From 93620f148bb8113768a2d58979cc6f43710dbe7a Mon Sep 17 00:00:00 2001 
From: Nanne Baars
Date: Wed, 30 May 2018 16:46:50 +0200
Subject: [PATCH] Remove challenges which are also incorporated in the lessons themselves
---
 .../webgoat/plugin/SolutionConstants.java | 2 -
 .../plugin/challenge3/Assignment3.java | 150 ----------------
 .../webgoat/plugin/challenge3/Challenge3.java | 39 -----
 .../webgoat/plugin/challenge3/Comment.java | 24 ---
 .../plugin/challenge4/Assignment4.java | 17 --
 .../webgoat/plugin/challenge4/Challenge4.java | 39 -----
 .../webgoat/plugin/challenge4/Views.java | 16 --
 .../owasp/webgoat/plugin/challenge4/Vote.java | 49 ------
 .../plugin/challenge4/VotesEndpoint.java | 124 --------------
 .../src/main/resources/css/challenge3.css | 75 --------
 .../src/main/resources/css/challenge4.css | 12 --
 .../src/main/resources/html/Challenge3.html | 72 --------
 .../src/main/resources/html/Challenge4.html | 75 --------
 .../resources/i18n/WebGoatLabels.properties | 1 -
 .../src/main/resources/images/cat.jpg | Bin 9095 -> 0 bytes
 .../src/main/resources/js/challenge3.js | 45 -----
 .../src/main/resources/js/challenge4.js | 84 ---------
 .../resources/lessonPlans/en/Challenge_3.adoc | 1 -
 .../resources/lessonPlans/en/Challenge_4.adoc | 1 -
 .../plugin/challenge4/VotesEndpointTest.java | 161 ------------------
 20 files changed, 987 deletions(-)
 delete mode 100644 webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Assignment3.java
 delete mode 100644 webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Challenge3.java
 delete mode 100644 webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Comment.java
 delete mode 100644 webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Assignment4.java
 delete mode 100644 webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Challenge4.java
 delete mode 100644 webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Views.java
 delete mode 100644 webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Vote.java
 delete mode 100644 webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/VotesEndpoint.java
 delete mode 100644 webgoat-lessons/challenge/src/main/resources/css/challenge3.css
 delete mode 100644 webgoat-lessons/challenge/src/main/resources/css/challenge4.css
 delete mode 100644 webgoat-lessons/challenge/src/main/resources/html/Challenge3.html
 delete mode 100644 webgoat-lessons/challenge/src/main/resources/html/Challenge4.html
 delete mode 100644 webgoat-lessons/challenge/src/main/resources/images/cat.jpg
 delete mode 100644 webgoat-lessons/challenge/src/main/resources/js/challenge3.js
 delete mode 100644 webgoat-lessons/challenge/src/main/resources/js/challenge4.js
 delete mode 100644 webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_3.adoc
 delete mode 100644 webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_4.adoc
 delete mode 100644 webgoat-lessons/challenge/src/test/java/org/owasp/webgoat/plugin/challenge4/VotesEndpointTest.java
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/SolutionConstants.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/SolutionConstants.java
index 333d29b2c..79881e6e4 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/SolutionConstants.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/SolutionConstants.java
@@ -11,7 +11,5 @@ public interface SolutionConstants {
 //TODO should be random generated when starting the server
 String PASSWORD = "!!webgoat_admin_1234!!";
 String PASSWORD_TOM = "thisisasecretfortomonly";
- String PASSWORD_LARRY = "larryknows";
- String JWT_PASSWORD = "victory";
 String ADMIN_PASSWORD_LINK = "375afe1104f4a487a73823c50a9292a2";
 }
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Assignment3.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Assignment3.java
deleted file mode 100644
index 2fd355bd3..000000000
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Assignment3.java
+++ /dev/null
@@ -1,150 +0,0 @@
-package org.owasp.webgoat.plugin.challenge3;
-
-import com.beust.jcommander.internal.Lists;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.google.common.collect.EvictingQueue;
-import com.google.common.collect.Maps;
-import com.google.common.io.Files;
-import lombok.SneakyThrows;
-import lombok.extern.slf4j.Slf4j;
-import org.joda.time.DateTime;
-import org.joda.time.format.DateTimeFormat;
-import org.joda.time.format.DateTimeFormatter;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentPath;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.plugin.Flag;
-import org.owasp.webgoat.session.WebSession;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.http.MediaType;
-import org.springframework.web.bind.annotation.RequestBody;
-import org.springframework.web.bind.annotation.RequestHeader;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
-
-import javax.annotation.PostConstruct;
-import javax.xml.bind.JAXBContext;
-import javax.xml.bind.Unmarshaller;
-import javax.xml.stream.XMLInputFactory;
-import javax.xml.stream.XMLStreamReader;
-import java.io.File;
-import java.io.IOException;
-import java.io.StringReader;
-import java.nio.charset.Charset;
-import java.util.Collection;
-import java.util.Map;
-
-import static org.springframework.http.MediaType.ALL_VALUE;
-import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
-import static org.springframework.web.bind.annotation.RequestMethod.GET;
-import static org.springframework.web.bind.annotation.RequestMethod.POST;
-
-/**
- * @author nbaars
- * @since 4/8/17.
- */
-@AssignmentPath("/challenge/3")
-@Slf4j
-public class Assignment3 extends AssignmentEndpoint {
-
- @Value("${webgoat.server.directory}")
- private String webGoatHomeDirectory;
- @Autowired
- private WebSession webSession;
- private static DateTimeFormatter fmt = DateTimeFormat.forPattern("yyyy-MM-dd, HH:mm:ss");
-
- private static final Map> userComments = Maps.newHashMap();
- private static final EvictingQueue comments = EvictingQueue.create(100);
- private static final String secretContents = "Congratulations you may now collect your flag";
-
- static {
- comments.add(new Comment("webgoat", DateTime.now().toString(fmt), "Silly cat...."));
- comments.add(new Comment("guest", DateTime.now().toString(fmt), "I think I will use this picture in one of my projects."));
- comments.add(new Comment("guest", DateTime.now().toString(fmt), "Lol!! :-)."));
- }
-
- @PostConstruct
- @SneakyThrows
- public void copyFile() {
- File targetDirectory = new File(webGoatHomeDirectory);
- if (!targetDirectory.exists()) {
- targetDirectory.mkdir();
- }
- log.info("Copied secret.txt to: {}", targetDirectory);
- Files.write(secretContents, new File(targetDirectory, "secret.txt"), Charset.defaultCharset());
- }
-
- @RequestMapping(method = GET, produces = MediaType.APPLICATION_JSON_VALUE)
- @ResponseBody
- public Collection retrieveComments() {
- Collection allComments = Lists.newArrayList();
- Collection xmlComments = userComments.get(webSession.getUserName());
- if (xmlComments != null) {
- allComments.addAll(xmlComments);
- }
- allComments.addAll(comments);
- return allComments;
- }
-
- @RequestMapping(method = POST, consumes = ALL_VALUE, produces = APPLICATION_JSON_VALUE)
- @ResponseBody
- public AttackResult createNewComment(@RequestBody String commentStr, @RequestHeader("Content-Type") String contentType) throws Exception {
- Comment comment = null;
- AttackResult attackResult = failed().build();
- if (APPLICATION_JSON_VALUE.equals(contentType)) {
- comment = parseJson(commentStr);
- comment.setDateTime(DateTime.now().toString(fmt));
- comment.setUser(webSession.getUserName());
- comments.add(comment);
- }
