Moved challenge2 to client-side-filtering as final assignment
This commit is contained in:
		| @ -10,7 +10,6 @@ public interface SolutionConstants { | |||||||
|  |  | ||||||
|     //TODO should be random generated when starting the server |     //TODO should be random generated when starting the server | ||||||
|     String PASSWORD = "!!webgoat_admin_1234!!"; |     String PASSWORD = "!!webgoat_admin_1234!!"; | ||||||
|     String SUPER_COUPON_CODE = "get_it_for_free"; |  | ||||||
|     String PASSWORD_TOM = "thisisasecretfortomonly"; |     String PASSWORD_TOM = "thisisasecretfortomonly"; | ||||||
|     String PASSWORD_LARRY = "larryknows"; |     String PASSWORD_LARRY = "larryknows"; | ||||||
|     String JWT_PASSWORD = "victory"; |     String JWT_PASSWORD = "victory"; | ||||||
|  | |||||||
| @ -1,39 +0,0 @@ | |||||||
| package org.owasp.webgoat.plugin.challenge2; |  | ||||||
|  |  | ||||||
| import com.google.common.collect.Lists; |  | ||||||
| import org.owasp.webgoat.lessons.Category; |  | ||||||
| import org.owasp.webgoat.lessons.NewLesson; |  | ||||||
|  |  | ||||||
| import java.util.List; |  | ||||||
|  |  | ||||||
| /** |  | ||||||
|  * @author nbaars |  | ||||||
|  * @since 3/21/17. |  | ||||||
|  */ |  | ||||||
| public class Challenge2 extends NewLesson { |  | ||||||
|  |  | ||||||
|     @Override |  | ||||||
|     public Category getDefaultCategory() { |  | ||||||
|         return Category.CHALLENGE; |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|     @Override |  | ||||||
|     public List<String> getHints() { |  | ||||||
|         return Lists.newArrayList(); |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|     @Override |  | ||||||
|     public Integer getDefaultRanking() { |  | ||||||
|         return 10; |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|     @Override |  | ||||||
|     public String getTitle() { |  | ||||||
|         return "challenge2.title"; |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|     @Override |  | ||||||
|     public String getId() { |  | ||||||
|         return "Challenge2"; |  | ||||||
|     } |  | ||||||
| } |  | ||||||
| @ -1,112 +0,0 @@ | |||||||
| <!DOCTYPE html> |  | ||||||
|  |  | ||||||
| <html xmlns:th="http://www.thymeleaf.org"> |  | ||||||
|  |  | ||||||
|  |  | ||||||
| <div class="lesson-page-wrapper"> |  | ||||||
|     <div class="adoc-content" th:replace="doc:Challenge_2.adoc"></div> |  | ||||||
|     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge2.css}"/> |  | ||||||
|     <script th:src="@{/lesson_js/challenge2.js}" language="JavaScript"></script> |  | ||||||
|     <div class="attack-container"> |  | ||||||
|         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> |  | ||||||
|  |  | ||||||
|         <div class="container-fluid"> |  | ||||||
|             <form class="attack-form" accept-charset="UNKNOWN" |  | ||||||
|                   method="POST" name="form" |  | ||||||
|                   action="/WebGoat/challenge/2" |  | ||||||
|                   enctype="application/json;charset=UTF-8"> |  | ||||||
|  |  | ||||||
|                 <input id="discount" type="hidden" value="0"/> |  | ||||||
|                 <div class="row"> |  | ||||||
|  |  | ||||||
|                     <div class="col-xs-3 item-photo"> |  | ||||||
|                         <img style="max-width:100%;" th:src="@{/images/samsung-black.jpg}"/> |  | ||||||
|                     </div> |  | ||||||
|                     <div class="col-xs-5" style="border:0px solid gray"> |  | ||||||
|                         <h3>Samsung Galaxy S8</h3> |  | ||||||
|                         <h5 style="color:#337ab7"><a href="http://www.samsung.com">Samsung</a> · |  | ||||||
|                             <small style="color:#337ab7">(124421 reviews)</small> |  | ||||||
|                         </h5> |  | ||||||
|  |  | ||||||
|                         <h6 class="title-price"> |  | ||||||
|                             <small>PRICE</small> |  | ||||||
