dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

All successful

Browse Source
This commit is contained in:
Nanne Baars
2019-09-20 07:59:04 +02:00
parent d7a2596670
commit e8d086ac9b
93 changed files with 293 additions and 1110 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
webgoat-container/src/main/java/org/owasp/webgoat/controller/StartLesson.java
View File

@@ -30,7 +30,7 @@
*/
package org.owasp.webgoat.controller;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.WebSession;
import org.springframework.security.core.context.SecurityContext;
@@ -79,8 +79,8 @@ public class StartLesson {
//GrantedAuthority authority = context.getAuthentication().getAuthorities().iterator().next();
String path = request.getRequestURL().toString(); // we now got /a/b/c/AccessControlMatrix.lesson
String lessonName = path.substring(path.lastIndexOf('/') + 1, path.indexOf(".lesson"));
List<? extends AbstractLesson> lessons = course.getLessons();
Optional<? extends AbstractLesson> lesson = lessons.stream()
List<? extends Lesson> lessons = course.getLessons();
Optional<? extends Lesson> lesson = lessons.stream()
.filter(l -> l.getId().equals(lessonName))
.findFirst();
ws.setCurrentLesson(lesson.get());

8
webgoat-container/src/main/java/org/owasp/webgoat/lessons/Hint.java
View File

@@ -26,8 +26,7 @@
*/
package org.owasp.webgoat.lessons;
import lombok.Getter;
import lombok.Setter;
import lombok.Value;
/**
* <p>Hint class.</p>
@@ -35,12 +34,9 @@ import lombok.Setter;
* @author rlawson
* @version $Id: $Id
*/
@Getter
@Setter
@Value
public class Hint {
private String hint;
private String lesson;
private String assignmentPath;
private int number;
}

145
webgoat-container/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java → webgoat-container/src/main/java/org/owasp/webgoat/lessons/Lesson.java
View File

@@ -1,63 +1,45 @@
package org.owasp.webgoat.lessons;
import com.google.common.collect.Lists;
import lombok.Setter;
import org.owasp.webgoat.session.Screen;
import java.util.List;
/**
* ************************************************************************************************
* <p>
* <p>
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
/*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2019 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
* <p>
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
* <p>
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
* <p>
* Getting Source ==============
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @version $Id: $Id
* @since October 28, 2003
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/
public abstract class AbstractLesson extends Screen implements Comparable<Object> {
package org.owasp.webgoat.lessons;
import lombok.Getter;
import lombok.Setter;
import lombok.Singular;
import java.util.List;
@Getter
@Setter
public abstract class Lesson {
private static int count = 1;
private Integer id = null;
private Integer ranking;
@Setter
private List<Assignment> assignments;
public List<Assignment> getAssignments() {
if (assignments == null) {
return Lists.newArrayList();
}
return assignments;
}
/**
* Constructor for the Lesson object
*/
public AbstractLesson() {
public Lesson() {
id = ++count;
}
@@ -72,34 +54,6 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
return className.substring(className.lastIndexOf('.') + 1);
}
/**
* <p>Setter for the field <code>ranking</code>.</p>
*
* @param ranking a {@link java.lang.Integer} object.
*/
public void setRanking(Integer ranking) {
this.ranking = ranking;
}
/**
* {@inheritDoc}
* <p>
* Description of the Method
*/
public int compareTo(Object obj) {
return this.getRanking().compareTo(((AbstractLesson) obj).getRanking());
}
/**
* {@inheritDoc}
* <p>
* Description of the Method
*/
public boolean equals(Object obj) {
return this.getScreenId() == ((AbstractLesson) obj).getScreenId();
}
/**
* Gets the category attribute of the Lesson object
*
@@ -109,13 +63,6 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
return getDefaultCategory();
}
/**
* <p>getDefaultRanking.</p>
*
* @return a {@link java.lang.Integer} object.
*/
protected abstract Integer getDefaultRanking();
/**
* <p>getDefaultCategory.</p>
*
@@ -123,29 +70,6 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
*/
protected abstract Category getDefaultCategory();
/**
* <p>getDefaultHidden.</p>
*
* @return a boolean.
*/
protected abstract boolean getDefaultHidden();
/**
* Gets the hintCount attribute of the Lesson object
*
* @return The hintCount value
*/
public int getHintCount() {
return getHints().size();
}
/**
* <p>getHints.</p>
*
* @return a {@link java.util.List} object.
*/
public abstract List<String> getHints();
/**
* Gets the title attribute of the HelloScreen object
*
@@ -153,28 +77,6 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
*/
public abstract String getTitle();
/**
* Gets the ranking attribute of the Lesson object
*
* @return The ranking value
*/
public Integer getRanking() {
if (ranking != null) {
return ranking;
} else {
return getDefaultRanking();
}
}
/**
* Gets the uniqueID attribute of the AbstractLesson object
*
* @return The uniqueID value
*/
public int getScreenId() {
return id.intValue();
}
/**
* <p>Returns the default "path" portion of a lesson's URL.</p>
* <p>
@@ -218,5 +120,4 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
}
public abstract String getId();
}

86
webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonAdapter.java
View File

@@ -1,86 +0,0 @@
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @since October 28, 2003
* @version $Id: $Id
*/
package org.owasp.webgoat.lessons;
//// TODO: 11/8/2016 remove
public abstract class LessonAdapter extends AbstractLesson {
/**
* <p>getDefaultHidden.</p>
*
* @return a boolean.
*/
protected boolean getDefaultHidden() {
return false;
}
/**
* Initiates lesson restart functionality. Lessons should override this for
* lesson specific actions
*/
public void restartLesson() {
// Do Nothing - called when restart lesson is pressed. Each lesson can do something
}
private final static Integer DEFAULT_RANKING = 1000;
/**
* <p>getDefaultRanking.</p>
*
* @return a {@link java.lang.Integer} object.
*/
protected Integer getDefaultRanking() {
return DEFAULT_RANKING;
}
/**
* provide a default submitMethod of lesson does not implement
*
* @return a {@link java.lang.String} object.
*/
public String getSubmitMethod() {
return "GET";
}
/**
* Fill in a descriptive title for this lesson. The title of the lesson.
* This will appear above the control area at the top of the page. This
* field will be rendered as html.
*
* @return The title value
*/
public String getTitle() {
return "Untitled Lesson " + getScreenId();
}
}

10
webgoat-container/src/main/java/org/owasp/webgoat/plugins/CourseConfiguration.java
View File

@@ -27,9 +27,8 @@ import org.apache.commons.lang3.ArrayUtils;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.owasp.webgoat.lessons.Assignment;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.session.Course;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@@ -40,7 +39,6 @@ import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
@@ -51,11 +49,11 @@ import static java.util.stream.Collectors.toList;
@Configuration
public class CourseConfiguration {
private final List<NewLesson> lessons;
private final List<Lesson> lessons;
private final List<AssignmentEndpoint> assignments;
private final Map<String, List<AssignmentEndpoint>> assignmentsByPackage;
public CourseConfiguration(List<NewLesson> lessons, List<AssignmentEndpoint> assignments) {
public CourseConfiguration(List<Lesson> lessons, List<AssignmentEndpoint> assignments) {
this.lessons = lessons;
this.assignments = assignments;
assignmentsByPackage = this.assignments.stream().collect(groupingBy(a -> a.getClass().getPackageName()));
@@ -67,7 +65,7 @@ public class CourseConfiguration {
return new Course(lessons);
}
private List<Assignment> createAssignment(AbstractLesson lesson) {
private List<Assignment> createAssignment(Lesson lesson) {
var endpoints = assignmentsByPackage.get(lesson.getClass().getPackageName());
if (CollectionUtils.isEmpty(endpoints)) {
log.warn("Lesson: {} has no endpoints, is this intentionally?", lesson.getTitle());

32
webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginResource.java
View File

@@ -1,32 +0,0 @@
package org.owasp.webgoat.plugins;
import lombok.AllArgsConstructor;
import lombok.Getter;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.lessons.NewLesson;
import java.net.URL;
import java.util.List;
import java.util.stream.Collectors;
@AllArgsConstructor
@Getter
public class PluginResource {
private final URL location;
private final List<Class> classes;
public List<Class> getLessons() {
return classes.stream().filter(c -> c.getSuperclass() == NewLesson.class).collect(Collectors.toList());
}
public List<Class<AssignmentEndpoint>> getAssignments(Class lesson) {
return classes.stream().
filter(c -> c.getSuperclass() == AssignmentEndpoint.class).
filter(c -> c.getPackage().equals(lesson.getPackage())).
map(c -> (Class<AssignmentEndpoint>) c).
collect(Collectors.toList());
}
}

47
webgoat-container/src/main/java/org/owasp/webgoat/service/HintService.java
View File

