From 112386b43eee9b0f829609ac0f887f0737271a3a Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Wed, 2 Sep 2015 23:22:24 +0200 Subject: [PATCH 1/6] Lab - DOM-based cross-site scripting: Java Source produces XSS alert #38 --- .../org/owasp/webgoat/service/SourceService.java | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/SourceService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/SourceService.java index ae3eaa8c9..daf2e922d 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/service/SourceService.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/SourceService.java @@ -30,9 +30,7 @@ */ package org.owasp.webgoat.service; -import javax.servlet.http.HttpSession; -import static org.owasp.webgoat.LessonSource.END_SOURCE_SKIP; -import static org.owasp.webgoat.LessonSource.START_SOURCE_SKIP; +import org.apache.commons.lang3.StringEscapeUtils; import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.session.Course; import org.owasp.webgoat.session.WebSession; @@ -40,6 +38,11 @@ import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.ResponseBody; +import javax.servlet.http.HttpSession; + +import static org.owasp.webgoat.LessonSource.END_SOURCE_SKIP; +import static org.owasp.webgoat.LessonSource.START_SOURCE_SKIP; + /** * * @author rlawson @@ -61,10 +64,7 @@ public class SourceService extends BaseService { if (source == null) { source = "No source listing found"; } - return source; - //SourceListing sl = new SourceListing(); - //sl.setSource(source); - //return sl; + return StringEscapeUtils.escapeHtml4(source); } /** From 18204c62c6e8f2adbb5294b9642d40992c0650b8 Mon Sep 17 00:00:00 2001 
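Review bot: The new `return StringEscapeUtils.escapeHtml4(source);` in the last SourceService.java hunk encodes for HTML element content only, and nothing on the method records that limit. `escapeHtml4` leaves the single quote untouched, so the returned value is not safe to drop into a single-quoted attribute or a script block should a client ever do that. I would add a comment above the return such as `// HTML-encoded for element-content sinks only; re-encode for attribute, URL or script contexts`. The method's signature and mapping annotation sit outside the hunk, so the declared response content type cannot be checked from here and is worth confirming alongside this change.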
From: Nanne Baars Date: Sat, 5 Sep 2015 09:43:03 +0200 Subject: [PATCH 2/6] LessonAdapter did not read the 'New Lesson Instructions.txt' (IOException) --- .../owasp/webgoat/lessons/LessonAdapter.java | 44 +++++++++---------- .../org/owasp/webgoat/plugins/Plugin.java | 5 +-- 2 files changed, 23 insertions(+), 26 deletions(-) diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonAdapter.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonAdapter.java index f85a11b93..83258c855 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonAdapter.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonAdapter.java @@ -1,5 +1,7 @@ package org.owasp.webgoat.lessons; +import com.google.common.base.Joiner; +import org.apache.commons.io.IOUtils; import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.StringElement; @@ -14,37 +16,39 @@ import org.owasp.webgoat.session.WebSession; import java.io.BufferedReader; import java.io.FileReader; +import java.io.IOException; +import java.io.InputStream; import java.util.ArrayList; import java.util.List; /** * ************************************************************************************************* - * - * + *

+ *

* This file is part of WebGoat, an Open Web Application Security Project * utility. For details, please see http://www.owasp.org/ - * + *

* Copyright (c) 2002 - 20014 Bruce Mayhew - * + *

* This program is free software; you can redistribute it and/or modify it under * the terms of the GNU General Public License as published by the Free Software * Foundation; either version 2 of the License, or (at your option) any later * version. - * + *

* This program is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more * details. - * + *

* You should have received a copy of the GNU General Public License along with * this program; if not, write to the Free Software Foundation, Inc., 59 Temple * Place - Suite 330, Boston, MA 02111-1307, USA. - * + *

* Getting Source ============== - * + *

* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository * for free software projects. - * + *

* For details, please see http://webgoat.github.io * * @author Bruce Mayhew WebGoat @@ -69,25 +73,21 @@ public abstract class LessonAdapter extends AbstractLesson { ec.addElement(new P()); ec .addElement(new StringElement( - "Lesson are simple to create and very little coding is required.   " + "Lesson are simple to create and very little coding is required.   " + "In fact, most lessons can be created by following the easy to use instructions in the " + "WebGoat User Guide.  " + "If you would prefer, send your lesson ideas to " + getWebgoatContext().getFeedbackAddressHTML())); - String fileName = s.getContext().getRealPath("WEB-INF/classes/New Lesson Instructions.txt"); - if (fileName != null) { - try { + try (InputStream is = Thread.currentThread().getContextClassLoader() + .getResourceAsStream("New Lesson Instructions.txt")) { + if (is != null) { PRE pre = new PRE(); - BufferedReader in = new BufferedReader(new FileReader(fileName)); - String line = null; - while ((line = in.readLine()) != null) { - pre.addElement(line + "\n"); - } + pre.addElement(Joiner.on("\n").join(IOUtils.readLines(is))); ec.addElement(pre); - } catch (Exception e) { - e.printStackTrace(); } + } catch (IOException e) { + e.printStackTrace(); } return (ec); } @@ -140,9 +140,9 @@ public abstract class LessonAdapter extends AbstractLesson { /** * Gets the credits attribute of the AbstractLesson object * - * @deprecated Credits are in the about page. This method s no - * longer called from WebGoat * @return The credits value + * @deprecated Credits are in the about page. This method s no + * longer called from WebGoat */ public Element getCredits() { return new StringElement(); diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/Plugin.java b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/Plugin.java index a9b2121c1..b7e27b7c3 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/Plugin.java 
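Review bot: `IOUtils.readLines(is)` in the rewritten try block of the LessonAdapter.java hunk at -69,25 decodes the resource with the platform default charset, so the instructions text can render differently from host to host. Assuming the file is stored as UTF-8, passing the encoding explicitly removes that dependency: `pre.addElement(Joiner.on("\n").join(IOUtils.readLines(is, "UTF-8")));`. The same block does nothing when `getResourceAsStream` returns null and still reports I/O failures through `e.printStackTrace()`; a log line for both cases would make a missing resource visible. `BufferedReader` and `FileReader` remain imported in the earlier hunk although this block no longer uses them, so they may now be unused. That cannot be confirmed here because the enclosing method and the rest of the file are outside the patch.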
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/Plugin.java @@ -16,9 +16,6 @@ import java.util.HashMap; import java.util.List; import java.util.Map; -import static java.nio.file.StandardOpenOption.APPEND; -import static java.nio.file.StandardOpenOption.CREATE; -import static java.nio.file.StandardOpenOption.TRUNCATE_EXISTING; import static org.owasp.webgoat.plugins.PluginFileUtils.fileEndsWith; import static org.owasp.webgoat.plugins.PluginFileUtils.hasParentDirectoryWithName; import static org.owasp.webgoat.plugins.PluginFileUtils.replaceInFiles; @@ -94,7 +91,7 @@ public class Plugin { Path propertiesPath = createPropertiesDirectory(); LabelProvider.updatePluginResources(propertiesPath); PluginFileUtils.createDirsIfNotExists(file.getParent()); - Files.write(propertiesPath.resolve(file.getFileName()), lines, CREATE, (reload ? APPEND : TRUNCATE_EXISTING)); + Files.write(propertiesPath.resolve(file.getFileName()), lines); } catch (IOException io) { throw new PluginLoadingFailure("Property file detected, but unable to copy the properties", io); } From 5365679b7c797e938d7cc7c5935b791dd802ef25 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Sat, 5 Sep 2015 11:25:45 +0200 Subject: [PATCH 3/6] Removed webgoat-release project now part of Travis build --- pom.xml | 1 - webgoat-release/.gitignore | 4 -- webgoat-release/README.md | 18 ------ webgoat-release/pom.xml | 119 ------------------------------------- 4 files changed, 142 deletions(-) delete mode 100644 webgoat-release/.gitignore delete mode 100644 webgoat-release/README.md delete mode 100644 webgoat-release/pom.xml diff --git a/pom.xml b/pom.xml index cbdc5450f..419a69801 100644 --- a/pom.xml +++ b/pom.xml @@ -15,6 +15,5 @@ webgoat-container webgoat-classloader - diff --git a/webgoat-release/.gitignore b/webgoat-release/.gitignore deleted file mode 100644 index 1428faf7e..000000000 --- a/webgoat-release/.gitignore +++ /dev/null 
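Review bot: In the Plugin.java hunk at -94,7 the call `Files.write(propertiesPath.resolve(file.getFileName()), lines);` no longer consults `reload`, and with no options `Files.write` creates or truncates the target, so a reload now replaces the properties file where it previously appended. If that is intended, a comment on the line would record it, for example `// always overwrite: a reload must not append duplicate keys`. `reload` may now be unused in the enclosing method, which cannot be confirmed because the method starts outside the hunk. The target is named only by `file.getFileName()` inside the directory returned by `createPropertiesDirectory()`, so if two plugins ship a properties file with the same name the later write would appear to replace the earlier one; that is worth checking against how plugin archives are laid out.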
@@ -1,4 +0,0 @@ -target/ -.idea/ -*.iml -dependency-reduced-pom.xml \ No newline at end of file diff --git a/webgoat-release/README.md b/webgoat-release/README.md deleted file mode 100644 index 61389f009..000000000 --- a/webgoat-release/README.md +++ /dev/null @@ -1,18 +0,0 @@ -# Releasing WebGoat - -## Introduction - -This project will create a release for WebGoat ready for distribution. -This project creates a war with all the lessons included. - -## Details - -The following steps happen during the release: - -* Download the webgoat-container.war from the repository -* Unpack the war -* Download the dist-plugin.zip from the repository -* Unpack the lessons -* Build the war again (webgoat-release-${version}.war) -* Create the executable jar (webgoat-release-${version}-war-exec.jar) - diff --git a/webgoat-release/pom.xml b/webgoat-release/pom.xml deleted file mode 100644 index c30d398a4..000000000 --- a/webgoat-release/pom.xml +++ /dev/null @@ -1,119 +0,0 @@ - - webgoat-release - 4.0.0 - webgoat-release - war - - org.owasp.webgoat - webgoat-parent - 7.0-SNAPSHOT - - - - - 2.2.2 - - local - 1.0 - ${project.build.directory}/war/ - ${war.output.dir}/plugin_lessons - - - - - - - - - org.apache.maven.plugins - maven-dependency-plugin - 2.10 - - - unpack-war - generate-resources - - unpack - - - - - org.owasp.webgoat - webgoat-container - ${project.version} - war - - - ${war.output.dir} - - - - unpack-lessons-zip - generate-resources - - unpack - - - false - - - **/*.jar - org.owasp.webgoat.lesson - dist - ${lessons.version} - zip - plugins - - - ${lessons.output.dir} - - - - - - - org.apache.maven.plugins - maven-war-plugin - 2.4 - - ${war.output.dir} - - - true - - - ${project.name} - ${project.version} - ${build.number} - - - - - - - org.apache.tomcat.maven - tomcat7-maven-plugin - 2.1 - - http://localhost:8080/manager - /WebGoat - exec - - - - tomcat-run - - exec-war-only - - package - - - - - - From e294bd39b92adb72d129157c3105213048f85b7b Mon Sep 17 00:00:00 2001 
From: Nanne Baars Date: Sat, 5 Sep 2015 16:03:18 +0200 Subject: [PATCH 4/6] User Info/Logout Links #25 --- .../src/main/webapp/WEB-INF/pages/main_new.jsp | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/webgoat-container/src/main/webapp/WEB-INF/pages/main_new.jsp b/webgoat-container/src/main/webapp/WEB-INF/pages/main_new.jsp index cf00d7d8b..085920a30 100644 --- a/webgoat-container/src/main/webapp/WEB-INF/pages/main_new.jsp +++ b/webgoat-container/src/main/webapp/WEB-INF/pages/main_new.jsp @@ -39,6 +39,9 @@ + + + WebGoat @@ -59,10 +62,10 @@

- From 543e35caa1a06e6a1ffc41bfa391c22532d243af Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Sun, 6 Sep 2015 11:51:00 +0200 Subject: [PATCH 6/6] Removed duplicate css import --- webgoat-container/src/main/webapp/WEB-INF/pages/main_new.jsp | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/webgoat-container/src/main/webapp/WEB-INF/pages/main_new.jsp b/webgoat-container/src/main/webapp/WEB-INF/pages/main_new.jsp index 874ff754d..93ca8ba56 100644 --- a/webgoat-container/src/main/webapp/WEB-INF/pages/main_new.jsp +++ b/webgoat-container/src/main/webapp/WEB-INF/pages/main_new.jsp @@ -37,11 +37,9 @@ - - - + WebGoat