diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/assignments/AssignmentEndpointTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/assignments/AssignmentEndpointTest.java
index dc0c7a481..8edbd1264 100644
--- a/webgoat-container/src/test/java/org/owasp/webgoat/assignments/AssignmentEndpointTest.java
+++ b/webgoat-container/src/test/java/org/owasp/webgoat/assignments/AssignmentEndpointTest.java
@@ -38,6 +38,7 @@ import org.springframework.web.servlet.i18n.FixedLocaleResolver;
import java.util.Locale;
+import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Matchers.anyString;
import static org.mockito.Mockito.when;
@@ -62,7 +63,6 @@ public class AssignmentEndpointTest {
public void init(AssignmentEndpoint a) {
messages.setBasenames("classpath:/i18n/messages", "classpath:/i18n/WebGoatLabels");
- when(userTrackerRepository.findByUser(anyString())).thenReturn(userTracker);
ReflectionTestUtils.setField(a, "userTrackerRepository", userTrackerRepository);
ReflectionTestUtils.setField(a, "userSessionData", userSessionData);
ReflectionTestUtils.setField(a, "webSession", webSession);
diff --git a/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/plugin/BypassRestrictionsFieldRestrictions.java b/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/plugin/BypassRestrictionsFieldRestrictions.java
index b916019f8..f5b4afaca 100755
--- a/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/plugin/BypassRestrictionsFieldRestrictions.java
+++ b/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/plugin/BypassRestrictionsFieldRestrictions.java
@@ -1,15 +1,11 @@
package org.owasp.webgoat.plugin;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
-
-import javax.servlet.http.HttpServletRequest;
-import java.io.IOException;
+import org.springframework.web.bind.annotation.RestController;
/**
* *************************************************************************************************
@@ -44,23 +40,22 @@ import java.io.IOException;
* @author Bruce Mayhew WebGoat
* @created October 28, 2003
*/
-@AssignmentPath("/BypassRestrictions/FieldRestrictions")
+@RestController
public class BypassRestrictionsFieldRestrictions extends AssignmentEndpoint {
- @RequestMapping(method = RequestMethod.POST)
- public
+ @PostMapping("/BypassRestrictions/FieldRestrictions")
@ResponseBody
- AttackResult completed(@RequestParam String select, @RequestParam String radio, @RequestParam String checkbox, @RequestParam String shortInput) throws IOException {
- if (select.toString().equals("option1") || select.toString().equals("option2")) {
+ public AttackResult completed(@RequestParam String select, @RequestParam String radio, @RequestParam String checkbox, @RequestParam String shortInput) {
+ if (select.equals("option1") || select.equals("option2")) {
return trackProgress(failed().build());
}
- if (radio.toString().equals("option1") || radio.toString().equals("option2")) {
+ if (radio.equals("option1") || radio.equals("option2")) {
return trackProgress(failed().build());
}
- if (checkbox.toString().equals("on") || checkbox.toString().equals("off")) {
+ if (checkbox.equals("on") || checkbox.equals("off")) {
return trackProgress(failed().build());
}
- if (shortInput.toString().length() <= 5) {
+ if (shortInput.length() <= 5) {
return trackProgress(failed().build());
}
/*if (disabled == null) {
diff --git a/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/plugin/BypassRestrictionsFrontendValidation.java b/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/plugin/BypassRestrictionsFrontendValidation.java
index 7eaefb129..a6c5aa95e 100644
--- a/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/plugin/BypassRestrictionsFrontendValidation.java
+++ b/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/plugin/BypassRestrictionsFrontendValidation.java
@@ -3,85 +3,81 @@ package org.owasp.webgoat.plugin;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
/**
* *************************************************************************************************
- *
- *
+ *
+ *
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
- *
+ *
* Copyright (c) 2002 - 20014 Bruce Mayhew
- *
+ *
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
- *
+ *
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
- *
+ *
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
- *
+ *
* Getting Source ==============
- *
+ *
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
- *
+ *
* For details, please see http://webgoat.github.io
*
* @author Bruce Mayhew WebGoat
* @created October 28, 2003
*/
-@AssignmentPath("/BypassRestrictions/frontendValidation")
+@RestController
public class BypassRestrictionsFrontendValidation extends AssignmentEndpoint {
- @RequestMapping(method = RequestMethod.POST)
- public
+ @PostMapping("/BypassRestrictions/frontendValidation")
