Intermediate result for calling multiple lesson endpoints

webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java

@@ -1,38 +1,39 @@
 /**
- *************************************************************************************************
+ * ************************************************************************************************
- *
+ * <p>
- *
+ * <p>
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
- *
+ * <p>
  * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
+ * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
- *
+ * <p>
  * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
  * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  * General Public License for more details.
- *
+ * <p>
  * You should have received a copy of the GNU General Public License along with this program; if
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
- *
+ * <p>
  * Getting Source ==============
- *
+ * <p>
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
  * projects.
  *
  * @author WebGoat
- * @since October 28, 2003
  * @version $Id: $Id
+ * @since October 28, 2003
  */
 package org.owasp.webgoat;
 
 import org.owasp.webgoat.plugins.PluginClassLoader;
 import org.owasp.webgoat.plugins.PluginsLoader;
 import org.owasp.webgoat.session.Course;
+import org.owasp.webgoat.session.UserTracker;
 import org.owasp.webgoat.session.WebSession;
 import org.owasp.webgoat.session.WebgoatContext;
 import org.owasp.webgoat.session.WebgoatProperties;
@@ -94,11 +95,18 @@ public class WebGoat extends SpringBootServletInitializer {
     }
 
     @Bean
-    public Course course(PluginsLoader pluginsLoader, WebgoatContext webgoatContext, ServletContext context, WebgoatProperties webgoatProperties, LessonEndpointProvider endpointProvider) {
+    public Course course(PluginsLoader pluginsLoader, WebgoatContext webgoatContext, ServletContext context, WebgoatProperties webgoatProperties,
+                         LessonEndpointProvider endpointProvider) {
         Course course = new Course(webgoatProperties);
         course.loadCourses(webgoatContext, context, "/");
         course.loadLessonFromPlugin(pluginsLoader.loadPlugins());
         endpointProvider.registerEndpoints();
         return course;
     }
+
+    @Bean
+    public UserTracker userTracker() {
+        UserTracker userTracker = UserTracker.instance();
+        return userTracker;
+    }
 }

webgoat-container/src/main/java/org/owasp/webgoat/controller/StartLesson.java

@@ -33,8 +33,6 @@ package org.owasp.webgoat.controller;
 import org.owasp.webgoat.lessons.AbstractLesson;
 import org.owasp.webgoat.lessons.RandomLessonAdapter;
 import org.owasp.webgoat.plugins.YmlBasedLesson;
-import org.owasp.webgoat.session.LessonTracker;
-import org.owasp.webgoat.session.UserTracker;
 import org.owasp.webgoat.session.WebSession;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.SecurityContext;
@@ -88,37 +86,9 @@ public class StartLesson {
         Optional<AbstractLesson> lesson = lessons.stream()
                 .filter(l -> l.getId().equals(lessonName))
                 .findFirst();
+        ws.setCurrentScreen(lesson.get().getScreenId());
         model.setViewName("lesson_content");
         model.addObject("lesson", lesson.get());
         return model;
     }
-    
-//// FIXME: 8/8/2016 duplicate code
-    @RequestMapping(value = {"*.attack"}, produces = "text/html")
-    public ModelAndView attack(HttpServletRequest request) {
-        // I will set here the thymeleaf fragment location based on the resource requested.
-        ModelAndView model = new ModelAndView();
-        SecurityContext context = SecurityContextHolder.getContext(); //TODO this should work with the security roles of Spring
-        GrantedAuthority authority = context.getAuthentication().getAuthorities().iterator().next();
-        String path = request.getServletPath(); // we now got /a/b/c/AccessControlMatrix.lesson
-        String lessonName = path.substring(path.lastIndexOf('/') + 1, path.indexOf(".attack"));
-        WebSession ws = (WebSession) request.getSession().getAttribute(WebSession.SESSION);
-        List<AbstractLesson> lessons = ws.getCourse()
-                .getLessons(ws, AbstractLesson.USER_ROLE);//TODO this should work with the security roles of Spring
-        Optional<AbstractLesson> lesson = lessons.stream()
-                .filter(l -> l.getId().equals(lessonName))
-                .findFirst();
-        model.setViewName("lesson_content");
-
-        YmlBasedLesson ymlBasedLesson = (YmlBasedLesson) lesson.get();
-        if (ymlBasedLesson.getLessonAttack().attack()) {
-            UserTracker userTracker = UserTracker.instance();
-            LessonTracker lessonTracker = userTracker.getLessonTracker(ws, lesson.get());
-            lessonTracker.setCompleted(true);
-            model.addObject("message", ws.getMessage());
-        }
-
-        model.addObject("lesson", lesson.get());
-        return model;
-    }
 }

webgoat-container/src/main/java/org/owasp/webgoat/lessons/Attack.java

@@ -1,5 +1,7 @@
 package org.owasp.webgoat.lessons;
 