|                         </h6> |  | ||||||
|                         <h3 style="margin-top:0px;"><span>US $</span><span id="price">899</span></h3> |  | ||||||
|  |  | ||||||
|                         <div class="section"> |  | ||||||
|                             <h6 class="title-attr" style="margin-top:15px;"> |  | ||||||
|                                 <small>COLOR</small> |  | ||||||
|                             </h6> |  | ||||||
|                             <div> |  | ||||||
|                                 <div class="attr" style="width:25px;background:lightgrey;"></div> |  | ||||||
|                                 <div class="attr" style="width:25px;background:black;"></div> |  | ||||||
|                             </div> |  | ||||||
|                         </div> |  | ||||||
|                         <div class="section" style="padding-bottom:5px;"> |  | ||||||
|                             <h6 class="title-attr"> |  | ||||||
|                                 <small>CAPACITY</small> |  | ||||||
|                             </h6> |  | ||||||
|                             <div> |  | ||||||
|                                 <div class="attr2">64 GB</div> |  | ||||||
|                                 <div class="attr2">128 GB</div> |  | ||||||
|                             </div> |  | ||||||
|                         </div> |  | ||||||
|                         <div class="section" style="padding-bottom:5px;"> |  | ||||||
|                             <h6 class="title-attr"> |  | ||||||
|                                 <small>QUANTITY</small> |  | ||||||
|                             </h6> |  | ||||||
|                             <div> |  | ||||||
|                                 <div class="btn-minus"><span class="glyphicon glyphicon-minus"></span></div> |  | ||||||
|                                 <input class="quantity" value="1"/> |  | ||||||
|                                 <div class="btn-plus"><span class="glyphicon glyphicon-plus"></span></div> |  | ||||||
|                             </div> |  | ||||||
|                         </div> |  | ||||||
|  |  | ||||||
|                         <div class="section" style="padding-bottom:5px;"> |  | ||||||
|                             <h6 class="title-attr"> |  | ||||||
|                                 <small>CHECKOUT CODE</small> |  | ||||||
|                             </h6> |  | ||||||
|                             <!-- |  | ||||||
|                               Checkout code: webgoat, owasp, owasp-webgoat |  | ||||||
|                             --> |  | ||||||
|                             <input name="checkoutCode" class="checkoutCode" value=""/> |  | ||||||
|  |  | ||||||
|                         </div> |  | ||||||
|  |  | ||||||
|                         <div class="section" style="padding-bottom:20px;"> |  | ||||||
|                             <button type="submit" class="btn btn-success"><span style="margin-right:20px" |  | ||||||
|                                                                                 class="glyphicon glyphicon-shopping-cart" |  | ||||||
|                                                                                 aria-hidden="true"></span>Buy |  | ||||||
|                             </button> |  | ||||||
|                             <h6><a href="#"><span class="glyphicon glyphicon-heart-empty" |  | ||||||
|                                                   style="cursor:pointer;"></span> |  | ||||||
|                                 Like</a></h6> |  | ||||||
|                         </div> |  | ||||||
|                     </div> |  | ||||||
|                 </div> |  | ||||||
|  |  | ||||||
|             </form> |  | ||||||
|         </div> |  | ||||||
|         <br/> |  | ||||||
|         <form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag"> |  | ||||||
|             <div class="form-group"> |  | ||||||
