dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Refactoring (#1201)

Browse Source 
* Some initial refactoring

* Make it one application

* Got it working

* Fix problem on Windows

* Move WebWolf

* Move first lesson

* Moved all lessons

* Fix pom.xml

* Fix tests

* Add option to initialize a lesson

This way we can create content for each user inside a lesson. The initialize method will be called when a new user is created or when a lesson reset happens

* Clean up pom.xml files

* Remove fetching labels based on language.

We only support English at the moment, all the lesson explanations are written in English which makes it very difficult to translate. If we only had labels it would make sense to support multiple languages

* Fix SonarLint issues

* And move it all to the main project

* Fix for documentation paths

* Fix pom warnings

* Remove PMD as it does not work

* Update release notes about refactoring

Update release notes about refactoring

Update release notes about refactoring

* Fix lesson template

* Update release notes

* Keep it in the same repo in Dockerhub

* Update documentation to show how the connection is obtained.

Resolves: #1180

* Rename all integration tests

* Remove command from Dockerfile

* Simplify GitHub actions

Currently, we use a separate actions for pull-requests and branch build.
This is now consolidated in one action.
The PR action triggers always, it now only trigger when the PR is
opened and not in draft.
Running all platforms on a branch build is a bit too much, it is better
 to only run all platforms when someone opens a PR.

* Remove duplicate entry from release notes

* Add explicit registry for base image

* Lesson scanner not working when fat jar

When running the fat jar we have to take into account we
are reading from the jar file and not the filesystem. In
this case you cannot use `getFile` for example.

* added info in README and fixed release docker

* changed base image and added ignore file

Co-authored-by: Zubcevic.com <rene@zubcevic.com>
This commit is contained in:
Nanne Baars
2022-04-09 14:56:12 +02:00
committed by GitHub
parent f3d8206a07
commit 711649924b
1130 changed files with 3540 additions and 7643 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
src/main/resources/lessons/auth_bypass/documentation/2fa-bypass.adoc Normal file
View File

@ -0,0 +1,15 @@
== 2FA Password Reset
An excellent example of authentication bypass is a recent (2016) example (https://henryhoggard.co.uk/blog/Paypal-2FA-Bypass). He could not receive an SMS with a code, so he opted for
an alternative method, which involved security questions. Using a proxy, removed the parameters entirely and won.
image::images/paypal-2fa-bypass.png[Paypal 2FA bypass,1397,645,style="lesson-image"]
=== The Scenario
You reset your password, but do it from a location or device that your provider does not recognize. So you need to answer the security questions you set up. The other issue is
Those security questions are also stored on another device (not with you), and you don't remember them.
You have already provided your username/email and opted for the alternative verification method.

15
src/main/resources/lessons/auth_bypass/documentation/bypass-intro.adoc Normal file
View File

@ -0,0 +1,15 @@
== Authentication Bypasses
Authentication Bypasses happen in many ways but usually take advantage of some flaw in the configuration or logic. Tampering to achieve the right conditions.
=== Hidden inputs
The simplest form is a reliance on a hidden input in the web page/DOM.
=== Removing Parameters
Sometimes, if an attacker doesn't know the correct value of a parameter, they may remove it from the submission altogether to see what happens.
=== Forced Browsing
If an area of a site is not appropriately protected by configuration, that area of the site may be accessed by guessing/brute-forcing.

7
src/main/resources/lessons/auth_bypass/documentation/lesson-template-video.adoc Normal file
View File

@ -0,0 +1,7 @@
=== More Content, Video too ...
You can structure and format the content however you like. You can even include video if you like (but may be subject to browser support). You may want to make it more pertinent to web application security than this, though.
video::video/sample-video.m4v[width=480,start=5]
see http://asciidoctor.org/docs/asciidoc-syntax-quick-reference/#videos for more detail on video syntax

86
src/main/resources/lessons/auth_bypass/html/AuthBypass.html Normal file
View File

@ -0,0 +1,86 @@
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:lessons/auth_bypass/documentation/bypass-intro.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:lessons/auth_bypass/documentation/2fa-bypass.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
<!-- modify the action to point to the intended endpoint and set other attributes as desired -->
<script th:src="@{/lesson_js/bypass.js}" />
<form class="attack-form" accept-charset="UNKNOWN" id="verify-account-form"
method="POST" name="form"
successCallback="onBypassResponse"
action="/WebGoat/auth-bypass/verify-account">
<p>Verify Your Account by answering the questions below:</p>
<p>What is the name of your favorite teacher?</p>
<input name="secQuestion0" value="" type="TEXT" /><br/>
<p>What is the name of the street you grew up on?</p>
<input name="secQuestion1" value="" type="TEXT" /><br/><br />
<input type="hidden" name="jsEnabled" value="1" />
<input type="hidden" name="verifyMethod" value="SEC_QUESTIONS" />
<input type="hidden" name="userId" value="12309746" />
<input name="submit" value="Submit" type="submit"/>
</form>
<form class="attack-form" accept-charset="UNKNOWN" id="change-password-form"
method="POST" name="form"
successCallback="onBypassResponse"
action="/WebGoat/auth-bypass/verify-account"
style="display:none"><!-- start off hidden -->
<p>Please provide a new password for your account</p>
<p>Password:</p>
<input name="newPassword" value="" type="password" /><br/>
<p>Confirm Password:</p>
<input name="newPasswordConfirm" value="" type="password" /><br/><br />
<input type="hidden" name="userId" value="12309746" />
<input name="submit" value="Submit" type="submit"/>
</form>
<!-- do not remove the two following div's, this is where your feedback/output will land -->
<!-- the attack response will include a 'feedback' and that will automatically go here -->
<div class="attack-feedback"></div>
<!-- output is intended to be a simulation of what the screen would display in an attack -->
<div class="attack-output"></div>
</div>
</div>
<!--<div class="lesson-page-wrapper">-->
<!-- reuse the above lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<!--<div class="adoc-content" th:replace="doc:lessons/auth_bypass/documentation/lesson-template-video.adoc"></div>-->
<!-- can use multiple adoc's in a page-wrapper if you want ... or not-->
<!--<div class="adoc-content" th:replace="doc:lessons/auth_bypass/documentation/lesson-template-attack.adoc"></div>-->
<!-- WebGoat will automatically style and scaffold some functionality by using the div.attack-container as below -->
<!--</div>-->
<!-- repeat and mix-and-match the lesson-page-wrappers with or wihtout the attack-containers as you like ...
see other lessons for other more complex examples -->
</html>

11
src/main/resources/lessons/auth_bypass/i18n/WebGoatLabels.properties Normal file
View File

@ -0,0 +1,11 @@
auth-bypass.title=Authentication Bypasses
verify-account.cheated=It appears you may be using source code to cheat.While that's always helpful when hacking. Please try again.
verify-account.failed=Not quite, please try again.
verify-account.success=Congrats, you have successfully verified the account without actually verifying it. You can now change your password!
auth-bypass.hints.verify.1=The attack on this is similar to the story referenced, but not exactly the same.
auth-bypass.hints.verify.2=You do want to tamper the security question parameters, but not delete them
auth-bypass.hints.verify.3=The logic to verify the account does expect 2 security questions to be answered, but there is a flaw in the implementation
auth-bypass.hints.verify.4=Have you tried renaming the secQuestion0 and secQuestion1 parameters?

BIN
src/main/resources/lessons/auth_bypass/images/firefox-proxy-config.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 200 KiB

BIN
src/main/resources/lessons/auth_bypass/images/paypal-2fa-bypass.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 125 KiB

15
src/main/resources/lessons/auth_bypass/js/bypass.js Normal file
View File

@ -0,0 +1,15 @@
// need custom js for this?
webgoat.customjs.onBypassResponse = function(data) {
webgoat.customjs.jquery('#verify-account-form').hide();
webgoat.customjs.jquery('#change-password-form').show();
}
var onViewProfile = function () {
console.warn("on view profile activated")
webgoat.customjs.jquery.ajax({
method: "GET",
url: "/WebGoat/IDOR/profile",
contentType: 'application/json; charset=UTF-8'
}).then(webgoat.customjs.idorViewProfile);
}

5
src/main/resources/lessons/bypass_restrictions/css/bypass-restrictions.css Normal file
View File

@ -0,0 +1,5 @@
.bypass-input-container {
position: relative;
padding: 7px;
margin-top: 7px;
}

6
src/main/resources/lessons/bypass_restrictions/documentation/BypassRestrictions_FieldRestrictions.adoc Executable file
View File

@ -0,0 +1,6 @@
== Field Restrictions
In most browsers, the client has complete or almost complete control over the HTML part
of the webpage. They can alter values or restrictions to fit their preference.
=== Task
Send a request that bypasses restrictions of all four of these fields.

9
src/main/resources/lessons/bypass_restrictions/documentation/BypassRestrictions_FrontendValidation.adoc Normal file
View File

@ -0,0 +1,9 @@
== Validation
There is often some mechanism in place to prevent users from sending altered
field values to the server, such as validation before sending. Most popular browsers
such as Chrome don't allow editing scripts during runtime. We will have to circumvent
the validation some other way.
=== Task
Send a request that does not fit the regular expression above the field in all fields.

10
src/main/resources/lessons/bypass_restrictions/documentation/BypassRestrictions_Intro.adoc Executable file
View File

@ -0,0 +1,10 @@
== Concept
Users have a great degree of control over the web application's front-end.
They can alter HTML code, sometimes also scripts. Applications that require a certain input format should also validate on the server-side.
== Goals
* The user should have a basic knowledge of HTML
* The user should be able to tamper with a request before sending (with proxy or other tools)
* The user will be able to tamper with field restrictions and bypass client-side validation

167
src/main/resources/lessons/bypass_restrictions/html/BypassRestrictions.html Executable file
View File

