Password reset link test condition more strict and move all WebWolf links to /WebWolf (#1645)
* better check on host and port for password reset and make context roots more flexible * spotless applied * removed hardcoded /WebGoat from js * removed hardcoded /WebGoat from js * fix spotless * fix scoreboard * upgrade WebWolf bootstrap version and icons and templates - part 1 * fixed more bootstrap 5 style issues and context path issues * organized WebSecurityConfig based on latest conventions and added basic support for oauth (more work needed) * spotless applied * added mock bean * requires updates to properties - commented for now * requires updates to properties - commented for now * oauth secrets through env values * user creation after oauth login * integration test against non default context paths * adjusted StartupMessage * add global model element username * conditionally show login oauth links * fixed WebWolf login --------- Co-authored-by: René Zubcevic <rene@Mac-mini-van-Rene.local>
This commit is contained in:
René Zubcevic
GitHub
@ -23,7 +23,7 @@
|
||||
<form class="attack-form" accept-charset="UNKNOWN" id="verify-account-form"
|
||||
method="POST" name="form"
|
||||
successCallback="onBypassResponse"
|
||||
action="/WebGoat/auth-bypass/verify-account">
|
||||
action="auth-bypass/verify-account">
|
||||
<p>Verify Your Account by answering the questions below:</p>
|
||||
|
||||
<p>What is the name of your favorite teacher?</p>
|
||||
@ -43,7 +43,7 @@
|
||||
<form class="attack-form" accept-charset="UNKNOWN" id="change-password-form"
|
||||
method="POST" name="form"
|
||||
successCallback="onBypassResponse"
|
||||
action="/WebGoat/auth-bypass/verify-account"
|
||||
action="auth-bypass/verify-account"
|
||||
style="display:none"><!-- start off hidden -->
|
||||
<p>Please provide a new password for your account</p>
|
||||
|
||||
|
||||
@ -9,7 +9,7 @@ var onViewProfile = function () {
|
||||
console.warn("on view profile activated")
|
||||
webgoat.customjs.jquery.ajax({
|
||||
method: "GET",
|
||||
url: "/WebGoat/IDOR/profile",
|
||||
url: "IDOR/profile",
|
||||
contentType: 'application/json; charset=UTF-8'
|
||||
}).then(webgoat.customjs.idorViewProfile);
|
||||
}
|
||||
|
||||
@ -18,7 +18,7 @@
|
||||
<div class="container-fluid">
|
||||
<form class="attack-form" accept-charset="UNKNOWN" name="fieldRestrictions"
|
||||
method="POST"
|
||||
action="/WebGoat/BypassRestrictions/FieldRestrictions">
|
||||
action="BypassRestrictions/FieldRestrictions">
|
||||
|
||||
<div class="bypass-input-container"><b>Select field with two possible value</b>
|
||||
<div class="input-group">
|
||||
@ -66,7 +66,7 @@
|
||||
<form class="attack-form" accept-charset="UNKNOWN" name="frontendValidation"
|
||||
id="frontendValidation"
|
||||
method="POST"
|
||||
action="/WebGoat/BypassRestrictions/frontendValidation"
|
||||
action="BypassRestrictions/frontendValidation"
|
||||
onsubmit="return validate()">
|
||||
<div>
|
||||
<strong>Field 1:</strong> exactly three lowercase characters(^[a-z]{3}$)
|
||||
|
||||
@ -4,7 +4,7 @@
|
||||
|
||||
The challenges contain more a CTF like lessons where we do not provide any explanations what you need to do, no hints
|
||||
will be provided. You can use these challenges in a CTF style where you can run WebGoat on one server and all
|
||||
participants can join and hack the challenges. A scoreboard is available at link:/WebGoat/scoreboard["/WebGoat/scoreboard",window=_blank]
|
||||
participants can join and hack the challenges. A scoreboard is available at link:scoreboard["scoreboard",window=_blank]
|
||||
|
||||
:hardbreaks:
|
||||
In this CTF you will need to solve a couple of challenges, each challenge will give you a flag which you will
|
||||
|
||||
@ -17,7 +17,7 @@
|
||||
<div class="panel-body">
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/challenge/1"
|
||||
action="challenge/1"
|
||||
style="width: 200px;">
|
||||
|
||||
<div class="form-group">
|
||||
@ -37,7 +37,7 @@
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
|
||||
<form class="attack-form" method="POST" name="form" action="challenge/flag">
|
||||
<div class="form-group">
|
||||
<div class="input-group">
|
||||
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
|
||||
|
||||
@ -25,7 +25,7 @@
|
||||
<div class="col-lg-12">
|
||||
<form id="login-form" class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/challenge/5" role="form">
|
||||
action="challenge/5" role="form">
|
||||
<div class="form-group">
|
||||
<input type="text" name="username_login" id="username4" tabindex="1"
|
||||
class="form-control" placeholder="Username" value=""/>
|
||||
@ -66,7 +66,7 @@
|
||||
</div>
|
||||
</div>
|
||||
<br/>
|
||||
<form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
|
||||
<form class="attack-form" method="POST" name="form" action="challenge/flag">
|
||||
<div class="form-group">
|
||||
<div class="input-group">
|
||||
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
|
||||
|
||||
@ -29,7 +29,7 @@
|
||||
<div class="col-lg-12">
|
||||
<form id="login-form" class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/challenge/6" role="form">
|
||||
action="challenge/6" role="form">
|
||||
<div class="form-group">
|
||||
<input type="text" name="username_login" id="username4" tabindex="1"
|
||||
class="form-control" placeholder="Username" value=""/>
|
||||
@ -64,7 +64,7 @@
|
||||
</form>
|
||||
<form id="register-form" class="attack-form" accept-charset="UNKNOWN"
|
||||
method="PUT" name="form"
|
||||
action="/WebGoat/challenge/6" style="display: none;" role="form">
|
||||
action="challenge/6" style="display: none;" role="form">
|
||||
<div class="form-group">
|
||||
<input type="text" name="username_reg" id="username" tabindex="1"
|
||||
class="form-control" placeholder="Username" value=""/>
|
||||
@ -99,7 +99,7 @@
|
||||
</div>
|
||||
</div>
|
||||
<br/>
|
||||
<form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
|
||||
<form class="attack-form" method="POST" name="form" action="challenge/flag">
|
||||
<div class="form-group">
|
||||
<div class="input-group">
|
||||
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
|
||||
|
||||
@ -28,7 +28,7 @@ f94008f801fceb8833a30fe56a8b26976347edcf First version of WebGoat Cloud website
|
||||
|
||||
<form id="login-form" class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/challenge/7" role="form">
|
||||
action="challenge/7" role="form">
|
||||
|
||||
<div class="form-group">
|
||||
<div class="input-group">
|
||||
@ -43,7 +43,7 @@ f94008f801fceb8833a30fe56a8b26976347edcf First version of WebGoat Cloud website
|
||||
value="Reset Password" type="submit"/>
|
||||
</div>
|
||||
<div class="form-group">
|
||||
<p>(c) 2017 WebGoat Cloud Platform</p>
|
||||
<p>(c) 2023 WebGoat Cloud Platform</p>
|
||||
</div>
|
||||
|
||||
<input type="hidden" class="hide" name="token" id="token" value=""/>
|
||||
@ -57,7 +57,7 @@ f94008f801fceb8833a30fe56a8b26976347edcf First version of WebGoat Cloud website
|
||||
</div>
|
||||
</div>
|
||||
<br/>
|
||||
<form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
|
||||
<form class="attack-form" method="POST" name="form" action="challenge/flag">
|
||||
<div class="form-group">
|
||||
<div class="input-group">
|
||||
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
|
||||
|
||||
@ -231,7 +231,7 @@
|
||||
</div>
|
||||
|
||||
<br/>
|
||||
<form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
|
||||
<form class="attack-form" method="POST" name="form" action="challenge/flag">
|
||||
<div class="form-group">
|
||||
<div class="input-group">
|
||||
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
|
||||
|
||||
@ -24,7 +24,7 @@
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="DOMFollowUp"
|
||||
action="/WebGoat/ChromeDevTools/dummy">
|
||||
action="ChromeDevTools/dummy">
|
||||
<input name="successMessage" value="" type="TEXT" />
|
||||
<input name="submitMessage" value="Submit" type="SUBMIT"/>
|
||||
</form>
|
||||
@ -45,7 +45,7 @@
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/ChromeDevTools/network">
|
||||
action="ChromeDevTools/network">
|
||||
<script>
|
||||
// sample custom javascript in the recommended way ...
