Merge branch 'develop' of github.com:misfir3/WebGoat into develop
							
								
								
									
										3
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							
							
						
						| @ -42,4 +42,7 @@ webgoat-lessons/**/target | ||||
| **/.DS_Store | ||||
| webgoat-server/mongo-data/* | ||||
| webgoat-lessons/vulnerable-components/dependency-reduced-pom.xml | ||||
| **/.sts4-cache/* | ||||
| **/.vscode/* | ||||
|  | ||||
| /.sonatype | ||||
| @ -20,8 +20,8 @@ git flow release publish | ||||
| Now we can make a new release, be sure you committed all your changes. | ||||
|  | ||||
| ``` | ||||
| git tag v8.0.0.M3 | ||||
| git push origin v8.0.0.M3  | ||||
| git tag v8.0.0.M15 | ||||
| git push origin v8.0.0.M15  | ||||
| ``` | ||||
|  | ||||
| Now Travis takes over and will create the release in Github and on Docker Hub.  | ||||
|  | ||||
							
								
								
									
										34
									
								
								README.MD
									
									
									
									
									
								
							
							
						
						| @ -29,7 +29,18 @@ first thing that all hackers claim.* | ||||
|  | ||||
| # Run Instructions: | ||||
|  | ||||
| ## 1. Run using Docker | ||||
| ## 1. Standalone  | ||||
|  | ||||
| Download the latest WebGoat release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases) | ||||
|  | ||||
| ```Shell | ||||
| java -jar webgoat-server-<<version>>.jar [--server.port=8080] [--server.address=localhost] | ||||
| ``` | ||||
|  | ||||
| By default WebGoat starts on port 8080 with `--server.port` you can specify a different port. With `server.address` you | ||||
| can bind it to a different address (default localhost) | ||||
|  | ||||
| ## 2. Run using Docker | ||||
|  | ||||
| From time to time we publish a new development preview of WebGoat 8 on Docker HUB, you can download this version | ||||
| [https://hub.docker.com/r/webgoat/webgoat-8.0/](https://hub.docker.com/r/webgoat/webgoat-8.0/). | ||||
| @ -65,27 +76,6 @@ Here you'll be able to register a new user and get started. | ||||
|  | ||||
| _Please note: this version may not be completely in sync with the develop branch._ | ||||
|  | ||||
| ## 2. Standalone  | ||||
|  | ||||
| Download the latest WebWolf release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases) | ||||
|  | ||||
| ```Shell | ||||
| java -jar webgoat-server-<<version>>.jar | ||||
| ``` | ||||
|  | ||||
| By default WebGoat starts at port 8080 in order to change this use the following property: | ||||
|  | ||||
| ```Shell | ||||
| java -jar webgoat-server-<<version>>.jar --server.port=9090 | ||||
| ``` | ||||
|  | ||||
| You can specify one of the following arguments when starting WebGoat: | ||||
|  | ||||
| ```Shell | ||||
| java -jar webgoat-server-<<version>>.jar --server.port=9090 --server.address=x.x.x.x | ||||
| ``` | ||||
|  | ||||
| This will start WebGoat on a different port and/or different address. | ||||
|  | ||||
|  | ||||
| ## 3. Run from the sources | ||||
|  | ||||
| @ -6,6 +6,7 @@ services: | ||||
|     user: webgoat | ||||
|     environment: | ||||
|       - WEBWOLF_HOST=webwolf | ||||
|       - WEBWOLF_PORT=9090 | ||||
|       - spring.datasource.url=jdbc:postgresql://webgoat_db:5432/webgoat | ||||
|       - spring.datasource.username=webgoat | ||||
|       - spring.datasource.password=webgoat | ||||
| @ -22,7 +23,7 @@ services: | ||||
|       - spring.datasource.driver-class-name=org.postgresql.Driver | ||||
|       - spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL94Dialect | ||||
|     ports: | ||||
|       - "8081:8081" | ||||
|       - "9090:9090" | ||||
|   db: | ||||
|     container_name: webgoat_db | ||||
|     image: postgres:latest | ||||
|  | ||||
| @ -5,6 +5,7 @@ services: | ||||
|     image: webgoat/webgoat-8.0 | ||||
|     environment: | ||||
|       - WEBWOLF_HOST=webwolf | ||||
|       - WEBWOLF_PORT=9090 | ||||
|       - spring.datasource.url=jdbc:hsqldb:hsql://webgoat_db:9001/webgoat | ||||
|     ports: | ||||
|       - "8080:8080" | ||||
| @ -15,7 +16,7 @@ services: | ||||
|     environment: | ||||
|           - spring.datasource.url=jdbc:hsqldb:hsql://webgoat_db:9001/webgoat | ||||
|     ports: | ||||
|       - "8081:8081" | ||||
|       - "9090:9090" | ||||
|     depends_on: | ||||
|       - db | ||||
|   db: | ||||
|  | ||||
							
								
								
									
										9
									
								
								pom.xml
									
									
									
									
									
								
							
							
						
						| @ -1,11 +1,12 @@ | ||||
| <?xml version="1.0"?> | ||||
| <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> | ||||
| <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||||
|          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> | ||||
|  | ||||
|     <modelVersion>4.0.0</modelVersion> | ||||
|     <groupId>org.owasp.webgoat</groupId> | ||||
|     <artifactId>webgoat-parent</artifactId> | ||||
|     <packaging>pom</packaging> | ||||
|     <version>v8.0.0.M14</version> | ||||
|     <version>v8.0.0.SNAPSHOT</version> | ||||
|  | ||||
|     <name>WebGoat Parent Pom</name> | ||||
|     <description>Parent Pom for the WebGoat Project. A deliberately insecure Web Application</description> | ||||
| @ -225,7 +226,9 @@ | ||||
|                                 </goals> | ||||
|                                 <phase>generate-resources</phase> | ||||
|                                 <configuration> | ||||
|                                     <outputDirectory>${project.basedir}/webgoat-container/src/main/webapp/plugin_lessons</outputDirectory> | ||||
|                                     <outputDirectory> | ||||
|                                         ${project.basedir}/webgoat-container/src/main/webapp/plugin_lessons | ||||
|                                     </outputDirectory> | ||||
|                                     <includeArtifactIds>dist</includeArtifactIds> | ||||
|                                     <includes>*.jar</includes> | ||||
|                                 </configuration> | ||||
|  | ||||
							
								
								
									
										32
									
								
								scripts/build-all.sh
									
									
									
									
									
										Normal file
									
								
							
							
						
						| @ -0,0 +1,32 @@ | ||||
| #!/usr/bin/env bash | ||||
|  | ||||
| cd .. | ||||
|  | ||||
| nc -zv 127.0.0.1 8080 2>/dev/null | ||||
| SUCCESS=$? | ||||
| nc -zv 127.0.0.1 9090 2>/dev/null | ||||
| SUCCESS=${SUCCESS}$? | ||||
|  | ||||
| if [[ "${SUCCESS}" -eq 00 ]] ; then | ||||
|   echo "WebGoat and or WebWolf are still running, please stop them first otherwise unit tests might fail!" | ||||
|   exit 127 | ||||
| fi | ||||
|  | ||||
|  | ||||
| #mvn clean install | ||||
| #if [[ "$?" -ne 0 ]] ; then | ||||
| #  exit y$? | ||||
| #fi | ||||
|  | ||||
| cd - | ||||
| sh build_docker.sh | ||||
|  | ||||
| echo "Do you want to run docker-compose?" | ||||
| while true; do | ||||
|     read -p "Do you want to run docker-compose?" yn | ||||
|     case ${yn} in | ||||
|         [Yy]* ) sh clean-run-docker-compose.sh; break;; | ||||
|         [Nn]* ) exit;; | ||||
|         * ) echo "Please answer yes or no.";; | ||||
|     esac | ||||
| done | ||||
							
								
								
									
										10
									
								
								scripts/build_docker.sh
									
									
									
									
									
										Normal file
									
								
							
							
						
						| @ -0,0 +1,10 @@ | ||||
| #!/bin/bash | ||||
|  | ||||
| WEBGOAT_HOME=$(pwd)/../ | ||||
|  | ||||
| cd ${WEBGOAT_HOME}/webgoat-server | ||||
| docker build -t webgoat/webgoat-8.0 . | ||||
|  | ||||
| cd ${WEBGOAT_HOME}/webwolf | ||||
| docker build -t webgoat/webwolf . | ||||
|  | ||||
							
								
								
									
										5
									
								
								scripts/clean-run-docker-compose.sh
									
									
									
									
									
										Normal file
									
								
							
							
						
						| @ -0,0 +1,5 @@ | ||||
| #!/usr/bin/env bash | ||||
|  | ||||
| cd .. | ||||
| docker-compose rm -f | ||||
| docker-compose up | ||||
| @ -10,10 +10,10 @@ if [ "${BRANCH}" == "master" ] && [ ! -z "${TRAVIS_TAG}" ]; then | ||||
|   # If we push a tag to master this will update the LATEST Docker image and tag with the version number | ||||
|   docker build --build-arg webgoat_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:latest -t $REPO:${TRAVIS_TAG} . | ||||
|   docker push $REPO | ||||
| elif [ ! -z "${TRAVIS_TAG}" ]; then | ||||
|   # Creating a tag build we push it to Docker with that tag | ||||
|   docker build --build-arg webgoat_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:${TRAVIS_TAG} -t $REPO:latest . | ||||
|   docker push $REPO | ||||
| #elif [ ! -z "${TRAVIS_TAG}" ]; then | ||||
| #  # Creating a tag build we push it to Docker with that tag | ||||
| #  docker build --build-arg webgoat_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:${TRAVIS_TAG} -t $REPO:latest . | ||||
| #  docker push $REPO | ||||
| #elif [ "${BRANCH}" == "develop" ]; then | ||||
| #  docker build -f Dockerfile -t $REPO:snapshot . | ||||
| #  docker push $REPO | ||||
|  | ||||
							
								
								
									
										4
									
								
								scripts/run-docker-compose.sh
									
									
									
									
									
										Normal file
									
								
							
							
						
						| @ -0,0 +1,4 @@ | ||||
| #!/usr/bin/env bash | ||||
|  | ||||
| cd .. | ||||
| docker-compose up | ||||
| @ -10,7 +10,7 @@ | ||||
|     <parent> | ||||
|         <groupId>org.owasp.webgoat</groupId> | ||||
|         <artifactId>webgoat-parent</artifactId> | ||||
|         <version>v8.0.0.M14</version> | ||||
|         <version>v8.0.0.SNAPSHOT</version> | ||||
|     </parent> | ||||
|  | ||||
|     <profiles> | ||||
|  | ||||
| @ -46,6 +46,7 @@ public enum Category { | ||||
|     INSECURE_CONFIGURATION("Insecure Configuration", new Integer(600)), | ||||
|     INSECURE_COMMUNICATION("Insecure Communication", new Integer(700)), | ||||
|     INSECURE_STORAGE("Insecure Storage", new Integer(800)), | ||||
|     INSECURE_DESERIALIZATION("Insecure Deserialization", new Integer(850)), | ||||
|     REQUEST_FORGERIES("Request Forgeries", new Integer(900)), | ||||
|     VULNERABLE_COMPONENTS("Vulnerable Components - A9", new Integer(950)), | ||||
|     AJAX_SECURITY("AJAX Security", new Integer(1000)), | ||||
|  | ||||
| @ -2,7 +2,6 @@ package org.owasp.webgoat.lessons; | ||||
|  | ||||
| import lombok.AllArgsConstructor; | ||||
| import lombok.Getter; | ||||
| import org.owasp.webgoat.session.WebSession; | ||||
|  | ||||
| /** | ||||
|  * <p>LessonInfoModel class.</p> | ||||
|  | ||||
| @ -81,6 +81,39 @@ public class CreateDB { | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     /** | ||||
|      * Description of the Method | ||||
|      * | ||||
|      * @param connection Description of the Parameter | ||||
|      * @throws SQLException Description of the Exception | ||||
|      */ | ||||
|     private void createJWTKeys(Connection connection) throws SQLException { | ||||
|         Statement statement = connection.createStatement(); | ||||
|  | ||||
|         // Drop servers table | ||||
|         try { | ||||
|             String dropTable = "DROP TABLE jwt_keys"; | ||||
|             statement.executeUpdate(dropTable); | ||||
|         } catch (SQLException e) { | ||||
|             System.out.println("Info - Could not drop jwtkeys table"); | ||||
|         } | ||||
|  | ||||
|         // Create the new table | ||||
|         try { | ||||
|             String createTableStatement = "CREATE TABLE jwt_keys" | ||||
|                     + " (" + "id varchar(20)," | ||||
|                     + "key varchar(20))"; | ||||
|             statement.executeUpdate(createTableStatement); | ||||
|  | ||||
|             String insertData1 = "INSERT INTO jwt_keys VALUES ('webgoat_key', 'qwertyqwerty1234')"; | ||||
|             String insertData2 = "INSERT INTO jwt_keys VALUES ('webwolf_key', 'doesnotreallymatter')"; | ||||
|             statement.executeUpdate(insertData1); | ||||
|             statement.executeUpdate(insertData2); | ||||
|         } catch (SQLException e) { | ||||
|             System.out.println("Error creating product table " + e.getLocalizedMessage()); | ||||
|         } | ||||
|     } | ||||
|  | ||||
|  | ||||
|     /** | ||||
|      * Description of the Method | ||||
| @ -975,6 +1008,7 @@ public class CreateDB { | ||||
|         createTanTable(connection); | ||||
|         createMFEImagesTable(connection); | ||||
|         createModifyWithSQLLessonTable(connection); | ||||
|         createJWTKeys(connection); | ||||
|         System.out.println("Success: creating tables."); | ||||
|     } | ||||
| } | ||||
|  | ||||
| @ -4,6 +4,7 @@ import lombok.Getter; | ||||
| import lombok.Setter; | ||||
|  | ||||
| import javax.validation.constraints.NotNull; | ||||
| import javax.validation.constraints.Pattern; | ||||
| import javax.validation.constraints.Size; | ||||
|  | ||||
| /** | ||||
| @ -16,6 +17,7 @@ public class UserForm { | ||||
|  | ||||
|     @NotNull | ||||
|     @Size(min=6, max=20) | ||||
|     @Pattern(regexp = "[a-zA-Z0-9]*", message = "can only contain letters and digits") | ||||
|     private String username; | ||||
|     @NotNull | ||||
|     @Size(min=6, max=10) | ||||
|  | ||||
| @ -11,8 +11,8 @@ spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect | ||||
| spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver | ||||
|  | ||||
|  | ||||
| logging.level.org.springframework=WARN | ||||
| logging.level.org.springframework.boot.devtools=WARN | ||||
| logging.level.org.springframework=INFO | ||||
| logging.level.org.springframework.boot.devtools=INFO | ||||
| logging.level.org.owasp=DEBUG | ||||
| logging.level.org.owasp.webgoat=TRACE | ||||
|  | ||||
| @ -37,9 +37,9 @@ webgoat.database.connection.string=jdbc:hsqldb:mem:{USER} | ||||
| webgoat.default.language=en | ||||
|  | ||||
| webwolf.host=${WEBWOLF_HOST:localhost} | ||||
| webwolf.port=${WEBWOLF_PORT:8081} | ||||
| webwolf.port=${WEBWOLF_PORT:9090} | ||||
| webwolf.url=http://${webwolf.host}:${webwolf.port}/WebWolf | ||||
| webworf.url.landingpage=http://${webwolf.host}:${webwolf.port}/landing | ||||
| webwolf.url.landingpage=http://${webwolf.host}:${webwolf.port}/landing | ||||
| webwolf.url.mail=http://${webwolf.host}:${webwolf.port}/mail | ||||
|  | ||||
| spring.jackson.serialization.indent_output=true | ||||
|  | ||||
| @ -90,6 +90,8 @@ define(['jquery', | ||||
|             var prepareDataFunctionName = $(curForm).attr('prepareData'); | ||||
|             var callbackFunctionName = $(curForm).attr('callback'); | ||||
|             var submitData = (typeof webgoat.customjs[prepareDataFunctionName] === 'function') ? webgoat.customjs[prepareDataFunctionName]() : $(curForm).serialize(); | ||||
|             var additionalHeadersFunctionName =  $(curForm).attr('additionalHeaders'); | ||||
|             var additionalHeaders = (typeof webgoat.customjs[additionalHeadersFunctionName] === 'function') ? webgoat.customjs[additionalHeadersFunctionName]() : function() {}; | ||||
|             var successCallBackFunctionName = $(curForm).attr('successCallback'); | ||||
|             var failureCallbackFunctionName = $(curForm).attr('failureCallback'); | ||||
|             var callbackFunction = (typeof webgoat.customjs[callbackFunctionName] === 'function') ? webgoat.customjs[callbackFunctionName] : function() {}; | ||||
| @ -104,6 +106,7 @@ define(['jquery', | ||||
|             $.ajax({ | ||||
|                 //data:submitData, | ||||
|                 url:formUrl, | ||||
|                 headers: additionalHeaders, | ||||
|                 method:formMethod, | ||||
|                 contentType:contentType, | ||||
|                 data: submitData, | ||||
|  | ||||
| @ -123,8 +123,9 @@ | ||||
|     <section class="main-content-wrapper"> | ||||
|         <section id="main-content"> <!--ng-controller="goatLesson"--> | ||||
|             <div id="lesson-page" class="pages"> | ||||
|                 <span th:text="${numUsers}"> Users in WebGoat</span> | ||||
|                 <!-- iterate over users below -->su | ||||
|                 <span th:text="${numUsers}"></span> | ||||
|                 <span> Users in WebGoat</span> | ||||
|  | ||||
|                 <div sec:authorize="hasAuthority('WEBGOAT_ADMIN')"> | ||||
|                     <h3>WebGoat Users</h3> | ||||
|                     <div th:each="user : ${allUsers}"> | ||||
|  | ||||
| @ -1 +1,15 @@ | ||||
| <configuration /> | ||||
|  | ||||
| <!-- | ||||
| Enable below if you want to debug a unit test and see why the controller fails the configuration above is there | ||||
| to keep the Travis build going otherwise it fails with too much logging. | ||||
| //TODO we should use a different Spring profile for Travis | ||||
| --> | ||||
|  | ||||
| <!-- | ||||
| <configuration> | ||||
| <include resource="org/springframework/boot/logging/logback/base.xml"/> | ||||
| <logger name="org.springframework.web" level="DEBUG"/> | ||||
| </configuration> | ||||
|  | ||||
| --> | ||||
							