@@ -5,10 +5,9 @@
*/
package org.owasp.webgoat.service;
import com.google.common.collect.Lists;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Assignment;
import org.owasp.webgoat.lessons.Hint;
import org.owasp.webgoat.lessons.Lesson;
import org.owasp.webgoat.session.WebSession;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;
@@ -41,42 +40,22 @@ public class HintService {
*/
@GetMapping(path = URL_HINTS_MVC, produces = "application/json")
@ResponseBody
public List<Hint> showHint() {
AbstractLesson l = webSession.getCurrentLesson();
List<Hint> hints = createLessonHints(l);
hints.addAll(createAssignmentHints(l));
return hints;
public List<Hint> getHints() {
Lesson l = webSession.getCurrentLesson();
return createAssignmentHints(l);
}
private List<Hint> createLessonHints(AbstractLesson l) {
if ( l != null ) {
return l.getHints().stream().map(h -> createHint(h, l.getName(), null)).collect(toList());
private List<Hint> createAssignmentHints(Lesson l) {
if (l != null) {
return l.getAssignments().stream()
.map(a -> createHint(a))
.flatMap(hints -> hints.stream())
.collect(toList());
}
return Lists.newArrayList();
return List.of();
}
private List<Hint> createAssignmentHints(AbstractLesson l) {
List<Hint> hints = Lists.newArrayList();
if ( l != null) {
List<Assignment> assignments = l.getAssignments();
assignments.stream().forEach(a -> { a.getHints(); createHints(a, hints);});
}
return hints;
}
private void createHints(Assignment a, List<Hint> hints) {
hints.addAll(a.getHints().stream().map(h -> createHint(h, null, a.getPath())).collect(toList()));
}
private Hint createHint(String hintText, String lesson, String assignmentName) {
Hint hint = new Hint();
hint.setHint(hintText);
if (lesson != null) {
hint.setLesson(lesson);
} else {
hint.setAssignmentPath(assignmentName);
}
return hint;
private List<Hint> createHint(Assignment a) {
return a.getHints().stream().map(h -> new Hint(h, a.getPath())).collect(toList());
}
}

4
webgoat-container/src/main/java/org/owasp/webgoat/service/LessonInfoService.java
View File

@@ -1,7 +1,7 @@
package org.owasp.webgoat.service;
import lombok.AllArgsConstructor;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.owasp.webgoat.lessons.LessonInfoModel;
import org.owasp.webgoat.session.WebSession;
import org.springframework.web.bind.annotation.RequestMapping;
@@ -29,7 +29,7 @@ public class LessonInfoService {
@RequestMapping(path = "/service/lessoninfo.mvc", produces = "application/json")
public @ResponseBody
LessonInfoModel getLessonInfo() {
AbstractLesson lesson = webSession.getCurrentLesson();
Lesson lesson = webSession.getCurrentLesson();
return new LessonInfoModel(lesson.getTitle(), false, false, false);
}

8
webgoat-container/src/main/java/org/owasp/webgoat/service/LessonMenuService.java
View File

@@ -29,7 +29,7 @@
package org.owasp.webgoat.service;
import lombok.AllArgsConstructor;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.LessonMenuItem;
import org.owasp.webgoat.lessons.LessonMenuItemType;
@@ -43,7 +43,6 @@ import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Comparator;
import java.util.List;
import java.util.stream.Collectors;
@@ -81,13 +80,12 @@ public class LessonMenuService {
categoryItem.setName(category.getName());
categoryItem.setType(LessonMenuItemType.CATEGORY);
// check for any lessons for this category
List<AbstractLesson> lessons = course.getLessons(category);
List<Lesson> lessons = course.getLessons(category);
lessons = lessons.stream().sorted(Comparator.comparing(l -> l.getTitle())).collect(Collectors.toList());
for (AbstractLesson lesson : lessons) {
for (Lesson lesson : lessons) {
LessonMenuItem lessonItem = new LessonMenuItem();
lessonItem.setName(lesson.getTitle());
lessonItem.setLink(lesson.getLink());
lessonItem.setRanking(lesson.getRanking());
lessonItem.setType(LessonMenuItemType.LESSON);
LessonTracker lessonTracker = userTracker.getLessonTracker(lesson);
lessonItem.setComplete(lessonTracker.isLessonSolved());

4
webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java
View File

@@ -4,7 +4,7 @@ import com.google.common.collect.Lists;
import com.google.common.collect.Maps;
import lombok.AllArgsConstructor;
import lombok.Getter;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.owasp.webgoat.lessons.Assignment;
import org.owasp.webgoat.lessons.LessonInfoModel;
import org.owasp.webgoat.session.WebSession;
@@ -66,7 +66,7 @@ public class LessonProgressService {
@ResponseBody
public List<LessonOverview> lessonOverview() {
UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
AbstractLesson currentLesson = webSession.getCurrentLesson();
Lesson currentLesson = webSession.getCurrentLesson();
List<LessonOverview> result = Lists.newArrayList();
if ( currentLesson != null ) {
LessonTracker lessonTracker = userTracker.getLessonTracker(currentLesson);

4
webgoat-container/src/main/java/org/owasp/webgoat/service/LessonTitleService.java
View File

@@ -1,6 +1,6 @@
package org.owasp.webgoat.service;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.owasp.webgoat.session.WebSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
@@ -31,7 +31,7 @@ public class LessonTitleService {
public
@ResponseBody
String showPlan() {
AbstractLesson lesson = webSession.getCurrentLesson();
Lesson lesson = webSession.getCurrentLesson();
return lesson != null ? lesson.getTitle() : "";
}

4
webgoat-container/src/main/java/org/owasp/webgoat/service/ReportCardService.java
View File

@@ -33,7 +33,7 @@ import lombok.AllArgsConstructor;
import lombok.Getter;
import lombok.Setter;
import org.owasp.webgoat.i18n.PluginMessages;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.users.LessonTracker;
@@ -73,7 +73,7 @@ public class ReportCardService {
reportCard.setTotalNumberOfAssignments(course.getTotalOfAssignments());
reportCard.setNumberOfAssignmentsSolved(userTracker.numberOfAssignmentsSolved());
reportCard.setNumberOfLessonsSolved(userTracker.numberOfLessonsSolved());
for (AbstractLesson lesson : lessons) {
for (Lesson lesson : lessons) {
LessonTracker lessonTracker = userTracker.getLessonTracker(lesson);
LessonStatistics lessonStatistics = new LessonStatistics();
lessonStatistics.setName(pluginMessages.getMessage(lesson.getTitle()));

4
webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java
View File

@@ -25,7 +25,7 @@ package org.owasp.webgoat.service;
import lombok.AllArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.users.UserTracker;
import org.owasp.webgoat.users.UserTrackerRepository;
@@ -56,7 +56,7 @@ public class RestartLessonService {
@RequestMapping(path = "/service/restartlesson.mvc", produces = "text/text")
@ResponseStatus(value = HttpStatus.OK)
public void restartLesson() {
AbstractLesson al = webSession.getCurrentLesson();
Lesson al = webSession.getCurrentLesson();
log.debug("Restarting lesson: " + al);
UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());

16
webgoat-container/src/main/java/org/owasp/webgoat/session/Course.java
View File

@@ -1,7 +1,7 @@
package org.owasp.webgoat.session;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.owasp.webgoat.lessons.Category;
import java.util.List;
@@ -41,9 +41,9 @@ import static java.util.stream.Collectors.toList;
@Slf4j
public class Course {
private List<? extends AbstractLesson> lessons;
private List<? extends Lesson> lessons;
public Course(List<? extends AbstractLesson> lessons) {
public Course(List<? extends Lesson> lessons) {
this.lessons = lessons;
}
@@ -61,7 +61,7 @@ public class Course {
*
* @return The firstLesson value
*/
public AbstractLesson getFirstLesson() {
public Lesson getFirstLesson() {
// Category 0 is the admin function. We want the first real category
// to be returned. This is normally the General category and the Http Basics lesson
return getLessons(getCategories().get(0)).get(0);
@@ -72,7 +72,7 @@ public class Course {
*
* @return a {@link java.util.List} object.
*/
public List<? extends AbstractLesson> getLessons() {
public List<? extends Lesson> getLessons() {
return this.lessons;
}
@@ -82,11 +82,11 @@ public class Course {
* @param category a {@link org.owasp.webgoat.lessons.Category} object.
* @return a {@link java.util.List} object.
*/
public List<AbstractLesson> getLessons(Category category) {
return this.lessons.stream().filter(l -> l.getCategory() == category).sorted().collect(toList());
public List<Lesson> getLessons(Category category) {
return this.lessons.stream().filter(l -> l.getCategory() == category).collect(toList());
}
public void setLessons(List<AbstractLesson> lessons) {
public void setLessons(List<Lesson> lessons) {
this.lessons = lessons;
}

53
webgoat-container/src/main/java/org/owasp/webgoat/session/Screen.java
View File

@@ -1,53 +0,0 @@
package org.owasp.webgoat.session;
/**
* *************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at
* https://github.com/WebGoat/WebGoat, a repository for free software projects.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect
* Security</a>
* @since October 28, 2003
* @version $Id: $Id
*/
public abstract class Screen {
/**
* Constructor for the Screen object
*/
public Screen() {
}
/**
* Fill in a descriptive title for this lesson
*
* @return The title value
*/
public abstract String getTitle();
}

10
webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java
View File

@@ -1,7 +1,7 @@
package org.owasp.webgoat.session;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.owasp.webgoat.users.WebGoatUser;
import org.springframework.security.core.context.SecurityContextHolder;
@@ -42,7 +42,7 @@ public class WebSession {
private final WebGoatUser currentUser;
private final WebgoatContext webgoatContext;
private AbstractLesson currentLesson;
private Lesson currentLesson;
/**
* Constructor for the WebSession object
@@ -79,16 +79,16 @@ public class WebSession {
*
* @param lesson current lesson
*/
public void setCurrentLesson(AbstractLesson lesson) {
public void setCurrentLesson(Lesson lesson) {
this.currentLesson = lesson;
}
/**
* <p> getCurrentLesson. </p>
*
* @return a {@link org.owasp.webgoat.lessons.AbstractLesson} object.
* @return a {@link Lesson} object.
*/
public AbstractLesson getCurrentLesson() {
public Lesson getCurrentLesson() {
return this.currentLesson;
}

7
webgoat-container/src/main/java/org/owasp/webgoat/users/LessonTracker.java
View File

