dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Refactoring (#1201)

Browse Source 
* Some initial refactoring

* Make it one application

* Got it working

* Fix problem on Windows

* Move WebWolf

* Move first lesson

* Moved all lessons

* Fix pom.xml

* Fix tests

* Add option to initialize a lesson

This way we can create content for each user inside a lesson. The initialize method will be called when a new user is created or when a lesson reset happens

* Clean up pom.xml files

* Remove fetching labels based on language.

We only support English at the moment, all the lesson explanations are written in English which makes it very difficult to translate. If we only had labels it would make sense to support multiple languages

* Fix SonarLint issues

* And move it all to the main project

* Fix for documentation paths

* Fix pom warnings

* Remove PMD as it does not work

* Update release notes about refactoring

Update release notes about refactoring

Update release notes about refactoring

* Fix lesson template

* Update release notes

* Keep it in the same repo in Dockerhub

* Update documentation to show how the connection is obtained.

Resolves: #1180

* Rename all integration tests

* Remove command from Dockerfile

* Simplify GitHub actions

Currently, we use a separate actions for pull-requests and branch build.
This is now consolidated in one action.
The PR action triggers always, it now only trigger when the PR is
opened and not in draft.
Running all platforms on a branch build is a bit too much, it is better
 to only run all platforms when someone opens a PR.

* Remove duplicate entry from release notes

* Add explicit registry for base image

* Lesson scanner not working when fat jar

When running the fat jar we have to take into account we
are reading from the jar file and not the filesystem. In
this case you cannot use `getFile` for example.

* added info in README and fixed release docker

* changed base image and added ignore file

Co-authored-by: Zubcevic.com <rene@zubcevic.com>
This commit is contained in:
Nanne Baars
2022-04-09 14:56:12 +02:00
committed by GitHub
parent f3d8206a07
commit 711649924b
1130 changed files with 3540 additions and 7643 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
src/main/resources/lessons/cia/documentation/CIA_availability.adoc Normal file
View File

@ -0,0 +1,24 @@
== Availability
Availability is "the property of being accessible and usable on demand by an authorized entity." In other words, authorized persons should have access to permitted resources at all times.
{nbsp} +
=== Examples that compromise availability:
** denial-of-service attacks (DOS)
** hardware failures
** fire or other natural disasters
** software or network misconfigurations
{nbsp} +
=== Examples of methods ensuring availability
** intrusion detection systems (IDSs)
** network traffic control
** firewalls
** physical security of hardware and underlying infrastructure
*** protection against fire, water, and other elements
** hardware maintenance
** redundancy

25
src/main/resources/lessons/cia/documentation/CIA_confidentiality.adoc Normal file
View File

@ -0,0 +1,25 @@
== Confidentiality
Confidentiality is "the property that information is not made available or disclosed to unauthorized individuals, entities, or processes." In other words, confidentiality requires that unauthorized users should not be able to access sensitive resources. Confidentiality must be balanced with availability; authorized persons must still access the resources they have been granted permissions for.
Although confidentiality is similar to "privacy," these two words are not interchangeable. Instead, confidentiality is a component of privacy; confidentiality is implemented to protect resources from unauthorized entities.
{nbsp} +
=== Examples that compromise confidentiality:
** a hacker gets access to the password database of a company
** a sensitive email is sent to the incorrect individual
** a hacker reads sensitive information by intercepting and eavesdropping on an information transfer
{nbsp} +
=== Examples of methods ensuring confidentiality
** data encryption
** properly implemented authentication and access control
*** securely stored passwords
*** multi-factor authentication (MFA)
*** biometric verification
** minimizing the number of places/times the information appears
** physical security controls such as properly secured server rooms

21
src/main/resources/lessons/cia/documentation/CIA_integrity.adoc Normal file
View File

