dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Change spring stuff to mvc extension instead of do

Browse Source 
show splash screen after login
This commit is contained in:
rlawson 2014-08-06 09:28:57 -04:00
parent ba9b60a99c
commit abd594beae
11 changed files with 197 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
java/org/owasp/webgoat/HammerHead.java
View File

@ -390,7 +390,8 @@ public class HammerHead extends HttpServlet {
// System.out.println( "HH Creating new WebSession: " ); // System.out.println( "HH Creating new WebSession: " );
session = new WebSession(webgoatContext, context); session = new WebSession(webgoatContext, context);
// Ensure splash screen shows on any restart // Ensure splash screen shows on any restart
hs.removeAttribute(WELCOMED); // rlawson - removed this since we show splash screen at login now
//hs.removeAttribute(WELCOMED);
hs.setAttribute(WebSession.SESSION, session); hs.setAttribute(WebSession.SESSION, session);
// reset timeout // reset timeout
hs.setMaxInactiveInterval(sessionTimeoutSeconds); hs.setMaxInactiveInterval(sessionTimeoutSeconds);

2
java/org/owasp/webgoat/controller/Login.java
View File

@ -18,7 +18,7 @@ import org.springframework.web.servlet.ModelAndView;
@Controller @Controller
public class Login { public class Login {
@RequestMapping(value = "login.do", method = RequestMethod.GET) @RequestMapping(value = "login.mvc", method = RequestMethod.GET)
public ModelAndView login( public ModelAndView login(
@RequestParam(value = "error", required = false) String error, @RequestParam(value = "error", required = false) String error,
@RequestParam(value = "logout", required = false) String logout) { @RequestParam(value = "logout", required = false) String logout) {

2
java/org/owasp/webgoat/controller/Logout.java
View File

@ -22,7 +22,7 @@ public class Logout {
final Logger logger = LoggerFactory.getLogger(Logout.class); final Logger logger = LoggerFactory.getLogger(Logout.class);
@RequestMapping(value = "logout.do", method = RequestMethod.GET) @RequestMapping(value = "logout.mvc", method = RequestMethod.GET)
public ModelAndView logout( public ModelAndView logout(
@RequestParam(value = "error", required = false) String error, @RequestParam(value = "error", required = false) String error,
@RequestParam(value = "logout", required = false) String logout) { @RequestParam(value = "logout", required = false) String logout) {

44
java/org/owasp/webgoat/controller/Welcome.java Normal file
View File

@ -0,0 +1,44 @@
/*
* To change this license header, choose License Headers in Project Properties.
* To change this template file, choose Tools | Templates
* and open the template in the editor.
*/
package org.owasp.webgoat.controller;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.servlet.ModelAndView;
/**
*
* @author rlawson
*/
@Controller
public class Welcome {
private static final String WELCOMED = "welcomed";
@RequestMapping(value = "welcome.mvc", method = RequestMethod.GET)
public ModelAndView welcome(HttpServletRequest request,
@RequestParam(value = "error", required = false) String error,
@RequestParam(value = "logout", required = false) String logout) {
// set the welcome attribute
// this is so the attack servlet does not also
// send them to the welcome page
HttpSession session = request.getSession();
if (session.getAttribute(WELCOMED) == null) {
session.setAttribute(WELCOMED, "true");
}
//@TODO put stuff here the welcome page needs to access
ModelAndView model = new ModelAndView();
model.setViewName("welcome");
return model;
}
}

2
java/org/owasp/webgoat/service/DummyService.java
View File

@ -18,7 +18,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
@Controller @Controller
public class DummyService extends BaseService{ public class DummyService extends BaseService{
@RequestMapping(value = "/first.do", produces = "application/json") @RequestMapping(value = "/first.mvc", produces = "application/json")
public @ResponseBody public @ResponseBody
List<String> firstNames() { List<String> firstNames() {
List<String> test = new ArrayList<String>(); List<String> test = new ArrayList<String>();