|
||||
// a namespace has been assigned for it, but you can roll your own if you prefer
|
||||
@ -66,7 +66,7 @@
|
||||
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/ChromeDevTools/network">
|
||||
action="ChromeDevTools/network">
|
||||
<table>
|
||||
<tr>
|
||||
<td>What is the number you found: </td>
|
||||
|
||||
@ -14,7 +14,7 @@
|
||||
<input type="hidden" id="user_id" value="102"/>
|
||||
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
|
||||
<form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form"
|
||||
action="/WebGoat/clientSideFiltering/attack1">
|
||||
action="clientSideFiltering/attack1">
|
||||
<link rel="stylesheet" type="text/css"
|
||||
th:href="@{/lesson_css/clientSideFiltering-stage1.css}"/>
|
||||
<script th:src="@{/lesson_js/clientSideFiltering.js}"
|
||||
@ -83,7 +83,7 @@
|
||||
<div class="container-fluid">
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/clientSideFiltering/getItForFree">
|
||||
action="clientSideFiltering/getItForFree">
|
||||
|
||||
<input id="discount" type="hidden" value="0"/>
|
||||
<div class="row">
|
||||
|
||||
@ -7,10 +7,10 @@
|
||||
* JavaScript to load initial assignment tokens
|
||||
*/
|
||||
function initialise() {
|
||||
$("#sha256token").load('/WebGoat/crypto/hashing/sha256');
|
||||
$("#md5token").load('/WebGoat/crypto/hashing/md5');
|
||||
$("#basicauthtoken").load('/WebGoat/crypto/encoding/basic');
|
||||
$("#privatekey").load('/WebGoat/crypto/signing/getprivate');
|
||||
$("#sha256token").load('crypto/hashing/sha256');
|
||||
$("#md5token").load('crypto/hashing/md5');
|
||||
$("#basicauthtoken").load('crypto/encoding/basic');
|
||||
$("#privatekey").load('crypto/signing/getprivate');
|
||||
}
|
||||
$(document).ready(initialise);
|
||||
</script>
|
||||
@ -28,7 +28,7 @@ $(document).ready(initialise);
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
Now suppose you have intercepted the following header:<br/>
|
||||
<div id="basicauthtoken" ></div><br/>
|
||||
<form class="attack-form" method="POST" name="form" action="/WebGoat/crypto/encoding/basic-auth">
|
||||
<form class="attack-form" method="POST" name="form" action="crypto/encoding/basic-auth">
|
||||
Then what was the username
|
||||
<input name="answer_user" value="" type="TEXT"/>
|
||||
and what was the password:
|
||||
@ -45,7 +45,7 @@ $(document).ready(initialise);
|
||||
<!-- 3. assignment xor -->
|
||||
<div class="attack-container">
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" method="POST" name="form" action="/WebGoat/crypto/encoding/xor">
|
||||
<form class="attack-form" method="POST" name="form" action="crypto/encoding/xor">
|
||||
Suppose you found the database password encoded as {xor}Oz4rPj0+LDovPiwsKDAtOw==<br/>
|
||||
What would be the actual password
|
||||
<input name="answer_pwd1" value="" type="TEXT"/><br/>
|
||||
@ -62,7 +62,7 @@ $(document).ready(initialise);
|
||||
<!-- 4. weak hashing exercise -->
|
||||
<div class="attack-container">
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" method="POST" name="form" action="/WebGoat/crypto/hashing">
|
||||
<form class="attack-form" method="POST" name="form" action="crypto/hashing">
|
||||
Which password belongs to this hash: <div id="md5token" ></div>
|
||||
<input name="answer_pwd1" value="" type="TEXT"/><br/>
|
||||
Which password belongs to this hash: <div id="sha256token" ></div>
|
||||
@ -87,7 +87,7 @@ $(document).ready(initialise);
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
Now suppose you have the following private key:<br/>
|
||||
<pre><div id="privatekey" ></div></pre><br/>
|
||||
<form class="attack-form" method="POST" name="form" action="/WebGoat/crypto/signing/verify">
|
||||
<form class="attack-form" method="POST" name="form" action="crypto/signing/verify">
|
||||
Then what was the modulus of the public key
|
||||
<input name="modulus" value="" type="TEXT"/>
|
||||
and now provide a signature for us based on that modulus
|
||||
@ -110,7 +110,7 @@ $(document).ready(initialise);
|
||||
<!-- 8. assignment -->
|
||||
<div class="attack-container">
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" method="POST" name="form" action="/WebGoat/crypto/secure/defaults">
|
||||
<form class="attack-form" method="POST" name="form" action="crypto/secure/defaults">
|
||||
What is the unencrypted message<br/>
|
||||
<input name="secretText" value="" type="TEXT"/><br/>
|
||||
and what is the name of the file that stored the password <br/>
|
||||
|
||||
@ -17,7 +17,7 @@
|
||||
method="POST" name="form1"
|
||||
target="_blank"
|
||||
successCallback=""
|
||||
action="/WebGoat/csrf/basic-get-flag">
|
||||
action="csrf/basic-get-flag">
|
||||
<input name="csrf" type="hidden" value="false"/>
|
||||
<input type="submit" name="submit"/>
|
||||
|
||||
@ -35,7 +35,7 @@
|
||||
<form class="attack-form" accept-charset="UNKNOWN" id="confirm-flag-1"
|
||||
method="POST" name="form2"
|
||||
successCallback=""
|
||||
action="/WebGoat/csrf/confirm-flag-1">
|
||||
action="csrf/confirm-flag-1">
|
||||
|
||||
Confirm Flag Value:
|
||||
<input type="text" length="6" name="confirmFlagVal" value=""/>
|
||||
@ -93,7 +93,7 @@
|
||||
<form class="attack-form" accept-charset="UNKNOWN" id="csrf-review"
|
||||
method="POST" name="review-form"
|
||||
successCallback=""
|
||||
action="/WebGoat/csrf/review">
|
||||
action="csrf/review">
|
||||
<input class="form-control" id="reviewText" name="reviewText" placeholder="Add a Review"
|
||||
type="text"/>
|
||||
<input class="form-control" id="reviewStars" name="stars" type="text"/>
|
||||
@ -146,7 +146,7 @@
|
||||
<form class="attack-form" accept-charset="UNKNOWN" id="csrf-feedback"
|
||||
method="POST"
|
||||
prepareData="feedback"
|
||||
action="/WebGoat/csrf/feedback/message"
|
||||
action="csrf/feedback/message"
|
||||
contentType="application/json">
|
||||
<div class="row">
|
||||
<div class="col-md-6">
|
||||
