owasp.webgoat.plugin;
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
import org.owasp.webgoat.endpoints.AssignmentPath;
import org.owasp.webgoat.lessons.AttackResult;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.UserSessionData;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.*;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Path;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
/**
* ************************************************************************************************
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
@ -65,28 +59,42 @@ public class IDOREditOtherProfiile extends AssignmentEndpoint {
// we will persist in the session object for now in case we want to refer back or use it later
userSessionData.setValue("idor-updated-other-profile",currentUserProfile);
if (currentUserProfile.getRole() <= 1 && currentUserProfile.getColor().toLowerCase().equals("red")) {
return trackProgress(AttackResult.success("Well done, you have modified someone else's profile (as displayed below)",currentUserProfile.profileToMap().toString()));
return trackProgress(success()
.feedback("idor.edit.profile.success1")
.output(currentUserProfile.profileToMap().toString())
.build());
}
if (currentUserProfile.getRole() > 1 && currentUserProfile.getColor().toLowerCase().equals("red")) {
return trackProgress(AttackResult.success("Close ... you've got the technique. Now try for a lower role number)",currentUserProfile.profileToMap().toString()));
return trackProgress(success()
.feedback("idor.edit.profile.failure1")
.output(currentUserProfile.profileToMap().toString())
.build());
}
if (currentUserProfile.getRole() <= 1 && !currentUserProfile.getColor().toLowerCase().equals("red")) {
return trackProgress(AttackResult.success("Close ... you've got the technique. Now change the color in their profile to red.)",currentUserProfile.profileToMap().toString()));
return trackProgress(success()
.feedback("idor.edit.profile.failure2")
.output(currentUserProfile.profileToMap().toString())
.build());
}
// else
return trackProgress(AttackResult.success("Try again. Use the hints if you need to.",currentUserProfile.profileToMap().toString()));
return trackProgress(failed().
feedback("idor.edit.profile.failure3")
.output(currentUserProfile.profileToMap().toString())
.build());
} else if (userSubmittedProfile.getUserId().equals(authUserId)) {
return AttackResult.failed("Modifying your own profile is good, but we want to do this to Buffalo Bill's profile.");
return failed().feedback("idor.edit.profile.failure4").build();
}
if (currentUserProfile.getColor().equals("black") && currentUserProfile.getRole() <= 1 ) {
return trackProgress(AttackResult.success("Good work! View the updated profile below",userSessionData.getValue("idor-updated-own-profile").toString()));
return trackProgress(success()
.feedback("idor.edit.profile.success2")
.output(userSessionData.getValue("idor-updated-own-profile").toString())
.build());
} else {
return trackProgress(AttackResult.failed("Please try again. Use the hints if need be."));
return trackProgress(failed().feedback("idor.edit.profile.failure3").build());
}
}

20
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORLogin.java
View File

@ -1,16 +1,13 @@
package org.owasp.webgoat.plugin;
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
import org.owasp.webgoat.endpoints.AssignmentHints;
import org.owasp.webgoat.endpoints.AssignmentPath;
import org.owasp.webgoat.lessons.AttackResult;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.UserSessionData;
import org.springframework.web.bind.annotation.*;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Path;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
@ -67,9 +64,8 @@ public class IDORLogin extends AssignmentEndpoint {
}
@PostMapping
public
@ResponseBody
AttackResult completed(@RequestParam String username, @RequestParam String password) {
public AttackResult completed(@RequestParam String username, @RequestParam String password) {
initIDORInfo();
UserSessionData userSessionData = getUserSessionData();
@ -77,12 +73,12 @@ public class IDORLogin extends AssignmentEndpoint {
if ("tom".equals(username) && idorUserInfo.get("tom").get("password").equals(password)) {
userSessionData.setValue("idor-authenticated-as", username);
userSessionData.setValue("idor-authenticated-user-id", idorUserInfo.get(username).get("id"));
return trackProgress(AttackResult.success("You are now logged in as " + username + ". Please proceed."));
return trackProgress(success().feedback("idor.login.success").feedbackArgs(username).build());
} else {
return trackProgress(AttackResult.failed("credentials provided are not correct"));
return trackProgress(failed().feedback("idor.login.failure").build());
}
} else {
return trackProgress(AttackResult.failed("credentials provided are not correct"));
return trackProgress(failed().feedback("idor.login.failure").build());
}
}