|                 <div class="input-group"> |  | ||||||
|                     <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true" |  | ||||||
|                                                       style="font-size:20px"></i></div> |  | ||||||
|                     <input type="text" class="form-control" id="flag" name="flag" |  | ||||||
|                            placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/> |  | ||||||
|                 </div> |  | ||||||
|                 <div class="input-group" style="margin-top: 10px"> |  | ||||||
|                     <button type="submit" class="btn btn-primary">Submit flag</button> |  | ||||||
|                 </div> |  | ||||||
|             </div> |  | ||||||
|  |  | ||||||
|         </form> |  | ||||||
|  |  | ||||||
|         <br/> |  | ||||||
|         <div class="attack-feedback"></div> |  | ||||||
|         <div class="attack-output"></div> |  | ||||||
|     </div> |  | ||||||
| </div> |  | ||||||
|  |  | ||||||
| </html> |  | ||||||
| @ -1,49 +0,0 @@ | |||||||
| package org.owasp.webgoat.plugin.challenge2; |  | ||||||
|  |  | ||||||
| import org.hamcrest.CoreMatchers; |  | ||||||
| import org.junit.Before; |  | ||||||
| import org.junit.Test; |  | ||||||
| import org.junit.runner.RunWith; |  | ||||||
| import org.mockito.runners.MockitoJUnitRunner; |  | ||||||
| import org.owasp.webgoat.assignments.AssignmentEndpointTest; |  | ||||||
| import org.owasp.webgoat.plugin.Flag; |  | ||||||
| import org.owasp.webgoat.plugin.SolutionConstants; |  | ||||||
| import org.springframework.test.web.servlet.MockMvc; |  | ||||||
| import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; |  | ||||||
|  |  | ||||||
| import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; |  | ||||||
| import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup; |  | ||||||
|  |  | ||||||
| /** |  | ||||||
|  * @author nbaars |  | ||||||
|  * @since 5/2/17. |  | ||||||
|  */ |  | ||||||
| @RunWith(MockitoJUnitRunner.class) |  | ||||||
| public class Assignment2Test extends AssignmentEndpointTest { |  | ||||||
|  |  | ||||||
|     private MockMvc mockMvc; |  | ||||||
|  |  | ||||||
|     @Before |  | ||||||
|     public void setup() { |  | ||||||
|         Assignment2 assignment2 = new Assignment2(); |  | ||||||
|         init(assignment2); |  | ||||||
|         new Flag().initFlags(); |  | ||||||
|         this.mockMvc = standaloneSetup(assignment2).build(); |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|     @Test |  | ||||||
|     public void success() throws Exception { |  | ||||||
|         mockMvc.perform(MockMvcRequestBuilders.post("/challenge/2") |  | ||||||
|                 .param("checkoutCode", SolutionConstants.SUPER_COUPON_CODE)) |  | ||||||
|                 .andExpect(jsonPath("$.feedback", CoreMatchers.containsString("flag: " + Flag.FLAGS.get(2)))) |  | ||||||
|                 .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true))); |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|     @Test |  | ||||||
|     public void wrongCouponCode() throws Exception { |  | ||||||
|         mockMvc.perform(MockMvcRequestBuilders.post("/challenge/2") |  | ||||||
|                 .param("checkoutCode", "test")) |  | ||||||
|                 .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved")))) |  | ||||||
|                 .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false))); |  | ||||||
|     } |  | ||||||
| } |  | ||||||
| @ -1,9 +1,9 @@ | |||||||
| package org.owasp.webgoat.plugin.challenge2; | package org.owasp.webgoat.plugin; | ||||||
| 
 | 
 | ||||||
| import org.owasp.webgoat.assignments.AssignmentEndpoint; | import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||||
|  | import org.owasp.webgoat.assignments.AssignmentHints; | ||||||
| import org.owasp.webgoat.assignments.AssignmentPath; | import org.owasp.webgoat.assignments.AssignmentPath; | ||||||
