dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: dubey:gh-1329
Branches Tags
dubey:main dubey:nbaars/refactor-plugin-message dubey:nbaars/1873 dubey:nbaars/build dubey:lang-es dubey:gh-1165 dubey:gh-1329 dubey:develop dubey:label-hint-tests dubey:helm-webgoat dubey:helm
dubey:v2025.3 dubey:v2025.2 dubey:v2025.1 dubey:v2025.0 dubey:v2023.8 dubey:v2023.7 dubey:v2023.6 dubey:v2023.5 dubey:v2023.4 dubey:v2023.04 dubey:v2023.3 dubey:v2023.2 dubey:v2023.1 dubey:v2023.0 dubey:v8.2.2 dubey:v8.2.1 dubey:v8.2.0 dubey:vtest10 dubey:vtest9 dubey:vtest8 dubey:vtest7 dubey:vtest6 dubey:vtest5 dubey:vtest4 dubey:vtest3 dubey:vtest2 dubey:vtest1 dubey:vtest dubey:test-v19 dubey:test-v18 dubey:test-v17 dubey:test-v16 dubey:test-v15 dubey:test-v14 dubey:test-v13 dubey:test-v12 dubey:test-v11 dubey:test-v10 dubey:test-v9 dubey:test-v8 dubey:test-v7 dubey:test-v6 dubey:test-v5 dubey:test-v4 dubey:test-v3 dubey:test-v2 dubey:test-v1.0 dubey:v8.1.0 dubey:v8.0.0.M26 dubey:v8.0.0.M25 dubey:v8.0.0.M24 dubey:v8.0.0.M23 dubey:v8.0.0.M22 dubey:v8.0.0.M21 dubey:v8.0.0.M20 dubey:v8.0.0.M19 dubey:v8.0.0.M18 dubey:v8.0.0.M17 dubey:v8.0.0.M16 dubey:v8.0.0 dubey:v8.0.0.M15 dubey:v8.0.0.M14 dubey:v8.0.0.M13 dubey:v8.0.0.M12 dubey:v8.0.0.M11 dubey:v8.0.0.M10 dubey:v8.0.0.M9 dubey:v8.0.0.M8 dubey:8.0.0 dubey:v8.0.0.M7 dubey:v8.0.0.M6 dubey:v8.0.0.M5 dubey:v8.0.0.M4 dubey:v8.0.0.M3 dubey:v8.0.0.M2 dubey:v8.0.0.M1 dubey:7.1 dubey:7.0.1
..
compare: dubey:v2023.04
Branches Tags
dubey:main dubey:nbaars/refactor-plugin-message dubey:nbaars/1873 dubey:nbaars/build dubey:lang-es dubey:gh-1165 dubey:gh-1329 dubey:develop dubey:label-hint-tests dubey:helm-webgoat dubey:helm
dubey:v2025.3 dubey:v2025.2 dubey:v2025.1 dubey:v2025.0 dubey:v2023.8 dubey:v2023.7 dubey:v2023.6 dubey:v2023.5 dubey:v2023.4 dubey:v2023.04 dubey:v2023.3 dubey:v2023.2 dubey:v2023.1 dubey:v2023.0 dubey:v8.2.2 dubey:v8.2.1 dubey:v8.2.0 dubey:vtest10 dubey:vtest9 dubey:vtest8 dubey:vtest7 dubey:vtest6 dubey:vtest5 dubey:vtest4 dubey:vtest3 dubey:vtest2 dubey:vtest1 dubey:vtest dubey:test-v19 dubey:test-v18 dubey:test-v17 dubey:test-v16 dubey:test-v15 dubey:test-v14 dubey:test-v13 dubey:test-v12 dubey:test-v11 dubey:test-v10 dubey:test-v9 dubey:test-v8 dubey:test-v7 dubey:test-v6 dubey:test-v5 dubey:test-v4 dubey:test-v3 dubey:test-v2 dubey:test-v1.0 dubey:v8.1.0 dubey:v8.0.0.M26 dubey:v8.0.0.M25 dubey:v8.0.0.M24 dubey:v8.0.0.M23 dubey:v8.0.0.M22 dubey:v8.0.0.M21 dubey:v8.0.0.M20 dubey:v8.0.0.M19 dubey:v8.0.0.M18 dubey:v8.0.0.M17 dubey:v8.0.0.M16 dubey:v8.0.0 dubey:v8.0.0.M15 dubey:v8.0.0.M14 dubey:v8.0.0.M13 dubey:v8.0.0.M12 dubey:v8.0.0.M11 dubey:v8.0.0.M10 dubey:v8.0.0.M9 dubey:v8.0.0.M8 dubey:8.0.0 dubey:v8.0.0.M7 dubey:v8.0.0.M6 dubey:v8.0.0.M5 dubey:v8.0.0.M4 dubey:v8.0.0.M3 dubey:v8.0.0.M2 dubey:v8.0.0.M1 dubey:7.1 dubey:7.0.1

1 Commits
gh-1329 ... v2023.04

Author SHA1 Message Date
Nanne Baars
5ef865a54b chore: release version 2023.4 2023-02-17 13:07:22 +01:00
149 changed files with 669 additions and 1010 deletions
Expand all files Collapse all files

12
.github/dependabot.yml vendored
View File

@ -1,15 +1,7 @@
version: 2 version: 2
updates: updates:
# Maintain dependencies for GitHub Actions
- package-ecosystem: "github-actions" - package-ecosystem: "github-actions"
directory: "/" directory: "/"
schedule: schedule:
interval: "weekly" interval: "daily"
- package-ecosystem: "maven"
directory: "/"
schedule:
interval: "weekly"
- package-ecosystem: "docker"
directory: "/"
schedule:
interval: "weekly"

6
.github/workflows/build.yml vendored
View File

@ -27,7 +27,7 @@ jobs:
java-version: 17 java-version: 17
architecture: x64 architecture: x64
- name: Cache Maven packages - name: Cache Maven packages
uses: actions/cache@v3.3.1 uses: actions/cache@v3.2.5
with: with:
path: ~/.m2 path: ~/.m2
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
@ -42,7 +42,7 @@ jobs:
uses: docker/setup-buildx-action@v2 uses: docker/setup-buildx-action@v2
- name: "Verify Docker WebGoat build" - name: "Verify Docker WebGoat build"
if: runner.os == 'Linux' if: runner.os == 'Linux'
uses: docker/build-push-action@v4.1.0 uses: docker/build-push-action@v4.0.0
with: with:
context: ./ context: ./
file: ./Dockerfile file: ./Dockerfile
@ -50,7 +50,7 @@ jobs:
build-args: | build-args: |
webgoat_version=${{ env.WEBGOAT_MAVEN_VERSION }} webgoat_version=${{ env.WEBGOAT_MAVEN_VERSION }}
- name: "Verify Docker WebGoat desktop build" - name: "Verify Docker WebGoat desktop build"
uses: docker/build-push-action@v4.1.0 uses: docker/build-push-action@v4.0.0
if: runner.os == 'Linux' if: runner.os == 'Linux'
with: with:
context: ./ context: ./

11
.github/workflows/release.yml vendored
View File

@ -21,7 +21,7 @@ jobs:
architecture: x64 architecture: x64
- name: Cache Maven packages - name: Cache Maven packages
uses: actions/cache@v3.3.1 uses: actions/cache@v3.2.5
with: with:
path: ~/.m2 path: ~/.m2
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
@ -80,13 +80,13 @@ jobs:
uses: docker/setup-buildx-action@v2 uses: docker/setup-buildx-action@v2
- name: "Login to dockerhub" - name: "Login to dockerhub"
uses: docker/login-action@v2.2.0 uses: docker/login-action@v2.1.0
with: with:
username: ${{ secrets.DOCKERHUB_USERNAME }} username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }} password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: "Build and push WebGoat" - name: "Build and push WebGoat"
uses: docker/build-push-action@v4.1.0 uses: docker/build-push-action@v4.0.0
with: with:
context: ./ context: ./
file: ./Dockerfile file: ./Dockerfile
@ -99,12 +99,12 @@ jobs:
webgoat_version=${{ env.WEBGOAT_MAVEN_VERSION }} webgoat_version=${{ env.WEBGOAT_MAVEN_VERSION }}
- name: "Build and push WebGoat desktop" - name: "Build and push WebGoat desktop"
uses: docker/build-push-action@v4.1.0 uses: docker/build-push-action@v4.0.0
with: with:
context: ./ context: ./
file: ./Dockerfile_desktop file: ./Dockerfile_desktop
push: true push: true
platforms: linux/amd64, linux/arm64 platforms: linux/amd64, linux/arm64, linux/arm/v7
tags: | tags: |
webgoat/webgoat-desktop:${{ env.WEBGOAT_TAG_VERSION }} webgoat/webgoat-desktop:${{ env.WEBGOAT_TAG_VERSION }}
webgoat/webgoat-desktop:latest webgoat/webgoat-desktop:latest
@ -123,7 +123,6 @@ jobs:
- name: Set up JDK 17 - name: Set up JDK 17
uses: actions/setup-java@v3 uses: actions/setup-java@v3
with: with:
distribution: 'temurin'
java-version: 17 java-version: 17
architecture: x64 architecture: x64

4
.github/workflows/test.yml vendored
View File

@ -37,7 +37,7 @@ jobs:
architecture: x64 architecture: x64
#Uses an action to set up a cache using a certain key based on the hash of the dependencies #Uses an action to set up a cache using a certain key based on the hash of the dependencies
- name: Cache Maven packages - name: Cache Maven packages
uses: actions/cache@v3.3.1 uses: actions/cache@v3.2.5
with: with:
path: ~/.m2 path: ~/.m2
key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }} key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
@ -48,8 +48,6 @@ jobs:
robotframework robotframework
robotframework-SeleniumLibrary robotframework-SeleniumLibrary
webdriver-manager webdriver-manager
selenium==4.9.1
# TODO https://github.com/robotframework/SeleniumLibrary/issues/1835
- name: Run with Maven - name: Run with Maven
run: mvn --no-transfer-progress spring-boot:run & run: mvn --no-transfer-progress spring-boot:run &
- name: Wait to start - name: Wait to start

14
CONTRIBUTING.md
View File

@ -3,7 +3,6 @@
[![GitHub contributors](https://img.shields.io/github/contributors/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/graphs/contributors) [![GitHub contributors](https://img.shields.io/github/contributors/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/graphs/contributors)
![GitHub issues by-label "help wanted"](https://img.shields.io/github/issues/WebGoat/WebGoat/help%20wanted.svg) ![GitHub issues by-label "help wanted"](https://img.shields.io/github/issues/WebGoat/WebGoat/help%20wanted.svg)
![GitHub issues by-label "good first issue"](https://img.shields.io/github/issues/WebGoat/WebGoat/good%20first%20issue.svg) ![GitHub issues by-label "good first issue"](https://img.shields.io/github/issues/WebGoat/WebGoat/good%20first%20issue.svg)
[![Conventional Commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-%23FE5196?logo=conventionalcommits&logoColor=white)](https://conventionalcommits.org)
This document describes how you can contribute to WebGoat. Please read it carefully. This document describes how you can contribute to WebGoat. Please read it carefully.
@ -42,19 +41,6 @@ Pull requests should be as small/atomic as possible. Large, wide-sweeping change
### Write a good commit message ### Write a good commit message
* We use [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) and use the following types:
- fix:
- feat:
- build:
- chore:
- ci:
- docs:
- refactor:
- test:
Using this style of commits makes it possible to create our release notes automatically.
* Explain why you make the changes. [More infos about a good commit message.](https://betterprogramming.pub/stop-writing-bad-commit-messages-8df79517177d) * Explain why you make the changes. [More infos about a good commit message.](https://betterprogramming.pub/stop-writing-bad-commit-messages-8df79517177d)
* If you fix an issue with your commit, please close the issue by [adding one of the keywords and the issue number](https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue) to your commit message. * If you fix an issue with your commit, please close the issue by [adding one of the keywords and the issue number](https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue) to your commit message.

1
CREATE_RELEASE.md
View File

@ -13,7 +13,6 @@ committers.
``` ```
mvn versions:set mvn versions:set
<< update release notes >> << update release notes >>
mvn verify
git commit .... git commit ....
git tag v2023.01 git tag v2023.01
git push --tags git push --tags

4
Dockerfile
View File

@ -1,4 +1,4 @@
FROM docker.io/eclipse-temurin:19-jre-focal FROM docker.io/eclipse-temurin:17-jre-focal
LABEL NAME = "WebGoat: A deliberately insecure Web Application" LABEL NAME = "WebGoat: A deliberately insecure Web Application"
MAINTAINER "WebGoat team" MAINTAINER "WebGoat team"
@ -27,8 +27,6 @@ ENTRYPOINT [ "java", \
"--add-opens", "java.base/sun.nio.ch=ALL-UNNAMED", \ "--add-opens", "java.base/sun.nio.ch=ALL-UNNAMED", \
"--add-opens", "java.base/java.io=ALL-UNNAMED", \ "--add-opens", "java.base/java.io=ALL-UNNAMED", \
"--add-opens", "java.base/java.util=ALL-UNNAMED", \ "--add-opens", "java.base/java.util=ALL-UNNAMED", \
"--add-opens", "java.base/sun.nio.ch=ALL-UNNAMED", \
"--add-opens", "java.base/java.io=ALL-UNNAMED", \
"-Drunning.in.docker=true", \ "-Drunning.in.docker=true", \
"-Dwebgoat.host=0.0.0.0", \ "-Dwebgoat.host=0.0.0.0", \
"-Dwebwolf.host=0.0.0.0", \ "-Dwebwolf.host=0.0.0.0", \

11
Dockerfile_desktop
View File

@ -10,17 +10,12 @@ COPY config/desktop/start_zap.sh /config/start_zap.sh
COPY config/desktop/WebGoat.txt /config/Desktop/ COPY config/desktop/WebGoat.txt /config/Desktop/
RUN \ RUN \
case $(uname -m) in \
x86_64) ARCH=x64;; \
aarch64) ARCH=aarch64;; \
*) ARCH=unknown;; \
esac && \
curl -LO https://github.com/zaproxy/zaproxy/releases/download/v2.12.0/ZAP_2.12.0_Linux.tar.gz && \ curl -LO https://github.com/zaproxy/zaproxy/releases/download/v2.12.0/ZAP_2.12.0_Linux.tar.gz && \
tar zfxv ZAP_2.12.0_Linux.tar.gz && \ tar zfxv ZAP_2.12.0_Linux.tar.gz && \
rm -rf ZAP_2.12.0_Linux.tar.gz && \ rm -rf ZAP_2.12.0_Linux.tar.gz && \
curl -LO https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.6%2B10/OpenJDK17U-jre_${ARCH}_linux_hotspot_17.0.6_10.tar.gz && \ curl -LO https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.6%2B10/OpenJDK17U-jre_aarch64_linux_hotspot_17.0.6_10.tar.gz && \
tar zfxv OpenJDK17U-jre_${ARCH}_linux_hotspot_17.0.6_10.tar.gz && \ tar zfxv OpenJDK17U-jre_aarch64_linux_hotspot_17.0.6_10.tar.gz && \
rm -rf OpenJDK17U-jre_${ARCH}_linux_hotspot_17.0.6_10.tar.gz && \ rm -rf OpenJDK17U-jre_aarch64_linux_hotspot_17.0.6_10.tar.gz && \
chmod +x /config/start_webgoat.sh && \ chmod +x /config/start_webgoat.sh && \
chmod +x /config/start_zap.sh && \ chmod +x /config/start_zap.sh && \
apt-get update && \ apt-get update && \

8
FAQ.md
View File

@ -1,8 +0,0 @@
# FAQ for development
## Introduction
### Integration tests fail
Try to run the command in the console `java -jar ...` and remove `-Dlogging.pattern.console=` from the command line.