@ -0,0 +1,167 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org" xmlns="http://www.w3.org/1999/html">
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:lessons/bypass_restrictions/documentation/BypassRestrictions_Intro.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- stripped down without extra comments -->
<div class="adoc-content" th:replace="doc:lessons/bypass_restrictions/documentation/BypassRestrictions_FieldRestrictions.adoc"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/bypass-restrictions.css}"/>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container-fluid">
<form class="attack-form" accept-charset="UNKNOWN" name="fieldRestrictions"
method="POST"
action="/WebGoat/BypassRestrictions/FieldRestrictions">
<div class="bypass-input-container"><b>Select field with two possible value</b>
<div class="input-group">
<select name="select">
<option value="option1">Option 1</option>
<option value="option2">Option 2</option>
</select>
</div>
</div>
<div class="bypass-input-container"><b>Radio button with two possible values</b>
<div class="input-group">
<input type="radio" name="radio" value="option1" checked="checked"/> Option 1<br/>
<input type="radio" name="radio" value="option2"/> Option 2<br/>
</div>
</div>
<div class="bypass-input-container"><b>Checkbox: value either on or off</b>
<div class="input-group">
<input type="checkbox" name="checkbox" checked="checked"> Checkbox</input>
</div>
</div>
<div class="bypass-input-container"><b>Input restricted to max 5 characters</b>
<div class="input-group"><input type="text" value="12345" name="shortInput" maxlength="5"/>
</div>
</div>
<div class="bypass-input-container"><b>Readonly input field</b>
<div class="input-group">
<input type="text" value="change" readonly="readonly" name="readOnlyInput"/>
</div>
</div>
<br>
<input type="submit" class="btn btn-primary" value="Submit"/>
</form>
</div>
<br/>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/bypass_restrictions/documentation/BypassRestrictions_FrontendValidation.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" name="frontendValidation"
id="frontendValidation"
method="POST"
action="/WebGoat/BypassRestrictions/frontendValidation/"
onsubmit="return validate()">
<div>
<strong>Field 1:</strong> exactly three lowercase characters(^[a-z]{3}$)
</div>
<div>
<textarea cols="25" name="field1" rows="1">abc</textarea>
</div>
<p></p>
<div><strong>Field 2:</strong> exactly three digits(^[0-9]{3}$)</div>
<div>
<textarea cols="25" name="field2" rows="1">123</textarea>
</div>
<p></p>
<div><strong>Field 3:</strong> letters, numbers, and space only(^[a-zA-Z0-9 ]*$)</div>
<div>
<textarea cols="25" name="field3" rows="1">abc 123 ABC</textarea>
</div>
<p></p>
<div><strong>Field 4:</strong> enumeration of numbers (^(one|two|three|four|five|six|seven|eight|nine)$)
</div>
<div>
<textarea cols="25" name="field4" rows="1">seven</textarea>
</div>
<p></p>
<div><strong>Field 5:</strong> simple zip code (^\d{5}$)</div>
<div>
<textarea cols="25" name="field5" rows="1">01101</textarea>
</div>
<p></p>
<div><strong>Field 6:</strong> zip with optional dash four (^\d{5}(-\d{4})?$)</div>
<div>
<textarea cols="25" name="field6" rows="1">90210-1111</textarea>
</div>
<p></p>
<div><strong>Field 7:</strong> US phone number with or without dashes (^[2-9]\d{2}-?\d{3}-?\d{4}$)</div>
<div>
<textarea cols="25" name="field7" rows="1">301-604-4882</textarea>
</div>
<input type="hidden" value="" name="error"/>
<p>
<button type="submit" class="btn btn-primary">Submit</button>
</p>
</form>
<script>
var regex1 = /^[a-z]{3}$/;
var regex2 = /^[0-9]{3}$/;
var regex3 = /^[a-zA-Z0-9 ]*$/;
var regex4 = /^(one|two|three|four|five|six|seven|eight|nine)$/;
var regex5 = /^\d{5}$/;
var regex6 = /^\d{5}(-\d{4})?$/;
var regex7 = /^[2-9]\d{2}-?\d{3}-?\d{4}$/;
var validate = function () {
var msg = 'JavaScript found form errors';
var err = 0;
if (!regex1.test(document.frontendValidation.field1.value)) {
err += 1;
msg += '\n Value entered for field 1 is not correct';
}
if (!regex2.test(document.frontendValidation.field2.value)) {
err += 1;
msg += '\n Value entered for field 2 is not correct';
}
if (!regex3.test(document.frontendValidation.field3.value)) {
err += 1;
msg += '\n Value entered for field 3 is not correct';
}
if (!regex4.test(document.frontendValidation.field4.value)) {
err += 1;
msg += '\n Value entered for field 4 is not correct';
}
if (!regex5.test(document.frontendValidation.field5.value)) {
err += 1;
msg += '\n Value entered for field 5 is not correct';
}
if (!regex6.test(document.frontendValidation.field6.value)) {
err += 1;
msg += '\n Value entered for field 6 is not correct';
}
if (!regex7.test(document.frontendValidation.field7.value)) {
err += 1;
msg += '\n Value entered for field 7 is not correct';
}
document.frontendValidation.error.value = err
if (err > 0) {
alert(msg)
return false;
}
return true;
}
</script>
<br/>
<br/>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</html>

4
src/main/resources/lessons/bypass_restrictions/i18n/WebGoatLabels.properties Executable file
View File

@ -0,0 +1,4 @@
bypass-restrictions.title=Bypass front-end restrictions
bypass-restrictions.intercept.success=Well done, you intercepted the request as expected
bypass-restrictions.intercept.failure=Please try again. Make sure to make all the changes. And case sensitivity may matter ... or not, you never know!

BIN
src/main/resources/lessons/challenges/challenge7/git.zip Normal file
View File

Binary file not shown.

96
src/main/resources/lessons/challenges/css/challenge6.css Normal file
View File

@ -0,0 +1,96 @@
.panel-login {
border-color: #ccc;
-webkit-box-shadow: 0px 2px 3px 0px rgba(0,0,0,0.2);
-moz-box-shadow: 0px 2px 3px 0px rgba(0,0,0,0.2);
box-shadow: 0px 2px 3px 0px rgba(0,0,0,0.2);
}
.panel-login>.panel-heading {
color: #00415d;
background-color: #fff;
border-color: #fff;
text-align:center;
}
.panel-login>.panel-heading a{
text-decoration: none;
color: #666;
font-weight: bold;
font-size: 15px;
-webkit-transition: all 0.1s linear;
-moz-transition: all 0.1s linear;
transition: all 0.1s linear;
}
.panel-login>.panel-heading a.active{
color: #029f5b;
font-size: 18px;
}
.panel-login>.panel-heading hr{
margin-top: 10px;
margin-bottom: 0px;
clear: both;
border: 0;
height: 1px;
background-image: -webkit-linear-gradient(left,rgba(0, 0, 0, 0),rgba(0, 0, 0, 0.15),rgba(0, 0, 0, 0));
background-image: -moz-linear-gradient(left,rgba(0,0,0,0),rgba(0,0,0,0.15),rgba(0,0,0,0));
background-image: -ms-linear-gradient(left,rgba(0,0,0,0),rgba(0,0,0,0.15),rgba(0,0,0,0));
background-image: -o-linear-gradient(left,rgba(0,0,0,0),rgba(0,0,0,0.15),rgba(0,0,0,0));
}
.panel-login input[type="text"],.panel-login input[type="email"],.panel-login input[type="password"] {
height: 45px;
border: 1px solid #ddd;
font-size: 16px;
-webkit-transition: all 0.1s linear;
-moz-transition: all 0.1s linear;
transition: all 0.1s linear;
}
.panel-login input:hover,
.panel-login input:focus {
outline:none;
-webkit-box-shadow: none;
-moz-box-shadow: none;
box-shadow: none;
border-color: #ccc;
}
.btn-login {
background-color: #59B2E0;
outline: none;
color: #fff;
font-size: 14px;
height: auto;
font-weight: normal;
padding: 14px 0;
text-transform: uppercase;
border-color: #59B2E6;
}
.btn-login:hover,
.btn-login:focus {
color: #fff;
background-color: #53A3CD;
border-color: #53A3CD;
}
.forgot-password {
text-decoration: underline;
color: #888;
}
.forgot-password:hover,
.forgot-password:focus {
text-decoration: underline;
color: #666;
}
.btn-register {
background-color: #1CB94E;
outline: none;
color: #fff;
font-size: 14px;
height: auto;
font-weight: normal;
padding: 14px 0;
text-transform: uppercase;
border-color: #1CB94A;
}
.btn-register:hover,
.btn-register:focus {
color: #fff;
background-color: #1CA347;
border-color: #1CA347;
}

43
src/main/resources/lessons/challenges/css/challenge8.css Normal file
View File

@ -0,0 +1,43 @@
.btn-grey{
background-color:#D8D8D8;
color:#FFF;
}
.rating-block{
background-color:#FAFAFA;
border:1px solid #EFEFEF;
padding:15px 15px 20px 15px;
border-radius:3px;
}
.bold{
font-weight:700;
}
.padding-bottom-7{
padding-bottom:7px;
}
.review-block{
background-color:#FAFAFA;
border:1px solid #EFEFEF;
padding:15px;
border-radius:3px;
margin-bottom:15px;
}
.review-block-name{
font-size:12px;
margin:10px 0;
}
.review-block-date{
font-size:12px;
}
.review-block-rate{
font-size:13px;
margin-bottom:15px;
}
.review-block-title{
font-size:15px;
font-weight:700;
margin-bottom:10px;
}
.review-block-description{
font-size:13px;
}

11
src/main/resources/lessons/challenges/db/migration/V2018_09_26_1__users.sql Normal file
View File

@ -0,0 +1,11 @@
--Challenge 5 - Creating tables for users
CREATE TABLE challenge_users(
userid varchar(250),
email varchar(30),
password varchar(30)
);
INSERT INTO challenge_users VALUES ('larry', 'larry@webgoat.org', 'larryknows');
INSERT INTO challenge_users VALUES ('tom', 'tom@webgoat.org', 'thisisasecretfortomonly');
INSERT INTO challenge_users VALUES ('alice', 'alice@webgoat.org', 'rt*(KJ()LP())$#**');
INSERT INTO challenge_users VALUES ('eve', 'eve@webgoat.org', '**********');

1
src/main/resources/lessons/challenges/documentation/Challenge_1.adoc Normal file
View File

@ -0,0 +1 @@
The admin forgot where the password is stashed, can you help?

1
src/main/resources/lessons/challenges/documentation/Challenge_5.adoc Normal file
View File

@ -0,0 +1 @@
Can you login as Larry?

1
src/main/resources/lessons/challenges/documentation/Challenge_6.adoc Normal file
View File

@ -0,0 +1 @@
Can you login as Tom? It may be a little harder than it was for Larry.

1
src/main/resources/lessons/challenges/documentation/Challenge_7.adoc Normal file
View File

@ -0,0 +1 @@
Try to reset the password for admin.

1
src/main/resources/lessons/challenges/documentation/Challenge_8.adoc Normal file
View File

@ -0,0 +1 @@
Can you still vote?

29
src/main/resources/lessons/challenges/documentation/Challenge_introduction.adoc Normal file
View File

@ -0,0 +1,29 @@
=== Welcome to the WebGoat challenge (CTF)
==== Introduction
The challenges contain more a CTF like lessons where we do not provide any explanations what you need to do, no hints
will be provided. You can use these challenges in a CTF style where you can run WebGoat on one server and all
participants can join and hack the challenges. A scoreboard is available at link:/WebGoat/scoreboard["/WebGoat/scoreboard",window=_blank]
:hardbreaks:
In this CTF you will need to solve a couple of challenges, each challenge will give you a flag which you will
need to post in order to gain points.
Flags have the following format: `a7179f89-906b-4fec-9d99-f15b796e7208`
==== Rules
- Do not try to hack the competition infrastructure. If you happen to find a bug or vulnerability please send us
an e-mail.
- Play fair, do not try sabotage other competing teams, or in any way hindering the progress of another team.
- Brute forcing of challenges / flags is not allowed.
:hardbreaks:
*Have fun!!*
Team WebGoat
image::images/boss.jpg[]

9
src/main/resources/lessons/challenges/html/Challenge.html Normal file
View File

@ -0,0 +1,9 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_introduction.adoc"></div>
</div>
</html>

63
src/main/resources/lessons/challenges/html/Challenge1.html Normal file
View File

@ -0,0 +1,63 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_introduction.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container-fluid">
<div class="panel panel-default">
<div class="panel-heading">
<img th:src="@{/challenge/logo}" class="img-thumbnail"/>
</div>
<div class="panel-body">
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/challenge/1"
style="width: 200px;">
<div class="form-group">
<label for="exampleInputEmail1" th:text="#{username}">Username</label>
<input autofocus="dummy_for_thymeleaf_parser" type="text" class="form-control"
id="exampleInputEmail1" placeholder="Username" name='username' value="admin"/>
</div>
<div class="form-group">
<label for="exampleInputPassword1" th:text="#{password}">Password</label>
<input type="password" class="form-control" id="exampleInputPassword1"
placeholder="Password"
name='password'/>
</div>
<button class="btn btn-primary btn-block" type="submit" th:text="#{sign.in}">Sign in</button>
</form>
</div>
</div>
</div>
<form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
<div class="form-group">
<div class="input-group">
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
style="font-size:20px"></i></div>
<input type="text" class="form-control" id="flag" name="flag"
placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/>
</div>
<div class="input-group" style="margin-top: 10px">
<button type="submit" class="btn btn-primary">Submit flag</button>
</div>
</div>
</form>
<br/>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</html>

90
src/main/resources/lessons/challenges/html/Challenge5.html Normal file
View File

