From 04ccf9a422eb59a4ad175427d872e4df975b4042 Mon Sep 17 00:00:00 2001 From: nbaars Date: Sun, 21 Jan 2018 17:46:43 +0100 Subject: [PATCH 01/26] New release should create a new webgoat directory with version tag inside #423 --- webgoat-container/src/main/resources/application.properties | 4 ++-- webwolf/src/main/resources/application.properties | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/webgoat-container/src/main/resources/application.properties b/webgoat-container/src/main/resources/application.properties index 83de9b5d7..3e1389051 100644 --- a/webgoat-container/src/main/resources/application.properties +++ b/webgoat-container/src/main/resources/application.properties @@ -20,8 +20,8 @@ spring.resources.cache-period=0 spring.thymeleaf.cache=false webgoat.clean=false -webgoat.server.directory=${user.home}/.webgoat/ -webgoat.user.directory=${user.home}/.webgoat/ +webgoat.server.directory=${user.home}/.webgoat-${webgoat.build.version}/ +webgoat.user.directory=${user.home}/.webgoat-${webgoat.build.version}/ webgoat.build.version=@project.version@ webgoat.build.number=@build.number@ webgoat.email=webgoat@owasp.org diff --git a/webwolf/src/main/resources/application.properties b/webwolf/src/main/resources/application.properties index b169284c8..064285394 100644 --- a/webwolf/src/main/resources/application.properties +++ b/webwolf/src/main/resources/application.properties @@ -29,7 +29,8 @@ multipart.location=${java.io.tmpdir} multipart.max-file-size=1Mb multipart.max-request-size=1Mb -webgoat.server.directory=${user.home}/.webgoat/ +webgoat.build.version=@project.version@ +webgoat.server.directory=${user.home}/.webgoat-${webgoat.build.version}/ webwolf.fileserver.location=${java.io.tmpdir}/webwolf-fileserver spring.jackson.serialization.indent_output=true From b99b554522dcf39602340fc5c7e216afbe0d5d38 Mon Sep 17 00:00:00 2001 From: nbaars Date: Mon, 29 Jan 2018 15:29:48 +0100 Subject: [PATCH 02/26] Version: docker 8.0.0.M9 Multiple users can't finalize the same lesson #432 --- .../assignments/AssignmentEndpoint.java | 2 +- .../org/owasp/webgoat/lessons/Assignment.java | 27 ++++++++++++------- .../webgoat/service/LessonMenuService.java | 2 +- .../service/LessonProgressService.java | 4 +-- .../webgoat/service/ReportCardService.java | 2 +- .../webgoat/service/RestartLessonService.java | 2 +- .../owasp/webgoat/users/LessonTracker.java | 5 +++- .../org/owasp/webgoat/users/Scoreboard.java | 2 +- .../org/owasp/webgoat/users/UserTracker.java | 2 ++ .../webgoat/users/UserTrackerRepository.java | 1 + .../assignments/AssignmentEndpointTest.java | 2 +- .../service/LessonMenuServiceTest.java | 4 +-- .../service/LessonProgressServiceTest.java | 2 +- .../service/ReportCardServiceTest.java | 2 +- .../users/UserTrackerRepositoryTest.java | 6 ++--- .../org/owasp/webgoat/plugin/CSRFLogin.java | 2 +- 16 files changed, 41 insertions(+), 26 deletions(-) diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java index c4713a054..3b02b6129 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java @@ -55,7 +55,7 @@ public abstract class AssignmentEndpoint extends Endpoint { //// TODO: 11/13/2016 events better fit? protected AttackResult trackProgress(AttackResult attackResult) { - UserTracker userTracker = userTrackerRepository.findOne(webSession.getUserName()); + UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName()); if (userTracker == null) { userTracker = new UserTracker(webSession.getUserName()); } diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Assignment.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Assignment.java index 41758c742..d9b1f3470 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Assignment.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Assignment.java @@ -1,11 +1,9 @@ package org.owasp.webgoat.lessons; +import com.google.common.collect.Lists; import lombok.*; -import javax.persistence.Entity; -import javax.persistence.Id; -import javax.persistence.OneToMany; -import javax.persistence.Transient; +import javax.persistence.*; import java.util.List; /** @@ -37,19 +35,30 @@ import java.util.List; * @version $Id: $Id * @since November 25, 2016 */ -@AllArgsConstructor -@RequiredArgsConstructor -@NoArgsConstructor @Getter @EqualsAndHashCode @Entity public class Assignment { - @NonNull + @Id + @GeneratedValue(strategy = GenerationType.AUTO) + private Long id; private String name; - @NonNull private String path; @Transient private List hints; + private Assignment() { + //Hibernate + } + + public Assignment(String name, String path) { + this(name, path, Lists.newArrayList()); + } + + public Assignment(String name, String path, List hints) { + this.name = name; + this.path = path; + this.hints = hints; + } } diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonMenuService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonMenuService.java index 097085c48..c0cfdc107 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonMenuService.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonMenuService.java @@ -73,7 +73,7 @@ public class LessonMenuService { List showLeftNav() { List menu = new ArrayList<>(); List categories = course.getCategories(); - UserTracker userTracker = userTrackerRepository.findOne(webSession.getUserName()); + UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName()); for (Category category : categories) { LessonMenuItem categoryItem = new LessonMenuItem(); diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java index fb4fe0071..c9fbf8820 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java @@ -40,7 +40,7 @@ public class LessonProgressService { @RequestMapping(value = "/service/lessonprogress.mvc", produces = "application/json") @ResponseBody public Map getLessonInfo() { - UserTracker userTracker = userTrackerRepository.findOne(webSession.getUserName()); + UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName()); LessonTracker lessonTracker = userTracker.getLessonTracker(webSession.getCurrentLesson()); Map json = Maps.newHashMap(); String successMessage = ""; @@ -63,7 +63,7 @@ public class LessonProgressService { @RequestMapping(value = "/service/lessonoverview.mvc", produces = "application/json") @ResponseBody public List lessonOverview() { - UserTracker userTracker = userTrackerRepository.findOne(webSession.getUserName()); + UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName()); AbstractLesson currentLesson = webSession.getCurrentLesson(); List result = Lists.newArrayList(); if ( currentLesson != null ) { diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/ReportCardService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/ReportCardService.java index 21c8c1f20..a014e11fb 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/service/ReportCardService.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/ReportCardService.java @@ -64,7 +64,7 @@ public class ReportCardService { @GetMapping(path = "/service/reportcard.mvc", produces = "application/json") @ResponseBody public ReportCard reportCard() { - UserTracker userTracker = userTrackerRepository.findOne(webSession.getUserName()); + UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName()); List lessons = course.getLessons(); ReportCard reportCard = new ReportCard(); reportCard.setTotalNumberOfLessons(course.getTotalOfLessons()); diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java index 4ea036996..b207b4ce1 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java @@ -59,7 +59,7 @@ public class RestartLessonService { AbstractLesson al = webSession.getCurrentLesson(); log.debug("Restarting lesson: " + al); - UserTracker userTracker = userTrackerRepository.findOne(webSession.getUserName()); + UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName()); userTracker.reset(al); userTrackerRepository.save(userTracker); } diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/LessonTracker.java b/webgoat-container/src/main/java/org/owasp/webgoat/users/LessonTracker.java index 81d5d3b23..7d1d5d859 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/users/LessonTracker.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/users/LessonTracker.java @@ -47,8 +47,11 @@ import java.util.stream.Collectors; */ @Entity public class LessonTracker { - @Getter + @Id + @GeneratedValue(strategy = GenerationType.AUTO) + private Long id; + @Getter private String lessonName; @OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER) private final Set solvedAssignments = Sets.newHashSet(); diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/Scoreboard.java b/webgoat-container/src/main/java/org/owasp/webgoat/users/Scoreboard.java index aa8416d58..0b77b89c6 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/users/Scoreboard.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/users/Scoreboard.java @@ -38,7 +38,7 @@ public class Scoreboard { List allUsers = userRepository.findAll(); List rankings = Lists.newArrayList(); for (WebGoatUser user : allUsers) { - UserTracker userTracker = userTrackerRepository.findOne(user.getUsername()); + UserTracker userTracker = userTrackerRepository.findByUser(user.getUsername()); rankings.add(new Ranking(user.getUsername(), challengesSolved(userTracker))); } return rankings; diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserTracker.java b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserTracker.java index 64ca5fb9a..3cc8ce19c 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserTracker.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserTracker.java @@ -50,6 +50,8 @@ import java.util.stream.Collectors; public class UserTracker { @Id + @GeneratedValue(strategy = GenerationType.AUTO) + private Long id; private String user; @OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER) private Set lessonTrackers = Sets.newHashSet(); diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserTrackerRepository.java b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserTrackerRepository.java index a322f9d8a..efa231d59 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserTrackerRepository.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserTrackerRepository.java @@ -8,5 +8,6 @@ import org.springframework.data.jpa.repository.JpaRepository; */ public interface UserTrackerRepository extends JpaRepository { + UserTracker findByUser(String user); } diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/assignments/AssignmentEndpointTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/assignments/AssignmentEndpointTest.java index 1f9628fb0..dc0c7a481 100644 --- a/webgoat-container/src/test/java/org/owasp/webgoat/assignments/AssignmentEndpointTest.java +++ b/webgoat-container/src/test/java/org/owasp/webgoat/assignments/AssignmentEndpointTest.java @@ -62,7 +62,7 @@ public class AssignmentEndpointTest { public void init(AssignmentEndpoint a) { messages.setBasenames("classpath:/i18n/messages", "classpath:/i18n/WebGoatLabels"); - when(userTrackerRepository.findOne(anyString())).thenReturn(userTracker); + when(userTrackerRepository.findByUser(anyString())).thenReturn(userTracker); ReflectionTestUtils.setField(a, "userTrackerRepository", userTrackerRepository); ReflectionTestUtils.setField(a, "userSessionData", userSessionData); ReflectionTestUtils.setField(a, "webSession", webSession); diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/service/LessonMenuServiceTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/service/LessonMenuServiceTest.java index d71126d82..196610274 100644 --- a/webgoat-container/src/test/java/org/owasp/webgoat/service/LessonMenuServiceTest.java +++ b/webgoat-container/src/test/java/org/owasp/webgoat/service/LessonMenuServiceTest.java @@ -63,7 +63,7 @@ public class LessonMenuServiceTest { when(course.getLessons(any())).thenReturn(Lists.newArrayList(l1, l2)); when(course.getCategories()).thenReturn(Lists.newArrayList(Category.ACCESS_CONTROL)); when(userTracker.getLessonTracker(any(AbstractLesson.class))).thenReturn(lessonTracker); - when(userTrackerRepository.findOne(anyString())).thenReturn(userTracker); + when(userTrackerRepository.findByUser(anyString())).thenReturn(userTracker); mockMvc.perform(MockMvcRequestBuilders.get(URL_LESSONMENU_MVC)) .andExpect(status().isOk()) @@ -81,7 +81,7 @@ public class LessonMenuServiceTest { when(course.getLessons(any())).thenReturn(Lists.newArrayList(l1)); when(course.getCategories()).thenReturn(Lists.newArrayList(Category.ACCESS_CONTROL)); when(userTracker.getLessonTracker(any(AbstractLesson.class))).thenReturn(lessonTracker); - when(userTrackerRepository.findOne(anyString())).thenReturn(userTracker); + when(userTrackerRepository.findByUser(anyString())).thenReturn(userTracker); mockMvc.perform(MockMvcRequestBuilders.get(URL_LESSONMENU_MVC)) diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/service/LessonProgressServiceTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/service/LessonProgressServiceTest.java index 2ca3e9169..cdab7c84f 100644 --- a/webgoat-container/src/test/java/org/owasp/webgoat/service/LessonProgressServiceTest.java +++ b/webgoat-container/src/test/java/org/owasp/webgoat/service/LessonProgressServiceTest.java @@ -72,7 +72,7 @@ public class LessonProgressServiceTest { @Before public void setup() { Assignment assignment = new Assignment("test", "test"); - when(userTrackerRepository.findOne(anyString())).thenReturn(userTracker); + when(userTrackerRepository.findByUser(anyString())).thenReturn(userTracker); when(userTracker.getLessonTracker(any(AbstractLesson.class))).thenReturn(lessonTracker); when(websession.getCurrentLesson()).thenReturn(lesson); when(lessonTracker.getLessonOverview()).thenReturn(Maps.newHashMap(assignment, true)); diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/service/ReportCardServiceTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/service/ReportCardServiceTest.java index e1b6f639f..9086741ba 100644 --- a/webgoat-container/src/test/java/org/owasp/webgoat/service/ReportCardServiceTest.java +++ b/webgoat-container/src/test/java/org/owasp/webgoat/service/ReportCardServiceTest.java @@ -53,7 +53,7 @@ public class ReportCardServiceTest { when(course.getTotalOfLessons()).thenReturn(1); when(course.getTotalOfAssignments()).thenReturn(10); when(course.getLessons()).thenReturn(Lists.newArrayList(lesson)); - when(userTrackerRepository.findOne(anyString())).thenReturn(userTracker); + when(userTrackerRepository.findByUser(anyString())).thenReturn(userTracker); when(userTracker.getLessonTracker(any(AbstractLesson.class))).thenReturn(lessonTracker); mockMvc.perform(MockMvcRequestBuilders.get("/service/reportcard.mvc")) .andExpect(status().isOk()) diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/users/UserTrackerRepositoryTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/users/UserTrackerRepositoryTest.java index 5c8092c13..142a6c8c7 100644 --- a/webgoat-container/src/test/java/org/owasp/webgoat/users/UserTrackerRepositoryTest.java +++ b/webgoat-container/src/test/java/org/owasp/webgoat/users/UserTrackerRepositoryTest.java @@ -62,7 +62,7 @@ public class UserTrackerRepositoryTest { userTrackerRepository.save(userTracker); - userTracker = userTrackerRepository.findOne("test"); + userTracker = userTrackerRepository.findByUser("test"); Assertions.assertThat(userTracker.getLessonTracker("test")).isNotNull(); } @@ -77,7 +77,7 @@ public class UserTrackerRepositoryTest { userTrackerRepository.saveAndFlush(userTracker); - userTracker = userTrackerRepository.findOne("test"); + userTracker = userTrackerRepository.findByUser("test"); Assertions.assertThat(userTracker.numberOfAssignmentsSolved()).isEqualTo(1); } @@ -90,7 +90,7 @@ public class UserTrackerRepositoryTest { userTracker.assignmentFailed(lesson); userTrackerRepository.saveAndFlush(userTracker); - userTracker = userTrackerRepository.findOne("test"); + userTracker = userTrackerRepository.findByUser("test"); userTracker.assignmentFailed(lesson); userTracker.assignmentFailed(lesson); userTrackerRepository.saveAndFlush(userTracker); diff --git a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFLogin.java b/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFLogin.java index 97edff2c1..122238bc1 100644 --- a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFLogin.java +++ b/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFLogin.java @@ -33,7 +33,7 @@ public class CSRFLogin extends AssignmentEndpoint { } private void markAssignmentSolvedWithRealUser(String username) { - UserTracker userTracker = userTrackerRepository.findOne(username); + UserTracker userTracker = userTrackerRepository.findByUser(username); userTracker.assignmentSolved(getWebSession().getCurrentLesson(), this.getClass().getSimpleName()); userTrackerRepository.save(userTracker); } From 98efc1235f9633272d8389d97d6051d7abbd43ca Mon Sep 17 00:00:00 2001 From: nbaars Date: Mon, 29 Jan 2018 15:32:02 +0100 Subject: [PATCH 03/26] By default binds to ALL network interfaces #431 --- webgoat-container/src/main/resources/application.properties | 1 + webwolf/src/main/resources/application.properties | 1 + 2 files changed, 2 insertions(+) diff --git a/webgoat-container/src/main/resources/application.properties b/webgoat-container/src/main/resources/application.properties index 3e1389051..440619b2d 100644 --- a/webgoat-container/src/main/resources/application.properties +++ b/webgoat-container/src/main/resources/application.properties @@ -3,6 +3,7 @@ server.error.path=/error.html server.session.timeout=600 server.contextPath=/WebGoat server.port=8080 +server.address=127.0.0.1 spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/data/webgoat spring.jpa.hibernate.ddl-auto=update diff --git a/webwolf/src/main/resources/application.properties b/webwolf/src/main/resources/application.properties index 064285394..abc2a98e9 100644 --- a/webwolf/src/main/resources/application.properties +++ b/webwolf/src/main/resources/application.properties @@ -3,6 +3,7 @@ server.error.path=/error.html server.session.timeout=6000 #server.contextPath=/WebWolf server.port=8081 +server.address=127.0.0.1 server.session.cookie.name = WEBWOLFSESSION spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/data/webwolf From 13a4b69cbecdba25500e961d48486709c5a24643 Mon Sep 17 00:00:00 2001 From: nbaars Date: Mon, 29 Jan 2018 15:43:19 +0100 Subject: [PATCH 04/26] All lesson flags are displayed while running webgoat 8.0 standalone java file #430 --- .../challenge/src/main/java/org/owasp/webgoat/plugin/Flag.java | 1 - 1 file changed, 1 deletion(-) diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/Flag.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/Flag.java index fe9d66466..7d5c85967 100644 --- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/Flag.java +++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/Flag.java @@ -46,7 +46,6 @@ public class Flag extends Endpoint { @PostConstruct public void initFlags() { IntStream.range(1, 10).forEach(i -> FLAGS.put(i, UUID.randomUUID().toString())); - FLAGS.entrySet().stream().forEach(e -> log.debug("Flag {} {}", e.getKey(), e.getValue())); } @Override From 2ae1b4955f89c4958e9264677a59255f09b22419 Mon Sep 17 00:00:00 2001 From: nbaars Date: Tue, 30 Jan 2018 07:18:05 +0100 Subject: [PATCH 05/26] By default binds to ALL network interfaces #431 Fix for Docker not binding to any address by default --- webgoat-server/Dockerfile | 15 ++++++++------- webgoat-server/start.sh | 3 --- webwolf/Dockerfile | 13 +++++++------ webwolf/start.sh | 3 --- 4 files changed, 15 insertions(+), 19 deletions(-) delete mode 100644 webgoat-server/start.sh delete mode 100644 webwolf/start.sh diff --git a/webgoat-server/Dockerfile b/webgoat-server/Dockerfile index 2f1b6f0fd..e022e1a4a 100644 --- a/webgoat-server/Dockerfile +++ b/webgoat-server/Dockerfile @@ -2,13 +2,14 @@ FROM openjdk:8-jre-slim ARG webgoat_version=8.0-SNAPSHOT -RUN useradd --home-dir /home/webgoat --create-home -U webgoat - -RUN apt-get update; apt-get install curl -y - -COPY start.sh /home/webgoat/start.sh -RUN chmod +x /home/webgoat/start.sh +RUN \ + apt-get update && apt-get install && \ + useradd --home-dir /home/webgoat --create-home -U webgoat && \ + cd /home/webgoat/; mkdir -p .webgoat USER webgoat -RUN cd /home/webgoat/; mkdir -p .webgoat COPY target/webgoat-server-${webgoat_version}.jar /home/webgoat/webgoat.jar + +ENTRYPOINT ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar", "/home/webgoat/webgoat.jar", "--server.address=0.0.0.0"] + +EXPOSE 8080 \ No newline at end of file diff --git a/webgoat-server/start.sh b/webgoat-server/start.sh deleted file mode 100644 index 491a89ef7..000000000 --- a/webgoat-server/start.sh +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh - -java -jar -Djava.security.egd=file:/dev/./urandom /home/webgoat/webgoat.jar diff --git a/webwolf/Dockerfile b/webwolf/Dockerfile index 162fe5a2c..a591b2ae5 100644 --- a/webwolf/Dockerfile +++ b/webwolf/Dockerfile @@ -2,12 +2,13 @@ FROM openjdk:8-jre-slim ARG webwolf_version=8.0-SNAPSHOT -RUN useradd --home-dir /home/webwolf --create-home -U webwolf - -RUN apt-get update; apt-get install curl -y - -COPY start.sh /home/webwolf/start.sh -RUN chmod +x /home/webwolf/start.sh +RUN \ + apt-get update && apt-get install && \ + useradd --home-dir /home/webwolf --create-home -U webwolf USER webwolf COPY target/webwolf-${webwolf_version}.jar /home/webwolf/webwolf.jar + +ENTRYPOINT ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar", "/home/webwolf/webwolf.jar", "--server.address=0.0.0.0"] + +EXPOSE 8081 diff --git a/webwolf/start.sh b/webwolf/start.sh deleted file mode 100644 index 746266068..000000000 --- a/webwolf/start.sh +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh - -java -jar -Djava.security.egd=file:/dev/./urandom /home/webwolf/webwolf.jar From 58d4b81df28a523209251f3d85aa7dda0d0473b1 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Wed, 11 Apr 2018 20:22:19 +0200 Subject: [PATCH 06/26] Wrong image name mentioned in lesson for WebWolf --- scripts/deploy-webgoat.sh | 18 ++++++++++++++++++ .../lessonPlans/en/IntroductionWebWolf.adoc | 2 +- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/scripts/deploy-webgoat.sh b/scripts/deploy-webgoat.sh index 652a0b9b0..b9562d0fa 100644 --- a/scripts/deploy-webgoat.sh +++ b/scripts/deploy-webgoat.sh @@ -17,6 +17,24 @@ elif [ ! -z "${TRAVIS_TAG}" ]; then #elif [ "${BRANCH}" == "develop" ]; then # docker build -f Dockerfile -t $REPO:snapshot . # docker push $REPO +else + echo "Skipping releasing to DockerHub because it is a build of branch ${BRANCH}" +fi + + +export REPO=webgoat/webwolf +cd .. +cd webwolf +ls target/ + +if [ "${BRANCH}" == "master" ] && [ ! -z "${TRAVIS_TAG}" ]; then + # If we push a tag to master this will update the LATEST Docker image and tag with the version number + docker build --build-arg webwolf_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:latest -t $REPO:${TRAVIS_TAG} . + docker push $REPO +elif [ ! -z "${TRAVIS_TAG}" ]; then + # Creating a tag build we push it to Docker with that tag + docker build --build-arg webwolf_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:${TRAVIS_TAG} -t $REPO:latest . + docker push $REPO else echo "Skipping releasing to DockerHub because it is a build of branch ${BRANCH}" fi \ No newline at end of file diff --git a/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc b/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc index 37ee96c81..f48b27fb2 100644 --- a/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc +++ b/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc @@ -23,7 +23,7 @@ java -jar webwolf-<>.jar WebWolf is also available as a Docker container: ``` -docker pull webwolf/webwolf-8.0 +docker pull webgoat/webwolf docker run -it 8081:8081 /home/webwolf/run.sh ``` From f30db3abfc7fb584d3f358372ee5b1c0116e32f7 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Wed, 11 Apr 2018 20:45:12 +0200 Subject: [PATCH 07/26] New version number --- pom.xml | 2 +- webgoat-container/pom.xml | 2 +- webgoat-lessons/auth-bypass/pom.xml | 2 +- webgoat-lessons/bypass-restrictions/pom.xml | 2 +- webgoat-lessons/challenge/pom.xml | 2 +- webgoat-lessons/client-side-filtering/pom.xml | 2 +- webgoat-lessons/cross-site-scripting/pom.xml | 2 +- webgoat-lessons/csrf/pom.xml | 2 +- webgoat-lessons/html-tampering/pom.xml | 2 +- webgoat-lessons/http-basics/pom.xml | 2 +- webgoat-lessons/http-proxies/pom.xml | 2 +- webgoat-lessons/idor/pom.xml | 2 +- webgoat-lessons/insecure-login/pom.xml | 2 +- webgoat-lessons/jwt/pom.xml | 2 +- webgoat-lessons/missing-function-ac/pom.xml | 2 +- webgoat-lessons/pom.xml | 4 ++-- webgoat-lessons/sql-injection/pom.xml | 2 +- webgoat-lessons/vulnerable-components/pom.xml | 2 +- webgoat-lessons/webgoat-introduction/pom.xml | 2 +- webgoat-lessons/webwolf-introduction/pom.xml | 2 +- webgoat-lessons/xxe/pom.xml | 2 +- webgoat-server/pom.xml | 2 +- webwolf/pom.xml | 2 +- 23 files changed, 24 insertions(+), 24 deletions(-) diff --git a/pom.xml b/pom.xml index 972af72c8..9c45b3e67 100644 --- a/pom.xml +++ b/pom.xml @@ -5,7 +5,7 @@ org.owasp.webgoat webgoat-parent pom - 8.0.0.M3 + v8.0.0.M14 WebGoat Parent Pom Parent Pom for the WebGoat Project. A deliberately insecure Web Application diff --git a/webgoat-container/pom.xml b/webgoat-container/pom.xml index d9682cb57..76f86c160 100644 --- a/webgoat-container/pom.xml +++ b/webgoat-container/pom.xml @@ -10,7 +10,7 @@ org.owasp.webgoat webgoat-parent - 8.0.0.M3 + v8.0.0.M14 diff --git a/webgoat-lessons/auth-bypass/pom.xml b/webgoat-lessons/auth-bypass/pom.xml index f0242337f..22253bee4 100644 --- a/webgoat-lessons/auth-bypass/pom.xml +++ b/webgoat-lessons/auth-bypass/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - 8.0.0.M3 + v8.0.0.M14 diff --git a/webgoat-lessons/bypass-restrictions/pom.xml b/webgoat-lessons/bypass-restrictions/pom.xml index 3d05db060..8ae0f4f4c 100755 --- a/webgoat-lessons/bypass-restrictions/pom.xml +++ b/webgoat-lessons/bypass-restrictions/pom.xml @@ -6,6 +6,6 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - 8.0.0.M3 + v8.0.0.M14 diff --git a/webgoat-lessons/challenge/pom.xml b/webgoat-lessons/challenge/pom.xml index a35c0b48a..60639ca63 100644 --- a/webgoat-lessons/challenge/pom.xml +++ b/webgoat-lessons/challenge/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - 8.0.0.M3 + v8.0.0.M14 diff --git a/webgoat-lessons/client-side-filtering/pom.xml b/webgoat-lessons/client-side-filtering/pom.xml index 6c7af20ab..95970426a 100644 --- a/webgoat-lessons/client-side-filtering/pom.xml +++ b/webgoat-lessons/client-side-filtering/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - 8.0.0.M3 + v8.0.0.M14 diff --git a/webgoat-lessons/cross-site-scripting/pom.xml b/webgoat-lessons/cross-site-scripting/pom.xml index e4612dbe3..71723d5b3 100644 --- a/webgoat-lessons/cross-site-scripting/pom.xml +++ b/webgoat-lessons/cross-site-scripting/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - 8.0.0.M3 + v8.0.0.M14 diff --git a/webgoat-lessons/csrf/pom.xml b/webgoat-lessons/csrf/pom.xml index f3486e80e..fdc72d3f4 100644 --- a/webgoat-lessons/csrf/pom.xml +++ b/webgoat-lessons/csrf/pom.xml @@ -6,6 +6,6 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - 8.0.0.M3 + v8.0.0.M14 \ No newline at end of file diff --git a/webgoat-lessons/html-tampering/pom.xml b/webgoat-lessons/html-tampering/pom.xml index 8c1bd0cc1..f90a5c862 100755 --- a/webgoat-lessons/html-tampering/pom.xml +++ b/webgoat-lessons/html-tampering/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - 8.0.0.M3 + v8.0.0.M14 diff --git a/webgoat-lessons/http-basics/pom.xml b/webgoat-lessons/http-basics/pom.xml index 8186c300a..a77c8e0a0 100644 --- a/webgoat-lessons/http-basics/pom.xml +++ b/webgoat-lessons/http-basics/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - 8.0.0.M3 + v8.0.0.M14 diff --git a/webgoat-lessons/http-proxies/pom.xml b/webgoat-lessons/http-proxies/pom.xml index ac544a8f7..0c656a7ff 100644 --- a/webgoat-lessons/http-proxies/pom.xml +++ b/webgoat-lessons/http-proxies/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - 8.0.0.M3 + v8.0.0.M14 diff --git a/webgoat-lessons/idor/pom.xml b/webgoat-lessons/idor/pom.xml index a4218f71f..0dd3ab28f 100644 --- a/webgoat-lessons/idor/pom.xml +++ b/webgoat-lessons/idor/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - 8.0.0.M3 + v8.0.0.M14 \ No newline at end of file diff --git a/webgoat-lessons/insecure-login/pom.xml b/webgoat-lessons/insecure-login/pom.xml index b21689b14..4d4d9625c 100755 --- a/webgoat-lessons/insecure-login/pom.xml +++ b/webgoat-lessons/insecure-login/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - 8.0.0.M3 + v8.0.0.M14 diff --git a/webgoat-lessons/jwt/pom.xml b/webgoat-lessons/jwt/pom.xml index f55f51d91..e03c3385e 100644 --- a/webgoat-lessons/jwt/pom.xml +++ b/webgoat-lessons/jwt/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - 8.0.0.M3 + v8.0.0.M14 diff --git a/webgoat-lessons/missing-function-ac/pom.xml b/webgoat-lessons/missing-function-ac/pom.xml index cc0fbffd4..71d667565 100644 --- a/webgoat-lessons/missing-function-ac/pom.xml +++ b/webgoat-lessons/missing-function-ac/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - 8.0.0.M3 + v8.0.0.M14 diff --git a/webgoat-lessons/pom.xml b/webgoat-lessons/pom.xml index 5711263d3..fb6c01861 100644 --- a/webgoat-lessons/pom.xml +++ b/webgoat-lessons/pom.xml @@ -5,12 +5,12 @@ org.owasp.webgoat.lesson webgoat-lessons-parent pom - 8.0.0.M3 + v8.0.0.M14 org.owasp.webgoat webgoat-parent - 8.0.0.M3 + v8.0.0.M14 diff --git a/webgoat-lessons/sql-injection/pom.xml b/webgoat-lessons/sql-injection/pom.xml index 37283bdd5..676c9cc4e 100644 --- a/webgoat-lessons/sql-injection/pom.xml +++ b/webgoat-lessons/sql-injection/pom.xml @@ -6,6 +6,6 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - 8.0.0.M3 + v8.0.0.M14 \ No newline at end of file diff --git a/webgoat-lessons/vulnerable-components/pom.xml b/webgoat-lessons/vulnerable-components/pom.xml index fa63b8c60..26f718269 100644 --- a/webgoat-lessons/vulnerable-components/pom.xml +++ b/webgoat-lessons/vulnerable-components/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - 8.0.0.M3 + v8.0.0.M14 diff --git a/webgoat-lessons/webgoat-introduction/pom.xml b/webgoat-lessons/webgoat-introduction/pom.xml index e21212549..c4076cf17 100644 --- a/webgoat-lessons/webgoat-introduction/pom.xml +++ b/webgoat-lessons/webgoat-introduction/pom.xml @@ -6,6 +6,6 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - 8.0.0.M3 + v8.0.0.M14 \ No newline at end of file diff --git a/webgoat-lessons/webwolf-introduction/pom.xml b/webgoat-lessons/webwolf-introduction/pom.xml index 395a2423f..b55a6a0eb 100644 --- a/webgoat-lessons/webwolf-introduction/pom.xml +++ b/webgoat-lessons/webwolf-introduction/pom.xml @@ -6,6 +6,6 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - 8.0.0.M3 + v8.0.0.M14 \ No newline at end of file diff --git a/webgoat-lessons/xxe/pom.xml b/webgoat-lessons/xxe/pom.xml index 169b86501..3ac778514 100644 --- a/webgoat-lessons/xxe/pom.xml +++ b/webgoat-lessons/xxe/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - 8.0.0.M3 + v8.0.0.M14 diff --git a/webgoat-server/pom.xml b/webgoat-server/pom.xml index 6bec68abb..e0449ece4 100644 --- a/webgoat-server/pom.xml +++ b/webgoat-server/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat webgoat-parent - 8.0.0.M3 + v8.0.0.M14 diff --git a/webwolf/pom.xml b/webwolf/pom.xml index 6e2ade92b..37126b0ba 100644 --- a/webwolf/pom.xml +++ b/webwolf/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat webgoat-parent - 8.0.0.M3 + v8.0.0.M14 From 46fedf3764ef081d6dfcdcafa00c451ff830f8fd Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Mon, 23 Apr 2018 11:20:25 +0200 Subject: [PATCH 08/26] Fix for Docker command to start WebWolf --- .../src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc b/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc index f48b27fb2..2de95e696 100644 --- a/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc +++ b/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc @@ -24,7 +24,7 @@ WebWolf is also available as a Docker container: ``` docker pull webgoat/webwolf -docker run -it 8081:8081 /home/webwolf/run.sh +docker run -it -p 8081:8081 webgoat/webwolf /home/webwolf/run.sh ``` This will start the application on port 8081, click webWolfLink:here[] to open WebWolf. From f4eb96fc6a2f08a59c84bfb213d3a8aeebb43f8c Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Mon, 23 Apr 2018 11:32:07 +0200 Subject: [PATCH 09/26] Add additional remark WebWolf should be running if interaction is necessary --- .../src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc b/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc index 2de95e696..34940c37a 100644 --- a/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc +++ b/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc @@ -1,7 +1,7 @@ == Introducing WebWolf NOTE: You only need WebWolf if you a lesson specifies you can use it. For a lot of lessons you use WebGoat without -starting WebWolf. +starting WebWolf. If you need to do an exercise with WebWolf make sure it is running along side with WebGoat. WebWolf is a separate web application which simulates an attackers machine. It makes it possible for us to make a clear distinction between what takes place on the attacked website and the actions you need to do as From 672d78eebcc11e34b648e0ee8b00ef1987b2096e Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Mon, 23 Apr 2018 16:12:50 +0200 Subject: [PATCH 10/26] Resource bundle in UTF-8 --- .../src/main/java/org/owasp/webgoat/MvcConfiguration.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java b/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java index e52cff71a..22f6fa99e 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java @@ -130,6 +130,7 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter { @Bean public PluginMessages pluginMessages(Messages messages, Language language) { PluginMessages pluginMessages = new PluginMessages(messages, language); + pluginMessages.setDefaultEncoding("UTF-8"); pluginMessages.setBasenames("i18n/WebGoatLabels"); return pluginMessages; } @@ -142,6 +143,7 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter { @Bean public Messages messageSource(Language language) { Messages messages = new Messages(language); + messages.setDefaultEncoding("UTF-8"); messages.setBasename("classpath:i18n/messages"); return messages; } From 245ba2c3d1da2815ef8ef0bd76a42d453e58ebad Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Tue, 24 Apr 2018 20:44:05 +0200 Subject: [PATCH 11/26] Fix XXE lesson, the exact .webgoat directory including version number will be put in the lesson. --- .../webgoat/AsciiDoctorTemplateResolver.java | 2 ++ .../webgoat/asciidoc/WebGoatVersionMacro.java | 23 +++++++++++++++++++ .../main/resources/templates/main_new.html | 11 ++++----- .../lessonPlans/en/XXE_blind_assignment.adoc | 6 ++--- 4 files changed, 33 insertions(+), 9 deletions(-) create mode 100644 webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebGoatVersionMacro.java diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java b/webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java index 7bb02b98d..ecb80bd43 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java @@ -35,6 +35,7 @@ import com.google.common.collect.Sets; import lombok.extern.slf4j.Slf4j; import org.asciidoctor.Asciidoctor; import org.asciidoctor.extension.JavaExtensionRegistry; +import org.owasp.webgoat.asciidoc.WebGoatVersionMacro; import org.owasp.webgoat.asciidoc.WebWolfMacro; import org.owasp.webgoat.i18n.Language; import org.thymeleaf.TemplateProcessingParameters; @@ -86,6 +87,7 @@ public class AsciiDoctorTemplateResolver extends TemplateResolver { StringWriter writer = new StringWriter(); JavaExtensionRegistry extensionRegistry = asciidoctor.javaExtensionRegistry(); extensionRegistry.inlineMacro("webWolfLink", WebWolfMacro.class); + extensionRegistry.inlineMacro("webGoatVersion", WebGoatVersionMacro.class); asciidoctor.convert(new InputStreamReader(is), writer, createAttributes()); return new ByteArrayInputStream(writer.getBuffer().toString().getBytes(UTF_8)); diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebGoatVersionMacro.java b/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebGoatVersionMacro.java new file mode 100644 index 000000000..f33d06063 --- /dev/null +++ b/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebGoatVersionMacro.java @@ -0,0 +1,23 @@ +package org.owasp.webgoat.asciidoc; + +import org.asciidoctor.ast.AbstractBlock; +import org.asciidoctor.extension.InlineMacroProcessor; +import org.springframework.core.env.Environment; +import org.springframework.util.StringUtils; +import org.springframework.web.context.request.RequestContextHolder; +import org.springframework.web.context.request.ServletRequestAttributes; + +import javax.servlet.http.HttpServletRequest; +import java.util.Map; + +public class WebGoatVersionMacro extends InlineMacroProcessor { + + public WebGoatVersionMacro(String macroName, Map config) { + super(macroName, config); + } + + @Override + protected String process(AbstractBlock parent, String target, Map attributes) { + return EnvironmentExposure.getEnv().getProperty("webgoat.build.version"); + } +} diff --git a/webgoat-container/src/main/resources/templates/main_new.html b/webgoat-container/src/main/resources/templates/main_new.html index 07f8143c8..dfcfd7f5e 100644 --- a/webgoat-container/src/main/resources/templates/main_new.html +++ b/webgoat-container/src/main/resources/templates/main_new.html @@ -76,14 +76,13 @@ - - -