@ -212,7 +212,7 @@
|
||||
</div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN" id="confirm-flag-feedback"
|
||||
method="POST" name="form2"
|
||||
action="/WebGoat/csrf/feedback">
|
||||
action="csrf/feedback">
|
||||
|
||||
Confirm Flag Value:
|
||||
<input type="text" length="6" name="confirmFlagVal" value=""/>
|
||||
@ -236,7 +236,7 @@
|
||||
</div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN" id="confirm-flag-login"
|
||||
method="POST" name="form2"
|
||||
action="/WebGoat/csrf/login">
|
||||
action="csrf/login">
|
||||
|
||||
Press the button below when your are logged in as the other user<br/>
|
||||
|
||||
|
||||
@ -25,7 +25,7 @@
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN" name="task"
|
||||
method="POST"
|
||||
action="/WebGoat/InsecureDeserialization/task">
|
||||
action="InsecureDeserialization/task">
|
||||
|
||||
<input type="textarea" rows="4" cols="40" value="" name="token" placeholder="token"/>
|
||||
<input type="submit" value="Submit" />
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
<div class="row">
|
||||
<div class="col-md-4">
|
||||
<form class="attack-form" accept-charset="UNKNOWN" method="POST"
|
||||
action="/WebGoat/HijackSession/login">
|
||||
action="HijackSession/login">
|
||||
<div style="padding: 20px;" id="password-login">
|
||||
<h4 style="border-bottom: 1px solid #c5c5c5;">Account Access</h4>
|
||||
<fieldset>
|
||||
|
||||
@ -13,7 +13,7 @@
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN" id="task" name="task"
|
||||
method="POST"
|
||||
action="/WebGoat/HtmlTampering/task">
|
||||
action="HtmlTampering/task">
|
||||
<script>
|
||||
var regex = /^2999.99$/;
|
||||
var price = 2999.99;
|
||||
|
||||
@ -21,7 +21,7 @@
|
||||
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/HttpBasics/attack1">
|
||||
action="HttpBasics/attack1">
|
||||
<div id="lessonContent">
|
||||
<form accept-charset="UNKNOWN" method="POST" name="form"
|
||||
action="#attack/307/100">
|
||||
@ -51,7 +51,7 @@
|
||||
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/HttpBasics/attack2">
|
||||
action="HttpBasics/attack2">
|
||||
<script>
|
||||
// sample custom javascript in the recommended way ...
|
||||
// a namespace has been assigned for it, but you can roll your own if you prefer
|
||||
|
||||
@ -24,7 +24,7 @@
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN" name="intercept-request"
|
||||
method="POST"
|
||||
action="/WebGoat/HttpProxies/intercept-request">
|
||||
action="HttpProxies/intercept-request">
|
||||
|
||||
<input type="text" value="doesn't matter really" name="changeMe" />
|
||||
<input type="submit" value="Submit" />
|
||||
|
||||
@ -22,7 +22,7 @@
|
||||
<!-- modify the action to point to the intended endpoint -->
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/IDOR/login">
|
||||
action="IDOR/login">
|
||||
<table>
|
||||
<tr>
|
||||
<td>user/pass</td>
|
||||
@ -57,7 +57,7 @@
|
||||
<!-- modify the action to point to the intended endpoint -->
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="GET" name="form"
|
||||
action="/WebGoat/IDOR/profile">
|
||||
action="IDOR/profile">
|
||||
<script th:src="@{/lesson_js/idor.js}" />
|
||||
|
||||
<input name="View Profile" value="View Profile" type="button" onclick="onViewProfile();" />
|
||||
@ -107,7 +107,7 @@
|
||||
<!-- modify the action to point to the intended endpoint -->
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/IDOR/profile/alt-path">
|
||||
action="IDOR/profile/alt-path">
|
||||
<div class="adoc-content" th:replace="~{doc:lessons/idor/documentation/IDOR_inputAltPath.adoc}"></div>
|
||||
<input name="url" value="WebGoat/" type="text"/>
|
||||
<input name="submit" value="Submit" type="SUBMIT"/>
|
||||
@ -134,7 +134,7 @@
|
||||
<!-- modify the action to point to the intended endpoint -->
|
||||
<form class="attack-form" accept-charset="UNKNOWN" id="view-other"
|
||||
method="GET" name="view-other-profile"
|
||||
action="/WebGoat/IDOR/profile/{userId}">
|
||||
action="IDOR/profile/{userId}">
|
||||
<script th:src="@{/lesson_js/idor.js}" />
|
||||
|
||||
<input name="View Profile" value="View Profile" type="submit" />
|
||||
@ -158,7 +158,7 @@
|
||||
<!-- modify the action to point to the intended endpoint -->
|
||||
<form class="attack-form" accept-charset="UNKNOWN" id="edit-other"
|
||||
method="GET" name="edit-other-profile"
|
||||
action="/WebGoat/IDOR/profile/{userId}">
|
||||
action="IDOR/profile/{userId}">
|
||||
<script th:src="@{/lesson_js/idor.js}" />
|
||||
|
||||
<input name="View Profile" value="View Profile" type="submit" />
|
||||
|
||||
@ -12,7 +12,7 @@ var onViewProfile = function () {
|
||||
console.warn("on view profile activated")
|
||||
webgoat.customjs.jquery.ajax({
|
||||
method: "GET",
|
||||
url: "/WebGoat/IDOR/profile",
|
||||
url: "IDOR/profile",
|
||||
contentType: 'application/json; charset=UTF-8'
|
||||
}).then(webgoat.customjs.idorViewProfile);
|
||||
}
|
||||
|
||||
@ -17,7 +17,7 @@
|
||||
<script th:src="@{/lesson_js/credentials.js}"></script>
|
||||
<form class="attack-form" accept-charset="UNKNOWN" name="task"
|
||||
method="POST"
|
||||
action="/WebGoat/InsecureLogin/task">
|
||||
action="InsecureLogin/task">
|
||||
|
||||
<button onclick="javascript:submit_secret_credentials();return false;">Log in</button>
|
||||
|
||||
@ -25,7 +25,7 @@
|
||||
<br></br>
|
||||
<form class="attack-form" accept-charset="UNKNOWN" name="task"
|
||||
method="POST"
|
||||
action="/WebGoat/InsecureLogin/task">
|
||||
action="InsecureLogin/task">
|
||||
|
||||
<input type="text" value="" name="username" placeholder="username"/>
|
||||
<input type="password" value="" name="password" placeholder="password" />
|
||||
|
||||
@ -17,7 +17,7 @@
|
||||
<div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_decode.adoc}"></div>
|
||||
<div class="attack-container">
|
||||
<img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
