dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Working unit tests

Browse Source
This commit is contained in:
Nanne Baars 2019-09-13 20:05:25 +02:00
parent 04f1b9a282
commit f774364461
34 changed files with 389 additions and 439 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
webgoat-container/src/test/java/org/owasp/webgoat/assignments/AssignmentEndpointTest.java
View File

@ -38,6 +38,7 @@ import org.springframework.web.servlet.i18n.FixedLocaleResolver;
import java.util.Locale;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Matchers.anyString;
import static org.mockito.Mockito.when;
@ -62,7 +63,6 @@ public class AssignmentEndpointTest {
public void init(AssignmentEndpoint a) {
messages.setBasenames("classpath:/i18n/messages", "classpath:/i18n/WebGoatLabels");
when(userTrackerRepository.findByUser(anyString())).thenReturn(userTracker);
ReflectionTestUtils.setField(a, "userTrackerRepository", userTrackerRepository);
ReflectionTestUtils.setField(a, "userSessionData", userSessionData);
ReflectionTestUtils.setField(a, "webSession", webSession);

23
webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/plugin/BypassRestrictionsFieldRestrictions.java
View File

@ -1,15 +1,11 @@
package org.owasp.webgoat.plugin;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
import org.springframework.web.bind.annotation.RestController;
/**
* *************************************************************************************************
@ -44,23 +40,22 @@ import java.io.IOException;
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
@AssignmentPath("/BypassRestrictions/FieldRestrictions")
@RestController
public class BypassRestrictionsFieldRestrictions extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)
public
@PostMapping("/BypassRestrictions/FieldRestrictions")
@ResponseBody
AttackResult completed(@RequestParam String select, @RequestParam String radio, @RequestParam String checkbox, @RequestParam String shortInput) throws IOException {
if (select.toString().equals("option1") || select.toString().equals("option2")) {
public AttackResult completed(@RequestParam String select, @RequestParam String radio, @RequestParam String checkbox, @RequestParam String shortInput) {
if (select.equals("option1") || select.equals("option2")) {
return trackProgress(failed().build());
}
if (radio.toString().equals("option1") || radio.toString().equals("option2")) {
if (radio.equals("option1") || radio.equals("option2")) {
return trackProgress(failed().build());
}
if (checkbox.toString().equals("on") || checkbox.toString().equals("off")) {
if (checkbox.equals("on") || checkbox.equals("off")) {
return trackProgress(failed().build());
}
if (shortInput.toString().length() <= 5) {
if (shortInput.length() <= 5) {
return trackProgress(failed().build());
}
/*if (disabled == null) {

94
webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/plugin/BypassRestrictionsFrontendValidation.java
View File

@ -3,85 +3,81 @@ package org.owasp.webgoat.plugin;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
/**
* *************************************************************************************************
*
*
* <p>
* <p>
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* <p>
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* <p>
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* <p>
* Getting Source ==============
*
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
*
* <p>
* For details, please see http://webgoat.github.io
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
@AssignmentPath("/BypassRestrictions/frontendValidation")
@RestController
public class BypassRestrictionsFrontendValidation extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)
public
@PostMapping("/BypassRestrictions/frontendValidation")
@ResponseBody
AttackResult completed(@RequestParam String field1, @RequestParam String field2, @RequestParam String field3, @RequestParam String field4, @RequestParam String field5, @RequestParam String field6, @RequestParam String field7, @RequestParam Integer error) throws IOException {
String regex1="^[a-z]{3}$";
String regex2="^[0-9]{3}$";
String regex3="^[a-zA-Z0-9 ]*$";
String regex4="^(one|two|three|four|five|six|seven|eight|nine)$";
String regex5="^\\d{5}$";
String regex6="^\\d{5}(-\\d{4})?$";
String regex7="^[2-9]\\d{2}-?\\d{3}-?\\d{4}$";
if (error>0) {
return trackProgress(failed().build());
}
if (field1.matches(regex1)) {
return trackProgress(failed().build());
}
if (field2.matches(regex2)) {
return trackProgress(failed().build());
}
if (field3.matches(regex3)) {
return trackProgress(failed().build());
}
if (field4.matches(regex4)) {
return trackProgress(failed().build());
}
if (field5.matches(regex5)) {
return trackProgress(failed().build());
}
if (field6.matches(regex6)) {
return trackProgress(failed().build());
}
if (field7.matches(regex7)) {
return trackProgress(failed().build());
}
return trackProgress(success().build());
public AttackResult completed(@RequestParam String field1, @RequestParam String field2, @RequestParam String field3, @RequestParam String field4, @RequestParam String field5, @RequestParam String field6, @RequestParam String field7, @RequestParam Integer error) {
String regex1 = "^[a-z]{3}$";
String regex2 = "^[0-9]{3}$";
String regex3 = "^[a-zA-Z0-9 ]*$";
String regex4 = "^(one|two|three|four|five|six|seven|eight|nine)$";
String regex5 = "^\\d{5}$";
String regex6 = "^\\d{5}(-\\d{4})?$";
String regex7 = "^[2-9]\\d{2}-?\\d{3}-?\\d{4}$";
if (error > 0) {
return trackProgress(failed().build());
}
if (field1.matches(regex1)) {
return trackProgress(failed().build());
}
if (field2.matches(regex2)) {
return trackProgress(failed().build());
}
if (field3.matches(regex3)) {
return trackProgress(failed().build());
}
if (field4.matches(regex4)) {
return trackProgress(failed().build());
}
if (field5.matches(regex5)) {
return trackProgress(failed().build());
}
if (field6.matches(regex6)) {
return trackProgress(failed().build());
}
if (field7.matches(regex7)) {
return trackProgress(failed().build());
}
return trackProgress(success().build());
}
}

