dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Refactoring (#1201)

Browse Source 
* Some initial refactoring

* Make it one application

* Got it working

* Fix problem on Windows

* Move WebWolf

* Move first lesson

* Moved all lessons

* Fix pom.xml

* Fix tests

* Add option to initialize a lesson

This way we can create content for each user inside a lesson. The initialize method will be called when a new user is created or when a lesson reset happens

* Clean up pom.xml files

* Remove fetching labels based on language.

We only support English at the moment, all the lesson explanations are written in English which makes it very difficult to translate. If we only had labels it would make sense to support multiple languages

* Fix SonarLint issues

* And move it all to the main project

* Fix for documentation paths

* Fix pom warnings

* Remove PMD as it does not work

* Update release notes about refactoring

Update release notes about refactoring

Update release notes about refactoring

* Fix lesson template

* Update release notes

* Keep it in the same repo in Dockerhub

* Update documentation to show how the connection is obtained.

Resolves: #1180

* Rename all integration tests

* Remove command from Dockerfile

* Simplify GitHub actions

Currently, we use a separate actions for pull-requests and branch build.
This is now consolidated in one action.
The PR action triggers always, it now only trigger when the PR is
opened and not in draft.
Running all platforms on a branch build is a bit too much, it is better
 to only run all platforms when someone opens a PR.

* Remove duplicate entry from release notes

* Add explicit registry for base image

* Lesson scanner not working when fat jar

When running the fat jar we have to take into account we
are reading from the jar file and not the filesystem. In
this case you cannot use `getFile` for example.

* added info in README and fixed release docker

* changed base image and added ignore file

Co-authored-by: Zubcevic.com <rene@zubcevic.com>
This commit is contained in:
Nanne Baars
2022-04-09 14:56:12 +02:00
committed by GitHub
parent f3d8206a07
commit 711649924b
1130 changed files with 3540 additions and 7643 deletions
Download Patch File Download Diff File Expand all files Collapse all files

62
src/main/resources/application-webgoat.properties Normal file
View File

@ -0,0 +1,62 @@
server.error.include-stacktrace=always
server.error.path=/error.html
server.servlet.context-path=/WebGoat
server.servlet.session.persistent=false
server.port=${webgoat.port:8080}
server.address=${webgoat.host}
webgoat.host=${WEBGOAT_HOST:127.0.0.1}
spring.application.name=WebGoat
server.ssl.key-store-type=${WEBGOAT_KEYSTORE_TYPE:PKCS12}
server.ssl.key-store=${WEBGOAT_KEYSTORE:classpath:goatkeystore.pkcs12}
server.ssl.key-store-password=${WEBGOAT_KEYSTORE_PASSWORD:password}
server.ssl.key-alias=${WEBGOAT_KEY_ALIAS:goat}
server.ssl.enabled=${WEBGOAT_SSLENABLED:false}
spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/webgoat
spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect
spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver
spring.jpa.properties.hibernate.default_schema=CONTAINER
spring.banner.location=classpath:banner.txt
logging.level.org.thymeleaf=INFO
logging.level.org.thymeleaf.TemplateEngine.CONFIG=INFO
logging.level.org.thymeleaf.TemplateEngine.TIMER=INFO
logging.level.org.thymeleaf.TemplateEngine.cache.TEMPLATE_CACHE=INFO
logging.level.org.springframework.web=INFO
logging.level.org.springframework=INFO
logging.level.org.springframework.boot.devtools=INFO
logging.level.org.owasp=DEBUG
logging.level.org.owasp.webgoat=DEBUG
webgoat.server.directory=${user.home}/.webgoat-${webgoat.build.version}/
webgoat.user.directory=${user.home}/.webgoat-${webgoat.build.version}/
webgoat.build.version=@project.version@
webgoat.email=webgoat@owasp.org
webgoat.emaillist=owasp-webgoat@lists.owasp.org
webgoat.feedback.address=webgoat@owasp.org
webgoat.feedback.address.html=<A HREF=mailto:webgoat@owasp.org>webgoat@owasp.org</A>
webgoat.database.connection.string=jdbc:hsqldb:mem:{USER}
webgoat.default.language=en
webwolf.host=${WEBWOLF_HOST:127.0.0.1}
webwolf.port=${WEBWOLF_PORT:9090}
webwolf.url=http://${webwolf.host}:${webwolf.port}
webwolf.landingpage.url=${webwolf.url}/landing
webwolf.mail.url=${webwolf.url}/mail
spring.jackson.serialization.indent_output=true
spring.jackson.serialization.write-dates-as-timestamps=false
#For static file refresh ... and faster dev :D
spring.devtools.restart.additional-paths=webgoat-container/src/main/resources/static/js,webgoat-container/src/main/resources/static/css
exclude.categories=${EXCLUDE_CATEGORIES:none,none}
#exclude based on the enum of the Category
exclude.lessons=${EXCLUDE_LESSONS:none,none}
#exclude based on the class name of a lesson e.g.: LessonTemplate
management.health.db.enabled=true
management.endpoint.health.show-details=always
management.endpoints.web.exposure.include=env, health,configprops

48
src/main/resources/application-webwolf.properties Normal file
View File

@ -0,0 +1,48 @@
server.error.include-stacktrace=always
server.error.path=/error.html
server.port=${webwolf.port:9090}
server.address=${webwolf.host}
spring.application.name=WebWolf
webwolf.host=${WEBWOLF_HOST:127.0.0.1}
management.server.port=-1
server.servlet.session.cookie.name=WEBWOLFSESSION
server.servlet.session.timeout=6000
spring.flyway.enabled=false
spring.thymeleaf.prefix=classpath:/webwolf/templates/
spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/webgoat
spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect
spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver
spring.jpa.properties.hibernate.default_schema=CONTAINER
spring.messages.basename=i18n/messages
spring.jmx.enabled=false
logging.level.org.springframework=INFO
logging.level.org.springframework.boot.devtools=WARN
logging.level.org.owasp=DEBUG
logging.level.org.owasp.webwolf=TRACE
management.trace.http.include=REQUEST_HEADERS,RESPONSE_HEADERS,COOKIE_HEADERS,TIME_TAKEN
management.endpoint.httptrace.enabled=true
spring.thymeleaf.cache=false
multipart.enabled=true
multipart.file-size-threshold=0 #
multipart.location=${java.io.tmpdir}
multipart.max-file-size=1Mb
multipart.max-request-size=1Mb
webgoat.build.version=@project.version@
webgoat.server.directory=${user.home}/.webgoat-${webgoat.build.version}/
webwolf.fileserver.location=${java.io.tmpdir}/webwolf-fileserver
spring.jackson.serialization.indent_output=true
spring.jackson.serialization.write-dates-as-timestamps=false
#For static file refresh ... and faster dev :D
spring.devtools.restart.additional-paths=webwolf/src/main/resources/static/

6
src/main/resources/banner.txt Normal file
View File

@ -0,0 +1,6 @@
__ __ _ _____ _
\ \ / / | | / ____| | |
\ \ /\ / / ___ | |__ | | __ ___ __ _ | |_
\ \/ \/ / / _ \ | '_ \ | | |_ | / _ \ / _' | | __|
\ /\ / | __/ | |_) | | |__| | | (_) | | (_| | | |_
\/ \/ \___| |_.__/ \_____| \___/ \__,_| \__|

66
src/main/resources/db/container/V1__init.sql Normal file
View File

@ -0,0 +1,66 @@
-- This statement is here the schema is always created even if we use Flyway directly like in test-cases
-- For the normal WebGoat server there is a bean which already provided the schema (and creates it see DatabaseInitialization)
CREATE SCHEMA IF NOT EXISTS CONTAINER;
CREATE SEQUENCE CONTAINER.HIBERNATE_SEQUENCE;
CREATE TABLE CONTAINER.ASSIGNMENT (
ID BIGINT NOT NULL PRIMARY KEY,
NAME VARCHAR(255),
PATH VARCHAR(255)
);
CREATE TABLE CONTAINER.LESSON_TRACKER(
ID BIGINT NOT NULL PRIMARY KEY,
LESSON_NAME VARCHAR(255),
NUMBER_OF_ATTEMPTS INTEGER NOT NULL
);
CREATE TABLE CONTAINER.LESSON_TRACKER_ALL_ASSIGNMENTS(
LESSON_TRACKER_ID BIGINT NOT NULL,
ALL_ASSIGNMENTS_ID BIGINT NOT NULL,
PRIMARY KEY(LESSON_TRACKER_ID,ALL_ASSIGNMENTS_ID),
CONSTRAINT FKNHIDKE27BCJHI8C7WJ9QW6Y3Q FOREIGN KEY(ALL_ASSIGNMENTS_ID) REFERENCES CONTAINER.ASSIGNMENT(ID),
CONSTRAINT FKBM51QSDJ7N17O2DNATGAMW7D FOREIGN KEY(LESSON_TRACKER_ID) REFERENCES CONTAINER.LESSON_TRACKER(ID),
CONSTRAINT UK_SYGJY2S8O8DDGA2K5YHBMUVEA UNIQUE(ALL_ASSIGNMENTS_ID)
);
CREATE TABLE CONTAINER.LESSON_TRACKER_SOLVED_ASSIGNMENTS(
LESSON_TRACKER_ID BIGINT NOT NULL,
SOLVED_ASSIGNMENTS_ID BIGINT NOT NULL,
PRIMARY KEY(LESSON_TRACKER_ID,SOLVED_ASSIGNMENTS_ID),
CONSTRAINT FKPP850U1MG09YKKL2EQGM0TRJK FOREIGN KEY(SOLVED_ASSIGNMENTS_ID) REFERENCES CONTAINER.ASSIGNMENT(ID),
CONSTRAINT FKNKRWGA1UHLOQ6732SQXHXXSCR FOREIGN KEY(LESSON_TRACKER_ID) REFERENCES CONTAINER.LESSON_TRACKER(ID),
CONSTRAINT UK_9WFYDUY3TVE1XD05LWOUEG0C1 UNIQUE(SOLVED_ASSIGNMENTS_ID)
);
CREATE TABLE CONTAINER.USER_TRACKER(
ID BIGINT NOT NULL PRIMARY KEY,
USERNAME VARCHAR(255)
);
CREATE TABLE CONTAINER.USER_TRACKER_LESSON_TRACKERS(
USER_TRACKER_ID BIGINT NOT NULL,
LESSON_TRACKERS_ID BIGINT NOT NULL,
PRIMARY KEY(USER_TRACKER_ID,LESSON_TRACKERS_ID),
CONSTRAINT FKQJSTCA3YND3OHP35D50PNUH3H FOREIGN KEY(LESSON_TRACKERS_ID) REFERENCES CONTAINER.LESSON_TRACKER(ID),
CONSTRAINT FKC9GX8INK7LRC79XC77O2MN9KE FOREIGN KEY(USER_TRACKER_ID) REFERENCES CONTAINER.USER_TRACKER(ID),
CONSTRAINT UK_5D8N5I3IC26CVF7DF7N95DOJB UNIQUE(LESSON_TRACKERS_ID)
);
CREATE TABLE CONTAINER.WEB_GOAT_USER(
USERNAME VARCHAR(255) NOT NULL PRIMARY KEY,
PASSWORD VARCHAR(255),
ROLE VARCHAR(255)
);
CREATE TABLE CONTAINER.EMAIL(
ID BIGINT GENERATED BY DEFAULT AS IDENTITY(START WITH 1) NOT NULL PRIMARY KEY,
CONTENTS VARCHAR(1024),
RECIPIENT VARCHAR(255),
SENDER VARCHAR(255),
TIME TIMESTAMP,
TITLE VARCHAR(255)
);
ALTER TABLE CONTAINER.EMAIL ALTER COLUMN ID RESTART WITH 2;

1
src/main/resources/db/container/V2__version.sql Normal file
View File

@ -0,0 +1 @@
ALTER TABLE CONTAINER.LESSON_TRACKER ADD VERSION INTEGER;

BIN
src/main/resources/goatkeystore.pkcs12 Normal file
View File

Binary file not shown.