- if (MediaType.APPLICATION_XML_VALUE.equals(contentType)) {
- //Do not show these comments to all users
- comment = parseXml(commentStr);
- comment.setDateTime(DateTime.now().toString(fmt));
- comment.setUser(webSession.getUserName());
- EvictingQueue comments = userComments.getOrDefault(webSession.getUserName(), EvictingQueue.create(100));
- comments.add(comment);
- userComments.put(webSession.getUserName(), comments);
- }
- if (checkSolution(comment)) {
- attackResult = success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(3)).build();
- }
- return attackResult;
- }
-
- private boolean checkSolution(Comment comment) {
- if (comment.getText().contains(secretContents)) {
- comment.setText("Congratulations to " + webSession.getUserName() + " for finding the flag!! Check your original response where you posted the XXE attack ");
- comments.add(comment);
- return true;
- }
- return false;
- }
-
- public static Comment parseXml(String xml) throws Exception {
- JAXBContext jc = JAXBContext.newInstance(Comment.class);
-
- XMLInputFactory xif = XMLInputFactory.newFactory();
- xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, true);
- xif.setProperty(XMLInputFactory.IS_VALIDATING, false);
-
- xif.setProperty(XMLInputFactory.SUPPORT_DTD, true);
- XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(xml));
-
- Unmarshaller unmarshaller = jc.createUnmarshaller();
- return (Comment) unmarshaller.unmarshal(xsr);
- }
-
- private Comment parseJson(String comment) {
- ObjectMapper mapper = new ObjectMapper();
- try {
- return mapper.readValue(comment, Comment.class);
- } catch (IOException e) {
- return new Comment();
- }
- }
-
-
-}
-
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Challenge3.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Challenge3.java
deleted file mode 100644
index 91a05d4ea..000000000
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Challenge3.java
+++ /dev/null
@@ -1,39 +0,0 @@
-package org.owasp.webgoat.plugin.challenge3;
-
-import com.google.common.collect.Lists;
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.NewLesson;
-
-import java.util.List;
-
-/**
- * @author nbaars
- * @since 3/21/17.
- */
-public class Challenge3 extends NewLesson {
-
- @Override
- public Category getDefaultCategory() {
- return Category.CHALLENGE;
- }
-
- @Override
- public List getHints() {
- return Lists.newArrayList();
- }
-
- @Override
- public Integer getDefaultRanking() {
- return 10;
- }
-
- @Override
- public String getTitle() {
- return "challenge3.title";
- }
-
- @Override
- public String getId() {
- return "Challenge3";
- }
-}
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Comment.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Comment.java
deleted file mode 100644
index 0ea3e0d07..000000000
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Comment.java
+++ /dev/null
@@ -1,24 +0,0 @@
-package org.owasp.webgoat.plugin.challenge3;
-
-import lombok.AllArgsConstructor;
-import lombok.Getter;
-import lombok.NoArgsConstructor;
-import lombok.Setter;
-
-import javax.xml.bind.annotation.XmlRootElement;
-
-/**
- * @author nbaars
- * @since 4/8/17.
- */
-@Getter
-@Setter
-@AllArgsConstructor
-@NoArgsConstructor
-@XmlRootElement
-public class Comment {
- private String user;
- private String dateTime;
- private String text;
-}
-
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Assignment4.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Assignment4.java
deleted file mode 100644
index 199ac4d62..000000000
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Assignment4.java
+++ /dev/null
@@ -1,17 +0,0 @@
-package org.owasp.webgoat.plugin.challenge4;
-
-import lombok.extern.slf4j.Slf4j;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentPath;
-
-/**
- * @author nbaars
- * @since 5/3/17.
- */
-@AssignmentPath("/challenge/4")
-@Slf4j
-public class Assignment4 extends AssignmentEndpoint {
-
- //just empty, posting the flag will mark the challenge as done as well no need to specify an endpoint here
-
-}
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Challenge4.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Challenge4.java
deleted file mode 100644
index 0e878d761..000000000
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Challenge4.java
+++ /dev/null
@@ -1,39 +0,0 @@
-package org.owasp.webgoat.plugin.challenge4;
-
-import com.google.common.collect.Lists;
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.NewLesson;
-
-import java.util.List;
-
-/**
- * @author nbaars
- * @since 3/21/17.
- */
-public class Challenge4 extends NewLesson {
-
- @Override
- public Category getDefaultCategory() {
- return Category.CHALLENGE;
- }
-
- @Override
- public List getHints() {
- return Lists.newArrayList();
- }
-
- @Override
- public Integer getDefaultRanking() {
- return 10;
- }
-
- @Override
- public String getTitle() {
- return "challenge4.title";
- }
-
- @Override
- public String getId() {
- return "Challenge4";
- }
-}
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Views.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Views.java
deleted file mode 100644
index e9f47594c..000000000
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Views.java
+++ /dev/null
@@ -1,16 +0,0 @@
-package org.owasp.webgoat.plugin.challenge4;
-
-/**
- * @author nbaars
- * @since 4/30/17.
- */
-public class Views {
- interface GuestView {
- }
-
- interface UserView extends GuestView {
- }
-
- interface AdminView extends UserView {
- }
-}
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Vote.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Vote.java
deleted file mode 100644
index ccb51c3b1..000000000
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Vote.java
+++ /dev/null
@@ -1,49 +0,0 @@
-package org.owasp.webgoat.plugin.challenge4;
-
-import com.fasterxml.jackson.annotation.JsonView;
-import lombok.Getter;
-import lombok.Setter;
-
-/**
- * @author nbaars
- * @since 5/2/17.
- */
-@Getter
-public class Vote {
- @JsonView(Views.GuestView.class)
- private final String title;
- @JsonView(Views.GuestView.class)
- private final String information;
- @JsonView(Views.GuestView.class)
- private final String imageSmall;
- @JsonView(Views.GuestView.class)
- private final String imageBig;
- @JsonView(Views.UserView.class)
- private int numberOfVotes;
- @JsonView(Views.AdminView.class)
- @Setter
- private String flag;
- @JsonView(Views.UserView.class)
- private boolean votingAllowed = true;
- @JsonView(Views.UserView.class)
- private long average = 0;
-
-
- public Vote(String title, String information, String imageSmall, String imageBig, int numberOfVotes, int totalVotes) {
- this.title = title;
- this.information = information;
- this.imageSmall = imageSmall;
- this.imageBig = imageBig;
- this.numberOfVotes = numberOfVotes;
- this.average = calculateStars(totalVotes);
- }
-
- public void incrementNumberOfVotes(int totalVotes) {
- this.numberOfVotes = this.numberOfVotes + 1;
- this.average = calculateStars(totalVotes);
- }
-
- private long calculateStars(int totalVotes) {
- return Math.round(((double) numberOfVotes / (double) totalVotes) * 4);
- }
-}
\ No newline at end of file
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/VotesEndpoint.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/VotesEndpoint.java
deleted file mode 100644
index 619e35c13..000000000
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/VotesEndpoint.java
+++ /dev/null
@@ -1,124 +0,0 @@
-package org.owasp.webgoat.plugin.challenge4;
-
-import com.google.common.collect.Maps;
-import io.jsonwebtoken.*;
-import org.apache.commons.lang3.StringUtils;
-import org.springframework.http.HttpStatus;
-import org.springframework.http.ResponseEntity;
-import org.springframework.http.converter.json.MappingJacksonValue;
-import org.springframework.web.bind.annotation.*;
-
-import javax.annotation.PostConstruct;
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletResponse;
-import java.util.Collection;
-import java.util.Date;
-import java.util.Map;
-import java.util.concurrent.TimeUnit;
-
-import static java.util.Comparator.comparingLong;
-import static java.util.Optional.ofNullable;
-import static java.util.stream.Collectors.toList;
-import static org.owasp.webgoat.plugin.Flag.FLAGS;
-import static org.owasp.webgoat.plugin.SolutionConstants.JWT_PASSWORD;
-
-/**
- * @author nbaars
- * @since 4/23/17.
- */
-@RestController
-@RequestMapping("/votings")
-public class VotesEndpoint {
-
- private static String validUsers = "TomJerrySylvester";
-
- private static int totalVotes = 38929;
- private Map votes = Maps.newHashMap();
-
- @PostConstruct
- public void initVotes() {
- votes.put("Admin lost password", new Vote("Admin lost password",
- "In this challenge you will need to help the admin and find the password in order to login",
- "challenge1-small.png", "challenge1.png", 36000, totalVotes));
- votes.put("Vote for your favourite",
- new Vote("Vote for your favourite",
- "In this challenge ...",
- "challenge5-small.png", "challenge5.png", 30000, totalVotes));
- votes.put("Get it for free",
- new Vote("Get it for free",
- "The objective for this challenge is to buy a Samsung phone for free.",
- "challenge2-small.png", "challenge2.png", 20000, totalVotes));
- votes.put("Photo comments",
- new Vote("Photo comments",
- "n this challenge you can comment on the photo you will need to find the flag somewhere.",
- "challenge3-small.png", "challenge3.png", 10000, totalVotes));
- }
-
- @GetMapping("/login")
- public void login(@RequestParam("user") String user, HttpServletResponse response) {
- if (validUsers.contains(user)) {
- Map claims = Maps.newHashMap();
- claims.put("admin", "false");
- claims.put("user", user);
- String token = Jwts.builder()
- .setIssuedAt(new Date(System.currentTimeMillis() + TimeUnit.DAYS.toDays(10)))
- .setClaims(claims)
- .signWith(SignatureAlgorithm.HS512, JWT_PASSWORD)
- .compact();
- Cookie cookie = new Cookie("access_token", token);
- response.addCookie(cookie);
- response.setStatus(HttpStatus.OK.value());
- } else {
- Cookie cookie = new Cookie("access_token", "");
- response.addCookie(cookie);
- response.setStatus(HttpStatus.UNAUTHORIZED.value());
- }
- }
-
- @GetMapping
- public MappingJacksonValue getVotes(@CookieValue(value = "access_token", required = false) String accessToken) {
- MappingJacksonValue value = new MappingJacksonValue(votes.values().stream().sorted(comparingLong(Vote::getAverage).reversed()).collect(toList()));
- if (StringUtils.isEmpty(accessToken)) {
- value.setSerializationView(Views.GuestView.class);
- } else {
- try {
- Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(accessToken);
- Claims claims = (Claims) jwt.getBody();
- String user = (String) claims.get("user");
- boolean isAdmin = Boolean.valueOf((String) claims.get("admin"));
- if ("Guest".equals(user) || !validUsers.contains(user)) {
- value.setSerializationView(Views.GuestView.class);
- } else {
- ((Collection) value.getValue()).forEach(v -> v.setFlag(FLAGS.get(4)));
- value.setSerializationView(isAdmin ? Views.AdminView.class : Views.UserView.class);
- }
- } catch (JwtException e) {
- value.setSerializationView(Views.GuestView.class);
- }
- }
- return value;
- }
-
- @PostMapping(value = "{title}")
- @ResponseBody
- @ResponseStatus(HttpStatus.ACCEPTED)
- public ResponseEntity vote(@PathVariable String title, @CookieValue(value = "access_token", required = false) String accessToken) {
- if (StringUtils.isEmpty(accessToken)) {
- return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
- } else {
- try {
- Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(accessToken);
- Claims claims = (Claims) jwt.getBody();
- String user = (String) claims.get("user");
- if (validUsers.contains(user)) {
- ofNullable(votes.get(title)).ifPresent(v -> v.incrementNumberOfVotes(totalVotes));
- return ResponseEntity.accepted().build();
- } else {
- return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
- }
- } catch (JwtException e) {
- return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
- }
- }
- }
-}
diff --git a/webgoat-lessons/challenge/src/main/resources/css/challenge3.css b/webgoat-lessons/challenge/src/main/resources/css/challenge3.css
deleted file mode 100644
index 3bc2ca4eb..000000000
--- a/webgoat-lessons/challenge/src/main/resources/css/challenge3.css
+++ /dev/null
@@ -1,75 +0,0 @@
-/* Component: Posts */
-.post .post-heading {
- height: 95px;
- padding: 20px 15px;
-}
-.post .post-heading .avatar {
- width: 60px;
- height: 60px;
- display: block;
- margin-right: 15px;
-}
-.post .post-heading .meta .title {
- margin-bottom: 0;
-}
-.post .post-heading .meta .title a {
- color: black;
-}
-.post .post-heading .meta .title a:hover {
- color: #aaaaaa;
-}
-.post .post-heading .meta .time {
- margin-top: 8px;
- color: #999;
-}
-.post .post-image .image {
- width:20%;
- height: 40%;
-}
-.post .post-description {
- padding: 5px;
-}
-.post .post-footer {
- border-top: 1px solid #ddd;
- padding: 15px;
-}
-.post .post-footer .input-group-addon a {
- color: #454545;
-}
-.post .post-footer .comments-list {
- padding: 0;
- margin-top: 20px;
- list-style-type: none;
-}
-.post .post-footer .comments-list .comment {
- display: block;
- width: 100%;
- margin: 20px 0;
-}
-.post .post-footer .comments-list .comment .avatar {
- width: 35px;
- height: 35px;
-}
-.post .post-footer .comments-list .comment .comment-heading {
- display: block;
- width: 100%;
-}
-.post .post-footer .comments-list .comment .comment-heading .user {
- font-size: 14px;
- font-weight: bold;
- display: inline;
- margin-top: 0;
- margin-right: 10px;
-}
-.post .post-footer .comments-list .comment .comment-heading .time {
- font-size: 12px;
- color: #aaa;
- margin-top: 0;
- display: inline;
-}
-.post .post-footer .comments-list .comment .comment-body {
- margin-left: 50px;
-}
-.post .post-footer .comments-list .comment > .comments-list {
- margin-left: 50px;
-}
\ No newline at end of file
diff --git a/webgoat-lessons/challenge/src/main/resources/css/challenge4.css b/webgoat-lessons/challenge/src/main/resources/css/challenge4.css
deleted file mode 100644
index 590e2a4b0..000000000
--- a/webgoat-lessons/challenge/src/main/resources/css/challenge4.css
+++ /dev/null
@@ -1,12 +0,0 @@
-a.list-group-item {
- height:auto;
-}
-a.list-group-item.active small {
- color:#fff;
-}
-.stars {
- margin:20px auto 1px;
-}
-.img-responsive {
- min-width: 100%;
-}
\ No newline at end of file
diff --git a/webgoat-lessons/challenge/src/main/resources/html/Challenge3.html b/webgoat-lessons/challenge/src/main/resources/html/Challenge3.html
deleted file mode 100644
index 62255ab95..000000000
--- a/webgoat-lessons/challenge/src/main/resources/html/Challenge3.html
+++ /dev/null
@@ -1,72 +0,0 @@
- - - - - -
-
- - -
-
- -
-
-
-
- user profile image -
-
-
- John Doe - uploaded a photo. -
-
24 days ago
-
-
- -
- image post -
- -
- -
- -
-
- -
-
-
-
- -
-
- -
-
- -
- - -
-
-
-
-
- \ No newline at end of file diff --git a/webgoat-lessons/challenge/src/main/resources/html/Challenge4.html b/webgoat-lessons/challenge/src/main/resources/html/Challenge4.html deleted file mode 100644 index f760beffe..000000000 --- a/webgoat-lessons/challenge/src/main/resources/html/Challenge4.html +++ /dev/null @@ -1,75 +0,0 @@ - - - - - -
-
- - - -
-
-
- -
- -
-
- -
-

