WIP
@ -10,10 +10,7 @@ import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.beans.factory.annotation.Value;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.web.bind.annotation.RequestBody;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import javax.annotation.PostConstruct;
|
||||
import java.io.File;
|
||||
@ -49,7 +46,7 @@ import static org.apache.commons.lang3.RandomStringUtils.randomAlphabetic;
|
||||
* @version $Id: $Id
|
||||
* @since November 18, 2016
|
||||
*/
|
||||
@AssignmentPath("xxe/blind")
|
||||
@RestController
|
||||
@AssignmentHints({"xxe.blind.hints.1","xxe.blind.hints.2","xxe.blind.hints.3","xxe.blind.hints.4","xxe.blind.hints.5"})
|
||||
public class BlindSendFileAssignment extends AssignmentEndpoint {
|
||||
|
||||
@ -69,9 +66,9 @@ public class BlindSendFileAssignment extends AssignmentEndpoint {
|
||||
Files.write(CONTENTS, new File(targetDirectory, "secret.txt"), Charsets.UTF_8);
|
||||
}
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST, consumes = MediaType.ALL_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
|
||||
@PostMapping(path = "xxe/blind", consumes = MediaType.ALL_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
|
||||
@ResponseBody
|
||||
public AttackResult addComment(@RequestBody String commentStr) throws Exception {
|
||||
public AttackResult addComment(@RequestBody String commentStr) {
|
||||
//Solution is posted as a separate comment
|
||||
if (commentStr.contains(CONTENTS)) {
|
||||
return trackProgress(success().build());
|
||||
|
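Review bot: The import hunk adds the wildcard `import org.springframework.web.bind.annotation.*;` while the single-class imports for `RequestBody`, `RequestMapping`, `RequestMethod` and `ResponseBody` are still listed, so the same package is now imported twice, and with the handler switched from `@RequestMapping(method = RequestMethod.POST, …)` to `@PostMapping` the `RequestMapping` and `RequestMethod` imports look unused. Prefer dropping the wildcard and adding only `import org.springframework.web.bind.annotation.PostMapping;`, as the SimpleXXE file in this same commit does, then removing the imports nothing references; whether another part of the file still uses them is not visible from the hunk. The path literal `"xxe/blind"` also now appears in both `@AssignmentPath("xxe/blind")` and `@PostMapping(path = "xxe/blind", …)`; if `@AssignmentPath` contributes a request mapping of its own, the two should be reconciled so the path is declared once. The body of `addComment` continues past the hunk, so the effect of dropping `throws Exception` there cannot be checked here.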
@ -2,6 +2,7 @@ package org.owasp.webgoat.plugin;
|
||||
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
@ -21,7 +22,7 @@ public class CommentsEndpoint {
|
||||
@Autowired
|
||||
private Comments comments;
|
||||
|
||||
@RequestMapping(method = GET, produces = MediaType.APPLICATION_JSON_VALUE)
|
||||
@GetMapping(produces = MediaType.APPLICATION_JSON_VALUE)
|
||||
@ResponseBody
|
||||
public Collection<Comment> retrieveComments() {
|
||||
return comments.getComments();
|
||||
|
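Review bot: `retrieveComments` keeps `@ResponseBody` under the new `@GetMapping(produces = MediaType.APPLICATION_JSON_VALUE)` on a class already annotated `@RestController`, where it is redundant; the switch to the composed mapping is a good moment to drop it. The `import org.springframework.web.bind.annotation.RequestMapping;` retained in the import hunk looks unused once the method-level `@RequestMapping(method = GET, …)` is gone, unless the class-level mapping outside the hunk still relies on it. The static `GET` import it replaced is presumably unused now as well, though that line is not in view.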
@ -42,14 +42,13 @@ import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
|
||||
* @version $Id: $Id
|
||||
* @since November 17, 2016
|
||||
*/
|
||||
@AssignmentPath("xxe/content-type")
|
||||
@RestController
|
||||
@AssignmentHints({"xxe.hints.content.type.xxe.1", "xxe.hints.content.type.xxe.2"})
|
||||
public class ContentTypeAssignment extends AssignmentEndpoint {
|
||||
|
||||
private final static String[] DEFAULT_LINUX_DIRECTORIES = {"usr", "etc", "var"};
|
||||
private final static String[] DEFAULT_WINDOWS_DIRECTORIES = {"Windows", "Program Files (x86)", "Program Files"};
|
||||
|
||||
|
||||
@Value("${webgoat.server.directory}")
|
||||
private String webGoatHomeDirectory;
|
||||
@Autowired
|
||||
@ -57,7 +56,7 @@ public class ContentTypeAssignment extends AssignmentEndpoint {
|
||||
@Autowired
|
||||
private Comments comments;
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST, consumes = MediaType.ALL_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
|
||||
@PostMapping(path = "xxe/content-type", consumes = MediaType.ALL_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
|
||||
@ResponseBody
|
||||
public AttackResult createNewUser(@RequestBody String commentStr, @RequestHeader("Content-Type") String contentType) throws Exception {
|
||||
AttackResult attackResult = failed().build();
|
||||
|
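Review bot: The handler under `@PostMapping(path = "xxe/content-type", …)` is still named `createNewUser` although its argument is `commentStr` and the sibling endpoints in this commit are `addComment` and `createNewComment`; `public AttackResult createNewComment(@RequestBody String commentStr, @RequestHeader("Content-Type") String contentType) throws Exception {` would read consistently. It also keeps `throws Exception` where `BlindSendFileAssignment.addComment` drops it in the same commit; the body runs past the hunk, so whether a checked exception is actually thrown cannot be seen here. The two `private final static String[]` arrays would conventionally be `private static final`, and `"xxe/content-type"` is now declared in both `@AssignmentPath` and `@PostMapping`, which should be reconciled if `@AssignmentPath` also maps a path.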
@ -4,17 +4,16 @@ import org.apache.commons.exec.OS;
|
||||
import org.apache.commons.lang.exception.ExceptionUtils;
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.beans.factory.annotation.Value;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
import org.springframework.web.bind.annotation.RequestBody;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
|
||||
import static org.springframework.http.MediaType.ALL_VALUE;
|
||||
import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
|
||||
import static org.springframework.web.bind.annotation.RequestMethod.POST;
|
||||
|
||||
/**
|
||||
* ************************************************************************************************
|
||||
@ -50,7 +49,7 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST;
|
||||
* @author nbaars
|
||||
* @since 4/8/17.
|
||||
*/
|
||||
@AssignmentPath("xxe/simple")
|
||||
@RestController
|
||||
@AssignmentHints({"xxe.hints.simple.xxe.1", "xxe.hints.simple.xxe.2", "xxe.hints.simple.xxe.3", "xxe.hints.simple.xxe.4", "xxe.hints.simple.xxe.5", "xxe.hints.simple.xxe.6"})
|
||||
public class SimpleXXE extends AssignmentEndpoint {
|
||||
|
||||
@ -62,7 +61,7 @@ public class SimpleXXE extends AssignmentEndpoint {
|
||||
@Autowired
|
||||
private Comments comments;
|
||||
|
||||
@RequestMapping(method = POST, consumes = ALL_VALUE, produces = APPLICATION_JSON_VALUE)
|
||||
@PostMapping(path = "xxe/simple", consumes = ALL_VALUE, produces = APPLICATION_JSON_VALUE)
|
||||
@ResponseBody
|
||||
public AttackResult createNewComment(@RequestBody String commentStr) throws Exception {
|
||||
String error = "";
|
||||
@ -77,12 +76,13 @@ public class SimpleXXE extends AssignmentEndpoint {
|
||||
}
|
||||
return trackProgress(failed().output(error).build());
|
||||
}
|
||||
|
||||
private boolean checkSolution(Comment comment) {
|
||||
String[] directoriesToCheck = OS.isFamilyMac() || OS.isFamilyUnix() ? DEFAULT_LINUX_DIRECTORIES : DEFAULT_WINDOWS_DIRECTORIES;
|
||||
boolean success = true;
|
||||
for (String directory : directoriesToCheck) {
|
||||
success &= org.apache.commons.lang3.StringUtils.contains(comment.getText(), directory);
|
||||
}
|
||||
return success;
|
||||
}
|
||||
String[] directoriesToCheck = OS.isFamilyMac() || OS.isFamilyUnix() ? DEFAULT_LINUX_DIRECTORIES : DEFAULT_WINDOWS_DIRECTORIES;
|
||||
boolean success = true;
|
||||
for (String directory : directoriesToCheck) {
|
||||
success &= org.apache.commons.lang3.StringUtils.contains(comment.getText(), directory);
|
||||
}
|
||||
return success;
|
||||
}
|
||||
}
|
||||
|
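Review bot: `checkSolution` in the last hunk passes the assignment as soon as the comment text merely contains the substrings `usr`, `etc` and `var` (`StringUtils.contains(comment.getText(), directory)`), so an ordinary comment such as "etc. varying usr" is accepted without any entity expansion, and the Windows names are matched just as loosely. Matching each name as a whole token, e.g. `success &= Pattern.compile("\\b" + Pattern.quote(directory) + "\\b").matcher(comment.getText()).find();` with `java.util.regex.Pattern` imported, keeps the intent while rejecting incidental substrings; `comment.getText()` is assumed non-null by the existing code. The method body appears twice in the hunk, presumably the old and the re-indented new copy, so I read the second as the code under review. The import hunk also keeps `org.apache.commons.lang.exception.ExceptionUtils` (commons-lang 2) while the check uses the fully-qualified `org.apache.commons.lang3.StringUtils`; settling on lang3 for both would drop one dependency and the long qualified name.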