@@ -1,10 +1,9 @@
package org.owasp.webgoat.users;
import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import lombok.Getter;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.owasp.webgoat.lessons.Assignment;
import javax.persistence.*;
@@ -64,9 +63,9 @@ public class LessonTracker {
//JPA
}
public LessonTracker(AbstractLesson lesson) {
public LessonTracker(Lesson lesson) {
lessonName = lesson.getId();
allAssignments.addAll(lesson.getAssignments());
allAssignments.addAll(lesson.getAssignments() == null ? List.of() : lesson.getAssignments());
}
public Optional<Assignment> getAssignment(String name) {

12
webgoat-container/src/main/java/org/owasp/webgoat/users/UserTracker.java
View File

@@ -1,14 +1,12 @@
package org.owasp.webgoat.users;
import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.owasp.webgoat.lessons.Assignment;
import javax.persistence.*;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
@@ -69,7 +67,7 @@ public class UserTracker {
* @param lesson the lesson
* @return a lesson tracker created if not already present
*/
public LessonTracker getLessonTracker(AbstractLesson lesson) {
public LessonTracker getLessonTracker(Lesson lesson) {
Optional<LessonTracker> lessonTracker = lessonTrackers
.stream().filter(l -> l.getLessonName().equals(lesson.getId())).findFirst();
if (!lessonTracker.isPresent()) {
@@ -91,18 +89,18 @@ public class UserTracker {
return lessonTrackers.stream().filter(l -> l.getLessonName().equals(id)).findFirst();
}
public void assignmentSolved(AbstractLesson lesson, String assignmentName) {
public void assignmentSolved(Lesson lesson, String assignmentName) {
LessonTracker lessonTracker = getLessonTracker(lesson);
lessonTracker.incrementAttempts();
lessonTracker.assignmentSolved(assignmentName);
}
public void assignmentFailed(AbstractLesson lesson) {
public void assignmentFailed(Lesson lesson) {
LessonTracker lessonTracker = getLessonTracker(lesson);
lessonTracker.incrementAttempts();
}
public void reset(AbstractLesson al) {
public void reset(Lesson al) {
LessonTracker lessonTracker = getLessonTracker(al);
lessonTracker.reset();
}

2
webgoat-container/src/test/java/org/owasp/webgoat/assignments/AssignmentEndpointTest.java
View File

@@ -39,7 +39,7 @@ import org.springframework.web.servlet.i18n.FixedLocaleResolver;
import java.util.Locale;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Matchers.anyString;
import static org.mockito.ArgumentMatchers.anyString;
import static org.mockito.Mockito.when;
public class AssignmentEndpointTest {

21
webgoat-container/src/test/java/org/owasp/webgoat/service/HintServiceTest.java
View File

@@ -8,12 +8,14 @@ import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.Mockito;
import org.mockito.junit.MockitoJUnitRunner;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.owasp.webgoat.lessons.Assignment;
import org.owasp.webgoat.session.WebSession;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import java.util.List;
import static org.mockito.Mockito.when;
import static org.owasp.webgoat.service.HintService.URL_HINTS_MVC;
import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print;
@@ -28,24 +30,15 @@ public class HintServiceTest {
@Mock
private WebSession websession;
@Mock
private AbstractLesson lesson;
private Lesson lesson;
@Mock
private Assignment assignment;
@Before
public void setup() {
this.mockMvc = standaloneSetup(new HintService(websession)).build();
}
@Test
public void onlyHintsOnLesson() throws Exception {
when(lesson.getName()).thenReturn("Test lesson");
when(lesson.getHints()).thenReturn(Lists.newArrayList("hint 1", "hint 2"));
when(websession.getCurrentLesson()).thenReturn(lesson);
mockMvc.perform(MockMvcRequestBuilders.get(URL_HINTS_MVC))
.andExpect(status().isOk())
.andExpect(jsonPath("$[0].hint", CoreMatchers.is("hint 1")))
.andExpect(jsonPath("$[0].lesson", CoreMatchers.is("Test lesson")));
}
@Test
public void hintsPerAssignment() throws Exception {
Assignment assignment = Mockito.mock(Assignment.class);
@@ -54,7 +47,7 @@ public class HintServiceTest {
when(lesson.getAssignments()).thenReturn(Lists.newArrayList(assignment));
when(websession.getCurrentLesson()).thenReturn(lesson);
mockMvc.perform(MockMvcRequestBuilders.get(URL_HINTS_MVC))
.andExpect(status().isOk()).andDo(print())
.andExpect(status().isOk())
.andExpect(jsonPath("$[0].hint", CoreMatchers.is("hint 1")))
.andExpect(jsonPath("$[0].assignmentPath", CoreMatchers.is("/HttpBasics/attack1")));
}

16
webgoat-container/src/test/java/org/owasp/webgoat/service/LessonMenuServiceTest.java
View File

@@ -29,9 +29,8 @@ import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.Mockito;
import org.mockito.junit.MockitoJUnitRunner;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.users.LessonTracker;
@@ -40,8 +39,7 @@ import org.owasp.webgoat.users.UserTrackerRepository;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import static org.mockito.Matchers.any;
import static org.mockito.Matchers.anyString;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.when;
import static org.owasp.webgoat.service.LessonMenuService.URL_LESSONMENU_MVC;
import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print;
@@ -71,14 +69,14 @@ public class LessonMenuServiceTest {
@Test
public void lessonsShouldBeOrdered() throws Exception {
NewLesson l1 = Mockito.mock(NewLesson.class);
NewLesson l2 = Mockito.mock(NewLesson.class);
Lesson l1 = Mockito.mock(Lesson.class);
Lesson l2 = Mockito.mock(Lesson.class);
when(l1.getTitle()).thenReturn("ZA");
when(l2.getTitle()).thenReturn("AA");
when(lessonTracker.isLessonSolved()).thenReturn(false);
when(course.getLessons(any())).thenReturn(Lists.newArrayList(l1, l2));
when(course.getCategories()).thenReturn(Lists.newArrayList(Category.ACCESS_CONTROL));
when(userTracker.getLessonTracker(any(AbstractLesson.class))).thenReturn(lessonTracker);
when(userTracker.getLessonTracker(any(Lesson.class))).thenReturn(lessonTracker);
when(userTrackerRepository.findByUser(any())).thenReturn(userTracker);
mockMvc.perform(MockMvcRequestBuilders.get(URL_LESSONMENU_MVC))
@@ -89,12 +87,12 @@ public class LessonMenuServiceTest {
@Test
public void lessonCompleted() throws Exception {
NewLesson l1 = Mockito.mock(NewLesson.class);
Lesson l1 = Mockito.mock(Lesson.class);
when(l1.getTitle()).thenReturn("ZA");
when(lessonTracker.isLessonSolved()).thenReturn(true);
when(course.getLessons(any())).thenReturn(Lists.newArrayList(l1));
when(course.getCategories()).thenReturn(Lists.newArrayList(Category.ACCESS_CONTROL));
when(userTracker.getLessonTracker(any(AbstractLesson.class))).thenReturn(lessonTracker);
when(userTracker.getLessonTracker(any(Lesson.class))).thenReturn(lessonTracker);
when(userTrackerRepository.findByUser(any())).thenReturn(userTracker);
mockMvc.perform(MockMvcRequestBuilders.get(URL_LESSONMENU_MVC))

9
webgoat-container/src/test/java/org/owasp/webgoat/service/LessonProgressServiceTest.java
View File

@@ -6,7 +6,7 @@ import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.owasp.webgoat.lessons.Assignment;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.users.LessonTracker;
@@ -20,8 +20,7 @@ import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import java.util.List;
import static org.hamcrest.CoreMatchers.is;
import static org.mockito.Matchers.any;
import static org.mockito.Matchers.anyString;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.when;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@@ -61,7 +60,7 @@ public class LessonProgressServiceTest {
private MockMvc mockMvc;
@Mock
private AbstractLesson lesson;
private Lesson lesson;
@Mock
private UserTracker userTracker;
@Mock
@@ -75,7 +74,7 @@ public class LessonProgressServiceTest {
public void setup() {
Assignment assignment = new Assignment("test", "test", List.of());
when(userTrackerRepository.findByUser(any())).thenReturn(userTracker);
when(userTracker.getLessonTracker(any(AbstractLesson.class))).thenReturn(lessonTracker);
when(userTracker.getLessonTracker(any(Lesson.class))).thenReturn(lessonTracker);
when(websession.getCurrentLesson()).thenReturn(lesson);
when(lessonTracker.getLessonOverview()).thenReturn(Maps.newHashMap(assignment, true));
this.mockMvc = MockMvcBuilders.standaloneSetup(new LessonProgressService(userTrackerRepository, websession)).build();

11
webgoat-container/src/test/java/org/owasp/webgoat/service/ReportCardServiceTest.java
View File

@@ -1,13 +1,12 @@
package org.owasp.webgoat.service;
import com.beust.jcommander.internal.Lists;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.junit.MockitoJUnitRunner;
import org.owasp.webgoat.i18n.PluginMessages;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.users.LessonTracker;
@@ -20,8 +19,8 @@ import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import java.util.List;
import static org.hamcrest.CoreMatchers.is;
import static org.mockito.Matchers.any;
import static org.mockito.Matchers.anyString;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.anyString;
import static org.mockito.Mockito.when;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@@ -36,7 +35,7 @@ public class ReportCardServiceTest {
@Mock
private UserTracker userTracker;
@Mock
private AbstractLesson lesson;
private Lesson lesson;
@Mock
private LessonTracker lessonTracker;
@Mock
@@ -60,7 +59,7 @@ public class ReportCardServiceTest {
when(course.getTotalOfAssignments()).thenReturn(10);
when(course.getLessons()).thenAnswer(x -> List.of(lesson));
when(userTrackerRepository.findByUser(any())).thenReturn(userTracker);
when(userTracker.getLessonTracker(any(AbstractLesson.class))).thenReturn(lessonTracker);
when(userTracker.getLessonTracker(any(Lesson.class))).thenReturn(lessonTracker);
mockMvc.perform(MockMvcRequestBuilders.get("/service/reportcard.mvc"))
.andExpect(status().isOk())
.andExpect(jsonPath("$.totalNumberOfLessons", is(1)))