19
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOtherProfile.java
View File

@ -1,10 +1,9 @@
package org.owasp.webgoat.plugin;
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
import org.owasp.webgoat.endpoints.AssignmentPath;
import org.owasp.webgoat.endpoints.Endpoint;
import org.owasp.webgoat.lessons.AttackResult;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.UserSessionData;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.PathVariable;
@ -12,11 +11,7 @@ import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.Path;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
@ -69,15 +64,15 @@ public class IDORViewOtherProfile extends AssignmentEndpoint{
UserProfile requestedProfile = new UserProfile(userId);
// secure code would ensure there was a horizontal access control check prior to dishing up the requested profile
if (requestedProfile.getUserId().equals("2342388")){
return trackProgress(AttackResult.success("Well done, you found someone else's profile",requestedProfile.profileToMap().toString()));
return trackProgress(success().feedback("idor.view.profile.success").output(requestedProfile.profileToMap().toString()).build());
} else {
return trackProgress((AttackResult.failed("You're on the right path, try a different id")));
return trackProgress(failed().feedback("idor.view.profile.close1").build());
}
} else {
return trackProgress((AttackResult.failed("Try again. You need to use the same method/URL you used to access your own profile via direct object reference.")));
return trackProgress(failed().feedback("idor.view.profile.close2").build());
}
}
return trackProgress((AttackResult.failed("Try again. ")));
return trackProgress(failed().build());
}
}

5
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOwnProfile.java
View File

@ -1,7 +1,7 @@
package org.owasp.webgoat.plugin;
import org.owasp.webgoat.endpoints.Endpoint;
import org.owasp.webgoat.assignments.Endpoint;
import org.owasp.webgoat.session.UserSessionData;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.RequestMapping;
@ -12,12 +12,9 @@ import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import com.google.common.collect.Lists;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
/**
* ************************************************************************************************

15
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOwnProfileAltUrl.java
View File

@ -1,10 +1,9 @@
package org.owasp.webgoat.plugin;
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
import org.owasp.webgoat.endpoints.AssignmentPath;
import org.owasp.webgoat.endpoints.Endpoint;
import org.owasp.webgoat.lessons.AttackResult;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.UserSessionData;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.*;
@ -65,17 +64,17 @@ public class IDORViewOwnProfileAltUrl extends AssignmentEndpoint{
String[] urlParts = url.split("/");
if (urlParts[0].equals("WebGoat") && urlParts[1].equals("IDOR") && urlParts[2].equals("profile") && urlParts[3].equals(authUserId)) {
UserProfile userProfile = new UserProfile(authUserId);
return trackProgress(AttackResult.success("congratultions, you have used the alternate Url/route to view your own profile.",userProfile.profileToMap().toString()));
return trackProgress(success().feedback("idor.view.own.profile.success").output(userProfile.profileToMap().toString()).build());
} else {
return trackProgress(AttackResult.failed("please try again. The alternoute route is very similar to the previous way you viewed your profile. Only one difference really"));
return trackProgress(failed().feedback("idor.view.own.profile.failure1").build());
}
} else {
return trackProgress(AttackResult.failed("You need to authenticate as tom first."));
return trackProgress(failed().feedback("idor.view.own.profile.failure2").build());
}
} catch (Exception ex) {
System.out.println(ex.getMessage());
return AttackResult.failed("an error occurred with your request");
return failed().feedback("an error occurred with your request").build();
}
}

