Adjust lesson template (#704)
* Remove method `getId()` from all lessons as it defaults to the class name * remove clean up endpoint * remove unused class `RequestParameter` * remove unused class `PluginLoadingFailure` * Move `CourseConfiguration` to lesson package * Add more content around the lesson template lesson and make it visible as a lesson in WebGoat * Remove explicit invocation `trackProgress()` inside WebGoat framework so assignments only need to return an `AttackResult` * Put original solution back as well for SQL string injection * review comments * Add
parent
f40b6ffd31
commit
5dd6b31905
61
.travis.yml
61
.travis.yml
@ -1,47 +1,52 @@
|
||||
services:
|
||||
- docker
|
||||
- docker
|
||||
language: java
|
||||
jdk:
|
||||
- openjdk11
|
||||
install: "/bin/true"
|
||||
script:
|
||||
- export BRANCH=$(if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then echo $TRAVIS_BRANCH; else echo $TRAVIS_PULL_REQUEST_BRANCH; fi)
|
||||
- export BRANCH=$(if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then echo $TRAVIS_BRANCH;
|
||||
else echo $TRAVIS_PULL_REQUEST_BRANCH; fi)
|
||||
- echo "TRAVIS_BRANCH=$TRAVIS_BRANCH, PR=$PR, BRANCH=$BRANCH"
|
||||
- if [ ! -z "${TRAVIS_TAG}" ]; then mvn versions:set -DnewVersion=${TRAVIS_TAG:1}; fi
|
||||
- if [ ! -z "${TRAVIS_TAG}" ]; then mvn versions:set -DnewVersion=${TRAVIS_TAG:1};
|
||||
fi
|
||||
- mvn clean install -q
|
||||
cache:
|
||||
directories:
|
||||
- "$HOME/.m2"
|
||||
before_deploy:
|
||||
- export WEBGOAT_SERVER_TARGET_DIR=$HOME/build/$TRAVIS_REPO_SLUG/webgoat-server/target
|
||||
- export WEBWOLF_TARGET_DIR=$HOME/build/$TRAVIS_REPO_SLUG/webwolf/target
|
||||
- export WEBGOAT_ARTIFACTS_FOLDER=$HOME/build/$TRAVIS_REPO_SLUG/Deployable_Artifacts/
|
||||
- mkdir -p $WEBGOAT_ARTIFACTS_FOLDER
|
||||
- cp -fa $WEBGOAT_SERVER_TARGET_DIR/*.jar $WEBGOAT_ARTIFACTS_FOLDER/
|
||||
- cp -fa $WEBWOLF_TARGET_DIR/*.jar $WEBGOAT_ARTIFACTS_FOLDER/
|
||||
- echo "Contents of artifacts folder:"
|
||||
- ls $WEBGOAT_ARTIFACTS_FOLDER
|
||||
- export WEBGOAT_SERVER_TARGET_DIR=$HOME/build/$TRAVIS_REPO_SLUG/webgoat-server/target
|
||||
- export WEBWOLF_TARGET_DIR=$HOME/build/$TRAVIS_REPO_SLUG/webwolf/target
|
||||
- export WEBGOAT_ARTIFACTS_FOLDER=$HOME/build/$TRAVIS_REPO_SLUG/Deployable_Artifacts/
|
||||
- mkdir -p $WEBGOAT_ARTIFACTS_FOLDER
|
||||
- cp -fa $WEBGOAT_SERVER_TARGET_DIR/*.jar $WEBGOAT_ARTIFACTS_FOLDER/
|
||||
- cp -fa $WEBWOLF_TARGET_DIR/*.jar $WEBGOAT_ARTIFACTS_FOLDER/
|
||||
- echo "Contents of artifacts folder:"
|
||||
- ls $WEBGOAT_ARTIFACTS_FOLDER
|
||||
deploy:
|
||||
- provider: script
|
||||
skip_cleanup: true
|
||||
script: bash scripts/deploy-webgoat.sh
|
||||
on:
|
||||
repo: WebGoat/WebGoat
|
||||
tags: true
|
||||
- provider: releases
|
||||
skip_cleanup: true
|
||||
overwrite: true
|
||||
api_key:
|
||||
#api-key from webgoat-github user
|
||||
secure: pJOLBnl6427PcVg/tVy/qB18JC7b8cKpffau+IP0pjdSt7KUfBdBY3QuJ7mrM65zRoVILzggLckaew2PlRmYQRdumyWlyRn44XiJ9KO4n6Bsufbz+ictB4ggtozpp9+I9IIUh1TmqypL9lhkX2ONM9dSHmyblYpAAgMuYSK8FYc=
|
||||
file_glob: true
|
||||
file: $WEBGOAT_ARTIFACTS_FOLDER/*
|
||||
on:
|
||||
repo: WebGoat/WebGoat
|
||||
tags: true
|
||||
- provider: script
|
||||
skip_cleanup: true
|
||||
script: bash scripts/deploy-webgoat.sh
|
||||
on:
|
||||
repo: WebGoat/WebGoat
|
||||
tags: true
|
||||
- provider: releases
|
||||
skip_cleanup: true
|
||||
overwrite: true
|
||||
api_key:
|
||||
secure: pJOLBnl6427PcVg/tVy/qB18JC7b8cKpffau+IP0pjdSt7KUfBdBY3QuJ7mrM65zRoVILzggLckaew2PlRmYQRdumyWlyRn44XiJ9KO4n6Bsufbz+ictB4ggtozpp9+I9IIUh1TmqypL9lhkX2ONM9dSHmyblYpAAgMuYSK8FYc=
|
||||
file_glob: true
|
||||
file: "$WEBGOAT_ARTIFACTS_FOLDER/*"
|
||||
on:
|
||||
repo: WebGoat/WebGoat
|
||||
tags: true
|
||||
env:
|
||||
global:
|
||||
#Docker login
|
||||
- secure: XgPc0UKRTUI70I4YWNQpThPPWeQIxkmzh1GNoR/SSDC2GPIBq3EfkkbSQewqil8stTy+S1/xSzc0JXG8NTn7UOxHVHA/2nhI6jX9E+DKtXQ89YwmaDNQjkbMjziAtDCIex+5TRykxNfkxj6VPYbDssrzI7iJXOIZVj/HoyO3O5E=
|
||||
#Docker password
|
||||
- secure: aly5TKBUK9sIiqtMbytNNPZHQhC0a7Yond5tEtuJ8fO+j/KZB4Uro3I6BhzYjGWFb5Kndd0j2TXHPFvtOl402J1CmFsY3v0BhilQd0g6zOssp5T0A73m8Jgq4ItV8wQJJy2bQsXqL1B+uFYieYPiMchj7JxWW0vBn7TV5b68l6U=
|
||||
notifications:
|
||||
slack:
|
||||
rooms:
|
||||
secure: cDG2URRy7SEipMLyhodwjRBtsPBmfngFB4FyNaIhhr+2/SGyKvGhfW75YA9V+eC7J40KllxQhiIvrxngKDRABb3L1O72Sdj8mZSi8TVsUNLOdamJXHKGUwNSPWXv/1s2m+uC20cgxl66o31vxdV33uvxLdvGOd5e5qOKTsKP7UE=
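Review bot: The comment recording which account owns the encrypted release token appears to be lost on the new side of the `deploy` block: the first copy carries `#api-key from webgoat-github user` above `api_key:`, while the second copy (wrapped and quoted like the other new lines, so presumably the new side) has no comment there. That line is the only record of which credential to rotate or revoke if the token is ever exposed, so it should be kept, e.g. `# api-key from webgoat-github user` directly above `api_key:`. The `#Docker login` and `#Docker password` comments in `env.global` survive, which suggests this was an accidental casualty of the reformatting rather than a decision.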
|
||||
|
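--- a/COPYRIGHT.txt
+++ b/COPYRIGHT.txt
@@ -0,0 +1,19 @@
+This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+
+Copyright (c) 2002 - $today.year Bruce Mayhew
+
+This program is free software; you can redistribute it and/or modify it under the terms of the
+GNU General Public License as published by the Free Software Foundation; either version 2 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with this program; if
+not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+02111-1307, USA.
+
+Getting Source ==============
+
+Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.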
@ -1,27 +0,0 @@
|
||||
package org.owasp.webgoat;
|
||||
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.springframework.beans.factory.annotation.Value;
|
||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.util.FileSystemUtils;
|
||||
|
||||
import javax.annotation.PostConstruct;
|
||||
import java.io.File;
|
||||
|
||||
/**
|
||||
* @author nbaars
|
||||
* @since 4/15/17.
|
||||
*/
|
||||
@Slf4j
|
||||
@Configuration
|
||||
@ConditionalOnExpression("'${webgoat.clean}' == 'true'")
|
||||
public class CleanupLocalProgressFiles {
|
||||
|
||||
@Value("${webgoat.server.directory}")
|
||||
private String webgoatHome;
|
||||
|
||||
@PostConstruct
|
||||
public void clean() {
|
||||
}
|
||||
}
|
@ -29,7 +29,6 @@ import lombok.Getter;
|
||||
import org.owasp.webgoat.i18n.PluginMessages;
|
||||
import org.owasp.webgoat.session.UserSessionData;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
import org.owasp.webgoat.users.UserTracker;
|
||||
import org.owasp.webgoat.users.UserTrackerRepository;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
|
||||
@ -45,20 +44,6 @@ public abstract class AssignmentEndpoint {
|
||||
@Autowired
|
||||
private PluginMessages messages;
|
||||
|
||||
protected AttackResult trackProgress(AttackResult attackResult) {
|
||||
UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
|
||||
if (userTracker == null) {
|
||||
userTracker = new UserTracker(webSession.getUserName());
|
||||
}
|
||||
if (attackResult.assignmentSolved()) {
|
||||
userTracker.assignmentSolved(webSession.getCurrentLesson(), this.getClass().getSimpleName());
|
||||
} else {
|
||||
userTracker.assignmentFailed(webSession.getCurrentLesson());
|
||||
}
|
||||
userTrackerRepository.save(userTracker);
|
||||
return attackResult;
|
||||
}
|
||||
|
||||
protected WebSession getWebSession() {
|
||||
return webSession;
|
||||
}
|
||||
@ -76,9 +61,10 @@ public abstract class AssignmentEndpoint {
|
||||
* Of course you can overwrite these values in a specific lesson
|
||||
*
|
||||
* @return a builder for creating a result from a lesson
|
||||
* @param assignment
|
||||
*/
|
||||
protected AttackResult.AttackResultBuilder success() {
|
||||
return AttackResult.builder(messages).lessonCompleted(true).feedback("assignment.solved");
|
||||
protected AttackResult.AttackResultBuilder success(AssignmentEndpoint assignment) {
|
||||
return AttackResult.builder(messages).lessonCompleted(true).feedback("assignment.solved").assignment(assignment);
|
||||
}
|
||||
|
||||
/**
|
||||
@ -90,12 +76,13 @@ public abstract class AssignmentEndpoint {
|
||||
* Of course you can overwrite these values in a specific lesson
|
||||
*
|
||||
* @return a builder for creating a result from a lesson
|
||||
* @param assignment
|
||||
*/
|
||||
protected AttackResult.AttackResultBuilder failed() {
|
||||
return AttackResult.builder(messages).lessonCompleted(false).feedback("assignment.not.solved");
|
||||
protected AttackResult.AttackResultBuilder failed(AssignmentEndpoint assignment) {
|
||||
return AttackResult.builder(messages).lessonCompleted(false).feedback("assignment.not.solved").assignment(assignment);
|
||||
}
|
||||
|
||||
protected AttackResult.AttackResultBuilder informationMessage() {
|
||||
return AttackResult.builder(messages).lessonCompleted(false);
|
||||
protected AttackResult.AttackResultBuilder informationMessage(AssignmentEndpoint assignment) {
|
||||
return AttackResult.builder(messages).lessonCompleted(false).assignment(assignment);
|
||||
}
|
||||
}
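Review bot: `success`, `failed` and `informationMessage` are instance methods of `AssignmentEndpoint`, so the new `AssignmentEndpoint assignment` parameter is `this` at every call site in this commit, and it allows a lesson to credit a different endpoint by passing the wrong object; the builders can record it themselves and the parameterless signatures can stay, e.g. `protected AttackResult.AttackResultBuilder success() { return AttackResult.builder(messages).lessonCompleted(true).feedback("assignment.solved").assignment(this); }`. If the parameter is kept, the added `@param assignment` tag should carry a description and precede `@return`, e.g. `@param assignment the endpoint being answered; its simple class name is recorded as the solved assignment`. The first hunk drops the `UserTracker` import but `UserTrackerRepository` is still imported although `trackProgress` was its only visible consumer, so the field and import may now be dead; `webSession` is still used by `getWebSession()`.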
|
||||
|
@ -29,8 +29,11 @@ import lombok.Getter;
|
||||
import org.apache.commons.lang3.StringEscapeUtils;
|
||||
import org.owasp.webgoat.i18n.PluginMessages;
|
||||
|
||||
import java.util.Objects;
|
||||
|
||||
public class AttackResult {
|
||||
|
||||
|
||||
public static class AttackResultBuilder {
|
||||
|
||||
private boolean lessonCompleted;
|
||||
@ -39,6 +42,7 @@ public class AttackResult {
|
||||
private String feedbackResourceBundleKey;
|
||||
private String output;
|
||||
private Object[] outputArgs;
|
||||
private AssignmentEndpoint assignment;
|
||||
|
||||
public AttackResultBuilder(PluginMessages messages) {
|
||||
this.messages = messages;
|
||||
@ -77,7 +81,12 @@ public class AttackResult {
|
||||
}
|
||||
|
||||
public AttackResult build() {
|
||||
return new AttackResult(lessonCompleted, messages.getMessage(feedbackResourceBundleKey, feedbackArgs), messages.getMessage(output, output, outputArgs));
|
||||
return new AttackResult(lessonCompleted, messages.getMessage(feedbackResourceBundleKey, feedbackArgs), messages.getMessage(output, output, outputArgs), assignment.getClass().getSimpleName());
|
||||
}
|
||||
|
||||
public AttackResultBuilder assignment(AssignmentEndpoint assignment) {
|
||||
this.assignment = assignment;
|
||||
return this;
|
||||
}
|
||||
}
|
||||
|
||||
@ -87,11 +96,14 @@ public class AttackResult {
|
||||
private String feedback;
|
||||
@Getter
|
||||
private String output;
|
||||
@Getter
|
||||
private final String assignment;
|
||||
|
||||
public AttackResult(boolean lessonCompleted, String feedback, String output) {
|
||||
public AttackResult(boolean lessonCompleted, String feedback, String output, String assignment) {
|
||||
this.lessonCompleted = lessonCompleted;
|
||||
this.feedback = StringEscapeUtils.escapeJson(feedback);
|
||||
this.output = StringEscapeUtils.escapeJson(output);
|
||||
this.assignment = assignment;
|
||||
}
|
||||
|
||||
public static AttackResultBuilder builder(PluginMessages messages) {
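Review bot: `build()` now dereferences `assignment` unconditionally, so any builder obtained through `AttackResult.builder(messages)` without a preceding `.assignment(...)` call throws a bare `NullPointerException` at `assignment.getClass().getSimpleName()` rather than an error naming the missing field. The hunk appears to add `import java.util.Objects;` yet never uses it, which suggests the guard was intended: `Objects.requireNonNull(assignment, "assignment must be set before build()");` as the first line of `build()`. A fail-fast check is preferable to a null fallback here because `getAssignment()` is the value `LessonTrackerInterceptor` hands to `UserTracker.assignmentSolved`, so a silently missing name would corrupt progress records rather than surface a bug.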
|
||||
|
@ -0,0 +1,74 @@
|
||||
/*
|
||||
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
|
||||
*
|
||||
* Copyright (c) 2002 - 2019 Bruce Mayhew
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it under the terms of the
|
||||
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
|
||||
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
* General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along with this program; if
|
||||
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
|
||||
* 02111-1307, USA.
|
||||
*
|
||||
* Getting Source ==============
|
||||
*
|
||||
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
|
||||
*/
|
||||
|
||||
package org.owasp.webgoat.assignments;
|
||||
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
import org.owasp.webgoat.users.UserTracker;
|
||||
import org.owasp.webgoat.users.UserTrackerRepository;
|
||||
import org.springframework.core.MethodParameter;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.http.converter.HttpMessageConverter;
|
||||
import org.springframework.http.server.ServerHttpRequest;
|
||||
import org.springframework.http.server.ServerHttpResponse;
|
||||
import org.springframework.web.bind.annotation.RestControllerAdvice;
|
||||
import org.springframework.web.servlet.mvc.method.annotation.ResponseBodyAdvice;
|
||||
|
||||
@RestControllerAdvice
|
||||
public class LessonTrackerInterceptor implements ResponseBodyAdvice<Object> {
|
||||
|
||||
private UserTrackerRepository userTrackerRepository;
|
||||
private WebSession webSession;
|
||||
|
||||
public LessonTrackerInterceptor(UserTrackerRepository userTrackerRepository, WebSession webSession) {
|
||||
this.userTrackerRepository = userTrackerRepository;
|
||||
this.webSession = webSession;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean supports(MethodParameter methodParameter, Class<? extends HttpMessageConverter<?>> clazz) {
|
||||
return true;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Object beforeBodyWrite(Object o, MethodParameter methodParameter, MediaType mediaType, Class<? extends HttpMessageConverter<?>> aClass, ServerHttpRequest serverHttpRequest, ServerHttpResponse serverHttpResponse) {
|
||||
if (o != null && o instanceof AttackResult) {
|
||||
trackProgress((AttackResult) o);
|
||||
}
|
||||
return o;
|
||||
}
|
||||
|
||||
|
||||
protected AttackResult trackProgress(AttackResult attackResult) {
|
||||
UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
|
||||
if (userTracker == null) {
|
||||
userTracker = new UserTracker(webSession.getUserName());
|
||||
}
|
||||
if (attackResult.assignmentSolved()) {
|
||||
userTracker.assignmentSolved(webSession.getCurrentLesson(), attackResult.getAssignment());
|
||||
} else {
|
||||
userTracker.assignmentFailed(webSession.getCurrentLesson());
|
||||
}
|
||||
userTrackerRepository.saveAndFlush(userTracker);
|
||||
return attackResult;
|
||||
}
|
||||
}
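Review bot: `supports()` returns `true` for every controller method, so this advice runs on every response body in the application and the `instanceof` test in `beforeBodyWrite` is the only filter; narrowing it to `return AttackResult.class.isAssignableFrom(methodParameter.getParameterType());` keeps the interceptor off unrelated endpoints (if some assignment returns `ResponseEntity<AttackResult>`, inspect the generic parameter type instead). The `o != null &&` in `beforeBodyWrite` is redundant, since `instanceof` is already false for `null`. Progress is still attributed to `webSession.getCurrentLesson()`, i.e. session state, rather than to the lesson that owns `attackResult.getAssignment()`, so a request arriving while the session points at another lesson records the assignment under that lesson; this predates the commit, but the advice is now the single tracking path, and a class Javadoc should state it, e.g. `Records the outcome of every AttackResult response against the session's current lesson.`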
|
@ -20,7 +20,7 @@
|
||||
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
|
||||
*/
|
||||
|
||||
package org.owasp.webgoat.plugins;
|
||||
package org.owasp.webgoat.lessons;
|
||||
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.apache.commons.lang3.ArrayUtils;
|
@ -119,5 +119,7 @@ public abstract class Lesson {
|
||||
return getTitle();
|
||||
}
|
||||
|
||||
public abstract String getId();
|
||||
public final String getId() {
|
||||
return this.getClass().getSimpleName();
|
||||
}
|
||||
}
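Review bot: `getId()` now returns `getClass().getSimpleName()`, which is the empty string for an anonymous subclass and is not unique across packages, while the id appears to be the key under which lesson progress is stored; a lesson created as `new Lesson() { ... }`, as the test module seems to do, would therefore be tracked under `""`. The contract should be documented on the method, e.g. `/** Lesson id used as the progress-tracking key; derived from the concrete class name, so lessons must be named classes with unique simple names. */`, and it could fail fast with `if (name.isEmpty()) throw new IllegalStateException("Lesson must not be an anonymous class");`. The enclosing `Lesson` class begins outside this hunk.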
|
||||
|
@ -1,78 +0,0 @@
|
||||
/**
|
||||
* *************************************************************************************************
|
||||
*
|
||||
*
|
||||
* This file is part of WebGoat, an Open Web Application Security Project
|
||||
* utility. For details, please see http://www.owasp.org/
|
||||
*
|
||||
* Copyright (c) 2002 - 20014 Bruce Mayhew
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it under
|
||||
* the terms of the GNU General Public License as published by the Free Software
|
||||
* Foundation; either version 2 of the License, or (at your option) any later
|
||||
* version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but WITHOUT
|
||||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
||||
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
||||
* details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along with
|
||||
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
|
||||
* Place - Suite 330, Boston, MA 02111-1307, USA.
|
||||
*
|
||||
* Getting Source ==============
|
||||
*
|
||||
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
|
||||
* for free software projects.
|
||||
*
|
||||
*/
|
||||
|
||||
package org.owasp.webgoat.lessons;
|
||||
|
||||
/**
|
||||
* <p>RequestParameter class.</p>
|
||||
*
|
||||
* @author rlawson
|
||||
* @version $Id: $Id
|
||||
*/
|
||||
public class RequestParameter implements Comparable<RequestParameter> {
|
||||
|
||||
private final String name;
|
||||
private final String value;
|
||||
|
||||
/**
|
||||
* <p>Constructor for RequestParameter.</p>
|
||||
*
|
||||
* @param name a {@link java.lang.String} object.
|
||||
* @param value a {@link java.lang.String} object.
|
||||
*/
|
||||
public RequestParameter(String name, String value) {
|
||||
this.name = name;
|
||||
this.value = value;
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>Getter for the field <code>name</code>.</p>
|
||||
*
|
||||
* @return the name
|
||||
*/
|
||||
public String getName() {
|
||||
return name;
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>Getter for the field <code>value</code>.</p>
|
||||
*
|
||||
* @return the values
|
||||
*/
|
||||
public String getValue() {
|
||||
return value;
|
||||
}
|
||||
|
||||
@Override
|
||||
public int compareTo(RequestParameter o) {
|
||||
return this.name.compareTo(o.getName());
|
||||
}
|
||||
|
||||
}
|
@ -1,29 +0,0 @@
|
||||
package org.owasp.webgoat.plugins;
|
||||
|
||||
/**
|
||||
* <p>PluginLoadingFailure class.</p>
|
||||
*
|
||||
* @version $Id: $Id
|
||||
* @author dm
|
||||
*/
|
||||
public class PluginLoadingFailure extends RuntimeException {
|
||||
|
||||
/**
|
||||
* <p>Constructor for PluginLoadingFailure.</p>
|
||||
*
|
||||
* @param message a {@link java.lang.String} object.
|
||||
*/
|
||||
public PluginLoadingFailure(String message) {
|
||||
super(message);
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>Constructor for PluginLoadingFailure.</p>
|
||||
*
|
||||
* @param message a {@link java.lang.String} object.
|
||||
* @param e a {@link java.lang.Exception} object.
|
||||
*/
|
||||
public PluginLoadingFailure(String message, Exception e) {
|
||||
super(message, e);
|
||||
}
|
||||
}
|
@ -29,7 +29,6 @@ logging.level.org.owasp=DEBUG
|
||||
logging.level.org.owasp.webgoat=DEBUG
|
||||
|
||||
webgoat.start.hsqldb=true
|
||||
webgoat.clean=false
|
||||
webgoat.server.directory=${user.home}/.webgoat-${webgoat.build.version}/
|
||||
webgoat.user.directory=${user.home}/.webgoat-${webgoat.build.version}/
|
||||
webgoat.build.version=@project.version@
|
||||
|
@ -3,6 +3,7 @@ package org.owasp.webgoat.service;
|
||||
import org.hamcrest.CoreMatchers;
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
import org.owasp.webgoat.assignments.LessonTrackerInterceptor;
|
||||
import org.owasp.webgoat.session.Course;
|
||||
import org.owasp.webgoat.users.UserService;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
@ -56,6 +57,8 @@ public class LabelServiceTest {
|
||||
private Course course;
|
||||
@MockBean
|
||||
private UserService userService;
|
||||
@MockBean
|
||||
private LessonTrackerInterceptor interceptor;
|
||||
|
||||
@Test
|
||||
@WithMockUser(username = "guest", password = "guest")
|
||||
|
@ -31,11 +31,6 @@ public class UserTrackerRepositoryTest {
|
||||
return "test";
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getId() {
|
||||
return "test";
|
||||
}
|
||||
|
||||
@Override
|
||||
public List<Assignment> getAssignments() {
|
||||
Assignment assignment = new Assignment("test", "test", Lists.newArrayList());
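Review bot: Removing the `getId()` override means this test lesson's id is now whatever `Class.getSimpleName()` yields for the enclosing class, and if that class is an anonymous `new Lesson() { ... }` (the `@Override` methods with no visible class header suggest it is) the id becomes the empty string, so the repository test would store and look up progress under `""` instead of `"test"` without failing. Declaring it as a named nested class, `static class TestLesson extends Lesson { ... }`, gives a stable non-empty id. The enclosing class declaration starts before this hunk, so its form should be confirmed.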
|
||||
|
@ -38,10 +38,4 @@ public class AuthBypass extends Lesson {
|
||||
public String getTitle() {
|
||||
return "auth-bypass.title";
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getId() {
|
||||
return "AuthBypass";
|
||||
}
|
||||
|
||||
}
|
||||
|
@ -24,7 +24,6 @@ package org.owasp.webgoat.auth_bypass;
|
||||
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.UserSessionData;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
@ -61,22 +60,22 @@ public class VerifyAccount extends AssignmentEndpoint {
|
||||
AccountVerificationHelper verificationHelper = new AccountVerificationHelper();
|
||||
Map<String, String> submittedAnswers = parseSecQuestions(req);
|
||||
if (verificationHelper.didUserLikelylCheat((HashMap) submittedAnswers)) {
|
||||
return trackProgress(failed()
|
||||
return failed(this)
|
||||
.feedback("verify-account.cheated")
|
||||
.output("Yes, you guessed correctly, but see the feedback message")
|
||||
.build());
|
||||
.build();
|
||||
}
|
||||
|
||||
// else
|
||||
if (verificationHelper.verifyAccount(Integer.valueOf(userId), (HashMap) submittedAnswers)) {
|
||||
userSessionData.setValue("account-verified-id", userId);
|
||||
return trackProgress(success()
|
||||
return success(this)
|
||||
.feedback("verify-account.success")
|
||||
.build());
|
||||
.build();
|
||||
} else {
|
||||
return trackProgress(failed()
|
||||
return failed(this)
|
||||
.feedback("verify-account.failed")
|
||||
.build());
|
||||
.build();
|
||||
}
|
||||
|
||||
}
|
||||
|
@ -37,9 +37,4 @@ public class BypassRestrictions extends Lesson {
|
||||
public String getTitle() {
|
||||
return "bypass-restrictions.title";
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getId() {
|
||||
return "BypassRestrictions";
|
||||
}
|
||||
}
|
||||
|
@ -36,17 +36,17 @@ public class BypassRestrictionsFieldRestrictions extends AssignmentEndpoint {
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String select, @RequestParam String radio, @RequestParam String checkbox, @RequestParam String shortInput) {
|
||||
if (select.equals("option1") || select.equals("option2")) {
|
||||
return trackProgress(failed().build());
|
||||
return failed(this).build();
|
||||
}
|
||||
if (radio.equals("option1") || radio.equals("option2")) {
|
||||
return trackProgress(failed().build());
|
||||
return failed(this).build();
|
||||
}
|
||||
if (checkbox.equals("on") || checkbox.equals("off")) {
|
||||
return trackProgress(failed().build());
|
||||
return failed(this).build();
|
||||
}
|
||||
if (shortInput.length() <= 5) {
|
||||
return trackProgress(failed().build());
|
||||
return failed(this).build();
|
||||
}
|
||||
return trackProgress(success().build());
|
||||
return success(this).build();
|
||||
}
|
||||
}
|
||||
|
@ -23,13 +23,9 @@
|
||||
package org.owasp.webgoat.bypass_restrictions;
|
||||
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import java.io.IOException;
|
||||
|
||||
@RestController
|
||||
public class BypassRestrictionsFrontendValidation extends AssignmentEndpoint {
|
||||
|
||||
@ -44,29 +40,29 @@ public class BypassRestrictionsFrontendValidation extends AssignmentEndpoint {
|
||||
final String regex6 = "^\\d{5}(-\\d{4})?$";
|
||||
final String regex7 = "^[2-9]\\d{2}-?\\d{3}-?\\d{4}$";
|
||||
if (error > 0) {
|
||||
return trackProgress(failed().build());
|
||||
return failed(this).build();
|
||||
}
|
||||
if (field1.matches(regex1)) {
|
||||
return trackProgress(failed().build());
|
||||
return failed(this).build();
|
||||
}
|
||||
if (field2.matches(regex2)) {
|
||||
return trackProgress(failed().build());
|
||||
return failed(this).build();
|
||||
}
|
||||
if (field3.matches(regex3)) {
|
||||
return trackProgress(failed().build());
|
||||
return failed(this).build();
|
||||
}
|
||||
if (field4.matches(regex4)) {
|
||||
return trackProgress(failed().build());
|
||||
return failed(this).build();
|
||||
}
|
||||
if (field5.matches(regex5)) {
|
||||
return trackProgress(failed().build());
|
||||
return failed(this).build();
|
||||
}
|
||||
if (field6.matches(regex6)) {
|
||||
return trackProgress(failed().build());
|
||||
return failed(this).build();
|
||||
}
|
||||
if (field7.matches(regex7)) {
|
||||
return trackProgress(failed().build());
|
||||
return failed(this).build();
|
||||
}
|
||||
return trackProgress(success().build());
|
||||
return success(this).build();
|
||||
}
|
||||
}
|
||||
|
@ -18,9 +18,4 @@ public class ChallengeIntro extends Lesson {
|
||||
public String getTitle() {
|
||||
return "challenge0.title";
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getId() {
|
||||
return "Challenge";
|
||||
}
|
||||
}
|
||||
|
@ -48,11 +48,11 @@ public class Assignment1 extends AssignmentEndpoint {
|
||||
boolean ipAddressKnown = true;
|
||||
boolean passwordCorrect = "admin".equals(username) && PASSWORD.equals(password);
|
||||
if (passwordCorrect && ipAddressKnown) {
|
||||
return success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(1)).build();
|
||||
return success(this).feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(1)).build();
|
||||
} else if (passwordCorrect) {
|
||||
return failed().feedback("ip.address.unknown").build();
|
||||
return failed(this).feedback("ip.address.unknown").build();
|
||||
}
|
||||
return failed().build();
|
||||
return failed(this).build();
|
||||
}
|
||||
|
||||
public static boolean containsHeader(HttpServletRequest request) {
|
||||
|
@ -20,9 +20,4 @@ public class Challenge1 extends Lesson {
|
||||
public String getTitle() {
|
||||
return "challenge1.title";
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getId() {
|
||||
return "Challenge1";
|
||||
}
|
||||
}
|
||||
|
@ -50,19 +50,19 @@ public class Assignment5 extends AssignmentEndpoint {
|
||||
@ResponseBody
|
||||
public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {
|
||||
if (!StringUtils.hasText(username_login) || !StringUtils.hasText(password_login)) {
|
||||
return failed().feedback("required4").build();
|
||||
return failed(this).feedback("required4").build();
|
||||
}
|
||||
if (!"Larry".equals(username_login)) {
|
||||
return failed().feedback("user.not.larry").feedbackArgs(username_login).build();
|
||||
return failed(this).feedback("user.not.larry").feedbackArgs(username_login).build();
|
||||
}
|
||||
try (var connection = dataSource.getConnection()) {
|
||||
PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'");
|
||||
ResultSet resultSet = statement.executeQuery();
|
||||
|
||||
if (resultSet.next()) {
|
||||
return success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(5)).build();
|
||||
return success(this).feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(5)).build();
|
||||
} else {
|
||||
return failed().feedback("challenge.close").build();
|
||||
return failed(this).feedback("challenge.close").build();
|
||||
}
|
||||
}
|
||||
}
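Review bot: The concatenated query at `connection.prepareStatement("select password from challenge_users where userid = '" + username_login + ...` is, according to the commit description, the intentionally reinstated SQL injection for this challenge, but nothing in the file says so, and the next contributor or a SAST rule will "fix" it with bind parameters and silently break the challenge. A comment directly above it should mark the intent, e.g. `// Intentionally vulnerable: this challenge is solved by injecting into the concatenated query; do not parameterize.`. Separately, `statement` and `resultSet` are not declared in the try-with-resources header, so they are closed only when the connection closes; `try (var connection = dataSource.getConnection(); var statement = connection.prepareStatement(...); var resultSet = statement.executeQuery())` closes each deterministically. The `@PostMapping` for `login` is outside this hunk.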
|
||||
|
@ -42,9 +42,4 @@ public class Challenge5 extends Lesson {
|
||||
public String getTitle() {
|
||||
return "challenge5.title";
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getId() {
|
||||
return "Challenge5";
|
||||
}
|
||||
}
|
||||
|
@ -1,6 +1,5 @@
|
||||
package org.owasp.webgoat.challenges.challenge7;
|
||||
|
||||
import lombok.SneakyThrows;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
@ -71,7 +70,7 @@ public class Assignment7 extends AssignmentEndpoint {
|
||||
restTemplate.postForEntity(webWolfMailURL, mail, Object.class);
|
||||
}
|
||||
}
|
||||
return success().feedback("email.send").feedbackArgs(email).build();
|
||||
return success(this).feedback("email.send").feedbackArgs(email).build();
|
||||
}
|
||||
|
||||
@GetMapping(value = "/challenge/7/.git", produces = MediaType.APPLICATION_OCTET_STREAM_VALUE)
|
||||
|
@ -20,9 +20,4 @@ public class Challenge7 extends Lesson {
|
||||
public String getTitle() {
|
||||
return "challenge7.title";
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getId() {
|
||||
return "Challenge7";
|
||||
}
|
||||
}
|
||||
|
@ -20,9 +20,4 @@ public class Challenge8 extends Lesson {
|
||||
public String getTitle() {
|
||||
return "challenge8.title";
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getId() {
|
||||
return "Challenge8";
|
||||
}
|
||||
}
|
||||
|
@ -35,16 +35,11 @@ public class ChromeDevTools extends Lesson {
|
||||
|
||||
@Override
|
||||
public Category getDefaultCategory() {
|
||||
return Category.GENERAL;
|
||||
return Category.GENERAL;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getTitle() {
|
||||
return "3.chrome-dev-tools.title";//3rd lesson in General
|
||||
return "3.chrome-dev-tools.title";//3rd lesson in General
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getId() {
|
||||
return "ChromeDevTools";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -23,13 +23,10 @@
|
||||
package org.owasp.webgoat.chrome_dev_tools;
|
||||
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.UserSessionData;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import java.io.IOException;
|
||||
|
||||
/**
|
||||
* This is just a class used to make the the HTTP request.
|
||||
*
|
||||
@ -46,9 +43,9 @@ public class NetworkDummy extends AssignmentEndpoint {
|
||||
String answer = (String) userSessionData.getValue("randValue");
|
||||
|
||||
if (successMessage != null && successMessage.equals(answer)) {
|
||||
return trackProgress(success().feedback("xss-dom-message-success").build());
|
||||
return success(this).feedback("xss-dom-message-success").build();
|
||||
} else {
|
||||
return trackProgress(failed().feedback("xss-dom-message-failure").build());
|
||||
return failed(this).feedback("xss-dom-message-failure").build();
|
||||
}
|
||||
}
|
||||
}
|
@ -24,13 +24,10 @@ package org.owasp.webgoat.chrome_dev_tools;
|
||||
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.http.ResponseEntity;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import java.io.IOException;
|
||||
|
||||
/**
|
||||
* Assignment where the user has to look through an HTTP Request
|
||||
* using the Developer Tools and find a specific number.
|
||||
@ -46,9 +43,9 @@ public class NetworkLesson extends AssignmentEndpoint {
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String network_num, @RequestParam String number) {
|
||||
if (network_num.equals(number)) {
|
||||
return trackProgress(success().feedback("network.success").output("").build());
|
||||
return success(this).feedback("network.success").output("").build();
|
||||
} else {
|
||||
return trackProgress(failed().feedback("network.failed").build());
|
||||
return failed(this).feedback("network.failed").build();
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -20,9 +20,4 @@ public class CIA extends Lesson {
|
||||
public String getTitle() {
|
||||
return "4.cia.title";//4th lesson in general
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getId() {
|
||||
return "CIA";
|
||||
}
|
||||
}
|
@ -29,9 +29,9 @@ public class CIAQuiz extends AssignmentEndpoint {
|
||||
}
|
||||
|
||||
if (correctAnswers == solutions.length) {
|
||||
return trackProgress(success().build());
|
||||
return success(this).build();
|
||||
} else {
|
||||
return trackProgress(failed().build());
|
||||
return failed(this).build();
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -45,9 +45,4 @@ public class ClientSideFiltering extends Lesson {
|
||||
public String getTitle() {
|
||||
return "client.side.filtering.title";
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getId() {
|
||||
return "ClientSideFiltering";
|
||||
}
|
||||
}
|
||||
|
@ -24,12 +24,9 @@ package org.owasp.webgoat.client_side_filtering;
|
||||
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import java.io.IOException;
|
||||
|
||||
@RestController
|
||||
@AssignmentHints({"ClientSideFilteringHint1", "ClientSideFilteringHint2", "ClientSideFilteringHint3", "ClientSideFilteringHint4"})
|
||||
public class ClientSideFilteringAssignment extends AssignmentEndpoint {
|
||||
@ -37,8 +34,8 @@ public class ClientSideFilteringAssignment extends AssignmentEndpoint {
|
||||
@PostMapping("/clientSideFiltering/attack1")
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String answer) {
|
||||
return trackProgress("450000".equals(answer)
|
||||
? success().feedback("assignment.solved").build() :
|
||||
failed().feedback("ClientSideFiltering.incorrect").build());
|
||||
return "450000".equals(answer)
|
||||
? success(this).feedback("assignment.solved").build() :
|
||||
failed(this).feedback("ClientSideFiltering.incorrect").build();
|
||||
}
|
||||
}
|
||||
|
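Review bot: The expected answer in `completed` is the bare literal `"450000"`, whereas the sibling `ClientSideFilteringFreeAssignment` keeps its answer in a named constant (`SUPER_COUPON_CODE`). For consistency, hoist it to `private static final String EXPECTED_SALARY = "450000";` with a comment on what the value represents (presumably the salary hidden in the filtered table—confirm against the lesson text) and compare `EXPECTED_SALARY.equals(answer)`. The ternary-with-line-break layout is harder to scan than the plain `if`/`return` used by the other endpoints in this commit.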
@ -24,12 +24,9 @@ package org.owasp.webgoat.client_side_filtering;
|
||||
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import java.io.IOException;
|
||||
|
||||
/**
|
||||
* @author nbaars
|
||||
* @since 4/6/17.
|
||||
@ -44,8 +41,8 @@ public class ClientSideFilteringFreeAssignment extends AssignmentEndpoint {
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String checkoutCode) {
|
||||
if (SUPER_COUPON_CODE.equals(checkoutCode)) {
|
||||
return trackProgress(success().build());
|
||||
return success(this).build();
|
||||
}
|
||||
return trackProgress(failed().build());
|
||||
return failed(this).build();
|
||||
}
|
||||
}
|
||||
|
@ -37,9 +37,4 @@ public class CrossSiteScripting extends Lesson {
|
||||
public String getTitle() {
|
||||
return "xss.title";
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getId() {
|
||||
return "CrossSiteScripting";
|
||||
}
|
||||
}
|
||||
|
@ -38,9 +38,9 @@ public class CrossSiteScriptingLesson1 extends AssignmentEndpoint {
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String answer_xss_1) {
|
||||
if (answer_xss_1.toString().toLowerCase().equals("yes")) {
|
||||
return trackProgress(success().build());
|
||||
return success(this).build();
|
||||
} else {
|
||||
return trackProgress(failed().feedback("xss.lesson1.failure").build());
|
||||
return failed(this).feedback("xss.lesson1.failure").build();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
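Review bot: `answer_xss_1.toString().toLowerCase().equals("yes")` in `completed` calls `toString()` on a `String` and uses the locale-sensitive no-arg `toLowerCase()`; the same check is `"yes".equalsIgnoreCase(answer_xss_1)`, which drops the redundant call and the default-locale dependency. The mapping annotation above `@ResponseBody` is outside the hunk.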
@ -44,7 +44,7 @@ public class CrossSiteScriptingLesson3 extends AssignmentEndpoint {
|
||||
public AttackResult completed(@RequestParam String editor) {
|
||||
String unescapedString = org.jsoup.parser.Parser.unescapeEntities(editor, true);
|
||||
try {
|
||||
if (editor.isEmpty()) return trackProgress(failed().feedback("xss-mitigation-3-no-code").build());
|
||||
if (editor.isEmpty()) return failed(this).feedback("xss-mitigation-3-no-code").build();
|
||||
Document doc = Jsoup.parse(unescapedString);
|
||||
String[] lines = unescapedString.split("<html>");
|
||||
|
||||
@ -68,12 +68,12 @@ public class CrossSiteScriptingLesson3 extends AssignmentEndpoint {
|
||||
|
||||
if (includeCorrect && firstNameCorrect && lastNameCorrect) {
|
||||
System.out.println("true");
|
||||
return trackProgress(success().feedback("xss-mitigation-3-success").build());
|
||||
return success(this).feedback("xss-mitigation-3-success").build();
|
||||
} else {
|
||||
return trackProgress(failed().feedback("xss-mitigation-3-failure").build());
|
||||
return failed(this).feedback("xss-mitigation-3-failure").build();
|
||||
}
|
||||
} catch (Exception e) {
|
||||
return trackProgress(failed().output(e.getMessage()).build());
|
||||
return failed(this).output(e.getMessage()).build();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
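Review bot: `System.out.println("true")` on the success path of `completed` is a leftover debug print; the sibling `CrossSiteScriptingLesson4` uses `log.debug(...)` for the same purpose, so either delete the line or route it through the class logger. The catch-all at the end returns `e.getMessage()` to the client via `.output(...)`; a jsoup parse message is harmless, but a generic `Exception` handler can also surface framework messages, so logging server-side and returning a fixed key such as `failed(this).feedback("xss-mitigation-3-failure").build()` is the safer shape even in a training app. `completed` starts in the first hunk of this file and ends in the second; the lines between are not shown.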
@ -52,10 +52,10 @@ public class CrossSiteScriptingLesson4 extends AssignmentEndpoint {
|
||||
editor.contains("MyCommentDAO.addComment(threadID, userID") &&
|
||||
editor.contains(".getCleanHTML());")) {
|
||||
log.debug("true");
|
||||
return trackProgress(success().feedback("xss-mitigation-4-success").build());
|
||||
return success(this).feedback("xss-mitigation-4-success").build();
|
||||
} else {
|
||||
log.debug("false");
|
||||
return trackProgress(failed().feedback("xss-mitigation-4-failed").build());
|
||||
return failed(this).feedback("xss-mitigation-4-failed").build();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -46,7 +46,7 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
|
||||
@RequestParam String field2) {
|
||||
|
||||
if (field2.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) {
|
||||
return trackProgress(failed().feedback("xss-reflected-5a-failed-wrong-field").build());
|
||||
return failed(this).feedback("xss-reflected-5a-failed-wrong-field").build();
|
||||
}
|
||||
|
||||
double totalSale = QTY1.intValue() * 69.99 + QTY2.intValue() * 27.99 + QTY3.intValue() * 1599.99 + QTY4.intValue() * 299.99;
|
||||
@ -64,19 +64,19 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
|
||||
}
|
||||
|
||||
if (field1.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) {
|
||||
//return trackProgress()
|
||||
//return )
|
||||
userSessionData.setValue("xss-reflected-5a-complete", "true");
|
||||
if (field1.toLowerCase().contains("console.log")) {
|
||||
return trackProgress(success().feedback("xss-reflected-5a-success-console").output(cart.toString()).build());
|
||||
return success(this).feedback("xss-reflected-5a-success-console").output(cart.toString()).build();
|
||||
} else {
|
||||
return trackProgress(success().feedback("xss-reflected-5a-success-alert").output(cart.toString()).build());
|
||||
return success(this).feedback("xss-reflected-5a-success-alert").output(cart.toString()).build();
|
||||
}
|
||||
} else {
|
||||
userSessionData.setValue("xss-reflected1-complete", "false");
|
||||
return trackProgress(success()
|
||||
return success(this)
|
||||
.feedback("xss-reflected-5a-failure")
|
||||
.output(cart.toString())
|
||||
.build());
|
||||
.build();
|
||||
}
|
||||
}
|
||||
}
|
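Review bot: The mechanical `trackProgress` removal turned the commented-out `//return trackProgress()` into `//return )`, which is meaningless and should simply be deleted (the same artifact appears in `CrossSiteScriptingLesson6a`). Separately, the success path stores `xss-reflected-5a-complete` while the failure path stores `xss-reflected1-complete`, so a consumer reading the first key presumably still sees `"true"` after a later failed attempt—confirm which key is read and use it in both branches. The failure branch also returns `success(this).feedback("xss-reflected-5a-failure")`, marking the assignment solved while telling the user it failed; if that is deliberate, a comment should say so. `completed` starts outside the hunk.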
@ -42,10 +42,10 @@ public class CrossSiteScriptingLesson6a extends AssignmentEndpoint {
|
||||
public AttackResult completed(@RequestParam String DOMTestRoute) {
|
||||
|
||||
if (DOMTestRoute.matches("start\\.mvc#test(\\/|)")) {
|
||||
//return trackProgress()
|
||||
return trackProgress(success().feedback("xss-reflected-6a-success").build());
|
||||
//return )
|
||||
return success(this).feedback("xss-reflected-6a-success").build();
|
||||
} else {
|
||||
return trackProgress(failed().feedback("xss-reflected-6a-failure").build());
|
||||
return failed(this).feedback("xss-reflected-6a-failure").build();
|
||||
}
|
||||
}
|
||||
|
||||
|
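Review bot: The comment `//return )` in `completed` is an artifact of the `trackProgress` rewrite (it used to read `//return trackProgress()`) and carries no information; delete the line. `DOMTestRoute.matches("start\\.mvc#test(\\/|)")` recompiles the regex on every request; hoisting it into a `private static final Pattern` is the usual shape, though at lesson traffic this is a style point only. The mapping annotation above the method is outside the hunk.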
@ -53,9 +53,9 @@ public class CrossSiteScriptingQuiz extends AssignmentEndpoint {
|
||||
}
|
||||
|
||||
if (correctAnswers == solutions.length) {
|
||||
return trackProgress(success().build());
|
||||
return success(this).build();
|
||||
} else {
|
||||
return trackProgress(failed().build());
|
||||
return failed(this).build();
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -42,9 +42,9 @@ public class DOMCrossSiteScripting extends AssignmentEndpoint {
|
||||
userSessionData.setValue("randValue", String.valueOf(number.nextInt()));
|
||||
|
||||
if (param1 == 42 && param2 == 24 && request.getHeader("webgoat-requested-by").equals("dom-xss-vuln")) {
|
||||
return trackProgress(success().output("phoneHome Response is " + userSessionData.getValue("randValue").toString()).build());
|
||||
return success(this).output("phoneHome Response is " + userSessionData.getValue("randValue").toString()).build();
|
||||
} else {
|
||||
return trackProgress(failed().build());
|
||||
return failed(this).build();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
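Review bot: `request.getHeader("webgoat-requested-by").equals("dom-xss-vuln")` in the condition throws an NPE when the header is absent, which is the normal case for any request that is not the lesson's own phone-home call but does send `param1 == 42 && param2 == 24`; flip it to `"dom-xss-vuln".equals(request.getHeader("webgoat-requested-by"))` so such requests get a regular `failed(this)` response. The method starts outside the hunk, so the type of `number` (whose `nextInt()` seeds `randValue`) is not visible; if it is `java.util.Random`, a comment noting that the value is a lesson token rather than a security secret would help.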
@ -42,9 +42,9 @@ public class DOMCrossSiteScriptingVerifier extends AssignmentEndpoint {
|
||||
String answer = (String) userSessionData.getValue("randValue");
|
||||
|
||||
if (successMessage.equals(answer)) {
|
||||
return trackProgress(success().feedback("xss-dom-message-success").build());
|
||||
return success(this).feedback("xss-dom-message-success").build();
|
||||
} else {
|
||||
return trackProgress(failed().feedback("xss-dom-message-failure").build());
|
||||
return failed(this).feedback("xss-dom-message-failure").build();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -35,9 +35,4 @@ public class CrossSiteScriptingMitigation extends Lesson {
|
||||
public String getTitle() {
|
||||
return "xss-mitigation.title";
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getId() {
|
||||
return "CrossSiteScriptingMitigation";
|
||||
}
|
||||
}
|
||||
|
@ -35,9 +35,4 @@ public class CrossSiteScriptingStored extends Lesson {
|
||||
public String getTitle() {
|
||||
return "xss-stored.title";
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getId() {
|
||||
return "CrossSiteScriptingStored";
|
||||
}
|
||||
}
|
||||
|
@ -43,9 +43,9 @@ public class StoredCrossSiteScriptingVerifier extends AssignmentEndpoint {
|
||||
UserSessionData userSessionData = getUserSessionData();
|
||||
|
||||
if (successMessage.equals(userSessionData.getValue("randValue").toString())) {
|
||||
return trackProgress(success().feedback("xss-stored-callback-success").build());
|
||||
return success(this).feedback("xss-stored-callback-success").build();
|
||||
} else {
|
||||
return trackProgress(failed().feedback("xss-stored-callback-failure").build());
|
||||
return failed(this).feedback("xss-stored-callback-failure").build();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
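Review bot: `userSessionData.getValue("randValue").toString()` in the condition throws an NPE when no `randValue` has been stored in this session yet (the DOM verifier in the same commit casts the value and lets `equals` absorb null instead). Guard it: `Object expected = userSessionData.getValue("randValue");` then `if (expected != null && successMessage.equals(expected.toString()))`. The method signature is above the hunk, so whether `successMessage` itself can be null is not visible here.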
@ -88,9 +88,9 @@ public class StoredXssComments extends AssignmentEndpoint {
|
||||
userComments.put(webSession.getUserName(), comments);
|
||||
|
||||
if (comment.getText().contains(phoneHomeString)) {
|
||||
return (success().feedback("xss-stored-comment-success").build());
|
||||
return (success(this).feedback("xss-stored-comment-success").build());
|
||||
} else {
|
||||
return (failed().feedback("xss-stored-comment-failure").build());
|
||||
return (failed(this).feedback("xss-stored-comment-failure").build());
|
||||
}
|
||||
}
|
||||
|
||||
|
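Review bot: Both returns wrap the builder chain in redundant parentheses, `return (success(this).feedback(...).build());`, which no other endpoint in this commit does; write them as `return success(this).feedback("xss-stored-comment-success").build();` and likewise for the failure branch. The success test is a `contains` check of the stored comment text against `phoneHomeString`, so any comment embedding that string counts as solved; the method starts outside the hunk, so where `phoneHomeString` is defined is not visible.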
@ -52,7 +52,6 @@ public class DOMCrossSiteScriptingTest extends AssignmentEndpointTest {
|
||||
init(domXss);
|
||||
this.mockMvc = standaloneSetup(domXss).build();
|
||||
CrossSiteScripting xss = new CrossSiteScripting();
|
||||
when(webSession.getCurrentLesson()).thenReturn(xss);
|
||||
when(userSessionData.getValue("randValue")).thenReturn(randVal);
|
||||
}
|
||||
|
||||
|
@ -41,10 +41,4 @@ public class CSRF extends Lesson {
|
||||
|
||||
@Override
|
||||
public String getTitle() { return "csrf.title"; }
|
||||
|
||||
@Override
|
||||
public String getId() {
|
||||
return "CSRF";
|
||||
}
|
||||
|
||||
}
|
||||
|
@ -47,11 +47,12 @@ public class CSRFConfirmFlag1 extends AssignmentEndpoint {
|
||||
public AttackResult completed(String confirmFlagVal) {
|
||||
Object userSessionDataStr = userSessionData.getValue("csrf-get-success");
|
||||
if (userSessionDataStr != null && confirmFlagVal.equals(userSessionDataStr.toString())) {
|
||||
return trackProgress(
|
||||
success().feedback("csrf-get-null-referer.success").output("Correct, the flag was " + userSessionData.getValue("csrf-get-success")).build()
|
||||
);
|
||||
return success(this)
|
||||
.feedback("csrf-get-null-referer.success")
|
||||
.output("Correct, the flag was " + userSessionData.getValue("csrf-get-success"))
|
||||
.build();
|
||||
}
|
||||
|
||||
return trackProgress(failed().build());
|
||||
return failed(this).build();
|
||||
}
|
||||
}
|
||||
|
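Review bot: `confirmFlagVal` is a plain `String` parameter of `completed` with no `@RequestParam`, so Spring binds it as an optional request parameter and it is `null` when the client omits it; `confirmFlagVal.equals(userSessionDataStr.toString())` then throws instead of returning `failed(this)`. Reversing the comparison, `userSessionDataStr.toString().equals(confirmFlagVal)`, keeps the existing `userSessionDataStr != null` guard and handles the missing parameter. The flag is a session-stored lesson value rather than a credential, so a constant-time compare is not needed here. The mapping annotation above the method is outside the hunk.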
@ -24,11 +24,9 @@ package org.owasp.webgoat.csrf;
|
||||
|
||||
import com.fasterxml.jackson.databind.DeserializationFeature;
|
||||
import com.fasterxml.jackson.databind.ObjectMapper;
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
import org.apache.commons.lang3.exception.ExceptionUtils;
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.UserSessionData;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
@ -66,25 +64,25 @@ public class CSRFFeedback extends AssignmentEndpoint {
|
||||
objectMapper.enable(DeserializationFeature.FAIL_ON_TRAILING_TOKENS);
|
||||
objectMapper.readValue(feedback.getBytes(), Map.class);
|
||||
} catch (IOException e) {
|
||||
return failed().feedback(ExceptionUtils.getStackTrace(e)).build();
|
||||
return failed(this).feedback(ExceptionUtils.getStackTrace(e)).build();
|
||||
}
|
||||
boolean correctCSRF = requestContainsWebGoatCookie(request.getCookies()) && request.getContentType().contains(MediaType.TEXT_PLAIN_VALUE);
|
||||
correctCSRF &= hostOrRefererDifferentHost(request);
|
||||
if (correctCSRF) {
|
||||
String flag = UUID.randomUUID().toString();
|
||||
userSessionData.setValue("csrf-feedback", flag);
|
||||
return success().feedback("csrf-feedback-success").feedbackArgs(flag).build();
|
||||
return success(this).feedback("csrf-feedback-success").feedbackArgs(flag).build();
|
||||
}
|
||||
return failed().build();
|
||||
return failed(this).build();
|
||||
}
|
||||
|
||||
@PostMapping(path = "/csrf/feedback", produces = "application/json")
|
||||
@ResponseBody
|
||||
public AttackResult flag(@RequestParam("confirmFlagVal") String flag) {
|
||||
if (flag.equals(userSessionData.getValue("csrf-feedback"))) {
|
||||
return trackProgress(success().build());
|
||||
return success(this).build();
|
||||
} else {
|
||||
return trackProgress(failed().build());
|
||||
return failed(this).build();
|
||||
}
|
||||
}
|
||||
|
||||
|
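Review bot: `request.getContentType().contains(MediaType.TEXT_PLAIN_VALUE)` in `completed` throws an NPE when the request carries no `Content-Type` header, which a hand-built CSRF form or a curl call can easily produce. Capture it first, `String contentType = request.getContentType();`, and use `contentType != null && contentType.contains(MediaType.TEXT_PLAIN_VALUE)` in the `correctCSRF` expression. The `IOException` branch returns `ExceptionUtils.getStackTrace(e)` to the client as feedback; if showing the trace is intended for this lesson, a short comment saying so would keep a later reader from treating it as an information leak to fix. `completed` starts outside the hunk.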
@ -51,9 +51,9 @@ public class CSRFLogin extends AssignmentEndpoint {
|
||||
String userName = request.getUserPrincipal().getName();
|
||||
if (userName.startsWith("csrf")) {
|
||||
markAssignmentSolvedWithRealUser(userName.substring("csrf-".length()));
|
||||
return trackProgress(success().feedback("csrf-login-success").build());
|
||||
return success(this).feedback("csrf-login-success").build();
|
||||
}
|
||||
return trackProgress(failed().feedback("csrf-login-failed").feedbackArgs(userName).build());
|
||||
return failed(this).feedback("csrf-login-failed").feedbackArgs(userName).build();
|
||||
}
|
||||
|
||||
private void markAssignmentSolvedWithRealUser(String username) {
|
||||
|
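Review bot: `userName.startsWith("csrf")` followed by `userName.substring("csrf-".length())` is inconsistent: a principal named exactly `csrf` passes the prefix test and then `substring(5)` throws `StringIndexOutOfBoundsException`, and a name such as `csrfoo` is silently credited to user `o`. Use one prefix in both places, e.g. `private static final String CSRF_USER_PREFIX = "csrf-";`, `if (userName.startsWith(CSRF_USER_PREFIX))` and `markAssignmentSolvedWithRealUser(userName.substring(CSRF_USER_PREFIX.length()))`. `request.getUserPrincipal()` is dereferenced without a null check; whether this endpoint can be reached unauthenticated depends on security configuration outside this file. The method starts outside the hunk.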
@ -90,13 +90,13 @@ public class ForgedReviews extends AssignmentEndpoint {
|
||||
userReviews.put(webSession.getUserName(), reviews);
|
||||
//short-circuit
|
||||
if (validateReq == null || !validateReq.equals(weakAntiCSRF)) {
|
||||
return trackProgress(failed().feedback("csrf-you-forgot-something").build());
|
||||
return failed(this).feedback("csrf-you-forgot-something").build();
|
||||
}
|
||||
//we have the spoofed files
|
||||
if (referer != "NULL" && refererArr[2].equals(host)) {
|
||||
return trackProgress(failed().feedback("csrf-same-host").build());
|
||||
return failed(this).feedback("csrf-same-host").build();
|
||||
} else {
|
||||
return trackProgress(success().feedback("csrf-review.success").build()); //feedback("xss-stored-comment-failure")
|
||||
return success(this).feedback("csrf-review.success").build(); //feedback("xss-stored-comment-failure")
|
||||
}
|
||||
}
|
||||
}
|
||||
|
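Review bot: `referer != "NULL"` compares string references rather than contents, so it is true for any value that is not the same interned literal, and `refererArr[2]` is then indexed unconditionally; write the condition as `!"NULL".equals(referer) && refererArr.length > 2 && refererArr[2].equals(host)`. How `referer` and `refererArr` are built is above the hunk, so whether a missing Referer really yields the string `"NULL"` with at least three array elements cannot be confirmed here—if it does, only the `.equals` change is needed. The method starts outside the hunk.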
@ -44,9 +44,4 @@ public class HtmlTampering extends Lesson {
|
||||
public String getTitle() {
|
||||
return "html-tampering.title";
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getId() {
|
||||
return "HtmlTampering";
|
||||
}
|
||||
}
|
||||
|
@ -24,12 +24,9 @@ package org.owasp.webgoat.html_tampering;
|
||||
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import java.io.IOException;
|
||||
|
||||
@RestController
|
||||
@AssignmentHints({"hint1", "hint2", "hint3"})
|
||||
public class HtmlTamperingTask extends AssignmentEndpoint {
|
||||
@ -38,8 +35,8 @@ public class HtmlTamperingTask extends AssignmentEndpoint {
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String QTY, @RequestParam String Total) {
|
||||
if (Float.parseFloat(QTY) * 2999.99 > Float.parseFloat(Total) + 1) {
|
||||
return trackProgress(success().feedback("html-tampering.tamper.success").build());
|
||||
return success(this).feedback("html-tampering.tamper.success").build();
|
||||
}
|
||||
return trackProgress(failed().feedback("html-tampering.tamper.failure").build());
|
||||
return failed(this).feedback("html-tampering.tamper.failure").build();
|
||||
}
|
||||
}
|
||||
|
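Review bot: `Float.parseFloat(QTY)` and `Float.parseFloat(Total)` in `completed` throw `NumberFormatException` on non-numeric input, turning a tampered-but-malformed request into a 500 instead of the lesson's `failed(this)` response; wrap the parse and comparison in a `try` and return `failed(this).feedback("html-tampering.tamper.failure").build()` from `catch (NumberFormatException e)`. Doing the arithmetic in `float` against the `double` literal `2999.99` mixes precisions; `Double.parseDouble` keeps the comparison in one type. The parameter names `QTY` and `Total` are part of the wire interface and should stay as they are; the mapping annotation above `@ResponseBody` is outside the hunk.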
@ -37,9 +37,4 @@ public class HttpBasics extends Lesson {
|
||||
public String getTitle() {
|
||||
return "1.http-basics.title";//first lesson in general
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getId() {
|
||||
return "HttpBasics";
|
||||
}
|
||||
}
|
||||
|
@ -24,12 +24,9 @@ package org.owasp.webgoat.http_basics;
|
||||
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import java.io.IOException;
|
||||
|
||||
@RestController
|
||||
@AssignmentHints({"http-basics.hints.http_basics_lesson.1"})
|
||||
public class HttpBasicsLesson extends AssignmentEndpoint {
|
||||
@ -38,12 +35,12 @@ public class HttpBasicsLesson extends AssignmentEndpoint {
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String person) {
|
||||
if (!person.equals("")) {
|
||||
return trackProgress(success()
|
||||
return success(this)
|
||||
.feedback("http-basics.reversed")
|
||||
.feedbackArgs(new StringBuffer(person).reverse().toString())
|
||||
.build());
|
||||
.build();
|
||||
} else {
|
||||
return trackProgress(failed().feedback("http-basics.empty").build());
|
||||
return failed(this).feedback("http-basics.empty").build();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
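Review bot: `person.equals("")` in `completed` reads better as `person.isEmpty()`, and `new StringBuffer(person).reverse()` uses the synchronized `StringBuffer` for a local that is never shared—`new StringBuilder(person).reverse().toString()` is the idiomatic form. The reversed string is user input echoed back through `feedbackArgs`, so whoever renders the feedback must escape it; that rendering is outside this file. The mapping annotation above `@ResponseBody` is outside the hunk.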
@ -40,15 +40,15 @@ public class HttpBasicsQuiz extends AssignmentEndpoint {
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String answer, @RequestParam String magic_answer, @RequestParam String magic_num, HttpServletRequest request) throws IOException {
|
||||
if ("POST".equals(answer.toUpperCase()) && magic_answer.equals(magic_num)) {
|
||||
return trackProgress(success().build());
|
||||
return success(this).build();
|
||||
} else {
|
||||
if (!"POST".equals(answer.toUpperCase())) {
|
||||
return trackProgress(failed().feedback("http-basics.incorrect").build());
|
||||
return failed(this).feedback("http-basics.incorrect").build();
|
||||
}
|
||||
if (!magic_answer.equals(magic_num)) {
|
||||
return trackProgress(failed().feedback("http-basics.magic").build());
|
||||
return failed(this).feedback("http-basics.magic").build();
|
||||
}
|
||||
}
|
||||
return trackProgress(failed().build());
|
||||
return failed(this).build();
|
||||
}
|
||||
}
|
||||
|
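Review bot: `magic_answer.equals(magic_num)` compares two request parameters, so the quiz passes whenever the client sends equal values for both; if `magic_num` is supposed to be the number the server rendered into the page, the expected value belongs in the session and should be compared there, otherwise a comment should note that the client-side echo is intentional for this introductory lesson. The final `return failed(this).build()` is unreachable in practice, since one of the two inner `if`s always fires in the `else`; a one-line comment would explain why it is there. `request` is unused and nothing in the body throws `IOException`, though dropping either changes the signature. The mapping annotation above the method is outside the hunk.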
@ -23,10 +23,8 @@
|
||||
package org.owasp.webgoat.http_proxies;
|
||||
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.http.HttpMethod;
|
||||
import org.springframework.web.bind.MissingServletRequestParameterException;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
@ -39,12 +37,12 @@ public class HttpBasicsInterceptRequest extends AssignmentEndpoint {
|
||||
public AttackResult completed(@RequestHeader(value = "x-request-intercepted", required = false) Boolean headerValue,
|
||||
@RequestParam(value = "changeMe", required = false) String paramValue, HttpServletRequest request) {
|
||||
if (HttpMethod.POST.matches(request.getMethod())) {
|
||||
return trackProgress(failed().feedback("http-proxies.intercept.failure").build());
|
||||
return failed(this).feedback("http-proxies.intercept.failure").build();
|
||||
}
|
||||
if (headerValue != null && paramValue != null && headerValue && "Requests are tampered easily".equalsIgnoreCase(paramValue)) {
|
||||
return trackProgress(success().feedback("http-proxies.intercept.success").build());
|
||||
return success(this).feedback("http-proxies.intercept.success").build();
|
||||
} else {
|
||||
return trackProgress(failed().feedback("http-proxies.intercept.failure").build());
|
||||
return failed(this).feedback("http-proxies.intercept.failure").build();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
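Review bot: Both failure returns in `completed` carry the same key (`http-proxies.intercept.failure`), so the early `HttpMethod.POST` rejection could fold into the success condition: `if (!HttpMethod.POST.matches(request.getMethod()) && headerValue != null && paramValue != null && headerValue && "Requests are tampered easily".equalsIgnoreCase(paramValue))` with a single `failed(this)` afterwards. If the separate branch is meant to get distinct feedback later, a comment saying so justifies keeping it. The `MissingServletRequestParameterException` import survives the import hunk while both parameters are `required = false`; check whether anything below still uses it. The mapping annotation above the method is outside the hunk.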
@ -44,9 +44,4 @@ public class HttpProxies extends Lesson {
|
||||
public String getTitle() {
|
||||
return "2.http-proxies.title";//second lesson in GENERAL
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getId() {
|
||||
return "HttpProxies";
|
||||
}
|
||||
}
|
||||
|
@ -47,7 +47,6 @@ public class HttpBasicsInterceptRequestTest extends AssignmentEndpointTest {
|
||||
HttpBasicsInterceptRequest httpBasicsInterceptRequest = new HttpBasicsInterceptRequest();
|
||||
init(httpBasicsInterceptRequest);
|
||||
this.mockMvc = standaloneSetup(httpBasicsInterceptRequest).build();
|
||||
when(webSession.getCurrentLesson()).thenReturn(new HttpProxies());
|
||||
}
|
||||
|
||||
@Test
|
||||
|
@ -45,10 +45,4 @@ public class IDOR extends Lesson {
|
||||
public String getTitle() {
|
||||
return "idor.title";
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getId() {
|
||||
return "IDOR";
|
||||
}
|
||||
|
||||
}
|
||||
|
@ -24,13 +24,9 @@ package org.owasp.webgoat.idor;
|
||||
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import java.io.IOException;
|
||||
|
||||
@RestController
|
||||
@AssignmentHints({"idor.hints.idorDiffAttributes1", "idor.hints.idorDiffAttributes2", "idor.hints.idorDiffAttributes3"})
|
||||
public class IDORDiffAttributes extends AssignmentEndpoint {
|
||||
@ -41,13 +37,13 @@ public class IDORDiffAttributes extends AssignmentEndpoint {
|
||||
attributes = attributes.trim();
|
||||
String[] diffAttribs = attributes.split(",");
|
||||
if (diffAttribs.length < 2) {
|
||||
return trackProgress(failed().feedback("idor.diff.attributes.missing").build());
|
||||
return failed(this).feedback("idor.diff.attributes.missing").build();
|
||||
}
|
||||
if (diffAttribs[0].toLowerCase().trim().equals("userid") && diffAttribs[1].toLowerCase().trim().equals("role")
|
||||
|| diffAttribs[1].toLowerCase().trim().equals("userid") && diffAttribs[0].toLowerCase().trim().equals("role")) {
|
||||
return trackProgress(success().feedback("idor.diff.success").build());
|
||||
return success(this).feedback("idor.diff.success").build();
|
||||
} else {
|
||||
return trackProgress(failed().feedback("idor.diff.failure").build());
|
||||
return failed(this).feedback("idor.diff.failure").build();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
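Review bot: The condition normalises each element with `toLowerCase().trim()` four times; normalise once, e.g. `String first = diffAttribs[0].trim().toLowerCase(Locale.ROOT);` and `String second = diffAttribs[1].trim().toLowerCase(Locale.ROOT);`, then test `(first.equals("userid") && second.equals("role")) || (first.equals("role") && second.equals("userid"))`—`Locale.ROOT` also removes the default-locale dependency of the no-arg form (a `java.util.Locale` import is needed). An input with more than two comma-separated items is accepted as long as the first two match; if that is intended, a comment would help. The method starts outside the hunk.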
@ -52,42 +52,42 @@ public class IDOREditOtherProfiile extends AssignmentEndpoint {
|
||||
// we will persist in the session object for now in case we want to refer back or use it later
|
||||
userSessionData.setValue("idor-updated-other-profile", currentUserProfile);
|
||||
if (currentUserProfile.getRole() <= 1 && currentUserProfile.getColor().toLowerCase().equals("red")) {
|
||||
return trackProgress(success()
|
||||
return success(this)
|
||||
.feedback("idor.edit.profile.success1")
|
||||
.output(currentUserProfile.profileToMap().toString())
|
||||
.build());
|
||||
.build();
|
||||
}
|
||||
|
||||
if (currentUserProfile.getRole() > 1 && currentUserProfile.getColor().toLowerCase().equals("red")) {
|
||||
return trackProgress(success()
|
||||
return success(this)
|
||||
.feedback("idor.edit.profile.failure1")
|
||||
.output(currentUserProfile.profileToMap().toString())
|
||||
.build());
|
||||
.build();
|
||||
}
|
||||
|
||||
if (currentUserProfile.getRole() <= 1 && !currentUserProfile.getColor().toLowerCase().equals("red")) {
|
||||
return trackProgress(success()
|
||||
return success(this)
|
||||
.feedback("idor.edit.profile.failure2")
|
||||
.output(currentUserProfile.profileToMap().toString())
|
||||
.build());
|
||||
.build();
|
||||
}
|
||||
|
||||
// else
|
||||
return trackProgress(failed()
|
||||
return failed(this)
|
||||
.feedback("idor.edit.profile.failure3")
|
||||
.output(currentUserProfile.profileToMap().toString())
|
||||
.build());
|
||||
.build();
|
||||
} else if (userSubmittedProfile.getUserId().equals(authUserId)) {
|
||||
return failed().feedback("idor.edit.profile.failure4").build();
|
||||
return failed(this).feedback("idor.edit.profile.failure4").build();
|
||||
}
|
||||
|
||||
if (currentUserProfile.getColor().equals("black") && currentUserProfile.getRole() <= 1) {
|
||||
return trackProgress(success()
|
||||
return success(this)
|
||||
.feedback("idor.edit.profile.success2")
|
||||
.output(userSessionData.getValue("idor-updated-own-profile").toString())
|
||||
.build());
|
||||
.build();
|
||||
} else {
|
||||
return trackProgress(failed().feedback("idor.edit.profile.failure3").build());
|
||||
return failed(this).feedback("idor.edit.profile.failure3").build();
|
||||
}
|
||||
|
||||
}
|
||||
|
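Review bot: Three branches in the first block return `success(this)` while reporting failure keys (`idor.edit.profile.failure1`, `failure2`), so the assignment is marked solved for a request the user is told did not work. If partial credit is intended because the other profile was edited at all, a comment on those returns should say so; otherwise they should be `failed(this)`. `currentUserProfile.getColor().toLowerCase()` is called unguarded in every condition, so a profile without a colour would NPE—whether `getColor()` can return null depends on `UserProfile`, outside this file. The method starts outside the hunk.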
@ -24,7 +24,6 @@ package org.owasp.webgoat.idor;
|
||||
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
|
||||
import org.owasp.webgoat.session.UserSessionData;
|
||||
@ -65,12 +64,12 @@ public class IDORLogin extends AssignmentEndpoint {
|
||||
if ("tom".equals(username) && idorUserInfo.get("tom").get("password").equals(password)) {
|
||||
userSessionData.setValue("idor-authenticated-as", username);
|
||||
userSessionData.setValue("idor-authenticated-user-id", idorUserInfo.get(username).get("id"));
|
||||
return trackProgress(success().feedback("idor.login.success").feedbackArgs(username).build());
|
||||
return success(this).feedback("idor.login.success").feedbackArgs(username).build();
|
||||
} else {
|
||||
return trackProgress(failed().feedback("idor.login.failure").build());
|
||||
return failed(this).feedback("idor.login.failure").build();
|
||||
}
|
||||
} else {
|
||||
return trackProgress(failed().feedback("idor.login.failure").build());
|
||||
return failed(this).feedback("idor.login.failure").build();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -56,14 +56,14 @@ public class IDORViewOtherProfile extends AssignmentEndpoint {
|
||||
UserProfile requestedProfile = new UserProfile(userId);
|
||||
// secure code would ensure there was a horizontal access control check prior to dishing up the requested profile
|
||||
if (requestedProfile.getUserId().equals("2342388")) {
|
||||
return trackProgress(success().feedback("idor.view.profile.success").output(requestedProfile.profileToMap().toString()).build());
|
||||
return success(this).feedback("idor.view.profile.success").output(requestedProfile.profileToMap().toString()).build();
|
||||
} else {
|
||||
return trackProgress(failed().feedback("idor.view.profile.close1").build());
|
||||
return failed(this).feedback("idor.view.profile.close1").build();
|
||||
}
|
||||
} else {
|
||||
return trackProgress(failed().feedback("idor.view.profile.close2").build());
|
||||
return failed(this).feedback("idor.view.profile.close2").build();
|
||||
}
|
||||
}
|
||||
return trackProgress(failed().build());
|
||||
return failed(this).build();
|
||||
}
|
||||
}
|
||||
|
@ -48,16 +48,16 @@ public class IDORViewOwnProfileAltUrl extends AssignmentEndpoint {
|
||||
String[] urlParts = url.split("/");
|
||||
if (urlParts[0].equals("WebGoat") && urlParts[1].equals("IDOR") && urlParts[2].equals("profile") && urlParts[3].equals(authUserId)) {
|
||||
UserProfile userProfile = new UserProfile(authUserId);
|
||||
return trackProgress(success().feedback("idor.view.own.profile.success").output(userProfile.profileToMap().toString()).build());
|
||||
return success(this).feedback("idor.view.own.profile.success").output(userProfile.profileToMap().toString()).build();
|
||||
} else {
|
||||
return trackProgress(failed().feedback("idor.view.own.profile.failure1").build());
|
||||
return failed(this).feedback("idor.view.own.profile.failure1").build();
|
||||
}
|
||||
|
||||
} else {
|
||||
return trackProgress(failed().feedback("idor.view.own.profile.failure2").build());
|
||||
return failed(this).feedback("idor.view.own.profile.failure2").build();
|
||||
}
|
||||
} catch (Exception ex) {
|
||||
return failed().feedback("an error occurred with your request").build();
|
||||
return failed(this).feedback("an error occurred with your request").build();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
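Review bot: `urlParts[3]` is read without checking that `url.split("/")` produced four elements, so a short URL raises `ArrayIndexOutOfBoundsException`, which the trailing `catch (Exception ex)` then masks as the generic error; put `urlParts.length >= 4 &&` at the front of the condition and narrow the catch. That catch also passes the literal sentence `"an error occurred with your request"` to `feedback(...)`, whereas every other call in this commit passes a message key (`idor.view.own.profile.failure1`), so the user presumably sees raw text or a missing-key placeholder; a key such as `idor.view.own.profile.error` would be consistent—confirm how `feedback` resolves its argument. The method starts outside the hunk.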
@ -44,9 +44,4 @@ public class InsecureDeserialization extends Lesson {
|
||||
public String getTitle() {
|
||||
return "insecure-deserialization.title";
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getId() {
|
||||
return "InsecureDeserialization";
|
||||
}
|
||||
}
|
||||
|
@ -56,26 +56,26 @@ public class InsecureDeserializationTask extends AssignmentEndpoint {
|
||||
Object o = ois.readObject();
|
||||
if (!(o instanceof VulnerableTaskHolder)) {
|
||||
if (o instanceof String) {
|
||||
return trackProgress(failed().feedback("insecure-deserialization.stringobject").build());
|
||||
return failed(this).feedback("insecure-deserialization.stringobject").build();
|
||||
}
|
||||
return trackProgress(failed().feedback("insecure-deserialization.wrongobject").build());
|
||||
return failed(this).feedback("insecure-deserialization.wrongobject").build();
|
||||
}
|
||||
after = System.currentTimeMillis();
|
||||
} catch (InvalidClassException e) {
|
||||
return trackProgress(failed().feedback("insecure-deserialization.invalidversion").build());
|
||||
return failed(this).feedback("insecure-deserialization.invalidversion").build();
|
||||
} catch (IllegalArgumentException e) {
|
||||
return trackProgress(failed().feedback("insecure-deserialization.expired").build());
|
||||
return failed(this).feedback("insecure-deserialization.expired").build();
|
||||
} catch (Exception e) {
|
||||
return trackProgress(failed().feedback("insecure-deserialization.invalidversion").build());
|
||||
return failed(this).feedback("insecure-deserialization.invalidversion").build();
|
||||
}
|
||||
|
||||
delay = (int) (after - before);
|
||||
if (delay > 7000) {
|
||||
return trackProgress(failed().build());
|
||||
return failed(this).build();
|
||||
}
|
||||
if (delay < 3000) {
|
||||
return trackProgress(failed().build());
|
||||
return failed(this).build();
|
||||
}
|
||||
return trackProgress(success().build());
|
||||
return success(this).build();
|
||||
}
|
||||
}
|
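Review bot: The `catch (Exception e)` at the end of the try reuses the `insecure-deserialization.invalidversion` feedback, so a `ClassNotFoundException` or a failure inside a gadget chain is reported to the user as a serialVersionUID mismatch; give it its own key, or at least log the exception, so the lesson's hints stay accurate. `ois.readObject()` on client-supplied bytes is the lesson's intended vulnerability; a comment such as `// intentionally unsafe: the lesson is about deserialising untrusted input` at that line would stop a future cleanup from adding an `ObjectInputFilter` and breaking the exercise. `after` is assigned only on the success path, so the `delay` computation relies on every other path returning first—true today, but worth a comment. The method starts outside the hunk.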
@ -28,7 +28,6 @@ public class DeserializeTest extends AssignmentEndpointTest {
|
||||
InsecureDeserializationTask insecureTask = new InsecureDeserializationTask();
|
||||
init(insecureTask);
|
||||
this.mockMvc = standaloneSetup(insecureTask).build();
|
||||
when(webSession.getCurrentLesson()).thenReturn(new InsecureDeserialization());
|
||||
}
|
||||
|
||||
@Test
|
||||
|
@ -44,9 +44,4 @@ public class InsecureLogin extends Lesson {
|
||||
public String getTitle() {
|
||||
return "insecure-login.title";
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getId() {
|
||||
return "InsecureLogin";
|
||||
}
|
||||
}
|
||||
|
@ -23,13 +23,9 @@
|
||||
package org.owasp.webgoat.insecure_login;
|
||||
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import java.io.IOException;
|
||||
|
||||
@RestController
|
||||
public class InsecureLoginTask extends AssignmentEndpoint {
|
||||
|
||||
@ -37,8 +33,8 @@ public class InsecureLoginTask extends AssignmentEndpoint {
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String username, @RequestParam String password) {
|
||||
if (username.toString().equals("CaptainJack") && password.toString().equals("BlackPearl")) {
|
||||
return trackProgress(success().build());
|
||||
return success(this).build();
|
||||
}
|
||||
return trackProgress(failed().build());
|
||||
return failed(this).build();
|
||||
}
|
||||
}
|
||||
|
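Review bot: The `.toString()` calls in `username.toString().equals("CaptainJack") && password.toString().equals("BlackPearl")` are redundant on values that are already `String`s, and the literal-first form is the usual null-safe idiom: `if ("CaptainJack".equals(username) && "BlackPearl".equals(password)) {`. Both parameters are required `@RequestParam`s here, so the change is for readability rather than a missing null check.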
@ -42,9 +42,4 @@ public class JWT extends Lesson {
|
||||
public String getTitle() {
|
||||
return "jwt.title";
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getId() {
|
||||
return "JWT";
|
||||
}
|
||||
}
|
||||
|
@ -82,7 +82,7 @@ public class JWTFinalEndpoint extends AssignmentEndpoint {
|
||||
public @ResponseBody
|
||||
AttackResult resetVotes(@RequestParam("token") String token) {
|
||||
if (StringUtils.isEmpty(token)) {
|
||||
return trackProgress(failed().feedback("jwt-invalid-token").build());
|
||||
return failed(this).feedback("jwt-invalid-token").build();
|
||||
} else {
|
||||
try {
|
||||
final String[] errorMessage = {null};
|
||||
@ -102,20 +102,20 @@ public class JWTFinalEndpoint extends AssignmentEndpoint {
|
||||
}
|
||||
}).parseClaimsJws(token);
|
||||
if (errorMessage[0] != null) {
|
||||
return trackProgress(failed().output(errorMessage[0]).build());
|
||||
return failed(this).output(errorMessage[0]).build();
|
||||
}
|
||||
Claims claims = (Claims) jwt.getBody();
|
||||
String username = (String) claims.get("username");
|
||||
if ("Jerry".equals(username)) {
|
||||
return trackProgress(failed().feedback("jwt-final-jerry-account").build());
|
||||
return failed(this).feedback("jwt-final-jerry-account").build();
|
||||
}
|
||||
if ("Tom".equals(username)) {
|
||||
return trackProgress(success().build());
|
||||
return success(this).build();
|
||||
} else {
|
||||
return trackProgress(failed().feedback("jwt-final-not-tom").build());
|
||||
return failed(this).feedback("jwt-final-not-tom").build();
|
||||
}
|
||||
} catch (JwtException e) {
|
||||
return trackProgress(failed().feedback("jwt-invalid-token").output(e.toString()).build());
|
||||
return failed(this).feedback("jwt-invalid-token").output(e.toString()).build();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
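Review bot: `String username = (String) claims.get("username");` casts a value taken from the presented token, and a token whose `username` claim is not a JSON string makes that cast throw `ClassCastException`, which the `catch (JwtException e)` below does not cover and so surfaces as an unhandled error instead of the "jwt-invalid-token" feedback. jjwt's typed accessor keeps the failure inside the handled family: `String username = claims.get("username", String.class);`. The same unchecked cast on a token-controlled claim appears in JWTRefreshEndpoint (`(String) claims.get("user")`) and JWTVotesEndpoint (`(String) claims.get("admin")`), both of which also catch only `JwtException`; JWTSecretKeyEndpoint has it too but catches `Exception`. The enclosing `resetVotes` method spans both hunks of this file.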
@ -26,7 +26,6 @@ import io.jsonwebtoken.*;
|
||||
import org.apache.commons.lang3.RandomStringUtils;
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.http.HttpStatus;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.http.ResponseEntity;
|
||||
@ -92,13 +91,13 @@ public class JWTRefreshEndpoint extends AssignmentEndpoint {
|
||||
Claims claims = (Claims) jwt.getBody();
|
||||
String user = (String) claims.get("user");
|
||||
if ("Tom".equals(user)) {
|
||||
return ok(trackProgress(success().build()));
|
||||
return ok(success(this).build());
|
||||
}
|
||||
return ok(trackProgress(failed().feedback("jwt-refresh-not-tom").feedbackArgs(user).build()));
|
||||
return ok(failed(this).feedback("jwt-refresh-not-tom").feedbackArgs(user).build());
|
||||
} catch (ExpiredJwtException e) {
|
||||
return ok(trackProgress(failed().output(e.getMessage()).build()));
|
||||
return ok(failed(this).output(e.getMessage()).build());
|
||||
} catch (JwtException e) {
|
||||
return ok(trackProgress(failed().feedback("jwt-invalid-token").build()));
|
||||
return ok(failed(this).feedback("jwt-invalid-token").build());
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -74,19 +74,19 @@ public class JWTSecretKeyEndpoint extends AssignmentEndpoint {
|
||||
Jwt jwt = Jwts.parser().setSigningKey(JWT_SECRET).parse(token);
|
||||
Claims claims = (Claims) jwt.getBody();
|
||||
if (!claims.keySet().containsAll(expectedClaims)) {
|
||||
return trackProgress(failed().feedback("jwt-secret-claims-missing").build());
|
||||
return failed(this).feedback("jwt-secret-claims-missing").build();
|
||||
} else {
|
||||
String user = (String) claims.get("username");
|
||||
|
||||
if (WEBGOAT_USER.equalsIgnoreCase(user)) {
|
||||
return trackProgress(success().build());
|
||||
return success(this).build();
|
||||
} else {
|
||||
return trackProgress(failed().feedback("jwt-secret-incorrect-user").feedbackArgs(user).build());
|
||||
return failed(this).feedback("jwt-secret-incorrect-user").feedbackArgs(user).build();
|
||||
}
|
||||
}
|
||||
} catch (Exception e) {
|
||||
e.printStackTrace();
|
||||
return trackProgress(failed().feedback("jwt-invalid-token").output(e.getMessage()).build());
|
||||
return failed(this).feedback("jwt-invalid-token").output(e.getMessage()).build();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
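Review bot: `e.printStackTrace();` in the `catch (Exception e)` branch writes the trace to the process's stderr rather than through the application's logging, so it bypasses log levels and any log routing the deployment has. Replacing it with a logger call that passes `e` as the throwable argument (for example `log.error("token verification failed", e);`, assuming a logger is available in this class) keeps the diagnostic while making it manageable. SqlInjectionLesson6a has the same `e.printStackTrace()` in its outer `catch (Exception e)`. The enclosing method starts outside the hunk.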
@ -157,20 +157,20 @@ public class JWTVotesEndpoint extends AssignmentEndpoint {
|
||||
@ResponseBody
|
||||
public AttackResult resetVotes(@CookieValue(value = "access_token", required = false) String accessToken) {
|
||||
if (StringUtils.isEmpty(accessToken)) {
|
||||
return trackProgress(failed().feedback("jwt-invalid-token").build());
|
||||
return failed(this).feedback("jwt-invalid-token").build();
|
||||
} else {
|
||||
try {
|
||||
Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(accessToken);
|
||||
Claims claims = (Claims) jwt.getBody();
|
||||
boolean isAdmin = Boolean.valueOf((String) claims.get("admin"));
|
||||
if (!isAdmin) {
|
||||
return trackProgress(failed().feedback("jwt-only-admin").build());
|
||||
return failed(this).feedback("jwt-only-admin").build();
|
||||
} else {
|
||||
votes.values().forEach(vote -> vote.reset());
|
||||
return trackProgress(success().build());
|
||||
return success(this).build();
|
||||
}
|
||||
} catch (JwtException e) {
|
||||
return trackProgress(failed().feedback("jwt-invalid-token").output(e.toString()).build());
|
||||
return failed(this).feedback("jwt-invalid-token").output(e.toString()).build();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -38,10 +38,4 @@ public class MissingFunctionAC extends Lesson {
|
||||
public String getTitle() {
|
||||
return "missing-function-access-control.title";
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getId() {
|
||||
return "MissingFunctionAC";
|
||||
}
|
||||
|
||||
}
|
||||
|
@ -47,22 +47,22 @@ public class MissingFunctionACHiddenMenus extends AssignmentEndpoint {
|
||||
public AttackResult completed(String hiddenMenu1, String hiddenMenu2) {
|
||||
//overly simple example for success. See other existing lesssons for ways to detect 'success' or 'failure'
|
||||
if (hiddenMenu1.equals("Users") && hiddenMenu2.equals("Config")) {
|
||||
return trackProgress(success()
|
||||
return success(this)
|
||||
.output("")
|
||||
.feedback("access-control.hidden-menus.success")
|
||||
.build());
|
||||
.build();
|
||||
}
|
||||
|
||||
if (hiddenMenu1.equals("Config") && hiddenMenu2.equals("Users")) {
|
||||
return trackProgress(failed()
|
||||
return failed(this)
|
||||
.output("")
|
||||
.feedback("access-control.hidden-menus.close")
|
||||
.build());
|
||||
.build();
|
||||
}
|
||||
|
||||
return trackProgress(failed()
|
||||
return failed(this)
|
||||
.feedback("access-control.hidden-menus.failure")
|
||||
.output("")
|
||||
.build());
|
||||
.build();
|
||||
}
|
||||
}
|
||||
|
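Review bot: `hiddenMenu1.equals("Users")` and the comparisons that follow dereference the request parameters directly, so if either parameter is absent from the request (the method signature uses plain `String` parameters without `@RequestParam`, which suggests they may bind as `null`) the comparison throws `NullPointerException` instead of returning the failure result. Flipping the operands is null-safe and reads the same: `if ("Users".equals(hiddenMenu1) && "Config".equals(hiddenMenu2)) {` and `if ("Config".equals(hiddenMenu1) && "Users".equals(hiddenMenu2)) {`. MissingFunctionACYourHash's `userHash.equals(displayUser.getUserHash())` has the same shape, though its parameter declaration is outside that hunk.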
@ -24,7 +24,6 @@ package org.owasp.webgoat.missing_ac;
|
||||
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.users.UserService;
|
||||
import org.owasp.webgoat.users.WebGoatUser;
|
||||
@ -49,9 +48,9 @@ public class MissingFunctionACYourHash extends AssignmentEndpoint {
|
||||
WebGoatUser user = userService.loadUserByUsername(currentUser);
|
||||
DisplayUser displayUser = new DisplayUser(user);
|
||||
if (userHash.equals(displayUser.getUserHash())) {
|
||||
return trackProgress(success().feedback("access-control.hash.success").build());
|
||||
return success(this).feedback("access-control.hash.success").build();
|
||||
} else {
|
||||
return trackProgress(failed().feedback("access-control.hash.close").build());
|
||||
return failed(this).feedback("access-control.hash.close").build();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -44,7 +44,6 @@ public class MissingFunctionACHiddenMenusTest extends AssignmentEndpointTest {
|
||||
public void setup() {
|
||||
MissingFunctionACHiddenMenus hiddenMenus = new MissingFunctionACHiddenMenus();
|
||||
init(hiddenMenus);
|
||||
when(webSession.getCurrentLesson()).thenReturn(new MissingFunctionAC());
|
||||
this.mockMvc = standaloneSetup(hiddenMenus).build();
|
||||
}
|
||||
|
||||
|
@ -57,7 +57,6 @@ public class MissingFunctionYourHashTest extends AssignmentEndpointTest {
|
||||
this.mockDisplayUser = new DisplayUser(new WebGoatUser("user", "userPass"));
|
||||
ReflectionTestUtils.setField(yourHashTest, "userService", userService);
|
||||
when(userService.loadUserByUsername(any())).thenReturn(new WebGoatUser("user", "userPass"));
|
||||
when(webSession.getCurrentLesson()).thenReturn(new MissingFunctionAC());
|
||||
}
|
||||
|
||||
@Test
|
||||
|
@ -37,9 +37,4 @@ public class PasswordReset extends Lesson {
|
||||
public String getTitle() {
|
||||
return "password-reset.title";
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getId() {
|
||||
return "PasswordReset";
|
||||
}
|
||||
}
|
||||
|
@ -57,15 +57,15 @@ public class QuestionsAssignment extends AssignmentEndpoint {
|
||||
String username = (String) json.getOrDefault("username", "");
|
||||
|
||||
if ("webgoat".equalsIgnoreCase(username.toLowerCase())) {
|
||||
return trackProgress(failed().feedback("password-questions-wrong-user").build());
|
||||
return failed(this).feedback("password-questions-wrong-user").build();
|
||||
}
|
||||
|
||||
String validAnswer = COLORS.get(username.toLowerCase());
|
||||
if (validAnswer == null) {
|
||||
return trackProgress(failed().feedback("password-questions-unknown-user").feedbackArgs(username).build());
|
||||
return failed(this).feedback("password-questions-unknown-user").feedbackArgs(username).build();
|
||||
} else if (validAnswer.equals(securityQuestion)) {
|
||||
return trackProgress(success().build());
|
||||
return success(this).build();
|
||||
}
|
||||
return trackProgress(failed().build());
|
||||
return failed(this).build();
|
||||
}
|
||||
}
|
||||
|
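Review bot: `"webgoat".equalsIgnoreCase(username.toLowerCase())` lower-cases a value that is then compared case-insensitively anyway, and both this call and `COLORS.get(username.toLowerCase())` use the default locale, so the lookup key depends on the JVM's locale settings. `if ("webgoat".equalsIgnoreCase(username)) {` and `String validAnswer = COLORS.get(username.toLowerCase(Locale.ROOT));` make the comparison locale-independent (this needs `java.util.Locale` imported). The enclosing method starts outside the hunk.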
@ -67,12 +67,12 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
|
||||
if (TOM_EMAIL.equals(email)) {
|
||||
String passwordTom = usersToTomPassword.getOrDefault(getWebSession().getUserName(), PASSWORD_TOM_9);
|
||||
if (passwordTom.equals(PASSWORD_TOM_9)) {
|
||||
return trackProgress(failed().feedback("login_failed").build());
|
||||
return failed(this).feedback("login_failed").build();
|
||||
} else if (passwordTom.equals(password)) {
|
||||
return trackProgress(success().build());
|
||||
return success(this).build();
|
||||
}
|
||||
}
|
||||
return trackProgress(failed().feedback("login_failed.tom").build());
|
||||
return failed(this).feedback("login_failed.tom").build();
|
||||
}
|
||||
|
||||
@GetMapping("/PasswordReset/reset/reset-password/{link}")
|
||||
|
@ -68,11 +68,11 @@ public class ResetLinkAssignmentForgotPassword extends AssignmentEndpoint {
|
||||
try {
|
||||
sendMailToUser(email, host, resetLink);
|
||||
} catch (Exception e) {
|
||||
return failed().output("E-mail can't be send. please try again.").build();
|
||||
return failed(this).output("E-mail can't be send. please try again.").build();
|
||||
}
|
||||
}
|
||||
}
|
||||
return success().feedback("email.send").feedbackArgs(email).build();
|
||||
return success(this).feedback("email.send").feedbackArgs(email).build();
|
||||
}
|
||||
|
||||
private void sendMailToUser(String email, String host, String resetLink) {
|
||||
|
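Review bot: `return success(this).feedback("email.send").feedbackArgs(email).build();` replaces a bare `success()` that, unlike the `trackProgress(...)` results elsewhere in this commit, did not previously record progress; if the framework now records every `success(this)` result as the commit description says, merely requesting the reset mail would mark the assignment solved. If that is not intended, `informationMessage(this)` — the form SimpleMailAssignment uses for its own "email sent" feedback — keeps the message without the solve. The same untracked-to-tracked switch applies to `success(this).feedback("user.created")` in SqlInjectionChallenge and `success(this).feedback("ResultsButNotTom")` in SqlInjectionChallengeLogin. Separately, the `catch (Exception e)` above drops the mail failure without logging it; passing `e` to a logger before returning would preserve the cause.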
@ -71,10 +71,10 @@ public class SecurityQuestionAssignment extends AssignmentEndpoint {
|
||||
if (answer.isPresent()) {
|
||||
triedQuestions.incr(question);
|
||||
if (triedQuestions.isComplete()) {
|
||||
return trackProgress(success().output("<b>" + answer + "</b>").build());
|
||||
return success(this).output("<b>" + answer + "</b>").build();
|
||||
}
|
||||
}
|
||||
return informationMessage()
|
||||
return informationMessage(this)
|
||||
.feedback("password-questions-one-successful")
|
||||
.output(answer.orElse("Unknown question, please try again..."))
|
||||
.build();
|
||||
|
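Review bot: `success(this).output("<b>" + answer + "</b>")` concatenates the `Optional` itself rather than its value, so the output reads `<b>Optional[...]</b>` instead of the answer; since the branch is guarded by `answer.isPresent()`, `return success(this).output("<b>" + answer.get() + "</b>").build();` is the intended form. The `informationMessage(this)` path below already unwraps correctly with `answer.orElse(...)`. The enclosing method starts outside the hunk.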
@ -60,9 +60,9 @@ public class SimpleMailAssignment extends AssignmentEndpoint {
|
||||
String username = extractUsername(emailAddress);
|
||||
|
||||
if (username.equals(getWebSession().getUserName()) && StringUtils.reverse(username).equals(password)) {
|
||||
return trackProgress(success().build());
|
||||
return success(this).build();
|
||||
} else {
|
||||
return trackProgress(failed().feedbackArgs("password-reset-simple.password_incorrect").build());
|
||||
return failed(this).feedbackArgs("password-reset-simple.password_incorrect").build();
|
||||
}
|
||||
}
|
||||
|
||||
@ -90,11 +90,11 @@ public class SimpleMailAssignment extends AssignmentEndpoint {
|
||||
try {
|
||||
restTemplate.postForEntity(webWolfURL, mailEvent, Object.class);
|
||||
} catch (RestClientException e) {
|
||||
return informationMessage().feedback("password-reset-simple.email_failed").output(e.getMessage()).build();
|
||||
return informationMessage(this).feedback("password-reset-simple.email_failed").output(e.getMessage()).build();
|
||||
}
|
||||
return informationMessage().feedback("password-reset-simple.email_send").feedbackArgs(email).build();
|
||||
return informationMessage(this).feedback("password-reset-simple.email_send").feedbackArgs(email).build();
|
||||
} else {
|
||||
return informationMessage().feedback("password-reset-simple.email_mismatch").feedbackArgs(username).build();
|
||||
return informationMessage(this).feedback("password-reset-simple.email_mismatch").feedbackArgs(username).build();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
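Review bot: `failed(this).feedbackArgs("password-reset-simple.password_incorrect")` passes what looks like a message key as a feedback argument rather than as the feedback key; every other call in this commit resolves such keys through `.feedback(...)` and reserves `.feedbackArgs(...)` for values substituted into the message, as the second hunk's `informationMessage(this).feedback("password-reset-simple.email_mismatch").feedbackArgs(username)` shows. If that string is a message key, the line should read `return failed(this).feedback("password-reset-simple.password_incorrect").build();`. The enclosing methods start outside both hunks.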
@ -38,8 +38,7 @@
|
||||
<module>password-reset</module>
|
||||
<module>ssrf</module>
|
||||
<module>secure-passwords</module>
|
||||
<!-- uncomment below to include lesson template in build, also uncomment the dependency in webgoat-server/pom.xml to have it run in the project fully -->
|
||||
<!--<module>webgoat-lesson-template</module>-->
|
||||
<module>webgoat-lesson-template</module>
|
||||
</modules>
|
||||
|
||||
<dependencies>
|
||||
|
@ -42,9 +42,4 @@ public class SecurePasswords extends Lesson {
|
||||
public String getTitle() {
|
||||
return "secure-passwords.title";
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getId() {
|
||||
return "SecurePasswords";
|
||||
}
|
||||
}
|
||||
|
@ -69,9 +69,9 @@ public class SecurePasswordsAssignment extends AssignmentEndpoint {
|
||||
output.append("<b>Estimated cracking time in seconds: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()));
|
||||
|
||||
if (strength.getScore() >= 4)
|
||||
return trackProgress(success().feedback("securepassword-success").output(output.toString()).build());
|
||||
return success(this).feedback("securepassword-success").output(output.toString()).build();
|
||||
else
|
||||
return trackProgress(failed().feedback("securepassword-failed").output(output.toString()).build());
|
||||
return failed(this).feedback("securepassword-failed").output(output.toString()).build();
|
||||
}
|
||||
|
||||
public static String calculateTime(long seconds) {
|
||||
|
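Review bot: The `if (strength.getScore() >= 4)` / `else` pair wraps two long unbraced return statements, which is the one-liner form the project's other assignments avoid; bracing both branches keeps the pattern uniform with the surrounding endpoints. The `output.append("..." + calculateTime(...))` above also builds the string with `+` before appending; chaining `output.append("<b>Estimated cracking time in seconds: </b>").append(calculateTime(...))` avoids the intermediate concatenation. The enclosing method starts outside the hunk.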
@ -37,9 +37,4 @@ public class SqlInjectionAdvanced extends Lesson {
|
||||
public String getTitle() {
|
||||
return "2.sql.advanced.title";
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getId() {
|
||||
return "SqlInjectionAdvanced";
|
||||
}
|
||||
}
|
||||
|
@ -66,9 +66,9 @@ public class SqlInjectionChallenge extends AssignmentEndpoint {
|
||||
|
||||
if (resultSet.next()) {
|
||||
if (username_reg.contains("tom'")) {
|
||||
attackResult = trackProgress(success().feedback("user.exists").build());
|
||||
attackResult = success(this).feedback("user.exists").build();
|
||||
} else {
|
||||
attackResult = failed().feedback("user.exists").feedbackArgs(username_reg).build();
|
||||
attackResult = failed(this).feedback("user.exists").feedbackArgs(username_reg).build();
|
||||
}
|
||||
} else {
|
||||
PreparedStatement preparedStatement = connection.prepareStatement("INSERT INTO sql_challenge_users VALUES (?, ?, ?)");
|
||||
@ -76,10 +76,10 @@ public class SqlInjectionChallenge extends AssignmentEndpoint {
|
||||
preparedStatement.setString(2, email_reg);
|
||||
preparedStatement.setString(3, password_reg);
|
||||
preparedStatement.execute();
|
||||
attackResult = success().feedback("user.created").feedbackArgs(username_reg).build();
|
||||
attackResult = success(this).feedback("user.created").feedbackArgs(username_reg).build();
|
||||
}
|
||||
} catch (SQLException e) {
|
||||
attackResult = failed().output("Something went wrong").build();
|
||||
attackResult = failed(this).output("Something went wrong").build();
|
||||
}
|
||||
}
|
||||
return attackResult;
|
||||
@ -87,10 +87,10 @@ public class SqlInjectionChallenge extends AssignmentEndpoint {
|
||||
|
||||
private AttackResult checkArguments(String username_reg, String email_reg, String password_reg) {
|
||||
if (StringUtils.isEmpty(username_reg) || StringUtils.isEmpty(email_reg) || StringUtils.isEmpty(password_reg)) {
|
||||
return failed().feedback("input.invalid").build();
|
||||
return failed(this).feedback("input.invalid").build();
|
||||
}
|
||||
if (username_reg.length() > 250 || email_reg.length() > 30 || password_reg.length() > 30) {
|
||||
return failed().feedback("input.invalid").build();
|
||||
return failed(this).feedback("input.invalid").build();
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
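Review bot: `checkArguments` returns `null` to mean "arguments are valid", which puts the burden of a null check on its caller (outside this hunk) and is easy to misread next to the non-null failure results. Returning `Optional<AttackResult>` — `Optional.of(failed(this).feedback("input.invalid").build())` for the two invalid cases and `Optional.empty()` for the valid one — makes the contract explicit at the call site. In the second hunk, `catch (SQLException e)` turns the failure into "Something went wrong" without logging `e`; a log line there would keep the database error diagnosable.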
@ -54,10 +54,10 @@ public class SqlInjectionChallengeLogin extends AssignmentEndpoint {
|
||||
ResultSet resultSet = statement.executeQuery();
|
||||
|
||||
if (resultSet.next()) {
|
||||
return ("tom".equals(username_login)) ? trackProgress(success().build())
|
||||
: success().feedback("ResultsButNotTom").build();
|
||||
return ("tom".equals(username_login)) ? success(this).build()
|
||||
: success(this).feedback("ResultsButNotTom").build();
|
||||
} else {
|
||||
return failed().feedback("NoResultsMatched").build();
|
||||
return failed(this).feedback("NoResultsMatched").build();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -81,19 +81,19 @@ public class SqlInjectionLesson6a extends AssignmentEndpoint {
|
||||
|
||||
if (output.toString().contains("dave") && output.toString().contains("passW0rD")) {
|
||||
output.append(appendingWhenSucceded);
|
||||
return trackProgress(success().feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build());
|
||||
return success(this).feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build();
|
||||
} else {
|
||||
return trackProgress(failed().output(output.toString() + "<br> Your query was: " + query).build());
|
||||
return failed(this).output(output.toString() + "<br> Your query was: " + query).build();
|
||||
}
|
||||
} else {
|
||||
return trackProgress(failed().feedback("sql-injection.advanced.6a.no.results").output(" Your query was: " + query).build());
|
||||
return failed(this).feedback("sql-injection.advanced.6a.no.results").output(" Your query was: " + query).build();
|
||||
}
|
||||
} catch (SQLException sqle) {
|
||||
return trackProgress(failed().output(sqle.getMessage() + "<br> Your query was: " + query).build());
|
||||
return failed(this).output(sqle.getMessage() + "<br> Your query was: " + query).build();
|
||||
}
|
||||
} catch (Exception e) {
|
||||
e.printStackTrace();
|
||||
return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage() + "<br> Your query was: " + query).build());
|
||||
return failed(this).output(this.getClass().getName() + " : " + e.getMessage() + "<br> Your query was: " + query).build();
|
||||
}
|
||||
}
|
||||
}
|
@ -51,9 +51,9 @@ public class SqlInjectionLesson6b extends AssignmentEndpoint {
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String userid_6b) throws IOException {
|
||||
if (userid_6b.equals(getPassword())) {
|
||||
return trackProgress(success().build());
|
||||
return success(this).build();
|
||||
} else {
|
||||
return trackProgress(failed().build());
|
||||
return failed(this).build();
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -59,9 +59,9 @@ public class SqlInjectionQuiz extends AssignmentEndpoint {
|
||||
}
|
||||
|
||||
if (correctAnswers == solutions.length) {
|
||||
return trackProgress(success().build());
|
||||
return success(this).build();
|
||||
} else {
|
||||
return trackProgress(failed().build());
|
||||
return failed(this).build();
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -37,9 +37,4 @@ public class SqlInjection extends Lesson {
|
||||
public String getTitle() {
|
||||
return "1.sql.injection.title";
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getId() {
|
||||
return "SqlInjection";
|
||||
}
|
||||
}
|
||||
|
@ -65,24 +65,24 @@ public class SqlInjectionLesson10 extends AssignmentEndpoint {
|
||||
if (results.getStatement() != null) {
|
||||
results.first();
|
||||
output.append(SqlInjectionLesson8.generateTable(results));
|
||||
return trackProgress(failed().feedback("sql-injection.10.entries").output(output.toString()).build());
|
||||
return failed(this).feedback("sql-injection.10.entries").output(output.toString()).build();
|
||||
} else {
|
||||
if (tableExists(connection)) {
|
||||
return trackProgress(failed().feedback("sql-injection.10.entries").output(output.toString()).build());
|
||||
return failed(this).feedback("sql-injection.10.entries").output(output.toString()).build();
|
||||
} else {
|
||||
return trackProgress(success().feedback("sql-injection.10.success").build());
|
||||
return success(this).feedback("sql-injection.10.success").build();
|
||||
}
|
||||
}
|
||||
} catch (SQLException e) {
|
||||
if (tableExists(connection)) {
|
||||
return trackProgress(failed().feedback("sql-injection.error").output("<span class='feedback-negative'>" + e.getMessage() + "</span><br>" + output.toString()).build());
|
||||
return failed(this).feedback("sql-injection.error").output("<span class='feedback-negative'>" + e.getMessage() + "</span><br>" + output.toString()).build();
|
||||
} else {
|
||||
return trackProgress(success().feedback("sql-injection.10.success").build());
|
||||
return success(this).feedback("sql-injection.10.success").build();
|
||||
}
|
||||
}
|
||||
|
||||
} catch (Exception e) {
|
||||
return trackProgress(failed().output("<span class='feedback-negative'>" + e.getMessage() + "</span>").build());
|
||||
return failed(this).output("<span class='feedback-negative'>" + e.getMessage() + "</span>").build();
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -67,12 +67,12 @@ public class SqlInjectionLesson2 extends AssignmentEndpoint {
|
||||
if (results.getString("department").equals("Marketing")) {
|
||||
output.append("<span class='feedback-positive'>" + query + "</span>");
|
||||
output.append(SqlInjectionLesson8.generateTable(results));
|
||||
return trackProgress(success().feedback("sql-injection.2.success").output(output.toString()).build());
|
||||
return success(this).feedback("sql-injection.2.success").output(output.toString()).build();
|
||||
} else {
|
||||
return trackProgress(failed().feedback("sql-injection.2.failed").output(output.toString()).build());
|
||||
return failed(this).feedback("sql-injection.2.failed").output(output.toString()).build();
|
||||
}
|
||||
} catch (SQLException sqle) {
|
||||
return trackProgress(failed().feedback("sql-injection.2.failed").output(sqle.getMessage()).build());
|
||||
return failed(this).feedback("sql-injection.2.failed").output(sqle.getMessage()).build();
|
||||
}
|
||||
}
|
||||
}
|
||||
|