8
webgoat-container/src/test/java/org/owasp/webgoat/session/LessonTrackerTest.java
View File

@@ -2,7 +2,7 @@ package org.owasp.webgoat.session;
import com.google.common.collect.Lists;
import org.junit.Test;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.owasp.webgoat.lessons.Assignment;
import org.owasp.webgoat.users.LessonTracker;
@@ -47,7 +47,7 @@ public class LessonTrackerTest {
@Test
public void allAssignmentsSolvedShouldMarkLessonAsComplete() {
AbstractLesson lesson = mock(AbstractLesson.class);
Lesson lesson = mock(Lesson.class);
when(lesson.getAssignments()).thenReturn(Lists.newArrayList(new Assignment("assignment", "assignment", List.of(""))));
LessonTracker lessonTracker = new LessonTracker(lesson);
lessonTracker.assignmentSolved("assignment");
@@ -57,7 +57,7 @@ public class LessonTrackerTest {
@Test
public void noAssignmentsSolvedShouldMarkLessonAsInComplete() {
AbstractLesson lesson = mock(AbstractLesson.class);
Lesson lesson = mock(Lesson.class);
Assignment a1 = new Assignment("a1");
Assignment a2 = new Assignment("a2");
List<Assignment> assignments = Lists.newArrayList(a1, a2);
@@ -72,7 +72,7 @@ public class LessonTrackerTest {
@Test
public void solvingSameAssignmentShouldNotAddItTwice() {
AbstractLesson lesson = mock(AbstractLesson.class);
Lesson lesson = mock(Lesson.class);
Assignment a1 = new Assignment("a1");
List<Assignment> assignments = Lists.newArrayList(a1);
when(lesson.getAssignments()).thenReturn(assignments);

3
webgoat-container/src/test/java/org/owasp/webgoat/users/UserServiceTest.java
View File

@@ -3,7 +3,7 @@ package org.owasp.webgoat.users;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner;
import org.mockito.junit.MockitoJUnitRunner;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import static org.mockito.Matchers.any;
@@ -24,5 +24,4 @@ public class UserServiceTest {
UserService userService = new UserService(userRepository, userTrackerRepository);
userService.loadUserByUsername("unknown");
}
}

14
webgoat-container/src/test/java/org/owasp/webgoat/users/UserTrackerRepositoryTest.java
View File

@@ -6,7 +6,7 @@ import org.junit.Test;
import org.junit.runner.RunWith;
import org.owasp.webgoat.lessons.Assignment;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.orm.jpa.DataJpaTest;
import org.springframework.test.context.junit4.SpringRunner;
@@ -17,23 +17,13 @@ import java.util.List;
@RunWith(SpringRunner.class)
public class UserTrackerRepositoryTest {
private class TestLesson extends NewLesson {
private class TestLesson extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.AJAX_SECURITY;
}
@Override
public List<String> getHints() {
return Lists.newArrayList();
}
@Override
public Integer getDefaultRanking() {
return 12;
}
@Override
public String getTitle() {
return "test";

2
webgoat-container/src/test/java/org/owasp/webgoat/users/UserValidatorTest.java
View File

@@ -3,7 +3,7 @@ package org.owasp.webgoat.users;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner;
import org.mockito.junit.MockitoJUnitRunner;
import org.springframework.validation.BeanPropertyBindingResult;
import org.springframework.validation.Errors;

2
webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/AccountVerificationHelper.java
View File

@@ -31,7 +31,7 @@ import java.util.Map;
public class AccountVerificationHelper {
//simulating database storage of verification credentials
private static final Integer verifyUserId = new Integer(1223445);
private static final Integer verifyUserId = 1223445;
private static final Map<String,String> userSecQuestions = new HashMap<>();
static {
userSecQuestions.put("secQuestion0","Dr. Watson");

17
webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/AuthBypass.java
View File

@@ -22,31 +22,18 @@
package org.owasp.webgoat.auth_bypass;
import com.beust.jcommander.internal.Lists;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.springframework.stereotype.Component;
import java.util.List;
@Component
public class AuthBypass extends NewLesson {
public class AuthBypass extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.AUTHENTICATION;
}
@Override
public List<String> getHints() {
return Lists.newArrayList();
}
@Override
public Integer getDefaultRanking() {
return 30;
}
@Override
public String getTitle() {
return "auth-bypass.title";

17
webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/bypass_restrictions/BypassRestrictions.java
View File

@@ -22,30 +22,17 @@
package org.owasp.webgoat.bypass_restrictions;
import com.beust.jcommander.internal.Lists;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.springframework.stereotype.Component;
import java.util.List;
@Component
public class BypassRestrictions extends NewLesson {
public class BypassRestrictions extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.CLIENT_SIDE;
}
@Override
public List<String> getHints() {
return Lists.newArrayList();
}
@Override
public Integer getDefaultRanking() {
return 2;
}
@Override
public String getTitle() {
return "bypass-restrictions.title";

6
webgoat-lessons/bypass-restrictions/src/test/java/org/owasp/webgoat/bypass_restrictions/BypassRestrictionsFrontendValidationTest.java
View File

@@ -4,6 +4,7 @@ import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.owasp.webgoat.plugins.LessonTest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
@@ -20,9 +21,12 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
@RunWith(SpringJUnit4ClassRunner.class)
public class BypassRestrictionsFrontendValidationTest extends LessonTest {
@Autowired
private BypassRestrictions bypassRestrictions;
@Before
public void setup() {
when(webSession.getCurrentLesson()).thenReturn(new BypassRestrictions());
when(webSession.getCurrentLesson()).thenReturn(bypassRestrictions);
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
}

17
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/ChallengeIntro.java
View File

@@ -1,32 +1,19 @@
package org.owasp.webgoat.challenges;
import com.google.common.collect.Lists;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import java.util.List;
import org.owasp.webgoat.lessons.Lesson;
/**
* @author nbaars
* @since 3/21/17.
*/
public class ChallengeIntro extends NewLesson {
public class ChallengeIntro extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.CHALLENGE;
}
@Override
public List<String> getHints() {
return Lists.newArrayList();
}
@Override
public Integer getDefaultRanking() {
return 10;
}
@Override
public String getTitle() {
return "challenge0.title";

17
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/Challenge1.java
View File

@@ -1,34 +1,21 @@
package org.owasp.webgoat.challenges.challenge1;
import com.google.common.collect.Lists;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.springframework.stereotype.Component;
import java.util.List;
/**
* @author nbaars
* @since 3/21/17.
*/
@Component
public class Challenge1 extends NewLesson {
public class Challenge1 extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.CHALLENGE;
}
@Override
public List<String> getHints() {
return Lists.newArrayList();
}
@Override
public Integer getDefaultRanking() {
return 10;
}
@Override
public String getTitle() {
return "challenge1.title";

17
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Challenge5.java
View File

@@ -22,35 +22,22 @@
package org.owasp.webgoat.challenges.challenge5;
import com.google.common.collect.Lists;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.springframework.stereotype.Component;
import java.util.List;
/**
* @author nbaars
* @since 3/21/17.
*/
@Component
public class Challenge5 extends NewLesson {
public class Challenge5 extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.CHALLENGE;
}
@Override
public List<String> getHints() {
return Lists.newArrayList();
}
@Override
public Integer getDefaultRanking() {
return 10;
}
@Override
public String getTitle() {
return "challenge5.title";

17
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge6/Challenge6.java
View File

@@ -1,34 +1,21 @@
package org.owasp.webgoat.challenges.challenge6;
import com.google.common.collect.Lists;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.springframework.stereotype.Component;
import java.util.List;
/**
* @author nbaars
* @since 3/21/17.
*/
@Component
public class Challenge6 extends NewLesson {
public class Challenge6 extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.CHALLENGE;
}
@Override
public List<String> getHints() {
return Lists.newArrayList();
}
@Override
public Integer getDefaultRanking() {
return 10;
}
@Override
public String getTitle() {
return "challenge6.title";

17
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Challenge7.java
View File

@@ -1,34 +1,21 @@
package org.owasp.webgoat.challenges.challenge7;
import com.google.common.collect.Lists;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.springframework.stereotype.Component;
import java.util.List;
/**
* @author nbaars
* @since 3/21/17.
*/
@Component
public class Challenge7 extends NewLesson {
public class Challenge7 extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.CHALLENGE;
}
@Override
public List<String> getHints() {
return Lists.newArrayList();
}
@Override
public Integer getDefaultRanking() {
return 10;
}
@Override
public String getTitle() {
return "challenge7.title";

17
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge8/Challenge8.java
View File

@@ -1,34 +1,21 @@
package org.owasp.webgoat.challenges.challenge8;
import com.google.common.collect.Lists;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.springframework.stereotype.Component;
import java.util.List;
/**
* @author nbaars
* @since 3/21/17.
*/
@Component
public class Challenge8 extends NewLesson {
public class Challenge8 extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.CHALLENGE;
}
@Override
public List<String> getHints() {
return Lists.newArrayList();
}
@Override
public Integer getDefaultRanking() {
return 10;
}
@Override
public String getTitle() {
return "challenge8.title";

