Use try with resources instead of try (#921)
* Use try with resources instead of try * Remove unused lesson * Remove unused fields
This commit is contained in:
avivmu
GitHub
parent
b219854f81
commit
74b218b2a7
@ -34,8 +34,6 @@ import org.springframework.beans.factory.annotation.Autowired;
|
||||
|
||||
public abstract class AssignmentEndpoint {
|
||||
|
||||
@Autowired
|
||||
private UserTrackerRepository userTrackerRepository;
|
||||
@Autowired
|
||||
private WebSession webSession;
|
||||
@Autowired
|
||||
|
||||
@ -53,12 +53,6 @@ public class LabelServiceTest {
|
||||
|
||||
@Autowired
|
||||
public MockMvc mockMvc;
|
||||
@MockBean
|
||||
private Course course;
|
||||
@MockBean
|
||||
private UserService userService;
|
||||
@MockBean
|
||||
private LessonTrackerInterceptor interceptor;
|
||||
|
||||
@Test
|
||||
@WithMockUser(username = "guest", password = "guest")
|
||||
|
||||
@ -1,34 +0,0 @@
|
||||
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
<artifactId>http-proxies</artifactId>
|
||||
<packaging>jar</packaging>
|
||||
<parent>
|
||||
<groupId>org.owasp.webgoat.lesson</groupId>
|
||||
<artifactId>webgoat-lessons-parent</artifactId>
|
||||
<version>v8.0.0-SNAPSHOT</version>
|
||||
</parent>
|
||||
|
||||
<dependencies>
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-test</artifactId>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-test</artifactId>
|
||||
<version>4.1.3.RELEASE</version>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>junit</groupId>
|
||||
<artifactId>junit</artifactId>
|
||||
<version>${junit.version}</version>
|
||||
<type>jar</type>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
|
||||
</dependencies>
|
||||
|
||||
</project>
|
||||
@ -1,58 +0,0 @@
|
||||
package org.owasp.webgoat.plugin;
|
||||
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import java.io.IOException;
|
||||
|
||||
/**
|
||||
* *************************************************************************************************
|
||||
*
|
||||
*
|
||||
* This file is part of WebGoat, an Open Web Application Security Project
|
||||
* utility. For details, please see http://www.owasp.org/
|
||||
*
|
||||
* Copyright (c) 2002 - 20014 Bruce Mayhew
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it under
|
||||
* the terms of the GNU General Public License as published by the Free Software
|
||||
* Foundation; either version 2 of the License, or (at your option) any later
|
||||
* version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but WITHOUT
|
||||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
||||
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
||||
* details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along with
|
||||
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
|
||||
* Place - Suite 330, Boston, MA 02111-1307, USA.
|
||||
*
|
||||
* Getting Source ==============
|
||||
*
|
||||
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
|
||||
* for free software projects.
|
||||
*
|
||||
* For details, please see http://webgoat.github.io
|
||||
*
|
||||
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
|
||||
* @created October 28, 2003
|
||||
*/
|
||||
@AssignmentPath("/HttpProxies/intercept-request")
|
||||
public class HttpBasicsInterceptRequest extends AssignmentEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.GET)
|
||||
public @ResponseBody
|
||||
AttackResult completed(HttpServletRequest request) throws IOException {
|
||||
if (request.getHeader("x-request-intercepted").toLowerCase().equals("true") && request.getParameter("changeMe").equals("Requests are tampered easily")) {
|
||||
return trackProgress(success().feedback("http-proxies.intercept.success").build());
|
||||
} else {
|
||||
return trackProgress(failed().feedback("http-proxies.intercept.failure").build());
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -1,53 +0,0 @@
|
||||
package org.owasp.webgoat.plugin;
|
||||
|
||||
import com.beust.jcommander.internal.Lists;
|
||||
import org.owasp.webgoat.lessons.Category;
|
||||
import org.owasp.webgoat.lessons.Lesson;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
/**
|
||||
* ************************************************************************************************
|
||||
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
|
||||
* please see http://www.owasp.org/
|
||||
* <p>
|
||||
* Copyright (c) 2002 - 20014 Bruce Mayhew
|
||||
* <p>
|
||||
* This program is free software; you can redistribute it and/or modify it under the terms of the
|
||||
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
|
||||
* License, or (at your option) any later version.
|
||||
* <p>
|
||||
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
|
||||
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
* General Public License for more details.