| import org.owasp.webgoat.assignments.AttackResult; | import org.owasp.webgoat.assignments.AttackResult; | ||||||
| import org.owasp.webgoat.plugin.Flag; |  | ||||||
| import org.springframework.web.bind.annotation.RequestMapping; | import org.springframework.web.bind.annotation.RequestMapping; | ||||||
| import org.springframework.web.bind.annotation.RequestMethod; | import org.springframework.web.bind.annotation.RequestMethod; | ||||||
| import org.springframework.web.bind.annotation.RequestParam; | import org.springframework.web.bind.annotation.RequestParam; | ||||||
| @ -11,22 +11,23 @@ import org.springframework.web.bind.annotation.ResponseBody; | |||||||
| 
 | 
 | ||||||
| import java.io.IOException; | import java.io.IOException; | ||||||
| 
 | 
 | ||||||
| import static org.owasp.webgoat.plugin.SolutionConstants.SUPER_COUPON_CODE; |  | ||||||
| 
 |  | ||||||
| /** | /** | ||||||
|  * @author nbaars |  * @author nbaars | ||||||
|  * @since 4/6/17. |  * @since 4/6/17. | ||||||
|  */ |  */ | ||||||
| @AssignmentPath("/challenge/2") | @AssignmentPath("/clientSideFiltering/getItForFree") | ||||||
| public class Assignment2 extends AssignmentEndpoint { | @AssignmentHints({"client.side.filtering.free.hint1", "client.side.filtering.free.hint2", "client.side.filtering.free.hint3"}) | ||||||
|  | public class ClientSideFilteringFreeAssignment extends AssignmentEndpoint { | ||||||
|  | 
 | ||||||
|  |     public static final String SUPER_COUPON_CODE = "get_it_for_free"; | ||||||
| 
 | 
 | ||||||
|     @RequestMapping(method = RequestMethod.POST) |     @RequestMapping(method = RequestMethod.POST) | ||||||
|     public |     public | ||||||
|     @ResponseBody |     @ResponseBody | ||||||
|     AttackResult completed(@RequestParam String checkoutCode) throws IOException { |     AttackResult completed(@RequestParam String checkoutCode) { | ||||||
|         if (SUPER_COUPON_CODE.equals(checkoutCode)) { |         if (SUPER_COUPON_CODE.equals(checkoutCode)) { | ||||||
|             return success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(2)).build(); |             return trackProgress(success().build()); | ||||||
|         } |         } | ||||||
|         return failed().build(); |         return trackProgress(failed().build()); | ||||||
|     } |     } | ||||||
| } | } | ||||||
| @ -1,4 +1,4 @@ | |||||||
| package org.owasp.webgoat.plugin.challenge2; | package org.owasp.webgoat.plugin; | ||||||
| 
 | 
 | ||||||
| import com.beust.jcommander.internal.Lists; | import com.beust.jcommander.internal.Lists; | ||||||
| import lombok.AllArgsConstructor; | import lombok.AllArgsConstructor; | ||||||
| @ -12,21 +12,21 @@ import org.springframework.web.bind.annotation.RestController; | |||||||
| import java.util.List; | import java.util.List; | ||||||
| import java.util.Optional; | import java.util.Optional; | ||||||
| 
 | 
 | ||||||
| import static org.owasp.webgoat.plugin.SolutionConstants.SUPER_COUPON_CODE; | import static org.owasp.webgoat.plugin.ClientSideFilteringFreeAssignment.SUPER_COUPON_CODE; | ||||||
| 
 | 
 | ||||||
| /** | /** | ||||||
|  * @author nbaars |  * @author nbaars | ||||||
|  * @since 4/6/17. |  * @since 4/6/17. | ||||||
|  */ |  */ | ||||||
| @RestController | @RestController | ||||||
| @RequestMapping("challenge-store") | @RequestMapping("/clientSideFiltering/challenge-store") | ||||||
| public class ShopEndpoint { | public class ShopEndpoint { | ||||||
| 
 | 
 | ||||||
|     @AllArgsConstructor |     @AllArgsConstructor | ||||||
|     private class CheckoutCodes { |     private class CheckoutCodes { | ||||||
| 
 | 
 | ||||||
|         @Getter |         @Getter | ||||||
|         private List<CheckoutCode> codes = Lists.newArrayList(); |         private List<CheckoutCode> codes; | ||||||
| 
 | 
 | ||||||
|         public Optional<CheckoutCode> get(String code) { |         public Optional<CheckoutCode> get(String code) { | ||||||
