diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java
index 823c04d6d..32b905952 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java
@@ -64,7 +64,7 @@ public abstract class AssignmentEndpoint {
      * @param assignment
      */
     protected AttackResult.AttackResultBuilder success(AssignmentEndpoint assignment) {
-        return AttackResult.builder(messages).lessonCompleted(true).feedback("assignment.solved").assignment(assignment);
+        return AttackResult.builder(messages).lessonCompleted(true).attemptWasMade().feedback("assignment.solved").assignment(assignment);
     }
 
     /**
@@ -79,7 +79,7 @@ public abstract class AssignmentEndpoint {
      * @param assignment
      */
     protected AttackResult.AttackResultBuilder failed(AssignmentEndpoint assignment) {
-        return AttackResult.builder(messages).lessonCompleted(false).feedback("assignment.not.solved").assignment(assignment);
+        return AttackResult.builder(messages).lessonCompleted(false).attemptWasMade().feedback("assignment.not.solved").assignment(assignment);
     }
 
     protected AttackResult.AttackResultBuilder informationMessage(AssignmentEndpoint assignment) {
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AttackResult.java b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AttackResult.java
index 87dbac643..1bc48609e 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AttackResult.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AttackResult.java
@@ -29,8 +29,6 @@
 import lombok.Getter;
 import org.apache.commons.lang3.StringEscapeUtils;
 import org.owasp.webgoat.i18n.PluginMessages;
 
-import java.util.Objects;
-
 public class AttackResult {
 
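Review bot: The Javadoc above `success()` and `failed()` (its trailing `@param assignment` line is in each hunk) says nothing about the added `attemptWasMade()` call, so a reader of the endpoint API cannot tell that these two builders now flag the result as an attempt while `informationMessage()`, whose signature closes the second hunk, apparently does not. Suggest adding one sentence to each Javadoc, e.g. `Marks the result as an attempt at the assignment (see AttackResult.AttackResultBuilder#attemptWasMade()), unlike informationMessage().` Both Javadoc blocks begin above the hunks, and the body of `informationMessage()` is outside them, so whether it deliberately omits the flag is inferred rather than visible.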
@@ -43,6 +41,7 @@ public class AttackResult {
         private String output;
         private Object[] outputArgs;
         private AssignmentEndpoint assignment;
+        private boolean attemptWasMade = false;
 
         public AttackResultBuilder(PluginMessages messages) {
             this.messages = messages;
@@ -80,8 +79,13 @@ public class AttackResult {
             return this;
         }
 
+        public AttackResultBuilder attemptWasMade() {
+            this.attemptWasMade = true;
+            return this;
+        }
+
         public AttackResult build() {
-            return new AttackResult(lessonCompleted, messages.getMessage(feedbackResourceBundleKey, feedbackArgs), messages.getMessage(output, output, outputArgs), assignment.getClass().getSimpleName());
+            return new AttackResult(lessonCompleted, messages.getMessage(feedbackResourceBundleKey, feedbackArgs), messages.getMessage(output, output, outputArgs), assignment.getClass().getSimpleName(), attemptWasMade);
         }
 
         public AttackResultBuilder assignment(AssignmentEndpoint assignment) {
@@ -98,12 +102,15 @@ public class AttackResult {
     private String output;
     @Getter
     private final String assignment;
+    @Getter
+    private boolean attemptWasMade;
 
-    public AttackResult(boolean lessonCompleted, String feedback, String output, String assignment) {
+    public AttackResult(boolean lessonCompleted, String feedback, String output, String assignment, boolean attemptWasMade) {
         this.lessonCompleted = lessonCompleted;
         this.feedback = StringEscapeUtils.escapeJson(feedback);
         this.output = StringEscapeUtils.escapeJson(output);
         this.assignment = assignment;
+        this.attemptWasMade = attemptWasMade;
     }
 
     public static AttackResultBuilder builder(PluginMessages messages) {
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalTest.java
new file mode 100644
index 000000000..728b35df4
--- /dev/null
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalTest.java
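Review bot: `private boolean attemptWasMade;` in the `@@ -98,12 +102,15 @@` hunk is assigned exactly once, in the constructor, and read only through its `@Getter`, yet unlike the `private final String assignment;` directly above it the new field is mutable; `private final boolean attemptWasMade;` keeps the result object's immutability for this value. In the `@@ -43,6 +41,7 @@` hunk the builder field's `= false` initialiser only restates the default for a `boolean` and can be dropped. The new `attemptWasMade()` builder method in the `@@ -80,8 +79,13 @@` hunk has no Javadoc; a one-liner such as `/** Marks this result as an actual attempt at the assignment rather than an informational message. */` would document the intent, which is inferred from the `success()`/`failed()` callers rather than visible in this file.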
@@ -0,0 +1,100 @@
+package org.owasp.webgoat;
+
+import io.restassured.RestAssured;
+import org.hamcrest.CoreMatchers;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TemporaryFolder;
+import org.springframework.security.core.token.Sha512DigestUtils;
+
+import java.io.File;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.util.Map;
+
+public class PathTraversalTest extends IntegrationTest {
+
+    private static String OS = System.getProperty("os.name").toLowerCase();
+    @Rule
+    public TemporaryFolder temporaryFolder = new TemporaryFolder();
+    private File folder;
+
+    @Before
+    public void setup() throws IOException {
+        this.folder = temporaryFolder.newFolder();
+    }
+
+    @Test
+    public void assignment1() throws IOException {
+        startLesson("PathTraversal");
+        var fileToUpload = temporaryFolder.newFile("test.jpg");
+        Files.write(fileToUpload.toPath(), "This is a test" .getBytes());
+
+        Assert.assertThat(
+                RestAssured.given()
+                        .when()
+                        .relaxedHTTPSValidation()
+                        .cookie("JSESSIONID", getWebGoatCookie())
+                        .multiPart("uploadedFile", "test.jpg", Files.readAllBytes(fileToUpload.toPath()))
+                        .param("fullName", "../John Doe")
+                        .post("/WebGoat/PathTraversal/profile-upload")
+                        .then()
+                        .statusCode(200)
+                        .extract().path("lessonCompleted"), CoreMatchers.is(true));
+    }
+
+    @Test
+    public void assignment2() throws IOException {
+        startLesson("PathTraversal");
+        var fileToUpload = temporaryFolder.newFile("test.jpg");
+        Files.write(fileToUpload.toPath(), "This is a test" .getBytes());
+
+        Assert.assertThat(
+                RestAssured.given()
+                        .when()
+                        .relaxedHTTPSValidation()
+                        .cookie("JSESSIONID", getWebGoatCookie())
+                        .multiPart("uploadedFileFix", "test.jpg", Files.readAllBytes(fileToUpload.toPath()))
+                        .param("fullNameFix", "..././John Doe")
+                        .post("/WebGoat/PathTraversal/profile-upload-fix")
+                        .then()
+                        .statusCode(200)
+                        .extract().path("lessonCompleted"), CoreMatchers.is(true));
+    }
+
+    @Test
+    public void assignment3() throws IOException {
+        startLesson("PathTraversal");
+        var fileToUpload = temporaryFolder.newFile("test.jpg");
+        Files.write(fileToUpload.toPath(), "This is a test" .getBytes());
+
+        Assert.assertThat(
+                RestAssured.given()
+                        .when()
+                        .relaxedHTTPSValidation()
+                        .cookie("JSESSIONID", getWebGoatCookie())
+                        .multiPart("uploadedFileRetrieval", "../test.jpg", Files.readAllBytes(fileToUpload.toPath()))
+                        .post("/WebGoat/PathTraversal/profile-upload-remove-user-input")
+                        .then()
+                        .statusCode(200)
+                        .extract().path("lessonCompleted"), CoreMatchers.is(true));
+    }
+
+    @Test
+    public void assignment4() throws IOException {
+        startLesson("PathTraversal");
+
+        RestAssured.given()
+                .when()
+                .relaxedHTTPSValidation()
+                .cookie("JSESSIONID", getWebGoatCookie())
+                .get("/WebGoat/PathTraversal/random?id=../../path-traversal-secret")
+                .then()
+                .statusCode(200)
+                .content(CoreMatchers.is("You found it submit the SHA-512 hash of your username as answer"));
+
+        checkAssignment("/WebGoat/PathTraversal/random", Map.of("secret", Sha512DigestUtils.shaHex(getWebgoatUser())), true);
+    }
+}
diff --git a/webgoat-lessons/auth-bypass/src/main/resources/html/AuthBypass.html b/webgoat-lessons/auth-bypass/src/main/resources/html/AuthBypass.html
index 88a7c908b..dcea54734 100644
--- a/webgoat-lessons/auth-bypass/src/main/resources/html/AuthBypass.html
+++ b/webgoat-lessons/auth-bypass/src/main/resources/html/AuthBypass.html
@@ -23,8 +23,7 @@
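Review bot: `"This is a test" .getBytes()` in `assignment1()`, `assignment2()` and `assignment3()` encodes the fixture with the platform default charset, which on JDKs before 18 depends on the machine running the integration tests; `"This is a test".getBytes(StandardCharsets.UTF_8)` (with `import java.nio.charset.StandardCharsets;`) makes the uploaded bytes deterministic. The `private static String OS` field and the `folder` field assigned in `setup()` are never read anywhere in the class, so both, together with the `@Before` method, can be removed. `Assert.assertThat` is deprecated in recent JUnit 4 releases in favour of `org.hamcrest.MatcherAssert.assertThat`, if the project's JUnit version is one of those.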
+ action="/WebGoat/auth-bypass/verify-account">

Verify Your Account by answering the questions below:

What is the name of your favorite teacher?

@@ -45,7 +44,6 @@ method="POST" name="form" successCallback="onBypassResponse" action="/WebGoat/auth-bypass/verify-account" - enctype="application/json;charset=UTF-8" style="display:none">

Please provide a new password for your account

diff --git a/webgoat-lessons/bypass-restrictions/src/main/resources/html/BypassRestrictions.html b/webgoat-lessons/bypass-restrictions/src/main/resources/html/BypassRestrictions.html index c27984c4f..06ef097db 100755 --- a/webgoat-lessons/bypass-restrictions/src/main/resources/html/BypassRestrictions.html +++ b/webgoat-lessons/bypass-restrictions/src/main/resources/html/BypassRestrictions.html @@ -16,8 +16,7 @@
+ action="/WebGoat/BypassRestrictions/FieldRestrictions">
Select field with two possible values
diff --git a/webgoat-lessons/challenge/src/main/resources/html/Challenge6.html b/webgoat-lessons/challenge/src/main/resources/html/Challenge6.html index f34af864e..d6e174e20 100644 --- a/webgoat-lessons/challenge/src/main/resources/html/Challenge6.html +++ b/webgoat-lessons/challenge/src/main/resources/html/Challenge6.html @@ -29,8 +29,7 @@
+ action="/WebGoat/challenge/6" role="form">
@@ -65,8 +64,7 @@