Fixed WebWolf issues with sending e-mails
This commit is contained in:
Nanne Baars
@ -2,8 +2,6 @@ package org.owasp.webwolf;
|
||||
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.owasp.webwolf.requests.WebWolfTraceRepository;
|
||||
import org.owasp.webwolf.user.UserRepository;
|
||||
import org.owasp.webwolf.user.WebGoatUserToCookieRepository;
|
||||
import org.springframework.boot.SpringApplication;
|
||||
import org.springframework.boot.actuate.trace.TraceRepository;
|
||||
import org.springframework.boot.autoconfigure.SpringBootApplication;
|
||||
@ -16,8 +14,8 @@ import org.springframework.context.annotation.Bean;
|
||||
public class WebWolf extends SpringBootServletInitializer {
|
||||
|
||||
@Bean
|
||||
public TraceRepository traceRepository(WebGoatUserToCookieRepository repository, UserRepository userRepository) {
|
||||
return new WebWolfTraceRepository(repository, userRepository);
|
||||
public TraceRepository traceRepository() {
|
||||
return new WebWolfTraceRepository();
|
||||
}
|
||||
|
||||
@Override
|
||||
|
||||
@ -5,9 +5,7 @@ import com.fasterxml.jackson.databind.ObjectMapper;
|
||||
import lombok.AllArgsConstructor;
|
||||
import lombok.Getter;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.owasp.webwolf.user.WebGoatUser;
|
||||
import org.springframework.boot.actuate.trace.Trace;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
import org.springframework.stereotype.Controller;
|
||||
import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
@ -46,8 +44,7 @@ public class Requests {
|
||||
@GetMapping
|
||||
public ModelAndView get(HttpServletRequest request) {
|
||||
ModelAndView m = new ModelAndView("requests");
|
||||
WebGoatUser user = (WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
|
||||
List<Tracert> traces = traceRepository.findTraceForUser(user.getUsername()).stream()
|
||||
List<Tracert> traces = traceRepository.findAllTraces().stream()
|
||||
.map(t -> new Tracert(t.getTimestamp(), path(t), toJsonString(t))).collect(toList());
|
||||
m.addObject("traces", traces);
|
||||
|
||||
|
||||
@ -1,30 +1,17 @@
|
||||
package org.owasp.webwolf.requests;
|
||||
|
||||
import com.google.common.cache.CacheBuilder;
|
||||
import com.google.common.cache.CacheLoader;
|
||||
import com.google.common.cache.LoadingCache;
|
||||
import com.google.common.collect.EvictingQueue;
|
||||
import com.google.common.collect.Lists;
|
||||
import com.google.common.collect.Maps;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.owasp.webwolf.user.UserRepository;
|
||||
import org.owasp.webwolf.user.WebGoatUser;
|
||||
import org.owasp.webwolf.user.WebGoatUserCookie;
|
||||
import org.owasp.webwolf.user.WebGoatUserToCookieRepository;
|
||||
import org.springframework.boot.actuate.trace.Trace;
|
||||
import org.springframework.boot.actuate.trace.TraceRepository;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
|
||||
import java.net.HttpCookie;
|
||||
import java.util.*;
|
||||
import java.util.concurrent.ConcurrentLinkedDeque;
|
||||
|
||||
import static java.util.Optional.empty;
|
||||
import static java.util.Optional.of;
|
||||
|
||||
/**
|
||||
* Keep track of all the incoming requests, we are only keeping track of request originating from
|
||||
* WebGoat and only if there is a cookie (otherwise we can never relate it back to a user).
|
||||
* WebGoat.
|
||||
*
|
||||
* @author nbaars
|
||||
* @since 8/13/17.