@ -0,0 +1,90 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_5.adoc"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge6.css}"/>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container-fluid">
<div class="row">
<div class="col-md-6">
<div class="panel panel-login">
<div class="panel-heading">
<div class="row">
<div class="col-xs-6">
<a href="#" class="active" id="login-form-link">Login</a>
</div>
</div>
<hr/>
</div>
<div class="panel-body">
<div class="row">
<div class="col-lg-12">
<form id="login-form" class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/challenge/5" role="form">
<div class="form-group">
<input type="text" name="username_login" id="username4" tabindex="1"
class="form-control" placeholder="Username" value=""/>
</div>
<div class="form-group">
<input type="password" name="password_login" id="password4" tabindex="2"
class="form-control" placeholder="Password"/>
</div>
<div class="form-group text-center">
<input type="checkbox" tabindex="3" class="" name="remember" id="remember"/>
<label for="remember"> Remember me</label>
</div>
<div class="form-group">
<div class="row">
<div class="col-sm-6 col-sm-offset-3">
<input type="submit" name="login-submit" id="login-submit"
tabindex="4" class="form-control btn-primary"
value="Log In"/>
</div>
</div>
</div>
<div class="form-group">
<div class="row">
<div class="col-lg-12">
<div class="text-center">
<a href="#" tabindex="5" class="forgot-password">Forgot
Password?</a>
</div>
</div>
</div>
</div>
</form>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br/>
<form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
<div class="form-group">
<div class="input-group">
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
style="font-size:20px"></i></div>
<input type="text" class="form-control" id="flag" name="flag"
placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/>
</div>
<div class="input-group" style="margin-top: 10px">
<button type="submit" class="btn btn-primary">Submit flag</button>
</div>
</div>
</form>
<br/>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</html>

123
src/main/resources/lessons/challenges/html/Challenge6.html Normal file
View File

@ -0,0 +1,123 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_6.adoc"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge6.css}"/>
<script th:src="@{/lesson_js/challenge6.js}" language="JavaScript"></script>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container-fluid">
<div class="row">
<div class="col-md-6">
<div class="panel panel-login">
<div class="panel-heading">
<div class="row">
<div class="col-xs-6">
<a href="#" class="active" id="login-form-link">Login</a>
</div>
<div class="col-xs-6">
<a href="#" id="register-form-link">Register</a>
</div>
</div>
<hr/>
</div>
<div class="panel-body">
<div class="row">
<div class="col-lg-12">
<form id="login-form" class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/challenge/6" role="form">
<div class="form-group">
<input type="text" name="username_login" id="username4" tabindex="1"
class="form-control" placeholder="Username" value=""/>
</div>
<div class="form-group">
<input type="password" name="password_login" id="password4" tabindex="2"
class="form-control" placeholder="Password"/>
</div>
<div class="form-group text-center">
<input type="checkbox" tabindex="3" class="" name="remember" id="remember"/>
<label for="remember"> Remember me</label>
</div>
<div class="form-group">
<div class="row">
<div class="col-sm-6 col-sm-offset-3">
<input type="submit" name="login-submit" id="login-submit"
tabindex="4" class="form-control btn-primary"
value="Log In"/>
</div>
</div>
</div>
<div class="form-group">
<div class="row">
<div class="col-lg-12">
<div class="text-center">
<a href="#" tabindex="5" class="forgot-password">Forgot
Password?</a>
</div>
</div>
</div>
</div>
</form>
<form id="register-form" class="attack-form" accept-charset="UNKNOWN"
method="PUT" name="form"
action="/WebGoat/challenge/6" style="display: none;" role="form">
<div class="form-group">
<input type="text" name="username_reg" id="username" tabindex="1"
class="form-control" placeholder="Username" value=""/>
</div>
<div class="form-group">
<input type="email" name="email_reg" id="email" tabindex="1"
class="form-control" placeholder="Email Address" value=""/>
</div>
<div class="form-group">
<input type="password" name="password_reg" id="password" tabindex="2"
class="form-control" placeholder="Password"/>
</div>
<div class="form-group">
<input type="password" name="confirm_password_reg" id="confirm-password"
tabindex="2" class="form-control" placeholder="Confirm Password"/>
</div>
<div class="form-group">
<div class="row">
<div class="col-sm-6 col-sm-offset-3">
<input type="submit" name="register-submit" id="register-submit"
tabindex="4" class="form-control btn btn-primary"
value="Register Now"/>
</div>
</div>
</div>
</form>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br/>
<form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
<div class="form-group">
<div class="input-group">
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
style="font-size:20px"></i></div>
<input type="text" class="form-control" id="flag" name="flag"
placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/>
</div>
<div class="input-group" style="margin-top: 10px">
<button type="submit" class="btn btn-primary">Submit flag</button>
</div>
</div>
</form>
<br/>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</html>

81
src/main/resources/lessons/challenges/html/Challenge7.html Normal file
View File

@ -0,0 +1,81 @@
<!DOCTYPE html>
<!--
** Revision history (automatically added by: /challenge/7/.git/hooks)
2e29cacb85ce5066b8d011bb9769b666812b2fd9 Updated copyright to 2017
ac937c7aab89e042ca32efeb00d4ca08a95b50d6 Removed hardcoded key
f94008f801fceb8833a30fe56a8b26976347edcf First version of WebGoat Cloud website
-->
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_7.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container-fluid">
<div class="row">
<div class="col-md-4">
<div class="panel panel-default">
<div class="panel-body">
<div class="text-center">
<h3><i class="fa fa-lock fa-4x"></i></h3>
<h2 class="text-center">Forgot Password?</h2>
<p>You can reset your password here.</p>
<div class="panel-body">
<form id="login-form" class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/challenge/7" role="form">
<div class="form-group">
<div class="input-group">
<span class="input-group-addon"><i
class="glyphicon glyphicon-envelope color-blue"></i></span>
<input id="email" name="email" placeholder="email address"
class="form-control" type="email"/>
</div>
</div>
<div class="form-group">
<input name="recover-submit" class="btn btn-lg btn-primary btn-block"
value="Reset Password" type="submit"/>
</div>
<div class="form-group">
<p>(c) 2017 WebGoat Cloud Platform</p>
</div>
<input type="hidden" class="hide" name="token" id="token" value=""/>
</form>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br/>
<form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
<div class="form-group">
<div class="input-group">
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
style="font-size:20px"></i></div>
<input type="text" class="form-control" id="flag" name="flag"
placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/>
</div>
<div class="input-group" style="margin-top: 10px">
<button type="submit" class="btn btn-primary">Submit flag</button>
</div>
</div>
</form>
<br/>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</html>

255
src/main/resources/lessons/challenges/html/Challenge8.html Normal file
View File

@ -0,0 +1,255 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_8.adoc"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge8.css}"/>
<script th:src="@{/lesson_js/challenge8.js}" language="JavaScript"></script>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container">
<div class="row">
<div class="col-sm-3">
<div class="rating-block">
<h4>Average user rating</h4>
<h2 class="bold padding-bottom-7">4.3
<small>/ 5</small>
</h2>
<button id="star1" onClick="doVote(1)" type="button" class="btn btn-warning btn-sm" aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
<button id="star2" onClick="doVote(2)" type="button" class="btn btn-warning btn-sm" aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
<button id="star3" onClick="doVote(3)" type="button" class="btn btn-warning btn-sm" aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
<button id="star4" onClick="doVote(4)" type="button" class="btn btn-default btn-grey btn-sm" aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
<button id="star5" onClick="doVote(5)" type="button" class="btn btn-default btn-grey btn-sm" aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
</div>
</div>
<div class="col-sm-3">
<h4>Rating breakdown</h4>
<div class="pull-left">
<div class="pull-left" style="width:35px; line-height:1;">
<div style="height:9px; margin:5px 0;">5 <span class="glyphicon glyphicon-star"></span>
</div>
</div>
<div class="pull-left" style="width:180px;">
<div class="progress" style="height:9px; margin:8px 0;">
<div id="progressBar5" class="progress-bar progress-bar-success" role="progressbar" aria-valuenow="5"
aria-valuemin="0" aria-valuemax="5">
<span class="sr-only">5</span>
</div>
</div>
</div>
<div id="nrOfVotes5" class="pull-right" style="margin-left:10px;">0</div>
</div>
<div class="pull-left">
<div class="pull-left" style="width:35px; line-height:1;">
<div style="height:9px; margin:5px 0;">4 <span class="glyphicon glyphicon-star"></span>
</div>
</div>
<div class="pull-left" style="width:180px;">
<div class="progress" style="height:9px; margin:8px 0;">
<div id="progressBar4" class="progress-bar progress-bar-primary" role="progressbar" aria-valuenow="5"
aria-valuemin="0" aria-valuemax="5">
<span class="sr-only">4</span>
</div>
</div>
</div>
<div id="nrOfVotes4" class="pull-right" style="margin-left:10px;">0</div>
</div>
<div class="pull-left">
<div class="pull-left" style="width:35px; line-height:1;">
<div style="height:9px; margin:5px 0;">3 <span class="glyphicon glyphicon-star"></span>
</div>
</div>
<div class="pull-left" style="width:180px;">
<div class="progress" style="height:9px; margin:8px 0;">
<div id="progressBar3" class="progress-bar progress-bar-info" role="progressbar" aria-valuenow="5"
aria-valuemin="0" aria-valuemax="5">
<span class="sr-only">4</span>
</div>
</div>
</div>
<div id="nrOfVotes3" class="pull-right" style="margin-left:10px;">0</div>
</div>
<div class="pull-left">
<div class="pull-left" style="width:35px; line-height:1;">
<div style="height:9px; margin:5px 0;">2 <span class="glyphicon glyphicon-star"></span>
</div>
</div>
<div class="pull-left" style="width:180px;">
<div class="progress" style="height:9px; margin:8px 0;">
<div id="progressBar2" class="progress-bar progress-bar-warning" role="progressbar" aria-valuenow="5"
aria-valuemin="0" aria-valuemax="5">
<span class="sr-only">2</span>
</div>
</div>
</div>
<div id="nrOfVotes2" class="pull-right" style="margin-left:10px;">0</div>
</div>
<div class="pull-left">
<div class="pull-left" style="width:35px; line-height:1;">
<div style="height:9px; margin:5px 0;">1 <span class="glyphicon glyphicon-star"></span>
</div>
</div>
<div class="pull-left" style="width:180px;">
<div class="progress" style="height:9px; margin:8px 0;">
<div id="progressBar1" class="progress-bar progress-bar-danger" role="progressbar" aria-valuenow="5"
aria-valuemin="0" aria-valuemax="5">
<span class="sr-only">4</span>
</div>
</div>
</div>
<div id="nrOfVotes1" class="pull-right" style="margin-left:10px;">0</div>
</div>
</div>
</div>
<div class="row">
<div class="col-sm-7">
<hr/>
<div id = "voteResultMsg" class="alert alert-dismissable" style="display: none;">
</div>
<div class="alert alert-info">
Please login or register in order to vote (comments are disabled)
</div>
<div class="review-block">
<div class="row">
<div class="col-sm-3">
<img src="images/user1.png" class="img-rounded"/>
<div class="review-block-name"><a href="#">nktailor</a></div>
<div class="review-block-date">August 22, 2017<br/>1 day ago</div>
</div>
<div class="col-sm-9">
<div class="review-block-rate">
<button type="button" class="btn btn-warning btn-xs" aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
<button type="button" class="btn btn-warning btn-xs" aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
<button type="button" class="btn btn-warning btn-xs" aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
<button type="button" class="btn btn-warning btn-xs"
aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
<button type="button" class="btn btn-warning btn-xs"
aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
</div>
<div class="review-block-title">WebGoat rocks!</div>
<div class="review-block-description">This is a great tool to learn about security
and have some fun with a couple challenges.
</div>
</div>
</div>
<hr/>
<div class="row">
<div class="col-sm-3">
<img src="images/user3.png" class="img-rounded"/>
<div class="review-block-name"><a href="#">Sarah</a></div>
<div class="review-block-date">July 29, 2017<br/>12 day ago</div>
</div>
<div class="col-sm-9">
<div class="review-block-rate">
<button type="button" class="btn btn-warning btn-xs" aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
<button type="button" class="btn btn-warning btn-xs" aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
<button type="button" class="btn btn-warning btn-xs" aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
<button type="button" class="btn btn-warning btn-xs"
aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
<button type="button" class="btn btn-default btn-grey btn-xs"
aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
</div>
<div class="review-block-title">Nice</div>
<div class="review-block-description">I liked it and learned a couple of things.
Still some bugs sometimes though.
</div>
</div>
</div>
<hr/>
<div class="row">
<div class="col-sm-3">
<img src="images/user2.png" class="img-rounded"/>
<div class="review-block-name"><a href="#">Tom</a></div>
<div class="review-block-date">January 27, 2017<br/>100 days ago</div>
</div>
<div class="col-sm-9">
<div class="review-block-rate">
<button type="button" class="btn btn-warning btn-xs" aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
<button type="button" class="btn btn-warning btn-xs" aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
<button type="button" class="btn btn-warning btn-xs" aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
<button type="button" class="btn btn-default btn-grey btn-xs"
aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
<button type="button" class="btn btn-default btn-grey btn-xs"
aria-label="Left Align">
<span class="glyphicon glyphicon-star" aria-hidden="true"></span>
</button>
</div>
<div class="review-block-title">WebGoat is great</div>
<div class="review-block-description">WebGoat teaches you web security with some great
lessons
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br/>
<form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
<div class="form-group">
<div class="input-group">
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
style="font-size:20px"></i></div>
<input type="text" class="form-control" id="flag" name="flag"
placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/>
</div>
<div class="input-group" style="margin-top: 10px">
<button type="submit" class="btn btn-primary">Submit flag</button>
</div>
</div>
</form>
<br/>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</html>

