diff --git a/src/main/java/org/owasp/webgoat/controller/About.java b/src/main/java/org/owasp/webgoat/controller/About.java new file mode 100644 index 000000000..479f83a74 --- /dev/null +++ b/src/main/java/org/owasp/webgoat/controller/About.java @@ -0,0 +1,49 @@ +/* + * To change this license header, choose License Headers in Project Properties. + * To change this template file, choose Tools | Templates + * and open the template in the editor. + */ +package org.owasp.webgoat.controller; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpSession; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.stereotype.Controller; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestMethod; +import org.springframework.web.bind.annotation.RequestParam; +import org.springframework.web.servlet.ModelAndView; + +/** + * + * @author rlawson + */ +@Controller +public class About { + + final Logger logger = LoggerFactory.getLogger(About.class); + private static final String WELCOMED = "welcomed"; + + @RequestMapping(value = "about.mvc", method = RequestMethod.GET) + public ModelAndView welcome(HttpServletRequest request, + @RequestParam(value = "error", required = false) String error, + @RequestParam(value = "logout", required = false) String logout) { + + // set the welcome attribute + // this is so the attack servlet does not also + // send them to the welcome page + HttpSession session = request.getSession(); + if (session.getAttribute(WELCOMED) == null) { + session.setAttribute(WELCOMED, "true"); + } + + //go ahead and send them to webgoat (skip the welcome page) + ModelAndView model = new ModelAndView(); + //model.setViewName("welcome"); + //model.setViewName("main_new"); + model.setViewName("about"); + return model; + } + +} diff --git a/src/main/webapp/WEB-INF/pages/about.jsp b/src/main/webapp/WEB-INF/pages/about.jsp new file mode 100644 index 000000000..785761353 --- /dev/null +++ b/src/main/webapp/WEB-INF/pages/about.jsp @@ -0,0 +1,124 @@ +<%@ page contentType="text/html; charset=ISO-8859-1" language="java" + errorPage=""%> + + + + + +
+ +

About WebGoat

+
+
+

Thank you for using WebGoat! This program is a demonstration of common web application flaws. + The exercises are intended to provide hands on experience with + application penetration testing techniques.

+

The WebGoat project is led + by Bruce Mayhew. Please send all comments to Bruce at [TODO, session was blowing up here for some reason].

+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
OWASP Foundation
+ 		+
Aspect Security
+
+
+ WebGoat Authors
+
+
+ Bruce Mayhew
+
+
+ Jeff Williams
+
+

+ WebGoat Design Team
+ 		+

+ V5.4 Lesson Contributers
+
+
David Anderson
+
Laurence Casey (Graphics)
+
Rogan Dawes
+
Bruce Mayhew
+ 		+
Sherif Koussa
+
Yiannis Pavlosoglou
+
+ +
+
Special Thanks + for V5.4
+ 		+
Documentation + Contributers
+
+
Brian Ciomei (Multitude of bug fixes)
+
To all who have sent comments
+ + 		+
+ Erwin Geirnaert
+
+ Aung Khant
+
+ Sherif Koussa +
+
+
 
+
+
+
 
+
 
+
 
+
WARNING
+ While running this program, your machine is extremely vulnerable to + attack if you are not running on localhost. If you are NOT running on localhost (default configuration), You should disconnect from the network while using this program. +
+
+ This program is for educational purposes only. Use of these techniques + without permission could lead to job termination, financial liability, + and/or criminal penalties.
+
+
+ +
+ + diff --git a/src/main/webapp/WEB-INF/pages/main_new.jsp b/src/main/webapp/WEB-INF/pages/main_new.jsp index 9dce8ee1d..602a00a94 100644 --- a/src/main/webapp/WEB-INF/pages/main_new.jsp +++ b/src/main/webapp/WEB-INF/pages/main_new.jsp @@ -76,7 +76,7 @@

