diff --git a/.gitignore b/.gitignore index 53273a5b1..917e56a8c 100644 --- a/.gitignore +++ b/.gitignore @@ -14,7 +14,8 @@ /.settings/org.eclipse.wst.validation.prefs /.externalToolBuilders/ .project -/target +*/target/* +mongo-data/* .classpath .idea/ .settings/ @@ -29,6 +30,7 @@ src/main/webapp/plugin_lessons/*.jar src/main/webapp/users/*.props classes/* *.iml +pom.xml.versionsBackup /*.iml .extract/* @@ -39,3 +41,5 @@ webgoat-lessons/**/target **/*.jar **/.DS_Store webgoat-server/mongo-data/* +webgoat-lessons/vulnerable-components/dependency-reduced-pom.xml +/.sonatype \ No newline at end of file diff --git a/.travis.yml b/.travis.yml index 2543b516f..ff681acfb 100644 --- a/.travis.yml +++ b/.travis.yml @@ -7,10 +7,20 @@ install: "/bin/true" script: - export BRANCH=$(if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then echo $TRAVIS_BRANCH; else echo $TRAVIS_PULL_REQUEST_BRANCH; fi) - echo "TRAVIS_BRANCH=$TRAVIS_BRANCH, PR=$PR, BRANCH=$BRANCH" +- if [ ! -z "${TRAVIS_TAG}" ]; then mvn versions:set -DnewVersion=${TRAVIS_TAG:1}; fi - mvn clean install -q cache: directories: - "$HOME/.m2" +before_deploy: + - export WEBGOAT_SERVER_TARGET_DIR=$HOME/build/$TRAVIS_REPO_SLUG/webgoat-server/target + - export WEBWOLF_TARGET_DIR=$HOME/build/$TRAVIS_REPO_SLUG/webwolf/target + - export WEBGOAT_ARTIFACTS_FOLDER=$HOME/build/$TRAVIS_REPO_SLUG/Deployable_Artifacts/ + - mkdir -p $WEBGOAT_ARTIFACTS_FOLDER + - cp -fa $WEBGOAT_SERVER_TARGET_DIR/*.jar $WEBGOAT_ARTIFACTS_FOLDER/ + - cp -fa $WEBWOLF_TARGET_DIR/*.jar $WEBGOAT_ARTIFACTS_FOLDER/ + - echo "Contents of artifacts folder:" + - ls $WEBGOAT_ARTIFACTS_FOLDER deploy: - provider: script skip_cleanup: true @@ -25,10 +35,13 @@ deploy: repo: WebGoat/WebGoat branch: develop - provider: releases + skip_cleanup: true + overwrite: true api_key: #api-key from webgoat-github user secure: pJOLBnl6427PcVg/tVy/qB18JC7b8cKpffau+IP0pjdSt7KUfBdBY3QuJ7mrM65zRoVILzggLckaew2PlRmYQRdumyWlyRn44XiJ9KO4n6Bsufbz+ictB4ggtozpp9+I9IIUh1TmqypL9lhkX2ONM9dSHmyblYpAAgMuYSK8FYc= - file: "webgoat-server/target/webgoat-server*.jar" + file_glob: true + file: $WEBGOAT_ARTIFACTS_FOLDER/* on: repo: WebGoat/WebGoat tags: true diff --git a/CREATE_RELEASE.MD b/CREATE_RELEASE.MD new file mode 100644 index 000000000..885c7a2fc --- /dev/null +++ b/CREATE_RELEASE.MD @@ -0,0 +1,29 @@ +## Release WebGoat + + +### Version numbers + +For WebGoat we use milestone releases first before we release the official version, we use `v8.0.0.M3` while tagging + and 8.0.0.M3 in the `pom.xml`. When we create the final release we remove the milestone release and use + `v8.0.0` and 8.0.0 in the `pom.xml` + +At the moment we use Gitflow, for a release you create a new release branch and take the following steps: + +``` +git checkout develop +git flow release start +mvn versions:set < +git commit -am "New release, updaing pom.xml" +git flow release publish +``` + +Now we can make a new release, be sure you committed all your changes. + +``` +git tag v8.0.0.M3 +git push origin v8.0.0.M3 +``` + +Now Travis takes over and will create the release in Github and on Docker Hub. + + diff --git a/README.MD b/README.MD index 775d9043d..d0ff4809e 100644 --- a/README.MD +++ b/README.MD @@ -1,15 +1,11 @@ -# WebGoat: A deliberately insecure Web Application +# WebGoat 8: A deliberately insecure Web Application [![Build Status](https://travis-ci.org/WebGoat/WebGoat.svg?branch=develop)](https://travis-ci.org/WebGoat/WebGoat) [![Coverage Status](https://coveralls.io/repos/WebGoat/WebGoat/badge.svg?branch=develop&service=github)](https://coveralls.io/github/WebGoat/WebGoat?branch=master) [![Codacy Badge](https://api.codacy.com/project/badge/b69ee3a86e3b4afcaf993f210fccfb1d)](https://www.codacy.com/app/dm/WebGoat) [![Dependency Status](https://www.versioneye.com/user/projects/562da95ae346d7000e0369aa/badge.svg?style=flat)](https://www.versioneye.com/user/projects/562da95ae346d7000e0369aa) -[![OWASP Labs](https://img.shields.io/badge/owasp-labs-orange.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Labs_Projects) - -# Important - -This is the development version of WebGoat 8, if you are looking for a released stable version please go to: https://github.com/WebGoat/WebGoat/wiki/Running-WebGoat - +[![OWASP Labs](https://img.shields.io/badge/owasp-lab%20project-f7b73c.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Labs_Projects) +[![GitHub release](https://img.shields.io/github/release/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/releases/latest) # Introduction @@ -44,6 +40,15 @@ docker pull webgoat/webgoat-8.0 docker run -p 8080:8080 -it webgoat/webgoat-8.0 /home/webgoat/start.sh ``` +If you want to keep the database between Docker sessions you need to map the WebGoat data directory to a +folder on the host system as follows: + +```Shell +docker run -p 8080:8080 -it -v /tmp/webgoat-data:/home/webgoat/.webgoat-${VERSION} webgoat/webgoat-8.0 /home/webgoat/start.sh +``` + +where `${VERSION}` is for example `v8.0.0.M14`. The data will now be stored in `/tmp/webgoat-data` on your host system. + Wait for the Docker container to start, and run `docker ps` to verify it's running. - If you are using `docker-machine`, verify the machine IP using `docker-machine env` @@ -65,9 +70,23 @@ _Please note: this version may not be completely in sync with the develop branch Download the latest WebWolf release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases) ```Shell -java -jar webwolf-<>.jar +java -jar webgoat-server-<>.jar ``` +By default WebGoat starts at port 8080 in order to change this use the following property: + +```Shell +java -jar webgoat-server-<>.jar --server.port=9090 +``` + +You can specify one of the following arguments when starting WebGoat: + +```Shell +java -jar webgoat-server-<>.jar --server.port=9090 --server.address=x.x.x.x +``` + +This will start WebGoat on a different port and/or different address. + ## 3. Run from the sources @@ -88,18 +107,19 @@ Now let's start by compiling the project. ```Shell cd WebGoat -git checkout develop +git checkout <> mvn clean install ``` Now we are ready to run the project. WebGoat 8.x is using Spring-Boot. ```Shell -mvn -pl webwolf spring-boot:run +mvn -pl webgoat-server spring-boot:run ``` ... you should be running webgoat on localhost:8080/WebGoat momentarily -To change IP addresss add the following variable to WebGoat/webgoat-container/src/main/resources/application.properties file + +To change IP address add the following variable to WebGoat/webgoat-container/src/main/resources/application.properties file ``` server.address=x.x.x.x @@ -110,8 +130,8 @@ server.address=x.x.x.x We supply a complete development environment using Vagrant, to run WebGoat with Vagrant you must first have Vagrant and Virtualbox installed. ```shell - $ cd WebGoat/webgoat-images/vagrant-users - $ vagrant up + $ cd WebGoat/webgoat-images/vagrant-training + $ vagrant up ``` Once the provisioning is complete login to the Virtualbox with username vagrant and password vagrant. @@ -120,6 +140,8 @@ The source code will be available in the home directory. # Building a new Docker image +NOTE: Travis will create a new Docker image automatically when making a new release. + WebGoat now has Docker support for x86 and ARM (raspberry pi). ### Docker on x86 On x86 you can build a container with the following commands: diff --git a/docker-compose-postgres.yml b/docker-compose-postgres.yml new file mode 100644 index 000000000..7ecc68403 --- /dev/null +++ b/docker-compose-postgres.yml @@ -0,0 +1,35 @@ +version: '2.0' + +services: + webgoat: + image: webgoat/webgoat-8.0 + user: webgoat + environment: + - WEBWOLF_HOST=webwolf + - spring.datasource.url=jdbc:postgresql://webgoat_db:5432/webgoat + - spring.datasource.username=webgoat + - spring.datasource.password=webgoat + - spring.datasource.driver-class-name=org.postgresql.Driver + - spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL94Dialect + ports: + - "8080:8080" + webwolf: + image: webgoat/webwolf + environment: + - spring.datasource.url=jdbc:postgresql://webgoat_db:5432/webgoat + - spring.datasource.username=webgoat + - spring.datasource.password=webgoat + - spring.datasource.driver-class-name=org.postgresql.Driver + - spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL94Dialect + ports: + - "8081:8081" + db: + container_name: webgoat_db + image: postgres:latest + environment: + - POSTGRES_PASSWORD=webgoat + - POSTGRES_USER=webgoat + - POSTGRES_DB=webgoat + ports: + - "5432:5432" + diff --git a/docker-compose.yml b/docker-compose.yml index 3212cae13..8d2bcdee3 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,40 +1,28 @@ -version: '2.0' +version: '2.1' services: - activemq: - image: webcenter/activemq:latest - ports: - - 8161:8161 - - 61616:61616 - - 61613:61613 - mongo: - image: mongo:latest - expose: - - "27017" - volumes: - - './mongo-data:/data/db' webgoat: - build: webgoat-server/ - command: "sh /home/webgoat/start.sh" + image: webgoat/webgoat-8.0 + environment: + - WEBWOLF_HOST=webwolf + - spring.datasource.url=jdbc:hsqldb:hsql://webgoat_db:9001/webgoat ports: - "8080:8080" depends_on: - [mongo, activemq] - environment: - WG_MONGO_PORT: 27017 - WG_MONGO_HOST: mongo - WG_MQ_HOST: activemq - WG_MQ_PORT: 61616 - WG_INTERNAL_MONGO: "false" + - db webwolf: - build: webwolf/ - command: "sh /home/webwolf/start.sh" - depends_on: - - webgoat + image: webgoat/webwolf + environment: + - spring.datasource.url=jdbc:hsqldb:hsql://webgoat_db:9001/webgoat ports: - "8081:8081" + depends_on: + - db + db: + image: blacklabelops/hsqldb + container_name: webgoat_db environment: - WG_MONGO_PORT: 27017 - WG_MONGO_HOST: mongo - WG_MQ_HOST: activemq - WG_MQ_PORT: 61616 \ No newline at end of file + - HSQLDB_TRACE=false + - HSQLDB_SILENT=true + - HSQLDB_DATABASE_NAME=webgoat + - HSQLDB_DATABASE_ALIAS=webgoat diff --git a/pom.xml b/pom.xml index af11bbd60..4b75535ed 100644 --- a/pom.xml +++ b/pom.xml @@ -5,7 +5,7 @@ org.owasp.webgoat webgoat-parent pom - 8.0-SNAPSHOT + v8.0.0.M14 WebGoat Parent Pom Parent Pom for the WebGoat Project. A deliberately insecure Web Application @@ -20,7 +20,7 @@ org.springframework.boot spring-boot-starter-parent - 1.5.5.RELEASE + 1.5.12.RELEASE @@ -135,14 +135,13 @@ 2.2.4 18.0 1.4.190 - 2.3.2 + 2.3.4 1.3.1 2.6.3 2.6.3 6.0 1.2 1.7.12 - 1.2 1.3.1 4.12 1.5.4 @@ -296,8 +295,8 @@ org.projectlombok lombok - 1.16.10 provided + true org.apache.commons diff --git a/scripts/deploy-webgoat.sh b/scripts/deploy-webgoat.sh index 70ae5346a..b9562d0fa 100644 --- a/scripts/deploy-webgoat.sh +++ b/scripts/deploy-webgoat.sh @@ -4,19 +4,36 @@ docker login -u $DOCKER_USER -p $DOCKER_PASS export REPO=webgoat/webgoat-8.0 cd webgoat-server +ls target/ if [ "${BRANCH}" == "master" ] && [ ! -z "${TRAVIS_TAG}" ]; then # If we push a tag to master this will update the LATEST Docker image and tag with the version number - docker build -f Dockerfile -t $REPO:latest . - docker tag $REPO:${TRAVIS_TAG} + docker build --build-arg webgoat_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:latest -t $REPO:${TRAVIS_TAG} . docker push $REPO elif [ ! -z "${TRAVIS_TAG}" ]; then # Creating a tag build we push it to Docker with that tag - docker build -f Dockerfile -t $REPO:${TRAVIS_TAG} . - docker tag $REPO:${TRAVIS_TAG} + docker build --build-arg webgoat_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:${TRAVIS_TAG} -t $REPO:latest . docker push $REPO -elif [ "${BRANCH}" == "develop" ]; then - docker build -f Dockerfile -t $REPO:snapshot . +#elif [ "${BRANCH}" == "develop" ]; then +# docker build -f Dockerfile -t $REPO:snapshot . +# docker push $REPO +else + echo "Skipping releasing to DockerHub because it is a build of branch ${BRANCH}" +fi + + +export REPO=webgoat/webwolf +cd .. +cd webwolf +ls target/ + +if [ "${BRANCH}" == "master" ] && [ ! -z "${TRAVIS_TAG}" ]; then + # If we push a tag to master this will update the LATEST Docker image and tag with the version number + docker build --build-arg webwolf_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:latest -t $REPO:${TRAVIS_TAG} . + docker push $REPO +elif [ ! -z "${TRAVIS_TAG}" ]; then + # Creating a tag build we push it to Docker with that tag + docker build --build-arg webwolf_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:${TRAVIS_TAG} -t $REPO:latest . docker push $REPO else echo "Skipping releasing to DockerHub because it is a build of branch ${BRANCH}" diff --git a/webgoat-container/documentation/csrf-lesson.gliffy b/webgoat-container/documentation/csrf-lesson.gliffy deleted file mode 100644 index 364f3802f..000000000 --- a/webgoat-container/documentation/csrf-lesson.gliffy +++ /dev/null @@ -1 +0,0 @@ -{"contentType":"application/gliffy+json","version":"1.1","metadata":{"title":"untitled","revision":0,"exportBorder":false},"embeddedResources":{"index":0,"resources":[]},"stage":{"objects":[{"x":201,"y":233,"rotation":0,"id":22,"uid":"com.gliffy.shape.basic.basic_v1.default.line","width":100,"height":100,"lockAspectRatio":false,"lockShape":false,"order":22,"graphic":{"type":"Line","Line":{"strokeWidth":2,"strokeColor":"#000000","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":1,"startArrowRotation":"auto","endArrowRotation":"auto","ortho":false,"interpolationType":"linear","cornerRadius":null,"controlPath":[[0,0],[301.0066444449358,0]],"lockSegments":{}}},"children":[{"x":0,"y":0,"rotation":0,"id":24,"uid":null,"width":118,"height":14,"lockAspectRatio":false,"lockShape":false,"order":"auto","graphic":{"type":"Text","Text":{"tid":null,"valign":"middle","overflow":"both","vposition":"none","hposition":"none","html":"