Welcome back,

-
-
- -
-

Vote for your favorite

-
-
- -
-
-
-
- -
-
-
-
-
- -
-
- -
-
- -
- -
-
-
-
-
- -
\ No newline at end of file
diff --git a/webgoat-lessons/challenge/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/challenge/src/main/resources/i18n/WebGoatLabels.properties
index e79acbac5..267502639 100644
--- a/webgoat-lessons/challenge/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/challenge/src/main/resources/i18n/WebGoatLabels.properties
@@ -2,7 +2,6 @@ challenge0.title=WebGoat Challenge
 challenge1.title=Admin lost password
 challenge2.title=Get it for free
 challenge3.title=Photo comments
-challenge4.title=Voting
 challenge5.title=Without password
 challenge6.title=Creating a new account
 challenge7.title=Admin password reset
diff --git a/webgoat-lessons/challenge/src/main/resources/images/cat.jpg b/webgoat-lessons/challenge/src/main/resources/images/cat.jpg deleted file mode 100644 index e0e1fb983d4a3215381a3373fe69b02d5ee3a73f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 9095 zcmb7pS5OmN)NSZRYCs6Rm{3FSB1k7dXdxnm-m6FxlwLybq4yR*s&oNCrAjZMDDcri zh)5L$MDX|CnSbWK-hE!qoV91|ea@VRHGBR2@^=$Jr>mu-1t1^*00{mqz~5B>8bCox z24n!)Hdh>ev)fSZF2!okYSE5QR16c!Z~1#wBq zONqz{h=>XkP*PITP}8u|(XonfaBzwIe}u4zu!xA<-;V%#aspz&01*K%fRLVmh@Rl@ z5PDr`7)rLI42~2`Mod`9IW{4nROiL`+UZLQG0bLH#d=@-1y*BZ4gYJ0Q>#JtWHU^j1+Yas1%SkZ+`} z4wR^Ppjnl8WKad-Y(~PDCqMoG+ST8<(8H;dD@ZQimeEyEO8y;b*sRzZXO)@T;N!Hm z3fqs;IT_VfNhjDK^LxPysl$PFB_4Hit40OWA-+&qfb6UFH1KP5+$Ho-eJ=IxiBEV+ z(2LU;prM>bC%upfxhgi`Y~D4UBIndX;$4<5n!Uo&Jk^gyN&+UG zdl!Y|*Ca~TO##Lwxd8{Nb#!R%Kh#CaRhgt??mZ{I`c!*Z^4bi-#xy;NJ`!oIYAjt> z%alCV_l7=tU@6h9e22S{`wisyGz%tM^++BK(#$!PK8es?jZ1n(Q)NeNCo+ z=*1yZ%@@eZg)hCcnu)CcoCMFZs_d&oz-I^`Nb}Fri*D^CYNo*WjE4|~*H_vN9xcI7_2)qGCWHy{w1>n;0Qx9t{Z_m8I9 zc$Z=pHwAlHVw#jAt`-!3nf;9^MVIy)=0EV~_2HHg@ePNSZs(5W>Z$f|I4)C!LMTWY z4L2o|lI$(JdV@cf0DkX(4Z!0$fYE+0zuY!_yDb>wgRer{CwiT^*C0vb$e~QjPN(j? 
zw$Ca0ZIzmnrOudqzp4rN>KI?GuC=Yq?Lg%udEwUE?_Ls6TZ(a6)Jc7(g%V~;7M@k^ zo)=L?SQn#{2a|d2P34e=wc9=O!6Uv8u=EBGko&}vR4N6O1H92((+plGy=9SCgB0}3 z2^xMxcm@daq%)zdk_EOyNqBa48sZ(pb2IMlEJI1EvzvR39sd`gY}&HC_t z(eE!n3-uRpJ;L_A+}SizDz6*9_ZLu4LNsocRBVL9eC3CUo@*aw;yBbQP>>0-jBfUx zH&}XyS%foTjL?&`XTGP**=pjYxrtR^XB~CufxO}G#O1MN{uJ>q8 zOq&P+mESAJj6Y=~7W#PN)pqv1!UW4z-rTm{dr;n=E1i_o1WhY$vcWP@zNV#fE8y%F zuC`@3{J+N$b%5s`EKfZH{L==NxP5`n@jqT@V?*m^)EaPv$n3D@B68_vgSD(z;}IJh z0((Dh+~Uf%&d?_0Sh;bKw^zt}LWOVB_kV0Gqoce}J`_n*bKH4HilBi&mD@cU5_`En zcj68o(i3_p2ve_&n7c}TtDzsdjGlzBB7%=Lfr?x6IB?W!_@m%G8d{n^JQCySPhVZG zOBk_D#Eo;L*hZ`!(&YZOgV_qhc;dYSmv}T|pI&u41VeZWKPb)NGB*6<2rG-Mf3vFd zjfu$U0yF!0#4e&_b=<*Od=>8x#Ad?Ha!x|G?Z!Rc#fn>mYehIhnzE9*0R4G(hG^R6 zap&do7LRClIfs#l1YzP)h37}HblsdqUxx*DL>LFx3^+mR6~j>GYRbiaXHJuswfmg~{wApeJS_x@y`(>J<| z(onlhiMJttY^|=}Kh6T=NO{XU5XFtWH@c|OdS<+Bmu21^xI~G05dG&;jeB0X`y`gH zZ;MtnEreIKzxq+Pv)$N9>;cu~{0t9GL4m{BpK=5}S$HmvQFDpWP}Phq^gJ5SM;i`u z97<5^DV=8eTyEMopO!;+sYx650LK#XY2g~=lOpjW*1`1lPTBkDJ--9HYx6|cj4R@#KFG*i zkpG2MWnoH6V}V~VbupwGrFnAG?PSY!WW+G8;D0xi&DC>r z)X~Fyd;CKBOd4y~7?3?>j+)5am7}5WYtB2p#a zH%XR%FUx69ph_i?o@TCQF!k5;zNgN^IT`0VM4F_7Nxkf=1pVhvA4H#vvwo;V5WOaI z5$lo81(8n7dnbo<&lp#O?&5{tE451~C>~!A=u{v5A*L8<9I}Jw@7#}1y%PstcDXD8 zpA4qq7(zYvfEe0LwfLrb@AH^@&b!{X*BViUx3ozbZd@e>r>;g}*E?GAMiJ}=pqKq? 