65
src/main/resources/i18n/messages.properties Normal file
View File

@ -0,0 +1,65 @@
#
# This file is part of WebGoat, an Open Web Application Security Project utility. For details,
# please see http://www.owasp.org/
# <p>
# Copyright (c) 2002 - 2017 Bruce Mayhew
# <p>
# This program is free software; you can redistribute it and/or modify it under the terms of the
# GNU General Public License as published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
# <p>
# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
# <p>
# You should have received a copy of the GNU General Public License along with this program; if
# not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
# 02111-1307, USA.
# <p>
# Getting Source ==============
# <p>
# Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
# projects.
# <p>
#
lesson.completed=Congratulations. You have successfully completed this lesson.
assignment.solved=Congratulations. You have successfully completed the assignment.
assignment.not.solved=Sorry the solution is not correct, please try again.
RestartLesson=Restart this Lesson
SolutionVideos=Solution Videos
ErrorGenerating=Error generating
InvalidData=Invalid Data
Go!=Go!
password=Password
password.confirm=Confirm password
username=Username
logged_out=You've been logged out successfully.
invalid_username_password=Invalid username and password.
login.page.title=Login Page
accounts.build.in=The following accounts are built into WebGoat
accounts.table.account=Account
accounts.table.user=User
accounts.table.password=Password
logout=Logout
version=Version
build=Build
report.card=Report card
about=About WebGoat
contact=Contact Us
show.hints=Show hints
lesson.overview=Lesson overview
reset.lesson=Reset lesson
sign.in=Sign in
register.new=Register new user
sign.up=Sign up
register.title=Register
not.empty=This field is required.
username.size=Please use between 6 and 10 characters.
username.duplicate=User already exists.
password.size=Password should at least contain 6 characters
password.diff=The passwords do not match.
security.enabled=Security enabled, you can try the previous challenges and see the effect!
security.disabled=Security enabled, you can try the previous challenges and see the effect!

32
src/main/resources/i18n/messages_de.properties Normal file
View File

@ -0,0 +1,32 @@
#
# This file is part of WebGoat, an Open Web Application Security Project utility. For details,
# please see http://www.owasp.org/
# <p>
# Copyright (c) 2002 - 2017 Bruce Mayhew
# <p>
# This program is free software; you can redistribute it and/or modify it under the terms of the
# GNU General Public License as published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
# <p>
# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
# <p>
# You should have received a copy of the GNU General Public License along with this program; if
# not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
# 02111-1307, USA.
# <p>
# Getting Source ==============
# <p>
# Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
# projects.
# <p>
#
#General
LessonCompleted=Herzlichen Gl\u00fcckwunsch! Sie haben diese Lektion erfolgreich abgeschlossen.
RestartLesson=Lektion neu beginnen
SolutionVideos=L\u00f6sungsvideos
ErrorGenerating=Fehler beim Generieren von
InvalidData=Ung\u00fcltige Daten
Go!=Los gehts!

32
src/main/resources/i18n/messages_fr.properties Normal file
View File

@ -0,0 +1,32 @@
#
# This file is part of WebGoat, an Open Web Application Security Project utility. For details,
# please see http://www.owasp.org/
# <p>
# Copyright (c) 2002 - 2017 Bruce Mayhew
# <p>
# This program is free software; you can redistribute it and/or modify it under the terms of the
# GNU General Public License as published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
# <p>
# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
# <p>
# You should have received a copy of the GNU General Public License along with this program; if
# not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
# 02111-1307, USA.
# <p>
# Getting Source ==============
# <p>
# Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
# projects.
# <p>
#
#General
LessonCompleted=F\u00e9licitations. Vous avez termin\u00e9 cette le\u00e7on avec succ\u00e9s.
RestartLesson=Recommencer cette le\u00e7on
SolutionVideos=Solution vid\u00e9os
ErrorGenerating=Error generating
InvalidData=Donn\u00e9e invalide
Go!=Go!

49
src/main/resources/i18n/messages_nl.properties Normal file
View File

@ -0,0 +1,49 @@
#
# This file is part of WebGoat, an Open Web Application Security Project utility. For details,
# please see http://www.owasp.org/
# <p>
# Copyright (c) 2002 - 2017 Bruce Mayhew
# <p>
# This program is free software; you can redistribute it and/or modify it under the terms of the
# GNU General Public License as published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
# <p>
# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
# <p>
# You should have received a copy of the GNU General Public License along with this program; if
# not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
# 02111-1307, USA.
# <p>
# Getting Source ==============
# <p>
# Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
# projects.
# <p>
#
LessonCompleted=Gefeliciteerd, je hebt de les succesvol afgerond.
RestartLesson=Herstart de les
SolutionVideos=Video oplossingen
ErrorGenerating=Fout opgetreden tijdens generatie
InvalidData=Ongeldige invoer
Go!=Go!
password=Wachtwoord
username=Gebruikersnaam
logged_out=Je bent succesvol uitgelogd.
invalid_username_password=Ongeldige gebruikersnaam/wachtwoord combinatie
login.page.title=Inlog pagina
accounts.build.in=De volgende account zijn standaard beschikbaar binnen WebGoat
accounts.table.account=Account
accounts.table.user=Gebruikersnaam
accounts.table.password=Wachtwoord
logout=Uitloggen
version=Versie
build=Build
report.card=Rapport
about=Over WebGoat
contact=Neem contact met ons op
show.hints=Toon hints
lesson.overview=Overzicht les
reset.lesson=Herstart les
sign.in=Log in

32
src/main/resources/i18n/messages_ru.properties Normal file
View File

@ -0,0 +1,32 @@
#
# This file is part of WebGoat, an Open Web Application Security Project utility. For details,
# please see http://www.owasp.org/
# <p>
# Copyright (c) 2002 - 2017 Bruce Mayhew
# <p>
# This program is free software; you can redistribute it and/or modify it under the terms of the
# GNU General Public License as published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
# <p>
# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
# <p>
# You should have received a copy of the GNU General Public License along with this program; if
# not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
# 02111-1307, USA.
# <p>
# Getting Source ==============
# <p>
# Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
# projects.
# <p>
#
#General
LessonCompleted=\u041f\u043e\u0437\u0434\u0440\u0430\u0432\u043b\u044f\u044e. \u0412\u044b \u043f\u043e\u043b\u043d\u043e\u0441\u0442\u044c\u044e \u043f\u0440\u043e\u0448\u043b\u0438 \u0434\u0430\u043d\u043d\u044b\u0439 \u0443\u0440\u043e\u043a.
RestartLesson=\u041d\u0430\u0447\u0430\u043b\u044c \u0441\u043d\u0430\u0447\u0430\u043b\u0430
SolutionVideos=\u0412\u0438\u0434\u0435\u043e \u0441 \u0440\u0435\u0448\u0435\u043d\u0438\u0435\u043c
ErrorGenerating=\u041f\u0440\u043e\u0438\u0437\u043e\u0448\u043b\u0430 \u043e\u0448\u0438\u0431\u043a\u0430
InvalidData=\u041d\u0435\u0432\u0435\u0440\u043d\u044b\u0435 \u0434\u0430\u043d\u043d\u044b\u0435
Go!=\u0412\u043f\u0435\u0440\u0451\u0434!

15
src/main/resources/lessons/auth_bypass/documentation/2fa-bypass.adoc Normal file
View File

@ -0,0 +1,15 @@
== 2FA Password Reset
An excellent example of authentication bypass is a recent (2016) example (https://henryhoggard.co.uk/blog/Paypal-2FA-Bypass). He could not receive an SMS with a code, so he opted for
an alternative method, which involved security questions. Using a proxy, removed the parameters entirely and won.
image::images/paypal-2fa-bypass.png[Paypal 2FA bypass,1397,645,style="lesson-image"]
=== The Scenario
You reset your password, but do it from a location or device that your provider does not recognize. So you need to answer the security questions you set up. The other issue is
Those security questions are also stored on another device (not with you), and you don't remember them.
You have already provided your username/email and opted for the alternative verification method.

15
src/main/resources/lessons/auth_bypass/documentation/bypass-intro.adoc Normal file
View File

@ -0,0 +1,15 @@
== Authentication Bypasses
Authentication Bypasses happen in many ways but usually take advantage of some flaw in the configuration or logic. Tampering to achieve the right conditions.
=== Hidden inputs
The simplest form is a reliance on a hidden input in the web page/DOM.
=== Removing Parameters
Sometimes, if an attacker doesn't know the correct value of a parameter, they may remove it from the submission altogether to see what happens.
=== Forced Browsing
If an area of a site is not appropriately protected by configuration, that area of the site may be accessed by guessing/brute-forcing.

7
src/main/resources/lessons/auth_bypass/documentation/lesson-template-video.adoc Normal file
View File

@ -0,0 +1,7 @@
=== More Content, Video too ...
You can structure and format the content however you like. You can even include video if you like (but may be subject to browser support). You may want to make it more pertinent to web application security than this, though.
video::video/sample-video.m4v[width=480,start=5]
see http://asciidoctor.org/docs/asciidoc-syntax-quick-reference/#videos for more detail on video syntax

86
src/main/resources/lessons/auth_bypass/html/AuthBypass.html Normal file
View File

@ -0,0 +1,86 @@
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:lessons/auth_bypass/documentation/bypass-intro.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:lessons/auth_bypass/documentation/2fa-bypass.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
<!-- modify the action to point to the intended endpoint and set other attributes as desired -->
<script th:src="@{/lesson_js/bypass.js}" />
<form class="attack-form" accept-charset="UNKNOWN" id="verify-account-form"
method="POST" name="form"
successCallback="onBypassResponse"
action="/WebGoat/auth-bypass/verify-account">
<p>Verify Your Account by answering the questions below:</p>
<p>What is the name of your favorite teacher?</p>
<input name="secQuestion0" value="" type="TEXT" /><br/>
<p>What is the name of the street you grew up on?</p>
<input name="secQuestion1" value="" type="TEXT" /><br/><br />
<input type="hidden" name="jsEnabled" value="1" />
<input type="hidden" name="verifyMethod" value="SEC_QUESTIONS" />
<input type="hidden" name="userId" value="12309746" />
<input name="submit" value="Submit" type="submit"/>
</form>
<form class="attack-form" accept-charset="UNKNOWN" id="change-password-form"
method="POST" name="form"
successCallback="onBypassResponse"
action="/WebGoat/auth-bypass/verify-account"
style="display:none"><!-- start off hidden -->
<p>Please provide a new password for your account</p>
<p>Password:</p>
<input name="newPassword" value="" type="password" /><br/>
<p>Confirm Password:</p>
<input name="newPasswordConfirm" value="" type="password" /><br/><br />
<input type="hidden" name="userId" value="12309746" />
<input name="submit" value="Submit" type="submit"/>
</form>
<!-- do not remove the two following div's, this is where your feedback/output will land -->
<!-- the attack response will include a 'feedback' and that will automatically go here -->
<div class="attack-feedback"></div>
<!-- output is intended to be a simulation of what the screen would display in an attack -->
<div class="attack-output"></div>
</div>
</div>
<!--<div class="lesson-page-wrapper">-->
<!-- reuse the above lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<!--<div class="adoc-content" th:replace="doc:lessons/auth_bypass/documentation/lesson-template-video.adoc"></div>-->
<!-- can use multiple adoc's in a page-wrapper if you want ... or not-->
<!--<div class="adoc-content" th:replace="doc:lessons/auth_bypass/documentation/lesson-template-attack.adoc"></div>-->
<!-- WebGoat will automatically style and scaffold some functionality by using the div.attack-container as below -->
<!--</div>-->
<!-- repeat and mix-and-match the lesson-page-wrappers with or wihtout the attack-containers as you like ...
see other lessons for other more complex examples -->
</html>

11
src/main/resources/lessons/auth_bypass/i18n/WebGoatLabels.properties Normal file
View File

@ -0,0 +1,11 @@
auth-bypass.title=Authentication Bypasses
verify-account.cheated=It appears you may be using source code to cheat.While that's always helpful when hacking. Please try again.
verify-account.failed=Not quite, please try again.
verify-account.success=Congrats, you have successfully verified the account without actually verifying it. You can now change your password!
auth-bypass.hints.verify.1=The attack on this is similar to the story referenced, but not exactly the same.
auth-bypass.hints.verify.2=You do want to tamper the security question parameters, but not delete them
auth-bypass.hints.verify.3=The logic to verify the account does expect 2 security questions to be answered, but there is a flaw in the implementation
auth-bypass.hints.verify.4=Have you tried renaming the secQuestion0 and secQuestion1 parameters?