images gets reloaded

","paddingLeft":2,"paddingRight":2,"paddingBottom":2,"paddingTop":2}},"children":null}],"linkMap":[]},{"x":499,"y":200,"rotation":0,"id":18,"uid":"com.gliffy.shape.basic.basic_v1.default.line","width":100,"height":100,"lockAspectRatio":false,"lockShape":false,"order":18,"graphic":{"type":"Line","Line":{"strokeWidth":2,"strokeColor":"#000000","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":1,"startArrowRotation":"auto","endArrowRotation":"auto","ortho":false,"interpolationType":"linear","cornerRadius":null,"controlPath":[[0,0],[-304.00164473239283,-1.1368683772161603e-13]],"lockSegments":{}}},"children":[{"x":0,"y":0,"rotation":0,"id":19,"uid":null,"width":132,"height":14,"lockAspectRatio":false,"lockShape":false,"order":"auto","graphic":{"type":"Text","Text":{"tid":null,"valign":"middle","overflow":"both","vposition":"none","hposition":"none","html":"

Message gets displayed

","paddingLeft":2,"paddingRight":2,"paddingBottom":2,"paddingTop":2}},"children":null}],"linkMap":[]},{"x":204,"y":174,"rotation":0,"id":15,"uid":"com.gliffy.shape.basic.basic_v1.default.line","width":100,"height":100,"lockAspectRatio":false,"lockShape":false,"order":15,"graphic":{"type":"Line","Line":{"strokeWidth":2,"strokeColor":"#000000","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":1,"startArrowRotation":"auto","endArrowRotation":"auto","ortho":false,"interpolationType":"linear","cornerRadius":null,"controlPath":[[-4.000000000000028,-0.8629150101523919],[296,-0.8629150101523919]],"lockSegments":{}}},"children":[{"x":0,"y":0,"rotation":0,"id":16,"uid":null,"width":112,"height":14,"lockAspectRatio":false,"lockShape":false,"order":"auto","graphic":{"type":"Text","Text":{"tid":null,"valign":"middle","overflow":"both","vposition":"none","hposition":"none","html":"

User clicks message

","paddingLeft":2,"paddingRight":2,"paddingBottom":2,"paddingTop":2}},"children":null}],"linkMap":[]},{"x":499,"y":137,"rotation":0,"id":11,"uid":"com.gliffy.shape.basic.basic_v1.default.line","width":100,"height":100,"lockAspectRatio":false,"lockShape":false,"order":11,"graphic":{"type":"Line","Line":{"strokeWidth":2,"strokeColor":"#000000","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":1,"startArrowRotation":"auto","endArrowRotation":"auto","ortho":false,"interpolationType":"linear","cornerRadius":null,"controlPath":[[1,3],[-299,3]],"lockSegments":{}}},"children":[{"x":0,"y":0,"rotation":0,"id":14,"uid":null,"width":133,"height":14,"lockAspectRatio":false,"lockShape":false,"order":"auto","graphic":{"type":"Text","Text":{"tid":null,"valign":"middle","overflow":"both","vposition":"none","hposition":"none","html":"

Messages are displayed

","paddingLeft":2,"paddingRight":2,"paddingBottom":2,"paddingTop":2}},"children":null}],"linkMap":[]},{"x":205,"y":119,"rotation":0,"id":7,"uid":"com.gliffy.shape.basic.basic_v1.default.line","width":100,"height":100,"lockAspectRatio":false,"lockShape":false,"order":7,"graphic":{"type":"Line","Line":{"strokeWidth":2,"strokeColor":"#000000","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":1,"startArrowRotation":"auto","endArrowRotation":"auto","ortho":false,"interpolationType":"linear","cornerRadius":null,"controlPath":[[-5,-2.137084989847608],[295,-2.137084989847608]],"lockSegments":{}}},"children":[{"x":0,"y":0,"rotation":0,"id":10,"uid":null,"width":117,"height":14,"lockAspectRatio":false,"lockShape":false,"order":"auto","graphic":{"type":"Text","Text":{"tid":null,"valign":"middle","overflow":"both","vposition":"none","hposition":"none","html":"

Users types message

","paddingLeft":2,"paddingRight":2,"paddingBottom":2,"paddingTop":2}},"children":null}],"linkMap":[]},{"x":40,"y":90,"rotation":0,"id":0,"uid":"com.gliffy.shape.basic.basic_v1.default.square","width":160,"height":160,"lockAspectRatio":true,"lockShape":false,"order":0,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.rectangle.basic_v1","strokeWidth":2,"strokeColor":"#333333","fillColor":"#FFFFFF","gradient":false,"dropShadow":false,"state":0,"shadowX":0,"shadowY":0,"opacity":1}},"children":[{"x":2,"y":0,"rotation":0,"id":5,"uid":null,"width":156,"height":14,"lockAspectRatio":false,"lockShape":false,"order":"auto","graphic":{"type":"Text","Text":{"tid":null,"valign":"middle","overflow":"none","vposition":"none","hposition":"none","html":"

CSRF-Lesson

","paddingLeft":2,"paddingRight":2,"paddingBottom":2,"paddingTop":2}},"children":null}],"linkMap":[]},{"x":500,"y":90,"rotation":0,"id":4,"uid":"com.gliffy.shape.basic.basic_v1.default.square","width":160,"height":160,"lockAspectRatio":true,"lockShape":false,"order":1,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.rectangle.basic_v1","strokeWidth":2,"strokeColor":"#333333","fillColor":"#FFFFFF","gradient":false,"dropShadow":false,"state":0,"shadowX":0,"shadowY":0,"opacity":1}},"children":[{"x":2,"y":0,"rotation":0,"id":6,"uid":null,"width":156,"height":14,"lockAspectRatio":false,"lockShape":false,"order":"auto","graphic":{"type":"Text","Text":{"tid":null,"valign":"middle","overflow":"none","vposition":"none","hposition":"none","html":"

WebGoat-Server

","paddingLeft":2,"paddingRight":2,"paddingBottom":2,"paddingTop":2}},"children":null}],"linkMap":[]}],"background":"#FFFFFF","width":660,"height":250,"maxWidth":5000,"maxHeight":5000,"nodeIndex":25,"autoFit":true,"exportBorder":false,"gridOn":true,"snapToGrid":true,"drawingGuidesOn":true,"pageBreaksOn":false,"printGridOn":false,"printPaper":"LETTER","printShrinkToFit":false,"printPortrait":true,"shapeStyles":{"com.gliffy.shape.basic.basic_v1.default":{"fill":"#FFFFFF","stroke":"#333333","strokeWidth":2}},"lineStyles":{"global":{"endArrow":1}},"textStyles":{},"themeData":null}} \ No newline at end of file diff --git a/webgoat-container/documentation/csrf-lessons.png b/webgoat-container/documentation/csrf-lessons.png deleted file mode 100644 index 6360d337d..000000000 Binary files a/webgoat-container/documentation/csrf-lessons.png and /dev/null differ diff --git a/webgoat-container/pom.xml b/webgoat-container/pom.xml index 9d51d232a..76f86c160 100644 --- a/webgoat-container/pom.xml +++ b/webgoat-container/pom.xml @@ -10,7 +10,7 @@ org.owasp.webgoat webgoat-parent - 8.0-SNAPSHOT + v8.0.0.M14 @@ -36,16 +36,6 @@ - - - - de.flapdoodle.embed - de.flapdoodle.embed.mongo - 2.0.0 - - - - @@ -92,29 +82,6 @@ never - - maven-clean-plugin - - - - ${project.basedir}/src/main/resources/plugin_lessons - - **/*.jar - **/*.pom - - - - ${user.home}/.webgoat/ - - **/*.jar - **/org/** - **/plugin/** - - - - - - org.apache.maven.plugins maven-jar-plugin @@ -135,14 +102,6 @@ com.fasterxml.jackson.datatype jackson-datatype-jsr310 - - org.projectlombok - lombok - - - org.projectlombok - lombok - org.springframework.boot spring-boot-starter-web @@ -152,41 +111,32 @@ spring-boot-starter-actuator - org.springframework.boot - spring-boot-starter-cache - - org.asciidoctor asciidoctorj 1.5.4 org.springframework.boot - spring-boot-starter-data-mongodb + spring-boot-starter-data-jpa org.apache.commons commons-lang3 ${commons-lang3.version} + + com.google.guava + guava + ${guava.version} + + + io.gatling.highcharts gatling-charts-highcharts ${gatling.version} test - - javax.servlet - jstl - - - org.springframework.boot - spring-boot-starter-data-jpa - - - org.springframework.boot - spring-boot-starter-jdbc - org.springframework.boot spring-boot-starter-security @@ -205,11 +155,6 @@ activation ${activation.version} - - com.h2database - h2 - ${h2.version} - org.hsqldb hsqldb @@ -224,19 +169,7 @@ org.scala-lang scala-compiler ${scala.version} - - - - - commons-fileupload - commons-fileupload - ${commons-fileupload.version} - - - - com.google.guava - guava - ${guava.version} + test @@ -259,12 +192,6 @@ ${junit.version} jar - - com.github.fakemongo - fongo - 2.1.0 - test - diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java b/webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java index 0a0148b58..ecb80bd43 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java @@ -32,7 +32,11 @@ package org.owasp.webgoat; import com.google.common.collect.Maps; import com.google.common.collect.Sets; +import lombok.extern.slf4j.Slf4j; import org.asciidoctor.Asciidoctor; +import org.asciidoctor.extension.JavaExtensionRegistry; +import org.owasp.webgoat.asciidoc.WebGoatVersionMacro; +import org.owasp.webgoat.asciidoc.WebWolfMacro; import org.owasp.webgoat.i18n.Language; import org.thymeleaf.TemplateProcessingParameters; import org.thymeleaf.resourceresolver.IResourceResolver; @@ -41,6 +45,7 @@ import org.thymeleaf.templateresolver.TemplateResolver; import java.io.*; import java.util.Map; +import static org.apache.commons.lang3.CharEncoding.UTF_8; import static org.asciidoctor.Asciidoctor.Factory.create; /** @@ -50,6 +55,7 @@ import static org.asciidoctor.Asciidoctor.Factory.create; *
* */ +@Slf4j public class AsciiDoctorTemplateResolver extends TemplateResolver { private static final Asciidoctor asciidoctor = create(); @@ -73,11 +79,19 @@ public class AsciiDoctorTemplateResolver extends TemplateResolver { @Override public InputStream getResourceAsStream(TemplateProcessingParameters params, String resourceName) { - InputStream is = readInputStreamOrFallbackToEnglish(resourceName, language); - try { - StringWriter writer = new StringWriter(); - asciidoctor.convert(new InputStreamReader(is), writer, createAttributes()); - return new ByteArrayInputStream(writer.getBuffer().toString().getBytes()); + try (InputStream is = readInputStreamOrFallbackToEnglish(resourceName, language)) { + if (is == null) { + log.warn("Resource name: {} not found, did you add the adoc file?", resourceName); + return new ByteArrayInputStream(new byte[0]); + } else { + StringWriter writer = new StringWriter(); + JavaExtensionRegistry extensionRegistry = asciidoctor.javaExtensionRegistry(); + extensionRegistry.inlineMacro("webWolfLink", WebWolfMacro.class); + extensionRegistry.inlineMacro("webGoatVersion", WebGoatVersionMacro.class); + + asciidoctor.convert(new InputStreamReader(is), writer, createAttributes()); + return new ByteArrayInputStream(writer.getBuffer().toString().getBytes(UTF_8)); + } } catch (IOException e) { //no html yet return new ByteArrayInputStream(new byte[0]); diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/CleanupLocalProgressFiles.java b/webgoat-container/src/main/java/org/owasp/webgoat/CleanupLocalProgressFiles.java index d0667fd9f..2048dbbd7 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/CleanupLocalProgressFiles.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/CleanupLocalProgressFiles.java @@ -23,11 +23,5 @@ public class CleanupLocalProgressFiles { @PostConstruct public void clean() { - File dir = new File(webgoatHome); - //do it safe, check whether the subdir mongodb is available as subdirectory - File[] mongoDir = dir.listFiles(f -> f.isDirectory() && f.getName().contains("mongodb")); - if (mongoDir != null && mongoDir.length == 1) { - FileSystemUtils.deleteRecursively(dir); - } } } diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java b/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java index e52cff71a..22f6fa99e 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java @@ -130,6 +130,7 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter { @Bean public PluginMessages pluginMessages(Messages messages, Language language) { PluginMessages pluginMessages = new PluginMessages(messages, language); + pluginMessages.setDefaultEncoding("UTF-8"); pluginMessages.setBasenames("i18n/WebGoatLabels"); return pluginMessages; } @@ -142,6 +143,7 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter { @Bean public Messages messageSource(Language language) { Messages messages = new Messages(language); + messages.setDefaultEncoding("UTF-8"); messages.setBasename("classpath:i18n/messages"); return messages; } diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/EnvironmentExposure.java b/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/EnvironmentExposure.java new file mode 100644 index 000000000..141740523 --- /dev/null +++ b/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/EnvironmentExposure.java @@ -0,0 +1,25 @@ +package org.owasp.webgoat.asciidoc; + +import org.springframework.beans.BeansException; +import org.springframework.context.ApplicationContext; +import org.springframework.context.ApplicationContextAware; +import org.springframework.core.env.Environment; +import org.springframework.stereotype.Component; + +/** + * Make environment available in the asciidoc code (which you cannot inject because it is handled by the framework) + */ +@Component +public class EnvironmentExposure implements ApplicationContextAware { + + private static ApplicationContext context; + + public static Environment getEnv() { + return context.getEnvironment(); + } + + @Override + public void setApplicationContext(ApplicationContext applicationContext) throws BeansException { + context = applicationContext; + } +} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebGoatVersionMacro.java b/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebGoatVersionMacro.java new file mode 100644 index 000000000..f33d06063 --- /dev/null +++ b/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebGoatVersionMacro.java @@ -0,0 +1,23 @@ +package org.owasp.webgoat.asciidoc; + +import org.asciidoctor.ast.AbstractBlock; +import org.asciidoctor.extension.InlineMacroProcessor; +import org.springframework.core.env.Environment; +import org.springframework.util.StringUtils; +import org.springframework.web.context.request.RequestContextHolder; +import org.springframework.web.context.request.ServletRequestAttributes; + +import javax.servlet.http.HttpServletRequest; +import java.util.Map; + +public class WebGoatVersionMacro extends InlineMacroProcessor { + + public WebGoatVersionMacro(String macroName, Map config) { + super(macroName, config); + } + + @Override + protected String process(AbstractBlock parent, String target, Map attributes) { + return EnvironmentExposure.getEnv().getProperty("webgoat.build.version"); + } +} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java b/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java new file mode 100644 index 000000000..7f81d63d1 --- /dev/null +++ b/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java @@ -0,0 +1,50 @@ +package org.owasp.webgoat.asciidoc; + +import org.asciidoctor.ast.AbstractBlock; +import org.asciidoctor.extension.InlineMacroProcessor; +import org.springframework.core.env.Environment; +import org.springframework.util.StringUtils; +import org.springframework.web.context.request.RequestContextHolder; +import org.springframework.web.context.request.ServletRequestAttributes; + +import javax.servlet.http.HttpServletRequest; +import java.util.Map; + +/** + * Usage in asciidoc: + *

