dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #59 from nbaars/master

Browse Source 
Lab - DOM-based cross-site scripting: Java Source produces XSS alert #38
This commit is contained in:
misfir3 2015-09-09 06:29:42 -04:00
commit 85f18bc6d5
8 changed files with 35 additions and 179 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
pom.xml
View File

@ -15,6 +15,5 @@
<modules>
<module>webgoat-container</module>
<module>webgoat-classloader</module>
<!-- <module>webgoat-release</module> -->
</modules>
</project>

44
webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonAdapter.java
View File

@ -1,5 +1,7 @@
package org.owasp.webgoat.lessons;
import com.google.common.base.Joiner;
import org.apache.commons.io.IOUtils;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
@ -14,37 +16,39 @@ import org.owasp.webgoat.session.WebSession;
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;
/**
* *************************************************************************************************
*
*
* <p>
* <p>
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* <p>
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* <p>
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* <p>
* Getting Source ==============
*
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
*
* <p>
* For details, please see http://webgoat.github.io
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
@ -69,25 +73,21 @@ public abstract class LessonAdapter extends AbstractLesson {
ec.addElement(new P());
ec
.addElement(new StringElement(
"Lesson are simple to create and very little coding is required. &nbsp;&nbsp;"
"Lesson are simple to create and very little coding is required. &nbsp;&nbsp;"
+ "In fact, most lessons can be created by following the easy to use instructions in the "
+ "<A HREF=http://www.owasp.org/index.php/WebGoat_User_and_Install_Guide_Table_of_Contents>WebGoat User Guide.</A>&nbsp;&nbsp;"
+ "If you would prefer, send your lesson ideas to "
+ getWebgoatContext().getFeedbackAddressHTML()));
String fileName = s.getContext().getRealPath("WEB-INF/classes/New Lesson Instructions.txt");
if (fileName != null) {
try {
try (InputStream is = Thread.currentThread().getContextClassLoader()
.getResourceAsStream("New Lesson Instructions.txt")) {
if (is != null) {
PRE pre = new PRE();
BufferedReader in = new BufferedReader(new FileReader(fileName));
String line = null;
while ((line = in.readLine()) != null) {
pre.addElement(line + "\n");
}
pre.addElement(Joiner.on("\n").join(IOUtils.readLines(is)));
ec.addElement(pre);
} catch (Exception e) {
e.printStackTrace();
}
} catch (IOException e) {
e.printStackTrace();
}
return (ec);
}
@ -140,9 +140,9 @@ public abstract class LessonAdapter extends AbstractLesson {
/**
* Gets the credits attribute of the AbstractLesson object
*
* @deprecated Credits are in the about page. This method s no
* longer called from WebGoat
* @return The credits value
* @deprecated Credits are in the about page. This method s no
* longer called from WebGoat
*/
public Element getCredits() {
return new StringElement();

5
webgoat-container/src/main/java/org/owasp/webgoat/plugins/Plugin.java
View File

@ -16,9 +16,6 @@ import java.util.HashMap;
import java.util.List;
import java.util.Map;
import static java.nio.file.StandardOpenOption.APPEND;
import static java.nio.file.StandardOpenOption.CREATE;
import static java.nio.file.StandardOpenOption.TRUNCATE_EXISTING;
import static org.owasp.webgoat.plugins.PluginFileUtils.fileEndsWith;
import static org.owasp.webgoat.plugins.PluginFileUtils.hasParentDirectoryWithName;
import static org.owasp.webgoat.plugins.PluginFileUtils.replaceInFiles;
@ -94,7 +91,7 @@ public class Plugin {
Path propertiesPath = createPropertiesDirectory();
LabelProvider.updatePluginResources(propertiesPath);
PluginFileUtils.createDirsIfNotExists(file.getParent());
Files.write(propertiesPath.resolve(file.getFileName()), lines, CREATE, (reload ? APPEND : TRUNCATE_EXISTING));
Files.write(propertiesPath.resolve(file.getFileName()), lines);
} catch (IOException io) {
throw new PluginLoadingFailure("Property file detected, but unable to copy the properties", io);
}

14
webgoat-container/src/main/java/org/owasp/webgoat/service/SourceService.java
View File

@ -30,9 +30,7 @@
*/
package org.owasp.webgoat.service;
import javax.servlet.http.HttpSession;
import static org.owasp.webgoat.LessonSource.END_SOURCE_SKIP;
import static org.owasp.webgoat.LessonSource.START_SOURCE_SKIP;
import org.apache.commons.lang3.StringEscapeUtils;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.WebSession;
@ -40,6 +38,11 @@ import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpSession;
import static org.owasp.webgoat.LessonSource.END_SOURCE_SKIP;
import static org.owasp.webgoat.LessonSource.START_SOURCE_SKIP;
/**
*
* @author rlawson
@ -61,10 +64,7 @@ public class SourceService extends BaseService {
if (source == null) {
source = "No source listing found";
}
return source;
//SourceListing sl = new SourceListing();
//sl.setSource(source);
//return sl;
return StringEscapeUtils.escapeHtml4(source);
}
/**

