Moved lessons to this project.
This commit is contained in:
Nanne Baars
@ -0,0 +1,69 @@
|
||||
package org.owasp.webgoat.plugin;
|
||||
|
||||
import com.beust.jcommander.internal.Lists;
|
||||
import org.owasp.webgoat.lessons.Category;
|
||||
import org.owasp.webgoat.lessons.NewLesson;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
/**
|
||||
* ************************************************************************************************
|
||||
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
|
||||
* please see http://www.owasp.org/
|
||||
* <p>
|
||||
* Copyright (c) 2002 - 20014 Bruce Mayhew
|
||||
* <p>
|
||||
* This program is free software; you can redistribute it and/or modify it under the terms of the
|
||||
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
|
||||
* License, or (at your option) any later version.
|
||||
* <p>
|
||||
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
|
||||
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
* General Public License for more details.
|
||||
* <p>
|
||||
* You should have received a copy of the GNU General Public License along with this program; if
|
||||
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
|
||||
* 02111-1307, USA.
|
||||
* <p>
|
||||
* Getting Source ==============
|
||||
* <p>
|
||||
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
|
||||
* projects.
|
||||
* <p>
|
||||
*
|
||||
* @author WebGoat
|
||||
* @version $Id: $Id
|
||||
* @since October 12, 2016
|
||||
*/
|
||||
public class HttpBasics extends NewLesson {
|
||||
@Override
|
||||
public Category getDefaultCategory() {
|
||||
return Category.GENERAL;
|
||||
}
|
||||
|
||||
@Override
|
||||
public List<String> getHints(WebSession webSession) {
|
||||
return Lists.newArrayList("Type in your name and press 'go'",
|
||||
"Turn on Show Parameters or other features",
|
||||
"Try to intercept the request with <a href='https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project' title='Link to ZAP'>OWASP ZAP</a>",
|
||||
"Press the Show Lesson Plan button to view a lesson summary",
|
||||
"Press the Show Solution button to view a lesson solution",
|
||||
"Use OWASP ZAP to intercept the request and see the type of HTTP command");
|
||||
}
|
||||
|
||||
@Override
|
||||
public Integer getDefaultRanking() {
|
||||
return 1;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getTitle() {
|
||||
return "HTTP Basics";
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getId() {
|
||||
return "HttpBasics";
|
||||
}
|
||||
}
|
||||
@ -0,0 +1,65 @@
|
||||
package org.owasp.webgoat.plugin;
|
||||
|
||||
import org.owasp.webgoat.lessons.LessonEndpoint;
|
||||
import org.owasp.webgoat.lessons.LessonEndpointMapping;
|
||||
import org.owasp.webgoat.lessons.model.AttackResult;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import java.io.IOException;
|
||||
|
||||
/**
|
||||
* *************************************************************************************************
|
||||
*
|
||||
*
|
||||
* This file is part of WebGoat, an Open Web Application Security Project
|
||||
* utility. For details, please see http://www.owasp.org/
|
||||
*
|
||||
* Copyright (c) 2002 - 20014 Bruce Mayhew
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it under
|
||||
* the terms of the GNU General Public License as published by the Free Software
|
||||
* Foundation; either version 2 of the License, or (at your option) any later
|
||||
* version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but WITHOUT
|
||||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
||||
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
||||
* details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along with
|
||||
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
|
||||
* Place - Suite 330, Boston, MA 02111-1307, USA.
|
||||
*
|
||||
* Getting Source ==============
|
||||
*
|
||||
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
|
||||
* for free software projects.
|
||||
*
|
||||
* For details, please see http://webgoat.github.io
|
||||
*
|
||||
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
|
||||
* @created October 28, 2003
|
||||
*/
|
||||
|
||||
@LessonEndpointMapping
|
||||
public class HttpBasicsLesson extends LessonEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
public @ResponseBody AttackResult completed(@RequestParam String person, HttpServletRequest request) throws IOException {
|
||||
if (!person.toString().equals("")) {
|
||||
return AttackResult.success("The server has reversed your name: " + new StringBuffer(person).reverse().toString());
|
||||
} else {
|
||||
return AttackResult.failed("You are close, try again");
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getPath() {
|
||||
return "/HttpBasics/attack1";
|
||||
}
|
||||
|
||||
}
|
||||
@ -0,0 +1,73 @@
|
||||
package org.owasp.webgoat.plugin;
|
||||
|
||||
import java.io.IOException;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
|
||||
import org.owasp.webgoat.lessons.LessonEndpoint;
|
||||
import org.owasp.webgoat.lessons.LessonEndpointMapping;
|
||||
import org.owasp.webgoat.lessons.model.AttackResult;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
|
||||
/**
|
||||
* *************************************************************************************************
|
||||
*
|
||||
*
|
||||
* This file is part of WebGoat, an Open Web Application Security Project
|
||||
* utility. For details, please see http://www.owasp.org/
|
||||
*
|
||||
* Copyright (c) 2002 - 20014 Bruce Mayhew
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it under
|
||||
* the terms of the GNU General Public License as published by the Free Software
|
||||
* Foundation; either version 2 of the License, or (at your option) any later
|
||||
* version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but WITHOUT
|
||||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
||||
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
||||
* details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along with
|
||||
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
|
||||
* Place - Suite 330, Boston, MA 02111-1307, USA.