12
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge1/Assignment1.java
View File

@ -5,10 +5,7 @@ import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.plugin.Flag;
import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
@ -44,13 +41,12 @@ import static org.owasp.webgoat.plugin.SolutionConstants.PASSWORD;
* @version $Id: $Id
* @since August 11, 2016
*/
@AssignmentPath("/challenge/1")
@RestController
public class Assignment1 extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)
public
@PostMapping("/challenge/1")
@ResponseBody
AttackResult completed(@RequestParam String username, @RequestParam String password, HttpServletRequest request) throws IOException {
public AttackResult completed(@RequestParam String username, @RequestParam String password, HttpServletRequest request) {
boolean ipAddressKnown = true;
boolean passwordCorrect = "admin".equals(username) && PASSWORD.equals(password);
if (passwordCorrect && ipAddressKnown) {

32
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/challenge6/Assignment5.java → webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/Assignment5.java
View File

@ -1,4 +1,26 @@
package org.owasp.webgoat.plugin.challenge5.challenge6;
/*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2019 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/
package org.owasp.webgoat.plugin.challenge5;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.RandomStringUtils;
@ -10,9 +32,7 @@ import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.WebSession;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.*;
import java.sql.*;
@ -23,7 +43,7 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST;
* @author nbaars
* @since 4/8/17.
*/
@AssignmentPath("/challenge/5")
@RestController
@Slf4j
public class Assignment5 extends AssignmentEndpoint {
@ -33,7 +53,7 @@ public class Assignment5 extends AssignmentEndpoint {
@Autowired
private WebSession webSession;
@RequestMapping(method = POST)
@PostMapping("/challenge/5")
@ResponseBody
public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {
Connection connection = DatabaseUtilities.getConnection(webSession);

61
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/Challenge5.java Normal file
View File

@ -0,0 +1,61 @@
/*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2019 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/
package org.owasp.webgoat.plugin.challenge5;
import com.google.common.collect.Lists;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import java.util.List;
/**
* @author nbaars
* @since 3/21/17.
*/
public class Challenge5 extends NewLesson {
@Override
public Category getDefaultCategory() {
return Category.CHALLENGE;
}
@Override
public List<String> getHints() {
return Lists.newArrayList();
}
@Override
public Integer getDefaultRanking() {
return 10;
}
@Override
public String getTitle() {
return "challenge5.title";
}
@Override
public String getId() {
return "Challenge5";
}
}

39
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/challenge6/Challenge5.java
View File

@ -1,39 +0,0 @@
package org.owasp.webgoat.plugin.challenge5.challenge6;
import com.google.common.collect.Lists;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import java.util.List;
/**
* @author nbaars
* @since 3/21/17.
*/
public class Challenge5 extends NewLesson {
@Override
public Category getDefaultCategory() {
return Category.CHALLENGE;
}
@Override
public List<String> getHints() {
return Lists.newArrayList();
}
@Override
public Integer getDefaultRanking() {
return 10;
}
@Override
public String getTitle() {
return "challenge5.title";
}
@Override
public String getId() {
return "Challenge5";
}
}

11
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge6/Assignment6.java
View File

@ -10,10 +10,7 @@ import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.WebSession;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.*;
import java.sql.*;
@ -24,7 +21,7 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST;
* @author nbaars
* @since 4/8/17.
*/
@AssignmentPath("/challenge/6")
@RestController
@Slf4j
public class Assignment6 extends AssignmentEndpoint {
@ -38,7 +35,7 @@ public class Assignment6 extends AssignmentEndpoint {
log.info("Challenge 6 tablename is: {}", USERS_TABLE_NAME);
}
@PutMapping //assignment path is bounded to class so we use different http method :-)
@PutMapping("/challenge/6") //assignment path is bounded to class so we use different http method :-)
@ResponseBody
public AttackResult registerNewUser(@RequestParam String username_reg, @RequestParam String email_reg, @RequestParam String password_reg) throws Exception {
AttackResult attackResult = checkArguments(username_reg, email_reg, password_reg);
@ -75,7 +72,7 @@ public class Assignment6 extends AssignmentEndpoint {
return null;
}
@RequestMapping(method = POST)
@PostMapping("/challenge/6")
@ResponseBody
public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {
Connection connection = DatabaseUtilities.getConnection(webSession);

8
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge7/Assignment7.java
View File

@ -30,7 +30,7 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST;
* @author nbaars
* @since 4/8/17.
*/
@AssignmentPath("/challenge/7")
@RestController
@Slf4j
public class Assignment7 extends AssignmentEndpoint {
@ -48,7 +48,7 @@ public class Assignment7 extends AssignmentEndpoint {
@Value("${webwolf.url.mail}")
private String webWolfMailURL;
@GetMapping("/reset-password/{link}")
@GetMapping("/challenge/7/reset-password/{link}")
public ResponseEntity<String> resetPassword(@PathVariable(value = "link") String link) {
if (link.equals(SolutionConstants.ADMIN_PASSWORD_LINK)) {
return ResponseEntity.accepted().body("<h1>Success!!</h1>" +
@ -58,7 +58,7 @@ public class Assignment7 extends AssignmentEndpoint {
return ResponseEntity.status(HttpStatus.I_AM_A_TEAPOT).body("That is not the reset link for admin");
}
@RequestMapping(method = POST)
@PostMapping("/challenge/7")
@ResponseBody
public AttackResult sendPasswordResetLink(@RequestParam String email, HttpServletRequest request) throws URISyntaxException {
if (StringUtils.hasText(email)) {
@ -77,7 +77,7 @@ public class Assignment7 extends AssignmentEndpoint {
return success().feedback("email.send").feedbackArgs(email).build();
}
@RequestMapping(method = GET, value = "/.git", produces = MediaType.APPLICATION_OCTET_STREAM_VALUE)
@GetMapping(value = "/challenge/7/.git", produces = MediaType.APPLICATION_OCTET_STREAM_VALUE)
@ResponseBody
@SneakyThrows
public ClassPathResource git() {

