Solved issue with POST in vulnerable components lesson

2017-02-07 23:38:57 +01:00 · 2017-02-07 23:38:57 +01:00 · 8d3b028acc
commit 8d3b028acc
parent a00546638a
5 changed files with 121 additions and 22 deletions
--- a/webgoat-lessons/pom.xml
+++ b/webgoat-lessons/pom.xml
@ -44,6 +44,30 @@
            <classifier>tests</classifier>
            <scope>test</scope>
        </dependency>
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <version>${junit.version}</version>
+            <type>jar</type>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-core</artifactId>
+            <version>1.10.19</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-test</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-test</artifactId>
+            <version>4.1.3.RELEASE</version>
+            <scope>test</scope>
+        </dependency>
    </dependencies>
    <dependencyManagement>
        <dependencies>
--- a/webgoat-lessons/vulnerable-components/pom.xml
+++ b/webgoat-lessons/vulnerable-components/pom.xml
@ -11,9 +11,14 @@
 	<dependencies>
 		<dependency>
 			<groupId>com.thoughtworks.xstream</groupId>
-			<artifactId>XStream</artifactId>
+			<artifactId>xstream</artifactId>
 			<version>1.4.7</version>
 		</dependency>
-	</dependencies>
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+        </dependency>
+
+    </dependencies>

 </project>
--- a/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/plugin/VulnerableComponentsLesson.java
+++ b/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/plugin/VulnerableComponentsLesson.java
@ -1,17 +1,15 @@
 package org.owasp.webgoat.plugin;

-import java.io.IOException;
-
-import javax.servlet.http.HttpServletRequest;
-
+import com.thoughtworks.xstream.XStream;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
+import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
-import com.thoughtworks.xstream.XStream;
+
+import java.io.IOException;

 /**
 * *************************************************************************************************
@ -51,7 +49,7 @@ import com.thoughtworks.xstream.XStream;
 public class VulnerableComponentsLesson extends AssignmentEndpoint {

 	@RequestMapping(method = RequestMethod.POST)
-	public @ResponseBody AttackResult completed(@RequestParam String payload) throws IOException {
+	public @ResponseBody AttackResult completed(@RequestBody String payload) throws IOException {
 		String process = "open"; 		
 		String arguments = "/Applications/Calculator.app";		
 		
--- a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/html/VulnerableComponents.html
+++ b/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/html/VulnerableComponents.html
@ -131,23 +131,35 @@
 		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
 		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
 		<div class="adoc-content" th:replace="doc:VulnerableComponents_content5.adoc"></div>
+		<div class="attack-container">
+			<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
+			<div id="lessonContent">
+				<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
+				<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
+				<!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
+				<form class="attack-form" accept-charset="UNKNOWN"
+					  method="POST" name="form"
+					  action="/WebGoat/VulnerableComponents/attack1"
+					  enctype="application/json;charset=UTF-8">
+							Enter Your XML payload: <input name="payload" value="" type="TEXT"/><input
+								name="SUBMIT" value="Go!" type="SUBMIT"/>
+				</form>
+				<!-- do not remove the two following div's, this is where your feedback/output will land -->
+				<div class="attack-feedback"></div>
+				<div class="attack-output"></div>
+				<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
+			</div>
+
+		</div>
+
+
+
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 			<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
            <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
            <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
-			<form class="attack-form" accept-charset="UNKNOWN"
-				method="POST" name="form"
-				action="/WebGoat/VulnerableComponents/attack1"
-				enctype="application/json;charset=UTF-8">
-				<div id="lessonContent">
-					<form accept-charset="UNKNOWN" method="POST" name="form"
-						action="#attack/307/100" enctype="">
-						Enter Your XML payload: <input name="paylod" value="" type="TEXT"/><input
-							name="SUBMIT" value="Go!" type="SUBMIT"/>
-					</form>
-				</div>
-			</form>
+
 			<!-- do not remove the two following div's, this is where your feedback/output will land -->
 			<div class="attack-feedback"></div>
 			<div class="attack-output"></div>
--- a/webgoat-lessons/vulnerable-components/src/test/java/org/owasp/webgoat/plugin/VulnerableComponentsLessonTest.java
+++ b/webgoat-lessons/vulnerable-components/src/test/java/org/owasp/webgoat/plugin/VulnerableComponentsLessonTest.java
@ -0,0 +1,60 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ * <p>
+ * Copyright (c) 2002 - 2017 Bruce Mayhew
+ * <p>
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ * <p>
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ * <p>
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ * <p>
+ * Getting Source ==============
+ * <p>
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ * <p>
+ */
+
+package org.owasp.webgoat.plugin;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.owasp.webgoat.assignments.AssignmentEndpointTest;
+import org.springframework.test.web.servlet.MockMvc;
+
+import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
+
+/**
+ * @author nbaars
+ * @date 2/7/17
+ */
+@RunWith(MockitoJUnitRunner.class)
+public class VulnerableComponentsLessonTest extends AssignmentEndpointTest {
+
+    private MockMvc mockMvc;
+
+    @Before
+    public void setup() {
+        VulnerableComponentsLesson vulnerableComponentsLesson = new VulnerableComponentsLesson();
+        init(vulnerableComponentsLesson);
+        this.mockMvc = standaloneSetup(vulnerableComponentsLesson).build();
+    }
+
+    @Test
+    public void success() throws Exception {
+//        mockMvc.perform(MockMvcRequestBuilders.post("/VulnerableComponents/attack1").content("Test"))
+//                .andExpect(status().isOk()).andDo(MockMvcResultHandlers.print())
+//                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("http-proxies.intercept.success"))))
+//                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
+    }
+}