|
||||
* <p>
|
||||
* You should have received a copy of the GNU General Public License along with this program; if
|
||||
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
|
||||
* 02111-1307, USA.
|
||||
* <p>
|
||||
* Getting Source ==============
|
||||
* <p>
|
||||
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
|
||||
* projects.
|
||||
* <p>
|
||||
*
|
||||
* @author WebGoat
|
||||
* @version $Id: $Id
|
||||
* @since October 12, 2016
|
||||
*/
|
||||
public class HttpProxies extends Lesson {
|
||||
@Override
|
||||
public Category getDefaultCategory() {
|
||||
return Category.GENERAL;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getTitle() {
|
||||
return "http-proxies.title";
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getId() {
|
||||
return "HttpProxies";
|
||||
}
|
||||
}
|
||||
@ -1,50 +0,0 @@
|
||||
<!DOCTYPE html>
|
||||
|
||||
<html xmlns:th="http://www.thymeleaf.org">
|
||||
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
|
||||
<!-- include content here. Content will be presented via asciidocs files,
|
||||
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
|
||||
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro0.adoc"></div>
|
||||
</div>
|
||||
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
|
||||
<!-- include content here. Content will be presented via asciidocs files,
|
||||
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
|
||||
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro1.adoc"></div>
|
||||
</div>
|
||||
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
|
||||
<!-- include content here. Content will be presented via asciidocs files,
|
||||
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
|
||||
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro2.adoc"></div>
|
||||
</div>
|
||||
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
|
||||
<!-- include content here. Content will be presented via asciidocs files,
|
||||
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
|
||||
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro3.adoc"></div>
|
||||
</div>
|
||||
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- stripped down without extra comments -->
|
||||
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntercept.adoc"></div>
|
||||
<div class="attack-container">
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN" name="intercept-request"
|
||||
method="POST"
|
||||
action="/WebGoat/HttpBasics/intercept-request">
|
||||
|
||||
<input type="text" value="doesn't matter really" name="changeMe" />
|
||||
<input type="submit" value="Submit" />
|
||||
|
||||
</form>
|
||||
<div class="attack-feedback"></div>
|
||||
<div class="attack-output"></div>
|
||||
</div>
|
||||
</div>
|
||||
</html>
|
||||
@ -1,4 +0,0 @@
|
||||
http-proxies.title=HTTP Proxies
|
||||
|
||||
http-proxies.intercept.success=Well done, you tampered the request as expected
|
||||
http-proxies.intercept.failure=Please try again. Make sure to make all the changes. And case sensitivity may matter ... or not, you never know!
|
||||
@ -1,20 +0,0 @@
|
||||
|
||||
== HTTP Proxy Overview
|
||||
|
||||
Many times proxies are used as a way of accessing otherwise blocked content. A user might connect to server A, which relays content from server B
|
||||
... Because Server B is blocked within the user's network. That's not the use case we will be dealing with here, but the concept is the same.
|
||||
HTTP Proxies receive requests from a client and relay them. They also typically record them. They act as a man-in-the-middle (keep that in mind if you decide to
|
||||
use a proxy server to connect to some other system that is otherwise blocked). We won't get into HTTP vs HTTPS just yet, but that's an important topic in
|
||||
relationship to proxies.
|
||||
|
||||
=== Proxy Capabilities
|
||||
|
||||
Proxies sit between your client and the server the client is talking to. You can record and analyze the requests & responses. You can also use the proxy to
|
||||
modify (tamper) the requests and responses. Proxies also have automated or semi-automated functions that allow you to gain efficiency in testing and
|
||||
analyzing the security of a website.
|
||||
|
||||
=== Other Uses for Proxies
|
||||
|
||||
ZAP specifically can also be used in the development process in a CI/CD, DevOps or otherwise automated build/test environment. This lesson does
|
||||
not currently have any details on that, but it is worth mentioning. There are a number of examples on the internet of it being integrated into a
|
||||
CI/CD with Jenkins, Maven or other build processes.
