dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fixed posting flags towards the server

Browse Source
This commit is contained in:
Nanne Baars 2017-04-15 14:01:34 +02:00
parent 6f633a0f78
commit 7ff5503241
7 changed files with 83 additions and 74 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/Flag.java
View File

@ -1,11 +1,14 @@
package org.owasp.webgoat.plugin; package org.owasp.webgoat.plugin;
import com.google.common.collect.Maps; import com.google.common.collect.Maps;
import lombok.AllArgsConstructor;
import lombok.Getter;
import org.owasp.webgoat.assignments.Endpoint; import org.owasp.webgoat.assignments.Endpoint;
import org.owasp.webgoat.session.UserTracker; import org.owasp.webgoat.session.UserTracker;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus; import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.RequestParam;
@ -28,6 +31,12 @@ public class Flag extends Endpoint {
@Autowired @Autowired
private WebSession webSession; private WebSession webSession;
@AllArgsConstructor
private class FlagPosted {
@Getter
private boolean lessonCompleted;
}
@PostConstruct @PostConstruct
public void initFlags() { public void initFlags() {
IntStream.range(1, 4).forEach(i -> FLAGS.put(i, UUID.randomUUID().toString())); IntStream.range(1, 4).forEach(i -> FLAGS.put(i, UUID.randomUUID().toString()));
@ -38,12 +47,14 @@ public class Flag extends Endpoint {
return "challenge/flag"; return "challenge/flag";
} }
@RequestMapping(method = RequestMethod.POST) @RequestMapping(method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_VALUE)
@ResponseStatus(HttpStatus.OK) @ResponseStatus(HttpStatus.OK)
public void postFlag(@RequestParam String flag, @RequestParam int challengeNumber) { public void postFlag(@RequestParam String flag) {
String currentChallenge = webSession.getCurrentLesson().getName();
int challengeNumber = Integer.valueOf(currentChallenge.substring(currentChallenge.length() - 1, currentChallenge.length()));
String expectedFlag = FLAGS.get(challengeNumber); String expectedFlag = FLAGS.get(challengeNumber);
if (expectedFlag.equals(flag)) { if (expectedFlag.equals(flag)) {
userTracker.assignmentSolved(webSession.getCurrentLesson(), "Challenge" + challengeNumber); userTracker.assignmentSolved(webSession.getCurrentLesson(), "Assignment" + challengeNumber);
} else { } else {
userTracker.assignmentFailed(webSession.getCurrentLesson()); userTracker.assignmentFailed(webSession.getCurrentLesson());
} }

33
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/CommentsEndpoint.java
View File

@ -1,33 +0,0 @@
package org.owasp.webgoat.plugin.challenge3;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
/**
* @author nbaars
* @since 4/8/17.
*/
@RestController
@RequestMapping("challenge-comments")
public class CommentsEndpoint {
//
// private final WebSession webSession;
//
// public CommentsEndpoint(WebSession webSession) {
// this.webSession = webSession;
//
// }
//
//
//
//
//
// @PostMapping
// public Collection<Comment> addComment(String comment) {
// String s = StringUtils.abbreviate(comment, 100);
// comments.add(new Comment(webSession.getUserName(), DateTime.now().toString(), s));
// return comments;
// }
}

10
webgoat-lessons/challenge/src/main/resources/html/Challenge1.html
View File

@ -32,18 +32,22 @@
</div> </div>
</div> </div>
<form class="form-inline" method="POST" name="form" action="/WebGoat/challenge/flag"> <form class="attack-form form-inline" method="POST" name="form" action="/WebGoat/challenge/flag">
<div class="form-group"> <div class="form-group">
<div class="input-group"> <div class="input-group">
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true" <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
style="font-size:20px"></i></div> style="font-size:20px"></i></div>
<input type="text" class="form-control" id="flagInput1" <input type="text" class="form-control" id="flag" name="flag"
placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/> placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/>
</div> </div>
<div class="input-group" style="margin-top: 10px">
<button type="submit" class="btn btn-primary">Submit flag</button>
</div>
</div> </div>
<button type="submit" class="btn btn-primary">Submit flag</button>
</form> </form>
<br/> <br/>
<div class="attack-feedback"></div> <div class="attack-feedback"></div>
<div class="attack-output"></div> <div class="attack-output"></div>