zgSm!}xM_Y5#yIT{u*as;e46K&#e^v>s0i4hUiteFV{G2DRZJFtA|NK?(ngc`oTTua z1m+r@8F6s8D0ZDqf_8CjQI3;fc?Y=FAd*TVwTgZLVC)})L z;wB;{EE%#G1T#k*u~Kuejuyr+YvCtdW-{{q|qaQid=q!@I$0 zbi8*+wC|7D?vFp6AEg>EJI%FKljVwdu%xp)WDHQ7_?8-QsnTG~d$wWc10tFAnK8~R zzE@55+VLcR%BPdt5}TG19op2shEy6Htkhb>zu}6+LOrhMhomjQUl8J@a>Zi~Uy02Q z3a!vF;4yf|9f^LQj8dR4J%YOR`wmp%`V%@ zM?gq-VzDbM_xQh@2-Qo~K#^EWpFK8n*{mvV`8}3CNJCvthc(R3cml1MT}dT}<7&6i zT$LWkj2KLSDmi@Gb-lsiu+_icv}X3VO)B5{e8(g{bCb(B7Usnea5&7oc#BwcBK7Qe z)N0=RAda5)Q`UvGrMZeNt{?;PNn)eMPW6w8ph?8y)mVxn({$ z+)}xv-(|kqs=@dXeLQV%GMPP>>pi<+Rh2ozrjQh=I2AnA9X*RKQ)z{jCg%$p_r)#j@a!h`-GIT!# zp>hTAMkl-YTW44%M7o+Vy*4Fg*Lp;3F*T2K5xTe$LN+X9 z*OKP>)qqyna4!PN5v7GYrB!xHHnA30X;|xoAcgQ$|ICqZcTVNPPt)HlqnyMd{h9X6 z6zg&Xw8bJ$v9SDTZly4nWHZBAQ#5j%KM^LqOEl~|i=9(Rr6dvCp+#A5>wOy}*kV26 z;Hlz%PP=0^Ztk>>(p1_WtQ|vpJ);0Xnn9YI$%{GodM)Fe4m@G)C~E#VdGUOWbyc%$ zQ+*_8gYUZREXCdlcRp3c1ypd_7EcYeLoq`PhQSgJC0bJWwy7K%5h7*x_@SKp+fqLJ zOMDmB>!DcB&q#GSv&3N+#8(JK@Hmt$*`skq0M6(wC)KjW@w>9V@cuLB&_BS({w@n6 z8_;=CIWHxi@?G9JAvK)Wr2gud%snvR%}j`sbVvMHLAS2GQ3WQj#WrYuMEduh2k)YY zI%5lMui*BQKYFtL2L4aUpPaVVa0S!?veIcDyo_?vGTw*9rF<=2q%fgAgpR4%(KtcW z@Cs-}t4HE{pkR0mk0t{U(Y}oV#dil3E4G8bS}g?*7P%JL_0*J_O&&a7N#$6Q9+aJ6 zn!HGT4n2C4dSNHo8{|(ltNR#T0zSLea57UeOfjI_dmLNBw!_-Sg5RPfeoOnyZp-!I zm#w|bE7iA9@0ukNow77s}xOg#H4u?90IglsSznmoT$^e44foVUGLf&tYLL z!t5b~^Ck3%6g2yk1s6(*J4x}Zd~NeI@@jM4zIm`oe(Al0_Zs4;jc)HA;uS-h$!Y3! z(3CuF*tbt-_tqmcS#$m0mQ%BvCd}-NbUl|&!rW5MFSq~9@L!frE(C^0;z0&BgUAxk*a_uhnoo(EFInsb{l!X2FGHP46x+>Y#3%pJ2J2e+CL&Gz) zQi&Yc1vM1_@HUZGnu|5s&~zhJ2jcgnidj;N=^Sh5rH_Uv&*(l>D1GJ?A? 
zo#*mt_6T#;)NNMDF^lA;g4uFY^pyFfCTz1{gh3BAIhJTXd9Af?<)1Q?m5c=W%6}?q zk~`C%S~52tEyBJQ1V@Q;kKAaw9ddM{Jb$b5Fpxl2Ow{D89}~fT?B*%6?O0%Cml_R9 z?aj@39WkWSzT#px18)s&KW4;H!PXt#A=@twp)Js2Y^7QZQr6aso%i=#ndh(a_LlVQ zv_9^_jyr~2sDid!=DW_WHG^ewTBwfuwKPFE*P}^&_jIhlgc*-bJad?ahTQ8bWdm`d zK!LGft*Z00-)hk-V3U1XpyG>nQXvH2mirr;i8omrOB6n0G1O+qv^E4ZKm`F`&KiHm z*XcA$s^Q1+PWDHOZQneKB$3w_wP8^y$q)727QY1bB4Z(}GTI3j@n0KTYT||ln;aIL zlDa>AB;U+yHQcK-qd&;*8Mr|77yIxU3)b!=iN8P-h+Jl6DMpeE(f zj#FL0DZ=O{NJ}O0Io^gL%is0JJf~Uf?tnJ|PhlL#;Oda5*(}JTE+5)JPq91Yxh;cI z@093wZI6U)wy#={2j3$`#fxH0#!E7wx6YQ>OxbTZNi&dNa_<^<`O|8j-1*-QuA=;8 zwHuUruI?f|Pt{h_@aR?P$t;Z5`##&aDA7&jGNET`L8iM(?sfD#r7+L61#0e;dPV}Z|huL=a2xueHBpwi%OBJrWVTxlWAd!XgoqXIlFo`qdjNPwLpOI z9w$!6CfS5bmQJ9z4#;Za#BNL{0bE>u@C1=7r84Fk6aB>(_JT(^Ln^ z4w?OUJW#LE`_X&wh<5v6;Z@Gb7F7fLR)5?Q0Rx%kH*Y*W%a`3i@vBQSUzQ_bzof`K zKlZwiOXECM66KKhaBh=48XAA1&+<6BXs#-^Gy#Y}qTTRHx*)+>)Ba;}?vlbmsY_U2 z)OV(EGu^UD<>$GiafpwjkC_#&)X|u-WHCBPLM&Bz%yHw4xmvA8$Ey$HiZ!cj`%IlW zuuL)Mtefs1>kb@^OgkdSPG{n~`t=mQA_Cu{P4x@s8@yeQq{5Q)1JjcIJgD|`SRDfnf(7F0Skqo1F>`{QzhmkRxJAro5ow(sPw zQjQ8}uBAz_vaUB_Am1g;EJbC@bZArZrFg??#L#7tT{y~6$3$xMME=yZV{YY>J0^4) z8yRmRr=8gJl1AY?