27
src/main/resources/lessons/challenges/i18n/WebGoatLabels.properties Normal file
View File

@ -0,0 +1,27 @@
challenge0.title=WebGoat Challenge
challenge1.title=Admin lost password
challenge2.title=Get it for free
challenge3.title=Photo comments
challenge5.title=Without password
challenge6.title=Creating a new account
challenge7.title=Admin password reset
challenge8.title=Without account
challenge9.title=Changing password
challenge.solved=Congratulations, you solved the challenge. Here is your flag: {0}
challenge.close=This is not the correct password for Larry, please try again.
email.send=An e-mail has been send to {0}
user.exists=User {0} already exists please try to register with a different username.
user.created=User {0} created, please proceed to the login page.
input.invalid=Input for user, email and/or password is empty or too long, please fill in all field and/or limit all fields to 30 characters.
challenge.flag.correct=Congratulations you have solved the challenge!!
challenge.flag.incorrect=Sorry this is not the correct flag, please try again.
ip.address.unknown=IP address unknown, e-mail has been sent.
required4=Missing username or password, please specify both.
user.not.larry=Please try to log in as Larry not {0}.

BIN
src/main/resources/lessons/challenges/images/avatar1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 28 KiB

BIN
src/main/resources/lessons/challenges/images/boss.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 82 KiB

BIN
src/main/resources/lessons/challenges/images/challenge1-small.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 11 KiB

BIN
src/main/resources/lessons/challenges/images/challenge1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 27 KiB

BIN
src/main/resources/lessons/challenges/images/challenge2-small.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 34 KiB

BIN
src/main/resources/lessons/challenges/images/challenge2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 164 KiB

BIN
src/main/resources/lessons/challenges/images/challenge3-small.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 58 KiB

BIN
src/main/resources/lessons/challenges/images/challenge3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 179 KiB

BIN
src/main/resources/lessons/challenges/images/challenge4-small.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 4.3 KiB

BIN
src/main/resources/lessons/challenges/images/challenge4.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 28 KiB

BIN
src/main/resources/lessons/challenges/images/challenge5-small.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 17 KiB

BIN
src/main/resources/lessons/challenges/images/challenge5.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 119 KiB

BIN
src/main/resources/lessons/challenges/images/hi-five-cat.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 40 KiB

BIN
src/main/resources/lessons/challenges/images/user1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.5 KiB

BIN
src/main/resources/lessons/challenges/images/user2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.7 KiB

BIN
src/main/resources/lessons/challenges/images/user3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.0 KiB

BIN
src/main/resources/lessons/challenges/images/webgoat2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 88 KiB

6
src/main/resources/lessons/challenges/js/bootstrap.min.js vendored Normal file
View File

File diff suppressed because one or more lines are too long

18
src/main/resources/lessons/challenges/js/challenge6.js Normal file
View File

@ -0,0 +1,18 @@
$(function() {
$('#login-form-link').click(function(e) {
$("#login-form").delay(100).fadeIn(100);
$("#register-form").fadeOut(100);
$('#register-form-link').removeClass('active');
$(this).addClass('active');
e.preventDefault();
});
$('#register-form-link').click(function(e) {
$("#register-form").delay(100).fadeIn(100);
$("#login-form").fadeOut(100);
$('#login-form-link').removeClass('active');
$(this).addClass('active');
e.preventDefault();
});
});

57
src/main/resources/lessons/challenges/js/challenge8.js Normal file
View File

@ -0,0 +1,57 @@
$(document).ready(function () {
loadVotes();
average();
})
function loadVotes() {
$.get("challenge/8/votes/", function (votes) {
var totalVotes = 0;
for (var i = 1; i <= 5; i++) {
totalVotes = totalVotes + votes[i];
}
console.log(totalVotes);
for (var i = 1; i <= 5; i++) {
var percent = votes[i] * 100 / totalVotes;
console.log(percent);
var progressBar = $('#progressBar' + i);
progressBar.width(Math.round(percent) * 2 + '%');
$("#nrOfVotes" + i).html(votes[i]);
}
}
);
}
function average() {
$.get("challenge/8/votes/average", function (average) {
for (var i = 1; i <= 5; i++) {
var number = average["average"];
$("#star" + i).removeClass('btn-warning');
$("#star" + i).removeClass('btn-default');
$("#star" + i).removeClass('btn-grey');
if (i <= number) {
$("#star" + i).addClass('btn-warning');
} else {
$("#star" + i).addClass('btn-grey');
}
}
}
);
}
function doVote(stars) {
$("#voteResultMsg").hide();
$.get("challenge/8/vote/" + stars, function (result) {
if (result["error"]) {
$("#voteResultMsg").addClass('alert-danger alert-dismissable');
} else {
$("#voteResultMsg").addClass('alert-success alert-dismissable');
}
$("#voteResultMsg").html(result["message"]);
$("#voteResultMsg").show();
})
loadVotes();
average();
}

8
src/main/resources/lessons/chrome_dev_tools/documentation/ChromeDevTools_Assignment.adoc Normal file
View File

@ -0,0 +1,8 @@
== Try It! Using the console
Let us try it. Use the console in the dev tools and call the javascript function *webgoat.customjs.phoneHome()*. +
You should get a response in the console. Your result should look something like this:
`phone home said
{"lessonCompleted:true, ... ,"output":"phone home response is..."`
Paste the random number, after that, in the text field below.
(Make sure you got the most recent number since it is randomly generated each time you call the function)

6
src/main/resources/lessons/chrome_dev_tools/documentation/ChromeDevTools_Assignment_Network.adoc Normal file
View File

@ -0,0 +1,6 @@
== Try It! Working with the Network tab
In this assignment, you need to find a specific HTTP request and read a randomized number.
To start, click the first button. This will generate an HTTP request. Try to find the specific HTTP request.
The request should contain a field: `networkNum:`
Copy the number displayed afterward into the input field below and click on the check button.

17
src/main/resources/lessons/chrome_dev_tools/documentation/ChromeDevTools_console.adoc Normal file
View File

@ -0,0 +1,17 @@
== The Console tab
In the console tab, you can see anything that a loaded JavaScript file may have printed out.
Do not worry if you see something in red. While that is an error, it has probably resolved itself.
Through the console tab, it is also possible for you to run your line of JavaScript code.
Start by clearing the console using the shortcut `CTRL+L.`
To run your JavaScript, click inside of the console and write something like:
`console.log("Hello WebGoat!");` Hit enter. `Hello WebGoat` should now appear in your console.
The console also allows you to do some basic arithmetic. If you type, for example, `1+3` and hit
enter, the console should display 4.
Note: You may see an `undefined` in the console. You can safely ignore this statement,
it only means that the JavaScript function you have called did not return anything, therefore `undefined.`
image::images/ChromeDev_Console_Ex.jpg[DeveloperToolsConsoleExample,500,500,style="lesson-image"]

22
src/main/resources/lessons/chrome_dev_tools/documentation/ChromeDevTools_elements.adoc Normal file
View File

@ -0,0 +1,22 @@
== The Elements Tab
The elements tab allows you to look at the HTML and CSS code used to define and style the website.
=== HTML source
If you hover over one line, you can see that a part of the website turns blue. That means that
this particular HTML line defines this section of the website.
The elements tab allows you to make changes to every single HTML element. For example, if you click inside
a paragraph (<p>...</p>) Tag, you can edit the content of the website. If you have made your changes and then click enter
Chrome will update the website to show your edits. You can also change the HTML Tag used,
the classes and id's a tag has, and much more.
image::images/ChromeDev_Elements.jpg[DeveloperToolsElements,500,350,style="lesson-image"]
=== CSS source
You can find information about the CSS used to style the
website under the HTML source. Like the HTML, you can also edit the CSS and, therefore, adjust the website's styling.
You can edit specific values or turn off individual styling.
image::images/ChromeDev_Elements_CSS.jpg[DeveloperToolsElementsCSS,500,350,style="lesson-image"]

19
src/main/resources/lessons/chrome_dev_tools/documentation/ChromeDevTools_intro.adoc Normal file
View File

@ -0,0 +1,19 @@
== Google Chrome Developer Tools
To complete certain assignments, you sometimes may have to look at the JavaScript
source code or run a JavaScript command on your own.
To do that, Google Chrome has a set of tools that allow you to do that and much more.
While these tools are not specific to Google Chrome, almost every modern browser has a bunch
of its own. Our introduction will focus on the ones found in Google Chrome.
You can, however still use the browser of your choice, like Firefox or Safari, although some steps of this tutorial
maybe different for you.
Keep in mind that the following tutorial is not there to teach everything about these tools.
This tutorial will only focus on the essential knowledge to complete specific assignments.
Also, if you are already familiar with these tools, you can safely skip these lessons.
To get started: *open the developer tools*. There are multiple ways to open them:
1. Right-click anywhere in the browser window and select the option _"Inspect"_.
2. Go to the browser menu (three dots in the top right corner), then go to _"More tools"_ and select the option _"Developer tools"_.
3. Use the keyboard shortcut _Ctrl + Shift + I_

16
src/main/resources/lessons/chrome_dev_tools/documentation/ChromeDevTools_sources.adoc Normal file
View File

@ -0,0 +1,16 @@
== The Sources tab
In the sources tab, you can check out the file system and view all the HTML, CSS, and JavaScript files used to
create the website. Click on a file to view its contents.
image::images/ChromeDev_Sources.jpg[DeveloperToolsSources,400,500,style="lesson-image"]
== The Network tab
In the Network tab, you can view HTTP requests and responses the website has performed.
Just click on it if you want more detailed information on a particular request.
The "Timeline" above the blue dots represents when these requests and responses have been performed.
You can also see the Requests done in a specific time frame simply by clicking and dragging on the timeline. The window
below will only show the requests and responses done in that time frame.
image::images/ChromeDev_Network.jpg[DeveloperToolsNetwork,400,500,style="lesson-image"]

85
src/main/resources/lessons/chrome_dev_tools/html/ChromeDevTools.html Normal file
View File