@ResponseBody
- AttackResult completed(@RequestParam String field1, @RequestParam String field2, @RequestParam String field3, @RequestParam String field4, @RequestParam String field5, @RequestParam String field6, @RequestParam String field7, @RequestParam Integer error) throws IOException {
- String regex1="^[a-z]{3}$";
- String regex2="^[0-9]{3}$";
- String regex3="^[a-zA-Z0-9 ]*$";
- String regex4="^(one|two|three|four|five|six|seven|eight|nine)$";
- String regex5="^\\d{5}$";
- String regex6="^\\d{5}(-\\d{4})?$";
- String regex7="^[2-9]\\d{2}-?\\d{3}-?\\d{4}$";
- if (error>0) {
- return trackProgress(failed().build());
- }
- if (field1.matches(regex1)) {
- return trackProgress(failed().build());
- }
- if (field2.matches(regex2)) {
- return trackProgress(failed().build());
- }
- if (field3.matches(regex3)) {
- return trackProgress(failed().build());
- }
- if (field4.matches(regex4)) {
- return trackProgress(failed().build());
- }
- if (field5.matches(regex5)) {
- return trackProgress(failed().build());
- }
- if (field6.matches(regex6)) {
- return trackProgress(failed().build());
- }
- if (field7.matches(regex7)) {
- return trackProgress(failed().build());
- }
- return trackProgress(success().build());
+ public AttackResult completed(@RequestParam String field1, @RequestParam String field2, @RequestParam String field3, @RequestParam String field4, @RequestParam String field5, @RequestParam String field6, @RequestParam String field7, @RequestParam Integer error) {
+ String regex1 = "^[a-z]{3}$";
+ String regex2 = "^[0-9]{3}$";
+ String regex3 = "^[a-zA-Z0-9 ]*$";
+ String regex4 = "^(one|two|three|four|five|six|seven|eight|nine)$";
+ String regex5 = "^\\d{5}$";
+ String regex6 = "^\\d{5}(-\\d{4})?$";
+ String regex7 = "^[2-9]\\d{2}-?\\d{3}-?\\d{4}$";
+ if (error > 0) {
+ return trackProgress(failed().build());
+ }
+ if (field1.matches(regex1)) {
+ return trackProgress(failed().build());
+ }
+ if (field2.matches(regex2)) {
+ return trackProgress(failed().build());
+ }
+ if (field3.matches(regex3)) {
+ return trackProgress(failed().build());
+ }
+ if (field4.matches(regex4)) {
+ return trackProgress(failed().build());
+ }
+ if (field5.matches(regex5)) {
+ return trackProgress(failed().build());
+ }
+ if (field6.matches(regex6)) {
+ return trackProgress(failed().build());
+ }
+ if (field7.matches(regex7)) {
+ return trackProgress(failed().build());
+ }
+ return trackProgress(success().build());
}
}
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge1/Assignment1.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge1/Assignment1.java
index 932aca8d8..ef09f2451 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge1/Assignment1.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge1/Assignment1.java
@@ -5,10 +5,7 @@ import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.plugin.Flag;
import org.springframework.util.StringUtils;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
@@ -44,13 +41,12 @@ import static org.owasp.webgoat.plugin.SolutionConstants.PASSWORD;
* @version $Id: $Id
* @since August 11, 2016
*/
-@AssignmentPath("/challenge/1")
+@RestController
public class Assignment1 extends AssignmentEndpoint {
- @RequestMapping(method = RequestMethod.POST)
- public
+ @PostMapping("/challenge/1")
@ResponseBody
- AttackResult completed(@RequestParam String username, @RequestParam String password, HttpServletRequest request) throws IOException {
+ public AttackResult completed(@RequestParam String username, @RequestParam String password, HttpServletRequest request) {
boolean ipAddressKnown = true;
boolean passwordCorrect = "admin".equals(username) && PASSWORD.equals(password);
if (passwordCorrect && ipAddressKnown) {
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/challenge6/Assignment5.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/Assignment5.java
similarity index 76%
rename from webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/challenge6/Assignment5.java
rename to webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/Assignment5.java
index bdb663ec2..f97a90e8b 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/challenge6/Assignment5.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/Assignment5.java
@@ -1,4 +1,26 @@
-package org.owasp.webgoat.plugin.challenge5.challenge6;
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.plugin.challenge5;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.RandomStringUtils;
@@ -10,9 +32,7 @@ import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.WebSession;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.util.StringUtils;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.*;
import java.sql.*;
@@ -23,7 +43,7 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST;
* @author nbaars
* @since 4/8/17.
