WIP
parent
361249c666
commit
5e6f825e64
@ -7,7 +7,7 @@ import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
import org.mockito.Mock;
|
||||
import org.mockito.Mockito;
|
||||
import org.mockito.runners.MockitoJUnitRunner;
|
||||
import org.mockito.junit.MockitoJUnitRunner;
|
||||
import org.owasp.webgoat.lessons.AbstractLesson;
|
||||
import org.owasp.webgoat.lessons.Assignment;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
@ -48,7 +48,6 @@ public class HintServiceTest {
|
||||
|
||||
@Test
|
||||
public void hintsPerAssignment() throws Exception {
|
||||
when(lesson.getName()).thenReturn("Test lesson");
|
||||
Assignment assignment = Mockito.mock(Assignment.class);
|
||||
when(assignment.getPath()).thenReturn("/HttpBasics/attack1");
|
||||
when(assignment.getHints()).thenReturn(Lists.newArrayList("hint 1", "hint 2"));
|
||||
|
@ -4,6 +4,7 @@ import org.hamcrest.CoreMatchers;
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
import org.owasp.webgoat.session.Course;
|
||||
import org.owasp.webgoat.users.UserService;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
|
||||
import org.springframework.boot.test.mock.mockito.MockBean;
|
||||
@ -53,6 +54,8 @@ public class LabelServiceTest {
|
||||
public MockMvc mockMvc;
|
||||
@MockBean
|
||||
private Course course;
|
||||
@MockBean
|
||||
private UserService userService;
|
||||
|
||||
@Test
|
||||
@WithMockUser(username = "guest", password = "guest")
|
||||
|
@ -7,7 +7,7 @@ import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
import org.mockito.Mock;
|
||||
import org.mockito.Mockito;
|
||||
import org.mockito.runners.MockitoJUnitRunner;
|
||||
import org.mockito.junit.MockitoJUnitRunner;
|
||||
import org.owasp.webgoat.lessons.AbstractLesson;
|
||||
import org.owasp.webgoat.lessons.Category;
|
||||
import org.owasp.webgoat.lessons.NewLesson;
|
||||
|
@ -39,10 +39,10 @@ import org.springframework.web.bind.annotation.*;
|
||||
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
|
||||
* @created October 28, 2003
|
||||
*/
|
||||
@AssignmentPath("/HttpProxies/intercept-request")
|
||||
@RestController
|
||||
public class HttpBasicsInterceptRequest extends AssignmentEndpoint {
|
||||
|
||||
@GetMapping
|
||||
@GetMapping("/HttpProxies/intercept-request")
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestHeader(value = "x-request-intercepted", required = false) Boolean headerValue,
|
||||
@RequestParam(value = "changeMe", required = false) String paramValue) {
|
||||
@ -53,7 +53,7 @@ public class HttpBasicsInterceptRequest extends AssignmentEndpoint {
|
||||
}
|
||||
}
|
||||
|
||||
@PostMapping
|
||||
@PostMapping("/HttpProxies/intercept-request")
|
||||
@ResponseBody
|
||||
public AttackResult post() {
|
||||
return trackProgress(failed().feedback("http-proxies.intercept.failure").build());
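Review bot: The route string "/HttpProxies/intercept-request" now appears three times in this class — on @AssignmentPath and on the new @GetMapping and @PostMapping — so a later edit to one will silently desynchronise the others; a `private static final String PATH = "/HttpProxies/intercept-request";` referenced from all three annotations keeps them in step. The same duplication is introduced in IDORDiffAttributes, IDOREditOtherProfiile, IDORLogin, IDORViewOtherProfile, IDORViewOwnProfileAltUrl, InsecureDeserializationTask, InsecureLoginTask, the JWT endpoints, the MissingFunctionAC endpoints and QuestionsAssignment. In the IDOR classes the new mapping values ("IDOR/diff-attributes", "IDOR/profile/{userId}", "IDOR/profile/alt-path") also lack the leading slash that every other new mapping has; Spring appears to tolerate that, but a single convention is easier to audit. Since each of these classes is a @RestController, the @ResponseBody lines added beside the mappings are redundant and can be dropped.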
|
||||
|
@ -4,10 +4,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import java.io.IOException;
|
||||
@ -41,14 +38,13 @@ import java.io.IOException;
|
||||
* @version $Id: $Id
|
||||
* @since January 3, 2017
|
||||
*/
|
||||
|
||||
@AssignmentPath("IDOR/diff-attributes")
|
||||
@RestController
|
||||
@AssignmentHints({"idor.hints.idorDiffAttributes1","idor.hints.idorDiffAttributes2","idor.hints.idorDiffAttributes3"})
|
||||
public class IDORDiffAttributes extends AssignmentEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
public @ResponseBody
|
||||
AttackResult completed(@RequestParam String attributes, HttpServletRequest request) throws IOException {
|
||||
@PostMapping("IDOR/diff-attributes")
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String attributes, HttpServletRequest request) throws IOException {
|
||||
attributes = attributes.trim();
|
||||
String[] diffAttribs = attributes.split(",");
|
||||
if (diffAttribs.length < 2) {
|
||||
|
@ -37,17 +37,16 @@ import org.springframework.web.bind.annotation.*;
|
||||
* @version $Id: $Id
|
||||
* @since January 3, 2017
|
||||
*/
|
||||
|
||||
@AssignmentPath("IDOR/profile/{userId}")
|
||||
@RestController
|
||||
@AssignmentHints({"idor.hints.otherProfile1","idor.hints.otherProfile2","idor.hints.otherProfile3","idor.hints.otherProfile4","idor.hints.otherProfile5","idor.hints.otherProfile6","idor.hints.otherProfile7","idor.hints.otherProfile8","idor.hints.otherProfile9"})
|
||||
public class IDOREditOtherProfiile extends AssignmentEndpoint {
|
||||
|
||||
@Autowired
|
||||
private UserSessionData userSessionData;
|
||||
|
||||
@PutMapping(consumes = "application/json")
|
||||
public @ResponseBody
|
||||
AttackResult completed(@PathVariable("userId") String userId, @RequestBody UserProfile userSubmittedProfile) {
|
||||
@PutMapping(path = "IDOR/profile/{userId}", consumes = "application/json")
|
||||
@ResponseBody
|
||||
public AttackResult completed(@PathVariable("userId") String userId, @RequestBody UserProfile userSubmittedProfile) {
|
||||
|
||||
String authUserId = (String)userSessionData.getValue("idor-authenticated-user-id");
|
||||
// this is where it starts ... accepting the user submitted ID and assuming it will be the same as the logged in userId and not checking for proper authorization
|
||||
|
@ -40,8 +40,7 @@ import java.util.Map;
|
||||
* @version $Id: $Id
|
||||
* @since January 3, 2017
|
||||
*/
|
||||
|
||||
@AssignmentPath("/IDOR/login")
|
||||
@RestController
|
||||
@AssignmentHints({"idor.hints.idor_login"})
|
||||
public class IDORLogin extends AssignmentEndpoint {
|
||||
|
||||
@ -63,7 +62,7 @@ public class IDORLogin extends AssignmentEndpoint {
|
||||
|
||||
}
|
||||
|
||||
@PostMapping
|
||||
@PostMapping("/IDOR/login")
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String username, @RequestParam String password) {
|
||||
initIDORInfo();
|
||||
@ -81,12 +80,4 @@ public class IDORLogin extends AssignmentEndpoint {
|
||||
return trackProgress(failed().feedback("idor.login.failure").build());
|
||||
}
|
||||
}
|
||||
|
||||
// userSessionData.setValue("foo","bar");
|
||||
// System.out.println("*** value set");
|
||||
// System.out.println("*** fetching value");
|
||||
// System.out.println(userSessionData.getValue("foo"));
|
||||
// System.out.println("*** DONE fetching value");
|
||||
// return trackProgress(AttackResult.failed("You are close, try again"));
|
||||
|
||||
}
|
||||
|
@ -7,10 +7,7 @@ import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.UserSessionData;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.web.bind.annotation.PathVariable;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import java.util.HashMap;
|
||||
@ -45,15 +42,14 @@ import java.util.Map;
|
||||
* @version $Id: $Id
|
||||
* @since January 3, 2017
|
||||
*/
|
||||
|
||||
@AssignmentPath("IDOR/profile/{userId}")
|
||||
@RestController
|
||||
@AssignmentHints({"idor.hints.otherProfile1","idor.hints.otherProfile2","idor.hints.otherProfile3","idor.hints.otherProfile4","idor.hints.otherProfile5","idor.hints.otherProfile6","idor.hints.otherProfile7","idor.hints.otherProfile8","idor.hints.otherProfile9"})
|
||||
public class IDORViewOtherProfile extends AssignmentEndpoint{
|
||||
|
||||
@Autowired
|
||||
UserSessionData userSessionData;
|
||||
|
||||
@RequestMapping(produces = {"application/json"}, method = RequestMethod.GET)
|
||||
@GetMapping(path = "IDOR/profile/{userId}", produces = {"application/json"})
|
||||
@ResponseBody
|
||||
public AttackResult completed(@PathVariable("userId") String userId, HttpServletResponse resp) {
|
||||
Map<String,Object> details = new HashMap<>();
|
||||
@ -76,5 +72,4 @@ public class IDORViewOtherProfile extends AssignmentEndpoint{
|
||||
}
|
||||
return trackProgress(failed().build());
|
||||
}
|
||||
|
||||
}
|
||||
|
@ -3,9 +3,7 @@ package org.owasp.webgoat.plugin;
|
||||
|
||||
import org.owasp.webgoat.session.UserSessionData;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
@ -43,15 +41,15 @@ import java.util.Map;
|
||||
* @version $Id: $Id
|
||||
* @since January 3, 2017
|
||||
*/
|
||||
|
||||
@RestController
|
||||
public class IDORViewOwnProfile {
|
||||
|
||||
@Autowired
|
||||
UserSessionData userSessionData;
|
||||
|
||||
@RequestMapping(produces = {"application/json"}, method = RequestMethod.GET)
|
||||
@GetMapping(produces = {"application/json"})
|
||||
@ResponseBody
|
||||
public Map<String, Object> invoke(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
|
||||
public Map<String, Object> invoke() {
|
||||
Map<String,Object> details = new HashMap<>();
|
||||
try {
|
||||
if (userSessionData.getValue("idor-authenticated-as").equals("tom")) {
|
||||
@ -71,9 +69,4 @@ public class IDORViewOwnProfile {
|
||||
}
|
||||
return details;
|
||||
}
|
||||
|
||||
// @Override
|
||||
// public String getPath() {
|
||||
// return "/IDOR/profile";
|
||||
// }
|
||||
}
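Review bot: The new `@GetMapping(produces = {"application/json"})` above invoke() carries no path, and the hunk shows only @RestController above the class with no class-level @RequestMapping, so unless one exists outside this view the method is mapped to the root path rather than the profile URL. Every sibling endpoint in this commit received an explicit path, and the getPath() comment deleted further down recorded "/IDOR/profile" as the intended one; `@GetMapping(path = "/IDOR/profile", produces = {"application/json"})` would restore it. Worth confirming before this WIP lands, because a root-path JSON handler is easy to overlook in a later route audit.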
|
||||
|
@ -45,22 +45,20 @@ import java.util.Map;
|
||||
* @version $Id: $Id
|
||||
* @since January 3, 2017
|
||||
*/
|
||||
|
||||
@AssignmentPath("IDOR/profile/alt-path")
|
||||
@AssignmentHints({"idor.hints.ownProfileAltUrl1","idor.hints.ownProfileAltUrl2","idor.hints.ownProfileAltUrl3"})
|
||||
public class IDORViewOwnProfileAltUrl extends AssignmentEndpoint{
|
||||
@RestController
|
||||
@AssignmentHints({"idor.hints.ownProfileAltUrl1", "idor.hints.ownProfileAltUrl2", "idor.hints.ownProfileAltUrl3"})
|
||||
public class IDORViewOwnProfileAltUrl extends AssignmentEndpoint {
|
||||
|
||||
@Autowired
|
||||
UserSessionData userSessionData;
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
@PostMapping("IDOR/profile/alt-path")
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String url, HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
|
||||
Map<String,Object> details = new HashMap<>();
|
||||
public AttackResult completed(@RequestParam String url) {
|
||||
try {
|
||||
if (userSessionData.getValue("idor-authenticated-as").equals("tom")) {
|
||||
//going to use session auth to view this one
|
||||
String authUserId = (String)userSessionData.getValue("idor-authenticated-user-id");
|
||||
String authUserId = (String) userSessionData.getValue("idor-authenticated-user-id");
|
||||
//don't care about http://localhost:8080 ... just want WebGoat/
|
||||
String[] urlParts = url.split("/");
|
||||
if (urlParts[0].equals("WebGoat") && urlParts[1].equals("IDOR") && urlParts[2].equals("profile") && urlParts[3].equals(authUserId)) {
|
||||
@ -74,9 +72,7 @@ public class IDORViewOwnProfileAltUrl extends AssignmentEndpoint{
|
||||
return trackProgress(failed().feedback("idor.view.own.profile.failure2").build());
|
||||
}
|
||||
} catch (Exception ex) {
|
||||
System.out.println(ex.getMessage());
|
||||
return failed().feedback("an error occurred with your request").build();
|
||||
}
|
||||
}
|
||||
|
||||
}
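Review bot: The rewritten completed(String url) still indexes urlParts[0] through urlParts[3] without checking urlParts.length, so any submitted URL with fewer than four segments throws ArrayIndexOutOfBoundsException into the catch (Exception ex) block, which prints ex.getMessage() to System.out and returns the generic "an error occurred with your request" result without trackProgress(). A guard before the comparison, `if (urlParts.length >= 4 && urlParts[0].equals("WebGoat") && urlParts[1].equals("IDOR") && urlParts[2].equals("profile") && urlParts[3].equals(authUserId)) {`, turns that case into the normal failure feedback, and the catch should go through a logger rather than System.out. Removing the unused HttpServletRequest/HttpServletResponse parameters and the unused details map is right; the lines between the two hunks are outside this view.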
|
||||
|
@ -1,61 +1,58 @@
|
||||
package org.owasp.webgoat.plugin;
|
||||
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import java.io.ByteArrayInputStream;
|
||||
import java.io.IOException;
|
||||
import java.io.ObjectInputStream;
|
||||
import java.io.ByteArrayInputStream;
|
||||
import java.util.Base64;
|
||||
|
||||
/**
|
||||
* *************************************************************************************************
|
||||
*
|
||||
*
|
||||
* <p>
|
||||
* <p>
|
||||
* This file is part of WebGoat, an Open Web Application Security Project
|
||||
* utility. For details, please see http://www.owasp.org/
|
||||
*
|
||||
* <p>
|
||||
* Copyright (c) 2002 - 20014 Bruce Mayhew
|
||||
*
|
||||
* <p>
|
||||
* This program is free software; you can redistribute it and/or modify it under
|
||||
* the terms of the GNU General Public License as published by the Free Software
|
||||
* Foundation; either version 2 of the License, or (at your option) any later
|
||||
* version.
|
||||
*
|
||||
* <p>
|
||||
* This program is distributed in the hope that it will be useful, but WITHOUT
|
||||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
||||
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
||||
* details.
|
||||
*
|
||||
* <p>
|
||||
* You should have received a copy of the GNU General Public License along with
|
||||
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
|
||||
* Place - Suite 330, Boston, MA 02111-1307, USA.
|
||||
*
|
||||
* <p>
|
||||
* Getting Source ==============
|
||||
*
|
||||
* <p>
|
||||
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
|
||||
* for free software projects.
|
||||
*
|
||||
* <p>
|
||||
* For details, please see http://webgoat.github.io
|
||||
*
|
||||
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
|
||||
* @created October 28, 2003
|
||||
*/
|
||||
@AssignmentPath("/InsecureDeserialization/task")
|
||||
@RestController
|
||||
public class InsecureDeserializationTask extends AssignmentEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
public
|
||||
@PostMapping("/InsecureDeserialization/task")
|
||||
@ResponseBody
|
||||
AttackResult completed(@RequestParam String token) throws IOException {
|
||||
public AttackResult completed(@RequestParam String token) throws IOException {
|
||||
String b64token;
|
||||
byte [] data;
|
||||
byte[] data;
|
||||
ObjectInputStream ois;
|
||||
Object o;
|
||||
long before, after;
|
||||
@ -64,7 +61,7 @@ public class InsecureDeserializationTask extends AssignmentEndpoint {
|
||||
b64token = token.replace('-', '+').replace('_', '/');
|
||||
try {
|
||||
data = Base64.getDecoder().decode(b64token);
|
||||
ois = new ObjectInputStream( new ByteArrayInputStream(data) );
|
||||
ois = new ObjectInputStream(new ByteArrayInputStream(data));
|
||||
} catch (Exception e) {
|
||||
return trackProgress(failed().build());
|
||||
}
|
||||
@ -78,13 +75,13 @@ public class InsecureDeserializationTask extends AssignmentEndpoint {
|
||||
after = System.currentTimeMillis();
|
||||
ois.close();
|
||||
|
||||
delay = (int)(after - before);
|
||||
if ( delay > 7000 ) {
|
||||
delay = (int) (after - before);
|
||||
if (delay > 7000) {
|
||||
return trackProgress(failed().build());
|
||||
}
|
||||
if ( delay < 3000 ) {
|
||||
if (delay < 3000) {
|
||||
return trackProgress(failed().build());
|
||||
}
|
||||
}
|
||||
return trackProgress(success().build());
|
||||
}
|
||||
}
|
||||
}
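Review bot: The ObjectInputStream opened in the try at the top of completed() is only closed on the success path (the ois.close() after the timing block), so the read that happens between the two hunks leaves it open whenever it throws; wrapping the decode and read in a try-with-resources removes that and the three scattered declarations (`String b64token; byte[] data; ObjectInputStream ois;`) with it. Because this endpoint deliberately deserialises attacker-controlled bytes as the lesson's subject, a comment on the new ObjectInputStream line, e.g. `// Intentional: unsafe deserialisation is what this lesson demonstrates; see the lesson docs before hardening`, stops a well-meaning cleanup from adding an ObjectInputFilter and breaking the exercise. The `token.replace('-', '+').replace('_', '/')` dance can become `Base64.getUrlDecoder().decode(token)` if tokens are always URL-safe encoded; if they may arrive in either alphabet, keep the replace. The `catch (Exception e)` that follows also swallows the reason for a bad token; logging it at debug level would help when a student reports a non-working payload.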
|
@ -3,10 +3,7 @@ package org.owasp.webgoat.plugin;
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import java.io.IOException;
|
||||
@ -44,13 +41,12 @@ import java.io.IOException;
|
||||
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
|
||||
* @created October 28, 2003
|
||||
*/
|
||||
@AssignmentPath("/InsecureLogin/task")
|
||||
@RestController
|
||||
public class InsecureLoginTask extends AssignmentEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
public
|
||||
@PostMapping("/InsecureLogin/task")
|
||||
@ResponseBody
|
||||
AttackResult completed(@RequestParam String username, @RequestParam String password) throws IOException {
|
||||
public AttackResult completed(@RequestParam String username, @RequestParam String password) {
|
||||
if (username.toString().equals("CaptainJack") && password.toString().equals("BlackPearl")) {
|
||||
return trackProgress(success().build());
|
||||
}
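Review bot: The comparison `username.toString().equals("CaptainJack") && password.toString().equals("BlackPearl")` calls toString() on values that are already Strings, which reads like a leftover from an Object-typed signature; `"CaptainJack".equals(username) && "BlackPearl".equals(password)` is shorter and stays null-safe should the parameters ever become optional. Dropping the unused `throws IOException` from the new signature is right; the rest of completed() past the hunk is outside this view.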
|
||||
|
@ -11,10 +11,7 @@ import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.DatabaseUtilities;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.web.bind.annotation.PathVariable;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import java.sql.Connection;
|
||||
import java.sql.ResultSet;
|
||||
@ -44,14 +41,14 @@ import java.sql.SQLException;
|
||||
* @author nbaars
|
||||
* @since 4/23/17.
|
||||
*/
|
||||
@AssignmentPath("/JWT/final")
|
||||
@RestController
|
||||
@AssignmentHints({"jwt-final-hint1", "jwt-final-hint2", "jwt-final-hint3", "jwt-final-hint4", "jwt-final-hint5", "jwt-final-hint6"})
|
||||
public class JWTFinalEndpoint extends AssignmentEndpoint {
|
||||
|
||||
@Autowired
|
||||
private WebSession webSession;
|
||||
|
||||
@PostMapping("follow/{user}")
|
||||
@PostMapping("/JWT/final/follow/{user}")
|
||||
public @ResponseBody
|
||||
String follow(@PathVariable("user") String user) {
|
||||
if ("Jerry".equals(user)) {
|
||||
@ -61,7 +58,7 @@ public class JWTFinalEndpoint extends AssignmentEndpoint {
|
||||
}
|
||||
}
|
||||
|
||||
@PostMapping("delete")
|
||||
@PostMapping("/JWT/final/delete")
|
||||
public @ResponseBody
|
||||
AttackResult resetVotes(@RequestParam("token") String token) {
|
||||
if (StringUtils.isEmpty(token)) {
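Review bot: The two rewritten mappings keep the `public @ResponseBody` / return-type-on-the-next-line layout for follow() and resetVotes(), while the rest of this commit moves @ResponseBody onto its own line above a conventional signature; pick one shape, and since the class is a @RestController the annotation can simply be dropped. Both method bodies continue past their hunks and are outside this view.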
|
||||
|
@ -13,10 +13,7 @@ import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.http.HttpStatus;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.http.ResponseEntity;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
import org.springframework.web.bind.annotation.RequestBody;
|
||||
import org.springframework.web.bind.annotation.RequestHeader;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import java.util.Date;
|
||||
import java.util.List;
|
||||
@ -27,7 +24,7 @@ import java.util.concurrent.TimeUnit;
|
||||
* @author nbaars
|
||||
* @since 4/23/17.
|
||||
*/
|
||||
@AssignmentPath("/JWT/refresh/")
|
||||
@RestController
|
||||
@AssignmentHints({"jwt-refresh-hint1", "jwt-refresh-hint2", "jwt-refresh-hint3", "jwt-refresh-hint4"})
|
||||
public class JWTRefreshEndpoint extends AssignmentEndpoint {
|
||||
|
||||
@ -35,9 +32,9 @@ public class JWTRefreshEndpoint extends AssignmentEndpoint {
|
||||
private static final String JWT_PASSWORD = "bm5n3SkxCX4kKRy4";
|
||||
private static final List<String> validRefreshTokens = Lists.newArrayList();
|
||||
|
||||
@PostMapping(value = "login", consumes = MediaType.APPLICATION_JSON_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
|
||||
public @ResponseBody
|
||||
ResponseEntity follow(@RequestBody Map<String, Object> json) {
|
||||
@PostMapping(value = "/JWT/refresh/login", consumes = MediaType.APPLICATION_JSON_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
|
||||
@ResponseBody
|
||||
public ResponseEntity follow(@RequestBody Map<String, Object> json) {
|
||||
String user = (String) json.get("user");
|
||||
String password = (String) json.get("password");
|
||||
|
||||
@ -64,9 +61,9 @@ public class JWTRefreshEndpoint extends AssignmentEndpoint {
|
||||
return tokenJson;
|
||||
}
|
||||
|
||||
@PostMapping("checkout")
|
||||
public @ResponseBody
|
||||
AttackResult checkout(@RequestHeader("Authorization") String token) {
|
||||
@PostMapping("/JWT/refresh/checkout")
|
||||
@ResponseBody
|
||||
public AttackResult checkout(@RequestHeader("Authorization") String token) {
|
||||
try {
|
||||
Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", ""));
|
||||
Claims claims = (Claims) jwt.getBody();
|
||||
@ -82,9 +79,9 @@ public class JWTRefreshEndpoint extends AssignmentEndpoint {
|
||||
}
|
||||
}
|
||||
|
||||
@PostMapping("newToken")
|
||||
public @ResponseBody
|
||||
ResponseEntity newToken(@RequestHeader("Authorization") String token, @RequestBody Map<String, Object> json) {
|
||||
@PostMapping("/JWT/refresh/newToken")
|
||||
@ResponseBody
|
||||
public ResponseEntity newToken(@RequestHeader("Authorization") String token, @RequestBody Map<String, Object> json) {
|
||||
String user;
|
||||
String refreshToken;
|
||||
try {
|
||||
@ -105,5 +102,4 @@ public class JWTRefreshEndpoint extends AssignmentEndpoint {
|
||||
return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
|
||||
}
|
||||
}
|
||||
|
||||
}
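Review bot: The rewritten signatures `public ResponseEntity follow(@RequestBody Map<String, Object> json)` and `public ResponseEntity newToken(@RequestHeader("Authorization") String token, @RequestBody Map<String, Object> json)` use the raw ResponseEntity type; `ResponseEntity<?>`, as JWTVotesEndpoint.vote() already declares, removes the raw-type warning without changing behaviour. The handler behind /JWT/refresh/login is still named follow(), which looks like a copy-and-paste from JWTFinalEndpoint and misdirects anyone searching for the login handler; login() would match its route. validRefreshTokens is a static mutable list shared by every session of the lesson, which is presumably intended but deserves a one-line comment saying so.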
|
||||
|
@ -13,6 +13,7 @@ import io.jsonwebtoken.Claims;
|
||||
import io.jsonwebtoken.Jwt;
|
||||
import io.jsonwebtoken.Jwts;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
@ -20,7 +21,7 @@ import java.util.List;
|
||||
* @author nbaars
|
||||
* @since 4/23/17.
|
||||
*/
|
||||
@AssignmentPath("/JWT/secret")
|
||||
@RestController
|
||||
@AssignmentHints({"jwt-secret-hint1", "jwt-secret-hint2", "jwt-secret-hint3"})
|
||||
public class JWTSecretKeyEndpoint extends AssignmentEndpoint {
|
||||
|
||||
@ -28,7 +29,7 @@ public class JWTSecretKeyEndpoint extends AssignmentEndpoint {
|
||||
private static final String WEBGOAT_USER = "WebGoat";
|
||||
private static final List<String> expectedClaims = Lists.newArrayList("iss", "iat", "exp", "aud", "sub", "username", "Email", "Role");
|
||||
|
||||
@PostMapping
|
||||
@PostMapping("/JWT/secret")
|
||||
@ResponseBody
|
||||
public AttackResult login(@RequestParam String token) {
|
||||
try {
|
||||
|
@ -35,7 +35,7 @@ import static java.util.stream.Collectors.toList;
|
||||
* @author nbaars
|
||||
* @since 4/23/17.
|
||||
*/
|
||||
@AssignmentPath("/JWT/votings")
|
||||
@RestController
|
||||
@AssignmentHints({"jwt-change-token-hint1", "jwt-change-token-hint2", "jwt-change-token-hint3", "jwt-change-token-hint4", "jwt-change-token-hint5"})
|
||||
public class JWTVotesEndpoint extends AssignmentEndpoint {
|
||||
|
||||
@ -64,7 +64,7 @@ public class JWTVotesEndpoint extends AssignmentEndpoint {
|
||||
"challenge3-small.png", "challenge3.png", 10000, totalVotes));
|
||||
}
|
||||
|
||||
@GetMapping("/login")
|
||||
@GetMapping("/JWT/votings/login")
|
||||
public void login(@RequestParam("user") String user, HttpServletResponse response) {
|
||||
if (validUsers.contains(user)) {
|
||||
Claims claims = Jwts.claims().setIssuedAt(Date.from(Instant.now().plus(Duration.ofDays(10))));
|
||||
@ -86,7 +86,7 @@ public class JWTVotesEndpoint extends AssignmentEndpoint {
|
||||
}
|
||||
}
|
||||
|
||||
@GetMapping
|
||||
@GetMapping("/JWT/votings")
|
||||
@ResponseBody
|
||||
public MappingJacksonValue getVotes(@CookieValue(value = "access_token", required = false) String accessToken) {
|
||||
MappingJacksonValue value = new MappingJacksonValue(votes.values().stream().sorted(comparingLong(Vote::getAverage).reversed()).collect(toList()));
|
||||
@ -109,7 +109,7 @@ public class JWTVotesEndpoint extends AssignmentEndpoint {
|
||||
return value;
|
||||
}
|
||||
|
||||
@PostMapping(value = "{title}")
|
||||
@PostMapping(value = "/JWT/votings/{title}")
|
||||
@ResponseBody
|
||||
@ResponseStatus(HttpStatus.ACCEPTED)
|
||||
public ResponseEntity<?> vote(@PathVariable String title, @CookieValue(value = "access_token", required = false) String accessToken) {
|
||||
@ -132,9 +132,9 @@ public class JWTVotesEndpoint extends AssignmentEndpoint {
|
||||
}
|
||||
}
|
||||
|
||||
@PostMapping("reset")
|
||||
public @ResponseBody
|
||||
AttackResult resetVotes(@CookieValue(value = "access_token", required = false) String accessToken) {
|
||||
@PostMapping("/JWT/votings/reset")
|
||||
@ResponseBody
|
||||
public AttackResult resetVotes(@CookieValue(value = "access_token", required = false) String accessToken) {
|
||||
if (StringUtils.isEmpty(accessToken)) {
|
||||
return trackProgress(failed().feedback("jwt-invalid-token").build());
|
||||
} else {
|
||||
|
@ -7,10 +7,7 @@ import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.UserSessionData;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.web.bind.annotation.PathVariable;
|
||||
import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
@ -24,8 +21,7 @@ import java.util.Map;
|
||||
/**
|
||||
* Created by jason on 1/5/17.
|
||||
*/
|
||||
|
||||
@AssignmentPath("/access-control/hidden-menu")
|
||||
@RestController
|
||||
@AssignmentHints({"access-control.hidden-menus.hint1","access-control.hidden-menus.hint2","access-control.hidden-menus.hint3"})
|
||||
public class MissingFunctionACHiddenMenus extends AssignmentEndpoint {
|
||||
//UserSessionData is bound to session and can be used to persist data across multiple assignments
|
||||
@ -33,10 +29,9 @@ public class MissingFunctionACHiddenMenus extends AssignmentEndpoint {
|
||||
UserSessionData userSessionData;
|
||||
|
||||
|
||||
@PostMapping(produces = {"application/json"})
|
||||
public @ResponseBody
|
||||
AttackResult completed(String hiddenMenu1, String hiddenMenu2, HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
|
||||
|
||||
@PostMapping(path = "/access-control/hidden-menu", produces = {"application/json"})
|
||||
@ResponseBody
|
||||
public AttackResult completed(String hiddenMenu1, String hiddenMenu2) {
|
||||
//overly simple example for success. See other existing lesssons for ways to detect 'success' or 'failure'
|
||||
if (hiddenMenu1.equals("Users") && hiddenMenu2.equals("Config")) {
|
||||
return trackProgress(success()
|
||||
@ -57,5 +52,4 @@ public class MissingFunctionACHiddenMenus extends AssignmentEndpoint {
|
||||
.output("")
|
||||
.build());
|
||||
}
|
||||
|
||||
}
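Review bot: The new signature `public AttackResult completed(String hiddenMenu1, String hiddenMenu2)` binds the parameters without @RequestParam, so a request that omits either one binds null and the `hiddenMenu1.equals("Users")` comparison two lines below throws NullPointerException instead of returning the failure result. Either mark them required, `public AttackResult completed(@RequestParam String hiddenMenu1, @RequestParam String hiddenMenu2)`, or flip the comparisons to `"Users".equals(hiddenMenu1) && "Config".equals(hiddenMenu2)`. The same unannotated binding is introduced for userHash in MissingFunctionACYourHash, whose use of the value lies outside that hunk.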
|
||||
|
@ -21,7 +21,6 @@ import java.util.List;
|
||||
@Controller
|
||||
public class MissingFunctionACUsers {
|
||||
|
||||
|
||||
// this will actually put controllers on the /WebGoat/* path ... the jsp for list_users restricts what can be seen, but the add_user is not controlled carefully
|
||||
@Autowired
|
||||
private UserService userService;
|
||||
|
@ -9,8 +9,9 @@ import org.owasp.webgoat.users.WebGoatUser;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
|
||||
@AssignmentPath("/access-control/user-hash")
|
||||
@RestController
|
||||
@AssignmentHints({"access-control.hash.hint1","access-control.hash.hint2","access-control.hash.hint3",
|
||||
"access-control.hash.hint4","access-control.hash.hint5","access-control.hash.hint6","access-control.hash.hint7",
|
||||
"access-control.hash.hint8","access-control.hash.hint9","access-control.hash.hint10","access-control.hash.hint11","access-control.hash.hint12"})
|
||||
@ -19,9 +20,9 @@ public class MissingFunctionACYourHash extends AssignmentEndpoint {
|
||||
@Autowired
|
||||
private UserService userService;
|
||||
|
||||
@PostMapping(produces = {"application/json"})
|
||||
public @ResponseBody
|
||||
AttackResult completed(String userHash) {
|
||||
@PostMapping(path = "/access-control/user-hash", produces = {"application/json"})
|
||||
@ResponseBody
|
||||
public AttackResult completed(String userHash) {
|
||||
String currentUser = getWebSession().getUserName();
|
||||
WebGoatUser user = userService.loadUserByUsername(currentUser);
|
||||
DisplayUser displayUser = new DisplayUser(user);
|
||||
|
@ -4,6 +4,7 @@ import org.owasp.webgoat.session.DatabaseUtilities;
|
||||
import org.owasp.webgoat.session.UserSessionData;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
@ -20,9 +21,9 @@ public class Users {
|
||||
@Autowired
|
||||
UserSessionData userSessionData;
|
||||
|
||||
@RequestMapping(produces = {"application/json"}, method = RequestMethod.GET)
|
||||
@GetMapping(produces = {"application/json"})
|
||||
@ResponseBody
|
||||
protected HashMap<Integer, HashMap> getUsers (HttpServletRequest req) {
|
||||
protected HashMap<Integer, HashMap> getUsers() {
|
||||
|
||||
try {
|
||||
Connection connection = DatabaseUtilities.getConnection(getWebSession());
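Review bot: The rewritten signature `protected HashMap<Integer, HashMap> getUsers()` still returns a concrete HashMap whose value type is a raw HashMap; `protected Map<Integer, Map<String, Object>> getUsers()` (with the value type adjusted to whatever the body actually stores — that code is outside the hunk) removes the raw type and stops callers depending on the implementation class. As in IDORViewOwnProfile, the `@GetMapping(produces = {"application/json"})` carries no path, so the route depends on a class-level @RequestMapping that is not visible here — worth confirming. The Connection obtained from DatabaseUtilities.getConnection(getWebSession()) on the hunk's last line should sit in a try-with-resources if the code past the hunk does not close it on every path.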
|
||||
|
@ -1,20 +1,13 @@
|
||||
package org.owasp.webgoat.plugin;
|
||||
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.plugin.PasswordResetEmail;
|
||||
import org.springframework.beans.factory.annotation.Value;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.client.RestClientException;
|
||||
import org.springframework.web.client.RestTemplate;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
|
||||
import java.time.LocalDateTime;
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
|
||||
@ -22,7 +15,7 @@ import java.util.Map;
|
||||
* @author nbaars
|
||||
* @since 8/20/17.
|
||||
*/
|
||||
@AssignmentPath("/PasswordReset/questions")
|
||||
@RestController
|
||||
public class QuestionsAssignment extends AssignmentEndpoint {
|
||||
|
||||
private final static Map<String, String> COLORS = new HashMap<>();
|
||||
@ -35,7 +28,7 @@ public class QuestionsAssignment extends AssignmentEndpoint {
|
||||
COLORS.put("webgoat", "red");
|
||||
}
|
||||
|
||||
@PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE)
|
||||
@PostMapping(path = "/PasswordReset/questions", consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE)
|
||||
@ResponseBody
|
||||
public AttackResult passwordReset(@RequestParam Map<String, Object> json) {
|
||||
String securityQuestion = (String) json.getOrDefault("securityQuestion", "");
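Review bot: The path `/PasswordReset/questions` is now spelled twice in this class, once in `@AssignmentPath` and once in `@PostMapping(path = ...)`, so the two can drift apart silently. Hoist it into `private static final String PATH = "/PasswordReset/questions";` and reference it from both annotations, or drop whichever annotation no longer needs it. The same duplication appears in ResetLinkAssignment, ResetLinkAssignmentForgotPassword, SecurityQuestionAssignment, SimpleMailAssignment, SecurePasswordsAssignment and every SqlInjection lesson in this commit. Separately, `@RequestParam Map<String, Object> json` only ever receives String values from form parameters, so `Map<String, String>` would remove the cast on the following line.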
|
||||
|
@ -17,7 +17,7 @@ import java.util.Map;
|
||||
* @author nbaars
|
||||
* @since 8/20/17.
|
||||
*/
|
||||
@AssignmentPath("/PasswordReset/reset")
|
||||
@RestController
|
||||
@AssignmentHints({"password-reset-hint1", "password-reset-hint2", "password-reset-hint3", "password-reset-hint4", "password-reset-hint5", "password-reset-hint6"})
|
||||
public class ResetLinkAssignment extends AssignmentEndpoint {
|
||||
|
||||
@ -37,7 +37,7 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
|
||||
"Kind regards, \nTeam WebGoat";
|
||||
|
||||
|
||||
@PostMapping("/login")
|
||||
@PostMapping("/PasswordReset/reset/login")
|
||||
@ResponseBody
|
||||
public AttackResult login(@RequestParam String password, @RequestParam String email) {
|
||||
if (TOM_EMAIL.equals(email)) {
|
||||
@ -51,7 +51,7 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
|
||||
return trackProgress(failed().feedback("login_failed.tom").build());
|
||||
}
|
||||
|
||||
@GetMapping("/reset-password/{link}")
|
||||
@GetMapping("/PasswordReset/reset/reset-password/{link}")
|
||||
public String resetPassword(@PathVariable(value = "link") String link, Model model) {
|
||||
if (this.resetLinks.contains(link)) {
|
||||
PasswordChangeForm form = new PasswordChangeForm();
|
||||
@ -63,7 +63,7 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
|
||||
}
|
||||
}
|
||||
|
||||
@PostMapping("/change-password")
|
||||
@PostMapping("/PasswordReset/reset/change-password")
|
||||
public String changePassword(@ModelAttribute("form") PasswordChangeForm form, BindingResult bindingResult) {
|
||||
if (!org.springframework.util.StringUtils.hasText(form.getPassword())) {
|
||||
bindingResult.rejectValue("password", "not.empty");
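Review bot: The mappings in this class are now absolute (`@PostMapping("/PasswordReset/reset/login")` and the two below it) while `@AssignmentPath("/PasswordReset/reset")` stays on the class; if `@AssignmentPath` is still meta-annotated with a class-level `@RequestMapping`, these handlers would resolve under a doubled prefix, and this WIP commit carries no test that would catch it. Please add a MockMvc test that posts to `/PasswordReset/reset/login` and expects a 200, or state in the commit message that `@AssignmentPath` no longer contributes a request mapping. The same question applies to every other assignment in this commit.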
|
||||
|
@ -7,9 +7,7 @@ import org.springframework.beans.factory.annotation.Value;
|
||||
import org.springframework.http.HttpEntity;
|
||||
import org.springframework.http.HttpHeaders;
|
||||
import org.springframework.http.HttpMethod;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
import org.springframework.web.client.RestTemplate;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
@ -25,7 +23,7 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST;
|
||||
* @author nbaars
|
||||
* @since 8/20/17.
|
||||
*/
|
||||
@AssignmentPath("/PasswordReset/ForgotPassword")
|
||||
@RestController
|
||||
public class ResetLinkAssignmentForgotPassword extends AssignmentEndpoint {
|
||||
|
||||
private final RestTemplate restTemplate;
|
||||
@ -37,7 +35,7 @@ public class ResetLinkAssignmentForgotPassword extends AssignmentEndpoint {
|
||||
this.webWolfMailURL = webWolfMailURL;
|
||||
}
|
||||
|
||||
@RequestMapping(method = POST, value = "/create-password-reset-link")
|
||||
@PostMapping("/PasswordReset/ForgotPassword/create-password-reset-link")
|
||||
@ResponseBody
|
||||
public AttackResult sendPasswordResetLink(@RequestParam String email, HttpServletRequest request) {
|
||||
String resetLink = UUID.randomUUID().toString();
|
||||
@ -58,7 +56,7 @@ public class ResetLinkAssignmentForgotPassword extends AssignmentEndpoint {
|
||||
return success().feedback("email.send").feedbackArgs(email).build();
|
||||
}
|
||||
|
||||
private void sendMailToUser(@RequestParam String email, String host, String resetLink) {
|
||||
private void sendMailToUser(String email, String host, String resetLink) {
|
||||
int index = email.indexOf("@");
|
||||
String username = email.substring(0, index == -1 ? email.length() : index);
|
||||
PasswordResetEmail mail = PasswordResetEmail.builder()
|
||||
@ -78,5 +76,4 @@ public class ResetLinkAssignmentForgotPassword extends AssignmentEndpoint {
|
||||
//don't care
|
||||
}
|
||||
}
|
||||
|
||||
}
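Review bot: The explicit `RequestMapping`/`RequestParam`/`ResponseBody` imports are replaced by `import org.springframework.web.bind.annotation.*;`, which the rest of the project avoids; list `PostMapping`, `RequestParam`, `ResponseBody` and `RestController` explicitly instead. The same wildcard is introduced in SecurityQuestionAssignment, SecurePasswordsAssignment, SqlInjectionChallengeLogin, SqlInjectionLesson6a/6b, SqlInjectionQuiz, SqlInjectionLesson2/3/4/5b/8/10/10a and the last file of this chunk, while SqlInjectionLesson5 and SqlInjectionLesson9 in the same commit show the explicit form that should be used throughout. Removing `@RequestParam` from the private `sendMailToUser` parameter is a good cleanup.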
|
||||
|
@ -4,10 +4,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
@ -20,7 +17,7 @@ import static java.util.Optional.of;
|
||||
* @author Tobias Melzer
|
||||
* @since 11.12.18
|
||||
*/
|
||||
@AssignmentPath("/PasswordReset/SecurityQuestions")
|
||||
@RestController
|
||||
public class SecurityQuestionAssignment extends AssignmentEndpoint {
|
||||
|
||||
@Autowired
|
||||
@ -46,7 +43,7 @@ public class SecurityQuestionAssignment extends AssignmentEndpoint {
|
||||
questions.put("What is your favorite color?", "Can easily be guessed.");
|
||||
}
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
@PostMapping("/PasswordReset/SecurityQuestions")
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String question) {
|
||||
var answer = of(questions.get(question));
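Review bot: `var answer = of(questions.get(question));` wraps a map lookup in `Optional.of`, so a `question` value that is not a key of `questions` yields `null` and the call throws `NullPointerException` rather than the empty Optional the following code presumably expects; since `question` is a request parameter, any unknown value produces a 500 instead of a failed-assignment result. Use `ofNullable` — `var answer = ofNullable(questions.get(question));` — and switch the static import from `java.util.Optional.of` to `java.util.Optional.ofNullable`. The method body continues outside the hunk.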
|
||||
|
@ -9,6 +9,7 @@ import org.springframework.http.MediaType;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
import org.springframework.web.client.RestClientException;
|
||||
import org.springframework.web.client.RestTemplate;
|
||||
|
||||
@ -20,8 +21,7 @@ import static java.util.Optional.ofNullable;
|
||||
* @author nbaars
|
||||
* @since 8/20/17.
|
||||
*/
|
||||
@AssignmentPath("/PasswordReset/simple-mail")
|
||||
|
||||
@RestController
|
||||
public class SimpleMailAssignment extends AssignmentEndpoint {
|
||||
|
||||
private final String webWolfURL;
|
||||
@ -32,7 +32,7 @@ public class SimpleMailAssignment extends AssignmentEndpoint {
|
||||
this.webWolfURL = webWolfURL;
|
||||
}
|
||||
|
||||
@PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE)
|
||||
@PostMapping(path = "/PasswordReset/simple-mail", consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE)
|
||||
@ResponseBody
|
||||
public AttackResult login(@RequestParam String email, @RequestParam String password) {
|
||||
String emailAddress = ofNullable(email).orElse("unknown@webgoat.org");
|
||||
@ -45,7 +45,7 @@ public class SimpleMailAssignment extends AssignmentEndpoint {
|
||||
}
|
||||
}
|
||||
|
||||
@PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE, value = "/reset")
|
||||
@PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE, value = "/PasswordReset/simple-mail/reset")
|
||||
@ResponseBody
|
||||
public AttackResult resetPassword(@RequestParam String emailReset) {
|
||||
String email = ofNullable(emailReset).orElse("unknown@webgoat.org");
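Review bot: `ofNullable(email).orElse("unknown@webgoat.org")` in `login`, and the same pattern on `emailReset` in `resetPassword`, can never take the fallback branch, because a `@RequestParam` without `required = false` is rejected by Spring with a 400 before the method runs. Either declare the parameter `@RequestParam(required = false) String email` so the default is reachable, or drop the `ofNullable` wrapper and use `email` directly. Both method bodies continue outside their hunks.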
|
||||
|
@ -1,35 +1,19 @@
|
||||
package org.owasp.webgoat.plugin;
|
||||
|
||||
import com.nulabinc.zxcvbn.Feedback;
|
||||
import com.nulabinc.zxcvbn.Strength;
|
||||
import com.nulabinc.zxcvbn.Zxcvbn;
|
||||
import org.jruby.RubyProcess;
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
|
||||
import javax.tools.*;
|
||||
import java.io.IOException;
|
||||
import java.net.URI;
|
||||
import java.text.DecimalFormat;
|
||||
import java.text.DecimalFormatSymbols;
|
||||
import java.util.Arrays;
|
||||
import java.util.List;
|
||||
import java.util.Locale;
|
||||
import java.util.ResourceBundle;
|
||||
import java.util.concurrent.TimeUnit;
|
||||
import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
@AssignmentPath("SecurePasswords/assignment")
|
||||
@RestController
|
||||
public class SecurePasswordsAssignment extends AssignmentEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
@PostMapping("SecurePasswords/assignment")
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String password) {
|
||||
Zxcvbn zxcvbn = new Zxcvbn();
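Review bot: `@PostMapping("SecurePasswords/assignment")` (and the `@AssignmentPath` above it) omits the leading slash that every other mapping in this commit carries (`/PasswordReset/...`, `/SqlInjection/...`); Spring tolerates it by prepending one, but the inconsistency makes routes harder to grep and to compare with `@AssignmentPath`. Write it as `@PostMapping("/SecurePasswords/assignment")` and fix the same omission in SqlInjectionLesson10a's `@PostMapping("SqlInjectionMitigations/attack10a")` and its `@AssignmentPath`.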
|
||||
|
@ -13,6 +13,7 @@ import org.springframework.util.StringUtils;
|
||||
import org.springframework.web.bind.annotation.PutMapping;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
|
||||
import java.sql.*;
|
||||
|
||||
@ -20,7 +21,7 @@ import java.sql.*;
|
||||
* @author nbaars
|
||||
* @since 4/8/17.
|
||||
*/
|
||||
@AssignmentPath("/SqlInjectionAdvanced/challenge")
|
||||
@RestController
|
||||
@AssignmentHints(value = {"SqlInjectionChallenge1", "SqlInjectionChallenge2", "SqlInjectionChallenge3"})
|
||||
@Slf4j
|
||||
public class SqlInjectionChallenge extends AssignmentEndpoint {
|
||||
@ -36,7 +37,7 @@ public class SqlInjectionChallenge extends AssignmentEndpoint {
|
||||
log.info("Challenge 6 tablename is: {}", USERS_TABLE_NAME);
|
||||
}
|
||||
|
||||
@PutMapping //assignment path is bounded to class so we use different http method :-)
|
||||
@PutMapping("/SqlInjectionAdvanced/challenge") //assignment path is bounded to class so we use different http method :-)
|
||||
@ResponseBody
|
||||
public AttackResult registerNewUser(@RequestParam String username_reg, @RequestParam String email_reg, @RequestParam String password_reg) throws Exception {
|
||||
AttackResult attackResult = checkArguments(username_reg, email_reg, password_reg);
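Review bot: The trailing comment on `@PutMapping("/SqlInjectionAdvanced/challenge")`, `assignment path is bounded to class so we use different http method`, is now stale: the path lives on the method annotation, so the class-bound path is no longer the reason for using PUT. Either replace it with the actual reason PUT is kept (I cannot see the front-end from here), e.g. `// the lesson's registration form submits PUT; keep in sync with the JS`, or delete it. `registerNewUser` also declares `throws Exception`; narrowing it to what `checkArguments` and the JDBC code actually throw would let Spring's error handling distinguish failures, but the body continues outside the hunk.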
|
||||
|
@ -7,23 +7,20 @@ import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.DatabaseUtilities;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import java.sql.*;
|
||||
|
||||
import static org.springframework.web.bind.annotation.RequestMethod.POST;
|
||||
|
||||
@AssignmentPath("/SqlInjectionAdvanced/challenge_Login")
|
||||
@RestController
|
||||
@AssignmentHints(value ={"SqlInjectionChallengeHint1", "SqlInjectionChallengeHint2", "SqlInjectionChallengeHint3", "SqlInjectionChallengeHint4"})
|
||||
public class SqlInjectionChallengeLogin extends AssignmentEndpoint {
|
||||
|
||||
@Autowired
|
||||
private WebSession webSession;
|
||||
|
||||
|
||||
@RequestMapping(method = POST)
|
||||
@PostMapping("/SqlInjectionAdvanced/challenge_Login")
|
||||
@ResponseBody
|
||||
public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {
|
||||
Connection connection = DatabaseUtilities.getConnection(webSession);
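Review bot: `login` opens `Connection connection = DatabaseUtilities.getConnection(webSession);` as a bare local rather than in a try-with-resources, and declares `throws Exception`, so any failure after this point both leaks the connection and surfaces as a generic 500 carrying the raw exception. Wrap it as `try (Connection connection = DatabaseUtilities.getConnection(webSession)) {` and narrow the throws clause to `SQLException`; the method body continues outside the hunk, so confirm there is no `finally` block that already closes it.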
|
||||
|
@ -42,15 +42,14 @@ import java.sql.*;
|
||||
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
|
||||
* @created October 28, 2003
|
||||
*/
|
||||
@AssignmentPath("/SqlInjectionAdvanced/attack6a")
|
||||
@RestController
|
||||
@AssignmentHints(value = {"SqlStringInjectionHint-advanced-6a-1", "SqlStringInjectionHint-advanced-6a-2", "SqlStringInjectionHint-advanced-6a-3",
|
||||
"SqlStringInjectionHint-advanced-6a-4"})
|
||||
public class SqlInjectionLesson6a extends AssignmentEndpoint {
|
||||
|
||||
@PostMapping
|
||||
public
|
||||
@PostMapping("/SqlInjectionAdvanced/attack6a")
|
||||
@ResponseBody
|
||||
AttackResult completed(@RequestParam String userid_6a) throws IOException {
|
||||
public AttackResult completed(@RequestParam String userid_6a) throws IOException {
|
||||
return injectableQuery(userid_6a);
|
||||
// The answer: Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data --
|
||||
}
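Review bot: `completed` only returns `injectableQuery(userid_6a)` yet declares `throws IOException`; unless `injectableQuery` (outside the hunk) really throws it, the clause is dead and misleads callers. Drop it — `public AttackResult completed(@RequestParam String userid_6a) {` — or document why it stays. The same dead-looking clause is on SqlInjectionLesson6b.completed, SqlInjectionQuiz.completed and SqlInjectionLesson5b.completed, while lessons 2, 3, 4, 5, 8, 9 and 10 in this commit declare none for the identical one-line delegation.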
|
||||
|
@ -5,10 +5,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.DatabaseUtilities;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.sql.Connection;
|
||||
@ -47,10 +44,10 @@ import java.sql.Statement;
|
||||
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
|
||||
* @created October 28, 2003
|
||||
*/
|
||||
@AssignmentPath("/SqlInjectionAdvanced/attack6b")
|
||||
@RestController
|
||||
public class SqlInjectionLesson6b extends AssignmentEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
@PostMapping("/SqlInjectionAdvanced/attack6b")
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String userid_6b) throws IOException {
|
||||
if (userid_6b.toString().equals(getPassword())) {
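Review bot: `userid_6b.toString().equals(getPassword())` calls `toString()` on a value that is already a `String` (it is a `@RequestParam String`), which is a no-op and reads as if the parameter were some other type. Write it as `if (userid_6b.equals(getPassword())) {`. If `getPassword()` (outside the hunk) can return null, `Objects.equals(userid_6b, getPassword())` avoids the NPE; the method body continues outside the hunk.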
|
||||
|
@ -4,10 +4,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.DatabaseUtilities;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.sql.Connection;
|
||||
@ -21,13 +18,13 @@ import java.sql.Statement;
|
||||
* 3. add Request param with name of question to method head
|
||||
* For a more detailed description how to implement the quiz go to the quiz.js file in webgoat-container -> js
|
||||
*/
|
||||
@AssignmentPath("/SqlInjectionAdvanced/quiz")
|
||||
@RestController
|
||||
public class SqlInjectionQuiz extends AssignmentEndpoint {
|
||||
|
||||
String[] solutions = {"Solution 4", "Solution 3", "Solution 2", "Solution 3", "Solution 4"};
|
||||
boolean[] guesses = new boolean[solutions.length];
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
@PostMapping("/SqlInjectionAdvanced/quiz")
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String[] question_0_solution, @RequestParam String[] question_1_solution, @RequestParam String[] question_2_solution, @RequestParam String[] question_3_solution, @RequestParam String[] question_4_solution) throws IOException {
|
||||
int correctAnswers = 0;
|
||||
@ -52,7 +49,7 @@ public class SqlInjectionQuiz extends AssignmentEndpoint {
|
||||
}
|
||||
}
|
||||
|
||||
@RequestMapping(method = RequestMethod.GET)
|
||||
@GetMapping("/SqlInjectionAdvanced/quiz")
|
||||
@ResponseBody
|
||||
public boolean[] getResults() {
|
||||
return this.guesses;
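Review bot: `boolean[] guesses` is an instance field of a singleton `@RestController`, so the results written by one user's POST to `/SqlInjectionAdvanced/quiz` are returned to every other user by `getResults()`, and two concurrent submissions race on the same array. Keep per-user answers in session-scoped state (the `UserSessionData` bean that Users.java injects, or another session-scoped holder) rather than on the controller, and have `getResults()` return a copy rather than the internal array, `return this.guesses.clone();`, so callers cannot mutate it. `solutions` never changes and should be `private static final`. The `completed` body continues outside the hunk.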
|
||||
|
@ -6,21 +6,17 @@ import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.DatabaseUtilities;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import java.sql.*;
|
||||
|
||||
@AssignmentPath("/SqlInjection/attack10")
|
||||
@RestController
|
||||
@AssignmentHints(value = {"SqlStringInjectionHint.10.1", "SqlStringInjectionHint.10.2", "SqlStringInjectionHint.10.3", "SqlStringInjectionHint.10.4", "SqlStringInjectionHint.10.5", "SqlStringInjectionHint.10.6"})
|
||||
public class SqlInjectionLesson10 extends AssignmentEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
public
|
||||
@PostMapping("/SqlInjection/attack10")
|
||||
@ResponseBody
|
||||
AttackResult completed(@RequestParam String action_string) {
|
||||
public AttackResult completed(@RequestParam String action_string) {
|
||||
return injectableQueryAvailability(action_string);
|
||||
}
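Review bot: The handler parameter `action_string` keeps a snake_case name because it doubles as the form-field name; Java convention is lowerCamelCase, and `@RequestParam` can bind the field explicitly, `public AttackResult completed(@RequestParam("action_string") String actionString) {`, so the signature follows project style without changing the HTTP contract. The same pattern appears on `userid_6a`, `userid_6b`, `username_reg`/`email_reg`/`password_reg`, `username_login`/`password_login`, `login_count`, `auth_tan` and the `question_N_solution` parameters elsewhere in this commit; any fix should be applied consistently rather than file by file.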
|
||||
|
||||
|
@ -6,10 +6,7 @@ import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.DatabaseUtilities;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.sql.*;
|
||||
@ -45,14 +42,13 @@ import java.sql.*;
|
||||
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
|
||||
* @created October 28, 2003
|
||||
*/
|
||||
@AssignmentPath("/SqlInjection/attack2")
|
||||
@RestController
|
||||
@AssignmentHints(value = {"SqlStringInjectionHint2-1", "SqlStringInjectionHint2-2", "SqlStringInjectionHint2-3", "SqlStringInjectionHint2-4"})
|
||||
public class SqlInjectionLesson2 extends AssignmentEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
public
|
||||
@PostMapping("/SqlInjection/attack2")
|
||||
@ResponseBody
|
||||
AttackResult completed(@RequestParam String query) {
|
||||
public AttackResult completed(@RequestParam String query) {
|
||||
return injectableQuery(query);
|
||||
}
|
||||
|
||||
|
@ -6,10 +6,7 @@ import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.DatabaseUtilities;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.sql.*;
|
||||
@ -45,14 +42,13 @@ import java.sql.*;
|
||||
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
|
||||
* @created October 28, 2003
|
||||
*/
|
||||
@AssignmentPath("/SqlInjection/attack3")
|
||||
@RestController
|
||||
@AssignmentHints(value = {"SqlStringInjectionHint3-1", "SqlStringInjectionHint3-2"})
|
||||
public class SqlInjectionLesson3 extends AssignmentEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
public
|
||||
@PostMapping("/SqlInjection/attack3")
|
||||
@ResponseBody
|
||||
AttackResult completed(@RequestParam String query) {
|
||||
public AttackResult completed(@RequestParam String query) {
|
||||
return injectableQuery(query);
|
||||
}
|
||||
|
||||
|
@ -6,10 +6,7 @@ import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.DatabaseUtilities;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.sql.*;
|
||||
@ -45,22 +42,19 @@ import java.sql.*;
|
||||
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
|
||||
* @created October 28, 2003
|
||||
*/
|
||||
@AssignmentPath("/SqlInjection/attack4")
|
||||
@RestController
|
||||
@AssignmentHints(value = {"SqlStringInjectionHint4-1", "SqlStringInjectionHint4-2", "SqlStringInjectionHint4-3"})
|
||||
public class SqlInjectionLesson4 extends AssignmentEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
public
|
||||
@PostMapping("/SqlInjection/attack4")
|
||||
@ResponseBody
|
||||
AttackResult completed(@RequestParam String query) {
|
||||
public AttackResult completed(@RequestParam String query) {
|
||||
return injectableQuery(query);
|
||||
}
|
||||
|
||||
protected AttackResult injectableQuery(String _query) {
|
||||
try {
|
||||
Connection connection = DatabaseUtilities.getConnection(getWebSession());
|
||||
String query = _query;
|
||||
|
||||
try {
|
||||
Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
|
||||
ResultSet.CONCUR_READ_ONLY);
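Review bot: `injectableQuery(String _query)` immediately copies its argument into `String query = _query;`, an alias that adds nothing and uses a leading-underscore parameter name the rest of the codebase does not; name the parameter `query` and drop the local. The connection on the preceding line is obtained outside the inner `try` that creates the statement, and no try-with-resources is visible, so confirm it is closed on the exception path; the method continues outside the hunk. SqlInjectionLesson5 has the same `_query` alias.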
|
||||
|
@ -3,16 +3,11 @@ package org.owasp.webgoat.plugin.introduction;
|
||||
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.DatabaseUtilities;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.sql.*;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
|
||||
|
||||
/***************************************************************************************************
|
||||
@ -45,20 +40,18 @@ import java.sql.*;
|
||||
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
|
||||
* @created October 28, 2003
|
||||
*/
|
||||
@AssignmentPath("/SqlInjection/attack5")
|
||||
@RestController
|
||||
@AssignmentHints(value = {"SqlStringInjectionHint5-a"})
|
||||
public class SqlInjectionLesson5 extends AssignmentEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
public
|
||||
@PostMapping("/SqlInjection/attack5")
|
||||
@ResponseBody
|
||||
AttackResult completed(@RequestParam String query) {
|
||||
public AttackResult completed(@RequestParam String query) {
|
||||
return injectableQuery(query);
|
||||
}
|
||||
|
||||
protected AttackResult injectableQuery(String _query) {
|
||||
try {
|
||||
String query = _query;
|
||||
String regex = "(?i)^(grant alter table to unauthorizedUser)(?:[;]?)$";
|
||||
Boolean isCorrect = false;
|
||||
StringBuffer output = new StringBuffer();
|
||||
@ -70,7 +63,6 @@ public class SqlInjectionLesson5 extends AssignmentEndpoint {
|
||||
} else {
|
||||
return trackProgress(failed().output(output.toString()).build());
|
||||
}
|
||||
|
||||
} catch (Exception e) {
|
||||
return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage()).build());
|
||||
}
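Review bot: The newly added `import org.springframework.web.bind.annotation.RestController;` is placed after the `java.*` imports instead of with the other `org.springframework.web.bind.annotation` imports near the top, which breaks the file's import grouping; move it up next to `ResponseBody`. In `injectableQuery`, `Boolean isCorrect = false;` boxes a flag that is only tested locally and `StringBuffer output` adds synchronization a request-local buffer never needs; `boolean isCorrect = false;` and `StringBuilder output = new StringBuilder();` are the idiomatic forms. The `catch (Exception e)` at the end echoes `e.getMessage()` into the response; that is presumably intentional for a lesson but deserves a one-line comment saying so.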
|
||||
|
@ -41,7 +41,7 @@ import java.sql.*;
|
||||
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
|
||||
* @created October 28, 2003
|
||||
*/
|
||||
@AssignmentPath("/SqlInjection/assignment5a")
|
||||
@RestController
|
||||
@AssignmentHints(value = {"SqlStringInjectionHint5a1"})
|
||||
public class SqlInjectionLesson5a extends AssignmentEndpoint {
|
||||
|
||||
@ -50,10 +50,9 @@ public class SqlInjectionLesson5a extends AssignmentEndpoint {
|
||||
+ "So the injected query basically looks like this: <span style=\"font-style: italic\">SELECT * FROM user_data WHERE first_name = 'John' and last_name = '' or TRUE</span>, "
|
||||
+ "which will always evaluate to true, no matter what came before it.";
|
||||
|
||||
@PostMapping
|
||||
public
|
||||
@PostMapping("/SqlInjection/assignment5a")
|
||||
@ResponseBody
|
||||
AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {
|
||||
public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {
|
||||
return injectableQuery(account + " " + operator + " " + injection);
|
||||
}
|
||||
|
||||
|
@ -6,10 +6,7 @@ import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.DatabaseUtilities;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import java.io.IOException;
|
||||
@ -46,18 +43,16 @@ import java.sql.*;
|
||||
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
|
||||
* @created October 28, 2003
|
||||
*/
|
||||
@AssignmentPath("/SqlInjection/assignment5b")
|
||||
@RestController
|
||||
@AssignmentHints(value = {"SqlStringInjectionHint5b1", "SqlStringInjectionHint5b2", "SqlStringInjectionHint5b3", "SqlStringInjectionHint5b4"})
|
||||
public class SqlInjectionLesson5b extends AssignmentEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
public
|
||||
@PostMapping("/SqlInjection/assignment5b")
|
||||
@ResponseBody
|
||||
AttackResult completed(@RequestParam String userid, @RequestParam String login_count, HttpServletRequest request) throws IOException {
|
||||
public AttackResult completed(@RequestParam String userid, @RequestParam String login_count, HttpServletRequest request) throws IOException {
|
||||
return injectableQuery(login_count, userid);
|
||||
}
|
||||
|
||||
|
||||
protected AttackResult injectableQuery(String login_count, String accountName) {
|
||||
String queryString = "SELECT * From user_data WHERE Login_Count = ? and userid= " + accountName;
|
||||
try {
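Review bot: `completed(@RequestParam String userid, @RequestParam String login_count, HttpServletRequest request)` accepts an `HttpServletRequest` that is never passed to `injectableQuery(login_count, userid)` or used elsewhere in the hunk, so it is dead and drags the `javax.servlet` import along; drop it: `public AttackResult completed(@RequestParam String userid, @RequestParam String login_count) throws IOException {`. Note also that the argument order flips between signature (`userid, login_count`) and call (`login_count, userid`); that matches `injectableQuery(String login_count, String accountName)` but is easy to get wrong, so reordering the handler parameters or adding a comment would help.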
|
||||
|
@ -6,23 +6,20 @@ import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.DatabaseUtilities;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import java.util.Calendar;
|
||||
import java.text.SimpleDateFormat;
|
||||
|
||||
import java.sql.*;
|
||||
|
||||
@AssignmentPath("/SqlInjection/attack8")
|
||||
@RestController
|
||||
@AssignmentHints(value = {"SqlStringInjectionHint.8.1", "SqlStringInjectionHint.8.2", "SqlStringInjectionHint.8.3", "SqlStringInjectionHint.8.4", "SqlStringInjectionHint.8.5"})
|
||||
public class SqlInjectionLesson8 extends AssignmentEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
public
|
||||
@PostMapping("/SqlInjection/attack8")
|
||||
@ResponseBody
|
||||
AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
|
||||
public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
|
||||
return injectableQueryConfidentiality(name, auth_tan);
|
||||
}
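Review bot: The import block keeps `java.util.Calendar` and `java.text.SimpleDateFormat` while the commit is already tidying imports; whatever timestamp they build in the body (outside the hunk) can be expressed with `java.time.LocalDateTime` and a `static final DateTimeFormatter`, which is thread-safe where `SimpleDateFormat` is not. If a `SimpleDateFormat` is held in a field of this singleton controller that is a real concurrency bug; if it is a local, this is only a modernization.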
|
||||
|
||||
|
@ -3,24 +3,25 @@ package org.owasp.webgoat.plugin.introduction;
|
||||
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.DatabaseUtilities;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
|
||||
import java.sql.*;
|
||||
import java.sql.Connection;
|
||||
import java.sql.ResultSet;
|
||||
import java.sql.SQLException;
|
||||
import java.sql.Statement;
|
||||
|
||||
@AssignmentPath("/SqlInjection/attack9")
|
||||
@RestController
|
||||
@AssignmentHints(value = {"SqlStringInjectionHint.9.1", "SqlStringInjectionHint.9.2", "SqlStringInjectionHint.9.3", "SqlStringInjectionHint.9.4", "SqlStringInjectionHint.9.5"})
|
||||
public class SqlInjectionLesson9 extends AssignmentEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
public
|
||||
@PostMapping("/SqlInjection/attack9")
|
||||
@ResponseBody
|
||||
AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
|
||||
public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
|
||||
return injectableQueryIntegrity(name, auth_tan);
|
||||
}
|
||||
|
||||
|
@ -8,25 +8,19 @@ import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
@AssignmentPath("SqlInjectionMitigations/attack10a")
|
||||
@RestController
|
||||
@Slf4j
|
||||
@AssignmentHints(value = {"SqlStringInjectionHint-mitigation-10a-1", "SqlStringInjectionHint-mitigation-10a-10a2"})
|
||||
public class SqlInjectionLesson10a extends AssignmentEndpoint {
|
||||
|
||||
@Autowired
|
||||
private WebSession webSession;
|
||||
// @TODO: Maybe provide regex instead of "hard coded" strings
|
||||
private String[] results = {"getConnection", "PreparedStatement", "prepareStatement", "?", "?", "setString", "setString"};
|
||||
|
||||
// @TODO Method head too big, better solution?
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
@PostMapping("SqlInjectionMitigations/attack10a")
|
||||
@ResponseBody
|
||||
@SneakyThrows
|
||||
public AttackResult completed(@RequestParam String field1, @RequestParam String field2, @RequestParam String field3, @RequestParam String field4, @RequestParam String field5, @RequestParam String field6, @RequestParam String field7) {
|
||||
String[] userInput = {field1, field2, field3, field4, field5, field6, field7};
|
||||
int position = 0;
|
||||
|
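Review bot: The lesson path now lives in two places in SqlInjectionLesson10a — `@AssignmentPath("SqlInjectionMitigations/attack10a")` on the class and `@PostMapping("SqlInjectionMitigations/attack10a")` on `completed` — so the two strings can drift apart without any compile-time signal; the same duplication appears in Lesson9, 10b, 12a, SSRFTask1/2, VulnerableComponentsLesson and the three XXE assignments. If `@AssignmentPath` still drives routing, leaving `@PostMapping` without a path, or deriving both from one constant, keeps the string in a single place. The explicit `org.springframework.web.bind.annotation` imports are also collapsed into a wildcard here and in most of the other touched files while SimpleXXE keeps them explicit; one style across the commit would be preferable. `completed` continues past the end of the hunk.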
@ -4,10 +4,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.tools.*;
|
||||
@ -18,11 +15,11 @@ import java.util.List;
|
||||
import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
@AssignmentPath("SqlInjectionMitigations/attack10b")
|
||||
@RestController
|
||||
@AssignmentHints(value = {"SqlStringInjectionHint-mitigation-10b-1", "SqlStringInjectionHint-mitigation-10b-2", "SqlStringInjectionHint-mitigation-10b-3", "SqlStringInjectionHint-mitigation-10b-4", "SqlStringInjectionHint-mitigation-10b-5"})
|
||||
public class SqlInjectionLesson10b extends AssignmentEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
@PostMapping("SqlInjectionMitigations/attack10b")
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String editor) {
|
||||
try {
|
||||
|
@ -4,23 +4,24 @@ import lombok.SneakyThrows;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.DatabaseUtilities;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
|
||||
import java.sql.*;
|
||||
import java.sql.Connection;
|
||||
import java.sql.PreparedStatement;
|
||||
import java.sql.ResultSet;
|
||||
|
||||
/**
|
||||
* @author nbaars
|
||||
* @since 6/13/17.
|
||||
*/
|
||||
@AssignmentPath("SqlInjectionMitigations/attack12a")
|
||||
@RestController
|
||||
@AssignmentHints(value = {"SqlStringInjectionHint-mitigation-12a-1", "SqlStringInjectionHint-mitigation-12a-2", "SqlStringInjectionHint-mitigation-12a-3", "SqlStringInjectionHint-mitigation-12a-4"})
|
||||
@Slf4j
|
||||
public class SqlInjectionLesson12a extends AssignmentEndpoint {
|
||||
@ -28,7 +29,7 @@ public class SqlInjectionLesson12a extends AssignmentEndpoint {
|
||||
@Autowired
|
||||
private WebSession webSession;
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
@PostMapping("SqlInjectionMitigations/attack12a")
|
||||
@ResponseBody
|
||||
@SneakyThrows
|
||||
public AttackResult completed(@RequestParam String ip) {
|
||||
@ -42,6 +43,4 @@ public class SqlInjectionLesson12a extends AssignmentEndpoint {
|
||||
}
|
||||
return trackProgress(failed().build());
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
}
|
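Review bot: `import java.sql.*;` sits next to explicit `java.sql.Connection`, `java.sql.PreparedStatement` and `java.sql.ResultSet` imports in SqlInjectionLesson12a, so one of the two forms is redundant; Lesson9 has the same pairing (`java.sql.*` plus `Connection`, `ResultSet`, `SQLException`, `Statement`). Keeping the explicit imports and dropping the wildcard makes it obvious which JDBC types the lesson relies on. Which side of the hunk each import line sits on is not recoverable from this rendering, so confirm against the raw diff before tidying. The body of `completed(@RequestParam String ip)` and the brace changes in `@ -42,6 +43,4 @@` are not fully visible here.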
@ -4,10 +4,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
@ -22,77 +19,75 @@ import java.net.URLConnection;
|
||||
|
||||
/**
|
||||
* *************************************************************************************************
|
||||
*
|
||||
*
|
||||
* <p>
|
||||
* <p>
|
||||
* This file is part of WebGoat, an Open Web Application Security Project
|
||||
* utility. For details, please see http://www.owasp.org/
|
||||
*
|
||||
* <p>
|
||||
* Copyright (c) 2002 - 2014 Bruce Mayhew
|
||||
*
|
||||
* <p>
|
||||
* This program is free software; you can redistribute it and/or modify it under
|
||||
* the terms of the GNU General Public License as published by the Free Software
|
||||
* Foundation; either version 2 of the License, or (at your option) any later
|
||||
* version.
|
||||
*
|
||||
* <p>
|
||||
* This program is distributed in the hope that it will be useful, but WITHOUT
|
||||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
||||
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
||||
* details.
|
||||
*
|
||||
* <p>
|
||||
* You should have received a copy of the GNU General Public License along with
|
||||
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
|
||||
* Place - Suite 330, Boston, MA 02111-1307, USA.
|
||||
*
|
||||
* <p>
|
||||
* Getting Source ==============
|
||||
*
|
||||
* <p>
|
||||
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
|
||||
* for free software projects.
|
||||
*
|
||||
* <p>
|
||||
* For details, please see http://webgoat.github.io
|
||||
*
|
||||
* @author Alex Fry <a href="http://code.google.com/p/webgoat">WebGoat</a>
|
||||
* @created December 26, 2018
|
||||
*/
|
||||
@AssignmentPath("/SSRF/task1")
|
||||
@AssignmentHints({"ssrf.hint1","ssrf.hint2"})
|
||||
@RestController
|
||||
@AssignmentHints({"ssrf.hint1", "ssrf.hint2"})
|
||||
public class SSRFTask1 extends AssignmentEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
public @ResponseBody
|
||||
|
||||
AttackResult completed(@RequestParam String url) throws IOException {
|
||||
@PostMapping("/SSRF/task1")
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String url) {
|
||||
return stealTheCheese(url);
|
||||
}
|
||||
|
||||
protected AttackResult stealTheCheese(String url) {
|
||||
try {
|
||||
StringBuffer html = new StringBuffer();
|
||||
StringBuffer html = new StringBuffer();
|
||||
|
||||
if (url.matches("images/tom.png")) {
|
||||
html.append("<img class=\"image\" alt=\"Tom\" src=\"images/tom.png\" width=\"25%\" height=\"25%\">");
|
||||
return trackProgress(failed()
|
||||
.feedback("ssrf.tom")
|
||||
.output(html.toString())
|
||||
.build());
|
||||
}else if (url.matches("images/jerry.png")){
|
||||
html.append("<img class=\"image\" alt=\"Jerry\" src=\"images/jerry.png\" width=\"25%\" height=\"25%\">");
|
||||
return trackProgress(success()
|
||||
.feedback("ssrf.success")
|
||||
.output(html.toString())
|
||||
.build());
|
||||
}else{
|
||||
html.append("<img class=\"image\" alt=\"Silly Cat\" src=\"images/cat.jpg\">");
|
||||
return trackProgress(failed()
|
||||
.feedback("ssrf.failure")
|
||||
.output(html.toString())
|
||||
.build());
|
||||
}
|
||||
|
||||
}catch(Exception e) {
|
||||
e.printStackTrace();
|
||||
if (url.matches("images/tom.png")) {
|
||||
html.append("<img class=\"image\" alt=\"Tom\" src=\"images/tom.png\" width=\"25%\" height=\"25%\">");
|
||||
return trackProgress(failed()
|
||||
.output(e.getMessage())
|
||||
.build());
|
||||
.feedback("ssrf.tom")
|
||||
.output(html.toString())
|
||||
.build());
|
||||
} else if (url.matches("images/jerry.png")) {
|
||||
html.append("<img class=\"image\" alt=\"Jerry\" src=\"images/jerry.png\" width=\"25%\" height=\"25%\">");
|
||||
return trackProgress(success()
|
||||
.feedback("ssrf.success")
|
||||
.output(html.toString())
|
||||
.build());
|
||||
} else {
|
||||
html.append("<img class=\"image\" alt=\"Silly Cat\" src=\"images/cat.jpg\">");
|
||||
return trackProgress(failed()
|
||||
.feedback("ssrf.failure")
|
||||
.output(html.toString())
|
||||
.build());
|
||||
}
|
||||
} catch (Exception e) {
|
||||
e.printStackTrace();
|
||||
return trackProgress(failed()
|
||||
.output(e.getMessage())
|
||||
.build());
|
||||
}
|
||||
}
|
||||
}
|
||||
|
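Review bot: `url.matches("images/tom.png")` and `url.matches("images/jerry.png")` in `stealTheCheese` are regex matches rather than string comparisons — the unescaped `.` accepts any character in that position — and SSRFTask2's `furBall` repeats the pattern with `url.matches("http://ifconfig.pro")`. Since an exact comparison is intended, `"images/tom.png".equals(url)` states that directly and avoids compiling a regex on every request. `StringBuffer html` is only ever touched by one thread, so `StringBuilder` is the conventional choice. `e.printStackTrace()` in the catch writes to stderr instead of the application log; the `@Slf4j` logger already used in SqlInjectionLesson10a and 12a in this commit, `log.error("SSRF task failed", e)`, would keep it with the rest of the logs.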
@ -4,10 +4,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
@ -22,80 +19,78 @@ import java.net.URLConnection;
|
||||
|
||||
/**
|
||||
* *************************************************************************************************
|
||||
*
|
||||
*
|
||||
* <p>
|
||||
* <p>
|
||||
* This file is part of WebGoat, an Open Web Application Security Project
|
||||
* utility. For details, please see http://www.owasp.org/
|
||||
*
|
||||
* <p>
|
||||
* Copyright (c) 2002 - 2014 Bruce Mayhew
|
||||
*
|
||||
* <p>
|
||||
* This program is free software; you can redistribute it and/or modify it under
|
||||
* the terms of the GNU General Public License as published by the Free Software
|
||||
* Foundation; either version 2 of the License, or (at your option) any later
|
||||
* version.
|
||||
*
|
||||
* <p>
|
||||
* This program is distributed in the hope that it will be useful, but WITHOUT
|
||||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
||||
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
||||
* details.
|
||||
*
|
||||
* <p>
|
||||
* You should have received a copy of the GNU General Public License along with
|
||||
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
|
||||
* Place - Suite 330, Boston, MA 02111-1307, USA.
|
||||
*
|
||||
* <p>
|
||||
* Getting Source ==============
|
||||
*
|
||||
* <p>
|
||||
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
|
||||
* for free software projects.
|
||||
*
|
||||
* <p>
|
||||
* For details, please see http://webgoat.github.io
|
||||
*
|
||||
* @author Alex Fry <a href="http://code.google.com/p/webgoat">WebGoat</a>
|
||||
* @created December 26, 2018
|
||||
*/
|
||||
@AssignmentPath("/SSRF/task2")
|
||||
@RestController
|
||||
@AssignmentHints({"ssrf.hint3"})
|
||||
public class SSRFTask2 extends AssignmentEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
public @ResponseBody
|
||||
|
||||
AttackResult completed(@RequestParam String url) throws IOException {
|
||||
@PostMapping("/SSRF/task2")
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String url) {
|
||||
return furBall(url);
|
||||
}
|
||||
|
||||
protected AttackResult furBall(String url) {
|
||||
try {
|
||||
StringBuffer html = new StringBuffer();
|
||||
StringBuffer html = new StringBuffer();
|
||||
|
||||
if (url.matches("http://ifconfig.pro")){
|
||||
URL u = new URL(url);
|
||||
URLConnection urlConnection = u.openConnection();
|
||||
BufferedReader in = new BufferedReader(new InputStreamReader(urlConnection.getInputStream()));
|
||||
String inputLine;
|
||||
|
||||
while ((inputLine = in.readLine()) != null) {
|
||||
html.append(inputLine);
|
||||
}
|
||||
in.close();
|
||||
if (url.matches("http://ifconfig.pro")) {
|
||||
URL u = new URL(url);
|
||||
URLConnection urlConnection = u.openConnection();
|
||||
BufferedReader in = new BufferedReader(new InputStreamReader(urlConnection.getInputStream()));
|
||||
String inputLine;
|
||||
|
||||
return trackProgress(success()
|
||||
.feedback("ssrf.success")
|
||||
.output(html.toString())
|
||||
.build());
|
||||
}else{
|
||||
html.append("<img class=\"image\" alt=\"image post\" src=\"images/cat.jpg\">");
|
||||
return trackProgress(failed()
|
||||
.feedback("ssrf.failure")
|
||||
.output(html.toString())
|
||||
.build());
|
||||
while ((inputLine = in.readLine()) != null) {
|
||||
html.append(inputLine);
|
||||
}
|
||||
|
||||
}catch(Exception e) {
|
||||
e.printStackTrace();
|
||||
in.close();
|
||||
|
||||
return trackProgress(success()
|
||||
.feedback("ssrf.success")
|
||||
.output(html.toString())
|
||||
.build());
|
||||
} else {
|
||||
html.append("<img class=\"image\" alt=\"image post\" src=\"images/cat.jpg\">");
|
||||
return trackProgress(failed()
|
||||
.output(e.getMessage())
|
||||
.build());
|
||||
.feedback("ssrf.failure")
|
||||
.output(html.toString())
|
||||
.build());
|
||||
}
|
||||
} catch (Exception e) {
|
||||
e.printStackTrace();
|
||||
return trackProgress(failed()
|
||||
.output(e.getMessage())
|
||||
.build());
|
||||
}
|
||||
}
|
||||
}
|
||||
|
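Review bot: In `furBall` the `BufferedReader in` is closed only on the success path — if `readLine()` throws, the reader and the underlying connection stay open, because the `catch (Exception e)` returns without ever reaching `in.close()` — and `InputStreamReader` is constructed without a charset, so decoding depends on the platform default. Wrapping the reader in try-with-resources and naming `StandardCharsets.UTF_8` (import `java.nio.charset.StandardCharsets`) fixes both; the outer try/catch and the `else` branch are unchanged. The `matches` vs `equals` point raised on SSRFTask1 applies to `url.matches("http://ifconfig.pro")` here as well.
```java
if (url.matches("http://ifconfig.pro")) {
    URL u = new URL(url);
    URLConnection urlConnection = u.openConnection();
    try (BufferedReader in = new BufferedReader(
            new InputStreamReader(urlConnection.getInputStream(), StandardCharsets.UTF_8))) {
        String inputLine;
        while ((inputLine = in.readLine()) != null) {
            html.append(inputLine);
        }
    }
    // … unchanged: success() result with html.toString() …
```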
@ -5,61 +5,57 @@ import com.thoughtworks.xstream.io.xml.DomDriver;
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import java.io.IOException;
|
||||
|
||||
/**
|
||||
* *************************************************************************************************
|
||||
*
|
||||
*
|
||||
* <p>
|
||||
* <p>
|
||||
* This file is part of WebGoat, an Open Web Application Security Project
|
||||
* utility. For details, please see http://www.owasp.org/
|
||||
*
|
||||
* <p>
|
||||
* Copyright (c) 2002 - 20014 Bruce Mayhew
|
||||
*
|
||||
* <p>
|
||||
* This program is free software; you can redistribute it and/or modify it under
|
||||
* the terms of the GNU General Public License as published by the Free Software
|
||||
* Foundation; either version 2 of the License, or (at your option) any later
|
||||
* version.
|
||||
*
|
||||
* <p>
|
||||
* This program is distributed in the hope that it will be useful, but WITHOUT
|
||||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
||||
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
||||
* details.
|
||||
*
|
||||
* <p>
|
||||
* You should have received a copy of the GNU General Public License along with
|
||||
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
|
||||
* Place - Suite 330, Boston, MA 02111-1307, USA.
|
||||
*
|
||||
* <p>
|
||||
* Getting Source ==============
|
||||
*
|
||||
* <p>
|
||||
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
|
||||
* for free software projects.
|
||||
*
|
||||
* <p>
|
||||
* For details, please see http://webgoat.github.io
|
||||
*
|
||||
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
|
||||
* @created October 28, 2003
|
||||
*/
|
||||
@AssignmentPath("/VulnerableComponents/attack1")
|
||||
@RestController
|
||||
//@AssignmentHints({"http-basics.hints.http_basics_lesson.1"})
|
||||
public class VulnerableComponentsLesson extends AssignmentEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
public @ResponseBody AttackResult completed(@RequestParam String payload) throws IOException {
|
||||
|
||||
|
||||
@PostMapping("/VulnerableComponents/attack1")
|
||||
public @ResponseBody
|
||||
AttackResult completed(@RequestParam String payload) {
|
||||
XStream xstream = new XStream(new DomDriver());
|
||||
xstream.setClassLoader(Contact.class.getClassLoader());
|
||||
|
||||
xstream.processAnnotations(Contact.class);
|
||||
// xstream.registerConverter(new ContactConverter());
|
||||
// xstream.registerConverter(new CatchAllConverter(), XStream.PRIORITY_VERY_LOW);
|
||||
|
||||
|
||||
// Contact c = new Contact();
|
||||
// c.setName("Alvaro");
|
||||
// String sc = xstream.toXML(c);
|
||||
@ -85,16 +81,11 @@ public class VulnerableComponentsLesson extends AssignmentEndpoint {
|
||||
// System.out.println("Payload:" + payload);
|
||||
Contact expl = (Contact) xstream.fromXML(payload);
|
||||
return trackProgress(success().feedback("vulnerable-components.fromXML").feedbackArgs(expl.toString()).build());
|
||||
|
||||
} catch (com.thoughtworks.xstream.converters.ConversionException ex) {
|
||||
if (ex.getMessage().contains("Integer"))
|
||||
{
|
||||
if (ex.getMessage().contains("Integer")) {
|
||||
return trackProgress(success().feedback("vulnerable-components.success").build());
|
||||
}
|
||||
}
|
||||
return trackProgress(failed().feedback("vulnerable-components.close").build());
|
||||
}
|
||||
|
||||
|
||||
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
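Review bot: `completed` keeps the `public @ResponseBody` / `AttackResult completed(...)` split layout while every other endpoint in this commit moves `@ResponseBody` onto its own line above `public AttackResult completed(...)`; aligning it here keeps the method heads uniform. Only `ConversionException` is caught around `xstream.fromXML(payload)` (the `try` opens outside the hunk), so other `XStreamException` subclasses raised for malformed input — presumably `StreamException` for non-XML — now escape the handler as an unhandled error rather than a `failed()` result; a broader `catch (XStreamException ex)` falling through to `failed()` would be worth considering. The commented-out converter registrations, the `// Contact c = ...` block and `// System.out.println("Payload:" + payload);` are dead code in the new body and could be deleted.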
@ -10,10 +10,7 @@ import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.beans.factory.annotation.Value;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.web.bind.annotation.RequestBody;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import javax.annotation.PostConstruct;
|
||||
import java.io.File;
|
||||
@ -49,7 +46,7 @@ import static org.apache.commons.lang3.RandomStringUtils.randomAlphabetic;
|
||||
* @version $Id: $Id
|
||||
* @since November 18, 2016
|
||||
*/
|
||||
@AssignmentPath("xxe/blind")
|
||||
@RestController
|
||||
@AssignmentHints({"xxe.blind.hints.1","xxe.blind.hints.2","xxe.blind.hints.3","xxe.blind.hints.4","xxe.blind.hints.5"})
|
||||
public class BlindSendFileAssignment extends AssignmentEndpoint {
|
||||
|
||||
@ -69,9 +66,9 @@ public class BlindSendFileAssignment extends AssignmentEndpoint {
|
||||
Files.write(CONTENTS, new File(targetDirectory, "secret.txt"), Charsets.UTF_8);
|
||||
}
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST, consumes = MediaType.ALL_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
|
||||
@PostMapping(path = "xxe/blind", consumes = MediaType.ALL_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
|
||||
@ResponseBody
|
||||
public AttackResult addComment(@RequestBody String commentStr) throws Exception {
|
||||
public AttackResult addComment(@RequestBody String commentStr) {
|
||||
//Solution is posted as a separate comment
|
||||
if (commentStr.contains(CONTENTS)) {
|
||||
return trackProgress(success().build());
|
||||
|
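Review bot: `addComment` drops `throws Exception`, but the body after `if (commentStr.contains(CONTENTS))` lies outside the hunk; if it still calls checked-throwing code, as the old signature suggests it may, the class will not compile until those calls are handled or the clause is restored, so a build check before this WIP lands is advisable. The comment `//Solution is posted as a separate comment` would be clearer as `// CONTENTS was written to secret.txt earlier in this class; finding it in the posted comment marks the assignment solved.`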
@ -2,6 +2,7 @@ package org.owasp.webgoat.plugin;
|
||||
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
@ -21,7 +22,7 @@ public class CommentsEndpoint {
|
||||
@Autowired
|
||||
private Comments comments;
|
||||
|
||||
@RequestMapping(method = GET, produces = MediaType.APPLICATION_JSON_VALUE)
|
||||
@GetMapping(produces = MediaType.APPLICATION_JSON_VALUE)
|
||||
@ResponseBody
|
||||
public Collection<Comment> retrieveComments() {
|
||||
return comments.getComments();
|
||||
|
@ -42,14 +42,13 @@ import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
|
||||
* @version $Id: $Id
|
||||
* @since November 17, 2016
|
||||
*/
|
||||
@AssignmentPath("xxe/content-type")
|
||||
@RestController
|
||||
@AssignmentHints({"xxe.hints.content.type.xxe.1", "xxe.hints.content.type.xxe.2"})
|
||||
public class ContentTypeAssignment extends AssignmentEndpoint {
|
||||
|
||||
private final static String[] DEFAULT_LINUX_DIRECTORIES = {"usr", "etc", "var"};
|
||||
private final static String[] DEFAULT_WINDOWS_DIRECTORIES = {"Windows", "Program Files (x86)", "Program Files"};
|
||||
|
||||
|
||||
@Value("${webgoat.server.directory}")
|
||||
private String webGoatHomeDirectory;
|
||||
@Autowired
|
||||
@ -57,7 +56,7 @@ public class ContentTypeAssignment extends AssignmentEndpoint {
|
||||
@Autowired
|
||||
private Comments comments;
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST, consumes = MediaType.ALL_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
|
||||
@PostMapping(path = "xxe/content-type", consumes = MediaType.ALL_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
|
||||
@ResponseBody
|
||||
public AttackResult createNewUser(@RequestBody String commentStr, @RequestHeader("Content-Type") String contentType) throws Exception {
|
||||
AttackResult attackResult = failed().build();
|
||||
|
@ -4,17 +4,16 @@ import org.apache.commons.exec.OS;
|
||||
import org.apache.commons.lang.exception.ExceptionUtils;
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.beans.factory.annotation.Value;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
import org.springframework.web.bind.annotation.RequestBody;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
|
||||
import static org.springframework.http.MediaType.ALL_VALUE;
|
||||
import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
|
||||
import static org.springframework.web.bind.annotation.RequestMethod.POST;
|
||||
|
||||
/**
|
||||
* ************************************************************************************************
|
||||
@ -50,7 +49,7 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST;
|
||||
* @author nbaars
|
||||
* @since 4/8/17.
|
||||
*/
|
||||
@AssignmentPath("xxe/simple")
|
||||
@RestController
|
||||
@AssignmentHints({"xxe.hints.simple.xxe.1", "xxe.hints.simple.xxe.2", "xxe.hints.simple.xxe.3", "xxe.hints.simple.xxe.4", "xxe.hints.simple.xxe.5", "xxe.hints.simple.xxe.6"})
|
||||
public class SimpleXXE extends AssignmentEndpoint {
|
||||
|
||||
@ -62,7 +61,7 @@ public class SimpleXXE extends AssignmentEndpoint {
|
||||
@Autowired
|
||||
private Comments comments;
|
||||
|
||||
@RequestMapping(method = POST, consumes = ALL_VALUE, produces = APPLICATION_JSON_VALUE)
|
||||
@PostMapping(path = "xxe/simple", consumes = ALL_VALUE, produces = APPLICATION_JSON_VALUE)
|
||||
@ResponseBody
|
||||
public AttackResult createNewComment(@RequestBody String commentStr) throws Exception {
|
||||
String error = "";
|
||||
@ -77,12 +76,13 @@ public class SimpleXXE extends AssignmentEndpoint {
|
||||
}
|
||||
return trackProgress(failed().output(error).build());
|
||||
}
|
||||
|
||||
private boolean checkSolution(Comment comment) {
|
||||
String[] directoriesToCheck = OS.isFamilyMac() || OS.isFamilyUnix() ? DEFAULT_LINUX_DIRECTORIES : DEFAULT_WINDOWS_DIRECTORIES;
|
||||
boolean success = true;
|
||||
for (String directory : directoriesToCheck) {
|
||||
success &= org.apache.commons.lang3.StringUtils.contains(comment.getText(), directory);
|
||||
}
|
||||
return success;
|
||||
}
|
||||
String[] directoriesToCheck = OS.isFamilyMac() || OS.isFamilyUnix() ? DEFAULT_LINUX_DIRECTORIES : DEFAULT_WINDOWS_DIRECTORIES;
|
||||
boolean success = true;
|
||||
for (String directory : directoriesToCheck) {
|
||||
success &= org.apache.commons.lang3.StringUtils.contains(comment.getText(), directory);
|
||||
}
|
||||
return success;
|
||||
}
|
||||
}
|
||||
|
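Review bot: `checkSolution` folds a boolean across the loop with `success &= ...`; `return Arrays.stream(directoriesToCheck).allMatch(d -> StringUtils.contains(comment.getText(), d));` (import `java.util.Arrays`) states the intent in one line and stops at the first miss. The fully qualified `org.apache.commons.lang3.StringUtils` next to the imported `org.apache.commons.lang.exception.ExceptionUtils` (commons-lang 2) mixes the two library generations; import one `StringUtils` at the top instead. `createNewComment` keeps `throws Exception` while `BlindSendFileAssignment.addComment` loses it in this same commit; the two should agree.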
@ -38,6 +38,4 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter {
|
||||
file.mkdirs();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
}
|
@ -35,12 +35,14 @@ import org.owasp.webwolf.user.UserService;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.security.authentication.AuthenticationManager;
|
||||
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
||||
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
|
||||
import org.springframework.security.core.userdetails.UserDetailsService;
|
||||
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
|
||||
|
||||
/**
|
||||
* Security configuration for WebGoat.
|
||||
@ -81,4 +83,15 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||
public UserDetailsService userDetailsServiceBean() throws Exception {
|
||||
return userDetailsService;
|
||||
}
|
||||
|
||||
@Override
|
||||
@Bean
|
||||
protected AuthenticationManager authenticationManager() throws Exception {
|
||||
return super.authenticationManager();
|
||||
}
|
||||
|
||||
@Bean
|
||||
public NoOpPasswordEncoder passwordEncoder() {
|
||||
return (NoOpPasswordEncoder) NoOpPasswordEncoder.getInstance();
|
||||
}
|
||||
}
|
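Review bot: The new `passwordEncoder()` bean returns `NoOpPasswordEncoder`, which compares credentials in plaintext and is marked `@Deprecated` in Spring Security for exactly that reason, so every stored WebWolf password remains unhashed. `PasswordEncoderFactories.createDelegatingPasswordEncoder()` is the drop-in replacement if the user store can hold `{bcrypt}`-prefixed hashes; if plaintext is a deliberate choice for this training companion, a comment on the bean should say so. Either way, declaring it as `public PasswordEncoder passwordEncoder()` (import `org.springframework.security.crypto.password.PasswordEncoder`) removes the `(NoOpPasswordEncoder)` cast and lets callers depend on the interface. The class Javadoc still reads `Security configuration for WebGoat.` although this is the WebWolf configuration.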
@ -2,18 +2,15 @@ package org.owasp.webwolf;
|
||||
|
||||
import org.owasp.webwolf.requests.WebWolfTraceRepository;
|
||||
import org.springframework.boot.SpringApplication;
|
||||
import org.springframework.boot.actuate.trace.TraceRepository;
|
||||
import org.springframework.boot.actuate.trace.http.HttpTraceRepository;
|
||||
import org.springframework.boot.autoconfigure.SpringBootApplication;
|
||||
import org.springframework.boot.builder.SpringApplicationBuilder;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
|
||||
import java.util.Map;
|
||||
|
||||
@SpringBootApplication
|
||||
public class WebWolf {
|
||||
|
||||
@Bean
|
||||
public TraceRepository traceRepository() {
|
||||
public HttpTraceRepository traceRepository() {
|
||||
return new WebWolfTraceRepository();
|
||||
}
|
||||
|
||||
|
@ -5,14 +5,13 @@ import com.fasterxml.jackson.databind.ObjectMapper;
|
||||
import lombok.AllArgsConstructor;
|
||||
import lombok.Getter;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.springframework.boot.actuate.trace.Trace;
|
||||
import org.springframework.boot.actuate.trace.http.HttpTrace;
|
||||
import org.springframework.stereotype.Controller;
|
||||
import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.servlet.ModelAndView;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import java.util.Date;
|
||||
import java.time.Instant;
|
||||
import java.util.List;
|
||||
|
||||
import static java.util.stream.Collectors.toList;
|
||||
@ -36,7 +35,7 @@ public class Requests {
|
||||
@AllArgsConstructor
|
||||
@Getter
|
||||
private class Tracert {
|
||||
private final Date date;
|
||||
private final Instant date;
|
||||
private final String path;
|
||||
private final String json;
|
||||
}
|
||||
@ -51,13 +50,13 @@ public class Requests {
|
||||
return m;
|
||||
}
|
||||
|
||||
private String path(Trace t) {
|
||||
return (String) t.getInfo().getOrDefault("path", "");
|
||||
private String path(HttpTrace t) {
|
||||
return (String) t.getRequest().getUri().getPath();
|
||||
}
|
||||
|
||||
private String toJsonString(Trace t) {
|
||||
private String toJsonString(HttpTrace t) {
|
||||
try {
|
||||
return objectMapper.writeValueAsString(t.getInfo());
|
||||
return objectMapper.writeValueAsString(t);
|
||||
} catch (JsonProcessingException e) {
|
||||
log.error("Unable to create json", e);
|
||||
}
|
||||
|
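Review bot: `path(HttpTrace t)` casts `t.getRequest().getUri().getPath()` to `String`, which `URI.getPath()` already returns, and it loses the empty-string fallback the old `getOrDefault("path", "")` gave — `getPath()` is null for an opaque URI, which would surface as a null path in the view. `String p = t.getRequest().getUri().getPath(); return p == null ? "" : p;` restores the old contract. `toJsonString` now serialises the whole `HttpTrace`, headers and cookies included per the `management.trace.include` property, which is presumably intended for WebWolf's request viewer but is a wider payload than the old `getInfo()` map. `Tracert` is a non-static inner class carrying an implicit reference to `Requests`; `private static class Tracert` is the usual form.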
@ -2,15 +2,11 @@ package org.owasp.webwolf.requests;
|
||||
|
||||
import com.google.common.collect.EvictingQueue;
|
||||
import com.google.common.collect.Lists;
|
||||
import com.google.common.collect.Maps;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.springframework.boot.actuate.trace.Trace;
|
||||
import org.springframework.boot.actuate.trace.TraceRepository;
|
||||
import org.springframework.boot.actuate.trace.http.HttpTrace;
|
||||
import org.springframework.boot.actuate.trace.http.HttpTraceRepository;
|
||||
|
||||
import java.util.Date;
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
|
||||
/**
|
||||
* Keep track of all the incoming requests, we are only keeping track of request originating from
|
||||
@ -20,20 +16,17 @@ import java.util.Map;
|
||||
* @since 8/13/17.
|
||||
*/
|
||||
@Slf4j
|
||||
public class WebWolfTraceRepository implements TraceRepository {
|
||||
public class WebWolfTraceRepository implements HttpTraceRepository {
|
||||
|
||||
private final EvictingQueue<Trace> traces = EvictingQueue.create(10000);
|
||||
private final EvictingQueue<HttpTrace> traces = EvictingQueue.create(10000);
|
||||
private List<String> exclusionList = Lists.newArrayList("/WebWolf/home", "/WebWolf/mail", "/WebWolf/files", "/images/", "/login", "/favicon.ico", "/js/", "/webjars/", "/WebWolf/requests", "/css/", "/mail");
|
||||
|
||||
@Override
|
||||
public List<Trace> findAll() {
|
||||
HashMap<String, Object> map = Maps.newHashMap();
|
||||
map.put("nice", "Great you found the standard Spring Boot tracing endpoint!");
|
||||
Trace trace = new Trace(new Date(), map);
|
||||
return Lists.newArrayList(trace);
|
||||
public List<HttpTrace> findAll() {
|
||||
return List.of();
|
||||
}
|
||||
|
||||
public List<Trace> findAllTraces() {
|
||||
public List<HttpTrace> findAllTraces() {
|
||||
return Lists.newArrayList(traces);
|
||||
}
|
||||
|
||||
@ -42,10 +35,10 @@ public class WebWolfTraceRepository implements TraceRepository {
|
||||
}
|
||||
|
||||
@Override
|
||||
public void add(Map<String, Object> map) {
|
||||
String path = (String) map.getOrDefault("path", "");
|
||||
public void add(HttpTrace httpTrace) {
|
||||
var path = httpTrace.getRequest().getUri().getPath();
|
||||
if (!isInExclusionList(path)) {
|
||||
traces.add(new Trace(new Date(), map));
|
||||
traces.add(httpTrace);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
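Review bot: `traces` is a Guava `EvictingQueue`, which is documented as not thread-safe, yet `add(HttpTrace)` is presumably invoked per request on servlet threads while `findAllTraces()` copies it from the web layer, so an eviction racing a copy can leave the copy inconsistent or fail. `Queues.synchronizedQueue(EvictingQueue.create(10000))` with the field typed `Queue<HttpTrace>`, or one lock around both accesses, would settle it. `httpTrace.getRequest().getUri().getPath()` can be null for an opaque URI, so `isInExclusionList(path)` (defined outside the hunk) should tolerate null or `path` should default to `""` as the old `getOrDefault` did. `import java.util.Map;` looks unused now that `add(Map<String, Object>)` is gone — verify and drop.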
@ -21,7 +21,6 @@ endpoints.trace.sensitive=false
|
||||
management.trace.include=REQUEST_HEADERS,RESPONSE_HEADERS,COOKIES,ERRORS,TIME_TAKEN,PARAMETERS,QUERY_STRING
|
||||
endpoints.trace.enabled=true
|
||||
|
||||
spring.resources.cache-period=0
|
||||
spring.thymeleaf.cache=false
|
||||
|
||||
multipart.enabled=true
|
||||
|
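Review bot: `endpoints.trace.sensitive=false` in the hunk header context is a Spring Boot 1.x property; after the move to `HttpTraceRepository` (Boot 2 actuator) it has no effect and belongs with the removed `endpoints.trace.enabled=true`. In Boot 2 the endpoint is governed by `management.endpoint.httptrace.enabled` and exposed through `management.endpoints.web.exposure.include`, so decide whether it still needs to be reachable and configure it there. `management.trace.include` lists `COOKIES` and `REQUEST_HEADERS`, so captured traces carry the cookies of whoever calls WebWolf; that is presumably the point of the request viewer, but a one-line comment next to the property saying so would save the next reader the question.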