17
webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/chrome_dev_tools/ChromeDevTools.java
View File

@@ -22,35 +22,22 @@
package org.owasp.webgoat.chrome_dev_tools;
import com.beust.jcommander.internal.Lists;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.springframework.stereotype.Component;
import java.util.List;
/**
* @author TMelzer
* @since 30.11.18
*/
@Component
public class ChromeDevTools extends NewLesson {
public class ChromeDevTools extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.GENERAL;
}
@Override
public List<String> getHints() {
return Lists.newArrayList();
}
@Override
public Integer getDefaultRanking() {
return 4;
}
@Override
public String getTitle() {
return "chrome-dev-tools.title";

7
webgoat-lessons/chrome-dev-tools/src/test/java/org/owasp/webgoat/chrome_dev_tools/ChromeDevToolsTest.java
View File

@@ -17,6 +17,7 @@ import static org.hamcrest.CoreMatchers.is;
import static org.mockito.Mockito.when;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
/**
* @author Benedikt Stuhrmann
* @since 13/03/19.
@@ -25,18 +26,16 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
public class ChromeDevToolsTest extends LessonTest {
@Autowired
private WebgoatContext context;
private ChromeDevTools cdt;
@Before
public void setup() {
ChromeDevTools cdt = new ChromeDevTools();
when(webSession.getCurrentLesson()).thenReturn(cdt);
when(webSession.getWebgoatContext()).thenReturn(context);
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
}
@Test
public void NetworkAssignmentTest_Success() throws Exception{
public void NetworkAssignmentTest_Success() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/ChromeDevTools/network")
.param("network_num", "123456")
.param("number", "123456"))

19
webgoat-lessons/cia/src/main/java/org/owasp/webgoat/cia/CIA.java
View File

@@ -1,34 +1,21 @@
package org.owasp.webgoat.cia;
import com.beust.jcommander.internal.Lists;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.springframework.stereotype.Component;
import java.util.List;
/**
* @author BenediktStuhrmann
* @since 11/2/18.
*/
@Component
public class CIA extends NewLesson {
public class CIA extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.GENERAL;
}
@Override
public List<String> getHints() {
return Lists.newArrayList();
}
@Override
public Integer getDefaultRanking() {
return 3;
}
@Override
public String getTitle() {
return "cia.title";
@@ -38,4 +25,4 @@ public class CIA extends NewLesson {
public String getId() {
return "CIA";
}
}
}

4
webgoat-lessons/cia/src/test/java/org/owasp/webgoat/cia/CIAQuizTest.java
View File

@@ -24,13 +24,11 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
public class CIAQuizTest extends LessonTest {
@Autowired
private WebgoatContext context;
private CIA cia;
@Before
public void setup() {
CIA cia = new CIA();
when(webSession.getCurrentLesson()).thenReturn(cia);
when(webSession.getWebgoatContext()).thenReturn(context);
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
}

19
webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/ClientSideFiltering.java
View File

@@ -1,12 +1,9 @@
package org.owasp.webgoat.client_side_filtering;
import com.google.common.collect.Lists;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.springframework.stereotype.Component;
import java.util.List;
/**
* ************************************************************************************************
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
@@ -37,25 +34,13 @@ import java.util.List;
* @since October 12, 2016
*/
@Component
public class ClientSideFiltering extends NewLesson {
public class ClientSideFiltering extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.CLIENT_SIDE;
}
@Override
public List<String> getHints() {
return Lists.newArrayList("Many sites attempt to restrict access to resources by role.",
"Developers frequently make mistakes implementing this scheme.",
"Attempt combinations of users, roles, and resources.");
}
@Override
public Integer getDefaultRanking() {
return 10;
}
@Override
public String getTitle() {
return "client.side.filtering.title";

6
webgoat-lessons/client-side-filtering/src/test/java/org/owasp/webgoat/client_side_filtering/ClientSideFilteringFreeAssignmentTest.java
View File

@@ -5,6 +5,7 @@ import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.owasp.webgoat.plugins.LessonTest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
@@ -21,14 +22,13 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
@RunWith(SpringJUnit4ClassRunner.class)
public class ClientSideFilteringFreeAssignmentTest extends LessonTest {
private MockMvc mockMvc;
@Autowired
private ClientSideFiltering clientSideFiltering;
@Before
public void setup() {
ClientSideFiltering clientSideFiltering = new ClientSideFiltering();
when(webSession.getCurrentLesson()).thenReturn(clientSideFiltering);
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
when(webSession.getUserName()).thenReturn("unit-test");
}
@Test

4
webgoat-lessons/command-injection/src/main/java/org/owasp/webgoat/plugin/CommandInjection.java
View File

@@ -2,7 +2,7 @@ package org.owasp.webgoat.plugin;
import com.beust.jcommander.internal.Lists;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.AbstractLesson;
import java.util.List;
@@ -35,7 +35,7 @@ import java.util.List;
* @version $Id: $Id
* @since October 12, 2016
*/
public class HttpProxies extends NewLesson {
public class HttpProxies extends AbstractLesson {
@Override
public Category getDefaultCategory() {
return Category.GENERAL;

18
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScripting.java
View File

@@ -23,30 +23,16 @@
package org.owasp.webgoat.xss;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.springframework.stereotype.Component;
import java.util.ArrayList;
import java.util.List;
@Component
public class CrossSiteScripting extends NewLesson {
public class CrossSiteScripting extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.XSS;
}
@Override
public List<String> getHints() {
List<String> hints = new ArrayList<String>();
return hints;
}
@Override
public Integer getDefaultRanking() {
return 1;
}
@Override
public String getTitle() {
return "xss.title";

18
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingMitigation.java
View File

@@ -23,28 +23,14 @@
package org.owasp.webgoat.xss;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.Lesson;
import java.util.ArrayList;
import java.util.List;
public class CrossSiteScriptingMitigation extends NewLesson {
public class CrossSiteScriptingMitigation extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.XSS;
}
@Override
public List<String> getHints() {
List<String> hints = new ArrayList<String>();
return hints;
}
@Override
public Integer getDefaultRanking() {
return 3;
}
@Override
public String getTitle() {
return "xss-mitigation.title";

18
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingStored.java
View File

@@ -23,28 +23,14 @@
package org.owasp.webgoat.xss;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.Lesson;
import java.util.ArrayList;
import java.util.List;
public class CrossSiteScriptingStored extends NewLesson {
public class CrossSiteScriptingStored extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.XSS;
}
@Override
public List<String> getHints() {
List<String> hints = new ArrayList<String>();
return hints;
}
@Override
public Integer getDefaultRanking() {
return 2;
}
@Override
public String getTitle() {
return "xss-stored.title";

6
webgoat-lessons/cross-site-scripting/src/test/java/org/owasp/webgoat/xss/DOMCrossSiteScriptingTest.java
View File

@@ -28,10 +28,13 @@ import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.junit.MockitoJUnitRunner;
import org.owasp.webgoat.assignments.AssignmentEndpointTest;
import org.owasp.webgoat.lessons.Assignment;
import org.owasp.webgoat.xss.DOMCrossSiteScripting;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import java.util.List;
import static org.mockito.Mockito.when;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@@ -48,7 +51,8 @@ public class DOMCrossSiteScriptingTest extends AssignmentEndpointTest {
DOMCrossSiteScripting domXss = new DOMCrossSiteScripting();
init(domXss);
this.mockMvc = standaloneSetup(domXss).build();
when(webSession.getCurrentLesson()).thenReturn(new CrossSiteScripting());
CrossSiteScripting xss = new CrossSiteScripting();
when(webSession.getCurrentLesson()).thenReturn(xss);
when(userSessionData.getValue("randValue")).thenReturn(randVal);
}

4
webgoat-lessons/cross-site-scripting/src/test/java/org/owasp/webgoat/xss/StoredXssCommentsTest.java
View File

@@ -26,16 +26,14 @@ import org.hamcrest.CoreMatchers;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.runners.MockitoJUnitRunner;
import org.mockito.junit.MockitoJUnitRunner;
import org.owasp.webgoat.assignments.AssignmentEndpointTest;
import org.owasp.webgoat.xss.StoredXssComments;
import org.springframework.http.MediaType;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.MvcResult;
import org.springframework.test.web.servlet.ResultActions;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;

14
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRF.java
View File

@@ -24,7 +24,7 @@ package org.owasp.webgoat.csrf;
import com.beust.jcommander.internal.Lists;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.springframework.stereotype.Component;
import java.util.List;
@@ -33,22 +33,12 @@ import java.util.List;
* Created by jason on 9/29/17.
*/
@Component
public class CSRF extends NewLesson {
public class CSRF extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.REQUEST_FORGERIES;
}
@Override
public List<String> getHints() {
return Lists.newArrayList();
}
@Override
public Integer getDefaultRanking() {
return 1;
}
@Override
public String getTitle() { return "csrf.title"; }

7
webgoat-lessons/csrf/src/test/java/org/owasp/webgoat/csrf/CSRFFeedbackTest.java
View File

@@ -27,6 +27,7 @@ import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.owasp.webgoat.plugins.LessonTest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.MediaType;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
@@ -46,13 +47,13 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
@RunWith(SpringJUnit4ClassRunner.class)
public class CSRFFeedbackTest extends LessonTest {
@Autowired
private CSRF csrf;
@Before
public void setup() {
CSRF csrf = new CSRF();
when(webSession.getCurrentLesson()).thenReturn(csrf);
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
when(webSession.getUserName()).thenReturn("unit-test");
when(webSession.getCurrentLesson()).thenReturn(new CSRF());
}
@Test

17
webgoat-lessons/html-tampering/src/main/java/org/owasp/webgoat/html_tampering/HtmlTampering.java
View File

@@ -1,12 +1,9 @@
package org.owasp.webgoat.html_tampering;
import com.beust.jcommander.internal.Lists;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.springframework.stereotype.Component;
import java.util.List;
/**
* ************************************************************************************************
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
@@ -37,22 +34,12 @@ import java.util.List;
* @since October 12, 2016
*/
@Component
public class HtmlTampering extends NewLesson {
public class HtmlTampering extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.CLIENT_SIDE;
}
@Override
public List<String> getHints() {
return Lists.newArrayList();
}
@Override
public Integer getDefaultRanking() {
return 3;
}
@Override
public String getTitle() {
return "html-tampering.title";

17
webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasics.java
View File

@@ -22,30 +22,17 @@
package org.owasp.webgoat.http_basics;
import com.beust.jcommander.internal.Lists;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.springframework.stereotype.Component;
import java.util.List;
@Component
public class HttpBasics extends NewLesson {
public class HttpBasics extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.GENERAL;
}
@Override
public List<String> getHints() {
return Lists.newArrayList();
}
@Override
public Integer getDefaultRanking() {
return 1;
}
@Override
public String getTitle() {
return "http-basics.title";

17
webgoat-lessons/http-proxies/src/main/java/org/owasp/webgoat/http_proxies/HttpProxies.java
View File

@@ -1,12 +1,9 @@
package org.owasp.webgoat.http_proxies;
import com.beust.jcommander.internal.Lists;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.springframework.stereotype.Component;
import java.util.List;
/**
* ************************************************************************************************
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
@@ -37,22 +34,12 @@ import java.util.List;
* @since October 12, 2016
*/
@Component
public class HttpProxies extends NewLesson {
public class HttpProxies extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.GENERAL;
}
@Override
public List<String> getHints() {
return Lists.newArrayList();
}
@Override
public Integer getDefaultRanking() {
return 2;
}
@Override
public String getTitle() {
return "http-proxies.title";

17
webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDOR.java
View File

@@ -1,12 +1,9 @@
package org.owasp.webgoat.idor;
import com.beust.jcommander.internal.Lists;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.springframework.stereotype.Component;
import java.util.List;
/**
* ************************************************************************************************
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
@@ -37,23 +34,13 @@ import java.util.List;
* @since January 3, 2017
*/
@Component
public class IDOR extends NewLesson {
public class IDOR extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.ACCESS_CONTROL;
}
@Override
public List<String> getHints() {
return Lists.newArrayList();
}
@Override
public Integer getDefaultRanking() {
return 20;
}
@Override
public String getTitle() {
return "idor.title";

17
webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserialization.java
View File

@@ -1,12 +1,9 @@
package org.owasp.webgoat.deserialization;
import com.beust.jcommander.internal.Lists;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.springframework.stereotype.Component;
import java.util.List;
/**
* ************************************************************************************************
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
@@ -37,22 +34,12 @@ import java.util.List;
* @since October 12, 2016
*/
@Component
public class InsecureDeserialization extends NewLesson {
public class InsecureDeserialization extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.INSECURE_DESERIALIZATION;
}
@Override
public List<String> getHints() {
return Lists.newArrayList();
}
@Override
public Integer getDefaultRanking() {
return 1;
}
@Override
public String getTitle() {
return "insecure-deserialization.title";

17
webgoat-lessons/insecure-login/src/main/java/org/owasp/webgoat/insecure_login/InsecureLogin.java
View File

@@ -1,12 +1,9 @@
package org.owasp.webgoat.insecure_login;
import com.beust.jcommander.internal.Lists;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.springframework.stereotype.Component;
import java.util.List;
/**
* ************************************************************************************************
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
@@ -37,22 +34,12 @@ import java.util.List;
* @since October 12, 2016
*/
@Component
public class InsecureLogin extends NewLesson {
public class InsecureLogin extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.INSECURE_COMMUNICATION;
}
@Override
public List<String> getHints() {
return Lists.newArrayList();
}
@Override
public Integer getDefaultRanking() {
return 1;
}
@Override
public String getTitle() {
return "insecure-login.title";

17
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWT.java
View File

@@ -22,35 +22,22 @@
package org.owasp.webgoat.jwt;
import com.beust.jcommander.internal.Lists;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.springframework.stereotype.Component;
import java.util.List;
/**
* @author nbaars
* @since 3/22/17.
*/
@Component
public class JWT extends NewLesson {
public class JWT extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.AUTHENTICATION;
}
@Override
public List<String> getHints() {
return Lists.newArrayList();
}
@Override
public Integer getDefaultRanking() {
return 40;
}
@Override
public String getTitle() {
return "jwt.title";

7
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTFinalEndpointTest.java
View File

@@ -7,6 +7,8 @@ import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.owasp.webgoat.plugins.LessonTest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.core.AutoConfigureCache;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
@@ -25,12 +27,13 @@ public class JWTFinalEndpointTest extends LessonTest {
private static final String TOKEN_JERRY = "eyJraWQiOiJ3ZWJnb2F0X2tleSIsImFsZyI6IkhTNTEyIn0.eyJhdWQiOiJ3ZWJnb2F0Lm9yZyIsImVtYWlsIjoiamVycnlAd2ViZ29hdC5jb20iLCJ1c2VybmFtZSI6IkplcnJ5In0.xBc5FFwaOcuxjdr_VJ16n8Jb7vScuaZulNTl66F2MWF1aBe47QsUosvbjWGORNcMPiPNwnMu1Yb0WZVNrp2ZXA";
@Autowired
private JWT jwt;
@Before
public void setup() {
JWT jwt = new JWT();
when(webSession.getCurrentLesson()).thenReturn(jwt);
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
when(webSession.getUserName()).thenReturn("unit-test");
}
@Test

5
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTRefreshEndpointTest.java
View File

@@ -29,6 +29,7 @@ import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.owasp.webgoat.plugins.LessonTest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.MediaType;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.web.servlet.MvcResult;
@@ -46,9 +47,11 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
@RunWith(SpringJUnit4ClassRunner.class)
public class JWTRefreshEndpointTest extends LessonTest {
@Autowired
private JWT jwt;
@Before
public void setup() {
JWT jwt = new JWT();
when(webSession.getCurrentLesson()).thenReturn(jwt);
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
when(webSession.getUserName()).thenReturn("unit-test");

5
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpointTest.java
View File

@@ -29,6 +29,7 @@ import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.owasp.webgoat.plugins.LessonTest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
@@ -47,9 +48,11 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
@RunWith(SpringJUnit4ClassRunner.class)
public class JWTSecretKeyEndpointTest extends LessonTest {
@Autowired
private JWT jwt;
@Before
public void setup() {
JWT jwt = new JWT();
when(webSession.getCurrentLesson()).thenReturn(jwt);
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
when(webSession.getUserName()).thenReturn("unit-test");

5
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
View File

@@ -30,6 +30,7 @@ import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.owasp.webgoat.plugins.LessonTest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.MediaType;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.web.servlet.MvcResult;
@@ -53,9 +54,11 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
@RunWith(SpringJUnit4ClassRunner.class)
public class JWTVotesEndpointTest extends LessonTest {
@Autowired
private JWT jwt;
@Before
public void setup() {
JWT jwt = new JWT();
when(webSession.getCurrentLesson()).thenReturn(jwt);
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
when(webSession.getUserName()).thenReturn("unit-test");

17
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionAC.java
View File

@@ -22,31 +22,18 @@
package org.owasp.webgoat.missing_ac;
import com.beust.jcommander.internal.Lists;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.springframework.stereotype.Component;
import java.util.List;
@Component
public class MissingFunctionAC extends NewLesson {
public class MissingFunctionAC extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.ACCESS_CONTROL;
}
@Override
public List<String> getHints() {
return Lists.newArrayList();
}
@Override
public Integer getDefaultRanking() {
return 40;
}
@Override
public String getTitle() {
return "missing-function-access-control.title";

1
webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat/missing_ac/MissingFunctionYourHashTest.java
View File

@@ -36,7 +36,6 @@ import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Matchers.anyString;
import static org.mockito.Mockito.when;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

17
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/PasswordReset.java
View File

@@ -23,29 +23,16 @@
package org.owasp.webgoat.password_reset;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.springframework.stereotype.Component;
import java.util.ArrayList;
import java.util.List;
@Component
public class PasswordReset extends NewLesson {
public class PasswordReset extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.AUTHENTICATION;
}
@Override
public List<String> getHints() {
return new ArrayList();
}
@Override
public Integer getDefaultRanking() {
return 10;
}
@Override
public String getTitle() {
return "password-reset.title";

7
webgoat-lessons/password-reset/src/main/test/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignmentTest.java
View File

@@ -6,6 +6,7 @@ import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mockito;
import org.owasp.webgoat.plugins.LessonTest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
@@ -17,10 +18,12 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
@RunWith(SpringJUnit4ClassRunner.class)
public class SecurityQuestionAssignmentTest extends LessonTest {
@Autowired
private PasswordReset passwordReset;
@Before
public void setup() {
PasswordReset assignment = new PasswordReset();
Mockito.when(webSession.getCurrentLesson()).thenReturn(assignment);
Mockito.when(webSession.getCurrentLesson()).thenReturn(passwordReset);
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
Mockito.when(webSession.getUserName()).thenReturn("unit-test");
}

