dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: dubey:nbaars/refactor-plugin-message
Branches Tags
dubey:main dubey:nbaars/refactor-plugin-message dubey:nbaars/1873 dubey:nbaars/build dubey:lang-es dubey:gh-1165 dubey:gh-1329 dubey:develop dubey:label-hint-tests dubey:helm-webgoat dubey:helm
dubey:v2025.3 dubey:v2025.2 dubey:v2025.1 dubey:v2025.0 dubey:v2023.8 dubey:v2023.7 dubey:v2023.6 dubey:v2023.5 dubey:v2023.4 dubey:v2023.04 dubey:v2023.3 dubey:v2023.2 dubey:v2023.1 dubey:v2023.0 dubey:v8.2.2 dubey:v8.2.1 dubey:v8.2.0 dubey:vtest10 dubey:vtest9 dubey:vtest8 dubey:vtest7 dubey:vtest6 dubey:vtest5 dubey:vtest4 dubey:vtest3 dubey:vtest2 dubey:vtest1 dubey:vtest dubey:test-v19 dubey:test-v18 dubey:test-v17 dubey:test-v16 dubey:test-v15 dubey:test-v14 dubey:test-v13 dubey:test-v12 dubey:test-v11 dubey:test-v10 dubey:test-v9 dubey:test-v8 dubey:test-v7 dubey:test-v6 dubey:test-v5 dubey:test-v4 dubey:test-v3 dubey:test-v2 dubey:test-v1.0 dubey:v8.1.0 dubey:v8.0.0.M26 dubey:v8.0.0.M25 dubey:v8.0.0.M24 dubey:v8.0.0.M23 dubey:v8.0.0.M22 dubey:v8.0.0.M21 dubey:v8.0.0.M20 dubey:v8.0.0.M19 dubey:v8.0.0.M18 dubey:v8.0.0.M17 dubey:v8.0.0.M16 dubey:v8.0.0 dubey:v8.0.0.M15 dubey:v8.0.0.M14 dubey:v8.0.0.M13 dubey:v8.0.0.M12 dubey:v8.0.0.M11 dubey:v8.0.0.M10 dubey:v8.0.0.M9 dubey:v8.0.0.M8 dubey:8.0.0 dubey:v8.0.0.M7 dubey:v8.0.0.M6 dubey:v8.0.0.M5 dubey:v8.0.0.M4 dubey:v8.0.0.M3 dubey:v8.0.0.M2 dubey:v8.0.0.M1 dubey:7.1 dubey:7.0.1
..
compare: dubey:nbaars/build
Branches Tags
dubey:main dubey:nbaars/refactor-plugin-message dubey:nbaars/1873 dubey:nbaars/build dubey:lang-es dubey:gh-1165 dubey:gh-1329 dubey:develop dubey:label-hint-tests dubey:helm-webgoat dubey:helm
dubey:v2025.3 dubey:v2025.2 dubey:v2025.1 dubey:v2025.0 dubey:v2023.8 dubey:v2023.7 dubey:v2023.6 dubey:v2023.5 dubey:v2023.4 dubey:v2023.04 dubey:v2023.3 dubey:v2023.2 dubey:v2023.1 dubey:v2023.0 dubey:v8.2.2 dubey:v8.2.1 dubey:v8.2.0 dubey:vtest10 dubey:vtest9 dubey:vtest8 dubey:vtest7 dubey:vtest6 dubey:vtest5 dubey:vtest4 dubey:vtest3 dubey:vtest2 dubey:vtest1 dubey:vtest dubey:test-v19 dubey:test-v18 dubey:test-v17 dubey:test-v16 dubey:test-v15 dubey:test-v14 dubey:test-v13 dubey:test-v12 dubey:test-v11 dubey:test-v10 dubey:test-v9 dubey:test-v8 dubey:test-v7 dubey:test-v6 dubey:test-v5 dubey:test-v4 dubey:test-v3 dubey:test-v2 dubey:test-v1.0 dubey:v8.1.0 dubey:v8.0.0.M26 dubey:v8.0.0.M25 dubey:v8.0.0.M24 dubey:v8.0.0.M23 dubey:v8.0.0.M22 dubey:v8.0.0.M21 dubey:v8.0.0.M20 dubey:v8.0.0.M19 dubey:v8.0.0.M18 dubey:v8.0.0.M17 dubey:v8.0.0.M16 dubey:v8.0.0 dubey:v8.0.0.M15 dubey:v8.0.0.M14 dubey:v8.0.0.M13 dubey:v8.0.0.M12 dubey:v8.0.0.M11 dubey:v8.0.0.M10 dubey:v8.0.0.M9 dubey:v8.0.0.M8 dubey:8.0.0 dubey:v8.0.0.M7 dubey:v8.0.0.M6 dubey:v8.0.0.M5 dubey:v8.0.0.M4 dubey:v8.0.0.M3 dubey:v8.0.0.M2 dubey:v8.0.0.M1 dubey:7.1 dubey:7.0.1

3 Commits
nbaars/ref ... nbaars/bui

Author SHA1 Message Date
Nanne Baars
d94d99a942 ci: run pre-commit checks first 2024-10-28 21:54:49 +01:00
Nanne Baars
52c20738f9 fix: passing command line arguments 
Since we already have `webwolf.port` it makes sense to also define `webwolf.port` explicitly and not rely on `server.port`

Closes: #1910
 2024-10-27 08:29:14 +01:00
Nanne Baars
e5d5a370f9 fix: use banners correctly 2024-10-27 07:49:37 +01:00
191 changed files with 1032 additions and 927 deletions
Expand all files Collapse all files

5
.github/workflows/build.yml vendored
View File

@ -16,7 +16,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout git repository
uses: actions/checkout@v4.1.6
uses: actions/checkout@v4
- name: Setup python
uses: actions/setup-python@v5
with:
@ -26,13 +26,12 @@ jobs:
distribution: 'temurin'
java-version: '21'
- name: Pre-commit checks
uses: pre-commit/action@v3.0.1
uses: pre-commit/action@v3.0.0
- name: pre-commit-ci-lite
uses: pre-commit-ci/lite-action@v1.1.0
if: always()
build:
runs-on: ${{ matrix.os }}
needs: [ pre-commit ]
strategy:
fail-fast: true
matrix:

20
pom.xml
View File

@ -66,13 +66,13 @@
<bootstrap.version>5.3.3</bootstrap.version>
<cglib.version>3.3.0</cglib.version>
<!-- do not update necessary for lesson -->
<checkstyle.version>3.6.0</checkstyle.version>
<checkstyle.version>3.4.0</checkstyle.version>
<commons-collections.version>3.2.1</commons-collections.version>
<commons-compress.version>1.27.1</commons-compress.version>
<commons-io.version>2.17.0</commons-io.version>
<commons-io.version>2.16.1</commons-io.version>
<commons-lang3.version>3.14.0</commons-lang3.version>
<commons-text.version>1.12.0</commons-text.version>
<guava.version>33.3.1-jre</guava.version>
<guava.version>33.3.0-jre</guava.version>
<jacoco.version>0.8.11</jacoco.version>
<java.version>21</java.version>
<jaxb.version>2.3.1</jaxb.version>
@ -85,7 +85,7 @@
<maven-jar-plugin.version>3.1.2</maven-jar-plugin.version>
<maven-javadoc-plugin.version>3.1.1</maven-javadoc-plugin.version>
<maven-source-plugin.version>3.1.0</maven-source-plugin.version>
<maven-surefire-plugin.version>3.5.2</maven-surefire-plugin.version>
<maven-surefire-plugin.version>3.5.1</maven-surefire-plugin.version>
<maven.compiler.source>21</maven.compiler.source>
<maven.compiler.target>21</maven.compiler.target>
<pmd.version>3.15.0</pmd.version>
@ -93,13 +93,13 @@
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<thymeleaf.version>3.1.2.RELEASE</thymeleaf.version>
<waittimeForServerStart>60</waittimeForServerStart>
<waittimeForServerStart>30</waittimeForServerStart>
<webdriver.version>5.9.2</webdriver.version>
<webgoat.context>/</webgoat.context>
<webgoat.sslenabled>false</webgoat.sslenabled>
<webjars-locator-core.version>0.59</webjars-locator-core.version>
<webwolf.context>/</webwolf.context>
<wiremock.version>3.9.2</wiremock.version>
<wiremock.version>3.9.1</wiremock.version>
<xml-resolver.version>1.2</xml-resolver.version>
<xstream.version>1.4.5</xstream.version>
<!-- do not update necessary for lesson -->
@ -213,7 +213,7 @@
<dependency>
<groupId>org.jruby</groupId>
<artifactId>jruby</artifactId>
<version>9.4.9.0</version>
<version>9.4.8.0</version>
</dependency>
</dependencies>
</dependencyManagement>
@ -235,13 +235,13 @@
<dependency>
<groupId>org.testcontainers</groupId>
<artifactId>testcontainers</artifactId>
<version>1.20.3</version>
<version>1.20.1</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.testcontainers</groupId>
<artifactId>junit-jupiter</artifactId>
<version>1.20.3</version>
<version>1.20.1</version>
<scope>test</scope>
</dependency>
<dependency>
@ -374,7 +374,7 @@
<dependency>
<groupId>com.github.terma</groupId>
<artifactId>javaniotcpproxy</artifactId>
<version>1.6</version>
<version>1.5</version>
<scope>test</scope>
</dependency>

4
src/main/java/org/owasp/webgoat/container/LessonTemplateResolver.java
View File

@ -55,8 +55,8 @@ import org.thymeleaf.templateresource.StringTemplateResource;
public class LessonTemplateResolver extends FileTemplateResolver {
private static final String PREFIX = "lesson:";
private final ResourceLoader resourceLoader;
private final Map<String, byte[]> resources = new HashMap<>();
private ResourceLoader resourceLoader;
private Map<String, byte[]> resources = new HashMap<>();
public LessonTemplateResolver(ResourceLoader resourceLoader) {
this.resourceLoader = resourceLoader;