+ * webWolfLink:here[] will display a href with here as text + * webWolfLink:landing[noLink] will display the complete url, for example: http://WW_HOST:WW_PORT/landing + */ +public class WebWolfMacro extends InlineMacroProcessor { + + public WebWolfMacro(String macroName, Map config) { + super(macroName, config); + } + + @Override + protected String process(AbstractBlock parent, String target, Map attributes) { + Environment env = EnvironmentExposure.getEnv(); + String hostname = determineHost(env.getProperty("webwolf.host"), env.getProperty("webwolf.port")); + + if (displayCompleteLinkNoFormatting(attributes)) { + return hostname + (hostname.endsWith("/") ? "" : "/") + target; + } + return "" + target + ""; + } + + private boolean displayCompleteLinkNoFormatting(Map attributes) { + return attributes.values().stream().filter(a -> a.equals("noLink")).findFirst().isPresent(); + } + + /** + * Look at the remote address from received from the browser first. This way it will also work if you run + * the browser in a Docker container and WebGoat on your local machine. + */ + private String determineHost(String host, String port) { + HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest(); + String ip = request.getRemoteAddr(); + String hostname = StringUtils.hasText(ip) ? ip : host; + return "http://" + hostname + ":" + port + "/WebWolf"; + } +} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java index c4713a054..3b02b6129 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java @@ -55,7 +55,7 @@ public abstract class AssignmentEndpoint extends Endpoint { //// TODO: 11/13/2016 events better fit? protected AttackResult trackProgress(AttackResult attackResult) { - UserTracker userTracker = userTrackerRepository.findOne(webSession.getUserName()); + UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName()); if (userTracker == null) { userTracker = new UserTracker(webSession.getUserName()); } diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Assignment.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Assignment.java index bbd993c77..d9b1f3470 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Assignment.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Assignment.java @@ -1,7 +1,9 @@ package org.owasp.webgoat.lessons; +import com.google.common.collect.Lists; import lombok.*; +import javax.persistence.*; import java.util.List; /** @@ -33,16 +35,30 @@ import java.util.List; * @version $Id: $Id * @since November 25, 2016 */ -@AllArgsConstructor -@RequiredArgsConstructor -@NoArgsConstructor @Getter @EqualsAndHashCode +@Entity public class Assignment { - @NonNull + + @Id + @GeneratedValue(strategy = GenerationType.AUTO) + private Long id; private String name; - @NonNull private String path; + @Transient private List hints; + private Assignment() { + //Hibernate + } + + public Assignment(String name, String path) { + this(name, path, Lists.newArrayList()); + } + + public Assignment(String name, String path, List hints) { + this.name = name; + this.path = path; + this.hints = hints; + } } diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonMenuService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonMenuService.java index 097085c48..c0cfdc107 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonMenuService.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonMenuService.java @@ -73,7 +73,7 @@ public class LessonMenuService { List showLeftNav() { List menu = new ArrayList<>(); List categories = course.getCategories(); - UserTracker userTracker = userTrackerRepository.findOne(webSession.getUserName()); + UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName()); for (Category category : categories) { LessonMenuItem categoryItem = new LessonMenuItem(); diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java index fb4fe0071..76e6187a5 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java @@ -40,17 +40,19 @@ public class LessonProgressService { @RequestMapping(value = "/service/lessonprogress.mvc", produces = "application/json") @ResponseBody public Map getLessonInfo() { - UserTracker userTracker = userTrackerRepository.findOne(webSession.getUserName()); - LessonTracker lessonTracker = userTracker.getLessonTracker(webSession.getCurrentLesson()); Map json = Maps.newHashMap(); - String successMessage = ""; - boolean lessonCompleted = false; - if (lessonTracker != null) { - lessonCompleted = lessonTracker.isLessonSolved(); - successMessage = "LessonCompleted"; //@todo we still use this?? + UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName()); + if (webSession.getCurrentLesson() != null) { + LessonTracker lessonTracker = userTracker.getLessonTracker(webSession.getCurrentLesson()); + String successMessage = ""; + boolean lessonCompleted = false; + if (lessonTracker != null) { + lessonCompleted = lessonTracker.isLessonSolved(); + successMessage = "LessonCompleted"; //@todo we still use this?? + } + json.put("lessonCompleted", lessonCompleted); + json.put("successMessage", successMessage); } - json.put("lessonCompleted", lessonCompleted); - json.put("successMessage", successMessage); return json; } @@ -63,7 +65,7 @@ public class LessonProgressService { @RequestMapping(value = "/service/lessonoverview.mvc", produces = "application/json") @ResponseBody public List lessonOverview() { - UserTracker userTracker = userTrackerRepository.findOne(webSession.getUserName()); + UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName()); AbstractLesson currentLesson = webSession.getCurrentLesson(); List result = Lists.newArrayList(); if ( currentLesson != null ) { diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/ReportCardService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/ReportCardService.java index 21c8c1f20..0337467b1 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/service/ReportCardService.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/ReportCardService.java @@ -32,6 +32,7 @@ import com.google.common.collect.Lists; import lombok.AllArgsConstructor; import lombok.Getter; import lombok.Setter; +import org.owasp.webgoat.i18n.PluginMessages; import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.session.Course; import org.owasp.webgoat.session.WebSession; @@ -57,6 +58,7 @@ public class ReportCardService { private final WebSession webSession; private final UserTrackerRepository userTrackerRepository; private final Course course; + private final PluginMessages pluginMessages; /** * Endpoint which generates the report card for the current use to show the stats on the solved lessons @@ -64,7 +66,7 @@ public class ReportCardService { @GetMapping(path = "/service/reportcard.mvc", produces = "application/json") @ResponseBody public ReportCard reportCard() { - UserTracker userTracker = userTrackerRepository.findOne(webSession.getUserName()); + UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName()); List lessons = course.getLessons(); ReportCard reportCard = new ReportCard(); reportCard.setTotalNumberOfLessons(course.getTotalOfLessons()); @@ -74,7 +76,7 @@ public class ReportCardService { for (AbstractLesson lesson : lessons) { LessonTracker lessonTracker = userTracker.getLessonTracker(lesson); LessonStatistics lessonStatistics = new LessonStatistics(); - lessonStatistics.setName(lesson.getTitle()); + lessonStatistics.setName(pluginMessages.getMessage(lesson.getTitle())); lessonStatistics.setNumberOfAttempts(lessonTracker.getNumberOfAttempts()); lessonStatistics.setSolved(lessonTracker.isLessonSolved()); reportCard.lessonStatistics.add(lessonStatistics); diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java index 4ea036996..b207b4ce1 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java @@ -59,7 +59,7 @@ public class RestartLessonService { AbstractLesson al = webSession.getCurrentLesson(); log.debug("Restarting lesson: " + al); - UserTracker userTracker = userTrackerRepository.findOne(webSession.getUserName()); + UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName()); userTracker.reset(al); userTrackerRepository.save(userTracker); } diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/SolutionService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/SolutionService.java deleted file mode 100644 index 2314ac6d5..000000000 --- a/webgoat-container/src/main/java/org/owasp/webgoat/service/SolutionService.java +++ /dev/null @@ -1,66 +0,0 @@ -/** - * ************************************************************************************************* - *

- *

- * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ - *

- * Copyright (c) 2002 - 20014 Bruce Mayhew - *

- * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. - *

- * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. - *

- * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. - *

- * Getting Source ============== - *

- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository - * for free software projects. - */ -package org.owasp.webgoat.service; - -import org.springframework.stereotype.Controller; -import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.ResponseBody; - -/** - *

SolutionService class.

- * - * @author rlawson - * @version $Id: $Id - */ -@Controller -public class SolutionService { - - /** - * Returns solution for current attack - * - * @return a {@link java.lang.String} object. - */ - @RequestMapping(path = "/service/solution.mvc", produces = "text/html") - public - @ResponseBody - String showSolution() { - //// TODO: 11/6/2016 to decide not sure about the role in WebGoat 8 - String source = getSolution(); - return source; - } - - /** - *

getSolution.

- * - * @return a {@link java.lang.String} object. - */ - protected String getSolution() { - return "Solution is not available"; - } -} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/SourceService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/SourceService.java deleted file mode 100644 index 15267f29d..000000000 --- a/webgoat-container/src/main/java/org/owasp/webgoat/service/SourceService.java +++ /dev/null @@ -1,82 +0,0 @@ -/** - * ************************************************************************************************* - *

- *

- * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ - *

- * Copyright (c) 2002 - 20014 Bruce Mayhew - *

- * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. - *

- * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. - *

- * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. - *

- * Getting Source ============== - *

- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository - * for free software projects. - */ -package org.owasp.webgoat.service; - -import org.apache.commons.lang3.StringEscapeUtils; -import org.springframework.stereotype.Controller; -import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.ResponseBody; - -import javax.servlet.http.HttpSession; - -/** - *

SourceService class.

