dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Adjust lesson template (#704)

Browse Source 
* Remove method `getId()` from all lessons as it defaults to the class name

* remove clean up endpoint

* remove unused class `RequestParameter`

* remove unused class `PluginLoadingFailure`

* Move `CourseConfiguration` to lesson package

* Add more content around the lesson template lesson and make it visible as a lesson in WebGoat

* Remove explicit invocation `trackProgress()` inside WebGoat framework so assignments only need to return an `AttackResult`

* Put original solution back as well for SQL string injection

* review comments

* Add
This commit is contained in:
Nanne Baars
2019-11-17 13:39:56 +01:00
committed by René Zubcevic
parent f40b6ffd31
commit 5dd6b31905
139 changed files with 769 additions and 870 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScripting.java
View File

@ -37,9 +37,4 @@ public class CrossSiteScripting extends Lesson {
public String getTitle() {
return "xss.title";
}
@Override
public String getId() {
return "CrossSiteScripting";
}
}

4
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1.java
View File

@ -38,9 +38,9 @@ public class CrossSiteScriptingLesson1 extends AssignmentEndpoint {
@ResponseBody
public AttackResult completed(@RequestParam String answer_xss_1) {
if (answer_xss_1.toString().toLowerCase().equals("yes")) {
return trackProgress(success().build());
return success(this).build();
} else {
return trackProgress(failed().feedback("xss.lesson1.failure").build());
return failed(this).feedback("xss.lesson1.failure").build();
}
}
}

8
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson3.java
View File

@ -44,7 +44,7 @@ public class CrossSiteScriptingLesson3 extends AssignmentEndpoint {
public AttackResult completed(@RequestParam String editor) {
String unescapedString = org.jsoup.parser.Parser.unescapeEntities(editor, true);
try {
if (editor.isEmpty()) return trackProgress(failed().feedback("xss-mitigation-3-no-code").build());
if (editor.isEmpty()) return failed(this).feedback("xss-mitigation-3-no-code").build();
Document doc = Jsoup.parse(unescapedString);
String[] lines = unescapedString.split("<html>");
@ -68,12 +68,12 @@ public class CrossSiteScriptingLesson3 extends AssignmentEndpoint {
if (includeCorrect && firstNameCorrect && lastNameCorrect) {
System.out.println("true");
return trackProgress(success().feedback("xss-mitigation-3-success").build());
return success(this).feedback("xss-mitigation-3-success").build();
} else {
return trackProgress(failed().feedback("xss-mitigation-3-failure").build());
return failed(this).feedback("xss-mitigation-3-failure").build();
}
} catch (Exception e) {
return trackProgress(failed().output(e.getMessage()).build());
return failed(this).output(e.getMessage()).build();
}
}
}

4
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson4.java
View File

@ -52,10 +52,10 @@ public class CrossSiteScriptingLesson4 extends AssignmentEndpoint {
editor.contains("MyCommentDAO.addComment(threadID, userID") &&
editor.contains(".getCleanHTML());")) {
log.debug("true");
return trackProgress(success().feedback("xss-mitigation-4-success").build());
return success(this).feedback("xss-mitigation-4-success").build();
} else {
log.debug("false");
return trackProgress(failed().feedback("xss-mitigation-4-failed").build());
return failed(this).feedback("xss-mitigation-4-failed").build();
}
}
}

12
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
View File

@ -46,7 +46,7 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
@RequestParam String field2) {
if (field2.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) {
return trackProgress(failed().feedback("xss-reflected-5a-failed-wrong-field").build());
return failed(this).feedback("xss-reflected-5a-failed-wrong-field").build();
}
double totalSale = QTY1.intValue() * 69.99 + QTY2.intValue() * 27.99 + QTY3.intValue() * 1599.99 + QTY4.intValue() * 299.99;
@ -64,19 +64,19 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
}
if (field1.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) {
//return trackProgress()
//return )
userSessionData.setValue("xss-reflected-5a-complete", "true");
if (field1.toLowerCase().contains("console.log")) {
return trackProgress(success().feedback("xss-reflected-5a-success-console").output(cart.toString()).build());
return success(this).feedback("xss-reflected-5a-success-console").output(cart.toString()).build();
} else {
return trackProgress(success().feedback("xss-reflected-5a-success-alert").output(cart.toString()).build());
return success(this).feedback("xss-reflected-5a-success-alert").output(cart.toString()).build();
}
} else {
userSessionData.setValue("xss-reflected1-complete", "false");
return trackProgress(success()
return success(this)
.feedback("xss-reflected-5a-failure")
.output(cart.toString())
.build());
.build();
}
}
}