diff --git a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc index e7adfae9b..2faeff57b 100644 --- a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc +++ b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc @@ -9,13 +9,13 @@ DTD. |OS |Location |Linux -|`/home/USER/.webgoat/XXE/secret.txt` +|`/home/USER/.webgoat-webGoatVersion:version[]/XXE/secret.txt` |Windows -|`c:/Users/USER/.webgoat/XXE/secret.txt` +|`c:/Users/USER/.webgoat-webGoatVersion:version[]/XXE/secret.txt` |Docker -|`/home/webgoat/.webgoat/XXE/secret.txt` +|`/home/webgoat/.webgoat-webGoatVersion:version[]/XXE/secret.txt` |=== Try to upload this file using WebWolf landing page for example: `http://localhost:8081/WebWolf/landing?text=[contents_file]` From 76daac0db550f1e7f4749ee2e38ac3dce4800143 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Fri, 27 Apr 2018 11:29:52 +0200 Subject: [PATCH 12/26] Label was missing for HTTP basic lesson --- .../http-basics/src/main/resources/i18n/WebGoatLabels.properties | 1 + 1 file changed, 1 insertion(+) diff --git a/webgoat-lessons/http-basics/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/http-basics/src/main/resources/i18n/WebGoatLabels.properties index 71209ebca..a99bf8ab6 100644 --- a/webgoat-lessons/http-basics/src/main/resources/i18n/WebGoatLabels.properties +++ b/webgoat-lessons/http-basics/src/main/resources/i18n/WebGoatLabels.properties @@ -8,6 +8,7 @@ http-basics.hints.http_basic_quiz.1=Turn on Show Parameters or other features http-basics.hints.http_basic_quiz.2=Try to intercept the request with OWASP ZAP +http-basics.empty=Try again, name cannot be empty. http-basics.reversed=The server has reversed your name: {0} http-basics.close=Try again: but this time enter a value before hitting go. From e422da4c64a2449ff99e240206385a0227f94490 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Fri, 27 Apr 2018 18:33:31 +0200 Subject: [PATCH 13/26] Polling for lesson updates (updates the menu and page navigation) --- .../service/LessonProgressService.java | 20 +++---- .../static/js/goatApp/model/MenuCollection.js | 54 ++++++++++--------- .../js/goatApp/view/LessonContentView.js | 7 ++- 3 files changed, 46 insertions(+), 35 deletions(-) diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java index c9fbf8820..76e6187a5 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java @@ -40,17 +40,19 @@ public class LessonProgressService { @RequestMapping(value = "/service/lessonprogress.mvc", produces = "application/json") @ResponseBody public Map getLessonInfo() { - UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName()); - LessonTracker lessonTracker = userTracker.getLessonTracker(webSession.getCurrentLesson()); Map json = Maps.newHashMap(); - String successMessage = ""; - boolean lessonCompleted = false; - if (lessonTracker != null) { - lessonCompleted = lessonTracker.isLessonSolved(); - successMessage = "LessonCompleted"; //@todo we still use this?? + UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName()); + if (webSession.getCurrentLesson() != null) { + LessonTracker lessonTracker = userTracker.getLessonTracker(webSession.getCurrentLesson()); + String successMessage = ""; + boolean lessonCompleted = false; + if (lessonTracker != null) { + lessonCompleted = lessonTracker.isLessonSolved(); + successMessage = "LessonCompleted"; //@todo we still use this?? + } + json.put("lessonCompleted", lessonCompleted); + json.put("successMessage", successMessage); } - json.put("lessonCompleted", lessonCompleted); - json.put("successMessage", successMessage); return json; } diff --git a/webgoat-container/src/main/resources/static/js/goatApp/model/MenuCollection.js b/webgoat-container/src/main/resources/static/js/goatApp/model/MenuCollection.js index 709c557f7..c4c01c70a 100644 --- a/webgoat-container/src/main/resources/static/js/goatApp/model/MenuCollection.js +++ b/webgoat-container/src/main/resources/static/js/goatApp/model/MenuCollection.js @@ -1,29 +1,33 @@ define(['jquery', - 'underscore', - 'backbone', - 'goatApp/model/MenuModel'], - function($,_,Backbone,MenuModel) { + 'underscore', + 'backbone', + 'goatApp/model/MenuModel'], + function ($, _, Backbone, MenuModel) { - return Backbone.Collection.extend({ - model: MenuModel, - url:'service/lessonmenu.mvc', - initialize: function () { - var self = this; - this.fetch(); - }, + return Backbone.Collection.extend({ + model: MenuModel, + url: 'service/lessonmenu.mvc', - onDataLoaded: function() { - this.trigger('menuData:loaded'); - }, + initialize: function () { + var self = this; + this.fetch(); + setInterval(function () { + this.fetch() + }.bind(this), 5000); + }, - fetch: function() { - var self=this; - Backbone.Collection.prototype.fetch.apply(this,arguments).then( - function(data) { - this.models = data; - self.onDataLoaded(); - } - ); - } - }); -}); \ No newline at end of file + onDataLoaded: function () { + this.trigger('menuData:loaded'); + }, + + fetch: function () { + var self = this; + Backbone.Collection.prototype.fetch.apply(this, arguments).then( + function (data) { + this.models = data; + self.onDataLoaded(); + } + ); + } + }); + }); \ No newline at end of file diff --git a/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js b/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js index 65f45a63e..d246b8110 100644 --- a/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js +++ b/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js @@ -25,6 +25,9 @@ define(['jquery', self.navToPage(page); } }); + setInterval(function () { + this.updatePagination(); + }.bind(this), 5000); }, findPage: function(assignment) { @@ -60,7 +63,9 @@ define(['jquery', }, updatePagination: function() { - this.paginationControlView.updateCollection(); + if ( this.paginationControlView != undefined ) { + this.paginationControlView.updateCollection(); + } }, getCurrentPage: function () { From e4ca0c4836ce8f3c0c13f93bfd9cfc4881763d95 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Fri, 27 Apr 2018 19:26:01 +0200 Subject: [PATCH 14/26] Make report working again --- .../org/owasp/webgoat/service/ReportCardService.java | 4 +++- .../src/main/resources/templates/main_new.html | 10 ++++++---- .../owasp/webgoat/service/ReportCardServiceTest.java | 5 ++++- .../org/owasp/webgoat/plugin/ClientSideFiltering.java | 2 +- .../src/main/resources/i18n/WebGoatLabels.properties | 1 + .../org/owasp/webgoat/plugin/CrossSiteScripting.java | 2 +- .../src/main/resources/i18n/WebGoatLabels.properties | 1 + .../webgoat/plugin/advanced/SqlInjectionAdvanced.java | 2 +- .../webgoat/plugin/introduction/SqlInjection.java | 2 +- .../plugin/mitigation/SqlInjectionMitigations.java | 2 +- .../src/main/resources/i18n/WebGoatLabels.properties | 6 ++++++ .../src/main/java/org/owasp/webgoat/plugin/XXE.java | 2 +- .../src/main/resources/i18n/WebGoatLabels.properties | 1 + 13 files changed, 28 insertions(+), 12 deletions(-) diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/ReportCardService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/ReportCardService.java index a014e11fb..0337467b1 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/service/ReportCardService.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/ReportCardService.java @@ -32,6 +32,7 @@ import com.google.common.collect.Lists; import lombok.AllArgsConstructor; import lombok.Getter; import lombok.Setter; +import org.owasp.webgoat.i18n.PluginMessages; import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.session.Course; import org.owasp.webgoat.session.WebSession; @@ -57,6 +58,7 @@ public class ReportCardService { private final WebSession webSession; private final UserTrackerRepository userTrackerRepository; private final Course course; + private final PluginMessages pluginMessages; /** * Endpoint which generates the report card for the current use to show the stats on the solved lessons @@ -74,7 +76,7 @@ public class ReportCardService { for (AbstractLesson lesson : lessons) { LessonTracker lessonTracker = userTracker.getLessonTracker(lesson); LessonStatistics lessonStatistics = new LessonStatistics(); - lessonStatistics.setName(lesson.getTitle()); + lessonStatistics.setName(pluginMessages.getMessage(lesson.getTitle())); lessonStatistics.setNumberOfAttempts(lessonTracker.getNumberOfAttempts()); lessonStatistics.setSolved(lessonTracker.isLessonSolved()); reportCard.lessonStatistics.add(lessonStatistics); diff --git a/webgoat-container/src/main/resources/templates/main_new.html b/webgoat-container/src/main/resources/templates/main_new.html index dfcfd7f5e..eadb722c3 100644 --- a/webgoat-container/src/main/resources/templates/main_new.html +++ b/webgoat-container/src/main/resources/templates/main_new.html @@ -89,10 +89,12 @@ - + + + diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/service/ReportCardServiceTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/service/ReportCardServiceTest.java index 9086741ba..e3c03ad17 100644 --- a/webgoat-container/src/test/java/org/owasp/webgoat/service/ReportCardServiceTest.java +++ b/webgoat-container/src/test/java/org/owasp/webgoat/service/ReportCardServiceTest.java @@ -6,6 +6,7 @@ import org.junit.Test; import org.junit.runner.RunWith; import org.mockito.Mock; import org.mockito.runners.MockitoJUnitRunner; +import org.owasp.webgoat.i18n.PluginMessages; import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.session.Course; import org.owasp.webgoat.session.WebSession; @@ -40,10 +41,12 @@ public class ReportCardServiceTest { private UserTrackerRepository userTrackerRepository; @Mock private WebSession websession; + @Mock + private PluginMessages pluginMessages; @Before public void setup() { - this.mockMvc = standaloneSetup(new ReportCardService(websession, userTrackerRepository, course)).build(); + this.mockMvc = standaloneSetup(new ReportCardService(websession, userTrackerRepository, course, pluginMessages)).build(); } @Test diff --git a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFiltering.java b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFiltering.java index 98a7c4172..84596b1ba 100644 --- a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFiltering.java +++ b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFiltering.java @@ -56,7 +56,7 @@ public class ClientSideFiltering extends NewLesson { @Override public String getTitle() { - return "Client side filtering"; + return "client.side.filtering.title"; } @Override diff --git a/webgoat-lessons/client-side-filtering/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/client-side-filtering/src/main/resources/i18n/WebGoatLabels.properties index a5a163cad..e9a044325 100644 --- a/webgoat-lessons/client-side-filtering/src/main/resources/i18n/WebGoatLabels.properties +++ b/webgoat-lessons/client-side-filtering/src/main/resources/i18n/WebGoatLabels.properties @@ -1,3 +1,4 @@ +client.side.filtering.title=Client side filtering ClientSideFilteringSelectUser=Select user: ClientSideFilteringUserID=User ID ClientSideFilteringFirstName=First Name diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScripting.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScripting.java index 609fb49cd..c1453a112 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScripting.java +++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScripting.java @@ -60,7 +60,7 @@ public class CrossSiteScripting extends NewLesson { @Override public String getTitle() { - return "Cross Site Scripting"; + return "xss.title"; } @Override diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties index 9d3490287..3f6a96ee2 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties +++ b/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties @@ -1,4 +1,5 @@ # XSS success, failure messages and hints +xss.title=Cross Site Scripting xss-reflected-5a-success=well done, but alerts aren't very impressive are they? Please continue. xss-reflected-5a-failure=Try again. We do want to see this specific javascript (in case you are trying to do something more fancy) xss-reflected-5b-success=Correct ... because
