dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Updated XXE lesson so it also uses WebWolf

Browse Source
This commit is contained in:
Nanne Baars
2017-10-07 13:46:34 +02:00
parent 94caba7eb1
commit 8a982dedb5
13 changed files with 180 additions and 100 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
webwolf/src/main/java/org/owasp/webwolf/WebWolf.java
View File

@ -3,6 +3,7 @@ package org.owasp.webwolf;
import com.fasterxml.jackson.databind.ObjectMapper;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webwolf.requests.WebWolfTraceRepository;
import org.owasp.webwolf.user.UserRepository;
import org.owasp.webwolf.user.WebGoatUserToCookieRepository;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.actuate.trace.TraceRepository;
@ -25,8 +26,8 @@ import javax.jms.ConnectionFactory;
public class WebWolf extends SpringBootServletInitializer {
@Bean
public TraceRepository traceRepository(WebGoatUserToCookieRepository repository) {
return new WebWolfTraceRepository(repository);
public TraceRepository traceRepository(WebGoatUserToCookieRepository repository, UserRepository userRepository) {
return new WebWolfTraceRepository(repository, userRepository);
}
@Override

24
webwolf/src/main/java/org/owasp/webwolf/requests/LandingPage.java Normal file
View File

@ -0,0 +1,24 @@
package org.owasp.webwolf.requests;
import lombok.extern.slf4j.Slf4j;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseStatus;
import javax.servlet.http.HttpServletRequest;
@Controller
@Slf4j
@RequestMapping("/landing/**")
public class LandingPage {
@RequestMapping(method = { RequestMethod.POST, RequestMethod.GET, RequestMethod.DELETE, RequestMethod.PATCH, RequestMethod.PUT})
@ResponseStatus(HttpStatus.OK)
public void ok(HttpServletRequest request) {
log.trace("Incoming request for: {}", request.getRequestURL());
}
}

52
webwolf/src/main/java/org/owasp/webwolf/requests/WebWolfTraceRepository.java
View File

@ -6,6 +6,7 @@ import com.google.common.cache.LoadingCache;
import com.google.common.collect.Lists;
import com.google.common.collect.Maps;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webwolf.user.UserRepository;
import org.owasp.webwolf.user.WebGoatUser;
import org.owasp.webwolf.user.WebGoatUserCookie;
import org.owasp.webwolf.user.WebGoatUserToCookieRepository;
@ -18,6 +19,7 @@ import java.net.HttpCookie;
import java.util.*;
import java.util.concurrent.ConcurrentLinkedDeque;
import static java.util.Optional.empty;
import static java.util.Optional.of;
/**
@ -38,9 +40,11 @@ public class WebWolfTraceRepository implements TraceRepository {
}
});
private final WebGoatUserToCookieRepository repository;
private final UserRepository userRepository;
public WebWolfTraceRepository(WebGoatUserToCookieRepository repository) {
public WebWolfTraceRepository(WebGoatUserToCookieRepository repository, UserRepository userRepository) {
this.repository = repository;
this.userRepository = userRepository;
}
@Override
@ -58,18 +62,27 @@ public class WebWolfTraceRepository implements TraceRepository {
@Override
public void add(Map<String, Object> map) {
Optional<String> host = getFromHeaders("host", map);
Optional<String> referer = getFromHeaders("referer", map);
if (host.isPresent() && referer.orElse("").contains("WebGoat")) {
String path = (String) map.getOrDefault("path", "");
if (host.isPresent() && path.contains("/landing/")) {
Optional<String> cookie = getFromHeaders("cookie", map);
cookie.ifPresent(c -> {
Optional<String> user = findUserBasedOnCookie(c);
user.ifPresent(u -> {
ConcurrentLinkedDeque<Trace> traces = this.cookieTraces.getUnchecked(u);
traces.addFirst(new Trace(new Date(), map));
cookieTraces.put(u, traces);
});
Optional<String> user = cookie.isPresent() ? findUserBasedOnCookie(cookie.get()) : getLoggedInUser();
user.ifPresent(u -> {
ConcurrentLinkedDeque<Trace> traces = this.cookieTraces.getUnchecked(u);
traces.addFirst(new Trace(new Date(), map));
cookieTraces.put(u, traces);
});
//No user found based on cookie and logged in user, so add the trace to all users
//In case of XXE no cookie will be send we cannot retrieve who is logged in.
//Standalone this is ok, in a challenge you need to make sure the solution or secret the users need to
//fetch is unique
if (!user.isPresent()) {
List<WebGoatUser> users = this.userRepository.findAll();
users.forEach(u -> {
ConcurrentLinkedDeque<Trace> traces = this.cookieTraces.getUnchecked(u.getUsername());
traces.addFirst(new Trace(new Date(), map));
cookieTraces.put(u.getUsername(), traces);
});
}
}
}
@ -80,13 +93,16 @@ public class WebWolfTraceRepository implements TraceRepository {
Optional<WebGoatUserCookie> userToCookie = repository.findByCookie(cookie.getValue());
Optional<String> user = userToCookie.map(u -> u.getUsername());
if (!user.isPresent()) {
//User is maybe logged in to WebWolf use this user
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
if (authentication != null && authentication.getPrincipal() instanceof WebGoatUser) {
WebGoatUser wg = (WebGoatUser) authentication.getPrincipal();
user = of(wg.getUsername());
}
return user;
}
private Optional<String> getLoggedInUser() {
Optional<String> user = empty();
//User is maybe logged in to WebWolf use this user
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
if (authentication != null && authentication.getPrincipal() instanceof WebGoatUser) {
WebGoatUser wg = (WebGoatUser) authentication.getPrincipal();
user = of(wg.getUsername());
}
return user;
}

2
webwolf/src/main/resources/application.properties
View File

@ -1,6 +1,6 @@
server.error.include-stacktrace=always
server.error.path=/error.html
server.session.timeout=600
server.session.timeout=6000
#server.contextPath=/WebWolf
server.port=8081
server.session.cookie.name = WEBWOLFSESSION