From 0aa94a71e593bfad1b5a10145b621d49e5a29ba5 Mon Sep 17 00:00:00 2001 From: Jason White Date: Tue, 28 Jun 2016 16:20:40 +0200 Subject: [PATCH 1/4] initial support for separation of content from attack in UI --- .../src/main/resources/static/css/main.css | 6 ++++++ .../js/goatApp/controller/LessonController.js | 12 +++++++++--- .../static/js/goatApp/view/HelpControlsView.js | 8 ++++---- .../static/js/goatApp/view/LessonContentView.js | 15 ++++++++++----- 4 files changed, 29 insertions(+), 12 deletions(-) diff --git a/webgoat-container/src/main/resources/static/css/main.css b/webgoat-container/src/main/resources/static/css/main.css index c05467ad1..dc79eafd1 100644 --- a/webgoat-container/src/main/resources/static/css/main.css +++ b/webgoat-container/src/main/resources/static/css/main.css @@ -925,4 +925,10 @@ cookie-container { .help-button { margin-right:4px; +} + +/* ATTACK DISPLAY */ + +div.attack-container { + display:none; } \ No newline at end of file diff --git a/webgoat-container/src/main/resources/static/js/goatApp/controller/LessonController.js b/webgoat-container/src/main/resources/static/js/goatApp/controller/LessonController.js index 17f77bbab..911db2f08 100644 --- a/webgoat-container/src/main/resources/static/js/goatApp/controller/LessonController.js +++ b/webgoat-container/src/main/resources/static/js/goatApp/controller/LessonController.js 
@@ -98,10 +98,11 @@ define(['jquery', hasPlan:this.lessonInfoModel.get('hasPlan'), hasSolution:this.lessonInfoModel.get('hasSolution'), hasSource:this.lessonInfoModel.get('hasSource'), - hasHints:(this.lessonInfoModel.get('numberHints') > 0), + hasHints:(this.lessonInfoModel.get('numberHints') > 0) + //hasAttack:this.lessonInfo.get('hasAttack') // TODO: add attack options }); - this.listenTo(this.helpControlsView,'plan:show',this.hideShowHelps); + this.listenTo(this.helpControlsView,'attack:show',this.hideShowAttack); this.listenTo(this.helpControlsView,'solution:show',this.hideShowHelps); this.listenTo(this.helpControlsView,'hints:show',this.onShowHints) this.listenTo(this.helpControlsView,'source:show',this.hideShowHelps); @@ -128,7 +129,6 @@ define(['jquery', this.lessonHintView = new HintView(); this.cookieView = new CookieView(); - //TODO: instantiate model with values (not sure why was not working before) var paramModel = new ParamModel({}); paramModel.set('scrParam',this.lessonContent.get('scrParam')); @@ -180,6 +180,12 @@ define(['jquery', this.lessonHintView.render(); }; + this.hideShowAttack = function (options) { // will likely expand this to encompass + if (options.show) { + $('div.attack-container').show(); + } + }; + this.restartLesson = function() { var self=this; var fragment = "attack/" + self.scr + "/" + self.menu; diff --git a/webgoat-container/src/main/resources/static/js/goatApp/view/HelpControlsView.js b/webgoat-container/src/main/resources/static/js/goatApp/view/HelpControlsView.js index 2a3e6da6b..86235a16f 100644 --- a/webgoat-container/src/main/resources/static/js/goatApp/view/HelpControlsView.js +++ b/webgoat-container/src/main/resources/static/js/goatApp/view/HelpControlsView.js 
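Review bot: The commented-out `//hasAttack:this.lessonInfo.get('hasAttack')` reads `this.lessonInfo`, while every neighbouring option reads `this.lessonInfoModel`, so enabling the TODO as written would throw; make the placeholder `//hasAttack:this.lessonInfoModel.get('hasAttack')` now so it does not mislead when it is uncommented. The `hasPlan:` option is still passed to HelpControlsView even though this series removes its only visible consumer (the `if (this.hasPlan)` branch in HelpControlsView.js), so either drop it or note that it is kept deliberately. The enclosing view setup starts and ends outside the hunk.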
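Review bot: `hideShowAttack` only ever shows the container: `if (options.show)` has no else branch, so a `{show:false}` payload, which the name and the argument shape invite, is silently ignored. If the hide path is intended, `$('div.attack-container').toggle(Boolean(options.show));` handles both cases in one line; if the function is meant to be show-only for now, say so in the comment instead of "will likely expand this to encompass", which trails off. The handler is complete within the hunk.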
@@ -29,8 +29,8 @@ function($,_,Backbone) { if (this.hasSolution) { this.$el.find('#show-solution-button').unbind().on('click',_.bind(this.showSolution,this)).show(); } - if (this.hasPlan) { - this.$el.find('#show-plan-button').unbind().on('click',_.bind(this.showPlan,this)).show(); + if (true) { //FIXME: change to this.hasAttack + this.$el.find('#show-attack-button').unbind().on('click',_.bind(this.showAttack,this)).show(); } if (this.hasHints) { this.$el.find('#show-hints-button').unbind().on('click',_.bind(this.showHints,this)).show(); @@ -48,8 +48,8 @@ function($,_,Backbone) { this.trigger('solution:show','solution'); }, - showPlan: function() { - this.trigger('plan:show','plan'); + showAttack: function() { + this.trigger('attack:show',{show:true}); }, showHints: function() { diff --git a/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js b/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js index d51bf5946..5528ef31c 100644 --- a/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js +++ b/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js @@ -25,14 +25,14 @@ define(['jquery', //TODO: reimplement this in custom fashion maybe? makeFormsAjax: function () { var options = { - success:this.reLoadView.bind(this), + success:this.onAttackExecution.bind(this), url: this.model.urlRoot, type:'GET' // $.ajax options can be used here too, for example: //timeout: 3000 }; //hook forms //TODO: clarify form selectors later - $("form").ajaxForm(options); + $("form.attack").ajaxForm(options); }, ajaxifyAttackHref: function() { // rewrite any links with hrefs point to relative attack URLs 
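Review bot: `if (true) { //FIXME: change to this.hasAttack` shows the attack button for every lesson, and nothing in this series sets `this.hasAttack` — the controller's `hasAttack:` option is still commented out — so flipping the FIXME as written would hide the button everywhere. Either pass `hasAttack` from LessonController now and gate on `if (this.hasAttack) {`, or extend the FIXME to say which change is expected to wire the option so the two halves land together. The enclosing render function starts outside the hunk.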
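Review bot: `showAttack` triggers `'attack:show'` with an object payload `{show:true}` while the sibling handler visible in the same hunk passes a plain string (`this.trigger('solution:show','solution')`), so two events of the same family now have different contracts. If the object form is the direction, a one-line comment on `showAttack` such as `// payload is {show: boolean}, unlike the other help events which pass a name string` keeps the controller-side handlers from being mixed up. `showAttack` is complete within the hunk.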
@@ -54,10 +54,15 @@ define(['jquery', }); }, - reLoadView: function(content) { - this.model.setContent(content); - this.render(); + onAttackExecution: function(feedback) { + console.log('attack executed') + this.renderFeedback(feedback); + }, + + renderFeedback: function(feedback) { + this.$el.find('feedback').html(feedback); } + }); From 3f37b06d1fa0be453edfa01a4b1a9970b9e03a55 Mon Sep 17 00:00:00 2001 From: Jason White Date: Tue, 28 Jun 2016 16:21:14 +0200 Subject: [PATCH 2/4] initial support for separation of content from attack in UI --- .../src/main/resources/templates/main_new.html | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/webgoat-container/src/main/resources/templates/main_new.html b/webgoat-container/src/main/resources/templates/main_new.html index ad9585803..beea32f46 100644 --- a/webgoat-container/src/main/resources/templates/main_new.html +++ b/webgoat-container/src/main/resources/templates/main_new.html @@ -113,13 +113,12 @@ - - + +
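Review bot: `this.$el.find('feedback')` is a tag selector and only matches a literal `<feedback>` element; if the template's feedback area is an id or class (the main_new.html change in this series is not readable here), this should be `this.$el.find('#feedback')` or `.feedback`, otherwise `renderFeedback` writes into an empty set and the user sees nothing after an attack. `.html(feedback)` renders the raw attack response as markup; if the server returns text rather than lesson HTML for this path, `.text(feedback)` is the safer default, and either way a comment on `onAttackExecution` should state what content type `feedback` is expected to carry. The stray `console.log('attack executed')` (no semicolon) reads as debug output to drop before merge. Both new methods are complete within the hunk; the @@ -25 hunk above wires the same callback via `this.onAttackExecution.bind(this)`.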

Hints

From 501ec1f9e0edf675359767a7ffb4105a28d4231f Mon Sep 17 00:00:00 2001 From: Jason White Date: Tue, 28 Jun 2016 16:22:50 +0200 Subject: [PATCH 3/4] Turning off caching in spring boot for dev purposes --- .../src/main/java/org/owasp/webgoat/WebSecurityConfig.java | 1 + 1 file changed, 1 insertion(+) diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java b/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java index bd1e5a5f8..6d6e9db31 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java @@ -64,6 +64,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter { security.and() .logout() .permitAll(); + http.headers().cacheControl().disable(); } From a8ac2d7a0cc01f2e070909e6b3eb396c44a613dd Mon Sep 17 00:00:00 2001 From: Jason White Date: Wed, 29 Jun 2016 10:39:54 +0200 Subject: [PATCH 4/4] moving attack form to modal/overlay ... initial cut --- .../static/js/goatApp/controller/LessonController.js | 7 ++++++- .../resources/static/js/goatApp/view/LessonContentView.js | 4 ++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/webgoat-container/src/main/resources/static/js/goatApp/controller/LessonController.js b/webgoat-container/src/main/resources/static/js/goatApp/controller/LessonController.js index 911db2f08..4fedc2bf5 100644 --- a/webgoat-container/src/main/resources/static/js/goatApp/controller/LessonController.js +++ b/webgoat-container/src/main/resources/static/js/goatApp/controller/LessonController.js 
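Review bot: `http.headers().cacheControl().disable();` is unconditional, so Spring Security's default cache headers (`Cache-Control`, `Pragma`, `Expires`) are dropped in every environment, not only the dev setup named in the commit message, and authenticated lesson pages become cacheable by browsers and intermediaries. Gate it on a development profile or property — for example a configuration guarded by `@Profile("dev")` or a check against `Environment` — and add a comment such as `// dev only: cache headers disabled so edited static assets reload; must not ship enabled` so the intent survives the merge. The preceding statement chains on `security` while this one uses `http`; if both name the same builder that is fine, but as read it looks like two builders are being configured. The enclosing method starts and ends outside the hunk.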
@@ -182,7 +182,12 @@ define(['jquery', this.hideShowAttack = function (options) { // will likely expand this to encompass if (options.show) { - $('div.attack-container').show(); + $('div#attack-container').show(); + $('div#attack-container div.modal-header button.close, #about-modal div.modal-footer button').unbind('click').on('click', function() { + $('div#attack-container').hide(200); + }); + //this.lessonView.makeFormsAjax(); + //this.lessonView.ajaxifyAttackHref(); } }; diff --git a/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js b/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js index 5528ef31c..fedb09450 100644 --- a/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js +++ b/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js @@ -32,14 +32,14 @@ define(['jquery', //timeout: 3000 }; //hook forms //TODO: clarify form selectors later - $("form.attack").ajaxForm(options); + $("form.attack-form").ajaxForm(options); }, ajaxifyAttackHref: function() { // rewrite any links with hrefs point to relative attack URLs var self = this; // The current LessonAdapter#getLink() generates a hash-mark link. It will not match the mask below. // Besides, the new MVC code registers an event handler that will reload the lesson according to the route. - $.each($('a[href^="attack?"]'),function(i,el) { + $.each($('a[href^="attack?"]'),function(i,el) { //FIXME: need to figure out what to do here ... var url = $(el).attr('href'); $(el).unbind('click').attr('href','#').attr('link',url); //TODO pull currentMenuId
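Review bot: The close-button selector `'div#attack-container div.modal-header button.close, #about-modal div.modal-footer button'` also binds the About modal's footer button, which looks like a copy-paste leftover: clicking that button would now hide the attack container as well. Limit it to `$('div#attack-container div.modal-header button.close').unbind('click').on('click', function() {`. The container is now addressed by id (`div#attack-container`) while the rule added to main.css in the first patch hides `div.attack-container` by class; unless the template carries both, the modal is no longer hidden on load — the template change in this series is not readable here, so please confirm. The `{show:false}` path remains a no-op, as in the earlier version of this function, which is complete within the hunk.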
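Review bot: The form selector has moved from `form` to `form.attack` to `form.attack-form` across two commits and the matching class in main_new.html is not visible in this series, so it is worth confirming the template marks the attack form with `attack-form`; otherwise `ajaxForm` binds nothing and the form submits as a full page load. A comment above the line naming the template element it targets (`// matches the attack form in main_new.html`) would make the coupling explicit. The `//FIXME` appended to the `$.each` line does not say what is undecided; stating the open question (e.g. whether `attack?` links should open the modal) makes it actionable. `ajaxifyAttackHref` continues outside the hunk.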