25
src/main/java/org/owasp/webgoat/container/MvcConfiguration.java
View File

@ -40,6 +40,7 @@ import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.container.i18n.Language;
import org.owasp.webgoat.container.i18n.Messages;
import org.owasp.webgoat.container.i18n.PluginMessages;
import org.owasp.webgoat.container.lessons.LessonScanner;
import org.owasp.webgoat.container.session.LabelDebugger;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Bean;
@ -73,6 +74,8 @@ public class MvcConfiguration implements WebMvcConfigurer {
private static final String UTF8 = "UTF-8";
private final LessonScanner lessonScanner;
@Override
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/login").setViewName("login");
@ -184,6 +187,28 @@ public class MvcConfiguration implements WebMvcConfigurer {
registry
.addResourceHandler("/fonts/**")
.addResourceLocations("classpath:/webgoat/static/fonts/");
// WebGoat lessons
registry
.addResourceHandler("/images/**")
.addResourceLocations(
lessonScanner.applyPattern("classpath:/lessons/%s/images/").toArray(String[]::new));
registry
.addResourceHandler("/lesson_js/**")
.addResourceLocations(
lessonScanner.applyPattern("classpath:/lessons/%s/js/").toArray(String[]::new));
registry
.addResourceHandler("/lesson_css/**")
.addResourceLocations(
lessonScanner.applyPattern("classpath:/lessons/%s/css/").toArray(String[]::new));
registry
.addResourceHandler("/lesson_templates/**")
.addResourceLocations(
lessonScanner.applyPattern("classpath:/lessons/%s/templates/").toArray(String[]::new));
registry
.addResourceHandler("/video/**")
.addResourceLocations(
lessonScanner.applyPattern("classpath:/lessons/%s/video/").toArray(String[]::new));
}
@Bean

7
src/main/java/org/owasp/webgoat/container/WebGoat.java
View File

@ -33,6 +33,7 @@ package org.owasp.webgoat.container;
import java.io.File;
import org.owasp.webgoat.container.session.LessonSession;
import org.owasp.webgoat.container.users.UserRepository;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.domain.EntityScan;
@ -53,6 +54,12 @@ import org.springframework.web.client.RestTemplate;
@EntityScan(basePackages = "org.owasp.webgoat.container")
public class WebGoat {
private final UserRepository userRepository;
public WebGoat(UserRepository userRepository) {
this.userRepository = userRepository;
}
@Bean(name = "pluginTargetDirectory")
public File pluginTargetDirectory(@Value("${webgoat.user.directory}") final String webgoatHome) {
return new File(webgoatHome);

49
src/main/java/org/owasp/webgoat/container/assignments/AssignmentEndpoint.java
View File

@ -25,4 +25,51 @@
package org.owasp.webgoat.container.assignments;
public interface AssignmentEndpoint {}
import org.owasp.webgoat.container.i18n.PluginMessages;
import org.springframework.beans.factory.annotation.Autowired;
public abstract class AssignmentEndpoint {
// TODO: move this to different bean.
@Autowired private PluginMessages messages;
/**
* Convenience method for create a successful result:
*
* <p>- Assignment is set to solved - Feedback message is set to 'assignment.solved'
*
* <p>Of course you can overwrite these values in a specific lesson
*
* @return a builder for creating a result from a lesson
* @param assignment
*/
protected AttackResult.AttackResultBuilder success(AssignmentEndpoint assignment) {
return AttackResult.builder(messages)
.lessonCompleted(true)
.attemptWasMade()
.feedback("assignment.solved")
.assignment(assignment);
}
/**
* Convenience method for create a failed result:
*
* <p>- Assignment is set to not solved - Feedback message is set to 'assignment.not.solved'
*
* <p>Of course you can overwrite these values in a specific lesson
*
* @return a builder for creating a result from a lesson
* @param assignment
*/
protected AttackResult.AttackResultBuilder failed(AssignmentEndpoint assignment) {
return AttackResult.builder(messages)
.lessonCompleted(false)
.attemptWasMade()
.feedback("assignment.not.solved")
.assignment(assignment);
}
protected AttackResult.AttackResultBuilder informationMessage(AssignmentEndpoint assignment) {
return AttackResult.builder(messages).lessonCompleted(false).assignment(assignment);
}
}

19
src/main/java/org/owasp/webgoat/container/assignments/AssignmentPath.java Normal file
View File

@ -0,0 +1,19 @@
package org.owasp.webgoat.container.assignments;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import org.springframework.web.bind.annotation.RequestMethod;
/** Created by nbaars on 1/14/17. */
@Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME)
public @interface AssignmentPath {
String[] path() default {};
RequestMethod[] method() default {};
String value() default "";
}

100
src/main/java/org/owasp/webgoat/container/assignments/AttackResult.java
View File

@ -30,18 +30,82 @@ import static org.apache.commons.text.StringEscapeUtils.escapeJson;
import lombok.Getter;
import org.owasp.webgoat.container.i18n.PluginMessages;
@Getter
public class AttackResult {
public static class AttackResultBuilder {
private boolean lessonCompleted;
private String feedback;
private PluginMessages messages;
private Object[] feedbackArgs;
private String feedbackResourceBundleKey;
private String output;
private Object[] outputArgs;
private final String assignment;
private boolean attemptWasMade;
private AssignmentEndpoint assignment;
private boolean attemptWasMade = false;
private AttackResult(
public AttackResultBuilder(PluginMessages messages) {
this.messages = messages;
}
public AttackResultBuilder lessonCompleted(boolean lessonCompleted) {
this.lessonCompleted = lessonCompleted;
this.feedbackResourceBundleKey = "lesson.completed";
return this;
}
public AttackResultBuilder lessonCompleted(boolean lessonCompleted, String resourceBundleKey) {
this.lessonCompleted = lessonCompleted;
this.feedbackResourceBundleKey = resourceBundleKey;
return this;
}
public AttackResultBuilder feedbackArgs(Object... args) {
this.feedbackArgs = args;
return this;
}
public AttackResultBuilder feedback(String resourceBundleKey) {
this.feedbackResourceBundleKey = resourceBundleKey;
return this;
}
public AttackResultBuilder output(String output) {
this.output = output;
return this;
}
public AttackResultBuilder outputArgs(Object... args) {
this.outputArgs = args;
return this;
}
public AttackResultBuilder attemptWasMade() {
this.attemptWasMade = true;
return this;
}
public AttackResult build() {
return new AttackResult(
lessonCompleted,
messages.getMessage(feedbackResourceBundleKey, feedbackArgs),
messages.getMessage(output, output, outputArgs),
assignment.getClass().getSimpleName(),
attemptWasMade);
}
public AttackResultBuilder assignment(AssignmentEndpoint assignment) {
this.assignment = assignment;
return this;
}
}
@Getter private boolean lessonCompleted;
@Getter private String feedback;
@Getter private String output;
@Getter private final String assignment;
@Getter private boolean attemptWasMade;
public AttackResult(
boolean lessonCompleted,
String feedback,
String output,
@ -54,33 +118,11 @@ public class AttackResult {
this.attemptWasMade = attemptWasMade;
}
public AttackResult(
boolean lessonCompleted,
String feedback,
Object[] feedbackArgs,
String output,
Object[] outputArgs,
String assignment,
boolean attemptWasMade) {
this.lessonCompleted = lessonCompleted;
this.feedback = feedback;
this.feedbackArgs = feedbackArgs;
this.output = output;
this.outputArgs = outputArgs;
this.assignment = assignment;
this.attemptWasMade = attemptWasMade;
public static AttackResultBuilder builder(PluginMessages messages) {
return new AttackResultBuilder(messages);
}
public boolean assignmentSolved() {
return lessonCompleted;
}
public AttackResult apply(PluginMessages pluginMessages) {
return new AttackResult(
lessonCompleted,
pluginMessages.getMessage(feedback, feedback, feedbackArgs),
pluginMessages.getMessage(output, output, outputArgs),
assignment,
attemptWasMade);
}
}

130
src/main/java/org/owasp/webgoat/container/assignments/AttackResultBuilder.java
View File

@ -1,130 +0,0 @@
package org.owasp.webgoat.container.assignments;
import org.owasp.webgoat.container.i18n.PluginMessages;
public class AttackResultBuilder {
private PluginMessages messages;
private boolean lessonCompleted;
private Object[] feedbackArgs;
private String feedbackResourceBundleKey;
private String output;
private Object[] outputArgs;
private AssignmentEndpoint assignment;
private boolean attemptWasMade = false;
private boolean assignmentCompleted;
public AttackResultBuilder(PluginMessages messages) {
this.messages = messages;
}
public AttackResultBuilder() {}
public AttackResultBuilder lessonCompleted(boolean lessonCompleted) {
this.lessonCompleted = lessonCompleted;
this.feedbackResourceBundleKey = "lesson.completed";
return this;
}
public AttackResultBuilder lessonCompleted(boolean lessonCompleted, String resourceBundleKey) {
this.lessonCompleted = lessonCompleted;
this.feedbackResourceBundleKey = resourceBundleKey;
return this;
}
public AttackResultBuilder assignmentCompleted(boolean assignmentCompleted) {
this.assignmentCompleted = assignmentCompleted;
this.feedbackResourceBundleKey = "assignment.completed";
return this;
}
public AttackResultBuilder assignmentCompleted(
boolean assignmentCompleted, String resourceBundleKey) {
this.assignmentCompleted = assignmentCompleted;
this.feedbackResourceBundleKey = resourceBundleKey;
return this;
}
public AttackResultBuilder feedbackArgs(Object... args) {
this.feedbackArgs = args;
return this;
}
public AttackResultBuilder feedback(String resourceBundleKey) {
this.feedbackResourceBundleKey = resourceBundleKey;
return this;
}
public AttackResultBuilder output(String output) {
this.output = output;
return this;
}
public AttackResultBuilder outputArgs(Object... args) {
this.outputArgs = args;
return this;
}
public AttackResultBuilder attemptWasMade() {
this.attemptWasMade = true;
return this;
}
public AttackResult build() {
return new AttackResult(
lessonCompleted,
feedbackResourceBundleKey,
feedbackArgs,
output,
outputArgs,
assignment.getClass().getSimpleName(),
attemptWasMade);
}
public AttackResultBuilder assignment(AssignmentEndpoint assignment) {
this.assignment = assignment;
return this;
}
/**
* Convenience method for create a successful result:
*
* <p>- Assignment is set to solved - Feedback message is set to 'assignment.solved'
*
* <p>Of course you can overwrite these values in a specific lesson
*
* @return a builder for creating a result from a lesson
* @param assignment
*/
public static AttackResultBuilder success(AssignmentEndpoint assignment) {
return new AttackResultBuilder()
.lessonCompleted(true)
.assignmentCompleted(true)
.attemptWasMade()
.feedback("assignment.solved")
.assignment(assignment);
}
/**
* Convenience method for create a failed result:
*
* <p>- Assignment is set to not solved - Feedback message is set to 'assignment.not.solved'
*
* <p>Of course you can overwrite these values in a specific lesson
*
* @return a builder for creating a result from a lesson
* @param assignment
*/
public static AttackResultBuilder failed(AssignmentEndpoint assignment) {
return new AttackResultBuilder()
.lessonCompleted(false)
.assignmentCompleted(true)
.attemptWasMade()
.feedback("assignment.not.solved")
.assignment(assignment);
}
public static AttackResultBuilder informationMessage(AssignmentEndpoint assignment) {
return new AttackResultBuilder().lessonCompleted(false).assignment(assignment);
}
}

