Àngel Ollé Blázquez
be30551850
fix: potential NPE in the stored XSS assignment
2023-08-27 14:31:35 +02:00
Àngel Ollé Blázquez
49862f6b90
fix: fixes the default change in trailing slash matching and address the affected assignments
2023-08-27 14:14:27 +02:00
Àngel Ollé Blázquez
4009785bb8
fix: crypto basics broken links
2023-08-27 13:16:08 +02:00
Àngel Ollé Blázquez
d8341c86a1
bug: fix hint that was breaking the template, causing hints from different assignments to mix (#1424)
2023-08-27 02:08:52 +02:00
Àngel Ollé Blázquez
055578893d
feat: improve MFAC lesson hint texts for a better user experience (#1424)
2023-08-27 02:08:52 +02:00
Àngel Ollé Blázquez
7b81247dd1
fix: HijackSession lesson template deprecated Thymeleaf attribute
2023-08-26 02:57:50 +02:00
Àngel Ollé Blázquez
3bc2e57c9c
Fix NPE in IDOR lesson
2023-08-26 02:22:33 +02:00
Àngel Ollé Blázquez
c3ec168d59
Add new assignment IT tests
2023-08-26 01:30:17 +02:00
Àngel Ollé Blázquez
a67fbf5a5a
fix: XSS mitigation
2023-08-26 01:30:17 +02:00
Àngel Ollé Blázquez
3365c8d447
Remove wrong files
2023-08-25 22:50:40 +02:00
Àngel Ollé Blázquez
368c046779
fix: Stored Cross-Site Scripting Lesson
2023-08-25 20:55:26 +02:00
Àngel Ollé Blázquez
786cabd251
Make webjar dependencies version agnostic
2023-08-24 16:43:28 +02:00
Àngel Ollé Blázquez
4ba818533c
fix: WebWolf JWT jquery webjar
2023-08-09 01:32:03 +02:00
Nanne Baars
a9b1fd66b8
feat: implement JWT jku example (#1552)
Closes #1539
2023-08-08 17:18:22 +02:00
dependabot[bot]
61de52840f
chore: bump com.diffplug.spotless:spotless-maven-plugin from 2.33.0 to 2.38.0 (#1535)
* chore: bump com.diffplug.spotless:spotless-maven-plugin
Bumps [com.diffplug.spotless:spotless-maven-plugin](https://github.com/diffplug/spotless) from 2.33.0 to 2.38.0.
- [Changelog](https://github.com/diffplug/spotless/blob/main/CHANGES.md)
- [Commits](https://github.com/diffplug/spotless/compare/lib/2.33.0...lib/2.38.0)
---
updated-dependencies:
- dependency-name: com.diffplug.spotless:spotless-maven-plugin
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* chore: format code
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Nanne Baars <nanne.baars@owasp.org>
2023-07-30 15:10:31 +02:00
Àngel Ollé Blázquez
ad00119b0d
Add Assignment7 Tests
2023-07-18 00:38:23 +02:00
Àngel Ollé Blázquez
25f49537e7
bug: Fix IDOR lesson
2023-07-16 17:14:27 +02:00
Àngel Ollé Blázquez
8ec718c1ef
format
2023-06-15 19:26:33 +02:00
Àngel Ollé Blázquez
1df7ca61a3
Text content improvement
2023-06-15 19:26:33 +02:00
Àngel Ollé Blázquez
75398feca0
Add hints
2023-06-15 19:26:33 +02:00
Nanne Baars
ca886b4818
feat: upgrade to Spring Boot version 3 (#1477)
2023-06-04 11:19:47 +02:00
caputdraconis
ac6de9d788
Fix typo of HijackSession_content0.adoc
2023-04-17 09:04:15 +02:00
Loris Sierra
cbf2e153d9
Restrict SSRF Regexes
2023-03-08 23:22:38 +01:00
Nanne Baars
e50986a098
fix: challenge 7 (#1433)
2023-02-22 22:55:48 +01:00
Nanne Baars
5dbe2eaf19
refactor: update challenge code
- Flags are now wired through a Spring config
- Introduced Flag class
- Removed Flags from the FlagController
2023-02-22 11:01:34 +01:00
Nanne Baars
ecfc321f14
feature: Add extra feedback once someone solves JWT refresh lesson differently
One can solve this lesson by using `alg:none` instead of using the refresh token flow. Instead of adding a check to force using the refresh token we opt for giving the user extra feedback.
