WIP
		| @ -7,7 +7,7 @@ import org.junit.Test; | ||||
| import org.junit.runner.RunWith; | ||||
| import org.mockito.Mock; | ||||
| import org.mockito.Mockito; | ||||
| import org.mockito.runners.MockitoJUnitRunner; | ||||
| import org.mockito.junit.MockitoJUnitRunner; | ||||
| import org.owasp.webgoat.lessons.AbstractLesson; | ||||
| import org.owasp.webgoat.lessons.Assignment; | ||||
| import org.owasp.webgoat.session.WebSession; | ||||
| @ -48,7 +48,6 @@ public class HintServiceTest { | ||||
|  | ||||
|     @Test | ||||
|     public void hintsPerAssignment() throws Exception { | ||||
|         when(lesson.getName()).thenReturn("Test lesson"); | ||||
|         Assignment assignment = Mockito.mock(Assignment.class); | ||||
|         when(assignment.getPath()).thenReturn("/HttpBasics/attack1"); | ||||
|         when(assignment.getHints()).thenReturn(Lists.newArrayList("hint 1", "hint 2")); | ||||
|  | ||||
| @ -4,6 +4,7 @@ import org.hamcrest.CoreMatchers; | ||||
| import org.junit.Test; | ||||
| import org.junit.runner.RunWith; | ||||
| import org.owasp.webgoat.session.Course; | ||||
| import org.owasp.webgoat.users.UserService; | ||||
| import org.springframework.beans.factory.annotation.Autowired; | ||||
| import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest; | ||||
| import org.springframework.boot.test.mock.mockito.MockBean; | ||||
| @ -53,6 +54,8 @@ public class LabelServiceTest { | ||||
|     public MockMvc mockMvc; | ||||
|     @MockBean | ||||
|     private Course course; | ||||
|     @MockBean | ||||
|     private UserService userService; | ||||
|  | ||||
|     @Test | ||||
|     @WithMockUser(username = "guest", password = "guest") | ||||
|  | ||||
| @ -7,7 +7,7 @@ import org.junit.Test; | ||||
| import org.junit.runner.RunWith; | ||||
| import org.mockito.Mock; | ||||
| import org.mockito.Mockito; | ||||
| import org.mockito.runners.MockitoJUnitRunner; | ||||
| import org.mockito.junit.MockitoJUnitRunner; | ||||
| import org.owasp.webgoat.lessons.AbstractLesson; | ||||
| import org.owasp.webgoat.lessons.Category; | ||||
| import org.owasp.webgoat.lessons.NewLesson; | ||||
|  | ||||
| @ -39,10 +39,10 @@ import org.springframework.web.bind.annotation.*; | ||||
|  * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a> | ||||
|  * @created October 28, 2003 | ||||
|  */ | ||||
| @AssignmentPath("/HttpProxies/intercept-request") | ||||
| @RestController | ||||
| public class HttpBasicsInterceptRequest extends AssignmentEndpoint { | ||||
|  | ||||
|     @GetMapping | ||||
|     @GetMapping("/HttpProxies/intercept-request") | ||||
|     @ResponseBody | ||||
|     public AttackResult completed(@RequestHeader(value = "x-request-intercepted", required = false) Boolean headerValue, | ||||
|                                   @RequestParam(value = "changeMe", required = false) String paramValue) { | ||||
| @ -53,7 +53,7 @@ public class HttpBasicsInterceptRequest extends AssignmentEndpoint { | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     @PostMapping | ||||
|     @PostMapping("/HttpProxies/intercept-request") | ||||
|     @ResponseBody | ||||
|     public AttackResult post() { | ||||
|         return trackProgress(failed().feedback("http-proxies.intercept.failure").build()); | ||||
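Review bot: The `@ResponseBody` annotations kept on both handlers are now redundant, because `@RestController` (the annotation this hunk adds in place of `@AssignmentPath`) already applies `@ResponseBody` to every handler method in the class. The literal `/HttpProxies/intercept-request` is now repeated in `@GetMapping` and `@PostMapping`; a `private static final String PATH = "/HttpProxies/intercept-request";` used by both keeps them from drifting apart. Since HintServiceTest stubs `assignment.getPath()`, the framework appears to derive an assignment's path somewhere, so it is worth confirming that hint and progress lookup still resolve this endpoint without `@AssignmentPath`. The body of `completed` continues outside the hunk.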
|  | ||||
| @ -4,10 +4,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.assignments.AssignmentHints; | ||||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMethod; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.*; | ||||
|  | ||||
| import javax.servlet.http.HttpServletRequest; | ||||
| import java.io.IOException; | ||||
| @ -41,14 +38,13 @@ import java.io.IOException; | ||||
|  * @version $Id: $Id | ||||
|  * @since January 3, 2017 | ||||
|  */ | ||||
|  | ||||
| @AssignmentPath("IDOR/diff-attributes") | ||||
| @RestController | ||||
| @AssignmentHints({"idor.hints.idorDiffAttributes1","idor.hints.idorDiffAttributes2","idor.hints.idorDiffAttributes3"}) | ||||
| public class IDORDiffAttributes extends AssignmentEndpoint { | ||||
|  | ||||
|     @RequestMapping(method = RequestMethod.POST) | ||||
|     public @ResponseBody | ||||
|     AttackResult completed(@RequestParam String attributes, HttpServletRequest request) throws IOException { | ||||
|     @PostMapping("IDOR/diff-attributes") | ||||
|     @ResponseBody | ||||
|     public AttackResult completed(@RequestParam String attributes, HttpServletRequest request) throws IOException { | ||||
|         attributes = attributes.trim(); | ||||
|         String[] diffAttribs = attributes.split(","); | ||||
|         if (diffAttribs.length < 2) { | ||||
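Review bot: The new mapping `@PostMapping("IDOR/diff-attributes")` has no leading slash, while sibling endpoints in this commit use absolute paths such as `/IDOR/login` and `/InsecureLogin/task`; Spring normalizes the relative form, but `@PostMapping("/IDOR/diff-attributes")` keeps the paths uniform and greppable. The explicit imports were replaced by `import org.springframework.web.bind.annotation.*;`, a wildcard import the project style discourages. `completed` continues past the end of the hunk, so how `diffAttribs` is used beyond the length check is not visible here.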
|  | ||||
| @ -37,17 +37,16 @@ import org.springframework.web.bind.annotation.*; | ||||
|  * @version $Id: $Id | ||||
|  * @since January 3, 2017 | ||||
|  */ | ||||
|  | ||||
| @AssignmentPath("IDOR/profile/{userId}") | ||||
| @RestController | ||||
| @AssignmentHints({"idor.hints.otherProfile1","idor.hints.otherProfile2","idor.hints.otherProfile3","idor.hints.otherProfile4","idor.hints.otherProfile5","idor.hints.otherProfile6","idor.hints.otherProfile7","idor.hints.otherProfile8","idor.hints.otherProfile9"}) | ||||
| public class IDOREditOtherProfiile extends AssignmentEndpoint { | ||||
|  | ||||
|     @Autowired | ||||
|     private UserSessionData userSessionData; | ||||
|  | ||||
|     @PutMapping(consumes = "application/json") | ||||
|     public @ResponseBody | ||||
|     AttackResult completed(@PathVariable("userId") String userId, @RequestBody UserProfile userSubmittedProfile) { | ||||
|     @PutMapping(path = "IDOR/profile/{userId}", consumes = "application/json") | ||||
|     @ResponseBody | ||||
|     public AttackResult completed(@PathVariable("userId") String userId, @RequestBody UserProfile userSubmittedProfile) { | ||||
|  | ||||
|         String authUserId = (String)userSessionData.getValue("idor-authenticated-user-id"); | ||||
|         // this is where it starts ... accepting the user submitted ID and assuming it will be the same as the logged in userId and not checking for proper authorization | ||||
|  | ||||
| @ -40,8 +40,7 @@ import java.util.Map; | ||||
|  * @version $Id: $Id | ||||
|  * @since January 3, 2017 | ||||
|  */ | ||||
|  | ||||
| @AssignmentPath("/IDOR/login") | ||||
| @RestController | ||||
| @AssignmentHints({"idor.hints.idor_login"}) | ||||
| public class IDORLogin extends AssignmentEndpoint { | ||||
|  | ||||
| @ -63,7 +62,7 @@ public class IDORLogin extends AssignmentEndpoint { | ||||
|  | ||||
|     } | ||||
|  | ||||
|     @PostMapping | ||||
|     @PostMapping("/IDOR/login") | ||||
|     @ResponseBody | ||||
|     public AttackResult completed(@RequestParam String username, @RequestParam String password) { | ||||
|         initIDORInfo(); | ||||
| @ -81,12 +80,4 @@ public class IDORLogin extends AssignmentEndpoint { | ||||
|             return trackProgress(failed().feedback("idor.login.failure").build()); | ||||
|         } | ||||
|     } | ||||
|  | ||||
| //        userSessionData.setValue("foo","bar"); | ||||
| //        System.out.println("*** value set"); | ||||
| //        System.out.println("*** fetching value"); | ||||
| //        System.out.println(userSessionData.getValue("foo")); | ||||
| //        System.out.println("*** DONE fetching value"); | ||||
| //        return trackProgress(AttackResult.failed("You are close, try again")); | ||||
|  | ||||
| } | ||||
|  | ||||
| @ -7,10 +7,7 @@ import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.owasp.webgoat.session.UserSessionData; | ||||
| import org.springframework.beans.factory.annotation.Autowired; | ||||
| import org.springframework.web.bind.annotation.PathVariable; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMethod; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.*; | ||||
|  | ||||
| import javax.servlet.http.HttpServletResponse; | ||||
| import java.util.HashMap; | ||||
| @ -45,15 +42,14 @@ import java.util.Map; | ||||
|  * @version $Id: $Id | ||||
|  * @since January 3, 2017 | ||||
|  */ | ||||
|  | ||||
| @AssignmentPath("IDOR/profile/{userId}") | ||||
| @RestController | ||||
| @AssignmentHints({"idor.hints.otherProfile1","idor.hints.otherProfile2","idor.hints.otherProfile3","idor.hints.otherProfile4","idor.hints.otherProfile5","idor.hints.otherProfile6","idor.hints.otherProfile7","idor.hints.otherProfile8","idor.hints.otherProfile9"}) | ||||
| public class IDORViewOtherProfile extends AssignmentEndpoint{ | ||||
|  | ||||
|     @Autowired | ||||
|     UserSessionData userSessionData; | ||||
|  | ||||
|     @RequestMapping(produces = {"application/json"}, method = RequestMethod.GET) | ||||
|     @GetMapping(path = "IDOR/profile/{userId}", produces = {"application/json"}) | ||||
|     @ResponseBody | ||||
|     public AttackResult completed(@PathVariable("userId") String userId, HttpServletResponse resp) { | ||||
|         Map<String,Object> details = new HashMap<>(); | ||||
| @ -76,5 +72,4 @@ public class IDORViewOtherProfile extends AssignmentEndpoint{ | ||||
|         } | ||||
|         return trackProgress(failed().build()); | ||||
|     } | ||||
|  | ||||
| } | ||||
|  | ||||
| @ -3,9 +3,7 @@ package org.owasp.webgoat.plugin; | ||||
|  | ||||
| import org.owasp.webgoat.session.UserSessionData; | ||||
| import org.springframework.beans.factory.annotation.Autowired; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMethod; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.*; | ||||
|  | ||||
| import javax.servlet.ServletException; | ||||
| import javax.servlet.http.HttpServletRequest; | ||||
| @ -43,15 +41,15 @@ import java.util.Map; | ||||
|  * @version $Id: $Id | ||||
|  * @since January 3, 2017 | ||||
|  */ | ||||
|  | ||||
| @RestController | ||||
| public class IDORViewOwnProfile { | ||||
|  | ||||
|     @Autowired | ||||
|     UserSessionData userSessionData; | ||||
|  | ||||
|     @RequestMapping(produces = {"application/json"}, method = RequestMethod.GET) | ||||
|     @GetMapping(produces = {"application/json"}) | ||||
|     @ResponseBody | ||||
|     public Map<String, Object> invoke(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { | ||||
|     public Map<String, Object> invoke() { | ||||
|         Map<String,Object> details = new HashMap<>(); | ||||
|         try { | ||||
|             if (userSessionData.getValue("idor-authenticated-as").equals("tom")) { | ||||
| @ -71,9 +69,4 @@ public class IDORViewOwnProfile { | ||||
|         } | ||||
|         return details; | ||||
|     } | ||||
|  | ||||
| //    @Override | ||||
| //    public String getPath() { | ||||
| //        return "/IDOR/profile"; | ||||
| //    } | ||||
| } | ||||
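Review bot: `@GetMapping(produces = {"application/json"})` on `invoke` carries no path, and no class-level `@RequestMapping` appears between the javadoc and `@RestController`, so this handler now registers at the context root rather than at the profile URL; the commented-out `getPath()` this hunk deletes returned `/IDOR/profile`, which is what the mapping should carry: `@GetMapping(path = "/IDOR/profile", produces = {"application/json"})`. An empty-path GET handler with a JSON `produces` clause can also shadow or conflict with whatever else serves the root path. Dropping the `HttpServletRequest`/`HttpServletResponse` parameters looks safe, since the visible lines of the body never reference them, but the tail of `invoke` sits between the two hunks.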
|  | ||||
| @ -45,22 +45,20 @@ import java.util.Map; | ||||
|  * @version $Id: $Id | ||||
|  * @since January 3, 2017 | ||||
|  */ | ||||
|  | ||||
| @AssignmentPath("IDOR/profile/alt-path") | ||||
| @AssignmentHints({"idor.hints.ownProfileAltUrl1","idor.hints.ownProfileAltUrl2","idor.hints.ownProfileAltUrl3"}) | ||||
| public class IDORViewOwnProfileAltUrl extends AssignmentEndpoint{ | ||||
| @RestController | ||||
| @AssignmentHints({"idor.hints.ownProfileAltUrl1", "idor.hints.ownProfileAltUrl2", "idor.hints.ownProfileAltUrl3"}) | ||||
| public class IDORViewOwnProfileAltUrl extends AssignmentEndpoint { | ||||
|  | ||||
|     @Autowired | ||||
|     UserSessionData userSessionData; | ||||
|  | ||||
|     @RequestMapping(method = RequestMethod.POST) | ||||
|     @PostMapping("IDOR/profile/alt-path") | ||||
|     @ResponseBody | ||||
|     public AttackResult completed(@RequestParam String url, HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { | ||||
|         Map<String,Object> details = new HashMap<>(); | ||||
|     public AttackResult completed(@RequestParam String url) { | ||||
|         try { | ||||
|             if (userSessionData.getValue("idor-authenticated-as").equals("tom")) { | ||||
|                 //going to use session auth to view this one | ||||
|                 String authUserId = (String)userSessionData.getValue("idor-authenticated-user-id"); | ||||
|                 String authUserId = (String) userSessionData.getValue("idor-authenticated-user-id"); | ||||
|                 //don't care about http://localhost:8080 ... just want WebGoat/ | ||||
|                 String[] urlParts = url.split("/"); | ||||
|                 if (urlParts[0].equals("WebGoat") && urlParts[1].equals("IDOR") && urlParts[2].equals("profile") && urlParts[3].equals(authUserId)) { | ||||
| @ -74,9 +72,7 @@ public class IDORViewOwnProfileAltUrl extends AssignmentEndpoint{ | ||||
|                 return trackProgress(failed().feedback("idor.view.own.profile.failure2").build()); | ||||
|             } | ||||
|         } catch (Exception ex) { | ||||
|             System.out.println(ex.getMessage()); | ||||
|             return failed().feedback("an error occurred with your request").build(); | ||||
|         } | ||||
|     } | ||||
|  | ||||
| } | ||||
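Review bot: Removing `System.out.println(ex.getMessage())` leaves the `catch (Exception ex)` block with no record of the failure at all, and that catch-all is the only thing standing between a short `url` value and an `ArrayIndexOutOfBoundsException` from `urlParts[3]`; the input check should be explicit, `if (urlParts.length < 4) { return trackProgress(failed().build()); }` before the comparison, rather than relying on the exception. A logger call at debug level in the catch (without echoing the user-supplied `url`) would preserve what the println gave operators. Taking the authenticated id from `userSessionData` rather than the request is the right source; only the positional parsing of `url` is fragile.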
|  | ||||
| @ -1,61 +1,58 @@ | ||||
| package org.owasp.webgoat.plugin; | ||||
|  | ||||
| import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMethod; | ||||
| import org.springframework.web.bind.annotation.PostMapping; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.RestController; | ||||
|  | ||||
| import javax.servlet.http.HttpServletRequest; | ||||
| import java.io.ByteArrayInputStream; | ||||
| import java.io.IOException; | ||||
| import java.io.ObjectInputStream; | ||||
| import java.io.ByteArrayInputStream; | ||||
| import java.util.Base64; | ||||
|  | ||||
| /** | ||||
|  * ************************************************************************************************* | ||||
|  * | ||||
|  * | ||||
|  * <p> | ||||
|  * <p> | ||||
|  * This file is part of WebGoat, an Open Web Application Security Project | ||||
|  * utility. For details, please see http://www.owasp.org/ | ||||
|  * | ||||
|  * <p> | ||||
|  * Copyright (c) 2002 - 20014 Bruce Mayhew | ||||
|  * | ||||
|  * <p> | ||||
|  * This program is free software; you can redistribute it and/or modify it under | ||||
|  * the terms of the GNU General Public License as published by the Free Software | ||||
|  * Foundation; either version 2 of the License, or (at your option) any later | ||||
|  * version. | ||||
|  * | ||||
|  * <p> | ||||
|  * This program is distributed in the hope that it will be useful, but WITHOUT | ||||
|  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS | ||||
|  * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more | ||||
|  * details. | ||||
|  * | ||||
|  * <p> | ||||
|  * You should have received a copy of the GNU General Public License along with | ||||
|  * this program; if not, write to the Free Software Foundation, Inc., 59 Temple | ||||
|  * Place - Suite 330, Boston, MA 02111-1307, USA. | ||||
|  * | ||||
|  * <p> | ||||
|  * Getting Source ============== | ||||
|  * | ||||
|  * <p> | ||||
|  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository | ||||
|  * for free software projects. | ||||
|  * | ||||
|  * <p> | ||||
|  * For details, please see http://webgoat.github.io | ||||
|  * | ||||
|  * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a> | ||||
|  * @created October 28, 2003 | ||||
|  */ | ||||
| @AssignmentPath("/InsecureDeserialization/task") | ||||
| @RestController | ||||
| public class InsecureDeserializationTask extends AssignmentEndpoint { | ||||
|  | ||||
|     @RequestMapping(method = RequestMethod.POST) | ||||
|     public | ||||
|     @PostMapping("/InsecureDeserialization/task") | ||||
|     @ResponseBody | ||||
|     AttackResult completed(@RequestParam String token) throws IOException { | ||||
|     public AttackResult completed(@RequestParam String token) throws IOException { | ||||
|         String b64token; | ||||
|         byte [] data; | ||||
|         byte[] data; | ||||
|         ObjectInputStream ois; | ||||
|         Object o; | ||||
|         long before, after; | ||||
| @ -64,7 +61,7 @@ public class InsecureDeserializationTask extends AssignmentEndpoint { | ||||
|         b64token = token.replace('-', '+').replace('_', '/'); | ||||
|         try { | ||||
|             data = Base64.getDecoder().decode(b64token); | ||||
|             ois = new ObjectInputStream( new ByteArrayInputStream(data) ); | ||||
|             ois = new ObjectInputStream(new ByteArrayInputStream(data)); | ||||
|         } catch (Exception e) { | ||||
|             return trackProgress(failed().build()); | ||||
|         } | ||||
| @ -78,11 +75,11 @@ public class InsecureDeserializationTask extends AssignmentEndpoint { | ||||
|         after = System.currentTimeMillis(); | ||||
|         ois.close(); | ||||
|  | ||||
|         delay = (int)(after - before); | ||||
|         if ( delay > 7000 ) { | ||||
|         delay = (int) (after - before); | ||||
|         if (delay > 7000) { | ||||
|             return trackProgress(failed().build()); | ||||
|         } | ||||
|         if ( delay < 3000 ) { | ||||
|         if (delay < 3000) { | ||||
|             return trackProgress(failed().build()); | ||||
|         } | ||||
|         return trackProgress(success().build()); | ||||
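Review bot: `ObjectInputStream` is opened on `data` decoded straight from the client-supplied `token`, which is native Java deserialization of untrusted input; this lesson exists to demonstrate exactly that, so the hunk should say so at the point of use, e.g. `// INTENTIONALLY VULNERABLE: deserializes an attacker-controlled stream; never copy outside this lesson (use ObjectInputFilter or a non-native format elsewhere)`. `ois` is created in one try block and closed by a bare `ois.close()` after the timing measurement, so if the read (presumably in the stretch between the two hunks) throws, the stream is never closed; a `try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) { ... }` around the read closes it on every path. The `delay < 3000` / `delay > 7000` window is a lesson check rather than a security control, and a comment explaining why 3–7 seconds is the expected range would help the next reader.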
|  | ||||
| @ -3,10 +3,7 @@ package org.owasp.webgoat.plugin; | ||||
| import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMethod; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.*; | ||||
|  | ||||
| import javax.servlet.http.HttpServletRequest; | ||||
| import java.io.IOException; | ||||
| @ -44,13 +41,12 @@ import java.io.IOException; | ||||
|  * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a> | ||||
|  * @created October 28, 2003 | ||||
|  */ | ||||
| @AssignmentPath("/InsecureLogin/task") | ||||
| @RestController | ||||
| public class InsecureLoginTask extends AssignmentEndpoint { | ||||
|  | ||||
|     @RequestMapping(method = RequestMethod.POST) | ||||
|     public | ||||
|     @PostMapping("/InsecureLogin/task") | ||||
|     @ResponseBody | ||||
|     AttackResult completed(@RequestParam String username, @RequestParam String password) throws IOException { | ||||
|     public AttackResult completed(@RequestParam String username, @RequestParam String password) { | ||||
|     	if (username.toString().equals("CaptainJack") && password.toString().equals("BlackPearl")) { | ||||
|     		return trackProgress(success().build()); | ||||
|     	} | ||||
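Review bot: The body lines under the new signature are indented with tabs (`if (username.toString()...`) while the rest of the file uses four spaces, and `username.toString()` / `password.toString()` are no-ops on `String` parameters; `if ("CaptainJack".equals(username) && "BlackPearl".equals(password)) {` reads cleaner and cannot throw if a parameter were ever null. Dropping `throws IOException` from `completed` is correct since nothing in the visible body does I/O. The method continues past the hunk.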
|  | ||||
| @ -11,10 +11,7 @@ import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.owasp.webgoat.session.DatabaseUtilities; | ||||
| import org.owasp.webgoat.session.WebSession; | ||||
| import org.springframework.beans.factory.annotation.Autowired; | ||||
| import org.springframework.web.bind.annotation.PathVariable; | ||||
| import org.springframework.web.bind.annotation.PostMapping; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.*; | ||||
|  | ||||
| import java.sql.Connection; | ||||
| import java.sql.ResultSet; | ||||
| @ -44,14 +41,14 @@ import java.sql.SQLException; | ||||
|  * @author nbaars | ||||
|  * @since 4/23/17. | ||||
|  */ | ||||
| @AssignmentPath("/JWT/final") | ||||
| @RestController | ||||
| @AssignmentHints({"jwt-final-hint1", "jwt-final-hint2", "jwt-final-hint3", "jwt-final-hint4", "jwt-final-hint5", "jwt-final-hint6"}) | ||||
| public class JWTFinalEndpoint extends AssignmentEndpoint { | ||||
|  | ||||
|     @Autowired | ||||
|     private WebSession webSession; | ||||
|  | ||||
|     @PostMapping("follow/{user}") | ||||
|     @PostMapping("/JWT/final/follow/{user}") | ||||
|     public @ResponseBody | ||||
|     String follow(@PathVariable("user") String user) { | ||||
|         if ("Jerry".equals(user)) { | ||||
| @ -61,7 +58,7 @@ public class JWTFinalEndpoint extends AssignmentEndpoint { | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     @PostMapping("delete") | ||||
|     @PostMapping("/JWT/final/delete") | ||||
|     public @ResponseBody | ||||
|     AttackResult resetVotes(@RequestParam("token") String token) { | ||||
|         if (StringUtils.isEmpty(token)) { | ||||
|  | ||||
| @ -13,10 +13,7 @@ import org.springframework.beans.factory.annotation.Autowired; | ||||
| import org.springframework.http.HttpStatus; | ||||
| import org.springframework.http.MediaType; | ||||
| import org.springframework.http.ResponseEntity; | ||||
| import org.springframework.web.bind.annotation.PostMapping; | ||||
| import org.springframework.web.bind.annotation.RequestBody; | ||||
| import org.springframework.web.bind.annotation.RequestHeader; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.*; | ||||
|  | ||||
| import java.util.Date; | ||||
| import java.util.List; | ||||
| @ -27,7 +24,7 @@ import java.util.concurrent.TimeUnit; | ||||
|  * @author nbaars | ||||
|  * @since 4/23/17. | ||||
|  */ | ||||
| @AssignmentPath("/JWT/refresh/") | ||||
| @RestController | ||||
| @AssignmentHints({"jwt-refresh-hint1", "jwt-refresh-hint2", "jwt-refresh-hint3", "jwt-refresh-hint4"}) | ||||
| public class JWTRefreshEndpoint extends AssignmentEndpoint { | ||||
|  | ||||
| @ -35,9 +32,9 @@ public class JWTRefreshEndpoint extends AssignmentEndpoint { | ||||
|     private static final String JWT_PASSWORD = "bm5n3SkxCX4kKRy4"; | ||||
|     private static final List<String> validRefreshTokens = Lists.newArrayList(); | ||||
|  | ||||
|     @PostMapping(value = "login", consumes = MediaType.APPLICATION_JSON_VALUE, produces = MediaType.APPLICATION_JSON_VALUE) | ||||
|     public @ResponseBody | ||||
|     ResponseEntity follow(@RequestBody Map<String, Object> json) { | ||||
|     @PostMapping(value = "/JWT/refresh/login", consumes = MediaType.APPLICATION_JSON_VALUE, produces = MediaType.APPLICATION_JSON_VALUE) | ||||
|     @ResponseBody | ||||
|     public ResponseEntity follow(@RequestBody Map<String, Object> json) { | ||||
|         String user = (String) json.get("user"); | ||||
|         String password = (String) json.get("password"); | ||||
|  | ||||
| @ -64,9 +61,9 @@ public class JWTRefreshEndpoint extends AssignmentEndpoint { | ||||
|         return tokenJson; | ||||
|     } | ||||
|  | ||||
|     @PostMapping("checkout") | ||||
|     public @ResponseBody | ||||
|     AttackResult checkout(@RequestHeader("Authorization") String token) { | ||||
|     @PostMapping("/JWT/refresh/checkout") | ||||
|     @ResponseBody | ||||
|     public AttackResult checkout(@RequestHeader("Authorization") String token) { | ||||
|         try { | ||||
|             Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", "")); | ||||
|             Claims claims = (Claims) jwt.getBody(); | ||||
| @ -82,9 +79,9 @@ public class JWTRefreshEndpoint extends AssignmentEndpoint { | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     @PostMapping("newToken") | ||||
|     public @ResponseBody | ||||
|     ResponseEntity newToken(@RequestHeader("Authorization") String token, @RequestBody Map<String, Object> json) { | ||||
|     @PostMapping("/JWT/refresh/newToken") | ||||
|     @ResponseBody | ||||
|     public ResponseEntity newToken(@RequestHeader("Authorization") String token, @RequestBody Map<String, Object> json) { | ||||
|         String user; | ||||
|         String refreshToken; | ||||
|         try { | ||||
| @ -105,5 +102,4 @@ public class JWTRefreshEndpoint extends AssignmentEndpoint { | ||||
|             return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build(); | ||||
|         } | ||||
|     } | ||||
|  | ||||
| } | ||||
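Review bot: The rewritten signatures `public ResponseEntity follow(...)` and `public ResponseEntity newToken(...)` use the raw `ResponseEntity` type; declare the payload, e.g. `public ResponseEntity<Map<String, Object>> follow(@RequestBody Map<String, Object> json)` (or `ResponseEntity<?>` where the body varies), so the compiler checks what `tokenJson` returns. The `/JWT/refresh/login` handler is still named `follow`, which looks copied from JWTFinalEndpoint; `login` would match its path. `validRefreshTokens` and `JWT_PASSWORD` are shared static state and a hard-coded signing secret, which is part of the lesson but deserves a comment saying so where they are declared.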
|  | ||||
| @ -13,6 +13,7 @@ import io.jsonwebtoken.Claims; | ||||
| import io.jsonwebtoken.Jwt; | ||||
| import io.jsonwebtoken.Jwts; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.RestController; | ||||
|  | ||||
| import java.util.List; | ||||
|  | ||||
| @ -20,7 +21,7 @@ import java.util.List; | ||||
|  * @author nbaars | ||||
|  * @since 4/23/17. | ||||
|  */ | ||||
| @AssignmentPath("/JWT/secret") | ||||
| @RestController | ||||
| @AssignmentHints({"jwt-secret-hint1", "jwt-secret-hint2", "jwt-secret-hint3"}) | ||||
| public class JWTSecretKeyEndpoint extends AssignmentEndpoint { | ||||
|  | ||||
| @ -28,7 +29,7 @@ public class JWTSecretKeyEndpoint extends AssignmentEndpoint { | ||||
|     private static final String WEBGOAT_USER = "WebGoat"; | ||||
|     private static final List<String> expectedClaims = Lists.newArrayList("iss", "iat", "exp", "aud", "sub", "username", "Email", "Role"); | ||||
|  | ||||
|     @PostMapping | ||||
|     @PostMapping("/JWT/secret") | ||||
|     @ResponseBody | ||||
|     public AttackResult login(@RequestParam String token) { | ||||
|         try { | ||||
|  | ||||
| @ -35,7 +35,7 @@ import static java.util.stream.Collectors.toList; | ||||
|  * @author nbaars | ||||
|  * @since 4/23/17. | ||||
|  */ | ||||
| @AssignmentPath("/JWT/votings") | ||||
| @RestController | ||||
| @AssignmentHints({"jwt-change-token-hint1", "jwt-change-token-hint2", "jwt-change-token-hint3", "jwt-change-token-hint4", "jwt-change-token-hint5"}) | ||||
| public class JWTVotesEndpoint extends AssignmentEndpoint { | ||||
|  | ||||
| @ -64,7 +64,7 @@ public class JWTVotesEndpoint extends AssignmentEndpoint { | ||||
|                         "challenge3-small.png", "challenge3.png", 10000, totalVotes)); | ||||
|     } | ||||
|  | ||||
|     @GetMapping("/login") | ||||
|     @GetMapping("/JWT/votings/login") | ||||
|     public void login(@RequestParam("user") String user, HttpServletResponse response) { | ||||
|         if (validUsers.contains(user)) { | ||||
|             Claims claims = Jwts.claims().setIssuedAt(Date.from(Instant.now().plus(Duration.ofDays(10)))); | ||||
| @ -86,7 +86,7 @@ public class JWTVotesEndpoint extends AssignmentEndpoint { | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     @GetMapping | ||||
|     @GetMapping("/JWT/votings") | ||||
|     @ResponseBody | ||||
|     public MappingJacksonValue getVotes(@CookieValue(value = "access_token", required = false) String accessToken) { | ||||
|         MappingJacksonValue value = new MappingJacksonValue(votes.values().stream().sorted(comparingLong(Vote::getAverage).reversed()).collect(toList())); | ||||
| @ -109,7 +109,7 @@ public class JWTVotesEndpoint extends AssignmentEndpoint { | ||||
|         return value; | ||||
|     } | ||||
|  | ||||
|     @PostMapping(value = "{title}") | ||||
|     @PostMapping(value = "/JWT/votings/{title}") | ||||
|     @ResponseBody | ||||
|     @ResponseStatus(HttpStatus.ACCEPTED) | ||||
|     public ResponseEntity<?> vote(@PathVariable String title, @CookieValue(value = "access_token", required = false) String accessToken) { | ||||
| @ -132,9 +132,9 @@ public class JWTVotesEndpoint extends AssignmentEndpoint { | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     @PostMapping("reset") | ||||
|     public @ResponseBody | ||||
|     AttackResult resetVotes(@CookieValue(value = "access_token", required = false) String accessToken) { | ||||
|     @PostMapping("/JWT/votings/reset") | ||||
|     @ResponseBody | ||||
|     public AttackResult resetVotes(@CookieValue(value = "access_token", required = false) String accessToken) { | ||||
|         if (StringUtils.isEmpty(accessToken)) { | ||||
|             return trackProgress(failed().feedback("jwt-invalid-token").build()); | ||||
|         } else { | ||||
|  | ||||
| @ -7,10 +7,7 @@ import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.owasp.webgoat.session.UserSessionData; | ||||
| import org.springframework.beans.factory.annotation.Autowired; | ||||
| import org.springframework.web.bind.annotation.PathVariable; | ||||
| import org.springframework.web.bind.annotation.GetMapping; | ||||
| import org.springframework.web.bind.annotation.PostMapping; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.*; | ||||
|  | ||||
| import javax.servlet.ServletException; | ||||
| import javax.servlet.http.HttpServletRequest; | ||||
| @ -24,8 +21,7 @@ import java.util.Map; | ||||
| /** | ||||
|  * Created by jason on 1/5/17. | ||||
|  */ | ||||
|  | ||||
| @AssignmentPath("/access-control/hidden-menu") | ||||
| @RestController | ||||
| @AssignmentHints({"access-control.hidden-menus.hint1","access-control.hidden-menus.hint2","access-control.hidden-menus.hint3"}) | ||||
| public class MissingFunctionACHiddenMenus extends AssignmentEndpoint { | ||||
|     //UserSessionData is bound to session and can be used to persist data across multiple assignments | ||||
| @ -33,10 +29,9 @@ public class MissingFunctionACHiddenMenus extends AssignmentEndpoint { | ||||
|     UserSessionData userSessionData; | ||||
|  | ||||
|  | ||||
|     @PostMapping(produces = {"application/json"}) | ||||
|     public @ResponseBody | ||||
|     AttackResult completed(String hiddenMenu1, String hiddenMenu2, HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { | ||||
|  | ||||
|     @PostMapping(path = "/access-control/hidden-menu", produces = {"application/json"}) | ||||
|     @ResponseBody | ||||
|     public AttackResult completed(String hiddenMenu1, String hiddenMenu2) { | ||||
|         //overly simple example for success. See other existing lesssons for ways to detect 'success' or 'failure' | ||||
|         if (hiddenMenu1.equals("Users") && hiddenMenu2.equals("Config")) { | ||||
|             return trackProgress(success() | ||||
| @ -57,5 +52,4 @@ public class MissingFunctionACHiddenMenus extends AssignmentEndpoint { | ||||
|                 .output("") | ||||
|                 .build()); | ||||
|     } | ||||
|  | ||||
| } | ||||
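Review bot: `completed(String hiddenMenu1, String hiddenMenu2)` binds its parameters without `@RequestParam`, so a request missing either field arrives as `null` and `hiddenMenu1.equals("Users")` throws a NullPointerException that surfaces as a 500 instead of a failed attempt; annotating them `@RequestParam String hiddenMenu1, @RequestParam String hiddenMenu2` makes Spring reject the request with a 400 before the handler runs. The `@ResponseBody` kept on the method is redundant now that the class is a `@RestController`. The rest of `completed` sits between the two hunks.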
|  | ||||
| @ -21,7 +21,6 @@ import java.util.List; | ||||
| @Controller | ||||
| public class MissingFunctionACUsers { | ||||
|  | ||||
|  | ||||
|     // this will actually put controllers on the /WebGoat/* path ... the jsp for list_users restricts what can be seen, but the add_user is not controlled carefully | ||||
|     @Autowired | ||||
|     private UserService userService; | ||||
|  | ||||
| @ -9,8 +9,9 @@ import org.owasp.webgoat.users.WebGoatUser; | ||||
| import org.springframework.beans.factory.annotation.Autowired; | ||||
| import org.springframework.web.bind.annotation.PostMapping; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.RestController; | ||||
|  | ||||
| @AssignmentPath("/access-control/user-hash") | ||||
| @RestController | ||||
| @AssignmentHints({"access-control.hash.hint1","access-control.hash.hint2","access-control.hash.hint3", | ||||
|         "access-control.hash.hint4","access-control.hash.hint5","access-control.hash.hint6","access-control.hash.hint7", | ||||
|         "access-control.hash.hint8","access-control.hash.hint9","access-control.hash.hint10","access-control.hash.hint11","access-control.hash.hint12"}) | ||||
| @ -19,9 +20,9 @@ public class MissingFunctionACYourHash extends AssignmentEndpoint { | ||||
|     @Autowired | ||||
|     private UserService userService; | ||||
|  | ||||
|     @PostMapping(produces = {"application/json"}) | ||||
|     public @ResponseBody | ||||
|     AttackResult completed(String userHash) { | ||||
|     @PostMapping(path = "/access-control/user-hash", produces = {"application/json"}) | ||||
|     @ResponseBody | ||||
|     public AttackResult completed(String userHash) { | ||||
|         String currentUser = getWebSession().getUserName(); | ||||
|         WebGoatUser user = userService.loadUserByUsername(currentUser); | ||||
|         DisplayUser displayUser = new DisplayUser(user); | ||||
|  | ||||
| @ -4,6 +4,7 @@ import org.owasp.webgoat.session.DatabaseUtilities; | ||||
| import org.owasp.webgoat.session.UserSessionData; | ||||
| import org.owasp.webgoat.session.WebSession; | ||||
| import org.springframework.beans.factory.annotation.Autowired; | ||||
| import org.springframework.web.bind.annotation.GetMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMethod; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| @ -20,9 +21,9 @@ public class Users { | ||||
|     @Autowired | ||||
|     UserSessionData userSessionData; | ||||
|  | ||||
|     @RequestMapping(produces = {"application/json"}, method = RequestMethod.GET) | ||||
|     @GetMapping(produces = {"application/json"}) | ||||
|     @ResponseBody | ||||
|     protected HashMap<Integer, HashMap> getUsers  (HttpServletRequest req) { | ||||
|     protected HashMap<Integer, HashMap> getUsers() { | ||||
|  | ||||
|         try { | ||||
|             Connection connection = DatabaseUtilities.getConnection(getWebSession()); | ||||
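Review bot: The rewritten `getUsers()` signature keeps a raw `HashMap` as the value type of its return (`HashMap<Integer, HashMap>`), which the compiler cannot check and which exposes the concrete collection class to callers. Since the signature is already being touched, parameterize the inner map and return the interface, e.g. `protected Map<Integer, Map<String, String>> getUsers() {` with whatever key/value types the rows actually carry (the loading code is outside the hunk, so confirm them there). The `Connection` opened on the last visible line should also sit in a try-with-resources if it is not closed further down, which this hunk does not show.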
|  | ||||
| @ -1,20 +1,13 @@ | ||||
| package org.owasp.webgoat.plugin; | ||||
|  | ||||
| import org.apache.commons.lang3.StringUtils; | ||||
| import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.assignments.AssignmentHints; | ||||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.owasp.webgoat.plugin.PasswordResetEmail; | ||||
| import org.springframework.beans.factory.annotation.Value; | ||||
| import org.springframework.http.MediaType; | ||||
| import org.springframework.web.bind.annotation.PostMapping; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.client.RestClientException; | ||||
| import org.springframework.web.client.RestTemplate; | ||||
| import org.springframework.web.bind.annotation.RestController; | ||||
|  | ||||
| import java.time.LocalDateTime; | ||||
| import java.util.HashMap; | ||||
| import java.util.Map; | ||||
|  | ||||
| @ -22,7 +15,7 @@ import java.util.Map; | ||||
|  * @author nbaars | ||||
|  * @since 8/20/17. | ||||
|  */ | ||||
| @AssignmentPath("/PasswordReset/questions") | ||||
| @RestController | ||||
| public class QuestionsAssignment extends AssignmentEndpoint { | ||||
|  | ||||
|     private final static Map<String, String> COLORS = new HashMap<>(); | ||||
| @ -35,7 +28,7 @@ public class QuestionsAssignment extends AssignmentEndpoint { | ||||
|         COLORS.put("webgoat", "red"); | ||||
|     } | ||||
|  | ||||
|     @PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE) | ||||
|     @PostMapping(path = "/PasswordReset/questions", consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE) | ||||
|     @ResponseBody | ||||
|     public AttackResult passwordReset(@RequestParam Map<String, Object> json) { | ||||
|         String securityQuestion = (String) json.getOrDefault("securityQuestion", ""); | ||||
|  | ||||
| @ -17,7 +17,7 @@ import java.util.Map; | ||||
|  * @author nbaars | ||||
|  * @since 8/20/17. | ||||
|  */ | ||||
| @AssignmentPath("/PasswordReset/reset") | ||||
| @RestController | ||||
| @AssignmentHints({"password-reset-hint1", "password-reset-hint2", "password-reset-hint3", "password-reset-hint4", "password-reset-hint5", "password-reset-hint6"}) | ||||
| public class ResetLinkAssignment extends AssignmentEndpoint { | ||||
|  | ||||
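Review bot: Swapping `@AssignmentPath` for `@RestController` on `ResetLinkAssignment` implies `@ResponseBody` on every handler, yet `resetPassword` and `changePassword` in the two hunks below return `String` and take a `Model`/`BindingResult`, which is the view-resolution contract; under `@RestController` those methods will write the view name into the response body instead of rendering the template. If the removed `@AssignmentPath` was backed by a plain `@Controller` (not visible here), this is a behavioural regression for the reset-link page. Use `@Controller` on this class and keep the explicit `@ResponseBody` on `login`, or move the two view handlers into a separate `@Controller`.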
| @ -37,7 +37,7 @@ public class ResetLinkAssignment extends AssignmentEndpoint { | ||||
|             "Kind regards, \nTeam WebGoat"; | ||||
|  | ||||
|  | ||||
|     @PostMapping("/login") | ||||
|     @PostMapping("/PasswordReset/reset/login") | ||||
|     @ResponseBody | ||||
|     public AttackResult login(@RequestParam String password, @RequestParam String email) { | ||||
|         if (TOM_EMAIL.equals(email)) { | ||||
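Review bot: The prefix `/PasswordReset/reset` is now repeated literally in `login` here and in `resetPassword` and `changePassword` in the two hunks below, which is exactly the duplication the removed class-level `@AssignmentPath` avoided. A class-level `@RequestMapping("/PasswordReset/reset")` keeps each method mapping relative (`@PostMapping("/login")`) and makes a future rename a one-line change. The same pattern appears in `ResetLinkAssignmentForgotPassword` and `SimpleMailAssignment` in this commit.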
| @ -51,7 +51,7 @@ public class ResetLinkAssignment extends AssignmentEndpoint { | ||||
|         return trackProgress(failed().feedback("login_failed.tom").build()); | ||||
|     } | ||||
|  | ||||
|     @GetMapping("/reset-password/{link}") | ||||
|     @GetMapping("/PasswordReset/reset/reset-password/{link}") | ||||
|     public String resetPassword(@PathVariable(value = "link") String link, Model model) { | ||||
|         if (this.resetLinks.contains(link)) { | ||||
|             PasswordChangeForm form = new PasswordChangeForm(); | ||||
| @ -63,7 +63,7 @@ public class ResetLinkAssignment extends AssignmentEndpoint { | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     @PostMapping("/change-password") | ||||
|     @PostMapping("/PasswordReset/reset/change-password") | ||||
|     public String changePassword(@ModelAttribute("form") PasswordChangeForm form, BindingResult bindingResult) { | ||||
|         if (!org.springframework.util.StringUtils.hasText(form.getPassword())) { | ||||
|             bindingResult.rejectValue("password", "not.empty"); | ||||
|  | ||||
| @ -7,9 +7,7 @@ import org.springframework.beans.factory.annotation.Value; | ||||
| import org.springframework.http.HttpEntity; | ||||
| import org.springframework.http.HttpHeaders; | ||||
| import org.springframework.http.HttpMethod; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.*; | ||||
| import org.springframework.web.client.RestTemplate; | ||||
|  | ||||
| import javax.servlet.http.HttpServletRequest; | ||||
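Review bot: Three explicit imports are collapsed into `import org.springframework.web.bind.annotation.*;`, and the same wildcard is introduced in SecurityQuestionAssignment, SecurePasswordsAssignment, SqlInjectionChallengeLogin, SqlInjectionLesson6b, SqlInjectionQuiz, SqlInjectionLesson10, 2, 3, 4 and 5b in this commit. A wildcard hides which annotations a class actually uses and can silently change name resolution if the package later gains a type that collides with one already imported; the explicit form, adding `PostMapping` and `RestController`, costs two lines. QuestionsAssignment and SimpleMailAssignment in the same commit keep explicit imports, so the commit is also inconsistent with itself.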
| @ -25,7 +23,7 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST; | ||||
|  * @author nbaars | ||||
|  * @since 8/20/17. | ||||
|  */ | ||||
| @AssignmentPath("/PasswordReset/ForgotPassword") | ||||
| @RestController | ||||
| public class ResetLinkAssignmentForgotPassword extends AssignmentEndpoint { | ||||
|  | ||||
|     private final RestTemplate restTemplate; | ||||
| @ -37,7 +35,7 @@ public class ResetLinkAssignmentForgotPassword extends AssignmentEndpoint { | ||||
|         this.webWolfMailURL = webWolfMailURL; | ||||
|     } | ||||
|  | ||||
|     @RequestMapping(method = POST, value = "/create-password-reset-link") | ||||
|     @PostMapping("/PasswordReset/ForgotPassword/create-password-reset-link") | ||||
|     @ResponseBody | ||||
|     public AttackResult sendPasswordResetLink(@RequestParam String email, HttpServletRequest request) { | ||||
|         String resetLink = UUID.randomUUID().toString(); | ||||
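Review bot: With `@RequestMapping(method = POST, ...)` replaced by `@PostMapping`, the `import static org.springframework.web.bind.annotation.RequestMethod.POST;` shown as this hunk's header context is left without a visible use; unless it is referenced elsewhere in the file, drop it along with the other import cleanup the commit already performs. The same leftover is visible in `SqlInjectionChallengeLogin`, where the static `POST` import stays as context while the mapping on the same hunk becomes `@PostMapping`.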
| @ -58,7 +56,7 @@ public class ResetLinkAssignmentForgotPassword extends AssignmentEndpoint { | ||||
|         return success().feedback("email.send").feedbackArgs(email).build(); | ||||
|     } | ||||
|  | ||||
|     private void sendMailToUser(@RequestParam String email, String host, String resetLink) { | ||||
|     private void sendMailToUser(String email, String host, String resetLink) { | ||||
|         int index = email.indexOf("@"); | ||||
|         String username = email.substring(0, index == -1 ? email.length() : index); | ||||
|         PasswordResetEmail mail = PasswordResetEmail.builder() | ||||
| @ -78,5 +76,4 @@ public class ResetLinkAssignmentForgotPassword extends AssignmentEndpoint { | ||||
|             //don't care | ||||
|         } | ||||
|     } | ||||
|  | ||||
| } | ||||
|  | ||||
| @ -4,10 +4,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.springframework.beans.factory.annotation.Autowired; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMethod; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.*; | ||||
|  | ||||
| import java.util.HashMap; | ||||
| import java.util.Map; | ||||
| @ -20,7 +17,7 @@ import static java.util.Optional.of; | ||||
|  * @author Tobias Melzer | ||||
|  * @since 11.12.18 | ||||
|  */ | ||||
| @AssignmentPath("/PasswordReset/SecurityQuestions") | ||||
| @RestController | ||||
| public class SecurityQuestionAssignment extends AssignmentEndpoint { | ||||
|  | ||||
|     @Autowired | ||||
| @ -46,7 +43,7 @@ public class SecurityQuestionAssignment extends AssignmentEndpoint { | ||||
|         questions.put("What is your favorite color?", "Can easily be guessed."); | ||||
|     } | ||||
|  | ||||
|     @RequestMapping(method = RequestMethod.POST) | ||||
|     @PostMapping("/PasswordReset/SecurityQuestions") | ||||
|     @ResponseBody | ||||
|     public AttackResult completed(@RequestParam String question) { | ||||
|         var answer = of(questions.get(question)); | ||||
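Review bot: `var answer = of(questions.get(question));` wraps the map lookup in `Optional.of`, which throws NullPointerException when `question` is not one of the configured keys, so an unexpected or misspelled parameter value yields a 500 instead of a failed AttackResult. Use `var answer = ofNullable(questions.get(question));` (adjusting the static import) so the absent case flows into whatever `orElse`/`isPresent` handling follows. The rest of the method is outside the hunk.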
|  | ||||
| @ -9,6 +9,7 @@ import org.springframework.http.MediaType; | ||||
| import org.springframework.web.bind.annotation.PostMapping; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.RestController; | ||||
| import org.springframework.web.client.RestClientException; | ||||
| import org.springframework.web.client.RestTemplate; | ||||
|  | ||||
| @ -20,8 +21,7 @@ import static java.util.Optional.ofNullable; | ||||
|  * @author nbaars | ||||
|  * @since 8/20/17. | ||||
|  */ | ||||
| @AssignmentPath("/PasswordReset/simple-mail") | ||||
|  | ||||
| @RestController | ||||
| public class SimpleMailAssignment extends AssignmentEndpoint { | ||||
|  | ||||
|     private final String webWolfURL; | ||||
| @ -32,7 +32,7 @@ public class SimpleMailAssignment extends AssignmentEndpoint { | ||||
|         this.webWolfURL = webWolfURL; | ||||
|     } | ||||
|  | ||||
|     @PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE) | ||||
|     @PostMapping(path = "/PasswordReset/simple-mail", consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE) | ||||
|     @ResponseBody | ||||
|     public AttackResult login(@RequestParam String email, @RequestParam String password) { | ||||
|         String emailAddress = ofNullable(email).orElse("unknown@webgoat.org"); | ||||
| @ -45,7 +45,7 @@ public class SimpleMailAssignment extends AssignmentEndpoint { | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     @PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE, value = "/reset") | ||||
|     @PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE, value = "/PasswordReset/simple-mail/reset") | ||||
|     @ResponseBody | ||||
|     public AttackResult resetPassword(@RequestParam String emailReset) { | ||||
|         String email = ofNullable(emailReset).orElse("unknown@webgoat.org"); | ||||
|  | ||||
| @ -1,35 +1,19 @@ | ||||
| package org.owasp.webgoat.plugin; | ||||
|  | ||||
| import com.nulabinc.zxcvbn.Feedback; | ||||
| import com.nulabinc.zxcvbn.Strength; | ||||
| import com.nulabinc.zxcvbn.Zxcvbn; | ||||
| import org.jruby.RubyProcess; | ||||
| import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMethod; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.*; | ||||
|  | ||||
|  | ||||
| import javax.tools.*; | ||||
| import java.io.IOException; | ||||
| import java.net.URI; | ||||
| import java.text.DecimalFormat; | ||||
| import java.text.DecimalFormatSymbols; | ||||
| import java.util.Arrays; | ||||
| import java.util.List; | ||||
| import java.util.Locale; | ||||
| import java.util.ResourceBundle; | ||||
| import java.util.concurrent.TimeUnit; | ||||
| import java.util.regex.Matcher; | ||||
| import java.util.regex.Pattern; | ||||
|  | ||||
| @AssignmentPath("SecurePasswords/assignment") | ||||
| @RestController | ||||
| public class SecurePasswordsAssignment extends AssignmentEndpoint { | ||||
|  | ||||
|     @RequestMapping(method = RequestMethod.POST) | ||||
|     @PostMapping("SecurePasswords/assignment") | ||||
|     @ResponseBody | ||||
|     public AttackResult completed(@RequestParam String password) { | ||||
|         Zxcvbn zxcvbn = new Zxcvbn(); | ||||
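Review bot: `@PostMapping("SecurePasswords/assignment")` is the only mapping in this commit without a leading slash; Spring MVC prepends one when matching, but next to every other path on the page it reads as a typo carried over from the old `@AssignmentPath`. Write it as `@PostMapping("/SecurePasswords/assignment")` for consistency. The import cleanup in this hunk (dropping `org.jruby.RubyProcess`, `javax.tools.*` and the unused `java.*` imports) is a welcome side effect of the change.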
|  | ||||
| @ -13,6 +13,7 @@ import org.springframework.util.StringUtils; | ||||
| import org.springframework.web.bind.annotation.PutMapping; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.RestController; | ||||
|  | ||||
| import java.sql.*; | ||||
|  | ||||
| @ -20,7 +21,7 @@ import java.sql.*; | ||||
|  * @author nbaars | ||||
|  * @since 4/8/17. | ||||
|  */ | ||||
| @AssignmentPath("/SqlInjectionAdvanced/challenge") | ||||
| @RestController | ||||
| @AssignmentHints(value = {"SqlInjectionChallenge1", "SqlInjectionChallenge2", "SqlInjectionChallenge3"}) | ||||
| @Slf4j | ||||
| public class SqlInjectionChallenge extends AssignmentEndpoint { | ||||
| @ -36,7 +37,7 @@ public class SqlInjectionChallenge extends AssignmentEndpoint { | ||||
|         log.info("Challenge 6 tablename is: {}", USERS_TABLE_NAME); | ||||
|     } | ||||
|  | ||||
|     @PutMapping  //assignment path is bounded to class so we use different http method :-) | ||||
|     @PutMapping("/SqlInjectionAdvanced/challenge")  //assignment path is bounded to class so we use different http method :-) | ||||
|     @ResponseBody | ||||
|     public AttackResult registerNewUser(@RequestParam String username_reg, @RequestParam String email_reg, @RequestParam String password_reg) throws Exception { | ||||
|         AttackResult attackResult = checkArguments(username_reg, email_reg, password_reg); | ||||
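Review bot: The trailing comment on the new `@PutMapping("/SqlInjectionAdvanced/challenge")` line, `//assignment path is bounded to class so we use different http method :-)`, is now stale: the path is no longer bound at class level, so the stated reason for choosing PUT no longer exists. Either drop the comment or state the current reason, e.g. `// PUT registers a user (registerNewUser); the login step is a POST in SqlInjectionChallengeLogin`. The method body continues outside the hunk.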
|  | ||||
| @ -7,23 +7,20 @@ import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.owasp.webgoat.session.DatabaseUtilities; | ||||
| import org.owasp.webgoat.session.WebSession; | ||||
| import org.springframework.beans.factory.annotation.Autowired; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.*; | ||||
|  | ||||
| import java.sql.*; | ||||
|  | ||||
| import static org.springframework.web.bind.annotation.RequestMethod.POST; | ||||
|  | ||||
| @AssignmentPath("/SqlInjectionAdvanced/challenge_Login") | ||||
| @RestController | ||||
| @AssignmentHints(value ={"SqlInjectionChallengeHint1", "SqlInjectionChallengeHint2", "SqlInjectionChallengeHint3", "SqlInjectionChallengeHint4"}) | ||||
| public class SqlInjectionChallengeLogin extends AssignmentEndpoint { | ||||
|  | ||||
|   @Autowired | ||||
|   private WebSession webSession; | ||||
|  | ||||
|  | ||||
|   @RequestMapping(method = POST) | ||||
|   @PostMapping("/SqlInjectionAdvanced/challenge_Login") | ||||
|   @ResponseBody | ||||
|   public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception { | ||||
|     Connection connection = DatabaseUtilities.getConnection(webSession); | ||||
|  | ||||
| @ -42,15 +42,14 @@ import java.sql.*; | ||||
|  * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a> | ||||
|  * @created October 28, 2003 | ||||
|  */ | ||||
| @AssignmentPath("/SqlInjectionAdvanced/attack6a") | ||||
| @RestController | ||||
| @AssignmentHints(value = {"SqlStringInjectionHint-advanced-6a-1", "SqlStringInjectionHint-advanced-6a-2", "SqlStringInjectionHint-advanced-6a-3", | ||||
| "SqlStringInjectionHint-advanced-6a-4"}) | ||||
| public class SqlInjectionLesson6a extends AssignmentEndpoint { | ||||
|  | ||||
|     @PostMapping | ||||
|     public | ||||
|     @PostMapping("/SqlInjectionAdvanced/attack6a") | ||||
|     @ResponseBody | ||||
|     AttackResult completed(@RequestParam String userid_6a) throws IOException { | ||||
|     public AttackResult completed(@RequestParam String userid_6a) throws IOException { | ||||
|         return injectableQuery(userid_6a); | ||||
|         // The answer: Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data -- | ||||
|     } | ||||
|  | ||||
| @ -5,10 +5,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.owasp.webgoat.session.DatabaseUtilities; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMethod; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.*; | ||||
|  | ||||
| import java.io.IOException; | ||||
| import java.sql.Connection; | ||||
| @ -47,10 +44,10 @@ import java.sql.Statement; | ||||
|  * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a> | ||||
|  * @created October 28, 2003 | ||||
|  */ | ||||
| @AssignmentPath("/SqlInjectionAdvanced/attack6b") | ||||
| @RestController | ||||
| public class SqlInjectionLesson6b extends AssignmentEndpoint { | ||||
|  | ||||
|     @RequestMapping(method = RequestMethod.POST) | ||||
|     @PostMapping("/SqlInjectionAdvanced/attack6b") | ||||
|     @ResponseBody | ||||
|     public AttackResult completed(@RequestParam String userid_6b) throws IOException { | ||||
|         if (userid_6b.toString().equals(getPassword())) { | ||||
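Review bot: `userid_6b.toString().equals(getPassword())` calls `toString()` on a `String` request parameter, which is a no-op and suggests the parameter has some other type; `if (userid_6b.equals(getPassword())) {` says the same thing. If `getPassword()` can return null, the current operand order already keeps the comparison safe. The method body continues outside the hunk.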
|  | ||||
| @ -4,10 +4,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.owasp.webgoat.session.DatabaseUtilities; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMethod; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.*; | ||||
|  | ||||
| import java.io.IOException; | ||||
| import java.sql.Connection; | ||||
| @ -21,13 +18,13 @@ import java.sql.Statement; | ||||
|  * 3. add Request param with name of question to method head | ||||
|  * For a more detailed description how to implement the quiz go to the quiz.js file in webgoat-container -> js | ||||
|  */ | ||||
| @AssignmentPath("/SqlInjectionAdvanced/quiz") | ||||
| @RestController | ||||
| public class SqlInjectionQuiz extends AssignmentEndpoint { | ||||
|  | ||||
|     String[] solutions = {"Solution 4", "Solution 3", "Solution 2", "Solution 3", "Solution 4"}; | ||||
|     boolean[] guesses = new boolean[solutions.length]; | ||||
|  | ||||
|     @RequestMapping(method = RequestMethod.POST) | ||||
|     @PostMapping("/SqlInjectionAdvanced/quiz") | ||||
|     @ResponseBody | ||||
|     public AttackResult completed(@RequestParam String[] question_0_solution, @RequestParam String[] question_1_solution, @RequestParam String[] question_2_solution, @RequestParam String[] question_3_solution, @RequestParam String[] question_4_solution) throws IOException { | ||||
|         int correctAnswers = 0; | ||||
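Review bot: `boolean[] guesses` is an instance field on what is now a `@RestController`, i.e. a singleton, so the quiz results written by `completed` and returned by `getResults` in the next hunk are shared by every user of the application and overwritten by whoever posted last. Per-user state belongs in the session-bound `UserSessionData` that other assignments in this commit inject, or should be derived from the request rather than stored on the controller. `getResults` also hands out the live array; `return this.guesses.clone();` would at least stop callers from mutating it. The body of completed continues outside the hunk.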
| @ -52,7 +49,7 @@ public class SqlInjectionQuiz extends AssignmentEndpoint { | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     @RequestMapping(method = RequestMethod.GET) | ||||
|     @GetMapping("/SqlInjectionAdvanced/quiz") | ||||
|     @ResponseBody | ||||
|     public boolean[] getResults() { | ||||
|         return this.guesses; | ||||
|  | ||||
| @ -6,21 +6,17 @@ import org.owasp.webgoat.assignments.AssignmentHints; | ||||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.owasp.webgoat.session.DatabaseUtilities; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMethod; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.*; | ||||
|  | ||||
| import java.sql.*; | ||||
|  | ||||
| @AssignmentPath("/SqlInjection/attack10") | ||||
| @RestController | ||||
| @AssignmentHints(value = {"SqlStringInjectionHint.10.1", "SqlStringInjectionHint.10.2", "SqlStringInjectionHint.10.3", "SqlStringInjectionHint.10.4", "SqlStringInjectionHint.10.5", "SqlStringInjectionHint.10.6"}) | ||||
| public class SqlInjectionLesson10 extends AssignmentEndpoint { | ||||
|  | ||||
|     @RequestMapping(method = RequestMethod.POST) | ||||
|     public | ||||
|     @PostMapping("/SqlInjection/attack10") | ||||
|     @ResponseBody | ||||
|     AttackResult completed(@RequestParam String action_string) { | ||||
|     public AttackResult completed(@RequestParam String action_string) { | ||||
|         return injectableQueryAvailability(action_string); | ||||
|     } | ||||
|  | ||||
|  | ||||
| @ -6,10 +6,7 @@ import org.owasp.webgoat.assignments.AssignmentHints; | ||||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.owasp.webgoat.session.DatabaseUtilities; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMethod; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.*; | ||||
|  | ||||
| import java.io.IOException; | ||||
| import java.sql.*; | ||||
| @ -45,14 +42,13 @@ import java.sql.*; | ||||
|  * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a> | ||||
|  * @created October 28, 2003 | ||||
|  */ | ||||
| @AssignmentPath("/SqlInjection/attack2") | ||||
| @RestController | ||||
| @AssignmentHints(value = {"SqlStringInjectionHint2-1", "SqlStringInjectionHint2-2", "SqlStringInjectionHint2-3", "SqlStringInjectionHint2-4"}) | ||||
| public class SqlInjectionLesson2 extends AssignmentEndpoint { | ||||
|  | ||||
|     @RequestMapping(method = RequestMethod.POST) | ||||
|     public | ||||
|     @PostMapping("/SqlInjection/attack2") | ||||
|     @ResponseBody | ||||
|     AttackResult completed(@RequestParam String query) { | ||||
|     public AttackResult completed(@RequestParam String query) { | ||||
|         return injectableQuery(query); | ||||
|     } | ||||
|  | ||||
|  | ||||
| @ -6,10 +6,7 @@ import org.owasp.webgoat.assignments.AssignmentHints; | ||||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.owasp.webgoat.session.DatabaseUtilities; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMethod; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.*; | ||||
|  | ||||
| import java.io.IOException; | ||||
| import java.sql.*; | ||||
| @ -45,14 +42,13 @@ import java.sql.*; | ||||
|  * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a> | ||||
|  * @created October 28, 2003 | ||||
|  */ | ||||
| @AssignmentPath("/SqlInjection/attack3") | ||||
| @RestController | ||||
| @AssignmentHints(value = {"SqlStringInjectionHint3-1", "SqlStringInjectionHint3-2"}) | ||||
| public class SqlInjectionLesson3 extends AssignmentEndpoint { | ||||
|  | ||||
|     @RequestMapping(method = RequestMethod.POST) | ||||
|     public | ||||
|     @PostMapping("/SqlInjection/attack3") | ||||
|     @ResponseBody | ||||
|     AttackResult completed(@RequestParam String query) { | ||||
|     public AttackResult completed(@RequestParam String query) { | ||||
|         return injectableQuery(query); | ||||
|     } | ||||
|  | ||||
|  | ||||
| @ -6,10 +6,7 @@ import org.owasp.webgoat.assignments.AssignmentHints; | ||||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.owasp.webgoat.session.DatabaseUtilities; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMethod; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.*; | ||||
|  | ||||
| import java.io.IOException; | ||||
| import java.sql.*; | ||||
| @ -45,22 +42,19 @@ import java.sql.*; | ||||
|  * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a> | ||||
|  * @created October 28, 2003 | ||||
|  */ | ||||
| @AssignmentPath("/SqlInjection/attack4") | ||||
| @RestController | ||||
| @AssignmentHints(value = {"SqlStringInjectionHint4-1", "SqlStringInjectionHint4-2", "SqlStringInjectionHint4-3"}) | ||||
| public class SqlInjectionLesson4 extends AssignmentEndpoint { | ||||
|  | ||||
|     @RequestMapping(method = RequestMethod.POST) | ||||
|     public | ||||
|     @PostMapping("/SqlInjection/attack4") | ||||
|     @ResponseBody | ||||
|     AttackResult completed(@RequestParam String query) { | ||||
|     public AttackResult completed(@RequestParam String query) { | ||||
|         return injectableQuery(query); | ||||
|     } | ||||
|  | ||||
|     protected AttackResult injectableQuery(String _query) { | ||||
|         try { | ||||
|             Connection connection = DatabaseUtilities.getConnection(getWebSession()); | ||||
|             String query = _query; | ||||
|  | ||||
|             try { | ||||
|                 Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, | ||||
|                         ResultSet.CONCUR_READ_ONLY); | ||||
|  | ||||
| @ -3,16 +3,11 @@ package org.owasp.webgoat.plugin.introduction; | ||||
|  | ||||
| import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.assignments.AssignmentHints; | ||||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.owasp.webgoat.session.DatabaseUtilities; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMethod; | ||||
| import org.springframework.web.bind.annotation.PostMapping; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
|  | ||||
| import java.io.IOException; | ||||
| import java.sql.*; | ||||
| import org.springframework.web.bind.annotation.RestController; | ||||
|  | ||||
|  | ||||
| /*************************************************************************************************** | ||||
| @ -45,20 +40,18 @@ import java.sql.*; | ||||
|  * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a> | ||||
|  * @created October 28, 2003 | ||||
|  */ | ||||
| @AssignmentPath("/SqlInjection/attack5") | ||||
| @RestController | ||||
| @AssignmentHints(value = {"SqlStringInjectionHint5-a"}) | ||||
| public class SqlInjectionLesson5 extends AssignmentEndpoint { | ||||
|  | ||||
|     @RequestMapping(method = RequestMethod.POST) | ||||
|     public | ||||
|     @PostMapping("/SqlInjection/attack5") | ||||
|     @ResponseBody | ||||
|     AttackResult completed(@RequestParam String query) { | ||||
|     public AttackResult completed(@RequestParam String query) { | ||||
|         return injectableQuery(query); | ||||
|     } | ||||
|  | ||||
|     protected AttackResult injectableQuery(String _query) { | ||||
|         try { | ||||
|             String query = _query; | ||||
|             String regex = "(?i)^(grant alter table to unauthorizedUser)(?:[;]?)$"; | ||||
|             Boolean isCorrect = false; | ||||
|             StringBuffer output = new StringBuffer(); | ||||
| @ -70,7 +63,6 @@ public class SqlInjectionLesson5 extends AssignmentEndpoint { | ||||
|             } else { | ||||
|                 return trackProgress(failed().output(output.toString()).build()); | ||||
|             } | ||||
|  | ||||
|         } catch (Exception e) { | ||||
|             return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage()).build()); | ||||
|         } | ||||
|  | ||||
| @ -41,7 +41,7 @@ import java.sql.*; | ||||
|  * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a> | ||||
|  * @created October 28, 2003 | ||||
|  */ | ||||
| @AssignmentPath("/SqlInjection/assignment5a") | ||||
| @RestController | ||||
| @AssignmentHints(value = {"SqlStringInjectionHint5a1"}) | ||||
| public class SqlInjectionLesson5a extends AssignmentEndpoint { | ||||
|  | ||||
| @ -50,10 +50,9 @@ public class SqlInjectionLesson5a extends AssignmentEndpoint { | ||||
|           + "So the injected query basically looks like this: <span style=\"font-style: italic\">SELECT * FROM user_data WHERE first_name = 'John' and last_name = '' or TRUE</span>, " | ||||
|           + "which will always evaluate to true, no matter what came before it."; | ||||
|  | ||||
|   @PostMapping | ||||
|   public | ||||
|   @PostMapping("/SqlInjection/assignment5a") | ||||
|   @ResponseBody | ||||
|   AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) { | ||||
|   public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) { | ||||
|     return injectableQuery(account + " " + operator + " " + injection); | ||||
|   } | ||||
|  | ||||
|  | ||||
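Review bot: The method-level `@ResponseBody` kept under the new `@PostMapping("/SqlInjection/assignment5a")` is redundant now that the class is annotated `@RestController`, which already applies `@ResponseBody` to every handler method. Dropping that line leaves the declaration as `@PostMapping` plus the signature; the same redundant annotation is carried into the 5b, 8, 9, 10a, 10b, 12a, SSRF, VulnerableComponents and XXE sections of this commit. `completed` is fully visible here; `injectableQuery` is not.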
| @ -6,10 +6,7 @@ import org.owasp.webgoat.assignments.AssignmentHints; | ||||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.owasp.webgoat.session.DatabaseUtilities; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMethod; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.*; | ||||
|  | ||||
| import javax.servlet.http.HttpServletRequest; | ||||
| import java.io.IOException; | ||||
| @ -46,18 +43,16 @@ import java.sql.*; | ||||
|  * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a> | ||||
|  * @created October 28, 2003 | ||||
|  */ | ||||
| @AssignmentPath("/SqlInjection/assignment5b") | ||||
| @RestController | ||||
| @AssignmentHints(value = {"SqlStringInjectionHint5b1", "SqlStringInjectionHint5b2", "SqlStringInjectionHint5b3", "SqlStringInjectionHint5b4"}) | ||||
| public class SqlInjectionLesson5b extends AssignmentEndpoint { | ||||
|  | ||||
|   @RequestMapping(method = RequestMethod.POST) | ||||
|   public | ||||
|   @PostMapping("/SqlInjection/assignment5b") | ||||
|   @ResponseBody | ||||
|   AttackResult completed(@RequestParam String userid, @RequestParam String login_count, HttpServletRequest request) throws IOException { | ||||
|   public AttackResult completed(@RequestParam String userid, @RequestParam String login_count, HttpServletRequest request) throws IOException { | ||||
|     return injectableQuery(login_count, userid); | ||||
|   } | ||||
|  | ||||
|  | ||||
|   protected AttackResult injectableQuery(String login_count, String accountName) { | ||||
|     String queryString = "SELECT * From user_data WHERE Login_Count = ? and userid= " + accountName; | ||||
|     try { | ||||
|  | ||||
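Review bot: `completed` in this section still declares `throws IOException` and takes an `HttpServletRequest request` it never uses — its body only forwards `login_count` and `userid` to `injectableQuery`, whose signature declares no checked exception. The signature can shrink to `public AttackResult completed(@RequestParam String userid, @RequestParam String login_count) {`, after which the `javax.servlet.http.HttpServletRequest` and `java.io.IOException` imports above should be rechecked for other uses. Separately, the import of `org.owasp.webgoat.assignments.AssignmentPath` is kept while the `@AssignmentPath` annotation it served is replaced by `@RestController`, so it looks unused unless the name is referenced elsewhere in the file; the same stale import appears to remain in the 8, 10a, 10b, SSRF task 1/2 and VulnerableComponents sections, whereas the 9 and 12a sections remove it.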
| @ -6,23 +6,20 @@ import org.owasp.webgoat.assignments.AssignmentHints; | ||||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.owasp.webgoat.session.DatabaseUtilities; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMethod; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.*; | ||||
|  | ||||
| import java.util.Calendar; | ||||
| import java.text.SimpleDateFormat; | ||||
|  | ||||
| import java.sql.*; | ||||
|  | ||||
| @AssignmentPath("/SqlInjection/attack8") | ||||
| @RestController | ||||
| @AssignmentHints(value = {"SqlStringInjectionHint.8.1", "SqlStringInjectionHint.8.2", "SqlStringInjectionHint.8.3", "SqlStringInjectionHint.8.4", "SqlStringInjectionHint.8.5"}) | ||||
| public class SqlInjectionLesson8 extends AssignmentEndpoint { | ||||
|  | ||||
|     @RequestMapping(method = RequestMethod.POST) | ||||
|     public | ||||
|     @PostMapping("/SqlInjection/attack8") | ||||
|     @ResponseBody | ||||
|     AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) { | ||||
|     public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) { | ||||
|         return injectableQueryConfidentiality(name, auth_tan); | ||||
|     } | ||||
|  | ||||
|  | ||||
| @ -3,24 +3,25 @@ package org.owasp.webgoat.plugin.introduction; | ||||
|  | ||||
| import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.assignments.AssignmentHints; | ||||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.owasp.webgoat.session.DatabaseUtilities; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMethod; | ||||
| import org.springframework.web.bind.annotation.PostMapping; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.RestController; | ||||
|  | ||||
| import java.sql.*; | ||||
| import java.sql.Connection; | ||||
| import java.sql.ResultSet; | ||||
| import java.sql.SQLException; | ||||
| import java.sql.Statement; | ||||
|  | ||||
| @AssignmentPath("/SqlInjection/attack9") | ||||
| @RestController | ||||
| @AssignmentHints(value = {"SqlStringInjectionHint.9.1", "SqlStringInjectionHint.9.2", "SqlStringInjectionHint.9.3", "SqlStringInjectionHint.9.4", "SqlStringInjectionHint.9.5"}) | ||||
| public class SqlInjectionLesson9 extends AssignmentEndpoint { | ||||
|  | ||||
|     @RequestMapping(method = RequestMethod.POST) | ||||
|     public | ||||
|     @PostMapping("/SqlInjection/attack9") | ||||
|     @ResponseBody | ||||
|     AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) { | ||||
|     public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) { | ||||
|         return injectableQueryIntegrity(name, auth_tan); | ||||
|     } | ||||
|  | ||||
|  | ||||
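Review bot: This section replaces the `java.sql.*` wildcard with explicit `java.sql.Connection`/`ResultSet`/`SQLException`/`Statement` imports, while the 5b, 8, 10a, 10b, SSRF, VulnerableComponents and blind-XXE sections of the same commit go the other way and introduce `org.springframework.web.bind.annotation.*` in place of explicit imports. Pick one convention across the commit; the pre-change files used explicit imports, and explicit imports (as done here and in 12a) avoid ambiguity when two wildcard packages export the same simple name. `injectableQueryIntegrity` is outside the hunk.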
| @ -8,25 +8,19 @@ import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.owasp.webgoat.session.WebSession; | ||||
| import org.springframework.beans.factory.annotation.Autowired; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMethod; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.*; | ||||
|  | ||||
| @AssignmentPath("SqlInjectionMitigations/attack10a") | ||||
| @RestController | ||||
| @Slf4j | ||||
| @AssignmentHints(value = {"SqlStringInjectionHint-mitigation-10a-1", "SqlStringInjectionHint-mitigation-10a-10a2"}) | ||||
| public class SqlInjectionLesson10a extends AssignmentEndpoint { | ||||
|  | ||||
|     @Autowired | ||||
|     private WebSession webSession; | ||||
|     // @TODO: Maybe provide regex instead of "hard coded" strings | ||||
|     private String[] results = {"getConnection", "PreparedStatement", "prepareStatement", "?", "?", "setString", "setString"}; | ||||
|  | ||||
|     // @TODO Method head too big, better solution? | ||||
|     @RequestMapping(method = RequestMethod.POST) | ||||
|     @PostMapping("SqlInjectionMitigations/attack10a") | ||||
|     @ResponseBody | ||||
|     @SneakyThrows | ||||
|     public AttackResult completed(@RequestParam String field1, @RequestParam String field2, @RequestParam String field3, @RequestParam String field4, @RequestParam String field5, @RequestParam String field6, @RequestParam String field7) { | ||||
|         String[] userInput = {field1, field2, field3, field4, field5, field6, field7}; | ||||
|         int position = 0; | ||||
|  | ||||
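Review bot: The new mapping `@PostMapping("SqlInjectionMitigations/attack10a")` has no leading slash, unlike `"/SqlInjection/assignment5a"` and the other SqlInjection paths in this commit; Spring prepends the slash when matching, so it works, but now that each path string lives on its handler they should all follow one form. Use `@PostMapping("/SqlInjectionMitigations/attack10a")`; the same applies to the 10b and 12a sections and to the `xxe/blind`, `xxe/content-type` and `xxe/simple` paths. The two pre-existing `@TODO` comments and the `@SneakyThrows` on this handler are unchanged by the commit, and `completed`'s body continues outside the hunk.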
| @ -4,10 +4,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.assignments.AssignmentHints; | ||||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMethod; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.*; | ||||
|  | ||||
| import javax.servlet.http.HttpServletRequest; | ||||
| import javax.tools.*; | ||||
| @ -18,11 +15,11 @@ import java.util.List; | ||||
| import java.util.regex.Matcher; | ||||
| import java.util.regex.Pattern; | ||||
|  | ||||
| @AssignmentPath("SqlInjectionMitigations/attack10b") | ||||
| @RestController | ||||
| @AssignmentHints(value = {"SqlStringInjectionHint-mitigation-10b-1", "SqlStringInjectionHint-mitigation-10b-2", "SqlStringInjectionHint-mitigation-10b-3", "SqlStringInjectionHint-mitigation-10b-4", "SqlStringInjectionHint-mitigation-10b-5"}) | ||||
| public class SqlInjectionLesson10b extends AssignmentEndpoint { | ||||
|  | ||||
|     @RequestMapping(method = RequestMethod.POST) | ||||
|     @PostMapping("SqlInjectionMitigations/attack10b") | ||||
|     @ResponseBody | ||||
|     public AttackResult completed(@RequestParam String editor) { | ||||
|         try { | ||||
|  | ||||
| @ -4,23 +4,24 @@ import lombok.SneakyThrows; | ||||
| import lombok.extern.slf4j.Slf4j; | ||||
| import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.assignments.AssignmentHints; | ||||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.owasp.webgoat.session.DatabaseUtilities; | ||||
| import org.owasp.webgoat.session.WebSession; | ||||
| import org.springframework.beans.factory.annotation.Autowired; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMethod; | ||||
| import org.springframework.web.bind.annotation.PostMapping; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.RestController; | ||||
|  | ||||
| import java.sql.*; | ||||
| import java.sql.Connection; | ||||
| import java.sql.PreparedStatement; | ||||
| import java.sql.ResultSet; | ||||
|  | ||||
| /** | ||||
|  * @author nbaars | ||||
|  * @since 6/13/17. | ||||
|  */ | ||||
| @AssignmentPath("SqlInjectionMitigations/attack12a") | ||||
| @RestController | ||||
| @AssignmentHints(value = {"SqlStringInjectionHint-mitigation-12a-1", "SqlStringInjectionHint-mitigation-12a-2", "SqlStringInjectionHint-mitigation-12a-3", "SqlStringInjectionHint-mitigation-12a-4"}) | ||||
| @Slf4j | ||||
| public class SqlInjectionLesson12a extends AssignmentEndpoint { | ||||
| @ -28,7 +29,7 @@ public class SqlInjectionLesson12a extends AssignmentEndpoint { | ||||
|     @Autowired | ||||
|     private WebSession webSession; | ||||
|  | ||||
|     @RequestMapping(method = RequestMethod.POST) | ||||
|     @PostMapping("SqlInjectionMitigations/attack12a") | ||||
|     @ResponseBody | ||||
|     @SneakyThrows | ||||
|     public AttackResult completed(@RequestParam String ip) { | ||||
| @ -43,5 +44,3 @@ public class SqlInjectionLesson12a extends AssignmentEndpoint { | ||||
|         return trackProgress(failed().build()); | ||||
|     } | ||||
| } | ||||
|  | ||||
|  | ||||
|  | ||||
| @ -4,10 +4,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.assignments.AssignmentHints; | ||||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMethod; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.*; | ||||
|  | ||||
| import javax.servlet.ServletException; | ||||
| import javax.servlet.http.HttpServletRequest; | ||||
| @ -22,45 +19,44 @@ import java.net.URLConnection; | ||||
|  | ||||
| /** | ||||
|  * ************************************************************************************************* | ||||
|  * | ||||
|  * | ||||
|  * <p> | ||||
|  * <p> | ||||
|  * This file is part of WebGoat, an Open Web Application Security Project | ||||
|  * utility. For details, please see http://www.owasp.org/ | ||||
|  * | ||||
|  * <p> | ||||
|  * Copyright (c) 2002 - 2014 Bruce Mayhew | ||||
|  * | ||||
|  * <p> | ||||
|  * This program is free software; you can redistribute it and/or modify it under | ||||
|  * the terms of the GNU General Public License as published by the Free Software | ||||
|  * Foundation; either version 2 of the License, or (at your option) any later | ||||
|  * version. | ||||
|  * | ||||
|  * <p> | ||||
|  * This program is distributed in the hope that it will be useful, but WITHOUT | ||||
|  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS | ||||
|  * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more | ||||
|  * details. | ||||
|  * | ||||
|  * <p> | ||||
|  * You should have received a copy of the GNU General Public License along with | ||||
|  * this program; if not, write to the Free Software Foundation, Inc., 59 Temple | ||||
|  * Place - Suite 330, Boston, MA 02111-1307, USA. | ||||
|  * | ||||
|  * <p> | ||||
|  * Getting Source ============== | ||||
|  * | ||||
|  * <p> | ||||
|  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository | ||||
|  * for free software projects. | ||||
|  * | ||||
|  * <p> | ||||
|  * For details, please see http://webgoat.github.io | ||||
|  * | ||||
|  * @author Alex Fry <a href="http://code.google.com/p/webgoat">WebGoat</a> | ||||
|  * @created December 26, 2018 | ||||
|  */ | ||||
| @AssignmentPath("/SSRF/task1") | ||||
| @AssignmentHints({"ssrf.hint1","ssrf.hint2"}) | ||||
| @RestController | ||||
| @AssignmentHints({"ssrf.hint1", "ssrf.hint2"}) | ||||
| public class SSRFTask1 extends AssignmentEndpoint { | ||||
|  | ||||
|     @RequestMapping(method = RequestMethod.POST) | ||||
|     public @ResponseBody | ||||
|      | ||||
|     AttackResult completed(@RequestParam String url) throws IOException { | ||||
|     @PostMapping("/SSRF/task1") | ||||
|     @ResponseBody | ||||
|     public AttackResult completed(@RequestParam String url) { | ||||
|         return stealTheCheese(url); | ||||
|     } | ||||
|  | ||||
| @ -74,21 +70,20 @@ public class SSRFTask1 extends AssignmentEndpoint { | ||||
|                         .feedback("ssrf.tom") | ||||
|                         .output(html.toString()) | ||||
|                         .build()); | ||||
|                 }else if (url.matches("images/jerry.png")){ | ||||
|             } else if (url.matches("images/jerry.png")) { | ||||
|                 html.append("<img class=\"image\" alt=\"Jerry\" src=\"images/jerry.png\" width=\"25%\" height=\"25%\">"); | ||||
|                 return trackProgress(success() | ||||
|                         .feedback("ssrf.success") | ||||
|                         .output(html.toString()) | ||||
|                         .build()); | ||||
|                 }else{ | ||||
|             } else { | ||||
|                 html.append("<img class=\"image\" alt=\"Silly Cat\" src=\"images/cat.jpg\">"); | ||||
|                 return trackProgress(failed() | ||||
|                         .feedback("ssrf.failure") | ||||
|                         .output(html.toString()) | ||||
|                         .build()); | ||||
|             } | ||||
|             | ||||
|             }catch(Exception e) { | ||||
|         } catch (Exception e) { | ||||
|             e.printStackTrace(); | ||||
|             return trackProgress(failed() | ||||
|                     .output(e.getMessage()) | ||||
|  | ||||
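Review bot: In the reformatted branch `} else if (url.matches("images/jerry.png")) {`, `String.matches` treats its argument as a regular expression, so the `.` matches any character and the comparison is looser than the exact-string check the lesson implies; `url.equals("images/jerry.png")` states the intent, and the `tom` branch above it (condition outside the hunk) presumably has the same shape. The `catch (Exception e)` block that follows still calls `e.printStackTrace()` and places `e.getMessage()` in the response output; a project logger plus a fixed feedback key would keep exception internals out of the HTTP response. `stealTheCheese` begins and ends outside the hunk; `completed` is fully visible and, having dropped `throws IOException`, now relies on that catch-all.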
| @ -4,10 +4,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.assignments.AssignmentHints; | ||||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMethod; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.*; | ||||
|  | ||||
| import javax.servlet.ServletException; | ||||
| import javax.servlet.http.HttpServletRequest; | ||||
| @ -22,45 +19,44 @@ import java.net.URLConnection; | ||||
|  | ||||
| /** | ||||
|  * ************************************************************************************************* | ||||
|  * | ||||
|  * | ||||
|  * <p> | ||||
|  * <p> | ||||
|  * This file is part of WebGoat, an Open Web Application Security Project | ||||
|  * utility. For details, please see http://www.owasp.org/ | ||||
|  * | ||||
|  * <p> | ||||
|  * Copyright (c) 2002 - 2014 Bruce Mayhew | ||||
|  * | ||||
|  * <p> | ||||
|  * This program is free software; you can redistribute it and/or modify it under | ||||
|  * the terms of the GNU General Public License as published by the Free Software | ||||
|  * Foundation; either version 2 of the License, or (at your option) any later | ||||
|  * version. | ||||
|  * | ||||
|  * <p> | ||||
|  * This program is distributed in the hope that it will be useful, but WITHOUT | ||||
|  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS | ||||
|  * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more | ||||
|  * details. | ||||
|  * | ||||
|  * <p> | ||||
|  * You should have received a copy of the GNU General Public License along with | ||||
|  * this program; if not, write to the Free Software Foundation, Inc., 59 Temple | ||||
|  * Place - Suite 330, Boston, MA 02111-1307, USA. | ||||
|  * | ||||
|  * <p> | ||||
|  * Getting Source ============== | ||||
|  * | ||||
|  * <p> | ||||
|  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository | ||||
|  * for free software projects. | ||||
|  * | ||||
|  * <p> | ||||
|  * For details, please see http://webgoat.github.io | ||||
|  * | ||||
|  * @author Alex Fry <a href="http://code.google.com/p/webgoat">WebGoat</a> | ||||
|  * @created December 26, 2018 | ||||
|  */ | ||||
| @AssignmentPath("/SSRF/task2") | ||||
| @RestController | ||||
| @AssignmentHints({"ssrf.hint3"}) | ||||
| public class SSRFTask2 extends AssignmentEndpoint { | ||||
|  | ||||
|     @RequestMapping(method = RequestMethod.POST) | ||||
|     public @ResponseBody | ||||
|      | ||||
|     AttackResult completed(@RequestParam String url) throws IOException { | ||||
|     @PostMapping("/SSRF/task2") | ||||
|     @ResponseBody | ||||
|     public AttackResult completed(@RequestParam String url) { | ||||
|         return furBall(url); | ||||
|     } | ||||
|  | ||||
| @ -68,7 +64,7 @@ public class SSRFTask2 extends AssignmentEndpoint { | ||||
|         try { | ||||
|             StringBuffer html = new StringBuffer(); | ||||
|  | ||||
|                 if (url.matches("http://ifconfig.pro")){ | ||||
|             if (url.matches("http://ifconfig.pro")) { | ||||
|                 URL u = new URL(url); | ||||
|                 URLConnection urlConnection = u.openConnection(); | ||||
|                 BufferedReader in = new BufferedReader(new InputStreamReader(urlConnection.getInputStream())); | ||||
| @ -83,15 +79,14 @@ public class SSRFTask2 extends AssignmentEndpoint { | ||||
|                         .feedback("ssrf.success") | ||||
|                         .output(html.toString()) | ||||
|                         .build()); | ||||
|                 }else{ | ||||
|             } else { | ||||
|                 html.append("<img class=\"image\" alt=\"image post\" src=\"images/cat.jpg\">"); | ||||
|                 return trackProgress(failed() | ||||
|                         .feedback("ssrf.failure") | ||||
|                         .output(html.toString()) | ||||
|                         .build()); | ||||
|             } | ||||
|             | ||||
|             }catch(Exception e) { | ||||
|         } catch (Exception e) { | ||||
|             e.printStackTrace(); | ||||
|             return trackProgress(failed() | ||||
|                     .output(e.getMessage()) | ||||
|  | ||||
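Review bot: The allowlist check `if (url.matches("http://ifconfig.pro")) {` uses regex semantics, so the `.` in the literal matches any character and the comparison is wider than an exact allowlist, with the matched `url` then passed to `new URL(url).openConnection()`; `url.equals("http://ifconfig.pro")` is the exact check. The `BufferedReader in` opened just below is not closed anywhere visible in the hunk — if the rest of `furBall` does not close it, put it in a try-with-resources. The `catch (Exception e)` further down also calls `e.printStackTrace()` and echoes `e.getMessage()` to the caller, as noted for SSRFTask1.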
| @ -5,54 +5,50 @@ import com.thoughtworks.xstream.io.xml.DomDriver; | ||||
| import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMethod; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.*; | ||||
|  | ||||
| import java.io.IOException; | ||||
|  | ||||
| /** | ||||
|  * ************************************************************************************************* | ||||
|  * | ||||
|  * | ||||
|  * <p> | ||||
|  * <p> | ||||
|  * This file is part of WebGoat, an Open Web Application Security Project | ||||
|  * utility. For details, please see http://www.owasp.org/ | ||||
|  * | ||||
|  * <p> | ||||
|  * Copyright (c) 2002 - 20014 Bruce Mayhew | ||||
|  * | ||||
|  * <p> | ||||
|  * This program is free software; you can redistribute it and/or modify it under | ||||
|  * the terms of the GNU General Public License as published by the Free Software | ||||
|  * Foundation; either version 2 of the License, or (at your option) any later | ||||
|  * version. | ||||
|  * | ||||
|  * <p> | ||||
|  * This program is distributed in the hope that it will be useful, but WITHOUT | ||||
|  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS | ||||
|  * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more | ||||
|  * details. | ||||
|  * | ||||
|  * <p> | ||||
|  * You should have received a copy of the GNU General Public License along with | ||||
|  * this program; if not, write to the Free Software Foundation, Inc., 59 Temple | ||||
|  * Place - Suite 330, Boston, MA 02111-1307, USA. | ||||
|  * | ||||
|  * <p> | ||||
|  * Getting Source ============== | ||||
|  * | ||||
|  * <p> | ||||
|  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository | ||||
|  * for free software projects. | ||||
|  * | ||||
|  * <p> | ||||
|  * For details, please see http://webgoat.github.io | ||||
|  * | ||||
|  * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a> | ||||
|  * @created October 28, 2003 | ||||
|  */ | ||||
| @AssignmentPath("/VulnerableComponents/attack1") | ||||
| @RestController | ||||
| //@AssignmentHints({"http-basics.hints.http_basics_lesson.1"}) | ||||
| public class VulnerableComponentsLesson extends AssignmentEndpoint { | ||||
|  | ||||
| 	@RequestMapping(method = RequestMethod.POST) | ||||
| 	public @ResponseBody AttackResult completed(@RequestParam String payload) throws IOException { | ||||
|  | ||||
| 		 | ||||
|     @PostMapping("/VulnerableComponents/attack1") | ||||
|     public @ResponseBody | ||||
|     AttackResult completed(@RequestParam String payload) { | ||||
|         XStream xstream = new XStream(new DomDriver()); | ||||
|         xstream.setClassLoader(Contact.class.getClassLoader()); | ||||
|  | ||||
| @ -85,16 +81,11 @@ public class VulnerableComponentsLesson extends AssignmentEndpoint { | ||||
| //        	System.out.println("Payload:" + payload); | ||||
|             Contact expl = (Contact) xstream.fromXML(payload); | ||||
|             return trackProgress(success().feedback("vulnerable-components.fromXML").feedbackArgs(expl.toString()).build()); | ||||
|  | ||||
|         } catch (com.thoughtworks.xstream.converters.ConversionException ex) { | ||||
|         	if (ex.getMessage().contains("Integer")) | ||||
|         	{ | ||||
|             if (ex.getMessage().contains("Integer")) { | ||||
|                 return trackProgress(success().feedback("vulnerable-components.success").build()); | ||||
|             } | ||||
|             return trackProgress(failed().feedback("vulnerable-components.close").build()); | ||||
|         } | ||||
|  | ||||
|   | ||||
|  | ||||
|     } | ||||
| } | ||||
|  | ||||
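Review bot: The rewritten handler splits `public @ResponseBody` and `AttackResult completed(@RequestParam String payload) {` across two lines, which differs from every other endpoint in this commit where `@ResponseBody` sits on its own line above `public AttackResult completed(...)`; since the class is now a `@RestController`, the annotation can simply be dropped and the signature written on one line. The commented-out `System.out.println("Payload:" + payload);` kept as context in the second hunk is dead code and should be deleted rather than carried along, as should the commented-out `@AssignmentHints` above the class if it is not coming back. The XStream setup between the two hunks is outside view.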
| @ -10,10 +10,7 @@ import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.springframework.beans.factory.annotation.Autowired; | ||||
| import org.springframework.beans.factory.annotation.Value; | ||||
| import org.springframework.http.MediaType; | ||||
| import org.springframework.web.bind.annotation.RequestBody; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMethod; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.*; | ||||
|  | ||||
| import javax.annotation.PostConstruct; | ||||
| import java.io.File; | ||||
| @ -49,7 +46,7 @@ import static org.apache.commons.lang3.RandomStringUtils.randomAlphabetic; | ||||
|  * @version $Id: $Id | ||||
|  * @since November 18, 2016 | ||||
|  */ | ||||
| @AssignmentPath("xxe/blind") | ||||
| @RestController | ||||
| @AssignmentHints({"xxe.blind.hints.1","xxe.blind.hints.2","xxe.blind.hints.3","xxe.blind.hints.4","xxe.blind.hints.5"}) | ||||
| public class BlindSendFileAssignment extends AssignmentEndpoint { | ||||
|  | ||||
| @ -69,9 +66,9 @@ public class BlindSendFileAssignment extends AssignmentEndpoint { | ||||
|         Files.write(CONTENTS, new File(targetDirectory, "secret.txt"), Charsets.UTF_8); | ||||
|     } | ||||
|  | ||||
|     @RequestMapping(method = RequestMethod.POST, consumes = MediaType.ALL_VALUE, produces = MediaType.APPLICATION_JSON_VALUE) | ||||
|     @PostMapping(path = "xxe/blind", consumes = MediaType.ALL_VALUE, produces = MediaType.APPLICATION_JSON_VALUE) | ||||
|     @ResponseBody | ||||
|     public AttackResult addComment(@RequestBody String commentStr) throws Exception { | ||||
|     public AttackResult addComment(@RequestBody String commentStr) { | ||||
|         //Solution is posted as a separate comment | ||||
|         if (commentStr.contains(CONTENTS)) { | ||||
|             return trackProgress(success().build()); | ||||
|  | ||||
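Review bot: `addComment` no longer declares `throws Exception`, but its body continues past the hunk, so it is not visible here whether XML-parsing failures are caught and reported through the returned `AttackResult` or would now surface as an unhandled exception from the handler. A short Javadoc on the method stating how malformed input is reported, e.g. `/** Handles the posted comment; parse and I/O failures are returned as a failed AttackResult rather than thrown. */`, would make that contract checkable by the next reader (adjust the wording if the body does something else). The `path = "xxe/blind"` form without a leading slash is covered in the 10a section.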
| @ -2,6 +2,7 @@ package org.owasp.webgoat.plugin; | ||||
|  | ||||
| import org.springframework.beans.factory.annotation.Autowired; | ||||
| import org.springframework.http.MediaType; | ||||
| import org.springframework.web.bind.annotation.GetMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.RestController; | ||||
| @ -21,7 +22,7 @@ public class CommentsEndpoint { | ||||
|     @Autowired | ||||
|     private Comments comments; | ||||
|  | ||||
|     @RequestMapping(method = GET, produces = MediaType.APPLICATION_JSON_VALUE) | ||||
|     @GetMapping(produces = MediaType.APPLICATION_JSON_VALUE) | ||||
|     @ResponseBody | ||||
|     public Collection<Comment> retrieveComments() { | ||||
|         return comments.getComments(); | ||||
|  | ||||
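Review bot: With `@RequestMapping(method = GET, produces = ...)` replaced by `@GetMapping(produces = MediaType.APPLICATION_JSON_VALUE)`, the static import of `RequestMethod.GET` that the old line relied on is presumably now unused; it is outside the hunk, so check and remove it. `org.springframework.web.bind.annotation.RequestMapping` is still imported at the top of this section and is only needed if a class-level `@RequestMapping` remains outside the hunk.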
| @ -42,14 +42,13 @@ import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE; | ||||
|  * @version $Id: $Id | ||||
|  * @since November 17, 2016 | ||||
|  */ | ||||
| @AssignmentPath("xxe/content-type") | ||||
| @RestController | ||||
| @AssignmentHints({"xxe.hints.content.type.xxe.1", "xxe.hints.content.type.xxe.2"}) | ||||
| public class ContentTypeAssignment extends AssignmentEndpoint { | ||||
|  | ||||
|     private final static String[] DEFAULT_LINUX_DIRECTORIES = {"usr", "etc", "var"};  | ||||
|     private final static String[] DEFAULT_WINDOWS_DIRECTORIES = {"Windows", "Program Files (x86)", "Program Files"}; | ||||
|  | ||||
|  | ||||
|     @Value("${webgoat.server.directory}") | ||||
|     private String webGoatHomeDirectory; | ||||
|     @Autowired | ||||
| @ -57,7 +56,7 @@ public class ContentTypeAssignment extends AssignmentEndpoint { | ||||
|     @Autowired | ||||
|     private Comments comments; | ||||
|  | ||||
|     @RequestMapping(method = RequestMethod.POST, consumes = MediaType.ALL_VALUE, produces = MediaType.APPLICATION_JSON_VALUE) | ||||
|     @PostMapping(path = "xxe/content-type", consumes = MediaType.ALL_VALUE, produces = MediaType.APPLICATION_JSON_VALUE) | ||||
|     @ResponseBody | ||||
|     public AttackResult createNewUser(@RequestBody String commentStr, @RequestHeader("Content-Type") String contentType) throws Exception { | ||||
|         AttackResult attackResult = failed().build(); | ||||
|  | ||||
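Review bot: `createNewUser` keeps `throws Exception` on the new `@PostMapping(path = "xxe/content-type", ...)` handler, while the sibling `BlindSendFileAssignment.addComment` in this commit drops its `throws Exception` and `SimpleXXE.createNewComment` keeps it. A handler that propagates a checked `Exception` hands parse failures to Spring's default error handling instead of returning a failed `AttackResult`; either catch inside and return `trackProgress(failed().build())`, or at least make the three endpoints consistent. The method body continues outside the hunk, and the name `createNewUser` for a comment endpoint is pre-existing.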
| @ -4,17 +4,16 @@ import org.apache.commons.exec.OS; | ||||
| import org.apache.commons.lang.exception.ExceptionUtils; | ||||
| import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.assignments.AssignmentHints; | ||||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.springframework.beans.factory.annotation.Autowired; | ||||
| import org.springframework.beans.factory.annotation.Value; | ||||
| import org.springframework.web.bind.annotation.PostMapping; | ||||
| import org.springframework.web.bind.annotation.RequestBody; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.RestController; | ||||
|  | ||||
| import static org.springframework.http.MediaType.ALL_VALUE; | ||||
| import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE; | ||||
| import static org.springframework.web.bind.annotation.RequestMethod.POST; | ||||
|  | ||||
| /** | ||||
|  * ************************************************************************************************ | ||||
| @ -50,7 +49,7 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST; | ||||
|  * @author nbaars | ||||
|  * @since 4/8/17. | ||||
|  */ | ||||
| @AssignmentPath("xxe/simple") | ||||
| @RestController | ||||
| @AssignmentHints({"xxe.hints.simple.xxe.1", "xxe.hints.simple.xxe.2", "xxe.hints.simple.xxe.3", "xxe.hints.simple.xxe.4", "xxe.hints.simple.xxe.5", "xxe.hints.simple.xxe.6"}) | ||||
| public class SimpleXXE extends AssignmentEndpoint { | ||||
|  | ||||
| @ -62,7 +61,7 @@ public class SimpleXXE extends AssignmentEndpoint { | ||||
|     @Autowired | ||||
|     private Comments comments; | ||||
|  | ||||
|     @RequestMapping(method = POST, consumes = ALL_VALUE, produces = APPLICATION_JSON_VALUE) | ||||
|     @PostMapping(path = "xxe/simple", consumes = ALL_VALUE, produces = APPLICATION_JSON_VALUE) | ||||
|     @ResponseBody | ||||
|     public AttackResult createNewComment(@RequestBody String commentStr) throws Exception { | ||||
|         String error = ""; | ||||
| @ -77,6 +76,7 @@ public class SimpleXXE extends AssignmentEndpoint { | ||||
|         } | ||||
|         return trackProgress(failed().output(error).build()); | ||||
|     } | ||||
|  | ||||
|     private boolean checkSolution(Comment comment) { | ||||
|         String[] directoriesToCheck = OS.isFamilyMac() || OS.isFamilyUnix() ? DEFAULT_LINUX_DIRECTORIES : DEFAULT_WINDOWS_DIRECTORIES; | ||||
|         boolean success = true; | ||||
|  | ||||
| @ -38,6 +38,4 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter { | ||||
|             file.mkdirs(); | ||||
|         } | ||||
|     } | ||||
|  | ||||
|  | ||||
| } | ||||
| @ -35,12 +35,14 @@ import org.owasp.webwolf.user.UserService; | ||||
| import org.springframework.beans.factory.annotation.Autowired; | ||||
| import org.springframework.context.annotation.Bean; | ||||
| import org.springframework.context.annotation.Configuration; | ||||
| import org.springframework.security.authentication.AuthenticationManager; | ||||
| import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; | ||||
| import org.springframework.security.config.annotation.web.builders.HttpSecurity; | ||||
| import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; | ||||
| import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; | ||||
| import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer; | ||||
| import org.springframework.security.core.userdetails.UserDetailsService; | ||||
| import org.springframework.security.crypto.password.NoOpPasswordEncoder; | ||||
|  | ||||
| /** | ||||
|  * Security configuration for WebGoat. | ||||
| @ -81,4 +83,15 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter { | ||||
|     public UserDetailsService userDetailsServiceBean() throws Exception { | ||||
|         return userDetailsService; | ||||
|     } | ||||
|  | ||||
|     @Override | ||||
|     @Bean | ||||
|     protected AuthenticationManager authenticationManager() throws Exception { | ||||
|         return super.authenticationManager(); | ||||
|     } | ||||
|  | ||||
|     @Bean | ||||
|     public NoOpPasswordEncoder passwordEncoder() { | ||||
|         return (NoOpPasswordEncoder) NoOpPasswordEncoder.getInstance(); | ||||
|     } | ||||
| } | ||||
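Review bot: The new `passwordEncoder()` bean at lines 1911–1914 registers `NoOpPasswordEncoder`, so WebWolf credentials are stored and compared as plaintext; that class is deprecated in Spring Security 5 precisely to discourage this, and the cast to the concrete type needlessly pins callers to it. If plaintext is intentional for this training application, say so where the bean is declared and return the interface type: `// Deliberately plaintext: WebWolf is a training target, do not copy this into real code` above `public PasswordEncoder passwordEncoder() { return NoOpPasswordEncoder.getInstance(); }` (needs the `PasswordEncoder` import); otherwise use `PasswordEncoderFactories.createDelegatingPasswordEncoder()` and migrate the stored credentials. The class Javadoc at line 1899 still says "Security configuration for WebGoat" although the imports at line 1885 place this class in `org.owasp.webwolf`, which will mislead anyone searching for the WebGoat config.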
| @ -2,18 +2,15 @@ package org.owasp.webwolf; | ||||
|  | ||||
| import org.owasp.webwolf.requests.WebWolfTraceRepository; | ||||
| import org.springframework.boot.SpringApplication; | ||||
| import org.springframework.boot.actuate.trace.TraceRepository; | ||||
| import org.springframework.boot.actuate.trace.http.HttpTraceRepository; | ||||
| import org.springframework.boot.autoconfigure.SpringBootApplication; | ||||
| import org.springframework.boot.builder.SpringApplicationBuilder; | ||||
| import org.springframework.context.annotation.Bean; | ||||
|  | ||||
| import java.util.Map; | ||||
|  | ||||
| @SpringBootApplication | ||||
| public class WebWolf { | ||||
|  | ||||
|     @Bean | ||||
|     public TraceRepository traceRepository() { | ||||
|     public HttpTraceRepository traceRepository() { | ||||
|         return new WebWolfTraceRepository(); | ||||
|     } | ||||
|  | ||||
|  | ||||
| @ -5,14 +5,13 @@ import com.fasterxml.jackson.databind.ObjectMapper; | ||||
| import lombok.AllArgsConstructor; | ||||
| import lombok.Getter; | ||||
| import lombok.extern.slf4j.Slf4j; | ||||
| import org.springframework.boot.actuate.trace.Trace; | ||||
| import org.springframework.boot.actuate.trace.http.HttpTrace; | ||||
| import org.springframework.stereotype.Controller; | ||||
| import org.springframework.web.bind.annotation.GetMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.servlet.ModelAndView; | ||||
|  | ||||
| import javax.servlet.http.HttpServletRequest; | ||||
| import java.util.Date; | ||||
| import java.time.Instant; | ||||
| import java.util.List; | ||||
|  | ||||
| import static java.util.stream.Collectors.toList; | ||||
| @ -36,7 +35,7 @@ public class Requests { | ||||
|     @AllArgsConstructor | ||||
|     @Getter | ||||
|     private class Tracert { | ||||
|         private final Date date; | ||||
|         private final Instant date; | ||||
|         private final String path; | ||||
|         private final String json; | ||||
|     } | ||||
| @ -51,13 +50,13 @@ public class Requests { | ||||
|         return m; | ||||
|     } | ||||
|  | ||||
|     private String path(Trace t) { | ||||
|         return (String) t.getInfo().getOrDefault("path", ""); | ||||
|     private String path(HttpTrace t) { | ||||
|         return (String) t.getRequest().getUri().getPath(); | ||||
|     } | ||||
|  | ||||
|     private String toJsonString(Trace t) { | ||||
|     private String toJsonString(HttpTrace t) { | ||||
|         try { | ||||
|             return objectMapper.writeValueAsString(t.getInfo()); | ||||
|             return objectMapper.writeValueAsString(t); | ||||
|         } catch (JsonProcessingException e) { | ||||
|             log.error("Unable to create json", e); | ||||
|         } | ||||
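Review bot: `toJsonString` at line 1978 now serializes the whole `HttpTrace` instead of the old info map, so everything the tracer captured — request and response headers, cookies, and the principal/session objects if the include set enables them — is emitted verbatim into the JSON shown on the requests page. That appears to be the purpose of WebWolf, but on a shared instance those traces can carry other users' cookies, so a comment at the method should state that the dump is intentionally unfiltered, e.g. `// Deliberately dumps the full trace (headers, cookies): WebWolf exists to show the attacker exactly what arrived`. The cast in `path()` at line 1971 is redundant because `URI.getPath()` already returns `String`; `return t.getRequest().getUri().getPath();` suffices.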
|  | ||||
| @ -2,15 +2,11 @@ package org.owasp.webwolf.requests; | ||||
|  | ||||
| import com.google.common.collect.EvictingQueue; | ||||
| import com.google.common.collect.Lists; | ||||
| import com.google.common.collect.Maps; | ||||
| import lombok.extern.slf4j.Slf4j; | ||||
| import org.springframework.boot.actuate.trace.Trace; | ||||
| import org.springframework.boot.actuate.trace.TraceRepository; | ||||
| import org.springframework.boot.actuate.trace.http.HttpTrace; | ||||
| import org.springframework.boot.actuate.trace.http.HttpTraceRepository; | ||||
|  | ||||
| import java.util.Date; | ||||
| import java.util.HashMap; | ||||
| import java.util.List; | ||||
| import java.util.Map; | ||||
|  | ||||
| /** | ||||
|  * Keep track of all the incoming requests, we are only keeping track of request originating from | ||||
| @ -20,20 +16,17 @@ import java.util.Map; | ||||
|  * @since 8/13/17. | ||||
|  */ | ||||
| @Slf4j | ||||
| public class WebWolfTraceRepository implements TraceRepository { | ||||
| public class WebWolfTraceRepository implements HttpTraceRepository { | ||||
|  | ||||
|     private final EvictingQueue<Trace> traces = EvictingQueue.create(10000); | ||||
|     private final EvictingQueue<HttpTrace> traces = EvictingQueue.create(10000); | ||||
|     private List<String> exclusionList = Lists.newArrayList("/WebWolf/home", "/WebWolf/mail", "/WebWolf/files", "/images/", "/login", "/favicon.ico", "/js/", "/webjars/", "/WebWolf/requests", "/css/", "/mail"); | ||||
|  | ||||
|     @Override | ||||
|     public List<Trace> findAll() { | ||||
|         HashMap<String, Object> map = Maps.newHashMap(); | ||||
|         map.put("nice", "Great you found the standard Spring Boot tracing endpoint!"); | ||||
|         Trace trace = new Trace(new Date(), map); | ||||
|         return Lists.newArrayList(trace); | ||||
|     public List<HttpTrace> findAll() { | ||||
|         return List.of(); | ||||
|     } | ||||
|  | ||||
|     public List<Trace> findAllTraces() { | ||||
|     public List<HttpTrace> findAllTraces() { | ||||
|         return Lists.newArrayList(traces); | ||||
|     } | ||||
|  | ||||
| @ -42,10 +35,10 @@ public class WebWolfTraceRepository implements TraceRepository { | ||||
|     } | ||||
|  | ||||
|     @Override | ||||
|     public void add(Map<String, Object> map) { | ||||
|         String path = (String) map.getOrDefault("path", ""); | ||||
|     public void add(HttpTrace httpTrace) { | ||||
|         var path = httpTrace.getRequest().getUri().getPath(); | ||||
|         if (!isInExclusionList(path)) { | ||||
|             traces.add(new Trace(new Date(), map)); | ||||
|             traces.add(httpTrace); | ||||
|         } | ||||
|     } | ||||
| } | ||||
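Review bot: `findAll()` at lines 2018–2019 now returns an empty list, which as far as the visible code shows means the actuator trace endpoint exposes nothing while `findAllTraces()` still serves the captured requests to WebWolf's own page; that is a sensible separation, but with the decoy message gone the intent is no longer evident, so add `// Intentionally empty: captured traces (headers, cookies) are served only via findAllTraces() to the WebWolf UI, never through the actuator endpoint.` above the method. The `EvictingQueue` at line 2009 is documented by Guava as not thread-safe, and `add()` is presumably invoked on every request thread by the tracing filter while `findAllTraces()` copies the queue concurrently; wrapping it as `Queues.synchronizedQueue(EvictingQueue.create(10000))` and copying under the same lock in `findAllTraces()` would avoid corrupted state under load. `isInExclusionList` ends outside the hunk, so whether it tolerates a null path from `getUri().getPath()` cannot be judged here.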
|  | ||||
| @ -21,7 +21,6 @@ endpoints.trace.sensitive=false | ||||
| management.trace.include=REQUEST_HEADERS,RESPONSE_HEADERS,COOKIES,ERRORS,TIME_TAKEN,PARAMETERS,QUERY_STRING | ||||
| endpoints.trace.enabled=true | ||||
|  | ||||
| spring.resources.cache-period=0 | ||||
| spring.thymeleaf.cache=false | ||||
|  | ||||
| multipart.enabled=true | ||||
|  | ||||