dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Getting the attack verification to work

Browse Source
This commit is contained in:
Nanne Baars
2016-08-08 19:38:24 +02:00
parent 34ffa62535
commit c0ab7b7d1c
6 changed files with 126 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
webgoat-container/src/main/java/org/owasp/webgoat/controller/StartLesson.java
View File

@ -33,8 +33,9 @@ package org.owasp.webgoat.controller;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.RandomLessonAdapter;
import org.owasp.webgoat.plugins.YmlBasedLesson;
import org.owasp.webgoat.session.LessonTracker;
import org.owasp.webgoat.session.UserTracker;
import org.owasp.webgoat.session.WebSession;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
@ -51,10 +52,6 @@ import java.util.Optional;
@Controller
public class StartLesson {
//simple filter can be removed after ECS removal
private static final String refactored = "ClientSideFiltering AccessControlMatrix";
/**
* <p>start.</p>
*
@ -95,4 +92,33 @@ public class StartLesson {
model.addObject("lesson", lesson.get());
return model;
}
//// FIXME: 8/8/2016 duplicate code
@RequestMapping(value = {"*.attack"}, produces = "text/html")
public ModelAndView attack(HttpServletRequest request) {
// I will set here the thymeleaf fragment location based on the resource requested.
ModelAndView model = new ModelAndView();
SecurityContext context = SecurityContextHolder.getContext(); //TODO this should work with the security roles of Spring
GrantedAuthority authority = context.getAuthentication().getAuthorities().iterator().next();
String path = request.getServletPath(); // we now got /a/b/c/AccessControlMatrix.lesson
String lessonName = path.substring(path.lastIndexOf('/') + 1, path.indexOf(".attack"));
WebSession ws = (WebSession) request.getSession().getAttribute(WebSession.SESSION);
List<AbstractLesson> lessons = ws.getCourse()
.getLessons(ws, AbstractLesson.USER_ROLE);//TODO this should work with the security roles of Spring
Optional<AbstractLesson> lesson = lessons.stream()
.filter(l -> l.getId().equals(lessonName))
.findFirst();
model.setViewName("lesson_content");
YmlBasedLesson ymlBasedLesson = (YmlBasedLesson) lesson.get();
if (ymlBasedLesson.getLessonAttack().attack()) {
UserTracker userTracker = UserTracker.instance();
LessonTracker lessonTracker = userTracker.getLessonTracker(ws, lesson.get());
lessonTracker.setCompleted(true);
model.addObject("message", ws.getMessage());
}
model.addObject("lesson", lesson.get());
return model;
}
}