*/
-@AssignmentPath("/challenge/5")
+@RestController
@Slf4j
public class Assignment5 extends AssignmentEndpoint {
@@ -33,7 +53,7 @@ public class Assignment5 extends AssignmentEndpoint {
@Autowired
private WebSession webSession;
- @RequestMapping(method = POST)
+ @PostMapping("/challenge/5")
@ResponseBody
public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {
Connection connection = DatabaseUtilities.getConnection(webSession);
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/Challenge5.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/Challenge5.java
new file mode 100644
index 000000000..3b7345eaa
--- /dev/null
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/Challenge5.java
@@ -0,0 +1,61 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.plugin.challenge5;
+
+import com.google.common.collect.Lists;
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.NewLesson;
+
+import java.util.List;
+
+/**
+ * @author nbaars
+ * @since 3/21/17.
+ */
+public class Challenge5 extends NewLesson {
+
+ @Override
+ public Category getDefaultCategory() {
+ return Category.CHALLENGE;
+ }
+
+ @Override
+ public List getHints() {
+ return Lists.newArrayList();
+ }
+
+ @Override
+ public Integer getDefaultRanking() {
+ return 10;
+ }
+
+ @Override
+ public String getTitle() {
+ return "challenge5.title";
+ }
+
+ @Override
+ public String getId() {
+ return "Challenge5";
+ }
+}
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/challenge6/Challenge5.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/challenge6/Challenge5.java
deleted file mode 100644
index 140162828..000000000
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/challenge6/Challenge5.java
+++ /dev/null
@@ -1,39 +0,0 @@
-package org.owasp.webgoat.plugin.challenge5.challenge6;
-
-import com.google.common.collect.Lists;
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.NewLesson;
-
-import java.util.List;
-
-/**
- * @author nbaars
- * @since 3/21/17.
- */
-public class Challenge5 extends NewLesson {
-
- @Override
- public Category getDefaultCategory() {
- return Category.CHALLENGE;
- }
-
- @Override
- public List getHints() {
- return Lists.newArrayList();
- }
-
- @Override
- public Integer getDefaultRanking() {
- return 10;
- }
-
- @Override
- public String getTitle() {
- return "challenge5.title";
- }
-
- @Override
- public String getId() {
- return "Challenge5";
- }
-}
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge6/Assignment6.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge6/Assignment6.java
index 743e5036f..b3822b9ce 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge6/Assignment6.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge6/Assignment6.java
@@ -10,10 +10,7 @@ import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.WebSession;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.util.StringUtils;
-import org.springframework.web.bind.annotation.PutMapping;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.*;
import java.sql.*;
@@ -24,7 +21,7 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST;
* @author nbaars
* @since 4/8/17.