13
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/ViewOtherUserProfile.java
View File

@ -1,9 +1,9 @@
package org.owasp.webgoat.plugin;
import com.google.common.collect.Lists;
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
import org.owasp.webgoat.endpoints.AssignmentPath;
import org.owasp.webgoat.lessons.AttackResult;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.UserSessionData;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.PathVariable;
@ -13,7 +13,6 @@ import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.Path;
import java.io.IOException;
import java.util.HashMap;
import java.util.List;
@ -43,7 +42,7 @@ public class ViewOtherUserProfile extends AssignmentEndpoint {
if (userSessionData.getValue("idor-authenticated-as") == null) {
json.add(errorMap);
return trackProgress(AttackResult.failed("You must authenticate first"));
return trackProgress(failed().feedback("idor.view.other.profile.failure1").build());
} else {
if (userSessionData.getValue("idor-authenticated-as").equals("bill") || userSessionData.getValue("idor-authenticated-as").equals("tom")) {
System.out.println("**** authenticated as " + userSessionData.getValue("idor-authenticated-as"));
@ -52,11 +51,11 @@ public class ViewOtherUserProfile extends AssignmentEndpoint {
//secure code would check to make sure authUserId matches userId or some similar access control
// ... and in this endpoint, we won't bother with that
UserProfile userProfile = new UserProfile(userId);
return trackProgress(AttackResult.failed("still working"));
return trackProgress(failed().feedback("idor.view.other.profile.failure2").build());
}
}
// else
return trackProgress(AttackResult.failed("fall back"));
return trackProgress(failed().build());
}

26
webgoat-lessons/idor/src/main/resources/plugin/i18n/WebGoatLabels.properties
View File

@ -1,3 +1,29 @@
idor.title=Insecure Direct Object References
idor.hints.idor_login=Log in first
idor.diff.attributes.missing=You did not list two attributes, comma delimited
idor.diff.success=Correct, the two attributes not displayed are userId & role. Keep those in mind
idor.diff.failure=Try again. Look in your browser dev tools or Proxy and compare to what's displayed on the screen.
idor.edit.profile.success1=Well done, you have modified someone else's profile (as displayed below)
idor.edit.profile.success2=Good work! View the updated profile below
idor.edit.profile.failure1=Close ... you've got the technique. Now try for a lower role number
idor.edit.profile.failure2=Close ... you've got the technique. Now change the color in their profile to red.)
idor.edit.profile.failure3=Try again. Use the hints if you need to.
idor.edit.profile.failure4=Modifying your own profile is good, but we want to do this to Buffalo Bill's profile.
idor.login.success=You are now logged in as {0}. Please proceed.
idor.login.failure=Credentials provided are not correct
idor.view.profile.success=Well done, you found someone else's profile
idor.view.profile.close1=You're on the right path, try a different id
idor.view.profile.close2=Try again. You need to use the same method/URL you used to access your own profile via direct object reference.
idor.view.own.profile.success=Congratulations, you have used the alternate Url/route to view your own profile.
idor.view.own.profile.failure1=Please try again. The alternate route is very similar to the previous way you viewed your profile. Only one difference really
idor.view.own.profile.failure2=You need to authenticate as tom first.
idor.view.other.profile.failure1=You must authenticate first
idor.view.other.profile.failure2=<<still working>>

