Working unit tests
This commit is contained in:
Nanne Baars
parent
04f1b9a282
commit
f774364461
@ -38,6 +38,7 @@ import org.springframework.web.servlet.i18n.FixedLocaleResolver;
|
||||
|
||||
import java.util.Locale;
|
||||
|
||||
import static org.mockito.ArgumentMatchers.any;
|
||||
import static org.mockito.Matchers.anyString;
|
||||
import static org.mockito.Mockito.when;
|
||||
|
||||
@ -62,7 +63,6 @@ public class AssignmentEndpointTest {
|
||||
|
||||
public void init(AssignmentEndpoint a) {
|
||||
messages.setBasenames("classpath:/i18n/messages", "classpath:/i18n/WebGoatLabels");
|
||||
when(userTrackerRepository.findByUser(anyString())).thenReturn(userTracker);
|
||||
ReflectionTestUtils.setField(a, "userTrackerRepository", userTrackerRepository);
|
||||
ReflectionTestUtils.setField(a, "userSessionData", userSessionData);
|
||||
ReflectionTestUtils.setField(a, "webSession", webSession);
|
||||
|
||||
@ -1,15 +1,11 @@
|
||||
package org.owasp.webgoat.plugin;
|
||||
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import java.io.IOException;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
|
||||
/**
|
||||
* *************************************************************************************************
|
||||
@ -44,23 +40,22 @@ import java.io.IOException;
|
||||
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
|
||||
* @created October 28, 2003
|
||||
*/
|
||||
@AssignmentPath("/BypassRestrictions/FieldRestrictions")
|
||||
@RestController
|
||||
public class BypassRestrictionsFieldRestrictions extends AssignmentEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
public
|
||||
@PostMapping("/BypassRestrictions/FieldRestrictions")
|
||||
@ResponseBody
|
||||
AttackResult completed(@RequestParam String select, @RequestParam String radio, @RequestParam String checkbox, @RequestParam String shortInput) throws IOException {
|
||||
if (select.toString().equals("option1") || select.toString().equals("option2")) {
|
||||
public AttackResult completed(@RequestParam String select, @RequestParam String radio, @RequestParam String checkbox, @RequestParam String shortInput) {
|
||||
if (select.equals("option1") || select.equals("option2")) {
|
||||
return trackProgress(failed().build());
|
||||
}
|
||||
if (radio.toString().equals("option1") || radio.toString().equals("option2")) {
|
||||
if (radio.equals("option1") || radio.equals("option2")) {
|
||||
return trackProgress(failed().build());
|
||||
}
|
||||
if (checkbox.toString().equals("on") || checkbox.toString().equals("off")) {
|
||||
if (checkbox.equals("on") || checkbox.equals("off")) {
|
||||
return trackProgress(failed().build());
|
||||
}
|
||||
if (shortInput.toString().length() <= 5) {
|
||||
if (shortInput.length() <= 5) {
|
||||
return trackProgress(failed().build());
|
||||
}
|
||||
/*if (disabled == null) {
|
||||
|
||||
@ -3,85 +3,81 @@ package org.owasp.webgoat.plugin;
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import java.io.IOException;
|
||||
|
||||
/**
|
||||
* *************************************************************************************************
|
||||
*
|
||||
*
|
||||
* <p>
|
||||
* <p>
|
||||
* This file is part of WebGoat, an Open Web Application Security Project
|
||||
* utility. For details, please see http://www.owasp.org/
|
||||
*
|
||||
* <p>
|
||||
* Copyright (c) 2002 - 20014 Bruce Mayhew
|
||||
*
|
||||
* <p>
|
||||
* This program is free software; you can redistribute it and/or modify it under
|
||||
* the terms of the GNU General Public License as published by the Free Software
|
||||
* Foundation; either version 2 of the License, or (at your option) any later
|
||||
* version.
|
||||
*
|
||||
* <p>
|
||||
* This program is distributed in the hope that it will be useful, but WITHOUT
|
||||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
||||
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
||||
* details.
|
||||
*
|
||||
* <p>
|
||||
* You should have received a copy of the GNU General Public License along with
|
||||
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
|
||||
* Place - Suite 330, Boston, MA 02111-1307, USA.
|
||||
*
|
||||
* <p>
|
||||
* Getting Source ==============
|
||||
*
|
||||
* <p>
|
||||
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
|
||||
* for free software projects.
|
||||
*
|
||||
* <p>
|
||||
* For details, please see http://webgoat.github.io
|
||||
*
|
||||
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
|
||||
* @created October 28, 2003
|
||||
*/
|
||||
@AssignmentPath("/BypassRestrictions/frontendValidation")
|
||||
@RestController
|
||||
public class BypassRestrictionsFrontendValidation extends AssignmentEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
public
|
||||
@PostMapping("/BypassRestrictions/frontendValidation")
|
||||
@ResponseBody
|
||||
AttackResult completed(@RequestParam String field1, @RequestParam String field2, @RequestParam String field3, @RequestParam String field4, @RequestParam String field5, @RequestParam String field6, @RequestParam String field7, @RequestParam Integer error) throws IOException {
|
||||
String regex1="^[a-z]{3}$";
|
||||
String regex2="^[0-9]{3}$";
|
||||
String regex3="^[a-zA-Z0-9 ]*$";
|
||||
String regex4="^(one|two|three|four|five|six|seven|eight|nine)$";
|
||||
String regex5="^\\d{5}$";
|
||||
String regex6="^\\d{5}(-\\d{4})?$";
|
||||
String regex7="^[2-9]\\d{2}-?\\d{3}-?\\d{4}$";
|
||||
if (error>0) {
|
||||
return trackProgress(failed().build());
|
||||
}
|
||||
if (field1.matches(regex1)) {
|
||||
return trackProgress(failed().build());
|
||||
}
|
||||
if (field2.matches(regex2)) {
|
||||
return trackProgress(failed().build());
|
||||
}
|
||||
if (field3.matches(regex3)) {
|
||||
return trackProgress(failed().build());
|
||||
}
|
||||
if (field4.matches(regex4)) {
|
||||
return trackProgress(failed().build());
|
||||
}
|
||||
if (field5.matches(regex5)) {
|
||||
return trackProgress(failed().build());
|
||||
}
|
||||
if (field6.matches(regex6)) {
|
||||
return trackProgress(failed().build());
|
||||
}
|
||||
if (field7.matches(regex7)) {
|
||||
return trackProgress(failed().build());
|
||||
}
|
||||
return trackProgress(success().build());
|
||||
public AttackResult completed(@RequestParam String field1, @RequestParam String field2, @RequestParam String field3, @RequestParam String field4, @RequestParam String field5, @RequestParam String field6, @RequestParam String field7, @RequestParam Integer error) {
|
||||
String regex1 = "^[a-z]{3}$";
|
||||
String regex2 = "^[0-9]{3}$";
|
||||
String regex3 = "^[a-zA-Z0-9 ]*$";
|
||||
String regex4 = "^(one|two|three|four|five|six|seven|eight|nine)$";
|
||||
String regex5 = "^\\d{5}$";
|
||||
String regex6 = "^\\d{5}(-\\d{4})?$";
|
||||
String regex7 = "^[2-9]\\d{2}-?\\d{3}-?\\d{4}$";
|
||||
if (error > 0) {
|
||||
return trackProgress(failed().build());
|
||||
}
|
||||
if (field1.matches(regex1)) {
|
||||
return trackProgress(failed().build());
|
||||
}
|
||||
if (field2.matches(regex2)) {
|
||||
return trackProgress(failed().build());
|
||||
}
|
||||
if (field3.matches(regex3)) {
|
||||
return trackProgress(failed().build());
|
||||
}
|
||||
if (field4.matches(regex4)) {
|
||||
return trackProgress(failed().build());
|
||||
}
|
||||
if (field5.matches(regex5)) {
|
||||