BIN
src/main/resources/lessons/auth_bypass/images/firefox-proxy-config.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 200 KiB

BIN
src/main/resources/lessons/auth_bypass/images/paypal-2fa-bypass.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 125 KiB

15
src/main/resources/lessons/auth_bypass/js/bypass.js Normal file
View File

@ -0,0 +1,15 @@
// need custom js for this?
webgoat.customjs.onBypassResponse = function(data) {
webgoat.customjs.jquery('#verify-account-form').hide();
webgoat.customjs.jquery('#change-password-form').show();
}
var onViewProfile = function () {
console.warn("on view profile activated")
webgoat.customjs.jquery.ajax({
method: "GET",
url: "/WebGoat/IDOR/profile",
contentType: 'application/json; charset=UTF-8'
}).then(webgoat.customjs.idorViewProfile);
}

5
src/main/resources/lessons/bypass_restrictions/css/bypass-restrictions.css Normal file
View File

@ -0,0 +1,5 @@
.bypass-input-container {
position: relative;
padding: 7px;
margin-top: 7px;
}

6
src/main/resources/lessons/bypass_restrictions/documentation/BypassRestrictions_FieldRestrictions.adoc Executable file
View File

@ -0,0 +1,6 @@
== Field Restrictions
In most browsers, the client has complete or almost complete control over the HTML part
of the webpage. They can alter values or restrictions to fit their preference.
=== Task
Send a request that bypasses restrictions of all four of these fields.

9
src/main/resources/lessons/bypass_restrictions/documentation/BypassRestrictions_FrontendValidation.adoc Normal file
View File

@ -0,0 +1,9 @@
== Validation
There is often some mechanism in place to prevent users from sending altered
field values to the server, such as validation before sending. Most popular browsers
such as Chrome don't allow editing scripts during runtime. We will have to circumvent
the validation some other way.
=== Task
Send a request that does not fit the regular expression above the field in all fields.

10
src/main/resources/lessons/bypass_restrictions/documentation/BypassRestrictions_Intro.adoc Executable file
View File

@ -0,0 +1,10 @@
== Concept
Users have a great degree of control over the web application's front-end.
They can alter HTML code, sometimes also scripts. Applications that require a certain input format should also validate on the server-side.
== Goals
* The user should have a basic knowledge of HTML
* The user should be able to tamper with a request before sending (with proxy or other tools)
* The user will be able to tamper with field restrictions and bypass client-side validation

167
src/main/resources/lessons/bypass_restrictions/html/BypassRestrictions.html Executable file
View File

@ -0,0 +1,167 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org" xmlns="http://www.w3.org/1999/html">
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:lessons/bypass_restrictions/documentation/BypassRestrictions_Intro.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- stripped down without extra comments -->
<div class="adoc-content" th:replace="doc:lessons/bypass_restrictions/documentation/BypassRestrictions_FieldRestrictions.adoc"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/bypass-restrictions.css}"/>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container-fluid">
<form class="attack-form" accept-charset="UNKNOWN" name="fieldRestrictions"
method="POST"
action="/WebGoat/BypassRestrictions/FieldRestrictions">
<div class="bypass-input-container"><b>Select field with two possible value</b>
<div class="input-group">
<select name="select">
<option value="option1">Option 1</option>
<option value="option2">Option 2</option>
</select>
</div>
</div>
<div class="bypass-input-container"><b>Radio button with two possible values</b>
<div class="input-group">
<input type="radio" name="radio" value="option1" checked="checked"/> Option 1<br/>
<input type="radio" name="radio" value="option2"/> Option 2<br/>
</div>
</div>
<div class="bypass-input-container"><b>Checkbox: value either on or off</b>
<div class="input-group">
<input type="checkbox" name="checkbox" checked="checked"> Checkbox</input>
</div>
</div>
<div class="bypass-input-container"><b>Input restricted to max 5 characters</b>
<div class="input-group"><input type="text" value="12345" name="shortInput" maxlength="5"/>
</div>
</div>
<div class="bypass-input-container"><b>Readonly input field</b>
<div class="input-group">
<input type="text" value="change" readonly="readonly" name="readOnlyInput"/>
</div>
</div>
<br>
<input type="submit" class="btn btn-primary" value="Submit"/>
</form>
</div>
<br/>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/bypass_restrictions/documentation/BypassRestrictions_FrontendValidation.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" name="frontendValidation"
id="frontendValidation"
method="POST"
action="/WebGoat/BypassRestrictions/frontendValidation/"
onsubmit="return validate()">
<div>
<strong>Field 1:</strong> exactly three lowercase characters(^[a-z]{3}$)
</div>
<div>
<textarea cols="25" name="field1" rows="1">abc</textarea>
</div>
<p></p>
<div><strong>Field 2:</strong> exactly three digits(^[0-9]{3}$)</div>
<div>
<textarea cols="25" name="field2" rows="1">123</textarea>
</div>
<p></p>
<div><strong>Field 3:</strong> letters, numbers, and space only(^[a-zA-Z0-9 ]*$)</div>
<div>
<textarea cols="25" name="field3" rows="1">abc 123 ABC</textarea>
</div>
<p></p>
<div><strong>Field 4:</strong> enumeration of numbers (^(one|two|three|four|five|six|seven|eight|nine)$)
</div>
<div>
<textarea cols="25" name="field4" rows="1">seven</textarea>
</div>
<p></p>
<div><strong>Field 5:</strong> simple zip code (^\d{5}$)</div>
<div>
<textarea cols="25" name="field5" rows="1">01101</textarea>
</div>
<p></p>
<div><strong>Field 6:</strong> zip with optional dash four (^\d{5}(-\d{4})?$)</div>
<div>
<textarea cols="25" name="field6" rows="1">90210-1111</textarea>
</div>
<p></p>
<div><strong>Field 7:</strong> US phone number with or without dashes (^[2-9]\d{2}-?\d{3}-?\d{4}$)</div>
<div>
<textarea cols="25" name="field7" rows="1">301-604-4882</textarea>
</div>
<input type="hidden" value="" name="error"/>
<p>
<button type="submit" class="btn btn-primary">Submit</button>
</p>
</form>
<script>
var regex1 = /^[a-z]{3}$/;
var regex2 = /^[0-9]{3}$/;
var regex3 = /^[a-zA-Z0-9 ]*$/;
var regex4 = /^(one|two|three|four|five|six|seven|eight|nine)$/;
var regex5 = /^\d{5}$/;
var regex6 = /^\d{5}(-\d{4})?$/;
var regex7 = /^[2-9]\d{2}-?\d{3}-?\d{4}$/;
var validate = function () {
var msg = 'JavaScript found form errors';
var err = 0;
if (!regex1.test(document.frontendValidation.field1.value)) {
err += 1;
msg += '\n Value entered for field 1 is not correct';
}
if (!regex2.test(document.frontendValidation.field2.value)) {
err += 1;
msg += '\n Value entered for field 2 is not correct';
}
if (!regex3.test(document.frontendValidation.field3.value)) {
err += 1;
msg += '\n Value entered for field 3 is not correct';
}
if (!regex4.test(document.frontendValidation.field4.value)) {
err += 1;
msg += '\n Value entered for field 4 is not correct';
}
if (!regex5.test(document.frontendValidation.field5.value)) {
err += 1;
msg += '\n Value entered for field 5 is not correct';
}
if (!regex6.test(document.frontendValidation.field6.value)) {
err += 1;
msg += '\n Value entered for field 6 is not correct';
}
if (!regex7.test(document.frontendValidation.field7.value)) {
err += 1;
msg += '\n Value entered for field 7 is not correct';
}
document.frontendValidation.error.value = err
if (err > 0) {
alert(msg)
return false;
}
return true;
}
</script>
<br/>
<br/>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</html>

4
src/main/resources/lessons/bypass_restrictions/i18n/WebGoatLabels.properties Executable file
View File

@ -0,0 +1,4 @@
bypass-restrictions.title=Bypass front-end restrictions
bypass-restrictions.intercept.success=Well done, you intercepted the request as expected
bypass-restrictions.intercept.failure=Please try again. Make sure to make all the changes. And case sensitivity may matter ... or not, you never know!

BIN
src/main/resources/lessons/challenges/challenge7/git.zip Normal file
View File

Binary file not shown.

96
src/main/resources/lessons/challenges/css/challenge6.css Normal file
View File

@ -0,0 +1,96 @@
.panel-login {
border-color: #ccc;
-webkit-box-shadow: 0px 2px 3px 0px rgba(0,0,0,0.2);
-moz-box-shadow: 0px 2px 3px 0px rgba(0,0,0,0.2);
box-shadow: 0px 2px 3px 0px rgba(0,0,0,0.2);
}
.panel-login>.panel-heading {
color: #00415d;
background-color: #fff;
border-color: #fff;
text-align:center;
}
.panel-login>.panel-heading a{
text-decoration: none;
color: #666;
font-weight: bold;
font-size: 15px;
-webkit-transition: all 0.1s linear;
-moz-transition: all 0.1s linear;
transition: all 0.1s linear;
}
.panel-login>.panel-heading a.active{
color: #029f5b;
font-size: 18px;
}
.panel-login>.panel-heading hr{
margin-top: 10px;
margin-bottom: 0px;
clear: both;
border: 0;
height: 1px;
background-image: -webkit-linear-gradient(left,rgba(0, 0, 0, 0),rgba(0, 0, 0, 0.15),rgba(0, 0, 0, 0));
background-image: -moz-linear-gradient(left,rgba(0,0,0,0),rgba(0,0,0,0.15),rgba(0,0,0,0));
background-image: -ms-linear-gradient(left,rgba(0,0,0,0),rgba(0,0,0,0.15),rgba(0,0,0,0));
background-image: -o-linear-gradient(left,rgba(0,0,0,0),rgba(0,0,0,0.15),rgba(0,0,0,0));
}
.panel-login input[type="text"],.panel-login input[type="email"],.panel-login input[type="password"] {
height: 45px;
border: 1px solid #ddd;
font-size: 16px;
-webkit-transition: all 0.1s linear;
-moz-transition: all 0.1s linear;
transition: all 0.1s linear;
}
.panel-login input:hover,
.panel-login input:focus {
outline:none;
-webkit-box-shadow: none;
-moz-box-shadow: none;
box-shadow: none;
border-color: #ccc;
}
.btn-login {
background-color: #59B2E0;
outline: none;
color: #fff;
font-size: 14px;
height: auto;
font-weight: normal;
padding: 14px 0;
text-transform: uppercase;
border-color: #59B2E6;
}
.btn-login:hover,
.btn-login:focus {
color: #fff;
background-color: #53A3CD;
border-color: #53A3CD;
}
.forgot-password {
text-decoration: underline;
color: #888;
}
.forgot-password:hover,
.forgot-password:focus {
text-decoration: underline;
color: #666;
}
.btn-register {
background-color: #1CB94E;
outline: none;
color: #fff;
font-size: 14px;
height: auto;
font-weight: normal;
padding: 14px 0;
text-transform: uppercase;
border-color: #1CB94A;
}
.btn-register:hover,
.btn-register:focus {
color: #fff;
background-color: #1CA347;
border-color: #1CA347;
}