|
||||
<form id="decode" class="attack-form" method="POST" name="form" action="/WebGoat/JWT/decode">
|
||||
<form id="decode" class="attack-form" method="POST" name="form" action="JWT/decode">
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<br>
|
||||
<div class="row">
|
||||
@ -53,7 +53,7 @@
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST"
|
||||
successCallback="jwtSigningCallback"
|
||||
action="/WebGoat/JWT/votings">
|
||||
action="JWT/votings">
|
||||
<div class="container-fluid">
|
||||
|
||||
<div class="row">
|
||||
@ -124,7 +124,7 @@
|
||||
<div class="container-fluid">
|
||||
<form id="quiz-form" class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/JWT/quiz"
|
||||
action="JWT/quiz"
|
||||
role="form">
|
||||
<div id="q_container"></div>
|
||||
<br/>
|
||||
@ -155,7 +155,7 @@
|
||||
|
||||
<div class="attack-container">
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" method="POST" name="form" action="/WebGoat/JWT/secret">
|
||||
<form class="attack-form" method="POST" name="form" action="JWT/secret">
|
||||
<div class="form-group">
|
||||
<div class="input-group">
|
||||
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
|
||||
@ -192,7 +192,7 @@
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST"
|
||||
additionalHeaders="addBearerToken"
|
||||
action="/WebGoat/JWT/refresh/checkout">
|
||||
action="JWT/refresh/checkout">
|
||||
<div class="container-fluid">
|
||||
<div class="row">
|
||||
<div class="col-sm-12 col-md-10 col-md-offset-1">
|
||||
@ -319,7 +319,7 @@
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST"
|
||||
action="/WebGoat/JWT/final/delete?token=eyJ0eXAiOiJKV1QiLCJqa3UiOiJodHRwczovL2NvZ25pdG8taWRwLnVzLWVhc3QtMS5hbWF6b25hd3MuY29tL3dlYmdvYXQvLndlbGwta25vd24vandrcy5qc29uIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJXZWJHb2F0IFRva2VuIEJ1aWxkZXIiLCJpYXQiOjE1MjQyMTA5MDQsImV4cCI6MTYxODkwNTMwNCwiYXVkIjoid2ViZ29hdC5vcmciLCJzdWIiOiJqZXJyeUB3ZWJnb2F0LmNvbSIsInVzZXJuYW1lIjoiSmVycnkiLCJFbWFpbCI6ImplcnJ5QHdlYmdvYXQuY29tIiwiUm9sZSI6WyJDYXQiXX0.SabvRaYSCW7xI0ueca19TL1e66cJIJaxRiydK2G5lgFMIbL5gQQjE6022HEha9HcprqFXyHbtXrQWRXAp6Gjaf5zs8LUMBMARWjEr8TS43ihguarmLLmvBCoqjiZY39o4EcEjEH9xAoyIYR_Trh7kXn6JVU-8MM76l9IOcYIJ9c8LqT1ERNmbCqtI4PP0tdqCy99nHhqlxSCVXaGDF0jMHV5kjCDSHNYib9riy9xZ63Sztify-bwPqRvxmaShPYtG4BBM_wOGlg-BYTTuws-6yISMfTB5U1WBDwLr6dLU123TGO26wCVBgTKbA0KKG94-ToOcneWLOTEacEfQQOlIQ">
|
||||
action="JWT/final/delete?token=eyJ0eXAiOiJKV1QiLCJqa3UiOiJodHRwczovL2NvZ25pdG8taWRwLnVzLWVhc3QtMS5hbWF6b25hd3MuY29tL3dlYmdvYXQvLndlbGwta25vd24vandrcy5qc29uIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJXZWJHb2F0IFRva2VuIEJ1aWxkZXIiLCJpYXQiOjE1MjQyMTA5MDQsImV4cCI6MTYxODkwNTMwNCwiYXVkIjoid2ViZ29hdC5vcmciLCJzdWIiOiJqZXJyeUB3ZWJnb2F0LmNvbSIsInVzZXJuYW1lIjoiSmVycnkiLCJFbWFpbCI6ImplcnJ5QHdlYmdvYXQuY29tIiwiUm9sZSI6WyJDYXQiXX0.SabvRaYSCW7xI0ueca19TL1e66cJIJaxRiydK2G5lgFMIbL5gQQjE6022HEha9HcprqFXyHbtXrQWRXAp6Gjaf5zs8LUMBMARWjEr8TS43ihguarmLLmvBCoqjiZY39o4EcEjEH9xAoyIYR_Trh7kXn6JVU-8MM76l9IOcYIJ9c8LqT1ERNmbCqtI4PP0tdqCy99nHhqlxSCVXaGDF0jMHV5kjCDSHNYib9riy9xZ63Sztify-bwPqRvxmaShPYtG4BBM_wOGlg-BYTTuws-6yISMfTB5U1WBDwLr6dLU123TGO26wCVBgTKbA0KKG94-ToOcneWLOTEacEfQQOlIQ">
|
||||
<div class="container-fluid">
|
||||
<div id="toast"></div>
|
||||
<div class="col-sm-6 col-md-4 col-lg-3 mt-4">
|
||||
@ -385,7 +385,7 @@
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST"
|
||||
action="/WebGoat/JWT/kid/delete?token=eyJ0eXAiOiJKV1QiLCJraWQiOiJ3ZWJnb2F0X2tleSIsImFsZyI6IkhTMjU2In0.eyJpc3MiOiJXZWJHb2F0IFRva2VuIEJ1aWxkZXIiLCJpYXQiOjE1MjQyMTA5MDQsImV4cCI6MTYxODkwNTMwNCwiYXVkIjoid2ViZ29hdC5vcmciLCJzdWIiOiJqZXJyeUB3ZWJnb2F0LmNvbSIsInVzZXJuYW1lIjoiSmVycnkiLCJFbWFpbCI6ImplcnJ5QHdlYmdvYXQuY29tIiwiUm9sZSI6WyJDYXQiXX0.CgZ27DzgVW8gzc0n6izOU638uUCi6UhiOJKYzoEZGE8">
|
||||
action="JWT/kid/delete?token=eyJ0eXAiOiJKV1QiLCJraWQiOiJ3ZWJnb2F0X2tleSIsImFsZyI6IkhTMjU2In0.eyJpc3MiOiJXZWJHb2F0IFRva2VuIEJ1aWxkZXIiLCJpYXQiOjE1MjQyMTA5MDQsImV4cCI6MTYxODkwNTMwNCwiYXVkIjoid2ViZ29hdC5vcmciLCJzdWIiOiJqZXJyeUB3ZWJnb2F0LmNvbSIsInVzZXJuYW1lIjoiSmVycnkiLCJFbWFpbCI6ImplcnJ5QHdlYmdvYXQuY29tIiwiUm9sZSI6WyJDYXQiXX0.CgZ27DzgVW8gzc0n6izOU638uUCi6UhiOJKYzoEZGE8">
|
||||
<div class="container-fluid">
|
||||
<div id="toast"></div>
|
||||
<div class="col-sm-6 col-md-4 col-lg-3 mt-4">
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
$(document).ready(
|
||||
function(){
|
||||
$("#secrettoken").load('/WebGoat/JWT/secret/gettoken');
|
||||
$("#secrettoken").load('JWT/secret/gettoken');
|
||||
}
|
||||
);
|
||||
@ -87,7 +87,7 @@ green when the user solves the assignment. To make this work we need to add to t
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/lesson-template/sample-attack">
|
||||
action="lesson-template/sample-attack">
|
||||
<table>
|
||||
<tr>
|
||||
<td>two random params</td>
|
||||
|
||||
@ -47,7 +47,7 @@
|
||||
<!-- modify the action to point to the intended endpoint and set other attributes as desired -->
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/lesson-template/sample-attack">
|
||||
action="lesson-template/sample-attack">
|
||||
<table>
|
||||
<tr>
|
||||
<td>two random params</td>
|
||||
|
||||
@ -12,7 +12,7 @@ var onViewProfile = function () {
|
||||
console.warn("on view profile activated")
|
||||
webgoat.customjs.jquery.ajax({
|
||||
method: "GET",
|
||||
url: "/WebGoat/IDOR/profile",
|
||||
url: "IDOR/profile",
|
||||
contentType: 'application/json; charset=UTF-8'
|
||||
}).then(webgoat.customjs.idorViewProfile);
|
||||
}
|
||||
|
||||
@ -16,7 +16,7 @@
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN" name="task"
|
||||
method="POST"
|
||||
action="/WebGoat/LogSpoofing/log-spoofing">
|
||||
action="LogSpoofing/log-spoofing">
|
||||
|
||||
<input type="text" value="" name="username" placeholder="username"/>
|
||||
<input type="password" value="" name="password" placeholder="password"/>
|
||||
@ -38,7 +38,7 @@