- * - * @author rlawson - * @version $Id: $Id - */ -@Controller -//TODO REMOVE! -public class SourceService { - - /** - * Description of the Field - */ - public final static String START_SOURCE_SKIP = "START_OMIT_SOURCE"; - - /** Constant END_SOURCE_SKIP="END_OMIT_SOURCE" */ - public final static String END_SOURCE_SKIP = "END_OMIT_SOURCE"; - - /** - * Returns source for current attack - * - * @param session a {@link javax.servlet.http.HttpSession} object. - * @return a {@link java.lang.String} object. - */ - @RequestMapping(path = "/service/source.mvc", produces = "application/text") - public - @ResponseBody - String showSource(HttpSession session) { - //// TODO: 11/6/2016 to decide not sure about the role in WebGoat 8 - String source = getSource(); - if (source == null) { - source = "No source listing found"; - } - return StringEscapeUtils.escapeHtml4(source); - } - - /** - * Description of the Method - * - * @return Description of the Return Value - */ - protected String getSource() { - return "Source code is not available for this lesson."; - } -} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/LessonTracker.java b/webgoat-container/src/main/java/org/owasp/webgoat/users/LessonTracker.java index bff30316e..7d1d5d859 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/users/LessonTracker.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/users/LessonTracker.java @@ -7,6 +7,7 @@ import lombok.Getter; import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.lessons.Assignment; +import javax.persistence.*; import java.util.List; import java.util.Map; import java.util.Optional; @@ -44,16 +45,23 @@ import java.util.stream.Collectors; * @version $Id: $Id * @since October 29, 2003 */ +@Entity public class LessonTracker { + + @Id + @GeneratedValue(strategy = GenerationType.AUTO) + private Long id; @Getter private String lessonName; + @OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER) private final Set solvedAssignments = Sets.newHashSet(); - private final List allAssignments = Lists.newArrayList(); + @OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER) + private final Set allAssignments = Sets.newHashSet(); @Getter private int numberOfAttempts = 0; - protected LessonTracker() { - //Mongo + private LessonTracker() { + //JPA } public LessonTracker(AbstractLesson lesson) { diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/Scoreboard.java b/webgoat-container/src/main/java/org/owasp/webgoat/users/Scoreboard.java index aa8416d58..0b77b89c6 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/users/Scoreboard.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/users/Scoreboard.java @@ -38,7 +38,7 @@ public class Scoreboard { List allUsers = userRepository.findAll(); List rankings = Lists.newArrayList(); for (WebGoatUser user : allUsers) { - UserTracker userTracker = userTrackerRepository.findOne(user.getUsername()); + UserTracker userTracker = userTrackerRepository.findByUser(user.getUsername()); rankings.add(new Ranking(user.getUsername(), challengesSolved(userTracker))); } return rankings; diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserForm.java b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserForm.java index e5143704b..afcbd0615 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserForm.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserForm.java @@ -15,7 +15,7 @@ import javax.validation.constraints.Size; public class UserForm { @NotNull - @Size(min=6, max=10) + @Size(min=6, max=20) private String username; @NotNull @Size(min=6, max=10) diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserRepository.java b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserRepository.java index b836d5bfa..920109876 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserRepository.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserRepository.java @@ -1,6 +1,6 @@ package org.owasp.webgoat.users; -import org.springframework.data.mongodb.repository.MongoRepository; +import org.springframework.data.jpa.repository.JpaRepository; import java.util.List; @@ -8,7 +8,7 @@ import java.util.List; * @author nbaars * @since 3/19/17. */ -public interface UserRepository extends MongoRepository { +public interface UserRepository extends JpaRepository { WebGoatUser findByUsername(String username); diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserTracker.java b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserTracker.java index c139d2571..1cc4920ea 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserTracker.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserTracker.java @@ -2,14 +2,16 @@ package org.owasp.webgoat.users; import com.google.common.collect.Lists; +import com.google.common.collect.Sets; import lombok.extern.slf4j.Slf4j; import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.lessons.Assignment; -import org.springframework.data.annotation.Id; +import javax.persistence.*; import java.util.List; import java.util.Map; import java.util.Optional; +import java.util.Set; import java.util.stream.Collectors; @@ -44,11 +46,18 @@ import java.util.stream.Collectors; * @since October 29, 2003 */ @Slf4j +@Entity public class UserTracker { @Id - private final String user; - private List lessonTrackers = Lists.newArrayList(); + @GeneratedValue(strategy = GenerationType.AUTO) + private Long id; + @Column(name = "username") + private String user; + @OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER) + private Set lessonTrackers = Sets.newHashSet(); + + private UserTracker() {} public UserTracker(final String user) { this.user = user; diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserTrackerRepository.java b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserTrackerRepository.java index f915154cb..efa231d59 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserTrackerRepository.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserTrackerRepository.java @@ -1,12 +1,13 @@ package org.owasp.webgoat.users; -import org.springframework.data.mongodb.repository.MongoRepository; +import org.springframework.data.jpa.repository.JpaRepository; /** * @author nbaars * @since 4/30/17. */ -public interface UserTrackerRepository extends MongoRepository { +public interface UserTrackerRepository extends JpaRepository { + UserTracker findByUser(String user); } diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/WebGoatUser.java b/webgoat-container/src/main/java/org/owasp/webgoat/users/WebGoatUser.java index b6e9fc776..23fcae34d 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/users/WebGoatUser.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/users/WebGoatUser.java @@ -1,13 +1,14 @@ package org.owasp.webgoat.users; import lombok.Getter; -import org.springframework.data.annotation.Id; -import org.springframework.data.annotation.Transient; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; +import javax.persistence.Entity; +import javax.persistence.Id; +import javax.persistence.Transient; import java.util.Collection; import java.util.Collections; @@ -16,6 +17,7 @@ import java.util.Collections; * @since 3/19/17. */ @Getter +@Entity public class WebGoatUser implements UserDetails { public static final String ROLE_USER = "WEBGOAT_USER"; diff --git a/webgoat-container/src/main/resources/application.properties b/webgoat-container/src/main/resources/application.properties index 8362f4290..35b177ddd 100644 --- a/webgoat-container/src/main/resources/application.properties +++ b/webgoat-container/src/main/resources/application.properties @@ -3,6 +3,12 @@ server.error.path=/error.html server.session.timeout=600 server.contextPath=/WebGoat server.port=8080 +server.address=127.0.0.1 + +spring.datasource.url=jdbc:hsqldb:hsql://localhost:9001/webgoat +spring.jpa.hibernate.ddl-auto=update +spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect +spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver logging.level.org.springframework=WARN @@ -16,9 +22,10 @@ security.enable-csrf=false spring.resources.cache-period=0 spring.thymeleaf.cache=false +webgoat.start.hsqldb=true webgoat.clean=false -webgoat.server.directory=${user.home}/.webgoat/ -webgoat.user.directory=${user.home}/.webgoat/ +webgoat.server.directory=${user.home}/.webgoat-${webgoat.build.version}/ +webgoat.user.directory=${user.home}/.webgoat-${webgoat.build.version}/ webgoat.build.version=@project.version@ webgoat.build.number=@build.number@ webgoat.email=webgoat@owasp.org @@ -28,22 +35,15 @@ webgoat.feedback.address.html=webgoat@owasp.org webgoat.database.driver=org.hsqldb.jdbcDriver webgoat.database.connection.string=jdbc:hsqldb:mem:{USER} webgoat.default.language=en -webgoat.embedded.mongo=${WG_INTERNAL_MONGO:true} -webwolf.port=8081 -webwolf.url=http://localhost:${webwolf.port}/WebWolf -webworf.url.landingpage=http://localhost:${webwolf.port}/landing -webworf.url.mail=http://localhost:${webwolf.port}/mail +webwolf.host=${WEBWOLF_HOST:localhost} +webwolf.port=${WEBWOLF_PORT:8081} +webwolf.url=http://${webwolf.host}:${webwolf.port}/WebWolf +webworf.url.landingpage=http://${webwolf.host}:${webwolf.port}/landing +webwolf.url.mail=http://${webwolf.host}:${webwolf.port}/mail spring.jackson.serialization.indent_output=true spring.jackson.serialization.write-dates-as-timestamps=false -spring.activemq.brokerUrl=tcp://${WG_MQ_HOST:localhost}:${WG_MQ_PORT:61616} - -spring.data.mongodb.host=${WG_MONGO_HOST:localhost} -spring.data.mongodb.port=${WG_MONGO_PORT:27017} -spring.data.mongodb.database=webgoat -spring.mongodb.embedded.storage.databaseDir=${webgoat.user.directory}/mongodb/ - #For static file refresh ... and faster dev :D spring.devtools.restart.additional-paths=webgoat-container/src/main/resources/static/js,webgoat-container/src/main/resources/static/css diff --git a/webgoat-container/src/main/resources/static/css/main.css b/webgoat-container/src/main/resources/static/css/main.css index d9347acb8..59f674616 100644 --- a/webgoat-container/src/main/resources/static/css/main.css +++ b/webgoat-container/src/main/resources/static/css/main.css @@ -1066,6 +1066,7 @@ span.show-next-page, span.show-prev-page { /* ATTACK DISPLAY */ .attack-container { + position: relative; background-color: #f1f1f1; border: 2px solid #a66; border-radius: 12px; @@ -1150,4 +1151,16 @@ div.captured-flag { height: 117px; width: 1268px; margin-bottom: 20px; +} + +#content { + position:relative; +} + +.webwolf-enabled { + position:absolute; + top: 10px; + right: 25px; + width: 42px; + height: 47px; } \ No newline at end of file diff --git a/webgoat-container/src/main/resources/static/js/goatApp/controller/LessonController.js b/webgoat-container/src/main/resources/static/js/goatApp/controller/LessonController.js index e692e0beb..11b8279cf 100644 --- a/webgoat-container/src/main/resources/static/js/goatApp/controller/LessonController.js +++ b/webgoat-container/src/main/resources/static/js/goatApp/controller/LessonController.js @@ -73,6 +73,7 @@ define(['jquery', } this.loadLesson = function(name,pageNum) { + if (this.name === name) { this.listenToOnce(this.lessonHintView, 'hints:showButton', this.onShowHintsButton); this.listenTo(this.lessonHintView, 'hints:hideButton', this.onHideHintsButton); @@ -83,15 +84,15 @@ define(['jquery', return; } + if (pageNum && !this.name) { + //placeholder + } + this.helpsLoaded = {}; if (typeof(name) === 'undefined' || name === null) { //TODO: implement lesson not found or return to welcome page? } this.lessonContent.loadData({'name':name}); -// this.planView = {}; -// this.solutionView = {}; -// this.sourceView = {}; -// this.lessonHintView = {}; this.name = name; }; @@ -124,15 +125,8 @@ define(['jquery', this.helpControlsView = null; this.lessonContentView.model = this.lessonContent; this.lessonContentView.render(); - - //this.planView = new PlanView(); - //this.solutionView = new SolutionView(); - //this.sourceView = new SourceView(); - if (this.lessonHintView) { - this.lessonHintView.stopListening(); - this.lessonHintView = null; - } - this.lessonHintView = new HintView(); + //TODO: consider moving hintView as child of lessonContentView ... + this.createLessonHintView(); //TODO: instantiate model with values (not sure why was not working before) var paramModel = new ParamModel({}); @@ -148,40 +142,23 @@ define(['jquery', this.lessonProgressModel.completed(); }; + this.createLessonHintView = function () { + if (this.lessonHintView) { + this.lessonHintView.stopListening(); + this.lessonHintView = null; + } + this.lessonHintView = new HintView(); + } + this.addCurHelpState = function (curHelp) { this.helpsLoaded[curHelp.helpElement] = curHelp.value; }; -// this.hideShowHelps = function(showHelp) { -// var showId = '#lesson-' + showHelp + '-row'; -// var contentId = '#lesson-' + showHelp + '-content'; -// $('.lesson-help').not(showId).hide(); -// if (!showId) { -// return; -// } -// -// if ($(showId).is(':visible')) { -// $(showId).hide(); -// return; -// } else { -// //TODO: move individual .html operations into individual help views -// switch(showHelp) { -// case 'plan': -// $(contentId).html(this.planView.model.get('content')); -// break; -// case 'solution': -// $(showId).html(this.solutionView.model.get('content')); -// break; -// case 'source': -// $(contentId).html('