								
								
									
										2
									
								
								webgoat-images/vagrant-training/Vagrantfile
									
									
									
									
										vendored
									
									
								
							
							
						
						| @ -3,7 +3,7 @@ | ||||
| Vagrant.configure(2) do |config| | ||||
|   config.vm.box = "ubuntu/trusty64" | ||||
|   config.vm.network :forwarded_port, guest: 8080, host: 8080 | ||||
|   config.vm.network :forwarded_port, guest: 8081, host: 8081 | ||||
|   config.vm.network :forwarded_port, guest: 9090, host: 9090 | ||||
|   config.vm.provider "virtualbox" do |vb| | ||||
|   	vb.gui = false | ||||
|   	vb.memory = "4096" | ||||
|  | ||||
| @ -6,7 +6,7 @@ | ||||
|     <parent> | ||||
|         <groupId>org.owasp.webgoat.lesson</groupId> | ||||
|         <artifactId>webgoat-lessons-parent</artifactId> | ||||
|         <version>v8.0.0.M14</version> | ||||
|         <version>v8.0.0.SNAPSHOT</version> | ||||
|     </parent> | ||||
|  | ||||
| </project> | ||||
|  | ||||
| @ -6,6 +6,6 @@ | ||||
|     <parent> | ||||
|         <groupId>org.owasp.webgoat.lesson</groupId> | ||||
|         <artifactId>webgoat-lessons-parent</artifactId> | ||||
|         <version>v8.0.0.M14</version> | ||||
|         <version>v8.0.0.SNAPSHOT</version> | ||||
|     </parent> | ||||
| </project> | ||||
|  | ||||
| @ -6,7 +6,7 @@ | ||||
|     <parent> | ||||
|         <groupId>org.owasp.webgoat.lesson</groupId> | ||||
|         <artifactId>webgoat-lessons-parent</artifactId> | ||||
|         <version>v8.0.0.M14</version> | ||||
|         <version>v8.0.0.SNAPSHOT</version> | ||||
|     </parent> | ||||
|  | ||||
|  | ||||
|  | ||||
| @ -10,11 +10,6 @@ public interface SolutionConstants { | ||||
|  | ||||
|     //TODO should be random generated when starting the server | ||||
|     String PASSWORD = "!!webgoat_admin_1234!!"; | ||||
|     String SUPER_COUPON_CODE = "get_it_for_free"; | ||||
|     String PASSWORD_TOM = "thisisasecretfortomonly"; | ||||
|     String PASSWORD_LARRY = "larryknows"; | ||||
|     String JWT_PASSWORD = "victory"; | ||||
|     String ADMIN_PASSWORD_LINK = "375afe1104f4a487a73823c50a9292a2"; | ||||
|     String PASSWORD_TOM_9 = "somethingVeryRandomWhichNoOneWillEverTypeInAsPasswordForTom"; | ||||
|     String TOM_EMAIL = "tom@webgoat-cloud.org"; | ||||
| } | ||||
|  | ||||
| @ -1,39 +0,0 @@ | ||||
| package org.owasp.webgoat.plugin.challenge2; | ||||
|  | ||||
| import com.google.common.collect.Lists; | ||||
| import org.owasp.webgoat.lessons.Category; | ||||
| import org.owasp.webgoat.lessons.NewLesson; | ||||
|  | ||||
| import java.util.List; | ||||
|  | ||||
| /** | ||||
|  * @author nbaars | ||||
|  * @since 3/21/17. | ||||
|  */ | ||||
| public class Challenge2 extends NewLesson { | ||||
|  | ||||
|     @Override | ||||
|     public Category getDefaultCategory() { | ||||
|         return Category.CHALLENGE; | ||||
|     } | ||||
|  | ||||
|     @Override | ||||
|     public List<String> getHints() { | ||||
|         return Lists.newArrayList(); | ||||
|     } | ||||
|  | ||||
|     @Override | ||||
|     public Integer getDefaultRanking() { | ||||
|         return 10; | ||||
|     } | ||||
|  | ||||
|     @Override | ||||
|     public String getTitle() { | ||||
|         return "challenge2.title"; | ||||
|     } | ||||
|  | ||||
|     @Override | ||||
|     public String getId() { | ||||
|         return "Challenge2"; | ||||
|     } | ||||
| } | ||||
| @ -1,150 +0,0 @@ | ||||
| package org.owasp.webgoat.plugin.challenge3; | ||||
|  | ||||
| import com.beust.jcommander.internal.Lists; | ||||
| import com.fasterxml.jackson.databind.ObjectMapper; | ||||
| import com.google.common.collect.EvictingQueue; | ||||
| import com.google.common.collect.Maps; | ||||
| import com.google.common.io.Files; | ||||
| import lombok.SneakyThrows; | ||||
| import lombok.extern.slf4j.Slf4j; | ||||
| import org.joda.time.DateTime; | ||||
| import org.joda.time.format.DateTimeFormat; | ||||
| import org.joda.time.format.DateTimeFormatter; | ||||
| import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.owasp.webgoat.plugin.Flag; | ||||
| import org.owasp.webgoat.session.WebSession; | ||||
| import org.springframework.beans.factory.annotation.Autowired; | ||||
| import org.springframework.beans.factory.annotation.Value; | ||||
| import org.springframework.http.MediaType; | ||||
| import org.springframework.web.bind.annotation.RequestBody; | ||||
| import org.springframework.web.bind.annotation.RequestHeader; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
|  | ||||
| import javax.annotation.PostConstruct; | ||||
| import javax.xml.bind.JAXBContext; | ||||
| import javax.xml.bind.Unmarshaller; | ||||
| import javax.xml.stream.XMLInputFactory; | ||||
| import javax.xml.stream.XMLStreamReader; | ||||
| import java.io.File; | ||||
| import java.io.IOException; | ||||
| import java.io.StringReader; | ||||
| import java.nio.charset.Charset; | ||||
| import java.util.Collection; | ||||
| import java.util.Map; | ||||
|  | ||||
| import static org.springframework.http.MediaType.ALL_VALUE; | ||||
| import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE; | ||||
| import static org.springframework.web.bind.annotation.RequestMethod.GET; | ||||
| import static org.springframework.web.bind.annotation.RequestMethod.POST; | ||||
|  | ||||
| /** | ||||
|  * @author nbaars | ||||
|  * @since 4/8/17. | ||||
|  */ | ||||
| @AssignmentPath("/challenge/3") | ||||
| @Slf4j | ||||
| public class Assignment3 extends AssignmentEndpoint { | ||||
|  | ||||
|     @Value("${webgoat.server.directory}") | ||||
|     private String webGoatHomeDirectory; | ||||
|     @Autowired | ||||
|     private WebSession webSession; | ||||
|     private static DateTimeFormatter fmt = DateTimeFormat.forPattern("yyyy-MM-dd, HH:mm:ss"); | ||||
|  | ||||
|     private static final Map<String, EvictingQueue<Comment>> userComments = Maps.newHashMap(); | ||||
|     private static final EvictingQueue<Comment> comments = EvictingQueue.create(100); | ||||
|     private static final String secretContents = "Congratulations you may now collect your flag"; | ||||
|  | ||||
|     static { | ||||
|         comments.add(new Comment("webgoat", DateTime.now().toString(fmt), "Silly cat....")); | ||||
|         comments.add(new Comment("guest", DateTime.now().toString(fmt), "I think I will use this picture in one of my projects.")); | ||||
|         comments.add(new Comment("guest", DateTime.now().toString(fmt), "Lol!! :-).")); | ||||
|     } | ||||
|  | ||||
|     @PostConstruct | ||||
|     @SneakyThrows | ||||
|     public void copyFile() { | ||||
|         File targetDirectory = new File(webGoatHomeDirectory); | ||||
|         if (!targetDirectory.exists()) { | ||||
|             targetDirectory.mkdir(); | ||||
|         } | ||||
|         log.info("Copied secret.txt to: {}", targetDirectory); | ||||
|         Files.write(secretContents, new File(targetDirectory, "secret.txt"), Charset.defaultCharset()); | ||||
|     } | ||||
|  | ||||
|     @RequestMapping(method = GET, produces = MediaType.APPLICATION_JSON_VALUE) | ||||
|     @ResponseBody | ||||
|     public Collection<Comment> retrieveComments() { | ||||
|         Collection<Comment> allComments = Lists.newArrayList(); | ||||
|         Collection<Comment> xmlComments = userComments.get(webSession.getUserName()); | ||||
|         if (xmlComments != null) { | ||||
|             allComments.addAll(xmlComments); | ||||
|         } | ||||
|         allComments.addAll(comments); | ||||
|         return allComments; | ||||
|     } | ||||
|  | ||||
|     @RequestMapping(method = POST, consumes = ALL_VALUE, produces = APPLICATION_JSON_VALUE) | ||||
|     @ResponseBody | ||||
|     public AttackResult createNewComment(@RequestBody String commentStr, @RequestHeader("Content-Type") String contentType) throws Exception { | ||||
|         Comment comment = null; | ||||
|         AttackResult attackResult = failed().build(); | ||||
|         if (APPLICATION_JSON_VALUE.equals(contentType)) { | ||||
|             comment = parseJson(commentStr); | ||||
|             comment.setDateTime(DateTime.now().toString(fmt)); | ||||
|             comment.setUser(webSession.getUserName()); | ||||
|             comments.add(comment); | ||||
|         } | ||||
|         if (MediaType.APPLICATION_XML_VALUE.equals(contentType)) { | ||||
|             //Do not show these comments to all users | ||||
|             comment = parseXml(commentStr); | ||||
|             comment.setDateTime(DateTime.now().toString(fmt)); | ||||
|             comment.setUser(webSession.getUserName()); | ||||
|             EvictingQueue<Comment> comments = userComments.getOrDefault(webSession.getUserName(), EvictingQueue.create(100)); | ||||
|             comments.add(comment); | ||||
|             userComments.put(webSession.getUserName(), comments); | ||||
|         } | ||||
|         if (checkSolution(comment)) { | ||||
|             attackResult = success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(3)).build(); | ||||
|         } | ||||
|         return attackResult; | ||||
|     } | ||||
|  | ||||
|     private boolean checkSolution(Comment comment) { | ||||
|         if (comment.getText().contains(secretContents)) { | ||||
|             comment.setText("Congratulations to " + webSession.getUserName() + " for finding the flag!! Check your original response where you posted the XXE attack "); | ||||
|             comments.add(comment); | ||||
|             return true; | ||||
|         } | ||||
|         return false; | ||||
|     } | ||||
|  | ||||
|     public static Comment parseXml(String xml) throws Exception { | ||||
|         JAXBContext jc = JAXBContext.newInstance(Comment.class); | ||||
|  | ||||
|         XMLInputFactory xif = XMLInputFactory.newFactory(); | ||||
|         xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, true); | ||||
|         xif.setProperty(XMLInputFactory.IS_VALIDATING, false); | ||||
|  | ||||
|         xif.setProperty(XMLInputFactory.SUPPORT_DTD, true); | ||||
|         XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(xml)); | ||||
|  | ||||
|         Unmarshaller unmarshaller = jc.createUnmarshaller(); | ||||
|         return (Comment) unmarshaller.unmarshal(xsr); | ||||
|     } | ||||
|  | ||||
|     private Comment parseJson(String comment) { | ||||
|         ObjectMapper mapper = new ObjectMapper(); | ||||
|         try { | ||||
|             return mapper.readValue(comment, Comment.class); | ||||
|         } catch (IOException e) { | ||||
|             return new Comment(); | ||||
|         } | ||||
|     } | ||||
|  | ||||
|  | ||||
| } | ||||
|  | ||||
| @ -1,39 +0,0 @@ | ||||
| package org.owasp.webgoat.plugin.challenge3; | ||||
|  | ||||
| import com.google.common.collect.Lists; | ||||
| import org.owasp.webgoat.lessons.Category; | ||||
| import org.owasp.webgoat.lessons.NewLesson; | ||||
|  | ||||
| import java.util.List; | ||||
|  | ||||
| /** | ||||
|  * @author nbaars | ||||
|  * @since 3/21/17. | ||||
|  */ | ||||
| public class Challenge3 extends NewLesson { | ||||
|  | ||||
|     @Override | ||||
|     public Category getDefaultCategory() { | ||||
|         return Category.CHALLENGE; | ||||
|     } | ||||
|  | ||||
|     @Override | ||||
|     public List<String> getHints() { | ||||
|         return Lists.newArrayList(); | ||||
|     } | ||||
|  | ||||
|     @Override | ||||
|     public Integer getDefaultRanking() { | ||||
|         return 10; | ||||
|     } | ||||
|  | ||||
|     @Override | ||||
|     public String getTitle() { | ||||
|         return "challenge3.title"; | ||||
|     } | ||||
|  | ||||
|     @Override | ||||
|     public String getId() { | ||||
|         return "Challenge3"; | ||||
|     } | ||||
| } | ||||
| @ -1,24 +0,0 @@ | ||||
| package org.owasp.webgoat.plugin.challenge3; | ||||
|  | ||||
| import lombok.AllArgsConstructor; | ||||
| import lombok.Getter; | ||||
| import lombok.NoArgsConstructor; | ||||
| import lombok.Setter; | ||||
|  | ||||
| import javax.xml.bind.annotation.XmlRootElement; | ||||
|  | ||||
| /** | ||||
|  * @author nbaars | ||||
|  * @since 4/8/17. | ||||
|  */ | ||||
| @Getter | ||||
| @Setter | ||||
| @AllArgsConstructor | ||||
| @NoArgsConstructor | ||||
| @XmlRootElement | ||||
| public class Comment { | ||||
|     private String user; | ||||
|     private String dateTime; | ||||
|     private String text; | ||||
| } | ||||
|  | ||||
| @ -1,17 +0,0 @@ | ||||
| package org.owasp.webgoat.plugin.challenge4; | ||||
|  | ||||
| import lombok.extern.slf4j.Slf4j; | ||||
| import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||||
|  | ||||
| /** | ||||
|  * @author nbaars | ||||
|  * @since 5/3/17. | ||||
|  */ | ||||
| @AssignmentPath("/challenge/4") | ||||
| @Slf4j | ||||
| public class Assignment4 extends AssignmentEndpoint { | ||||
|  | ||||
|     //just empty, posting the flag will mark the challenge as done as well no need to specify an endpoint here | ||||
|  | ||||
| } | ||||
| @ -1,39 +0,0 @@ | ||||
| package org.owasp.webgoat.plugin.challenge4; | ||||
|  | ||||
| import com.google.common.collect.Lists; | ||||
| import org.owasp.webgoat.lessons.Category; | ||||
| import org.owasp.webgoat.lessons.NewLesson; | ||||
|  | ||||
| import java.util.List; | ||||
|  | ||||
| /** | ||||
|  * @author nbaars | ||||
|  * @since 3/21/17. | ||||
|  */ | ||||
| public class Challenge4 extends NewLesson { | ||||
|  | ||||
|     @Override | ||||
|     public Category getDefaultCategory() { | ||||
|         return Category.CHALLENGE; | ||||
|     } | ||||
|  | ||||
|     @Override | ||||
|     public List<String> getHints() { | ||||
|         return Lists.newArrayList(); | ||||
|     } | ||||
|  | ||||
|     @Override | ||||
|     public Integer getDefaultRanking() { | ||||
|         return 10; | ||||
|     } | ||||
|  | ||||
|     @Override | ||||
|     public String getTitle() { | ||||
|         return "challenge4.title"; | ||||
|     } | ||||
|  | ||||
|     @Override | ||||
|     public String getId() { | ||||
|         return "Challenge4"; | ||||
|     } | ||||
| } | ||||
| @ -1,16 +0,0 @@ | ||||
| package org.owasp.webgoat.plugin.challenge4; | ||||
|  | ||||
| /** | ||||
|  * @author nbaars | ||||
|  * @since 4/30/17. | ||||
|  */ | ||||
| public class Views { | ||||
|     interface GuestView { | ||||
|     } | ||||
|  | ||||
|     interface UserView extends GuestView { | ||||
|     } | ||||
|  | ||||
|     interface AdminView extends UserView { | ||||
|     } | ||||
| } | ||||
| @ -1,75 +0,0 @@ | ||||
| /* Component: Posts */ | ||||
| .post .post-heading { | ||||
|     height: 95px; | ||||
|     padding: 20px 15px; | ||||
| } | ||||
| .post .post-heading .avatar { | ||||
|     width: 60px; | ||||
|     height: 60px; | ||||
|     display: block; | ||||
|     margin-right: 15px; | ||||
| } | ||||
| .post .post-heading .meta .title { | ||||
|     margin-bottom: 0; | ||||
| } | ||||
| .post .post-heading .meta .title a { | ||||
|     color: black; | ||||
| } | ||||
| .post .post-heading .meta .title a:hover { | ||||
|     color: #aaaaaa; | ||||
| } | ||||
| .post .post-heading .meta .time { | ||||
|     margin-top: 8px; | ||||
|     color: #999; | ||||
| } | ||||
| .post .post-image .image { | ||||
|     width:20%; | ||||
|     height: 40%; | ||||
| } | ||||
| .post .post-description { | ||||
|     padding: 5px; | ||||
| } | ||||
| .post .post-footer { | ||||
|     border-top: 1px solid #ddd; | ||||
|     padding: 15px; | ||||
| } | ||||
| .post .post-footer .input-group-addon a { | ||||
|     color: #454545; | ||||
| } | ||||
| .post .post-footer .comments-list { | ||||
|     padding: 0; | ||||
|     margin-top: 20px; | ||||
|     list-style-type: none; | ||||
| } | ||||
| .post .post-footer .comments-list .comment { | ||||
|     display: block; | ||||
|     width: 100%; | ||||
|     margin: 20px 0; | ||||
| } | ||||
| .post .post-footer .comments-list .comment .avatar { | ||||
|     width: 35px; | ||||
