From 5dd6b3190592fca16b6d2ea5a5c7f5485be04ebf Mon Sep 17 00:00:00 2001 
From: Nanne Baars Date: Sun, 17 Nov 2019 13:39:56 +0100 Subject: [PATCH] Adjust lesson template (#704) * Remove method `getId()` from all lessons as it defaults to the class name * remove clean up endpoint * remove unused class `RequestParameter` * remove unused class `PluginLoadingFailure` * Move `CourseConfiguration` to lesson package * Add more content around the lesson template lesson and make it visible as a lesson in WebGoat * Remove explicit invocation `trackProgress()` inside WebGoat framework so assignments only need to return an `AttackResult` * Put original solution back as well for SQL string injection * review comments * Add --- .travis.yml | 61 +++++---- COPYRIGHT.txt | 19 +++ .../webgoat/CleanupLocalProgressFiles.java | 27 ---- .../assignments/AssignmentEndpoint.java | 29 ++--- .../webgoat/assignments/AttackResult.java | 16 ++- .../assignments/LessonTrackerInterceptor.java | 74 +++++++++++ .../CourseConfiguration.java | 2 +- .../org/owasp/webgoat/lessons/Lesson.java | 4 +- .../webgoat/lessons/RequestParameter.java | 78 ----------- .../webgoat/plugins/PluginLoadingFailure.java | 29 ----- .../resources/application-webgoat.properties | 1 - .../webgoat/service/LabelServiceTest.java | 3 + .../users/UserTrackerRepositoryTest.java | 5 - .../owasp/webgoat/auth_bypass/AuthBypass.java | 6 - .../webgoat/auth_bypass/VerifyAccount.java | 13 +- .../BypassRestrictions.java | 5 - .../BypassRestrictionsFieldRestrictions.java | 10 +- .../BypassRestrictionsFrontendValidation.java | 22 ++-- .../webgoat/challenges/ChallengeIntro.java | 5 - .../challenges/challenge1/Assignment1.java | 6 +- .../challenges/challenge1/Challenge1.java | 5 - .../challenges/challenge5/Assignment5.java | 8 +- .../challenges/challenge5/Challenge5.java | 5 - .../challenges/challenge7/Assignment7.java | 3 +- .../challenges/challenge7/Challenge7.java | 5 - .../challenges/challenge8/Challenge8.java | 5 - .../chrome_dev_tools/ChromeDevTools.java | 11 +- .../chrome_dev_tools/NetworkDummy.java | 7 +- 
.../chrome_dev_tools/NetworkLesson.java | 7 +- .../main/java/org/owasp/webgoat/cia/CIA.java | 5 - .../java/org/owasp/webgoat/cia/CIAQuiz.java | 4 +- .../ClientSideFiltering.java | 5 - .../ClientSideFilteringAssignment.java | 9 +- .../ClientSideFilteringFreeAssignment.java | 7 +- .../owasp/webgoat/xss/CrossSiteScripting.java | 5 - .../xss/CrossSiteScriptingLesson1.java | 4 +- .../xss/CrossSiteScriptingLesson3.java | 8 +- .../xss/CrossSiteScriptingLesson4.java | 4 +- .../xss/CrossSiteScriptingLesson5a.java | 12 +- .../xss/CrossSiteScriptingLesson6a.java | 6 +- .../webgoat/xss/CrossSiteScriptingQuiz.java | 4 +- .../webgoat/xss/DOMCrossSiteScripting.java | 4 +- .../xss/DOMCrossSiteScriptingVerifier.java | 4 +- .../CrossSiteScriptingMitigation.java | 5 - .../xss/stored/CrossSiteScriptingStored.java | 5 - .../StoredCrossSiteScriptingVerifier.java | 4 +- .../webgoat/xss/stored/StoredXssComments.java | 4 +- .../xss/DOMCrossSiteScriptingTest.java | 1 - .../java/org/owasp/webgoat/csrf/CSRF.java | 6 - .../owasp/webgoat/csrf/CSRFConfirmFlag1.java | 9 +- .../org/owasp/webgoat/csrf/CSRFFeedback.java | 12 +- .../org/owasp/webgoat/csrf/CSRFLogin.java | 4 +- .../org/owasp/webgoat/csrf/ForgedReviews.java | 6 +- .../webgoat/html_tampering/HtmlTampering.java | 5 - .../html_tampering/HtmlTamperingTask.java | 7 +- .../owasp/webgoat/http_basics/HttpBasics.java | 5 - .../webgoat/http_basics/HttpBasicsLesson.java | 9 +- .../webgoat/http_basics/HttpBasicsQuiz.java | 8 +- .../HttpBasicsInterceptRequest.java | 8 +- .../webgoat/http_proxies/HttpProxies.java | 5 - .../HttpBasicsInterceptRequestTest.java | 1 - .../java/org/owasp/webgoat/idor/IDOR.java | 6 - .../webgoat/idor/IDORDiffAttributes.java | 10 +- .../webgoat/idor/IDOREditOtherProfiile.java | 24 ++-- .../org/owasp/webgoat/idor/IDORLogin.java | 7 +- .../webgoat/idor/IDORViewOtherProfile.java | 8 +- .../idor/IDORViewOwnProfileAltUrl.java | 8 +- .../InsecureDeserialization.java | 5 - .../InsecureDeserializationTask.java | 16 +-- 
.../deserialization/DeserializeTest.java | 1 - .../webgoat/insecure_login/InsecureLogin.java | 5 - .../insecure_login/InsecureLoginTask.java | 8 +- .../main/java/org/owasp/webgoat/jwt/JWT.java | 5 - .../owasp/webgoat/jwt/JWTFinalEndpoint.java | 12 +- .../owasp/webgoat/jwt/JWTRefreshEndpoint.java | 9 +- .../webgoat/jwt/JWTSecretKeyEndpoint.java | 8 +- .../owasp/webgoat/jwt/JWTVotesEndpoint.java | 8 +- .../webgoat/missing_ac/MissingFunctionAC.java | 6 - .../MissingFunctionACHiddenMenus.java | 12 +- .../missing_ac/MissingFunctionACYourHash.java | 5 +- .../MissingFunctionACHiddenMenusTest.java | 1 - .../MissingFunctionYourHashTest.java | 1 - .../webgoat/password_reset/PasswordReset.java | 5 - .../password_reset/QuestionsAssignment.java | 8 +- .../password_reset/ResetLinkAssignment.java | 6 +- .../ResetLinkAssignmentForgotPassword.java | 4 +- .../SecurityQuestionAssignment.java | 4 +- .../password_reset/SimpleMailAssignment.java | 10 +- webgoat-lessons/pom.xml | 3 +- .../secure_password/SecurePasswords.java | 5 - .../SecurePasswordsAssignment.java | 4 +- .../advanced/SqlInjectionAdvanced.java | 5 - .../advanced/SqlInjectionChallenge.java | 12 +- .../advanced/SqlInjectionChallengeLogin.java | 6 +- .../advanced/SqlInjectionLesson6a.java | 10 +- .../advanced/SqlInjectionLesson6b.java | 4 +- .../advanced/SqlInjectionQuiz.java | 4 +- .../introduction/SqlInjection.java | 5 - .../introduction/SqlInjectionLesson10.java | 12 +- .../introduction/SqlInjectionLesson2.java | 6 +- .../introduction/SqlInjectionLesson3.java | 8 +- .../introduction/SqlInjectionLesson4.java | 8 +- .../introduction/SqlInjectionLesson5.java | 7 +- .../introduction/SqlInjectionLesson5a.java | 10 +- .../introduction/SqlInjectionLesson5b.java | 14 +- .../introduction/SqlInjectionLesson8.java | 12 +- .../introduction/SqlInjectionLesson9.java | 16 +-- .../mitigation/SqlInjectionLesson10a.java | 6 +- .../mitigation/SqlInjectionLesson10b.java | 12 +- .../mitigation/SqlInjectionLesson12a.java | 7 +- 
.../mitigation/SqlInjectionMitigations.java | 5 - .../src/main/resources/html/SqlInjection.html | 1 + .../java/org/owasp/webgoat/ssrf/SSRF.java | 5 - .../org/owasp/webgoat/ssrf/SSRFTask1.java | 32 ++--- .../org/owasp/webgoat/ssrf/SSRFTask2.java | 27 ++-- .../VulnerableComponents.java | 4 - .../VulnerableComponentsLesson.java | 6 +- .../introduction/WebGoatIntroduction.java | 4 - .../getting-started.MD | 15 +-- .../webgoat/template/LessonTemplate.java | 57 ++++---- .../owasp/webgoat/template/SampleAttack.java | 42 +++--- .../migration/V2019_11_10_1__introduction.sql | 13 ++ .../main/resources/html/LessonTemplate.html | 34 ++++- .../resources/i18n/WebGoatLabels.properties | 6 +- .../en/lesson-template-attack.adoc | 123 ++++++++---------- .../en/lesson-template-content.adoc | 36 +++++ .../en/lesson-template-database.adoc | 25 ++++ .../lessonPlans/en/lesson-template-glue.adoc | 59 +++++++++ .../lessonPlans/en/lesson-template-intro.adoc | 22 +--- .../en/lesson-template-lesson-class.adoc | 20 +++ .../en/lesson-template-video-more.adoc | 11 ++ .../LandingAssignment.java | 4 +- .../webwolf_introduction/MailAssignment.java | 13 +- .../WebWolfIntroduction.java | 4 - .../webgoat/xxe/BlindSendFileAssignment.java | 6 +- .../webgoat/xxe/ContentTypeAssignment.java | 10 +- .../java/org/owasp/webgoat/xxe/SimpleXXE.java | 4 +- .../main/java/org/owasp/webgoat/xxe/XXE.java | 5 - webgoat-server/pom.xml | 12 +- 139 files changed, 769 insertions(+), 870 deletions(-) create mode 100644 COPYRIGHT.txt delete mode 100644 webgoat-container/src/main/java/org/owasp/webgoat/CleanupLocalProgressFiles.java create mode 100644 webgoat-container/src/main/java/org/owasp/webgoat/assignments/LessonTrackerInterceptor.java rename webgoat-container/src/main/java/org/owasp/webgoat/{plugins => lessons}/CourseConfiguration.java (99%) delete mode 100644 webgoat-container/src/main/java/org/owasp/webgoat/lessons/RequestParameter.java delete mode 100644 
webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginLoadingFailure.java create mode 100644 webgoat-lessons/webgoat-lesson-template/src/main/resources/db/migration/V2019_11_10_1__introduction.sql create mode 100644 webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-content.adoc create mode 100644 webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-database.adoc create mode 100644 webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-glue.adoc create mode 100644 webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-lesson-class.adoc create mode 100644 webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-video-more.adoc diff --git a/.travis.yml b/.travis.yml index 792680eb5..35a55bcb5 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -1,47 +1,52 @@ services: - - docker +- docker language: java jdk: - openjdk11 install: "/bin/true" script: -- export BRANCH=$(if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then echo $TRAVIS_BRANCH; else echo $TRAVIS_PULL_REQUEST_BRANCH; fi) +- export BRANCH=$(if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then echo $TRAVIS_BRANCH; + else echo $TRAVIS_PULL_REQUEST_BRANCH; fi) - echo "TRAVIS_BRANCH=$TRAVIS_BRANCH, PR=$PR, BRANCH=$BRANCH" -- if [ ! -z "${TRAVIS_TAG}" ]; then mvn versions:set -DnewVersion=${TRAVIS_TAG:1}; fi +- if [ ! -z "${TRAVIS_TAG}" ]; then mvn versions:set -DnewVersion=${TRAVIS_TAG:1}; + fi - mvn clean install -q cache: directories: - "$HOME/.m2" before_deploy: - - export WEBGOAT_SERVER_TARGET_DIR=$HOME/build/$TRAVIS_REPO_SLUG/webgoat-server/target - - export WEBWOLF_TARGET_DIR=$HOME/build/$TRAVIS_REPO_SLUG/webwolf/target - - export WEBGOAT_ARTIFACTS_FOLDER=$HOME/build/$TRAVIS_REPO_SLUG/Deployable_Artifacts/ - - mkdir -p $WEBGOAT_ARTIFACTS_FOLDER - - cp -fa $WEBGOAT_SERVER_TARGET_DIR/*.jar $WEBGOAT_ARTIFACTS_FOLDER/ - - cp -fa $WEBWOLF_TARGET_DIR/*.jar $WEBGOAT_ARTIFACTS_FOLDER/ - - echo "Contents of artifacts folder:" - - ls $WEBGOAT_ARTIFACTS_FOLDER +- export WEBGOAT_SERVER_TARGET_DIR=$HOME/build/$TRAVIS_REPO_SLUG/webgoat-server/target +- export WEBWOLF_TARGET_DIR=$HOME/build/$TRAVIS_REPO_SLUG/webwolf/target +- export WEBGOAT_ARTIFACTS_FOLDER=$HOME/build/$TRAVIS_REPO_SLUG/Deployable_Artifacts/ +- mkdir -p $WEBGOAT_ARTIFACTS_FOLDER +- cp -fa $WEBGOAT_SERVER_TARGET_DIR/*.jar $WEBGOAT_ARTIFACTS_FOLDER/ +- cp -fa $WEBWOLF_TARGET_DIR/*.jar $WEBGOAT_ARTIFACTS_FOLDER/ +- echo "Contents of artifacts folder:" +- ls $WEBGOAT_ARTIFACTS_FOLDER deploy: - - provider: script - skip_cleanup: true - script: bash scripts/deploy-webgoat.sh - on: - repo: WebGoat/WebGoat - tags: true - - provider: releases - skip_cleanup: true - overwrite: true - api_key: - #api-key from webgoat-github user - secure: 
pJOLBnl6427PcVg/tVy/qB18JC7b8cKpffau+IP0pjdSt7KUfBdBY3QuJ7mrM65zRoVILzggLckaew2PlRmYQRdumyWlyRn44XiJ9KO4n6Bsufbz+ictB4ggtozpp9+I9IIUh1TmqypL9lhkX2ONM9dSHmyblYpAAgMuYSK8FYc= - file_glob: true - file: $WEBGOAT_ARTIFACTS_FOLDER/* - on: - repo: WebGoat/WebGoat - tags: true +- provider: script + skip_cleanup: true + script: bash scripts/deploy-webgoat.sh + on: + repo: WebGoat/WebGoat + tags: true +- provider: releases + skip_cleanup: true + overwrite: true + api_key: + secure: pJOLBnl6427PcVg/tVy/qB18JC7b8cKpffau+IP0pjdSt7KUfBdBY3QuJ7mrM65zRoVILzggLckaew2PlRmYQRdumyWlyRn44XiJ9KO4n6Bsufbz+ictB4ggtozpp9+I9IIUh1TmqypL9lhkX2ONM9dSHmyblYpAAgMuYSK8FYc= + file_glob: true + file: "$WEBGOAT_ARTIFACTS_FOLDER/*" + on: + repo: WebGoat/WebGoat + tags: true env: global: #Docker login - secure: XgPc0UKRTUI70I4YWNQpThPPWeQIxkmzh1GNoR/SSDC2GPIBq3EfkkbSQewqil8stTy+S1/xSzc0JXG8NTn7UOxHVHA/2nhI6jX9E+DKtXQ89YwmaDNQjkbMjziAtDCIex+5TRykxNfkxj6VPYbDssrzI7iJXOIZVj/HoyO3O5E= #Docker password - secure: aly5TKBUK9sIiqtMbytNNPZHQhC0a7Yond5tEtuJ8fO+j/KZB4Uro3I6BhzYjGWFb5Kndd0j2TXHPFvtOl402J1CmFsY3v0BhilQd0g6zOssp5T0A73m8Jgq4ItV8wQJJy2bQsXqL1B+uFYieYPiMchj7JxWW0vBn7TV5b68l6U= +notifications: + slack: + rooms: + secure: cDG2URRy7SEipMLyhodwjRBtsPBmfngFB4FyNaIhhr+2/SGyKvGhfW75YA9V+eC7J40KllxQhiIvrxngKDRABb3L1O72Sdj8mZSi8TVsUNLOdamJXHKGUwNSPWXv/1s2m+uC20cgxl66o31vxdV33uvxLdvGOd5e5qOKTsKP7UE= diff --git a/COPYRIGHT.txt b/COPYRIGHT.txt new file mode 100644 index 000000000..bed6f51c0 --- /dev/null +++ b/COPYRIGHT.txt 
@@ -0,0 +1,19 @@ +This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/ + +Copyright (c) 2002 - $today.year Bruce Mayhew + +This program is free software; you can redistribute it and/or modify it under the terms of the +GNU General Public License as published by the Free Software Foundation; either version 2 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without +even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +General Public License for more details. + +You should have received a copy of the GNU General Public License along with this program; if +not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA +02111-1307, USA. + +Getting Source ============== + +Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects. \ No newline at end of file diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/CleanupLocalProgressFiles.java b/webgoat-container/src/main/java/org/owasp/webgoat/CleanupLocalProgressFiles.java deleted file mode 100644 index 2048dbbd7..000000000 --- a/webgoat-container/src/main/java/org/owasp/webgoat/CleanupLocalProgressFiles.java +++ /dev/null 
@@ -1,27 +0,0 @@ -package org.owasp.webgoat; - -import lombok.extern.slf4j.Slf4j; -import org.springframework.beans.factory.annotation.Value; -import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression; -import org.springframework.context.annotation.Configuration; -import org.springframework.util.FileSystemUtils; - -import javax.annotation.PostConstruct; -import java.io.File; - -/** - * @author nbaars - * @since 4/15/17. - */ -@Slf4j -@Configuration -@ConditionalOnExpression("'${webgoat.clean}' == 'true'") -public class CleanupLocalProgressFiles { - - @Value("${webgoat.server.directory}") - private String webgoatHome; - - @PostConstruct - public void clean() { - } -} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java index 1d1cbbb65..823c04d6d 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java @@ -29,7 +29,6 @@ import lombok.Getter; import org.owasp.webgoat.i18n.PluginMessages; import org.owasp.webgoat.session.UserSessionData; import org.owasp.webgoat.session.WebSession; -import org.owasp.webgoat.users.UserTracker; import org.owasp.webgoat.users.UserTrackerRepository; import org.springframework.beans.factory.annotation.Autowired; 
@@ -45,20 +44,6 @@ public abstract class AssignmentEndpoint { @Autowired private PluginMessages messages; - protected AttackResult trackProgress(AttackResult attackResult) { - UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName()); - if (userTracker == null) { - userTracker = new UserTracker(webSession.getUserName()); - } - if (attackResult.assignmentSolved()) { - userTracker.assignmentSolved(webSession.getCurrentLesson(), this.getClass().getSimpleName()); - } else { - userTracker.assignmentFailed(webSession.getCurrentLesson()); - } - userTrackerRepository.save(userTracker); - return attackResult; - } - protected WebSession getWebSession() { return webSession; } @@ -76,9 +61,10 @@ public abstract class AssignmentEndpoint { * Of course you can overwrite these values in a specific lesson * * @return a builder for creating a result from a lesson + * @param assignment */ - protected AttackResult.AttackResultBuilder success() { - return AttackResult.builder(messages).lessonCompleted(true).feedback("assignment.solved"); + protected AttackResult.AttackResultBuilder success(AssignmentEndpoint assignment) { + return AttackResult.builder(messages).lessonCompleted(true).feedback("assignment.solved").assignment(assignment); } /** 
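Review bot: The `@param assignment` tag added to `success` is empty and placed after `@return`, so the generated Javadoc says nothing about what callers are expected to pass; `failed` and `informationMessage` in the next hunk have the same gap. Suggest `@param assignment the endpoint producing the result, normally {@code this}; it is recorded on the {@link AttackResult} as the assignment name` and moving the tag above `@return`. With `trackProgress` removed, `userTrackerRepository` is no longer referenced in the visible part of the class while its import is kept in the earlier hunk — if nothing else in `AssignmentEndpoint` uses it, the field and import can go as well; the class continues outside these hunks.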
@@ -90,12 +76,13 @@ public abstract class AssignmentEndpoint { * Of course you can overwrite these values in a specific lesson * * @return a builder for creating a result from a lesson + * @param assignment */ - protected AttackResult.AttackResultBuilder failed() { - return AttackResult.builder(messages).lessonCompleted(false).feedback("assignment.not.solved"); + protected AttackResult.AttackResultBuilder failed(AssignmentEndpoint assignment) { + return AttackResult.builder(messages).lessonCompleted(false).feedback("assignment.not.solved").assignment(assignment); } - protected AttackResult.AttackResultBuilder informationMessage() { - return AttackResult.builder(messages).lessonCompleted(false); + protected AttackResult.AttackResultBuilder informationMessage(AssignmentEndpoint assignment) { + return AttackResult.builder(messages).lessonCompleted(false).assignment(assignment); } } diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AttackResult.java b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AttackResult.java index e78d46338..87dbac643 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AttackResult.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AttackResult.java @@ -29,8 +29,11 @@ import lombok.Getter; import org.apache.commons.lang3.StringEscapeUtils; import org.owasp.webgoat.i18n.PluginMessages; +import java.util.Objects; + public class AttackResult { + public static class AttackResultBuilder { private boolean lessonCompleted; @@ -39,6 +42,7 @@ public class AttackResult { private String feedbackResourceBundleKey; private String output; private Object[] outputArgs; + private AssignmentEndpoint assignment; public AttackResultBuilder(PluginMessages messages) { this.messages = messages; 
@@ -77,7 +81,12 @@ public class AttackResult { } public AttackResult build() { - return new AttackResult(lessonCompleted, messages.getMessage(feedbackResourceBundleKey, feedbackArgs), messages.getMessage(output, output, outputArgs)); + return new AttackResult(lessonCompleted, messages.getMessage(feedbackResourceBundleKey, feedbackArgs), messages.getMessage(output, output, outputArgs), assignment.getClass().getSimpleName()); + } + + public AttackResultBuilder assignment(AssignmentEndpoint assignment) { + this.assignment = assignment; + return this; } } @@ -87,11 +96,14 @@ public class AttackResult { private String feedback; @Getter private String output; + @Getter + private final String assignment; - public AttackResult(boolean lessonCompleted, String feedback, String output) { + public AttackResult(boolean lessonCompleted, String feedback, String output, String assignment) { this.lessonCompleted = lessonCompleted; this.feedback = StringEscapeUtils.escapeJson(feedback); this.output = StringEscapeUtils.escapeJson(output); + this.assignment = assignment; } public static AttackResultBuilder builder(PluginMessages messages) { diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/LessonTrackerInterceptor.java b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/LessonTrackerInterceptor.java new file mode 100644 index 000000000..b378979bf --- /dev/null +++ b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/LessonTrackerInterceptor.java 
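Review bot: `build()` now dereferences `assignment` unconditionally via `assignment.getClass().getSimpleName()`, but `AttackResult.builder(messages)` is public and the new `assignment(...)` setter is optional, so a builder that skips it fails with a NullPointerException at build time instead of at the call site that forgot it. The `java.util.Objects` import added in this file's first hunk is otherwise unused, which suggests a guard was intended: `this.assignment = Objects.requireNonNull(assignment, "assignment");` in the setter and `Objects.requireNonNull(assignment, "assignment must be set before build()");` at the top of `build()`. The constructor's new `assignment` parameter also deserves a Javadoc line stating it is the endpoint's simple class name and, unlike `feedback` and `output`, is stored without `escapeJson`.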
@@ -0,0 +1,74 @@ +/* + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 2019 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects. 
+ */ + +package org.owasp.webgoat.assignments; + +import org.owasp.webgoat.session.WebSession; +import org.owasp.webgoat.users.UserTracker; +import org.owasp.webgoat.users.UserTrackerRepository; +import org.springframework.core.MethodParameter; +import org.springframework.http.MediaType; +import org.springframework.http.converter.HttpMessageConverter; +import org.springframework.http.server.ServerHttpRequest; +import org.springframework.http.server.ServerHttpResponse; +import org.springframework.web.bind.annotation.RestControllerAdvice; +import org.springframework.web.servlet.mvc.method.annotation.ResponseBodyAdvice; + +@RestControllerAdvice +public class LessonTrackerInterceptor implements ResponseBodyAdvice { + + private UserTrackerRepository userTrackerRepository; + private WebSession webSession; + + public LessonTrackerInterceptor(UserTrackerRepository userTrackerRepository, WebSession webSession) { + this.userTrackerRepository = userTrackerRepository; + this.webSession = webSession; + } + + @Override + public boolean supports(MethodParameter methodParameter, Class> clazz) { + return true; + } + + @Override + public Object beforeBodyWrite(Object o, MethodParameter methodParameter, MediaType mediaType, Class> aClass, ServerHttpRequest serverHttpRequest, ServerHttpResponse serverHttpResponse) { + if (o != null && o instanceof AttackResult) { + trackProgress((AttackResult) o); + } + return o; + } + + + protected AttackResult trackProgress(AttackResult attackResult) { + UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName()); + if (userTracker == null) { + userTracker = new UserTracker(webSession.getUserName()); + } + if (attackResult.assignmentSolved()) { + userTracker.assignmentSolved(webSession.getCurrentLesson(), attackResult.getAssignment()); + } else { + userTracker.assignmentFailed(webSession.getCurrentLesson()); + } + userTrackerRepository.saveAndFlush(userTracker); + return attackResult; + } +} 
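Review bot: `supports` returns `true` for every controller method, so `beforeBodyWrite` runs on every response body in the application and relies on the `instanceof` check to filter; narrowing it to the advice's real target keeps the interceptor off unrelated endpoints: `return AttackResult.class.isAssignableFrom(methodParameter.getParameterType());`. In `beforeBodyWrite` the `o != null &&` is redundant because `instanceof` is already false for null, and as printed `ResponseBodyAdvice` and `Class>` appear without type arguments (possibly lost in extraction) — if the raw types are really in the file they should be `ResponseBodyAdvice<Object>` and `Class<? extends HttpMessageConverter<?>>`. The two fields are assigned only in the constructor and can be `final`. The class has no Javadoc; a header stating that it records lesson progress for every `AttackResult` returned by an assignment endpoint, replacing the explicit `trackProgress` call removed from `AssignmentEndpoint`, would save the next reader the search.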
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/CourseConfiguration.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/CourseConfiguration.java similarity index 99% rename from webgoat-container/src/main/java/org/owasp/webgoat/plugins/CourseConfiguration.java rename to webgoat-container/src/main/java/org/owasp/webgoat/lessons/CourseConfiguration.java index cb7269c04..7c3a964ac 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/CourseConfiguration.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/CourseConfiguration.java @@ -20,7 +20,7 @@ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects. */ -package org.owasp.webgoat.plugins; +package org.owasp.webgoat.lessons; import lombok.extern.slf4j.Slf4j; import org.apache.commons.lang3.ArrayUtils; diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Lesson.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Lesson.java index 80828deb8..0bc5546ef 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Lesson.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Lesson.java @@ -119,5 +119,7 @@ public abstract class Lesson { return getTitle(); } - public abstract String getId(); + public final String getId() { + return this.getClass().getSimpleName(); + } } diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/RequestParameter.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/RequestParameter.java deleted file mode 100644 index 81c548fdf..000000000 --- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/RequestParameter.java +++ /dev/null 
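Review bot: Making `getId()` final and deriving it from the runtime class's simple name changes the id of any lesson whose old override returned something else — the override removed from `UserTrackerRepositoryTest` in a later hunk returned `"test"` — and, if progress is persisted by lesson id (inferred from the tracker code, not visible here), ties existing records to the class name so that a later rename of a lesson class would orphan them. That trade-off belongs in a Javadoc on the method, e.g. `/** Lesson id used for tracking and lookup: the simple class name, so renaming a lesson class changes its id. */`. The enclosing class `Lesson` starts outside the hunk.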
@@ -1,78 +0,0 @@ -/** - * ************************************************************************************************* - * - * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ - * - * Copyright (c) 2002 - 20014 Bruce Mayhew - * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. - * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. - * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. - * - * Getting Source ============== - * - * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository - * for free software projects. - * - */ - -package org.owasp.webgoat.lessons; - -/** - *

RequestParameter class.

- * - * @author rlawson - * @version $Id: $Id - */ -public class RequestParameter implements Comparable { - - private final String name; - private final String value; - - /** - *

Constructor for RequestParameter.

- * - * @param name a {@link java.lang.String} object. - * @param value a {@link java.lang.String} object. - */ - public RequestParameter(String name, String value) { - this.name = name; - this.value = value; - } - - /** - *

Getter for the field name.

- * - * @return the name - */ - public String getName() { - return name; - } - - /** - *

Getter for the field value.

- * - * @return the values - */ - public String getValue() { - return value; - } - - @Override - public int compareTo(RequestParameter o) { - return this.name.compareTo(o.getName()); - } - -} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginLoadingFailure.java b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginLoadingFailure.java deleted file mode 100644 index 007228ddb..000000000 --- a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginLoadingFailure.java +++ /dev/null @@ -1,29 +0,0 @@ -package org.owasp.webgoat.plugins; - -/** - *

PluginLoadingFailure class.

- * - * @version $Id: $Id - * @author dm - */ -public class PluginLoadingFailure extends RuntimeException { - - /** - *

Constructor for PluginLoadingFailure.

- * - * @param message a {@link java.lang.String} object. - */ - public PluginLoadingFailure(String message) { - super(message); - } - - /** - *

Constructor for PluginLoadingFailure.

- * - * @param message a {@link java.lang.String} object. - * @param e a {@link java.lang.Exception} object. - */ - public PluginLoadingFailure(String message, Exception e) { - super(message, e); - } -} diff --git a/webgoat-container/src/main/resources/application-webgoat.properties b/webgoat-container/src/main/resources/application-webgoat.properties index 7b6acee6e..a06a39eea 100644 --- a/webgoat-container/src/main/resources/application-webgoat.properties +++ b/webgoat-container/src/main/resources/application-webgoat.properties @@ -29,7 +29,6 @@ logging.level.org.owasp=DEBUG logging.level.org.owasp.webgoat=DEBUG webgoat.start.hsqldb=true -webgoat.clean=false webgoat.server.directory=${user.home}/.webgoat-${webgoat.build.version}/ webgoat.user.directory=${user.home}/.webgoat-${webgoat.build.version}/ webgoat.build.version=@project.version@ diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/service/LabelServiceTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/service/LabelServiceTest.java index 42834969c..75e8e188b 100644 --- a/webgoat-container/src/test/java/org/owasp/webgoat/service/LabelServiceTest.java +++ b/webgoat-container/src/test/java/org/owasp/webgoat/service/LabelServiceTest.java @@ -3,6 +3,7 @@ package org.owasp.webgoat.service; import org.hamcrest.CoreMatchers; import org.junit.Test; import org.junit.runner.RunWith; +import org.owasp.webgoat.assignments.LessonTrackerInterceptor; import org.owasp.webgoat.session.Course; import org.owasp.webgoat.users.UserService; import org.springframework.beans.factory.annotation.Autowired; @@ -56,6 +57,8 @@ public class LabelServiceTest { private Course course; @MockBean private UserService userService; + @MockBean + private LessonTrackerInterceptor interceptor; @Test @WithMockUser(username = "guest", password = "guest") 
diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/users/UserTrackerRepositoryTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/users/UserTrackerRepositoryTest.java index c1d0d36ef..213efd45f 100644 --- a/webgoat-container/src/test/java/org/owasp/webgoat/users/UserTrackerRepositoryTest.java +++ b/webgoat-container/src/test/java/org/owasp/webgoat/users/UserTrackerRepositoryTest.java @@ -31,11 +31,6 @@ public class UserTrackerRepositoryTest { return "test"; } - @Override - public String getId() { - return "test"; - } - @Override public List getAssignments() { Assignment assignment = new Assignment("test", "test", Lists.newArrayList()); diff --git a/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/AuthBypass.java b/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/AuthBypass.java index 47d3ab822..92f1f2250 100644 --- a/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/AuthBypass.java +++ b/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/AuthBypass.java @@ -38,10 +38,4 @@ public class AuthBypass extends Lesson { public String getTitle() { return "auth-bypass.title"; } - - @Override - public String getId() { - return "AuthBypass"; - } - } diff --git a/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/VerifyAccount.java b/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/VerifyAccount.java index 78110a807..3f6ff0b18 100644 --- a/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/VerifyAccount.java +++ b/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/VerifyAccount.java 
@@ -24,7 +24,6 @@ package org.owasp.webgoat.auth_bypass; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentHints; -import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; import org.owasp.webgoat.session.UserSessionData; import org.owasp.webgoat.session.WebSession; @@ -61,22 +60,22 @@ public class VerifyAccount extends AssignmentEndpoint { AccountVerificationHelper verificationHelper = new AccountVerificationHelper(); Map submittedAnswers = parseSecQuestions(req); if (verificationHelper.didUserLikelylCheat((HashMap) submittedAnswers)) { - return trackProgress(failed() + return failed(this) .feedback("verify-account.cheated") .output("Yes, you guessed correctly, but see the feedback message") - .build()); + .build(); } // else if (verificationHelper.verifyAccount(Integer.valueOf(userId), (HashMap) submittedAnswers)) { userSessionData.setValue("account-verified-id", userId); - return trackProgress(success() + return success(this) .feedback("verify-account.success") - .build()); + .build(); } else { - return trackProgress(failed() + return failed(this) .feedback("verify-account.failed") - .build()); + .build(); } } diff --git a/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/bypass_restrictions/BypassRestrictions.java b/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/bypass_restrictions/BypassRestrictions.java index 460b5f8fb..34a9341ca 100644 --- a/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/bypass_restrictions/BypassRestrictions.java +++ b/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/bypass_restrictions/BypassRestrictions.java @@ -37,9 +37,4 @@ public class BypassRestrictions extends Lesson { public String getTitle() { return "bypass-restrictions.title"; } - - @Override - public String getId() { - return "BypassRestrictions"; - } } 
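Review bot: `Integer.valueOf(userId)` on the new side of the second hunk is unguarded, so a non-numeric `userId` throws `NumberFormatException` and the request ends in a 500 instead of the `verify-account.failed` result (where `userId` is bound is outside the hunk — presumably a request parameter, so it is attacker-controlled). Parse it first: `int id; try { id = Integer.parseInt(userId); } catch (NumberFormatException e) { return failed(this).feedback("verify-account.failed").build(); }` and pass `id` to `verifyAccount`. The two raw `(HashMap) submittedAnswers` casts would also go away if `parseSecQuestions` returned a typed `Map<String, String>`. The enclosing method's signature is above the hunk.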
diff --git a/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/bypass_restrictions/BypassRestrictionsFieldRestrictions.java b/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/bypass_restrictions/BypassRestrictionsFieldRestrictions.java
index 2cb76009f..6de74feed 100644
--- a/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/bypass_restrictions/BypassRestrictionsFieldRestrictions.java
+++ b/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/bypass_restrictions/BypassRestrictionsFieldRestrictions.java
@@ -36,17 +36,17 @@ public class BypassRestrictionsFieldRestrictions extends AssignmentEndpoint {
 @ResponseBody
 public AttackResult completed(@RequestParam String select, @RequestParam String radio, @RequestParam String checkbox, @RequestParam String shortInput) {
 if (select.equals("option1") || select.equals("option2")) {
- return trackProgress(failed().build());
+ return failed(this).build();
 }
 if (radio.equals("option1") || radio.equals("option2")) {
- return trackProgress(failed().build());
+ return failed(this).build();
 }
 if (checkbox.equals("on") || checkbox.equals("off")) {
- return trackProgress(failed().build());
+ return failed(this).build();
 }
 if (shortInput.length() <= 5) {
- return trackProgress(failed().build());
+ return failed(this).build();
 }
- return trackProgress(success().build());
+ return success(this).build();
 }
 }
diff --git a/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/bypass_restrictions/BypassRestrictionsFrontendValidation.java b/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/bypass_restrictions/BypassRestrictionsFrontendValidation.java
index 1d2a4aab7..212ee9133 100644
--- a/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/bypass_restrictions/BypassRestrictionsFrontendValidation.java
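Review bot: `@RequestParam String checkbox` is a required parameter, and browsers omit an unchecked checkbox from a form post entirely, so a user who simply unticks the box gets a 400 from Spring rather than this method's `failed(this)` result. Declare it `@RequestParam(required = false, defaultValue = "off") String checkbox` so the "off" case is handled by the code that already tests for it (confirm against the lesson's form whether the field is always sent). The four identical `failed(this).build()` branches could also be one combined condition.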
+++ b/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/bypass_restrictions/BypassRestrictionsFrontendValidation.java @@ -23,13 +23,9 @@ package org.owasp.webgoat.bypass_restrictions; import org.owasp.webgoat.assignments.AssignmentEndpoint; -import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; import org.springframework.web.bind.annotation.*; -import javax.servlet.http.HttpServletRequest; -import java.io.IOException; - @RestController public class BypassRestrictionsFrontendValidation extends AssignmentEndpoint { @@ -44,29 +40,29 @@ public class BypassRestrictionsFrontendValidation extends AssignmentEndpoint { final String regex6 = "^\\d{5}(-\\d{4})?$"; final String regex7 = "^[2-9]\\d{2}-?\\d{3}-?\\d{4}$"; if (error > 0) { - return trackProgress(failed().build()); + return failed(this).build(); } if (field1.matches(regex1)) { - return trackProgress(failed().build()); + return failed(this).build(); } if (field2.matches(regex2)) { - return trackProgress(failed().build()); + return failed(this).build(); } if (field3.matches(regex3)) { - return trackProgress(failed().build()); + return failed(this).build(); } if (field4.matches(regex4)) { - return trackProgress(failed().build()); + return failed(this).build(); } if (field5.matches(regex5)) { - return trackProgress(failed().build()); + return failed(this).build(); } if (field6.matches(regex6)) { - return trackProgress(failed().build()); + return failed(this).build(); } if (field7.matches(regex7)) { - return trackProgress(failed().build()); + return failed(this).build(); } - return trackProgress(success().build()); + return success(this).build(); } } diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/ChallengeIntro.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/ChallengeIntro.java index 9afdb83d4..405447e48 100644 
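Review bot: The regexes in the second hunk are local `String`s fed to `String.matches`, which recompiles each pattern on every request; they should be compiled once as `private static final Pattern` fields, e.g. `private static final Pattern ZIP = Pattern.compile("^\\d{5}(-\\d{4})?$");` with `if (ZIP.matcher(field6).matches())`. The seven near-identical if/return blocks could then collapse to a single loop over pattern/value pairs. Style only; the method signature and `regex1`–`regex5` are above the hunk.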
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/ChallengeIntro.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/ChallengeIntro.java
@@ -18,9 +18,4 @@ public class ChallengeIntro extends Lesson {
 public String getTitle() {
 return "challenge0.title";
 }
-
- @Override
- public String getId() {
- return "Challenge";
- }
 }
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/Assignment1.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/Assignment1.java
index 404cbb16b..4c2d0d683 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/Assignment1.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/Assignment1.java
@@ -48,11 +48,11 @@ public class Assignment1 extends AssignmentEndpoint {
 boolean ipAddressKnown = true;
 boolean passwordCorrect = "admin".equals(username) && PASSWORD.equals(password);
 if (passwordCorrect && ipAddressKnown) {
- return success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(1)).build();
+ return success(this).feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(1)).build();
 } else if (passwordCorrect) {
- return failed().feedback("ip.address.unknown").build();
+ return failed(this).feedback("ip.address.unknown").build();
 }
- return failed().build();
+ return failed(this).build();
 }
 public static boolean containsHeader(HttpServletRequest request) {
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/Challenge1.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/Challenge1.java
index 20945ca7f..86d1edfcc 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/Challenge1.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/Challenge1.java
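Review bot: The `else if (passwordCorrect)` branch in the Assignment1 hunk is dead: `ipAddressKnown` is hard-coded to `true` two lines up, so `passwordCorrect && ipAddressKnown` is false only when `passwordCorrect` is false, and the `ip.address.unknown` feedback can never be sent. Either derive `ipAddressKnown` from the request (the `containsHeader(HttpServletRequest)` helper whose signature closes the hunk looks like the intended source — confirm) or drop the branch and its message key; at minimum mark the stub: `boolean ipAddressKnown = true; // TODO stub: the ip.address.unknown branch below is unreachable until this is computed`. Before this commit the method returned `success()` without `trackProgress()`; with tracking moved into the framework per the commit message, confirm that guessing the admin password is meant to be recorded as solving the challenge rather than only the flag submission. The method's signature is above the hunk.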
@@ -20,9 +20,4 @@ public class Challenge1 extends Lesson {
 public String getTitle() {
 return "challenge1.title";
 }
-
- @Override
- public String getId() {
- return "Challenge1";
- }
 }
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
index f6f3ca953..e583d72a5 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
@@ -50,19 +50,19 @@ public class Assignment5 extends AssignmentEndpoint {
 @ResponseBody
 public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {
 if (!StringUtils.hasText(username_login) || !StringUtils.hasText(password_login)) {
- return failed().feedback("required4").build();
+ return failed(this).feedback("required4").build();
 }
 if (!"Larry".equals(username_login)) {
- return failed().feedback("user.not.larry").feedbackArgs(username_login).build();
+ return failed(this).feedback("user.not.larry").feedbackArgs(username_login).build();
 }
 try (var connection = dataSource.getConnection()) {
 PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'");
 ResultSet resultSet = statement.executeQuery();
 if (resultSet.next()) {
- return success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(5)).build();
+ return success(this).feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(5)).build();
 } else {
- return failed().feedback("challenge.close").build();
+ return failed(this).feedback("challenge.close").build();
 }
 }
 }
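Review bot: The `prepareStatement` call in the Assignment5 hunk still builds the query by concatenating `username_login` and `password_login`; that is the injection this challenge exists to teach, but nothing in the code says so, so a contributor or a scanner-driven cleanup could parameterise it and silently break the challenge. Add `// intentionally vulnerable: string-built SQL is the point of this challenge — do not parameterise` above it, and note there that `username_login` has already been forced to "Larry" by the preceding check, so `password_login` is the live injection point. The `PreparedStatement` and `ResultSet` are released only through the connection's close; declaring them in the same try-with-resources header makes that explicit.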
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Challenge5.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Challenge5.java index 0c97011d7..ab068ff2a 100644 --- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Challenge5.java +++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Challenge5.java @@ -42,9 +42,4 @@ public class Challenge5 extends Lesson { public String getTitle() { return "challenge5.title"; } - - @Override - public String getId() { - return "Challenge5"; - } } diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Assignment7.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Assignment7.java index b8bc7bb4a..a1276a559 100644 --- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Assignment7.java +++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Assignment7.java @@ -1,6 +1,5 @@ package org.owasp.webgoat.challenges.challenge7; -import lombok.SneakyThrows; import lombok.extern.slf4j.Slf4j; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AttackResult; @@ -71,7 +70,7 @@ public class Assignment7 extends AssignmentEndpoint { restTemplate.postForEntity(webWolfMailURL, mail, Object.class); } } - return success().feedback("email.send").feedbackArgs(email).build(); + return success(this).feedback("email.send").feedbackArgs(email).build(); } @GetMapping(value = "/challenge/7/.git", produces = MediaType.APPLICATION_OCTET_STREAM_VALUE) diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Challenge7.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Challenge7.java index 75f96c85f..cbcd25f7a 100644 
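Review bot: `success(this)` at the end of the Assignment7 hunk is returned whether or not a mail was posted (the `if` around `restTemplate.postForEntity` closes just above it), and before this commit the method returned `success()` without `trackProgress()`, so the reset request was not recorded as progress; the commit message moves tracking into the framework for every returned `AttackResult`, so confirm that requesting a password reset is not now credited as solving challenge 7 — presumably the flag submission should remain the only solve. If this must stay a success result for the UI but not count, make the intent explicit with `// reset mail sent (or skipped): not the challenge solve — the flag endpoint is`. `email` is also echoed back through `feedbackArgs`, so the feedback template must escape it; the rendering is not visible here. The enclosing method starts outside the hunk.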
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Challenge7.java +++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Challenge7.java @@ -20,9 +20,4 @@ public class Challenge7 extends Lesson { public String getTitle() { return "challenge7.title"; } - - @Override - public String getId() { - return "Challenge7"; - } } diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge8/Challenge8.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge8/Challenge8.java index 51f23beb2..6d02db4e5 100644 --- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge8/Challenge8.java +++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge8/Challenge8.java @@ -20,9 +20,4 @@ public class Challenge8 extends Lesson { public String getTitle() { return "challenge8.title"; } - - @Override - public String getId() { - return "Challenge8"; - } } diff --git a/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/chrome_dev_tools/ChromeDevTools.java b/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/chrome_dev_tools/ChromeDevTools.java index 64c96f36a..29c8dd9a9 100644 --- a/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/chrome_dev_tools/ChromeDevTools.java +++ b/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/chrome_dev_tools/ChromeDevTools.java @@ -35,16 +35,11 @@ public class ChromeDevTools extends Lesson { @Override public Category getDefaultCategory() { - return Category.GENERAL; + return Category.GENERAL; } @Override public String getTitle() { - return "3.chrome-dev-tools.title";//3rd lesson in General + return "3.chrome-dev-tools.title";//3rd lesson in General } - - @Override - public String getId() { - return "ChromeDevTools"; - } - } +} 
diff --git a/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/chrome_dev_tools/NetworkDummy.java b/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/chrome_dev_tools/NetworkDummy.java index b8bd0b5e3..dcc7ad7ef 100644 --- a/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/chrome_dev_tools/NetworkDummy.java +++ b/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/chrome_dev_tools/NetworkDummy.java @@ -23,13 +23,10 @@ package org.owasp.webgoat.chrome_dev_tools; import org.owasp.webgoat.assignments.AssignmentEndpoint; -import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; import org.owasp.webgoat.session.UserSessionData; import org.springframework.web.bind.annotation.*; -import java.io.IOException; - /** * This is just a class used to make the the HTTP request. * @@ -46,9 +43,9 @@ public class NetworkDummy extends AssignmentEndpoint { String answer = (String) userSessionData.getValue("randValue"); if (successMessage != null && successMessage.equals(answer)) { - return trackProgress(success().feedback("xss-dom-message-success").build()); + return success(this).feedback("xss-dom-message-success").build(); } else { - return trackProgress(failed().feedback("xss-dom-message-failure").build()); + return failed(this).feedback("xss-dom-message-failure").build(); } } } \ No newline at end of file diff --git a/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/chrome_dev_tools/NetworkLesson.java b/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/chrome_dev_tools/NetworkLesson.java index 37addc0de..0baff0e15 100644 --- a/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/chrome_dev_tools/NetworkLesson.java +++ b/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/chrome_dev_tools/NetworkLesson.java 
@@ -24,13 +24,10 @@ package org.owasp.webgoat.chrome_dev_tools; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentHints; -import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; import org.springframework.http.ResponseEntity; import org.springframework.web.bind.annotation.*; -import java.io.IOException; - /** * Assignment where the user has to look through an HTTP Request * using the Developer Tools and find a specific number. @@ -46,9 +43,9 @@ public class NetworkLesson extends AssignmentEndpoint { @ResponseBody public AttackResult completed(@RequestParam String network_num, @RequestParam String number) { if (network_num.equals(number)) { - return trackProgress(success().feedback("network.success").output("").build()); + return success(this).feedback("network.success").output("").build(); } else { - return trackProgress(failed().feedback("network.failed").build()); + return failed(this).feedback("network.failed").build(); } } diff --git a/webgoat-lessons/cia/src/main/java/org/owasp/webgoat/cia/CIA.java b/webgoat-lessons/cia/src/main/java/org/owasp/webgoat/cia/CIA.java index 00d3ecd01..7210de301 100644 --- a/webgoat-lessons/cia/src/main/java/org/owasp/webgoat/cia/CIA.java +++ b/webgoat-lessons/cia/src/main/java/org/owasp/webgoat/cia/CIA.java @@ -20,9 +20,4 @@ public class CIA extends Lesson { public String getTitle() { return "4.cia.title";//4th lesson in general } - - @Override - public String getId() { - return "CIA"; - } } \ No newline at end of file diff --git a/webgoat-lessons/cia/src/main/java/org/owasp/webgoat/cia/CIAQuiz.java b/webgoat-lessons/cia/src/main/java/org/owasp/webgoat/cia/CIAQuiz.java index 84a162841..4134b2915 100644 --- a/webgoat-lessons/cia/src/main/java/org/owasp/webgoat/cia/CIAQuiz.java +++ b/webgoat-lessons/cia/src/main/java/org/owasp/webgoat/cia/CIAQuiz.java 
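Review bot: `network_num.equals(number)` in the NetworkLesson hunk compares two request parameters, so the check passes for any pair of identical values the client chooses to send; the hunk does not show where `number` is meant to originate, but if the intent is to confirm the user found a server-issued value, that value should be read from the session — as `NetworkDummy` does with `userSessionData.getValue("randValue")` — rather than trusted from the request. If comparing against a client-supplied `number` is deliberate for this lesson, document it: `// both values arrive from the client by design — this lesson only checks that the user located the number in the request`.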
@@ -29,9 +29,9 @@ public class CIAQuiz extends AssignmentEndpoint { } if (correctAnswers == solutions.length) { - return trackProgress(success().build()); + return success(this).build(); } else { - return trackProgress(failed().build()); + return failed(this).build(); } } diff --git a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/ClientSideFiltering.java b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/ClientSideFiltering.java index 1d84974e3..b51ba9d40 100644 --- a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/ClientSideFiltering.java +++ b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/ClientSideFiltering.java @@ -45,9 +45,4 @@ public class ClientSideFiltering extends Lesson { public String getTitle() { return "client.side.filtering.title"; } - - @Override - public String getId() { - return "ClientSideFiltering"; - } } diff --git a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/ClientSideFilteringAssignment.java b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/ClientSideFilteringAssignment.java index 01a94915e..2cb88888d 100644 --- a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/ClientSideFilteringAssignment.java +++ b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/ClientSideFilteringAssignment.java 
@@ -24,12 +24,9 @@ package org.owasp.webgoat.client_side_filtering; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentHints; -import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; import org.springframework.web.bind.annotation.*; -import java.io.IOException; - @RestController @AssignmentHints({"ClientSideFilteringHint1", "ClientSideFilteringHint2", "ClientSideFilteringHint3", "ClientSideFilteringHint4"}) public class ClientSideFilteringAssignment extends AssignmentEndpoint { @@ -37,8 +34,8 @@ public class ClientSideFilteringAssignment extends AssignmentEndpoint { @PostMapping("/clientSideFiltering/attack1") @ResponseBody public AttackResult completed(@RequestParam String answer) { - return trackProgress("450000".equals(answer) - ? success().feedback("assignment.solved").build() : - failed().feedback("ClientSideFiltering.incorrect").build()); + return "450000".equals(answer) + ? success(this).feedback("assignment.solved").build() : + failed(this).feedback("ClientSideFiltering.incorrect").build(); } } diff --git a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/ClientSideFilteringFreeAssignment.java b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/ClientSideFilteringFreeAssignment.java index 4ff906850..2331b4d0c 100644 --- a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/ClientSideFilteringFreeAssignment.java +++ b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/ClientSideFilteringFreeAssignment.java 
@@ -24,12 +24,9 @@ package org.owasp.webgoat.client_side_filtering; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentHints; -import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; import org.springframework.web.bind.annotation.*; -import java.io.IOException; - /** * @author nbaars * @since 4/6/17. @@ -44,8 +41,8 @@ public class ClientSideFilteringFreeAssignment extends AssignmentEndpoint { @ResponseBody public AttackResult completed(@RequestParam String checkoutCode) { if (SUPER_COUPON_CODE.equals(checkoutCode)) { - return trackProgress(success().build()); + return success(this).build(); } - return trackProgress(failed().build()); + return failed(this).build(); } } diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScripting.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScripting.java index 0a62c18b3..898d13838 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScripting.java +++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScripting.java @@ -37,9 +37,4 @@ public class CrossSiteScripting extends Lesson { public String getTitle() { return "xss.title"; } - - @Override - public String getId() { - return "CrossSiteScripting"; - } } diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1.java index 327b56bfe..3f988a8e2 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1.java +++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1.java 
@@ -38,9 +38,9 @@ public class CrossSiteScriptingLesson1 extends AssignmentEndpoint {
 @ResponseBody
 public AttackResult completed(@RequestParam String answer_xss_1) {
 if (answer_xss_1.toString().toLowerCase().equals("yes")) {
- return trackProgress(success().build());
+ return success(this).build();
 } else {
- return trackProgress(failed().feedback("xss.lesson1.failure").build());
+ return failed(this).feedback("xss.lesson1.failure").build();
 }
 }
 }
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson3.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson3.java
index 889ff6ef0..78310b9b0 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson3.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson3.java
@@ -44,7 +44,7 @@ public class CrossSiteScriptingLesson3 extends AssignmentEndpoint {
 public AttackResult completed(@RequestParam String editor) {
 String unescapedString = org.jsoup.parser.Parser.unescapeEntities(editor, true);
 try {
- if (editor.isEmpty()) return trackProgress(failed().feedback("xss-mitigation-3-no-code").build());
+ if (editor.isEmpty()) return failed(this).feedback("xss-mitigation-3-no-code").build();
 Document doc = Jsoup.parse(unescapedString);
 String[] lines = unescapedString.split("");
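Review bot: `answer_xss_1.toString().toLowerCase().equals("yes")` in the Lesson1 hunk calls `toString()` on a `String`, which is a no-op, and uses the default-locale `toLowerCase()`, whose result is locale-dependent for inputs containing `I` (e.g. under a Turkish default locale); `"yes".equalsIgnoreCase(answer_xss_1)` expresses the intent without either. Style only — the accepted answer is unchanged.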
@@ -68,12 +68,12 @@ public class CrossSiteScriptingLesson3 extends AssignmentEndpoint {
 if (includeCorrect && firstNameCorrect && lastNameCorrect) {
 System.out.println("true");
- return trackProgress(success().feedback("xss-mitigation-3-success").build());
+ return success(this).feedback("xss-mitigation-3-success").build();
 } else {
- return trackProgress(failed().feedback("xss-mitigation-3-failure").build());
+ return failed(this).feedback("xss-mitigation-3-failure").build();
 }
 } catch (Exception e) {
- return trackProgress(failed().output(e.getMessage()).build());
+ return failed(this).output(e.getMessage()).build();
 }
 }
 }
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson4.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson4.java
index 6e30f7f7d..738d46054 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson4.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson4.java
@@ -52,10 +52,10 @@ public class CrossSiteScriptingLesson4 extends AssignmentEndpoint {
 editor.contains("MyCommentDAO.addComment(threadID, userID") &&
 editor.contains(".getCleanHTML());")) {
 log.debug("true");
- return trackProgress(success().feedback("xss-mitigation-4-success").build());
+ return success(this).feedback("xss-mitigation-4-success").build();
 } else {
 log.debug("false");
- return trackProgress(failed().feedback("xss-mitigation-4-failed").build());
+ return failed(this).feedback("xss-mitigation-4-failed").build();
 }
 }
 }
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
index e21a49c15..a3a0e9780 100644
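Review bot: The `catch (Exception e)` arm in the Lesson3 hunk sends `e.getMessage()` to the client through `.output(...)`, leaking parser and internal exception text to the user; log it server-side and return a fixed feedback key instead: `log.warn("xss-mitigation-3 evaluation failed", e); return failed(this).feedback("xss-mitigation-3-failure").build();` (this class would need an SLF4J logger, which `CrossSiteScriptingLesson4` below already uses via `log.debug`). The `System.out.println("true")` just above the success return is a leftover debug print and should go for the same reason. The enclosing `try` begins in the previous hunk.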
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java +++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java @@ -46,7 +46,7 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint { @RequestParam String field2) { if (field2.toLowerCase().matches("