From 6c25cf8e433db70aab9a1785f5331165adc914c3 Mon Sep 17 00:00:00 2001 
From: Nanne Baars Date: Tue, 3 Mar 2020 21:37:24 +0100 Subject: [PATCH] Add path traversal lesson --- .../assignments/AssignmentEndpoint.java | 4 +- .../webgoat/assignments/AttackResult.java | 15 +- .../org/owasp/webgoat/PathTraversalTest.java | 100 +++++++++ .../src/main/resources/html/AuthBypass.html | 4 +- .../resources/html/BypassRestrictions.html | 4 +- .../src/main/resources/html/Challenge1.html | 3 +- .../src/main/resources/html/Challenge5.html | 3 +- .../src/main/resources/html/Challenge6.html | 6 +- .../src/main/resources/html/Challenge7.html | 3 +- .../main/resources/html/ChromeDevTools.html | 9 +- .../cia/src/main/resources/html/CIA.html | 3 +- .../resources/html/ClientSideFiltering.html | 3 +- .../main/resources/html/CommandInjection.html | 3 +- .../resources/html/CrossSiteScripting.html | 15 +- .../html/CrossSiteScriptingMitigation.html | 4 +- .../html/CrossSiteScriptingStored.html | 3 +- .../csrf/src/main/resources/html/CSRF.html | 12 +- .../main/resources/html/HtmlTampering.html | 3 +- .../src/main/resources/html/HttpBasics.html | 8 +- .../src/main/resources/html/HttpProxies.html | 3 +- .../idor/src/main/resources/html/IDOR.html | 18 +- .../html/InsecureDeserialization.html | 3 +- .../main/resources/html/InsecureLogin.html | 6 +- .../jwt/src/main/resources/html/JWT.html | 9 +- .../main/resources/html/PasswordReset.html | 19 +- webgoat-lessons/path-traversal/pom.xml | 11 + .../webgoat/path_traversal/PathTraversal.java | 41 ++++ .../webgoat/path_traversal/ProfileUpload.java | 41 ++++ .../path_traversal/ProfileUploadBase.java | 93 ++++++++ .../path_traversal/ProfileUploadFix.java | 35 +++ .../ProfileUploadRemoveUserInput.java | 29 +++ .../ProfileUploadRetrieval.java | 88 ++++++++ .../src/main/resources/css/path_traversal.css | 57 +++++ .../main/resources/html/PathTraversal.html | 212 ++++++++++++++++++ .../resources/i18n/WebGoatLabels.properties | 46 ++++ .../src/main/resources/images/account.png | Bin 0 -> 8246 bytes 
.../src/main/resources/images/cats/1.jpg | Bin 0 -> 45017 bytes .../src/main/resources/images/cats/10.jpg | Bin 0 -> 30978 bytes .../src/main/resources/images/cats/2.jpg | Bin 0 -> 111122 bytes .../src/main/resources/images/cats/3.jpg | Bin 0 -> 88540 bytes .../src/main/resources/images/cats/4.jpg | Bin 0 -> 44158 bytes .../src/main/resources/images/cats/5.jpg | Bin 0 -> 55654 bytes .../src/main/resources/images/cats/6.jpg | Bin 0 -> 40226 bytes .../src/main/resources/images/cats/7.jpg | Bin 0 -> 121353 bytes .../src/main/resources/images/cats/8.jpg | Bin 0 -> 66214 bytes .../src/main/resources/images/cats/9.jpg | Bin 0 -> 55232 bytes .../src/main/resources/js/path_traversal.js | 62 +++++ .../lessonPlans/en/PathTraversal_intro.adoc | 37 +++ .../en/PathTraversal_retrieval.adoc | 6 + .../lessonPlans/en/PathTraversal_upload.adoc | 12 + .../en/PathTraversal_upload_fix.adoc | 11 + .../en/PathTraversal_upload_fixed.adoc | 12 + .../en/PathTraversal_upload_mitigation.adoc | 42 ++++ ...athTraversal_upload_remove_user_input.adoc | 14 ++ .../path_traversal/ProfileUploadFixTest.java | 58 +++++ .../ProfileUploadRemoveUserInputTest.java | 55 +++++ .../ProfileUploadRetrievalTest.java | 76 +++++++ .../path_traversal/ProfileUploadTest.java | 56 +++++ .../src/test/resources/banner.txt | 0 webgoat-lessons/pom.xml | 1 + .../main/resources/html/SecurePasswords.html | 1 - .../src/main/resources}/css/quiz.css | 0 .../src/main/resources/html/SqlInjection.html | 13 +- .../resources/html/SqlInjectionAdvanced.html | 12 +- .../html/SqlInjectionMitigations.html | 7 +- .../src/main/resources}/js/quiz.js | 0 .../ssrf/src/main/resources/html/SSRF.html | 6 +- .../resources/html/VulnerableComponents.html | 5 +- .../main/resources/html/LessonTemplate.html | 3 +- .../en/lesson-template-attack.adoc | 3 +- .../resources/html/WebWolfIntroduction.html | 9 +- webgoat-server/pom.xml | 15 +- 72 files changed, 1286 insertions(+), 146 deletions(-) create mode 100644 
webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalTest.java create mode 100644 webgoat-lessons/path-traversal/pom.xml create mode 100644 webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/PathTraversal.java create mode 100644 webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUpload.java create mode 100644 webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java create mode 100644 webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadFix.java create mode 100644 webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRemoveUserInput.java create mode 100644 webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java create mode 100644 webgoat-lessons/path-traversal/src/main/resources/css/path_traversal.css create mode 100644 webgoat-lessons/path-traversal/src/main/resources/html/PathTraversal.html create mode 100644 webgoat-lessons/path-traversal/src/main/resources/i18n/WebGoatLabels.properties create mode 100644 webgoat-lessons/path-traversal/src/main/resources/images/account.png create mode 100644 webgoat-lessons/path-traversal/src/main/resources/images/cats/1.jpg create mode 100644 webgoat-lessons/path-traversal/src/main/resources/images/cats/10.jpg create mode 100644 webgoat-lessons/path-traversal/src/main/resources/images/cats/2.jpg create mode 100644 webgoat-lessons/path-traversal/src/main/resources/images/cats/3.jpg create mode 100644 webgoat-lessons/path-traversal/src/main/resources/images/cats/4.jpg create mode 100644 webgoat-lessons/path-traversal/src/main/resources/images/cats/5.jpg create mode 100644 webgoat-lessons/path-traversal/src/main/resources/images/cats/6.jpg create mode 100644 webgoat-lessons/path-traversal/src/main/resources/images/cats/7.jpg create mode 100644 
webgoat-lessons/path-traversal/src/main/resources/images/cats/8.jpg create mode 100644 webgoat-lessons/path-traversal/src/main/resources/images/cats/9.jpg create mode 100644 webgoat-lessons/path-traversal/src/main/resources/js/path_traversal.js create mode 100644 webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_intro.adoc create mode 100644 webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_retrieval.adoc create mode 100644 webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_upload.adoc create mode 100644 webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_upload_fix.adoc create mode 100644 webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_upload_fixed.adoc create mode 100644 webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_upload_mitigation.adoc create mode 100644 webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_upload_remove_user_input.adoc create mode 100644 webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadFixTest.java create mode 100644 webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRemoveUserInputTest.java create mode 100644 webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrievalTest.java create mode 100644 webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadTest.java create mode 100644 webgoat-lessons/path-traversal/src/test/resources/banner.txt rename {webgoat-container/src/main/resources/static => webgoat-lessons/sql-injection/src/main/resources}/css/quiz.css (100%) rename {webgoat-container/src/main/resources/static => webgoat-lessons/sql-injection/src/main/resources}/js/quiz.js (100%) 
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java
index 823c04d6d..32b905952 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java
@@ -64,7 +64,7 @@ public abstract class AssignmentEndpoint {
 * @param assignment
 */
 protected AttackResult.AttackResultBuilder success(AssignmentEndpoint assignment) {
- return AttackResult.builder(messages).lessonCompleted(true).feedback("assignment.solved").assignment(assignment);
+ return AttackResult.builder(messages).lessonCompleted(true).attemptWasMade().feedback("assignment.solved").assignment(assignment);
 }
 
 /**
@@ -79,7 +79,7 @@ public abstract class AssignmentEndpoint {
 * @param assignment
 */
 protected AttackResult.AttackResultBuilder failed(AssignmentEndpoint assignment) {
- return AttackResult.builder(messages).lessonCompleted(false).feedback("assignment.not.solved").assignment(assignment);
+ return AttackResult.builder(messages).lessonCompleted(false).attemptWasMade().feedback("assignment.not.solved").assignment(assignment);
 }
 
 protected AttackResult.AttackResultBuilder informationMessage(AssignmentEndpoint assignment) {
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AttackResult.java b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AttackResult.java
index 87dbac643..1bc48609e 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AttackResult.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AttackResult.java
@@ -29,8 +29,6 @@
 import lombok.Getter;
 import org.apache.commons.lang3.StringEscapeUtils;
 import org.owasp.webgoat.i18n.PluginMessages;
 
-import java.util.Objects;
-
 
 public class AttackResult {
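Review bot: The `@param assignment` tags above `success` and `failed` are still empty while the builder these methods return now presets one more flag, so a reader of the Javadoc cannot tell that every result built from them reports `attemptWasMade`; fill the tag, e.g. `@param assignment the endpoint reporting the result; the returned builder already has lessonCompleted, attemptWasMade and the feedback key set`. `informationMessage`, whose signature is the last context line of the second hunk and whose body lies outside it, is not given `attemptWasMade()`; if informational results are deliberately not counted as attempts, say so in its Javadoc so the asymmetry is not read as an oversight.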
@@ -43,6 +41,7 @@ public class AttackResult {
 private String output;
 private Object[] outputArgs;
 private AssignmentEndpoint assignment;
+ private boolean attemptWasMade = false;
 
 public AttackResultBuilder(PluginMessages messages) {
 this.messages = messages;
@@ -80,8 +79,13 @@ public class AttackResult {
 return this;
 }
 
+ public AttackResultBuilder attemptWasMade() {
+ this.attemptWasMade = true;
+ return this;
+ }
+
 public AttackResult build() {
- return new AttackResult(lessonCompleted, messages.getMessage(feedbackResourceBundleKey, feedbackArgs), messages.getMessage(output, output, outputArgs), assignment.getClass().getSimpleName());
+ return new AttackResult(lessonCompleted, messages.getMessage(feedbackResourceBundleKey, feedbackArgs), messages.getMessage(output, output, outputArgs), assignment.getClass().getSimpleName(), attemptWasMade);
 }
 
 public AttackResultBuilder assignment(AssignmentEndpoint assignment) {
@@ -98,12 +102,15 @@ public class AttackResult {
 private String output;
 @Getter
 private final String assignment;
+ @Getter
+ private boolean attemptWasMade;
 
- public AttackResult(boolean lessonCompleted, String feedback, String output, String assignment) {
+ public AttackResult(boolean lessonCompleted, String feedback, String output, String assignment, boolean attemptWasMade) {
 this.lessonCompleted = lessonCompleted;
 this.feedback = StringEscapeUtils.escapeJson(feedback);
 this.output = StringEscapeUtils.escapeJson(output);
 this.assignment = assignment;
+ this.attemptWasMade = attemptWasMade;
 }
 
 public static AttackResultBuilder builder(PluginMessages messages) {
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalTest.java
new file mode 100644
index 000000000..728b35df4
--- /dev/null
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalTest.java
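Review bot: In the `@@ -98,12 +102,15 @@` hunk the new `attemptWasMade` field of `AttackResult` is declared non-final although, like the neighbouring `assignment`, it is only assigned in the constructor; declare it `private final boolean attemptWasMade;` so the result object stays immutable. The new constructor parameter and the builder's `attemptWasMade()` method in the `@@ -80,8 +79,13 @@` hunk carry no Javadoc; a one-liner on the builder method such as `/** Marks the built result as coming from a solve attempt. */` would record the intent. The `= false` initializer on the builder field in the first hunk is redundant for a boolean and can be dropped.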
@@ -0,0 +1,100 @@
+package org.owasp.webgoat;
+
+import io.restassured.RestAssured;
+import org.hamcrest.CoreMatchers;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TemporaryFolder;
+import org.springframework.security.core.token.Sha512DigestUtils;
+
+import java.io.File;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.util.Map;
+
+public class PathTraversalTest extends IntegrationTest {
+
+ private static String OS = System.getProperty("os.name").toLowerCase();
+ @Rule
+ public TemporaryFolder temporaryFolder = new TemporaryFolder();
+ private File folder;
+
+ @Before
+ public void setup() throws IOException {
+ this.folder = temporaryFolder.newFolder();
+ }
+
+ @Test
+ public void assignment1() throws IOException {
+ startLesson("PathTraversal");
+ var fileToUpload = temporaryFolder.newFile("test.jpg");
+ Files.write(fileToUpload.toPath(), "This is a test" .getBytes());
+
+ Assert.assertThat(
+ RestAssured.given()
+ .when()
+ .relaxedHTTPSValidation()
+ .cookie("JSESSIONID", getWebGoatCookie())
+ .multiPart("uploadedFile", "test.jpg", Files.readAllBytes(fileToUpload.toPath()))
+ .param("fullName", "../John Doe")
+ .post("/WebGoat/PathTraversal/profile-upload")
+ .then()
+ .statusCode(200)
+ .extract().path("lessonCompleted"), CoreMatchers.is(true));
+ }
+
+ @Test
+ public void assignment2() throws IOException {
+ startLesson("PathTraversal");
+ var fileToUpload = temporaryFolder.newFile("test.jpg");
+ Files.write(fileToUpload.toPath(), "This is a test" .getBytes());
+
+ Assert.assertThat(
+ RestAssured.given()
+ .when()
+ .relaxedHTTPSValidation()
+ .cookie("JSESSIONID", getWebGoatCookie())
+ .multiPart("uploadedFileFix", "test.jpg", Files.readAllBytes(fileToUpload.toPath()))
+ .param("fullNameFix", "..././John Doe")
+ .post("/WebGoat/PathTraversal/profile-upload-fix")
+ .then()
+ .statusCode(200)
+ .extract().path("lessonCompleted"), CoreMatchers.is(true));
+ }
+
+ @Test
+ public void assignment3() throws IOException {
+ startLesson("PathTraversal");
+ var fileToUpload = temporaryFolder.newFile("test.jpg");
+ Files.write(fileToUpload.toPath(), "This is a test" .getBytes());
+
+ Assert.assertThat(
+ RestAssured.given()
+ .when()
+ .relaxedHTTPSValidation()
+ .cookie("JSESSIONID", getWebGoatCookie())
+ .multiPart("uploadedFileRetrieval", "../test.jpg", Files.readAllBytes(fileToUpload.toPath()))
+ .post("/WebGoat/PathTraversal/profile-upload-remove-user-input")
+ .then()
+ .statusCode(200)
+ .extract().path("lessonCompleted"), CoreMatchers.is(true));
+ }
+
+ @Test
+ public void assignment4() throws IOException {
+ startLesson("PathTraversal");
+
+ RestAssured.given()
+ .when()
+ .relaxedHTTPSValidation()
+ .cookie("JSESSIONID", getWebGoatCookie())
+ .get("/WebGoat/PathTraversal/random?id=../../path-traversal-secret")
+ .then()
+ .statusCode(200)
+ .content(CoreMatchers.is("You found it submit the SHA-512 hash of your username as answer"));
+
+ checkAssignment("/WebGoat/PathTraversal/random", Map.of("secret", Sha512DigestUtils.shaHex(getWebgoatUser())), true);
+ }
+}
diff --git a/webgoat-lessons/auth-bypass/src/main/resources/html/AuthBypass.html b/webgoat-lessons/auth-bypass/src/main/resources/html/AuthBypass.html
index 88a7c908b..dcea54734 100644
--- a/webgoat-lessons/auth-bypass/src/main/resources/html/AuthBypass.html
+++ b/webgoat-lessons/auth-bypass/src/main/resources/html/AuthBypass.html
@@ -23,8 +23,7 @@
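Review bot: `OS`, `folder` and the `setup()` method declared at the top of this new test class are not used by any of the four test methods, and `OS` is a mutable static whose `toLowerCase()` depends on the default locale; remove the three members (or, if a later test needs the OS name, make it `private static final` and pass `Locale.ROOT`). The three `Files.write(fileToUpload.toPath(), "This is a test" .getBytes())` calls encode with the platform charset and carry a stray space; write `Files.write(fileToUpload.toPath(), "This is a test".getBytes(StandardCharsets.UTF_8));` with `java.nio.charset.StandardCharsets` imported. The create-fixture-and-upload sequence is repeated in `assignment1` to `assignment3` with only the multipart field, form parameter and endpoint varying, so a small private helper taking those three values would reduce each test to its assertion.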
+ action="/WebGoat/auth-bypass/verify-account">

Verify Your Account by answering the questions below:

What is the name of your favorite teacher?

@@ -45,7 +44,6 @@ method="POST" name="form" successCallback="onBypassResponse" action="/WebGoat/auth-bypass/verify-account" - enctype="application/json;charset=UTF-8" style="display:none">

Please provide a new password for your account

diff --git a/webgoat-lessons/bypass-restrictions/src/main/resources/html/BypassRestrictions.html b/webgoat-lessons/bypass-restrictions/src/main/resources/html/BypassRestrictions.html index c27984c4f..06ef097db 100755 --- a/webgoat-lessons/bypass-restrictions/src/main/resources/html/BypassRestrictions.html +++ b/webgoat-lessons/bypass-restrictions/src/main/resources/html/BypassRestrictions.html @@ -16,8 +16,7 @@
+ action="/WebGoat/BypassRestrictions/FieldRestrictions">
Select field with two possible values
diff --git a/webgoat-lessons/challenge/src/main/resources/html/Challenge6.html b/webgoat-lessons/challenge/src/main/resources/html/Challenge6.html index f34af864e..d6e174e20 100644 --- a/webgoat-lessons/challenge/src/main/resources/html/Challenge6.html +++ b/webgoat-lessons/challenge/src/main/resources/html/Challenge6.html @@ -29,8 +29,7 @@
+ action="/WebGoat/challenge/6" role="form">
@@ -65,8 +64,7 @@