return trackProgress(failed().build());
|
||||
}
|
||||
if (field6.matches(regex6)) {
|
||||
return trackProgress(failed().build());
|
||||
}
|
||||
if (field7.matches(regex7)) {
|
||||
return trackProgress(failed().build());
|
||||
}
|
||||
return trackProgress(success().build());
|
||||
}
|
||||
}
|
||||
|
||||
@ -5,10 +5,7 @@ import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.plugin.Flag;
|
||||
import org.springframework.util.StringUtils;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import java.io.IOException;
|
||||
@ -44,13 +41,12 @@ import static org.owasp.webgoat.plugin.SolutionConstants.PASSWORD;
|
||||
* @version $Id: $Id
|
||||
* @since August 11, 2016
|
||||
*/
|
||||
@AssignmentPath("/challenge/1")
|
||||
@RestController
|
||||
public class Assignment1 extends AssignmentEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
public
|
||||
@PostMapping("/challenge/1")
|
||||
@ResponseBody
|
||||
AttackResult completed(@RequestParam String username, @RequestParam String password, HttpServletRequest request) throws IOException {
|
||||
public AttackResult completed(@RequestParam String username, @RequestParam String password, HttpServletRequest request) {
|
||||
boolean ipAddressKnown = true;
|
||||
boolean passwordCorrect = "admin".equals(username) && PASSWORD.equals(password);
|
||||
if (passwordCorrect && ipAddressKnown) {
|
||||
|
||||
@ -1,4 +1,26 @@
|
||||
package org.owasp.webgoat.plugin.challenge5.challenge6;
|
||||
/*
|
||||
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
|
||||
*
|
||||
* Copyright (c) 2002 - 2019 Bruce Mayhew
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it under the terms of the
|
||||
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
|
||||
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
* General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along with this program; if
|
||||
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
|
||||
* 02111-1307, USA.
|
||||
*
|
||||
* Getting Source ==============
|
||||
*
|
||||
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
|
||||
*/
|
||||
|
||||
package org.owasp.webgoat.plugin.challenge5;
|
||||
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.apache.commons.lang3.RandomStringUtils;
|
||||
@ -10,9 +32,7 @@ import org.owasp.webgoat.session.DatabaseUtilities;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.util.StringUtils;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import java.sql.*;
|
||||
|
||||
@ -23,7 +43,7 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST;
|
||||
* @author nbaars
|
||||
* @since 4/8/17.
|
||||
*/
|
||||
@AssignmentPath("/challenge/5")
|
||||
@RestController
|
||||
@Slf4j
|
||||
public class Assignment5 extends AssignmentEndpoint {
|
||||
|
||||
@ -33,7 +53,7 @@ public class Assignment5 extends AssignmentEndpoint {
|
||||
@Autowired
|
||||
private WebSession webSession;
|
||||
|
||||
@RequestMapping(method = POST)
|
||||
@PostMapping("/challenge/5")
|
||||
@ResponseBody
|
||||
public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {
|
||||
Connection connection = DatabaseUtilities.getConnection(webSession);
|
||||
@ -0,0 +1,61 @@
|
||||
/*
|
||||
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
|
||||
*
|
||||
* Copyright (c) 2002 - 2019 Bruce Mayhew
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it under the terms of the
|
||||
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
|
||||
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
* General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along with this program; if
|
||||
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
|
||||
* 02111-1307, USA.
|
||||
*
|
||||
* Getting Source ==============
|
||||
*
|
||||
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
|
||||
*/
|
||||
|
||||
package org.owasp.webgoat.plugin.challenge5;
|
||||
|
||||
import com.google.common.collect.Lists;
|
||||
import org.owasp.webgoat.lessons.Category;
|
||||
import org.owasp.webgoat.lessons.NewLesson;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
/**
|
||||
* @author nbaars
|
||||
* @since 3/21/17.
|
||||
*/
|
||||
public class Challenge5 extends NewLesson {
|
||||
|
||||
@Override
|
||||
public Category getDefaultCategory() {
|
||||
return Category.CHALLENGE;
|
||||
}
|
||||
|
||||
@Override
|
||||
public List<String> getHints() {
|
||||
return Lists.newArrayList();
|
||||
}
|
||||
|
||||
@Override
|
||||
public Integer getDefaultRanking() {
|
||||
return 10;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getTitle() {
|
||||
return "challenge5.title";
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getId() {
|
||||
return "Challenge5";
|
||||
}
|
||||
}
|
||||
@ -1,39 +0,0 @@
|
||||
package org.owasp.webgoat.plugin.challenge5.challenge6;
|
||||
|
||||
import com.google.common.collect.Lists;
|
||||
import org.owasp.webgoat.lessons.Category;
|
||||
import org.owasp.webgoat.lessons.NewLesson;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
/**
|
||||
* @author nbaars
|
||||
* @since 3/21/17.
|
||||
*/
|
||||
public class Challenge5 extends NewLesson {
|
||||
|
||||
@Override
|
||||
public Category getDefaultCategory() {
|
||||
return Category.CHALLENGE;
|
||||
}
|
||||
|
||||
@Override
|
||||
public List<String> getHints() {
|
||||
return Lists.newArrayList();
|
||||
}
|
||||
|
||||
@Override
|
||||
public Integer getDefaultRanking() {
|
||||
return 10;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getTitle() {
|
||||
return "challenge5.title";
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getId() {
|
||||
return "Challenge5";
|
||||
}
|
||||
}
|
||||
@ -10,10 +10,7 @@ import org.owasp.webgoat.session.DatabaseUtilities;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.util.StringUtils;
|
||||
import org.springframework.web.bind.annotation.PutMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import java.sql.*;
|
||||
|
||||
@ -24,7 +21,7 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST;
|
||||
* @author nbaars
|
||||
* @since 4/8/17.
|
||||
*/
|
||||
@AssignmentPath("/challenge/6")
|
||||
@RestController
|
||||
@Slf4j
|
||||
public class Assignment6 extends AssignmentEndpoint {
|
||||
|
||||
@ -38,7 +35,7 @@ public class Assignment6 extends AssignmentEndpoint {
|
||||
log.info("Challenge 6 tablename is: {}", USERS_TABLE_NAME);
|
||||
}
|
||||
|
||||
@PutMapping //assignment path is bounded to class so we use different http method :-)
|
||||
@PutMapping("/challenge/6") //assignment path is bounded to class so we use different http method :-)
|
||||
@ResponseBody
|
||||
public AttackResult registerNewUser(@RequestParam String username_reg, @RequestParam String email_reg, @RequestParam String password_reg) throws Exception {
|
||||
AttackResult attackResult = checkArguments(username_reg, email_reg, password_reg);
|
||||
@ -75,7 +72,7 @@ public class Assignment6 extends AssignmentEndpoint {
|
||||
return null;
|
||||
}
|
||||
|
||||
@RequestMapping(method = POST)
|
||||
@PostMapping("/challenge/6")
|
||||
@ResponseBody
|
||||
public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {
|
||||
Connection connection = DatabaseUtilities.getConnection(webSession);
|
||||
|
||||
@ -30,7 +30,7 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST;
|
||||
* @author nbaars
|
||||
* @since 4/8/17.
