dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: JWT kid/jku lessons (#1949)

Browse Source 
* refactor: rewrite hints

Use active voice and fix grammar issues.

* fix: use Thymeleaf `th:action`

* fix: JWT kid/jku lessons

Split the JavaScript into two files they pointed to the same URL

The JWTs are now valid, they parse successfully.

The paths now include `/kid` and `/jku` to make sure the hints match accordingly in the UI. Otherwise `/delete` would pick up both hints from both assignments as the paths overlap.

Closes: #1715

* fix: update to latest pre-commit version

* fix: increase timeouts for server to start during integration tests
This commit is contained in:
Nanne Baars
2024-11-07 15:45:33 +01:00
committed by GitHub
parent d59153d6d7
commit e1e00bca73
46 changed files with 133 additions and 122 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
src/main/resources/lessons/sqlinjection/html/SqlInjection.html
View File

@ -15,7 +15,7 @@
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="SqlInjection/attack2"
th:action="@{/SqlInjection/attack2}"
autocomplete="off">
<table>
<tr>
@ -39,7 +39,7 @@
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="SqlInjection/attack3"
th:action="@{/SqlInjection/attack3}"
autocomplete="off">
<table>
<tr>
@ -63,7 +63,7 @@
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="SqlInjection/attack4"
th:action="@{/SqlInjection/attack4}"
autocomplete="off">
<table>
<tr>
@ -87,7 +87,7 @@
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="SqlInjection/attack5"
th:action="@{/SqlInjection/attack5}"
autocomplete="off">
<table>
<tr>
@ -143,7 +143,7 @@
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="SqlInjection/assignment5a">
th:action="@{/SqlInjection/assignment5a}">
<table>
<tr>
<td>SELECT * FROM user_data WHERE first_name = 'John' AND last_name = '</td>
@ -188,7 +188,7 @@
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="SqlInjection/assignment5b">
th:action="@{/SqlInjection/assignment5b}">
<table>
<tr>
<td>Login_Count:</td>
@ -216,7 +216,7 @@
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="SqlInjection/attack8"
th:action="@{/SqlInjection/attack8}"
autocomplete="off">
<table>
<tr>
@ -244,7 +244,7 @@
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="SqlInjection/attack9"
th:action="@{/SqlInjection/attack9}"
autocomplete="off">
<table>
<tr>
@ -273,7 +273,7 @@
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="SqlInjection/attack10"
th:action="@{/SqlInjection/attack10}"
autocomplete="off">
<table>
<tr>

10
src/main/resources/lessons/sqlinjection/html/SqlInjectionAdvanced.html
View File

@ -20,7 +20,7 @@
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="SqlInjectionAdvanced/attack6a">
th:action="@{/SqlInjectionAdvanced/attack6a}">
<table>
<tr>
<td>Name:</td>
@ -33,7 +33,7 @@
</form>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="SqlInjectionAdvanced/attack6b">
th:action="@{/SqlInjectionAdvanced/attack6b}">
<table>
<tr>
<td>Password:</td>
@ -79,7 +79,7 @@
<div class="col-lg-12">
<form id="login-form" class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="SqlInjectionAdvanced/challenge_Login"
th:action="@{/SqlInjectionAdvanced/Challenge_Login}"
role="form">
<div class="form-group">
<input type="text" name="username_login" id="username4" tabindex="1"
@ -115,7 +115,7 @@
</form>
<form id="register-form" class="attack-form" accept-charset="UNKNOWN"
method="PUT" name="form"
action="SqlInjectionAdvanced/challenge"
th:action="@{/SqlInjectionAdvanced/challenge}"
style="display: none;" role="form">
<div class="form-group">
<input type="text" name="username_reg" id="username" tabindex="1"
@ -168,7 +168,7 @@
<div class="container-fluid">
<form id="quiz-form" class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="SqlInjectionAdvanced/quiz"
th:action="@{/SqlInjectionAdvanced/quiz}"
role="form">
<div id="q_container"></div>
<br />

12
src/main/resources/lessons/sqlinjection/html/SqlInjectionMitigations.html
View File

@ -23,7 +23,7 @@
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_jdbc_completion.adoc}"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="SqlInjectionMitigations/attack10a">
<form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" th:action="@{/SqlInjectionMitigations/attack10a}">
<div>
<p>Connection conn = DriverManager.<input type="text" name="field1" id="field1" />(DBURL, DBUSER, DBPW);</p>
<p><input type="text" name="field2" id="field2" /> = conn.<input type="text" name="field3" id="field3" />("SELECT status FROM users WHERE name=<input type="text" name="field4" id="field4" /> AND mail=<input type="text" name="field5" id="field5" />");</p>
@ -42,7 +42,7 @@
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_jdbc_newcode.adoc}"></div>
<div class="attack-container" style="border: none !important; height: 100%; min-height: 300px;">
<form id="codesubmit" style="height: 100%; min-height: 300px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="SqlInjectionMitigations/attack10b">
<form id="codesubmit" style="height: 100%; min-height: 300px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" th:action="@{/SqlInjectionMitigations/attack10b}">
<div>
<div id="editor" style="position: absolute; top: 0; right: 0; bottom: 0; left: 0; height: 300px;" name="editor"></div>
<script th:src="@{/js/libs/ace.js}" type="text/javascript" charset="utf-8"></script>
@ -72,7 +72,7 @@
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="SqlOnlyInputValidation/attack"
th:action="@{/SqlInjectionMitigations/attack}"
enctype="application/json;charset=UTF-8">
<table>
<tr>
@ -95,7 +95,7 @@
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="SqlOnlyInputValidationOnKeywords/attack"
th:action="@{/SqlInjectionMitigations/attack}"
enctype="application/json;charset=UTF-8">
<table>
<tr>
@ -124,7 +124,7 @@
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="SqlInjectionMitigations/attack12a">
th:action="@{/SqlInjectionMitigations/attack12a}">
<div class="container-fluid">
<div class="row">
<div class="panel panel-primary">
@ -173,7 +173,7 @@
<br/>
</div>
</form>
<form class="attack-form" method="POST" name="form" action="SqlInjectionMitigations/attack12a">
<form class="attack-form" method="POST" name="form" th:action="@{/SqlInjectionMitigations/attack12a}">
<div class="form-group">
<div class="input-group">
<div class="input-group-addon">IP address webgoat-prd server:</div>