  • The script was not triggered by the URL/QueryString
  • Even if you use the attack URL in a new tab, it won't execute (becuase of response type). Try it if you like.
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionAdvanced.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionAdvanced.java index 3df685705..5313ac86b 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionAdvanced.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionAdvanced.java @@ -53,7 +53,7 @@ public class SqlInjectionAdvanced extends NewLesson { @Override public String getTitle() { - return "SQL Injection (advanced)"; + return "sql.advanced.title"; } @Override diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjection.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjection.java index d5df3c88a..63d7b0041 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjection.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjection.java @@ -60,7 +60,7 @@ public class SqlInjection extends NewLesson { @Override public String getTitle() { - return "SQL Injection"; + return "sql.injection.title"; } @Override diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionMitigations.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionMitigations.java index 463c4dfdc..2546bfb7f 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionMitigations.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionMitigations.java @@ -53,7 +53,7 @@ public class SqlInjectionMitigations extends NewLesson { @Override public String getTitle() { - return "SQL Injection (mitigations)"; + return "sql.mitigation.title"; } @Override diff --git a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties index 8f4c69431..409f69b6f 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties +++ b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties @@ -1,6 +1,12 @@ #StringSqlInjection.java StringSqlInjectionSecondStage=Now that you have successfully performed an SQL injection, try the same type of attack on a parameterized query. Restart the lesson if you wish to return to the injectable query. EnterLastName=Enter your last name: + +sql.injection.title=SQL Injection +sql.mitigation.title=SQL Injection (mitigation) +sql.advanced.title=SQL Injection (advanced) + + NoResultsMatched=No results matched. Try Again. SqlStringInjectionHint1=The application is taking your input and inserting it at the end of a pre-formed SQL command. SqlStringInjectionHint2=This is the code for the query being built and issued by WebGoat:

"SELECT * FROM user_data WHERE last_name = "accountName" diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/XXE.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/XXE.java index 43ebad5ac..b35433e30 100644 --- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/XXE.java +++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/XXE.java @@ -58,7 +58,7 @@ public class XXE extends NewLesson { @Override public String getTitle() { - return "XXE"; + return "xxe.title"; } @Override diff --git a/webgoat-lessons/xxe/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/xxe/src/main/resources/i18n/WebGoatLabels.properties index 877a3774c..5ef01ab9d 100644 --- a/webgoat-lessons/xxe/src/main/resources/i18n/WebGoatLabels.properties +++ b/webgoat-lessons/xxe/src/main/resources/i18n/WebGoatLabels.properties @@ -22,6 +22,7 @@ # projects. #

# +xxe.title=XXE xxe.simple.output=Welcome {0} you can now login to our website xxe.content.type.feedback.json=You are posting JSON which does not work with a XXE xxe.content.type.feedback.xml=You are posting XML but there is no XXE attack performed From 8b8a89a8ab838c487d54cd5b718d04dbedf985c2 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Sat, 28 Apr 2018 16:01:57 +0200 Subject: [PATCH 15/26] Add extra informational message when a failure occurs while sending an email from WebGoat to WebWolf. --- .../service/ReportCardServiceTest.java | 1 + .../owasp/webgoat/plugin/MailAssignment.java | 7 +- .../resources/i18n/WebGoatLabels.properties | 2 +- webwolf/pom.xml | 4 + .../java/org/owasp/webwolf/mailbox/Email.java | 9 +- .../webwolf/mailbox/MailboxController.java | 13 +-- .../mailbox/MailboxControllerTest.java | 98 +++++++++++++++++++ 7 files changed, 121 insertions(+), 13 deletions(-) create mode 100644 webwolf/src/test/java/org/owasp/webwolf/mailbox/MailboxControllerTest.java diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/service/ReportCardServiceTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/service/ReportCardServiceTest.java index e3c03ad17..f35c4131d 100644 --- a/webgoat-container/src/test/java/org/owasp/webgoat/service/ReportCardServiceTest.java +++ b/webgoat-container/src/test/java/org/owasp/webgoat/service/ReportCardServiceTest.java @@ -47,6 +47,7 @@ public class ReportCardServiceTest { @Before public void setup() { this.mockMvc = standaloneSetup(new ReportCardService(websession, userTrackerRepository, course, pluginMessages)).build(); + when(pluginMessages.getMessage(anyString())).thenReturn("Test"); } @Test diff --git a/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/plugin/MailAssignment.java b/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/plugin/MailAssignment.java index 54e17a9c2..c10321e74 100644 --- a/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/plugin/MailAssignment.java +++ b/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/plugin/MailAssignment.java @@ -8,6 +8,7 @@ import org.springframework.beans.factory.annotation.Value; import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.ResponseBody; +import org.springframework.web.client.RestClientException; import org.springframework.web.client.RestTemplate; import java.time.LocalDateTime; @@ -39,7 +40,11 @@ public class MailAssignment extends AssignmentEndpoint { .contents("This is a test message from WebWolf, your unique code is: " + StringUtils.reverse(username)) .sender("webgoat@owasp.org") .build(); - restTemplate.postForEntity(webWolfURL, mailEvent, Object.class); + try { + restTemplate.postForEntity(webWolfURL, mailEvent, Object.class); + } catch (RestClientException e ) { + return informationMessage().feedback("webwolf.email_failed").output(e.getMessage()).build(); + } return informationMessage().feedback("webwolf.email_send").feedbackArgs(email).build(); } else { return informationMessage().feedback("webwolf.email_mismatch").feedbackArgs(username).build(); diff --git a/webgoat-lessons/webwolf-introduction/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/webwolf-introduction/src/main/resources/i18n/WebGoatLabels.properties index 20947800b..0981f2a08 100644 --- a/webgoat-lessons/webwolf-introduction/src/main/resources/i18n/WebGoatLabels.properties +++ b/webgoat-lessons/webwolf-introduction/src/main/resources/i18n/WebGoatLabels.properties @@ -2,7 +2,7 @@ webwolf.title=WebWolf webwolf.email_send=An email has been send to {0} please check your inbox. webwolf.code_incorrect=That is not the correct code: {0}, please try again. - +webwolf.email_failed=There was an error while sending the e-mail. Is WebWolf running? webwolf.email_mismatch=Of course you can send mail to user {0} however you will not be able to read this e-mail in WebWolf, please use your own username. diff --git a/webwolf/pom.xml b/webwolf/pom.xml index 37126b0ba..2b606b952 100644 --- a/webwolf/pom.xml +++ b/webwolf/pom.xml @@ -85,6 +85,10 @@ spring-boot-starter-test test + + org.springframework.security + spring-security-test + diff --git a/webwolf/src/main/java/org/owasp/webwolf/mailbox/Email.java b/webwolf/src/main/java/org/owasp/webwolf/mailbox/Email.java index d721bc5d5..c97e0ba4e 100644 --- a/webwolf/src/main/java/org/owasp/webwolf/mailbox/Email.java +++ b/webwolf/src/main/java/org/owasp/webwolf/mailbox/Email.java @@ -1,5 +1,8 @@ package org.owasp.webwolf.mailbox; +import com.fasterxml.jackson.annotation.JsonIgnore; +import lombok.AllArgsConstructor; +import lombok.Builder; import lombok.Data; import lombok.NoArgsConstructor; @@ -13,6 +16,8 @@ import java.time.format.DateTimeFormatter; * @since 8/20/17. */ @Data +@Builder +@AllArgsConstructor @Entity @NoArgsConstructor public class Email implements Serializable { @@ -20,7 +25,7 @@ public class Email implements Serializable { @Id @GeneratedValue(strategy = GenerationType.IDENTITY) private Long id; - private LocalDateTime time; + private LocalDateTime time = LocalDateTime.now(); @Column(length = 1024) private String contents; private String sender; @@ -28,7 +33,7 @@ public class Email implements Serializable { private String recipient; public String getSummary() { - return "-" + this.contents.substring(0, 50); + return "-" + this.contents.substring(0, Math.min(50, contents.length())); } public LocalDateTime getTimestamp() { diff --git a/webwolf/src/main/java/org/owasp/webwolf/mailbox/MailboxController.java b/webwolf/src/main/java/org/owasp/webwolf/mailbox/MailboxController.java index 52ec55959..b4f149db2 100644 --- a/webwolf/src/main/java/org/owasp/webwolf/mailbox/MailboxController.java +++ b/webwolf/src/main/java/org/owasp/webwolf/mailbox/MailboxController.java @@ -7,6 +7,7 @@ import org.owasp.webwolf.user.WebGoatUser; import org.springframework.http.HttpStatus; import org.springframework.http.ResponseEntity; import org.springframework.security.core.context.SecurityContextHolder; +import org.springframework.security.core.userdetails.User; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.RequestBody; @@ -25,12 +26,11 @@ import java.util.concurrent.Callable; @Slf4j public class MailboxController { - private final UserRepository userRepository; private final MailboxRepository mailboxRepository; @GetMapping(value = "/WebWolf/mail") public ModelAndView mail() { - WebGoatUser user = (WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal(); + User user = (User) SecurityContextHolder.getContext().getAuthentication().getPrincipal(); ModelAndView modelAndView = new ModelAndView(); List emails = mailboxRepository.findByRecipientOrderByTimeDesc(user.getUsername()); if (emails != null && !emails.isEmpty()) { @@ -44,13 +44,8 @@ public class MailboxController { @PostMapping(value = "/mail") public Callable> sendEmail(@RequestBody Email email) { return () -> { - if (userRepository.findByUsername(email.getRecipient()) != null) { - mailboxRepository.save(email); - return ResponseEntity.status(HttpStatus.CREATED).build(); - } else { - log.trace("Mail received for unknown user: {}", email.getRecipient()); - return ResponseEntity.notFound().build(); - } + mailboxRepository.save(email); + return ResponseEntity.status(HttpStatus.CREATED).build(); }; } diff --git a/webwolf/src/test/java/org/owasp/webwolf/mailbox/MailboxControllerTest.java b/webwolf/src/test/java/org/owasp/webwolf/mailbox/MailboxControllerTest.java new file mode 100644 index 000000000..3c554a68d --- /dev/null +++ b/webwolf/src/test/java/org/owasp/webwolf/mailbox/MailboxControllerTest.java @@ -0,0 +1,98 @@ +package org.owasp.webwolf.mailbox; + +import com.fasterxml.jackson.annotation.JsonIgnoreProperties; +import com.fasterxml.jackson.databind.ObjectMapper; +import com.google.common.collect.Lists; +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.mockito.Mockito; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest; +import org.springframework.boot.test.mock.mockito.MockBean; +import org.springframework.http.MediaType; +import org.springframework.security.test.context.support.WithMockUser; +import org.springframework.test.context.junit4.SpringRunner; +import org.springframework.test.web.servlet.MockMvc; + +import java.time.LocalDateTime; +import java.time.format.DateTimeFormatter; + +import static org.hamcrest.CoreMatchers.containsString; +import static