Added a quiz for cia-triad lessons

2018-11-11 14:17:53 +01:00 · 2018-11-11 14:17:53 +01:00 · 50c88738c2
commit 50c88738c2
parent baff6b06f3
5 changed files with 139 additions and 0 deletions
--- a/webgoat-lessons/cia/src/main/java/org/owasp/webgoat/plugin/CIAQuiz.java
+++ b/webgoat-lessons/cia/src/main/java/org/owasp/webgoat/plugin/CIAQuiz.java
@ -0,0 +1,55 @@
+package org.owasp.webgoat.plugin;
+
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.session.DatabaseUtilities;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import java.io.IOException;
+import java.sql.Connection;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
+
+/**
+ * @TODO: Get JSON from file not from hardcoded string
+ * add a question: 1. Append new question to JSON string
+ * 2. add right solution to solutions array
+ * 3. add Request param with name of question to method head
+ */
+@AssignmentPath("/cia/quiz")
+public class CIAQuiz extends AssignmentEndpoint {
+
+    String[] solutions = {"Solution 3", "Solution 1", "Solution 4", "Solution 2"};
+
+    @RequestMapping(method = RequestMethod.POST)
+    @ResponseBody
+    public AttackResult completed(@RequestParam String[] question_0_solution, @RequestParam String[] question_1_solution, @RequestParam String[] question_2_solution, @RequestParam String[] question_3_solution) throws IOException {
+        boolean correct = false;
+        String[][] solutionsInput = {question_0_solution, question_1_solution, question_2_solution, question_3_solution};
+        int counter = 0;
+        for(String[] sa : solutionsInput) {
+            for(String s : sa) {
+                if(sa.length == 1 && s.contains(this.solutions[counter])) {
+                    correct = true;
+                    break;
+                } else {
+                    correct = false;
+                    continue;
+                }
+            }
+            if(!correct) break;
+            counter++;
+        }
+        if(correct) {
+            return trackProgress(success().build());
+        } else {
+            return trackProgress(failed().build());
+        }
+    }
+
+}
--- a/webgoat-lessons/cia/src/main/resources/html/CIA.html
+++ b/webgoat-lessons/cia/src/main/resources/html/CIA.html
@ -18,4 +18,23 @@
    <div class="adoc-content" th:replace="doc:CIA_availability.adoc"></div>
 </div>

+<div class="lesson-page-wrapper">
+    <script th:src="@{/lesson_js/quiz.js}" language="JavaScript"></script>
+    <link rel="import" type="application/json" th:href="@{/lesson_js/questions.json}"/>
+    <div class="adoc-content" th:replace="doc:CIA_quiz.adoc"></div>
+    <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+    <div class="container-fluid">
+        <form id="quiz-form" class="attack-form" accept-charset="UNKNOWN"
+              method="POST" name="form"
+              action="cia/quiz"
+              enctype="application/json;charset=UTF-8" role="form">
+            <div id="q_container"></div>
+            <br />
+            <input name="Quiz_solutions" value="Submit answers" type="SUBMIT"/>
+        </form>
+    </div>
+    <div class="attack-feedback"></div>
+    <div class="attack-output"></div>
+</div>
+
 </html>
--- a/webgoat-lessons/cia/src/main/resources/js/questions.json
+++ b/webgoat-lessons/cia/src/main/resources/js/questions.json
@ -0,0 +1,35 @@
+{
+  "questions": [{
+    "text": "How could an intruder harm the security goal of confidentiality?",
+    "solutions": {
+      "1": "By deleting all the databases.",
+      "2": "By stealing a database where general configuration information for the system is stored.",
+      "3": "By stealing a database where names and emails are stored and uploading it to a website.",
+      "4": "Confidentiality can't be harmed by an intruder."
+    }
+  }, {
+    "text": "How could an intruder harm the security goal of integrity?",
+    "solutions": {
+      "1": "By changing the names and emails of one or more users stored in a database.",
+      "2": "By listening to incoming and outgoing network traffic.",
+      "3": "By bypassing authentication mechanisms that are in place to manage database access.",
+      "4": "Integrity can only be harmed when the intruder has physical access to the database storage."
+    }
+  }, {
+    "text": "How could an intruder harm the security goal of availability?",
+    "solutions": {
+      "1": "By exploiting bugs in the systems software to bypass authentication mechanisms for databases.",
+      "2": "By redirecting emails with sensitive data to other individuals.",
+      "3": "Availability can only be harmed by unplugging the power supply of the storage devices.",
+      "4": "By launching a denial of service attack on the servers."
+    }
+  }, {
+    "text": "What happens if at least one of the CIA security goals is harmed?",
+    "solutions": {
+      "1": "A system can be considered safe until all the goals are harmed. Harming one goal has no effect on the systems security.",
+      "2": "The systems security is compromised even if only one goal is harmed.",
+      "3": "It's not that bad when an attacker reads or changes data, at least some data is still available, hence only when the goal of availability is harmed the security of the system is compromised.",
+      "4": "It shouldn't be possible for an attacker to change data or make it unavailable, but reading sensitive data is not tolerable. Theres only a problem when confidentiality is harmed."
+    }
+  }]
+}
--- a/webgoat-lessons/cia/src/main/resources/js/quiz.js
+++ b/webgoat-lessons/cia/src/main/resources/js/quiz.js
@ -0,0 +1,27 @@
+$(function () {
+    var json = "";
+    var client = new XMLHttpRequest();
+    client.open('GET', '/WebGoat/lesson_js/questions.json');
+    client.onreadystatechange = function() {
+        if (this.readyState == 4 && this.status == 200) {
+            json += client.responseText;
+            console.log("entry");
+            let questionsJson = json;
+            var questionsObj = JSON.parse(questionsJson);
+            let html = "";
+            jQuery.each(questionsObj, function(i, obj) {
+                jQuery.each(obj, function(j, quest) {
+                  html += "<div id='question_" + j + "' class='quiz_question attack-container' name='question'><p>" + (j+1) + ".&nbsp;" + quest.text + "</p>";
+                  html += "<fieldset>";
+                  jQuery.each(quest.solutions, function(k, solution) {
+                    solution = "Solution " + k + ": " + solution;
+                    html += '<input type="checkbox" name="question_' + j +'_solution" value="' + solution + '">' + solution + '<br>';
+                  });
+                  html += "</fieldset></div>";
+                });
+            });
+            document.getElementById("q_container").innerHTML = html;
+        }
+    }
+    client.send();
+});
--- a/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_quiz.adoc
+++ b/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_quiz.adoc
@ -0,0 +1,3 @@
+Now it's time for a quiz! Answer the following question to check, if you understood the topic.
+
+Today every system is protected by a firewall. The firewall keeps intruders locked out of the system and guarantees, that the data handled there is safe. Imagine a system that handles personal data and is not protected by a firewall: