dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Provide Server-side service to support UI localization #265 (#322)

Browse Source 
merging
This commit is contained in:
Nanne Baars
2017-01-31 17:52:33 +01:00
committed by misfir3
parent 355393352e
commit ee5a12d205
71 changed files with 875 additions and 926 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson1.java
View File

@ -1,19 +1,17 @@
package org.owasp.webgoat.plugin;
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Path;
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
import org.owasp.webgoat.endpoints.AssignmentPath;
import org.owasp.webgoat.lessons.AttackResult;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
/***************************************************************************************************
@ -52,9 +50,9 @@ public class CrossSiteScriptingLesson1 extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)
public @ResponseBody AttackResult completed(@RequestParam String answer_xss_1, HttpServletRequest request) throws IOException {
if (answer_xss_1.toString().toLowerCase().equals("yes")) {
return trackProgress(AttackResult.success());
return trackProgress(success().build());
} else {
return trackProgress(AttackResult.failed("Are you sure? Try using a tab from a different site."));
return trackProgress(failed().feedback("xss.lesson1.failure").build());
}
}
}

16
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java
View File

@ -1,19 +1,17 @@
package org.owasp.webgoat.plugin;
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Path;
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
import org.owasp.webgoat.endpoints.AssignmentPath;
import org.owasp.webgoat.lessons.AttackResult;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
/***************************************************************************************************
@ -64,6 +62,6 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
cart.append("<p>We have chaged credit card:" + field1 + "<br />");
cart.append( " ------------------- <br />");
cart.append( " $" + totalSale);
return trackProgress(AttackResult.failed(cart.toString()));
return trackProgress(failed().output(cart.toString()).build());
}
}

24
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5b.java
View File

@ -2,24 +2,8 @@ package org.owasp.webgoat.plugin;
import java.io.IOException;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
import java.sql.SQLException;
import java.sql.Statement;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Path;
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
import org.owasp.webgoat.endpoints.AssignmentPath;
import org.owasp.webgoat.lessons.AttackResult;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
@ -55,7 +39,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
*/
@AssignmentPath("/CrossSiteScripting/attack5b")
public class CrossSiteScriptingLesson5b extends AssignmentEndpoint {
/*
@RequestMapping(method = RequestMethod.POST)
public @ResponseBody AttackResult completed(@RequestParam String userid, HttpServletRequest request) throws IOException {
return injectableQuery(userid);
@ -225,6 +209,6 @@ public class CrossSiteScriptingLesson5b extends AssignmentEndpoint {
//
// }
*/
}

24
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson6a.java
View File

@ -1,24 +1,8 @@
package org.owasp.webgoat.plugin;
import java.io.IOException;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
import java.sql.SQLException;
import java.sql.Statement;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Path;
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
import org.owasp.webgoat.endpoints.AssignmentPath;
import org.owasp.webgoat.lessons.AttackResult;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
@ -54,7 +38,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
*/
@AssignmentPath("/CrossSiteScripting/attack6a")
public class CrossSiteScriptingLesson6a extends AssignmentEndpoint {
/*
@RequestMapping(method = RequestMethod.POST)
public @ResponseBody AttackResult completed(@RequestParam String userid_6a, HttpServletRequest request) throws IOException {
return injectableQuery(userid_6a);
@ -224,6 +208,6 @@ public class CrossSiteScriptingLesson6a extends AssignmentEndpoint {
//
// }
*/
}

26
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson6b.java
View File

@ -1,24 +1,22 @@
package org.owasp.webgoat.plugin;
import java.io.IOException;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Path;
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
import org.owasp.webgoat.endpoints.AssignmentPath;
import org.owasp.webgoat.lessons.AttackResult;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
/***************************************************************************************************
@ -57,9 +55,9 @@ public class CrossSiteScriptingLesson6b extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)
public @ResponseBody AttackResult completed(@RequestParam String userid_6b, HttpServletRequest request) throws IOException {
if (userid_6b.toString().equals(getPassword())) {
return trackProgress(AttackResult.success());
return trackProgress(success().build());
} else {
return trackProgress(AttackResult.failed("You are close, try again"));
return trackProgress(failed().build());
}
}

11
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScripting.java
View File

@ -1,15 +1,14 @@
package org.owasp.webgoat.plugin;
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
import org.owasp.webgoat.endpoints.AssignmentPath;
import org.owasp.webgoat.lessons.AttackResult;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Path;
import java.io.IOException;
/**
@ -24,9 +23,9 @@ public class DOMCrossSiteScripting extends AssignmentEndpoint {
throws IOException {
if (param1 == 42 && param2 == 24 && request.getHeader("webgoat-requested-by").equals("dom-xss-vuln")) {
return trackProgress(AttackResult.success("well done!"));
return trackProgress(success().build());
} else {
return trackProgress(AttackResult.failed("keep trying!"));
return trackProgress(failed().build());
}
}
}

2
webgoat-lessons/cross-site-scripting/src/main/resources/plugin/i18n/WebGoatLabels.properties
View File

@ -6,3 +6,5 @@ SqlStringInjectionHint1=The application is taking your input and inserting it at
SqlStringInjectionHint2=This is the code for the query being built and issued by WebGoat:<br><br> "SELECT * FROM user_data WHERE last_name = "accountName"
SqlStringInjectionHint3=Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. Try appending a SQL statement that always resolves to true
SqlStringInjectionHint4=Try entering [ smith' OR '1' = '1 ].
xss.lesson1.failure=Are you sure? Try using a tab from a different site.