Password reset link test condition more strict and move all WebWolf links to /WebWolf (#1645)
* better check on host and port for password reset and make context roots more flexible * spotless applied * removed hardcoded /WebGoat from js * removed hardcoded /WebGoat from js * fix spotless * fix scoreboard * upgrade WebWolf bootstrap version and icons and templates - part 1 * fixed more bootstrap 5 style issues and context path issues * organized WebSecurityConfig based on latest conventions and added basic support for oauth (more work needed) * spotless applied * added mock bean * requires updates to properties - commented for now * requires updates to properties - commented for now * oauth secrets through env values * user creation after oauth login * integration test against non default context paths * adjusted StartupMessage * add global model element username * conditionally show login oauth links * fixed WebWolf login --------- Co-authored-by: René Zubcevic <rene@Mac-mini-van-Rene.local>
This commit is contained in:
René Zubcevic
GitHub
@ -7,10 +7,10 @@
|
||||
* JavaScript to load initial assignment tokens
|
||||
*/
|
||||
function initialise() {
|
||||
$("#sha256token").load('/WebGoat/crypto/hashing/sha256');
|
||||
$("#md5token").load('/WebGoat/crypto/hashing/md5');
|
||||
$("#basicauthtoken").load('/WebGoat/crypto/encoding/basic');
|
||||
$("#privatekey").load('/WebGoat/crypto/signing/getprivate');
|
||||
$("#sha256token").load('crypto/hashing/sha256');
|
||||
$("#md5token").load('crypto/hashing/md5');
|
||||
$("#basicauthtoken").load('crypto/encoding/basic');
|
||||
$("#privatekey").load('crypto/signing/getprivate');
|
||||
}
|
||||
$(document).ready(initialise);
|
||||
</script>
|
||||
@ -28,7 +28,7 @@ $(document).ready(initialise);
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
Now suppose you have intercepted the following header:<br/>
|
||||
<div id="basicauthtoken" ></div><br/>
|
||||
<form class="attack-form" method="POST" name="form" action="/WebGoat/crypto/encoding/basic-auth">
|
||||
<form class="attack-form" method="POST" name="form" action="crypto/encoding/basic-auth">
|
||||
Then what was the username
|
||||
<input name="answer_user" value="" type="TEXT"/>
|
||||
and what was the password:
|
||||
@ -45,7 +45,7 @@ $(document).ready(initialise);
|
||||
<!-- 3. assignment xor -->
|
||||
<div class="attack-container">
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" method="POST" name="form" action="/WebGoat/crypto/encoding/xor">
|
||||
<form class="attack-form" method="POST" name="form" action="crypto/encoding/xor">
|
||||
Suppose you found the database password encoded as {xor}Oz4rPj0+LDovPiwsKDAtOw==<br/>
|
||||
What would be the actual password
|
||||
<input name="answer_pwd1" value="" type="TEXT"/><br/>
|
||||
@ -62,7 +62,7 @@ $(document).ready(initialise);
|
||||
<!-- 4. weak hashing exercise -->
|
||||
<div class="attack-container">
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" method="POST" name="form" action="/WebGoat/crypto/hashing">
|
||||
<form class="attack-form" method="POST" name="form" action="crypto/hashing">
|
||||
Which password belongs to this hash: <div id="md5token" ></div>
|
||||
<input name="answer_pwd1" value="" type="TEXT"/><br/>
|
||||
Which password belongs to this hash: <div id="sha256token" ></div>
|
||||
@ -87,7 +87,7 @@ $(document).ready(initialise);
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
Now suppose you have the following private key:<br/>
|
||||
<pre><div id="privatekey" ></div></pre><br/>
|
||||
<form class="attack-form" method="POST" name="form" action="/WebGoat/crypto/signing/verify">
|
||||
<form class="attack-form" method="POST" name="form" action="crypto/signing/verify">
|
||||
Then what was the modulus of the public key
|
||||
<input name="modulus" value="" type="TEXT"/>
|
||||
and now provide a signature for us based on that modulus
|
||||
@ -110,7 +110,7 @@ $(document).ready(initialise);
|
||||
<!-- 8. assignment -->
|
||||
<div class="attack-container">
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" method="POST" name="form" action="/WebGoat/crypto/secure/defaults">
|
||||
<form class="attack-form" method="POST" name="form" action="crypto/secure/defaults">
|
||||
What is the unencrypted message<br/>
|
||||
<input name="secretText" value="" type="TEXT"/><br/>
|
||||
and what is the name of the file that stored the password <br/>
|
||||
|
||||
Reference in New Issue
Block a user