From 6dc679e7b8c1c567a8985abb40fe00699d0d9b65 Mon Sep 17 00:00:00 2001
From: Rene Zubcevic
Date: Mon, 14 Oct 2019 21:14:18 +0200
Subject: [PATCH] final tests and fixed the issue of getting the name of the loggedinuser
---
 .../test/java/org/owasp/webgoat/CSRFTest.java | 79 ++++++++++++++++++-
 .../org/owasp/webgoat/csrf/CSRFLogin.java | 7 +-
 2 files changed, 82 insertions(+), 4 deletions(-)
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/CSRFTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/CSRFTest.java
index 86fd00e8c..f2ae9dd2a 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/CSRFTest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/CSRFTest.java
@@ -34,6 +34,14 @@ public class CSRFTest extends IntegrationTest {
 "\n" +
 "";
+ private static final String trickHTML8 = "
\n" + + "\n" + + "\n" + + "\n" + + "\n" + + "\n" + + "
";
+
 private String webwolfFileDir;
@@ -55,7 +63,12 @@ public class CSRFTest extends IntegrationTest {
 uploadTrickHtml("csrf7.html", trickHTML7.replace("WEBGOATURL", url("/csrf/feedback/message")));
 checkAssignment7(callTrickHtml("csrf7.html"));
- //checkResults("/csrf");
+ //Assignment 8
+ uploadTrickHtml("csrf8.html", trickHTML8.replace("WEBGOATURL", url("/login")).replace("USERNAME", getWebgoatUser()));
+ checkAssignment8(callTrickHtml("csrf8.html"));
+
+ login();//because old cookie got replaced and invalidated
+ checkResults("csrf");
 }
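Review bot: `checkResults("csrf")` drops the leading slash that the removed `//checkResults("/csrf");` line carried; checkResults is outside this hunk, so if it concatenates its argument into a URL one of the two spellings is wrong — worth checking against how the other lesson tests call it. The comment on `login();` states the effect but not the cause, which is the point of a login-CSRF test; I would write it as `// assignment 8 forged a login as the csrf- user, which replaced the victim's session, so the JSESSIONID the earlier assignments used is no longer valid` (that the forged login swaps the session is inferred from checkAssignment8, whose cookie handling lives in the next hunk). The enclosing test method begins before this hunk.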
@@ -156,4 +169,68 @@ public class CSRFTest extends IntegrationTest {
 }
+ private void checkAssignment8(String goatURL) {
+
+ //first make sure there is an attack csrf- user
+ registerCSRFUser();
+
+ Map params = new HashMap<>();
+ params.clear();
+ params.put("username", "csrf-"+getWebgoatUser());
+ params.put("password","password");
+
+ //login and get the new cookie
+ String newCookie = RestAssured.given()
+ .when()
+ .relaxedHTTPSValidation()
+ .cookie("JSESSIONID", getWebGoatCookie())
+ .header("Referer", webWolfUrl("/files/fake.html"))
+ .params(params)
+ .log().all()
+ .post(goatURL)
+ .then().log().all()
+ .extract().cookie("JSESSIONID");
+
+ //select the lesson
+ RestAssured.given()
+ .when()
+ .relaxedHTTPSValidation()
+ .cookie("JSESSIONID", newCookie)
+ .get(url("CSRF.lesson.lesson"))
+ .then()
+ .statusCode(200);
+
+ //click on the assignment
+ boolean result = RestAssured.given()
+ .when()
+ .relaxedHTTPSValidation()
+ .cookie("JSESSIONID", newCookie)
+ .log().all()
+ .post(url("/csrf/login"))
+ .then()
+ .log().all()
+ .statusCode(200)
+ .extract().path("lessonCompleted");
+
+ //vaidate the result
+ assertEquals(true, result);
+
+ }
+
+ /**
+ * Try to register the new user. Ignore the result.
+ */
+ public void registerCSRFUser() {
+
+ RestAssured.given()
+ .when()
+ .relaxedHTTPSValidation()
+ .formParam("username", "csrf-"+getWebgoatUser())
+ .formParam("password", "password")
+ .formParam("matchingPassword", "password")
+ .formParam("agree", "agree")
+ .post(url("register.mvc"));
+
+ }
+
 }
diff --git a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java b/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java
index 3cfa14bdb..5070dbbe3 100644
--- a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java
+++ b/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java
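Review bot: `.extract().cookie("JSESSIONID")` yields null when the forged login does not issue a fresh session cookie (for instance when `registerCSRFUser()` failed — its javadoc says the result is ignored and no status code is checked), and the two follow-up requests then send `.cookie("JSESSIONID", null)`, so the failure surfaces as a library error far from its cause; add `assertNotNull(newCookie);` right after the extraction, assuming it is statically imported alongside `assertEquals`. `Map params = new HashMap<>();` is a raw type and the `params.clear();` on a freshly created map is dead code — `Map<String, String> params = new HashMap<>();` alone is enough. `registerCSRFUser()` is the only `public` helper among `private` ones and is best-effort by design; making it `private` and logging a non-2xx response would keep that intent without hiding a real registration failure. Minor: `assertEquals(true, result)` reads better as `assertTrue(result)`, and the comment typo `vaidate` should be `validate`.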
@@ -22,9 +22,10 @@
 package org.owasp.webgoat.csrf;
+import javax.servlet.http.HttpServletRequest;
+
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.owasp.webgoat.users.UserTracker;
 import org.owasp.webgoat.users.UserTrackerRepository;
@@ -46,8 +47,8 @@ public class CSRFLogin extends AssignmentEndpoint {
 @PostMapping(path = "/csrf/login", produces = {"application/json"})
 @ResponseBody
- public AttackResult completed() {
- String userName = getWebSession().getUserName();
+ public AttackResult completed(HttpServletRequest request) {
+ String userName = request.getUserPrincipal().getName();
 if (userName.startsWith("csrf")) {
 markAssignmentSolvedWithRealUser(userName.substring("csrf-".length()));
 return trackProgress(success().feedback("csrf-login-success").build());
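Review bot: `request.getUserPrincipal()` returns null when the request carries no authenticated principal, so the new `String userName = request.getUserPrincipal().getName();` turns an unauthenticated or session-less POST to /csrf/login into a NullPointerException (a 500) instead of a lesson failure; guard it first with a null check on the principal and return the endpoint's failure result (the counterpart of the `success()` builder used below). The following `if (userName.startsWith("csrf"))` is also looser than the `"csrf-".length()` it strips: a real account named e.g. `csrfuser` passes the check and `markAssignmentSolvedWithRealUser` is then called for the unrelated user `ser`, so the test should be `if (userName.startsWith("csrf-")) {`. Whether the security filter chain guarantees a principal on this path cannot be seen here, and the method's closing lines are outside the hunk.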