#353 - lesson template/guide

webgoat-lessons/webgoat-lesson-template/src/main/java/org/owasp/webgoat/plugin/LessonTemplate.java

@@ -0,0 +1,65 @@
+package org.owasp.webgoat.plugin;
+
+import com.beust.jcommander.internal.Lists;
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.NewLesson;
+
+import java.util.List;
+
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ * <p>
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * <p>
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ * <p>
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ * <p>
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ * <p>
+ * Getting Source ==============
+ * <p>
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ * <p>
+ *
+ * @author misfir3
+ * @version $Id: $Id
+ * @since January 3, 2017
+ */
+public class LessonTemplate extends NewLesson {
+
+    @Override
+    public Category getDefaultCategory() {
+        return Category.GENERAL;
+    }
+
+    @Override
+    public List<String> getHints() {
+        return Lists.newArrayList();
+    }
+
+    @Override
+    public Integer getDefaultRanking() {
+        return 30;
+    }
+
+    @Override
+    public String getTitle() {
+        return "lesson-template.title";
+    }
+
+    @Override
+    public String getId() {
+        return "LessonTemplate";
+    }
+
+}

webgoat-lessons/webgoat-lesson-template/src/main/java/org/owasp/webgoat/plugin/SampleAttack.java

@@ -0,0 +1,62 @@
+package org.owasp.webgoat.plugin;
+
+import com.google.common.collect.Lists;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.session.UserSessionData;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.List;
+
+import java.util.Map;
+
+/**
+ * Created by jason on 1/5/17.
+ */
+
+@AssignmentPath("/lesson-template/sample-attack")
+public class SampleAttack extends AssignmentEndpoint {
+
+    String secretValue = "secr37Value";
+
+    //UserSessionData is bound to session and can be used to persist data across multiple assignments
+    @Autowired
+    UserSessionData userSessionData;
+
+
+    @GetMapping(produces = {"application/json"})
+    public @ResponseBody
+    AttackResult completed(String param1, String param2, HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+
+
+        if (userSessionData.getValue("some-value") != null) {
+            // do any session updating you want here ... or not, just comment/example here
+            //return trackProgress(failed().feedback("lesson-template.sample-attack.failure-2").build());
+        }
+
+        //overly simple example for success. See other existing lesssons for ways to detect 'success' or 'failure'
+        if (secretValue.equals(param1)) {
+            return trackProgress(success()
+                    .output("Custom Output ...if you want, for success")
+                    .feedback("lesson-template.sample-attack.success")
+                    .build());
+            //lesson-template.sample-attack.success is defined in src/main/resources/i18n/WebGoatLabels.properties
+        }
+
+        // else
+        return trackProgress(failed()
+                .feedback("lesson-template.sample-attack.failure-2")
+                .output("Custom output for this failure scenario, usually html that will get rendered directly ... yes, you can self-xss if you want")
+                .build());
+    }
+
+}

webgoat-lessons/webgoat-lesson-template/src/main/resources/html/LessonTemplate.html

@@ -0,0 +1,54 @@
+<html xmlns:th="http://www.thymeleaf.org">
+
+    <div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+        <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
+        which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+        <div class="adoc-content" th:replace="doc:lesson-template-intro.adoc"></div>
+    </div>
+
+    <div class="lesson-page-wrapper">
+        <!-- reuse the above lesson-page-wrapper block for each 'page' of content in your lesson -->
+        <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
+        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+        <div class="adoc-content" th:replace="doc:lesson-template-video.adoc"></div>
+        <!-- can use multiple adoc's in a page-wrapper if you want ... or not-->
+        <div class="adoc-content" th:replace="doc:lesson-template-attack.adoc"></div>
+
+        <!-- WebGoat will automatically style and scaffold some functionality by using the div.attack-container as below -->
+        <div class="attack-container">
+            <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+            <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
+            <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
+            <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
+
+            <!-- modify the action to point to the intended endpoint and set other attributes as desired -->
+            <script th:src="@{/lesson_js/idor.js}" />
+            <form class="attack-form" accept-charset="UNKNOWN"
+                  method="GET" name="form"
+                  action="/WebGoat/lesson-template/sample-attack"  
+                  enctype="application/json;charset=UTF-8">
+                <table>
+                    <tr>
+                        <td>two random params</td>
+                        <td>parameter 1:<input name="param1" value="" type="TEXT" /></td>
+                        <td>parameter 2:<input name="param2" value="" type="TEXT" /></td>
+                        <td>
+                            <input
+                                name="submit" value="Submit" type="SUBMIT"/>
+                        </td>
+                    </tr>
+                </table>
+            </form>
+            <!-- do not remove the two following div's, this is where your feedback/output will land -->
+            <!-- the attack response will include a 'feedback' and that will automatically go here -->
+            <div class="attack-feedback"></div>
+            <!-- output is intended to be a simulation of what the screen would display in an attack -->
+            <div class="attack-output"></div>
+        </div>
+    </div>
+
+    <!-- repeat and mix-and-match the lesson-page-wrappers with or wihtout the attack-containers as you like ...
+        see other lessons for other more complex examples -->
+
+</html>

webgoat-lessons/webgoat-lesson-template/src/main/resources/i18n/WebGoatLabels.properties

@@ -0,0 +1,7 @@
+lesson-template.title=Lesson Template
+
+lesson-template.sample-attack.failure-1=Sample failure message
+lesson-template.sample-attack.failure-2=Sample failure message 2
+
+lesson-template.sample-attack.success=Sample success message
+

webgoat-lessons/webgoat-lesson-template/src/main/resources/js/idor.js

@@ -0,0 +1,18 @@
+// need custom js for this?
+
+webgoat.customjs.idorViewProfile = function(data) {
+    webgoat.customjs.jquery('#idor-profile').html(
+        'name:' + data.name + '<br/>'+
+        'color:' + data.color + '<br/>'+
+        'size:' + data.size + '<br/>'
+    );
+}
+
+var onViewProfile = function () {
+    console.warn("on view profile activated")
+    webgoat.customjs.jquery.ajax({
+        method: "GET",
+        url: "/WebGoat/IDOR/profile",
+        contentType: 'application/json; charset=UTF-8'
+     }).then(webgoat.customjs.idorViewProfile);
+}

webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-attack.adoc

@@ -0,0 +1,3 @@
+=== Attack Explanation
+
+Explanation of attack here ... Instructions etc.

webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-intro.adoc

@@ -0,0 +1,19 @@
+
+== Lesson Template Intro
+
+This is the lesson template intro.
+
+=== Sub-heading
+
+Check asciidoc for syntax, but more = means smaller headings.  You can *bold* text and other things.
+
+=== Structuring files
+
+You should set up all content so that it is these *.adoc files.
+
+=== Images
+
+Images can be refereneced as below including setting style (recommended to use lesson-image as the style). The root is {lesson}/src/main/resources
+
+image::images/firefox-proxy-config.png[Firefox Proxy Config,510,634,style="lesson-image"]
+

webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-video.adoc

@@ -0,0 +1,7 @@
+=== More Content, Video too ...
+
+You can structure and format the content however you like. You can even include video if you like (but may be subject to browser support). You may want to make it more pertinent to web application security than this though.
+
+video::video/sample-video.m4v[width=480,start=5]
+
+see http://asciidoctor.org/docs/asciidoc-syntax-quick-reference/#videos for more detail on video syntax