|     height: 35px; | ||||
| } | ||||
| .post .post-footer .comments-list .comment .comment-heading { | ||||
|     display: block; | ||||
|     width: 100%; | ||||
| } | ||||
| .post .post-footer .comments-list .comment .comment-heading .user { | ||||
|     font-size: 14px; | ||||
|     font-weight: bold; | ||||
|     display: inline; | ||||
|     margin-top: 0; | ||||
|     margin-right: 10px; | ||||
| } | ||||
| .post .post-footer .comments-list .comment .comment-heading .time { | ||||
|     font-size: 12px; | ||||
|     color: #aaa; | ||||
|     margin-top: 0; | ||||
|     display: inline; | ||||
| } | ||||
| .post .post-footer .comments-list .comment .comment-body { | ||||
|     margin-left: 50px; | ||||
| } | ||||
| .post .post-footer .comments-list .comment > .comments-list { | ||||
|     margin-left: 50px; | ||||
| } | ||||
| @ -1,12 +0,0 @@ | ||||
| a.list-group-item { | ||||
|     height:auto; | ||||
| } | ||||
| a.list-group-item.active small { | ||||
|     color:#fff; | ||||
| } | ||||
| .stars { | ||||
|     margin:20px auto 1px; | ||||
| } | ||||
| .img-responsive { | ||||
|     min-width: 100%; | ||||
| } | ||||
| @ -1,112 +0,0 @@ | ||||
| <!DOCTYPE html> | ||||
|  | ||||
| <html xmlns:th="http://www.thymeleaf.org"> | ||||
|  | ||||
|  | ||||
| <div class="lesson-page-wrapper"> | ||||
|     <div class="adoc-content" th:replace="doc:Challenge_2.adoc"></div> | ||||
|     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge2.css}"/> | ||||
|     <script th:src="@{/lesson_js/challenge2.js}" language="JavaScript"></script> | ||||
|     <div class="attack-container"> | ||||
|         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> | ||||
|  | ||||
|         <div class="container-fluid"> | ||||
|             <form class="attack-form" accept-charset="UNKNOWN" | ||||
|                   method="POST" name="form" | ||||
|                   action="/WebGoat/challenge/2" | ||||
|                   enctype="application/json;charset=UTF-8"> | ||||
|  | ||||
|                 <input id="discount" type="hidden" value="0"/> | ||||
|                 <div class="row"> | ||||
|  | ||||
|                     <div class="col-xs-3 item-photo"> | ||||
|                         <img style="max-width:100%;" th:src="@{/images/samsung-black.jpg}"/> | ||||
|                     </div> | ||||
|                     <div class="col-xs-5" style="border:0px solid gray"> | ||||
|                         <h3>Samsung Galaxy S8</h3> | ||||
|                         <h5 style="color:#337ab7"><a href="http://www.samsung.com">Samsung</a> · | ||||
|                             <small style="color:#337ab7">(124421 reviews)</small> | ||||
|                         </h5> | ||||
|  | ||||
|                         <h6 class="title-price"> | ||||
|                             <small>PRICE</small> | ||||
|                         </h6> | ||||
|                         <h3 style="margin-top:0px;"><span>US $</span><span id="price">899</span></h3> | ||||
|  | ||||
|                         <div class="section"> | ||||
|                             <h6 class="title-attr" style="margin-top:15px;"> | ||||
|                                 <small>COLOR</small> | ||||
|                             </h6> | ||||
|                             <div> | ||||
|                                 <div class="attr" style="width:25px;background:lightgrey;"></div> | ||||
|                                 <div class="attr" style="width:25px;background:black;"></div> | ||||
|                             </div> | ||||
|                         </div> | ||||
|                         <div class="section" style="padding-bottom:5px;"> | ||||
|                             <h6 class="title-attr"> | ||||
|                                 <small>CAPACITY</small> | ||||
|                             </h6> | ||||
|                             <div> | ||||
|                                 <div class="attr2">64 GB</div> | ||||
|                                 <div class="attr2">128 GB</div> | ||||
|                             </div> | ||||
|                         </div> | ||||
|                         <div class="section" style="padding-bottom:5px;"> | ||||
|                             <h6 class="title-attr"> | ||||
|                                 <small>QUANTITY</small> | ||||
|                             </h6> | ||||
|                             <div> | ||||
|                                 <div class="btn-minus"><span class="glyphicon glyphicon-minus"></span></div> | ||||
|                                 <input class="quantity" value="1"/> | ||||
|                                 <div class="btn-plus"><span class="glyphicon glyphicon-plus"></span></div> | ||||
|                             </div> | ||||
|                         </div> | ||||
|  | ||||
|                         <div class="section" style="padding-bottom:5px;"> | ||||
|                             <h6 class="title-attr"> | ||||
|                                 <small>CHECKOUT CODE</small> | ||||
|                             </h6> | ||||
|                             <!-- | ||||
|                               Checkout code: webgoat, owasp, owasp-webgoat | ||||
|                             --> | ||||
|                             <input name="checkoutCode" class="checkoutCode" value=""/> | ||||
|  | ||||
|                         </div> | ||||
|  | ||||
|                         <div class="section" style="padding-bottom:20px;"> | ||||
|                             <button type="submit" class="btn btn-success"><span style="margin-right:20px" | ||||
|                                                                                 class="glyphicon glyphicon-shopping-cart" | ||||
|                                                                                 aria-hidden="true"></span>Buy | ||||
|                             </button> | ||||
|                             <h6><a href="#"><span class="glyphicon glyphicon-heart-empty" | ||||
|                                                   style="cursor:pointer;"></span> | ||||
|                                 Like</a></h6> | ||||
|                         </div> | ||||
|                     </div> | ||||
|                 </div> | ||||
|  | ||||
|             </form> | ||||
|         </div> | ||||
|         <br/> | ||||
|         <form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag"> | ||||
|             <div class="form-group"> | ||||
|                 <div class="input-group"> | ||||
|                     <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true" | ||||
|                                                       style="font-size:20px"></i></div> | ||||
|                     <input type="text" class="form-control" id="flag" name="flag" | ||||
|                            placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/> | ||||
|                 </div> | ||||
|                 <div class="input-group" style="margin-top: 10px"> | ||||
|                     <button type="submit" class="btn btn-primary">Submit flag</button> | ||||
|                 </div> | ||||
|             </div> | ||||
|  | ||||
|         </form> | ||||
|  | ||||
|         <br/> | ||||
|         <div class="attack-feedback"></div> | ||||
|         <div class="attack-output"></div> | ||||
|     </div> | ||||
| </div> | ||||
|  | ||||
| </html> | ||||
| @ -1,72 +0,0 @@ | ||||
| <!DOCTYPE html> | ||||
|  | ||||
| <html xmlns:th="http://www.thymeleaf.org"> | ||||
|  | ||||
|  | ||||
| <div class="lesson-page-wrapper"> | ||||
|     <div class="adoc-content" th:replace="doc:Challenge_3.adoc"></div> | ||||
|     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge3.css}"/> | ||||
|     <script th:src="@{/lesson_js/challenge3.js}" language="JavaScript"></script> | ||||
|     <div class="attack-container"> | ||||
|         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> | ||||
|  | ||||
|         <div class="container-fluid"> | ||||
|             <div class="panel post"> | ||||
|                 <div class="post-heading"> | ||||
|                     <div class="pull-left image"> | ||||
|                         <img th:src="@{/images/avatar1.png}" | ||||
|                              class="img-circle avatar" alt="user profile image"/> | ||||
|                     </div> | ||||
|                     <div class="pull-left meta"> | ||||
|                         <div class="title h5"> | ||||
|                             <a href="#"><b>John Doe</b></a> | ||||
|                             uploaded a photo. | ||||
|                         </div> | ||||
|                         <h6 class="text-muted time">24 days ago</h6> | ||||
|                     </div> | ||||
|                 </div> | ||||
|  | ||||
|                 <div class="post-image"> | ||||
|                     <img th:src="@{images/cat.jpg}" class="image" alt="image post"/> | ||||
|                 </div> | ||||
|  | ||||
|                 <div class="post-description"> | ||||
|  | ||||
|                 </div> | ||||
|                 <div class="post-footer"> | ||||
|                     <div class="input-group"> | ||||
|                         <input class="form-control" id="commentInput" placeholder="Add a comment" type="text"/> | ||||
|                         <span class="input-group-addon"> | ||||
|                                 <i id="postComment" class="fa fa-edit" style="font-size: 20px"></i> | ||||
|                             </span> | ||||
|                     </div> | ||||
|                     <ul class="comments-list"> | ||||
|                         <div id="list"> | ||||
|                         </div> | ||||
|                     </ul> | ||||
|                 </div> | ||||
|             </div> | ||||
|         </div> | ||||
|  | ||||
|         <form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag"> | ||||
|             <div class="form-group"> | ||||
|                 <div class="input-group"> | ||||
|                     <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true" | ||||
|                                                       style="font-size:20px"></i></div> | ||||
|                     <input type="text" class="form-control" id="flag" name="flag" | ||||
|                            placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/> | ||||
|                 </div> | ||||
|                 <div class="input-group" style="margin-top: 10px"> | ||||
|                     <button type="submit" class="btn btn-primary">Submit flag</button> | ||||
|                 </div> | ||||
|             </div> | ||||
|  | ||||
|         </form> | ||||
|  | ||||
|  | ||||
|         <br/> | ||||
|         <div class="attack-feedback"></div> | ||||
|         <div class="attack-output"></div> | ||||
|     </div> | ||||
| </div> | ||||
| </html> | ||||
| @ -1,75 +0,0 @@ | ||||
| <!DOCTYPE html> | ||||
|  | ||||
| <html xmlns:th="http://www.thymeleaf.org"> | ||||
|  | ||||
|  | ||||
| <div class="lesson-page-wrapper"> | ||||
|     <div class="adoc-content" th:replace="doc:Challenge_4.adoc"></div> | ||||
|     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge4.css}"/> | ||||
|     <script th:src="@{/lesson_js/bootstrap.min.js}" language="JavaScript"></script> | ||||
|     <script th:src="@{/lesson_js/challenge4.js}" language="JavaScript"></script> | ||||
|     <div class="attack-container"> | ||||
|         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> | ||||
|         <div class="container-fluid"> | ||||
|  | ||||
|             <div class="row"> | ||||
|  | ||||
|                 <div class="well"> | ||||
|                     <div class="pull-right"> | ||||
|                         <div class="dropdown"> | ||||
|                             <button type="button" data-toggle="dropdown" class="btn btn-default dropdown-toggle"> | ||||
|                                 <i class="fa fa-user"></i> <span class="caret"></span> | ||||
|                             </button> | ||||
|                             <ul class="dropdown-menu dropdown-menu-left"> | ||||
|                                 <li role="presentation"><a role="menuitem" tabindex="-1" | ||||
|                                                            onclick="javascript:login('Guest')" | ||||
|                                                            th:text="Guest">current</a></li> | ||||
|                                 <li role="presentation"><a role="menuitem" tabindex="-1" | ||||
|                                                            onclick="javascript:login('Tom')" | ||||
|                                                            th:text="Tom">current</a></li> | ||||
|                                 <li role="presentation"><a role="menuitem" tabindex="-1" | ||||
|                                                            onclick="javascript:login('Jerry')" | ||||
|                                                            th:text="Jerry">current</a></li> | ||||
|                                 <li role="presentation"><a role="menuitem" tabindex="-1" | ||||
|                                                            onclick="javascript:login('Sylvester')" | ||||
|                                                            th:text="Sylvester">current</a></li> | ||||
|                             </ul> | ||||
|                         </div> | ||||
|                         <div> | ||||
|                             <p class="text-right">Welcome back, <b><span id="name"></span></b></p> | ||||
|                         </div> | ||||
|                     </div> | ||||
|  | ||||
|                     <div> | ||||
|                         <h3>Vote for your favorite</h3> | ||||
|                     </div> | ||||
|                     <div id ="votesList" class="list-group"> | ||||
|  | ||||
|                     </div> | ||||
|                 </div> | ||||
|             </div> | ||||
|         </div> | ||||
|  | ||||
|         <br/> | ||||
|         <form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag"> | ||||
|             <div class="form-group"> | ||||
|                 <div class="input-group"> | ||||
|                     <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true" | ||||
|                                                       style="font-size:20px"></i></div> | ||||
|                     <input type="text" class="form-control" id="flag" name="flag" | ||||
|                            placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/> | ||||
|                 </div> | ||||
|                 <div class="input-group" style="margin-top: 10px"> | ||||
|                     <button type="submit" class="btn btn-primary">Submit flag</button> | ||||
|                 </div> | ||||
|             </div> | ||||
|  | ||||
|         </form> | ||||
|  | ||||
|         <br/> | ||||
|         <div class="attack-feedback"></div> | ||||
|         <div class="attack-output"></div> | ||||
|     </div> | ||||
| </div> | ||||
|  | ||||
| </html> | ||||
| @ -1,109 +0,0 @@ | ||||
| <!DOCTYPE html> | ||||
| <html xmlns:th="http://www.thymeleaf.org"> | ||||
|  | ||||
|  | ||||
| <div class="lesson-page-wrapper"> | ||||
|     <div class="adoc-content" th:replace="doc:Challenge_9.adoc"></div> | ||||
|     <script th:src="@{/lesson_js/challenge9.js}" language="JavaScript"></script> | ||||
|  | ||||
|     <div class="attack-container"> | ||||
|         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> | ||||
|  | ||||
|         <div class="container-fluid"> | ||||
|             <div class="row"> | ||||
|                 <div class="col-md-6"> | ||||
|                     <h4 style="border-bottom: 1px solid #c5c5c5;"> | ||||
|                         <i class="glyphicon glyphicon-user"></i> | ||||
|                         Account Access | ||||
|                     </h4> | ||||
|                     <div style="padding: 20px;" id="form-login"> | ||||
