From 55bd0a49db4f58b24a006bf1d73ffc9aac3403a1 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Fri, 28 Feb 2025 18:39:23 +0100 Subject: [PATCH] chore: cleanup IT tests (#2040) --- pom.xml | 12 --- .../AccessControlIntegrationTest.java | 22 ++--- .../integration/CSRFIntegrationTest.java | 49 +++++------ .../integration/ChallengeIntegrationTest.java | 42 ++++----- .../integration/CryptoIntegrationTest.java | 26 +++--- .../DeserializationIntegrationTest.java | 2 +- .../GeneralLessonIntegrationTest.java | 38 ++++---- .../integration/IDORIntegrationTest.java | 18 ++-- .../webgoat/integration/IntegrationTest.java | 86 ++++--------------- .../integration/JWTLessonIntegrationTest.java | 23 +++-- .../LabelAndHintIntegrationTest.java | 28 +++--- .../PasswordResetLessonIntegrationTest.java | 38 ++++---- .../PathTraversalIntegrationTest.java | 24 +++--- .../ProgressRaceConditionIntegrationTest.java | 4 +- .../integration/SSRFIntegrationTest.java | 4 +- .../SessionManagementIntegrationTest.java | 4 +- .../SqlInjectionAdvancedIntegrationTest.java | 12 +-- .../SqlInjectionLessonIntegrationTest.java | 18 ++-- ...SqlInjectionMitigationIntegrationTest.java | 21 +++-- .../integration/WebWolfIntegrationTest.java | 16 ++-- .../integration/XSSIntegrationTest.java | 18 ++-- .../integration/XXEIntegrationTest.java | 18 ++-- .../lessons/missingac/DisplayUser.java | 4 +- .../HijackSessionAssignmentTest.java | 3 +- 24 files changed, 233 insertions(+), 297 deletions(-) diff --git a/pom.xml b/pom.xml index cdd69fb99..0cf86df09 100644 --- a/pom.xml +++ b/pom.xml @@ -242,18 +242,6 @@ provided true - - org.testcontainers - testcontainers - 1.20.5 - test - - - org.testcontainers - junit-jupiter - 1.20.5 - test - javax.xml.bind jaxb-api diff --git a/src/it/java/org/owasp/webgoat/integration/AccessControlIntegrationTest.java b/src/it/java/org/owasp/webgoat/integration/AccessControlIntegrationTest.java index 25816fdad..0d933fb06 100644 
--- a/src/it/java/org/owasp/webgoat/integration/AccessControlIntegrationTest.java +++ b/src/it/java/org/owasp/webgoat/integration/AccessControlIntegrationTest.java @@ -24,12 +24,12 @@ class AccessControlIntegrationTest extends IntegrationTest { private void assignment3() { // direct call should fail if user has not been created - RestAssured.given() + RestAssured.given() .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) .contentType(ContentType.JSON) - .get(url("access-control/users-admin-fix")) + .get(webGoatUrlConfig.url("access-control/users-admin-fix")) .then() .statusCode(HttpStatus.SC_FORBIDDEN); 
@@ -38,52 +38,52 @@ class AccessControlIntegrationTest extends IntegrationTest { """ {"username":"%s","password":"%s","admin": "true"} """; - RestAssured.given() + RestAssured.given() .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) .contentType(ContentType.JSON) .body(String.format(userTemplate, this.getUser(), this.getUser())) - .post(url("access-control/users")) + .post(webGoatUrlConfig.url("access-control/users")) .then() .statusCode(HttpStatus.SC_OK); // get the users - var userHash = + var userHash = RestAssured.given() .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) .contentType(ContentType.JSON) - .get(url("access-control/users-admin-fix")) + .get(webGoatUrlConfig.url("access-control/users-admin-fix")) .then() .statusCode(200) .extract() .jsonPath() .get("find { it.username == \"Jerry\" }.userHash"); - checkAssignment(url("access-control/user-hash-fix"), Map.of("userHash", userHash), true); + checkAssignment(webGoatUrlConfig.url("access-control/user-hash-fix"), Map.of("userHash", userHash), true); } private void assignment2() { - var userHash = + var userHash = RestAssured.given() .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) .contentType(ContentType.JSON) - .get(url("access-control/users")) + .get(webGoatUrlConfig.url("access-control/users")) .then() .statusCode(200) .extract() .jsonPath() .get("find { it.username == \"Jerry\" }.userHash"); - checkAssignment(url("access-control/user-hash"), Map.of("userHash", userHash), true); + checkAssignment(webGoatUrlConfig.url("access-control/user-hash"), Map.of("userHash", userHash), true); } private void assignment1() { var params = Map.of("hiddenMenu1", "Users", "hiddenMenu2", "Config"); - checkAssignment(url("access-control/hidden-menu"), params, true); + checkAssignment(webGoatUrlConfig.url("access-control/hidden-menu"), params, true); } } 
diff --git a/src/it/java/org/owasp/webgoat/integration/CSRFIntegrationTest.java b/src/it/java/org/owasp/webgoat/integration/CSRFIntegrationTest.java index c27081b69..09dac7181 100644 --- a/src/it/java/org/owasp/webgoat/integration/CSRFIntegrationTest.java +++ b/src/it/java/org/owasp/webgoat/integration/CSRFIntegrationTest.java @@ -5,7 +5,7 @@ package org.owasp.webgoat.integration; import static org.assertj.core.api.Assertions.assertThat; -import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertTrue; import static org.junit.jupiter.api.DynamicTest.dynamicTest; import io.restassured.RestAssured; @@ -68,12 +68,12 @@ public class CSRFIntegrationTest extends IntegrationTest { public void init() { startLesson("CSRF"); webwolfFileDir = getWebWolfFileServerLocation(); - uploadTrickHtml("csrf3.html", trickHTML3.replace("WEBGOATURL", url("csrf/basic-get-flag"))); - uploadTrickHtml("csrf4.html", trickHTML4.replace("WEBGOATURL", url("csrf/review"))); - uploadTrickHtml("csrf7.html", trickHTML7.replace("WEBGOATURL", url("csrf/feedback/message"))); - uploadTrickHtml( + uploadTrickHtml("csrf3.html", trickHTML3.replace("WEBGOATURL", webGoatUrlConfig.url("csrf/basic-get-flag"))); + uploadTrickHtml("csrf4.html", trickHTML4.replace("WEBGOATURL", webGoatUrlConfig.url("csrf/review"))); + uploadTrickHtml("csrf7.html", trickHTML7.replace("WEBGOATURL", webGoatUrlConfig.url("csrf/feedback/message"))); + uploadTrickHtml( "csrf8.html", - trickHTML8.replace("WEBGOATURL", url("login")).replace("USERNAME", this.getUser())); + trickHTML8.replace("WEBGOATURL", webGoatUrlConfig.url("login")).replace("USERNAME", this.getUser())); } @TestFactory 
@@ -107,7 +107,7 @@ public class CSRFIntegrationTest extends IntegrationTest { .relaxedHTTPSValidation() .cookie("WEBWOLFSESSION", getWebWolfCookie()) .multiPart("file", htmlName, htmlContent.getBytes()) - .post(new WebWolfUrlBuilder().path("fileupload").build()) + .post(webWolfUrlConfig.url("fileupload")) .then() .extract() .response() @@ -122,7 +122,7 @@ public class CSRFIntegrationTest extends IntegrationTest { .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) .cookie("WEBWOLFSESSION", getWebWolfCookie()) - .get(new WebWolfUrlBuilder().path("files/%s/%s", this.getUser(), htmlName).build()) + .get(webWolfUrlConfig.url("files/%s/%s".formatted(this.getUser(), htmlName))) .then() .extract() .response() @@ -140,7 +140,7 @@ public class CSRFIntegrationTest extends IntegrationTest { .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) - .header("Referer", new WebWolfUrlBuilder().path("files/fake.html").build()) + .header("Referer", webWolfUrlConfig.url("files/fake.html")) .post(goatURL) .then() .extract() @@ -148,15 +148,13 @@ public class CSRFIntegrationTest extends IntegrationTest { .toString(); Map params = new HashMap<>(); - params.clear(); params.put("confirmFlagVal", flag); - checkAssignment(url("csrf/confirm-flag-1"), params, true); + checkAssignment(webGoatUrlConfig.url("csrf/confirm-flag-1"), params, true); } private void checkAssignment4(String goatURL) { Map params = new HashMap<>(); - params.clear(); params.put("reviewText", "test review"); params.put("stars", "5"); params.put( 
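Review bot: With the redundant `params.clear()` gone in the `@@ -148` hunk, `checkAssignment3` still builds a mutable `HashMap` for a single entry; `flag` is a `String` from `.toString()`, so the call can simply be `checkAssignment(webGoatUrlConfig.url("csrf/confirm-flag-1"), Map.of("confirmFlagVal", flag), true);`, the same shape `ChallengeIntegrationTest` already uses with `Map.of("flag", flag)`. The same applies to `checkAssignment8` in the `@@ -211` hunk, where `params` only ever holds `username` and `password` before being passed to `.params(params)`. `checkAssignment4` and `checkAssignment7` add several entries and can keep their mutable maps.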
@@ -167,13 +165,13 @@ public class CSRFIntegrationTest extends IntegrationTest { .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) - .header("Referer", new WebWolfUrlBuilder().path("files/fake.html").build()) + .header("Referer", webWolfUrlConfig.url("files/fake.html")) .formParams(params) .post(goatURL) .then() .extract() .path("lessonCompleted"); - assertEquals(true, result); + assertTrue(result); } private void checkAssignment7(String goatURL) { @@ -188,7 +186,7 @@ public class CSRFIntegrationTest extends IntegrationTest { .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) - .header("Referer", new WebWolfUrlBuilder().path("files/fake.html").build()) + .header("Referer", webWolfUrlConfig.url("files/fake.html")) .contentType(ContentType.TEXT) .body( "{\"name\":\"WebGoat\",\"email\":\"webgoat@webgoat.org\",\"content\":\"WebGoat is" @@ -202,7 +200,7 @@ public class CSRFIntegrationTest extends IntegrationTest { params.clear(); params.put("confirmFlagVal", flag); - checkAssignment(url("csrf/feedback"), params, true); + checkAssignment(webGoatUrlConfig.url("csrf/feedback"), params, true); } private void checkAssignment8(String goatURL) { @@ -211,7 +209,6 @@ public class CSRFIntegrationTest extends IntegrationTest { registerCSRFUser(); Map params = new HashMap<>(); - params.clear(); params.put("username", "csrf-" + this.getUser()); params.put("password", "password"); @@ -221,7 +218,7 @@ public class CSRFIntegrationTest extends IntegrationTest { .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) - .header("Referer", new WebWolfUrlBuilder().path("files/fake.html").build()) + .header("Referer", webWolfUrlConfig.url("files/fake.html")) .params(params) .post(goatURL) .then() 
@@ -229,21 +226,21 @@ public class CSRFIntegrationTest extends IntegrationTest { .cookie("JSESSIONID"); // select the lesson - RestAssured.given() + RestAssured.given() .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", newCookie) - .get(url("CSRF.lesson.lesson")) + .get(webGoatUrlConfig.url("CSRF.lesson.lesson")) .then() .statusCode(200); // click on the assignment - boolean result = + boolean result = RestAssured.given() .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", newCookie) - .post(url("csrf/login")) + .post(webGoatUrlConfig.url("csrf/login")) .then() .statusCode(200) .extract() @@ -254,11 +251,11 @@ public class CSRFIntegrationTest extends IntegrationTest { login(); startLesson("CSRF", false); - Overview[] assignments = + Overview[] assignments = RestAssured.given() .cookie("JSESSIONID", getWebGoatCookie()) .relaxedHTTPSValidation() - .get(url("service/lessonoverview.mvc/CSRF")) + .get(webGoatUrlConfig.url("service/lessonoverview.mvc/CSRF")) .then() .extract() .jsonPath() @@ -278,13 +275,13 @@ public class CSRFIntegrationTest extends IntegrationTest { /** Try to register the new user. Ignore the result. */ private void registerCSRFUser() { - RestAssured.given() + RestAssured.given() .when() .relaxedHTTPSValidation() .formParam("username", "csrf-" + this.getUser()) .formParam("password", "password") .formParam("matchingPassword", "password") .formParam("agree", "agree") - .post(url("register.mvc")); + .post(webGoatUrlConfig.url("register.mvc")); } } diff --git a/src/it/java/org/owasp/webgoat/integration/ChallengeIntegrationTest.java b/src/it/java/org/owasp/webgoat/integration/ChallengeIntegrationTest.java index ac3bc7ab4..1c5add18e 100644 --- a/src/it/java/org/owasp/webgoat/integration/ChallengeIntegrationTest.java +++ b/src/it/java/org/owasp/webgoat/integration/ChallengeIntegrationTest.java 
@@ -21,12 +21,12 @@ public class ChallengeIntegrationTest extends IntegrationTest { void testChallenge1() { startLesson("Challenge1"); - byte[] resultBytes = + byte[] resultBytes = RestAssured.given() .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) - .get(url("challenge/logo")) + .get(webGoatUrlConfig.url("challenge/logo")) .then() .statusCode(200) .extract() @@ -38,14 +38,14 @@ public class ChallengeIntegrationTest extends IntegrationTest { params.put("username", "admin"); params.put("password", "!!webgoat_admin_1234!!".replace("1234", pincode)); - checkAssignment(url("challenge/1"), params, true); - String result = + checkAssignment(webGoatUrlConfig.url("challenge/1"), params, true); + String result = RestAssured.given() .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) .formParams(params) - .post(url("challenge/1")) + .post(webGoatUrlConfig.url("challenge/1")) .then() .statusCode(200) .extract() @@ -54,16 +54,16 @@ public class ChallengeIntegrationTest extends IntegrationTest { String flag = result.substring(result.indexOf("flag") + 6, result.indexOf("flag") + 42); params.clear(); params.put("flag", flag); - checkAssignment(url("challenge/flag/1"), params, true); + checkAssignment(webGoatUrlConfig.url("challenge/flag/1"), params, true); checkResults("Challenge1"); - List capturefFlags = + List capturefFlags = RestAssured.given() .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) - .get(url("scoreboard-data")) + .get(webGoatUrlConfig.url("scoreboard-data")) .then() .statusCode(200) .extract() 
@@ -81,13 +81,13 @@ public class ChallengeIntegrationTest extends IntegrationTest { params.put("username_login", "Larry"); params.put("password_login", "1' or '1'='1"); - String result = + String result = RestAssured.given() .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) .formParams(params) - .post(url("challenge/5")) + .post(webGoatUrlConfig.url("challenge/5")) .then() .statusCode(200) .extract() @@ -96,16 +96,16 @@ public class ChallengeIntegrationTest extends IntegrationTest { String flag = result.substring(result.indexOf("flag") + 6, result.indexOf("flag") + 42); params.clear(); params.put("flag", flag); - checkAssignment(url("challenge/flag/5"), params, true); + checkAssignment(webGoatUrlConfig.url("challenge/flag/5"), params, true); checkResults("Challenge5"); - List capturefFlags = + List capturefFlags = RestAssured.given() .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) - .get(url("scoreboard-data")) + .get(webGoatUrlConfig.url("scoreboard-data")) .then() .statusCode(200) .extract() @@ -120,23 +120,23 @@ public class ChallengeIntegrationTest extends IntegrationTest { cleanMailbox(); // One should first be able to download git.zip from WebGoat - RestAssured.given() + RestAssured.given() .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) - .get(url("challenge/7/.git")) + .get(webGoatUrlConfig.url("challenge/7/.git")) .then() .statusCode(200) .extract() .asString(); // Should email WebWolf inbox this should give a hint to the link being static - RestAssured.given() + RestAssured.given() .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) .formParams("email", getUser() + "@webgoat.org") - .post(url("challenge/7")) + .post(webGoatUrlConfig.url("challenge/7")) .then() .statusCode(200) .extract() 
@@ -148,7 +148,7 @@ public class ChallengeIntegrationTest extends IntegrationTest { .when() .relaxedHTTPSValidation() .cookie("WEBWOLFSESSION", getWebWolfCookie()) - .get(new WebWolfUrlBuilder().path("mail").build()) + .get(webWolfUrlConfig.url("mail")) .then() .extract() .response() @@ -157,18 +157,18 @@ public class ChallengeIntegrationTest extends IntegrationTest { Assertions.assertThat(responseBody).contains("Hi, you requested a password reset link"); // Call reset link with admin link - String result = + String result = RestAssured.given() .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) - .get(url("challenge/7/reset-password/{link}"), "375afe1104f4a487a73823c50a9292a2") + .get(webGoatUrlConfig.url("challenge/7/reset-password/{link}"), "375afe1104f4a487a73823c50a9292a2") .then() .statusCode(HttpStatus.ACCEPTED.value()) .extract() .asString(); String flag = result.substring(result.indexOf("flag") + 6, result.indexOf("flag") + 42); - checkAssignment(url("challenge/flag/7"), Map.of("flag", flag), true); + checkAssignment(webGoatUrlConfig.url("challenge/flag/7"), Map.of("flag", flag), true); } } diff --git a/src/it/java/org/owasp/webgoat/integration/CryptoIntegrationTest.java b/src/it/java/org/owasp/webgoat/integration/CryptoIntegrationTest.java index bc222c079..742a0ed85 100644 --- a/src/it/java/org/owasp/webgoat/integration/CryptoIntegrationTest.java +++ b/src/it/java/org/owasp/webgoat/integration/CryptoIntegrationTest.java @@ -51,12 +51,12 @@ public class CryptoIntegrationTest extends IntegrationTest { private void checkAssignment2() { - String basicEncoding = + String basicEncoding = RestAssured.given() .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) - .get(url("crypto/encoding/basic")) + .get(webGoatUrlConfig.url("crypto/encoding/basic")) .then() .extract() .asString(); 
@@ -68,7 +68,7 @@ public class CryptoIntegrationTest extends IntegrationTest { params.clear(); params.put("answer_user", answer_user); params.put("answer_pwd", answer_pwd); - checkAssignment(url("crypto/encoding/basic-auth"), params, true); + checkAssignment(webGoatUrlConfig.url("crypto/encoding/basic-auth"), params, true); } private void checkAssignment3() { @@ -76,27 +76,27 @@ public class CryptoIntegrationTest extends IntegrationTest { Map params = new HashMap<>(); params.clear(); params.put("answer_pwd1", answer_1); - checkAssignment(url("crypto/encoding/xor"), params, true); + checkAssignment(webGoatUrlConfig.url("crypto/encoding/xor"), params, true); } private void checkAssignment4() throws NoSuchAlgorithmException { - String md5Hash = + String md5Hash = RestAssured.given() .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) - .get(url("crypto/hashing/md5")) + .get(webGoatUrlConfig.url("crypto/hashing/md5")) .then() .extract() .asString(); - String sha256Hash = + String sha256Hash = RestAssured.given() .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) - .get(url("crypto/hashing/sha256")) + .get(webGoatUrlConfig.url("crypto/hashing/sha256")) .then() .extract() .asString(); @@ -116,17 +116,17 @@ public class CryptoIntegrationTest extends IntegrationTest { params.clear(); params.put("answer_pwd1", answer_1); params.put("answer_pwd2", answer_2); - checkAssignment(url("crypto/hashing"), params, true); + checkAssignment(webGoatUrlConfig.url("crypto/hashing"), params, true); } private void checkAssignmentSigning() throws NoSuchAlgorithmException, InvalidKeySpecException { - String privatePEM = + String privatePEM = RestAssured.given() .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) - .get(url("crypto/signing/getprivate")) + .get(webGoatUrlConfig.url("crypto/signing/getprivate")) .then() .extract() .asString(); 
@@ -139,7 +139,7 @@ public class CryptoIntegrationTest extends IntegrationTest { params.clear(); params.put("modulus", modulus); params.put("signature", signature); - checkAssignment(url("crypto/signing/verify"), params, true); + checkAssignment(webGoatUrlConfig.url("crypto/signing/verify"), params, true); } private void checkAssignmentDefaults() { @@ -155,6 +155,6 @@ public class CryptoIntegrationTest extends IntegrationTest { params.clear(); params.put("secretText", text); params.put("secretFileName", "default_secret"); - checkAssignment(url("crypto/secure/defaults"), params, true); + checkAssignment(webGoatUrlConfig.url("crypto/secure/defaults"), params, true); } } diff --git a/src/it/java/org/owasp/webgoat/integration/DeserializationIntegrationTest.java b/src/it/java/org/owasp/webgoat/integration/DeserializationIntegrationTest.java index 881191b16..add9dd203 100644 --- a/src/it/java/org/owasp/webgoat/integration/DeserializationIntegrationTest.java +++ b/src/it/java/org/owasp/webgoat/integration/DeserializationIntegrationTest.java @@ -30,7 +30,7 @@ public class DeserializationIntegrationTest extends IntegrationTest { params.put( "token", SerializationHelper.toString(new VulnerableTaskHolder("wait", "sleep 5"))); } - checkAssignment(url("InsecureDeserialization/task"), params, true); + checkAssignment(webGoatUrlConfig.url("InsecureDeserialization/task"), params, true); checkResults("InsecureDeserialization"); } diff --git a/src/it/java/org/owasp/webgoat/integration/GeneralLessonIntegrationTest.java b/src/it/java/org/owasp/webgoat/integration/GeneralLessonIntegrationTest.java index 403d20cda..7eef982d7 100644 --- a/src/it/java/org/owasp/webgoat/integration/GeneralLessonIntegrationTest.java +++ b/src/it/java/org/owasp/webgoat/integration/GeneralLessonIntegrationTest.java 
@@ -21,19 +21,19 @@ public class GeneralLessonIntegrationTest extends IntegrationTest { Map params = new HashMap<>(); params.clear(); params.put("person", "goatuser"); - checkAssignment(url("HttpBasics/attack1"), params, true); + checkAssignment(webGoatUrlConfig.url("HttpBasics/attack1"), params, true); params.clear(); params.put("answer", "POST"); params.put("magic_answer", "33"); params.put("magic_num", "4"); - checkAssignment(url("HttpBasics/attack2"), params, false); + checkAssignment(webGoatUrlConfig.url("HttpBasics/attack2"), params, false); params.clear(); params.put("answer", "POST"); params.put("magic_answer", "33"); params.put("magic_num", "33"); - checkAssignment(url("HttpBasics/attack2"), params, true); + checkAssignment(webGoatUrlConfig.url("HttpBasics/attack2"), params, true); checkResults("HttpBasics"); } @@ -45,20 +45,20 @@ public class GeneralLessonIntegrationTest extends IntegrationTest { Map params = new HashMap<>(); params.clear(); params.put("person", "goatuser"); - checkAssignment(url("HttpBasics/attack1"), params, true); + checkAssignment(webGoatUrlConfig.url("HttpBasics/attack1"), params, true); } @Test public void httpProxies() { startLesson("HttpProxies"); - MatcherAssert.assertThat( + MatcherAssert.assertThat( RestAssured.given() .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) .header("x-request-intercepted", "true") .contentType(ContentType.JSON) - .get(url("HttpProxies/intercept-request?changeMe=Requests are tampered easily")) + .get(webGoatUrlConfig.url("HttpProxies/intercept-request?changeMe=Requests are tampered easily")) .then() .statusCode(200) .extract() @@ -86,7 +86,7 @@ public class GeneralLessonIntegrationTest extends IntegrationTest { params.put( "question_3_solution", "Solution 2: The systems security is compromised even if only one goal is harmed."); - checkAssignment(url("cia/quiz"), params, true); + checkAssignment(webGoatUrlConfig.url("cia/quiz"), params, true); checkResults("CIA"); } 
@@ -109,7 +109,7 @@ public class GeneralLessonIntegrationTest extends IntegrationTest { Map params = new HashMap<>(); params.clear(); params.put("payload", solution); - checkAssignment(url("VulnerableComponents/attack1"), params, true); + checkAssignment(webGoatUrlConfig.url("VulnerableComponents/attack1"), params, true); checkResults("VulnerableComponents"); } } @@ -121,7 +121,7 @@ public class GeneralLessonIntegrationTest extends IntegrationTest { params.clear(); params.put("username", "CaptainJack"); params.put("password", "BlackPearl"); - checkAssignment(url("InsecureLogin/task"), params, true); + checkAssignment(webGoatUrlConfig.url("InsecureLogin/task"), params, true); checkResults("InsecureLogin"); } @@ -131,7 +131,7 @@ public class GeneralLessonIntegrationTest extends IntegrationTest { Map params = new HashMap<>(); params.clear(); params.put("password", "ajnaeliclm^&&@kjn."); - checkAssignment(url("SecurePasswords/assignment"), params, true); + checkAssignment(webGoatUrlConfig.url("SecurePasswords/assignment"), params, true); checkResults("SecurePasswords"); startLesson("AuthBypass"); @@ -141,18 +141,18 @@ public class GeneralLessonIntegrationTest extends IntegrationTest { params.put("jsEnabled", "1"); params.put("verifyMethod", "SEC_QUESTIONS"); params.put("userId", "12309746"); - checkAssignment(url("auth-bypass/verify-account"), params, true); + checkAssignment(webGoatUrlConfig.url("auth-bypass/verify-account"), params, true); checkResults("AuthBypass"); startLesson("HttpProxies"); - MatcherAssert.assertThat( + MatcherAssert.assertThat( RestAssured.given() .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) .header("x-request-intercepted", "true") .contentType(ContentType.JSON) - .get(url("HttpProxies/intercept-request?changeMe=Requests are tampered easily")) + .get(webGoatUrlConfig.url("HttpProxies/intercept-request?changeMe=Requests are tampered easily")) .then() .statusCode(200) .extract() 
@@ -170,7 +170,7 @@ public class GeneralLessonIntegrationTest extends IntegrationTest { params.put("param1", "42"); params.put("param2", "24"); - String result = + String result = RestAssured.given() .when() .relaxedHTTPSValidation() @@ -178,7 +178,7 @@ public class GeneralLessonIntegrationTest extends IntegrationTest { .header("webgoat-requested-by", "dom-xss-vuln") .header("X-Requested-With", "XMLHttpRequest") .formParams(params) - .post(url("CrossSiteScripting/phone-home-xss")) + .post(webGoatUrlConfig.url("CrossSiteScripting/phone-home-xss")) .then() .statusCode(200) .extract() @@ -187,12 +187,12 @@ public class GeneralLessonIntegrationTest extends IntegrationTest { params.clear(); params.put("successMessage", secretNumber); - checkAssignment(url("ChromeDevTools/dummy"), params, true); + checkAssignment(webGoatUrlConfig.url("ChromeDevTools/dummy"), params, true); params.clear(); params.put("number", "24"); params.put("network_num", "24"); - checkAssignment(url("ChromeDevTools/network"), params, true); + checkAssignment(webGoatUrlConfig.url("ChromeDevTools/network"), params, true); checkResults("ChromeDevTools"); } @@ -207,7 +207,7 @@ public class GeneralLessonIntegrationTest extends IntegrationTest { params.put("jsEnabled", "1"); params.put("verifyMethod", "SEC_QUESTIONS"); params.put("userId", "12309746"); - checkAssignment(url("auth-bypass/verify-account"), params, true); + checkAssignment(webGoatUrlConfig.url("auth-bypass/verify-account"), params, true); checkResults("AuthBypass"); } @@ -218,7 +218,7 @@ public class GeneralLessonIntegrationTest extends IntegrationTest { params.clear(); params.put("param1", "secr37Value"); params.put("param2", "Main"); - checkAssignment(url("lesson-template/sample-attack"), params, true); + checkAssignment(webGoatUrlConfig.url("lesson-template/sample-attack"), params, true); checkResults("LessonTemplate"); } } 
diff --git a/src/it/java/org/owasp/webgoat/integration/IDORIntegrationTest.java b/src/it/java/org/owasp/webgoat/integration/IDORIntegrationTest.java index 45e3217ce..dc5c8f239 100644 --- a/src/it/java/org/owasp/webgoat/integration/IDORIntegrationTest.java +++ b/src/it/java/org/owasp/webgoat/integration/IDORIntegrationTest.java @@ -43,18 +43,18 @@ public class IDORIntegrationTest extends IntegrationTest { params.put("username", "tom"); params.put("password", "cat"); - checkAssignment(url("IDOR/login"), params, true); + checkAssignment(webGoatUrlConfig.url("IDOR/login"), params, true); } private void profile() { // View profile - assignment 3a - MatcherAssert.assertThat( + MatcherAssert.assertThat( RestAssured.given() .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) - .get(url("IDOR/profile")) + .get(webGoatUrlConfig.url("IDOR/profile")) .then() .statusCode(200) .extract() @@ -64,20 +64,20 @@ public class IDORIntegrationTest extends IntegrationTest { // Show difference - assignment 3b Map params = new HashMap<>(); params.put("attributes", "userId,role"); - checkAssignment(url("IDOR/diff-attributes"), params, true); + checkAssignment(webGoatUrlConfig.url("IDOR/diff-attributes"), params, true); // View profile another way - assignment 4 params.clear(); params.put("url", "WebGoat/IDOR/profile/2342384"); - checkAssignment(url("IDOR/profile/alt-path"), params, true); + checkAssignment(webGoatUrlConfig.url("IDOR/profile/alt-path"), params, true); // assignment 5a - MatcherAssert.assertThat( + MatcherAssert.assertThat( RestAssured.given() .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) - .get(url("IDOR/profile/2342388")) + .get(webGoatUrlConfig.url("IDOR/profile/2342388")) .then() .statusCode(200) .extract() 
@@ -85,7 +85,7 @@ public class IDORIntegrationTest extends IntegrationTest { CoreMatchers.is(true)); // assignment 5b - MatcherAssert.assertThat( + MatcherAssert.assertThat( RestAssured.given() .when() .relaxedHTTPSValidation() @@ -94,7 +94,7 @@ public class IDORIntegrationTest extends IntegrationTest { .body( "{\"role\":\"1\", \"color\":\"red\", \"size\":\"large\", \"name\":\"Buffalo Bill\"," + " \"userId\":\"2342388\"}") - .put(url("IDOR/profile/2342388")) + .put(webGoatUrlConfig.url("IDOR/profile/2342388")) .then() .statusCode(200) .extract() diff --git a/src/it/java/org/owasp/webgoat/integration/IntegrationTest.java b/src/it/java/org/owasp/webgoat/integration/IntegrationTest.java index 4ee2748cb..0258eb1d1 100644 --- a/src/it/java/org/owasp/webgoat/integration/IntegrationTest.java +++ b/src/it/java/org/owasp/webgoat/integration/IntegrationTest.java 
@@ -20,66 +20,13 @@ import org.springframework.http.HttpStatus; public abstract class IntegrationTest { - private final ServerUrlConfig webGoatUrlConfig = ServerUrlConfig.webGoat(); - @Getter private final ServerUrlConfig webWolfUrlConfig = ServerUrlConfig.webWolf(); + protected final ServerUrlConfig webGoatUrlConfig = ServerUrlConfig.webGoat(); + protected final ServerUrlConfig webWolfUrlConfig = ServerUrlConfig.webWolf(); @Getter private String webGoatCookie; @Getter private String webWolfCookie; @Getter private final String user = "webgoat"; - protected String url(String url) { - return webGoatUrlConfig.url(url); - } - - protected class WebWolfUrlBuilder { - - private boolean attackMode = false; - private String path = null; - - protected String build() { - return webWolfUrlConfig.url(path != null ? path : ""); - } - - /** - * In attack mode it means WebGoat calls WebWolf to perform an attack. In this case we need to - * use port 9090 in a Docker environment. - */ - protected WebWolfUrlBuilder attackMode() { - attackMode = true; - return this; - } - - protected WebWolfUrlBuilder path(String path) { - this.path = path; - return this; - } - - protected WebWolfUrlBuilder path(String path, String... uriVariables) { - this.path = path.formatted(uriVariables); - return this; - } - } - - /** - * Debugging options: install TestContainers Desktop and map port 5005 to the host machine with - * https://newsletter.testcontainers.com/announcements/set-fixed-ports-to-easily-debug-development-services - * - *

Start the test and connect a remote debugger in IntelliJ to localhost:5005 and attach it. - */ - // private static GenericContainer webGoatContainer = - // new GenericContainer(new ImageFromDockerfile("webgoat").withFileFromPath("/", - // Paths.get("."))) - // .withLogConsumer(new Slf4jLogConsumer(LoggerFactory.getLogger("webgoat"))) - // .withExposedPorts(8080, 9090, 5005) - // .withEnv( - // "_JAVA_OPTIONS", - // "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=0.0.0.0:5005") - // .waitingFor(Wait.forHealthcheck()); - // - // static { - // webGoatContainer.start(); - // } - @BeforeEach public void login() { login("webgoat"); @@ -92,7 +39,7 @@ public abstract class IntegrationTest { .relaxedHTTPSValidation() .formParam("username", user) .formParam("password", "password") - .post(url("login")) + .post(webGoatUrlConfig.url("login")) .then() .log() .ifValidationFails(LogDetail.ALL) // Log the response details if validation fails @@ -109,7 +56,7 @@ public abstract class IntegrationTest { .formParam("password", "password") .formParam("matchingPassword", "password") .formParam("agree", "agree") - .post(url("register.mvc")) + .post(webGoatUrlConfig.url("register.mvc")) .then() .cookie("JSESSIONID") .statusCode(302) @@ -122,7 +69,7 @@ public abstract class IntegrationTest { .relaxedHTTPSValidation() .formParam("username", user) .formParam("password", "password") - .post(url("login")) + .post(webGoatUrlConfig.url("login")) .then() .cookie("JSESSIONID") .statusCode(302) @@ -136,7 +83,7 @@ public abstract class IntegrationTest { .relaxedHTTPSValidation() .formParam("username", user) .formParam("password", "password") - .post(new WebWolfUrlBuilder().path("login").build()) + .post(webWolfUrlConfig.url("login")) .then() .statusCode(302) .cookie("WEBWOLFSESSION") 
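Review bot: Deleting `WebWolfUrlBuilder` in the `@@ -20,66` hunk also removes the only note that attack mode (WebGoat calling WebWolf inside Docker) needs port 9090; since `attackMode()` never influenced `build()`, which always returned `webWolfUrlConfig.url(path)`, behaviour is unchanged, but that operational detail now lives nowhere in the test sources. Keep it as a comment on the surviving field, e.g. `// URL of WebWolf as seen by the test client; when WebGoat itself calls WebWolf inside Docker a different port (9090) is needed — see ServerUrlConfig.webWolf()`. Making both config fields `protected` instead of keeping `@Getter` accessors is acceptable for an abstract test base, though the cookies and `user` two lines below still use `@Getter`, so the class now mixes the two styles.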
@@ -146,7 +93,12 @@ public abstract class IntegrationTest {
 @AfterEach
 public void logout() {
- RestAssured.given().when().relaxedHTTPSValidation().get(url("logout")).then().statusCode(200);
+ RestAssured.given()
+ .when()
+ .relaxedHTTPSValidation()
+ .get(webGoatUrlConfig.url("logout"))
+ .then()
+ .statusCode(200);
 }
 public void startLesson(String lessonName) {
@@ -158,7 +110,7 @@ public abstract class IntegrationTest {
 .when()
 .relaxedHTTPSValidation()
 .cookie("JSESSIONID", getWebGoatCookie())
- .get(url(lessonName + ".lesson.lesson"))
+ .get(webGoatUrlConfig.url(lessonName + ".lesson.lesson"))
 .then()
 .statusCode(200);
@@ -167,7 +119,7 @@ public abstract class IntegrationTest {
 .when()
 .relaxedHTTPSValidation()
 .cookie("JSESSIONID", getWebGoatCookie())
- .get(url("service/restartlesson.mvc/%s.lesson".formatted(lessonName)))
+ .get(webGoatUrlConfig.url("service/restartlesson.mvc/%s.lesson".formatted(lessonName)))
 .then()
 .statusCode(200);
 }
@@ -209,7 +161,7 @@ public abstract class IntegrationTest {
 .when()
 .relaxedHTTPSValidation()
 .cookie("JSESSIONID", getWebGoatCookie())
- .get(url("service/lessonoverview.mvc/%s.lesson".formatted(lesson)))
+ .get(webGoatUrlConfig.url("service/lessonoverview.mvc/%s.lesson".formatted(lesson)))
 .andReturn();
 MatcherAssert.assertThat(
@@ -223,7 +175,7 @@ public abstract class IntegrationTest {
 .when()
 .relaxedHTTPSValidation()
 .cookie("JSESSIONID", getWebGoatCookie())
- .get(url("service/lessonoverview.mvc"))
+ .get(webGoatUrlConfig.url("service/lessonoverview.mvc"))
 .andReturn();
 MatcherAssert.assertThat(
@@ -269,7 +221,7 @@ public abstract class IntegrationTest {
 .when()
 .relaxedHTTPSValidation()
 .cookie("WEBWOLFSESSION", getWebWolfCookie())
- .get(new WebWolfUrlBuilder().path("file-server-location").build())
+ .get(webWolfUrlConfig.url("file-server-location"))
 .then()
 .extract()
 .response()
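Review bot: The reflowed `logout()` still sends no `JSESSIONID` cookie, so the request at `.get(webGoatUrlConfig.url("logout"))` is anonymous and cannot end the session that `login()` created; every other request in this file passes `.cookie("JSESSIONID", getWebGoatCookie())`. Insert that line before `.get(...)` so the `@AfterEach` actually terminates the test session and subsequent tests do not inherit state through a still-valid cookie. Whether the endpoint then answers 200 or a redirect is not visible here, so the `.statusCode(200)` expectation may need re-checking once the cookie is sent.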
@@ -284,7 +236,7 @@ public abstract class IntegrationTest { .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) - .get(url("server-directory")) + .get(webGoatUrlConfig.url("server-directory")) .then() .extract() .response() @@ -297,7 +249,7 @@ public abstract class IntegrationTest { .when() .relaxedHTTPSValidation() .cookie("WEBWOLFSESSION", getWebWolfCookie()) - .delete(new WebWolfUrlBuilder().path("mail").build()) + .delete(webWolfUrlConfig.url("mail")) .then() .statusCode(HttpStatus.ACCEPTED.value()); } diff --git a/src/it/java/org/owasp/webgoat/integration/JWTLessonIntegrationTest.java b/src/it/java/org/owasp/webgoat/integration/JWTLessonIntegrationTest.java index 162d87dda..e7c9d7bc1 100644 --- a/src/it/java/org/owasp/webgoat/integration/JWTLessonIntegrationTest.java +++ b/src/it/java/org/owasp/webgoat/integration/JWTLessonIntegrationTest.java @@ -90,7 +90,7 @@ public class JWTLessonIntegrationTest extends IntegrationTest { .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) .formParam("jwt-encode-user", "user") - .post(url("JWT/decode")) + .post(webGoatUrlConfig.url("JWT/decode")) .then() .statusCode(200) .extract() @@ -105,7 +105,7 @@ public class JWTLessonIntegrationTest extends IntegrationTest { .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) - .get(url("JWT/secret/gettoken")) + .get(webGoatUrlConfig.url("JWT/secret/gettoken")) .then() .extract() .response() @@ -119,7 +119,7 @@ public class JWTLessonIntegrationTest extends IntegrationTest { .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) .formParam("token", generateToken(secret)) - .post(url("JWT/secret")) + .post(webGoatUrlConfig.url("JWT/secret")) .then() .statusCode(200) .extract() 
@@ -133,7 +133,7 @@ public class JWTLessonIntegrationTest extends IntegrationTest { .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) - .get(url("JWT/votings/login?user=Tom")) + .get(webGoatUrlConfig.url("JWT/votings/login?user=Tom")) .then() .extract() .cookie("access_token"); @@ -166,7 +166,7 @@ public class JWTLessonIntegrationTest extends IntegrationTest { .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) .cookie("access_token", replacedToken) - .post(url("JWT/votings")) + .post(webGoatUrlConfig.url("JWT/votings")) .then() .statusCode(200) .extract() @@ -207,7 +207,7 @@ public class JWTLessonIntegrationTest extends IntegrationTest { .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) .header("Authorization", "Bearer " + replacedToken) - .post(url("JWT/refresh/checkout")) + .post(webGoatUrlConfig.url("JWT/refresh/checkout")) .then() .statusCode(200) .extract() @@ -240,7 +240,7 @@ public class JWTLessonIntegrationTest extends IntegrationTest { .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) - .post(url("JWT/kid/delete?token=" + token)) + .post(webGoatUrlConfig.url("JWT/kid/delete?token=" + token)) .then() .statusCode(200) .extract() @@ -258,7 +258,7 @@ public class JWTLessonIntegrationTest extends IntegrationTest { .relaxedHTTPSValidation() .cookie("WEBWOLFSESSION", getWebWolfCookie()) .multiPart("file", "jwks.json", jwks.toJson().getBytes()) - .post(new WebWolfUrlBuilder().path("fileupload").build()) + .post(webWolfUrlConfig.url("fileupload")) .then() .extract() .response() @@ -268,8 +268,7 @@ public class JWTLessonIntegrationTest extends IntegrationTest { Map header = new HashMap(); header.put(Header.TYPE, Header.JWT_TYPE); header.put( - JwsHeader.JWK_SET_URL, - new WebWolfUrlBuilder().attackMode().path("files/%s/jwks.json", getUser()).build()); + JwsHeader.JWK_SET_URL, webWolfUrlConfig.url("files/%s/jwks.json".formatted(getUser()))); String token = Jwts.builder() 
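Review bot: `JwsHeader.JWK_SET_URL` is now filled with `webWolfUrlConfig.url("files/%s/jwks.json".formatted(getUser()))`, dropping the `attackMode()` call whose removed Javadoc said WebGoat calls WebWolf on port 9090 in a Docker environment. The removed builder never acted on that flag, so behaviour is unchanged, but this value is resolved by the WebGoat server rather than by the test client, and if `ServerUrlConfig.webWolf()` yields a host-facing address it may be unreachable from WebGoat's side. A comment on the new line, `// fetched by WebGoat (server side): must be reachable from the WebGoat process, not only from the test host`, preserves the lost intent; the same applies to the XXE hunks that build `webWolfCallback` in `getSecret()` and replace `WEBWOLFURL` in `xxe7String`. The enclosing method continues past the hunk.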
@@ -290,7 +289,7 @@ public class JWTLessonIntegrationTest extends IntegrationTest { .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) - .post(url("JWT/jku/delete?token=" + token)) + .post(webGoatUrlConfig.url("JWT/jku/delete?token=" + token)) .then() .statusCode(200) .extract() @@ -303,6 +302,6 @@ public class JWTLessonIntegrationTest extends IntegrationTest { params.put("question_0_solution", "Solution 1"); params.put("question_1_solution", "Solution 2"); - checkAssignment(url("JWT/quiz"), params, true); + checkAssignment(webGoatUrlConfig.url("JWT/quiz"), params, true); } } diff --git a/src/it/java/org/owasp/webgoat/integration/LabelAndHintIntegrationTest.java b/src/it/java/org/owasp/webgoat/integration/LabelAndHintIntegrationTest.java index f4c3b4419..dc39d38c1 100644 --- a/src/it/java/org/owasp/webgoat/integration/LabelAndHintIntegrationTest.java +++ b/src/it/java/org/owasp/webgoat/integration/LabelAndHintIntegrationTest.java @@ -21,14 +21,14 @@ public class LabelAndHintIntegrationTest extends IntegrationTest { @Test public void testSingleLabel() { Assertions.assertTrue(true); - JsonPath jsonPath = + JsonPath jsonPath = RestAssured.given() .when() .relaxedHTTPSValidation() .contentType(ContentType.JSON) .header("Accept-Language", "en") .cookie("JSESSIONID", getWebGoatCookie()) - .get(url("service/labels.mvc")) + .get(webGoatUrlConfig.url("service/labels.mvc")) .then() .statusCode(200) .extract() 
@@ -39,14 +39,14 @@ public class LabelAndHintIntegrationTest extends IntegrationTest { jsonPath.getString(ESCAPE_JSON_PATH_CHAR + "http-basics.close" + ESCAPE_JSON_PATH_CHAR)); // check if lang parameter overrules Accept-Language parameter - jsonPath = + jsonPath = RestAssured.given() .when() .relaxedHTTPSValidation() .contentType(ContentType.JSON) .header("Accept-Language", "en") .cookie("JSESSIONID", getWebGoatCookie()) - .get(url("service/labels.mvc?lang=nl")) + .get(webGoatUrlConfig.url("service/labels.mvc?lang=nl")) .then() .statusCode(200) .extract() @@ -55,14 +55,14 @@ public class LabelAndHintIntegrationTest extends IntegrationTest { "Gebruikersnaam", jsonPath.getString(ESCAPE_JSON_PATH_CHAR + "username" + ESCAPE_JSON_PATH_CHAR)); - jsonPath = + jsonPath = RestAssured.given() .when() .relaxedHTTPSValidation() .contentType(ContentType.JSON) .header("Accept-Language", "en") .cookie("JSESSIONID", getWebGoatCookie()) - .get(url("service/labels.mvc?lang=de")) + .get(webGoatUrlConfig.url("service/labels.mvc?lang=de")) .then() .statusCode(200) .extract() @@ -72,14 +72,14 @@ public class LabelAndHintIntegrationTest extends IntegrationTest { jsonPath.getString(ESCAPE_JSON_PATH_CHAR + "username" + ESCAPE_JSON_PATH_CHAR)); // check if invalid language returns english - jsonPath = + jsonPath = RestAssured.given() .when() .relaxedHTTPSValidation() .contentType(ContentType.JSON) .header("Accept-Language", "nl") .cookie("JSESSIONID", getWebGoatCookie()) - .get(url("service/labels.mvc?lang=xx")) + .get(webGoatUrlConfig.url("service/labels.mvc?lang=xx")) .then() .statusCode(200) .extract() 
@@ -88,14 +88,14 @@ public class LabelAndHintIntegrationTest extends IntegrationTest { "Username", jsonPath.getString(ESCAPE_JSON_PATH_CHAR + "username" + ESCAPE_JSON_PATH_CHAR)); // check if invalid language returns english - jsonPath = + jsonPath = RestAssured.given() .when() .relaxedHTTPSValidation() .contentType(ContentType.JSON) .header("Accept-Language", "xx_YY") .cookie("JSESSIONID", getWebGoatCookie()) - .get(url("service/labels.mvc")) + .get(webGoatUrlConfig.url("service/labels.mvc")) .then() .statusCode(200) .extract() @@ -200,14 +200,14 @@ public class LabelAndHintIntegrationTest extends IntegrationTest { } private JsonPath getLabels(String lang) { - return RestAssured.given() + return RestAssured.given() .when() .relaxedHTTPSValidation() .contentType(ContentType.JSON) .header("Accept-Language", lang) .cookie("JSESSIONID", getWebGoatCookie()) // .log().headers() - .get(url("service/labels.mvc")) + .get(webGoatUrlConfig.url("service/labels.mvc")) .then() // .log().all() .statusCode(200) @@ -216,13 +216,13 @@ public class LabelAndHintIntegrationTest extends IntegrationTest { } private List getHints() { - JsonPath jsonPath = + JsonPath jsonPath = RestAssured.given() .when() .relaxedHTTPSValidation() .contentType(ContentType.JSON) .cookie("JSESSIONID", getWebGoatCookie()) - .get(url("service/hint.mvc")) + .get(webGoatUrlConfig.url("service/hint.mvc")) .then() // .log().all() .statusCode(200) diff --git a/src/it/java/org/owasp/webgoat/integration/PasswordResetLessonIntegrationTest.java b/src/it/java/org/owasp/webgoat/integration/PasswordResetLessonIntegrationTest.java index 61a2805d5..654aa3b4e 100644 --- a/src/it/java/org/owasp/webgoat/integration/PasswordResetLessonIntegrationTest.java +++ b/src/it/java/org/owasp/webgoat/integration/PasswordResetLessonIntegrationTest.java 
@@ -35,12 +35,12 @@ public class PasswordResetLessonIntegrationTest extends IntegrationTest { } public void assignment2() { - checkAssignment( - url("PasswordReset/simple-mail/reset"), + checkAssignment( + webGoatUrlConfig.url("PasswordReset/simple-mail/reset"), Map.of("emailReset", this.getUser() + "@webgoat.org"), false); - checkAssignment( - url("PasswordReset/simple-mail"), + checkAssignment( + webGoatUrlConfig.url("PasswordReset/simple-mail"), Map.of( "email", this.getUser() + "@webgoat.org", @@ -50,19 +50,19 @@ public class PasswordResetLessonIntegrationTest extends IntegrationTest { } public void assignment4() { - checkAssignment( - url("PasswordReset/questions"), + checkAssignment( + webGoatUrlConfig.url("PasswordReset/questions"), Map.of("username", "tom", "securityQuestion", "purple"), true); } public void assignment5() { - checkAssignment( - url("PasswordReset/SecurityQuestions"), + checkAssignment( + webGoatUrlConfig.url("PasswordReset/SecurityQuestions"), Map.of("question", "What is your favorite animal?"), false); - checkAssignment( - url("PasswordReset/SecurityQuestions"), + checkAssignment( + webGoatUrlConfig.url("PasswordReset/SecurityQuestions"), Map.of("question", "What is your favorite color?"), true); } @@ -75,8 +75,8 @@ public class PasswordResetLessonIntegrationTest extends IntegrationTest { var link = getPasswordResetLinkFromLandingPage(); // WebGoat changePassword(link); - checkAssignment( - url("PasswordReset/reset/login"), + checkAssignment( + webGoatUrlConfig.url("PasswordReset/reset/login"), Map.of("email", "tom@webgoat-cloud.org", "password", "123456"), true); } @@ -89,7 +89,7 @@ public class PasswordResetLessonIntegrationTest extends IntegrationTest { .when() .relaxedHTTPSValidation() .cookie("WEBWOLFSESSION", getWebWolfCookie()) - .get(new WebWolfUrlBuilder().path("mail").build()) + .get(webWolfUrlConfig.url("mail")) .then() .extract() .response() 
@@ -107,12 +107,12 @@ public class PasswordResetLessonIntegrationTest extends IntegrationTest { } private void changePassword(String link) { - RestAssured.given() + RestAssured.given() .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) .formParams("resetLink", link, "password", "123456") - .post(url("PasswordReset/reset/change-password")) + .post(webGoatUrlConfig.url("PasswordReset/reset/change-password")) .then() .statusCode(200); } @@ -123,7 +123,7 @@ public class PasswordResetLessonIntegrationTest extends IntegrationTest { .when() .relaxedHTTPSValidation() .cookie("WEBWOLFSESSION", getWebWolfCookie()) - .get(new WebWolfUrlBuilder().path("requests").build()) + .get(webWolfUrlConfig.url("requests")) .then() .extract() .response() @@ -138,13 +138,13 @@ public class PasswordResetLessonIntegrationTest extends IntegrationTest { } private void clickForgotEmailLink(String user) { - RestAssured.given() + RestAssured.given() .when() - .header(HttpHeaders.HOST, String.format("%s:%s", "127.0.0.1", getWebWolfUrlConfig().port())) + .header(HttpHeaders.HOST, String.format("%s:%s", "127.0.0.1", webWolfUrlConfig.port())) .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) .formParams("email", user) - .post(url("PasswordReset/ForgotPassword/create-password-reset-link")) + .post(webGoatUrlConfig.url("PasswordReset/ForgotPassword/create-password-reset-link")) .then() .statusCode(200); } diff --git a/src/it/java/org/owasp/webgoat/integration/PathTraversalIntegrationTest.java b/src/it/java/org/owasp/webgoat/integration/PathTraversalIntegrationTest.java index f058506ea..0bb959e58 100644 --- a/src/it/java/org/owasp/webgoat/integration/PathTraversalIntegrationTest.java +++ b/src/it/java/org/owasp/webgoat/integration/PathTraversalIntegrationTest.java 
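Review bot: In `clickForgotEmailLink` the `Host` header is assembled from a hard-coded `"127.0.0.1"` and `webWolfUrlConfig.port()`, so host and port come from different sources and diverge as soon as the config points anywhere other than loopback. If `ServerUrlConfig` exposes the host it should be used instead of the literal; otherwise a comment such as `// loopback is assumed here; presumably the Host header must match where WebWolf is reachable so the generated reset link resolves there` makes the assumption explicit. The method's closing brace is visible in the hunk.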
@@ -52,14 +52,14 @@ class PathTraversalIT extends IntegrationTest { } private void assignment1() throws IOException { - MatcherAssert.assertThat( + MatcherAssert.assertThat( RestAssured.given() .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) .multiPart("uploadedFile", "test.jpg", Files.readAllBytes(fileToUpload.toPath())) .param("fullName", "../John Doe") - .post(url("PathTraversal/profile-upload")) + .post(webGoatUrlConfig.url("PathTraversal/profile-upload")) .then() .statusCode(200) .extract() @@ -68,14 +68,14 @@ class PathTraversalIT extends IntegrationTest { } private void assignment2() throws IOException { - MatcherAssert.assertThat( + MatcherAssert.assertThat( RestAssured.given() .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) .multiPart("uploadedFileFix", "test.jpg", Files.readAllBytes(fileToUpload.toPath())) .param("fullNameFix", "..././John Doe") - .post(url("PathTraversal/profile-upload-fix")) + .post(webGoatUrlConfig.url("PathTraversal/profile-upload-fix")) .then() .statusCode(200) .extract() @@ -84,7 +84,7 @@ class PathTraversalIT extends IntegrationTest { } private void assignment3() throws IOException { - MatcherAssert.assertThat( + MatcherAssert.assertThat( RestAssured.given() .when() .relaxedHTTPSValidation() @@ -93,7 +93,7 @@ class PathTraversalIT extends IntegrationTest { "uploadedFileRemoveUserInput", "../test.jpg", Files.readAllBytes(fileToUpload.toPath())) - .post(url("PathTraversal/profile-upload-remove-user-input")) + .post(webGoatUrlConfig.url("PathTraversal/profile-upload-remove-user-input")) .then() .statusCode(200) .extract() 
@@ -103,18 +103,18 @@ class PathTraversalIT extends IntegrationTest { private void assignment4() throws IOException { var uri = "PathTraversal/random-picture?id=%2E%2E%2F%2E%2E%2Fpath-traversal-secret"; - RestAssured.given() + RestAssured.given() .urlEncodingEnabled(false) .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) - .get(url(uri)) + .get(webGoatUrlConfig.url(uri)) .then() .statusCode(200) .body(CoreMatchers.is("You found it submit the SHA-512 hash of your username as answer")); - checkAssignment( - url("PathTraversal/random"), + checkAssignment( + webGoatUrlConfig.url("PathTraversal/random"), Map.of("secret", Sha512DigestUtils.shaHex(this.getUser())), true); } @@ -131,13 +131,13 @@ class PathTraversalIT extends IntegrationTest { zos.putNextEntry(e); zos.write("test".getBytes(StandardCharsets.UTF_8)); } - MatcherAssert.assertThat( + MatcherAssert.assertThat( RestAssured.given() .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) .multiPart("uploadedFileZipSlip", "upload.zip", Files.readAllBytes(zipFile.toPath())) - .post(url("PathTraversal/zip-slip")) + .post(webGoatUrlConfig.url("PathTraversal/zip-slip")) .then() .log() .all() diff --git a/src/it/java/org/owasp/webgoat/integration/ProgressRaceConditionIntegrationTest.java b/src/it/java/org/owasp/webgoat/integration/ProgressRaceConditionIntegrationTest.java index 285f08e2d..c779f31f6 100644 --- a/src/it/java/org/owasp/webgoat/integration/ProgressRaceConditionIntegrationTest.java +++ b/src/it/java/org/owasp/webgoat/integration/ProgressRaceConditionIntegrationTest.java 
@@ -28,12 +28,12 @@ public class ProgressRaceConditionIntegrationTest extends IntegrationTest {
 Callable call = () -> {
 // System.out.println("thread "+Thread.currentThread().getName());
- return RestAssured.given()
+ return RestAssured.given()
 .when()
 .relaxedHTTPSValidation()
 .cookie("JSESSIONID", getWebGoatCookie())
 .formParams(Map.of("flag", "test"))
- .post(url("challenge/flag/1"));
+ .post(webGoatUrlConfig.url("challenge/flag/1"));
 };
 ExecutorService executorService = Executors.newFixedThreadPool(NUMBER_OF_PARALLEL_THREADS);
 List> flagCalls =
diff --git a/src/it/java/org/owasp/webgoat/integration/SSRFIntegrationTest.java b/src/it/java/org/owasp/webgoat/integration/SSRFIntegrationTest.java
index 16efd0cfa..2851a5dfd 100644
--- a/src/it/java/org/owasp/webgoat/integration/SSRFIntegrationTest.java
+++ b/src/it/java/org/owasp/webgoat/integration/SSRFIntegrationTest.java
@@ -18,11 +18,11 @@ public class SSRFIntegrationTest extends IntegrationTest {
 params.clear();
 params.put("url", "images/jerry.png");
- checkAssignment(url("SSRF/task1"), params, true);
+ checkAssignment(webGoatUrlConfig.url("SSRF/task1"), params, true);
 params.clear();
 params.put("url", "http://ifconfig.pro");
- checkAssignment(url("SSRF/task2"), params, true);
+ checkAssignment(webGoatUrlConfig.url("SSRF/task2"), params, true);
 checkResults("SSRF");
 }
diff --git a/src/it/java/org/owasp/webgoat/integration/SessionManagementIntegrationTest.java b/src/it/java/org/owasp/webgoat/integration/SessionManagementIntegrationTest.java
index 0722dedb9..dad80872e 100644
--- a/src/it/java/org/owasp/webgoat/integration/SessionManagementIntegrationTest.java
+++ b/src/it/java/org/owasp/webgoat/integration/SessionManagementIntegrationTest.java
@@ -18,8 +18,8 @@ class SessionManagementIT extends IntegrationTest {
 void hijackSessionTest() {
 startLesson("HijackSession");
- checkAssignment(
- url(HIJACK_LOGIN_CONTEXT_PATH),
+ checkAssignment(
+ webGoatUrlConfig.url(HIJACK_LOGIN_CONTEXT_PATH),
 Map.of("username", "webgoat", "password", "webgoat"),
 false);
 }
diff --git a/src/it/java/org/owasp/webgoat/integration/SqlInjectionAdvancedIntegrationTest.java b/src/it/java/org/owasp/webgoat/integration/SqlInjectionAdvancedIntegrationTest.java
index 2bfb03406..820a9f6fa 100644
--- a/src/it/java/org/owasp/webgoat/integration/SqlInjectionAdvancedIntegrationTest.java
+++ b/src/it/java/org/owasp/webgoat/integration/SqlInjectionAdvancedIntegrationTest.java
@@ -20,27 +20,27 @@ public class SqlInjectionAdvancedIntegrationTest extends IntegrationTest { params.put("password_reg", "password"); params.put("email_reg", "someone@microsoft.com"); params.put("confirm_password", "password"); - checkAssignmentWithPUT(url("SqlInjectionAdvanced/challenge"), params, true); + checkAssignmentWithPUT(webGoatUrlConfig.url("SqlInjectionAdvanced/challenge"), params, true); params.clear(); params.put("username_login", "tom"); params.put("password_login", "thisisasecretfortomonly"); - checkAssignment(url("SqlInjectionAdvanced/challenge_Login"), params, true); + checkAssignment(webGoatUrlConfig.url("SqlInjectionAdvanced/challenge_Login"), params, true); params.clear(); params.put("userid_6a", "'; SELECT * FROM user_system_data;--"); - checkAssignment(url("SqlInjectionAdvanced/attack6a"), params, true); + checkAssignment(webGoatUrlConfig.url("SqlInjectionAdvanced/attack6a"), params, true); params.clear(); params.put( "userid_6a", "Smith' union select userid,user_name, user_name,user_name,password,cookie,userid from" + " user_system_data --"); - checkAssignment(url("SqlInjectionAdvanced/attack6a"), params, true); + checkAssignment(webGoatUrlConfig.url("SqlInjectionAdvanced/attack6a"), params, true); params.clear(); params.put("userid_6b", "passW0rD"); - checkAssignment(url("SqlInjectionAdvanced/attack6b"), params, true); + checkAssignment(webGoatUrlConfig.url("SqlInjectionAdvanced/attack6b"), params, true); params.clear(); params.put( @@ -58,7 +58,7 @@ public class SqlInjectionAdvancedIntegrationTest extends IntegrationTest { params.put( "question_4_solution", "Solution 4: The database registers 'Robert' ); DROP TABLE Students;--'."); - checkAssignment(url("SqlInjectionAdvanced/quiz"), params, true); + checkAssignment(webGoatUrlConfig.url("SqlInjectionAdvanced/quiz"), params, true); checkResults("SqlInjectionAdvanced"); } 
diff --git a/src/it/java/org/owasp/webgoat/integration/SqlInjectionLessonIntegrationTest.java b/src/it/java/org/owasp/webgoat/integration/SqlInjectionLessonIntegrationTest.java
index 7bea7afa8..b84fddefc 100644
--- a/src/it/java/org/owasp/webgoat/integration/SqlInjectionLessonIntegrationTest.java
+++ b/src/it/java/org/owasp/webgoat/integration/SqlInjectionLessonIntegrationTest.java
@@ -38,44 +38,44 @@ public class SqlInjectionLessonIntegrationTest extends IntegrationTest { Map params = new HashMap<>(); params.clear(); params.put("query", sql_2); - checkAssignment(url("SqlInjection/attack2"), params, true); + checkAssignment(webGoatUrlConfig.url("SqlInjection/attack2"), params, true); params.clear(); params.put("query", sql_3); - checkAssignment(url("SqlInjection/attack3"), params, true); + checkAssignment(webGoatUrlConfig.url("SqlInjection/attack3"), params, true); params.clear(); params.put("query", sql_4_add); - checkAssignment(url("SqlInjection/attack4"), params, true); + checkAssignment(webGoatUrlConfig.url("SqlInjection/attack4"), params, true); params.clear(); params.put("query", sql_5); - checkAssignment(url("SqlInjection/attack5"), params, true); + checkAssignment(webGoatUrlConfig.url("SqlInjection/attack5"), params, true); params.clear(); params.put("operator", sql_9_operator); params.put("account", sql_9_account); params.put("injection", sql_9_injection); - checkAssignment(url("SqlInjection/assignment5a"), params, true); + checkAssignment(webGoatUrlConfig.url("SqlInjection/assignment5a"), params, true); params.clear(); params.put("login_count", sql_10_login_count); params.put("userid", sql_10_userid); - checkAssignment(url("SqlInjection/assignment5b"), params, true); + checkAssignment(webGoatUrlConfig.url("SqlInjection/assignment5b"), params, true); params.clear(); params.put("name", sql_11_a); params.put("auth_tan", sql_11_b); - checkAssignment(url("SqlInjection/attack8"), params, true); + checkAssignment(webGoatUrlConfig.url("SqlInjection/attack8"), params, true); params.clear(); params.put("name", sql_12_a); params.put("auth_tan", sql_12_b); - checkAssignment(url("SqlInjection/attack9"), params, true); + checkAssignment(webGoatUrlConfig.url("SqlInjection/attack9"), params, true); params.clear(); params.put("action_string", sql_13); - checkAssignment(url("SqlInjection/attack10"), params, true); + 
checkAssignment(webGoatUrlConfig.url("SqlInjection/attack10"), params, true); checkResults("SqlInjection"); } diff --git a/src/it/java/org/owasp/webgoat/integration/SqlInjectionMitigationIntegrationTest.java b/src/it/java/org/owasp/webgoat/integration/SqlInjectionMitigationIntegrationTest.java index 8151194e0..f9c8a0ec5 100644 --- a/src/it/java/org/owasp/webgoat/integration/SqlInjectionMitigationIntegrationTest.java +++ b/src/it/java/org/owasp/webgoat/integration/SqlInjectionMitigationIntegrationTest.java @@ -27,7 +27,7 @@ public class SqlInjectionMitigationIntegrationTest extends IntegrationTest { params.put("field5", "?"); params.put("field6", "prep.setString(1,\"\")"); params.put("field7", "prep.setString(2,\\\"\\\")"); - checkAssignment(url("SqlInjectionMitigations/attack10a"), params, true); + checkAssignment(webGoatUrlConfig.url("SqlInjectionMitigations/attack10a"), params, true); params.put( "editor", 
@@ -41,37 +41,36 @@ public class SqlInjectionMitigationIntegrationTest extends IntegrationTest { + "} catch (Exception e) {\r\n" + " System.out.println(\"Oops. Something went wrong!\");\r\n" + "}"); - checkAssignment(url("SqlInjectionMitigations/attack10b"), params, true); + checkAssignment(webGoatUrlConfig.url("SqlInjectionMitigations/attack10b"), params, true); params.clear(); params.put( "userid_sql_only_input_validation", "Smith';SELECT/**/*/**/from/**/user_system_data;--"); - checkAssignment(url("SqlOnlyInputValidation/attack"), params, true); + checkAssignment(webGoatUrlConfig.url("SqlOnlyInputValidation/attack"), params, true); params.clear(); params.put( "userid_sql_only_input_validation_on_keywords", "Smith';SESELECTLECT/**/*/**/FRFROMOM/**/user_system_data;--"); - checkAssignment(url("SqlOnlyInputValidationOnKeywords/attack"), params, true); + checkAssignment(webGoatUrlConfig.url("SqlOnlyInputValidationOnKeywords/attack"), params, true); - RestAssured.given() + RestAssured.given() .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) .contentType(ContentType.JSON) .get( - url( - "SqlInjectionMitigations/servers?column=(case when (true) then hostname" - + " else id end)")) + webGoatUrlConfig.url("SqlInjectionMitigations/servers?column=(case when (true) then hostname" + + " else id end)")) .then() .statusCode(200); - RestAssured.given() + RestAssured.given() .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) .contentType(ContentType.JSON) - .get(url("SqlInjectionMitigations/servers?column=unknown")) + .get(webGoatUrlConfig.url("SqlInjectionMitigations/servers?column=unknown")) .then() .statusCode(500) .body( 
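Review bot: The new `.get(webGoatUrlConfig.url("SqlInjectionMitigations/servers?column=(case when (true) then hostname" + " else id end)"))` keeps the old mid-string split but, with the longer call prefix, likely exceeds the column limit the rest of this commit was reflowed to (the neighbouring `RestAssured.given()` lines were re-indented by the formatter, this one was not). Hoisting the query into a local, `var column = "(case when (true) then hostname else id end)";` and `.get(webGoatUrlConfig.url("SqlInjectionMitigations/servers?column=" + column))`, removes the concatenation inside the literal and keeps the line short. The enclosing method continues past the hunk.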
@@ -82,7 +81,7 @@ public class SqlInjectionMitigationIntegrationTest extends IntegrationTest { params.clear(); params.put("ip", "104.130.219.202"); - checkAssignment(url("SqlInjectionMitigations/attack12a"), params, true); + checkAssignment(webGoatUrlConfig.url("SqlInjectionMitigations/attack12a"), params, true); checkResults("SqlInjectionMitigations"); } diff --git a/src/it/java/org/owasp/webgoat/integration/WebWolfIntegrationTest.java b/src/it/java/org/owasp/webgoat/integration/WebWolfIntegrationTest.java index 93f67f774..ba801493c 100644 --- a/src/it/java/org/owasp/webgoat/integration/WebWolfIntegrationTest.java +++ b/src/it/java/org/owasp/webgoat/integration/WebWolfIntegrationTest.java @@ -20,14 +20,14 @@ public class WebWolfIntegrationTest extends IntegrationTest { // Assignment 3 Map params = new HashMap<>(); params.put("email", this.getUser() + "@webgoat.org"); - checkAssignment(url("WebWolf/mail/send"), params, false); + checkAssignment(webGoatUrlConfig.url("WebWolf/mail/send"), params, false); String responseBody = RestAssured.given() .when() .relaxedHTTPSValidation() .cookie("WEBWOLFSESSION", getWebWolfCookie()) - .get(new WebWolfUrlBuilder().path("mail").build()) + .get(webWolfUrlConfig.url("mail")) .then() .extract() .response() @@ -41,15 +41,15 @@ public class WebWolfIntegrationTest extends IntegrationTest { uniqueCode.lastIndexOf("your unique code is: ") + (21 + this.getUser().length())); params.clear(); params.put("uniqueCode", uniqueCode); - checkAssignment(url("WebWolf/mail"), params, true); + checkAssignment(webGoatUrlConfig.url("WebWolf/mail"), params, true); // Assignment 4 - RestAssured.given() + RestAssured.given() .when() .relaxedHTTPSValidation() .cookie("JSESSIONID", getWebGoatCookie()) .queryParams(params) - .get(url("WebWolf/landing/password-reset")) + .get(webGoatUrlConfig.url("WebWolf/landing/password-reset")) .then() .statusCode(200); RestAssured.given() 
@@ -57,7 +57,7 @@ public class WebWolfIntegrationTest extends IntegrationTest { .relaxedHTTPSValidation() .cookie("WEBWOLFSESSION", getWebWolfCookie()) .queryParams(params) - .get(new WebWolfUrlBuilder().path("landing").build()) + .get(webWolfUrlConfig.url("landing")) .then() .statusCode(200); responseBody = @@ -65,7 +65,7 @@ public class WebWolfIntegrationTest extends IntegrationTest { .when() .relaxedHTTPSValidation() .cookie("WEBWOLFSESSION", getWebWolfCookie()) - .get(new WebWolfUrlBuilder().path("requests").build()) + .get(webWolfUrlConfig.url("requests")) .then() .extract() .response() @@ -74,7 +74,7 @@ public class WebWolfIntegrationTest extends IntegrationTest { assertTrue(responseBody.contains(uniqueCode)); params.clear(); params.put("uniqueCode", uniqueCode); - checkAssignment(url("WebWolf/landing"), params, true); + checkAssignment(webGoatUrlConfig.url("WebWolf/landing"), params, true); checkResults("WebWolfIntroduction"); } diff --git a/src/it/java/org/owasp/webgoat/integration/XSSIntegrationTest.java b/src/it/java/org/owasp/webgoat/integration/XSSIntegrationTest.java index fa06bb8f9..ed1cc12bf 100644 --- a/src/it/java/org/owasp/webgoat/integration/XSSIntegrationTest.java +++ b/src/it/java/org/owasp/webgoat/integration/XSSIntegrationTest.java @@ -18,7 +18,7 @@ public class XSSIntegrationTest extends IntegrationTest { Map params = new HashMap<>(); params.clear(); params.put("checkboxAttack1", "value"); - checkAssignment(url("CrossSiteScripting/attack1"), params, true); + checkAssignment(webGoatUrlConfig.url("CrossSiteScripting/attack1"), params, true); params.clear(); params.put("QTY1", "1"); 
@@ -27,17 +27,17 @@ public class XSSIntegrationTest extends IntegrationTest { params.put("QTY4", "1"); params.put("field1", ""); params.put("field2", "111"); - checkAssignmentWithGet(url("CrossSiteScripting/attack5a"), params, true); + checkAssignmentWithGet(webGoatUrlConfig.url("CrossSiteScripting/attack5a"), params, true); params.clear(); params.put("DOMTestRoute", "start.mvc#test"); - checkAssignment(url("CrossSiteScripting/attack6a"), params, true); + checkAssignment(webGoatUrlConfig.url("CrossSiteScripting/attack6a"), params, true); params.clear(); params.put("param1", "42"); params.put("param2", "24"); - String result = + String result = RestAssured.given() .when() .relaxedHTTPSValidation() @@ -45,7 +45,7 @@ public class XSSIntegrationTest extends IntegrationTest { .header("webgoat-requested-by", "dom-xss-vuln") .header("X-Requested-With", "XMLHttpRequest") .formParams(params) - .post(url("CrossSiteScripting/phone-home-xss")) + .post(webGoatUrlConfig.url("CrossSiteScripting/phone-home-xss")) .then() .statusCode(200) .extract() @@ -54,7 +54,7 @@ public class XSSIntegrationTest extends IntegrationTest { params.clear(); params.put("successMessage", secretNumber); - checkAssignment(url("CrossSiteScripting/dom-follow-up"), params, true); + checkAssignment(webGoatUrlConfig.url("CrossSiteScripting/dom-follow-up"), params, true); params.clear(); params.put( @@ -77,7 +77,7 @@ public class XSSIntegrationTest extends IntegrationTest { "question_4_solution", "Solution 4: No there are many other ways. Like HTML, Flash or any other type of code that" + " the browser executes."); - checkAssignment(url("CrossSiteScripting/quiz"), params, true); + checkAssignment(webGoatUrlConfig.url("CrossSiteScripting/quiz"), params, true); params.clear(); params.put( 
@@ -103,7 +103,7 @@ public class XSSIntegrationTest extends IntegrationTest { + "" + "" + ""); - checkAssignment(url("CrossSiteScripting/attack3"), params, true); + checkAssignment(webGoatUrlConfig.url("CrossSiteScripting/attack3"), params, true); params.clear(); params.put( @@ -113,7 +113,7 @@ public class XSSIntegrationTest extends IntegrationTest { + "s.scan(newComment,\"\");" + "CleanResults();" + "MyCommentDAO.addComment(threadID, userID).getCleanHTML());"); - checkAssignment(url("CrossSiteScripting/attack4"), params, true); + checkAssignment(webGoatUrlConfig.url("CrossSiteScripting/attack4"), params, true); checkResults("CrossSiteScripting"); } diff --git a/src/it/java/org/owasp/webgoat/integration/XXEIntegrationTest.java b/src/it/java/org/owasp/webgoat/integration/XXEIntegrationTest.java index b998359bf..33fd2ff6b 100644 --- a/src/it/java/org/owasp/webgoat/integration/XXEIntegrationTest.java +++ b/src/it/java/org/owasp/webgoat/integration/XXEIntegrationTest.java @@ -61,7 +61,7 @@ public class XXEIntegrationTest extends IntegrationTest { */ private String getSecret() { String secretFile = webGoatHomeDirectory.concat("/XXE/" + getUser() + "/secret.txt"); - String webWolfCallback = new WebWolfUrlBuilder().path("landing").attackMode().build(); + String webWolfCallback = webWolfUrlConfig.url("landing"); String dtd7String = dtd7.replace("WEBWOLFURL", webWolfCallback).replace("SECRET", secretFile); // upload DTD @@ -70,7 +70,7 @@ public class XXEIntegrationTest extends IntegrationTest { .relaxedHTTPSValidation() .cookie("WEBWOLFSESSION", getWebWolfCookie()) .multiPart("file", "blind.dtd", dtd7String.getBytes()) - .post(new WebWolfUrlBuilder().path("fileupload").build()) + .post(webWolfUrlConfig.url("fileupload")) .then() .extract() .response() 
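Review bot: In getSecret(), `String webWolfCallback = webWolfUrlConfig.url("landing");` drops the `.attackMode()` the old builder applied, and the same happens to the `files` URL in the @@ -79 hunk; both values are substituted into the DTD/XML that the WebGoat server resolves, so they must be reachable from the server process, not just from the test client. If attack mode previously selected a server-side host that differs from the client-facing one, the blind XXE callback would now point at the wrong address; with the testcontainers dependency removed in this commit that may no longer matter, but it is worth confirming that `webWolfUrlConfig` yields an address the WebGoat process can reach, and adding a one-line comment at the assignment stating why the client-facing URL is also valid as the server-side callback. getSecret() continues past the hunk.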
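Review bot: `.multiPart("file", "blind.dtd", dtd7String.getBytes())` in the @@ -70 hunk encodes the DTD with the platform default charset, so the uploaded bytes depend on the JVM's `file.encoding` on JDK versions before 18; use `dtd7String.getBytes(StandardCharsets.UTF_8)` so the fixture is identical on every machine. The RestAssured chain begins before and ends after the hunk.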
@@ -79,9 +79,9 @@ public class XXEIntegrationTest extends IntegrationTest { // upload attack String xxe7String = - xxe7.replace("WEBWOLFURL", new WebWolfUrlBuilder().attackMode().path("files").build()) + xxe7.replace("WEBWOLFURL", webWolfUrlConfig.url("files")) .replace("USERNAME", this.getUser()); - checkAssignment(url("xxe/blind"), ContentType.XML, xxe7String, false); + checkAssignment(webGoatUrlConfig.url("xxe/blind"), ContentType.XML, xxe7String, false); // read results from WebWolf String result = @@ -89,7 +89,7 @@ public class XXEIntegrationTest extends IntegrationTest { .when() .relaxedHTTPSValidation() .cookie("WEBWOLFSESSION", getWebWolfCookie()) - .get(new WebWolfUrlBuilder().path("requests").build()) + .get(webWolfUrlConfig.url("requests")) .then() .extract() .response() @@ -109,10 +109,10 @@ public class XXEIntegrationTest extends IntegrationTest { public void runTests() throws IOException { startLesson("XXE", true); webGoatHomeDirectory = webGoatServerDirectory(); - checkAssignment(url("xxe/simple"), ContentType.XML, xxe3, true); - checkAssignment(url("xxe/content-type"), ContentType.XML, xxe4, true); - checkAssignment( - url("xxe/blind"), + checkAssignment(webGoatUrlConfig.url("xxe/simple"), ContentType.XML, xxe3, true); + checkAssignment(webGoatUrlConfig.url("xxe/content-type"), ContentType.XML, xxe4, true); + checkAssignment( + webGoatUrlConfig.url("xxe/blind"), ContentType.XML, "" + getSecret() + "", true); diff --git a/src/main/java/org/owasp/webgoat/lessons/missingac/DisplayUser.java b/src/main/java/org/owasp/webgoat/lessons/missingac/DisplayUser.java index 765d87abd..1d4822591 100644 --- a/src/main/java/org/owasp/webgoat/lessons/missingac/DisplayUser.java +++ b/src/main/java/org/owasp/webgoat/lessons/missingac/DisplayUser.java 
@@ -13,8 +13,8 @@ import lombok.Getter; public class DisplayUser { // intended to provide a display version of WebGoatUser for admins to view user attributes - private String username; - private boolean admin; + private final String username; + private final boolean admin; private String userHash; public DisplayUser(User user, String passwordSalt) { diff --git a/src/test/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignmentTest.java b/src/test/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignmentTest.java index 89a8a5d87..28986b0a4 100644 --- a/src/test/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignmentTest.java +++ b/src/test/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignmentTest.java @@ -31,7 +31,8 @@ class HijackSessionAssignmentTest extends LessonTest { private static final String COOKIE_NAME = "hijack_cookie"; private static final String LOGIN_CONTEXT_PATH = "/HijackSession/login"; - @MockBean Authentication authenticationMock; + @MockBean + Authentication authenticationMock; @MockBean HijackSessionAuthenticationProvider providerMock;
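Review bot: `private String userHash;` is the one field the @@ -13 hunk of DisplayUser leaves non-final while `username` and `admin` become `final`; if the constructor `DisplayUser(User user, String passwordSalt)` (its body is outside the hunk) assigns it exactly once, `private final String userHash;` keeps the class consistently immutable. If it is deliberately assigned later, a short comment on the field saying so would stop the next reader from "fixing" it.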