flag submission fixed (#812)

This commit is contained in:
René Zubcevic 2020-05-07 11:04:00 +02:00 committed by GitHub
parent 832d6432fc
commit f520c3589c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 76 additions and 15 deletions


@ -38,6 +38,10 @@ public class Scoreboard {
List<WebGoatUser> allUsers = userRepository.findAll(); List<WebGoatUser> allUsers = userRepository.findAll();
List<Ranking> rankings = new ArrayList<>(); List<Ranking> rankings = new ArrayList<>();
for (WebGoatUser user : allUsers) { for (WebGoatUser user : allUsers) {
if (user.getUsername().startsWith("csrf-")) {
//the csrf- assignment specific users do not need to be in the overview
continue;
}
UserTracker userTracker = userTrackerRepository.findByUser(user.getUsername()); UserTracker userTracker = userTrackerRepository.findByUser(user.getUsername());
rankings.add(new Ranking(user.getUsername(), challengesSolved(userTracker))); rankings.add(new Ranking(user.getUsername(), challengesSolved(userTracker)));
} }
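Review bot: The new filter on the line `if (user.getUsername().startsWith("csrf-")) {` hides accounts by a bare string prefix, so the convention that CSRF-lesson helper accounts are named `csrf-…` now lives in two places with nothing tying them together, and any ordinary user who registers a name beginning with `csrf-` silently disappears from the scoreboard. I would hoist the literal into a named constant, `private static final String CSRF_USER_PREFIX = "csrf-";`, ideally the same constant the code that creates those accounts uses, and write the guard as `if (user.getUsername().startsWith(CSRF_USER_PREFIX)) {`. Whether registration already rejects such names cannot be seen from this hunk. The enclosing Scoreboard method starts and ends outside the hunk.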


@ -0,0 +1,59 @@
package org.owasp.webgoat;
import static org.junit.jupiter.api.Assertions.assertTrue;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.junit.jupiter.api.Test;
import io.restassured.RestAssured;
public class ChallengeTest extends IntegrationTest {
@Test
public void testChallenge1() {
startLesson("Challenge1");
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("username", "admin");
params.put("password", "!!webgoat_admin_1234!!");
checkAssignment(url("/WebGoat/challenge/1"), params, true);
String result =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.formParams(params)
.post(url("/WebGoat/challenge/1"))
.then()
.statusCode(200)
.extract().asString();
String flag = result.substring(result.indexOf("flag")+6,result.indexOf("flag")+42);
params.clear();
params.put("flag", flag);
checkAssignment(url("/WebGoat/challenge/flag"), params, true);
checkResults("/challenge/1");
List<String> capturefFlags =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("/WebGoat/scoreboard-data"))
.then()
.statusCode(200)
.extract().jsonPath()
.get("find { it.username == \"" + getWebgoatUser() + "\" }.flagsCaptured");
assertTrue(capturefFlags.contains("Admin lost password"));
}
}
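Review bot: The flag extraction on the line `String flag = result.substring(result.indexOf("flag")+6,result.indexOf("flag")+42);` relies on hand-counted offsets into the response body, so a changed response layout or a missing flag yields either a StringIndexOutOfBoundsException or a garbage substring (indexOf returns -1), which makes a failed challenge look like a broken test. The Flag endpoint in this same commit imports java.util.UUID to generate flags and 42-6 is exactly 36 characters, so the flag appears to be a raw UUID; matching it with a regex and asserting the match gives a precise failure message and drops the offsets (needs java.util.regex.Pattern and Matcher, plus the static import of assertNotNull). The scoreboard lookup has the same shape of problem: `find { ... }.flagsCaptured` yields null when the user is absent, so `capturefFlags.contains(...)` fails with an NPE rather than an assertion; an explicit null check before it, and fixing the `capturefFlags` typo, would help.

```java
private static final Pattern UUID_FLAG =
        Pattern.compile("[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}");

// … unchanged: startLesson, post admin credentials, extract the response body into `result` …
Matcher flagMatch = UUID_FLAG.matcher(result);
assertTrue(flagMatch.find(), "no UUID flag found in challenge response: " + result);
String flag = flagMatch.group();
// … unchanged: submit the flag, checkResults, fetch scoreboard-data into `capturedFlags` …
assertNotNull(capturedFlags, "user " + getWebgoatUser() + " missing from scoreboard-data");
assertTrue(capturedFlags.contains("Admin lost password"));
```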


@ -22,11 +22,15 @@
package org.owasp.webgoat.challenges; package org.owasp.webgoat.challenges;
import lombok.AllArgsConstructor; import java.util.HashMap;
import lombok.Getter; import java.util.Map;
import lombok.extern.slf4j.Slf4j; import java.util.UUID;
import java.util.stream.IntStream;
import javax.annotation.PostConstruct;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AttackResult; import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.i18n.PluginMessages;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.users.UserTracker; import org.owasp.webgoat.users.UserTracker;
import org.owasp.webgoat.users.UserTrackerRepository; import org.owasp.webgoat.users.UserTrackerRepository;
@ -38,27 +42,21 @@ import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController; import org.springframework.web.bind.annotation.RestController;
import javax.annotation.PostConstruct; import lombok.AllArgsConstructor;
import java.util.HashMap; import lombok.Getter;
import java.util.Map;
import java.util.UUID;
import java.util.stream.IntStream;
/** /**
* @author nbaars * @author nbaars
* @since 3/23/17. * @since 3/23/17.
*/ */
@Slf4j
@RestController @RestController
public class Flag { public class Flag extends AssignmentEndpoint {
public static final Map<Integer, String> FLAGS = new HashMap<>(); public static final Map<Integer, String> FLAGS = new HashMap<>();
@Autowired @Autowired
private UserTrackerRepository userTrackerRepository; private UserTrackerRepository userTrackerRepository;
@Autowired @Autowired
private WebSession webSession; private WebSession webSession;
@Autowired
private PluginMessages pluginMessages;
@AllArgsConstructor @AllArgsConstructor
private class FlagPosted { private class FlagPosted {
@ -81,10 +79,10 @@ public class Flag {
final AttackResult attackResult; final AttackResult attackResult;
if (expectedFlag.equals(flag)) { if (expectedFlag.equals(flag)) {
userTracker.assignmentSolved(webSession.getCurrentLesson(), "Assignment" + challengeNumber); userTracker.assignmentSolved(webSession.getCurrentLesson(), "Assignment" + challengeNumber);
attackResult = new AttackResult.AttackResultBuilder(pluginMessages).lessonCompleted(true, "challenge.flag.correct").build(); attackResult = success(this).feedback("challenge.flag.correct").build();
} else { } else {
userTracker.assignmentFailed(webSession.getCurrentLesson()); userTracker.assignmentFailed(webSession.getCurrentLesson());
attackResult = new AttackResult.AttackResultBuilder(pluginMessages).feedback("challenge.flag.incorrect").build(); attackResult = failed(this).feedback("challenge.flag.incorrect").build();
} }
userTrackerRepository.save(userTracker); userTrackerRepository.save(userTracker);
return attackResult; return attackResult;
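Review bot: The flag check on the line `if (expectedFlag.equals(flag)) {` compares a secret with String.equals, which returns at the first differing character and therefore leaks timing; the commit rewrites how the result is built on both branches but leaves the comparison itself as it was. A constant-time compare keeps the same branches: `if (flag != null && MessageDigest.isEqual(expectedFlag.getBytes(StandardCharsets.UTF_8), flag.getBytes(StandardCharsets.UTF_8))) {`, with java.security.MessageDigest and java.nio.charset.StandardCharsets imported. For a deliberately vulnerable training application the stakes are low, but this endpoint is the one that gates scoring. Separately, the old builder set `lessonCompleted(true, "challenge.flag.correct")` explicitly while the new code calls `success(this).feedback("challenge.flag.correct")`; whether success() marks the lesson completed the same way cannot be seen here and is worth confirming against AssignmentEndpoint. The handler method starts and ends outside this hunk.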