dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Use separate project for integration tests so we can start WebGoat and WebWolf

Browse Source
This commit is contained in:
Nanne Baars
2019-08-25 17:43:14 +02:00
parent 139651615e
commit ff530e926e
33 changed files with 793 additions and 742 deletions
Download Patch File Download Diff File Expand all files Collapse all files

127
webgoat-integration-tests/src/test/java/org/owasp/webgoat/GeneralLessonTest.java Normal file
View File

@ -0,0 +1,127 @@
package org.owasp.webgoat;
import io.restassured.RestAssured;
import io.restassured.http.ContentType;
import org.hamcrest.CoreMatchers;
import org.junit.Assert;
import org.junit.Test;
import java.util.HashMap;
import java.util.Map;
public class GeneralLessonTest extends IntegrationTest {
@Test
public void httpBasics() {
startLesson("HttpBasics");
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("person", "goatuser");
checkAssignment(url("HttpBasics/attack1"), params, true);
params.clear();
params.put("answer", "POST");
params.put("magic_answer", "33");
params.put("magic_num", "4");
checkAssignment(url("HttpBasics/attack2"), params, false);
params.clear();
params.put("answer", "POST");
params.put("magic_answer", "33");
params.put("magic_num", "33");
checkAssignment(url("HttpBasics/attack2"), params, true);
checkResults("/HttpBasics/");
}
@Test
public void httpProxies() {
startLesson("HttpProxies");
Assert.assertThat(RestAssured.given()
.when().config(restConfig).cookie("JSESSIONID", getWebGoatCookie()).header("x-request-intercepted", "true")
.contentType(ContentType.JSON)
.get(url("HttpProxies/intercept-request?changeMe=Requests are tampered easily"))
.then()
.statusCode(200).extract().path("lessonCompleted"), CoreMatchers.is(true));
checkResults("/HttpProxies/");
}
@Test
public void cia() {
startLesson("CIA");
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("question_0_solution", "Solution 3: By stealing a database where names and emails are stored and uploading it to a website.");
params.put("question_1_solution", "Solution 1: By changing the names and emails of one or more users stored in a database.");
params.put("question_2_solution", "Solution 4: By launching a denial of service attack on the servers.");
params.put("question_3_solution", "Solution 2: The systems security is compromised even if only one goal is harmed.");
checkAssignment(url("/WebGoat/cia/quiz"), params, true);
checkResults("/cia/");
}
@Test
public void securePasswords() {
startLesson("SecurePasswords");
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("password", "ajnaeliclm^&&@kjn.");
checkAssignment(url("/WebGoat/SecurePasswords/assignment"), params, true);
checkResults("SecurePasswords/");
startLesson("AuthBypass");
params.clear();
params.put("secQuestion2", "John");
params.put("secQuestion3", "Main");
params.put("jsEnabled", "1");
params.put("verifyMethod", "SEC_QUESTIONS");
params.put("userId", "12309746");
checkAssignment(url("/WebGoat/auth-bypass/verify-account"), params, true);
checkResults("/auth-bypass/");
startLesson("HttpProxies");
Assert.assertThat(RestAssured.given().when().config(restConfig).cookie("JSESSIONID", getWebGoatCookie()).header("x-request-intercepted", "true")
.contentType(ContentType.JSON)
.get(url("/WebGoat/HttpProxies/intercept-request?changeMe=Requests are tampered easily")).then()
.statusCode(200).extract().path("lessonCompleted"), CoreMatchers.is(true));
checkResults("/HttpProxies/");
}
@Test
public void chrome() {
startLesson("ChromeDevTools");
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("param1", "42");
params.put("param2", "24");
String result =
RestAssured.given()
.when()
.config(restConfig)
.cookie("JSESSIONID", getWebGoatCookie())
.header("webgoat-requested-by", "dom-xss-vuln")
.header("X-Requested-With", "XMLHttpRequest")
.formParams(params)
.post(url("/WebGoat/CrossSiteScripting/phone-home-xss"))
.then()
.statusCode(200)
.extract().path("output");
String secretNumber = result.substring("phoneHome Response is ".length());
params.clear();
params.put("successMessage", secretNumber);
checkAssignment(url("/WebGoat/ChromeDevTools/dummy"), params, true);
params.clear();
params.put("number", "24");
params.put("network_num", "24");
checkAssignment(url("/WebGoat/ChromeDevTools/network"), params, true);
checkResults("/ChromeDevTools/");
}
}

200
webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java Normal file
View File