17
webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswords.java
View File

@@ -22,35 +22,22 @@
package org.owasp.webgoat.secure_password;
import com.beust.jcommander.internal.Lists;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.springframework.stereotype.Component;
import java.util.List;
/**
* @author BenediktStuhrmann
* @since 12/2/18.
*/
@Component
public class SecurePasswords extends NewLesson {
public class SecurePasswords extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.AUTHENTICATION;
}
@Override
public List<String> getHints() {
return Lists.newArrayList();
}
@Override
public Integer getDefaultRanking() {
return 3;
}
@Override
public String getTitle() {
return "secure-passwords.title";

17
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionAdvanced.java
View File

@@ -23,29 +23,16 @@
package org.owasp.webgoat.sql_injection.advanced;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.springframework.stereotype.Component;
import java.util.ArrayList;
import java.util.List;
@Component
public class SqlInjectionAdvanced extends NewLesson {
public class SqlInjectionAdvanced extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.INJECTION;
}
@Override
public List<String> getHints() {
return new ArrayList<>();
}
@Override
public Integer getDefaultRanking() {
return 2;
}
@Override
public String getTitle() {
return "sql.advanced.title";

24
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjection.java
View File

@@ -22,37 +22,17 @@
package org.owasp.webgoat.sql_injection.introduction;
import java.util.ArrayList;
import java.util.List;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.springframework.stereotype.Component;
@Component
public class SqlInjection extends NewLesson {
public class SqlInjection extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.INJECTION;
}
@Override
public List<String> getHints() {
List<String> hints = new ArrayList<String>();
// hints.add(getLabelManager().get("SqlStringInjectionHint1"));
// hints.add(getLabelManager().get("SqlStringInjectionHint2"));
// hints.add(getLabelManager().get("SqlStringInjectionHint3"));
// hints.add(getLabelManager().get("SqlStringInjectionHint4"));
// hints.add(getLabelManager().get("SqlStringInjectionHint5"));
return hints;
}
@Override
public Integer getDefaultRanking() {
return 0;
}
@Override
public String getTitle() {
return "sql.injection.title";

17
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionMitigations.java
View File

@@ -23,29 +23,16 @@
package org.owasp.webgoat.sql_injection.mitigation;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.springframework.stereotype.Component;
import java.util.ArrayList;
import java.util.List;
@Component
public class SqlInjectionMitigations extends NewLesson {
public class SqlInjectionMitigations extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.INJECTION;
}
@Override
public List<String> getHints() {
return new ArrayList<>();
}
@Override
public Integer getDefaultRanking() {
return 3;
}
@Override
public String getTitle() {
return "sql.mitigation.title";

60
webgoat-container/src/main/java/org/owasp/webgoat/lessons/NewLesson.java → webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/SqlLessonTest.java
View File

@@ -1,50 +1,46 @@
package org.owasp.webgoat.lessons;
import java.util.List;
/**
* ************************************************************************************************
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
/*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2019 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
* <p>
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
* <p>
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
* <p>
* Getting Source ==============
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
* <p>
*
* @author WebGoat
* @version $Id: $Id
* @since October 12, 2016
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/
public abstract class NewLesson extends LessonAdapter {
@Override
public abstract Category getDefaultCategory();
package org.owasp.webgoat.sql_injection;
public abstract List<String> getHints();
import org.junit.Before;
import org.owasp.webgoat.plugins.LessonTest;
import org.owasp.webgoat.session.WebgoatContext;
import org.owasp.webgoat.sql_injection.introduction.SqlInjection;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
@Override
public abstract Integer getDefaultRanking();
import static org.mockito.Mockito.when;
@Override
public abstract String getTitle();
public class SqlLessonTest extends LessonTest {
@Autowired
private SqlInjection sql = new SqlInjection();
@Before
public void setup() {
when(webSession.getCurrentLesson()).thenReturn(sql);
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
}
@Override
public abstract String getId();
}

14
webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10Test.java
View File

@@ -27,6 +27,7 @@ import org.junit.Test;
import org.junit.runner.RunWith;
import org.owasp.webgoat.plugins.LessonTest;
import org.owasp.webgoat.session.WebgoatContext;
import org.owasp.webgoat.sql_injection.SqlLessonTest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
@@ -42,21 +43,10 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
* @since 11/07/18.
*/
@RunWith(SpringJUnit4ClassRunner.class)
public class SqlInjectionLesson10Test extends LessonTest {
@Autowired
private WebgoatContext context;
public class SqlInjectionLesson10Test extends SqlLessonTest {
private String completedError = "JSON path \"lessonCompleted\"";
@Before
public void setup() {
SqlInjection sql = new SqlInjection();
when(webSession.getCurrentLesson()).thenReturn(sql);
when(webSession.getWebgoatContext()).thenReturn(context);
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
}
@Test
public void tableExistsIsFailure() throws Exception {
try {

14
webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5aTest.java
View File

@@ -6,6 +6,7 @@ import org.junit.Test;
import org.junit.runner.RunWith;
import org.owasp.webgoat.plugins.LessonTest;
import org.owasp.webgoat.session.WebgoatContext;
import org.owasp.webgoat.sql_injection.SqlLessonTest;
import org.owasp.webgoat.sql_injection.introduction.SqlInjection;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
@@ -24,18 +25,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
* @since 5/21/17.
*/
@RunWith(SpringJUnit4ClassRunner.class)
public class SqlInjectionLesson5aTest extends LessonTest {
@Autowired
private WebgoatContext context;
@Before
public void setup() throws Exception {
SqlInjection sql = new SqlInjection();
when(webSession.getCurrentLesson()).thenReturn(sql);
when(webSession.getWebgoatContext()).thenReturn(context);
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
}
public class SqlInjectionLesson5aTest extends SqlLessonTest {
@Test
public void knownAccountShouldDisplayData() throws Exception {

9
webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson6aTest.java
View File

@@ -26,6 +26,7 @@ import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.owasp.webgoat.plugins.LessonTest;
import org.owasp.webgoat.sql_injection.SqlLessonTest;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
@@ -41,13 +42,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
* @since 6/15/17.
*/
@RunWith(SpringJUnit4ClassRunner.class)
public class SqlInjectionLesson6aTest extends LessonTest {
@Before
public void setup() throws Exception {
when(webSession.getCurrentLesson()).thenReturn(new SqlInjection());
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
}
public class SqlInjectionLesson6aTest extends SqlLessonTest {
@Test
public void wrongSolution() throws Exception {

9
webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson6bTest.java
View File

@@ -26,6 +26,7 @@ import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.owasp.webgoat.plugins.LessonTest;
import org.owasp.webgoat.sql_injection.SqlLessonTest;
import org.owasp.webgoat.sql_injection.introduction.SqlInjection;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
@@ -41,13 +42,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
* @since 6/16/17.
*/
@RunWith(SpringJUnit4ClassRunner.class)
public class SqlInjectionLesson6bTest extends LessonTest {
@Before
public void setup() throws Exception {
when(webSession.getCurrentLesson()).thenReturn(new SqlInjection());
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
}
public class SqlInjectionLesson6bTest extends SqlLessonTest {
@Test
public void submitCorrectPassword() throws Exception {

14
webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8Test.java
View File

@@ -27,6 +27,7 @@ import org.junit.Test;
import org.junit.runner.RunWith;
import org.owasp.webgoat.plugins.LessonTest;
import org.owasp.webgoat.session.WebgoatContext;
import org.owasp.webgoat.sql_injection.SqlLessonTest;
import org.owasp.webgoat.sql_injection.introduction.SqlInjection;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
@@ -44,18 +45,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
* @since 11/07/18.
*/
@RunWith(SpringJUnit4ClassRunner.class)
public class SqlInjectionLesson8Test extends LessonTest {
@Autowired
private WebgoatContext context;
@Before
public void setup() {
SqlInjection sql = new SqlInjection();
when(webSession.getCurrentLesson()).thenReturn(sql);
when(webSession.getWebgoatContext()).thenReturn(context);
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
}
public class SqlInjectionLesson8Test extends SqlLessonTest {
@Test
public void oneAccount() throws Exception {

14
webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9Test.java
View File

@@ -27,6 +27,7 @@ import org.junit.Test;
import org.junit.runner.RunWith;
import org.owasp.webgoat.plugins.LessonTest;
import org.owasp.webgoat.session.WebgoatContext;
import org.owasp.webgoat.sql_injection.SqlLessonTest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
@@ -43,21 +44,10 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
* @since 11/07/18.
*/
@RunWith(SpringJUnit4ClassRunner.class)
public class SqlInjectionLesson9Test extends LessonTest {
@Autowired
private WebgoatContext context;
public class SqlInjectionLesson9Test extends SqlLessonTest {
private String completedError = "JSON path \"lessonCompleted\"";
@Before
public void setup() {
SqlInjection sql = new SqlInjection();
when(webSession.getCurrentLesson()).thenReturn(sql);
when(webSession.getWebgoatContext()).thenReturn(context);
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
}
@Test
public void oneAccount() throws Exception {
try {

15
webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson12aTest.java
View File

@@ -3,6 +3,7 @@ package org.owasp.webgoat.sql_injection.mitigation;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.owasp.webgoat.sql_injection.SqlLessonTest;
import org.owasp.webgoat.sql_injection.introduction.SqlInjection;
import org.owasp.webgoat.plugins.LessonTest;
import org.owasp.webgoat.session.WebgoatContext;
@@ -21,19 +22,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
* @since 5/21/17.
*/
@RunWith(SpringJUnit4ClassRunner.class)
public class SqlInjectionLesson12aTest extends LessonTest {
@Autowired
private WebgoatContext context;
@Before
public void setup() {
SqlInjection sql = new SqlInjection();
when(webSession.getCurrentLesson()).thenReturn(sql);
when(webSession.getWebgoatContext()).thenReturn(context);
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
}
public class SqlInjectionLesson12aTest extends SqlLessonTest {
@Test
public void knownAccountShouldDisplayData() throws Exception {

