dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fixed WebWolf issues with sending e-mails

Browse Source
This commit is contained in:
Nanne Baars 2017-11-15 11:58:31 +01:00
parent a543deca04
commit 6c91e7dc8a
11 changed files with 48 additions and 109 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.travis.yml
View File

@ -7,7 +7,7 @@ install: "/bin/true"
script:
- export BRANCH=$(if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then echo $TRAVIS_BRANCH; else echo $TRAVIS_PULL_REQUEST_BRANCH; fi)
- echo "TRAVIS_BRANCH=$TRAVIS_BRANCH, PR=$PR, BRANCH=$BRANCH"
- mvn clean install
- mvn clean install -q
cache:
directories:
- "$HOME/.m2"

29
CREATE_RELEASE.MD Normal file
View File

@ -0,0 +1,29 @@
## Release WebGoat
### Version numbers
For WebGoat we use milestone releases first before we release the official version, we use `v8.0.0.M3` while tagging
and 8.0.0.M3 in the `pom.xml`. When we create the final release we remove the milestone release and use
`v8.0.0` and 8.0.0 in the `pom.xml`
At the moment we use Gitflow, for a release you create a new release branch and take the following steps:
```
git checkout develop
git flow release start <version>
mvn versions:set <<version>
git commit -am "New release, updaing pom.xml"
git flow release publish
```
Now we can make a new release, be sure you committed all your changes.
```
git tag v8.0.0.M3
git push origin v8.0.0.M3
```
Now Travis takes over and will create the release in Github and on Docker Hub.

6
docker-compose.yml
View File

@ -1,12 +1,6 @@
version: '2.0'
services:
activemq:
image: webcenter/activemq:latest
ports:
- 8161:8161
- 61616:61616
- 61613:61613
mongo:
image: mongo:latest
expose:

2
webgoat-container/src/main/resources/application.properties
View File

@ -34,7 +34,7 @@ webwolf.host=${WEBWOLF_HOST:localhost}
webwolf.port=${WEBWOLF_PORT:8081}
webwolf.url=http://${webwolf.host}:${webwolf.port}/WebWolf
webworf.url.landingpage=http://${webwolf.host}:${webwolf.port}/landing
webworf.url.mail=http://${webwolf.host}:${webwolf.port}/mail
webwolf.url.mail=http://${webwolf.host}:${webwolf.port}/mail
spring.jackson.serialization.indent_output=true
spring.jackson.serialization.write-dates-as-timestamps=false

2
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge7/Assignment7.java
View File

@ -45,7 +45,7 @@ public class Assignment7 extends AssignmentEndpoint {
@Autowired
private RestTemplate restTemplate;
@Value("${webworf.url.mail}")
@Value("${webwolf.url.mail}")
private String webWolfMailURL;
@GetMapping("/reset-password/{link}")

6
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/plugin/MailAssignment.java
View File

@ -22,7 +22,7 @@ public class MailAssignment extends AssignmentEndpoint {
private final String webWolfURL;
private RestTemplate restTemplate;
public MailAssignment(RestTemplate restTemplate, @Value("${webwolf.url}") String webWolfURL) {
public MailAssignment(RestTemplate restTemplate, @Value("${webwolf.url.mail}") String webWolfURL) {
this.restTemplate = restTemplate;
this.webWolfURL = webWolfURL;
}
@ -36,10 +36,10 @@ public class MailAssignment extends AssignmentEndpoint {
.recipient(username)
.title("Test messages from WebWolf")
.time(LocalDateTime.now())
.contents("This is a test message from WebWolf, your unique code is" + StringUtils.reverse(username))
.contents("This is a test message from WebWolf, your unique code is: " + StringUtils.reverse(username))
.sender("webgoat@owasp.org")
.build();
restTemplate.postForEntity(webWolfURL + "/WebWolf/mail", mailEvent, Object.class);
restTemplate.postForEntity(webWolfURL, mailEvent, Object.class);
return informationMessage().feedback("webwolf.email_send").feedbackArgs(email).build();
} else {
return informationMessage().feedback("webwolf.email_mismatch").feedbackArgs(username).build();

5
webgoat-lessons/webwolf-introduction/src/main/resources/html/WebWolfIntroduction.html
View File

@ -12,9 +12,10 @@
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:Receiving_mail.adoc"></div>
<div class="attack-container">
<form accept-charset="UNKNOWN"
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/WebWolf/send"
action="/WebGoat/WebWolf/mail/send"
enctype="application/json;charset=UTF-8">
<div class="container-fluid">
<div class="row">

6
webwolf/src/main/java/org/owasp/webwolf/WebWolf.java
View File

@ -2,8 +2,6 @@ package org.owasp.webwolf;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webwolf.requests.WebWolfTraceRepository;
import org.owasp.webwolf.user.UserRepository;
import org.owasp.webwolf.user.WebGoatUserToCookieRepository;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.actuate.trace.TraceRepository;
import org.springframework.boot.autoconfigure.SpringBootApplication;
@ -16,8 +14,8 @@ import org.springframework.context.annotation.Bean;
public class WebWolf extends SpringBootServletInitializer {
@Bean
public TraceRepository traceRepository(WebGoatUserToCookieRepository repository, UserRepository userRepository) {
return new WebWolfTraceRepository(repository, userRepository);
public TraceRepository traceRepository() {
return new WebWolfTraceRepository();
}
@Override

