exclude web assets from spring security

format reportBug.jsp
lawson89 2014-06-11 21:56:43 -04:00
parent a0d4a02f0a
commit 80dae15f70
4 changed files with 215 additions and 210 deletions

View File

@ -180,6 +180,7 @@ public class HammerHead extends HttpServlet {
request.getSession().setAttribute("course", mySession.getCourse()); request.getSession().setAttribute("course", mySession.getCourse());
String viewPage = getViewPage(mySession); String viewPage = getViewPage(mySession);
logger.debug("Forwarding to view: " + viewPage); logger.debug("Forwarding to view: " + viewPage);
logger.debug("Screen: " + screen);
request.getRequestDispatcher(viewPage).forward(request, response); request.getRequestDispatcher(viewPage).forward(request, response);
} catch (Throwable t) { } catch (Throwable t) {
logger.error("Error handling request", t); logger.error("Error handling request", t);
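Review bot: the added `logger.debug("Screen: " + screen);` is unrelated to the commit message (excluding web assets from Spring Security) and would be easier to review as its own commit. It also concatenates the log string eagerly on every request, as the neighbouring `logger.debug("Forwarding to view: " + viewPage);` already does; wrap both in `if (logger.isDebugEnabled())` so the string is only built when debug output is on. If `screen` originates from a request parameter, strip CR/LF from it before logging so a caller cannot forge extra log lines. The enclosing `catch (Throwable t)` also swallows `Error` subclasses such as `OutOfMemoryError`; catching `Exception` is the safer scope there.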

View File

@ -11,6 +11,10 @@
NOTE: Without Spring security, HttpServletRequest.getUserPrincipal() returns null when called from pages under Spring's control. NOTE: Without Spring security, HttpServletRequest.getUserPrincipal() returns null when called from pages under Spring's control.
That method is used extensively in legacy webgoat code. Integrating Spring security into the application resolves this issue. That method is used extensively in legacy webgoat code. Integrating Spring security into the application resolves this issue.
--> -->
<http pattern="/css/**" security="none"/>
<http pattern="/images/**" security="none"/>
<http pattern="/javascript/**" security="none"/>
<http pattern="/favicon.ico" security="none"/>
<http auto-config="true" use-expressions="true"> <http auto-config="true" use-expressions="true">
<intercept-url pattern="/login.do" access="permitAll" /> <intercept-url pattern="/login.do" access="permitAll" />
<intercept-url pattern="/logout.do" access="permitAll" /> <intercept-url pattern="/logout.do" access="permitAll" />
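Review bot: `security="none"` on `/css/**`, `/images/**`, `/javascript/**` and `/favicon.ico` removes the entire Spring Security filter chain for those paths, not just the authentication check, so requests matching them get no session handling, no security context and none of the other filters in the chain. That is acceptable only if those directories hold nothing but static files; confirm no JSPs or other server-side resources are served from under those prefixes, because anything there becomes reachable with no security context at all. If the intent is merely to stop static assets from triggering the login redirect, `<intercept-url pattern="/css/**" access="permitAll"/>` (and the same for the other three patterns) inside the main `<http auto-config="true" use-expressions="true">` block achieves that while keeping the rest of the chain in place. The ordering is correct as written: the pattern-specific `<http>` elements precede the catch-all `<http>`, which is required because the first matching chain wins.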

View File

@ -8,30 +8,30 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>WebGoat V5.4</title> <title>WebGoat V5.4</title>
<link rel="stylesheet" href="css/webgoat.css" type="text/css" /> <link rel="stylesheet" href="css/webgoat.css" type="text/css" />
</head> </head>
<body> <body>
<div id="wrap"> <div id="wrap">
<div id="top"></div> <div id="top"></div>
<div id="start"> <div id="start">
<p>Thank you for taking the time to improve WebGoat!</p> <p>Thank you for taking the time to improve WebGoat!</p>
<p>The lesson you were on was: <%=webSession.getCurrentLesson().getName()%></p> <p>The lesson you were on was: <%=webSession.getCurrentLesson().getName()%></p>
<p>There are several ways to report a bug, fix a bug, or get help.</p> <p>There are several ways to report a bug, fix a bug, or get help.</p>
<b>To report a bug:</b> <b>To report a bug:</b>
<ol> <ol>
<li>File a WebGoat defect using <a <li>File a WebGoat defect using <a
href="http://code.google.com/p/webgoat/issues/list">Google Code href="http://code.google.com/p/webgoat/issues/list">Google Code
WebGoat Issues</a>. Please be as specific as possible. If you have a WebGoat Issues</a>. Please be as specific as possible. If you have a
recommended solution for a bug, include the solution in the bug report.</li> recommended solution for a bug, include the solution in the bug report.</li>
</ol> </ol>
<b>To get help:</b> <b>To get help:</b>
<ol> <ol>
<li>Look in the <a <li>Look in the <a
href="http://code.google.com/p/webgoat/wiki/FAQ">FAQ</a>, href="http://code.google.com/p/webgoat/wiki/FAQ">FAQ</a>,
the most common problems are in the FAQ. The FAQ also allows user comments, the most common problems are in the FAQ. The FAQ also allows user comments,
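Review bot: `<%=webSession.getCurrentLesson().getName()%>` is written into the page body with no HTML encoding. If lesson names never come from the request this is not a user-controlled sink today, but a formatting pass is the right moment to switch the expression to an escaping form (for example `<c:out value="<%=webSession.getCurrentLesson().getName()%>"/>`) so that a lesson whose name contains markup cannot turn the bug-report page into a stored XSS. The hunk shows identical text on both sides, so the "format reportBug.jsp" change is presumably whitespace only; saying so in the commit message lets reviewers skip these hunks.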
@ -48,16 +48,16 @@
href="mailto: <%=webSession.getWebgoatContext().getFeedbackAddress()%>?subject=WebGoat Direct Help Request - Lesson: href="mailto: <%=webSession.getWebgoatContext().getFeedbackAddress()%>?subject=WebGoat Direct Help Request - Lesson:
<%=webSession.getCurrentLesson().getName()%>">Bruce <%=webSession.getCurrentLesson().getName()%>">Bruce
Mayhew</a></li> Mayhew</a></li>
</ol> </ol>
<b>To fix a bug, typo, or enhance WebGoat:</b> <b>To fix a bug, typo, or enhance WebGoat:</b>
<ol> <ol>
<li>Send an email to <a <li>Send an email to <a
href="mailto: <%=webSession.getWebgoatContext().getFeedbackAddress()%>?subject=WebGoat Contributor Request">Bruce href="mailto: <%=webSession.getWebgoatContext().getFeedbackAddress()%>?subject=WebGoat Contributor Request">Bruce
Mayhew</a>. This will start the discussion of getting you added to the <a Mayhew</a>. This will start the discussion of getting you added to the <a
href="http://code.google.com/p/webgoat/people/list">WebGoat href="http://code.google.com/p/webgoat/people/list">WebGoat
Contributers List</a>. Once you become a WebGoat contributor, you can fix Contributers List</a>. Once you become a WebGoat contributor, you can fix
as many bugs/lessons as you desire.</li> as many bugs/lessons as you desire.</li>
</ol> </ol>
<div id="bottom"> <div id="bottom">
<div align="center"><a href="http://www.owasp.org">OWASP Foundation</a> | <div align="center"><a href="http://www.owasp.org">OWASP Foundation</a> |
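Review bot: both `href="mailto: <%=webSession.getWebgoatContext().getFeedbackAddress()%>?subject=..."` attributes have a space after `mailto:`, so the rendered link is `mailto: address?subject=...`, which browsers do not reliably treat as a valid mailto URL; drop the space. The feedback address and the lesson name are also interpolated into the attribute with neither URL encoding nor attribute encoding, so a value containing `"`, `&` or `?` breaks out of the attribute or corrupts the subject query string; percent-encode the subject and attribute-encode the whole value. "Contributers List" should read "Contributors List".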
@ -65,7 +65,7 @@
</div> </div>
</div> </div>
</div> </div>
</div> </div>
</body> </body>
</html> </html>

View File

@ -2,30 +2,30 @@
errorPage=""%> errorPage=""%>
<%@page import="org.owasp.webgoat.session.WebSession"%> <%@page import="org.owasp.webgoat.session.WebSession"%>
<% <%
WebSession webSession = ((WebSession) session.getAttribute("websession")); WebSession webSession = ((WebSession) session.getAttribute("websession"));
%> %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>WebGoat V5.4</title> <title>WebGoat V5.4</title>
<link rel="stylesheet" href="css/webgoat.css" type="text/css" /> <link rel="stylesheet" href="css/webgoat.css" type="text/css" />
</head> </head>
<body> <body>
<div id="wrap"> <div id="wrap">
<div id="top"></div> <div id="top"></div>
<div id="start"> <div id="start">
<p>Thank you for using WebGoat! This program is a demonstration of common web application flaws. <p>Thank you for using WebGoat! This program is a demonstration of common web application flaws.
The exercises are intended to provide hands on experience with The exercises are intended to provide hands on experience with
application penetration testing techniques. </p> application penetration testing techniques. </p>
<p>The WebGoat project is led <p>The WebGoat project is led
by Bruce Mayhew. Please send all comments to Bruce at <%=webSession.getWebgoatContext().getFeedbackAddress()%>.</p> by Bruce Mayhew. Please send all comments to Bruce at <%=webSession.getWebgoatContext().getFeedbackAddress()%>.</p>
<div id="team"> <div id="team">
<table border="0" align="center" class="lessonText"> <table border="0" align="center" class="lessonText">
<tr> <tr>
<td width="50%"> <td width="50%">
<div align="center"><a href="http://www.owasp.org"><img <div align="center"><a href="http://www.owasp.org"><img
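Review bot: `WebSession webSession = ((WebSession) session.getAttribute("websession"));` has no null check, and `webSession.getWebgoatContext().getFeedbackAddress()` is dereferenced a few lines later, so a direct request to this JSP before the `websession` attribute exists throws a NullPointerException and surfaces a container error page instead of a clean redirect to login. Guard the lookup and redirect when the attribute is missing. As in reportBug.jsp, the feedback address is emitted with `<%= %>` into the page body without HTML encoding; use an escaping output form there as well.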
@ -119,20 +119,20 @@ by Bruce Mayhew. Please send all comments to Bruce at <%=webSession.getWebgoatCo
<div align="center" class="style2">&nbsp;</div> <div align="center" class="style2">&nbsp;</div>
</td> </td>
</tr> </tr>
</table> </table>
</div> </div>
</div> </div>
<div align="center" class="style2">&nbsp;</div> <div align="center" class="style2">&nbsp;</div>
<div align="center" class="style2">&nbsp;</div> <div align="center" class="style2">&nbsp;</div>
<div align="center" class="style2">&nbsp;</div> <div align="center" class="style2">&nbsp;</div>
<div id="warning">WARNING<br /> <div id="warning">WARNING<br />
While running this program, your machine is extremely vulnerable to While running this program, your machine is extremely vulnerable to
attack if you are not running on localhost. If you are NOT running on localhost (default configuration), You should disconnect from the network while using this program. attack if you are not running on localhost. If you are NOT running on localhost (default configuration), You should disconnect from the network while using this program.
<br /> <br />
<br /> <br />
This program is for educational purposes only. Use of these techniques This program is for educational purposes only. Use of these techniques
without permission could lead to job termination, financial liability, without permission could lead to job termination, financial liability,
and/or criminal penalties.</div> and/or criminal penalties.</div>
</div> </div>
</body> </body>
</html> </html>
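Review bot: the warning text "If you are NOT running on localhost (default configuration), You should disconnect from the network" reads as if running off localhost were the default. The parenthetical belongs with localhost, and "You" should be lower case: "If you are NOT running on localhost, which is the default configuration, you should disconnect from the network while using this program." Since this commit is already a formatting pass over these pages, it is the natural place to correct it.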