25
webgoat-lessons/challenge/src/main/resources/html/Challenge2.html
View File

@ -85,19 +85,20 @@
</form> </form>
<br/> <br/>
<div> <form class="attack-form form-inline" method="POST" name="form" action="/WebGoat/challenge/flag">
<form class="form-inline" method="POST" name="form" action="/WebGoat/challenge/flag"> <div class="form-group">
<div class="form-group"> <div class="input-group">
<div class="input-group"> <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true" style="font-size:20px"></i></div>
style="font-size:20px"></i></div> <input type="text" class="form-control" id="flag" name="flag"
<input type="text" class="form-control" id="flagInpu2" placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/>
placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/>
</div>
</div> </div>
<button type="submit" class="btn btn-primary">Submit flag</button> <div class="input-group" style="margin-top: 10px">
</form> <button type="submit" class="btn btn-primary">Submit flag</button>
</div> </div>
</div>
</form>
<br/> <br/>
<div class="attack-feedback"></div> <div class="attack-feedback"></div>

17
webgoat-lessons/challenge/src/main/resources/html/Challenge3.html
View File

@ -35,7 +35,7 @@
<div class="input-group"> <div class="input-group">
<input class="form-control" id="commentInput" placeholder="Add a comment" type="text"/> <input class="form-control" id="commentInput" placeholder="Add a comment" type="text"/>
<span class="input-group-addon"> <span class="input-group-addon">
<i id="postComment" class="fa fa-edit"></i> <i id="postComment" class="fa fa-edit" style="font-size: 20px"></i>
</span> </span>
</div> </div>
<ul class="comments-list"> <ul class="comments-list">
@ -45,6 +45,21 @@
</div> </div>
</div> </div>
<form class="attack-form form-inline" method="POST" name="form" action="/WebGoat/challenge/flag">
<div class="form-group">
<div class="input-group">
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
style="font-size:20px"></i></div>
<input type="text" class="form-control" id="flag" name="flag"
placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/>
</div>
<div class="input-group" style="margin-top: 10px">
<button type="submit" class="btn btn-primary">Submit flag</button>
</div>
</div>
</form>
<br/> <br/>
<div class="attack-feedback"></div> <div class="attack-feedback"></div>

25
webgoat-lessons/challenge/src/main/resources/html/Challenge4.html
View File

@ -85,19 +85,20 @@
</form> </form>
<br/> <br/>
<div> <form class="attack-form form-inline" method="POST" name="form" action="/WebGoat/challenge/flag">
<form class="form-inline" method="POST" name="form" action="/WebGoat/challenge/flag"> <div class="form-group">
<div class="form-group"> <div class="input-group">
<div class="input-group"> <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true" style="font-size:20px"></i></div>
style="font-size:20px"></i></div> <input type="text" class="form-control" id="flag" name="flag"
<input type="text" class="form-control" placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/>
placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/>
</div>
</div> </div>
<button type="submit" class="btn btn-primary">Submit flag</button> <div class="input-group" style="margin-top: 10px">
</form> <button type="submit" class="btn btn-primary">Submit flag</button>
</div> </div>
</div>
</form>
<br/> <br/>
<div class="attack-feedback"></div> <div class="attack-feedback"></div>

30
webgoat-lessons/challenge/src/main/resources/js/challenge3.js
View File

@ -4,10 +4,15 @@ $(document).ready(function () {
$.ajax({ $.ajax({
type: 'POST', type: 'POST',
url: 'challenge/3', url: 'challenge/3',
data: JSON.stringify ({comment: commentInput}), data: JSON.stringify({comment: commentInput}),
contentType: "application/json", contentType: "application/json",
dataType: 'json' dataType: 'json'
}); }).then(
function () {
getChallenges();
$("#commentInput").val('');
}
)
}) })
var html = '<li class="comment">' + var html = '<li class="comment">' +
@ -23,13 +28,18 @@ $(document).ready(function () {
'</div>' + '</div>' +
'</li>'; '</li>';
$.get("challenge/3", function (result, status) { getChallenges();
for (var i = 0; i < result.length; i++) {
var comment = html.replace('USER', result[i].user);
comment = comment.replace('DATETIME', result[i].dateTime);
comment = comment.replace('COMMENT', result[i].comment);
$("#list").append(comment);
}
}); function getChallenges() {
$("#list").empty();
$.get("challenge/3", function (result, status) {
for (var i = 0; i < result.length; i++) {
var comment = html.replace('USER', result[i].user);
comment = comment.replace('DATETIME', result[i].dateTime);
comment = comment.replace('COMMENT', result[i].comment);
$("#list").append(comment);
}
});
}
}) })