1
README.md
View File

@ -6,7 +6,6 @@
[![GitHub release](https://img.shields.io/github/release/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/releases/latest) [![GitHub release](https://img.shields.io/github/release/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/releases/latest)
[![Gitter](https://badges.gitter.im/OWASPWebGoat/community.svg)](https://gitter.im/OWASPWebGoat/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge) [![Gitter](https://badges.gitter.im/OWASPWebGoat/community.svg)](https://gitter.im/OWASPWebGoat/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)
[![Discussions](https://img.shields.io/github/discussions/WebGoat/WebGoat)](https://github.com/WebGoat/WebGoat/discussions) [![Discussions](https://img.shields.io/github/discussions/WebGoat/WebGoat)](https://github.com/WebGoat/WebGoat/discussions)
[![Conventional Commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-%23FE5196?logo=conventionalcommits&logoColor=white)](https://conventionalcommits.org)
# Introduction # Introduction

154
pom.xml
View File

@ -1,16 +1,16 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd"> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion> <modelVersion>4.0.0</modelVersion>
<parent> <parent>
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId> <artifactId>spring-boot-starter-parent</artifactId>
<version>3.1.0</version> <version>2.7.1</version>
</parent> </parent>
<groupId>org.owasp.webgoat</groupId> <groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat</artifactId> <artifactId>webgoat</artifactId>
<version>2023.5-SNAPSHOT</version> <version>2023.4</version>
<packaging>jar</packaging> <packaging>jar</packaging>
<name>WebGoat</name> <name>WebGoat</name>
@ -27,7 +27,6 @@
<url>https://www.gnu.org/licenses/gpl-2.0.txt</url> <url>https://www.gnu.org/licenses/gpl-2.0.txt</url>
</license> </license>
</licenses> </licenses>
<developers> <developers>
<developer> <developer>
<id>mayhew64</id> <id>mayhew64</id>
@ -95,6 +94,7 @@
<archive>http://lists.owasp.org/pipermail/owasp-webgoat/</archive> <archive>http://lists.owasp.org/pipermail/owasp-webgoat/</archive>
</mailingList> </mailingList>
</mailingLists> </mailingLists>
<scm> <scm>
<connection>scm:git:git@github.com:WebGoat/WebGoat.git</connection> <connection>scm:git:git@github.com:WebGoat/WebGoat.git</connection>
<developerConnection>scm:git:git@github.com:WebGoat/WebGoat.git</developerConnection> <developerConnection>scm:git:git@github.com:WebGoat/WebGoat.git</developerConnection>
@ -108,46 +108,44 @@
</issueManagement> </issueManagement>
<properties> <properties>
<!-- Shared properties with plugins and version numbers across submodules--> <!-- Shared properties with plugins and version numbers across submodules-->
<asciidoctorj.version>2.5.3</asciidoctorj.version> <asciidoctorj.version>2.5.3</asciidoctorj.version>
<!-- Upgrading needs UI work in WebWolf -->
<bootstrap.version>3.3.7</bootstrap.version> <bootstrap.version>3.3.7</bootstrap.version>
<cglib.version>3.3.0</cglib.version> <cglib.version>2.2</cglib.version>
<!-- do not update necessary for lesson --> <!-- do not update necessary for lesson -->
<checkstyle.version>3.3.0</checkstyle.version> <checkstyle.version>3.1.2</checkstyle.version>
<commons-collections.version>3.2.1</commons-collections.version> <commons-collections.version>3.2.1</commons-collections.version>
<commons-io.version>2.11.0</commons-io.version> <commons-io.version>2.6</commons-io.version>
<commons-lang3.version>3.12.0</commons-lang3.version> <commons-lang3.version>3.12.0</commons-lang3.version>
<commons-text.version>1.10.0</commons-text.version> <commons-text.version>1.9</commons-text.version>
<guava.version>31.1-jre</guava.version> <guava.version>30.1-jre</guava.version>
<jacoco.version>0.8.10</jacoco.version>
<java.version>17</java.version> <java.version>17</java.version>
<jaxb.version>2.3.1</jaxb.version>
<jjwt.version>0.9.1</jjwt.version> <jjwt.version>0.9.1</jjwt.version>
<jose4j.version>0.9.3</jose4j.version> <jose4j.version>0.7.6</jose4j.version>
<jquery.version>3.5.1</jquery.version> <jquery.version>3.5.1</jquery.version>
<jsoup.version>1.16.1</jsoup.version> <jsoup.version>1.14.3</jsoup.version>
<maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version> <maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version>
<maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version> <maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version>
<maven-jar-plugin.version>3.1.2</maven-jar-plugin.version> <maven-jar-plugin.version>3.1.2</maven-jar-plugin.version>
<maven-javadoc-plugin.version>3.1.1</maven-javadoc-plugin.version> <maven-javadoc-plugin.version>3.1.1</maven-javadoc-plugin.version>
<maven-source-plugin.version>3.1.0</maven-source-plugin.version> <maven-source-plugin.version>3.1.0</maven-source-plugin.version>
<maven-surefire-plugin.version>3.1.0</maven-surefire-plugin.version> <maven-surefire-plugin.version>3.0.0-M5</maven-surefire-plugin.version>
<maven.compiler.source>17</maven.compiler.source> <maven.compiler.source>17</maven.compiler.source>
<maven.compiler.target>17</maven.compiler.target> <maven.compiler.target>17</maven.compiler.target>
<pmd.version>3.15.0</pmd.version> <pmd.version>3.15.0</pmd.version>
<!-- Use UTF-8 Encoding --> <!-- Use UTF-8 Encoding -->
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding> <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<thymeleaf.version>3.1.1.RELEASE</thymeleaf.version> <thymeleaf.version>3.0.15.RELEASE</thymeleaf.version>
<webdriver.version>5.3.2</webdriver.version> <webdriver.version>4.3.1</webdriver.version>
<webgoat.port>8080</webgoat.port> <webgoat.port>8080</webgoat.port>
<webwolf.port>9090</webwolf.port> <webwolf.port>9090</webwolf.port>
<wiremock.version>2.27.2</wiremock.version> <wiremock.version>2.27.2</wiremock.version>
<xml-resolver.version>1.2</xml-resolver.version> <xml-resolver.version>1.2</xml-resolver.version>
<xstream.version>1.4.5</xstream.version> <xstream.version>1.4.5</xstream.version>
<!-- do not update necessary for lesson --> <!-- do not update necessary for lesson -->
<zxcvbn.version>1.7.0</zxcvbn.version> <zxcvbn.version>1.5.2</zxcvbn.version>
</properties> </properties>
<dependencyManagement> <dependencyManagement>
@ -156,7 +154,7 @@
<dependency> <dependency>
<groupId>org.ow2.asm</groupId> <groupId>org.ow2.asm</groupId>
<artifactId>asm</artifactId> <artifactId>asm</artifactId>
<version>9.5</version> <version>9.1</version>
</dependency> </dependency>
<dependency> <dependency>
@ -243,15 +241,16 @@
<dependency> <dependency>
<groupId>org.apache.commons</groupId> <groupId>org.apache.commons</groupId>
<artifactId>commons-compress</artifactId> <artifactId>commons-compress</artifactId>
<version>1.22</version> <version>1.21</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.jruby</groupId> <groupId>org.jruby</groupId>
<artifactId>jruby</artifactId> <artifactId>jruby</artifactId>
<version>9.4.2.0</version> <version>9.3.6.0</version>
</dependency> </dependency>
</dependencies> </dependencies>
</dependencyManagement> </dependencyManagement>
<dependencies> <dependencies>
<dependency> <dependency>
<groupId>org.apache.commons</groupId> <groupId>org.apache.commons</groupId>
@ -270,7 +269,6 @@
<dependency> <dependency>
<groupId>javax.xml.bind</groupId> <groupId>javax.xml.bind</groupId>
<artifactId>jaxb-api</artifactId> <artifactId>jaxb-api</artifactId>
<version>${jaxb.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>
@ -312,11 +310,7 @@
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.thymeleaf.extras</groupId> <groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity6</artifactId> <artifactId>thymeleaf-extras-springsecurity5</artifactId>
</dependency>
<dependency>
<groupId>jakarta.servlet</groupId>
<artifactId>jakarta.servlet-api</artifactId>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.hsqldb</groupId> <groupId>org.hsqldb</groupId>
@ -375,13 +369,8 @@
<artifactId>jquery</artifactId> <artifactId>jquery</artifactId>
</dependency> </dependency>
<dependency> <dependency>
<groupId>jakarta.xml.bind</groupId> <groupId>org.glassfish.jaxb</groupId>
<artifactId>jakarta.xml.bind-api</artifactId> <artifactId>jaxb-runtime</artifactId>
</dependency>
<dependency>
<groupId>com.sun.xml.bind</groupId>
<artifactId>jaxb-impl</artifactId>
<scope>runtime</scope>
</dependency> </dependency>
<dependency> <dependency>
@ -397,7 +386,6 @@
<dependency> <dependency>
<groupId>com.github.tomakehurst</groupId> <groupId>com.github.tomakehurst</groupId>
<artifactId>wiremock</artifactId> <artifactId>wiremock</artifactId>
<version>3.0.0-beta-2</version>
<scope>test</scope> <scope>test</scope>
</dependency> </dependency>
<dependency> <dependency>
@ -405,11 +393,6 @@
<artifactId>rest-assured</artifactId> <artifactId>rest-assured</artifactId>
<scope>test</scope> <scope>test</scope>
</dependency> </dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-properties-migrator</artifactId>
<scope>runtime</scope>
</dependency>
</dependencies> </dependencies>
<repositories> <repositories>
@ -507,8 +490,7 @@
<argLine>--add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED <argLine>--add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
--add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED --add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
--add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED
--add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED</argLine>
--add-opens=java.base/sun.nio.ch=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED</argLine>
<excludes> <excludes>
<exclude>**/*IntegrationTest.java</exclude> <exclude>**/*IntegrationTest.java</exclude>
<exclude>src/it/java</exclude> <exclude>src/it/java</exclude>
@ -532,7 +514,7 @@
<plugin> <plugin>
<groupId>com.diffplug.spotless</groupId> <groupId>com.diffplug.spotless</groupId>
<artifactId>spotless-maven-plugin</artifactId> <artifactId>spotless-maven-plugin</artifactId>
<version>2.33.0</version> <version>2.29.0</version>
<configuration> <configuration>
<formats> <formats>
<format> <format>
@ -593,7 +575,7 @@
<plugin> <plugin>
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-enforcer-plugin</artifactId> <artifactId>maven-enforcer-plugin</artifactId>
<version>3.3.0</version> <version>3.0.0</version>
<executions> <executions>
<execution> <execution>
<id>restrict-log4j-versions</id> <id>restrict-log4j-versions</id>
@ -696,10 +678,6 @@
<argument>java.base/java.io=ALL-UNNAMED</argument> <argument>java.base/java.io=ALL-UNNAMED</argument>
<argument>--add-opens</argument> <argument>--add-opens</argument>
<argument>java.base/java.util=ALL-UNNAMED</argument> <argument>java.base/java.util=ALL-UNNAMED</argument>
<argument>--add-opens</argument>
<argument>java.base/sun.nio.ch=ALL-UNNAMED</argument>
<argument>--add-opens</argument>
<argument>java.base/java.io=ALL-UNNAMED</argument>
<argument>${project.build.directory}/webgoat-${project.version}.jar</argument> <argument>${project.build.directory}/webgoat-${project.version}.jar</argument>
</arguments> </arguments>
<waitForInterrupt>false</waitForInterrupt> <waitForInterrupt>false</waitForInterrupt>
@ -749,82 +727,6 @@
</plugins> </plugins>
</build> </build>
</profile> </profile>
<profile>
<!-- run with: mvn test -Pcoverage -->
<id>coverage</id>
<activation>
<activeByDefault>false</activeByDefault>
</activation>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<version>${maven-surefire-plugin.version}</version>
<configuration>
<argLine>--add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
--add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
--add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED
--add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED
${surefire.jacoco.args}</argLine>
<excludes>
<exclude>**/*IntegrationTest.java</exclude>
<exclude>src/it/java</exclude>
<exclude>org/owasp/webgoat/*Test</exclude>
</excludes>
</configuration>
</plugin>
<plugin>
<groupId>org.jacoco</groupId>
<artifactId>jacoco-maven-plugin</artifactId>
<version>${jacoco.version}</version>
<executions>
<execution>
<id>before-unit-test</id>
<goals>
<goal>prepare-agent</goal>
</goals>
<configuration>
<destFile>${project.build.directory}/jacoco/jacoco-ut.exec</destFile>
<propertyName>surefire.jacoco.args</propertyName>
</configuration>
</execution>
<execution>
<id>check</id>
<goals>
<goal>check</goal>
</goals>
<configuration>
<rules>
<rule>
<element>BUNDLE</element>
<limits>
<limit>
<counter>CLASS</counter>
<value>COVEREDCOUNT</value>
<minimum>0.6</minimum>
</limit>
</limits>
</rule>
</rules>
<dataFile>${project.build.directory}/jacoco/jacoco-ut.exec</dataFile>
</configuration>
</execution>
<execution>
<id>after-unit-test</id>
<goals>
<goal>report</goal>
</goals>
<phase>test</phase>
<configuration>
<dataFile>${project.build.directory}/jacoco/jacoco-ut.exec</dataFile>
<outputDirectory>${project.reporting.outputDirectory}/jacoco-unit-test-coverage-report</outputDirectory>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
</profiles> </profiles>
</project> </project>

64
src/it/java/org/owasp/webgoat/ChallengeIntegrationTest.java
View File

@ -7,14 +7,12 @@ import java.util.Arrays;
import java.util.HashMap; import java.util.HashMap;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
import org.springframework.http.HttpStatus;
public class ChallengeIntegrationTest extends IntegrationTest { public class ChallengeIntegrationTest extends IntegrationTest {
@Test @Test