9
webgoat-container/src/main/webapp/WEB-INF/pages/main_new.jsp
View File

@ -37,7 +37,8 @@
<!-- Require.js used to load js asynchronously -->
<script src="js/libs/require.min.js" data-main="js/main.js"></script>
<script src="js/jquery/jquery-1.10.2.min.js"></script>
<script src="plugins/bootstrap/js/bootstrap.min.js"></script>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>WebGoat</title>
</head>
@ -59,10 +60,10 @@
</div><!--lesson title end-->
<div class="user-nav pull-right" style="margin-right: 75px;">
<div class="dropdown" style="display:inline">
<button type="button" class="btn btn-default dropdown-toggle" id="dropdownMenu1" >
<button type="button" data-toggle="dropdown" class="btn btn-default dropdown-toggle" id="dropdownMenu1" >
<i class="fa fa-user"></i> <span class="caret"></span>
</button>
<ul class="dropdown-menu dropdown-menu-left" role="menu" aria-labelledby="dropdownMenu1">
<ul class="dropdown-menu dropdown-menu-left">
<li role="presentation"><a role="menuitem" tabindex="-1" href="<c:url value="j_spring_security_logout" />">Logout</a></li>
<li role="presentation" class="divider"></li>
<li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">User: ${user}</a></li>
@ -73,7 +74,7 @@
</ul>
</div>
<button type="button" class="btn btn-default right_nav_button" data-toggle="tooltip" title="About WebGoat">
<button type="button" data-toggle="modal" data-target="#aboutModal" class="btn btn-default right_nav_button" title="About WebGoat">
<i class="fa fa-info"></i>
</button>
<a href="mailto:${contactEmail}?Subject=Webgoat%20feedback" target="_top">

4
webgoat-release/.gitignore vendored
View File

@ -1,4 +0,0 @@
target/
.idea/
*.iml
dependency-reduced-pom.xml

18
webgoat-release/README.md
View File

@ -1,18 +0,0 @@
# Releasing WebGoat
## Introduction
This project will create a release for WebGoat ready for distribution.
This project creates a war with all the lessons included.
## Details
The following steps happen during the release:
* Download the webgoat-container.war from the repository
* Unpack the war
* Download the dist-plugin.zip from the repository
* Unpack the lessons
* Build the war again (webgoat-release-${version}.war)
* Create the executable jar (webgoat-release-${version}-war-exec.jar)

119
webgoat-release/pom.xml
View File

@ -1,119 +0,0 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<name>webgoat-release</name>
<modelVersion>4.0.0</modelVersion>
<artifactId>webgoat-release</artifactId>
<packaging>war</packaging>
<parent>
<groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-parent</artifactId>
<version>7.0-SNAPSHOT</version>
</parent>
<!-- Shared version number properties -->
<properties>
<tiles.version>2.2.2</tiles.version>
<!-- If run from Bamboo this will be replaced with the bamboo build number -->
<build.number>local</build.number>
<lessons.version>1.0</lessons.version>
<war.output.dir>${project.build.directory}/war/</war.output.dir>
<lessons.output.dir>${war.output.dir}/plugin_lessons</lessons.output.dir>
</properties>
<!--
Step 1: Unpack the container WAR file
Step 2: Use the zip file and unpack it
Step 3: Build a new WAR file and install it in the repository
-->
<build>
<plugins>
<!-- Unpack the container.war and dist-plugins.jar -->
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId>
<version>2.10</version>
<executions>
<execution>
<id>unpack-war</id>
<phase>generate-resources</phase>
<goals>
<goal>unpack</goal>
</goals>
<configuration>
<artifactItems>
<artifactItem>
<groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-container</artifactId>
<version>${project.version}</version>
<type>war</type>
</artifactItem>
</artifactItems>
<outputDirectory>${war.output.dir}</outputDirectory>
</configuration>
</execution>
<execution>
<id>unpack-lessons-zip</id>
<phase>generate-resources</phase>
<goals>
<goal>unpack</goal>
</goals>
<configuration>
<skip>false</skip>
<artifactItems>
<artifactItem>
<includes>**/*.jar</includes>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>dist</artifactId>
<version>${lessons.version}</version>
<type>zip</type>
<classifier>plugins</classifier>
</artifactItem>
</artifactItems>
<outputDirectory>${lessons.output.dir}</outputDirectory>
</configuration>
</execution>
</executions>
</plugin>
<!-- Create the war -->
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-war-plugin</artifactId>
<version>2.4</version>
<configuration>
<warSourceDirectory>${war.output.dir}</warSourceDirectory>
<archive>
<manifest>
<addDefaultImplementationEntries>true</addDefaultImplementationEntries>
</manifest>
<manifestEntries>
<Specification-Title>${project.name}</Specification-Title>
<Specification-Version>${project.version}</Specification-Version>
<Implementation-Version>${build.number}</Implementation-Version>
</manifestEntries>
</archive>
</configuration>
</plugin>
<!-- Create the executable jar -->
<plugin>
<groupId>org.apache.tomcat.maven</groupId>
<artifactId>tomcat7-maven-plugin</artifactId>
<version>2.1</version>
<configuration>
<url>http://localhost:8080/manager</url>
<path>/WebGoat</path>
<attachArtifactClassifier>exec</attachArtifactClassifier>
</configuration>
<executions>
<execution>
<id>tomcat-run</id>
<goals>
<goal>exec-war-only</goal>
</goals>
<phase>package</phase>
</execution>
</executions>
</plugin>
</plugins>
</build>
</project>