From f520c3589cd10f90a5506dba1055191f574910d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Zubcevic?= <rene@zubcevic.com>
Date: Thu, 7 May 2020 11:04:00 +0200
Subject: [PATCH] flag submission fixed (#812)

---
 .../org/owasp/webgoat/users/Scoreboard.java   |  4 ++
 .../java/org/owasp/webgoat/ChallengeTest.java | 59 +++++++++++++++++++
 .../org/owasp/webgoat/challenges/Flag.java    | 28 ++++-----
 3 files changed, 76 insertions(+), 15 deletions(-)
 create mode 100644 webgoat-integration-tests/src/test/java/org/owasp/webgoat/ChallengeTest.java

diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/Scoreboard.java b/webgoat-container/src/main/java/org/owasp/webgoat/users/Scoreboard.java
index 43801e2db..06d789e13 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/users/Scoreboard.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/users/Scoreboard.java
@@ -38,6 +38,10 @@ public class Scoreboard {
         List<WebGoatUser> allUsers = userRepository.findAll();
         List<Ranking> rankings = new ArrayList<>();
         for (WebGoatUser user : allUsers) {
+        	if (user.getUsername().startsWith("csrf-")) {
+        		//the csrf- assignment specific users do not need to be in the overview
+        		continue;
+        	}
             UserTracker userTracker = userTrackerRepository.findByUser(user.getUsername());
             rankings.add(new Ranking(user.getUsername(), challengesSolved(userTracker)));
         }
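Review bot: The new filter at the top of the loop identifies the CSRF lesson's synthetic accounts purely by the `csrf-` username prefix, so any self-registered user who happens to pick a name starting with `csrf-` is silently dropped from the scoreboard, and nothing here documents that the prefix is a contract shared with the CSRF assignment. I would at least hoist the prefix into a named constant and state the dependency, e.g. `private static final String CSRF_USER_PREFIX = "csrf-"; // must match the usernames the CSRF assignment creates` and `if (user.getUsername().startsWith(CSRF_USER_PREFIX)) { continue; }`. The added lines are also indented with tabs while the surrounding method uses spaces. The enclosing method starts before this hunk, so I cannot see whether the filtered users are referenced elsewhere in it.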
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/ChallengeTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/ChallengeTest.java
new file mode 100644
index 000000000..b8d9d3ce9
--- /dev/null
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/ChallengeTest.java
@@ -0,0 +1,59 @@
+package org.owasp.webgoat;
+
+
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.junit.jupiter.api.Test;
+
+import io.restassured.RestAssured;
+
+public class ChallengeTest extends IntegrationTest {
+	
+	@Test
+    public void testChallenge1() {
+    	startLesson("Challenge1");      
+    	
+    	Map<String, Object> params = new HashMap<>();
+        params.clear();
+        params.put("username", "admin");
+        params.put("password", "!!webgoat_admin_1234!!");
+       
+    	
+        checkAssignment(url("/WebGoat/challenge/1"), params, true);
+        String result = 
+        		RestAssured.given()
+                .when()
+                .relaxedHTTPSValidation()
+                .cookie("JSESSIONID", getWebGoatCookie())
+                .formParams(params)
+                .post(url("/WebGoat/challenge/1"))
+                .then()
+                .statusCode(200)
+                .extract().asString();
+        
+        String flag = result.substring(result.indexOf("flag")+6,result.indexOf("flag")+42);
+    	params.clear();
+       	params.put("flag", flag);
+        checkAssignment(url("/WebGoat/challenge/flag"), params, true);
+         
+  
+        checkResults("/challenge/1");      
+        
+        List<String> capturefFlags = 
+        		RestAssured.given()
+                .when()
+                .relaxedHTTPSValidation()
+                .cookie("JSESSIONID", getWebGoatCookie())
+                .get(url("/WebGoat/scoreboard-data"))
+                .then()
+                .statusCode(200)
+                .extract().jsonPath()
+                .get("find { it.username == \"" + getWebgoatUser() + "\" }.flagsCaptured");
+        assertTrue(capturefFlags.contains("Admin lost password"));
+    }
+    
+}
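Review bot: The flag is extracted with fixed character offsets from the raw response body (`result.indexOf("flag")+6` to `+42`), which presumably assumes a JSON `flag` field followed by a 36-character UUID; if the field is missing, `indexOf` returns -1 and `substring(5, 41)` yields an unrelated slice (or throws on a short body), so the test would fail later with a confusing "incorrect flag" message rather than at the real cause. I would guard the lookup and name the assumption: `int idx = result.indexOf("flag"); assertTrue(idx >= 0, "no flag in response: " + result); String flag = result.substring(idx + 6, idx + 42); // 36-char UUID after `flag": "`, or better, read it through `extract().jsonPath()` as the scoreboard call already does. The local `capturefFlags` is a typo for `capturedFlags`. The response body is also fetched by re-POSTing the same credentials after `checkAssignment` has already posted them; if that helper returns the response, the second request is redundant.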
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/Flag.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/Flag.java
index d9b7e9bba..3d20545f1 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/Flag.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/Flag.java
@@ -22,11 +22,15 @@
 
 package org.owasp.webgoat.challenges;
 
-import lombok.AllArgsConstructor;
-import lombok.Getter;
-import lombok.extern.slf4j.Slf4j;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.UUID;
+import java.util.stream.IntStream;
+
+import javax.annotation.PostConstruct;
+
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.i18n.PluginMessages;
 import org.owasp.webgoat.session.WebSession;
 import org.owasp.webgoat.users.UserTracker;
 import org.owasp.webgoat.users.UserTrackerRepository;
@@ -38,27 +42,21 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import javax.annotation.PostConstruct;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.UUID;
-import java.util.stream.IntStream;
+import lombok.AllArgsConstructor;
+import lombok.Getter;
 
 /**
  * @author nbaars
  * @since 3/23/17.
  */
-@Slf4j
 @RestController
-public class Flag {
+public class Flag extends AssignmentEndpoint {
 
     public static final Map<Integer, String> FLAGS = new HashMap<>();
     @Autowired
     private UserTrackerRepository userTrackerRepository;
     @Autowired
     private WebSession webSession;
-    @Autowired
-    private PluginMessages pluginMessages;
 
     @AllArgsConstructor
     private class FlagPosted {
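Review bot: `FLAGS` on the new side remains a `public static final Map<Integer, String>` backed by a plain `HashMap`, so the expected flags for every challenge are readable and writable by any class in the application, and the map is populated later without synchronization; since this commit reworks the class it would be the moment to narrow that to package-private or expose an unmodifiable view, e.g. `private static final Map<Integer, String> FLAGS = new HashMap<>();` plus a `static String flagFor(int challenge)` accessor, assuming no lesson outside this package reads it (I cannot see other users from here). `FlagPosted` is a non-static inner class and therefore carries a hidden reference to the enclosing `Flag` controller; `private static class FlagPosted` avoids that. The class body continues past this hunk, so the `@PostConstruct` population of `FLAGS` and `FlagPosted`'s fields are not visible.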
@@ -81,10 +79,10 @@ public class Flag {
         final AttackResult attackResult;
         if (expectedFlag.equals(flag)) {
             userTracker.assignmentSolved(webSession.getCurrentLesson(), "Assignment" + challengeNumber);
-            attackResult = new AttackResult.AttackResultBuilder(pluginMessages).lessonCompleted(true, "challenge.flag.correct").build();
+            attackResult = success(this).feedback("challenge.flag.correct").build();
         } else {
             userTracker.assignmentFailed(webSession.getCurrentLesson());
-            attackResult = new AttackResult.AttackResultBuilder(pluginMessages).feedback("challenge.flag.incorrect").build();
+            attackResult = failed(this).feedback("challenge.flag.incorrect").build();
         }
         userTrackerRepository.save(userTracker);
         return attackResult;
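Review bot: The secret comparison on the unchanged line `if (expectedFlag.equals(flag))` is a plain `String.equals`, which short-circuits on the first differing character; for a submission endpoint that scores users it is cheap to use a constant-time check instead, `if (MessageDigest.isEqual(expectedFlag.getBytes(StandardCharsets.UTF_8), flag == null ? new byte[0] : flag.getBytes(StandardCharsets.UTF_8)))`. `expectedFlag` is computed before this hunk, presumably from `FLAGS.get(challengeNumber)`, so an unknown challenge number would make it null and the `equals` call would throw rather than return the `challenge.flag.incorrect` feedback; a null guard or `Objects.equals(flag, expectedFlag)` ordering would close that. The method's signature and the `expectedFlag` lookup are outside this hunk, so I cannot confirm how `challengeNumber` is validated.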