From 323daae57872e431a634defcbbfd3b66e84335d8 Mon Sep 17 00:00:00 2001
From: Nanne Baars
Date: Thu, 5 Jan 2023 20:51:15 +0100
Subject: [PATCH 1/2] Vulnerable components only work in a Docker container
---
 .../webgoat/GeneralLessonIntegrationTest.java | 342 ++++++++++--------
 1 file changed, 183 insertions(+), 159 deletions(-)
diff --git a/src/it/java/org/owasp/webgoat/GeneralLessonIntegrationTest.java b/src/it/java/org/owasp/webgoat/GeneralLessonIntegrationTest.java
index 60dfef04d..8522681a5 100644
--- a/src/it/java/org/owasp/webgoat/GeneralLessonIntegrationTest.java
+++ b/src/it/java/org/owasp/webgoat/GeneralLessonIntegrationTest.java
@@ -2,185 +2,209 @@ package org.owasp.webgoat; import io.restassured.RestAssured; import io.restassured.http.ContentType; +import java.util.HashMap; +import java.util.Map; import org.hamcrest.CoreMatchers; import org.hamcrest.MatcherAssert; import org.junit.jupiter.api.Test; - -import java.util.HashMap; -import java.util.Map; - +import org.springframework.util.StringUtils; public class GeneralLessonIntegrationTest extends IntegrationTest { - @Test - public void httpBasics() { - startLesson("HttpBasics"); - Map params = new HashMap<>(); - params.clear(); - params.put("person", "goatuser"); - checkAssignment(url("HttpBasics/attack1"), params, true); + @Test + public void httpBasics() { + startLesson("HttpBasics"); + Map params = new HashMap<>(); + params.clear(); + params.put("person", "goatuser"); + checkAssignment(url("HttpBasics/attack1"), params, true); - params.clear(); - params.put("answer", "POST"); - params.put("magic_answer", "33"); - params.put("magic_num", "4"); - checkAssignment(url("HttpBasics/attack2"), params, false); + params.clear(); + params.put("answer", "POST"); + params.put("magic_answer", "33"); + params.put("magic_num", "4"); + checkAssignment(url("HttpBasics/attack2"), params, false); - params.clear(); - params.put("answer", "POST"); - params.put("magic_answer", "33"); - params.put("magic_num", "33"); - checkAssignment(url("HttpBasics/attack2"), params, true); + params.clear(); + params.put("answer", "POST"); + params.put("magic_answer", "33"); + params.put("magic_num", "33"); + checkAssignment(url("HttpBasics/attack2"), params, true); - checkResults("/HttpBasics/"); + checkResults("/HttpBasics/"); + } + + @Test + public void httpProxies() { + startLesson("HttpProxies"); + MatcherAssert.assertThat( + RestAssured.given() + .when() + .relaxedHTTPSValidation() + .cookie("JSESSIONID", getWebGoatCookie()) + .header("x-request-intercepted", "true") + .contentType(ContentType.JSON) + .get(url("HttpProxies/intercept-request?changeMe=Requests are 
tampered easily")) + .then() + .statusCode(200) + .extract() + .path("lessonCompleted"), + CoreMatchers.is(true)); + + checkResults("/HttpProxies/"); + } + + @Test + public void cia() { + startLesson("CIA"); + Map params = new HashMap<>(); + params.clear(); + params.put( + "question_0_solution", + "Solution 3: By stealing a database where names and emails are stored and uploading it to a website."); + params.put( + "question_1_solution", + "Solution 1: By changing the names and emails of one or more users stored in a database."); + params.put( + "question_2_solution", + "Solution 4: By launching a denial of service attack on the servers."); + params.put( + "question_3_solution", + "Solution 2: The systems security is compromised even if only one goal is harmed."); + checkAssignment(url("/WebGoat/cia/quiz"), params, true); + checkResults("/cia/"); + } + + @Test + public void vulnerableComponents() { + if (StringUtils.hasText(System.getProperty("running.in.docker"))) { + String solution = + "\n" + + "org.owasp.webgoat.lessons.vulnerablecomponents.Contact\n" + + " \n" + + " \n" + + " \n" + + " calc.exe\n" + + " \n" + + " \n" + + " start\n" + + " \n" + + ""; + startLesson("VulnerableComponents"); + Map params = new HashMap<>(); + params.clear(); + params.put("payload", solution); + checkAssignment(url("/WebGoat/VulnerableComponents/attack1"), params, true); + checkResults("/VulnerableComponents/"); } + } - @Test - public void httpProxies() { - startLesson("HttpProxies"); - MatcherAssert.assertThat(RestAssured.given() - .when().relaxedHTTPSValidation().cookie("JSESSIONID", getWebGoatCookie()).header("x-request-intercepted", "true") - .contentType(ContentType.JSON) - .get(url("HttpProxies/intercept-request?changeMe=Requests are tampered easily")) - .then() - .statusCode(200).extract().path("lessonCompleted"), CoreMatchers.is(true)); + @Test + public void insecureLogin() { + startLesson("InsecureLogin"); + Map params = new HashMap<>(); + params.clear(); + 
params.put("username", "CaptainJack"); + params.put("password", "BlackPearl"); + checkAssignment(url("/WebGoat/InsecureLogin/task"), params, true); + checkResults("/InsecureLogin/"); + } - checkResults("/HttpProxies/"); - } + @Test + public void securePasswords() { + startLesson("SecurePasswords"); + Map params = new HashMap<>(); + params.clear(); + params.put("password", "ajnaeliclm^&&@kjn."); + checkAssignment(url("/WebGoat/SecurePasswords/assignment"), params, true); + checkResults("SecurePasswords/"); - @Test - public void cia() { - startLesson("CIA"); - Map params = new HashMap<>(); - params.clear(); - params.put("question_0_solution", "Solution 3: By stealing a database where names and emails are stored and uploading it to a website."); - params.put("question_1_solution", "Solution 1: By changing the names and emails of one or more users stored in a database."); - params.put("question_2_solution", "Solution 4: By launching a denial of service attack on the servers."); - params.put("question_3_solution", "Solution 2: The systems security is compromised even if only one goal is harmed."); - checkAssignment(url("/WebGoat/cia/quiz"), params, true); - checkResults("/cia/"); + startLesson("AuthBypass"); + params.clear(); + params.put("secQuestion2", "John"); + params.put("secQuestion3", "Main"); + params.put("jsEnabled", "1"); + params.put("verifyMethod", "SEC_QUESTIONS"); + params.put("userId", "12309746"); + checkAssignment(url("/WebGoat/auth-bypass/verify-account"), params, true); + checkResults("/auth-bypass/"); - } - - @Test - public void vulnerableComponents() { - String solution = "\n" + - "org.owasp.webgoat.lessons.vulnerablecomponents.Contact\n" + - " \n" + - " \n" + - " \n" + - " calc.exe\n" + - " \n" + - " \n" + - " start\n" + - " \n" + - ""; - startLesson("VulnerableComponents"); - Map params = new HashMap<>(); - params.clear(); - params.put("payload", solution); - checkAssignment(url("/WebGoat/VulnerableComponents/attack1"), params, true); - 
checkResults("/VulnerableComponents/"); - } - - @Test - public void insecureLogin() { - startLesson("InsecureLogin"); - Map params = new HashMap<>(); - params.clear(); - params.put("username", "CaptainJack"); - params.put("password", "BlackPearl"); - checkAssignment(url("/WebGoat/InsecureLogin/task"), params, true); - checkResults("/InsecureLogin/"); - } + startLesson("HttpProxies"); + MatcherAssert.assertThat( + RestAssured.given() + .when() + .relaxedHTTPSValidation() + .cookie("JSESSIONID", getWebGoatCookie()) + .header("x-request-intercepted", "true") + .contentType(ContentType.JSON) + .get( + url("/WebGoat/HttpProxies/intercept-request?changeMe=Requests are tampered easily")) + .then() + .statusCode(200) + .extract() + .path("lessonCompleted"), + CoreMatchers.is(true)); + checkResults("/HttpProxies/"); + } - @Test - public void securePasswords() { - startLesson("SecurePasswords"); - Map params = new HashMap<>(); - params.clear(); - params.put("password", "ajnaeliclm^&&@kjn."); - checkAssignment(url("/WebGoat/SecurePasswords/assignment"), params, true); - checkResults("SecurePasswords/"); + @Test + public void chrome() { + startLesson("ChromeDevTools"); - startLesson("AuthBypass"); - params.clear(); - params.put("secQuestion2", "John"); - params.put("secQuestion3", "Main"); - params.put("jsEnabled", "1"); - params.put("verifyMethod", "SEC_QUESTIONS"); - params.put("userId", "12309746"); - checkAssignment(url("/WebGoat/auth-bypass/verify-account"), params, true); - checkResults("/auth-bypass/"); + Map params = new HashMap<>(); + params.clear(); + params.put("param1", "42"); + params.put("param2", "24"); - startLesson("HttpProxies"); - MatcherAssert.assertThat(RestAssured.given().when().relaxedHTTPSValidation().cookie("JSESSIONID", getWebGoatCookie()).header("x-request-intercepted", "true") - .contentType(ContentType.JSON) - .get(url("/WebGoat/HttpProxies/intercept-request?changeMe=Requests are tampered easily")).then() - 
.statusCode(200).extract().path("lessonCompleted"), CoreMatchers.is(true)); - checkResults("/HttpProxies/"); - } + String result = + RestAssured.given() + .when() + .relaxedHTTPSValidation() + .cookie("JSESSIONID", getWebGoatCookie()) + .header("webgoat-requested-by", "dom-xss-vuln") + .header("X-Requested-With", "XMLHttpRequest") + .formParams(params) + .post(url("/WebGoat/CrossSiteScripting/phone-home-xss")) + .then() + .statusCode(200) + .extract() + .path("output"); + String secretNumber = result.substring("phoneHome Response is ".length()); - @Test - public void chrome() { - startLesson("ChromeDevTools"); + params.clear(); + params.put("successMessage", secretNumber); + checkAssignment(url("/WebGoat/ChromeDevTools/dummy"), params, true); - Map params = new HashMap<>(); - params.clear(); - params.put("param1", "42"); - params.put("param2", "24"); + params.clear(); + params.put("number", "24"); + params.put("network_num", "24"); + checkAssignment(url("/WebGoat/ChromeDevTools/network"), params, true); - String result = - RestAssured.given() - .when() - .relaxedHTTPSValidation() - .cookie("JSESSIONID", getWebGoatCookie()) - .header("webgoat-requested-by", "dom-xss-vuln") - .header("X-Requested-With", "XMLHttpRequest") - .formParams(params) - .post(url("/WebGoat/CrossSiteScripting/phone-home-xss")) - .then() - .statusCode(200) - .extract().path("output"); - String secretNumber = result.substring("phoneHome Response is ".length()); + checkResults("/ChromeDevTools/"); + } - params.clear(); - params.put("successMessage", secretNumber); - checkAssignment(url("/WebGoat/ChromeDevTools/dummy"), params, true); + @Test + public void authByPass() { + startLesson("AuthBypass"); + Map params = new HashMap<>(); + params.clear(); + params.put("secQuestion2", "John"); + params.put("secQuestion3", "Main"); + params.put("jsEnabled", "1"); + params.put("verifyMethod", "SEC_QUESTIONS"); + params.put("userId", "12309746"); + checkAssignment(url("/auth-bypass/verify-account"), params, 
true); + checkResults("/auth-bypass/"); + } - params.clear(); - params.put("number", "24"); - params.put("network_num", "24"); - checkAssignment(url("/WebGoat/ChromeDevTools/network"), params, true); - - checkResults("/ChromeDevTools/"); - } - - @Test - public void authByPass() { - startLesson("AuthBypass"); - Map params = new HashMap<>(); - params.clear(); - params.put("secQuestion2", "John"); - params.put("secQuestion3", "Main"); - params.put("jsEnabled", "1"); - params.put("verifyMethod", "SEC_QUESTIONS"); - params.put("userId", "12309746"); - checkAssignment(url("/auth-bypass/verify-account"), params, true); - checkResults("/auth-bypass/"); - - } - - @Test - public void lessonTemplate() { - startLesson("LessonTemplate"); - Map params = new HashMap<>(); - params.clear(); - params.put("param1", "secr37Value"); - params.put("param2", "Main"); - checkAssignment(url("/lesson-template/sample-attack"), params, true); - checkResults("/lesson-template/"); - - } - + @Test + public void lessonTemplate() { + startLesson("LessonTemplate"); + Map params = new HashMap<>(); + params.clear(); + params.put("param1", "secr37Value"); + params.put("param2", "Main"); + checkAssignment(url("/lesson-template/sample-attack"), params, true); + checkResults("/lesson-template/"); + } } From 716a7dd9eadfc1a3a67e90880534c02a15b84325 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Thu, 5 Jan 2023 20:51:34 +0100 Subject: [PATCH 2/2] Preparing release 2023.0 --- README.md | 4 ++-- RELEASE_NOTES.md | 4 ++-- pom.xml | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 6fb57e261..44f30e7e5 100644 --- a/README.md +++ b/README.md 
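Review bot: The guard `if (StringUtils.hasText(System.getProperty("running.in.docker")))` that now wraps the whole body of vulnerableComponents() turns the test into a vacuous pass outside Docker: with the property unset nothing is asserted, yet JUnit still reports the test as passed, so a regression in the VulnerableComponents assignment would go unnoticed in any run without that property. JUnit 5 already has a way to express this intent as a reported skip rather than a silent green; annotate the method with `@EnabledIfSystemProperty(named = "running.in.docker", matches = ".+")` (or make `Assumptions.assumeTrue(StringUtils.hasText(System.getProperty("running.in.docker")));` the first statement) and drop the surrounding if, which also removes the need for the new `org.springframework.util.StringUtils` import in a test class. A one-line comment on the annotation stating why the lesson only works in the container, as the commit subject does, would save the next reader a trip to the history, e.g. `// VulnerableComponents only works inside the Docker container`. The rest of the hunk is a google-java-format reindent of unchanged tests and needs no further review.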
@@ -62,7 +62,7 @@ This way, you can start where you left off. If you remove the container, you nee Download the latest WebGoat release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases) ```shell -java -Dfile.encoding=UTF-8 -Dwebgoat.port=8080 -Dwebwolf.port=9090 -jar webgoat-2023.1.jar +java -Dfile.encoding=UTF-8 -Dwebgoat.port=8080 -Dwebwolf.port=9090 -jar webgoat-2023.0.jar ``` Click the link in the log to start WebGoat. @@ -125,7 +125,7 @@ For instance running as a jar on a Linux/macOS it will look like this: ```Shell export EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE" export EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations" -java -jar target/webgoat-2023.1-SNAPSHOT.jar +java -jar target/webgoat-2023.0-SNAPSHOT.jar ``` Or in a docker run it would (once this version is pushed into docker hub) look like this: diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md index 0c7b44d33..b0da20ea7 100644 --- a/RELEASE_NOTES.md +++ b/RELEASE_NOTES.md @@ -1,8 +1,8 @@ # WebGoat release notes -## Version 2023.1 +## Version 2023.0 -With great pleasure, we present you with a new release of WebGoat **2023.1**. Finally, it has been a while. This year starts with a new release of WebGoat. This year we will undoubtedly release more often. From this release on, we began to use a new versioning scheme (https://calver.org/#scheme). +With great pleasure, we present you with a new release of WebGoat **2023.0**. Finally, it has been a while. This year starts with a new release of WebGoat. This year we will undoubtedly release more often. From this release on, we began to use a new versioning scheme (https://calver.org/#scheme). A big thanks to René Zubcevic and Àngel Ollé Blázquez for keeping the project alive this last year, and hopefully, we can make many more releases this year. diff --git a/pom.xml b/pom.xml index 056b987c5..4e2ab4ccd 100644 --- a/pom.xml +++ b/pom.xml 
@@ -10,7 +10,7 @@ org.owasp.webgoat webgoat - 2023.1 + 2023.0 jar WebGoat