exclude web assets from spring security

format reportBug.jsp
lawson89 2014-06-11 21:56:43 -04:00
parent a0d4a02f0a
commit 80dae15f70
4 changed files with 215 additions and 210 deletions


@ -180,7 +180,8 @@ public class HammerHead extends HttpServlet {
request.getSession().setAttribute("course", mySession.getCourse());
String viewPage = getViewPage(mySession);
logger.debug("Forwarding to view: " + viewPage);
request.getRequestDispatcher(viewPage).forward(request, response);
logger.debug("Screen: " + screen);
request.getRequestDispatcher(viewPage).forward(request, response);
} catch (Throwable t) {
logger.error("Error handling request", t);
screen = new ErrorScreen(mySession, t);
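Review bot: The added `logger.debug("Screen: " + screen);` builds the string eagerly, so `screen.toString()` runs on every request even when debug logging is disabled; guard it with `if (logger.isDebugEnabled()) { logger.debug("Screen: " + screen); }` (or a parameterized call if the logger API in use supports one — the logger type is not visible in this hunk). Separately, the `catch (Throwable t)` sits after `forward(request, response)`, which commits the response, so an exception thrown while rendering the view is caught only after output has gone to the client and the `ErrorScreen` built on the next line is unlikely to be deliverable; consider catching `Exception` rather than `Throwable` and checking `response.isCommitted()` before attempting the error screen. The enclosing method starts before this hunk and continues past it.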


@ -11,6 +11,10 @@
NOTE: Without Spring security, HttpServletRequest.getUserPrincipal() returns null when called from pages under Spring's control.
That method is used extensively in legacy webgoat code. Integrating Spring security into the application resolves this issue.
-->
<http pattern="/css/**" security="none"/>
<http pattern="/images/**" security="none"/>
<http pattern="/javascript/**" security="none"/>
<http pattern="/favicon.ico" security="none"/>
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/login.do" access="permitAll" />
<intercept-url pattern="/logout.do" access="permitAll" />
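Review bot: `security="none"` on `/css/**`, `/images/**`, `/javascript/**` and `/favicon.ico` removes those paths from the Spring Security filter chain entirely, not merely from authentication, so anything served under them receives no session handling or other filter-chain protection; if any of those directories can ever hold more than static files, `<intercept-url pattern="/css/**" access="permitAll"/>` inside the main `<http>` element below is the safer equivalent because the chain still runs. These patterns are matched by Spring Security rather than the container, so a difference in path normalization (`..` or `;` segments) between the two would widen the exclusion — whether this Spring Security version normalizes such paths is not visible here, so a quick test of `/css/../attack`-style requests is worth doing before relying on it. A comment such as `<!-- security="none" bypasses the whole filter chain for these paths; keep them static content only -->` above the first `<http pattern=...>` line would record the intent. The `<http auto-config="true">` element that follows continues outside the hunk.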


@ -1,71 +1,71 @@
<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
errorPage=""%>
<%@page import="org.owasp.webgoat.session.WebSession"%>
<%
WebSession webSession = ((WebSession) session
.getAttribute("websession"));
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>WebGoat V5.4</title>
<link rel="stylesheet" href="css/webgoat.css" type="text/css" />
</head>
<body>
<div id="wrap">
<div id="top"></div>
<div id="start">
<p>Thank you for taking the time to improve WebGoat!</p>
<p>The lesson you were on was: <%=webSession.getCurrentLesson().getName()%></p>
<p>There are several ways to report a bug, fix a bug, or get help.</p>
<b>To report a bug:</b>
<ol>
<li>File a WebGoat defect using <a
href="http://code.google.com/p/webgoat/issues/list">Google Code
WebGoat Issues</a>. Please be as specific as possible. If you have a
recommended solution for a bug, include the solution in the bug report.</li>
</ol>
<b>To get help:</b>
<ol>
<li>Look in the <a
href="http://code.google.com/p/webgoat/wiki/FAQ">FAQ</a>,
the most common problems are in the FAQ. The FAQ also allows user comments,
but it is not monitored like the WebGoat mailing list.</li>
<li>Send an email to the <a
href="mailto: owasp-webgoat@lists.owasp.org?subject=WebGoat Help Request - Lesson:
<%=webSession.getCurrentLesson().getName()%>">WebGoat
mail list</a>. The WebGoat mail list is the preferred method to ask for
help. It is likely that someone has already experienced the issue you
are seeing. In order to post to the list you must be <a
href="https://lists.owasp.org/mailman/listinfo/owasp-webgoat">subscribed</a>
to the WebGoat Mail List.</li>
<li>Send an email to <a
href="mailto: <%=webSession.getWebgoatContext().getFeedbackAddress()%>?subject=WebGoat Direct Help Request - Lesson:
<%=webSession.getCurrentLesson().getName()%>">Bruce
Mayhew</a></li>
</ol>
<b>To fix a bug, typo, or enhance WebGoat:</b>
<ol>
<li>Send an email to <a
href="mailto: <%=webSession.getWebgoatContext().getFeedbackAddress()%>?subject=WebGoat Contributor Request">Bruce
Mayhew</a>. This will start the discussion of getting you added to the <a
href="http://code.google.com/p/webgoat/people/list">WebGoat
Contributers List</a>. Once you become a WebGoat contributor, you can fix
as many bugs/lessons as you desire.</li>
</ol>
<div id="bottom">
<div align="center"><a href="http://www.owasp.org">OWASP Foundation</a> |
<a href="http://www.owasp.org/index.php/OWASP_WebGoat_Project">Project WebGoat</a>
</div>
</div>
</div>
</div>
</body>
</html>
<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
errorPage=""%>
<%@page import="org.owasp.webgoat.session.WebSession"%>
<%
WebSession webSession = ((WebSession) session
.getAttribute("websession"));
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>WebGoat V5.4</title>
<link rel="stylesheet" href="css/webgoat.css" type="text/css" />
</head>
<body>
<div id="wrap">
<div id="top"></div>
<div id="start">
<p>Thank you for taking the time to improve WebGoat!</p>
<p>The lesson you were on was: <%=webSession.getCurrentLesson().getName()%></p>
<p>There are several ways to report a bug, fix a bug, or get help.</p>
<b>To report a bug:</b>
<ol>
<li>File a WebGoat defect using <a
href="http://code.google.com/p/webgoat/issues/list">Google Code
WebGoat Issues</a>. Please be as specific as possible. If you have a
recommended solution for a bug, include the solution in the bug report.</li>
</ol>
<b>To get help:</b>
<ol>
<li>Look in the <a
href="http://code.google.com/p/webgoat/wiki/FAQ">FAQ</a>,
the most common problems are in the FAQ. The FAQ also allows user comments,
but it is not monitored like the WebGoat mailing list.</li>
<li>Send an email to the <a
href="mailto: owasp-webgoat@lists.owasp.org?subject=WebGoat Help Request - Lesson:
<%=webSession.getCurrentLesson().getName()%>">WebGoat
mail list</a>. The WebGoat mail list is the preferred method to ask for
help. It is likely that someone has already experienced the issue you
are seeing. In order to post to the list you must be <a
href="https://lists.owasp.org/mailman/listinfo/owasp-webgoat">subscribed</a>
to the WebGoat Mail List.</li>
<li>Send an email to <a
href="mailto: <%=webSession.getWebgoatContext().getFeedbackAddress()%>?subject=WebGoat Direct Help Request - Lesson:
<%=webSession.getCurrentLesson().getName()%>">Bruce
Mayhew</a></li>
</ol>
<b>To fix a bug, typo, or enhance WebGoat:</b>
<ol>
<li>Send an email to <a
href="mailto: <%=webSession.getWebgoatContext().getFeedbackAddress()%>?subject=WebGoat Contributor Request">Bruce
Mayhew</a>. This will start the discussion of getting you added to the <a
href="http://code.google.com/p/webgoat/people/list">WebGoat
Contributers List</a>. Once you become a WebGoat contributor, you can fix
as many bugs/lessons as you desire.</li>
</ol>
<div id="bottom">
<div align="center"><a href="http://www.owasp.org">OWASP Foundation</a> |
<a href="http://www.owasp.org/index.php/OWASP_WebGoat_Project">Project WebGoat</a>
</div>
</div>
</div>
</div>
</body>
</html>


@ -1,138 +1,138 @@
<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
errorPage=""%>
<%@page import="org.owasp.webgoat.session.WebSession"%>
<%
WebSession webSession = ((WebSession) session.getAttribute("websession"));
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>WebGoat V5.4</title>
<link rel="stylesheet" href="css/webgoat.css" type="text/css" />
</head>
<body>
<div id="wrap">
<div id="top"></div>
<div id="start">
<p>Thank you for using WebGoat! This program is a demonstration of common web application flaws.
The exercises are intended to provide hands on experience with
application penetration testing techniques. </p>
<p>The WebGoat project is led
by Bruce Mayhew. Please send all comments to Bruce at <%=webSession.getWebgoatContext().getFeedbackAddress()%>.</p>
<div id="team">
<table border="0" align="center" class="lessonText">
<tr>
<td width="50%">
<div align="center"><a href="http://www.owasp.org"><img
border="0" src="images/logos/owasp.jpg" alt="OWASP Foundation"
longdesc="http://www.owasp.org" /></a></div>
</td>
<td width="50%">
<div align="center"><a href="http://www.aspectsecurity.com"><img
border="0" src="images/logos/aspect.jpg" alt="Aspect Security"
longdesc="http://www.aspectsecurity.com" /></a></div>
</td>
</tr>
<tr>
<td colspan="2">
<div align="center"><span class="style1">
WebGoat Authors </span></div>
</td>
</tr>
<tr>
<td colspan="2">
<div align="center"><span class="style2">
Bruce Mayhew </span></div>
</td>
</tr>
<tr>
<td colspan="2">
<div align="center"><span class="style2">
Jeff Williams </span></div>
</td>
</tr>
<tr>
<td width="50%">
<div align="center"><span class="style1"><br />
WebGoat Design Team </span></div>
</td>
<td width="50%">
<div align="center"><span class="style1"><br />
V5.4 Lesson Contributers </span></div>
</td>
</tr>
<tr>
<td valign="top">
<div align="center" class="style2">David Anderson</div>
<div align="center" class="style2">Laurence Casey (Graphics)</div>
<div align="center" class="style2">Rogan Dawes</div>
<div align="center" class="style2">Bruce Mayhew</div>
</td>
<td valign="top">
<div align="center" class="style2">Sherif Koussa</div>
<div align="center" class="style2">Yiannis Pavlosoglou</div>
<div align="center" class="style2"></div>
</td>
</tr>
<tr>
<td height="25" valign="bottom">
<div align="center"><span class="style1">Special Thanks
for V5.4</span></div>
</td>
<td height="25" valign="bottom">
<div align="center"><span class="style1">Documentation
Contributers</span></div>
</td>
</tr>
<tr>
<td>
<div align="center" class="style2">Brian Ciomei (Multitude of bug fixes)</div>
<div align="center" class="style2">To all who have sent comments</div>
</td>
<td>
<div align="center" class="style2">
<a href="http://www.zionsecurity.com/" target="_blank">Erwin Geirnaert</a></div>
<div align="center" class="style2">
<a href="http://yehg.org/" target="_blank">Aung Khant</a></div>
<div align="center" class="style2">
<a href="http://www.softwaresecured.com" target="blank">Sherif Koussa</a>
</div>
</td>
</tr>
<tr>
<td colspan="2">
<div align="center" class="style2">
<form id="form" name="form" method="post" action="attack"><input
type="submit" name="start" value="Start WebGoat" /></form>
</div>
</td>
</tr>
<tr>
<td>
<div align="center" class="style2">&nbsp;</div>
</td>
</tr>
</table>
</div>
</div>
<div align="center" class="style2">&nbsp;</div>
<div align="center" class="style2">&nbsp;</div>
<div align="center" class="style2">&nbsp;</div>
<div id="warning">WARNING<br />
While running this program, your machine is extremely vulnerable to
attack if you are not running on localhost. If you are NOT running on localhost (default configuration), You should disconnect from the network while using this program.
<br />
<br />
This program is for educational purposes only. Use of these techniques
without permission could lead to job termination, financial liability,
and/or criminal penalties.</div>
</div>
</body>
</html>
<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
errorPage=""%>
<%@page import="org.owasp.webgoat.session.WebSession"%>
<%
WebSession webSession = ((WebSession) session.getAttribute("websession"));
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>WebGoat V5.4</title>
<link rel="stylesheet" href="css/webgoat.css" type="text/css" />
</head>
<body>
<div id="wrap">
<div id="top"></div>
<div id="start">
<p>Thank you for using WebGoat! This program is a demonstration of common web application flaws.
The exercises are intended to provide hands on experience with
application penetration testing techniques. </p>
<p>The WebGoat project is led
by Bruce Mayhew. Please send all comments to Bruce at <%=webSession.getWebgoatContext().getFeedbackAddress()%>.</p>
<div id="team">
<table border="0" align="center" class="lessonText">
<tr>
<td width="50%">
<div align="center"><a href="http://www.owasp.org"><img
border="0" src="images/logos/owasp.jpg" alt="OWASP Foundation"
longdesc="http://www.owasp.org" /></a></div>
</td>
<td width="50%">
<div align="center"><a href="http://www.aspectsecurity.com"><img
border="0" src="images/logos/aspect.jpg" alt="Aspect Security"
longdesc="http://www.aspectsecurity.com" /></a></div>
</td>
</tr>
<tr>
<td colspan="2">
<div align="center"><span class="style1">
WebGoat Authors </span></div>
</td>
</tr>
<tr>
<td colspan="2">
<div align="center"><span class="style2">
Bruce Mayhew </span></div>
</td>
</tr>
<tr>
<td colspan="2">
<div align="center"><span class="style2">
Jeff Williams </span></div>
</td>
</tr>
<tr>
<td width="50%">
<div align="center"><span class="style1"><br />
WebGoat Design Team </span></div>
</td>
<td width="50%">
<div align="center"><span class="style1"><br />
V5.4 Lesson Contributers </span></div>
</td>
</tr>
<tr>
<td valign="top">
<div align="center" class="style2">David Anderson</div>
<div align="center" class="style2">Laurence Casey (Graphics)</div>
<div align="center" class="style2">Rogan Dawes</div>
<div align="center" class="style2">Bruce Mayhew</div>
</td>
<td valign="top">
<div align="center" class="style2">Sherif Koussa</div>
<div align="center" class="style2">Yiannis Pavlosoglou</div>
<div align="center" class="style2"></div>
</td>
</tr>
<tr>
<td height="25" valign="bottom">
<div align="center"><span class="style1">Special Thanks
for V5.4</span></div>
</td>
<td height="25" valign="bottom">
<div align="center"><span class="style1">Documentation
Contributers</span></div>
</td>
</tr>
<tr>
<td>
<div align="center" class="style2">Brian Ciomei (Multitude of bug fixes)</div>
<div align="center" class="style2">To all who have sent comments</div>
</td>
<td>
<div align="center" class="style2">
<a href="http://www.zionsecurity.com/" target="_blank">Erwin Geirnaert</a></div>
<div align="center" class="style2">
<a href="http://yehg.org/" target="_blank">Aung Khant</a></div>
<div align="center" class="style2">
<a href="http://www.softwaresecured.com" target="blank">Sherif Koussa</a>
</div>
</td>
</tr>
<tr>
<td colspan="2">
<div align="center" class="style2">
<form id="form" name="form" method="post" action="attack"><input
type="submit" name="start" value="Start WebGoat" /></form>
</div>
</td>
</tr>
<tr>
<td>
<div align="center" class="style2">&nbsp;</div>
</td>
</tr>
</table>
</div>
</div>
<div align="center" class="style2">&nbsp;</div>
<div align="center" class="style2">&nbsp;</div>
<div align="center" class="style2">&nbsp;</div>
<div id="warning">WARNING<br />
While running this program, your machine is extremely vulnerable to
attack if you are not running on localhost. If you are NOT running on localhost (default configuration), You should disconnect from the network while using this program.
<br />
<br />
This program is for educational purposes only. Use of these techniques
without permission could lead to job termination, financial liability,
and/or criminal penalties.</div>
</div>
</body>
</html>