|
||||
*
|
||||
* Getting Source ==============
|
||||
*
|
||||
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
|
||||
* for free software projects.
|
||||
*
|
||||
* For details, please see http://webgoat.github.io
|
||||
*
|
||||
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
|
||||
* @created October 28, 2003
|
||||
*/
|
||||
|
||||
@LessonEndpointMapping
|
||||
public class HttpBasicsQuiz extends LessonEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
public @ResponseBody AttackResult completed(@RequestParam String answer, @RequestParam String magic_answer, @RequestParam String magic_num, HttpServletRequest request) throws IOException {
|
||||
if ("POST".equals(answer.toUpperCase()) && magic_answer.equals(magic_num)) {
|
||||
return AttackResult.success();
|
||||
} else {
|
||||
StringBuffer message = new StringBuffer();
|
||||
if (!"POST".equals(answer.toUpperCase())) {
|
||||
message.append("The HTTP Command is incorrect. ");
|
||||
}
|
||||
if (!magic_answer.equals(magic_num)){
|
||||
message.append("The magic number is incorrect. ");
|
||||
}
|
||||
return AttackResult.failed("You are close, try again. " + message.toString());
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getPath() {
|
||||
return "/HttpBasics/attack2";
|
||||
}
|
||||
|
||||
}
|
||||
@ -0,0 +1,86 @@
|
||||
<!DOCTYPE html>
|
||||
|
||||
<html xmlns:th="http://www.thymeleaf.org">
|
||||
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
|
||||
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
|
||||
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
|
||||
<div class="adoc-content" th:replace="doc:HttpBasics_plan.adoc"></div>
|
||||
</div>
|
||||
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- reuse this block for each 'page' of content -->
|
||||
<!-- sample ascii doc content for second page -->
|
||||
<div class="adoc-content" th:replace="doc:HttpBasics_content1.adoc"></div>
|
||||
<!-- if including attack, reuse this section, leave classes in place -->
|
||||
<div class="attack-container">
|
||||
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
|
||||
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
|
||||
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/HttpBasics/attack1"
|
||||
enctype="application/json;charset=UTF-8">
|
||||
<div id="lessonContent">
|
||||
<form accept-charset="UNKNOWN" method="POST" name="form"
|
||||
action="#attack/307/100" enctype="">
|
||||
Enter Your Name: <input name="person" value="" type="TEXT"/><input
|
||||
name="SUBMIT" value="Go!" type="SUBMIT"/>
|
||||
</form>
|
||||
</div>
|
||||
</form>
|
||||
</div>
|
||||
<!-- do not remove the two following div's, this is where your feedback/output will land -->
|
||||
<div class="attack-feedback"></div>
|
||||
<div class="attack-output"></div>
|
||||
<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
|
||||
</div>
|
||||
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
|
||||
<!-- include content here. Content will be presented via asciidocs files,
|
||||
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
|
||||
<div class="adoc-content" th:replace="doc:HttpBasics_content2.adoc"></div>
|
||||
<div class="attack-container">
|
||||
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
|
||||
<div id="lessonContent">
|
||||
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
|
||||
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
|
||||
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/HttpBasics/attack2"
|
||||
enctype="application/json;charset=UTF-8">
|
||||
<script>
|
||||
// sample custom javascript in the recommended way ...