|
||||
@ -31,9 +31,13 @@ import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
|
||||
import java.io.BufferedReader;
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.io.InputStreamReader;
|
||||
import java.net.MalformedURLException;
|
||||
import java.net.URL;
|
||||
import java.net.URLConnection;
|
||||
import java.nio.charset.StandardCharsets;
|
||||
|
||||
|
||||
@RestController
|
||||
@ -47,41 +51,31 @@ public class SSRFTask2 extends AssignmentEndpoint {
|
||||
}
|
||||
|
||||
protected AttackResult furBall(String url) {
|
||||
try {
|
||||
StringBuffer html = new StringBuffer();
|
||||
|
||||
if (url.matches("http://ifconfig.pro")) {
|
||||
try {
|
||||
URL u = new URL(url);
|
||||
URLConnection urlConnection = u.openConnection();
|
||||
BufferedReader in = new BufferedReader(new InputStreamReader(urlConnection.getInputStream()));
|
||||
String inputLine;
|
||||
|
||||
while ((inputLine = in.readLine()) != null) {
|
||||
html.append(inputLine);
|
||||
}
|
||||
in.close();
|
||||
} catch (Exception e) {
|
||||
String html;
|
||||
try (InputStream in = new URL(url).openStream()) {
|
||||
html = new String(in.readAllBytes(), StandardCharsets.UTF_8)
|
||||
.replaceAll("\n","<br>"); // Otherwise the \n gets escaped in the response
|
||||
} catch (MalformedURLException e) {
|
||||
return getFailedResult(e.getMessage());
|
||||
} catch (IOException e) {
|
||||
//in case the external site is down, the test and lesson should still be ok
|
||||
html.append("<html><body>Altough the http://ifconfig.pro site is down, you still managed to solve this exercise the right way!</body></html>");
|
||||
html = "<html><body>Although the http://ifconfig.pro site is down, you still managed to solve" +
|
||||
" this exercise the right way!</body></html>";
|
||||
}
|
||||
|
||||
return success(this)
|
||||
.feedback("ssrf.success")
|
||||
.output(html.toString())
|
||||
.output(html)
|
||||
.build();
|
||||
} else {
|
||||
html.append("<img class=\"image\" alt=\"image post\" src=\"images/cat.jpg\">");
|
||||
}
|
||||
var html = "<img class=\"image\" alt=\"image post\" src=\"images/cat.jpg\">";
|
||||
return getFailedResult(html);
|
||||
}
|
||||
|
||||
private AttackResult getFailedResult(String errorMsg) {
|
||||
return failed(this)
|
||||
.feedback("ssrf.failure")
|
||||
.output(html.toString())
|
||||
.output(errorMsg)
|
||||
.build();
|
||||
}
|
||||
} catch (Exception e) {
|
||||
e.printStackTrace();
|
||||
return failed(this)
|
||||
.output(e.getMessage())
|
||||
.build();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -15,7 +15,7 @@
|
||||
action="/WebGoat/SSRF/task1">
|
||||
<table>
|
||||
<tr>
|
||||
<td><input type="hidden" id="url" name="url" value="images/tom.png"/></td>
|
||||
<td><input type="hidden" id="url1" name="url" value="images/tom.png"/></td>
|
||||
|
||||
<td><input
|
||||
name="Steal the Cheese" value="Steal the Cheese" type="SUBMIT"/></td>
|
||||
@ -37,7 +37,7 @@
|
||||
action="/WebGoat/SSRF/task2">
|
||||
<table>
|
||||
<tr>
|
||||
<td><input type="hidden" id="url" name="url" value="images/cat.png"/></td>
|
||||
<td><input type="hidden" id="url2" name="url" value="images/cat.png"/></td>
|
||||
|
||||
<td><input
|
||||
name="try this" value="try this" type="SUBMIT"/></td>
|
||||
|
||||
@ -1,2 +1,2 @@
|
||||
=== Find and modify the request to display Jerry
|
||||
lick the button and figure out what happened.
|
||||
Click the button and figure out what happened.
|
||||
|
||||
@ -26,7 +26,7 @@ public class SSRFTest1 extends LessonTest {
|
||||
private SSRF ssrf;
|
||||
|
||||
@Before
|
||||
public void setup() throws Exception {
|
||||
public void setup() {
|
||||
when(webSession.getCurrentLesson()).thenReturn(ssrf);
|
||||
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
|
||||
}
|
||||
|
||||
@ -48,7 +48,7 @@ public class SSRFTest2 extends LessonTest {
|
||||
private SSRF ssrf;
|
||||
|
||||
@Before
|
||||
public void setup() throws Exception {
|
||||
public void setup() {
|
||||
when(webSession.getCurrentLesson()).thenReturn(ssrf);
|
||||
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
|
||||
}
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user