Ch1 less default (#814)

* random pincode in challenge1 * unit test fix
2020-05-12 08:49:48 +02:00 · 2020-05-12 08:49:48 +02:00 · c4a046bd12
commit c4a046bd12
parent f520c3589c
6 changed files with 66 additions and 4 deletions
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/ChallengeTest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/ChallengeTest.java
@ -3,6 +3,7 @@ package org.owasp.webgoat;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@ -10,6 +11,8 @@ import java.util.Map;
 import org.junit.jupiter.api.Test;
 import io.restassured.RestAssured;
 import static org.owasp.webgoat.challenges.SolutionConstants.PASSWORD;
 public class ChallengeTest extends IntegrationTest {
@ -17,10 +20,21 @@ public class ChallengeTest extends IntegrationTest {
    public void testChallenge1() {
    	startLesson("Challenge1");      
    	byte[] resultBytes = 
        		RestAssured.given()
                .when()
                .relaxedHTTPSValidation()
                .cookie("JSESSIONID", getWebGoatCookie())
                .get(url("/WebGoat/challenge/logo"))
                .then()
                .statusCode(200)
                .extract().asByteArray();
    	String pincode = new String(Arrays.copyOfRange(resultBytes, 81216, 81220));
    	Map<String, Object> params = new HashMap<>();
        params.clear();
        params.put("username", "admin");
-        params.put("password", "!!webgoat_admin_1234!!");
+        params.put("password", PASSWORD.replace("1234", pincode));
        checkAssignment(url("/WebGoat/challenge/1"), params, true);
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/Assignment1.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/Assignment1.java
@ -46,7 +46,7 @@ public class Assignment1 extends AssignmentEndpoint {
    @ResponseBody
    public AttackResult completed(@RequestParam String username, @RequestParam String password, HttpServletRequest request) {
        boolean ipAddressKnown =  true;
-        boolean passwordCorrect = "admin".equals(username) && PASSWORD.equals(password);
+        boolean passwordCorrect = "admin".equals(username) && PASSWORD.replace("1234", String.format("%04d",ImageServlet.PINCODE)).equals(password);
        if (passwordCorrect && ipAddressKnown) {
            return success(this).feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(1)).build();
        } else if (passwordCorrect) {
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/ImageServlet.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/ImageServlet.java
@ -0,0 +1,44 @@
 package org.owasp.webgoat.challenges.challenge1;
 import java.io.IOException;
 import java.security.SecureRandom;
 import javax.servlet.ServletException;
 import javax.servlet.annotation.WebServlet;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.http.MediaType;
 import org.springframework.util.FileCopyUtils;
@WebServlet(name = "ImageServlet", urlPatterns = "/challenge/logo")
 public class ImageServlet extends HttpServlet {
 	private static final long serialVersionUID = 9132775506936676850L;
 	static final public int PINCODE = new SecureRandom().nextInt(10000);
 	@Override
 	protected void doGet(HttpServletRequest request, HttpServletResponse response)
 			throws ServletException, IOException {
 		byte[] in = new ClassPathResource("images/webgoat2.png").getInputStream().readAllBytes();
 		String pincode = String.format("%04d", PINCODE);
 		in[81216]=(byte) pincode.charAt(0);
 		in[81217]=(byte) pincode.charAt(1);
 		in[81218]=(byte) pincode.charAt(2);
 		in[81219]=(byte) pincode.charAt(3);
 	    response.setContentType(MediaType.IMAGE_PNG_VALUE);
 	    FileCopyUtils.copy(in, response.getOutputStream());
 	}
 	@Override
 	protected void doPost(HttpServletRequest request, HttpServletResponse response)
 			throws ServletException, IOException {
 		doGet(request, response);
 	}
 }
--- a/webgoat-lessons/challenge/src/main/resources/html/Challenge1.html
+++ b/webgoat-lessons/challenge/src/main/resources/html/Challenge1.html
@ -12,7 +12,7 @@
        <div class="container-fluid">
            <div class="panel panel-default">
                <div class="panel-heading">
-                    <img th:src="@{/images/webgoat2.png}" class="img-thumbnail"/>
+                    <img th:src="@{/challenge/logo}" class="img-thumbnail"/>
                </div>
                <div class="panel-body">
                    <form class="attack-form" accept-charset="UNKNOWN"
--- a/webgoat-lessons/challenge/src/test/java/org/owasp/webgoat/challenges/Assignment1Test.java
+++ b/webgoat-lessons/challenge/src/test/java/org/owasp/webgoat/challenges/Assignment1Test.java
@ -29,12 +29,14 @@ import org.junit.runner.RunWith;
 import org.mockito.junit.MockitoJUnitRunner;
 import org.owasp.webgoat.assignments.AssignmentEndpointTest;
 import org.owasp.webgoat.challenges.challenge1.Assignment1;
 import org.owasp.webgoat.challenges.challenge1.ImageServlet;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import java.net.InetAddress;
 import static org.mockito.Mockito.when;
 import static org.owasp.webgoat.challenges.SolutionConstants.PASSWORD;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
@ -62,7 +64,7 @@ public class Assignment1Test extends AssignmentEndpointTest {
        mockMvc.perform(MockMvcRequestBuilders.post("/challenge/1")
                .header("X-Forwarded-For", host)
                .param("username", "admin")
-                .param("password", SolutionConstants.PASSWORD))
+                .param("password", SolutionConstants.PASSWORD.replace("1234", String.format("%04d",ImageServlet.PINCODE))))
                .andExpect(jsonPath("$.feedback", CoreMatchers.containsString("flag: " + Flag.FLAGS.get(1))))
                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
    }
--- a/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java
+++ b/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java
@ -28,6 +28,7 @@ package org.owasp.webgoat;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.web.servlet.ServletComponentScan;
 import org.springframework.boot.web.servlet.support.SpringBootServletInitializer;
 import org.springframework.util.StringUtils;
@ -38,6 +39,7 @@ import org.springframework.util.StringUtils;
 * @date 2/21/17
 */
@SpringBootApplication(scanBasePackages = "org.owasp.webgoat")
@ServletComponentScan
@Slf4j
 public class StartWebGoat extends SpringBootServletInitializer {