|
||||
@ -32,20 +19,7 @@ import static java.util.Optional.of;
|
||||
@Slf4j
|
||||
public class WebWolfTraceRepository implements TraceRepository {
|
||||
|
||||
private final LoadingCache<String, ConcurrentLinkedDeque<Trace>> cookieTraces = CacheBuilder.newBuilder()
|
||||
.maximumSize(4000).build(new CacheLoader<String, ConcurrentLinkedDeque<Trace>>() {
|
||||
@Override
|
||||
public ConcurrentLinkedDeque<Trace> load(String s) throws Exception {
|
||||
return new ConcurrentLinkedDeque<>();
|
||||
}
|
||||
});
|
||||
private final WebGoatUserToCookieRepository repository;
|
||||
private final UserRepository userRepository;
|
||||
|
||||
public WebWolfTraceRepository(WebGoatUserToCookieRepository repository, UserRepository userRepository) {
|
||||
this.repository = repository;
|
||||
this.userRepository = userRepository;
|
||||
}
|
||||
private final EvictingQueue<Trace> traces = EvictingQueue.create(10000);
|
||||
|
||||
@Override
|
||||
public List<Trace> findAll() {
|
||||
@ -55,59 +29,19 @@ public class WebWolfTraceRepository implements TraceRepository {
|
||||
return Lists.newArrayList(trace);
|
||||
}
|
||||
|
||||
public List<Trace> findTraceForUser(String username) {
|
||||
return Lists.newArrayList(cookieTraces.getUnchecked(username));
|
||||
public List<Trace> findAllTraces() {
|
||||
return Lists.newArrayList(traces);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void add(Map<String, Object> map) {
|
||||
Optional<String> host = getFromHeaders("host", map);
|
||||
String path = (String) map.getOrDefault("path", "");
|
||||
if (host.isPresent() && path.contains("/landing/")) {
|
||||
Optional<String> cookie = getFromHeaders("cookie", map);
|
||||
Optional<String> user = cookie.isPresent() ? findUserBasedOnCookie(cookie.get()) : getLoggedInUser();
|
||||
user.ifPresent(u -> {
|
||||
ConcurrentLinkedDeque<Trace> traces = this.cookieTraces.getUnchecked(u);
|
||||
traces.addFirst(new Trace(new Date(), map));
|
||||
cookieTraces.put(u, traces);
|
||||
});
|
||||
//No user found based on cookie and logged in user, so add the trace to all users
|
||||
//In case of XXE no cookie will be send we cannot retrieve who is logged in.
|
||||
//Standalone this is ok, in a challenge you need to make sure the solution or secret the users need to
|
||||
//fetch is unique
|
||||
if (!user.isPresent()) {
|
||||
List<WebGoatUser> users = this.userRepository.findAll();
|
||||
users.forEach(u -> {
|
||||
ConcurrentLinkedDeque<Trace> traces = this.cookieTraces.getUnchecked(u.getUsername());
|
||||
traces.addFirst(new Trace(new Date(), map));
|
||||
cookieTraces.put(u.getUsername(), traces);
|
||||
});
|
||||
}
|
||||
if (host.isPresent() && path.contains("/landing")) {
|
||||
traces.add(new Trace(new Date(), map));
|
||||
}
|
||||
}
|
||||
|
||||
private Optional<String> findUserBasedOnCookie(String cookiesIncomingRequest) {
|
||||
//Request from WebGoat to WebWolf will contain the session cookie of WebGoat try to map it to a user
|
||||
//this mapping is added to userSession by the CookieFilter in WebGoat code
|
||||
HttpCookie cookie = HttpCookie.parse(cookiesIncomingRequest).get(0);
|
||||
Optional<WebGoatUserCookie> userToCookie = repository.findByCookie(cookie.getValue());
|
||||
Optional<String> user = userToCookie.map(u -> u.getUsername());
|
||||
|
||||
return user;
|
||||
}
|
||||
|
||||
private Optional<String> getLoggedInUser() {
|
||||
Optional<String> user = empty();
|
||||
//User is maybe logged in to WebWolf use this user
|
||||
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
|
||||
if (authentication != null && authentication.getPrincipal() instanceof WebGoatUser) {
|
||||
WebGoatUser wg = (WebGoatUser) authentication.getPrincipal();
|
||||
user = of(wg.getUsername());
|
||||
}
|
||||
return user;
|
||||
}
|
||||
|
||||
|
||||
private Optional<String> getFromHeaders(String header, Map<String, Object> map) {
|
||||
Map<String, Object> headers = (Map<String, Object>) map.get("headers");
|
||||
if (headers != null) {
|
||||
|
||||
@ -1,14 +0,0 @@
|
||||
package org.owasp.webwolf.user;
|
||||
|
||||
import org.springframework.data.mongodb.repository.MongoRepository;
|
||||
|
||||
import java.util.Optional;
|
||||
|
||||
/**
|
||||
* @author nbaars
|
||||
* @since 8/20/17.
|
||||
*/
|
||||
public interface WebGoatUserToCookieRepository extends MongoRepository<WebGoatUserCookie, String> {
|
||||
|
||||
Optional<WebGoatUserCookie> findByCookie(String cookie);
|
||||
}
|
||||
Reference in New Issue
Block a user