|                         <form id="login-form" class="attack-form" accept-charset="UNKNOWN" | ||||
|                               method="POST" name="form" | ||||
|                               action="/WebGoat/challenge/9/login" | ||||
|                               enctype="application/json;charset=UTF-8" role="form"> | ||||
|                             <fieldset> | ||||
|                                 <div class="form-group input-group"> | ||||
|                                     <span class="input-group-addon"> @ </span> | ||||
|                                     <input class="form-control" placeholder="Email" name="email" type="email" | ||||
|                                            required="" autofocus=""/> | ||||
|                                 </div> | ||||
|                                 <div class="form-group input-group"> | ||||
|           <span class="input-group-addon"> | ||||
|             <i class="glyphicon glyphicon-lock"> | ||||
|             </i> | ||||
|           </span> | ||||
|                                     <input class="form-control" placeholder="Password" name="password" type="password" | ||||
|                                            value="" required=""/> | ||||
|                                 </div> | ||||
|                                 <div class="form-group"> | ||||
|                                     <button type="submit" class="btn btn-primary btn-block"> | ||||
|                                         Access | ||||
|                                     </button> | ||||
|                                     <p class="help-block"> | ||||
|                                         <a class="pull-right text-muted" href="#" id="login"> | ||||
|                                             <small>Forgot your password?</small> | ||||
|                                         </a> | ||||
|                                     </p> | ||||
|                                 </div> | ||||
|                             </fieldset> | ||||
|                         </form> | ||||
|                     </div> | ||||
|                     <div style="display: none;" id="form-login"> | ||||
|                         <h4 class=""> | ||||
|                             Forgot your password? | ||||
|                         </h4> | ||||
|                         <form id="login-form" class="attack-form" accept-charset="UNKNOWN" | ||||
|                               method="POST" name="form" | ||||
|                               action="/WebGoat/challenge/9/create-password-reset-link" | ||||
|                               enctype="application/json;charset=UTF-8" role="form"> | ||||
|                             <fieldset> | ||||
|         <span class="help-block"> | ||||
|           Email address you use to log in to your account | ||||
|           <br/> | ||||
|           We'll send you an email with instructions to choose a new password. | ||||
|         </span> | ||||
|                                 <div class="form-group input-group"> | ||||
|           <span class="input-group-addon"> | ||||
|             @ | ||||
|           </span> | ||||
|                                     <input class="form-control" placeholder="Email" name="email" type="email" | ||||
|                                            required=""/> | ||||
|                                 </div> | ||||
|                                 <button type="submit" class="btn btn-primary btn-block" id="btn-login"> | ||||
|                                     Continue | ||||
|                                 </button> | ||||
|                                 <p class="help-block"> | ||||
|                                     <a class="text-muted" href="#" id="forgot"> | ||||
|                                         <small>Account Access</small> | ||||
|                                     </a> | ||||
|                                 </p> | ||||
|                             </fieldset> | ||||
|                         </form> | ||||
|                     </div> | ||||
|                 </div> | ||||
|             </div> | ||||
|         </div> | ||||
|  | ||||
|         <br/> | ||||
|         <form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag"> | ||||
|             <div class="form-group"> | ||||
|                 <div class="input-group"> | ||||
|                     <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true" | ||||
|                                                       style="font-size:20px"></i></div> | ||||
|                     <input type="text" class="form-control" id="flag" name="flag" | ||||
|                            placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/> | ||||
|                 </div> | ||||
|                 <div class="input-group" style="margin-top: 10px"> | ||||
|                     <button type="submit" class="btn btn-primary">Submit flag</button> | ||||
|                 </div> | ||||
|             </div> | ||||
|  | ||||
|         </form> | ||||
|  | ||||
|         <br/> | ||||
|         <div class="attack-feedback"></div> | ||||
|         <div class="attack-output"></div> | ||||
|     </div> | ||||
| </div> | ||||
|  | ||||
| </html> | ||||
| @ -2,7 +2,6 @@ challenge0.title=WebGoat Challenge | ||||
| challenge1.title=Admin lost password | ||||
| challenge2.title=Get it for free | ||||
| challenge3.title=Photo comments | ||||
| challenge4.title=Voting | ||||
| challenge5.title=Without password | ||||
| challenge6.title=Creating a new account | ||||
| challenge7.title=Admin password reset | ||||
| @ -22,8 +21,7 @@ challenge.flag.incorrect=Sorry this is not the correct flag, please try again. | ||||
|  | ||||
| ip.address.unknown=IP address unknown, e-mail has been sent.  | ||||
|  | ||||
| login_failed=Login failed | ||||
| login_failed.tom=Sorry only Tom can login at the moment | ||||
|  | ||||
|  | ||||
| required4=Missing username or password, please specify both. | ||||
| user.not.larry=Please try to log in as Larry not {0}.  | ||||
| Before Width: | Height: | Size: 8.9 KiB | 
| @ -1,45 +0,0 @@ | ||||
| $(document).ready(function () { | ||||
|     $("#postComment").on("click", function () { | ||||
|         var commentInput = $("#commentInput").val(); | ||||
|         $.ajax({ | ||||
|             type: 'POST', | ||||
|             url: 'challenge/3', | ||||
|             data: JSON.stringify({text: commentInput}), | ||||
|             contentType: "application/json", | ||||
|             dataType: 'json' | ||||
|         }).then( | ||||
|             function () { | ||||
|                 getChallenges(); | ||||
|                 $("#commentInput").val(''); | ||||
|             } | ||||
|         ) | ||||
|     }) | ||||
|  | ||||
|     var html = '<li class="comment">' + | ||||
|         '<div class="pull-left">' + | ||||
|         '<img class="avatar" src="images/avatar1.png" alt="avatar"/>' + | ||||
|         '</div>' + | ||||
|         '<div class="comment-body">' + | ||||
|         '<div class="comment-heading">' + | ||||
|         '<h4 class="user">USER</h4>' + | ||||
|         '<h5 class="time">DATETIME</h5>' + | ||||
|         '</div>' + | ||||
|         '<p>COMMENT</p>' + | ||||
|         '</div>' + | ||||
|         '</li>'; | ||||
|  | ||||
|     getChallenges(); | ||||
|  | ||||
|     function getChallenges() { | ||||
|         $("#list").empty(); | ||||
|         $.get("challenge/3", function (result, status) { | ||||
|             for (var i = 0; i < result.length; i++) { | ||||
|                 var comment = html.replace('USER', result[i].user); | ||||
|                 comment = comment.replace('DATETIME', result[i].dateTime); | ||||
|                 comment = comment.replace('COMMENT', result[i].text); | ||||
|                 $("#list").append(comment); | ||||
|             } | ||||
|  | ||||
|         }); | ||||
|     } | ||||
| }) | ||||
| @ -1,10 +0,0 @@ | ||||
| $(document).ready(function() { | ||||
|     $('#login').click(function(e) { | ||||
|         e.preventDefault(); | ||||
|         $('div#form-login').toggle('500'); | ||||
|     }); | ||||
|     $('#forgot').click(function(e) { | ||||
|         e.preventDefault(); | ||||
|         $('div#form-login').toggle('500'); | ||||
|     }); | ||||
| }); | ||||
| @ -1 +0,0 @@ | ||||
| Changing language can help you find the 'secret' file | ||||
| @ -1 +0,0 @@ | ||||
| Try to change to a different user, maybe you can find the flag? | ||||
| @ -1,3 +0,0 @@ | ||||
| Tom always resets his password immediately after receiving the email with the link. | ||||
| Try to reset the password of Tom (tom@webgoat-cloud.org) to your own choice and login as Tom with | ||||
| that password. | ||||
| @ -1,49 +0,0 @@ | ||||
| package org.owasp.webgoat.plugin.challenge2; | ||||
|  | ||||
| import org.hamcrest.CoreMatchers; | ||||
| import org.junit.Before; | ||||
| import org.junit.Test; | ||||
| import org.junit.runner.RunWith; | ||||
| import org.mockito.runners.MockitoJUnitRunner; | ||||
| import org.owasp.webgoat.assignments.AssignmentEndpointTest; | ||||
| import org.owasp.webgoat.plugin.Flag; | ||||
| import org.owasp.webgoat.plugin.SolutionConstants; | ||||
| import org.springframework.test.web.servlet.MockMvc; | ||||
| import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; | ||||
|  | ||||
| import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; | ||||
| import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup; | ||||
|  | ||||
| /** | ||||
|  * @author nbaars | ||||
|  * @since 5/2/17. | ||||
|  */ | ||||
| @RunWith(MockitoJUnitRunner.class) | ||||
| public class Assignment2Test extends AssignmentEndpointTest { | ||||
|  | ||||
|     private MockMvc mockMvc; | ||||
|  | ||||
|     @Before | ||||
|     public void setup() { | ||||
|         Assignment2 assignment2 = new Assignment2(); | ||||
|         init(assignment2); | ||||
|         new Flag().initFlags(); | ||||
|         this.mockMvc = standaloneSetup(assignment2).build(); | ||||
|     } | ||||
|  | ||||
|     @Test | ||||
|     public void success() throws Exception { | ||||
|         mockMvc.perform(MockMvcRequestBuilders.post("/challenge/2") | ||||
|                 .param("checkoutCode", SolutionConstants.SUPER_COUPON_CODE)) | ||||
|                 .andExpect(jsonPath("$.feedback", CoreMatchers.containsString("flag: " + Flag.FLAGS.get(2)))) | ||||
|                 .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true))); | ||||
|     } | ||||
|  | ||||
|     @Test | ||||
|     public void wrongCouponCode() throws Exception { | ||||
|         mockMvc.perform(MockMvcRequestBuilders.post("/challenge/2") | ||||
|                 .param("checkoutCode", "test")) | ||||
|                 .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved")))) | ||||
|                 .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false))); | ||||
|     } | ||||
| } | ||||
| @ -1,161 +0,0 @@ | ||||
| package org.owasp.webgoat.plugin.challenge4; | ||||
|  | ||||
| import org.hamcrest.CoreMatchers; | ||||
| import org.junit.Before; | ||||
| import org.junit.Test; | ||||
| import org.junit.runner.RunWith; | ||||
| import org.mockito.runners.MockitoJUnitRunner; | ||||
| import org.owasp.webgoat.plugin.Flag; | ||||
| import org.springframework.test.web.servlet.MockMvc; | ||||
| import org.springframework.test.web.servlet.MvcResult; | ||||
| import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; | ||||
|  | ||||
| import javax.servlet.http.Cookie; | ||||
|  | ||||
| import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.unauthenticated; | ||||
| import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*; | ||||
| import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup; | ||||
|  | ||||
| /** | ||||
|  * @author nbaars | ||||
|  * @since 5/2/17. | ||||
|  */ | ||||
| @RunWith(MockitoJUnitRunner.class) | ||||
| public class VotesEndpointTest { | ||||
|  | ||||
|     private MockMvc mockMvc; | ||||
|  | ||||
|     @Before | ||||
|     public void setup() { | ||||
|         VotesEndpoint votesEndpoint = new VotesEndpoint(); | ||||
|         votesEndpoint.initVotes(); | ||||
|         new Flag().initFlags(); | ||||
|         this.mockMvc = standaloneSetup(votesEndpoint).build(); | ||||
|     } | ||||
|  | ||||
|     @Test | ||||
|     public void loginWithUnknownUser() throws Exception { | ||||
|         mockMvc.perform(MockMvcRequestBuilders.get("/votings/login") | ||||
|                 .param("user", "uknown")) | ||||
|                 .andExpect(unauthenticated()); | ||||
|     } | ||||
|  | ||||
|     @Test | ||||
|     public void loginWithTomShouldGiveJwtToken() throws Exception { | ||||
|         mockMvc.perform(MockMvcRequestBuilders.get("/votings/login") | ||||
|                 .param("user", "Tom")) | ||||
|                 .andExpect(status().isOk()).andExpect(cookie().exists("access_token")); | ||||
|     } | ||||
|  | ||||
|     @Test | ||||
|     public void loginWithGuestShouldNotGiveJwtToken() throws Exception { | ||||
|         mockMvc.perform(MockMvcRequestBuilders.get("/votings/login") | ||||
|                 .param("user", "Guest")) | ||||
|                 .andExpect(unauthenticated()).andExpect(cookie().value("access_token", "")); | ||||
|     } | ||||
|  | ||||
|     @Test | ||||
|     public void userShouldSeeMore() throws Exception { | ||||
|         MvcResult mvcResult = mockMvc.perform(MockMvcRequestBuilders.get("/votings/login") | ||||
|                 .param("user", "Tom")) | ||||
|                 .andExpect(status().isOk()).andExpect(cookie().exists("access_token")).andReturn(); | ||||
|         mockMvc.perform(MockMvcRequestBuilders.get("/votings") | ||||
|                 .cookie(mvcResult.getResponse().getCookie("access_token"))) | ||||
|                 .andExpect(jsonPath("$.[*].numberOfVotes").exists()); | ||||
|     } | ||||
|  | ||||
|     @Test | ||||
|     public void guestShouldNotSeeNumberOfVotes() throws Exception { | ||||
|         MvcResult mvcResult = mockMvc.perform(MockMvcRequestBuilders.get("/votings/login") | ||||
|                 .param("user", "Guest")) | ||||
|                 .andExpect(unauthenticated()).andExpect(cookie().exists("access_token")).andReturn(); | ||||
|         mockMvc.perform(MockMvcRequestBuilders.get("/votings") | ||||
|                 .cookie(mvcResult.getResponse().getCookie("access_token"))) | ||||
|                 .andExpect(jsonPath("$.[*].numberOfVotes").doesNotExist()); | ||||
|     } | ||||
|  | ||||
|     @Test | ||||
|     public void adminShouldSeeFlags() throws Exception { | ||||
|         mockMvc.perform(MockMvcRequestBuilders.get("/votings") | ||||
|                 .cookie(new Cookie("access_token", "eyJhbGciOiJub25lIn0.eyJhZG1pbiI6InRydWUiLCJ1c2VyIjoiSmVycnkifQ."))) | ||||
|                 .andExpect(jsonPath("$.[*].flag").isNotEmpty()); | ||||
|     } | ||||
|  | ||||
|     @Test | ||||
|     public void votingIsNotAllowedAsGuest() throws Exception { | ||||
|         mockMvc.perform(MockMvcRequestBuilders.post("/votings/Get it for free")) | ||||
|                 .andExpect(unauthenticated()); | ||||
|     } | ||||
|  | ||||
|     @Test | ||||
|     public void normalUserShouldBeAbleToVote() throws Exception { | ||||
|         MvcResult mvcResult = mockMvc.perform(MockMvcRequestBuilders.get("/votings/login") | ||||
|                 .param("user", "Tom")) | ||||
|                 .andExpect(status().isOk()).andExpect(cookie().exists("access_token")).andReturn(); | ||||
|         mockMvc.perform(MockMvcRequestBuilders.post("/votings/Get it for free") | ||||
|                 .cookie(mvcResult.getResponse().getCookie("access_token"))); | ||||
|         mockMvc.perform(MockMvcRequestBuilders.get("/votings/") | ||||
|                 .cookie(mvcResult.getResponse().getCookie("access_token"))) | ||||
|                 .andExpect(jsonPath("$..[?(@.title == 'Get it for free')].numberOfVotes", CoreMatchers.hasItem(20001))); | ||||
|     } | ||||
