dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added testcases

Browse Source
This commit is contained in:
Nanne Baars 2017-05-02 23:28:48 +02:00
parent 262d82f80b
commit 945976868b
7 changed files with 206 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
webgoat-lessons/challenge/pom.xml
View File

@ -16,5 +16,23 @@
<artifactId>jjwt</artifactId> <artifactId>jjwt</artifactId>
<version>0.7.0</version> <version>0.7.0</version>
</dependency> </dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<version>4.1.3.RELEASE</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>${junit.version}</version>
<type>jar</type>
<scope>test</scope>
</dependency>
</dependencies> </dependencies>
</project> </project>

2
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge1/Assignment1.java
View File

@ -68,7 +68,7 @@ public class Assignment1 extends AssignmentEndpoint {
return getClientIP(request).contains(ip.getHostAddress()); return getClientIP(request).contains(ip.getHostAddress());
} }
private String getClientIP(HttpServletRequest request) { public static String getClientIP(HttpServletRequest request) {
String xfHeader = request.getHeader("X-Forwarded-For"); String xfHeader = request.getHeader("X-Forwarded-For");
if (xfHeader == null) { if (xfHeader == null) {
return request.getRemoteAddr(); return request.getRemoteAddr();

4
webgoat-lessons/challenge/src/main/resources/html/Challenge2.html
View File

@ -10,7 +10,7 @@
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container"> <div class="container-fluid">
<form class="attack-form" accept-charset="UNKNOWN" <form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form" method="POST" name="form"
action="/WebGoat/challenge/2" action="/WebGoat/challenge/2"
@ -88,7 +88,7 @@
</form> </form>
</div> </div>
<br/> <br/>
<form class="attack-form form-inline" method="POST" name="form" action="/WebGoat/challenge/flag"> <form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
<div class="form-group"> <div class="form-group">
<div class="input-group"> <div class="input-group">
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true" <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"

72
webgoat-lessons/challenge/src/test/java/org/owasp/webgoat/plugin/challenge1/Assignment1Test.java Normal file
View File

@ -0,0 +1,72 @@
package org.owasp.webgoat.plugin.challenge1;
import org.hamcrest.CoreMatchers;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.runners.MockitoJUnitRunner;
import org.owasp.webgoat.assignments.AssignmentEndpointTest;
import org.owasp.webgoat.plugin.Flag;
import org.owasp.webgoat.plugin.SolutionConstants;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
/**
* @author nbaars
* @since 5/2/17.
*/
@RunWith(MockitoJUnitRunner.class)
public class Assignment1Test extends AssignmentEndpointTest {
private MockMvc mockMvc;
@Before
public void setup() {
Assignment1 assignment1 = new Assignment1();
init(assignment1);
new Flag().initFlags();
this.mockMvc = standaloneSetup(assignment1).build();
}
@Test
public void success() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/challenge/1")
.header("X-Forwarded-For", "127.0.1.1")
.param("username", "admin")
.param("password", SolutionConstants.PASSWORD))
.andExpect(jsonPath("$.feedback", CoreMatchers.containsString("flag: " + Flag.FLAGS.get(1))))
.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
}
@Test
public void wrongPassword() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/challenge/1")
.param("username", "admin")
.param("password", "wrong"))
.andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))))
.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
}
@Test
public void correctPasswordXForwardHeaderMissing() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/challenge/1")
.param("username", "admin")
.param("password", SolutionConstants.PASSWORD))
.andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("ip.address.unknown"))))
.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
}
@Test
public void correctPasswordXForwardHeaderWrong() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/challenge/1")
.header("X-Forwarded-For", "127.0.1.2")
.param("username", "admin")
.param("password", SolutionConstants.PASSWORD))
.andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("ip.address.unknown"))))
.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
}
}

49
webgoat-lessons/challenge/src/test/java/org/owasp/webgoat/plugin/challenge2/Assignment2Test.java Normal file
View File

