diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java b/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java
index 40b1ba555..d54a307cf 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java
@@ -2,18 +2,17 @@ package org.owasp.webgoat.asciidoc;
import org.asciidoctor.ast.ContentNode;
import org.asciidoctor.extension.InlineMacroProcessor;
-import org.springframework.core.env.Environment;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import javax.servlet.http.HttpServletRequest;
+import java.util.HashMap;
import java.util.Map;
/**
* Usage in asciidoc:
*
* webWolfLink:here[] will display a href with here as text
- * webWolfLink:landing[noLink] will display the complete url, for example: http://WW_HOST:WW_PORT/landing
*/
public class WebWolfMacro extends InlineMacroProcessor {
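Review bot: The class Javadoc loses its `noLink` line in this hunk, yet `process` in the next hunk still honours `noLink` and now also reads a `target` attribute that defaults to `home`, so neither option is documented after this change. I would keep the usage list current with something like `* webWolfLink:here[target=jwt] links to the WebWolf page "jwt"; target defaults to home` and `* webWolfLink:landing[noLink,target=landing] shows the complete URL as the link text`. Lesson authors otherwise have to read the code to learn that the macro target is now only the link text and the path comes from the attribute. The class body continues outside the hunk.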
@@ -26,14 +25,22 @@ public class WebWolfMacro extends InlineMacroProcessor {
}
@Override
- public String process(ContentNode contentNode, String target, Map attributes) {
- Environment env = EnvironmentExposure.getEnv();
- String hostname = determineHost(env.getProperty("webwolf.host"), env.getProperty("webwolf.port"));
+ public Object process(ContentNode contentNode, String linkText, Map attributes) {
+ var env = EnvironmentExposure.getEnv();
+ var hostname = determineHost(env.getProperty("webwolf.host"), env.getProperty("webwolf.port"));
+ var target = (String) attributes.getOrDefault("target", "home");
+ var href = hostname + "/" + target;
+ //are we using noLink in webWolfLink:landing[noLink]? Then display link with full href
if (displayCompleteLinkNoFormatting(attributes)) {
- return hostname + (hostname.endsWith("/") ? "" : "/") + target;
+ linkText = href;
}
- return "" + target + "";
+
+ var options = new HashMap();
+ options.put("type", ":link");
+ options.put("target", href);
+ attributes.put("window", "_blank");
+ return createPhraseNode(contentNode, "anchor", linkText, attributes, options).convert();
}
private boolean displayCompleteLinkNoFormatting(Map attributes) {
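Review bot: `var href = hostname + "/" + target;` takes its host part from `determineHost(...)`, which further down in this file reads `request.getHeader("Host")`, so the anchor target, and with `noLink` the visible link text as well, follows a client-supplied header that is not validated anywhere in the visible lines. I would compare the derived host with the configured `webwolf.host` (or a short allow-list) before building the link and fall back to the configured value otherwise; how `determineHost` chooses between the two is outside the hunk, so this may already be partly covered. Since the link now opens with `window=_blank`, it is also worth confirming that the converter in use emits `rel="noopener"` for it. Separately, `new HashMap()` and the `Map attributes` parameter are raw types; `var options = new HashMap<String, Object>();` keeps the compiler's type checks, and the unchecked cast in `(String) attributes.getOrDefault("target", "home")` would then be the only place that needs a comment. The body of `displayCompleteLinkNoFormatting` is outside the hunk.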
@@ -41,9 +48,9 @@ public class WebWolfMacro extends InlineMacroProcessor {
}
/**
- * Determine the host from the hostname and ports that were used.
+ * Determine the host from the hostname and ports that were used.
* The purpose is to make it possible to use the application behind a reverse proxy. For instance in the docker
- * compose/stack version with webgoat webwolf and nginx proxy.
+ * compose/stack version with webgoat webwolf and nginx proxy.
* You do not have to use the indicated hostname, but if you do, you should define two hosts aliases
* 127.0.0.1 www.webgoat.local www.webwolf.local
*/
@@ -51,11 +58,11 @@ public class WebWolfMacro extends InlineMacroProcessor {
HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
host = request.getHeader("Host");
int semicolonIndex = host.indexOf(":");
- if (semicolonIndex==-1 || host.endsWith(":80")) {
- host = host.replace(":80", "").replace("www.webgoat.local", "www.webwolf.local");
+ if (semicolonIndex == -1 || host.endsWith(":80")) {
+ host = host.replace(":80", "").replace("www.webgoat.local", "www.webwolf.local");
} else {
- host = host.substring(0, semicolonIndex);
- host = host.concat(":").concat(port);
+ host = host.substring(0, semicolonIndex);
+ host = host.concat(":").concat(port);
}
return "http://" + host + (includeWebWolfContext() ? "/WebWolf" : "");
}
diff --git a/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_decode.adoc b/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_decode.adoc
index 423e289e3..5a111fbc4 100644
--- a/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_decode.adoc
+++ b/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_decode.adoc
@@ -1,6 +1,6 @@
== Decoding a JWT token
-Let's try decoding a JWT token, for this you can use the webWolfLink:JWT[] functionality inside WebWolf.
+Let's try decoding a JWT token, for this you can use the webWolfLink:JWT[target=jwt] functionality inside WebWolf.
Given the following token:
[source]
diff --git a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc
index 3915b08bc..b2952ce64 100644
--- a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc
+++ b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc
@@ -13,7 +13,7 @@ We can again use WebWolf to host a file called `attack.dtd`, create this file wi
[source, subs="macros, specialcharacters"]
----
-
+
----
Now submit the form change the xml using to:
@@ -22,7 +22,7 @@ Now submit the form change the xml using to:
----
+
%remote;
]>
diff --git a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc
index a6e060d9e..e7d2d112a 100644
--- a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc
+++ b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc
@@ -11,6 +11,6 @@ In the previous page we showed you how you can ping a server with a XXE attack,
|===
-Try to upload this file using WebWolf landing page for example: `webWolfRootLink:landing?text=contents_file[noLink]`
+Try to upload this file using WebWolf landing page for example: `webWolfRootLink:landing?text=contents_file[noLink,target=landing]`
(NOTE: this endpoint is under your full control)
Once you obtained the contents of the file post it as a new comment on the page and you will solve the lesson.
\ No newline at end of file