From 15ea31a4df906eec5013d1c1315fd0fd0151ebaf Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Mon, 2 Aug 2021 18:46:01 +0200 Subject: [PATCH 01/17] Remove Travis badge and replace with Github actions --- README.MD | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.MD b/README.MD index 2f1547c89..b7100c1a6 100644 --- a/README.MD +++ b/README.MD @@ -1,6 +1,6 @@ # WebGoat 8: A deliberately insecure Web Application -[![Build Status](https://travis-ci.org/WebGoat/WebGoat.svg?branch=develop)](https://travis-ci.org/WebGoat/WebGoat) +[![Build](https://github.com/WebGoat/WebGoat/actions/workflows/build.yml/badge.svg)](https://github.com/WebGoat/WebGoat/actions/workflows/build.yml) [![Coverage Status](https://coveralls.io/repos/WebGoat/WebGoat/badge.svg?branch=develop&service=github)](https://coveralls.io/github/WebGoat/WebGoat?branch=master) [![Codacy Badge](https://api.codacy.com/project/badge/b69ee3a86e3b4afcaf993f210fccfb1d)](https://www.codacy.com/app/dm/WebGoat) [![OWASP Labs](https://img.shields.io/badge/owasp-lab%20project-f7b73c.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Labs_Projects) From f22e4f55c12cf24d49b713c81c2370c4f33726d7 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Wed, 4 Aug 2021 10:15:38 +0300 Subject: [PATCH 02/17] Update release notes --- CREATE_RELEASE.MD | 1 + RELEASE_NOTES.md | 7 +++++++ 2 files changed, 8 insertions(+) diff --git a/CREATE_RELEASE.MD b/CREATE_RELEASE.MD index e7ef678f2..207689bdb 100644 --- a/CREATE_RELEASE.MD +++ b/CREATE_RELEASE.MD @@ -21,6 +21,7 @@ git commit -am "New release, updating pom.xml" git flow release publish <> +<> git flow release finish git push origin develop diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md index 7734db368..c7929690d 100644 --- a/RELEASE_NOTES.md +++ b/RELEASE_NOTES.md 
@@ -1,5 +1,12 @@ # WebGoat release notes +## Version 8.2.1 + +### New functionality + +- New Docker image for arm64 architecture is now available (for Apple M1) + + ## Version 8.2.0 ### New functionality From 4ce098f39b189c656b407042582aaf687aafcc8f Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Wed, 4 Aug 2021 10:41:51 +0300 Subject: [PATCH 03/17] Pass options directly instead of setting env variables --- README.MD | 23 ++++++----------------- 1 file changed, 6 insertions(+), 17 deletions(-) diff --git a/README.MD b/README.MD index b7100c1a6..c40d4bf6a 100644 --- a/README.MD +++ b/README.MD @@ -27,14 +27,12 @@ you are caught engaging in unauthorized hacking, most companies will fire you. Claiming that you were doing security research will not work as that is the first thing that all hackers claim.* -# Installation Instructions: +# Installation instructions: ## 1. Run using Docker Every release is also published on [DockerHub]((https://hub.docker.com/r/webgoat/webgoat-8.0/)). -### Using docker run - The easiest way to start WebGoat as a Docker container is to use the all-in-one docker container. This is a docker image that has WebGoat and WebWolf running inside. ```shell 
@@ -51,22 +49,13 @@ WebWolf will be located at: http://127.0.0.1:9090/WebWolf Download the latest WebGoat and WebWolf release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases) -```Shell -java -jar webgoat-server-8.1.0.jar [--server.port=8080] [--server.address=localhost] -java -jar webwolf-8.1.0.jar [--server.port=9090] [--server.address=localhost] +```shell +java -jar webgoat-server-8.2.1.jar [--server.port=8080] [--server.address=localhost] [--hsqldb.port=9001] +java -jar webwolf-8.2.1.jar [--server.port=9090] [--server.address=localhost] [--hsqldb.port=9001] ``` -The latest version of WebGoat needs Java 15 or above. By default, WebGoat and Webwolf start on port 8080, 9000 and 9090 with the environment variable WEBGOAT_PORT, WEBGOAT_HSQLPORT and WEBWOLF_PORT you can set different values. -```Shell -export WEBGOAT_PORT=18080 -export WEBGOAT_HSQLPORT=19001 -export WEBWOLF_PORT=19090 -java -jar webgoat-server-8.1.0.jar -java -jar webwolf-8.1.0.jar -``` - -Use `set` instead of export if you're using Windows cmd. - +WebGoat will be located at: http://127.0.0.1:8080/WebGoat and +WebWolf will be located at: http://127.0.0.1:9090/WebWolf (change ports if necessary) ## 3. Run from the sources From d566080a7922deec9c1b13a7564df1b52ad75402 Mon Sep 17 00:00:00 2001 From: Arshan Dabirsiaghi Date: Mon, 12 Jul 2021 20:20:52 -0400 Subject: [PATCH 04/17] fix typo --- .../org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java index 0f48a0a70..b12fc0e2b 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java 
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java @@ -62,7 +62,7 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint { userSessionData.setValue("xss-reflected1-complete", "false"); StringBuffer cart = new StringBuffer(); - cart.append("Thank you for shopping at WebGoat.
You're support is appreciated
"); + cart.append("Thank you for shopping at WebGoat.
Your support is appreciated
"); cart.append("

We have charged credit card:" + field1 + "
"); cart.append(" -------------------
"); cart.append(" $" + totalSale); @@ -87,4 +87,4 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint { .build(); } } -} \ No newline at end of file +} From 453a09e0b405552b4090052f16f6246a68f6daf9 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Wed, 4 Aug 2021 11:17:00 +0300 Subject: [PATCH 05/17] Fix html --- docker/index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/index.html b/docker/index.html index b0649f67b..31f642096 100644 --- a/docker/index.html +++ b/docker/index.html @@ -18,7 +18,7 @@ WebWolf URL http://127.0.0.1:9090/WebWolf - +

Use with www.webgoat.local and www.webwolf.local

From 9a37a27a3c1e27fd2e5099a6d594b6ad3a6e0da3 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Sat, 14 Aug 2021 12:19:39 +0200 Subject: [PATCH 06/17] Add explicit file encoding to the java command to prevent errors like: "It seems the application is startd on a OS with non default UTF-8 encoding:Cp1252" " --- README.MD | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.MD b/README.MD index c40d4bf6a..c98846f8d 100644 --- a/README.MD +++ b/README.MD @@ -50,8 +50,8 @@ WebWolf will be located at: http://127.0.0.1:9090/WebWolf Download the latest WebGoat and WebWolf release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases) ```shell -java -jar webgoat-server-8.2.1.jar [--server.port=8080] [--server.address=localhost] [--hsqldb.port=9001] -java -jar webwolf-8.2.1.jar [--server.port=9090] [--server.address=localhost] [--hsqldb.port=9001] +java -Dfile.encoding=UTF-8 -jar webgoat-server-8.2.1.jar [--server.port=8080] [--server.address=localhost] [--hsqldb.port=9001] +java -Dfile.encoding=UTF-8 -jar webwolf-8.2.1.jar [--server.port=9090] [--server.address=localhost] [--hsqldb.port=9001] ``` WebGoat will be located at: http://127.0.0.1:8080/WebGoat and From 9cc0ae5c385665eea33f903ace1dbae3783348d5 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Sun, 22 Aug 2021 18:17:48 +0200 Subject: [PATCH 07/17] Add `-it` to Docker command so ctrl+c is working directly --- README.MD | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.MD b/README.MD index c98846f8d..bcbf80786 100644 --- a/README.MD +++ b/README.MD 
@@ -36,7 +36,7 @@ Every release is also published on [DockerHub]((https://hub.docker.com/r/webgoat The easiest way to start WebGoat as a Docker container is to use the all-in-one docker container. This is a docker image that has WebGoat and WebWolf running inside. ```shell -docker run -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf +docker run -it -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf:v8.2.1 ``` WebGoat will be located at: http://127.0.0.1:8080/WebGoat From c8fad669734a0f2cef2976e42822a51a7e0c9537 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Sat, 14 Aug 2021 12:33:28 +0200 Subject: [PATCH 08/17] #1024: Update landing page --- docker/Dockerfile | 7 --- docker/Readme.md | 2 +- docker/index.html | 107 +++++++++++++++++++++++++++++----------------- docker/start.sh | 2 +- 4 files changed, 69 insertions(+), 49 deletions(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index 31b0e9686..1437def53 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -18,12 +18,5 @@ COPY --chown=webgoat start.sh /home/webgoat EXPOSE 8080 EXPOSE 9090 -ENV WEBGOAT_PORT 8080 -ENV WEBGOAT_SSLENABLED false - -ENV GOATURL https://127.0.0.1:$WEBGOAT_PORT -ENV WOLFURL http://127.0.0.1:9090 - - WORKDIR /home/webgoat ENTRYPOINT /bin/bash /home/webgoat/start.sh $webgoat_version_env diff --git a/docker/Readme.md b/docker/Readme.md index 0e6ed7941..7d0831655 100644 --- a/docker/Readme.md +++ b/docker/Readme.md @@ -9,5 +9,5 @@ docker build --no-cache --build-arg webgoat_version=8.2.0-SNAPSHOT -t webgoat/go ## Docker run ```shell -docker run -p 80:8888 -p 8080:8080 -p 9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf:latest +docker run -p 127.0.0.1:80:8888 -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf:latest ``` \ No newline at end of file diff --git a/docker/index.html b/docker/index.html index 31f642096..43d3457f0 100644 --- a/docker/index.html 
+++ b/docker/index.html @@ -1,43 +1,70 @@ - -

OWASP WebGoat Training tools

-

- Use the following links to access the WebGoat and WebWolf applications. - Register a user using WebGoat. The same user can access WebWolf. -

- -

Use without special host name entries

- - - - - - - - - - -
WebGoat URLhttp://127.0.0.1:8080/WebGoat
WebWolf URLhttp://127.0.0.1:9090/WebWolf
- -

Use with www.webgoat.local and www.webwolf.local

-

- Add the following entries to your local hosts file on Windows (c:\Windows\System32\drivers\etc\hosts) or Linux (/etc/hosts) - -

-127.0.0.1 www.webgoat.local www.webwolf.local
-
- Then use the following URL's: -

- - - - - - - - - -
WebGoat URLhttp://www.webgoat.local/WebGoat
WebWolf URLhttp://www.webwolf.local/WebWolf
- + + + + + + + +

+
+ Landing page for WebGoat and WebWolf +
+

+
+ WebGoat is a deliberately insecure web application maintained by OWASP designed + to teach web + application security lessons. + + This program is a demonstration of common server-side application flaws. The + exercises are intended to be used by people to learn about application security and + penetration testing techniques. +
+ +
+ +

Click on one of the images to go to WebGoat or WebWolf

+ +
+
+ +
+ + +
+ + diff --git a/docker/start.sh b/docker/start.sh index 26798f2b5..c55d92646 100644 --- a/docker/start.sh +++ b/docker/start.sh @@ -11,6 +11,6 @@ sleep 10 echo "Starting WebWolf..." java -Duser.home=/home/webgoat -Dfile.encoding=UTF-8 -jar webwolf.jar --webgoat.build.version=$1 --server.address=0.0.0.0 > webwolf.log & -echo "Browse to http://localhost" to get started >> webgoat.log +echo "Browse to http://localhost to get started" >> webgoat.log tail -300f webgoat.log From f7871942dad1f38858c997402be1fc87addfa832 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Wed, 25 Aug 2021 18:44:54 +0200 Subject: [PATCH 09/17] Add mapping for localhost:80 to nginx --- README.MD | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.MD b/README.MD index bcbf80786..279162753 100644 --- a/README.MD +++ b/README.MD @@ -36,7 +36,7 @@ Every release is also published on [DockerHub]((https://hub.docker.com/r/webgoat The easiest way to start WebGoat as a Docker container is to use the all-in-one docker container. This is a docker image that has WebGoat and WebWolf running inside. ```shell -docker run -it -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf:v8.2.1 +docker run -it -p 127.0.0.1:80:8888 -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf:v8.2.1 ``` WebGoat will be located at: http://127.0.0.1:8080/WebGoat From 0e08c4bde09517b71bae75a31f887e030f3461d0 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Wed, 25 Aug 2021 18:59:07 +0200 Subject: [PATCH 10/17] Update documentation related to Docker --- README.MD | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/README.MD b/README.MD index 279162753..3b0a76d43 100644 --- a/README.MD +++ b/README.MD 
@@ -31,18 +31,22 @@ first thing that all hackers claim.* ## 1. Run using Docker -Every release is also published on [DockerHub]((https://hub.docker.com/r/webgoat/webgoat-8.0/)). +Every release is also published on [DockerHub](https://hub.docker.com/r/webgoat/goatandwolf). The easiest way to start WebGoat as a Docker container is to use the all-in-one docker container. This is a docker image that has WebGoat and WebWolf running inside. ```shell + docker run -it -p 127.0.0.1:80:8888 -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf:v8.2.1 ``` -WebGoat will be located at: http://127.0.0.1:8080/WebGoat -WebWolf will be located at: http://127.0.0.1:9090/WebWolf +The landing page will be located at: http://localhost +WebGoat will be located at: http://localhost:8080/WebGoat +WebWolf will be located at: http://localhost:9090/WebWolf -**Important**: Choose the correct timezone, so that the docker container and your host are in the same timezone. As it is important for the validity of JWT tokens used in certain exercises. +**Important**: *Change the ports if necessary, for example use `127.0.0.1:7777:9090` to map WebWolf to `http://localhost:7777/WebGoat`* + +**Important**: *Choose the correct timezone, so that the docker container and your host are in the same timezone. As it is important for the validity of JWT tokens used in certain exercises.* ## 2. Standalone @@ -54,8 +58,8 @@ java -Dfile.encoding=UTF-8 -jar webgoat-server-8.2.1.jar [--server.port=8080] [- java -Dfile.encoding=UTF-8 -jar webwolf-8.2.1.jar [--server.port=9090] [--server.address=localhost] [--hsqldb.port=9001] ``` -WebGoat will be located at: http://127.0.0.1:8080/WebGoat and -WebWolf will be located at: http://127.0.0.1:9090/WebWolf (change ports if necessary) +WebGoat will be located at: http://localhost:8080/WebGoat and +WebWolf will be located at: http://localhost:9090/WebWolf (change ports if necessary) ## 3. Run from the sources 
From 6aaa7433027944ac88f5700c0fc8881fa47634ba Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Sun, 29 Aug 2021 13:56:42 +0200 Subject: [PATCH 11/17] Fix vulnerable components lesson for Java 16. --- docker/start.sh | 12 +++++++++++- .../en/VulnerableComponents_content5a.adoc | 2 ++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/docker/start.sh b/docker/start.sh index c55d92646..b1194e169 100644 --- a/docker/start.sh +++ b/docker/start.sh @@ -4,7 +4,17 @@ cd /home/webgoat service nginx start sleep 1 echo "Starting WebGoat..." -java -Duser.home=/home/webgoat -Dfile.encoding=UTF-8 -jar webgoat.jar --webgoat.build.version=$1 --server.address=0.0.0.0 > webgoat.log & + +java \ + -Duser.home=/home/webgoat \ + -Dfile.encoding=UTF-8 \ + --add-opens java.base/java.util=ALL-UNNAMED \ + --add-opens java.base/java.lang.reflect=ALL-UNNAMED \ + --add-opens java.base/java.text=ALL-UNNAMED \ + --add-opens java.desktop/java.awt.font=ALL-UNNAMED \ + --add-opens java.base/sun.nio.ch=ALL-UNNAMED \ + --add-opens java.base/java.io=ALL-UNNAMED \ + -jar webgoat.jar --webgoat.build.version="$1" --server.address=0.0.0.0 > webgoat.log & sleep 10 diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content5a.adoc b/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content5a.adoc index ef89632e1..48b4b334f 100644 --- a/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content5a.adoc +++ b/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content5a.adoc @@ -1,5 +1,7 @@ == Exploiting http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7285[CVE-2013-7285] (XStream) +NOTE: This lesson only works when you are using the Docker image of WebGoat. + WebGoat uses an XML document to add contacts to a contacts database. [source,xml] ---- From 8e47eac263dc64db723aa56862774d3e1f10fb90 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 23 Aug 2021 09:07:55 +0000 Subject: [PATCH 12/17] Bump docker/build-push-action from 2.4.0 to 2.7.0 Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 2.4.0 to 2.7.0. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/v2.4.0...v2.7.0) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fe0349d8e..667b56645 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -88,7 +88,7 @@ jobs: password: ${{ secrets.DOCKERHUB_TOKEN }} - name: "Build and push" - uses: docker/build-push-action@v2.4.0 + uses: docker/build-push-action@v2.7.0 with: context: ./docker file: docker/Dockerfile From 14ab2faeaf5471b7e75e33d4f2a8b5064661507f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 23 Aug 2021 21:05:37 +0000 Subject: [PATCH 13/17] Bump jsoup in /webgoat-lessons/cross-site-scripting Bumps [jsoup](https://github.com/jhy/jsoup) from 1.13.1 to 1.14.2. - [Release notes](https://github.com/jhy/jsoup/releases) - [Changelog](https://github.com/jhy/jsoup/blob/master/CHANGES) - [Commits](https://github.com/jhy/jsoup/compare/jsoup-1.13.1...jsoup-1.14.2) --- updated-dependencies: - dependency-name: org.jsoup:jsoup dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- webgoat-lessons/cross-site-scripting/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/webgoat-lessons/cross-site-scripting/pom.xml b/webgoat-lessons/cross-site-scripting/pom.xml index 668cbc22a..bc82c23fa 100644 --- a/webgoat-lessons/cross-site-scripting/pom.xml +++ b/webgoat-lessons/cross-site-scripting/pom.xml @@ -13,7 +13,7 @@ org.jsoup jsoup - 1.13.1 + 1.14.2 From a14e84d5c5c363e8bcfb3a633fefbe3b9b6206fd Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Sun, 5 Sep 2021 12:06:08 +0200 Subject: [PATCH 14/17] #1039: Fix token Replace `name` with `user` and add `admin` --- .../main/resources/lessonPlans/en/JWT_libraries_assignment.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_libraries_assignment.adoc b/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_libraries_assignment.adoc index 6e8cea7fb..1937f084e 100644 --- a/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_libraries_assignment.adoc +++ b/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_libraries_assignment.adoc @@ -4,7 +4,7 @@ Now let's look at a code review and try to think on an attack with the `alg: non [source] ---- -eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ. +eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwidXNlciI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0. ---- [source%linenums, java] From 825193bbb51c32d4db4c33254fc1fbf688deeb10 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Sun, 5 Sep 2021 13:14:27 +0200 Subject: [PATCH 15/17] Update to latest lombok version --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 6231aea47..893e45538 100644 --- a/pom.xml +++ b/pom.xml @@ -131,7 +131,7 @@ 3.4 2.6 30.1-jre - 1.18.4 + 1.18.20 3.8.0 2.22.0 3.1.2 From 7ec6826abc899d7327909f40e51eed770989a987 Mon Sep 17 00:00:00 2001 
From: Nanne Baars Date: Sun, 5 Sep 2021 13:54:23 +0200 Subject: [PATCH 16/17] #1031: Fix lesson - Hints not shown - Add more hints - Incorrect grant statement in lesson as example (removed it) --- .../sql_injection/introduction/SqlInjectionLesson5.java | 4 ++-- .../src/main/resources/i18n/WebGoatLabels.properties | 6 ++++-- .../lessonPlans/en/SqlInjection_introduction_content4.adoc | 3 --- 3 files changed, 6 insertions(+), 7 deletions(-) diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java index 557f510c1..970209122 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java @@ -39,7 +39,7 @@ import java.sql.Statement; @RestController -@AssignmentHints(value = {"SqlStringInjectionHint5-a"}) +@AssignmentHints(value = {"SqlStringInjectionHint5-1", "SqlStringInjectionHint5-2", "SqlStringInjectionHint5-3", "SqlStringInjectionHint5-4"}) public class SqlInjectionLesson5 extends AssignmentEndpoint { private final LessonDataSource dataSource; @@ -50,7 +50,7 @@ public class SqlInjectionLesson5 extends AssignmentEndpoint { @PostConstruct public void createUser() { - // HSQLDB does not support CREATE USER with IF NOT EXISTS so we need to do it in code (DROP first will throw error if user does not exists) + // HSQLDB does not support CREATE USER with IF NOT EXISTS so we need to do it in code (using DROP first will throw error if user does not exists) try (Connection connection = dataSource.getConnection()) { try (var statement = connection.prepareStatement("CREATE USER unauthorized_user PASSWORD test")) { statement.execute(); 
diff --git a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties index 22ab599cf..103820d34 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties +++ b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties @@ -24,8 +24,10 @@ SqlStringInjectionHint4-1=ALTER TABLE alters the structure of an existing databa SqlStringInjectionHint4-2=Do not forget the data type of the new column (e.g. varchar(size) or int(size)) SqlStringInjectionHint4-3=ALTER TABLE table name ADD column name data type(size); -SqlStringInjectionHint5-1=Take a look at how to use a grant statement. -SqlStringInjectionHint5-2=You are using 'tom' trying to grant access to tom +SqlStringInjectionHint5-1=Take a look at how to use a grant statement (WebGoat uses HSQLDB) +SqlStringInjectionHint5-2=You can grant to a user or a role. +SqlStringInjectionHint5-3=Try to grant 'select' privilege to 'unauthorized_user'. +SqlStringInjectionHint5-4=Use 'grant select on <
> to <>' to solve the assignment. sql-injection.5a.success=You have succeeded: {0} sql-injection.5a.no.results=No results matched. Try Again. diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content4.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content4.adoc index 552965523..eb529ef28 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content4.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content4.adoc @@ -8,9 +8,6 @@ If an attacker successfully "injects" DCL type SQL commands into a database, he * DCL commands are used to implement access control on database objects. * GRANT - give a user access privileges on database objects * REVOKE - withdraw user privileges that were previously given using GRANT -* Example: -** GRANT CREATE TABLE TO operator; -** This statement gives all users of the operator-role the privilege to create new tables in the database. Try to grant rights to the table `grant_rights` to user `unauthorized_user`: From e75cfbeb110e3d3a2ca3c8fee2754992d89c419d Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Sun, 5 Sep 2021 14:41:28 +0200 Subject: [PATCH 17/17] Adding release notes for version 8.2.2 --- CREATE_RELEASE.MD | 4 +--- RELEASE_NOTES.md | 13 +++++++++++++ 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/CREATE_RELEASE.MD b/CREATE_RELEASE.MD index 207689bdb..1515aa3cd 100644 --- a/CREATE_RELEASE.MD +++ b/CREATE_RELEASE.MD @@ -15,9 +15,7 @@ At the moment we use Gitflow, for a release you create a new release branch and ``` git checkout develop -git flow release start -mvn versions:set < -git commit -am "New release, updating pom.xml" +git flow release start git flow release publish <> diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md index c7929690d..78b1a7e15 100644 --- a/RELEASE_NOTES.md +++ b/RELEASE_NOTES.md 
@@ -1,5 +1,18 @@ # WebGoat release notes +## Version 8.2.2 + +### New functionality + +- Docker image now supports nginx when browsing to http://localhost a landing page is shown. + +### Bug fixes + +- [#1039 jwt-7-Code review](https://github.com/WebGoat/WebGoat/issues/1039) +- [#1031 SQL Injection (intro) 5: Data Control Language (DCL) the wiki's solution is not correct](https://github.com/WebGoat/WebGoat/issues/1031) +- [#1027 Webgoat 8.2.1 Vulnerable_Components_12 Shows internal server error](https://github.com/WebGoat/WebGoat/issues/1027) + + ## Version 8.2.1 ### New functionality
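Review bot: in [PATCH 03/17], README.MD, the removed paragraph was the only place that stated the Java requirement ("The latest version of WebGoat needs Java 15 or above.") and the replacement text does not restate it. Keep a one-line Java version requirement next to the `java -jar` commands. The removed text also gave 9000 as the default HSQLDB port while the new command shows `[--hsqldb.port=9001]`; confirm which default is correct.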
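Review bot: in [PATCH 08/17], docker/Readme.md, the run command now binds the published ports to 127.0.0.1 but still pulls `webgoat/goatandwolf:latest`, while README.MD in [PATCH 07/17] uses `webgoat/goatandwolf:v8.2.1`. Use a versioned tag here as well, so both documents start the same image of a deliberately insecure application.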
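Review bot: in [PATCH 10/17], README.MD, the new port-mapping hint pairs the WebWolf port with the WebGoat path: `127.0.0.1:7777:9090` maps WebWolf, so the URL should be `http://localhost:7777/WebWolf`, not `http://localhost:7777/WebGoat`. Keeping the `127.0.0.1:` prefix in that example is the right call, since it keeps the remapped port off external interfaces.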
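Review bot: in [PATCH 11/17], docker/start.sh, the six `--add-opens ...=ALL-UNNAMED` options open JDK-internal packages to all classpath code and the script does not say why. Add a comment tying them to the vulnerable-components (XStream) lesson, so they are not copied elsewhere or left behind when the lesson changes. The WebGoat command now quotes `"$1"`, but the WebWolf command visible in [PATCH 08/17] still passes `--webgoat.build.version=$1` unquoted; quote it too. Since the new NOTE in VulnerableComponents_content5a.adoc says the lesson only works in the Docker image, it would help to say there that the reason is these JVM options.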
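Review bot: in [PATCH 12/17], .github/workflows/release.yml, `uses: docker/build-push-action@v2.7.0` references a tag in the same job that reads `secrets.DOCKERHUB_TOKEN`. Pin the action to the full commit SHA of the v2.7.0 release and keep the version as a trailing comment, so a moved tag cannot change what runs with the registry credential.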
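Review bot: in [PATCH 16/17], SqlInjection_introduction_content4.adoc, deleting the incorrect `GRANT CREATE TABLE TO operator;` example leaves the GRANT and REVOKE bullets with no syntax example at all. Replace it with a statement that is valid for HSQLDB rather than dropping it; otherwise the new hint SqlStringInjectionHint5-4 is the only place the syntax appears. In SqlInjectionLesson5.java the reworded comment still reads "if user does not exists"; make it "does not exist".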
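Review bot: in [PATCH 17/17], CREATE_RELEASE.MD, the hunk drops the `mvn versions:set` and `git commit -am "New release, updating pom.xml"` steps without saying what now sets the version in pom.xml. State where that happens so the release procedure stays complete. In RELEASE_NOTES.md, "Docker image now supports nginx when browsing to http://localhost a landing page is shown." is a run-on; split it into two sentences.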