dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: dubey:v2023.2
Branches Tags
dubey:main dubey:nbaars/refactor-plugin-message dubey:nbaars/1873 dubey:nbaars/build dubey:lang-es dubey:gh-1165 dubey:gh-1329 dubey:develop dubey:label-hint-tests dubey:helm-webgoat dubey:helm
dubey:v2025.3 dubey:v2025.2 dubey:v2025.1 dubey:v2025.0 dubey:v2023.8 dubey:v2023.7 dubey:v2023.6 dubey:v2023.5 dubey:v2023.4 dubey:v2023.04 dubey:v2023.3 dubey:v2023.2 dubey:v2023.1 dubey:v2023.0 dubey:v8.2.2 dubey:v8.2.1 dubey:v8.2.0 dubey:vtest10 dubey:vtest9 dubey:vtest8 dubey:vtest7 dubey:vtest6 dubey:vtest5 dubey:vtest4 dubey:vtest3 dubey:vtest2 dubey:vtest1 dubey:vtest dubey:test-v19 dubey:test-v18 dubey:test-v17 dubey:test-v16 dubey:test-v15 dubey:test-v14 dubey:test-v13 dubey:test-v12 dubey:test-v11 dubey:test-v10 dubey:test-v9 dubey:test-v8 dubey:test-v7 dubey:test-v6 dubey:test-v5 dubey:test-v4 dubey:test-v3 dubey:test-v2 dubey:test-v1.0 dubey:v8.1.0 dubey:v8.0.0.M26 dubey:v8.0.0.M25 dubey:v8.0.0.M24 dubey:v8.0.0.M23 dubey:v8.0.0.M22 dubey:v8.0.0.M21 dubey:v8.0.0.M20 dubey:v8.0.0.M19 dubey:v8.0.0.M18 dubey:v8.0.0.M17 dubey:v8.0.0.M16 dubey:v8.0.0 dubey:v8.0.0.M15 dubey:v8.0.0.M14 dubey:v8.0.0.M13 dubey:v8.0.0.M12 dubey:v8.0.0.M11 dubey:v8.0.0.M10 dubey:v8.0.0.M9 dubey:v8.0.0.M8 dubey:8.0.0 dubey:v8.0.0.M7 dubey:v8.0.0.M6 dubey:v8.0.0.M5 dubey:v8.0.0.M4 dubey:v8.0.0.M3 dubey:v8.0.0.M2 dubey:v8.0.0.M1 dubey:7.1 dubey:7.0.1
..
compare: dubey:label-hint-tests
Branches Tags
dubey:main dubey:nbaars/refactor-plugin-message dubey:nbaars/1873 dubey:nbaars/build dubey:lang-es dubey:gh-1165 dubey:gh-1329 dubey:develop dubey:label-hint-tests dubey:helm-webgoat dubey:helm
dubey:v2025.3 dubey:v2025.2 dubey:v2025.1 dubey:v2025.0 dubey:v2023.8 dubey:v2023.7 dubey:v2023.6 dubey:v2023.5 dubey:v2023.4 dubey:v2023.04 dubey:v2023.3 dubey:v2023.2 dubey:v2023.1 dubey:v2023.0 dubey:v8.2.2 dubey:v8.2.1 dubey:v8.2.0 dubey:vtest10 dubey:vtest9 dubey:vtest8 dubey:vtest7 dubey:vtest6 dubey:vtest5 dubey:vtest4 dubey:vtest3 dubey:vtest2 dubey:vtest1 dubey:vtest dubey:test-v19 dubey:test-v18 dubey:test-v17 dubey:test-v16 dubey:test-v15 dubey:test-v14 dubey:test-v13 dubey:test-v12 dubey:test-v11 dubey:test-v10 dubey:test-v9 dubey:test-v8 dubey:test-v7 dubey:test-v6 dubey:test-v5 dubey:test-v4 dubey:test-v3 dubey:test-v2 dubey:test-v1.0 dubey:v8.1.0 dubey:v8.0.0.M26 dubey:v8.0.0.M25 dubey:v8.0.0.M24 dubey:v8.0.0.M23 dubey:v8.0.0.M22 dubey:v8.0.0.M21 dubey:v8.0.0.M20 dubey:v8.0.0.M19 dubey:v8.0.0.M18 dubey:v8.0.0.M17 dubey:v8.0.0.M16 dubey:v8.0.0 dubey:v8.0.0.M15 dubey:v8.0.0.M14 dubey:v8.0.0.M13 dubey:v8.0.0.M12 dubey:v8.0.0.M11 dubey:v8.0.0.M10 dubey:v8.0.0.M9 dubey:v8.0.0.M8 dubey:8.0.0 dubey:v8.0.0.M7 dubey:v8.0.0.M6 dubey:v8.0.0.M5 dubey:v8.0.0.M4 dubey:v8.0.0.M3 dubey:v8.0.0.M2 dubey:v8.0.0.M1 dubey:7.1 dubey:7.0.1

