owasp top10-2021 (#1235)

src/main/java/org/owasp/webgoat/container/lessons/Category.java

@@ -39,36 +39,19 @@ public enum Category {
     INTRODUCTION("Introduction", 5),
     GENERAL("General", 100),
     
-    INJECTION("(A1) Injection", 300),
+    A1("(A1) Broken Access Control", 301),
-    AUTHENTICATION("(A2) Broken Authentication", 302),
+    A2("(A2) Cryptographic Failures", 302),
-    INSECURE_COMMUNICATION("(A3) Sensitive Data Exposure", 303),
+    A3("(A3) Injection", 303),
-    XXE("(A4) XML External Entities (XXE)", 304),
-    ACCESS_CONTROL("(A5) Broken Access Control", 305),
 
-    XSS("(A7) Cross-Site Scripting (XSS)", 307),
+    A5("(A5) Security Misconfiguration", 305),
-    INSECURE_DESERIALIZATION("(A8) Insecure Deserialization", 308),
+    A6("(A6) Vuln & Outdated Components", 306),
-    VULNERABLE_COMPONENTS("(A9) Vulnerable Components", 309),
+    A7("(A7) Identity & Auth Failure", 307),
-    SESSION_MANAGEMENT("(A10) Session Management Flaws", 310),
+    A8("(A8) Software & Data Integrity", 308),
+    A9("(A9) Security Logging Failures", 309),
+    A10("(A10) Server-side Request Forgery", 310),    
     
-    REQUEST_FORGERIES("(A8:2013) Request Forgeries", 318),
-
-    
-    REQ_FORGERIES("Request Forgeries", 450),
-    
-    INSECURE_CONFIGURATION("Insecure Configuration", 600),
-    INSECURE_STORAGE("Insecure Storage", 800),
-    
-    
-    AJAX_SECURITY("AJAX Security", 1000),
-    BUFFER_OVERFLOW("Buffer Overflows", 1100),
-    CODE_QUALITY("Code Quality", 1200),
-    CONCURRENCY("Concurrency", 1300),
-    ERROR_HANDLING("Improper Error Handling", 1400),
-    DOS("Denial of Service", 1500),
-    MALICIOUS_EXECUTION("Malicious Execution", 1600),
     CLIENT_SIDE("Client side", 1700),
-    WEB_SERVICES("Web Services", 1900),
+
-    ADMIN_FUNCTIONS("Admin Functions", 2000),
     CHALLENGE("Challenges", 3000);
 
     @Getter

src/main/java/org/owasp/webgoat/lessons/auth_bypass/AuthBypass.java

@@ -31,7 +31,7 @@ public class AuthBypass extends Lesson {
 
     @Override
     public Category getDefaultCategory() {
-        return Category.AUTHENTICATION;
+        return Category.A7;
     }
 
     @Override

src/main/java/org/owasp/webgoat/lessons/cryptography/Cryptography.java

@@ -30,7 +30,7 @@ import org.springframework.stereotype.Component;
 public class Cryptography extends Lesson {
     @Override
     public Category getDefaultCategory() {
-        return Category.GENERAL;
+        return Category.A2;
     }
 
     @Override

src/main/java/org/owasp/webgoat/lessons/csrf/CSRF.java

@@ -33,7 +33,7 @@ import org.springframework.stereotype.Component;
 public class CSRF extends Lesson {
     @Override
     public Category getDefaultCategory() {
-        return Category.REQUEST_FORGERIES;
+        return Category.A10;
     }
 
     @Override

src/main/java/org/owasp/webgoat/lessons/deserialization/InsecureDeserialization.java

@@ -37,7 +37,7 @@ import org.springframework.stereotype.Component;
 public class InsecureDeserialization extends Lesson {
     @Override
     public Category getDefaultCategory() {
-        return Category.INSECURE_DESERIALIZATION;
+        return Category.A8;
     }
 
     @Override

src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSession.java

@@ -38,7 +38,7 @@ public class HijackSession extends Lesson {
 
     @Override
     public Category getDefaultCategory() {
-        return Category.SESSION_MANAGEMENT;
+        return Category.A1;
     }
 