' + this.sourceView.model.get('content') + '
'); -// break; -// } -// $(showId).show(); -// GoatUtils.scrollToHelp() -// } -// }; - this.showHintsView = function() { + if (!this.lessonHintView) { + this.createLessonHintView(); + } + // this.lessonHintView.render(); if (this.lessonHintView.getHintsCount > 0) { this.helpControlsView.showHintsButton(); diff --git a/webgoat-container/src/main/resources/static/js/goatApp/model/MenuCollection.js b/webgoat-container/src/main/resources/static/js/goatApp/model/MenuCollection.js index 709c557f7..c4c01c70a 100644 --- a/webgoat-container/src/main/resources/static/js/goatApp/model/MenuCollection.js +++ b/webgoat-container/src/main/resources/static/js/goatApp/model/MenuCollection.js @@ -1,29 +1,33 @@ define(['jquery', - 'underscore', - 'backbone', - 'goatApp/model/MenuModel'], - function($,_,Backbone,MenuModel) { + 'underscore', + 'backbone', + 'goatApp/model/MenuModel'], + function ($, _, Backbone, MenuModel) { - return Backbone.Collection.extend({ - model: MenuModel, - url:'service/lessonmenu.mvc', - initialize: function () { - var self = this; - this.fetch(); - }, + return Backbone.Collection.extend({ + model: MenuModel, + url: 'service/lessonmenu.mvc', - onDataLoaded: function() { - this.trigger('menuData:loaded'); - }, + initialize: function () { + var self = this; + this.fetch(); + setInterval(function () { + this.fetch() + }.bind(this), 5000); + }, - fetch: function() { - var self=this; - Backbone.Collection.prototype.fetch.apply(this,arguments).then( - function(data) { - this.models = data; - self.onDataLoaded(); - } - ); - } - }); -}); \ No newline at end of file + onDataLoaded: function () { + this.trigger('menuData:loaded'); + }, + + fetch: function () { + var self = this; + Backbone.Collection.prototype.fetch.apply(this, arguments).then( + function (data) { + this.models = data; + self.onDataLoaded(); + } + ); + } + }); + }); \ No newline at end of file diff --git a/webgoat-container/src/main/resources/static/js/goatApp/view/GoatRouter.js b/webgoat-container/src/main/resources/static/js/goatApp/view/GoatRouter.js index 54aa52828..84a23334f 100644 --- a/webgoat-container/src/main/resources/static/js/goatApp/view/GoatRouter.js +++ b/webgoat-container/src/main/resources/static/js/goatApp/view/GoatRouter.js @@ -67,7 +67,7 @@ define(['jquery', contentType: 'application/x-www-form-urlencoded; charset=UTF-8', success: function (data) { //devs leave stuff like this in all the time - console.log('phone home said ' + data); + console.log('phone home said ' + JSON.stringify(data)); } }); } diff --git a/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js b/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js index 0ef51ad2d..75ff968b2 100644 --- a/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js +++ b/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js @@ -25,6 +25,9 @@ define(['jquery', self.navToPage(page); } }); + setInterval(function () { + this.updatePagination(); + }.bind(this), 5000); }, findPage: function(assignment) { @@ -45,7 +48,6 @@ define(['jquery', this.$el.find('.attack-feedback').hide(); this.$el.find('.attack-output').hide(); this.makeFormsAjax(); - //this.ajaxifyAttackHref(); $(window).scrollTop(0); //work-around til we get the scroll down sorted out var startPageNum = this.model.get('pageNum'); this.initPagination(startPageNum); @@ -57,11 +59,13 @@ define(['jquery', var currentPage = (!isNaN(startPageNum) && startPageNum && startPageNum < this.$contentPages) ? startPageNum : 0; //init views & pagination this.showCurContentPage(currentPage); - this.paginationControlView = new PaginationControlView(this.$contentPages,this.model.get('lessonUrl')); + this.paginationControlView = new PaginationControlView(this.$contentPages,this.model.get('lessonUrl'),startPageNum); }, updatePagination: function() { - this.paginationControlView.updateCollection(); + if ( this.paginationControlView != undefined ) { + this.paginationControlView.updateCollection(); + } }, getCurrentPage: function () { @@ -86,6 +90,8 @@ define(['jquery', var prepareDataFunctionName = $(curForm).attr('prepareData'); var callbackFunctionName = $(curForm).attr('callback'); var submitData = (typeof webgoat.customjs[prepareDataFunctionName] === 'function') ? webgoat.customjs[prepareDataFunctionName]() : $(curForm).serialize(); + var successCallBackFunctionName = $(curForm).attr('successCallback'); + var failureCallbackFunctionName = $(curForm).attr('failureCallback'); var callbackFunction = (typeof webgoat.customjs[callbackFunctionName] === 'function') ? webgoat.customjs[callbackFunctionName] : function() {}; // var submitData = this.$form.serialize(); this.curForm = curForm; @@ -104,19 +110,18 @@ define(['jquery', //complete: function (data) { //callbackFunction(data); //} - }).then(self.onSuccessResponse.bind(self), self.onErrorResponse.bind(self)); + }).then(function(data){ + self.onSuccessResponse(data, failureCallbackFunctionName, successCallBackFunctionName)}, self.onErrorResponse.bind(self)); return false; }, - onSuccessResponse: function(data) { + onSuccessResponse: function(data, failureCallbackFunctionName, successCallBackFunctionName) { this.renderFeedback(data.feedback); this.renderOutput(data.output || ""); - var successCallBackFunctionName = this.$form.attr('successCallback'); - var failureCallbackFunctionName = this.$form.attr('failureCallback'); //var submitData = (typeof webgoat.customjs[prepareDataFunctionName] === 'function') ? webgoat.customjs[prepareDataFunctionName]() : $(curForm).serialize(); - successCallbackFunction = (typeof webgoat.customjs[successCallBackFunctionName] === 'function') ? webgoat.customjs[successCallBackFunctionName] : function() {}; - failureCallbackFunction = (typeof webgoat.customjs[failureCallbackFunctionName] === 'function') ? webgoat.customjs[failureCallbackFunctionName] : function() {}; + var successCallbackFunction = (typeof webgoat.customjs[successCallBackFunctionName] === 'function') ? webgoat.customjs[successCallBackFunctionName] : function() {}; + var failureCallbackFunction = (typeof webgoat.customjs[failureCallbackFunctionName] === 'function') ? webgoat.customjs[failureCallbackFunctionName] : function() {}; //TODO: refactor back assignmentCompleted in Java if (data.lessonCompleted || data.assignmentCompleted) { this.markAssignmentComplete(); @@ -146,22 +151,23 @@ define(['jquery', return false; }, - ajaxifyAttackHref: function() { // rewrite any links with hrefs point to relative attack URLs - var self = this; - // instruct in template to have links returned with the attack-link class - $('a.attack-link').submit(function(event){ - $.get(this.action, "json").then(self.onSuccessResponse, self.onErrorResponse); - }); + removeSlashesFromJSON: function(str) { + // slashes are leftover escapes from JSON serialization by server + // for every two char sequence starting with backslash, + // replace them in the text with second char only + return str.replace(/\\(.)/g, "$1"); }, renderFeedback: function(feedback) { - this.$curFeedback.html(polyglot.t(feedback) || ""); + var s = this.removeSlashesFromJSON(feedback); + this.$curFeedback.html(polyglot.t(s) || ""); this.$curFeedback.show(400) }, renderOutput: function(output) { - this.$curOutput.html(polyglot.t(output) || ""); + var s = this.removeSlashesFromJSON(output); + this.$curOutput.html(polyglot.t(s) || ""); this.$curOutput.show(400) }, @@ -181,13 +187,19 @@ define(['jquery', return endpoints; }, + onNavToPage: function(pageNum) { + var assignmentPaths = this.findAssigmentEndpointsOnPage(pageNum); + this.trigger('endpoints:filtered',assignmentPaths); + }, + navToPage: function (pageNum) { this.paginationControlView.setCurrentPage(pageNum);//provides validation this.showCurContentPage(this.paginationControlView.currentPage); this.paginationControlView.render(); this.paginationControlView.hideShowNavButtons(); - var assignmentPaths = this.findAssigmentEndpointsOnPage(pageNum); - this.trigger('endpoints:filtered',assignmentPaths); + this.onNavToPage(pageNum); + //var assignmentPaths = this.findAssigmentEndpointsOnPage(pageNum); + //this.trigger('endpoints:filtered',assignmentPaths); }, /* for testing */ diff --git a/webgoat-container/src/main/resources/static/js/goatApp/view/PaginationControlView.js b/webgoat-container/src/main/resources/static/js/goatApp/view/PaginationControlView.js index 2dcecf136..7dac8f063 100644 --- a/webgoat-container/src/main/resources/static/js/goatApp/view/PaginationControlView.js +++ b/webgoat-container/src/main/resources/static/js/goatApp/view/PaginationControlView.js @@ -12,14 +12,14 @@ define(['jquery', template: PaginationTemplate, el: '#lesson-page-controls', - initialize: function ($contentPages,baseLessonUrl) { + initialize: function ($contentPages,baseLessonUrl,initPageNum) { this.$contentPages = $contentPages; this.collection = new LessonOverviewCollection(); this.listenTo(this.collection, 'reset', this.render); this.numPages = this.$contentPages.length; this.baseUrl = baseLessonUrl; this.collection.fetch({reset:true}); - this.initPagination(); + this.initPagination(initPageNum); //this.render(); }, @@ -117,9 +117,9 @@ define(['jquery', $('span.glyphicon-class.glyphicon.glyphicon-circle-arrow-right.show-next-page').hide(); }, - initPagination: function() { - //track pagination state in this view ... start at 0 - this.currentPage = 0; + initPagination: function(initPageNum) { + //track pagination state in this view ... start at 0 .. unless a pageNum was provided + this.currentPage = !initPageNum ? 0 : initPageNum; }, setCurrentPage: function (pageNum) { diff --git a/webgoat-container/src/main/resources/static/js/main.js b/webgoat-container/src/main/resources/static/js/main.js index 4715858cd..4c77d9c0f 100644 --- a/webgoat-container/src/main/resources/static/js/main.js +++ b/webgoat-container/src/main/resources/static/js/main.js @@ -30,7 +30,7 @@ require.config({ shim: { "jqueryui": { exports:"$", - deps: ['jquery'] + deps: ['libs/jquery-2.1.4.min'] }, underscore: { exports: "_" diff --git a/webgoat-container/src/main/resources/templates/main_new.html b/webgoat-container/src/main/resources/templates/main_new.html index 07f8143c8..eadb722c3 100644 --- a/webgoat-container/src/main/resources/templates/main_new.html +++ b/webgoat-container/src/main/resources/templates/main_new.html @@ -76,24 +76,25 @@ - - -
- + + + diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/assignments/AssignmentEndpointTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/assignments/AssignmentEndpointTest.java index 1f9628fb0..dc0c7a481 100644 --- a/webgoat-container/src/test/java/org/owasp/webgoat/assignments/AssignmentEndpointTest.java +++ b/webgoat-container/src/test/java/org/owasp/webgoat/assignments/AssignmentEndpointTest.java @@ -62,7 +62,7 @@ public class AssignmentEndpointTest { public void init(AssignmentEndpoint a) { messages.setBasenames("classpath:/i18n/messages", "classpath:/i18n/WebGoatLabels"); - when(userTrackerRepository.findOne(anyString())).thenReturn(userTracker); + when(userTrackerRepository.findByUser(anyString())).thenReturn(userTracker); ReflectionTestUtils.setField(a, "userTrackerRepository", userTrackerRepository); ReflectionTestUtils.setField(a, "userSessionData", userSessionData); ReflectionTestUtils.setField(a, "webSession", webSession); diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/plugins/TestConfig.java b/webgoat-container/src/test/java/org/owasp/webgoat/plugins/TestConfig.java deleted file mode 100644 index 5946104b4..000000000 --- a/webgoat-container/src/test/java/org/owasp/webgoat/plugins/TestConfig.java +++ /dev/null @@ -1,23 +0,0 @@ -package org.owasp.webgoat.plugins; - -import com.github.fakemongo.Fongo; -import com.mongodb.MongoClient; -import org.springframework.context.annotation.Configuration; -import org.springframework.data.mongodb.config.AbstractMongoConfiguration; - -/** - * Using Fongo for embedded in memory MongoDB testing - */ -@Configuration -public class TestConfig extends AbstractMongoConfiguration { - - @Override - protected String getDatabaseName() { - return "test"; - } - - @Override - public MongoClient mongo() throws Exception { - return new Fongo(getDatabaseName()).getMongo(); - } -} \ No newline at end of file diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/service/LessonMenuServiceTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/service/LessonMenuServiceTest.java index d71126d82..196610274 100644 --- a/webgoat-container/src/test/java/org/owasp/webgoat/service/LessonMenuServiceTest.java +++ b/webgoat-container/src/test/java/org/owasp/webgoat/service/LessonMenuServiceTest.java @@ -63,7 +63,7 @@ public class LessonMenuServiceTest { when(course.getLessons(any())).thenReturn(Lists.newArrayList(l1, l2)); when(course.getCategories()).thenReturn(Lists.newArrayList(Category.ACCESS_CONTROL)); when(userTracker.getLessonTracker(any(AbstractLesson.class))).thenReturn(lessonTracker); - when(userTrackerRepository.findOne(anyString())).thenReturn(userTracker); + when(userTrackerRepository.findByUser(anyString())).thenReturn(userTracker); mockMvc.perform(MockMvcRequestBuilders.get(URL_LESSONMENU_MVC)) .andExpect(status().isOk()) @@ -81,7 +81,7 @@ public class LessonMenuServiceTest { when(course.getLessons(any())).thenReturn(Lists.newArrayList(l1)); when(course.getCategories()).thenReturn(Lists.newArrayList(Category.ACCESS_CONTROL)); when(userTracker.getLessonTracker(any(AbstractLesson.class))).thenReturn(lessonTracker); - when(userTrackerRepository.findOne(anyString())).thenReturn(userTracker); + when(userTrackerRepository.findByUser(anyString())).thenReturn(userTracker); mockMvc.perform(MockMvcRequestBuilders.get(URL_LESSONMENU_MVC)) diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/service/LessonProgressServiceTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/service/LessonProgressServiceTest.java index 2ca3e9169..cdab7c84f 100644 --- a/webgoat-container/src/test/java/org/owasp/webgoat/service/LessonProgressServiceTest.java +++ b/webgoat-container/src/test/java/org/owasp/webgoat/service/LessonProgressServiceTest.java @@ -72,7 +72,7 @@ public class LessonProgressServiceTest { @Before public void setup() { Assignment assignment = new Assignment("test", "test"); - when(userTrackerRepository.findOne(anyString())).thenReturn(userTracker); + when(userTrackerRepository.findByUser(anyString())).thenReturn(userTracker); when(userTracker.getLessonTracker(any(AbstractLesson.class))).thenReturn(lessonTracker); when(websession.getCurrentLesson()).thenReturn(lesson); when(lessonTracker.getLessonOverview()).thenReturn(Maps.newHashMap(assignment, true)); diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/service/ReportCardServiceTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/service/ReportCardServiceTest.java index e1b6f639f..f35c4131d 100644 --- a/webgoat-container/src/test/java/org/owasp/webgoat/service/ReportCardServiceTest.java +++ b/webgoat-container/src/test/java/org/owasp/webgoat/service/ReportCardServiceTest.java @@ -6,6 +6,7 @@ import org.junit.Test; import org.junit.runner.RunWith; import org.mockito.Mock; import org.mockito.runners.MockitoJUnitRunner; +import org.owasp.webgoat.i18n.PluginMessages; import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.session.Course; import org.owasp.webgoat.session.WebSession; @@ -40,10 +41,13 @@ public class ReportCardServiceTest { private UserTrackerRepository userTrackerRepository; @Mock private WebSession websession; + @Mock + private PluginMessages pluginMessages; @Before public void setup() { - this.mockMvc = standaloneSetup(new ReportCardService(websession, userTrackerRepository, course)).build(); + this.mockMvc = standaloneSetup(new ReportCardService(websession, userTrackerRepository, course, pluginMessages)).build(); + when(pluginMessages.getMessage(anyString())).thenReturn("Test"); } @Test @@ -53,7 +57,7 @@ public class ReportCardServiceTest { when(course.getTotalOfLessons()).thenReturn(1); when(course.getTotalOfAssignments()).thenReturn(10); when(course.getLessons()).thenReturn(Lists.newArrayList(lesson)); - when(userTrackerRepository.findOne(anyString())).thenReturn(userTracker); + when(userTrackerRepository.findByUser(anyString())).thenReturn(userTracker); when(userTracker.getLessonTracker(any(AbstractLesson.class))).thenReturn(lessonTracker); mockMvc.perform(MockMvcRequestBuilders.get("/service/reportcard.mvc")) .andExpect(status().isOk()) diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/users/UserRepositoryTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/users/UserRepositoryTest.java new file mode 100644 index 000000000..67b4d9bcf --- /dev/null +++ b/webgoat-container/src/test/java/org/owasp/webgoat/users/UserRepositoryTest.java @@ -0,0 +1,29 @@ +package org.owasp.webgoat.users; + +import org.assertj.core.api.Assertions; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.autoconfigure.orm.jpa.DataJpaTest; +import org.springframework.test.context.junit4.SpringRunner; + +@DataJpaTest +@RunWith(SpringRunner.class) +public class UserRepositoryTest { + + @Autowired + private UserRepository userRepository; + + @Test + public void userShouldBeSaved() { + WebGoatUser user = new WebGoatUser("test", "password"); + userRepository.saveAndFlush(user); + + user = userRepository.findByUsername("test"); + + Assertions.assertThat(user.getUsername()).isEqualTo("test"); + Assertions.assertThat(user.getPassword()).isEqualTo("password"); + } + + +} \ No newline at end of file diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/users/UserTrackerRepositoryTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/users/UserTrackerRepositoryTest.java new file mode 100644 index 000000000..142a6c8c7 --- /dev/null +++ b/webgoat-container/src/test/java/org/owasp/webgoat/users/UserTrackerRepositoryTest.java @@ -0,0 +1,101 @@ +package org.owasp.webgoat.users; + +import org.assertj.core.api.Assertions; +import org.assertj.core.util.Lists; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.owasp.webgoat.lessons.Assignment; +import org.owasp.webgoat.lessons.Category; +import org.owasp.webgoat.lessons.NewLesson; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.autoconfigure.orm.jpa.DataJpaTest; +import org.springframework.test.context.junit4.SpringRunner; + +import java.util.List; + +@DataJpaTest +@RunWith(SpringRunner.class) +public class UserTrackerRepositoryTest { + + private class TestLesson extends NewLesson { + + @Override + public Category getDefaultCategory() { + return Category.AJAX_SECURITY; + } + + @Override + public List getHints() { + return Lists.newArrayList(); + } + + @Override + public Integer getDefaultRanking() { + return 12; + } + + @Override + public String getTitle() { + return "test"; + } + + @Override + public String getId() { + return "test"; + } + + @Override + public List getAssignments() { + Assignment assignment = new Assignment("test", "test", Lists.newArrayList()); + return Lists.newArrayList(assignment); + } + } + + @Autowired + private UserTrackerRepository userTrackerRepository; + + + @Test + public void saveUserTracker() { + UserTracker userTracker = new UserTracker("test"); + LessonTracker lessonTracker = userTracker.getLessonTracker(new TestLesson()); + + userTrackerRepository.save(userTracker); + + userTracker = userTrackerRepository.findByUser("test"); + Assertions.assertThat(userTracker.getLessonTracker("test")).isNotNull(); + } + + @Test + public void solvedAssignmentsShouldBeSaved() { + UserTracker userTracker = new UserTracker("test"); + TestLesson lesson = new TestLesson(); + userTracker.getLessonTracker(lesson); + userTracker.assignmentFailed(lesson); + userTracker.assignmentFailed(lesson); + userTracker.assignmentSolved(lesson, "test"); + + userTrackerRepository.saveAndFlush(userTracker); + + userTracker = userTrackerRepository.findByUser("test"); + Assertions.assertThat(userTracker.numberOfAssignmentsSolved()).isEqualTo(1); + } + + @Test + public void saveAndLoadShouldHaveCorrectNumberOfAttemtps() { + UserTracker userTracker = new UserTracker("test"); + TestLesson lesson = new TestLesson(); + userTracker.getLessonTracker(lesson); + userTracker.assignmentFailed(lesson); + userTracker.assignmentFailed(lesson); + userTrackerRepository.saveAndFlush(userTracker); + + userTracker = userTrackerRepository.findByUser("test"); + userTracker.assignmentFailed(lesson); + userTracker.assignmentFailed(lesson); + userTrackerRepository.saveAndFlush(userTracker); + + Assertions.assertThat(userTracker.getLessonTracker(lesson).getNumberOfAttempts()).isEqualTo(4); + } + +} \ No newline at end of file diff --git a/webgoat-container/src/test/resources/application-test.properties b/webgoat-container/src/test/resources/application-test.properties index 3100e029a..a4e152215 100644 --- a/webgoat-container/src/test/resources/application-test.properties +++ b/webgoat-container/src/test/resources/application-test.properties @@ -1 +1,4 @@ -webgoat.user.directory=${java.io.tmpdir} \ No newline at end of file +webgoat.user.directory=${java.io.tmpdir} + +spring.datasource.url=jdbc:hsqldb:mem:test +spring.jpa.hibernate.ddl-auto=create-drop \ No newline at end of file diff --git a/webgoat-images/vagrant-developers/Vagrantfile b/webgoat-images/vagrant-developers/Vagrantfile deleted file mode 100644 index 47b41f3fc..000000000 --- a/webgoat-images/vagrant-developers/Vagrantfile +++ /dev/null @@ -1,32 +0,0 @@ -Vagrant.configure(2) do |config| - config.vm.box = "boxcutter/ubuntu1604-desktop" - - - config.vm.provider "virtualbox" do |vb| - vb.gui = true - vb.memory = "4096" - vb.cpus = 2 - vb.name = "WebGoat-Development" - vb.customize ["modifyvm", :id, "--nictype1", "virtio"] - end - - config.ssh.shell = "bash -c 'BASH_ENV=/etc/profile exec bash'" - - config.vm.provision 'shell' do |s| - s.path = '../vagrant_provision.sh' - s.privileged = true - end - - config.vm.provision :shell, privileged:false, inline: <<-SHELL - echo -e "Cloning the WebGoat container repository" - git clone -b master https://github.com/WebGoat/WebGoat.git - echo -e "Cloning the WebGoat Lessons repository" - git clone -b master https://github.com/WebGoat/WebGoat-Lessons.git - SHELL - - config.vm.provision 'shell' do |s| - s.inline = "echo Finished provisioning, login with user vagrant pass vagrant" - end - -end - diff --git a/webgoat-images/vagrant-training/Vagrantfile