dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,464 Commits 11 Branches 78 Tags
Commit Graph

2464 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Nanne Baars
b3840e60e3 Fix lessons 2020-03-10 08:03:48 +01:00
Nanne Baars
3ece45b3d4 Fix for not passing the content-type 2020-03-10 08:03:48 +01:00
Nanne Baars
6b7678fb1d Remove old files 2020-03-10 08:03:48 +01:00
Nanne Baars
6c25cf8e43 Add path traversal lesson 2020-03-10 08:03:48 +01:00
Tiago Mussi
c4c28f544f Fixed CSRF broken links. 2020-03-06 17:15:10 +01:00
René Zubcevic
3b050a856a tested solution with unit test and verfied with lesson 5 on ie 2020-02-28 23:11:29 +01:00
René Zubcevic
71d9c4b61a first steps 2020-02-28 23:11:29 +01:00
René Zubcevic
a8118a14cd add support for status 403 feedback from e.g. ModSecurity/CRS 2020-02-28 23:06:42 +01:00
René Zubcevic
5f3dff4921
added notes on salted hash (#758) 2020-02-27 07:20:58 +01:00
August Detlefsen
208aa42fdb
relax detection regex (#757) 
Allow for content before and after the script; Allow optional semicolon
 2020-02-20 20:00:07 +01:00
Jonathan Thompson
cd3fb8040f
Typo and grammar corrections for the crypto lessons (#756) 
* Correct typos and grammar errors.

* Revert one grammar change
 2020-02-09 08:00:08 +01:00
Dan Muller
9d5fa6f4ef
Correct typos and clarify language in signing.adoc (#754) 
Some of the changes correct simple misspellings. Some are intended to clarify or simplify the language.
 2020-01-30 14:01:42 +01:00
René Zubcevic
6797033a09
restored pom removal (#753) 2020-01-25 18:18:06 +01:00
René Zubcevic
9eee726eb5
All in one docker (#749) 
* all-in-one Dockerfile preparations

* some cleanup

* add to main pom and add links in index.html

* updated deploy script from build pipeline

* additional line feed just in case
 2020-01-25 17:54:24 +01:00
René Zubcevic
4e371b63d0
suppressing some useless log messages and banners in unit tests (#752) 
* suppressing some useless log messages and banners in unit tests

* some more log suppressed
 2020-01-25 12:11:45 +01:00
Nanne Baars
edd6b7d7cf Reset lesson bug (#741) 
* Remove old code from UI

* Remove old code

* Remove old functions

* Remove unnecessary divs

* Remove logging to console

* Clear lesson messages (checkmark, output text etc) when lesson resets
 2020-01-05 20:22:50 +01:00
Nanne Baars
5de82c0a06 Fix link to XStream blog which no longer exists (#740) 2020-01-05 19:48:40 +01:00
Nanne Baars
71f2d2968f Fix NPE when request does not contain parameter (#739) 2020-01-05 15:14:53 +01:00
Nanne Baars
0d7daf60d9 Fix broken e-mail link (#738) 2020-01-05 15:05:51 +01:00
René Zubcevic
bb80e11665
dockerfile and compose changes (#737) 
* dockerfile and compose changes

* adjusted link
 2019-12-27 20:32:35 +01:00
Nanne Baars
8088465652 Move and remove unneccessary pom dependencies (#736) 2019-12-24 16:14:36 +01:00
Nanne Baars
035c8662d4 Revert "Bump xstream from 1.4.5 to 1.4.6 in /webgoat-lessons" 
This reverts commit a831d949b25b0da599a8e71518f52b7889fc982a.
 2019-12-23 17:14:20 +01:00
dependabot[bot]
a831d949b2 Bump xstream from 1.4.5 to 1.4.6 in /webgoat-lessons 
Bumps xstream from 1.4.5 to 1.4.6.

Signed-off-by: dependabot[bot] <support@github.com>
 2019-12-23 17:12:31 +01:00
torleif
4c45a1e68c This lesson is intended to show the dangers of outdated software. However in version 1.4.7 the vulnerability is fixed! In 1.4.5 it is still present, so I suggest this downgrade. It is tested and works as intended, just as 1.4.7 does not. 2019-12-23 17:09:46 +01:00
René Zubcevic
f79ad452d2 password reset support for using www.webwolf.local 2019-12-23 17:08:33 +01:00
René Zubcevic
59076fc9ef adjusted WebWolfMacro 2019-12-23 17:08:33 +01:00
René Zubcevic
b6aa677594
Zap 8 update for proxy lesson (#718) 
* additional steps in proxy setup added

* lessons checked

* added page on https proxy and burp proxy
 2019-12-10 12:14:21 +01:00
thegoodcrumpets
681a20a7c3 In the migration to Spring 2, this method lost its get mapping to the IDOR/profile url,breaking the javascript call to that address. (#720) 
thanks!
 2019-12-04 12:21:19 +01:00
René Zubcevic
c5ec2d40a1
updates docker image name (#717) 2019-11-26 18:12:06 +01:00
René Zubcevic
b5e5dd1d13
Crypto lesson (#712) 
* crypto lesson added

* signing assignment

* integration test added for signing assignment

* added more hints

* corrections after rebase

* added some explanation

* added security defaults assignment
 2019-11-23 21:52:14 +01:00
Nanne Baars
9c0b7f8233 Fix version substitution so WebGot home directory contains version number instead of @project.version@ in the name (#710) 2019-11-17 14:33:24 +01:00
Nanne Baars
5dd6b31905 Adjust lesson template (#704) 
* Remove method `getId()` from all lessons as it defaults to the class name