|
||||
// a namespace has been assigned for it, but you can roll your own if you prefer
|
||||
webgoat.customjs.assignRandomVal = function () {
|
||||
var x = Math.floor((Math.random() * 100) + 1);
|
||||
document.getElementById("magic_num").value = x;
|
||||
};
|
||||
webgoat.customjs.assignRandomVal();
|
||||
</script>
|
||||
<input type="hidden" name="magic_num" id="magic_num" value="foo" />
|
||||
<table>
|
||||
<tr>
|
||||
<td>Was the HTTP command a POST or a GET:</td>
|
||||
<td><input name="answer" value="" type="TEXT" /></td>
|
||||
<td></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>What is the magic number:</td>
|
||||
<td><input name="magic_answer" value="" type="TEXT" /><input
|
||||
name="SUBMIT" value="Go!" type="SUBMIT" /></td>
|
||||
<td></td>
|
||||
</tr>
|
||||
</table>
|
||||
</form>
|
||||
</div>
|
||||
<!-- do not remove the two following div's, this is where your feedback/output will land -->
|
||||
<div class="attack-feedback"></div>
|
||||
<div class="attack-output"></div>
|
||||
<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
|
||||
</div>
|
||||
</div>
|
||||
</html>
|
||||
@ -0,0 +1,29 @@
|
||||
<div align="Center">
|
||||
<p><b>Lehrplan:</b> Http Basics </p>
|
||||
</div>
|
||||
|
||||
<p><b>Lehrinhalt:</b> </p>
|
||||
Diese Lektion stellt die Verständnis-Grundlagen für den Datentransport zwischen Browser und Webapplikation dar.<br>
|
||||
<div align="Left">
|
||||
<p>
|
||||
<b>So funktioniert HTTP:</b>
|
||||
</p>
|
||||
Alle HTTP Transaktionen folgen demselben Schema. Jede Anfrage vom Client und jede Antwort des Servers besteht aus drei Teilen: Der Anfrage-/Antwortzeile, dem Kopf und dem K<>rper.
|
||||
Der Client initiiert eine Transaktion wie folgt:<br>
|
||||
<br>
|
||||
Der Client kontaktiert den Server und sendet eine Dokumentenanfrage<br>
|
||||
</div>
|
||||
<br>
|
||||
<ul>GET /index.html?param=value HTTP/1.0</ul>
|
||||
Als nächstes sendet der Client optionale Kopfzeilen (Header) um den Server über die Client-seitige Konfiguration und die akzeptierten Dokumentenformate zu informieren.<br>
|
||||
<br>
|
||||
<ul>User-Agent: Mozilla/4.06 Accept: image/gif,image/jpeg, */*</ul>
|
||||
Nachdem der eigentliche Anfrage (Request) und den weiteren Kopfzeilen (Header) kann der Client noch weitere Daten senden. Diese Daten werden meistens von CGI Programmen im Zusammenhang mit der POST Methode ausgewertet.
|
||||
<br>
|
||||
<p><b>Grundsätzliche(s) Ziel(e):</b> </p>
|
||||
<!-- Start Instructions -->
|
||||
Geben Sie Ihren Namen in das Eingabefeld ein und dr<64>cken sie "Los gehts!" um die Anfrage abzuschicken. Der Server wird die Anfrage akzeptieren, Ihre Eingabedaten umdrehen, und wieder zu Ihnen zur<75>ckschicken. Dies stellt eine vollständige HTTP Transaktion dar!
|
||||
<br/><br/>
|
||||
Sie sollten mit der Benutzung von WebGoat vertraut werden. Es sollten die Kn<4B>pfe für Hinweise (Hints), für das Anzeigen von Parametern(Parameters) oder Cookies und für das Anzeigen von Java-Quellcode ausprobiert werden.
|
||||
Au<EFBFBD>erdem, können Sie hier WebScarab gut ausprobieren.
|
||||
<!-- Stop Instructions -->
|
||||
@ -0,0 +1,8 @@
|
||||
|
||||
Enter your name in the input field below and press "Go!" to submit. The server will accept the request, reverse the input and display it back to the user, illustrating the basics of handling an HTTP request.
|
||||
|
||||
The user should become familiar with the features of WebGoat by manipulating the above buttons to view hints, show the HTTP request parameters, the HTTP request cookies, and the Java source code. You may also try using OWASP ZAP Attack Proxy to see the HTTP data.
|
||||
|
||||
== Try It!
|
||||
|
||||
Enter your name in the input field below and press "Go!" to submit. The server will accept the request, reverse the input and display it back to the user, illustrating the basics of handling an HTTP request.
|
||||
@ -0,0 +1,4 @@
|
||||
== The Quiz
|
||||
|
||||
What type of HTTP command did WebGoat use for this lesson. A POST or a GET.
|
||||
|
||||
@ -0,0 +1,28 @@
|
||||
= HTTP Basics
|
||||
|
||||
== Concept
|
||||
|
||||
This lesson presents the basics for understanding the transfer of data between the browser and the web application and how to trap a request/response with a HTTP proxy.
|
||||
|
||||
== Goals
|
||||
|
||||
The user should become familiar with the features of WebGoat by manipulating the above
|
||||
buttons to view hints, show the HTTP request parameters, the HTTP request cookies, and the Java source code. You may also try using
|
||||
link:https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project[OWASP Zed Attack Proxy] for the first time.