41
src/main/java/org/owasp/webgoat/container/assignments/AttackResultMessageResponseBodyAdvice.java
View File

@ -1,41 +0,0 @@
package org.owasp.webgoat.container.assignments;
import org.owasp.webgoat.container.i18n.PluginMessages;
import org.springframework.core.MethodParameter;
import org.springframework.http.MediaType;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.http.server.ServerHttpRequest;
import org.springframework.http.server.ServerHttpResponse;
import org.springframework.web.bind.annotation.RestControllerAdvice;
import org.springframework.web.servlet.mvc.method.annotation.ResponseBodyAdvice;
/** This class intercepts the response body and applies the plugin messages to the attack result. */
@RestControllerAdvice
public class AttackResultMessageResponseBodyAdvice implements ResponseBodyAdvice<Object> {
private final PluginMessages pluginMessages;
public AttackResultMessageResponseBodyAdvice(PluginMessages pluginMessages) {
this.pluginMessages = pluginMessages;
}
@Override
public boolean supports(
MethodParameter returnType, Class<? extends HttpMessageConverter<?>> converterType) {
return true;
}
@Override
public Object beforeBodyWrite(
Object body,
MethodParameter returnType,
MediaType selectedContentType,
Class<? extends HttpMessageConverter<?>> selectedConverterType,
ServerHttpRequest request,
ServerHttpResponse response) {
if (body instanceof AttackResult a) {
return a.apply(pluginMessages);
}
return body;
}
}

10
src/main/java/org/owasp/webgoat/container/lessons/CourseConfiguration.java
View File

@ -30,7 +30,6 @@ import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.container.session.Course;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.util.Assert;
@ -43,15 +42,10 @@ import org.springframework.web.bind.annotation.RequestMapping;
public class CourseConfiguration {
private final List<Lesson> lessons;
private final List<AssignmentEndpoint> assignments;
private final String contextPath;
public CourseConfiguration(
List<Lesson> lessons,
List<AssignmentEndpoint> assignments,
@Value("${server.servlet.context-path}") String contextPath) {
public CourseConfiguration(List<Lesson> lessons, List<AssignmentEndpoint> assignments) {
this.lessons = lessons;
this.assignments = assignments;
this.contextPath = contextPath.equals("/") ? "" : contextPath;
}
private void attachToLessonInParentPackage(
@ -130,7 +124,7 @@ public class CourseConfiguration {
if (methodReturnTypeIsOfTypeAttackResult(m)) {
var mapping = getMapping(m);
if (mapping != null) {
return contextPath + mapping;
return mapping;
}
}
}

3
src/main/java/org/owasp/webgoat/container/lessons/LessonMenuItemType.java
View File

@ -35,5 +35,6 @@ package org.owasp.webgoat.container.lessons;
*/
public enum LessonMenuItemType {
CATEGORY,
LESSON
LESSON,
STAGE
}

42
src/main/java/org/owasp/webgoat/container/lessons/LessonScanner.java Normal file
View File

@ -0,0 +1,42 @@
package org.owasp.webgoat.container.lessons;
import java.io.IOException;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
import lombok.Getter;
import lombok.extern.slf4j.Slf4j;
import org.springframework.core.io.support.ResourcePatternResolver;
import org.springframework.stereotype.Component;
@Component
@Slf4j
public class LessonScanner {
private static final Pattern lessonPattern = Pattern.compile("^.*/lessons/([^/]*)/.*$");
@Getter private final Set<String> lessons = new HashSet<>();
public LessonScanner(ResourcePatternResolver resourcePatternResolver) {
try {
var resources = resourcePatternResolver.getResources("classpath:/lessons/*/*");
for (var resource : resources) {
// WG can run as a fat jar or as directly from file system we need to support both so use
// the URL
var url = resource.getURL();
var matcher = lessonPattern.matcher(url.toString());
if (matcher.matches()) {
lessons.add(matcher.group(1));
}
}
log.debug("Found {} lessons", lessons.size());
} catch (IOException e) {
log.warn("No lessons found...");
}
}
public List<String> applyPattern(String pattern) {
return lessons.stream().map(lesson -> String.format(pattern, lesson)).toList();
}
}

18
src/main/java/org/owasp/webgoat/container/service/LessonMenuService.java
View File

@ -30,8 +30,10 @@ package org.owasp.webgoat.container.service;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;
import java.util.Map;
import lombok.AllArgsConstructor;
import org.owasp.webgoat.container.CurrentUsername;
import org.owasp.webgoat.container.lessons.Assignment;
import org.owasp.webgoat.container.lessons.Category;
import org.owasp.webgoat.container.lessons.Lesson;
import org.owasp.webgoat.container.lessons.LessonMenuItem;
@ -98,7 +100,7 @@ public class LessonMenuService {
lessonItem.setLink(lesson.getLink());
lessonItem.setType(LessonMenuItemType.LESSON);
LessonProgress lessonTracker = userTracker.getLessonProgress(lesson);
boolean lessonSolved = lessonTracker.isLessonSolved();
boolean lessonSolved = lessonCompleted(lessonTracker.getLessonOverview(), lesson);
lessonItem.setComplete(lessonSolved);
categoryItem.addChild(lessonItem);
}
@ -107,4 +109,18 @@ public class LessonMenuService {
}
return menu;
}
private boolean lessonCompleted(Map<Assignment, Boolean> map, Lesson currentLesson) {
boolean result = true;
for (Map.Entry<Assignment, Boolean> entry : map.entrySet()) {
Assignment storedAssignment = entry.getKey();
for (Assignment lessonAssignment : currentLesson.getAssignments()) {
if (lessonAssignment.getName().equals(storedAssignment.getName())) {
result = result && entry.getValue();
break;
}
}
}
return result;
}
}

5
src/main/java/org/owasp/webgoat/lessons/authbypass/VerifyAccount.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.authbypass;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import java.io.IOException;
@ -49,7 +46,7 @@ import org.springframework.web.bind.annotation.RestController;
"auth-bypass.hints.verify.3",
"auth-bypass.hints.verify.4"
})
public class VerifyAccount implements AssignmentEndpoint {
public class VerifyAccount extends AssignmentEndpoint {
private final LessonSession userSessionData;

5
src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFieldRestrictions.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.bypassrestrictions;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.springframework.web.bind.annotation.PostMapping;
@ -33,7 +30,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class BypassRestrictionsFieldRestrictions implements AssignmentEndpoint {
public class BypassRestrictionsFieldRestrictions extends AssignmentEndpoint {
@PostMapping("/BypassRestrictions/FieldRestrictions")
@ResponseBody

5
src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFrontendValidation.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.bypassrestrictions;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.springframework.web.bind.annotation.PostMapping;
@ -33,7 +30,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class BypassRestrictionsFrontendValidation implements AssignmentEndpoint {
public class BypassRestrictionsFrontendValidation extends AssignmentEndpoint {
@PostMapping("/BypassRestrictions/frontendValidation")
@ResponseBody

11
src/main/java/org/owasp/webgoat/lessons/challenges/FlagController.java
View File

@ -22,9 +22,7 @@
package org.owasp.webgoat.lessons.challenges;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import lombok.AllArgsConstructor;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.springframework.web.bind.annotation.PathVariable;
@ -34,14 +32,11 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class FlagController implements AssignmentEndpoint {
@AllArgsConstructor
public class FlagController extends AssignmentEndpoint {
private final Flags flags;
public FlagController(Flags flags) {
this.flags = flags;
}
@PostMapping(path = "/challenge/flag/{flagNumber}")
@ResponseBody
public AttackResult postFlag(@PathVariable int flagNumber, @RequestParam String flag) {

10
src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/Assignment1.java
View File

@ -1,9 +1,8 @@
package org.owasp.webgoat.lessons.challenges.challenge1;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import static org.owasp.webgoat.lessons.challenges.SolutionConstants.PASSWORD;
import lombok.RequiredArgsConstructor;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.lessons.challenges.Flags;
@ -43,14 +42,11 @@ import org.springframework.web.bind.annotation.RestController;
* @since August 11, 2016
*/
@RestController
public class Assignment1 implements AssignmentEndpoint {
@RequiredArgsConstructor
public class Assignment1 extends AssignmentEndpoint {
private final Flags flags;
public Assignment1(Flags flags) {
this.flags = flags;
}
@PostMapping("/challenge/1")
@ResponseBody
public AttackResult completed(@RequestParam String username, @RequestParam String password) {

5
src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Assignment5.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.challenges.challenge5;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import lombok.RequiredArgsConstructor;
@ -42,7 +39,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@Slf4j
@RequiredArgsConstructor
public class Assignment5 implements AssignmentEndpoint {
public class Assignment5 extends AssignmentEndpoint {
private final LessonDataSource dataSource;
private final Flags flags;

4
src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7.java
View File

@ -1,7 +1,5 @@
package org.owasp.webgoat.lessons.challenges.challenge7;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import jakarta.servlet.http.HttpServletRequest;
import java.net.URI;
import java.net.URISyntaxException;
@ -31,7 +29,7 @@ import org.springframework.web.client.RestTemplate;
*/
@RestController
@Slf4j
public class Assignment7 implements AssignmentEndpoint {
public class Assignment7 extends AssignmentEndpoint {
public static final String ADMIN_PASSWORD_LINK = "375afe1104f4a487a73823c50a9292a2";

2
src/main/java/org/owasp/webgoat/lessons/challenges/challenge8/Assignment8.java
View File

@ -19,7 +19,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@Slf4j
@RequiredArgsConstructor
public class Assignment8 implements AssignmentEndpoint {
public class Assignment8 extends AssignmentEndpoint {
private static final Map<Integer, Integer> votes = new HashMap<>();

