Images from solutions are loading again

Nanne Baars 2016-04-09 13:36:06 +02:00
parent 8ff02cab6d
commit a8ea4a16e6
12 changed files with 79 additions and 308 deletions


@ -110,8 +110,8 @@
<artifactId>maven-compiler-plugin</artifactId>
<version>${maven-compiler-plugin.version}</version>
<configuration>
<source>1.7</source>
<target>1.7</target>
<source>1.8</source>
<target>1.8</target>
<encoding>ISO-8859-1</encoding>
</configuration>
</plugin>


@ -5,9 +5,15 @@ import org.owasp.webgoat.session.WebgoatContext;
import org.springframework.boot.context.embedded.ServletRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.core.io.Resource;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
import java.io.File;
import java.io.IOException;
/**
*
*/
@ -25,6 +31,18 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter {
return new ServletRegistrationBean(hammerHead, "/attack/*");
}
@Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
Resource resource = new ClassPathResource("/plugin_lessons/plugin_lessons_marker.txt");
try {
File pluginsDir = resource.getFile().getParentFile();
registry.addResourceHandler("/plugin_lessons/**").addResourceLocations("file:///" + pluginsDir.toString() + "/");
} catch (IOException e) {
e.printStackTrace();
}
}
@Bean
public HammerHead hammerHead(WebgoatContext context) {
return new HammerHead(context);
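Review bot: In `addResourceHandlers` (second hunk) the `IOException` path only calls `e.printStackTrace()`, so when `resource.getFile()` fails the `/plugin_lessons/**` handler is silently never registered and the only symptom is missing images again; log it through the application's logger with the resource path and the exception as cause instead. The location is also built by hand as `"file:///" + pluginsDir.toString() + "/"`, which yields a malformed URL for paths containing backslashes or spaces, whereas `pluginsDir.toURI().toString()` gives a correctly encoded location that ends with `/` for a directory. This exposes the marker file's entire parent directory, not only image files, and WebSecurityConfig permits it without authentication, so a comment stating what is expected to live there would help: `// Serves the whole plugin_lessons directory (lesson images); nothing sensitive may be stored here`. `resource.getFile()` presumably only works when the resource is on the file system rather than inside a jar — worth confirming for the packaged deployment. The class `MvcConfiguration` starts before this hunk.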


@ -17,7 +17,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security = http
.authorizeRequests()
.antMatchers("/css/**", "/images/**", "/js/**", "fonts/**", "/plugins/**").permitAll()
.antMatchers("/css/**", "/images/**", "/js/**", "fonts/**", "/plugins/**", "plugin_lessons/**").permitAll()
.antMatchers("/servlet/AdminServlet/**").hasAnyRole("WEBGOAT_ADMIN", "SERVER_ADMIN") //
.antMatchers("/JavaSource/**").hasRole("SERVER_ADMIN") //
.anyRequest().hasAnyRole("WEBGOAT_USER", "WEBGOAT_ADMIN", "SERVER_ADMIN");
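Review bot: The new pattern `"plugin_lessons/**"` on the `permitAll()` matcher has no leading slash, unlike the other new-style entries; Spring Security's ant matchers compare against the servlet path, which begins with `/`, so this pattern most likely never matches and `/plugin_lessons/...` requests fall through to `anyRequest().hasAnyRole(...)`. That still serves the images to logged-in users, which may be why it appears to work, but unauthenticated requests are redirected instead. The fix is `"/plugin_lessons/**"` (the pre-existing `"fonts/**"` has the same problem). Also consider whether the directory should be public at all, since MvcConfiguration maps the whole plugin directory under this path. `configure` continues outside the hunk.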


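--- a/org/owasp/webgoat/controller/Login.java
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
-* To change this license header, choose License Headers in Project Properties.
-* To change this template file, choose Tools | Templates
-* and open the template in the editor.
-*/
-package org.owasp.webgoat.controller;
-/**
-* <p>Login class.</p>
-*
-* @author rlawson
-* @version $Id: $Id
-*/
-//@Controller
-public class Login {
-// /**
-// * <p>login.</p>
-// *
-// * @param error a {@link java.lang.String} object.
-// * @param logout a {@link java.lang.String} object.
-// * @return a {@link org.springframework.web.servlet.ModelAndView} object.
-// */
-// @RequestMapping(path = "login.mvc", method = RequestMethod.GET)
-// public ModelAndView login(
-// @RequestParam(value = "error", required = false) String error,
-// @RequestParam(value = "logout", required = false) String logout) {
-//
-// ModelAndView model = new ModelAndView();
-// if (error != null) {
-// model.addObject("error", "Invalid username and password!");
-// }
-//
-// if (logout != null) {
-// model.addObject("msg", "You've been logged out successfully.");
-// }
-// model.setViewName("login");
-//
-// return model;
-//
-// }
-}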


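--- a/org/owasp/webgoat/controller/Logout.java
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
-* To change this license header, choose License Headers in Project Properties.
-* To change this template file, choose Tools | Templates
-* and open the template in the editor.
-*/
-package org.owasp.webgoat.controller;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.servlet.ModelAndView;
-/**
-* <p>Logout class.</p>
-*
-* @author rlawson
-* @version $Id: $Id
-*/
-@Controller
-public class Logout {
-final Logger logger = LoggerFactory.getLogger(Logout.class);
-/**
-* <p>logout.</p>
-*
-* @param error a {@link java.lang.String} object.
-* @param logout a {@link java.lang.String} object.
-* @return a {@link org.springframework.web.servlet.ModelAndView} object.
-*/
-@RequestMapping(path = "logout.mvc", method = RequestMethod.GET)
-public ModelAndView logout(
-@RequestParam(value = "error", required = false) String error,
-@RequestParam(value = "logout", required = false) String logout) {
-logger.info("Logging user out");
-ModelAndView model = new ModelAndView();
-if (error != null) {
-model.addObject("error", "Invalid username and password!");
-}
-if (logout != null) {
-model.addObject("msg", "You've been logged out successfully.");
-}
-model.setViewName("logout");
-return model;
-}
-}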


@ -10,10 +10,10 @@ import org.apache.ecs.html.Html;
import org.apache.ecs.html.IMG;
import org.apache.ecs.html.PRE;
import org.apache.ecs.html.Title;
import org.owasp.webgoat.session.WebgoatContext;
import org.owasp.webgoat.session.ParameterNotFoundException;
import org.owasp.webgoat.session.Screen;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.session.WebgoatContext;
import org.owasp.webgoat.session.WebgoatProperties;
import org.owasp.webgoat.util.BeanProvider;
import org.owasp.webgoat.util.LabelManager;
@ -36,34 +36,34 @@ import java.util.List;
import java.util.Map;
/**
*************************************************************************************************
*
*
* ************************************************************************************************
* <p>
* <p>
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* <p>
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* <p>
* Getting Source ==============
*
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @since October 28, 2003
* @version $Id: $Id
* @since October 28, 2003
*/
public abstract class AbstractLesson extends Screen implements Comparable<Object> {
@ -74,7 +74,9 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
*/
public final static String ADMIN_ROLE = "admin";
/** Constant <code>CHALLENGE_ROLE="challenge"</code> */
/**
* Constant <code>CHALLENGE_ROLE="challenge"</code>
*/
public final static String CHALLENGE_ROLE = "challenge";
/**
@ -185,7 +187,7 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
/**
* {@inheritDoc}
*
* <p>
* Description of the Method
*/
public int compareTo(Object obj) {
@ -194,7 +196,7 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
/**
* {@inheritDoc}
*
* <p>
* Description of the Method
*/
public boolean equals(Object obj) {
@ -368,6 +370,7 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
// @TODO we need to restrict access at the service layer
// rather than passing session object around
/**
* <p>getHintsPublic.</p>
*
@ -384,8 +387,8 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
* stuck on somthing silly.
*
* @param s The users WebSession
* @return The hint1 value
* @param hintNumber a int.
* @return The hint1 value
*/
public String getHint(WebSession s, int hintNumber) {
return "Hint: " + getHints(s).get(hintNumber);
@ -394,8 +397,8 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
/**
* Gets the instructions attribute of the AbstractLesson object
*
* @return The instructions value
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return The instructions value
*/
public abstract String getInstructions(WebSession s);
@ -567,11 +570,13 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
* @return a {@link java.lang.String} object.
*/
public String getRawSource(WebSession s) {
String src;
String src = "";
try {
logger.debug("Loading source file: " + getSourceFileName());
if (getSourceFileName() != null) {
src = readFromFile(new BufferedReader(new FileReader(getSourceFileName())), false);
}
} catch (FileNotFoundException e) {
s.setMessage("Could not find source file");
@ -613,12 +618,12 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
/**
* <p>Returns the default "path" portion of a lesson's URL.</p>
*
*
* <p>
* <p>
* Legacy webgoat lesson links are of the form
* "attack?Screen=Xmenu=Ystage=Z". This method returns the path portion of
* the url, i.e., "attack" in the string above.
*
* <p>
* Newer, Spring-Controller-based classes will override this method to
* return "*.do"-styled paths.
*
@ -630,7 +635,7 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
/**
* Get the link that can be used to request this screen.
*
* <p>
* Rendering the link in the browser may result in Javascript sending
* additional requests to perform necessary actions or to obtain data
* relevant to the lesson or the element of the lesson selected by the
@ -651,7 +656,7 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
/**
* Get the link to the target servlet.
*
* <p>
* Unlike getLink() this method does not require rendering the output of
* the request to the link in order to execute the servlet's method with
* conventional HTTP query parameters.
@ -999,6 +1004,4 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
}
}
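Review bot: In the `getRawSource` hunk (`@ -567,11 +570,13 @@`) the listing is read through `new FileReader(getSourceFileName())`, which uses the platform default charset; the build pins `ISO-8859-1` in the pom, so if the lesson sources share that encoding the listing comes out garbled on a UTF-8 host — open it with an explicit charset, e.g. `new BufferedReader(new InputStreamReader(new FileInputStream(getSourceFileName()), StandardCharsets.ISO_8859_1))` (or whichever encoding the lesson sources actually use). Initialising `src` to `""` now makes a lesson without a source file indistinguishable from an empty file; a short comment on the `if (getSourceFileName() != null)` branch saying that such lessons intentionally return an empty listing would make that explicit. Whether `readFromFile` closes the reader is not visible here; if it does not, a reader leaks on every call. `getRawSource` continues outside the hunk.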


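--- a/org/owasp/webgoat/lessons/model/HttpBasicsModel.java
+++ /dev/null
@@ -1,59 +0,0 @@
-/***************************************************************************************************
-*
-*
-* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
-* please see http://www.owasp.org/
-*
-* Copyright (c) 2002 - 20014 Bruce Mayhew
-*
-* This program is free software; you can redistribute it and/or modify it under the terms of the
-* GNU General Public License as published by the Free Software Foundation; either version 2 of the
-* License, or (at your option) any later version.
-*
-* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
-* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-* General Public License for more details.
-*
-* You should have received a copy of the GNU General Public License along with this program; if
-* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
-* 02111-1307, USA.
-*
-* Getting Source ==============
-*
-* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
-* projects.
-*
-*/
-package org.owasp.webgoat.lessons.model;
-/**
-* Model component for the Http Basics lesson. Using a model
-* for that simple lesson is architectural overkill. We do it anyway
-* for illustrative purposes - to demonstrate the pattern that we will
-* use for more complex lessons.
-*
-* @version $Id: $Id
-* @author dm
-*/
-public class HttpBasicsModel {
-private String personName;
-/**
-* <p>Getter for the field <code>personName</code>.</p>
-*
-* @return a {@link java.lang.String} object.
-*/
-public String getPersonName() {
-return personName;
-}
-/**
-* <p>Setter for the field <code>personName</code>.</p>
-*
-* @param personName a {@link java.lang.String} object.
-*/
-public void setPersonName(String personName) {
-this.personName = personName;
-}
-}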


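--- a/org/owasp/webgoat/lessons/model/SourceListing.java
+++ /dev/null
@@ -1,37 +0,0 @@
-/*
-* To change this license header, choose License Headers in Project Properties.
-* To change this template file, choose Tools | Templates
-* and open the template in the editor.
-*/
-package org.owasp.webgoat.lessons.model;
-/**
-* <p>SourceListing class.</p>
-*
-* @author rlawson
-* @version $Id: $Id
-*/
-public class SourceListing {
-private String source;
-/**
-* <p>Getter for the field <code>source</code>.</p>
-*
-* @return the source
-*/
-public String getSource() {
-return source;
-}
-/**
-* <p>Setter for the field <code>source</code>.</p>
-*
-* @param source the source to set
-*/
-public void setSource(String source) {
-this.source = source;
-}
-}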


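--- a/org/owasp/webgoat/service/ApplicationService.java
+++ /dev/null
@@ -1,61 +0,0 @@
-/**
-* *************************************************************************************************
-*
-*
-* This file is part of WebGoat, an Open Web Application Security Project
-* utility. For details, please see http://www.owasp.org/
-*
-* Copyright (c) 2002 - 20014 Bruce Mayhew
-*
-* This program is free software; you can redistribute it and/or modify it under
-* the terms of the GNU General Public License as published by the Free Software
-* Foundation; either version 2 of the License, or (at your option) any later
-* version.
-*
-* This program is distributed in the hope that it will be useful, but WITHOUT
-* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
-* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
-* details.
-*
-* You should have received a copy of the GNU General Public License along with
-* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
-* Place - Suite 330, Boston, MA 02111-1307, USA.
-*
-* Getting Source ==============
-*
-* Source for this application is maintained at
-* https://github.com/WebGoat/WebGoat, a repository for free software projects.
-*
-*/
-package org.owasp.webgoat.service;
-import org.owasp.webgoat.application.Application;
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
-import javax.servlet.http.HttpSession;
-/**
-* <p>ApplicationService class.</p>
-*
-* @author rlawson
-* @version $Id: $Id
-*/
-@Controller
-public class ApplicationService extends BaseService {
-/**
-* Returns global application info
-*
-* @param session a {@link javax.servlet.http.HttpSession} object.
-* @return a {@link org.owasp.webgoat.application.Application} object.
-*/
-@RequestMapping(path = "/application.mvc", produces = "application/json")
-public @ResponseBody
-Application showApplication(HttpSession session) {
-Application app = Application.getInstance();
-return app;
-}
-}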


@ -70,17 +70,19 @@ public class WebgoatContext {
* @return The databaseConnectionString value
*/
public String getDatabaseConnectionString() {
if (realConnectionString == null) {
try {
String path = servlet.getServletContext().getRealPath("/database").replace('\\', '/');
System.out.println("PATH: " + path);
realConnectionString = databaseConnectionString.replaceAll("PATH", path);
System.out.println("Database Connection String: " + realConnectionString);
} catch (Exception e) {
logger.error("Couldn't open database: check web.xml database parameters", e);
}
}
return realConnectionString;
return this.databaseConnectionString;
//
// if (realConnectionString == null) {
// try {
// String path = servlet.getServletContext().getRealPath("/database").replace('\\', '/');
// System.out.println("PATH: " + path);
// realConnectionString = databaseConnectionString.replaceAll("PATH", path);
// System.out.println("Database Connection String: " + realConnectionString);
// } catch (Exception e) {
// logger.error("Couldn't open database: check web.xml database parameters", e);
// }
// }
// return realConnectionString;
}
/**
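Review bot: `getDatabaseConnectionString` now returns the raw `databaseConnectionString` while the old `PATH` substitution is parked as a commented-out block; that block should be deleted rather than kept in comments (the history is in git), and if the `realConnectionString` field is now unused it should go with it. Behaviour-wise, a configured connection string that still contains the `PATH` placeholder is now returned verbatim, so the property's contract should say the value must already be a complete connection string; suggested Javadoc addition above the method: `Returns the configured connection string unchanged; no PATH placeholder substitution is performed.` The enclosing class starts before this hunk.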


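--- /dev/null
+++ b/plugin_lessons/plugin_lessons_marker.txt
@@ -0,0 +1 @@
+Lesson plugins stored under this directory.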


@ -2,7 +2,7 @@
<html xmlns:th="http://www.thymeleaf.org">
<div id="lessonInstructions" th:utext="${instructions}"></div>
<div id="message" class="info" th:text="${message}"></div>
<div id="message" class="info" th:utext="${message}"></div>
<br/>
<div th:utext="${lesson.content}"></div>
</html>
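Review bot: Changing `${message}` from `th:text` to `th:utext` disables Thymeleaf's HTML escaping for the message, so any markup it contains is rendered; if any code path sets the session message from request data, this div becomes an XSS sink in the container itself rather than inside a deliberately vulnerable lesson. The one caller visible in this commit (`s.setMessage("Could not find source file")` in AbstractLesson) is a constant, but other callers are not shown here. If unescaped output is genuinely needed, record the contract next to the element: `<!-- utext: message must only ever contain application-generated markup, never request data -->`; otherwise keep `th:text`.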