1 Commits
v2023.2 ... label-hint

Author SHA1 Message Date
René Zubcevic
dde1008eb8 label test 2022-07-14 18:31:20 +02:00
701 changed files with 15228 additions and 17495 deletions
Expand all files Collapse all files

2
.github/stale.yml vendored
View File

@ -2,7 +2,7 @@
daysUntilStale: 90 daysUntilStale: 90
daysUntilClose: 14 daysUntilClose: 14
onlyLabels: onlyLabels:
- waiting for input - waiting-for-input
- wontfix - wontfix
staleLabel: stale staleLabel: stale
markComment: > markComment: >

10
.github/workflows/build.yml vendored
View File

@ -3,6 +3,8 @@ on:
pull_request: pull_request:
paths-ignore: paths-ignore:
- '.txt' - '.txt'
- '*.MD'
- '*.md'
- 'LICENSE' - 'LICENSE'
- 'docs/**' - 'docs/**'
push: push:
@ -14,6 +16,8 @@ on:
- '*' - '*'
paths-ignore: paths-ignore:
- '.txt' - '.txt'
- '*.MD'
- '*.md'
- 'LICENSE' - 'LICENSE'
- 'docs/**' - 'docs/**'
@ -38,13 +42,13 @@ jobs:
java-version: 17 java-version: 17
architecture: x64 architecture: x64
- name: Cache Maven packages - name: Cache Maven packages
uses: actions/cache@v3.2.2 uses: actions/cache@v3.0.5
with: with:
path: ~/.m2 path: ~/.m2
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
restore-keys: ${{ runner.os }}-m2- restore-keys: ${{ runner.os }}-m2-
- name: Build with Maven - name: Build with Maven
run: mvn --no-transfer-progress verify run: mvn --no-transfer-progress package
build: build:
if: github.repository == 'WebGoat/WebGoat' && github.event_name == 'push' if: github.repository == 'WebGoat/WebGoat' && github.event_name == 'push'
@ -59,7 +63,7 @@ jobs:
java-version: 17 java-version: 17
architecture: x64 architecture: x64
- name: Cache Maven packages - name: Cache Maven packages
uses: actions/cache@v3.2.2 uses: actions/cache@v3.0.5
with: with:
path: ~/.m2 path: ~/.m2
key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }} key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}

12
.github/workflows/release.yml vendored
View File

@ -17,15 +17,15 @@ jobs:
id: tag id: tag
uses: dawidd6/action-get-tag@v1 uses: dawidd6/action-get-tag@v1
- name: Set up JDK 17 - name: Set up JDK 15
uses: actions/setup-java@v3 uses: actions/setup-java@v3
with: with:
distribution: 'zulu' distribution: 'zulu'
java-version: 17 java-version: 15
architecture: x64 architecture: x64
- name: Cache Maven packages - name: Cache Maven packages
uses: actions/cache@v3.2.2 uses: actions/cache@v3.0.5
with: with:
path: ~/.m2 path: ~/.m2
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
@ -74,7 +74,7 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: "Set up QEMU" - name: "Set up QEMU"
uses: docker/setup-qemu-action@v2.1.0 uses: docker/setup-qemu-action@v2.0.0
with: with:
platforms: all platforms: all
@ -82,13 +82,13 @@ jobs:
uses: docker/setup-buildx-action@v2 uses: docker/setup-buildx-action@v2
- name: "Login to dockerhub" - name: "Login to dockerhub"
uses: docker/login-action@v2.1.0 uses: docker/login-action@v2.0.0
with: with:
username: ${{ secrets.DOCKERHUB_USERNAME }} username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }} password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: "Build and push" - name: "Build and push"
uses: docker/build-push-action@v3.2.0 uses: docker/build-push-action@v3.0.0
with: with:
context: ./ context: ./
file: ./Dockerfile file: ./Dockerfile

