exclude web assets from spring security

format reportBug.jsp
This commit is contained in:
lawson89 2014-06-11 21:56:43 -04:00
parent a0d4a02f0a
commit 80dae15f70
4 changed files with 215 additions and 210 deletions

View File

@ -180,7 +180,8 @@ public class HammerHead extends HttpServlet {
request.getSession().setAttribute("course", mySession.getCourse()); request.getSession().setAttribute("course", mySession.getCourse());
String viewPage = getViewPage(mySession); String viewPage = getViewPage(mySession);
logger.debug("Forwarding to view: " + viewPage); logger.debug("Forwarding to view: " + viewPage);
request.getRequestDispatcher(viewPage).forward(request, response); logger.debug("Screen: " + screen);
request.getRequestDispatcher(viewPage).forward(request, response);
} catch (Throwable t) { } catch (Throwable t) {
logger.error("Error handling request", t); logger.error("Error handling request", t);
screen = new ErrorScreen(mySession, t); screen = new ErrorScreen(mySession, t);
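Review bot: the added `logger.debug("Screen: " + screen);` builds its message by string concatenation, so `screen.toString()` is evaluated on every request even when the debug level is switched off; guard it with `if (logger.isDebugEnabled())` or use the logger's parameterized form if the logging API in use offers one. It is also worth confirming that `Screen` has a useful `toString()`; otherwise the line only records the class name and identity hash and adds noise to the log rather than information about which screen was rendered.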

View File

@ -11,6 +11,10 @@
NOTE: Without Spring security, HttpServletRequest.getUserPrincipal() returns null when called from pages under Spring's control. NOTE: Without Spring security, HttpServletRequest.getUserPrincipal() returns null when called from pages under Spring's control.
That method is used extensively in legacy webgoat code. Integrating Spring security into the application resolves this issue. That method is used extensively in legacy webgoat code. Integrating Spring security into the application resolves this issue.
--> -->
<http pattern="/css/**" security="none"/>
<http pattern="/images/**" security="none"/>
<http pattern="/javascript/**" security="none"/>
<http pattern="/favicon.ico" security="none"/>
<http auto-config="true" use-expressions="true"> <http auto-config="true" use-expressions="true">
<intercept-url pattern="/login.do" access="permitAll" /> <intercept-url pattern="/login.do" access="permitAll" />
<intercept-url pattern="/logout.do" access="permitAll" /> <intercept-url pattern="/logout.do" access="permitAll" />
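Review bot: `security="none"` on `/css/**`, `/images/**`, `/javascript/**` and `/favicon.ico` removes those paths from the Spring Security filter chain altogether, not merely from authentication, so nothing the chain provides applies there, including the populated `getUserPrincipal()` that the NOTE above relies on. That is correct as long as those directories hold only static assets; any JSP or servlet later mapped under them would silently fall back to a null principal. The pattern-only `<http>` elements are correctly placed before the catch-all `<http auto-config="true" ...>` element, which Spring Security requires; a short XML comment beside them stating why these paths are excluded would spare the next reader from having to infer it from the commit title.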

View File

@ -1,71 +1,71 @@
<%@ page contentType="text/html; charset=ISO-8859-1" language="java" <%@ page contentType="text/html; charset=ISO-8859-1" language="java"
errorPage=""%> errorPage=""%>
<%@page import="org.owasp.webgoat.session.WebSession"%> <%@page import="org.owasp.webgoat.session.WebSession"%>
<% <%
WebSession webSession = ((WebSession) session WebSession webSession = ((WebSession) session
.getAttribute("websession")); .getAttribute("websession"));
%> %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>WebGoat V5.4</title> <title>WebGoat V5.4</title>
<link rel="stylesheet" href="css/webgoat.css" type="text/css" /> <link rel="stylesheet" href="css/webgoat.css" type="text/css" />
</head> </head>
<body> <body>
<div id="wrap"> <div id="wrap">
<div id="top"></div> <div id="top"></div>
<div id="start"> <div id="start">
<p>Thank you for taking the time to improve WebGoat!</p> <p>Thank you for taking the time to improve WebGoat!</p>
<p>The lesson you were on was: <%=webSession.getCurrentLesson().getName()%></p> <p>The lesson you were on was: <%=webSession.getCurrentLesson().getName()%></p>
<p>There are several ways to report a bug, fix a bug, or get help.</p> <p>There are several ways to report a bug, fix a bug, or get help.</p>
<b>To report a bug:</b> <b>To report a bug:</b>
<ol> <ol>
<li>File a WebGoat defect using <a <li>File a WebGoat defect using <a
href="http://code.google.com/p/webgoat/issues/list">Google Code href="http://code.google.com/p/webgoat/issues/list">Google Code
WebGoat Issues</a>. Please be as specific as possible. If you have a WebGoat Issues</a>. Please be as specific as possible. If you have a
recommended solution for a bug, include the solution in the bug report.</li> recommended solution for a bug, include the solution in the bug report.</li>
</ol> </ol>
<b>To get help:</b> <b>To get help:</b>
<ol> <ol>
<li>Look in the <a <li>Look in the <a
href="http://code.google.com/p/webgoat/wiki/FAQ">FAQ</a>, href="http://code.google.com/p/webgoat/wiki/FAQ">FAQ</a>,
the most common problems are in the FAQ. The FAQ also allows user comments, the most common problems are in the FAQ. The FAQ also allows user comments,
but it is not monitored like the WebGoat mailing list.</li> but it is not monitored like the WebGoat mailing list.</li>
<li>Send an email to the <a <li>Send an email to the <a
href="mailto: owasp-webgoat@lists.owasp.org?subject=WebGoat Help Request - Lesson: href="mailto: owasp-webgoat@lists.owasp.org?subject=WebGoat Help Request - Lesson:
<%=webSession.getCurrentLesson().getName()%>">WebGoat <%=webSession.getCurrentLesson().getName()%>">WebGoat
mail list</a>. The WebGoat mail list is the preferred method to ask for mail list</a>. The WebGoat mail list is the preferred method to ask for
help. It is likely that someone has already experienced the issue you help. It is likely that someone has already experienced the issue you
are seeing. In order to post to the list you must be <a are seeing. In order to post to the list you must be <a
href="https://lists.owasp.org/mailman/listinfo/owasp-webgoat">subscribed</a> href="https://lists.owasp.org/mailman/listinfo/owasp-webgoat">subscribed</a>
to the WebGoat Mail List.</li> to the WebGoat Mail List.</li>
<li>Send an email to <a <li>Send an email to <a
href="mailto: <%=webSession.getWebgoatContext().getFeedbackAddress()%>?subject=WebGoat Direct Help Request - Lesson: href="mailto: <%=webSession.getWebgoatContext().getFeedbackAddress()%>?subject=WebGoat Direct Help Request - Lesson:
<%=webSession.getCurrentLesson().getName()%>">Bruce <%=webSession.getCurrentLesson().getName()%>">Bruce
Mayhew</a></li> Mayhew</a></li>
</ol> </ol>
<b>To fix a bug, typo, or enhance WebGoat:</b> <b>To fix a bug, typo, or enhance WebGoat:</b>
<ol> <ol>
<li>Send an email to <a <li>Send an email to <a
href="mailto: <%=webSession.getWebgoatContext().getFeedbackAddress()%>?subject=WebGoat Contributor Request">Bruce href="mailto: <%=webSession.getWebgoatContext().getFeedbackAddress()%>?subject=WebGoat Contributor Request">Bruce
Mayhew</a>. This will start the discussion of getting you added to the <a Mayhew</a>. This will start the discussion of getting you added to the <a
href="http://code.google.com/p/webgoat/people/list">WebGoat href="http://code.google.com/p/webgoat/people/list">WebGoat
Contributers List</a>. Once you become a WebGoat contributor, you can fix Contributers List</a>. Once you become a WebGoat contributor, you can fix
as many bugs/lessons as you desire.</li> as many bugs/lessons as you desire.</li>
</ol> </ol>
<div id="bottom"> <div id="bottom">
<div align="center"><a href="http://www.owasp.org">OWASP Foundation</a> | <div align="center"><a href="http://www.owasp.org">OWASP Foundation</a> |
<a href="http://www.owasp.org/index.php/OWASP_WebGoat_Project">Project WebGoat</a> <a href="http://www.owasp.org/index.php/OWASP_WebGoat_Project">Project WebGoat</a>
</div> </div>
</div> </div>
</div> </div>
</div> </div>
</body> </body>
</html> </html>
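Review bot: this hunk is formatting only (71 lines on each side), so the rendered page is unchanged; two small fixes could ride along while the file is being touched: the `href="mailto: ..."` values carry a space after the colon, which some mail clients refuse to parse, and "Contributers List" should read "Contributors List". Separately, `webSession.getCurrentLesson().getName()` is written into both the page body and the `mailto:` `href` attributes via `<%= %>` with no HTML or attribute encoding; as far as this page shows the lesson name is application-defined rather than user-supplied, so the risk is low, but emitting it through `<c:out>` or `fn:escapeXml` would keep the markup well-formed regardless of where the name comes from. If `getCurrentLesson()` can ever return null (for example when the page is reached before a lesson is selected), the scriptlet throws a NullPointerException and, with `errorPage=""`, the container's default error page is shown.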

View File

@ -1,138 +1,138 @@
<%@ page contentType="text/html; charset=ISO-8859-1" language="java" <%@ page contentType="text/html; charset=ISO-8859-1" language="java"
errorPage=""%> errorPage=""%>
<%@page import="org.owasp.webgoat.session.WebSession"%> <%@page import="org.owasp.webgoat.session.WebSession"%>
<% <%
WebSession webSession = ((WebSession) session.getAttribute("websession")); WebSession webSession = ((WebSession) session.getAttribute("websession"));
%> %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>WebGoat V5.4</title> <title>WebGoat V5.4</title>
<link rel="stylesheet" href="css/webgoat.css" type="text/css" /> <link rel="stylesheet" href="css/webgoat.css" type="text/css" />
</head> </head>
<body> <body>
<div id="wrap"> <div id="wrap">
<div id="top"></div> <div id="top"></div>
<div id="start"> <div id="start">
<p>Thank you for using WebGoat! This program is a demonstration of common web application flaws. <p>Thank you for using WebGoat! This program is a demonstration of common web application flaws.
The exercises are intended to provide hands on experience with The exercises are intended to provide hands on experience with
application penetration testing techniques. </p> application penetration testing techniques. </p>
<p>The WebGoat project is led <p>The WebGoat project is led
by Bruce Mayhew. Please send all comments to Bruce at <%=webSession.getWebgoatContext().getFeedbackAddress()%>.</p> by Bruce Mayhew. Please send all comments to Bruce at <%=webSession.getWebgoatContext().getFeedbackAddress()%>.</p>
<div id="team"> <div id="team">
<table border="0" align="center" class="lessonText"> <table border="0" align="center" class="lessonText">
<tr> <tr>
<td width="50%"> <td width="50%">
<div align="center"><a href="http://www.owasp.org"><img <div align="center"><a href="http://www.owasp.org"><img
border="0" src="images/logos/owasp.jpg" alt="OWASP Foundation" border="0" src="images/logos/owasp.jpg" alt="OWASP Foundation"
longdesc="http://www.owasp.org" /></a></div> longdesc="http://www.owasp.org" /></a></div>
</td> </td>
<td width="50%"> <td width="50%">
<div align="center"><a href="http://www.aspectsecurity.com"><img <div align="center"><a href="http://www.aspectsecurity.com"><img
border="0" src="images/logos/aspect.jpg" alt="Aspect Security" border="0" src="images/logos/aspect.jpg" alt="Aspect Security"
longdesc="http://www.aspectsecurity.com" /></a></div> longdesc="http://www.aspectsecurity.com" /></a></div>
</td> </td>
</tr> </tr>
<tr> <tr>
<td colspan="2"> <td colspan="2">
<div align="center"><span class="style1"> <div align="center"><span class="style1">
WebGoat Authors </span></div> WebGoat Authors </span></div>
</td> </td>
</tr> </tr>
<tr> <tr>
<td colspan="2"> <td colspan="2">
<div align="center"><span class="style2"> <div align="center"><span class="style2">
Bruce Mayhew </span></div> Bruce Mayhew </span></div>
</td> </td>
</tr> </tr>
<tr> <tr>
<td colspan="2"> <td colspan="2">
<div align="center"><span class="style2"> <div align="center"><span class="style2">
Jeff Williams </span></div> Jeff Williams </span></div>
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="50%"> <td width="50%">
<div align="center"><span class="style1"><br /> <div align="center"><span class="style1"><br />
WebGoat Design Team </span></div> WebGoat Design Team </span></div>
</td> </td>
<td width="50%"> <td width="50%">
<div align="center"><span class="style1"><br /> <div align="center"><span class="style1"><br />
V5.4 Lesson Contributers </span></div> V5.4 Lesson Contributers </span></div>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top"> <td valign="top">
<div align="center" class="style2">David Anderson</div> <div align="center" class="style2">David Anderson</div>
<div align="center" class="style2">Laurence Casey (Graphics)</div> <div align="center" class="style2">Laurence Casey (Graphics)</div>
<div align="center" class="style2">Rogan Dawes</div> <div align="center" class="style2">Rogan Dawes</div>
<div align="center" class="style2">Bruce Mayhew</div> <div align="center" class="style2">Bruce Mayhew</div>
</td> </td>
<td valign="top"> <td valign="top">
<div align="center" class="style2">Sherif Koussa</div> <div align="center" class="style2">Sherif Koussa</div>
<div align="center" class="style2">Yiannis Pavlosoglou</div> <div align="center" class="style2">Yiannis Pavlosoglou</div>
<div align="center" class="style2"></div> <div align="center" class="style2"></div>
</td> </td>
</tr> </tr>
<tr> <tr>
<td height="25" valign="bottom"> <td height="25" valign="bottom">
<div align="center"><span class="style1">Special Thanks <div align="center"><span class="style1">Special Thanks
for V5.4</span></div> for V5.4</span></div>
</td> </td>
<td height="25" valign="bottom"> <td height="25" valign="bottom">
<div align="center"><span class="style1">Documentation <div align="center"><span class="style1">Documentation
Contributers</span></div> Contributers</span></div>
</td> </td>
</tr> </tr>
<tr> <tr>
<td> <td>
<div align="center" class="style2">Brian Ciomei (Multitude of bug fixes)</div> <div align="center" class="style2">Brian Ciomei (Multitude of bug fixes)</div>
<div align="center" class="style2">To all who have sent comments</div> <div align="center" class="style2">To all who have sent comments</div>
</td> </td>
<td> <td>
<div align="center" class="style2"> <div align="center" class="style2">
<a href="http://www.zionsecurity.com/" target="_blank">Erwin Geirnaert</a></div> <a href="http://www.zionsecurity.com/" target="_blank">Erwin Geirnaert</a></div>
<div align="center" class="style2"> <div align="center" class="style2">
<a href="http://yehg.org/" target="_blank">Aung Khant</a></div> <a href="http://yehg.org/" target="_blank">Aung Khant</a></div>
<div align="center" class="style2"> <div align="center" class="style2">
<a href="http://www.softwaresecured.com" target="blank">Sherif Koussa</a> <a href="http://www.softwaresecured.com" target="blank">Sherif Koussa</a>
</div> </div>
</td> </td>
</tr> </tr>
<tr> <tr>
<td colspan="2"> <td colspan="2">
<div align="center" class="style2"> <div align="center" class="style2">
<form id="form" name="form" method="post" action="attack"><input <form id="form" name="form" method="post" action="attack"><input
type="submit" name="start" value="Start WebGoat" /></form> type="submit" name="start" value="Start WebGoat" /></form>
</div> </div>
</td> </td>
</tr> </tr>
<tr> <tr>
<td> <td>
<div align="center" class="style2">&nbsp;</div> <div align="center" class="style2">&nbsp;</div>
</td> </td>
</tr> </tr>
</table> </table>
</div> </div>
</div> </div>
<div align="center" class="style2">&nbsp;</div> <div align="center" class="style2">&nbsp;</div>
<div align="center" class="style2">&nbsp;</div> <div align="center" class="style2">&nbsp;</div>
<div align="center" class="style2">&nbsp;</div> <div align="center" class="style2">&nbsp;</div>
<div id="warning">WARNING<br /> <div id="warning">WARNING<br />
While running this program, your machine is extremely vulnerable to While running this program, your machine is extremely vulnerable to
attack if you are not running on localhost. If you are NOT running on localhost (default configuration), You should disconnect from the network while using this program. attack if you are not running on localhost. If you are NOT running on localhost (default configuration), You should disconnect from the network while using this program.
<br /> <br />
<br /> <br />
This program is for educational purposes only. Use of these techniques This program is for educational purposes only. Use of these techniques
without permission could lead to job termination, financial liability, without permission could lead to job termination, financial liability,
and/or criminal penalties.</div> and/or criminal penalties.</div>
</div> </div>
</body> </body>
</html> </html>
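Review bot: another formatting-only hunk (138 lines on each side), so the same opportunity applies: `target="blank"` on the Sherif Koussa link should be `target="_blank"` (without the underscore the browser opens a window named "blank" and reuses it on later clicks, rather than opening a new tab), "Contributers" appears twice and should be "Contributors", and in the warning text "You should disconnect" sits mid-sentence and wants a lowercase "you". The feedback address rendered by `<%=webSession.getWebgoatContext().getFeedbackAddress()%>` is configuration rather than user input, but passing it through `<c:out>` costs nothing and keeps the page consistent with the encoding fix suggested for reportBug.jsp.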