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN" name="task"
|
||||
method="POST"
|
||||
action="/WebGoat/LogSpoofing/log-bleeding">
|
||||
action="LogSpoofing/log-bleeding">
|
||||
|
||||
<input type="text" value="" name="username" placeholder="username"/>
|
||||
<input type="password" value="" name="password" placeholder="password"/>
|
||||
|
||||
@ -53,7 +53,7 @@
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/access-control/hidden-menu">
|
||||
action="access-control/hidden-menu">
|
||||
|
||||
<p>Hidden item 1 <input name="hiddenMenu1" value="" type="TEXT"/></p>
|
||||
<p>Hidden item 2 <input name="hiddenMenu2" value="" type="TEXT"/></p>
|
||||
@ -76,7 +76,7 @@
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/access-control/user-hash">
|
||||
action="access-control/user-hash">
|
||||
|
||||
<p>Your Hash: <input name="userHash" value="" type="TEXT"/></p>
|
||||
<br/>
|
||||
@ -98,7 +98,7 @@
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/access-control/user-hash-fix">
|
||||
action="access-control/user-hash-fix">
|
||||
|
||||
<p>Your Hash: <input name="userHash" value="" type="TEXT"/></p>
|
||||
<br/>
|
||||
|
||||
@ -23,7 +23,7 @@
|
||||
|
||||
<form class="attack-form" accept-charset="UNKNOWN" novalidate="novalidate"
|
||||
method="POST"
|
||||
action="/WebGoat/PasswordReset/simple-mail/reset">
|
||||
action="PasswordReset/simple-mail/reset">
|
||||
<div style="display: none;" id="password-reset-2">
|
||||
<h4 class="">Forgot your password?</h4>
|
||||
|
||||
@ -31,7 +31,7 @@
|
||||
<span class="help-block">Please type your e-mail address</span>
|
||||
<div class="form-group input-group">
|
||||
<span class="input-group-addon">@</span>
|
||||
<input class="form-control" placeholder="test1233@webgoat.org" name="emailReset"
|
||||
<input class="form-control" th:attr="placeholder=${username + '@webgoat.org'}" name="emailReset"
|
||||
type="email"/>
|
||||
</div>
|
||||
<button type="submit" class="btn btn-primary btn-block" id="btn-olvidado">Continue
|
||||
@ -47,7 +47,7 @@
|
||||
</form>
|
||||
<form class="attack-form" accept-charset="UNKNOWN" novalidate="novalidate"
|
||||
method="POST"
|
||||
action="/WebGoat/PasswordReset/simple-mail">
|
||||
action="PasswordReset/simple-mail">
|
||||
<div style="padding: 20px;" id="password-login-2">
|
||||
<h4 style="border-bottom: 1px solid #c5c5c5;"><i class="glyphicon glyphicon-user"></i>
|
||||
Account
|
||||
@ -103,7 +103,7 @@
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST"
|
||||
action="/WebGoat/PasswordReset/questions">
|
||||
action="PasswordReset/questions">
|
||||
<div class="container-fluid">
|
||||
<div class="col-md-4">
|
||||
<article class="card-body">
|
||||
@ -143,7 +143,7 @@
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/PasswordReset/SecurityQuestions">
|
||||
action="PasswordReset/SecurityQuestions">
|
||||
<select name="question">
|
||||
<option>What is your favorite animal?</option>
|
||||
<option>In what year was your mother born?</option>
|
||||
@ -175,7 +175,7 @@
|
||||
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST"
|
||||
action="/WebGoat/PasswordReset/reset/login">
|
||||
action="PasswordReset/reset/login">
|
||||
<div class="container-fluid">
|
||||
<div class="row">
|
||||
<div class="col-md-4">
|
||||
@ -186,7 +186,7 @@
|
||||
<div style="padding: 20px;" id="password-login">
|
||||
<form id="login-form" class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/PasswordReset/reset/login"
|
||||
action="PasswordReset/reset/login"
|
||||
role="form">
|
||||
<fieldset>
|
||||
<div class="form-group input-group">
|
||||
@ -222,7 +222,7 @@
|
||||
</h4>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/PasswordReset/ForgotPassword/create-password-reset-link"
|
||||
action="PasswordReset/ForgotPassword/create-password-reset-link"
|
||||
role="form">
|
||||
<fieldset>
|
||||
<span class="help-block">
|
||||
|
||||
@ -9,7 +9,7 @@
|
||||
<div class="container">
|
||||
<div class="row">
|
||||
<div class="col-xs-12 col-sm-8 col-md-6 col-sm-offset-2 col-md-offset-3">
|
||||
<form role="form" method="POST" action="/WebGoat/PasswordReset/reset/change-password" th:object="${form}" novalidate="novalidate">
|
||||
<form role="form" method="POST" action="PasswordReset/reset/change-password" th:object="${form}" novalidate="novalidate">
|
||||
<h2 class="sign_up_title">Reset your password</h2>
|
||||
<div class="form-group" th:classappend="${#fields.hasErrors('password')}? 'has-error'">
|
||||
<input type="hidden" name="resetLink" th:field="*{resetLink}" />
|
||||
|
||||
@ -22,7 +22,7 @@
|
||||
informationalCallback="profileUploadCallback"
|
||||
prepareData="profileUpload"
|
||||
enctype="multipart/form-data"
|
||||
action="/WebGoat/PathTraversal/profile-upload">
|
||||
action="PathTraversal/profile-upload">
|
||||
<div class="preview text-center">
|
||||
<img class="preview-img" th:src="@{/images/account.png}" alt="Preview Image" width="200"
|
||||
height="200" id="preview"/>
|
||||
@ -76,7 +76,7 @@
|
||||
informationalCallback="profileUploadCallbackFix"
|
||||
prepareData="profileUploadFix"
|
||||
enctype="multipart/form-data"
|
||||
action="/WebGoat/PathTraversal/profile-upload-fix">
|
||||
action="PathTraversal/profile-upload-fix">
|
||||
<div class="preview text-center">
|
||||
<img class="preview-img" th:src="@{/images/account.png}" alt="Preview Image" width="200"
|
||||
height="200" id="previewFix"/>
|
||||
@ -131,7 +131,7 @@
|
||||
informationalCallback="profileUploadCallbackRemoveUserInput"
|
||||
prepareData="profileUploadRemoveUserInput"
|
||||
enctype="multipart/form-data"
|
||||
action="/WebGoat/PathTraversal/profile-upload-remove-user-input">
|
||||
action="PathTraversal/profile-upload-remove-user-input">
|
||||
<div class="preview text-center">
|
||||
<img class="preview-img" th:src="@{/images/account.png}" alt="Preview Image" width="200"
|
||||