5
src/main/java/org/owasp/webgoat/lessons/chromedevtools/NetworkDummy.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.chromedevtools;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.container.session.LessonSession;
@ -40,7 +37,7 @@ import org.springframework.web.bind.annotation.RestController;
* @since 30.11.18
*/
@RestController
public class NetworkDummy implements AssignmentEndpoint {
public class NetworkDummy extends AssignmentEndpoint {
private final LessonSession lessonSession;

5
src/main/java/org/owasp/webgoat/lessons/chromedevtools/NetworkLesson.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.chromedevtools;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
@ -43,7 +40,7 @@ import org.springframework.web.bind.annotation.RestController;
*/
@RestController
@AssignmentHints({"networkHint1", "networkHint2"})
public class NetworkLesson implements AssignmentEndpoint {
public class NetworkLesson extends AssignmentEndpoint {
@PostMapping(
value = "/ChromeDevTools/network",

7
src/main/java/org/owasp/webgoat/lessons/cia/CIAQuiz.java
View File

@ -1,8 +1,5 @@
package org.owasp.webgoat.lessons.cia;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.springframework.web.bind.annotation.GetMapping;
@ -12,9 +9,9 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class CIAQuiz implements AssignmentEndpoint {
public class CIAQuiz extends AssignmentEndpoint {
private final String[] solutions = {"Solution 3", "Solution 1", "Solution 4", "Solution 2"};
String[] solutions = {"Solution 3", "Solution 1", "Solution 4", "Solution 2"};
boolean[] guesses = new boolean[solutions.length];
@PostMapping("/cia/quiz")

5
src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringAssignment.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.clientsidefiltering;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
@ -40,7 +37,7 @@ import org.springframework.web.bind.annotation.RestController;
"ClientSideFilteringHint3",
"ClientSideFilteringHint4"
})
public class ClientSideFilteringAssignment implements AssignmentEndpoint {
public class ClientSideFilteringAssignment extends AssignmentEndpoint {
@PostMapping("/clientSideFiltering/attack1")
@ResponseBody

6
src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringFreeAssignment.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.clientsidefiltering;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
@ -43,7 +40,8 @@ import org.springframework.web.bind.annotation.RestController;
"client.side.filtering.free.hint2",
"client.side.filtering.free.hint3"
})
public class ClientSideFilteringFreeAssignment implements AssignmentEndpoint {
public class ClientSideFilteringFreeAssignment extends AssignmentEndpoint {
public static final String SUPER_COUPON_CODE = "get_it_for_free";
@PostMapping("/clientSideFiltering/getItForFree")

5
src/main/java/org/owasp/webgoat/lessons/cryptography/EncodingAssignment.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.cryptography;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import jakarta.servlet.http.HttpServletRequest;
import java.util.Base64;
import java.util.Random;
@ -38,7 +35,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class EncodingAssignment implements AssignmentEndpoint {
public class EncodingAssignment extends AssignmentEndpoint {
public static String getBasicAuth(String username, String password) {
return Base64.getEncoder().encodeToString(username.concat(":").concat(password).getBytes());

6
src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.cryptography;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import jakarta.servlet.http.HttpServletRequest;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
@ -42,7 +39,8 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints({"crypto-hashing.hints.1", "crypto-hashing.hints.2"})
public class HashingAssignment implements AssignmentEndpoint {
public class HashingAssignment extends AssignmentEndpoint {
public static final String[] SECRETS = {"secret", "admin", "password", "123456", "passw0rd"};
@RequestMapping(path = "/crypto/hashing/md5", produces = MediaType.TEXT_HTML_VALUE)

5
src/main/java/org/owasp/webgoat/lessons/cryptography/SecureDefaultsAssignment.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.cryptography;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import java.security.NoSuchAlgorithmException;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
@ -40,7 +37,7 @@ import org.springframework.web.bind.annotation.RestController;
"crypto-secure-defaults.hints.2",
"crypto-secure-defaults.hints.3"
})
public class SecureDefaultsAssignment implements AssignmentEndpoint {
public class SecureDefaultsAssignment extends AssignmentEndpoint {
@PostMapping("/crypto/secure/defaults")
@ResponseBody

5
src/main/java/org/owasp/webgoat/lessons/cryptography/SigningAssignment.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.cryptography;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import jakarta.servlet.http.HttpServletRequest;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPair;
@ -50,7 +47,7 @@ import org.springframework.web.bind.annotation.RestController;
"crypto-signing.hints.4"
})
@Slf4j
public class SigningAssignment implements AssignmentEndpoint {
public class SigningAssignment extends AssignmentEndpoint {
@RequestMapping(path = "/crypto/signing/getprivate", produces = MediaType.TEXT_HTML_VALUE)
@ResponseBody

5
src/main/java/org/owasp/webgoat/lessons/cryptography/XOREncodingAssignment.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.cryptography;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
@ -35,7 +32,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints({"crypto-encoding-xor.hints.1"})
public class XOREncodingAssignment implements AssignmentEndpoint {
public class XOREncodingAssignment extends AssignmentEndpoint {
@PostMapping("/crypto/encoding/xor")
@ResponseBody

12
src/main/java/org/owasp/webgoat/lessons/csrf/CSRFConfirmFlag1.java
View File

@ -22,13 +22,11 @@
package org.owasp.webgoat.lessons.csrf;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.container.session.LessonSession;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@ -36,13 +34,9 @@ import org.springframework.web.bind.annotation.RestController;
/** Created by jason on 9/29/17. */
@RestController
@AssignmentHints({"csrf-get.hint1", "csrf-get.hint2", "csrf-get.hint3", "csrf-get.hint4"})
public class CSRFConfirmFlag1 implements AssignmentEndpoint {
public class CSRFConfirmFlag1 extends AssignmentEndpoint {
private final LessonSession userSessionData;
public CSRFConfirmFlag1(LessonSession userSessionData) {
this.userSessionData = userSessionData;
}
@Autowired LessonSession userSessionData;
@PostMapping(
path = "/csrf/confirm-flag-1",

15
src/main/java/org/owasp/webgoat/lessons/csrf/CSRFFeedback.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.csrf;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import jakarta.servlet.http.Cookie;
@ -37,6 +34,7 @@ import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.container.session.LessonSession;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
@ -46,15 +44,10 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints({"csrf-feedback-hint1", "csrf-feedback-hint2", "csrf-feedback-hint3"})
public class CSRFFeedback implements AssignmentEndpoint {
public class CSRFFeedback extends AssignmentEndpoint {
private final LessonSession userSessionData;
private final ObjectMapper objectMapper;
public CSRFFeedback(LessonSession userSessionData, ObjectMapper objectMapper) {
this.userSessionData = userSessionData;
this.objectMapper = objectMapper;
}
@Autowired private LessonSession userSessionData;
@Autowired private ObjectMapper objectMapper;
@PostMapping(
value = "/csrf/feedback/message",

5
src/main/java/org/owasp/webgoat/lessons/csrf/CSRFLogin.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.csrf;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import org.owasp.webgoat.container.CurrentUsername;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
@ -35,7 +32,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints({"csrf-login-hint1", "csrf-login-hint2", "csrf-login-hint3"})
public class CSRFLogin implements AssignmentEndpoint {
public class CSRFLogin extends AssignmentEndpoint {
@PostMapping(
path = "/csrf/login",

4
src/main/java/org/owasp/webgoat/lessons/csrf/ForgedReviews.java
View File

@ -22,8 +22,6 @@
package org.owasp.webgoat.lessons.csrf;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import static org.springframework.http.MediaType.ALL_VALUE;
import com.google.common.collect.Lists;
@ -47,7 +45,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints({"csrf-review-hint1", "csrf-review-hint2", "csrf-review-hint3"})
public class ForgedReviews implements AssignmentEndpoint {
public class ForgedReviews extends AssignmentEndpoint {
private static DateTimeFormatter fmt = DateTimeFormatter.ofPattern("yyyy-MM-dd, HH:mm:ss");

5
src/main/java/org/owasp/webgoat/lessons/deserialization/InsecureDeserializationTask.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.deserialization;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InvalidClassException;
@ -45,7 +42,7 @@ import org.springframework.web.bind.annotation.RestController;
"insecure-deserialization.hints.2",
"insecure-deserialization.hints.3"
})
public class InsecureDeserializationTask implements AssignmentEndpoint {
public class InsecureDeserializationTask extends AssignmentEndpoint {
@PostMapping("/InsecureDeserialization/task")
@ResponseBody

13
src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignment.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.hijacksession;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
@ -33,6 +30,7 @@ import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.lessons.hijacksession.cas.Authentication;
import org.owasp.webgoat.lessons.hijacksession.cas.HijackSessionAuthenticationProvider;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.CookieValue;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
@ -53,14 +51,11 @@ import org.springframework.web.bind.annotation.RestController;
"hijacksession.hints.4",
"hijacksession.hints.5"
})
public class HijackSessionAssignment implements AssignmentEndpoint {
public class HijackSessionAssignment extends AssignmentEndpoint {
private static final String COOKIE_NAME = "hijack_cookie";
private final HijackSessionAuthenticationProvider provider;
public HijackSessionAssignment(HijackSessionAuthenticationProvider provider) {
this.provider = provider;
}
@Autowired HijackSessionAuthenticationProvider provider;
@PostMapping(path = "/HijackSession/login")
@ResponseBody

5
src/main/java/org/owasp/webgoat/lessons/htmltampering/HtmlTamperingTask.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.htmltampering;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
@ -35,7 +32,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints({"hint1", "hint2", "hint3"})
public class HtmlTamperingTask implements AssignmentEndpoint {
public class HtmlTamperingTask extends AssignmentEndpoint {
@PostMapping("/HtmlTampering/task")
@ResponseBody

5
src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasicsLesson.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.httpbasics;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
@ -35,7 +32,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints({"http-basics.hints.http_basics_lesson.1"})
public class HttpBasicsLesson implements AssignmentEndpoint {
public class HttpBasicsLesson extends AssignmentEndpoint {
@PostMapping("/HttpBasics/attack1")
@ResponseBody

7
src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasicsQuiz.java
View File

@ -22,11 +22,9 @@
package org.owasp.webgoat.lessons.httpbasics;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AssignmentPath;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
@ -35,7 +33,8 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints({"http-basics.hints.http_basic_quiz.1", "http-basics.hints.http_basic_quiz.2"})
public class HttpBasicsQuiz implements AssignmentEndpoint {
@AssignmentPath("HttpBasics/attack2")
public class HttpBasicsQuiz extends AssignmentEndpoint {
@PostMapping("/HttpBasics/attack2")
@ResponseBody

