Commit Graph

413 Commits

Author SHA1 Message Date
8b324b3954 chore: comment out script generation ()
Not necessary to have this enabled while running WebGoat. Only helpful for development.
2025-05-05 20:17:09 +02:00
fc6c61397d set the browser language to pass the playwright tests if default lang of browser is not en () 2025-04-18 12:48:34 +02:00
f45bf6171b fix: remove mailing list references () 2025-04-02 07:22:38 +02:00
b3dec8bdc9 fix: challenge introduction page loads () 2025-03-31 22:49:26 +02:00
c3f9158eab chore: text cleanup 2025-03-31 21:38:33 +02:00
ec3b9e8aaf chore: update Java version in README ()
Closes: gh-2072

* chore: add Maven wrapper jar file

This way we don't download it every time from a Maven repository, saving some bandwidth.

* chore: remove @authors tag
2025-03-31 21:05:15 +02:00
8cd0b0a8c9 resolve the url for the developer tools network () 2025-03-29 15:59:09 +01:00
72c09f7240 update the sql mitigation lessons 9 and 10 to contain the correct urls () 2025-03-21 14:15:19 +01:00
95136c9930 chore: update about page () 2025-03-12 06:59:01 +01:00
23d6fe6f36 fix: correct number of solved assignments in report card ()
* fix: correct number of solved assignments in report card

Filter the list of assignments to accurately count the number of solved assignments.

Closes: gh-2063

* chore: remove scoreboard code

This was added when we ran a CTF challenge during OWASP AppSecEU in 2017. We can remove this code.

Closes: gh-2064
2025-03-11 22:57:49 +01:00
e2f80b18e2 fix: rewrite questions ()
Closes: gh-1178
2025-03-11 20:05:35 +01:00
641f24df9d fix: update filtering internal endpoints in ZAP () 2025-03-08 12:40:09 +01:00
e9f79cc739 fix: SQL advanced assignment 5 ()
- Add and show correct hints
- Fix solving the lesson immediately when you register as tom. Now uses `informationMessage` to display a message in the UI
- Add Playwright test

Closes: gh-2045
2025-03-02 20:31:05 +01:00
16b7a13de8 chore: add test case for multiple users solving lessons () 2025-02-28 20:56:15 +01:00
95dcc56a19 fix: register user while already logged in as other user. () 2025-02-28 20:56:00 +01:00
55bd0a49db chore: cleanup IT tests () 2025-02-28 18:39:23 +01:00
c3c520f487 refactor: small updates and improvements in HTTP Basic lesson ()
* refactor: cleanup attack result and builder

* refactor: solve compiler warnings

* feature: improve HTTP basics lesson

Closes: 
2025-02-18 14:26:21 +01:00
00f3538be2 chore: format all code according to SPDX () 2025-02-16 19:48:05 +01:00
2a5b4385ea chore: bump com.diffplug.spotless:spotless-maven-plugin ()
Bumps [com.diffplug.spotless:spotless-maven-plugin](https://github.com/diffplug/spotless) from 2.41.1 to 2.44.2.
- [Release notes](https://github.com/diffplug/spotless/releases)
- [Changelog](https://github.com/diffplug/spotless/blob/main/CHANGES.md)
- [Commits](https://github.com/diffplug/spotless/compare/maven/2.41.1...maven/2.44.2)

---
updated-dependencies:
- dependency-name: com.diffplug.spotless:spotless-maven-plugin
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-02-15 19:52:40 +01:00
9c90a24cc0 docs(CSRFFeedback.java): fixed one invalid solution about CSRF attack ()
Co-authored-by: HackHuang <GoogTech@outlook.com>
Co-authored-by: HackHuang <hi@goog.tech>
2025-01-26 20:23:40 +01:00
8e45316638 feat: Introduce Playwright for UI testing
Instead of using Robot Framework, which does not run during a `mvn install`, Playwright seems to be the better approach. We can now write them as normal JUnit tests and they are executed during a build.