@ -0,0 +1,85 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<!-- 1 -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/chrome_dev_tools/documentation/ChromeDevTools_intro.adoc"></div>
</div>
<!-- 2 -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/chrome_dev_tools/documentation/ChromeDevTools_elements.adoc"></div>
</div>
<!-- 3 -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/chrome_dev_tools/documentation/ChromeDevTools_console.adoc"></div>
</div>
<!-- 4 -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/chrome_dev_tools/documentation/ChromeDevTools_Assignment.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="DOMFollowUp"
action="/WebGoat/ChromeDevTools/dummy">
<input name="successMessage" value="" type="TEXT" />
<input name="submitMessage" value="Submit" type="SUBMIT"/>
</form>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
<!-- 5 -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/chrome_dev_tools/documentation/ChromeDevTools_sources.adoc"></div>
</div>
<!-- 6 -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/chrome_dev_tools/documentation/ChromeDevTools_Assignment_Network.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/ChromeDevTools/network">
<script>
// sample custom javascript in the recommended way ...
// a namespace has been assigned for it, but you can roll your own if you prefer
document.getElementById("btn").addEventListener("click", function() {
document.getElementById("networkNum").value = Math.random() * 100;
document.getElementById("networkNumCopy").value = document.getElementById("networkNum").value;
});
</script>
<input type="hidden" name="networkNum" id="networkNum" value="foo" />
<table>
<tr>
<td>Click this button to make a request:</td>
<td><input id="btn" name="SUBMIT" value="Go!" type="SUBMIT" /></td>
<td></td>
</tr>
</table>
</form>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/ChromeDevTools/network">
<table>
<tr>
<td>What is the number you found: </td>
<td><input name="number" type="text"/></td>
<td><input type="submit" name="Submit" value="check"/></td>
<td></td>
</tr>
</table>
<input type="hidden" name="network_num" id="networkNumCopy" value="foo" />
</form>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</html>

11
src/main/resources/lessons/chrome_dev_tools/i18n/WebGoatLabels.properties Normal file
View File

@ -0,0 +1,11 @@
3.chrome-dev-tools.title=Developer Tools
xss-dom-message-success=Correct!
xss-dom-message-failure=Incorrect.
network.request=You made a HTTP Request.
network.success=Correct, Well Done.
network.failed=That is not correct, try again.
networkHint1=Clear all Requests from the network button, then make the request. The you should be able to figure out, which request holds the data.
networkHint2=The name of the request is "dummy"

BIN
src/main/resources/lessons/chrome_dev_tools/images/ChromeDev_Console_Clear.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 7.8 KiB

BIN
src/main/resources/lessons/chrome_dev_tools/images/ChromeDev_Console_Ex.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 40 KiB

BIN
src/main/resources/lessons/chrome_dev_tools/images/ChromeDev_Elements.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 95 KiB

BIN
src/main/resources/lessons/chrome_dev_tools/images/ChromeDev_Elements_CSS.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 47 KiB

BIN
src/main/resources/lessons/chrome_dev_tools/images/ChromeDev_Network.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 122 KiB

BIN
src/main/resources/lessons/chrome_dev_tools/images/ChromeDev_Sources.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 99 KiB

24
src/main/resources/lessons/cia/documentation/CIA_availability.adoc Normal file
View File

@ -0,0 +1,24 @@
== Availability
Availability is "the property of being accessible and usable on demand by an authorized entity." In other words, authorized persons should have access to permitted resources at all times.
{nbsp} +
=== Examples that compromise availability:
** denial-of-service attacks (DOS)
** hardware failures
** fire or other natural disasters
** software or network misconfigurations
{nbsp} +
=== Examples of methods ensuring availability
** intrusion detection systems (IDSs)
** network traffic control
** firewalls
** physical security of hardware and underlying infrastructure
*** protection against fire, water, and other elements
** hardware maintenance
** redundancy

25
src/main/resources/lessons/cia/documentation/CIA_confidentiality.adoc Normal file
View File

@ -0,0 +1,25 @@
== Confidentiality
Confidentiality is "the property that information is not made available or disclosed to unauthorized individuals, entities, or processes." In other words, confidentiality requires that unauthorized users should not be able to access sensitive resources. Confidentiality must be balanced with availability; authorized persons must still access the resources they have been granted permissions for.
Although confidentiality is similar to "privacy," these two words are not interchangeable. Instead, confidentiality is a component of privacy; confidentiality is implemented to protect resources from unauthorized entities.
{nbsp} +
=== Examples that compromise confidentiality:
** a hacker gets access to the password database of a company
** a sensitive email is sent to the incorrect individual
** a hacker reads sensitive information by intercepting and eavesdropping on an information transfer
{nbsp} +
=== Examples of methods ensuring confidentiality
** data encryption
** properly implemented authentication and access control
*** securely stored passwords
*** multi-factor authentication (MFA)
*** biometric verification
** minimizing the number of places/times the information appears
** physical security controls such as properly secured server rooms

21
src/main/resources/lessons/cia/documentation/CIA_integrity.adoc Normal file
View File

@ -0,0 +1,21 @@
== Integrity
Integrity is "the property of accuracy and completeness." In other words, integrity means maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. Data must not change during transit, and unauthorized entities should not alter the data.
{nbsp} +
=== Examples that compromise integrity:
** human error when entering data
** errors during data transmission
** software bugs and hardware failures
** hackers change information that they should not have access to
{nbsp} +
=== Examples of methods ensuring the integrity
** well functioning authentication methods and access control
** checking integrity with hash functions
** backups and redundancy
** auditing and logging

7
src/main/resources/lessons/cia/documentation/CIA_intro.adoc Normal file
View File

@ -0,0 +1,7 @@
== The CIA Triad
The CIA Triad (confidentiality, integrity, availability) is a model for information security.
The three elements of the triad are considered the most crucial information security components and should guarantee in any secure system. +
Serious consequences can result if even one of these elements is breached.
The CIA Triad was created to provide a baseline standard for evaluating and implementing security regardless of the underlying system and/or organization.

3
src/main/resources/lessons/cia/documentation/CIA_quiz.adoc Normal file
View File

@ -0,0 +1,3 @@
Now it's time for a quiz! Answer the following question to check if you understood the topic.
Today, most systems are protected by a firewall. A properly configured firewall can prevent malicious entities from accessing a system and helps protect an organization's resources. For this quiz, imagine a system that handles personal data but is not protected by a firewall:

43
src/main/resources/lessons/cia/html/CIA.html Normal file
View File

@ -0,0 +1,43 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_intro.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_confidentiality.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_integrity.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_availability.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<span id="quiz_id" data-quiz_id="cia"></span>
<link rel="stylesheet" type="text/css" th:href="@{/css/quiz.css}"/>
<script th:src="@{/js/quiz.js}" language="JavaScript"></script>
<link rel="import" type="application/json" th:href="@{/lesson_js/questions.json}"/>
<div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_quiz.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container-fluid">
<form id="quiz-form" class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="cia/quiz" role="form">
<div id="q_container"></div>
<br />
<input name="Quiz_solutions" value="Submit answers" type="SUBMIT"/>
</form>
</div>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</html>

1
src/main/resources/lessons/cia/i18n/WebGoatLabels.properties Normal file
View File

@ -0,0 +1 @@
4.cia.title=CIA Triad

40
src/main/resources/lessons/cia/js/questions_cia.json Normal file
View File

@ -0,0 +1,40 @@
{
"questions": [
{
"text": "How could an intruder harm the security goal of confidentiality?",
"solutions": {
"1": "By deleting all the databases.",
"2": "By stealing a database where general configuration information for the system is stored.",
"3": "By stealing a database where names and emails are stored and uploading it to a website.",
"4": "Confidentiality can't be harmed by an intruder."
}
},
{
"text": "How could an intruder harm the security goal of integrity?",
"solutions": {
"1": "By changing the names and emails of one or more users stored in a database.",
"2": "By listening to incoming and outgoing network traffic.",
"3": "By bypassing the access control mechanisms used to manage database access.",
"4": "Integrity can only be harmed when the intruder has physical access to the database."
}
},
{
"text": "How could an intruder harm the security goal of availability?",
"solutions": {
"1": "By exploiting a software bug that allows the attacker to bypass the normal authentication mechanisms for a database.",
"2": "By redirecting sensitive emails to other individuals.",
"3": "Availability can only be harmed by unplugging the power supply of the storage devices.",
"4": "By launching a denial of service attack on the servers."
}
},
{
"text": "What happens if at least one of the CIA security goals is harmed?",
"solutions": {
"1": "All three goals must be harmed for the system's security to be compromised; harming just one goal has no effect on the system's security.",
"2": "The system's security is compromised even if only one goal is harmed.",
"3": "It is acceptable if an attacker reads or changes data since at least some of the data is still available. The system's security is compromised only if its availability is harmed.",
"4": "It is acceptable if an attacker changes data or makes it unavailable, but reading sensitive data is not tolerable. The system's security is compromised only if its confidentiality is harmed."
}
}
]
}

3
src/main/resources/lessons/client_side_filtering/css/clientSideFiltering-stage1.css Normal file
View File

@ -0,0 +1,3 @@
#lesson_wrapper {height: 435px;width: 500px;}
#lesson_header {background-image: url(../images/lesson1_header.jpg); width: 490px;padding-right: 10px;padding-top: 60px;background-repeat: no-repeat;}
.lesson_workspace {background-image: url(../images/lesson1_workspace.jpg); width: 490px;height: 325px;padding-left: 10px;padding-top: 10px;background-repeat: no-repeat;}

33
src/main/resources/lessons/client_side_filtering/css/clientSideFilteringFree.css Normal file
View File

@ -0,0 +1,33 @@
ul > li{margin-right:25px;font-weight:lighter;cursor:pointer}
li.active{border-bottom:3px solid silver;}
.item-photo{display:flex;justify-content:center;align-items:center;border-right:1px solid #f6f6f6;}
.menu-items{list-style-type:none;font-size:11px;display:inline-flex;margin-bottom:0px;margin-top:20px}
.btn-success{width:100%;border-radius:0px;}
.section{width:100%;margin-left:-15px;padding:2px;padding-left:15px;padding-right:15px;background:#f8f9f9}
.title-price{margin-top:30px;margin-bottom:0px;color:black}
.title-attr{margin-top:0px;margin-bottom:0px;color:black;}
.btn-minus{cursor:pointer;font-size:7px;display:flex;align-items:center;padding:5px;padding-left:10px;padding-right:10px;border:1px solid gray;border-radius:2px;border-right:0px;}
.btn-plus{cursor:pointer;font-size:7px;display:flex;align-items:center;padding:5px;padding-left:10px;padding-right:10px;border:1px solid gray;border-radius:2px;border-left:0px;}
div.section > div {width:100%;display:inline-flex;}
div.section > div > input {margin:0px;padding-left:5px;font-size:10px;padding-right:5px;max-width:18%;text-align:center;}
.attr,.attr2{cursor:pointer;margin-right:5px;height:20px;font-size:11px;padding:2px;border:1px solid gray;border-radius:2px;}
.attr.active,.attr2.active{ border:2px solid orange;}
@media (max-width: 426px) {
.container {margin-top:0px !important;}
.container > .row{padding:0px !important;}
.container > .row > .col-xs-12.col-sm-5{
padding-right:0px ;
}
.container > .row > .col-xs-12.col-sm-9 > div > p{
padding-left:0px !important;
padding-right:0px !important;
}
.container > .row > .col-xs-12.col-sm-9 > div > ul{
padding-left:10px !important;
}
.section{width:104%;}
.menu-items{padding-left:0px;}
}

5
src/main/resources/lessons/client_side_filtering/documentation/ClientSideFiltering_assignment.adoc Normal file
View File

@ -0,0 +1,5 @@
== Salary manager
You are logged in as Moe Stooge, CSO of Goat Hills Financial. You have access to everyone in the company's information,
except the CEO, Neville Bartholomew. Or at least you should not have access to the CEO's information. For this assignment,
examine the page's contents to see what extra information you can find.

1
src/main/resources/lessons/client_side_filtering/documentation/ClientSideFiltering_final.adoc Normal file
View File

@ -0,0 +1 @@
No need to pay if you know the code ...

6
src/main/resources/lessons/client_side_filtering/documentation/ClientSideFiltering_plan.adoc Normal file
View File

@ -0,0 +1,6 @@
== Client side filtering
It is always a good practice to send only information to the client they are supposed
to have access to. In this lesson, too much information is being sent to the client, creating
a serious access control problem. For this exercise, your mission is to exploit the extraneous information returned
by the server to discover information to which you should not have access.