5
src/main/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequest.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.httpproxies;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import jakarta.servlet.http.HttpServletRequest;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
@ -37,7 +34,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class HttpBasicsInterceptRequest implements AssignmentEndpoint {
public class HttpBasicsInterceptRequest extends AssignmentEndpoint {
@RequestMapping(
path = "/HttpProxies/intercept-request",

5
src/main/java/org/owasp/webgoat/lessons/idor/IDORDiffAttributes.java
View File

@ -23,9 +23,6 @@
package org.owasp.webgoat.lessons.idor;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
@ -40,7 +37,7 @@ import org.springframework.web.bind.annotation.RestController;
"idor.hints.idorDiffAttributes2",
"idor.hints.idorDiffAttributes3"
})
public class IDORDiffAttributes implements AssignmentEndpoint {
public class IDORDiffAttributes extends AssignmentEndpoint {
@PostMapping("/IDOR/diff-attributes")
@ResponseBody

12
src/main/java/org/owasp/webgoat/lessons/idor/IDOREditOtherProfile.java
View File

@ -23,13 +23,11 @@
package org.owasp.webgoat.lessons.idor;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.container.session.LessonSession;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestBody;
@ -48,13 +46,9 @@ import org.springframework.web.bind.annotation.RestController;
"idor.hints.otherProfile8",
"idor.hints.otherProfile9"
})
public class IDOREditOtherProfile implements AssignmentEndpoint {
public class IDOREditOtherProfile extends AssignmentEndpoint {
private final LessonSession userSessionData;
public IDOREditOtherProfile(LessonSession lessonSession) {
this.userSessionData = lessonSession;
}
@Autowired private LessonSession userSessionData;
@PutMapping(path = "/IDOR/profile/{userId}", consumes = "application/json")
@ResponseBody

8
src/main/java/org/owasp/webgoat/lessons/idor/IDORLogin.java
View File

@ -23,9 +23,6 @@
package org.owasp.webgoat.lessons.idor;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import java.util.HashMap;
import java.util.Map;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@ -39,14 +36,15 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints({"idor.hints.idor_login"})
public class IDORLogin implements AssignmentEndpoint {
public class IDORLogin extends AssignmentEndpoint {
private final LessonSession lessonSession;
public IDORLogin(LessonSession lessonSession) {
this.lessonSession = lessonSession;
}
private final Map<String, Map<String, String>> idorUserInfo = new HashMap<>();
private Map<String, Map<String, String>> idorUserInfo = new HashMap<>();
public void initIDORInfo() {

15
src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java
View File

@ -23,13 +23,12 @@
package org.owasp.webgoat.lessons.idor;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import jakarta.servlet.http.HttpServletResponse;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.container.session.LessonSession;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.ResponseBody;
@ -47,19 +46,15 @@ import org.springframework.web.bind.annotation.RestController;
"idor.hints.otherProfile8",
"idor.hints.otherProfile9"
})
public class IDORViewOtherProfile implements AssignmentEndpoint {
public class IDORViewOtherProfile extends AssignmentEndpoint {
private final LessonSession userSessionData;
public IDORViewOtherProfile(LessonSession userSessionData) {
this.userSessionData = userSessionData;
}
@Autowired LessonSession userSessionData;
@GetMapping(
path = "/IDOR/profile/{userId}",
produces = {"application/json"})
@ResponseBody
public AttackResult completed(@PathVariable("userId") String userId) {
public AttackResult completed(@PathVariable("userId") String userId, HttpServletResponse resp) {
Object obj = userSessionData.getValue("idor-authenticated-as");
if (obj != null && obj.equals("tom")) {

9
src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfile.java
View File

@ -27,6 +27,7 @@ import java.util.HashMap;
import java.util.Map;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.container.session.LessonSession;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@ -35,11 +36,7 @@ import org.springframework.web.bind.annotation.RestController;
@Slf4j
public class IDORViewOwnProfile {
private final LessonSession userSessionData;
public IDORViewOwnProfile(LessonSession userSessionData) {
this.userSessionData = userSessionData;
}
@Autowired LessonSession userSessionData;
@GetMapping(
path = {"/IDOR/own", "/IDOR/profile"},
@ -63,7 +60,7 @@ public class IDORViewOwnProfile {
"You do not have privileges to view the profile. Authenticate as tom first please.");
}
} catch (Exception ex) {
log.error("something went wrong: {}", ex.getMessage());
log.error("something went wrong", ex.getMessage());
}
return details;
}

11
src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfileAltUrl.java
View File

@ -23,13 +23,11 @@
package org.owasp.webgoat.lessons.idor;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.container.session.LessonSession;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
@ -41,12 +39,9 @@ import org.springframework.web.bind.annotation.RestController;
"idor.hints.ownProfileAltUrl2",
"idor.hints.ownProfileAltUrl3"
})
public class IDORViewOwnProfileAltUrl implements AssignmentEndpoint {
private final LessonSession userSessionData;
public class IDORViewOwnProfileAltUrl extends AssignmentEndpoint {
public IDORViewOwnProfileAltUrl(LessonSession userSessionData) {
this.userSessionData = userSessionData;
}
@Autowired LessonSession userSessionData;
@PostMapping("/IDOR/profile/alt-path")
@ResponseBody

5
src/main/java/org/owasp/webgoat/lessons/insecurelogin/InsecureLoginTask.java
View File

@ -22,16 +22,13 @@
package org.owasp.webgoat.lessons.insecurelogin;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.*;
@RestController
public class InsecureLoginTask implements AssignmentEndpoint {
public class InsecureLoginTask extends AssignmentEndpoint {
@PostMapping("/InsecureLogin/task")
@ResponseBody

5
src/main/java/org/owasp/webgoat/lessons/jwt/JWTDecodeEndpoint.java
View File

@ -1,8 +1,5 @@
package org.owasp.webgoat.lessons.jwt;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.springframework.web.bind.annotation.PostMapping;
@ -11,7 +8,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class JWTDecodeEndpoint implements AssignmentEndpoint {
public class JWTDecodeEndpoint extends AssignmentEndpoint {
@PostMapping("/JWT/decode")
@ResponseBody

5
src/main/java/org/owasp/webgoat/lessons/jwt/JWTQuiz.java
View File

@ -1,8 +1,5 @@
package org.owasp.webgoat.lessons.jwt;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.springframework.web.bind.annotation.GetMapping;
@ -12,7 +9,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class JWTQuiz implements AssignmentEndpoint {
public class JWTQuiz extends AssignmentEndpoint {
private final String[] solutions = {"Solution 1", "Solution 2"};
private final boolean[] guesses = new boolean[solutions.length];

4
src/main/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpoint.java
View File

@ -22,8 +22,6 @@
package org.owasp.webgoat.lessons.jwt;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import static org.springframework.http.ResponseEntity.ok;
import io.jsonwebtoken.Claims;
@ -58,7 +56,7 @@ import org.springframework.web.bind.annotation.RestController;
"jwt-refresh-hint3",
"jwt-refresh-hint4"
})
public class JWTRefreshEndpoint implements AssignmentEndpoint {
public class JWTRefreshEndpoint extends AssignmentEndpoint {
public static final String PASSWORD = "bm5nhSkxCXZkKRy4";
private static final String JWT_PASSWORD = "bm5n3SkxCX4kKRy4";

5
src/main/java/org/owasp/webgoat/lessons/jwt/JWTSecretKeyEndpoint.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.jwt;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwt;
import io.jsonwebtoken.Jwts;
@ -47,7 +44,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints({"jwt-secret-hint1", "jwt-secret-hint2", "jwt-secret-hint3"})
public class JWTSecretKeyEndpoint implements AssignmentEndpoint {
public class JWTSecretKeyEndpoint extends AssignmentEndpoint {
public static final String[] SECRETS = {
"victory", "business", "available", "shipping", "washington"

6
src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java
View File

@ -25,8 +25,6 @@ package org.owasp.webgoat.lessons.jwt;
import static java.util.Comparator.comparingLong;
import static java.util.Optional.ofNullable;
import static java.util.stream.Collectors.toList;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwt;
@ -68,13 +66,13 @@ import org.springframework.web.bind.annotation.RestController;
"jwt-change-token-hint4",
"jwt-change-token-hint5"
})
public class JWTVotesEndpoint implements AssignmentEndpoint {
public class JWTVotesEndpoint extends AssignmentEndpoint {
public static final String JWT_PASSWORD = TextCodec.BASE64.encode("victory");
private static String validUsers = "TomJerrySylvester";
private static int totalVotes = 38929;
private final Map<String, Vote> votes = new HashMap<>();
private Map<String, Vote> votes = new HashMap<>();
@PostConstruct
public void initVotes() {

11
src/main/java/org/owasp/webgoat/lessons/jwt/claimmisuse/JWTHeaderJKUEndpoint.java
View File

@ -1,8 +1,5 @@
package org.owasp.webgoat.lessons.jwt.claimmisuse;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import com.auth0.jwk.JwkException;
import com.auth0.jwk.JwkProviderBuilder;
import com.auth0.jwt.JWT;
@ -22,7 +19,7 @@ import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RequestMapping("/JWT/")
@RequestMapping("/JWT/jku")
@RestController
@AssignmentHints({
"jwt-jku-hint1",
@ -31,9 +28,9 @@ import org.springframework.web.bind.annotation.RestController;
"jwt-jku-hint4",
"jwt-jku-hint5"
})
public class JWTHeaderJKUEndpoint implements AssignmentEndpoint {
public class JWTHeaderJKUEndpoint extends AssignmentEndpoint {
@PostMapping("jku/follow/{user}")
@PostMapping("/follow/{user}")
public @ResponseBody String follow(@PathVariable("user") String user) {
if ("Jerry".equals(user)) {
return "Following yourself seems redundant";
@ -42,7 +39,7 @@ public class JWTHeaderJKUEndpoint implements AssignmentEndpoint {
}
}
@PostMapping("jku/delete")
@PostMapping("/delete")
public @ResponseBody AttackResult resetVotes(@RequestParam("token") String token) {
if (StringUtils.isEmpty(token)) {
return failed(this).feedback("jwt-invalid-token").build();