43
src/main/resources/lessons/challenges/css/challenge8.css Normal file
View File

@ -0,0 +1,43 @@
.btn-grey{
background-color:#D8D8D8;
color:#FFF;
}
.rating-block{
background-color:#FAFAFA;
border:1px solid #EFEFEF;
padding:15px 15px 20px 15px;
border-radius:3px;
}
.bold{
font-weight:700;
}
.padding-bottom-7{
padding-bottom:7px;
}
.review-block{
background-color:#FAFAFA;
border:1px solid #EFEFEF;
padding:15px;
border-radius:3px;
margin-bottom:15px;
}
.review-block-name{
font-size:12px;
margin:10px 0;
}
.review-block-date{
font-size:12px;
}
.review-block-rate{
font-size:13px;
margin-bottom:15px;
}
.review-block-title{
font-size:15px;
font-weight:700;
margin-bottom:10px;
}
.review-block-description{
font-size:13px;
}

11
src/main/resources/lessons/challenges/db/migration/V2018_09_26_1__users.sql Normal file
View File

@ -0,0 +1,11 @@
--Challenge 5 - Creating tables for users
CREATE TABLE challenge_users(
userid varchar(250),
email varchar(30),
password varchar(30)
);
INSERT INTO challenge_users VALUES ('larry', 'larry@webgoat.org', 'larryknows');
INSERT INTO challenge_users VALUES ('tom', 'tom@webgoat.org', 'thisisasecretfortomonly');
INSERT INTO challenge_users VALUES ('alice', 'alice@webgoat.org', 'rt*(KJ()LP())$#**');
INSERT INTO challenge_users VALUES ('eve', 'eve@webgoat.org', '**********');

1
src/main/resources/lessons/challenges/documentation/Challenge_1.adoc Normal file
View File

@ -0,0 +1 @@
The admin forgot where the password is stashed, can you help?

1
src/main/resources/lessons/challenges/documentation/Challenge_5.adoc Normal file
View File

@ -0,0 +1 @@
Can you login as Larry?

1
src/main/resources/lessons/challenges/documentation/Challenge_6.adoc Normal file
View File

@ -0,0 +1 @@
Can you login as Tom? It may be a little harder than it was for Larry.

1
src/main/resources/lessons/challenges/documentation/Challenge_7.adoc Normal file
View File

@ -0,0 +1 @@
Try to reset the password for admin.

1
src/main/resources/lessons/challenges/documentation/Challenge_8.adoc Normal file
View File

@ -0,0 +1 @@
Can you still vote?

29
src/main/resources/lessons/challenges/documentation/Challenge_introduction.adoc Normal file
View File

@ -0,0 +1,29 @@
=== Welcome to the WebGoat challenge (CTF)
==== Introduction
The challenges contain more a CTF like lessons where we do not provide any explanations what you need to do, no hints
will be provided. You can use these challenges in a CTF style where you can run WebGoat on one server and all
participants can join and hack the challenges. A scoreboard is available at link:/WebGoat/scoreboard["/WebGoat/scoreboard",window=_blank]
:hardbreaks:
In this CTF you will need to solve a couple of challenges, each challenge will give you a flag which you will
need to post in order to gain points.
Flags have the following format: `a7179f89-906b-4fec-9d99-f15b796e7208`
==== Rules
- Do not try to hack the competition infrastructure. If you happen to find a bug or vulnerability please send us
an e-mail.
- Play fair, do not try sabotage other competing teams, or in any way hindering the progress of another team.
- Brute forcing of challenges / flags is not allowed.
:hardbreaks:
*Have fun!!*
Team WebGoat
image::images/boss.jpg[]

9
src/main/resources/lessons/challenges/html/Challenge.html Normal file
View File

@ -0,0 +1,9 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_introduction.adoc"></div>
</div>
</html>

63
src/main/resources/lessons/challenges/html/Challenge1.html Normal file
View File

@ -0,0 +1,63 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_introduction.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container-fluid">
<div class="panel panel-default">
<div class="panel-heading">
<img th:src="@{/challenge/logo}" class="img-thumbnail"/>
</div>
<div class="panel-body">
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/challenge/1"
style="width: 200px;">
<div class="form-group">
<label for="exampleInputEmail1" th:text="#{username}">Username</label>
<input autofocus="dummy_for_thymeleaf_parser" type="text" class="form-control"
id="exampleInputEmail1" placeholder="Username" name='username' value="admin"/>
</div>
<div class="form-group">
<label for="exampleInputPassword1" th:text="#{password}">Password</label>
<input type="password" class="form-control" id="exampleInputPassword1"
placeholder="Password"
name='password'/>
</div>
<button class="btn btn-primary btn-block" type="submit" th:text="#{sign.in}">Sign in</button>
</form>
</div>
</div>
</div>
<form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
<div class="form-group">
<div class="input-group">
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
style="font-size:20px"></i></div>
<input type="text" class="form-control" id="flag" name="flag"
placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/>
</div>
<div class="input-group" style="margin-top: 10px">
<button type="submit" class="btn btn-primary">Submit flag</button>
</div>
</div>
</form>
<br/>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</html>

90
src/main/resources/lessons/challenges/html/Challenge5.html Normal file
View File

@ -0,0 +1,90 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_5.adoc"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge6.css}"/>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container-fluid">
<div class="row">
<div class="col-md-6">
<div class="panel panel-login">
<div class="panel-heading">
<div class="row">
<div class="col-xs-6">
<a href="#" class="active" id="login-form-link">Login</a>
</div>
</div>
<hr/>
</div>
<div class="panel-body">
<div class="row">
<div class="col-lg-12">
<form id="login-form" class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/challenge/5" role="form">
<div class="form-group">
<input type="text" name="username_login" id="username4" tabindex="1"
class="form-control" placeholder="Username" value=""/>
</div>
<div class="form-group">
<input type="password" name="password_login" id="password4" tabindex="2"
class="form-control" placeholder="Password"/>
</div>
<div class="form-group text-center">
<input type="checkbox" tabindex="3" class="" name="remember" id="remember"/>
<label for="remember"> Remember me</label>
</div>
<div class="form-group">
<div class="row">
<div class="col-sm-6 col-sm-offset-3">
<input type="submit" name="login-submit" id="login-submit"
tabindex="4" class="form-control btn-primary"
value="Log In"/>
</div>
</div>
</div>
<div class="form-group">
<div class="row">
<div class="col-lg-12">
<div class="text-center">
<a href="#" tabindex="5" class="forgot-password">Forgot
Password?</a>
</div>
</div>
</div>
</div>
</form>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br/>
<form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
<div class="form-group">
<div class="input-group">
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
style="font-size:20px"></i></div>
<input type="text" class="form-control" id="flag" name="flag"
placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/>
</div>
<div class="input-group" style="margin-top: 10px">
<button type="submit" class="btn btn-primary">Submit flag</button>
</div>
</div>
</form>
<br/>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</html>

123
src/main/resources/lessons/challenges/html/Challenge6.html Normal file
View File

@ -0,0 +1,123 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_6.adoc"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge6.css}"/>
<script th:src="@{/lesson_js/challenge6.js}" language="JavaScript"></script>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container-fluid">
<div class="row">
<div class="col-md-6">
<div class="panel panel-login">
<div class="panel-heading">
<div class="row">
<div class="col-xs-6">
<a href="#" class="active" id="login-form-link">Login</a>
</div>
<div class="col-xs-6">
<a href="#" id="register-form-link">Register</a>
</div>
</div>
<hr/>
</div>
<div class="panel-body">
<div class="row">
<div class="col-lg-12">
<form id="login-form" class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/challenge/6" role="form">
<div class="form-group">
<input type="text" name="username_login" id="username4" tabindex="1"
class="form-control" placeholder="Username" value=""/>
</div>
<div class="form-group">
<input type="password" name="password_login" id="password4" tabindex="2"
class="form-control" placeholder="Password"/>
</div>
<div class="form-group text-center">
<input type="checkbox" tabindex="3" class="" name="remember" id="remember"/>
<label for="remember"> Remember me</label>
</div>
<div class="form-group">
<div class="row">
<div class="col-sm-6 col-sm-offset-3">
<input type="submit" name="login-submit" id="login-submit"
tabindex="4" class="form-control btn-primary"
value="Log In"/>
</div>
</div>
</div>
<div class="form-group">
<div class="row">
<div class="col-lg-12">
<div class="text-center">
<a href="#" tabindex="5" class="forgot-password">Forgot
Password?</a>
</div>
</div>
</div>
</div>
</form>
<form id="register-form" class="attack-form" accept-charset="UNKNOWN"
method="PUT" name="form"
action="/WebGoat/challenge/6" style="display: none;" role="form">
<div class="form-group">
<input type="text" name="username_reg" id="username" tabindex="1"
class="form-control" placeholder="Username" value=""/>
</div>
<div class="form-group">
<input type="email" name="email_reg" id="email" tabindex="1"
class="form-control" placeholder="Email Address" value=""/>
</div>
<div class="form-group">
<input type="password" name="password_reg" id="password" tabindex="2"
class="form-control" placeholder="Password"/>
</div>
<div class="form-group">
<input type="password" name="confirm_password_reg" id="confirm-password"
tabindex="2" class="form-control" placeholder="Confirm Password"/>
</div>
<div class="form-group">
<div class="row">
<div class="col-sm-6 col-sm-offset-3">
<input type="submit" name="register-submit" id="register-submit"
tabindex="4" class="form-control btn btn-primary"
value="Register Now"/>
</div>
</div>
</div>
</form>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br/>
<form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
<div class="form-group">
<div class="input-group">
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
style="font-size:20px"></i></div>
<input type="text" class="form-control" id="flag" name="flag"
placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/>
</div>
<div class="input-group" style="margin-top: 10px">
<button type="submit" class="btn btn-primary">Submit flag</button>
</div>
</div>
</form>
<br/>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</html>

81
src/main/resources/lessons/challenges/html/Challenge7.html Normal file
View File