169
src/main/resources/lessons/client_side_filtering/html/ClientSideFiltering.html Normal file
View File

@ -0,0 +1,169 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/client_side_filtering/documentation/ClientSideFiltering_plan.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/client_side_filtering/documentation/ClientSideFiltering_assignment.adoc"></div>
<br/>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<input type="hidden" id="user_id" value="102"/>
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
<form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form"
action="/WebGoat/clientSideFiltering/attack1">
<link rel="stylesheet" type="text/css"
th:href="@{/lesson_css/clientSideFiltering-stage1.css}"/>
<script th:src="@{/lesson_js/clientSideFiltering.js}"
language="JavaScript"></script>
<input id="userID" value="101" name="userID" type="HIDDEN"/>
<div id="lesson_wrapper">
<div id="lesson_header"></div>
<div class="lesson_workspace"><br/><br/>
<p>Select user: <select id="UserSelect" onfocus="fetchUserData()" name="UserSelect"
onchange="selectUser()">
<option value="0" label="Choose Employee">Choose Employee</option>
<option value="101" label="Larry Stooge">Larry Stooge</option>
<option value="103" label="Curly Stooge">Curly Stooge</option>
<option value="104" label="Eric Walker">Eric Walker</option>
<option value="105" label="Tom Cat">Tom Cat</option>
<option value="106" label="Jerry Mouse">Jerry Mouse</option>
<option value="107" label="David Giambi">David Giambi</option>
<option value="108" label="Bruce McGuirre">Bruce McGuirre</option>
<option value="109" label="Sean Livingston">Sean Livingston</option>
<option value="110" label="Joanne McDougal">Joanne McDougal</option>
</select></p>
<p></p>
<table style="display: none" id="hiddenEmployeeRecords" align="center" border="1"
cellpadding="2"
cellspacing="0" width="90%">
<div>
</div>
</table>
<table align="center" border="1" cellpadding="2" cellspacing="0" width="90%">
<tbody>
<tr>
<td>User ID</td>
<td>First Name</td>
<td>Last Name</td>
<td>SSN</td>
<td>Salary</td>
</tr>
<tr id="employeeRecord"></tr>
</tbody>
</table>
</div>
</div>
<table cellpadding="2" cellspacing="0">
<tbody>
<tr>
<td>What is Neville Bartholomew's salary?</td>
<td><input id="answer" name="answer" value="" type="TEXT"/></td>
<td align="LEFT"><input name="SUBMIT" value="Submit Answer" type="SUBMIT"/></td>
</tr>
</tbody>
</table>
</form>
<!-- do not remove the two following div's, this is where your feedback/output will land -->
<div class="attack-feedback"></div>
<div class="attack-output"></div>
<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
</div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/client_side_filtering/documentation/ClientSideFiltering_final.adoc"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/clientSideFilteringFree.css}"/>
<script th:src="@{/lesson_js/clientSideFilteringFree.js}" language="JavaScript"></script>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container-fluid">
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/clientSideFiltering/getItForFree">
<input id="discount" type="hidden" value="0"/>
<div class="row">
<div class="col-xs-3 item-photo">
<img style="max-width:100%;" th:src="@{/images/samsung-black.jpg}"/>
</div>
<div class="col-xs-5" style="border:0px solid gray">
<h3>Samsung Galaxy S8</h3>
<h5 style="color:#337ab7"><a href="http://www.samsung.com">Samsung</a> ·
<small style="color:#337ab7">(124421 reviews)</small>
</h5>
<h6 class="title-price">
<small>PRICE</small>
</h6>
<h3 style="margin-top:0px;"><span>US $</span><span id="price">899</span></h3>
<div class="section">
<h6 class="title-attr" style="margin-top:15px;">
<small>COLOR</small>
</h6>
<div>
<div class="attr" style="width:25px;background:lightgrey;"></div>
<div class="attr" style="width:25px;background:black;"></div>
</div>
</div>
<div class="section" style="padding-bottom:5px;">
<h6 class="title-attr">
<small>CAPACITY</small>
</h6>
<div>
<div class="attr2">64 GB</div>
<div class="attr2">128 GB</div>
</div>
</div>
<div class="section" style="padding-bottom:5px;">
<h6 class="title-attr">
<small>QUANTITY</small>
</h6>
<div>
<div class="btn-minus"><span class="glyphicon glyphicon-minus"></span></div>
<input class="quantity" value="1"/>
<div class="btn-plus"><span class="glyphicon glyphicon-plus"></span></div>
</div>
</div>
<div class="section" style="padding-bottom:5px;">
<h6 class="title-attr">
<small>CHECKOUT CODE</small>
</h6>
<!--
Checkout code: webgoat, owasp, owasp-webgoat
-->
<input name="checkoutCode" class="checkoutCode" value=""/>
</div>
<div class="section" style="padding-bottom:20px;">
<button type="submit" class="btn btn-success"><span style="margin-right:20px"
class="glyphicon glyphicon-shopping-cart"
aria-hidden="true"></span>Buy
</button>
<h6><a href="#"><span class="glyphicon glyphicon-heart-empty"
style="cursor:pointer;"></span>
Like</a></h6>
</div>
</div>
</div>
</form>
</div>
<br/>
<br/>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</html>

32
src/main/resources/lessons/client_side_filtering/i18n/WebGoatLabels.properties Normal file
View File

@ -0,0 +1,32 @@
client.side.filtering.title=Client side filtering
ClientSideFilteringSelectUser=Select user:
ClientSideFilteringUserID=User ID
ClientSideFilteringFirstName=First Name
ClientSideFilteringLastName=Last Name
ClientSideFilteringSSN=SSN
ClientSideFilteringSalary=Salary
ClientSideFilteringErrorGenerating=Error generating
ClientSideFilteringStage1Complete=Stage 1 completed.
ClientSideFilteringStage1Question=What is Neville Bartholomew's salary?
ClientSideFilteringStage1SubmitAnswer=Submit Answer
ClientSideFilteringStage2Finish=Click here when you believe you have completed the lesson.
ClientSideFilteringChoose=Choose employee
ClientSideFilteringHint1=The information displayed when an employee is chosen from the drop down menu is stored on the client side.
ClientSideFilteringHint2=Use Firebug to find where the information is stored on the client side.
ClientSideFilteringHint3=Examine the hidden table to see if there is anyone listed who is not in the drop down menu.
ClientSideFilteringHint4=Look in the last row of the hidden table.
ClientSideFilteringHint5a=Stage 1: You can access the server directly
ClientSideFilteringHint5b=here
ClientSideFilteringHint5c=to see what results are being returned
ClientSideFilteringHint6=Stage 2: The server uses an XPath query against an XML database.
ClientSideFilteringHint7=Stage 2: The query currently returns all of the contents of the database.
ClientSideFilteringHint8=Stage 2: The query should only return the information of employees who are managed by Moe Stooge, whose userID is 102
ClientSideFilteringHint9=Stage 2: Try using a filter operator.
ClientSideFilteringHint10=Stage 2: Your filter operator should look something like: [Managers/Manager/text()=
ClientSideFilteringInstructions1=STAGE 1: You are logged in as Moe Stooge, CSO of Goat Hills Financial. You have access to everyone in the company's information, except the CEO, . Or at least you shouldn't have access to the CEO's information. For this exercise, examine the contents of the page to see what extra information you can find.
ClientSideFilteringInstructions2=STAGE 2: Now, fix the problem. Modify the server to only return results that Moe Stooge is allowed to see.
ClientSideFiltering.incorrect=This is not the salary from Neville Bartholomew...
client.side.filtering.free.hint1=Look through the web page inspect the sources etc
client.side.filtering.free.hint2=Try to see the flow of request from the page to the backend
client.side.filtering.free.hint3=One of the responses contains the answer

BIN
src/main/resources/lessons/client_side_filtering/images/lesson1_header.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 44 KiB

BIN
src/main/resources/lessons/client_side_filtering/images/lesson1_workspace.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 23 KiB

BIN
src/main/resources/lessons/client_side_filtering/images/samsung-black.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 12 KiB

BIN
src/main/resources/lessons/client_side_filtering/images/samsung-grey.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 11 KiB

42
src/main/resources/lessons/client_side_filtering/js/clientSideFiltering.js Normal file
View File

@ -0,0 +1,42 @@
var dataFetched = false;
function selectUser() {
var newEmployeeID = $("#UserSelect").val();
document.getElementById("employeeRecord").innerHTML = document.getElementById(newEmployeeID).innerHTML;
}
function fetchUserData() {
if (!dataFetched) {
dataFetched = true;
ajaxFunction(document.getElementById("userID").value);
}
}
function ajaxFunction(userId) {
$.get("clientSideFiltering/salaries?userId=" + userId, function (result, status) {
var html = "<table border = '1' width = '90%' align = 'center'";
html = html + '<tr>';
html = html + '<td>UserID</td>';
html = html + '<td>First Name</td>';
html = html + '<td>Last Name</td>';
html = html + '<td>SSN</td>';
html = html + '<td>Salary</td>';
for (var i = 0; i < result.length; i++) {
html = html + '<tr id = "' + result[i].UserID + '"</tr>';
html = html + '<td>' + result[i].UserID + '</td>';
html = html + '<td>' + result[i].FirstName + '</td>';
html = html + '<td>' + result[i].LastName + '</td>';
html = html + '<td>' + result[i].SSN + '</td>';
html = html + '<td>' + result[i].Salary + '</td>';
html = html + '</tr>';
}
html = html + '</tr></table>';
var newdiv = document.createElement("div");
newdiv.innerHTML = html;
var container = document.getElementById("hiddenEmployeeRecords");
container.appendChild(newdiv);
});
}

64
src/main/resources/lessons/client_side_filtering/js/clientSideFilteringFree.js Normal file
View File

@ -0,0 +1,64 @@
$(document).ready(function () {
//-- Click on detail
$("ul.menu-items > li").on("click", function () {
$("ul.menu-items > li").removeClass("active");
$(this).addClass("active");
})
$(".attr,.attr2").on("click", function () {
var clase = $(this).attr("class");
$("." + clase).removeClass("active");
$(this).addClass("active");
})
//-- Click on QUANTITY
$(".btn-minus").on("click", function () {
var now = $(".quantity").val();
if ($.isNumeric(now)) {
if (parseInt(now) - 1 > 0) {
now--;
}
$(".quantity").val(now);
$('#price').text(now * 899);
} else {
$(".quantity").val("1");
$('#price').text(899);
}
calculate();
})
$(".btn-plus").on("click", function () {
var now = $(".quantity").val();
if ($.isNumeric(now)) {
$(".quantity").val(parseInt(now) + 1);
} else {
$(".quantity").val("1");
}
calculate();
})
$(".checkoutCode").on("blur", function () {
var checkoutCode = $(".checkoutCode").val();
$.get("clientSideFiltering/challenge-store/coupons/" + checkoutCode, function (result, status) {
var discount = result.discount;
if (discount > 0) {
$('#discount').text(discount);
calculate();
} else {
$('#discount').text(0);
calculate();
}
});
})
function calculate() {
var d = $('#discount').text();
var price = $('#price').val();
var quantity = parseInt($(".quantity").val());
if (d > 0) {
$('#price').text((quantity * (899 - (899 * d / 100))).toFixed(2));
} else {
$('#price').text(quantity * 899);
}
}
})

84
src/main/resources/lessons/client_side_filtering/lessonSolutions/en/ClientSideFiltering.html Normal file
View File