*/
-@AssignmentPath("/challenge/6")
+@RestController
@Slf4j
public class Assignment6 extends AssignmentEndpoint {
@@ -38,7 +35,7 @@ public class Assignment6 extends AssignmentEndpoint {
log.info("Challenge 6 tablename is: {}", USERS_TABLE_NAME);
}
- @PutMapping //assignment path is bounded to class so we use different http method :-)
+ @PutMapping("/challenge/6") //assignment path is bounded to class so we use different http method :-)
@ResponseBody
public AttackResult registerNewUser(@RequestParam String username_reg, @RequestParam String email_reg, @RequestParam String password_reg) throws Exception {
AttackResult attackResult = checkArguments(username_reg, email_reg, password_reg);
@@ -75,7 +72,7 @@ public class Assignment6 extends AssignmentEndpoint {
return null;
}
- @RequestMapping(method = POST)
+ @PostMapping("/challenge/6")
@ResponseBody
public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {
Connection connection = DatabaseUtilities.getConnection(webSession);
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge7/Assignment7.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge7/Assignment7.java
index 2e12e14cc..23dc6bda1 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge7/Assignment7.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge7/Assignment7.java
@@ -30,7 +30,7 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST;
* @author nbaars
* @since 4/8/17.
*/
-@AssignmentPath("/challenge/7")
+@RestController
@Slf4j
public class Assignment7 extends AssignmentEndpoint {
@@ -48,7 +48,7 @@ public class Assignment7 extends AssignmentEndpoint {
@Value("${webwolf.url.mail}")
private String webWolfMailURL;
- @GetMapping("/reset-password/{link}")
+ @GetMapping("/challenge/7/reset-password/{link}")
public ResponseEntity resetPassword(@PathVariable(value = "link") String link) {
if (link.equals(SolutionConstants.ADMIN_PASSWORD_LINK)) {
return ResponseEntity.accepted().body("Success!!
" +
@@ -58,7 +58,7 @@ public class Assignment7 extends AssignmentEndpoint {
return ResponseEntity.status(HttpStatus.I_AM_A_TEAPOT).body("That is not the reset link for admin");
}
- @RequestMapping(method = POST)
+ @PostMapping("/challenge/7")
@ResponseBody
public AttackResult sendPasswordResetLink(@RequestParam String email, HttpServletRequest request) throws URISyntaxException {
if (StringUtils.hasText(email)) {
@@ -77,7 +77,7 @@ public class Assignment7 extends AssignmentEndpoint {
return success().feedback("email.send").feedbackArgs(email).build();
}
- @RequestMapping(method = GET, value = "/.git", produces = MediaType.APPLICATION_OCTET_STREAM_VALUE)
+ @GetMapping(value = "/challenge/7/.git", produces = MediaType.APPLICATION_OCTET_STREAM_VALUE)
@ResponseBody
@SneakyThrows
public ClassPathResource git() {
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge8/Assignment8.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge8/Assignment8.java
index 5a38aaf4e..0dff250b6 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge8/Assignment8.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge8/Assignment8.java
@@ -10,6 +10,7 @@ import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
import javax.servlet.http.HttpServletRequest;
import java.util.HashMap;
@@ -20,7 +21,7 @@ import java.util.stream.Collectors;
* @author nbaars
* @since 4/8/17.