|
||||
*/
|
||||
@AssignmentPath("/challenge/7")
|
||||
@RestController
|
||||
@Slf4j
|
||||
public class Assignment7 extends AssignmentEndpoint {
|
||||
|
||||
@ -48,7 +48,7 @@ public class Assignment7 extends AssignmentEndpoint {
|
||||
@Value("${webwolf.url.mail}")
|
||||
private String webWolfMailURL;
|
||||
|
||||
@GetMapping("/reset-password/{link}")
|
||||
@GetMapping("/challenge/7/reset-password/{link}")
|
||||
public ResponseEntity<String> resetPassword(@PathVariable(value = "link") String link) {
|
||||
if (link.equals(SolutionConstants.ADMIN_PASSWORD_LINK)) {
|
||||
return ResponseEntity.accepted().body("<h1>Success!!</h1>" +
|
||||
@ -58,7 +58,7 @@ public class Assignment7 extends AssignmentEndpoint {
|
||||
return ResponseEntity.status(HttpStatus.I_AM_A_TEAPOT).body("That is not the reset link for admin");
|
||||
}
|
||||
|
||||
@RequestMapping(method = POST)
|
||||
@PostMapping("/challenge/7")
|
||||
@ResponseBody
|
||||
public AttackResult sendPasswordResetLink(@RequestParam String email, HttpServletRequest request) throws URISyntaxException {
|
||||
if (StringUtils.hasText(email)) {
|
||||
@ -77,7 +77,7 @@ public class Assignment7 extends AssignmentEndpoint {
|
||||
return success().feedback("email.send").feedbackArgs(email).build();
|
||||
}
|
||||
|
||||
@RequestMapping(method = GET, value = "/.git", produces = MediaType.APPLICATION_OCTET_STREAM_VALUE)
|
||||
@GetMapping(value = "/challenge/7/.git", produces = MediaType.APPLICATION_OCTET_STREAM_VALUE)
|
||||
@ResponseBody
|
||||
@SneakyThrows
|
||||
public ClassPathResource git() {
|
||||
|
||||
@ -10,6 +10,7 @@ import org.springframework.http.ResponseEntity;
|
||||
import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.bind.annotation.PathVariable;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import java.util.HashMap;
|
||||
@ -20,7 +21,7 @@ import java.util.stream.Collectors;
|
||||
* @author nbaars
|
||||
* @since 4/8/17.
|
||||
*/
|
||||
@AssignmentPath("/challenge/8")
|
||||
@RestController
|
||||
@Slf4j
|
||||
public class Assignment8 extends AssignmentEndpoint {
|
||||
|
||||
@ -34,7 +35,7 @@ public class Assignment8 extends AssignmentEndpoint {
|
||||
votes.put(5, 300);
|
||||
}
|
||||
|
||||
@GetMapping(value = "/vote/{stars}", produces = MediaType.APPLICATION_JSON_VALUE)
|
||||
@GetMapping(value = "/challenge/8/vote/{stars}", produces = MediaType.APPLICATION_JSON_VALUE)
|
||||
@ResponseBody
|
||||
public ResponseEntity<?> vote(@PathVariable(value = "stars") int nrOfStars, HttpServletRequest request) {
|
||||
//Simple implementation of VERB Based Authentication
|
||||
@ -50,12 +51,12 @@ public class Assignment8 extends AssignmentEndpoint {
|
||||
return ResponseEntity.ok().header("X-Flag", "Thanks for voting, your flag is: " + Flag.FLAGS.get(8)).build();
|
||||
}
|
||||
|
||||
@GetMapping("/votes/")
|
||||
@GetMapping("/challenge/8/votes/")
|
||||
public ResponseEntity<?> getVotes() {
|
||||
return ResponseEntity.ok(votes.entrySet().stream().collect(Collectors.toMap(e -> "" + e.getKey(), e -> e.getValue())));
|
||||
}
|
||||
|
||||
@GetMapping("/votes/average")
|
||||
@GetMapping("/challenge/8/votes/average")
|
||||
public ResponseEntity<Map<String, Integer>> average() {
|
||||
int totalNumberOfVotes = votes.values().stream().mapToInt(i -> i.intValue()).sum();
|
||||
int categories = votes.entrySet().stream().mapToInt(e -> e.getKey() * e.getValue()).reduce(0, (a, b) -> a + b);
|
||||
@ -63,6 +64,5 @@ public class Assignment8 extends AssignmentEndpoint {
|
||||
json.put("average", (int) Math.ceil((double) categories / totalNumberOfVotes));
|
||||
return ResponseEntity.ok(json);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
||||
@ -4,34 +4,29 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.UserSessionData;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import java.io.IOException;
|
||||
|
||||
/**
|
||||
* This is just a class used to make the the HTTP request.
|
||||
*
|
||||
* @author TMelzer
|
||||
* @since 30.11.18
|
||||
*/
|
||||
@AssignmentPath("/ChromeDevTools/dummy")
|
||||
@RestController
|
||||
public class NetworkDummy extends AssignmentEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
public
|
||||
@ResponseBody
|
||||
AttackResult completed(@RequestParam String successMessage) throws IOException {
|
||||
@PostMapping("/ChromeDevTools/dummy")
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String successMessage) {
|
||||
UserSessionData userSessionData = getUserSessionData();
|
||||
String answer = (String) userSessionData.getValue("randValue");
|
||||
|
||||
UserSessionData userSessionData = getUserSessionData();
|
||||
String answer = (String) userSessionData.getValue("randValue");
|
||||
|
||||
if (successMessage!=null && successMessage.equals(answer)) {
|
||||
return trackProgress(success().feedback("xss-dom-message-success").build());
|
||||
} else {
|
||||
return trackProgress(failed().feedback("xss-dom-message-failure").build());
|
||||
}
|
||||
|
||||
}
|
||||
if (successMessage != null && successMessage.equals(answer)) {
|
||||
return trackProgress(success().feedback("xss-dom-message-success").build());
|
||||
} else {
|
||||
return trackProgress(failed().feedback("xss-dom-message-failure").build());
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -5,38 +5,34 @@ import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.http.ResponseEntity;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import java.io.IOException;
|
||||
|
||||
/**
|
||||
* Assignment where the user has to look through an HTTP Request
|
||||
* using the Developer Tools and find a specific number.
