Merge branch 'release/v2023.0' into develop

This commit is contained in:
Nanne Baars 2023-01-05 20:52:02 +01:00
commit 64b10c1a59
4 changed files with 188 additions and 164 deletions


@ -62,7 +62,7 @@ This way, you can start where you left off. If you remove the container, you nee
Download the latest WebGoat release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases) Download the latest WebGoat release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
```shell ```shell
java -Dfile.encoding=UTF-8 -Dwebgoat.port=8080 -Dwebwolf.port=9090 -jar webgoat-2023.1.jar java -Dfile.encoding=UTF-8 -Dwebgoat.port=8080 -Dwebwolf.port=9090 -jar webgoat-2023.0.jar
``` ```
Click the link in the log to start WebGoat. Click the link in the log to start WebGoat.
@ -125,7 +125,7 @@ For instance running as a jar on a Linux/macOS it will look like this:
```Shell ```Shell
export EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE" export EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE"
export EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations" export EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations"
java -jar target/webgoat-2023.1-SNAPSHOT.jar java -jar target/webgoat-2023.0-SNAPSHOT.jar
``` ```
Or in a docker run it would (once this version is pushed into docker hub) look like this: Or in a docker run it would (once this version is pushed into docker hub) look like this:


@ -1,8 +1,8 @@
# WebGoat release notes # WebGoat release notes
## Version 2023.1 ## Version 2023.0
With great pleasure, we present you with a new release of WebGoat **2023.1**. Finally, it has been a while. This year starts with a new release of WebGoat. This year we will undoubtedly release more often. From this release on, we began to use a new versioning scheme (https://calver.org/#scheme). With great pleasure, we present you with a new release of WebGoat **2023.0**. Finally, it has been a while. This year starts with a new release of WebGoat. This year we will undoubtedly release more often. From this release on, we began to use a new versioning scheme (https://calver.org/#scheme).
A big thanks to René Zubcevic and Àngel Ollé Blázquez for keeping the project alive this last year, and hopefully, we can make A big thanks to René Zubcevic and Àngel Ollé Blázquez for keeping the project alive this last year, and hopefully, we can make
many more releases this year. many more releases this year.


@ -10,7 +10,7 @@
</parent> </parent>
<groupId>org.owasp.webgoat</groupId> <groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat</artifactId> <artifactId>webgoat</artifactId>
<version>2023.1</version> <version>2023.0</version>
<packaging>jar</packaging> <packaging>jar</packaging>
<name>WebGoat</name> <name>WebGoat</name>


@ -2,13 +2,12 @@ package org.owasp.webgoat;
import io.restassured.RestAssured; import io.restassured.RestAssured;
import io.restassured.http.ContentType; import io.restassured.http.ContentType;
import java.util.HashMap;
import java.util.Map;
import org.hamcrest.CoreMatchers; import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert; import org.hamcrest.MatcherAssert;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
import org.springframework.util.StringUtils;
import java.util.HashMap;
import java.util.Map;
public class GeneralLessonIntegrationTest extends IntegrationTest { public class GeneralLessonIntegrationTest extends IntegrationTest {
@ -38,12 +37,19 @@ public class GeneralLessonIntegrationTest extends IntegrationTest {
@Test @Test
public void httpProxies() { public void httpProxies() {
startLesson("HttpProxies"); startLesson("HttpProxies");
MatcherAssert.assertThat(RestAssured.given() MatcherAssert.assertThat(
.when().relaxedHTTPSValidation().cookie("JSESSIONID", getWebGoatCookie()).header("x-request-intercepted", "true") RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.header("x-request-intercepted", "true")
.contentType(ContentType.JSON) .contentType(ContentType.JSON)
.get(url("HttpProxies/intercept-request?changeMe=Requests are tampered easily")) .get(url("HttpProxies/intercept-request?changeMe=Requests are tampered easily"))
.then() .then()
.statusCode(200).extract().path("lessonCompleted"), CoreMatchers.is(true)); .statusCode(200)
.extract()
.path("lessonCompleted"),
CoreMatchers.is(true));
checkResults("/HttpProxies/"); checkResults("/HttpProxies/");
} }
@ -53,28 +59,37 @@ public class GeneralLessonIntegrationTest extends IntegrationTest {
startLesson("CIA"); startLesson("CIA");
Map<String, Object> params = new HashMap<>(); Map<String, Object> params = new HashMap<>();
params.clear(); params.clear();
params.put("question_0_solution", "Solution 3: By stealing a database where names and emails are stored and uploading it to a website."); params.put(
params.put("question_1_solution", "Solution 1: By changing the names and emails of one or more users stored in a database."); "question_0_solution",
params.put("question_2_solution", "Solution 4: By launching a denial of service attack on the servers."); "Solution 3: By stealing a database where names and emails are stored and uploading it to a website.");
params.put("question_3_solution", "Solution 2: The systems security is compromised even if only one goal is harmed."); params.put(
"question_1_solution",
"Solution 1: By changing the names and emails of one or more users stored in a database.");
params.put(
"question_2_solution",
"Solution 4: By launching a denial of service attack on the servers.");
params.put(
"question_3_solution",
"Solution 2: The systems security is compromised even if only one goal is harmed.");
checkAssignment(url("/WebGoat/cia/quiz"), params, true); checkAssignment(url("/WebGoat/cia/quiz"), params, true);
checkResults("/cia/"); checkResults("/cia/");
} }
@Test @Test
public void vulnerableComponents() { public void vulnerableComponents() {
String solution = "<contact class='dynamic-proxy'>\n" + if (StringUtils.hasText(System.getProperty("running.in.docker"))) {
"<interface>org.owasp.webgoat.lessons.vulnerablecomponents.Contact</interface>\n" + String solution =
" <handler class='java.beans.EventHandler'>\n" + "<contact class='dynamic-proxy'>\n"
" <target class='java.lang.ProcessBuilder'>\n" + + "<interface>org.owasp.webgoat.lessons.vulnerablecomponents.Contact</interface>\n"
" <command>\n" + + " <handler class='java.beans.EventHandler'>\n"
" <string>calc.exe</string>\n" + + " <target class='java.lang.ProcessBuilder'>\n"
" </command>\n" + + " <command>\n"
" </target>\n" + + " <string>calc.exe</string>\n"
" <action>start</action>\n" + + " </command>\n"
" </handler>\n" + + " </target>\n"
"</contact>"; + " <action>start</action>\n"
+ " </handler>\n"
+ "</contact>";
startLesson("VulnerableComponents"); startLesson("VulnerableComponents");
Map<String, Object> params = new HashMap<>(); Map<String, Object> params = new HashMap<>();
params.clear(); params.clear();
@ -82,6 +97,7 @@ public class GeneralLessonIntegrationTest extends IntegrationTest {
checkAssignment(url("/WebGoat/VulnerableComponents/attack1"), params, true); checkAssignment(url("/WebGoat/VulnerableComponents/attack1"), params, true);
checkResults("/VulnerableComponents/"); checkResults("/VulnerableComponents/");
} }
}
@Test @Test
public void insecureLogin() { public void insecureLogin() {
@ -114,10 +130,20 @@ public class GeneralLessonIntegrationTest extends IntegrationTest {
checkResults("/auth-bypass/"); checkResults("/auth-bypass/");
startLesson("HttpProxies"); startLesson("HttpProxies");
MatcherAssert.assertThat(RestAssured.given().when().relaxedHTTPSValidation().cookie("JSESSIONID", getWebGoatCookie()).header("x-request-intercepted", "true") MatcherAssert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.header("x-request-intercepted", "true")
.contentType(ContentType.JSON) .contentType(ContentType.JSON)
.get(url("/WebGoat/HttpProxies/intercept-request?changeMe=Requests are tampered easily")).then() .get(
.statusCode(200).extract().path("lessonCompleted"), CoreMatchers.is(true)); url("/WebGoat/HttpProxies/intercept-request?changeMe=Requests are tampered easily"))
.then()
.statusCode(200)
.extract()
.path("lessonCompleted"),
CoreMatchers.is(true));
checkResults("/HttpProxies/"); checkResults("/HttpProxies/");
} }
@ -141,7 +167,8 @@ public class GeneralLessonIntegrationTest extends IntegrationTest {
.post(url("/WebGoat/CrossSiteScripting/phone-home-xss")) .post(url("/WebGoat/CrossSiteScripting/phone-home-xss"))
.then() .then()
.statusCode(200) .statusCode(200)
.extract().path("output"); .extract()
.path("output");
String secretNumber = result.substring("phoneHome Response is ".length()); String secretNumber = result.substring("phoneHome Response is ".length());
params.clear(); params.clear();
@ -168,7 +195,6 @@ public class GeneralLessonIntegrationTest extends IntegrationTest {
params.put("userId", "12309746"); params.put("userId", "12309746");
checkAssignment(url("/auth-bypass/verify-account"), params, true); checkAssignment(url("/auth-bypass/verify-account"), params, true);
checkResults("/auth-bypass/"); checkResults("/auth-bypass/");
} }
@Test @Test
@ -180,7 +206,5 @@ public class GeneralLessonIntegrationTest extends IntegrationTest {
params.put("param2", "Main"); params.put("param2", "Main");
checkAssignment(url("/lesson-template/sample-attack"), params, true); checkAssignment(url("/lesson-template/sample-attack"), params, true);
checkResults("/lesson-template/"); checkResults("/lesson-template/");
} }
} }
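Review bot: In the `vulnerableComponents` hunk (`@ -53,28 +59,37 @@`) the new side wraps the whole test body in `if (StringUtils.hasText(System.getProperty("running.in.docker"))) { ... }`, so when the property is absent the test runs no `checkAssignment`/`checkResults` at all and is still reported green; a vacuously passing integration test hides the very regression it exists to catch. JUnit 5 already in the imports offers the right tool: replace the `if` with `Assumptions.assumeTrue(StringUtils.hasText(System.getProperty("running.in.docker")), "VulnerableComponents assignment only runs inside the docker image");` at the top of the method (adding `import org.junit.jupiter.api.Assumptions;`) so the run is reported as skipped, with the reason, rather than passed. The method's closing lines sit in the following hunk (`@ -82,6 +97,7 @@`), which is where the extra `}` for the dropped `if` would go. The `params.clear()` immediately after `new HashMap<>()` in the same hunk (and in the `cia` hunk above it) is a no-op that could be removed while this code is being touched.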