17
webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRF.java
View File

@@ -1,12 +1,9 @@
package org.owasp.webgoat.ssrf;
import com.beust.jcommander.internal.Lists;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.springframework.stereotype.Component;
import java.util.List;
/**
* ************************************************************************************************
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
@@ -37,22 +34,12 @@ import java.util.List;
* @since October 12, 2016
*/
@Component
public class SSRF extends NewLesson {
public class SSRF extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.REQUEST_FORGERIES;
}
@Override
public List<String> getHints() {
return Lists.newArrayList();
}
@Override
public Integer getDefaultRanking() {
return 2;
}
@Override
public String getTitle() {
return "ssrf.title";

4
webgoat-lessons/ssrf/src/test/java/org/owasp/webgoat/ssrf/SSRFTest1.java
View File

@@ -4,6 +4,7 @@ import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.owasp.webgoat.plugins.LessonTest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.result.MockMvcResultHandlers;
@@ -21,10 +22,11 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
@RunWith(SpringJUnit4ClassRunner.class)
public class SSRFTest1 extends LessonTest {
@Autowired
private SSRF ssrf;
@Before
public void setup() throws Exception {
SSRF ssrf = new SSRF();
when(webSession.getCurrentLesson()).thenReturn(ssrf);
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
}

4
webgoat-lessons/ssrf/src/test/java/org/owasp/webgoat/ssrf/SSRFTest2.java
View File

@@ -26,6 +26,7 @@ import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.owasp.webgoat.plugins.LessonTest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.result.MockMvcResultHandlers;
@@ -43,10 +44,11 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
@RunWith(SpringJUnit4ClassRunner.class)
public class SSRFTest2 extends LessonTest {
@Autowired
private SSRF ssrf;
@Before
public void setup() throws Exception {
SSRF ssrf = new SSRF();
when(webSession.getCurrentLesson()).thenReturn(ssrf);
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
}

17
webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponents.java
View File

@@ -23,29 +23,16 @@
package org.owasp.webgoat.vulnerable_components;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.springframework.stereotype.Component;
import java.util.ArrayList;
import java.util.List;
@Component
public class VulnerableComponents extends NewLesson {
public class VulnerableComponents extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.VULNERABLE_COMPONENTS;
}
@Override
public List<String> getHints() {
return new ArrayList();
}
@Override
public Integer getDefaultRanking() {
return 1;
}
@Override
public String getTitle() {
return "vulnerable-components.title";

17
webgoat-lessons/webgoat-introduction/src/main/java/org/owasp/webgoat/introduction/WebGoatIntroduction.java
View File

@@ -1,12 +1,9 @@
package org.owasp.webgoat.introduction;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.springframework.stereotype.Component;
import java.util.ArrayList;
import java.util.List;
/**
* ************************************************************************************************
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
@@ -37,22 +34,12 @@ import java.util.List;
* @since October 12, 2016
*/
@Component
public class WebGoatIntroduction extends NewLesson {
public class WebGoatIntroduction extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.INTRODUCTION;
}
@Override
public List<String> getHints() {
return new ArrayList();
}
@Override
public Integer getDefaultRanking() {
return 1;
}
@Override
public String getTitle() {
return "webgoat.title";

17
webgoat-lessons/webgoat-lesson-template/src/main/java/org/owasp/webgoat/template/LessonTemplate.java
View File

@@ -1,12 +1,9 @@
package org.owasp.webgoat.template;
import com.beust.jcommander.internal.Lists;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.springframework.stereotype.Component;
import java.util.List;
/**
* ************************************************************************************************
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
@@ -37,23 +34,13 @@ import java.util.List;
* @since January 3, 2017
*/
@Component
public class LessonTemplate extends NewLesson {
public class LessonTemplate extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.GENERAL;
}
@Override
public List<String> getHints() {
return Lists.newArrayList();
}
@Override
public Integer getDefaultRanking() {
return 30;
}
@Override
public String getTitle() {
return "lesson-template.title";

2
webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-attack.adoc
View File

@@ -5,7 +5,7 @@ Each lesson can contain multiple assignments, first let's define a lesson class
[source]
----
@Component
public class LessonTemplate extends NewLesson {
public class LessonTemplate extends AbstractLesson {
@Override
public Category getDefaultCategory() {
return Category.GENERAL;

17
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/WebWolfIntroduction.java
View File

@@ -23,29 +23,16 @@
package org.owasp.webgoat.webwolf_introduction;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.springframework.stereotype.Component;
import java.util.ArrayList;
import java.util.List;
@Component
public class WebWolfIntroduction extends NewLesson {
public class WebWolfIntroduction extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.INTRODUCTION;
}
@Override
public List<String> getHints() {
return new ArrayList();
}
@Override
public Integer getDefaultRanking() {
return 10;
}
@Override
public String getTitle() {
return "webwolf.title";

21
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/XXE.java
View File

@@ -23,34 +23,17 @@
package org.owasp.webgoat.xxe;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.Lesson;
import org.springframework.stereotype.Component;
import java.util.ArrayList;
import java.util.List;
@Component
public class XXE extends NewLesson {
public class XXE extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.XXE;
}
@Override
public List<String> getHints() {
List<String> hints = new ArrayList<String>();
hints.add("Try submitting the form and see what happens");
hints.add("XXE stands for XML External Entity attack");
hints.add("Try to include your own DTD");
return hints;
}
@Override
public Integer getDefaultRanking() {
return 4;
}
@Override
public String getTitle() {
return "xxe.title";

6
webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/xxe/BlindSendFileAssignmentTest.java
View File

@@ -34,6 +34,8 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
@RunWith(SpringJUnit4ClassRunner.class)
public class BlindSendFileAssignmentTest extends LessonTest {
@Autowired
private XXE xxe;
@Autowired
private Comments comments;
@Value("${webgoat.user.directory}")
@@ -45,11 +47,9 @@ public class BlindSendFileAssignmentTest extends LessonTest {
public WireMockRule webwolfServer = new WireMockRule(wireMockConfig().dynamicPort());
@Before
public void setup() throws Exception {
XXE xxe = new XXE();
public void setup() {
when(webSession.getCurrentLesson()).thenReturn(xxe);
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
when(webSession.getUserName()).thenReturn("unit-test");
port = webwolfServer.port();
}

6
webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/xxe/ContentTypeAssignmentTest.java
View File

@@ -47,15 +47,15 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
@RunWith(SpringJUnit4ClassRunner.class)
public class ContentTypeAssignmentTest extends LessonTest {
@Autowired
private XXE xxe;
@Autowired
private Comments comments;
@Before
public void setup() throws Exception {
XXE xxe = new XXE();
public void setup() {
when(webSession.getCurrentLesson()).thenReturn(xxe);
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
when(webSession.getUserName()).thenReturn("unit-test");
}
@Test

8
webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/xxe/SimpleXXETest.java
View File

@@ -28,6 +28,7 @@ import org.junit.Test;
import org.junit.runner.RunWith;
import org.owasp.webgoat.plugins.LessonTest;
import org.owasp.webgoat.xxe.XXE;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
@@ -43,12 +44,13 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
@RunWith(SpringJUnit4ClassRunner.class)
public class SimpleXXETest extends LessonTest {
@Autowired
private XXE xxe;
@Before
public void setup() throws Exception {
XXE xxe = new XXE();
public void setup() {
when(webSession.getCurrentLesson()).thenReturn(xxe);
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
when(webSession.getUserName()).thenReturn("unit-test");
}
@Test

3
webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java
View File

@@ -28,6 +28,7 @@ import lombok.extern.slf4j.Slf4j;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.web.servlet.support.SpringBootServletInitializer;
import org.springframework.util.StringUtils;
/**
* Main entry point, this project is here to get all the lesson jars included to the final jar file
@@ -40,7 +41,7 @@ import org.springframework.boot.web.servlet.support.SpringBootServletInitializer
public class StartWebGoat extends SpringBootServletInitializer {
public static void main(String[] args) {
log.info("Starting WebGoat with args: {}", args);
log.info("Starting WebGoat with args: {}", StringUtils.arrayToCommaDelimitedString(args));
System.setProperty("spring.config.name", "application-webgoat");
SpringApplication.run(StartWebGoat.class, args);
}

3
webwolf/src/test/java/org/owasp/webwolf/user/UserServiceTest.java
View File

@@ -27,12 +27,13 @@ import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.mockito.junit.MockitoJUnitRunner;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import static org.mockito.Mockito.*;
@RunWith(SpringJUnit4ClassRunner.class)
@RunWith(MockitoJUnitRunner.class)
public class UserServiceTest {
@Mock

3
webwolf/src/test/java/org/owasp/webwolf/user/UserValidatorTest.java
View File

@@ -28,6 +28,7 @@ import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.mockito.junit.MockitoJUnitRunner;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.validation.BindException;
@@ -35,7 +36,7 @@ import static junit.framework.TestCase.assertTrue;
import static org.junit.Assert.assertFalse;
import static org.mockito.Mockito.when;
@RunWith(SpringJUnit4ClassRunner.class)
@RunWith(MockitoJUnitRunner.class)
public class UserValidatorTest {
@Mock