@ -0,0 +1,84 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Client Side Filtering</title>
<link rel="stylesheet" type="text/css" href="formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> Client Side Filtering</p>
<p><b>Concept / Topic To Teach:</b><br/>
It is always a good practice to send to the client
only information which they are supposed to have access to.
In this lesson, too much information is being sent to the
client, creating a serious access control problem.
</p>
<p><b>General Goal(s):</b><br/>
For this exercise, your mission is exploit the extraneous
information being returned by the server to discover information
to which you should not have access.
</p>
<b>Solution:</b><br/>
<p>
This Lab consists of two Stages. In the first Stage you have to
get sensitive information . In the second one you have to fix the problem.<br/>
</p>
<b>Stage 1</b>
<p>
Use Firebug to solve this stage. If you are using IE you can try it with
IEWatch.</p>
First use any person from the list and see what you get. After doing this you
can search for a specific person in Firebug. Make sure you find the hidden table with
the information, including the salary and so on. In the same table you will find
Neville.
<img src="ClientSideFiltering_files/clientside_firebug.jpg" alt="Clientside Filtering" /><br>
<font size="2"><b>Inspect HTML on Firebug</b></font>
<p>
Now write the salary into the text edit box and submit your answer!
</p>
<b>Stage 2</b>
<p>
In this stage you have to modify the clientSideFiltering.jsp which you will find under
the WebContent in the lessons/Ajax folder. The Problem is that
the server sends all information to the client. As you could see
even if it is hidden it is easy to find the sensitive date. In this
stage you will add a filter to the XPath queries. In this file you will find
following construct:<br><br></p>
<code>
StringBuffer sb = new StringBuffer();<br>
sb.append("/Employees/Employee/UserID | ");<br>
sb.append("/Employees/Employee/FirstName | ");<br>
sb.append("/Employees/Employee/LastName | ");<br>
sb.append("/Employees/Employee/SSN | ");<br>
sb.append("/Employees/Employee/Salary ");<br>
String expression = sb.toString();<br>
</code>
<p>
This string will be used for the XPath query. You have to guarantee that a manger only
can see employees which are working for him. To archive this you can use
filters in XPath. Following code will exactly do this:</p>
<code>
StringBuffer sb = new StringBuffer();<br>
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/UserID | ");<br>
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/FirstName | ");<br>
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/LastName | ");<br>
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/SSN | ");<br>
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/Salary ");<br>
String expression = sb.toString();<br>
</code>
<p>
Now only information is sent to your client you are authorized for. You can click on the button.
</p>
</body>
</html>

BIN
src/main/resources/lessons/client_side_filtering/lessonSolutions/en/ClientSideFiltering_files/clientside_firebug.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 22 KiB

29
src/main/resources/lessons/cryptography/documentation/Crypto_plan.adoc Normal file
View File

@ -0,0 +1,29 @@
= Cryptography Basics
== Concept
This lesson explains different types of cryptography techniques that are commonly used in web applications.
== Goals
The goal is to get familiar with the following forms of techniques:
* link:start.mvc#lesson/Crypto.lesson/1[Encoding]
* link:start.mvc#lesson/Crypto.lesson/3[Hashing]
* link:start.mvc#lesson/Crypto.lesson/4[Encryption]
* link:start.mvc#lesson/Crypto.lesson/5[Signing]
* link:start.mvc#lesson/Crypto.lesson/6[Keystores]
* link:start.mvc#lesson/Crypto.lesson/7[Security defaults]
* link:start.mvc#lesson/Crypto.lesson/8[Post quantum crypto]
=== Assignments
After the explanation of an item there will be several assignments.

33
src/main/resources/lessons/cryptography/documentation/defaults.adoc Normal file
View File

@ -0,0 +1,33 @@
= Security defaults
A big problem in all kinds of systems is the use of default configurations.
E.g. default username/passwords in routers, default passwords for keystores, default unencrypted mode, etc.
== Java cacerts
Did you ever *_changeit_*? Putting a password on the cacerts file has some implications. It is important when the trusted certificate authorities need to be protected and an unknown self signed certificate authority cannot be added too easily.
== Protecting your id_rsa private key
Are you using an ssh key for GitHub and or other sites and are you leaving it unencrypted on your disk? Or even on your cloud drive? By default, the generation of an ssh key pair leaves the private key unencrypted. Which makes it easy to use and if stored in a place where only you can go, it offers sufficient protection. However, it is better to encrypt the key. When you want to use the key, you would have to provide the password again.
== SSH username/password to your server
When you are getting a virtual server from some hosting provider, there are usually a lot of not so secure defaults. One of which is that ssh to the server runs on the default port 22 and allows username/password attempts. One of the first things you should do, is to change the configuration that you cannot ssh as user root, and you cannot ssh using username/password, but only with a valid and strong ssh key. If not, then you will notice continuous brute force attempts to login to your server.
== Assignment
In this exercise you need to retrieve a secret that has accidentally been left inside a docker container image. With this secret, you can decrypt the following message: *U2FsdGVkX199jgh5oANElFdtCxIEvdEvciLi+v+5loE+VCuy6Ii0b+5byb5DXp32RPmT02Ek1pf55ctQN+DHbwCPiVRfFQamDmbHBUpD7as=*.
You can decrypt the message by logging in to the running container (docker exec ...) and getting access to the password file located in /root. Then use the openssl command inside the container (for portability issues in openssl on Windows/Mac/Linux)
You can find the secret in the following docker image, which you can start as:
docker run -d webgoat/assignments:findthesecret
[source]
----
echo "U2FsdGVkX199jgh5oANElFdtCxIEvdEvciLi+v+5loE+VCuy6Ii0b+5byb5DXp32RPmT02Ek1pf55ctQN+DHbwCPiVRfFQamDmbHBUpD7as=" | openssl enc -aes-256-cbc -d -a -kfile ....
----

26
src/main/resources/lessons/cryptography/documentation/encoding_plan.adoc Normal file
View File

@ -0,0 +1,26 @@
= Cryptography Basics
== Base64 Encoding
Encoding is not realy cryptography, but it is used a lot in all kinds of standards around cryptographic functions. Especially Base64 encoding.
Base64 encoding is a technique used to transform all kinds of bytes to a specific range of bytes. This specific range is the ASCII readable bytes.
This way you can transfer binary data such as secret or private keys more easily. You could even print these out or write them down.
Encoding is also reversible. So if you have the encoded version, you can create the original version.
On wikipedia you can find more details. Basically it goes through all the bytes and transforms each set of 6 bits into a readable byte (8 bits). The result is that the size of the encoded bytes is increased with about 33%.
Hello ==> SGVsbG8=
0x4d 0x61 ==> TWE=
=== Basic Authentication
Basic authentication is sometimes used by web applications. This uses base64 encoding. Therefore, it is important to at least use Transport Layer Security (TLS or more commonly known as https) to protect others from reading the username password that is sent to the server.
$echo -n "myuser:mypassword" | base64
bXl1c2VyOm15cGFzc3dvcmQ=
The HTTP header will look like:
Authorization: Basic bXl1c2VyOm15cGFzc3dvcmQ=

25
src/main/resources/lessons/cryptography/documentation/encoding_plan2.adoc Normal file
View File

@ -0,0 +1,25 @@
= Cryptography Basics
== Other Encoding
Also other encodings are used.
=== URL encoding
URL encoding is used a lot when sending form data and request parameters to the server. Since spaces are not allowed in a URL, this is then replaced by %20. Similar replacements are made for other characters.
=== HTML encoding
HTML encoding ensures that text is displayed as-is in the browser and not interpreted by the browser as HTML.
=== UUEncode
The Unix-2-Unix encoding has been used to send email attachments.
=== XOR encoding
Sometimes encoding is used as a first and simple obfuscation technique for storing passwords. IBM WebSphere Application Server e.g. uses a specific implementation of XOR encoding to store passwords in configuration files. IBM recommends to protect access to these files and to replace the default XOR encoding by your own custom encryption. However when these recommendations are not followed, these defaults can become a vulnerability.
== Assignment
Now let's see if you are able to find out the original password from this default XOR encoded string.

32
src/main/resources/lessons/cryptography/documentation/encryption.adoc Normal file
View File

@ -0,0 +1,32 @@
= Encryption
== Symmetric encryption
Symmetric encryption is based on a shared secret that is used for both encryption as well as decryption. Therefore, both parties (that are involved in exchanging secrets) share the same key.
Example protocols are:
* AES
* 3DES
== Asymmetric encryption
Asymmetric encryption is based on mathematical principles that consist of a key pair. The two keys are usually called a private key and a public key. The private key needs to be protected very well and is only known to one party. All others can freely use the public key. Something encrypted with the private key can be decrypted by all that have the public key, and something encrypted with the public key can only be decrypted with the private key.
Example protocols are:
* RSA
* DSA
== HTTPS uses both symmetric and asymmetric keys
Here is a short description of what happens if you open your browser and go to an https site.
* Your browser connects to the server and gets the webserver certificate
* Your browser checks if it trusts the certificate issuer by checking if the issuer certificate is in its trust store. This trust store is managed by operating system and browser updates. And on some corporate networks it is managed by the company. From the certificate the browser obtains the public key.
* The browser now generates random bytes to be used to generate a symmetric key and encrypts this with the public key of the server. So only the server can decrypt it.
* At the end of this process both the browser and the webserver will use the exchanged symmetric key (in the asymmetric key exchange process) to encrypt and decrypt messages that are sent back and forth between the browser and the webserver.
Symmetric keys are used because it can be used more easily with large sets of data and requires less processing power in doing so. However, the information on these pages is just for a basic understanding of cryptography. Look on the internet for more detailed information about these topics.

20
src/main/resources/lessons/cryptography/documentation/hashing_plan.adoc Normal file
View File

@ -0,0 +1,20 @@
= Cryptography Basics
== Plain Hashing
Hashing is a type of cryptography which is mostly used to detect if the original data has been changed. A hash is generated from the original data. It is based on irreversible cryptographic techniques.
If the original data is changed by even one byte, the resulting hash is also different.
So in a way it looks like a secure technique. However, it is NOT and even NEVER a good solution when using it for passwords. The problem here is that you can generate passwords from dictionaries and calculate all kinds of variants from these passwords. For each password you can calculate a hash. This can all be stored in large databases. So whenever you find a hash that could be a password, you just look up the hash in the database and find out the password.
Some hashing algorithms should no longer be used: MD5, SHA-1
For these hashes it is possible to change the payload in such a way that it still results in the same hash. This takes a lot of computing power, but is still a feasible option.
== Salted Hashes
Plain passwords should obviously not be stored in a database. And the same goes for plain hashes.
The https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html[OWASP Password Storage Cheat Sheet,window=_blank] explains what should be used when password related information needs to be stored securely.
== Assignment
Now let's see if you can find what passwords matches which plain (unsalted) hashes.