@ -0,0 +1,81 @@
<!DOCTYPE html>
<!--
** Revision history (automatically added by: /challenge/7/.git/hooks)
2e29cacb85ce5066b8d011bb9769b666812b2fd9 Updated copyright to 2017
ac937c7aab89e042ca32efeb00d4ca08a95b50d6 Removed hardcoded key
f94008f801fceb8833a30fe56a8b26976347edcf First version of WebGoat Cloud website
-->
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_7.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container-fluid">
<div class="row">
<div class="col-md-4">
<div class="panel panel-default">
<div class="panel-body">
<div class="text-center">
<h3><i class="fa fa-lock fa-4x"></i></h3>
<h2 class="text-center">Forgot Password?</h2>
<p>You can reset your password here.</p>
<div class="panel-body">
<form id="login-form" class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/challenge/7" role="form">
<div class="form-group">
<div class="input-group">
<span class="input-group-addon"><i
class="glyphicon glyphicon-envelope color-blue"></i></span>
<input id="email" name="email" placeholder="email address"
class="form-control" type="email"/>
</div>
</div>
<div class="form-group">
<input name="recover-submit" class="btn btn-lg btn-primary btn-block"
value="Reset Password" type="submit"/>
</div>
<div class="form-group">
<p>(c) 2017 WebGoat Cloud Platform</p>
</div>
<input type="hidden" class="hide" name="token" id="token" value=""/>
</form>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br/>
<form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
<div class="form-group">
<div class="input-group">
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
style="font-size:20px"></i></div>
<input type="text" class="form-control" id="flag" name="flag"
placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/>
</div>
<div class="input-group" style="margin-top: 10px">
<button type="submit" class="btn btn-primary">Submit flag</button>
</div>
</div>
</form>
<br/>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</html>

255
src/main/resources/lessons/challenges/html/Challenge8.html Normal file
View File

@ -0,0 +1,255 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_8.adoc"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge8.css}"/>
<script th:src="@{/lesson_js/challenge8.js}" language="JavaScript"></script>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container">
<div class="row">
<div class="col-sm-3">
<div class="rating-block">
<h4>Average user rating</h4>
<h2 class="bold padding-bottom-7">4.3
<small>/ 5</small>
</h2>
<button id="star1" onClick="doVote(1)" type="button" class="btn btn-warning btn-sm" aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
<button id="star2" onClick="doVote(2)" type="button" class="btn btn-warning btn-sm" aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
<button id="star3" onClick="doVote(3)" type="button" class="btn btn-warning btn-sm" aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
<button id="star4" onClick="doVote(4)" type="button" class="btn btn-default btn-grey btn-sm" aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
<button id="star5" onClick="doVote(5)" type="button" class="btn btn-default btn-grey btn-sm" aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
</div>
</div>
<div class="col-sm-3">
<h4>Rating breakdown</h4>
<div class="pull-left">
<div class="pull-left" style="width:35px; line-height:1;">
<div style="height:9px; margin:5px 0;">5 <span class="glyphicon glyphicon-star"></span>
</div>
</div>
<div class="pull-left" style="width:180px;">
<div class="progress" style="height:9px; margin:8px 0;">
<div id="progressBar5" class="progress-bar progress-bar-success" role="progressbar" aria-valuenow="5"
aria-valuemin="0" aria-valuemax="5">
<span class="sr-only">5</span>
</div>
</div>
</div>
<div id="nrOfVotes5" class="pull-right" style="margin-left:10px;">0</div>
</div>
<div class="pull-left">
<div class="pull-left" style="width:35px; line-height:1;">
<div style="height:9px; margin:5px 0;">4 <span class="glyphicon glyphicon-star"></span>
</div>
</div>
<div class="pull-left" style="width:180px;">
<div class="progress" style="height:9px; margin:8px 0;">
<div id="progressBar4" class="progress-bar progress-bar-primary" role="progressbar" aria-valuenow="5"
aria-valuemin="0" aria-valuemax="5">
<span class="sr-only">4</span>
</div>
</div>
</div>
<div id="nrOfVotes4" class="pull-right" style="margin-left:10px;">0</div>
</div>
<div class="pull-left">
<div class="pull-left" style="width:35px; line-height:1;">
<div style="height:9px; margin:5px 0;">3 <span class="glyphicon glyphicon-star"></span>
</div>
</div>
<div class="pull-left" style="width:180px;">
<div class="progress" style="height:9px; margin:8px 0;">
<div id="progressBar3" class="progress-bar progress-bar-info" role="progressbar" aria-valuenow="5"
aria-valuemin="0" aria-valuemax="5">
<span class="sr-only">4</span>
</div>
</div>
</div>
<div id="nrOfVotes3" class="pull-right" style="margin-left:10px;">0</div>
</div>
<div class="pull-left">
<div class="pull-left" style="width:35px; line-height:1;">
<div style="height:9px; margin:5px 0;">2 <span class="glyphicon glyphicon-star"></span>
</div>
</div>
<div class="pull-left" style="width:180px;">
<div class="progress" style="height:9px; margin:8px 0;">
<div id="progressBar2" class="progress-bar progress-bar-warning" role="progressbar" aria-valuenow="5"
aria-valuemin="0" aria-valuemax="5">
<span class="sr-only">2</span>
</div>
</div>
</div>
<div id="nrOfVotes2" class="pull-right" style="margin-left:10px;">0</div>
</div>
<div class="pull-left">
<div class="pull-left" style="width:35px; line-height:1;">
<div style="height:9px; margin:5px 0;">1 <span class="glyphicon glyphicon-star"></span>
</div>
</div>
<div class="pull-left" style="width:180px;">
<div class="progress" style="height:9px; margin:8px 0;">
<div id="progressBar1" class="progress-bar progress-bar-danger" role="progressbar" aria-valuenow="5"
aria-valuemin="0" aria-valuemax="5">
<span class="sr-only">4</span>
</div>
</div>
</div>
<div id="nrOfVotes1" class="pull-right" style="margin-left:10px;">0</div>
</div>
</div>
</div>
<div class="row">
<div class="col-sm-7">
<hr/>
<div id = "voteResultMsg" class="alert alert-dismissable" style="display: none;">
</div>
<div class="alert alert-info">
Please login or register in order to vote (comments are disabled)
</div>
<div class="review-block">
<div class="row">
<div class="col-sm-3">
<img src="images/user1.png" class="img-rounded"/>
<div class="review-block-name"><a href="#">nktailor</a></div>
<div class="review-block-date">August 22, 2017<br/>1 day ago</div>
</div>
<div class="col-sm-9">
<div class="review-block-rate">
<button type="button" class="btn btn-warning btn-xs" aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
<button type="button" class="btn btn-warning btn-xs" aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
<button type="button" class="btn btn-warning btn-xs" aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
<button type="button" class="btn btn-warning btn-xs"
aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
<button type="button" class="btn btn-warning btn-xs"
aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
</div>
<div class="review-block-title">WebGoat rocks!</div>
<div class="review-block-description">This is a great tool to learn about security
and have some fun with a couple challenges.
</div>
</div>
</div>
<hr/>
<div class="row">
<div class="col-sm-3">
<img src="images/user3.png" class="img-rounded"/>
<div class="review-block-name"><a href="#">Sarah</a></div>
<div class="review-block-date">July 29, 2017<br/>12 day ago</div>
</div>
<div class="col-sm-9">
<div class="review-block-rate">
<button type="button" class="btn btn-warning btn-xs" aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
<button type="button" class="btn btn-warning btn-xs" aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
<button type="button" class="btn btn-warning btn-xs" aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
<button type="button" class="btn btn-warning btn-xs"
aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
<button type="button" class="btn btn-default btn-grey btn-xs"
aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
</div>
<div class="review-block-title">Nice</div>
<div class="review-block-description">I liked it and learned a couple of things.
Still some bugs sometimes though.
</div>
</div>
</div>
<hr/>
<div class="row">
<div class="col-sm-3">
<img src="images/user2.png" class="img-rounded"/>
<div class="review-block-name"><a href="#">Tom</a></div>
<div class="review-block-date">January 27, 2017<br/>100 days ago</div>
</div>
<div class="col-sm-9">
<div class="review-block-rate">
<button type="button" class="btn btn-warning btn-xs" aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
<button type="button" class="btn btn-warning btn-xs" aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
<button type="button" class="btn btn-warning btn-xs" aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
<button type="button" class="btn btn-default btn-grey btn-xs"
aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
<button type="button" class="btn btn-default btn-grey btn-xs"
aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
</div>
<div class="review-block-title">WebGoat is great</div>
<div class="review-block-description">WebGoat teaches you web security with some great
lessons
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br/>
<form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
<div class="form-group">
<div class="input-group">
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
style="font-size:20px"></i></div>
<input type="text" class="form-control" id="flag" name="flag"
placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/>
</div>
<div class="input-group" style="margin-top: 10px">
<button type="submit" class="btn btn-primary">Submit flag</button>
</div>
</div>
</form>
<br/>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</html>

27
src/main/resources/lessons/challenges/i18n/WebGoatLabels.properties Normal file
View File

@ -0,0 +1,27 @@
challenge0.title=WebGoat Challenge
challenge1.title=Admin lost password
challenge2.title=Get it for free
challenge3.title=Photo comments
challenge5.title=Without password
challenge6.title=Creating a new account
challenge7.title=Admin password reset
challenge8.title=Without account
challenge9.title=Changing password
challenge.solved=Congratulations, you solved the challenge. Here is your flag: {0}
challenge.close=This is not the correct password for Larry, please try again.
email.send=An e-mail has been send to {0}
user.exists=User {0} already exists please try to register with a different username.
user.created=User {0} created, please proceed to the login page.
input.invalid=Input for user, email and/or password is empty or too long, please fill in all field and/or limit all fields to 30 characters.
challenge.flag.correct=Congratulations you have solved the challenge!!
challenge.flag.incorrect=Sorry this is not the correct flag, please try again.
ip.address.unknown=IP address unknown, e-mail has been sent.
required4=Missing username or password, please specify both.
user.not.larry=Please try to log in as Larry not {0}.

BIN
src/main/resources/lessons/challenges/images/avatar1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 28 KiB

BIN
src/main/resources/lessons/challenges/images/boss.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 82 KiB

BIN
src/main/resources/lessons/challenges/images/challenge1-small.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 11 KiB

BIN
src/main/resources/lessons/challenges/images/challenge1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 27 KiB

BIN
src/main/resources/lessons/challenges/images/challenge2-small.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 34 KiB

BIN
src/main/resources/lessons/challenges/images/challenge2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 164 KiB

BIN
src/main/resources/lessons/challenges/images/challenge3-small.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 58 KiB

BIN
src/main/resources/lessons/challenges/images/challenge3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 179 KiB

BIN
src/main/resources/lessons/challenges/images/challenge4-small.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 4.3 KiB

BIN
src/main/resources/lessons/challenges/images/challenge4.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 28 KiB

BIN
src/main/resources/lessons/challenges/images/challenge5-small.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 17 KiB

BIN
src/main/resources/lessons/challenges/images/challenge5.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 119 KiB

BIN
src/main/resources/lessons/challenges/images/hi-five-cat.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 40 KiB

BIN
src/main/resources/lessons/challenges/images/user1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.5 KiB

BIN
src/main/resources/lessons/challenges/images/user2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.7 KiB

BIN
src/main/resources/lessons/challenges/images/user3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.0 KiB

BIN
src/main/resources/lessons/challenges/images/webgoat2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 88 KiB

6
src/main/resources/lessons/challenges/js/bootstrap.min.js vendored Normal file
View File

File diff suppressed because one or more lines are too long

18
src/main/resources/lessons/challenges/js/challenge6.js Normal file
View File

@ -0,0 +1,18 @@
$(function() {
$('#login-form-link').click(function(e) {
$("#login-form").delay(100).fadeIn(100);
$("#register-form").fadeOut(100);
$('#register-form-link').removeClass('active');
$(this).addClass('active');
e.preventDefault();
});
$('#register-form-link').click(function(e) {
$("#register-form").delay(100).fadeIn(100);
$("#login-form").fadeOut(100);
$('#login-form-link').removeClass('active');
$(this).addClass('active');
e.preventDefault();
});
});