|             return codes.stream().filter(c -> c.getCode().equals(code)).findFirst(); |             return codes.stream().filter(c -> c.getCode().equals(code)).findFirst(); | ||||||
| @ -73,7 +73,96 @@ | |||||||
|         <!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons --> |         <!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons --> | ||||||
|     </div> |     </div> | ||||||
| </div> | </div> | ||||||
|  | <div class="lesson-page-wrapper"> | ||||||
|  |     <div class="adoc-content" th:replace="doc:ClientSideFiltering_final.adoc"></div> | ||||||
|  |     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/clientSideFilteringFree.css}"/> | ||||||
|  |     <script th:src="@{/lesson_js/clientSideFilteringFree.js}" language="JavaScript"></script> | ||||||
|  |     <div class="attack-container"> | ||||||
|  |         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> | ||||||
|  |  | ||||||
|  |         <div class="container-fluid"> | ||||||
|  |             <form class="attack-form" accept-charset="UNKNOWN" | ||||||
|  |                   method="POST" name="form" | ||||||
|  |                   action="/WebGoat/clientSideFiltering/getItForFree" | ||||||
|  |                   enctype="application/json;charset=UTF-8"> | ||||||
|  |  | ||||||
|  |                 <input id="discount" type="hidden" value="0"/> | ||||||
|  |                 <div class="row"> | ||||||
|  |  | ||||||
|  |                     <div class="col-xs-3 item-photo"> | ||||||
|  |                         <img style="max-width:100%;" th:src="@{/images/samsung-black.jpg}"/> | ||||||
|  |                     </div> | ||||||
|  |                     <div class="col-xs-5" style="border:0px solid gray"> | ||||||
|  |                         <h3>Samsung Galaxy S8</h3> | ||||||
|  |                         <h5 style="color:#337ab7"><a href="http://www.samsung.com">Samsung</a> · | ||||||
|  |                             <small style="color:#337ab7">(124421 reviews)</small> | ||||||
|  |                         </h5> | ||||||
|  |  | ||||||
|  |                         <h6 class="title-price"> | ||||||
|  |                             <small>PRICE</small> | ||||||
|  |                         </h6> | ||||||
|  |                         <h3 style="margin-top:0px;"><span>US $</span><span id="price">899</span></h3> | ||||||
|  |  | ||||||
|  |                         <div class="section"> | ||||||
|  |                             <h6 class="title-attr" style="margin-top:15px;"> | ||||||
|  |                                 <small>COLOR</small> | ||||||
|  |                             </h6> | ||||||
|  |                             <div> | ||||||
|  |                                 <div class="attr" style="width:25px;background:lightgrey;"></div> | ||||||
|  |                                 <div class="attr" style="width:25px;background:black;"></div> | ||||||
|  |                             </div> | ||||||
|  |                         </div> | ||||||
|  |                         <div class="section" style="padding-bottom:5px;"> | ||||||
|  |                             <h6 class="title-attr"> | ||||||
|  |                                 <small>CAPACITY</small> | ||||||
|  |                             </h6> | ||||||
|  |                             <div> | ||||||
|  |                                 <div class="attr2">64 GB</div> | ||||||
|  |                                 <div class="attr2">128 GB</div> | ||||||
|  |                             </div> | ||||||
|  |                         </div> | ||||||
|  |                         <div class="section" style="padding-bottom:5px;"> | ||||||
|  |                             <h6 class="title-attr"> | ||||||
|  |                                 <small>QUANTITY</small> | ||||||
|  |                             </h6> | ||||||
|  |                             <div> | ||||||
|  |                                 <div class="btn-minus"><span class="glyphicon glyphicon-minus"></span></div> | ||||||