35
src/main/resources/lessons/cryptography/documentation/keystores.adoc Normal file
View File

@ -0,0 +1,35 @@
= Keystores &amp; Truststores
A keystore is a place where you store keys. Besides *_keystore_* the term *_truststore_* is also used frequently. A truststore is the same thing as a keystore. Only it usually contains only the certificates (so basically only public keys and issuer information) of trusted certificates or certificate authorities.
== File based keystores
A file based keystore is something that in the end has the keys on a file system.
Storing public certificates in a file based keystore is very common
== Database keystores
Keys and especially public certificates can of course also be stored in a database.
== Hardware keystore
A hardware keystore is a system that has some sort of hardware which contain the actual keys.
This is typically done in high end security environments where the private key is really private.
In comparison with file based or database keystores, it is impossible to make a copy of the keystore to send it to some unknown and untrusted environment.
Some certificate authorities that are used to provide you with a server certificate for your website, also create the private keys for you (as-a-service). However, it is by definition no longer considered a private key. For all keystore types, you should keep the private key private and use a certificate signing request to order your signing or server certificates.
== Managed keystores in operating system, browser and other applications
When you visit a website and your browser says that the certificates are fine, it means that the certificate used for the website is issued by a trusted certificate authority. But this list of trusted certificate authorites is managed. Some CA's might be revoked or removed. These updates happen in the background when browser updates are installed.
Not only the browser maitains a list of trusted certificate authorities, the operation system does so as well. And the Java runtime also has its own list which is kept in the cacerts file. Updates of the OS and Java JRE keep this list up to date. In coporate environments, these are usually maintained by the company and also contain company root certificates.
== Extra check for website certificates using DNS CAA records
Some companies inspect all or most internet traffic. Even the ones were you think you have an end-2-end secured connection. This works as follows. An employee opens a browser and googles some information. The browser will use https and go to the site of google. The link looks real and the lock is shown in the browser. However, if you would inspect the certificate, you might notice that it has been issued by one of your companies root CA's! So you have established an end-2-end secure connection with a server of your company, and that server has the secure connection with google.
In order to prevent such man in the middle connections to your server, modern browsers now will also check the DNS CAA records to see whether or not a certain issuer is allowed for a certain website.
More information: https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization[Wiki DNS CAA,window=_blank]
== Free certificates from Let's encrypt
https://letsencrypt.org[Let's encrypt,,window=_blank] is a free, automated and open Certificate Authority. It allows you to create valid certificates for the websites that you control. By following and implementing a certain protocol, your identity is checked and a certificate will be issued. The certificates are free of charge and this is done to stimulate the use of authorised certificates and to lower the use of self-signed certificates on the internet. Certificates are valid for 90 days, so they need to be automatically renewed. (Which makes sure that the proof of identity/ownership also takes place frequently)

7
src/main/resources/lessons/cryptography/documentation/postquantum.adoc Normal file
View File

@ -0,0 +1,7 @@
= Post Quantum
== Post quantum cryptography
Quantum computers are here and getting more power in available qubits each year. Quantum computers are and will be capable of decrypting information that was encrypted with algorithms that were thought to be safe. For some years now, a lot of encrypted communicatation using quantum vulnerable cryptoraphy is being recorded. This information will be decrypted when the quantum computers are powerful enough. Even though the information may be old, it still could contain valuable information that can be misused. Besides the fact that some private information will be known to parties it was not intended for.
Mathematics has answers for the post quantum era. New cryptography is already available and should be used NOW in order to minimize threats. You can read more on this on Wikipedia: https://en.wikipedia.org/wiki/Post-quantum_cryptography[Post quatum on Wikipedia,window=_blank]

40
src/main/resources/lessons/cryptography/documentation/signing.adoc Normal file
View File

@ -0,0 +1,40 @@
= Signing
A signature is a hash that can be used to check the validity of some data. The signature can be supplied separately from the data that it validates, or in the case of CMS or SOAP can be included in the same file. (Where parts of that file contain the data and parts contain the signature).
Signing is used when integrity is important. It is meant to be a guarantee that data sent from Party-A to Party-B was not altered. So Party-A signs the data by calculating the hash of the data and encrypting that hash using an asymmetric private key. Party-B can then verify the data by calculating the hash of the data and decrypting the signature to compare if both hashes are the same.
== RAW signatures
A raw signature is usually calculated by Party-A as follows:
* create a hash of the data (e.g. SHA-256 hash)
* encrypt the hash using an asymmetric private key (e.g. RSA 2048 bit key)
* (optionally) encode the binary encrypted hash using base64 encoding
Party-B will have to get the certificate with the public key as well. This might have been exchanged before. So at least 3 files are involved: the data, the signature and the certificate.
== CMS signatures
A CMS signature is a standardized way to send data + signature + certificate with the public key all in one file from Party-A to Party-B. As long as the certificate is valid and not revoked, Party-B can use the supplied public key to verify the signature.
== SOAP signatures
A SOAP signature also contains data and the signature and optionally the certificate. All in one XML payload. There are special steps involved in calculating the hash of the data. This has to do with the fact that the SOAP XML sent from system to system might introduce extra elements or timestamps.
Also, SOAP Signing offers the possibility to sign different parts of the message by different parties.
== Email signatures
Sending emails is not very difficult. You have to fill in some data and send it to a server that forwards it, and eventually it will end up at its destination. However, it is possible to send emails with a FROM field that is not your own email address. In order to guarantee to your receiver that you really sent this email, you can sign your email. A trusted third party will check your identity and issue an email signing certificate. You install the private key in your email application and configure it to sign emails that you send out. The certificate is issued on a specific email address and all others that receive this email will see an indication that the sender is verified, because their tools will verify the signature using the public certificate that was issued by the trusted third party.
== PDF or Word or other signatures
Adobe PDF documents and Microsoft Word documents are also examples of things that support signing. The signature is also inside the same document as the data so there is some description on what is part of the data and what is part of the metadata.
Governments usually send official documents with a PDF that contains a certificate.
== Assignment
Here is a simple assignment. A private RSA key is sent to you. Determine the modulus of the RSA key as a hex string, and calculate a signature for that hex string using the key. The exercise requires some experience with OpenSSL. You can search on the Internet for useful commands and/or use the HINTS button to get some tips.

129
src/main/resources/lessons/cryptography/html/Cryptography.html Normal file
View File

@ -0,0 +1,129 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<header>
<script>
/**
* JavaScript to load initial assignment tokens
*/
function initialise() {
$("#sha256token").load('/WebGoat/crypto/hashing/sha256');
$("#md5token").load('/WebGoat/crypto/hashing/md5');
$("#basicauthtoken").load('/WebGoat/crypto/encoding/basic');
$("#privatekey").load('/WebGoat/crypto/signing/getprivate');
}
$(document).ready(initialise);
</script>
</header>
<body>
<!-- 1. overview -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/Crypto_plan.adoc"></div>
</div>
<!-- 2. encoding -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/encoding_plan.adoc"></div>
<!-- 2. assignment -->
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
Now suppose you have intercepted the following header:<br/>
<div id="basicauthtoken" ></div><br/>
<form class="attack-form" method="POST" name="form" action="/WebGoat/crypto/encoding/basic-auth">
Then what was the username
<input name="answer_user" value="" type="TEXT"/>
and what was the password:
<input name="answer_pwd" value="" type="TEXT"/>
<input name="SUBMIT" value="post the answer" type="SUBMIT"/>
</form>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
<!-- 3. encoding xor -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/encoding_plan2.adoc"></div>
<!-- 3. assignment xor -->
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" method="POST" name="form" action="/WebGoat/crypto/encoding/xor">
Suppose you found the database password encoded as {xor}Oz4rPj0+LDovPiwsKDAtOw==<br/>
What would be the actual password
<input name="answer_pwd1" value="" type="TEXT"/><br/>
<input name="SUBMIT" value="post the answer" type="SUBMIT"/>
</form>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
<!-- 4. hashing -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/hashing_plan.adoc"></div>
<!-- 4. weak hashing exercise -->
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" method="POST" name="form" action="/WebGoat/crypto/hashing">
Which password belongs to this hash: <div id="md5token" ></div>
<input name="answer_pwd1" value="" type="TEXT"/><br/>
Which password belongs to this hash: <div id="sha256token" ></div>
<input name="answer_pwd2" value="" type="TEXT"/>
<input name="SUBMIT" value="post the answer" type="SUBMIT"/>
</form>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
<!-- 5. encryption -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/encryption.adoc"></div>
</div>
<!-- 6. signing -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/signing.adoc"></div>
<!-- 6. assignment -->
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
Now suppose you have the following private key:<br/>
<pre><div id="privatekey" ></div></pre><br/>
<form class="attack-form" method="POST" name="form" action="/WebGoat/crypto/signing/verify">
Then what was the modulus of the public key
<input name="modulus" value="" type="TEXT"/>
and now provide a signature for us based on that modulus
<input name="signature" value="" type="TEXT"/>
<input name="SUBMIT" value="post the answer" type="SUBMIT"/>
</form>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
<!-- 7. keystores -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/keystores.adoc"></div>
</div>
<!-- 8. security defaults -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/defaults.adoc"></div>
<!-- 8. assignment -->
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" method="POST" name="form" action="/WebGoat/crypto/secure/defaults">
What is the unencrypted message<br/>
<input name="secretText" value="" type="TEXT"/><br/>
and what is the name of the file that stored the password <br/>
<input name="secretFileName" value="" type="TEXT"/>
<input name="SUBMIT" value="post the answer" type="SUBMIT"/>
</form>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
<!-- 9. postquantum -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/postquantum.adoc"></div>
</div>
</body>
</html>

32
src/main/resources/lessons/cryptography/i18n/WebGoatLabels.properties Normal file
View File

@ -0,0 +1,32 @@
6.crypto.title=Crypto Basics
crypto-encoding.empty=Try again, did you decode it properly?
crypto-encoding.success=Congratulations. That was easy, right?
crypto-hashing.empty=Try again.
crypto-hashing.oneok=Try again. You got 1 right.
crypto-hashing.success=Congratulations. You found it!
crypto-hashing.hints.1=Guess the type of hashing from the length of the hash.
crypto-hashing.hints.2=Find a online hash database or just google on the hash itself.
crypto-signing.hints.1=Use openssl to get the public key from the private key. Apparently both private and public key information are stored.
crypto-signing.hints.2=Use the private key to sign the "modulus" value of the public key.
crypto-signing.hints.3=Actually the "modulus" of the public key is the same as the private key. You could use openssl rsa -in test.key -pubout > test.pub and then openssl rsa -in test.pub -pubin -modulus -noout or other components.
crypto-signing.hints.4=Make sure that you do not take hidden characters into account. You might want to use echo -n "00AE89..." | openssl dgst -sign somekey -sha256 ... and do not forget to base64 encode the outcome
crypto-signing.notok=The signature does not match the data (modulus)
crypto-signing.modulusnotok=The modulus is not correct
crypto-signing.success=Congratulations. You found it!
crypto-encoding-xor.empty=Try again. This is not right
crypto-encoding-xor.success=Congratulations.
crypto-encoding-xor.hints.1=Did you look for online decoders for WebSphere encoded password?
crypto-secure-defaults.hints.1=After starting the docker container enter the container using docker exec -ti _dockerid_ /bin/bash
crypto-secure-defaults.hints.2=Try to gain access to /root. Try to become user root by su -
crypto-secure-defaults.hints.3=Try to change the /etc/shadow file using docker cp
crypto-secure-defaults.success=Congratulations, you did it!
crypto-secure-defaults.messagenotok=The unencrypted message is not correct, try again. The filename of the password file is correct.
crypto-secure-defaults.notok=Try again or read some of the hints.

75
src/main/resources/lessons/csrf/css/reviews.css Normal file
View File

@ -0,0 +1,75 @@
/* Component: Posts */
.post .post-heading {
height: 95px;
padding: 20px 15px;
}
.post .post-heading .avatar {
width: 60px;
height: 60px;
display: block;
margin-right: 15px;
}
.post .post-heading .meta .title {
margin-bottom: 0;
}
.post .post-heading .meta .title a {
color: black;
}
.post .post-heading .meta .title a:hover {
color: #aaaaaa;
}
.post .post-heading .meta .time {
margin-top: 8px;
color: #999;
}
.post .post-image .image {
width:20%;
height: 40%;
}
.post .post-description {
padding: 5px;
}
.post .post-footer {
border-top: 1px solid #ddd;
padding: 15px;
}
.post .post-footer .input-group-addon a {
color: #454545;
}
.post .post-footer .comments-list {
padding: 0;
margin-top: 20px;
list-style-type: none;
}
.post .post-footer .comments-list .comment {
display: block;
width: 100%;
margin: 20px 0;
}
.post .post-footer .comments-list .comment .avatar {
width: 35px;
height: 35px;
}
.post .post-footer .comments-list .comment .comment-heading {
display: block;
width: 100%;
}
.post .post-footer .comments-list .comment .comment-heading .user {
font-size: 14px;
font-weight: bold;
display: inline;
margin-top: 0;
margin-right: 10px;
}
.post .post-footer .comments-list .comment .comment-heading .time {
font-size: 12px;
color: #aaa;
margin-top: 0;
display: inline;
}
.post .post-footer .comments-list .comment .comment-body {
margin-left: 50px;
}
.post .post-footer .comments-list .comment > .comments-list {
margin-left: 50px;
}

Some files were not shown because too many files have changed in this diff Show More