Additionally, this PR solves some interesting bugs found during writing Playwright tests:

- A reset of a lesson removes all assignments; as a result, another user wouldn't see any assignments.
- If someone solved an assignment, the assignment automatically got solved for a new user, since the assignment included the `solved` flag, which immediately got copied to new lesson progress.
- Introduction of assignment progress, linking an assignment not directly to all users.
2025-01-26 16:59:59 +01:00
112ca3ab22 fix: enable resource patterns again ()
`LessonScanner.java` got removed by mistake.

Closes: gh-1992
2024-12-21 18:47:30 +01:00
a95213757d chore: bump org.springframework.boot:spring-boot-starter-parent from 3.3.5 to 3.4.0 () 2024-12-16 20:16:10 +01:00
4f8652758c refactor: remove unused code () 2024-12-15 13:06:49 +01:00
5fc2e0602c refactor: move plugin messages () 2024-12-03 22:13:44 +01:00
51e3f59054 fix: Hint labels showing default text regardless of localization () 2024-11-26 23:34:09 +01:00
d8100385b6 fix: automatically solve XSS mitigation ()
This PR moves the mitigation Java class into the correct package.

The lesson was automatically solved because no assignments were found.

Closes: 
2024-11-14 08:42:55 +01:00
4880afa0e3 fix: remove implicit context path guessing ()
Pass the context-path in the assignment overview so the frontend can easily match an assignment.
2024-11-13 21:32:28 +01:00
e1e00bca73 fix: JWT kid/jku lessons ()
* refactor: rewrite hints

Use active voice and fix grammar issues.

* fix: use Thymeleaf `th:action`

* fix: JWT kid/jku lessons

Split the JavaScript into two files; they pointed to the same URL.

The JWTs are now valid; they parse successfully.

The paths now include `/kid` and `/jku` to make sure the hints match accordingly in the UI. Otherwise `/delete` would pick up both hints from both assignments as the paths overlap.

Closes: 

* fix: update to latest pre-commit version

* fix: increase timeouts for server to start during integration tests
2024-11-07 15:45:33 +01:00
d59153d6d7 Fix password reset lesson ()
* docs: improve text

* fix: use correct POST url
2024-10-29 17:32:51 +01:00
4efaf87c7e Fix passing command line arguments ()
* fix: use banners correctly

* fix: passing command line arguments

Since we already have `webwolf.port`, it makes sense to also define `webwolf.port` explicitly and not rely on `server.port`.

Closes: 
2024-10-27 08:39:02 +01:00
cf5101a633 chore: bump org.asciidoctor:asciidoctorj from 2.5.13 to 3.0.0 () 2024-10-26 22:53:43 +02:00
3f049ba53a Nbaars/1886 ()
* improved code readability

* chore: format code

---------

Co-authored-by: guilherme peixoto <peixoto-guilherme7@hotmail.com>
2024-10-26 22:18:28 +02:00
d08a56d351 chore: add test for solving same lesson as different user. ()
We removed the constraint but did not add an extra testcase to cover this bug.

Closes: 
2024-10-26 12:06:30 +02:00
ab068901f1 Remove WebGoat session object ()
* refactor: modernize code

* refactor: move to Tomcat

* chore: bump to Spring Boot 3.3.3

* refactor: use Testcontainers to run integration tests

* refactor: lesson/assignment progress

* chore: format code

* refactor: first step into removing base class for assignment

It has always been a bit of an ugly construction, as none of the dependencies are clear. The constructors are hidden due to autowiring the base class. This PR removes two of the fields.

As a bonus we now wire the authentication principal directly in the controllers.

* refactor: use authentication principal directly.

* refactor: pass lesson to the endpoints

No more need to get the current lesson set in a session. The lesson is now passed to the endpoints.

* fix: Testcontainers cannot run on Windows host in GitHub Actions.