|  | ||||
|     @Test | ||||
|     public void votingForUnknownLessonShouldNotCrash() throws Exception { | ||||
|         MvcResult mvcResult = mockMvc.perform(MockMvcRequestBuilders.get("/votings/login") | ||||
|                 .param("user", "Tom")) | ||||
|                 .andExpect(status().isOk()).andExpect(cookie().exists("access_token")).andReturn(); | ||||
|         mockMvc.perform(MockMvcRequestBuilders.post("/votings/UKNOWN_VOTE") | ||||
|                 .cookie(mvcResult.getResponse().getCookie("access_token"))).andExpect(status().isAccepted()); | ||||
|     } | ||||
|  | ||||
|     @Test | ||||
|     public void votingWithInvalidToken() throws Exception { | ||||
|         mockMvc.perform(MockMvcRequestBuilders.post("/votings/UKNOWN_VOTE") | ||||
|                 .cookie(new Cookie("access_token", "abc"))).andExpect(unauthenticated()); | ||||
|     } | ||||
|  | ||||
|     @Test | ||||
|     public void gettingVotesWithInvalidToken() throws Exception { | ||||
|         mockMvc.perform(MockMvcRequestBuilders.get("/votings/") | ||||
|                 .cookie(new Cookie("access_token", "abc"))).andExpect(unauthenticated()); | ||||
|     } | ||||
|  | ||||
|     @Test | ||||
|     public void gettingVotesWithUnknownUserInToken() throws Exception { | ||||
|         mockMvc.perform(MockMvcRequestBuilders.get("/votings/") | ||||
|                 .cookie(new Cookie("access_token", "eyJhbGciOiJub25lIn0.eyJhZG1pbiI6InRydWUiLCJ1c2VyIjoiVW5rbm93biJ9."))) | ||||
|                 .andExpect(unauthenticated()) | ||||
|                 .andExpect(jsonPath("$.[*].numberOfVotes").doesNotExist()); | ||||
|     } | ||||
|  | ||||
|     @Test | ||||
|     public void gettingVotesForUnknownShouldWork() throws Exception { | ||||
|         mockMvc.perform(MockMvcRequestBuilders.get("/votings/") | ||||
|                 .cookie(new Cookie("access_token", "eyJhbGciOiJub25lIn0.eyJ1c2VyIjoiVW5rbm93biJ9."))) | ||||
|                 .andExpect(unauthenticated()) | ||||
|                 .andExpect(jsonPath("$.[*].numberOfVotes").doesNotExist()); | ||||
|     } | ||||
|  | ||||
|     @Test | ||||
|     public void gettingVotesForKnownWithoutAdminFieldShouldWork() throws Exception { | ||||
|         mockMvc.perform(MockMvcRequestBuilders.get("/votings/") | ||||
|                 .cookie(new Cookie("access_token", "eyJhbGciOiJub25lIn0.eyJ1c2VyIjoiVG9tIn0."))) | ||||
|                 .andExpect(status().isOk()) | ||||
|                 .andExpect(jsonPath("$.[*].numberOfVotes").exists()); | ||||
|     } | ||||
|  | ||||
|     @Test | ||||
|     public void gettingVotesWithEmptyToken() throws Exception { | ||||
|         mockMvc.perform(MockMvcRequestBuilders.get("/votings/") | ||||
|                 .cookie(new Cookie("access_token", ""))) | ||||
|                 .andExpect(status().isOk()) | ||||
|                 .andExpect(jsonPath("$.[*].numberOfVotes").doesNotExist()); | ||||
|     } | ||||
|  | ||||
|     @Test | ||||
|     public void votingAsUnknownUserShouldNotBeAllowed() throws Exception { | ||||
|         mockMvc.perform(MockMvcRequestBuilders.post("/votings/Get it for free") | ||||
|                 .cookie(new Cookie("access_token", "eyJhbGciOiJub25lIn0.eyJ1c2VyIjoiVW5rbm93biJ9."))) | ||||
|                 .andExpect(unauthenticated()); | ||||
|     } | ||||
| } | ||||
| @ -6,7 +6,7 @@ | ||||
|     <parent> | ||||
|         <groupId>org.owasp.webgoat.lesson</groupId> | ||||
|         <artifactId>webgoat-lessons-parent</artifactId> | ||||
|         <version>v8.0.0.M14</version> | ||||
|         <version>v8.0.0.SNAPSHOT</version> | ||||
|     </parent> | ||||
|  | ||||
| </project> | ||||
|  | ||||
| @ -1,9 +1,9 @@ | ||||
| package org.owasp.webgoat.plugin.challenge2; | ||||
| package org.owasp.webgoat.plugin; | ||||
| 
 | ||||
| import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.assignments.AssignmentHints; | ||||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.owasp.webgoat.plugin.Flag; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMethod; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| @ -11,22 +11,23 @@ import org.springframework.web.bind.annotation.ResponseBody; | ||||
| 
 | ||||
| import java.io.IOException; | ||||
| 
 | ||||
| import static org.owasp.webgoat.plugin.SolutionConstants.SUPER_COUPON_CODE; | ||||
| 
 | ||||
| /** | ||||
|  * @author nbaars | ||||
|  * @since 4/6/17. | ||||
|  */ | ||||
| @AssignmentPath("/challenge/2") | ||||
| public class Assignment2 extends AssignmentEndpoint { | ||||
| @AssignmentPath("/clientSideFiltering/getItForFree") | ||||
| @AssignmentHints({"client.side.filtering.free.hint1", "client.side.filtering.free.hint2", "client.side.filtering.free.hint3"}) | ||||
| public class ClientSideFilteringFreeAssignment extends AssignmentEndpoint { | ||||
| 
 | ||||
|     public static final String SUPER_COUPON_CODE = "get_it_for_free"; | ||||
| 
 | ||||
|     @RequestMapping(method = RequestMethod.POST) | ||||
|     public | ||||
|     @ResponseBody | ||||
|     AttackResult completed(@RequestParam String checkoutCode) throws IOException { | ||||
|     AttackResult completed(@RequestParam String checkoutCode) { | ||||
|         if (SUPER_COUPON_CODE.equals(checkoutCode)) { | ||||
|             return success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(2)).build(); | ||||
|             return trackProgress(success().build()); | ||||
|         } | ||||
|         return failed().build(); | ||||
|         return trackProgress(failed().build()); | ||||
|     } | ||||
| } | ||||
| @ -1,4 +1,4 @@ | ||||
| package org.owasp.webgoat.plugin.challenge2; | ||||
| package org.owasp.webgoat.plugin; | ||||
| 
 | ||||
| import com.beust.jcommander.internal.Lists; | ||||
| import lombok.AllArgsConstructor; | ||||
| @ -12,21 +12,21 @@ import org.springframework.web.bind.annotation.RestController; | ||||
| import java.util.List; | ||||
| import java.util.Optional; | ||||
| 
 | ||||
| import static org.owasp.webgoat.plugin.SolutionConstants.SUPER_COUPON_CODE; | ||||
| import static org.owasp.webgoat.plugin.ClientSideFilteringFreeAssignment.SUPER_COUPON_CODE; | ||||
| 
 | ||||
| /** | ||||
|  * @author nbaars | ||||
|  * @since 4/6/17. | ||||
|  */ | ||||
| @RestController | ||||
| @RequestMapping("challenge-store") | ||||
| @RequestMapping("/clientSideFiltering/challenge-store") | ||||
| public class ShopEndpoint { | ||||
| 
 | ||||
|     @AllArgsConstructor | ||||
|     private class CheckoutCodes { | ||||
| 
 | ||||
|         @Getter | ||||
|         private List<CheckoutCode> codes = Lists.newArrayList(); | ||||
|         private List<CheckoutCode> codes; | ||||
| 
 | ||||
|         public Optional<CheckoutCode> get(String code) { | ||||
|             return codes.stream().filter(c -> c.getCode().equals(code)).findFirst(); | ||||
| @ -73,7 +73,96 @@ | ||||
|         <!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons --> | ||||
|     </div> | ||||
| </div> | ||||
| <div class="lesson-page-wrapper"> | ||||
|     <div class="adoc-content" th:replace="doc:ClientSideFiltering_final.adoc"></div> | ||||
|     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/clientSideFilteringFree.css}"/> | ||||
|     <script th:src="@{/lesson_js/clientSideFilteringFree.js}" language="JavaScript"></script> | ||||
|     <div class="attack-container"> | ||||
|         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> | ||||
|  | ||||
|         <div class="container-fluid"> | ||||
|             <form class="attack-form" accept-charset="UNKNOWN" | ||||
|                   method="POST" name="form" | ||||
|                   action="/WebGoat/clientSideFiltering/getItForFree" | ||||
|                   enctype="application/json;charset=UTF-8"> | ||||
|  | ||||
|                 <input id="discount" type="hidden" value="0"/> | ||||
|                 <div class="row"> | ||||
|  | ||||
|                     <div class="col-xs-3 item-photo"> | ||||
|                         <img style="max-width:100%;" th:src="@{/images/samsung-black.jpg}"/> | ||||
|                     </div> | ||||
|                     <div class="col-xs-5" style="border:0px solid gray"> | ||||
|                         <h3>Samsung Galaxy S8</h3> | ||||
|                         <h5 style="color:#337ab7"><a href="http://www.samsung.com">Samsung</a> · | ||||
|                             <small style="color:#337ab7">(124421 reviews)</small> | ||||
|                         </h5> | ||||
|  | ||||
|                         <h6 class="title-price"> | ||||
|                             <small>PRICE</small> | ||||
|                         </h6> | ||||
|                         <h3 style="margin-top:0px;"><span>US $</span><span id="price">899</span></h3> | ||||
|  | ||||
|                         <div class="section"> | ||||
|                             <h6 class="title-attr" style="margin-top:15px;"> | ||||
|                                 <small>COLOR</small> | ||||
|                             </h6> | ||||
|                             <div> | ||||
|                                 <div class="attr" style="width:25px;background:lightgrey;"></div> | ||||
|                                 <div class="attr" style="width:25px;background:black;"></div> | ||||
|                             </div> | ||||
|                         </div> | ||||
|                         <div class="section" style="padding-bottom:5px;"> | ||||
|                             <h6 class="title-attr"> | ||||
|                                 <small>CAPACITY</small> | ||||
|                             </h6> | ||||
|                             <div> | ||||
|                                 <div class="attr2">64 GB</div> | ||||
|                                 <div class="attr2">128 GB</div> | ||||
|                             </div> | ||||
|                         </div> | ||||
|                         <div class="section" style="padding-bottom:5px;"> | ||||
|                             <h6 class="title-attr"> | ||||
|                                 <small>QUANTITY</small> | ||||
|                             </h6> | ||||
|                             <div> | ||||
|                                 <div class="btn-minus"><span class="glyphicon glyphicon-minus"></span></div> | ||||
|                                 <input class="quantity" value="1"/> | ||||
|                                 <div class="btn-plus"><span class="glyphicon glyphicon-plus"></span></div> | ||||
|                             </div> | ||||
|                         </div> | ||||
|  | ||||
|                         <div class="section" style="padding-bottom:5px;"> | ||||
|                             <h6 class="title-attr"> | ||||
|                                 <small>CHECKOUT CODE</small> | ||||
|                             </h6> | ||||
|                             <!-- | ||||
|                               Checkout code: webgoat, owasp, owasp-webgoat | ||||
|                             --> | ||||
|                             <input name="checkoutCode" class="checkoutCode" value=""/> | ||||
|  | ||||
|                         </div> | ||||
|  | ||||
|                         <div class="section" style="padding-bottom:20px;"> | ||||
|                             <button type="submit" class="btn btn-success"><span style="margin-right:20px" | ||||
|                                                                                 class="glyphicon glyphicon-shopping-cart" | ||||
|                                                                                 aria-hidden="true"></span>Buy | ||||
|                             </button> | ||||
|                             <h6><a href="#"><span class="glyphicon glyphicon-heart-empty" | ||||
|                                                   style="cursor:pointer;"></span> | ||||
|                                 Like</a></h6> | ||||
|                         </div> | ||||
|                     </div> | ||||
|                 </div> | ||||
|  | ||||
|             </form> | ||||
|         </div> | ||||
|         <br/> | ||||
|         <br/> | ||||
|         <div class="attack-feedback"></div> | ||||
|         <div class="attack-output"></div> | ||||
|     </div> | ||||
| </div> | ||||
|  | ||||
| </html> | ||||
|  | ||||
|  | ||||
| @ -26,3 +26,7 @@ ClientSideFilteringHint10=Stage 2: Your filter operator should look something li | ||||
| ClientSideFilteringInstructions1=STAGE 1: You are logged in as Moe Stooge, CSO of Goat Hills Financial. You have access to everyone in the company's information, except the CEO,  .  Or at least you shouldn't have access to the CEO's information.  For this exercise, examine the contents of the page to see what extra information you can find. | ||||
| ClientSideFilteringInstructions2=STAGE 2: Now, fix the problem.  Modify the server to only return results that Moe Stooge is allowed to see. | ||||
| ClientSideFiltering.incorrect=This is not the salary from Neville Bartholomew... | ||||
|  | ||||
| client.side.filtering.free.hint1=Look through the webpage inspect the sources etc | ||||
| client.side.filtering.free.hint2=Try to see the flow of request from the page to the backend | ||||
| client.side.fiterling.free.hint3=One of the responses contains the answer | ||||
|  | ||||
| Before Width: | Height: | Size: 12 KiB After Width: | Height: | Size: 12 KiB | 
| Before Width: | Height: | Size: 11 KiB After Width: | Height: | Size: 11 KiB | 
| @ -38,7 +38,7 @@ $(document).ready(function () { | ||||
|     }) | ||||
|     $(".checkoutCode").on("blur", function () { | ||||
|         var checkoutCode = $(".checkoutCode").val(); | ||||
|         $.get("challenge-store/coupons/" + checkoutCode, function (result, status) { | ||||
|         $.get("clientSideFiltering/challenge-store/coupons/" + checkoutCode, function (result, status) { | ||||
|             var discount = result.discount; | ||||
|             if (discount > 0) { | ||||
|                 $('#discount').text(discount); | ||||
| @ -0,0 +1,49 @@ | ||||
| package org.owasp.webgoat.plugin; | ||||
|  | ||||
| import org.hamcrest.CoreMatchers; | ||||
| import org.junit.Before; | ||||
| import org.junit.Test; | ||||
| import org.junit.runner.RunWith; | ||||
| import org.mockito.runners.MockitoJUnitRunner; | ||||
| import org.owasp.webgoat.plugins.LessonTest; | ||||
| import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; | ||||
| import org.springframework.test.web.servlet.MockMvc; | ||||
| import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; | ||||
| import org.springframework.test.web.servlet.setup.MockMvcBuilders; | ||||
|  | ||||
| import static org.mockito.Mockito.when; | ||||
| import static org.owasp.webgoat.plugin.ClientSideFilteringFreeAssignment.SUPER_COUPON_CODE; | ||||
| import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; | ||||
|  | ||||
| /** | ||||
|  * @author nbaars | ||||
|  * @since 5/2/17. | ||||
|  */ | ||||
| @RunWith(SpringJUnit4ClassRunner.class) | ||||
| public class ClientSideFilteringFreeAssignmentTest extends LessonTest { | ||||
|  | ||||
|     private MockMvc mockMvc; | ||||
|  | ||||
|     @Before | ||||
|     public void setup() { | ||||
|         ClientSideFiltering clientSideFiltering = new ClientSideFiltering(); | ||||
|         when(webSession.getCurrentLesson()).thenReturn(clientSideFiltering); | ||||
|         this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build(); | ||||
|         when(webSession.getUserName()).thenReturn("unit-test"); | ||||
|     } | ||||
|  | ||||
|     @Test | ||||
|     public void success() throws Exception { | ||||
|         mockMvc.perform(MockMvcRequestBuilders.post("/clientSideFiltering/getItForFree") | ||||
|                 .param("checkoutCode", SUPER_COUPON_CODE)) | ||||
|                 .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true))); | ||||
|     } | ||||
|  | ||||
|     @Test | ||||
|     public void wrongCouponCode() throws Exception { | ||||
