


5ef865a54b chore: release version 2023.4 2023-02-17 13:07:22 +01:00
149 changed files with 669 additions and 1010 deletions


@ -1,15 +1,7 @@
version: 2 version: 2
updates: updates:
# Maintain dependencies for GitHub Actions
- package-ecosystem: "github-actions" - package-ecosystem: "github-actions"
directory: "/" directory: "/"
schedule: schedule:
interval: "weekly" interval: "daily"
- package-ecosystem: "maven"
directory: "/"
schedule:
interval: "weekly"
- package-ecosystem: "docker"
directory: "/"
schedule:
interval: "weekly"
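Review bot: On the new side only the `github-actions` ecosystem is configured, so the Maven dependencies pinned in `pom.xml` and the Docker base images (`FROM docker.io/eclipse-temurin:17-jre-focal` in the Dockerfile section below) have no automated update feed at all. A separate `- package-ecosystem: "maven"` entry and a `"docker"` entry, each with `directory: "/"` and a `schedule:`, would restore that coverage; versions that must stay old for a lesson belong in an `ignore:` list under the maven entry rather than being solved by dropping the ecosystem. Which single-column lines sit on the new side is not fully recoverable from this rendering, so the scope is inferred from the hunk counts (`-1,15 +1,7`).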


@ -27,7 +27,7 @@ jobs:
java-version: 17 java-version: 17
architecture: x64 architecture: x64
- name: Cache Maven packages - name: Cache Maven packages
uses: actions/cache@v3.3.1 uses: actions/cache@v3.2.5
with: with:
path: ~/.m2 path: ~/.m2
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
@ -42,7 +42,7 @@ jobs:
uses: docker/setup-buildx-action@v2 uses: docker/setup-buildx-action@v2
- name: "Verify Docker WebGoat build" - name: "Verify Docker WebGoat build"
if: runner.os == 'Linux' if: runner.os == 'Linux'
uses: docker/build-push-action@v4.1.0 uses: docker/build-push-action@v4.0.0
with: with:
context: ./ context: ./
file: ./Dockerfile file: ./Dockerfile
@ -50,7 +50,7 @@ jobs:
build-args: | build-args: |
webgoat_version=${{ env.WEBGOAT_MAVEN_VERSION }} webgoat_version=${{ env.WEBGOAT_MAVEN_VERSION }}
- name: "Verify Docker WebGoat desktop build" - name: "Verify Docker WebGoat desktop build"
uses: docker/build-push-action@v4.1.0 uses: docker/build-push-action@v4.0.0
if: runner.os == 'Linux' if: runner.os == 'Linux'
with: with:
context: ./ context: ./
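Review bot: The `uses:` references on the new side (`actions/cache@v3.2.5`, `docker/build-push-action@v4.0.0`, and the `docker/setup-buildx-action@v2` context line) are mutable tags, so a moved or compromised tag changes what runs in CI with no diff in this repository. Pinning each action to its full commit SHA and keeping the version as a trailing comment, e.g. `uses: actions/cache@<full-commit-sha> # v3.2.5` (placeholder), makes the workflow reproducible while Dependabot's `github-actions` updater can still follow releases. The same applies to every `uses:` line in the release workflow section (the `docker/login-action@v2.1.0` hunk) and the UI-test workflow section below. The `jobs:` mapping these steps belong to begins before the first hunk.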


@ -21,7 +21,7 @@ jobs:
architecture: x64 architecture: x64
- name: Cache Maven packages - name: Cache Maven packages
uses: actions/cache@v3.3.1 uses: actions/cache@v3.2.5
with: with:
path: ~/.m2 path: ~/.m2
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
@ -80,13 +80,13 @@ jobs:
uses: docker/setup-buildx-action@v2 uses: docker/setup-buildx-action@v2
- name: "Login to dockerhub" - name: "Login to dockerhub"
uses: docker/login-action@v2.2.0 uses: docker/login-action@v2.1.0
with: with:
username: ${{ secrets.DOCKERHUB_USERNAME }} username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }} password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: "Build and push WebGoat" - name: "Build and push WebGoat"
uses: docker/build-push-action@v4.1.0 uses: docker/build-push-action@v4.0.0
with: with:
context: ./ context: ./
file: ./Dockerfile file: ./Dockerfile
@ -99,12 +99,12 @@ jobs:
webgoat_version=${{ env.WEBGOAT_MAVEN_VERSION }} webgoat_version=${{ env.WEBGOAT_MAVEN_VERSION }}
- name: "Build and push WebGoat desktop" - name: "Build and push WebGoat desktop"
uses: docker/build-push-action@v4.1.0 uses: docker/build-push-action@v4.0.0
with: with:
context: ./ context: ./
file: ./Dockerfile_desktop file: ./Dockerfile_desktop
push: true push: true
platforms: linux/amd64, linux/arm64 platforms: linux/amd64, linux/arm64, linux/arm/v7
tags: | tags: |
webgoat/webgoat-desktop:${{ env.WEBGOAT_TAG_VERSION }} webgoat/webgoat-desktop:${{ env.WEBGOAT_TAG_VERSION }}
webgoat/webgoat-desktop:latest webgoat/webgoat-desktop:latest
@ -123,7 +123,6 @@ jobs:
- name: Set up JDK 17 - name: Set up JDK 17
uses: actions/setup-java@v3 uses: actions/setup-java@v3
with: with:
distribution: 'temurin'
java-version: 17 java-version: 17
architecture: x64 architecture: x64
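Review bot: In the last hunk (`@ -123,7 +123,6`) the new side of the `Set up JDK 17` step has no `distribution:` input under `with:`, and `actions/setup-java@v3` treats `distribution` as a required input, so unless a line outside the hunk supplies it this job fails at JDK setup; `distribution: 'temurin'` next to `java-version: 17` matches the other setup-java steps in this diff. Separately, the desktop build hunk now requests `platforms: linux/amd64, linux/arm64, linux/arm/v7` while the `Dockerfile_desktop` section below downloads a fixed `OpenJDK17U-jre_aarch64_...` tarball, so two of the three platform variants would be built with a JRE for the wrong architecture; see the note on that section. The enclosing `jobs:` mapping starts before the first hunk.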


@ -37,7 +37,7 @@ jobs:
architecture: x64 architecture: x64
#Uses an action to set up a cache using a certain key based on the hash of the dependencies #Uses an action to set up a cache using a certain key based on the hash of the dependencies
- name: Cache Maven packages - name: Cache Maven packages
uses: actions/cache@v3.3.1 uses: actions/cache@v3.2.5
with: with:
path: ~/.m2 path: ~/.m2
key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }} key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
@ -48,8 +48,6 @@ jobs:
robotframework robotframework
robotframework-SeleniumLibrary robotframework-SeleniumLibrary
webdriver-manager webdriver-manager
selenium==4.9.1
# TODO https://github.com/robotframework/SeleniumLibrary/issues/1835
- name: Run with Maven - name: Run with Maven
run: mvn --no-transfer-progress spring-boot:run & run: mvn --no-transfer-progress spring-boot:run &
- name: Wait to start - name: Wait to start
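Review bot: The pip package list in the `run:` step (`robotframework`, `robotframework-SeleniumLibrary`, `webdriver-manager`) has no version pins on the new side, so each CI run resolves whatever is current on PyPI; that makes UI-test failures non-reproducible and lets a broken or hijacked release reach the pipeline unnoticed. Pinning every package (`name==<version>` per line, optionally with `--require-hashes` for integrity) makes the job deterministic and gives Dependabot something to bump. The `run:` block scalar that holds this list begins outside the hunk, so the install command itself is not visible here.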


@ -3,7 +3,6 @@
[![GitHub contributors](https://img.shields.io/github/contributors/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/graphs/contributors) [![GitHub contributors](https://img.shields.io/github/contributors/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/graphs/contributors)
![GitHub issues by-label "help wanted"](https://img.shields.io/github/issues/WebGoat/WebGoat/help%20wanted.svg) ![GitHub issues by-label "help wanted"](https://img.shields.io/github/issues/WebGoat/WebGoat/help%20wanted.svg)
![GitHub issues by-label "good first issue"](https://img.shields.io/github/issues/WebGoat/WebGoat/good%20first%20issue.svg) ![GitHub issues by-label "good first issue"](https://img.shields.io/github/issues/WebGoat/WebGoat/good%20first%20issue.svg)
[![Conventional Commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-%23FE5196?logo=conventionalcommits&logoColor=white)](https://conventionalcommits.org)
This document describes how you can contribute to WebGoat. Please read it carefully. This document describes how you can contribute to WebGoat. Please read it carefully.
@ -42,19 +41,6 @@ Pull requests should be as small/atomic as possible. Large, wide-sweeping change
### Write a good commit message ### Write a good commit message
* We use [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) and use the following types:
- fix:
- feat:
- build:
- chore:
- ci:
- docs:
- refactor:
- test:
Using this style of commits makes it possible to create our release notes automatically.
* Explain why you make the changes. [More infos about a good commit message.](https://betterprogramming.pub/stop-writing-bad-commit-messages-8df79517177d) * Explain why you make the changes. [More infos about a good commit message.](https://betterprogramming.pub/stop-writing-bad-commit-messages-8df79517177d)
* If you fix an issue with your commit, please close the issue by [adding one of the keywords and the issue number](https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue) to your commit message. * If you fix an issue with your commit, please close the issue by [adding one of the keywords and the issue number](https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue) to your commit message.


@ -13,7 +13,6 @@ committers.
``` ```
mvn versions:set mvn versions:set
<< update release notes >> << update release notes >>
mvn verify
git commit .... git commit ....
git tag v2023.01 git tag v2023.01
git push --tags git push --tags


@ -1,4 +1,4 @@
FROM docker.io/eclipse-temurin:19-jre-focal FROM docker.io/eclipse-temurin:17-jre-focal
LABEL NAME = "WebGoat: A deliberately insecure Web Application" LABEL NAME = "WebGoat: A deliberately insecure Web Application"
MAINTAINER "WebGoat team" MAINTAINER "WebGoat team"
@ -27,8 +27,6 @@ ENTRYPOINT [ "java", \
"--add-opens", "java.base/sun.nio.ch=ALL-UNNAMED", \ "--add-opens", "java.base/sun.nio.ch=ALL-UNNAMED", \
"--add-opens", "java.base/java.io=ALL-UNNAMED", \ "--add-opens", "java.base/java.io=ALL-UNNAMED", \
"--add-opens", "java.base/java.util=ALL-UNNAMED", \ "--add-opens", "java.base/java.util=ALL-UNNAMED", \
"--add-opens", "java.base/sun.nio.ch=ALL-UNNAMED", \
"--add-opens", "java.base/java.io=ALL-UNNAMED", \
"-Drunning.in.docker=true", \ "-Drunning.in.docker=true", \
"-Dwebgoat.host=0.0.0.0", \ "-Dwebgoat.host=0.0.0.0", \
"-Dwebwolf.host=0.0.0.0", \ "-Dwebwolf.host=0.0.0.0", \
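Review bot: `FROM docker.io/eclipse-temurin:17-jre-focal` pins only a floating tag, so the base image can change under every rebuild of this release with no change to the Dockerfile, which makes the published `2023.4` image non-reproducible. Pinning by digest, `FROM docker.io/eclipse-temurin:17-jre-focal@sha256:<digest>` (placeholder), and letting a Dependabot docker entry bump the digest keeps the tag readable while fixing the contents. The `MAINTAINER "WebGoat team"` instruction on the following context line is deprecated; folding it into the existing `LABEL` as `maintainer="WebGoat team"` is the supported form. The `ENTRYPOINT` array in the second hunk begins before that hunk.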


@ -10,17 +10,12 @@ COPY config/desktop/start_zap.sh /config/start_zap.sh
COPY config/desktop/WebGoat.txt /config/Desktop/ COPY config/desktop/WebGoat.txt /config/Desktop/
RUN \ RUN \
case $(uname -m) in \
x86_64) ARCH=x64;; \
aarch64) ARCH=aarch64;; \
*) ARCH=unknown;; \
esac && \
curl -LO https://github.com/zaproxy/zaproxy/releases/download/v2.12.0/ZAP_2.12.0_Linux.tar.gz && \ curl -LO https://github.com/zaproxy/zaproxy/releases/download/v2.12.0/ZAP_2.12.0_Linux.tar.gz && \
tar zfxv ZAP_2.12.0_Linux.tar.gz && \ tar zfxv ZAP_2.12.0_Linux.tar.gz && \
rm -rf ZAP_2.12.0_Linux.tar.gz && \ rm -rf ZAP_2.12.0_Linux.tar.gz && \
curl -LO https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.6%2B10/OpenJDK17U-jre_${ARCH}_linux_hotspot_17.0.6_10.tar.gz && \ curl -LO https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.6%2B10/OpenJDK17U-jre_aarch64_linux_hotspot_17.0.6_10.tar.gz && \
tar zfxv OpenJDK17U-jre_${ARCH}_linux_hotspot_17.0.6_10.tar.gz && \ tar zfxv OpenJDK17U-jre_aarch64_linux_hotspot_17.0.6_10.tar.gz && \
rm -rf OpenJDK17U-jre_${ARCH}_linux_hotspot_17.0.6_10.tar.gz && \ rm -rf OpenJDK17U-jre_aarch64_linux_hotspot_17.0.6_10.tar.gz && \
chmod +x /config/start_webgoat.sh && \ chmod +x /config/start_webgoat.sh && \
chmod +x /config/start_zap.sh && \ chmod +x /config/start_zap.sh && \
apt-get update && \ apt-get update && \
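Review bot: The new side hard-codes the `OpenJDK17U-jre_aarch64_linux_hotspot_17.0.6_10.tar.gz` download, but the release workflow section above builds this image for `linux/amd64, linux/arm64, linux/arm/v7`, so the amd64 and arm/v7 variants would receive an aarch64 JRE that cannot run on them. The artefact name has to be derived per build platform — from `uname -m` at build time or from BuildKit's `TARGETARCH` build argument — rather than fixed in the URL. Neither the ZAP nor the JRE tarball is integrity-checked after `curl -LO`; verifying a recorded hash before `tar` (`echo "<sha256>  <file>" | sha256sum -c`, placeholder) would detect a tampered or truncated download. The `RUN \` chain continues past the end of the hunk.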

8
FAQ.md

@ -1,8 +0,0 @@
# FAQ for development
## Introduction
### Integration tests fail
Try to run the command in the console `java -jar ...` and remove `-Dlogging.pattern.console=` from the command line.


@ -6,7 +6,6 @@
[![GitHub release](https://img.shields.io/github/release/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/releases/latest) [![GitHub release](https://img.shields.io/github/release/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/releases/latest)
[![Gitter](https://badges.gitter.im/OWASPWebGoat/community.svg)](https://gitter.im/OWASPWebGoat/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge) [![Gitter](https://badges.gitter.im/OWASPWebGoat/community.svg)](https://gitter.im/OWASPWebGoat/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)
[![Discussions](https://img.shields.io/github/discussions/WebGoat/WebGoat)](https://github.com/WebGoat/WebGoat/discussions) [![Discussions](https://img.shields.io/github/discussions/WebGoat/WebGoat)](https://github.com/WebGoat/WebGoat/discussions)
[![Conventional Commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-%23FE5196?logo=conventionalcommits&logoColor=white)](https://conventionalcommits.org)
# Introduction # Introduction


@ -4,7 +4,7 @@
### New functionality ### New functionality
- [#1422 Add Docker Linux Desktop variant with all tools installed](https://github.com/WebGoat/WebGoat/issues/1422). Thanks to the [OWASP WrongSecrets project](https://owasp.org/www-project-wrongsecrets/) we now have a Docker Linux desktop image with all the tools installed. No need to install any tools locally only run the new Docker image. See README.md for details on how to start it. - [#1422 Add Docker Linux Desktop variant with all tools installed ](https://github.com/WebGoat/WebGoat/issues/1422). Thanks to the [OWASP WrongSecrets project](https://owasp.org/www-project-wrongsecrets/) we now have a Docker Linux desktop image with all the tools installed. No need to install any tools locally only run the new Docker image. See README.md for details on how to start it.
- [#1411 JWT: looks that buy as Tom also works with alg:none](https://github.com/WebGoat/WebGoat/issues/1411). - [#1411 JWT: looks that buy as Tom also works with alg:none](https://github.com/WebGoat/WebGoat/issues/1411).
### Bug fixes ### Bug fixes

154
pom.xml

@ -1,16 +1,16 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd"> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion> <modelVersion>4.0.0</modelVersion>
<parent> <parent>
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId> <artifactId>spring-boot-starter-parent</artifactId>
<version>3.1.0</version> <version>2.7.1</version>
</parent> </parent>
<groupId>org.owasp.webgoat</groupId> <groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat</artifactId> <artifactId>webgoat</artifactId>
<version>2023.5-SNAPSHOT</version> <version>2023.4</version>
<packaging>jar</packaging> <packaging>jar</packaging>
<name>WebGoat</name> <name>WebGoat</name>
@ -27,7 +27,6 @@
<url>https://www.gnu.org/licenses/gpl-2.0.txt</url> <url>https://www.gnu.org/licenses/gpl-2.0.txt</url>
</license> </license>
</licenses> </licenses>
<developers> <developers>
<developer> <developer>
<id>mayhew64</id> <id>mayhew64</id>
@ -95,6 +94,7 @@
<archive>http://lists.owasp.org/pipermail/owasp-webgoat/</archive> <archive>http://lists.owasp.org/pipermail/owasp-webgoat/</archive>
</mailingList> </mailingList>
</mailingLists> </mailingLists>
<scm> <scm>
<connection>scm:git:git@github.com:WebGoat/WebGoat.git</connection> <connection>scm:git:git@github.com:WebGoat/WebGoat.git</connection>
<developerConnection>scm:git:git@github.com:WebGoat/WebGoat.git</developerConnection> <developerConnection>scm:git:git@github.com:WebGoat/WebGoat.git</developerConnection>
@ -108,46 +108,44 @@
</issueManagement> </issueManagement>
<properties> <properties>
<!-- Shared properties with plugins and version numbers across submodules--> <!-- Shared properties with plugins and version numbers across submodules-->
<asciidoctorj.version>2.5.3</asciidoctorj.version> <asciidoctorj.version>2.5.3</asciidoctorj.version>
<!-- Upgrading needs UI work in WebWolf -->
<bootstrap.version>3.3.7</bootstrap.version> <bootstrap.version>3.3.7</bootstrap.version>
<cglib.version>3.3.0</cglib.version> <cglib.version>2.2</cglib.version>
<!-- do not update necessary for lesson --> <!-- do not update necessary for lesson -->
<checkstyle.version>3.3.0</checkstyle.version> <checkstyle.version>3.1.2</checkstyle.version>
<commons-collections.version>3.2.1</commons-collections.version> <commons-collections.version>3.2.1</commons-collections.version>
<commons-io.version>2.11.0</commons-io.version> <commons-io.version>2.6</commons-io.version>
<commons-lang3.version>3.12.0</commons-lang3.version> <commons-lang3.version>3.12.0</commons-lang3.version>
<commons-text.version>1.10.0</commons-text.version> <commons-text.version>1.9</commons-text.version>
<guava.version>31.1-jre</guava.version> <guava.version>30.1-jre</guava.version>
<jacoco.version>0.8.10</jacoco.version>
<java.version>17</java.version> <java.version>17</java.version>
<jaxb.version>2.3.1</jaxb.version>
<jjwt.version>0.9.1</jjwt.version> <jjwt.version>0.9.1</jjwt.version>
<jose4j.version>0.9.3</jose4j.version> <jose4j.version>0.7.6</jose4j.version>
<jquery.version>3.5.1</jquery.version> <jquery.version>3.5.1</jquery.version>
<jsoup.version>1.16.1</jsoup.version> <jsoup.version>1.14.3</jsoup.version>
<maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version> <maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version>
<maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version> <maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version>
<maven-jar-plugin.version>3.1.2</maven-jar-plugin.version> <maven-jar-plugin.version>3.1.2</maven-jar-plugin.version>
<maven-javadoc-plugin.version>3.1.1</maven-javadoc-plugin.version> <maven-javadoc-plugin.version>3.1.1</maven-javadoc-plugin.version>
<maven-source-plugin.version>3.1.0</maven-source-plugin.version> <maven-source-plugin.version>3.1.0</maven-source-plugin.version>
<maven-surefire-plugin.version>3.1.0</maven-surefire-plugin.version> <maven-surefire-plugin.version>3.0.0-M5</maven-surefire-plugin.version>
<maven.compiler.source>17</maven.compiler.source> <maven.compiler.source>17</maven.compiler.source>
<maven.compiler.target>17</maven.compiler.target> <maven.compiler.target>17</maven.compiler.target>
<pmd.version>3.15.0</pmd.version> <pmd.version>3.15.0</pmd.version>
<!-- Use UTF-8 Encoding --> <!-- Use UTF-8 Encoding -->
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding> <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<thymeleaf.version>3.1.1.RELEASE</thymeleaf.version> <thymeleaf.version>3.0.15.RELEASE</thymeleaf.version>
<webdriver.version>5.3.2</webdriver.version> <webdriver.version>4.3.1</webdriver.version>
<webgoat.port>8080</webgoat.port> <webgoat.port>8080</webgoat.port>
<webwolf.port>9090</webwolf.port> <webwolf.port>9090</webwolf.port>
<wiremock.version>2.27.2</wiremock.version> <wiremock.version>2.27.2</wiremock.version>
<xml-resolver.version>1.2</xml-resolver.version> <xml-resolver.version>1.2</xml-resolver.version>
<xstream.version>1.4.5</xstream.version> <xstream.version>1.4.5</xstream.version>
<!-- do not update necessary for lesson --> <!-- do not update necessary for lesson -->
<zxcvbn.version>1.7.0</zxcvbn.version> <zxcvbn.version>1.5.2</zxcvbn.version>
</properties> </properties>
<dependencyManagement> <dependencyManagement>
@ -156,7 +154,7 @@
<dependency> <dependency>
<groupId>org.ow2.asm</groupId> <groupId>org.ow2.asm</groupId>
<artifactId>asm</artifactId> <artifactId>asm</artifactId>
<version>9.5</version> <version>9.1</version>
</dependency> </dependency>
<dependency> <dependency>
@ -243,15 +241,16 @@
<dependency> <dependency>
<groupId>org.apache.commons</groupId> <groupId>org.apache.commons</groupId>
<artifactId>commons-compress</artifactId> <artifactId>commons-compress</artifactId>
<version>1.22</version> <version>1.21</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.jruby</groupId> <groupId>org.jruby</groupId>
<artifactId>jruby</artifactId> <artifactId>jruby</artifactId>
<version>9.4.2.0</version> <version>9.3.6.0</version>
</dependency> </dependency>
</dependencies> </dependencies>
</dependencyManagement> </dependencyManagement>
<dependencies> <dependencies>
<dependency> <dependency>
<groupId>org.apache.commons</groupId> <groupId>org.apache.commons</groupId>
@ -270,7 +269,6 @@
<dependency> <dependency>
<groupId>javax.xml.bind</groupId> <groupId>javax.xml.bind</groupId>
<artifactId>jaxb-api</artifactId> <artifactId>jaxb-api</artifactId>
<version>${jaxb.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>
@ -312,11 +310,7 @@
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.thymeleaf.extras</groupId> <groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity6</artifactId> <artifactId>thymeleaf-extras-springsecurity5</artifactId>
</dependency>
<dependency>
<groupId>jakarta.servlet</groupId>
<artifactId>jakarta.servlet-api</artifactId>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.hsqldb</groupId> <groupId>org.hsqldb</groupId>
@ -375,13 +369,8 @@
<artifactId>jquery</artifactId> <artifactId>jquery</artifactId>
</dependency> </dependency>
<dependency> <dependency>
<groupId>jakarta.xml.bind</groupId> <groupId>org.glassfish.jaxb</groupId>
<artifactId>jakarta.xml.bind-api</artifactId> <artifactId>jaxb-runtime</artifactId>
</dependency>
<dependency>
<groupId>com.sun.xml.bind</groupId>
<artifactId>jaxb-impl</artifactId>
<scope>runtime</scope>
</dependency> </dependency>
<dependency> <dependency>
@ -397,7 +386,6 @@
<dependency> <dependency>
<groupId>com.github.tomakehurst</groupId> <groupId>com.github.tomakehurst</groupId>
<artifactId>wiremock</artifactId> <artifactId>wiremock</artifactId>
<version>3.0.0-beta-2</version>
<scope>test</scope> <scope>test</scope>
</dependency> </dependency>
<dependency> <dependency>
@ -405,11 +393,6 @@
<artifactId>rest-assured</artifactId> <artifactId>rest-assured</artifactId>
<scope>test</scope> <scope>test</scope>
</dependency> </dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-properties-migrator</artifactId>
<scope>runtime</scope>
</dependency>
</dependencies> </dependencies>
<repositories> <repositories>
@ -507,8 +490,7 @@
<argLine>--add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED <argLine>--add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
--add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED --add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
--add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED
--add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED</argLine>
--add-opens=java.base/sun.nio.ch=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED</argLine>
<excludes> <excludes>
<exclude>**/*IntegrationTest.java</exclude> <exclude>**/*IntegrationTest.java</exclude>
<exclude>src/it/java</exclude> <exclude>src/it/java</exclude>
@ -532,7 +514,7 @@
<plugin> <plugin>
<groupId>com.diffplug.spotless</groupId> <groupId>com.diffplug.spotless</groupId>
<artifactId>spotless-maven-plugin</artifactId> <artifactId>spotless-maven-plugin</artifactId>
<version>2.33.0</version> <version>2.29.0</version>
<configuration> <configuration>
<formats> <formats>
<format> <format>
@ -593,7 +575,7 @@
<plugin> <plugin>
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-enforcer-plugin</artifactId> <artifactId>maven-enforcer-plugin</artifactId>
<version>3.3.0</version> <version>3.0.0</version>
<executions> <executions>
<execution> <execution>
<id>restrict-log4j-versions</id> <id>restrict-log4j-versions</id>
@ -696,10 +678,6 @@
<argument>java.base/java.io=ALL-UNNAMED</argument> <argument>java.base/java.io=ALL-UNNAMED</argument>
<argument>--add-opens</argument> <argument>--add-opens</argument>
<argument>java.base/java.util=ALL-UNNAMED</argument> <argument>java.base/java.util=ALL-UNNAMED</argument>
<argument>--add-opens</argument>
<argument>java.base/sun.nio.ch=ALL-UNNAMED</argument>
<argument>--add-opens</argument>
<argument>java.base/java.io=ALL-UNNAMED</argument>
<argument>${project.build.directory}/webgoat-${project.version}.jar</argument> <argument>${project.build.directory}/webgoat-${project.version}.jar</argument>
</arguments> </arguments>
<waitForInterrupt>false</waitForInterrupt> <waitForInterrupt>false</waitForInterrupt>
@ -749,82 +727,6 @@
</plugins> </plugins>
</build> </build>
</profile> </profile>
<profile>
<!-- run with: mvn test -Pcoverage -->
<id>coverage</id>
<activation>
<activeByDefault>false</activeByDefault>
</activation>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<version>${maven-surefire-plugin.version}</version>
<configuration>
<argLine>--add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
--add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
--add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED
--add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED
${surefire.jacoco.args}</argLine>
<excludes>
<exclude>**/*IntegrationTest.java</exclude>
<exclude>src/it/java</exclude>
<exclude>org/owasp/webgoat/*Test</exclude>
</excludes>
</configuration>
</plugin>
<plugin>
<groupId>org.jacoco</groupId>
<artifactId>jacoco-maven-plugin</artifactId>
<version>${jacoco.version}</version>
<executions>
<execution>
<id>before-unit-test</id>
<goals>
<goal>prepare-agent</goal>
</goals>
<configuration>
<destFile>${project.build.directory}/jacoco/jacoco-ut.exec</destFile>
<propertyName>surefire.jacoco.args</propertyName>
</configuration>
</execution>
<execution>
<id>check</id>
<goals>
<goal>check</goal>
</goals>
<configuration>
<rules>
<rule>
<element>BUNDLE</element>
<limits>
<limit>
<counter>CLASS</counter>
<value>COVEREDCOUNT</value>
<minimum>0.6</minimum>
</limit>
</limits>
</rule>
</rules>
<dataFile>${project.build.directory}/jacoco/jacoco-ut.exec</dataFile>
</configuration>
</execution>
<execution>
<id>after-unit-test</id>
<goals>
<goal>report</goal>
</goals>
<phase>test</phase>
<configuration>
<dataFile>${project.build.directory}/jacoco/jacoco-ut.exec</dataFile>
<outputDirectory>${project.reporting.outputDirectory}/jacoco-unit-test-coverage-report</outputDirectory>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
</profiles> </profiles>
</project> </project>
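Review bot: The `<properties>` hunk on the new side pins several libraries to older releases (`commons-text` 1.9, `jose4j` 0.7.6, `jsoup` 1.14.3, `guava` 30.1-jre, `cglib` 2.2, among others) but only `cglib` and `xstream` carry the `<!-- do not update necessary for lesson -->` marker, so a reader cannot tell which old versions are intentional lesson material and which are merely stale. Every property that must stay at a vulnerable version should carry that comment, ideally naming the lesson (`<!-- do not update: needed for the <lesson> lesson -->`), and the unmarked ones should be free for Dependabot and the enforcer plugin to move; as written, `<commons-text.version>1.9</commons-text.version>` is indistinguishable from an oversight. Also, `xsi:schemaLocation` now references `http://maven.apache.org/maven-v4_0_0.xsd` over plain HTTP, whereas `https://maven.apache.org/xsd/maven-4.0.0.xsd` is the canonical location. Several hunks in this section cut through `<dependency>` and `<plugin>` elements whose boundaries are outside the view.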


@ -7,14 +7,12 @@ import java.util.Arrays;
import java.util.HashMap; import java.util.HashMap;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
import org.springframework.http.HttpStatus;
public class ChallengeIntegrationTest extends IntegrationTest { public class ChallengeIntegrationTest extends IntegrationTest {
@Test @Test
void testChallenge1() { public void testChallenge1() {
startLesson("Challenge1"); startLesson("Challenge1");
byte[] resultBytes = byte[] resultBytes =
@ -69,7 +67,7 @@ public class ChallengeIntegrationTest extends IntegrationTest {
} }
@Test @Test
void testChallenge5() { public void testChallenge5() {
startLesson("Challenge5"); startLesson("Challenge5");
Map<String, Object> params = new HashMap<>(); Map<String, Object> params = new HashMap<>();
@ -109,62 +107,4 @@ public class ChallengeIntegrationTest extends IntegrationTest {
.get("find { it.username == \"" + this.getUser() + "\" }.flagsCaptured"); .get("find { it.username == \"" + this.getUser() + "\" }.flagsCaptured");
assertTrue(capturefFlags.contains("Without password")); assertTrue(capturefFlags.contains("Without password"));
} }
@Test
void testChallenge7() {
startLesson("Challenge7");
cleanMailbox();
// One should first be able to download git.zip from WebGoat
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("/WebGoat/challenge/7/.git"))
.then()
.statusCode(200)
.extract()
.asString();
// Should send an email to WebWolf inbox this should give a hint to the link being static
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.formParams("email", getUser() + "@webgoat.org")
.post(url("/WebGoat/challenge/7"))
.then()
.statusCode(200)
.extract()
.asString();
// Check whether email has been received
var responseBody =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.get(webWolfUrl("/mail"))
.then()
.extract()
.response()
.getBody()
.asString();
Assertions.assertThat(responseBody).contains("Hi, you requested a password reset link");
// Call reset link with admin link
String result =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("/challenge/7/reset-password/{link}"), "375afe1104f4a487a73823c50a9292a2")
.then()
.statusCode(HttpStatus.ACCEPTED.value())
.extract()
.asString();
String flag = result.substring(result.indexOf("flag") + 6, result.indexOf("flag") + 42);
checkAssignment(url("/WebGoat/challenge/flag"), Map.of("flag", flag), true);
}
} }
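Review bot: The new side declares `public void testChallenge1()` and `public void testChallenge5()`, but JUnit Jupiter does not require `@Test` methods to be public; package-private `void testChallenge1()` is the conventional Jupiter form and avoids exposing test methods as API. The local `capturefFlags` on the context line reads as a typo for `capturedFlags`. Neither test documents what it proves; a one-line Javadoc per method, e.g. `/** Challenge 5: the flag is obtainable without a password. */` (wording inferred from the asserted `"Without password"` string — confirm against the lesson), would help the next maintainer. The class body continues outside the hunks.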


@ -11,7 +11,6 @@ import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert; import org.hamcrest.MatcherAssert;
import org.junit.jupiter.api.AfterEach; import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.BeforeEach;
import org.springframework.http.HttpStatus;
public abstract class IntegrationTest { public abstract class IntegrationTest {
@ -253,14 +252,4 @@ public abstract class IntegrationTest {
.getBody() .getBody()
.asString(); .asString();
} }
public void cleanMailbox() {
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.delete(webWolfUrl("/mail"))
.then()
.statusCode(HttpStatus.ACCEPTED.value());
}
} }


@ -5,6 +5,7 @@ import static org.junit.jupiter.api.DynamicTest.dynamicTest;
import io.restassured.RestAssured; import io.restassured.RestAssured;
import java.util.Arrays; import java.util.Arrays;
import java.util.Map; import java.util.Map;
import lombok.SneakyThrows;
import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.StringUtils;
import org.assertj.core.api.Assertions; import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.AfterEach; import org.junit.jupiter.api.AfterEach;
@ -15,6 +16,7 @@ import org.junit.jupiter.api.TestFactory;
public class PasswordResetLessonIntegrationTest extends IntegrationTest { public class PasswordResetLessonIntegrationTest extends IntegrationTest {
@BeforeEach @BeforeEach
@SneakyThrows
public void init() { public void init() {
startLesson("/PasswordReset"); startLesson("/PasswordReset");
} }
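Review bot: `@SneakyThrows` on `init()` hides any checked exception thrown by `startLesson("/PasswordReset")` by rethrowing it unchecked, so a setup failure surfaces without a declared cause at the call site; if `startLesson` declares a checked exception, `public void init() throws Exception` is the conventional JUnit form, and if it does not, the annotation and the `lombok.SneakyThrows` import are dead. Whether `startLesson` throws is not visible here, so treat this as a question for the author. This call also passes `"/PasswordReset"` with a leading slash while `ChallengeIntegrationTest` passes `"Challenge1"` without one; if `startLesson` normalises the path, a short comment saying so would stop the next reader from wondering.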


@ -29,9 +29,9 @@ public class ProgressRaceConditionIntegrationTest extends IntegrationTest {
.relaxedHTTPSValidation() .relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie()) .cookie("JSESSIONID", getWebGoatCookie())
.formParams(Map.of("flag", "test")) .formParams(Map.of("flag", "test"))
.post(url("/challenge/flag")); .post(url("/challenge/flag/"));
}; };
ExecutorService executorService = Executors.newFixedThreadPool(NUMBER_OF_PARALLEL_THREADS); ExecutorService executorService = Executors.newWorkStealingPool(NUMBER_OF_PARALLEL_THREADS);
List<? extends Callable<Response>> flagCalls = List<? extends Callable<Response>> flagCalls =
IntStream.range(0, NUMBER_OF_CALLS).mapToObj(i -> call).collect(Collectors.toList()); IntStream.range(0, NUMBER_OF_CALLS).mapToObj(i -> call).collect(Collectors.toList());
var responses = executorService.invokeAll(flagCalls); var responses = executorService.invokeAll(flagCalls);
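Review bot: `Executors.newWorkStealingPool(NUMBER_OF_PARALLEL_THREADS)` creates a ForkJoinPool whose argument is a parallelism target, not a fixed thread count, so the test no longer guarantees that `NUMBER_OF_PARALLEL_THREADS` flag submissions are in flight simultaneously — the very property a race-condition test depends on — and its worker threads are daemon threads that are never explicitly shut down. `Executors.newFixedThreadPool(NUMBER_OF_PARALLEL_THREADS)` gives deterministic concurrency, and the pool should be shut down once `invokeAll` has returned. The `call` lambda and the enclosing test method begin before the hunk, so whether the executor is shut down later is not visible.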


@ -27,10 +27,10 @@
*/ */
package org.owasp.webgoat.container; package org.owasp.webgoat.container;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException; import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint; import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;


@ -33,7 +33,6 @@ package org.owasp.webgoat.container;
import static org.asciidoctor.Asciidoctor.Factory.create; import static org.asciidoctor.Asciidoctor.Factory.create;
import io.undertow.util.Headers; import io.undertow.util.Headers;
import jakarta.servlet.http.HttpServletRequest;
import java.io.IOException; import java.io.IOException;
import java.io.InputStream; import java.io.InputStream;
import java.io.InputStreamReader; import java.io.InputStreamReader;
@ -42,6 +41,7 @@ import java.util.HashMap;
import java.util.Locale; import java.util.Locale;
import java.util.Map; import java.util.Map;
import java.util.Set; import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.asciidoctor.Asciidoctor; import org.asciidoctor.Asciidoctor;
import org.asciidoctor.extension.JavaExtensionRegistry; import org.asciidoctor.extension.JavaExtensionRegistry;
@ -60,7 +60,7 @@ import org.thymeleaf.templateresource.StringTemplateResource;
* Thymeleaf resolver for AsciiDoc used in the lesson, can be used as follows inside a lesson file: * Thymeleaf resolver for AsciiDoc used in the lesson, can be used as follows inside a lesson file:
* *
* <p><code> * <p><code>
* <div th:replace="~{doc:AccessControlMatrix_plan.adoc}"></div> * <div th:replace="doc:AccessControlMatrix_plan.adoc"></div>
* </code> * </code>
*/ */
@Slf4j @Slf4j


@ -50,13 +50,12 @@ public class DatabaseConfiguration {
} }
@Bean @Bean
public Function<String, Flyway> flywayLessons() { public Function<String, Flyway> flywayLessons(LessonDataSource lessonDataSource) {
return schema -> return schema ->
Flyway.configure() Flyway.configure()
.configuration(Map.of("driver", properties.getDriverClassName())) .configuration(Map.of("driver", properties.getDriverClassName()))
.schemas(schema) .schemas(schema)
.cleanDisabled(false) .dataSource(lessonDataSource)
.dataSource(dataSource())
.locations("lessons") .locations("lessons")
.load(); .load();
} }
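Review bot: The new `flywayLessons(LessonDataSource lessonDataSource)` builder chain no longer calls `.cleanDisabled(false)`; on Flyway 9 and later `cleanDisabled` defaults to true, so any code path that runs `clean()` against a lesson schema (a per-user reset, for instance) would fail with an exception rather than resetting. If the project is on Flyway 9+ and a reset relies on clean, add `.cleanDisabled(false)` back before `.dataSource(lessonDataSource)`; if clean is intentionally left at the safer default, a one-line comment saying so, `// clean stays disabled (Flyway default): lesson schemas are never dropped`, would stop the question from recurring. The enclosing `DatabaseConfiguration` class starts before this hunk.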


@ -56,10 +56,10 @@ import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.i18n.LocaleChangeInterceptor; import org.springframework.web.servlet.i18n.LocaleChangeInterceptor;
import org.springframework.web.servlet.i18n.SessionLocaleResolver; import org.springframework.web.servlet.i18n.SessionLocaleResolver;
import org.thymeleaf.IEngineConfiguration; import org.thymeleaf.IEngineConfiguration;
import org.thymeleaf.extras.springsecurity6.dialect.SpringSecurityDialect; import org.thymeleaf.extras.springsecurity5.dialect.SpringSecurityDialect;
import org.thymeleaf.spring6.SpringTemplateEngine; import org.thymeleaf.spring5.SpringTemplateEngine;
import org.thymeleaf.spring6.templateresolver.SpringResourceTemplateResolver; import org.thymeleaf.spring5.templateresolver.SpringResourceTemplateResolver;
import org.thymeleaf.spring6.view.ThymeleafViewResolver; import org.thymeleaf.spring5.view.ThymeleafViewResolver;
import org.thymeleaf.templatemode.TemplateMode; import org.thymeleaf.templatemode.TemplateMode;
import org.thymeleaf.templateresolver.FileTemplateResolver; import org.thymeleaf.templateresolver.FileTemplateResolver;
import org.thymeleaf.templateresolver.ITemplateResolver; import org.thymeleaf.templateresolver.ITemplateResolver;


@ -37,26 +37,26 @@ import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.NoOpPasswordEncoder; import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
/** Security configuration for WebGoat. */ /** Security configuration for WebGoat. */
@Configuration @Configuration
@AllArgsConstructor @AllArgsConstructor
@EnableWebSecurity @EnableWebSecurity
public class WebSecurityConfig { public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private final UserService userDetailsService; private final UserService userDetailsService;
@Bean @Override
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { protected void configure(HttpSecurity http) throws Exception {
http.authorizeHttpRequests( ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security =
auth -> http.authorizeRequests()
auth.requestMatchers( .antMatchers(
"/css/**", "/css/**",
"/images/**", "/images/**",
"/js/**", "/js/**",
@ -67,19 +67,20 @@ public class WebSecurityConfig {
"/actuator/**") "/actuator/**")
.permitAll() .permitAll()
.anyRequest() .anyRequest()
.authenticated()); .authenticated();
http.formLogin() security
.and()
.formLogin()
.loginPage("/login") .loginPage("/login")
.defaultSuccessUrl("/welcome.mvc", true) .defaultSuccessUrl("/welcome.mvc", true)
.usernameParameter("username") .usernameParameter("username")
.passwordParameter("password") .passwordParameter("password")
.permitAll(); .permitAll();
http.logout().deleteCookies("JSESSIONID").invalidateHttpSession(true); security.and().logout().deleteCookies("JSESSIONID").invalidateHttpSession(true);
http.csrf().disable(); security.and().csrf().disable();
http.headers().cacheControl().disable(); http.headers().cacheControl().disable();
http.exceptionHandling().authenticationEntryPoint(new AjaxAuthenticationEntryPoint("/login")); http.exceptionHandling().authenticationEntryPoint(new AjaxAuthenticationEntryPoint("/login"));
return http.build();
} }
@Autowired @Autowired
@ -88,14 +89,15 @@ public class WebSecurityConfig {
} }
@Bean @Bean
public UserDetailsService userDetailsServiceBean() { @Override
public UserDetailsService userDetailsServiceBean() throws Exception {
return userDetailsService; return userDetailsService;
} }
@Override
@Bean @Bean
public AuthenticationManager authenticationManager( protected AuthenticationManager authenticationManager() throws Exception {
AuthenticationConfiguration authenticationConfiguration) throws Exception { return super.authenticationManager();
return authenticationConfiguration.getAuthenticationManager();
} }
@SuppressWarnings("deprecation") @SuppressWarnings("deprecation")
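Review bot: `security.and().csrf().disable()` in `configure`, and the `http.headers().cacheControl().disable()` line right after it, switch off two framework defaults on the application's own login and session surface without any comment recording why, and the same file imports `NoOpPasswordEncoder`. In a deliberately vulnerable training application these are presumably intentional, but the reason belongs next to the call so a future framework upgrade or refactor does not change it by accident; a comment such as `// CSRF protection is intentionally disabled for the training lessons; revisit before reusing this config elsewhere` would do. `configure` starts in the previous hunk, and the `authenticationManager()` override at the end of the section only delegates to `super`, so nothing else here needs a change.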


@ -1,8 +1,8 @@
package org.owasp.webgoat.container.asciidoc; package org.owasp.webgoat.container.asciidoc;
import jakarta.servlet.http.HttpServletRequest;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map; import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.asciidoctor.ast.ContentNode; import org.asciidoctor.ast.ContentNode;
import org.asciidoctor.extension.InlineMacroProcessor; import org.asciidoctor.extension.InlineMacroProcessor;
import org.springframework.web.context.request.RequestContextHolder; import org.springframework.web.context.request.RequestContextHolder;


@ -75,8 +75,7 @@ public class LessonTrackerInterceptor implements ResponseBodyAdvice<Object> {
} else { } else {
userTracker.assignmentFailed(webSession.getCurrentLesson()); userTracker.assignmentFailed(webSession.getCurrentLesson());
} }
userTrackerRepository.save(userTracker); userTrackerRepository.saveAndFlush(userTracker);
return attackResult; return attackResult;
} }
} }


@ -31,7 +31,7 @@
*/ */
package org.owasp.webgoat.container.controller; package org.owasp.webgoat.container.controller;
import jakarta.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import org.owasp.webgoat.container.session.Course; import org.owasp.webgoat.container.session.Course;
import org.owasp.webgoat.container.session.WebSession; import org.owasp.webgoat.container.session.WebSession;
import org.springframework.stereotype.Controller; import org.springframework.stereotype.Controller;


@ -29,8 +29,8 @@
*/ */
package org.owasp.webgoat.container.controller; package org.owasp.webgoat.container.controller;
import jakarta.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpSession; import javax.servlet.http.HttpSession;
import org.springframework.stereotype.Controller; import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.servlet.ModelAndView; import org.springframework.web.servlet.ModelAndView;
@ -49,7 +49,7 @@ public class Welcome {
/** /**
* welcome. * welcome.
* *
* @param request a {@link jakarta.servlet.http.HttpServletRequest} object. * @param request a {@link javax.servlet.http.HttpServletRequest} object.
* @return a {@link org.springframework.web.servlet.ModelAndView} object. * @return a {@link org.springframework.web.servlet.ModelAndView} object.
*/ */
@GetMapping(path = {"welcome.mvc"}) @GetMapping(path = {"welcome.mvc"})


@ -1,14 +1,9 @@
package org.owasp.webgoat.container.lessons; package org.owasp.webgoat.container.lessons;
import jakarta.persistence.Entity;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.GenerationType;
import jakarta.persistence.Id;
import jakarta.persistence.Transient;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import lombok.EqualsAndHashCode; import javax.persistence.*;
import lombok.Getter; import lombok.*;
/** /**
* ************************************************************************************************ * ************************************************************************************************
@ -46,7 +41,7 @@ import lombok.Getter;
public class Assignment { public class Assignment {
@Id @Id
@GeneratedValue(strategy = GenerationType.IDENTITY) @GeneratedValue(strategy = GenerationType.AUTO)
private Long id; private Long id;
private String name; private String name;


@ -4,13 +4,15 @@ import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException; import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method; import java.lang.reflect.Method;
import java.sql.Connection; import java.sql.Connection;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.container.users.WebGoatUser; import org.owasp.webgoat.container.users.WebGoatUser;
import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolder;
/** /**
* Handler which sets the correct schema for the currently bounded user. This way users are not * Handler which sets the correct schema for the currently bounded user. This way users are not
* seeing each other data, and we can reset data for just one particular user. * seeing each other data and we can reset data for just one particular user.
*/ */
@Slf4j
public class LessonConnectionInvocationHandler implements InvocationHandler { public class LessonConnectionInvocationHandler implements InvocationHandler {
private final Connection targetConnection; private final Connection targetConnection;


@ -1,20 +1,8 @@
package org.owasp.webgoat.container.users; package org.owasp.webgoat.container.users;
import jakarta.persistence.CascadeType; import java.util.*;
import jakarta.persistence.Entity;
import jakarta.persistence.FetchType;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.GenerationType;
import jakarta.persistence.Id;
import jakarta.persistence.OneToMany;
import jakarta.persistence.Version;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors; import java.util.stream.Collectors;
import lombok.EqualsAndHashCode; import javax.persistence.*;
import lombok.Getter; import lombok.Getter;
import org.owasp.webgoat.container.lessons.Assignment; import org.owasp.webgoat.container.lessons.Assignment;
import org.owasp.webgoat.container.lessons.Lesson; import org.owasp.webgoat.container.lessons.Lesson;
@ -51,11 +39,10 @@ import org.owasp.webgoat.container.lessons.Lesson;
* @since October 29, 2003 * @since October 29, 2003
*/ */
@Entity @Entity
@EqualsAndHashCode
public class LessonTracker { public class LessonTracker {
@Id @Id
@GeneratedValue(strategy = GenerationType.IDENTITY) @GeneratedValue(strategy = GenerationType.AUTO)
private Long id; private Long id;
@Getter private String lessonName; @Getter private String lessonName;


@ -1,10 +1,11 @@
package org.owasp.webgoat.container.users; package org.owasp.webgoat.container.users;
import jakarta.servlet.ServletException; import javax.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import jakarta.validation.Valid; import javax.validation.Valid;
import lombok.AllArgsConstructor; import lombok.AllArgsConstructor;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.stereotype.Controller; import org.springframework.stereotype.Controller;
import org.springframework.validation.BindingResult; import org.springframework.validation.BindingResult;
import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.GetMapping;
@ -22,6 +23,7 @@ public class RegistrationController {
private UserValidator userValidator; private UserValidator userValidator;
private UserService userService; private UserService userService;
private AuthenticationManager authenticationManager;
@GetMapping("/registration") @GetMapping("/registration")
public String showForm(UserForm userForm) { public String showForm(UserForm userForm) {


@ -1,8 +1,8 @@
package org.owasp.webgoat.container.users; package org.owasp.webgoat.container.users;
import jakarta.validation.constraints.NotNull; import javax.validation.constraints.NotNull;
import jakarta.validation.constraints.Pattern; import javax.validation.constraints.Pattern;
import jakarta.validation.constraints.Size; import javax.validation.constraints.Size;
import lombok.Getter; import lombok.Getter;
import lombok.Setter; import lombok.Setter;


@ -1,19 +1,11 @@
package org.owasp.webgoat.container.users; package org.owasp.webgoat.container.users;
import jakarta.persistence.CascadeType;
import jakarta.persistence.Column;
import jakarta.persistence.Entity;
import jakarta.persistence.FetchType;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.GenerationType;
import jakarta.persistence.Id;
import jakarta.persistence.OneToMany;
import java.util.HashSet; import java.util.HashSet;
import java.util.Map; import java.util.Map;
import java.util.Optional; import java.util.Optional;
import java.util.Set; import java.util.Set;
import java.util.stream.Collectors; import java.util.stream.Collectors;
import lombok.EqualsAndHashCode; import javax.persistence.*;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.container.lessons.Assignment; import org.owasp.webgoat.container.lessons.Assignment;
import org.owasp.webgoat.container.lessons.Lesson; import org.owasp.webgoat.container.lessons.Lesson;
@ -51,11 +43,10 @@ import org.owasp.webgoat.container.lessons.Lesson;
*/ */
@Slf4j @Slf4j
@Entity @Entity
@EqualsAndHashCode
public class UserTracker { public class UserTracker {
@Id @Id
@GeneratedValue(strategy = GenerationType.IDENTITY) @GeneratedValue(strategy = GenerationType.AUTO)
private Long id; private Long id;
@Column(name = "username") @Column(name = "username")


@ -1,10 +1,10 @@
package org.owasp.webgoat.container.users; package org.owasp.webgoat.container.users;
import jakarta.persistence.Entity;
import jakarta.persistence.Id;
import jakarta.persistence.Transient;
import java.util.Collection; import java.util.Collection;
import java.util.Collections; import java.util.Collections;
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.Transient;
import lombok.Getter; import lombok.Getter;
import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority;


@ -22,13 +22,13 @@
package org.owasp.webgoat.lessons.authbypass; package org.owasp.webgoat.lessons.authbypass;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import java.io.IOException; import java.io.IOException;
import java.util.Collections; import java.util.Collections;
import java.util.HashMap; import java.util.HashMap;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints; import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.assignments.AttackResult;


@ -1,13 +1,89 @@
/*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2019 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/
package org.owasp.webgoat.lessons.challenges; package org.owasp.webgoat.lessons.challenges;
public record Flag(int number, String answer) { import java.util.HashMap;
import java.util.Map;
import java.util.UUID;
import java.util.stream.IntStream;
import javax.annotation.PostConstruct;
import lombok.AllArgsConstructor;
import lombok.Getter;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.container.session.WebSession;
import org.owasp.webgoat.container.users.UserTracker;
import org.owasp.webgoat.container.users.UserTrackerRepository;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
public boolean isCorrect(String flag) { /**
return answer.equals(flag); * @author nbaars
* @since 3/23/17.
*/
@RestController
public class Flag extends AssignmentEndpoint {
public static final Map<Integer, String> FLAGS = new HashMap<>();
@Autowired private UserTrackerRepository userTrackerRepository;
@Autowired private WebSession webSession;
@AllArgsConstructor
private class FlagPosted {
@Getter private boolean lessonCompleted;
} }
@Override @PostConstruct
public String toString() { public void initFlags() {
return answer; IntStream.range(1, 10).forEach(i -> FLAGS.put(i, UUID.randomUUID().toString()));
}
@RequestMapping(
path = "/challenge/flag",
method = RequestMethod.POST,
produces = MediaType.APPLICATION_JSON_VALUE)
@ResponseBody
public AttackResult postFlag(@RequestParam String flag) {
UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
String currentChallenge = webSession.getCurrentLesson().getName();
int challengeNumber =
Integer.valueOf(
currentChallenge.substring(currentChallenge.length() - 1, currentChallenge.length()));
String expectedFlag = FLAGS.get(challengeNumber);
final AttackResult attackResult;
if (expectedFlag.equals(flag)) {
userTracker.assignmentSolved(webSession.getCurrentLesson(), "Assignment" + challengeNumber);
attackResult = success(this).feedback("challenge.flag.correct").build();
} else {
userTracker.assignmentFailed(webSession.getCurrentLesson());
attackResult = failed(this).feedback("challenge.flag.incorrect").build();
}
userTrackerRepository.save(userTracker);
return attackResult;
} }
} }
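Review bot: In `postFlag`, `FLAGS.get(challengeNumber)` returns null for any lesson whose name does not end in a digit from 1 to 9 (the map is filled by `IntStream.range(1, 10)`), and `expectedFlag.equals(flag)` then throws a NullPointerException instead of producing a failed result; a non-digit last character would likewise make `Integer.valueOf` throw NumberFormatException. Guard the comparison, `if (expectedFlag != null && expectedFlag.equals(flag)) {`, or validate `challengeNumber` before the lookup. `FLAGS` is also a public mutable static `HashMap` that `Assignment1` and `Assignment5` in this compare read via `Flag.FLAGS.get(...)`; exposing it through a getter, or wrapping it with `Collections.unmodifiableMap` once `initFlags` has run, would prevent any other component from altering the expected flags at runtime. The private `FlagPosted` class is not referenced anywhere in the hunk and looks like leftover code, and the class Javadoc carries only author and date — a sentence such as `Endpoint that checks a submitted challenge flag against the flags generated at server start and records the outcome in the user tracker.` would help.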


@ -1,52 +0,0 @@
/*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2019 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/
package org.owasp.webgoat.lessons.challenges;
import lombok.AllArgsConstructor;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.container.session.WebSession;
import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RestController
@AllArgsConstructor
public class FlagController extends AssignmentEndpoint {
private final WebSession webSession;
private final Flags flags;
@PostMapping(path = "/challenge/flag", produces = MediaType.APPLICATION_JSON_VALUE)
@ResponseBody
public AttackResult postFlag(@RequestParam String flag) {
Flag expectedFlag = flags.getFlag(webSession.getCurrentLesson());
if (expectedFlag.isCorrect(flag)) {
return success(this).feedback("challenge.flag.correct").build();
} else {
return failed(this).feedback("challenge.flag.incorrect").build();
}
}
}


@ -1,27 +0,0 @@
package org.owasp.webgoat.lessons.challenges;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;
import java.util.stream.IntStream;
import org.owasp.webgoat.container.lessons.Lesson;
import org.springframework.context.annotation.Configuration;
@Configuration
public class Flags {
private final Map<Integer, Flag> FLAGS = new HashMap<>();
public Flags() {
IntStream.range(1, 10).forEach(i -> FLAGS.put(i, new Flag(i, UUID.randomUUID().toString())));
}
public Flag getFlag(Lesson forLesson) {
String lessonName = forLesson.getName();
int challengeNumber = Integer.valueOf(lessonName.substring(lessonName.length() - 1));
return FLAGS.get(challengeNumber);
}
public Flag getFlag(int flagNumber) {
return FLAGS.get(flagNumber);
}
}


@ -32,4 +32,6 @@ public interface SolutionConstants {
// TODO should be random generated when starting the server // TODO should be random generated when starting the server
String PASSWORD = "!!webgoat_admin_1234!!"; String PASSWORD = "!!webgoat_admin_1234!!";
String PASSWORD_TOM = "thisisasecretfortomonly";
String ADMIN_PASSWORD_LINK = "375afe1104f4a487a73823c50a9292a2";
} }
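Review bot: The two constants added below `PASSWORD`, `PASSWORD_TOM` and `ADMIN_PASSWORD_LINK`, are further secrets fixed in source, yet the `// TODO should be random generated when starting the server` comment above them still reads as if it covers only `PASSWORD`. Extend it to name all three, e.g. `// TODO PASSWORD, PASSWORD_TOM and ADMIN_PASSWORD_LINK should be generated at server start, as Flag.FLAGS already is`, so the remaining hardcoded credentials are tracked in one place. Because these values ship with the source, anyone with the repository knows them; that is acceptable for a deliberately vulnerable training application, but the intent deserves to be recorded next to the values.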


@ -2,10 +2,11 @@ package org.owasp.webgoat.lessons.challenges.challenge1;
import static org.owasp.webgoat.lessons.challenges.SolutionConstants.PASSWORD; import static org.owasp.webgoat.lessons.challenges.SolutionConstants.PASSWORD;
import lombok.RequiredArgsConstructor; import javax.servlet.http.HttpServletRequest;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.lessons.challenges.Flags; import org.owasp.webgoat.lessons.challenges.Flag;
import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.ResponseBody;
@ -42,14 +43,12 @@ import org.springframework.web.bind.annotation.RestController;
* @since August 11, 2016 * @since August 11, 2016
*/ */
@RestController @RestController
@RequiredArgsConstructor
public class Assignment1 extends AssignmentEndpoint { public class Assignment1 extends AssignmentEndpoint {
private final Flags flags;
@PostMapping("/challenge/1") @PostMapping("/challenge/1")
@ResponseBody @ResponseBody
public AttackResult completed(@RequestParam String username, @RequestParam String password) { public AttackResult completed(
@RequestParam String username, @RequestParam String password, HttpServletRequest request) {
boolean ipAddressKnown = true; boolean ipAddressKnown = true;
boolean passwordCorrect = boolean passwordCorrect =
"admin".equals(username) "admin".equals(username)
@ -57,10 +56,14 @@ public class Assignment1 extends AssignmentEndpoint {
.replace("1234", String.format("%04d", ImageServlet.PINCODE)) .replace("1234", String.format("%04d", ImageServlet.PINCODE))
.equals(password); .equals(password);
if (passwordCorrect && ipAddressKnown) { if (passwordCorrect && ipAddressKnown) {
return success(this).feedback("challenge.solved").feedbackArgs(flags.getFlag(1)).build(); return success(this).feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(1)).build();
} else if (passwordCorrect) { } else if (passwordCorrect) {
return failed(this).feedback("ip.address.unknown").build(); return failed(this).feedback("ip.address.unknown").build();
} }
return failed(this).build(); return failed(this).build();
} }
public static boolean containsHeader(HttpServletRequest request) {
return StringUtils.hasText(request.getHeader("X-Forwarded-For"));
}
} }
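Review bot: `completed` now takes an `HttpServletRequest request` parameter, but nothing in the visible hunks reads it, and `boolean ipAddressKnown = true;` is a constant, so the `ip.address.unknown` branch is unreachable unless the variable is reassigned in the lines between the two hunks. Presumably the new static `containsHeader(HttpServletRequest)` helper, which tests for a non-empty `X-Forwarded-For` header, was meant to feed `ipAddressKnown`; either wire it in as intended or remove the unused parameter and helper so the dead branch is not mistaken for a working check. Since `X-Forwarded-For` is client-supplied unless a trusted proxy sets it, a comment on the helper, `// header presence is a challenge condition, not a trust decision`, would keep maintainers from reusing it as a real access control.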


@ -4,7 +4,8 @@ import static org.springframework.web.bind.annotation.RequestMethod.GET;
import static org.springframework.web.bind.annotation.RequestMethod.POST; import static org.springframework.web.bind.annotation.RequestMethod.POST;
import java.io.IOException; import java.io.IOException;
import java.util.Random; import java.security.SecureRandom;
import javax.servlet.http.HttpServlet;
import org.springframework.core.io.ClassPathResource; import org.springframework.core.io.ClassPathResource;
import org.springframework.http.MediaType; import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMapping;
@ -12,9 +13,10 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController; import org.springframework.web.bind.annotation.RestController;
@RestController @RestController
public class ImageServlet { public class ImageServlet extends HttpServlet {
public static final int PINCODE = new Random().nextInt(10000); private static final long serialVersionUID = 9132775506936676850L;
public static final int PINCODE = new SecureRandom().nextInt(10000);
@RequestMapping( @RequestMapping(
method = {GET, POST}, method = {GET, POST},
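Review bot: `ImageServlet` is a `@RestController` whose handler is bound with `@RequestMapping`, so Spring's DispatcherServlet serves it and the new `extends HttpServlet`, together with the `serialVersionUID` that exists only to satisfy `Serializable`, adds nothing unless the class is also registered as a servlet somewhere not shown here. If it is not, `public class ImageServlet {` without the superclass, dropping the `serialVersionUID` field and the `javax.servlet.http.HttpServlet` import, leaves a plainer controller. Deriving `PINCODE` from `SecureRandom` is fine; a short comment, `// fresh 4-digit pin per server start; Assignment1 builds the admin password from it`, would explain why the field is public. The `@RequestMapping` method continues outside the hunk.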


@ -24,12 +24,11 @@ package org.owasp.webgoat.lessons.challenges.challenge5;
import java.sql.PreparedStatement; import java.sql.PreparedStatement;
import java.sql.ResultSet; import java.sql.ResultSet;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.container.LessonDataSource; import org.owasp.webgoat.container.LessonDataSource;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.lessons.challenges.Flags; import org.owasp.webgoat.lessons.challenges.Flag;
import org.springframework.util.StringUtils; import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.RequestParam;
@ -38,11 +37,13 @@ import org.springframework.web.bind.annotation.RestController;
@RestController @RestController
@Slf4j @Slf4j
@RequiredArgsConstructor
public class Assignment5 extends AssignmentEndpoint { public class Assignment5 extends AssignmentEndpoint {
private final LessonDataSource dataSource; private final LessonDataSource dataSource;
private final Flags flags;
public Assignment5(LessonDataSource dataSource) {
this.dataSource = dataSource;
}
@PostMapping("/challenge/5") @PostMapping("/challenge/5")
@ResponseBody @ResponseBody
@ -65,7 +66,7 @@ public class Assignment5 extends AssignmentEndpoint {
ResultSet resultSet = statement.executeQuery(); ResultSet resultSet = statement.executeQuery();
if (resultSet.next()) { if (resultSet.next()) {
return success(this).feedback("challenge.solved").feedbackArgs(flags.getFlag(5)).build(); return success(this).feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(5)).build();
} else { } else {
return failed(this).feedback("challenge.close").build(); return failed(this).feedback("challenge.close").build();
} }


@ -1,14 +1,16 @@
package org.owasp.webgoat.lessons.challenges.challenge7; package org.owasp.webgoat.lessons.challenges.challenge7;
import jakarta.servlet.http.HttpServletRequest;
import java.net.URI; import java.net.URI;
import java.net.URISyntaxException; import java.net.URISyntaxException;
import java.time.LocalDateTime; import java.time.LocalDateTime;
import javax.servlet.http.HttpServletRequest;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.lessons.challenges.Email; import org.owasp.webgoat.lessons.challenges.Email;
import org.owasp.webgoat.lessons.challenges.Flags; import org.owasp.webgoat.lessons.challenges.Flag;
import org.owasp.webgoat.lessons.challenges.SolutionConstants;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value; import org.springframework.beans.factory.annotation.Value;
import org.springframework.core.io.ClassPathResource; import org.springframework.core.io.ClassPathResource;
import org.springframework.http.HttpStatus; import org.springframework.http.HttpStatus;
@ -31,8 +33,6 @@ import org.springframework.web.client.RestTemplate;
@Slf4j @Slf4j
public class Assignment7 extends AssignmentEndpoint { public class Assignment7 extends AssignmentEndpoint {
public static final String ADMIN_PASSWORD_LINK = "375afe1104f4a487a73823c50a9292a2";
private static final String TEMPLATE = private static final String TEMPLATE =
"Hi, you requested a password reset link, please use this <a target='_blank'" "Hi, you requested a password reset link, please use this <a target='_blank'"
+ " href='%s:8080/WebGoat/challenge/7/reset-password/%s'>link</a> to reset your" + " href='%s:8080/WebGoat/challenge/7/reset-password/%s'>link</a> to reset your"
@ -44,26 +44,22 @@ public class Assignment7 extends AssignmentEndpoint {
+ "Kind regards, \n" + "Kind regards, \n"
+ "Team WebGoat"; + "Team WebGoat";
private final Flags flags; @Autowired private RestTemplate restTemplate;
private final RestTemplate restTemplate;
private final String webWolfMailURL;
public Assignment7( @Value("${webwolf.mail.url}")
Flags flags, RestTemplate restTemplate, @Value("${webwolf.mail.url}") String webWolfMailURL) { private String webWolfMailURL;
this.flags = flags;
this.restTemplate = restTemplate;
this.webWolfMailURL = webWolfMailURL;
}
@GetMapping("/challenge/7/reset-password/{link}") @GetMapping("/challenge/7/reset-password/{link}")
public ResponseEntity<String> resetPassword(@PathVariable(value = "link") String link) { public ResponseEntity<String> resetPassword(@PathVariable(value = "link") String link) {
if (link.equals(ADMIN_PASSWORD_LINK)) { if (link.equals(SolutionConstants.ADMIN_PASSWORD_LINK)) {
return ResponseEntity.accepted() return ResponseEntity.accepted()
.body( .body(
"<h1>Success!!</h1>" "<h1>Success!!</h1>"
+ "<img src='/WebGoat/images/hi-five-cat.jpg'>" + "<img src='/WebGoat/images/hi-five-cat.jpg'>"
+ "<br/><br/>Here is your flag: " + "<br/><br/>Here is your flag: "
+ flags.getFlag(7)); + "<b>"
+ Flag.FLAGS.get(7)
+ "</b>");
} }
return ResponseEntity.status(HttpStatus.I_AM_A_TEAPOT) return ResponseEntity.status(HttpStatus.I_AM_A_TEAPOT)
.body("That is not the reset link for admin"); .body("That is not the reset link for admin");
@ -98,6 +94,6 @@ public class Assignment7 extends AssignmentEndpoint {
@GetMapping(value = "/challenge/7/.git", produces = MediaType.APPLICATION_OCTET_STREAM_VALUE) @GetMapping(value = "/challenge/7/.git", produces = MediaType.APPLICATION_OCTET_STREAM_VALUE)
@ResponseBody @ResponseBody
public ClassPathResource git() { public ClassPathResource git() {
return new ClassPathResource("lessons/challenges/challenge7/git.zip"); return new ClassPathResource("challenge7/git.zip");
} }
} }
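Review bot: `resetPassword` checks the supplied link with `link.equals(SolutionConstants.ADMIN_PASSWORD_LINK)`, a comparison that stops at the first differing character; for a value that acts as a reset token the length-independent form is the usual choice, `if (MessageDigest.isEqual(link.getBytes(StandardCharsets.UTF_8), SolutionConstants.ADMIN_PASSWORD_LINK.getBytes(StandardCharsets.UTF_8))) {`, with `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` imported. The same hunk switches `restTemplate` and `webWolfMailURL` to `@Autowired`/`@Value` field injection, which leaves both fields mutable and harder to construct in a unit test; constructor injection would keep them `final`. The class body continues between and after the hunks shown, so other uses of these fields are not visible here.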


@ -1,14 +1,13 @@
package org.owasp.webgoat.lessons.challenges.challenge8; package org.owasp.webgoat.lessons.challenges.challenge8;
import jakarta.servlet.http.HttpServletRequest;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map; import java.util.Map;
import java.util.stream.Collectors; import java.util.stream.Collectors;
import lombok.RequiredArgsConstructor; import javax.servlet.http.HttpServletRequest;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.lessons.challenges.Flags; import org.owasp.webgoat.lessons.challenges.Flag;
import org.springframework.http.MediaType; import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity; import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.GetMapping;
@ -16,9 +15,12 @@ import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController; import org.springframework.web.bind.annotation.RestController;
/**
* @author nbaars
* @since 4/8/17.
*/
@RestController @RestController
@Slf4j @Slf4j
@RequiredArgsConstructor
public class Assignment8 extends AssignmentEndpoint { public class Assignment8 extends AssignmentEndpoint {
private static final Map<Integer, Integer> votes = new HashMap<>(); private static final Map<Integer, Integer> votes = new HashMap<>();
@ -31,8 +33,6 @@ public class Assignment8 extends AssignmentEndpoint {
votes.put(5, 300); votes.put(5, 300);
} }
private final Flags flags;
@GetMapping(value = "/challenge/8/vote/{stars}", produces = MediaType.APPLICATION_JSON_VALUE) @GetMapping(value = "/challenge/8/vote/{stars}", produces = MediaType.APPLICATION_JSON_VALUE)
@ResponseBody @ResponseBody
public ResponseEntity<?> vote( public ResponseEntity<?> vote(
@ -47,7 +47,7 @@ public class Assignment8 extends AssignmentEndpoint {
Integer allVotesForStar = votes.getOrDefault(nrOfStars, 0); Integer allVotesForStar = votes.getOrDefault(nrOfStars, 0);
votes.put(nrOfStars, allVotesForStar + 1); votes.put(nrOfStars, allVotesForStar + 1);
return ResponseEntity.ok() return ResponseEntity.ok()
.header("X-FlagController", "Thanks for voting, your flag is: " + flags.getFlag(8)) .header("X-Flag", "Thanks for voting, your flag is: " + Flag.FLAGS.get(8))
.build(); .build();
} }
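Review bot: `vote` performs a read-modify-write on the static `votes` map (`votes.getOrDefault(nrOfStars, 0)` followed by `votes.put(nrOfStars, allVotesForStar + 1)`) from a request handler, and `votes` is a plain `HashMap`, so concurrent requests can lose increments or corrupt the map. Declaring it as `private static final Map<Integer, Integer> votes = new ConcurrentHashMap<>();` and replacing the two lines with `votes.merge(nrOfStars, 1, Integer::sum);` makes the increment atomic (`java.util.concurrent.ConcurrentHashMap` would need importing). The signature of `vote` and the first part of its body fall between the two hunks shown, so how `nrOfStars` is derived from `stars` is not visible here.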


@ -22,7 +22,6 @@
package org.owasp.webgoat.lessons.clientsidefiltering; package org.owasp.webgoat.lessons.clientsidefiltering;
import jakarta.annotation.PostConstruct;
import java.io.File; import java.io.File;
import java.io.FileInputStream; import java.io.FileInputStream;
import java.io.FileOutputStream; import java.io.FileOutputStream;
@ -32,6 +31,7 @@ import java.util.ArrayList;
import java.util.HashMap; import java.util.HashMap;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import javax.annotation.PostConstruct;
import javax.xml.xpath.XPath; import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants; import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException; import javax.xml.xpath.XPathExpressionException;


@ -22,9 +22,9 @@
package org.owasp.webgoat.lessons.cryptography; package org.owasp.webgoat.lessons.cryptography;
import jakarta.servlet.http.HttpServletRequest;
import java.util.Base64; import java.util.Base64;
import java.util.Random; import java.util.Random;
import javax.servlet.http.HttpServletRequest;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.assignments.AttackResult;
import org.springframework.http.MediaType; import org.springframework.http.MediaType;


@ -22,10 +22,10 @@
package org.owasp.webgoat.lessons.cryptography; package org.owasp.webgoat.lessons.cryptography;
import jakarta.servlet.http.HttpServletRequest;
import java.security.MessageDigest; import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException;
import java.util.Random; import java.util.Random;
import javax.servlet.http.HttpServletRequest;
import javax.xml.bind.DatatypeConverter; import javax.xml.bind.DatatypeConverter;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints; import org.owasp.webgoat.container.assignments.AssignmentHints;


@ -22,11 +22,11 @@
package org.owasp.webgoat.lessons.cryptography; package org.owasp.webgoat.lessons.cryptography;
import jakarta.servlet.http.HttpServletRequest;
import java.security.InvalidAlgorithmParameterException; import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPair; import java.security.KeyPair;
import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPublicKey; import java.security.interfaces.RSAPublicKey;
import javax.servlet.http.HttpServletRequest;
import javax.xml.bind.DatatypeConverter; import javax.xml.bind.DatatypeConverter;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;


@ -24,11 +24,11 @@ package org.owasp.webgoat.lessons.csrf;
import com.fasterxml.jackson.databind.DeserializationFeature; import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper; import com.fasterxml.jackson.databind.ObjectMapper;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
import java.io.IOException; import java.io.IOException;
import java.util.Map; import java.util.Map;
import java.util.UUID; import java.util.UUID;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.exception.ExceptionUtils; import org.apache.commons.lang3.exception.ExceptionUtils;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints; import org.owasp.webgoat.container.assignments.AssignmentHints;


@ -22,10 +22,10 @@
package org.owasp.webgoat.lessons.csrf; package org.owasp.webgoat.lessons.csrf;
import jakarta.servlet.http.HttpServletRequest;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map; import java.util.Map;
import java.util.Random; import java.util.Random;
import javax.servlet.http.HttpServletRequest;
import org.owasp.webgoat.container.i18n.PluginMessages; import org.owasp.webgoat.container.i18n.PluginMessages;
import org.owasp.webgoat.container.session.UserSessionData; import org.owasp.webgoat.container.session.UserSessionData;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;


@ -22,7 +22,7 @@
package org.owasp.webgoat.lessons.csrf; package org.owasp.webgoat.lessons.csrf;
import jakarta.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints; import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.assignments.AttackResult;


@ -25,7 +25,6 @@ package org.owasp.webgoat.lessons.csrf;
import static org.springframework.http.MediaType.ALL_VALUE; import static org.springframework.http.MediaType.ALL_VALUE;
import com.google.common.collect.Lists; import com.google.common.collect.Lists;
import jakarta.servlet.http.HttpServletRequest;
import java.time.LocalDateTime; import java.time.LocalDateTime;
import java.time.format.DateTimeFormatter; import java.time.format.DateTimeFormatter;
import java.util.ArrayList; import java.util.ArrayList;
@ -33,6 +32,7 @@ import java.util.Collection;
import java.util.HashMap; import java.util.HashMap;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints; import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.assignments.AttackResult;


@ -22,8 +22,8 @@
package org.owasp.webgoat.lessons.hijacksession; package org.owasp.webgoat.lessons.hijacksession;
import jakarta.servlet.http.Cookie; import javax.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.StringUtils;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints; import org.owasp.webgoat.container.assignments.AssignmentHints;


@ -22,7 +22,7 @@
package org.owasp.webgoat.lessons.httpproxies; package org.owasp.webgoat.lessons.httpproxies;
import jakarta.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.assignments.AttackResult;
import org.springframework.http.HttpMethod; import org.springframework.http.HttpMethod;


@ -97,8 +97,7 @@ public class IDOREditOtherProfiile extends AssignmentEndpoint {
.feedback("idor.edit.profile.failure3") .feedback("idor.edit.profile.failure3")
.output(currentUserProfile.profileToMap().toString()) .output(currentUserProfile.profileToMap().toString())
.build(); .build();
} else if (userSubmittedProfile.getUserId() != null } else if (userSubmittedProfile.getUserId().equals(authUserId)) {
&& userSubmittedProfile.getUserId().equals(authUserId)) {
return failed(this).feedback("idor.edit.profile.failure4").build(); return failed(this).feedback("idor.edit.profile.failure4").build();
} }
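Review bot: The new `else if` calls `userSubmittedProfile.getUserId().equals(authUserId)` with no null guard, so a submitted profile that omits `userId` ends in a `NullPointerException` and a framework error page instead of the `AttackResult` the surrounding branches return. A null-safe form that keeps the same outcome is `} else if (authUserId != null && authUserId.equals(userSubmittedProfile.getUserId())) {`; `Objects.equals(...)` would also work but treats two nulls as equal, which this branch presumably should not. The enclosing method starts and ends outside the hunk, so whether `authUserId` can itself be null is not visible here.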


@ -22,9 +22,9 @@
package org.owasp.webgoat.lessons.idor; package org.owasp.webgoat.lessons.idor;
import jakarta.servlet.http.HttpServletResponse;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map; import java.util.Map;
import javax.servlet.http.HttpServletResponse;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints; import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.assignments.AttackResult;


@ -31,14 +31,14 @@ import io.jsonwebtoken.Jwt;
import io.jsonwebtoken.JwtException; import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts; import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.impl.TextCodec; import io.jsonwebtoken.impl.TextCodec;
import jakarta.annotation.PostConstruct;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletResponse;
import java.time.Duration; import java.time.Duration;
import java.time.Instant; import java.time.Instant;
import java.util.Date; import java.util.Date;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map; import java.util.Map;
import javax.annotation.PostConstruct;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.StringUtils;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints; import org.owasp.webgoat.container.assignments.AssignmentHints;


@ -22,10 +22,10 @@
package org.owasp.webgoat.lessons.logging; package org.owasp.webgoat.lessons.logging;
import jakarta.annotation.PostConstruct;
import java.nio.charset.StandardCharsets; import java.nio.charset.StandardCharsets;
import java.util.Base64; import java.util.Base64;
import java.util.UUID; import java.util.UUID;
import javax.annotation.PostConstruct;
import org.apache.logging.log4j.util.Strings; import org.apache.logging.log4j.util.Strings;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.assignments.AttackResult;


@ -22,8 +22,8 @@
package org.owasp.webgoat.lessons.passwordreset; package org.owasp.webgoat.lessons.passwordreset;
import jakarta.servlet.http.HttpServletRequest;
import java.util.UUID; import java.util.UUID;
import javax.servlet.http.HttpServletRequest;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.assignments.AttackResult;
import org.springframework.beans.factory.annotation.Value; import org.springframework.beans.factory.annotation.Value;


@ -1,7 +1,7 @@
package org.owasp.webgoat.lessons.passwordreset.resetlink; package org.owasp.webgoat.lessons.passwordreset.resetlink;
import jakarta.validation.constraints.NotNull; import javax.validation.constraints.NotNull;
import jakarta.validation.constraints.Size; import javax.validation.constraints.Size;
import lombok.Getter; import lombok.Getter;
import lombok.Setter; import lombok.Setter;


@ -1,7 +1,5 @@
package org.owasp.webgoat.lessons.pathtraversal; package org.owasp.webgoat.lessons.pathtraversal;
import jakarta.annotation.PostConstruct;
import jakarta.servlet.http.HttpServletRequest;
import java.io.File; import java.io.File;
import java.io.FileOutputStream; import java.io.FileOutputStream;
import java.io.IOException; import java.io.IOException;
@ -10,6 +8,8 @@ import java.net.URI;
import java.net.URISyntaxException; import java.net.URISyntaxException;
import java.nio.file.Files; import java.nio.file.Files;
import java.util.Base64; import java.util.Base64;
import javax.annotation.PostConstruct;
import javax.servlet.http.HttpServletRequest;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.RandomUtils; import org.apache.commons.lang3.RandomUtils;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;


@ -22,9 +22,9 @@
package org.owasp.webgoat.lessons.spoofcookie; package org.owasp.webgoat.lessons.spoofcookie;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletResponse;
import java.util.Map; import java.util.Map;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.StringUtils;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.assignments.AttackResult;


@ -22,11 +22,11 @@
package org.owasp.webgoat.lessons.sqlinjection.introduction; package org.owasp.webgoat.lessons.sqlinjection.introduction;
import jakarta.annotation.PostConstruct;
import java.sql.Connection; import java.sql.Connection;
import java.sql.ResultSet; import java.sql.ResultSet;
import java.sql.SQLException; import java.sql.SQLException;
import java.sql.Statement; import java.sql.Statement;
import javax.annotation.PostConstruct;
import org.owasp.webgoat.container.LessonDataSource; import org.owasp.webgoat.container.LessonDataSource;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints; import org.owasp.webgoat.container.assignments.AssignmentHints;


@ -22,9 +22,9 @@
package org.owasp.webgoat.lessons.sqlinjection.introduction; package org.owasp.webgoat.lessons.sqlinjection.introduction;
import jakarta.servlet.http.HttpServletRequest;
import java.io.IOException; import java.io.IOException;
import java.sql.*; import java.sql.*;
import javax.servlet.http.HttpServletRequest;
import org.owasp.webgoat.container.LessonDataSource; import org.owasp.webgoat.container.LessonDataSource;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints; import org.owasp.webgoat.container.assignments.AssignmentHints;


@ -44,12 +44,12 @@ public class SSRFTask1 extends AssignmentEndpoint {
try { try {
StringBuilder html = new StringBuilder(); StringBuilder html = new StringBuilder();
if (url.matches("images/tom\\.png")) { if (url.matches("images/tom.png")) {
html.append( html.append(
"<img class=\"image\" alt=\"Tom\" src=\"images/tom.png\" width=\"25%\"" "<img class=\"image\" alt=\"Tom\" src=\"images/tom.png\" width=\"25%\""
+ " height=\"25%\">"); + " height=\"25%\">");
return failed(this).feedback("ssrf.tom").output(html.toString()).build(); return failed(this).feedback("ssrf.tom").output(html.toString()).build();
} else if (url.matches("images/jerry\\.png")) { } else if (url.matches("images/jerry.png")) {
html.append( html.append(
"<img class=\"image\" alt=\"Jerry\" src=\"images/jerry.png\" width=\"25%\"" "<img class=\"image\" alt=\"Jerry\" src=\"images/jerry.png\" width=\"25%\""
+ " height=\"25%\">"); + " height=\"25%\">");
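Review bot: The checks `url.matches("images/tom.png")` and `url.matches("images/jerry.png")` use an unescaped `.` inside a regex, so the allow-list accepts more than the two literal paths it is meant to name. Both targets are fixed strings, so plain equality is both tighter and clearer: `if ("images/tom.png".equals(url)) {` and `} else if ("images/jerry.png".equals(url)) {`. The same pattern appears in `SSRFTask2.furBall` (`url.matches("http://ifconfig.pro")`), and matters more there because the matched value is then opened with `new URL(url).openStream()`. The enclosing `try` and the method signature start outside the hunk.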


@ -46,7 +46,7 @@ public class SSRFTask2 extends AssignmentEndpoint {
} }
protected AttackResult furBall(String url) { protected AttackResult furBall(String url) {
if (url.matches("http://ifconfig\\.pro")) { if (url.matches("http://ifconfig.pro")) {
String html; String html;
try (InputStream in = new URL(url).openStream()) { try (InputStream in = new URL(url).openStream()) {
html = html =


@ -22,9 +22,9 @@
package org.owasp.webgoat.lessons.webwolfintroduction; package org.owasp.webgoat.lessons.webwolfintroduction;
import jakarta.servlet.http.HttpServletRequest;
import java.net.URI; import java.net.URI;
import java.net.URISyntaxException; import java.net.URISyntaxException;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.StringUtils;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.assignments.AttackResult;


@ -22,8 +22,8 @@
package org.owasp.webgoat.lessons.xss; package org.owasp.webgoat.lessons.xss;
import jakarta.servlet.http.HttpServletRequest;
import java.security.SecureRandom; import java.security.SecureRandom;
import javax.servlet.http.HttpServletRequest;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.container.session.UserSessionData; import org.owasp.webgoat.container.session.UserSessionData;


@ -22,8 +22,7 @@
package org.owasp.webgoat.lessons.xxe; package org.owasp.webgoat.lessons.xxe;
import jakarta.xml.bind.annotation.XmlRootElement; import javax.xml.bind.annotation.XmlRootElement;
import jakarta.xml.bind.annotation.XmlType;
import lombok.AllArgsConstructor; import lombok.AllArgsConstructor;
import lombok.Getter; import lombok.Getter;
import lombok.NoArgsConstructor; import lombok.NoArgsConstructor;
@ -38,8 +37,7 @@ import lombok.ToString;
@Setter @Setter
@AllArgsConstructor @AllArgsConstructor
@NoArgsConstructor @NoArgsConstructor
@XmlRootElement(name = "comment") @XmlRootElement
@XmlType
@ToString @ToString
public class Comment { public class Comment {
private String user; private String user;


@ -26,8 +26,6 @@ import static java.util.Optional.empty;
import static java.util.Optional.of; import static java.util.Optional.of;
import com.fasterxml.jackson.databind.ObjectMapper; import com.fasterxml.jackson.databind.ObjectMapper;
import jakarta.xml.bind.JAXBContext;
import jakarta.xml.bind.JAXBException;
import java.io.IOException; import java.io.IOException;
import java.io.StringReader; import java.io.StringReader;
import java.time.LocalDateTime; import java.time.LocalDateTime;
@ -38,6 +36,8 @@ import java.util.HashMap;
import java.util.Map; import java.util.Map;
import java.util.Optional; import java.util.Optional;
import javax.xml.XMLConstants; import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.stream.XMLInputFactory; import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException; import javax.xml.stream.XMLStreamException;
import org.owasp.webgoat.container.session.WebSession; import org.owasp.webgoat.container.session.WebSession;
@ -93,7 +93,7 @@ public class CommentsCache {
* progress etc). In real life the XmlMapper bean defined above will be used automatically and the * progress etc). In real life the XmlMapper bean defined above will be used automatically and the
* Comment class can be directly used in the controller method (instead of a String) * Comment class can be directly used in the controller method (instead of a String)
*/ */
protected Comment parseXml(String xml) throws XMLStreamException, JAXBException { protected Comment parseXml(String xml) throws JAXBException, XMLStreamException {
var jc = JAXBContext.newInstance(Comment.class); var jc = JAXBContext.newInstance(Comment.class);
var xif = XMLInputFactory.newInstance(); var xif = XMLInputFactory.newInstance();
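Review bot: `parseXml` calls `JAXBContext.newInstance(Comment.class)` on every invocation; building a `JAXBContext` is comparatively expensive and instances are designed to be shared, so a `private static final JAXBContext` field initialised once (or a lazily initialised one) avoids the per-request cost without changing the parse result. The method body continues past the hunk, so how `xif` is configured before use is not visible here; the Javadoc above states this path is deliberately not the production `XmlMapper` route, which should be kept in mind before touching the parsing itself.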


@ -24,7 +24,7 @@ package org.owasp.webgoat.lessons.xxe;
import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE; import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
import jakarta.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import org.apache.commons.exec.OS; import org.apache.commons.exec.OS;
import org.apache.commons.lang3.exception.ExceptionUtils; import org.apache.commons.lang3.exception.ExceptionUtils;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@ -60,7 +60,8 @@ public class ContentTypeAssignment extends AssignmentEndpoint {
public AttackResult createNewUser( public AttackResult createNewUser(
HttpServletRequest request, HttpServletRequest request,
@RequestBody String commentStr, @RequestBody String commentStr,
@RequestHeader("Content-Type") String contentType) { @RequestHeader("Content-Type") String contentType)
throws Exception {
AttackResult attackResult = failed(this).build(); AttackResult attackResult = failed(this).build();
if (APPLICATION_JSON_VALUE.equals(contentType)) { if (APPLICATION_JSON_VALUE.equals(contentType)) {
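Review bot: `createNewUser` now declares `throws Exception`, so any checked failure after the `failed(this).build()` default propagates to the framework as an unhandled error rather than through the `AttackResult` the method already prepares. Either narrow the clause to the specific checked exceptions the body throws, or catch them inside the method and return `failed(this).output(...)` so the lesson response stays consistent with the other branches; the `ExceptionUtils` import suggests the message is already formatted somewhere below. The method body continues beyond the hunk, so which calls introduce the checked exceptions is not visible here.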


@ -25,7 +25,7 @@ package org.owasp.webgoat.lessons.xxe;
import static org.springframework.http.MediaType.ALL_VALUE; import static org.springframework.http.MediaType.ALL_VALUE;
import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE; import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
import jakarta.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import org.apache.commons.exec.OS; import org.apache.commons.exec.OS;
import org.apache.commons.lang3.exception.ExceptionUtils; import org.apache.commons.lang3.exception.ExceptionUtils;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;


@ -24,10 +24,10 @@ package org.owasp.webgoat.webwolf;
import static org.springframework.http.MediaType.ALL_VALUE; import static org.springframework.http.MediaType.ALL_VALUE;
import jakarta.servlet.http.HttpServletRequest;
import java.io.File; import java.io.File;
import java.io.IOException; import java.io.IOException;
import java.util.ArrayList; import java.util.ArrayList;
import javax.servlet.http.HttpServletRequest;
import lombok.AllArgsConstructor; import lombok.AllArgsConstructor;
import lombok.Getter; import lombok.Getter;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;


@ -22,8 +22,8 @@
package org.owasp.webgoat.webwolf; package org.owasp.webgoat.webwolf;
import jakarta.annotation.PostConstruct;
import java.io.File; import java.io.File;
import javax.annotation.PostConstruct;
import org.springframework.beans.factory.annotation.Value; import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry; import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;


@ -29,49 +29,54 @@ import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod; import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.NoOpPasswordEncoder; import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
/** Security configuration for WebWolf. */ /** Security configuration for WebGoat. */
@Configuration @Configuration
@AllArgsConstructor @AllArgsConstructor
@EnableWebSecurity @EnableWebSecurity
public class WebSecurityConfig { public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private final UserService userDetailsService; private final UserService userDetailsService;
@Bean @Override
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { protected void configure(HttpSecurity http) throws Exception {
http.authorizeHttpRequests( ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security =
auth -> auth.requestMatchers(HttpMethod.POST, "/fileupload").authenticated()); http.authorizeRequests()
http.authorizeHttpRequests( .antMatchers(HttpMethod.POST, "/fileupload")
auth -> .authenticated()
auth.requestMatchers(HttpMethod.GET, "/files", "/mail", "/requests").authenticated()); .antMatchers(HttpMethod.GET, "/files", "/mail", "/requests")
http.authorizeHttpRequests().anyRequest().permitAll(); .authenticated()
http.csrf().disable().formLogin().loginPage("/login").failureUrl("/login?error=true"); .and()
http.formLogin().loginPage("/login").defaultSuccessUrl("/home", true).permitAll(); .authorizeRequests()
http.logout().permitAll(); .anyRequest()
return http.build(); .permitAll();
security.and().csrf().disable().formLogin().loginPage("/login").failureUrl("/login?error=true");
security.and().formLogin().loginPage("/login").defaultSuccessUrl("/home", true).permitAll();
security.and().logout().permitAll();
} }
@Autowired @Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService); auth.userDetailsService(userDetailsService); // .passwordEncoder(bCryptPasswordEncoder());
} }
@Bean @Bean
public UserDetailsService userDetailsServiceBean() { @Override
public UserDetailsService userDetailsServiceBean() throws Exception {
return userDetailsService; return userDetailsService;
} }
@Override
@Bean @Bean
public AuthenticationManager authenticationManager( protected AuthenticationManager authenticationManager() throws Exception {
AuthenticationConfiguration authenticationConfiguration) throws Exception { return super.authenticationManager();
return authenticationConfiguration.getAuthenticationManager();
} }
@Bean @Bean
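Review bot: The `authenticated()` matchers cover only POST /fileupload and GET /files, /mail and /requests, and everything else falls to `anyRequest().permitAll()`, so other methods on those same paths — the POST and DELETE on /mail that MailboxController on this page exposes — need no session on whichever side of the diff is live. If unauthenticated POST /mail is intended (WebGoat delivering mail), write that down in a comment and still add `requestMatchers(HttpMethod.DELETE, "/mail").authenticated()` (`antMatchers` on the adapter side). `csrf().disable()` together with the `NoOpPasswordEncoder` import and the commented-out `// .passwordEncoder(bCryptPasswordEncoder());` look deliberate for a training companion, but nothing in the class says so; a header line such as `// CSRF and password hashing are intentionally off: this is a training tool, do not expose it beyond a lab network` would stop the next reader re-raising it. The two sides also disagree on whether the class comment says WebWolf or WebGoat; the paths it protects match the WebWolf controllers elsewhere on this page, so WebWolf appears to be the right word. The class continues past the hunk — another `@Bean` starts on its last line.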


@ -23,7 +23,7 @@
package org.owasp.webgoat.webwolf; package org.owasp.webgoat.webwolf;
import org.owasp.webgoat.webwolf.requests.WebWolfTraceRepository; import org.owasp.webgoat.webwolf.requests.WebWolfTraceRepository;
import org.springframework.boot.actuate.web.exchanges.HttpExchangeRepository; import org.springframework.boot.actuate.trace.http.HttpTraceRepository;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration; import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan; import org.springframework.context.annotation.ComponentScan;
@ -37,7 +37,7 @@ import org.springframework.context.annotation.PropertySource;
public class WebWolf { public class WebWolf {
@Bean @Bean
public HttpExchangeRepository traceRepository() { public HttpTraceRepository traceRepository() {
return new WebWolfTraceRepository(); return new WebWolfTraceRepository();
} }
} }


@ -23,14 +23,10 @@
package org.owasp.webgoat.webwolf.mailbox; package org.owasp.webgoat.webwolf.mailbox;
import com.fasterxml.jackson.annotation.JsonIgnore; import com.fasterxml.jackson.annotation.JsonIgnore;
import jakarta.persistence.Column;
import jakarta.persistence.Entity;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.GenerationType;
import jakarta.persistence.Id;
import java.io.Serializable; import java.io.Serializable;
import java.time.LocalDateTime; import java.time.LocalDateTime;
import java.time.format.DateTimeFormatter; import java.time.format.DateTimeFormatter;
import javax.persistence.*;
import lombok.AllArgsConstructor; import lombok.AllArgsConstructor;
import lombok.Builder; import lombok.Builder;
import lombok.Data; import lombok.Data;


@ -23,25 +23,26 @@
package org.owasp.webgoat.webwolf.mailbox; package org.owasp.webgoat.webwolf.mailbox;
import java.util.List; import java.util.List;
import lombok.RequiredArgsConstructor; import lombok.AllArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.http.HttpStatus; import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody; import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestController; import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.ModelAndView; import org.springframework.web.servlet.ModelAndView;
@RestController @RestController
@RequiredArgsConstructor @AllArgsConstructor
@Slf4j
public class MailboxController { public class MailboxController {
private final MailboxRepository mailboxRepository; private final MailboxRepository mailboxRepository;
@GetMapping("/mail") @GetMapping(value = "/mail")
public ModelAndView mail() { public ModelAndView mail() {
UserDetails user = UserDetails user =
(UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal(); (UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
@ -55,15 +56,9 @@ public class MailboxController {
return modelAndView; return modelAndView;
} }
@PostMapping("/mail") @PostMapping(value = "/mail")
@ResponseStatus(HttpStatus.CREATED) public ResponseEntity<?> sendEmail(@RequestBody Email email) {
public void sendEmail(@RequestBody Email email) {
mailboxRepository.save(email); mailboxRepository.save(email);
} return ResponseEntity.status(HttpStatus.CREATED).build();
@DeleteMapping("/mail")
@ResponseStatus(HttpStatus.ACCEPTED)
public void deleteAllMail() {
mailboxRepository.deleteAll();
} }
} }
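Review bot: `deleteAllMail()` calls `mailboxRepository.deleteAll()` and so empties the entire mailbox table, not the caller's mail, which in the multi-user classroom setup the Requests code on this page mentions lets any logged-in user (or, given the security configuration shown here, possibly any caller) wipe everyone's messages. `mail()` already takes the `UserDetails` from the SecurityContext; scope the delete the same way, e.g. a derived `mailboxRepository.deleteByRecipient(user.getUsername())` — the Email field names are not visible on this page, so match the actual property. 202 ACCEPTED is the status for work deferred; for a synchronous delete 204 NO_CONTENT is the conventional reply. This applies to the side of the diff that carries the `@DeleteMapping`.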


@ -22,8 +22,8 @@
package org.owasp.webgoat.webwolf.requests; package org.owasp.webgoat.webwolf.requests;
import jakarta.servlet.http.HttpServletRequest;
import java.util.concurrent.Callable; import java.util.concurrent.Callable;
import javax.servlet.http.HttpServletRequest;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.springframework.http.ResponseEntity; import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Controller; import org.springframework.stereotype.Controller;


@ -32,7 +32,8 @@ import lombok.Getter;
import lombok.RequiredArgsConstructor; import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.StringUtils;
import org.springframework.boot.actuate.web.exchanges.HttpExchange; import org.springframework.boot.actuate.trace.http.HttpTrace;
import org.springframework.boot.actuate.trace.http.HttpTrace.Request;
import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Controller; import org.springframework.stereotype.Controller;
@ -77,8 +78,8 @@ public class Requests {
return model; return model;
} }
private boolean allowedTrace(HttpExchange t, UserDetails user) { private boolean allowedTrace(HttpTrace t, UserDetails user) {
HttpExchange.Request req = t.getRequest(); Request req = t.getRequest();
boolean allowed = true; boolean allowed = true;
/* do not show certain traces to other users in a classroom setup */ /* do not show certain traces to other users in a classroom setup */
if (req.getUri().getPath().contains("/files") if (req.getUri().getPath().contains("/files")
@ -94,11 +95,11 @@ public class Requests {
return allowed; return allowed;
} }
private String path(HttpExchange t) { private String path(HttpTrace t) {
return (String) t.getRequest().getUri().getPath(); return (String) t.getRequest().getUri().getPath();
} }
private String toJsonString(HttpExchange t) { private String toJsonString(HttpTrace t) {
try { try {
return objectMapper.writeValueAsString(t); return objectMapper.writeValueAsString(t);
} catch (JsonProcessingException e) { } catch (JsonProcessingException e) {
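Review bot: `allowedTrace` decides visibility with `req.getUri().getPath().contains("/files")`, a substring test that also fires for any path that merely contains that text somewhere in the middle, so the per-user hiding is both over- and under-inclusive; `startsWith("/files")` expresses the intent, and since the rest of the condition sits outside the hunk its other operands deserve the same check. `path()` casts `getUri().getPath()` to `String`, but `java.net.URI.getPath()` already returns one, so the cast can go. `toJsonString` serializes the whole exchange, headers included, and its catch block continues past the hunk.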


@ -26,8 +26,8 @@ import com.google.common.collect.EvictingQueue;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.springframework.boot.actuate.web.exchanges.HttpExchange; import org.springframework.boot.actuate.trace.http.HttpTrace;
import org.springframework.boot.actuate.web.exchanges.HttpExchangeRepository; import org.springframework.boot.actuate.trace.http.HttpTraceRepository;
/** /**
* Keep track of all the incoming requests, we are only keeping track of request originating from * Keep track of all the incoming requests, we are only keeping track of request originating from
@ -37,9 +37,9 @@ import org.springframework.boot.actuate.web.exchanges.HttpExchangeRepository;
* @since 8/13/17. * @since 8/13/17.
*/ */
@Slf4j @Slf4j
public class WebWolfTraceRepository implements HttpExchangeRepository { public class WebWolfTraceRepository implements HttpTraceRepository {
private final EvictingQueue<HttpExchange> traces = EvictingQueue.create(10000); private final EvictingQueue<HttpTrace> traces = EvictingQueue.create(10000);
private final List<String> exclusionList = private final List<String> exclusionList =
List.of( List.of(
"/tmpdir", "/tmpdir",
@ -54,11 +54,11 @@ public class WebWolfTraceRepository implements HttpExchangeRepository {
"/mail"); "/mail");
@Override @Override
public List<HttpExchange> findAll() { public List<HttpTrace> findAll() {
return List.of(); return List.of();
} }
public List<HttpExchange> findAllTraces() { public List<HttpTrace> findAllTraces() {
return new ArrayList<>(traces); return new ArrayList<>(traces);
} }
@ -67,7 +67,7 @@ public class WebWolfTraceRepository implements HttpExchangeRepository {
} }
@Override @Override
public void add(HttpExchange httpTrace) { public void add(HttpTrace httpTrace) {
var path = httpTrace.getRequest().getUri().getPath(); var path = httpTrace.getRequest().getUri().getPath();
if (!isInExclusionList(path)) { if (!isInExclusionList(path)) {
traces.add(httpTrace); traces.add(httpTrace);
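Review bot: `add()` runs on every request thread while `findAllTraces()` copies the queue from a controller thread, and Guava's `EvictingQueue` is, as far as I recall, not synchronized, so concurrent adds and evictions can race the `new ArrayList<>(traces)` copy and throw `ConcurrentModificationException` or return a torn list. Wrap it once at construction, `Queues.synchronizedQueue(EvictingQueue.create(10000))`, and take the same lock around the copy, or simply mark `add` and `findAllTraces` `synchronized`. `findAll()` returning `List.of()` while `findAllTraces()` serves the real data is a deliberate split that is easy to misread as a bug; a comment such as `// keep the actuator endpoint empty: WebWolf serves traces itself via Requests, filtered per user` would pin it. `isInExclusionList` and the rest of `add` are outside the hunk.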


@ -22,11 +22,11 @@
package org.owasp.webgoat.webwolf.user; package org.owasp.webgoat.webwolf.user;
import jakarta.persistence.Entity;
import jakarta.persistence.Id;
import jakarta.persistence.Transient;
import java.util.Collection; import java.util.Collection;
import java.util.Collections; import java.util.Collections;
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.Transient;
import lombok.Getter; import lombok.Getter;
import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.User;


@ -13,12 +13,11 @@ server.ssl.key-store-password=${WEBGOAT_KEYSTORE_PASSWORD:password}
server.ssl.key-alias=${WEBGOAT_KEY_ALIAS:goat} server.ssl.key-alias=${WEBGOAT_KEY_ALIAS:goat}
server.ssl.enabled=${WEBGOAT_SSLENABLED:false} server.ssl.enabled=${WEBGOAT_SSLENABLED:false}
spring.banner.location=classpath:banner.txt
spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/webgoat spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/webgoat
spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver
spring.jpa.open-in-view=false
spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect
spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver
spring.jpa.properties.hibernate.default_schema=CONTAINER spring.jpa.properties.hibernate.default_schema=CONTAINER
spring.banner.location=classpath:banner.txt
logging.level.org.thymeleaf=INFO logging.level.org.thymeleaf=INFO
logging.level.org.thymeleaf.TemplateEngine.CONFIG=INFO logging.level.org.thymeleaf.TemplateEngine.CONFIG=INFO
@ -29,7 +28,6 @@ logging.level.org.springframework=INFO
logging.level.org.springframework.boot.devtools=INFO logging.level.org.springframework.boot.devtools=INFO
logging.level.org.owasp=DEBUG logging.level.org.owasp=DEBUG
logging.level.org.owasp.webgoat=DEBUG logging.level.org.owasp.webgoat=DEBUG
logging.level.org.hidbernate.SQL=DEBUG
webgoat.server.directory=${user.home}/.webgoat-${webgoat.build.version}/ webgoat.server.directory=${user.home}/.webgoat-${webgoat.build.version}/
webgoat.user.directory=${user.home}/.webgoat-${webgoat.build.version}/ webgoat.user.directory=${user.home}/.webgoat-${webgoat.build.version}/
@ -53,11 +51,11 @@ spring.jackson.serialization.write-dates-as-timestamps=false
#For static file refresh ... and faster dev :D #For static file refresh ... and faster dev :D
spring.devtools.restart.additional-paths=webgoat-container/src/main/resources/static/js,webgoat-container/src/main/resources/static/css spring.devtools.restart.additional-paths=webgoat-container/src/main/resources/static/js,webgoat-container/src/main/resources/static/css
#exclude based on the enum of the Category
exclude.categories=${EXCLUDE_CATEGORIES:none,none} exclude.categories=${EXCLUDE_CATEGORIES:none,none}
#exclude based on the enum of the Category
#exclude based on the class name of a lesson e.g.: LessonTemplate
exclude.lessons=${EXCLUDE_LESSONS:none,none} exclude.lessons=${EXCLUDE_LESSONS:none,none}
#exclude based on the class name of a lesson e.g.: LessonTemplate
management.health.db.enabled=true management.health.db.enabled=true
management.endpoint.health.show-details=always management.endpoint.health.show-details=always
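Review bot: `logging.level.org.hidbernate.SQL=DEBUG` misspells the package, so whichever side of the diff carries that line configures a logger nothing uses; if SQL statement logging is wanted it should read `logging.level.org.hibernate.SQL=DEBUG`, and if it was a leftover it should simply go, since logging every statement to a shared log is dev-profile material. Unchanged context, but worth a note while here: `management.endpoint.health.show-details=always` hands DB health detail to anyone who can reach the actuator, and the keystore password in the hunk header defaults to `password` when `WEBGOAT_KEYSTORE_PASSWORD` is unset. Both are defensible for a training app, but a comment saying so (`# training app: verbose health output and a default keystore password are intentional; do not reuse in production`) would keep reviewers from stopping here.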


@ -18,7 +18,6 @@ spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/webgoat
spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect
spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver
spring.jpa.properties.hibernate.default_schema=CONTAINER spring.jpa.properties.hibernate.default_schema=CONTAINER
spring.jpa.open-in-view=false
spring.messages.basename=i18n/messages spring.messages.basename=i18n/messages
spring.jmx.enabled=false spring.jmx.enabled=false
@ -27,7 +26,7 @@ logging.level.org.springframework.boot.devtools=WARN
logging.level.org.owasp=DEBUG logging.level.org.owasp=DEBUG
logging.level.org.owasp.webwolf=TRACE logging.level.org.owasp.webwolf=TRACE
management.httpexchanges.recording.include=REQUEST_HEADERS,RESPONSE_HEADERS,COOKIE_HEADERS,TIME_TAKEN management.trace.http.include=REQUEST_HEADERS,RESPONSE_HEADERS,COOKIE_HEADERS,TIME_TAKEN
management.endpoint.httptrace.enabled=true management.endpoint.httptrace.enabled=true
spring.thymeleaf.cache=false spring.thymeleaf.cache=false
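Review bot: `management.endpoint.httptrace.enabled=true` survives on both sides, but on the side that renamed the recording key to `management.httpexchanges.recording.include` the actuator endpoint is, to my knowledge, called `httpexchanges`, so the `httptrace` key there is ignored without any warning; rename it `management.endpoint.httpexchanges.enabled=true` on that side, or drop it entirely given that `WebWolfTraceRepository.findAll()` on this page returns an empty list anyway. Recording `COOKIE_HEADERS` stores every session cookie that transits WebWolf in memory; that is the feature, but it depends wholly on the per-user check in `Requests.allowedTrace`, and a comment on this line naming that dependency (`# cookie headers are captured on purpose; Requests.allowedTrace hides other users' traces`) would make the coupling visible.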


@ -1,4 +0,0 @@
ALTER TABLE CONTAINER.ASSIGNMENT ALTER COLUMN ID SET GENERATED BY DEFAULT AS IDENTITY(START WITH 1);
ALTER TABLE CONTAINER.LESSON_TRACKER ALTER COLUMN ID SET GENERATED BY DEFAULT AS IDENTITY(START WITH 1);
ALTER TABLE CONTAINER.USER_TRACKER ALTER COLUMN ID SET GENERATED BY DEFAULT AS IDENTITY(START WITH 1);


@ -4,14 +4,14 @@
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="~{doc:lessons/authbypass/documentation/bypass-intro.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/bypass-intro.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="~{doc:lessons/authbypass/documentation/2fa-bypass.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/2fa-bypass.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
@ -72,9 +72,9 @@
<!-- reuse the above lesson-page-wrapper block for each 'page' of content in your lesson --> <!-- reuse the above lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<!--<div class="adoc-content" th:replace="~{doc:lessons/authbypass/documentation/lesson-template-video.adoc}"></div>--> <!--<div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/lesson-template-video.adoc"></div>-->
<!-- can use multiple adoc's in a page-wrapper if you want ... or not--> <!-- can use multiple adoc's in a page-wrapper if you want ... or not-->
<!--<div class="adoc-content" th:replace="~{doc:lessons/authbypass/documentation/lesson-template-attack.adoc}"></div>--> <!--<div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/lesson-template-attack.adoc"></div>-->
<!-- WebGoat will automatically style and scaffold some functionality by using the div.attack-container as below --> <!-- WebGoat will automatically style and scaffold some functionality by using the div.attack-container as below -->


@ -6,12 +6,12 @@
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files, <!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="~{doc:lessons/bypassrestrictions/documentation/BypassRestrictions_Intro.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/bypassrestrictions/documentation/BypassRestrictions_Intro.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- stripped down without extra comments --> <!-- stripped down without extra comments -->
<div class="adoc-content" th:replace="~{doc:lessons/bypassrestrictions/documentation/BypassRestrictions_FieldRestrictions.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/bypassrestrictions/documentation/BypassRestrictions_FieldRestrictions.adoc"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/bypass-restrictions.css}"/> <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/bypass-restrictions.css}"/>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@ -59,7 +59,7 @@
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/bypassrestrictions/documentation/BypassRestrictions_FrontendValidation.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/bypassrestrictions/documentation/BypassRestrictions_FrontendValidation.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>


@ -3,7 +3,7 @@
<html xmlns:th="http://www.thymeleaf.org"> <html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_introduction.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_introduction.adoc"></div>
</div> </div>
</html> </html>


@ -3,7 +3,7 @@
<html xmlns:th="http://www.thymeleaf.org"> <html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_introduction.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_introduction.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="attack-container"> <div class="attack-container">


@ -4,7 +4,7 @@
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_5.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_5.adoc"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge6.css}"/> <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge6.css}"/>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>


@ -4,7 +4,7 @@
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_6.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_6.adoc"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge6.css}"/> <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge6.css}"/>
<script th:src="@{/lesson_js/challenge6.js}" language="JavaScript"></script> <script th:src="@{/lesson_js/challenge6.js}" language="JavaScript"></script>
<div class="attack-container"> <div class="attack-container">


@ -12,7 +12,7 @@ f94008f801fceb8833a30fe56a8b26976347edcf First version of WebGoat Cloud website
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_7.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_7.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container-fluid"> <div class="container-fluid">


@ -3,7 +3,7 @@
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_8.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_8.adoc"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge8.css}"/> <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge8.css}"/>
<script th:src="@{/lesson_js/challenge8.js}" language="JavaScript"></script> <script th:src="@{/lesson_js/challenge8.js}" language="JavaScript"></script>


@ -4,22 +4,22 @@
<!-- 1 --> <!-- 1 -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_intro.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_intro.adoc"></div>
</div> </div>
<!-- 2 --> <!-- 2 -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_elements.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_elements.adoc"></div>
</div> </div>
<!-- 3 --> <!-- 3 -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_console.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_console.adoc"></div>
</div> </div>
<!-- 4 --> <!-- 4 -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_Assignment.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_Assignment.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" <form class="attack-form" accept-charset="UNKNOWN"
@ -35,12 +35,12 @@
<!-- 5 --> <!-- 5 -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_sources.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_sources.adoc"></div>
</div> </div>
<!-- 6 --> <!-- 6 -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_Assignment_Network.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_Assignment_Network.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" <form class="attack-form" accept-charset="UNKNOWN"


@ -3,19 +3,19 @@
<html xmlns:th="http://www.thymeleaf.org"> <html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_intro.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_intro.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_confidentiality.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_confidentiality.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_integrity.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_integrity.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_availability.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_availability.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
@ -23,7 +23,7 @@
<link rel="stylesheet" type="text/css" th:href="@{/css/quiz.css}"/> <link rel="stylesheet" type="text/css" th:href="@{/css/quiz.css}"/>
<script th:src="@{/js/quiz.js}" language="JavaScript"></script> <script th:src="@{/js/quiz.js}" language="JavaScript"></script>
<link rel="import" type="application/json" th:href="@{/lesson_js/questions.json}"/> <link rel="import" type="application/json" th:href="@{/lesson_js/questions.json}"/>
<div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_quiz.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_quiz.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container-fluid"> <div class="container-fluid">


@ -2,10 +2,10 @@
<html xmlns:th="http://www.thymeleaf.org"> <html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_plan.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_plan.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_assignment.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_assignment.adoc"></div>
<br/> <br/>
@ -74,7 +74,7 @@
</div> </div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_final.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_final.adoc"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/clientSideFilteringFree.css}"/> <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/clientSideFilteringFree.css}"/>
<script th:src="@{/lesson_js/clientSideFilteringFree.js}" language="JavaScript"></script> <script th:src="@{/lesson_js/clientSideFilteringFree.js}" language="JavaScript"></script>
<div class="attack-container"> <div class="attack-container">


@ -18,11 +18,11 @@ $(document).ready(initialise);
<body> <body>
<!-- 1. overview --> <!-- 1. overview -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/Crypto_plan.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/Crypto_plan.adoc"></div>
</div> </div>
<!-- 2. encoding --> <!-- 2. encoding -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/encoding_plan.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/encoding_plan.adoc"></div>
<!-- 2. assignment --> <!-- 2. assignment -->
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@ -41,7 +41,7 @@ $(document).ready(initialise);
</div> </div>
<!-- 3. encoding xor --> <!-- 3. encoding xor -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/encoding_plan2.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/encoding_plan2.adoc"></div>
<!-- 3. assignment xor --> <!-- 3. assignment xor -->
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@ -58,7 +58,7 @@ $(document).ready(initialise);
<!-- 4. hashing --> <!-- 4. hashing -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/hashing_plan.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/hashing_plan.adoc"></div>
<!-- 4. weak hashing exercise --> <!-- 4. weak hashing exercise -->
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@ -76,12 +76,12 @@ $(document).ready(initialise);
<!-- 5. encryption --> <!-- 5. encryption -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/encryption.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/encryption.adoc"></div>
</div> </div>
<!-- 6. signing --> <!-- 6. signing -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/signing.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/signing.adoc"></div>
<!-- 6. assignment --> <!-- 6. assignment -->
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@ -101,12 +101,12 @@ $(document).ready(initialise);
<!-- 7. keystores --> <!-- 7. keystores -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/keystores.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/keystores.adoc"></div>
</div> </div>
<!-- 8. security defaults --> <!-- 8. security defaults -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/defaults.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/defaults.adoc"></div>
<!-- 8. assignment --> <!-- 8. assignment -->
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@ -123,7 +123,7 @@ $(document).ready(initialise);
</div> </div>
<!-- 9. postquantum --> <!-- 9. postquantum -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/postquantum.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/postquantum.adoc"></div>
</div> </div>
</body> </body>
</html> </html>


@ -3,15 +3,15 @@
<html xmlns:th="http://www.thymeleaf.org"> <html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_intro.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_intro.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_GET.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_GET.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_Get_Flag.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Get_Flag.adoc"></div>
<form accept-charset="UNKNOWN" id="basic-csrf-get" <form accept-charset="UNKNOWN" id="basic-csrf-get"
method="POST" name="form1" method="POST" name="form1"
@ -23,7 +23,7 @@
</form> </form>
<div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_Basic_Get-1.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Basic_Get-1.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/> <img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
@ -54,7 +54,7 @@
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_Reviews.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Reviews.adoc"></div>
<!-- comment area --> <!-- comment area -->
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/reviews.css}"/> <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/reviews.css}"/>
@ -121,15 +121,15 @@
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_Frameworks.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Frameworks.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_JSON.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_JSON.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_ContentType.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_ContentType.adoc"></div>
<script th:src="@{/lesson_js/feedback.js}" language="JavaScript"></script> <script th:src="@{/lesson_js/feedback.js}" language="JavaScript"></script>
<div style="container-fluid; background-color: #f1f1f1; border: 2px solid #a66; <div style="container-fluid; background-color: #f1f1f1; border: 2px solid #a66;
@ -227,7 +227,7 @@
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_Login.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Login.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"> <div class="assignment-success">
@ -251,7 +251,7 @@
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_Impact_Defense.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Impact_Defense.adoc"></div>
</div> </div>


@ -3,24 +3,24 @@
<html xmlns:th="http://www.thymeleaf.org"> <html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/deserialization/documentation/InsecureDeserialization_Intro.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/deserialization/documentation/InsecureDeserialization_Intro.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/deserialization/documentation/InsecureDeserialization_WhatIs.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/deserialization/documentation/InsecureDeserialization_WhatIs.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/deserialization/documentation/InsecureDeserialization_SimpleExploit.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/deserialization/documentation/InsecureDeserialization_SimpleExploit.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/deserialization/documentation/InsecureDeserialization_GadgetChain.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/deserialization/documentation/InsecureDeserialization_GadgetChain.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- stripped down without extra comments --> <!-- stripped down without extra comments -->
<div class="adoc-content" th:replace="~{doc:lessons/deserialization/documentation/InsecureDeserialization_Task.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/deserialization/documentation/InsecureDeserialization_Task.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" name="task" <form class="attack-form" accept-charset="UNKNOWN" name="task"


@ -1,4 +1,4 @@
= Hijack a Session = Hijack a Session
In this lesson we are trying to predict the 'hijack_cookie' value. The 'hijack_cookie' is used to differentiate authenticated and anonymous users of WebGoat. In this lesson we are trying to predict the 'hijack_cookie' value. THe 'hijack_cookie' is used to differentiate authenticated and anonymous users of WebGoat.


@ -7,12 +7,12 @@
<!-- 1 --> <!-- 1 -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/hijacksession/documentation/HijackSession_plan.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/hijacksession/documentation/HijackSession_plan.adoc"></div>
</div> </div>
<!-- 2 --> <!-- 2 -->
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="~{doc:lessons/hijacksession/documentation/HijackSession_content0.adoc}"></div> <div class="adoc-content" th:replace="doc:lessons/hijacksession/documentation/HijackSession_content0.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"> <div class="assignment-success">
<i class="fa fa-2 fa-check hidden" aria-hidden="true"></i> <i class="fa fa-2 fa-check hidden" aria-hidden="true"></i>


@ -7,7 +7,7 @@
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- reuse this block for each 'page' of content --> <!-- reuse this block for each 'page' of content -->
<!-- include content here ... will be first page/tab multiple --> <!-- include content here ... will be first page/tab multiple -->
<div class="adoc-content" th:replace="~{doc:HijackSession_solution.adoc}"></div> <div class="adoc-content" th:replace="doc:HijackSession_solution.adoc"></div>
</div> </div>
