First setup for challenge 4

2017-04-15 18:12:25 +02:00 · 2017-04-15 18:12:25 +02:00 · ed0e1a1f37
commit ed0e1a1f37
parent 213e73bf02
7 changed files with 264 additions and 72 deletions
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/Flag.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/Flag.java
@ -39,7 +39,7 @@ public class Flag extends Endpoint {
    @PostConstruct
    public void initFlags() {
-        IntStream.range(1, 4).forEach(i -> FLAGS.put(i, UUID.randomUUID().toString()));
+        IntStream.range(1, 5).forEach(i -> FLAGS.put(i, UUID.randomUUID().toString()));
    }
    @Override
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Assignment4.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Assignment4.java
@ -0,0 +1,35 @@
 package org.owasp.webgoat.plugin.challenge4;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.springframework.web.bind.annotation.*;
 import static org.springframework.web.bind.annotation.RequestMethod.POST;
 /**
 * @author nbaars
 * @since 4/8/17.
 */
@AssignmentPath("/challenge/4")
 public class Assignment4 extends AssignmentEndpoint {
    @PutMapping  //assignment path is bounded to class so we use different http method :-)
    @ResponseBody
    public AttackResult test() {
        return success().build();
    }
    @RequestMapping(method = POST)
    @ResponseBody
    public AttackResult login(@RequestParam String username, @RequestParam String password) throws Exception {
        if (StringUtils.isAlphanumeric(username) && StringUtils.isAlphanumeric(password)) {
            return success().build();
        } else {
            return failed().build();
        }
    }
 }
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Challenge4.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Challenge4.java
@ -0,0 +1,39 @@
 package org.owasp.webgoat.plugin.challenge4;
 import com.google.common.collect.Lists;
 import org.owasp.webgoat.lessons.Category;
 import org.owasp.webgoat.lessons.NewLesson;
 import java.util.List;
 /**
 * @author nbaars
 * @since 3/21/17.
 */
 public class Challenge4 extends NewLesson {
    @Override
    public Category getDefaultCategory() {
        return Category.CHALLENGE;
    }
    @Override
    public List<String> getHints() {
        return Lists.newArrayList();
    }
    @Override
    public Integer getDefaultRanking() {
        return 10;
    }
    @Override
    public String getTitle() {
        return "challenge4.title";
    }
    @Override
    public String getId() {
        return "Challenge4";
    }
 }
--- a/webgoat-lessons/challenge/src/main/resources/css/challenge4.css
+++ b/webgoat-lessons/challenge/src/main/resources/css/challenge4.css
@ -0,0 +1,96 @@
 .panel-login {
    border-color: #ccc;
    -webkit-box-shadow: 0px 2px 3px 0px rgba(0,0,0,0.2);
    -moz-box-shadow: 0px 2px 3px 0px rgba(0,0,0,0.2);
    box-shadow: 0px 2px 3px 0px rgba(0,0,0,0.2);
 }
 .panel-login>.panel-heading {
    color: #00415d;
    background-color: #fff;
    border-color: #fff;
    text-align:center;
 }
 .panel-login>.panel-heading a{
    text-decoration: none;
    color: #666;
    font-weight: bold;
    font-size: 15px;
    -webkit-transition: all 0.1s linear;
    -moz-transition: all 0.1s linear;
    transition: all 0.1s linear;
 }
 .panel-login>.panel-heading a.active{
    color: #029f5b;
    font-size: 18px;
 }
 .panel-login>.panel-heading hr{
    margin-top: 10px;
    margin-bottom: 0px;
    clear: both;
    border: 0;
    height: 1px;
    background-image: -webkit-linear-gradient(left,rgba(0, 0, 0, 0),rgba(0, 0, 0, 0.15),rgba(0, 0, 0, 0));
    background-image: -moz-linear-gradient(left,rgba(0,0,0,0),rgba(0,0,0,0.15),rgba(0,0,0,0));
    background-image: -ms-linear-gradient(left,rgba(0,0,0,0),rgba(0,0,0,0.15),rgba(0,0,0,0));
    background-image: -o-linear-gradient(left,rgba(0,0,0,0),rgba(0,0,0,0.15),rgba(0,0,0,0));
 }
 .panel-login input[type="text"],.panel-login input[type="email"],.panel-login input[type="password"] {
    height: 45px;
    border: 1px solid #ddd;
    font-size: 16px;
    -webkit-transition: all 0.1s linear;
    -moz-transition: all 0.1s linear;
    transition: all 0.1s linear;
 }
 .panel-login input:hover,
 .panel-login input:focus {
    outline:none;
    -webkit-box-shadow: none;
    -moz-box-shadow: none;
    box-shadow: none;
    border-color: #ccc;
 }
 .btn-login {
    background-color: #59B2E0;
    outline: none;
    color: #fff;
    font-size: 14px;
    height: auto;
    font-weight: normal;
    padding: 14px 0;
    text-transform: uppercase;
    border-color: #59B2E6;
 }
 .btn-login:hover,
 .btn-login:focus {
    color: #fff;
    background-color: #53A3CD;
    border-color: #53A3CD;
 }
 .forgot-password {
    text-decoration: underline;
    color: #888;
 }
 .forgot-password:hover,
 .forgot-password:focus {
    text-decoration: underline;
    color: #666;
 }
 .btn-register {
    background-color: #1CB94E;
    outline: none;
    color: #fff;
    font-size: 14px;
    height: auto;
    font-weight: normal;
    padding: 14px 0;
    text-transform: uppercase;
    border-color: #1CB94A;
 }
 .btn-register:hover,
 .btn-register:focus {
    color: #fff;
    background-color: #1CA347;
    border-color: #1CA347;
 }
--- a/webgoat-lessons/challenge/src/main/resources/html/Challenge4.html
+++ b/webgoat-lessons/challenge/src/main/resources/html/Challenge4.html