|         mockMvc.perform(MockMvcRequestBuilders.post("/clientSideFiltering/getItForFree") | ||||
|                 .param("checkoutCode", "test")) | ||||
|                 .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved")))) | ||||
|                 .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false))); | ||||
|     } | ||||
| } | ||||
| @ -1,4 +1,4 @@ | ||||
| package org.owasp.webgoat.plugin.challenge2; | ||||
| package org.owasp.webgoat.plugin; | ||||
| 
 | ||||
| import org.hamcrest.CoreMatchers; | ||||
| import org.junit.Before; | ||||
| @ -9,7 +9,7 @@ import org.springframework.test.web.servlet.MockMvc; | ||||
| import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; | ||||
| 
 | ||||
| import static org.hamcrest.Matchers.is; | ||||
| import static org.owasp.webgoat.plugin.SolutionConstants.SUPER_COUPON_CODE; | ||||
| import static org.owasp.webgoat.plugin.ClientSideFilteringFreeAssignment.SUPER_COUPON_CODE; | ||||
| import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; | ||||
| import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup; | ||||
| 
 | ||||
| @ -30,28 +30,28 @@ public class ShopEndpointTest { | ||||
| 
 | ||||
|     @Test | ||||
|     public void getSuperCoupon() throws Exception { | ||||
|         mockMvc.perform(MockMvcRequestBuilders.get("/challenge-store/coupons/" + SUPER_COUPON_CODE)) | ||||
|         mockMvc.perform(MockMvcRequestBuilders.get("/clientSideFiltering/challenge-store/coupons/" + SUPER_COUPON_CODE)) | ||||
|                 .andExpect(jsonPath("$.code", CoreMatchers.is(SUPER_COUPON_CODE))) | ||||
|                 .andExpect(jsonPath("$.discount", CoreMatchers.is(100))); | ||||
|     } | ||||
| 
 | ||||
|     @Test | ||||
|     public void getCoupon() throws Exception { | ||||
|         mockMvc.perform(MockMvcRequestBuilders.get("/challenge-store/coupons/webgoat")) | ||||
|         mockMvc.perform(MockMvcRequestBuilders.get("/clientSideFiltering/challenge-store/coupons/webgoat")) | ||||
|                 .andExpect(jsonPath("$.code", CoreMatchers.is("webgoat"))) | ||||
|                 .andExpect(jsonPath("$.discount", CoreMatchers.is(25))); | ||||
|     } | ||||
| 
 | ||||
|     @Test | ||||
|     public void askForUnknownCouponCode() throws Exception { | ||||
|         mockMvc.perform(MockMvcRequestBuilders.get("/challenge-store/coupons/does-not-exists")) | ||||
|         mockMvc.perform(MockMvcRequestBuilders.get("/clientSideFiltering/challenge-store/coupons/does-not-exists")) | ||||
|                 .andExpect(jsonPath("$.code", CoreMatchers.is("no"))) | ||||
|                 .andExpect(jsonPath("$.discount", CoreMatchers.is(0))); | ||||
|     } | ||||
| 
 | ||||
|     @Test | ||||
|     public void fetchAllTheCouponsShouldContainGetItForFree() throws Exception { | ||||
|         mockMvc.perform(MockMvcRequestBuilders.get("/challenge-store/coupons/")) | ||||
|         mockMvc.perform(MockMvcRequestBuilders.get("/clientSideFiltering/challenge-store/coupons/")) | ||||
|                 .andExpect(jsonPath("$.codes[3].code", is("get_it_for_free"))); | ||||
|     } | ||||
| 
 | ||||
| @ -6,7 +6,7 @@ | ||||
|     <parent> | ||||
|         <groupId>org.owasp.webgoat.lesson</groupId> | ||||
|         <artifactId>webgoat-lessons-parent</artifactId> | ||||
|         <version>v8.0.0.M14</version> | ||||
|         <version>v8.0.0.SNAPSHOT</version> | ||||
|     </parent> | ||||
|     <build> | ||||
|        <plugins> | ||||
|  | ||||
| @ -6,6 +6,6 @@ | ||||
|     <parent> | ||||
|         <groupId>org.owasp.webgoat.lesson</groupId> | ||||
|         <artifactId>webgoat-lessons-parent</artifactId> | ||||
|         <version>v8.0.0.M14</version> | ||||
|         <version>v8.0.0.SNAPSHOT</version> | ||||
|     </parent> | ||||
| </project> | ||||
| @ -6,12 +6,9 @@ import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.owasp.webgoat.session.UserSessionData; | ||||
| import org.springframework.beans.factory.annotation.Autowired; | ||||
| import org.springframework.web.bind.annotation.GetMapping; | ||||
| import org.springframework.web.bind.annotation.PostMapping; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
|  | ||||
| import javax.servlet.http.HttpServletRequest; | ||||
|  | ||||
| /** | ||||
|  * Created by jason on 9/29/17. | ||||
|  */ | ||||
| @ -24,12 +21,16 @@ public class CSRFConfirmFlag1 extends AssignmentEndpoint { | ||||
|     UserSessionData userSessionData; | ||||
|  | ||||
|     @PostMapping(produces = {"application/json"}) | ||||
|     public @ResponseBody AttackResult completed(String confirmFlagVal) { | ||||
|     public @ResponseBody | ||||
|     AttackResult completed(String confirmFlagVal) { | ||||
|  | ||||
|         if (confirmFlagVal.equals(userSessionData.getValue("csrf-get-success").toString())) { | ||||
|             return success().feedback("csrf-get-null-referer.success").output("Correct, the flag was " + userSessionData.getValue("csrf-get-success")).build(); | ||||
|         Object userSessionDataStr = userSessionData.getValue("csrf-get-success"); | ||||
|         if (userSessionDataStr != null && confirmFlagVal.equals(userSessionDataStr.toString())) { | ||||
|             return trackProgress( | ||||
|                     success().feedback("csrf-get-null-referer.success").output("Correct, the flag was " + userSessionData.getValue("csrf-get-success")).build() | ||||
|             ); | ||||
|         } | ||||
|  | ||||
|         return  failed().feedback("").build(); | ||||
|         return trackProgress(failed().build()); | ||||
|     } | ||||
| } | ||||
|  | ||||
| @ -64,8 +64,12 @@ public class CSRFFeedback extends AssignmentEndpoint { | ||||
|  | ||||
|     private boolean hostOrRefererDifferentHost(HttpServletRequest request) { | ||||
|         String referer = request.getHeader("referer"); | ||||
|         String host = request.getHeader("host"); | ||||
|         return !StringUtils.contains(referer, host); | ||||
|         String origin = request.getHeader("origin"); | ||||
|         if (referer != null) { | ||||
|             return !referer.contains(origin); | ||||
|         } else { | ||||
|             return true; //this case referer is null or origin does not matter we cannot compare so we return true which should of course be false | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     private boolean requestContainsWebGoatCookie(Cookie[] cookies) { | ||||
|  | ||||
| @ -40,12 +40,22 @@ public class CSRFGetFlag extends Endpoint { | ||||
|         String referer = (req.getHeader("referer") == null) ? "NULL" : req.getHeader("referer"); | ||||
|         String[] refererArr = referer.split("/"); | ||||
|  | ||||
|         if (referer.equals("NULL") && req.getParameter("csrf").equals("true")) { | ||||
|  | ||||
|  | ||||
|         if (referer.equals("NULL")) { | ||||
|             if (req.getParameter("csrf").equals("true")) { | ||||
|                 Random random = new Random(); | ||||
|                 userSessionData.setValue("csrf-get-success", random.nextInt(65536)); | ||||
|                 response.put("success", true); | ||||
|                 response.put("message", pluginMessages.getMessage("csrf-get-null-referer.success")); | ||||
|                 response.put("flag", userSessionData.getValue("csrf-get-success")); | ||||
|             } else { | ||||
|                 Random random = new Random(); | ||||
|                 userSessionData.setValue("csrf-get-success", random.nextInt(65536)); | ||||
|                 response.put("success", true); | ||||
|                 response.put("message", pluginMessages.getMessage("csrf-get-other-referer.success")); | ||||
|                 response.put("flag", userSessionData.getValue("csrf-get-success")); | ||||
|             } | ||||
|         } else if (refererArr[2].equals(host)) { | ||||
|             response.put("success", false); | ||||
|             response.put("message", "Appears the request came from the original host"); | ||||
|  | ||||
| @ -1,69 +0,0 @@ | ||||
| package org.owasp.webgoat.plugin; | ||||
|  | ||||
| import org.owasp.webgoat.assignments.Endpoint; | ||||
| import org.owasp.webgoat.i18n.PluginMessages; | ||||
| import org.owasp.webgoat.session.UserSessionData; | ||||
| import org.springframework.beans.factory.annotation.Autowired; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMethod; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
|  | ||||
| import javax.servlet.ServletException; | ||||
| import javax.servlet.http.HttpServletRequest; | ||||
| import javax.servlet.http.HttpServletResponse; | ||||
| import java.io.IOException; | ||||
| import java.util.HashMap; | ||||
| import java.util.Map; | ||||
| import java.util.Random; | ||||
|  | ||||
| /** | ||||
|  * Created by jason on 9/30/17. | ||||
|  */ | ||||
|  | ||||
| public class CSRFGetXhrFlag extends Endpoint { | ||||
|  | ||||
|     @Autowired | ||||
|     UserSessionData userSessionData; | ||||
|     @Autowired | ||||
|     private PluginMessages pluginMessages; | ||||
|  | ||||
|     @RequestMapping(produces = {"application/json"}, method = RequestMethod.GET) | ||||
|     @ResponseBody | ||||
|     public Map<String, Object> invoke(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { | ||||
|  | ||||
|         Map<String,Object> response = new HashMap<>(); | ||||
|  | ||||
|         String host = (req.getHeader("host") == null) ? "NULL" : req.getHeader("host"); | ||||
| //        String origin = (req.getHeader("origin") == null) ? "NULL" : req.getHeader("origin"); | ||||
| //        Integer serverPort = (req.getServerPort() < 1) ? 0 : req.getServerPort(); | ||||
| //        String serverName = (req.getServerName() == null) ? "NULL" : req.getServerName(); | ||||
|         String referer = (req.getHeader("referer") == null) ? "NULL" : req.getHeader("referer"); | ||||
|         String[] refererArr = referer.split("/"); | ||||
|  | ||||
|         if (referer.equals("NULL") && req.getParameter("csrf").equals("true")) { | ||||
|             Random random = new Random(); | ||||
|             userSessionData.setValue("csrf-get-success", random.nextInt(65536)); | ||||
|             response.put("success",true); | ||||
|             response.put("message",pluginMessages.getMessage("csrf-get-null-referer.success")); | ||||
|             response.put("flag",userSessionData.getValue("csrf-get-success")); | ||||
|         }  else if (refererArr[2].equals(host)) { | ||||
|             response.put("success", false); | ||||
|             response.put("message", "Appears the request came from the original host"); | ||||
|             response.put("flag", null); | ||||
|         } else { | ||||
|             Random random = new Random(); | ||||
|             userSessionData.setValue("csrf-get-success", random.nextInt(65536)); | ||||
|             response.put("success",true); | ||||
|             response.put("message",pluginMessages.getMessage("csrf-get-other-referer.success")); | ||||
|             response.put("flag",userSessionData.getValue("csrf-get-success")); | ||||
|         } | ||||
|  | ||||
|         return response; | ||||
|  | ||||
|     } | ||||
|  | ||||
|     @Override | ||||
|     public String getPath() { | ||||
|         return "/csrf/get-xhr-flag"; | ||||
|     } | ||||
| } | ||||
| @ -115,22 +115,13 @@ public class ForgedReviews extends AssignmentEndpoint { | ||||
|         userReviews.put(webSession.getUserName(), reviews); | ||||
|         //short-circuit | ||||
|         if (validateReq == null || !validateReq.equals(weakAntiCSRF)) { | ||||
|             return failed().feedback("csrf-you-forgot-something").build(); | ||||
|             return trackProgress(failed().feedback("csrf-you-forgot-something").build()); | ||||
|         } | ||||
|         //we have the spoofed files | ||||
|         if (referer != "NULL" && refererArr[2].equals(host) ) { | ||||
|             return (failed().feedback("csrf-same-host").build()); | ||||
|             return trackProgress(failed().feedback("csrf-same-host").build()); | ||||
|         } else { | ||||
|             return (success().feedback("csrf-review.success").build()); //feedback("xss-stored-comment-failure") | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     private Review parseJson(String comment) { | ||||
|         ObjectMapper mapper = new ObjectMapper(); | ||||
|         try { | ||||
|             return mapper.readValue(comment, Review.class); | ||||
|         } catch (IOException e) { | ||||
|             return new Review(); | ||||
|             return trackProgress(success().feedback("csrf-review.success").build()); //feedback("xss-stored-comment-failure") | ||||
|         } | ||||
|     } | ||||
| } | ||||
|  | ||||
| @ -15,6 +15,7 @@ | ||||
|  | ||||
|     <form accept-charset="UNKNOWN" id="basic-csrf-get" | ||||
|           method="GET" name="form1" | ||||
|           target="_blank" | ||||
|           successCallback="" | ||||
|           action="/WebGoat/csrf/basic-get-flag" | ||||
|           enctype="application/json;charset=UTF-8"> | ||||
| @ -26,10 +27,12 @@ | ||||
|     <div class="adoc-content" th:replace="doc:CSRF_Basic_Get-1.adoc"></div> | ||||
|  | ||||
|     <div class="attack-container"> | ||||
|         <img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/> | ||||
|         <div class="assignment-success"> | ||||
|             <i class="fa fa-2 fa-check hidden" aria-hidden="true"> | ||||
|             </i> | ||||
|         </div> | ||||
|         <br/> | ||||
|         <form class="attack-form" accept-charset="UNKNOWN" id="confirm-flag-1" | ||||
|               method="POST" name="form2" | ||||
|               successCallback="" | ||||
| @ -40,7 +43,10 @@ | ||||
|             <input type="text" length="6" name="confirmFlagVal" value=""/> | ||||
|  | ||||
|             <input name="submit" value="Submit" type="submit"/> | ||||
|  | ||||
|             <br/> | ||||
|             <br/> | ||||
|             <br/> | ||||
|             <br/> | ||||
|         </form> | ||||
|  | ||||
|         <div class="attack-feedback"></div> | ||||
| @ -56,9 +62,9 @@ | ||||
|     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/reviews.css}"/> | ||||
|     <script th:src="@{/lesson_js/csrf-review.js}" language="JavaScript"></script> | ||||
|  | ||||
|     <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> | ||||
|  | ||||
|     <div class="attack-container"> | ||||
|         <img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/> | ||||
|         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> | ||||
|         <div class="container-fluid"> | ||||
|             <div class="panel post"> | ||||
|                 <div class="post-heading"> | ||||
| @ -133,6 +139,7 @@ | ||||
|   padding: 7px; | ||||
|   margin-top:7px; | ||||
|   padding:5px;"> | ||||
|         <div class="attack-container"> | ||||
|             <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> | ||||
|             <div class="container-fluid"> | ||||
|                 <div class="row"> | ||||
| @ -165,7 +172,8 @@ | ||||
|                                         <div class="form-group"> | ||||
|                                             <label for="subject"> | ||||
|                                                 Subject</label> | ||||
|                                         <select id="subject" name="subject" class="form-control" required="required"> | ||||
|                                             <select id="subject" name="subject" class="form-control" | ||||
|                                                     required="required"> | ||||
|                                                 <option value="na" selected="">Choose One:</option> | ||||
|                                                 <option value="service">General Customer Service</option> | ||||
|                                                 <option value="suggestions">Suggestions</option> | ||||
| @ -177,7 +185,8 @@ | ||||
|                                         <div class="form-group"> | ||||
|                                             <label for="name"> | ||||
|                                                 Message</label> | ||||
|                                         <textarea name="message" id="message" class="form-control" rows="9" cols="25" | ||||
|                                             <textarea name="message" id="message" class="form-control" rows="9" | ||||
|                                                       cols="25" | ||||
|                                                       required="required" | ||||
|                                                       placeholder="Message"></textarea> | ||||
|                                         </div> | ||||
| @ -193,6 +202,9 @@ | ||||
|                     </div> | ||||
|                 </div> | ||||
|             </div> | ||||
|             <div class="attack-feedback"></div> | ||||
|             <div class="attack-output"></div> | ||||
|         </div> | ||||
|     </div> | ||||
|  | ||||
|     <div class="attack-container"> | ||||
| @ -211,7 +223,6 @@ | ||||
|             <input name="submit" value="Submit" type="submit"/> | ||||
|  | ||||
|         </form> | ||||
|  | ||||
|         <div class="attack-feedback"></div> | ||||
|         <div class="attack-output"></div> | ||||
|     </div> | ||||
|  | ||||
| @ -13,9 +13,14 @@ match and this will ensure the server the request is running on the same domain. | ||||
|  | ||||
| Remember the session cookie should always be defined with http-only flag. | ||||
|  | ||||
| Another effective defense can be to add a custom request header to each call. This will work if all the interactions | ||||
| == Custom headers not safe | ||||
|  | ||||
| Another defense can be to add a custom request header to each call. This will work if all the interactions | ||||
| with the server are performed with JavaScript. On the server side you only need to check the presence of this header | ||||
| if this header is not present deny the request. | ||||
| Some frameworks offer this implementation by default however researcer Alex Infuhr found out that this can be bypassed | ||||
| as well. You can read about: http://insert-blogspot.nl/2018/05/adobe-reader-pdf-client-side-request.html?m=1[Adobe Reader PDF - Client Side Request Injection] | ||||
|  | ||||
|  | ||||
|  | ||||
|  | ||||
|  | ||||
| @ -4,7 +4,20 @@ The impact is limited only by what the logged in user can do (if the site/functi | ||||
| The areas that are really prone to CSRF attacks are IoT devices and 'smart' appliances.  Sadly, many consumer-grade routers | ||||
| have also proven vulnerable to CSRF. | ||||
|  | ||||
| == CSRF Solution | ||||
| == CSRF solutions | ||||
|  | ||||
| === Same site cookie attribute | ||||
|  | ||||
| This is a new extension which modern browsers support which limits the scope of the cookie such that it will only be | ||||
| attached to requests if those requests are 'same-site' | ||||
| For example requests for `http://webgoat.org/something` will attach same-site cookies if the request is initiated from | ||||
| `webgoat.org`. | ||||
| There are two modes, strict and lax. The first one does not allow cross site request, this means when you are on | ||||
| github.com and you want to like it through Facebook (and Facebook specifies same-site as strict) you will be | ||||
| redirected to the login page, because the browser does not attach the cookie for Facebook. | ||||
| More information can be found here: www.sjoerdlangkemper.nl/2016/04/14/preventin-csrf-with-samesite-cookie-attribute/ | ||||
|  | ||||
| === Other protections | ||||
|  | ||||
| Fortunately, many (web) application frameworks now come with built in support to handle CSRF attacks.  For example, Spring and | ||||
| Tomcat have this on by default.  As long as you don't turn it off (like it is in WebGoat), you should be safe from CSRF attacks. | ||||
|  | ||||
| @ -3,7 +3,7 @@ | ||||
| A lot of web applications implement no protection against CSRF they are somehow protected by the fact that | ||||
| they only work with `application/json` as content type. The only way to make a request with this content-type from the | ||||
| browser is with a XHR request. Before the browser can make such a request a preflight request will be made towards | ||||
| the server (remember the CSRF request will be cross origin). If the preflight response does not allow the cross origin | ||||
| the server (remember the CSRF request will be cross origin). If the pre-flight response does not allow the cross origin | ||||
| request the browser will not make the call. | ||||
|  | ||||
| To make a long answer short: this is *not* a valid protection against CSRF. | ||||
|  | ||||
| @ -46,13 +46,10 @@ public class CSRFFeedbackTest extends LessonTest { | ||||
|         mockMvc.perform(post("/csrf/feedback/message") | ||||
|                 .contentType(MediaType.TEXT_PLAIN) | ||||
|                 .cookie(new Cookie("JSESSIONID", "test")) | ||||
|                 .header("host", "localhost:8080") | ||||
|                 .header("origin", "localhost:8080") | ||||
|                 .header("referer", "webgoat.org") | ||||
|                 .content("{\"name\": \"Test\", \"email\": \"test1233@dfssdf.de\", \"subject\": \"service\", \"message\":\"dsaffd\"}")) | ||||
|                 .andExpect(jsonPath("lessonCompleted", is(true))) | ||||
|                 .andExpect(jsonPath("feedback", StringContains.containsString("the flag is: "))); | ||||
|     } | ||||
|  | ||||
|  | ||||
|  | ||||
| } | ||||
| @ -6,7 +6,7 @@ | ||||
|     <parent> | ||||
|         <groupId>org.owasp.webgoat.lesson</groupId> | ||||
|         <artifactId>webgoat-lessons-parent</artifactId> | ||||
|         <version>v8.0.0.M14</version> | ||||
|         <version>v8.0.0.SNAPSHOT</version> | ||||
|     </parent> | ||||
|  | ||||
|     <dependencies> | ||||
|  | ||||
| @ -6,7 +6,7 @@ | ||||
|     <parent> | ||||
|         <groupId>org.owasp.webgoat.lesson</groupId> | ||||
|         <artifactId>webgoat-lessons-parent</artifactId> | ||||
|         <version>v8.0.0.M14</version> | ||||
|         <version>v8.0.0.SNAPSHOT</version> | ||||
|     </parent> | ||||
|  | ||||
| </project> | ||||
|  | ||||
| @ -6,7 +6,7 @@ | ||||
|     <parent> | ||||
|         <groupId>org.owasp.webgoat.lesson</groupId> | ||||
|         <artifactId>webgoat-lessons-parent</artifactId> | ||||
|         <version>v8.0.0.M14</version> | ||||
|         <version>v8.0.0.SNAPSHOT</version> | ||||
|     </parent> | ||||
|  | ||||
|     <dependencies> | ||||
|  | ||||
| @ -48,7 +48,7 @@ public class HttpBasicsInterceptRequest extends AssignmentEndpoint { | ||||
|  | ||||
| 	@RequestMapping(method = RequestMethod.GET) | ||||
| 	public @ResponseBody | ||||
| 	AttackResult completed(HttpServletRequest request) throws IOException { | ||||
| 	AttackResult completed(HttpServletRequest request) { | ||||
| 		String header = null; | ||||
| 		String param = null; | ||||
| 		if (request != null && (header = request.getHeader("x-request-intercepted")) != null | ||||
|  | ||||
| @ -3,36 +3,27 @@ | ||||
| <html xmlns:th="http://www.thymeleaf.org"> | ||||
|  | ||||
|     <div class="lesson-page-wrapper"> | ||||
|         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> | ||||
|         <!-- include content here. Content will be presented via asciidocs files, | ||||
|         which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> | ||||
|         <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro0.adoc"></div> | ||||
|     </div> | ||||
|  | ||||
|     <div class="lesson-page-wrapper"> | ||||
| 		<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> | ||||
| 		<!-- include content here. Content will be presented via asciidocs files, | ||||
|         which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> | ||||
| 		<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro1.adoc"></div> | ||||
| 	</div> | ||||
|  | ||||
|     <div class="lesson-page-wrapper"> | ||||
|         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> | ||||
|         <!-- include content here. Content will be presented via asciidocs files, | ||||
|         which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> | ||||
|         <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro2.adoc"></div> | ||||
|     </div> | ||||
|  | ||||
|     <div class="lesson-page-wrapper"> | ||||
| 		<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> | ||||
| 		<!-- include content here. Content will be presented via asciidocs files, | ||||
|         which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> | ||||
| 		<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro3.adoc"></div> | ||||
| 	</div> | ||||
|  | ||||
|     <div class="lesson-page-wrapper"> | ||||
|         <!-- stripped down without extra comments --> | ||||
|         <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro4.adoc"></div> | ||||
|     </div> | ||||
|  | ||||
|     <div class="lesson-page-wrapper"> | ||||
|         <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro5.adoc"></div> | ||||
|         <div class="attack-container"> | ||||
|             <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> | ||||
|             <form class="attack-form" accept-charset="UNKNOWN" name="intercept-request" | ||||
| @ -48,4 +39,8 @@ | ||||
|             <div class="attack-output"></div> | ||||
|         </div> | ||||
|     </div> | ||||
|  | ||||
|     <div class="lesson-page-wrapper"> | ||||
|         <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro6.adoc"></div> | ||||
|     </div> | ||||
| </html> | ||||
|  | ||||
| After Width: | Height: | Size: 176 KiB | 
| After Width: | Height: | Size: 39 KiB | 
| After Width: | Height: | Size: 56 KiB | 
| After Width: | Height: | Size: 170 KiB | 
| After Width: | Height: | Size: 60 KiB | 
| @ -1,26 +1,25 @@ | ||||
| === Use the intercept | ||||
| === Exclude WebGoat internal requests | ||||
|  | ||||
| To intercept a request, you start by clicking the green button. This will set a break point for the next request. | ||||
| Before we start diving into intercepting requests with ZAP we need to exclude the internal requests from the WebGoat | ||||
| framework otherwise ZAP will also stop at all the requests which are only necessary for the internal working of WebGoat. | ||||
|  | ||||
| image::images/proxy-intercept-button.png[Set break/intercept button,style="lesson-image"] | ||||
| Right click on one of the links in history tab and select: `Exclude from -> Proxy`, see image below: | ||||
|  | ||||
| image::images/zap_exclude.png[Select URL from history,style="lesson-image"] | ||||
|  | ||||
| {nbsp} | ||||
|  | ||||
| A new window will open and add the following entries: | ||||
|  | ||||
| ``` | ||||
| http://localhost:8080/WebGoat/service/.* | ||||
| http://localhost:8080/WebGoat/.*.lesson.lesson | ||||
| ``` | ||||
|  | ||||
| Click Ok to close the window, ZAP will now no longer proxy internal WebGoat requests. | ||||
|  | ||||
|  | ||||
| *NOTE*: It is also possible set breakpoints that are triggered on conditions. That won't be covered in this lesson though. You are encouraged to explore. | ||||
| That's part of what hackers do ... explore! | ||||
| image::images/zap_exclude_url.png[Exclude internal APIs from WebGoat,style="lesson-image"] | ||||
|  | ||||
| Once you are intercepting requests and a request is made, it should look something like this: | ||||
|  | ||||
| image::images/proxy-intercept-details.png[ZAP history tab,style="lesson-image"] | ||||
|  | ||||
| === Intercept and modify a request | ||||
|  | ||||
| Set up the intercept as noted above and then submit the form/request below by clicking the submit button. When you request is intercepted (hits the breakpoint), | ||||
| modify it as follows. | ||||
|  | ||||
| * Change the Method to GET | ||||
| * Add a header 'x-request-intercepted:true' | ||||
| * Change the input value 'changeMe' to 'Requests are tampered easily' (without the single quotes) | ||||
|  | ||||
| Then let the request continue through (by hitting the play button). | ||||
|  | ||||
| NOTE: The two play buttons behave a little differently, but we'll let you tinker and figure that out for yourself. | ||||
| @ -0,0 +1,26 @@ | ||||
| === Use the intercept | ||||
|  | ||||
| To intercept a request, you start by clicking the green button. This will set a break point for the next request. | ||||
|  | ||||
| image::images/proxy-intercept-button.png[Set break/intercept button,style="lesson-image"] | ||||
|  | ||||
|  | ||||
| *NOTE*: It is also possible set breakpoints that are triggered on conditions. That won't be covered in this lesson though. You are encouraged to explore. | ||||
| That's part of what hackers do ... explore! | ||||
|  | ||||
| Once you are intercepting requests and a request is made, it should look something like this: | ||||
|  | ||||
| image::images/proxy-intercept-details.png[ZAP history tab,style="lesson-image"] | ||||
|  | ||||
| === Intercept and modify a request | ||||
|  | ||||
| Set up the intercept as noted above and then submit the form/request below by clicking the submit button. When you request is intercepted (hits the breakpoint), | ||||
| modify it as follows. | ||||
|  | ||||
| * Change the Method to GET | ||||
| * Add a header 'x-request-intercepted:true' | ||||
| * Change the input value 'changeMe' to 'Requests are tampered easily' (without the single quotes) | ||||
|  | ||||
| Then let the request continue through (by hitting the play button). | ||||
|  | ||||
| NOTE: The two play buttons behave a little differently, but we'll let you tinker and figure that out for yourself. | ||||
| @ -0,0 +1,29 @@ | ||||
| === Use the "Edit and resend" functionality in ZAP | ||||
|  | ||||
| Another way to send a request again instead of clicking in WebGoat on a button and intercept the request there is also | ||||
| an option to resend the same request again from within ZAP. | ||||
| This may significantly help you to solve an assignment because you do not have to switch to ZAP enable the intercept button | ||||
| and go back to WebGoat and perform the request again from within the browser. | ||||
|  | ||||
| Let's look at an example, we are going to use the e-mail example from the WebWolf introduction lesson. This lesson | ||||
| will generate a request for `/WebGoat/WebWolf/mail`, in the "History" window select the URL you want to resend right click | ||||
| on the URL and select `Open/Resend with Request Editor`. You can also find the request in the left pane of ZAP as indicated | ||||
| with the red arrow in the image below: | ||||
|  | ||||
| image::images/zap_edit_and_resend.png[Open/Resend with Request Editor,style="lesson-image"] | ||||
|  | ||||
| {nbsp} | ||||
|  | ||||
| A new window will open and here you can modify the request for example change the e-mail address to someone else and send it again. | ||||
| In the response tab you can inspect the response of the request. In some assignments the response will show a solved message | ||||
| but sometimes you get a code/flag which you need to submit in WebGoat in order to complete the assignment. Always be on the | ||||
| lookout for the response. If you solved the assignment by make a request in this way WebGoat will automatically mark | ||||
| the lesson as solved. | ||||
|  | ||||
| image::images/zap_edit_and_send.png[Open/Resend with Request Editor,style="lesson-image"] | ||||
|  | ||||
| {nbsp} | ||||
|  | ||||
| image::images/zap_edit_and_response.png[Open/Resend response,style="lesson-image"] | ||||
|  | ||||
|  | ||||
| @ -6,7 +6,7 @@ | ||||
|     <parent> | ||||
|         <groupId>org.owasp.webgoat.lesson</groupId> | ||||
|         <artifactId>webgoat-lessons-parent</artifactId> | ||||
|         <version>v8.0.0.M14</version> | ||||
|         <version>v8.0.0.SNAPSHOT</version> | ||||
|     </parent> | ||||
|  | ||||
| </project> | ||||
							