*/
-@AssignmentPath("/challenge/8")
+@RestController
@Slf4j
public class Assignment8 extends AssignmentEndpoint {
@@ -34,7 +35,7 @@ public class Assignment8 extends AssignmentEndpoint {
votes.put(5, 300);
}
- @GetMapping(value = "/vote/{stars}", produces = MediaType.APPLICATION_JSON_VALUE)
+ @GetMapping(value = "/challenge/8/vote/{stars}", produces = MediaType.APPLICATION_JSON_VALUE)
@ResponseBody
public ResponseEntity vote(@PathVariable(value = "stars") int nrOfStars, HttpServletRequest request) {
//Simple implementation of VERB Based Authentication
@@ -50,12 +51,12 @@ public class Assignment8 extends AssignmentEndpoint {
return ResponseEntity.ok().header("X-Flag", "Thanks for voting, your flag is: " + Flag.FLAGS.get(8)).build();
}
- @GetMapping("/votes/")
+ @GetMapping("/challenge/8/votes/")
public ResponseEntity getVotes() {
return ResponseEntity.ok(votes.entrySet().stream().collect(Collectors.toMap(e -> "" + e.getKey(), e -> e.getValue())));
}
- @GetMapping("/votes/average")
+ @GetMapping("/challenge/8/votes/average")
public ResponseEntity> average() {
int totalNumberOfVotes = votes.values().stream().mapToInt(i -> i.intValue()).sum();
int categories = votes.entrySet().stream().mapToInt(e -> e.getKey() * e.getValue()).reduce(0, (a, b) -> a + b);
@@ -63,6 +64,5 @@ public class Assignment8 extends AssignmentEndpoint {
json.put("average", (int) Math.ceil((double) categories / totalNumberOfVotes));
return ResponseEntity.ok(json);
}
-
}
diff --git a/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkDummy.java b/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkDummy.java
index e5efd285d..f8f425ee1 100644
--- a/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkDummy.java
+++ b/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkDummy.java
@@ -4,34 +4,29 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.UserSessionData;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.*;
import java.io.IOException;
/**
* This is just a class used to make the the HTTP request.
+ *
* @author TMelzer
* @since 30.11.18
*/
-@AssignmentPath("/ChromeDevTools/dummy")
+@RestController
public class NetworkDummy extends AssignmentEndpoint {
- @RequestMapping(method = RequestMethod.POST)
- public
- @ResponseBody
- AttackResult completed(@RequestParam String successMessage) throws IOException {
-
- UserSessionData userSessionData = getUserSessionData();
- String answer = (String) userSessionData.getValue("randValue");
+ @PostMapping("/ChromeDevTools/dummy")
+ @ResponseBody
+ public AttackResult completed(@RequestParam String successMessage) {
+ UserSessionData userSessionData = getUserSessionData();
+ String answer = (String) userSessionData.getValue("randValue");
- if (successMessage!=null && successMessage.equals(answer)) {
- return trackProgress(success().feedback("xss-dom-message-success").build());
- } else {
- return trackProgress(failed().feedback("xss-dom-message-failure").build());
- }
-
- }
+ if (successMessage != null && successMessage.equals(answer)) {
+ return trackProgress(success().feedback("xss-dom-message-success").build());
+ } else {
+ return trackProgress(failed().feedback("xss-dom-message-failure").build());
+ }
+ }
}
\ No newline at end of file
diff --git a/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkLesson.java b/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkLesson.java
index 1969e53e9..8e02f537d 100644
--- a/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkLesson.java
+++ b/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkLesson.java
@@ -5,38 +5,34 @@ import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.http.ResponseEntity;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.*;
import java.io.IOException;
/**
* Assignment where the user has to look through an HTTP Request
* using the Developer Tools and find a specific number.
