dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

First steps for challenge 2

Browse Source
This commit is contained in:
Nanne Baars 2017-04-08 08:04:16 +02:00
parent ebf2f9d864
commit d1bf80a670
8 changed files with 258 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/Challenge2.java Normal file
View File

@ -0,0 +1,31 @@
package org.owasp.webgoat.plugin;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import java.io.IOException;
import static org.owasp.webgoat.plugin.SolutionConstants.SUPER_COUPON_CODE;
/**
* @author nbaars
* @since 4/6/17.
*/
@AssignmentPath("/challenge/2")
public class Challenge2 extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)
public
@ResponseBody
AttackResult completed(@RequestParam String couponCode) throws IOException {
if (SUPER_COUPON_CODE.equals(couponCode)) {
return success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(2)).build();
}
return failed().build();
}
}

71
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/ShopEndpoint.java Normal file
View File

@ -0,0 +1,71 @@
package org.owasp.webgoat.plugin;
import com.beust.jcommander.internal.Lists;
import lombok.AllArgsConstructor;
import lombok.Getter;
import org.apache.commons.lang3.RandomStringUtils;
import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;
import java.util.List;
import static org.owasp.webgoat.plugin.SolutionConstants.SUPER_COUPON_CODE;
/**
* @author nbaars
* @since 4/6/17.
*/
@RestController
public class ShopEndpoint {
@AllArgsConstructor
private class CouponCodes {
@Getter
private List<CouponCode> codes = Lists.newArrayList();
public boolean contains(String code) {
return codes.stream().anyMatch(c -> c.getCode().equals(code));
}
}
@AllArgsConstructor
@Getter
private class CouponCode {
private String code;
private int discount;
}
private CouponCodes couponCodes;
public ShopEndpoint() {
List<CouponCode> codes = Lists.newArrayList();
for (int i = 0; i < 9; i++) {
codes.add(new CouponCode(RandomStringUtils.random(10), i * 100));
}
this.couponCodes = new CouponCodes(codes);
}
@GetMapping(value = "/coupons/{user}", produces = MediaType.APPLICATION_JSON_VALUE)
public CouponCodes getDiscountCodes(@PathVariable String user) {
if ("Tom".equals(user)) {
return couponCodes;
}
return null;
}
@GetMapping(value = "/coupons/valid/{code}", produces = MediaType.APPLICATION_JSON_VALUE)
public boolean isValidCouponCode(@PathVariable String code) {
return couponCodes.contains(code);
}
@GetMapping(value = "/coupons", produces = MediaType.APPLICATION_JSON_VALUE)
public CouponCodes coupons() {
List<CouponCode> all = Lists.newArrayList();
all.addAll(this.couponCodes.getCodes());
all.add(new CouponCode(SUPER_COUPON_CODE, 100));
return new CouponCodes(all);
}
}

1
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/SolutionConstants.java
View File

@ -9,5 +9,6 @@ package org.owasp.webgoat.plugin;
public interface SolutionConstants { public interface SolutionConstants {
String PASSWORD = "!!webgoat_admin_1234!!"; String PASSWORD = "!!webgoat_admin_1234!!";
String SUPER_COUPON_CODE = "get_if_for_free";
} }

33
webgoat-lessons/challenge/src/main/resources/css/challenge2.css Normal file
View File

@ -0,0 +1,33 @@
ul > li{margin-right:25px;font-weight:lighter;cursor:pointer}
li.active{border-bottom:3px solid silver;}
.item-photo{display:flex;justify-content:center;align-items:center;border-right:1px solid #f6f6f6;}
.menu-items{list-style-type:none;font-size:11px;display:inline-flex;margin-bottom:0px;margin-top:20px}
.btn-success{width:100%;border-radius:0px;}
.section{width:100%;margin-left:-15px;padding:2px;padding-left:15px;padding-right:15px;background:#f8f9f9}
.title-price{margin-top:30px;margin-bottom:0px;color:black}
.title-attr{margin-top:0px;margin-bottom:0px;color:black;}
.btn-minus{cursor:pointer;font-size:7px;display:flex;align-items:center;padding:5px;padding-left:10px;padding-right:10px;border:1px solid gray;border-radius:2px;border-right:0px;}
.btn-plus{cursor:pointer;font-size:7px;display:flex;align-items:center;padding:5px;padding-left:10px;padding-right:10px;border:1px solid gray;border-radius:2px;border-left:0px;}
div.section > div {width:100%;display:inline-flex;}
div.section > div > input {margin:0px;padding-left:5px;font-size:10px;padding-right:5px;max-width:18%;text-align:center;}
.attr,.attr2{cursor:pointer;margin-right:5px;height:20px;font-size:10px;padding:2px;border:1px solid gray;border-radius:2px;}
.attr.active,.attr2.active{ border:1px solid orange;}
@media (max-width: 426px) {
.container {margin-top:0px !important;}
.container > .row{padding:0px !important;}
.container > .row > .col-xs-12.col-sm-5{
padding-right:0px ;
}
.container > .row > .col-xs-12.col-sm-9 > div > p{
padding-left:0px !important;
padding-right:0px !important;
}
.container > .row > .col-xs-12.col-sm-9 > div > ul{
padding-left:10px !important;
}
.section{width:104%;}
.menu-items{padding-left:0px;}
}