()kds?4!t}i(BbfS!z#b%If+f_$Jl3wBW6=5I?i14}YrjgCLGU zfPr_U{PQ8HS3|3Ala3ce(35jM#>XAPywxYk0$K+J$un>=EVSOZS3%i(_*rzyR$)M> zM0~bvksmQ;pH|I5#FN_Zk>qQ(yJitM`*Xkt=9h^MdrK+T17z``!xLAeDTJC$*>6mp zHy@JQMQ;mcmNKkytJE)UcoWfxJ5qToCgq+crh`$bq4(Nes%MrCblbxTP0PHw{{kGz zcC4H6VtGxP6K}I5D7<_`<%=GY1I=!_nTbgqa!ZW4|4B*5KQ?Xja3k-jL57Q1R+fU< zY~HeU_vWCli_?;wdy^&41thi1eexKJuTU$m10bG0LyE(;6c z_jcK*TW+9~;Vt1ZJF)CA$PZP`yt2*;*~XzXS&O274_p3be}eOLv@3xs^HGhOii~%s zOVY1ret5(ImmKwuekAUmUKHXRztY~YEEGK)9kfGXn9vAP*cgZ27dh~e@k4nNvZ7wK zIRegNG<{m+iF%vYMpzQA2zNhc1)`NjEcJ57v-bCBT&-(Z6BQB!HoLs-2iePU7}!8N zFE;r>ZJr7HkMBdt6hl7(o|Ds5z?+E_?#zrV49Fju4WLnpn>8aTdA`>HwiuoApsk2T zUg_%W*M6mD$PlYDJ8R1=SBn->{`CX*kg`!xtLx2Kxx!aOyo0^v{m!o+)rD-bnTM;Q zNRlmdjlT~Es=cu`S2Phk?qnXhYMDiqKI_z7g~8iI7Sf-HbN3*JWahPZSSjM}>ajb& zN5b(Wnj>Z3Ka?AH3X%V6K{|x5I(;7@E!2xReR)_SpZX-G#oejLAK&RXrjpOi-5}~f 
znjf^K1Bf968ZK^|KP>cmQsI=x!@LI(LM5-Z;+s+lX~6A&m5c4h=C~epS76qS zQqGnRI7_Lb&YQ(BsEF9917xn5q!$duw^donIUC&U|3n<)^$8%g_s_O1>$&^jZ~1UZ zJegvy?SgKmbF)~UsCaWw(g2$36)0-1_SeEVa*x+~OsbRYqJu&9Zbmhr;`-AIhc9`- z&Pjg(GVS33Q}<54iBVR@ zrcRaZMRggT1=yLSQH2#Z(l{JfZzfT}lD>u{*zK^1b+BpFn%+Ri+)E`_GQktARloco zN6re$hZJ$^MC+pnzNKr*QpXMyw9R>Wfgxzs35B4Hz!dfyP-aLu0*8g{2ZLhlYr2NuIR<33VFHNrHm; z0j}WS`26FWj!RQH7be-#wjn~L*WIg#G>k2U{#BV{%hdQ_F2I0?aPCNfiJC5%m zDA`w(3Y@3Ft(0Qp!9#?qeSV=7(K~VDy@aTK7|-oix_jpj9E;~Y+hx|X@dw$jqH=^S z^~Ij7MqiU>D-gtbvL!v1|JwJ23ggbM3?K!mGqxe+hyT0f1Z7^n{t{;#fL^A24`oXg zH;DtZE%gy=0okL33Ji7N~oISFa-uZoq#*NIUTZ#33sW9cNa8^n{OOeML;3kxmGH9nXfAO`8x1Oqz6M zBLdJ;h~ww%J&wLg%B?D+w&4%GOT_hPAXDN!(8fVu7jwz@%xcY65O3rGOImB9n` z{d~9L8Q$JJ4?YZ6Q8m)hmvx-uPA_{0Bv;G zE>HUptp~ry-bAlLmkPlH*ikhccoO4;h1db2Y9N~W@tj9Pvy0dM#~<`dMI@`1okmqk z^5+40Pebj!mP@w1VxS68xVhO+(#cX!tBR1@n38}oX5x2KzNo|{FIg!`3R?_Z+ht*b z?5)tyyO6#6Rl;ov_NX`VMYU1(Lsh)z0gh>1o13oU=nJqdeLO zPNGV(Dt~G$y<#Omsj8CWgs!)zvvD)+%b~sZZ`@oPq&4QKU*TJYa+)-q%@2&siV?(U zylb!mVYh9UTzZj9jgEQs#P3MQ&D5Af;0zSTZiyC*mbRf^Z`LJfn%uf`6xBq4v;2%z zIz5$boL4lK-~!oi!%JBUFJKwZ3On=L+h#PnxfAT9=%tpA^GkNtZv~055%>Yo@UPP| z;mfym;T_)t-ZoV_nfM)B1-~uHEpChNa_LLi9&`WIKGlliUqK|e|B4YYf!t5O{Mux% zVy455ZB${a>X%;ojFrKKjO9Gh!6cBk$k=fR^=z1 zpFP@P!rmI~E#g=C9NrPg9T9!W<%vL(jNG*tH>W>xi!(>#$3`oFs-_xd(#D_x4Omdz1{5!NSZ0 zrDwpi;v*j+i--rLG^azk0kt1zU#V0ibH?$^ka?{GTBNBbKi~*g0{io$k!0(Ok*NPL zK@0{+bcENwHFdIt9(&B%?X_At2~J>egi&{BspF3RJT9g#*u)yV6qm3`5UnH4UT_c( z*4L@&QOF#eR;;3YGFoZ$RA|^5qobGh>Yo|F()_1v9%{SQMK(YI{9-$k|L^-)iYH)P z$G}^$_t{oT$xF0;-m0{Izjzk&6~bIo8}?H+#-j)kY16Ap>~Lv+Pp0IvQ-_CJP3NBk?q=2LK97Rb(qz#A0s+nYOEdPD?*#yl=^+UgKAag1hDJv{jvNjb3O$KUGATS{?w%0ZDjgona&UAZhNxr9=1M zwbU5%F(j{f0zA;Q+D<&5MO0?j%)C{J^(N@8q|{)o9`_TN{P|FP5I;&Fh$Np0i^;&i zU}e=3ajkBv$c`q@dW{ABf)U3F{N-q6mH;DWAs|%~uc!4Nin=`52fg`RAh=GQ(3NCS zK%9!b|9o4%&k*TIRC9ry+(XC76G%v={RJ2&aoMq1QHaCgN9p;(?ujumX1V{ohD6Cy z_MI_kk25YI)45_!M!0D8$vR-Ni=4S{r5Q|0B+sT?)G-0C^*!=agM^I<+S82*RHlp@ 
z9TNYrm+yS|uq)2XQJx+7BBG1|<8lyDBP=OcuJQy?bHHOyWn7kCOk?@bWg#3T7`(*da~z^CM2AJ*>1- zHz!~6nba&gR#y!J%t#^#qzT?`5dRpNKJ+2kX?NP`U>Aoh%ecytr-=q3->gx;@5^%( zBOIP#VvH4T5@e6{$wKJuk}(&Z+L>{G+y-jdb_YffNmBf$V~3|8iI(41@f$mj@U&YS zeOk6fI;GZssIos!Kvodr115N%j?a&$T;KHC0Xdi3f;UlBS zmdd%isE3{hz1hH%S1r$(_9z+cp3toM*k^Si#`@4KL2b6 zIN6!5Dl6HCc5&n>lB' + - '
' + - 'avatar' + - '
' + - '
' + - '
' + - '