+ *
* @author TMelzer
* @since 30.11.18
*/
-@AssignmentPath("/ChromeDevTools/network")
+@RestController
@AssignmentHints({"networkHint1", "networkHint2"})
public class NetworkLesson extends AssignmentEndpoint {
- @RequestMapping(method = RequestMethod.POST, params= {"network_num","number"})
- public
- @ResponseBody
- AttackResult completed(@RequestParam String network_num, @RequestParam String number) throws IOException {
- if(network_num.equals(number)) {
- return trackProgress(success().feedback("network.success").output("").build());
- } else {
- return trackProgress(failed().feedback("network.failed").build());
+ @PostMapping(value = "/ChromeDevTools/network", params = {"network_num", "number"})
+ @ResponseBody
+ public AttackResult completed(@RequestParam String network_num, @RequestParam String number) {
+ if (network_num.equals(number)) {
+ return trackProgress(success().feedback("network.success").output("").build());
+ } else {
+ return trackProgress(failed().feedback("network.failed").build());
+ }
+ }
+
+ @PostMapping(path = "/ChromeDevTools/network", params = "networkNum")
+ @ResponseBody
+ public ResponseEntity ok(@RequestParam String networkNum) {
+ return ResponseEntity.ok().build();
}
- }
-
- @RequestMapping(method = RequestMethod.POST, params="networkNum")
- public
- @ResponseBody
- ResponseEntity ok(@RequestParam String networkNum) throws IOException {
- return ResponseEntity.ok().build();
- }
}
diff --git a/webgoat-lessons/chrome-dev-tools/src/Test/java/org.owasp.webgoat.plugin/ChromeDevToolsTest.java b/webgoat-lessons/chrome-dev-tools/src/test/java/org.owasp.webgoat.plugin/ChromeDevToolsTest.java
similarity index 100%
rename from webgoat-lessons/chrome-dev-tools/src/Test/java/org.owasp.webgoat.plugin/ChromeDevToolsTest.java
rename to webgoat-lessons/chrome-dev-tools/src/test/java/org.owasp.webgoat.plugin/ChromeDevToolsTest.java
diff --git a/webgoat-lessons/cia/src/main/java/org/owasp/webgoat/plugin/CIAQuiz.java b/webgoat-lessons/cia/src/main/java/org/owasp/webgoat/plugin/CIAQuiz.java
index 28f3a2f5b..9df73ee36 100644
--- a/webgoat-lessons/cia/src/main/java/org/owasp/webgoat/plugin/CIAQuiz.java
+++ b/webgoat-lessons/cia/src/main/java/org/owasp/webgoat/plugin/CIAQuiz.java
@@ -4,10 +4,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.DatabaseUtilities;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.*;
import java.io.IOException;
import java.sql.Connection;
@@ -15,20 +12,20 @@ import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
-@AssignmentPath("/cia/quiz")
+@RestController
public class CIAQuiz extends AssignmentEndpoint {
String[] solutions = {"Solution 3", "Solution 1", "Solution 4", "Solution 2"};
boolean[] guesses = new boolean[solutions.length];
- @RequestMapping(method = RequestMethod.POST)
+ @PostMapping("/cia/quiz")
@ResponseBody
- public AttackResult completed(@RequestParam String[] question_0_solution, @RequestParam String[] question_1_solution, @RequestParam String[] question_2_solution, @RequestParam String[] question_3_solution) throws IOException {
+ public AttackResult completed(@RequestParam String[] question_0_solution, @RequestParam String[] question_1_solution, @RequestParam String[] question_2_solution, @RequestParam String[] question_3_solution) {
int correctAnswers = 0;
String[] givenAnswers = {question_0_solution[0], question_1_solution[0], question_2_solution[0], question_3_solution[0]};
- for(int i = 0; i < solutions.length; i++) {
+ for (int i = 0; i < solutions.length; i++) {
if (givenAnswers[i].contains(solutions[i])) {
// answer correct
correctAnswers++;
@@ -39,14 +36,14 @@ public class CIAQuiz extends AssignmentEndpoint {
}
}
- if(correctAnswers == solutions.length) {
+ if (correctAnswers == solutions.length) {
return trackProgress(success().build());
} else {
return trackProgress(failed().build());
}
}
- @RequestMapping(method = RequestMethod.GET)
+ @GetMapping("/cia/quiz")
@ResponseBody
public boolean[] getResults() {
return this.guesses;
diff --git a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFilteringAssignment.java b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFilteringAssignment.java
index e21f5c77d..e1368221b 100644
--- a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFilteringAssignment.java
+++ b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFilteringAssignment.java
@@ -4,10 +4,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.*;
import java.io.IOException;
@@ -40,14 +37,13 @@ import java.io.IOException;
* @version $Id: $Id
* @since August 11, 2016
*/
-@AssignmentPath("/clientSideFiltering/attack1")
+@RestController
@AssignmentHints({"ClientSideFilteringHint1", "ClientSideFilteringHint2", "ClientSideFilteringHint3", "ClientSideFilteringHint4"})
public class ClientSideFilteringAssignment extends AssignmentEndpoint {
- @RequestMapping(method = RequestMethod.POST)
- public
+ @PostMapping("/clientSideFiltering/attack1")
@ResponseBody
- AttackResult completed(@RequestParam String answer) throws IOException {
+ public AttackResult completed(@RequestParam String answer) {
return trackProgress("450000".equals(answer) ?