+import org.owasp.webgoat.lessons.model.AttackResult;
+
 /**
  * ************************************************************************************************
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
@@ -31,5 +33,5 @@ package org.owasp.webgoat.lessons;
  */
 public interface Attack {
 
-    boolean attack();
+    AttackResult attack();
 }

webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonEndpoint.java

@@ -25,6 +25,9 @@
  */
 package org.owasp.webgoat.lessons;
 
+import org.owasp.webgoat.session.LessonTracker;
+import org.owasp.webgoat.session.UserTracker;
+import org.owasp.webgoat.session.WebSession;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.boot.actuate.endpoint.Endpoint;
@@ -47,6 +50,8 @@ public abstract class LessonEndpoint implements MvcEndpoint {
     @Autowired
     @Qualifier("pluginTargetDirectory")
     private File pluginDirectory;
+    @Autowired
+    private WebSession webSession;
 
     /**
      * The directory of the plugin directory in which the lessons resides, so if you want to access the lesson 'ClientSideFiltering' you will
@@ -64,6 +69,12 @@ public abstract class LessonEndpoint implements MvcEndpoint {
         return new File(this.pluginDirectory, "plugin");
     }
 
+    protected LessonTracker getLessonTracker() {
+        UserTracker userTracker = UserTracker.instance();
+        LessonTracker lessonTracker = userTracker.getLessonTracker(webSession, webSession.getCurrentLesson());
+        return lessonTracker;
+    }
+
     @Override
     public final boolean isSensitive() {
         return false;

webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/AttackResult.java

@@ -0,0 +1,56 @@
+package org.owasp.webgoat.lessons.model;
+
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ * <p>
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * <p>
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ * <p>
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ * <p>
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ * <p>
+ * Getting Source ==============
+ * <p>
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ * <p>
+ *
+ * @author WebGoat
+ * @version $Id: $Id
+ * @since August 13, 2016
+ */
+public class AttackResult {
+
+    private boolean lessonCompleted;
+    private String feedback;
+    private String output;
+
+    public static AttackResult success() {
+        AttackResult attackResult = new AttackResult();
+        attackResult.lessonCompleted = true;
+        attackResult.feedback = "Congratulations";
+        return attackResult;
+    }
+
+    public boolean isLessonCompleted() {
+        return lessonCompleted;
+    }
+
+    public String getFeedback() {
+        return feedback;
+    }
+
+    public String getOutput() {
+        return output;
+    }
+}

webgoat-container/src/main/java/org/owasp/webgoat/plugins/YmlBasedLesson.java

@@ -50,7 +50,7 @@ public class YmlBasedLesson extends LessonAdapter {
         this.hints = hints;
         this.title = title;
         this.id = id;
-        createAttack(attack);
+      //  createAttack(attack);
 
     }
 

webgoat-container/src/main/resources/application.properties

@@ -6,6 +6,7 @@ server.port=8080
 
 logging.level.org.springframework=WARN
 spring.thymeleaf.cache=false
+spring.thymeleaf.content-type=text/html
 security.enable-csrf=false
 
 

webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js

@@ -40,28 +40,10 @@ define(['jquery',
             // The current LessonAdapter#getLink() generates a hash-mark link.  It will not match the mask below.
             // Besides, the new MVC code registers an event handler that will reload the lesson according to the route.
             $('form').submit(function(event){
-                var url = this.baseURI;
+                $.get(this.action, "json")
-                url = url.replace('start.mvc#lesson', '');
-                url = url + '.attack';
-                $.get(url)
                     .done(self.reLoadView.bind(self))
                     .fail(function() { alert("failed to GET " + url); });
             });
-            //
-            //
-            // $.each($('a[href^="*.attack"]'),function(i,el) { //FIXME: need to figure out what to do here ...
-            //     var url = $(el).attr('href');
-            //     $(el).unbind('click').attr('href','#').attr('link',url);
-            //     //TODO pull currentMenuId
-            //     $(el).click(function(event) {
-            //         event.preventDefault();
-            //         var _url = $(el).attr('link');
-            //         console.log("About to GET " + _url);
-            //         $.get(_url)
-            //             .done(self.reLoadView.bind(self))
-            //             .fail(function() { alert("failed to GET " + _url); });
-            //     });
-            // });
         },
 
         onAttackExecution: function(feedback) {