31
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson5a.java
View File

@ -1,25 +1,19 @@
package org.owasp.webgoat.plugin;
import java.io.IOException;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
import java.sql.SQLException;
import java.sql.Statement;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Path;
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
import org.owasp.webgoat.endpoints.AssignmentPath;
import org.owasp.webgoat.lessons.AttackResult;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.sql.*;
/***************************************************************************************************
@ -84,26 +78,25 @@ public class SqlInjectionLesson5a extends AssignmentEndpoint {
// If they get back more than one user they succeeded
if (results.getRow() >= 6)
{
return trackProgress(AttackResult.success("You have succeed: " + output.toString()));
return trackProgress(success().feedback("sql-injection.5a.success").feedbackArgs(output.toString()).build());
} else {
return trackProgress(AttackResult.failed("You are close, try again. " + output.toString()));
return trackProgress(failed().output(output.toString()).build());
}
}
else
{
return trackProgress(AttackResult.failed("No Results Matched. Try Again. "));
return trackProgress(failed().feedback("sql-injection.5a.no.results").build());
}
} catch (SQLException sqle)
{
return trackProgress(AttackResult.failed(sqle.getMessage()));
return trackProgress(failed().output(sqle.getMessage()).build());
}
} catch (Exception e)
{
e.printStackTrace();
return trackProgress(AttackResult.failed( "ErrorGenerating" + this.getClass().getName() + " : " + e.getMessage()));
return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage()).build());
}
}

30
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson5b.java
View File

@ -2,25 +2,19 @@ package org.owasp.webgoat.plugin;
import java.io.IOException;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
import java.sql.SQLException;
import java.sql.Statement;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Path;
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
import org.owasp.webgoat.endpoints.AssignmentPath;
import org.owasp.webgoat.lessons.AttackResult;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.sql.*;
/***************************************************************************************************
@ -86,27 +80,27 @@ public class SqlInjectionLesson5b extends AssignmentEndpoint {
// If they get back more than one user they succeeded
if (results.getRow() >= 6)
{
return trackProgress(AttackResult.success("You have succeed: " + output.toString()));
return trackProgress(success().feedback("sql-injection.5b.success").feedbackArgs(output.toString()).build());
} else {
return trackProgress(AttackResult.failed("You are close, try again. " + output.toString()));
return trackProgress(failed().output(output.toString()).build());
}
}
else
{
return trackProgress(AttackResult.failed("No Results Matched. Try Again. "));
return trackProgress(failed().feedback("sql-injection.5b.no.results").build());
// output.append(getLabelManager().get("NoResultsMatched"));
}
} catch (SQLException sqle)
{
return trackProgress(AttackResult.failed(sqle.getMessage()));
return trackProgress(failed().output(sqle.getMessage()).build());
}
} catch (Exception e)
{
e.printStackTrace();
return trackProgress(AttackResult.failed( "ErrorGenerating" + this.getClass().getName() + " : " + e.getMessage()));
return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage()).build());
}
}

30
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6a.java
View File

@ -1,25 +1,19 @@
package org.owasp.webgoat.plugin;
import java.io.IOException;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
import java.sql.SQLException;
import java.sql.Statement;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Path;
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
import org.owasp.webgoat.endpoints.AssignmentPath;
import org.owasp.webgoat.lessons.AttackResult;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.sql.*;
/***************************************************************************************************
@ -86,26 +80,26 @@ public class SqlInjectionLesson6a extends AssignmentEndpoint {
// If they get back more than one user they succeeded
if (results.getRow() >= 6)
{
return trackProgress(AttackResult.success("You have succeed: " + output.toString()));
return trackProgress(success().feedback("sql-injection.6b.success").feedbackArgs(output.toString()).build());
} else {
return trackProgress(AttackResult.failed("You are close, try again. " + output.toString()));
return trackProgress(failed().output(output.toString()).build());
}
}
else
{
return trackProgress(AttackResult.failed("No Results Matched. Try Again. "));
return trackProgress(failed().feedback("sql-injection.6b.no.results").build());
}
} catch (SQLException sqle)
{
return trackProgress(AttackResult.failed(sqle.getMessage()));
return trackProgress(failed().output(sqle.getMessage()).build());
}
} catch (Exception e)
{
e.printStackTrace();
return trackProgress(AttackResult.failed( "ErrorGenerating" + this.getClass().getName() + " : " + e.getMessage()));
return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage()).build());
}
}

