561fb1f7f4
Build matrix for building
2020-04-19 15:42:50 +02:00
3b7481c2a7
Update method signature
2020-04-19 15:42:50 +02:00
f1768bd9a5
small update
2020-04-19 15:42:50 +02:00
407e19638f
Add two more assignments for SQL injection where only filtering is applied.
2020-04-19 15:42:50 +02:00
122cc323f2
Changed the order of explanation of setting up ZAP/Burp a bit (feedback from workshop). This makes the necessary steps more explicit by moving all extra configuration for https etc to the back. So when you follow the lesson you will only setup the minimal and not get confused about things which are only necessary in certain cases
2020-04-19 15:42:50 +02:00
9509993a8f
all tests complete for Password Reset ( #785 )
2020-04-17 15:54:24 +02:00
25e66ae412
use of script console in stead of browser address bar
2020-04-17 15:33:26 +02:00
089952e9ad
quiz fix for CIA, SQL Injection Advanced and XSS + XSS description
...
change in alert(document.cookie)
2020-04-17 15:33:26 +02:00
efc5a870a0
Path traversal windows unittest fix ( #780 )
...
* fixes to support windows and linux/unix/mac
* fix in matcher
2020-04-14 16:13:43 +02:00
0638cae6e5
corrected hints and improved error handling base64 ( #781 )
2020-04-14 16:13:25 +02:00
b8abc99faf
fix for scoreboard after js refactoring
2020-04-08 12:05:01 +02:00
e921fb66a9
actual working version of vulnerable components part 5
2020-04-08 12:05:01 +02:00
e25f7a7560
clean up and update js
2020-04-08 12:05:01 +02:00
c4ae9ae2ab
migrate to JUnit 5 code
2020-04-06 16:02:15 +02:00
c4153ecbfb
Maven owasp dep update ( #776 )
...
* add pmd and owasp dependency check through -P owasp profile
* suppress full stack trace in log
* revert to spring 2.2.0 as 2.2.4 failed in travis
* added owasp dependency check maven configuration details to vulenerable
lesson page 7
2020-04-06 16:01:09 +02:00
bb6d06713f
Fix failing test
2020-03-10 08:03:48 +01:00
14022d88c9
Last assignment now filters out .. and / so encoding plays a role now
2020-03-10 08:03:48 +01:00
d4966b5e71
Fix test cases
2020-03-10 08:03:48 +01:00
b3840e60e3
Fix lessons
2020-03-10 08:03:48 +01:00
3ece45b3d4
Fix for not passing the content-type
2020-03-10 08:03:48 +01:00
6b7678fb1d
Remove old files
2020-03-10 08:03:48 +01:00
6c25cf8e43
Add path traversal lesson
2020-03-10 08:03:48 +01:00
c4c28f544f
Fixed CSRF broken links.
2020-03-06 17:15:10 +01:00
3b050a856a
tested solution with unit test and verfied with lesson 5 on ie
2020-02-28 23:11:29 +01:00
71d9c4b61a
first steps
2020-02-28 23:11:29 +01:00
a8118a14cd
add support for status 403 feedback from e.g. ModSecurity/CRS
2020-02-28 23:06:42 +01:00
5f3dff4921
added notes on salted hash ( #758 )
2020-02-27 07:20:58 +01:00
208aa42fdb
relax detection regex ( #757 )
...
Allow for content before and after the script; Allow optional semicolon
2020-02-20 20:00:07 +01:00
cd3fb8040f
Typo and grammar corrections for the crypto lessons ( #756 )
...
* Correct typos and grammar errors.
* Revert one grammar change
2020-02-09 08:00:08 +01:00
9d5fa6f4ef
Correct typos and clarify language in signing.adoc ( #754 )
...
Some of the changes correct simple misspellings. Some are intended to clarify or simplify the language.
2020-01-30 14:01:42 +01:00
6797033a09
restored pom removal ( #753 )
2020-01-25 18:18:06 +01:00
9eee726eb5
All in one docker ( #749 )
...