@ -0,0 +1,200 @@
package org.owasp.webgoat;
import io.restassured.RestAssured;
import io.restassured.config.RestAssuredConfig;
import io.restassured.config.SSLConfig;
import lombok.Getter;
import org.hamcrest.CoreMatchers;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.owasp.webwolf.WebWolf;
import org.springframework.boot.builder.SpringApplicationBuilder;
import java.io.IOException;
import java.net.ServerSocket;
import java.util.Map;
import java.util.UUID;
public abstract class IntegrationTest {
private static String WEBGOAT_URL = "http://localhost:8080/WebGoat/";
private static String WEBWOLF_URL = "http://localhost:9090/";
//This also allows to test the application with HTTPS when outside testing option is used
protected static RestAssuredConfig restConfig = RestAssuredConfig.newConfig().sslConfig(new SSLConfig().relaxedHTTPSValidation());
@Getter
private String webGoatCookie;
@Getter
private String webWolfCookie;
@Getter
private String webgoatUser = UUID.randomUUID().toString();
private static boolean started = false;
@BeforeClass
public static void beforeAll() {
if (!started) {
started = true;
if (!areAlreadyRunning()) {
SpringApplicationBuilder wgs = new SpringApplicationBuilder(StartWebGoat.class)
.properties(Map.of("spring.config.name", "application-webgoat"));
wgs.run();
SpringApplicationBuilder wws = new SpringApplicationBuilder(WebWolf.class)
.properties(Map.of("spring.config.name", "application-webwolf"));
wws.run();
}
}
}
private static boolean areAlreadyRunning() {
return checkIfServerIsRunnningOn(9090) && checkIfServerIsRunnningOn(8080);
}
private static boolean checkIfServerIsRunnningOn(int port) {
try (var ignored = new ServerSocket(port)) {
return false;
} catch (IOException e) {
return true;
}
}
protected String url(String url) {
url = url.replaceFirst("/WebGoat/", "");
url = url.replaceFirst("/WebGoat", "");
url = url.startsWith("/") ? url.replaceFirst("/", "") : url;
return WEBGOAT_URL + url;
}
protected String webWolfUrl(String url) {
url = url.startsWith("/") ? url.replaceFirst("/", "") : url;
return WEBWOLF_URL + url;
}
@Before
public void login() {
webGoatCookie = RestAssured.given()
.when()
.config(restConfig)
.formParam("username", webgoatUser)
.formParam("password", "password")
.formParam("matchingPassword", "password")
.formParam("agree", "agree")
.post(url("register.mvc"))
.then()
.cookie("JSESSIONID")
.statusCode(302)
.extract()
.cookie("JSESSIONID");
webWolfCookie = RestAssured.given()
.when()
.config(restConfig)
.formParam("username", webgoatUser)
.formParam("password", "password")
.post(WEBWOLF_URL + "login")
.then()
.cookie("WEBWOLFSESSION")
.statusCode(302)
.extract()
.cookie("WEBWOLFSESSION");
}
@After
public void logout() {
RestAssured.given()
.when()
.config(restConfig)
.get(WEBGOAT_URL + "logout")
.then()
.statusCode(200);
}
/**
* At start of a lesson. The .lesson.lesson is visited and the lesson is reset.
*
* @param lessonName
*/
public void startLesson(String lessonName) {
RestAssured.given()
.when()
.config(restConfig)
.cookie("JSESSIONID", getWebGoatCookie())
.get(url(lessonName + ".lesson.lesson"))
.then()
.statusCode(200);
RestAssured.given()
.when()
.config(restConfig)
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("service/restartlesson.mvc"))
.then()
.statusCode(200);
}
/**
* Helper method for most common type of test.
* POST with parameters.
* Checks for 200 and lessonCompleted as indicated by expectedResult
*
* @param url
* @param params
* @param expectedResult
*/
public void checkAssignment(String url, Map<String, ?> params, boolean expectedResult) {
Assert.assertThat(
RestAssured.given()
.when()
.config(restConfig)
.cookie("JSESSIONID", getWebGoatCookie())
.formParams(params)
.post(url)
.then()
.statusCode(200)
.extract().path("lessonCompleted"), CoreMatchers.is(expectedResult));
}
/**
* Helper method for most common type of test.
* PUT with parameters.
* Checks for 200 and lessonCompleted as indicated by expectedResult
*
* @param url
* @param params
* @param expectedResult
*/
public void checkAssignmentWithPUT(String url, Map<String, ?> params, boolean expectedResult) {
Assert.assertThat(
RestAssured.given()
.when()
.config(restConfig)
.cookie("JSESSIONID", getWebGoatCookie())
.formParams(params)
.put(url)
.then()
.statusCode(200)
.extract().path("lessonCompleted"), CoreMatchers.is(expectedResult));
}
public void checkResults(String prefix) {
Assert.assertThat(RestAssured.given()
.when()
.config(restConfig)
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("service/lessonoverview.mvc"))
.then()
.statusCode(200).extract().jsonPath().getList("solved"), CoreMatchers.everyItem(CoreMatchers.is(true)));
Assert.assertThat(RestAssured.given()
.when()
.config(restConfig)
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("service/lessonoverview.mvc"))
.then()
.statusCode(200).extract().jsonPath().getList("assignment.path"), CoreMatchers.everyItem(CoreMatchers.startsWith(prefix)));
}
}

