Draft Vuln components

webgoat-lessons/vulnerable-components/.gitignore

@@ -0,0 +1 @@
+/target/

webgoat-lessons/vulnerable-components/pom.xml

@@ -0,0 +1,12 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <artifactId>vulnerable-components</artifactId>
+    <packaging>jar</packaging>
+    <parent>
+        <groupId>org.owasp.webgoat.lesson</groupId>
+        <artifactId>webgoat-lessons-parent</artifactId>
+        <version>8.0-SNAPSHOT</version>
+    </parent>
+
+</project>

webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/plugin/VulnerableComponents.java

@@ -0,0 +1,63 @@
+package org.owasp.webgoat.plugin;
+
+import com.beust.jcommander.internal.Lists;
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.NewLesson;
+
+import java.util.List;
+
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ * <p>
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * <p>
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ * <p>
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ * <p>
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ * <p>
+ * Getting Source ==============
+ * <p>
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ * <p>
+ *
+ * @author WebGoat
+ * @version $Id: $Id
+ * @since October 12, 2016
+ */
+public class VulnerableComponents extends NewLesson {
+    @Override
+    public Category getDefaultCategory() {
+        return Category.VULNERABLE_COMPONENTS;
+    }
+
+    @Override
+    public List<String> getHints() {
+        return Lists.newArrayList();
+    }
+
+    @Override
+    public Integer getDefaultRanking() {
+        return 1;
+    }
+
+    @Override
+    public String getTitle() {
+        return "vulnerable-components.title";
+    }
+
+    @Override
+    public String getId() {
+        return "VulnerableComponents";
+    }
+}

webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/plugin/VulnerableComponentsLesson.java

@@ -0,0 +1,62 @@
+package org.owasp.webgoat.plugin;
+
+import org.owasp.webgoat.endpoints.AssignmentEndpoint;
+import org.owasp.webgoat.endpoints.AssignmentHints;
+import org.owasp.webgoat.endpoints.AssignmentPath;
+import org.owasp.webgoat.lessons.AttackResult;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.ws.rs.Path;
+
+import java.io.IOException;
+
+/**
+ * *************************************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project
+ * utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; either version 2 of the License, or (at your option) any later
+ * version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
+ *
+ * For details, please see http://webgoat.github.io
+ *
+ * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
+ * @created October 28, 2003
+ */
+@AssignmentPath("/VulnerableComponents/attack1")
+//@AssignmentHints({"http-basics.hints.http_basics_lesson.1"})
+public class VulnerableComponentsLesson extends AssignmentEndpoint {
+
+	@RequestMapping(method = RequestMethod.POST)
+	public @ResponseBody AttackResult completed(@RequestParam String person, HttpServletRequest request) throws IOException {
+	    if (!person.toString().equals("")) {
+	        return trackProgress(AttackResult.success("The server has reversed your name: " + new StringBuffer(person).reverse().toString()));
+	    } else {
+	        return trackProgress(AttackResult.failed("You are close, try again"));
+	    }
+	}
+}

webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/plugin/VulnerableComponentsQuiz.java

@@ -0,0 +1,67 @@
+package org.owasp.webgoat.plugin;
+
+import org.owasp.webgoat.endpoints.AssignmentEndpoint;
+import org.owasp.webgoat.endpoints.AssignmentPath;
+import org.owasp.webgoat.lessons.AttackResult;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.ws.rs.Path;
+
+import java.io.IOException;
+
+/**
+ * *************************************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project
+ * utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; either version 2 of the License, or (at your option) any later
+ * version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
+ *
+ * For details, please see http://webgoat.github.io
+ *
+ * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
+ * @created October 28, 2003
+ */
+@AssignmentPath("/VulnerableComponents/attack2")
+public class VulnerableComponentsQuiz extends AssignmentEndpoint {
+
+	@RequestMapping(method = RequestMethod.POST)
+	public @ResponseBody AttackResult completed(@RequestParam String answer, @RequestParam String magic_answer, @RequestParam String magic_num, HttpServletRequest request) throws IOException {
+        if ("POST".equals(answer.toUpperCase()) && magic_answer.equals(magic_num)) {
+	        return trackProgress(AttackResult.success());
+	    } else {
+	    	StringBuffer message = new StringBuffer();
+	    	if (!"POST".equals(answer.toUpperCase())) {
+	    		message.append("The HTTP Command is incorrect.  ");
+ 			}
+	    	if (!magic_answer.equals(magic_num)){
+	    		message.append("The magic number is incorrect.  ");
+	    	}
+	        return trackProgress(AttackResult.failed("You are close, try again.  " + message.toString()));
+	    }
+	}
+}

webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/html/VulnerableComponents.html

@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+
+<html xmlns:th="http://www.thymeleaf.org">
+
+	<div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
+		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+		<div class="adoc-content" th:replace="doc:VulnerableComponents_plan.adoc"></div>
+	</div>
+
+
+	<div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+        <!-- include content here. Content will be presented via asciidocs files,
+        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+		<div class="adoc-content" th:replace="doc:VulnerableComponents_content2.adoc"></div>
+		<div class="attack-container">
+			<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
+			<div id="lessonContent">
+                <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
+                <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
+                <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
+					<script src="https://code.jquery.com/ui/1.11.4/jquery-ui.js"></script>
+					<script>
+					webgoat.customjs.jquery_2_1_4(document).ready(function() { alert(webgoat.customjs.jquery_2_1_4().jquery); });
+					$(document).ready(function() { alert(jQuery.fn.jquery); });
+					</script>
+				    <div id="dialog" title="Dialog Title">Content here!</div>
+				<!-- do not remove the two following div's, this is where your feedback/output will land -->
+				<div class="attack-feedback"></div>
+				<div class="attack-output"></div>
+				<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
+			</div>
+
+		</div>
+	</div>
+
+</html>

webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_ProxyIntro1.adoc

@@ -0,0 +1,30 @@
+= HTTP Basics : Proxy
+ 
+== HTTP Proxy Setup
+
+HTTP Proxies are tools that allow an attacker, developer or researcher to act as a man-in-the-middle on requests and responses. Since this is an
+OWASP project, we'll be using ZAP. If you are comfortable using another proxy (e.g. Burp), you can skip this. Otherwise,
+this will show you how to set up ZAP to act as a proxy on your localhost.
+
+=== Setting up ZAP
+
+Once you have 'installed' ZAP (you don't really install it, just unpack it and run it locally), we will need to:
+
+* Start ZAP
+* Configure the local proxy port
+* Point the browser at the proxy
+
+=== Start ZAP
+When ZAP starts, you will be presented with a dialog such as the one below ...
+
+image::plugin_lessons/plugin/HttpBasics/images/zap-start.png[ZAP Start,548,256,style="lesson-image"]
+
+=== Configure Proxy's Port
+
+. Select Tools > Options from the menu
+. Select Local Proxy on the left
+. Choose an available port ... Since WebGoat is using port 8080, use something different like 8090
+. Click OK
+
+image::plugin_lessons/plugin/HttpBasics/images/zap-local-proxy.png[ZAP local proxy,800,648,style="lesson-image"]
+

webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_ProxyIntro2.adoc

@@ -0,0 +1,31 @@
+== HTTP Proxy Setup: The Browser
+
+=== Point Browser at Proxy
+
+There are many plugins to manage this, but this will show you how to do this manually in Firefox and Chrome.
+This will send all of your traffic to the proxy. Since we haven't set up a trusted cert. yet, that may cause issues with any https requests. More on that in a bit though. Let's stick to basics for now:
+
+==== Firefox Proxy Config
+
+. Go to your Firefox Preferences (Mac, Linux) or Options (Windows) from the menu.
+. Select _Advanced_ on the left
+. Select _Network_ in the in Advanced Pane
+. Click _Settings_
+. Select _Manual proxy configuration_
+.. input *127.0.0.1* as the Proxy
+.. input *8090* as the port
+.. check the _Use this proxy server for all protocols_ checkbox
+
+image::plugin_lessons/plugin/HttpBasics/images/firefox-proxy-config.png[Firefox Proxy Config,510,634,style="lesson-image"]
+
+==== Chrome Proxy Config
+
+. Bring up Chrome's settings form the menu
+. In the _Search settings_ box type in *proxy* and hit Enter/Return. This should bring up the Network heading with a _Change proxy settings_ button.
+. Click the _Change proxy settings_ button
+. Select the _proxies_ tab
+. Select Web Proxy (HTTP)
+. Input 127..0.0.1 in the first box under _Web Proxy Server_ and your port # (8090 is what used earlier) in the second box (to the right)
+. You may also want to clear the _Bypass proxy settings for these Hosts & Domains_ text input at the bottom, but shouldn't need to
+
+image::plugin_lessons/plugin/HttpBasics/images/chrome-manual-proxy.png[Chrome Proxy Config,700,447,style="lesson-image"]

webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_ProxyIntro3.adoc

@@ -0,0 +1,6 @@
+=== Confirm it's working
+
+You should now be able to browse somewhere. We suggest starting with a plain http host.
+If it's working, ZAP's history tab will start to look something like this.
+
+image::plugin_lessons/plugin/HttpBasics/images/zap-history.png[ZAP history tab,1269,337,style="lesson-image"]

webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content1.adoc

@@ -0,0 +1,8 @@
+
+Enter your name in the input field below and press "Go!" to submit.	The server will accept the request, reverse the input and display it back to the user, illustrating the basics of handling an HTTP	request. 
+
+The user should become familiar with the features of WebGoat by manipulating the above buttons to view hints, show the HTTP request parameters, the HTTP request cookies, and the Java source code. You may also try using OWASP ZAP Attack Proxy to see the HTTP data.
+
+== Try It!
+
+Enter your name in the input field below and press "Go!" to submit. The server will accept the request, reverse the input and display it back to the user, illustrating the basics of handling an HTTP request.

webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content2.adoc

@@ -0,0 +1,4 @@
+== The Quiz
+
+What type of HTTP command did WebGoat use for this lesson.  A POST or a GET.
+

webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_plan.adoc

@@ -0,0 +1,11 @@
+= Vulnerable Components 
+ 
+== Concept 
+
+The way we build software has changed.  The open source community is maturing and the availability of open source software has become prolific without regard to determining the provenance of the libraries used in our applications. Ref: 
+
+== Goals
+
+The user will become familiar with exploiting components with known vulnerabilities.
+
+image::plugin_lessons/plugin/VulnerableComponents/images/OWASP-2013-A9.png[caption="Figure: ", title="OWASP-2013-A9", alt="A9", width="800", height="500", style="lesson-image" link="https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities"]

webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonSolutions/en/VulnerableComponents_solution.adoc

@@ -0,0 +1,5 @@
+= HTTP Basics 
+ 
+== Solution 
+
+Solution goes here

webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonSolutions/html/VulnerableComponents.html

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+
+<html xmlns:th="http://www.thymeleaf.org">
+
+
+
+	<div class="lesson-page-wrapper">
+		<!-- reuse this block for each 'page' of content -->
+		<!-- include content here ... will be first page/tab  multiple -->
+		<div class="adoc-content" th:replace="doc:VulnerableComponents_solution.adoc"></div>
+	</div>
+
+
+</html>

webgoat-lessons/vulnerable-components/src/main/resources/plugin/i18n/WebGoatLabels.properties

@@ -0,0 +1,3 @@
+vulnerable-components.title=Vulnerable Components
+EnterYourName=Enter your Name
+Go!=Go!