diff --git a/.gitignore b/.gitignore
index 85137d053..549b59a14 100644
--- a/.gitignore
+++ b/.gitignore
@@ -44,5 +44,10 @@ webgoat-server/mongo-data/*
 webgoat-lessons/vulnerable-components/dependency-reduced-pom.xml
 **/.sts4-cache/*
 **/.vscode/*
-
-/.sonatype
\ No newline at end of file
+**/.factorypath
+/.sonatype
+**/bin/*
+webgoat.lck
+webgoat.log
+webgoat.properties
+webgoat.script
\ No newline at end of file
diff --git a/.mvn/wrapper/maven-wrapper.properties b/.mvn/wrapper/maven-wrapper.properties
new file mode 100644
index 000000000..717934671
--- /dev/null
+++ b/.mvn/wrapper/maven-wrapper.properties
@@ -0,0 +1 @@
+distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.5.4/apache-maven-3.5.4-bin.zip
diff --git a/.travis.yml b/.travis.yml
index 46865c92f..792680eb5 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -2,7 +2,7 @@ services:
 - docker
 language: java
 jdk:
-- oraclejdk8
+- openjdk11
 install: "/bin/true"
 script:
 - export BRANCH=$(if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then echo $TRAVIS_BRANCH; else echo $TRAVIS_PULL_REQUEST_BRANCH; fi)
diff --git a/CREATE_RELEASE.MD b/CREATE_RELEASE.MD
index f9199020d..d7d566313 100644
--- a/CREATE_RELEASE.MD
+++ b/CREATE_RELEASE.MD
@@ -12,18 +12,14 @@ At the moment we use Gitflow, for a release you create a new release branch and ``` git checkout develop git flow release start -mvn versions:set < -git commit -am "New release, updaing pom.xml" +mvn versions:set < +git commit -am "New release, updating pom.xml" git flow release publish +git push --tags ``` -Now we can make a new release, be sure you committed all your changes. +Now Travis takes over and will create the release in Github and on Docker Hub. -``` -git tag v8.0.0.M15 -git push origin v8.0.0.M15 -``` - -Now Travis takes over and will create the release in Github and on Docker Hub. +NOTE: the `mvn versions:set` command above is just there to make sure the master branch contains the latest version
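Review bot: `distributionUrl` pins Maven 3.5.4 over HTTPS, but nothing in this file or in the new `mvnw` verifies what is downloaded: `mvnw` fetches `maven-wrapper-0.4.2.jar` with plain `wget`/`curl` from a URL it reads from this file (`wrapperUrl`, falling back to a hard-coded repo.maven.apache.org location) and then executes it, and the distribution zip named here is presumably fetched by that jar in the same unverified way. TLS is the only control, so a rewritten `wrapperUrl` in a later edit to this file, or a proxy/mirror in the path, changes what every developer and the Travis build run. Consider committing the wrapper jar next to this file, or moving to a wrapper version that supports checksum pinning of both artifacts, and treat any change to the URLs in this file as a review item.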
diff --git a/README.MD b/README.MD
index ccfee85bb..fd7831eb5 100644
--- a/README.MD
+++ b/README.MD
@@ -34,55 +34,42 @@ first thing that all hackers claim.* Download the latest WebGoat release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases) ```Shell -java -jar webgoat-server-<>.jar [--server.port=8080] [--server.address=localhost] +java -jar webgoat-server-8.0.0.VERSION.jar [--server.port=8080] [--server.address=localhost] ``` By default WebGoat starts on port 8080 with `--server.port` you can specify a different port. With `server.address` you can bind it to a different address (default localhost) +If you use Java 9 or higher you need to run WebGoat as follows: + +```Shell +java --add-modules java.xml.bind -jar webgoat-server-8.0.0.VERSION.jar +``` + ## 2. Run using Docker -From time to time we publish a new development preview of WebGoat 8 on Docker HUB, you can download this version -[https://hub.docker.com/r/webgoat/webgoat-8.0/](https://hub.docker.com/r/webgoat/webgoat-8.0/). -First install Docker, then open a command shell/window and type: +Every release is also published on [DockerHub]((https://hub.docker.com/r/webgoat/webgoat-8.0/)). -```Shell -docker pull webgoat/webgoat-8.0 -docker run -p 8080:8080 -it webgoat/webgoat-8.0 /home/webgoat/start.sh +### Using docker-compose + +The easiest way to start WebGoat as a Docker container is to use the `docker-compose.yml` [file](https://raw.githubusercontent.com/WebGoat/WebGoat/develop/docker-compose.yml) +from our Github repository. This will start both containers and it also takes care of setting up the +connection between WebGoat and WebWolf. 
+ +```shell +curl https://raw.githubusercontent.com/WebGoat/WebGoat/develop/docker-compose.yml | docker-compose -f - up ``` -If you want to keep the database between Docker sessions you need to map the WebGoat data directory to a -folder on the host system as follows: - -```Shell -docker run -p 8080:8080 -it -v /tmp/webgoat-data:/home/webgoat/.webgoat-${VERSION} webgoat/webgoat-8.0 /home/webgoat/start.sh -``` - -where `${VERSION}` is for example `v8.0.0.M14`. The data will now be stored in `/tmp/webgoat-data` on your host system. - -Wait for the Docker container to start, and run `docker ps` to verify it's running. - -- If you are using `docker-machine`, verify the machine IP using `docker-machine env` -- If you are using `boot2docker` on OSX, verify the IP by running `docker network inspect bridge` -- Otherwise, the host will be bound to localhost - -Once you have the IP and port, you'll want to navigate to the `/WebGoat` path in the URL. For example: - -``` -http://192.168.99.100:8080/WebGoat -``` - -Here you'll be able to register a new user and get started. - -_Please note: this version may not be completely in sync with the develop branch._ +**Important**: the current directory on your host will be mapped into the container for keeping state. +Using the `docker-compose` file will simplify getting WebGoat and WebWolf up and running. ## 3. Run from the sources ### Prerequisites: -* Java 8 +* Java 11 * Maven > 3.2.1 * Your favorite IDE * Git, or Git support in your IDE @@ -117,7 +104,7 @@ server.address=x.x.x.x # Vagrant -We supply a complete development environment using Vagrant, to run WebGoat with Vagrant you must first have Vagrant and Virtualbox installed. +We supply a complete environment using Vagrant, to run WebGoat with Vagrant you must first have Vagrant and Virtualbox installed. ```shell $ cd WebGoat/webgoat-images/vagrant-training 
@@ -125,7 +112,7 @@ We supply a complete environment using Vagrant, to run WebGoat with ``` Once the provisioning is complete login to the Virtualbox with username vagrant and password vagrant. -The source code will be available in the home directory. +WebGoat and WebWolf will automatically start when you login to this image. # Building a new Docker image
diff --git a/docker-compose-local.yml b/docker-compose-local.yml
new file mode 100644
index 000000000..d94544473
--- /dev/null
+++ b/docker-compose-local.yml
@@ -0,0 +1,13 @@
+version: '2.1'
+
+services:
+ webgoat:
+ image: webgoat/webgoat-v8.0.0.snapshot
+ extends:
+ file: docker-compose.yml
+ service: webgoat
+ webwolf:
+ extends:
+ file: docker-compose.yml
+ service: webwolf
+ image: webgoat/webwolf-v8.0.0.snapshot
\ No newline at end of file
diff --git a/docker-compose-postgres.yml b/docker-compose-postgres.yml
index 919cbd509..2ff77f0b5 100644
--- a/docker-compose-postgres.yml
+++ b/docker-compose-postgres.yml
@@ -12,6 +12,8 @@ services:
 - spring.datasource.password=webgoat
 - spring.datasource.driver-class-name=org.postgresql.Driver
 - spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL94Dialect
+ - webgoat.server.directory=/home/webgoat/.webgoat/
+ - webgoat.user.directory=/home/webgoat/.webgoat/
 ports:
 - "8080:8080"
 webwolf:
@@ -24,9 +26,11 @@ services:
 - spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL94Dialect
 ports:
 - "9090:9090"
- db:
- container_name: webgoat_db
- image: postgres:latest
+ webgoat_db:
+ image: postgres:9.4
+# Uncomment to store the state of the database on the host.
+# volumes:
+# - ./database:/var/lib/postgresql
 environment:
 - POSTGRES_PASSWORD=webgoat
 - POSTGRES_USER=webgoat
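Review bot: The `webgoat.server.directory` and `webgoat.user.directory` entries added in the first docker-compose-postgres.yml hunk point the webgoat service at `/home/webgoat/.webgoat/`, but no `volumes:` mapping for that path is visible in the service, so whatever WebGoat writes there disappears when the container is recreated, unlike `docker-compose.yml` in this same commit, which maps `.:/home/webgoat/.webgoat`. If that directory is meant to survive `docker-compose rm`, add the same mapping under the webgoat service, `volumes:` followed by `- .:/home/webgoat/.webgoat`; if it is deliberately ephemeral, a one-line comment saying so would spare the next reader the comparison. The enclosing `webgoat:` service definition starts above the hunk, so a mapping there may simply be out of view.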
@@ -6,24 +6,13 @@ services:
 environment:
 - WEBWOLF_HOST=webwolf
 - WEBWOLF_PORT=9090
- - spring.datasource.url=jdbc:hsqldb:hsql://webgoat_db:9001/webgoat
 ports:
 - "8080:8080"
- depends_on:
- - db
+ - "9001:9001"
+ volumes:
+ - .:/home/webgoat/.webgoat
 webwolf:
 image: webgoat/webwolf
- environment:
- - spring.datasource.url=jdbc:hsqldb:hsql://webgoat_db:9001/webgoat
 ports:
 - "9090:9090"
- depends_on:
- - db
- db:
- image: blacklabelops/hsqldb
- container_name: webgoat_db
- environment:
- - HSQLDB_TRACE=false
- - HSQLDB_SILENT=true
- - HSQLDB_DATABASE_NAME=webgoat
- - HSQLDB_DATABASE_ALIAS=webgoat
+ command: --spring.datasource.url=jdbc:hsqldb:hsql://webgoat:9001/webgoat --server.address=0.0.0.0
\ No newline at end of file
diff --git a/mvnw b/mvnw
new file mode 100755
index 000000000..5551fde8e
--- /dev/null
+++ b/mvnw
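Review bot: The new `- "9001:9001"` publishes the HSQLDB listener now living inside the webgoat container on every interface of the Docker host, while its only consumer is webwolf, which reaches it over the compose network by service name, as the new `command:` line's `jdbc:hsqldb:hsql://webgoat:9001/webgoat` shows. Unless a host-side database client is intended, drop the mapping, or restrict it to loopback with `- "127.0.0.1:9001:9001"` so the lesson database is not reachable from the LAN. Separately, webwolf now depends on webgoat having started that listener, but no `depends_on:` is declared for it, so a cold `docker-compose up` can have webwolf fail its first datasource connection; `depends_on:` with `- webgoat` under webwolf at least fixes the start order, and the new `scripts/start.sh` in this commit looks like the beginning of a readiness wait for the same problem.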
@@ -0,0 +1,286 @@ +#!/bin/sh +# ---------------------------------------------------------------------------- +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# ---------------------------------------------------------------------------- + +# ---------------------------------------------------------------------------- +# Maven2 Start Up Batch script +# +# Required ENV vars: +# ------------------ +# JAVA_HOME - location of a JDK home dir +# +# Optional ENV vars +# ----------------- +# M2_HOME - location of maven2's installed home dir +# MAVEN_OPTS - parameters passed to the Java VM when running Maven +# e.g. to debug Maven itself, use +# set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000 +# MAVEN_SKIP_RC - flag to disable loading of mavenrc files +# ---------------------------------------------------------------------------- + +if [ -z "$MAVEN_SKIP_RC" ] ; then + + if [ -f /etc/mavenrc ] ; then + . /etc/mavenrc + fi + + if [ -f "$HOME/.mavenrc" ] ; then + . "$HOME/.mavenrc" + fi + +fi + +# OS specific support. $var _must_ be set to either true or false. 
+cygwin=false; +darwin=false; +mingw=false +case "`uname`" in + CYGWIN*) cygwin=true ;; + MINGW*) mingw=true;; + Darwin*) darwin=true + # Use /usr/libexec/java_home if available, otherwise fall back to /Library/Java/Home + # See https://developer.apple.com/library/mac/qa/qa1170/_index.html + if [ -z "$JAVA_HOME" ]; then + if [ -x "/usr/libexec/java_home" ]; then + export JAVA_HOME="`/usr/libexec/java_home`" + else + export JAVA_HOME="/Library/Java/Home" + fi + fi + ;; +esac + +if [ -z "$JAVA_HOME" ] ; then + if [ -r /etc/gentoo-release ] ; then + JAVA_HOME=`java-config --jre-home` + fi +fi + +if [ -z "$M2_HOME" ] ; then + ## resolve links - $0 may be a link to maven's home + PRG="$0" + + # need this for relative symlinks + while [ -h "$PRG" ] ; do + ls=`ls -ld "$PRG"` + link=`expr "$ls" : '.*-> \(.*\)$'` + if expr "$link" : '/.*' > /dev/null; then + PRG="$link" + else + PRG="`dirname "$PRG"`/$link" + fi + done + + saveddir=`pwd` + + M2_HOME=`dirname "$PRG"`/.. + + # make it fully qualified + M2_HOME=`cd "$M2_HOME" && pwd` + + cd "$saveddir" + # echo Using m2 at $M2_HOME +fi + +# For Cygwin, ensure paths are in UNIX format before anything is touched +if $cygwin ; then + [ -n "$M2_HOME" ] && + M2_HOME=`cygpath --unix "$M2_HOME"` + [ -n "$JAVA_HOME" ] && + JAVA_HOME=`cygpath --unix "$JAVA_HOME"` + [ -n "$CLASSPATH" ] && + CLASSPATH=`cygpath --path --unix "$CLASSPATH"` +fi + +# For Mingw, ensure paths are in UNIX format before anything is touched +if $mingw ; then + [ -n "$M2_HOME" ] && + M2_HOME="`(cd "$M2_HOME"; pwd)`" + [ -n "$JAVA_HOME" ] && + JAVA_HOME="`(cd "$JAVA_HOME"; pwd)`" + # TODO classpath? +fi + +if [ -z "$JAVA_HOME" ]; then + javaExecutable="`which javac`" + if [ -n "$javaExecutable" ] && ! [ "`expr \"$javaExecutable\" : '\([^ ]*\)'`" = "no" ]; then + # readlink(1) is not available as standard on Solaris 10. + readLink=`which readlink` + if [ ! 
`expr "$readLink" : '\([^ ]*\)'` = "no" ]; then + if $darwin ; then + javaHome="`dirname \"$javaExecutable\"`" + javaExecutable="`cd \"$javaHome\" && pwd -P`/javac" + else + javaExecutable="`readlink -f \"$javaExecutable\"`" + fi + javaHome="`dirname \"$javaExecutable\"`" + javaHome=`expr "$javaHome" : '\(.*\)/bin'` + JAVA_HOME="$javaHome" + export JAVA_HOME + fi + fi +fi + +if [ -z "$JAVACMD" ] ; then + if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD="$JAVA_HOME/jre/sh/java" + else + JAVACMD="$JAVA_HOME/bin/java" + fi + else + JAVACMD="`which java`" + fi +fi + +if [ ! -x "$JAVACMD" ] ; then + echo "Error: JAVA_HOME is not defined correctly." >&2 + echo " We cannot execute $JAVACMD" >&2 + exit 1 +fi + +if [ -z "$JAVA_HOME" ] ; then + echo "Warning: JAVA_HOME environment variable is not set." +fi + +CLASSWORLDS_LAUNCHER=org.codehaus.plexus.classworlds.launcher.Launcher + +# traverses directory structure from process work directory to filesystem root +# first directory with .mvn subdirectory is considered project base directory +find_maven_basedir() { + + if [ -z "$1" ] + then + echo "Path not specified to find_maven_basedir" + return 1 + fi + + basedir="$1" + wdir="$1" + while [ "$wdir" != '/' ] ; do + if [ -d "$wdir"/.mvn ] ; then + basedir=$wdir + break + fi + # workaround for JBEAP-8937 (on Solaris 10/Sparc) + if [ -d "${wdir}" ]; then + wdir=`cd "$wdir/.."; pwd` + fi + # end of workaround + done + echo "${basedir}" +} + +# concatenates all lines of a file +concat_lines() { + if [ -f "$1" ]; then + echo "$(tr -s '\n' ' ' < "$1")" + fi +} + +BASE_DIR=`find_maven_basedir "$(pwd)"` +if [ -z "$BASE_DIR" ]; then + exit 1; +fi + +########################################################################################## +# Extension to allow automatically downloading the maven-wrapper.jar from Maven-central +# This allows using the maven wrapper in projects that prohibit 
checking in binary data. +########################################################################################## +if [ -r "$BASE_DIR/.mvn/wrapper/maven-wrapper.jar" ]; then + if [ "$MVNW_VERBOSE" = true ]; then + echo "Found .mvn/wrapper/maven-wrapper.jar" + fi +else + if [ "$MVNW_VERBOSE" = true ]; then + echo "Couldn't find .mvn/wrapper/maven-wrapper.jar, downloading it ..." + fi + jarUrl="https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.4.2/maven-wrapper-0.4.2.jar" + while IFS="=" read key value; do + case "$key" in (wrapperUrl) jarUrl="$value"; break ;; + esac + done < "$BASE_DIR/.mvn/wrapper/maven-wrapper.properties" + if [ "$MVNW_VERBOSE" = true ]; then + echo "Downloading from: $jarUrl" + fi + wrapperJarPath="$BASE_DIR/.mvn/wrapper/maven-wrapper.jar" + + if command -v wget > /dev/null; then + if [ "$MVNW_VERBOSE" = true ]; then + echo "Found wget ... using wget" + fi + wget "$jarUrl" -O "$wrapperJarPath" + elif command -v curl > /dev/null; then + if [ "$MVNW_VERBOSE" = true ]; then + echo "Found curl ... using curl" + fi + curl -o "$wrapperJarPath" "$jarUrl" + else + if [ "$MVNW_VERBOSE" = true ]; then + echo "Falling back to using Java to download" + fi + javaClass="$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.java" + if [ -e "$javaClass" ]; then + if [ ! -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then + if [ "$MVNW_VERBOSE" = true ]; then + echo " - Compiling MavenWrapperDownloader.java ..." + fi + # Compiling the Java class + ("$JAVA_HOME/bin/javac" "$javaClass") + fi + if [ -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then + # Running the downloader + if [ "$MVNW_VERBOSE" = true ]; then + echo " - Running MavenWrapperDownloader.java ..." 
+ fi + ("$JAVA_HOME/bin/java" -cp .mvn/wrapper MavenWrapperDownloader "$MAVEN_PROJECTBASEDIR") + fi + fi + fi +fi +########################################################################################## +# End of extension +########################################################################################## + +export MAVEN_PROJECTBASEDIR=${MAVEN_BASEDIR:-"$BASE_DIR"} +if [ "$MVNW_VERBOSE" = true ]; then + echo $MAVEN_PROJECTBASEDIR +fi +MAVEN_OPTS="$(concat_lines "$MAVEN_PROJECTBASEDIR/.mvn/jvm.config") $MAVEN_OPTS" + +# For Cygwin, switch paths to Windows format before running java +if $cygwin; then + [ -n "$M2_HOME" ] && + M2_HOME=`cygpath --path --windows "$M2_HOME"` + [ -n "$JAVA_HOME" ] && + JAVA_HOME=`cygpath --path --windows "$JAVA_HOME"` + [ -n "$CLASSPATH" ] && + CLASSPATH=`cygpath --path --windows "$CLASSPATH"` + [ -n "$MAVEN_PROJECTBASEDIR" ] && + MAVEN_PROJECTBASEDIR=`cygpath --path --windows "$MAVEN_PROJECTBASEDIR"` +fi + +WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain + +exec "$JAVACMD" \ + $MAVEN_OPTS \ + -classpath "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar" \ + "-Dmaven.home=${M2_HOME}" "-Dmaven.multiModuleProjectDirectory=${MAVEN_PROJECTBASEDIR}" \ + ${WRAPPER_LAUNCHER} $MAVEN_CONFIG "$@" diff --git a/mvnw.cmd b/mvnw.cmd new file mode 100644 index 000000000..e5cfb0ae9 --- /dev/null +++ b/mvnw.cmd 
@@ -0,0 +1,161 @@ +@REM ---------------------------------------------------------------------------- +@REM Licensed to the Apache Software Foundation (ASF) under one +@REM or more contributor license agreements. See the NOTICE file +@REM distributed with this work for additional information +@REM regarding copyright ownership. The ASF licenses this file +@REM to you under the Apache License, Version 2.0 (the +@REM "License"); you may not use this file except in compliance +@REM with the License. You may obtain a copy of the License at +@REM +@REM http://www.apache.org/licenses/LICENSE-2.0 +@REM +@REM Unless required by applicable law or agreed to in writing, +@REM software distributed under the License is distributed on an +@REM "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +@REM KIND, either express or implied. See the License for the +@REM specific language governing permissions and limitations +@REM under the License. +@REM ---------------------------------------------------------------------------- + +@REM ---------------------------------------------------------------------------- +@REM Maven2 Start Up Batch script +@REM +@REM Required ENV vars: +@REM JAVA_HOME - location of a JDK home dir +@REM +@REM Optional ENV vars +@REM M2_HOME - location of maven2's installed home dir +@REM MAVEN_BATCH_ECHO - set to 'on' to enable the echoing of the batch commands +@REM MAVEN_BATCH_PAUSE - set to 'on' to wait for a key stroke before ending +@REM MAVEN_OPTS - parameters passed to the Java VM when running Maven +@REM e.g. 
to debug Maven itself, use +@REM set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000 +@REM MAVEN_SKIP_RC - flag to disable loading of mavenrc files +@REM ---------------------------------------------------------------------------- + +@REM Begin all REM lines with '@' in case MAVEN_BATCH_ECHO is 'on' +@echo off +@REM set title of command window +title %0 +@REM enable echoing my setting MAVEN_BATCH_ECHO to 'on' +@if "%MAVEN_BATCH_ECHO%" == "on" echo %MAVEN_BATCH_ECHO% + +@REM set %HOME% to equivalent of $HOME +if "%HOME%" == "" (set "HOME=%HOMEDRIVE%%HOMEPATH%") + +@REM Execute a user defined script before this one +if not "%MAVEN_SKIP_RC%" == "" goto skipRcPre +@REM check for pre script, once with legacy .bat ending and once with .cmd ending +if exist "%HOME%\mavenrc_pre.bat" call "%HOME%\mavenrc_pre.bat" +if exist "%HOME%\mavenrc_pre.cmd" call "%HOME%\mavenrc_pre.cmd" +:skipRcPre + +@setlocal + +set ERROR_CODE=0 + +@REM To isolate internal variables from possible post scripts, we use another setlocal +@setlocal + +@REM ==== START VALIDATION ==== +if not "%JAVA_HOME%" == "" goto OkJHome + +echo. +echo Error: JAVA_HOME not found in your environment. >&2 +echo Please set the JAVA_HOME variable in your environment to match the >&2 +echo location of your Java installation. >&2 +echo. +goto error + +:OkJHome +if exist "%JAVA_HOME%\bin\java.exe" goto init + +echo. +echo Error: JAVA_HOME is set to an invalid directory. >&2 +echo JAVA_HOME = "%JAVA_HOME%" >&2 +echo Please set the JAVA_HOME variable in your environment to match the >&2 +echo location of your Java installation. >&2 +echo. +goto error + +@REM ==== END VALIDATION ==== + +:init + +@REM Find the project base dir, i.e. the directory that contains the folder ".mvn". +@REM Fallback to current working directory if not found. 
+ +set MAVEN_PROJECTBASEDIR=%MAVEN_BASEDIR% +IF NOT "%MAVEN_PROJECTBASEDIR%"=="" goto endDetectBaseDir + +set EXEC_DIR=%CD% +set WDIR=%EXEC_DIR% +:findBaseDir +IF EXIST "%WDIR%"\.mvn goto baseDirFound +cd .. +IF "%WDIR%"=="%CD%" goto baseDirNotFound +set WDIR=%CD% +goto findBaseDir + +:baseDirFound +set MAVEN_PROJECTBASEDIR=%WDIR% +cd "%EXEC_DIR%" +goto endDetectBaseDir + +:baseDirNotFound +set MAVEN_PROJECTBASEDIR=%EXEC_DIR% +cd "%EXEC_DIR%" + +:endDetectBaseDir + +IF NOT EXIST "%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config" goto endReadAdditionalConfig + +@setlocal EnableExtensions EnableDelayedExpansion +for /F "usebackq delims=" %%a in ("%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config") do set JVM_CONFIG_MAVEN_PROPS=!JVM_CONFIG_MAVEN_PROPS! %%a +@endlocal & set JVM_CONFIG_MAVEN_PROPS=%JVM_CONFIG_MAVEN_PROPS% + +:endReadAdditionalConfig + +SET MAVEN_JAVA_EXE="%JAVA_HOME%\bin\java.exe" +set WRAPPER_JAR="%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.jar" +set WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain + +set DOWNLOAD_URL="https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.4.2/maven-wrapper-0.4.2.jar" +FOR /F "tokens=1,2 delims==" %%A IN (%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties) DO ( + IF "%%A"=="wrapperUrl" SET DOWNLOAD_URL=%%B +) + +@REM Extension to allow automatically downloading the maven-wrapper.jar from Maven-central +@REM This allows using the maven wrapper in projects that prohibit checking in binary data. +if exist %WRAPPER_JAR% ( + echo Found %WRAPPER_JAR% +) else ( + echo Couldn't find %WRAPPER_JAR%, downloading it ... 
+ echo Downloading from: %DOWNLOAD_URL% + powershell -Command "(New-Object Net.WebClient).DownloadFile('%DOWNLOAD_URL%', '%WRAPPER_JAR%')" + echo Finished downloading %WRAPPER_JAR% +) +@REM End of extension + +%MAVEN_JAVA_EXE% %JVM_CONFIG_MAVEN_PROPS% %MAVEN_OPTS% %MAVEN_DEBUG_OPTS% -classpath %WRAPPER_JAR% "-Dmaven.multiModuleProjectDirectory=%MAVEN_PROJECTBASEDIR%" %WRAPPER_LAUNCHER% %MAVEN_CONFIG% %* +if ERRORLEVEL 1 goto error +goto end + +:error +set ERROR_CODE=1 + +:end +@endlocal & set ERROR_CODE=%ERROR_CODE% + +if not "%MAVEN_SKIP_RC%" == "" goto skipRcPost +@REM check for post script, once with legacy .bat ending and once with .cmd ending +if exist "%HOME%\mavenrc_post.bat" call "%HOME%\mavenrc_post.bat" +if exist "%HOME%\mavenrc_post.cmd" call "%HOME%\mavenrc_post.cmd" +:skipRcPost + +@REM pause the script if MAVEN_BATCH_PAUSE is set to 'on' +if "%MAVEN_BATCH_PAUSE%" == "on" pause + +if "%MAVEN_TERMINATE_CMD%" == "on" exit %ERROR_CODE% + +exit /B %ERROR_CODE% diff --git a/pom.xml b/pom.xml index aa855b919..dba2c4440 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat webgoat-parent pom - v8.0.0.M20 + v8.0.0.M22 WebGoat Parent Pom Parent Pom for the WebGoat Project. A deliberately insecure Web Application @@ -21,7 +21,7 @@ org.springframework.boot spring-boot-starter-parent - 1.5.12.RELEASE + 1.5.18.RELEASE @@ -107,9 +107,6 @@ - 1.8 - 1.8 - UTF-8 UTF-8 @@ -129,7 +126,7 @@ 2.1 0.5 1.3.1 - 2.4 + 2.6 3.4 4.0.0 2.2.5 @@ -141,30 +138,25 @@ 2.6.3 2.6.3 6.0 - 1.2 + 1.3 1.7.12 1.3.1 4.12 + 1.18.4 1.5.4 - 3.3 - 2.19 + 3.8.0 + 2.22.0 1.6 2.6 2.10.4 2.5.2 3.0.1 - 2.19 + 2.22.0 1.6.6 2.11.7 2.1.20 2.48.2 3.2.4.RELEASE - 1.1.2 - 3.0.5 - 7.0.65 - 2.3-SNAPSHOT - 3.5.1 - 1.6.3 
@@ -200,105 +192,12 @@ - - - release - - - org.owasp.webgoat.lesson - dist - 1.0 - zip - provided - plugins - - - - - - org.apache.maven.plugins - maven-dependency-plugin - - - unpack-lesson - - unpack-dependencies - - generate-resources - - - ${project.basedir}/webgoat-container/src/main/webapp/plugin_lessons - - dist - *.jar - - - - - - org.sonatype.plugins - nexus-staging-maven-plugin - ${nexus-staging-maven-plugin.version} - true - - ossrh - https://oss.sonatype.org/ - false - - - - org.apache.maven.plugins - maven-source-plugin - ${maven-source-plugin.version} - - - attach-sources - - jar-no-fork - - - - - - org.apache.maven.plugins - maven-javadoc-plugin - ${maven-javadoc-plugin.version} - - - attach-javadocs - - jar - - - - - - org.apache.maven.plugins - maven-gpg-plugin - ${maven-gpg-plugin.version} - - - sign-artifacts - verify - - sign - - - WebGoat - - - - - - - - - org.projectlombok lombok provided + ${lombok.version} true @@ -306,10 +205,25 @@ commons-exec 1.3 + + javax.xml.bind + jaxb-api + 2.3.0 + + + org.apache.maven.plugins + maven-compiler-plugin + ${maven-compiler-plugin.version} + + 11 + 11 + UTF-8 + + org.apache.maven.plugins maven-release-plugin @@ -342,15 +256,6 @@ true - - com.versioneye - versioneye-maven-plugin - ${versioneye-maven-plugin.version} - - a1e4a9da4ed34ee44cab - 562da95be346d7000e0369ac - - diff --git a/scripts/build-all.sh b/scripts/build-all.sh old mode 100644 new mode 100755 index a4430802e..319854ac2 --- a/scripts/build-all.sh +++ b/scripts/build-all.sh 
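Review bot: The last hunk deletes the versioneye-maven-plugin block together with the two values `a1e4a9da4ed34ee44cab` and `562da95be346d7000e0369ac`, which look like that plugin's API key and project id; removing them from the tree does not remove them from git history, so every clone and every tag of this repository still carries them. If the key is still valid at the service it should be revoked or rotated, and credentials of this kind belong in CI secrets or a `settings.xml` outside the repository rather than in `pom.xml`. The `release` profile removed in the first hunk also carried the `maven-gpg-plugin` `sign-artifacts` execution; since `CREATE_RELEASE.MD` now hands releasing to Travis, it would help to note there where, if anywhere, release artifacts are signed now.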
@@ -7,21 +7,23 @@ SUCCESS=$? nc -zv 127.0.0.1 9090 2>/dev/null SUCCESS=${SUCCESS}$? -if [[ "${SUCCESS}" -eq 00 ]] ; then +if [[ "${SUCCESS}" -eq 0 ]] ; then echo "WebGoat and or WebWolf are still running, please stop them first otherwise unit tests might fail!" exit 127 fi -#mvn clean install -#if [[ "$?" -ne 0 ]] ; then -# exit y$? -#fi +sh mvnw clean install +if [[ "$?" -ne 0 ]] ; then + exit y$? +fi cd - sh build_docker.sh +if [[ "$?" -ne 0 ]] ; then + exit y$? +fi -echo "Do you want to run docker-compose?" while true; do read -p "Do you want to run docker-compose?" yn case ${yn} in @@ -29,4 +31,4 @@ while true; do [Nn]* ) exit;; * ) echo "Please answer yes or no.";; esac -done \ No newline at end of file +done diff --git a/scripts/build_docker.sh b/scripts/build_docker.sh index f63329476..ec5f28d9f 100644 --- a/scripts/build_docker.sh +++ b/scripts/build_docker.sh @@ -2,9 +2,9 @@ WEBGOAT_HOME=$(pwd)/../ -cd ${WEBGOAT_HOME}/webgoat-server -docker build -t webgoat/webgoat-8.0 . +cd "${WEBGOAT_HOME}"/webgoat-server +docker build -t webgoat/webgoat-v8.0.0.snapshot . -cd ${WEBGOAT_HOME}/webwolf -docker build -t webgoat/webwolf . +cd "${WEBGOAT_HOME}"/webwolf +docker build -t webgoat/webwolf-v8.0.0.snapshot . diff --git a/scripts/clean-run-docker-compose.sh b/scripts/clean-run-docker-compose.sh index c804d8d36..b1e493b87 100644 --- a/scripts/clean-run-docker-compose.sh +++ b/scripts/clean-run-docker-compose.sh @@ -2,4 +2,4 @@ cd .. docker-compose rm -f -docker-compose up +docker-compose -f docker-compose-local.yml up diff --git a/scripts/start.sh b/scripts/start.sh new file mode 100644 index 000000000..3380882af --- /dev/null +++ b/scripts/start.sh 
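Review bot: `exit y$?` in the two new failure branches of build-all.sh is not a valid exit status: `y1` makes bash print `numeric argument required` and exit with 2, and `$?` inside the `if` body is the status of the `[[ ]]` test (always 0), not of `sh mvnw clean install` or `sh build_docker.sh`, so the real build status is never propagated. Replace each `if`/`exit`/`fi` triple with one line, `sh mvnw clean install || exit $?` and `sh build_docker.sh || exit $?`. The changed port check `[[ "${SUCCESS}" -eq 0 ]]` also only trips when both `nc` probes succeed (`00`); with `01` or `10` the script carries on although the message says "WebGoat and or WebWolf", so `[[ "${SUCCESS}" != "11" ]]` matches the stated intent.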
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+DATABASE_PORT=9001
+
+checkDatabaseAvailable(){
+
+ #for i in $(seq 1 5); do command && s=0 && break || s=$? && sleep 15; done; (exit $s)
+ local started = $(netstat -lnt | grep ${DATABASE_PORT})
+ echo $?
+}
+
+#java -Djava.security.egd=file:/dev/./urandom -jar home/webgoat/webgoat.jar --server.address=0.0.0.0
+$(checkDatabaseAvailable)
+
+
+#java -Djava.security.egd=file:/dev/./urandom -jar /home/webwolf/webwolf.jar --server.port=9090 --server.address=0.0.0.0
+
+
diff --git a/webgoat-container/pom.xml b/webgoat-container/pom.xml
index 8821d469d..347f7e6b1 100644
--- a/webgoat-container/pom.xml
+++ b/webgoat-container/pom.xml
@@ -10,7 +10,7 @@ org.owasp.webgoat webgoat-parent - v8.0.0.M20 + v8.0.0.M22
@@ -64,16 +64,6 @@ false - - org.apache.maven.plugins - maven-compiler-plugin - ${maven-compiler-plugin.version} - - 1.8 - 1.8 - ISO-8859-1 - - org.apache.maven.plugins maven-surefire-plugin
@@ -191,7 +181,9 @@ junit ${junit.version} jar + test +
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java b/webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java
index ecb80bd43..df4c11e0b 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java
@@ -37,6 +37,7 @@ import org.asciidoctor.Asciidoctor;
 import org.asciidoctor.extension.JavaExtensionRegistry;
 import org.owasp.webgoat.asciidoc.WebGoatVersionMacro;
 import org.owasp.webgoat.asciidoc.WebWolfMacro;
+import org.owasp.webgoat.asciidoc.WebWolfRootMacro;
 import org.owasp.webgoat.i18n.Language;
 import org.thymeleaf.TemplateProcessingParameters;
 import org.thymeleaf.resourceresolver.IResourceResolver;
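Review bot: `local started = $(netstat -lnt | grep ${DATABASE_PORT})` in `checkDatabaseAvailable` is broken twice over: with spaces around `=`, `local` receives `started`, `=` and the grep output as separate names and fails, and even as `local started=$(...)` the following `echo $?` reports the status of `local`, not of `grep`. The call site `$(checkDatabaseAvailable)` then runs whatever the function printed as a command. A working shape is `checkDatabaseAvailable(){ netstat -lnt | grep -q ":${DATABASE_PORT} "; }` used by return status, e.g. `until checkDatabaseAvailable; do sleep 5; done`, with the port anchored so `19001` or a remote-address match does not count. Since both java launch lines are still commented out, a header comment stating that this script is unfinished and which container image is meant to run it would help the next reader.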
@@ -87,6 +88,7 @@ public class AsciiDoctorTemplateResolver extends TemplateResolver { StringWriter writer = new StringWriter(); JavaExtensionRegistry extensionRegistry = asciidoctor.javaExtensionRegistry(); extensionRegistry.inlineMacro("webWolfLink", WebWolfMacro.class); + extensionRegistry.inlineMacro("webWolfRootLink", WebWolfRootMacro.class); extensionRegistry.inlineMacro("webGoatVersion", WebGoatVersionMacro.class); asciidoctor.convert(new InputStreamReader(is), writer, createAttributes()); diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java b/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java index 7f81d63d1..2d655ce58 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java @@ -45,6 +45,10 @@ public class WebWolfMacro extends InlineMacroProcessor { HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest(); String ip = request.getRemoteAddr(); String hostname = StringUtils.hasText(ip) ? ip : host; - return "http://" + hostname + ":" + port + "/WebWolf"; + return "http://" + hostname + ":" + port + (includeWebWolfContext() ? "/WebWolf" : ""); + } + + protected boolean includeWebWolfContext() { + return true; } } diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfRootMacro.java b/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfRootMacro.java new file mode 100644 index 000000000..b188c2a66 --- /dev/null +++ b/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfRootMacro.java @@ -0,0 +1,20 @@ +package org.owasp.webgoat.asciidoc; + +import java.util.Map; + +/** + * Usage in asciidoc: + *
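Review bot: `includeWebWolfContext()` is a new protected extension point without Javadoc, and nothing tells a reader that a subclass overrides it to drop the context path. Add `/** Whether the generated link includes the {@code /WebWolf} context path; subclasses return {@code false} to link to root-level endpoints such as the landing page. */` above it. The method that builds the URL from the request starts outside the hunk.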

+ * webWolfLink:here[] will display a href with here as text + * webWolfLink:landing[noLink] will display the complete url, for example: http://WW_HOST:WW_PORT/landing + */ +public class WebWolfRootMacro extends WebWolfMacro { + + public WebWolfRootMacro(String macroName, Map config) { + super(macroName, config); + } + + protected boolean includeWebWolfContext() { + return false; + } +} diff --git a/webgoat-images/vagrant-training/Vagrantfile b/webgoat-images/vagrant-training/Vagrantfile index 4772a8904..47811f8a6 100644 --- a/webgoat-images/vagrant-training/Vagrantfile +++ b/webgoat-images/vagrant-training/Vagrantfile @@ -19,17 +19,17 @@ Vagrant.configure(2) do |config| end config.vm.provision "shell", inline: <<-SHELL - wget https://github.com/WebGoat/WebGoat/releases/download/v8.0.0.RELEASE/webgoat-server-8.0.0.RELEASE.jar - wget https://github.com/WebGoat/WebGoat/releases/download/v8.0.0.RELEASE/webwolf-8.0.0.RELEASE.jar + wget https://github.com/WebGoat/WebGoat/releases/download/v8.0.0.M21/webgoat-server-8.0.0.M21.jar + wget https://github.com/WebGoat/WebGoat/releases/download/v8.0.0.M21/webwolf-8.0.0.M21.jar sudo add-apt-repository ppa:openjdk-r/ppa sudo apt-get update sudo apt-get install openjdk-8-jre -y SHELL config.vm.provision "shell", run: "always", privileged: false, inline: <<-SHELL - java -jar webgoat-server-8.0.0.RELEASE.jar & + java -jar webgoat-server-8.0.0.M21.jar --server.address=0.0.0.0 & sleep 40s - java -jar webwolf-8.0.0.RELEASE.jar + java -jar webwolf-8.0.0.M21.jar --server.address=0.0.0.0 & SHELL end diff --git a/webgoat-lessons/auth-bypass/pom.xml b/webgoat-lessons/auth-bypass/pom.xml index 460175912..0f0a1085e 100644 --- a/webgoat-lessons/auth-bypass/pom.xml +++ b/webgoat-lessons/auth-bypass/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.M22 
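Review bot: the class Javadoc was copied from `WebWolfMacro` and documents `webWolfLink:here[]`, but this class is registered as `webWolfRootLink` (see the AsciiDoctorTemplateResolver hunk) and differs precisely in omitting `/WebWolf`; the usage line should read `webWolfRootLink:landing[noLink] will display the url without the /WebWolf context, for example: http://WW_HOST:WW_PORT/landing`. `includeWebWolfContext()` overrides a superclass method and should carry `@Override`, and `Map config` is a raw type — `Map<String, Object>` if that matches the superclass constructor, whose signature is not in view.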
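Review bot: the added `--server.address=0.0.0.0` makes both WebGoat and WebWolf listen on every interface of the VM; since these are deliberately vulnerable applications, whether that is reachable beyond the host depends on the `config.vm.network` settings, which are outside this hunk. If the box uses a bridged or public network, bind to the host-only address instead, or at least document the exposure with `# binds to all interfaces: keep this VM on a host-only/private network`. The jar URLs also move from `v8.0.0.RELEASE` back to `v8.0.0.M21`, which reads as a downgrade unless the RELEASE artifact was never published — worth confirming in the commit message.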
diff --git a/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/AccountVerificationHelper.java b/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/AccountVerificationHelper.java index dd9aaeee5..fe5b77828 100644 --- a/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/AccountVerificationHelper.java +++ b/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/AccountVerificationHelper.java @@ -58,7 +58,7 @@ public class AccountVerificationHelper { return false; } - if (submittedQuestions.containsKey("secQuestion1") && !submittedQuestions.get("seQuestion1").equals(secQuestionStore.get(verifyUserId).get("secQuestion1"))) { + if (submittedQuestions.containsKey("secQuestion1") && !submittedQuestions.get("secQuestion1").equals(secQuestionStore.get(verifyUserId).get("secQuestion1"))) { return false; } diff --git a/webgoat-lessons/bypass-restrictions/pom.xml b/webgoat-lessons/bypass-restrictions/pom.xml index 0d81dd53a..19d00f322 100755 --- a/webgoat-lessons/bypass-restrictions/pom.xml +++ b/webgoat-lessons/bypass-restrictions/pom.xml @@ -6,6 +6,6 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.M22 diff --git a/webgoat-lessons/challenge/pom.xml b/webgoat-lessons/challenge/pom.xml index 58f7f9daa..565a2e6c7 100644 --- a/webgoat-lessons/challenge/pom.xml +++ b/webgoat-lessons/challenge/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.M22 diff --git a/webgoat-lessons/client-side-filtering/pom.xml b/webgoat-lessons/client-side-filtering/pom.xml index 7f37c3064..51ab26b6c 100644 --- a/webgoat-lessons/client-side-filtering/pom.xml +++ b/webgoat-lessons/client-side-filtering/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.M22 diff --git a/webgoat-lessons/cross-site-scripting/pom.xml b/webgoat-lessons/cross-site-scripting/pom.xml index a18aa3720..b552ec05c 100644 
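Review bot: the key fix now lets the comparison reach `secQuestionStore.get(verifyUserId).get("secQuestion1")`, which throws a NullPointerException when `verifyUserId` is not in the store; whether an earlier branch already guards that is not visible because the enclosing method starts outside the hunk. The `containsKey` guard also means an answer that is simply omitted is never checked — if that is the intended weakness of this lesson, mark it with `// intentionally vulnerable: a missing secQuestion1 key skips the check` so the behaviour is recognisable as deliberate rather than as another typo.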
--- a/webgoat-lessons/cross-site-scripting/pom.xml +++ b/webgoat-lessons/cross-site-scripting/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.M22 diff --git a/webgoat-lessons/csrf/pom.xml b/webgoat-lessons/csrf/pom.xml index 49658a14c..46562563c 100644 --- a/webgoat-lessons/csrf/pom.xml +++ b/webgoat-lessons/csrf/pom.xml @@ -6,6 +6,6 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.M22 \ No newline at end of file diff --git a/webgoat-lessons/html-tampering/pom.xml b/webgoat-lessons/html-tampering/pom.xml index 47cf3df7b..0da8bb5d8 100755 --- a/webgoat-lessons/html-tampering/pom.xml +++ b/webgoat-lessons/html-tampering/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.M22 diff --git a/webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en/HtmlTampering_Mitigation.adoc b/webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en/HtmlTampering_Mitigation.adoc index 22eb72fa2..a7f238924 100755 --- a/webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en/HtmlTampering_Mitigation.adoc +++ b/webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en/HtmlTampering_Mitigation.adoc @@ -1,6 +1,6 @@ === Mitigation -In this simple example you noticed that the price is calculated server side and send to the server. The server +In this simple example you noticed that the price is calculated client-side and sent to the server. The server accepted the input as a given and did not calculate the price again. One of the mitigations in this case is to look up the price of the television in your database and calculate the total price again. diff --git a/webgoat-lessons/http-basics/pom.xml b/webgoat-lessons/http-basics/pom.xml index 9d112c91b..a20459465 100644 --- a/webgoat-lessons/http-basics/pom.xml +++ b/webgoat-lessons/http-basics/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.M22 
diff --git a/webgoat-lessons/http-proxies/pom.xml b/webgoat-lessons/http-proxies/pom.xml index 72aafac2f..fa45d71a5 100644 --- a/webgoat-lessons/http-proxies/pom.xml +++ b/webgoat-lessons/http-proxies/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.M22 diff --git a/webgoat-lessons/idor/pom.xml b/webgoat-lessons/idor/pom.xml index a147a7f9d..122f12cf5 100644 --- a/webgoat-lessons/idor/pom.xml +++ b/webgoat-lessons/idor/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.M22 \ No newline at end of file diff --git a/webgoat-lessons/insecure-deserialization/pom.xml b/webgoat-lessons/insecure-deserialization/pom.xml index cf9f62c28..4e7e294f1 100755 --- a/webgoat-lessons/insecure-deserialization/pom.xml +++ b/webgoat-lessons/insecure-deserialization/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.M22 diff --git a/webgoat-lessons/insecure-login/pom.xml b/webgoat-lessons/insecure-login/pom.xml index 7e392e4d5..cbe489fca 100755 --- a/webgoat-lessons/insecure-login/pom.xml +++ b/webgoat-lessons/insecure-login/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.M22 diff --git a/webgoat-lessons/jwt/pom.xml b/webgoat-lessons/jwt/pom.xml index ce32296b1..4850d85b6 100644 --- a/webgoat-lessons/jwt/pom.xml +++ b/webgoat-lessons/jwt/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.M22 diff --git a/webgoat-lessons/missing-function-ac/pom.xml b/webgoat-lessons/missing-function-ac/pom.xml index 7ac4b0b5f..12de5d3cb 100644 --- a/webgoat-lessons/missing-function-ac/pom.xml +++ b/webgoat-lessons/missing-function-ac/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.M22 
diff --git a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/Users.java b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/Users.java index 9b01ac3d5..29be436b7 100644 --- a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/Users.java +++ b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/Users.java @@ -1,6 +1,5 @@ package org.owasp.webgoat.plugin; -import com.sun.org.apache.xpath.internal.axes.HasPositionalPredChecker; import org.owasp.webgoat.assignments.Endpoint; import org.owasp.webgoat.session.DatabaseUtilities; import org.owasp.webgoat.session.UserSessionData; @@ -13,9 +12,6 @@ import org.springframework.web.bind.annotation.ResponseBody; import javax.servlet.http.HttpServletRequest; import java.sql.*; import java.util.HashMap; -import java.util.Map; - -import static javax.swing.UIManager.getString; public class Users extends Endpoint{ diff --git a/webgoat-lessons/password-reset/pom.xml b/webgoat-lessons/password-reset/pom.xml index ec760f813..b6c33f442 100644 --- a/webgoat-lessons/password-reset/pom.xml +++ b/webgoat-lessons/password-reset/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.M22 diff --git a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SimpleMailAssignment.java b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SimpleMailAssignment.java index bcd821743..a2c551687 100644 --- a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SimpleMailAssignment.java +++ b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SimpleMailAssignment.java 
@@ -4,7 +4,6 @@ import org.apache.commons.lang3.StringUtils; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; -import org.owasp.webgoat.plugin.PasswordResetEmail; import org.springframework.beans.factory.annotation.Value; import org.springframework.http.MediaType; import org.springframework.web.bind.annotation.PostMapping; @@ -14,8 +13,6 @@ import org.springframework.web.client.RestClientException; import org.springframework.web.client.RestTemplate; import java.time.LocalDateTime; -import java.util.Map; -import java.util.Optional; import static java.util.Optional.ofNullable; @@ -37,23 +34,10 @@ public class SimpleMailAssignment extends AssignmentEndpoint { @PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE) @ResponseBody - public AttackResult sendEmail(@RequestParam Map json) { - String email = (String) json.get("emailReset"); - if (StringUtils.isEmpty(email)) { - email = (String) json.getOrDefault("email", "unknown@webgoat.org"); - } - String password = (String) json.getOrDefault("password", ""); - int index = email.indexOf("@"); - String username = email.substring(0, index == -1 ? email.length() : index); + public AttackResult login(@RequestParam String email, @RequestParam String password) { + String emailAddress = ofNullable(email).orElse("unknown@webgoat.org"); + String username = extractUsername(emailAddress); - if (StringUtils.isEmpty(password)) { - return sendEmail(username, email); - } else { - return checkPassword(password, username); - } - } - - private AttackResult checkPassword(String password, String username) { if (username.equals(getWebSession().getUserName()) && StringUtils.reverse(username).equals(password)) { return trackProgress(success().build()); } else { 
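Review bot: `ofNullable(email).orElse("unknown@webgoat.org")` in `login` is dead code: `@RequestParam String email` is required by default, so Spring rejects a request without it with a 400 before the method runs and `email` can never be null here. The same applies to `emailReset` in `resetPassword` in the next hunk. Either declare the parameters `@RequestParam(required = false)` so the fallback is reachable, or drop the `ofNullable` and use the parameter directly; the `else` branch of `login` continues outside the hunk.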
@@ -61,6 +45,18 @@ public class SimpleMailAssignment extends AssignmentEndpoint { } } + @PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE, value = "/reset") + @ResponseBody + public AttackResult resetPassword(@RequestParam String emailReset) { + String email = ofNullable(emailReset).orElse("unknown@webgoat.org"); + return sendEmail(extractUsername(email), email); + } + + private String extractUsername(String email) { + int index = email.indexOf("@"); + return email.substring(0, index == -1 ? email.length() : index); + } + private AttackResult sendEmail(String username, String email) { if (username.equals(getWebSession().getUserName())) { PasswordResetEmail mailEvent = PasswordResetEmail.builder() diff --git a/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html b/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html index 708c4c07f..e8e00e828 100644 --- a/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html +++ b/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html @@ -14,16 +14,18 @@
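Review bot: `extractUsername` is undocumented and its contract is easy to misread; add `/** Returns the local part of {@code email}: everything before the first '@', or the whole string if there is no '@'. */`. `resetPassword` would also benefit from a one-line Javadoc noting that the mail is only sent when that local part matches the logged-in user — the check lives in `sendEmail`, whose body continues outside the hunk.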

-
-
-
-
+
+ +
+
+
-

Account +

+ Account Access

@@ -41,7 +43,8 @@ Access

- + Forgot your password?

@@ -49,6 +52,12 @@
+ + +
-
+
- +


diff --git a/webgoat-lessons/password-reset/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/password-reset/src/main/resources/i18n/WebGoatLabels.properties index 709165e15..063e1d3b5 100644 --- a/webgoat-lessons/password-reset/src/main/resources/i18n/WebGoatLabels.properties +++ b/webgoat-lessons/password-reset/src/main/resources/i18n/WebGoatLabels.properties @@ -15,7 +15,7 @@ password-reset-not-solved=Sorry but you did not redirect the reset link to WebWo password-reset-hint1=Try to send a password reset link to your own account at {user}@webgoat.org, you can read this e-mail in WebWolf. password-reset-hint2=Look at the link, can you think how the server creates this link? password-reset-hint3=Tom clicks all the links he receives in his mailbox, you can use the landing page in WebWolf to get the reset link... -password-reset-hint4=The link points to localhost:8080/PasswordReset/.... can you change the host to localhost:9090 +password-reset-hint4=The link points to localhost:8080/PasswordReset/.... can you change the host to localhost:9090? password-reset-hint5=Intercept the request and change the host header login_failed=Login failed login_failed.tom=Sorry only Tom can login at the moment \ No newline at end of file diff --git a/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_host_header.adoc b/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_host_header.adoc index 1daea2dc6..e3601c000 100644 --- a/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_host_header.adoc +++ b/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_host_header.adoc 
@@ -14,5 +14,5 @@ The time out is necessary to restrict the attack window, having a link opens up Tom always resets his password immediately after receiving the email with the link. Try to reset the password of Tom (tom@webgoat-cloud.org) to your own choice and login as Tom with -that password. +that password. Note: it is not possible to use OWASP ZAP for this lesson. diff --git a/webgoat-lessons/password-reset/src/main/resources/templates/password_reset.html b/webgoat-lessons/password-reset/src/main/resources/templates/password_reset.html index 28c7c2f58..a5c3647b7 100644 --- a/webgoat-lessons/password-reset/src/main/resources/templates/password_reset.html +++ b/webgoat-lessons/password-reset/src/main/resources/templates/password_reset.html @@ -9,7 +9,7 @@
-
+
@@ -29,4 +29,4 @@
- \ No newline at end of file + diff --git a/webgoat-lessons/pom.xml b/webgoat-lessons/pom.xml index e3e19e957..bb44f17ea 100644 --- a/webgoat-lessons/pom.xml +++ b/webgoat-lessons/pom.xml @@ -5,12 +5,12 @@ org.owasp.webgoat.lesson webgoat-lessons-parent pom - v8.0.0.M20 + v8.0.0.M22 org.owasp.webgoat webgoat-parent - v8.0.0.M20 + v8.0.0.M22 diff --git a/webgoat-lessons/sql-injection/pom.xml b/webgoat-lessons/sql-injection/pom.xml index 32bc48b23..ac6e19f53 100644 --- a/webgoat-lessons/sql-injection/pom.xml +++ b/webgoat-lessons/sql-injection/pom.xml @@ -6,6 +6,6 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.M22 \ No newline at end of file diff --git a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties index 409f69b6f..3b4a7ff59 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties +++ b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties 
@@ -20,14 +20,14 @@ SqlStringInjectionHint9=Intercept the request and try to specify a different ord SqlStringInjectionHint10=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens SqlStringInjectionHint11=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens -sql-injection.5a.success=You have succeed: {0} +sql-injection.5a.success=You have succeeded: {0} sql-injection.5a.no.results=No results matched. Try Again. -sql-injection.5b.success=You have succeed: {0} +sql-injection.5b.success=You have succeeded: {0} sql-injection.5b.no.results=No results matched. Try Again. -sql-injection.6a.success=You have succeed: {0} +sql-injection.6a.success=You have succeeded: {0} sql-injection.6a.no.results=No results matched. Try Again. -sql-injection.6b.success=You have succeed: {0} +sql-injection.6b.success=You have succeeded: {0} sql-injection.6b.no.results=No results matched. Try Again. diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_order_by.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_order_by.adoc index 6adb9156b..6e8ff54e0 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_order_by.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_order_by.adoc @@ -1,4 +1,5 @@ In this assignment try to perform an SQL injection through the ORDER BY field. -Try to find the ip address of the `webgoat-prd` server. +Try to find the ip address of the `webgoat-prd` server, guessing the complete +ip address might take too long so we give you the last part: `xxx.130.219.202` Note: The submit field of this assignment is *NOT* vulnerable for an SQL injection. \ No newline at end of file 
diff --git a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5aTest.java b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5aTest.java index d180ca0af..16a6db791 100644 --- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5aTest.java +++ b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5aTest.java @@ -63,7 +63,7 @@ public class SqlInjectionLesson5aTest extends LessonTest { .andExpect(status().isOk()) .andExpect(jsonPath("lessonCompleted", is(true))) - .andExpect(jsonPath("$.feedback", containsString("You have succeed"))) + .andExpect(jsonPath("$.feedback", containsString("You have succeeded"))) .andExpect(jsonPath("$.output").doesNotExist()); } @@ -77,4 +77,4 @@ public class SqlInjectionLesson5aTest extends LessonTest { .andExpect(jsonPath("$.feedback", containsString(messages.getMessage("assignment.not.solved")))) .andExpect(jsonPath("$.output", is("malformed string: '1''"))); } -} \ No newline at end of file +} diff --git a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12aTest.java b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12aTest.java index 6e089f236..cee8e8c13 100644 --- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12aTest.java +++ b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12aTest.java @@ -28,7 +28,7 @@ public class SqlInjectionLesson12aTest extends LessonTest { private WebgoatContext context; @Before - public void setup() throws Exception { + public void setup() { SqlInjection sql = new SqlInjection(); when(webSession.getCurrentLesson()).thenReturn(sql); 
@@ -44,6 +44,40 @@ public class SqlInjectionLesson12aTest extends LessonTest { .andExpect(status().isOk()); } + @Test + public void addressCorrectShouldOrderByHostname() throws Exception { + mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers") + .param("column", "CASE WHEN (SELECT ip FROM servers WHERE hostname='webgoat-prd') LIKE '104.%' THEN hostname ELSE id END")) + + .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc"))); + } + + @Test + public void addressCorrectShouldOrderByHostnameUsingSubstr() throws Exception { + mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers") + .param("column", "case when (select ip from servers where hostname='webgoat-prd' and substr(ip,1,1) = '1') IS NOT NULL then hostname else id end")) + + .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc"))); + + mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers") + .param("column", "case when (select ip from servers where hostname='webgoat-prd' and substr(ip,2,1) = '0') IS NOT NULL then hostname else id end")) + + .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc"))); + + mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers") + .param("column", "case when (select ip from servers where hostname='webgoat-prd' and substr(ip,3,1) = '4') IS NOT NULL then hostname else id end")) + + .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc"))); + } + + @Test + public void addressIncorrectShouldOrderByIdUsingSubstr() throws Exception { + mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers") + .param("column", "case when (select ip from servers where hostname='webgoat-prd' and substr(ip,1,1) = '9') IS NOT NULL then hostname else id end")) + + .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-dev"))); + } + @Test public void trueShouldSortByHostname() throws Exception { 
mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers") @@ -63,21 +97,13 @@ public class SqlInjectionLesson12aTest extends LessonTest { } @Test - public void passwordIncorrectShouldOrderByHostname() throws Exception { + public void addressIncorrectShouldOrderByHostname() throws Exception { mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers") .param("column", "CASE WHEN (SELECT ip FROM servers WHERE hostname='webgoat-prd') LIKE '192.%' THEN hostname ELSE id END")) .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-dev"))); } - @Test - public void passwordCorrectShouldOrderByHostname() throws Exception { - mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers") - .param("column", "CASE WHEN (SELECT ip FROM servers WHERE hostname='webgoat-prd') LIKE '104.%' THEN hostname ELSE id END")) - - .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc"))); - } - @Test public void postingCorrectAnswerShouldPassTheLesson() throws Exception { mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack12a") diff --git a/webgoat-lessons/vulnerable-components/pom.xml b/webgoat-lessons/vulnerable-components/pom.xml index b38a8e124..e04800aee 100644 --- a/webgoat-lessons/vulnerable-components/pom.xml +++ b/webgoat-lessons/vulnerable-components/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.M22 diff --git a/webgoat-lessons/webgoat-introduction/pom.xml b/webgoat-lessons/webgoat-introduction/pom.xml index 864d625a2..e12d7cf05 100644 --- a/webgoat-lessons/webgoat-introduction/pom.xml +++ b/webgoat-lessons/webgoat-introduction/pom.xml @@ -6,6 +6,6 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.M22 \ No newline at end of file diff --git a/webgoat-lessons/webwolf-introduction/pom.xml b/webgoat-lessons/webwolf-introduction/pom.xml index ef1890980..afffd26bf 100644 --- a/webgoat-lessons/webwolf-introduction/pom.xml 
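Review bot: `addressCorrectShouldOrderByHostnameUsingSubstr` issues three near-identical requests that differ only in the `substr` position and the expected digit; when the second or third fails the report names the whole test rather than the position. A loop over the (position, digit) pairs building the `column` parameter, or three separate tests, keeps the failure localized. `trueShouldSortByHostname` at the end of the hunk continues outside it.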
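Review bot: the renamed test `addressIncorrectShouldOrderByHostname` asserts that `$[0].hostname` is `webgoat-dev`, i.e. the ELSE branch ordering by id, so the name contradicts the assertion (the old `passwordIncorrectShouldOrderByHostname` name had the same flaw). Rename it `addressIncorrectShouldOrderById` to match its sibling `addressIncorrectShouldOrderByIdUsingSubstr` added earlier in this file.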
+++ b/webgoat-lessons/webwolf-introduction/pom.xml @@ -6,6 +6,6 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.M22 \ No newline at end of file diff --git a/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc b/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc index bf15f54c3..77f3f3452 100644 --- a/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc +++ b/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc @@ -23,8 +23,8 @@ website. The following items are supported in WebWolf: * Receiving email * Landing page for incoming requests -WebWolf runs as a separate web application and is started automatically when using the Docker image. If you -are not using the Docker image you will need to download the jar file and start it: +WebWolf runs as a separate web application. If you are using the Docker-compose file you can just point your browser webWolfLink:here[] to open WebWolf. +If you want to use the standalone version, you will need to download the jar file and start it: ``` java -jar webwolf-<>.jar [--server.port=9090] [--server.address=localhost] 
@@ -33,17 +33,7 @@ java -jar webwolf-<>.jar [--server.port=9090] [--server.address=localho By default WebWolf starts on port 9090 with `--server.port` you can specify a different port. With `server.address` you can bind it to a different address (default localhost) -WebWolf is also available as a Docker container, because it shares the database with WebGoat we first need -to find out the ip address of the Docker container. - -``` -WEBGOAT_SERVER_ADDRESS=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" `docker ps | grep webgoat | awk '{print $1}'`) -docker pull webgoat/webwolf -docker run -e webgoat.server.address=${WEBGOAT_SERVER_ADDRESS} -it -p 9090:9090 webgoat/webwolf /home/webwolf/run.sh -``` - -Note: if you start WebGoat as standalone application you need to start WebWolf as standalone application as well. If -you start WebGoat as Docker container you need to start WebWolf as Docker container as well. +Note: if you start WebGoat as standalone application you need to start WebWolf as standalone application as well. This will start the application on port 9090, click webWolfLink:here[] to open WebWolf. diff --git a/webgoat-lessons/xxe/pom.xml b/webgoat-lessons/xxe/pom.xml index 4351432b6..b5870e3b1 100644 --- a/webgoat-lessons/xxe/pom.xml +++ b/webgoat-lessons/xxe/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.M22 @@ -15,6 +15,11 @@ commons-lang 2.6 + + org.glassfish.jaxb + jaxb-runtime + 2.3.0 + com.github.tomakehurst diff --git a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc index 72c9e4886..e8cfe8f71 100644 --- a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc +++ b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc 
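Review bot: `jaxb-runtime` `2.3.0` is added to the xxe lesson with a hard-coded version while the rest of the commit moves the build to JDK 11 (Travis, Dockerfile), where JAXB is no longer part of the JDK; any other module that hits the same gap will pin its own copy. Declare it once in the parent's `dependencyManagement` (or via a version property) and reference it here without a version. Whether it should be `<scope>runtime</scope>` or test-only depends on where it is used, which is not visible here.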
@@ -5,7 +5,7 @@ Or the resource you are trying to read contains illegal XML character which caus Let's start with an example, in this case we reference an external DTD which we control on our own server. As an attacker you have WebWolf under your control (*this can be any server under your control.*), you can for example -use this server to ping it using `webWolfLink:landing[noLink]` +use this server to ping it using `webWolfRootLink:landing[noLink]` How do we use this endpoint to verify whether we can perform XXE? @@ -14,7 +14,7 @@ We can again use WebWolf to host a file called `attack.dtd`, create this file wi [source, subs="macros, specialcharacters"] ---- - + ---- Now submit the form change the xml using to: @@ -37,7 +37,7 @@ Now in WebWolf browse to 'Incoming requests' and you will see: ---- { "method" : "GET", - "path" : "/ping", + "path" : "/landing", "headers" : { "request" : { "user-agent" : "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0", diff --git a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc index dd5ae4194..168d26426 100644 --- a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc +++ b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc @@ -18,6 +18,6 @@ DTD. |`/home/webgoat/.webgoat-webGoatVersion:version[]/XXE/secret.txt` |=== -Try to upload this file using WebWolf landing page for example: `webWolfLink:landing?text=contents_file[noLink]` +Try to upload this file using WebWolf landing page for example: `webWolfRootLink:landing?text=contents_file[noLink]` (NOTE: this endpoint is under your full control) Once you obtained the contents of the file post it as a new comment on the page and you will solve the lesson. \ No newline at end of file 
diff --git a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_intro.adoc b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_intro.adoc index e269ec948..4b8b0f3f7 100644 --- a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_intro.adoc +++ b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_intro.adoc @@ -2,6 +2,7 @@ An XML Entity allows tags to be defined that will be replaced by content when the XML Document is parsed. In general there are three types of entities: + * internal entities * external entities * parameter entities. @@ -34,6 +35,7 @@ may be exploited by dereferencing a malicious URI, possibly allowing arbitrary c local resources that may not stop returning data, possibly impacting application availability if too many threads or processes are not released. In general we can distinguish the following kind of XXE attacks: + * Classic: in this case an external entity is included in a local DTD * Blind: no output and or errors are shown in the response * Error: try to get the content of a resource in the error message \ No newline at end of file diff --git a/webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/plugin/BlindSendFileAssignmentTest.java b/webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/plugin/BlindSendFileAssignmentTest.java index 621fdd1b3..606b51318 100644 --- a/webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/plugin/BlindSendFileAssignmentTest.java +++ b/webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/plugin/BlindSendFileAssignmentTest.java 
@@ -89,7 +89,34 @@ public class BlindSendFileAssignmentTest extends LessonTest { "%remote;" + "]>" + "test&send;"; + performXXE(xml); + } + @Test + public void solveOnlyParamReferenceEntityInExternalDTD() throws Exception { + File targetFile = new File(webGoatHomeDirectory, "/XXE/secret.txt"); + //Host DTD on WebWolf site + String dtd = "\n" + + "\">\n"; + webwolfServer.stubFor(get(WireMock.urlMatching("/files/test.dtd")) + .willReturn(aResponse() + .withStatus(200) + .withBody(dtd))); + webwolfServer.stubFor(get(urlMatching("/landing.*")).willReturn(aResponse().withStatus(200))); + + //Make the request from WebGoat + String xml = "" + + "\n" + + "" + + "%remote;" + + "%all;" + + "]>" + + "test&send;"; + performXXE(xml); + } + + private void performXXE(String xml) throws Exception { //Call with XXE injection mockMvc.perform(MockMvcRequestBuilders.post("/xxe/blind") .content(xml)) diff --git a/webgoat-server/Dockerfile b/webgoat-server/Dockerfile index 85562dba0..f1b910e52 100644 --- a/webgoat-server/Dockerfile +++ b/webgoat-server/Dockerfile @@ -1,6 +1,6 @@ -FROM openjdk:8-jre-slim +FROM openjdk:11.0.1-jre-slim-stretch -ARG webgoat_version=v8.0.0.SNAPSHOT +ARG webgoat_version=v8.0.0-SNAPSHOT RUN \ apt-get update && apt-get install && \ @@ -10,5 +10,7 @@ USER webgoat RUN cd /home/webgoat/; mkdir -p .webgoat-${webgoat_version} COPY target/webgoat-server-${webgoat_version}.jar /home/webgoat/webgoat.jar -ENTRYPOINT ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar", "/home/webgoat/webgoat.jar", "--server.address=0.0.0.0"] -EXPOSE 8080 \ No newline at end of file +EXPOSE 8080 + +ENTRYPOINT ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar", "/home/webgoat/webgoat.jar"] +CMD ["--server.port=8080", "--server.address=0.0.0.0"] \ No newline at end of file diff --git a/webgoat-server/pom.xml b/webgoat-server/pom.xml index 2f4447c55..1744d990c 100644 --- a/webgoat-server/pom.xml +++ b/webgoat-server/pom.xml 
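Review bot: The new test stubs `/landing.*` with a bare 200 but, within the hunk, never checks that the parser actually called back into WebWolf with the file contents; if `performXXE` (whose body continues past the end of the hunk) only asserts on the `/xxe/blind` response, an XML parser that quietly ignores the external DTD would still pass. Consider `webwolfServer.verify(getRequestedFor(urlMatching("/landing.*")));` right after `performXXE(xml);`, since the out-of-band fetch is the behaviour the lesson exists to demonstrate. The DTD and XML payload literals are unreadable on this page (markup stripped), so the entity wiring itself cannot be reviewed here.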
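Review bot: `openjdk:11.0.1-jre-slim-stretch` pins the runtime to a single JRE patch release on Debian stretch, so unlike the floating `openjdk:8-jre-slim` it replaces, later rebuilds will never pick up JDK or OS security fixes; the `apt-get install` in the context line below names no packages and there is no `apt-get upgrade`, so the image ships exactly what that tag contained on the day it was built. The intentionally vulnerable parts of WebGoat are the lessons, not the container runtime, so the base image need not be frozen. Consider `FROM openjdk:11-jre-slim` (optionally with an `@sha256:` digest for reproducibility) and a scheduled rebuild so the JRE keeps receiving patches.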
@@ -6,7 +6,7 @@ org.owasp.webgoat webgoat-parent - v8.0.0.M20 + v8.0.0.M22 @@ -203,11 +203,13 @@ - - org.springframework.boot - spring-boot-devtools - true - + + + + + + + org.postgresql postgresql diff --git a/webgoat-server/src/main/java/org/owasp/webgoat/HSQLDBDatabaseConfig.java b/webgoat-server/src/main/java/org/owasp/webgoat/HSQLDBDatabaseConfig.java index fe42f1c97..adcac776b 100644 --- a/webgoat-server/src/main/java/org/owasp/webgoat/HSQLDBDatabaseConfig.java +++ b/webgoat-server/src/main/java/org/owasp/webgoat/HSQLDBDatabaseConfig.java @@ -1,5 +1,6 @@ package org.owasp.webgoat; +import lombok.extern.slf4j.Slf4j; import org.hsqldb.server.Server; import org.springframework.beans.factory.annotation.Value; import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; @@ -17,6 +18,7 @@ import javax.sql.DataSource; * JVM. This can only be done if you start a standalone HSQLDB. We need both WebWolf and WebGoat to use the same database */ @Configuration +@Slf4j @ConditionalOnProperty(prefix = "webgoat.start", name = "hsqldb", havingValue = "true") public class HSQLDBDatabaseConfig { @@ -27,7 +29,7 @@ public class HSQLDBDatabaseConfig { public Server hsqlStandalone(@Value("${webgoat.server.directory}") String directory, @Value("${hsqldb.silent:true}") boolean silent, @Value("${hsqldb.trace:false}") boolean trace) { - + log.info("Starting internal database on port {} ...", hsqldbPort); Server server = new Server(); server.setDatabaseName(0, "webgoat"); server.setDatabasePath(0, directory + "/data/webgoat"); diff --git a/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java b/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java index 34bde941a..473114c0e 100644 --- a/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java +++ b/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java 
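Review bot: The added log line reports only the port, while the security-relevant property of this standalone HSQLDB server is the address it binds to: nothing in the hunk shows a `server.setAddress(...)` call, and without one HSQLDB listens on every interface, presumably with whatever credentials the shared `webgoat` database was created with. The class comment says the server exists so WebWolf can share the database, so wider reachability may be intended, but that should be stated rather than left implicit. Suggest logging it together with the port once `server` is configured, e.g. `log.info("Starting internal database on {}:{} ...", server.getAddress(), hsqldbPort);`, and a NOTE in the Javadoc that the listener is reachable from any host that can reach that port. `hsqlStandalone` continues past the end of the hunk, so a later `setAddress` call cannot be ruled out from here.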
@@ -24,17 +24,22 @@ */ package org.owasp.webgoat; +import lombok.extern.slf4j.Slf4j; import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; /** + * Main entry point, this project is here to get all the lesson jars included to the final jar file + * * @author nbaars * @date 2/21/17 */ @SpringBootApplication +@Slf4j public class StartWebGoat { public static void main(String[] args) { + log.info("Starting WebGoat with args: {}", args); SpringApplication.run(WebGoat.class, args); } } diff --git a/webwolf/Dockerfile b/webwolf/Dockerfile index 060f6ee9a..46598e803 100644 --- a/webwolf/Dockerfile +++ b/webwolf/Dockerfile @@ -1,6 +1,6 @@ -FROM openjdk:8-jre-slim +FROM openjdk:11.0.1-jre-slim-stretch -ARG webwolf_version=v8.0.0.SNAPSHOT +ARG webwolf_version=v8.0.0-SNAPSHOT RUN \ apt-get update && apt-get install && \ @@ -8,7 +8,9 @@ RUN \ USER webwolf COPY target/webwolf-${webwolf_version}.jar /home/webwolf/webwolf.jar - -ENTRYPOINT ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar", "/home/webwolf/webwolf.jar", "--server.port=9090", "--server.address=0.0.0.0"] +COPY start-webwolf.sh /home/webwolf EXPOSE 9090 + +ENTRYPOINT ["/home/webwolf/start-webwolf.sh"] +CMD ["--server.port=9090", "--server.address=0.0.0.0"] \ No newline at end of file diff --git a/webwolf/pom.xml b/webwolf/pom.xml index 8bcddea79..4a2e40c0a 100644 --- a/webwolf/pom.xml +++ b/webwolf/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat webgoat-parent - v8.0.0.M20 + v8.0.0.M22 @@ -26,7 +26,7 @@ commons-io commons-io - LATEST + ${commons-io.version} org.springframework.boot @@ -57,11 +57,13 @@ org.springframework.boot spring-boot-starter-data-jpa - - org.springframework.boot - spring-boot-devtools - true - + + + + + + + org.webjars @@ -103,9 +105,9 @@ maven-compiler-plugin ${maven-compiler-plugin.version} - 1.8 - 1.8 - ISO-8859-1 + 11 + 11 + UTF-8 
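Review bot: `log.info("Starting WebGoat with args: {}", args)` will not print the argument list: a `String[]` handed to SLF4J's `info(String, Object...)` is taken as the varargs array itself (javac warns about this as a non-varargs call with an inexact argument type), so only `args[0]` fills the placeholder and an empty `args` leaves a literal `{}` in the log; with the Dockerfile's two-element CMD only `--server.port=8080` would appear. Use `log.info("Starting WebGoat with args: {}", (Object) args);` or `Arrays.toString(args)` so the whole array is rendered. Separately, dumping every command-line argument at INFO persists anything sensitive passed that way (for example a `--spring.datasource.password=` override, if one is ever used); consider DEBUG level or redacting `password`/`secret`-style values before logging.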
diff --git a/webwolf/start-webwolf.sh b/webwolf/start-webwolf.sh
new file mode 100755
index 000000000..31f0235e4
--- /dev/null
+++ b/webwolf/start-webwolf.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# Script to start WebWolf, it needs a valid database connection from WebGoat so we wait 8 seconds before starting
+# WebWolf application
+
+echo " Waiting for database to be available..."
+sleep 8 && java -Djava.security.egd=file:/dev/./urandom -jar /home/webwolf/webwolf.jar $@
\ No newline at end of file
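Review bot: `$@` on the `sleep 8 && java ...` line is unquoted, so any argument containing whitespace or glob characters is re-split by the shell before it reaches Java, and because `java` is not `exec`ed it runs as a child of bash rather than as PID 1, so `docker stop` delivers SIGTERM to bash (which does not forward it) and the JVM is SIGKILLed after the grace period instead of shutting Spring down cleanly. Change the last line to `exec java -Djava.security.egd=file:/dev/./urandom -jar /home/webwolf/webwolf.jar "$@"`. The fixed 8-second sleep is also only a guess at WebGoat's start-up time; polling the HSQLDB port the comment alludes to would be more robust, but where that port is configured is not visible from this file.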