12
src/main/java/org/owasp/webgoat/lessons/jwt/claimmisuse/JWTHeaderKIDEndpoint.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.jwt.claimmisuse;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwsHeader;
import io.jsonwebtoken.Jwt;
@ -55,15 +52,16 @@ import org.springframework.web.bind.annotation.RestController;
"jwt-kid-hint5",
"jwt-kid-hint6"
})
@RequestMapping("/JWT/")
public class JWTHeaderKIDEndpoint implements AssignmentEndpoint {
@RequestMapping("/JWT/kid")
public class JWTHeaderKIDEndpoint extends AssignmentEndpoint {
private final LessonDataSource dataSource;
private JWTHeaderKIDEndpoint(LessonDataSource dataSource) {
this.dataSource = dataSource;
}
@PostMapping("kid/follow/{user}")
@PostMapping("/follow/{user}")
public @ResponseBody String follow(@PathVariable("user") String user) {
if ("Jerry".equals(user)) {
return "Following yourself seems redundant";
@ -72,7 +70,7 @@ public class JWTHeaderKIDEndpoint implements AssignmentEndpoint {
}
}
@PostMapping("kid/delete")
@PostMapping("/delete")
public @ResponseBody AttackResult resetVotes(@RequestParam("token") String token) {
if (StringUtils.isEmpty(token)) {
return failed(this).feedback("jwt-invalid-token").build();

14
src/main/java/org/owasp/webgoat/lessons/lessontemplate/SampleAttack.java
View File

@ -22,15 +22,13 @@
package org.owasp.webgoat.lessons.lessontemplate;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import java.util.List;
import lombok.AllArgsConstructor;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.container.session.LessonSession;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
@ -41,14 +39,12 @@ import org.springframework.web.bind.annotation.RestController;
/** Created by jason on 1/5/17. */
@RestController
@AssignmentHints({"lesson-template.hints.1", "lesson-template.hints.2", "lesson-template.hints.3"})
public class SampleAttack implements AssignmentEndpoint {
private static final String secretValue = "secr37Value";
public class SampleAttack extends AssignmentEndpoint {
private final LessonSession userSessionData;
String secretValue = "secr37Value";
public SampleAttack(LessonSession userSessionData) {
this.userSessionData = userSessionData;
}
// UserSessionData is bound to session and can be used to persist data across multiple assignments
@Autowired LessonSession userSessionData;
@PostMapping("/lesson-template/sample-attack")
@ResponseBody

15
src/main/java/org/owasp/webgoat/lessons/logging/LogBleedingTask.java
View File

@ -22,9 +22,7 @@
package org.owasp.webgoat.lessons.logging;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import jakarta.annotation.PostConstruct;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.UUID;
@ -39,13 +37,14 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class LogBleedingTask implements AssignmentEndpoint {
public class LogBleedingTask extends AssignmentEndpoint {
private static final Logger log = LoggerFactory.getLogger(LogBleedingTask.class);
private final String password;
Logger log = LoggerFactory.getLogger(this.getClass().getName());
private String password;
public LogBleedingTask() {
this.password = UUID.randomUUID().toString();
@PostConstruct
public void generatePassword() {
password = UUID.randomUUID().toString();
log.info(
"Password for admin: {}",
Base64.getEncoder().encodeToString(password.getBytes(StandardCharsets.UTF_8)));

5
src/main/java/org/owasp/webgoat/lessons/logging/LogSpoofingTask.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.logging;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import org.apache.logging.log4j.util.Strings;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
@ -34,7 +31,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class LogSpoofingTask implements AssignmentEndpoint {
public class LogSpoofingTask extends AssignmentEndpoint {
@PostMapping("/LogSpoofing/log-spoofing")
@ResponseBody

5
src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACHiddenMenus.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.missingac;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
@ -39,7 +36,7 @@ import org.springframework.web.bind.annotation.RestController;
"access-control.hidden-menus.hint2",
"access-control.hidden-menus.hint3"
})
public class MissingFunctionACHiddenMenus implements AssignmentEndpoint {
public class MissingFunctionACHiddenMenus extends AssignmentEndpoint {
@PostMapping(
path = "/access-control/hidden-menu",

10
src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHash.java
View File

@ -22,10 +22,9 @@
package org.owasp.webgoat.lessons.missingac;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import static org.owasp.webgoat.lessons.missingac.MissingFunctionAC.PASSWORD_SALT_SIMPLE;
import lombok.RequiredArgsConstructor;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
@ -41,14 +40,11 @@ import org.springframework.web.bind.annotation.RestController;
"access-control.hash.hint4",
"access-control.hash.hint5"
})
public class MissingFunctionACYourHash implements AssignmentEndpoint {
@RequiredArgsConstructor
public class MissingFunctionACYourHash extends AssignmentEndpoint {
private final MissingAccessControlUserRepository userRepository;
public MissingFunctionACYourHash(MissingAccessControlUserRepository userRepository) {
this.userRepository = userRepository;
}
@PostMapping(
path = "/access-control/user-hash",
produces = {"application/json"})

4
src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHashAdmin.java
View File

@ -22,8 +22,6 @@
package org.owasp.webgoat.lessons.missingac;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import static org.owasp.webgoat.lessons.missingac.MissingFunctionAC.PASSWORD_SALT_ADMIN;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@ -44,7 +42,7 @@ import org.springframework.web.bind.annotation.RestController;
"access-control.hash.hint12",
"access-control.hash.hint13"
})
public class MissingFunctionACYourHashAdmin implements AssignmentEndpoint {
public class MissingFunctionACYourHashAdmin extends AssignmentEndpoint {
private final MissingAccessControlUserRepository userRepository;

5
src/main/java/org/owasp/webgoat/lessons/passwordreset/QuestionsAssignment.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.passwordreset;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import java.util.HashMap;
import java.util.Map;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@ -40,7 +37,7 @@ import org.springframework.web.bind.annotation.RestController;
* @since 8/20/17.
*/
@RestController
public class QuestionsAssignment implements AssignmentEndpoint {
public class QuestionsAssignment extends AssignmentEndpoint {
private static final Map<String, String> COLORS = new HashMap<>();

8
src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignment.java
View File

@ -22,10 +22,6 @@
package org.owasp.webgoat.lessons.passwordreset;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import static org.springframework.util.StringUtils.hasText;
import com.google.common.collect.Maps;
import java.util.ArrayList;
import java.util.HashMap;
@ -60,7 +56,7 @@ import org.springframework.web.servlet.ModelAndView;
"password-reset-hint5",
"password-reset-hint6"
})
public class ResetLinkAssignment implements AssignmentEndpoint {
public class ResetLinkAssignment extends AssignmentEndpoint {
private static final String VIEW_FORMATTER = "lessons/passwordreset/templates/%s.html";
static final String PASSWORD_TOM_9 =
@ -121,7 +117,7 @@ public class ResetLinkAssignment implements AssignmentEndpoint {
BindingResult bindingResult,
@CurrentUsername String username) {
ModelAndView modelAndView = new ModelAndView();
if (!hasText(form.getPassword())) {
if (!org.springframework.util.StringUtils.hasText(form.getPassword())) {
bindingResult.rejectValue("password", "not.empty");
}
if (bindingResult.hasErrors()) {

11
src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignmentForgotPassword.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.passwordreset;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import jakarta.servlet.http.HttpServletRequest;
import java.util.UUID;
import org.owasp.webgoat.container.CurrentUsername;
@ -47,12 +44,12 @@ import org.springframework.web.client.RestTemplate;
* @since 8/20/17.
*/
@RestController
public class ResetLinkAssignmentForgotPassword implements AssignmentEndpoint {
public class ResetLinkAssignmentForgotPassword extends AssignmentEndpoint {
private final RestTemplate restTemplate;
private final String webWolfHost;
private final String webWolfPort;
private final String webWolfURL;
private String webWolfHost;
private String webWolfPort;
private String webWolfURL;
private final String webWolfMailURL;
public ResetLinkAssignmentForgotPassword(

11
src/main/java/org/owasp/webgoat/lessons/passwordreset/SecurityQuestionAssignment.java
View File

@ -23,13 +23,12 @@
package org.owasp.webgoat.lessons.passwordreset;
import static java.util.Optional.of;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.informationMessage;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import java.util.HashMap;
import java.util.Map;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
@ -42,9 +41,9 @@ import org.springframework.web.bind.annotation.RestController;
* @since 11.12.18
*/
@RestController
public class SecurityQuestionAssignment implements AssignmentEndpoint {
public class SecurityQuestionAssignment extends AssignmentEndpoint {
private final TriedQuestions triedQuestions;
@Autowired private TriedQuestions triedQuestions;
private static Map<String, String> questions;
@ -91,10 +90,6 @@ public class SecurityQuestionAssignment implements AssignmentEndpoint {
questions.put("What is your favorite color?", "Can easily be guessed.");
}
public SecurityQuestionAssignment(TriedQuestions triedQuestions) {
this.triedQuestions = triedQuestions;
}
@PostMapping("/PasswordReset/SecurityQuestions")
@ResponseBody
public AttackResult completed(@RequestParam String question) {

6
src/main/java/org/owasp/webgoat/lessons/passwordreset/SimpleMailAssignment.java
View File

@ -23,9 +23,6 @@
package org.owasp.webgoat.lessons.passwordreset;
import static java.util.Optional.ofNullable;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.informationMessage;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import java.time.LocalDateTime;
import org.apache.commons.lang3.StringUtils;
@ -46,7 +43,8 @@ import org.springframework.web.client.RestTemplate;
* @since 8/20/17.
*/
@RestController
public class SimpleMailAssignment implements AssignmentEndpoint {
public class SimpleMailAssignment extends AssignmentEndpoint {
private final String webWolfURL;
private RestTemplate restTemplate;

14
src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadBase.java
View File

@ -1,9 +1,5 @@
package org.owasp.webgoat.lessons.pathtraversal;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.informationMessage;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
@ -11,6 +7,7 @@ import java.nio.file.Files;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import lombok.AllArgsConstructor;
import lombok.Getter;
import lombok.SneakyThrows;
import org.apache.commons.io.FilenameUtils;
@ -24,14 +21,11 @@ import org.springframework.util.FileSystemUtils;
import org.springframework.util.StringUtils;
import org.springframework.web.multipart.MultipartFile;
@AllArgsConstructor
@Getter
public class ProfileUploadBase implements AssignmentEndpoint {
public class ProfileUploadBase extends AssignmentEndpoint {
private final String webGoatHomeDirectory;
public ProfileUploadBase(String webGoatHomeDirectory) {
this.webGoatHomeDirectory = webGoatHomeDirectory;
}
private String webGoatHomeDirectory;
protected AttackResult execute(MultipartFile file, String fullName, String username) {
if (file.isEmpty()) {