26
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6b.java
View File

@ -1,24 +1,22 @@
package org.owasp.webgoat.plugin;
import java.io.IOException;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Path;
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
import org.owasp.webgoat.endpoints.AssignmentPath;
import org.owasp.webgoat.lessons.AttackResult;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
/***************************************************************************************************
@ -57,9 +55,9 @@ public class SqlInjectionLesson6b extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)
public @ResponseBody AttackResult completed(@RequestParam String userid_6b, HttpServletRequest request) throws IOException {
if (userid_6b.toString().equals(getPassword())) {
return trackProgress(AttackResult.success());
return trackProgress(success().build());
} else {
return trackProgress(AttackResult.failed("You are close, try again"));
return trackProgress(failed().build());
}
}

10
webgoat-lessons/sql-injection/src/main/resources/plugin/i18n/WebGoatLabels.properties
View File

@ -6,3 +6,13 @@ SqlStringInjectionHint1=The application is taking your input and inserting it at
SqlStringInjectionHint2=This is the code for the query being built and issued by WebGoat:<br><br> "SELECT * FROM user_data WHERE last_name = "accountName"
SqlStringInjectionHint3=Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. Try appending a SQL statement that always resolves to true
SqlStringInjectionHint4=Try entering [ smith' OR '1' = '1 ].
sql-injection.5a.success=You have succeed:
sql-injection.5a.no.results=No results matched. Try Again.
sql-injection.5b.success=You have succeed:
sql-injection.5b.no.results=No results matched. Try Again.
sql-injection.6b.success=You have succeed:
sql-injection.6b.no.results=No results matched. Try Again.

11
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java
View File

@ -2,16 +2,15 @@ package org.owasp.webgoat.plugin;
import com.google.common.base.Joiner;
import org.apache.commons.lang.exception.ExceptionUtils;
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
import org.owasp.webgoat.endpoints.AssignmentPath;
import org.owasp.webgoat.lessons.AttackResult;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.ws.rs.Path;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
@ -66,9 +65,9 @@ public class BlindSendFileAssignment extends AssignmentEndpoint {
boolean solved = lines.stream().filter(l -> l.contains("WebGoat 8 rocks...")).findFirst().isPresent();
logFile.delete();
if (solved) {
return AttackResult.success(String.format("Contents of the file is: %s", Joiner.on('\n').join(lines)));
return success().output("xxe.blind.output").outputArgs(Joiner.on('\n').join(lines)).build();
} else {
return AttackResult.failed("Try again...", error);
return failed().output(error).build();
}
}

17
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/ContentTypeAssignment.java
View File

@ -1,9 +1,10 @@
package org.owasp.webgoat.plugin;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
import org.owasp.webgoat.endpoints.AssignmentPath;
import org.owasp.webgoat.lessons.AttackResult;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestHeader;
@ -11,7 +12,6 @@ import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.ws.rs.Path;
import java.io.IOException;
import static org.owasp.webgoat.plugin.SimpleXXE.checkSolution;
@ -47,24 +47,25 @@ import static org.owasp.webgoat.plugin.SimpleXXE.parseXml;
* @since November 17, 2016
*/
@AssignmentPath("XXE/content-type")
@AssignmentHints({"xxe.hints.content.type.xxe.1", "xxe.hints.content.type.xxe.2"})
public class ContentTypeAssignment extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST, consumes = MediaType.ALL_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
@ResponseBody
public AttackResult createNewUser(@RequestBody String userInfo, @RequestHeader("Content-Type") String contentType) throws Exception {
User user = new User();
AttackResult attackResult = AttackResult.failed("Try again!");
AttackResult attackResult = failed().build();
if (MediaType.APPLICATION_JSON_VALUE.equals(contentType)) {
user = parseJson(userInfo);
attackResult = AttackResult.failed("You are posting JSON which does not work with a XXE");
attackResult = failed().feedback("xxe.content.type.feedback.json").build();
}
if (MediaType.APPLICATION_XML_VALUE.equals(contentType)) {
user = parseXml(userInfo);
attackResult = AttackResult.failed("You are posting XML but there is no XXE attack performed");
attackResult = failed().feedback("xxe.content.type.feedback.xml").build();
}
if (checkSolution(user)) {
attackResult = AttackResult.success(String.format("Welcome %s", user.getUsername()));
attackResult = success().output("xxe.content.output").outputArgs(user.getUsername()).build();
}
return attackResult;
}

