diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/CSRFTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/CSRFTest.java index 1eff94a0b..ff0c29d67 100644 --- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/CSRFTest.java +++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/CSRFTest.java @@ -1,18 +1,25 @@ package org.owasp.webgoat; -import static org.junit.Assert.assertEquals; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.DynamicTest.dynamicTest; import java.io.IOException; import java.nio.file.Files; import java.nio.file.Path; import java.nio.file.Paths; +import java.util.Arrays; import java.util.HashMap; import java.util.Map; -import org.junit.Test; +import org.junit.jupiter.api.AfterEach; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.DynamicTest; +import org.junit.jupiter.api.TestFactory; import io.restassured.RestAssured; import io.restassured.http.ContentType; +import lombok.SneakyThrows; public class CSRFTest extends IntegrationTest { 
@@ -44,32 +51,33 @@ public class CSRFTest extends IntegrationTest { private String webwolfFileDir; - - @Test - public void runTests() throws IOException { - startLesson("CSRF"); - + @BeforeEach + @SneakyThrows + public void init() { + startLesson("CSRF"); webwolfFileDir = getWebWolfServerPath(); - - //Assignment 3 uploadTrickHtml("csrf3.html", trickHTML3.replace("WEBGOATURL", url("/csrf/basic-get-flag"))); - checkAssignment3(callTrickHtml("csrf3.html")); - - //Assignment 4 uploadTrickHtml("csrf4.html", trickHTML4.replace("WEBGOATURL", url("/csrf/review"))); - checkAssignment4(callTrickHtml("csrf4.html")); - - //Assignment 7 uploadTrickHtml("csrf7.html", trickHTML7.replace("WEBGOATURL", url("/csrf/feedback/message"))); - checkAssignment7(callTrickHtml("csrf7.html")); - - //Assignment 8 uploadTrickHtml("csrf8.html", trickHTML8.replace("WEBGOATURL", url("/login")).replace("USERNAME", getWebgoatUser())); - checkAssignment8(callTrickHtml("csrf8.html")); - + } + + @TestFactory + Iterable testCSRFLesson() { + return Arrays.asList( + dynamicTest("assignement 3",()-> checkAssignment3(callTrickHtml("csrf3.html"))), + dynamicTest("assignement 4",()-> checkAssignment4(callTrickHtml("csrf4.html"))), + dynamicTest("assignement 7",()-> checkAssignment7(callTrickHtml("csrf7.html"))), + dynamicTest("assignement 8",()-> checkAssignment8(callTrickHtml("csrf8.html"))) + ); + } + + @AfterEach + public void shutdown() throws IOException { + //logout(); login();//because old cookie got replaced and invalidated - checkResults("csrf"); - + startLesson("CSRF", false); + checkResults("/csrf"); } private void uploadTrickHtml(String htmlName, String htmlContent) throws IOException { @@ -217,7 +225,7 @@ public class CSRFTest extends IntegrationTest { /** * Try to register the new user. Ignore the result. */ - public void registerCSRFUser() { + private void registerCSRFUser() { RestAssured.given() .when() 
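Review bot: `init()` and `shutdown()` run once around the whole `@TestFactory` method in the `@@ -44,32 +51,33 @@` hunk, not around each `dynamicTest`, so the four assignments in `testCSRFLesson()` share one login and one lesson state and depend on list order. The `login()` comment in `shutdown()` says the old cookie is replaced and invalidated (presumably by assignment 8), so a comment on the factory should record this, e.g. `// dynamic tests share one session and must run in this order; the session cookie is replaced along the way`. Because `checkResults("/csrf")` sits in teardown, it runs again after any assignment failure and is reported against the factory rather than as its own test. Consider making it the last list entry instead, `dynamicTest("lesson completed", () -> { login(); startLesson("CSRF", false); checkResults("/csrf"); })`, and the same for `shutdown()` in PathTraversalTest. The commented-out `//logout();` can be removed.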
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/CryptoTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/CryptoTest.java index f4275f07e..ca2516be9 100644 --- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/CryptoTest.java +++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/CryptoTest.java @@ -1,6 +1,6 @@ package org.owasp.webgoat; -import static org.junit.Assert.fail; +import static org.junit.jupiter.api.Assertions.fail; import java.nio.charset.Charset; import java.security.NoSuchAlgorithmException; @@ -13,7 +13,7 @@ import java.util.Map; import javax.xml.bind.DatatypeConverter; -import org.junit.Test; +import org.junit.jupiter.api.Test; import org.owasp.webgoat.crypto.CryptoUtil; import org.owasp.webgoat.crypto.HashingAssignment; diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/DeserializationTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/DeserializationTest.java index 727c2f1d4..e1373cf0b 100644 --- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/DeserializationTest.java +++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/DeserializationTest.java @@ -5,7 +5,7 @@ import java.util.HashMap; import java.util.Map; import org.dummy.insecure.framework.VulnerableTaskHolder; -import org.junit.Test; +import org.junit.jupiter.api.Test; import org.owasp.webgoat.deserialization.SerializationHelper; public class DeserializationTest extends IntegrationTest { diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/GeneralLessonTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/GeneralLessonTest.java index fb1b2477b..18d84fe15 100644 --- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/GeneralLessonTest.java +++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/GeneralLessonTest.java 
@@ -4,7 +4,7 @@ import io.restassured.RestAssured; import io.restassured.http.ContentType; import org.hamcrest.CoreMatchers; import org.junit.Assert; -import org.junit.Test; +import org.junit.jupiter.api.Test; import java.util.HashMap; import java.util.Map; diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java index 0a73f7393..34b48997b 100644 --- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java +++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java @@ -8,6 +8,9 @@ import org.junit.After; import org.junit.Assert; import org.junit.Before; import org.junit.BeforeClass; +import org.junit.jupiter.api.AfterEach; +import org.junit.jupiter.api.BeforeAll; +import org.junit.jupiter.api.BeforeEach; import org.owasp.webwolf.WebWolf; import org.springframework.boot.builder.SpringApplicationBuilder; @@ -47,6 +50,7 @@ public abstract class IntegrationTest { private static boolean started = false; @BeforeClass + @BeforeAll public static void beforeAll() { if (WG_SSL) { WEBGOAT_URL = WEBGOAT_URL.replace("http:", "https:"); @@ -88,6 +92,7 @@ public abstract class IntegrationTest { } @Before + @BeforeEach public void login() { String location = given() @@ -139,6 +144,7 @@ public abstract class IntegrationTest { } @After + @AfterEach public void logout() { RestAssured.given() .when() @@ -154,6 +160,10 @@ public abstract class IntegrationTest { * @param lessonName */ public void startLesson(String lessonName) { + startLesson(lessonName, true); + } + + public void startLesson(String lessonName, boolean restart) { RestAssured.given() .when() .relaxedHTTPSValidation() @@ -162,6 +172,7 @@ public abstract class IntegrationTest { .then() .statusCode(200); + if (restart) { RestAssured.given() .when() .relaxedHTTPSValidation() 
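Review bot: In IntegrationTest, `beforeAll()`, `login()` and `logout()` now carry both the JUnit 4 and the Jupiter lifecycle annotation (`@BeforeClass @BeforeAll`, `@Before @BeforeEach`, `@After @AfterEach`), and the JUnit 4 imports stay next to the new ones. Every subclass touched in this commit moves to `org.junit.jupiter.api.Test`, so the JUnit 4 annotations look dead unless some test still runs on the vintage engine. If none does, drop `@BeforeClass`, `@Before`, `@After` and their imports so that only one lifecycle governs the session login and logout. If both are kept for a transition period, say so in a comment above `beforeAll()`. The method bodies continue outside these hunks.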
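Review bot: The new overload `startLesson(String lessonName, boolean restart)` in IntegrationTest has no Javadoc, while the existing comment block stays on the one-argument version, so a caller cannot tell what `restart == false` skips. I would add `/** Opens the lesson; when {@code restart} is true it also requests service/restartlesson.mvc (presumably resetting the lesson's progress). */` above it. The statements now guarded by `if (restart) {` appear only as unchanged context, so they were not re-indented under the new block and should be indented one level. The closing brace of that block is added in the following hunk.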
@@ -169,6 +180,7 @@ public abstract class IntegrationTest { .get(url("service/restartlesson.mvc")) .then() .statusCode(200); + } } /** diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/JWTLessonTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/JWTLessonTest.java index 958348257..8eca3134a 100644 --- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/JWTLessonTest.java +++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/JWTLessonTest.java @@ -11,8 +11,8 @@ import java.util.Date; import org.hamcrest.CoreMatchers; import org.junit.Assert; -import org.junit.Before; -import org.junit.Test; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; import org.owasp.webgoat.jwt.JWTSecretKeyEndpoint; import com.fasterxml.jackson.databind.JsonNode; @@ -27,11 +27,6 @@ import io.jsonwebtoken.impl.TextCodec; import io.restassured.RestAssured; public class JWTLessonTest extends IntegrationTest { - - @Before - public void initTest() { - - } @Test public void solveAssignment() throws IOException, InvalidKeyException, NoSuchAlgorithmException { diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/PasswordResetLessonTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/PasswordResetLessonTest.java index 637bcc750..728a4069a 100644 --- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/PasswordResetLessonTest.java +++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/PasswordResetLessonTest.java @@ -2,7 +2,7 @@ package org.owasp.webgoat; import io.restassured.RestAssured; import org.assertj.core.api.Assertions; -import org.junit.Test; +import org.junit.jupiter.api.Test; import java.util.Map; diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalTest.java index 12c536841..484ed3878 100644 
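Review bot: In JWTLessonTest, `org.junit.jupiter.api.BeforeEach` is imported in place of `org.junit.Before`, but the only lifecycle method visible here, the empty `initTest()`, is removed in the next hunk, so the new import is probably unused. Delete it unless another `@BeforeEach` method exists outside the hunks. `org.junit.Assert` from JUnit 4 remains as context, which leaves the class depending on both JUnit generations.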
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalTest.java +++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalTest.java 
@@ -1,27 +1,54 @@ package org.owasp.webgoat; -import io.restassured.RestAssured; -import org.hamcrest.CoreMatchers; -import org.junit.*; -import org.junit.rules.TemporaryFolder; -import org.springframework.security.core.token.Sha512DigestUtils; +import static org.junit.jupiter.api.DynamicTest.dynamicTest; import java.io.File; import java.io.IOException; import java.nio.file.Files; +import java.nio.file.Path; +import java.util.Arrays; import java.util.Map; +import org.hamcrest.CoreMatchers; +import org.junit.Assert; +import org.junit.jupiter.api.AfterEach; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.DynamicTest; +import org.junit.jupiter.api.TestFactory; +import org.junit.jupiter.api.io.TempDir; +import org.springframework.security.core.token.Sha512DigestUtils; + +import io.restassured.RestAssured; +import lombok.SneakyThrows; + public class PathTraversalTest extends IntegrationTest { + + //the JUnit5 way + @TempDir + Path tempDir; + + private File fileToUpload = null; + + @BeforeEach + @SneakyThrows + public void init() { + fileToUpload = Files.createFile( + tempDir.resolve("test.jpg")).toFile(); + Files.write(fileToUpload.toPath(), "This is a test" .getBytes()); + startLesson("PathTraversal"); + } - @Rule - public TemporaryFolder temporaryFolder = new TemporaryFolder(); - - @Test + @TestFactory + Iterable testPathTraversal() { + return Arrays.asList( + dynamicTest("assignement 1 - profile upload",()-> assignment1()), + dynamicTest("assignement 2 - profile upload fix",()-> assignment2()), + dynamicTest("assignement 3 - profile upload remove user input",()-> assignment3()), + dynamicTest("assignement 4 - profile upload random pic",()-> assignment4()) + ); + } + public void assignment1() throws IOException { - startLesson("PathTraversal"); - var fileToUpload = temporaryFolder.newFile("test.jpg"); - Files.write(fileToUpload.toPath(), "This is a test" .getBytes()); - Assert.assertThat( RestAssured.given() .when() 
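Review bot: `testPathTraversal()` is declared with the raw type `Iterable` (as shown here; the type argument may have been lost in rendering) although `DynamicTest` is imported for it; declare `Iterable<DynamicTest> testPathTraversal()`, and likewise `testCSRFLesson()` in CSRFTest. `init()` uses Lombok's `@SneakyThrows` only to hide the `IOException` from `Files.createFile` and `Files.write`; a Jupiter lifecycle method can declare `public void init() throws IOException`, which keeps the checked exception visible, as `shutdown()` in CSRFTest already does. `"This is a test" .getBytes()` still encodes with the platform default charset, and `getBytes(StandardCharsets.UTF_8)` would make the uploaded fixture identical on every machine. The display names spell "assignement" where the method names use "assignment". The hunk ends inside `assignment1()`.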
@@ -35,12 +62,7 @@ public class PathTraversalTest extends IntegrationTest { .extract().path("lessonCompleted"), CoreMatchers.is(true)); } - @Test public void assignment2() throws IOException { - startLesson("PathTraversal"); - var fileToUpload = temporaryFolder.newFile("test.jpg"); - Files.write(fileToUpload.toPath(), "This is a test" .getBytes()); - Assert.assertThat( RestAssured.given() .when() @@ -54,12 +76,7 @@ public class PathTraversalTest extends IntegrationTest { .extract().path("lessonCompleted"), CoreMatchers.is(true)); } - @Test public void assignment3() throws IOException { - startLesson("PathTraversal"); - var fileToUpload = temporaryFolder.newFile("test.jpg"); - Files.write(fileToUpload.toPath(), "This is a test" .getBytes()); - Assert.assertThat( RestAssured.given() .when() @@ -71,11 +88,7 @@ public class PathTraversalTest extends IntegrationTest { .statusCode(200) .extract().path("lessonCompleted"), CoreMatchers.is(true)); } - - @Test public void assignment4() throws IOException { - startLesson("PathTraversal"); - var uri = "/WebGoat/PathTraversal/random-picture?id=%2E%2E%2F%2E%2E%2Fpath-traversal-secret"; RestAssured.given().urlEncodingEnabled(false) .when() @@ -88,4 +101,10 @@ public class PathTraversalTest extends IntegrationTest { checkAssignment("/WebGoat/PathTraversal/random", Map.of("secret", Sha512DigestUtils.shaHex(getWebgoatUser())), true); } + + @AfterEach + public void shutdown() { + //this will run only once after the list of dynamic tests has run, this is to test if the lesson is marked complete + checkResults("/PathTraversal"); + } } diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/ProgressRaceConditionTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/ProgressRaceConditionTest.java index 07e44ff0e..982bb564c 100644 --- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/ProgressRaceConditionTest.java 
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/ProgressRaceConditionTest.java @@ -3,7 +3,7 @@ package org.owasp.webgoat; import io.restassured.RestAssured; import io.restassured.response.Response; import org.assertj.core.api.Assertions; -import org.junit.Test; +import org.junit.jupiter.api.Test; import java.util.List; import java.util.Map; diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionAdvancedTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionAdvancedTest.java index 5bb9b5bcf..051b89aab 100644 --- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionAdvancedTest.java +++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionAdvancedTest.java @@ -1,10 +1,10 @@ package org.owasp.webgoat; -import org.junit.Test; - import java.util.HashMap; import java.util.Map; +import org.junit.jupiter.api.Test; + public class SqlInjectionAdvancedTest extends IntegrationTest { @Test diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionLessonTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionLessonTest.java index b47254b6a..83d900435 100644 --- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionLessonTest.java +++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionLessonTest.java @@ -1,10 +1,10 @@ package org.owasp.webgoat; -import org.junit.Test; - import java.util.HashMap; import java.util.Map; +import org.junit.jupiter.api.Test; + public class SqlInjectionLessonTest extends IntegrationTest { private static final String sql_2 = "select department from employees where last_name='Franco'"; diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionMitigationTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionMitigationTest.java index e82b904ba..40af18a96 100644 
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionMitigationTest.java +++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionMitigationTest.java @@ -1,14 +1,13 @@ package org.owasp.webgoat; -import org.hamcrest.CoreMatchers; -import org.junit.Test; - import io.restassured.RestAssured; import io.restassured.http.ContentType; import java.util.HashMap; import java.util.Map; +import org.junit.jupiter.api.Test; + import static org.hamcrest.CoreMatchers.containsString; public class SqlInjectionMitigationTest extends IntegrationTest { diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/WebWolfTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/WebWolfTest.java index 014e65a7a..2712f1baf 100644 --- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/WebWolfTest.java +++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/WebWolfTest.java @@ -6,7 +6,7 @@ import java.io.IOException; import java.util.HashMap; import java.util.Map; -import org.junit.Test; +import org.junit.jupiter.api.Test; import io.restassured.RestAssured; diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XSSTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XSSTest.java index b7d873c6f..8d01547d9 100644 --- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XSSTest.java +++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XSSTest.java @@ -1,12 +1,12 @@ package org.owasp.webgoat; -import org.junit.Test; - import io.restassured.RestAssured; import java.util.HashMap; import java.util.Map; +import org.junit.jupiter.api.Test; + public class XSSTest extends IntegrationTest { diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java index db919a1d4..3b9ec371b 100644 --- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java 
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java @@ -5,7 +5,7 @@ import java.nio.file.Files; import java.nio.file.Path; import java.nio.file.Paths; -import org.junit.Test; +import org.junit.jupiter.api.Test; import io.restassured.RestAssured; import io.restassured.http.ContentType;