10
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge8/Assignment8.java
View File

@ -10,6 +10,7 @@ import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
import javax.servlet.http.HttpServletRequest;
import java.util.HashMap;
@ -20,7 +21,7 @@ import java.util.stream.Collectors;
* @author nbaars
* @since 4/8/17.
*/
@AssignmentPath("/challenge/8")
@RestController
@Slf4j
public class Assignment8 extends AssignmentEndpoint {
@ -34,7 +35,7 @@ public class Assignment8 extends AssignmentEndpoint {
votes.put(5, 300);
}
@GetMapping(value = "/vote/{stars}", produces = MediaType.APPLICATION_JSON_VALUE)
@GetMapping(value = "/challenge/8/vote/{stars}", produces = MediaType.APPLICATION_JSON_VALUE)
@ResponseBody
public ResponseEntity<?> vote(@PathVariable(value = "stars") int nrOfStars, HttpServletRequest request) {
//Simple implementation of VERB Based Authentication
@ -50,12 +51,12 @@ public class Assignment8 extends AssignmentEndpoint {
return ResponseEntity.ok().header("X-Flag", "Thanks for voting, your flag is: " + Flag.FLAGS.get(8)).build();
}
@GetMapping("/votes/")
@GetMapping("/challenge/8/votes/")
public ResponseEntity<?> getVotes() {
return ResponseEntity.ok(votes.entrySet().stream().collect(Collectors.toMap(e -> "" + e.getKey(), e -> e.getValue())));
}
@GetMapping("/votes/average")
@GetMapping("/challenge/8/votes/average")
public ResponseEntity<Map<String, Integer>> average() {
int totalNumberOfVotes = votes.values().stream().mapToInt(i -> i.intValue()).sum();
int categories = votes.entrySet().stream().mapToInt(e -> e.getKey() * e.getValue()).reduce(0, (a, b) -> a + b);
@ -63,6 +64,5 @@ public class Assignment8 extends AssignmentEndpoint {
json.put("average", (int) Math.ceil((double) categories / totalNumberOfVotes));
return ResponseEntity.ok(json);
}
}

33
webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkDummy.java
View File

@ -4,34 +4,29 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.UserSessionData;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.*;
import java.io.IOException;
/**
* This is just a class used to make the the HTTP request.
*
* @author TMelzer
* @since 30.11.18
*/
@AssignmentPath("/ChromeDevTools/dummy")
@RestController
public class NetworkDummy extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)
public
@ResponseBody
AttackResult completed(@RequestParam String successMessage) throws IOException {
UserSessionData userSessionData = getUserSessionData();
String answer = (String) userSessionData.getValue("randValue");
@PostMapping("/ChromeDevTools/dummy")
@ResponseBody
public AttackResult completed(@RequestParam String successMessage) {
UserSessionData userSessionData = getUserSessionData();
String answer = (String) userSessionData.getValue("randValue");
if (successMessage!=null && successMessage.equals(answer)) {
return trackProgress(success().feedback("xss-dom-message-success").build());
} else {
return trackProgress(failed().feedback("xss-dom-message-failure").build());
}
}
if (successMessage != null && successMessage.equals(answer)) {
return trackProgress(success().feedback("xss-dom-message-success").build());
} else {
return trackProgress(failed().feedback("xss-dom-message-failure").build());
}
}
}

38
webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkLesson.java
View File

@ -5,38 +5,34 @@ import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.*;
import java.io.IOException;
/**
* Assignment where the user has to look through an HTTP Request
* using the Developer Tools and find a specific number.
*
* @author TMelzer
* @since 30.11.18
*/
@AssignmentPath("/ChromeDevTools/network")
@RestController
@AssignmentHints({"networkHint1", "networkHint2"})
public class NetworkLesson extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST, params= {"network_num","number"})
public
@ResponseBody
AttackResult completed(@RequestParam String network_num, @RequestParam String number) throws IOException {
if(network_num.equals(number)) {
return trackProgress(success().feedback("network.success").output("").build());
} else {
return trackProgress(failed().feedback("network.failed").build());
@PostMapping(value = "/ChromeDevTools/network", params = {"network_num", "number"})
@ResponseBody
public AttackResult completed(@RequestParam String network_num, @RequestParam String number) {
if (network_num.equals(number)) {
return trackProgress(success().feedback("network.success").output("").build());
} else {
return trackProgress(failed().feedback("network.failed").build());
}
}
@PostMapping(path = "/ChromeDevTools/network", params = "networkNum")
@ResponseBody
public ResponseEntity<?> ok(@RequestParam String networkNum) {
return ResponseEntity.ok().build();
}
}
@RequestMapping(method = RequestMethod.POST, params="networkNum")
public
@ResponseBody
ResponseEntity<?> ok(@RequestParam String networkNum) throws IOException {
return ResponseEntity.ok().build();
}
}

0
webgoat-lessons/chrome-dev-tools/src/Test/java/org.owasp.webgoat.plugin/ChromeDevToolsTest.java → webgoat-lessons/chrome-dev-tools/src/test/java/org.owasp.webgoat.plugin/ChromeDevToolsTest.java
View File

17
webgoat-lessons/cia/src/main/java/org/owasp/webgoat/plugin/CIAQuiz.java
View File