USER

' + - '
DATETIME
' + - '
' + - '

COMMENT

' + - '
' + - ''; - - getChallenges(); - - function getChallenges() { - $("#list").empty(); - $.get("challenge/3", function (result, status) { - for (var i = 0; i < result.length; i++) { - var comment = html.replace('USER', result[i].user); - comment = comment.replace('DATETIME', result[i].dateTime); - comment = comment.replace('COMMENT', result[i].text); - $("#list").append(comment); - } - - }); - } -}) \ No newline at end of file diff --git a/webgoat-lessons/challenge/src/main/resources/js/challenge4.js b/webgoat-lessons/challenge/src/main/resources/js/challenge4.js deleted file mode 100644 index 5c9d6a38d..000000000 --- a/webgoat-lessons/challenge/src/main/resources/js/challenge4.js +++ /dev/null @@ -1,84 +0,0 @@ -$(document).ready(function () { - login('Guest'); -}) - -function login(user) { - $("#name").text(user); - $.ajax({ - url: "votings/login?user=" + user, - complete: function (result, status) { - getVotings(); - } - }); -} - -var html = '' + - '
' + - '
' + - 'placehold.it/350x250' + - '
' + - '
' + - '
' + - '

TITLE

' + - '

INFORMATION

' + - '
' + - '
' + - '

NO_VOTES' + - ' votes' + - '

' + - '' + - '
' + - '' + - '' + - '' + - '' + - '
' + - '