height="200" id="previewRemoveUserInput"/>
|
||||
@ -189,7 +189,7 @@
|
||||
|
||||
|
||||
<br/>
|
||||
<form class="attack-form" method="POST" name="form" action="/WebGoat/PathTraversal/random">
|
||||
<form class="attack-form" method="POST" name="form" action="PathTraversal/random">
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<div class="form-group">
|
||||
<div class="input-group">
|
||||
@ -227,7 +227,7 @@
|
||||
|
||||
prepareData="profileZipSlip"
|
||||
enctype="multipart/form-data"
|
||||
action="/WebGoat/PathTraversal/zip-slip">
|
||||
action="PathTraversal/zip-slip">
|
||||
<div class="preview text-center">
|
||||
<img class="preview-img" th:src="@{/images/account.png}" alt="Preview Image" width="200"
|
||||
height="200" id="previewZipSlip"/>
|
||||
|
||||
@ -20,7 +20,7 @@
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/SecurePasswords/assignment"
|
||||
action="SecurePasswords/assignment"
|
||||
autocomplete="off">
|
||||
|
||||
<div class="input-group input-group">
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
<div class="row">
|
||||
<div class="col-md-4">
|
||||
<form class="attack-form" accept-charset="UNKNOWN" method="POST"
|
||||
action="/WebGoat/SpoofCookie/login">
|
||||
action="SpoofCookie/login">
|
||||
<div style="padding: 20px;" id="password-login">
|
||||
<h4 style="border-bottom: 1px solid #c5c5c5;">Account Access</h4>
|
||||
<fieldset>
|
||||
|
||||
@ -15,7 +15,7 @@
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/SqlInjection/attack2"
|
||||
action="SqlInjection/attack2"
|
||||
autocomplete="off">
|
||||
<table>
|
||||
<tr>
|
||||
@ -39,7 +39,7 @@
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/SqlInjection/attack3"
|
||||
action="SqlInjection/attack3"
|
||||
autocomplete="off">
|
||||
<table>
|
||||
<tr>
|
||||
@ -63,7 +63,7 @@
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/SqlInjection/attack4"
|
||||
action="SqlInjection/attack4"
|
||||
autocomplete="off">
|
||||
<table>
|
||||
<tr>
|
||||
@ -87,7 +87,7 @@
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/SqlInjection/attack5"
|
||||
action="SqlInjection/attack5"
|
||||
autocomplete="off">
|
||||
<table>
|
||||
<tr>
|
||||
@ -143,7 +143,7 @@
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/SqlInjection/assignment5a">
|
||||
action="SqlInjection/assignment5a">
|
||||
<table>
|
||||
<tr>
|
||||
<td>SELECT * FROM user_data WHERE first_name = 'John' AND last_name = '</td>
|
||||
@ -188,7 +188,7 @@
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/SqlInjection/assignment5b">
|
||||
action="SqlInjection/assignment5b">
|
||||
<table>
|
||||
<tr>
|
||||
<td>Login_Count:</td>
|
||||
@ -216,7 +216,7 @@
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/SqlInjection/attack8"
|
||||
action="SqlInjection/attack8"
|
||||
autocomplete="off">
|
||||
<table>
|
||||
<tr>
|
||||
@ -244,7 +244,7 @@
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/SqlInjection/attack9"
|
||||
action="SqlInjection/attack9"
|
||||
autocomplete="off">
|
||||
<table>
|
||||
<tr>
|
||||
@ -273,7 +273,7 @@
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/SqlInjection/attack10"
|
||||
action="SqlInjection/attack10"
|
||||
autocomplete="off">
|
||||
<table>
|
||||
<tr>
|
||||
|
||||
@ -20,7 +20,7 @@
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/SqlInjectionAdvanced/attack6a">
|
||||
action="SqlInjectionAdvanced/attack6a">
|
||||
<table>
|
||||
<tr>
|
||||
<td>Name:</td>
|
||||
@ -33,7 +33,7 @@
|
||||
</form>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/SqlInjectionAdvanced/attack6b">
|
||||
action="SqlInjectionAdvanced/attack6b">
|
||||
<table>
|
||||
<tr>
|
||||
<td>Password:</td>
|
||||
@ -79,7 +79,7 @@
|
||||
<div class="col-lg-12">
|
||||
<form id="login-form" class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/SqlInjectionAdvanced/challenge_Login"
|
||||
action="SqlInjectionAdvanced/challenge_Login"
|
||||
role="form">
|
||||
<div class="form-group">
|
||||
<input type="text" name="username_login" id="username4" tabindex="1"
|
||||
@ -115,7 +115,7 @@
|
||||
</form>
|
||||
<form id="register-form" class="attack-form" accept-charset="UNKNOWN"
|
||||
method="PUT" name="form"
|
||||
action="/WebGoat/SqlInjectionAdvanced/challenge"
|
||||
action="SqlInjectionAdvanced/challenge"
|
||||
style="display: none;" role="form">
|
||||
<div class="form-group">
|
||||
<input type="text" name="username_reg" id="username" tabindex="1"
|
||||
@ -168,7 +168,7 @@
|
||||
<div class="container-fluid">
|
||||
<form id="quiz-form" class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/SqlInjectionAdvanced/quiz"
|
||||
action="SqlInjectionAdvanced/quiz"
|
||||
role="form">
|
||||
<div id="q_container"></div>
|
||||
<br />
|
||||
|
||||
@ -23,7 +23,7 @@
|
||||
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_jdbc_completion.adoc}"></div>
|
||||
<div class="attack-container">
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/SqlInjectionMitigations/attack10a">
|
||||
<form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="SqlInjectionMitigations/attack10a">
|
||||
<div>
|
||||
<p>Connection conn = DriverManager.<input type="text" name="field1" id="field1" />(DBURL, DBUSER, DBPW);</p>
|
||||
<p><input type="text" name="field2" id="field2" /> = conn.<input type="text" name="field3" id="field3" />("SELECT status FROM users WHERE name=<input type="text" name="field4" id="field4" /> AND mail=<input type="text" name="field5" id="field5" />");</p>
|
||||
@ -42,7 +42,7 @@
|
||||
<div class="lesson-page-wrapper">
|
||||
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_jdbc_newcode.adoc}"></div>
|
||||
<div class="attack-container" style="border: none !important; height: 100%; min-height: 300px;">
|
||||
<form id="codesubmit" style="height: 100%; min-height: 300px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/SqlInjectionMitigations/attack10b">
|
||||