								
								
									
										27
									
								
								webgoat-lessons/insecure-deserialization/pom.xml
									
									
									
									
									
										Executable file
									
								
							
							
						
						| @ -0,0 +1,27 @@ | ||||
| <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||||
|          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> | ||||
|     <modelVersion>4.0.0</modelVersion> | ||||
|     <artifactId>insecure-deserialization</artifactId> | ||||
|     <packaging>jar</packaging> | ||||
|     <parent> | ||||
|         <groupId>org.owasp.webgoat.lesson</groupId> | ||||
|         <artifactId>webgoat-lessons-parent</artifactId> | ||||
|         <version>v8.0.0.SNAPSHOT</version> | ||||
|     </parent> | ||||
|  | ||||
|     <dependencies> | ||||
|         <dependency> | ||||
|             <groupId>org.springframework.boot</groupId> | ||||
|             <artifactId>spring-boot-starter-test</artifactId> | ||||
|             <scope>test</scope> | ||||
|         </dependency> | ||||
|         <dependency> | ||||
|             <groupId>org.springframework.security</groupId> | ||||
|             <artifactId>spring-security-test</artifactId> | ||||
|             <version>4.1.3.RELEASE</version> | ||||
|             <scope>test</scope> | ||||
|         </dependency> | ||||
|  | ||||
|     </dependencies> | ||||
|  | ||||
| </project> | ||||
| @ -0,0 +1,63 @@ | ||||
| package org.owasp.webgoat.plugin; | ||||
|  | ||||
| import com.beust.jcommander.internal.Lists; | ||||
| import org.owasp.webgoat.lessons.Category; | ||||
| import org.owasp.webgoat.lessons.NewLesson; | ||||
|  | ||||
| import java.util.List; | ||||
|  | ||||
| /** | ||||
|  * ************************************************************************************************ | ||||
|  * This file is part of WebGoat, an Open Web Application Security Project utility. For details, | ||||
|  * please see http://www.owasp.org/ | ||||
|  * <p> | ||||
|  * Copyright (c) 2002 - 20014 Bruce Mayhew | ||||
|  * <p> | ||||
|  * This program is free software; you can redistribute it and/or modify it under the terms of the | ||||
|  * GNU General Public License as published by the Free Software Foundation; either version 2 of the | ||||
|  * License, or (at your option) any later version. | ||||
|  * <p> | ||||
|  * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without | ||||
|  * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||||
|  * General Public License for more details. | ||||
|  * <p> | ||||
|  * You should have received a copy of the GNU General Public License along with this program; if | ||||
|  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA | ||||
|  * 02111-1307, USA. | ||||
|  * <p> | ||||
|  * Getting Source ============== | ||||
|  * <p> | ||||
|  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software | ||||
|  * projects. | ||||
|  * <p> | ||||
|  * | ||||
|  * @author WebGoat | ||||
|  * @version $Id: $Id | ||||
|  * @since October 12, 2016 | ||||
|  */ | ||||
| public class InsecureDeserialization extends NewLesson { | ||||
|     @Override | ||||
|     public Category getDefaultCategory() { | ||||
|         return Category.INSECURE_DESERIALIZATION; | ||||
|     } | ||||
|  | ||||
|     @Override | ||||
|     public List<String> getHints() { | ||||
|         return Lists.newArrayList(); | ||||
|     } | ||||
|  | ||||
|     @Override | ||||
|     public Integer getDefaultRanking() { | ||||
|         return 1; | ||||
|     } | ||||
|  | ||||
|     @Override | ||||
|     public String getTitle() { | ||||
|         return "insecure-deserialization.title"; | ||||
|     } | ||||
|  | ||||
|     @Override | ||||
|     public String getId() { | ||||
|         return "InsecureDeserialization"; | ||||
|     } | ||||
| } | ||||
| @ -0,0 +1,90 @@ | ||||
| package org.owasp.webgoat.plugin; | ||||
|  | ||||
| import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMethod; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
|  | ||||
| import javax.servlet.http.HttpServletRequest; | ||||
| import java.io.IOException; | ||||
| import java.io.ObjectInputStream; | ||||
| import java.io.ByteArrayInputStream; | ||||
| import java.util.Base64; | ||||
|  | ||||
| /** | ||||
|  * ************************************************************************************************* | ||||
|  * | ||||
|  * | ||||
|  * This file is part of WebGoat, an Open Web Application Security Project | ||||
|  * utility. For details, please see http://www.owasp.org/ | ||||
|  * | ||||
|  * Copyright (c) 2002 - 20014 Bruce Mayhew | ||||
|  * | ||||
|  * This program is free software; you can redistribute it and/or modify it under | ||||
|  * the terms of the GNU General Public License as published by the Free Software | ||||
|  * Foundation; either version 2 of the License, or (at your option) any later | ||||
|  * version. | ||||
|  * | ||||
|  * This program is distributed in the hope that it will be useful, but WITHOUT | ||||
|  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS | ||||
|  * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more | ||||
|  * details. | ||||
|  * | ||||
|  * You should have received a copy of the GNU General Public License along with | ||||
|  * this program; if not, write to the Free Software Foundation, Inc., 59 Temple | ||||
|  * Place - Suite 330, Boston, MA 02111-1307, USA. | ||||
|  * | ||||
|  * Getting Source ============== | ||||
|  * | ||||
|  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository | ||||
|  * for free software projects. | ||||
|  * | ||||
|  * For details, please see http://webgoat.github.io | ||||
|  * | ||||
|  * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a> | ||||
|  * @created October 28, 2003 | ||||
|  */ | ||||
| @AssignmentPath("/InsecureDeserialization/task") | ||||
| public class InsecureDeserializationTask extends AssignmentEndpoint { | ||||
|  | ||||
|     @RequestMapping(method = RequestMethod.POST) | ||||
|     public | ||||
|     @ResponseBody | ||||
|     AttackResult completed(@RequestParam String token) throws IOException { | ||||
|         String b64token; | ||||
|         byte [] data; | ||||
|         ObjectInputStream ois; | ||||
|         Object o; | ||||
|         long before, after; | ||||
|         int delay; | ||||
|  | ||||
|         b64token = token.replace('-', '+').replace('_', '/'); | ||||
|         try { | ||||
|             data = Base64.getDecoder().decode(b64token); | ||||
|             ois = new ObjectInputStream( new ByteArrayInputStream(data) ); | ||||
|         } catch (Exception e) { | ||||
|             return trackProgress(failed().build()); | ||||
|         } | ||||
|  | ||||
|         before = System.currentTimeMillis(); | ||||
|         try { | ||||
|             o = ois.readObject(); | ||||
|         } catch (Exception e) { | ||||
|             o = null; | ||||
|         } | ||||
|         after = System.currentTimeMillis(); | ||||
|         ois.close(); | ||||
|  | ||||
|         delay = (int)(after - before); | ||||
|         if ( delay > 7000 ) { | ||||
|             return trackProgress(failed().build()); | ||||
|         } | ||||
|         if ( delay < 3000 ) { | ||||
|             return trackProgress(failed().build()); | ||||
|         }  | ||||
|         return trackProgress(success().build()); | ||||
|     } | ||||
| } | ||||
| @ -0,0 +1,41 @@ | ||||
| <!DOCTYPE html> | ||||
|  | ||||
| <html xmlns:th="http://www.thymeleaf.org"> | ||||
|  | ||||
|     <div class="lesson-page-wrapper"> | ||||
|         <div class="adoc-content" th:replace="doc:InsecureDeserialization_Intro.adoc"></div> | ||||
|     </div> | ||||
|  | ||||
|     <div class="lesson-page-wrapper"> | ||||
|         <div class="adoc-content" th:replace="doc:InsecureDeserialization_WhatIs.adoc"></div> | ||||
|     </div> | ||||
|  | ||||
|     <div class="lesson-page-wrapper"> | ||||
|         <div class="adoc-content" th:replace="doc:InsecureDeserialization_SimpleExploit.adoc"></div> | ||||
|     </div> | ||||
|  | ||||
|     <div class="lesson-page-wrapper"> | ||||
|         <div class="adoc-content" th:replace="doc:InsecureDeserialization_GadgetChain.adoc"></div> | ||||
|     </div> | ||||
|  | ||||
|     <div class="lesson-page-wrapper"> | ||||
|         <!-- stripped down without extra comments --> | ||||
|         <div class="adoc-content" th:replace="doc:InsecureDeserialization_Task.adoc"></div> | ||||
|         <div class="attack-container"> | ||||
|             <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> | ||||
|             <script th:src="@{/lesson_js/credentials.js}" | ||||
|                     language="JavaScript"></script> | ||||
|             <form class="attack-form" accept-charset="UNKNOWN" name="task" | ||||
|                   method="POST" | ||||
|                   action="/WebGoat/InsecureDeserialization/task" | ||||
|                   enctype="application/json;charset=UTF-8"> | ||||
|  | ||||
|                 <input type="textarea" rows="4" cols="40" value="" name="token" placeholder="token"/> | ||||
|                 <input type="submit" value="Submit" /> | ||||
|  | ||||
|             </form> | ||||
|             <div class="attack-feedback"></div> | ||||
|             <div class="attack-output"></div> | ||||
|         </div> | ||||
|     </div> | ||||
| </html> | ||||
| @ -0,0 +1,4 @@ | ||||
| insecure-deserialization.title=Insecure Deserialization | ||||
|  | ||||
| insecure-deserialization.intercept.success=Dangerous object received! | ||||
| insecure-deserialization.intercept.failure=Try again | ||||
| @ -0,0 +1,6 @@ | ||||
| function submit_secret_credentials() { | ||||
|     var xhttp = new XMLHttpRequest(); | ||||
|     xhttp['open']('POST', '#attack/307/100', true); | ||||
| 	//sending the request is obfuscated, to descourage js reading | ||||
| 	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]})) | ||||
| } | ||||
| @ -0,0 +1,5 @@ | ||||
| == What is a Gadgets Chain | ||||
|  | ||||
| It is weird (but it could happen) to find a gadget that runs dangerous actions itself when is deserialized. However, it is much easier to find a gadget that runs action on other gadget when it is deserializaded, and that second gadget runs more actions on a third gadget, and so on until a real dangerous action is triggered. That set of gadgets that can be used in a deserialization process to achieve dangerous actions is called "Gadget Chain". | ||||
|  | ||||
| Finding gadgets to build gadget chains is an active topic for security researchers. This kind of research usually requires to spend a big amount of time reading code. | ||||
| @ -0,0 +1,10 @@ | ||||
|  | ||||
| == Concept | ||||
|  | ||||
| This lesson describes what is Serialization and how it can be manipulated to perform tasks that were not the original intent of the developer. | ||||
|  | ||||
| == Goals | ||||
| * The user should have a basic understanding of Java programming language | ||||
| * The user will be able to detect insecure deserialization vulnerabilities | ||||
| * The user will be able to exploit insecure deserialization vulnerabilities | ||||
| * Exploiting deserialization is slightly different in other programming languages such as PHP or Python, but the key concepts learnt here also applies to all of them | ||||
| @ -0,0 +1,46 @@ | ||||
| == The Simplest Exploit | ||||
|  | ||||
| === Vulnerable code | ||||
|  | ||||
| The following is a well-known example for a Java Deserialization vulnerability. | ||||
|  | ||||
| [source,java] | ||||
| ---- | ||||
| InputStream is = request.getInputStream(); | ||||
| ObjectInputStream ois = new ObjectInputStream(is); | ||||
| AcmeObject acme = (AcmeObject)ois.readObject(); | ||||
| ---- | ||||
|  | ||||
| It is expecting an `AcmeObject` object, but it will execute `readObject()` before the casting ocurs. | ||||
| If an attacker finds the proper class implementing dangerous operations in `readObject()`, he could serialize that object and force the vulnerable application to performe those actions. | ||||
|  | ||||
| === Class included in ClassPath | ||||
|  | ||||
| Attackers need to find a class in the classpath that supports serialization and with dangerous implementations on `readObject()`. | ||||
|  | ||||
| [source,java] | ||||
| ---- | ||||
| public class GadgetObject implements Serializable { | ||||
|     String cmd; | ||||
|  | ||||
|     private void readObject( ObjectInputStream stream ) throws Exception { | ||||
|         Runtime.getRuntime().exec(cmd); | ||||
|     } | ||||
| } | ||||
| ---- | ||||
|  | ||||
| === Exploit | ||||
|  | ||||
| If the java class shown above exists, attackers can serialize that object and obtain Remote Code Execution. | ||||
|  | ||||
| [source,java] | ||||
| ---- | ||||
| GadgetObject go = new GadgetObject(); | ||||
| go.cmd = "touch /tmp/pwned.txt"; | ||||
|  | ||||
| ByteArrayOutputStream bos = new ByteArrayOutputStream(); | ||||
| ObjectOutputStream oos = new ObjectOutputStream(bos); | ||||
| oos.writeObject(go); | ||||
| oos.flush(); | ||||
| byte[] exploit = bos.toByteArray(); | ||||
| ---- | ||||
| @ -0,0 +1,8 @@ | ||||
| === Let's try | ||||
| The following input box receives a serialized object (a string) and it deserialzes it. | ||||
|  | ||||
| ``` | ||||
| rO0ABXQAVklmIHlvdSBkZXNlcmlhbGl6ZSBtZSBkb3duLCBJIHNoYWxsIGJlY29tZSBtb3JlIHBvd2VyZnVsIHRoYW4geW91IGNhbiBwb3NzaWJseSBpbWFnaW5l | ||||
| ``` | ||||
|  | ||||
| Try to change this serialized object in order to delay the page response for exactly 5 seconds. | ||||
| @ -0,0 +1,23 @@ | ||||
| == What is Serialization | ||||
|  | ||||
| Serialization is the process of turning some object into a data format that can be restored later. People often serialize objects in order to save them to storage, or to send as part of communications. Deserialization is the reverse of that process taking data structured from some format, and rebuilding it into an object. Today, the most popular data format for serializing data is JSON. Before that, it was XML. | ||||
|  | ||||
| ---- | ||||
| a:4:{i:0;i:132;i:1;s:7:"Mallory";i:2;s:4:"user"; i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";} | ||||
| ---- | ||||
|  | ||||
| === Native Serialization | ||||
|  | ||||
| Many programming languages offer a native capability for serializing objects. These native formats usually offer more features than JSON or XML, including customizability of the serialization process. Unfortunately, the features of these native deserialization mechanisms can be repurposed for malicious effect when operating on untrusted data. Attacks against deserializers have been found to allow denial-of-service, access control, and remote code execution attacks. | ||||
|  | ||||
| === Known Affected Programming Languages | ||||
| * PHP | ||||
| * Python | ||||
| * Ruby | ||||
| * Java | ||||
| * C | ||||
| * C++ | ||||
|  | ||||
| === Data, not Code | ||||
|  | ||||
| ONLY data is serialized. Code is not serialized itself. Deserialization creates a new object and copies all the data from the byte stream, in order to obtain and object identical to the object that was serialized. | ||||
| @ -6,7 +6,7 @@ | ||||
|     <parent> | ||||
|         <groupId>org.owasp.webgoat.lesson</groupId> | ||||
|         <artifactId>webgoat-lessons-parent</artifactId> | ||||
|         <version>v8.0.0.M14</version> | ||||
|         <version>v8.0.0.SNAPSHOT</version> | ||||
|     </parent> | ||||
|  | ||||
|     <dependencies> | ||||
|  | ||||
| @ -1,6 +1,6 @@ | ||||
|  | ||||
| == Concept | ||||
| Encryption is a very inportant tool for secure communication. In this lesson, we will find out, why it should always be employed when sending sensitive data. | ||||
| Encryption is a very important tool for secure communication. In this lesson, we will find out, why it should always be employed when sending sensitive data. | ||||
|  | ||||
| == Goals | ||||
| * The user should have a basic understanding of packet sniffer usage | ||||
|  | ||||
| @ -6,7 +6,21 @@ | ||||
|     <parent> | ||||
|         <groupId>org.owasp.webgoat.lesson</groupId> | ||||
|         <artifactId>webgoat-lessons-parent</artifactId> | ||||
|         <version>v8.0.0.M14</version> | ||||
|         <version>v8.0.0.SNAPSHOT</version> | ||||
|     </parent> | ||||
|  | ||||
|     <dependencies> | ||||
|         <dependency> | ||||
|             <groupId>io.jsonwebtoken</groupId> | ||||
|             <artifactId>jjwt</artifactId> | ||||
|             <version>0.7.0</version> | ||||
|         </dependency> | ||||
|         <dependency> | ||||
|             <groupId>org.springframework.security</groupId> | ||||
|             <artifactId>spring-security-test</artifactId> | ||||
|             <version>4.1.3.RELEASE</version> | ||||
|             <scope>test</scope> | ||||
|         </dependency> | ||||
|     </dependencies> | ||||
|  | ||||
| </project> | ||||
|  | ||||
| @ -0,0 +1,106 @@ | ||||
| package org.owasp.webgoat.plugin; | ||||
|  | ||||
| import com.google.common.base.Charsets; | ||||
| import io.jsonwebtoken.*; | ||||
| import io.jsonwebtoken.impl.TextCodec; | ||||
| import org.apache.commons.lang3.StringUtils; | ||||
| import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.assignments.AssignmentHints; | ||||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.owasp.webgoat.session.DatabaseUtilities; | ||||
| import org.owasp.webgoat.session.WebSession; | ||||
| import org.springframework.beans.factory.annotation.Autowired; | ||||
| import org.springframework.web.bind.annotation.PathVariable; | ||||
| import org.springframework.web.bind.annotation.PostMapping; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
|  | ||||
| import java.sql.Connection; | ||||
| import java.sql.ResultSet; | ||||
| import java.sql.SQLException; | ||||
|  | ||||
| /** | ||||
|  * <pre> | ||||
|  *  { | ||||
|  *      "typ": "JWT", | ||||
|  *      "kid": "webgoat_key", | ||||
|  *      "alg": "HS256" | ||||
|  *  } | ||||
|  *  { | ||||
|  *       "iss": "WebGoat Token Builder", | ||||
|  *       "iat": 1524210904, | ||||
|  *       "exp": 1618905304, | ||||
|  *       "aud": "webgoat.org", | ||||
|  *       "sub": "jerry@webgoat.com", | ||||
|  *       "username": "Jerry", | ||||
|  *       "Email": "jerry@webgoat.com", | ||||
|  *       "Role": [ | ||||
|  *       "Cat" | ||||
|  *       ] | ||||
|  *  } | ||||
|  * </pre> | ||||
|  * | ||||
|  * @author nbaars | ||||
|  * @since 4/23/17. | ||||
|  */ | ||||
| @AssignmentPath("/JWT/final") | ||||
| @AssignmentHints({"jwt-final-hint1", "jwt-final-hint2", "jwt-final-hint3", "jwt-final-hint4", "jwt-final-hint5", "jwt-final-hint6"}) | ||||
| public class JWTFinalEndpoint extends AssignmentEndpoint { | ||||
|  | ||||
|     @Autowired | ||||
|     private WebSession webSession; | ||||
|  | ||||
|     @PostMapping("follow/{user}") | ||||
|     public @ResponseBody | ||||
|     String follow(@PathVariable("user") String user) { | ||||
|         if ("Jerry".equals(user)) { | ||||
|             return "Following yourself seems redundant"; | ||||
|         } else { | ||||
|             return "You are now following Tom"; | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     @PostMapping("delete") | ||||
|     public @ResponseBody | ||||
|     AttackResult resetVotes(@RequestParam("token") String token) { | ||||
|         if (StringUtils.isEmpty(token)) { | ||||
|             return trackProgress(failed().feedback("jwt-invalid-token").build()); | ||||
|         } else { | ||||
|             try { | ||||
|                 final String[] errorMessage = {null}; | ||||
|                 Jwt jwt = Jwts.parser().setSigningKeyResolver(new SigningKeyResolverAdapter() { | ||||
|                     @Override | ||||
|                     public byte[] resolveSigningKeyBytes(JwsHeader header, Claims claims) { | ||||
|                         final String kid = (String) header.get("kid"); | ||||
|                         try { | ||||
|                             Connection connection = DatabaseUtilities.getConnection(webSession); | ||||
|                             ResultSet rs = connection.createStatement().executeQuery("SELECT key FROM jwt_keys WHERE id = '" + kid + "'"); | ||||
|                             while (rs.next()) { | ||||
|                                 return TextCodec.BASE64.decode(rs.getString(1)); | ||||
|                             } | ||||
|                         } catch (SQLException e) { | ||||
|                             errorMessage[0] = e.getMessage(); | ||||
|                         } | ||||
|                         return null; | ||||
|                     } | ||||
|                 }).parse(token); | ||||
|                 if (errorMessage[0] != null) { | ||||
|                     return trackProgress(failed().output(errorMessage[0]).build()); | ||||
|                 } | ||||
|                 Claims claims = (Claims) jwt.getBody(); | ||||
|                 String username = (String) claims.get("username"); | ||||
|                 if ("Jerry".equals(username)) { | ||||
|                     return trackProgress(failed().feedback("jwt-final-jerry-account").build()); | ||||
|                 } | ||||
|                 if ("Tom".equals(username)) { | ||||
|                     return trackProgress(success().build()); | ||||
|                 } else { | ||||
|                     return trackProgress(failed().feedback("jwt-final-not-tom").build()); | ||||
|                 } | ||||
|             } catch (JwtException e) { | ||||
|                 return trackProgress(failed().feedback("jwt-invalid-token").output(e.toString()).build()); | ||||
|             } | ||||
|         } | ||||
|     } | ||||
| } | ||||