|
||||
*
|
||||
* @author TMelzer
|
||||
* @since 30.11.18
|
||||
*/
|
||||
@AssignmentPath("/ChromeDevTools/network")
|
||||
@RestController
|
||||
@AssignmentHints({"networkHint1", "networkHint2"})
|
||||
public class NetworkLesson extends AssignmentEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST, params= {"network_num","number"})
|
||||
public
|
||||
@ResponseBody
|
||||
AttackResult completed(@RequestParam String network_num, @RequestParam String number) throws IOException {
|
||||
if(network_num.equals(number)) {
|
||||
return trackProgress(success().feedback("network.success").output("").build());
|
||||
} else {
|
||||
return trackProgress(failed().feedback("network.failed").build());
|
||||
@PostMapping(value = "/ChromeDevTools/network", params = {"network_num", "number"})
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String network_num, @RequestParam String number) {
|
||||
if (network_num.equals(number)) {
|
||||
return trackProgress(success().feedback("network.success").output("").build());
|
||||
} else {
|
||||
return trackProgress(failed().feedback("network.failed").build());
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST, params="networkNum")
|
||||
public
|
||||
@ResponseBody
|
||||
ResponseEntity<?> ok(@RequestParam String networkNum) throws IOException {
|
||||
return ResponseEntity.ok().build();
|
||||
}
|
||||
@PostMapping(path = "/ChromeDevTools/network", params = "networkNum")
|
||||
@ResponseBody
|
||||
public ResponseEntity<?> ok(@RequestParam String networkNum) {
|
||||
return ResponseEntity.ok().build();
|
||||
}
|
||||
}
|
||||
|
||||
@ -4,10 +4,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.DatabaseUtilities;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.sql.Connection;
|
||||
@ -15,20 +12,20 @@ import java.sql.ResultSet;
|
||||
import java.sql.SQLException;
|
||||
import java.sql.Statement;
|
||||
|
||||
@AssignmentPath("/cia/quiz")
|
||||
@RestController
|
||||
public class CIAQuiz extends AssignmentEndpoint {
|
||||
|
||||
String[] solutions = {"Solution 3", "Solution 1", "Solution 4", "Solution 2"};
|
||||
boolean[] guesses = new boolean[solutions.length];
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
@PostMapping("/cia/quiz")
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String[] question_0_solution, @RequestParam String[] question_1_solution, @RequestParam String[] question_2_solution, @RequestParam String[] question_3_solution) throws IOException {
|
||||
public AttackResult completed(@RequestParam String[] question_0_solution, @RequestParam String[] question_1_solution, @RequestParam String[] question_2_solution, @RequestParam String[] question_3_solution) {
|
||||
int correctAnswers = 0;
|
||||
|
||||
String[] givenAnswers = {question_0_solution[0], question_1_solution[0], question_2_solution[0], question_3_solution[0]};
|
||||
|
||||
for(int i = 0; i < solutions.length; i++) {
|
||||
for (int i = 0; i < solutions.length; i++) {
|
||||
if (givenAnswers[i].contains(solutions[i])) {
|
||||
// answer correct
|
||||
correctAnswers++;
|
||||
@ -39,14 +36,14 @@ public class CIAQuiz extends AssignmentEndpoint {
|
||||
}
|
||||
}
|
||||
|
||||
if(correctAnswers == solutions.length) {
|
||||
if (correctAnswers == solutions.length) {
|
||||
return trackProgress(success().build());
|
||||
} else {
|
||||
return trackProgress(failed().build());
|
||||
}
|
||||
}
|
||||
|
||||
@RequestMapping(method = RequestMethod.GET)
|
||||
@GetMapping("/cia/quiz")
|
||||
@ResponseBody
|
||||
public boolean[] getResults() {
|
||||
return this.guesses;
|
||||
|
||||
@ -4,10 +4,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import java.io.IOException;
|
||||
|
||||
@ -40,14 +37,13 @@ import java.io.IOException;
|
||||
* @version $Id: $Id
|
||||
* @since August 11, 2016
|
||||
*/
|
||||
@AssignmentPath("/clientSideFiltering/attack1")
|
||||
@RestController
|
||||
@AssignmentHints({"ClientSideFilteringHint1", "ClientSideFilteringHint2", "ClientSideFilteringHint3", "ClientSideFilteringHint4"})
|
||||
public class ClientSideFilteringAssignment extends AssignmentEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
public
|
||||
@PostMapping("/clientSideFiltering/attack1")
|
||||
@ResponseBody
|
||||
AttackResult completed(@RequestParam String answer) throws IOException {
|
||||
public AttackResult completed(@RequestParam String answer) {
|
||||
return trackProgress("450000".equals(answer) ?
|
||||
success().feedback("assignment.solved").build() :
|
||||
failed().feedback("ClientSideFiltering.incorrect").build());
|
||||
|
||||
@ -4,10 +4,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import java.io.IOException;
|
||||
|
||||
@ -15,16 +12,15 @@ import java.io.IOException;
|
||||
* @author nbaars
|
||||
* @since 4/6/17.
|
||||
*/
|
||||
@AssignmentPath("/clientSideFiltering/getItForFree")
|
||||
@RestController
|
||||
@AssignmentHints({"client.side.filtering.free.hint1", "client.side.filtering.free.hint2", "client.side.filtering.free.hint3"})
|
||||
public class ClientSideFilteringFreeAssignment extends AssignmentEndpoint {
|
||||
|
||||
public static final String SUPER_COUPON_CODE = "get_it_for_free";
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
public
|
||||
@PostMapping("/clientSideFiltering/getItForFree")
|
||||
@ResponseBody
|
||||
AttackResult completed(@RequestParam String checkoutCode) {
|
||||
public AttackResult completed(@RequestParam String checkoutCode) {
|
||||
if (SUPER_COUPON_CODE.equals(checkoutCode)) {
|
||||
return trackProgress(success().build());
|
||||
}
|
||||
|
||||
@ -2,16 +2,11 @@
|
||||
package org.owasp.webgoat.plugin;
|
||||
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import java.io.IOException;
|
||||
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
|
||||
|
||||
/***************************************************************************************************
|
||||
@ -44,15 +39,16 @@ import java.io.IOException;
|
||||
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
|
||||
* @created October 28, 2003
|
||||
*/
|
||||
@AssignmentPath("/CrossSiteScripting/attack1")
|
||||
@RestController
|
||||
public class CrossSiteScriptingLesson1 extends AssignmentEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
public @ResponseBody AttackResult completed(@RequestParam String answer_xss_1, HttpServletRequest request) throws IOException {
|
||||
if (answer_xss_1.toString().toLowerCase().equals("yes")) {
|
||||
return trackProgress(success().build());
|
||||
} else {
|
||||
return trackProgress(failed().feedback("xss.lesson1.failure").build());
|
||||
}
|
||||
}
|
||||
@PostMapping("/CrossSiteScripting/attack1")
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String answer_xss_1) {
