Adjust lesson template (#704)

* Remove method `getId()` from all lessons as it defaults to the class name

* remove clean up endpoint

* remove unused class `RequestParameter`

* remove unused class `PluginLoadingFailure`

* Move `CourseConfiguration` to lesson package

* Add more content around the lesson template lesson and make it visible as a lesson in WebGoat

* Remove the explicit `trackProgress()` invocation inside the WebGoat framework so assignments only need to return an `AttackResult`

* Put original solution back as well for SQL string injection

* review comments

* Add
Nanne Baars
2019-11-17 13:39:56 +01:00
committed by René Zubcevic
parent f40b6ffd31
commit 5dd6b31905
139 changed files with 769 additions and 870 deletions


@ -42,9 +42,4 @@ public class JWT extends Lesson {
public String getTitle() {
return "jwt.title";
}
@Override
public String getId() {
return "JWT";
}
}


@ -82,7 +82,7 @@ public class JWTFinalEndpoint extends AssignmentEndpoint {
public @ResponseBody
AttackResult resetVotes(@RequestParam("token") String token) {
if (StringUtils.isEmpty(token)) {
return trackProgress(failed().feedback("jwt-invalid-token").build());
return failed(this).feedback("jwt-invalid-token").build();
} else {
try {
final String[] errorMessage = {null};
@ -102,20 +102,20 @@ public class JWTFinalEndpoint extends AssignmentEndpoint {
}
}).parseClaimsJws(token);
if (errorMessage[0] != null) {
return trackProgress(failed().output(errorMessage[0]).build());
return failed(this).output(errorMessage[0]).build();
}
Claims claims = (Claims) jwt.getBody();
String username = (String) claims.get("username");
if ("Jerry".equals(username)) {
return trackProgress(failed().feedback("jwt-final-jerry-account").build());
return failed(this).feedback("jwt-final-jerry-account").build();
}
if ("Tom".equals(username)) {
return trackProgress(success().build());
return success(this).build();
} else {
return trackProgress(failed().feedback("jwt-final-not-tom").build());
return failed(this).feedback("jwt-final-not-tom").build();
}
} catch (JwtException e) {
return trackProgress(failed().feedback("jwt-invalid-token").output(e.toString()).build());
return failed(this).feedback("jwt-invalid-token").output(e.toString()).build();
}
}
}
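Review bot: The `(String)` cast on `claims.get("username")` two lines below `}).parseClaimsJws(token);` throws a ClassCastException when the claim is not a JSON string, and that unchecked exception is not a JwtException, so it escapes the `catch (JwtException e)` at the end of the hunk and surfaces as an unhandled error instead of the `jwt-invalid-token` feedback the new `failed(this)` branches produce. jjwt's typed accessor keeps the failure inside the existing handler: `String username = claims.get("username", String.class);` raises RequiredTypeException, a JwtException subclass, on a type mismatch. The same cast appears on the `claims.get("username")` line in JWTSecretKeyEndpoint further down this commit. resetVotes starts in the preceding hunk, and the SigningKeyResolver it opens is cut off between the two hunks.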


@ -26,7 +26,6 @@ import io.jsonwebtoken.*;
import org.apache.commons.lang3.RandomStringUtils;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
@ -92,13 +91,13 @@ public class JWTRefreshEndpoint extends AssignmentEndpoint {
Claims claims = (Claims) jwt.getBody();
String user = (String) claims.get("user");
if ("Tom".equals(user)) {
return ok(trackProgress(success().build()));
return ok(success(this).build());
}
return ok(trackProgress(failed().feedback("jwt-refresh-not-tom").feedbackArgs(user).build()));
return ok(failed(this).feedback("jwt-refresh-not-tom").feedbackArgs(user).build());
} catch (ExpiredJwtException e) {
return ok(trackProgress(failed().output(e.getMessage()).build()));
return ok(failed(this).output(e.getMessage()).build());
} catch (JwtException e) {
return ok(trackProgress(failed().feedback("jwt-invalid-token").build()));
return ok(failed(this).feedback("jwt-invalid-token").build());
}
}
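Review bot: `feedbackArgs(user)` in the `jwt-refresh-not-tom` branch echoes the `user` claim, which is content taken directly from the client-supplied token, into the lesson feedback; unless the feedback renderer escapes its arguments this is a path for token content to reach the UI unescaped, so confirm the escaping or sanitise the value here. The `ExpiredJwtException` branch likewise returns `e.getMessage()` verbatim, which is acceptable for a training lesson but should be a deliberate choice rather than the default. The same `feedbackArgs(user)` pattern appears in JWTSecretKeyEndpoint. The method signature and the statement that parses `jwt` lie above this hunk.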


@ -74,19 +74,19 @@ public class JWTSecretKeyEndpoint extends AssignmentEndpoint {
Jwt jwt = Jwts.parser().setSigningKey(JWT_SECRET).parse(token);
Claims claims = (Claims) jwt.getBody();
if (!claims.keySet().containsAll(expectedClaims)) {
return trackProgress(failed().feedback("jwt-secret-claims-missing").build());
return failed(this).feedback("jwt-secret-claims-missing").build();
} else {
String user = (String) claims.get("username");
if (WEBGOAT_USER.equalsIgnoreCase(user)) {
return trackProgress(success().build());
return success(this).build();
} else {
return trackProgress(failed().feedback("jwt-secret-incorrect-user").feedbackArgs(user).build());
return failed(this).feedback("jwt-secret-incorrect-user").feedbackArgs(user).build();
}
}
} catch (Exception e) {
e.printStackTrace();
return trackProgress(failed().feedback("jwt-invalid-token").output(e.getMessage()).build());
return failed(this).feedback("jwt-invalid-token").output(e.getMessage()).build();
}
}
}
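Review bot: `e.printStackTrace();` in the catch block directly above the new `failed(this).feedback("jwt-invalid-token").output(e.getMessage())` line writes the trace to stderr outside the application's logging, and the message is already returned to the caller in the AttackResult, so the line should either go or become a logger call such as `log.debug("Invalid token", e);` if the class has an SLF4J logger. `catch (Exception e)` is also broader than the parser requires — `JwtException` covers signature, expiry and malformed-token failures — and it silently reports programming errors as `jwt-invalid-token` feedback. The enclosing method's signature is above this hunk.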


@ -157,20 +157,20 @@ public class JWTVotesEndpoint extends AssignmentEndpoint {
@ResponseBody
public AttackResult resetVotes(@CookieValue(value = "access_token", required = false) String accessToken) {
if (StringUtils.isEmpty(accessToken)) {
return trackProgress(failed().feedback("jwt-invalid-token").build());
return failed(this).feedback("jwt-invalid-token").build();
} else {
try {
Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(accessToken);
Claims claims = (Claims) jwt.getBody();
boolean isAdmin = Boolean.valueOf((String) claims.get("admin"));
if (!isAdmin) {
return trackProgress(failed().feedback("jwt-only-admin").build());
return failed(this).feedback("jwt-only-admin").build();
} else {
votes.values().forEach(vote -> vote.reset());
return trackProgress(success().build());
return success(this).build();
}
} catch (JwtException e) {
return trackProgress(failed().feedback("jwt-invalid-token").output(e.toString()).build());
return failed(this).feedback("jwt-invalid-token").output(e.toString()).build();
}
}
}
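Review bot: `Boolean.valueOf((String) claims.get("admin"))` throws a ClassCastException when the `admin` claim is a JSON boolean rather than a string, and that exception is not a JwtException, so it bypasses the `catch (JwtException e)` that feeds the new `failed(this).feedback("jwt-invalid-token")` branch and surfaces as an unhandled server error. `boolean isAdmin = Boolean.parseBoolean(String.valueOf(claims.get("admin")));` accepts both representations and still evaluates to false for a missing claim.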