@ -5,85 +5,89 @@
 <div class="lesson-page-wrapper">
    <div class="adoc-content" th:replace="doc:Challenge_4.adoc"></div>
-    <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge2.css}"/>
+    <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge4.css}"/>
-    <script th:src="@{/lesson_js/challenge2.js}" language="JavaScript"></script>
+    <script th:src="@{/lesson_js/challenge4.js}" language="JavaScript"></script>
    <div class="attack-container">
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <form class="attack-form" accept-charset="UNKNOWN"
              method="POST" name="form"
              action="/WebGoat/challenge/4"
              enctype="application/json;charset=UTF-8">
            <input id="discount" type="hidden" value="0"/>
            <div class="row">
-
+                <div class="col-md-6">
-                <div class="col-xs-3 item-photo">
+                    <div class="panel panel-login">
-                    <img style="max-width:100%;" th:src="@{/images/samsung-black.jpg}"/>
+                        <div class="panel-heading">
-                </div>
+                            <div class="row">
-                <div class="col-xs-5" style="border:0px solid gray">
+                                <div class="col-xs-6">
-                    <h3>Samsung Galaxy S8</h3>
+                                    <a href="#" class="active" id="login-form-link">Login</a>
-                    <h5 style="color:#337ab7"><a href="http://www.samsung.com">Samsung</a> ·
+                                </div>
-                        <small style="color:#337ab7">(124421 reviews)</small>
+                                <div class="col-xs-6">
-                    </h5>
+                                    <a href="#" id="register-form-link">Register</a>
-
+                                </div>
-                    <h6 class="title-price">
+                            </div>
-                        <small>PRICE</small>
+                            <hr/>
                    </h6>
                    <h3 style="margin-top:0px;"><span>US $</span><span id="price">899</span></h3>
                    <div class="section">
                        <h6 class="title-attr" style="margin-top:15px;">
                            <small>COLOR</small>
                        </h6>
                        <div>
                            <div class="attr" style="width:25px;background:lightgrey;"></div>
                            <div class="attr" style="width:25px;background:black;"></div>
                        </div>
-                    </div>
+                        <div class="panel-body">
-                    <div class="section" style="padding-bottom:5px;">
+                            <div class="row">
-                        <h6 class="title-attr">
+                                <div class="col-lg-12">
-                            <small>CAPACITY</small>
+                                    <form id="login-form" class="attack-form" accept-charset="UNKNOWN"
-                        </h6>
+                                          method="POST" name="form"
-                        <div>
+                                          action="/WebGoat/challenge/4"
-                            <div class="attr2">64 GB</div>
+                                          enctype="application/json;charset=UTF-8" role="form">
-                            <div class="attr2">128 GB</div>
+                                        <div class="form-group">
                                            <input type="text" name="username" id="username4" tabindex="1" class="form-control" placeholder="Username" value=""/>
                                        </div>
                                        <div class="form-group">
                                            <input type="password" name="password" id="password4" tabindex="2" class="form-control" placeholder="Password"/>
                                        </div>
                                        <div class="form-group text-center">
                                            <input type="checkbox" tabindex="3" class="" name="remember" id="remember"/>
                                            <label for="remember"> Remember me</label>
                                        </div>
                                        <div class="form-group">
                                            <div class="row">
                                                <div class="col-sm-6 col-sm-offset-3">
                                                    <input type="submit" name="login-submit" id="login-submit" tabindex="4" class="form-control btn-primary" value="Log In"/>
                                                </div>
                                            </div>
                                        </div>
                                        <div class="form-group">
                                            <div class="row">
                                                <div class="col-lg-12">
                                                    <div class="text-center">
                                                        <a href="#" tabindex="5" class="forgot-password">Forgot Password?</a>
                                                    </div>