6
src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrieval.java
View File

@ -1,8 +1,5 @@
package org.owasp.webgoat.lessons.pathtraversal;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import jakarta.annotation.PostConstruct;
import jakarta.servlet.http.HttpServletRequest;
import java.io.File;
@ -43,7 +40,8 @@ import org.springframework.web.bind.annotation.RestController;
"path-traversal-profile-retrieve.hint6"
})
@Slf4j
public class ProfileUploadRetrieval implements AssignmentEndpoint {
public class ProfileUploadRetrieval extends AssignmentEndpoint {
private final File catPicturesDirectory;
public ProfileUploadRetrieval(@Value("${webgoat.server.directory}") String webGoatHomeDirectory) {

2
src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileZipSlip.java
View File

@ -1,7 +1,5 @@
package org.owasp.webgoat.lessons.pathtraversal;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import static org.springframework.http.MediaType.ALL_VALUE;
import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;

5
src/main/java/org/owasp/webgoat/lessons/securepasswords/SecurePasswordsAssignment.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.securepasswords;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import com.nulabinc.zxcvbn.Strength;
import com.nulabinc.zxcvbn.Zxcvbn;
import java.text.DecimalFormat;
@ -38,7 +35,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class SecurePasswordsAssignment implements AssignmentEndpoint {
public class SecurePasswordsAssignment extends AssignmentEndpoint {
@PostMapping("SecurePasswords/assignment")
@ResponseBody

6
src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java
View File

@ -23,10 +23,6 @@
package org.owasp.webgoat.lessons.spoofcookie;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.informationMessage;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletResponse;
import java.util.Map;
@ -52,7 +48,7 @@ import org.springframework.web.bind.annotation.RestController;
@AssignmentHints({"spoofcookie.hint1", "spoofcookie.hint2", "spoofcookie.hint3"})
@RestController
public class SpoofCookieAssignment implements AssignmentEndpoint {
public class SpoofCookieAssignment extends AssignmentEndpoint {
private static final String COOKIE_NAME = "spoof_auth";
private static final String COOKIE_INFO =

5
src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.sqlinjection.advanced;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import java.sql.*;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.container.LessonDataSource;
@ -45,7 +42,7 @@ import org.springframework.web.bind.annotation.RestController;
@AssignmentHints(
value = {"SqlInjectionChallenge1", "SqlInjectionChallenge2", "SqlInjectionChallenge3"})
@Slf4j
public class SqlInjectionChallenge implements AssignmentEndpoint {
public class SqlInjectionChallenge extends AssignmentEndpoint {
private final LessonDataSource dataSource;

6
src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallengeLogin.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.sqlinjection.advanced;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import org.owasp.webgoat.container.LessonDataSource;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
@ -42,7 +39,8 @@ import org.springframework.web.bind.annotation.RestController;
"SqlInjectionChallengeHint3",
"SqlInjectionChallengeHint4"
})
public class SqlInjectionChallengeLogin implements AssignmentEndpoint {
public class SqlInjectionChallengeLogin extends AssignmentEndpoint {
private final LessonDataSource dataSource;
public SqlInjectionChallengeLogin(LessonDataSource dataSource) {

6
src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.sqlinjection.advanced;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
@ -49,7 +46,8 @@ import org.springframework.web.bind.annotation.RestController;
"SqlStringInjectionHint-advanced-6a-4",
"SqlStringInjectionHint-advanced-6a-5"
})
public class SqlInjectionLesson6a implements AssignmentEndpoint {
public class SqlInjectionLesson6a extends AssignmentEndpoint {
private final LessonDataSource dataSource;
private static final String YOUR_QUERY_WAS = "<br> Your query was: ";

6
src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6b.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.sqlinjection.advanced;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import java.io.IOException;
import java.sql.Connection;
import java.sql.ResultSet;
@ -39,7 +36,8 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class SqlInjectionLesson6b implements AssignmentEndpoint {
public class SqlInjectionLesson6b extends AssignmentEndpoint {
private final LessonDataSource dataSource;
public SqlInjectionLesson6b(LessonDataSource dataSource) {

5
src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionQuiz.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.sqlinjection.advanced;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import java.io.IOException;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
@ -40,7 +37,7 @@ import org.springframework.web.bind.annotation.RestController;
* implement the quiz go to the quiz.js file in webgoat-container -> js
*/
@RestController
public class SqlInjectionQuiz implements AssignmentEndpoint {
public class SqlInjectionQuiz extends AssignmentEndpoint {
String[] solutions = {"Solution 4", "Solution 3", "Solution 2", "Solution 3", "Solution 4"};
boolean[] guesses = new boolean[solutions.length];

8
src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.sqlinjection.introduction;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
@ -48,7 +45,7 @@ import org.springframework.web.bind.annotation.RestController;
"SqlStringInjectionHint.10.5",
"SqlStringInjectionHint.10.6"
})
public class SqlInjectionLesson10 implements AssignmentEndpoint {
public class SqlInjectionLesson10 extends AssignmentEndpoint {
private final LessonDataSource dataSource;
@ -123,7 +120,8 @@ public class SqlInjectionLesson10 implements AssignmentEndpoint {
if (errorMsg.contains("object not found: ACCESS_LOG")) {
return false;
} else {
return true;
System.err.println(e.getMessage());
return false;
}
}
}

4
src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson2.java
View File

@ -24,8 +24,6 @@ package org.owasp.webgoat.lessons.sqlinjection.introduction;
import static java.sql.ResultSet.CONCUR_READ_ONLY;
import static java.sql.ResultSet.TYPE_SCROLL_INSENSITIVE;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import java.sql.ResultSet;
import java.sql.SQLException;
@ -47,7 +45,7 @@ import org.springframework.web.bind.annotation.RestController;
"SqlStringInjectionHint2-3",
"SqlStringInjectionHint2-4"
})
public class SqlInjectionLesson2 implements AssignmentEndpoint {
public class SqlInjectionLesson2 extends AssignmentEndpoint {
private final LessonDataSource dataSource;

4
src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson3.java
View File

@ -24,8 +24,6 @@ package org.owasp.webgoat.lessons.sqlinjection.introduction;
import static java.sql.ResultSet.CONCUR_READ_ONLY;
import static java.sql.ResultSet.TYPE_SCROLL_INSENSITIVE;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import java.sql.Connection;
import java.sql.ResultSet;
@ -42,7 +40,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints(value = {"SqlStringInjectionHint3-1", "SqlStringInjectionHint3-2"})
public class SqlInjectionLesson3 implements AssignmentEndpoint {
public class SqlInjectionLesson3 extends AssignmentEndpoint {
private final LessonDataSource dataSource;

4
src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson4.java
View File

@ -24,8 +24,6 @@ package org.owasp.webgoat.lessons.sqlinjection.introduction;
import static java.sql.ResultSet.CONCUR_READ_ONLY;
import static java.sql.ResultSet.TYPE_SCROLL_INSENSITIVE;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import java.sql.Connection;
import java.sql.ResultSet;
@ -43,7 +41,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints(
value = {"SqlStringInjectionHint4-1", "SqlStringInjectionHint4-2", "SqlStringInjectionHint4-3"})
public class SqlInjectionLesson4 implements AssignmentEndpoint {
public class SqlInjectionLesson4 extends AssignmentEndpoint {
private final LessonDataSource dataSource;

5
src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.sqlinjection.introduction;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import jakarta.annotation.PostConstruct;
import java.sql.Connection;
import java.sql.ResultSet;
@ -46,7 +43,7 @@ import org.springframework.web.bind.annotation.RestController;
"SqlStringInjectionHint5-3",
"SqlStringInjectionHint5-4"
})
public class SqlInjectionLesson5 implements AssignmentEndpoint {
public class SqlInjectionLesson5 extends AssignmentEndpoint {
private final LessonDataSource dataSource;

5
src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5a.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.sqlinjection.introduction;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import java.sql.*;
import org.owasp.webgoat.container.LessonDataSource;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@ -37,7 +34,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints(value = {"SqlStringInjectionHint5a1"})
public class SqlInjectionLesson5a implements AssignmentEndpoint {
public class SqlInjectionLesson5a extends AssignmentEndpoint {
private static final String EXPLANATION =
"<br> Explanation: This injection works, because <span style=\"font-style: italic\">or '1' ="

9
src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5b.java
View File

@ -22,9 +22,7 @@
package org.owasp.webgoat.lessons.sqlinjection.introduction;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import jakarta.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.sql.*;
import org.owasp.webgoat.container.LessonDataSource;
@ -44,7 +42,7 @@ import org.springframework.web.bind.annotation.RestController;
"SqlStringInjectionHint5b3",
"SqlStringInjectionHint5b4"
})
public class SqlInjectionLesson5b implements AssignmentEndpoint {
public class SqlInjectionLesson5b extends AssignmentEndpoint {
private final LessonDataSource dataSource;
@ -54,7 +52,8 @@ public class SqlInjectionLesson5b implements AssignmentEndpoint {
@PostMapping("/SqlInjection/assignment5b")
@ResponseBody
public AttackResult completed(@RequestParam String userid, @RequestParam String login_count)
public AttackResult completed(
@RequestParam String userid, @RequestParam String login_count, HttpServletRequest request)
throws IOException {
return injectableQuery(login_count, userid);
}

4
src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java
View File

@ -24,8 +24,6 @@ package org.owasp.webgoat.lessons.sqlinjection.introduction;
import static java.sql.ResultSet.CONCUR_UPDATABLE;
import static java.sql.ResultSet.TYPE_SCROLL_SENSITIVE;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import java.sql.*;
import java.text.SimpleDateFormat;
@ -48,7 +46,7 @@ import org.springframework.web.bind.annotation.RestController;
"SqlStringInjectionHint.8.4",
"SqlStringInjectionHint.8.5"
})
public class SqlInjectionLesson8 implements AssignmentEndpoint {
public class SqlInjectionLesson8 extends AssignmentEndpoint {
private final LessonDataSource dataSource;