|
||||
if (answer_xss_1.toString().toLowerCase().equals("yes")) {
|
||||
return trackProgress(success().build());
|
||||
} else {
|
||||
return trackProgress(failed().feedback("xss.lesson1.failure").build());
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -7,16 +7,13 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
@AssignmentPath("CrossSiteScripting/attack3")
|
||||
@RestController
|
||||
@AssignmentHints(value = {"xss-mitigation-3-hint1", "xss-mitigation-3-hint2", "xss-mitigation-3-hint3", "xss-mitigation-3-hint4"})
|
||||
public class CrossSiteScriptingLesson3 extends AssignmentEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
@PostMapping("CrossSiteScripting/attack3")
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String editor) {
|
||||
String unescapedString = org.jsoup.parser.Parser.unescapeEntities(editor, true);
|
||||
@ -49,7 +46,7 @@ public class CrossSiteScriptingLesson3 extends AssignmentEndpoint {
|
||||
} else {
|
||||
return trackProgress(failed().feedback("xss-mitigation-3-failure").build());
|
||||
}
|
||||
}catch(Exception e) {
|
||||
} catch (Exception e) {
|
||||
return trackProgress(failed().output(e.getMessage()).build());
|
||||
}
|
||||
}
|
||||
|
||||
@ -4,10 +4,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import javax.tools.*;
|
||||
import java.io.IOException;
|
||||
@ -17,28 +14,26 @@ import java.util.List;
|
||||
import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
@AssignmentPath("CrossSiteScripting/attack4")
|
||||
@RestController
|
||||
@AssignmentHints(value = {"xss-mitigation-4-hint1"})
|
||||
public class CrossSiteScriptingLesson4 extends AssignmentEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
@PostMapping("CrossSiteScripting/attack4")
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String editor2) {
|
||||
|
||||
String editor = editor2.replaceAll("\\<.*?>","");
|
||||
String editor = editor2.replaceAll("\\<.*?>", "");
|
||||
System.out.println(editor);
|
||||
|
||||
if ((editor.contains("Policy.getInstance(\"antisamy-slashdot.xml\"") || editor.contains(".scan(newComment, \"antisamy-slashdot.xml\"") || editor.contains(".scan(newComment, new File(\"antisamy-slashdot.xml\")")) &&
|
||||
editor.contains("new AntiSamy();")&&
|
||||
editor.contains("new AntiSamy();") &&
|
||||
editor.contains(".scan(newComment,") &&
|
||||
editor.contains("CleanResults") &&
|
||||
editor.contains("MyCommentDAO.addComment(threadID, userID")&&
|
||||
editor.contains(".getCleanHTML());"))
|
||||
{
|
||||
editor.contains("MyCommentDAO.addComment(threadID, userID") &&
|
||||
editor.contains(".getCleanHTML());")) {
|
||||
System.out.println("true");
|
||||
return trackProgress(success().feedback("xss-mitigation-4-success").build());
|
||||
}
|
||||
else {
|
||||
} else {
|
||||
System.out.println("false");
|
||||
return trackProgress(failed().feedback("xss-mitigation-4-failed").build());
|
||||
}
|
||||
|
||||
@ -7,16 +7,12 @@ import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.UserSessionData;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import java.io.IOException;
|
||||
|
||||
|
||||
|
||||
/***************************************************************************************************
|
||||
*
|
||||
*
|
||||
@ -47,52 +43,52 @@ import java.io.IOException;
|
||||
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
|
||||
* @created October 28, 2003
|
||||
*/
|
||||
@AssignmentPath("/CrossSiteScripting/attack5a")
|
||||
@RestController
|
||||
@AssignmentHints(value = {"xss-reflected-5a-hint-1", "xss-reflected-5a-hint-2", "xss-reflected-5a-hint-3", "xss-reflected-5a-hint-4"})
|
||||
public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
|
||||
|
||||
@Autowired
|
||||
UserSessionData userSessionData;
|
||||
@Autowired
|
||||
UserSessionData userSessionData;
|
||||
|
||||
@RequestMapping(method = RequestMethod.GET)
|
||||
public @ResponseBody AttackResult completed(@RequestParam Integer QTY1,
|
||||
@RequestParam Integer QTY2, @RequestParam Integer QTY3,
|
||||
@RequestParam Integer QTY4, @RequestParam String field1,
|
||||
@RequestParam String field2, HttpServletRequest request)
|
||||
throws IOException {
|
||||
@GetMapping("/CrossSiteScripting/attack5a")
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam Integer QTY1,
|
||||
@RequestParam Integer QTY2, @RequestParam Integer QTY3,
|
||||
@RequestParam Integer QTY4, @RequestParam String field1,
|
||||
@RequestParam String field2) {
|
||||
|
||||
if (field2.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) {
|
||||
return trackProgress(failed().feedback("xss-reflected-5a-failed-wrong-field").build());
|
||||
}
|
||||
if (field2.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) {
|
||||
return trackProgress(failed().feedback("xss-reflected-5a-failed-wrong-field").build());
|
||||
}
|
||||
|
||||
double totalSale = QTY1.intValue() * 69.99 + QTY2.intValue() * 27.99 + QTY3.intValue() * 1599.99 + QTY4.intValue() * 299.99;
|
||||
double totalSale = QTY1.intValue() * 69.99 + QTY2.intValue() * 27.99 + QTY3.intValue() * 1599.99 + QTY4.intValue() * 299.99;
|
||||
|
||||
userSessionData.setValue("xss-reflected1-complete",(Object)"false");
|
||||
StringBuffer cart = new StringBuffer();
|
||||
cart.append("Thank you for shopping at WebGoat. <br />You're support is appreciated<hr />");
|
||||
cart.append("<p>We have charged credit card:" + field1 + "<br />");
|
||||
cart.append( " ------------------- <br />");
|
||||
cart.append( " $" + totalSale);
|
||||
userSessionData.setValue("xss-reflected1-complete", (Object) "false");
|
||||
StringBuffer cart = new StringBuffer();
|
||||
cart.append("Thank you for shopping at WebGoat. <br />You're support is appreciated<hr />");
|
||||
cart.append("<p>We have charged credit card:" + field1 + "<br />");
|
||||
cart.append(" ------------------- <br />");
|
||||
cart.append(" $" + totalSale);
|
||||
|
||||
//init state
|
||||
if (userSessionData.getValue("xss-reflected1-complete") == null) {
|
||||
userSessionData.setValue("xss-reflected1-complete",(Object)"false");
|
||||
}
|
||||
//init state
|
||||
if (userSessionData.getValue("xss-reflected1-complete") == null) {
|
||||
userSessionData.setValue("xss-reflected1-complete", (Object) "false");
|
||||
}
|
||||
|
||||
if (field1.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) {
|
||||
//return trackProgress()
|
||||
userSessionData.setValue("xss-reflected-5a-complete","true");
|
||||
if(field1.toLowerCase().contains("console.log")) {
|
||||
return trackProgress(success().feedback("xss-reflected-5a-success-console").output(cart.toString()).build());
|
||||
} else {
|
||||
return trackProgress(success().feedback("xss-reflected-5a-success-alert").output(cart.toString()).build());