6
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson6a.java
View File

@ -42,10 +42,10 @@ public class CrossSiteScriptingLesson6a extends AssignmentEndpoint {
public AttackResult completed(@RequestParam String DOMTestRoute) {
if (DOMTestRoute.matches("start\\.mvc#test(\\/|)")) {
//return trackProgress()
return trackProgress(success().feedback("xss-reflected-6a-success").build());
//return )
return success(this).feedback("xss-reflected-6a-success").build();
} else {
return trackProgress(failed().feedback("xss-reflected-6a-failure").build());
return failed(this).feedback("xss-reflected-6a-failure").build();
}
}

4
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingQuiz.java
View File

@ -53,9 +53,9 @@ public class CrossSiteScriptingQuiz extends AssignmentEndpoint {
}
if (correctAnswers == solutions.length) {
return trackProgress(success().build());
return success(this).build();
} else {
return trackProgress(failed().build());
return failed(this).build();
}
}

4
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java
View File

@ -42,9 +42,9 @@ public class DOMCrossSiteScripting extends AssignmentEndpoint {
userSessionData.setValue("randValue", String.valueOf(number.nextInt()));
if (param1 == 42 && param2 == 24 && request.getHeader("webgoat-requested-by").equals("dom-xss-vuln")) {
return trackProgress(success().output("phoneHome Response is " + userSessionData.getValue("randValue").toString()).build());
return success(this).output("phoneHome Response is " + userSessionData.getValue("randValue").toString()).build();
} else {
return trackProgress(failed().build());
return failed(this).build();
}
}
}

4
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScriptingVerifier.java
View File

@ -42,9 +42,9 @@ public class DOMCrossSiteScriptingVerifier extends AssignmentEndpoint {
String answer = (String) userSessionData.getValue("randValue");
if (successMessage.equals(answer)) {
return trackProgress(success().feedback("xss-dom-message-success").build());
return success(this).feedback("xss-dom-message-success").build();
} else {
return trackProgress(failed().feedback("xss-dom-message-failure").build());
return failed(this).feedback("xss-dom-message-failure").build();
}
}
}

5
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/mitigation/CrossSiteScriptingMitigation.java
View File

@ -35,9 +35,4 @@ public class CrossSiteScriptingMitigation extends Lesson {
public String getTitle() {
return "xss-mitigation.title";
}
@Override
public String getId() {
return "CrossSiteScriptingMitigation";
}
}

5
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/CrossSiteScriptingStored.java
View File

@ -35,9 +35,4 @@ public class CrossSiteScriptingStored extends Lesson {
public String getTitle() {
return "xss-stored.title";
}
@Override
public String getId() {
return "CrossSiteScriptingStored";
}
}

4
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredCrossSiteScriptingVerifier.java
View File

@ -43,9 +43,9 @@ public class StoredCrossSiteScriptingVerifier extends AssignmentEndpoint {
UserSessionData userSessionData = getUserSessionData();
if (successMessage.equals(userSessionData.getValue("randValue").toString())) {
return trackProgress(success().feedback("xss-stored-callback-success").build());
return success(this).feedback("xss-stored-callback-success").build();
} else {
return trackProgress(failed().feedback("xss-stored-callback-failure").build());
return failed(this).feedback("xss-stored-callback-failure").build();
}
}
}

4
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
View File

@ -88,9 +88,9 @@ public class StoredXssComments extends AssignmentEndpoint {
userComments.put(webSession.getUserName(), comments);
if (comment.getText().contains(phoneHomeString)) {
return (success().feedback("xss-stored-comment-success").build());
return (success(this).feedback("xss-stored-comment-success").build());
} else {
return (failed().feedback("xss-stored-comment-failure").build());
return (failed(this).feedback("xss-stored-comment-failure").build());
}
}