5
src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9.java
View File

@ -24,8 +24,6 @@ package org.owasp.webgoat.lessons.sqlinjection.introduction;
import static org.hsqldb.jdbc.JDBCResultSet.CONCUR_UPDATABLE;
import static org.hsqldb.jdbc.JDBCResultSet.TYPE_SCROLL_SENSITIVE;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import java.sql.Connection;
import java.sql.ResultSet;
@ -49,7 +47,7 @@ import org.springframework.web.bind.annotation.RestController;
"SqlStringInjectionHint.9.4",
"SqlStringInjectionHint.9.5"
})
public class SqlInjectionLesson9 implements AssignmentEndpoint {
public class SqlInjectionLesson9 extends AssignmentEndpoint {
private final LessonDataSource dataSource;
@ -101,6 +99,7 @@ public class SqlInjectionLesson9 implements AssignmentEndpoint {
SqlInjectionLesson8.generateTable(this.getEmployeesDataOrderBySalaryDesc(connection)))
.build();
} catch (SQLException e) {
System.err.println(e.getMessage());
return failed(this)
.output("<br><span class='feedback-negative'>" + e.getMessage() + "</span>")
.build();

7
src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10a.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.sqlinjection.mitigation;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
@ -38,9 +35,9 @@ import org.springframework.web.bind.annotation.RestController;
@Slf4j
@AssignmentHints(
value = {"SqlStringInjectionHint-mitigation-10a-1", "SqlStringInjectionHint-mitigation-10a-2"})
public class SqlInjectionLesson10a implements AssignmentEndpoint {
public class SqlInjectionLesson10a extends AssignmentEndpoint {
private static final String[] results = {
private String[] results = {
"getConnection", "PreparedStatement", "prepareStatement", "?", "?", "setString", "setString"
};

5
src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10b.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.sqlinjection.mitigation;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import java.io.IOException;
import java.net.URI;
import java.util.Arrays;
@ -55,7 +52,7 @@ import org.springframework.web.bind.annotation.RestController;
"SqlStringInjectionHint-mitigation-10b-4",
"SqlStringInjectionHint-mitigation-10b-5"
})
public class SqlInjectionLesson10b implements AssignmentEndpoint {
public class SqlInjectionLesson10b extends AssignmentEndpoint {
@PostMapping("/SqlInjectionMitigations/attack10b")
@ResponseBody

7
src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson13.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.sqlinjection.mitigation;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
@ -48,7 +45,7 @@ import org.springframework.web.bind.annotation.RestController;
"SqlStringInjectionHint-mitigation-13-4"
})
@Slf4j
public class SqlInjectionLesson13 implements AssignmentEndpoint {
public class SqlInjectionLesson13 extends AssignmentEndpoint {
private final LessonDataSource dataSource;
@ -71,7 +68,7 @@ public class SqlInjectionLesson13 implements AssignmentEndpoint {
return failed(this).build();
} catch (SQLException e) {
log.error("Failed", e);
return failed(this).build();
return (failed(this).build());
}
}
}

6
src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidation.java
View File

@ -22,8 +22,6 @@
package org.owasp.webgoat.lessons.sqlinjection.mitigation;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
@ -36,7 +34,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints(
value = {"SqlOnlyInputValidation-1", "SqlOnlyInputValidation-2", "SqlOnlyInputValidation-3"})
public class SqlOnlyInputValidation implements AssignmentEndpoint {
public class SqlOnlyInputValidation extends AssignmentEndpoint {
private final SqlInjectionLesson6a lesson6a;
@ -54,9 +52,7 @@ public class SqlOnlyInputValidation implements AssignmentEndpoint {
return new AttackResult(
attackResult.isLessonCompleted(),
attackResult.getFeedback(),
attackResult.getFeedbackArgs(),
attackResult.getOutput(),
attackResult.getOutputArgs(),
getClass().getSimpleName(),
true);
}

6
src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationOnKeywords.java
View File

@ -22,8 +22,6 @@
package org.owasp.webgoat.lessons.sqlinjection.mitigation;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
@ -40,7 +38,7 @@ import org.springframework.web.bind.annotation.RestController;
"SqlOnlyInputValidationOnKeywords-2",
"SqlOnlyInputValidationOnKeywords-3"
})
public class SqlOnlyInputValidationOnKeywords implements AssignmentEndpoint {
public class SqlOnlyInputValidationOnKeywords extends AssignmentEndpoint {
private final SqlInjectionLesson6a lesson6a;
@ -60,9 +58,7 @@ public class SqlOnlyInputValidationOnKeywords implements AssignmentEndpoint {
return new AttackResult(
attackResult.isLessonCompleted(),
attackResult.getFeedback(),
attackResult.getFeedbackArgs(),
attackResult.getOutput(),
attackResult.getOutputArgs(),
getClass().getSimpleName(),
true);
}

5
src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask1.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.ssrf;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
@ -35,7 +32,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints({"ssrf.hint1", "ssrf.hint2"})
public class SSRFTask1 implements AssignmentEndpoint {
public class SSRFTask1 extends AssignmentEndpoint {
@PostMapping("/SSRF/task1")
@ResponseBody

5
src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask2.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.ssrf;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
@ -40,7 +37,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints({"ssrf.hint3"})
public class SSRFTask2 implements AssignmentEndpoint {
public class SSRFTask2 extends AssignmentEndpoint {
@PostMapping("/SSRF/task2")
@ResponseBody

5
src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLesson.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.vulnerablecomponents;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import com.thoughtworks.xstream.XStream;
import org.apache.commons.lang3.StringUtils;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@ -37,7 +34,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints({"vulnerable.hint"})
public class VulnerableComponentsLesson implements AssignmentEndpoint {
public class VulnerableComponentsLesson extends AssignmentEndpoint {
@PostMapping("/VulnerableComponents/attack1")
public @ResponseBody AttackResult completed(@RequestParam String payload) {

18
src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/LandingAssignment.java
View File

@ -22,9 +22,9 @@
package org.owasp.webgoat.lessons.webwolfintroduction;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import jakarta.servlet.http.HttpServletRequest;
import java.net.URI;
import java.net.URISyntaxException;
import org.apache.commons.lang3.StringUtils;
import org.owasp.webgoat.container.CurrentUsername;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@ -41,12 +41,10 @@ import org.springframework.web.servlet.ModelAndView;
* @since 8/20/17.
*/
@RestController
public class LandingAssignment implements AssignmentEndpoint {
private final String landingPageUrl;
public class LandingAssignment extends AssignmentEndpoint {
public LandingAssignment(@Value("${webwolf.landingpage.url}") String landingPageUrl) {
this.landingPageUrl = landingPageUrl;
}
@Value("${webwolf.landingpage.url}")
private String landingPageUrl;
@PostMapping("/WebWolf/landing")
@ResponseBody
@ -58,7 +56,9 @@ public class LandingAssignment implements AssignmentEndpoint {
}
@GetMapping("/WebWolf/landing/password-reset")
public ModelAndView openPasswordReset(@CurrentUsername String username) {
public ModelAndView openPasswordReset(
HttpServletRequest request, @CurrentUsername String username) throws URISyntaxException {
URI uri = new URI(request.getRequestURL().toString());
ModelAndView modelAndView = new ModelAndView();
modelAndView.addObject(
"webwolfLandingPageUrl", landingPageUrl.replace("//landing", "/landing"));

6
src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/MailAssignment.java
View File

@ -22,10 +22,6 @@
package org.owasp.webgoat.lessons.webwolfintroduction;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.informationMessage;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import org.apache.commons.lang3.StringUtils;
import org.owasp.webgoat.container.CurrentUsername;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@ -43,7 +39,7 @@ import org.springframework.web.client.RestTemplate;
* @since 8/20/17.
*/
@RestController
public class MailAssignment implements AssignmentEndpoint {
public class MailAssignment extends AssignmentEndpoint {
private final String webWolfURL;
private RestTemplate restTemplate;

5
src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson1.java
View File

@ -22,9 +22,6 @@
package org.owasp.webgoat.lessons.xss;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.springframework.web.bind.annotation.PostMapping;
@ -33,7 +30,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class CrossSiteScriptingLesson1 implements AssignmentEndpoint {
public class CrossSiteScriptingLesson1 extends AssignmentEndpoint {
@PostMapping("/CrossSiteScripting/attack1")
@ResponseBody

7
src/main/java/org/owasp/webgoat/lessons/xss/mitigation/CrossSiteScriptingLesson3.java → src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson3.java
View File

@ -21,10 +21,7 @@
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/
package org.owasp.webgoat.lessons.xss.mitigation;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
package org.owasp.webgoat.lessons.xss;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
@ -44,7 +41,7 @@ import org.springframework.web.bind.annotation.RestController;
"xss-mitigation-3-hint3",
"xss-mitigation-3-hint4"
})
public class CrossSiteScriptingLesson3 implements AssignmentEndpoint {
public class CrossSiteScriptingLesson3 extends AssignmentEndpoint {
@PostMapping("/CrossSiteScripting/attack3")
@ResponseBody

7
src/main/java/org/owasp/webgoat/lessons/xss/mitigation/CrossSiteScriptingLesson4.java → src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson4.java
View File

@ -20,10 +20,7 @@
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/
package org.owasp.webgoat.lessons.xss.mitigation;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
package org.owasp.webgoat.lessons.xss;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
@ -35,7 +32,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints(value = {"xss-mitigation-4-hint1"})
public class CrossSiteScriptingLesson4 implements AssignmentEndpoint {
public class CrossSiteScriptingLesson4 extends AssignmentEndpoint {
@PostMapping("/CrossSiteScripting/attack4")
@ResponseBody

13
src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson5a.java
View File

@ -22,15 +22,13 @@
package org.owasp.webgoat.lessons.xss;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
import java.util.function.Predicate;
import java.util.regex.Pattern;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.container.session.LessonSession;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
@ -44,18 +42,13 @@ import org.springframework.web.bind.annotation.RestController;
"xss-reflected-5a-hint-3",
"xss-reflected-5a-hint-4"
})
public class CrossSiteScriptingLesson5a implements AssignmentEndpoint {
public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
public static final Predicate<String> XSS_PATTERN =
Pattern.compile(
".*<script>(console\\.log|alert)\\(.*\\);?</script>.*", Pattern.CASE_INSENSITIVE)
.asMatchPredicate();
private final LessonSession userSessionData;
public CrossSiteScriptingLesson5a(LessonSession lessonSession) {
this.userSessionData = lessonSession;
}
@Autowired LessonSession userSessionData;
@GetMapping("/CrossSiteScripting/attack5a")
@ResponseBody

Some files were not shown because too many files have changed in this diff Show More