2
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Ping.java
View File

@ -1,7 +1,7 @@
package org.owasp.webgoat.plugin;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.endpoints.Endpoint;
import org.owasp.webgoat.assignments.Endpoint;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

19
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/SimpleXXE.java
View File

@ -1,16 +1,16 @@
package org.owasp.webgoat.plugin;
import org.apache.commons.exec.OS;
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
import org.owasp.webgoat.endpoints.AssignmentPath;
import org.owasp.webgoat.lessons.AttackResult;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.ws.rs.Path;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.Unmarshaller;
import javax.xml.stream.XMLInputFactory;
@ -47,6 +47,7 @@ import java.io.StringReader;
* @since November 17, 2016
*/
@AssignmentPath("XXE/simple")
@AssignmentHints({"xxe.hints.simple.xxe.1", "xxe.hints.simple.xxe.2", "xxe.hints.simple.xxe.3", "xxe.hints.simple.xxe.4"})
public class SimpleXXE extends AssignmentEndpoint {
private final static String[] DEFAULT_LINUX_DIRECTORIES = {"usr", "opt", "var"};
@ -57,13 +58,11 @@ public class SimpleXXE extends AssignmentEndpoint {
public AttackResult createNewUser(@RequestBody String userInfo) throws Exception {
User user = parseXml(userInfo);
if (checkSolution(user)) {
return AttackResult.success("Congratulation", String.format("Welcome %s you can now login to our website", user.getUsername()));
}
if (userInfo.contains("<!DOCTYPE")) {
return AttackResult.failed("Try again you did include a doctype in the xml!");
} else {
return AttackResult.failed(String.format("Welcome %s you can now login to our website", user.getUsername()));
return trackProgress(success()
.output("xxe.simple.output")
.outputArgs(user.getUsername()).build());
}
return trackProgress(failed().build());
}
public static User parseXml(String xml) throws Exception {

37
webgoat-lessons/xxe/src/main/resources/plugin/i18n/WebGoatLabels.properties Normal file
View File

@ -0,0 +1,37 @@
#
# This file is part of WebGoat, an Open Web Application Security Project utility. For details,
# please see http://www.owasp.org/
# <p>
# Copyright (c) 2002 - 2017 Bruce Mayhew
# <p>
# This program is free software; you can redistribute it and/or modify it under the terms of the
# GNU General Public License as published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
# <p>
# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
# <p>
# You should have received a copy of the GNU General Public License along with this program; if
# not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
# 02111-1307, USA.
# <p>
# Getting Source ==============
# <p>
# Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
# projects.
# <p>
#
xxe.simple.output=Welcome {0} you can now login to our website
xxe.content.type.feedback.json=You are posting JSON which does not work with a XXE
xxe.content.type.feedback.xml=You are posting XML but there is no XXE attack performed
xxe.content.output=Welcome {0} you can now login to our website
xxe.blind.output=Contents of the file is:
xxe.hints.simple.xxe.1=Try submitting the form and see what happens
xxe.hints.simple.xxe.2=XXE stands for XML External Entity attack
xxe.hints.simple.xxe.3=Try to include your own DTD
xxe.hints.simple.xxe.4=Try to include a doctype (<!DOCTYPE...) in the xml
xxe.hints.content.type.xxe.1=Take a look at the content type
xxe.hints.content.type.xxe.2=Does the endpoint only accept json messages?