void testChallenge1() { public void testChallenge1() {
startLesson("Challenge1"); startLesson("Challenge1");
byte[] resultBytes = byte[] resultBytes =
@ -69,7 +67,7 @@ public class ChallengeIntegrationTest extends IntegrationTest {
} }
@Test @Test
void testChallenge5() { public void testChallenge5() {
startLesson("Challenge5"); startLesson("Challenge5");
Map<String, Object> params = new HashMap<>(); Map<String, Object> params = new HashMap<>();
@ -109,62 +107,4 @@ public class ChallengeIntegrationTest extends IntegrationTest {
.get("find { it.username == \"" + this.getUser() + "\" }.flagsCaptured"); .get("find { it.username == \"" + this.getUser() + "\" }.flagsCaptured");
assertTrue(capturefFlags.contains("Without password")); assertTrue(capturefFlags.contains("Without password"));
} }
@Test
void testChallenge7() {
startLesson("Challenge7");
cleanMailbox();
// One should first be able to download git.zip from WebGoat
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("/WebGoat/challenge/7/.git"))
.then()
.statusCode(200)
.extract()
.asString();
// Should send an email to WebWolf inbox this should give a hint to the link being static
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.formParams("email", getUser() + "@webgoat.org")
.post(url("/WebGoat/challenge/7"))
.then()
.statusCode(200)
.extract()
.asString();
// Check whether email has been received
var responseBody =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.get(webWolfUrl("/mail"))
.then()
.extract()
.response()
.getBody()
.asString();
Assertions.assertThat(responseBody).contains("Hi, you requested a password reset link");
// Call reset link with admin link
String result =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("/challenge/7/reset-password/{link}"), "375afe1104f4a487a73823c50a9292a2")
.then()
.statusCode(HttpStatus.ACCEPTED.value())
.extract()
.asString();
String flag = result.substring(result.indexOf("flag") + 6, result.indexOf("flag") + 42);
checkAssignment(url("/WebGoat/challenge/flag"), Map.of("flag", flag), true);
}
} }

11
src/it/java/org/owasp/webgoat/IntegrationTest.java
View File

@ -11,7 +11,6 @@ import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert; import org.hamcrest.MatcherAssert;
import org.junit.jupiter.api.AfterEach; import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.BeforeEach;
import org.springframework.http.HttpStatus;
public abstract class IntegrationTest { public abstract class IntegrationTest {
@ -253,14 +252,4 @@ public abstract class IntegrationTest {
.getBody() .getBody()
.asString(); .asString();
} }
public void cleanMailbox() {
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.delete(webWolfUrl("/mail"))
.then()
.statusCode(HttpStatus.ACCEPTED.value());
}
} }

2
src/it/java/org/owasp/webgoat/PasswordResetLessonIntegrationTest.java
View File

@ -5,6 +5,7 @@ import static org.junit.jupiter.api.DynamicTest.dynamicTest;
import io.restassured.RestAssured; import io.restassured.RestAssured;
import java.util.Arrays; import java.util.Arrays;
import java.util.Map; import java.util.Map;
import lombok.SneakyThrows;
import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.StringUtils;
import org.assertj.core.api.Assertions; import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.AfterEach; import org.junit.jupiter.api.AfterEach;
@ -15,6 +16,7 @@ import org.junit.jupiter.api.TestFactory;
public class PasswordResetLessonIntegrationTest extends IntegrationTest { public class PasswordResetLessonIntegrationTest extends IntegrationTest {
@BeforeEach @BeforeEach
@SneakyThrows
public void init() { public void init() {
startLesson("/PasswordReset"); startLesson("/PasswordReset");
} }

4
src/it/java/org/owasp/webgoat/ProgressRaceConditionIntegrationTest.java
View File

@ -29,9 +29,9 @@ public class ProgressRaceConditionIntegrationTest extends IntegrationTest {
.relaxedHTTPSValidation() .relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie()) .cookie("JSESSIONID", getWebGoatCookie())
.formParams(Map.of("flag", "test")) .formParams(Map.of("flag", "test"))
.post(url("/challenge/flag")); .post(url("/challenge/flag/"));
}; };
ExecutorService executorService = Executors.newFixedThreadPool(NUMBER_OF_PARALLEL_THREADS); ExecutorService executorService = Executors.newWorkStealingPool(NUMBER_OF_PARALLEL_THREADS);
List<? extends Callable<Response>> flagCalls = List<? extends Callable<Response>> flagCalls =
IntStream.range(0, NUMBER_OF_CALLS).mapToObj(i -> call).collect(Collectors.toList()); IntStream.range(0, NUMBER_OF_CALLS).mapToObj(i -> call).collect(Collectors.toList());
var responses = executorService.invokeAll(flagCalls); var responses = executorService.invokeAll(flagCalls);

6
src/main/java/org/owasp/webgoat/container/AjaxAuthenticationEntryPoint.java
View File

@ -27,10 +27,10 @@
*/ */
package org.owasp.webgoat.container; package org.owasp.webgoat.container;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException; import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint; import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

4
src/main/java/org/owasp/webgoat/container/AsciiDoctorTemplateResolver.java
View File

@ -33,7 +33,6 @@ package org.owasp.webgoat.container;
import static org.asciidoctor.Asciidoctor.Factory.create; import static org.asciidoctor.Asciidoctor.Factory.create;
import io.undertow.util.Headers; import io.undertow.util.Headers;
import jakarta.servlet.http.HttpServletRequest;
import java.io.IOException; import java.io.IOException;
import java.io.InputStream; import java.io.InputStream;
import java.io.InputStreamReader; import java.io.InputStreamReader;
@ -42,6 +41,7 @@ import java.util.HashMap;
import java.util.Locale; import java.util.Locale;
import java.util.Map; import java.util.Map;
import java.util.Set; import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.asciidoctor.Asciidoctor; import org.asciidoctor.Asciidoctor;
import org.asciidoctor.extension.JavaExtensionRegistry; import org.asciidoctor.extension.JavaExtensionRegistry;
@ -60,7 +60,7 @@ import org.thymeleaf.templateresource.StringTemplateResource;
* Thymeleaf resolver for AsciiDoc used in the lesson, can be used as follows inside a lesson file: * Thymeleaf resolver for AsciiDoc used in the lesson, can be used as follows inside a lesson file:
* *
* <p><code> * <p><code>
* <div th:replace="~{doc:AccessControlMatrix_plan.adoc}"></div> * <div th:replace="doc:AccessControlMatrix_plan.adoc"></div>
* </code> * </code>
*/ */
@Slf4j @Slf4j

5
src/main/java/org/owasp/webgoat/container/DatabaseConfiguration.java
View File

@ -50,13 +50,12 @@ public class DatabaseConfiguration {
} }
@Bean @Bean
public Function<String, Flyway> flywayLessons() { public Function<String, Flyway> flywayLessons(LessonDataSource lessonDataSource) {
return schema -> return schema ->
Flyway.configure() Flyway.configure()
.configuration(Map.of("driver", properties.getDriverClassName())) .configuration(Map.of("driver", properties.getDriverClassName()))
.schemas(schema) .schemas(schema)
.cleanDisabled(false) .dataSource(lessonDataSource)
.dataSource(dataSource())
.locations("lessons") .locations("lessons")
.load(); .load();
} }

8
src/main/java/org/owasp/webgoat/container/MvcConfiguration.java
View File

@ -56,10 +56,10 @@ import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.i18n.LocaleChangeInterceptor; import org.springframework.web.servlet.i18n.LocaleChangeInterceptor;
import org.springframework.web.servlet.i18n.SessionLocaleResolver; import org.springframework.web.servlet.i18n.SessionLocaleResolver;
import org.thymeleaf.IEngineConfiguration; import org.thymeleaf.IEngineConfiguration;
import org.thymeleaf.extras.springsecurity6.dialect.SpringSecurityDialect; import org.thymeleaf.extras.springsecurity5.dialect.SpringSecurityDialect;
import org.thymeleaf.spring6.SpringTemplateEngine; import org.thymeleaf.spring5.SpringTemplateEngine;
import org.thymeleaf.spring6.templateresolver.SpringResourceTemplateResolver; import org.thymeleaf.spring5.templateresolver.SpringResourceTemplateResolver;
import org.thymeleaf.spring6.view.ThymeleafViewResolver; import org.thymeleaf.spring5.view.ThymeleafViewResolver;
import org.thymeleaf.templatemode.TemplateMode; import org.thymeleaf.templatemode.TemplateMode;
import org.thymeleaf.templateresolver.FileTemplateResolver; import org.thymeleaf.templateresolver.FileTemplateResolver;
import org.thymeleaf.templateresolver.ITemplateResolver; import org.thymeleaf.templateresolver.ITemplateResolver;

36
src/main/java/org/owasp/webgoat/container/WebSecurityConfig.java
View File

@ -37,26 +37,26 @@ import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.NoOpPasswordEncoder; import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
/** Security configuration for WebGoat. */ /** Security configuration for WebGoat. */
@Configuration @Configuration
@AllArgsConstructor @AllArgsConstructor
@EnableWebSecurity @EnableWebSecurity
public class WebSecurityConfig { public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private final UserService userDetailsService; private final UserService userDetailsService;
@Bean @Override
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { protected void configure(HttpSecurity http) throws Exception {
http.authorizeHttpRequests( ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security =
auth -> http.authorizeRequests()
auth.requestMatchers( .antMatchers(
"/css/**", "/css/**",
"/images/**", "/images/**",
"/js/**", "/js/**",
@ -67,19 +67,20 @@ public class WebSecurityConfig {
"/actuator/**") "/actuator/**")
.permitAll() .permitAll()
.anyRequest() .anyRequest()
.authenticated()); .authenticated();
http.formLogin() security
.and()
.formLogin()
.loginPage("/login") .loginPage("/login")
.defaultSuccessUrl("/welcome.mvc", true) .defaultSuccessUrl("/welcome.mvc", true)
.usernameParameter("username") .usernameParameter("username")
.passwordParameter("password") .passwordParameter("password")
.permitAll(); .permitAll();
http.logout().deleteCookies("JSESSIONID").invalidateHttpSession(true); security.and().logout().deleteCookies("JSESSIONID").invalidateHttpSession(true);
http.csrf().disable(); security.and().csrf().disable();
http.headers().cacheControl().disable(); http.headers().cacheControl().disable();
http.exceptionHandling().authenticationEntryPoint(new AjaxAuthenticationEntryPoint("/login")); http.exceptionHandling().authenticationEntryPoint(new AjaxAuthenticationEntryPoint("/login"));
return http.build();
} }
@Autowired @Autowired
@ -88,14 +89,15 @@ public class WebSecurityConfig {
} }
@Bean @Bean
public UserDetailsService userDetailsServiceBean() { @Override
public UserDetailsService userDetailsServiceBean() throws Exception {
return userDetailsService; return userDetailsService;
} }
@Override
@Bean @Bean
public AuthenticationManager authenticationManager( protected AuthenticationManager authenticationManager() throws Exception {
AuthenticationConfiguration authenticationConfiguration) throws Exception { return super.authenticationManager();
return authenticationConfiguration.getAuthenticationManager();
} }
@SuppressWarnings("deprecation") @SuppressWarnings("deprecation")

2
src/main/java/org/owasp/webgoat/container/asciidoc/WebWolfMacro.java
View File

@ -1,8 +1,8 @@
package org.owasp.webgoat.container.asciidoc; package org.owasp.webgoat.container.asciidoc;
import jakarta.servlet.http.HttpServletRequest;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map; import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.asciidoctor.ast.ContentNode; import org.asciidoctor.ast.ContentNode;
import org.asciidoctor.extension.InlineMacroProcessor; import org.asciidoctor.extension.InlineMacroProcessor;
import org.springframework.web.context.request.RequestContextHolder; import org.springframework.web.context.request.RequestContextHolder;

3
src/main/java/org/owasp/webgoat/container/assignments/LessonTrackerInterceptor.java
View File

@ -75,8 +75,7 @@ public class LessonTrackerInterceptor implements ResponseBodyAdvice<Object> {
} else { } else {
userTracker.assignmentFailed(webSession.getCurrentLesson()); userTracker.assignmentFailed(webSession.getCurrentLesson());
} }
userTrackerRepository.save(userTracker); userTrackerRepository.saveAndFlush(userTracker);
return attackResult; return attackResult;
} }
} }

2
src/main/java/org/owasp/webgoat/container/controller/StartLesson.java
View File

@ -31,7 +31,7 @@
*/ */
package org.owasp.webgoat.container.controller; package org.owasp.webgoat.container.controller;
import jakarta.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import org.owasp.webgoat.container.session.Course; import org.owasp.webgoat.container.session.Course;
import org.owasp.webgoat.container.session.WebSession; import org.owasp.webgoat.container.session.WebSession;
import org.springframework.stereotype.Controller; import org.springframework.stereotype.Controller;

6
src/main/java/org/owasp/webgoat/container/controller/Welcome.java
View File

@ -29,8 +29,8 @@
*/ */
package org.owasp.webgoat.container.controller; package org.owasp.webgoat.container.controller;
import jakarta.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpSession; import javax.servlet.http.HttpSession;
import org.springframework.stereotype.Controller; import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.servlet.ModelAndView; import org.springframework.web.servlet.ModelAndView;
@ -49,7 +49,7 @@ public class Welcome {
/** /**
* welcome. * welcome.