57
src/main/resources/lessons/challenges/js/challenge8.js Normal file
View File

@ -0,0 +1,57 @@
$(document).ready(function () {
loadVotes();
average();
})
function loadVotes() {
$.get("challenge/8/votes/", function (votes) {
var totalVotes = 0;
for (var i = 1; i <= 5; i++) {
totalVotes = totalVotes + votes[i];
}
console.log(totalVotes);
for (var i = 1; i <= 5; i++) {
var percent = votes[i] * 100 / totalVotes;
console.log(percent);
var progressBar = $('#progressBar' + i);
progressBar.width(Math.round(percent) * 2 + '%');
$("#nrOfVotes" + i).html(votes[i]);
}
}
);
}
function average() {
$.get("challenge/8/votes/average", function (average) {
for (var i = 1; i <= 5; i++) {
var number = average["average"];
$("#star" + i).removeClass('btn-warning');
$("#star" + i).removeClass('btn-default');
$("#star" + i).removeClass('btn-grey');
if (i <= number) {
$("#star" + i).addClass('btn-warning');
} else {
$("#star" + i).addClass('btn-grey');
}
}
}
);
}
function doVote(stars) {
$("#voteResultMsg").hide();
$.get("challenge/8/vote/" + stars, function (result) {
if (result["error"]) {
$("#voteResultMsg").addClass('alert-danger alert-dismissable');
} else {
$("#voteResultMsg").addClass('alert-success alert-dismissable');
}
$("#voteResultMsg").html(result["message"]);
$("#voteResultMsg").show();
})
loadVotes();
average();
}

8
src/main/resources/lessons/chrome_dev_tools/documentation/ChromeDevTools_Assignment.adoc Normal file
View File

@ -0,0 +1,8 @@
== Try It! Using the console
Let us try it. Use the console in the dev tools and call the javascript function *webgoat.customjs.phoneHome()*. +
You should get a response in the console. Your result should look something like this:
`phone home said
{"lessonCompleted:true, ... ,"output":"phone home response is..."`
Paste the random number, after that, in the text field below.
(Make sure you got the most recent number since it is randomly generated each time you call the function)

6
src/main/resources/lessons/chrome_dev_tools/documentation/ChromeDevTools_Assignment_Network.adoc Normal file
View File

@ -0,0 +1,6 @@
== Try It! Working with the Network tab
In this assignment, you need to find a specific HTTP request and read a randomized number.
To start, click the first button. This will generate an HTTP request. Try to find the specific HTTP request.
The request should contain a field: `networkNum:`
Copy the number displayed afterward into the input field below and click on the check button.

17
src/main/resources/lessons/chrome_dev_tools/documentation/ChromeDevTools_console.adoc Normal file
View File

@ -0,0 +1,17 @@
== The Console tab
In the console tab, you can see anything that a loaded JavaScript file may have printed out.
Do not worry if you see something in red. While that is an error, it has probably resolved itself.
Through the console tab, it is also possible for you to run your line of JavaScript code.
Start by clearing the console using the shortcut `CTRL+L.`
To run your JavaScript, click inside of the console and write something like:
`console.log("Hello WebGoat!");` Hit enter. `Hello WebGoat` should now appear in your console.
The console also allows you to do some basic arithmetic. If you type, for example, `1+3` and hit
enter, the console should display 4.
Note: You may see an `undefined` in the console. You can safely ignore this statement,
it only means that the JavaScript function you have called did not return anything, therefore `undefined.`
image::images/ChromeDev_Console_Ex.jpg[DeveloperToolsConsoleExample,500,500,style="lesson-image"]

22
src/main/resources/lessons/chrome_dev_tools/documentation/ChromeDevTools_elements.adoc Normal file
View File

@ -0,0 +1,22 @@
== The Elements Tab
The elements tab allows you to look at the HTML and CSS code used to define and style the website.
=== HTML source
If you hover over one line, you can see that a part of the website turns blue. That means that
this particular HTML line defines this section of the website.
The elements tab allows you to make changes to every single HTML element. For example, if you click inside
a paragraph (<p>...</p>) Tag, you can edit the content of the website. If you have made your changes and then click enter
Chrome will update the website to show your edits. You can also change the HTML Tag used,
the classes and id's a tag has, and much more.
image::images/ChromeDev_Elements.jpg[DeveloperToolsElements,500,350,style="lesson-image"]
=== CSS source
You can find information about the CSS used to style the
website under the HTML source. Like the HTML, you can also edit the CSS and, therefore, adjust the website's styling.
You can edit specific values or turn off individual styling.
image::images/ChromeDev_Elements_CSS.jpg[DeveloperToolsElementsCSS,500,350,style="lesson-image"]

19
src/main/resources/lessons/chrome_dev_tools/documentation/ChromeDevTools_intro.adoc Normal file
View File

@ -0,0 +1,19 @@
== Google Chrome Developer Tools
To complete certain assignments, you sometimes may have to look at the JavaScript
source code or run a JavaScript command on your own.
To do that, Google Chrome has a set of tools that allow you to do that and much more.
While these tools are not specific to Google Chrome, almost every modern browser has a bunch
of its own. Our introduction will focus on the ones found in Google Chrome.
You can, however still use the browser of your choice, like Firefox or Safari, although some steps of this tutorial
maybe different for you.
Keep in mind that the following tutorial is not there to teach everything about these tools.
This tutorial will only focus on the essential knowledge to complete specific assignments.
Also, if you are already familiar with these tools, you can safely skip these lessons.
To get started: *open the developer tools*. There are multiple ways to open them:
1. Right-click anywhere in the browser window and select the option _"Inspect"_.
2. Go to the browser menu (three dots in the top right corner), then go to _"More tools"_ and select the option _"Developer tools"_.
3. Use the keyboard shortcut _Ctrl + Shift + I_

16
src/main/resources/lessons/chrome_dev_tools/documentation/ChromeDevTools_sources.adoc Normal file
View File

@ -0,0 +1,16 @@
== The Sources tab
In the sources tab, you can check out the file system and view all the HTML, CSS, and JavaScript files used to
create the website. Click on a file to view its contents.
image::images/ChromeDev_Sources.jpg[DeveloperToolsSources,400,500,style="lesson-image"]
== The Network tab
In the Network tab, you can view HTTP requests and responses the website has performed.
Just click on it if you want more detailed information on a particular request.
The "Timeline" above the blue dots represents when these requests and responses have been performed.
You can also see the Requests done in a specific time frame simply by clicking and dragging on the timeline. The window
below will only show the requests and responses done in that time frame.
image::images/ChromeDev_Network.jpg[DeveloperToolsNetwork,400,500,style="lesson-image"]

85
src/main/resources/lessons/chrome_dev_tools/html/ChromeDevTools.html Normal file
View File

@ -0,0 +1,85 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<!-- 1 -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/chrome_dev_tools/documentation/ChromeDevTools_intro.adoc"></div>
</div>
<!-- 2 -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/chrome_dev_tools/documentation/ChromeDevTools_elements.adoc"></div>
</div>
<!-- 3 -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/chrome_dev_tools/documentation/ChromeDevTools_console.adoc"></div>
</div>
<!-- 4 -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/chrome_dev_tools/documentation/ChromeDevTools_Assignment.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="DOMFollowUp"
action="/WebGoat/ChromeDevTools/dummy">
<input name="successMessage" value="" type="TEXT" />
<input name="submitMessage" value="Submit" type="SUBMIT"/>
</form>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
<!-- 5 -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/chrome_dev_tools/documentation/ChromeDevTools_sources.adoc"></div>
</div>
<!-- 6 -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/chrome_dev_tools/documentation/ChromeDevTools_Assignment_Network.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/ChromeDevTools/network">
<script>
// sample custom javascript in the recommended way ...
// a namespace has been assigned for it, but you can roll your own if you prefer
document.getElementById("btn").addEventListener("click", function() {
document.getElementById("networkNum").value = Math.random() * 100;
document.getElementById("networkNumCopy").value = document.getElementById("networkNum").value;
});
</script>
<input type="hidden" name="networkNum" id="networkNum" value="foo" />
<table>
<tr>
<td>Click this button to make a request:</td>
<td><input id="btn" name="SUBMIT" value="Go!" type="SUBMIT" /></td>
<td></td>
</tr>
</table>
</form>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/ChromeDevTools/network">
<table>
<tr>
<td>What is the number you found: </td>
<td><input name="number" type="text"/></td>
<td><input type="submit" name="Submit" value="check"/></td>
<td></td>
</tr>
</table>
<input type="hidden" name="network_num" id="networkNumCopy" value="foo" />
</form>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</html>

11
src/main/resources/lessons/chrome_dev_tools/i18n/WebGoatLabels.properties Normal file
View File

@ -0,0 +1,11 @@
3.chrome-dev-tools.title=Developer Tools
xss-dom-message-success=Correct!
xss-dom-message-failure=Incorrect.
network.request=You made a HTTP Request.
network.success=Correct, Well Done.
network.failed=That is not correct, try again.
networkHint1=Clear all Requests from the network button, then make the request. The you should be able to figure out, which request holds the data.
networkHint2=The name of the request is "dummy"

BIN
src/main/resources/lessons/chrome_dev_tools/images/ChromeDev_Console_Clear.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 7.8 KiB

BIN
src/main/resources/lessons/chrome_dev_tools/images/ChromeDev_Console_Ex.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 40 KiB

BIN
src/main/resources/lessons/chrome_dev_tools/images/ChromeDev_Elements.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 95 KiB

BIN
src/main/resources/lessons/chrome_dev_tools/images/ChromeDev_Elements_CSS.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 47 KiB

BIN
src/main/resources/lessons/chrome_dev_tools/images/ChromeDev_Network.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 122 KiB

BIN
src/main/resources/lessons/chrome_dev_tools/images/ChromeDev_Sources.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 99 KiB

24
src/main/resources/lessons/cia/documentation/CIA_availability.adoc Normal file
View File

@ -0,0 +1,24 @@
== Availability
Availability is "the property of being accessible and usable on demand by an authorized entity." In other words, authorized persons should have access to permitted resources at all times.
{nbsp} +
=== Examples that compromise availability:
** denial-of-service attacks (DOS)
** hardware failures
** fire or other natural disasters
** software or network misconfigurations
{nbsp} +
=== Examples of methods ensuring availability
** intrusion detection systems (IDSs)
** network traffic control
** firewalls
** physical security of hardware and underlying infrastructure
*** protection against fire, water, and other elements
** hardware maintenance
** redundancy

25
src/main/resources/lessons/cia/documentation/CIA_confidentiality.adoc Normal file
View File

@ -0,0 +1,25 @@
== Confidentiality
Confidentiality is "the property that information is not made available or disclosed to unauthorized individuals, entities, or processes." In other words, confidentiality requires that unauthorized users should not be able to access sensitive resources. Confidentiality must be balanced with availability; authorized persons must still access the resources they have been granted permissions for.
Although confidentiality is similar to "privacy," these two words are not interchangeable. Instead, confidentiality is a component of privacy; confidentiality is implemented to protect resources from unauthorized entities.
{nbsp} +
=== Examples that compromise confidentiality:
** a hacker gets access to the password database of a company
** a sensitive email is sent to the incorrect individual
** a hacker reads sensitive information by intercepting and eavesdropping on an information transfer
{nbsp} +
=== Examples of methods ensuring confidentiality
** data encryption
** properly implemented authentication and access control
*** securely stored passwords
*** multi-factor authentication (MFA)
*** biometric verification
** minimizing the number of places/times the information appears
** physical security controls such as properly secured server rooms

21
src/main/resources/lessons/cia/documentation/CIA_integrity.adoc Normal file
View File

@ -0,0 +1,21 @@
== Integrity
Integrity is "the property of accuracy and completeness." In other words, integrity means maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. Data must not change during transit, and unauthorized entities should not alter the data.
{nbsp} +
=== Examples that compromise integrity:
** human error when entering data
** errors during data transmission
** software bugs and hardware failures
** hackers change information that they should not have access to
{nbsp} +
=== Examples of methods ensuring the integrity
** well functioning authentication methods and access control
** checking integrity with hash functions
** backups and redundancy
** auditing and logging

7
src/main/resources/lessons/cia/documentation/CIA_intro.adoc Normal file
View File

@ -0,0 +1,7 @@
== The CIA Triad
The CIA Triad (confidentiality, integrity, availability) is a model for information security.
The three elements of the triad are considered the most crucial information security components and should guarantee in any secure system. +
Serious consequences can result if even one of these elements is breached.
The CIA Triad was created to provide a baseline standard for evaluating and implementing security regardless of the underlying system and/or organization.