2
java/org/owasp/webgoat/service/HintService.java
View File

@ -28,7 +28,7 @@ public class HintService extends BaseService {
* @param session * @param session
* @return * @return
*/ */
@RequestMapping(value = "/hint.do", produces = "application/json") @RequestMapping(value = "/hint.mvc", produces = "application/json")
public @ResponseBody public @ResponseBody
List<Hint> showHint(HttpSession session) { List<Hint> showHint(HttpSession session) {
List<Hint> listHints = new ArrayList<Hint>(); List<Hint> listHints = new ArrayList<Hint>();

2
java/org/owasp/webgoat/service/LessonMenuService.java
View File

@ -32,7 +32,7 @@ public class LessonMenuService extends BaseService {
* @param session * @param session
* @return * @return
*/ */
@RequestMapping(value = "/lessonmenu.do", produces = "application/json") @RequestMapping(value = "/lessonmenu.mvc", produces = "application/json")
public @ResponseBody public @ResponseBody
List<LessonMenuItem> showLeftNav(HttpSession session) { List<LessonMenuItem> showLeftNav(HttpSession session) {
//TODO - need Links, rank, title //TODO - need Links, rank, title

2
webapp/WEB-INF/pages/login.jsp
View File

@ -59,7 +59,7 @@
</form> </form>
<div class="panel panel-info" style="max-width: 300px; margin: 0 auto 20px;"> <div class="panel panel-info" style="max-width: 300px; margin: 0 auto 20px;">
<div class="panel-heading"> <div class="panel-heading">
Logon with one of the following accounts Login with one of the following accounts
</div> </div>
<div class="panel-body"> <div class="panel-body">
<!-- Table --> <!-- Table -->

138
webapp/WEB-INF/pages/welcome.jsp Normal file
View File

@ -0,0 +1,138 @@
<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
errorPage=""%>
<%@page import="org.owasp.webgoat.session.WebSession"%>
<%
//WebSession webSession = ((WebSession) session.getAttribute("websession"));
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>WebGoat V5.4</title>
<link rel="stylesheet" href="css/webgoat.css" type="text/css" />
</head>
<body>
<div id="wrap">
<div id="top"></div>
<div id="start">
<p>Thank you for using WebGoat! This program is a demonstration of common web application flaws.
The exercises are intended to provide hands on experience with
application penetration testing techniques. </p>
<p>The WebGoat project is led
by Bruce Mayhew. Please send all comments to Bruce at [TODO, session was blowing up here for some reason].</p>
<div id="team">
<table border="0" align="center" class="lessonText">
<tr>
<td width="50%">
<div align="center"><a href="http://www.owasp.org"><img
border="0" src="images/logos/owasp.jpg" alt="OWASP Foundation"
longdesc="http://www.owasp.org" /></a></div>
</td>
<td width="50%">
<div align="center"><a href="http://www.aspectsecurity.com"><img
border="0" src="images/logos/aspect.jpg" alt="Aspect Security"
longdesc="http://www.aspectsecurity.com" /></a></div>
</td>
</tr>
<tr>
<td colspan="2">
<div align="center"><span class="style1">
WebGoat Authors </span></div>
</td>
</tr>
<tr>
<td colspan="2">
<div align="center"><span class="style2">
Bruce Mayhew </span></div>
</td>
</tr>
<tr>
<td colspan="2">
<div align="center"><span class="style2">
Jeff Williams </span></div>
</td>
</tr>
<tr>
<td width="50%">
<div align="center"><span class="style1"><br />
WebGoat Design Team </span></div>
</td>
<td width="50%">
<div align="center"><span class="style1"><br />
V5.4 Lesson Contributers </span></div>
</td>
</tr>
<tr>
<td valign="top">
<div align="center" class="style2">David Anderson</div>
<div align="center" class="style2">Laurence Casey (Graphics)</div>
<div align="center" class="style2">Rogan Dawes</div>
<div align="center" class="style2">Bruce Mayhew</div>
</td>
<td valign="top">
<div align="center" class="style2">Sherif Koussa</div>
<div align="center" class="style2">Yiannis Pavlosoglou</div>
<div align="center" class="style2"></div>
</td>
</tr>
<tr>
<td height="25" valign="bottom">
<div align="center"><span class="style1">Special Thanks
for V5.4</span></div>
</td>
<td height="25" valign="bottom">
<div align="center"><span class="style1">Documentation
Contributers</span></div>
</td>
</tr>
<tr>
<td>
<div align="center" class="style2">Brian Ciomei (Multitude of bug fixes)</div>
<div align="center" class="style2">To all who have sent comments</div>
</td>
<td>
<div align="center" class="style2">
<a href="http://www.zionsecurity.com/" target="_blank">Erwin Geirnaert</a></div>
<div align="center" class="style2">
<a href="http://yehg.org/" target="_blank">Aung Khant</a></div>
<div align="center" class="style2">
<a href="http://www.softwaresecured.com" target="blank">Sherif Koussa</a>
</div>
</td>
</tr>
<tr>
<td colspan="2">
<div align="center" class="style2">
<form id="form" name="form" method="post" action="attack"><input
type="submit" name="start" value="Start WebGoat" /></form>
</div>
</td>
</tr>
<tr>
<td>
<div align="center" class="style2">&nbsp;</div>
</td>
</tr>
</table>
</div>
</div>
<div align="center" class="style2">&nbsp;</div>
<div align="center" class="style2">&nbsp;</div>
<div align="center" class="style2">&nbsp;</div>
<div id="warning">WARNING<br />
While running this program, your machine is extremely vulnerable to
attack if you are not running on localhost. If you are NOT running on localhost (default configuration), You should disconnect from the network while using this program.
<br />
<br />
This program is for educational purposes only. Use of these techniques
without permission could lead to job termination, financial liability,
and/or criminal penalties.</div>
</div>
</body>
</html>