* *
* @param request a {@link jakarta.servlet.http.HttpServletRequest} object. * @param request a {@link javax.servlet.http.HttpServletRequest} object.
* @return a {@link org.springframework.web.servlet.ModelAndView} object. * @return a {@link org.springframework.web.servlet.ModelAndView} object.
*/ */
@GetMapping(path = {"welcome.mvc"}) @GetMapping(path = {"welcome.mvc"})

11
src/main/java/org/owasp/webgoat/container/lessons/Assignment.java
View File

@ -1,14 +1,9 @@
package org.owasp.webgoat.container.lessons; package org.owasp.webgoat.container.lessons;
import jakarta.persistence.Entity;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.GenerationType;
import jakarta.persistence.Id;
import jakarta.persistence.Transient;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import lombok.EqualsAndHashCode; import javax.persistence.*;
import lombok.Getter; import lombok.*;
/** /**
* ************************************************************************************************ * ************************************************************************************************
@ -46,7 +41,7 @@ import lombok.Getter;
public class Assignment { public class Assignment {
@Id @Id
@GeneratedValue(strategy = GenerationType.IDENTITY) @GeneratedValue(strategy = GenerationType.AUTO)
private Long id; private Long id;
private String name; private String name;

4
src/main/java/org/owasp/webgoat/container/lessons/LessonConnectionInvocationHandler.java
View File

@ -4,13 +4,15 @@ import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException; import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method; import java.lang.reflect.Method;
import java.sql.Connection; import java.sql.Connection;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.container.users.WebGoatUser; import org.owasp.webgoat.container.users.WebGoatUser;
import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolder;
/** /**
* Handler which sets the correct schema for the currently bounded user. This way users are not * Handler which sets the correct schema for the currently bounded user. This way users are not
* seeing each other data, and we can reset data for just one particular user. * seeing each other data and we can reset data for just one particular user.
*/ */
@Slf4j
public class LessonConnectionInvocationHandler implements InvocationHandler { public class LessonConnectionInvocationHandler implements InvocationHandler {
private final Connection targetConnection; private final Connection targetConnection;

19
src/main/java/org/owasp/webgoat/container/users/LessonTracker.java
View File

@ -1,20 +1,8 @@
package org.owasp.webgoat.container.users; package org.owasp.webgoat.container.users;
import jakarta.persistence.CascadeType; import java.util.*;
import jakarta.persistence.Entity;
import jakarta.persistence.FetchType;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.GenerationType;
import jakarta.persistence.Id;
import jakarta.persistence.OneToMany;
import jakarta.persistence.Version;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors; import java.util.stream.Collectors;
import lombok.EqualsAndHashCode; import javax.persistence.*;
import lombok.Getter; import lombok.Getter;
import org.owasp.webgoat.container.lessons.Assignment; import org.owasp.webgoat.container.lessons.Assignment;
import org.owasp.webgoat.container.lessons.Lesson; import org.owasp.webgoat.container.lessons.Lesson;
@ -51,11 +39,10 @@ import org.owasp.webgoat.container.lessons.Lesson;
* @since October 29, 2003 * @since October 29, 2003
*/ */
@Entity @Entity
@EqualsAndHashCode
public class LessonTracker { public class LessonTracker {
@Id @Id
@GeneratedValue(strategy = GenerationType.IDENTITY) @GeneratedValue(strategy = GenerationType.AUTO)
private Long id; private Long id;
@Getter private String lessonName; @Getter private String lessonName;

8
src/main/java/org/owasp/webgoat/container/users/RegistrationController.java
View File

@ -1,10 +1,11 @@
package org.owasp.webgoat.container.users; package org.owasp.webgoat.container.users;
import jakarta.servlet.ServletException; import javax.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import jakarta.validation.Valid; import javax.validation.Valid;
import lombok.AllArgsConstructor; import lombok.AllArgsConstructor;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.stereotype.Controller; import org.springframework.stereotype.Controller;
import org.springframework.validation.BindingResult; import org.springframework.validation.BindingResult;
import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.GetMapping;
@ -22,6 +23,7 @@ public class RegistrationController {
private UserValidator userValidator; private UserValidator userValidator;
private UserService userService; private UserService userService;
private AuthenticationManager authenticationManager;
@GetMapping("/registration") @GetMapping("/registration")
public String showForm(UserForm userForm) { public String showForm(UserForm userForm) {

6
src/main/java/org/owasp/webgoat/container/users/UserForm.java
View File

@ -1,8 +1,8 @@
package org.owasp.webgoat.container.users; package org.owasp.webgoat.container.users;
import jakarta.validation.constraints.NotNull; import javax.validation.constraints.NotNull;
import jakarta.validation.constraints.Pattern; import javax.validation.constraints.Pattern;
import jakarta.validation.constraints.Size; import javax.validation.constraints.Size;
import lombok.Getter; import lombok.Getter;
import lombok.Setter; import lombok.Setter;

13
src/main/java/org/owasp/webgoat/container/users/UserTracker.java
View File

@ -1,19 +1,11 @@
package org.owasp.webgoat.container.users; package org.owasp.webgoat.container.users;
import jakarta.persistence.CascadeType;
import jakarta.persistence.Column;
import jakarta.persistence.Entity;
import jakarta.persistence.FetchType;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.GenerationType;
import jakarta.persistence.Id;
import jakarta.persistence.OneToMany;
import java.util.HashSet; import java.util.HashSet;
import java.util.Map; import java.util.Map;
import java.util.Optional; import java.util.Optional;
import java.util.Set; import java.util.Set;
import java.util.stream.Collectors; import java.util.stream.Collectors;
import lombok.EqualsAndHashCode; import javax.persistence.*;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.container.lessons.Assignment; import org.owasp.webgoat.container.lessons.Assignment;
import org.owasp.webgoat.container.lessons.Lesson; import org.owasp.webgoat.container.lessons.Lesson;
@ -51,11 +43,10 @@ import org.owasp.webgoat.container.lessons.Lesson;
*/ */
@Slf4j @Slf4j
@Entity @Entity
@EqualsAndHashCode
public class UserTracker { public class UserTracker {
@Id @Id
@GeneratedValue(strategy = GenerationType.IDENTITY) @GeneratedValue(strategy = GenerationType.AUTO)
private Long id; private Long id;
@Column(name = "username") @Column(name = "username")

6
src/main/java/org/owasp/webgoat/container/users/WebGoatUser.java
View File

@ -1,10 +1,10 @@
package org.owasp.webgoat.container.users; package org.owasp.webgoat.container.users;
import jakarta.persistence.Entity;
import jakarta.persistence.Id;
import jakarta.persistence.Transient;
import java.util.Collection; import java.util.Collection;
import java.util.Collections; import java.util.Collections;
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.Transient;
import lombok.Getter; import lombok.Getter;
import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority;

4
src/main/java/org/owasp/webgoat/lessons/authbypass/VerifyAccount.java
View File

@ -22,13 +22,13 @@
package org.owasp.webgoat.lessons.authbypass; package org.owasp.webgoat.lessons.authbypass;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import java.io.IOException; import java.io.IOException;
import java.util.Collections; import java.util.Collections;
import java.util.HashMap; import java.util.HashMap;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints; import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.assignments.AttackResult;

88
src/main/java/org/owasp/webgoat/lessons/challenges/Flag.java
View File

@ -1,13 +1,89 @@
/*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2019 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/
package org.owasp.webgoat.lessons.challenges; package org.owasp.webgoat.lessons.challenges;
public record Flag(int number, String answer) { import java.util.HashMap;
import java.util.Map;
import java.util.UUID;
import java.util.stream.IntStream;
import javax.annotation.PostConstruct;
import lombok.AllArgsConstructor;
import lombok.Getter;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.container.session.WebSession;
import org.owasp.webgoat.container.users.UserTracker;
import org.owasp.webgoat.container.users.UserTrackerRepository;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
public boolean isCorrect(String flag) { /**
return answer.equals(flag); * @author nbaars
* @since 3/23/17.
*/
@RestController
public class Flag extends AssignmentEndpoint {
public static final Map<Integer, String> FLAGS = new HashMap<>();
@Autowired private UserTrackerRepository userTrackerRepository;
@Autowired private WebSession webSession;
@AllArgsConstructor
private class FlagPosted {
@Getter private boolean lessonCompleted;
} }
@Override @PostConstruct
public String toString() { public void initFlags() {
return answer; IntStream.range(1, 10).forEach(i -> FLAGS.put(i, UUID.randomUUID().toString()));
}
@RequestMapping(
path = "/challenge/flag",
method = RequestMethod.POST,
produces = MediaType.APPLICATION_JSON_VALUE)
@ResponseBody
public AttackResult postFlag(@RequestParam String flag) {
UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
String currentChallenge = webSession.getCurrentLesson().getName();
int challengeNumber =
Integer.valueOf(
currentChallenge.substring(currentChallenge.length() - 1, currentChallenge.length()));
String expectedFlag = FLAGS.get(challengeNumber);
final AttackResult attackResult;
if (expectedFlag.equals(flag)) {
userTracker.assignmentSolved(webSession.getCurrentLesson(), "Assignment" + challengeNumber);
attackResult = success(this).feedback("challenge.flag.correct").build();
} else {
userTracker.assignmentFailed(webSession.getCurrentLesson());
attackResult = failed(this).feedback("challenge.flag.incorrect").build();
}
userTrackerRepository.save(userTracker);
return attackResult;
} }
} }

52
src/main/java/org/owasp/webgoat/lessons/challenges/FlagController.java
View File

@ -1,52 +0,0 @@
/*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2019 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/
package org.owasp.webgoat.lessons.challenges;
import lombok.AllArgsConstructor;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.container.session.WebSession;
import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RestController
@AllArgsConstructor
public class FlagController extends AssignmentEndpoint {
private final WebSession webSession;
private final Flags flags;
@PostMapping(path = "/challenge/flag", produces = MediaType.APPLICATION_JSON_VALUE)
@ResponseBody
public AttackResult postFlag(@RequestParam String flag) {
Flag expectedFlag = flags.getFlag(webSession.getCurrentLesson());
if (expectedFlag.isCorrect(flag)) {
return success(this).feedback("challenge.flag.correct").build();
} else {
return failed(this).feedback("challenge.flag.incorrect").build();
}
}
}

27
src/main/java/org/owasp/webgoat/lessons/challenges/Flags.java
View File

@ -1,27 +0,0 @@
package org.owasp.webgoat.lessons.challenges;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;
import java.util.stream.IntStream;
import org.owasp.webgoat.container.lessons.Lesson;
import org.springframework.context.annotation.Configuration;
@Configuration
public class Flags {
private final Map<Integer, Flag> FLAGS = new HashMap<>();
public Flags() {
IntStream.range(1, 10).forEach(i -> FLAGS.put(i, new Flag(i, UUID.randomUUID().toString())));
}
public Flag getFlag(Lesson forLesson) {
String lessonName = forLesson.getName();
int challengeNumber = Integer.valueOf(lessonName.substring(lessonName.length() - 1));
return FLAGS.get(challengeNumber);
}
public Flag getFlag(int flagNumber) {
return FLAGS.get(flagNumber);
}
}

2
src/main/java/org/owasp/webgoat/lessons/challenges/SolutionConstants.java
View File

@ -32,4 +32,6 @@ public interface SolutionConstants {
// TODO should be random generated when starting the server // TODO should be random generated when starting the server
String PASSWORD = "!!webgoat_admin_1234!!"; String PASSWORD = "!!webgoat_admin_1234!!";
String PASSWORD_TOM = "thisisasecretfortomonly";
String ADMIN_PASSWORD_LINK = "375afe1104f4a487a73823c50a9292a2";
} }

17
src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/Assignment1.java
View File

@ -2,10 +2,11 @@ package org.owasp.webgoat.lessons.challenges.challenge1;
import static org.owasp.webgoat.lessons.challenges.SolutionConstants.PASSWORD; import static org.owasp.webgoat.lessons.challenges.SolutionConstants.PASSWORD;
import lombok.RequiredArgsConstructor; import javax.servlet.http.HttpServletRequest;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.lessons.challenges.Flags; import org.owasp.webgoat.lessons.challenges.Flag;
import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.ResponseBody;
@ -42,14 +43,12 @@ import org.springframework.web.bind.annotation.RestController;
* @since August 11, 2016 * @since August 11, 2016
*/ */
@RestController @RestController
@RequiredArgsConstructor
public class Assignment1 extends AssignmentEndpoint { public class Assignment1 extends AssignmentEndpoint {
private final Flags flags;
@PostMapping("/challenge/1") @PostMapping("/challenge/1")
@ResponseBody @ResponseBody
public AttackResult completed(@RequestParam String username, @RequestParam String password) { public AttackResult completed(
@RequestParam String username, @RequestParam String password, HttpServletRequest request) {
boolean ipAddressKnown = true; boolean ipAddressKnown = true;
boolean passwordCorrect = boolean passwordCorrect =
"admin".equals(username) "admin".equals(username)
@ -57,10 +56,14 @@ public class Assignment1 extends AssignmentEndpoint {
.replace("1234", String.format("%04d", ImageServlet.PINCODE)) .replace("1234", String.format("%04d", ImageServlet.PINCODE))
.equals(password); .equals(password);
if (passwordCorrect && ipAddressKnown) { if (passwordCorrect && ipAddressKnown) {
return success(this).feedback("challenge.solved").feedbackArgs(flags.getFlag(1)).build(); return success(this).feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(1)).build();
} else if (passwordCorrect) { } else if (passwordCorrect) {
return failed(this).feedback("ip.address.unknown").build(); return failed(this).feedback("ip.address.unknown").build();
} }
return failed(this).build(); return failed(this).build();
} }
public static boolean containsHeader(HttpServletRequest request) {
return StringUtils.hasText(request.getHeader("X-Forwarded-For"));
}
} }

8
src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/ImageServlet.java
View File

@ -4,7 +4,8 @@ import static org.springframework.web.bind.annotation.RequestMethod.GET;
import static org.springframework.web.bind.annotation.RequestMethod.POST; import static org.springframework.web.bind.annotation.RequestMethod.POST;
import java.io.IOException; import java.io.IOException;
import java.util.Random; import java.security.SecureRandom;
import javax.servlet.http.HttpServlet;
import org.springframework.core.io.ClassPathResource; import org.springframework.core.io.ClassPathResource;
import org.springframework.http.MediaType; import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMapping;
