feat: upgrade to Spring Boot version 3 (#1477)

Nanne Baars 2023-06-04 11:19:47 +02:00 committed by GitHub
parent ff3a2983e2
commit ca886b4818
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
126 changed files with 520 additions and 479 deletions


@ -27,6 +27,8 @@ ENTRYPOINT [ "java", \
"--add-opens", "java.base/sun.nio.ch=ALL-UNNAMED", \
"--add-opens", "java.base/java.io=ALL-UNNAMED", \
"--add-opens", "java.base/java.util=ALL-UNNAMED", \
"--add-opens", "java.base/sun.nio.ch=ALL-UNNAMED", \
"--add-opens", "java.base/java.io=ALL-UNNAMED", \
"-Drunning.in.docker=true", \
"-Dwebgoat.host=0.0.0.0", \
"-Dwebwolf.host=0.0.0.0", \

8
FAQ.md Normal file

@ -0,0 +1,8 @@
# FAQ for development
## Introduction
### Integration tests fail
Try to run the command in the console `java -jar ...` and remove `-Dlogging.pattern.console=` from the command line.

44
pom.xml

@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.7.1</version>
<version>3.0.5</version>
</parent>
<groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat</artifactId>
<version>2023.5-SNAPSHOT</version>
@ -27,6 +27,7 @@
<url>https://www.gnu.org/licenses/gpl-2.0.txt</url>
</license>
</licenses>
<developers>
<developer>
<id>mayhew64</id>
@ -94,7 +95,6 @@
<archive>http://lists.owasp.org/pipermail/owasp-webgoat/</archive>
</mailingList>
</mailingLists>
<scm>
<connection>scm:git:git@github.com:WebGoat/WebGoat.git</connection>
<developerConnection>scm:git:git@github.com:WebGoat/WebGoat.git</developerConnection>
@ -110,7 +110,8 @@
<properties>
<!-- Shared properties with plugins and version numbers across submodules-->
<asciidoctorj.version>2.5.3</asciidoctorj.version>
<bootstrap.version>5.2.3</bootstrap.version>
<!-- Upgrading needs UI work in WebWolf -->
<bootstrap.version>3.3.7</bootstrap.version>
<cglib.version>3.3.0</cglib.version>
<!-- do not update necessary for lesson -->
<checkstyle.version>3.2.1</checkstyle.version>
@ -121,6 +122,7 @@
<guava.version>31.1-jre</guava.version>
<jacoco.version>0.8.10</jacoco.version>
<java.version>17</java.version>
<jaxb.version>2.3.1</jaxb.version>
<jjwt.version>0.9.1</jjwt.version>
<jose4j.version>0.9.3</jose4j.version>
<jquery.version>3.5.1</jquery.version>
@ -137,7 +139,7 @@
<!-- Use UTF-8 Encoding -->
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<thymeleaf.version>3.0.15.RELEASE</thymeleaf.version>
<thymeleaf.version>3.1.1.RELEASE</thymeleaf.version>
<webdriver.version>5.3.2</webdriver.version>
<webgoat.port>8080</webgoat.port>
<webwolf.port>9090</webwolf.port>
@ -250,7 +252,6 @@
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
<dependency>
<groupId>org.apache.commons</groupId>
@ -269,6 +270,7 @@
<dependency>
<groupId>javax.xml.bind</groupId>
<artifactId>jaxb-api</artifactId>
<version>${jaxb.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
@ -310,7 +312,11 @@
</dependency>
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity5</artifactId>
<artifactId>thymeleaf-extras-springsecurity6</artifactId>
</dependency>
<dependency>
<groupId>jakarta.servlet</groupId>
<artifactId>jakarta.servlet-api</artifactId>
</dependency>
<dependency>
<groupId>org.hsqldb</groupId>
@ -369,8 +375,13 @@
<artifactId>jquery</artifactId>
</dependency>
<dependency>
<groupId>org.glassfish.jaxb</groupId>
<artifactId>jaxb-runtime</artifactId>
<groupId>jakarta.xml.bind</groupId>
<artifactId>jakarta.xml.bind-api</artifactId>
</dependency>
<dependency>
<groupId>com.sun.xml.bind</groupId>
<artifactId>jaxb-impl</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
@ -386,6 +397,7 @@
<dependency>
<groupId>com.github.tomakehurst</groupId>
<artifactId>wiremock</artifactId>
<version>3.0.0-beta-2</version>
<scope>test</scope>
</dependency>
<dependency>
@ -393,6 +405,11 @@
<artifactId>rest-assured</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-properties-migrator</artifactId>
<scope>runtime</scope>
</dependency>
</dependencies>
<repositories>
@ -490,7 +507,8 @@
<argLine>--add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
--add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
--add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED
--add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED</argLine>
--add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED
--add-opens=java.base/sun.nio.ch=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED</argLine>
<excludes>
<exclude>**/*IntegrationTest.java</exclude>
<exclude>src/it/java</exclude>
@ -678,6 +696,10 @@
<argument>java.base/java.io=ALL-UNNAMED</argument>
<argument>--add-opens</argument>
<argument>java.base/java.util=ALL-UNNAMED</argument>
<argument>--add-opens</argument>
<argument>java.base/sun.nio.ch=ALL-UNNAMED</argument>
<argument>--add-opens</argument>
<argument>java.base/java.io=ALL-UNNAMED</argument>
<argument>${project.build.directory}/webgoat-${project.version}.jar</argument>
</arguments>
<waitForInterrupt>false</waitForInterrupt>
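Review bot: The properties hunk appears to pin `bootstrap.version` back to 3.3.7 (the 5.2.3 line looks like the removed side), and the only rationale given is `Upgrading needs UI work in WebWolf`. Bootstrap 3.x releases before 3.4.1 have publicly documented XSS weaknesses in tooltip, popover and data-attribute handling, so this keeps a known-vulnerable front-end library in the UI that is served to users. If moving to 5.x is not feasible yet, `<bootstrap.version>3.4.1</bootstrap.version>` stays on the 3.x API and picks up those fixes. Otherwise the comment should state that the version is knowingly outdated and point at a tracking issue.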


@ -5,7 +5,6 @@ import static org.junit.jupiter.api.DynamicTest.dynamicTest;
import io.restassured.RestAssured;
import java.util.Arrays;
import java.util.Map;
import lombok.SneakyThrows;
import org.apache.commons.lang3.StringUtils;
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.AfterEach;
@ -16,7 +15,6 @@ import org.junit.jupiter.api.TestFactory;
public class PasswordResetLessonIntegrationTest extends IntegrationTest {
@BeforeEach
@SneakyThrows
public void init() {
startLesson("/PasswordReset");
}


@ -29,9 +29,9 @@ public class ProgressRaceConditionIntegrationTest extends IntegrationTest {
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.formParams(Map.of("flag", "test"))
.post(url("/challenge/flag/"));
.post(url("/challenge/flag"));
};
ExecutorService executorService = Executors.newWorkStealingPool(NUMBER_OF_PARALLEL_THREADS);
ExecutorService executorService = Executors.newFixedThreadPool(NUMBER_OF_PARALLEL_THREADS);
List<? extends Callable<Response>> flagCalls =
IntStream.range(0, NUMBER_OF_CALLS).mapToObj(i -> call).collect(Collectors.toList());
var responses = executorService.invokeAll(flagCalls);


@ -27,10 +27,10 @@
*/
package org.owasp.webgoat.container;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;


@ -33,6 +33,7 @@ package org.owasp.webgoat.container;
import static org.asciidoctor.Asciidoctor.Factory.create;
import io.undertow.util.Headers;
import jakarta.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
@ -41,7 +42,6 @@ import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import lombok.extern.slf4j.Slf4j;
import org.asciidoctor.Asciidoctor;
import org.asciidoctor.extension.JavaExtensionRegistry;
@ -60,7 +60,7 @@ import org.thymeleaf.templateresource.StringTemplateResource;
* Thymeleaf resolver for AsciiDoc used in the lesson, can be used as follows inside a lesson file:
*
* <p><code>
* <div th:replace="doc:AccessControlMatrix_plan.adoc"></div>
* <div th:replace="~{doc:AccessControlMatrix_plan.adoc}"></div>
* </code>
*/
@Slf4j


@ -50,12 +50,13 @@ public class DatabaseConfiguration {
}
@Bean
public Function<String, Flyway> flywayLessons(LessonDataSource lessonDataSource) {
public Function<String, Flyway> flywayLessons() {
return schema ->
Flyway.configure()
.configuration(Map.of("driver", properties.getDriverClassName()))
.schemas(schema)
.dataSource(lessonDataSource)
.cleanDisabled(false)
.dataSource(dataSource())
.locations("lessons")
.load();
}
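Review bot: `.cleanDisabled(false)` in `flywayLessons()` re-enables `Flyway.clean()`, which drops every object in the configured schemas, and nothing in the hunk says why that is wanted. Flyway 9 switched clean off by default as a safeguard, so the opt-in deserves a comment such as `// clean is required to reset one user's lesson schema; never call with a shared schema`. The builder also appears to move from the injected `LessonDataSource` to `dataSource()`, which leaves the `schema` argument as the only thing scoping a clean. Callers are outside this hunk, so it is worth confirming that they only pass server-derived schema names and never request input.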


@ -56,10 +56,10 @@ import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.i18n.LocaleChangeInterceptor;
import org.springframework.web.servlet.i18n.SessionLocaleResolver;
import org.thymeleaf.IEngineConfiguration;
import org.thymeleaf.extras.springsecurity5.dialect.SpringSecurityDialect;
import org.thymeleaf.spring5.SpringTemplateEngine;
import org.thymeleaf.spring5.templateresolver.SpringResourceTemplateResolver;
import org.thymeleaf.spring5.view.ThymeleafViewResolver;
import org.thymeleaf.extras.springsecurity6.dialect.SpringSecurityDialect;
import org.thymeleaf.spring6.SpringTemplateEngine;
import org.thymeleaf.spring6.templateresolver.SpringResourceTemplateResolver;
import org.thymeleaf.spring6.view.ThymeleafViewResolver;
import org.thymeleaf.templatemode.TemplateMode;
import org.thymeleaf.templateresolver.FileTemplateResolver;
import org.thymeleaf.templateresolver.ITemplateResolver;


@ -37,50 +37,49 @@ import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
/** Security configuration for WebGoat. */
@Configuration
@AllArgsConstructor
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
public class WebSecurityConfig {
private final UserService userDetailsService;
@Override
protected void configure(HttpSecurity http) throws Exception {
ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security =
http.authorizeRequests()
.antMatchers(
"/css/**",
"/images/**",
"/js/**",
"fonts/**",
"/plugins/**",
"/registration",
"/register.mvc",
"/actuator/**")
.permitAll()
.anyRequest()
.authenticated();
security
.and()
.formLogin()
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.authorizeHttpRequests(
auth ->
auth.requestMatchers(
"/css/**",
"/images/**",
"/js/**",
"fonts/**",
"/plugins/**",
"/registration",
"/register.mvc",
"/actuator/**")
.permitAll()
.anyRequest()
.authenticated());
http.formLogin()
.loginPage("/login")
.defaultSuccessUrl("/welcome.mvc", true)
.usernameParameter("username")
.passwordParameter("password")
.permitAll();
security.and().logout().deleteCookies("JSESSIONID").invalidateHttpSession(true);
security.and().csrf().disable();
http.logout().deleteCookies("JSESSIONID").invalidateHttpSession(true);
http.csrf().disable();
http.headers().cacheControl().disable();
http.exceptionHandling().authenticationEntryPoint(new AjaxAuthenticationEntryPoint("/login"));
return http.build();
}
@Autowired
@ -89,15 +88,14 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
}
@Bean
@Override
public UserDetailsService userDetailsServiceBean() throws Exception {
public UserDetailsService userDetailsServiceBean() {
return userDetailsService;
}
@Override
@Bean
protected AuthenticationManager authenticationManager() throws Exception {
return super.authenticationManager();
public AuthenticationManager authenticationManager(
AuthenticationConfiguration authenticationConfiguration) throws Exception {
return authenticationConfiguration.getAuthenticationManager();
}
@SuppressWarnings("deprecation")
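Review bot: The migrated `filterChain` keeps `/actuator/**` in the `permitAll()` list, so every actuator endpoint exposed over HTTP is reachable without a session. Which endpoints those are depends on the `management.endpoints.web.exposure.include` setting, which is not on this page. If only the health probe is needed, narrow the matcher to `"/actuator/health"`, or add a comment saying the wider exposure is intentional. The same list carries `"fonts/**"` without a leading slash, which probably never matches a request path and should read `"/fonts/**"`. `http.csrf().disable()` is carried over unchanged and would benefit from a one-line comment stating that it is deliberate for this training application.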


@ -1,8 +1,8 @@
package org.owasp.webgoat.container.asciidoc;
import jakarta.servlet.http.HttpServletRequest;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.asciidoctor.ast.ContentNode;
import org.asciidoctor.extension.InlineMacroProcessor;
import org.springframework.web.context.request.RequestContextHolder;


@ -75,7 +75,8 @@ public class LessonTrackerInterceptor implements ResponseBodyAdvice<Object> {
} else {
userTracker.assignmentFailed(webSession.getCurrentLesson());
}
userTrackerRepository.saveAndFlush(userTracker);
userTrackerRepository.save(userTracker);
return attackResult;
}
}


@ -31,7 +31,7 @@
*/
package org.owasp.webgoat.container.controller;
import javax.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletRequest;
import org.owasp.webgoat.container.session.Course;
import org.owasp.webgoat.container.session.WebSession;
import org.springframework.stereotype.Controller;


@ -29,8 +29,8 @@
*/
package org.owasp.webgoat.container.controller;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.servlet.ModelAndView;
@ -49,7 +49,7 @@ public class Welcome {
/**
* welcome.
*
* @param request a {@link javax.servlet.http.HttpServletRequest} object.
* @param request a {@link jakarta.servlet.http.HttpServletRequest} object.
* @return a {@link org.springframework.web.servlet.ModelAndView} object.
*/
@GetMapping(path = {"welcome.mvc"})


@ -1,9 +1,14 @@
package org.owasp.webgoat.container.lessons;
import jakarta.persistence.Entity;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.GenerationType;
import jakarta.persistence.Id;
import jakarta.persistence.Transient;
import java.util.ArrayList;
import java.util.List;
import javax.persistence.*;
import lombok.*;
import lombok.EqualsAndHashCode;
import lombok.Getter;
/**
* ************************************************************************************************
@ -41,7 +46,7 @@ import lombok.*;
public class Assignment {
@Id
@GeneratedValue(strategy = GenerationType.AUTO)
@GeneratedValue(strategy = GenerationType.IDENTITY)
private Long id;
private String name;


@ -4,15 +4,13 @@ import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.sql.Connection;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.container.users.WebGoatUser;
import org.springframework.security.core.context.SecurityContextHolder;
/**
* Handler which sets the correct schema for the currently bounded user. This way users are not
* seeing each other data and we can reset data for just one particular user.
* seeing each other data, and we can reset data for just one particular user.
*/
@Slf4j
public class LessonConnectionInvocationHandler implements InvocationHandler {
private final Connection targetConnection;


@ -1,8 +1,20 @@
package org.owasp.webgoat.container.users;
import java.util.*;
import jakarta.persistence.CascadeType;
import jakarta.persistence.Entity;
import jakarta.persistence.FetchType;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.GenerationType;
import jakarta.persistence.Id;
import jakarta.persistence.OneToMany;
import jakarta.persistence.Version;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import javax.persistence.*;
import lombok.EqualsAndHashCode;
import lombok.Getter;
import org.owasp.webgoat.container.lessons.Assignment;
import org.owasp.webgoat.container.lessons.Lesson;
@ -39,10 +51,11 @@ import org.owasp.webgoat.container.lessons.Lesson;
* @since October 29, 2003
*/
@Entity
@EqualsAndHashCode
public class LessonTracker {
@Id
@GeneratedValue(strategy = GenerationType.AUTO)
@GeneratedValue(strategy = GenerationType.IDENTITY)
private Long id;
@Getter private String lessonName;
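Review bot: The class-level `@EqualsAndHashCode` on the `LessonTracker` entity (and the same annotation on `UserTracker` in its own section) makes Lombok derive equality and hash code from every field, including the generated `id`. With `GenerationType.IDENTITY` the id stays null until the row is inserted, so an instance added to a `HashSet` before persist hashes differently afterwards and can no longer be found in that set. The imports suggest such sets are used, but the fields themselves are outside the hunk. Restricting equality to a stable key avoids this, for example `@EqualsAndHashCode(onlyExplicitlyIncluded = true)` on the class and `@EqualsAndHashCode.Include` on `lessonName`.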


@ -1,11 +1,10 @@
package org.owasp.webgoat.container.users;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.validation.Valid;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.validation.Valid;
import lombok.AllArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.stereotype.Controller;
import org.springframework.validation.BindingResult;
import org.springframework.web.bind.annotation.GetMapping;
@ -23,7 +22,6 @@ public class RegistrationController {
private UserValidator userValidator;
private UserService userService;
private AuthenticationManager authenticationManager;
@GetMapping("/registration")
public String showForm(UserForm userForm) {


@ -1,8 +1,8 @@
package org.owasp.webgoat.container.users;
import javax.validation.constraints.NotNull;
import javax.validation.constraints.Pattern;
import javax.validation.constraints.Size;
import jakarta.validation.constraints.NotNull;
import jakarta.validation.constraints.Pattern;
import jakarta.validation.constraints.Size;
import lombok.Getter;
import lombok.Setter;


@ -1,11 +1,19 @@
package org.owasp.webgoat.container.users;
import jakarta.persistence.CascadeType;
import jakarta.persistence.Column;
import jakarta.persistence.Entity;
import jakarta.persistence.FetchType;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.GenerationType;
import jakarta.persistence.Id;
import jakarta.persistence.OneToMany;
import java.util.HashSet;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import javax.persistence.*;
import lombok.EqualsAndHashCode;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.container.lessons.Assignment;
import org.owasp.webgoat.container.lessons.Lesson;
@ -43,10 +51,11 @@ import org.owasp.webgoat.container.lessons.Lesson;
*/
@Slf4j
@Entity
@EqualsAndHashCode
public class UserTracker {
@Id
@GeneratedValue(strategy = GenerationType.AUTO)
@GeneratedValue(strategy = GenerationType.IDENTITY)
private Long id;
@Column(name = "username")


@ -1,10 +1,10 @@
package org.owasp.webgoat.container.users;
import jakarta.persistence.Entity;
import jakarta.persistence.Id;
import jakarta.persistence.Transient;
import java.util.Collection;
import java.util.Collections;
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.Transient;
import lombok.Getter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;


@ -22,13 +22,13 @@
package org.owasp.webgoat.lessons.authbypass;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;


@ -26,8 +26,6 @@ import lombok.AllArgsConstructor;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.container.session.WebSession;
import org.owasp.webgoat.container.users.UserTracker;
import org.owasp.webgoat.container.users.UserTrackerRepository;
import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
@ -38,25 +36,17 @@ import org.springframework.web.bind.annotation.RestController;
@AllArgsConstructor
public class FlagController extends AssignmentEndpoint {
private final UserTrackerRepository userTrackerRepository;
private final WebSession webSession;
private final Flags flags;
@PostMapping(path = "/challenge/flag", produces = MediaType.APPLICATION_JSON_VALUE)
@ResponseBody
public AttackResult postFlag(@RequestParam String flag) {
UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
Flag expectedFlag = flags.getFlag(webSession.getCurrentLesson());
final AttackResult attackResult;
if (expectedFlag.isCorrect(flag)) {
userTracker.assignmentSolved(
webSession.getCurrentLesson(), "Assignment" + expectedFlag.number());
attackResult = success(this).feedback("challenge.flag.correct").build();
return success(this).feedback("challenge.flag.correct").build();
} else {
userTracker.assignmentFailed(webSession.getCurrentLesson());
attackResult = failed(this).feedback("challenge.flag.incorrect").build();
return failed(this).feedback("challenge.flag.incorrect").build();
}
userTrackerRepository.save(userTracker);
return attackResult;
}
}


@ -1,9 +1,9 @@
package org.owasp.webgoat.lessons.challenges.challenge7;
import jakarta.servlet.http.HttpServletRequest;
import java.net.URI;
import java.net.URISyntaxException;
import java.time.LocalDateTime;
import javax.servlet.http.HttpServletRequest;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;


@ -1,9 +1,9 @@
package org.owasp.webgoat.lessons.challenges.challenge8;
import jakarta.servlet.http.HttpServletRequest;
import java.util.HashMap;
import java.util.Map;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;


@ -22,6 +22,7 @@
package org.owasp.webgoat.lessons.clientsidefiltering;
import jakarta.annotation.PostConstruct;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
@ -31,7 +32,6 @@ import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.annotation.PostConstruct;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;


@ -22,9 +22,9 @@
package org.owasp.webgoat.lessons.cryptography;
import jakarta.servlet.http.HttpServletRequest;
import java.util.Base64;
import java.util.Random;
import javax.servlet.http.HttpServletRequest;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.springframework.http.MediaType;


@ -22,10 +22,10 @@
package org.owasp.webgoat.lessons.cryptography;
import jakarta.servlet.http.HttpServletRequest;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Random;
import javax.servlet.http.HttpServletRequest;
import javax.xml.bind.DatatypeConverter;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;


@ -22,11 +22,11 @@
package org.owasp.webgoat.lessons.cryptography;
import jakarta.servlet.http.HttpServletRequest;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPublicKey;
import javax.servlet.http.HttpServletRequest;
import javax.xml.bind.DatatypeConverter;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;


@ -24,11 +24,11 @@ package org.owasp.webgoat.lessons.csrf;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.util.Map;
import java.util.UUID;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.exception.ExceptionUtils;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;


@ -22,10 +22,10 @@
package org.owasp.webgoat.lessons.csrf;
import jakarta.servlet.http.HttpServletRequest;
import java.util.HashMap;
import java.util.Map;
import java.util.Random;
import javax.servlet.http.HttpServletRequest;
import org.owasp.webgoat.container.i18n.PluginMessages;
import org.owasp.webgoat.container.session.UserSessionData;
import org.springframework.beans.factory.annotation.Autowired;


@ -22,7 +22,7 @@
package org.owasp.webgoat.lessons.csrf;
import javax.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletRequest;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;


@ -25,6 +25,7 @@ package org.owasp.webgoat.lessons.csrf;
import static org.springframework.http.MediaType.ALL_VALUE;
import com.google.common.collect.Lists;
import jakarta.servlet.http.HttpServletRequest;
import java.time.LocalDateTime;
import java.time.format.DateTimeFormatter;
import java.util.ArrayList;
@ -32,7 +33,6 @@ import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;


@ -22,8 +22,8 @@
package org.owasp.webgoat.lessons.hijacksession;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;


@ -22,7 +22,7 @@
package org.owasp.webgoat.lessons.httpproxies;
import javax.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletRequest;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.springframework.http.HttpMethod;


@ -22,9 +22,9 @@
package org.owasp.webgoat.lessons.idor;
import jakarta.servlet.http.HttpServletResponse;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletResponse;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;


@ -31,14 +31,14 @@ import io.jsonwebtoken.Jwt;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.impl.TextCodec;
import jakarta.annotation.PostConstruct;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletResponse;
import java.time.Duration;
import java.time.Instant;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import javax.annotation.PostConstruct;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;


@ -22,10 +22,10 @@
package org.owasp.webgoat.lessons.logging;
import jakarta.annotation.PostConstruct;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.UUID;
import javax.annotation.PostConstruct;
import org.apache.logging.log4j.util.Strings;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;


@ -22,8 +22,8 @@
package org.owasp.webgoat.lessons.passwordreset;
import jakarta.servlet.http.HttpServletRequest;
import java.util.UUID;
import javax.servlet.http.HttpServletRequest;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.springframework.beans.factory.annotation.Value;


@ -1,7 +1,7 @@
package org.owasp.webgoat.lessons.passwordreset.resetlink;
import javax.validation.constraints.NotNull;
import javax.validation.constraints.Size;
import jakarta.validation.constraints.NotNull;
import jakarta.validation.constraints.Size;
import lombok.Getter;
import lombok.Setter;


@ -1,5 +1,7 @@
package org.owasp.webgoat.lessons.pathtraversal;
import jakarta.annotation.PostConstruct;
import jakarta.servlet.http.HttpServletRequest;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
@ -8,8 +10,6 @@ import java.net.URI;
import java.net.URISyntaxException;
import java.nio.file.Files;
import java.util.Base64;
import javax.annotation.PostConstruct;
import javax.servlet.http.HttpServletRequest;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.RandomUtils;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;


@ -22,9 +22,9 @@
package org.owasp.webgoat.lessons.spoofcookie;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletResponse;
import java.util.Map;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;


@ -22,11 +22,11 @@
package org.owasp.webgoat.lessons.sqlinjection.introduction;
import jakarta.annotation.PostConstruct;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.annotation.PostConstruct;
import org.owasp.webgoat.container.LessonDataSource;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;


@ -22,9 +22,9 @@
package org.owasp.webgoat.lessons.sqlinjection.introduction;
import jakarta.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.sql.*;
import javax.servlet.http.HttpServletRequest;
import org.owasp.webgoat.container.LessonDataSource;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;


@ -22,9 +22,9 @@
package org.owasp.webgoat.lessons.webwolfintroduction;
import jakarta.servlet.http.HttpServletRequest;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.StringUtils;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;


@ -22,8 +22,8 @@
package org.owasp.webgoat.lessons.xss;
import jakarta.servlet.http.HttpServletRequest;
import java.security.SecureRandom;
import javax.servlet.http.HttpServletRequest;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.container.session.UserSessionData;


@ -22,7 +22,8 @@
package org.owasp.webgoat.lessons.xxe;
import javax.xml.bind.annotation.XmlRootElement;
import jakarta.xml.bind.annotation.XmlRootElement;
import jakarta.xml.bind.annotation.XmlType;
import lombok.AllArgsConstructor;
import lombok.Getter;
import lombok.NoArgsConstructor;
@ -37,7 +38,8 @@ import lombok.ToString;
@Setter
@AllArgsConstructor
@NoArgsConstructor
@XmlRootElement
@XmlRootElement(name = "comment")
@XmlType
@ToString
public class Comment {
private String user;
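Review bot: The added `@XmlRootElement(name = "comment")` and bare `@XmlType` have no comment explaining why they are needed, and the explicit name is the same one JAXB derives by default from the class name `Comment`. Since this class is what the XXE lesson's parser binds submitted XML to, a short note above the annotations would help, for example `// Root element name stated explicitly so lesson payloads keep binding after the move to jakarta.xml.bind` (adjust if the reason is different). The class body continues outside the hunk.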


@ -26,6 +26,8 @@ import static java.util.Optional.empty;
import static java.util.Optional.of;
import com.fasterxml.jackson.databind.ObjectMapper;
import jakarta.xml.bind.JAXBContext;
import jakarta.xml.bind.JAXBException;
import java.io.IOException;
import java.io.StringReader;
import java.time.LocalDateTime;
@ -36,8 +38,6 @@ import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import org.owasp.webgoat.container.session.WebSession;
@ -93,7 +93,7 @@ public class CommentsCache {
* progress etc). In real life the XmlMapper bean defined above will be used automatically and the
* Comment class can be directly used in the controller method (instead of a String)
*/
protected Comment parseXml(String xml) throws JAXBException, XMLStreamException {
protected Comment parseXml(String xml) throws XMLStreamException, JAXBException {
var jc = JAXBContext.newInstance(Comment.class);
var xif = XMLInputFactory.newInstance();


@ -24,7 +24,7 @@ package org.owasp.webgoat.lessons.xxe;
import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
import javax.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletRequest;
import org.apache.commons.exec.OS;
import org.apache.commons.lang3.exception.ExceptionUtils;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@ -60,8 +60,7 @@ public class ContentTypeAssignment extends AssignmentEndpoint {
public AttackResult createNewUser(
HttpServletRequest request,
@RequestBody String commentStr,
@RequestHeader("Content-Type") String contentType)
throws Exception {
@RequestHeader("Content-Type") String contentType) {
AttackResult attackResult = failed(this).build();
if (APPLICATION_JSON_VALUE.equals(contentType)) {


@ -25,7 +25,7 @@ package org.owasp.webgoat.lessons.xxe;
import static org.springframework.http.MediaType.ALL_VALUE;
import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
import javax.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletRequest;
import org.apache.commons.exec.OS;
import org.apache.commons.lang3.exception.ExceptionUtils;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;


@ -24,10 +24,10 @@ package org.owasp.webgoat.webwolf;
import static org.springframework.http.MediaType.ALL_VALUE;
import jakarta.servlet.http.HttpServletRequest;
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import javax.servlet.http.HttpServletRequest;
import lombok.AllArgsConstructor;
import lombok.Getter;
import lombok.extern.slf4j.Slf4j;


@ -22,8 +22,8 @@
package org.owasp.webgoat.webwolf;
import jakarta.annotation.PostConstruct;
import java.io.File;
import javax.annotation.PostConstruct;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;


@ -29,54 +29,49 @@ import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
/** Security configuration for WebGoat. */
/** Security configuration for WebWolf. */
@Configuration
@AllArgsConstructor
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
public class WebSecurityConfig {
private final UserService userDetailsService;
@Override
protected void configure(HttpSecurity http) throws Exception {
ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security =
http.authorizeRequests()
.antMatchers(HttpMethod.POST, "/fileupload")
.authenticated()
.antMatchers(HttpMethod.GET, "/files", "/mail", "/requests")
.authenticated()
.and()
.authorizeRequests()
.anyRequest()
.permitAll();
security.and().csrf().disable().formLogin().loginPage("/login").failureUrl("/login?error=true");
security.and().formLogin().loginPage("/login").defaultSuccessUrl("/home", true).permitAll();
security.and().logout().permitAll();
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.authorizeHttpRequests(
auth -> auth.requestMatchers(HttpMethod.POST, "/fileupload").authenticated());
http.authorizeHttpRequests(
auth ->
auth.requestMatchers(HttpMethod.GET, "/files", "/mail", "/requests").authenticated());
http.authorizeHttpRequests().anyRequest().permitAll();
http.csrf().disable().formLogin().loginPage("/login").failureUrl("/login?error=true");
http.formLogin().loginPage("/login").defaultSuccessUrl("/home", true).permitAll();
http.logout().permitAll();
return http.build();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService); // .passwordEncoder(bCryptPasswordEncoder());
auth.userDetailsService(userDetailsService);
}
@Bean
@Override
public UserDetailsService userDetailsServiceBean() throws Exception {
public UserDetailsService userDetailsServiceBean() {
return userDetailsService;
}
@Override
@Bean
protected AuthenticationManager authenticationManager() throws Exception {
return super.authenticationManager();
public AuthenticationManager authenticationManager(
AuthenticationConfiguration authenticationConfiguration) throws Exception {
return authenticationConfiguration.getAuthenticationManager();
}
@Bean
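Review bot: The authorization rules in the new `filterChain` are spread over three separate `authorizeHttpRequests` calls, two in lambda form and one in the chained no-argument form, so the matcher order has to be pieced together across statements. Declaring them in one lambda with `anyRequest().permitAll()` last keeps the same behaviour and puts the default-allow fallback where a reader will see it. Because the two authenticated rules are scoped to POST and GET, any other HTTP method on `/fileupload`, `/files`, `/mail` or `/requests` falls through to `permitAll()`. That is carried over from the old configuration, and together with `csrf().disable()` it deserves a comment saying it is intentional for this application. The class continues outside the hunk.

```java
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
  // Rules are evaluated in declaration order; everything not listed is public.
  http.authorizeHttpRequests(
      auth ->
          auth.requestMatchers(HttpMethod.POST, "/fileupload")
              .authenticated()
              .requestMatchers(HttpMethod.GET, "/files", "/mail", "/requests")
              .authenticated()
              .anyRequest()
              .permitAll());
  // … unchanged: csrf, formLogin and logout configuration …
  return http.build();
}
```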


@ -23,7 +23,7 @@
package org.owasp.webgoat.webwolf;
import org.owasp.webgoat.webwolf.requests.WebWolfTraceRepository;
import org.springframework.boot.actuate.trace.http.HttpTraceRepository;
import org.springframework.boot.actuate.web.exchanges.HttpExchangeRepository;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
@ -37,7 +37,7 @@ import org.springframework.context.annotation.PropertySource;
public class WebWolf {
@Bean
public HttpTraceRepository traceRepository() {
public HttpExchangeRepository traceRepository() {
return new WebWolfTraceRepository();
}
}


@ -23,10 +23,14 @@
package org.owasp.webgoat.webwolf.mailbox;
import com.fasterxml.jackson.annotation.JsonIgnore;
import jakarta.persistence.Column;
import jakarta.persistence.Entity;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.GenerationType;
import jakarta.persistence.Id;
import java.io.Serializable;
import java.time.LocalDateTime;
import java.time.format.DateTimeFormatter;
import javax.persistence.*;
import lombok.AllArgsConstructor;
import lombok.Builder;
import lombok.Data;


@ -24,7 +24,6 @@ package org.owasp.webgoat.webwolf.mailbox;
import java.util.List;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
@ -38,7 +37,6 @@ import org.springframework.web.servlet.ModelAndView;
@RestController
@RequiredArgsConstructor
@Slf4j
public class MailboxController {
private final MailboxRepository mailboxRepository;


@ -22,8 +22,8 @@
package org.owasp.webgoat.webwolf.requests;
import jakarta.servlet.http.HttpServletRequest;
import java.util.concurrent.Callable;
import javax.servlet.http.HttpServletRequest;
import lombok.extern.slf4j.Slf4j;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Controller;


@ -32,8 +32,7 @@ import lombok.Getter;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.StringUtils;
import org.springframework.boot.actuate.trace.http.HttpTrace;
import org.springframework.boot.actuate.trace.http.HttpTrace.Request;
import org.springframework.boot.actuate.web.exchanges.HttpExchange;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Controller;
@ -78,8 +77,8 @@ public class Requests {
return model;
}
private boolean allowedTrace(HttpTrace t, UserDetails user) {
Request req = t.getRequest();
private boolean allowedTrace(HttpExchange t, UserDetails user) {
HttpExchange.Request req = t.getRequest();
boolean allowed = true;
/* do not show certain traces to other users in a classroom setup */
if (req.getUri().getPath().contains("/files")
@ -95,11 +94,11 @@ public class Requests {
return allowed;
}
private String path(HttpTrace t) {
private String path(HttpExchange t) {
return (String) t.getRequest().getUri().getPath();
}
private String toJsonString(HttpTrace t) {
private String toJsonString(HttpExchange t) {
try {
return objectMapper.writeValueAsString(t);
} catch (JsonProcessingException e) {


@ -26,8 +26,8 @@ import com.google.common.collect.EvictingQueue;
import java.util.ArrayList;
import java.util.List;
import lombok.extern.slf4j.Slf4j;
import org.springframework.boot.actuate.trace.http.HttpTrace;
import org.springframework.boot.actuate.trace.http.HttpTraceRepository;
import org.springframework.boot.actuate.web.exchanges.HttpExchange;
import org.springframework.boot.actuate.web.exchanges.HttpExchangeRepository;
/**
* Keep track of all the incoming requests, we are only keeping track of request originating from
@ -37,9 +37,9 @@ import org.springframework.boot.actuate.trace.http.HttpTraceRepository;
* @since 8/13/17.
*/
@Slf4j
public class WebWolfTraceRepository implements HttpTraceRepository {
public class WebWolfTraceRepository implements HttpExchangeRepository {
private final EvictingQueue<HttpTrace> traces = EvictingQueue.create(10000);
private final EvictingQueue<HttpExchange> traces = EvictingQueue.create(10000);
private final List<String> exclusionList =
List.of(
"/tmpdir",
@ -54,11 +54,11 @@ public class WebWolfTraceRepository implements HttpTraceRepository {
"/mail");
@Override
public List<HttpTrace> findAll() {
public List<HttpExchange> findAll() {
return List.of();
}
public List<HttpTrace> findAllTraces() {
public List<HttpExchange> findAllTraces() {
return new ArrayList<>(traces);
}
@ -67,7 +67,7 @@ public class WebWolfTraceRepository implements HttpTraceRepository {
}
@Override
public void add(HttpTrace httpTrace) {
public void add(HttpExchange httpTrace) {
var path = httpTrace.getRequest().getUri().getPath();
if (!isInExclusionList(path)) {
traces.add(httpTrace);
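Review bot: The `traces` field is a Guava `EvictingQueue`, which is not thread-safe, while `add` is presumably invoked from concurrent request threads and `findAllTraces` copies the queue, so a copy can race with an insertion. Wrapping the queue keeps the eviction behaviour and serialises access: `private final Queue<HttpExchange> traces = Queues.synchronizedQueue(EvictingQueue.create(10000));`, with `java.util.Queue` and `com.google.common.collect.Queues` imported. The issue predates the type rename, but the declaration is touched here. The parameter of `add` is still called `httpTrace` and could be renamed to match the new type. The body of `add` continues outside the hunk, so any other use of `traces` there should be checked against the same concern.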


@ -22,11 +22,11 @@
package org.owasp.webgoat.webwolf.user;
import jakarta.persistence.Entity;
import jakarta.persistence.Id;
import jakarta.persistence.Transient;
import java.util.Collection;
import java.util.Collections;
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.Transient;
import lombok.Getter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;


@ -13,11 +13,12 @@ server.ssl.key-store-password=${WEBGOAT_KEYSTORE_PASSWORD:password}
server.ssl.key-alias=${WEBGOAT_KEY_ALIAS:goat}
server.ssl.enabled=${WEBGOAT_SSLENABLED:false}
spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/webgoat
spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect
spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver
spring.jpa.properties.hibernate.default_schema=CONTAINER
spring.banner.location=classpath:banner.txt
spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/webgoat
spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver
spring.jpa.open-in-view=false
spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect
spring.jpa.properties.hibernate.default_schema=CONTAINER
logging.level.org.thymeleaf=INFO
logging.level.org.thymeleaf.TemplateEngine.CONFIG=INFO
@ -28,6 +29,7 @@ logging.level.org.springframework=INFO
logging.level.org.springframework.boot.devtools=INFO
logging.level.org.owasp=DEBUG
logging.level.org.owasp.webgoat=DEBUG
logging.level.org.hidbernate.SQL=DEBUG
webgoat.server.directory=${user.home}/.webgoat-${webgoat.build.version}/
webgoat.user.directory=${user.home}/.webgoat-${webgoat.build.version}/
@ -51,11 +53,11 @@ spring.jackson.serialization.write-dates-as-timestamps=false
#For static file refresh ... and faster dev :D
spring.devtools.restart.additional-paths=webgoat-container/src/main/resources/static/js,webgoat-container/src/main/resources/static/css
exclude.categories=${EXCLUDE_CATEGORIES:none,none}
#exclude based on the enum of the Category
exclude.categories=${EXCLUDE_CATEGORIES:none,none}
exclude.lessons=${EXCLUDE_LESSONS:none,none}
#exclude based on the class name of a lesson e.g.: LessonTemplate
exclude.lessons=${EXCLUDE_LESSONS:none,none}
management.health.db.enabled=true
management.endpoint.health.show-details=always
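Review bot: The logger key `logging.level.org.hidbernate.SQL=DEBUG` in the second hunk misspells the package name, so it configures a logger nothing writes to and Hibernate's SQL logging stays at its default level. If statement logging is wanted, the line should read `logging.level.org.hibernate.SQL=DEBUG`; otherwise it should be dropped. If it is kept, a comment should say it is meant for development, since executed SQL would then appear in the application log.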


@ -18,6 +18,7 @@ spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/webgoat
spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect
spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver
spring.jpa.properties.hibernate.default_schema=CONTAINER
spring.jpa.open-in-view=false
spring.messages.basename=i18n/messages
spring.jmx.enabled=false
@ -26,7 +27,7 @@ logging.level.org.springframework.boot.devtools=WARN
logging.level.org.owasp=DEBUG
logging.level.org.owasp.webwolf=TRACE
management.trace.http.include=REQUEST_HEADERS,RESPONSE_HEADERS,COOKIE_HEADERS,TIME_TAKEN
management.httpexchanges.recording.include=REQUEST_HEADERS,RESPONSE_HEADERS,COOKIE_HEADERS,TIME_TAKEN
management.endpoint.httptrace.enabled=true
spring.thymeleaf.cache=false
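Review bot: The recording key was renamed to `management.httpexchanges.recording.include`, but the next line still sets `management.endpoint.httptrace.enabled=true`, which refers to the endpoint id from Spring Boot 2. In Spring Boot 3 the endpoint is named `httpexchanges`, so the old key should no longer have any effect. Either rename it to `management.endpoint.httpexchanges.enabled=true` or remove it if the actuator endpoint is not meant to be reachable. Because `COOKIE_HEADERS` is among the recorded fields, whichever is chosen should be a deliberate decision and carry a comment.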


@ -0,0 +1,4 @@
ALTER TABLE CONTAINER.ASSIGNMENT ALTER COLUMN ID SET GENERATED BY DEFAULT AS IDENTITY(START WITH 1);
ALTER TABLE CONTAINER.LESSON_TRACKER ALTER COLUMN ID SET GENERATED BY DEFAULT AS IDENTITY(START WITH 1);
ALTER TABLE CONTAINER.USER_TRACKER ALTER COLUMN ID SET GENERATED BY DEFAULT AS IDENTITY(START WITH 1);
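Review bot: The three `ALTER COLUMN ID SET GENERATED BY DEFAULT AS IDENTITY(START WITH 1)` statements restart numbering at 1 regardless of what the tables already hold. On a database that already has rows in `ASSIGNMENT`, `LESSON_TRACKER` or `USER_TRACKER`, newly generated ids may collide with existing primary keys. If the migration is only ever expected to run against a fresh per-version database, say so in a header comment, for example `-- Identity columns replace sequence-generated ids; assumes the tables are empty when this runs`. Otherwise the start value should be derived from the current maximum id.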


@ -4,14 +4,14 @@
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/bypass-intro.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/authbypass/documentation/bypass-intro.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/2fa-bypass.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/authbypass/documentation/2fa-bypass.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
@ -72,9 +72,9 @@
<!-- reuse the above lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<!--<div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/lesson-template-video.adoc"></div>-->
<!--<div class="adoc-content" th:replace="~{doc:lessons/authbypass/documentation/lesson-template-video.adoc}"></div>-->
<!-- can use multiple adoc's in a page-wrapper if you want ... or not-->
<!--<div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/lesson-template-attack.adoc"></div>-->
<!--<div class="adoc-content" th:replace="~{doc:lessons/authbypass/documentation/lesson-template-attack.adoc}"></div>-->
<!-- WebGoat will automatically style and scaffold some functionality by using the div.attack-container as below -->


@ -6,12 +6,12 @@
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:lessons/bypassrestrictions/documentation/BypassRestrictions_Intro.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/bypassrestrictions/documentation/BypassRestrictions_Intro.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<!-- stripped down without extra comments -->
<div class="adoc-content" th:replace="doc:lessons/bypassrestrictions/documentation/BypassRestrictions_FieldRestrictions.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/bypassrestrictions/documentation/BypassRestrictions_FieldRestrictions.adoc}"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/bypass-restrictions.css}"/>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@ -59,7 +59,7 @@
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/bypassrestrictions/documentation/BypassRestrictions_FrontendValidation.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/bypassrestrictions/documentation/BypassRestrictions_FrontendValidation.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>


@ -3,7 +3,7 @@
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_introduction.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_introduction.adoc}"></div>
</div>
</html>


@ -3,7 +3,7 @@
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_introduction.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_introduction.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="attack-container">


@ -4,7 +4,7 @@
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_5.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_5.adoc}"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge6.css}"/>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>


@ -4,7 +4,7 @@
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_6.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_6.adoc}"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge6.css}"/>
<script th:src="@{/lesson_js/challenge6.js}" language="JavaScript"></script>
<div class="attack-container">


@ -12,7 +12,7 @@ f94008f801fceb8833a30fe56a8b26976347edcf First version of WebGoat Cloud website
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_7.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_7.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container-fluid">


@ -3,7 +3,7 @@
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_8.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_8.adoc}"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge8.css}"/>
<script th:src="@{/lesson_js/challenge8.js}" language="JavaScript"></script>


@ -4,22 +4,22 @@
<!-- 1 -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_intro.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_intro.adoc}"></div>
</div>
<!-- 2 -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_elements.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_elements.adoc}"></div>
</div>
<!-- 3 -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_console.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_console.adoc}"></div>
</div>
<!-- 4 -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_Assignment.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_Assignment.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
@ -35,12 +35,12 @@
<!-- 5 -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_sources.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_sources.adoc}"></div>
</div>
<!-- 6 -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_Assignment_Network.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_Assignment_Network.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"


@ -3,19 +3,19 @@
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_intro.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_intro.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_confidentiality.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_confidentiality.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_integrity.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_integrity.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_availability.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_availability.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
@ -23,7 +23,7 @@
<link rel="stylesheet" type="text/css" th:href="@{/css/quiz.css}"/>
<script th:src="@{/js/quiz.js}" language="JavaScript"></script>
<link rel="import" type="application/json" th:href="@{/lesson_js/questions.json}"/>
<div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_quiz.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_quiz.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container-fluid">


@ -2,10 +2,10 @@
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_plan.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_plan.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_assignment.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_assignment.adoc}"></div>
<br/>
@ -74,7 +74,7 @@
</div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_final.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_final.adoc}"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/clientSideFilteringFree.css}"/>
<script th:src="@{/lesson_js/clientSideFilteringFree.js}" language="JavaScript"></script>
<div class="attack-container">


@ -18,11 +18,11 @@ $(document).ready(initialise);
<body>
<!-- 1. overview -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/Crypto_plan.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/Crypto_plan.adoc}"></div>
</div>
<!-- 2. encoding -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/encoding_plan.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/encoding_plan.adoc}"></div>
<!-- 2. assignment -->
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@ -41,7 +41,7 @@ $(document).ready(initialise);
</div>
<!-- 3. encoding xor -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/encoding_plan2.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/encoding_plan2.adoc}"></div>
<!-- 3. assignment xor -->
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@ -58,7 +58,7 @@ $(document).ready(initialise);
<!-- 4. hashing -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/hashing_plan.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/hashing_plan.adoc}"></div>
<!-- 4. weak hashing exercise -->
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@ -76,12 +76,12 @@ $(document).ready(initialise);
<!-- 5. encryption -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/encryption.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/encryption.adoc}"></div>
</div>
<!-- 6. signing -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/signing.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/signing.adoc}"></div>
<!-- 6. assignment -->
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@ -101,12 +101,12 @@ $(document).ready(initialise);
<!-- 7. keystores -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/keystores.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/keystores.adoc}"></div>
</div>
<!-- 8. security defaults -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/defaults.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/defaults.adoc}"></div>
<!-- 8. assignment -->
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@ -123,7 +123,7 @@ $(document).ready(initialise);
</div>
<!-- 9. postquantum -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/postquantum.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/postquantum.adoc}"></div>
</div>
</body>
</html>


@ -3,15 +3,15 @@
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_intro.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_intro.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_GET.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_GET.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Get_Flag.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_Get_Flag.adoc}"></div>
<form accept-charset="UNKNOWN" id="basic-csrf-get"
method="POST" name="form1"
@ -23,7 +23,7 @@
</form>
<div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Basic_Get-1.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_Basic_Get-1.adoc}"></div>
<div class="attack-container">
<img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
@ -54,7 +54,7 @@
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Reviews.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_Reviews.adoc}"></div>
<!-- comment area -->
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/reviews.css}"/>
@ -121,15 +121,15 @@
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Frameworks.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_Frameworks.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_JSON.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_JSON.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_ContentType.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_ContentType.adoc}"></div>
<script th:src="@{/lesson_js/feedback.js}" language="JavaScript"></script>
<div style="container-fluid; background-color: #f1f1f1; border: 2px solid #a66;
@ -227,7 +227,7 @@
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Login.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_Login.adoc}"></div>
<div class="attack-container">
<div class="assignment-success">
@ -251,7 +251,7 @@
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Impact_Defense.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_Impact_Defense.adoc}"></div>
</div>


@ -3,24 +3,24 @@
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/deserialization/documentation/InsecureDeserialization_Intro.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/deserialization/documentation/InsecureDeserialization_Intro.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/deserialization/documentation/InsecureDeserialization_WhatIs.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/deserialization/documentation/InsecureDeserialization_WhatIs.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/deserialization/documentation/InsecureDeserialization_SimpleExploit.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/deserialization/documentation/InsecureDeserialization_SimpleExploit.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/deserialization/documentation/InsecureDeserialization_GadgetChain.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/deserialization/documentation/InsecureDeserialization_GadgetChain.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<!-- stripped down without extra comments -->
<div class="adoc-content" th:replace="doc:lessons/deserialization/documentation/InsecureDeserialization_Task.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/deserialization/documentation/InsecureDeserialization_Task.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" name="task"


@ -7,12 +7,12 @@
<!-- 1 -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/hijacksession/documentation/HijackSession_plan.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/hijacksession/documentation/HijackSession_plan.adoc}"></div>
</div>
<!-- 2 -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/hijacksession/documentation/HijackSession_content0.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/hijacksession/documentation/HijackSession_content0.adoc}"></div>
<div class="attack-container">
<div class="assignment-success">
<i class="fa fa-2 fa-check hidden" aria-hidden="true"></i>


@ -7,7 +7,7 @@
<div class="lesson-page-wrapper">
<!-- reuse this block for each 'page' of content -->
<!-- include content here ... will be first page/tab multiple -->
<div class="adoc-content" th:replace="doc:HijackSession_solution.adoc"></div>
<div class="adoc-content" th:replace="~{doc:HijackSession_solution.adoc}"></div>
</div>
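Review bot: The new include in this solution template, `~{doc:HijackSession_solution.adoc}`, keeps a bare file name, while the HijackSession lesson template changed in the same commit addresses its pages as `doc:lessons/hijacksession/documentation/...`. The commit only wraps the old value in `~{...}`, so the difference is carried over rather than introduced, but the upgrade is a good moment to confirm this page still resolves. The `doc:` resolver is not part of the visible diff; if it expects the full path, and assuming the file sits beside the other HijackSession pages, the line would read `th:replace="~{doc:lessons/hijacksession/documentation/HijackSession_solution.adoc}"`.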


@ -3,12 +3,12 @@
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/htmltampering/documentation/HtmlTampering_Intro.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/htmltampering/documentation/HtmlTampering_Intro.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<!-- stripped down without extra comments -->
<div class="adoc-content" th:replace="doc:lessons/htmltampering/documentation/HtmlTampering_Task.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/htmltampering/documentation/HtmlTampering_Task.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" id="task" name="task"
@ -143,6 +143,6 @@
</div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/htmltampering/documentation/HtmlTampering_Mitigation.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/htmltampering/documentation/HtmlTampering_Mitigation.adoc}"></div>
</div>
</html>


@ -6,13 +6,13 @@
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:lessons/httpbasics/documentation/HttpBasics_plan.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/httpbasics/documentation/HttpBasics_plan.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this block for each 'page' of content -->
<!-- sample ascii doc content for second page -->
<div class="adoc-content" th:replace="doc:lessons/httpbasics/documentation/HttpBasics_content1.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/httpbasics/documentation/HttpBasics_content1.adoc}"></div>
<!-- if including attack, reuse this section, leave classes in place -->
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@ -42,7 +42,7 @@
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:lessons/httpbasics/documentation/HttpBasics_content2.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/httpbasics/documentation/HttpBasics_content2.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
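Review bot: The comments directly above the rewritten includes still send lesson authors to `src/main/resources/lessonplans/{lang}/{fileName}.adoc` in the first hunk and to `src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc` in the second, while the new `th:replace` values point at `lessons/httpbasics/documentation/...`. The two comments disagree with each other and with the path the include uses, so they should be replaced by one accurate line such as `<!-- content comes from AsciiDoc files referenced as doc:lessons/<lesson>/documentation/<file>.adoc -->`. Where the `doc:` prefix maps on disk is not shown in this diff, so the wording should be checked against the resolver. The same stale comment sits above the changed lines in the templates for the idor, insecurelogin, lessontemplate and logging lessons further down this commit.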


@ -3,23 +3,23 @@
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/httpproxies/documentation/0overview.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/httpproxies/documentation/0overview.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/httpproxies/documentation/1proxysetupsteps.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/httpproxies/documentation/1proxysetupsteps.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/httpproxies/documentation/3browsersetup.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/httpproxies/documentation/3browsersetup.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/httpproxies/documentation/5configurefilterandbreakpoints.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/httpproxies/documentation/5configurefilterandbreakpoints.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/httpproxies/documentation/6assignment.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/httpproxies/documentation/6assignment.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" name="intercept-request"
@ -36,15 +36,15 @@
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/httpproxies/documentation/7resend.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/httpproxies/documentation/7resend.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/httpproxies/documentation/8httpsproxy.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/httpproxies/documentation/8httpsproxy.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/httpproxies/documentation/9manual.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/httpproxies/documentation/9manual.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/httpproxies/documentation/10burp.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/httpproxies/documentation/10burp.adoc}"></div>
</div>
</html>


@ -4,14 +4,14 @@
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:lessons/idor/documentation/IDOR_intro.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/idor/documentation/IDOR_intro.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:lessons/idor/documentation/IDOR_login.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/idor/documentation/IDOR_login.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
@ -46,7 +46,7 @@
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:lessons/idor/documentation/IDOR_viewDiffs.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/idor/documentation/IDOR_viewDiffs.adoc}"></div>
<div class="nonattack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
@ -76,7 +76,7 @@
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
<div class="adoc-content" th:replace="doc:lessons/idor/documentation/IDOR_whatDiffs.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/idor/documentation/IDOR_whatDiffs.adoc}"></div>
<!-- modify the action to point to the intended endpoint -->
<form class="attack-form"
method="POST" name="diff-form"
@ -96,7 +96,7 @@
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:lessons/idor/documentation/IDOR_viewOwnAltPath.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/idor/documentation/IDOR_viewOwnAltPath.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
@ -108,7 +108,7 @@
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/IDOR/profile/alt-path">
<div class="adoc-content" th:replace="doc:lessons/idor/documentation/IDOR_inputAltPath.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/idor/documentation/IDOR_inputAltPath.adoc}"></div>
<input name="url" value="WebGoat/" type="text"/>
<input name="submit" value="Submit" type="SUBMIT"/>
</form>
@ -123,7 +123,7 @@
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:lessons/idor/documentation/IDOR_viewOtherProfile.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/idor/documentation/IDOR_viewOtherProfile.adoc}"></div>
<div class="nonattack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
@ -147,7 +147,7 @@
<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
</div>
<div class="adoc-content" th:replace="doc:lessons/idor/documentation/IDOR_editOtherProfile.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/idor/documentation/IDOR_editOtherProfile.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
@ -176,7 +176,7 @@
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:lessons/idor/documentation/IDOR_mitigation.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/idor/documentation/IDOR_mitigation.adoc}"></div>
</div>
</html>


@ -6,12 +6,12 @@
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:lessons/insecurelogin/documentation/InsecureLogin_Intro.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/insecurelogin/documentation/InsecureLogin_Intro.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<!-- stripped down without extra comments -->
<div class="adoc-content" th:replace="doc:lessons/insecurelogin/documentation/InsecureLogin_Task.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/insecurelogin/documentation/InsecureLogin_Task.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<script th:src="@{/lesson_js/credentials.js}"></script>


@ -3,14 +3,14 @@
<html xmlns:th="http://www.thymeleaf.org">
<body>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_plan.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_plan.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_structure.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_structure.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_decode.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_decode.adoc}"></div>
<div class="attack-container">
<img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
<form id="decode" class="attack-form" method="POST" name="form" action="/WebGoat/JWT/decode">
@ -35,10 +35,10 @@
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_login_to_token.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_login_to_token.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_signing.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_signing.adoc}"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/jwt.css}"/>
<script th:src="@{/lesson_js/jwt-voting.js}" language="JavaScript"></script>
@ -102,7 +102,7 @@
<div class="lesson-page-wrapper">
<div class="lesson-page-solution">
<div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_signing_solution.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_signing_solution.adoc}"></div>
</div>
</div>
@ -112,7 +112,7 @@
<link rel="stylesheet" type="text/css" th:href="@{/css/quiz.css}"/>
<script th:src="@{/js/quiz.js}" language="JavaScript"></script>
<link rel="import" type="application/json" th:href="@{/lesson_js/questions_jwt.json}"/>
<div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_libraries_assignment.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_libraries_assignment.adoc}"></div>
<div class="attack-container">
<div class="attack-feedback"></div>
<div class="attack-output"></div>
@ -134,18 +134,18 @@
<div class="lesson-page-wrapper">
<div class="lesson-page-solution">
<div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_libraries_assignment2.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_libraries_assignment2.adoc}"></div>
</div>
</div>
<div class="lesson-page-wrapper">
<div class="lesson-page-solution">
<div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_libraries_solution.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_libraries_solution.adoc}"></div>
</div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_weak_keys"></div>
<div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_weak_keys}"></div>
<script th:src="@{/lesson_js/jwt-weak-keys.js}" language="JavaScript"></script>
<pre id="secrettoken"></pre>
@ -173,11 +173,11 @@
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_refresh.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_refresh.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_refresh_assignment.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_refresh_assignment.adoc}"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/jwt.css}"/>
<script th:src="@{/lesson_js/bootstrap.min.js}" language="JavaScript"></script>
@ -299,7 +299,7 @@
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_final.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_final.adoc}"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/jwt.css}"/>
<script th:src="@{/lesson_js/bootstrap.min.js}" language="JavaScript"></script>
@ -359,7 +359,7 @@
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_mitigation.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_mitigation.adoc}"></div>
</div>
</body>
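Review bot: The rewritten include for the weak-keys page, `th:replace="~{doc:lessons/jwt/documentation/JWT_weak_keys}"`, still has no `.adoc` suffix, while every other include in this file names its file with the extension. The commit only wraps the old value in `~{...}`, so the inconsistency is inherited rather than introduced here. Whether the `doc:` resolver appends the suffix itself is not visible in this diff; if it does not, the line should read `th:replace="~{doc:lessons/jwt/documentation/JWT_weak_keys.adoc}"`. Rendering that lesson page once after the upgrade would settle it either way.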


@ -82,7 +82,7 @@ green when the user solves the assignment. To make this work we need to add to t
[source]
----
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lesson-template-attack.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lesson-template-attack.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"


@ -9,16 +9,16 @@ green when the user solves the assignment. To make this work we need to add:
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/lessontemplate/documentation/
lesson-template-intro.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/lessontemplate/documentation/
lesson-template-intro.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/lessontemplate/documentation/
lesson-template-content.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/lessontemplate/documentation/
lesson-template-content.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/lessontemplate/documentation/
lesson-template-lesson-class.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/lessontemplate/documentation/
lesson-template-lesson-class.adoc}"></div>
</div>
</html>
----


@ -5,7 +5,7 @@ You can include multiple adoc files in one page, by including them in the same `
[source]
----
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lesson-template-video.adoc"></div>
<div class="adoc-content" th:replace="doc:lesson-template-video-more.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lesson-template-video.adoc}"></div>
<div class="adoc-content" th:replace="~{doc:lesson-template-video-more.adoc}"></div>
</div>
----


@ -4,38 +4,38 @@
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:lessons/lessontemplate/documentation/lesson-template-intro.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/lessontemplate/documentation/lesson-template-intro.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse the above lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:lessons/lessontemplate/documentation/lesson-template-content.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/lessontemplate/documentation/lesson-template-content.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse the above lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:lessons/lessontemplate/documentation/lesson-template-video.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/lessontemplate/documentation/lesson-template-video.adoc}"></div>
<!-- can use multiple adoc's in a page-wrapper if you want ... or not-->
<div class="adoc-content" th:replace="doc:lessons/lessontemplate/documentation/lesson-template-video-more.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/lessontemplate/documentation/lesson-template-video-more.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/lessontemplate/documentation/lesson-template-lesson-class.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/lessontemplate/documentation/lesson-template-lesson-class.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/lessontemplate/documentation/lesson-template-glue.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/lessontemplate/documentation/lesson-template-glue.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse the above lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:lessons/lessontemplate/documentation/lesson-template-attack.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/lessontemplate/documentation/lesson-template-attack.adoc}"></div>
<!-- WebGoat will automatically style and scaffold some functionality by using the div.attack-container as below -->
<div class="attack-container">
@ -71,7 +71,7 @@
see other lessons for other more complex examples -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/lessontemplate/documentation/lesson-template-database.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/lessontemplate/documentation/lesson-template-database.adoc}"></div>
</div>
</html>


@ -6,12 +6,12 @@
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:lessons/logging/documentation/logging_intro.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/logging/documentation/logging_intro.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<!-- stripped down without extra comments -->
<div class="adoc-content" th:replace="doc:lessons/logging/documentation/logSpoofing_Task.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/logging/documentation/logSpoofing_Task.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" name="task"
@ -30,10 +30,10 @@
</div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/logging/documentation/sensitive_logging_intro.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/logging/documentation/sensitive_logging_intro.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/logging/documentation/logReading_Task.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/logging/documentation/logReading_Task.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" name="task"
@ -50,6 +50,6 @@
</div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/logging/documentation/more_logging.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/logging/documentation/more_logging.adoc}"></div>
</div>
</html>


@ -1,12 +1,12 @@
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/missingac/documentation/missing-function-ac-01-intro.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/missingac/documentation/missing-function-ac-01-intro.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/ac.css}"/>
<div class="adoc-content" th:replace="doc:lessons/missingac/documentation/missing-function-ac-02-client-controls.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/missingac/documentation/missing-function-ac-02-client-controls.adoc}"></div>
<div class="attack-container">
<nav class="navbar navbar-default">
@ -70,7 +70,7 @@
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/missingac/documentation/missing-function-ac-03-users.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/missingac/documentation/missing-function-ac-03-users.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@ -92,7 +92,7 @@
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/missingac/documentation/missing-function-ac-04-users-fixed.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/missingac/documentation/missing-function-ac-04-users-fixed.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>


@ -3,10 +3,10 @@
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/passwordreset/documentation/PasswordReset_plan.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/passwordreset/documentation/PasswordReset_plan.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/passwordreset/documentation/PasswordReset_simple.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/passwordreset/documentation/PasswordReset_simple.adoc}"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/password.css}"/>
<script th:src="@{/lesson_js/bootstrap.min.js}" language="JavaScript"></script>
@ -90,11 +90,11 @@
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/passwordreset/documentation/PasswordReset_wrong_message.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/passwordreset/documentation/PasswordReset_wrong_message.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/passwordreset/documentation/PasswordReset_known_questions.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/passwordreset/documentation/PasswordReset_known_questions.adoc}"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/password.css}"/>
<script th:src="@{/lesson_js/bootstrap.min.js}" language="JavaScript"></script>
@ -138,7 +138,7 @@
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/passwordreset/documentation/PasswordReset_SecurityQuestions.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/passwordreset/documentation/PasswordReset_SecurityQuestions.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
@ -168,7 +168,7 @@
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/passwordreset/documentation/PasswordReset_host_header.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/passwordreset/documentation/PasswordReset_host_header.adoc}"></div>
<div class="attack-container">
<img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@ -260,6 +260,6 @@
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/passwordreset/documentation/PasswordReset_mitigation.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/passwordreset/documentation/PasswordReset_mitigation.adoc}"></div>
</div>
</html>


@ -5,11 +5,11 @@
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/pathtraversal/documentation/PathTraversal_intro.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/pathtraversal/documentation/PathTraversal_intro.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/pathtraversal/documentation/PathTraversal_upload.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/pathtraversal/documentation/PathTraversal_upload.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="upload-container">
@ -63,7 +63,7 @@
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/pathtraversal/documentation/PathTraversal_upload_fix.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/pathtraversal/documentation/PathTraversal_upload_fix.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="upload-container">
@ -118,7 +118,7 @@
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/pathtraversal/documentation/PathTraversal_upload_remove_user_input.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/pathtraversal/documentation/PathTraversal_upload_remove_user_input.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="upload-container">
@ -174,7 +174,7 @@
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/pathtraversal/documentation/PathTraversal_retrieval.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/pathtraversal/documentation/PathTraversal_retrieval.adoc}"></div>
<div class="attack-container">
<div class="container-fluid">
@ -212,11 +212,11 @@
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/pathtraversal/documentation/PathTraversal_zip_slip.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/pathtraversal/documentation/PathTraversal_zip_slip.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/pathtraversal/documentation/PathTraversal_zip_slip_assignment.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/pathtraversal/documentation/PathTraversal_zip_slip_assignment.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="upload-container">
@ -271,7 +271,7 @@
<div class="lesson-page-wrapper">
<div class="lesson-page-solution">
<div class="adoc-content" th:replace="doc:lessons/pathtraversal/documentation/PathTraversal_zip_slip_solution.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/pathtraversal/documentation/PathTraversal_zip_slip_solution.adoc}"></div>
</div>
</div>


@ -3,19 +3,19 @@
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/securepasswords/documentation/SecurePasswords_intro.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/securepasswords/documentation/SecurePasswords_intro.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/securepasswords/documentation/SecurePasswords_1.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/securepasswords/documentation/SecurePasswords_1.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/securepasswords/documentation/SecurePasswords_2.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/securepasswords/documentation/SecurePasswords_2.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/securepasswords/documentation/SecurePasswords_assignment_introduction.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/securepasswords/documentation/SecurePasswords_assignment_introduction.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
@ -39,11 +39,11 @@
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/securepasswords/documentation/SecurePasswords_3.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/securepasswords/documentation/SecurePasswords_3.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/securepasswords/documentation/SecurePasswords_4.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/securepasswords/documentation/SecurePasswords_4.adoc}"></div>
</div>
<script>


@ -9,12 +9,12 @@
<!-- 1 -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/spoofcookie/documentation/SpoofCookie_plan.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/spoofcookie/documentation/SpoofCookie_plan.adoc}"></div>
</div>
<!-- 2 -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/spoofcookie/documentation/SpoofCookie_content0.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/spoofcookie/documentation/SpoofCookie_content0.adoc}"></div>
<div class="attack-container">
<div class="assignment-success">
<i class="fa fa-2 fa-check hidden" aria-hidden="true"></i>


@ -7,7 +7,7 @@
<div class="lesson-page-wrapper">
<!-- reuse this block for each 'page' of content -->
<!-- include content here ... will be first page/tab multiple -->
<div class="adoc-content" th:replace="doc:SpoofCookie_solution.adoc"></div>
<div class="adoc-content" th:replace="~{doc:SpoofCookie_solution.adoc}"></div>
</div>
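Review bot: The changed line's fragment reference, `~{doc:SpoofCookie_solution.adoc}`, carries no `lessons/spoofcookie/documentation/` prefix, while the other `doc:` references visible on this page all use the full path (for example `~{doc:lessons/spoofcookie/documentation/SpoofCookie_plan.adoc}`). The commit only wraps the old value, so the difference predates it, but this is the natural place to align it. If the file sits with the other SpoofCookie documents, the line would read `th:replace="~{doc:lessons/spoofcookie/documentation/SpoofCookie_solution.adoc}"`. Whether the `doc:` resolver also accepts a bare file name is not visible here, so confirm the solution page still renders after the upgrade. The enclosing template starts and ends outside the hunk.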


@ -5,12 +5,12 @@
<!--Page 1-->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_plan.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_plan.adoc}"></div>
</div>
<!--Page 2-->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content1.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content1.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
@ -34,7 +34,7 @@
<!--Page 3-->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content2.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content2.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
@ -58,7 +58,7 @@
<!--Page 4-->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content3.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content3.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
@ -82,7 +82,7 @@
<!--Page 5-->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content4.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content4.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
@ -106,7 +106,7 @@
<!--Page 6-->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content5_before.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content5_before.adoc}"></div>
<div>
<label for="username-preview">Username:</label>
<input id="preview-input" type="text" name="username" val=""/>
@ -123,22 +123,22 @@
});
</script>
</div>
<div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content5_after.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content5_after.adoc}"></div>
</div>
<!--Page 7-->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content6.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content6.adoc}"></div>
</div>
<!--Page 8-->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content7.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content7.adoc}"></div>
</div>
<!--Page 9-->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content11.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content11.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
@ -183,7 +183,7 @@
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content12.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content12.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
@ -211,7 +211,7 @@
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content8.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content8.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
@ -239,7 +239,7 @@
<!--Page 10-->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content9.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content9.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
@ -267,7 +267,7 @@
<!--Page 11-->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content10.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content10.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
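Review bot: In the "Page 6" hunk the `<label for="username-preview">` does not point at the input next to it, whose id is `preview-input`, and that input carries `val=""`, which is not an HTML attribute. Both are context lines that this commit leaves as they were, but the template is being touched anyway. The pair would read `<label for="preview-input">Username:</label>` and `<input id="preview-input" type="text" name="username" value=""/>`. An element with id `username-preview` may exist outside the hunk, and the script that follows may depend on the current markup, so check both before changing it.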


@ -5,17 +5,17 @@
<!-- 1 -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjectionAdvanced_plan.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjectionAdvanced_plan.adoc}"></div>
</div>
<!-- 2 -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content6.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_content6.adoc}"></div>
</div>
<!-- 3 -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content6a.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_content6a.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
@ -51,10 +51,10 @@
<!-- 4 -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content6c.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_content6c.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_challenge.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_challenge.adoc}"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge.css}"/>
<script th:src="@{/lesson_js/challenge.js}" language="JavaScript"></script>
<div class="attack-container">
@ -162,7 +162,7 @@
<link rel="stylesheet" type="text/css" th:href="@{/css/quiz.css}"/>
<script th:src="@{/js/quiz.js}" language="JavaScript"></script>
<link rel="import" type="application/json" th:href="@{/lesson_js/questions.json}"/>
<div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_quiz.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_quiz.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container-fluid">


@ -4,23 +4,23 @@
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/assignments.css}"/>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content7.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_content7.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content8.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_content8.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content9.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_content9.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content10.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_content10.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_jdbc_completion.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_jdbc_completion.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/SqlInjectionMitigations/attack10a">
@ -40,7 +40,7 @@
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_jdbc_newcode.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_jdbc_newcode.adoc}"></div>
<div class="attack-container" style="border: none !important; height: 100%; min-height: 300px;">
<form id="codesubmit" style="height: 100%; min-height: 300px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/SqlInjectionMitigations/attack10b">
<div>
@ -60,14 +60,14 @@
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content11.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_content11.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content12.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_content12.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content12a.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_content12a.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
@ -90,7 +90,7 @@
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content12b.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_content12b.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
@ -114,11 +114,11 @@
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content13.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_content13.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_order_by.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_order_by.adoc}"></div>
<script th:src="@{/lesson_js/assignment13.js}" language="JavaScript"></script>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@ -191,7 +191,7 @@
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content14.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_content14.adoc}"></div>
</div>
</html>
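Review bot: The two forms in the `SqlInjection_jdbc_completion` and `SqlInjection_jdbc_newcode` hunks post to a hard-coded `action="/WebGoat/SqlInjectionMitigations/attack10a"` and `.../attack10b`, while the stylesheet at the top of this template is linked through `th:href="@{/lesson_css/assignments.css}"`. A literal `/WebGoat` prefix breaks as soon as the application runs under a different context path; a link expression keeps the two in step, e.g. `th:action="@{/SqlInjectionMitigations/attack10a}"` and the same for `attack10b`. The lines are context in this commit rather than changed by it, and the lesson's JavaScript may read or rewrite `action` in ways not visible here, so verify the form submit still reaches the endpoint.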


@ -3,11 +3,11 @@
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/ssrf/documentation/SSRF_Intro.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/ssrf/documentation/SSRF_Intro.adoc}"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/ssrf/documentation/SSRF_Task1.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/ssrf/documentation/SSRF_Task1.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
@ -29,7 +29,7 @@
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/ssrf/documentation/SSRF_Task2.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/ssrf/documentation/SSRF_Task2.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
@ -51,6 +51,6 @@
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/ssrf/documentation/SSRF_Prevent.adoc"></div>
<div class="adoc-content" th:replace="~{doc:lessons/ssrf/documentation/SSRF_Prevent.adoc}"></div>
</div>
</html>
