From 80dae15f709e3c49be8d6ec245222edbd566d512 Mon Sep 17 00:00:00 2001 From: lawson89 Date: Wed, 11 Jun 2014 21:56:43 -0400 Subject: [PATCH] exclude web assets from spring security format reportBug.jsp --- java/org/owasp/webgoat/HammerHead.java | 3 +- webapp/WEB-INF/spring-security.xml | 4 + webapp/reportBug.jsp | 142 ++++++------- webapp/webgoat.jsp | 276 ++++++++++++------------- 4 files changed, 215 insertions(+), 210 deletions(-) diff --git a/java/org/owasp/webgoat/HammerHead.java b/java/org/owasp/webgoat/HammerHead.java index 14f446d32..e92137bde 100644 --- a/java/org/owasp/webgoat/HammerHead.java +++ b/java/org/owasp/webgoat/HammerHead.java @@ -180,7 +180,8 @@ public class HammerHead extends HttpServlet { request.getSession().setAttribute("course", mySession.getCourse()); String viewPage = getViewPage(mySession); logger.debug("Forwarding to view: " + viewPage); - request.getRequestDispatcher(viewPage).forward(request, response); + logger.debug("Screen: " + screen); + request.getRequestDispatcher(viewPage).forward(request, response); } catch (Throwable t) { logger.error("Error handling request", t); screen = new ErrorScreen(mySession, t); diff --git a/webapp/WEB-INF/spring-security.xml b/webapp/WEB-INF/spring-security.xml index 7036b0f66..009b8f2d3 100644 --- a/webapp/WEB-INF/spring-security.xml +++ b/webapp/WEB-INF/spring-security.xml @@ -11,6 +11,10 @@ NOTE: Without Spring security, HttpServletRequest.getUserPrincipal() returns null when called from pages under Spring's control. That method is used extensively in legacy webgoat code. Integrating Spring security into the application resolves this issue. --> + + + + diff --git a/webapp/reportBug.jsp b/webapp/reportBug.jsp index c1b098d57..917965bd9 100644 --- a/webapp/reportBug.jsp +++ b/webapp/reportBug.jsp 
@@ -1,71 +1,71 @@ -<%@ page contentType="text/html; charset=ISO-8859-1" language="java" - errorPage=""%> -<%@page import="org.owasp.webgoat.session.WebSession"%> -<% - WebSession webSession = ((WebSession) session - .getAttribute("websession")); -%> - - - - - -WebGoat V5.4 - - - - - -
-
-
-

Thank you for taking the time to improve WebGoat!

-

The lesson you were on was: <%=webSession.getCurrentLesson().getName()%>

-

There are several ways to report a bug, fix a bug, or get help.

- -To report a bug: -
    -
  1. File a WebGoat defect using Google Code - WebGoat Issues. Please be as specific as possible. If you have a - recommended solution for a bug, include the solution in the bug report.
  2. -
-To get help: -
    -
  1. Look in the FAQ, - the most common problems are in the FAQ. The FAQ also allows user comments, - but it is not monitored like the WebGoat mailing list.
  2. -
  3. Send an email to the WebGoat - mail list. The WebGoat mail list is the preferred method to ask for - help. It is likely that someone has already experienced the issue you - are seeing. In order to post to the list you must be subscribed - to the WebGoat Mail List.
  4. -
  5. Send an email to Bruce - Mayhew
  6. -
-To fix a bug, typo, or enhance WebGoat: -
    -
  1. Send an email to Bruce - Mayhew. This will start the discussion of getting you added to the WebGoat - Contributers List. Once you become a WebGoat contributor, you can fix - as many bugs/lessons as you desire.
  2. -
- - - -
-
- - +<%@ page contentType="text/html; charset=ISO-8859-1" language="java" + errorPage=""%> +<%@page import="org.owasp.webgoat.session.WebSession"%> +<% + WebSession webSession = ((WebSession) session + .getAttribute("websession")); +%> + + + + + + WebGoat V5.4 + + + + + +
+
+
+

Thank you for taking the time to improve WebGoat!

+

The lesson you were on was: <%=webSession.getCurrentLesson().getName()%>

+

There are several ways to report a bug, fix a bug, or get help.

+ + To report a bug: +
    +
  1. File a WebGoat defect using Google Code + WebGoat Issues. Please be as specific as possible. If you have a + recommended solution for a bug, include the solution in the bug report.
  2. +
+ To get help: +
    +
  1. Look in the FAQ, + the most common problems are in the FAQ. The FAQ also allows user comments, + but it is not monitored like the WebGoat mailing list.
  2. +
  3. Send an email to the WebGoat + mail list. The WebGoat mail list is the preferred method to ask for + help. It is likely that someone has already experienced the issue you + are seeing. In order to post to the list you must be subscribed + to the WebGoat Mail List.
  4. +
  5. Send an email to Bruce + Mayhew
  6. +
+ To fix a bug, typo, or enhance WebGoat: +
    +
  1. Send an email to Bruce + Mayhew. This will start the discussion of getting you added to the WebGoat + Contributers List. Once you become a WebGoat contributor, you can fix + as many bugs/lessons as you desire.
  2. +
+ + + +
+
+ + diff --git a/webapp/webgoat.jsp b/webapp/webgoat.jsp index 087da93fd..d33401a2d 100644 --- a/webapp/webgoat.jsp +++ b/webapp/webgoat.jsp @@ -1,138 +1,138 @@ -<%@ page contentType="text/html; charset=ISO-8859-1" language="java" - errorPage=""%> -<%@page import="org.owasp.webgoat.session.WebSession"%> -<% -WebSession webSession = ((WebSession) session.getAttribute("websession")); -%> - - - - - -WebGoat V5.4 - - - - - -
-
-
-

Thank you for using WebGoat! This program is a demonstration of common web application flaws. -The exercises are intended to provide hands on experience with -application penetration testing techniques.

-

The WebGoat project is led -by Bruce Mayhew. Please send all comments to Bruce at <%=webSession.getWebgoatContext().getFeedbackAddress()%>.

- -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
OWASP Foundation
-
-
Aspect Security
-
-
- WebGoat Authors
-
-
- Bruce Mayhew
-
-
- Jeff Williams
-
-

- WebGoat Design Team
-
-

- V5.4 Lesson Contributers
-
-
David Anderson
-
Laurence Casey (Graphics)
-
Rogan Dawes
-
Bruce Mayhew
-
-
Sherif Koussa
-
Yiannis Pavlosoglou
-
- -
-
Special Thanks - for V5.4
-
-
Documentation - Contributers
-
-
Brian Ciomei (Multitude of bug fixes)
-
To all who have sent comments
- -
- - - -
-
-
-
-
-
 
-
-
-
-
 
-
 
-
 
-
WARNING
-While running this program, your machine is extremely vulnerable to -attack if you are not running on localhost. If you are NOT running on localhost (default configuration), You should disconnect from the network while using this program. -
-
-This program is for educational purposes only. Use of these techniques -without permission could lead to job termination, financial liability, -and/or criminal penalties.
-
- - +<%@ page contentType="text/html; charset=ISO-8859-1" language="java" + errorPage=""%> +<%@page import="org.owasp.webgoat.session.WebSession"%> +<% + WebSession webSession = ((WebSession) session.getAttribute("websession")); +%> + + + + + + WebGoat V5.4 + + + + + +
+
+
+

Thank you for using WebGoat! This program is a demonstration of common web application flaws. + The exercises are intended to provide hands on experience with + application penetration testing techniques.

+

The WebGoat project is led + by Bruce Mayhew. Please send all comments to Bruce at <%=webSession.getWebgoatContext().getFeedbackAddress()%>.

+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
OWASP Foundation
+
+
Aspect Security
+
+
+ WebGoat Authors
+
+
+ Bruce Mayhew
+
+
+ Jeff Williams
+
+

+ WebGoat Design Team
+
+

+ V5.4 Lesson Contributers
+
+
David Anderson
+
Laurence Casey (Graphics)
+
Rogan Dawes
+
Bruce Mayhew
+
+
Sherif Koussa
+
Yiannis Pavlosoglou
+
+ +
+
Special Thanks + for V5.4
+
+
Documentation + Contributers
+
+
Brian Ciomei (Multitude of bug fixes)
+
To all who have sent comments
+ +
+ + + +
+
+
+
+
+
 
+
+
+
+
 
+
 
+
 
+
WARNING
+ While running this program, your machine is extremely vulnerable to + attack if you are not running on localhost. If you are NOT running on localhost (default configuration), You should disconnect from the network while using this program. +
+
+ This program is for educational purposes only. Use of these techniques + without permission could lead to job termination, financial liability, + and/or criminal penalties.
+
+ +
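Review bot: the added `logger.debug("Screen: " + screen);` in the HammerHead.java hunk (@@ -180,7 +180,8 @@) is unrelated to the subject line ("exclude web assets from spring security") and is not mentioned in the commit message; drop it or split it into its own commit so the security-configuration change stays reviewable on its own. If it stays, confirm that the Screen class overrides toString(), otherwise the line logs only an object identity and adds nothing over the existing `logger.debug("Forwarding to view: " + viewPage);` just above it. The forward line is also removed and re-added with no visible change, which looks like a whitespace-only edit from an editor reformat.

Review bot: the four lines added in the spring-security.xml hunk (@@ -11,6 +11,10 @@) render as empty in this view, so the exclusion named in the subject line cannot be checked from the diff; please confirm that each added entry matches only static web assets (images, stylesheets, scripts) and never a JSP or servlet path, because any path excluded from the Spring Security filter chain is served without authentication, and the NOTE kept in the context lines states that HttpServletRequest.getUserPrincipal() returns null for pages outside Spring's control, which legacy WebGoat code relies on. Listing the excluded patterns in the commit message would also help later readers.

Review bot: the reportBug.jsp hunk (@@ -1,71 +1,71 @@) replaces all 71 lines with the same content re-indented, a whitespace-only change bundled with the spring-security.xml change; commit the formatting separately (or say "whitespace only" in the message) so the security-configuration diff can be reviewed on its own. While the file is being rewritten anyway: `Contributers List` should read `Contributors List`, and the page dereferences `webSession.getCurrentLesson().getName()` without checking that the "websession" attribute was present, so a request that reaches the page without an established session fails with a NullPointerException; a null check before the `<%= ... %>` expression would avoid that.

Review bot: the webgoat.jsp hunk (@@ -1,138 +1,138 @@) is likewise a whitespace-only re-indentation of all 138 lines, with the same request to keep it out of the security-configuration commit, and the same unguarded `webSession` dereference in `<%=webSession.getWebgoatContext().getFeedbackAddress()%>`. Since the lines are rewritten anyway, fix `Contributers` (twice) to `Contributors`, `hands on` to `hands-on`, and the WARNING sentence, where `(default configuration)` currently follows `NOT running on localhost` and so reads as if a non-localhost binding were the default; if localhost is the default, as the parenthetical seems to intend, move it next to that word and lowercase the pronoun after the comma: `If you are NOT running on localhost (the default configuration), you should disconnect from the network while using this program.`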