76
webgoat-integration-tests/src/test/java/org/owasp/webgoat/PasswordResetLessonTest.java Normal file
View File

@ -0,0 +1,76 @@
package org.owasp.webgoat;
import io.restassured.RestAssured;
import org.assertj.core.api.Assertions;
import org.junit.Test;
import java.util.Map;
public class PasswordResetLessonTest extends IntegrationTest {
@Test
public void solveAssignment() {
//WebGoat
startLesson("PasswordReset");
clickForgotEmailLink("tom@webgoat-cloud.org");
//WebWolf
var link = getPasswordResetLinkFromLandingPage();
//WebGoat
changePassword(link);
checkAssignment(url("PasswordReset/reset/login"), Map.of("email", "tom@webgoat-cloud.org", "password", "123456"), true);
}
@Test
public void sendEmailShouldBeAvailabeInWebWolf() {
startLesson("PasswordReset");
clickForgotEmailLink(getWebgoatUser() + "@webgoat.org");
var responseBody = RestAssured.given()
.when()
.config(restConfig)
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.get(webWolfUrl("/WebWolf/mail"))
.then()
.extract().response().getBody().asString();
Assertions.assertThat(responseBody).contains("Hi, you requested a password reset link");
}
private void changePassword(String link) {
RestAssured.given()
.when()
.config(restConfig)
.cookie("JSESSIONID", getWebGoatCookie())
.formParams("resetLink", link, "password", "123456")
.post(url("PasswordReset/reset/change-password"))
.then()
.statusCode(200);
}
private String getPasswordResetLinkFromLandingPage() {
var responseBody = RestAssured.given()
.when()
.config(restConfig)
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.get(webWolfUrl("WebWolf/requests"))
.then()
.extract().response().getBody().asString();
int startIndex = responseBody.lastIndexOf("\"path\" : \"/PasswordReset/reset/reset-password/");
var link = responseBody.substring(startIndex + "\"path\" : \"/PasswordReset/reset/reset-password/".length(), responseBody.indexOf(",", startIndex) - 1);
return link;
}
private void clickForgotEmailLink(String user) {
RestAssured.given()
.when()
.header("host", "localhost:9090")
.config(restConfig)
.cookie("JSESSIONID", getWebGoatCookie())
.formParams("email", user)
.post(url("PasswordReset/ForgotPassword/create-password-reset-link"))
.then()
.statusCode(200);
}
}

49
webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionAdvancedTest.java Normal file
View File

@ -0,0 +1,49 @@
package org.owasp.webgoat;
import org.junit.Test;
import java.util.HashMap;
import java.util.Map;
public class SqlInjectionAdvancedTest extends IntegrationTest {
@Test
public void runTests() {
startLesson("SqlInjectionAdvanced");
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("username_reg", "tom' AND substring(password,1,1)='t");
params.put("password_reg", "password");
params.put("email_reg", "someone@microsoft.com");
params.put("confirm_password", "password");
checkAssignmentWithPUT(url("/WebGoat/SqlInjectionAdvanced/challenge"), params, true);
params.clear();
params.put("username_login", "tom");
params.put("password_login", "thisisasecretfortomonly");
checkAssignment(url("/WebGoat/SqlInjectionAdvanced/challenge_Login"), params, true);
params.clear();
params.put("userid_6a", "'; SELECT * FROM user_system_data;--");
checkAssignment(url("/WebGoat/SqlInjectionAdvanced/attack6a"), params, true);
params.clear();
params.put("userid_6a", "Smith' union select userid,user_name, user_name,user_name,password,cookie,userid from user_system_data --");
checkAssignment(url("/WebGoat/SqlInjectionAdvanced/attack6a"), params, true);
params.clear();
params.put("userid_6b", "passW0rD");
checkAssignment(url("/WebGoat/SqlInjectionAdvanced/attack6b"), params, true);
params.clear();
params.put("question_0_solution", "Solution 4: A statement has got values instead of a prepared statement");
params.put("question_1_solution", "Solution 3: ?");
params.put("question_2_solution", "Solution 2: Prepared statements are compiled once by the database management system waiting for input and are pre-compiled this way.");
params.put("question_3_solution", "Solution 3: Placeholders can prevent that the users input gets attached to the SQL query resulting in a seperation of code and data.");
params.put("question_4_solution", "Solution 4: The database registers 'Robert' ); DROP TABLE Students;--'.");
checkAssignment(url("/WebGoat/SqlInjectionAdvanced/quiz"), params, true);
checkResults("/SqlInjectionAdvanced/");
}
}