2023-02-16 20:32:27 +00:00
Nanne Baars
73b8c431fc
chore: use constructor instead of field dependency injection
2023-02-16 20:32:27 +00:00
Nanne Baars
693771220c
fix: change url in JavaScript for JWT endpoint
The JavaScript pointed to the context root /WebWolf/ which is no longer in use.
2023-02-16 12:24:02 +00:00
Àngel Ollé Blázquez
075b1ab30a
Fix WebWolf JWT tool
2023-02-15 22:40:24 +00:00
Nanne Baars
390ff39f19
chore: format src/test/it as well
2023-02-15 19:01:06 +00:00
Nanne Baars
3ec34b0df5
fix: challenge test fails sometimes when calling scoreboard endpoint
2023-02-15 19:01:06 +00:00
Àngel Ollé Blázquez
ae081ce319
Add fileserver location (test)
2023-02-15 12:00:54 +00:00
Nanne Baars
bd398e4c09
#1396 Fix templates path for views
2023-02-15 11:58:49 +00:00
Nanne Baars
323daae578
Vulnerable components only work in a Docker container
2023-01-05 20:51:15 +01:00
Nanne Baars
3901814363
Fix documentation link for XXE mitigation.
2023-01-05 19:00:12 +01:00
Nanne Baars
59bfd7c6d4
Move XXE to A05 - Security Misconfiguration
2023-01-05 19:00:12 +01:00
Nanne Baars
dca415099f
Remove unused JavaScript function
2023-01-05 11:33:00 +01:00
Nanne Baars
54e115aff0
Update the solution with WebWolf URLs
The new solution uses WebWolf paths as these will change automatically when a user starts WebGoat on a different port. It no longer depends on the hardcoded port `8080`.
2023-01-05 11:02:45 +01:00
Nanne Baars
fcaa2d8589
Fix zip slip lesson.
The lesson did not work properly as the directory is reused across several path traversal lessons. First thing before uploading the zip file we now clean the directory.
The html had a reference to a location of the profile picture, this was part of a hint but this only causes confusion as this is not indicating to where you need to upload the picture with the Zip Slip vulnerability.
The assignment now contains a direct hint as to where the image needs to be saved. The assignment is about creating a vulnerable zip file and NOT about guessing where the image should be saved inside WebGoat.
2023-01-05 11:02:45 +01:00
Nanne Baars
9666597164
- Add reference to the WebWolf icon in the top right corner.
- Format all text of the lesson
2023-01-04 08:07:51 +01:00
Nanne Baars
d2a1546dff
Apply formatting
This will make sure we have a consistent style across our project and the PRs are only concerned with actual changes and no longer about style.
2023-01-04 08:07:23 +01:00
Nanne Baars
b03777d39b
Support boolean
when parsing the token.
When the admin json element passes as a `boolean`:
```
{
"admin": true
}
```
the parsing is now successful.
2023-01-04 07:43:18 +01:00
Nanne Baars
32468ff90b
Add sql lesson (#1370)
2023-01-04 07:42:29 +01:00
Adam Szatyin
71ec36102f
Fix typo
2022-12-01 21:34:19 +01:00
András Veres-Szentkirályi
8db9ff30be
Fixed incorrect word
while "wear" and "were" have similar pronunciation, one of them is better here than the other :)
2022-11-29 18:55:44 +01:00
András Veres-Szentkirályi
b51be74cab
typofix
2022-11-28 17:10:14 +01:00
Jesper Hallborg
96c2595ad0
Update interface name to exploit
The name is
org.owasp.webgoat.lessons.vulnerablecomponents.Contact
not
org.owasp.webgoat.vulnerablecomponents.Contact
2022-09-21 22:32:16 +02:00
René Zubcevic
34f5b79249
isReadable works inside a container, isFile not (#1334)
2022-09-12 09:02:07 +02:00
Thanh Tran
f5e4d4717a
FixTypo - Fix typo in various lesson documentations
2022-08-30 22:21:22 +02:00
Àngel Ollé Blázquez
50f932b02e
Renamed to webwolfintroduction
2022-07-31 22:39:21 +02:00