org.hamcrest.CoreMatchers.not; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*; + +@RunWith(SpringRunner.class) +@WebMvcTest(MailboxController.class) +public class MailboxControllerTest { + + @Autowired + private MockMvc mvc; + @MockBean + private MailboxRepository mailbox; + @Autowired + private ObjectMapper objectMapper; + + @JsonIgnoreProperties("time") + public static class EmailMixIn { + } + + @Before + public void setup() { + objectMapper.addMixIn(Email.class, EmailMixIn.class); + } + + @Test + @WithMockUser + public void sendingMailShouldStoreIt() throws Exception { + Email email = Email.builder() + .contents("This is a test mail") + .recipient("test1234@webgoat.org") + .sender("hacker@webgoat.org") + .title("Click this mail") + .time(LocalDateTime.now()) + .build(); + this.mvc.perform(post("/mail").contentType(MediaType.APPLICATION_JSON).content(objectMapper.writeValueAsBytes(email))) + .andExpect(status().isOk()); + } + + @Test + @WithMockUser(username = "test1234") + public void userShouldBeAbleToReadOwnEmail() throws Exception { + Email email = Email.builder() + .contents("This is a test mail") + .recipient("test1234@webgoat.org") + .sender("hacker@webgoat.org") + .title("Click this mail") + .time(LocalDateTime.now()) + .build(); + Mockito.when(mailbox.findByRecipientOrderByTimeDesc("test1234")).thenReturn(Lists.newArrayList(email)); + + this.mvc.perform(get("/WebWolf/mail")) + .andExpect(status().isOk()) + .andExpect(view().name("mailbox")) + .andExpect(content().string(containsString("Click this mail"))) + .andExpect(content().string(containsString(DateTimeFormatter.ofPattern("h:mm a").format(email.getTimestamp())))); + } + + @Test + @WithMockUser(username = "test1233") + public void differentUserShouldNotBeAbleToReadOwnEmail() throws Exception { + Email email = Email.builder() + .contents("This is a test mail") + .recipient("test1234@webgoat.org") + .sender("hacker@webgoat.org") + .title("Click this mail") + .time(LocalDateTime.now()) + .build(); + Mockito.when(mailbox.findByRecipientOrderByTimeDesc("test1234")).thenReturn(Lists.newArrayList(email)); + + this.mvc.perform(get("/WebWolf/mail")) + .andExpect(status().isOk()) + .andExpect(view().name("mailbox")) + .andExpect(content().string(not(containsString("Click this mail")))); + } + +} \ No newline at end of file From 32927c8109155654fa546afeb9b35182a8c7bbd5 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Sat, 28 Apr 2018 16:02:09 +0200 Subject: [PATCH 16/26] Bumped Spring Boot version --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 9c45b3e67..170e98a18 100644 --- a/pom.xml +++ b/pom.xml @@ -20,7 +20,7 @@ org.springframework.boot spring-boot-starter-parent - 1.5.9.RELEASE + 1.5.12.RELEASE From 11ffa5702c1d6cafdbfd6fdb791008fbbe1b9283 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Sun, 29 Apr 2018 15:02:19 +0200 Subject: [PATCH 17/26] Added "WebWolf" enabled to the lessons which support the usage of WebWolf --- .../src/main/resources/static/css/main.css | 13 +++++++++++++ .../main/resources/html/WebWolfIntroduction.html | 2 ++ .../src/main/resources/images/wolf-enabled.png | Bin 0 -> 6828 bytes .../lessonPlans/en/IntroductionWebWolf.adoc | 14 ++++++++++++-- .../xxe/src/main/resources/html/XXE.html | 1 + .../src/main/resources/images/wolf-enabled.png | Bin 0 -> 6828 bytes 6 files changed, 28 insertions(+), 2 deletions(-) create mode 100644 webgoat-lessons/webwolf-introduction/src/main/resources/images/wolf-enabled.png create mode 100644 webgoat-lessons/xxe/src/main/resources/images/wolf-enabled.png diff --git a/webgoat-container/src/main/resources/static/css/main.css b/webgoat-container/src/main/resources/static/css/main.css index d9347acb8..59f674616 100644 --- a/webgoat-container/src/main/resources/static/css/main.css +++ b/webgoat-container/src/main/resources/static/css/main.css @@ -1066,6 +1066,7 @@ span.show-next-page, span.show-prev-page { /* ATTACK DISPLAY */ .attack-container { + position: relative; background-color: #f1f1f1; border: 2px solid #a66; border-radius: 12px; @@ -1150,4 +1151,16 @@ div.captured-flag { height: 117px; width: 1268px; margin-bottom: 20px; +} + +#content { + position:relative; +} + +.webwolf-enabled { + position:absolute; + top: 10px; + right: 25px; + width: 42px; + height: 47px; } \ No newline at end of file diff --git a/webgoat-lessons/webwolf-introduction/src/main/resources/html/WebWolfIntroduction.html b/webgoat-lessons/webwolf-introduction/src/main/resources/html/WebWolfIntroduction.html index fc443b7c7..70586184c 100644 --- a/webgoat-lessons/webwolf-introduction/src/main/resources/html/WebWolfIntroduction.html +++ b/webgoat-lessons/webwolf-introduction/src/main/resources/html/WebWolfIntroduction.html @@ -12,6 +12,7 @@

+
+
Click here to reset your password diff --git a/webgoat-lessons/webwolf-introduction/src/main/resources/images/wolf-enabled.png b/webgoat-lessons/webwolf-introduction/src/main/resources/images/wolf-enabled.png new file mode 100644 index 0000000000000000000000000000000000000000..d343c07d9a9cd66a32b4fcccd4b05f16dbcd7cdd GIT binary patch literal 6828 zcmV;d8dK$oP)_y=GL0k3IWQnui7;M*1aU4P(T*$OLQ7%&@I-Sdf6z-a{BtL;ev zh67KVVO}{#n!j~II}1^r0^9@i^3aeSfC-FZ8%FUMkJGGet7_?FMlm~7`1k(@%y;$W zwGl;i32=w0w6D|x7Xvd0sMq#YmDB(~2L?y@%)}Ny4@FkD6CMf%Tn${3GXvibj3;2d zwzaC_Qs6rlpSup(FC7a^LAHz9L-a+lnhHgAv013dBfkPp))m95A#A_OhMvH??uUW_ zCjwXJ*w82D_@$sk;~?O6+&Vs3t$5dz5!D{ZN=fIO8@vgaM8MtJ_6kdX#4D$#!)tCp z7Q~v}2}>Mj=aZf%MbfMSh7<6Lw!y;D4)`;$pX2Mk4(#N*o4dR~q5|j&{KU9lDaGQ9 z1VmL5mc#L5zzE>$1$+Rbfm5{|7K*{Z_Y=DIBG(hMYe~j4-3P8B$o-sA5q1Y21-41( z`hRmLtbikcQ63xfdBo}Vam&y52L4;yWbQc$IiT1l!S8S=ESTo8G2Z~bK)^M?A!clC zbGrC^<3z0FbFTbLWUng8XV`3B;tqrrFpBJsf0UyMm`uQOQ`aT}Zbuv~=S93$H{f(_ zqq$>W;5lRyIB8xW#xatXJ=PSDjrs!u9&2Ujx&$~BSx%3_+1gHX#Y8jwPwPa*Q*l0A zyF~--h6LL1bzXI8$nRGpfoP(z8$lvVw2FHU1!m&-_*GuY9DL7kZNFX*1Ie?n_VTP=j{!dl z5mg=VQ`{V9*-hK8mkb3C$h)xmc~qxWz!_yu{C?e`(fex~_L8q;{Qd1+2+Jq;o(n=_ z0|pEMu5|c)-L(ySM-SxWcb0T=AuL~_EG_}ZTZ`N$%LRcdg>P18^1}Urw$&>9Jg-!C3?x@*h!& zAeJNNrk)M?+;Yl$)n8VDIFFNsFP$+x8|{x1l)FXVF#NDS^I<8Lg{_Ur}2 z@XHb0Nsskc2kJg6^e;Ax>q+x3ZvbB_bKNU}Aqg9Bv9@V1xRkV#&8H}=1r925qX|bH zCazURT=yg16^$W(dq7GP+4RFIKGUy)&fTp@KDI# zbVhsu(+I&fPuq2-)Bx9mcY##5k1s6o%X`E@W$KW;RO8Bst6b)ftASlpFy2dg7Atd( z13u?ry`1z|0Ka!sp?cs>0?V#FU^H^nJ`En!cAY5=z;sXR=1f@k6FneHn7HnWEG~)l z_tO-I1+%qnXUawR;bqYp-Q5UF78ZWzuwpjix}NloalAyJ^Q#Qm3BNOh_HrXE;TFf0 zD~W4d1-;ebq#H!@C)&0%WjcQ6vhGTZQxq*D;Xa8Z?{Y1!I|(>0L{vS1TT?VzBa-<~ z$%fJ7BlKKPH^LGwPoRP&ah=r0?{5V9rf9J1&CplLX2BvaqlF#Z2`k`1XeE?$d`kOV zUvKe!X96drXsowME}xQ8o@v0qoYb{PoW|Z77Xi=UeuK8w^cIIA@c@UWEGmFY30SS| zI};8AF33@Rd)t1n^{~B<^A@A%3XDvs!UKUZz@DV*ANB}vA&*B-)~v*)FUcl}OM>Ts zCtS_3w(PQBD$s*ng&a|7(l(w6R}gd4H3O{o*xDAB`1DPHLJXUlkf^$PL?jyq1Cw)D z@15NXOT@JZ3GkBlxBPSh?$!34>4HU_3Tta|%|aG4^2#rfoW)8u^Z~}_wC??}4BT0n zPhPq4Y(FbspMO%_V!qYAg|onHDDUDRGODY`U_wp0qeDG zXG&{_UzZs%jQ|E9@gg6>&y1pbCo8PYJ=e*&^MX%mq2jw{u|h?aJtZ&kcYr&AvB+xM z#cX|g`x+$ZkZ*k2=0kRSNCBTlj$G{OnGqV1w5q?;_UsMaOj#N-+BpM4LW^h1v%qK4 z5tfLnGm@X`Jp4FTeLpaTfH$-)=Zf*bU8J95ILZj97w}#>!rCmbk-&9iml^RjU}|V2 zUBy?%0{7y7gyR#bn{_o3$<*VQnq4UP!FCqk#jlPiwj! zIehs5aBpZ{VkHk8g)DsKEy2aH5E8XHHDPTnvU*?-B#iK2U>C$Czxx&j-iWN~EjRO~ z7lDPq0^_%+7!J9pa$`% zXf8;(P9Ld~HKj!C%>^ot>0?#0qze+hySZTHJ$g5gcdZlxMUlC~;|z>_t6QIi(^i0KF{52`6u&n6WX^fW!vk){jp zr0qh9NjKn)Y7|y`WEJl;57ybG%qIK~X`4np$VDoWPunpa`fB0(lEM^D)* z1?#c0@Vux&mc_3GKCRDB@sth7w#`P{UL#G$An7N6tD;gor#&%NozoIlFC;J19Aptf zQSyLwY{xX_SO){Mv5e2AC>dfM!zAe*>kQLNsi+j+nGf6!tli?@R{L1dbATrFT#uG~ zlu4%D_62?gyc4I#N@`Vb5-vaEFRY zQQQjaYe*O5> zQb1-SL5`deWrKJKvKg#-i*s#MWgscEiYTxxjS$T5`s%@m|VHl2W8g)Z|cK{TxQ0w`A)zuRA7meM@b>+*>VhV6R;SDCl7K7-BWdf$}(XMHHv<)RFq zTP@;#_NYDwnvtxbUa>+SigkGvKk_Dz2If`yvl!%)sJf{*Vi#YWmTQsNkE^TnIqa0S zvBS`baC}blq#jMc4}m>_KUU#$_{b+=^;BKN<_P@qT6q;X1egMRP-Uxv-Uw?4)kSRT zfnz`%tdRw4A;aIuq^<-UqCCO z7I@6_dw9V&VST82aK->&R6+0Ud5`P10r-b+!dkC-aLSZ|-q))h*X`vj7Guf@YprU* zDdS1@j8;}OdR(_fS$t_ZVQo+?IJfsD1-!4-9@lNYkHT7`T5!%u$a1y{D;*a4D6Dm= z1LxEsQG#k!SgG)w_E^=!0l?V>x*u2V?U>hG z=&P{O7z(~$#R68(7NHrK)#BfpfG1;KcfPN}N`u8fyDDr<|E4(mgmLFsPt*F*j-@f} zyUbT%bxENPPgL=oLJ?*sFcn#twFiFifto#Fl8j%-FwB3&<&hbh)dsBMqc4BQjaTh&=!_kA)xj$ck# zNd}tyUnC99;EeA5ZQwiR|7QVTAieWv_Y`bcYr7vekG5C-;zYK3&WP4qVf9Yvdp|^u za}Ot*n87`N1e`$Y zn~yV*06IzXM~dfz+28RnkeE}11-=_Bsmv53&Gm04-Do{4DIa&D9g^ujsXAOm@%WpC z9sU$@y*lFMUmobQv3e%du(r%}@lcAQT1w^1w>^<1;3VpCV!=dJ3#_uR!;~_^KwJC1 z?YqJDNuW_}Y|+IpNl8@CAxW{Lu)kT%a9x)@3nr{REo`u!@U5J$#IWzZzPxSPB8fy@ zKW6jBT|Ma}1A7n&{QqXe&pic9bzGPAc$8e)5uda8%)^9duHP?4eZ1cvywLHRdN~qm zxx}YZ=&5cYo`Y`<@QB0uETDMYX<>(x%Um-~V)Bu`8|+5Mjr{Z$*B_U#sBXZ`QvLuW zw~~uGO)r?JY7h_dC^lF__=a-t820@L@!0U1-#TpMb6Yg>j==aoW1kZaI0ln~*(`q<7nQiTU}4f{AJ%;+YeLSxDriFbMUe~ z63>Ozo8-eBq{&2!&&)3K`@X=C76esF&s6&pb6op9< z|9+VnI)-t0jQYF-yqE{W*?JeBO)`$FTb9+pp()$rKHRu;6`|L%ak{;^g6sZSOi0J7huQ5h%pJ07gB1h=wq--Y_%eXyF1L#m?y;bSO6h=p2OpH1`nI{7-jPS?2cT#;_yBm!CiKaw5dZ<<3!zGEcdbpnsXB# z5&R~PUH?yM+mqld+#fAzS+2*Agb5uZ4vnLfsX1v2!;yWcsP{Lh%ys+6wBOhAD6B4K zVpzI~CeyW-hB1pt&PC}=&up=sS$s(1e)G^c{%CPuuT^l}Gh^EB_`I$H)gaji$FOyr zf(FYsSh?~JexF;K46MMtTh=I#@41)dv%a;0YyTvs?WR#Mh9n@WMHw$rR7!8tbGy9v zH%T_~a2!5wc~6zhA>-QduA&L+2*(ZUe$vUu<&yJoyCHs?r}ufH<^5E$^7#bu54IMH zvm7?4Ysqg`$B{^=Y8Q5BB3^_dpM=#&Wy|2db}%2W^UYv!*8g32Bdh{WL1IeeHT%X~ zBd*1c=CiJX;JBpG;xh{<@68VJy=dx*@5|{GH^qF@%tIm|6@~3_7bnEGl`fmp!j+zn zY9M~#)?wja!>$eA9#@_d`FuWh}=I4;#l|S3JXxzw7KBfGri8vRs@!|WjrJXhuWopq7 z@y1^#KXEi%GMadKp4JdOOG=VN3D7y;;`$wt6X-U!+Per1W&qLlX2wvx9EG?n6=BnO zWQ2OJ2Rd1N$1Rq2I;9AWB}(qBStysq5Y`4@cTeu4KH^KlChF2;OFR9jC~x6P-&%uI zSJWVRy5jgy`VucA%A(9=mUGjpb!|GGDs_;IL3iXBMV!zCml7|VybGcnN_^OIUTW(O zwh;IMaAaQR^iwOm+0m+}tvD#=e5+LMCYw{$?SXX>>bZ_^$LbnnKXiA*srx4E@)@^v z6z6H+8|34}1R%TWmF&aRs+K;+)wnxileSBk&2so{=7n-LFw@lgJ>spFMlG8VPobf{ zH;!Lba5HzRhT2>Jc-~Qi`8Se;JZU}&e3y7`M?RD$-~l{Nr&>u+k@HkTZL*)EAz`z5 z^Cy)QVkqLu)Rc2UwUzyGGO~B(4V5Gu+gJ4y$_=Anc1(iCd3Ix%BoiAKV24&Ew-zUE3eKnM2SSAd&*=MR`v+dae3aJmW zk8>BW)C?Kc5I^tLKQidyyOQ6;3~4{}dyykgk&@!sM7JroDY=Q_96alSq^+5R1QBiR zMbu5(U*Q=8{1x~gDU>V09=RLoLgGbFaN?}DD)#M{L(xGs^0}T2}$Gm zVhjVf_2%jc9EbP@&Y}F?pO*ZUb%^tDY${C<=3CC99nCWH`M^EETMms|T9R!Cd=|I@ z34yjr8(vkERkRW%D(WWKVk$ehxDj#OT$++_wnvU1^gtr?4n*RH4>tcza%j37$v!fG zV#Z2T%CiKCx$%LGu=*peE|oGJ2_0=qFSCd+(3I|o*GD&G|ERO+Eqan{LUBc@ggcM} zz>)cq#p+4ay^?w)D99Y#d4Frsl2$p~Mp!?v_@ZxCcsHAGRO a()j;X%($zc4fA;b0000
+
_y=GL0k3IWQnui7;M*1aU4P(T*$OLQ7%&@I-Sdf6z-a{BtL;ev zh67KVVO}{#n!j~II}1^r0^9@i^3aeSfC-FZ8%FUMkJGGet7_?FMlm~7`1k(@%y;$W zwGl;i32=w0w6D|x7Xvd0sMq#YmDB(~2L?y@%)}Ny4@FkD6CMf%Tn${3GXvibj3;2d zwzaC_Qs6rlpSup(FC7a^LAHz9L-a+lnhHgAv013dBfkPp))m95A#A_OhMvH??uUW_ zCjwXJ*w82D_@$sk;~?O6+&Vs3t$5dz5!D{ZN=fIO8@vgaM8MtJ_6kdX#4D$#!)tCp z7Q~v}2}>Mj=aZf%MbfMSh7<6Lw!y;D4)`;$pX2Mk4(#N*o4dR~q5|j&{KU9lDaGQ9 z1VmL5mc#L5zzE>$1$+Rbfm5{|7K*{Z_Y=DIBG(hMYe~j4-3P8B$o-sA5q1Y21-41( z`hRmLtbikcQ63xfdBo}Vam&y52L4;yWbQc$IiT1l!S8S=ESTo8G2Z~bK)^M?A!clC zbGrC^<3z0FbFTbLWUng8XV`3B;tqrrFpBJsf0UyMm`uQOQ`aT}Zbuv~=S93$H{f(_ zqq$>W;5lRyIB8xW#xatXJ=PSDjrs!u9&2Ujx&$~BSx%3_+1gHX#Y8jwPwPa*Q*l0A zyF~--h6LL1bzXI8$nRGpfoP(z8$lvVw2FHU1!m&-_*GuY9DL7kZNFX*1Ie?n_VTP=j{!dl z5mg=VQ`{V9*-hK8mkb3C$h)xmc~qxWz!_yu{C?e`(fex~_L8q;{Qd1+2+Jq;o(n=_ z0|pEMu5|c)-L(ySM-SxWcb0T=AuL~_EG_}ZTZ`N$%LRcdg>P18^1}Urw$&>9Jg-!C3?x@*h!& zAeJNNrk)M?+;Yl$)n8VDIFFNsFP$+x8|{x1l)FXVF#NDS^I<8Lg{_Ur}2 z@XHb0Nsskc2kJg6^e;Ax>q+x3ZvbB_bKNU}Aqg9Bv9@V1xRkV#&8H}=1r925qX|bH zCazURT=yg16^$W(dq7GP+4RFIKGUy)&fTp@KDI# zbVhsu(+I&fPuq2-)Bx9mcY##5k1s6o%X`E@W$KW;RO8Bst6b)ftASlpFy2dg7Atd( z13u?ry`1z|0Ka!sp?cs>0?V#FU^H^nJ`En!cAY5=z;sXR=1f@k6FneHn7HnWEG~)l z_tO-I1+%qnXUawR;bqYp-Q5UF78ZWzuwpjix}NloalAyJ^Q#Qm3BNOh_HrXE;TFf0 zD~W4d1-;ebq#H!@C)&0%WjcQ6vhGTZQxq*D;Xa8Z?{Y1!I|(>0L{vS1TT?VzBa-<~ z$%fJ7BlKKPH^LGwPoRP&ah=r0?{5V9rf9J1&CplLX2BvaqlF#Z2`k`1XeE?$d`kOV zUvKe!X96drXsowME}xQ8o@v0qoYb{PoW|Z77Xi=UeuK8w^cIIA@c@UWEGmFY30SS| zI};8AF33@Rd)t1n^{~B<^A@A%3XDvs!UKUZz@DV*ANB}vA&*B-)~v*)FUcl}OM>Ts zCtS_3w(PQBD$s*ng&a|7(l(w6R}gd4H3O{o*xDAB`1DPHLJXUlkf^$PL?jyq1Cw)D z@15NXOT@JZ3GkBlxBPSh?$!34>4HU_3Tta|%|aG4^2#rfoW)8u^Z~}_wC??}4BT0n zPhPq4Y(FbspMO%_V!qYAg|onHDDUDRGODY`U_wp0qeDG zXG&{_UzZs%jQ|E9@gg6>&y1pbCo8PYJ=e*&^MX%mq2jw{u|h?aJtZ&kcYr&AvB+xM z#cX|g`x+$ZkZ*k2=0kRSNCBTlj$G{OnGqV1w5q?;_UsMaOj#N-+BpM4LW^h1v%qK4 z5tfLnGm@X`Jp4FTeLpaTfH$-)=Zf*bU8J95ILZj97w}#>!rCmbk-&9iml^RjU}|V2 zUBy?%0{7y7gyR#bn{_o3$<*VQnq4UP!FCqk#jlPiwj! zIehs5aBpZ{VkHk8g)DsKEy2aH5E8XHHDPTnvU*?-B#iK2U>C$Czxx&j-iWN~EjRO~ z7lDPq0^_%+7!J9pa$`% zXf8;(P9Ld~HKj!C%>^ot>0?#0qze+hySZTHJ$g5gcdZlxMUlC~;|z>_t6QIi(^i0KF{52`6u&n6WX^fW!vk){jp zr0qh9NjKn)Y7|y`WEJl;57ybG%qIK~X`4np$VDoWPunpa`fB0(lEM^D)* z1?