diff --git a/src/main/java/org/owasp/webgoat/container/WebGoat.java b/src/main/java/org/owasp/webgoat/container/WebGoat.java
index f98b95e81..71a4aa9fc 100644
--- a/src/main/java/org/owasp/webgoat/container/WebGoat.java
+++ b/src/main/java/org/owasp/webgoat/container/WebGoat.java
@@ -33,7 +33,6 @@ package org.owasp.webgoat.container;
import java.io.File;
import org.owasp.webgoat.container.session.LessonSession;
-import org.owasp.webgoat.container.users.UserRepository;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.domain.EntityScan;
@@ -54,12 +53,6 @@ import org.springframework.web.client.RestTemplate;
@EntityScan(basePackages = "org.owasp.webgoat.container")
public class WebGoat {
- private final UserRepository userRepository;
-
- public WebGoat(UserRepository userRepository) {
- this.userRepository = userRepository;
- }
-
@Bean(name = "pluginTargetDirectory")
public File pluginTargetDirectory(@Value("${webgoat.user.directory}") final String webgoatHome) {
return new File(webgoatHome);
diff --git a/src/main/java/org/owasp/webgoat/container/assignments/AssignmentEndpoint.java b/src/main/java/org/owasp/webgoat/container/assignments/AssignmentEndpoint.java
index 78893ee12..9f81039fe 100644
--- a/src/main/java/org/owasp/webgoat/container/assignments/AssignmentEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/container/assignments/AssignmentEndpoint.java
@@ -25,51 +25,4 @@
package org.owasp.webgoat.container.assignments;
-import org.owasp.webgoat.container.i18n.PluginMessages;
-import org.springframework.beans.factory.annotation.Autowired;
-
-public abstract class AssignmentEndpoint {
-
- // TODO: move this to different bean.
- @Autowired private PluginMessages messages;
-
- /**
- * Convenience method for create a successful result:
- *
- *
- Assignment is set to solved - Feedback message is set to 'assignment.solved'
- *
- *
Of course you can overwrite these values in a specific lesson
- *
- * @return a builder for creating a result from a lesson
- * @param assignment
- */
- protected AttackResult.AttackResultBuilder success(AssignmentEndpoint assignment) {
- return AttackResult.builder(messages)
- .lessonCompleted(true)
- .attemptWasMade()
- .feedback("assignment.solved")
- .assignment(assignment);
- }
-
- /**
- * Convenience method for create a failed result:
- *
- *
- Assignment is set to not solved - Feedback message is set to 'assignment.not.solved'
- *
- *
Of course you can overwrite these values in a specific lesson
- *
- * @return a builder for creating a result from a lesson
- * @param assignment
- */
- protected AttackResult.AttackResultBuilder failed(AssignmentEndpoint assignment) {
- return AttackResult.builder(messages)
- .lessonCompleted(false)
- .attemptWasMade()
- .feedback("assignment.not.solved")
- .assignment(assignment);
- }
-
- protected AttackResult.AttackResultBuilder informationMessage(AssignmentEndpoint assignment) {
- return AttackResult.builder(messages).lessonCompleted(false).assignment(assignment);
- }
-}
+public interface AssignmentEndpoint {}
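Review bot: The new `public interface AssignmentEndpoint {}` has no Javadoc, so nothing states what implementing it means now that the `success`/`failed`/`informationMessage` helpers have moved out. The only use visible in this commit is `AttackResultBuilder.build()`, which records `assignment.getClass().getSimpleName()` as the assignment name. I would add `/** Marker for lesson assignment controllers; the implementing class's simple name is used as the assignment identifier in AttackResult. */` above the declaration.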
diff --git a/src/main/java/org/owasp/webgoat/container/assignments/AttackResult.java b/src/main/java/org/owasp/webgoat/container/assignments/AttackResult.java
index 3cf353c21..e9fcd1196 100644
--- a/src/main/java/org/owasp/webgoat/container/assignments/AttackResult.java
+++ b/src/main/java/org/owasp/webgoat/container/assignments/AttackResult.java
@@ -30,82 +30,18 @@ import static org.apache.commons.text.StringEscapeUtils.escapeJson;
import lombok.Getter;
import org.owasp.webgoat.container.i18n.PluginMessages;
+@Getter
public class AttackResult {
- public static class AttackResultBuilder {
+ private boolean lessonCompleted;
+ private String feedback;
+ private Object[] feedbackArgs;
+ private String output;
+ private Object[] outputArgs;
+ private final String assignment;
+ private boolean attemptWasMade;
- private boolean lessonCompleted;
- private PluginMessages messages;
- private Object[] feedbackArgs;
- private String feedbackResourceBundleKey;
- private String output;
- private Object[] outputArgs;
- private AssignmentEndpoint assignment;
- private boolean attemptWasMade = false;
-
- public AttackResultBuilder(PluginMessages messages) {
- this.messages = messages;
- }
-
- public AttackResultBuilder lessonCompleted(boolean lessonCompleted) {
- this.lessonCompleted = lessonCompleted;
- this.feedbackResourceBundleKey = "lesson.completed";
- return this;
- }
-
- public AttackResultBuilder lessonCompleted(boolean lessonCompleted, String resourceBundleKey) {
- this.lessonCompleted = lessonCompleted;
- this.feedbackResourceBundleKey = resourceBundleKey;
- return this;
- }
-
- public AttackResultBuilder feedbackArgs(Object... args) {
- this.feedbackArgs = args;
- return this;
- }
-
- public AttackResultBuilder feedback(String resourceBundleKey) {
- this.feedbackResourceBundleKey = resourceBundleKey;
- return this;
- }
-
- public AttackResultBuilder output(String output) {
- this.output = output;
- return this;
- }
-
- public AttackResultBuilder outputArgs(Object... args) {
- this.outputArgs = args;
- return this;
- }
-
- public AttackResultBuilder attemptWasMade() {
- this.attemptWasMade = true;
- return this;
- }
-
- public AttackResult build() {
- return new AttackResult(
- lessonCompleted,
- messages.getMessage(feedbackResourceBundleKey, feedbackArgs),
- messages.getMessage(output, output, outputArgs),
- assignment.getClass().getSimpleName(),
- attemptWasMade);
- }
-
- public AttackResultBuilder assignment(AssignmentEndpoint assignment) {
- this.assignment = assignment;
- return this;
- }
- }
-
- @Getter private boolean lessonCompleted;
- @Getter private String feedback;
- @Getter private String output;
- @Getter private final String assignment;
- @Getter private boolean attemptWasMade;
-
- public AttackResult(
+ private AttackResult(
boolean lessonCompleted,
String feedback,
String output,
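Review bot: The class-level `@Getter` also generates `getFeedbackArgs()` and `getOutputArgs()` for the two new `Object[]` fields, accessors the old per-field `@Getter`s did not provide. Lesson handlers return AttackResult as a `@ResponseBody`, so if it is serialised through its getters (the usual Jackson default, not visible here) the raw arguments become part of the JSON sent to the client: `null` after `apply`, and the unresolved values on any path that skips the advice. Keeping the per-field form, or marking the two fields `@Getter(AccessLevel.NONE)`, keeps the response shape as it was. The private constructor this hunk ends in continues outside the hunk.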
@@ -118,11 +54,33 @@ public class AttackResult {
this.attemptWasMade = attemptWasMade;
}
- public static AttackResultBuilder builder(PluginMessages messages) {
- return new AttackResultBuilder(messages);
+ public AttackResult(
+ boolean lessonCompleted,
+ String feedback,
+ Object[] feedbackArgs,
+ String output,
+ Object[] outputArgs,
+ String assignment,
+ boolean attemptWasMade) {
+ this.lessonCompleted = lessonCompleted;
+ this.feedback = feedback;
+ this.feedbackArgs = feedbackArgs;
+ this.output = output;
+ this.outputArgs = outputArgs;
+ this.assignment = assignment;
+ this.attemptWasMade = attemptWasMade;
}
public boolean assignmentSolved() {
return lessonCompleted;
}
+
+ public AttackResult apply(PluginMessages pluginMessages) {
+ return new AttackResult(
+ lessonCompleted,
+ pluginMessages.getMessage(feedback, feedback, feedbackArgs),
+ pluginMessages.getMessage(output, output, outputArgs),
+ assignment,
+ attemptWasMade);
+ }
}
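Review bot: `feedback` and `output` now hold resource-bundle keys when the object comes from the public seven-argument constructor and resolved text only after `apply`, and neither the constructor nor `apply` documents that. Anything that reads `getFeedback()` before the response advice has run (a unit test calling a lesson method directly, for instance) now sees the key rather than the message. I would add Javadoc on the public constructor stating that `feedback`/`output` are unresolved keys, and on `apply`: `/** Resolves feedback and output against the given bundle and returns a new result; call once, on an unresolved instance. */`. Calling `apply` on an already-resolved result would look the resolved text up as a key again and apparently rely on the default-message argument to get it back.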
diff --git a/src/main/java/org/owasp/webgoat/container/assignments/AttackResultBuilder.java b/src/main/java/org/owasp/webgoat/container/assignments/AttackResultBuilder.java
new file mode 100644
index 000000000..99e06a5cd
--- /dev/null
+++ b/src/main/java/org/owasp/webgoat/container/assignments/AttackResultBuilder.java
@@ -0,0 +1,130 @@
+package org.owasp.webgoat.container.assignments;
+
+import org.owasp.webgoat.container.i18n.PluginMessages;
+
+public class AttackResultBuilder {
+
+ private PluginMessages messages;
+ private boolean lessonCompleted;
+ private Object[] feedbackArgs;
+ private String feedbackResourceBundleKey;
+ private String output;
+ private Object[] outputArgs;
+ private AssignmentEndpoint assignment;
+ private boolean attemptWasMade = false;
+ private boolean assignmentCompleted;
+
+ public AttackResultBuilder(PluginMessages messages) {
+ this.messages = messages;
+ }
+
+ public AttackResultBuilder() {}
+
+ public AttackResultBuilder lessonCompleted(boolean lessonCompleted) {
+ this.lessonCompleted = lessonCompleted;
+ this.feedbackResourceBundleKey = "lesson.completed";
+ return this;
+ }
+
+ public AttackResultBuilder lessonCompleted(boolean lessonCompleted, String resourceBundleKey) {
+ this.lessonCompleted = lessonCompleted;
+ this.feedbackResourceBundleKey = resourceBundleKey;
+ return this;
+ }
+
+ public AttackResultBuilder assignmentCompleted(boolean assignmentCompleted) {
+ this.assignmentCompleted = assignmentCompleted;
+ this.feedbackResourceBundleKey = "assignment.completed";
+ return this;
+ }
+
+ public AttackResultBuilder assignmentCompleted(
+ boolean assignmentCompleted, String resourceBundleKey) {
+ this.assignmentCompleted = assignmentCompleted;
+ this.feedbackResourceBundleKey = resourceBundleKey;
+ return this;
+ }
+
+ public AttackResultBuilder feedbackArgs(Object... args) {
+ this.feedbackArgs = args;
+ return this;
+ }
+
+ public AttackResultBuilder feedback(String resourceBundleKey) {
+ this.feedbackResourceBundleKey = resourceBundleKey;
+ return this;
+ }
+
+ public AttackResultBuilder output(String output) {
+ this.output = output;
+ return this;
+ }
+
+ public AttackResultBuilder outputArgs(Object... args) {
+ this.outputArgs = args;
+ return this;
+ }
+
+ public AttackResultBuilder attemptWasMade() {
+ this.attemptWasMade = true;
+ return this;
+ }
+
+ public AttackResult build() {
+ return new AttackResult(
+ lessonCompleted,
+ feedbackResourceBundleKey,
+ feedbackArgs,
+ output,
+ outputArgs,
+ assignment.getClass().getSimpleName(),
+ attemptWasMade);
+ }
+
+ public AttackResultBuilder assignment(AssignmentEndpoint assignment) {
+ this.assignment = assignment;
+ return this;
+ }
+
+ /**
+ * Convenience method for create a successful result:
+ *
+ *
- Assignment is set to solved - Feedback message is set to 'assignment.solved'
+ *
+ *
Of course you can overwrite these values in a specific lesson
+ *
+ * @return a builder for creating a result from a lesson
+ * @param assignment
+ */
+ public static AttackResultBuilder success(AssignmentEndpoint assignment) {
+ return new AttackResultBuilder()
+ .lessonCompleted(true)
+ .assignmentCompleted(true)
+ .attemptWasMade()
+ .feedback("assignment.solved")
+ .assignment(assignment);
+ }
+
+ /**
+ * Convenience method for create a failed result:
+ *
+ *
- Assignment is set to not solved - Feedback message is set to 'assignment.not.solved'
+ *
+ *
Of course you can overwrite these values in a specific lesson
+ *
+ * @return a builder for creating a result from a lesson
+ * @param assignment
+ */
+ public static AttackResultBuilder failed(AssignmentEndpoint assignment) {
+ return new AttackResultBuilder()
+ .lessonCompleted(false)
+ .assignmentCompleted(true)
+ .attemptWasMade()
+ .feedback("assignment.not.solved")
+ .assignment(assignment);
+ }
+
+ public static AttackResultBuilder informationMessage(AssignmentEndpoint assignment) {
+ return new AttackResultBuilder().lessonCompleted(false).assignment(assignment);
+ }
+}
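Review bot: `failed(...)` calls `.assignmentCompleted(true)`, the same value `success(...)` passes, and `build()` never reads `assignmentCompleted`, so the new flag is dead state and, for the failed case, apparently inverted. The `messages` field and the `AttackResultBuilder(PluginMessages)` constructor are likewise unused by `build()` now that resolution happens in `AttackResult.apply`. I would either drop the field and its two setters, or pass it through to `AttackResult` and use `.assignmentCompleted(false)` in `failed`. `build()` also dereferences `assignment` unconditionally; `Objects.requireNonNull(assignment, "assignment")` at the top of `build()` would turn a forgotten `.assignment(...)` call into a clear error.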
diff --git a/src/main/java/org/owasp/webgoat/container/assignments/AttackResultMessageResponseBodyAdvice.java b/src/main/java/org/owasp/webgoat/container/assignments/AttackResultMessageResponseBodyAdvice.java
new file mode 100644
index 000000000..eea080c81
--- /dev/null
+++ b/src/main/java/org/owasp/webgoat/container/assignments/AttackResultMessageResponseBodyAdvice.java
@@ -0,0 +1,41 @@
+package org.owasp.webgoat.container.assignments;
+
+import org.owasp.webgoat.container.i18n.PluginMessages;
+import org.springframework.core.MethodParameter;
+import org.springframework.http.MediaType;
+import org.springframework.http.converter.HttpMessageConverter;
+import org.springframework.http.server.ServerHttpRequest;
+import org.springframework.http.server.ServerHttpResponse;
+import org.springframework.web.bind.annotation.RestControllerAdvice;
+import org.springframework.web.servlet.mvc.method.annotation.ResponseBodyAdvice;
+
+/** This class intercepts the response body and applies the plugin messages to the attack result. */
+@RestControllerAdvice
+public class AttackResultMessageResponseBodyAdvice implements ResponseBodyAdvice {
+
+ private final PluginMessages pluginMessages;
+
+ public AttackResultMessageResponseBodyAdvice(PluginMessages pluginMessages) {
+ this.pluginMessages = pluginMessages;
+ }
+
+ @Override
+ public boolean supports(
+ MethodParameter returnType, Class extends HttpMessageConverter>> converterType) {
+ return true;
+ }
+
+ @Override
+ public Object beforeBodyWrite(
+ Object body,
+ MethodParameter returnType,
+ MediaType selectedContentType,
+ Class extends HttpMessageConverter>> selectedConverterType,
+ ServerHttpRequest request,
+ ServerHttpResponse response) {
+ if (body instanceof AttackResult a) {
+ return a.apply(pluginMessages);
+ }
+ return body;
+ }
+}
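Review bot: `supports` returns `true` unconditionally, so `beforeBodyWrite` runs for every controller response body and the `instanceof AttackResult` test is the only filter; a short comment saying so would help the next reader. I would add above `return true;`: `// Applies to all responses; beforeBodyWrite only rewrites AttackResult bodies.` Narrowing `supports` by `returnType.getParameterType()` is possible but would need care for handlers that wrap the result (for example in a `ResponseEntity`), which this diff does not show.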
diff --git a/src/main/java/org/owasp/webgoat/lessons/authbypass/VerifyAccount.java b/src/main/java/org/owasp/webgoat/lessons/authbypass/VerifyAccount.java
index 14e9a2888..41e6e4e0c 100644
--- a/src/main/java/org/owasp/webgoat/lessons/authbypass/VerifyAccount.java
+++ b/src/main/java/org/owasp/webgoat/lessons/authbypass/VerifyAccount.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.authbypass;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import java.io.IOException;
@@ -46,7 +49,7 @@ import org.springframework.web.bind.annotation.RestController;
"auth-bypass.hints.verify.3",
"auth-bypass.hints.verify.4"
})
-public class VerifyAccount extends AssignmentEndpoint {
+public class VerifyAccount implements AssignmentEndpoint {
private final LessonSession userSessionData;
diff --git a/src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFieldRestrictions.java b/src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFieldRestrictions.java
index 2ea8db965..9f28f2305 100644
--- a/src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFieldRestrictions.java
+++ b/src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFieldRestrictions.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.bypassrestrictions;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.springframework.web.bind.annotation.PostMapping;
@@ -30,7 +33,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RestController
-public class BypassRestrictionsFieldRestrictions extends AssignmentEndpoint {
+public class BypassRestrictionsFieldRestrictions implements AssignmentEndpoint {
@PostMapping("/BypassRestrictions/FieldRestrictions")
@ResponseBody
diff --git a/src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFrontendValidation.java b/src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFrontendValidation.java
index 9d2c048eb..71f200228 100644
--- a/src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFrontendValidation.java
+++ b/src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFrontendValidation.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.bypassrestrictions;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.springframework.web.bind.annotation.PostMapping;
@@ -30,7 +33,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RestController
-public class BypassRestrictionsFrontendValidation extends AssignmentEndpoint {
+public class BypassRestrictionsFrontendValidation implements AssignmentEndpoint {
@PostMapping("/BypassRestrictions/frontendValidation")
@ResponseBody
diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/FlagController.java b/src/main/java/org/owasp/webgoat/lessons/challenges/FlagController.java
index f887030a5..81bb924d6 100644
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/FlagController.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/FlagController.java
@@ -22,7 +22,9 @@
package org.owasp.webgoat.lessons.challenges;
-import lombok.AllArgsConstructor;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.springframework.web.bind.annotation.PathVariable;
@@ -32,11 +34,14 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RestController
-@AllArgsConstructor
-public class FlagController extends AssignmentEndpoint {
+public class FlagController implements AssignmentEndpoint {
private final Flags flags;
+ public FlagController(Flags flags) {
+ this.flags = flags;
+ }
+
@PostMapping(path = "/challenge/flag/{flagNumber}")
@ResponseBody
public AttackResult postFlag(@PathVariable int flagNumber, @RequestParam String flag) {
diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/Assignment1.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/Assignment1.java
index de99c4470..0b79c0b16 100644
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/Assignment1.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/Assignment1.java
@@ -1,8 +1,9 @@
package org.owasp.webgoat.lessons.challenges.challenge1;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import static org.owasp.webgoat.lessons.challenges.SolutionConstants.PASSWORD;
-import lombok.RequiredArgsConstructor;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.lessons.challenges.Flags;
@@ -42,11 +43,14 @@ import org.springframework.web.bind.annotation.RestController;
* @since August 11, 2016
*/
@RestController
-@RequiredArgsConstructor
-public class Assignment1 extends AssignmentEndpoint {
+public class Assignment1 implements AssignmentEndpoint {
private final Flags flags;
+ public Assignment1(Flags flags) {
+ this.flags = flags;
+ }
+
@PostMapping("/challenge/1")
@ResponseBody
public AttackResult completed(@RequestParam String username, @RequestParam String password) {
diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Assignment5.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Assignment5.java
index c8b3f3d10..db52392bf 100644
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Assignment5.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Assignment5.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.challenges.challenge5;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import lombok.RequiredArgsConstructor;
@@ -39,7 +42,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@Slf4j
@RequiredArgsConstructor
-public class Assignment5 extends AssignmentEndpoint {
+public class Assignment5 implements AssignmentEndpoint {
private final LessonDataSource dataSource;
private final Flags flags;
diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7.java
index a641bff28..fab9d7482 100644
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7.java
@@ -1,5 +1,7 @@
package org.owasp.webgoat.lessons.challenges.challenge7;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import jakarta.servlet.http.HttpServletRequest;
import java.net.URI;
import java.net.URISyntaxException;
@@ -29,7 +31,7 @@ import org.springframework.web.client.RestTemplate;
*/
@RestController
@Slf4j
-public class Assignment7 extends AssignmentEndpoint {
+public class Assignment7 implements AssignmentEndpoint {
public static final String ADMIN_PASSWORD_LINK = "375afe1104f4a487a73823c50a9292a2";
diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge8/Assignment8.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge8/Assignment8.java
index 6623ea1a0..0bf9edeb9 100644
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge8/Assignment8.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge8/Assignment8.java
@@ -19,7 +19,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@Slf4j
@RequiredArgsConstructor
-public class Assignment8 extends AssignmentEndpoint {
+public class Assignment8 implements AssignmentEndpoint {
private static final Map votes = new HashMap<>();
diff --git a/src/main/java/org/owasp/webgoat/lessons/chromedevtools/NetworkDummy.java b/src/main/java/org/owasp/webgoat/lessons/chromedevtools/NetworkDummy.java
index dea467589..cff6ab647 100644
--- a/src/main/java/org/owasp/webgoat/lessons/chromedevtools/NetworkDummy.java
+++ b/src/main/java/org/owasp/webgoat/lessons/chromedevtools/NetworkDummy.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.chromedevtools;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.container.session.LessonSession;
@@ -37,7 +40,7 @@ import org.springframework.web.bind.annotation.RestController;
* @since 30.11.18
*/
@RestController
-public class NetworkDummy extends AssignmentEndpoint {
+public class NetworkDummy implements AssignmentEndpoint {
private final LessonSession lessonSession;
diff --git a/src/main/java/org/owasp/webgoat/lessons/chromedevtools/NetworkLesson.java b/src/main/java/org/owasp/webgoat/lessons/chromedevtools/NetworkLesson.java
index 7441ab4a5..106c03ceb 100644
--- a/src/main/java/org/owasp/webgoat/lessons/chromedevtools/NetworkLesson.java
+++ b/src/main/java/org/owasp/webgoat/lessons/chromedevtools/NetworkLesson.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.chromedevtools;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
@@ -40,7 +43,7 @@ import org.springframework.web.bind.annotation.RestController;
*/
@RestController
@AssignmentHints({"networkHint1", "networkHint2"})
-public class NetworkLesson extends AssignmentEndpoint {
+public class NetworkLesson implements AssignmentEndpoint {
@PostMapping(
value = "/ChromeDevTools/network",
diff --git a/src/main/java/org/owasp/webgoat/lessons/cia/CIAQuiz.java b/src/main/java/org/owasp/webgoat/lessons/cia/CIAQuiz.java
index fa01b43e5..35d462d24 100644
--- a/src/main/java/org/owasp/webgoat/lessons/cia/CIAQuiz.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cia/CIAQuiz.java
@@ -1,5 +1,8 @@
package org.owasp.webgoat.lessons.cia;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.springframework.web.bind.annotation.GetMapping;
@@ -9,9 +12,9 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RestController
-public class CIAQuiz extends AssignmentEndpoint {
+public class CIAQuiz implements AssignmentEndpoint {
- String[] solutions = {"Solution 3", "Solution 1", "Solution 4", "Solution 2"};
+ private final String[] solutions = {"Solution 3", "Solution 1", "Solution 4", "Solution 2"};
boolean[] guesses = new boolean[solutions.length];
@PostMapping("/cia/quiz")
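Review bot: `solutions` is now `private final`, but the `guesses` array on the next line stays package-private and mutable on a `@RestController`, which Spring instantiates once by default. If the quiz handler writes per-request results into it (the handler body is outside this hunk), concurrent users share and overwrite each other's answers. At minimum make it `private final boolean[] guesses = new boolean[solutions.length];`; better to keep the per-user result in the lesson session or in a local variable.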
diff --git a/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringAssignment.java b/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringAssignment.java
index fbe11da93..6dcb154c8 100644
--- a/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringAssignment.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.clientsidefiltering;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
@@ -37,7 +40,7 @@ import org.springframework.web.bind.annotation.RestController;
"ClientSideFilteringHint3",
"ClientSideFilteringHint4"
})
-public class ClientSideFilteringAssignment extends AssignmentEndpoint {
+public class ClientSideFilteringAssignment implements AssignmentEndpoint {
@PostMapping("/clientSideFiltering/attack1")
@ResponseBody
diff --git a/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringFreeAssignment.java b/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringFreeAssignment.java
index 9db150279..bc4a66ca1 100644
--- a/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringFreeAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringFreeAssignment.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.clientsidefiltering;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
@@ -40,8 +43,7 @@ import org.springframework.web.bind.annotation.RestController;
"client.side.filtering.free.hint2",
"client.side.filtering.free.hint3"
})
-public class ClientSideFilteringFreeAssignment extends AssignmentEndpoint {
-
+public class ClientSideFilteringFreeAssignment implements AssignmentEndpoint {
public static final String SUPER_COUPON_CODE = "get_it_for_free";
@PostMapping("/clientSideFiltering/getItForFree")
diff --git a/src/main/java/org/owasp/webgoat/lessons/cryptography/EncodingAssignment.java b/src/main/java/org/owasp/webgoat/lessons/cryptography/EncodingAssignment.java
index 437e89959..4df2b97e2 100644
--- a/src/main/java/org/owasp/webgoat/lessons/cryptography/EncodingAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cryptography/EncodingAssignment.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.cryptography;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import jakarta.servlet.http.HttpServletRequest;
import java.util.Base64;
import java.util.Random;
@@ -35,7 +38,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RestController
-public class EncodingAssignment extends AssignmentEndpoint {
+public class EncodingAssignment implements AssignmentEndpoint {
public static String getBasicAuth(String username, String password) {
return Base64.getEncoder().encodeToString(username.concat(":").concat(password).getBytes());
diff --git a/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java b/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java
index 266c53ffa..19f00b748 100644
--- a/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.cryptography;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import jakarta.servlet.http.HttpServletRequest;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
@@ -39,8 +42,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints({"crypto-hashing.hints.1", "crypto-hashing.hints.2"})
-public class HashingAssignment extends AssignmentEndpoint {
-
+public class HashingAssignment implements AssignmentEndpoint {
public static final String[] SECRETS = {"secret", "admin", "password", "123456", "passw0rd"};
@RequestMapping(path = "/crypto/hashing/md5", produces = MediaType.TEXT_HTML_VALUE)
diff --git a/src/main/java/org/owasp/webgoat/lessons/cryptography/SecureDefaultsAssignment.java b/src/main/java/org/owasp/webgoat/lessons/cryptography/SecureDefaultsAssignment.java
index bb28f4202..d30708bbc 100644
--- a/src/main/java/org/owasp/webgoat/lessons/cryptography/SecureDefaultsAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cryptography/SecureDefaultsAssignment.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.cryptography;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import java.security.NoSuchAlgorithmException;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
@@ -37,7 +40,7 @@ import org.springframework.web.bind.annotation.RestController;
"crypto-secure-defaults.hints.2",
"crypto-secure-defaults.hints.3"
})
-public class SecureDefaultsAssignment extends AssignmentEndpoint {
+public class SecureDefaultsAssignment implements AssignmentEndpoint {
@PostMapping("/crypto/secure/defaults")
@ResponseBody
diff --git a/src/main/java/org/owasp/webgoat/lessons/cryptography/SigningAssignment.java b/src/main/java/org/owasp/webgoat/lessons/cryptography/SigningAssignment.java
index ffcb739a5..7a27cae61 100644
--- a/src/main/java/org/owasp/webgoat/lessons/cryptography/SigningAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cryptography/SigningAssignment.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.cryptography;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import jakarta.servlet.http.HttpServletRequest;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPair;
@@ -47,7 +50,7 @@ import org.springframework.web.bind.annotation.RestController;
"crypto-signing.hints.4"
})
@Slf4j
-public class SigningAssignment extends AssignmentEndpoint {
+public class SigningAssignment implements AssignmentEndpoint {
@RequestMapping(path = "/crypto/signing/getprivate", produces = MediaType.TEXT_HTML_VALUE)
@ResponseBody
diff --git a/src/main/java/org/owasp/webgoat/lessons/cryptography/XOREncodingAssignment.java b/src/main/java/org/owasp/webgoat/lessons/cryptography/XOREncodingAssignment.java
index d7e3ed94d..a2807b4e6 100644
--- a/src/main/java/org/owasp/webgoat/lessons/cryptography/XOREncodingAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cryptography/XOREncodingAssignment.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.cryptography;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
@@ -32,7 +35,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints({"crypto-encoding-xor.hints.1"})
-public class XOREncodingAssignment extends AssignmentEndpoint {
+public class XOREncodingAssignment implements AssignmentEndpoint {
@PostMapping("/crypto/encoding/xor")
@ResponseBody
diff --git a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFConfirmFlag1.java b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFConfirmFlag1.java
index 4ec61916c..f46c23862 100644
--- a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFConfirmFlag1.java
+++ b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFConfirmFlag1.java
@@ -22,11 +22,13 @@
package org.owasp.webgoat.lessons.csrf;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.container.session.LessonSession;
-import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@@ -34,9 +36,13 @@ import org.springframework.web.bind.annotation.RestController;
/** Created by jason on 9/29/17. */
@RestController
@AssignmentHints({"csrf-get.hint1", "csrf-get.hint2", "csrf-get.hint3", "csrf-get.hint4"})
-public class CSRFConfirmFlag1 extends AssignmentEndpoint {
+public class CSRFConfirmFlag1 implements AssignmentEndpoint {
- @Autowired LessonSession userSessionData;
+ private final LessonSession userSessionData;
+
+ public CSRFConfirmFlag1(LessonSession userSessionData) {
+ this.userSessionData = userSessionData;
+ }
@PostMapping(
path = "/csrf/confirm-flag-1",
diff --git a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFFeedback.java b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFFeedback.java
index 9023c3b16..2154ed34d 100644
--- a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFFeedback.java
+++ b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFFeedback.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.csrf;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import jakarta.servlet.http.Cookie;
@@ -34,7 +37,6 @@ import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.container.session.LessonSession;
-import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
@@ -44,10 +46,15 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints({"csrf-feedback-hint1", "csrf-feedback-hint2", "csrf-feedback-hint3"})
-public class CSRFFeedback extends AssignmentEndpoint {
+public class CSRFFeedback implements AssignmentEndpoint {
- @Autowired private LessonSession userSessionData;
- @Autowired private ObjectMapper objectMapper;
+ private final LessonSession userSessionData;
+ private final ObjectMapper objectMapper;
+
+ public CSRFFeedback(LessonSession userSessionData, ObjectMapper objectMapper) {
+ this.userSessionData = userSessionData;
+ this.objectMapper = objectMapper;
+ }
@PostMapping(
value = "/csrf/feedback/message",
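Review bot: The new constructor stores the injected `ObjectMapper` as-is, and in a Spring Boot application that bean is normally the one shared by the whole context. The file imports `DeserializationFeature` (context line of the first hunk), which suggests the handler reconfigures the mapper; that code is outside this hunk, so this is inferred. If it does, the settings change for every other consumer of the bean. Taking a private copy in the constructor avoids that: `this.objectMapper = objectMapper.copy();`.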
diff --git a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFLogin.java b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFLogin.java
index 11e1438fa..78fb16a10 100644
--- a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFLogin.java
+++ b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFLogin.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.csrf;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import org.owasp.webgoat.container.CurrentUsername;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
@@ -32,7 +35,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints({"csrf-login-hint1", "csrf-login-hint2", "csrf-login-hint3"})
-public class CSRFLogin extends AssignmentEndpoint {
+public class CSRFLogin implements AssignmentEndpoint {
@PostMapping(
path = "/csrf/login",
diff --git a/src/main/java/org/owasp/webgoat/lessons/csrf/ForgedReviews.java b/src/main/java/org/owasp/webgoat/lessons/csrf/ForgedReviews.java
index 2dc315bab..50dcb8915 100644
--- a/src/main/java/org/owasp/webgoat/lessons/csrf/ForgedReviews.java
+++ b/src/main/java/org/owasp/webgoat/lessons/csrf/ForgedReviews.java
@@ -22,6 +22,8 @@
package org.owasp.webgoat.lessons.csrf;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import static org.springframework.http.MediaType.ALL_VALUE;
import com.google.common.collect.Lists;
@@ -45,7 +47,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints({"csrf-review-hint1", "csrf-review-hint2", "csrf-review-hint3"})
-public class ForgedReviews extends AssignmentEndpoint {
+public class ForgedReviews implements AssignmentEndpoint {
private static DateTimeFormatter fmt = DateTimeFormatter.ofPattern("yyyy-MM-dd, HH:mm:ss");
diff --git a/src/main/java/org/owasp/webgoat/lessons/deserialization/InsecureDeserializationTask.java b/src/main/java/org/owasp/webgoat/lessons/deserialization/InsecureDeserializationTask.java
index d44823fdc..22dd18a1f 100644
--- a/src/main/java/org/owasp/webgoat/lessons/deserialization/InsecureDeserializationTask.java
+++ b/src/main/java/org/owasp/webgoat/lessons/deserialization/InsecureDeserializationTask.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.deserialization;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InvalidClassException;
@@ -42,7 +45,7 @@ import org.springframework.web.bind.annotation.RestController;
"insecure-deserialization.hints.2",
"insecure-deserialization.hints.3"
})
-public class InsecureDeserializationTask extends AssignmentEndpoint {
+public class InsecureDeserializationTask implements AssignmentEndpoint {
@PostMapping("/InsecureDeserialization/task")
@ResponseBody
diff --git a/src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignment.java b/src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignment.java
index 8fae4e89d..7817022f0 100644
--- a/src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignment.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.hijacksession;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
@@ -30,7 +33,6 @@ import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.lessons.hijacksession.cas.Authentication;
import org.owasp.webgoat.lessons.hijacksession.cas.HijackSessionAuthenticationProvider;
-import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.CookieValue;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
@@ -51,11 +53,14 @@ import org.springframework.web.bind.annotation.RestController;
"hijacksession.hints.4",
"hijacksession.hints.5"
})
-public class HijackSessionAssignment extends AssignmentEndpoint {
-
+public class HijackSessionAssignment implements AssignmentEndpoint {
private static final String COOKIE_NAME = "hijack_cookie";
- @Autowired HijackSessionAuthenticationProvider provider;
+ private final HijackSessionAuthenticationProvider provider;
+
+ public HijackSessionAssignment(HijackSessionAuthenticationProvider provider) {
+ this.provider = provider;
+ }
@PostMapping(path = "/HijackSession/login")
@ResponseBody
diff --git a/src/main/java/org/owasp/webgoat/lessons/htmltampering/HtmlTamperingTask.java b/src/main/java/org/owasp/webgoat/lessons/htmltampering/HtmlTamperingTask.java
index 8a0ba7103..2042ea0f6 100644
--- a/src/main/java/org/owasp/webgoat/lessons/htmltampering/HtmlTamperingTask.java
+++ b/src/main/java/org/owasp/webgoat/lessons/htmltampering/HtmlTamperingTask.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.htmltampering;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
@@ -32,7 +35,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints({"hint1", "hint2", "hint3"})
-public class HtmlTamperingTask extends AssignmentEndpoint {
+public class HtmlTamperingTask implements AssignmentEndpoint {
@PostMapping("/HtmlTampering/task")
@ResponseBody
diff --git a/src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasicsLesson.java b/src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasicsLesson.java
index 883f14f31..f73e3ae06 100644
--- a/src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasicsLesson.java
+++ b/src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasicsLesson.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.httpbasics;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
@@ -32,7 +35,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints({"http-basics.hints.http_basics_lesson.1"})
-public class HttpBasicsLesson extends AssignmentEndpoint {
+public class HttpBasicsLesson implements AssignmentEndpoint {
@PostMapping("/HttpBasics/attack1")
@ResponseBody
diff --git a/src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasicsQuiz.java b/src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasicsQuiz.java
index c6c14ad73..eb497c7e6 100644
--- a/src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasicsQuiz.java
+++ b/src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasicsQuiz.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.httpbasics;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AssignmentPath;
@@ -34,7 +37,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints({"http-basics.hints.http_basic_quiz.1", "http-basics.hints.http_basic_quiz.2"})
@AssignmentPath("HttpBasics/attack2")
-public class HttpBasicsQuiz extends AssignmentEndpoint {
+public class HttpBasicsQuiz implements AssignmentEndpoint {
@PostMapping("/HttpBasics/attack2")
@ResponseBody
diff --git a/src/main/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequest.java b/src/main/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequest.java
index 7330c747b..3731dec4e 100644
--- a/src/main/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequest.java
+++ b/src/main/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequest.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.httpproxies;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import jakarta.servlet.http.HttpServletRequest;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
@@ -34,7 +37,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RestController
-public class HttpBasicsInterceptRequest extends AssignmentEndpoint {
+public class HttpBasicsInterceptRequest implements AssignmentEndpoint {
@RequestMapping(
path = "/HttpProxies/intercept-request",
diff --git a/src/main/java/org/owasp/webgoat/lessons/idor/IDORDiffAttributes.java b/src/main/java/org/owasp/webgoat/lessons/idor/IDORDiffAttributes.java
index f91099742..7b641a228 100644
--- a/src/main/java/org/owasp/webgoat/lessons/idor/IDORDiffAttributes.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/IDORDiffAttributes.java
@@ -23,6 +23,9 @@
package org.owasp.webgoat.lessons.idor;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
@@ -37,7 +40,7 @@ import org.springframework.web.bind.annotation.RestController;
"idor.hints.idorDiffAttributes2",
"idor.hints.idorDiffAttributes3"
})
-public class IDORDiffAttributes extends AssignmentEndpoint {
+public class IDORDiffAttributes implements AssignmentEndpoint {
@PostMapping("/IDOR/diff-attributes")
@ResponseBody
diff --git a/src/main/java/org/owasp/webgoat/lessons/idor/IDOREditOtherProfile.java b/src/main/java/org/owasp/webgoat/lessons/idor/IDOREditOtherProfile.java
index 39207dcf4..e0b9debf8 100644
--- a/src/main/java/org/owasp/webgoat/lessons/idor/IDOREditOtherProfile.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/IDOREditOtherProfile.java
@@ -23,11 +23,13 @@
package org.owasp.webgoat.lessons.idor;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.container.session.LessonSession;
-import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestBody;
@@ -46,9 +48,13 @@ import org.springframework.web.bind.annotation.RestController;
"idor.hints.otherProfile8",
"idor.hints.otherProfile9"
})
-public class IDOREditOtherProfile extends AssignmentEndpoint {
+public class IDOREditOtherProfile implements AssignmentEndpoint {
- @Autowired private LessonSession userSessionData;
+ private final LessonSession userSessionData;
+
+ public IDOREditOtherProfile(LessonSession lessonSession) {
+ this.userSessionData = lessonSession;
+ }
@PutMapping(path = "/IDOR/profile/{userId}", consumes = "application/json")
@ResponseBody
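Review bot: The new constructor names its parameter `lessonSession` while the field it assigns is still `userSessionData`. The other endpoints converted in this commit (CSRFConfirmFlag1, IDORViewOtherProfile, IDORViewOwnProfileAltUrl) use one name for both. Either rename the parameter, `public IDOREditOtherProfile(LessonSession userSessionData)` with `this.userSessionData = userSessionData;`, or rename the field to `lessonSession` as IDORLogin does. The class body continues outside the hunk, so a field rename would also touch uses that are not visible here.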
diff --git a/src/main/java/org/owasp/webgoat/lessons/idor/IDORLogin.java b/src/main/java/org/owasp/webgoat/lessons/idor/IDORLogin.java
index dd9d6e23c..febfb2f50 100644
--- a/src/main/java/org/owasp/webgoat/lessons/idor/IDORLogin.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/IDORLogin.java
@@ -23,6 +23,9 @@
package org.owasp.webgoat.lessons.idor;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import java.util.HashMap;
import java.util.Map;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@@ -36,15 +39,14 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints({"idor.hints.idor_login"})
-public class IDORLogin extends AssignmentEndpoint {
-
+public class IDORLogin implements AssignmentEndpoint {
private final LessonSession lessonSession;
public IDORLogin(LessonSession lessonSession) {
this.lessonSession = lessonSession;
}
- private Map> idorUserInfo = new HashMap<>();
+ private final Map> idorUserInfo = new HashMap<>();
public void initIDORInfo() {
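Review bot: Making `idorUserInfo` final pins the reference, but the object is still a mutable `HashMap` held by a `@RestController`, which is singleton-scoped by default, and it is filled by the public `initIDORInfo()`. The body and callers of `initIDORInfo()` are outside the hunk; if it runs per request rather than once, concurrent requests write to the same unsynchronised map. Consider filling the map once in the constructor and keeping an unmodifiable copy via `Map.copyOf(...)`. Otherwise add a comment on the field stating why it is rebuilt on each call.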
diff --git a/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java b/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java
index c5a82846c..2bd783807 100644
--- a/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java
@@ -23,12 +23,13 @@
package org.owasp.webgoat.lessons.idor;
-import jakarta.servlet.http.HttpServletResponse;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.container.session.LessonSession;
-import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.ResponseBody;
@@ -46,15 +47,19 @@ import org.springframework.web.bind.annotation.RestController;
"idor.hints.otherProfile8",
"idor.hints.otherProfile9"
})
-public class IDORViewOtherProfile extends AssignmentEndpoint {
+public class IDORViewOtherProfile implements AssignmentEndpoint {
- @Autowired LessonSession userSessionData;
+ private final LessonSession userSessionData;
+
+ public IDORViewOtherProfile(LessonSession userSessionData) {
+ this.userSessionData = userSessionData;
+ }
@GetMapping(
path = "/IDOR/profile/{userId}",
produces = {"application/json"})
@ResponseBody
- public AttackResult completed(@PathVariable("userId") String userId, HttpServletResponse resp) {
+ public AttackResult completed(@PathVariable("userId") String userId) {
Object obj = userSessionData.getValue("idor-authenticated-as");
if (obj != null && obj.equals("tom")) {
diff --git a/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfile.java b/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfile.java
index c6c09bf23..5897fa868 100644
--- a/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfile.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfile.java
@@ -27,7 +27,6 @@ import java.util.HashMap;
import java.util.Map;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.container.session.LessonSession;
-import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@@ -36,7 +35,11 @@ import org.springframework.web.bind.annotation.RestController;
@Slf4j
public class IDORViewOwnProfile {
- @Autowired LessonSession userSessionData;
+ private final LessonSession userSessionData;
+
+ public IDORViewOwnProfile(LessonSession userSessionData) {
+ this.userSessionData = userSessionData;
+ }
@GetMapping(
path = {"/IDOR/own", "/IDOR/profile"},
@@ -60,7 +63,7 @@ public class IDORViewOwnProfile {
"You do not have privileges to view the profile. Authenticate as tom first please.");
}
} catch (Exception ex) {
- log.error("something went wrong", ex.getMessage());
+ log.error("something went wrong: {}", ex.getMessage());
}
return details;
}
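Review bot: The corrected call `log.error("something went wrong: {}", ex.getMessage());` now prints the message, but it still drops the exception type and stack trace. The surrounding `catch (Exception ex)` then returns `details` as if nothing had failed. Passing the throwable as the last argument keeps the trace in the log: `log.error("something went wrong", ex);`. The try block and the start of the method are outside the hunk, so whether a narrower exception type could be caught cannot be judged from here.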
diff --git a/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfileAltUrl.java b/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfileAltUrl.java
index df1d9781e..970b33932 100644
--- a/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfileAltUrl.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfileAltUrl.java
@@ -23,11 +23,13 @@
package org.owasp.webgoat.lessons.idor;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.container.session.LessonSession;
-import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
@@ -39,9 +41,12 @@ import org.springframework.web.bind.annotation.RestController;
"idor.hints.ownProfileAltUrl2",
"idor.hints.ownProfileAltUrl3"
})
-public class IDORViewOwnProfileAltUrl extends AssignmentEndpoint {
+public class IDORViewOwnProfileAltUrl implements AssignmentEndpoint {
+ private final LessonSession userSessionData;
- @Autowired LessonSession userSessionData;
+ public IDORViewOwnProfileAltUrl(LessonSession userSessionData) {
+ this.userSessionData = userSessionData;
+ }
@PostMapping("/IDOR/profile/alt-path")
@ResponseBody
diff --git a/src/main/java/org/owasp/webgoat/lessons/insecurelogin/InsecureLoginTask.java b/src/main/java/org/owasp/webgoat/lessons/insecurelogin/InsecureLoginTask.java
index 8d39a594d..24f5ac7f6 100644
--- a/src/main/java/org/owasp/webgoat/lessons/insecurelogin/InsecureLoginTask.java
+++ b/src/main/java/org/owasp/webgoat/lessons/insecurelogin/InsecureLoginTask.java
@@ -22,13 +22,16 @@
package org.owasp.webgoat.lessons.insecurelogin;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.*;
@RestController
-public class InsecureLoginTask extends AssignmentEndpoint {
+public class InsecureLoginTask implements AssignmentEndpoint {
@PostMapping("/InsecureLogin/task")
@ResponseBody
diff --git a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTDecodeEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTDecodeEndpoint.java
index 9b27236cb..75bfd6171 100644
--- a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTDecodeEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTDecodeEndpoint.java
@@ -1,5 +1,8 @@
package org.owasp.webgoat.lessons.jwt;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.springframework.web.bind.annotation.PostMapping;
@@ -8,7 +11,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RestController
-public class JWTDecodeEndpoint extends AssignmentEndpoint {
+public class JWTDecodeEndpoint implements AssignmentEndpoint {
@PostMapping("/JWT/decode")
@ResponseBody
diff --git a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTQuiz.java b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTQuiz.java
index abcd08edd..d73765cb4 100644
--- a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTQuiz.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTQuiz.java
@@ -1,5 +1,8 @@
package org.owasp.webgoat.lessons.jwt;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.springframework.web.bind.annotation.GetMapping;
@@ -9,7 +12,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RestController
-public class JWTQuiz extends AssignmentEndpoint {
+public class JWTQuiz implements AssignmentEndpoint {
private final String[] solutions = {"Solution 1", "Solution 2"};
private final boolean[] guesses = new boolean[solutions.length];
diff --git a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpoint.java
index 4efc9db09..03691dee1 100644
--- a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpoint.java
@@ -22,6 +22,8 @@
package org.owasp.webgoat.lessons.jwt;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import static org.springframework.http.ResponseEntity.ok;
import io.jsonwebtoken.Claims;
@@ -56,7 +58,7 @@ import org.springframework.web.bind.annotation.RestController;
"jwt-refresh-hint3",
"jwt-refresh-hint4"
})
-public class JWTRefreshEndpoint extends AssignmentEndpoint {
+public class JWTRefreshEndpoint implements AssignmentEndpoint {
public static final String PASSWORD = "bm5nhSkxCXZkKRy4";
private static final String JWT_PASSWORD = "bm5n3SkxCX4kKRy4";
diff --git a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTSecretKeyEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTSecretKeyEndpoint.java
index 0e688c049..4eb46d6e7 100644
--- a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTSecretKeyEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTSecretKeyEndpoint.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.jwt;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwt;
import io.jsonwebtoken.Jwts;
@@ -44,7 +47,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints({"jwt-secret-hint1", "jwt-secret-hint2", "jwt-secret-hint3"})
-public class JWTSecretKeyEndpoint extends AssignmentEndpoint {
+public class JWTSecretKeyEndpoint implements AssignmentEndpoint {
public static final String[] SECRETS = {
"victory", "business", "available", "shipping", "washington"
diff --git a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java
index e1ac1a0d2..4b4d6486e 100644
--- a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java
@@ -25,6 +25,8 @@ package org.owasp.webgoat.lessons.jwt;
import static java.util.Comparator.comparingLong;
import static java.util.Optional.ofNullable;
import static java.util.stream.Collectors.toList;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwt;
@@ -66,13 +68,13 @@ import org.springframework.web.bind.annotation.RestController;
"jwt-change-token-hint4",
"jwt-change-token-hint5"
})
-public class JWTVotesEndpoint extends AssignmentEndpoint {
+public class JWTVotesEndpoint implements AssignmentEndpoint {
public static final String JWT_PASSWORD = TextCodec.BASE64.encode("victory");
private static String validUsers = "TomJerrySylvester";
private static int totalVotes = 38929;
- private Map votes = new HashMap<>();
+ private final Map votes = new HashMap<>();
@PostConstruct
public void initVotes() {
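Review bot: `votes` becomes final here, but `validUsers` and `totalVotes` directly above it stay mutable `private static` fields. If nothing reassigns them (the rest of the class is outside the hunk), they can be declared as constants: `private static final String VALID_USERS = "TomJerrySylvester";` and `private static final int TOTAL_VOTES = 38929;`. Their uses elsewhere in the class would need the same rename. If they are reassigned at runtime, a comment saying so would explain why static state on a shared controller is intended.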
diff --git a/src/main/java/org/owasp/webgoat/lessons/jwt/claimmisuse/JWTHeaderJKUEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/jwt/claimmisuse/JWTHeaderJKUEndpoint.java
index 4272b79ca..4ff2e13ca 100644
--- a/src/main/java/org/owasp/webgoat/lessons/jwt/claimmisuse/JWTHeaderJKUEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/claimmisuse/JWTHeaderJKUEndpoint.java
@@ -1,5 +1,8 @@
package org.owasp.webgoat.lessons.jwt.claimmisuse;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import com.auth0.jwk.JwkException;
import com.auth0.jwk.JwkProviderBuilder;
import com.auth0.jwt.JWT;
@@ -28,7 +31,7 @@ import org.springframework.web.bind.annotation.RestController;
"jwt-jku-hint4",
"jwt-jku-hint5"
})
-public class JWTHeaderJKUEndpoint extends AssignmentEndpoint {
+public class JWTHeaderJKUEndpoint implements AssignmentEndpoint {
@PostMapping("jku/follow/{user}")
public @ResponseBody String follow(@PathVariable("user") String user) {
diff --git a/src/main/java/org/owasp/webgoat/lessons/jwt/claimmisuse/JWTHeaderKIDEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/jwt/claimmisuse/JWTHeaderKIDEndpoint.java
index 56b88c9f4..904f2656f 100644
--- a/src/main/java/org/owasp/webgoat/lessons/jwt/claimmisuse/JWTHeaderKIDEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/claimmisuse/JWTHeaderKIDEndpoint.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.jwt.claimmisuse;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwsHeader;
import io.jsonwebtoken.Jwt;
@@ -53,8 +56,7 @@ import org.springframework.web.bind.annotation.RestController;
"jwt-kid-hint6"
})
@RequestMapping("/JWT/")
-public class JWTHeaderKIDEndpoint extends AssignmentEndpoint {
-
+public class JWTHeaderKIDEndpoint implements AssignmentEndpoint {
private final LessonDataSource dataSource;
private JWTHeaderKIDEndpoint(LessonDataSource dataSource) {
diff --git a/src/main/java/org/owasp/webgoat/lessons/lessontemplate/SampleAttack.java b/src/main/java/org/owasp/webgoat/lessons/lessontemplate/SampleAttack.java
index e1ef39d34..d4f0c1b86 100644
--- a/src/main/java/org/owasp/webgoat/lessons/lessontemplate/SampleAttack.java
+++ b/src/main/java/org/owasp/webgoat/lessons/lessontemplate/SampleAttack.java
@@ -22,13 +22,15 @@
package org.owasp.webgoat.lessons.lessontemplate;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import java.util.List;
import lombok.AllArgsConstructor;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.container.session.LessonSession;
-import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
@@ -39,12 +41,14 @@ import org.springframework.web.bind.annotation.RestController;
/** Created by jason on 1/5/17. */
@RestController
@AssignmentHints({"lesson-template.hints.1", "lesson-template.hints.2", "lesson-template.hints.3"})
-public class SampleAttack extends AssignmentEndpoint {
+public class SampleAttack implements AssignmentEndpoint {
+ private static final String secretValue = "secr37Value";
- String secretValue = "secr37Value";
+ private final LessonSession userSessionData;
- // UserSessionData is bound to session and can be used to persist data across multiple assignments
- @Autowired LessonSession userSessionData;
+ public SampleAttack(LessonSession userSessionData) {
+ this.userSessionData = userSessionData;
+ }
@PostMapping("/lesson-template/sample-attack")
@ResponseBody
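Review bot: The explanatory comment on the session field is dropped together with `@Autowired`, and in a lesson template that authors copy it was the only hint about what `userSessionData` is for. I would keep it above the new field, reworded for the current type if it still holds, e.g. `// LessonSession is bound to the session and can be used to persist data across multiple assignments`. The constant is now `static final` but still named `secretValue`; `SECRET_VALUE` would follow the usual constant naming, though its uses lie outside this hunk and would have to be renamed with it. The class body continues past the end of the hunk.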
diff --git a/src/main/java/org/owasp/webgoat/lessons/logging/LogBleedingTask.java b/src/main/java/org/owasp/webgoat/lessons/logging/LogBleedingTask.java
index a338407bf..7b1f68937 100644
--- a/src/main/java/org/owasp/webgoat/lessons/logging/LogBleedingTask.java
+++ b/src/main/java/org/owasp/webgoat/lessons/logging/LogBleedingTask.java
@@ -22,7 +22,9 @@
package org.owasp.webgoat.lessons.logging;
-import jakarta.annotation.PostConstruct;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.UUID;
@@ -37,14 +39,13 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RestController
-public class LogBleedingTask extends AssignmentEndpoint {
+public class LogBleedingTask implements AssignmentEndpoint {
- Logger log = LoggerFactory.getLogger(this.getClass().getName());
- private String password;
+ private static final Logger log = LoggerFactory.getLogger(LogBleedingTask.class);
+ private final String password;
- @PostConstruct
- public void generatePassword() {
- password = UUID.randomUUID().toString();
+ public LogBleedingTask() {
+ this.password = UUID.randomUUID().toString();
log.info(
"Password for admin: {}",
Base64.getEncoder().encodeToString(password.getBytes(StandardCharsets.UTF_8)));
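Review bot: The constructor now writes the Base64-encoded admin password to the log at INFO as a side effect of bean creation, and nothing in the code says this is on purpose. Given the class name this is presumably the leak the lesson is built around, so a comment above the `log.info` call would keep it from being copied elsewhere or "fixed" by accident, e.g. `// Intentional for this lesson: Base64 is an encoding, not protection, so the password is recoverable from the log`. The public `generatePassword()` method disappears with this change, and any callers or tests that invoked it are not visible here. The constructor body continues outside the hunk.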
diff --git a/src/main/java/org/owasp/webgoat/lessons/logging/LogSpoofingTask.java b/src/main/java/org/owasp/webgoat/lessons/logging/LogSpoofingTask.java
index 0fe3b3559..bcce8a57a 100644
--- a/src/main/java/org/owasp/webgoat/lessons/logging/LogSpoofingTask.java
+++ b/src/main/java/org/owasp/webgoat/lessons/logging/LogSpoofingTask.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.logging;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import org.apache.logging.log4j.util.Strings;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
@@ -31,7 +34,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RestController
-public class LogSpoofingTask extends AssignmentEndpoint {
+public class LogSpoofingTask implements AssignmentEndpoint {
@PostMapping("/LogSpoofing/log-spoofing")
@ResponseBody
diff --git a/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACHiddenMenus.java b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACHiddenMenus.java
index 8cf11a6fb..2bbb06687 100644
--- a/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACHiddenMenus.java
+++ b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACHiddenMenus.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.missingac;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
@@ -36,7 +39,7 @@ import org.springframework.web.bind.annotation.RestController;
"access-control.hidden-menus.hint2",
"access-control.hidden-menus.hint3"
})
-public class MissingFunctionACHiddenMenus extends AssignmentEndpoint {
+public class MissingFunctionACHiddenMenus implements AssignmentEndpoint {
@PostMapping(
path = "/access-control/hidden-menu",
diff --git a/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHash.java b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHash.java
index 8417ae059..722e376f9 100644
--- a/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHash.java
+++ b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHash.java
@@ -22,9 +22,10 @@
package org.owasp.webgoat.lessons.missingac;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import static org.owasp.webgoat.lessons.missingac.MissingFunctionAC.PASSWORD_SALT_SIMPLE;
-import lombok.RequiredArgsConstructor;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
@@ -40,11 +41,14 @@ import org.springframework.web.bind.annotation.RestController;
"access-control.hash.hint4",
"access-control.hash.hint5"
})
-@RequiredArgsConstructor
-public class MissingFunctionACYourHash extends AssignmentEndpoint {
+public class MissingFunctionACYourHash implements AssignmentEndpoint {
private final MissingAccessControlUserRepository userRepository;
+ public MissingFunctionACYourHash(MissingAccessControlUserRepository userRepository) {
+ this.userRepository = userRepository;
+ }
+
@PostMapping(
path = "/access-control/user-hash",
produces = {"application/json"})
diff --git a/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHashAdmin.java b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHashAdmin.java
index 8db5c5b7c..c36442a2a 100644
--- a/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHashAdmin.java
+++ b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHashAdmin.java
@@ -22,6 +22,8 @@
package org.owasp.webgoat.lessons.missingac;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import static org.owasp.webgoat.lessons.missingac.MissingFunctionAC.PASSWORD_SALT_ADMIN;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@@ -42,7 +44,7 @@ import org.springframework.web.bind.annotation.RestController;
"access-control.hash.hint12",
"access-control.hash.hint13"
})
-public class MissingFunctionACYourHashAdmin extends AssignmentEndpoint {
+public class MissingFunctionACYourHashAdmin implements AssignmentEndpoint {
private final MissingAccessControlUserRepository userRepository;
diff --git a/src/main/java/org/owasp/webgoat/lessons/passwordreset/QuestionsAssignment.java b/src/main/java/org/owasp/webgoat/lessons/passwordreset/QuestionsAssignment.java
index 8568b97ec..02a9475da 100644
--- a/src/main/java/org/owasp/webgoat/lessons/passwordreset/QuestionsAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/passwordreset/QuestionsAssignment.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.passwordreset;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import java.util.HashMap;
import java.util.Map;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@@ -37,7 +40,7 @@ import org.springframework.web.bind.annotation.RestController;
* @since 8/20/17.
*/
@RestController
-public class QuestionsAssignment extends AssignmentEndpoint {
+public class QuestionsAssignment implements AssignmentEndpoint {
private static final Map COLORS = new HashMap<>();
diff --git a/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignment.java b/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignment.java
index eae7e4cfe..3fe8af534 100644
--- a/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignment.java
@@ -22,6 +22,8 @@
package org.owasp.webgoat.lessons.passwordreset;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import static org.springframework.util.StringUtils.hasText;
import com.google.common.collect.Maps;
@@ -58,7 +60,7 @@ import org.springframework.web.servlet.ModelAndView;
"password-reset-hint5",
"password-reset-hint6"
})
-public class ResetLinkAssignment extends AssignmentEndpoint {
+public class ResetLinkAssignment implements AssignmentEndpoint {
private static final String VIEW_FORMATTER = "lessons/passwordreset/templates/%s.html";
static final String PASSWORD_TOM_9 =
diff --git a/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignmentForgotPassword.java b/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignmentForgotPassword.java
index fd293287c..1a2780467 100644
--- a/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignmentForgotPassword.java
+++ b/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignmentForgotPassword.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.passwordreset;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import jakarta.servlet.http.HttpServletRequest;
import java.util.UUID;
import org.owasp.webgoat.container.CurrentUsername;
@@ -44,12 +47,12 @@ import org.springframework.web.client.RestTemplate;
* @since 8/20/17.
*/
@RestController
-public class ResetLinkAssignmentForgotPassword extends AssignmentEndpoint {
+public class ResetLinkAssignmentForgotPassword implements AssignmentEndpoint {
private final RestTemplate restTemplate;
- private String webWolfHost;
- private String webWolfPort;
- private String webWolfURL;
+ private final String webWolfHost;
+ private final String webWolfPort;
+ private final String webWolfURL;
private final String webWolfMailURL;
public ResetLinkAssignmentForgotPassword(
diff --git a/src/main/java/org/owasp/webgoat/lessons/passwordreset/SecurityQuestionAssignment.java b/src/main/java/org/owasp/webgoat/lessons/passwordreset/SecurityQuestionAssignment.java
index 044689717..f08bc7890 100644
--- a/src/main/java/org/owasp/webgoat/lessons/passwordreset/SecurityQuestionAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/passwordreset/SecurityQuestionAssignment.java
@@ -23,12 +23,13 @@
package org.owasp.webgoat.lessons.passwordreset;
import static java.util.Optional.of;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.informationMessage;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import java.util.HashMap;
import java.util.Map;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
-import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
@@ -41,9 +42,9 @@ import org.springframework.web.bind.annotation.RestController;
* @since 11.12.18
*/
@RestController
-public class SecurityQuestionAssignment extends AssignmentEndpoint {
+public class SecurityQuestionAssignment implements AssignmentEndpoint {
- @Autowired private TriedQuestions triedQuestions;
+ private final TriedQuestions triedQuestions;
private static Map questions;
@@ -90,6 +91,10 @@ public class SecurityQuestionAssignment extends AssignmentEndpoint {
questions.put("What is your favorite color?", "Can easily be guessed.");
}
+ public SecurityQuestionAssignment(TriedQuestions triedQuestions) {
+ this.triedQuestions = triedQuestions;
+ }
+
@PostMapping("/PasswordReset/SecurityQuestions")
@ResponseBody
public AttackResult completed(@RequestParam String question) {
diff --git a/src/main/java/org/owasp/webgoat/lessons/passwordreset/SimpleMailAssignment.java b/src/main/java/org/owasp/webgoat/lessons/passwordreset/SimpleMailAssignment.java
index 9e74fadd5..cd862d49b 100644
--- a/src/main/java/org/owasp/webgoat/lessons/passwordreset/SimpleMailAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/passwordreset/SimpleMailAssignment.java
@@ -23,6 +23,9 @@
package org.owasp.webgoat.lessons.passwordreset;
import static java.util.Optional.ofNullable;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.informationMessage;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import java.time.LocalDateTime;
import org.apache.commons.lang3.StringUtils;
@@ -43,8 +46,7 @@ import org.springframework.web.client.RestTemplate;
* @since 8/20/17.
*/
@RestController
-public class SimpleMailAssignment extends AssignmentEndpoint {
-
+public class SimpleMailAssignment implements AssignmentEndpoint {
private final String webWolfURL;
private RestTemplate restTemplate;
diff --git a/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadBase.java b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadBase.java
index d17a9b912..f212b170e 100644
--- a/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadBase.java
+++ b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadBase.java
@@ -1,5 +1,9 @@
package org.owasp.webgoat.lessons.pathtraversal;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.informationMessage;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
@@ -7,7 +11,6 @@ import java.nio.file.Files;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
-import lombok.AllArgsConstructor;
import lombok.Getter;
import lombok.SneakyThrows;
import org.apache.commons.io.FilenameUtils;
@@ -21,11 +24,14 @@ import org.springframework.util.FileSystemUtils;
import org.springframework.util.StringUtils;
import org.springframework.web.multipart.MultipartFile;
-@AllArgsConstructor
@Getter
-public class ProfileUploadBase extends AssignmentEndpoint {
+public class ProfileUploadBase implements AssignmentEndpoint {
- private String webGoatHomeDirectory;
+ private final String webGoatHomeDirectory;
+
+ public ProfileUploadBase(String webGoatHomeDirectory) {
+ this.webGoatHomeDirectory = webGoatHomeDirectory;
+ }
protected AttackResult execute(MultipartFile file, String fullName, String username) {
if (file.isEmpty()) {
diff --git a/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrieval.java b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrieval.java
index 37ee58f10..2225c4d50 100644
--- a/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrieval.java
+++ b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrieval.java
@@ -1,5 +1,8 @@
package org.owasp.webgoat.lessons.pathtraversal;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import jakarta.annotation.PostConstruct;
import jakarta.servlet.http.HttpServletRequest;
import java.io.File;
@@ -40,8 +43,7 @@ import org.springframework.web.bind.annotation.RestController;
"path-traversal-profile-retrieve.hint6"
})
@Slf4j
-public class ProfileUploadRetrieval extends AssignmentEndpoint {
-
+public class ProfileUploadRetrieval implements AssignmentEndpoint {
private final File catPicturesDirectory;
public ProfileUploadRetrieval(@Value("${webgoat.server.directory}") String webGoatHomeDirectory) {
diff --git a/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileZipSlip.java b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileZipSlip.java
index f6422a306..891d6bafd 100644
--- a/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileZipSlip.java
+++ b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileZipSlip.java
@@ -1,5 +1,7 @@
package org.owasp.webgoat.lessons.pathtraversal;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import static org.springframework.http.MediaType.ALL_VALUE;
import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
diff --git a/src/main/java/org/owasp/webgoat/lessons/securepasswords/SecurePasswordsAssignment.java b/src/main/java/org/owasp/webgoat/lessons/securepasswords/SecurePasswordsAssignment.java
index 5b9932d36..b90adf437 100644
--- a/src/main/java/org/owasp/webgoat/lessons/securepasswords/SecurePasswordsAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/securepasswords/SecurePasswordsAssignment.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.securepasswords;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import com.nulabinc.zxcvbn.Strength;
import com.nulabinc.zxcvbn.Zxcvbn;
import java.text.DecimalFormat;
@@ -35,7 +38,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RestController
-public class SecurePasswordsAssignment extends AssignmentEndpoint {
+public class SecurePasswordsAssignment implements AssignmentEndpoint {
@PostMapping("SecurePasswords/assignment")
@ResponseBody
diff --git a/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java b/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java
index d8bda9007..6d68423b8 100644
--- a/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java
@@ -23,6 +23,10 @@
package org.owasp.webgoat.lessons.spoofcookie;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.informationMessage;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletResponse;
import java.util.Map;
@@ -48,7 +52,7 @@ import org.springframework.web.bind.annotation.RestController;
@AssignmentHints({"spoofcookie.hint1", "spoofcookie.hint2", "spoofcookie.hint3"})
@RestController
-public class SpoofCookieAssignment extends AssignmentEndpoint {
+public class SpoofCookieAssignment implements AssignmentEndpoint {
private static final String COOKIE_NAME = "spoof_auth";
private static final String COOKIE_INFO =
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java
index 95f86ca02..f5b0a88ba 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.sqlinjection.advanced;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import java.sql.*;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.container.LessonDataSource;
@@ -42,7 +45,7 @@ import org.springframework.web.bind.annotation.RestController;
@AssignmentHints(
value = {"SqlInjectionChallenge1", "SqlInjectionChallenge2", "SqlInjectionChallenge3"})
@Slf4j
-public class SqlInjectionChallenge extends AssignmentEndpoint {
+public class SqlInjectionChallenge implements AssignmentEndpoint {
private final LessonDataSource dataSource;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallengeLogin.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallengeLogin.java
index bdfcc88f2..4a6374851 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallengeLogin.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallengeLogin.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.sqlinjection.advanced;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import org.owasp.webgoat.container.LessonDataSource;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
@@ -39,8 +42,7 @@ import org.springframework.web.bind.annotation.RestController;
"SqlInjectionChallengeHint3",
"SqlInjectionChallengeHint4"
})
-public class SqlInjectionChallengeLogin extends AssignmentEndpoint {
-
+public class SqlInjectionChallengeLogin implements AssignmentEndpoint {
private final LessonDataSource dataSource;
public SqlInjectionChallengeLogin(LessonDataSource dataSource) {
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java
index 1de70b5ca..96f090ff7 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.sqlinjection.advanced;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
@@ -46,8 +49,7 @@ import org.springframework.web.bind.annotation.RestController;
"SqlStringInjectionHint-advanced-6a-4",
"SqlStringInjectionHint-advanced-6a-5"
})
-public class SqlInjectionLesson6a extends AssignmentEndpoint {
-
+public class SqlInjectionLesson6a implements AssignmentEndpoint {
private final LessonDataSource dataSource;
private static final String YOUR_QUERY_WAS = " Your query was: ";
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6b.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6b.java
index 5cf42437f..36e8530ab 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6b.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6b.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.sqlinjection.advanced;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import java.io.IOException;
import java.sql.Connection;
import java.sql.ResultSet;
@@ -36,8 +39,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RestController
-public class SqlInjectionLesson6b extends AssignmentEndpoint {
-
+public class SqlInjectionLesson6b implements AssignmentEndpoint {
private final LessonDataSource dataSource;
public SqlInjectionLesson6b(LessonDataSource dataSource) {
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionQuiz.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionQuiz.java
index e7c03139a..841bafbbf 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionQuiz.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionQuiz.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.sqlinjection.advanced;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import java.io.IOException;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
@@ -37,7 +40,7 @@ import org.springframework.web.bind.annotation.RestController;
* implement the quiz go to the quiz.js file in webgoat-container -> js
*/
@RestController
-public class SqlInjectionQuiz extends AssignmentEndpoint {
+public class SqlInjectionQuiz implements AssignmentEndpoint {
String[] solutions = {"Solution 4", "Solution 3", "Solution 2", "Solution 3", "Solution 4"};
boolean[] guesses = new boolean[solutions.length];
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java
index 55f802116..215a00bf3 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.sqlinjection.introduction;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
@@ -45,7 +48,7 @@ import org.springframework.web.bind.annotation.RestController;
"SqlStringInjectionHint.10.5",
"SqlStringInjectionHint.10.6"
})
-public class SqlInjectionLesson10 extends AssignmentEndpoint {
+public class SqlInjectionLesson10 implements AssignmentEndpoint {
private final LessonDataSource dataSource;
@@ -120,8 +123,7 @@ public class SqlInjectionLesson10 extends AssignmentEndpoint {
if (errorMsg.contains("object not found: ACCESS_LOG")) {
return false;
} else {
- System.err.println(e.getMessage());
- return false;
+ return true;
}
}
}
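Review bot: The `else` branch of this catch block now returns `true` for every SQL error other than the "object not found: ACCESS_LOG" one, and the `System.err.println` that reported the error is removed without a replacement. An unrelated failure such as a lost connection or a permission error is therefore silently treated as a positive result. If `true` is meant as the conservative answer, say so in a comment and log the exception instead of dropping it, e.g. `log.warn("Unexpected SQL error while checking ACCESS_LOG", e);` (assuming the class has a logger; none is visible in this hunk). `errorMsg` is also dereferenced without a null check, which would throw if it comes from `e.getMessage()` and the driver supplies no message. The method starts outside the hunk, so its name and callers cannot be confirmed from here.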
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson2.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson2.java
index 5540f31a4..15f595960 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson2.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson2.java
@@ -24,6 +24,8 @@ package org.owasp.webgoat.lessons.sqlinjection.introduction;
import static java.sql.ResultSet.CONCUR_READ_ONLY;
import static java.sql.ResultSet.TYPE_SCROLL_INSENSITIVE;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import java.sql.ResultSet;
import java.sql.SQLException;
@@ -45,7 +47,7 @@ import org.springframework.web.bind.annotation.RestController;
"SqlStringInjectionHint2-3",
"SqlStringInjectionHint2-4"
})
-public class SqlInjectionLesson2 extends AssignmentEndpoint {
+public class SqlInjectionLesson2 implements AssignmentEndpoint {
private final LessonDataSource dataSource;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson3.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson3.java
index f34c9302d..352fa5e2c 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson3.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson3.java
@@ -24,6 +24,8 @@ package org.owasp.webgoat.lessons.sqlinjection.introduction;
import static java.sql.ResultSet.CONCUR_READ_ONLY;
import static java.sql.ResultSet.TYPE_SCROLL_INSENSITIVE;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import java.sql.Connection;
import java.sql.ResultSet;
@@ -40,7 +42,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints(value = {"SqlStringInjectionHint3-1", "SqlStringInjectionHint3-2"})
-public class SqlInjectionLesson3 extends AssignmentEndpoint {
+public class SqlInjectionLesson3 implements AssignmentEndpoint {
private final LessonDataSource dataSource;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson4.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson4.java
index 2299becc4..24a64d287 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson4.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson4.java
@@ -24,6 +24,8 @@ package org.owasp.webgoat.lessons.sqlinjection.introduction;
import static java.sql.ResultSet.CONCUR_READ_ONLY;
import static java.sql.ResultSet.TYPE_SCROLL_INSENSITIVE;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import java.sql.Connection;
import java.sql.ResultSet;
@@ -41,7 +43,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints(
value = {"SqlStringInjectionHint4-1", "SqlStringInjectionHint4-2", "SqlStringInjectionHint4-3"})
-public class SqlInjectionLesson4 extends AssignmentEndpoint {
+public class SqlInjectionLesson4 implements AssignmentEndpoint {
private final LessonDataSource dataSource;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5.java
index 9678a2f9d..aa6e29200 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.sqlinjection.introduction;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import jakarta.annotation.PostConstruct;
import java.sql.Connection;
import java.sql.ResultSet;
@@ -43,7 +46,7 @@ import org.springframework.web.bind.annotation.RestController;
"SqlStringInjectionHint5-3",
"SqlStringInjectionHint5-4"
})
-public class SqlInjectionLesson5 extends AssignmentEndpoint {
+public class SqlInjectionLesson5 implements AssignmentEndpoint {
private final LessonDataSource dataSource;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5a.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5a.java
index 65c103d0f..74431a9bf 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5a.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5a.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.sqlinjection.introduction;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import java.sql.*;
import org.owasp.webgoat.container.LessonDataSource;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@@ -34,7 +37,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints(value = {"SqlStringInjectionHint5a1"})
-public class SqlInjectionLesson5a extends AssignmentEndpoint {
+public class SqlInjectionLesson5a implements AssignmentEndpoint {
private static final String EXPLANATION =
" Explanation: This injection works, because or '1' ="
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5b.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5b.java
index ebc8e1013..4e4d3c41b 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5b.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5b.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.sqlinjection.introduction;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import java.io.IOException;
import java.sql.*;
import org.owasp.webgoat.container.LessonDataSource;
@@ -41,7 +44,7 @@ import org.springframework.web.bind.annotation.RestController;
"SqlStringInjectionHint5b3",
"SqlStringInjectionHint5b4"
})
-public class SqlInjectionLesson5b extends AssignmentEndpoint {
+public class SqlInjectionLesson5b implements AssignmentEndpoint {
private final LessonDataSource dataSource;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java
index ae7fbb9f4..56f81ff56 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java
@@ -24,6 +24,8 @@ package org.owasp.webgoat.lessons.sqlinjection.introduction;
import static java.sql.ResultSet.CONCUR_UPDATABLE;
import static java.sql.ResultSet.TYPE_SCROLL_SENSITIVE;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import java.sql.*;
import java.text.SimpleDateFormat;
@@ -46,7 +48,7 @@ import org.springframework.web.bind.annotation.RestController;
"SqlStringInjectionHint.8.4",
"SqlStringInjectionHint.8.5"
})
-public class SqlInjectionLesson8 extends AssignmentEndpoint {
+public class SqlInjectionLesson8 implements AssignmentEndpoint {
private final LessonDataSource dataSource;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9.java
index 1128e2fec..79ec3bb0a 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9.java
@@ -24,6 +24,8 @@ package org.owasp.webgoat.lessons.sqlinjection.introduction;
import static org.hsqldb.jdbc.JDBCResultSet.CONCUR_UPDATABLE;
import static org.hsqldb.jdbc.JDBCResultSet.TYPE_SCROLL_SENSITIVE;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import java.sql.Connection;
import java.sql.ResultSet;
@@ -47,7 +49,7 @@ import org.springframework.web.bind.annotation.RestController;
"SqlStringInjectionHint.9.4",
"SqlStringInjectionHint.9.5"
})
-public class SqlInjectionLesson9 extends AssignmentEndpoint {
+public class SqlInjectionLesson9 implements AssignmentEndpoint {
private final LessonDataSource dataSource;
@@ -99,7 +101,6 @@ public class SqlInjectionLesson9 extends AssignmentEndpoint {
SqlInjectionLesson8.generateTable(this.getEmployeesDataOrderBySalaryDesc(connection)))
.build();
} catch (SQLException e) {
- System.err.println(e.getMessage());
return failed(this)
.output("" + e.getMessage() + " ")
.build();
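Review bot: With the `System.err.println` removed, the `SQLException` in this catch block is no longer recorded anywhere on the server; it is only echoed back to the client through `.output(...)`. SqlInjectionLesson13 in this same commit is annotated `@Slf4j` and calls `log.error("Failed", e)`, so the consistent fix is to annotate this class the same way and add `log.debug("Query failed in SqlInjectionLesson9", e);` before the `return`. That keeps the stack trace available when diagnosing a broken lesson. The enclosing method starts outside the hunk, so whether a logger is already available here is not visible.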
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10a.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10a.java
index fbe551427..d4dc18d2c 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10a.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10a.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.sqlinjection.mitigation;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
@@ -35,9 +38,9 @@ import org.springframework.web.bind.annotation.RestController;
@Slf4j
@AssignmentHints(
value = {"SqlStringInjectionHint-mitigation-10a-1", "SqlStringInjectionHint-mitigation-10a-2"})
-public class SqlInjectionLesson10a extends AssignmentEndpoint {
+public class SqlInjectionLesson10a implements AssignmentEndpoint {
- private String[] results = {
+ private static final String[] results = {
"getConnection", "PreparedStatement", "prepareStatement", "?", "?", "setString", "setString"
};
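Review bot: `results` is now `static final` but keeps a lowerCamelCase name, and as an array its elements can still be overwritten by any code in the class. Renaming it to `RESULTS` would mark it as a constant, and `private static final List<String> RESULTS = List.of(...)` would make it immutable. The code that reads the array is outside the hunk and would need the matching change. The same applies to `solutions` in CrossSiteScriptingQuiz.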
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10b.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10b.java
index 325d376bb..2037313f6 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10b.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10b.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.sqlinjection.mitigation;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import java.io.IOException;
import java.net.URI;
import java.util.Arrays;
@@ -52,7 +55,7 @@ import org.springframework.web.bind.annotation.RestController;
"SqlStringInjectionHint-mitigation-10b-4",
"SqlStringInjectionHint-mitigation-10b-5"
})
-public class SqlInjectionLesson10b extends AssignmentEndpoint {
+public class SqlInjectionLesson10b implements AssignmentEndpoint {
@PostMapping("/SqlInjectionMitigations/attack10b")
@ResponseBody
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson13.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson13.java
index 453f0e3e1..f2ac154d0 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson13.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson13.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.sqlinjection.mitigation;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
@@ -45,7 +48,7 @@ import org.springframework.web.bind.annotation.RestController;
"SqlStringInjectionHint-mitigation-13-4"
})
@Slf4j
-public class SqlInjectionLesson13 extends AssignmentEndpoint {
+public class SqlInjectionLesson13 implements AssignmentEndpoint {
private final LessonDataSource dataSource;
@@ -68,7 +71,7 @@ public class SqlInjectionLesson13 extends AssignmentEndpoint {
return failed(this).build();
} catch (SQLException e) {
log.error("Failed", e);
- return (failed(this).build());
+ return failed(this).build();
}
}
}
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidation.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidation.java
index 4cfec6337..f0df96711 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidation.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidation.java
@@ -22,6 +22,8 @@
package org.owasp.webgoat.lessons.sqlinjection.mitigation;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
@@ -34,7 +36,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints(
value = {"SqlOnlyInputValidation-1", "SqlOnlyInputValidation-2", "SqlOnlyInputValidation-3"})
-public class SqlOnlyInputValidation extends AssignmentEndpoint {
+public class SqlOnlyInputValidation implements AssignmentEndpoint {
private final SqlInjectionLesson6a lesson6a;
@@ -52,7 +54,9 @@ public class SqlOnlyInputValidation extends AssignmentEndpoint {
return new AttackResult(
attackResult.isLessonCompleted(),
attackResult.getFeedback(),
+ attackResult.getFeedbackArgs(),
attackResult.getOutput(),
+ attackResult.getOutputArgs(),
getClass().getSimpleName(),
true);
}
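Review bot: The seven-argument positional `new AttackResult(...)` copy at the end of this hunk is repeated line for line in SqlOnlyInputValidationOnKeywords, and this commit had to edit both to pass `getFeedbackArgs()` and `getOutputArgs()` through. A single copy helper next to the other `AttackResultBuilder` factories, taking the source result and the new assignment name, would leave one place to update when `AttackResult` next gains a field. It would also remove the risk of swapping two adjacent arguments. The trailing bare `true` would read better with a short comment naming the parameter it sets. The enclosing method starts outside the hunk.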
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationOnKeywords.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationOnKeywords.java
index 3a324bc65..0ca75999a 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationOnKeywords.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationOnKeywords.java
@@ -22,6 +22,8 @@
package org.owasp.webgoat.lessons.sqlinjection.mitigation;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
@@ -38,7 +40,7 @@ import org.springframework.web.bind.annotation.RestController;
"SqlOnlyInputValidationOnKeywords-2",
"SqlOnlyInputValidationOnKeywords-3"
})
-public class SqlOnlyInputValidationOnKeywords extends AssignmentEndpoint {
+public class SqlOnlyInputValidationOnKeywords implements AssignmentEndpoint {
private final SqlInjectionLesson6a lesson6a;
@@ -58,7 +60,9 @@ public class SqlOnlyInputValidationOnKeywords extends AssignmentEndpoint {
return new AttackResult(
attackResult.isLessonCompleted(),
attackResult.getFeedback(),
+ attackResult.getFeedbackArgs(),
attackResult.getOutput(),
+ attackResult.getOutputArgs(),
getClass().getSimpleName(),
true);
}
diff --git a/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask1.java b/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask1.java
index 3a07664f3..986602731 100644
--- a/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask1.java
+++ b/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask1.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.ssrf;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
@@ -32,7 +35,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints({"ssrf.hint1", "ssrf.hint2"})
-public class SSRFTask1 extends AssignmentEndpoint {
+public class SSRFTask1 implements AssignmentEndpoint {
@PostMapping("/SSRF/task1")
@ResponseBody
diff --git a/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask2.java b/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask2.java
index 35f9491f7..a48b42278 100644
--- a/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask2.java
+++ b/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask2.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.ssrf;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
@@ -37,7 +40,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints({"ssrf.hint3"})
-public class SSRFTask2 extends AssignmentEndpoint {
+public class SSRFTask2 implements AssignmentEndpoint {
@PostMapping("/SSRF/task2")
@ResponseBody
diff --git a/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLesson.java b/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLesson.java
index ad1a91cc4..e2edd5667 100644
--- a/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLesson.java
+++ b/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLesson.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.vulnerablecomponents;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import com.thoughtworks.xstream.XStream;
import org.apache.commons.lang3.StringUtils;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@@ -34,7 +37,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints({"vulnerable.hint"})
-public class VulnerableComponentsLesson extends AssignmentEndpoint {
+public class VulnerableComponentsLesson implements AssignmentEndpoint {
@PostMapping("/VulnerableComponents/attack1")
public @ResponseBody AttackResult completed(@RequestParam String payload) {
diff --git a/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/LandingAssignment.java b/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/LandingAssignment.java
index 72a04bebd..152bae920 100644
--- a/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/LandingAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/LandingAssignment.java
@@ -22,9 +22,9 @@
package org.owasp.webgoat.lessons.webwolfintroduction;
-import jakarta.servlet.http.HttpServletRequest;
-import java.net.URI;
-import java.net.URISyntaxException;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import org.apache.commons.lang3.StringUtils;
import org.owasp.webgoat.container.CurrentUsername;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@@ -41,10 +41,12 @@ import org.springframework.web.servlet.ModelAndView;
* @since 8/20/17.
*/
@RestController
-public class LandingAssignment extends AssignmentEndpoint {
+public class LandingAssignment implements AssignmentEndpoint {
+ private final String landingPageUrl;
- @Value("${webwolf.landingpage.url}")
- private String landingPageUrl;
+ public LandingAssignment(@Value("${webwolf.landingpage.url}") String landingPageUrl) {
+ this.landingPageUrl = landingPageUrl;
+ }
@PostMapping("/WebWolf/landing")
@ResponseBody
@@ -56,9 +58,7 @@ public class LandingAssignment extends AssignmentEndpoint {
}
@GetMapping("/WebWolf/landing/password-reset")
- public ModelAndView openPasswordReset(
- HttpServletRequest request, @CurrentUsername String username) throws URISyntaxException {
- URI uri = new URI(request.getRequestURL().toString());
+ public ModelAndView openPasswordReset(@CurrentUsername String username) {
ModelAndView modelAndView = new ModelAndView();
modelAndView.addObject(
"webwolfLandingPageUrl", landingPageUrl.replace("//landing", "/landing"));
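Review bot: `openPasswordReset` still patches the configured URL on every request with `landingPageUrl.replace("//landing", "/landing")`, although the value is now injected once through the new constructor. Normalising it there, `this.landingPageUrl = landingPageUrl.replace("//landing", "/landing");`, would leave the handler with a plain `addObject` call and document the fix-up in one place. The POST handler is outside the hunk, so confirm it does not depend on the raw value. The method body also continues past the end of this hunk.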
diff --git a/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/MailAssignment.java b/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/MailAssignment.java
index 241428ae1..274887640 100644
--- a/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/MailAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/MailAssignment.java
@@ -22,6 +22,10 @@
package org.owasp.webgoat.lessons.webwolfintroduction;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.informationMessage;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import org.apache.commons.lang3.StringUtils;
import org.owasp.webgoat.container.CurrentUsername;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@@ -39,7 +43,7 @@ import org.springframework.web.client.RestTemplate;
* @since 8/20/17.
*/
@RestController
-public class MailAssignment extends AssignmentEndpoint {
+public class MailAssignment implements AssignmentEndpoint {
private final String webWolfURL;
private RestTemplate restTemplate;
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson1.java b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson1.java
index 114632ef5..79ee3469e 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson1.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson1.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.xss;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.springframework.web.bind.annotation.PostMapping;
@@ -30,7 +33,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RestController
-public class CrossSiteScriptingLesson1 extends AssignmentEndpoint {
+public class CrossSiteScriptingLesson1 implements AssignmentEndpoint {
@PostMapping("/CrossSiteScripting/attack1")
@ResponseBody
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson5a.java b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson5a.java
index 58ec12fc9..dcc1b5903 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson5a.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson5a.java
@@ -22,13 +22,15 @@
package org.owasp.webgoat.lessons.xss;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import java.util.function.Predicate;
import java.util.regex.Pattern;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.container.session.LessonSession;
-import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
@@ -42,13 +44,18 @@ import org.springframework.web.bind.annotation.RestController;
"xss-reflected-5a-hint-3",
"xss-reflected-5a-hint-4"
})
-public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
+public class CrossSiteScriptingLesson5a implements AssignmentEndpoint {
public static final Predicate XSS_PATTERN =
Pattern.compile(
".*.*", Pattern.CASE_INSENSITIVE)
.asMatchPredicate();
- @Autowired LessonSession userSessionData;
+
+ private final LessonSession userSessionData;
+
+ public CrossSiteScriptingLesson5a(LessonSession lessonSession) {
+ this.userSessionData = lessonSession;
+ }
@GetMapping("/CrossSiteScripting/attack5a")
@ResponseBody
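Review bot: The new constructor takes a parameter called `lessonSession` but stores it in a field still named `userSessionData`, while DOMCrossSiteScripting, DOMCrossSiteScriptingVerifier and StoredCrossSiteScriptingVerifier in this same commit name the equivalent field `lessonSession`. Renaming the field, `private final LessonSession lessonSession;` with `this.lessonSession = lessonSession;`, would make the XSS lessons consistent. CrossSiteScriptingLesson6a has the same leftover name on both its field and its constructor parameter. The uses of the field in the handler are outside the hunk and would need the same rename.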
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson6a.java b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson6a.java
index f4378bd72..a6fb245c3 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson6a.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson6a.java
@@ -22,11 +22,13 @@
package org.owasp.webgoat.lessons.xss;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.container.session.LessonSession;
-import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
@@ -40,8 +42,12 @@ import org.springframework.web.bind.annotation.RestController;
"xss-reflected-6a-hint-3",
"xss-reflected-6a-hint-4"
})
-public class CrossSiteScriptingLesson6a extends AssignmentEndpoint {
- @Autowired LessonSession userSessionData;
+public class CrossSiteScriptingLesson6a implements AssignmentEndpoint {
+ private final LessonSession userSessionData;
+
+ public CrossSiteScriptingLesson6a(LessonSession userSessionData) {
+ this.userSessionData = userSessionData;
+ }
@PostMapping("/CrossSiteScripting/attack6a")
@ResponseBody
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingQuiz.java b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingQuiz.java
index e193d262a..ab2a0a310 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingQuiz.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingQuiz.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.xss;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import java.io.IOException;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
@@ -32,9 +35,11 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RestController
-public class CrossSiteScriptingQuiz extends AssignmentEndpoint {
+public class CrossSiteScriptingQuiz implements AssignmentEndpoint {
- String[] solutions = {"Solution 4", "Solution 3", "Solution 1", "Solution 2", "Solution 4"};
+ private static final String[] solutions = {
+ "Solution 4", "Solution 3", "Solution 1", "Solution 2", "Solution 4"
+ };
boolean[] guesses = new boolean[solutions.length];
@PostMapping("/CrossSiteScripting/quiz")
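Review bot: `guesses` remains a package-private, mutable instance field next to the new `static final` `solutions`. A `@RestController` is a singleton by default, so every user and request thread shares that one array. If the POST handler writes the per-answer results into it, as the name suggests, concurrent submissions can overwrite each other and one user's results can be read back by another. Declaring it inside the handler, `boolean[] guesses = new boolean[solutions.length];`, would make it per-request. Any other method that reads the field is outside the hunk and would need the results passed to it some other way.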
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScripting.java b/src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScripting.java
index e4e44f33e..83b927649 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScripting.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScripting.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.xss;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import jakarta.servlet.http.HttpServletRequest;
import java.security.SecureRandom;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@@ -33,7 +36,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RestController
-public class DOMCrossSiteScripting extends AssignmentEndpoint {
+public class DOMCrossSiteScripting implements AssignmentEndpoint {
private final LessonSession lessonSession;
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScriptingVerifier.java b/src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScriptingVerifier.java
index 5d3efc960..87a4e74f6 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScriptingVerifier.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScriptingVerifier.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.xss;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
@@ -42,7 +45,7 @@ import org.springframework.web.bind.annotation.RestController;
"xss-dom-message-hint-5",
"xss-dom-message-hint-6"
})
-public class DOMCrossSiteScriptingVerifier extends AssignmentEndpoint {
+public class DOMCrossSiteScriptingVerifier implements AssignmentEndpoint {
private final LessonSession lessonSession;
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/mitigation/CrossSiteScriptingLesson3.java b/src/main/java/org/owasp/webgoat/lessons/xss/mitigation/CrossSiteScriptingLesson3.java
index 574c7a401..dc59d0cb3 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/mitigation/CrossSiteScriptingLesson3.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/mitigation/CrossSiteScriptingLesson3.java
@@ -23,6 +23,9 @@
package org.owasp.webgoat.lessons.xss.mitigation;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@@ -41,7 +44,7 @@ import org.springframework.web.bind.annotation.RestController;
"xss-mitigation-3-hint3",
"xss-mitigation-3-hint4"
})
-public class CrossSiteScriptingLesson3 extends AssignmentEndpoint {
+public class CrossSiteScriptingLesson3 implements AssignmentEndpoint {
@PostMapping("/CrossSiteScripting/attack3")
@ResponseBody
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/mitigation/CrossSiteScriptingLesson4.java b/src/main/java/org/owasp/webgoat/lessons/xss/mitigation/CrossSiteScriptingLesson4.java
index cd9341d9f..7afcc5d27 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/mitigation/CrossSiteScriptingLesson4.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/mitigation/CrossSiteScriptingLesson4.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.xss.mitigation;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
@@ -32,7 +35,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints(value = {"xss-mitigation-4-hint1"})
-public class CrossSiteScriptingLesson4 extends AssignmentEndpoint {
+public class CrossSiteScriptingLesson4 implements AssignmentEndpoint {
@PostMapping("/CrossSiteScripting/attack4")
@ResponseBody
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredCrossSiteScriptingVerifier.java b/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredCrossSiteScriptingVerifier.java
index f64857cce..6a51ab079 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredCrossSiteScriptingVerifier.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredCrossSiteScriptingVerifier.java
@@ -22,6 +22,9 @@
package org.owasp.webgoat.lessons.xss.stored;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.container.session.LessonSession;
@@ -32,7 +35,7 @@ import org.springframework.web.bind.annotation.RestController;
/** Created by jason on 11/23/16. */
@RestController
-public class StoredCrossSiteScriptingVerifier extends AssignmentEndpoint {
+public class StoredCrossSiteScriptingVerifier implements AssignmentEndpoint {
private final LessonSession lessonSession;
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredXssComments.java b/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredXssComments.java
index bfa1dd5a6..7d9c28fbc 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredXssComments.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredXssComments.java
@@ -22,6 +22,8 @@
package org.owasp.webgoat.lessons.xss.stored;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import static org.springframework.http.MediaType.ALL_VALUE;
import com.fasterxml.jackson.databind.ObjectMapper;
@@ -47,9 +49,9 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RestController
-public class StoredXssComments extends AssignmentEndpoint {
+public class StoredXssComments implements AssignmentEndpoint {
- private static DateTimeFormatter fmt = DateTimeFormatter.ofPattern("yyyy-MM-dd, HH:mm:ss");
+ private static final DateTimeFormatter fmt = DateTimeFormatter.ofPattern("yyyy-MM-dd, HH:mm:ss");
private static final Map> userComments = new HashMap<>();
private static final List comments = new ArrayList<>();
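Review bot: `userComments` and `comments` stay a plain `HashMap` and `ArrayList` held in static fields of a singleton controller. If the request handlers add to them, which is presumably the case for a stored-comments lesson, concurrent requests mutate unsynchronised collections. Initialising `userComments` with `new ConcurrentHashMap<>()` and `comments` with `new CopyOnWriteArrayList<>()` would make this safe; the per-user lists stored as map values would need the same treatment. The handlers are outside the hunk, so check how the collections are populated before changing them. Now that `fmt` is a constant, a name such as `COMMENT_TIMESTAMP_FORMAT` would also read better.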
diff --git a/src/main/java/org/owasp/webgoat/lessons/xxe/BlindSendFileAssignment.java b/src/main/java/org/owasp/webgoat/lessons/xxe/BlindSendFileAssignment.java
index 967634afa..55b577259 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xxe/BlindSendFileAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xxe/BlindSendFileAssignment.java
@@ -2,6 +2,8 @@ package org.owasp.webgoat.lessons.xxe;
import static java.nio.charset.StandardCharsets.UTF_8;
import static org.apache.commons.lang3.RandomStringUtils.randomAlphabetic;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import static org.springframework.http.MediaType.ALL_VALUE;
import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
@@ -58,7 +60,7 @@ import org.springframework.web.bind.annotation.RestController;
"xxe.blind.hints.4",
"xxe.blind.hints.5"
})
-public class BlindSendFileAssignment extends AssignmentEndpoint implements Initializable {
+public class BlindSendFileAssignment implements AssignmentEndpoint, Initializable {
private final String webGoatHomeDirectory;
private final CommentsCache comments;
diff --git a/src/main/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignment.java b/src/main/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignment.java
index cca470c61..4f5ed172e 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignment.java
@@ -24,6 +24,8 @@ package org.owasp.webgoat.lessons.xxe;
import static java.util.Optional.empty;
import static java.util.Optional.of;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
import com.fasterxml.jackson.databind.ObjectMapper;
@@ -36,7 +38,6 @@ import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.container.users.WebGoatUser;
-import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
@@ -46,16 +47,13 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints({"xxe.hints.content.type.xxe.1", "xxe.hints.content.type.xxe.2"})
-public class ContentTypeAssignment extends AssignmentEndpoint {
+public class ContentTypeAssignment implements AssignmentEndpoint {
private static final String[] DEFAULT_LINUX_DIRECTORIES = {"usr", "etc", "var"};
private static final String[] DEFAULT_WINDOWS_DIRECTORIES = {
"Windows", "Program Files (x86)", "Program Files", "pagefile.sys"
};
- @Value("${webgoat.server.directory}")
- private String webGoatHomeDirectory;
-
private final CommentsCache comments;
public ContentTypeAssignment(CommentsCache comments) {
diff --git a/src/main/java/org/owasp/webgoat/lessons/xxe/SimpleXXE.java b/src/main/java/org/owasp/webgoat/lessons/xxe/SimpleXXE.java
index f9ca3af16..2547cbcd4 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xxe/SimpleXXE.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xxe/SimpleXXE.java
@@ -22,6 +22,8 @@
package org.owasp.webgoat.lessons.xxe;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import static org.springframework.http.MediaType.ALL_VALUE;
import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
@@ -32,7 +34,6 @@ import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.container.users.WebGoatUser;
-import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
@@ -49,19 +50,13 @@ import org.springframework.web.bind.annotation.RestController;
"xxe.hints.simple.xxe.5",
"xxe.hints.simple.xxe.6"
})
-public class SimpleXXE extends AssignmentEndpoint {
+public class SimpleXXE implements AssignmentEndpoint {
private static final String[] DEFAULT_LINUX_DIRECTORIES = {"usr", "etc", "var"};
private static final String[] DEFAULT_WINDOWS_DIRECTORIES = {
"Windows", "Program Files (x86)", "Program Files", "pagefile.sys"
};
- @Value("${webgoat.server.directory}")
- private String webGoatHomeDirectory;
-
- @Value("${webwolf.landingpage.url}")
- private String webWolfURL;
-
private final CommentsCache comments;
public SimpleXXE(CommentsCache comments) {
diff --git a/src/main/resources/lessons/lessontemplate/documentation/lesson-template-attack.adoc b/src/main/resources/lessons/lessontemplate/documentation/lesson-template-attack.adoc
index e11f3ca98..c40a8f4bb 100644
--- a/src/main/resources/lessons/lessontemplate/documentation/lesson-template-attack.adoc
+++ b/src/main/resources/lessons/lessontemplate/documentation/lesson-template-attack.adoc
@@ -1,13 +1,13 @@
=== Step 4: Add an assignment to your lesson
With an assignment, a user can practice within a lesson. A lesson can consist of multiple assignments, each assignment
-needs to extend the class `AssignmentEndpoint`, let's look at an example:
+needs to implement the class `AssignmentEndpoint`, let's look at an example:
[source,java]
----
-@RestController // <1>
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;@RestController // <1>
@AssignmentHints({"lesson-template.hints.1", "lesson-template.hints.2", "lesson-template.hints.3"}) // <2>
-public class SampleAttack extends AssignmentEndpoint { // <3>
+public class SampleAttack implements AssignmentEndpoint { // <3>
private final String secretValue = "secr37Value";
@@ -19,7 +19,7 @@ public class SampleAttack extends AssignmentEndpoint { // <3>
public AttackResult completed(@RequestParam("param1") String param1, @RequestParam("param2") String param2) { <6>
if (userSessionData.getValue("some-value") != null) {
// do any session updating you want here ... or not, just comment/example here
- //return failed(this).feedback("lesson-template.sample-attack.failure-2").build();
+ //return builder.failed(this).feedback("lesson-template.sample-attack.failure-2").build();
}
//overly simple example for success. See other existing lessons for ways to detect 'success' or 'failure'
@@ -40,7 +40,7 @@ public class SampleAttack extends AssignmentEndpoint { // <3>
----
<1> Every assignment is just a Spring RestController
<2> Each assignment can have a list of hints. The actual text needs to be placed in `WebGoatLabels.properties` in the folder `src/main/resources/{lessonName}/i18n`
-<3> Each assignment needs to extend the class `AssignmentEndpoint`, giving you some helpful methods you need when you want to mark an assignment as complete
+<3> Each assignment needs to implement the interface `AssignmentEndpoint`. This is a marker interface, so no methods need to be implemented
<4> As the assignment is a Spring-based class, you can auto wire every component managed by Spring necessary for the assignment
<5> Each assignment should at least have one mapping with the method signature (see 6)
<6> When the user tries to solve an assignment, you need return an `AttackResult`
diff --git a/src/test/java/org/owasp/webgoat/container/assignments/AssignmentEndpointTest.java b/src/test/java/org/owasp/webgoat/container/assignments/AssignmentEndpointTest.java
deleted file mode 100644
index 74caee5df..000000000
--- a/src/test/java/org/owasp/webgoat/container/assignments/AssignmentEndpointTest.java
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 2017 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- *
- */
-
-package org.owasp.webgoat.container.assignments;
-
-import java.util.Locale;
-import org.mockito.Mock;
-import org.owasp.webgoat.WithWebGoatUser;
-import org.owasp.webgoat.container.i18n.Language;
-import org.owasp.webgoat.container.i18n.Messages;
-import org.owasp.webgoat.container.i18n.PluginMessages;
-import org.owasp.webgoat.container.users.UserProgress;
-import org.owasp.webgoat.container.users.UserProgressRepository;
-import org.springframework.context.support.ClassPathXmlApplicationContext;
-import org.springframework.test.util.ReflectionTestUtils;
-import org.springframework.web.servlet.i18n.FixedLocaleResolver;
-
-// Do not remove is the base class for all assignments tests
-
-@WithWebGoatUser
-public class AssignmentEndpointTest {
-
- @Mock protected UserProgress userTracker;
- @Mock protected UserProgressRepository userTrackerRepository;
-
- private Language language =
- new Language(new FixedLocaleResolver()) {
- @Override
- public Locale getLocale() {
- return Locale.ENGLISH;
- }
- };
- protected Messages messages = new Messages(language);
- protected PluginMessages pluginMessages =
- new PluginMessages(messages, language, new ClassPathXmlApplicationContext());
-
- public void init(AssignmentEndpoint a) {
- messages.setBasenames("classpath:/i18n/messages", "classpath:/i18n/WebGoatLabels");
- ReflectionTestUtils.setField(a, "messages", pluginMessages);
- }
-}
diff --git a/src/test/java/org/owasp/webgoat/container/plugins/LessonTest.java b/src/test/java/org/owasp/webgoat/container/plugins/LessonTest.java
index c3a9378a6..a9d03074f 100644
--- a/src/test/java/org/owasp/webgoat/container/plugins/LessonTest.java
+++ b/src/test/java/org/owasp/webgoat/container/plugins/LessonTest.java
@@ -22,6 +22,7 @@ import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.test.context.TestPropertySource;
import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;
/**
@@ -57,5 +58,6 @@ public abstract class LessonTest {
(WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
flywayLessons.apply(user.getUsername()).migrate();
lessonInitializers.forEach(init -> init.initialize(user));
+ this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
}
}
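Review bot: The `MockMvc` built on the added line is created without the Spring Security filter chain, so every `LessonTest` subclass sends requests straight to the controllers and a regression in the application's security configuration would not fail any lesson test. If that is intended, say so in a comment next to the line; otherwise build it as `MockMvcBuilders.webAppContextSetup(this.wac).apply(springSecurity()).build();` using `SecurityMockMvcConfigurers.springSecurity()`. Subclasses that still create their own instance now duplicate or hide this one: `ChromeDevToolsTest` keeps its `@BeforeEach` and `MockMvcBuilders` import, and `ShopEndpointTest` keeps a `private MockMvc mockMvc` field. The enclosing method starts outside the hunk.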
diff --git a/src/test/java/org/owasp/webgoat/lessons/authbypass/BypassVerificationTest.java b/src/test/java/org/owasp/webgoat/lessons/authbypass/BypassVerificationTest.java
index 291baff2a..edd8f58a8 100644
--- a/src/test/java/org/owasp/webgoat/lessons/authbypass/BypassVerificationTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/authbypass/BypassVerificationTest.java
@@ -25,30 +25,13 @@
package org.owasp.webgoat.lessons.authbypass;
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
-
-import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.mockito.junit.jupiter.MockitoExtension;
-import org.owasp.webgoat.container.assignments.AssignmentEndpointTest;
-import org.owasp.webgoat.container.session.LessonSession;
-import org.springframework.test.web.servlet.MockMvc;
+import org.owasp.webgoat.container.plugins.LessonTest;
-@ExtendWith(MockitoExtension.class)
-public class BypassVerificationTest extends AssignmentEndpointTest {
-
- private MockMvc mockMvc;
-
- @BeforeEach
- public void setup() {
- VerifyAccount verifyAccount = new VerifyAccount(new LessonSession());
- init(verifyAccount);
- this.mockMvc = standaloneSetup(verifyAccount).build();
- }
+class BypassVerificationTest extends LessonTest {
@Test
- public void placeHolder() {
+ void placeHolder() {
assert (true);
}
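Review bot: `placeHolder()` is still the only test here and `assert (true)` verifies nothing, so the class now boots the full `LessonTest` application context without exercising `VerifyAccount`, which the removed `setup()` at least instantiated. The Java `assert` statement is also skipped unless the JVM runs with `-ea`. Either delete the class or mark the method `@Disabled("no coverage for VerifyAccount yet")` until a real request/response test exists, so the gap in auth-bypass coverage is visible in the test report. The class's closing brace is outside the hunk.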
diff --git a/src/test/java/org/owasp/webgoat/lessons/challenges/Assignment1Test.java b/src/test/java/org/owasp/webgoat/lessons/challenges/Assignment1Test.java
index 3d360edfe..c792ffc58 100644
--- a/src/test/java/org/owasp/webgoat/lessons/challenges/Assignment1Test.java
+++ b/src/test/java/org/owasp/webgoat/lessons/challenges/Assignment1Test.java
@@ -23,33 +23,22 @@
package org.owasp.webgoat.lessons.challenges;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
import java.net.InetAddress;
import org.hamcrest.CoreMatchers;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.mockito.junit.jupiter.MockitoExtension;
-import org.owasp.webgoat.container.assignments.AssignmentEndpointTest;
-import org.owasp.webgoat.lessons.challenges.challenge1.Assignment1;
+import org.owasp.webgoat.container.plugins.LessonTest;
import org.owasp.webgoat.lessons.challenges.challenge1.ImageServlet;
-import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-@ExtendWith(MockitoExtension.class)
-class Assignment1Test extends AssignmentEndpointTest {
+class Assignment1Test extends LessonTest {
- private MockMvc mockMvc;
- private Flags flags;
+ @Autowired private Flags flags;
@BeforeEach
- void setup() {
- flags = new Flags();
- Assignment1 assignment1 = new Assignment1(flags);
- init(assignment1);
- this.mockMvc = standaloneSetup(assignment1).build();
- }
+ public void setup() {}
@Test
void success() throws Exception {
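Review bot: The empty `@BeforeEach public void setup() {}` left behind does nothing and should be removed together with the `BeforeEach` import. If `LessonTest` declares a lifecycle method with the same name and signature (not visible here), this empty override would replace it and silently skip the base initialisation. It is also the only `public` member left in a class whose other methods are package-private. `success()` continues outside the hunk.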
diff --git a/src/test/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7Test.java b/src/test/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7Test.java
index 0cd7fa945..8a13df1bb 100644
--- a/src/test/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7Test.java
+++ b/src/test/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7Test.java
@@ -27,44 +27,28 @@ import static org.hamcrest.Matchers.equalTo;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
import org.hamcrest.CoreMatchers;
-import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.DisplayName;
import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.mockito.Mock;
-import org.mockito.junit.jupiter.MockitoExtension;
-import org.owasp.webgoat.container.assignments.AssignmentEndpointTest;
-import org.owasp.webgoat.lessons.challenges.Flags;
+import org.owasp.webgoat.container.plugins.LessonTest;
import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.test.mock.mockito.MockBean;
import org.springframework.http.HttpStatus;
-import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.ResultActions;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.web.client.RestTemplate;
-@ExtendWith(MockitoExtension.class)
-public class Assignment7Test extends AssignmentEndpointTest {
- private MockMvc mockMvc;
-
+class Assignment7Test extends LessonTest {
private static final String CHALLENGE_PATH = "/challenge/7";
private static final String RESET_PASSWORD_PATH = CHALLENGE_PATH + "/reset-password";
private static final String GIT_PATH = CHALLENGE_PATH + "/.git";
- @Mock private RestTemplate restTemplate;
+ @MockBean private RestTemplate restTemplate;
@Value("${webwolf.mail.url}")
String webWolfMailURL;
- @BeforeEach
- void setup() {
- Assignment7 assignment7 = new Assignment7(new Flags(), restTemplate, webWolfMailURL);
- init(assignment7);
- mockMvc = standaloneSetup(assignment7).build();
- }
-
@Test
@DisplayName("Reset password test")
void resetPasswordTest() throws Exception {
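Review bot: `webWolfMailURL` was only passed to the `Assignment7` constructor in the removed `setup()`; unless a test outside this hunk still reads it, the `@Value("${webwolf.mail.url}")` field and the `Value` import are now dead and can be dropped. It would also help to add a one-line comment on `@MockBean private RestTemplate restTemplate`, such as `// replaces the context's RestTemplate so the reset-password flow makes no outbound call`, because the mock now affects every bean in the context rather than the one controller under test. `resetPasswordTest()` continues outside the hunk.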
diff --git a/src/test/java/org/owasp/webgoat/lessons/chromedevtools/ChromeDevToolsTest.java b/src/test/java/org/owasp/webgoat/lessons/chromedevtools/ChromeDevToolsTest.java
index 7d5f65d24..e0d1e5f9c 100644
--- a/src/test/java/org/owasp/webgoat/lessons/chromedevtools/ChromeDevToolsTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/chromedevtools/ChromeDevToolsTest.java
@@ -6,9 +6,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
import org.hamcrest.Matchers;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
import org.owasp.webgoat.container.plugins.LessonTest;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
@@ -16,7 +14,6 @@ import org.springframework.test.web.servlet.setup.MockMvcBuilders;
* @author Benedikt Stuhrmann
* @since 13/03/19.
*/
-@ExtendWith(SpringExtension.class)
public class ChromeDevToolsTest extends LessonTest {
@BeforeEach
diff --git a/src/test/java/org/owasp/webgoat/lessons/cia/CIAQuizTest.java b/src/test/java/org/owasp/webgoat/lessons/cia/CIAQuizTest.java
index a6da02a83..4f56116b9 100644
--- a/src/test/java/org/owasp/webgoat/lessons/cia/CIAQuizTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/cia/CIAQuizTest.java
@@ -5,26 +5,19 @@ import static org.hamcrest.CoreMatchers.is;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.owasp.webgoat.container.plugins.LessonTest;
import org.springframework.test.web.servlet.MvcResult;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-import org.springframework.test.web.servlet.setup.MockMvcBuilders;
/**
* @author Benedikt Stuhrmann
* @since 13/03/19.
*/
-public class CIAQuizTest extends LessonTest {
-
- @BeforeEach
- public void setup() {
- this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
- }
+class CIAQuizTest extends LessonTest {
@Test
- public void allAnswersCorrectIsSuccess() throws Exception {
+ void allAnswersCorrectIsSuccess() throws Exception {
String[] solution0 = {"Solution 3"};
String[] solution1 = {"Solution 1"};
String[] solution2 = {"Solution 4"};
@@ -42,7 +35,7 @@ public class CIAQuizTest extends LessonTest {
}
@Test
- public void oneAnswerWrongIsFailure() throws Exception {
+ void oneAnswerWrongIsFailure() throws Exception {
String[] solution0 = {"Solution 1"};
String[] solution1 = {"Solution 1"};
String[] solution2 = {"Solution 4"};
@@ -60,7 +53,7 @@ public class CIAQuizTest extends LessonTest {
}
@Test
- public void twoAnswersWrongIsFailure() throws Exception {
+ void twoAnswersWrongIsFailure() throws Exception {
String[] solution0 = {"Solution 1"};
String[] solution1 = {"Solution 1"};
String[] solution2 = {"Solution 4"};
@@ -78,7 +71,7 @@ public class CIAQuizTest extends LessonTest {
}
@Test
- public void threeAnswersWrongIsFailure() throws Exception {
+ void threeAnswersWrongIsFailure() throws Exception {
String[] solution0 = {"Solution 1"};
String[] solution1 = {"Solution 1"};
String[] solution2 = {"Solution 1"};
@@ -96,7 +89,7 @@ public class CIAQuizTest extends LessonTest {
}
@Test
- public void allAnswersWrongIsFailure() throws Exception {
+ void allAnswersWrongIsFailure() throws Exception {
String[] solution0 = {"Solution 2"};
String[] solution1 = {"Solution 1"};
String[] solution2 = {"Solution 3"};
@@ -114,7 +107,7 @@ public class CIAQuizTest extends LessonTest {
}
@Test
- public void allAnswersCorrectGetResultsReturnsTrueTrueTrueTrue() throws Exception {
+ void allAnswersCorrectGetResultsReturnsTrueTrueTrueTrue() throws Exception {
String[] solution0 = {"Solution 3"};
String[] solution1 = {"Solution 1"};
String[] solution2 = {"Solution 4"};
@@ -138,7 +131,7 @@ public class CIAQuizTest extends LessonTest {
}
@Test
- public void firstAnswerFalseGetResultsReturnsFalseTrueTrueTrue() throws Exception {
+ void firstAnswerFalseGetResultsReturnsFalseTrueTrueTrue() throws Exception {
String[] solution0 = {"Solution 2"};
String[] solution1 = {"Solution 1"};
String[] solution2 = {"Solution 4"};
@@ -162,7 +155,7 @@ public class CIAQuizTest extends LessonTest {
}
@Test
- public void secondAnswerFalseGetResultsReturnsTrueFalseTrueTrue() throws Exception {
+ void secondAnswerFalseGetResultsReturnsTrueFalseTrueTrue() throws Exception {
String[] solution0 = {"Solution 3"};
String[] solution1 = {"Solution 2"};
String[] solution2 = {"Solution 4"};
@@ -186,7 +179,7 @@ public class CIAQuizTest extends LessonTest {
}
@Test
- public void allAnswersFalseGetResultsReturnsFalseFalseFalseFalse() throws Exception {
+ void allAnswersFalseGetResultsReturnsFalseFalseFalseFalse() throws Exception {
String[] solution0 = {"Solution 1"};
String[] solution1 = {"Solution 2"};
String[] solution2 = {"Solution 1"};
diff --git a/src/test/java/org/owasp/webgoat/lessons/clientsidefiltering/ShopEndpointTest.java b/src/test/java/org/owasp/webgoat/lessons/clientsidefiltering/ShopEndpointTest.java
index b9ba65a95..e7d562a67 100644
--- a/src/test/java/org/owasp/webgoat/lessons/clientsidefiltering/ShopEndpointTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/clientsidefiltering/ShopEndpointTest.java
@@ -30,9 +30,7 @@ import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standal
import org.hamcrest.CoreMatchers;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
import org.owasp.webgoat.container.plugins.LessonTest;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
@@ -40,7 +38,6 @@ import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
* @author nbaars
* @since 5/2/17.
*/
-@ExtendWith(SpringExtension.class)
public class ShopEndpointTest extends LessonTest {
private MockMvc mockMvc;
diff --git a/src/test/java/org/owasp/webgoat/lessons/deserialization/DeserializeTest.java b/src/test/java/org/owasp/webgoat/lessons/deserialization/DeserializeTest.java
index 802c8c672..59e59e1f4 100644
--- a/src/test/java/org/owasp/webgoat/lessons/deserialization/DeserializeTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/deserialization/DeserializeTest.java
@@ -3,32 +3,17 @@ package org.owasp.webgoat.lessons.deserialization;
import static org.hamcrest.Matchers.is;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
import org.dummy.insecure.framework.VulnerableTaskHolder;
import org.hamcrest.CoreMatchers;
-import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.mockito.junit.jupiter.MockitoExtension;
-import org.owasp.webgoat.container.assignments.AssignmentEndpointTest;
-import org.springframework.test.web.servlet.MockMvc;
+import org.owasp.webgoat.container.plugins.LessonTest;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-@ExtendWith(MockitoExtension.class)
-class DeserializeTest extends AssignmentEndpointTest {
-
- private MockMvc mockMvc;
+class DeserializeTest extends LessonTest {
private static String OS = System.getProperty("os.name").toLowerCase();
- @BeforeEach
- void setup() {
- InsecureDeserializationTask insecureTask = new InsecureDeserializationTask();
- init(insecureTask);
- this.mockMvc = standaloneSetup(insecureTask).build();
- }
-
@Test
void success() throws Exception {
if (OS.indexOf("win") > -1) {
@@ -75,8 +60,7 @@ class DeserializeTest extends AssignmentEndpointTest {
.andExpect(
jsonPath(
"$.feedback",
- CoreMatchers.is(
- pluginMessages.getMessage("insecure-deserialization.invalidversion"))))
+ CoreMatchers.is(messages.getMessage("insecure-deserialization.invalidversion"))))
.andExpect(jsonPath("$.lessonCompleted", is(false)));
}
@@ -90,7 +74,7 @@ class DeserializeTest extends AssignmentEndpointTest {
.andExpect(
jsonPath(
"$.feedback",
- CoreMatchers.is(pluginMessages.getMessage("insecure-deserialization.expired"))))
+ CoreMatchers.is(messages.getMessage("insecure-deserialization.expired"))))
.andExpect(jsonPath("$.lessonCompleted", is(false)));
}
@@ -104,8 +88,7 @@ class DeserializeTest extends AssignmentEndpointTest {
.andExpect(
jsonPath(
"$.feedback",
- CoreMatchers.is(
- pluginMessages.getMessage("insecure-deserialization.stringobject"))))
+ CoreMatchers.is(messages.getMessage("insecure-deserialization.stringobject"))))
.andExpect(jsonPath("$.lessonCompleted", is(false)));
}
}
diff --git a/src/test/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignmentTest.java b/src/test/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignmentTest.java
index c5f05d4d5..6c23013ed 100644
--- a/src/test/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignmentTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignmentTest.java
@@ -28,20 +28,14 @@ import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.lenient;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.cookie;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
import jakarta.servlet.http.Cookie;
import org.hamcrest.CoreMatchers;
-import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.mockito.Mock;
-import org.mockito.junit.jupiter.MockitoExtension;
-import org.owasp.webgoat.container.assignments.AssignmentEndpointTest;
+import org.owasp.webgoat.container.plugins.LessonTest;
import org.owasp.webgoat.lessons.hijacksession.cas.Authentication;
import org.owasp.webgoat.lessons.hijacksession.cas.HijackSessionAuthenticationProvider;
-import org.springframework.test.util.ReflectionTestUtils;
-import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.boot.test.mock.mockito.MockBean;
import org.springframework.test.web.servlet.ResultActions;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
@@ -50,27 +44,14 @@ import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
* @author Angel Olle Blazquez
*
*/
+class HijackSessionAssignmentTest extends LessonTest {
-@ExtendWith(MockitoExtension.class)
-class HijackSessionAssignmentTest extends AssignmentEndpointTest {
-
- private MockMvc mockMvc;
private static final String COOKIE_NAME = "hijack_cookie";
private static final String LOGIN_CONTEXT_PATH = "/HijackSession/login";
- @Mock Authentication authenticationMock;
+ @MockBean Authentication authenticationMock;
- @Mock HijackSessionAuthenticationProvider providerMock;
-
- HijackSessionAssignment assignment;
-
- @BeforeEach
- void setup() {
- assignment = new HijackSessionAssignment();
- init(assignment);
- ReflectionTestUtils.setField(assignment, "provider", new HijackSessionAuthenticationProvider());
- mockMvc = standaloneSetup(assignment).build();
- }
+ @MockBean HijackSessionAuthenticationProvider providerMock;
@Test
void testValidCookie() throws Exception {
@@ -78,7 +59,6 @@ class HijackSessionAssignmentTest extends AssignmentEndpointTest {
lenient()
.when(providerMock.authenticate(any(Authentication.class)))
.thenReturn(authenticationMock);
- ReflectionTestUtils.setField(assignment, "provider", providerMock);
Cookie cookie = new Cookie(COOKIE_NAME, "value");
@@ -94,6 +74,10 @@ class HijackSessionAssignmentTest extends AssignmentEndpointTest {
@Test
void testBlankCookie() throws Exception {
+ lenient().when(authenticationMock.isAuthenticated()).thenReturn(false);
+ lenient()
+ .when(providerMock.authenticate(any(Authentication.class)))
+ .thenReturn(authenticationMock);
ResultActions result =
mockMvc.perform(
MockMvcRequestBuilders.post(LOGIN_CONTEXT_PATH)
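Review bot: `testBlankCookie` used to run against the real `HijackSessionAuthenticationProvider` created in the removed `setup()`, but with `providerMock` now a `@MockBean` the stubbing added here makes it assert on values the test itself supplies. The provider's real handling of a missing cookie is therefore no longer covered by this class. Keep at least one test against the real bean, for example in a separate test class without the `@MockBean`, or document where that path is covered. `lenient()` also appears to be redundant now that `MockitoExtension` strict stubbing is gone, so a plain `when(providerMock.authenticate(any(Authentication.class))).thenReturn(authenticationMock);` reads more clearly. The test body continues outside the hunk.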
diff --git a/src/test/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequestTest.java b/src/test/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequestTest.java
index 4ba92bf70..77a6ddf42 100644
--- a/src/test/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequestTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequestTest.java
@@ -24,31 +24,19 @@ package org.owasp.webgoat.lessons.httpproxies;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
import org.hamcrest.CoreMatchers;
-import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.junit.jupiter.MockitoExtension;
-import org.owasp.webgoat.container.assignments.AssignmentEndpointTest;
-import org.springframework.test.web.servlet.MockMvc;
+import org.owasp.webgoat.container.plugins.LessonTest;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
@ExtendWith(MockitoExtension.class)
-public class HttpBasicsInterceptRequestTest extends AssignmentEndpointTest {
-
- private MockMvc mockMvc;
-
- @BeforeEach
- public void setup() {
- HttpBasicsInterceptRequest httpBasicsInterceptRequest = new HttpBasicsInterceptRequest();
- init(httpBasicsInterceptRequest);
- this.mockMvc = standaloneSetup(httpBasicsInterceptRequest).build();
- }
+public class HttpBasicsInterceptRequestTest extends LessonTest {
@Test
- public void success() throws Exception {
+ void success() throws Exception {
mockMvc
.perform(
MockMvcRequestBuilders.get("/HttpProxies/intercept-request")
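Review bot: `@ExtendWith(MockitoExtension.class)` and its two imports are kept although the class now extends `LessonTest` and the visible code declares no Mockito mocks. The other tests migrated in this commit drop the extension. Remove the annotation and the `ExtendWith`/`MockitoExtension` imports so the class has a single, Spring-driven lifecycle, and drop `public` from the class to match the methods that were made package-private. `success()` continues outside the hunk.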
@@ -58,12 +46,12 @@ public class HttpBasicsInterceptRequestTest extends AssignmentEndpointTest {
.andExpect(
jsonPath(
"$.feedback",
- CoreMatchers.is(pluginMessages.getMessage("http-proxies.intercept.success"))))
+ CoreMatchers.is(messages.getMessage("http-proxies.intercept.success"))))
.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
}
@Test
- public void failure() throws Exception {
+ void failure() throws Exception {
mockMvc
.perform(
MockMvcRequestBuilders.get("/HttpProxies/intercept-request")
@@ -73,12 +61,12 @@ public class HttpBasicsInterceptRequestTest extends AssignmentEndpointTest {
.andExpect(
jsonPath(
"$.feedback",
- CoreMatchers.is(pluginMessages.getMessage("http-proxies.intercept.failure"))))
+ CoreMatchers.is(messages.getMessage("http-proxies.intercept.failure"))))
.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
}
@Test
- public void missingParam() throws Exception {
+ void missingParam() throws Exception {
mockMvc
.perform(
MockMvcRequestBuilders.get("/HttpProxies/intercept-request")
@@ -87,12 +75,12 @@ public class HttpBasicsInterceptRequestTest extends AssignmentEndpointTest {
.andExpect(
jsonPath(
"$.feedback",
- CoreMatchers.is(pluginMessages.getMessage("http-proxies.intercept.failure"))))
+ CoreMatchers.is(messages.getMessage("http-proxies.intercept.failure"))))
.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
}
@Test
- public void missingHeader() throws Exception {
+ void missingHeader() throws Exception {
mockMvc
.perform(
MockMvcRequestBuilders.get("/HttpProxies/intercept-request")
@@ -101,12 +89,12 @@ public class HttpBasicsInterceptRequestTest extends AssignmentEndpointTest {
.andExpect(
jsonPath(
"$.feedback",
- CoreMatchers.is(pluginMessages.getMessage("http-proxies.intercept.failure"))))
+ CoreMatchers.is(messages.getMessage("http-proxies.intercept.failure"))))
.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
}
@Test
- public void whenPostAssignmentShouldNotPass() throws Exception {
+ void whenPostAssignmentShouldNotPass() throws Exception {
mockMvc
.perform(
MockMvcRequestBuilders.post("/HttpProxies/intercept-request")
@@ -116,7 +104,7 @@ public class HttpBasicsInterceptRequestTest extends AssignmentEndpointTest {
.andExpect(
jsonPath(
"$.feedback",
- CoreMatchers.is(pluginMessages.getMessage("http-proxies.intercept.failure"))))
+ CoreMatchers.is(messages.getMessage("http-proxies.intercept.failure"))))
.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
}
}
diff --git a/src/test/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpointTest.java b/src/test/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpointTest.java
index 7972c7b9e..5abb6fdaf 100644
--- a/src/test/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpointTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpointTest.java
@@ -65,7 +65,6 @@ public class JWTRefreshEndpointTest extends LessonTest {
.andReturn();
Map tokens =
objectMapper.readValue(result.getResponse().getContentAsString(), Map.class);
- String accessToken = tokens.get("access_token");
String refreshToken = tokens.get("refresh_token");
// Now create a new refresh token for Tom based on Toms old access token and send the refresh
diff --git a/src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACHiddenMenusTest.java b/src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACHiddenMenusTest.java
index d55c08814..01f381839 100644
--- a/src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACHiddenMenusTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACHiddenMenusTest.java
@@ -23,31 +23,16 @@
package org.owasp.webgoat.lessons.missingac;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
import org.hamcrest.CoreMatchers;
-import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.mockito.junit.jupiter.MockitoExtension;
-import org.owasp.webgoat.container.assignments.AssignmentEndpointTest;
-import org.springframework.test.web.servlet.MockMvc;
+import org.owasp.webgoat.container.plugins.LessonTest;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-@ExtendWith(MockitoExtension.class)
-public class MissingFunctionACHiddenMenusTest extends AssignmentEndpointTest {
-
- private MockMvc mockMvc;
-
- @BeforeEach
- public void setup() {
- MissingFunctionACHiddenMenus hiddenMenus = new MissingFunctionACHiddenMenus();
- init(hiddenMenus);
- this.mockMvc = standaloneSetup(hiddenMenus).build();
- }
+class MissingFunctionACHiddenMenusTest extends LessonTest {
@Test
- public void HiddenMenusSuccess() throws Exception {
+ void HiddenMenusSuccess() throws Exception {
mockMvc
.perform(
MockMvcRequestBuilders.post("/access-control/hidden-menu")
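Review bot: The test methods edited here still begin with an upper-case letter (`HiddenMenusSuccess`, and `HiddenMenusClose` / `HiddenMenusFailure` in the next two hunks), which departs from Java's lowerCamelCase method naming and from the other tests in this change (`success`, `failure`, `missingParam`). Each signature line is already being rewritten to drop `public`, so the rename could ride along, e.g. `void hiddenMenusSuccess() throws Exception {`. The method body continues outside this hunk.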
@@ -56,12 +41,12 @@ public class MissingFunctionACHiddenMenusTest extends AssignmentEndpointTest {
.andExpect(
jsonPath(
"$.feedback",
- CoreMatchers.is(pluginMessages.getMessage("access-control.hidden-menus.success"))))
+ CoreMatchers.is(messages.getMessage("access-control.hidden-menus.success"))))
.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
}
@Test
- public void HiddenMenusClose() throws Exception {
+ void HiddenMenusClose() throws Exception {
mockMvc
.perform(
MockMvcRequestBuilders.post("/access-control/hidden-menu")
@@ -70,12 +55,12 @@ public class MissingFunctionACHiddenMenusTest extends AssignmentEndpointTest {
.andExpect(
jsonPath(
"$.feedback",
- CoreMatchers.is(pluginMessages.getMessage("access-control.hidden-menus.close"))))
+ CoreMatchers.is(messages.getMessage("access-control.hidden-menus.close"))))
.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
}
@Test
- public void HiddenMenusFailure() throws Exception {
+ void HiddenMenusFailure() throws Exception {
mockMvc
.perform(
MockMvcRequestBuilders.post("/access-control/hidden-menu")
@@ -84,7 +69,7 @@ public class MissingFunctionACHiddenMenusTest extends AssignmentEndpointTest {
.andExpect(
jsonPath(
"$.feedback",
- CoreMatchers.is(pluginMessages.getMessage("access-control.hidden-menus.failure"))))
+ CoreMatchers.is(messages.getMessage("access-control.hidden-menus.failure"))))
.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
}
}
diff --git a/src/test/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignmentTest.java b/src/test/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignmentTest.java
index 23ac86607..6d07a9118 100644
--- a/src/test/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignmentTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignmentTest.java
@@ -7,18 +7,15 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
import org.owasp.webgoat.container.plugins.LessonTest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.core.io.ResourceLoader;
import org.springframework.http.HttpHeaders;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
import org.springframework.test.web.servlet.MvcResult;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
-@ExtendWith(SpringExtension.class)
class ResetLinkAssignmentTest extends LessonTest {
@Value("${webwolf.host}")
diff --git a/src/test/java/org/owasp/webgoat/lessons/passwordreset/SecurityQuestionAssignmentTest.java b/src/test/java/org/owasp/webgoat/lessons/passwordreset/SecurityQuestionAssignmentTest.java
index 1bc0e8b33..26ce4ed23 100644
--- a/src/test/java/org/owasp/webgoat/lessons/passwordreset/SecurityQuestionAssignmentTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/passwordreset/SecurityQuestionAssignmentTest.java
@@ -6,15 +6,12 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
import org.hamcrest.CoreMatchers;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
import org.owasp.webgoat.container.plugins.LessonTest;
import org.springframework.mock.web.MockHttpSession;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
-@ExtendWith(SpringExtension.class)
public class SecurityQuestionAssignmentTest extends LessonTest {
private MockMvc mockMvc;
diff --git a/src/test/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignmentTest.java b/src/test/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignmentTest.java
index 9d5e7055e..9e0302af6 100644
--- a/src/test/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignmentTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignmentTest.java
@@ -28,22 +28,17 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.cookie;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
import jakarta.servlet.http.Cookie;
import java.util.stream.Stream;
import org.hamcrest.CoreMatchers;
-import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.DisplayName;
import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.Arguments;
import org.junit.jupiter.params.provider.MethodSource;
-import org.mockito.junit.jupiter.MockitoExtension;
-import org.owasp.webgoat.container.assignments.AssignmentEndpointTest;
+import org.owasp.webgoat.container.plugins.LessonTest;
import org.springframework.http.MediaType;
-import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.ResultActions;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
@@ -53,21 +48,12 @@ import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
*
*/
-@ExtendWith(MockitoExtension.class)
-class SpoofCookieAssignmentTest extends AssignmentEndpointTest {
+class SpoofCookieAssignmentTest extends LessonTest {
- private MockMvc mockMvc;
private static final String COOKIE_NAME = "spoof_auth";
private static final String LOGIN_CONTEXT_PATH = "/SpoofCookie/login";
private static final String ERASE_COOKIE_CONTEXT_PATH = "/SpoofCookie/cleanup";
- @BeforeEach
- void setup() {
- SpoofCookieAssignment spoofCookieAssignment = new SpoofCookieAssignment();
- init(spoofCookieAssignment);
- mockMvc = standaloneSetup(spoofCookieAssignment).build();
- }
-
@Test
@DisplayName("Lesson completed")
void success() throws Exception {
diff --git a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/SqlLessonTest.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/SqlLessonTest.java
deleted file mode 100644
index 9dd008dde..000000000
--- a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/SqlLessonTest.java
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 2019 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
- */
-
-package org.owasp.webgoat.lessons.sqlinjection;
-
-import org.junit.jupiter.api.BeforeEach;
-import org.owasp.webgoat.container.plugins.LessonTest;
-import org.springframework.test.web.servlet.setup.MockMvcBuilders;
-
-public class SqlLessonTest extends LessonTest {
-
- @BeforeEach
- public void setup() {
- this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
- }
-}
diff --git a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10Test.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10Test.java
index 8bb4444e2..329c28875 100644
--- a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10Test.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10Test.java
@@ -27,14 +27,14 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import org.junit.jupiter.api.Test;
-import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
+import org.owasp.webgoat.container.plugins.LessonTest;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
/**
* @author Benedikt Stuhrmann
* @since 11/07/18.
*/
-public class SqlInjectionLesson10Test extends SqlLessonTest {
+public class SqlInjectionLesson10Test extends LessonTest {
private String completedError = "JSON path \"lessonCompleted\"";
diff --git a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson2Test.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson2Test.java
index c71cc2d6c..177fbb79a 100644
--- a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson2Test.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson2Test.java
@@ -27,10 +27,10 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
import org.hamcrest.CoreMatchers;
import org.junit.jupiter.api.Test;
-import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
+import org.owasp.webgoat.container.plugins.LessonTest;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-public class SqlInjectionLesson2Test extends SqlLessonTest {
+public class SqlInjectionLesson2Test extends LessonTest {
@Test
public void solution() throws Exception {
diff --git a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5Test.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5Test.java
index 3dcaafbc8..256957a99 100644
--- a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5Test.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5Test.java
@@ -30,11 +30,11 @@ import org.hamcrest.CoreMatchers;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Test;
import org.owasp.webgoat.container.LessonDataSource;
-import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
+import org.owasp.webgoat.container.plugins.LessonTest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-public class SqlInjectionLesson5Test extends SqlLessonTest {
+public class SqlInjectionLesson5Test extends LessonTest {
@Autowired private LessonDataSource dataSource;
diff --git a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5aTest.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5aTest.java
index db48b6643..23ead11be 100644
--- a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5aTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5aTest.java
@@ -29,10 +29,10 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
import org.junit.jupiter.api.Disabled;
import org.junit.jupiter.api.Test;
-import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
+import org.owasp.webgoat.container.plugins.LessonTest;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-public class SqlInjectionLesson5aTest extends SqlLessonTest {
+public class SqlInjectionLesson5aTest extends LessonTest {
@Test
public void knownAccountShouldDisplayData() throws Exception {
diff --git a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson6aTest.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson6aTest.java
index 4ca0469b8..d28b47b53 100644
--- a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson6aTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson6aTest.java
@@ -28,10 +28,10 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import org.junit.jupiter.api.Test;
-import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
+import org.owasp.webgoat.container.plugins.LessonTest;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-public class SqlInjectionLesson6aTest extends SqlLessonTest {
+public class SqlInjectionLesson6aTest extends LessonTest {
@Test
public void wrongSolution() throws Exception {
diff --git a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson6bTest.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson6bTest.java
index 6bb702178..6e6921449 100644
--- a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson6bTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson6bTest.java
@@ -27,10 +27,10 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import org.junit.jupiter.api.Test;
-import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
+import org.owasp.webgoat.container.plugins.LessonTest;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-public class SqlInjectionLesson6bTest extends SqlLessonTest {
+public class SqlInjectionLesson6bTest extends LessonTest {
@Test
public void submitCorrectPassword() throws Exception {
diff --git a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8Test.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8Test.java
index 8ab7e242e..0152e106f 100644
--- a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8Test.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8Test.java
@@ -28,14 +28,14 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import org.junit.jupiter.api.Test;
-import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
+import org.owasp.webgoat.container.plugins.LessonTest;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
/**
* @author Benedikt Stuhrmann
* @since 11/07/18.
*/
-public class SqlInjectionLesson8Test extends SqlLessonTest {
+public class SqlInjectionLesson8Test extends LessonTest {
@Test
public void oneAccount() throws Exception {
diff --git a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9Test.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9Test.java
index 44438f6c0..9cac06a8c 100644
--- a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9Test.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9Test.java
@@ -28,14 +28,14 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import org.junit.jupiter.api.Test;
-import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
+import org.owasp.webgoat.container.plugins.LessonTest;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
/**
* @author Benedikt Stuhrmann
* @since 11/07/18.
*/
-public class SqlInjectionLesson9Test extends SqlLessonTest {
+public class SqlInjectionLesson9Test extends LessonTest {
private final String completedError = "JSON path \"lessonCompleted\"";
diff --git a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson13Test.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson13Test.java
index c319ba89e..9155c7d65 100644
--- a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson13Test.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson13Test.java
@@ -5,14 +5,14 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import org.junit.jupiter.api.Test;
-import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
+import org.owasp.webgoat.container.plugins.LessonTest;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
/**
* @author nbaars
* @since 5/21/17.
*/
-public class SqlInjectionLesson13Test extends SqlLessonTest {
+public class SqlInjectionLesson13Test extends LessonTest {
@Test
public void knownAccountShouldDisplayData() throws Exception {
diff --git a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationOnKeywordsTest.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationOnKeywordsTest.java
index c160f2a94..2442ccbfa 100644
--- a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationOnKeywordsTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationOnKeywordsTest.java
@@ -6,10 +6,10 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import org.junit.jupiter.api.Test;
-import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
+import org.owasp.webgoat.container.plugins.LessonTest;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-public class SqlOnlyInputValidationOnKeywordsTest extends SqlLessonTest {
+public class SqlOnlyInputValidationOnKeywordsTest extends LessonTest {
@Test
public void solve() throws Exception {
@@ -40,6 +40,6 @@ public class SqlOnlyInputValidationOnKeywordsTest extends SqlLessonTest {
containsString(
"unexpected token: * Your query was: SELECT * FROM user_data WHERE"
+ " last_name ="
- + " 'SMITH';\\\\\\/**\\\\\\/*\\\\\\/**\\\\\\/\\\\\\/**\\\\\\/USER_SYSTEM_DATA;--'")));
+ + " 'SMITH';\\/**\\/*\\/**\\/\\/**\\/USER_SYSTEM_DATA;--'")));
}
}
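Review bot: The expected literal inside `containsString` changes from `\\\\\\/` to `\\/` before each slash, and nothing in the test explains why the echoed query is now escaped one level less. This assertion pins how the rejected input is reflected back to the client, so a short comment naming the layer that adds the backslash would help, e.g. `// each '/' in the echoed query is expected as '\/' (escaped once by the endpoint's output encoding)`; the exact reason needs confirming against the endpoint. If the matcher runs against the raw response body, asserting on the decoded JSON field through `jsonPath` would make the test independent of the serializer's escaping. The enclosing test method starts outside this hunk, so the matcher's target is not visible here.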
diff --git a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationTest.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationTest.java
index 48888f3de..13f8f06e8 100644
--- a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationTest.java
@@ -6,10 +6,10 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import org.junit.jupiter.api.Test;
-import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
+import org.owasp.webgoat.container.plugins.LessonTest;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-public class SqlOnlyInputValidationTest extends SqlLessonTest {
+public class SqlOnlyInputValidationTest extends LessonTest {
@Test
public void solve() throws Exception {
diff --git a/src/test/java/org/owasp/webgoat/lessons/ssrf/SSRFTest1.java b/src/test/java/org/owasp/webgoat/lessons/ssrf/SSRFTest1.java
index dcc72ab2a..2954d1a58 100644
--- a/src/test/java/org/owasp/webgoat/lessons/ssrf/SSRFTest1.java
+++ b/src/test/java/org/owasp/webgoat/lessons/ssrf/SSRFTest1.java
@@ -6,9 +6,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
import org.owasp.webgoat.container.plugins.LessonTest;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
@@ -16,7 +14,6 @@ import org.springframework.test.web.servlet.setup.MockMvcBuilders;
* @author afry
* @since 12/28/18.
*/
-@ExtendWith(SpringExtension.class)
public class SSRFTest1 extends LessonTest {
@BeforeEach
diff --git a/src/test/java/org/owasp/webgoat/lessons/ssrf/SSRFTest2.java b/src/test/java/org/owasp/webgoat/lessons/ssrf/SSRFTest2.java
index d2b391882..37521d5b1 100644
--- a/src/test/java/org/owasp/webgoat/lessons/ssrf/SSRFTest2.java
+++ b/src/test/java/org/owasp/webgoat/lessons/ssrf/SSRFTest2.java
@@ -28,9 +28,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
import org.owasp.webgoat.container.plugins.LessonTest;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
@@ -38,7 +36,6 @@ import org.springframework.test.web.servlet.setup.MockMvcBuilders;
* @author afry
* @since 12/28/18.
*/
-@ExtendWith(SpringExtension.class)
public class SSRFTest2 extends LessonTest {
@BeforeEach
diff --git a/src/test/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson1Test.java b/src/test/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson1Test.java
index 3f5f1d22e..ea8121914 100644
--- a/src/test/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson1Test.java
+++ b/src/test/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson1Test.java
@@ -25,35 +25,19 @@ package org.owasp.webgoat.lessons.xss;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
import org.hamcrest.CoreMatchers;
-import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.mockito.junit.jupiter.MockitoExtension;
-import org.owasp.webgoat.container.assignments.AssignmentEndpointTest;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.test.web.servlet.MockMvc;
+import org.owasp.webgoat.container.plugins.LessonTest;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
/**
* @author Angel Olle Blazquez
*/
-@ExtendWith(MockitoExtension.class)
-class CrossSiteScriptingLesson1Test extends AssignmentEndpointTest {
+class CrossSiteScriptingLesson1Test extends LessonTest {
private static final String CONTEXT_PATH = "/CrossSiteScripting/attack1";
- @Autowired private MockMvc mockMvc;
-
- @BeforeEach
- public void setup() {
- CrossSiteScriptingLesson1 crossSiteScriptingLesson1 = new CrossSiteScriptingLesson1();
- init(crossSiteScriptingLesson1);
- mockMvc = standaloneSetup(crossSiteScriptingLesson1).build();
- }
-
@Test
void success() throws Exception {
mockMvc
diff --git a/src/test/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScriptingTest.java b/src/test/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScriptingTest.java
index ed6a31b0b..253460917 100644
--- a/src/test/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScriptingTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScriptingTest.java
@@ -24,33 +24,16 @@ package org.owasp.webgoat.lessons.xss;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
import org.hamcrest.CoreMatchers;
-import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.mockito.junit.jupiter.MockitoExtension;
-import org.owasp.webgoat.container.assignments.AssignmentEndpointTest;
-import org.owasp.webgoat.container.session.LessonSession;
-import org.springframework.test.web.servlet.MockMvc;
+import org.owasp.webgoat.container.plugins.LessonTest;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-@ExtendWith(MockitoExtension.class)
-public class DOMCrossSiteScriptingTest extends AssignmentEndpointTest {
- private MockMvc mockMvc;
-
- @BeforeEach
- public void setup() {
- LessonSession lessonSession = new LessonSession();
- DOMCrossSiteScripting domXss = new DOMCrossSiteScripting(lessonSession);
- init(domXss);
- this.mockMvc = standaloneSetup(domXss).build();
- CrossSiteScripting xss = new CrossSiteScripting();
- }
+public class DOMCrossSiteScriptingTest extends LessonTest {
@Test
- public void success() throws Exception {
+ void success() throws Exception {
mockMvc
.perform(
MockMvcRequestBuilders.post("/CrossSiteScripting/phone-home-xss")
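Review bot: The removed `setup()` built a new `LessonSession` and a new `DOMCrossSiteScripting` for every test, whereas the class now uses whatever `LessonTest` supplies, so `success()` and `failure()` (next hunk) may share session state. Whether `LessonTest` resets that state between tests is not visible in this diff; if it does not, the results could depend on execution order. A class-level comment would record the assumption, e.g. `// mockMvc and lesson state come from LessonTest; tests must not rely on values left by another test`. The body of `success()` continues outside this hunk.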
@@ -62,7 +45,7 @@ public class DOMCrossSiteScriptingTest extends AssignmentEndpointTest {
}
@Test
- public void failure() throws Exception {
+ void failure() throws Exception {
mockMvc
.perform(
MockMvcRequestBuilders.post("/CrossSiteScripting/phone-home-xss")
diff --git a/src/test/java/org/owasp/webgoat/lessons/xss/StoredXssCommentsTest.java b/src/test/java/org/owasp/webgoat/lessons/xss/StoredXssCommentsTest.java
index 11a54ff34..23de7d082 100644
--- a/src/test/java/org/owasp/webgoat/lessons/xss/StoredXssCommentsTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/xss/StoredXssCommentsTest.java
@@ -24,32 +24,16 @@ package org.owasp.webgoat.lessons.xss;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
import org.hamcrest.CoreMatchers;
-import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.mockito.junit.jupiter.MockitoExtension;
-import org.owasp.webgoat.container.assignments.AssignmentEndpointTest;
-import org.owasp.webgoat.lessons.xss.stored.StoredXssComments;
+import org.owasp.webgoat.container.plugins.LessonTest;
import org.springframework.http.MediaType;
-import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.MvcResult;
import org.springframework.test.web.servlet.ResultActions;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-@ExtendWith(MockitoExtension.class)
-class StoredXssCommentsTest extends AssignmentEndpointTest {
-
- private MockMvc mockMvc;
-
- @BeforeEach
- void setup() {
- StoredXssComments storedXssComments = new StoredXssComments();
- init(storedXssComments);
- this.mockMvc = standaloneSetup(storedXssComments).build();
- }
+class StoredXssCommentsTest extends LessonTest {
@Test
void success() throws Exception {