success().feedback("assignment.solved").build() :
failed().feedback("ClientSideFiltering.incorrect").build());
diff --git a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFilteringFreeAssignment.java b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFilteringFreeAssignment.java
index d27e67c86..78923ad57 100644
--- a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFilteringFreeAssignment.java
+++ b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFilteringFreeAssignment.java
@@ -4,10 +4,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.*;
import java.io.IOException;
@@ -15,16 +12,15 @@ import java.io.IOException;
* @author nbaars
* @since 4/6/17.
*/
-@AssignmentPath("/clientSideFiltering/getItForFree")
+@RestController
@AssignmentHints({"client.side.filtering.free.hint1", "client.side.filtering.free.hint2", "client.side.filtering.free.hint3"})
public class ClientSideFilteringFreeAssignment extends AssignmentEndpoint {
public static final String SUPER_COUPON_CODE = "get_it_for_free";
- @RequestMapping(method = RequestMethod.POST)
- public
+ @PostMapping("/clientSideFiltering/getItForFree")
@ResponseBody
- AttackResult completed(@RequestParam String checkoutCode) {
+ public AttackResult completed(@RequestParam String checkoutCode) {
if (SUPER_COUPON_CODE.equals(checkoutCode)) {
return trackProgress(success().build());
}
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson1.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson1.java
index 084cff5c6..41de6c257 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson1.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson1.java
@@ -2,57 +2,53 @@
package org.owasp.webgoat.plugin;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
-
-import javax.servlet.http.HttpServletRequest;
-import java.io.IOException;
-
+import org.springframework.web.bind.annotation.RestController;
/***************************************************************************************************
- *
- *
+ *
+ *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
- *
+ *
* Copyright (c) 2002 - 20014 Bruce Mayhew
- *
+ *
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
- *
+ *
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
- *
+ *
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
- *
+ *
* Getting Source ==============
- *
+ *
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
- *
+ *
* For details, please see http://webgoat.github.io
- *
+ *
* @author Bruce Mayhew WebGoat
* @created October 28, 2003
*/
-@AssignmentPath("/CrossSiteScripting/attack1")
+@RestController
public class CrossSiteScriptingLesson1 extends AssignmentEndpoint {
- @RequestMapping(method = RequestMethod.POST)
- public @ResponseBody AttackResult completed(@RequestParam String answer_xss_1, HttpServletRequest request) throws IOException {
- if (answer_xss_1.toString().toLowerCase().equals("yes")) {
- return trackProgress(success().build());
- } else {
- return trackProgress(failed().feedback("xss.lesson1.failure").build());
- }
- }
+ @PostMapping("/CrossSiteScripting/attack1")
+ @ResponseBody
+ public AttackResult completed(@RequestParam String answer_xss_1) {
+ if (answer_xss_1.toString().toLowerCase().equals("yes")) {
+ return trackProgress(success().build());
+ } else {
+ return trackProgress(failed().feedback("xss.lesson1.failure").build());
+ }
+ }
}
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson3.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson3.java
index b8d6c672a..91eba4ae2 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson3.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson3.java
@@ -7,16 +7,13 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.*;
-@AssignmentPath("CrossSiteScripting/attack3")
+@RestController
@AssignmentHints(value = {"xss-mitigation-3-hint1", "xss-mitigation-3-hint2", "xss-mitigation-3-hint3", "xss-mitigation-3-hint4"})