3
src/main/resources/lessons/cia/documentation/CIA_quiz.adoc Normal file
View File

@ -0,0 +1,3 @@
Now it's time for a quiz! Answer the following question to check if you understood the topic.
Today, most systems are protected by a firewall. A properly configured firewall can prevent malicious entities from accessing a system and helps protect an organization's resources. For this quiz, imagine a system that handles personal data but is not protected by a firewall:

43
src/main/resources/lessons/cia/html/CIA.html Normal file
View File

@ -0,0 +1,43 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_intro.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_confidentiality.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_integrity.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_availability.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<span id="quiz_id" data-quiz_id="cia"></span>
<link rel="stylesheet" type="text/css" th:href="@{/css/quiz.css}"/>
<script th:src="@{/js/quiz.js}" language="JavaScript"></script>
<link rel="import" type="application/json" th:href="@{/lesson_js/questions.json}"/>
<div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_quiz.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container-fluid">
<form id="quiz-form" class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="cia/quiz" role="form">
<div id="q_container"></div>
<br />
<input name="Quiz_solutions" value="Submit answers" type="SUBMIT"/>
</form>
</div>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</html>

1
src/main/resources/lessons/cia/i18n/WebGoatLabels.properties Normal file
View File

@ -0,0 +1 @@
4.cia.title=CIA Triad

40
src/main/resources/lessons/cia/js/questions_cia.json Normal file
View File

@ -0,0 +1,40 @@
{
"questions": [
{
"text": "How could an intruder harm the security goal of confidentiality?",
"solutions": {
"1": "By deleting all the databases.",
"2": "By stealing a database where general configuration information for the system is stored.",
"3": "By stealing a database where names and emails are stored and uploading it to a website.",
"4": "Confidentiality can't be harmed by an intruder."
}
},
{
"text": "How could an intruder harm the security goal of integrity?",
"solutions": {
"1": "By changing the names and emails of one or more users stored in a database.",
"2": "By listening to incoming and outgoing network traffic.",
"3": "By bypassing the access control mechanisms used to manage database access.",
"4": "Integrity can only be harmed when the intruder has physical access to the database."
}
},
{
"text": "How could an intruder harm the security goal of availability?",
"solutions": {
"1": "By exploiting a software bug that allows the attacker to bypass the normal authentication mechanisms for a database.",
"2": "By redirecting sensitive emails to other individuals.",
"3": "Availability can only be harmed by unplugging the power supply of the storage devices.",
"4": "By launching a denial of service attack on the servers."
}
},
{
"text": "What happens if at least one of the CIA security goals is harmed?",
"solutions": {
"1": "All three goals must be harmed for the system's security to be compromised; harming just one goal has no effect on the system's security.",
"2": "The system's security is compromised even if only one goal is harmed.",
"3": "It is acceptable if an attacker reads or changes data since at least some of the data is still available. The system's security is compromised only if its availability is harmed.",
"4": "It is acceptable if an attacker changes data or makes it unavailable, but reading sensitive data is not tolerable. The system's security is compromised only if its confidentiality is harmed."
}
}
]
}

3
src/main/resources/lessons/client_side_filtering/css/clientSideFiltering-stage1.css Normal file
View File

@ -0,0 +1,3 @@
#lesson_wrapper {height: 435px;width: 500px;}
#lesson_header {background-image: url(../images/lesson1_header.jpg); width: 490px;padding-right: 10px;padding-top: 60px;background-repeat: no-repeat;}
.lesson_workspace {background-image: url(../images/lesson1_workspace.jpg); width: 490px;height: 325px;padding-left: 10px;padding-top: 10px;background-repeat: no-repeat;}

33
src/main/resources/lessons/client_side_filtering/css/clientSideFilteringFree.css Normal file
View File

@ -0,0 +1,33 @@
ul > li{margin-right:25px;font-weight:lighter;cursor:pointer}
li.active{border-bottom:3px solid silver;}
.item-photo{display:flex;justify-content:center;align-items:center;border-right:1px solid #f6f6f6;}
.menu-items{list-style-type:none;font-size:11px;display:inline-flex;margin-bottom:0px;margin-top:20px}
.btn-success{width:100%;border-radius:0px;}
.section{width:100%;margin-left:-15px;padding:2px;padding-left:15px;padding-right:15px;background:#f8f9f9}
.title-price{margin-top:30px;margin-bottom:0px;color:black}
.title-attr{margin-top:0px;margin-bottom:0px;color:black;}
.btn-minus{cursor:pointer;font-size:7px;display:flex;align-items:center;padding:5px;padding-left:10px;padding-right:10px;border:1px solid gray;border-radius:2px;border-right:0px;}
.btn-plus{cursor:pointer;font-size:7px;display:flex;align-items:center;padding:5px;padding-left:10px;padding-right:10px;border:1px solid gray;border-radius:2px;border-left:0px;}
div.section > div {width:100%;display:inline-flex;}
div.section > div > input {margin:0px;padding-left:5px;font-size:10px;padding-right:5px;max-width:18%;text-align:center;}
.attr,.attr2{cursor:pointer;margin-right:5px;height:20px;font-size:11px;padding:2px;border:1px solid gray;border-radius:2px;}
.attr.active,.attr2.active{ border:2px solid orange;}
@media (max-width: 426px) {
.container {margin-top:0px !important;}
.container > .row{padding:0px !important;}
.container > .row > .col-xs-12.col-sm-5{
padding-right:0px ;
}
.container > .row > .col-xs-12.col-sm-9 > div > p{
padding-left:0px !important;
padding-right:0px !important;
}
.container > .row > .col-xs-12.col-sm-9 > div > ul{
padding-left:10px !important;
}
.section{width:104%;}
.menu-items{padding-left:0px;}
}

5
src/main/resources/lessons/client_side_filtering/documentation/ClientSideFiltering_assignment.adoc Normal file
View File

@ -0,0 +1,5 @@
== Salary manager
You are logged in as Moe Stooge, CSO of Goat Hills Financial. You have access to everyone in the company's information,
except the CEO, Neville Bartholomew. Or at least you should not have access to the CEO's information. For this assignment,
examine the page's contents to see what extra information you can find.

1
src/main/resources/lessons/client_side_filtering/documentation/ClientSideFiltering_final.adoc Normal file
View File

@ -0,0 +1 @@
No need to pay if you know the code ...

6
src/main/resources/lessons/client_side_filtering/documentation/ClientSideFiltering_plan.adoc Normal file
View File

@ -0,0 +1,6 @@
== Client side filtering
It is always a good practice to send only information to the client they are supposed
to have access to. In this lesson, too much information is being sent to the client, creating
a serious access control problem. For this exercise, your mission is to exploit the extraneous information returned
by the server to discover information to which you should not have access.

169
src/main/resources/lessons/client_side_filtering/html/ClientSideFiltering.html Normal file
View File

@ -0,0 +1,169 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/client_side_filtering/documentation/ClientSideFiltering_plan.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/client_side_filtering/documentation/ClientSideFiltering_assignment.adoc"></div>
<br/>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<input type="hidden" id="user_id" value="102"/>
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
<form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form"
action="/WebGoat/clientSideFiltering/attack1">
<link rel="stylesheet" type="text/css"
th:href="@{/lesson_css/clientSideFiltering-stage1.css}"/>
<script th:src="@{/lesson_js/clientSideFiltering.js}"
language="JavaScript"></script>
<input id="userID" value="101" name="userID" type="HIDDEN"/>
<div id="lesson_wrapper">
<div id="lesson_header"></div>
<div class="lesson_workspace"><br/><br/>
<p>Select user: <select id="UserSelect" onfocus="fetchUserData()" name="UserSelect"
onchange="selectUser()">
<option value="0" label="Choose Employee">Choose Employee</option>
<option value="101" label="Larry Stooge">Larry Stooge</option>
<option value="103" label="Curly Stooge">Curly Stooge</option>
<option value="104" label="Eric Walker">Eric Walker</option>
<option value="105" label="Tom Cat">Tom Cat</option>
<option value="106" label="Jerry Mouse">Jerry Mouse</option>
<option value="107" label="David Giambi">David Giambi</option>
<option value="108" label="Bruce McGuirre">Bruce McGuirre</option>
<option value="109" label="Sean Livingston">Sean Livingston</option>
<option value="110" label="Joanne McDougal">Joanne McDougal</option>
</select></p>
<p></p>
<table style="display: none" id="hiddenEmployeeRecords" align="center" border="1"
cellpadding="2"
cellspacing="0" width="90%">
<div>
</div>
</table>
<table align="center" border="1" cellpadding="2" cellspacing="0" width="90%">
<tbody>
<tr>
<td>User ID</td>
<td>First Name</td>
<td>Last Name</td>
<td>SSN</td>
<td>Salary</td>
</tr>
<tr id="employeeRecord"></tr>
</tbody>
</table>
</div>
</div>
<table cellpadding="2" cellspacing="0">
<tbody>
<tr>
<td>What is Neville Bartholomew's salary?</td>
<td><input id="answer" name="answer" value="" type="TEXT"/></td>
<td align="LEFT"><input name="SUBMIT" value="Submit Answer" type="SUBMIT"/></td>
</tr>
</tbody>
</table>
</form>
<!-- do not remove the two following div's, this is where your feedback/output will land -->
<div class="attack-feedback"></div>
<div class="attack-output"></div>
<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
</div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/client_side_filtering/documentation/ClientSideFiltering_final.adoc"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/clientSideFilteringFree.css}"/>
<script th:src="@{/lesson_js/clientSideFilteringFree.js}" language="JavaScript"></script>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container-fluid">
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/clientSideFiltering/getItForFree">
<input id="discount" type="hidden" value="0"/>
<div class="row">
<div class="col-xs-3 item-photo">
<img style="max-width:100%;" th:src="@{/images/samsung-black.jpg}"/>
</div>
<div class="col-xs-5" style="border:0px solid gray">
<h3>Samsung Galaxy S8</h3>
<h5 style="color:#337ab7"><a href="http://www.samsung.com">Samsung</a> ·
<small style="color:#337ab7">(124421 reviews)</small>
</h5>
<h6 class="title-price">
<small>PRICE</small>
</h6>
<h3 style="margin-top:0px;"><span>US $</span><span id="price">899</span></h3>
<div class="section">
<h6 class="title-attr" style="margin-top:15px;">
<small>COLOR</small>
</h6>
<div>
<div class="attr" style="width:25px;background:lightgrey;"></div>
<div class="attr" style="width:25px;background:black;"></div>
</div>
</div>
<div class="section" style="padding-bottom:5px;">
<h6 class="title-attr">
<small>CAPACITY</small>
</h6>
<div>
<div class="attr2">64 GB</div>
<div class="attr2">128 GB</div>
</div>
</div>
<div class="section" style="padding-bottom:5px;">
<h6 class="title-attr">
<small>QUANTITY</small>
</h6>
<div>
<div class="btn-minus"><span class="glyphicon glyphicon-minus"></span></div>
<input class="quantity" value="1"/>
<div class="btn-plus"><span class="glyphicon glyphicon-plus"></span></div>
</div>
</div>
<div class="section" style="padding-bottom:5px;">
<h6 class="title-attr">
<small>CHECKOUT CODE</small>
</h6>
<!--
Checkout code: webgoat, owasp, owasp-webgoat
-->
<input name="checkoutCode" class="checkoutCode" value=""/>
</div>
<div class="section" style="padding-bottom:20px;">
<button type="submit" class="btn btn-success"><span style="margin-right:20px"
class="glyphicon glyphicon-shopping-cart"
aria-hidden="true"></span>Buy
</button>
<h6><a href="#"><span class="glyphicon glyphicon-heart-empty"
style="cursor:pointer;"></span>
Like</a></h6>
</div>
</div>
</div>
</form>
</div>
<br/>
<br/>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</html>

