Let user-composed (CSRF) attacks send one-request actions, as opposed to the address bar MVC links requesting lessons. The lesson display servlets have javascript that requests data and actions.

2015-11-07 03:56:34 -05:00
parent 05a1f5dd3a
commit de71f2700e
2 changed files with 87 additions and 6 deletions
--- a/webgoat-container/src/test/java/org/owasp/webgoat/lessons/AbstractLessonTest.java
+++ b/webgoat-container/src/test/java/org/owasp/webgoat/lessons/AbstractLessonTest.java
@ -0,0 +1,62 @@
+package org.owasp.webgoat.lessons;
+
+import org.apache.ecs.Element;
+import org.apache.ecs.ElementContainer;
+import org.hamcrest.CoreMatchers;
+import org.junit.Test;
+import org.owasp.webgoat.session.WebSession;
+
+import java.util.Arrays;
+import java.util.List;
+
+import static org.junit.Assert.assertThat;
+
+public class AbstractLessonTest  {
+
+    private AbstractLesson lesson = new AbstractLesson() {
+        protected Element createContent(WebSession s) {
+            return new ElementContainer();
+        }
+        public Category getCategory() {
+            return Category.XSS;
+        }
+        protected Integer getDefaultRanking() { 
+            return new Integer(5);
+        }
+        protected Category getDefaultCategory() {
+            return Category.INTRODUCTION;
+        }
+        protected boolean getDefaultHidden() {
+            return false;
+        }
+        protected List<String> getHints(WebSession s) {
+            return Arrays.<String>asList();
+        }
+        public String getInstructions(WebSession s) {
+            return "Instructions";
+        }
+        public String getTitle() {
+            return "title";
+        }
+        public String getCurrentAction(WebSession s) {
+            return "an action";
+        }
+        public void restartLesson() {
+        }
+        public void setCurrentAction(WebSession s, String lessonScreen) {
+        }
+    };
+
+    @Test
+    public void testLinks() {
+        String mvcLink = lesson.getLink();
+        assertThat(mvcLink, CoreMatchers.startsWith("#attack/"));
+        assertThat(mvcLink, CoreMatchers.endsWith("/900"));
+
+        String srvLink = lesson.getServletLink();
+        assertThat(srvLink, CoreMatchers.startsWith("attack?Screen="));
+        assertThat(srvLink, CoreMatchers.endsWith("&menu=900"));
+    }
+}
+
+