Working unit tests
@ -2,57 +2,53 @@
|
||||
package org.owasp.webgoat.plugin;
|
||||
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import java.io.IOException;
|
||||
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
|
||||
|
||||
/***************************************************************************************************
|
||||
*
|
||||
*
|
||||
*
|
||||
*
|
||||
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
|
||||
* please see http://www.owasp.org/
|
||||
*
|
||||
*
|
||||
* Copyright (c) 2002 - 20014 Bruce Mayhew
|
||||
*
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it under the terms of the
|
||||
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
|
||||
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
* General Public License for more details.
|
||||
*
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along with this program; if
|
||||
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
|
||||
* 02111-1307, USA.
|
||||
*
|
||||
*
|
||||
* Getting Source ==============
|
||||
*
|
||||
*
|
||||
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
|
||||
* projects.
|
||||
*
|
||||
*
|
||||
* For details, please see http://webgoat.github.io
|
||||
*
|
||||
*
|
||||
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
|
||||
* @created October 28, 2003
|
||||
*/
|
||||
@AssignmentPath("/CrossSiteScripting/attack1")
|
||||
@RestController
|
||||
public class CrossSiteScriptingLesson1 extends AssignmentEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
public @ResponseBody AttackResult completed(@RequestParam String answer_xss_1, HttpServletRequest request) throws IOException {
|
||||
if (answer_xss_1.toString().toLowerCase().equals("yes")) {
|
||||
return trackProgress(success().build());
|
||||
} else {
|
||||
return trackProgress(failed().feedback("xss.lesson1.failure").build());
|
||||
}
|
||||
}
|
||||
@PostMapping("/CrossSiteScripting/attack1")
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String answer_xss_1) {
|
||||
if (answer_xss_1.toString().toLowerCase().equals("yes")) {
|
||||
return trackProgress(success().build());
|
||||
} else {
|
||||
return trackProgress(failed().feedback("xss.lesson1.failure").build());
|
||||
}
|
||||
}
|
||||
}
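Review bot: The new `completed` still compares the parameter with `answer_xss_1.toString().toLowerCase().equals("yes")`; `toString()` on a `String` is a no-op and the default-locale `toLowerCase()` is unnecessary, so `if (answer_xss_1.equalsIgnoreCase("yes")) {` says the same thing without the locale dependency. The path literal `/CrossSiteScripting/attack1` now appears twice, on `@AssignmentPath` and on `@PostMapping`; if both must stay, a `private static final String PATH` keeps them from drifting apart. The same pattern of duplicated path literal is repeated in every other controller of this commit.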
|
||||
|
@ -7,16 +7,13 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
@AssignmentPath("CrossSiteScripting/attack3")
|
||||
@RestController
|
||||
@AssignmentHints(value = {"xss-mitigation-3-hint1", "xss-mitigation-3-hint2", "xss-mitigation-3-hint3", "xss-mitigation-3-hint4"})
|
||||
public class CrossSiteScriptingLesson3 extends AssignmentEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
@PostMapping("CrossSiteScripting/attack3")
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String editor) {
|
||||
String unescapedString = org.jsoup.parser.Parser.unescapeEntities(editor, true);
|
||||
@ -49,7 +46,7 @@ public class CrossSiteScriptingLesson3 extends AssignmentEndpoint {
|
||||
} else {
|
||||
return trackProgress(failed().feedback("xss-mitigation-3-failure").build());
|
||||
}
|
||||
}catch(Exception e) {
|
||||
} catch (Exception e) {
|
||||
return trackProgress(failed().output(e.getMessage()).build());
|
||||
}
|
||||
}
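Review bot: The reformatted `catch (Exception e)` still returns `e.getMessage()` to the client through `failed().output(...)`, so any runtime failure in the comparison above (which starts outside this hunk) leaks the raw exception text into the response; a reviewer would expect a fixed feedback key here, e.g. `return trackProgress(failed().feedback("xss-mitigation-3-failure").build());`, with the exception logged server-side. Catching `Exception` this broadly also hides programming errors; narrowing to the type the try block can actually throw would be preferable. In the first hunk of this file the explicit `org.springframework.web.bind.annotation` imports are replaced by a wildcard import, which the project style elsewhere avoids; the same wildcard is introduced in the Lesson4, Lesson5a, Lesson6a, Quiz, DOMCrossSiteScripting and both Verifier files.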
|
||||
|
@ -4,10 +4,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import javax.tools.*;
|
||||
import java.io.IOException;
|
||||
@ -17,28 +14,26 @@ import java.util.List;
|
||||
import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
@AssignmentPath("CrossSiteScripting/attack4")
|
||||
@RestController
|
||||
@AssignmentHints(value = {"xss-mitigation-4-hint1"})
|
||||
public class CrossSiteScriptingLesson4 extends AssignmentEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
@PostMapping("CrossSiteScripting/attack4")
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String editor2) {
|
||||
|
||||
String editor = editor2.replaceAll("\\<.*?>","");
|
||||
String editor = editor2.replaceAll("\\<.*?>", "");
|
||||
System.out.println(editor);
|
||||
|
||||
if ((editor.contains("Policy.getInstance(\"antisamy-slashdot.xml\"") || editor.contains(".scan(newComment, \"antisamy-slashdot.xml\"") || editor.contains(".scan(newComment, new File(\"antisamy-slashdot.xml\")")) &&
|
||||
editor.contains("new AntiSamy();")&&
|
||||
editor.contains("new AntiSamy();") &&
|
||||
editor.contains(".scan(newComment,") &&
|
||||
editor.contains("CleanResults") &&
|
||||
editor.contains("MyCommentDAO.addComment(threadID, userID")&&
|
||||
editor.contains(".getCleanHTML());"))
|
||||
{
|
||||
editor.contains("MyCommentDAO.addComment(threadID, userID") &&
|
||||
editor.contains(".getCleanHTML());")) {
|
||||
System.out.println("true");
|
||||
return trackProgress(success().feedback("xss-mitigation-4-success").build());
|
||||
}
|
||||
else {
|
||||
} else {
|
||||
System.out.println("false");
|
||||
return trackProgress(failed().feedback("xss-mitigation-4-failed").build());
|
||||
}
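Review bot: The new side of `completed` keeps three `System.out.println` calls, and the first one prints the stripped user-supplied `editor` text straight to stdout on every request; the `"true"`/`"false"` prints are plainly debug leftovers. These should be dropped, or at most go through a logger at debug level (`log.debug("lesson4 editor={}", editor)`) so that untrusted input does not land in the console log unconditionally. The regex in `editor2.replaceAll("\\<.*?>", "")` is recompiled per call; a `private static final Pattern TAGS = Pattern.compile("<.*?>");` would be the idiomatic form, and the method body continues outside this hunk.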
|
||||
|
@ -7,16 +7,12 @@ import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.UserSessionData;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import java.io.IOException;
|
||||
|
||||
|
||||
|
||||
/***************************************************************************************************
|
||||
*
|
||||
*
|
||||
@ -47,52 +43,52 @@ import java.io.IOException;
|
||||
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
|
||||
* @created October 28, 2003
|
||||
*/
|
||||
@AssignmentPath("/CrossSiteScripting/attack5a")
|
||||
@RestController
|
||||
@AssignmentHints(value = {"xss-reflected-5a-hint-1", "xss-reflected-5a-hint-2", "xss-reflected-5a-hint-3", "xss-reflected-5a-hint-4"})
|
||||
public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
|
||||
|
||||
@Autowired
|
||||
UserSessionData userSessionData;
|
||||
@Autowired
|
||||
UserSessionData userSessionData;
|
||||
|
||||
@RequestMapping(method = RequestMethod.GET)
|
||||
public @ResponseBody AttackResult completed(@RequestParam Integer QTY1,
|
||||
@RequestParam Integer QTY2, @RequestParam Integer QTY3,
|
||||
@RequestParam Integer QTY4, @RequestParam String field1,
|
||||
@RequestParam String field2, HttpServletRequest request)
|
||||
throws IOException {
|
||||
@GetMapping("/CrossSiteScripting/attack5a")
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam Integer QTY1,
|
||||
@RequestParam Integer QTY2, @RequestParam Integer QTY3,
|
||||
@RequestParam Integer QTY4, @RequestParam String field1,
|
||||
@RequestParam String field2) {
|
||||
|
||||
if (field2.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) {
|
||||
return trackProgress(failed().feedback("xss-reflected-5a-failed-wrong-field").build());
|
||||
}
|
||||
if (field2.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) {
|
||||
return trackProgress(failed().feedback("xss-reflected-5a-failed-wrong-field").build());
|
||||
}
|
||||
|
||||
double totalSale = QTY1.intValue() * 69.99 + QTY2.intValue() * 27.99 + QTY3.intValue() * 1599.99 + QTY4.intValue() * 299.99;
|
||||
double totalSale = QTY1.intValue() * 69.99 + QTY2.intValue() * 27.99 + QTY3.intValue() * 1599.99 + QTY4.intValue() * 299.99;
|
||||
|
||||
userSessionData.setValue("xss-reflected1-complete",(Object)"false");
|
||||
StringBuffer cart = new StringBuffer();
|
||||
cart.append("Thank you for shopping at WebGoat. <br />You're support is appreciated<hr />");
|
||||
cart.append("<p>We have charged credit card:" + field1 + "<br />");
|
||||
cart.append( " ------------------- <br />");
|
||||
cart.append( " $" + totalSale);
|
||||
userSessionData.setValue("xss-reflected1-complete", (Object) "false");
|
||||
StringBuffer cart = new StringBuffer();
|
||||
cart.append("Thank you for shopping at WebGoat. <br />You're support is appreciated<hr />");
|
||||
cart.append("<p>We have charged credit card:" + field1 + "<br />");
|
||||
cart.append(" ------------------- <br />");
|
||||
cart.append(" $" + totalSale);
|
||||
|
||||
//init state
|
||||
if (userSessionData.getValue("xss-reflected1-complete") == null) {
|
||||
userSessionData.setValue("xss-reflected1-complete",(Object)"false");
|
||||
}
|
||||
//init state
|
||||
if (userSessionData.getValue("xss-reflected1-complete") == null) {
|
||||
userSessionData.setValue("xss-reflected1-complete", (Object) "false");
|
||||
}
|
||||
|
||||
if (field1.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) {
|
||||
//return trackProgress()
|
||||
userSessionData.setValue("xss-reflected-5a-complete","true");
|
||||
if(field1.toLowerCase().contains("console.log")) {
|
||||
return trackProgress(success().feedback("xss-reflected-5a-success-console").output(cart.toString()).build());
|
||||
} else {
|
||||
return trackProgress(success().feedback("xss-reflected-5a-success-alert").output(cart.toString()).build());
|
||||
}
|
||||
} else {
|
||||
userSessionData.setValue("xss-reflected1-complete","false");
|
||||
return trackProgress(success()
|
||||
.feedback("xss-reflected-5a-failure")
|
||||
.output(cart.toString())
|
||||
.build());
|
||||
}
|
||||
}
|
||||
if (field1.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) {
|
||||
//return trackProgress()
|
||||
userSessionData.setValue("xss-reflected-5a-complete", "true");
|
||||
if (field1.toLowerCase().contains("console.log")) {
|
||||
return trackProgress(success().feedback("xss-reflected-5a-success-console").output(cart.toString()).build());
|
||||
} else {
|
||||
return trackProgress(success().feedback("xss-reflected-5a-success-alert").output(cart.toString()).build());
|
||||
}
|
||||
} else {
|
||||
userSessionData.setValue("xss-reflected1-complete", "false");
|
||||
return trackProgress(success()
|
||||
.feedback("xss-reflected-5a-failure")
|
||||
.output(cart.toString())
|
||||
.build());
|
||||
}
|
||||
}
|
||||
}
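Review bot: In the new `completed`, `userSessionData.setValue("xss-reflected1-complete", (Object) "false")` runs unconditionally before the `//init state` block, so the `getValue(...) == null` check a few lines later can never be true (unless `setValue` discards values, which the page does not show) and that block is dead code. The success branch then writes key `"xss-reflected-5a-complete"` while the else branch resets `"xss-reflected1-complete"`, two different keys for what reads like one flag; pick one name as a constant and use it in all three places. The else branch also returns `success()` with the feedback `"xss-reflected-5a-failure"`, which may be intentional so the cart is still rendered, but deserves a comment if so. `StringBuffer cart` is a method-local builder, so `StringBuilder` is the right type, and the repeated `matches("<script>...")` literal belongs in one `static final Pattern`.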
|
@ -7,53 +7,50 @@ import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.UserSessionData;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import java.io.IOException;
|
||||
|
||||
|
||||
/***************************************************************************************************
|
||||
*
|
||||
*
|
||||
*
|
||||
*
|
||||
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
|
||||
* please see http://www.owasp.org/
|
||||
*
|
||||
*
|
||||
* Copyright (c) 2002 - 20014 Bruce Mayhew
|
||||
*
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it under the terms of the
|
||||
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
|
||||
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
* General Public License for more details.
|
||||
*
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along with this program; if
|
||||
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
|
||||
* 02111-1307, USA.
|
||||
*
|
||||
*
|
||||
* Getting Source ==============
|
||||
*
|
||||
*
|
||||
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
|
||||
* projects.
|
||||
*
|
||||
*
|
||||
* For details, please see http://webgoat.github.io
|
||||
*
|
||||
*
|
||||
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
|
||||
* @created October 28, 2003
|
||||
*/
|
||||
@AssignmentPath("/CrossSiteScripting/attack6a")
|
||||
@RestController
|
||||
@AssignmentHints(value = {"xss-reflected-6a-hint-1", "xss-reflected-6a-hint-2", "xss-reflected-6a-hint-3", "xss-reflected-6a-hint-4"})
|
||||
public class CrossSiteScriptingLesson6a extends AssignmentEndpoint {
|
||||
@Autowired
|
||||
UserSessionData userSessionData;
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
public @ResponseBody
|
||||
AttackResult completed(@RequestParam String DOMTestRoute) throws IOException {
|
||||
@PostMapping("/CrossSiteScripting/attack6a")
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String DOMTestRoute) {
|
||||
|
||||
if (DOMTestRoute.matches("start\\.mvc#test(\\/|)")) {
|
||||
//return trackProgress()
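Review bot: The condition `DOMTestRoute.matches("start\\.mvc#test(\\/|)")` in the new `completed` uses an empty alternative to express an optional slash, which reads as a typo; `DOMTestRoute.matches("start\\.mvc#test/?")` is equivalent and clearer, and the pattern would be better held in a `static final Pattern` than recompiled per request. The method body continues past this hunk, so whatever follows the commented-out `//return trackProgress()` line was not reviewed; that dead comment should be removed. The parameter name `DOMTestRoute` is a request-parameter name, so it must stay, but a short Javadoc on the method stating that it only checks the submitted route string would help the next reader.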
|
||||
|
@ -1,29 +1,25 @@
|
||||
package org.owasp.webgoat.plugin;
|
||||
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import java.io.IOException;
|
||||
|
||||
@AssignmentPath("/cross-site-scripting/quiz")
|
||||
@RestController
|
||||
public class CrossSiteScriptingQuiz extends AssignmentEndpoint {
|
||||
|
||||
String[] solutions = {"Solution 4", "Solution 3", "Solution 1", "Solution 2", "Solution 4"};
|
||||
boolean[] guesses = new boolean[solutions.length];
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
@PostMapping("/cross-site-scripting/quiz")
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String[] question_0_solution, @RequestParam String[] question_1_solution, @RequestParam String[] question_2_solution, @RequestParam String[] question_3_solution, @RequestParam String[] question_4_solution) throws IOException {
|
||||
int correctAnswers = 0;
|
||||
|
||||
String[] givenAnswers = {question_0_solution[0], question_1_solution[0], question_2_solution[0], question_3_solution[0], question_4_solution[0]};
|
||||
|
||||
for(int i = 0; i < solutions.length; i++) {
|
||||
for (int i = 0; i < solutions.length; i++) {
|
||||
if (givenAnswers[i].contains(solutions[i])) {
|
||||
// answer correct
|
||||
correctAnswers++;
|
||||
@ -34,17 +30,17 @@ public class CrossSiteScriptingQuiz extends AssignmentEndpoint {
|
||||
}
|
||||
}
|
||||
|
||||
if(correctAnswers == solutions.length) {
|
||||
if (correctAnswers == solutions.length) {
|
||||
return trackProgress(success().build());
|
||||
} else {
|
||||
return trackProgress(failed().build());
|
||||
}
|
||||
}
|
||||
|
||||
@RequestMapping(method = RequestMethod.GET)
|
||||
@GetMapping("/cross-site-scripting/quiz")
|
||||
@ResponseBody
|
||||
public boolean[] getResults() {
|
||||
return this.guesses;
|
||||
}
|
||||
|
||||
}
|
||||
}
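Review bot: `getResults()` returns the `guesses` array declared on the controller in the first hunk of this file, and since a `@RestController` is presumably a singleton, that array is one shared mutable object for every user of the server: one user's quiz progress can be read back by any other session calling `GET /cross-site-scripting/quiz`, and concurrent submissions race on it. If per-user results are intended, the state should live in the user's session (the other lessons use `UserSessionData`) rather than on the bean; at minimum, return a copy, `return this.guesses.clone();`, instead of the internal array. `completed` in the first hunk still declares `throws IOException` although the other controllers in this commit dropped it, and `question_0_solution[0]` and friends assume a non-empty array for each parameter, which is worth a comment or a check.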
|
||||
|
@ -32,29 +32,24 @@
|
||||
package org.owasp.webgoat.plugin;
|
||||
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.UserSessionData;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import java.io.IOException;
|
||||
import java.security.SecureRandom;
|
||||
|
||||
|
||||
@AssignmentPath("/CrossSiteScripting/phone-home-xss")
|
||||
@RestController
|
||||
public class DOMCrossSiteScripting extends AssignmentEndpoint {
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
public @ResponseBody
|
||||
AttackResult completed(@RequestParam Integer param1,
|
||||
@RequestParam Integer param2, HttpServletRequest request) throws IOException {
|
||||
|
||||
UserSessionData userSessionData = getUserSessionData();
|
||||
@PostMapping("/CrossSiteScripting/phone-home-xss")
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam Integer param1,
|
||||
@RequestParam Integer param2, HttpServletRequest request) {
|
||||
UserSessionData userSessionData = getUserSessionData();
|
||||
SecureRandom number = new SecureRandom();
|
||||
userSessionData.setValue("randValue",String.valueOf(number.nextInt()));
|
||||
userSessionData.setValue("randValue", String.valueOf(number.nextInt()));
|
||||
|
||||
if (param1 == 42 && param2 == 24 && request.getHeader("webgoat-requested-by").equals("dom-xss-vuln")) {
|
||||
return trackProgress(success().output("phoneHome Response is " + userSessionData.getValue("randValue").toString()).build());
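Review bot: In the new `completed`, `request.getHeader("webgoat-requested-by").equals("dom-xss-vuln")` throws a `NullPointerException` whenever the header is absent, which turns an ordinary wrong request into a 500 instead of a failed attempt; reversing the comparison, `"dom-xss-vuln".equals(request.getHeader("webgoat-requested-by"))`, is null-safe. `param1 == 42 && param2 == 24` relies on unboxing of `@RequestParam Integer`, which is fine while the parameters are required, but a comment saying so would prevent someone making them optional later. The method body continues outside this hunk.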
|
||||
|
@ -36,10 +36,7 @@ import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.UserSessionData;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import java.io.IOException;
|
||||
@ -47,13 +44,13 @@ import java.io.IOException;
|
||||
/**
|
||||
* Created by jason on 11/23/16.
|
||||
*/
|
||||
@AssignmentPath("/CrossSiteScripting/dom-follow-up")
|
||||
@RestController
|
||||
@AssignmentHints(value = {"xss-dom-message-hint-1", "xss-dom-message-hint-2", "xss-dom-message-hint-3", "xss-dom-message-hint-4", "xss-dom-message-hint-5", "xss-dom-message-hint-6"})
|
||||
public class DOMCrossSiteScriptingVerifier extends AssignmentEndpoint {
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
public @ResponseBody
|
||||
AttackResult completed(@RequestParam String successMessage) throws IOException {
|
||||
|
||||
@PostMapping("/CrossSiteScripting/dom-follow-up")
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String successMessage) {
|
||||
UserSessionData userSessionData = getUserSessionData();
|
||||
String answer = (String) userSessionData.getValue("randValue");
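Review bot: The new `completed` reads `String answer = (String) userSessionData.getValue("randValue");` and `randValue` is only written by the phone-home endpoint in `DOMCrossSiteScripting`, so `answer` is null when that endpoint has not been hit in the current session; the comparison that follows lies outside this hunk and should be checked to be null-safe, e.g. `if (answer != null && answer.equals(successMessage))`. A one-line comment on the assignment, `// set by DOMCrossSiteScripting.completed; null until phone-home ran`, would record where the value comes from.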
|
||||
|
||||
|
@ -35,22 +35,19 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.UserSessionData;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import java.io.IOException;
|
||||
|
||||
/**
|
||||
* Created by jason on 11/23/16.
|
||||
*/
|
||||
@AssignmentPath("/CrossSiteScripting/stored-xss-follow-up")
|
||||
@RestController
|
||||
public class StoredCrossSiteScriptingVerifier extends AssignmentEndpoint {
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
public @ResponseBody
|
||||
AttackResult completed(@RequestParam String successMessage) throws IOException {
|
||||
|
||||
@PostMapping("/CrossSiteScripting/stored-xss-follow-up")
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String successMessage) {
|
||||
UserSessionData userSessionData = getUserSessionData();
|
||||
|
||||
if (successMessage.equals(userSessionData.getValue("randValue").toString())) {
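Review bot: The new `completed` calls `userSessionData.getValue("randValue").toString()` inside the `if`, and `randValue` is only populated by the phone-home endpoint, so a submission made before that step raises a `NullPointerException` and a 500 response rather than a failed attempt. Read the value first and guard it: `Object expected = userSessionData.getValue("randValue");` followed by `if (expected != null && successMessage.equals(expected.toString())) {`. The if body continues outside this hunk.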
|
||||
|
@ -48,12 +48,13 @@ import org.springframework.web.bind.annotation.*;
|
||||
import org.owasp.encoder.*;
|
||||
|
||||
import static org.springframework.http.MediaType.ALL_VALUE;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.util.*;
|
||||
|
||||
import static org.springframework.web.bind.annotation.RequestMethod.GET;
|
||||
|
||||
@AssignmentPath("/CrossSiteScripting/stored-xss")
|
||||
@RestController
|
||||
public class StoredXssComments extends AssignmentEndpoint {
|
||||
|
||||
@Autowired
|
||||
@ -72,7 +73,7 @@ public class StoredXssComments extends AssignmentEndpoint {
|
||||
comments.add(new Comment("guest", DateTime.now().toString(fmt), "Can you post a comment, calling webgoat.customjs.phoneHome() ?"));
|
||||
}
|
||||
|
||||
@RequestMapping(method = GET, produces = MediaType.APPLICATION_JSON_VALUE,consumes = ALL_VALUE)
|
||||
@GetMapping(path = "/CrossSiteScripting/stored-xss", produces = MediaType.APPLICATION_JSON_VALUE, consumes = ALL_VALUE)
|
||||
@ResponseBody
|
||||
public Collection<Comment> retrieveComments() {
|
||||
List<Comment> allComments = Lists.newArrayList();
|
||||
@ -85,10 +86,9 @@ public class StoredXssComments extends AssignmentEndpoint {
|
||||
return allComments;
|
||||
}
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
@PostMapping("/CrossSiteScripting/stored-xss")
|
||||
@ResponseBody
|
||||
public AttackResult createNewComment (@RequestBody String commentStr) throws IOException {
|
||||
|
||||
public AttackResult createNewComment(@RequestBody String commentStr) {
|
||||
Comment comment = parseJson(commentStr);
|
||||
|
||||
EvictingQueue<Comment> comments = userComments.getOrDefault(webSession.getUserName(), EvictingQueue.create(100));
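Review bot: In the new `createNewComment`, `userComments.getOrDefault(webSession.getUserName(), EvictingQueue.create(100))` does not store the freshly created queue in the map, so unless a `put` follows further down (the body continues outside this hunk) the first comment of a user is added to a queue that is immediately discarded; `userComments.computeIfAbsent(webSession.getUserName(), k -> EvictingQueue.create(100))` both creates and registers it. `parseJson(commentStr)` is called with no handling of a malformed body here, and the last hunk of this file shows a bare `return new Comment();`, which suggests parse failures are turned into an empty comment silently; that deserves either an explicit failed result or at least a comment. In the `retrieveComments` hunk, `consumes = ALL_VALUE` on a `@GetMapping` has no effect for a request without a body and can be dropped.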
|
||||
@ -113,9 +113,4 @@ public class StoredXssComments extends AssignmentEndpoint {
|
||||
return new Comment();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
}
|