@ -4,10 +4,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.*;
import java.io.IOException;
import java.sql.Connection;
@ -15,20 +12,20 @@ import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
@AssignmentPath("/cia/quiz")
@RestController
public class CIAQuiz extends AssignmentEndpoint {
String[] solutions = {"Solution 3", "Solution 1", "Solution 4", "Solution 2"};
boolean[] guesses = new boolean[solutions.length];
@RequestMapping(method = RequestMethod.POST)
@PostMapping("/cia/quiz")
@ResponseBody
public AttackResult completed(@RequestParam String[] question_0_solution, @RequestParam String[] question_1_solution, @RequestParam String[] question_2_solution, @RequestParam String[] question_3_solution) throws IOException {
public AttackResult completed(@RequestParam String[] question_0_solution, @RequestParam String[] question_1_solution, @RequestParam String[] question_2_solution, @RequestParam String[] question_3_solution) {
int correctAnswers = 0;
String[] givenAnswers = {question_0_solution[0], question_1_solution[0], question_2_solution[0], question_3_solution[0]};
for(int i = 0; i < solutions.length; i++) {
for (int i = 0; i < solutions.length; i++) {
if (givenAnswers[i].contains(solutions[i])) {
// answer correct
correctAnswers++;
@ -39,14 +36,14 @@ public class CIAQuiz extends AssignmentEndpoint {
}
}
if(correctAnswers == solutions.length) {
if (correctAnswers == solutions.length) {
return trackProgress(success().build());
} else {
return trackProgress(failed().build());
}
}
@RequestMapping(method = RequestMethod.GET)
@GetMapping("/cia/quiz")
@ResponseBody
public boolean[] getResults() {
return this.guesses;

12
webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFilteringAssignment.java
View File

@ -4,10 +4,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.*;
import java.io.IOException;
@ -40,14 +37,13 @@ import java.io.IOException;
* @version $Id: $Id
* @since August 11, 2016
*/
@AssignmentPath("/clientSideFiltering/attack1")
@RestController
@AssignmentHints({"ClientSideFilteringHint1", "ClientSideFilteringHint2", "ClientSideFilteringHint3", "ClientSideFilteringHint4"})
public class ClientSideFilteringAssignment extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)
public
@PostMapping("/clientSideFiltering/attack1")
@ResponseBody
AttackResult completed(@RequestParam String answer) throws IOException {
public AttackResult completed(@RequestParam String answer) {
return trackProgress("450000".equals(answer) ?
success().feedback("assignment.solved").build() :
failed().feedback("ClientSideFiltering.incorrect").build());

12
webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFilteringFreeAssignment.java
View File

@ -4,10 +4,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.*;
import java.io.IOException;
@ -15,16 +12,15 @@ import java.io.IOException;
* @author nbaars
* @since 4/6/17.
*/
@AssignmentPath("/clientSideFiltering/getItForFree")
@RestController
@AssignmentHints({"client.side.filtering.free.hint1", "client.side.filtering.free.hint2", "client.side.filtering.free.hint3"})
public class ClientSideFilteringFreeAssignment extends AssignmentEndpoint {
public static final String SUPER_COUPON_CODE = "get_it_for_free";
@RequestMapping(method = RequestMethod.POST)
public
@PostMapping("/clientSideFiltering/getItForFree")
@ResponseBody
AttackResult completed(@RequestParam String checkoutCode) {
public AttackResult completed(@RequestParam String checkoutCode) {
if (SUPER_COUPON_CODE.equals(checkoutCode)) {
return trackProgress(success().build());
}

48
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson1.java
View File

@ -2,57 +2,53 @@
package org.owasp.webgoat.plugin;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
import org.springframework.web.bind.annotation.RestController;
/***************************************************************************************************
*
*
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
*
* Getting Source ==============
*
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
*
* For details, please see http://webgoat.github.io
*
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
@AssignmentPath("/CrossSiteScripting/attack1")
@RestController
public class CrossSiteScriptingLesson1 extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)
public @ResponseBody AttackResult completed(@RequestParam String answer_xss_1, HttpServletRequest request) throws IOException {
if (answer_xss_1.toString().toLowerCase().equals("yes")) {
return trackProgress(success().build());
} else {
return trackProgress(failed().feedback("xss.lesson1.failure").build());
}
}
@PostMapping("/CrossSiteScripting/attack1")
@ResponseBody
public AttackResult completed(@RequestParam String answer_xss_1) {
if (answer_xss_1.toString().toLowerCase().equals("yes")) {
return trackProgress(success().build());
} else {
return trackProgress(failed().feedback("xss.lesson1.failure").build());
}
}
}

11
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson3.java
View File

@ -7,16 +7,13 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.*;
@AssignmentPath("CrossSiteScripting/attack3")
@RestController
@AssignmentHints(value = {"xss-mitigation-3-hint1", "xss-mitigation-3-hint2", "xss-mitigation-3-hint3", "xss-mitigation-3-hint4"})
public class CrossSiteScriptingLesson3 extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)
@PostMapping("CrossSiteScripting/attack3")
@ResponseBody
public AttackResult completed(@RequestParam String editor) {
String unescapedString = org.jsoup.parser.Parser.unescapeEntities(editor, true);
@ -49,7 +46,7 @@ public class CrossSiteScriptingLesson3 extends AssignmentEndpoint {
} else {
return trackProgress(failed().feedback("xss-mitigation-3-failure").build());
}
}catch(Exception e) {
} catch (Exception e) {
return trackProgress(failed().output(e.getMessage()).build());
}
}