5
webwolf/src/main/java/org/owasp/webwolf/requests/Requests.java
View File

@ -5,9 +5,7 @@ import com.fasterxml.jackson.databind.ObjectMapper;
import lombok.AllArgsConstructor;
import lombok.Getter;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webwolf.user.WebGoatUser;
import org.springframework.boot.actuate.trace.Trace;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
@ -46,8 +44,7 @@ public class Requests {
@GetMapping
public ModelAndView get(HttpServletRequest request) {
ModelAndView m = new ModelAndView("requests");
WebGoatUser user = (WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
List<Tracert> traces = traceRepository.findTraceForUser(user.getUsername()).stream()
List<Tracert> traces = traceRepository.findAllTraces().stream()
.map(t -> new Tracert(t.getTimestamp(), path(t), toJsonString(t))).collect(toList());
m.addObject("traces", traces);

80
webwolf/src/main/java/org/owasp/webwolf/requests/WebWolfTraceRepository.java
View File

@ -1,30 +1,17 @@
package org.owasp.webwolf.requests;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.common.collect.EvictingQueue;
import com.google.common.collect.Lists;
import com.google.common.collect.Maps;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webwolf.user.UserRepository;
import org.owasp.webwolf.user.WebGoatUser;
import org.owasp.webwolf.user.WebGoatUserCookie;
import org.owasp.webwolf.user.WebGoatUserToCookieRepository;
import org.springframework.boot.actuate.trace.Trace;
import org.springframework.boot.actuate.trace.TraceRepository;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import java.net.HttpCookie;
import java.util.*;
import java.util.concurrent.ConcurrentLinkedDeque;
import static java.util.Optional.empty;
import static java.util.Optional.of;
/**
* Keep track of all the incoming requests, we are only keeping track of request originating from
* WebGoat and only if there is a cookie (otherwise we can never relate it back to a user).
* WebGoat.
*
* @author nbaars
* @since 8/13/17.
@ -32,20 +19,7 @@ import static java.util.Optional.of;
@Slf4j
public class WebWolfTraceRepository implements TraceRepository {
private final LoadingCache<String, ConcurrentLinkedDeque<Trace>> cookieTraces = CacheBuilder.newBuilder()
.maximumSize(4000).build(new CacheLoader<String, ConcurrentLinkedDeque<Trace>>() {
@Override
public ConcurrentLinkedDeque<Trace> load(String s) throws Exception {
return new ConcurrentLinkedDeque<>();
}
});
private final WebGoatUserToCookieRepository repository;
private final UserRepository userRepository;
public WebWolfTraceRepository(WebGoatUserToCookieRepository repository, UserRepository userRepository) {
this.repository = repository;
this.userRepository = userRepository;
}
private final EvictingQueue<Trace> traces = EvictingQueue.create(10000);
@Override
public List<Trace> findAll() {
@ -55,59 +29,19 @@ public class WebWolfTraceRepository implements TraceRepository {
return Lists.newArrayList(trace);
}
public List<Trace> findTraceForUser(String username) {
return Lists.newArrayList(cookieTraces.getUnchecked(username));
public List<Trace> findAllTraces() {
return Lists.newArrayList(traces);
}
@Override
public void add(Map<String, Object> map) {
Optional<String> host = getFromHeaders("host", map);
String path = (String) map.getOrDefault("path", "");
if (host.isPresent() && path.contains("/landing/")) {
Optional<String> cookie = getFromHeaders("cookie", map);
Optional<String> user = cookie.isPresent() ? findUserBasedOnCookie(cookie.get()) : getLoggedInUser();
user.ifPresent(u -> {
ConcurrentLinkedDeque<Trace> traces = this.cookieTraces.getUnchecked(u);
traces.addFirst(new Trace(new Date(), map));
cookieTraces.put(u, traces);
});
//No user found based on cookie and logged in user, so add the trace to all users
//In case of XXE no cookie will be send we cannot retrieve who is logged in.
//Standalone this is ok, in a challenge you need to make sure the solution or secret the users need to
//fetch is unique
if (!user.isPresent()) {
List<WebGoatUser> users = this.userRepository.findAll();
users.forEach(u -> {
ConcurrentLinkedDeque<Trace> traces = this.cookieTraces.getUnchecked(u.getUsername());
traces.addFirst(new Trace(new Date(), map));
cookieTraces.put(u.getUsername(), traces);
});
}
if (host.isPresent() && path.contains("/landing")) {
traces.add(new Trace(new Date(), map));
}
}
private Optional<String> findUserBasedOnCookie(String cookiesIncomingRequest) {
//Request from WebGoat to WebWolf will contain the session cookie of WebGoat try to map it to a user
//this mapping is added to userSession by the CookieFilter in WebGoat code
HttpCookie cookie = HttpCookie.parse(cookiesIncomingRequest).get(0);
Optional<WebGoatUserCookie> userToCookie = repository.findByCookie(cookie.getValue());
Optional<String> user = userToCookie.map(u -> u.getUsername());
return user;
}
private Optional<String> getLoggedInUser() {
Optional<String> user = empty();
//User is maybe logged in to WebWolf use this user
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
if (authentication != null && authentication.getPrincipal() instanceof WebGoatUser) {
WebGoatUser wg = (WebGoatUser) authentication.getPrincipal();
user = of(wg.getUsername());
}
return user;
}
private Optional<String> getFromHeaders(String header, Map<String, Object> map) {
Map<String, Object> headers = (Map<String, Object>) map.get("headers");
if (headers != null) {

14
webwolf/src/main/java/org/owasp/webwolf/user/WebGoatUserToCookieRepository.java
View File

@ -1,14 +0,0 @@
package org.owasp.webwolf.user;
import org.springframework.data.mongodb.repository.MongoRepository;
import java.util.Optional;
/**
* @author nbaars
* @since 8/20/17.
*/
public interface WebGoatUserToCookieRepository extends MongoRepository<WebGoatUserCookie, String> {
Optional<WebGoatUserCookie> findByCookie(String cookie);
}