32
src/main/resources/lessons/client_side_filtering/i18n/WebGoatLabels.properties Normal file
View File

@ -0,0 +1,32 @@
client.side.filtering.title=Client side filtering
ClientSideFilteringSelectUser=Select user:
ClientSideFilteringUserID=User ID
ClientSideFilteringFirstName=First Name
ClientSideFilteringLastName=Last Name
ClientSideFilteringSSN=SSN
ClientSideFilteringSalary=Salary
ClientSideFilteringErrorGenerating=Error generating
ClientSideFilteringStage1Complete=Stage 1 completed.
ClientSideFilteringStage1Question=What is Neville Bartholomew's salary?
ClientSideFilteringStage1SubmitAnswer=Submit Answer
ClientSideFilteringStage2Finish=Click here when you believe you have completed the lesson.
ClientSideFilteringChoose=Choose employee
ClientSideFilteringHint1=The information displayed when an employee is chosen from the drop down menu is stored on the client side.
ClientSideFilteringHint2=Use Firebug to find where the information is stored on the client side.
ClientSideFilteringHint3=Examine the hidden table to see if there is anyone listed who is not in the drop down menu.
ClientSideFilteringHint4=Look in the last row of the hidden table.
ClientSideFilteringHint5a=Stage 1: You can access the server directly
ClientSideFilteringHint5b=here
ClientSideFilteringHint5c=to see what results are being returned
ClientSideFilteringHint6=Stage 2: The server uses an XPath query against an XML database.
ClientSideFilteringHint7=Stage 2: The query currently returns all of the contents of the database.
ClientSideFilteringHint8=Stage 2: The query should only return the information of employees who are managed by Moe Stooge, whose userID is 102
ClientSideFilteringHint9=Stage 2: Try using a filter operator.
ClientSideFilteringHint10=Stage 2: Your filter operator should look something like: [Managers/Manager/text()=
ClientSideFilteringInstructions1=STAGE 1: You are logged in as Moe Stooge, CSO of Goat Hills Financial. You have access to everyone in the company's information, except the CEO, . Or at least you shouldn't have access to the CEO's information. For this exercise, examine the contents of the page to see what extra information you can find.
ClientSideFilteringInstructions2=STAGE 2: Now, fix the problem. Modify the server to only return results that Moe Stooge is allowed to see.
ClientSideFiltering.incorrect=This is not the salary from Neville Bartholomew...
client.side.filtering.free.hint1=Look through the web page inspect the sources etc
client.side.filtering.free.hint2=Try to see the flow of request from the page to the backend
client.side.filtering.free.hint3=One of the responses contains the answer

BIN
src/main/resources/lessons/client_side_filtering/images/lesson1_header.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 44 KiB

BIN
src/main/resources/lessons/client_side_filtering/images/lesson1_workspace.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 23 KiB

BIN
src/main/resources/lessons/client_side_filtering/images/samsung-black.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 12 KiB

BIN
src/main/resources/lessons/client_side_filtering/images/samsung-grey.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 11 KiB

42
src/main/resources/lessons/client_side_filtering/js/clientSideFiltering.js Normal file
View File

@ -0,0 +1,42 @@
var dataFetched = false;
function selectUser() {
var newEmployeeID = $("#UserSelect").val();
document.getElementById("employeeRecord").innerHTML = document.getElementById(newEmployeeID).innerHTML;
}
function fetchUserData() {
if (!dataFetched) {
dataFetched = true;
ajaxFunction(document.getElementById("userID").value);
}
}
function ajaxFunction(userId) {
$.get("clientSideFiltering/salaries?userId=" + userId, function (result, status) {
var html = "<table border = '1' width = '90%' align = 'center'";
html = html + '<tr>';
html = html + '<td>UserID</td>';
html = html + '<td>First Name</td>';
html = html + '<td>Last Name</td>';
html = html + '<td>SSN</td>';
html = html + '<td>Salary</td>';
for (var i = 0; i < result.length; i++) {
html = html + '<tr id = "' + result[i].UserID + '"</tr>';
html = html + '<td>' + result[i].UserID + '</td>';
html = html + '<td>' + result[i].FirstName + '</td>';
html = html + '<td>' + result[i].LastName + '</td>';
html = html + '<td>' + result[i].SSN + '</td>';
html = html + '<td>' + result[i].Salary + '</td>';
html = html + '</tr>';
}
html = html + '</tr></table>';
var newdiv = document.createElement("div");
newdiv.innerHTML = html;
var container = document.getElementById("hiddenEmployeeRecords");
container.appendChild(newdiv);
});
}

64
src/main/resources/lessons/client_side_filtering/js/clientSideFilteringFree.js Normal file
View File

@ -0,0 +1,64 @@
$(document).ready(function () {
//-- Click on detail
$("ul.menu-items > li").on("click", function () {
$("ul.menu-items > li").removeClass("active");
$(this).addClass("active");
})
$(".attr,.attr2").on("click", function () {
var clase = $(this).attr("class");
$("." + clase).removeClass("active");
$(this).addClass("active");
})
//-- Click on QUANTITY
$(".btn-minus").on("click", function () {
var now = $(".quantity").val();
if ($.isNumeric(now)) {
if (parseInt(now) - 1 > 0) {
now--;
}
$(".quantity").val(now);
$('#price').text(now * 899);
} else {
$(".quantity").val("1");
$('#price').text(899);
}
calculate();
})
$(".btn-plus").on("click", function () {
var now = $(".quantity").val();
if ($.isNumeric(now)) {
$(".quantity").val(parseInt(now) + 1);
} else {
$(".quantity").val("1");
}
calculate();
})
$(".checkoutCode").on("blur", function () {
var checkoutCode = $(".checkoutCode").val();
$.get("clientSideFiltering/challenge-store/coupons/" + checkoutCode, function (result, status) {
var discount = result.discount;
if (discount > 0) {
$('#discount').text(discount);
calculate();
} else {
$('#discount').text(0);
calculate();
}
});
})
function calculate() {
var d = $('#discount').text();
var price = $('#price').val();
var quantity = parseInt($(".quantity").val());
if (d > 0) {
$('#price').text((quantity * (899 - (899 * d / 100))).toFixed(2));
} else {
$('#price').text(quantity * 899);
}
}
})

84
src/main/resources/lessons/client_side_filtering/lessonSolutions/en/ClientSideFiltering.html Normal file
View File

@ -0,0 +1,84 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Client Side Filtering</title>
<link rel="stylesheet" type="text/css" href="formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> Client Side Filtering</p>
<p><b>Concept / Topic To Teach:</b><br/>
It is always a good practice to send to the client
only information which they are supposed to have access to.
In this lesson, too much information is being sent to the
client, creating a serious access control problem.
</p>
<p><b>General Goal(s):</b><br/>
For this exercise, your mission is exploit the extraneous
information being returned by the server to discover information
to which you should not have access.
</p>
<b>Solution:</b><br/>
<p>
This Lab consists of two Stages. In the first Stage you have to
get sensitive information . In the second one you have to fix the problem.<br/>
</p>
<b>Stage 1</b>
<p>
Use Firebug to solve this stage. If you are using IE you can try it with
IEWatch.</p>
First use any person from the list and see what you get. After doing this you
can search for a specific person in Firebug. Make sure you find the hidden table with
the information, including the salary and so on. In the same table you will find
Neville.
<img src="ClientSideFiltering_files/clientside_firebug.jpg" alt="Clientside Filtering" /><br>
<font size="2"><b>Inspect HTML on Firebug</b></font>
<p>
Now write the salary into the text edit box and submit your answer!
</p>
<b>Stage 2</b>
<p>
In this stage you have to modify the clientSideFiltering.jsp which you will find under
the WebContent in the lessons/Ajax folder. The Problem is that
the server sends all information to the client. As you could see
even if it is hidden it is easy to find the sensitive date. In this
stage you will add a filter to the XPath queries. In this file you will find
following construct:<br><br></p>
<code>
StringBuffer sb = new StringBuffer();<br>
sb.append("/Employees/Employee/UserID | ");<br>
sb.append("/Employees/Employee/FirstName | ");<br>
sb.append("/Employees/Employee/LastName | ");<br>
sb.append("/Employees/Employee/SSN | ");<br>
sb.append("/Employees/Employee/Salary ");<br>
String expression = sb.toString();<br>
</code>
<p>
This string will be used for the XPath query. You have to guarantee that a manger only
can see employees which are working for him. To archive this you can use
filters in XPath. Following code will exactly do this:</p>
<code>
StringBuffer sb = new StringBuffer();<br>
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/UserID | ");<br>
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/FirstName | ");<br>
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/LastName | ");<br>
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/SSN | ");<br>
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/Salary ");<br>
String expression = sb.toString();<br>
</code>
<p>
Now only information is sent to your client you are authorized for. You can click on the button.
</p>
</body>
</html>

BIN
src/main/resources/lessons/client_side_filtering/lessonSolutions/en/ClientSideFiltering_files/clientside_firebug.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 22 KiB

29
src/main/resources/lessons/cryptography/documentation/Crypto_plan.adoc Normal file
View File

@ -0,0 +1,29 @@
= Cryptography Basics
== Concept
This lesson explains different types of cryptography techniques that are commonly used in web applications.
== Goals
The goal is to get familiar with the following forms of techniques:
* link:start.mvc#lesson/Crypto.lesson/1[Encoding]
* link:start.mvc#lesson/Crypto.lesson/3[Hashing]
* link:start.mvc#lesson/Crypto.lesson/4[Encryption]
* link:start.mvc#lesson/Crypto.lesson/5[Signing]
* link:start.mvc#lesson/Crypto.lesson/6[Keystores]
* link:start.mvc#lesson/Crypto.lesson/7[Security defaults]
* link:start.mvc#lesson/Crypto.lesson/8[Post quantum crypto]
=== Assignments
After the explanation of an item there will be several assignments.

Some files were not shown because too many files have changed in this diff Show More