Since we have Windows-specific paths, let's run it standalone for now. We need to run these tests on Docker as well (for now disabled).
2024-10-26 10:54:21 +02:00
cb7c508046 fix: reset form and quiz color on reset lesson ()
* ./mvnw spotless:apply

```
[INFO] --- spotless-maven-plugin:2.41.1:apply (default-cli) @ webgoat ---
[INFO] Writing clean file: /home/ulyssa/labs/WebGoat/WebGoat-bb6e84d/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5a.java
```

* On reset lesson: reset form and quizzes colors
2024-10-26 09:22:18 +02:00
cf2c115093 fix: xss lesson typo 2024-10-18 22:38:32 +02:00
58b762eade fix: copying file using transferTo sometimes fails. ()
Turns out that using this method sometimes fails with an exception about being unable to delete a directory.
The stacktrace points to:

```
java.nio.file.FileSystemException: /tmp/webwolf-fileserver/dumbanddummer/xxe_a11.dtd: Not a directory
        at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:100) ~[na:na]
        at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106) ~[na:na]
        at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111) ~[na:na]
        at java.base/sun.nio.fs.UnixFileSystemProvider.implDelete(UnixFileSystemProvider.java:248) ~[na:na]
        at java.base/sun.nio.fs.AbstractFileSystemProvider.deleteIfExists(AbstractFileSystemProvider.java:110) ~[na:na]
        at java.base/java.nio.file.Files.deleteIfExists(Files.java:1191) ~[na:na]
        at java.base/java.nio.file.Files.copy(Files.java:3147) ~[na:na]
        at io.undertow.server.handlers.form.FormData$FileItem.write(FormData.java:274) ~[undertow-core-2.3.10.Final.jar!/:2.3.10.Final]
        at io.undertow.servlet.spec.PartImpl.write(PartImpl.java:119) ~[undertow-servlet-2.3.10.Final.jar!/:2.3.10.Final]
        at org.springframework.web.multipart.support.StandardMultipartHttpServletRequest$StandardMultipartFile.transferTo(StandardMultipartHttpServletRequest.java:254) ~[spring-web-6.0.13.jar!/:6.0.13]
        at org.owasp.webgoat.webwolf.FileServer.importFile(FileServer.java:89)
```

It has to do with the underlying implementation in Undertow. An explanation can be found here: https://stackoverflow.com/questions/60336929/java-nio-file-nosuchfileexception-when-file-transferto-is-called

The solution is to take the input stream and use a simple `Files.copy()` to copy the file.

Closes: 
2024-07-28 17:47:30 +02:00
2b0c22ac68 Small improvements ()
* refactor: remove CORS

* improvement: add healthcheck to Docker file
2024-07-23 17:42:56 +02:00
a0b6decf34 Fix report card ()
* fix: report card

Fix and simplify calculation of the number of assignments a user solved.
Rename `UserTracker` to `UserProgress`.
Rename `LessonTracker` to `LessonProgress`.
Rename tables in database.
2024-07-09 20:07:09 +02:00
3134f18066 fix: Success if only Smith earn most salary ()
* Update labels

* Update Java

* Update Test

---------

Co-authored-by: René Zubcevic <rene@zubcevic.com>
2024-06-01 10:50:38 +02:00
e219887f14 docs: Update HttpBasics_plan.adoc - fix broken link to https://www.zaproxy.org/ ()
fix broken link OWASP ZAP - https://www.zaproxy.org/

Co-authored-by: René Zubcevic <rene@zubcevic.com>
2024-06-01 10:45:12 +02:00
4ab820e1d1 feat: move CSRF to A3 ()
CSRF is part of security misconfiguration in the OWASP Top 10.
2024-03-21 20:50:37 +01:00
62931a1836 feature: enable CORS configuration () 2024-03-17 10:55:27 +01:00
57d5b313b9 Fix typo in SQLi blind case 2024-02-10 16:02:35 +01:00
dd0f135088 fix(quiz): use $ instead of jQuery which is undefined ()
Fixes: 

Signed-off-by: cap-dev0x <158111888+cap-dev0x@users.noreply.github.com>
2024-02-05 14:30:01 +01:00
4ebb869f5d Fix hidden links in MissingFunctionAC.html. () 2023-12-29 15:01:35 +01:00
6bb7a182dc Fix typos in texts. 2023-12-14 23:00:59 +01:00
cb2c99d38d Improve texts to avoid confusion. 2023-12-14 22:54:20 +01:00
17acef57b4 chore: add pre-commit hooks
2023-12-06 17:16:24 +01:00