|
||||
}
|
||||
} else {
|
||||
userSessionData.setValue("xss-reflected1-complete","false");
|
||||
return trackProgress(success()
|
||||
.feedback("xss-reflected-5a-failure")
|
||||
.output(cart.toString())
|
||||
.build());
|
||||
}
|
||||
}
|
||||
if (field1.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) {
|
||||
//return trackProgress()
|
||||
userSessionData.setValue("xss-reflected-5a-complete", "true");
|
||||
if (field1.toLowerCase().contains("console.log")) {
|
||||
return trackProgress(success().feedback("xss-reflected-5a-success-console").output(cart.toString()).build());
|
||||
} else {
|
||||
return trackProgress(success().feedback("xss-reflected-5a-success-alert").output(cart.toString()).build());
|
||||
}
|
||||
} else {
|
||||
userSessionData.setValue("xss-reflected1-complete", "false");
|
||||
return trackProgress(success()
|
||||
.feedback("xss-reflected-5a-failure")
|
||||
.output(cart.toString())
|
||||
.build());
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -7,10 +7,7 @@ import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.UserSessionData;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import java.io.IOException;
|
||||
|
||||
@ -45,15 +42,15 @@ import java.io.IOException;
|
||||
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
|
||||
* @created October 28, 2003
|
||||
*/
|
||||
@AssignmentPath("/CrossSiteScripting/attack6a")
|
||||
@RestController
|
||||
@AssignmentHints(value = {"xss-reflected-6a-hint-1", "xss-reflected-6a-hint-2", "xss-reflected-6a-hint-3", "xss-reflected-6a-hint-4"})
|
||||
public class CrossSiteScriptingLesson6a extends AssignmentEndpoint {
|
||||
@Autowired
|
||||
UserSessionData userSessionData;
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
public @ResponseBody
|
||||
AttackResult completed(@RequestParam String DOMTestRoute) throws IOException {
|
||||
@PostMapping("/CrossSiteScripting/attack6a")
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String DOMTestRoute) {
|
||||
|
||||
if (DOMTestRoute.matches("start\\.mvc#test(\\/|)")) {
|
||||
//return trackProgress()
|
||||
|
||||
@ -1,29 +1,25 @@
|
||||
package org.owasp.webgoat.plugin;
|
||||
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import java.io.IOException;
|
||||
|
||||
@AssignmentPath("/cross-site-scripting/quiz")
|
||||
@RestController
|
||||
public class CrossSiteScriptingQuiz extends AssignmentEndpoint {
|
||||
|
||||
String[] solutions = {"Solution 4", "Solution 3", "Solution 1", "Solution 2", "Solution 4"};
|
||||
boolean[] guesses = new boolean[solutions.length];
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
@PostMapping("/cross-site-scripting/quiz")
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String[] question_0_solution, @RequestParam String[] question_1_solution, @RequestParam String[] question_2_solution, @RequestParam String[] question_3_solution, @RequestParam String[] question_4_solution) throws IOException {
|
||||
int correctAnswers = 0;
|
||||
|
||||
String[] givenAnswers = {question_0_solution[0], question_1_solution[0], question_2_solution[0], question_3_solution[0], question_4_solution[0]};
|
||||
|
||||
for(int i = 0; i < solutions.length; i++) {
|
||||
for (int i = 0; i < solutions.length; i++) {
|
||||
if (givenAnswers[i].contains(solutions[i])) {
|
||||
// answer correct
|
||||
correctAnswers++;
|
||||
@ -34,17 +30,17 @@ public class CrossSiteScriptingQuiz extends AssignmentEndpoint {
|
||||
}
|
||||
}
|
||||
|
||||
if(correctAnswers == solutions.length) {
|
||||
if (correctAnswers == solutions.length) {
|
||||
return trackProgress(success().build());
|
||||
} else {
|
||||
return trackProgress(failed().build());
|
||||
}
|
||||
}
|
||||
|
||||
@RequestMapping(method = RequestMethod.GET)
|
||||
@GetMapping("/cross-site-scripting/quiz")
|
||||
@ResponseBody
|
||||
public boolean[] getResults() {
|
||||
return this.guesses;
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
@ -32,29 +32,24 @@
|
||||
package org.owasp.webgoat.plugin;
|
||||
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.UserSessionData;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import java.io.IOException;
|
||||
import java.security.SecureRandom;
|
||||
|
||||
|
||||
@AssignmentPath("/CrossSiteScripting/phone-home-xss")
|
||||
@RestController
|
||||
public class DOMCrossSiteScripting extends AssignmentEndpoint {
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
public @ResponseBody
|
||||
AttackResult completed(@RequestParam Integer param1,
|
||||
@RequestParam Integer param2, HttpServletRequest request) throws IOException {
|
||||
|
||||
UserSessionData userSessionData = getUserSessionData();
|
||||
@PostMapping("/CrossSiteScripting/phone-home-xss")
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam Integer param1,
|
||||
@RequestParam Integer param2, HttpServletRequest request) {
|
||||
UserSessionData userSessionData = getUserSessionData();
|
||||
SecureRandom number = new SecureRandom();
|
||||
userSessionData.setValue("randValue",String.valueOf(number.nextInt()));
|
||||
userSessionData.setValue("randValue", String.valueOf(number.nextInt()));
|
||||
|
||||
if (param1 == 42 && param2 == 24 && request.getHeader("webgoat-requested-by").equals("dom-xss-vuln")) {
|
||||
return trackProgress(success().output("phoneHome Response is " + userSessionData.getValue("randValue").toString()).build());
|
||||
|
||||
@ -36,10 +36,7 @@ import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.UserSessionData;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import java.io.IOException;
|
||||
@ -47,13 +44,13 @@ import java.io.IOException;
|
||||
/**
|
||||
* Created by jason on 11/23/16.
|
||||
*/
|
||||
@AssignmentPath("/CrossSiteScripting/dom-follow-up")
|
||||
@RestController
|
||||
@AssignmentHints(value = {"xss-dom-message-hint-1", "xss-dom-message-hint-2", "xss-dom-message-hint-3", "xss-dom-message-hint-4", "xss-dom-message-hint-5", "xss-dom-message-hint-6"})
|
||||
public class DOMCrossSiteScriptingVerifier extends AssignmentEndpoint {
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
public @ResponseBody
|
||||
AttackResult completed(@RequestParam String successMessage) throws IOException {
|
||||
|
||||
@PostMapping("/CrossSiteScripting/dom-follow-up")
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String successMessage) {
|
||||
UserSessionData userSessionData = getUserSessionData();
|
||||
String answer = (String) userSessionData.getValue("randValue");
|
||||
|
||||
|
||||
@ -35,22 +35,19 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.UserSessionData;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import java.io.IOException;
|
||||
|
||||
/**
|
||||
* Created by jason on 11/23/16.
