exclude web assets from spring security

format reportBug.jsp
This commit is contained in:
lawson89 2014-06-11 21:56:43 -04:00
parent a0d4a02f0a
commit 80dae15f70
4 changed files with 215 additions and 210 deletions

View File

@ -180,6 +180,7 @@ public class HammerHead extends HttpServlet {
request.getSession().setAttribute("course", mySession.getCourse());
String viewPage = getViewPage(mySession);
logger.debug("Forwarding to view: " + viewPage);
logger.debug("Screen: " + screen);
request.getRequestDispatcher(viewPage).forward(request, response);
} catch (Throwable t) {
logger.error("Error handling request", t);
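Review bot: the new `logger.debug("Screen: " + screen);` line writes `screen` to the log unsanitized; if that value comes from the request, a CR/LF inside it lets a client forge extra log records, so strip line breaks before logging or use a placeholder-style call (`logger.debug("Screen: {}", screen)`) if the logging API in use supports it. The concatenation is also evaluated even when debug is disabled, so wrap it in an `isDebugEnabled()` check if the class does that elsewhere. Pre-existing but worth flagging while here: `catch (Throwable t)` also swallows `Error` subclasses such as `OutOfMemoryError`, which should propagate rather than be logged and forgotten.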

View File

@ -11,6 +11,10 @@
NOTE: Without Spring security, HttpServletRequest.getUserPrincipal() returns null when called from pages under Spring's control.
That method is used extensively in legacy webgoat code. Integrating Spring security into the application resolves this issue.
-->
<http pattern="/css/**" security="none"/>
<http pattern="/images/**" security="none"/>
<http pattern="/javascript/**" security="none"/>
<http pattern="/favicon.ico" security="none"/>
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/login.do" access="permitAll" />
<intercept-url pattern="/logout.do" access="permitAll" />
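Review bot: `security="none"` removes the matched paths from the Spring Security filter chain entirely, not just from the authorization check, so anything served under `/css/**`, `/images/**` and `/javascript/**` gets no session handling, no authenticated principal and none of the response headers the chain adds; as the comment above this hunk explains, any JSP placed under those paths would again see `getUserPrincipal()` return null. That is the right setting for purely static files, but the commit should state that these three directories contain only static content with nothing that should require login (for example lesson images or scripts that reveal a solution), and that the patterns are evaluated against the servlet path the container actually presents (a context-path prefix or a servlet mapping narrower than `/*` changes what `/css/**` matches). If a resource under these paths ever needs the security context, an `<intercept-url ... access="permitAll"/>` inside the main `<http>` block keeps it in the chain while still allowing anonymous access. The ordering is correct: the `pattern`-scoped `<http>` elements must precede the catch-all `<http>` element, and they do.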

View File

@ -8,30 +8,30 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>WebGoat V5.4</title>
<link rel="stylesheet" href="css/webgoat.css" type="text/css" />
</head>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>WebGoat V5.4</title>
<link rel="stylesheet" href="css/webgoat.css" type="text/css" />
</head>
<body>
<body>
<div id="wrap">
<div id="top"></div>
<div id="start">
<p>Thank you for taking the time to improve WebGoat!</p>
<p>The lesson you were on was: <%=webSession.getCurrentLesson().getName()%></p>
<p>There are several ways to report a bug, fix a bug, or get help.</p>
<div id="wrap">
<div id="top"></div>
<div id="start">
<p>Thank you for taking the time to improve WebGoat!</p>
<p>The lesson you were on was: <%=webSession.getCurrentLesson().getName()%></p>
<p>There are several ways to report a bug, fix a bug, or get help.</p>
<b>To report a bug:</b>
<ol>
<b>To report a bug:</b>
<ol>
<li>File a WebGoat defect using <a
href="http://code.google.com/p/webgoat/issues/list">Google Code
WebGoat Issues</a>. Please be as specific as possible. If you have a
recommended solution for a bug, include the solution in the bug report.</li>
</ol>
<b>To get help:</b>
<ol>
</ol>
<b>To get help:</b>
<ol>
<li>Look in the <a
href="http://code.google.com/p/webgoat/wiki/FAQ">FAQ</a>,
the most common problems are in the FAQ. The FAQ also allows user comments,
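Review bot: this hunk is indentation only (every line appears unchanged apart from leading whitespace), which mixes a cosmetic JSP reformat into a commit whose functional change is the Spring Security exclusion; a separate commit would keep the security change reviewable on its own, and the commit message already lists the two as separate items. Since these lines are being touched anyway, `<%=webSession.getCurrentLesson().getName()%>` on the "The lesson you were on was" line is written into the HTML body without escaping; lesson names are application data rather than request input, so this is hygiene rather than a reported flaw, but `<c:out value="..."/>` (or `fn:escapeXml`) costs nothing here.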
@ -48,16 +48,16 @@
href="mailto: <%=webSession.getWebgoatContext().getFeedbackAddress()%>?subject=WebGoat Direct Help Request - Lesson:
<%=webSession.getCurrentLesson().getName()%>">Bruce
Mayhew</a></li>
</ol>
<b>To fix a bug, typo, or enhance WebGoat:</b>
<ol>
</ol>
<b>To fix a bug, typo, or enhance WebGoat:</b>
<ol>
<li>Send an email to <a
href="mailto: <%=webSession.getWebgoatContext().getFeedbackAddress()%>?subject=WebGoat Contributor Request">Bruce
Mayhew</a>. This will start the discussion of getting you added to the <a
href="http://code.google.com/p/webgoat/people/list">WebGoat
Contributers List</a>. Once you become a WebGoat contributor, you can fix
as many bugs/lessons as you desire.</li>
</ol>
</ol>
<div id="bottom">
<div align="center"><a href="http://www.owasp.org">OWASP Foundation</a> |
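Review bot: `href="mailto: <%=webSession.getWebgoatContext().getFeedbackAddress()%>?subject=..."` keeps the stray space after `mailto:` and inserts the lesson name into the query part without percent-encoding, so a lesson name containing `&`, `#` or `%` truncates or corrupts the subject; a style point, since both values come from configuration and application data, but while the line is being re-indented drop the space and percent-encode the subject text. The same applies to the second `mailto:` link in this hunk.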
@ -65,7 +65,7 @@
</div>
</div>
</div>
</div>
</body>
</div>
</div>
</body>
</html>

View File

@ -2,30 +2,30 @@
errorPage=""%>
<%@page import="org.owasp.webgoat.session.WebSession"%>
<%
WebSession webSession = ((WebSession) session.getAttribute("websession"));
WebSession webSession = ((WebSession) session.getAttribute("websession"));
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>WebGoat V5.4</title>
<link rel="stylesheet" href="css/webgoat.css" type="text/css" />
</head>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>WebGoat V5.4</title>
<link rel="stylesheet" href="css/webgoat.css" type="text/css" />
</head>
<body>
<body>
<div id="wrap">
<div id="top"></div>
<div id="start">
<p>Thank you for using WebGoat! This program is a demonstration of common web application flaws.
The exercises are intended to provide hands on experience with
application penetration testing techniques. </p>
<p>The WebGoat project is led
by Bruce Mayhew. Please send all comments to Bruce at <%=webSession.getWebgoatContext().getFeedbackAddress()%>.</p>
<div id="wrap">
<div id="top"></div>
<div id="start">
<p>Thank you for using WebGoat! This program is a demonstration of common web application flaws.
The exercises are intended to provide hands on experience with
application penetration testing techniques. </p>
<p>The WebGoat project is led
by Bruce Mayhew. Please send all comments to Bruce at <%=webSession.getWebgoatContext().getFeedbackAddress()%>.</p>
<div id="team">
<table border="0" align="center" class="lessonText">
<div id="team">
<table border="0" align="center" class="lessonText">
<tr>
<td width="50%">
<div align="center"><a href="http://www.owasp.org"><img
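Review bot: `WebSession webSession = ((WebSession) session.getAttribute("websession"));` is re-indented but still has no null check, so a request that reaches this JSP without an established WebSession (an expired session, or a direct request to the page) throws a NullPointerException at the first `webSession.` call further down, and with `errorPage=""` in the page directive the container's default error page, which typically includes the stack trace, is what the client receives. Guard the lookup and redirect to the login page (or the servlet that creates the session) when the attribute is absent, and point `errorPage` at a generic error JSP so exception details stay out of responses. As with reportBug.jsp, the rest of this hunk is whitespace only.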
@ -119,20 +119,20 @@ by Bruce Mayhew. Please send all comments to Bruce at <%=webSession.getWebgoatCo
<div align="center" class="style2">&nbsp;</div>
</td>
</tr>
</table>
</div>
</div>
<div align="center" class="style2">&nbsp;</div>
<div align="center" class="style2">&nbsp;</div>
<div align="center" class="style2">&nbsp;</div>
<div id="warning">WARNING<br />
While running this program, your machine is extremely vulnerable to
attack if you are not running on localhost. If you are NOT running on localhost (default configuration), You should disconnect from the network while using this program.
<br />
<br />
This program is for educational purposes only. Use of these techniques
without permission could lead to job termination, financial liability,
and/or criminal penalties.</div>
</div>
</body>
</table>
</div>
</div>
<div align="center" class="style2">&nbsp;</div>
<div align="center" class="style2">&nbsp;</div>
<div align="center" class="style2">&nbsp;</div>
<div id="warning">WARNING<br />
While running this program, your machine is extremely vulnerable to
attack if you are not running on localhost. If you are NOT running on localhost (default configuration), You should disconnect from the network while using this program.
<br />
<br />
This program is for educational purposes only. Use of these techniques
without permission could lead to job termination, financial liability,
and/or criminal penalties.</div>
</div>
</body>
</html>
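Review bot: the warning text on the re-indented lines, "If you are NOT running on localhost (default configuration), You should disconnect from the network", reads as though running off localhost is the default; since the change touches these lines, move the parenthetical so it qualifies localhost ("If you are NOT running on localhost, the default configuration, you should disconnect ...") and lower-case "You". Otherwise this hunk is indentation only.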