diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fe0349d8e..667b56645 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -88,7 +88,7 @@ jobs: password: ${{ secrets.DOCKERHUB_TOKEN }} - name: "Build and push" - uses: docker/build-push-action@v2.4.0 + uses: docker/build-push-action@v2.7.0 with: context: ./docker file: docker/Dockerfile diff --git a/CREATE_RELEASE.MD b/CREATE_RELEASE.MD index e7ef678f2..1515aa3cd 100644 --- a/CREATE_RELEASE.MD +++ b/CREATE_RELEASE.MD @@ -15,12 +15,11 @@ At the moment we use Gitflow, for a release you create a new release branch and ``` git checkout develop -git flow release start -mvn versions:set < -git commit -am "New release, updating pom.xml" +git flow release start git flow release publish <> +<> git flow release finish git push origin develop diff --git a/README.MD b/README.MD index 2f1547c89..3b0a76d43 100644 --- a/README.MD +++ b/README.MD @@ -1,6 +1,6 @@ # WebGoat 8: A deliberately insecure Web Application -[![Build Status](https://travis-ci.org/WebGoat/WebGoat.svg?branch=develop)](https://travis-ci.org/WebGoat/WebGoat) +[![Build](https://github.com/WebGoat/WebGoat/actions/workflows/build.yml/badge.svg)](https://github.com/WebGoat/WebGoat/actions/workflows/build.yml) [![Coverage Status](https://coveralls.io/repos/WebGoat/WebGoat/badge.svg?branch=develop&service=github)](https://coveralls.io/github/WebGoat/WebGoat?branch=master) [![Codacy Badge](https://api.codacy.com/project/badge/b69ee3a86e3b4afcaf993f210fccfb1d)](https://www.codacy.com/app/dm/WebGoat) [![OWASP Labs](https://img.shields.io/badge/owasp-lab%20project-f7b73c.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Labs_Projects) 
@@ -27,46 +27,39 @@ you are caught engaging in unauthorized hacking, most companies will fire you. Claiming that you were doing security research will not work as that is the first thing that all hackers claim.* -# Installation Instructions: +# Installation instructions: ## 1. Run using Docker -Every release is also published on [DockerHub]((https://hub.docker.com/r/webgoat/webgoat-8.0/)). - -### Using docker run +Every release is also published on [DockerHub](https://hub.docker.com/r/webgoat/goatandwolf). The easiest way to start WebGoat as a Docker container is to use the all-in-one docker container. This is a docker image that has WebGoat and WebWolf running inside. ```shell -docker run -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf + +docker run -it -p 127.0.0.1:80:8888 -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf:v8.2.1 ``` -WebGoat will be located at: http://127.0.0.1:8080/WebGoat -WebWolf will be located at: http://127.0.0.1:9090/WebWolf +The landing page will be located at: http://localhost +WebGoat will be located at: http://localhost:8080/WebGoat +WebWolf will be located at: http://localhost:9090/WebWolf -**Important**: Choose the correct timezone, so that the docker container and your host are in the same timezone. As it is important for the validity of JWT tokens used in certain exercises. +**Important**: *Change the ports if necessary, for example use `127.0.0.1:7777:9090` to map WebWolf to `http://localhost:7777/WebGoat`* + +**Important**: *Choose the correct timezone, so that the docker container and your host are in the same timezone. As it is important for the validity of JWT tokens used in certain exercises.* ## 2. 
Standalone Download the latest WebGoat and WebWolf release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases) -```Shell -java -jar webgoat-server-8.1.0.jar [--server.port=8080] [--server.address=localhost] -java -jar webwolf-8.1.0.jar [--server.port=9090] [--server.address=localhost] +```shell +java -Dfile.encoding=UTF-8 -jar webgoat-server-8.2.1.jar [--server.port=8080] [--server.address=localhost] [--hsqldb.port=9001] +java -Dfile.encoding=UTF-8 -jar webwolf-8.2.1.jar [--server.port=9090] [--server.address=localhost] [--hsqldb.port=9001] ``` -The latest version of WebGoat needs Java 15 or above. By default, WebGoat and Webwolf start on port 8080, 9000 and 9090 with the environment variable WEBGOAT_PORT, WEBGOAT_HSQLPORT and WEBWOLF_PORT you can set different values. -```Shell -export WEBGOAT_PORT=18080 -export WEBGOAT_HSQLPORT=19001 -export WEBWOLF_PORT=19090 -java -jar webgoat-server-8.1.0.jar -java -jar webwolf-8.1.0.jar -``` - -Use `set` instead of export if you're using Windows cmd. - +WebGoat will be located at: http://localhost:8080/WebGoat and +WebWolf will be located at: http://localhost:9090/WebWolf (change ports if necessary) ## 3. Run from the sources diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md index 7734db368..78b1a7e15 100644 --- a/RELEASE_NOTES.md +++ b/RELEASE_NOTES.md 
@@ -1,5 +1,25 @@ # WebGoat release notes +## Version 8.2.2 + +### New functionality + +- Docker image now supports nginx when browsing to http://localhost a landing page is shown. + +### Bug fixes + +- [#1039 jwt-7-Code review](https://github.com/WebGoat/WebGoat/issues/1039) +- [#1031 SQL Injection (intro) 5: Data Control Language (DCL) the wiki's solution is not correct](https://github.com/WebGoat/WebGoat/issues/1031) +- [#1027 Webgoat 8.2.1 Vulnerable_Components_12 Shows internal server error](https://github.com/WebGoat/WebGoat/issues/1027) + + +## Version 8.2.1 + +### New functionality + +- New Docker image for arm64 architecture is now available (for Apple M1) + + ## Version 8.2.0 ### New functionality diff --git a/docker/Dockerfile b/docker/Dockerfile index 31b0e9686..1437def53 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -18,12 +18,5 @@ COPY --chown=webgoat start.sh /home/webgoat EXPOSE 8080 EXPOSE 9090 -ENV WEBGOAT_PORT 8080 -ENV WEBGOAT_SSLENABLED false - -ENV GOATURL https://127.0.0.1:$WEBGOAT_PORT -ENV WOLFURL http://127.0.0.1:9090 - - WORKDIR /home/webgoat ENTRYPOINT /bin/bash /home/webgoat/start.sh $webgoat_version_env diff --git a/docker/Readme.md b/docker/Readme.md index 0e6ed7941..7d0831655 100644 --- a/docker/Readme.md +++ b/docker/Readme.md @@ -9,5 +9,5 @@ docker build --no-cache --build-arg webgoat_version=8.2.0-SNAPSHOT -t webgoat/go ## Docker run ```shell -docker run -p 80:8888 -p 8080:8080 -p 9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf:latest +docker run -p 127.0.0.1:80:8888 -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf:latest ``` \ No newline at end of file diff --git a/docker/index.html b/docker/index.html index b0649f67b..43d3457f0 100644 --- a/docker/index.html +++ b/docker/index.html @@ -1,43 +1,70 @@ - -

OWASP WebGoat Training tools

-

- Use the following links to access the WebGoat and WebWolf applications. - Register a user using WebGoat. The same user can access WebWolf. -

- -

Use without special host name entries

- - - - - - - - - - -
WebGoat URLhttp://127.0.0.1:8080/WebGoat
WebWolf URLhttp://127.0.0.1:9090/WebWolf
- -

Use with www.webgoat.local and www.webwolf.local

-

- Add the following entries to your local hosts file on Windows (c:\Windows\System32\drivers\etc\hosts) or Linux (/etc/hosts) - -

-127.0.0.1 www.webgoat.local www.webwolf.local
-
- Then use the following URL's: -

-
- - - - - - - - -
WebGoat URLhttp://www.webgoat.local/WebGoat
WebWolf URLhttp://www.webwolf.local/WebWolf
- + + + + + + + +

+
+ Landing page for WebGoat and WebWolf +
+

+
+ WebGoat is a deliberately insecure web application maintained by OWASP designed + to teach web + application security lessons. + + This program is a demonstration of common server-side application flaws. The + exercises are intended to be used by people to learn about application security and + penetration testing techniques. +
+ +
+ +

Click on one of the images to go to WebGoat or WebWolf

+ +
+
+ +
+ + +
+ + diff --git a/docker/start.sh b/docker/start.sh index 26798f2b5..b1194e169 100644 --- a/docker/start.sh +++ b/docker/start.sh @@ -4,13 +4,23 @@ cd /home/webgoat service nginx start sleep 1 echo "Starting WebGoat..." -java -Duser.home=/home/webgoat -Dfile.encoding=UTF-8 -jar webgoat.jar --webgoat.build.version=$1 --server.address=0.0.0.0 > webgoat.log & + +java \ + -Duser.home=/home/webgoat \ + -Dfile.encoding=UTF-8 \ + --add-opens java.base/java.util=ALL-UNNAMED \ + --add-opens java.base/java.lang.reflect=ALL-UNNAMED \ + --add-opens java.base/java.text=ALL-UNNAMED \ + --add-opens java.desktop/java.awt.font=ALL-UNNAMED \ + --add-opens java.base/sun.nio.ch=ALL-UNNAMED \ + --add-opens java.base/java.io=ALL-UNNAMED \ + -jar webgoat.jar --webgoat.build.version="$1" --server.address=0.0.0.0 > webgoat.log & sleep 10 echo "Starting WebWolf..." java -Duser.home=/home/webgoat -Dfile.encoding=UTF-8 -jar webwolf.jar --webgoat.build.version=$1 --server.address=0.0.0.0 > webwolf.log & -echo "Browse to http://localhost" to get started >> webgoat.log +echo "Browse to http://localhost to get started" >> webgoat.log tail -300f webgoat.log diff --git a/pom.xml b/pom.xml index 6231aea47..893e45538 100644 --- a/pom.xml +++ b/pom.xml @@ -131,7 +131,7 @@ 3.42.630.1-jre - 1.18.4 + 1.18.203.8.02.22.03.1.2 diff --git a/webgoat-lessons/cross-site-scripting/pom.xml b/webgoat-lessons/cross-site-scripting/pom.xml index 668cbc22a..bc82c23fa 100644 --- a/webgoat-lessons/cross-site-scripting/pom.xml +++ b/webgoat-lessons/cross-site-scripting/pom.xml @@ -13,7 +13,7 @@ org.jsoupjsoup - 1.13.1 + 1.14.2 diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java index 0f48a0a70..b12fc0e2b 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java 
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java @@ -62,7 +62,7 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint { userSessionData.setValue("xss-reflected1-complete", "false"); StringBuffer cart = new StringBuffer(); - cart.append("Thank you for shopping at WebGoat.
You're support is appreciated
"); + cart.append("Thank you for shopping at WebGoat.
Your support is appreciated
"); cart.append("

We have charged credit card:" + field1 + "
"); cart.append(" -------------------
"); cart.append(" $" + totalSale); @@ -87,4 +87,4 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint { .build(); } } -} \ No newline at end of file +} diff --git a/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_libraries_assignment.adoc b/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_libraries_assignment.adoc index 6e8cea7fb..1937f084e 100644 --- a/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_libraries_assignment.adoc +++ b/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_libraries_assignment.adoc @@ -4,7 +4,7 @@ Now let's look at a code review and try to think on an attack with the `alg: non [source] ---- -eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ. +eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwidXNlciI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0. ---- [source%linenums, java] diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java index 557f510c1..970209122 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java @@ -39,7 +39,7 @@ import java.sql.Statement; @RestController -@AssignmentHints(value = {"SqlStringInjectionHint5-a"}) +@AssignmentHints(value = {"SqlStringInjectionHint5-1", "SqlStringInjectionHint5-2", "SqlStringInjectionHint5-3", "SqlStringInjectionHint5-4"}) public class SqlInjectionLesson5 extends AssignmentEndpoint { private final LessonDataSource dataSource; 
@@ -50,7 +50,7 @@ public class SqlInjectionLesson5 extends AssignmentEndpoint { @PostConstruct public void createUser() { - // HSQLDB does not support CREATE USER with IF NOT EXISTS so we need to do it in code (DROP first will throw error if user does not exists) + // HSQLDB does not support CREATE USER with IF NOT EXISTS so we need to do it in code (using DROP first will throw error if user does not exists) try (Connection connection = dataSource.getConnection()) { try (var statement = connection.prepareStatement("CREATE USER unauthorized_user PASSWORD test")) { statement.execute(); diff --git a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties index 22ab599cf..103820d34 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties +++ b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties @@ -24,8 +24,10 @@ SqlStringInjectionHint4-1=ALTER TABLE alters the structure of an existing databa SqlStringInjectionHint4-2=Do not forget the data type of the new column (e.g. varchar(size) or int(size)) SqlStringInjectionHint4-3=ALTER TABLE table name ADD column name data type(size); -SqlStringInjectionHint5-1=Take a look at how to use a grant statement. -SqlStringInjectionHint5-2=You are using 'tom' trying to grant access to tom +SqlStringInjectionHint5-1=Take a look at how to use a grant statement (WebGoat uses HSQLDB) +SqlStringInjectionHint5-2=You can grant to a user or a role. +SqlStringInjectionHint5-3=Try to grant 'select' privilege to 'unauthorized_user'. +SqlStringInjectionHint5-4=Use 'grant select on <

> to <>' to solve the assignment. sql-injection.5a.success=You have succeeded: {0} sql-injection.5a.no.results=No results matched. Try Again. diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content4.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content4.adoc index 552965523..eb529ef28 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content4.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content4.adoc @@ -8,9 +8,6 @@ If an attacker successfully "injects" DCL type SQL commands into a database, he * DCL commands are used to implement access control on database objects. * GRANT - give a user access privileges on database objects * REVOKE - withdraw user privileges that were previously given using GRANT -* Example: -** GRANT CREATE TABLE TO operator; -** This statement gives all users of the operator-role the privilege to create new tables in the database. Try to grant rights to the table `grant_rights` to user `unauthorized_user`: diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content5a.adoc b/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content5a.adoc index ef89632e1..48b4b334f 100644 --- a/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content5a.adoc +++ b/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content5a.adoc @@ -1,5 +1,7 @@ == Exploiting http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7285[CVE-2013-7285] (XStream) +NOTE: This lesson only works when you are using the Docker image of WebGoat. + WebGoat uses an XML document to add contacts to a contacts database. [source,xml] ----
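Review bot: `uses: docker/build-push-action@v2.7.0` in `.github/workflows/release.yml` is a mutable tag, and this job runs with `secrets.DOCKERHUB_TOKEN` in scope; pin the action to the full commit SHA of the v2.7.0 release (keeping the tag in a trailing comment) so a retagged or compromised release cannot run with push rights to the published image.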
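Review bot: the release procedure in `CREATE_RELEASE.MD` loses the step that sets the version (`mvn versions:set` and `git commit -am "New release, updating pom.xml"` are removed) and the line added in their place is an empty `<>` placeholder; state what now writes the version into `pom.xml` (a CI step, or something `git flow release finish` runs), otherwise the next release will be cut with a stale version.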
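Review bot: the port-remapping example in the README installation hunk points at the wrong path: `127.0.0.1:7777:9090` maps WebWolf, so the URL should read `http://localhost:7777/WebWolf`, not `/WebGoat`. In the same hunk the `docker run` line pins `webgoat/goatandwolf:v8.2.1` while this change adds 8.2.2 release notes and `docker/Readme.md` uses `:latest`; pick one convention. The removed line `The latest version of WebGoat needs Java 15 or above.` was the only statement of the JDK requirement, so put a current requirement back in the Standalone section next to the new `-Dfile.encoding=UTF-8 -jar webgoat-server-8.2.1.jar` command.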
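Review bot: the 8.2.2 entry in `RELEASE_NOTES.md`, `Docker image now supports nginx when browsing to http://localhost a landing page is shown.`, runs two statements together; split it into `The Docker image now runs nginx; browsing to http://localhost shows a landing page.` The notes also omit the dependency bumps made in this same change (`docker/build-push-action` 2.4.0 to 2.7.0, jsoup 1.13.1 to 1.14.2 in the cross-site-scripting lesson, the version property in the root `pom.xml`); if any of those addresses a published advisory it belongs in these notes.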
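Review bot: after dropping the `ENV WEBGOAT_PORT`, `WEBGOAT_SSLENABLED`, `GOATURL` and `WOLFURL` lines, `docker/Dockerfile` still declares only `EXPOSE 8080` and `EXPOSE 9090`, while `docker/Readme.md` and the README publish nginx with `-p 127.0.0.1:80:8888`; add `EXPOSE 8888` so the image documents its own landing-page port. Also confirm that `start.sh` and the nginx setup it starts with `service nginx start` no longer read `GOATURL`/`WOLFURL`, since those variables are gone.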
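Review bot: binding the published ports to `127.0.0.1` in `docker/Readme.md` is the right default for a deliberately vulnerable application, but the file still ends without a trailing newline (`\ No newline at end of file`) and the build line in the unchanged context still passes `webgoat_version=8.2.0-SNAPSHOT`; bump that alongside the 8.2.2 release notes.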
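Review bot: the new `docker/index.html` replaces the plain-text URL table (`http://127.0.0.1:8080/WebGoat`, `http://127.0.0.1:9090/WebWolf`) and the `www.webgoat.local`/`www.webwolf.local` hosts-file instructions with image links and the sentence `Click on one of the images to go to WebGoat or WebWolf`; keep the URLs as visible text next to the images, because the README now tells users to remap ports and they then need to see which port each link targets. If the `.local` host names are no longer served, record that in `RELEASE_NOTES.md`.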
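Review bot: in `docker/start.sh` the WebGoat launch now quotes `"$1"` and adds six `--add-opens ... =ALL-UNNAMED` flags, but the WebWolf line below it still passes `$1` unquoted and gets none of the flags; either WebWolf does not need them, in which case a comment on the WebGoat block should say which library forces opening `java.base/java.util`, `java.base/sun.nio.ch` and the rest, or it will fail the same way. Both launches redirect only stdout (`> webgoat.log &`, `> webwolf.log &`), so any JVM startup error never reaches the file that `tail -300f webgoat.log` shows; use `> webgoat.log 2>&1`. The fixed `sleep 10` before starting WebWolf is a race on slow hosts; polling the WebGoat port is more robust.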
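Review bot: the `You're` to `Your` fix and the added trailing newline in `CrossSiteScriptingLesson5a.java` are fine; since this block is already being touched, `StringBuffer cart` can become `StringBuilder`, as nothing shares it across threads. The unescaped concatenation in `cart.append("We have charged credit card:" + field1 + ...)` is the lesson's intended reflected XSS sink and must stay as it is.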
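Review bot: the replacement token in `JWT_libraries_assignment.adoc` decodes to header `{"alg":"none","typ":"JWT"}` and payload `{"sub":"1234567890","user":"John Doe","admin":true,"iat":1516239022}`, so it now carries the `admin` claim the code review is meant to catch, which is what the assignment needs. Say in the surrounding text that the trailing `.` with an empty third segment is the (absent) signature, because that empty segment is exactly what an `alg: none` bypass relies on and readers otherwise take the dot for a typo.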
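Review bot: the rewritten comment in `SqlInjectionLesson5.java` still reads `if user does not exists`; make it `does not exist` while it is being edited. The new `@AssignmentHints` keys `SqlStringInjectionHint5-1` to `SqlStringInjectionHint5-4` match the four entries added to `WebGoatLabels.properties`, so the dangling `SqlStringInjectionHint5-a` reference is gone; note that hint 5-4 (`Use 'grant select on ... to ...' to solve the assignment.`) states the complete solution, which is acceptable for a last hint but should be worded as the final hint so hints 1 to 3 still have a purpose.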
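Review bot: removing `GRANT CREATE TABLE TO operator;` and its explanation from `SqlInjection_introduction_content4.adoc` leaves the DCL introduction with no GRANT syntax at all right before it asks the reader to grant rights on `grant_rights` to `unauthorized_user`; if the example was dropped because HSQLDB does not accept that form (hint 5-1 now says `WebGoat uses HSQLDB`), replace it with an HSQLDB-valid `GRANT SELECT ON ... TO ...` example rather than deleting it.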
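Review bot: the added `NOTE: This lesson only works when you are using the Docker image of WebGoat.` in `VulnerableComponents_content5a.adoc` does not say why; name what the standalone jar lacks so readers running the jar can either supply it or know to skip the exercise, and tie the note to issue #1027 (`Webgoat 8.2.1 Vulnerable_Components_12 Shows internal server error`) from the release notes, which appears to be its motivation.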