|
||||
*/
|
||||
@AssignmentPath("/CrossSiteScripting/stored-xss-follow-up")
|
||||
@RestController
|
||||
public class StoredCrossSiteScriptingVerifier extends AssignmentEndpoint {
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
public @ResponseBody
|
||||
AttackResult completed(@RequestParam String successMessage) throws IOException {
|
||||
|
||||
@PostMapping("/CrossSiteScripting/stored-xss-follow-up")
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String successMessage) {
|
||||
UserSessionData userSessionData = getUserSessionData();
|
||||
|
||||
if (successMessage.equals(userSessionData.getValue("randValue").toString())) {
|
||||
|
||||
@ -48,12 +48,13 @@ import org.springframework.web.bind.annotation.*;
|
||||
import org.owasp.encoder.*;
|
||||
|
||||
import static org.springframework.http.MediaType.ALL_VALUE;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.util.*;
|
||||
|
||||
import static org.springframework.web.bind.annotation.RequestMethod.GET;
|
||||
|
||||
@AssignmentPath("/CrossSiteScripting/stored-xss")
|
||||
@RestController
|
||||
public class StoredXssComments extends AssignmentEndpoint {
|
||||
|
||||
@Autowired
|
||||
@ -72,7 +73,7 @@ public class StoredXssComments extends AssignmentEndpoint {
|
||||
comments.add(new Comment("guest", DateTime.now().toString(fmt), "Can you post a comment, calling webgoat.customjs.phoneHome() ?"));
|
||||
}
|
||||
|
||||
@RequestMapping(method = GET, produces = MediaType.APPLICATION_JSON_VALUE,consumes = ALL_VALUE)
|
||||
@GetMapping(path = "/CrossSiteScripting/stored-xss", produces = MediaType.APPLICATION_JSON_VALUE, consumes = ALL_VALUE)
|
||||
@ResponseBody
|
||||
public Collection<Comment> retrieveComments() {
|
||||
List<Comment> allComments = Lists.newArrayList();
|
||||
@ -85,10 +86,9 @@ public class StoredXssComments extends AssignmentEndpoint {
|
||||
return allComments;
|
||||
}
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
@PostMapping("/CrossSiteScripting/stored-xss")
|
||||
@ResponseBody
|
||||
public AttackResult createNewComment (@RequestBody String commentStr) throws IOException {
|
||||
|
||||
public AttackResult createNewComment(@RequestBody String commentStr) {
|
||||
Comment comment = parseJson(commentStr);
|
||||
|
||||
EvictingQueue<Comment> comments = userComments.getOrDefault(webSession.getUserName(), EvictingQueue.create(100));
|
||||
@ -114,8 +114,3 @@ public class StoredXssComments extends AssignmentEndpoint {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@ -29,7 +29,7 @@ import org.hamcrest.CoreMatchers;
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
import org.mockito.runners.MockitoJUnitRunner;
|
||||
import org.mockito.junit.MockitoJUnitRunner;
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpointTest;
|
||||
import org.owasp.webgoat.session.UserSessionData;
|
||||
import org.springframework.test.web.servlet.MockMvc;
|
||||
@ -44,8 +44,7 @@ import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standal
|
||||
@RunWith(MockitoJUnitRunner.class)
|
||||
public class DOMCrossSiteScriptingTest extends AssignmentEndpointTest {
|
||||
private MockMvc mockMvc;
|
||||
private UserSessionData mockUserSessionData;
|
||||
private String randVal = "12034837";
|
||||
private String randVal = "12034837";
|
||||
|
||||
@Before
|
||||
public void setup() {
|
||||
@ -60,7 +59,7 @@ public class DOMCrossSiteScriptingTest extends AssignmentEndpointTest {
|
||||
public void success() throws Exception {
|
||||
|
||||
mockMvc.perform(MockMvcRequestBuilders.post("/CrossSiteScripting/phone-home-xss")
|
||||
.header("webgoat-requested-by","dom-xss-vuln")
|
||||
.header("webgoat-requested-by", "dom-xss-vuln")
|
||||
.param("param1", "42")
|
||||
.param("param2", "24"))
|
||||
.andExpect(status().isOk())
|
||||
@ -72,7 +71,7 @@ public class DOMCrossSiteScriptingTest extends AssignmentEndpointTest {
|
||||
public void failure() throws Exception {
|
||||
|
||||
mockMvc.perform(MockMvcRequestBuilders.post("/CrossSiteScripting/phone-home-xss")
|
||||
.header("webgoat-requested-by","wrong-value")
|
||||
.header("webgoat-requested-by", "wrong-value")
|
||||
.param("param1", "22")
|
||||
.param("param2", "20"))
|
||||
.andExpect(status().isOk())
|
||||
|
||||
@ -2,28 +2,27 @@ package org.owasp.webgoat.plugin;
|
||||
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.UserSessionData;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
|
||||
/**
|
||||
* Created by jason on 9/29/17.
|
||||
*/
|
||||
|
||||
@AssignmentPath("/csrf/confirm-flag-1")
|
||||
@RestController
|
||||
@AssignmentHints({"csrf-get.hint1", "csrf-get.hint2", "csrf-get.hint3", "csrf-get.hint4"})
|
||||
public class CSRFConfirmFlag1 extends AssignmentEndpoint {
|
||||
|
||||
@Autowired
|
||||
UserSessionData userSessionData;
|
||||
|
||||
@PostMapping(produces = {"application/json"})
|
||||
public @ResponseBody
|
||||
AttackResult completed(String confirmFlagVal) {
|
||||
|
||||
@PostMapping(path = "/csrf/confirm-flag-1", produces = {"application/json"})
|
||||
@ResponseBody
|
||||
public AttackResult completed(String confirmFlagVal) {
|
||||
Object userSessionDataStr = userSessionData.getValue("csrf-get-success");
|
||||
if (userSessionDataStr != null && confirmFlagVal.equals(userSessionDataStr.toString())) {
|
||||
return trackProgress(
|
||||
|
||||
@ -11,10 +11,7 @@ import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.UserSessionData;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
import org.springframework.web.bind.annotation.RequestBody;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import javax.servlet.http.Cookie;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
@ -26,7 +23,7 @@ import java.util.UUID;
|
||||
* @author nbaars
|
||||
* @since 11/17/17.
|
||||
*/
|
||||
@AssignmentPath("/csrf/feedback")
|
||||
@RestController
|
||||
@AssignmentHints({"csrf-feedback-hint1", "csrf-feedback-hint2", "csrf-feedback-hint3"})
|
||||
public class CSRFFeedback extends AssignmentEndpoint {
|
||||
|
||||
@ -35,7 +32,7 @@ public class CSRFFeedback extends AssignmentEndpoint {
|
||||
@Autowired
|
||||
private ObjectMapper objectMapper;
|
||||
|
||||
@PostMapping(value = "/message", produces = {"application/json"})
|
||||
@PostMapping(value = "/csrf/feedback/message", produces = {"application/json"})
|
||||
@ResponseBody
|
||||
public AttackResult completed(HttpServletRequest request, @RequestBody String feedback) {
|
||||
try {
|
||||
@ -59,7 +56,7 @@ public class CSRFFeedback extends AssignmentEndpoint {
|
||||
return failed().build();
|
||||
}
|
||||
|
||||
@PostMapping(produces = "application/json")
|
||||
@PostMapping(path = "/csrf/feedback", produces = "application/json")
|
||||
@ResponseBody
|
||||
public AttackResult flag(@RequestParam("confirmFlagVal") String flag) {
|
||||
if (flag.equals(userSessionData.getValue("csrf-feedback"))) {
|
||||
|
||||
@ -9,19 +9,20 @@ import org.owasp.webgoat.users.UserTrackerRepository;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
|
||||
/**
|
||||
* @author nbaars
|
||||
* @since 11/17/17.