@ -12,9 +13,10 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController; import org.springframework.web.bind.annotation.RestController;
@RestController @RestController
public class ImageServlet { public class ImageServlet extends HttpServlet {
public static final int PINCODE = new Random().nextInt(10000); private static final long serialVersionUID = 9132775506936676850L;
public static final int PINCODE = new SecureRandom().nextInt(10000);
@RequestMapping( @RequestMapping(
method = {GET, POST}, method = {GET, POST},

11
src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Assignment5.java
View File

@ -24,12 +24,11 @@ package org.owasp.webgoat.lessons.challenges.challenge5;
import java.sql.PreparedStatement; import java.sql.PreparedStatement;
import java.sql.ResultSet; import java.sql.ResultSet;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.container.LessonDataSource; import org.owasp.webgoat.container.LessonDataSource;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.lessons.challenges.Flags; import org.owasp.webgoat.lessons.challenges.Flag;
import org.springframework.util.StringUtils; import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.RequestParam;
@ -38,11 +37,13 @@ import org.springframework.web.bind.annotation.RestController;
@RestController @RestController
@Slf4j @Slf4j
@RequiredArgsConstructor
public class Assignment5 extends AssignmentEndpoint { public class Assignment5 extends AssignmentEndpoint {
private final LessonDataSource dataSource; private final LessonDataSource dataSource;
private final Flags flags;
public Assignment5(LessonDataSource dataSource) {
this.dataSource = dataSource;
}
@PostMapping("/challenge/5") @PostMapping("/challenge/5")
@ResponseBody @ResponseBody
@ -65,7 +66,7 @@ public class Assignment5 extends AssignmentEndpoint {
ResultSet resultSet = statement.executeQuery(); ResultSet resultSet = statement.executeQuery();
if (resultSet.next()) { if (resultSet.next()) {
return success(this).feedback("challenge.solved").feedbackArgs(flags.getFlag(5)).build(); return success(this).feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(5)).build();
} else { } else {
return failed(this).feedback("challenge.close").build(); return failed(this).feedback("challenge.close").build();
} }

28
src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7.java
View File

@ -1,14 +1,16 @@
package org.owasp.webgoat.lessons.challenges.challenge7; package org.owasp.webgoat.lessons.challenges.challenge7;
import jakarta.servlet.http.HttpServletRequest;
import java.net.URI; import java.net.URI;
import java.net.URISyntaxException; import java.net.URISyntaxException;
import java.time.LocalDateTime; import java.time.LocalDateTime;
import javax.servlet.http.HttpServletRequest;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.lessons.challenges.Email; import org.owasp.webgoat.lessons.challenges.Email;
import org.owasp.webgoat.lessons.challenges.Flags; import org.owasp.webgoat.lessons.challenges.Flag;
import org.owasp.webgoat.lessons.challenges.SolutionConstants;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value; import org.springframework.beans.factory.annotation.Value;
import org.springframework.core.io.ClassPathResource; import org.springframework.core.io.ClassPathResource;
import org.springframework.http.HttpStatus; import org.springframework.http.HttpStatus;
@ -31,8 +33,6 @@ import org.springframework.web.client.RestTemplate;
@Slf4j @Slf4j
public class Assignment7 extends AssignmentEndpoint { public class Assignment7 extends AssignmentEndpoint {
public static final String ADMIN_PASSWORD_LINK = "375afe1104f4a487a73823c50a9292a2";
private static final String TEMPLATE = private static final String TEMPLATE =
"Hi, you requested a password reset link, please use this <a target='_blank'" "Hi, you requested a password reset link, please use this <a target='_blank'"
+ " href='%s:8080/WebGoat/challenge/7/reset-password/%s'>link</a> to reset your" + " href='%s:8080/WebGoat/challenge/7/reset-password/%s'>link</a> to reset your"
@ -44,26 +44,22 @@ public class Assignment7 extends AssignmentEndpoint {
+ "Kind regards, \n" + "Kind regards, \n"
+ "Team WebGoat"; + "Team WebGoat";
private final Flags flags; @Autowired private RestTemplate restTemplate;
private final RestTemplate restTemplate;
private final String webWolfMailURL;
public Assignment7( @Value("${webwolf.mail.url}")
Flags flags, RestTemplate restTemplate, @Value("${webwolf.mail.url}") String webWolfMailURL) { private String webWolfMailURL;
this.flags = flags;
this.restTemplate = restTemplate;
this.webWolfMailURL = webWolfMailURL;
}
@GetMapping("/challenge/7/reset-password/{link}") @GetMapping("/challenge/7/reset-password/{link}")
public ResponseEntity<String> resetPassword(@PathVariable(value = "link") String link) { public ResponseEntity<String> resetPassword(@PathVariable(value = "link") String link) {
if (link.equals(ADMIN_PASSWORD_LINK)) { if (link.equals(SolutionConstants.ADMIN_PASSWORD_LINK)) {
return ResponseEntity.accepted() return ResponseEntity.accepted()
.body( .body(
"<h1>Success!!</h1>" "<h1>Success!!</h1>"
+ "<img src='/WebGoat/images/hi-five-cat.jpg'>" + "<img src='/WebGoat/images/hi-five-cat.jpg'>"
+ "<br/><br/>Here is your flag: " + "<br/><br/>Here is your flag: "
+ flags.getFlag(7)); + "<b>"
+ Flag.FLAGS.get(7)
+ "</b>");
} }
return ResponseEntity.status(HttpStatus.I_AM_A_TEAPOT) return ResponseEntity.status(HttpStatus.I_AM_A_TEAPOT)
.body("That is not the reset link for admin"); .body("That is not the reset link for admin");
@ -98,6 +94,6 @@ public class Assignment7 extends AssignmentEndpoint {
@GetMapping(value = "/challenge/7/.git", produces = MediaType.APPLICATION_OCTET_STREAM_VALUE) @GetMapping(value = "/challenge/7/.git", produces = MediaType.APPLICATION_OCTET_STREAM_VALUE)
@ResponseBody @ResponseBody
public ClassPathResource git() { public ClassPathResource git() {
return new ClassPathResource("lessons/challenges/challenge7/git.zip"); return new ClassPathResource("challenge7/git.zip");
} }
} }

14
src/main/java/org/owasp/webgoat/lessons/challenges/challenge8/Assignment8.java
View File

@ -1,14 +1,13 @@
package org.owasp.webgoat.lessons.challenges.challenge8; package org.owasp.webgoat.lessons.challenges.challenge8;
import jakarta.servlet.http.HttpServletRequest;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map; import java.util.Map;
import java.util.stream.Collectors; import java.util.stream.Collectors;
import lombok.RequiredArgsConstructor; import javax.servlet.http.HttpServletRequest;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.lessons.challenges.Flags; import org.owasp.webgoat.lessons.challenges.Flag;
import org.springframework.http.MediaType; import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity; import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.GetMapping;
@ -16,9 +15,12 @@ import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController; import org.springframework.web.bind.annotation.RestController;
/**
* @author nbaars
* @since 4/8/17.
*/
@RestController @RestController
@Slf4j @Slf4j
@RequiredArgsConstructor
public class Assignment8 extends AssignmentEndpoint { public class Assignment8 extends AssignmentEndpoint {
private static final Map<Integer, Integer> votes = new HashMap<>(); private static final Map<Integer, Integer> votes = new HashMap<>();
@ -31,8 +33,6 @@ public class Assignment8 extends AssignmentEndpoint {
votes.put(5, 300); votes.put(5, 300);
} }
private final Flags flags;
@GetMapping(value = "/challenge/8/vote/{stars}", produces = MediaType.APPLICATION_JSON_VALUE) @GetMapping(value = "/challenge/8/vote/{stars}", produces = MediaType.APPLICATION_JSON_VALUE)
@ResponseBody @ResponseBody
public ResponseEntity<?> vote( public ResponseEntity<?> vote(
@ -47,7 +47,7 @@ public class Assignment8 extends AssignmentEndpoint {
Integer allVotesForStar = votes.getOrDefault(nrOfStars, 0); Integer allVotesForStar = votes.getOrDefault(nrOfStars, 0);
votes.put(nrOfStars, allVotesForStar + 1); votes.put(nrOfStars, allVotesForStar + 1);
return ResponseEntity.ok() return ResponseEntity.ok()
.header("X-FlagController", "Thanks for voting, your flag is: " + flags.getFlag(8)) .header("X-Flag", "Thanks for voting, your flag is: " + Flag.FLAGS.get(8))
.build(); .build();
} }

2
src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/Salaries.java
View File

@ -22,7 +22,6 @@
package org.owasp.webgoat.lessons.clientsidefiltering; package org.owasp.webgoat.lessons.clientsidefiltering;
import jakarta.annotation.PostConstruct;
import java.io.File; import java.io.File;
import java.io.FileInputStream; import java.io.FileInputStream;
import java.io.FileOutputStream; import java.io.FileOutputStream;
@ -32,6 +31,7 @@ import java.util.ArrayList;
import java.util.HashMap; import java.util.HashMap;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import javax.annotation.PostConstruct;
import javax.xml.xpath.XPath; import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants; import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException; import javax.xml.xpath.XPathExpressionException;

2
src/main/java/org/owasp/webgoat/lessons/cryptography/EncodingAssignment.java
View File

@ -22,9 +22,9 @@
package org.owasp.webgoat.lessons.cryptography; package org.owasp.webgoat.lessons.cryptography;
import jakarta.servlet.http.HttpServletRequest;
import java.util.Base64; import java.util.Base64;
import java.util.Random; import java.util.Random;
import javax.servlet.http.HttpServletRequest;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.assignments.AttackResult;
import org.springframework.http.MediaType; import org.springframework.http.MediaType;

2
src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java
View File

@ -22,10 +22,10 @@
package org.owasp.webgoat.lessons.cryptography; package org.owasp.webgoat.lessons.cryptography;
import jakarta.servlet.http.HttpServletRequest;
import java.security.MessageDigest; import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException;
import java.util.Random; import java.util.Random;
import javax.servlet.http.HttpServletRequest;
import javax.xml.bind.DatatypeConverter; import javax.xml.bind.DatatypeConverter;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints; import org.owasp.webgoat.container.assignments.AssignmentHints;

2
src/main/java/org/owasp/webgoat/lessons/cryptography/SigningAssignment.java
View File

@ -22,11 +22,11 @@
package org.owasp.webgoat.lessons.cryptography; package org.owasp.webgoat.lessons.cryptography;
import jakarta.servlet.http.HttpServletRequest;
import java.security.InvalidAlgorithmParameterException; import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPair; import java.security.KeyPair;
import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPublicKey; import java.security.interfaces.RSAPublicKey;
import javax.servlet.http.HttpServletRequest;
import javax.xml.bind.DatatypeConverter; import javax.xml.bind.DatatypeConverter;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;

4
src/main/java/org/owasp/webgoat/lessons/csrf/CSRFFeedback.java
View File

@ -24,11 +24,11 @@ package org.owasp.webgoat.lessons.csrf;
import com.fasterxml.jackson.databind.DeserializationFeature; import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper; import com.fasterxml.jackson.databind.ObjectMapper;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
import java.io.IOException; import java.io.IOException;
import java.util.Map; import java.util.Map;
import java.util.UUID; import java.util.UUID;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.exception.ExceptionUtils; import org.apache.commons.lang3.exception.ExceptionUtils;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints; import org.owasp.webgoat.container.assignments.AssignmentHints;

2
src/main/java/org/owasp/webgoat/lessons/csrf/CSRFGetFlag.java
View File

@ -22,10 +22,10 @@
package org.owasp.webgoat.lessons.csrf; package org.owasp.webgoat.lessons.csrf;
import jakarta.servlet.http.HttpServletRequest;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map; import java.util.Map;
import java.util.Random; import java.util.Random;
import javax.servlet.http.HttpServletRequest;
import org.owasp.webgoat.container.i18n.PluginMessages; import org.owasp.webgoat.container.i18n.PluginMessages;
import org.owasp.webgoat.container.session.UserSessionData; import org.owasp.webgoat.container.session.UserSessionData;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;

2
src/main/java/org/owasp/webgoat/lessons/csrf/CSRFLogin.java
View File

@ -22,7 +22,7 @@
package org.owasp.webgoat.lessons.csrf; package org.owasp.webgoat.lessons.csrf;
import jakarta.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints; import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.assignments.AttackResult;

2
src/main/java/org/owasp/webgoat/lessons/csrf/ForgedReviews.java
View File

@ -25,7 +25,6 @@ package org.owasp.webgoat.lessons.csrf;
import static org.springframework.http.MediaType.ALL_VALUE; import static org.springframework.http.MediaType.ALL_VALUE;
import com.google.common.collect.Lists; import com.google.common.collect.Lists;
import jakarta.servlet.http.HttpServletRequest;
import java.time.LocalDateTime; import java.time.LocalDateTime;
import java.time.format.DateTimeFormatter; import java.time.format.DateTimeFormatter;
import java.util.ArrayList; import java.util.ArrayList;
@ -33,6 +32,7 @@ import java.util.Collection;
import java.util.HashMap; import java.util.HashMap;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints; import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.assignments.AttackResult;

4
src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignment.java
View File

@ -22,8 +22,8 @@
package org.owasp.webgoat.lessons.hijacksession; package org.owasp.webgoat.lessons.hijacksession;
import jakarta.servlet.http.Cookie; import javax.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.StringUtils;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints; import org.owasp.webgoat.container.assignments.AssignmentHints;

2
src/main/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequest.java
View File

@ -22,7 +22,7 @@
package org.owasp.webgoat.lessons.httpproxies; package org.owasp.webgoat.lessons.httpproxies;
import jakarta.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.assignments.AttackResult;
import org.springframework.http.HttpMethod; import org.springframework.http.HttpMethod;

3
src/main/java/org/owasp/webgoat/lessons/idor/IDOREditOtherProfiile.java
View File

@ -97,8 +97,7 @@ public class IDOREditOtherProfiile extends AssignmentEndpoint {
.feedback("idor.edit.profile.failure3") .feedback("idor.edit.profile.failure3")
.output(currentUserProfile.profileToMap().toString()) .output(currentUserProfile.profileToMap().toString())
.build(); .build();
} else if (userSubmittedProfile.getUserId() != null } else if (userSubmittedProfile.getUserId().equals(authUserId)) {
&& userSubmittedProfile.getUserId().equals(authUserId)) {
return failed(this).feedback("idor.edit.profile.failure4").build(); return failed(this).feedback("idor.edit.profile.failure4").build();
} }

2
src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java
View File

@ -22,9 +22,9 @@
package org.owasp.webgoat.lessons.idor; package org.owasp.webgoat.lessons.idor;
import jakarta.servlet.http.HttpServletResponse;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map; import java.util.Map;
import javax.servlet.http.HttpServletResponse;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints; import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.assignments.AttackResult;

6
src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java
