interim missing function ac commit, traversing dev. env.

This commit is contained in:
Jason White 2017-08-08 09:28:09 -06:00
parent 06bf690a3a
commit 8df1d53471
8 changed files with 250 additions and 56 deletions


@ -72,6 +72,7 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter {
registry.addViewController("/lesson_content").setViewName("lesson_content"); registry.addViewController("/lesson_content").setViewName("lesson_content");
registry.addViewController("/start.mvc").setViewName("main_new"); registry.addViewController("/start.mvc").setViewName("main_new");
registry.addViewController("/scoreboard").setViewName("scoreboard"); registry.addViewController("/scoreboard").setViewName("scoreboard");
//registry.addViewController("/list_users").setViewName("list_users");
} }
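Review bot: The only line this hunk adds is commented-out code, `//registry.addViewController("/list_users").setViewName("list_users");`, and it should be dropped rather than committed: the same commit introduces a `ListUsers` controller that serves the `list_users` view itself, so the view-controller registration is no longer wanted. If the point is to record that the view is now controller-backed, a short comment saying that is clearer than dead code. The enclosing method starts outside the hunk.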


@ -0,0 +1,43 @@
package org.owasp.webgoat.controller;
import com.sun.corba.se.spi.activation.EndPointInfo;
import org.owasp.webgoat.assignments.*;
import org.owasp.webgoat.session.UserSessionData;
import org.owasp.webgoat.users.UserService;
import org.owasp.webgoat.users.WebGoatUser;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.servlet.ModelAndView;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.util.HashMap;
import java.util.List;
/**
* Created by jason on 1/5/17.
*/
@Controller
public class ListUsers {
@Autowired
private UserService userService;
@RequestMapping(path = {"list_users", "/"}, method = {RequestMethod.GET,RequestMethod.POST})
public ModelAndView listUsers(HttpServletRequest request) {
ModelAndView model = new ModelAndView();
model.setViewName("list_users");
List<WebGoatUser> allUsers = userService.getAllUsers();
model.addObject("numUsers",allUsers.size());
model.addObject("allUsers",allUsers);
return model;
}
}
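Review bot: `listUsers` hands every `WebGoatUser` entity to the view with no authorization check, and `@RequestMapping(path = {"list_users", "/"})` also binds the application root, so any authenticated user who reaches `/` gets the complete user list in the model; since `WebGoatUser` carries the password field (see its constructor in this commit), at minimum pass a projection of usernames and roles rather than the entities. If the absent check is deliberate as the lesson's vulnerable endpoint, say so at the handler, e.g. `// Intentionally no authorization check: this endpoint is the target of the missing function-level access-control lesson`, and drop `"/"` from the path unless taking over the root is intended. The import `com.sun.corba.se.spi.activation.EndPointInfo` is unused and names an internal JDK package that is not public API and is gone since Java 11, so it will break the build on newer JDKs; the `assignments.*`, `UserSessionData`, servlet, `IOException` and `HashMap` imports are unused as well. The `request` parameter is never read.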


@ -2,6 +2,8 @@ package org.owasp.webgoat.users;
import org.springframework.data.mongodb.repository.MongoRepository; import org.springframework.data.mongodb.repository.MongoRepository;
import java.util.List;
/** /**
* @author nbaars * @author nbaars
* @since 3/19/17. * @since 3/19/17.
@ -9,4 +11,7 @@ import org.springframework.data.mongodb.repository.MongoRepository;
public interface UserRepository extends MongoRepository<WebGoatUser, String> { public interface UserRepository extends MongoRepository<WebGoatUser, String> {
WebGoatUser findByUsername(String username); WebGoatUser findByUsername(String username);
List<WebGoatUser> findAll();
} }
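Review bot: `List<WebGoatUser> findAll();` redeclares a method that `MongoRepository` already provides with the same `List<T>` return type, so the declaration adds nothing; remove it, or if it is kept as documentation mark it `@Override` so the relationship is visible. Without it the added `java.util.List` import is unused too.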


@ -5,6 +5,8 @@ import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service; import org.springframework.stereotype.Service;
import java.util.List;
/** /**
* @author nbaars * @author nbaars
* @since 3/19/17. * @since 3/19/17.
@ -31,4 +33,14 @@ public class UserService implements UserDetailsService {
userRepository.save(new WebGoatUser(username, password)); userRepository.save(new WebGoatUser(username, password));
userTrackerRepository.save(new UserTracker(username)); userTrackerRepository.save(new UserTracker(username));
} }
public void addUser(String username, String password, String role) {
userRepository.save(new WebGoatUser(username,password,role));
userTrackerRepository.save(new UserTracker(username));
}
public List<WebGoatUser> getAllUsers () {
return userRepository.findAll();
}
} }
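Review bot: The new `addUser(String username, String password, String role)` stores whatever `role` string the caller supplies, so a mistyped or caller-controlled value becomes a granted authority; validate it against the known role values before saving (the role constants are not visible in this hunk). The existing two-argument `addUser` above now duplicates this body and could delegate, `addUser(username, password, <DEFAULT_ROLE>);`, taking the default from wherever `WebGoatUser` assigns it today. `getAllUsers ()` has a stray space before the parameter list.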


@ -37,6 +37,12 @@ public class WebGoatUser implements UserDetails {
createUser(); createUser();
} }
public WebGoatUser(String username, String password, String role) {
this.username = username;
this.password = password;
this.role = role;
}
public void createUser() { public void createUser() {
this.user = new User(username, password, getAuthorities()); this.user = new User(username, password, getAuthorities());
} }
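Review bot: The new three-argument constructor at L97–L101 assigns the fields but never calls `createUser()`, unlike the constructor whose tail is visible at L95, so `this.user` is left unset for users created through `UserService.addUser(username, password, role)` in this commit; if the `UserDetails` methods delegate to `user` (not visible here), those users fail at login with a NullPointerException. Either end the constructor with `createUser();`, or better, have the two-argument constructor delegate with `this(username, password, <default role>);` so `createUser()` is called in exactly one place. The two-argument constructor's body starts outside the hunk.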


@ -0,0 +1,181 @@
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org"
xmlns:sec="http://www.thymeleaf.org/extras/spring-security">
<head>
<meta http-equiv="Expires" CONTENT="-1"/>
<meta http-equiv="Pragma" CONTENT="no-cache"/>
<meta http-equiv="Cache-Control" CONTENT="no-cache"/>
<meta http-equiv="Cache-Control" CONTENT="no-store"/>
<!--[if lt IE 7]>
<id class="no-js lt-ie9 lt-ie8 lt-ie7"/> <![endif]-->
<!--[if IE 7]>
<id class="no-js lt-ie9 lt-ie8"/> <![endif]-->
<!--[if IE 8]>
<id class="no-js lt-ie9"/> <![endif]-->
<!--[if gt IE 8]><!-->
<!-- CSS -->
<link rel="shortcut icon" th:href="@{/images/favicon.ico}" type="image/x-icon"/>
<link rel="stylesheet" type="text/css" th:href="@{/css/main.css}"/>
<link rel="stylesheet" type="text/css" th:href="@{/plugins/bootstrap/css/bootstrap.min.css}"/>
<link rel="stylesheet" type="text/css" th:href="@{/css/font-awesome.min.css}"/>
<link rel="stylesheet" type="text/css" th:href="@{/css/animate.css}"/>
<link rel="stylesheet" type="text/css" th:href="@{/css/coderay.css}"/>
<link rel="stylesheet" type="text/css" th:href="@{/css/lessons.css}"/>
<!-- end of CSS -->
<!-- JS -->
<script src="js/modernizr-2.6.2.min.js"/>
<!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!--[if lt IE 9]>
<script src="js/html5shiv.js"/>
<script src="js/respond.min.js"/>
<![endif]-->
<!-- Require.js used to load js asynchronously -->
<script src="js/libs/require.min.js" data-main="js/main.js"/>
<meta http-equiv="Content-Type" content="text/id; charset=ISO-8859-1"/>
<title>WebGoat</title>
</head>
<body>
<section id="container">
<header id="header">
<!--logo start-->
<div class="brand">
<a th:href="@{/welcome.mvc}" class="logo"><span>Web</span>Goat</a>
</div>
<!--logo end-->
<div class="toggle-navigation toggle-left">
<button type="button" class="btn btn-default" id="toggle-menu" data-toggle="tooltip" data-placement="right"
title="Toggle Navigation">
<i class="fa fa-bars"></i>
</button>
</div><!--toggle navigation end-->
<div id="lesson-title-wrapper">
</div><!--lesson title end-->
<div class="user-nav pull-right" id="user-and-info-nav" style="margin-right: 75px;">
<div class="dropdown" style="display:inline">
<button type="button" data-toggle="dropdown" class="btn btn-default dropdown-toggle" id="user-menu">
<i class="fa fa-user"></i> <span class="caret"></span>
</button>
<ul class="dropdown-menu dropdown-menu-left">
<li role="presentation"><a role="menuitem" tabindex="-1" th:href="@{/logout}"
th:text="#{logout}">Logout</a></li>
<li role="presentation" class="divider"></li>
<li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">User: <span
th:text="${#authentication.name}"></span></a>
</li>
<li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">Role:
<span sec:authorize="hasAuthority('WEBGOAT_USER')">User</span>
<span sec:authorize="hasAuthority('WEBGOAT_ADMIN')">Admin</span>
</a>
</li>
<li role="presentation" class="divider"></li>
<li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#"
th:text="#{version}">Version: <span
th:text="${@environment.getProperty('webgoat.build.version')}"></span></a>
</li>
<li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#"
th:text="#{build}">Build:
<span th:text="${@environment.getProperty('webgoat.build.number')}"></span></a></li>
</ul>
</div>
<div style="display:inline" id="settings">
<!--<button type="button" id="admin-button" class="btn btn-default right_nav_button" title="Administrator">-->
<!--<i class="fa fa-cog"></i>-->
<!--</button>-->
<button type="button" id="report-card-button" class="btn btn-default right_nav_button button-up"
th:title="#{report.card}">
<a href="#reportCard"><i class="fa fa-bar-chart-o"></i></a>
</button>
<!--<button type="button" id="user-management" class="btn btn-default right_nav_button"-->
<!--title="User management">-->
<!--<i class="fa fa-users"></i>-->
<!--</button>-->
</div>
<button type="button" id="about-button" class="btn btn-default right_nav_button" th:title="#{about}"
data-toggle="modal" data-target="#about-modal">
<i class="fa fa-info"></i>
</button>
<a href="mailto:${contactEmail}?Subject=Webgoat%20feedback" target="_top">
<button type="button" class="btn btn-default right_nav_button" data-toggle="tooltip"
th:title="#{contact}">
<i class="fa fa-envelope"></i>
</button>
</a>
</div>
</header>
<aside class="sidebar">
<div id="menu-container"></div>
</aside>
<!--sidebar left end-->
<!--main content start-->
<section class="main-content-wrapper">
<section id="main-content"> <!--ng-controller="goatLesson"-->
<div id="lesson-page" class="pages">
TEST ... <span th:text="${numUsers}"> Users in WebGoat</span>
<div sec:authorize="hasAuthority('WEBGOAT_ADMIN')">Admin sees this ...
</div>
<div id="lesson-helps-wrapper" class="panel">
<div class="lesson-help" id="lesson-plan-row">
<div class="col-md-12">
<h4>Lesson Plan</h4>
<div class="panel">
<div class="panel-body" id="lesson-plan-content">
<!-- allowing jQuery to handle this one -->
</div>
</div>
</div>
</div>
<div class="lesson-help" id="lesson-solution-row">
<div class="col-md-12">
<h4>Lesson Solution</h4>
<div class="panel">
<div class="panel-body" id="lesson-solution-content">
</div>
</div>
</div>
</div>
<div class="lesson-help" id="lesson-source-row">
<div class="col-md-12">
<h4>Lesson Source Code</h4>
<div class="panel">
<div class="panel-body" id="lesson-source-content">
</div>
</div>
</div>
</div>
</div>
</div>
<div id="report-card-page" class="pages" style="display: none;">
</div>
</section>
</section>
</section>
<!-- About WebGoat Modal -->
<div class="modal" id="about-modal" tabindex="-1" role="dialog" aria-labelledby="myModalLabel" aria-hidden="true">
<div class="modal-dialog modal-lg">
<div class="modal-content" th:replace="about :: about"></div>
</div>
</div>
</body>
</html>
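Review bot: The view renders only `${numUsers}` (L221) and never the `allUsers` the controller puts in the model, while the `sec:authorize="hasAuthority('WEBGOAT_ADMIN')"` block at L222 only hides markup — it does not protect the data, which the controller adds for every caller — so the authorization decision belongs in the controller or a URL security rule, not the template; the `TEST ...` and `Admin sees this ...` placeholder text reads as unfinished. `<meta http-equiv="Content-Type" content="text/id; charset=ISO-8859-1"/>` at L142 declares a media type that does not exist (presumably `text/html`), and the `<id class="no-js ...">` tags inside the IE conditional comments at L118–L122 look like the same mangling of `html`; confirm against the checked-in file and confirm the declared charset matches what the server actually sends. `<a href="mailto:${contactEmail}?Subject=Webgoat%20feedback">` at L205 uses a plain `href`, so Thymeleaf never evaluates `${contactEmail}` and the literal text ends up in the link; use `th:href="'mailto:' + ${contactEmail} + '?Subject=Webgoat%20feedback'"`.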


@ -71,8 +71,8 @@
th:text="${#authentication.name}"></span></a> th:text="${#authentication.name}"></span></a>
</li> </li>
<li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">Role: <li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">Role:
<span sec:authorize="hasRole('WEBGOAT_USER')">User</span> <span sec:authorize="hasAuthority('WEBGOAT_USER')">User</span>
<span sec:authorize="hasRole('WEBGOAT_ADMIN')">Admin</span> <span sec:authorize="hasAuthority('WEBGOAT_ADMIN')">Admin</span>
</a> </a>
</li> </li>
<li role="presentation" class="divider"></li> <li role="presentation" class="divider"></li>
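Review bot: Switching `hasRole('WEBGOAT_USER')` to `hasAuthority('WEBGOAT_USER')` at L275–L276 changes what is matched: `hasRole` prepends the default `ROLE_` prefix, so the old expressions required an authority named `ROLE_WEBGOAT_USER`, whereas the new ones match the authority string exactly. That is the right fix only if `WebGoatUser.getAuthorities()` (not visible here) grants authorities named exactly `WEBGOAT_USER` and `WEBGOAT_ADMIN`; worth confirming, and worth a one-line template comment such as `<!-- authorities are granted without the ROLE_ prefix, so hasAuthority, not hasRole -->` so the next edit does not flip it back. These spans only control what is displayed; any real admin gating still has to be enforced server-side.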


@ -1,54 +0,0 @@
package org.owasp.webgoat.plugin;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.UserSessionData;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.HashMap;
/**
* Created by jason on 1/5/17.
*/
@AssignmentPath("/access-control/list-users")
@AssignmentHints({"access-control.hidden-menus.hint1","access-control.hidden-menus.hint2","access-control.hidden-menus.hint3"})
public class MissingACListUsers extends AssignmentEndpoint {
//UserSessionData is bound to session and can be used to persist data across multiple assignments
@Autowired
UserSessionData userSessionData;
@PostMapping(produces = {"application/json"})
public @ResponseBody
AttackResult completed(String hiddenMenu1, String hiddenMenu2, HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
//overly simple example for success. See other existing lesssons for ways to detect 'success' or 'failure'
if (hiddenMenu1.equals("List Users") && hiddenMenu2.equals("Add User")) {
return trackProgress(success()
.output("")
.feedback("access-control.hidden-menus.success")
.build());
}
if (hiddenMenu1.equals("Add User") && hiddenMenu2.equals("List Users")) {
return trackProgress(success()
.output("")
.feedback("access-control.hidden-menus.close")
.build());
}
return trackProgress(failed()
.feedback("access-control.hidden-menus.failure")
.output("")
.build());
}
}