b/webgoat-images/vagrant-training/Vagrantfile new file mode 100644 index 000000000..ec6bc9b25 --- /dev/null +++ b/webgoat-images/vagrant-training/Vagrantfile @@ -0,0 +1,35 @@ +# Setup a Linux box headless which will start WebGoat and WebWolf helpful image to give away during training + +Vagrant.configure(2) do |config| + config.vm.box = "ubuntu/trusty64" + config.vm.network :forwarded_port, guest: 8080, host: 8080 + config.vm.network :forwarded_port, guest: 8081, host: 8081 + config.vm.provider "virtualbox" do |vb| + vb.gui = false + vb.memory = "4096" + vb.cpus = 2 + vb.name = "WebGoat-Training" + vb.customize ["modifyvm", :id, "--nictype1", "virtio"] + end + config.vm.provider "vmware_fusion" do |vf| + vf.gui = false + vf.vmx["memsize"] = 4096 + vf.vmx["numvcpus"] = 2 + vf.vmx["displayname"] = "WebGoat-Training" + end + + config.vm.provision "shell", inline: <<-SHELL + wget https://github.com/WebGoat/WebGoat/releases/download/v8.0.0.RELEASE/webgoat-server-8.0.0.RELEASE.jar + wget https://github.com/WebGoat/WebGoat/releases/download/v8.0.0.RELEASE/webwolf-8.0.0.RELEASE.jar + sudo add-apt-repository ppa:openjdk-r/ppa + sudo apt-get update + sudo apt-get install openjdk-8-jre -y + SHELL + + config.vm.provision "shell", run: "always", privileged: false, inline: <<-SHELL + java -jar webgoat-server-8.0.0.RELEASE.jar & + sleep 40s + java -jar webwolf-8.0.0.RELEASE.jar + SHELL + +end diff --git a/webgoat-images/vagrant-users/Vagrantfile b/webgoat-images/vagrant-users/Vagrantfile deleted file mode 100644 index 41a97210b..000000000 --- a/webgoat-images/vagrant-users/Vagrantfile +++ /dev/null @@ -1,48 +0,0 @@ -#For now use the same as for developers but start WebGoat -#In the future we can add Docker as well and then Vagrant can start the -#Docker container or Chef which setups the Tomcat - -Vagrant.configure(2) do |config| - config.vm.box = "boxcutter/ubuntu1604-desktop" - config.vm.network :forwarded_port, guest: 8080, host: 9999 - config.vm.provider "virtualbox" do |vb| - vb.gui = false - vb.memory = "2048" - vb.cpus = 2 - vb.name = "WebGoat-Users" - vb.customize ["modifyvm", :id, "--nictype1", "virtio"] - end - config.vm.provider "vmware_fusion" do |vf| - vf.gui = false - vf.vmx["memsize"] = 4096 - vf.vmx["numvcpus"] = 2 - vf.vmx["displayname"] = "WebGoat-Users" - end - - config.ssh.shell = "bash -c 'BASH_ENV=/etc/profile exec bash'" - - config.vm.provision 'shell' do |s| - s.path = '../vagrant_provision.sh' - s.privileged = true - end - - config.vm.provision :shell, inline: <<-SHELL - echo -e "Cloning the WebGoat container repository" - git clone -b master https://github.com/WebGoat/WebGoat.git - echo -e "Cloning the WebGoat Lessons repository" - git clone -b master https://github.com/WebGoat/WebGoat-Lessons.git - echo -e "Compiling and installing the WebGoat Container lesson server....." - mvn -q -DskipTests -file WebGoat/pom.xml clean compile install - echo -e "Compiling and installing the WebGoat Lessons $COL_RESET" - mvn -q -DskipTests -file WebGoat-Lessons/pom.xml package - echo -e "Copying the compiled lessons jars into the container so we can start the lesson server with some base lessons" - cp -fa ./WebGoat-Lessons/target/plugins/*.jar ./WebGoat/webgoat-container/src/main/webapp/plugin_lessons/ - nohup mvn -q -DskipTests -file WebGoat/pom.xml -pl webgoat-container tomcat7:run-war 0<&- &>/dev/null & - SHELL - - config.vm.provision 'shell' do |s| - s.inline = "echo Finished provisioning, open a browser and browse to http://localhost:9999/WebGoat/" - end - -end - diff --git a/webgoat-images/vagrant_provision.sh b/webgoat-images/vagrant_provision.sh deleted file mode 100644 index da88799e3..000000000 --- a/webgoat-images/vagrant_provision.sh +++ /dev/null @@ -1,62 +0,0 @@ -#!/usr/bin/env bash -set -e - -echo "Setting locale..." -sudo update-locale LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 - -sudo kill -9 $(lsof -t /var/lib/dpkg/lock) || true -sudo apt-get update -sudo apt-get install -y git - -echo "Installing required packages..." -sudo apt-get install -y -q build-essential autotools-dev automake pkg-config expect - - -## Chrome -wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo apt-key add - -sudo sh -c 'echo "deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list' -sudo apt-get update -sudo apt-get install -y google-chrome-stable - -## Java 8 -echo "Provisioning Java 8..." -mkdir -p /home/vagrant/java -cd /home/vagrant/java -test -f /tmp/jdk-8-linux-x64.tar.gz || curl -q -L --cookie "oraclelicense=accept-securebackup-cookie" http://download.oracle.com/otn-pub/java/jdk/8u144-b01/090f390dda5b47b9b721c7dfaa008135/jdk-8u144-linux-x64.tar.gz -o /tmp/jdk-8-linux-x64.tar.gz - -sudo mkdir -p /usr/lib/jvm -sudo tar zxf /tmp/jdk-8-linux-x64.tar.gz -C /usr/lib/jvm - -sudo update-alternatives --install "/usr/bin/java" "java" "/usr/lib/jvm/jdk1.8.0_144/bin/java" 1 -sudo update-alternatives --install "/usr/bin/javac" "javac" "/usr/lib/jvm/jdk1.8.0_144/bin/javac" 1 -sudo update-alternatives --install "/usr/bin/javaws" "javaws" "/usr/lib/jvm/jdk1.8.0_144/bin/javaws" 1 - -sudo chmod a+x /usr/bin/java -sudo chmod a+x /usr/bin/javac -sudo chmod a+x /usr/bin/javaws -sudo chown -R root:root /usr/lib/jvm/jdk1.8.0_144 - -echo "export JAVA_HOME=/usr/lib/jvm/jdk1.8.0_144" >> /home/vagrant/.bashrc - -## Maven -echo "Installing Maven.." -sudo apt-get install -y maven - -## ZAP -echo "Provisioning ZAP..." -cd /home/vagrant -mkdir tools -cd tools -wget https://github.com/zaproxy/zaproxy/releases/download/2.5.0/ZAP_2.5.0_Linux.tar.gz -tar xvfx ZAP_2.5.0_Linux.tar.gz -rm -rf ZAP_2.5.0_Linux.tar.gz - -## IntelliJ -cd /home/vagrant/tools -wget https://download.jetbrains.com/idea/ideaIC-2016.1.4.tar.gz -tar xvfz ideaIC-2016.1.4.tar.gz -rm -rf ideaIC-2016.1.4.tar.gz - -## Eclipse -sudo apt-get -y install eclipse - diff --git a/webgoat-lessons/auth-bypass/pom.xml b/webgoat-lessons/auth-bypass/pom.xml index fe1fca044..22253bee4 100644 --- a/webgoat-lessons/auth-bypass/pom.xml +++ b/webgoat-lessons/auth-bypass/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - 8.0-SNAPSHOT + v8.0.0.M14 diff --git a/webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/bypass-intro.adoc b/webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/bypass-intro.adoc index a18bce132..ef7c5725a 100644 --- a/webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/bypass-intro.adoc +++ b/webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/bypass-intro.adoc @@ -1,4 +1,4 @@ -== Authentication Bpasses +== Authentication Bypasses Authentication Bypasses happen in many ways, but usually take advantage of some flaw in the configuration or logic. Tampering to achieve the right conditions. @@ -12,4 +12,4 @@ Sometimes, if an attacker doesn't know the correct value of a parameter, they ma === Forced Browsing -If an area of a site is not protected properly by configuation, that area of the site may be accessed by guessing/brute-forcing. \ No newline at end of file +If an area of a site is not protected properly by configuration, that area of the site may be accessed by guessing/brute-forcing. diff --git a/webgoat-lessons/auth-bypass/src/main/resources/video/sample-video.m4v b/webgoat-lessons/auth-bypass/src/main/resources/video/sample-video.m4v deleted file mode 100644 index ff801f48b..000000000 Binary files a/webgoat-lessons/auth-bypass/src/main/resources/video/sample-video.m4v and /dev/null differ diff --git a/webgoat-lessons/bypass-restrictions/pom.xml b/webgoat-lessons/bypass-restrictions/pom.xml index 8775fdbd5..8ae0f4f4c 100755 --- a/webgoat-lessons/bypass-restrictions/pom.xml +++ b/webgoat-lessons/bypass-restrictions/pom.xml @@ -6,6 +6,6 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - 8.0-SNAPSHOT + v8.0.0.M14 diff --git a/webgoat-lessons/challenge/pom.xml b/webgoat-lessons/challenge/pom.xml index 04adf95cb..60639ca63 100644 --- a/webgoat-lessons/challenge/pom.xml +++ b/webgoat-lessons/challenge/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - 8.0-SNAPSHOT + v8.0.0.M14 diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/Flag.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/Flag.java index fe9d66466..7d5c85967 100644 --- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/Flag.java +++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/Flag.java @@ -46,7 +46,6 @@ public class Flag extends Endpoint { @PostConstruct public void initFlags() { IntStream.range(1, 10).forEach(i -> FLAGS.put(i, UUID.randomUUID().toString())); - FLAGS.entrySet().stream().forEach(e -> log.debug("Flag {} {}", e.getKey(), e.getValue())); } @Override diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge7/Assignment7.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge7/Assignment7.java index d7d5e20cf..2e12e14cc 100644 --- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge7/Assignment7.java +++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge7/Assignment7.java @@ -45,7 +45,7 @@ public class Assignment7 extends AssignmentEndpoint { @Autowired private RestTemplate restTemplate; - @Value("${webworf.url.mail}") + @Value("${webwolf.url.mail}") private String webWolfMailURL; @GetMapping("/reset-password/{link}") diff --git a/webgoat-lessons/client-side-filtering/pom.xml b/webgoat-lessons/client-side-filtering/pom.xml index c44a2605f..95970426a 100644 --- a/webgoat-lessons/client-side-filtering/pom.xml +++ b/webgoat-lessons/client-side-filtering/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - 8.0-SNAPSHOT + v8.0.0.M14 diff --git a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFiltering.java b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFiltering.java index 98a7c4172..84596b1ba 100644 --- a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFiltering.java +++ b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFiltering.java @@ -56,7 +56,7 @@ public class ClientSideFiltering extends NewLesson { @Override public String getTitle() { - return "Client side filtering"; + return "client.side.filtering.title"; } @Override diff --git a/webgoat-lessons/client-side-filtering/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/client-side-filtering/src/main/resources/i18n/WebGoatLabels.properties index a5a163cad..e9a044325 100644 --- a/webgoat-lessons/client-side-filtering/src/main/resources/i18n/WebGoatLabels.properties +++ b/webgoat-lessons/client-side-filtering/src/main/resources/i18n/WebGoatLabels.properties @@ -1,3 +1,4 @@ +client.side.filtering.title=Client side filtering ClientSideFilteringSelectUser=Select user: ClientSideFilteringUserID=User ID ClientSideFilteringFirstName=First Name diff --git a/webgoat-lessons/cross-site-scripting/pom.xml b/webgoat-lessons/cross-site-scripting/pom.xml index c6043ff30..71723d5b3 100644 --- a/webgoat-lessons/cross-site-scripting/pom.xml +++ b/webgoat-lessons/cross-site-scripting/pom.xml @@ -6,7 +6,7 @@ org.owasp.webgoat.lesson webgoat-lessons-parent - 8.0-SNAPSHOT + v8.0.0.M14 diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScripting.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScripting.java index 609fb49cd..c1453a112 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScripting.java +++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScripting.java @@ -60,7 +60,7 @@ public class CrossSiteScripting extends NewLesson { @Override public String getTitle() { - return "Cross Site Scripting"; + return "xss.title"; } @Override diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java index 27bc2b4d5..7f6683f66 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java +++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java @@ -64,7 +64,7 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint { userSessionData.setValue("xss-reflected1-complete",(Object)"false"); StringBuffer cart = new StringBuffer(); cart.append("Thank you for shopping at WebGoat.
You're support is appreciated
"); - cart.append("

