dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

XXE checkin

Browse Source
This commit is contained in:
Nanne Baars
2016-11-18 10:39:39 +01:00
parent 38e5999472
commit f2a114419a
13 changed files with 329 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
View File

@ -35,6 +35,7 @@ import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
@ -50,7 +51,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security = http
.authorizeRequests()
.antMatchers("/css/**", "/images/**", "/js/**", "fonts/**", "/plugins/**", "plugin_lessons/**").permitAll()
.antMatchers("/css/**", "/images/**", "/js/**", "fonts/**", "/plugins/**").permitAll()
.antMatchers("/servlet/AdminServlet/**").hasAnyRole("WEBGOAT_ADMIN", "SERVER_ADMIN") //
.antMatchers("/JavaSource/**").hasRole("SERVER_ADMIN") //
.anyRequest().hasAnyRole("WEBGOAT_USER", "WEBGOAT_ADMIN", "SERVER_ADMIN");
@ -65,8 +66,14 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
.logout()
.permitAll();
security.and().csrf().disable();
http.headers().cacheControl().disable();
http.headers().cacheControl().disable();
}
//// TODO: 11/18/2016 make this a little bit more configurabe last part at least
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/plugin_lessons/**", "/XXE/**");
}
@Autowired

11
webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/AttackResult.java
View File

@ -43,17 +43,26 @@ public class AttackResult {
}
public static AttackResult success(String feedback) {
return success(feedback, "");
}
public static AttackResult success(String feedback, String output) {
AttackResult attackResult = new AttackResult();
attackResult.lessonCompleted = true;
attackResult.feedback = feedback;
attackResult.output = "";
attackResult.output = output;
return attackResult;
}
public static AttackResult failed(String feedback) {
return failed(feedback, "");
}
public static AttackResult failed(String feedback, String output) {
AttackResult attackResult = new AttackResult();
attackResult.lessonCompleted = false;
attackResult.feedback = feedback;
attackResult.output = output;
return attackResult;
}