diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Assignment3.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Assignment3.java index 5d44247dd..749db2fc1 100644 --- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Assignment3.java +++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Assignment3.java @@ -2,22 +2,33 @@ package org.owasp.webgoat.plugin.challenge3; import com.fasterxml.jackson.databind.ObjectMapper; import com.google.common.collect.EvictingQueue; +import com.google.common.io.Files; +import lombok.SneakyThrows; import org.joda.time.DateTime; +import org.joda.time.format.DateTimeFormat; +import org.joda.time.format.DateTimeFormatter; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; import org.owasp.webgoat.plugin.Flag; import org.owasp.webgoat.session.WebSession; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.beans.factory.annotation.Value; import org.springframework.http.MediaType; -import org.springframework.web.bind.annotation.*; +import org.springframework.web.bind.annotation.RequestBody; +import org.springframework.web.bind.annotation.RequestHeader; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.ResponseBody; +import javax.annotation.PostConstruct; import javax.xml.bind.JAXBContext; import javax.xml.bind.Unmarshaller; import javax.xml.stream.XMLInputFactory; import javax.xml.stream.XMLStreamReader; +import java.io.File; import java.io.IOException; import java.io.StringReader; +import java.nio.charset.Charset; import java.util.Collection; import static org.springframework.http.MediaType.ALL_VALUE; @@ -32,16 +43,32 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST; @AssignmentPath("/challenge/3") public class Assignment3 extends AssignmentEndpoint { + @Value("${webgoat.server.directory}") + private String webGoatHomeDirectory; @Autowired private WebSession webSession; + private static DateTimeFormatter fmt = DateTimeFormat.forPattern("yyyy-MM-dd, HH:mm:ss"); + private static final EvictingQueue comments = EvictingQueue.create(100); + private static final String secretContents = "Congratulations you may now collect your flag"; static { - comments.add(new Comment("webgoat", DateTime.now().toString(), "Silly cat....")); - comments.add(new Comment("guest", DateTime.now().toString(), "I think I will use this picture in one of my projects.")); + comments.add(new Comment("webgoat", DateTime.now().toString(fmt), "Silly cat....")); + comments.add(new Comment("guest", DateTime.now().toString(fmt), "I think I will use this picture in one of my projects.")); comments.add(new Comment("guest", DateTime.now().toString(), "Lol!! :-).")); } + @PostConstruct + @SneakyThrows + public void copyFile() { + File targetDirectory = new File(webGoatHomeDirectory, "/challenges"); + if (!targetDirectory.exists()) { + targetDirectory.mkdir(); + } + Files.write(secretContents, new File(targetDirectory, "secret.txt"), Charset.defaultCharset()); + } + + @RequestMapping(method = GET, produces = APPLICATION_JSON_VALUE) @ResponseBody public Collection retrieveComments() { @@ -60,7 +87,7 @@ public class Assignment3 extends AssignmentEndpoint { } if (MediaType.APPLICATION_XML_VALUE.equals(contentType)) { comment = parseXml(commentStr); - comment.setDateTime(DateTime.now().toString()); + comment.setDateTime(DateTime.now().toString(fmt)); comment.setUser(webSession.getUserName()); } if (comment != null) { @@ -74,7 +101,7 @@ public class Assignment3 extends AssignmentEndpoint { } private boolean checkSolution(Comment comment) { - if (comment.getComment().contains("Congratulations you may now collect your flag")) { + if (comment.getComment().contains(secretContents)) { comment.setComment("Congratulations to " + webSession.getUserName() + " for finding the flag!!"); return true; } diff --git a/webgoat-lessons/challenge/src/main/resources/images/boss.jpg b/webgoat-lessons/challenge/src/main/resources/images/boss.jpg index ec432e31a..3fcd1c36e 100644 Binary files a/webgoat-lessons/challenge/src/main/resources/images/boss.jpg and b/webgoat-lessons/challenge/src/main/resources/images/boss.jpg differ diff --git a/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_introduction.adoc b/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_introduction.adoc index e007d5caa..3f4d14759 100644 --- a/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_introduction.adoc +++ b/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_introduction.adoc @@ -4,7 +4,7 @@ In this CTF you will need to solve a couple of challenges, each challenge will give you a flag which you will need to post in order to gain points. -Flags have the following format: a7179f89-906b-4fec-9d99-f15b796e7208 +Flags have the following format: `a7179f89-906b-4fec-9d99-f15b796e7208` Have fun!!