Average AVERAGE /4

' + - '
' + - '
' + - '
'; - -function getVotings() { - $("#votesList").empty(); - $.get("votings/", function (result, status) { - for (var i = 0; i < result.length; i++) { - var voteTemplate = html.replace('IMAGE_SMALL', result[i].imageSmall); - if (i === 0) { - voteTemplate = voteTemplate.replace('ACTIVE', 'active'); - voteTemplate = voteTemplate.replace('BUTTON', 'btn-default'); - } else { - voteTemplate = voteTemplate.replace('ACTIVE', ''); - voteTemplate = voteTemplate.replace('BUTTON', 'btn-primary'); - } - voteTemplate = voteTemplate.replace(/TITLE/g, result[i].title); - voteTemplate = voteTemplate.replace('INFORMATION', result[i].information || ''); - voteTemplate = voteTemplate.replace('NO_VOTES', result[i].numberOfVotes || ''); - voteTemplate = voteTemplate.replace('AVERAGE', result[i].average || ''); - - var hidden = (result[i].numberOfVotes === undefined ? 'hidden' : ''); - voteTemplate = voteTemplate.replace(/HIDDEN_VIEW_VOTES/g, hidden); - hidden = (result[i].average === undefined ? 'hidden' : ''); - voteTemplate = voteTemplate.replace(/HIDDEN_VIEW_RATING/g, hidden); - - $("#votesList").append(voteTemplate); - } - }) -} - -function vote(title) { - var user = $("#name").text(); - if (user === 'Guest') { - alert("As a guest you are not allowed to vote, please login first.") - } else { - $.ajax({ - type: 'POST', - url: 'votings/' + title - }).then( - function () { - getVotings(); - } - ) - } -} - - diff --git a/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_3.adoc b/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_3.adoc deleted file mode 100644 index 396cbfa0f..000000000 --- a/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_3.adoc +++ /dev/null @@ -1 +0,0 @@ -Changing language can help you find the 'secret' file \ No newline at end of file 
diff --git a/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_4.adoc b/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_4.adoc
deleted file mode 100644
index 883d4be45..000000000
--- a/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_4.adoc
+++ /dev/null
@@ -1 +0,0 @@
-Try to change to a different user, maybe you can find the flag?
\ No newline at end of file
diff --git a/webgoat-lessons/challenge/src/test/java/org/owasp/webgoat/plugin/challenge4/VotesEndpointTest.java b/webgoat-lessons/challenge/src/test/java/org/owasp/webgoat/plugin/challenge4/VotesEndpointTest.java
deleted file mode 100644
index 322cf8873..000000000
--- a/webgoat-lessons/challenge/src/test/java/org/owasp/webgoat/plugin/challenge4/VotesEndpointTest.java
+++ /dev/null
@@ -1,161 +0,0 @@
-package org.owasp.webgoat.plugin.challenge4;
-
-import org.hamcrest.CoreMatchers;
-import org.junit.Before;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.mockito.runners.MockitoJUnitRunner;
-import org.owasp.webgoat.plugin.Flag;
-import org.springframework.test.web.servlet.MockMvc;
-import org.springframework.test.web.servlet.MvcResult;
-import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-
-import javax.servlet.http.Cookie;
-
-import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.unauthenticated;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
-
-/**
- * @author nbaars
- * @since 5/2/17.
- */
-@RunWith(MockitoJUnitRunner.class)
-public class VotesEndpointTest {
-
- private MockMvc mockMvc;
-
- @Before
- public void setup() {
- VotesEndpoint votesEndpoint = new VotesEndpoint();
- votesEndpoint.initVotes();
- new Flag().initFlags();
- this.mockMvc = standaloneSetup(votesEndpoint).build();
- }
-
- @Test
- public void loginWithUnknownUser() throws Exception {
- mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
- .param("user", "uknown"))
- .andExpect(unauthenticated());
- }
-
- @Test
- public void loginWithTomShouldGiveJwtToken() throws Exception {
- mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
- .param("user", "Tom"))
- .andExpect(status().isOk()).andExpect(cookie().exists("access_token"));
- }
-
- @Test
- public void loginWithGuestShouldNotGiveJwtToken() throws Exception {
- mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
- .param("user", "Guest"))
- .andExpect(unauthenticated()).andExpect(cookie().value("access_token", ""));
- }
-
- @Test
- public void userShouldSeeMore() throws Exception {
- MvcResult mvcResult = mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
- .param("user", "Tom"))
- .andExpect(status().isOk()).andExpect(cookie().exists("access_token")).andReturn();
- mockMvc.perform(MockMvcRequestBuilders.get("/votings")
- .cookie(mvcResult.getResponse().getCookie("access_token")))
- .andExpect(jsonPath("$.[*].numberOfVotes").exists());
- }
-
- @Test
- public void guestShouldNotSeeNumberOfVotes() throws Exception {
- MvcResult mvcResult = mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
- .param("user", "Guest"))
- .andExpect(unauthenticated()).andExpect(cookie().exists("access_token")).andReturn();
- mockMvc.perform(MockMvcRequestBuilders.get("/votings")
- .cookie(mvcResult.getResponse().getCookie("access_token")))
- .andExpect(jsonPath("$.[*].numberOfVotes").doesNotExist());
- }
-
- @Test
- public void adminShouldSeeFlags() throws Exception {
- mockMvc.perform(MockMvcRequestBuilders.get("/votings")
- .cookie(new Cookie("access_token", "eyJhbGciOiJub25lIn0.eyJhZG1pbiI6InRydWUiLCJ1c2VyIjoiSmVycnkifQ.")))
- .andExpect(jsonPath("$.[*].flag").isNotEmpty());
- }
-
- @Test
- public void votingIsNotAllowedAsGuest() throws Exception {
- mockMvc.perform(MockMvcRequestBuilders.post("/votings/Get it for free"))
- .andExpect(unauthenticated());
- }
-
- @Test
- public void normalUserShouldBeAbleToVote() throws Exception {
- MvcResult mvcResult = mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
- .param("user", "Tom"))
- .andExpect(status().isOk()).andExpect(cookie().exists("access_token")).andReturn();
- mockMvc.perform(MockMvcRequestBuilders.post("/votings/Get it for free")
- .cookie(mvcResult.getResponse().getCookie("access_token")));
- mockMvc.perform(MockMvcRequestBuilders.get("/votings/")
- .cookie(mvcResult.getResponse().getCookie("access_token")))
- .andExpect(jsonPath("$..[?(@.title == 'Get it for free')].numberOfVotes", CoreMatchers.hasItem(20001)));
- }
-
- @Test
- public void votingForUnknownLessonShouldNotCrash() throws Exception {
- MvcResult mvcResult = mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
- .param("user", "Tom"))
- .andExpect(status().isOk()).andExpect(cookie().exists("access_token")).andReturn();
- mockMvc.perform(MockMvcRequestBuilders.post("/votings/UKNOWN_VOTE")
- .cookie(mvcResult.getResponse().getCookie("access_token"))).andExpect(status().isAccepted());
- }
-
- @Test
- public void votingWithInvalidToken() throws Exception {
- mockMvc.perform(MockMvcRequestBuilders.post("/votings/UKNOWN_VOTE")
- .cookie(new Cookie("access_token", "abc"))).andExpect(unauthenticated());
- }
-
- @Test
- public void gettingVotesWithInvalidToken() throws Exception {
- mockMvc.perform(MockMvcRequestBuilders.get("/votings/")
- .cookie(new Cookie("access_token", "abc"))).andExpect(unauthenticated());
- }
-
- @Test
- public void gettingVotesWithUnknownUserInToken() throws Exception {
- mockMvc.perform(MockMvcRequestBuilders.get("/votings/")
- .cookie(new Cookie("access_token", "eyJhbGciOiJub25lIn0.eyJhZG1pbiI6InRydWUiLCJ1c2VyIjoiVW5rbm93biJ9.")))
- .andExpect(unauthenticated())
- .andExpect(jsonPath("$.[*].numberOfVotes").doesNotExist());
- }
-
- @Test
- public void gettingVotesForUnknownShouldWork() throws Exception {
- mockMvc.perform(MockMvcRequestBuilders.get("/votings/")
- .cookie(new Cookie("access_token", "eyJhbGciOiJub25lIn0.eyJ1c2VyIjoiVW5rbm93biJ9.")))
- .andExpect(unauthenticated())
- .andExpect(jsonPath("$.[*].numberOfVotes").doesNotExist());
- }
-
- @Test
- public void gettingVotesForKnownWithoutAdminFieldShouldWork() throws Exception {
- mockMvc.perform(MockMvcRequestBuilders.get("/votings/")
- .cookie(new Cookie("access_token", "eyJhbGciOiJub25lIn0.eyJ1c2VyIjoiVG9tIn0.")))
- .andExpect(status().isOk())
- .andExpect(jsonPath("$.[*].numberOfVotes").exists());
- }
-
- @Test
- public void gettingVotesWithEmptyToken() throws Exception {
- mockMvc.perform(MockMvcRequestBuilders.get("/votings/")
- .cookie(new Cookie("access_token", "")))
- .andExpect(status().isOk())
- .andExpect(jsonPath("$.[*].numberOfVotes").doesNotExist());
- }
-
- @Test
- public void votingAsUnknownUserShouldNotBeAllowed() throws Exception {
- mockMvc.perform(MockMvcRequestBuilders.post("/votings/Get it for free")
- .cookie(new Cookie("access_token", "eyJhbGciOiJub25lIn0.eyJ1c2VyIjoiVW5rbm93biJ9.")))
- .andExpect(unauthenticated());
- }
-}
\ No newline at end of file