diff --git a/webgoat-container/pom.xml b/webgoat-container/pom.xml
index f9e4f76ae..d2f86a151 100644
--- a/webgoat-container/pom.xml
+++ b/webgoat-container/pom.xml
@@ -242,6 +242,12 @@ ${junit.version} jar + + com.github.fakemongo + fongo + 2.1.0 + test +
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/controller/StartLesson.java b/webgoat-container/src/main/java/org/owasp/webgoat/controller/StartLesson.java
index 6af1770f3..28d0524fb 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/controller/StartLesson.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/controller/StartLesson.java
@@ -33,7 +33,6 @@ package org.owasp.webgoat.controller;
 import org.owasp.webgoat.lessons.AbstractLesson;
 import org.owasp.webgoat.session.Course;
 import org.owasp.webgoat.session.WebSession;
-import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Controller;
@@ -77,8 +76,8 @@ public class StartLesson {
 // I will set here the thymeleaf fragment location based on the resource requested.
 ModelAndView model = new ModelAndView();
 SecurityContext context = SecurityContextHolder.getContext(); //TODO this should work with the security roles of Spring
- GrantedAuthority authority = context.getAuthentication().getAuthorities().iterator().next();
- String path = request.getServletPath(); // we now got /a/b/c/AccessControlMatrix.lesson
+ //GrantedAuthority authority = context.getAuthentication().getAuthorities().iterator().next();
+ String path = request.getRequestURL().toString(); // we now got /a/b/c/AccessControlMatrix.lesson
 String lessonName = path.substring(path.lastIndexOf('/') + 1, path.indexOf(".lesson"));
 List lessons = course.getLessons();
 Optional lesson = lessons.stream()
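Review bot: The new `String path = request.getRequestURL().toString();` is still sliced by `path.substring(path.lastIndexOf('/') + 1, path.indexOf(".lesson"))` with no check that `.lesson` was found or that it lies after the last `/`, so a URL without that suffix (or with a `/` after it) throws `StringIndexOutOfBoundsException` instead of producing a not-found response. `getRequestURL()` also returns the raw, undecoded URL including the client-supplied host part, whereas the replaced `getServletPath()` was decoded, so percent-encoded lesson names may no longer match (the lookup that uses `lessonName` continues past the end of the hunk). Guard before slicing: `int end = path.indexOf(".lesson"); if (end < 0) { /* respond not found */ } String lessonName = path.substring(path.lastIndexOf('/', end) + 1, end);` — or use `request.getRequestURI()` if only the path is wanted. The commented-out `//GrantedAuthority authority = ...` line next to the TODO is dead code and should be deleted rather than kept.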
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java
index eb200b354..1336fa326 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java
@@ -1,6 +1,6 @@
 package org.owasp.webgoat.lessons;
-import lombok.Getter;
+import com.google.common.collect.Lists;
 import lombok.Setter;
 import org.owasp.webgoat.session.Screen;
@@ -44,10 +44,16 @@ public abstract class AbstractLesson extends Screen implements Comparable assignments;
+ public List getAssignments() {
+ if (assignments == null) {
+ return Lists.newArrayList();
+ }
+ return assignments;
+ }
+
 /**
 * Constructor for the Lesson object
 */
diff --git a/webgoat-container/src/main/resources/application.properties b/webgoat-container/src/main/resources/application.properties
index 4119f9887..5ac2c63c3 100644
--- a/webgoat-container/src/main/resources/application.properties
+++ b/webgoat-container/src/main/resources/application.properties
@@ -29,6 +29,7 @@ webgoat.database.driver=org.hsqldb.jdbcDriver
 webgoat.database.connection.string=jdbc:hsqldb:mem:{USER}
 webgoat.default.language=en
+
 spring.data.mongodb.database=webgoat
 spring.mongodb.embedded.storage.databaseDir=${webgoat.user.directory}/mongodb/
diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/plugins/LessonTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/plugins/LessonTest.java
new file mode 100644
index 000000000..049d38697
--- /dev/null
+++ b/webgoat-container/src/test/java/org/owasp/webgoat/plugins/LessonTest.java
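Review bot: `getAssignments()` hands back a fresh `Lists.newArrayList()` whenever `assignments` is null, so anything a caller adds to that list is silently dropped while the field stays null, and the removed `lombok.Getter` import suggests this hand-written accessor now replaces a generated one that callers may have treated as the live list. Either initialise the field to an empty `ArrayList` at its declaration (which also removes the null branch) or return an immutable empty list such as `Collections.emptyList()` so a caller cannot mistake the result for the backing list. A one-line Javadoc on the method stating whether the returned list is the live backing collection or a read-only view would make the contract explicit; the field declaration itself is only partly visible in this hunk.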
@@ -0,0 +1,42 @@
+package org.owasp.webgoat.plugins;
+
+import org.junit.Before;
+import org.owasp.webgoat.i18n.Language;
+import org.owasp.webgoat.i18n.Messages;
+import org.owasp.webgoat.session.WebSession;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.context.embedded.LocalServerPort;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.mock.mockito.MockBean;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.web.context.WebApplicationContext;
+
+import java.util.Locale;
+
+import static org.mockito.Mockito.when;
+
+/**
+ * @author nbaars
+ * @since 5/20/17.
+ */
+@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
+public abstract class LessonTest {
+
+ @LocalServerPort
+ protected int localPort;
+ protected MockMvc mockMvc;
+ @Autowired
+ protected WebApplicationContext wac;
+ @Autowired
+ protected Messages messages;
+ @MockBean
+ protected WebSession webSession;
+ @MockBean
+ private Language language;
+
+ @Before
+ public void init() {
+ when(language.getLocale()).thenReturn(Locale.US);
+ }
+
+}
diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/plugins/TestConfig.java b/webgoat-container/src/test/java/org/owasp/webgoat/plugins/TestConfig.java
new file mode 100644
index 000000000..5946104b4
--- /dev/null
+++ b/webgoat-container/src/test/java/org/owasp/webgoat/plugins/TestConfig.java
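Review bot: `protected MockMvc mockMvc;` is declared in this base class but never assigned, so every subclass has to remember to build it from `wac` before use or it stays null; initialising it in `init()` with `mockMvc = MockMvcBuilders.webAppContextSetup(wac).build();` (importing `org.springframework.test.web.servlet.setup.MockMvcBuilders`) keeps that in one place. The class carries `@SpringBootTest` and a JUnit 4 `@Before` but no `@RunWith(SpringRunner.class)`, so unless each concrete subclass adds the runner the `@Autowired` and `@MockBean` fields are never injected — presumably the subclasses do, but it belongs on the base class. The Javadoc gives only author and date; a summary such as `Base class for lesson tests: boots the application on a random port, mocks the WebSession and fixes the locale to en_US.` would say what subclasses get.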
@@ -0,0 +1,23 @@
+package org.owasp.webgoat.plugins;
+
+import com.github.fakemongo.Fongo;
+import com.mongodb.MongoClient;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.data.mongodb.config.AbstractMongoConfiguration;
+
+/**
+ * Using Fongo for embedded in memory MongoDB testing
+ */
+@Configuration
+public class TestConfig extends AbstractMongoConfiguration {
+
+ @Override
+ protected String getDatabaseName() {
+ return "test";
+ }
+
+ @Override
+ public MongoClient mongo() throws Exception {
+ return new Fongo(getDatabaseName()).getMongo();
+ }
+}
\ No newline at end of file
diff --git a/webgoat-lessons/pom.xml b/webgoat-lessons/pom.xml
index 51babeab6..f19b0ba3c 100644
--- a/webgoat-lessons/pom.xml
+++ b/webgoat-lessons/pom.xml
@@ -33,11 +33,19 @@ ${project.version} provided jar + + + + de.flapdoodle.embed + de.flapdoodle.embed.mongo + + - - - + + + org.owasp.webgoat
@@ -45,6 +53,14 @@ ${project.version} tests test + + + + de.flapdoodle.embed + de.flapdoodle.embed.mongo + + junit
@@ -70,6 +86,12 @@ 4.1.3.RELEASE test + + com.github.fakemongo + fongo + 2.1.0 + test + org.owasp.encoder encoder
@@ -119,6 +141,6 @@ - - + +
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java
index 3214757c6..3a3ddb74f 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java
@@ -1,8 +1,9 @@
 package org.owasp.webgoat.plugin;
+import com.beust.jcommander.internal.Lists;
 import com.google.common.base.Joiner;
 import lombok.SneakyThrows;
-import org.apache.commons.lang.exception.ExceptionUtils;
+import org.apache.commons.lang3.StringEscapeUtils;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
@@ -59,9 +60,9 @@ public class BlindSendFileAssignment extends AssignmentEndpoint {
 @Value("${webgoat.user.directory}")
 private String webGoatHomeDirectory;
 @Autowired
- private WebSession webSession;
- @Autowired
 private Comments comments;
+ @Autowired
+ private WebSession webSession;
 @PostConstruct
 @SneakyThrows
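Review bot: The added `import com.beust.jcommander.internal.Lists;` reaches into the internal package of JCommander, a library this module has no declared reason to use (it is presumably on the classpath only transitively), so the class stops compiling the day that transitive dependency moves or hides the package. `AbstractLesson` in this same commit uses Guava's `com.google.common.collect.Lists`, so the import should be `import com.google.common.collect.Lists;` — or simply `new ArrayList<>()` from `java.util`. Swapping the order of the `comments` and `webSession` field declarations in the second hunk changes nothing and only adds diff noise.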
@@ -76,20 +77,20 @@ public class BlindSendFileAssignment extends AssignmentEndpoint {
 @RequestMapping(method = RequestMethod.POST, consumes = MediaType.ALL_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
 @ResponseBody
- public AttackResult createNewUser(@RequestBody String commentStr) throws Exception {
- String error = "Parsing successful contents not send to server";
+ public AttackResult addComment(@RequestBody String commentStr) throws Exception {
+ String error = "Parsing successful contents not send to attacker";
 try {
 Comment comment = comments.parseXml(commentStr);
 comments.addComment(comment, false);
 } catch (Exception e) {
- error = ExceptionUtils.getFullStackTrace(e);
+ error = StringEscapeUtils.escapeJson(e.toString());
 }
- File logFile = new File(webGoatHomeDirectory, "/XXE/log.txt");
- List lines = Files.readAllLines(Paths.get(logFile.toURI()));
+ File logFile = new File(webGoatHomeDirectory, "/XXE/log" + webSession.getUserName() + ".txt");
+ List lines = logFile.exists() ? Files.readAllLines(Paths.get(logFile.toURI())) : Lists.newArrayList();
 boolean solved = lines.stream().filter(l -> l.contains("WebGoat 8 rocks...")).findFirst().isPresent();
- logFile.delete();
 if (solved) {
+ logFile.delete();
 return trackProgress(success().output("xxe.blind.output").outputArgs(Joiner.on('\n').join(lines)).build());
 } else {
 return trackProgress(failed().output(error).build());
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Ping.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Ping.java
index ec37961f7..c09fa0377 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Ping.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Ping.java
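Review bot: The new per-user path on the `File logFile = new File(webGoatHomeDirectory, "/XXE/log" + webSession.getUserName() + ".txt");` line splices the session's user name straight into a filesystem path, so unless user names are validated at registration (not visible here) a name containing `/` or `..` makes this method read, and when the marker is present delete, a file outside `<home>/XXE`; the same construction is added in `Ping.logRequest`. Resolving against the base directory and checking the result stays inside it closes that: `Path base = Paths.get(webGoatHomeDirectory, "XXE"); Path log = base.resolve("log" + webSession.getUserName() + ".txt").normalize(); if (!log.startsWith(base)) { /* reject */ }` (`java.nio.file.Path`, `Paths` is already imported). `logFile.delete()` still discards its boolean result, so a failed delete leaves the old solution on disk and the assignment reports solved on the next request without a fresh payload; `Files.delete(log)` or logging the `false` return makes that visible. The method's closing braces lie past the end of the hunk.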
@@ -2,12 +2,10 @@ package org.owasp.webgoat.plugin;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.assignments.Endpoint;
+import org.owasp.webgoat.session.WebSession;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
-import org.springframework.web.bind.annotation.RequestHeader;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.*;
 import java.io.File;
 import java.io.FileNotFoundException;
@@ -47,6 +45,8 @@ public class Ping extends Endpoint {
 @Value("${webgoat.user.directory}")
 private String webGoatHomeDirectory;
+ @Autowired
+ private WebSession webSession;
 @Override
 public String getPath() {
@@ -58,7 +58,7 @@ public class Ping extends Endpoint {
 public String logRequest(@RequestHeader("User-Agent") String userAgent, @RequestParam(required = false) String text) {
 String logLine = String.format("%s %s %s", "GET", userAgent, text);
 log.debug(logLine);
- File logFile = new File(webGoatHomeDirectory, "/XXE/log.tdxt");
+ File logFile = new File(webGoatHomeDirectory, "/XXE/log" + webSession.getUserName() + ".txt");
 try {
 try (PrintWriter pw = new PrintWriter(logFile)) {
 pw.println(logLine);
diff --git a/webgoat-lessons/xxe/src/main/resources/html/XXE.html b/webgoat-lessons/xxe/src/main/resources/html/XXE.html
index 2ad34cf5d..21b4aa916 100644
--- a/webgoat-lessons/xxe/src/main/resources/html/XXE.html
+++ b/webgoat-lessons/xxe/src/main/resources/html/XXE.html
@@ -2,7 +2,6 @@ -
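Review bot: The replacement `import org.springframework.web.bind.annotation.*;` trades five explicit imports for a wildcard, which hides which annotations the class actually uses and can silently bind a different name if that package grows; the explicit `RequestHeader`, `RequestMapping`, `RequestMethod`, `RequestParam` and `ResponseBody` imports should stay, alongside whatever the new code needs. The new `@Autowired private WebSession webSession;` in the second hunk has no comment saying it exists only to name the per-user log file; a short `// per-user log file name, see logRequest` would make the dependency on session state clear at the declaration.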