Ch1 less default (#814)

* random pincode in challenge1 * unit test fix
2020-05-12 08:49:48 +02:00 · 2020-05-12 08:49:48 +02:00 · c4a046bd12
commit c4a046bd12
parent f520c3589c
6 changed files with 66 additions and 4 deletions
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/ChallengeTest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/ChallengeTest.java
@ -3,6 +3,7 @@ package org.owasp.webgoat;

 import static org.junit.jupiter.api.Assertions.assertTrue;

+import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@ -10,6 +11,8 @@ import java.util.Map;
 import org.junit.jupiter.api.Test;

 import io.restassured.RestAssured;
+import static org.owasp.webgoat.challenges.SolutionConstants.PASSWORD;
+

 public class ChallengeTest extends IntegrationTest {
 	
@ -17,10 +20,21 @@ public class ChallengeTest extends IntegrationTest {
    public void testChallenge1() {
    	startLesson("Challenge1");      
    	
+    	byte[] resultBytes = 
+        		RestAssured.given()
+                .when()
+                .relaxedHTTPSValidation()
+                .cookie("JSESSIONID", getWebGoatCookie())
+                .get(url("/WebGoat/challenge/logo"))
+                .then()
+                .statusCode(200)
+                .extract().asByteArray();
+    	
+    	String pincode = new String(Arrays.copyOfRange(resultBytes, 81216, 81220));
    	Map<String, Object> params = new HashMap<>();
        params.clear();
        params.put("username", "admin");
-        params.put("password", "!!webgoat_admin_1234!!");
+        params.put("password", PASSWORD.replace("1234", pincode));
       
    	
        checkAssignment(url("/WebGoat/challenge/1"), params, true);
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/Assignment1.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/Assignment1.java
@ -46,7 +46,7 @@ public class Assignment1 extends AssignmentEndpoint {
    @ResponseBody
    public AttackResult completed(@RequestParam String username, @RequestParam String password, HttpServletRequest request) {
        boolean ipAddressKnown =  true;
-        boolean passwordCorrect = "admin".equals(username) && PASSWORD.equals(password);
+        boolean passwordCorrect = "admin".equals(username) && PASSWORD.replace("1234", String.format("%04d",ImageServlet.PINCODE)).equals(password);
        if (passwordCorrect && ipAddressKnown) {
            return success(this).feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(1)).build();
        } else if (passwordCorrect) {
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/ImageServlet.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/ImageServlet.java
@ -0,0 +1,44 @@
+package org.owasp.webgoat.challenges.challenge1;
+
+import java.io.IOException;
+import java.security.SecureRandom;
+
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.core.io.ClassPathResource;
+import org.springframework.http.MediaType;
+import org.springframework.util.FileCopyUtils;
+
+@WebServlet(name = "ImageServlet", urlPatterns = "/challenge/logo")
+public class ImageServlet extends HttpServlet {
+	
+	private static final long serialVersionUID = 9132775506936676850L;
+	static final public int PINCODE = new SecureRandom().nextInt(10000);
+
+	@Override
+	protected void doGet(HttpServletRequest request, HttpServletResponse response)
+			throws ServletException, IOException {
+		
+		byte[] in = new ClassPathResource("images/webgoat2.png").getInputStream().readAllBytes();
+		
+		String pincode = String.format("%04d", PINCODE);
+		
+		in[81216]=(byte) pincode.charAt(0);
+		in[81217]=(byte) pincode.charAt(1);
+		in[81218]=(byte) pincode.charAt(2);
+		in[81219]=(byte) pincode.charAt(3);
+		
+	    response.setContentType(MediaType.IMAGE_PNG_VALUE);
+	    FileCopyUtils.copy(in, response.getOutputStream());
+	}
+
+	@Override
+	protected void doPost(HttpServletRequest request, HttpServletResponse response)
+			throws ServletException, IOException {
+		doGet(request, response);
+	}
+}
--- a/webgoat-lessons/challenge/src/main/resources/html/Challenge1.html
+++ b/webgoat-lessons/challenge/src/main/resources/html/Challenge1.html
@ -12,7 +12,7 @@
        <div class="container-fluid">
            <div class="panel panel-default">
                <div class="panel-heading">
-                    <img th:src="@{/images/webgoat2.png}" class="img-thumbnail"/>
+                    <img th:src="@{/challenge/logo}" class="img-thumbnail"/>
                </div>
                <div class="panel-body">
                    <form class="attack-form" accept-charset="UNKNOWN"
--- a/webgoat-lessons/challenge/src/test/java/org/owasp/webgoat/challenges/Assignment1Test.java
+++ b/webgoat-lessons/challenge/src/test/java/org/owasp/webgoat/challenges/Assignment1Test.java
@ -29,12 +29,14 @@ import org.junit.runner.RunWith;
 import org.mockito.junit.MockitoJUnitRunner;
 import org.owasp.webgoat.assignments.AssignmentEndpointTest;
 import org.owasp.webgoat.challenges.challenge1.Assignment1;
+import org.owasp.webgoat.challenges.challenge1.ImageServlet;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;

 import java.net.InetAddress;

 import static org.mockito.Mockito.when;
+import static org.owasp.webgoat.challenges.SolutionConstants.PASSWORD;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;

@ -62,7 +64,7 @@ public class Assignment1Test extends AssignmentEndpointTest {
        mockMvc.perform(MockMvcRequestBuilders.post("/challenge/1")
                .header("X-Forwarded-For", host)
                .param("username", "admin")
-                .param("password", SolutionConstants.PASSWORD))
+                .param("password", SolutionConstants.PASSWORD.replace("1234", String.format("%04d",ImageServlet.PINCODE))))
                .andExpect(jsonPath("$.feedback", CoreMatchers.containsString("flag: " + Flag.FLAGS.get(1))))
                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
    }
--- a/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java
+++ b/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java
@ -28,6 +28,7 @@ package org.owasp.webgoat;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.boot.web.servlet.ServletComponentScan;
 import org.springframework.boot.web.servlet.support.SpringBootServletInitializer;
 import org.springframework.util.StringUtils;

@ -38,6 +39,7 @@ import org.springframework.util.StringUtils;
 * @date 2/21/17
 */
@SpringBootApplication(scanBasePackages = "org.owasp.webgoat")
+@ServletComponentScan
@Slf4j
 public class StartWebGoat extends SpringBootServletInitializer {