View File

@ -31,14 +31,14 @@ import io.jsonwebtoken.Jwt;
import io.jsonwebtoken.JwtException; import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts; import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.impl.TextCodec; import io.jsonwebtoken.impl.TextCodec;
import jakarta.annotation.PostConstruct;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletResponse;
import java.time.Duration; import java.time.Duration;
import java.time.Instant; import java.time.Instant;
import java.util.Date; import java.util.Date;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map; import java.util.Map;
import javax.annotation.PostConstruct;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.StringUtils;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints; import org.owasp.webgoat.container.assignments.AssignmentHints;

2
src/main/java/org/owasp/webgoat/lessons/logging/LogBleedingTask.java
View File

@ -22,10 +22,10 @@
package org.owasp.webgoat.lessons.logging; package org.owasp.webgoat.lessons.logging;
import jakarta.annotation.PostConstruct;
import java.nio.charset.StandardCharsets; import java.nio.charset.StandardCharsets;
import java.util.Base64; import java.util.Base64;
import java.util.UUID; import java.util.UUID;
import javax.annotation.PostConstruct;
import org.apache.logging.log4j.util.Strings; import org.apache.logging.log4j.util.Strings;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.assignments.AttackResult;

2
src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignmentForgotPassword.java
View File

@ -22,8 +22,8 @@
package org.owasp.webgoat.lessons.passwordreset; package org.owasp.webgoat.lessons.passwordreset;
import jakarta.servlet.http.HttpServletRequest;
import java.util.UUID; import java.util.UUID;
import javax.servlet.http.HttpServletRequest;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.assignments.AttackResult;
import org.springframework.beans.factory.annotation.Value; import org.springframework.beans.factory.annotation.Value;

4
src/main/java/org/owasp/webgoat/lessons/passwordreset/resetlink/PasswordChangeForm.java
View File

@ -1,7 +1,7 @@
package org.owasp.webgoat.lessons.passwordreset.resetlink; package org.owasp.webgoat.lessons.passwordreset.resetlink;
import jakarta.validation.constraints.NotNull; import javax.validation.constraints.NotNull;
import jakarta.validation.constraints.Size; import javax.validation.constraints.Size;
import lombok.Getter; import lombok.Getter;
import lombok.Setter; import lombok.Setter;

4
src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrieval.java
View File

@ -1,7 +1,5 @@
package org.owasp.webgoat.lessons.pathtraversal; package org.owasp.webgoat.lessons.pathtraversal;
import jakarta.annotation.PostConstruct;
import jakarta.servlet.http.HttpServletRequest;
import java.io.File; import java.io.File;
import java.io.FileOutputStream; import java.io.FileOutputStream;
import java.io.IOException; import java.io.IOException;
@ -10,6 +8,8 @@ import java.net.URI;
import java.net.URISyntaxException; import java.net.URISyntaxException;
import java.nio.file.Files; import java.nio.file.Files;
import java.util.Base64; import java.util.Base64;
import javax.annotation.PostConstruct;
import javax.servlet.http.HttpServletRequest;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.RandomUtils; import org.apache.commons.lang3.RandomUtils;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;

4
src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java
View File

@ -22,9 +22,9 @@
package org.owasp.webgoat.lessons.spoofcookie; package org.owasp.webgoat.lessons.spoofcookie;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletResponse;
import java.util.Map; import java.util.Map;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.StringUtils;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.assignments.AttackResult;

2
src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5.java
View File

@ -22,11 +22,11 @@
package org.owasp.webgoat.lessons.sqlinjection.introduction; package org.owasp.webgoat.lessons.sqlinjection.introduction;
import jakarta.annotation.PostConstruct;
import java.sql.Connection; import java.sql.Connection;
import java.sql.ResultSet; import java.sql.ResultSet;
import java.sql.SQLException; import java.sql.SQLException;
import java.sql.Statement; import java.sql.Statement;
import javax.annotation.PostConstruct;
import org.owasp.webgoat.container.LessonDataSource; import org.owasp.webgoat.container.LessonDataSource;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints; import org.owasp.webgoat.container.assignments.AssignmentHints;

2
src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5b.java
View File

@ -22,9 +22,9 @@
package org.owasp.webgoat.lessons.sqlinjection.introduction; package org.owasp.webgoat.lessons.sqlinjection.introduction;
import jakarta.servlet.http.HttpServletRequest;
import java.io.IOException; import java.io.IOException;
import java.sql.*; import java.sql.*;
import javax.servlet.http.HttpServletRequest;
import org.owasp.webgoat.container.LessonDataSource; import org.owasp.webgoat.container.LessonDataSource;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints; import org.owasp.webgoat.container.assignments.AssignmentHints;

4
src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask1.java
View File

@ -44,12 +44,12 @@ public class SSRFTask1 extends AssignmentEndpoint {
try { try {
StringBuilder html = new StringBuilder(); StringBuilder html = new StringBuilder();
if (url.matches("images/tom\\.png")) { if (url.matches("images/tom.png")) {
html.append( html.append(
"<img class=\"image\" alt=\"Tom\" src=\"images/tom.png\" width=\"25%\"" "<img class=\"image\" alt=\"Tom\" src=\"images/tom.png\" width=\"25%\""
+ " height=\"25%\">"); + " height=\"25%\">");
return failed(this).feedback("ssrf.tom").output(html.toString()).build(); return failed(this).feedback("ssrf.tom").output(html.toString()).build();
} else if (url.matches("images/jerry\\.png")) { } else if (url.matches("images/jerry.png")) {
html.append( html.append(
"<img class=\"image\" alt=\"Jerry\" src=\"images/jerry.png\" width=\"25%\"" "<img class=\"image\" alt=\"Jerry\" src=\"images/jerry.png\" width=\"25%\""
+ " height=\"25%\">"); + " height=\"25%\">");

2
src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask2.java
View File

@ -46,7 +46,7 @@ public class SSRFTask2 extends AssignmentEndpoint {
} }
protected AttackResult furBall(String url) { protected AttackResult furBall(String url) {
if (url.matches("http://ifconfig\\.pro")) { if (url.matches("http://ifconfig.pro")) {
String html; String html;
try (InputStream in = new URL(url).openStream()) { try (InputStream in = new URL(url).openStream()) {
html = html =

2
src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/LandingAssignment.java
View File

@ -22,9 +22,9 @@
package org.owasp.webgoat.lessons.webwolfintroduction; package org.owasp.webgoat.lessons.webwolfintroduction;
import jakarta.servlet.http.HttpServletRequest;
import java.net.URI; import java.net.URI;
import java.net.URISyntaxException; import java.net.URISyntaxException;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.StringUtils;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.assignments.AttackResult;

2
src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScripting.java
View File

@ -22,8 +22,8 @@
package org.owasp.webgoat.lessons.xss; package org.owasp.webgoat.lessons.xss;
import jakarta.servlet.http.HttpServletRequest;
import java.security.SecureRandom; import java.security.SecureRandom;
import javax.servlet.http.HttpServletRequest;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.container.session.UserSessionData; import org.owasp.webgoat.container.session.UserSessionData;

6
src/main/java/org/owasp/webgoat/lessons/xxe/Comment.java
View File

@ -22,8 +22,7 @@
package org.owasp.webgoat.lessons.xxe; package org.owasp.webgoat.lessons.xxe;
import jakarta.xml.bind.annotation.XmlRootElement; import javax.xml.bind.annotation.XmlRootElement;
import jakarta.xml.bind.annotation.XmlType;
import lombok.AllArgsConstructor; import lombok.AllArgsConstructor;
import lombok.Getter; import lombok.Getter;
import lombok.NoArgsConstructor; import lombok.NoArgsConstructor;
@ -38,8 +37,7 @@ import lombok.ToString;
@Setter @Setter
@AllArgsConstructor @AllArgsConstructor
@NoArgsConstructor @NoArgsConstructor
@XmlRootElement(name = "comment") @XmlRootElement
@XmlType
@ToString @ToString
public class Comment { public class Comment {
private String user; private String user;

6
src/main/java/org/owasp/webgoat/lessons/xxe/CommentsCache.java
View File

@ -26,8 +26,6 @@ import static java.util.Optional.empty;
import static java.util.Optional.of; import static java.util.Optional.of;
import com.fasterxml.jackson.databind.ObjectMapper; import com.fasterxml.jackson.databind.ObjectMapper;
import jakarta.xml.bind.JAXBContext;
import jakarta.xml.bind.JAXBException;
import java.io.IOException; import java.io.IOException;
import java.io.StringReader; import java.io.StringReader;
import java.time.LocalDateTime; import java.time.LocalDateTime;
@ -38,6 +36,8 @@ import java.util.HashMap;
import java.util.Map; import java.util.Map;
import java.util.Optional; import java.util.Optional;
import javax.xml.XMLConstants; import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.stream.XMLInputFactory; import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException; import javax.xml.stream.XMLStreamException;
import org.owasp.webgoat.container.session.WebSession; import org.owasp.webgoat.container.session.WebSession;
@ -93,7 +93,7 @@ public class CommentsCache {
* progress etc). In real life the XmlMapper bean defined above will be used automatically and the * progress etc). In real life the XmlMapper bean defined above will be used automatically and the
* Comment class can be directly used in the controller method (instead of a String) * Comment class can be directly used in the controller method (instead of a String)
*/ */
protected Comment parseXml(String xml) throws XMLStreamException, JAXBException { protected Comment parseXml(String xml) throws JAXBException, XMLStreamException {
var jc = JAXBContext.newInstance(Comment.class); var jc = JAXBContext.newInstance(Comment.class);
var xif = XMLInputFactory.newInstance(); var xif = XMLInputFactory.newInstance();

5
src/main/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignment.java
View File

@ -24,7 +24,7 @@ package org.owasp.webgoat.lessons.xxe;
import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE; import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
import jakarta.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import org.apache.commons.exec.OS; import org.apache.commons.exec.OS;
import org.apache.commons.lang3.exception.ExceptionUtils; import org.apache.commons.lang3.exception.ExceptionUtils;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@ -60,7 +60,8 @@ public class ContentTypeAssignment extends AssignmentEndpoint {
public AttackResult createNewUser( public AttackResult createNewUser(
HttpServletRequest request, HttpServletRequest request,
@RequestBody String commentStr, @RequestBody String commentStr,
@RequestHeader("Content-Type") String contentType) { @RequestHeader("Content-Type") String contentType)
throws Exception {
AttackResult attackResult = failed(this).build(); AttackResult attackResult = failed(this).build();
if (APPLICATION_JSON_VALUE.equals(contentType)) { if (APPLICATION_JSON_VALUE.equals(contentType)) {

2
src/main/java/org/owasp/webgoat/lessons/xxe/SimpleXXE.java
View File

@ -25,7 +25,7 @@ package org.owasp.webgoat.lessons.xxe;
import static org.springframework.http.MediaType.ALL_VALUE; import static org.springframework.http.MediaType.ALL_VALUE;
import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE; import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
import jakarta.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import org.apache.commons.exec.OS; import org.apache.commons.exec.OS;
import org.apache.commons.lang3.exception.ExceptionUtils; import org.apache.commons.lang3.exception.ExceptionUtils;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;

2
src/main/java/org/owasp/webgoat/webwolf/FileServer.java
View File

@ -24,10 +24,10 @@ package org.owasp.webgoat.webwolf;
import static org.springframework.http.MediaType.ALL_VALUE; import static org.springframework.http.MediaType.ALL_VALUE;
import jakarta.servlet.http.HttpServletRequest;
import java.io.File; import java.io.File;
import java.io.IOException; import java.io.IOException;
import java.util.ArrayList; import java.util.ArrayList;
import javax.servlet.http.HttpServletRequest;
import lombok.AllArgsConstructor; import lombok.AllArgsConstructor;
import lombok.Getter; import lombok.Getter;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;

2
src/main/java/org/owasp/webgoat/webwolf/MvcConfiguration.java
View File

@ -22,8 +22,8 @@
package org.owasp.webgoat.webwolf; package org.owasp.webgoat.webwolf;
import jakarta.annotation.PostConstruct;
import java.io.File; import java.io.File;
import javax.annotation.PostConstruct;
import org.springframework.beans.factory.annotation.Value; import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry; import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;

47
src/main/java/org/owasp/webgoat/webwolf/WebSecurityConfig.java
View File

@ -29,49 +29,54 @@ import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod; import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.NoOpPasswordEncoder; import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
/** Security configuration for WebWolf. */ /** Security configuration for WebGoat. */
@Configuration @Configuration
@AllArgsConstructor @AllArgsConstructor
@EnableWebSecurity @EnableWebSecurity
public class WebSecurityConfig { public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private final UserService userDetailsService; private final UserService userDetailsService;
@Bean @Override
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { protected void configure(HttpSecurity http) throws Exception {
http.authorizeHttpRequests( ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security =
auth -> auth.requestMatchers(HttpMethod.POST, "/fileupload").authenticated()); http.authorizeRequests()
http.authorizeHttpRequests( .antMatchers(HttpMethod.POST, "/fileupload")
auth -> .authenticated()
auth.requestMatchers(HttpMethod.GET, "/files", "/mail", "/requests").authenticated()); .antMatchers(HttpMethod.GET, "/files", "/mail", "/requests")
http.authorizeHttpRequests().anyRequest().permitAll(); .authenticated()
http.csrf().disable().formLogin().loginPage("/login").failureUrl("/login?error=true"); .and()
http.formLogin().loginPage("/login").defaultSuccessUrl("/home", true).permitAll(); .authorizeRequests()
http.logout().permitAll(); .anyRequest()
return http.build(); .permitAll();
security.and().csrf().disable().formLogin().loginPage("/login").failureUrl("/login?error=true");
security.and().formLogin().loginPage("/login").defaultSuccessUrl("/home", true).permitAll();
security.and().logout().permitAll();
} }
@Autowired @Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService); auth.userDetailsService(userDetailsService); // .passwordEncoder(bCryptPasswordEncoder());
} }
@Bean @Bean
public UserDetailsService userDetailsServiceBean() { @Override
public UserDetailsService userDetailsServiceBean() throws Exception {
return userDetailsService; return userDetailsService;
} }
@Override
@Bean @Bean
public AuthenticationManager authenticationManager( protected AuthenticationManager authenticationManager() throws Exception {