@ -0,0 +1,21 @@
== Integrity
Integrity is "the property of accuracy and completeness." In other words, integrity means maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. Data must not change during transit, and unauthorized entities should not alter the data.
{nbsp} +
=== Examples that compromise integrity:
** human error when entering data
** errors during data transmission
** software bugs and hardware failures
** hackers change information that they should not have access to
{nbsp} +
=== Examples of methods ensuring the integrity
** well functioning authentication methods and access control
** checking integrity with hash functions
** backups and redundancy
** auditing and logging

7
src/main/resources/lessons/cia/documentation/CIA_intro.adoc Normal file
View File

@ -0,0 +1,7 @@
== The CIA Triad
The CIA Triad (confidentiality, integrity, availability) is a model for information security.
The three elements of the triad are considered the most crucial information security components and should guarantee in any secure system. +
Serious consequences can result if even one of these elements is breached.
The CIA Triad was created to provide a baseline standard for evaluating and implementing security regardless of the underlying system and/or organization.

3
src/main/resources/lessons/cia/documentation/CIA_quiz.adoc Normal file
View File

@ -0,0 +1,3 @@
Now it's time for a quiz! Answer the following question to check if you understood the topic.
Today, most systems are protected by a firewall. A properly configured firewall can prevent malicious entities from accessing a system and helps protect an organization's resources. For this quiz, imagine a system that handles personal data but is not protected by a firewall:

43
src/main/resources/lessons/cia/html/CIA.html Normal file
View File

@ -0,0 +1,43 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_intro.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_confidentiality.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_integrity.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_availability.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<span id="quiz_id" data-quiz_id="cia"></span>
<link rel="stylesheet" type="text/css" th:href="@{/css/quiz.css}"/>
<script th:src="@{/js/quiz.js}" language="JavaScript"></script>
<link rel="import" type="application/json" th:href="@{/lesson_js/questions.json}"/>
<div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_quiz.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container-fluid">
<form id="quiz-form" class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="cia/quiz" role="form">
<div id="q_container"></div>
<br />
<input name="Quiz_solutions" value="Submit answers" type="SUBMIT"/>
</form>
</div>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</html>

1
src/main/resources/lessons/cia/i18n/WebGoatLabels.properties Normal file
View File

@ -0,0 +1 @@
4.cia.title=CIA Triad

40
src/main/resources/lessons/cia/js/questions_cia.json Normal file
View File

@ -0,0 +1,40 @@
{
"questions": [
{
"text": "How could an intruder harm the security goal of confidentiality?",
"solutions": {
"1": "By deleting all the databases.",
"2": "By stealing a database where general configuration information for the system is stored.",
"3": "By stealing a database where names and emails are stored and uploading it to a website.",
"4": "Confidentiality can't be harmed by an intruder."
}
},
{
"text": "How could an intruder harm the security goal of integrity?",
"solutions": {
"1": "By changing the names and emails of one or more users stored in a database.",
"2": "By listening to incoming and outgoing network traffic.",
"3": "By bypassing the access control mechanisms used to manage database access.",
"4": "Integrity can only be harmed when the intruder has physical access to the database."
}
},
{
"text": "How could an intruder harm the security goal of availability?",
"solutions": {
"1": "By exploiting a software bug that allows the attacker to bypass the normal authentication mechanisms for a database.",
"2": "By redirecting sensitive emails to other individuals.",
"3": "Availability can only be harmed by unplugging the power supply of the storage devices.",
"4": "By launching a denial of service attack on the servers."
}
},
{
"text": "What happens if at least one of the CIA security goals is harmed?",
"solutions": {
"1": "All three goals must be harmed for the system's security to be compromised; harming just one goal has no effect on the system's security.",
"2": "The system's security is compromised even if only one goal is harmed.",
"3": "It is acceptable if an attacker reads or changes data since at least some of the data is still available. The system's security is compromised only if its availability is harmed.",
"4": "It is acceptable if an attacker changes data or makes it unavailable, but reading sensitive data is not tolerable. The system's security is compromised only if its confidentiality is harmed."
}
}
]
}