     @Override

src/main/java/org/owasp/webgoat/lessons/idor/IDOR.java

@@ -38,7 +38,7 @@ public class IDOR extends Lesson {
 
     @Override
     public Category getDefaultCategory() {
-        return Category.ACCESS_CONTROL;
+        return Category.A1;
     }
 
     @Override

src/main/java/org/owasp/webgoat/lessons/insecure_login/InsecureLogin.java

@@ -37,7 +37,7 @@ import org.springframework.stereotype.Component;
 public class InsecureLogin extends Lesson {
     @Override
     public Category getDefaultCategory() {
-        return Category.INSECURE_COMMUNICATION;
+        return Category.A7;
     }
 
     @Override

src/main/java/org/owasp/webgoat/lessons/jwt/JWT.java

@@ -35,7 +35,7 @@ public class JWT extends Lesson {
 
     @Override
     public Category getDefaultCategory() {
-        return Category.AUTHENTICATION;
+        return Category.A7;
     }
 
     @Override

src/main/java/org/owasp/webgoat/lessons/logging/LogSpoofing.java

@@ -37,7 +37,7 @@ import org.springframework.stereotype.Component;
 public class LogSpoofing extends Lesson {
     @Override
     public Category getDefaultCategory() {
-        return Category.INSECURE_CONFIGURATION;
+        return Category.A9;
     }
 
     @Override

src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionAC.java

@@ -34,7 +34,7 @@ public class MissingFunctionAC extends Lesson {
 
     @Override
     public Category getDefaultCategory() {
-        return Category.ACCESS_CONTROL;
+        return Category.A1;
     }
 
     @Override

src/main/java/org/owasp/webgoat/lessons/password_reset/PasswordReset.java

@@ -30,7 +30,7 @@ import org.springframework.stereotype.Component;
 public class PasswordReset extends Lesson {
     @Override
     public Category getDefaultCategory() {
-        return Category.AUTHENTICATION;
+        return Category.A7;
     }
 
     @Override

src/main/java/org/owasp/webgoat/lessons/path_traversal/PathTraversal.java

@@ -31,7 +31,7 @@ public class PathTraversal extends Lesson {
 
     @Override
     public Category getDefaultCategory() {
-        return Category.INJECTION;
+        return Category.A3;
     }
 
     @Override

src/main/java/org/owasp/webgoat/lessons/secure_passwords/SecurePasswords.java

@@ -35,7 +35,7 @@ public class SecurePasswords extends Lesson {
 
     @Override
     public Category getDefaultCategory() {
-        return Category.AUTHENTICATION;
+        return Category.A7;
     }
 
     @Override

src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookie.java

@@ -37,7 +37,7 @@ public class SpoofCookie extends Lesson {
 
     @Override
     public Category getDefaultCategory() {
-        return Category.SESSION_MANAGEMENT;
+        return Category.A1;
     }
 
     @Override

src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionAdvanced.java

@@ -30,7 +30,7 @@ import org.springframework.stereotype.Component;
 public class SqlInjectionAdvanced extends Lesson {
     @Override
     public Category getDefaultCategory() {
-        return Category.INJECTION; 
+        return Category.A3; 
     }
 
     @Override

src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjection.java

@@ -30,7 +30,7 @@ import org.springframework.stereotype.Component;
 public class SqlInjection extends Lesson {
     @Override
     public Category getDefaultCategory() {
-        return Category.INJECTION;
+        return Category.A3;
     }
 
     @Override

src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlInjectionMitigations.java

@@ -30,7 +30,7 @@ import org.springframework.stereotype.Component;
 public class SqlInjectionMitigations extends Lesson {
     @Override
     public Category getDefaultCategory() {
-        return Category.INJECTION;
+        return Category.A3;
     }
 
     @Override

src/main/java/org/owasp/webgoat/lessons/ssrf/SSRF.java

@@ -37,7 +37,7 @@ import org.springframework.stereotype.Component;
 public class SSRF extends Lesson {
     @Override
     public Category getDefaultCategory() {
-        return Category.REQUEST_FORGERIES;
+        return Category.A10;
     }
 
