diff --git a/webgoat-lessons/http-proxies/src/main/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequest.java b/webgoat-lessons/http-proxies/src/main/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequest.java index 3c7d42f44..78100bc59 100644 --- a/webgoat-lessons/http-proxies/src/main/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequest.java +++ b/webgoat-lessons/http-proxies/src/main/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequest.java @@ -3,41 +3,37 @@ package org.owasp.webgoat.plugin; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; -import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.RequestMethod; -import org.springframework.web.bind.annotation.ResponseBody; - -import javax.servlet.http.HttpServletRequest; -import java.io.IOException; +import org.springframework.web.bind.MissingServletRequestParameterException; +import org.springframework.web.bind.annotation.*; /** * ************************************************************************************************* - * - * + *
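Review bot: `handleMissingParams()` in the second hunk lacks the `@ResponseBody` that `completed()` and `post()` carry, so unless `AssignmentEndpoint` is itself annotated `@RestController`/`@ResponseBody` (not visible here) the returned `AttackResult` would be resolved as a model attribute rather than serialised as JSON like its siblings. The handler also looks unreachable as written: both arguments are declared `required = false`, so `MissingServletRequestParameterException` should never be raised for this endpoint, whereas a header value that does not bind to `Boolean` raises `MethodArgumentTypeMismatchException` and would surface as a 400 instead of the lesson's failure feedback. Suggest `@ExceptionHandler({MissingServletRequestParameterException.class, MethodArgumentTypeMismatchException.class})` followed by `@ResponseBody` on that method (with the matching `org.springframework.web.method.annotation` import), plus a test in the accompanying test hunk that sends a non-boolean header value. Note that binding the header to `Boolean` also accepts tokens such as `1`, `yes` or `on`, so the check is wider than the removed `toLowerCase().equals("true")`; acceptable for a lesson, but worth a one-line comment above `completed()` so the widening is deliberate.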
+ *
* This file is part of WebGoat, an Open Web Application Security Project * utility. For details, please see http://www.owasp.org/ - * + *
* Copyright (c) 2002 - 20014 Bruce Mayhew - * + *
* This program is free software; you can redistribute it and/or modify it under * the terms of the GNU General Public License as published by the Free Software * Foundation; either version 2 of the License, or (at your option) any later * version. - * + *
* This program is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more * details. - * + *
* You should have received a copy of the GNU General Public License along with * this program; if not, write to the Free Software Foundation, Inc., 59 Temple * Place - Suite 330, Boston, MA 02111-1307, USA. - * + *
* Getting Source ============== - * + *
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository * for free software projects. - * + *
* For details, please see http://webgoat.github.io * * @author Bruce Mayhew WebGoat @@ -46,18 +42,25 @@ import java.io.IOException; @AssignmentPath("/HttpProxies/intercept-request") public class HttpBasicsInterceptRequest extends AssignmentEndpoint { - @RequestMapping(method = RequestMethod.GET) - public @ResponseBody - AttackResult completed(HttpServletRequest request) { - String header = null; - String param = null; - if (request != null && (header = request.getHeader("x-request-intercepted")) != null - && header.toLowerCase().equals("true") - && (param = request.getParameter("changeMe")) != null - && param.equals("Requests are tampered easily")) { + @GetMapping + @ResponseBody + public AttackResult completed(@RequestHeader(value = "x-request-intercepted", required = false) Boolean headerValue, + @RequestParam(value = "changeMe", required = false) String paramValue) { + if (headerValue != null && paramValue != null && headerValue && "Requests are tampered easily".equalsIgnoreCase(paramValue)) { return trackProgress(success().feedback("http-proxies.intercept.success").build()); - } else { + } else { return trackProgress(failed().feedback("http-proxies.intercept.failure").build()); } - } + } + + @PostMapping + @ResponseBody + public AttackResult post() { + return trackProgress(failed().feedback("http-proxies.intercept.failure").build()); + } + + @ExceptionHandler(MissingServletRequestParameterException.class) + public AttackResult handleMissingParams() { + return trackProgress(failed().feedback("http-proxies.intercept.failure").build()); + } } diff --git a/webgoat-lessons/http-proxies/src/test/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequestTest.java b/webgoat-lessons/http-proxies/src/test/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequestTest.java index 3de39b512..c6e8cc294 100644 --- a/webgoat-lessons/http-proxies/src/test/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequestTest.java 
+++ b/webgoat-lessons/http-proxies/src/test/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequestTest.java
@@ -69,4 +69,32 @@ public class HttpBasicsInterceptRequestTest extends AssignmentEndpointTest {
 .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("http-proxies.intercept.failure"))))
 .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
 }
+
+ @Test
+ public void missingParam() throws Exception {
+ mockMvc.perform(MockMvcRequestBuilders.get("/HttpProxies/intercept-request")
+ .header("x-request-intercepted", "false"))
+ .andExpect(status().isOk())
+ .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("http-proxies.intercept.failure"))))
+ .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+ }
+
+ @Test
+ public void missingHeader() throws Exception {
+ mockMvc.perform(MockMvcRequestBuilders.get("/HttpProxies/intercept-request")
+ .param("changeMe", "Requests are tampered easily"))
+ .andExpect(status().isOk())
+ .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("http-proxies.intercept.failure"))))
+ .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+ }
+
+ @Test
+ public void whenPostAssignmentShouldNotPass() throws Exception {
+ mockMvc.perform(MockMvcRequestBuilders.post("/HttpProxies/intercept-request")
+ .header("x-request-intercepted", "true")
+ .param("changeMe", "Requests are tampered easily"))
+ .andExpect(status().isOk())
+ .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("http-proxies.intercept.failure"))))
+ .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+ }
 }
\ No newline at end of file