AuthenticationConfiguration authenticationConfiguration) throws Exception { return super.authenticationManager();
return authenticationConfiguration.getAuthenticationManager();
} }
@Bean @Bean

4
src/main/java/org/owasp/webgoat/webwolf/WebWolf.java
View File

@ -23,7 +23,7 @@
package org.owasp.webgoat.webwolf; package org.owasp.webgoat.webwolf;
import org.owasp.webgoat.webwolf.requests.WebWolfTraceRepository; import org.owasp.webgoat.webwolf.requests.WebWolfTraceRepository;
import org.springframework.boot.actuate.web.exchanges.HttpExchangeRepository; import org.springframework.boot.actuate.trace.http.HttpTraceRepository;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration; import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan; import org.springframework.context.annotation.ComponentScan;
@ -37,7 +37,7 @@ import org.springframework.context.annotation.PropertySource;
public class WebWolf { public class WebWolf {
@Bean @Bean
public HttpExchangeRepository traceRepository() { public HttpTraceRepository traceRepository() {
return new WebWolfTraceRepository(); return new WebWolfTraceRepository();
} }
} }

6
src/main/java/org/owasp/webgoat/webwolf/mailbox/Email.java
View File

@ -23,14 +23,10 @@
package org.owasp.webgoat.webwolf.mailbox; package org.owasp.webgoat.webwolf.mailbox;
import com.fasterxml.jackson.annotation.JsonIgnore; import com.fasterxml.jackson.annotation.JsonIgnore;
import jakarta.persistence.Column;
import jakarta.persistence.Entity;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.GenerationType;
import jakarta.persistence.Id;
import java.io.Serializable; import java.io.Serializable;
import java.time.LocalDateTime; import java.time.LocalDateTime;
import java.time.format.DateTimeFormatter; import java.time.format.DateTimeFormatter;
import javax.persistence.*;
import lombok.AllArgsConstructor; import lombok.AllArgsConstructor;
import lombok.Builder; import lombok.Builder;
import lombok.Data; import lombok.Data;

23
src/main/java/org/owasp/webgoat/webwolf/mailbox/MailboxController.java
View File

@ -23,25 +23,26 @@
package org.owasp.webgoat.webwolf.mailbox; package org.owasp.webgoat.webwolf.mailbox;
import java.util.List; import java.util.List;
import lombok.RequiredArgsConstructor; import lombok.AllArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.http.HttpStatus; import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody; import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestController; import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.ModelAndView; import org.springframework.web.servlet.ModelAndView;
@RestController @RestController
@RequiredArgsConstructor @AllArgsConstructor
@Slf4j
public class MailboxController { public class MailboxController {
private final MailboxRepository mailboxRepository; private final MailboxRepository mailboxRepository;
@GetMapping("/mail") @GetMapping(value = "/mail")
public ModelAndView mail() { public ModelAndView mail() {
UserDetails user = UserDetails user =
(UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal(); (UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
@ -55,15 +56,9 @@ public class MailboxController {
return modelAndView; return modelAndView;
} }
@PostMapping("/mail") @PostMapping(value = "/mail")
@ResponseStatus(HttpStatus.CREATED) public ResponseEntity<?> sendEmail(@RequestBody Email email) {
public void sendEmail(@RequestBody Email email) {
mailboxRepository.save(email); mailboxRepository.save(email);
} return ResponseEntity.status(HttpStatus.CREATED).build();
@DeleteMapping("/mail")
@ResponseStatus(HttpStatus.ACCEPTED)
public void deleteAllMail() {
mailboxRepository.deleteAll();
} }
} }

2
src/main/java/org/owasp/webgoat/webwolf/requests/LandingPage.java
View File

@ -22,8 +22,8 @@
package org.owasp.webgoat.webwolf.requests; package org.owasp.webgoat.webwolf.requests;
import jakarta.servlet.http.HttpServletRequest;
import java.util.concurrent.Callable; import java.util.concurrent.Callable;
import javax.servlet.http.HttpServletRequest;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.springframework.http.ResponseEntity; import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Controller; import org.springframework.stereotype.Controller;

11
src/main/java/org/owasp/webgoat/webwolf/requests/Requests.java
View File

@ -32,7 +32,8 @@ import lombok.Getter;
import lombok.RequiredArgsConstructor; import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.StringUtils;
import org.springframework.boot.actuate.web.exchanges.HttpExchange; import org.springframework.boot.actuate.trace.http.HttpTrace;
import org.springframework.boot.actuate.trace.http.HttpTrace.Request;
import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Controller; import org.springframework.stereotype.Controller;
@ -77,8 +78,8 @@ public class Requests {
return model; return model;
} }
private boolean allowedTrace(HttpExchange t, UserDetails user) { private boolean allowedTrace(HttpTrace t, UserDetails user) {
HttpExchange.Request req = t.getRequest(); Request req = t.getRequest();
boolean allowed = true; boolean allowed = true;
/* do not show certain traces to other users in a classroom setup */ /* do not show certain traces to other users in a classroom setup */
if (req.getUri().getPath().contains("/files") if (req.getUri().getPath().contains("/files")
@ -94,11 +95,11 @@ public class Requests {
return allowed; return allowed;
} }
private String path(HttpExchange t) { private String path(HttpTrace t) {
return (String) t.getRequest().getUri().getPath(); return (String) t.getRequest().getUri().getPath();
} }
private String toJsonString(HttpExchange t) { private String toJsonString(HttpTrace t) {
try { try {
return objectMapper.writeValueAsString(t); return objectMapper.writeValueAsString(t);
} catch (JsonProcessingException e) { } catch (JsonProcessingException e) {

14
src/main/java/org/owasp/webgoat/webwolf/requests/WebWolfTraceRepository.java
View File

@ -26,8 +26,8 @@ import com.google.common.collect.EvictingQueue;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.springframework.boot.actuate.web.exchanges.HttpExchange; import org.springframework.boot.actuate.trace.http.HttpTrace;
import org.springframework.boot.actuate.web.exchanges.HttpExchangeRepository; import org.springframework.boot.actuate.trace.http.HttpTraceRepository;
/** /**
* Keep track of all the incoming requests, we are only keeping track of request originating from * Keep track of all the incoming requests, we are only keeping track of request originating from
@ -37,9 +37,9 @@ import org.springframework.boot.actuate.web.exchanges.HttpExchangeRepository;
* @since 8/13/17. * @since 8/13/17.
*/ */
@Slf4j @Slf4j
public class WebWolfTraceRepository implements HttpExchangeRepository { public class WebWolfTraceRepository implements HttpTraceRepository {
private final EvictingQueue<HttpExchange> traces = EvictingQueue.create(10000); private final EvictingQueue<HttpTrace> traces = EvictingQueue.create(10000);
private final List<String> exclusionList = private final List<String> exclusionList =
List.of( List.of(
"/tmpdir", "/tmpdir",
@ -54,11 +54,11 @@ public class WebWolfTraceRepository implements HttpExchangeRepository {
"/mail"); "/mail");
@Override @Override
public List<HttpExchange> findAll() { public List<HttpTrace> findAll() {
return List.of(); return List.of();
} }
public List<HttpExchange> findAllTraces() { public List<HttpTrace> findAllTraces() {
return new ArrayList<>(traces); return new ArrayList<>(traces);
} }
@ -67,7 +67,7 @@ public class WebWolfTraceRepository implements HttpExchangeRepository {
} }
@Override @Override
public void add(HttpExchange httpTrace) { public void add(HttpTrace httpTrace) {
var path = httpTrace.getRequest().getUri().getPath(); var path = httpTrace.getRequest().getUri().getPath();
if (!isInExclusionList(path)) { if (!isInExclusionList(path)) {
traces.add(httpTrace); traces.add(httpTrace);

6
src/main/java/org/owasp/webgoat/webwolf/user/WebGoatUser.java
View File

@ -22,11 +22,11 @@
package org.owasp.webgoat.webwolf.user; package org.owasp.webgoat.webwolf.user;
import jakarta.persistence.Entity;
import jakarta.persistence.Id;
import jakarta.persistence.Transient;
import java.util.Collection; import java.util.Collection;
import java.util.Collections; import java.util.Collections;
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.Transient;
import lombok.Getter; import lombok.Getter;
import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.User;

10
src/main/resources/application-webgoat.properties
View File

@ -13,12 +13,11 @@ server.ssl.key-store-password=${WEBGOAT_KEYSTORE_PASSWORD:password}
server.ssl.key-alias=${WEBGOAT_KEY_ALIAS:goat} server.ssl.key-alias=${WEBGOAT_KEY_ALIAS:goat}
server.ssl.enabled=${WEBGOAT_SSLENABLED:false} server.ssl.enabled=${WEBGOAT_SSLENABLED:false}
spring.banner.location=classpath:banner.txt
spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/webgoat spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/webgoat
spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver
spring.jpa.open-in-view=false
spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect
spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver
spring.jpa.properties.hibernate.default_schema=CONTAINER spring.jpa.properties.hibernate.default_schema=CONTAINER
spring.banner.location=classpath:banner.txt
logging.level.org.thymeleaf=INFO logging.level.org.thymeleaf=INFO
logging.level.org.thymeleaf.TemplateEngine.CONFIG=INFO logging.level.org.thymeleaf.TemplateEngine.CONFIG=INFO
@ -29,7 +28,6 @@ logging.level.org.springframework=INFO
logging.level.org.springframework.boot.devtools=INFO logging.level.org.springframework.boot.devtools=INFO
logging.level.org.owasp=DEBUG logging.level.org.owasp=DEBUG
logging.level.org.owasp.webgoat=DEBUG logging.level.org.owasp.webgoat=DEBUG
logging.level.org.hidbernate.SQL=DEBUG
webgoat.server.directory=${user.home}/.webgoat-${webgoat.build.version}/ webgoat.server.directory=${user.home}/.webgoat-${webgoat.build.version}/
webgoat.user.directory=${user.home}/.webgoat-${webgoat.build.version}/ webgoat.user.directory=${user.home}/.webgoat-${webgoat.build.version}/
@ -53,11 +51,11 @@ spring.jackson.serialization.write-dates-as-timestamps=false
#For static file refresh ... and faster dev :D #For static file refresh ... and faster dev :D
spring.devtools.restart.additional-paths=webgoat-container/src/main/resources/static/js,webgoat-container/src/main/resources/static/css spring.devtools.restart.additional-paths=webgoat-container/src/main/resources/static/js,webgoat-container/src/main/resources/static/css
#exclude based on the enum of the Category
exclude.categories=${EXCLUDE_CATEGORIES:none,none} exclude.categories=${EXCLUDE_CATEGORIES:none,none}
#exclude based on the enum of the Category
#exclude based on the class name of a lesson e.g.: LessonTemplate
exclude.lessons=${EXCLUDE_LESSONS:none,none} exclude.lessons=${EXCLUDE_LESSONS:none,none}
#exclude based on the class name of a lesson e.g.: LessonTemplate
management.health.db.enabled=true management.health.db.enabled=true
management.endpoint.health.show-details=always management.endpoint.health.show-details=always

3
src/main/resources/application-webwolf.properties
View File

@ -18,7 +18,6 @@ spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/webgoat
spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect
spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver
spring.jpa.properties.hibernate.default_schema=CONTAINER spring.jpa.properties.hibernate.default_schema=CONTAINER
spring.jpa.open-in-view=false
spring.messages.basename=i18n/messages spring.messages.basename=i18n/messages
spring.jmx.enabled=false spring.jmx.enabled=false
@ -27,7 +26,7 @@ logging.level.org.springframework.boot.devtools=WARN
logging.level.org.owasp=DEBUG logging.level.org.owasp=DEBUG
logging.level.org.owasp.webwolf=TRACE logging.level.org.owasp.webwolf=TRACE
management.httpexchanges.recording.include=REQUEST_HEADERS,RESPONSE_HEADERS,COOKIE_HEADERS,TIME_TAKEN management.trace.http.include=REQUEST_HEADERS,RESPONSE_HEADERS,COOKIE_HEADERS,TIME_TAKEN
management.endpoint.httptrace.enabled=true management.endpoint.httptrace.enabled=true
spring.thymeleaf.cache=false spring.thymeleaf.cache=false

4
src/main/resources/db/container/V3__id.sql
View File

@ -1,4 +0,0 @@
ALTER TABLE CONTAINER.ASSIGNMENT ALTER COLUMN ID SET GENERATED BY DEFAULT AS IDENTITY(START WITH 1);
ALTER TABLE CONTAINER.LESSON_TRACKER ALTER COLUMN ID SET GENERATED BY DEFAULT AS IDENTITY(START WITH 1);
ALTER TABLE CONTAINER.USER_TRACKER ALTER COLUMN ID SET GENERATED BY DEFAULT AS IDENTITY(START WITH 1);

8
src/main/resources/lessons/authbypass/html/AuthBypass.html
View File

@ -4,14 +4,14 @@
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="~{doc:lessons/authbypass/documentation/bypass-intro.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/bypass-intro.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="~{doc:lessons/authbypass/documentation/2fa-bypass.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/2fa-bypass.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
@ -72,9 +72,9 @@
<!-- reuse the above lesson-page-wrapper block for each 'page' of content in your lesson --> <!-- reuse the above lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<!--<div class="adoc-content" th:replace="~{doc:lessons/authbypass/documentation/lesson-template-video.adoc}"></div>--> <!--<div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/lesson-template-video.adoc"></div>-->
<!-- can use multiple adoc's in a page-wrapper if you want ... or not--> <!-- can use multiple adoc's in a page-wrapper if you want ... or not-->
<!--<div class="adoc-content" th:replace="~{doc:lessons/authbypass/documentation/lesson-template-attack.adoc}"></div>--> <!--<div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/lesson-template-attack.adoc"></div>-->
<!-- WebGoat will automatically style and scaffold some functionality by using the div.attack-container as below --> <!-- WebGoat will automatically style and scaffold some functionality by using the div.attack-container as below -->

6
src/main/resources/lessons/bypassrestrictions/html/BypassRestrictions.html
View File

@ -6,12 +6,12 @@
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files, <!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="~{doc:lessons/bypassrestrictions/documentation/BypassRestrictions_Intro.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/bypassrestrictions/documentation/BypassRestrictions_Intro.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- stripped down without extra comments --> <!-- stripped down without extra comments -->
<div class="adoc-content" th:replace="~{doc:lessons/bypassrestrictions/documentation/BypassRestrictions_FieldRestrictions.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/bypassrestrictions/documentation/BypassRestrictions_FieldRestrictions.adoc"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/bypass-restrictions.css}"/> <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/bypass-restrictions.css}"/>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@ -59,7 +59,7 @@
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/bypassrestrictions/documentation/BypassRestrictions_FrontendValidation.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/bypassrestrictions/documentation/BypassRestrictions_FrontendValidation.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>

2
src/main/resources/lessons/challenges/html/Challenge.html
View File

@ -3,7 +3,7 @@
<html xmlns:th="http://www.thymeleaf.org"> <html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_introduction.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_introduction.adoc"></div>