<form id="codesubmit" style="height: 100%; min-height: 300px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="SqlInjectionMitigations/attack10b">
|
||||
<div>
|
||||
<div id="editor" style="position: absolute; top: 0; right: 0; bottom: 0; left: 0; height: 300px;" name="editor"></div>
|
||||
<script th:src="@{/js/libs/ace.js}" type="text/javascript" charset="utf-8"></script>
|
||||
@ -72,7 +72,7 @@
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/SqlOnlyInputValidation/attack"
|
||||
action="SqlOnlyInputValidation/attack"
|
||||
enctype="application/json;charset=UTF-8">
|
||||
<table>
|
||||
<tr>
|
||||
@ -95,7 +95,7 @@
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/SqlOnlyInputValidationOnKeywords/attack"
|
||||
action="SqlOnlyInputValidationOnKeywords/attack"
|
||||
enctype="application/json;charset=UTF-8">
|
||||
<table>
|
||||
<tr>
|
||||
@ -124,7 +124,7 @@
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/SqlInjectionMitigations/attack12a">
|
||||
action="SqlInjectionMitigations/attack12a">
|
||||
<div class="container-fluid">
|
||||
<div class="row">
|
||||
<div class="panel panel-primary">
|
||||
@ -173,7 +173,7 @@
|
||||
<br/>
|
||||
</div>
|
||||
</form>
|
||||
<form class="attack-form" method="POST" name="form" action="/WebGoat/SqlInjectionMitigations/attack12a">
|
||||
<form class="attack-form" method="POST" name="form" action="SqlInjectionMitigations/attack12a">
|
||||
<div class="form-group">
|
||||
<div class="input-group">
|
||||
<div class="input-group-addon">IP address webgoat-prd server:</div>
|
||||
|
||||
@ -12,7 +12,7 @@
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/SSRF/task1">
|
||||
action="SSRF/task1">
|
||||
<table>
|
||||
<tr>
|
||||
<td><input type="hidden" id="url1" name="url" value="images/tom.png"/></td>
|
||||
@ -34,7 +34,7 @@
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/SSRF/task2">
|
||||
action="SSRF/task2">
|
||||
<table>
|
||||
<tr>
|
||||
<td><input type="hidden" id="url2" name="url" value="images/cat.png"/></td>
|
||||
|
||||
@ -99,7 +99,7 @@
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/VulnerableComponents/attack1">
|
||||
action="VulnerableComponents/attack1">
|
||||
<div id="lessonContent">
|
||||
<form accept-charset="UNKNOWN" method="POST" name="form"
|
||||
action="#attack/307/100">
|
||||
|
||||
@ -18,7 +18,7 @@
|
||||
|
||||
<form class="attack-form" accept-charset="UNKNOWN" style="position:relative;top:150px"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/WebWolf/mail">
|
||||
action="WebWolf/mail">
|
||||
<div class="container-fluid">
|
||||
<div class="row">
|
||||
<div class="col-md-4">
|
||||
@ -39,7 +39,7 @@
|
||||
<!-- <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>-->
|
||||
<form class="attack-form" accept-charset="UNKNOWN" style="position:relative;top:-50px"
|
||||
method="POST" name="secondform"
|
||||
action="/WebGoat/WebWolf/mail/send">
|
||||
action="WebWolf/mail/send">
|
||||
<div class="container-fluid">
|
||||
<div class="row">
|
||||
<div class="col-md-4">
|
||||
@ -47,7 +47,7 @@
|
||||
<span class="input-group-addon">
|
||||
@
|
||||
</span>
|
||||
<input class="form-control" placeholder="test1233@webgoat.org" name="email" type="email"
|
||||
<input class="form-control" th:attr="placeholder=${username + '@webgoat.org'}" name="email" type="email"
|
||||
required=""/>
|
||||
</div>
|
||||
<button type="submit" class="btn btn-primary btn-block" id="btn-login">
|
||||
@ -70,13 +70,13 @@
|
||||
<div class="attack-container">
|
||||
<img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<a href="/WebGoat/WebWolf/landing/password-reset" target="_blank">Click here to reset your password</a>
|
||||
<a href="WebWolf/landing/password-reset" target="_blank">Click here to reset your password</a>
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/WebWolf/landing">
|
||||
action="WebWolf/landing">
|
||||
<div class="container-fluid">
|
||||
<div class="row">
|
||||
<div class="col-md-4">
|
||||
|
||||
@ -9,7 +9,7 @@
|
||||
<div class="container">
|
||||
<div class="row">
|
||||
<div class="col-xs-12 col-sm-8 col-md-6 col-sm-offset-2 col-md-offset-3">
|
||||
<form role="form" method="GET" th:action="${webwolfUrl}">
|
||||
<form role="form" method="GET" th:action="${webwolfLandingPageUrl}">
|
||||
<h2 class="sign_up_title">Reset your password</h2>
|
||||
<input type="hidden" name="uniqueCode" th:value="${uniqueCode}"/>
|
||||
<div class="form-group">
|
||||
@ -23,7 +23,7 @@
|
||||
</div>
|
||||
</div>
|
||||
<div>
|
||||
<a href="https://github.com/WebGoat">(c) 2017 WebGoat Company</a>
|
||||
<a href="https://github.com/WebGoat">(c) 2023 WebGoat Company</a>
|
||||
</div>
|
||||
</form>
|
||||
</div>
|
||||
|
||||
@ -12,7 +12,7 @@
|
||||
<div id="lessonContent">
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/CrossSiteScripting/attack1">
|
||||
action="CrossSiteScripting/attack1">
|
||||
<table>
|
||||
<tr>
|
||||
<td><input type="checkbox" name="checkboxAttack1"> The cookies are the same on each tab </td>
|
||||
@ -46,7 +46,7 @@
|
||||
<div id="lessonContent">
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="GET" name="xss-5a"
|
||||
action="/WebGoat/CrossSiteScripting/attack5a">
|
||||
action="CrossSiteScripting/attack5a">
|
||||
<center>
|
||||
<h4>Shopping Cart</h4>
|
||||
</center>
|
||||
@ -133,7 +133,7 @@
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="DOMTestRoute"
|
||||
action="/WebGoat/CrossSiteScripting/attack6a">
|
||||
action="CrossSiteScripting/attack6a">
|
||||
<input name="DOMTestRoute" value="" type="TEXT" />
|
||||
<input name="SubmitTestRoute" value="Submit" type="SUBMIT"/>
|
||||
</form>
|
||||
@ -148,7 +148,7 @@
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="DOMFollowUp"
|
||||
action="/WebGoat/CrossSiteScripting/dom-follow-up">
|
||||
action="CrossSiteScripting/dom-follow-up">
|
||||
<input name="successMessage" value="" type="TEXT" />