82
webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionLessonTest.java Normal file
View File

@ -0,0 +1,82 @@
package org.owasp.webgoat;
import org.junit.Test;
import java.util.HashMap;
import java.util.Map;
public class SqlInjectionLessonTest extends IntegrationTest {
private static final String sql_2 = "select department from employees where last_name='Franco'";
private static final String sql_3 = "update employees set department='Sales' where last_name='Barnett'";
private static final String sql_4_drop = "alter table employees drop column phone";
private static final String sql_4_add = "alter table employees add column phone varchar(20)";
private static final String sql_5 = "grant alter table to UnauthorizedUser";
private static final String sql_9_account = " ' ";
private static final String sql_9_operator = "or";
private static final String sql_9_injection = "'1'='1";
private static final String sql_10_login_count = "2";
private static final String sql_10_userid = "1 or 1=1";
private static final String sql_11_a = "Smith' or '1' = '1";
private static final String sql_11_b = "3SL99A' or '1'='1";
private static final String sql_12_a = "Smith";
private static final String sql_12_b = "3SL99A' ; update employees set salary= '100000' where last_name='Smith";
private static final String sql_13 = "%update% '; drop table access_log ; --'";
@Test
public void runTests() {
startLesson("SqlInjection");
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("query", sql_2);
checkAssignment(url("/WebGoat/SqlInjection/attack2"), params, true);
params.clear();
params.put("query", sql_3);
checkAssignment(url("/WebGoat/SqlInjection/attack3"), params, true);
params.clear();
params.put("query", sql_4_drop);
checkAssignment(url("/WebGoat/SqlInjection/attack4"), params, false);
params.clear();
params.put("query", sql_4_add);
checkAssignment(url("/WebGoat/SqlInjection/attack4"), params, true);
params.clear();
params.put("query", sql_5);
checkAssignment(url("/WebGoat/SqlInjection/attack5"), params, true);
params.clear();
params.put("operator", sql_9_operator);
params.put("account", sql_9_account);
params.put("injection", sql_9_injection);
checkAssignment(url("/WebGoat/SqlInjection/assignment5a"), params, true);
params.clear();
params.put("login_count", sql_10_login_count);
params.put("userid", sql_10_userid);
checkAssignment(url("/WebGoat/SqlInjection/assignment5b"), params, true);
params.clear();
params.put("name", sql_11_a);
params.put("auth_tan", sql_11_b);
checkAssignment(url("/WebGoat/SqlInjection/attack8"), params, true);
params.clear();
params.put("name", sql_12_a);
params.put("auth_tan", sql_12_b);
checkAssignment(url("/WebGoat/SqlInjection/attack9"), params, true);
params.clear();
params.put("action_string", sql_13);
checkAssignment(url("/WebGoat/SqlInjection/attack10"), params, true);
checkResults("/SqlInjection/");
}
}

39
webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionMitigationTest.java Normal file
View File

@ -0,0 +1,39 @@
package org.owasp.webgoat;
import org.junit.Test;
import java.util.HashMap;
import java.util.Map;
public class SqlInjectionMitigationTest extends IntegrationTest {
@Test
public void runTests() {
startLesson("SqlInjectionMitigations");
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("field1", "getConnection");
params.put("field2", "PreparedStatement prep");
params.put("field3", "prepareStatement");
params.put("field4", "?");
params.put("field5", "?");
params.put("field6", "prep.setString(1,\"\")");
params.put("field7", "prep.setString(2,\\\"\\\")");
checkAssignment(url("/WebGoat/SqlInjectionMitigations/attack10a"), params, true);
params.put("editor", "try {\r\n" +
" Connection conn = DriverManager.getConnection(DBURL,DBUSER,DBPW);\r\n" +
" PreparedStatement prep = conn.prepareStatement(\"select id from users where name = ?\");\r\n" +
" prep.setString(1,\"me\");\r\n" +
" prep.execute();\r\n" +
" System.out.println(conn); //should output 'null'\r\n" +
"} catch (Exception e) {\r\n" +
" System.out.println(\"Oops. Something went wrong!\");\r\n" +
"}");
checkAssignment(url("/WebGoat/SqlInjectionMitigations/attack10b"), params, true);
//checkResults(webGoatCookie, webgoatURL, "/SqlInjectionMitigations/");
}
}