</div> </div>
</html> </html>

2
src/main/resources/lessons/challenges/html/Challenge1.html
View File

@ -3,7 +3,7 @@
<html xmlns:th="http://www.thymeleaf.org"> <html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_introduction.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_introduction.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="attack-container"> <div class="attack-container">

2
src/main/resources/lessons/challenges/html/Challenge5.html
View File

@ -4,7 +4,7 @@
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_5.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_5.adoc"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge6.css}"/> <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge6.css}"/>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>

2
src/main/resources/lessons/challenges/html/Challenge6.html
View File

@ -4,7 +4,7 @@
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_6.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_6.adoc"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge6.css}"/> <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge6.css}"/>
<script th:src="@{/lesson_js/challenge6.js}" language="JavaScript"></script> <script th:src="@{/lesson_js/challenge6.js}" language="JavaScript"></script>
<div class="attack-container"> <div class="attack-container">

2
src/main/resources/lessons/challenges/html/Challenge7.html
View File

@ -12,7 +12,7 @@ f94008f801fceb8833a30fe56a8b26976347edcf First version of WebGoat Cloud website
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_7.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_7.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container-fluid"> <div class="container-fluid">

2
src/main/resources/lessons/challenges/html/Challenge8.html
View File

@ -3,7 +3,7 @@
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_8.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_8.adoc"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge8.css}"/> <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge8.css}"/>
<script th:src="@{/lesson_js/challenge8.js}" language="JavaScript"></script> <script th:src="@{/lesson_js/challenge8.js}" language="JavaScript"></script>

12
src/main/resources/lessons/chromedevtools/html/ChromeDevTools.html
View File

@ -4,22 +4,22 @@
<!-- 1 --> <!-- 1 -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_intro.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_intro.adoc"></div>
</div> </div>
<!-- 2 --> <!-- 2 -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_elements.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_elements.adoc"></div>
</div> </div>
<!-- 3 --> <!-- 3 -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_console.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_console.adoc"></div>
</div> </div>
<!-- 4 --> <!-- 4 -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_Assignment.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_Assignment.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" <form class="attack-form" accept-charset="UNKNOWN"
@ -35,12 +35,12 @@
<!-- 5 --> <!-- 5 -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_sources.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_sources.adoc"></div>
</div> </div>
<!-- 6 --> <!-- 6 -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_Assignment_Network.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_Assignment_Network.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" <form class="attack-form" accept-charset="UNKNOWN"

10
src/main/resources/lessons/cia/html/CIA.html
View File

@ -3,19 +3,19 @@
<html xmlns:th="http://www.thymeleaf.org"> <html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_intro.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_intro.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_confidentiality.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_confidentiality.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_integrity.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_integrity.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_availability.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_availability.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
@ -23,7 +23,7 @@
<link rel="stylesheet" type="text/css" th:href="@{/css/quiz.css}"/> <link rel="stylesheet" type="text/css" th:href="@{/css/quiz.css}"/>
<script th:src="@{/js/quiz.js}" language="JavaScript"></script> <script th:src="@{/js/quiz.js}" language="JavaScript"></script>
<link rel="import" type="application/json" th:href="@{/lesson_js/questions.json}"/> <link rel="import" type="application/json" th:href="@{/lesson_js/questions.json}"/>
<div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_quiz.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_quiz.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container-fluid"> <div class="container-fluid">

6
src/main/resources/lessons/clientsidefiltering/html/ClientSideFiltering.html
View File

@ -2,10 +2,10 @@
<html xmlns:th="http://www.thymeleaf.org"> <html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_plan.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_plan.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_assignment.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_assignment.adoc"></div>
<br/> <br/>
@ -74,7 +74,7 @@
</div> </div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_final.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_final.adoc"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/clientSideFilteringFree.css}"/> <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/clientSideFilteringFree.css}"/>
<script th:src="@{/lesson_js/clientSideFilteringFree.js}" language="JavaScript"></script> <script th:src="@{/lesson_js/clientSideFilteringFree.js}" language="JavaScript"></script>
<div class="attack-container"> <div class="attack-container">

18
src/main/resources/lessons/cryptography/html/Cryptography.html
View File

@ -18,11 +18,11 @@ $(document).ready(initialise);
<body> <body>
<!-- 1. overview --> <!-- 1. overview -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/Crypto_plan.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/Crypto_plan.adoc"></div>
</div> </div>
<!-- 2. encoding --> <!-- 2. encoding -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/encoding_plan.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/encoding_plan.adoc"></div>
<!-- 2. assignment --> <!-- 2. assignment -->
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@ -41,7 +41,7 @@ $(document).ready(initialise);
</div> </div>
<!-- 3. encoding xor --> <!-- 3. encoding xor -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/encoding_plan2.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/encoding_plan2.adoc"></div>
<!-- 3. assignment xor --> <!-- 3. assignment xor -->
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@ -58,7 +58,7 @@ $(document).ready(initialise);
<!-- 4. hashing --> <!-- 4. hashing -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/hashing_plan.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/hashing_plan.adoc"></div>
<!-- 4. weak hashing exercise --> <!-- 4. weak hashing exercise -->
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@ -76,12 +76,12 @@ $(document).ready(initialise);
<!-- 5. encryption --> <!-- 5. encryption -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/encryption.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/encryption.adoc"></div>
</div> </div>
<!-- 6. signing --> <!-- 6. signing -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/signing.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/signing.adoc"></div>
<!-- 6. assignment --> <!-- 6. assignment -->
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@ -101,12 +101,12 @@ $(document).ready(initialise);
<!-- 7. keystores --> <!-- 7. keystores -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/keystores.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/keystores.adoc"></div>
</div> </div>
<!-- 8. security defaults --> <!-- 8. security defaults -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/defaults.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/defaults.adoc"></div>
<!-- 8. assignment --> <!-- 8. assignment -->
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@ -123,7 +123,7 @@ $(document).ready(initialise);
</div> </div>
<!-- 9. postquantum --> <!-- 9. postquantum -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/postquantum.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/postquantum.adoc"></div>
</div> </div>
</body> </body>
</html> </html>

20
src/main/resources/lessons/csrf/html/CSRF.html
View File

@ -3,15 +3,15 @@
<html xmlns:th="http://www.thymeleaf.org"> <html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_intro.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_intro.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_GET.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_GET.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_Get_Flag.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Get_Flag.adoc"></div>
<form accept-charset="UNKNOWN" id="basic-csrf-get" <form accept-charset="UNKNOWN" id="basic-csrf-get"
method="POST" name="form1" method="POST" name="form1"
@ -23,7 +23,7 @@
</form> </form>
<div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_Basic_Get-1.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Basic_Get-1.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/> <img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
@ -54,7 +54,7 @@
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_Reviews.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Reviews.adoc"></div>
<!-- comment area --> <!-- comment area -->
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/reviews.css}"/> <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/reviews.css}"/>
@ -121,15 +121,15 @@
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_Frameworks.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Frameworks.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_JSON.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_JSON.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_ContentType.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_ContentType.adoc"></div>
<script th:src="@{/lesson_js/feedback.js}" language="JavaScript"></script> <script th:src="@{/lesson_js/feedback.js}" language="JavaScript"></script>
<div style="container-fluid; background-color: #f1f1f1; border: 2px solid #a66; <div style="container-fluid; background-color: #f1f1f1; border: 2px solid #a66;
@ -227,7 +227,7 @@
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_Login.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Login.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"> <div class="assignment-success">
@ -251,7 +251,7 @@
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_Impact_Defense.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Impact_Defense.adoc"></div>
</div> </div>

10
src/main/resources/lessons/deserialization/html/InsecureDeserialization.html
View File

@ -3,24 +3,24 @@
<html xmlns:th="http://www.thymeleaf.org"> <html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/deserialization/documentation/InsecureDeserialization_Intro.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/deserialization/documentation/InsecureDeserialization_Intro.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/deserialization/documentation/InsecureDeserialization_WhatIs.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/deserialization/documentation/InsecureDeserialization_WhatIs.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/deserialization/documentation/InsecureDeserialization_SimpleExploit.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/deserialization/documentation/InsecureDeserialization_SimpleExploit.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/deserialization/documentation/InsecureDeserialization_GadgetChain.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/deserialization/documentation/InsecureDeserialization_GadgetChain.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- stripped down without extra comments --> <!-- stripped down without extra comments -->
<div class="adoc-content" th:replace="~{doc:lessons/deserialization/documentation/InsecureDeserialization_Task.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/deserialization/documentation/InsecureDeserialization_Task.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" name="task" <form class="attack-form" accept-charset="UNKNOWN" name="task"

2
src/main/resources/lessons/hijacksession/documentation/HijackSession_content0.adoc
View File

@ -1,4 +1,4 @@
= Hijack a Session = Hijack a Session
In this lesson we are trying to predict the 'hijack_cookie' value. The 'hijack_cookie' is used to differentiate authenticated and anonymous users of WebGoat. In this lesson we are trying to predict the 'hijack_cookie' value. THe 'hijack_cookie' is used to differentiate authenticated and anonymous users of WebGoat.

4
src/main/resources/lessons/hijacksession/html/HijackSession.html
View File

@ -7,12 +7,12 @@
<!-- 1 --> <!-- 1 -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/hijacksession/documentation/HijackSession_plan.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/hijacksession/documentation/HijackSession_plan.adoc"></div>
</div> </div>
<!-- 2 --> <!-- 2 -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/hijacksession/documentation/HijackSession_content0.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/hijacksession/documentation/HijackSession_content0.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"> <div class="assignment-success">
<i class="fa fa-2 fa-check hidden" aria-hidden="true"></i> <i class="fa fa-2 fa-check hidden" aria-hidden="true"></i>

2
src/main/resources/lessons/hijacksession/lessonSolutions/html/HijackSession.html
View File

@ -7,7 +7,7 @@
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- reuse this block for each 'page' of content --> <!-- reuse this block for each 'page' of content -->
<!-- include content here ... will be first page/tab multiple --> <!-- include content here ... will be first page/tab multiple -->
<div class="adoc-content" th:replace="~{doc:HijackSession_solution.adoc}"></div> <div class="adoc-content" th:replace="doc:HijackSession_solution.adoc"></div>
</div> </div>

6
src/main/resources/lessons/htmltampering/html/HtmlTampering.html
View File

@ -3,12 +3,12 @@
<html xmlns:th="http://www.thymeleaf.org"> <html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/htmltampering/documentation/HtmlTampering_Intro.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/htmltampering/documentation/HtmlTampering_Intro.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- stripped down without extra comments --> <!-- stripped down without extra comments -->
<div class="adoc-content" th:replace="~{doc:lessons/htmltampering/documentation/HtmlTampering_Task.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/htmltampering/documentation/HtmlTampering_Task.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" id="task" name="task" <form class="attack-form" accept-charset="UNKNOWN" id="task" name="task"
@ -143,6 +143,6 @@
</div> </div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/htmltampering/documentation/HtmlTampering_Mitigation.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/htmltampering/documentation/HtmlTampering_Mitigation.adoc"></div>
</div> </div>
</html> </html>

Some files were not shown because too many files have changed in this diff Show More