|
||||
<input name="submitMessage" value="Submit" type="SUBMIT"/>
|
||||
</form>
|
||||
@ -168,7 +168,7 @@
|
||||
<div class="container-fluid">
|
||||
<form id="quiz-form" class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/CrossSiteScripting/quiz" role="form">
|
||||
action="CrossSiteScripting/quiz" role="form">
|
||||
<div id="q_container"></div>
|
||||
<br />
|
||||
<input name="Quiz_solutions" value="Submit answers" type="SUBMIT"/>
|
||||
|
||||
@ -21,7 +21,7 @@
|
||||
<div class="lesson-page-wrapper">
|
||||
<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_content8b.adoc}"></div>
|
||||
<div class="attack-container" style="height: 100%; border: none !important;min-height: 450px;">
|
||||
<form id="codesubmit" style="height: 100%; min-height: 350px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/CrossSiteScripting/attack3">
|
||||
<form id="codesubmit" style="height: 100%; min-height: 350px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="CrossSiteScripting/attack3">
|
||||
<div>
|
||||
<div id="editor" style="position: absolute; top: 0; right: 0; bottom: 0; left: 0; height: 350px;" name="editor"></div>
|
||||
<script th:src="@{/js/libs/ace.js}" type="text/javascript" charset="utf-8"></script>
|
||||
@ -41,7 +41,7 @@
|
||||
<div class="lesson-page-wrapper">
|
||||
<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_content8c.adoc}"></div>
|
||||
<div class="attack-container" style="height: 100%; border: none !important;min-height: 450px;">
|
||||
<form id="codesubmit2" style="height: 100%; min-height: 350px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/CrossSiteScripting/attack4">
|
||||
<form id="codesubmit2" style="height: 100%; min-height: 350px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="CrossSiteScripting/attack4">
|
||||
<div>
|
||||
<div id="editor2" style="position: absolute; top: 0; right: 0; bottom: 0; left: 0; height: 350px;" name="editor2"></div>
|
||||
<script th:src="@{/js/libs/ace.js}" type="text/javascript" charset="utf-8"></script>
|
||||
|
||||
@ -67,7 +67,7 @@
|
||||
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="DOMFollowUp"
|
||||
action="/WebGoat/CrossSiteScriptingStored/stored-xss-follow-up">
|
||||
action="CrossSiteScriptingStored/stored-xss-follow-up">
|
||||
<input name="successMessage" value="" type="TEXT" />
|
||||
<input name="submitMessage" value="Submit" type="SUBMIT"/>
|
||||
</form>
|
||||
|
||||
@ -17,7 +17,7 @@ xss-reflected-6a-failure=Sorry that is not correct. Look at the example again to
|
||||
xss-reflected-6a-hint-1=To search through the client side code, use the developer tools of your browser. (If you don't know how to use them, check the <i>Developer Tools</i> Lesson in the general category.)
|
||||
xss-reflected-6a-hint-2=Since you are looking for application code, check the WebGoat/js/goatApp folder for a file that could handle the routes.
|
||||
xss-reflected-6a-hint-3=Make sure you add the base route at the start, when submitting your solution.
|
||||
xss-reflected-6a-hint-4=Still did not find it? Check the <a href="/WebGoat/js/goatApp/view/GoatRouter.js" target="_blank">GoatRouter.js</a> file. It should be pretty easy to determine.
|
||||
xss-reflected-6a-hint-4=Still did not find it? Check the <a href="js/goatApp/view/GoatRouter.js" target="_blank">GoatRouter.js</a> file. It should be pretty easy to determine.
|
||||
xss.lesson1.failure=The cookies should be the same on both tabs. Ensure that the tabs are from the same site.
|
||||
xss-dom-message-success=Correct, I hope you did not cheat, using the console!
|
||||
xss-dom-message-failure=Incorrect, keep trying. It should be obvious in the log when you are successful.
|
||||
|
||||
@ -3,7 +3,7 @@ $(document).ready(function () {
|
||||
var commentInput = $("#commentInput").val();
|
||||
$.ajax({
|
||||
type: 'POST',
|
||||
url: '/WebGoat/CrossSiteScriptingStored/stored-xss',
|
||||
url: 'CrossSiteScriptingStored/stored-xss',
|
||||
data: JSON.stringify({text: commentInput}),
|
||||
contentType: "application/json",
|
||||
dataType: 'json'
|
||||
@ -32,7 +32,7 @@ $(document).ready(function () {
|
||||
|
||||
function getChallenges() {
|
||||
$("#list").empty();
|
||||
$.get('/WebGoat/CrossSiteScriptingStored/stored-xss', function (result, status) {
|
||||
$.get('CrossSiteScriptingStored/stored-xss', function (result, status) {
|
||||
for (var i = 0; i < result.length; i++) {
|
||||
var comment = html.replace('USER', result[i].user);
|
||||
comment = comment.replace('DATETIME', result[i].dateTime);
|
||||
|
||||
@ -28,7 +28,7 @@
|
||||
successCallback="simpleXXECallback"
|
||||
failureCallback="simpleXXECallback"
|
||||
contentType="application/xml"
|
||||
action="/WebGoat/xxe/simple">
|
||||
action="xxe/simple">
|
||||
<div class="container-fluid">
|
||||
<div class="panel post">
|
||||
<div class="post-heading">
|
||||
@ -166,7 +166,7 @@
|
||||
prepareData="blindXXE"
|
||||
successCallback="blindXXECallback"
|
||||
failureCallback="blindXXECallback"
|
||||
action="/WebGoat/xxe/blind"
|
||||
action="xxe/blind"
|
||||
contentType="application/xml">
|
||||
<div class="container-fluid">
|
||||
<div class="panel post">
|
||||
@ -221,7 +221,7 @@
|
||||
<div class="lesson-page-wrapper">
|
||||
<div class="adoc-content" th:replace="~{doc:lessons/xxe/documentation/XXE_static_code_analysis.adoc}"></div>
|
||||
<br/>
|
||||
<a id="submitlink" class="btn btn-primary" href="" onclick="javascript:$('#patchbutton').load('/WebGoat/service/enable-security.mvc');return false;"><span id="patchbutton">Apply XXE security patch</span></a>
|
||||
<a id="submitlink" class="btn btn-primary" href="" onclick="javascript:$('#patchbutton').load('service/enable-security.mvc');return false;"><span id="patchbutton">Apply XXE security patch</span></a>
|
||||
</div>
|
||||
|
||||
</body>
|
||||
|
||||
Reference in New Issue
Block a user