|
||||
*/
|
||||
@AssignmentPath("/csrf/login")
|
||||
@RestController
|
||||
@AssignmentHints({"csrf-login-hint1", "csrf-login-hint2", "csrf-login-hint3"})
|
||||
public class CSRFLogin extends AssignmentEndpoint {
|
||||
|
||||
@Autowired
|
||||
private UserTrackerRepository userTrackerRepository;
|
||||
|
||||
@PostMapping(produces = {"application/json"})
|
||||
@PostMapping(path = "/csrf/login", produces = {"application/json"})
|
||||
@ResponseBody
|
||||
public AttackResult completed() {
|
||||
String userName = getWebSession().getUserName();
|
||||
|
||||
@ -44,9 +44,7 @@ import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import java.io.IOException;
|
||||
@ -56,8 +54,8 @@ import java.util.Map;
|
||||
import static org.springframework.http.MediaType.ALL_VALUE;
|
||||
import static org.springframework.web.bind.annotation.RequestMethod.GET;
|
||||
|
||||
@AssignmentPath("/csrf/review")
|
||||
@AssignmentHints({"csrf-review-hint1","csrf-review-hint2","csrf-review-hint3"})
|
||||
@RestController
|
||||
@AssignmentHints({"csrf-review-hint1", "csrf-review-hint2", "csrf-review-hint3"})
|
||||
public class ForgedReviews extends AssignmentEndpoint {
|
||||
|
||||
@Autowired
|
||||
@ -73,10 +71,10 @@ public class ForgedReviews extends AssignmentEndpoint {
|
||||
REVIEWS.add(new Review("secUriTy", DateTime.now().toString(fmt), "This is like swiss cheese", 0));
|
||||
REVIEWS.add(new Review("webgoat", DateTime.now().toString(fmt), "It works, sorta", 2));
|
||||
REVIEWS.add(new Review("guest", DateTime.now().toString(fmt), "Best, App, Ever", 5));
|
||||
REVIEWS.add(new Review("guest", DateTime.now().toString(fmt), "This app is so insecure, I didn't even post this review, can you pull that off too?",1));
|
||||
REVIEWS.add(new Review("guest", DateTime.now().toString(fmt), "This app is so insecure, I didn't even post this review, can you pull that off too?", 1));
|
||||
}
|
||||
|
||||
@RequestMapping(method = GET, produces = MediaType.APPLICATION_JSON_VALUE,consumes = ALL_VALUE)
|
||||
@GetMapping(path = "/csrf/review", produces = MediaType.APPLICATION_JSON_VALUE, consumes = ALL_VALUE)
|
||||
@ResponseBody
|
||||
public Collection<Review> retrieveReviews() {
|
||||
Collection<Review> allReviews = Lists.newArrayList();
|
||||
@ -90,9 +88,9 @@ public class ForgedReviews extends AssignmentEndpoint {
|
||||
return allReviews;
|
||||
}
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
@PostMapping("/csrf/review")
|
||||
@ResponseBody
|
||||
public AttackResult createNewReview (String reviewText, Integer stars, String validateReq, HttpServletRequest request) throws IOException {
|
||||
public AttackResult createNewReview(String reviewText, Integer stars, String validateReq, HttpServletRequest request) {
|
||||
|
||||
String host = (request.getHeader("host") == null) ? "NULL" : request.getHeader("host");
|
||||
// String origin = (req.getHeader("origin") == null) ? "NULL" : req.getHeader("origin");
|
||||
@ -116,7 +114,7 @@ public class ForgedReviews extends AssignmentEndpoint {
|
||||
return trackProgress(failed().feedback("csrf-you-forgot-something").build());
|
||||
}
|
||||
//we have the spoofed files
|
||||
if (referer != "NULL" && refererArr[2].equals(host) ) {
|
||||
if (referer != "NULL" && refererArr[2].equals(host)) {
|
||||
return trackProgress(failed().feedback("csrf-same-host").build());
|
||||
} else {
|
||||
return trackProgress(success().feedback("csrf-review.success").build()); //feedback("xss-stored-comment-failure")
|
||||
|
||||
@ -4,57 +4,53 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import java.io.IOException;
|
||||
|
||||
/**
|
||||
* *************************************************************************************************
|
||||
*
|
||||
*
|
||||
* <p>
|
||||
* <p>
|
||||
* This file is part of WebGoat, an Open Web Application Security Project
|
||||
* utility. For details, please see http://www.owasp.org/
|
||||
*
|
||||
* <p>
|
||||
* Copyright (c) 2002 - 20014 Bruce Mayhew
|
||||
*
|
||||
* <p>
|
||||
* This program is free software; you can redistribute it and/or modify it under
|
||||
* the terms of the GNU General Public License as published by the Free Software
|
||||
* Foundation; either version 2 of the License, or (at your option) any later
|
||||
* version.
|
||||
*
|
||||
* <p>
|
||||
* This program is distributed in the hope that it will be useful, but WITHOUT
|
||||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
||||
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
||||
* details.
|
||||
*
|
||||
* <p>
|
||||
* You should have received a copy of the GNU General Public License along with
|
||||
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
|
||||
* Place - Suite 330, Boston, MA 02111-1307, USA.
|
||||
*
|
||||
* <p>
|
||||
* Getting Source ==============
|
||||
*
|
||||
* <p>
|
||||
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
|
||||
* for free software projects.
|
||||
*
|
||||
* <p>
|
||||
* For details, please see http://webgoat.github.io
|
||||
*
|
||||
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
|
||||
* @created October 28, 2003
|
||||
*/
|
||||
@AssignmentPath("/HtmlTampering/task")
|
||||
@AssignmentHints({ "hint1", "hint2", "hint3"})
|
||||
@RestController
|
||||
@AssignmentHints({"hint1", "hint2", "hint3"})
|
||||
public class HtmlTamperingTask extends AssignmentEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
public
|
||||
@PostMapping("/HtmlTampering/task")
|
||||
@ResponseBody
|
||||
AttackResult completed(@RequestParam String QTY, @RequestParam String Total) throws IOException {
|
||||
if (Float.parseFloat(QTY) * 2999.99 > Float.parseFloat(Total) + 1) {
|
||||
return trackProgress(success().feedback("html-tampering.tamper.success").build());
|
||||
}
|
||||
public AttackResult completed(@RequestParam String QTY, @RequestParam String Total) {
|
||||
if (Float.parseFloat(QTY) * 2999.99 > Float.parseFloat(Total) + 1) {
|
||||
return trackProgress(success().feedback("html-tampering.tamper.success").build());
|
||||
}
|
||||
return trackProgress(failed().feedback("html-tampering.tamper.failure").build());
|
||||
}
|
||||
}
|
||||
|
||||
@ -1,3 +1,25 @@
|
||||
/*
|
||||
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
|
||||
*
|
||||
* Copyright (c) 2002 - 2019 Bruce Mayhew
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it under the terms of the
|
||||
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
|
||||
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
* General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along with this program; if
|
||||
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
|
||||
* 02111-1307, USA.
|
||||
*
|
||||
* Getting Source ==============
|
||||
*
|
||||
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
|
||||
*/
|
||||
|
||||
package org.owasp.webgoat.plugin;
|
||||
|
||||
import com.beust.jcommander.internal.Lists;
|
||||
@ -6,35 +28,6 @@ import org.owasp.webgoat.lessons.NewLesson;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
/**
|
||||
* ************************************************************************************************
|
||||
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
|
||||
* please see http://www.owasp.org/
|
||||
* <p>
|
||||
* Copyright (c) 2002 - 20014 Bruce Mayhew
|
||||
* <p>
|
||||
* This program is free software; you can redistribute it and/or modify it under the terms of the
|
||||
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
|
||||
* License, or (at your option) any later version.
|
||||
* <p>
|
||||
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
|
||||
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
* General Public License for more details.
|
||||
* <p>
|
||||
* You should have received a copy of the GNU General Public License along with this program; if
|
||||
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
|
||||
* 02111-1307, USA.
|
||||
* <p>
|
||||
* Getting Source ==============
|
||||
* <p>
|
||||
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
|
||||
* projects.
|
||||
* <p>
|
||||
*
|
||||
* @author WebGoat
|
||||
* @version $Id: $Id
|
||||
* @since October 12, 2016
|
||||
*/
|
||||
public class HttpBasics extends NewLesson {
|
||||
@Override
|
||||
public Category getDefaultCategory() {
|
||||
|
||||
@ -29,7 +29,7 @@ import org.hamcrest.CoreMatchers;
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
import org.mockito.runners.MockitoJUnitRunner;
|
||||
import org.mockito.junit.MockitoJUnitRunner;
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpointTest;
|
||||
import org.springframework.test.web.servlet.MockMvc;
|
||||
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user