                                                </div>
                                            </div>
                                        </div>
                                    </form>
                                    <form id="register-form" class="attack-form" accept-charset="UNKNOWN"
                                          method="PUT" name="form"
                                          action="/WebGoat/challenge/4"
                                          enctype="application/json;charset=UTF-8" style="display: none;" role="form">
                                        <div class="form-group">
                                            <input type="text" name="username-reg" id="username" tabindex="1" class="form-control" placeholder="Username" value=""/>
                                        </div>
                                        <div class="form-group">
                                            <input type="email" name="email-reg" id="email" tabindex="1" class="form-control" placeholder="Email Address" value=""/>
                                        </div>
                                        <div class="form-group">
                                            <input type="password" name="password-reg" id="password" tabindex="2" class="form-control" placeholder="Password"/>
                                        </div>
                                        <div class="form-group">
                                            <input type="password" name="confirm-password-reg" id="confirm-password" tabindex="2" class="form-control" placeholder="Confirm Password"/>
                                        </div>
                                        <div class="form-group">
                                            <div class="row">
                                                <div class="col-sm-6 col-sm-offset-3">
                                                    <input type="submit" name="register-submit" id="register-submit" tabindex="4" class="form-control btn btn-primary" value="Register Now"/>
                                                </div>
                                            </div>
                                        </div>
                                    </form>
                                </div>
                            </div>
                        </div>
                    </div>
                    <div class="section" style="padding-bottom:5px;">
                        <h6 class="title-attr">
                            <small>QUANTITY</small>
                        </h6>
                        <div>
                            <div class="btn-minus"><span class="glyphicon glyphicon-minus"></span></div>
                            <input class="quantity" value="1"/>
                            <div class="btn-plus"><span class="glyphicon glyphicon-plus"></span></div>
                        </div>
                    </div>
                    <div class="section" style="padding-bottom:5px;">
                        <h6 class="title-attr">
                            <small>CHECKOUT CODE</small>
                        </h6>
                        <!--
                          Checkout code: webgoat, owasp, owasp-webgoat
                        -->
                        <input name="checkoutCode" class="checkoutCode" value=""/>
                    </div>
                    <div class="section" style="padding-bottom:20px;">
                        <button type="submit" class="btn btn-success"><span style="margin-right:20px"
                                                                            class="glyphicon glyphicon-shopping-cart"
                                                                            aria-hidden="true"></span>Buy
                        </button>
                        <h6><a href="#"><span class="glyphicon glyphicon-heart-empty"
                                              style="cursor:pointer;"></span>
                            Like</a></h6>
                    </div>
                </div>
            </div>
        </form>
        <br/>
        <form class="attack-form form-inline" method="POST" name="form" action="/WebGoat/challenge/flag">
            <div class="form-group">
--- a/webgoat-lessons/challenge/src/main/resources/js/challenge4.js
+++ b/webgoat-lessons/challenge/src/main/resources/js/challenge4.js
@ -0,0 +1,18 @@
 $(function() {
    $('#login-form-link').click(function(e) {
        $("#login-form").delay(100).fadeIn(100);
        $("#register-form").fadeOut(100);
        $('#register-form-link').removeClass('active');
        $(this).addClass('active');
        e.preventDefault();
    });
    $('#register-form-link').click(function(e) {
        $("#register-form").delay(100).fadeIn(100);
        $("#login-form").fadeOut(100);
        $('#login-form-link').removeClass('active');
        $(this).addClass('active');
        e.preventDefault();
    });
 });
--- a/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_4.adoc
+++ b/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_4.adoc
@ -1 +1 @@
-No need to pay (fixed after private disclosure), do you need to pay now?
+Can you login as Tom?
		`@ -1 +1 @@`
			`No need to pay (fixed after private disclosure), do you need to pay now?`				`Can you login as Tom?`