|  |                                 <input class="quantity" value="1"/> | ||||||
|  |                                 <div class="btn-plus"><span class="glyphicon glyphicon-plus"></span></div> | ||||||
|  |                             </div> | ||||||
|  |                         </div> | ||||||
|  |  | ||||||
|  |                         <div class="section" style="padding-bottom:5px;"> | ||||||
|  |                             <h6 class="title-attr"> | ||||||
|  |                                 <small>CHECKOUT CODE</small> | ||||||
|  |                             </h6> | ||||||
|  |                             <!-- | ||||||
|  |                               Checkout code: webgoat, owasp, owasp-webgoat | ||||||
|  |                             --> | ||||||
|  |                             <input name="checkoutCode" class="checkoutCode" value=""/> | ||||||
|  |  | ||||||
|  |                         </div> | ||||||
|  |  | ||||||
|  |                         <div class="section" style="padding-bottom:20px;"> | ||||||
|  |                             <button type="submit" class="btn btn-success"><span style="margin-right:20px" | ||||||
|  |                                                                                 class="glyphicon glyphicon-shopping-cart" | ||||||
|  |                                                                                 aria-hidden="true"></span>Buy | ||||||
|  |                             </button> | ||||||
|  |                             <h6><a href="#"><span class="glyphicon glyphicon-heart-empty" | ||||||
|  |                                                   style="cursor:pointer;"></span> | ||||||
|  |                                 Like</a></h6> | ||||||
|  |                         </div> | ||||||
|  |                     </div> | ||||||
|  |                 </div> | ||||||
|  |  | ||||||
|  |             </form> | ||||||
|  |         </div> | ||||||
|  |         <br/> | ||||||
|  |         <br/> | ||||||
|  |         <div class="attack-feedback"></div> | ||||||
|  |         <div class="attack-output"></div> | ||||||
|  |     </div> | ||||||
|  | </div> | ||||||
|  |  | ||||||
| </html> | </html> | ||||||
|  |  | ||||||
|  | |||||||
| @ -26,3 +26,7 @@ ClientSideFilteringHint10=Stage 2: Your filter operator should look something li | |||||||
| ClientSideFilteringInstructions1=STAGE 1: You are logged in as Moe Stooge, CSO of Goat Hills Financial. You have access to everyone in the company's information, except the CEO,  .  Or at least you shouldn't have access to the CEO's information.  For this exercise, examine the contents of the page to see what extra information you can find. | ClientSideFilteringInstructions1=STAGE 1: You are logged in as Moe Stooge, CSO of Goat Hills Financial. You have access to everyone in the company's information, except the CEO,  .  Or at least you shouldn't have access to the CEO's information.  For this exercise, examine the contents of the page to see what extra information you can find. | ||||||
| ClientSideFilteringInstructions2=STAGE 2: Now, fix the problem.  Modify the server to only return results that Moe Stooge is allowed to see. | ClientSideFilteringInstructions2=STAGE 2: Now, fix the problem.  Modify the server to only return results that Moe Stooge is allowed to see. | ||||||
| ClientSideFiltering.incorrect=This is not the salary from Neville Bartholomew... | ClientSideFiltering.incorrect=This is not the salary from Neville Bartholomew... | ||||||
|  |  | ||||||
|  | client.side.filtering.free.hint1=Look through the webpage inspect the sources etc | ||||||
|  | client.side.filtering.free.hint2=Try to see the flow of request from the page to the backend | ||||||
|  | client.side.fiterling.free.hint3=One of the responses contains the answer | ||||||
|  | |||||||
| Before Width: | Height: | Size: 12 KiB After Width: | Height: | Size: 12 KiB | 
| Before Width: | Height: | Size: 11 KiB After Width: | Height: | Size: 11 KiB | 