@ -0,0 +1,49 @@
package org.owasp.webgoat.plugin.challenge2;
import org.hamcrest.CoreMatchers;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.runners.MockitoJUnitRunner;
import org.owasp.webgoat.assignments.AssignmentEndpointTest;
import org.owasp.webgoat.plugin.Flag;
import org.owasp.webgoat.plugin.SolutionConstants;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
/**
* @author nbaars
* @since 5/2/17.
*/
@RunWith(MockitoJUnitRunner.class)
public class Assignment2Test extends AssignmentEndpointTest {
private MockMvc mockMvc;
@Before
public void setup() {
Assignment2 assignment2 = new Assignment2();
init(assignment2);
new Flag().initFlags();
this.mockMvc = standaloneSetup(assignment2).build();
}
@Test
public void success() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/challenge/2")
.param("checkoutCode", SolutionConstants.SUPER_COUPON_CODE))
.andExpect(jsonPath("$.feedback", CoreMatchers.containsString("flag: " + Flag.FLAGS.get(2))))
.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
}
@Test
public void wrongCouponCode() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/challenge/2")
.param("checkoutCode", "test"))
.andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))))
.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
}
}

63
webgoat-lessons/challenge/src/test/java/org/owasp/webgoat/plugin/challenge2/ShopEndpointTest.java Normal file
View File

@ -0,0 +1,63 @@
package org.owasp.webgoat.plugin.challenge2;
import org.hamcrest.CoreMatchers;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.runners.MockitoJUnitRunner;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.result.MockMvcResultHandlers;
import static org.hamcrest.Matchers.is;
import static org.owasp.webgoat.plugin.SolutionConstants.SUPER_COUPON_CODE;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
/**
* @author nbaars
* @since 5/2/17.
*/
@RunWith(MockitoJUnitRunner.class)
public class ShopEndpointTest {
private MockMvc mockMvc;
@Before
public void setup() {
ShopEndpoint shopEndpoint = new ShopEndpoint();
this.mockMvc = standaloneSetup(shopEndpoint).build();
}
@Test
public void getSuperCoupon() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.get("/challenge-store/coupons/" + SUPER_COUPON_CODE))
.andDo(MockMvcResultHandlers.print())
.andExpect(jsonPath("$.code", CoreMatchers.is(SUPER_COUPON_CODE)))
.andExpect(jsonPath("$.discount", CoreMatchers.is(100)));
}
@Test
public void getCoupon() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.get("/challenge-store/coupons/webgoat"))
.andDo(MockMvcResultHandlers.print())
.andExpect(jsonPath("$.code", CoreMatchers.is("webgoat")))
.andExpect(jsonPath("$.discount", CoreMatchers.is(25)));
}
@Test
public void askForUnknownCouponCode() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.get("/challenge-store/coupons/does-not-exists"))
.andDo(MockMvcResultHandlers.print())
.andExpect(jsonPath("$.code", CoreMatchers.is("no")))
.andExpect(jsonPath("$.discount", CoreMatchers.is(0)));
}
@Test
public void fetchAllTheCouponsShouldContainGetItForFree() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.get("/challenge-store/coupons/"))
.andDo(MockMvcResultHandlers.print())
.andExpect(jsonPath("$.codes[3].code", is("get_it_for_free")));
}
}

2
webgoat-lessons/http-proxies/src/test/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequestTest.java
View File

@ -53,7 +53,7 @@ public class HttpBasicsInterceptRequestTest extends AssignmentEndpointTest {
@Test @Test
public void success() throws Exception { public void success() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.get("/HttpProxies/intercept-request") mockMvc.perform(MockMvcRequestBuilders.get("/challenge/1")
.header("x-request-intercepted", "true") .header("x-request-intercepted", "true")
.param("changeMe", "Requests are tampered easily")) .param("changeMe", "Requests are tampered easily"))
.andExpect(status().isOk()).andDo(MockMvcResultHandlers.print()) .andExpect(status().isOk()).andDo(MockMvcResultHandlers.print())