21
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson4.java
View File

@ -4,10 +4,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.*;
import javax.tools.*;
import java.io.IOException;
@ -17,28 +14,26 @@ import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
@AssignmentPath("CrossSiteScripting/attack4")
@RestController
@AssignmentHints(value = {"xss-mitigation-4-hint1"})
public class CrossSiteScriptingLesson4 extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)
@PostMapping("CrossSiteScripting/attack4")
@ResponseBody
public AttackResult completed(@RequestParam String editor2) {
String editor = editor2.replaceAll("\\<.*?>","");
String editor = editor2.replaceAll("\\<.*?>", "");
System.out.println(editor);
if ((editor.contains("Policy.getInstance(\"antisamy-slashdot.xml\"") || editor.contains(".scan(newComment, \"antisamy-slashdot.xml\"") || editor.contains(".scan(newComment, new File(\"antisamy-slashdot.xml\")")) &&
editor.contains("new AntiSamy();")&&
editor.contains("new AntiSamy();") &&
editor.contains(".scan(newComment,") &&
editor.contains("CleanResults") &&
editor.contains("MyCommentDAO.addComment(threadID, userID")&&
editor.contains(".getCleanHTML());"))
{
editor.contains("MyCommentDAO.addComment(threadID, userID") &&
editor.contains(".getCleanHTML());")) {
System.out.println("true");
return trackProgress(success().feedback("xss-mitigation-4-success").build());
}
else {
} else {
System.out.println("false");
return trackProgress(failed().feedback("xss-mitigation-4-failed").build());
}

84
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java
View File

@ -7,16 +7,12 @@ import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.UserSessionData;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
/***************************************************************************************************
*
*
@ -47,52 +43,52 @@ import java.io.IOException;
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
@AssignmentPath("/CrossSiteScripting/attack5a")
@RestController
@AssignmentHints(value = {"xss-reflected-5a-hint-1", "xss-reflected-5a-hint-2", "xss-reflected-5a-hint-3", "xss-reflected-5a-hint-4"})
public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
@Autowired
UserSessionData userSessionData;
@Autowired
UserSessionData userSessionData;
@RequestMapping(method = RequestMethod.GET)
public @ResponseBody AttackResult completed(@RequestParam Integer QTY1,
@RequestParam Integer QTY2, @RequestParam Integer QTY3,
@RequestParam Integer QTY4, @RequestParam String field1,
@RequestParam String field2, HttpServletRequest request)
throws IOException {
@GetMapping("/CrossSiteScripting/attack5a")
@ResponseBody
public AttackResult completed(@RequestParam Integer QTY1,
@RequestParam Integer QTY2, @RequestParam Integer QTY3,
@RequestParam Integer QTY4, @RequestParam String field1,
@RequestParam String field2) {
if (field2.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) {
return trackProgress(failed().feedback("xss-reflected-5a-failed-wrong-field").build());
}
if (field2.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) {
return trackProgress(failed().feedback("xss-reflected-5a-failed-wrong-field").build());
}
double totalSale = QTY1.intValue() * 69.99 + QTY2.intValue() * 27.99 + QTY3.intValue() * 1599.99 + QTY4.intValue() * 299.99;
double totalSale = QTY1.intValue() * 69.99 + QTY2.intValue() * 27.99 + QTY3.intValue() * 1599.99 + QTY4.intValue() * 299.99;
userSessionData.setValue("xss-reflected1-complete",(Object)"false");
StringBuffer cart = new StringBuffer();
cart.append("Thank you for shopping at WebGoat. <br />You're support is appreciated<hr />");
cart.append("<p>We have charged credit card:" + field1 + "<br />");
cart.append( " ------------------- <br />");
cart.append( " $" + totalSale);
userSessionData.setValue("xss-reflected1-complete", (Object) "false");
StringBuffer cart = new StringBuffer();
cart.append("Thank you for shopping at WebGoat. <br />You're support is appreciated<hr />");
cart.append("<p>We have charged credit card:" + field1 + "<br />");
cart.append(" ------------------- <br />");
cart.append(" $" + totalSale);
//init state
if (userSessionData.getValue("xss-reflected1-complete") == null) {
userSessionData.setValue("xss-reflected1-complete",(Object)"false");
}
//init state
if (userSessionData.getValue("xss-reflected1-complete") == null) {
userSessionData.setValue("xss-reflected1-complete", (Object) "false");
}
if (field1.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) {
//return trackProgress()
userSessionData.setValue("xss-reflected-5a-complete","true");
if(field1.toLowerCase().contains("console.log")) {
return trackProgress(success().feedback("xss-reflected-5a-success-console").output(cart.toString()).build());
} else {
return trackProgress(success().feedback("xss-reflected-5a-success-alert").output(cart.toString()).build());
}
} else {
userSessionData.setValue("xss-reflected1-complete","false");
return trackProgress(success()
.feedback("xss-reflected-5a-failure")
.output(cart.toString())
.build());
}
}
if (field1.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) {
//return trackProgress()
userSessionData.setValue("xss-reflected-5a-complete", "true");
if (field1.toLowerCase().contains("console.log")) {
return trackProgress(success().feedback("xss-reflected-5a-success-console").output(cart.toString()).build());
} else {
return trackProgress(success().feedback("xss-reflected-5a-success-alert").output(cart.toString()).build());
}
} else {
userSessionData.setValue("xss-reflected1-complete", "false");
return trackProgress(success()
.feedback("xss-reflected-5a-failure")
.output(cart.toString())
.build());
}
}
}