#c0@Vux&mc_3GKCRDB@sth7w#`P{UL#G$An7N6tD;gor#&%NozoIlFC;J19Aptf zQSyLwY{xX_SO){Mv5e2AC>dfM!zAe*>kQLNsi+j+nGf6!tli?@R{L1dbATrFT#uG~ zlu4%D_62?gyc4I#N@`Vb5-vaEFRY zQQQjaYe*O5> zQb1-SL5`deWrKJKvKg#-i*s#MWgscEiYTxxjS$T5`s%@m|VHl2W8g)Z|cK{TxQ0w`A)zuRA7meM@b>+*>VhV6R;SDCl7K7-BWdf$}(XMHHv<)RFq zTP@;#_NYDwnvtxbUa>+SigkGvKk_Dz2If`yvl!%)sJf{*Vi#YWmTQsNkE^TnIqa0S zvBS`baC}blq#jMc4}m>_KUU#$_{b+=^;BKN<_P@qT6q;X1egMRP-Uxv-Uw?4)kSRT zfnz`%tdRw4A;aIuq^<-UqCCO z7I@6_dw9V&VST82aK->&R6+0Ud5`P10r-b+!dkC-aLSZ|-q))h*X`vj7Guf@YprU* zDdS1@j8;}OdR(_fS$t_ZVQo+?IJfsD1-!4-9@lNYkHT7`T5!%u$a1y{D;*a4D6Dm= z1LxEsQG#k!SgG)w_E^=!0l?V>x*u2V?U>hG z=&P{O7z(~$#R68(7NHrK)#BfpfG1;KcfPN}N`u8fyDDr<|E4(mgmLFsPt*F*j-@f} zyUbT%bxENPPgL=oLJ?*sFcn#twFiFifto#Fl8j%-FwB3&<&hbh)dsBMqc4BQjaTh&=!_kA)xj$ck# zNd}tyUnC99;EeA5ZQwiR|7QVTAieWv_Y`bcYr7vekG5C-;zYK3&WP4qVf9Yvdp|^u za}Ot*n87`N1e`$Y zn~yV*06IzXM~dfz+28RnkeE}11-=_Bsmv53&Gm04-Do{4DIa&D9g^ujsXAOm@%WpC z9sU$@y*lFMUmobQv3e%du(r%}@lcAQT1w^1w>^<1;3VpCV!=dJ3#_uR!;~_^KwJC1 z?YqJDNuW_}Y|+IpNl8@CAxW{Lu)kT%a9x)@3nr{REo`u!@U5J$#IWzZzPxSPB8fy@ zKW6jBT|Ma}1A7n&{QqXe&pic9bzGPAc$8e)5uda8%)^9duHP?4eZ1cvywLHRdN~qm zxx}YZ=&5cYo`Y`<@QB0uETDMYX<>(x%Um-~V)Bu`8|+5Mjr{Z$*B_U#sBXZ`QvLuW zw~~uGO)r?JY7h_dC^lF__=a-t820@L@!0U1-#TpMb6Yg>j==aoW1kZaI0ln~*(`q<7nQiTU}4f{AJ%;+YeLSxDriFbMUe~ z63>Ozo8-eBq{&2!&&)3K`@X=C76esF&s6&pb6op9< z|9+VnI)-t0jQYF-yqE{W*?JeBO)`$FTb9+pp()$rKHRu;6`|L%ak{;^g6sZSOi0J7huQ5h%pJ07gB1h=wq--Y_%eXyF1L#m?y;bSO6h=p2OpH1`nI{7-jPS?2cT#;_yBm!CiKaw5dZ<<3!zGEcdbpnsXB# z5&R~PUH?yM+mqld+#fAzS+2*Agb5uZ4vnLfsX1v2!;yWcsP{Lh%ys+6wBOhAD6B4K zVpzI~CeyW-hB1pt&PC}=&up=sS$s(1e)G^c{%CPuuT^l}Gh^EB_`I$H)gaji$FOyr zf(FYsSh?~JexF;K46MMtTh=I#@41)dv%a;0YyTvs?WR#Mh9n@WMHw$rR7!8tbGy9v zH%T_~a2!5wc~6zhA>-QduA&L+2*(ZUe$vUu<&yJoyCHs?r}ufH<^5E$^7#bu54IMH zvm7?4Ysqg`$B{^=Y8Q5BB3^_dpM=#&Wy|2db}%2W^UYv!*8g32Bdh{WL1IeeHT%X~ zBd*1c=CiJX;JBpG;xh{<@68VJy=dx*@5|{GH^qF@%tIm|6@~3_7bnEGl`fmp!j+zn zY9M~#)?wja!>$eA9#@_d`FuWh}=I4;#l|S3JXxzw7KBfGri8vRs@!|WjrJXhuWopq7 z@y1^#KXEi%GMadKp4JdOOG=VN3D7y;;`$wt6X-U!+Per1W&qLlX2wvx9EG?n6=BnO zWQ2OJ2Rd1N$1Rq2I;9AWB}(qBStysq5Y`4@cTeu4KH^KlChF2;OFR9jC~x6P-&%uI zSJWVRy5jgy`VucA%A(9=mUGjpb!|GGDs_;IL3iXBMV!zCml7|VybGcnN_^OIUTW(O zwh;IMaAaQR^iwOm+0m+}tvD#=e5+LMCYw{$?SXX>>bZ_^$LbnnKXiA*srx4E@)@^v z6z6H+8|34}1R%TWmF&aRs+K;+)wnxileSBk&2so{=7n-LFw@lgJ>spFMlG8VPobf{ zH;!Lba5HzRhT2>Jc-~Qi`8Se;JZU}&e3y7`M?RD$-~l{Nr&>u+k@HkTZL*)EAz`z5 z^Cy)QVkqLu)Rc2UwUzyGGO~B(4V5Gu+gJ4y$_=Anc1(iCd3Ix%BoiAKV24&Ew-zUE3eKnM2SSAd&*=MR`v+dae3aJmW zk8>BW)C?Kc5I^tLKQidyyOQ6;3~4{}dyykgk&@!sM7JroDY=Q_96alSq^+5R1QBiR zMbu5(U*Q=8{1x~gDU>V09=RLoLgGbFaN?}DD)#M{L(xGs^0}T2}$Gm zVhjVf_2%jc9EbP@&Y}F?pO*ZUb%^tDY${C<=3CC99nCWH`M^EETMms|T9R!Cd=|I@ z34yjr8(vkERkRW%D(WWKVk$ehxDj#OT$++_wnvU1^gtr?4n*RH4>tcza%j37$v!fG zV#Z2T%CiKCx$%LGu=*peE|oGJ2_0=qFSCd+(3I|o*GD&G|ERO+Eqan{LUBc@ggcM} zz>)cq#p+4ay^?w)D99Y#d4Frsl2$p~Mp!?v_@ZxCcsHAGRO a()j;X%($zc4fA;b0000 Date: Tue, 1 May 2018 21:54:28 +0200 Subject: [PATCH 18/26] XXE lesson not showing correct link for WebWolf --- .../org/owasp/webgoat/asciidoc/WebWolfMacro.java | 14 ++++++++++++++ .../java/org/owasp/webgoat/users/UserTracker.java | 1 + .../main/resources/lessonPlans/en/XXE_blind.adoc | 11 +++++------ .../lessonPlans/en/XXE_blind_assignment.adoc | 2 +- 4 files changed, 21 insertions(+), 7 deletions(-) diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java b/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java index 88b2ab5fb..7f81d63d1 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java @@ -10,6 +10,12 @@ import org.springframework.web.context.request.ServletRequestAttributes; import javax.servlet.http.HttpServletRequest; import java.util.Map; +/** + * Usage in asciidoc: + *

+ * webWolfLink:here[] will display a href with here as text + * webWolfLink:landing[noLink] will display the complete url, for example: http://WW_HOST:WW_PORT/landing + */ public class WebWolfMacro extends InlineMacroProcessor { public WebWolfMacro(String macroName, Map config) { @@ -20,9 +26,17 @@ public class WebWolfMacro extends InlineMacroProcessor { protected String process(AbstractBlock parent, String target, Map attributes) { Environment env = EnvironmentExposure.getEnv(); String hostname = determineHost(env.getProperty("webwolf.host"), env.getProperty("webwolf.port")); + + if (displayCompleteLinkNoFormatting(attributes)) { + return hostname + (hostname.endsWith("/") ? "" : "/") + target; + } return "" + target + ""; } + private boolean displayCompleteLinkNoFormatting(Map attributes) { + return attributes.values().stream().filter(a -> a.equals("noLink")).findFirst().isPresent(); + } + /** * Look at the remote address from received from the browser first. This way it will also work if you run * the browser in a Docker container and WebGoat on your local machine. diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserTracker.java b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserTracker.java index 3cc8ce19c..1cc4920ea 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserTracker.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserTracker.java @@ -52,6 +52,7 @@ public class UserTracker { @Id @GeneratedValue(strategy = GenerationType.AUTO) private Long id; + @Column(name = "username") private String user; @OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER) private Set lessonTrackers = Sets.newHashSet(); diff --git a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc index c8114bc1c..72c9e4886 100644 --- a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc +++ b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc @@ -1,4 +1,3 @@ - == Blind XXE In some cases you will see no output because although your attack might have worked the field is not reflected in the output of page. @@ -6,25 +5,25 @@ Or the resource you are trying to read contains illegal XML character which caus Let's start with an example, in this case we reference an external DTD which we control on our own server. As an attacker you have WebWolf under your control (*this can be any server under your control.*), you can for example -use this server to ping it using `http://localhost:8081/ping?text=HelloWorld +use this server to ping it using `webWolfLink:landing[noLink]` How do we use this endpoint to verify whether we can perform XXE? We can again use WebWolf to host a file called `attack.dtd`, create this file with the following contents: -[source] +[source, subs="macros, specialcharacters"] ---- - + ---- Now submit the form change the xml using to: -[source] +[source, subs="macros, specialcharacters"] ---- + %remote; ]> diff --git a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc index 2faeff57b..dd5ae4194 100644 --- a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc +++ b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc @@ -18,6 +18,6 @@ DTD. |`/home/webgoat/.webgoat-webGoatVersion:version[]/XXE/secret.txt` |=== -Try to upload this file using WebWolf landing page for example: `http://localhost:8081/WebWolf/landing?text=[contents_file]` +Try to upload this file using WebWolf landing page for example: `webWolfLink:landing?text=contents_file[noLink]` (NOTE: this endpoint is under your full control) Once you obtained the contents of the file post it as a new comment on the page and you will solve the lesson. \ No newline at end of file From 0e160c19f5b047c4f416548dacca74852c5eb166 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Tue, 1 May 2018 21:58:43 +0200 Subject: [PATCH 19/26] Docker-compose for postgres and hsqldb --- docker-compose-postgres.yml | 35 +++++++++++++++++++++++++++++++++++ docker-compose.yml | 29 +++++++++++++++++++++-------- webgoat-server/pom.xml | 5 +++++ webwolf/pom.xml | 5 +++++ 4 files changed, 66 insertions(+), 8 deletions(-) create mode 100644 docker-compose-postgres.yml diff --git a/docker-compose-postgres.yml b/docker-compose-postgres.yml new file mode 100644 index 000000000..7ecc68403 --- /dev/null +++ b/docker-compose-postgres.yml @@ -0,0 +1,35 @@ +version: '2.0' + +services: + webgoat: + image: webgoat/webgoat-8.0 + user: webgoat + environment: + - WEBWOLF_HOST=webwolf + - spring.datasource.url=jdbc:postgresql://webgoat_db:5432/webgoat + - spring.datasource.username=webgoat + - spring.datasource.password=webgoat + - spring.datasource.driver-class-name=org.postgresql.Driver + - spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL94Dialect + ports: + - "8080:8080" + webwolf: + image: webgoat/webwolf + environment: + - spring.datasource.url=jdbc:postgresql://webgoat_db:5432/webgoat + - spring.datasource.username=webgoat + - spring.datasource.password=webgoat + - spring.datasource.driver-class-name=org.postgresql.Driver + - spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL94Dialect + ports: + - "8081:8081" + db: + container_name: webgoat_db + image: postgres:latest + environment: + - POSTGRES_PASSWORD=webgoat + - POSTGRES_USER=webgoat + - POSTGRES_DB=webgoat + ports: + - "5432:5432" + diff --git a/docker-compose.yml b/docker-compose.yml index 9b0769407..8d2bcdee3 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,15 +1,28 @@ -version: '2.0' +version: '2.1' services: webgoat: - build: webgoat-server/ - command: "sh /home/webgoat/start.sh" + image: webgoat/webgoat-8.0 + environment: + - WEBWOLF_HOST=webwolf + - spring.datasource.url=jdbc:hsqldb:hsql://webgoat_db:9001/webgoat ports: - "8080:8080" - webwolf: - build: webwolf/ - command: "sh /home/webwolf/start.sh" depends_on: - - webgoat + - db + webwolf: + image: webgoat/webwolf + environment: + - spring.datasource.url=jdbc:hsqldb:hsql://webgoat_db:9001/webgoat ports: - - "8081:8081" \ No newline at end of file + - "8081:8081" + depends_on: + - db + db: + image: blacklabelops/hsqldb + container_name: webgoat_db + environment: + - HSQLDB_TRACE=false + - HSQLDB_SILENT=true + - HSQLDB_DATABASE_NAME=webgoat + - HSQLDB_DATABASE_ALIAS=webgoat diff --git a/webgoat-server/pom.xml b/webgoat-server/pom.xml index e0449ece4..483c3a0b6 100644 --- a/webgoat-server/pom.xml +++ b/webgoat-server/pom.xml @@ -198,6 +198,11 @@ spring-boot-devtools true + + org.postgresql + postgresql + 42.2.2 + diff --git a/webwolf/pom.xml b/webwolf/pom.xml index 2b606b952..ee2728a35 100644 --- a/webwolf/pom.xml +++ b/webwolf/pom.xml @@ -78,6 +78,11 @@ hsqldb ${hsqldb.version} + + org.postgresql + postgresql + 42.2.2 + From 6b4a488c8cbc290a3c0b381013b0a300f2eb637e Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Tue, 1 May 2018 22:00:07 +0200 Subject: [PATCH 20/26] Users shared now between WebGoat and WebWolf by starting HSQLDB as standalone database --- pom.xml | 2 +- .../src/main/resources/application.properties | 5 +- webgoat-server/Dockerfile | 5 +- .../owasp/webgoat/HSQLDBDatabaseConfig.java | 51 +++++++++++++++++++ .../java/org/owasp/webgoat/StartWebGoat.java | 3 -- .../webwolf/mailbox/MailboxController.java | 3 +- .../src/main/resources/application.properties | 3 +- .../src/main/resources/templates/login.html | 2 +- 8 files changed, 63 insertions(+), 11 deletions(-) create mode 100644 webgoat-server/src/main/java/org/owasp/webgoat/HSQLDBDatabaseConfig.java diff --git a/pom.xml b/pom.xml index 170e98a18..4b75535ed 100644 --- a/pom.xml +++ b/pom.xml @@ -135,7 +135,7 @@ 2.2.4 18.0 1.4.190 - 2.3.2 + 2.3.4 1.3.1 2.6.3 2.6.3 diff --git a/webgoat-container/src/main/resources/application.properties b/webgoat-container/src/main/resources/application.properties index 440619b2d..35b177ddd 100644 --- a/webgoat-container/src/main/resources/application.properties +++ b/webgoat-container/src/main/resources/application.properties @@ -5,8 +5,10 @@ server.contextPath=/WebGoat server.port=8080 server.address=127.0.0.1 -spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/data/webgoat +spring.datasource.url=jdbc:hsqldb:hsql://localhost:9001/webgoat spring.jpa.hibernate.ddl-auto=update +spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect +spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver logging.level.org.springframework=WARN @@ -20,6 +22,7 @@ security.enable-csrf=false spring.resources.cache-period=0 spring.thymeleaf.cache=false +webgoat.start.hsqldb=true webgoat.clean=false webgoat.server.directory=${user.home}/.webgoat-${webgoat.build.version}/ webgoat.user.directory=${user.home}/.webgoat-${webgoat.build.version}/ diff --git a/webgoat-server/Dockerfile b/webgoat-server/Dockerfile index