Lesson Title in here

- - - + +
- +
@@ -140,57 +140,57 @@
-

Cookies / Parameters

+

Cookies / Parameters

-
-
-

Cookies

- - - - - - - - - - - - -
FieldValue
{{key}}{{value}}
-
-
-

Params

- - - - - - - - - - -
ParamValue
{{param.name}}{{param.value}}
- -
-
+
+
+

Cookies

+ + + + + + + + + + + + +
FieldValue
{{key}}{{value}}
+
+
+

Params

+ + + + + + + + + + +
ParamValue
{{param.name}}{{param.value}}
+ +
+
-
+

Hints

- - -
- {{curHint}} + + +
+ {{curHint}}
@@ -220,7 +220,7 @@

Lesson Plan

- +
@@ -239,7 +239,7 @@

Lesson Source Code

- 
{{source}}
+ 
{{source}}
@@ -255,76 +255,83 @@ + + diff --git a/src/main/webapp/js/goatControllers.js b/src/main/webapp/js/goatControllers.js index e29d16e09..88aa79379 100644 --- a/src/main/webapp/js/goatControllers.js +++ b/src/main/webapp/js/goatControllers.js @@ -7,162 +7,168 @@ * prepares and updates menu topic items for the view */ goat.controller('goatLesson', function($scope, $http, $modal, $log, $templateCache) { - $scope.cookies= []; - $scope.params=[]; + $scope.cookies = []; + $scope.params = []; //TODO: implement via separate promise and use config for menu (goat.data.loadMenuData()) $http({method: 'GET', url: goatConstants.lessonService}).then( - function(menuData) { - var menuItems = goat.utils.addMenuClasses(goatConstants.menuPrefix.concat(menuData.data)); - $scope.menuTopics = menuItems; - }, - function(error) { - // TODO - handle this some way other than an alert - console.error("Error rendering menu: " + error); - } + function(menuData) { + var menuItems = goat.utils.addMenuClasses(goatConstants.menuPrefix.concat(menuData.data)); + $scope.menuTopics = menuItems; + }, + function(error) { + // TODO - handle this some way other than an alert + console.error("Error rendering menu: " + error); + } ); - + $scope.renderLesson = function(url) { //console.log(url + ' was passed in'); // use jquery to render lesson content to div - $scope.hintIndex = 0; - - var curScope = $scope; - - - curScope.parameters = goat.utils.scrapeParams(url); + $scope.hintIndex = 0; + + var curScope = $scope; + + + curScope.parameters = goat.utils.scrapeParams(url); goat.data.loadLessonContent(url).then( - function(reply) { - $("#lesson_content").html(reply); - //hook forms - goat.utils.makeFormsAjax(); - $('#hintsView').hide(); - //render lesson title - $('#lessonTitle').text(goat.utils.extractLessonTitle($(reply))); - //@KLUGE to remove h1 after extracting and moving it to top - $('#lesson_content h1').remove() - // adjust menu to lessonContent size if necssary - //@TODO: this is still clunky ... needs some TLC - if ($('div.panel-body').height() > 400) { - $('#leftside-navigation').height($(window).height()); - } - //cookies - goat.data.loadCookies().then( - function(resp) { - curScope.cookies = resp; - } - ); - //hints - curScope.hintIndex=0; - goat.data.loadHints().then( - function (resp) { - curScope.hints = resp; - if (curScope.hints.length > 0 && curScope.hints[0].hint.indexOf(goatConstants.noHints) === -1) { - goat.utils.displayButton('showHintsBtn',true); - } else { - goat.utils.displayButton('showHintsBtn',false); + function(reply) { + $("#lesson_content").html(reply); + //hook forms + goat.utils.makeFormsAjax(); + $('#hintsView').hide(); + //render lesson title + $('#lessonTitle').text(goat.utils.extractLessonTitle($(reply))); + //@KLUGE to remove h1 after extracting and moving it to top + $('#lesson_content h1').remove() + // adjust menu to lessonContent size if necssary + //@TODO: this is still clunky ... needs some TLC + if ($('div.panel-body').height() > 400) { + $('#leftside-navigation').height($(window).height()); + } + //cookies + goat.data.loadCookies().then( + function(resp) { + curScope.cookies = resp; } - } - ); - //source - goat.data.loadSource().then( - function(resp) { - curScope.source = resp; - } - ); - //plan - goat.data.loadPlan().then( - function(resp) { - curScope.plan = resp; - } - ); - //solution - goat.data.loadSolution().then( - function(resp) { - curScope.solution = resp; - } - ); - goat.utils.scrollToTop(); - } - ); + ); + //hints + curScope.hintIndex = 0; + goat.data.loadHints().then( + function(resp) { + curScope.hints = resp; + if (curScope.hints.length > 0 && curScope.hints[0].hint.indexOf(goatConstants.noHints) === -1) { + goat.utils.displayButton('showHintsBtn', true); + } else { + goat.utils.displayButton('showHintsBtn', false); + } + } + ); + //source + goat.data.loadSource().then( + function(resp) { + curScope.source = resp; + } + ); + //plan + goat.data.loadPlan().then( + function(resp) { + curScope.plan = resp; + } + ); + //solution + goat.data.loadSolution().then( + function(resp) { + curScope.solution = resp; + } + ); + goat.utils.scrollToTop(); + } + ); }; - - $scope.showLessonSource = function () { - $('.lessonHelp').hide(); + + $scope.showLessonSource = function() { + $('.lessonHelp').hide(); $('#lesson_source_row').show(); goat.utils.scrollToHelp(); } - - $scope.showLessonPlan = function () { - $('.lessonHelp').hide(); - $("#lesson_plan").html($scope.plan); + + $scope.showLessonPlan = function() { + $('.lessonHelp').hide(); + $("#lesson_plan").html($scope.plan); $('#lesson_plan_row').show(); goat.utils.scrollToHelp(); } - $scope.showLessonSolution = function () { - $('.lessonHelp').hide(); - $("#lesson_solution").html($scope.solution); + $scope.showLessonSolution = function() { + $('.lessonHelp').hide(); + $("#lesson_solution").html($scope.solution); $('#lesson_solution_row').show(); goat.utils.scrollToHelp(); } - $scope.manageHintButtons = function () { - if ($scope.hintIndex === $scope.hints.length -1) { - $('#showNextHintBtn').css('visibility','hidden'); - } else if ($scope.hintIndex < $scope.hints.length - 1) { - $('#showNextHintBtn').css('visibility','visible'); - } - // - if ($scope.hintIndex === 0) { - $('#showPrevHintBtn').css('visibility','hidden'); - } else if ($scope.hintIndex > 0) { - $('#showPrevHintBtn').css('visibility','visible'); - } + $scope.manageHintButtons = function() { + if ($scope.hintIndex === $scope.hints.length - 1) { + $('#showNextHintBtn').css('visibility', 'hidden'); + } else if ($scope.hintIndex < $scope.hints.length - 1) { + $('#showNextHintBtn').css('visibility', 'visible'); + } + // + if ($scope.hintIndex === 0) { + $('#showPrevHintBtn').css('visibility', 'hidden'); + } else if ($scope.hintIndex > 0) { + $('#showPrevHintBtn').css('visibility', 'visible'); + } }; - + $scope.viewHints = function() { - if (!$scope.hints) { - return; - } - - $('.lessonHelp').hide(); + if (!$scope.hints) { + return; + } + + $('.lessonHelp').hide(); $('#lesson_hint_row').show(); goat.utils.scrollToHelp(); - $scope.curHint = $scope.hints[$scope.hintIndex].hint; - $scope.manageHintButtons(); + $scope.curHint = $scope.hints[$scope.hintIndex].hint; + $scope.manageHintButtons(); }; - + $scope.viewNextHint = function() { - $scope.hintIndex++; - $scope.curHint = $scope.hints[$scope.hintIndex].hint; - $scope.manageHintButtons(); + $scope.hintIndex++; + $scope.curHint = $scope.hints[$scope.hintIndex].hint; + $scope.manageHintButtons(); }; - - $scope.viewPrevHint = function () { - $scope.hintIndex--; - $scope.curHint = $scope.hints[$scope.hintIndex].hint; - $scope.manageHintButtons(); + + $scope.viewPrevHint = function() { + $scope.hintIndex--; + $scope.curHint = $scope.hints[$scope.hintIndex].hint; + $scope.manageHintButtons(); }; - - $scope.hideHints = function () { - + + $scope.hideHints = function() { + }; - - - }).animation('.slideDown', function() { - var NgHideClassName = 'ng-hide'; - return { - beforeAddClass: function(element, className, done) { - if (className === NgHideClassName) { - $(element).slideUp(done); - } - }, - removeClass: function(element, className, done) { - if (className === NgHideClassName) { - $(element).hide().slideDown(done); - } - } - }; - - - }); + + $scope.showAbout = function() { + $('#aboutModal').modal({ + remote: 'about.mvc' + }); + }; + + +}).animation('.slideDown', function() { + var NgHideClassName = 'ng-hide'; + return { + beforeAddClass: function(element, className, done) { + if (className === NgHideClassName) { + $(element).slideUp(done); + } + }, + removeClass: function(element, className, done) { + if (className === NgHideClassName) { + $(element).hide().slideDown(done); + } + } + }; + + +});