Forced browsing lesson does not show success #143
This commit is contained in:
Nanne Baars
parent
23a1f9e38e
commit
e1be080eea
@ -5,15 +5,29 @@
|
||||
*/
|
||||
package org.owasp.webgoat.application;
|
||||
|
||||
import com.google.common.collect.Maps;
|
||||
import org.owasp.webgoat.HammerHead;
|
||||
import org.owasp.webgoat.lessons.LessonServletMapping;
|
||||
import org.owasp.webgoat.plugins.PluginsLoader;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
import org.springframework.beans.factory.config.BeanDefinition;
|
||||
import org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider;
|
||||
import org.springframework.core.type.filter.AnnotationTypeFilter;
|
||||
|
||||
import javax.servlet.ServletContext;
|
||||
import javax.servlet.ServletContextEvent;
|
||||
import javax.servlet.ServletContextListener;
|
||||
import javax.servlet.ServletRegistration;
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.nio.file.Paths;
|
||||
import java.sql.Driver;
|
||||
import java.sql.DriverManager;
|
||||
import java.sql.SQLException;
|
||||
import java.util.Enumeration;
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
import java.util.jar.Attributes;
|
||||
import java.util.jar.Manifest;
|
||||
|
||||
@ -25,15 +39,50 @@ import java.util.jar.Manifest;
|
||||
*/
|
||||
public class WebGoatServletListener implements ServletContextListener {
|
||||
|
||||
/** {@inheritDoc} */
|
||||
private static final Logger logger = LoggerFactory.getLogger(HammerHead.class);
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
@Override
|
||||
public void contextInitialized(ServletContextEvent sce) {
|
||||
ServletContext context = sce.getServletContext();
|
||||
context.log("WebGoat is starting");
|
||||
setApplicationVariables(context);
|
||||
context.log("Adding extra mappings for lessions");
|
||||
|
||||
loadPlugins(sce);
|
||||
loadServlets(sce);
|
||||
}
|
||||
|
||||
/** {@inheritDoc} */
|
||||
private void loadServlets(ServletContextEvent sce) {
|
||||
final ServletContext servletContext = sce.getServletContext();
|
||||
Map<String, Class> controllers = Maps.newHashMap();
|
||||
ClassPathScanningCandidateComponentProvider provider = new ClassPathScanningCandidateComponentProvider(
|
||||
false);
|
||||
provider.addIncludeFilter(new AnnotationTypeFilter(LessonServletMapping.class));
|
||||
Set<BeanDefinition> candidateComponents = provider.findCandidateComponents("org.owasp.webgoat");
|
||||
try {
|
||||
for (BeanDefinition beanDefinition : candidateComponents) {
|
||||
Class controllerClass = Class.forName(beanDefinition.getBeanClassName());
|
||||
LessonServletMapping pathAnnotation = (LessonServletMapping) controllerClass.getAnnotation(LessonServletMapping.class);
|
||||
final ServletRegistration.Dynamic dynamic = servletContext.addServlet(controllerClass.getSimpleName(), controllerClass);
|
||||
dynamic.addMapping(pathAnnotation.path());
|
||||
}
|
||||
} catch (Exception e) {
|
||||
logger.error("Error", e);
|
||||
}
|
||||
}
|
||||
|
||||
private void loadPlugins(ServletContextEvent sce) {
|
||||
String pluginPath = sce.getServletContext().getRealPath("plugin_lessons");
|
||||
String targetPath = sce.getServletContext().getRealPath("plugin_extracted");
|
||||
new PluginsLoader(Paths.get(pluginPath), Paths.get(targetPath)).loadPlugins();
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
@Override
|
||||
public void contextDestroyed(ServletContextEvent sce) {
|
||||
ServletContext context = sce.getServletContext();
|
||||
|
||||
@ -0,0 +1,40 @@
|
||||
package org.owasp.webgoat.lessons;
|
||||
|
||||
import java.lang.annotation.Retention;
|
||||
import java.lang.annotation.RetentionPolicy;
|
||||
|
||||
/***************************************************************************************************
|
||||
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
|
||||
* please see http://www.owasp.org/
|
||||
* <p>
|
||||
* Copyright (c) 2002 - 20014 Bruce Mayhew
|
||||
* <p>
|
||||
* This program is free software; you can redistribute it and/or modify it under the terms of the
|
||||
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
|
||||
* License, or (at your option) any later version.
