Merge branch 'feature/spring-boot' of https://github.com/WebGoat/WebGoat into feature/spring-boot

mayhew64 2016-11-15 19:38:26 -05:00
commit 67adddbffc
8 changed files with 78 additions and 78 deletions


@ -52,15 +52,27 @@ The "Easy Run" JAR file offers a no hassle approach to testing and running WebGo
wish to simply try/test/run the current development version of WebGoat wish to simply try/test/run the current development version of WebGoat
### Prerequisites: ### Prerequisites:
* Java VM 1.8 installed * Java VM 1.8 or Docker installed
## Easy Run Instructions: ## Easy Run Instructions:
#### 1. Download the easy run executable jar file which contains all the lessons and a embedded Tomcat server: #### 1. Docker image
The latest version of WebGoat is available at DockerHub, see [https://hub.docker.com/r/webgoat/webgoat-container/](https://hub.docker.com/r/webgoat/webgoat-container/).
First install Docker, then open a command shell/window and type:
```Shell
docker pull webgoat/webgoat-container
docker run -p 8080:8080 webgoat/webgoat-container
```
Wait for the Docker container to start and go to step 3.
#### 2. Download the easy run executable jar file which contains all the lessons and a embedded Tomcat server:
https://s3.amazonaws.com/webgoat-war/webgoat-container-7.0.1-war-exec.jar https://s3.amazonaws.com/webgoat-war/webgoat-container-7.0.1-war-exec.jar
#### 2. Run it using java: #### 3. Run it using java:
Open a command shell/window, browse to where you downloaded the easy run jar and type: Open a command shell/window, browse to where you downloaded the easy run jar and type:
@ -177,13 +189,17 @@ To be able to see which labels are loaded through a property file, open up the d
After the reload is complete, all labels which are loaded from a property file will be __marked green__. After the reload is complete, all labels which are loaded from a property file will be __marked green__.
## Docker support ## Building a new Docker image
WebGoat now has Docker support you can build a container with the following commands: WebGoat now has Docker support you can build a container with the following commands:
```Shell ```Shell
cd WebGoat cd WebGoat/
mvn -pl webgoat-container package docker:build mvn package
cd webgoat-container
mvn docker:build
docker login
docker push webgoat/webgoat-container
``` ```
With the following command you are able to run the Docker container on your local machine: With the following command you are able to run the Docker container on your local machine:
@ -194,4 +210,3 @@ docker ps
``` ```
With the last command you are able to determine ip address to connect to. With the last command you are able to determine ip address to connect to.
At the moment the Docker image is not distributed to a Docker registry.


@ -129,7 +129,6 @@
<commons-lang3.version>3.4</commons-lang3.version> <commons-lang3.version>3.4</commons-lang3.version>
<commons-logging.version>1.2</commons-logging.version> <commons-logging.version>1.2</commons-logging.version>
<coveralls-maven-plugin.version>4.0.0</coveralls-maven-plugin.version> <coveralls-maven-plugin.version>4.0.0</coveralls-maven-plugin.version>
<ecs.version>1.4.2</ecs.version>
<guava.version>18.0</guava.version> <guava.version>18.0</guava.version>
<h2.version>1.4.190</h2.version> <h2.version>1.4.190</h2.version>
<hsqldb.version>1.8.0.10</hsqldb.version> <hsqldb.version>1.8.0.10</hsqldb.version>


@ -252,11 +252,6 @@
<artifactId>wsdl4j</artifactId> <artifactId>wsdl4j</artifactId>
<version>${wsdl4j.version}</version> <version>${wsdl4j.version}</version>
</dependency> </dependency>
<dependency>
<groupId>ecs</groupId>
<artifactId>ecs</artifactId>
<version>${ecs.version}</version>
</dependency>
<dependency> <dependency>
<groupId>javax.transaction</groupId> <groupId>javax.transaction</groupId>
<artifactId>javax.transaction-api</artifactId> <artifactId>javax.transaction-api</artifactId>


@ -1,5 +1,6 @@
FROM frolvlad/alpine-oraclejdk8:slim FROM frolvlad/alpine-oraclejdk8:slim
VOLUME /tmp VOLUME /tmp
RUN cd /root; mkdir -p .webgoat
ADD webgoat-container-8.0-SNAPSHOT.war webgoat.jar ADD webgoat-container-8.0-SNAPSHOT.war webgoat.jar
RUN sh -c 'touch /webgoat.jar' RUN sh -c 'touch /webgoat.jar'
ENTRYPOINT ["java","-Djava.security.egd=file:/dev/./urandom","-jar","/webgoat.jar"] ENTRYPOINT ["java","-Djava.security.egd=file:/dev/./urandom","-jar","/webgoat.jar"]
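Review bot: `RUN cd /root; mkdir -p .webgoat` depends on the shell's working directory and on the build step running as root; `RUN mkdir -p /root/.webgoat` states the intent directly and does not rely on `cd` inside the RUN. The file declares no `USER`, so if the base image defaults to root (its default user is not visible here) the JVM started by `ENTRYPOINT` also runs as root; a dedicated unprivileged user that owns the `.webgoat` state directory, with the directory placed under that user's home, would be the least-privilege arrangement.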


@ -37,7 +37,7 @@
<form th:action="@{/login}" method='POST' style="width: 400px;"> <form th:action="@{/login}" method='POST' style="width: 400px;">
<div class="form-group"> <div class="form-group">
<label for="exampleInputEmail1">Username</label> <label for="exampleInputEmail1">Username</label>
<input type="text" class="form-control" id="exampleInputEmail1" placeholder="Username" name='username'/> <input autofocus="dummy_for_thymeleaf_parser" type="text" class="form-control" id="exampleInputEmail1" placeholder="Username" name='username'/>
</div> </div>
<div class="form-group"> <div class="form-group">
<label for="exampleInputPassword1">Password</label> <label for="exampleInputPassword1">Password</label>
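Review bot: `autofocus="dummy_for_thymeleaf_parser"` ships a placeholder value in the served markup; `autofocus` is a boolean attribute, so any value enables it, and the conventional XML-friendly spelling `autofocus="autofocus"` satisfies a parser that requires attribute values without the odd token. If the dummy value is needed for a specific parser quirk, a short comment next to the input, `<!-- autofocus needs an explicit value for the template parser -->`, saves the next reader the guess.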


@ -4,12 +4,11 @@ package org.owasp.webgoat.plugin;
* *
*/ */
import org.apache.ecs.html.TD; import com.google.common.collect.Lists;
import org.apache.ecs.html.TR; import com.google.common.collect.Maps;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.lessons.Endpoint; import org.owasp.webgoat.lessons.Endpoint;
import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.ResponseBody;
import org.w3c.dom.Node; import org.w3c.dom.Node;
import org.w3c.dom.NodeList; import org.w3c.dom.NodeList;
import org.xml.sax.InputSource; import org.xml.sax.InputSource;
@ -24,11 +23,14 @@ import javax.xml.xpath.XPathFactory;
import java.io.File; import java.io.File;
import java.io.FileInputStream; import java.io.FileInputStream;
import java.io.IOException; import java.io.IOException;
import java.util.List;
import java.util.Map;
public class Salaries extends Endpoint { public class Salaries extends Endpoint {
@RequestMapping(method = RequestMethod.GET) @RequestMapping(produces = {"application/json"})
public void invoke(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { @ResponseBody
public List<Map<String, Object>> invoke(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
String userId = req.getParameter("userId"); String userId = req.getParameter("userId");
NodeList nodes = null; NodeList nodes = null;
File d = new File(getPluginDirectory(), "ClientSideFiltering/html/employees.xml"); File d = new File(getPluginDirectory(), "ClientSideFiltering/html/employees.xml");
@ -52,49 +54,18 @@ public class Salaries extends Endpoint {
} catch (XPathExpressionException e) { } catch (XPathExpressionException e) {
e.printStackTrace(); e.printStackTrace();
} }
int nodesLength = nodes.getLength();
TR tr;
int COLUMNS = 5; int COLUMNS = 5;
List json = Lists.newArrayList();
Table t2 = null; java.util.Map<String, Object> employeeJson = Maps.newHashMap();
if (nodesLength > 0) { for (int i = 0; i < nodes.getLength(); i++) {
t2 = new Table().setCellSpacing(0).setCellPadding(0) if (i != 0 && i % COLUMNS == 0) {
.setBorder(1).setWidth("90%").setAlign("center"); employeeJson = Maps.newHashMap();
tr = new TR(); json.add(employeeJson);
tr.addElement(new TD().addElement("UserID")); }
tr.addElement(new TD().addElement("First Name"));
tr.addElement(new TD().addElement("Last Name"));
tr.addElement(new TD().addElement("SSN"));
tr.addElement(new TD().addElement("Salary"));
t2.addElement(tr);
}
tr = new TR();
for (int i = 0; i < nodesLength; i++) {
Node node = nodes.item(i); Node node = nodes.item(i);
employeeJson.put(node.getNodeName(), node.getTextContent());
if (i % COLUMNS == 0) {
tr = new TR();
tr.setID(node.getTextContent());
//tr.setStyle("display: none");
}
tr.addElement(new TD().addElement(node.getTextContent()));
if (i % COLUMNS == (COLUMNS - 1)) {
t2.addElement(tr);
}
}
if (t2 != null) {
resp.getWriter().println(t2.toString());
} else {
resp.getWriter().println("No Results");
} }
return json;
} }
@Override @Override
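Review bot: The first employee record is never returned: the `employeeJson` map created before the loop receives the first COLUMNS nodes, but the only `json.add(employeeJson)` is inside the branch guarded by `i != 0 &&`, which is skipped at `i == 0`, so that map is dropped while every later map is added. Dropping the guard, `if (i % COLUMNS == 0) {`, makes the first map be created and added inside the loop like the others, and the pre-loop `Maps.newHashMap()` can become a plain declaration. `List json = Lists.newArrayList();` is a raw type although the method now returns `List<Map<String, Object>>`; `List<Map<String, Object>> json = Lists.newArrayList();` also lets the next line use the already-imported `Map` instead of the fully-qualified `java.util.Map`. The grouping presumably relies on the XPath returning exactly five child nodes per employee in document order, which is not visible in this hunk and deserves a comment on `COLUMNS`. The body of `invoke` begins in the preceding hunk, outside this one.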


@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<Employees> <Employees>
<Employee > <Employee>
<UserID>101</UserID> <UserID>101</UserID>
<FirstName>Larry</FirstName> <FirstName>Larry</FirstName>
<LastName>Stooge</LastName> <LastName>Stooge</LastName>
@ -37,8 +37,8 @@
<DisciplinaryExplanation>Hit Curly over head</DisciplinaryExplanation> <DisciplinaryExplanation>Hit Curly over head</DisciplinaryExplanation>
<DisciplinaryDate>101013</DisciplinaryDate> <DisciplinaryDate>101013</DisciplinaryDate>
<Managers> <Managers>
<Manager>112</Manager> <Manager>112</Manager>
</Managers> </Managers>
</Employee> </Employee>
<Employee> <Employee>
<UserID>103</UserID> <UserID>103</UserID>
@ -248,7 +248,7 @@
<DisciplinaryExplanation></DisciplinaryExplanation> <DisciplinaryExplanation></DisciplinaryExplanation>
<DisciplinaryDate>112005</DisciplinaryDate> <DisciplinaryDate>112005</DisciplinaryDate>
<Managers> <Managers>
<Manager>112</Manager> <Manager>112</Manager>
</Managers> </Managers>
</Employee> </Employee>
</Employees> </Employees>


@ -15,8 +15,27 @@ function fetchUserData() {
function ajaxFunction(userId) { function ajaxFunction(userId) {
$.get("clientSideFiltering/salaries?userId=" + userId, function (result, status) { $.get("clientSideFiltering/salaries?userId=" + userId, function (result, status) {
var html = "<table border = '1' width = '90%' align = 'center'";
html = html + '<tr>';
html = html + '<td>UserID</td>';
html = html + '<td>First Name</td>';
html = html + '<td>Last Name</td>';
html = html + '<td>SSN</td>';
html = html + '<td>Salary</td>';
for (var i = 0; i < result.length; i++) {
html = html + '<tr id = "' + result[i].UserID + '"</tr>';
html = html + '<td>' + result[i].UserID + '</td>';
html = html + '<td>' + result[i].FirstName + '</td>';
html = html + '<td>' + result[i].LastName + '</td>';
html = html + '<td>' + result[i].SSN + '</td>';
html = html + '<td>' + result[i].Salary + '</td>';
html = html + '</tr>';
}
html = html + '</tr></table>';
var newdiv = document.createElement("div"); var newdiv = document.createElement("div");
newdiv.innerHTML = result; newdiv.innerHTML = html;
var container = document.getElementById("hiddenEmployeeRecords"); var container = document.getElementById("hiddenEmployeeRecords");
container.appendChild(newdiv); container.appendChild(newdiv);
}); });
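Review bot: The markup built in ajaxFunction is malformed: the `<table ...>` opening tag is never closed with `>`, the header `<tr>` is not closed before the loop, and each data row is written as `'<tr id = "' + result[i].UserID + '"</tr>'`, so the `id` attribute swallows the following cells and the trailing `'</tr></table>'` closes a row that was never opened; browsers will repair this differently, so the row ids the lesson appears to rely on are fragile as written. The employee fields are also concatenated straight into `innerHTML` without escaping; building the cells with `document.createElement` and `textContent`, or escaping the values before concatenation, keeps any markup present in the data inert. The rewritten lines follow; the surrounding `$.get` callback and the cell contents are unchanged.
```javascript
var html = "<table border='1' width='90%' align='center'>";
html = html + '<tr>';
// … unchanged: header cells …
html = html + '</tr>';
for (var i = 0; i < result.length; i++) {
    html = html + '<tr id="' + result[i].UserID + '">';
    // … unchanged: data cells …
    html = html + '</tr>';
}
html = html + '</table>';
```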