93
webgoat-lessons/challenge/src/main/resources/html/Challenge.html
View File

@ -36,11 +36,13 @@
</div> </div>
</div> </div>
<form class="form-inline" method="POST" name="form" action="/WebGoat/challenge/flag"> <form class="form-inline" method="POST" name="form" action="/WebGoat/challenge/flag">
<div class="form-group"> <div class="form-group">
<div class="input-group"> <div class="input-group">
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true" style="font-size:20px"></i></div> <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
<input type="text" class="form-control" id="flagInput" placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/> style="font-size:20px"></i></div>
<input type="text" class="form-control" id="flagInput1"
placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/>
</div> </div>
</div> </div>
<button type="submit" class="btn btn-primary">Submit flag</button> <button type="submit" class="btn btn-primary">Submit flag</button>
@ -49,7 +51,90 @@
<br/> <br/>
<div class="attack-feedback"></div> <div class="attack-feedback"></div>
<div class="attack-output"></div> <div class="attack-output"></div>
</div> </div>
</div> </div>
<div class="lesson-page-wrapper">
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge2.css}"/>
<script th:src="@{/lesson_js/challenge2.js}" language="JavaScript"></script>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container">
<div class="row">
<div class="col-xs-3 item-photo">
<img style="max-width:100%;" th:src="@{/images/samsung-black.jpg}"/>
</div>
<div class="col-xs-5" style="border:0px solid gray">
<h3>Samsung Galaxy S8 Plus 64GB Android Phone</h3>
<h5 style="color:#337ab7">Manufacturer <a href="http://www.samsung.com">Samsung</a> ·
<small style="color:#337ab7">(5054 reviews)</small>
</h5>
<h6 class="title-price">
<small>PRICE</small>
</h6>
<h3 style="margin-top:0px;">US $899</h3>
<div class="section">
<h6 class="title-attr" style="margin-top:15px;">
<small>COLOR</small>
</h6>
<div>
<div class="attr" style="width:25px;background:#5a5a5a;"></div>
<div class="attr" style="width:25px;background:white;"></div>
</div>
</div>
<div class="section" style="padding-bottom:5px;">
<h6 class="title-attr">
<small>CAPACITY</small>
</h6>
<div>
<div class="attr2">16 GB</div>
<div class="attr2">32 GB</div>
</div>
</div>
<div class="section" style="padding-bottom:20px;">
<h6 class="title-attr">
<small>QUANTITY</small>
</h6>
<div>
<div class="btn-minus"><span class="glyphicon glyphicon-minus"></span></div>
<input value="1"/>
<div class="btn-plus"><span class="glyphicon glyphicon-plus"></span></div>
</div>
</div>
<div class="section" style="padding-bottom:20px;">
<button class="btn btn-success"><span style="margin-right:20px"
class="glyphicon glyphicon-shopping-cart"
aria-hidden="true"></span>Buy
</button>
<h6><a href="#"><span class="glyphicon glyphicon-heart-empty" style="cursor:pointer;"></span>
Like</a></h6>
</div>
</div>
</div>
</div>
<br/>
<div>
<form class="form-inline" method="POST" name="form" action="/WebGoat/challenge/flag">
<div class="form-group">
<div class="input-group">
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
style="font-size:20px"></i></div>
<input type="text" class="form-control" id="flagInpu2"
placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/>
</div>
</div>
<button type="submit" class="btn btn-primary">Submit flag</button>
</form>
</div>
<br/>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</html> </html>

BIN
webgoat-lessons/challenge/src/main/resources/images/samsung-black.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 12 KiB

BIN
webgoat-lessons/challenge/src/main/resources/images/samsung-grey.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 11 KiB

33
webgoat-lessons/challenge/src/main/resources/js/challenge2.js Normal file
View File

@ -0,0 +1,33 @@
$(document).ready(function(){
//-- Click on detail
$("ul.menu-items > li").on("click",function(){
$("ul.menu-items > li").removeClass("active");
$(this).addClass("active");
})
$(".attr,.attr2").on("click",function(){
var clase = $(this).attr("class");
$("." + clase).removeClass("active");
$(this).addClass("active");
})
//-- Click on QUANTITY
$(".btn-minus").on("click",function(){
var now = $(".section > div > input").val();
if ($.isNumeric(now)){
if (parseInt(now) -1 > 0){ now--;}
$(".section > div > input").val(now);
}else{
$(".section > div > input").val("1");
}
})
$(".btn-plus").on("click",function(){
var now = $(".section > div > input").val();
if ($.isNumeric(now)){
$(".section > div > input").val(parseInt(now)+1);
}else{
$(".section > div > input").val("1");
}
})
})