* remove clean up endpoint

* remove unused class `RequestParameter`

* remove unused class `PluginLoadingFailure`

* Move `CourseConfiguration` to lesson package

* Add more content around the lesson template lesson and make it visible as a lesson in WebGoat

* Remove explicit invocation `trackProgress()` inside WebGoat framework so assignments only need to return an `AttackResult`

* Put original solution back as well for SQL string injection

* review comments

* Add
 2019-11-17 13:39:56 +01:00
Nanne Baars
f40b6ffd31 Moving back to snapshot 2019-11-13 12:27:26 +01:00
Nanne Baars
7313fc6c08 Merge branch 'release/v8.0.0.M26' into develop 2019-11-12 09:33:05 +01:00
Nanne Baars
fe2ac1b8d4 New release, updating pom.xml 2019-11-12 09:22:45 +01:00
Nanne Baars
ba74898441 Add JavaScript to assignment otherwise you will not be able to see the flow of the endpoint 2019-11-12 09:12:37 +01:00
Nanne Baars
1d477bd0e8 Rename endpoint in JavaScript as backend call uses different endpoint 2019-11-12 09:12:37 +01:00
Nanne Baars
48b604d6d9 Enable salaries again as rest controller 2019-11-12 09:12:37 +01:00
Rene Zubcevic
2ab8a838c3 update JRE and milestone version to latest 2019-11-11 22:03:20 +01:00
Nanne Baars
e07a2aff48 Fix mistake the SQL exception should be throws otherwise users cannot see the table name (servers) makes it impossible to 
solve the assignment. Add explicit test for this to guard against future mistakes
 2019-11-11 21:17:51 +01:00
Nanne Baars
7d48427d4f Integrate ZAP 2.8.0 (no HUB) as the setup is different also update the filtering as usual ZAP exclusion is again broken 2019-11-11 21:17:51 +01:00
Nanne Baars
d8844216cc Add solution for Firefox no longer proxying localhost at all 2019-11-11 10:38:25 +01:00
Nanne Baars
ab3cd118c9 Explicitly set Maven repo to https 2019-11-11 10:38:05 +01:00
Cotonne
8da4342430 Improve readability of query (#685) 
thanks! and do not forget to clean your .webgoat... local db related files
 2019-11-04 13:28:35 +01:00
Nanne Baars
ddf6ac9bdb Improve handling of missing parameters, now returns HTTP/401 (#698) 2019-11-03 18:27:03 +01:00
Nanne Baars
f7b794bf68 Race condition in counting number of attempts #567 (#697) 
Add version to Hibernate mapping so we get optimistic locking this solves
number of parallel calls trying to update/guess and mess with the lesson
counter
 2019-11-03 18:14:15 +01:00
Nanne Baars
1a83e2825e Code style (#696) 
* Remove Guava dependency from WebGoat

* Add Checkstyle to the project with very basic standards so we have a
style across lessons. It does not interfere with basic Intellij formatting
 2019-11-03 18:11:09 +01:00
Philippe Lafoucrière
66bd1d8c1a Remove obsolete methods 
As there were removed also in e8d086ac9b (diff-98a46e7f04c7a2dd03d59046076aac5bL40)
 2019-10-30 08:28:42 +01:00
Philippe Lafoucrière
531db87876 Fix CommandInjection java files 
Avoid these compilation errors:

```
[INFO] -------------------------------------------------------------
[ERROR] COMPILATION ERROR :
[INFO] -------------------------------------------------------------
[ERROR] /tmp/app/webgoat-lessons/command-injection/src/main/java/org/owasp/webgoat/plugin/CommandInjectionExecute.java:[47,8] class HttpBasicsInterceptRequest is public, should be declared in a file named HttpBasicsInterceptRequest.java
[ERROR] /tmp/app/webgoat-lessons/command-injection/src/main/java/org/owasp/webgoat/plugin/CommandInjection.java:[38,8] class HttpProxies is public, should be declared in a file named HttpProxies.java
[ERROR] /tmp/app/webgoat-lessons/command-injection/src/main/java/org/owasp/webgoat/plugin/CommandInjection.java:[5,33] cannot find symbol
  symbol:   class AbstractLesson
  location: package org.owasp.webgoat.lessons
[ERROR] /tmp/app/webgoat-lessons/command-injection/src/main/java/org/owasp/webgoat/plugin/CommandInjection.java:[38,34] cannot find symbol
  symbol: class AbstractLesson
[ERROR] /tmp/app/webgoat-lessons/command-injection/src/main/java/org/owasp/webgoat/plugin/CommandInjection.java:[39,5] method does not override or implement a method from a supertype
[ERROR] /tmp/app/webgoat-lessons/command-injection/src/main/java/org/owasp/webgoat/plugin/CommandInjection.java:[44,5] method does not override or implement a method from a supertype
[ERROR] /tmp/app/webgoat-lessons/command-injection/src/main/java/org/owasp/webgoat/plugin/CommandInjection.java:[49,5] method does not override or implement a method from a supertype
[ERROR] /tmp/app/webgoat-lessons/command-injection/src/main/java/org/owasp/webgoat/plugin/CommandInjection.java:[54,5] method does not override or implement a method from a supertype
[ERROR] /tmp/app/webgoat-lessons/command-injection/src/main/java/org/owasp/webgoat/plugin/CommandInjection.java:[59,5] method does not override or implement a method from a supertype
[INFO] 9 errors
[INFO] -------------------------------------------------------------
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  4.356 s
[INFO] Finished at: 2019-10-19T21:13:03Z
[INFO] ------------------------------------------------------------------------
```
 2019-10-30 08:28:42 +01:00
Philippe Lafoucrière
cac5985873 Fix command-injection pom.xml 2019-10-30 08:28:42 +01:00