diff --git a/src/main/java/org/owasp/webgoat/container/WebGoat.java b/src/main/java/org/owasp/webgoat/container/WebGoat.java
index f98b95e81..71a4aa9fc 100644
--- a/src/main/java/org/owasp/webgoat/container/WebGoat.java
+++ b/src/main/java/org/owasp/webgoat/container/WebGoat.java
@@ -33,7 +33,6 @@ package org.owasp.webgoat.container;
 import java.io.File;
 import org.owasp.webgoat.container.session.LessonSession;
-import org.owasp.webgoat.container.users.UserRepository;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.boot.autoconfigure.domain.EntityScan;
@@ -54,12 +53,6 @@ import org.springframework.web.client.RestTemplate;
 @EntityScan(basePackages = "org.owasp.webgoat.container")
 public class WebGoat {
- private final UserRepository userRepository;
-
- public WebGoat(UserRepository userRepository) {
- this.userRepository = userRepository;
- }
-
 @Bean(name = "pluginTargetDirectory")
 public File pluginTargetDirectory(@Value("${webgoat.user.directory}") final String webgoatHome) {
 return new File(webgoatHome);
diff --git a/src/main/java/org/owasp/webgoat/container/assignments/AssignmentEndpoint.java b/src/main/java/org/owasp/webgoat/container/assignments/AssignmentEndpoint.java
index 78893ee12..da3edbab5 100644
--- a/src/main/java/org/owasp/webgoat/container/assignments/AssignmentEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/container/assignments/AssignmentEndpoint.java
@@ -25,51 +25,4 @@ package org.owasp.webgoat.container.assignments;
-import org.owasp.webgoat.container.i18n.PluginMessages;
-import org.springframework.beans.factory.annotation.Autowired;
-
-public abstract class AssignmentEndpoint {
-
- // TODO: move this to different bean.
- @Autowired private PluginMessages messages;
-
- /**
- * Convenience method for create a successful result:
- *
- *

- Assignment is set to solved - Feedback message is set to 'assignment.solved' - * - *

Of course you can overwrite these values in a specific lesson - * - * @return a builder for creating a result from a lesson - * @param assignment - */ - protected AttackResult.AttackResultBuilder success(AssignmentEndpoint assignment) { - return AttackResult.builder(messages) - .lessonCompleted(true) - .attemptWasMade() - .feedback("assignment.solved") - .assignment(assignment); - } - - /** - * Convenience method for create a failed result: - * - *

- Assignment is set to not solved - Feedback message is set to 'assignment.not.solved' - * - *

Of course you can overwrite these values in a specific lesson - * - * @return a builder for creating a result from a lesson - * @param assignment - */ - protected AttackResult.AttackResultBuilder failed(AssignmentEndpoint assignment) { - return AttackResult.builder(messages) - .lessonCompleted(false) - .attemptWasMade() - .feedback("assignment.not.solved") - .assignment(assignment); - } - - protected AttackResult.AttackResultBuilder informationMessage(AssignmentEndpoint assignment) { - return AttackResult.builder(messages).lessonCompleted(false).assignment(assignment); - } -} +public abstract class AssignmentEndpoint {} diff --git a/src/main/java/org/owasp/webgoat/container/assignments/AttackResult.java b/src/main/java/org/owasp/webgoat/container/assignments/AttackResult.java index 3cf353c21..2473533f4 100644 --- a/src/main/java/org/owasp/webgoat/container/assignments/AttackResult.java +++ b/src/main/java/org/owasp/webgoat/container/assignments/AttackResult.java 
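Review bot: The new `public abstract class AssignmentEndpoint {}` carries no Javadoc, so a reader of the file can no longer tell why lessons still extend it; the only role visible in this diff is that `AttackResultBuilder.build()` reports `assignment.getClass().getSimpleName()`, which makes this a marker base type. Suggest adding `/** Marker base class for lesson assignment controllers; the concrete class's simple name identifies the assignment in each {@link AttackResult}. */` above the declaration. Because `success`, `failed` and `informationMessage` are no longer inherited, every subclass now depends on the static imports from `AttackResultBuilder`; a lesson class not touched by this commit would fail to compile, which can only be checked outside this diff.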
@@ -30,80 +30,16 @@ import static org.apache.commons.text.StringEscapeUtils.escapeJson;
 import lombok.Getter;
 import org.owasp.webgoat.container.i18n.PluginMessages;
+@Getter
 public class AttackResult {
- public static class AttackResultBuilder {
-
- private boolean lessonCompleted;
- private PluginMessages messages;
- private Object[] feedbackArgs;
- private String feedbackResourceBundleKey;
- private String output;
- private Object[] outputArgs;
- private AssignmentEndpoint assignment;
- private boolean attemptWasMade = false;
-
- public AttackResultBuilder(PluginMessages messages) {
- this.messages = messages;
- }
-
- public AttackResultBuilder lessonCompleted(boolean lessonCompleted) {
- this.lessonCompleted = lessonCompleted;
- this.feedbackResourceBundleKey = "lesson.completed";
- return this;
- }
-
- public AttackResultBuilder lessonCompleted(boolean lessonCompleted, String resourceBundleKey) {
- this.lessonCompleted = lessonCompleted;
- this.feedbackResourceBundleKey = resourceBundleKey;
- return this;
- }
-
- public AttackResultBuilder feedbackArgs(Object... args) {
- this.feedbackArgs = args;
- return this;
- }
-
- public AttackResultBuilder feedback(String resourceBundleKey) {
- this.feedbackResourceBundleKey = resourceBundleKey;
- return this;
- }
-
- public AttackResultBuilder output(String output) {
- this.output = output;
- return this;
- }
-
- public AttackResultBuilder outputArgs(Object...
args) {
- this.outputArgs = args;
- return this;
- }
-
- public AttackResultBuilder attemptWasMade() {
- this.attemptWasMade = true;
- return this;
- }
-
- public AttackResult build() {
- return new AttackResult(
- lessonCompleted,
- messages.getMessage(feedbackResourceBundleKey, feedbackArgs),
- messages.getMessage(output, output, outputArgs),
- assignment.getClass().getSimpleName(),
- attemptWasMade);
- }
-
- public AttackResultBuilder assignment(AssignmentEndpoint assignment) {
- this.assignment = assignment;
- return this;
- }
- }
-
- @Getter private boolean lessonCompleted;
- @Getter private String feedback;
- @Getter private String output;
- @Getter private final String assignment;
- @Getter private boolean attemptWasMade;
+ private boolean lessonCompleted;
+ private String feedback;
+ private Object[] feedbackArgs;
+ private String output;
+ private Object[] outputArgs;
+ private final String assignment;
+ private boolean attemptWasMade;
 public AttackResult(
 boolean lessonCompleted,
@@ -118,11 +54,33 @@ public class AttackResult {
 this.attemptWasMade = attemptWasMade;
 }
- public static AttackResultBuilder builder(PluginMessages messages) {
- return new AttackResultBuilder(messages);
+ public AttackResult(
+ boolean lessonCompleted,
+ String feedback,
+ Object[] feedbackArgs,
+ String output,
+ Object[] outputArgs,
+ String assignment,
+ boolean attemptWasMade) {
+ this.lessonCompleted = lessonCompleted;
+ this.feedback = feedback;
+ this.feedbackArgs = feedbackArgs;
+ this.output = output;
+ this.outputArgs = outputArgs;
+ this.assignment = assignment;
+ this.attemptWasMade = attemptWasMade;
 }
 public boolean assignmentSolved() {
 return lessonCompleted;
 }
+
+ public AttackResult apply(PluginMessages pluginMessages) {
+ return new AttackResult(
+ lessonCompleted,
+ pluginMessages.getMessage(feedback, feedback, feedbackArgs),
+ pluginMessages.getMessage(output, output, outputArgs),
+ assignment,
+ attemptWasMade);
+ }
 }
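Review bot: The class-level `@Getter` now generates `getFeedbackArgs()` and `getOutputArgs()` for the two new `Object[]` fields, so those arrays — builder-internal in the removed code — become part of the JSON written for an `AttackResult` (Jackson picks up properties through getters by default) and are handed out by reference rather than copied. After `apply()` they are null, so clients would see two new `feedbackArgs`/`outputArgs` properties, and an `AttackResult` that reaches a message converter without passing through the advice would serialize the raw argument objects. Suggest `@Getter(AccessLevel.NONE)` (or `@JsonIgnore`) on `feedbackArgs` and `outputArgs`, plus a comment on `feedback`/`output` stating that until `apply()` runs they hold resource-bundle keys, not user-visible text. The `escapeJson` static import kept as context may be unused now that the nested builder is gone; that is not decidable from the hunk.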
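Review bot: `apply()` resolves feedback with the three-argument `getMessage(feedback, feedback, feedbackArgs)`, i.e. with the key itself as the default, whereas the removed `build()` called `messages.getMessage(feedbackResourceBundleKey, feedbackArgs)` with no default; a feedback key that has no translation is therefore now echoed verbatim to the client instead of whatever the two-argument variant did on a miss (its behaviour is not visible here). If that fallback is intended, state it in a Javadoc on `apply`: `/** Returns a copy whose feedback and output are resolved through pluginMessages; the builder stores bundle keys and resolution is deferred to the response-body advice. A key with no translation is returned as-is. */`. The new seven-argument constructor also needs a one-line comment saying that `feedback` and `output` are keys rather than messages, since it is now the only public way to construct an unresolved result.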
diff --git a/src/main/java/org/owasp/webgoat/container/assignments/AttackResultBuilder.java b/src/main/java/org/owasp/webgoat/container/assignments/AttackResultBuilder.java
new file mode 100644
index 000000000..b7367dcdc
--- /dev/null
+++ b/src/main/java/org/owasp/webgoat/container/assignments/AttackResultBuilder.java
@@ -0,0 +1,138 @@
+package org.owasp.webgoat.container.assignments;
+
+import org.owasp.webgoat.container.i18n.PluginMessages;
+
+public class AttackResultBuilder {
+
+ private PluginMessages messages;
+ private boolean lessonCompleted;
+ private Object[] feedbackArgs;
+ private String feedbackResourceBundleKey;
+ private String output;
+ private Object[] outputArgs;
+ private AssignmentEndpoint assignment;
+ private boolean attemptWasMade = false;
+ private boolean assignmentCompleted;
+
+ public AttackResultBuilder(PluginMessages messages) {
+ this.messages = messages;
+ }
+
+ public AttackResultBuilder() {}
+
+ public AttackResultBuilder lessonCompleted(boolean lessonCompleted) {
+ this.lessonCompleted = lessonCompleted;
+ this.feedbackResourceBundleKey = "lesson.completed";
+ return this;
+ }
+
+ public AttackResultBuilder lessonCompleted(boolean lessonCompleted, String resourceBundleKey) {
+ this.lessonCompleted = lessonCompleted;
+ this.feedbackResourceBundleKey = resourceBundleKey;
+ return this;
+ }
+
+ public AttackResultBuilder assignmentCompleted(boolean assignmentCompleted) {
+ this.assignmentCompleted = assignmentCompleted;
+ this.feedbackResourceBundleKey = "assignment.completed";
+ return this;
+ }
+
+ public AttackResultBuilder assignmentCompleted(
+ boolean assignmentCompleted, String resourceBundleKey) {
+ this.assignmentCompleted = assignmentCompleted;
+ this.feedbackResourceBundleKey = resourceBundleKey;
+ return this;
+ }
+
+ public AttackResultBuilder feedbackArgs(Object... args) {
+ this.feedbackArgs = args;
+ return this;
+ }
+
+ public AttackResultBuilder feedback(String resourceBundleKey) {
+ this.feedbackResourceBundleKey = resourceBundleKey;
+ return this;
+ }
+
+ public AttackResultBuilder output(String output) {
+ this.output = output;
+ return this;
+ }
+
+ public AttackResultBuilder outputArgs(Object...
args) {
+ this.outputArgs = args;
+ return this;
+ }
+
+ public AttackResultBuilder attemptWasMade() {
+ this.attemptWasMade = true;
+ return this;
+ }
+
+ public AttackResult build() {
+ return new AttackResult(
+ lessonCompleted,
+ feedbackResourceBundleKey,
+ feedbackArgs,
+ output,
+ outputArgs,
+ assignment.getClass().getSimpleName(),
+ attemptWasMade);
+ }
+
+ public AttackResultBuilder assignment(AssignmentEndpoint assignment) {
+ this.assignment = assignment;
+ return this;
+ }
+
+ /**
+ * Convenience method for create a successful result:
+ *
+ *

- Assignment is set to solved - Feedback message is set to 'assignment.solved' + * + *

Of course you can overwrite these values in a specific lesson + * + * @return a builder for creating a result from a lesson + * @param assignment + */ + public AttackResultBuilder oldSuccess(AssignmentEndpoint assignment) { + return this.lessonCompleted(true) + .assignmentCompleted(true) + .attemptWasMade() + .feedback("assignment.solved") + .assignment(assignment); + } + + public static AttackResultBuilder success(AssignmentEndpoint assignment) { + return new AttackResultBuilder() + .lessonCompleted(true) + .assignmentCompleted(true) + .attemptWasMade() + .feedback("assignment.solved") + .assignment(assignment); + } + + /** + * Convenience method for create a failed result: + * + *

- Assignment is set to not solved - Feedback message is set to 'assignment.not.solved' + * + *

Of course you can overwrite these values in a specific lesson + * + * @return a builder for creating a result from a lesson + * @param assignment + */ + public static AttackResultBuilder failed(AssignmentEndpoint assignment) { + return new AttackResultBuilder() + .lessonCompleted(false) + .assignmentCompleted(true) + .attemptWasMade() + .feedback("assignment.not.solved") + .assignment(assignment); + } + + public static AttackResultBuilder informationMessage(AssignmentEndpoint assignment) { + return new AttackResultBuilder().lessonCompleted(false).assignment(assignment); + } +} diff --git a/src/main/java/org/owasp/webgoat/container/assignments/AttackResultMessageResponseBodyAdvice.java b/src/main/java/org/owasp/webgoat/container/assignments/AttackResultMessageResponseBodyAdvice.java new file mode 100644 index 000000000..eea080c81 --- /dev/null +++ b/src/main/java/org/owasp/webgoat/container/assignments/AttackResultMessageResponseBodyAdvice.java 
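Review bot: `build()` calls `assignment.getClass().getSimpleName()` without checking `assignment`, so a builder on which `assignment(...)` was never called throws a bare NullPointerException from the middle of `build()`; `Objects.requireNonNull(assignment, "assignment must be set before build()")` at the top of `build()` names the cause (`java.util.Objects` would need importing). `assignmentCompleted` is written by both `success()` and `failed()` — `failed()` sets it to `true` — but is never passed to `AttackResult` in `build()`, so it is write-only state, and the `true` in `failed()` would read as a slip if the flag is ever wired through. Likewise `messages` and the `AttackResultBuilder(PluginMessages)` constructor are no longer read anywhere in this file, and the instance method `oldSuccess` duplicates the static `success`. The Javadoc on `success` and `failed` still lists `@param assignment` with no description.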
@@ -0,0 +1,41 @@
+package org.owasp.webgoat.container.assignments;
+
+import org.owasp.webgoat.container.i18n.PluginMessages;
+import org.springframework.core.MethodParameter;
+import org.springframework.http.MediaType;
+import org.springframework.http.converter.HttpMessageConverter;
+import org.springframework.http.server.ServerHttpRequest;
+import org.springframework.http.server.ServerHttpResponse;
+import org.springframework.web.bind.annotation.RestControllerAdvice;
+import org.springframework.web.servlet.mvc.method.annotation.ResponseBodyAdvice;
+
+/** This class intercepts the response body and applies the plugin messages to the attack result. */
+@RestControllerAdvice
+public class AttackResultMessageResponseBodyAdvice implements ResponseBodyAdvice {
+
+ private final PluginMessages pluginMessages;
+
+ public AttackResultMessageResponseBodyAdvice(PluginMessages pluginMessages) {
+ this.pluginMessages = pluginMessages;
+ }
+
+ @Override
+ public boolean supports(
+ MethodParameter returnType, Class> converterType) {
+ return true;
+ }
+
+ @Override
+ public Object beforeBodyWrite(
+ Object body,
+ MethodParameter returnType,
+ MediaType selectedContentType,
+ Class> selectedConverterType,
+ ServerHttpRequest request,
+ ServerHttpResponse response) {
+ if (body instanceof AttackResult a) {
+ return a.apply(pluginMessages);
+ }
+ return body;
+ }
+}
diff --git a/src/main/java/org/owasp/webgoat/lessons/authbypass/VerifyAccount.java b/src/main/java/org/owasp/webgoat/lessons/authbypass/VerifyAccount.java
index 14e9a2888..8210e459f 100644
--- a/src/main/java/org/owasp/webgoat/lessons/authbypass/VerifyAccount.java
+++ b/src/main/java/org/owasp/webgoat/lessons/authbypass/VerifyAccount.java
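Review bot: `supports()` returns `true` unconditionally, so `beforeBodyWrite` is invoked for every `@RestController` response in the application and the `instanceof AttackResult` test is the only thing keeping the advice away from unrelated bodies. Returning `AttackResult.class.isAssignableFrom(returnType.getParameterType())` states the intent and skips the call for the other controllers; keep the `instanceof` guard, because `getParameterType()` is the declared return type and a wrapped return such as `ResponseEntity` would not match it. Scoping the advice with `@RestControllerAdvice(assignableTypes = AssignmentEndpoint.class)` is an alternative if every `AttackResult` producer extends `AssignmentEndpoint`, which this diff does not establish. The type argument of `implements ResponseBodyAdvice` is not visible in the rendered hunk; if the class is in fact raw, declare it as `ResponseBodyAdvice<Object>` so the overrides are checked against the interface.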
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.authbypass; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success; + import jakarta.servlet.ServletException; import jakarta.servlet.http.HttpServletRequest; import java.io.IOException; diff --git a/src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFieldRestrictions.java b/src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFieldRestrictions.java index 2ea8db965..0178d5a2a 100644 --- a/src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFieldRestrictions.java +++ b/src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFieldRestrictions.java @@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.bypassrestrictions; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success; + import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AttackResult; import org.springframework.web.bind.annotation.PostMapping; diff --git a/src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFrontendValidation.java b/src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFrontendValidation.java index 9d2c048eb..cbf2f3948 100644 --- a/src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFrontendValidation.java +++ b/src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFrontendValidation.java 
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.bypassrestrictions; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success; + import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AttackResult; import org.springframework.web.bind.annotation.PostMapping; diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/FlagController.java b/src/main/java/org/owasp/webgoat/lessons/challenges/FlagController.java index f887030a5..d7af3d9df 100644 --- a/src/main/java/org/owasp/webgoat/lessons/challenges/FlagController.java +++ b/src/main/java/org/owasp/webgoat/lessons/challenges/FlagController.java @@ -22,7 +22,9 @@ package org.owasp.webgoat.lessons.challenges; -import lombok.AllArgsConstructor; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success; + import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AttackResult; import org.springframework.web.bind.annotation.PathVariable; @@ -32,11 +34,14 @@ import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.RestController; @RestController -@AllArgsConstructor public class FlagController extends AssignmentEndpoint { private final Flags flags; + public FlagController(Flags flags) { + this.flags = flags; + } + @PostMapping(path = "/challenge/flag/{flagNumber}") @ResponseBody public AttackResult postFlag(@PathVariable int flagNumber, @RequestParam String flag) { diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/Assignment1.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/Assignment1.java index de99c4470..84456ff31 100644 
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/Assignment1.java +++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/Assignment1.java @@ -1,8 +1,9 @@ package org.owasp.webgoat.lessons.challenges.challenge1; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success; import static org.owasp.webgoat.lessons.challenges.SolutionConstants.PASSWORD; -import lombok.RequiredArgsConstructor; import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.lessons.challenges.Flags; @@ -42,11 +43,14 @@ import org.springframework.web.bind.annotation.RestController; * @since August 11, 2016 */ @RestController -@RequiredArgsConstructor public class Assignment1 extends AssignmentEndpoint { private final Flags flags; + public Assignment1(Flags flags) { + this.flags = flags; + } + @PostMapping("/challenge/1") @ResponseBody public AttackResult completed(@RequestParam String username, @RequestParam String password) { diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Assignment5.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Assignment5.java index c8b3f3d10..d1d00b854 100644 --- a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Assignment5.java +++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Assignment5.java @@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.challenges.challenge5; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success; + import java.sql.PreparedStatement; import java.sql.ResultSet; import lombok.RequiredArgsConstructor; 
diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7.java index a641bff28..96c0c9bda 100644 --- a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7.java +++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7.java @@ -1,5 +1,7 @@ package org.owasp.webgoat.lessons.challenges.challenge7; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success; + import jakarta.servlet.http.HttpServletRequest; import java.net.URI; import java.net.URISyntaxException; diff --git a/src/main/java/org/owasp/webgoat/lessons/chromedevtools/NetworkDummy.java b/src/main/java/org/owasp/webgoat/lessons/chromedevtools/NetworkDummy.java index dea467589..491c2d7a7 100644 --- a/src/main/java/org/owasp/webgoat/lessons/chromedevtools/NetworkDummy.java +++ b/src/main/java/org/owasp/webgoat/lessons/chromedevtools/NetworkDummy.java @@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.chromedevtools; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success; + import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.session.LessonSession; diff --git a/src/main/java/org/owasp/webgoat/lessons/chromedevtools/NetworkLesson.java b/src/main/java/org/owasp/webgoat/lessons/chromedevtools/NetworkLesson.java index 7441ab4a5..817e20dbc 100644 --- a/src/main/java/org/owasp/webgoat/lessons/chromedevtools/NetworkLesson.java +++ b/src/main/java/org/owasp/webgoat/lessons/chromedevtools/NetworkLesson.java 
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.chromedevtools;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
diff --git a/src/main/java/org/owasp/webgoat/lessons/cia/CIAQuiz.java b/src/main/java/org/owasp/webgoat/lessons/cia/CIAQuiz.java
index fa01b43e5..377c12a2c 100644
--- a/src/main/java/org/owasp/webgoat/lessons/cia/CIAQuiz.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cia/CIAQuiz.java
@@ -1,5 +1,8 @@
 package org.owasp.webgoat.lessons.cia;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -11,7 +14,7 @@ import org.springframework.web.bind.annotation.RestController;
 @RestController
 public class CIAQuiz extends AssignmentEndpoint {
- String[] solutions = {"Solution 3", "Solution 1", "Solution 4", "Solution 2"};
+ private final String[] solutions = {"Solution 3", "Solution 1", "Solution 4", "Solution 2"};
 boolean[] guesses = new boolean[solutions.length];
 @PostMapping("/cia/quiz")
diff --git a/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringAssignment.java b/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringAssignment.java
index fbe11da93..f786deb54 100644
--- a/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringAssignment.java
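Review bot: In the second CIAQuiz hunk `solutions` becomes `private final`, but `boolean[] guesses = new boolean[solutions.length];` on the next context line is still package-private and mutable. No scope annotation is visible, so the `@RestController` is presumably a singleton, which makes `guesses` a single array shared by every user session; that is pre-existing, but since the neighbouring line is being tightened it is worth either making `guesses` `private` as well or, if it is meant to track one user's progress, moving it into `LessonSession`, which several lessons in this diff already inject. The rest of the class is outside the hunk.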
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.clientsidefiltering; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success; + import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentHints; import org.owasp.webgoat.container.assignments.AttackResult; diff --git a/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringFreeAssignment.java b/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringFreeAssignment.java index 9db150279..9bd11d61b 100644 --- a/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringFreeAssignment.java +++ b/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringFreeAssignment.java @@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.clientsidefiltering; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success; + import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentHints; import org.owasp.webgoat.container.assignments.AttackResult; @@ -41,7 +44,6 @@ import org.springframework.web.bind.annotation.RestController; "client.side.filtering.free.hint3" }) public class ClientSideFilteringFreeAssignment extends AssignmentEndpoint { - public static final String SUPER_COUPON_CODE = "get_it_for_free"; @PostMapping("/clientSideFiltering/getItForFree") diff --git a/src/main/java/org/owasp/webgoat/lessons/cryptography/EncodingAssignment.java b/src/main/java/org/owasp/webgoat/lessons/cryptography/EncodingAssignment.java index 437e89959..23546e4ca 100644 --- a/src/main/java/org/owasp/webgoat/lessons/cryptography/EncodingAssignment.java 
+++ b/src/main/java/org/owasp/webgoat/lessons/cryptography/EncodingAssignment.java @@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.cryptography; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success; + import jakarta.servlet.http.HttpServletRequest; import java.util.Base64; import java.util.Random; diff --git a/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java b/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java index 266c53ffa..dde490858 100644 --- a/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java +++ b/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java @@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.cryptography; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success; + import jakarta.servlet.http.HttpServletRequest; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; @@ -40,7 +43,6 @@ import org.springframework.web.bind.annotation.RestController; @RestController @AssignmentHints({"crypto-hashing.hints.1", "crypto-hashing.hints.2"}) public class HashingAssignment extends AssignmentEndpoint { - public static final String[] SECRETS = {"secret", "admin", "password", "123456", "passw0rd"}; @RequestMapping(path = "/crypto/hashing/md5", produces = MediaType.TEXT_HTML_VALUE) diff --git a/src/main/java/org/owasp/webgoat/lessons/cryptography/SecureDefaultsAssignment.java b/src/main/java/org/owasp/webgoat/lessons/cryptography/SecureDefaultsAssignment.java index bb28f4202..01cad0b34 100644 --- a/src/main/java/org/owasp/webgoat/lessons/cryptography/SecureDefaultsAssignment.java +++ b/src/main/java/org/owasp/webgoat/lessons/cryptography/SecureDefaultsAssignment.java 
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.cryptography; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success; + import java.security.NoSuchAlgorithmException; import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentHints; diff --git a/src/main/java/org/owasp/webgoat/lessons/cryptography/SigningAssignment.java b/src/main/java/org/owasp/webgoat/lessons/cryptography/SigningAssignment.java index ffcb739a5..64d62c481 100644 --- a/src/main/java/org/owasp/webgoat/lessons/cryptography/SigningAssignment.java +++ b/src/main/java/org/owasp/webgoat/lessons/cryptography/SigningAssignment.java @@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.cryptography; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success; + import jakarta.servlet.http.HttpServletRequest; import java.security.InvalidAlgorithmParameterException; import java.security.KeyPair; diff --git a/src/main/java/org/owasp/webgoat/lessons/cryptography/XOREncodingAssignment.java b/src/main/java/org/owasp/webgoat/lessons/cryptography/XOREncodingAssignment.java index d7e3ed94d..e77c5b093 100644 --- a/src/main/java/org/owasp/webgoat/lessons/cryptography/XOREncodingAssignment.java +++ b/src/main/java/org/owasp/webgoat/lessons/cryptography/XOREncodingAssignment.java @@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.cryptography; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success; + import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentHints; import org.owasp.webgoat.container.assignments.AttackResult; 
diff --git a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFConfirmFlag1.java b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFConfirmFlag1.java index 4ec61916c..00ea70878 100644 --- a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFConfirmFlag1.java +++ b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFConfirmFlag1.java @@ -22,11 +22,13 @@ package org.owasp.webgoat.lessons.csrf; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success; + import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentHints; import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.session.LessonSession; -import org.springframework.beans.factory.annotation.Autowired; import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.RestController; @@ -36,7 +38,11 @@ import org.springframework.web.bind.annotation.RestController; @AssignmentHints({"csrf-get.hint1", "csrf-get.hint2", "csrf-get.hint3", "csrf-get.hint4"}) public class CSRFConfirmFlag1 extends AssignmentEndpoint { - @Autowired LessonSession userSessionData; + private final LessonSession userSessionData; + + public CSRFConfirmFlag1(LessonSession userSessionData) { + this.userSessionData = userSessionData; + } @PostMapping( path = "/csrf/confirm-flag-1", diff --git a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFFeedback.java b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFFeedback.java index 9023c3b16..5960b430e 100644 --- a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFFeedback.java +++ b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFFeedback.java 
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.csrf; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success; + import com.fasterxml.jackson.databind.DeserializationFeature; import com.fasterxml.jackson.databind.ObjectMapper; import jakarta.servlet.http.Cookie; @@ -34,7 +37,6 @@ import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentHints; import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.session.LessonSession; -import org.springframework.beans.factory.annotation.Autowired; import org.springframework.http.MediaType; import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.RequestBody; @@ -46,8 +48,13 @@ import org.springframework.web.bind.annotation.RestController; @AssignmentHints({"csrf-feedback-hint1", "csrf-feedback-hint2", "csrf-feedback-hint3"}) public class CSRFFeedback extends AssignmentEndpoint { - @Autowired private LessonSession userSessionData; - @Autowired private ObjectMapper objectMapper; + private final LessonSession userSessionData; + private final ObjectMapper objectMapper; + + public CSRFFeedback(LessonSession userSessionData, ObjectMapper objectMapper) { + this.userSessionData = userSessionData; + this.objectMapper = objectMapper; + } @PostMapping( value = "/csrf/feedback/message", diff --git a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFLogin.java b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFLogin.java index 11e1438fa..665efc6ee 100644 --- a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFLogin.java +++ b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFLogin.java 
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.csrf;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import org.owasp.webgoat.container.CurrentUsername;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
diff --git a/src/main/java/org/owasp/webgoat/lessons/csrf/ForgedReviews.java b/src/main/java/org/owasp/webgoat/lessons/csrf/ForgedReviews.java
index 2dc315bab..33e7fb8bc 100644
--- a/src/main/java/org/owasp/webgoat/lessons/csrf/ForgedReviews.java
+++ b/src/main/java/org/owasp/webgoat/lessons/csrf/ForgedReviews.java
@@ -22,6 +22,8 @@ package org.owasp.webgoat.lessons.csrf;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
 import static org.springframework.http.MediaType.ALL_VALUE;
 import com.google.common.collect.Lists;
diff --git a/src/main/java/org/owasp/webgoat/lessons/deserialization/InsecureDeserializationTask.java b/src/main/java/org/owasp/webgoat/lessons/deserialization/InsecureDeserializationTask.java
index d44823fdc..df7c4d0fb 100644
--- a/src/main/java/org/owasp/webgoat/lessons/deserialization/InsecureDeserializationTask.java
+++ b/src/main/java/org/owasp/webgoat/lessons/deserialization/InsecureDeserializationTask.java
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.deserialization;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InvalidClassException;
diff --git a/src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignment.java b/src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignment.java
index 8fae4e89d..ab1a583d8 100644
--- a/src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignment.java
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.hijacksession;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import jakarta.servlet.http.Cookie;
 import jakarta.servlet.http.HttpServletResponse;
 import org.apache.commons.lang3.StringUtils;
@@ -30,7 +33,6 @@ import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.owasp.webgoat.lessons.hijacksession.cas.Authentication;
 import org.owasp.webgoat.lessons.hijacksession.cas.HijackSessionAuthenticationProvider;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.CookieValue;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
@@ -52,10 +54,13 @@ import org.springframework.web.bind.annotation.RestController;
 "hijacksession.hints.5"
 })
 public class HijackSessionAssignment extends AssignmentEndpoint {
- private static final String COOKIE_NAME = "hijack_cookie";
- @Autowired HijackSessionAuthenticationProvider provider;
+ private final HijackSessionAuthenticationProvider provider;
+
+ public HijackSessionAssignment(HijackSessionAuthenticationProvider provider) {
+ this.provider = provider;
+ }
 @PostMapping(path = "/HijackSession/login")
 @ResponseBody
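Review bot: The `COOKIE_NAME = "hijack_cookie"` constant is dropped in the third hunk while `Cookie` and `@CookieValue` remain imported, so the cookie name presumably now lives as a bare string literal in the handler bodies below the hunk. If the same name is both set on a `Cookie` in one handler and read through `@CookieValue` in another, keep the constant and reference it, e.g. `@CookieValue(COOKIE_NAME)`, so the two spellings cannot drift apart. If the constant was genuinely unused the removal is fine, but the commit message should say so. The class body continues past the end of the hunk.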
diff --git a/src/main/java/org/owasp/webgoat/lessons/htmltampering/HtmlTamperingTask.java b/src/main/java/org/owasp/webgoat/lessons/htmltampering/HtmlTamperingTask.java
index 8a0ba7103..0cd73c037 100644
--- a/src/main/java/org/owasp/webgoat/lessons/htmltampering/HtmlTamperingTask.java
+++ b/src/main/java/org/owasp/webgoat/lessons/htmltampering/HtmlTamperingTask.java
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.htmltampering;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
diff --git a/src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasicsLesson.java b/src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasicsLesson.java
index 883f14f31..c1d56e171 100644
--- a/src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasicsLesson.java
+++ b/src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasicsLesson.java
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.httpbasics;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
diff --git a/src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasicsQuiz.java b/src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasicsQuiz.java
index c6c14ad73..ce80179e7 100644
--- a/src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasicsQuiz.java
+++ b/src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasicsQuiz.java
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.httpbasics;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AssignmentPath;
diff --git a/src/main/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequest.java b/src/main/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequest.java
index 7330c747b..f8f85a7f8 100644
--- a/src/main/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequest.java
+++ b/src/main/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequest.java
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.httpproxies;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import jakarta.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
diff --git a/src/main/java/org/owasp/webgoat/lessons/idor/IDORDiffAttributes.java b/src/main/java/org/owasp/webgoat/lessons/idor/IDORDiffAttributes.java
index f91099742..00885761b 100644
--- a/src/main/java/org/owasp/webgoat/lessons/idor/IDORDiffAttributes.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/IDORDiffAttributes.java
@@ -23,6 +23,9 @@ package org.owasp.webgoat.lessons.idor;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
diff --git a/src/main/java/org/owasp/webgoat/lessons/idor/IDOREditOtherProfile.java b/src/main/java/org/owasp/webgoat/lessons/idor/IDOREditOtherProfile.java
index 39207dcf4..720491c5d 100644
--- a/src/main/java/org/owasp/webgoat/lessons/idor/IDOREditOtherProfile.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/IDOREditOtherProfile.java
@@ -23,11 +23,13 @@ package org.owasp.webgoat.lessons.idor;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.owasp.webgoat.container.session.LessonSession;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PutMapping;
 import org.springframework.web.bind.annotation.RequestBody;
@@ -48,7 +50,11 @@ import org.springframework.web.bind.annotation.RestController;
 })
 public class IDOREditOtherProfile extends AssignmentEndpoint {
- @Autowired private LessonSession userSessionData;
+ private final LessonSession userSessionData;
+
+ public IDOREditOtherProfile(LessonSession lessonSession) {
+ this.userSessionData = lessonSession;
+ }
 @PutMapping(path = "/IDOR/profile/{userId}", consumes = "application/json")
 @ResponseBody
diff --git a/src/main/java/org/owasp/webgoat/lessons/idor/IDORLogin.java b/src/main/java/org/owasp/webgoat/lessons/idor/IDORLogin.java
index dd9d6e23c..77158c43d 100644
--- a/src/main/java/org/owasp/webgoat/lessons/idor/IDORLogin.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/IDORLogin.java
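Review bot: The new constructor names its parameter `lessonSession` but stores it in `userSessionData`, whereas the sibling classes converted in this commit (CSRFConfirmFlag1, IDORViewOtherProfile, IDORViewOwnProfile) name the parameter after the field; for consistency use `public IDOREditOtherProfile(LessonSession userSessionData) { this.userSessionData = userSessionData; }`. The `@PutMapping` handler that reads the field lies outside the hunk.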
@@ -23,6 +23,9 @@ package org.owasp.webgoat.lessons.idor;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import java.util.HashMap;
 import java.util.Map;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@@ -37,14 +40,13 @@ import org.springframework.web.bind.annotation.RestController;
 @RestController
 @AssignmentHints({"idor.hints.idor_login"})
 public class IDORLogin extends AssignmentEndpoint {
-
 private final LessonSession lessonSession;
 public IDORLogin(LessonSession lessonSession) {
 this.lessonSession = lessonSession;
 }
- private Map> idorUserInfo = new HashMap<>();
+ private final Map> idorUserInfo = new HashMap<>();
 public void initIDORInfo() {
diff --git a/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java b/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java
index c5a82846c..0be4563bb 100644
--- a/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java
@@ -23,12 +23,13 @@ package org.owasp.webgoat.lessons.idor;
-import jakarta.servlet.http.HttpServletResponse;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.owasp.webgoat.container.session.LessonSession;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.ResponseBody;
@@ -48,13 +49,17 @@ import org.springframework.web.bind.annotation.RestController;
 })
 public class IDORViewOtherProfile extends AssignmentEndpoint {
- @Autowired LessonSession userSessionData;
+ private final LessonSession userSessionData;
+
+ public IDORViewOtherProfile(LessonSession userSessionData) {
+ this.userSessionData = userSessionData;
+ }
 @GetMapping(
 path = "/IDOR/profile/{userId}",
 produces = {"application/json"})
 @ResponseBody
- public AttackResult completed(@PathVariable("userId") String userId, HttpServletResponse resp) {
+ public AttackResult completed(@PathVariable("userId") String userId) {
 Object obj = userSessionData.getValue("idor-authenticated-as");
 if (obj != null && obj.equals("tom")) {
diff --git a/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfile.java b/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfile.java
index c6c09bf23..5897fa868 100644
--- a/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfile.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfile.java
@@ -27,7 +27,6 @@ import java.util.HashMap;
 import java.util.Map;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.session.LessonSession;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
@@ -36,7 +35,11 @@ import org.springframework.web.bind.annotation.RestController;
 @Slf4j
 public class IDORViewOwnProfile {
- @Autowired LessonSession userSessionData;
+ private final LessonSession userSessionData;
+
+ public IDORViewOwnProfile(LessonSession userSessionData) {
+ this.userSessionData = userSessionData;
+ }
 @GetMapping(
 path = {"/IDOR/own", "/IDOR/profile"},
@@ -60,7 +63,7 @@ public class IDORViewOwnProfile {
 "You do not have privileges to view the profile. Authenticate as tom first please.");
 }
 } catch (Exception ex) {
- log.error("something went wrong", ex.getMessage());
+ log.error("something went wrong: {}", ex.getMessage());
 }
 return details;
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfileAltUrl.java b/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfileAltUrl.java
index df1d9781e..964657c8a 100644
--- a/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfileAltUrl.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfileAltUrl.java
@@ -23,11 +23,13 @@ package org.owasp.webgoat.lessons.idor;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.owasp.webgoat.container.session.LessonSession;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
@@ -40,8 +42,11 @@ import org.springframework.web.bind.annotation.RestController;
 "idor.hints.ownProfileAltUrl3"
 })
 public class IDORViewOwnProfileAltUrl extends AssignmentEndpoint {
+ private final LessonSession userSessionData;
- @Autowired LessonSession userSessionData;
+ public IDORViewOwnProfileAltUrl(LessonSession userSessionData) {
+ this.userSessionData = userSessionData;
+ }
 @PostMapping("/IDOR/profile/alt-path")
 @ResponseBody
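Review bot: `log.error("something went wrong: {}", ex.getMessage())` repairs the stray argument but still throws away the stack trace, which is the one thing that makes an unexpected exception diagnosable; pass the throwable itself as the last argument, `log.error("something went wrong", ex);`, and SLF4J logs both message and trace. The enclosing `catch (Exception ex)` is pre-existing and broad, so this line is the only place the caught exception ever surfaces and it should carry the full exception. The enclosing method starts before the hunk.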
diff --git a/src/main/java/org/owasp/webgoat/lessons/insecurelogin/InsecureLoginTask.java b/src/main/java/org/owasp/webgoat/lessons/insecurelogin/InsecureLoginTask.java
index 8d39a594d..8478105b5 100644
--- a/src/main/java/org/owasp/webgoat/lessons/insecurelogin/InsecureLoginTask.java
+++ b/src/main/java/org/owasp/webgoat/lessons/insecurelogin/InsecureLoginTask.java
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.insecurelogin;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.http.HttpStatus;
diff --git a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTDecodeEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTDecodeEndpoint.java
index 9b27236cb..d052000d2 100644
--- a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTDecodeEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTDecodeEndpoint.java
@@ -1,5 +1,8 @@
 package org.owasp.webgoat.lessons.jwt;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
diff --git a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTQuiz.java b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTQuiz.java
index abcd08edd..d0286a24c 100644
--- a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTQuiz.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTQuiz.java
@@ -1,5 +1,8 @@
 package org.owasp.webgoat.lessons.jwt;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.GetMapping;
diff --git a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpoint.java
index 4efc9db09..2f114b04b 100644
--- a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpoint.java
@@ -22,6 +22,8 @@ package org.owasp.webgoat.lessons.jwt;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
 import static org.springframework.http.ResponseEntity.ok;
 import io.jsonwebtoken.Claims;
diff --git a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTSecretKeyEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTSecretKeyEndpoint.java
index 0e688c049..595026474 100644
--- a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTSecretKeyEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTSecretKeyEndpoint.java
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.jwt;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.Jwt;
 import io.jsonwebtoken.Jwts;
diff --git a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java
index e1ac1a0d2..ec69ad3e4 100644
--- a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java
@@ -25,6 +25,8 @@ package org.owasp.webgoat.lessons.jwt;
 import static java.util.Comparator.comparingLong;
 import static java.util.Optional.ofNullable;
 import static java.util.stream.Collectors.toList;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.Jwt;
@@ -72,7 +74,7 @@ public class JWTVotesEndpoint extends AssignmentEndpoint {
 private static String validUsers = "TomJerrySylvester";
 private static int totalVotes = 38929;
- private Map votes = new HashMap<>();
+ private final Map votes = new HashMap<>();
 @PostConstruct
 public void initVotes() {
diff --git a/src/main/java/org/owasp/webgoat/lessons/jwt/claimmisuse/JWTHeaderJKUEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/jwt/claimmisuse/JWTHeaderJKUEndpoint.java
index 4272b79ca..9d85cf960 100644
--- a/src/main/java/org/owasp/webgoat/lessons/jwt/claimmisuse/JWTHeaderJKUEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/claimmisuse/JWTHeaderJKUEndpoint.java
@@ -1,5 +1,8 @@
 package org.owasp.webgoat.lessons.jwt.claimmisuse;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import com.auth0.jwk.JwkException;
 import com.auth0.jwk.JwkProviderBuilder;
 import com.auth0.jwt.JWT;
diff --git a/src/main/java/org/owasp/webgoat/lessons/jwt/claimmisuse/JWTHeaderKIDEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/jwt/claimmisuse/JWTHeaderKIDEndpoint.java
index 56b88c9f4..41909057d 100644
--- a/src/main/java/org/owasp/webgoat/lessons/jwt/claimmisuse/JWTHeaderKIDEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/claimmisuse/JWTHeaderKIDEndpoint.java
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.jwt.claimmisuse;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.JwsHeader;
 import io.jsonwebtoken.Jwt;
@@ -54,7 +57,6 @@ import org.springframework.web.bind.annotation.RestController;
 })
 @RequestMapping("/JWT/")
 public class JWTHeaderKIDEndpoint extends AssignmentEndpoint {
-
 private final LessonDataSource dataSource;
 private JWTHeaderKIDEndpoint(LessonDataSource dataSource) {
diff --git a/src/main/java/org/owasp/webgoat/lessons/lessontemplate/SampleAttack.java b/src/main/java/org/owasp/webgoat/lessons/lessontemplate/SampleAttack.java
index e1ef39d34..7015888ca 100644
--- a/src/main/java/org/owasp/webgoat/lessons/lessontemplate/SampleAttack.java
+++ b/src/main/java/org/owasp/webgoat/lessons/lessontemplate/SampleAttack.java
@@ -22,13 +22,15 @@ package org.owasp.webgoat.lessons.lessontemplate;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import java.util.List;
 import lombok.AllArgsConstructor;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.owasp.webgoat.container.session.LessonSession;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -40,11 +42,13 @@ import org.springframework.web.bind.annotation.RestController;
 @RestController
 @AssignmentHints({"lesson-template.hints.1", "lesson-template.hints.2", "lesson-template.hints.3"})
 public class SampleAttack extends AssignmentEndpoint {
+ private static final String secretValue = "secr37Value";
- String secretValue = "secr37Value";
+ private final LessonSession userSessionData;
- // UserSessionData is bound to session and can be used to persist data across multiple assignments
- @Autowired LessonSession userSessionData;
+ public SampleAttack(LessonSession userSessionData) {
+ this.userSessionData = userSessionData;
+ }
 @PostMapping("/lesson-template/sample-attack")
 @ResponseBody
diff --git a/src/main/java/org/owasp/webgoat/lessons/logging/LogBleedingTask.java b/src/main/java/org/owasp/webgoat/lessons/logging/LogBleedingTask.java
index a338407bf..5eee7b450 100644
--- a/src/main/java/org/owasp/webgoat/lessons/logging/LogBleedingTask.java
+++ b/src/main/java/org/owasp/webgoat/lessons/logging/LogBleedingTask.java
@@ -22,7 +22,9 @@ package org.owasp.webgoat.lessons.logging;
-import jakarta.annotation.PostConstruct;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import java.nio.charset.StandardCharsets;
 import java.util.Base64;
 import java.util.UUID;
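Review bot: `private static final String secretValue = "secr37Value";` is now a constant and should follow the constant naming convention, `private static final String SECRET_VALUE = "secr37Value";`, with its uses in the handler below the hunk renamed to match. The hunk also deletes the explanatory comment `// UserSessionData is bound to session and can be used to persist data across multiple assignments`; since this file is the lesson template that new lessons are copied from, that guidance is worth restoring as a comment on the `userSessionData` field. The `@PostMapping` handler continues past the end of the hunk.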
@@ -39,12 +41,11 @@ import org.springframework.web.bind.annotation.RestController;
 @RestController
 public class LogBleedingTask extends AssignmentEndpoint {
- Logger log = LoggerFactory.getLogger(this.getClass().getName());
- private String password;
+ private static final Logger log = LoggerFactory.getLogger(LogBleedingTask.class);
+ private final String password;
- @PostConstruct
- public void generatePassword() {
- password = UUID.randomUUID().toString();
+ public LogBleedingTask() {
+ this.password = UUID.randomUUID().toString();
 log.info(
 "Password for admin: {}",
 Base64.getEncoder().encodeToString(password.getBytes(StandardCharsets.UTF_8)));
diff --git a/src/main/java/org/owasp/webgoat/lessons/logging/LogSpoofingTask.java b/src/main/java/org/owasp/webgoat/lessons/logging/LogSpoofingTask.java
index 0fe3b3559..b88abf073 100644
--- a/src/main/java/org/owasp/webgoat/lessons/logging/LogSpoofingTask.java
+++ b/src/main/java/org/owasp/webgoat/lessons/logging/LogSpoofingTask.java
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.logging;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import org.apache.logging.log4j.util.Strings;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
diff --git a/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACHiddenMenus.java b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACHiddenMenus.java
index 8cf11a6fb..1ef798fe2 100644
--- a/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACHiddenMenus.java
+++ b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACHiddenMenus.java
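Review bot: The constructor now writes the freshly generated admin password (Base64-encoded) to the log via `log.info`, and nothing in the code marks this as the lesson's deliberate flaw rather than an oversight; add `// Intentionally writes the password to the log: that leak is what the Log Bleeding lesson teaches.` above the `log.info(` call so a later cleanup pass does not "fix" it away. Turning `log` into a `private static final Logger` keyed on `LogBleedingTask.class` is the right change. The constructor body continues past the end of the hunk.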
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.missingac;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
diff --git a/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHash.java b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHash.java
index 8417ae059..28eb11cf6 100644
--- a/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHash.java
+++ b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHash.java
@@ -22,9 +22,10 @@ package org.owasp.webgoat.lessons.missingac;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
 import static org.owasp.webgoat.lessons.missingac.MissingFunctionAC.PASSWORD_SALT_SIMPLE;
-import lombok.RequiredArgsConstructor;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
@@ -40,11 +41,14 @@ import org.springframework.web.bind.annotation.RestController;
 "access-control.hash.hint4",
 "access-control.hash.hint5"
 })
-@RequiredArgsConstructor
 public class MissingFunctionACYourHash extends AssignmentEndpoint {
 private final MissingAccessControlUserRepository userRepository;
+ public MissingFunctionACYourHash(MissingAccessControlUserRepository userRepository) {
+ this.userRepository = userRepository;
+ }
+
 @PostMapping(
 path = "/access-control/user-hash",
 produces = {"application/json"})
diff --git a/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHashAdmin.java b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHashAdmin.java
index 8db5c5b7c..3027b860b 100644
--- a/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHashAdmin.java
+++ b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHashAdmin.java
@@ -22,6 +22,8 @@ package org.owasp.webgoat.lessons.missingac;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
 import static org.owasp.webgoat.lessons.missingac.MissingFunctionAC.PASSWORD_SALT_ADMIN;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
diff --git a/src/main/java/org/owasp/webgoat/lessons/passwordreset/QuestionsAssignment.java b/src/main/java/org/owasp/webgoat/lessons/passwordreset/QuestionsAssignment.java
index 8568b97ec..9e441a7de 100644
--- a/src/main/java/org/owasp/webgoat/lessons/passwordreset/QuestionsAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/passwordreset/QuestionsAssignment.java
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.passwordreset;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import java.util.HashMap;
 import java.util.Map;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
diff --git a/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignment.java b/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignment.java
index eae7e4cfe..8b6c18908 100644
--- a/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignment.java
@@ -22,6 +22,8 @@ package org.owasp.webgoat.lessons.passwordreset;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
 import static org.springframework.util.StringUtils.hasText;
 import com.google.common.collect.Maps;
diff --git a/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignmentForgotPassword.java b/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignmentForgotPassword.java
index fd293287c..5fe6cd84d 100644
--- a/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignmentForgotPassword.java
+++ b/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignmentForgotPassword.java
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.passwordreset;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import jakarta.servlet.http.HttpServletRequest;
 import java.util.UUID;
 import org.owasp.webgoat.container.CurrentUsername;
@@ -47,9 +50,9 @@ import org.springframework.web.client.RestTemplate;
 public class ResetLinkAssignmentForgotPassword extends AssignmentEndpoint {
 private final RestTemplate restTemplate;
- private String webWolfHost;
- private String webWolfPort;
- private String webWolfURL;
+ private final String webWolfHost;
+ private final String webWolfPort;
+ private final String webWolfURL;
 private final String webWolfMailURL;
 public ResetLinkAssignmentForgotPassword(
diff --git a/src/main/java/org/owasp/webgoat/lessons/passwordreset/SecurityQuestionAssignment.java b/src/main/java/org/owasp/webgoat/lessons/passwordreset/SecurityQuestionAssignment.java
index 044689717..63d17ea1f 100644
--- a/src/main/java/org/owasp/webgoat/lessons/passwordreset/SecurityQuestionAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/passwordreset/SecurityQuestionAssignment.java
@@ -23,12 +23,13 @@ package org.owasp.webgoat.lessons.passwordreset;
 import static java.util.Optional.of;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.informationMessage;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
 import java.util.HashMap;
 import java.util.Map;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
@@ -43,7 +44,7 @@ import org.springframework.web.bind.annotation.RestController;
 @RestController
 public class SecurityQuestionAssignment extends AssignmentEndpoint {
- @Autowired private TriedQuestions triedQuestions;
+ private final TriedQuestions triedQuestions;
 private static Map questions;
@@ -90,6 +91,10 @@ public class SecurityQuestionAssignment extends AssignmentEndpoint {
 questions.put("What is your favorite color?", "Can easily be guessed.");
 }
+ public SecurityQuestionAssignment(TriedQuestions triedQuestions) {
+ this.triedQuestions = triedQuestions;
+ }
+
 @PostMapping("/PasswordReset/SecurityQuestions")
 @ResponseBody
 public AttackResult completed(@RequestParam String question) {
diff --git a/src/main/java/org/owasp/webgoat/lessons/passwordreset/SimpleMailAssignment.java b/src/main/java/org/owasp/webgoat/lessons/passwordreset/SimpleMailAssignment.java
index 9e74fadd5..32554f417 100644
--- a/src/main/java/org/owasp/webgoat/lessons/passwordreset/SimpleMailAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/passwordreset/SimpleMailAssignment.java
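Review bot: The new constructor is inserted in the third hunk (old line 90), after the block that populates the static `questions` map, while the `triedQuestions` field it assigns is declared in the second hunk near line 44; every other class converted in this commit places its constructor directly after the fields, so move `public SecurityQuestionAssignment(TriedQuestions triedQuestions) { this.triedQuestions = triedQuestions; }` up next to the field declaration. Both hunks cut through the class body, so the initializer block and the `completed` handler are only partly visible here.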
@@ -23,6 +23,9 @@ package org.owasp.webgoat.lessons.passwordreset;
 import static java.util.Optional.ofNullable;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.informationMessage;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
 import java.time.LocalDateTime;
 import org.apache.commons.lang3.StringUtils;
@@ -44,7 +47,6 @@ import org.springframework.web.client.RestTemplate;
 */
 @RestController
 public class SimpleMailAssignment extends AssignmentEndpoint {
-
 private final String webWolfURL;
 private RestTemplate restTemplate;
diff --git a/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadBase.java b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadBase.java
index d17a9b912..78662b46e 100644
--- a/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadBase.java
+++ b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadBase.java
@@ -1,5 +1,9 @@
 package org.owasp.webgoat.lessons.pathtraversal;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.informationMessage;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
@@ -7,7 +11,6 @@ import java.nio.file.Files;
 import java.util.Arrays;
 import java.util.Base64;
 import java.util.List;
-import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.SneakyThrows;
 import org.apache.commons.io.FilenameUtils;
@@ -21,11 +24,14 @@ import org.springframework.util.FileSystemUtils;
 import org.springframework.util.StringUtils;
 import org.springframework.web.multipart.MultipartFile;
-@AllArgsConstructor
 @Getter
 public class ProfileUploadBase extends AssignmentEndpoint {
- private String webGoatHomeDirectory;
+ private final String webGoatHomeDirectory;
+
+ public ProfileUploadBase(String webGoatHomeDirectory) {
+ this.webGoatHomeDirectory = webGoatHomeDirectory;
+ }
 protected AttackResult execute(MultipartFile file, String fullName, String username) {
 if (file.isEmpty()) {
diff --git a/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrieval.java b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrieval.java
index 37ee58f10..02674c12b 100644
--- a/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrieval.java
+++ b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrieval.java
@@ -1,5 +1,8 @@
 package org.owasp.webgoat.lessons.pathtraversal;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import jakarta.annotation.PostConstruct;
 import jakarta.servlet.http.HttpServletRequest;
 import java.io.File;
@@ -41,7 +44,6 @@ import org.springframework.web.bind.annotation.RestController;
 })
 @Slf4j
 public class ProfileUploadRetrieval extends AssignmentEndpoint {
-
 private final File catPicturesDirectory;
 public ProfileUploadRetrieval(@Value("${webgoat.server.directory}") String webGoatHomeDirectory) {
diff --git a/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileZipSlip.java b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileZipSlip.java
index f6422a306..891d6bafd 100644
--- a/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileZipSlip.java
+++ b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileZipSlip.java
@@ -1,5 +1,7 @@
 package org.owasp.webgoat.lessons.pathtraversal;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
 import static org.springframework.http.MediaType.ALL_VALUE;
 import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
diff --git a/src/main/java/org/owasp/webgoat/lessons/securepasswords/SecurePasswordsAssignment.java b/src/main/java/org/owasp/webgoat/lessons/securepasswords/SecurePasswordsAssignment.java
index 5b9932d36..3178407d0 100644
--- a/src/main/java/org/owasp/webgoat/lessons/securepasswords/SecurePasswordsAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/securepasswords/SecurePasswordsAssignment.java
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.securepasswords;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import com.nulabinc.zxcvbn.Strength;
 import com.nulabinc.zxcvbn.Zxcvbn;
 import java.text.DecimalFormat;
diff --git a/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java b/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java
index d8bda9007..437641fbf 100644
--- a/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java
@@ -23,6 +23,10 @@ package org.owasp.webgoat.lessons.spoofcookie;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.informationMessage;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import jakarta.servlet.http.Cookie;
 import jakarta.servlet.http.HttpServletResponse;
 import java.util.Map;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java
index 95f86ca02..19c0d953b 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.sqlinjection.advanced;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import java.sql.*;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.LessonDataSource;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallengeLogin.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallengeLogin.java
index bdfcc88f2..f071ae6d6 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallengeLogin.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallengeLogin.java
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.sqlinjection.advanced;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
@@ -40,7 +43,6 @@ import org.springframework.web.bind.annotation.RestController;
 "SqlInjectionChallengeHint4"
 })
 public class SqlInjectionChallengeLogin extends AssignmentEndpoint {
-
 private final LessonDataSource dataSource;
 public SqlInjectionChallengeLogin(LessonDataSource dataSource) {
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java
index 1de70b5ca..78c9351dd 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.sqlinjection.advanced;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import java.sql.Connection;
 import java.sql.ResultSet;
 import java.sql.ResultSetMetaData;
@@ -47,7 +50,6 @@ import org.springframework.web.bind.annotation.RestController;
 "SqlStringInjectionHint-advanced-6a-5"
 })
 public class SqlInjectionLesson6a extends AssignmentEndpoint {
-
 private final LessonDataSource dataSource;
 private static final String YOUR_QUERY_WAS = "
Your query was: ";
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6b.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6b.java
index 5cf42437f..90d19af7f 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6b.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6b.java
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.sqlinjection.advanced;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import java.io.IOException;
 import java.sql.Connection;
 import java.sql.ResultSet;
@@ -37,7 +40,6 @@ import org.springframework.web.bind.annotation.RestController;
 @RestController
 public class SqlInjectionLesson6b extends AssignmentEndpoint {
-
 private final LessonDataSource dataSource;
 public SqlInjectionLesson6b(LessonDataSource dataSource) {
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionQuiz.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionQuiz.java
index e7c03139a..2aa031ab2 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionQuiz.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionQuiz.java
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.sqlinjection.advanced;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import java.io.IOException;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java
index 55f802116..ff141b389 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.sqlinjection.introduction;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import java.sql.Connection;
 import java.sql.ResultSet;
 import java.sql.SQLException;
@@ -120,8 +123,7 @@ public class SqlInjectionLesson10 extends AssignmentEndpoint {
 if (errorMsg.contains("object not found: ACCESS_LOG")) {
 return false;
 } else {
- System.err.println(e.getMessage());
- return false;
+ return true;
 }
 }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson2.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson2.java
index 5540f31a4..6431774d8 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson2.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson2.java
@@ -24,6 +24,8 @@ package org.owasp.webgoat.lessons.sqlinjection.introduction;
 import static java.sql.ResultSet.CONCUR_READ_ONLY;
 import static java.sql.ResultSet.TYPE_SCROLL_INSENSITIVE;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
 import java.sql.ResultSet;
 import java.sql.SQLException;
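Review bot: In SqlInjectionLesson10's catch block (`@@ -120,8 +123,7 @@`) the `else` branch now answers `true` for every SQLException whose message does not contain `object not found: ACCESS_LOG`, so a closed connection or a permissions error is reported the same way as the table being present, and with the `System.err.println` removed nothing records that error at all. The enclosing method begins outside the hunk, so its contract is inferred from the two return paths; if it answers "does ACCESS_LOG exist", the unexpected-error path should at least be logged before returning, `log.error("Could not determine whether ACCESS_LOG exists", e);` — assuming the class has a logger, which the context lines do not show. SqlInjectionLesson9 (`@@ -99,7 +101,6 @@`) has the same silent drop: the removed println leaves its SQLException unlogged on the `failed(this)` path. SqlInjectionLesson13 in this commit keeps `log.error("Failed", e);` in the equivalent catch and is the pattern the other two should follow.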
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson3.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson3.java
index f34c9302d..3d562c3bd 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson3.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson3.java
@@ -24,6 +24,8 @@ package org.owasp.webgoat.lessons.sqlinjection.introduction;
 import static java.sql.ResultSet.CONCUR_READ_ONLY;
 import static java.sql.ResultSet.TYPE_SCROLL_INSENSITIVE;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
 import java.sql.Connection;
 import java.sql.ResultSet;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson4.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson4.java
index 2299becc4..bdb8cf9eb 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson4.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson4.java
@@ -24,6 +24,8 @@ package org.owasp.webgoat.lessons.sqlinjection.introduction;
 import static java.sql.ResultSet.CONCUR_READ_ONLY;
 import static java.sql.ResultSet.TYPE_SCROLL_INSENSITIVE;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
 import java.sql.Connection;
 import java.sql.ResultSet;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5.java
index 9678a2f9d..289430a2f 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5.java
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.sqlinjection.introduction;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import jakarta.annotation.PostConstruct;
 import java.sql.Connection;
 import java.sql.ResultSet;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5a.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5a.java
index 65c103d0f..e3a224a91 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5a.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5a.java
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.sqlinjection.introduction;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import java.sql.*;
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5b.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5b.java
index ebc8e1013..85e775a6f 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5b.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5b.java
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.sqlinjection.introduction;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import java.io.IOException;
 import java.sql.*;
 import org.owasp.webgoat.container.LessonDataSource;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java
index ae7fbb9f4..35ad87eb1 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java
@@ -24,6 +24,8 @@ package org.owasp.webgoat.lessons.sqlinjection.introduction;
 import static java.sql.ResultSet.CONCUR_UPDATABLE;
 import static java.sql.ResultSet.TYPE_SCROLL_SENSITIVE;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
 import java.sql.*;
 import java.text.SimpleDateFormat;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9.java
index 1128e2fec..4dc1e6a1b 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9.java
@@ -24,6 +24,8 @@ package org.owasp.webgoat.lessons.sqlinjection.introduction;
 import static org.hsqldb.jdbc.JDBCResultSet.CONCUR_UPDATABLE;
 import static org.hsqldb.jdbc.JDBCResultSet.TYPE_SCROLL_SENSITIVE;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
 import java.sql.Connection;
 import java.sql.ResultSet;
@@ -99,7 +101,6 @@ public class SqlInjectionLesson9 extends AssignmentEndpoint {
 SqlInjectionLesson8.generateTable(this.getEmployeesDataOrderBySalaryDesc(connection)))
 .build();
 } catch (SQLException e) {
- System.err.println(e.getMessage());
 return failed(this)
 .output("
")
 .build();
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10a.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10a.java
index fbe551427..e2e44b95f 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10a.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10a.java
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.sqlinjection.mitigation;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
@@ -37,7 +40,7 @@ import org.springframework.web.bind.annotation.RestController;
 value = {"SqlStringInjectionHint-mitigation-10a-1", "SqlStringInjectionHint-mitigation-10a-2"})
 public class SqlInjectionLesson10a extends AssignmentEndpoint {
- private String[] results = {
+ private static final String[] results = {
 "getConnection", "PreparedStatement", "prepareStatement", "?", "?", "setString", "setString"
 };
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10b.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10b.java
index 325d376bb..d3c413f5e 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10b.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10b.java
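Review bot: `private static final String[] results` in SqlInjectionLesson10a (`@@ -37,7 +40,7 @@`) becomes a class constant but keeps a lowerCamelCase name; `static final` fields are conventionally `UPPER_SNAKE_CASE`, so `RESULTS` here and `SOLUTIONS` for the parallel change in CrossSiteScriptingQuiz (`@@ -34,7 +37,9 @@`). `final` on an array fixes only the reference — the seven expected tokens remain writable by any code in the class — so `private static final List<String> RESULTS = List.of(...)` would make the constant genuinely immutable, provided the consuming code, which lies outside the hunk, can take a List instead of an array.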
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.sqlinjection.mitigation;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import java.io.IOException;
 import java.net.URI;
 import java.util.Arrays;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson13.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson13.java
index 453f0e3e1..e9cd2c6fb 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson13.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson13.java
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.sqlinjection.mitigation;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import java.sql.Connection;
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
@@ -68,7 +71,7 @@ public class SqlInjectionLesson13 extends AssignmentEndpoint {
 return failed(this).build();
 } catch (SQLException e) {
 log.error("Failed", e);
- return (failed(this).build());
+ return failed(this).build();
 }
 }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidation.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidation.java
index 4cfec6337..2ed20811d 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidation.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidation.java
@@ -22,6 +22,8 @@ package org.owasp.webgoat.lessons.sqlinjection.mitigation;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
@@ -52,7 +54,9 @@ public class SqlOnlyInputValidation extends AssignmentEndpoint {
 return new AttackResult(
 attackResult.isLessonCompleted(),
 attackResult.getFeedback(),
+ attackResult.getFeedbackArgs(),
 attackResult.getOutput(),
+ attackResult.getOutputArgs(),
 getClass().getSimpleName(),
 true);
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationOnKeywords.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationOnKeywords.java
index 3a324bc65..55ba0bfd8 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationOnKeywords.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationOnKeywords.java
@@ -22,6 +22,8 @@ package org.owasp.webgoat.lessons.sqlinjection.mitigation;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
@@ -58,7 +60,9 @@ public class SqlOnlyInputValidationOnKeywords extends AssignmentEndpoint {
 return new AttackResult(
 attackResult.isLessonCompleted(),
 attackResult.getFeedback(),
+ attackResult.getFeedbackArgs(),
 attackResult.getOutput(),
+ attackResult.getOutputArgs(),
 getClass().getSimpleName(),
 true);
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask1.java b/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask1.java
index 3a07664f3..27be6645e 100644
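Review bot: The two arguments inserted in SqlOnlyInputValidation (`@@ -52,7 +54,9 @@`) and SqlOnlyInputValidationOnKeywords (`@@ -58,7 +60,9 @@`) make `new AttackResult(...)` a seven-argument positional call in which feedback, feedback args, output and output args sit side by side and presumably share types, so a swapped pair would compile and surface only as wrong feedback at runtime. Both classes build the identical copy of an existing result with the assignment name and a trailing `true`, whose meaning is not visible here; one factory on AttackResult (constructed name: `AttackResult.copyWithAssignment(attackResult, getClass().getSimpleName())`) or a builder call would remove both the duplication and the positional risk. The enclosing methods begin outside the hunks.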
--- a/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask1.java
+++ b/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask1.java
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.ssrf;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
diff --git a/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask2.java b/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask2.java
index 35f9491f7..18afec778 100644
--- a/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask2.java
+++ b/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask2.java
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.ssrf;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.MalformedURLException;
diff --git a/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLesson.java b/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLesson.java
index ad1a91cc4..cdbdbdcd9 100644
--- a/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLesson.java
+++ b/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLesson.java
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.vulnerablecomponents;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import com.thoughtworks.xstream.XStream;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
diff --git a/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/LandingAssignment.java b/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/LandingAssignment.java
index 72a04bebd..954a3f8f8 100644
--- a/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/LandingAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/LandingAssignment.java
@@ -22,9 +22,9 @@ package org.owasp.webgoat.lessons.webwolfintroduction;
-import jakarta.servlet.http.HttpServletRequest;
-import java.net.URI;
-import java.net.URISyntaxException;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.container.CurrentUsername;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@@ -42,9 +42,11 @@ import org.springframework.web.servlet.ModelAndView;
 */
 @RestController
 public class LandingAssignment extends AssignmentEndpoint {
+ private final String landingPageUrl;
- @Value("${webwolf.landingpage.url}")
- private String landingPageUrl;
+ public LandingAssignment(@Value("${webwolf.landingpage.url}") String landingPageUrl) {
+ this.landingPageUrl = landingPageUrl;
+ }
 @PostMapping("/WebWolf/landing")
 @ResponseBody
@@ -56,9 +58,7 @@ public class LandingAssignment extends AssignmentEndpoint {
 }
 @GetMapping("/WebWolf/landing/password-reset")
- public ModelAndView openPasswordReset(
- HttpServletRequest request, @CurrentUsername String username) throws URISyntaxException {
- URI uri = new URI(request.getRequestURL().toString());
+ public ModelAndView openPasswordReset(@CurrentUsername String username) {
 ModelAndView modelAndView = new ModelAndView();
 modelAndView.addObject(
 "webwolfLandingPageUrl", landingPageUrl.replace("//landing", "/landing"));
diff --git a/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/MailAssignment.java b/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/MailAssignment.java
index 241428ae1..12d969764 100644
--- a/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/MailAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/MailAssignment.java
@@ -22,6 +22,10 @@ package org.owasp.webgoat.lessons.webwolfintroduction;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.informationMessage;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.container.CurrentUsername;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson1.java b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson1.java
index 114632ef5..3d5495e70 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson1.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson1.java
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.xss;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson5a.java b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson5a.java
index 58ec12fc9..aebf897cb 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson5a.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson5a.java
@@ -22,13 +22,15 @@ package org.owasp.webgoat.lessons.xss;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import java.util.function.Predicate;
 import java.util.regex.Pattern;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.owasp.webgoat.container.session.LessonSession;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
@@ -48,7 +50,12 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
 Pattern.compile(
 ".*.*", Pattern.CASE_INSENSITIVE)
 .asMatchPredicate();
- @Autowired LessonSession userSessionData;
+
+ private final LessonSession userSessionData;
+
+ public CrossSiteScriptingLesson5a(LessonSession lessonSession) {
+ this.userSessionData = lessonSession;
+ }
 @GetMapping("/CrossSiteScripting/attack5a")
 @ResponseBody
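Review bot: The constructor added in CrossSiteScriptingLesson5a (`@@ -48,7 +50,12 @@`) names its parameter `lessonSession` and assigns it to `userSessionData`, while the matching constructor in CrossSiteScriptingLesson6a in this same commit uses `userSessionData` for both; `public CrossSiteScriptingLesson5a(LessonSession userSessionData) { this.userSessionData = userSessionData; }` keeps the two lessons consistent and spares a reader checking which field the parameter feeds. The `".*.*"` argument on the `Pattern.compile` context line reads as an extraction artifact of this page rather than the real pattern and is not part of the change.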
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson6a.java b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson6a.java
index f4378bd72..b3dcd86a9 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson6a.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson6a.java
@@ -22,11 +22,13 @@ package org.owasp.webgoat.lessons.xss;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.owasp.webgoat.container.session.LessonSession;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
@@ -41,7 +43,11 @@ import org.springframework.web.bind.annotation.RestController;
 "xss-reflected-6a-hint-4"
 })
 public class CrossSiteScriptingLesson6a extends AssignmentEndpoint {
- @Autowired LessonSession userSessionData;
+ private final LessonSession userSessionData;
+
+ public CrossSiteScriptingLesson6a(LessonSession userSessionData) {
+ this.userSessionData = userSessionData;
+ }
 @PostMapping("/CrossSiteScripting/attack6a")
 @ResponseBody
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingQuiz.java b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingQuiz.java
index e193d262a..a83a73667 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingQuiz.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingQuiz.java
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.xss; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success; + import java.io.IOException; import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AttackResult; @@ -34,7 +37,9 @@ import org.springframework.web.bind.annotation.RestController; @RestController public class CrossSiteScriptingQuiz extends AssignmentEndpoint { - String[] solutions = {"Solution 4", "Solution 3", "Solution 1", "Solution 2", "Solution 4"}; + private static final String[] solutions = { + "Solution 4", "Solution 3", "Solution 1", "Solution 2", "Solution 4" + }; boolean[] guesses = new boolean[solutions.length]; @PostMapping("/CrossSiteScripting/quiz") diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScripting.java b/src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScripting.java index e4e44f33e..0c1471ada 100644 --- a/src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScripting.java +++ b/src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScripting.java @@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.xss; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success; + import jakarta.servlet.http.HttpServletRequest; import java.security.SecureRandom; import org.owasp.webgoat.container.assignments.AssignmentEndpoint; diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScriptingVerifier.java b/src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScriptingVerifier.java index 5d3efc960..f8c0df318 100644 --- a/src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScriptingVerifier.java +++ b/src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScriptingVerifier.java 
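Review bot: Making `solutions` static final in CrossSiteScriptingQuiz leaves the adjacent `boolean[] guesses = new boolean[solutions.length];` as mutable instance state on a @RestController, which is a singleton unless scoped otherwise, so every learner's answers are written into the same array and concurrent submissions race with each other. The handler that fills `guesses` is outside this hunk; allocating the array locally inside it, or keeping it in the per-user LessonSession, removes the shared state. Since `solutions` is now a constant the project convention would name it `SOLUTIONS`, and note that `final` pins only the reference — the array contents stay writable by anything that holds it.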
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.xss; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success; + import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentHints; import org.owasp.webgoat.container.assignments.AttackResult; diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/mitigation/CrossSiteScriptingLesson3.java b/src/main/java/org/owasp/webgoat/lessons/xss/mitigation/CrossSiteScriptingLesson3.java index 574c7a401..e192d1153 100644 --- a/src/main/java/org/owasp/webgoat/lessons/xss/mitigation/CrossSiteScriptingLesson3.java +++ b/src/main/java/org/owasp/webgoat/lessons/xss/mitigation/CrossSiteScriptingLesson3.java @@ -23,6 +23,9 @@ package org.owasp.webgoat.lessons.xss.mitigation; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success; + import org.jsoup.Jsoup; import org.jsoup.nodes.Document; import org.owasp.webgoat.container.assignments.AssignmentEndpoint; diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/mitigation/CrossSiteScriptingLesson4.java b/src/main/java/org/owasp/webgoat/lessons/xss/mitigation/CrossSiteScriptingLesson4.java index cd9341d9f..ac0e4e34e 100644 --- a/src/main/java/org/owasp/webgoat/lessons/xss/mitigation/CrossSiteScriptingLesson4.java +++ b/src/main/java/org/owasp/webgoat/lessons/xss/mitigation/CrossSiteScriptingLesson4.java 
@@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.xss.mitigation; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success; + import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentHints; import org.owasp.webgoat.container.assignments.AttackResult; diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredCrossSiteScriptingVerifier.java b/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredCrossSiteScriptingVerifier.java index f64857cce..8deb210f0 100644 --- a/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredCrossSiteScriptingVerifier.java +++ b/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredCrossSiteScriptingVerifier.java @@ -22,6 +22,9 @@ package org.owasp.webgoat.lessons.xss.stored; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success; + import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.session.LessonSession; diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredXssComments.java b/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredXssComments.java index bfa1dd5a6..d02c86589 100644 --- a/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredXssComments.java +++ b/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredXssComments.java @@ -22,6 +22,8 @@ package org.owasp.webgoat.lessons.xss.stored; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success; import static org.springframework.http.MediaType.ALL_VALUE; import com.fasterxml.jackson.databind.ObjectMapper; 
@@ -49,7 +51,7 @@ import org.springframework.web.bind.annotation.RestController; @RestController public class StoredXssComments extends AssignmentEndpoint { - private static DateTimeFormatter fmt = DateTimeFormatter.ofPattern("yyyy-MM-dd, HH:mm:ss"); + private static final DateTimeFormatter fmt = DateTimeFormatter.ofPattern("yyyy-MM-dd, HH:mm:ss"); private static final Map> userComments = new HashMap<>(); private static final List comments = new ArrayList<>(); diff --git a/src/main/java/org/owasp/webgoat/lessons/xxe/BlindSendFileAssignment.java b/src/main/java/org/owasp/webgoat/lessons/xxe/BlindSendFileAssignment.java index 967634afa..748c43996 100644 --- a/src/main/java/org/owasp/webgoat/lessons/xxe/BlindSendFileAssignment.java +++ b/src/main/java/org/owasp/webgoat/lessons/xxe/BlindSendFileAssignment.java @@ -2,6 +2,8 @@ package org.owasp.webgoat.lessons.xxe; import static java.nio.charset.StandardCharsets.UTF_8; import static org.apache.commons.lang3.RandomStringUtils.randomAlphabetic; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success; import static org.springframework.http.MediaType.ALL_VALUE; import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE; diff --git a/src/main/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignment.java b/src/main/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignment.java index cca470c61..0214eb0c8 100644 --- a/src/main/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignment.java +++ b/src/main/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignment.java 
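Review bot: `fmt` in StoredXssComments becomes a `static final` constant in this hunk but keeps a lowercase name; `private static final DateTimeFormatter FORMATTER = DateTimeFormatter.ofPattern("yyyy-MM-dd, HH:mm:ss");` would follow the UPPER_SNAKE_CASE convention for constants. The change itself is sound because DateTimeFormatter is immutable and safe to share. The same `static final` on the two context lines below (`userComments`, `comments`) only fixes the reference: if those collections are mutated from request handlers, as their names suggest, they are shared by all users and are not thread-safe — presumably deliberate for a stored-XSS lesson, but a one-line comment saying so would save the next reader from "fixing" it.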
@@ -24,6 +24,8 @@ package org.owasp.webgoat.lessons.xxe; import static java.util.Optional.empty; import static java.util.Optional.of; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success; import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE; import com.fasterxml.jackson.databind.ObjectMapper; @@ -36,7 +38,6 @@ import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentHints; import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.users.WebGoatUser; -import org.springframework.beans.factory.annotation.Value; import org.springframework.http.MediaType; import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.RequestBody; @@ -53,9 +54,6 @@ public class ContentTypeAssignment extends AssignmentEndpoint { "Windows", "Program Files (x86)", "Program Files", "pagefile.sys" }; - @Value("${webgoat.server.directory}") - private String webGoatHomeDirectory; - private final CommentsCache comments; public ContentTypeAssignment(CommentsCache comments) { diff --git a/src/main/java/org/owasp/webgoat/lessons/xxe/SimpleXXE.java b/src/main/java/org/owasp/webgoat/lessons/xxe/SimpleXXE.java index f9ca3af16..ecf7698e3 100644 --- a/src/main/java/org/owasp/webgoat/lessons/xxe/SimpleXXE.java +++ b/src/main/java/org/owasp/webgoat/lessons/xxe/SimpleXXE.java @@ -22,6 +22,8 @@ package org.owasp.webgoat.lessons.xxe; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed; +import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success; import static org.springframework.http.MediaType.ALL_VALUE; import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE; 
@@ -32,7 +34,6 @@ import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentHints; import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.users.WebGoatUser; -import org.springframework.beans.factory.annotation.Value; import org.springframework.http.MediaType; import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.RequestBody; @@ -56,12 +57,6 @@ public class SimpleXXE extends AssignmentEndpoint { "Windows", "Program Files (x86)", "Program Files", "pagefile.sys" }; - @Value("${webgoat.server.directory}") - private String webGoatHomeDirectory; - - @Value("${webwolf.landingpage.url}") - private String webWolfURL; - private final CommentsCache comments; public SimpleXXE(CommentsCache comments) { diff --git a/src/main/resources/lessons/lessontemplate/documentation/lesson-template-attack.adoc b/src/main/resources/lessons/lessontemplate/documentation/lesson-template-attack.adoc index e11f3ca98..f7c9b9a2e 100644 --- a/src/main/resources/lessons/lessontemplate/documentation/lesson-template-attack.adoc +++ b/src/main/resources/lessons/lessontemplate/documentation/lesson-template-attack.adoc @@ -19,7 +19,7 @@ public class SampleAttack extends AssignmentEndpoint { // <3> public AttackResult completed(@RequestParam("param1") String param1, @RequestParam("param2") String param2) { <6> if (userSessionData.getValue("some-value") != null) { // do any session updating you want here ... or not, just comment/example here - //return failed(this).feedback("lesson-template.sample-attack.failure-2").build(); + //return builder.failed(this).feedback("lesson-template.sample-attack.failure-2").build(); } //overly simple example for success. See other existing lessons for ways to detect 'success' or 'failure' 
@@ -32,7 +32,7 @@ public class SampleAttack extends AssignmentEndpoint { // <3> } // else - return failed(this) // <8> + return builder.failed(this) // <8> .feedback("lesson-template.sample-attack.failure-2") .output("Custom output for this failure scenario, usually html that will get rendered directly ... yes, you can self-xss if you want") .build(); diff --git a/src/test/java/org/owasp/webgoat/container/assignments/AssignmentEndpointTest.java b/src/test/java/org/owasp/webgoat/container/assignments/AssignmentEndpointTest.java deleted file mode 100644 index 74caee5df..000000000 --- a/src/test/java/org/owasp/webgoat/container/assignments/AssignmentEndpointTest.java +++ /dev/null @@ -1,63 +0,0 @@ -/* - * This file is part of WebGoat, an Open Web Application Security Project utility. For details, - * please see http://www.owasp.org/ - *

- * Copyright (c) 2002 - 2017 Bruce Mayhew - *

- * This program is free software; you can redistribute it and/or modify it under the terms of the - * GNU General Public License as published by the Free Software Foundation; either version 2 of the - * License, or (at your option) any later version. - *

- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without - * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * General Public License for more details. - *

- * You should have received a copy of the GNU General Public License along with this program; if - * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA - * 02111-1307, USA. - *

- * Getting Source ============== - *

- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software - * projects. - *

- */ - -package org.owasp.webgoat.container.assignments; - -import java.util.Locale; -import org.mockito.Mock; -import org.owasp.webgoat.WithWebGoatUser; -import org.owasp.webgoat.container.i18n.Language; -import org.owasp.webgoat.container.i18n.Messages; -import org.owasp.webgoat.container.i18n.PluginMessages; -import org.owasp.webgoat.container.users.UserProgress; -import org.owasp.webgoat.container.users.UserProgressRepository; -import org.springframework.context.support.ClassPathXmlApplicationContext; -import org.springframework.test.util.ReflectionTestUtils; -import org.springframework.web.servlet.i18n.FixedLocaleResolver; - -// Do not remove is the base class for all assignments tests - -@WithWebGoatUser -public class AssignmentEndpointTest { - - @Mock protected UserProgress userTracker; - @Mock protected UserProgressRepository userTrackerRepository; - - private Language language = - new Language(new FixedLocaleResolver()) { - @Override - public Locale getLocale() { - return Locale.ENGLISH; - } - }; - protected Messages messages = new Messages(language); - protected PluginMessages pluginMessages = - new PluginMessages(messages, language, new ClassPathXmlApplicationContext()); - - public void init(AssignmentEndpoint a) { - messages.setBasenames("classpath:/i18n/messages", "classpath:/i18n/WebGoatLabels"); - ReflectionTestUtils.setField(a, "messages", pluginMessages); - } -} diff --git a/src/test/java/org/owasp/webgoat/container/plugins/LessonTest.java b/src/test/java/org/owasp/webgoat/container/plugins/LessonTest.java index c3a9378a6..a9d03074f 100644 --- a/src/test/java/org/owasp/webgoat/container/plugins/LessonTest.java +++ b/src/test/java/org/owasp/webgoat/container/plugins/LessonTest.java 
@@ -22,6 +22,7 @@ import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
 import org.springframework.test.context.TestPropertySource;
 import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 import org.springframework.web.context.WebApplicationContext;
 /**
@@ -57,5 +58,6 @@ public abstract class LessonTest {
 (WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
 flywayLessons.apply(user.getUsername()).migrate();
 lessonInitializers.forEach(init -> init.initialize(user));
+ this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
 }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/authbypass/BypassVerificationTest.java b/src/test/java/org/owasp/webgoat/lessons/authbypass/BypassVerificationTest.java
index 291baff2a..edd8f58a8 100644
--- a/src/test/java/org/owasp/webgoat/lessons/authbypass/BypassVerificationTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/authbypass/BypassVerificationTest.java
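Review bot: The MockMvc that LessonTest now builds with `MockMvcBuilders.webAppContextSetup(this.wac).build()` does not install the Spring Security filter chain, so every lesson test reaches its controller with the SecurityContext populated directly (the `getPrincipal()` line above) but with no servlet-level authentication or CSRF filter in the path. If the intent is for lesson tests to behave like real requests, apply the security configurer before building, `this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).apply(SecurityMockMvcConfigurers.springSecurity()).build();` (spring-security-test, assuming it is on the test classpath); if bypassing the filters is deliberate, a one-line comment saying so would stop readers from assuming authorization is covered by these tests. The enclosing setup method starts outside this hunk.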
@@ -25,30 +25,13 @@ package org.owasp.webgoat.lessons.authbypass;
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
-
-import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.mockito.junit.jupiter.MockitoExtension;
-import org.owasp.webgoat.container.assignments.AssignmentEndpointTest;
-import org.owasp.webgoat.container.session.LessonSession;
-import org.springframework.test.web.servlet.MockMvc;
+import org.owasp.webgoat.container.plugins.LessonTest;
-@ExtendWith(MockitoExtension.class)
-public class BypassVerificationTest extends AssignmentEndpointTest {
-
- private MockMvc mockMvc;
-
- @BeforeEach
- public void setup() {
- VerifyAccount verifyAccount = new VerifyAccount(new LessonSession());
- init(verifyAccount);
- this.mockMvc = standaloneSetup(verifyAccount).build();
- }
+class BypassVerificationTest extends LessonTest {
 @Test
- public void placeHolder() {
+ void placeHolder() {
 assert (true);
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/challenges/Assignment1Test.java b/src/test/java/org/owasp/webgoat/lessons/challenges/Assignment1Test.java
index 3d360edfe..c792ffc58 100644
--- a/src/test/java/org/owasp/webgoat/lessons/challenges/Assignment1Test.java
+++ b/src/test/java/org/owasp/webgoat/lessons/challenges/Assignment1Test.java
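Review bot: BypassVerificationTest now boots the full LessonTest Spring context only to execute `assert (true);`, which is a Java assert statement — a no-op unless the JVM runs with -ea — so the class pays a context start-up and verifies nothing. Either give it a real request against the VerifyAccount endpoint the removed setup used to construct (`new VerifyAccount(new LessonSession())`), or mark it `@Disabled("placeholder until the bypass lesson has a test")` so the intent is explicit, or delete it until there is something to test.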
@@ -23,33 +23,22 @@ package org.owasp.webgoat.lessons.challenges;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
 import java.net.InetAddress;
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.mockito.junit.jupiter.MockitoExtension;
-import org.owasp.webgoat.container.assignments.AssignmentEndpointTest;
-import org.owasp.webgoat.lessons.challenges.challenge1.Assignment1;
+import org.owasp.webgoat.container.plugins.LessonTest;
 import org.owasp.webgoat.lessons.challenges.challenge1.ImageServlet;
-import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-@ExtendWith(MockitoExtension.class)
-class Assignment1Test extends AssignmentEndpointTest {
+class Assignment1Test extends LessonTest {
- private MockMvc mockMvc;
- private Flags flags;
+ @Autowired private Flags flags;
 @BeforeEach
- void setup() {
- flags = new Flags();
- Assignment1 assignment1 = new Assignment1(flags);
- init(assignment1);
- this.mockMvc = standaloneSetup(assignment1).build();
- }
+ public void setup() {}
 @Test
 void success() throws Exception {
diff --git a/src/test/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7Test.java b/src/test/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7Test.java
index 0cd7fa945..8a13df1bb 100644
--- a/src/test/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7Test.java
+++ b/src/test/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7Test.java
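Review bot: The `@BeforeEach public void setup() {}` that remains in Assignment1Test is now an empty lifecycle hook: its former body (constructing Flags and a standalone MockMvc) is replaced by the autowired `Flags` field and the LessonTest base, so the method should be deleted rather than left as a no-op that suggests per-test setup is happening. As far as this hunk shows it is also the only remaining use of the retained `import org.junit.jupiter.api.BeforeEach;`, which can go with it.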
@@ -27,44 +27,28 @@ import static org.hamcrest.Matchers.equalTo; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; -import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup; import org.hamcrest.CoreMatchers; -import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.DisplayName; import org.junit.jupiter.api.Test; -import org.junit.jupiter.api.extension.ExtendWith; -import org.mockito.Mock; -import org.mockito.junit.jupiter.MockitoExtension; -import org.owasp.webgoat.container.assignments.AssignmentEndpointTest; -import org.owasp.webgoat.lessons.challenges.Flags; +import org.owasp.webgoat.container.plugins.LessonTest; import org.springframework.beans.factory.annotation.Value; +import org.springframework.boot.test.mock.mockito.MockBean; import org.springframework.http.HttpStatus; -import org.springframework.test.web.servlet.MockMvc; import org.springframework.test.web.servlet.ResultActions; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; import org.springframework.web.client.RestTemplate; -@ExtendWith(MockitoExtension.class) -public class Assignment7Test extends AssignmentEndpointTest { - private MockMvc mockMvc; - +class Assignment7Test extends LessonTest { private static final String CHALLENGE_PATH = "/challenge/7"; private static final String RESET_PASSWORD_PATH = CHALLENGE_PATH + "/reset-password"; private static final String GIT_PATH = CHALLENGE_PATH + "/.git"; - @Mock private RestTemplate restTemplate; + @MockBean private RestTemplate restTemplate; @Value("${webwolf.mail.url}") String webWolfMailURL; - @BeforeEach - void setup() { - Assignment7 assignment7 = new Assignment7(new Flags(), restTemplate, webWolfMailURL); - init(assignment7); - mockMvc = 
standaloneSetup(assignment7).build(); - } - @Test @DisplayName("Reset password test") void resetPasswordTest() throws Exception { diff --git a/src/test/java/org/owasp/webgoat/lessons/chromedevtools/ChromeDevToolsTest.java b/src/test/java/org/owasp/webgoat/lessons/chromedevtools/ChromeDevToolsTest.java index 7d5f65d24..e0d1e5f9c 100644 --- a/src/test/java/org/owasp/webgoat/lessons/chromedevtools/ChromeDevToolsTest.java +++ b/src/test/java/org/owasp/webgoat/lessons/chromedevtools/ChromeDevToolsTest.java @@ -6,9 +6,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers. import org.hamcrest.Matchers; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; -import org.junit.jupiter.api.extension.ExtendWith; import org.owasp.webgoat.container.plugins.LessonTest; -import org.springframework.test.context.junit.jupiter.SpringExtension; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; import org.springframework.test.web.servlet.setup.MockMvcBuilders; @@ -16,7 +14,6 @@ import org.springframework.test.web.servlet.setup.MockMvcBuilders; * @author Benedikt Stuhrmann * @since 13/03/19. */ -@ExtendWith(SpringExtension.class) public class ChromeDevToolsTest extends LessonTest { @BeforeEach diff --git a/src/test/java/org/owasp/webgoat/lessons/cia/CIAQuizTest.java b/src/test/java/org/owasp/webgoat/lessons/cia/CIAQuizTest.java index a6da02a83..4f56116b9 100644 --- a/src/test/java/org/owasp/webgoat/lessons/cia/CIAQuizTest.java +++ b/src/test/java/org/owasp/webgoat/lessons/cia/CIAQuizTest.java 
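Review bot: ChromeDevToolsTest keeps `import org.springframework.test.web.servlet.setup.MockMvcBuilders;` and its own `@BeforeEach` after this commit, which suggests its setup (outside the hunk) still builds a MockMvc that LessonTest's setup now creates for every subclass; if so, the override should be removed so the test uses the shared instance instead of silently replacing it. Dropping `@ExtendWith(SpringExtension.class)` is only safe if LessonTest itself carries a Spring test annotation that registers the extension — the base class header is not in this diff, so please confirm.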
@@ -5,26 +5,19 @@ import static org.hamcrest.CoreMatchers.is; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; -import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; import org.owasp.webgoat.container.plugins.LessonTest; import org.springframework.test.web.servlet.MvcResult; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; -import org.springframework.test.web.servlet.setup.MockMvcBuilders; /** * @author Benedikt Stuhrmann * @since 13/03/19. */ -public class CIAQuizTest extends LessonTest { - - @BeforeEach - public void setup() { - this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build(); - } +class CIAQuizTest extends LessonTest { @Test - public void allAnswersCorrectIsSuccess() throws Exception { + void allAnswersCorrectIsSuccess() throws Exception { String[] solution0 = {"Solution 3"}; String[] solution1 = {"Solution 1"}; String[] solution2 = {"Solution 4"}; @@ -42,7 +35,7 @@ public class CIAQuizTest extends LessonTest { } @Test - public void oneAnswerWrongIsFailure() throws Exception { + void oneAnswerWrongIsFailure() throws Exception { String[] solution0 = {"Solution 1"}; String[] solution1 = {"Solution 1"}; String[] solution2 = {"Solution 4"}; @@ -60,7 +53,7 @@ public class CIAQuizTest extends LessonTest { } @Test - public void twoAnswersWrongIsFailure() throws Exception { + void twoAnswersWrongIsFailure() throws Exception { String[] solution0 = {"Solution 1"}; String[] solution1 = {"Solution 1"}; String[] solution2 = {"Solution 4"}; @@ -78,7 +71,7 @@ public class CIAQuizTest extends LessonTest { } @Test - public void threeAnswersWrongIsFailure() throws Exception { + void threeAnswersWrongIsFailure() throws Exception { String[] solution0 = {"Solution 1"}; String[] solution1 = {"Solution 1"}; String[] solution2 = {"Solution 1"}; 
@@ -96,7 +89,7 @@ public class CIAQuizTest extends LessonTest { } @Test - public void allAnswersWrongIsFailure() throws Exception { + void allAnswersWrongIsFailure() throws Exception { String[] solution0 = {"Solution 2"}; String[] solution1 = {"Solution 1"}; String[] solution2 = {"Solution 3"}; @@ -114,7 +107,7 @@ public class CIAQuizTest extends LessonTest { } @Test - public void allAnswersCorrectGetResultsReturnsTrueTrueTrueTrue() throws Exception { + void allAnswersCorrectGetResultsReturnsTrueTrueTrueTrue() throws Exception { String[] solution0 = {"Solution 3"}; String[] solution1 = {"Solution 1"}; String[] solution2 = {"Solution 4"}; @@ -138,7 +131,7 @@ public class CIAQuizTest extends LessonTest { } @Test - public void firstAnswerFalseGetResultsReturnsFalseTrueTrueTrue() throws Exception { + void firstAnswerFalseGetResultsReturnsFalseTrueTrueTrue() throws Exception { String[] solution0 = {"Solution 2"}; String[] solution1 = {"Solution 1"}; String[] solution2 = {"Solution 4"}; @@ -162,7 +155,7 @@ public class CIAQuizTest extends LessonTest { } @Test - public void secondAnswerFalseGetResultsReturnsTrueFalseTrueTrue() throws Exception { + void secondAnswerFalseGetResultsReturnsTrueFalseTrueTrue() throws Exception { String[] solution0 = {"Solution 3"}; String[] solution1 = {"Solution 2"}; String[] solution2 = {"Solution 4"}; @@ -186,7 +179,7 @@ public class CIAQuizTest extends LessonTest { } @Test - public void allAnswersFalseGetResultsReturnsFalseFalseFalseFalse() throws Exception { + void allAnswersFalseGetResultsReturnsFalseFalseFalseFalse() throws Exception { String[] solution0 = {"Solution 1"}; String[] solution1 = {"Solution 2"}; String[] solution2 = {"Solution 1"}; diff --git a/src/test/java/org/owasp/webgoat/lessons/clientsidefiltering/ShopEndpointTest.java b/src/test/java/org/owasp/webgoat/lessons/clientsidefiltering/ShopEndpointTest.java index b9ba65a95..e7d562a67 100644 
--- a/src/test/java/org/owasp/webgoat/lessons/clientsidefiltering/ShopEndpointTest.java +++ b/src/test/java/org/owasp/webgoat/lessons/clientsidefiltering/ShopEndpointTest.java @@ -30,9 +30,7 @@ import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standal import org.hamcrest.CoreMatchers; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; -import org.junit.jupiter.api.extension.ExtendWith; import org.owasp.webgoat.container.plugins.LessonTest; -import org.springframework.test.context.junit.jupiter.SpringExtension; import org.springframework.test.web.servlet.MockMvc; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; @@ -40,7 +38,6 @@ import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; * @author nbaars * @since 5/2/17. */ -@ExtendWith(SpringExtension.class) public class ShopEndpointTest extends LessonTest { private MockMvc mockMvc; diff --git a/src/test/java/org/owasp/webgoat/lessons/deserialization/DeserializeTest.java b/src/test/java/org/owasp/webgoat/lessons/deserialization/DeserializeTest.java index 802c8c672..59e59e1f4 100644 --- a/src/test/java/org/owasp/webgoat/lessons/deserialization/DeserializeTest.java +++ b/src/test/java/org/owasp/webgoat/lessons/deserialization/DeserializeTest.java 
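Review bot: ShopEndpointTest still declares `private MockMvc mockMvc;` (the context line ending the second hunk) and still imports `MockMvcBuilders.standaloneSetup`, so it shadows the `mockMvc` that LessonTest now initialises and keeps driving the controller through a standalone setup, outside the Spring context the rest of this commit moves lesson tests into. Removing the field and the standalone import and using the inherited instance would make it consistent with the other migrated tests; the setup method that builds the standalone MockMvc is outside this hunk.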
@@ -3,32 +3,17 @@ package org.owasp.webgoat.lessons.deserialization; import static org.hamcrest.Matchers.is; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; -import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup; import org.dummy.insecure.framework.VulnerableTaskHolder; import org.hamcrest.CoreMatchers; -import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; -import org.junit.jupiter.api.extension.ExtendWith; -import org.mockito.junit.jupiter.MockitoExtension; -import org.owasp.webgoat.container.assignments.AssignmentEndpointTest; -import org.springframework.test.web.servlet.MockMvc; +import org.owasp.webgoat.container.plugins.LessonTest; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; -@ExtendWith(MockitoExtension.class) -class DeserializeTest extends AssignmentEndpointTest { - - private MockMvc mockMvc; +class DeserializeTest extends LessonTest { private static String OS = System.getProperty("os.name").toLowerCase(); - @BeforeEach - void setup() { - InsecureDeserializationTask insecureTask = new InsecureDeserializationTask(); - init(insecureTask); - this.mockMvc = standaloneSetup(insecureTask).build(); - } - @Test void success() throws Exception { if (OS.indexOf("win") > -1) { @@ -75,8 +60,7 @@ class DeserializeTest extends AssignmentEndpointTest { .andExpect( jsonPath( "$.feedback", - CoreMatchers.is( - pluginMessages.getMessage("insecure-deserialization.invalidversion")))) + CoreMatchers.is(messages.getMessage("insecure-deserialization.invalidversion")))) .andExpect(jsonPath("$.lessonCompleted", is(false))); } 
@@ -90,7 +74,7 @@ class DeserializeTest extends AssignmentEndpointTest { .andExpect( jsonPath( "$.feedback", - CoreMatchers.is(pluginMessages.getMessage("insecure-deserialization.expired")))) + CoreMatchers.is(messages.getMessage("insecure-deserialization.expired")))) .andExpect(jsonPath("$.lessonCompleted", is(false))); } @@ -104,8 +88,7 @@ class DeserializeTest extends AssignmentEndpointTest { .andExpect( jsonPath( "$.feedback", - CoreMatchers.is( - pluginMessages.getMessage("insecure-deserialization.stringobject")))) + CoreMatchers.is(messages.getMessage("insecure-deserialization.stringobject")))) .andExpect(jsonPath("$.lessonCompleted", is(false))); } } diff --git a/src/test/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignmentTest.java b/src/test/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignmentTest.java index c5f05d4d5..6c23013ed 100644 --- a/src/test/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignmentTest.java +++ b/src/test/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignmentTest.java 
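Review bot: These assertions now compare the endpoint's feedback with `messages.getMessage(...)` from LessonTest instead of the deleted base's `pluginMessages`, which resolved against a fixed Locale.ENGLISH; the locale behind the new `messages` is not visible here and the MockMvc requests send no Accept-Language, so the expected and actual strings could be resolved in different locales if either side falls back to the JVM default. If LessonTest pins the locale this is fine; otherwise set it explicitly on the request (`.locale(Locale.ENGLISH)`) and resolve the expected message with the same locale so the test does not depend on the build machine.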
@@ -28,20 +28,14 @@ import static org.mockito.ArgumentMatchers.any; import static org.mockito.Mockito.lenient; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.cookie; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; -import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup; import jakarta.servlet.http.Cookie; import org.hamcrest.CoreMatchers; -import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; -import org.junit.jupiter.api.extension.ExtendWith; -import org.mockito.Mock; -import org.mockito.junit.jupiter.MockitoExtension; -import org.owasp.webgoat.container.assignments.AssignmentEndpointTest; +import org.owasp.webgoat.container.plugins.LessonTest; import org.owasp.webgoat.lessons.hijacksession.cas.Authentication; import org.owasp.webgoat.lessons.hijacksession.cas.HijackSessionAuthenticationProvider; -import org.springframework.test.util.ReflectionTestUtils; -import org.springframework.test.web.servlet.MockMvc; +import org.springframework.boot.test.mock.mockito.MockBean; import org.springframework.test.web.servlet.ResultActions; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; 
@@ -50,27 +44,14 @@ import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; * @author Angel Olle Blazquez * */ +class HijackSessionAssignmentTest extends LessonTest { -@ExtendWith(MockitoExtension.class) -class HijackSessionAssignmentTest extends AssignmentEndpointTest { - - private MockMvc mockMvc; private static final String COOKIE_NAME = "hijack_cookie"; private static final String LOGIN_CONTEXT_PATH = "/HijackSession/login"; - @Mock Authentication authenticationMock; + @MockBean Authentication authenticationMock; - @Mock HijackSessionAuthenticationProvider providerMock; - - HijackSessionAssignment assignment; - - @BeforeEach - void setup() { - assignment = new HijackSessionAssignment(); - init(assignment); - ReflectionTestUtils.setField(assignment, "provider", new HijackSessionAuthenticationProvider()); - mockMvc = standaloneSetup(assignment).build(); - } + @MockBean HijackSessionAuthenticationProvider providerMock; @Test void testValidCookie() throws Exception { @@ -78,7 +59,6 @@ class HijackSessionAssignmentTest extends AssignmentEndpointTest { lenient() .when(providerMock.authenticate(any(Authentication.class))) .thenReturn(authenticationMock); - ReflectionTestUtils.setField(assignment, "provider", providerMock); Cookie cookie = new Cookie(COOKIE_NAME, "value"); @@ -94,6 +74,10 @@ class HijackSessionAssignmentTest extends AssignmentEndpointTest { @Test void testBlankCookie() throws Exception { + lenient().when(authenticationMock.isAuthenticated()).thenReturn(false); + lenient() + .when(providerMock.authenticate(any(Authentication.class))) + .thenReturn(authenticationMock); ResultActions result = mockMvc.perform( MockMvcRequestBuilders.post(LOGIN_CONTEXT_PATH) diff --git a/src/test/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequestTest.java b/src/test/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequestTest.java index 4ba92bf70..77a6ddf42 100644 
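Review bot: testBlankCookie now stubs `providerMock.authenticate(any(Authentication.class))` to hand back a mock whose `isAuthenticated()` is false, so the blank-cookie rejection is asserted against the mock and no longer against `HijackSessionAuthenticationProvider`, which the deleted setup wired in as a real instance. If the point of this case is that the lesson's own provider refuses a blank cookie, keep the provider real for it (drop the `authenticate` stub here, or use `@SpyBean` instead of `@MockBean` on the provider) so a regression in that logic is still caught. The `lenient()` wrappers also switch off Mockito's unused-stub reporting; both stubs are consumed by this test, so they can probably be plain `when(...)`, though that depends on the strictness LessonTest configures, which is not visible here. The same stubbing pattern already appears in testValidCookie in the previous hunk.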
--- a/src/test/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequestTest.java +++ b/src/test/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequestTest.java @@ -24,31 +24,19 @@ package org.owasp.webgoat.lessons.httpproxies; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; -import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup; import org.hamcrest.CoreMatchers; -import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; import org.mockito.junit.jupiter.MockitoExtension; -import org.owasp.webgoat.container.assignments.AssignmentEndpointTest; -import org.springframework.test.web.servlet.MockMvc; +import org.owasp.webgoat.container.plugins.LessonTest; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; @ExtendWith(MockitoExtension.class) -public class HttpBasicsInterceptRequestTest extends AssignmentEndpointTest { - - private MockMvc mockMvc; - - @BeforeEach - public void setup() { - HttpBasicsInterceptRequest httpBasicsInterceptRequest = new HttpBasicsInterceptRequest(); - init(httpBasicsInterceptRequest); - this.mockMvc = standaloneSetup(httpBasicsInterceptRequest).build(); - } +public class HttpBasicsInterceptRequestTest extends LessonTest { @Test - public void success() throws Exception { + void success() throws Exception { mockMvc .perform( MockMvcRequestBuilders.get("/HttpProxies/intercept-request") 
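Review bot: `@ExtendWith(MockitoExtension.class)` and its two imports (`ExtendWith`, `MockitoExtension`) survive on the new side even though the class now extends LessonTest, whereas the sibling migrations in this commit (MissingFunctionACHiddenMenusTest, SpoofCookieAssignmentTest, CrossSiteScriptingLesson1Test, DOMCrossSiteScriptingTest, StoredXssCommentsTest) drop them. With no `@Mock` fields left in the class the extension contributes nothing, and stacking it on the Spring test context only invites confusion, so remove the annotation and the two imports. For consistency with those siblings the class could also lose `public` now that its test methods are package-private. The hunk ends inside the body of `success()`.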
@@ -58,12 +46,12 @@ public class HttpBasicsInterceptRequestTest extends AssignmentEndpointTest { .andExpect( jsonPath( "$.feedback", - CoreMatchers.is(pluginMessages.getMessage("http-proxies.intercept.success")))) + CoreMatchers.is(messages.getMessage("http-proxies.intercept.success")))) .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true))); } @Test - public void failure() throws Exception { + void failure() throws Exception { mockMvc .perform( MockMvcRequestBuilders.get("/HttpProxies/intercept-request") @@ -73,12 +61,12 @@ public class HttpBasicsInterceptRequestTest extends AssignmentEndpointTest { .andExpect( jsonPath( "$.feedback", - CoreMatchers.is(pluginMessages.getMessage("http-proxies.intercept.failure")))) + CoreMatchers.is(messages.getMessage("http-proxies.intercept.failure")))) .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false))); } @Test - public void missingParam() throws Exception { + void missingParam() throws Exception { mockMvc .perform( MockMvcRequestBuilders.get("/HttpProxies/intercept-request") @@ -87,12 +75,12 @@ public class HttpBasicsInterceptRequestTest extends AssignmentEndpointTest { .andExpect( jsonPath( "$.feedback", - CoreMatchers.is(pluginMessages.getMessage("http-proxies.intercept.failure")))) + CoreMatchers.is(messages.getMessage("http-proxies.intercept.failure")))) .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false))); } @Test - public void missingHeader() throws Exception { + void missingHeader() throws Exception { mockMvc .perform( MockMvcRequestBuilders.get("/HttpProxies/intercept-request") 
@@ -101,12 +89,12 @@ public class HttpBasicsInterceptRequestTest extends AssignmentEndpointTest { .andExpect( jsonPath( "$.feedback", - CoreMatchers.is(pluginMessages.getMessage("http-proxies.intercept.failure")))) + CoreMatchers.is(messages.getMessage("http-proxies.intercept.failure")))) .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false))); } @Test - public void whenPostAssignmentShouldNotPass() throws Exception { + void whenPostAssignmentShouldNotPass() throws Exception { mockMvc .perform( MockMvcRequestBuilders.post("/HttpProxies/intercept-request") @@ -116,7 +104,7 @@ public class HttpBasicsInterceptRequestTest extends AssignmentEndpointTest { .andExpect( jsonPath( "$.feedback", - CoreMatchers.is(pluginMessages.getMessage("http-proxies.intercept.failure")))) + CoreMatchers.is(messages.getMessage("http-proxies.intercept.failure")))) .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false))); } } diff --git a/src/test/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpointTest.java b/src/test/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpointTest.java index 7972c7b9e..5abb6fdaf 100644 --- a/src/test/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpointTest.java +++ b/src/test/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpointTest.java @@ -65,7 +65,6 @@ public class JWTRefreshEndpointTest extends LessonTest { .andReturn(); Map tokens = objectMapper.readValue(result.getResponse().getContentAsString(), Map.class); - String accessToken = tokens.get("access_token"); String refreshToken = tokens.get("refresh_token"); // Now create a new refresh token for Tom based on Toms old access token and send the refresh diff --git a/src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACHiddenMenusTest.java b/src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACHiddenMenusTest.java index d55c08814..01f381839 100644 --- a/src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACHiddenMenusTest.java 
+++ b/src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACHiddenMenusTest.java @@ -23,31 +23,16 @@ package org.owasp.webgoat.lessons.missingac; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; -import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup; import org.hamcrest.CoreMatchers; -import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; -import org.junit.jupiter.api.extension.ExtendWith; -import org.mockito.junit.jupiter.MockitoExtension; -import org.owasp.webgoat.container.assignments.AssignmentEndpointTest; -import org.springframework.test.web.servlet.MockMvc; +import org.owasp.webgoat.container.plugins.LessonTest; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; -@ExtendWith(MockitoExtension.class) -public class MissingFunctionACHiddenMenusTest extends AssignmentEndpointTest { - - private MockMvc mockMvc; - - @BeforeEach - public void setup() { - MissingFunctionACHiddenMenus hiddenMenus = new MissingFunctionACHiddenMenus(); - init(hiddenMenus); - this.mockMvc = standaloneSetup(hiddenMenus).build(); - } +class MissingFunctionACHiddenMenusTest extends LessonTest { @Test - public void HiddenMenusSuccess() throws Exception { + void HiddenMenusSuccess() throws Exception { mockMvc .perform( MockMvcRequestBuilders.post("/access-control/hidden-menu") @@ -56,12 +41,12 @@ public class MissingFunctionACHiddenMenusTest extends AssignmentEndpointTest { .andExpect( jsonPath( "$.feedback", - CoreMatchers.is(pluginMessages.getMessage("access-control.hidden-menus.success")))) + CoreMatchers.is(messages.getMessage("access-control.hidden-menus.success")))) .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true))); } @Test - public void HiddenMenusClose() throws Exception { + void HiddenMenusClose() throws Exception { mockMvc .perform( MockMvcRequestBuilders.post("/access-control/hidden-menu") 
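Review bot: The rewritten signatures keep UpperCamelCase method names (`HiddenMenusSuccess`, `HiddenMenusClose`) although the lines are being touched anyway; Java convention is lowerCamelCase for methods, e.g. `void hiddenMenusSuccess() throws Exception {`. The same applies to `HiddenMenusFailure` in the next hunk of this file. The hunk ends inside the body of `HiddenMenusClose`.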
@@ -70,12 +55,12 @@ public class MissingFunctionACHiddenMenusTest extends AssignmentEndpointTest { .andExpect( jsonPath( "$.feedback", - CoreMatchers.is(pluginMessages.getMessage("access-control.hidden-menus.close")))) + CoreMatchers.is(messages.getMessage("access-control.hidden-menus.close")))) .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false))); } @Test - public void HiddenMenusFailure() throws Exception { + void HiddenMenusFailure() throws Exception { mockMvc .perform( MockMvcRequestBuilders.post("/access-control/hidden-menu") @@ -84,7 +69,7 @@ public class MissingFunctionACHiddenMenusTest extends AssignmentEndpointTest { .andExpect( jsonPath( "$.feedback", - CoreMatchers.is(pluginMessages.getMessage("access-control.hidden-menus.failure")))) + CoreMatchers.is(messages.getMessage("access-control.hidden-menus.failure")))) .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false))); } } diff --git a/src/test/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignmentTest.java b/src/test/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignmentTest.java index 23ac86607..6d07a9118 100644 --- a/src/test/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignmentTest.java +++ b/src/test/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignmentTest.java 
@@ -7,18 +7,15 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
 import org.assertj.core.api.Assertions;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
 import org.owasp.webgoat.container.plugins.LessonTest;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.core.io.ResourceLoader;
 import org.springframework.http.HttpHeaders;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.MvcResult;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 
-@ExtendWith(SpringExtension.class)
 class ResetLinkAssignmentTest extends LessonTest {
 
 @Value("${webwolf.host}")
diff --git a/src/test/java/org/owasp/webgoat/lessons/passwordreset/SecurityQuestionAssignmentTest.java b/src/test/java/org/owasp/webgoat/lessons/passwordreset/SecurityQuestionAssignmentTest.java
index 1bc0e8b33..26ce4ed23 100644
--- a/src/test/java/org/owasp/webgoat/lessons/passwordreset/SecurityQuestionAssignmentTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/passwordreset/SecurityQuestionAssignmentTest.java
@@ -6,15 +6,12 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
 import org.owasp.webgoat.container.plugins.LessonTest;
 import org.springframework.mock.web.MockHttpSession;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 
-@ExtendWith(SpringExtension.class)
 public class SecurityQuestionAssignmentTest extends LessonTest {
 
 private MockMvc mockMvc;
diff --git a/src/test/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignmentTest.java b/src/test/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignmentTest.java
index 9d5e7055e..9e0302af6 100644
--- a/src/test/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignmentTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignmentTest.java
@@ -28,22 +28,17 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers. import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.cookie; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; -import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup; import jakarta.servlet.http.Cookie; import java.util.stream.Stream; import org.hamcrest.CoreMatchers; -import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.DisplayName; import org.junit.jupiter.api.Test; -import org.junit.jupiter.api.extension.ExtendWith; import org.junit.jupiter.params.ParameterizedTest; import org.junit.jupiter.params.provider.Arguments; import org.junit.jupiter.params.provider.MethodSource; -import org.mockito.junit.jupiter.MockitoExtension; -import org.owasp.webgoat.container.assignments.AssignmentEndpointTest; +import org.owasp.webgoat.container.plugins.LessonTest; import org.springframework.http.MediaType; -import org.springframework.test.web.servlet.MockMvc; import org.springframework.test.web.servlet.ResultActions; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; 
@@ -53,21 +48,12 @@ import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; * */ -@ExtendWith(MockitoExtension.class) -class SpoofCookieAssignmentTest extends AssignmentEndpointTest { +class SpoofCookieAssignmentTest extends LessonTest { - private MockMvc mockMvc; private static final String COOKIE_NAME = "spoof_auth"; private static final String LOGIN_CONTEXT_PATH = "/SpoofCookie/login"; private static final String ERASE_COOKIE_CONTEXT_PATH = "/SpoofCookie/cleanup"; - @BeforeEach - void setup() { - SpoofCookieAssignment spoofCookieAssignment = new SpoofCookieAssignment(); - init(spoofCookieAssignment); - mockMvc = standaloneSetup(spoofCookieAssignment).build(); - } - @Test @DisplayName("Lesson completed") void success() throws Exception { diff --git a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/SqlLessonTest.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/SqlLessonTest.java deleted file mode 100644 index 9dd008dde..000000000 --- a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/SqlLessonTest.java +++ /dev/null 
@@ -1,35 +0,0 @@
-/*
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 2019 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
- */
-
-package org.owasp.webgoat.lessons.sqlinjection;
-
-import org.junit.jupiter.api.BeforeEach;
-import org.owasp.webgoat.container.plugins.LessonTest;
-import org.springframework.test.web.servlet.setup.MockMvcBuilders;
-
-public class SqlLessonTest extends LessonTest {
-
- @BeforeEach
- public void setup() {
- this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
- }
-}
diff --git a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10Test.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10Test.java
index 8bb4444e2..329c28875 100644
--- a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10Test.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10Test.java
@@ -27,14 +27,14 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers. import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; import org.junit.jupiter.api.Test; -import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest; +import org.owasp.webgoat.container.plugins.LessonTest; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; /** * @author Benedikt Stuhrmann * @since 11/07/18. */ -public class SqlInjectionLesson10Test extends SqlLessonTest { +public class SqlInjectionLesson10Test extends LessonTest { private String completedError = "JSON path \"lessonCompleted\""; diff --git a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson2Test.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson2Test.java index c71cc2d6c..177fbb79a 100644 --- a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson2Test.java +++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson2Test.java @@ -27,10 +27,10 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers. import org.hamcrest.CoreMatchers; import org.junit.jupiter.api.Test; -import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest; +import org.owasp.webgoat.container.plugins.LessonTest; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; -public class SqlInjectionLesson2Test extends SqlLessonTest { +public class SqlInjectionLesson2Test extends LessonTest { @Test public void solution() throws Exception { diff --git a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5Test.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5Test.java index 3dcaafbc8..256957a99 100644 --- a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5Test.java 
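Review bot: SqlInjectionLesson10Test and the other sqlinjection tests in this commit now extend LessonTest directly and thereby lose the `@BeforeEach` from the deleted SqlLessonTest, which built `mockMvc` via `MockMvcBuilders.webAppContextSetup(this.wac)`. LessonTest itself is not in this diff; if it does not initialise `mockMvc` for subclasses, every `mockMvc.perform(...)` in these classes will fail with a NullPointerException. The fact that SSRFTest1, SSRFTest2 and ResetLinkAssignmentTest still carry their own `@BeforeEach` suggests the setup used to be per-class, so please confirm the base class now provides it, and consider a one-line Javadoc on LessonTest stating that `mockMvc` is initialised for subclasses.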
+++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5Test.java @@ -30,11 +30,11 @@ import org.hamcrest.CoreMatchers; import org.junit.jupiter.api.AfterEach; import org.junit.jupiter.api.Test; import org.owasp.webgoat.container.LessonDataSource; -import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest; +import org.owasp.webgoat.container.plugins.LessonTest; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; -public class SqlInjectionLesson5Test extends SqlLessonTest { +public class SqlInjectionLesson5Test extends LessonTest { @Autowired private LessonDataSource dataSource; diff --git a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5aTest.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5aTest.java index db48b6643..23ead11be 100644 --- a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5aTest.java +++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5aTest.java @@ -29,10 +29,10 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers. import org.junit.jupiter.api.Disabled; import org.junit.jupiter.api.Test; -import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest; +import org.owasp.webgoat.container.plugins.LessonTest; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; -public class SqlInjectionLesson5aTest extends SqlLessonTest { +public class SqlInjectionLesson5aTest extends LessonTest { @Test public void knownAccountShouldDisplayData() throws Exception { diff --git a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson6aTest.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson6aTest.java index 4ca0469b8..d28b47b53 100644 
--- a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson6aTest.java +++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson6aTest.java @@ -28,10 +28,10 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers. import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; import org.junit.jupiter.api.Test; -import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest; +import org.owasp.webgoat.container.plugins.LessonTest; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; -public class SqlInjectionLesson6aTest extends SqlLessonTest { +public class SqlInjectionLesson6aTest extends LessonTest { @Test public void wrongSolution() throws Exception { diff --git a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson6bTest.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson6bTest.java index 6bb702178..6e6921449 100644 --- a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson6bTest.java +++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson6bTest.java @@ -27,10 +27,10 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers. import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; import org.junit.jupiter.api.Test; -import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest; +import org.owasp.webgoat.container.plugins.LessonTest; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; -public class SqlInjectionLesson6bTest extends SqlLessonTest { +public class SqlInjectionLesson6bTest extends LessonTest { @Test public void submitCorrectPassword() throws Exception { 
diff --git a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8Test.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8Test.java index 8ab7e242e..0152e106f 100644 --- a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8Test.java +++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8Test.java @@ -28,14 +28,14 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers. import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; import org.junit.jupiter.api.Test; -import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest; +import org.owasp.webgoat.container.plugins.LessonTest; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; /** * @author Benedikt Stuhrmann * @since 11/07/18. */ -public class SqlInjectionLesson8Test extends SqlLessonTest { +public class SqlInjectionLesson8Test extends LessonTest { @Test public void oneAccount() throws Exception { diff --git a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9Test.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9Test.java index 44438f6c0..9cac06a8c 100644 --- a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9Test.java +++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9Test.java 
@@ -28,14 +28,14 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers. import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; import org.junit.jupiter.api.Test; -import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest; +import org.owasp.webgoat.container.plugins.LessonTest; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; /** * @author Benedikt Stuhrmann * @since 11/07/18. */ -public class SqlInjectionLesson9Test extends SqlLessonTest { +public class SqlInjectionLesson9Test extends LessonTest { private final String completedError = "JSON path \"lessonCompleted\""; diff --git a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson13Test.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson13Test.java index c319ba89e..9155c7d65 100644 --- a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson13Test.java +++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson13Test.java @@ -5,14 +5,14 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers. import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; import org.junit.jupiter.api.Test; -import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest; +import org.owasp.webgoat.container.plugins.LessonTest; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; /** * @author nbaars * @since 5/21/17. */ -public class SqlInjectionLesson13Test extends SqlLessonTest { +public class SqlInjectionLesson13Test extends LessonTest { @Test public void knownAccountShouldDisplayData() throws Exception { 
diff --git a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationOnKeywordsTest.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationOnKeywordsTest.java index c160f2a94..2442ccbfa 100644 --- a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationOnKeywordsTest.java +++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationOnKeywordsTest.java @@ -6,10 +6,10 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers. import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; import org.junit.jupiter.api.Test; -import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest; +import org.owasp.webgoat.container.plugins.LessonTest; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; -public class SqlOnlyInputValidationOnKeywordsTest extends SqlLessonTest { +public class SqlOnlyInputValidationOnKeywordsTest extends LessonTest { @Test public void solve() throws Exception { @@ -40,6 +40,6 @@ public class SqlOnlyInputValidationOnKeywordsTest extends SqlLessonTest { containsString( "unexpected token: *
Your query was: SELECT * FROM user_data WHERE" + " last_name =" - + " 'SMITH';\\\\\\/**\\\\\\/*\\\\\\/**\\\\\\/\\\\\\/**\\\\\\/USER_SYSTEM_DATA;--'"))); + + " 'SMITH';\\/**\\/*\\/**\\/\\/**\\/USER_SYSTEM_DATA;--'"))); } } diff --git a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationTest.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationTest.java index 48888f3de..13f8f06e8 100644 --- a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationTest.java +++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationTest.java @@ -6,10 +6,10 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers. import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; import org.junit.jupiter.api.Test; -import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest; +import org.owasp.webgoat.container.plugins.LessonTest; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; -public class SqlOnlyInputValidationTest extends SqlLessonTest { +public class SqlOnlyInputValidationTest extends LessonTest { @Test public void solve() throws Exception { diff --git a/src/test/java/org/owasp/webgoat/lessons/ssrf/SSRFTest1.java b/src/test/java/org/owasp/webgoat/lessons/ssrf/SSRFTest1.java index dcc72ab2a..2954d1a58 100644 --- a/src/test/java/org/owasp/webgoat/lessons/ssrf/SSRFTest1.java +++ b/src/test/java/org/owasp/webgoat/lessons/ssrf/SSRFTest1.java 
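Review bot: The expected feedback now contains `\\/**\\/` (one literal backslash per slash at runtime) in place of three, but nothing in this diff shows the input side of the test changing, so the reason for the new escaping cannot be seen here; a short comment above the assertion giving the exact echoed query the lesson is expected to produce would save the next reader from working it out from escape counts. Pinning the assertion to HSQLDB's `unexpected token` wording also ties the test to the database version; if that wording is not what the test is about, matching on the echoed query alone would be more robust. The enclosing test method starts in the previous hunk.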
@@ -6,9 +6,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
 
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
 import org.owasp.webgoat.container.plugins.LessonTest;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 
@@ -16,7 +14,6 @@ import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 * @author afry
 * @since 12/28/18.
 */
-@ExtendWith(SpringExtension.class)
 public class SSRFTest1 extends LessonTest {
 
 @BeforeEach
diff --git a/src/test/java/org/owasp/webgoat/lessons/ssrf/SSRFTest2.java b/src/test/java/org/owasp/webgoat/lessons/ssrf/SSRFTest2.java
index d2b391882..37521d5b1 100644
--- a/src/test/java/org/owasp/webgoat/lessons/ssrf/SSRFTest2.java
+++ b/src/test/java/org/owasp/webgoat/lessons/ssrf/SSRFTest2.java
@@ -28,9 +28,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
 
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
 import org.owasp.webgoat.container.plugins.LessonTest;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 
@@ -38,7 +36,6 @@ import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 * @author afry
 * @since 12/28/18.
 */
-@ExtendWith(SpringExtension.class)
 public class SSRFTest2 extends LessonTest {
 
 @BeforeEach
diff --git a/src/test/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson1Test.java b/src/test/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson1Test.java
index 3f5f1d22e..ea8121914 100644
--- a/src/test/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson1Test.java +++ b/src/test/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson1Test.java @@ -25,35 +25,19 @@ package org.owasp.webgoat.lessons.xss; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; -import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup; import org.hamcrest.CoreMatchers; -import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; -import org.junit.jupiter.api.extension.ExtendWith; -import org.mockito.junit.jupiter.MockitoExtension; -import org.owasp.webgoat.container.assignments.AssignmentEndpointTest; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.test.web.servlet.MockMvc; +import org.owasp.webgoat.container.plugins.LessonTest; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; /** * @author Angel Olle Blazquez */ -@ExtendWith(MockitoExtension.class) -class CrossSiteScriptingLesson1Test extends AssignmentEndpointTest { +class CrossSiteScriptingLesson1Test extends LessonTest { private static final String CONTEXT_PATH = "/CrossSiteScripting/attack1"; - @Autowired private MockMvc mockMvc; - - @BeforeEach - public void setup() { - CrossSiteScriptingLesson1 crossSiteScriptingLesson1 = new CrossSiteScriptingLesson1(); - init(crossSiteScriptingLesson1); - mockMvc = standaloneSetup(crossSiteScriptingLesson1).build(); - } - @Test void success() throws Exception { mockMvc diff --git a/src/test/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScriptingTest.java b/src/test/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScriptingTest.java index ed6a31b0b..253460917 100644 --- a/src/test/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScriptingTest.java +++ b/src/test/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScriptingTest.java 
@@ -24,33 +24,16 @@ package org.owasp.webgoat.lessons.xss;
 
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
 
 import org.hamcrest.CoreMatchers;
-import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.mockito.junit.jupiter.MockitoExtension;
-import org.owasp.webgoat.container.assignments.AssignmentEndpointTest;
-import org.owasp.webgoat.container.session.LessonSession;
-import org.springframework.test.web.servlet.MockMvc;
+import org.owasp.webgoat.container.plugins.LessonTest;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
-@ExtendWith(MockitoExtension.class)
-public class DOMCrossSiteScriptingTest extends AssignmentEndpointTest {
-  private MockMvc mockMvc;
-
-  @BeforeEach
-  public void setup() {
-    LessonSession lessonSession = new LessonSession();
-    DOMCrossSiteScripting domXss = new DOMCrossSiteScripting(lessonSession);
-    init(domXss);
-    this.mockMvc = standaloneSetup(domXss).build();
-    CrossSiteScripting xss = new CrossSiteScripting();
-  }
+public class DOMCrossSiteScriptingTest extends LessonTest {
 
   @Test
-  public void success() throws Exception {
+  void success() throws Exception {
     mockMvc
         .perform(
             MockMvcRequestBuilders.post("/CrossSiteScripting/phone-home-xss")
@@ -62,7 +45,7 @@ public class DOMCrossSiteScriptingTest extends AssignmentEndpointTest {
   }
 
   @Test
-  public void failure() throws Exception {
+  void failure() throws Exception {
     mockMvc
         .perform(
             MockMvcRequestBuilders.post("/CrossSiteScripting/phone-home-xss")
diff --git a/src/test/java/org/owasp/webgoat/lessons/xss/StoredXssCommentsTest.java b/src/test/java/org/owasp/webgoat/lessons/xss/StoredXssCommentsTest.java
index 11a54ff34..23de7d082 100644
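Review bot: Test isolation between `success` and `failure` is no longer guaranteed once the per-test `LessonSession` and `DOMCrossSiteScripting` construction is gone: both methods now run against whatever instance `LessonTest` wires, so state the assignment keeps in the session can carry over from one method to the next. `LessonTest` is not visible in this diff, so this depends on how it scopes the lesson beans; if it loads a shared Spring context, the second test may observe the phone-home state the first one left behind. The same concern applies to the `StoredXssCommentsTest` hunk, where comments posted in one test are no longer discarded with a fresh `StoredXssComments` instance. Either reset that state in `LessonTest`'s setup or document the assumption on the class, e.g. `// Relies on LessonTest resetting lesson/session state between test methods`. The bodies of `success` and `failure` continue outside the hunk.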
--- a/src/test/java/org/owasp/webgoat/lessons/xss/StoredXssCommentsTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/xss/StoredXssCommentsTest.java
@@ -24,32 +24,16 @@ package org.owasp.webgoat.lessons.xss;
 
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
 
 import org.hamcrest.CoreMatchers;
-import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.mockito.junit.jupiter.MockitoExtension;
-import org.owasp.webgoat.container.assignments.AssignmentEndpointTest;
-import org.owasp.webgoat.lessons.xss.stored.StoredXssComments;
+import org.owasp.webgoat.container.plugins.LessonTest;
 import org.springframework.http.MediaType;
-import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.MvcResult;
 import org.springframework.test.web.servlet.ResultActions;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
-@ExtendWith(MockitoExtension.class)
-class StoredXssCommentsTest extends AssignmentEndpointTest {
-
-  private MockMvc mockMvc;
-
-  @BeforeEach
-  void setup() {
-    StoredXssComments storedXssComments = new StoredXssComments();
-    init(storedXssComments);
-    this.mockMvc = standaloneSetup(storedXssComments).build();
-  }
+class StoredXssCommentsTest extends LessonTest {
 
   @Test
   void success() throws Exception {