* all-in-one Dockerfile preparations
* some cleanup
* add to main pom and add links in index.html
* updated deploy script from build pipeline
* additional line feed just in case
2020-01-25 17:54:24 +01:00
4e371b63d0
suppressing some useless log messages and banners in unit tests ( #752 )
...
* suppressing some useless log messages and banners in unit tests
* some more log suppressed
2020-01-25 12:11:45 +01:00
edd6b7d7cf
Reset lesson bug ( #741 )
...
* Remove old code from UI
* Remove old code
* Remove old functions
* Remove unnecessary divs
* Remove logging to console
* Clear lesson messages (checkmark, output text etc) when lesson resets
2020-01-05 20:22:50 +01:00
5de82c0a06
Fix link to XStream blog which no longer exists ( #740 )
2020-01-05 19:48:40 +01:00
71f2d2968f
Fix NPE when request does not contain parameter ( #739 )
2020-01-05 15:14:53 +01:00
0d7daf60d9
Fix broken e-mail link ( #738 )
2020-01-05 15:05:51 +01:00
bb80e11665
dockerfile and compose changes ( #737 )
...
* dockerfile and compose changes
* adjusted link
2019-12-27 20:32:35 +01:00
8088465652
Move and remove unneccessary pom dependencies ( #736 )
2019-12-24 16:14:36 +01:00
035c8662d4
Revert "Bump xstream from 1.4.5 to 1.4.6 in /webgoat-lessons"
...
This reverts commit a831d949b2
2019-12-23 17:14:20 +01:00
a831d949b2
Bump xstream from 1.4.5 to 1.4.6 in /webgoat-lessons
...
Bumps xstream from 1.4.5 to 1.4.6.
Signed-off-by: dependabot[bot] <support@github.com >
2019-12-23 17:12:31 +01:00
4c45a1e68c
This lesson is intended to show the dangers of outdated software. However in version 1.4.7 the vulnerability is fixed! In 1.4.5 it is still present, so I suggest this downgrade. It is tested and works as intended, just as 1.4.7 does not.
2019-12-23 17:09:46 +01:00
f79ad452d2
password reset support for using www.webwolf.local
2019-12-23 17:08:33 +01:00
59076fc9ef
adjusted WebWolfMacro
2019-12-23 17:08:33 +01:00
b6aa677594
Zap 8 update for proxy lesson ( #718 )
...
* additional steps in proxy setup added
* lessons checked
* added page on https proxy and burp proxy
2019-12-10 12:14:21 +01:00
681a20a7c3
In the migration to Spring 2, this method lost its get mapping to the IDOR/profile url,breaking the javascript call to that address. ( #720 )
...
thanks!
2019-12-04 12:21:19 +01:00
c5ec2d40a1
updates docker image name ( #717 )
2019-11-26 18:12:06 +01:00
b5e5dd1d13
Crypto lesson ( #712 )
...
* crypto lesson added
* signing assignment
* integration test added for signing assignment
* added more hints
* corrections after rebase
* added some explanation
* added security defaults assignment
2019-11-23 21:52:14 +01:00
9c0b7f8233
Fix version substitution so WebGot home directory contains version number instead of @project.version@ in the name ( #710 )
2019-11-17 14:33:24 +01:00
5dd6b31905
Adjust lesson template ( #704 )
...
* Remove method `getId()` from all lessons as it defaults to the class name
* remove clean up endpoint
* remove unused class `RequestParameter`
* remove unused class `PluginLoadingFailure`
* Move `CourseConfiguration` to lesson package
* Add more content around the lesson template lesson and make it visible as a lesson in WebGoat
* Remove explicit invocation `trackProgress()` inside WebGoat framework so assignments only need to return an `AttackResult`
* Put original solution back as well for SQL string injection
* review comments
* Add
2019-11-17 13:39:56 +01:00