33
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson6a.java
View File

@ -7,53 +7,50 @@ import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.UserSessionData;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.*;
import java.io.IOException;
/***************************************************************************************************
*
*
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
*
* Getting Source ==============
*
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
*
* For details, please see http://webgoat.github.io
*
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
@AssignmentPath("/CrossSiteScripting/attack6a")
@RestController
@AssignmentHints(value = {"xss-reflected-6a-hint-1", "xss-reflected-6a-hint-2", "xss-reflected-6a-hint-3", "xss-reflected-6a-hint-4"})
public class CrossSiteScriptingLesson6a extends AssignmentEndpoint {
@Autowired
UserSessionData userSessionData;
@RequestMapping(method = RequestMethod.POST)
public @ResponseBody
AttackResult completed(@RequestParam String DOMTestRoute) throws IOException {
@PostMapping("/CrossSiteScripting/attack6a")
@ResponseBody
public AttackResult completed(@RequestParam String DOMTestRoute) {
if (DOMTestRoute.matches("start\\.mvc#test(\\/|)")) {
//return trackProgress()

18
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingQuiz.java
View File

@ -1,29 +1,25 @@
package org.owasp.webgoat.plugin;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.*;
import java.io.IOException;
@AssignmentPath("/cross-site-scripting/quiz")
@RestController
public class CrossSiteScriptingQuiz extends AssignmentEndpoint {
String[] solutions = {"Solution 4", "Solution 3", "Solution 1", "Solution 2", "Solution 4"};
boolean[] guesses = new boolean[solutions.length];
@RequestMapping(method = RequestMethod.POST)
@PostMapping("/cross-site-scripting/quiz")
@ResponseBody
public AttackResult completed(@RequestParam String[] question_0_solution, @RequestParam String[] question_1_solution, @RequestParam String[] question_2_solution, @RequestParam String[] question_3_solution, @RequestParam String[] question_4_solution) throws IOException {
int correctAnswers = 0;
String[] givenAnswers = {question_0_solution[0], question_1_solution[0], question_2_solution[0], question_3_solution[0], question_4_solution[0]};
for(int i = 0; i < solutions.length; i++) {
for (int i = 0; i < solutions.length; i++) {
if (givenAnswers[i].contains(solutions[i])) {
// answer correct
correctAnswers++;
@ -34,17 +30,17 @@ public class CrossSiteScriptingQuiz extends AssignmentEndpoint {
}
}
if(correctAnswers == solutions.length) {
if (correctAnswers == solutions.length) {
return trackProgress(success().build());
} else {
return trackProgress(failed().build());
}
}
@RequestMapping(method = RequestMethod.GET)
@GetMapping("/cross-site-scripting/quiz")
@ResponseBody
public boolean[] getResults() {
return this.guesses;
}
}
}

21
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScripting.java
View File

@ -32,29 +32,24 @@
package org.owasp.webgoat.plugin;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.UserSessionData;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.security.SecureRandom;
@AssignmentPath("/CrossSiteScripting/phone-home-xss")
@RestController
public class DOMCrossSiteScripting extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)
public @ResponseBody
AttackResult completed(@RequestParam Integer param1,
@RequestParam Integer param2, HttpServletRequest request) throws IOException {
UserSessionData userSessionData = getUserSessionData();
@PostMapping("/CrossSiteScripting/phone-home-xss")
@ResponseBody
public AttackResult completed(@RequestParam Integer param1,
@RequestParam Integer param2, HttpServletRequest request) {
UserSessionData userSessionData = getUserSessionData();
SecureRandom number = new SecureRandom();
userSessionData.setValue("randValue",String.valueOf(number.nextInt()));
userSessionData.setValue("randValue", String.valueOf(number.nextInt()));
if (param1 == 42 && param2 == 24 && request.getHeader("webgoat-requested-by").equals("dom-xss-vuln")) {
return trackProgress(success().output("phoneHome Response is " + userSessionData.getValue("randValue").toString()).build());

13
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScriptingVerifier.java
View File

@ -36,10 +36,7 @@ import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.UserSessionData;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
@ -47,13 +44,13 @@ import java.io.IOException;
/**
* Created by jason on 11/23/16.
*/
@AssignmentPath("/CrossSiteScripting/dom-follow-up")
@RestController
@AssignmentHints(value = {"xss-dom-message-hint-1", "xss-dom-message-hint-2", "xss-dom-message-hint-3", "xss-dom-message-hint-4", "xss-dom-message-hint-5", "xss-dom-message-hint-6"})
public class DOMCrossSiteScriptingVerifier extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)
public @ResponseBody
AttackResult completed(@RequestParam String successMessage) throws IOException {
@PostMapping("/CrossSiteScripting/dom-follow-up")
@ResponseBody
public AttackResult completed(@RequestParam String successMessage) {
UserSessionData userSessionData = getUserSessionData();
String answer = (String) userSessionData.getValue("randValue");

13
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/StoredCrossSiteScriptingVerifier.java
View File

@ -35,22 +35,19 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.UserSessionData;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.*;
import java.io.IOException;
/**
* Created by jason on 11/23/16.
*/
@AssignmentPath("/CrossSiteScripting/stored-xss-follow-up")
@RestController
public class StoredCrossSiteScriptingVerifier extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)
public @ResponseBody
AttackResult completed(@RequestParam String successMessage) throws IOException {
@PostMapping("/CrossSiteScripting/stored-xss-follow-up")
@ResponseBody
public AttackResult completed(@RequestParam String successMessage) {
UserSessionData userSessionData = getUserSessionData();
if (successMessage.equals(userSessionData.getValue("randValue").toString())) {

17
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/StoredXssComments.java
View File

