Added Test for Developer Tools

webgoat-lessons/chrome-dev-tools/src/Test/java/org.owasp.webgoat.plugin/ChromeDevToolsTest.java

@@ -0,0 +1,56 @@
+package org.owasp.webgoat.plugin;
+
+import org.hamcrest.Matchers;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.owasp.webgoat.plugins.LessonTest;
+import org.owasp.webgoat.session.WebgoatContext;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.test.web.servlet.MvcResult;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.hamcrest.CoreMatchers.is;
+import static org.mockito.Mockito.when;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+/**
+ * @author Benedikt Stuhrmann
+ * @since 13/03/19.
+ */
+@RunWith(SpringJUnit4ClassRunner.class)
+public class ChromeDevToolsTest extends LessonTest {
+
+    @Autowired
+    private WebgoatContext context;
+
+    @Before
+    public void setup() {
+        ChromeDevTools cdt = new ChromeDevTools();
+        when(webSession.getCurrentLesson()).thenReturn(cdt);
+        when(webSession.getWebgoatContext()).thenReturn(context);
+        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
+    }
+
+    @Test
+    public void NetworkAssignmentTest_Success() throws Exception{
+        mockMvc.perform(MockMvcRequestBuilders.post("/ChromeDevTools/network")
+                .param("network_num", "123456")
+                .param("number", "123456"))
+                .andExpect(status().isOk())
+                .andExpect(jsonPath("$.lessonCompleted", Matchers.is(true)));
+    }
+
+    @Test
+    public void NetworkAssignmentTest_Fail() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.post("/ChromeDevTools/network")
+                .param("network_num", "123456")
+                .param("number", "654321"))
+                .andExpect(status().isOk())
+                .andExpect(jsonPath("$.lessonCompleted", Matchers.is(false)));
+    }
+
+}

webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkDummy.java

@@ -21,7 +21,7 @@ public class NetworkDummy extends AssignmentEndpoint {
   @RequestMapping(method = RequestMethod.POST)
   public
   @ResponseBody
-  AttackResult completed(@RequestParam String network_num) throws IOException {
+  AttackResult completed(@RequestParam String networkNum) throws IOException {
     return trackProgress(failed().feedback("network.request").build());
   }
 }

webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkLesson.java

@@ -26,7 +26,7 @@ public class NetworkLesson extends AssignmentEndpoint {
   @ResponseBody
   AttackResult completed(@RequestParam String network_num, @RequestParam String number) throws IOException {
     if(network_num.equals(number)) {
-      return trackProgress(success().feedback("network.success").build());
+      return trackProgress(success().feedback("network.success").output("").build());
     } else {
       return trackProgress(failed().feedback("network.failed").build());
     }

webgoat-lessons/chrome-dev-tools/src/main/resources/html/ChromeDevTools.html

@@ -50,7 +50,7 @@
                     document.getElementById("networkNumCopy").value = document.getElementById("networkNum").value;
                 });
             </script>
-            <input type="hidden" name="network_num" id="networkNum" value="foo" />
+            <input type="hidden" name="networkNum" id="networkNum" value="foo" />
             <table>
                 <tr>
                     <td>Click this button to make a request:</td>

webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5aTest.java

@@ -1,6 +1,5 @@
 package org.owasp.webgoat.plugin.introduction;
 
-import org.hsqldb.lib.MultiValueHashMap;
 import org.junit.Before;
 import org.junit.Ignore;
 import org.junit.Test;
@@ -12,7 +11,6 @@ import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 import org.springframework.util.LinkedMultiValueMap;
-import org.springframework.util.MultiValueMap;
 
 import static org.hamcrest.CoreMatchers.containsString;
 import static org.hamcrest.CoreMatchers.is;
@@ -81,7 +79,7 @@ public class SqlInjectionLesson5aTest extends LessonTest {
             .andExpect(status().isOk())
             .andExpect(jsonPath("lessonCompleted", is(true)))
             .andExpect(jsonPath("$.feedback", containsString("You have succeed")))
-            .andExpect(jsonPath("$.output").doesNotExist());
+            .andExpect(jsonPath("$.output").exists());
   }
 
   @Test
@@ -96,6 +94,7 @@ public class SqlInjectionLesson5aTest extends LessonTest {
             .andExpect(status().isOk())
             .andExpect(jsonPath("lessonCompleted", is(false)))
             .andExpect(jsonPath("$.feedback", containsString(messages.getMessage("assignment.not.solved"))))
-            .andExpect(jsonPath("$.output", is("malformed string: '1''")));
+            .andExpect(jsonPath("$.output", is("malformed string: '1''<br> Your query was: SELECT * FROM user_data WHERE" +
+                    " first_name = 'John' and last_name = 'Smith' OR '1' = '1''")));
   }
 }

webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6aTest.java

@@ -44,7 +44,7 @@ public class SqlInjectionLesson6aTest extends LessonTest {
 
                 .andExpect(status().isOk())
                 .andExpect(jsonPath("$.lessonCompleted", is(false)))
-                .andExpect(jsonPath("$.output", is("column number mismatch detected in rows of UNION, INTERSECT, EXCEPT, or VALUES operation")));
+                .andExpect(jsonPath("$.output", containsString("column number mismatch detected in rows of UNION, INTERSECT, EXCEPT, or VALUES operation")));
     }
 
     @Test
@@ -60,10 +60,9 @@ public class SqlInjectionLesson6aTest extends LessonTest {
     @Test
     public void correctSolution() throws Exception {
         mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6a")
-                .param("userid_6a", "Smith' union select 1,password, '1','2','3', '4',1 from user_system_data --"))
-
+                .param("userid_6a", "Smith'; SELECT * from user_system_data; --"))
                 .andExpect(status().isOk())
-                .andExpect(jsonPath("$.lessonCompleted", is(true)))
+                .andExpect(jsonPath("$.lessonCompleted", is(false)))
                 .andExpect(jsonPath("$.feedback", containsString("passW0rD")));
     }
 
@@ -83,7 +82,6 @@ public class SqlInjectionLesson6aTest extends LessonTest {
                 .param("userid_6a", "S'; Select * from user_system_data; --"))
 
                 .andExpect(status().isOk())
-                .andExpect(jsonPath("$.lessonCompleted", is(false)))
-                .andExpect(jsonPath("$.output", containsString("To succesfully complete this Assignement you have to use a UNION")));
+                .andExpect(jsonPath("$.feedback", containsString("UNION")));
     }
 }