| @ -38,7 +38,7 @@ $(document).ready(function () { | |||||||
|     }) |     }) | ||||||
|     $(".checkoutCode").on("blur", function () { |     $(".checkoutCode").on("blur", function () { | ||||||
|         var checkoutCode = $(".checkoutCode").val(); |         var checkoutCode = $(".checkoutCode").val(); | ||||||
|         $.get("challenge-store/coupons/" + checkoutCode, function (result, status) { |         $.get("clientSideFiltering/challenge-store/coupons/" + checkoutCode, function (result, status) { | ||||||
|             var discount = result.discount; |             var discount = result.discount; | ||||||
|             if (discount > 0) { |             if (discount > 0) { | ||||||
|                 $('#discount').text(discount); |                 $('#discount').text(discount); | ||||||
| @ -0,0 +1,49 @@ | |||||||
|  | package org.owasp.webgoat.plugin; | ||||||
|  |  | ||||||
|  | import org.hamcrest.CoreMatchers; | ||||||
|  | import org.junit.Before; | ||||||
|  | import org.junit.Test; | ||||||
|  | import org.junit.runner.RunWith; | ||||||
|  | import org.mockito.runners.MockitoJUnitRunner; | ||||||
|  | import org.owasp.webgoat.plugins.LessonTest; | ||||||
|  | import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; | ||||||
|  | import org.springframework.test.web.servlet.MockMvc; | ||||||
|  | import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; | ||||||
|  | import org.springframework.test.web.servlet.setup.MockMvcBuilders; | ||||||
|  |  | ||||||
|  | import static org.mockito.Mockito.when; | ||||||
|  | import static org.owasp.webgoat.plugin.ClientSideFilteringFreeAssignment.SUPER_COUPON_CODE; | ||||||
|  | import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; | ||||||
|  |  | ||||||
|  | /** | ||||||
|  |  * @author nbaars | ||||||
|  |  * @since 5/2/17. | ||||||
|  |  */ | ||||||
|  | @RunWith(SpringJUnit4ClassRunner.class) | ||||||
|  | public class ClientSideFilteringFreeAssignmentTest extends LessonTest { | ||||||
|  |  | ||||||
|  |     private MockMvc mockMvc; | ||||||
|  |  | ||||||
|  |     @Before | ||||||
|  |     public void setup() { | ||||||
|  |         ClientSideFiltering clientSideFiltering = new ClientSideFiltering(); | ||||||
|  |         when(webSession.getCurrentLesson()).thenReturn(clientSideFiltering); | ||||||
|  |         this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build(); | ||||||
|  |         when(webSession.getUserName()).thenReturn("unit-test"); | ||||||
|  |     } | ||||||
|  |  | ||||||
|  |     @Test | ||||||
|  |     public void success() throws Exception { | ||||||
|  |         mockMvc.perform(MockMvcRequestBuilders.post("/clientSideFiltering/getItForFree") | ||||||
|  |                 .param("checkoutCode", SUPER_COUPON_CODE)) | ||||||
|  |                 .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true))); | ||||||
|  |     } | ||||||
|  |  | ||||||
|  |     @Test | ||||||
|  |     public void wrongCouponCode() throws Exception { | ||||||
|  |         mockMvc.perform(MockMvcRequestBuilders.post("/clientSideFiltering/getItForFree") | ||||||
|  |                 .param("checkoutCode", "test")) | ||||||
|  |                 .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved")))) | ||||||
|  |                 .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false))); | ||||||
|  |     } | ||||||
|  | } | ||||||
| @ -1,4 +1,4 @@ | |||||||
| package org.owasp.webgoat.plugin.challenge2; | package org.owasp.webgoat.plugin; | ||||||
| 
 | 
 | ||||||
| import org.hamcrest.CoreMatchers; | import org.hamcrest.CoreMatchers; | ||||||
| import org.junit.Before; | import org.junit.Before; | ||||||
| @ -9,7 +9,7 @@ import org.springframework.test.web.servlet.MockMvc; | |||||||
| import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; | import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; | ||||||
| 
 | 
 | ||||||
| import static org.hamcrest.Matchers.is; | import static org.hamcrest.Matchers.is; | ||||||
| import static org.owasp.webgoat.plugin.SolutionConstants.SUPER_COUPON_CODE; | import static org.owasp.webgoat.plugin.ClientSideFilteringFreeAssignment.SUPER_COUPON_CODE; | ||||||
| import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; | import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; | ||||||
| import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup; | import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup; | ||||||
| 
 | 
 | ||||||
| @ -30,28 +30,28 @@ public class ShopEndpointTest { | |||||||
| 
 | 
 | ||||||
|     @Test |     @Test | ||||||
|     public void getSuperCoupon() throws Exception { |     public void getSuperCoupon() throws Exception { | ||||||
|         mockMvc.perform(MockMvcRequestBuilders.get("/challenge-store/coupons/" + SUPER_COUPON_CODE)) |         mockMvc.perform(MockMvcRequestBuilders.get("/clientSideFiltering/challenge-store/coupons/" + SUPER_COUPON_CODE)) | ||||||
|                 .andExpect(jsonPath("$.code", CoreMatchers.is(SUPER_COUPON_CODE))) |                 .andExpect(jsonPath("$.code", CoreMatchers.is(SUPER_COUPON_CODE))) | ||||||
|                 .andExpect(jsonPath("$.discount", CoreMatchers.is(100))); |                 .andExpect(jsonPath("$.discount", CoreMatchers.is(100))); | ||||||
|     } |     } | ||||||
| 
 | 
 | ||||||
|     @Test |     @Test | ||||||
|     public void getCoupon() throws Exception { |     public void getCoupon() throws Exception { | ||||||
|         mockMvc.perform(MockMvcRequestBuilders.get("/challenge-store/coupons/webgoat")) |         mockMvc.perform(MockMvcRequestBuilders.get("/clientSideFiltering/challenge-store/coupons/webgoat")) | ||||||
|                 .andExpect(jsonPath("$.code", CoreMatchers.is("webgoat"))) |                 .andExpect(jsonPath("$.code", CoreMatchers.is("webgoat"))) | ||||||
|                 .andExpect(jsonPath("$.discount", CoreMatchers.is(25))); |                 .andExpect(jsonPath("$.discount", CoreMatchers.is(25))); | ||||||
|     } |     } | ||||||
| 
 | 
 | ||||||
|     @Test |     @Test | ||||||
|     public void askForUnknownCouponCode() throws Exception { |     public void askForUnknownCouponCode() throws Exception { | ||||||
|         mockMvc.perform(MockMvcRequestBuilders.get("/challenge-store/coupons/does-not-exists")) |         mockMvc.perform(MockMvcRequestBuilders.get("/clientSideFiltering/challenge-store/coupons/does-not-exists")) | ||||||
|                 .andExpect(jsonPath("$.code", CoreMatchers.is("no"))) |                 .andExpect(jsonPath("$.code", CoreMatchers.is("no"))) | ||||||
|                 .andExpect(jsonPath("$.discount", CoreMatchers.is(0))); |                 .andExpect(jsonPath("$.discount", CoreMatchers.is(0))); | ||||||
|     } |     } | ||||||
| 
 | 
 | ||||||
|     @Test |     @Test | ||||||
|     public void fetchAllTheCouponsShouldContainGetItForFree() throws Exception { |     public void fetchAllTheCouponsShouldContainGetItForFree() throws Exception { | ||||||
|         mockMvc.perform(MockMvcRequestBuilders.get("/challenge-store/coupons/")) |         mockMvc.perform(MockMvcRequestBuilders.get("/clientSideFiltering/challenge-store/coupons/")) | ||||||
|                 .andExpect(jsonPath("$.codes[3].code", is("get_it_for_free"))); |                 .andExpect(jsonPath("$.codes[3].code", is("get_it_for_free"))); | ||||||
|     } |     } | ||||||
| 
 | 
 | ||||||
| @ -28,7 +28,6 @@ public class SimpleXXETest extends LessonTest { | |||||||
|         when(webSession.getUserName()).thenReturn("unit-test"); |         when(webSession.getUserName()).thenReturn("unit-test"); | ||||||
|     } |     } | ||||||
|  |  | ||||||
|  |  | ||||||
|     @Test |     @Test | ||||||
|     public void workingAttack() throws Exception { |     public void workingAttack() throws Exception { | ||||||
|         //Call with XXE injection |         //Call with XXE injection | ||||||
|  | |||||||
		Reference in New Issue
	
	Block a user