12
webapp/WEB-INF/spring-security.xml
View File

@ -16,18 +16,18 @@
<http pattern="/javascript/**" security="none"/> <http pattern="/javascript/**" security="none"/>
<http pattern="/favicon.ico" security="none"/> <http pattern="/favicon.ico" security="none"/>
<http use-expressions="true"> <http use-expressions="true">
<intercept-url pattern="/login.do" access="permitAll" /> <intercept-url pattern="/login.mvc" access="permitAll" />
<intercept-url pattern="/logout.do" access="permitAll" /> <intercept-url pattern="/logout.mvc" access="permitAll" />
<intercept-url pattern="/servlet/AdminServlet/**" access="hasAnyRole('ROLE_WEBGOAT_ADMIN','ROLE_SERVER_ADMIN')" /> <intercept-url pattern="/servlet/AdminServlet/**" access="hasAnyRole('ROLE_WEBGOAT_ADMIN','ROLE_SERVER_ADMIN')" />
<intercept-url pattern="/JavaSource/**" access="hasRole('ROLE_SERVER_ADMIN')" /> <intercept-url pattern="/JavaSource/**" access="hasRole('ROLE_SERVER_ADMIN')" />
<intercept-url pattern="/**" access="hasAnyRole('ROLE_WEBGOAT_USER','ROLE_WEBGOAT_ADMIN','ROLE_SERVER_ADMIN')" /> <intercept-url pattern="/**" access="hasAnyRole('ROLE_WEBGOAT_USER','ROLE_WEBGOAT_ADMIN','ROLE_SERVER_ADMIN')" />
<form-login <form-login
login-page="/login.do" login-page="/login.mvc"
default-target-url="/attack" default-target-url="/welcome.mvc"
authentication-failure-url="/login.do?error" authentication-failure-url="/login.mvc?error"
username-parameter="username" username-parameter="username"
password-parameter="password" /> password-parameter="password" />
<logout logout-url="/j_spring_security_logout" logout-success-url="/logout.do" /> <logout logout-url="/j_spring_security_logout" logout-success-url="/logout.mvc" />
<!-- enable csrf protection --> <!-- enable csrf protection -->
<!--csrf/--> <!--csrf/-->
</http> </http>

2
webapp/WEB-INF/web.xml
View File

@ -222,7 +222,7 @@
<servlet-mapping> <servlet-mapping>
<servlet-name>mvc-dispatcher</servlet-name> <servlet-name>mvc-dispatcher</servlet-name>
<url-pattern>*.do</url-pattern> <url-pattern>*.mvc</url-pattern>
</servlet-mapping> </servlet-mapping>
<listener> <listener>