public class CrossSiteScriptingLesson3 extends AssignmentEndpoint {
- @RequestMapping(method = RequestMethod.POST)
+ @PostMapping("CrossSiteScripting/attack3")
@ResponseBody
public AttackResult completed(@RequestParam String editor) {
String unescapedString = org.jsoup.parser.Parser.unescapeEntities(editor, true);
@@ -49,7 +46,7 @@ public class CrossSiteScriptingLesson3 extends AssignmentEndpoint {
} else {
return trackProgress(failed().feedback("xss-mitigation-3-failure").build());
}
- }catch(Exception e) {
+ } catch (Exception e) {
return trackProgress(failed().output(e.getMessage()).build());
}
}
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson4.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson4.java
index 2c7b5857e..0331b58b7 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson4.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson4.java
@@ -4,10 +4,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.*;
import javax.tools.*;
import java.io.IOException;
@@ -17,28 +14,26 @@ import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
-@AssignmentPath("CrossSiteScripting/attack4")
+@RestController
@AssignmentHints(value = {"xss-mitigation-4-hint1"})
public class CrossSiteScriptingLesson4 extends AssignmentEndpoint {
- @RequestMapping(method = RequestMethod.POST)
+ @PostMapping("CrossSiteScripting/attack4")
@ResponseBody
public AttackResult completed(@RequestParam String editor2) {
- String editor = editor2.replaceAll("\\<.*?>","");
+ String editor = editor2.replaceAll("\\<.*?>", "");
System.out.println(editor);
if ((editor.contains("Policy.getInstance(\"antisamy-slashdot.xml\"") || editor.contains(".scan(newComment, \"antisamy-slashdot.xml\"") || editor.contains(".scan(newComment, new File(\"antisamy-slashdot.xml\")")) &&
- editor.contains("new AntiSamy();")&&
+ editor.contains("new AntiSamy();") &&
editor.contains(".scan(newComment,") &&
editor.contains("CleanResults") &&
- editor.contains("MyCommentDAO.addComment(threadID, userID")&&
- editor.contains(".getCleanHTML());"))
- {
+ editor.contains("MyCommentDAO.addComment(threadID, userID") &&
+ editor.contains(".getCleanHTML());")) {
System.out.println("true");
return trackProgress(success().feedback("xss-mitigation-4-success").build());
- }
- else {
+ } else {
System.out.println("false");
return trackProgress(failed().feedback("xss-mitigation-4-failed").build());
}
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java
index 18946e22c..d9b955192 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java
@@ -7,16 +7,12 @@ import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.UserSessionData;
import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
-
/***************************************************************************************************
*
*
@@ -47,52 +43,52 @@ import java.io.IOException;
* @author Bruce Mayhew WebGoat
* @created October 28, 2003
*/
-@AssignmentPath("/CrossSiteScripting/attack5a")
+@RestController
@AssignmentHints(value = {"xss-reflected-5a-hint-1", "xss-reflected-5a-hint-2", "xss-reflected-5a-hint-3", "xss-reflected-5a-hint-4"})
public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
- @Autowired
- UserSessionData userSessionData;
+ @Autowired
+ UserSessionData userSessionData;
- @RequestMapping(method = RequestMethod.GET)
- public @ResponseBody AttackResult completed(@RequestParam Integer QTY1,
- @RequestParam Integer QTY2, @RequestParam Integer QTY3,
- @RequestParam Integer QTY4, @RequestParam String field1,
- @RequestParam String field2, HttpServletRequest request)
- throws IOException {
+ @GetMapping("/CrossSiteScripting/attack5a")
+ @ResponseBody
+ public AttackResult completed(@RequestParam Integer QTY1,
+ @RequestParam Integer QTY2, @RequestParam Integer QTY3,
+ @RequestParam Integer QTY4, @RequestParam String field1,
+ @RequestParam String field2) {
- if (field2.toLowerCase().matches("