diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/Flag.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/Flag.java
index 410d3df3f..159e91b8d 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/Flag.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/Flag.java
@@ -39,7 +39,7 @@ public class Flag extends Endpoint {
 @PostConstruct
 public void initFlags() {
- IntStream.range(1, 4).forEach(i -> FLAGS.put(i, UUID.randomUUID().toString()));
+ IntStream.range(1, 5).forEach(i -> FLAGS.put(i, UUID.randomUUID().toString()));
 }
 @Override
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Assignment4.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Assignment4.java
new file mode 100644
index 000000000..b0c288f4e
--- /dev/null
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Assignment4.java
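Review bot: The new upper bound in `IntStream.range(1, 5)` is a magic number that has to be bumped by hand every time a challenge is added, which is exactly what this commit does. A named constant, e.g. `private static final int NUMBER_OF_CHALLENGES = 4;` used as `IntStream.rangeClosed(1, NUMBER_OF_CHALLENGES)`, would make the intent explicit and keep the flag count in one place. The enclosing class `Flag` starts outside the hunk.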
@@ -0,0 +1,35 @@
+package org.owasp.webgoat.plugin.challenge4;
+
+import org.apache.commons.lang3.StringUtils;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.springframework.web.bind.annotation.*;
+
+import static org.springframework.web.bind.annotation.RequestMethod.POST;
+
+/**
+ * @author nbaars
+ * @since 4/8/17.
+ */
+@AssignmentPath("/challenge/4")
+public class Assignment4 extends AssignmentEndpoint {
+
+ @PutMapping //assignment path is bounded to class so we use different http method :-)
+ @ResponseBody
+ public AttackResult test() {
+ return success().build();
+ }
+
+ @RequestMapping(method = POST)
+ @ResponseBody
+ public AttackResult login(@RequestParam String username, @RequestParam String password) throws Exception {
+ if (StringUtils.isAlphanumeric(username) && StringUtils.isAlphanumeric(password)) {
+ return success().build();
+ } else {
+ return failed().build();
+ }
+ }
+
+}
+
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Challenge4.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Challenge4.java
new file mode 100644
index 000000000..0e878d761
--- /dev/null
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Challenge4.java
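Review bot: `login()` marks the assignment solved for any username/password pair that passes `StringUtils.isAlphanumeric`, and `test()` does the same for any PUT request with no check at all, so the lesson can be completed without doing what the lesson plan in this same commit asks ("Can you login as Tom?"). If this is scaffolding to be finished later, say so in a comment, e.g. `// TODO: completion is not yet tied to the intended solution; any alphanumeric credentials pass`, and drop `test()` before release; otherwise the success branch should depend on the real credentials check. The `throws Exception` on `login()` is not needed since nothing in the body throws a checked exception, and removing it spares callers from handling a bare `Exception`.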
@@ -0,0 +1,39 @@
+package org.owasp.webgoat.plugin.challenge4;
+
+import com.google.common.collect.Lists;
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.NewLesson;
+
+import java.util.List;
+
+/**
+ * @author nbaars
+ * @since 3/21/17.
+ */
+public class Challenge4 extends NewLesson {
+
+ @Override
+ public Category getDefaultCategory() {
+ return Category.CHALLENGE;
+ }
+
+ @Override
+ public List getHints() {
+ return Lists.newArrayList();
+ }
+
+ @Override
+ public Integer getDefaultRanking() {
+ return 10;
+ }
+
+ @Override
+ public String getTitle() {
+ return "challenge4.title";
+ }
+
+ @Override
+ public String getId() {
+ return "Challenge4";
+ }
+}
diff --git a/webgoat-lessons/challenge/src/main/resources/css/challenge4.css b/webgoat-lessons/challenge/src/main/resources/css/challenge4.css
new file mode 100644
index 000000000..6a8635ae6
--- /dev/null
+++ b/webgoat-lessons/challenge/src/main/resources/css/challenge4.css
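Review bot: `getHints()` is declared with the raw type `List` and returns a mutable `Lists.newArrayList()` for what is a fixed, empty set of hints. If `NewLesson` declares the method as `List<String> getHints()`, overriding it as `public List<String> getHints()` and returning `Collections.emptyList()` (or `List.of()` on Java 9+) removes both the raw type and the Guava import from this class; if the superclass itself uses the raw type, the fix belongs there instead.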
@@ -0,0 +1,96 @@
+.panel-login {
+ border-color: #ccc;
+ -webkit-box-shadow: 0px 2px 3px 0px rgba(0,0,0,0.2);
+ -moz-box-shadow: 0px 2px 3px 0px rgba(0,0,0,0.2);
+ box-shadow: 0px 2px 3px 0px rgba(0,0,0,0.2);
+}
+.panel-login>.panel-heading {
+ color: #00415d;
+ background-color: #fff;
+ border-color: #fff;
+ text-align:center;
+}
+.panel-login>.panel-heading a{
+ text-decoration: none;
+ color: #666;
+ font-weight: bold;
+ font-size: 15px;
+ -webkit-transition: all 0.1s linear;
+ -moz-transition: all 0.1s linear;
+ transition: all 0.1s linear;
+}
+.panel-login>.panel-heading a.active{
+ color: #029f5b;
+ font-size: 18px;
+}
+.panel-login>.panel-heading hr{
+ margin-top: 10px;
+ margin-bottom: 0px;
+ clear: both;
+ border: 0;
+ height: 1px;
+ background-image: -webkit-linear-gradient(left,rgba(0, 0, 0, 0),rgba(0, 0, 0, 0.15),rgba(0, 0, 0, 0));
+ background-image: -moz-linear-gradient(left,rgba(0,0,0,0),rgba(0,0,0,0.15),rgba(0,0,0,0));
+ background-image: -ms-linear-gradient(left,rgba(0,0,0,0),rgba(0,0,0,0.15),rgba(0,0,0,0));
+ background-image: -o-linear-gradient(left,rgba(0,0,0,0),rgba(0,0,0,0.15),rgba(0,0,0,0));
+}
+.panel-login input[type="text"],.panel-login input[type="email"],.panel-login input[type="password"] {
+ height: 45px;
+ border: 1px solid #ddd;
+ font-size: 16px;
+ -webkit-transition: all 0.1s linear;
+ -moz-transition: all 0.1s linear;
+ transition: all 0.1s linear;
+}
+.panel-login input:hover,
+.panel-login input:focus {
+ outline:none;
+ -webkit-box-shadow: none;
+ -moz-box-shadow: none;
+ box-shadow: none;
+ border-color: #ccc;
+}
+.btn-login {
+ background-color: #59B2E0;
+ outline: none;
+ color: #fff;
+ font-size: 14px;
+ height: auto;
+ font-weight: normal;
+ padding: 14px 0;
+ text-transform: uppercase;
+ border-color: #59B2E6;
+}
+.btn-login:hover,
+.btn-login:focus {
+ color: #fff;
+ background-color: #53A3CD;
+ border-color: #53A3CD;
+}
+.forgot-password {
+ text-decoration: underline;
+ color: #888;
+}
+.forgot-password:hover,
+.forgot-password:focus {
+ text-decoration: underline;
+ color: #666;
+}
+
+.btn-register {
+ background-color: #1CB94E;
+ outline: none;
+ color: #fff;
+ font-size: 14px;
+ height: auto;
+ font-weight: normal;
+ padding: 14px 0;
+ text-transform: uppercase;
+ border-color: #1CB94A;
+}
+.btn-register:hover,
+.btn-register:focus {
+ color: #fff;
+ background-color: #1CA347;
+ border-color: #1CA347;
+}
diff --git a/webgoat-lessons/challenge/src/main/resources/html/Challenge4.html b/webgoat-lessons/challenge/src/main/resources/html/Challenge4.html
index 35918a7a8..2ae38ce0e 100644
--- a/webgoat-lessons/challenge/src/main/resources/html/Challenge4.html
+++ b/webgoat-lessons/challenge/src/main/resources/html/Challenge4.html
@@ -5,85 +5,89 @@
- - + +
-
-
- -
- -
-
-

Samsung Galaxy S8

-
Samsung ยท - (124421 reviews) -
- -
- PRICE -
-

US $899

- -
-
- COLOR -
-
-
-
+
+ -
-
- CAPACITY -
-
-
64 GB
-
128 GB
+
+
+
+ +
+ +
+
+ +
+
+ + +
+
+
+
+ +
+
+
+
+
+ +
+
+ + +
+
-
-
- QUANTITY -
-
-
- -
-
-
- -
-
- CHECKOUT CODE -
- - - -
- -
- -
- Like
-
- -
-
diff --git a/webgoat-lessons/challenge/src/main/resources/js/challenge4.js b/webgoat-lessons/challenge/src/main/resources/js/challenge4.js
new file mode 100644
index 000000000..9107e1176
--- /dev/null
+++ b/webgoat-lessons/challenge/src/main/resources/js/challenge4.js
@@ -0,0 +1,18 @@
+$(function() {
+
+ $('#login-form-link').click(function(e) {
+ $("#login-form").delay(100).fadeIn(100);
+ $("#register-form").fadeOut(100);
+ $('#register-form-link').removeClass('active');
+ $(this).addClass('active');
+ e.preventDefault();
+ });
+ $('#register-form-link').click(function(e) {
+ $("#register-form").delay(100).fadeIn(100);
+ $("#login-form").fadeOut(100);
+ $('#login-form-link').removeClass('active');
+ $(this).addClass('active');
+ e.preventDefault();
+ });
+
+});
\ No newline at end of file
diff --git a/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_4.adoc b/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_4.adoc
index 60cb2eb18..6038adf55 100644
--- a/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_4.adoc
+++ b/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_4.adoc
@@ -1 +1 @@
-No need to pay (fixed after private disclosure), do you need to pay now?
\ No newline at end of file
+Can you login as Tom?
\ No newline at end of file
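Review bot: The two click handlers in challenge4.js are mirror images of each other, differing only in the three selectors, and the file is committed without a trailing newline (`\ No newline at end of file`). Pulling the shared show/hide/activate sequence into one helper removes the duplication and makes adding another tab a one-line call. The rewrite below replaces the whole file, since the file consists only of these two handlers.
```javascript
$(function() {
  // Reveal one form, hide the other and move the 'active' marker to the clicked tab link.
  function switchForm(e, showId, hideId, otherLinkId) {
    $(showId).delay(100).fadeIn(100);
    $(hideId).fadeOut(100);
    $(otherLinkId).removeClass('active');
    $(this).addClass('active');
    e.preventDefault();
  }

  $('#login-form-link').click(function(e) {
    switchForm.call(this, e, '#login-form', '#register-form', '#register-form-link');
  });
  $('#register-form-link').click(function(e) {
    switchForm.call(this, e, '#register-form', '#login-form', '#login-form-link');
  });
});
```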