|
||||
* <p>
|
||||
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
|
||||
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
* General Public License for more details.
|
||||
* <p>
|
||||
* You should have received a copy of the GNU General Public License along with this program; if
|
||||
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
|
||||
* 02111-1307, USA.
|
||||
* <p>
|
||||
* Getting Source ==============
|
||||
* <p>
|
||||
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
|
||||
* projects.
|
||||
* <p>
|
||||
* For details, please see http://webgoat.github.io
|
||||
*
|
||||
* @author Nanne Baars
|
||||
* @created December 12, 2015
|
||||
*/
|
||||
@Retention(RetentionPolicy.RUNTIME)
|
||||
public @interface LessonServletMapping {
|
||||
|
||||
String path();
|
||||
}
|
||||
|
||||
|
||||
@ -1,138 +0,0 @@
|
||||
<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
|
||||
errorPage=""%>
|
||||
<%@page import="org.owasp.webgoat.session.WebSession"%>
|
||||
<%
|
||||
//WebSession webSession = ((WebSession) session.getAttribute("websession"));
|
||||
%>
|
||||
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||||
<html xmlns="http://www.w3.org/1999/xhtml">
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
|
||||
<title>WebGoat V5.4</title>
|
||||
<link rel="stylesheet" href="css/webgoat.css" type="text/css" />
|
||||
</head>
|
||||
|
||||
<body>
|
||||
|
||||
<div id="wrap">
|
||||
<div id="top"></div>
|
||||
<div id="start">
|
||||
<p>Thank you for using WebGoat! This program is a demonstration of common web application flaws.
|
||||
The exercises are intended to provide hands on experience with
|
||||
application penetration testing techniques. </p>
|
||||
<p>The WebGoat project is led
|
||||
by Bruce Mayhew. Please send all comments to Bruce at [TODO, session was blowing up here for some reason].</p>
|
||||
|
||||
<div id="team">
|
||||
<table border="0" align="center" class="lessonText">
|
||||
<tr>
|
||||
<td width="50%">
|
||||
<div align="center"><a href="http://www.owasp.org"><img
|
||||
border="0" src="images/logos/owasp.jpg" alt="OWASP Foundation"
|
||||
longdesc="http://www.owasp.org" /></a></div>
|
||||
</td>
|
||||
<td width="50%">
|
||||
<div align="center"><a href="http://www.aspectsecurity.com"><img
|
||||
border="0" src="images/logos/aspect.jpg" alt="Aspect Security"
|
||||
longdesc="http://www.aspectsecurity.com" /></a></div>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td colspan="2">
|
||||
<div align="center"><span class="style1">
|
||||
WebGoat Authors </span></div>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td colspan="2">
|
||||
<div align="center"><span class="style2">
|
||||
Bruce Mayhew </span></div>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td colspan="2">
|
||||
<div align="center"><span class="style2">
|
||||
Jeff Williams </span></div>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td width="50%">
|
||||
<div align="center"><span class="style1"><br />
|
||||
WebGoat Design Team </span></div>
|
||||
</td>
|
||||
<td width="50%">
|
||||
<div align="center"><span class="style1"><br />
|
||||
V5.4 Lesson Contributers </span></div>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">
|
||||
<div align="center" class="style2">David Anderson</div>
|
||||
<div align="center" class="style2">Laurence Casey (Graphics)</div>
|
||||
<div align="center" class="style2">Rogan Dawes</div>
|
||||
<div align="center" class="style2">Bruce Mayhew</div>
|
||||
</td>
|
||||