We have chaged credit card:" + field1 + "
"); + cart.append("

We have charged credit card:" + field1 + "
"); cart.append( " -------------------
"); cart.append( " $" + totalSale); diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties index 9d3490287..3f6a96ee2 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties +++ b/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties @@ -1,4 +1,5 @@ # XSS success, failure messages and hints +xss.title=Cross Site Scripting xss-reflected-5a-success=well done, but alerts aren't very impressive are they? Please continue. xss-reflected-5a-failure=Try again. We do want to see this specific javascript (in case you are trying to do something more fancy) xss-reflected-5b-success=Correct ... because

  • The script was not triggered by the URL/QueryString
  • Even if you use the attack URL in a new tab, it won't execute (becuase of response type). Try it if you like.
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8.adoc index 80a3c7a25..a39af74c3 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8.adoc +++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8.adoc @@ -2,10 +2,10 @@ === Why? -Hopefully we've covered that by now. Bottom line, you don't want someone else's code running in the context of your users and their logged-in seession +Hopefully we've covered that by now. Bottom line, you don't want someone else's code running in the context of your users and their logged-in session === What to encode? -The basic premise of defending against XSS is *output endoding* any untrusted input that goes to the screen. +The basic premise of defending against XSS is *output encoding* any untrusted input that goes to the screen. That may be changing with more sophisticated attacks, but is still the best defense we currently have. *AND* ... *context matters* Another word on 'untrusted input'. If in doubt, treat everything (even data you populated in your DB as untrusted). diff --git a/webgoat-lessons/cross-site-scripting/src/test/java/org/owasp/webgoat/plugin/StoredXssCommentsTest.java b/webgoat-lessons/cross-site-scripting/src/test/java/org/owasp/webgoat/plugin/StoredXssCommentsTest.java index 3187e936b..a333a2602 100644 --- a/webgoat-lessons/cross-site-scripting/src/test/java/org/owasp/webgoat/plugin/StoredXssCommentsTest.java +++ b/webgoat-lessons/cross-site-scripting/src/test/java/org/owasp/webgoat/plugin/StoredXssCommentsTest.java @@ -33,8 +33,10 @@ import org.mockito.runners.MockitoJUnitRunner; import org.owasp.webgoat.assignments.AssignmentEndpointTest; import org.springframework.http.MediaType; import org.springframework.test.web.servlet.MockMvc; +import org.springframework.test.web.servlet.MvcResult; import org.springframework.test.web.servlet.ResultActions; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; +import org.springframework.util.Assert; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; @@ -80,13 +82,13 @@ public class StoredXssCommentsTest extends AssignmentEndpointTest { */ //Ensures it is vulnerable -// @Test -// public void isNotEncoded() throws Exception { -// //do get to get comments after posting xss payload -// ResultActions taintedResults = mockMvc.perform(MockMvcRequestBuilders.get("/CrossSiteScripting/stored-xss")); -// taintedResults.andExpect(jsonPath("$[0].text",CoreMatchers.is(CoreMatchers.containsString("")))); -// } - + @Test + public void isNotEncoded() throws Exception { + //do get to get comments after posting xss payload + ResultActions taintedResults = mockMvc.perform(MockMvcRequestBuilders.get("/CrossSiteScripting/stored-xss")); + MvcResult mvcResult = taintedResults.andReturn(); + assert(mvcResult.getResponse().getContentAsString().contains(" + */ +} diff --git a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFLogin.java b/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFLogin.java new file mode 100644 index 000000000..122238bc1 --- /dev/null +++ b/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFLogin.java @@ -0,0 +1,40 @@ +package org.owasp.webgoat.plugin; + +import org.owasp.webgoat.assignments.AssignmentEndpoint; +import org.owasp.webgoat.assignments.AssignmentHints; +import org.owasp.webgoat.assignments.AssignmentPath; +import org.owasp.webgoat.assignments.AttackResult; +import org.owasp.webgoat.users.UserTracker; +import org.owasp.webgoat.users.UserTrackerRepository; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.web.bind.annotation.PostMapping; +import org.springframework.web.bind.annotation.ResponseBody; + +/** + * @author nbaars + * @since 11/17/17. + */ +@AssignmentPath("/csrf/login") +@AssignmentHints({"csrf-login-hint1", "csrf-login-hint2", "csrf-login-hint3"}) +public class CSRFLogin extends AssignmentEndpoint { + + @Autowired + private UserTrackerRepository userTrackerRepository; + + @PostMapping(produces = {"application/json"}) + @ResponseBody + public AttackResult completed() { + String userName = getWebSession().getUserName(); + if (userName.startsWith("csrf")) { + markAssignmentSolvedWithRealUser(userName.substring("csrf-".length())); + return trackProgress(success().feedback("csrf-login-success").build()); + } + return trackProgress(failed().feedback("csrf-login-failed").feedbackArgs(userName).build()); + } + + private void markAssignmentSolvedWithRealUser(String username) { + UserTracker userTracker = userTrackerRepository.findByUser(username); + userTracker.assignmentSolved(getWebSession().getCurrentLesson(), this.getClass().getSimpleName()); + userTrackerRepository.save(userTracker); + } +} diff --git a/webgoat-lessons/csrf/src/main/resources/html/CSRF.html b/webgoat-lessons/csrf/src/main/resources/html/CSRF.html index b85568f08..0e56a7c31 100644 --- a/webgoat-lessons/csrf/src/main/resources/html/CSRF.html +++ b/webgoat-lessons/csrf/src/main/resources/html/CSRF.html @@ -2,62 +2,63 @@ -
-
-
+
+
+
-
-
-
+
+
+
-
-
+
+
-
+ + + +
+ +
+ +
+
+ +
+
- - + + Confirm Flag Value: + + +
-
- -
-
- -
-
- - Confirm Flag Value: - - - - -
- -
-
-
+
+
+
-
+
-
+
- - - + + + -
+
+
@@ -89,16 +90,17 @@ method="POST" name="review-form" successCallback="" action="/WebGoat/csrf/review"> - - - + + +
- - + +
    @@ -108,14 +110,144 @@
- +
+ +
+ +
+
+
+ +
+
+
+ +
+
+ + +
+
+
+
+
+
+
+
+
+
+ + +
+
+ +
+ + +
+
+
+ + +
+
+
+
+ + +
+
+
+ +
+
+
+
+
+
+
-
-
+
+
+ +
+
+ + Confirm Flag Value: + + + + +
+ +
+
- + +
+ +
+
+ +
+
+ +
+
+ + Press the button below when your are logged in as the other user
+ + + +
+ +
+
+
+
+ + +
+
+
+ + + \ No newline at end of file diff --git a/webgoat-lessons/csrf/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/csrf/src/main/resources/i18n/WebGoatLabels.properties index 84c269777..5571650f5 100644 --- a/webgoat-lessons/csrf/src/main/resources/i18n/WebGoatLabels.properties +++ b/webgoat-lessons/csrf/src/main/resources/i18n/WebGoatLabels.properties @@ -16,4 +16,17 @@ csrf-review.success=It appears you have submitted correctly from another site. G csrf-review-hint1=Again, you will need to submit from an external domain/host to trigger this action. While CSRF can often be triggered from the same host (e.g. via persisted payload), this doesn't work that way. csrf-review-hint2=Remember, you need to mimic the existing workflow/form. -csrf-review-hint3=This one has a weak anti-CSRF protection, but you do need to overcome (mimic) it \ No newline at end of file +csrf-review-hint3=This one has a weak anti-CSRF protection, but you do need to overcome (mimic) it + +csrf-feedback-hint1=Look at the content-type. +csrf-feedback-hint2=Try to post the same message with content-type text/plain +csrf-feedback-hint3=The json can be put into a hidden field inside + +csrf-feedback-invalid-json=Invalid JSON received. +csrf-feedback-success=Congratulations you have found the correct solution, the flag is: {0} + +csrf-login-hint1=First create a new account with csrf-username +csrf-login-hint2=Create a form which will log you in as this user (hint 1) and upload it to WebWolf +csrf-login-hint3=Visit this assignment again +csrf-login-success=Congratulations, now log out and login with your normal user account within WebGoat, remember the attacker knows you solved this assignment +csrf-login-failed=The solution is not correct, you are clicking the button while logged in as {0} \ No newline at end of file diff --git a/webgoat-lessons/csrf/src/main/resources/images/login-csrf.png b/webgoat-lessons/csrf/src/main/resources/images/login-csrf.png new file mode 100644 index 000000000..bdc982732 Binary files /dev/null and b/webgoat-lessons/csrf/src/main/resources/images/login-csrf.png differ diff --git a/webgoat-lessons/csrf/src/main/resources/js/feedback.js b/webgoat-lessons/csrf/src/main/resources/js/feedback.js new file mode 100644 index 000000000..242090c7b --- /dev/null +++ b/webgoat-lessons/csrf/src/main/resources/js/feedback.js @@ -0,0 +1,7 @@ +webgoat.customjs.feedback = function() { + var data = {}; + $('#csrf-feedback').find('input, textarea, select').each(function(i, field) { + data[field.name] = field.value; + }); + return JSON.stringify(data); +} diff --git a/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_ContentType.adoc b/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_ContentType.adoc new file mode 100644 index 000000000..735e320bc --- /dev/null +++ b/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_ContentType.adoc @@ -0,0 +1,23 @@ +== CSRF and content-type + +In the previous section we saw how relying on the content-type is not a protection against +CSRF. In this section we will look into another way we can perform a CSRF attack against +a APIs which are not protected against CSRF. + +In this assignment you need to achieve to POST the following JSON message to our endpoints: + +[source] +---- +POST /csrf/feedback/message HTTP/1.1 + +{ + "name" : "WebGoat", + "email" : "webgoat@webgoat.org", + "content" : "WebGoat is the best!!" +} +---- + +More information can be found http://pentestmonkey.net/blog/csrf-xml-post-request[here] + +Remember you need to make the call from another origin (WebWolf can help here) and you need to be logged in into +WebGoat. \ No newline at end of file diff --git a/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Frameworks.adoc b/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Frameworks.adoc new file mode 100644 index 000000000..dff9a78c1 --- /dev/null +++ b/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Frameworks.adoc @@ -0,0 +1,22 @@ +=== Automatic support from frameworks + +Most frameworks now have default support for preventing CSRF. For example with Angular an interceptor reads a token +from a cookie by default XSRF-TOKEN and sets it as an HTTP header, X-XSRF-TOKEN. Since only code that runs on your domain +could read the cookie, the backend can be certain that the HTTP request came from your client application and not an attacker. + +In order for this to work the backend server sets the token in a cookie. As the value of the cookie should be read +by Angular (JavaScript) this cookie should not be marked with the http-only flag. On every request towards the server +Angular will put the token in the X-XSRF-TOKEN as a HTTP header. The server can validate whether those two tokens +match and this will ensure the server the request is running on the same domain. + +*Important: DEFINE A SEPARATE COOKIE, DO NOT REUSE THE SESSION COOKIE* + +Remember the session cookie should always be defined with http-only flag. + +Another effective defense can be to add a custom request header to each call. This will work if all the interactions +with the server are performed with JavaScript. On the server side you only need to check the presence of this header +if this header is not present deny the request. + + + + diff --git a/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_JSON.adoc b/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_JSON.adoc new file mode 100644 index 000000000..bcf7be949 --- /dev/null +++ b/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_JSON.adoc @@ -0,0 +1,46 @@ +**But I only have JSON APIs and no CORS enabled, how can those be susceptible to CSRF?** + +A lot of web applications implement no protection against CSRF they are somehow protected by the fact that +they only work with `application/json` as content type. The only way to make a request with this content-type from the +browser is with a XHR request. Before the browser can make such a request a preflight request will be made towards +the server (remember the CSRF request will be cross origin). If the preflight response does not allow the cross origin +request the browser will not make the call. + +To make a long answer short: this is *not* a valid protection against CSRF. + +One example why this protection is not enough can be found https://bugs.chromium.org/p/chromium/issues/detail?id=490015[here]. +Turns out `Navigator.sendBeacon()` was allowed to send POST request with an arbitrary content-type. + +[qoute, developer.mozilla.org] +____ +The navigator.sendBeacon() method can be used to asynchronously transfer a small amount of +data over HTTP to a web server. This method addresses the needs of analytics and diagnostics +code that typically attempts to send data to a web server prior to the unloading of the +document. Sending the data any sooner may result in a missed opportunity to gather data..." +____ + +{nbsp} + +For example: + +[source] +---- +function postBeacon() { + var data= new Blob([JSON.stringify({"author" :"WebGoat"})], {type : 'application/json'}); + navigator.sendBeacon("http://localhost:8083", data) +} +---- + +[quote, Eduardo Vela] +____ +I think Content-Type restrictions are useful for websites that are accidentally safe against CSRF. They are not meant to be, but they are because they happen to only accept XML or JSON payloads. + +That said, it's somewhat obvious the websites depending on this behavior should be fixed, and any reputable pentesters will point that out. The issue is whether it's the browser responsibility to act as a nanny to weak websites, or we should leave weak websites as sacrifice for great justice. Survival of the fittest. + +IMHO, the answer is somewhere in between, and a good first step would be to document all these Same Origin Policy gotchas that websites might depend upon for security. + +But wrt to this bug in specific, if it never got fixed, I don't think it would be the end of the world. But then again, on this day and age, maybe there's a way to launch nuclear missiles with a XML RPC interface, so maybe it would be the end of the world. +____ + +{nbsp} + +Both Firefox and Chrome fixed this issue, but it shows why you should implement a CSRF protection instead +of relying on the content-type of your APIs. \ No newline at end of file diff --git a/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Login.adoc b/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Login.adoc new file mode 100644 index 000000000..ea480f495 --- /dev/null +++ b/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Login.adoc @@ -0,0 +1,24 @@ +:blank: pass:[ +] + +== Login CSRF attack + +In a login CSRF attack, the attacker forges a login request to an honest site using the attacker’s username +and password at that site. If the forgery succeeds, the honest server responds with a `Set-Cookie` header +that instructs the browser to mutate its state by storing a session cookie, logging the user into +the honest site as the attacker. This session cookie is used to bind subsequent requests to the user’s session and hence +to the attacker’s authentication credentials. Login CSRF attacks can have serious consequences, for example +see the picture below where an attacker created an account at google.com the victim visits the malicious +website and the user is logged in as the attacker. The attacker could then later on gather information about +the activities of the user. + +{blank} + +image::images/login-csrf.png[caption="Figure: ", title="Login CSRF from Robust Defenses for Cross-Site Request Forgery", width="800", height="500", style="lesson-image" link="http://seclab.stanford.edu/websec/csrf/csrf.pdf"] + +{blank} +For more information read the following http://seclab.stanford.edu/websec/csrf/csrf.pdf[paper] + +In this assignment try to see if WebGoat is also vulnerable for a login CSRF attack. First create a user +based on your own username prefixed with csrf. So if your username is `tom` you must create +a new user called `csrf-tom` + diff --git a/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Reviews.adoc b/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Reviews.adoc index 6fb15da4e..f3df9c4e6 100644 --- a/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Reviews.adoc +++ b/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Reviews.adoc @@ -1,9 +1,9 @@ == Post a review on someone else's behalf -The page below simulates a comment/review page. The difference here is that you have to inititate the submission elsewhere as you might +The page below simulates a comment/review page. The difference here is that you have to initiate the submission elsewhere as you might with a CSRF attack and like the previous exercise. It's easier than you think. In most cases, the trickier part is finding somewhere that you want to execute the CSRF attack. The classic example is account/wire transfers in someone's bank account. -But we're keepoing it simple here. In this case, you just need to trigger a review submission on behalf of the currently +But we're keeping it simple here. In this case, you just need to trigger a review submission on behalf of the currently logged in user. diff --git a/webgoat-lessons/csrf/src/test/java/org/owasp/webgoat/plugin/CSRFFeedbackTest.java b/webgoat-lessons/csrf/src/test/java/org/owasp/webgoat/plugin/CSRFFeedbackTest.java new file mode 100644 index 000000000..98c44077f --- /dev/null +++ b/webgoat-lessons/csrf/src/test/java/org/owasp/webgoat/plugin/CSRFFeedbackTest.java @@ -0,0 +1,58 @@ +package org.owasp.webgoat.plugin; + +import org.hamcrest.core.StringContains; +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.owasp.webgoat.plugins.LessonTest; +import org.springframework.http.MediaType; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.web.servlet.setup.MockMvcBuilders; + +import javax.servlet.http.Cookie; + +import static org.hamcrest.core.Is.is; +import static org.mockito.Mockito.when; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; + +/** + * @author nbaars + * @since 11/17/17. + */ +@RunWith(SpringJUnit4ClassRunner.class) +public class CSRFFeedbackTest extends LessonTest { + + @Before + public void setup() throws Exception { + CSRF csrf = new CSRF(); + when(webSession.getCurrentLesson()).thenReturn(csrf); + this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build(); + when(webSession.getUserName()).thenReturn("unit-test"); + } + + @Test + public void postingJsonMessageThroughWebGoatShouldWork() throws Exception { + mockMvc.perform(post("/csrf/feedback/message") + .contentType(MediaType.APPLICATION_JSON) + .content("{\"name\": \"Test\", \"email\": \"test1233@dfssdf.de\", \"subject\": \"service\", \"message\":\"dsaffd\"}")) + .andExpect(status().isOk()); + } + + + @Test + public void csrfAttack() throws Exception { + mockMvc.perform(post("/csrf/feedback/message") + .contentType(MediaType.TEXT_PLAIN) + .cookie(new Cookie("JSESSIONID", "test")) + .header("host", "localhost:8080") + .header("referer", "webgoat.org") + .content("{\"name\": \"Test\", \"email\": \"test1233@dfssdf.de\", \"subject\": \"service\", \"message\":\"dsaffd\"}")) + .andExpect(jsonPath("lessonCompleted", is(true))) + .andExpect(jsonPath("feedback", StringContains.containsString("the flag is: "))); + } + + + +} \ No newline at end of file diff --git a/webgoat-lessons/csrf/webgoat-lesson-template/getting-started.txt b/webgoat-lessons/csrf/webgoat-lesson-template/getting-started.txt deleted file mode 100644 index c0677c6b7..000000000 --- a/webgoat-lessons/csrf/webgoat-lesson-template/getting-started.txt +++ /dev/null @@ -1,55 +0,0 @@ -##### To include lesson template in build ##### -1. edit theh webgoat-server/pom.xml file and uncomment the section under ... - - -2. Also uncomment in webgoat-lessons/pom.xml where it says ... - - -##### To add a lesson to WebGoat ##### - -There are a number of moving parts and this sample lesson will help you navigate those parts. Most of your work will be done in two directories. To start though, you can copy this directory with the name of your-lesson in the webgoat-lessons directory. - -0. The POM file - a. change the ... - webgoat-lesson-template - ... line to give your lesson its own artifactId.That should be all you need to do there - -1. The Base Class ... - In webgoat-lessons/{your-lesson}/src/main/java, refactor the LessonTemplate.java class, changing ... - a. the category in which you want your lesson to be in. You can create a new category if you want, or put in an issue to have one added - b. The 'defaultRanking' will move your lesson up or down in the categories list - c. implement a new key name pair "lesson-template.title" (the key) and update the same key/value pair (your.key=your value) in src/main/resources/i18n/WebGoatLabels.properties - d. Implement a new value for the getId method, which leads us to ... - -2. The HTML content framing ... - a. Rename the provided file in src/main/resources/html using your value from the getId method in your lesson's base class (e.g. public String getId() { return "your-lesson"; } >> "your-lesson.html") - b. Modify that file following the commented instructions in there - c. In conjunction with this file you - -3. Assignment Endpoints - a. In the above html file, you will see an example of an 'attack form'. You can create endpoints to handle these attacks and provide the user feedback and simulated output. See the example file here as well as other existing lessons for ways to extend these. You will extend the AssignmentEndpoint as the example will show - b. You can also create supporting (non-assignment) endpoints, that are not evaluated/graded. - c. See other lesson examples for creating unit/integration tests for your project as well - - -4. Getting your lesson to show up - a. modify the webgoat-lessons/pom.xml to include your project in the section - - - webgoat-lesson-template - - - - b. modify the webgoat-server/pom.xml to add your project as a dependency in the section ... - - - -
-
- -
- - -
- -
- - -
-
- - - - - - 4128 3214 0002 1999 +``` + +DOM-XSS: + + Something like + `http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere%3Cscript%3Ewebgoat.customjs.phoneHome();%3C%2Fscript%3E +//` +OR +`http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere