dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add path traversal lesson

Browse Source
This commit is contained in:
Nanne Baars
2020-03-03 21:37:24 +01:00
committed by Nanne Baars
parent c4c28f544f
commit 6c25cf8e43
72 changed files with 1286 additions and 146 deletions
Download Patch File Download Diff File Expand all files Collapse all files

67
webgoat-lessons/sql-injection/src/main/resources/css/quiz.css Normal file
View File

@ -0,0 +1,67 @@
.attack-container.quiz {
background: none;
border: none;
}
#q_container p {
font-weight: bold;
}
#q_container .quiz_question {
border: solid 2px white;
padding: 4px;
margin: 5px 2px 20px 2px;
box-shadow: 0px 1px 3px 1px #e4e4e4;
}
#q_container .quiz_question label {
font-weight: normal;
position: relative;
top: -2px;
}
#q_container .quiz_question input {
-webkit-appearance: none;
-moz-appearance: none;
appearance: none;
border: 2px solid #dadada;
background: white;
width: 15px;
height: 15px;
margin-right: 6px;
}
#q_container .quiz_question input:checked {
background: #51b7ff;
}
#q_container .quiz_question input:hover,
#q_container .quiz_question label:hover {
cursor: pointer;
}
#q_container .quiz_question.correct {
border: solid 2px #ddf7dd;
background: #ddf7dd;
transition: all 300ms ease-in-out;
}
#q_container .quiz_question.incorrect {
border: solid 2px #f5d3d3;
background: #f5d3d3;
transition: all 300ms ease-in-out;
}
input[name='Quiz_solutions'] {
background: white;
border: 1px solid gray;
padding: 7px 10px;
transition: 300ms all ease-in-out;
}
input[name='Quiz_solutions']:hover {
background: #51b7ff;
color: white;
border-color: white;
transition: 300ms all ease-in-out;
}

13
webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html
View File

@ -16,7 +16,6 @@
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/SqlInjection/attack2"
enctype="application/json;charset=UTF-8"
autocomplete="off">
<table>
<tr>
@ -41,7 +40,6 @@
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/SqlInjection/attack3"
enctype="application/json;charset=UTF-8"
autocomplete="off">
<table>
<tr>
@ -66,7 +64,6 @@
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/SqlInjection/attack4"
enctype="application/json;charset=UTF-8"
autocomplete="off">
<table>
<tr>
@ -91,7 +88,6 @@
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/SqlInjection/attack5"
enctype="application/json;charset=UTF-8"
autocomplete="off">
<table>
<tr>
@ -147,8 +143,7 @@
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/SqlInjection/assignment5a"
enctype="application/json;charset=UTF-8">
action="/WebGoat/SqlInjection/assignment5a">
<table>
<tr>
<td>SELECT * FROM user_data WHERE first_name = 'John' AND last_name = '</td>
@ -193,8 +188,7 @@
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/SqlInjection/assignment5b"
enctype="application/json;charset=UTF-8">
action="/WebGoat/SqlInjection/assignment5b">
<table>
<tr>
<td>Login_Count:</td>
@ -223,7 +217,6 @@
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/SqlInjection/attack8"
enctype="application/json;charset=UTF-8"
autocomplete="off">
<table>
<tr>
@ -252,7 +245,6 @@
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/SqlInjection/attack9"
enctype="application/json;charset=UTF-8"
autocomplete="off">
<table>
<tr>
@ -282,7 +274,6 @@
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/SqlInjection/attack10"
enctype="application/json;charset=UTF-8"
autocomplete="off">
<table>
<tr>

12
webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionAdvanced.html
View File

@ -20,8 +20,7 @@
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/SqlInjectionAdvanced/attack6a"
enctype="application/json;charset=UTF-8">
action="/WebGoat/SqlInjectionAdvanced/attack6a">
<table>
<tr>
<td>Name:</td>
@ -34,8 +33,7 @@
</form>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/SqlInjectionAdvanced/attack6b"
enctype="application/json;charset=UTF-8">
action="/WebGoat/SqlInjectionAdvanced/attack6b">
<table>
<tr>
<td>Password:</td>
@ -82,7 +80,7 @@
<form id="login-form" class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/SqlInjectionAdvanced/challenge_Login"
enctype="application/json;charset=UTF-8" role="form">
role="form">
<div class="form-group">
<input type="text" name="username_login" id="username4" tabindex="1"
class="form-control" placeholder="Username" value=""/>
@ -118,7 +116,7 @@
<form id="register-form" class="attack-form" accept-charset="UNKNOWN"
method="PUT" name="form"
action="/WebGoat/SqlInjectionAdvanced/challenge"
enctype="application/json;charset=UTF-8" style="display: none;" role="form">
style="display: none;" role="form">
<div class="form-group">
<input type="text" name="username_reg" id="username" tabindex="1"
class="form-control" placeholder="Username" value=""/>
@ -171,7 +169,7 @@
<form id="quiz-form" class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/SqlInjectionAdvanced/quiz"
enctype="application/json;charset=UTF-8" role="form">
role="form">
<div id="q_container"></div>
<br />
<input name="Quiz_solutions" value="Submit answers" type="SUBMIT"/>

7
webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html
View File

@ -23,7 +23,7 @@
<div class="adoc-content" th:replace="doc:SqlInjection_jdbc_completion.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/SqlInjectionMitigations/attack10a" enctype="application/json;charset=UTF-8">
<form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/SqlInjectionMitigations/attack10a">
<div>
<p>Connection conn = DriverManager.<input type="text" name="field1" id="field1" />(DBURL, DBUSER, DBPW);</p>
<p><input type="text" name="field2" id="field2" /> = conn.<input type="text" name="field3" id="field3" />("SELECT status FROM users WHERE name=<input type="text" name="field4" id="field4" /> AND mail=<input type="text" name="field5" id="field5" />");</p>
@ -42,7 +42,7 @@
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:SqlInjection_jdbc_newcode.adoc"></div>
<div class="attack-container" style="border: none !important; height: 100%; min-height: 300px;">
<form id="codesubmit" style="height: 100%; min-height: 300px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/SqlInjectionMitigations/attack10b" enctype="application/json;charset=UTF-8">
<form id="codesubmit" style="height: 100%; min-height: 300px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/SqlInjectionMitigations/attack10b">
<div>
<div id="editor" style="position: absolute; top: 0; right: 0; bottom: 0; left: 0; height: 300px;" name="editor"></div>
<script th:src="@{/js/libs/ace/src-noconflict/ace.js}" type="text/javascript" charset="utf-8"></script>
@ -78,8 +78,7 @@
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/SqlInjectionMitigations/attack12a"
enctype="application/json;charset=UTF-8">
action="/WebGoat/SqlInjectionMitigations/attack12a">
<div class="container-fluid">
<div class="row">
<div class="panel panel-primary">

59
webgoat-lessons/sql-injection/src/main/resources/js/quiz.js Normal file
View File

@ -0,0 +1,59 @@
/**
This is the basic javascript that can be used for a quiz assignment. It is made for single choice quizzes (tho a multiple choice extension should be easy to make).
Basic steps for implementing a quiz:
1. HTML: include this js script file for the assignment, build a basic form, where you include a #q_container div element, create a submit button with "Quiz_solutions" as name attribute
2. JSON: Create a JSON-file with the name questions_lesson_name.json, include a span element #quiz_id with lesson_name as the data-quiz_id attribute. Build a JSON file like the one in sql-injection -> resources -> js
3. Java: Create a normal assignment that has a String[] where the correct solutions are contained in the form of "Solution [i]", replace [i] with the position of the solution beginning at 1.
The request parameters will contain the answer in full text with "Solution [i]" in front of the text. Use them to check the answers validity.
4. CSS: include the css/quiz.css file for styling.
**/
$(function () {
var json = "";
var client = new XMLHttpRequest();
var quiz_id = document.getElementById("quiz_id").getAttribute("data-quiz_id");
client.open('GET', '/WebGoat/lesson_js/questions_' + quiz_id + '.json');
client.onreadystatechange = function() {
if (this.readyState == 4 && this.status == 200) {
json += client.responseText;
console.log("entry");
let questionsJson = json;
var questionsObj = JSON.parse(questionsJson);
let html = "";
jQuery.each(questionsObj, function(i, obj) {
jQuery.each(obj, function(j, quest) {
html += "<div id='question_" + j + "' class='quiz_question' name='question'><p>" + (j+1) + ".&nbsp;" + quest.text + "</p>";
html += "<fieldset>";
jQuery.each(quest.solutions, function(k, solution) {
solution = "Solution " + k + ": " + solution;
html += '<input id="question_' + j + '_' + k + '_input" type="radio" name="question_' + j +'_solution" value="' + solution + '" required><label for="question_' + j + '_' + k + '_input">' + solution + '</label><br>';
});
html += "</fieldset></div>";
});
});
document.getElementById("q_container").innerHTML = html;
}
}
client.send();
});
$(document).ready( () => {
$("#q_container").closest(".attack-container").addClass("quiz");
$("#q_container").closest("form").on("submit", function(e) {
setTimeout(getFeedback, 200, this);
}); // end listener
}); // end ready
function getFeedback(context) {
$.ajax({
url: $(context).attr("action")
}).done( (result) => {
if (!result) return;
for(let i=0; i<result.length; i++) {
if (result[i] === true)
$("#q_container .quiz_question:nth-of-type(" + (i+1) + ")").removeClass("incorrect").addClass("correct");
else if (result[i] === false)
$("#q_container .quiz_question:nth-of-type(" + (i+1) + ")").removeClass("correct").addClass("incorrect");
}
}); // end ajax-done
} // end getFeedback