From d7a2596670c8169e1d4f3c7bbfc06453cbf346c9 Mon Sep 17 00:00:00 2001
From: Nanne Baars
Date: Thu, 19 Sep 2019 07:54:30 +0200
Subject: [PATCH] Update lesson template
---
 .../webgoat/template/LessonTemplate.java | 2 +
 .../en/lesson-template-attack.adoc | 122 +++++++++++++++++-
 .../lessonPlans/en/lesson-template-intro.adoc | 2 +-
 3 files changed, 124 insertions(+), 2 deletions(-)
diff --git a/webgoat-lessons/webgoat-lesson-template/src/main/java/org/owasp/webgoat/template/LessonTemplate.java b/webgoat-lessons/webgoat-lesson-template/src/main/java/org/owasp/webgoat/template/LessonTemplate.java
index 28c0e514a..00d15dbec 100644
--- a/webgoat-lessons/webgoat-lesson-template/src/main/java/org/owasp/webgoat/template/LessonTemplate.java
+++ b/webgoat-lessons/webgoat-lesson-template/src/main/java/org/owasp/webgoat/template/LessonTemplate.java
@@ -3,6 +3,7 @@ package org.owasp.webgoat.template;
 import com.beust.jcommander.internal.Lists;
 import org.owasp.webgoat.lessons.Category;
 import org.owasp.webgoat.lessons.NewLesson;
+import org.springframework.stereotype.Component;
 import java.util.List;
@@ -35,6 +36,7 @@ import java.util.List;
  * @version $Id: $Id
  * @since January 3, 2017
  */
+@Component
 public class LessonTemplate extends NewLesson {
 @Override
diff --git a/webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-attack.adoc b/webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-attack.adoc
index 38da6689b..fb07ed7d4 100644
--- a/webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-attack.adoc
+++ b/webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-attack.adoc
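Review bot: Adding `@Component` to `LessonTemplate` (second hunk) does more than illustrate the annotation for the tutorial: it registers the template class as a Spring bean, so any WebGoat build that component-scans `org.owasp.webgoat.template` will now pick the template up as a real lesson and list it in the UI. That is harmless for a scaffold developers copy, but if the template module ends up on the packaged application's classpath the placeholder lesson and whatever example endpoints sit next to it become live; I cannot tell from this diff whether the module is packaged. If the goal is only to show the annotation, keep it in the adoc example and leave the class un-annotated, or state the intent on the class: `/** Registered as a bean on purpose so the template appears as a lesson; keep this module out of the packaged app if that is not wanted. */`. The class Javadoc starts before the hunk.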
@@ -1,3 +1,123 @@
 === Attack Explanation
-Explanation of attack here ... Instructions etc.
\ No newline at end of file
+Each lesson can contain multiple assignments, first let's define a lesson class in Java
+
+[source]
+----
+@Component
+public class LessonTemplate extends NewLesson {
+ @Override
+ public Category getDefaultCategory() {
+ return Category.GENERAL;
+ }
+
+ @Override
+ public List getHints() {
+ return Lists.newArrayList();
+ }
+
+ @Override
+ public Integer getDefaultRanking() {
+ return 30;
+ }
+
+ @Override
+ public String getTitle() {
+ return "lesson-template.title";
+ }
+
+ @Override
+ public String getId() {
+ return "LessonTemplate";
+ }
+}
+----
+
+This implementation is quite straightforward. Now for an assignment you need to implement:
+
+[source]
+----
+@RestController
+public class SampleAttack extends AssignmentEndpoint {
+
+ String secretValue = "secr37Value";
+
+ //UserSessionData is bound to session and can be used to persist data across multiple assignments
+ @Autowired
+ UserSessionData userSessionData;
+
+
+ @GetMapping(path = "/lesson-template/sample-attack", produces = {"application/json"})
+ @ResponseBody
+ public AttackResult completed(String param1, String param2, HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+ if (userSessionData.getValue("some-value") != null) {
+ // do any session updating you want here ... or not, just comment/example here
+ //return trackProgress(failed().feedback("lesson-template.sample-attack.failure-2").build());
+ }
+
+ //overly simple example for success. See other existing lesssons for ways to detect 'success' or 'failure'
+ if (secretValue.equals(param1)) {
+ return trackProgress(success()
+ .output("Custom Output ...if you want, for success")
+ .feedback("lesson-template.sample-attack.success")
+ .build());
+ //lesson-template.sample-attack.success is defined in src/main/resources/i18n/WebGoatLabels.properties
+ }
+
+ // else
+ return trackProgress(failed()
+ .feedback("lesson-template.sample-attack.failure-2")
+ .output("Custom output for this failure scenario, usually html that will get rendered directly ... yes, you can self-xss if you want")
+ .build());
+ }
+
+ @GetMapping("lesson-template/shop/{user}")
+ @ResponseBody
+ public List getItemsInBasket(@PathVariable("user") String user) {
+ ....
+ }
+}
+----
+
+As you can see an assignment is a REST controller which need to at least have one method with the following signature:
+
+[source]
+----
+@RequestMapping(method = "...", path = "/lesson-template/solution")
+@ResponseBody
+public AttackResult solve(String param) {
+ ...
+}
+----
+
+Other endpoints can be added in the assignment to support different cases for the assignment.
+
+### Glue between html and assignment
+
+We mentioned a lesson can consist of multiple assignments, WebGoat picks them up automatically and the UI displays
+a navigation bar on top of every lesson. A page with an assignment will be red in the beginning and will become
+green when the user solves the assignment. To make this work in the html we need to add:
+
+[source]
+----
+div class="attack-container">
+
+ + + + + +
+ .... +
+ + +---- + +So the `action` of the form should match the method which defines the check if the lesson has been solved or not +see `public AttackResult solved()` + +That's it you now successfully created your first WebGoat lesson. \ No newline at end of file diff --git a/webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-intro.adoc b/webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-intro.adoc index acf3e5bb9..eafc0d840 100644 --- a/webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-intro.adoc +++ b/webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-intro.adoc @@ -13,7 +13,7 @@ You should set up all content so that it is these *.adoc files. === Images -Images can be refereneced as below including setting style (recommended to use lesson-image as the style). The root is {lesson}/src/main/resources +Images can be referenced as below including setting style (recommended to use lesson-image as the style). The root is {lesson}/src/main/resources image::images/firefox-proxy-config.png[Firefox Proxy Config,510,634,style="lesson-image"]