Compare commits


3 Commits

a4f7059051 Merge branch 'release/v8.1.0' 2020-05-23 14:19:03 +02:00
bd16fedb33 Merge branch 'release/v8.1.0' 2020-05-22 15:08:50 +02:00
c8ac054093 Merge branch 'release/v8.0.0.M26' 2019-11-12 09:32:50 +01:00
212 changed files with 1672 additions and 1899 deletions


@ -1,7 +0,0 @@
version: 2
updates:
# Maintain dependencies for GitHub Actions
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "daily"


@ -1,42 +0,0 @@
name: "CI/CD Pipeline"
on:
push:
branches: [ '*' ]
tags-ignore:
- '*'
jobs:
build:
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-latest, windows-latest, macos-latest]
java: [11, 15]
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v2
- name: Set up JDK ${{ matrix.java }}
uses: actions/setup-java@v1
with:
java-version: ${{ matrix.java }}
architecture: x64
- name: Cache Maven packages
uses: actions/cache@v2
with:
path: ~/.m2
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
restore-keys: ${{ runner.os }}-m2
- name: Build with Maven
run: mvn clean install
notify-slack:
if: github.event_name == 'push' && (success() || failure())
needs:
- build
runs-on: ubuntu-latest
steps:
- name: "Slack workflow notification"
uses: Gamesight/slack-workflow-status@master
with:
repo_token: ${{secrets.GITHUB_TOKEN}}
slack_webhook_url: ${{secrets.SLACK_WEBHOOK_URL}}


@ -1,99 +0,0 @@
name: "Release Pipeline"
on:
push:
tags:
- test* # todo replace with v*
jobs:
release:
name: Release WebGoat
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: "Get tag name"
id: tag
uses: dawidd6/action-get-tag@v1
- name: Set up JDK 11
uses: actions/setup-java@v1
with:
java-version: 11
architecture: x64
- name: Cache Maven packages
uses: actions/cache@v2
with:
path: ~/.m2
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
restore-keys: ${{ runner.os }}-m2
- name: "Set labels for ${{ github.ref }}"
run: |
echo "WEBGOAT_TAG_VERSION=${{ steps.tag.outputs.tag }}" >> $GITHUB_ENV
WEBGOAT_MAVEN_VERSION=${WEBGOAT_TAG_VERSION:1}
echo ${WEBGOAT_MAVEN_VERSION} >> $GITHUB_ENV
- name: Build with Maven
run: |
mvn versions:set -DnewVersion=${{ env.WEBGOAT_MAVEN_VERSION }}
mvn clean install -DskipTests
- name: "Create release"
uses: softprops/action-gh-release@v1
with:
draft: false
files: |
webgoat-server/target/webgoat-server-${{ env.WEBGOAT_MAVEN_VERSION }}.jar
webwolf/target/webwolf-${{ env.WEBGOAT_MAVEN_VERSION }}.jar
body: |
## Version ${{ steps.tag.outputs.tag }}
### New functionality
- test
### Bug fixes
- [#743 - Character encoding errors](https://github.com/WebGoat/WebGoat/issues/743)
## Contributors
Special thanks to the following contributors providing us with a pull request:
- Person 1
- Person 2
And everyone who provided feedback through Github.
Team WebGoat
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: "Set up QEMU"
uses: docker/setup-qemu-action@v1
- name: "Set up Docker Buildx"
uses: docker/setup-buildx-action@v1
- name: "Login to dockerhub"
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: "Build and push"
uses: docker/build-push-action@v2
with:
context: ./docker
file: docker/Dockerfile
push: false #todo enable
platforms: linux/amd64
tags: |
webgoat/goatandwolf:${{ env.WEBGOAT_TAG_VERSION }}
# todo webgoat/goatandwolf:latest
build-args: |
webgoat_version=${{ env.WEBGOAT_MAVEN_VERSION }}
- name: "Image digest"
run: echo ${{ steps.docker_build.outputs.digest }}

1
.gitignore vendored

@ -53,4 +53,3 @@ webgoat.log
webgoat.properties
webgoat.script
TestClass.class
**/*.flattened-pom.xml


@ -1,2 +1,2 @@
distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.2.5/apache-maven-3.2.5-bin.zip
distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.2.1/apache-maven-3.2.1-bin.zip
wrapperUrl=https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.5/maven-wrapper-0.5.5.jar


@ -1,17 +1,10 @@
services:
- docker
language: java
os:
- linux
- osx
dist: xenial
jdk:
- openjdk11
- openjdk15
addons:
firefox: latest
install:
- true
- openjdk13
install: "/bin/true"
script:
- export BRANCH=$(if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then echo $TRAVIS_BRANCH;
else echo $TRAVIS_PULL_REQUEST_BRANCH; fi)
@ -33,22 +26,20 @@ before_deploy:
- ls $WEBGOAT_ARTIFACTS_FOLDER
deploy:
- provider: script
cleanup: false
jdk: openjdk11
skip_cleanup: true
script: bash scripts/deploy-webgoat.sh
on:
condition: $TRAVIS_OS_NAME == 'linux'
jdk: openjdk11
tags: true
- provider: releases
cleanup: false
jdk: openjdk11
skip_cleanup: true
overwrite: true
token:
api_key:
secure: pJOLBnl6427PcVg/tVy/qB18JC7b8cKpffau+IP0pjdSt7KUfBdBY3QuJ7mrM65zRoVILzggLckaew2PlRmYQRdumyWlyRn44XiJ9KO4n6Bsufbz+ictB4ggtozpp9+I9IIUh1TmqypL9lhkX2ONM9dSHmyblYpAAgMuYSK8FYc=
file_glob: true
file: "$WEBGOAT_ARTIFACTS_FOLDER/*"
on:
condition: $TRAVIS_OS_NAME == 'linux'
jdk: openjdk11
tags: true
env:
global:
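Review bot: `file_glob: true` combined with `file: "$WEBGOAT_ARTIFACTS_FOLDER/*"` attaches everything that ends up in that folder to the GitHub release, so any stray file the build drops there (logs, properties, test output) is published alongside the jars; narrowing it to `file: "$WEBGOAT_ARTIFACTS_FOLDER/*.jar"` bounds what a release can contain. What is copied into the folder is decided in `before_deploy`, which starts before this hunk. The `export BRANCH=...` entry under `script:` at the top of the section spans two lines as a plain scalar that YAML silently folds into one command; writing it as `- >-` with the command indented beneath makes the continuation explicit.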


@ -3,9 +3,9 @@
[![Build Status](https://travis-ci.org/WebGoat/WebGoat.svg?branch=develop)](https://travis-ci.org/WebGoat/WebGoat)
[![Coverage Status](https://coveralls.io/repos/WebGoat/WebGoat/badge.svg?branch=develop&service=github)](https://coveralls.io/github/WebGoat/WebGoat?branch=master)
[![Codacy Badge](https://api.codacy.com/project/badge/b69ee3a86e3b4afcaf993f210fccfb1d)](https://www.codacy.com/app/dm/WebGoat)
[![Dependency Status](https://www.versioneye.com/user/projects/562da95ae346d7000e0369aa/badge.svg?style=flat)](https://www.versioneye.com/user/projects/562da95ae346d7000e0369aa)
[![OWASP Labs](https://img.shields.io/badge/owasp-lab%20project-f7b73c.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Labs_Projects)
[![GitHub release](https://img.shields.io/github/release/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/releases/latest)
[![Gitter](https://badges.gitter.im/OWASPWebGoat/community.svg)](https://gitter.im/OWASPWebGoat/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)
# Introduction
@ -29,7 +29,19 @@ first thing that all hackers claim.*
# Installation Instructions:
## 1. Run using Docker
## 1. Standalone
Download the latest WebGoat release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
```Shell
java -jar webgoat-server-8.0.0.VERSION.jar [--server.port=8080] [--server.address=localhost]
```
The latest version of WebGoat needs Java 11 or above. By default WebGoat starts on port 8080 with `--server.port` you can specify a different port. With `server.address` you
can bind it to a different address (default localhost)
## 2. Run using Docker
Every release is also published on [DockerHub]((https://hub.docker.com/r/webgoat/webgoat-8.0/)).
@ -38,7 +50,7 @@ Every release is also published on [DockerHub]((https://hub.docker.com/r/webgoat
The easiest way to start WebGoat as a Docker container is to use the all-in-one docker container. This is a docker image that has WebGoat and WebWolf running inside.
```shell
docker run -p 8080:8080 -p 9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf
docker run -d -p 8080:8080 -p 9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf
```
WebGoat will be located at: http://127.0.0.1:8080/WebGoat
@ -73,25 +85,6 @@ WebWolf will be located at: http://www.webwolf.local/WebWolf
**Important**: the current directory on your host will be mapped into the container for keeping state.
## 2. Standalone
Download the latest WebGoat and WebWolf release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
```Shell
java -jar webgoat-server-8.1.0.jar [--server.port=8080] [--server.address=localhost]
java -jar webwolf-8.1.0.jar [--server.port=9090] [--server.address=localhost]
```
The latest version of WebGoat needs Java 11 or above. By default WebGoat and WebWolf start on port 8080,9000 and 9090 with the environment variable WEBGOAT_PORT, WEBWOLF_PORT and WEBGOAT_HSQLPORT you can set different values.
```Shell
export WEBGOAT_PORT=18080
export WEBGOAT_HSQLPORT=19001
export WEBWOLF_PORT=19090
java -jar webgoat-server-8.1.0.jar
java -jar webwolf-8.1.0.jar
```
Use set in stead of export on Windows cmd.
## 3. Run from the sources
@ -130,17 +123,20 @@ To change IP address add the following variable to WebGoat/webgoat-container/src
server.address=x.x.x.x
```
## 4. Run with custom menu
# Building a new Docker image
For specialist only. There is a way to set up WebGoat with a personalized menu. You can leave out some menu categories or individual lessons by setting environment variables.
NOTE: Travis will create a new Docker image automatically when making a new release.
For instance running as a jar on a Linux/MacOS it will look like:
```Shell
export EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE"
export EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations"
java -jar webgoat-server/target/webgoat-server-v8.2.0-SNAPSHOT.jar
```
Or in a docker run it would (once this version is pushed into docker hub) look like:
```Shell
docker run -d -p 80:8888 -p 8080:8080 -p 9090:9090 -e TZ=Europe/Amsterdam -e EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE" -e EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations" webgoat/goatandwolf
cd WebGoat/
mvn install
cd webgoat-server
docker build -t webgoat/webgoat-8.0 .
docker tag webgoat/webgoat-8.0 webgoat/webgoat-8.0:8.0
docker login
docker push webgoat/webgoat-8.0
```
# Run Instructions:
Once installed connect to http://localhost:8080/WebGoat and http://localhost:9090/WebWolf


@ -1,16 +1,14 @@
FROM openjdk:11.0.1-jre-slim-stretch
ARG webgoat_version=v8.2.0-SNAPSHOT
ARG webgoat_version=v8.0.0-SNAPSHOT
ENV webgoat_version_env=${webgoat_version}
RUN apt-get update && apt-get install
RUN useradd --home-dir /home/webgoat --create-home -U webgoat
RUN cd /home/webgoat/;
RUN chgrp -R 0 /home/webgoat
RUN chmod -R g=u /home/webgoat
RUN apt-get -y install apt-utils nginx
USER webgoat
RUN cd /home/webgoat/; mkdir -p .webgoat-${webgoat_version}
COPY nginx.conf /etc/nginx/nginx.conf
COPY index.html /usr/share/nginx/html/
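Review bot: `RUN apt-get update && apt-get install` names no package and so installs nothing, while `RUN apt-get -y install apt-utils nginx` runs later in its own layer without an update, so a cached early layer can leave nginx installed from a stale package index; fold them into one instruction, `RUN apt-get update && apt-get -y install --no-install-recommends apt-utils nginx && rm -rf /var/lib/apt/lists/*`. The standalone `RUN cd /home/webgoat/;` has no effect on the instructions that follow, because every RUN starts in the image's working directory. `FROM openjdk:11.0.1-jre-slim-stretch` is pinned by tag only; a digest pin makes the base image reproducible and auditable. Apart from the `ARG` line, these lines appear to be shared by both sides of the diff, and the rendered hunk omits its blank lines, so which side each belongs to is inferred.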


@ -2,7 +2,7 @@
## Docker build
docker build --no-cache --build-arg webgoat_version=v8.2.0-SNAPSHOT -t webgoat/goatandwolf:latest .
docker build --no-cache --build-arg webgoat_version=v8.0.0-SNAPSHOT -t webgoat/goatandwolf:latest .
## Docker run


@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-parent</artifactId>
<version>${revision}</version>
<version>v8.1.0</version>
</parent>
<dependencies>


@ -3,10 +3,10 @@
cd /home/webgoat
service nginx start
sleep 1
java -Duser.home=/home/webgoat -Dfile.encoding=UTF-8 -jar webgoat.jar --webgoat.build.version=$1 --server.address=0.0.0.0 > webgoat.log &
java -Dfile.encoding=UTF-8 -jar webgoat.jar --webgoat.build.version=$1 --server.address=0.0.0.0 > webgoat.log &
sleep 10
java -Duser.home=/home/webgoat -Dfile.encoding=UTF-8 -jar webwolf.jar --webgoat.build.version=$1 --server.address=0.0.0.0 > webwolf.log &
java -Dfile.encoding=UTF-8 -jar webwolf.jar --webgoat.build.version=$1 --server.address=0.0.0.0 > webwolf.log &
tail -300f webgoat.log
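Review bot: `$1` is expanded unquoted in both `java` lines; quoting it as `"$1"` passes an empty or space-containing version argument as one well-defined token instead of letting the shell split or drop it. The `sleep 10` between the two launches is a fixed delay rather than a readiness check, and because `tail -300f webgoat.log` is the process that keeps the container in the foreground, the container stays up even if either java process has already exited; a `wait` on the background jobs, or a health check on the listening ports, would surface that failure. The script header (shebang and any `set` options) is outside the hunk.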


@ -2,297 +2,285 @@
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="refresh" content="0;url=https://owasp.org/www-project-webgoat/" />
<link rel="canonical" href="https://owasp.org/www-project-webgoat/" />
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="description" content="WebGoat is a deliberately insecure application that allows interested developers just like you to test vulnerabilities
commonly found in Java-based applications that use common and popular open source components">
<meta name="author" content="WebGoat">
<title>WebGoat</title>
<!-- Bootstrap core CSS -->
<link href="vendor/bootstrap/css/bootstrap.min.css" rel="stylesheet">
<!-- Custom fonts for this template -->
<link href="vendor/font-awesome/css/font-awesome.min.css" rel="stylesheet" type="text/css">
<link href="https://fonts.googleapis.com/css?family=Montserrat:400,700" rel="stylesheet" type="text/css">
<link href="https://fonts.googleapis.com/css?family=Lato:400,700,400italic,700italic" rel="stylesheet" type="text/css">
<!-- Plugin CSS -->
<link href="vendor/magnific-popup/magnific-popup.css" rel="stylesheet" type="text/css">
<!-- Custom styles for this template -->
<link href="css/freelancer.min.css" rel="stylesheet">
</head>
<body>
<h1>
The page been moved to <a href="https://owasp.org/www-project-webgoat/">https://owasp.org/www-project-webgoat/</a>
</h1>
<body id="page-top">
<!-- Navigation -->
<nav class="navbar navbar-expand-lg bg-secondary fixed-top text-uppercase" id="mainNav">
<div class="container">
<!-- Brand and toggle get grouped for better mobile display -->
<div class="navbar-header page-scroll">
<img class="img-responsive" src="img/profile.png" alt="">
</div>
</div>
</nav>
<!-- Header -->
<header class="masthead bg-primary text-white text-center">
<div class="container">
<div class="row">
<div class="col-lg-12">
<h2 class="text-center text-uppercase mb-5">Learn the hack - Stop the attack</h2>
</div>
</div>
<div class="row">
<div class="col-lg-8 mx-auto">
<p>WebGoat is a deliberately insecure application that allows interested developers just like you to test vulnerabilities
commonly found in Java-based applications that use common and popular open source components.</p>
</div>
<div class="col-lg-8 mx-auto">
<a href="https://github.com/WebGoat/WebGoat/releases" class="btn btn-xl btn-outline-light">
<i class="fa fa-download"></i> Download standalone
</a>
<a href="https://hub.docker.com/r/webgoat/webgoat-8.0/" class="btn btn-xl btn-outline-light">
<i class="fa fa-download"></i> Run using Docker
</a>
</div>
</div>
</div>
</header>
<!-- Portfolio Grid Section -->
<section class="portfolio" id="portfolio">
<div class="container">
<h3 class="text-center text-uppercase text-secondary mb-0">Learn in 3 steps</h3>
<hr class="star-dark mb-5">
<div class="row">
<div class="col-md-6 col-lg-4 text-center">
<a class="portfolio-item d-block mx-auto" href="#portfolio-modal-1">
<div class="portfolio-item-caption d-flex position-absolute h-100 w-100">
<div class="portfolio-item-caption-content my-auto w-100 text-center text-white">
<i class="fa fa-search-plus fa-3x"></i>
</div>
</div>
<img class="img-fluid" src="img/portfolio/teach.png" alt="">
</a>
</div>
<div class="col-md-6 col-lg-4 text-center">
<a class="portfolio-item d-block mx-auto" href="#portfolio-modal-2">
<div class="portfolio-item-caption d-flex position-absolute h-100 w-100">
<div class="portfolio-item-caption-content my-auto w-100 text-center text-white">
<i class="fa fa-search-plus fa-3x"></i>
</div>
</div>
<img class="img-fluid" src="img/portfolio/assignment.png" alt="">
</a>
</div>
<div class="col-md-6 col-lg-4 text-center" >
<a class="portfolio-item d-block mx-auto" href="#portfolio-modal-3">
<div class="portfolio-item-caption d-flex position-absolute h-100 w-100">
<div class="portfolio-item-caption-content my-auto w-100 text-center text-white">
<i class="fa fa-search-plus fa-3x"></i>
</div>
</div>
<img class="img-fluid" src="img/portfolio/mitigation.png" alt="">
</a>
</div>
</div>
</div>
</section>
<!-- Goals Section -->
<section class="bg-primary text-white mb-0" id="goals">
<div class="container">
<h3 class="text-center text-uppercase text-white">Goals</h3>
<hr class="star-light mb-5">
<div class="row">
<div class="col-lg-6 ml-auto">
<p class="lead">
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book
stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test
tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe
and legal environment.
</p>
</div>
<div class="col-lg-6 mr-auto">
<p class="lead">Even if your intentions are good, we believe you should never attempt to find vulnerabilities without
permission. The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security.
In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.
</p>
</div>
</div>
</div>
</section>
<!-- Contributing Section -->
<section class="portfolio" id="portfolio">
<div class="container">
<h3 class="text-center text-uppercase text-secondary mb-0">More information</h3>
<hr class="star-dark mb-5">
<div class="row">
<div class="col-lg-4 ml-auto">
<p class="lead">For more information about running WebGoat / FAQ see our <a href="https://github.com/WebGoat/WebGoat/wiki">wiki pages.</a>
</p>
</div>
<div class="col-lg-4 mr-auto">
<p class="lead">Interested in contributing to WebGoat, take a look at our <a href="https://github.com/WebGoat/WebGoat/issues">issues.</a> </p>
</div>
</div>
</div>
</section>
<!-- Footer -->
<footer class="footer text-center">
<div class="container">
<div class="row">
<div class="col-md-4 mb-5 mb-lg-0">
</div>
<div class="col-md-4 mb-5 mb-lg-0">
<h4 class="text-uppercase mb-4">Around the Web</h4>
<ul class="list-inline mb-0">
<li class="list-inline-item">
<a class="btn btn-outline-light btn-social text-center rounded-circle" href="mailto:webgoat@owasp.org">
<i class="fa fa-fw fa-at"></i>
</a>
</li>
<li class="list-inline-item">
<a class="btn btn-outline-light btn-social text-center rounded-circle" href="https://github.com/WebGoat">
<i class="fa fa-fw fa-github"></i>
</a>
</li>
<li class="list-inline-item">
<a class="btn btn-outline-light btn-social text-center rounded-circle" href="https://stackoverflow.com/search?q=webgoat">
<i class="fa fa-fw fa-stack-overflow"></i>
</a>
</li>
<li class="list-inline-item">
<a class="btn btn-outline-light btn-social text-center rounded-circle" href="https://twitter.com/OWASP_WebGoat">
<i class="fa fa-fw fa-twitter"></i>
</a>
</li>
<li class="list-inline-item">
<a class="btn btn-outline-light btn-social text-center rounded-circle" href="https://owasp.slack.com/messages/#project-webgoat/">
<i class="fa fa-fw fa-slack"></i>
</a>
</li>
</ul>
</div>
</div>
</div>
</footer>
<div class="copyright py-4 text-center text-white">
<div class="container">
<small>Team WebGoat 2019</small>
</div>
</div>
<!-- Scroll to Top Button (Only visible on small and extra-small screen sizes) -->
<div class="scroll-to-top d-lg-none position-fixed ">
<a class="js-scroll-trigger d-block text-center text-white rounded" href="#page-top">
<i class="fa fa-chevron-up"></i>
</a>
</div>
<!-- Explain modal -->
<div class="portfolio-modal mfp-hide" id="portfolio-modal-1">
<div class="portfolio-modal-dialog bg-white">
<a class="close-button d-none d-md-block portfolio-modal-dismiss" href="#">
<i class="fa fa-3x fa-times"></i>
</a>
<div class="container text-center">
<div class="row">
<div class="col-lg-8 mx-auto">
<h3 class="text-secondary text-uppercase mb-0">Explain the vulnerability</h3>
<hr class="star-dark mb-5">
<img class="img-fluid mb-5" src="img/portfolio/lesson.png" alt="">
<p class="mb-5">Teaching is now a first class citizen of WebGoat, we explain explain the vulnerability. Instead of 'just hacking' we now focus on explaining from the beginning what for example a SQL injection is.
</p>
<a class="btn btn-primary btn-lg rounded-pill portfolio-modal-dismiss" href="#">
<i class="fa fa-close"></i>
Close</a>
</div>
</div>
</div>
</div>
</div>
<!-- Assignment modal -->
<div class="portfolio-modal mfp-hide" id="portfolio-modal-2">
<div class="portfolio-modal-dialog bg-white">
<a class="close-button d-none d-md-block portfolio-modal-dismiss" href="#">
<i class="fa fa-3x fa-times"></i>
</a>
<div class="container text-center">
<div class="row">
<div class="col-lg-8 mx-auto">
<h3 class="text-secondary text-uppercase mb-0">Learn by doing</h3>
<hr class="star-dark mb-5">
<img class="img-fluid mb-5" src="img/portfolio/assignment-example.png" alt="">
<p class="mb-5">During the explanation of a vulnerability we build assignments which will help you understand how it works.</p>
<a class="btn btn-primary btn-lg rounded-pill portfolio-modal-dismiss" href="#">
<i class="fa fa-close"></i>
Close</a>
</div>
</div>
</div>
</div>
</div>
<!-- Mitigation modal -->
<div class="portfolio-modal mfp-hide" id="portfolio-modal-3">
<div class="portfolio-modal-dialog bg-white">
<a class="close-button d-none d-md-block portfolio-modal-dismiss" href="#">
<i class="fa fa-3x fa-times"></i>
</a>
<div class="container text-center">
<div class="row">
<div class="col-lg-8 mx-auto">
<h3 class="text-secondary text-uppercase mb-0">Explain mitigations</h3>
<hr class="star-dark mb-5">
<img class="img-fluid mb-5" src="img/portfolio/mitigation-example.png" alt="">
<p class="mb-5">At the end of each lesson you will receive an overview of possible mitigations which will help you during your development work.</p>
<a class="btn btn-primary btn-lg rounded-pill portfolio-modal-dismiss" href="#">
<i class="fa fa-close"></i>
Close</a>
</div>
</div>
</div>
</div>
</div>
<!-- Bootstrap core JavaScript -->
<script src="vendor/jquery/jquery.min.js"></script>
<script src="vendor/bootstrap/js/bootstrap.bundle.min.js"></script>
<!-- Plugin JavaScript -->
<script src="vendor/jquery-easing/jquery.easing.min.js"></script>
<script src="vendor/magnific-popup/jquery.magnific-popup.min.js"></script>
<!-- Custom scripts for this template -->
<script src="js/freelancer.min.js"></script>
</body>
</html>
<!--<head>-->
<!-- <meta charset="utf-8">-->
<!-- <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">-->
<!-- <meta name="description" content="WebGoat is a deliberately insecure application that allows interested developers just like you to test vulnerabilities-->
<!-- commonly found in Java-based applications that use common and popular open source components">-->
<!-- <meta name="author" content="WebGoat">-->
<!-- <title>WebGoat</title>-->
<!-- &lt;!&ndash; Bootstrap core CSS &ndash;&gt;-->
<!-- <link href="vendor/bootstrap/css/bootstrap.min.css" rel="stylesheet">-->
<!-- &lt;!&ndash; Custom fonts for this template &ndash;&gt;-->
<!-- <link href="vendor/font-awesome/css/font-awesome.min.css" rel="stylesheet" type="text/css">-->
<!-- <link href="https://fonts.googleapis.com/css?family=Montserrat:400,700" rel="stylesheet" type="text/css">-->
<!-- <link href="https://fonts.googleapis.com/css?family=Lato:400,700,400italic,700italic" rel="stylesheet" type="text/css">-->
<!-- &lt;!&ndash; Plugin CSS &ndash;&gt;-->
<!-- <link href="vendor/magnific-popup/magnific-popup.css" rel="stylesheet" type="text/css">-->
<!-- &lt;!&ndash; Custom styles for this template &ndash;&gt;-->
<!-- <link href="css/freelancer.min.css" rel="stylesheet">-->
<!--</head>-->
<!--<body id="page-top">-->
<!-- &lt;!&ndash; Navigation &ndash;&gt;-->
<!-- <nav class="navbar navbar-expand-lg bg-secondary fixed-top text-uppercase" id="mainNav">-->
<!-- <div class="container">-->
<!-- &lt;!&ndash; Brand and toggle get grouped for better mobile display &ndash;&gt;-->
<!-- <div class="navbar-header page-scroll">-->
<!-- <img class="img-responsive" src="img/profile.png" alt="">-->
<!-- </div>-->
<!-- </div>-->
<!-- </nav>-->
<!-- &lt;!&ndash; Header &ndash;&gt;-->
<!-- <header class="masthead bg-primary text-white text-center">-->
<!-- <div class="container">-->
<!-- <div class="row">-->
<!-- <div class="col-lg-12">-->
<!-- <h2 class="text-center text-uppercase mb-5">Learn the hack - Stop the attack</h2>-->
<!-- -->
<!-- </div>-->
<!-- </div>-->
<!-- <div class="row">-->
<!-- <div class="col-lg-8 mx-auto">-->
<!-- <p>WebGoat is a deliberately insecure application that allows interested developers just like you to test vulnerabilities-->
<!-- commonly found in Java-based applications that use common and popular open source components.</p>-->
<!-- </div>-->
<!-- <div class="col-lg-8 mx-auto">-->
<!-- <a href="https://github.com/WebGoat/WebGoat/releases" class="btn btn-xl btn-outline-light">-->
<!-- <i class="fa fa-download"></i> Download standalone-->
<!-- </a>-->
<!-- <a href="https://hub.docker.com/r/webgoat/webgoat-8.0/" class="btn btn-xl btn-outline-light">-->
<!-- <i class="fa fa-download"></i> Run using Docker-->
<!-- </a>-->
<!-- </div>-->
<!-- </div>-->
<!-- </div>-->
<!-- </header>-->
<!-- &lt;!&ndash; Portfolio Grid Section &ndash;&gt;-->
<!-- <section class="portfolio" id="portfolio">-->
<!-- <div class="container">-->
<!-- <h3 class="text-center text-uppercase text-secondary mb-0">Learn in 3 steps</h3>-->
<!-- <hr class="star-dark mb-5">-->
<!-- <div class="row">-->
<!-- <div class="col-md-6 col-lg-4 text-center">-->
<!-- <a class="portfolio-item d-block mx-auto" href="#portfolio-modal-1">-->
<!-- <div class="portfolio-item-caption d-flex position-absolute h-100 w-100">-->
<!-- <div class="portfolio-item-caption-content my-auto w-100 text-center text-white">-->
<!-- <i class="fa fa-search-plus fa-3x"></i>-->
<!-- </div>-->
<!-- </div>-->
<!-- <img class="img-fluid" src="img/portfolio/teach.png" alt="">-->
<!-- </a>-->
<!-- </div>-->
<!-- <div class="col-md-6 col-lg-4 text-center">-->
<!-- <a class="portfolio-item d-block mx-auto" href="#portfolio-modal-2">-->
<!-- <div class="portfolio-item-caption d-flex position-absolute h-100 w-100">-->
<!-- <div class="portfolio-item-caption-content my-auto w-100 text-center text-white">-->
<!-- <i class="fa fa-search-plus fa-3x"></i>-->
<!-- </div>-->
<!-- </div>-->
<!-- <img class="img-fluid" src="img/portfolio/assignment.png" alt="">-->
<!-- </a>-->
<!-- </div>-->
<!-- <div class="col-md-6 col-lg-4 text-center" >-->
<!-- <a class="portfolio-item d-block mx-auto" href="#portfolio-modal-3">-->
<!-- <div class="portfolio-item-caption d-flex position-absolute h-100 w-100">-->
<!-- <div class="portfolio-item-caption-content my-auto w-100 text-center text-white">-->
<!-- <i class="fa fa-search-plus fa-3x"></i>-->
<!-- </div>-->
<!-- </div>-->
<!-- <img class="img-fluid" src="img/portfolio/mitigation.png" alt="">-->
<!-- </a>-->
<!-- </div>-->
<!-- </div>-->
<!-- </div>-->
<!-- </section>-->
<!-- &lt;!&ndash; Goals Section &ndash;&gt;-->
<!-- <section class="bg-primary text-white mb-0" id="goals">-->
<!-- <div class="container">-->
<!-- <h3 class="text-center text-uppercase text-white">Goals</h3>-->
<!-- <hr class="star-light mb-5">-->
<!-- <div class="row">-->
<!-- <div class="col-lg-6 ml-auto">-->
<!-- <p class="lead">-->
<!-- Web application security is difficult to learn and practice. Not many people have full blown web applications like online book -->
<!-- stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test -->
<!-- tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe -->
<!-- and legal environment.-->
<!-- -->
<!-- </p>-->
<!-- </div>-->
<!-- <div class="col-lg-6 mr-auto">-->
<!-- <p class="lead">Even if your intentions are good, we believe you should never attempt to find vulnerabilities without-->
<!-- permission. The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. -->
<!-- In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.-->
<!-- </p>-->
<!-- </div>-->
<!-- </div>-->
<!-- </div>-->
<!-- </section>-->
<!-- &lt;!&ndash; Contributing Section &ndash;&gt;-->
<!-- <section class="portfolio" id="portfolio">-->
<!-- <div class="container">-->
<!-- <h3 class="text-center text-uppercase text-secondary mb-0">More information</h3>-->
<!-- <hr class="star-dark mb-5">-->
<!-- <div class="row">-->
<!-- <div class="col-lg-4 ml-auto">-->
<!-- <p class="lead">For more information about running WebGoat / FAQ see our <a href="https://github.com/WebGoat/WebGoat/wiki">wiki pages.</a>-->
<!-- </p>-->
<!-- </div>-->
<!-- <div class="col-lg-4 mr-auto">-->
<!-- <p class="lead">Interested in contributing to WebGoat, take a look at our <a href="https://github.com/WebGoat/WebGoat/issues">issues.</a> </p>-->
<!-- </div>-->
<!-- </div>-->
<!-- </div>-->
<!-- </section>-->
<!-- -->
<!-- &lt;!&ndash; Footer &ndash;&gt;-->
<!-- <footer class="footer text-center">-->
<!-- <div class="container">-->
<!-- <div class="row">-->
<!-- <div class="col-md-4 mb-5 mb-lg-0">-->
<!-- </div>-->
<!-- <div class="col-md-4 mb-5 mb-lg-0">-->
<!-- <h4 class="text-uppercase mb-4">Around the Web</h4>-->
<!-- <ul class="list-inline mb-0">-->
<!-- <li class="list-inline-item">-->
<!-- <a class="btn btn-outline-light btn-social text-center rounded-circle" href="mailto:webgoat@owasp.org">-->
<!-- <i class="fa fa-fw fa-at"></i>-->
<!-- </a>-->
<!-- </li>-->
<!-- <li class="list-inline-item">-->
<!-- <a class="btn btn-outline-light btn-social text-center rounded-circle" href="https://github.com/WebGoat">-->
<!-- <i class="fa fa-fw fa-github"></i>-->
<!-- </a>-->
<!-- </li>-->
<!-- <li class="list-inline-item">-->
<!-- <a class="btn btn-outline-light btn-social text-center rounded-circle" href="https://stackoverflow.com/search?q=webgoat">-->
<!-- <i class="fa fa-fw fa-stack-overflow"></i>-->
<!-- </a>-->
<!-- </li>-->
<!-- <li class="list-inline-item">-->
<!-- <a class="btn btn-outline-light btn-social text-center rounded-circle" href="https://twitter.com/OWASP_WebGoat">-->
<!-- <i class="fa fa-fw fa-twitter"></i>-->
<!-- </a>-->
<!-- </li>-->
<!-- <li class="list-inline-item">-->
<!-- <a class="btn btn-outline-light btn-social text-center rounded-circle" href="https://owasp.slack.com/messages/#project-webgoat/">-->
<!-- <i class="fa fa-fw fa-slack"></i>-->
<!-- </a>-->
<!-- </li>-->
<!-- </ul>-->
<!-- </div>-->
<!-- </div>-->
<!-- </div>-->
<!-- </footer>-->
<!-- <div class="copyright py-4 text-center text-white">-->
<!-- <div class="container">-->
<!-- <small>Team WebGoat 2019</small>-->
<!-- </div>-->
<!-- </div>-->
<!-- &lt;!&ndash; Scroll to Top Button (Only visible on small and extra-small screen sizes) &ndash;&gt;-->
<!-- <div class="scroll-to-top d-lg-none position-fixed ">-->
<!-- <a class="js-scroll-trigger d-block text-center text-white rounded" href="#page-top">-->
<!-- <i class="fa fa-chevron-up"></i>-->
<!-- </a>-->
<!-- </div>-->
<!-- &lt;!&ndash; Explain modal &ndash;&gt;-->
<!-- <div class="portfolio-modal mfp-hide" id="portfolio-modal-1">-->
<!-- <div class="portfolio-modal-dialog bg-white">-->
<!-- <a class="close-button d-none d-md-block portfolio-modal-dismiss" href="#">-->
<!-- <i class="fa fa-3x fa-times"></i>-->
<!-- </a>-->
<!-- <div class="container text-center">-->
<!-- <div class="row">-->
<!-- <div class="col-lg-8 mx-auto">-->
<!-- <h3 class="text-secondary text-uppercase mb-0">Explain the vulnerability</h3>-->
<!-- <hr class="star-dark mb-5">-->
<!-- <img class="img-fluid mb-5" src="img/portfolio/lesson.png" alt="">-->
<!-- <p class="mb-5">Teaching is now a first class citizen of WebGoat, we explain explain the vulnerability. Instead of 'just hacking' we now focus on explaining from the beginning what for example a SQL injection is.-->
<!-- </p>-->
<!-- <a class="btn btn-primary btn-lg rounded-pill portfolio-modal-dismiss" href="#">-->
<!-- <i class="fa fa-close"></i>-->
<!-- Close</a>-->
<!-- </div>-->
<!-- </div>-->
<!-- </div>-->
<!-- </div>-->
<!-- </div>-->
<!-- &lt;!&ndash; Assignment modal &ndash;&gt;-->
<!-- <div class="portfolio-modal mfp-hide" id="portfolio-modal-2">-->
<!-- <div class="portfolio-modal-dialog bg-white">-->
<!-- <a class="close-button d-none d-md-block portfolio-modal-dismiss" href="#">-->
<!-- <i class="fa fa-3x fa-times"></i>-->
<!-- </a>-->
<!-- <div class="container text-center">-->
<!-- <div class="row">-->
<!-- <div class="col-lg-8 mx-auto">-->
<!-- <h3 class="text-secondary text-uppercase mb-0">Learn by doing</h3>-->
<!-- <hr class="star-dark mb-5">-->
<!-- <img class="img-fluid mb-5" src="img/portfolio/assignment-example.png" alt="">-->
<!-- <p class="mb-5">During the explanation of a vulnerability we build assignments which will help you understand how it works.</p>-->
<!-- <a class="btn btn-primary btn-lg rounded-pill portfolio-modal-dismiss" href="#">-->
<!-- <i class="fa fa-close"></i>-->
<!-- Close</a>-->
<!-- </div>-->
<!-- </div>-->
<!-- </div>-->
<!-- </div>-->
<!-- </div>-->
<!-- &lt;!&ndash; Mitigation modal &ndash;&gt;-->
<!-- <div class="portfolio-modal mfp-hide" id="portfolio-modal-3">-->
<!-- <div class="portfolio-modal-dialog bg-white">-->
<!-- <a class="close-button d-none d-md-block portfolio-modal-dismiss" href="#">-->
<!-- <i class="fa fa-3x fa-times"></i>-->
<!-- </a>-->
<!-- <div class="container text-center">-->
<!-- <div class="row">-->
<!-- <div class="col-lg-8 mx-auto">-->
<!-- <h3 class="text-secondary text-uppercase mb-0">Explain mitigations</h3>-->
<!-- <hr class="star-dark mb-5">-->
<!-- <img class="img-fluid mb-5" src="img/portfolio/mitigation-example.png" alt="">-->
<!-- <p class="mb-5">At the end of each lesson you will receive an overview of possible mitigations which will help you during your development work.</p>-->
<!-- <a class="btn btn-primary btn-lg rounded-pill portfolio-modal-dismiss" href="#">-->
<!-- <i class="fa fa-close"></i>-->
<!-- Close</a>-->
<!-- </div>-->
<!-- </div>-->
<!-- </div>-->
<!-- </div>-->
<!-- </div>-->
<!-- &lt;!&ndash; Bootstrap core JavaScript &ndash;&gt;-->
<!-- <script src="vendor/jquery/jquery.min.js"></script>-->
<!-- <script src="vendor/bootstrap/js/bootstrap.bundle.min.js"></script>-->
<!-- &lt;!&ndash; Plugin JavaScript &ndash;&gt;-->
<!-- <script src="vendor/jquery-easing/jquery.easing.min.js"></script>-->
<!-- <script src="vendor/magnific-popup/jquery.magnific-popup.min.js"></script>-->
<!-- &lt;!&ndash; Custom scripts for this template &ndash;&gt;-->
<!-- <script src="js/freelancer.min.js"></script>-->
<!--</body>-->
<!--</html>-->
</html>
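Review bot: the two `<section class="portfolio" id="portfolio">` elements ("Learn in 3 steps" and "More information") share one id, which is invalid HTML and makes `#portfolio` anchors and script selectors resolve only to the first; give the second `id="more-information"`. The stylesheets from `fonts.googleapis.com` are loaded cross-origin with no way to attach an integrity check, so self-hosting them next to the vendor assets removes the page's external resource loads. The commented-out copy of the whole page that follows the first `</html>` is dead markup served to every visitor and should be dropped rather than carried. Which of these lines are on the new side is not recoverable from the rendered hunk, which has lost its markers; the direction of the other file sections suggests the full template page is the new side.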

28
pom.xml

@ -6,7 +6,7 @@
<groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-parent</artifactId>
<packaging>pom</packaging>
<version>${revision}</version>
<version>v8.1.0</version>
<name>WebGoat Parent Pom</name>
<description>Parent Pom for the WebGoat Project. A deliberately insecure Web Application</description>
@ -15,13 +15,13 @@
<organization>
<name>OWASP</name>
<url>https://github.com/WebGoat/WebGoat/</url>
<url>https://webgoat.github.io/</url>
</organization>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.4.0</version>
<version>2.2.2.RELEASE</version>
</parent>
<licenses>
@ -127,6 +127,7 @@
<commons-lang3.version>3.4</commons-lang3.version>
<commons-io.version>2.6</commons-io.version>
<guava.version>18.0</guava.version>
<junit.version>4.12</junit.version>
<lombok.version>1.18.4</lombok.version>
<maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version>
<maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version>
@ -134,7 +135,6 @@
<maven-javadoc-plugin.version>3.1.1</maven-javadoc-plugin.version>
<maven-source-plugin.version>3.1.0</maven-source-plugin.version>
<maven-surefire-plugin.version>3.0.0-M4</maven-surefire-plugin.version>
<revision>v8.2.0-SNAPSHOT</revision>
</properties>
<modules>
@ -147,10 +147,6 @@
</modules>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-validation</artifactId>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
@ -170,22 +166,6 @@
<build>
<plugins>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>flatten-maven-plugin</artifactId>
<version>1.2.5</version>
<configuration>
</configuration>
<executions>
<execution>
<id>flatten</id>
<phase>process-resources</phase>
<goals>
<goal>flatten</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
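Review bot: The `<parent>` hunk moves `spring-boot-starter-parent` between `2.4.0` and `2.2.2.RELEASE`; since the same compare removes the GitHub Actions and dependabot files, the `2.2.2.RELEASE` line is presumably the side under review, which would pin the managed Spring, Tomcat and Jackson versions to a 2019 release line and should be checked against the vendors' advisories before merging, all the more because the dependabot configuration that would have flagged it is gone in the same change. On that side the `${revision}` placeholder becomes a literal `v8.1.0` while the last hunk drops the `flatten-maven-plugin` that resolved it, so every module's `<version>` now has to be edited by hand at release time. Dropping `spring-boot-starter-validation` is only safe if no controller depends on `javax.validation` constraints being enforced; a comment such as `<!-- validation is still bundled in spring-boot-starter-web on the 2.2 line -->` beside the dependency list would record why it was removed, if that is the reason.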


@ -1,6 +1,32 @@
#!/usr/bin/env bash
docker login -u $DOCKER_USER -p $DOCKER_PASS
export REPO=webgoat/webgoat-8.0
cd webgoat-server
ls target/
if [ ! -z "${TRAVIS_TAG}" ]; then
# If we push a tag to master this will update the LATEST Docker image and tag with the version number
docker build --build-arg webgoat_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:latest -t $REPO:${TRAVIS_TAG} .
docker push $REPO
else
echo "Skipping releasing to DockerHub because it is a build of branch ${BRANCH}"
fi
export REPO=webgoat/webwolf
cd ..
cd webwolf
ls target/
if [ ! -z "${TRAVIS_TAG}" ]; then
# If we push a tag to master this will update the LATEST Docker image and tag with the version number
docker build --build-arg webwolf_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:latest -t $REPO:${TRAVIS_TAG} .
docker push $REPO
else
echo "Skipping releasing to DockerHub because it is a build of branch ${BRANCH}"
fi
export REPO=webgoat/goatandwolf
cd ..
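Review bot: `docker login -u $DOCKER_USER -p $DOCKER_PASS` on the second line hands the registry password over as a command-line argument, where it is visible in the process list and in any CI log that echoes commands; feed it on stdin instead: `echo "$DOCKER_PASS" | docker login -u "$DOCKER_USER" --password-stdin`. The script also runs without `set -e`, so a failed `docker build` does not stop the following `docker push`; adding `set -euo pipefail` after the shebang closes that gap. The two `if [ ! -z "${TRAVIS_TAG}" ]` guards read more plainly as `[ -n "${TRAVIS_TAG}" ]`, and the unquoted `$REPO` in the `docker build` and `docker push` lines should be `"$REPO"` for consistency with the quoted `${TRAVIS_TAG}`.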


@ -9,7 +9,7 @@
<parent>
<groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-parent</artifactId>
<version>${revision}</version>
<version>v8.1.0</version>
</parent>
<build>


@ -5,7 +5,7 @@
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 2014 Bruce Mayhew
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software


@ -4,7 +4,7 @@
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 2014 Bruce Mayhew
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the


@ -18,7 +18,7 @@ import javax.servlet.http.HttpServletResponse;
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 2014 Bruce Mayhew
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software


@ -5,7 +5,7 @@
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 2014 Bruce Mayhew
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the


@ -5,7 +5,7 @@
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 2014 Bruce Mayhew
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the


@ -5,7 +5,7 @@
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 2014 Bruce Mayhew
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the


@ -3,7 +3,7 @@
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 2014 Bruce Mayhew
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the


@ -34,6 +34,8 @@ import org.springframework.beans.factory.annotation.Autowired;
public abstract class AssignmentEndpoint {
@Autowired
private UserTrackerRepository userTrackerRepository;
@Autowired
private WebSession webSession;
@Autowired


@ -5,7 +5,7 @@
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 2014 Bruce Mayhew
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the


@ -5,7 +5,7 @@
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2014 Bruce Mayhew
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the


@ -11,7 +11,7 @@ import java.util.List;
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 2014 Bruce Mayhew
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the


@ -9,7 +9,7 @@ import lombok.Getter;
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 2014 Bruce Mayhew
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software


@ -4,7 +4,7 @@
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2014 Bruce Mayhew
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the


@ -5,7 +5,7 @@
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 2014 Bruce Mayhew
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software


@ -4,7 +4,7 @@
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2014 Bruce Mayhew
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the


@ -5,7 +5,7 @@
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 2014 Bruce Mayhew
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software


@ -5,7 +5,7 @@
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 2014 Bruce Mayhew
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software


@ -5,7 +5,7 @@
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 2014 Bruce Mayhew
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
@ -40,7 +40,6 @@ import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.users.LessonTracker;
import org.owasp.webgoat.users.UserTracker;
import org.owasp.webgoat.users.UserTrackerRepository;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
@ -66,12 +65,6 @@ public class LessonMenuService {
private final WebSession webSession;
private UserTrackerRepository userTrackerRepository;
@Value("#{'${exclude.categories}'.split(',')}")
private List<String> excludeCategories;
@Value("#{'${exclude.lessons}'.split(',')}")
private List<String> excludeLessons;
/**
* Returns the lesson menu which is used to build the left nav
*
@ -86,9 +79,6 @@ public class LessonMenuService {
UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
for (Category category : categories) {
if (excludeCategories.contains(category.name())) {
continue;
}
LessonMenuItem categoryItem = new LessonMenuItem();
categoryItem.setName(category.getName());
categoryItem.setType(LessonMenuItemType.CATEGORY);
@ -96,9 +86,6 @@ public class LessonMenuService {
List<Lesson> lessons = course.getLessons(category);
lessons = lessons.stream().sorted(Comparator.comparing(l -> l.getTitle())).collect(Collectors.toList());
for (Lesson lesson : lessons) {
if (excludeLessons.contains(lesson.getName())) {
continue;
}
LessonMenuItem lessonItem = new LessonMenuItem();
lessonItem.setName(lesson.getTitle());
lessonItem.setLink(lesson.getLink());


@ -5,7 +5,7 @@
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 2014 Bruce Mayhew
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software


@ -2,7 +2,7 @@
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 2014 Bruce Mayhew
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the


@ -15,7 +15,7 @@ import static java.util.stream.Collectors.toList;
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 2014 Bruce Mayhew
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the


@ -15,7 +15,7 @@ import java.sql.SQLException;
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see
* http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 2014 Bruce Mayhew
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public
* License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later


@ -17,7 +17,7 @@ import java.util.stream.Collectors;
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 2014 Bruce Mayhew
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the


@ -8,7 +8,6 @@ import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;
import java.util.stream.Collectors;
@ -46,15 +45,6 @@ public class Scoreboard {
UserTracker userTracker = userTrackerRepository.findByUser(user.getUsername());
rankings.add(new Ranking(user.getUsername(), challengesSolved(userTracker)));
}
/* sort on number of captured flags to present an ordered ranking */
rankings.sort(new Comparator<Ranking>() {
@Override
public int compare(Ranking o1, Ranking o2) {
return o2.getFlagsCaptured().size() - o1.getFlagsCaptured().size();
}
});
return rankings;
}


@ -20,7 +20,7 @@ import java.util.stream.Collectors;
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 2014 Bruce Mayhew
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the


@ -50,9 +50,3 @@ spring.jackson.serialization.write-dates-as-timestamps=false
#For static file refresh ... and faster dev :D
spring.devtools.restart.additional-paths=webgoat-container/src/main/resources/static/js,webgoat-container/src/main/resources/static/css
exclude.categories=${EXCLUDE_CATEGORIES:none,none}
#exclude based on the enum of the Category
exclude.lessons=${EXCLUDE_LESSONS:none,none}
#exclude based on the class name of a lesson e.g.: LessonTemplate


@ -104,15 +104,24 @@ img {
font-weight: 700;
}
#header .toggle-navigation button:hover,
#header .toggle-navigation button:active,
#header button#toggle-mail:hover,
#header button#toggle-mail:active {
background: #e84c3d;
}
#header .toggle-navigation button:hover i,
#header button#toggle-mail:hover i {
color: #F6F6F6;
}
#header .toggle-navigation.toggle-left {
margin-top: 5px;
margin-left: 20px;
display: inline-block;
}
#header .btn-default {
padding: 3px 9px;
background: #F6F6F6;
@ -148,7 +157,7 @@ img {
#header #lesson-title-wrapper {
display: inline-block;
margin: 0 0 0 30px;
margin: 0 0 0 20px;
}
#header .pull-right {
@ -203,6 +212,14 @@ img {
font-family: 'Source Sans Pro', Arial, sans-serif;
}
.main-content-toggle-left {
margin-left: 0;
}
.main-content-toggle-right {
margin-right: 240px;
}
/*==========================================================================
lesson content / wrapper
========================================================================= */
@ -780,10 +797,27 @@ fieldset[disabled] .btn-warning.active {
padding-left: 0;
}
#header .toggle-navigation.toggle-left {
float: left;
}
.sidebar {
margin-left: -240px;
}
.sidebar-toggle {
margin-left: 0;
width: 100%;
}
.main-content-wrapper {
margin-left: 0;
}
.main-content-toggle-left {
margin-left: 660px;
}
.sidebarRight {
top: 160px;
width: 100%;
@ -897,6 +931,10 @@ cookie-container {
overflow-x: hidden;
}
.sidebar-toggle {
margin-left: -240px;
}
#menu-container ul,
#menu-container ul ul {
margin: -2px 0 0;
@ -1022,9 +1060,10 @@ cookie-container {
display: inline-block;
background-color: #555;
border-radius: 8px;
min-width: 25px;
min-width: 20px;
text-align: center;
font-weight: bold;
padding-top: 2px;
}
.attack-link.solved-false {
@ -1055,14 +1094,21 @@ cookie-container {
margin: 3px;
}
@keyframes blink {
50% {
border-color: white;
}
}
.cur-page {
border: 3px solid #000;
color:#aaa;
animation: blink 1.5s 2 forwards;
border: 3px solid blue;
color: #aaa;
background-color: lightsalmon;
}
span.show-next-page, span.show-prev-page {
font-size: 1.1em;
align-content: space-evenly;
font-size: 1.3em;
}
.show-prev-page {
@ -1073,10 +1119,6 @@ span.show-next-page, span.show-prev-page {
cursor: pointer;
}
.no-underline:hover {
text-decoration: none;
}
/* attack ... */
.attack-feedback {
@ -1185,7 +1227,7 @@ div.scoreboard-username {
color: aliceblue;
padding: 4px;
padding-left: 8px;
font-size: medium;
font-size: x-large;
border-radius: 6px;
}
@ -1203,7 +1245,7 @@ div.captured-flag {
background-color: #444;
color: white;
padding: 4px;
font-size: medium;
font-size: x-large;
display: inline-block;
}
@ -1216,6 +1258,13 @@ div.captured-flag {
color: red
}
.appseceu-banner {
background: url('img/owasp_logo.jpg') no-repeat 0px 0px;
height: 117px;
width: 1268px;
margin-bottom: 20px;
}
#content {
position: relative;
}


@ -3,6 +3,8 @@ var app = function() {
var init = function() {
tooltips();
toggleMenuLeft();
toggleMenuRight();
// menu is handled by angular
//menu();
togglePanel();
@ -26,6 +28,38 @@ var app = function() {
};
var toggleMenuLeft = function() {
$('#toggle-left').bind('click', function(e) {
if (!$('.sidebarRight').hasClass('.sidebar-toggle-right')) {
$('.sidebarRight').removeClass('sidebar-toggle-right');
$('.main-content-wrapper').removeClass('main-content-toggle-right');
}
$('.sidebar').toggleClass('sidebar-toggle');
$('.main-content-wrapper').toggleClass('main-content-toggle-left');
e.stopPropagation();
});
};
var toggleMenuRight = function() {
$('#toggle-right').bind('click', function(e) {
if (!$('.sidebar').hasClass('.sidebar-toggle')) {
$('.sidebar').addClass('sidebar-toggle');
$('.main-content-wrapper').addClass('main-content-toggle-left');
}
$('.sidebarRight').toggleClass('sidebar-toggle-right animated bounceInRight');
$('.main-content-wrapper').toggleClass('main-content-toggle-right');
if ( $(window).width() < 660 ) {
$('.sidebar').removeClass('sidebar-toggle');
$('.main-content-wrapper').removeClass('main-content-toggle-left main-content-toggle-right');
};
e.stopPropagation();
});
};
var closePanel = function() {
$('.actions > .fa-times').click(function() {
$(this).parent().parent().parent().fadeOut();
@ -33,6 +67,17 @@ var app = function() {
}
/*
var menu = function() {
$("#leftside-navigation .sub-menu a").click(function(e) {
$("#leftside-navigation ul ul").slideUp();
if (!$(this).next().is(":visible")) {
$(this).next().slideDown();
}
e.stopPropagation();
});
};
*/
//End functions
//Dashboard functions
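Review bot: In `toggleMenuLeft` the guard `$('.sidebarRight').hasClass('.sidebar-toggle-right')` passes a selector-style name with a leading dot, but jQuery's `hasClass` expects the bare class name, so the test is always false and the two `removeClass` calls run on every click; `toggleMenuRight` has the same problem with `hasClass('.sidebar-toggle')`, so its `addClass` branch always fires. Change them to `if (!$('.sidebarRight').hasClass('sidebar-toggle-right')) {` and `if (!$('.sidebar').hasClass('sidebar-toggle')) {`. The stray `;` after the `if ( $(window).width() < 660 ) { … }` block in `toggleMenuRight` is an empty statement and can be dropped.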


@ -1,9 +1,9 @@
<div>
<div class="page-nav-wrapper"><span class="glyphicon-class glyphicon glyphicon-circle-arrow-left show-prev-page"></span></div>
<div class="page-link-wrapper">
<span class="glyphicon-class glyphicon glyphicon-circle-arrow-left show-prev-page"></span>
<% var baseUrl = overview.baseUrl; %>
<% _.each(overview.pages, function(page,index) { %>
<a href="<%=overview.baseUrl%>/<%=index%>" alt="Page <%=index++ %>" class="no-underline">
<a href="<%=overview.baseUrl%>/<%=index%>" alt="Page <%=index++ %>">
<% if (page.content === 'assignment') { %>
<div class="<%=page.pageClass%> <%=page.solvedClass%> <%=page.curPageClass%>"><%=index++%></div>
<% } else { %>
@ -11,6 +11,6 @@
<% } %>
</a>
<% }); %>
<span class="glyphicon-class glyphicon glyphicon-circle-arrow-right show-next-page"></span>
</div>
<div class="page-nav-wrapper"><span class="glyphicon-class glyphicon glyphicon-circle-arrow-right show-next-page"></span></div>
</div>


@ -1,7 +1,9 @@
<div class="scoreboard-title">WebGoat Challenge</div>
<div class="appseceu-banner"></div>
<table class="scoreboard-table">
<% _.each(rankings, function(userRanking, index) { %>
<tr>
<th class="username"> <div class="scoreboard-username"><%= index+1%> - <%=userRanking.username %> </div></th>
<th class="username"> <div class="scoreboard-username"><%= index%> <%=userRanking.username %> </div></th>
<td class="user-flags"> <% _.each(userRanking.flagsCaptured, function(flag) { %>
<div class="captured-flag">
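Review bot: `<%=userRanking.username %>` in the scoreboard row interpolates the username without HTML-escaping — in Underscore templates `<%= %>` is raw output and `<%- %>` is the escaped form — and usernames appear to be chosen at registration (the test fixture further down posts a `username` field), so any markup in a name would be rendered into every visitor's scoreboard; use `<%- userRanking.username %>` for both sides of the change. The `<%= index%>` variant, if that is the new side as the compare direction suggests, prints a zero-based rank so the leader shows as 0; the `<%= index+1%>` form on the other side is what readers expect.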


@ -22,7 +22,18 @@ function($,_,Backbone) {
$('#show-hints-button').hide();
},
render:function() {
render:function(title) {
$('#show-source-button').hide();
$('#show-solution-button').hide();
$('#show-plan-button').hide();
if (this.hasSource) {
this.$el.find('#show-source-button').unbind().on('click',_.bind(this.showSource,this)).show();
}
if (this.hasSolution) {
this.$el.find('#show-solution-button').unbind().on('click',_.bind(this.showSolution,this)).show();
}
this.$el.find('#restart-lesson-button').unbind().on('click',_.bind(this.restartLesson,this)).show();
},
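Review bot: `render:function(title)` declares a `title` parameter that the body never reads, so a reader will wrongly assume the button visibility depends on it; if that signature is the new side, drop the parameter (`render:function() {`), and if it is meant to set the lesson title, use it. The three `.unbind().on('click', …).show()` chains for the source, solution and restart buttons repeat one pattern and could share a small helper, but that is optional. The enclosing Backbone view starts and ends outside the hunk.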


@ -108,9 +108,7 @@ define(['jquery',
},
onLessonClick: function (elementId) {
if (this.curLessonLinkId) {
$('#'+this.curLessonLinkId).removeClass('selected').parent().removeClass('selected');
}
$('#'+this.curLessonLinkId).removeClass('selected').parent().removeClass('selected');
//update
$('#'+elementId).addClass('selected').parent().addClass('selected');
this.curLessonLinkId = elementId;
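Review bot: With the `if (this.curLessonLinkId)` guard gone, the first call to `onLessonClick` evaluates `$('#'+this.curLessonLinkId)` while `curLessonLinkId` is presumably still unset (it is only assigned on the last line), producing the selector `#undefined`; jQuery matches nothing and throws no error, but the intent is clearer with the guard kept around the `removeClass` line: `if (this.curLessonLinkId) { … }`. The surrounding view definition starts and ends outside the hunk.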


@ -13,6 +13,8 @@
<div class="brand">
<a th:href="@{/start.mvc}" class="logo"><span>Web</span>Goat</a>
</div>
<div class="toggle-navigation toggle-left">
</div>
<div class="lessonTitle">
</div>


@ -37,6 +37,12 @@
<a th:href="@{/welcome.mvc}" class="logo"><span>Web</span>Goat</a>
</div>
<!--logo end-->
<div class="toggle-navigation toggle-left">
<button type="button" class="btn btn-default" id="toggle-menu" data-toggle="tooltip" data-placement="right"
title="Toggle Navigation">
<i class="fa fa-bars"></i>
</button>
</div><!--toggle navigation end-->
<div id="lesson-title-wrapper">
</div><!--lesson title end-->
@ -103,10 +109,14 @@
<!--main content start-->
<section class="main-content-wrapper">
<section id="main-content">
<section id="main-content"> <!--ng-controller="goatLesson"-->
<div id="lesson-page" class="pages">
<div class="row">
<div class="col-md-8">
<!--<div class="col-md-12" align="left">-->
<!---->
<!--&lt;!&ndash; hints moved into lesson template &ndash;&gt;-->
<!--</div>-->
<div class="col-md-12" align="left">
<div id="lesson-content-wrapper" class="panel">
<div class="" id="error-notification-container">
@ -116,6 +126,10 @@
</div>
</div>
<div class="" id="help-controls">
<button class="btn btn-primary btn-xs btn-danger help-button"
id="show-source-button">
<i class="fa fa-code"></i>
</button>
<button class="btn btn-primary btn-xs btn-danger help-button"
id="show-hints-button" th:text="#{show.hints}">Show hints
</button>


@ -13,6 +13,8 @@
<div class="brand">
<a th:href="@{/start.mvc}" class="logo"><span>Web</span>Goat</a>
</div>
<div class="toggle-navigation toggle-left">
</div>
<div class="lessonTitle">
</div>


@ -7,6 +7,14 @@
<meta http-equiv="Cache-Control" CONTENT="no-cache"/>
<meta http-equiv="Cache-Control" CONTENT="no-store"/>
<!--[if lt IE 7]>
<id class="no-js lt-ie9 lt-ie8 lt-ie7"/> <![endif]-->
<!--[if IE 7]>
<id class="no-js lt-ie9 lt-ie8"/> <![endif]-->
<!--[if IE 8]>
<id class="no-js lt-ie9"/> <![endif]-->
<!--[if gt IE 8]><!-->
<!-- CSS -->
<link rel="shortcut icon" th:href="@{/images/favicon.ico}" type="image/x-icon"/>
@ -20,35 +28,13 @@
<meta http-equiv="Content-Type" content="text/id; charset=ISO-8859-1"/>
<title>WebGoat</title>
</head>
<!-- <body class="scoreboard-page"> -->
<body>
<header id="header">
<!--logo start-->
<div class="brand">
<a th:href="@{/welcome.mvc}" class="logo"><span>Web</span>Goat</a>
</div>
<!--logo end-->
<div id="lesson-title-wrapper">
<h1 id="lesson-title">WebGoat challenges ranking</h1>
</div><!--lesson title end-->
<div class="user-nav pull-right" id="user-and-info-nav" style="margin-right: 75px;">
</div>
</header>
<section id="container">
<!--main content start-->
<section class="main-content-wrapper">
<section id="main-content">
<body class="scoreboard-page">
<div id="scoreboard-wrapper">
<div id="scoreboard">
<!-- will use _ template here -->
</div>
</div>
</section>
</section>
</section>
</body>


@ -23,7 +23,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 2014 Bruce Mayhew
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
@ -53,6 +53,12 @@ public class LabelServiceTest {
@Autowired
public MockMvc mockMvc;
@MockBean
private Course course;
@MockBean
private UserService userService;
@MockBean
private LessonTrackerInterceptor interceptor;
@Test
@WithMockUser(username = "guest", password = "guest")


@ -47,8 +47,6 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
import java.util.Arrays;
@RunWith(MockitoJUnitRunner.class)
public class LessonMenuServiceTest {
@ -66,7 +64,7 @@ public class LessonMenuServiceTest {
@Before
public void setup() {
this.mockMvc = standaloneSetup(new LessonMenuService(course, webSession, userTrackerRepository, Arrays.asList("none"), Arrays.asList("none"))).build();
this.mockMvc = standaloneSetup(new LessonMenuService(course, webSession, userTrackerRepository)).build();
}
@Test


@ -30,7 +30,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 2014 Bruce Mayhew
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the


@ -5,7 +5,7 @@ package org.owasp.webgoat.session;
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 2014 Bruce Mayhew
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the


@ -18,7 +18,7 @@ import static org.mockito.Mockito.when;
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 2014 Bruce Mayhew
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the


@ -6,21 +6,10 @@
<parent>
<groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-parent</artifactId>
<version>${revision}</version>
<version>v8.1.0</version>
</parent>
<dependencies>
<dependency>
<groupId>org.seleniumhq.selenium</groupId>
<artifactId>selenium-java</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>io.github.bonigarcia</groupId>
<artifactId>webdrivermanager</artifactId>
<version>4.2.2</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-server</artifactId>


@ -1,15 +1,8 @@
package org.owasp.webgoat;
import io.restassured.RestAssured;
import io.restassured.http.ContentType;
import lombok.Data;
import lombok.SneakyThrows;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.DynamicTest;
import org.junit.jupiter.api.TestFactory;
import org.owasp.webgoat.lessons.Assignment;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.DynamicTest.dynamicTest;
import java.io.IOException;
import java.nio.file.Files;
@ -19,44 +12,49 @@ import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import static org.assertj.core.api.Assertions.assertThat;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.DynamicTest.dynamicTest;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.DynamicTest;
import org.junit.jupiter.api.TestFactory;
import io.restassured.RestAssured;
import io.restassured.http.ContentType;
import lombok.SneakyThrows;
public class CSRFTest extends IntegrationTest {
private static final String trickHTML3 = "<!DOCTYPE html><html><body><form action=\"WEBGOATURL\" method=\"POST\">\n" +
"<input type=\"hidden\" name=\"csrf\" value=\"thisisnotchecked\"/>\n" +
"<input type=\"submit\" name=\"submit\" value=\"assignment 3\"/>\n" +
"</form></body></html>";
private static final String trickHTML4 = "<!DOCTYPE html><html><body><form action=\"WEBGOATURL\" method=\"POST\">\n" +
"<input type=\"hidden\" name=\"reviewText\" value=\"hoi\"/>\n" +
"<input type=\"hidden\" name=\"starts\" value=\"3\"/>\n" +
"<input type=\"hidden\" name=\"validateReq\" value=\"2aa14227b9a13d0bede0388a7fba9aa9\"/>\n" +
"<input type=\"submit\" name=\"submit\" value=\"assignment 4\"/>\n" +
"</form>\n" +
"</body></html>";
private static final String trickHTML7 = "<!DOCTYPE html><html><body><form action=\"WEBGOATURL\" enctype='text/plain' method=\"POST\">\n" +
"<input type=\"hidden\" name='{\"name\":\"WebGoat\",\"email\":\"webgoat@webgoat.org\",\"content\":\"WebGoat is the best!!' value='\"}' />\n" +
"<input type=\"submit\" value=\"assignment 7\"/>\n" +
"</form></body></html>";
private static final String trickHTML8 = "<!DOCTYPE html><html><body><form action=\"WEBGOATURL\" method=\"POST\">\n" +
"<input type=\"hidden\" name=\"username\" value=\"csrf-USERNAME\"/>\n" +
"<input type=\"hidden\" name=\"password\" value=\"password\"/>\n" +
"<input type=\"hidden\" name=\"matchingPassword\" value=\"password\"/>\n" +
"<input type=\"hidden\" name=\"agree\" value=\"agree\"/>\n" +
"<input type=\"submit\" value=\"assignment 8\"/>\n" +
"</form></body></html>";
private static final String trickHTML3 = "<!DOCTYPE html><html><body><form action=\"WEBGOATURL\" method=\"POST\">\n" +
"<input type=\"hidden\" name=\"csrf\" value=\"thisisnotchecked\"/>\n" +
"<input type=\"submit\" name=\"submit\" value=\"assignment 3\"/>\n" +
"</form></body></html>";
private static final String trickHTML4 = "<!DOCTYPE html><html><body><form action=\"WEBGOATURL\" method=\"POST\">\n" +
"<input type=\"hidden\" name=\"reviewText\" value=\"hoi\"/>\n" +
"<input type=\"hidden\" name=\"starts\" value=\"3\"/>\n" +
"<input type=\"hidden\" name=\"validateReq\" value=\"2aa14227b9a13d0bede0388a7fba9aa9\"/>\n" +
"<input type=\"submit\" name=\"submit\" value=\"assignment 4\"/>\n" +
"</form>\n" +
"</body></html>";
private static final String trickHTML7 = "<!DOCTYPE html><html><body><form action=\"WEBGOATURL\" enctype='text/plain' method=\"POST\">\n" +
"<input type=\"hidden\" name='{\"name\":\"WebGoat\",\"email\":\"webgoat@webgoat.org\",\"content\":\"WebGoat is the best!!' value='\"}' />\n" +
"<input type=\"submit\" value=\"assignment 7\"/>\n" +
"</form></body></html>";
private static final String trickHTML8 = "<!DOCTYPE html><html><body><form action=\"WEBGOATURL\" method=\"POST\">\n" +
"<input type=\"hidden\" name=\"username\" value=\"csrf-USERNAME\"/>\n" +
"<input type=\"hidden\" name=\"password\" value=\"password\"/>\n" +
"<input type=\"hidden\" name=\"matchingPassword\" value=\"password\"/>\n" +
"<input type=\"hidden\" name=\"agree\" value=\"agree\"/>\n" +
"<input type=\"submit\" value=\"assignment 8\"/>\n" +
"</form></body></html>";
private String webwolfFileDir;
@BeforeEach
@SneakyThrows
public void init() {
startLesson("CSRF");
startLesson("CSRF");
webwolfFileDir = getWebWolfServerPath();
uploadTrickHtml("csrf3.html", trickHTML3.replace("WEBGOATURL", url("/csrf/basic-get-flag")));
uploadTrickHtml("csrf4.html", trickHTML4.replace("WEBGOATURL", url("/csrf/review")));
@ -66,197 +64,178 @@ public class CSRFTest extends IntegrationTest {
@TestFactory
Iterable<DynamicTest> testCSRFLesson() {
return Arrays.asList(
dynamicTest("assignement 3", () -> checkAssignment3(callTrickHtml("csrf3.html"))),
dynamicTest("assignement 4", () -> checkAssignment4(callTrickHtml("csrf4.html"))),
dynamicTest("assignement 7", () -> checkAssignment7(callTrickHtml("csrf7.html"))),
dynamicTest("assignement 8", () -> checkAssignment8(callTrickHtml("csrf8.html")))
);
return Arrays.asList(
dynamicTest("assignement 3",()-> checkAssignment3(callTrickHtml("csrf3.html"))),
dynamicTest("assignement 4",()-> checkAssignment4(callTrickHtml("csrf4.html"))),
dynamicTest("assignement 7",()-> checkAssignment7(callTrickHtml("csrf7.html"))),
dynamicTest("assignement 8",()-> checkAssignment8(callTrickHtml("csrf8.html")))
);
}
@AfterEach
public void shutdown() throws IOException {
//logout();
public void shutdown() throws IOException {
//logout();
login();//because old cookie got replaced and invalidated
startLesson("CSRF", false);
checkResults("/csrf");
checkResults("/csrf");
}
private void uploadTrickHtml(String htmlName, String htmlContent) throws IOException {
//remove any left over html
Path webWolfFilePath = Paths.get(webwolfFileDir);
if (webWolfFilePath.resolve(Paths.get(getWebgoatUser(), htmlName)).toFile().exists()) {
Files.delete(webWolfFilePath.resolve(Paths.get(getWebgoatUser(), htmlName)));
//remove any left over html
Path webWolfFilePath = Paths.get(webwolfFileDir);
if (webWolfFilePath.resolve(Paths.get(getWebgoatUser(),htmlName)).toFile().exists()) {
Files.delete(webWolfFilePath.resolve(Paths.get(getWebgoatUser(),htmlName)));
}
//upload trick html
//upload trick html
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.multiPart("file", htmlName, htmlContent.getBytes())
.post(webWolfUrl("/WebWolf/fileupload"))
.then()
.extract().response().getBody().asString();
.when()
.relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.multiPart("file", htmlName, htmlContent.getBytes())
.post(webWolfUrl("/WebWolf/fileupload"))
.then()
.extract().response().getBody().asString();
}
private String callTrickHtml(String htmlName) {
String result = RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.get(webWolfUrl("/files/" + getWebgoatUser() + "/" + htmlName))
.then()
.extract().response().getBody().asString();
result = result.substring(8 + result.indexOf("action=\""));
result = result.substring(0, result.indexOf("\""));
return result;
String result = RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.get(webWolfUrl("/files/"+getWebgoatUser()+"/"+htmlName))
.then()
.extract().response().getBody().asString();
result = result.substring(8+result.indexOf("action=\""));
result = result.substring(0, result.indexOf("\""));
return result;
}
private void checkAssignment3(String goatURL) {
String flag = RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.header("Referer", webWolfUrl("/files/fake.html"))
.post(goatURL)
.then()
.extract().path("flag").toString();
Map<String, Object> params = new HashMap<>();
String flag = RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.header("Referer", webWolfUrl("/files/fake.html"))
.post(goatURL)
.then()
.extract().path("flag").toString();
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("confirmFlagVal", flag);
checkAssignment(url("/WebGoat/csrf/confirm-flag-1"), params, true);
}
private void checkAssignment4(String goatURL) {
Map<String, Object> params = new HashMap<>();
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("reviewText", "test review");
params.put("stars", "5");
params.put("validateReq", "2aa14227b9a13d0bede0388a7fba9aa9");//always the same token is the weakness
boolean result = RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.header("Referer", webWolfUrl("/files/fake.html"))
.formParams(params)
.post(goatURL)
.then()
.extract().path("lessonCompleted");
assertEquals(true, result);
boolean result = RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.header("Referer", webWolfUrl("/files/fake.html"))
.formParams(params)
.post(goatURL)
.then()
.extract().path("lessonCompleted");
assertEquals(true, result);
}
private void checkAssignment7(String goatURL) {
Map<String, Object> params = new HashMap<>();
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("{\"name\":\"WebGoat\",\"email\":\"webgoat@webgoat.org\",\"content\":\"WebGoat is the best!!", "\"}");
String flag = RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.header("Referer", webWolfUrl("/files/fake.html"))
.contentType(ContentType.TEXT)
.body("{\"name\":\"WebGoat\",\"email\":\"webgoat@webgoat.org\",\"content\":\"WebGoat is the best!!"+ "=\"}")
.post(goatURL)
.then()
.extract().asString();
flag = flag.substring(9+flag.indexOf("flag is:"));
flag = flag.substring(0, flag.indexOf("\""));
String flag = RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.header("Referer", webWolfUrl("/files/fake.html"))
.contentType(ContentType.TEXT)
.body("{\"name\":\"WebGoat\",\"email\":\"webgoat@webgoat.org\",\"content\":\"WebGoat is the best!!" + "=\"}")
.post(goatURL)
.then()
.extract().asString();
flag = flag.substring(9 + flag.indexOf("flag is:"));
flag = flag.substring(0, flag.indexOf("\""));
params.clear();
params.clear();
params.put("confirmFlagVal", flag);
checkAssignment(url("/WebGoat/csrf/feedback"), params, true);
}
private void checkAssignment8(String goatURL) {
//first make sure there is an attack csrf- user
registerCSRFUser();
Map<String, Object> params = new HashMap<>();
//first make sure there is an attack csrf- user
registerCSRFUser();
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("username", "csrf-" + getWebgoatUser());
params.put("password", "password");
params.put("username", "csrf-"+getWebgoatUser());
params.put("password","password");
//login and get the new cookie
String newCookie = RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.header("Referer", webWolfUrl("/files/fake.html"))
.params(params)
.post(goatURL)
.then()
.extract().cookie("JSESSIONID");
//select the lesson
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", newCookie)
.get(url("CSRF.lesson.lesson"))
.then()
.statusCode(200);
//click on the assignment
boolean result = RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", newCookie)
.post(url("/csrf/login"))
.then()
.statusCode(200)
.extract().path("lessonCompleted");
assertThat(result).isTrue();
login();
startLesson("CSRF", false);
Overview[] assignments = RestAssured.given()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("/service/lessonoverview.mvc"))
.then()
.extract()
.jsonPath()
.getObject("$", Overview[].class);
assertThat(assignments)
.filteredOn(a -> a.getAssignment().getName().equals("CSRFLogin"))
.extracting(o -> o.solved)
.containsExactly(true);
String newCookie = RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.header("Referer", webWolfUrl("/files/fake.html"))
.params(params)
.post(goatURL)
.then()
.extract().cookie("JSESSIONID");
//select the lesson
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", newCookie)
.get(url("CSRF.lesson.lesson"))
.then()
.statusCode(200);
//click on the assignment
boolean result = RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", newCookie)
.post(url("/csrf/login"))
.then()
.statusCode(200)
.extract().path("lessonCompleted");
//vaidate the result
assertEquals(true, result);
}
@Data
private static class Overview {
Assignment assignment;
boolean solved;
}
/**
* Try to register the new user. Ignore the result.
*/
private void registerCSRFUser() {
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.formParam("username", "csrf-" + getWebgoatUser())
.formParam("password", "password")
.formParam("matchingPassword", "password")
.formParam("agree", "agree")
.post(url("register.mvc"));
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.formParam("username", "csrf-"+getWebgoatUser())
.formParam("password", "password")
.formParam("matchingPassword", "password")
.formParam("agree", "agree")
.post(url("register.mvc"));
}
}
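Review bot: `callTrickHtml` computes `result.substring(8 + result.indexOf("action=\""))` without checking that the marker was found, so a missing or renamed WebWolf file yields a garbage URL that only fails later in the POST; I'd guard it with `int at = result.indexOf("action=\""); if (at < 0) throw new IllegalStateException("no form action in " + htmlName);` before the substring. The same unchecked pattern is in `checkAssignment7` on `flag.indexOf("flag is:")`. `uploadTrickHtml` discards the upload response and asserts no status code, so a rejected upload surfaces only as that confusing parse error; a status assertion after `.then()` would make the cause visible. Both methods sit inside the third hunk, whose enclosing class is opened in the earlier hunks.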


@ -69,46 +69,5 @@ public class ChallengeTest extends IntegrationTest {
.get("find { it.username == \"" + getWebgoatUser() + "\" }.flagsCaptured");
assertTrue(capturefFlags.contains("Admin lost password"));
}
@Test
public void testChallenge5() {
startLesson("Challenge5");
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("username_login", "Larry");
params.put("password_login", "1' or '1'='1");
String result =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.formParams(params)
.post(url("/WebGoat/challenge/5"))
.then()
.statusCode(200)
.extract().asString();
String flag = result.substring(result.indexOf("flag")+6,result.indexOf("flag")+42);
params.clear();
params.put("flag", flag);
checkAssignment(url("/WebGoat/challenge/flag"), params, true);
checkResults("/challenge/5");
List<String> capturefFlags =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("/WebGoat/scoreboard-data"))
.then()
.statusCode(200)
.extract().jsonPath()
.get("find { it.username == \"" + getWebgoatUser() + "\" }.flagsCaptured");
assertTrue(capturefFlags.contains("Without password"));
}
}


@ -3,7 +3,7 @@ package org.owasp.webgoat;
import io.restassured.RestAssured;
import io.restassured.http.ContentType;
import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert;
import org.junit.Assert;
import org.junit.jupiter.api.Test;
import java.util.HashMap;
@ -38,7 +38,7 @@ public class GeneralLessonTest extends IntegrationTest {
@Test
public void httpProxies() {
startLesson("HttpProxies");
MatcherAssert.assertThat(RestAssured.given()
Assert.assertThat(RestAssured.given()
.when().relaxedHTTPSValidation().cookie("JSESSIONID", getWebGoatCookie()).header("x-request-intercepted", "true")
.contentType(ContentType.JSON)
.get(url("HttpProxies/intercept-request?changeMe=Requests are tampered easily"))
@ -64,16 +64,11 @@ public class GeneralLessonTest extends IntegrationTest {
@Test
public void vulnerableComponents() {
String solution = "<contact class='dynamic-proxy'>\n" +
"<interface>org.owasp.webgoat.vulnerable_components.Contact</interface>\n" +
" <handler class='java.beans.EventHandler'>\n" +
" <target class='java.lang.ProcessBuilder'>\n" +
" <command>\n" +
" <string>calc.exe</string>\n" +
" </command>\n" +
" </target>\n" +
" <action>start</action>\n" +
" </handler>\n" +
String solution = "<contact>\n" +
" <java.lang.Integer>1</java.lang.Integer>\n" +
" <firstName>Bruce</firstName>\n" +
" <lastName>Mayhew</lastName>\n" +
" <email>webgoat@owasp.org</email>\n" +
"</contact>";
startLesson("VulnerableComponents");
Map<String, Object> params = new HashMap<>();
@ -114,7 +109,7 @@ public class GeneralLessonTest extends IntegrationTest {
checkResults("/auth-bypass/");
startLesson("HttpProxies");
MatcherAssert.assertThat(RestAssured.given().when().relaxedHTTPSValidation().cookie("JSESSIONID", getWebGoatCookie()).header("x-request-intercepted", "true")
Assert.assertThat(RestAssured.given().when().relaxedHTTPSValidation().cookie("JSESSIONID", getWebGoatCookie()).header("x-request-intercepted", "true")
.contentType(ContentType.JSON)
.get(url("/WebGoat/HttpProxies/intercept-request?changeMe=Requests are tampered easily")).then()
.statusCode(200).extract().path("lessonCompleted"), CoreMatchers.is(true));
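Review bot: `org.junit.Assert.assertThat` is the JUnit 4 assertion while this class is driven by `org.junit.jupiter.api.Test`; that method is deprecated in JUnit 4.13 and pulls the junit4 artifact into a Jupiter test only for a Hamcrest delegation that `org.hamcrest.MatcherAssert.assertThat` provides without it. The same import swap appears in the IDORTest, IntegrationTest, JWTLessonTest and PathTraversalTest sections below, and the `assertTrue` import in the section after SqlInjectionMitigationTest moves to `org.junit.Assert` the same way. If the JUnit 4 dependency is intended, a comment at the import stating why would help the next reader; otherwise `MatcherAssert.assertThat(...)` is the one-line change per site. Both `httpProxies` and the method containing the second site extend beyond their hunks.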


@ -9,7 +9,7 @@ import java.util.HashMap;
import java.util.Map;
import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert;
import org.junit.Assert;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.DynamicTest;
@ -53,7 +53,7 @@ public class IDORTest extends IntegrationTest {
}
private void profile() {
MatcherAssert.assertThat(
Assert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
@ -70,7 +70,7 @@ public class IDORTest extends IntegrationTest {
params.put("url", "WebGoat/IDOR/profile/2342384");
checkAssignment(url("/WebGoat/IDOR/profile/alt-path"), params, true);
MatcherAssert.assertThat(
Assert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
@ -80,7 +80,7 @@ public class IDORTest extends IntegrationTest {
.statusCode(200)
.extract().path("lessonCompleted"), CoreMatchers.is(true));
MatcherAssert.assertThat(
Assert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()


@ -4,7 +4,10 @@ import io.restassured.RestAssured;
import io.restassured.http.ContentType;
import lombok.Getter;
import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.BeforeEach;
@ -46,6 +49,7 @@ public abstract class IntegrationTest {
private static boolean started = false;
@BeforeClass
@BeforeAll
public static void beforeAll() {
if (WG_SSL) {
@ -87,6 +91,7 @@ public abstract class IntegrationTest {
return WEBWOLF_URL + url;
}
@Before
@BeforeEach
public void login() {
@ -138,6 +143,7 @@ public abstract class IntegrationTest {
.cookie("WEBWOLFSESSION");
}
@After
@AfterEach
public void logout() {
RestAssured.given()
@ -187,7 +193,7 @@ public abstract class IntegrationTest {
* @param expectedResult
*/
public void checkAssignment(String url, Map<String, ?> params, boolean expectedResult) {
MatcherAssert.assertThat(
Assert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
@ -209,7 +215,7 @@ public abstract class IntegrationTest {
* @param expectedResult
*/
public void checkAssignmentWithPUT(String url, Map<String, ?> params, boolean expectedResult) {
MatcherAssert.assertThat(
Assert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
@ -225,7 +231,7 @@ public abstract class IntegrationTest {
public void checkResults(String prefix) {
checkResults();
MatcherAssert.assertThat(RestAssured.given()
Assert.assertThat(RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
@ -236,7 +242,7 @@ public abstract class IntegrationTest {
}
public void checkResults() {
MatcherAssert.assertThat(RestAssured.given()
Assert.assertThat(RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
@ -246,7 +252,7 @@ public abstract class IntegrationTest {
}
public void checkAssignment(String url, ContentType contentType, String body, boolean expectedResult) {
MatcherAssert.assertThat(
Assert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
@ -260,7 +266,7 @@ public abstract class IntegrationTest {
}
public void checkAssignmentWithGet(String url, Map<String, ?> params, boolean expectedResult) {
MatcherAssert.assertThat(
Assert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
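Review bot: `beforeAll()`, `login()` and `logout()` each carry both a JUnit 4 and a Jupiter lifecycle annotation (`@BeforeClass` with `@BeforeAll`, `@Before` with `@BeforeEach`, `@After` with `@AfterEach`). Under the Jupiter engine the JUnit 4 annotations are inert, and should a subclass ever be picked up by both engines the login/logout round trips would run twice per test; the `org.junit.*` imports also bring the junit4 artifact into a base class otherwise written for Jupiter. I'd keep one set of annotations per method, or add a comment on the class such as `// subclasses run on the Jupiter engine; the JUnit 4 annotations are kept for <reason>` with the reason filled in. The annotated method bodies continue outside their hunks.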


@ -12,7 +12,7 @@ import java.util.HashMap;
import java.util.Map;
import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert;
import org.junit.Assert;
import org.junit.jupiter.api.Test;
import org.owasp.webgoat.jwt.JWTSecretKeyEndpoint;
@ -86,7 +86,7 @@ public class JWTLessonTest extends IntegrationTest {
String secret = getSecretToken(accessToken);
MatcherAssert.assertThat(
Assert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
@ -126,7 +126,7 @@ public class JWTLessonTest extends IntegrationTest {
.concat(new String(Base64.getUrlEncoder().encode(bodyObject.toString().getBytes())).toString())
.concat(".").replace("=", "");
MatcherAssert.assertThat(
Assert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
@ -154,7 +154,7 @@ public class JWTLessonTest extends IntegrationTest {
.concat(new String(Base64.getUrlEncoder().encode(body.getBytes())).toString())
.concat(".").replace("=", "");
MatcherAssert.assertThat(RestAssured.given()
Assert.assertThat(RestAssured.given()
.when().relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.header("Authorization","Bearer "+replacedToken)
@ -180,7 +180,7 @@ public class JWTLessonTest extends IntegrationTest {
.claim("Role", new String[] {"Manager", "Project Administrator"})
.signWith(SignatureAlgorithm.HS256, "deletingTom").compact();
MatcherAssert.assertThat(RestAssured.given()
Assert.assertThat(RestAssured.given()
.when().relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.post(url("/WebGoat/JWT/final/delete?token="+token))


@ -10,7 +10,7 @@ import java.util.Arrays;
import java.util.Map;
import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert;
import org.junit.Assert;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.DynamicTest;
@ -49,7 +49,7 @@ public class PathTraversalTest extends IntegrationTest {
}
public void assignment1() throws IOException {
MatcherAssert.assertThat(
Assert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
@ -63,7 +63,7 @@ public class PathTraversalTest extends IntegrationTest {
}
public void assignment2() throws IOException {
MatcherAssert.assertThat(
Assert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
@ -77,7 +77,7 @@ public class PathTraversalTest extends IntegrationTest {
}
public void assignment3() throws IOException {
MatcherAssert.assertThat(
Assert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()


@ -2,8 +2,6 @@ package org.owasp.webgoat;
import io.restassured.RestAssured;
import io.restassured.response.Response;
import lombok.extern.log4j.Log4j;
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.Test;
@ -20,37 +18,26 @@ public class ProgressRaceConditionTest extends IntegrationTest {
@Test
public void runTests() throws InterruptedException {
int NUMBER_OF_CALLS = 40;
int NUMBER_OF_PARALLEL_THREADS = 5;
startLesson("Challenge1");
Callable<Response> call = () -> {
//System.out.println("thread "+Thread.currentThread().getName());
return RestAssured.given()
Callable<Response> call = () ->
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.formParams(Map.of("flag", "test"))
.post(url("/challenge/flag/"));
};
ExecutorService executorService = Executors.newWorkStealingPool(NUMBER_OF_PARALLEL_THREADS);
List<? extends Callable<Response>> flagCalls = IntStream.range(0, NUMBER_OF_CALLS).mapToObj(i -> call).collect(Collectors.toList());
ExecutorService executorService = Executors.newFixedThreadPool(20);
List<? extends Callable<Response>> flagCalls = IntStream.range(0, 20).mapToObj(i -> call).collect(Collectors.toList());
var responses = executorService.invokeAll(flagCalls);
//A certain amount of parallel calls should fail as optimistic locking in DB is applied
long countStatusCode500 = responses.stream().filter(r -> {
Assertions.assertThat(responses.stream().filter(r -> {
try {
//System.err.println(r.get().getStatusCode());
return r.get().getStatusCode() != 200;
return r.get().getStatusCode() == 500;
} catch (InterruptedException | ExecutionException e) {
//System.err.println(e);
throw new IllegalStateException(e);
}
}).count();
System.out.println("counted status 500: "+countStatusCode500);
Assertions.assertThat(countStatusCode500).isLessThanOrEqualTo((NUMBER_OF_CALLS - (NUMBER_OF_CALLS/NUMBER_OF_PARALLEL_THREADS)));
Assertions.assertThat(countStatusCode500).isGreaterThan((NUMBER_OF_CALLS/NUMBER_OF_PARALLEL_THREADS));
}).count()).isGreaterThan(8);
}
}
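Review bot: The `ExecutorService` from `Executors.newFixedThreadPool(20)` is never shut down, so its non-daemon worker threads outlive `runTests()`; wrapping the `invokeAll` and the assertion in `try { ... } finally { executorService.shutdown(); }` closes that leak. The bare `20`, `20` and `isGreaterThan(8)` carry the entire meaning of the race-condition check but are unexplained; a comment above the assertion tying the threshold to the optimistic-locking expectation mentioned in the existing comment, e.g. `// with 20 concurrent submissions at least 9 are expected to collide on the optimistic lock`, would make the number reviewable rather than magic. The `== 500` filter also treats any other failure status as a success; whether that is intended is not clear from the hunk. The enclosing class starts outside the hunk.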


@ -1,30 +0,0 @@
package org.owasp.webgoat;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import org.junit.jupiter.api.Test;
public class SSRFTest extends IntegrationTest {
@Test
public void runTests() throws IOException {
startLesson("SSRF");
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("url", "images/jerry.png");
checkAssignment(url("/WebGoat/SSRF/task1"),params,true);
params.clear();
params.put("url", "http://ifconfig.pro");
checkAssignment(url("/WebGoat/SSRF/task2"),params,true);
checkResults("/SSRF/");
}
}


@ -1,111 +0,0 @@
package org.owasp.webgoat;
import java.util.concurrent.TimeUnit;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.openqa.selenium.By;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.firefox.FirefoxBinary;
import org.openqa.selenium.firefox.FirefoxDriver;
import org.openqa.selenium.firefox.FirefoxOptions;
import io.github.bonigarcia.wdm.WebDriverManager;
import io.github.bonigarcia.wdm.config.DriverManagerType;
public class SeleniumTest extends IntegrationTest {
static {
try {
WebDriverManager.getInstance(DriverManagerType.FIREFOX).setup();
} catch (Exception e) {
//sometimes a 403 cause an ExceptionInInitializerError
}
}
private WebDriver driver;
@BeforeEach
public void setUpAndLogin() {
try {
FirefoxBinary firefoxBinary = new FirefoxBinary();
firefoxBinary.addCommandLineOptions("--headless");
FirefoxOptions firefoxOptions = new FirefoxOptions();
firefoxOptions.setBinary(firefoxBinary);
driver = new FirefoxDriver(firefoxOptions);
driver.get(url("/login"));
driver.manage().timeouts().implicitlyWait(30, TimeUnit.SECONDS);
// Login
driver.findElement(By.name("username")).sendKeys(getWebgoatUser());
driver.findElement(By.name("password")).sendKeys("password");
driver.findElement(By.className("btn")).click();
// Check if user exists. If not, create user.
if (driver.getCurrentUrl().equals(url("/login?error"))) {
driver.get(url("/registration"));
driver.findElement(By.id("username")).sendKeys(getWebgoatUser());
driver.findElement(By.id("password")).sendKeys("password");
driver.findElement(By.id("matchingPassword")).sendKeys("password");
driver.findElement(By.name("agree")).click();
driver.findElement(By.className("btn-primary")).click();
}
} catch (IllegalStateException e) {
System.err.println("Web driver not found here: "+System.getProperty("webdriver.gecko.driver"));
}
}
@AfterEach
public void tearDown() {
if (null != driver) {
driver.close();
}
}
@Test
public void sqlInjection() {
if (null==driver) return;
driver.get(url("/start.mvc#lesson/SqlInjection.lesson"));
driver.get(url("/start.mvc#lesson/SqlInjection.lesson/1"));
driver.findElement(By.id("restart-lesson-button")).click();
driver.get(url("/start.mvc#lesson/SqlInjection.lesson/0"));
driver.get(url("/start.mvc#lesson/SqlInjection.lesson/1"));
driver.findElement(By.name("query")).sendKeys(SqlInjectionLessonTest.sql_2);
driver.findElement(By.name("query")).submit();
driver.get(url("/start.mvc#lesson/SqlInjection.lesson/2"));
driver.findElements(By.name("query")).get(1).sendKeys(SqlInjectionLessonTest.sql_3);
driver.findElements(By.name("query")).get(1).submit();
driver.get(url("/start.mvc#lesson/SqlInjection.lesson/3"));
driver.findElements(By.name("query")).get(2).sendKeys(SqlInjectionLessonTest.sql_4_drop);
driver.findElements(By.name("query")).get(2).submit();
driver.get(url("/start.mvc#lesson/SqlInjection.lesson/3"));
driver.findElements(By.name("query")).get(2).clear();
driver.findElements(By.name("query")).get(2).sendKeys(SqlInjectionLessonTest.sql_4_add);
driver.findElements(By.name("query")).get(2).submit();
driver.findElements(By.name("query")).get(2).clear();
driver.findElements(By.name("query")).get(2).sendKeys(SqlInjectionLessonTest.sql_4_drop);
driver.findElements(By.name("query")).get(2).submit();
driver.get(url("/start.mvc#lesson/SqlInjection.lesson/4"));
driver.findElements(By.name("query")).get(3).sendKeys(SqlInjectionLessonTest.sql_5);
driver.findElements(By.name("query")).get(3).submit();
driver.get(url("/start.mvc#lesson/SqlInjection.lesson/8"));
driver.findElement(By.name("account")).sendKeys("Smith'");
driver.findElement(By.name("operator")).sendKeys("OR");
driver.findElement(By.name("injection")).sendKeys("'1'='1");
driver.findElement(By.name("Get Account Info")).click();
driver.get(url("/start.mvc#lesson/SqlInjection.lesson/9"));
driver.findElement(By.name("userid")).sendKeys(SqlInjectionLessonTest.sql_10_userid);
driver.findElement(By.name("login_count")).sendKeys(SqlInjectionLessonTest.sql_10_login_count);
driver.findElements(By.name("Get Account Info")).get(1).click();
}
}


@ -7,24 +7,24 @@ import org.junit.jupiter.api.Test;
public class SqlInjectionLessonTest extends IntegrationTest {
public static final String sql_2 = "select department from employees where last_name='Franco'";
public static final String sql_3 = "update employees set department='Sales' where last_name='Barnett'";
public static final String sql_4_drop = "alter table employees drop column phone";
public static final String sql_4_add = "alter table employees add column phone varchar(20)";
public static final String sql_5 = "grant alter table to UnauthorizedUser";
public static final String sql_9_account = " ' ";
public static final String sql_9_operator = "or";
public static final String sql_9_injection = "'1'='1";
public static final String sql_10_login_count = "2";
public static final String sql_10_userid = "1 or 1=1";
private static final String sql_2 = "select department from employees where last_name='Franco'";
private static final String sql_3 = "update employees set department='Sales' where last_name='Barnett'";
private static final String sql_4_drop = "alter table employees drop column phone";
private static final String sql_4_add = "alter table employees add column phone varchar(20)";
private static final String sql_5 = "grant alter table to UnauthorizedUser";
private static final String sql_9_account = " ' ";
private static final String sql_9_operator = "or";
private static final String sql_9_injection = "'1'='1";
private static final String sql_10_login_count = "2";
private static final String sql_10_userid = "1 or 1=1";
public static final String sql_11_a = "Smith' or '1' = '1";
public static final String sql_11_b = "3SL99A' or '1'='1";
private static final String sql_11_a = "Smith' or '1' = '1";
private static final String sql_11_b = "3SL99A' or '1'='1";
public static final String sql_12_a = "Smith";
public static final String sql_12_b = "3SL99A' ; update employees set salary= '100000' where last_name='Smith";
private static final String sql_12_a = "Smith";
private static final String sql_12_b = "3SL99A' ; update employees set salary= '100000' where last_name='Smith";
public static final String sql_13 = "%update% '; drop table access_log ; --'";
private static final String sql_13 = "%update% '; drop table access_log ; --'";
@Test
public void runTests() {


@ -59,7 +59,7 @@ public class SqlInjectionMitigationTest extends IntegrationTest {
.get(url("/WebGoat/SqlInjectionMitigations/servers?column=unknown"))
.then()
.statusCode(500)
.body("trace", containsString("select id, hostname, ip, mac, status, description from servers where status <> 'out of order' order by"));
.body("message", containsString("select id, hostname, ip, mac, status, description from servers where status <> 'out of order' order by"));
params.clear();
params.put("ip", "104.130.219.202");
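Review bot: The assertion `.body("message", containsString("select id, hostname, ..."))` couples the test to the server echoing the failing SQL statement in its 500 response; that is presumably the lesson's deliberate verbose-error behaviour, but nothing in the test says so. I'd add a comment above the `given()` chain, e.g. `// the lesson intentionally exposes the failing statement in the error body; this pins that behaviour`, so a later change to the error handler is not misread as a test regression. As far as I recall Spring Boot only fills `message` in the error body when configured to include it, so this is also an unstated assumption about the application's error configuration. The enclosing test method starts and ends outside the hunk.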


@ -1,6 +1,6 @@
package org.owasp.webgoat;
import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.junit.Assert.assertTrue;
import java.io.IOException;
import java.util.HashMap;


@ -31,21 +31,6 @@ public class XXETest extends IntegrationTest {
checkResults("xxe/");
}
/*
* This test is to verify that all is secure when XXE security patch is applied.
*/
@Test
public void xxeSecure() throws IOException {
startLesson("XXE");
webGoatHomeDirectory = getWebGoatServerPath();
webwolfFileDir = getWebWolfServerPath();
RestAssured.given().when().relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie()).get(url("/xxe/applysecurity"));
checkAssignment(url("/WebGoat/xxe/simple"), ContentType.XML, xxe3, false);
checkAssignment(url("/WebGoat/xxe/content-type"), ContentType.XML, xxe4, false);
checkAssignment(url("/WebGoat/xxe/blind"), ContentType.XML, "<comment><text>" + getSecret() + "</text></comment>", false);
}
/**
* This performs the steps of the exercise before the secret can be committed in the final step.
*
@ -83,9 +68,7 @@ public class XXETest extends IntegrationTest {
.then()
.extract().response().getBody().asString();
result = result.replace("%20", " ");
if (-1 != result.lastIndexOf("WebGoat 8.0 rocks... (")) {
result = result.substring(result.lastIndexOf("WebGoat 8.0 rocks... ("), result.lastIndexOf("WebGoat 8.0 rocks... (") + 33);
}
result = result.substring(result.lastIndexOf("WebGoat 8.0 rocks... ("), result.lastIndexOf("WebGoat 8.0 rocks... (") + 33);
return result;
}
}
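Review bot: The guard around `result.lastIndexOf("WebGoat 8.0 rocks... (")` is gone, so when the marker is absent `lastIndexOf` returns -1 and `result.substring(-1, 32)` throws `StringIndexOutOfBoundsException` instead of returning the unparsed body; keep the check: `int at = result.lastIndexOf("WebGoat 8.0 rocks... ("); if (at != -1) { result = result.substring(at, at + 33); }`. The helper's body starts outside the hunk, and its Javadoc would benefit from a line stating what is returned when the secret is not found. Removing `xxeSecure` also leaves the `/xxe/applysecurity` path with no test asserting that the three assignments are rejected once the patch is applied.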


@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>${revision}</version>
<version>v8.1.0</version>
</parent>
</project>


@ -6,6 +6,6 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>${revision}</version>
<version>v8.1.0</version>
</parent>
</project>


@ -34,7 +34,7 @@ public class BypassRestrictionsFieldRestrictions extends AssignmentEndpoint {
@PostMapping("/BypassRestrictions/FieldRestrictions")
@ResponseBody
public AttackResult completed(@RequestParam String select, @RequestParam String radio, @RequestParam String checkbox, @RequestParam String shortInput, @RequestParam String readOnlyInput) {
public AttackResult completed(@RequestParam String select, @RequestParam String radio, @RequestParam String checkbox, @RequestParam String shortInput) {
if (select.equals("option1") || select.equals("option2")) {
return failed(this).build();
}
@ -47,9 +47,6 @@ public class BypassRestrictionsFieldRestrictions extends AssignmentEndpoint {
if (shortInput.length() <= 5) {
return failed(this).build();
}
if ("change".equals(readOnlyInput)) {
return failed(this).build();
}
return success(this).build();
}
}


@ -1,5 +0,0 @@
.bypass-input-container {
position: relative;
padding: 7px;
margin-top: 7px;
}


@ -1,167 +1,124 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org" xmlns="http://www.w3.org/1999/html">
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:BypassRestrictions_Intro.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:BypassRestrictions_Intro.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- stripped down without extra comments -->
<div class="adoc-content" th:replace="doc:BypassRestrictions_FieldRestrictions.adoc"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/bypass-restrictions.css}"/>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container-fluid">
<div class="lesson-page-wrapper">
<!-- stripped down without extra comments -->
<div class="adoc-content" th:replace="doc:BypassRestrictions_FieldRestrictions.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" name="fieldRestrictions"
method="POST"
action="/WebGoat/BypassRestrictions/FieldRestrictions">
<div class="bypass-input-container"><b>Select field with two possible value</b>
<div class="input-group">
<select name="select">
<option value="option1">Option 1</option>
<option value="option2">Option 2</option>
</select>
</div>
</div>
<div class="bypass-input-container"><b>Radio button with two possible values</b>
<div class="input-group">
<input type="radio" name="radio" value="option1" checked="checked"/> Option 1<br/>
<input type="radio" name="radio" value="option2"/> Option 2<br/>
</div>
</div>
<div class="bypass-input-container"><b>Checkbox: value either on or off</b>
<div class="input-group">
<input type="checkbox" name="checkbox" checked="checked"> Checkbox</input>
</div>
</div>
<div class="bypass-input-container"><b>Input restricted to max 5 characters</b>
<div class="input-group"><input type="text" value="12345" name="shortInput" maxlength="5"/>
</div>
</div>
<div class="bypass-input-container"><b>Readonly input field</b>
<div class="input-group">
<input type="text" value="change" readonly="readonly" name="readOnlyInput"/>
</div>
</div>
<br>
<input type="submit" class="btn btn-primary" value="Submit"/>
<div>Select field with two possible values</div>
<select name="select">
<option value="option1">Option 1</option>
<option value="option2">Option 2</option>
</select>
<div>Radio button with two possible values</div>
<input type="radio" name="radio" value="option1" checked="checked"/> Option 1<br />
<input type="radio" name="radio" value="option2" /> Option 2<br />
<div>Checkbox: value either on or off</div>
<input type="checkbox" name="checkbox" checked="checked"/> Checkbox
<div>Input restricted to max 5 characters</div>
<input type="text" value="12345" name="shortInput" maxlength="5"/>
<div>Disabled input field</div>
<input type="submit" value="submit"/>
</form>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
<br/>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:BypassRestrictions_FrontendValidation.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:BypassRestrictions_FrontendValidation.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" name="frontendValidation"
id="frontendValidation"
method="POST"
action="/WebGoat/BypassRestrictions/frontendValidation/"
onsubmit="return validate()">
<div>
<strong>Field 1:</strong> exactly three lowercase characters(^[a-z]{3}$)
</div>
<div>
<textarea cols="25" name="field1" rows="1">abc</textarea>
</div>
<p></p>
<div><strong>Field 2:</strong> exactly three digits(^[0-9]{3}$)</div>
<div>
<textarea cols="25" name="field2" rows="1">123</textarea>
</div>
<p></p>
<div><strong>Field 3:</strong> letters, numbers, and space only(^[a-zA-Z0-9 ]*$)</div>
<div>
<textarea cols="25" name="field3" rows="1">abc 123 ABC</textarea>
</div>
<p></p>
<div><strong>Field 4:</strong> enumeration of numbers (^(one|two|three|four|five|six|seven|eight|nine)$)
</div>
<div>
<textarea cols="25" name="field4" rows="1">seven</textarea>
</div>
<p></p>
<div><strong>Field 5:</strong> simple zip code (^\d{5}$)</div>
<div>
<textarea cols="25" name="field5" rows="1">01101</textarea>
</div>
<p></p>
<div><strong>Field 6:</strong> zip with optional dash four (^\d{5}(-\d{4})?$)</div>
<div>
<textarea cols="25" name="field6" rows="1">90210-1111</textarea>
</div>
<p></p>
<div><strong>Field 7:</strong> US phone number with or without dashes (^[2-9]\d{2}-?\d{3}-?\d{4}$)</div>
<div>
<textarea cols="25" name="field7" rows="1">301-604-4882</textarea>
</div>
<input type="hidden" value="" name="error"/>
<p>
<button type="submit" class="btn btn-primary">Submit</button>
</p>
</form>
<form class="attack-form" accept-charset="UNKNOWN" name="frontendValidation"
id="frontendValidation"
method="POST"
action="/WebGoat/BypassRestrictions/frontendValidation/"
onsubmit="return validate()">
<div>
<strong>Field 1:</strong> exactly three lowercase characters(^[a-z]{3}$)
</div>
<div>
<textarea cols="25" name="field1" rows="1">abc</textarea>
</div>
<p></p>
<div><strong>Field 2:</strong> exactly three digits(^[0-9]{3}$)</div>
<div>
<textarea cols="25" name="field2" rows="1">123</textarea>
</div>
<p></p>
<div><strong>Field 3:</strong> letters, numbers, and space only(^[a-zA-Z0-9 ]*$)</div>
<div>
<textarea cols="25" name="field3" rows="1">abc 123 ABC</textarea>
</div>
<p></p>
<div><strong>Field 4:</strong> enumeration of numbers (^(one|two|three|four|five|six|seven|eight|nine)$)</div>
<div>
<textarea cols="25" name="field4" rows="1">seven</textarea>
</div>
<p></p>
<div><strong>Field 5:</strong> simple zip code (^\d{5}$)</div>
<div>
<textarea cols="25" name="field5" rows="1">01101</textarea>
</div>
<p></p>
<div><strong>Field 6:</strong> zip with optional dash four (^\d{5}(-\d{4})?$)</div>
<div>
<textarea cols="25" name="field6" rows="1">90210-1111</textarea>
</div>
<p></p>
<div><strong>Field 7:</strong> US phone number with or without dashes (^[2-9]\d{2}-?\d{3}-?\d{4}$)</div>
<div>
<textarea cols="25" name="field7" rows="1">301-604-4882</textarea>
</div>
<input type="hidden" value="" name="error" />
<p><button type="submit" class="btn btn-primary">Submit</button></p>
</form>
<script>
var regex1 = /^[a-z]{3}$/;
var regex2 = /^[0-9]{3}$/;
var regex3 = /^[a-zA-Z0-9 ]*$/;
var regex4 = /^(one|two|three|four|five|six|seven|eight|nine)$/;
var regex5 = /^\d{5}$/;
var regex6 = /^\d{5}(-\d{4})?$/;
var regex7 = /^[2-9]\d{2}-?\d{3}-?\d{4}$/;
var validate = function () {
var msg = 'JavaScript found form errors';
var err = 0;
if (!regex1.test(document.frontendValidation.field1.value)) {
err += 1;
msg += '\n Value entered for field 1 is not correct';
}
if (!regex2.test(document.frontendValidation.field2.value)) {
err += 1;
msg += '\n Value entered for field 2 is not correct';
}
if (!regex3.test(document.frontendValidation.field3.value)) {
err += 1;
msg += '\n Value entered for field 3 is not correct';
}
if (!regex4.test(document.frontendValidation.field4.value)) {
err += 1;
msg += '\n Value entered for field 4 is not correct';
}
if (!regex5.test(document.frontendValidation.field5.value)) {
err += 1;
msg += '\n Value entered for field 5 is not correct';
}
if (!regex6.test(document.frontendValidation.field6.value)) {
err += 1;
msg += '\n Value entered for field 6 is not correct';
}
if (!regex7.test(document.frontendValidation.field7.value)) {
err += 1;
msg += '\n Value entered for field 7 is not correct';
}
document.frontendValidation.error.value = err
if (err > 0) {
alert(msg)
return false;
}
return true;
<script>
var regex1=/^[a-z]{3}$/;
var regex2=/^[0-9]{3}$/;
var regex3=/^[a-zA-Z0-9 ]*$/;
var regex4=/^(one|two|three|four|five|six|seven|eight|nine)$/;
var regex5=/^\d{5}$/;
var regex6=/^\d{5}(-\d{4})?$/;
var regex7=/^[2-9]\d{2}-?\d{3}-?\d{4}$/;
var validate = function() {
var msg='JavaScript found form errors';
var err=0;
if (!regex1.test(document.frontendValidation.field1.value)) {err+=1; msg+='\n Value entered for field 1 is not correct';}
if (!regex2.test(document.frontendValidation.field2.value)) {err+=1; msg+='\n Value entered for field 2 is not correct';}
if (!regex3.test(document.frontendValidation.field3.value)) {err+=1; msg+='\n Value entered for field 3 is not correct';}
if (!regex4.test(document.frontendValidation.field4.value)) {err+=1; msg+='\n Value entered for field 4 is not correct';}
if (!regex5.test(document.frontendValidation.field5.value)) {err+=1; msg+='\n Value entered for field 5 is not correct';}
if (!regex6.test(document.frontendValidation.field6.value)) {err+=1; msg+='\n Value entered for field 6 is not correct';}
if (!regex7.test(document.frontendValidation.field7.value)) {err+=1; msg+='\n Value entered for field 7 is not correct';}
document.frontendValidation.error.value = err
if ( err > 0 ) {
alert(msg)
return false;
}
return true;
}
</script>
<br/>
<br/>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</script>
<br/>
<br/>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</div>
</html>
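Review bot: `<div>Disabled input field</div>` in the FieldRestrictions form is a label with no input element after it — the next element is the submit button — so the page announces a field that does not exist, and the `completed` method in the BypassRestrictionsFieldRestrictions section above takes no matching `@RequestParam`. Either add the input together with a server-side check of its submitted value, or drop the label. Which lines are the new side here is inferred from the hunk counts and indentation, not from a marker. Separately, in the rewritten `validate` function `document.frontendValidation.error.value = err` and `alert(msg)` lack the trailing semicolons every other statement in the script uses.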


@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>${revision}</version>
<version>v8.1.0</version>
</parent>


@ -15,7 +15,7 @@ import static org.owasp.webgoat.challenges.SolutionConstants.PASSWORD;
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 2014 Bruce Mayhew
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
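Review bot: `Copyright (c) 2002 - 20014 Bruce Mayhew` has an extra digit and should read `Copyright (c) 2002 - 2014 Bruce Mayhew`, assuming the second of the two printed lines is the new side, which the newly added http-proxies Java files (carrying the same `20014`) suggest. The same typo is in the `@ -9,7 +9,7 @@` hunk further down and in the license headers of both new http-proxies Java files.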


@ -6,6 +6,6 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>${revision}</version>
<version>v8.1.0</version>
</parent>
</project>


@ -6,6 +6,6 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>${revision}</version>
<version>v8.1.0</version>
</parent>
</project>


@ -1,40 +1,35 @@
{
"questions": [
{
"text": "How could an intruder harm the security goal of confidentiality?",
"solutions": {
"1": "By deleting all the databases.",
"2": "By stealing a database where general configuration information for the system is stored.",
"3": "By stealing a database where names and emails are stored and uploading it to a website.",
"4": "Confidentiality can't be harmed by an intruder."
}
},
{
"text": "How could an intruder harm the security goal of integrity?",
"solutions": {
"1": "By changing the names and emails of one or more users stored in a database.",
"2": "By listening to incoming and outgoing network traffic.",
"3": "By bypassing the access control mechanisms used to manage database access.",
"4": "Integrity can only be harmed when the intruder has physical access to the database."
}
},
{
"text": "How could an intruder harm the security goal of availability?",
"solutions": {
"1": "By exploiting a software bug that allows the attacker to bypass the normal authentication mechanisms for a database.",
"2": "By redirecting sensitive emails to other individuals.",
"3": "Availability can only be harmed by unplugging the power supply of the storage devices.",
"4": "By launching a denial of service attack on the servers."
}
},
{
"text": "What happens if at least one of the CIA security goals is harmed?",
"solutions": {
"1": "All three goals must be harmed for the system's security to be compromised; harming just one goal has no effect on the system's security.",
"2": "The system's security is compromised even if only one goal is harmed.",
"3": "It is acceptable if an attacker reads or changes data since at least some of the data is still available. The system's security is compromised only if its availability is harmed.",
"4": "It is acceptable if an attacker changes data or makes it unavailable, but reading sensitive data is not tolerable. The system's security is compromised only if its confidentiality is harmed."
}
"questions": [{
"text": "How could an intruder harm the security goal of confidentiality?",
"solutions": {
"1": "By deleting all the databases.",
"2": "By stealing a database where general configuration information for the system is stored.",
"3": "By stealing a database where names and emails are stored and uploading it to a website.",
"4": "Confidentiality can't be harmed by an intruder."
}
]
}, {
"text": "How could an intruder harm the security goal of integrity?",
"solutions": {
"1": "By changing the names and emails of one or more users stored in a database.",
"2": "By listening to incoming and outgoing network traffic.",
"3": "By bypassing authentication mechanisms that are in place to manage database access.",
"4": "Integrity can only be harmed when the intruder has physical access to the database storage."
}
}, {
"text": "How could an intruder harm the security goal of availability?",
"solutions": {
"1": "By exploiting bugs in the systems software to bypass authentication mechanisms for databases.",
"2": "By redirecting emails with sensitive data to other individuals.",
"3": "Availability can only be harmed by unplugging the power supply of the storage devices.",
"4": "By launching a denial of service attack on the servers."
}
}, {
"text": "What happens if at least one of the CIA security goals is harmed?",
"solutions": {
"1": "A system can be considered safe until all the goals are harmed. Harming one goal has no effect on the systems security.",
"2": "The systems security is compromised even if only one goal is harmed.",
"3": "It's not that bad when an attacker reads or changes data, at least some data is still available, hence only when the goal of availability is harmed the security of the system is compromised.",
"4": "It shouldn't be a problem if an attacker changes data or makes it unavailable, but reading sensitive data is not tolerable. Theres only a problem when confidentiality is harmed."
}
}]
}


@ -1,24 +1,22 @@
== Availability
Availability is "the property of being accessible and usable on demand by an authorized entity." In other words, authorized persons should have access to permitted resources at all times.
Availability is "the property of being accessible and usable on demand by an authorized entity." In other words all the information should be available and accessible for authorized persons whenever it is needed.
{nbsp} +
=== Examples that compromise availability:
** denial-of-service attacks (DOS)
** hardware failures
** fire or other natural disasters
** software or network misconfigurations
** denial-of-service attacks (Dos)
** server crashes
** even fire or natural disasters
{nbsp} +
=== Examples of methods ensuring availability
** intrusion detection systems (IDSs)
** intrusion detection systems
** network traffic control
** firewalls
** physical security of hardware and underlying infrastructure
*** protections against fire, water, and other elements
** physically and geographically isolated location
*** fire- and waterproof
** hardware maintenance
** redundancy


@ -1,25 +1,25 @@
== Confidentiality
Confidentiality is "the property, that information is not made available or disclosed to unauthorized individuals, entities, or processes." In other words, confidentiality requires that unauthorized users should not be able to access sensitive resources. Confidentiality must be balanced with availability; authorized persons must still be able to access the resources they have been granted permissions for.
Confidentiality is "the property, that information is not made available or disclosed to unauthorized individuals, entities, or processes." In other words, confidentiality means to prevent sensitive information from reaching the wrong people, that should not get access to it, while at the same time making sure, that people that are allowed to access it, can get it.
Although confidentiality is similar to "privacy", these two words are not interchangeable. Rather, confidentiality is a component of privacy; confidentiality is implemented to protect resources from unauthorized entities.
While being similar to "privacy", these two words are not interchangeable. Rather, confidentiality is a component of privacy that implements to protect our data from unauthorized viewers.
{nbsp} +
=== Examples that compromise confidentiality:
** a hacker gets access to the password database of a company
** a sensitive emails is sent to the incorrect individual
** a hacker reads sensitive information by intercepting and eavesdropping on an information transfer
** sensitive emails being sent to incorrect individuals
** a hacker reads sensitive information by intercepting and eavesdropping an information transfer
{nbsp} +
=== Examples of methods ensuring confidentiality
** data encryption
** properly implemented authentication and access control
*** securely stored passwords
*** multi-factor authentication (MFA)
** authentication methods
*** passwords
*** two-factor authentication
*** biometric verification
** minimizing the number of places/times the information appears
** physical security controls such as properly secured server rooms
** physical security measurements like protected server rooms etc.


@ -1,6 +1,6 @@
== Integrity
Integrity is "the property of accuracy and completeness." In other words, integrity means maintaining the consistency, accuracy and trustworthiness of data over its entire life cycle. Data must not be changed during transit and unauthorized entities should not be able to alter the data.
Integrity is "the property of accuracy and completeness." In other words, integrity means to maintain the consistency, accuracy and trustworthiness of data over its entire life cycle. Data must not be changed during transit and it must be ensured, that data can not be altered by unauthorized people (per example in a breach of confidentiality).
{nbsp} +
@ -8,7 +8,7 @@ Integrity is "the property of accuracy and completeness." In other words, integr
** human error when entering data
** errors during data transmission
** software bugs and hardware failures
** software bugs, hardware failures
** hackers change information that they should not have access to
{nbsp} +
@ -17,5 +17,4 @@ Integrity is "the property of accuracy and completeness." In other words, integr
** well functioning authentication methods and access control
** checking integrity with hash functions
** backups and redundancy
** auditing and logging
** backups, redundancy


@ -2,6 +2,6 @@
The CIA Triad (confidentiality, integrity, availability) is a model for information security.
The three elements of the triad are considered the most crucial information security components and should be guaranteed in any secure system. +
Serious consequences can result if even one these elements is breached.
If only one of those three elements can be breached it can have serious consequences for the parties concerned.
The CIA Triad was created to provide a baseline standard for evaluating and implementing security regardless of the underlying system and/or organization.
The CIA Triad was created to provide a baseline standard for evaluating and implementing security regardless of the underlying system or/and organization.


@ -1,3 +1,3 @@
Now it's time for a quiz! Answer the following question to check if you understood the topic.
Now it's time for a quiz! Answer the following question to check, if you understood the topic.
Today, most systems are protected by a firewall.A properly configured firewall can prevent malicious entities from accessing a system and helps protect an organization's resources. For this quiz, imagine a system that handles personal data but is not protected by a firewall:
Today every system is protected by a firewall. The firewall keeps intruders locked out of the system and guarantees, that the data handled there is safe. Imagine a system that handles personal data and is not protected by a firewall:


@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>${revision}</version>
<version>v8.1.0</version>
</parent>
</project>


@ -9,7 +9,7 @@ import org.springframework.stereotype.Component;
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 2014 Bruce Mayhew
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the


@ -0,0 +1,34 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<artifactId>http-proxies</artifactId>
<packaging>jar</packaging>
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0-SNAPSHOT</version>
</parent>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<version>4.1.3.RELEASE</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>${junit.version}</version>
<type>jar</type>
<scope>test</scope>
</dependency>
</dependencies>
</project>
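Review bot: The new module's parent is `<version>v8.0.0-SNAPSHOT</version>` while every other lesson pom in this compare points at `<version>v8.1.0</version>`, so this module only builds if a v8.0.0 snapshot of webgoat-lessons-parent is still resolvable; it should read `<version>v8.1.0</version>`. The `spring-security-test` dependency pins `4.1.3.RELEASE` while `spring-boot-starter-test` beside it takes its version from the parent; presumably the parent manages the Spring versions too, in which case the explicit pin will drift from the Boot line in use and should be dropped.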


@ -0,0 +1,58 @@
package org.owasp.webgoat.plugin;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
/**
* *************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
*
* For details, please see http://webgoat.github.io
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
@AssignmentPath("/HttpProxies/intercept-request")
public class HttpBasicsInterceptRequest extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.GET)
public @ResponseBody
AttackResult completed(HttpServletRequest request) throws IOException {
if (request.getHeader("x-request-intercepted").toLowerCase().equals("true") && request.getParameter("changeMe").equals("Requests are tampered easily")) {
return trackProgress(success().feedback("http-proxies.intercept.success").build());
} else {
return trackProgress(failed().feedback("http-proxies.intercept.failure").build());
}
}
}
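Review bot: `request.getHeader("x-request-intercepted").toLowerCase()` and `request.getParameter("changeMe").equals(...)` in `completed` dereference values that are null whenever the header or the parameter is absent, which is exactly the untouched request a learner submits first, so that attempt ends in a NullPointerException instead of the `http-proxies.intercept.failure` feedback. Reverse the comparisons so the literal is the receiver: `if ("true".equalsIgnoreCase(request.getHeader("x-request-intercepted")) && "Requests are tampered easily".equals(request.getParameter("changeMe"))) {`. The endpoint is also mapped at `/HttpProxies/intercept-request` for `RequestMethod.GET` only, while the form in the new HttpProxies lesson HTML below posts to `/WebGoat/HttpBasics/intercept-request`; unless something outside this compare reconciles them, the path segment (HttpBasics vs HttpProxies) and the method (POST vs GET) both differ and the assignment cannot be completed from the page.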


@ -0,0 +1,53 @@
package org.owasp.webgoat.plugin;
import com.beust.jcommander.internal.Lists;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.Lesson;
import java.util.List;
/**
* ************************************************************************************************
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
* <p>
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
* <p>
* Getting Source ==============
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
* <p>
*
* @author WebGoat
* @version $Id: $Id
* @since October 12, 2016
*/
public class HttpProxies extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.GENERAL;
}
@Override
public String getTitle() {
return "http-proxies.title";
}
@Override
public String getId() {
return "HttpProxies";
}
}
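Review bot: `import com.beust.jcommander.internal.Lists;` and `import java.util.List;` are unused in this class, and the first pulls an internal package of a third-party command-line library into the lesson's compile path for nothing; both imports should be removed.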


@ -0,0 +1,50 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro0.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro1.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro2.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro3.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- stripped down without extra comments -->
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntercept.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" name="intercept-request"
method="POST"
action="/WebGoat/HttpBasics/intercept-request">
<input type="text" value="doesn't matter really" name="changeMe" />
<input type="submit" value="Submit" />
</form>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</html>


@ -0,0 +1,4 @@
http-proxies.title=HTTP Proxies
http-proxies.intercept.success=Well done, you tampered the request as expected
http-proxies.intercept.failure=Please try again. Make sure to make all the changes. And case sensitivity may matter ... or not, you never know!


@ -0,0 +1,20 @@
== HTTP Proxy Overview
Many times proxies are used as a way of accessing otherwise blocked content. A user might connect to server A, which relays content from server B
... Because Server B is blocked within the user's network. That's not the use case we will be dealing with here, but the concept is the same.
HTTP Proxies receive requests from a client and relay them. They also typically record them. They act as a man-in-the-middle (keep that in mind if you decide to
use a proxy server to connect to some other system that is otherwise blocked). We won't get into HTTP vs HTTPS just yet, but that's an important topic in
relationship to proxies.
=== Proxy Capabilities
Proxies sit between your client and the server the client is talking to. You can record and analyze the requests & responses. You can also use the proxy to
modify (tamper) the requests and responses. Proxies also have automated or semi-automated functions that allow you to gain efficiency in testing and
analyzing the security of a website.
=== Other Uses for Proxies
ZAP specifically can also be used in the development process in a CI/CD, DevOps or otherwise automated build/test environment. This lesson does
not currently have any details on that, but it is worth mentioning. There are a number of examples on the internet of it being integrated into a
CI/CD with Jenkins, Maven or other build processes.


@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>${revision}</version>
<version>v8.1.0</version>
</parent>
<dependencies>
<dependency>


@ -30,17 +30,11 @@ import org.owasp.webgoat.session.UserSessionData;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.*;
import java.util.function.Predicate;
import java.util.regex.Pattern;
@RestController
@AssignmentHints(value = {"xss-reflected-5a-hint-1", "xss-reflected-5a-hint-2", "xss-reflected-5a-hint-3", "xss-reflected-5a-hint-4"})
public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
public static final Predicate<String> XSS_PATTERN = Pattern.compile(
".*<script>(console\\.log|alert)\\(.*\\);?</script>.*"
, Pattern.CASE_INSENSITIVE).asMatchPredicate();
@Autowired
UserSessionData userSessionData;
@ -51,13 +45,13 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
@RequestParam Integer QTY4, @RequestParam String field1,
@RequestParam String field2) {
if (XSS_PATTERN.test(field2)) {
if (field2.toLowerCase().matches(".*<script>.*(console\\.log\\(.*\\)|alert\\(.*\\));?<\\/script>.*")) {
return failed(this).feedback("xss-reflected-5a-failed-wrong-field").build();
}
double totalSale = QTY1.intValue() * 69.99 + QTY2.intValue() * 27.99 + QTY3.intValue() * 1599.99 + QTY4.intValue() * 299.99;
userSessionData.setValue("xss-reflected1-complete", "false");
userSessionData.setValue("xss-reflected1-complete", (Object) "false");
StringBuffer cart = new StringBuffer();
cart.append("Thank you for shopping at WebGoat. <br />You're support is appreciated<hr />");
cart.append("<p>We have charged credit card:" + field1 + "<br />");
@ -66,10 +60,11 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
//init state
if (userSessionData.getValue("xss-reflected1-complete") == null) {
userSessionData.setValue("xss-reflected1-complete", "false");
userSessionData.setValue("xss-reflected1-complete", (Object) "false");
}
if (XSS_PATTERN.test(field1)) {
if (field1.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) {
//return )
userSessionData.setValue("xss-reflected-5a-complete", "true");
if (field1.toLowerCase().contains("console.log")) {
return success(this).feedback("xss-reflected-5a-success-console").output(cart.toString()).build();
@ -78,7 +73,7 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
}
} else {
userSessionData.setValue("xss-reflected1-complete", "false");
return failed(this)
return success(this)
.feedback("xss-reflected-5a-failure")
.output(cart.toString())
.build();
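Review bot: The branch that emits `xss-reflected-5a-failure` feedback in the last hunk pairs `return failed(this)` with `return success(this)`, and if `success(this)` is the surviving line the assignment is marked solved on an attempt the lesson itself reports as a failure; that line should read `return failed(this)`. Since the first hunk drops the `Predicate`/`Pattern` imports and the shared `XSS_PATTERN` (17 lines down to 11), the inline `matches()` calls are the surviving checks, and they are inconsistent with each other: the field2 regex allows an optional `;` and surrounding text, while the field1 regex requires the whole lowercased value to be exactly the script tag and rejects a trailing `;`, so either add a comment stating the asymmetry is intended or return to one shared pattern. The `(Object) "false"` casts on the `setValue` calls look redundant unless `UserSessionData.setValue` has an overload they disambiguate, which is not visible here. The method these hunks modify starts and ends outside the visible hunks.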


@ -48,8 +48,9 @@
<form class="attack-form" accept-charset="UNKNOWN"
method="GET" name="xss-5a"
action="/WebGoat/CrossSiteScripting/attack5a">
<hr width="90%" />
<center>
<h4>Shopping Cart</h4>
<h1>Shopping Cart</h1>
</center>
<table width="90%" cellspacing="0" cellpadding="2" border="1"
align="center">
@ -91,9 +92,18 @@
</tr>
</tbody>
</table>
<table width="90%" cellspacing="0" cellpadding="2"
<br />
<table width="90%" cellspacing="0" cellpadding="2" border="0"
align="center">
<tbody>
<tr>
<td>The total charged to your credit card:</td>
<td>$0.00</td>
<td><input name="SUBMIT" value="UpdateCart" type="SUBMIT" /></td>
</tr>
<tr>
<td colspan="2">&nbsp;</td>
</tr>
<tr>
<td>Enter your credit card number:</td>
<td><input name="field1" value="4128 3214 0002 1999"
@ -103,9 +113,8 @@
<td>Enter your three digit access code:</td>
<td><input name="field2" value="111" type="TEXT" /></td>
</tr>
<br/>
<tr>
<td colspan="3" align="center"><input name="SUBMIT" class="btn btn-primary"
<td colspan="2" align="center"><input name="SUBMIT"
value="Purchase" type="SUBMIT" /></td>
</tr>
</tbody>


@ -2,10 +2,10 @@
xss.title=Cross Site Scripting
xss-stored.title=Cross Site Scripting (stored)
xss-mitigation.title=Cross Site Scripting (mitigation)
xss-reflected-5a-success-alert=Congratulations, but alerts are not very impressive are they? Let's continue to the next assignment.
xss-reflected-5a-success-console=Congratulations, but console logs are not very impressive are they? Let's continue to the next assignment.
xss-reflected-5a-success-alert=Well done, but alerts are not very impressive are they? Please continue.
xss-reflected-5a-success-console=Well done, but console logs are not very impressive are they? Please continue.
xss-reflected-5a-failed-wrong-field=Seems like you tried to compromise our shop with an reflected XSS attack.<br/> We do our... "best"... to prevent such attacks. Try again!
xss-reflected-5a-failure=Try again. We do want to see a specific JavaScript mentioned in the goal of the assignment (in case you are trying to do something fancier).
xss-reflected-5a-failure=Try again. We do want to see this specific JavaScript (in case you are trying to do something more fancy).
xss-reflected-5a-hint-1=Think about how the inputs are presumably processed by the application.
xss-reflected-5a-hint-2=Quantity inputs are probably processed as integer values. Not the best option for inputting text right?
xss-reflected-5a-hint-3=What information send to the application gets reflected back after being submitted?


@ -1,6 +1,8 @@
== What is XSS?
Cross-Site Scripting (also commonly known as XSS) is a vulnerability/flaw that combines the allowance of html/script tags as input that are rendered into a browser without encoding or sanitization
Cross-Site Scripting (also commonly known as XSS) is a vulnerability/flaw that combines ...
# the allowance of html/script tags as input that are ...
# rendered into a browser without encoding or sanitization
=== Cross-Site Scripting (XSS) is the most prevalent and pernicious web application security issue
@ -9,12 +11,12 @@ coverage of fixes also tends to be a problem. We will talk more about the defens
=== XSS has significant impact
Especially as 'Rich Internet Applications' are more and more commonplace, privileged function calls linked to via JavaScript may be compromised.
Especially as 'Rich Internet Applications' are more and more common place, privileged function calls linked to via JavaScript may be compromised.
And if not properly protected, sensitive data (such as your authentication cookies) can be stolen and used for someone else's purpose.
==== Quick examples:
* From the JavaScript console in the developer tools of the browser (Chrome, Firefox)
* From the JavaScript console in the developer tools of the browser (chrome, Firefox)
+
----
alert("XSS Test");
@ -26,7 +28,7 @@ alert(document.cookie);
<script>alert("XSS Test")</script>
----
== Try It! Using Chrome or Firefox
== Try It! Using Chrome or Firefox
* Open a second tab and use the same url as this page you are currently on (or any url within this instance of WebGoat)
* Then, on that second that open the browser developer tools and open the javascript console. And type: `alert(document.cookie);` .


@ -1,8 +1,8 @@
== Try It! Reflected XSS
== Try It! Reflected XSS
The goal of the assignment is to identify which field is susceptible to XSS.
Identify which field is susceptible to XSS
It is always a good practice to validate all input on the server-side. XSS can occur when unvalidated user input gets used in an HTTP response.
It is always a good practice to validate all input on the server side. XSS can occur when unvalidated user input is used in an HTTP response.
In a reflected XSS attack, an attacker can craft a URL with the attack script and post it to another website, email it, or otherwise get a victim to click on it.
An easy way to find out if a field is vulnerable to an XSS attack is to use the `alert()` or `console.log()` methods. Use one of them to find out which field is vulnerable.
An easy way to find out if a field is vulnerable to an XSS attack is to use the _alert()_ or _console.log()_ methods. Use one of them to find out which field is vulnerable.