<td valign="top">
|
||||
<div align="center" class="style2">Sherif Koussa</div>
|
||||
<div align="center" class="style2">Yiannis Pavlosoglou</div>
|
||||
<div align="center" class="style2"></div>
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td height="25" valign="bottom">
|
||||
<div align="center"><span class="style1">Special Thanks
|
||||
for V5.4</span></div>
|
||||
</td>
|
||||
<td height="25" valign="bottom">
|
||||
<div align="center"><span class="style1">Documentation
|
||||
Contributers</span></div>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<div align="center" class="style2">Brian Ciomei (Multitude of bug fixes)</div>
|
||||
<div align="center" class="style2">To all who have sent comments</div>
|
||||
|
||||
</td>
|
||||
<td>
|
||||
<div align="center" class="style2">
|
||||
<a href="http://www.zionsecurity.com/" target="_blank">Erwin Geirnaert</a></div>
|
||||
<div align="center" class="style2">
|
||||
<a href="http://yehg.org/" target="_blank">Aung Khant</a></div>
|
||||
<div align="center" class="style2">
|
||||
<a href="http://www.softwaresecured.com" target="blank">Sherif Koussa</a>
|
||||
</div>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td colspan="2">
|
||||
<div align="center" class="style2">
|
||||
<form id="form" name="form" method="get" action="start.mvc"><input
|
||||
type="submit" name="start" value="Start WebGoat" /></form>
|
||||
</div>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<div align="center" class="style2"> </div>
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
</div>
|
||||
<div align="center" class="style2"> </div>
|
||||
<div align="center" class="style2"> </div>
|
||||
<div align="center" class="style2"> </div>
|
||||
<div id="warning">WARNING<br />
|
||||
While running this program, your machine is extremely vulnerable to
|
||||
attack if you are not running on localhost. If you are NOT running on localhost (default configuration), You should disconnect from the network while using this program.
|
||||
<br />
|
||||
<br />
|
||||
This program is for educational purposes only. Use of these techniques
|
||||
without permission could lead to job termination, financial liability,
|
||||
and/or criminal penalties.</div>
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
||||
@ -185,10 +185,6 @@
|
||||
<servlet-name>Catcher</servlet-name>
|
||||
<servlet-class>org.owasp.webgoat.Catcher</servlet-class>
|
||||
</servlet>
|
||||
<servlet>
|
||||
<servlet-name>conf</servlet-name>
|
||||
<jsp-file>/lessons/ConfManagement/config.jsp</jsp-file>
|
||||
</servlet>
|
||||
<!-- spring MVC -->
|
||||
<servlet>
|
||||
<servlet-name>mvc-dispatcher</servlet-name>
|
||||
@ -272,10 +268,6 @@
|
||||
<servlet-name>Catcher</servlet-name>
|
||||
<url-pattern>/catcher</url-pattern>
|
||||
</servlet-mapping>
|
||||
<servlet-mapping>
|
||||
<servlet-name>conf</servlet-name>
|
||||
<url-pattern>/conf</url-pattern>
|
||||
</servlet-mapping>
|
||||
<!-- Define the default session timeout for your application,
|
||||
in minutes. From a servlet or JSP page, you can modify
|
||||
the timeout for a particular session dynamically by using
|
||||
|
||||
@ -14,6 +14,6 @@ WebSession webSession = ((WebSession)session.getAttribute("websession"));
|
||||
<% response.sendRedirect(webSession.getCurrentLesson().getLink() +
|
||||
"&succeeded=yes");
|
||||
%>
|
||||
|
||||
<!-- http://localhost:8080/WebGoat/start.mvc#attack/12/1400&succeeded=yes -->
|
||||
</body>
|
||||
</html>
|
||||
Loading…
x
Reference in New Issue
Block a user