@ -48,12 +48,13 @@ import org.springframework.web.bind.annotation.*;
import org.owasp.encoder.*;
import static org.springframework.http.MediaType.ALL_VALUE;
import java.io.IOException;
import java.util.*;
import static org.springframework.web.bind.annotation.RequestMethod.GET;
@AssignmentPath("/CrossSiteScripting/stored-xss")
@RestController
public class StoredXssComments extends AssignmentEndpoint {
@Autowired
@ -72,7 +73,7 @@ public class StoredXssComments extends AssignmentEndpoint {
comments.add(new Comment("guest", DateTime.now().toString(fmt), "Can you post a comment, calling webgoat.customjs.phoneHome() ?"));
}
@RequestMapping(method = GET, produces = MediaType.APPLICATION_JSON_VALUE,consumes = ALL_VALUE)
@GetMapping(path = "/CrossSiteScripting/stored-xss", produces = MediaType.APPLICATION_JSON_VALUE, consumes = ALL_VALUE)
@ResponseBody
public Collection<Comment> retrieveComments() {
List<Comment> allComments = Lists.newArrayList();
@ -85,10 +86,9 @@ public class StoredXssComments extends AssignmentEndpoint {
return allComments;
}
@RequestMapping(method = RequestMethod.POST)
@PostMapping("/CrossSiteScripting/stored-xss")
@ResponseBody
public AttackResult createNewComment (@RequestBody String commentStr) throws IOException {
public AttackResult createNewComment(@RequestBody String commentStr) {
Comment comment = parseJson(commentStr);
EvictingQueue<Comment> comments = userComments.getOrDefault(webSession.getUserName(), EvictingQueue.create(100));
@ -113,9 +113,4 @@ public class StoredXssComments extends AssignmentEndpoint {
return new Comment();
}
}
}
}

9
webgoat-lessons/cross-site-scripting/src/test/java/org/owasp/webgoat/plugin/DOMCrossSiteScriptingTest.java
View File

@ -29,7 +29,7 @@ import org.hamcrest.CoreMatchers;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.runners.MockitoJUnitRunner;
import org.mockito.junit.MockitoJUnitRunner;
import org.owasp.webgoat.assignments.AssignmentEndpointTest;
import org.owasp.webgoat.session.UserSessionData;
import org.springframework.test.web.servlet.MockMvc;
@ -44,8 +44,7 @@ import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standal
@RunWith(MockitoJUnitRunner.class)
public class DOMCrossSiteScriptingTest extends AssignmentEndpointTest {
private MockMvc mockMvc;
private UserSessionData mockUserSessionData;
private String randVal = "12034837";
private String randVal = "12034837";
@Before
public void setup() {
@ -60,7 +59,7 @@ public class DOMCrossSiteScriptingTest extends AssignmentEndpointTest {
public void success() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/CrossSiteScripting/phone-home-xss")
.header("webgoat-requested-by","dom-xss-vuln")
.header("webgoat-requested-by", "dom-xss-vuln")
.param("param1", "42")
.param("param2", "24"))
.andExpect(status().isOk())
@ -72,7 +71,7 @@ public class DOMCrossSiteScriptingTest extends AssignmentEndpointTest {
public void failure() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/CrossSiteScripting/phone-home-xss")
.header("webgoat-requested-by","wrong-value")
.header("webgoat-requested-by", "wrong-value")
.param("param1", "22")
.param("param2", "20"))
.andExpect(status().isOk())

11
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFConfirmFlag1.java
View File

@ -2,28 +2,27 @@ package org.owasp.webgoat.plugin;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.UserSessionData;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
/**
* Created by jason on 9/29/17.
*/
@AssignmentPath("/csrf/confirm-flag-1")
@RestController
@AssignmentHints({"csrf-get.hint1", "csrf-get.hint2", "csrf-get.hint3", "csrf-get.hint4"})
public class CSRFConfirmFlag1 extends AssignmentEndpoint {
@Autowired
UserSessionData userSessionData;
@PostMapping(produces = {"application/json"})
public @ResponseBody
AttackResult completed(String confirmFlagVal) {
@PostMapping(path = "/csrf/confirm-flag-1", produces = {"application/json"})
@ResponseBody
public AttackResult completed(String confirmFlagVal) {
Object userSessionDataStr = userSessionData.getValue("csrf-get-success");
if (userSessionDataStr != null && confirmFlagVal.equals(userSessionDataStr.toString())) {
return trackProgress(

11
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFFeedback.java
View File

@ -11,10 +11,7 @@ import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.UserSessionData;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.*;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
@ -26,7 +23,7 @@ import java.util.UUID;
* @author nbaars
* @since 11/17/17.
*/
@AssignmentPath("/csrf/feedback")
@RestController
@AssignmentHints({"csrf-feedback-hint1", "csrf-feedback-hint2", "csrf-feedback-hint3"})
public class CSRFFeedback extends AssignmentEndpoint {
@ -35,7 +32,7 @@ public class CSRFFeedback extends AssignmentEndpoint {
@Autowired
private ObjectMapper objectMapper;
@PostMapping(value = "/message", produces = {"application/json"})
@PostMapping(value = "/csrf/feedback/message", produces = {"application/json"})
@ResponseBody
public AttackResult completed(HttpServletRequest request, @RequestBody String feedback) {
try {
@ -59,7 +56,7 @@ public class CSRFFeedback extends AssignmentEndpoint {
return failed().build();
}
@PostMapping(produces = "application/json")
@PostMapping(path = "/csrf/feedback", produces = "application/json")
@ResponseBody
public AttackResult flag(@RequestParam("confirmFlagVal") String flag) {
if (flag.equals(userSessionData.getValue("csrf-feedback"))) {

