Working unit tests
@ -2,28 +2,27 @@ package org.owasp.webgoat.plugin;
|
||||
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.UserSessionData;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
|
||||
/**
|
||||
* Created by jason on 9/29/17.
|
||||
*/
|
||||
|
||||
@AssignmentPath("/csrf/confirm-flag-1")
|
||||
@RestController
|
||||
@AssignmentHints({"csrf-get.hint1", "csrf-get.hint2", "csrf-get.hint3", "csrf-get.hint4"})
|
||||
public class CSRFConfirmFlag1 extends AssignmentEndpoint {
|
||||
|
||||
@Autowired
|
||||
UserSessionData userSessionData;
|
||||
|
||||
@PostMapping(produces = {"application/json"})
|
||||
public @ResponseBody
|
||||
AttackResult completed(String confirmFlagVal) {
|
||||
|
||||
@PostMapping(path = "/csrf/confirm-flag-1", produces = {"application/json"})
|
||||
@ResponseBody
|
||||
public AttackResult completed(String confirmFlagVal) {
|
||||
Object userSessionDataStr = userSessionData.getValue("csrf-get-success");
|
||||
if (userSessionDataStr != null && confirmFlagVal.equals(userSessionDataStr.toString())) {
|
||||
return trackProgress(
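Review bot: The new signature on the line `public AttackResult completed(String confirmFlagVal) {` still binds `confirmFlagVal` as an unannotated, hence optional, request parameter, so a POST that omits it arrives with `null` and `confirmFlagVal.equals(userSessionDataStr.toString())` a few lines below throws a NullPointerException (an HTTP 500) instead of returning a failed result. Reversing the comparison avoids that: `if (userSessionDataStr != null && userSessionDataStr.toString().equals(confirmFlagVal)) {`. Alternatively annotate the parameter with `@RequestParam` so Spring rejects a missing value with a 400 before the handler runs. The same unannotated-parameter shape appears on `createNewReview` in ForgedReviews (`reviewText`, `stars`, `validateReq`). The body of `completed` continues past the hunk.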
|
||||
|
@ -11,10 +11,7 @@ import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.UserSessionData;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
import org.springframework.web.bind.annotation.RequestBody;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import javax.servlet.http.Cookie;
|
||||
import javax.servlet.http.HttpServletRequest;
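Review bot: The line `import org.springframework.web.bind.annotation.*;` replaces four explicit imports with a wildcard, which hides which annotations this class actually uses and can silently pull in new names if that package grows; the same swap is made in the ForgedReviews import hunk. Prefer listing the ones used, e.g. `import org.springframework.web.bind.annotation.PostMapping;` together with `RequestBody`, `RequestParam` and `ResponseBody`, as the removed lines did. If the wildcard was introduced only to satisfy one new annotation, add that single import explicitly instead.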
|
||||
@ -26,7 +23,7 @@ import java.util.UUID;
|
||||
* @author nbaars
|
||||
* @since 11/17/17.
|
||||
*/
|
||||
@AssignmentPath("/csrf/feedback")
|
||||
@RestController
|
||||
@AssignmentHints({"csrf-feedback-hint1", "csrf-feedback-hint2", "csrf-feedback-hint3"})
|
||||
public class CSRFFeedback extends AssignmentEndpoint {
|
||||
|
||||
@ -35,7 +32,7 @@ public class CSRFFeedback extends AssignmentEndpoint {
|
||||
@Autowired
|
||||
private ObjectMapper objectMapper;
|
||||
|
||||
@PostMapping(value = "/message", produces = {"application/json"})
|
||||
@PostMapping(value = "/csrf/feedback/message", produces = {"application/json"})
|
||||
@ResponseBody
|
||||
public AttackResult completed(HttpServletRequest request, @RequestBody String feedback) {
|
||||
try {
|
||||
@ -59,7 +56,7 @@ public class CSRFFeedback extends AssignmentEndpoint {
|
||||
return failed().build();
|
||||
}
|
||||
|
||||
@PostMapping(produces = "application/json")
|
||||
@PostMapping(path = "/csrf/feedback", produces = "application/json")
|
||||
@ResponseBody
|
||||
public AttackResult flag(@RequestParam("confirmFlagVal") String flag) {
|
||||
if (flag.equals(userSessionData.getValue("csrf-feedback"))) {
|
||||
|
@ -9,19 +9,20 @@ import org.owasp.webgoat.users.UserTrackerRepository;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
|
||||
/**
|
||||
* @author nbaars
|
||||
* @since 11/17/17.
|
||||
*/
|
||||
@AssignmentPath("/csrf/login")
|
||||
@RestController
|
||||
@AssignmentHints({"csrf-login-hint1", "csrf-login-hint2", "csrf-login-hint3"})
|
||||
public class CSRFLogin extends AssignmentEndpoint {
|
||||
|
||||
@Autowired
|
||||
private UserTrackerRepository userTrackerRepository;
|
||||
|
||||
@PostMapping(produces = {"application/json"})
|
||||
@PostMapping(path = "/csrf/login", produces = {"application/json"})
|
||||
@ResponseBody
|
||||
public AttackResult completed() {
|
||||
String userName = getWebSession().getUserName();
|
||||
|
@ -44,9 +44,7 @@ import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import java.io.IOException;
|
||||
@ -56,8 +54,8 @@ import java.util.Map;
|
||||
import static org.springframework.http.MediaType.ALL_VALUE;
|
||||
import static org.springframework.web.bind.annotation.RequestMethod.GET;
|
||||
|
||||
@AssignmentPath("/csrf/review")
|
||||
@AssignmentHints({"csrf-review-hint1","csrf-review-hint2","csrf-review-hint3"})
|
||||
@RestController
|
||||
@AssignmentHints({"csrf-review-hint1", "csrf-review-hint2", "csrf-review-hint3"})
|
||||
public class ForgedReviews extends AssignmentEndpoint {
|
||||
|
||||
@Autowired
|
||||
@ -73,10 +71,10 @@ public class ForgedReviews extends AssignmentEndpoint {
|
||||
REVIEWS.add(new Review("secUriTy", DateTime.now().toString(fmt), "This is like swiss cheese", 0));
|
||||
REVIEWS.add(new Review("webgoat", DateTime.now().toString(fmt), "It works, sorta", 2));
|
||||
REVIEWS.add(new Review("guest", DateTime.now().toString(fmt), "Best, App, Ever", 5));
|
||||
REVIEWS.add(new Review("guest", DateTime.now().toString(fmt), "This app is so insecure, I didn't even post this review, can you pull that off too?",1));
|
||||
REVIEWS.add(new Review("guest", DateTime.now().toString(fmt), "This app is so insecure, I didn't even post this review, can you pull that off too?", 1));
|
||||
}
|
||||
|
||||
@RequestMapping(method = GET, produces = MediaType.APPLICATION_JSON_VALUE,consumes = ALL_VALUE)
|
||||
@GetMapping(path = "/csrf/review", produces = MediaType.APPLICATION_JSON_VALUE, consumes = ALL_VALUE)
|
||||
@ResponseBody
|
||||
public Collection<Review> retrieveReviews() {
|
||||
Collection<Review> allReviews = Lists.newArrayList();
|
||||
@ -90,9 +88,9 @@ public class ForgedReviews extends AssignmentEndpoint {
|
||||
return allReviews;
|
||||
}
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
@PostMapping("/csrf/review")
|
||||
@ResponseBody
|
||||
public AttackResult createNewReview (String reviewText, Integer stars, String validateReq, HttpServletRequest request) throws IOException {
|
||||
public AttackResult createNewReview(String reviewText, Integer stars, String validateReq, HttpServletRequest request) {
|
||||
|
||||
String host = (request.getHeader("host") == null) ? "NULL" : request.getHeader("host");
|
||||
// String origin = (req.getHeader("origin") == null) ? "NULL" : req.getHeader("origin");
|
||||
@ -116,7 +114,7 @@ public class ForgedReviews extends AssignmentEndpoint {
|
||||
return trackProgress(failed().feedback("csrf-you-forgot-something").build());
|
||||
}
|
||||
//we have the spoofed files
|
||||
if (referer != "NULL" && refererArr[2].equals(host) ) {
|
||||
if (referer != "NULL" && refererArr[2].equals(host)) {
|
||||
return trackProgress(failed().feedback("csrf-same-host").build());
|
||||
} else {
|
||||
return trackProgress(success().feedback("csrf-review.success").build()); //feedback("xss-stored-comment-failure")
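Review bot: On the rewritten line `if (referer != "NULL" && refererArr[2].equals(host)) {` the `!=` compares the `referer` String by reference rather than by value, so the "NULL" sentinel is only detected when the value is the very same interned literal; write it as `if (!"NULL".equals(referer) && refererArr[2].equals(host)) {`. The index `refererArr[2]` is also unguarded: how `refererArr` is built lies outside this hunk, but if it is a split of the Referer header then a header without the expected separators produces an ArrayIndexOutOfBoundsException and an HTTP 500 instead of a failed result, so a `refererArr.length > 2` check belongs in the same condition. Separately, with `@GetMapping` replacing `method = GET` and `throws IOException` dropped from `createNewReview`, the static import of `RequestMethod.GET` and `java.io.IOException` kept as context in the earlier hunks look unused now unless something outside the diff still references them. `createNewReview` starts and ends outside this hunk.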
|
||||
|