     @Override

src/main/java/org/owasp/webgoat/lessons/vulnerable_components/VulnerableComponents.java

@@ -30,7 +30,7 @@ import org.springframework.stereotype.Component;
 public class VulnerableComponents extends Lesson {
     @Override
     public Category getDefaultCategory() {
-        return Category.VULNERABLE_COMPONENTS;
+        return Category.A6;
     }
 
     @Override

src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScripting.java

@@ -30,7 +30,7 @@ import org.springframework.stereotype.Component;
 public class CrossSiteScripting extends Lesson {
     @Override
     public Category getDefaultCategory() {
-        return Category.XSS;
+        return Category.A3;
     }
 
     @Override

src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingMitigation.java

@@ -28,7 +28,7 @@ import org.owasp.webgoat.container.lessons.Lesson;
 public class CrossSiteScriptingMitigation extends Lesson {
     @Override
     public Category getDefaultCategory() {
-        return Category.XSS;
+        return Category.A3;
     }
 
     @Override

src/main/java/org/owasp/webgoat/lessons/xss/stored/CrossSiteScriptingStored.java

@@ -28,7 +28,7 @@ import org.owasp.webgoat.container.lessons.Lesson;
 public class CrossSiteScriptingStored extends Lesson {
     @Override
     public Category getDefaultCategory() {
-        return Category.XSS;
+        return Category.A3;
     }
 
     @Override

src/main/java/org/owasp/webgoat/lessons/xxe/XXE.java

@@ -31,7 +31,7 @@ public class XXE extends Lesson {
 
     @Override
     public Category getDefaultCategory() {
-        return Category.XXE;
+        return Category.A5;
     }
 
     @Override

src/test/java/org/owasp/webgoat/container/service/LessonMenuServiceTest.java

@@ -77,7 +77,7 @@ public class LessonMenuServiceTest {
         when(l2.getTitle()).thenReturn("AA");
         when(lessonTracker.isLessonSolved()).thenReturn(false);
         when(course.getLessons(any())).thenReturn(Lists.newArrayList(l1, l2));
-        when(course.getCategories()).thenReturn(Lists.newArrayList(Category.ACCESS_CONTROL));
+        when(course.getCategories()).thenReturn(Lists.newArrayList(Category.A1));
         when(userTracker.getLessonTracker(any(Lesson.class))).thenReturn(lessonTracker);
         when(userTrackerRepository.findByUser(any())).thenReturn(userTracker);
 
@@ -93,7 +93,7 @@ public class LessonMenuServiceTest {
         when(l1.getTitle()).thenReturn("ZA");
         when(lessonTracker.isLessonSolved()).thenReturn(true);
         when(course.getLessons(any())).thenReturn(Lists.newArrayList(l1));
-        when(course.getCategories()).thenReturn(Lists.newArrayList(Category.ACCESS_CONTROL));
+        when(course.getCategories()).thenReturn(Lists.newArrayList(Category.A1));
         when(userTracker.getLessonTracker(any(Lesson.class))).thenReturn(lessonTracker);
         when(userTrackerRepository.findByUser(any())).thenReturn(userTracker);
 

src/test/java/org/owasp/webgoat/container/users/UserTrackerRepositoryTest.java

@@ -20,7 +20,7 @@ class UserTrackerRepositoryTest {
 
         @Override
         public Category getDefaultCategory() {
-            return Category.AJAX_SECURITY;
+            return Category.CLIENT_SIDE;
         }
 
         @Override

src/test/java/org/owasp/webgoat/lessons/vulnerable_components/VulnerableComponentsLessonTest.java

@@ -26,8 +26,6 @@ import com.thoughtworks.xstream.XStream;
 import com.thoughtworks.xstream.io.StreamException;
 import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
-import org.owasp.webgoat.lessons.vulnerable_components.Contact;
-import org.owasp.webgoat.lessons.vulnerable_components.ContactImpl;
 
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;