From 61d5116d441e66a82db04ee8d1226ce5110f133a Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Thu, 18 Aug 2016 21:15:12 +0200 Subject: [PATCH] Intermediate result for calling multiple lesson endpoints --- .../main/java/org/owasp/webgoat/WebGoat.java | 30 ++++++---- .../owasp/webgoat/controller/StartLesson.java | 32 +---------- .../org/owasp/webgoat/lessons/Attack.java | 4 +- .../owasp/webgoat/lessons/LessonEndpoint.java | 11 ++++ .../webgoat/lessons/model/AttackResult.java | 56 +++++++++++++++++++ .../owasp/webgoat/plugins/YmlBasedLesson.java | 2 +- .../src/main/resources/application.properties | 1 + .../js/goatApp/view/LessonContentView.js | 20 +------ 8 files changed, 93 insertions(+), 63 deletions(-) create mode 100644 webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/AttackResult.java diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java b/webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java index 009f36180..4f5c0dd1b 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java @@ -1,38 +1,39 @@ /** - ************************************************************************************************* - * - * + * ************************************************************************************************ + *

+ *

* This file is part of WebGoat, an Open Web Application Security Project utility. For details, * please see http://www.owasp.org/ - * + *

* Copyright (c) 2002 - 20014 Bruce Mayhew - * + *

* This program is free software; you can redistribute it and/or modify it under the terms of the * GNU General Public License as published by the Free Software Foundation; either version 2 of the * License, or (at your option) any later version. - * + *

* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * General Public License for more details. - * + *

* You should have received a copy of the GNU General Public License along with this program; if * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * 02111-1307, USA. - * + *

* Getting Source ============== - * + *

* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software * projects. * * @author WebGoat - * @since October 28, 2003 * @version $Id: $Id + * @since October 28, 2003 */ package org.owasp.webgoat; import org.owasp.webgoat.plugins.PluginClassLoader; import org.owasp.webgoat.plugins.PluginsLoader; import org.owasp.webgoat.session.Course; +import org.owasp.webgoat.session.UserTracker; import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebgoatContext; import org.owasp.webgoat.session.WebgoatProperties; @@ -94,11 +95,18 @@ public class WebGoat extends SpringBootServletInitializer { } @Bean - public Course course(PluginsLoader pluginsLoader, WebgoatContext webgoatContext, ServletContext context, WebgoatProperties webgoatProperties, LessonEndpointProvider endpointProvider) { + public Course course(PluginsLoader pluginsLoader, WebgoatContext webgoatContext, ServletContext context, WebgoatProperties webgoatProperties, + LessonEndpointProvider endpointProvider) { Course course = new Course(webgoatProperties); course.loadCourses(webgoatContext, context, "/"); course.loadLessonFromPlugin(pluginsLoader.loadPlugins()); endpointProvider.registerEndpoints(); return course; } + + @Bean + public UserTracker userTracker() { + UserTracker userTracker = UserTracker.instance(); + return userTracker; + } } diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/controller/StartLesson.java b/webgoat-container/src/main/java/org/owasp/webgoat/controller/StartLesson.java index 491e781c8..ff14a025d 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/controller/StartLesson.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/controller/StartLesson.java 
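Review bot: The new `userTracker()` bean only wraps the static `UserTracker.instance()`, while `LessonEndpoint.getLessonTracker()` in this same patch still calls `UserTracker.instance()` directly, so the tracker now has two access paths; either inject the bean there or drop the bean. The local variable adds nothing: `return UserTracker.instance();`. A one-line Javadoc such as `/** Process-wide tracker of every user's lesson progress, shared by all sessions. */` would state the sharing explicitly, assuming `UserTracker.instance()` is a static singleton (its definition is not in the patch).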
@@ -33,8 +33,6 @@ package org.owasp.webgoat.controller;
 import org.owasp.webgoat.lessons.AbstractLesson;
 import org.owasp.webgoat.lessons.RandomLessonAdapter;
 import org.owasp.webgoat.plugins.YmlBasedLesson;
-import org.owasp.webgoat.session.LessonTracker;
-import org.owasp.webgoat.session.UserTracker;
 import org.owasp.webgoat.session.WebSession;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.SecurityContext;
@@ -88,37 +86,9 @@ public class StartLesson {
 Optional lesson = lessons.stream()
 .filter(l -> l.getId().equals(lessonName))
 .findFirst();
+ ws.setCurrentScreen(lesson.get().getScreenId());
 model.setViewName("lesson_content");
 model.addObject("lesson", lesson.get());
 return model;
 }
-
-//// FIXME: 8/8/2016 duplicate code
- @RequestMapping(value = {"*.attack"}, produces = "text/html")
- public ModelAndView attack(HttpServletRequest request) {
- // I will set here the thymeleaf fragment location based on the resource requested.
- ModelAndView model = new ModelAndView();
- SecurityContext context = SecurityContextHolder.getContext(); //TODO this should work with the security roles of Spring
- GrantedAuthority authority = context.getAuthentication().getAuthorities().iterator().next();
- String path = request.getServletPath(); // we now got /a/b/c/AccessControlMatrix.lesson
- String lessonName = path.substring(path.lastIndexOf('/') + 1, path.indexOf(".attack"));
- WebSession ws = (WebSession) request.getSession().getAttribute(WebSession.SESSION);
- List lessons = ws.getCourse()
- .getLessons(ws, AbstractLesson.USER_ROLE);//TODO this should work with the security roles of Spring
- Optional lesson = lessons.stream()
- .filter(l -> l.getId().equals(lessonName))
- .findFirst();
- model.setViewName("lesson_content");
-
- YmlBasedLesson ymlBasedLesson = (YmlBasedLesson) lesson.get();
- if (ymlBasedLesson.getLessonAttack().attack()) {
- UserTracker userTracker = UserTracker.instance();
- LessonTracker lessonTracker = userTracker.getLessonTracker(ws, lesson.get());
- lessonTracker.setCompleted(true);
- model.addObject("message", ws.getMessage());
- }
-
- model.addObject("lesson", lesson.get());
- return model;
- }
 }
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Attack.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Attack.java
index fa9b241ad..91930bf37 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Attack.java
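Review bot: The added `ws.setCurrentScreen(lesson.get().getScreenId())` is a third unchecked `Optional.get()` on a lesson looked up from a user-controlled path segment (`lessonName`, derived outside this hunk), so a request for an unknown lesson id fails with `NoSuchElementException` and a 500 instead of a clean 4xx. Resolve the optional once and reuse it: `AbstractLesson current = lesson.orElseThrow(() -> new IllegalArgumentException("Unknown lesson " + lessonName));` then `ws.setCurrentScreen(current.getScreenId());` and `model.addObject("lesson", current);`, mapping that exception to a 404 in a handler. Since `LessonEndpoint.getLessonTracker()` in this patch reads the current lesson back from the session, this line is now also what decides which lesson's tracker later endpoint calls touch, which deserves a comment here. The `startLesson` method begins outside the hunk.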
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Attack.java @@ -1,5 +1,7 @@ package org.owasp.webgoat.lessons; +import org.owasp.webgoat.lessons.model.AttackResult; + /** * ************************************************************************************************ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, @@ -31,5 +33,5 @@ package org.owasp.webgoat.lessons; */ public interface Attack { - boolean attack(); + AttackResult attack(); } diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonEndpoint.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonEndpoint.java index 71a63a9eb..98376b71e 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonEndpoint.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonEndpoint.java @@ -25,6 +25,9 @@ */ package org.owasp.webgoat.lessons; +import org.owasp.webgoat.session.LessonTracker; +import org.owasp.webgoat.session.UserTracker; +import org.owasp.webgoat.session.WebSession; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.boot.actuate.endpoint.Endpoint; @@ -47,6 +50,8 @@ public abstract class LessonEndpoint implements MvcEndpoint { @Autowired @Qualifier("pluginTargetDirectory") private File pluginDirectory; + @Autowired + private WebSession webSession; /** * The directory of the plugin directory in which the lessons resides, so if you want to access the lesson 'ClientSideFiltering' you will 
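Review bot: `AttackResult attack();` has no Javadoc, and since the return type changed from `boolean` the contract callers rely on is no longer self-evident; state it, e.g. `/** Runs the lesson's attack check; never returns null, use AttackResult.success() when the lesson is solved. */`. Whether existing callers tolerate a null result cannot be seen from this patch, so word the contract to match them.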
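Review bot: `@Autowired private WebSession webSession;` injects a per-user session object into `LessonEndpoint`, which as an `MvcEndpoint` is presumably a singleton bean; unless `WebSession` is declared session-scoped with a scoped proxy, every user would share the first session that was injected and lesson progress would be read from and written to the wrong user. The `WebSession` bean definition is not in the patch, so confirm its scope, or resolve the session per request from the servlet request (`(WebSession) request.getSession().getAttribute(WebSession.SESSION)`, as the removed `StartLesson.attack` did) and document the choice on the field. The class continues outside the hunk.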
@@ -64,6 +69,12 @@ public abstract class LessonEndpoint implements MvcEndpoint { return new File(this.pluginDirectory, "plugin"); } + protected LessonTracker getLessonTracker() { + UserTracker userTracker = UserTracker.instance(); + LessonTracker lessonTracker = userTracker.getLessonTracker(webSession, webSession.getCurrentLesson()); + return lessonTracker; + } + @Override public final boolean isSensitive() { return false; diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/AttackResult.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/AttackResult.java new file mode 100644 index 000000000..947d368b3 --- /dev/null +++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/AttackResult.java @@ -0,0 +1,56 @@ +package org.owasp.webgoat.lessons.model; + +/** + * ************************************************************************************************ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ + *
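Review bot: `getLessonTracker()` keys the tracker on `webSession.getCurrentLesson()`, i.e. whichever lesson the session last started via `StartLesson`, not the lesson this endpoint belongs to; if the tracker is used to record completion (not visible here), a request to one lesson's endpoint while another lesson is current would act on the other lesson's tracker, and a request before any lesson was started passes a null lesson through. Have the endpoint name its own lesson, or at least guard: `if (webSession.getCurrentLesson() == null) throw new IllegalStateException("No lesson started in this session");`. It also calls `UserTracker.instance()` directly although this patch registers a `UserTracker` bean in `WebGoat`; injecting that bean keeps a single access path. The class continues outside the hunk.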

+ * Copyright (c) 2002 - 20014 Bruce Mayhew + *

+ * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + *

+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + *

+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + *

+ * Getting Source ============== + *

+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software + * projects. + *

+ * + * @author WebGoat + * @version $Id: $Id + * @since August 13, 2016 + */ +public class AttackResult { + + private boolean lessonCompleted; + private String feedback; + private String output; + + public static AttackResult success() { + AttackResult attackResult = new AttackResult(); + attackResult.lessonCompleted = true; + attackResult.feedback = "Congratulations"; + return attackResult; + } + + public boolean isLessonCompleted() { + return lessonCompleted; + } + + public String getFeedback() { + return feedback; + } + + public String getOutput() { + return output; + } +} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/YmlBasedLesson.java b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/YmlBasedLesson.java index f1d53228d..6d712a2ab 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/YmlBasedLesson.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/YmlBasedLesson.java @@ -50,7 +50,7 @@ public class YmlBasedLesson extends LessonAdapter { this.hints = hints; this.title = title; this.id = id; - createAttack(attack); + // createAttack(attack); } diff --git a/webgoat-container/src/main/resources/application.properties b/webgoat-container/src/main/resources/application.properties index bbe09b1dd..ea1a8fd24 100644 --- a/webgoat-container/src/main/resources/application.properties +++ b/webgoat-container/src/main/resources/application.properties @@ -6,6 +6,7 @@ server.port=8080 logging.level.org.springframework=WARN spring.thymeleaf.cache=false +spring.thymeleaf.content-type=text/html security.enable-csrf=false diff --git a/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js b/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js index 7fef6a602..97214eddd 100644 --- a/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js +++ b/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js 
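Review bot: `AttackResult` can only express success: `success()` is the sole factory, the constructor is implicit and `feedback`/`output` have no setters, so `output` is never assigned and a lesson has no way to report a failed attempt. Add a counterpart such as `public static AttackResult failed(String feedback) { AttackResult r = new AttackResult(); r.feedback = feedback; return r; }`, make the fields `final` with a private constructor taking all three, and replace the copied banner's empty `@author`/`@version` tags with a class-level Javadoc saying what the object carries back to the client. The hard-coded `"Congratulations"` belongs in a constant if it is meant to be reused.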
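Review bot: `// createAttack(attack);` leaves YAML-based lessons without an attack while keeping the call as commented-out code, which will not be noticed the next time the constructor is edited. If disabling it is intentional for this intermediate step, replace the line with `// TODO: attack handling moves to LessonEndpoint subclasses; createAttack is disabled until then` or remove the call together with the now-unused `attack` parameter. The constructor starts outside the hunk.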
@@ -40,28 +40,10 @@ define(['jquery', // The current LessonAdapter#getLink() generates a hash-mark link. It will not match the mask below. // Besides, the new MVC code registers an event handler that will reload the lesson according to the route. $('form').submit(function(event){ - var url = this.baseURI; - url = url.replace('start.mvc#lesson', ''); - url = url + '.attack'; - $.get(url) + $.get(this.action, "json") .done(self.reLoadView.bind(self)) .fail(function() { alert("failed to GET " + url); }); }); - // - // - // $.each($('a[href^="*.attack"]'),function(i,el) { //FIXME: need to figure out what to do here ... - // var url = $(el).attr('href'); - // $(el).unbind('click').attr('href','#').attr('link',url); - // //TODO pull currentMenuId - // $(el).click(function(event) { - // event.preventDefault(); - // var _url = $(el).attr('link'); - // console.log("About to GET " + _url); - // $.get(_url) - // .done(self.reLoadView.bind(self)) - // .fail(function() { alert("failed to GET " + _url); }); - // }); - // }); }, onAttackExecution: function(feedback) {
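Review bot: `$.get(this.action, "json")` passes "json" as the `data` argument of jQuery's `$.get(url, data, success, dataType)`, so the request goes to `action?json` with no dataType and none of the form's fields, and the `.fail` handler still reads `url`, which this hunk removed, so a failed request throws a ReferenceError instead of alerting. The handler also never calls `event.preventDefault()`, so the browser performs the native form submit as well. Rewrite the start of the body as `event.preventDefault(); var url = this.action;` and the request as `$.get(url, $(this).serialize(), null, 'json')`, assuming the form's inputs are the attack parameters (not visible here). The enclosing method starts outside the hunk.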