|
||||
|
||||
=== How HTTP works:
|
||||
|
||||
All HTTP transactions follow the same general format. Each client request and server response has three parts: the request or response line, a header section and the entity body.
|
||||
|
||||
The client initiates a transaction as follows:
|
||||
|
||||
* The client contacts the server and sends a document request. A GET request can have url parameters and those parameters will be available in the web access logs.
|
||||
|
||||
** GET /index.html?param=value HTTP/1.0
|
||||
|
||||
* Next, the client sends optional header information to inform the server of its configuration and the document formats it will accept.
|
||||
|
||||
** User-Agent: Mozilla/4.06 Accept: image/gif,image/jpeg, */*
|
||||
|
||||
* In a POST request, the user supplied data will follow the optional headers and is not part of the contained within the POST URL.
|
||||
|
||||
@ -0,0 +1,33 @@
|
||||
<div align="Center">
|
||||
<p><b>Название урока:</b> Основы Http </p>
|
||||
</div>
|
||||
|
||||
<p><b>Тема изучения:</b> </p>
|
||||
В данном уроке представлены основы необходимые для понимания процесса передачи данных между браузером и веб-приложением.<br>
|
||||
<div align="Left">
|
||||
<p>
|
||||
<b>Как работает HTTP:</b>
|
||||
</p>
|
||||
Все обращения по протоколу HTTP имеют один основной формат. Кажный запрос клиента или ответ сервера состоит из трёх частей:
|
||||
строка запроса или ответа, заголовок и тело. Клиент начинает предачу данных следующим образом: <br>
|
||||
<br>
|
||||
Он соединяется с сервером и отправляет запрос для получения документа <br>
|
||||
</div>
|
||||
<br>
|
||||
<ul>GET /index.html?param=value HTTP/1.0</ul>
|
||||
Далее он шлёт различную информацию в разделе заголовка чтоб уведомить сервер о своей конфигурации и возможностях
|
||||
(например какие кодировки и типы документов поддерживаются клиентом).<br>
|
||||
<br>
|
||||
<ul>User-Agent: Mozilla/4.06<br />Accept: image/gif,image/jpeg, */*</ul>
|
||||
После отправки запроса и заголовков клиент может отправить дополнительные данные. Они в большинстве случаев
|
||||
предназначаются для CGI-программ использующих метод POST для принятия информации.<br>
|
||||
<p><b>Основные цели и задачи:</b> </p>
|
||||
<!-- Start Instructions -->
|
||||
Введите ваше имя в поле расположенное ниже и нажмите "Вперёд!" для отправки формы. Сервер примет ваш запрос, выстроит
|
||||
полученную строку в обратном порядке и выведет результат на экран. Данный пример иллюстрирует основы обработки данных
|
||||
полученных из HTTP-запроса.
|
||||
<br/><br/>
|
||||
Пользователю необходимо ознакомится с использованием функций WebGoat, таких как просмотр подсказок, отображение параметров HTTP-запроса,
|
||||
отображение Cookies и исходных кодов Java. Первое время, в качестве практики, для просмотра параметров и Cookies
|
||||
запросов вы можете использовать WebScarab.
|
||||
<!-- Stop Instructions -->
|
||||
@ -0,0 +1,5 @@
|
||||
= HTTP Basics
|
||||
|
||||
== Solution
|
||||
|
||||
Solution goes here
|
||||
@ -0,0 +1,14 @@
|
||||
<!DOCTYPE html>
|
||||
|
||||
<html xmlns:th="http://www.thymeleaf.org">
|
||||
|
||||
|
||||
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- reuse this block for each 'page' of content -->
|
||||
<!-- include content here ... will be first page/tab multiple -->
|
||||
<div class="adoc-content" th:replace="doc:HttpBasics_solution.adoc"></div>
|
||||
</div>
|
||||
|
||||
|
||||
</html>
|
||||
@ -0,0 +1,2 @@
|
||||
EnterYourName=Enter your Name
|
||||
Go!=Go!
|
||||
@ -0,0 +1,2 @@
|
||||
EnterYourName=Geben Sie Ihren Namen ein
|
||||
Go!=Los gehts!
|
||||
@ -0,0 +1,2 @@
|
||||
EnterYourName=Entrez votre nom
|
||||
Go!=Go!
|
||||
@ -0,0 +1,2 @@
|
||||
EnterYourName=\u0412\u0432\u0435\u0434\u0438\u0442\u0435 \u0432\u0430\u0448\u0435 \u0438\u043c\u044f
|
||||
Go!=\u0412\u043f\u0435\u0440\u0451\u0434!
|
||||
Reference in New Issue
Block a user