From 99435a107320df6e3cdca06afac813f48b4b86ca Mon Sep 17 00:00:00 2001
From: Rene Zubcevic <git@zubcevic.com>
Date: Fri, 19 Jul 2019 12:16:06 +0200
Subject: [PATCH] increased sql form fields and fixed chrome progress
---
 .../owasp/webgoat/plugin/NetworkDummy.java | 14 ++++++-
 .../owasp/webgoat/plugin/NetworkLesson.java | 10 ++++-
 .../main/resources/html/ChromeDevTools.html | 41 ++++---------------
 .../src/main/resources/html/SqlInjection.html | 8 ++--
 4 files changed, 33 insertions(+), 40 deletions(-)
diff --git a/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkDummy.java b/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkDummy.java
index 9a462f77a..e5efd285d 100644
--- a/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkDummy.java
+++ b/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkDummy.java
@@ -3,6 +3,7 @@ package org.owasp.webgoat.plugin;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.session.UserSessionData;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
@@ -21,7 +22,16 @@ public class NetworkDummy extends AssignmentEndpoint {
 @RequestMapping(method = RequestMethod.POST)
 public
 @ResponseBody
- AttackResult completed(@RequestParam String networkNum) throws IOException {
- return trackProgress(failed().feedback("network.request").build());
+ AttackResult completed(@RequestParam String successMessage) throws IOException {
+
+ UserSessionData userSessionData = getUserSessionData();
+ String answer = (String) userSessionData.getValue("randValue");
+
+ if (successMessage!=null && successMessage.equals(answer)) {
+ return trackProgress(success().feedback("xss-dom-message-success").build());
+ } else {
+ return trackProgress(failed().feedback("xss-dom-message-failure").build());
+ }
+
 }
 }
\ No newline at end of file
diff --git a/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkLesson.java b/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkLesson.java
index 41071eaff..1969e53e9 100644
--- a/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkLesson.java
+++ b/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkLesson.java
@@ -4,6 +4,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
+import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
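Review bot: The new body of `completed` in NetworkDummy depends on the session key `"randValue"` and on the feedback keys `xss-dom-message-success` / `xss-dom-message-failure`, none of which is defined in this patch. They appear to be carried over from the cross-site-scripting lesson, whose form action the HTML change in this commit replaces. If so, the check can only pass after some other endpoint has populated the session, and a value left behind by that other lesson would be accepted here. I would either switch to a key owned by this lesson or state the dependency above the lookup, e.g. `// "randValue" is written to the session by <ENDPOINT THAT STORES IT>; it is null until that request has run`. The unchecked `(String)` cast can also be avoided, since `equals` accepts any object: `Object answer = userSessionData.getValue("randValue");`.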
@@ -21,7 +22,7 @@ import java.io.IOException; @AssignmentHints({"networkHint1", "networkHint2"}) public class NetworkLesson extends AssignmentEndpoint { - @RequestMapping(method = RequestMethod.POST) + @RequestMapping(method = RequestMethod.POST, params= {"network_num","number"}) public @ResponseBody AttackResult completed(@RequestParam String network_num, @RequestParam String number) throws IOException { @@ -31,4 +32,11 @@ public class NetworkLesson extends AssignmentEndpoint { return trackProgress(failed().feedback("network.failed").build()); } } + + @RequestMapping(method = RequestMethod.POST, params="networkNum") + public + @ResponseBody + ResponseEntity<?> ok(@RequestParam String networkNum) throws IOException { + return ResponseEntity.ok().build(); + } } diff --git a/webgoat-lessons/chrome-dev-tools/src/main/resources/html/ChromeDevTools.html b/webgoat-lessons/chrome-dev-tools/src/main/resources/html/ChromeDevTools.html index d8d576bb6..807cc5a4b 100644 --- a/webgoat-lessons/chrome-dev-tools/src/main/resources/html/ChromeDevTools.html +++ b/webgoat-lessons/chrome-dev-tools/src/main/resources/html/ChromeDevTools.html 
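Review bot: The added `ok` handler in NetworkLesson has no comment explaining why an assignment endpoint needs a second POST mapping that ignores its `networkNum` argument, skips `trackProgress` and answers with an empty 200. If the intent is only to give the lesson's button a request the student can inspect in the browser's network tab, say so in a Javadoc, e.g. `/** Accepts the request fired by the lesson button so it can be inspected in the network tab; it grades nothing. */`. Nothing in the body throws, so `throws IOException` can be dropped. Dispatch on this path now depends on the `params` conditions added in the `-21,7` hunk, so a POST carrying neither parameter set presumably no longer reaches any handler; a sentence on the class noting this would help. The class body starts outside both hunks.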
@@ -2,25 +2,29 @@ <html xmlns:th="http://www.thymeleaf.org"> +<!-- 1 --> <div class="lesson-page-wrapper"> <div class="adoc-content" th:replace="doc:ChromeDevTools_intro.adoc"></div> </div> +<!-- 2 --> <div class="lesson-page-wrapper"> <div class="adoc-content" th:replace="doc:ChromeDevTools_elements.adoc"></div> </div> +<!-- 3 --> <div class="lesson-page-wrapper"> <div class="adoc-content" th:replace="doc:ChromeDevTools_console.adoc"></div> </div> +<!-- 4 --> <div class="lesson-page-wrapper"> <div class="adoc-content" th:replace="doc:ChromeDevTools_Assignment.adoc"></div> <div class="attack-container"> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <form class="attack-form" accept-charset="UNKNOWN" method="POST" name="DOMFollowUp" - action="/WebGoat/CrossSiteScripting/dom-follow-up" + action="/WebGoat/ChromeDevTools/dummy" enctype="application/json;charset=UTF-8"> <input name="successMessage" value="" type="TEXT" /> <input name="submitMessage" value="Submit" type="SUBMIT"/> @@ -30,17 +34,19 @@ </div> </div> +<!-- 5 --> <div class="lesson-page-wrapper"> <div class="adoc-content" th:replace="doc:ChromeDevTools_sources.adoc"></div> </div> +<!-- 6 --> <div class="lesson-page-wrapper"> <div class="adoc-content" th:replace="doc:ChromeDevTools_Assignment_Network.adoc"></div> <div class="attack-container"> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" - action="/WebGoat/ChromeDevTools/dummy" + action="/WebGoat/ChromeDevTools/network" enctype="application/json;charset=UTF-8"> <script> // sample custom javascript in the recommended way ... 
@@ -79,35 +85,4 @@ </div> </div> -<!-- -<div class="lesson-page-wrapper"> - <div class="attack-container"> - <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> - <form class="attack-form" accept-charset="UNKNOWN" - method="POST" name="form" - action="/WebGoat/HttpBasics/attack1" - enctype="application/json;charset=UTF-8"> - <script> - console.log("in listener"); - document.getElementById("butn").addEventListener("click", function() { - document.getElementById("inp").value = Math.random() * 100; - }); - </script> - <table> - <tr> - <td>Click this Button to make a request</td> - <td><Button id="butn"></Button></td> - <td><input id="inp" name="networkNumber" value="" type="hidden"/><input - name="SUBMIT" value="Go!" type="SUBMIT" /></td> - </tr> - <tr> - <td>The Network Number is:</td> - <td><input name="number" value="" type="text" /></td> - <td><button type="submit" formaction="/WebGoat/ChromeDevTools/network">Check</button></td> - </tr> - </table> - </form> - </div> -</div> ---> </html> \ No newline at end of file diff --git a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html index 862a35991..a4f5dd7f2 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html +++ b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html @@ -21,7 +21,7 @@ <table> <tr> <td><label>SQL query</label></td> - <td><input name="query" value="" type="TEXT" placeholder="SQL query"/></td> + <td width="100%"><input class="form-control" name="query" value="" type="TEXT" placeholder="SQL query"/></td> </tr> <tr> <td><button type="SUBMIT">Submit</button></td> 
@@ -46,7 +46,7 @@
 <table>
 <tr>
 <td><label>SQL query</label></td>
- <td><input name="query" value="" type="TEXT" placeholder="SQL query"/></td>
+ <td width="100%"><input class="form-control" name="query" value="" type="TEXT" placeholder="SQL query"/></td>
 </tr>
 <tr>
 <td><button type="SUBMIT">Submit</button></td>
@@ -71,7 +71,7 @@
 <table>
 <tr>
 <td><label>SQL query</label></td>
- <td><input name="query" value="" type="TEXT" placeholder="SQL query"/></td>
+ <td width="100%"><input class="form-control" name="query" value="" type="TEXT" placeholder="SQL query"/></td>
 </tr>
 <tr>
 <td><button type="SUBMIT">Submit</button></td>
@@ -96,7 +96,7 @@
 <table>
 <tr>
 <td><label>SQL query</label></td>
- <td><input name="query" value="" type="TEXT" placeholder="SQL query"/></td>
+ <td width="100%"><input class="form-control" name="query" value="" type="TEXT" placeholder="SQL query"/></td>
 </tr>
 <tr>
 <td><button type="SUBMIT">Submit</button></td>