5
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFLogin.java
View File

@ -9,19 +9,20 @@ import org.owasp.webgoat.users.UserTrackerRepository;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
/**
* @author nbaars
* @since 11/17/17.
*/
@AssignmentPath("/csrf/login")
@RestController
@AssignmentHints({"csrf-login-hint1", "csrf-login-hint2", "csrf-login-hint3"})
public class CSRFLogin extends AssignmentEndpoint {
@Autowired
private UserTrackerRepository userTrackerRepository;
@PostMapping(produces = {"application/json"})
@PostMapping(path = "/csrf/login", produces = {"application/json"})
@ResponseBody
public AttackResult completed() {
String userName = getWebSession().getUserName();

18
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/ForgedReviews.java
View File

@ -44,9 +44,7 @@ import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.WebSession;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
@ -56,8 +54,8 @@ import java.util.Map;
import static org.springframework.http.MediaType.ALL_VALUE;
import static org.springframework.web.bind.annotation.RequestMethod.GET;
@AssignmentPath("/csrf/review")
@AssignmentHints({"csrf-review-hint1","csrf-review-hint2","csrf-review-hint3"})
@RestController
@AssignmentHints({"csrf-review-hint1", "csrf-review-hint2", "csrf-review-hint3"})
public class ForgedReviews extends AssignmentEndpoint {
@Autowired
@ -73,10 +71,10 @@ public class ForgedReviews extends AssignmentEndpoint {
REVIEWS.add(new Review("secUriTy", DateTime.now().toString(fmt), "This is like swiss cheese", 0));
REVIEWS.add(new Review("webgoat", DateTime.now().toString(fmt), "It works, sorta", 2));
REVIEWS.add(new Review("guest", DateTime.now().toString(fmt), "Best, App, Ever", 5));
REVIEWS.add(new Review("guest", DateTime.now().toString(fmt), "This app is so insecure, I didn't even post this review, can you pull that off too?",1));
REVIEWS.add(new Review("guest", DateTime.now().toString(fmt), "This app is so insecure, I didn't even post this review, can you pull that off too?", 1));
}
@RequestMapping(method = GET, produces = MediaType.APPLICATION_JSON_VALUE,consumes = ALL_VALUE)
@GetMapping(path = "/csrf/review", produces = MediaType.APPLICATION_JSON_VALUE, consumes = ALL_VALUE)
@ResponseBody
public Collection<Review> retrieveReviews() {
Collection<Review> allReviews = Lists.newArrayList();
@ -90,9 +88,9 @@ public class ForgedReviews extends AssignmentEndpoint {
return allReviews;
}
@RequestMapping(method = RequestMethod.POST)
@PostMapping("/csrf/review")
@ResponseBody
public AttackResult createNewReview (String reviewText, Integer stars, String validateReq, HttpServletRequest request) throws IOException {
public AttackResult createNewReview(String reviewText, Integer stars, String validateReq, HttpServletRequest request) {
String host = (request.getHeader("host") == null) ? "NULL" : request.getHeader("host");
// String origin = (req.getHeader("origin") == null) ? "NULL" : req.getHeader("origin");
@ -116,7 +114,7 @@ public class ForgedReviews extends AssignmentEndpoint {
return trackProgress(failed().feedback("csrf-you-forgot-something").build());
}
//we have the spoofed files
if (referer != "NULL" && refererArr[2].equals(host) ) {
if (referer != "NULL" && refererArr[2].equals(host)) {
return trackProgress(failed().feedback("csrf-same-host").build());
} else {
return trackProgress(success().feedback("csrf-review.success").build()); //feedback("xss-stored-comment-failure")

38
webgoat-lessons/html-tampering/src/main/java/org/owasp/webgoat/plugin/HtmlTamperingTask.java
View File

@ -4,57 +4,53 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.*;
import java.io.IOException;
/**
* *************************************************************************************************
*
*
* <p>
* <p>
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* <p>
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* <p>
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* <p>
* Getting Source ==============
*
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
*
* <p>
* For details, please see http://webgoat.github.io
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
@AssignmentPath("/HtmlTampering/task")
@AssignmentHints({ "hint1", "hint2", "hint3"})
@RestController
@AssignmentHints({"hint1", "hint2", "hint3"})
public class HtmlTamperingTask extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)
public
@PostMapping("/HtmlTampering/task")
@ResponseBody
AttackResult completed(@RequestParam String QTY, @RequestParam String Total) throws IOException {
if (Float.parseFloat(QTY) * 2999.99 > Float.parseFloat(Total) + 1) {
return trackProgress(success().feedback("html-tampering.tamper.success").build());
}
public AttackResult completed(@RequestParam String QTY, @RequestParam String Total) {
if (Float.parseFloat(QTY) * 2999.99 > Float.parseFloat(Total) + 1) {
return trackProgress(success().feedback("html-tampering.tamper.success").build());
}
return trackProgress(failed().feedback("html-tampering.tamper.failure").build());
}
}

51
webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/plugin/HttpBasics.java
View File

@ -1,3 +1,25 @@
/*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2019 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/
package org.owasp.webgoat.plugin;
import com.beust.jcommander.internal.Lists;
@ -6,35 +28,6 @@ import org.owasp.webgoat.lessons.NewLesson;
import java.util.List;
/**
* ************************************************************************************************
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
* <p>
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
* <p>
* Getting Source ==============
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
* <p>
*
* @author WebGoat
* @version $Id: $Id
* @since October 12, 2016
*/
public class HttpBasics extends NewLesson {
@Override
public Category getDefaultCategory() {

2
webgoat-lessons/http-proxies/src/test/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequestTest.java
View File

@ -29,7 +29,7 @@ import org.hamcrest.CoreMatchers;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.runners.MockitoJUnitRunner;
import org.mockito.junit.MockitoJUnitRunner;
import org.owasp.webgoat.assignments.AssignmentEndpointTest;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;