Fixing challenges intro and challenge 3

2017-04-09 05:51:46 +02:00 · 2017-04-09 05:51:46 +02:00 · b10817564e
commit b10817564e
parent 4e3ca68d08
3 changed files with 33 additions and 6 deletions
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Assignment3.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Assignment3.java
@ -2,22 +2,33 @@ package org.owasp.webgoat.plugin.challenge3;

 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.common.collect.EvictingQueue;
+import com.google.common.io.Files;
+import lombok.SneakyThrows;
 import org.joda.time.DateTime;
+import org.joda.time.format.DateTimeFormat;
+import org.joda.time.format.DateTimeFormatter;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.owasp.webgoat.plugin.Flag;
 import org.owasp.webgoat.session.WebSession;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.MediaType;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestHeader;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;

+import javax.annotation.PostConstruct;
 import javax.xml.bind.JAXBContext;
 import javax.xml.bind.Unmarshaller;
 import javax.xml.stream.XMLInputFactory;
 import javax.xml.stream.XMLStreamReader;
+import java.io.File;
 import java.io.IOException;
 import java.io.StringReader;
+import java.nio.charset.Charset;
 import java.util.Collection;

 import static org.springframework.http.MediaType.ALL_VALUE;
@ -32,16 +43,32 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST;
@AssignmentPath("/challenge/3")
 public class Assignment3 extends AssignmentEndpoint {

+    @Value("${webgoat.server.directory}")
+    private String webGoatHomeDirectory;
    @Autowired
    private WebSession webSession;
+    private static DateTimeFormatter fmt = DateTimeFormat.forPattern("yyyy-MM-dd, HH:mm:ss");
+
    private static final EvictingQueue<Comment> comments = EvictingQueue.create(100);
+    private static final String secretContents = "Congratulations you may now collect your flag";

    static {
-        comments.add(new Comment("webgoat", DateTime.now().toString(), "Silly cat...."));
-        comments.add(new Comment("guest", DateTime.now().toString(), "I think I will use this picture in one of my projects."));
+        comments.add(new Comment("webgoat", DateTime.now().toString(fmt), "Silly cat...."));
+        comments.add(new Comment("guest", DateTime.now().toString(fmt), "I think I will use this picture in one of my projects."));
        comments.add(new Comment("guest", DateTime.now().toString(), "Lol!! :-)."));
    }

+    @PostConstruct
+    @SneakyThrows
+    public void copyFile() {
+        File targetDirectory = new File(webGoatHomeDirectory, "/challenges");
+        if (!targetDirectory.exists()) {
+            targetDirectory.mkdir();
+        }
+        Files.write(secretContents, new File(targetDirectory, "secret.txt"), Charset.defaultCharset());
+    }
+
+
    @RequestMapping(method = GET, produces = APPLICATION_JSON_VALUE)
    @ResponseBody
    public Collection<Comment> retrieveComments() {
@ -60,7 +87,7 @@ public class Assignment3 extends AssignmentEndpoint {
        }
        if (MediaType.APPLICATION_XML_VALUE.equals(contentType)) {
            comment = parseXml(commentStr);
-            comment.setDateTime(DateTime.now().toString());
+            comment.setDateTime(DateTime.now().toString(fmt));
            comment.setUser(webSession.getUserName());
        }
        if (comment != null) {
@ -74,7 +101,7 @@ public class Assignment3 extends AssignmentEndpoint {
    }

    private boolean checkSolution(Comment comment) {
-        if (comment.getComment().contains("Congratulations you may now collect your flag")) {
+        if (comment.getComment().contains(secretContents)) {
            comment.setComment("Congratulations to " + webSession.getUserName() + " for finding the flag!!");
            return true;
        }
--- a/webgoat-lessons/challenge/src/main/resources/images/boss.jpg
+++ b/webgoat-lessons/challenge/src/main/resources/images/boss.jpg
--- a/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_introduction.adoc
+++ b/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_introduction.adoc
@ -4,7 +4,7 @@
 In this CTF you will need to solve a couple of challenges, each challenge will give you a flag which you will
 need to post in order to gain points.

-Flags have the following format: a7179f89-906b-4fec-9d99-f15b796e7208
+Flags have the following format: `a7179f89-906b-4fec-9d99-f15b796e7208`


 Have fun!!