Adjust lesson template (#704)

* Remove method `getId()` from all lessons as it defaults to the class name

* remove clean up endpoint

* remove unused class `RequestParameter`

* remove unused class `PluginLoadingFailure`

* Move `CourseConfiguration` to lesson package

* Add more content around the lesson template lesson and make it visible as a lesson in WebGoat

* Remove explicit invocation `trackProgress()` inside WebGoat framework so assignments only need to return an `AttackResult`

* Put original solution back as well for SQL string injection

* review comments

* Add
Nanne Baars
2019-11-17 13:39:56 +01:00
committed by René Zubcevic
parent f40b6ffd31
commit 5dd6b31905
139 changed files with 769 additions and 870 deletions


@ -45,10 +45,4 @@ public class IDOR extends Lesson {
public String getTitle() {
return "idor.title";
}
@Override
public String getId() {
return "IDOR";
}
}


@ -24,13 +24,9 @@ package org.owasp.webgoat.idor;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.web.bind.annotation.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
@RestController
@AssignmentHints({"idor.hints.idorDiffAttributes1", "idor.hints.idorDiffAttributes2", "idor.hints.idorDiffAttributes3"})
public class IDORDiffAttributes extends AssignmentEndpoint {
@ -41,13 +37,13 @@ public class IDORDiffAttributes extends AssignmentEndpoint {
attributes = attributes.trim();
String[] diffAttribs = attributes.split(",");
if (diffAttribs.length < 2) {
return trackProgress(failed().feedback("idor.diff.attributes.missing").build());
return failed(this).feedback("idor.diff.attributes.missing").build();
}
if (diffAttribs[0].toLowerCase().trim().equals("userid") && diffAttribs[1].toLowerCase().trim().equals("role")
|| diffAttribs[1].toLowerCase().trim().equals("userid") && diffAttribs[0].toLowerCase().trim().equals("role")) {
return trackProgress(success().feedback("idor.diff.success").build());
return success(this).feedback("idor.diff.success").build();
} else {
return trackProgress(failed().feedback("idor.diff.failure").build());
return failed(this).feedback("idor.diff.failure").build();
}
}
}
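Review bot: The `toLowerCase()` calls in the condition directly above the new `success(this)` return use the JVM's default locale, so the comparison against `"userid"` can fail under locales with special casing rules (a locale-specific lowercase `I` is not the ASCII `i`). Normalising the two parts once with an explicit root locale, `String first = diffAttribs[0].trim().toLowerCase(Locale.ROOT); String second = diffAttribs[1].trim().toLowerCase(Locale.ROOT);`, removes that dependency and reads more clearly than the four repeated chains. The same default-locale `toLowerCase().equals("red")` pattern appears in IDOREditOtherProfiile, where `"red".equalsIgnoreCase(currentUserProfile.getColor())` would be the null-safe, locale-independent form. The enclosing assignment method starts outside the hunk.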


@ -52,42 +52,42 @@ public class IDOREditOtherProfiile extends AssignmentEndpoint {
// we will persist in the session object for now in case we want to refer back or use it later
userSessionData.setValue("idor-updated-other-profile", currentUserProfile);
if (currentUserProfile.getRole() <= 1 && currentUserProfile.getColor().toLowerCase().equals("red")) {
return trackProgress(success()
return success(this)
.feedback("idor.edit.profile.success1")
.output(currentUserProfile.profileToMap().toString())
.build());
.build();
}
if (currentUserProfile.getRole() > 1 && currentUserProfile.getColor().toLowerCase().equals("red")) {
return trackProgress(success()
return success(this)
.feedback("idor.edit.profile.failure1")
.output(currentUserProfile.profileToMap().toString())
.build());
.build();
}
if (currentUserProfile.getRole() <= 1 && !currentUserProfile.getColor().toLowerCase().equals("red")) {
return trackProgress(success()
return success(this)
.feedback("idor.edit.profile.failure2")
.output(currentUserProfile.profileToMap().toString())
.build());
.build();
}
// else
return trackProgress(failed()
return failed(this)
.feedback("idor.edit.profile.failure3")
.output(currentUserProfile.profileToMap().toString())
.build());
.build();
} else if (userSubmittedProfile.getUserId().equals(authUserId)) {
return failed().feedback("idor.edit.profile.failure4").build();
return failed(this).feedback("idor.edit.profile.failure4").build();
}
if (currentUserProfile.getColor().equals("black") && currentUserProfile.getRole() <= 1) {
return trackProgress(success()
return success(this)
.feedback("idor.edit.profile.success2")
.output(userSessionData.getValue("idor-updated-own-profile").toString())
.build());
.build();
} else {
return trackProgress(failed().feedback("idor.edit.profile.failure3").build());
return failed(this).feedback("idor.edit.profile.failure3").build();
}
}
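Review bot: The `success2` branch builds its output from `userSessionData.getValue("idor-updated-own-profile").toString()`, which throws a NullPointerException if that session value was never stored (presumably an earlier step of the lesson writes it; worth confirming rather than relying on call order). A guard such as `Object own = userSessionData.getValue("idor-updated-own-profile"); if (own == null) { return failed(this).build(); }` keeps the endpoint from surfacing a stack trace to the learner. Separately, three branches return `success(this)` while attaching the `failure1`/`failure2`/`failure3` feedback keys; if marking the assignment solved there is intentional, a one-line comment saying so would help the next reader. The enclosing method starts outside the hunk.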


@ -24,7 +24,6 @@ package org.owasp.webgoat.idor;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.UserSessionData;
@ -65,12 +64,12 @@ public class IDORLogin extends AssignmentEndpoint {
if ("tom".equals(username) && idorUserInfo.get("tom").get("password").equals(password)) {
userSessionData.setValue("idor-authenticated-as", username);
userSessionData.setValue("idor-authenticated-user-id", idorUserInfo.get(username).get("id"));
return trackProgress(success().feedback("idor.login.success").feedbackArgs(username).build());
return success(this).feedback("idor.login.success").feedbackArgs(username).build();
} else {
return trackProgress(failed().feedback("idor.login.failure").build());
return failed(this).feedback("idor.login.failure").build();
}
} else {
return trackProgress(failed().feedback("idor.login.failure").build());
return failed(this).feedback("idor.login.failure").build();
}
}
}
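Review bot: Both `else` branches return the identical `failed(this).feedback("idor.login.failure").build()`, so the nested conditional can be flattened into one guard, e.g. `boolean valid = "tom".equals(username) && idorUserInfo.get("tom").get("password").equals(password); if (!valid) { return failed(this).feedback("idor.login.failure").build(); }` followed by the success path without nesting. The outer `if` these branches belong to starts outside the hunk, so its condition would have to be folded into the same guard. On the success path `idorUserInfo.get(username)` can only ever resolve the `"tom"` entry given the check just above it, so `idorUserInfo.get("tom")` would make that explicit.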


@ -56,14 +56,14 @@ public class IDORViewOtherProfile extends AssignmentEndpoint {
UserProfile requestedProfile = new UserProfile(userId);
// secure code would ensure there was a horizontal access control check prior to dishing up the requested profile
if (requestedProfile.getUserId().equals("2342388")) {
return trackProgress(success().feedback("idor.view.profile.success").output(requestedProfile.profileToMap().toString()).build());
return success(this).feedback("idor.view.profile.success").output(requestedProfile.profileToMap().toString()).build();
} else {
return trackProgress(failed().feedback("idor.view.profile.close1").build());
return failed(this).feedback("idor.view.profile.close1").build();
}
} else {
return trackProgress(failed().feedback("idor.view.profile.close2").build());
return failed(this).feedback("idor.view.profile.close2").build();
}
}
return trackProgress(failed().build());
return failed(this).build();
}
}
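Review bot: The final `return failed(this).build()` at the end of the method carries no feedback key, so a submission that reaches it gets no message at all, unlike every other exit in this endpoint; attaching one of the existing keys (for example `failed(this).feedback("idor.view.profile.close2").build()`) or a dedicated one would make the outcome legible to the learner. The literal `"2342388"` compared against `requestedProfile.getUserId()` would read better as a named constant, `private static final String OTHER_USER_ID = "2342388";` on the class, with a short comment that this is apparently the other user's profile id the lesson expects to be requested. The enclosing method starts outside the hunk.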


@ -48,16 +48,16 @@ public class IDORViewOwnProfileAltUrl extends AssignmentEndpoint {
String[] urlParts = url.split("/");
if (urlParts[0].equals("WebGoat") && urlParts[1].equals("IDOR") && urlParts[2].equals("profile") && urlParts[3].equals(authUserId)) {
UserProfile userProfile = new UserProfile(authUserId);
return trackProgress(success().feedback("idor.view.own.profile.success").output(userProfile.profileToMap().toString()).build());
return success(this).feedback("idor.view.own.profile.success").output(userProfile.profileToMap().toString()).build();
} else {
return trackProgress(failed().feedback("idor.view.own.profile.failure1").build());
return failed(this).feedback("idor.view.own.profile.failure1").build();
}
} else {
return trackProgress(failed().feedback("idor.view.own.profile.failure2").build());
return failed(this).feedback("idor.view.own.profile.failure2").build();
}
} catch (Exception ex) {
return failed().feedback("an error occurred with your request").build();
return failed(this).feedback("an error occurred with your request").build();
}
}
}
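Review bot: `urlParts[1]` through `urlParts[3]` are read without checking that `url.split("/")` produced at least four parts, so a URL that starts with `WebGoat` but has fewer segments throws ArrayIndexOutOfBoundsException that is only stopped by the blanket `catch (Exception ex)`. A length check before the comparison, `if (urlParts.length < 4) { return failed(this).feedback("idor.view.own.profile.failure1").build(); }`, handles the malformed input explicitly and leaves the catch for genuine surprises. The catch itself discards `ex` entirely, so unexpected failures leave no trace for the operator; it should at least log the exception before returning. The returned feedback `"an error occurred with your request"` is also a raw English string where every other exit uses an i18n key, an inconsistency worth resolving. The enclosing method and its `try` start outside the hunk.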