e022e1a4a..860bb1b3f 100644 --- a/webgoat-server/Dockerfile +++ b/webgoat-server/Dockerfile @@ -4,12 +4,11 @@ ARG webgoat_version=8.0-SNAPSHOT RUN \ apt-get update && apt-get install && \ - useradd --home-dir /home/webgoat --create-home -U webgoat && \ - cd /home/webgoat/; mkdir -p .webgoat + useradd --home-dir /home/webgoat --create-home -U webgoat USER webgoat +RUN cd /home/webgoat/; mkdir -p .webgoat-${webgoat_version} COPY target/webgoat-server-${webgoat_version}.jar /home/webgoat/webgoat.jar ENTRYPOINT ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar", "/home/webgoat/webgoat.jar", "--server.address=0.0.0.0"] - EXPOSE 8080 \ No newline at end of file diff --git a/webgoat-server/src/main/java/org/owasp/webgoat/HSQLDBDatabaseConfig.java b/webgoat-server/src/main/java/org/owasp/webgoat/HSQLDBDatabaseConfig.java new file mode 100644 index 000000000..fe42f1c97 --- /dev/null +++ b/webgoat-server/src/main/java/org/owasp/webgoat/HSQLDBDatabaseConfig.java @@ -0,0 +1,51 @@ +package org.owasp.webgoat; + +import org.hsqldb.server.Server; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; +import org.springframework.boot.autoconfigure.jdbc.DataSourceBuilder; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.DependsOn; +import org.springframework.context.annotation.Primary; + +import javax.sql.DataSource; + + +/** + * Rationale for this class: when the HSQLDB is started with jdbc:file:// it is only accessible from within the same + * JVM. This can only be done if you start a standalone HSQLDB. We need both WebWolf and WebGoat to use the same database + */ +@Configuration +@ConditionalOnProperty(prefix = "webgoat.start", name = "hsqldb", havingValue = "true") +public class HSQLDBDatabaseConfig { + + @Value("${hsqldb.port:9001}") + private int hsqldbPort; + + @Bean(initMethod = "start", destroyMethod = "stop") + public Server hsqlStandalone(@Value("${webgoat.server.directory}") String directory, + @Value("${hsqldb.silent:true}") boolean silent, + @Value("${hsqldb.trace:false}") boolean trace) { + + Server server = new Server(); + server.setDatabaseName(0, "webgoat"); + server.setDatabasePath(0, directory + "/data/webgoat"); + server.setDaemon(true); + server.setTrace(trace); + server.setSilent(silent); + server.setPort(hsqldbPort); + return server; + } + + @Primary + @Bean + @DependsOn("hsqlStandalone") + public DataSource dataSource(@Value("${spring.datasource.driver-class-name}") String driverClass, + @Value("${spring.datasource.url}") String url) { + return DataSourceBuilder.create() + .driverClassName(driverClass) + .url(url) + .build(); + } +} diff --git a/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java b/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java index a615d5b74..34bde941a 100644 --- a/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java +++ b/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java @@ -37,7 +37,4 @@ public class StartWebGoat { public static void main(String[] args) { SpringApplication.run(WebGoat.class, args); } - - - } diff --git a/webwolf/src/main/java/org/owasp/webwolf/mailbox/MailboxController.java b/webwolf/src/main/java/org/owasp/webwolf/mailbox/MailboxController.java index b4f149db2..169b5f189 100644 --- a/webwolf/src/main/java/org/owasp/webwolf/mailbox/MailboxController.java +++ b/webwolf/src/main/java/org/owasp/webwolf/mailbox/MailboxController.java @@ -8,6 +8,7 @@ import org.springframework.http.HttpStatus; import org.springframework.http.ResponseEntity; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.userdetails.User; +import org.springframework.security.core.userdetails.UserDetails; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.RequestBody; @@ -30,7 +31,7 @@ public class MailboxController { @GetMapping(value = "/WebWolf/mail") public ModelAndView mail() { - User user = (User) SecurityContextHolder.getContext().getAuthentication().getPrincipal(); + UserDetails user = (UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal(); ModelAndView modelAndView = new ModelAndView(); List emails = mailboxRepository.findByRecipientOrderByTimeDesc(user.getUsername()); if (emails != null && !emails.isEmpty()) { diff --git a/webwolf/src/main/resources/application.properties b/webwolf/src/main/resources/application.properties index abc2a98e9..6ee162172 100644 --- a/webwolf/src/main/resources/application.properties +++ b/webwolf/src/main/resources/application.properties @@ -6,7 +6,8 @@ server.port=8081 server.address=127.0.0.1 server.session.cookie.name = WEBWOLFSESSION -spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/data/webwolf +spring.datasource.url=jdbc:hsqldb:hsql://localhost:9001/webgoat +spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect spring.jpa.hibernate.ddl-auto=update spring.messages.basename=i18n/messages diff --git a/webwolf/src/main/resources/templates/login.html b/webwolf/src/main/resources/templates/login.html index 755831691..f651a437f 100644 --- a/webwolf/src/main/resources/templates/login.html +++ b/webwolf/src/main/resources/templates/login.html @@ -45,7 +45,7 @@

-
+
From a1db8e8bd9ab1788a143fe968046b874040d0865 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Wed, 2 May 2018 09:29:52 +0200 Subject: [PATCH 21/26] Added documentation how to mount the data directory of WebGoat running in Docker to your host system. --- README.MD | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/README.MD b/README.MD index 32bd67755..d0ff4809e 100644 --- a/README.MD +++ b/README.MD @@ -40,6 +40,15 @@ docker pull webgoat/webgoat-8.0 docker run -p 8080:8080 -it webgoat/webgoat-8.0 /home/webgoat/start.sh ``` +If you want to keep the database between Docker sessions you need to map the WebGoat data directory to a +folder on the host system as follows: + +```Shell +docker run -p 8080:8080 -it -v /tmp/webgoat-data:/home/webgoat/.webgoat-${VERSION} webgoat/webgoat-8.0 /home/webgoat/start.sh +``` + +where `${VERSION}` is for example `v8.0.0.M14`. The data will now be stored in `/tmp/webgoat-data` on your host system. + Wait for the Docker container to start, and run `docker ps` to verify it's running. - If you are using `docker-machine`, verify the machine IP using `docker-machine env` From 6209b3fe8d576446dabae165df26388ad23eb90b Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Wed, 2 May 2018 21:25:44 +0200 Subject: [PATCH 22/26] Updated lesson for starting WebWolf as a Docker container --- .../resources/lessonPlans/en/IntroductionWebWolf.adoc | 10 ++++++++-- webwolf/src/main/resources/application.properties | 2 +- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc b/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc index 7bfdf1524..0bbd39bc1 100644 --- a/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc +++ b/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc @@ -30,12 +30,18 @@ are not using the Docker image you will need to download the jar file and start java -jar webwolf-<>.jar ``` -WebWolf is also available as a Docker container: +WebWolf is also available as a Docker container, because it shares the database with WebGoat we first need +to find out the ip address of the Docker container. ``` +WEBGOAT_SERVER_ADDRESS=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" `docker ps | grep webgoat | awk '{print $1}'`) docker pull webgoat/webwolf -docker run -it -p 8081:8081 webgoat/webwolf /home/webwolf/run.sh +docker run -e webgoat.server.address=${WEBGOAT_SERVER_ADDRESS} -it -p 8081:8081 webgoat/webwolf /home/webwolf/run.sh ``` +Note: if you start WebGoat as standalone application you need to start WebWolf as standalone application as well. If +you start WebGoat as Docker container you need to start WebWolf as Docker container as well. + + This will start the application on port 8081, click webWolfLink:here[] to open WebWolf. First thing you need to do is register a new user within WebWolf. \ No newline at end of file diff --git a/webwolf/src/main/resources/application.properties b/webwolf/src/main/resources/application.properties index 6ee162172..2d8f6dded 100644 --- a/webwolf/src/main/resources/application.properties +++ b/webwolf/src/main/resources/application.properties @@ -6,7 +6,7 @@ server.port=8081 server.address=127.0.0.1 server.session.cookie.name = WEBWOLFSESSION -spring.datasource.url=jdbc:hsqldb:hsql://localhost:9001/webgoat +spring.datasource.url=jdbc:hsqldb:hsql://${webgoat.server.address:localhost}:9001/webgoat spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect spring.jpa.hibernate.ddl-auto=update spring.messages.basename=i18n/messages From 84e3fcde07d5d67409dde1afbd719e0a03a800ba Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Wed, 2 May 2018 21:34:17 +0200 Subject: [PATCH 23/26] Added .sonatype (author: @maurycupitt) --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index fb3ff0300..917e56a8c 100644 --- a/.gitignore +++ b/.gitignore @@ -42,3 +42,4 @@ webgoat-lessons/**/target **/.DS_Store webgoat-server/mongo-data/* webgoat-lessons/vulnerable-components/dependency-reduced-pom.xml +/.sonatype \ No newline at end of file From 9aa674e326d6d51b4bd20fe5c789bea1571e2d00 Mon Sep 17 00:00:00 2001 From: miig Date: Wed, 14 Mar 2018 21:53:57 +0100 Subject: [PATCH 24/26] stringfy object so it's visible in the console --- .../src/main/resources/static/js/goatApp/view/GoatRouter.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webgoat-container/src/main/resources/static/js/goatApp/view/GoatRouter.js b/webgoat-container/src/main/resources/static/js/goatApp/view/GoatRouter.js index 54aa52828..84a23334f 100644 --- a/webgoat-container/src/main/resources/static/js/goatApp/view/GoatRouter.js +++ b/webgoat-container/src/main/resources/static/js/goatApp/view/GoatRouter.js @@ -67,7 +67,7 @@ define(['jquery', contentType: 'application/x-www-form-urlencoded; charset=UTF-8', success: function (data) { //devs leave stuff like this in all the time - console.log('phone home said ' + data); + console.log('phone home said ' + JSON.stringify(data)); } }); } From 5d28ef9fbe96cd6fa56ca8905eff3cc410804ec8 Mon Sep 17 00:00:00 2001 From: miig Date: Wed, 14 Mar 2018 21:52:18 +0100 Subject: [PATCH 25/26] small fix for CSRF content type lesson descrption --- .../src/main/resources/lessonPlans/en/CSRF_ContentType.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_ContentType.adoc b/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_ContentType.adoc index 3e9f217c6..735e320bc 100644 --- a/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_ContentType.adoc +++ b/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_ContentType.adoc @@ -8,11 +8,11 @@ In this assignment you need to achieve to POST the following JSON message to our [source] ---- -POST /csrf/feedback HTTP/1.1 +POST /csrf/feedback/message HTTP/1.1 { "name" : "WebGoat", - "email" : "webgoat@webgoat.org" + "email" : "webgoat@webgoat.org", "content" : "WebGoat is the best!!" } ---- From 6a5ca43e7e25e1967eb8d9916c5c238adc70e117 Mon Sep 17 00:00:00 2001 From: pjhggns Date: Fri, 2 Mar 2018 12:20:08 -0800 Subject: [PATCH 26/26] Strip out slash-escaped JSON sequence received in client. The server will slash-escape some JSON related characters before sending. Need to strip them out before using, on the client side. --- .../static/js/goatApp/view/LessonContentView.js | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js b/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js index d246b8110..3fca490f0 100644 --- a/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js +++ b/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js @@ -151,14 +151,23 @@ define(['jquery', return false; }, + removeSlashesFromJSON: function(str) { + // slashes are leftover escapes from JSON serialization by server + // for every two char sequence starting with backslash, + // replace them in the text with second char only + return str.replace(/\\(.)/g, "$1"); + }, + renderFeedback: function(feedback) { - this.$curFeedback.html(polyglot.t(feedback) || ""); + var s = this.removeSlashesFromJSON(feedback); + this.$curFeedback.html(polyglot.t(s) || ""); this.$curFeedback.show(400) }, renderOutput: function(output) { - this.$curOutput.html(polyglot.t(output) || ""); + var s = this.removeSlashesFromJSON(output); + this.$curOutput.html(polyglot.t(s) || ""); this.$curOutput.show(400) },