68
.github/workflows/test.yml vendored
View File

@ -1,68 +0,0 @@
name: "UI-Test"
on:
pull_request:
paths-ignore:
- '.txt'
- '*.MD'
- '*.md'
- 'LICENSE'
- 'docs/**'
push:
# tags-ignore:
# - '*'
paths-ignore:
- '.txt'
- '*.MD'
- '*.md'
- 'LICENSE'
- 'docs/**'
jobs:
build:
runs-on: ubuntu-latest
# display name of the job
name: "Robot framework test"
steps:
# Uses an default action to checkout the code
- uses: actions/checkout@v3
# Uses an action to add Python to the VM
- name: Setup Pyton
uses: actions/setup-python@v4
with:
python-version: '3.7'
architecture: x64
# Uses an action to add JDK 17 to the VM (and mvn?)
- name: set up JDK 17
uses: actions/setup-java@v3
with:
distribution: 'temurin'
java-version: 17
architecture: x64
#Uses an action to set up a cache using a certain key based on the hash of the dependencies
- name: Cache Maven packages
uses: actions/cache@v3.2.2
with:
path: ~/.m2
key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
restore-keys: ubuntu-latest-m2-
- uses: BSFishy/pip-action@v1
with:
packages: |
robotframework
robotframework-SeleniumLibrary
webdriver-manager
- name: Run with Maven
run: mvn --no-transfer-progress spring-boot:run &
- name: Wait to start
uses: ifaxity/wait-on-action@v1
with:
resource: http://127.0.0.1:8080/WebGoat
- name: Test with Robotframework
run: python3 -m robot --variable HEADLESS:"1" --outputdir robotreport robot/goat.robot
# send report to forks only due to limits on permission tokens
- name: Send report to commit
if: github.repository != 'WebGoat/WebGoat' && github.event_name == 'push'
uses: joonvena/robotframework-reporter-action@v2.1
with:
gh_access_token: ${{ secrets.GITHUB_TOKEN }}
report_path: 'robotreport'

2
.github/workflows/welcome.yml vendored
View File

@ -10,7 +10,7 @@ jobs:
if: github.repository == 'WebGoat/WebGoat' if: github.repository == 'WebGoat/WebGoat'
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/first-interaction@v1.1.1 - uses: actions/first-interaction@v1.1.0
with: with:
repo-token: ${{ secrets.GITHUB_TOKEN }} repo-token: ${{ secrets.GITHUB_TOKEN }}
issue-message: 'Thanks for submitting your first issue, we will have a look as quickly as possible.' issue-message: 'Thanks for submitting your first issue, we will have a look as quickly as possible.'

2
.gitignore vendored
View File

@ -55,5 +55,3 @@ webgoat.script
TestClass.class TestClass.class
**/*.flattened-pom.xml **/*.flattened-pom.xml
/.gitconfig /.gitconfig
webgoat.gitconfig

37
CONTRIBUTING.md
View File

@ -1,5 +1,4 @@
# Contributing # Contributing
[![GitHub contributors](https://img.shields.io/github/contributors/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/graphs/contributors) [![GitHub contributors](https://img.shields.io/github/contributors/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/graphs/contributors)
![GitHub issues by-label "help wanted"](https://img.shields.io/github/issues/WebGoat/WebGoat/help%20wanted.svg) ![GitHub issues by-label "help wanted"](https://img.shields.io/github/issues/WebGoat/WebGoat/help%20wanted.svg)
![GitHub issues by-label "good first issue"](https://img.shields.io/github/issues/WebGoat/WebGoat/good%20first%20issue.svg) ![GitHub issues by-label "good first issue"](https://img.shields.io/github/issues/WebGoat/WebGoat/good%20first%20issue.svg)
@ -25,7 +24,7 @@ There are a couple of ways on how you can contribute to the project:
Your PR is valuable to us, and to make sure we can integrate it smoothly, we have a few items for you to consider. In short: Your PR is valuable to us, and to make sure we can integrate it smoothly, we have a few items for you to consider. In short:
The minimum requirements for code contributions are: The minimum requirements for code contributions are:
1. The code _must_ be compliant with the configured Java Google Formatter, Checkstyle and PMD rules. 1. The code _must_ be compliant with the configured Checkstyle and PMD rules.
2. All new and changed code _should_ have a corresponding unit and/or integration test. 2. All new and changed code _should_ have a corresponding unit and/or integration test.
3. New and changed lessons _must_ have a corresponding integration test. 3. New and changed lessons _must_ have a corresponding integration test.
4. [Status checks](https://docs.github.com/en/github/collaborating-with-pull-requests/collaborating-on-repositories-with-code-quality-features/about-status-checks) should pass for your last commit. 4. [Status checks](https://docs.github.com/en/github/collaborating-with-pull-requests/collaborating-on-repositories-with-code-quality-features/about-status-checks) should pass for your last commit.
@ -39,13 +38,14 @@ Pull requests should be as small/atomic as possible. Large, wide-sweeping change
* If you are making spelling corrections in the docs, don't modify other files. * If you are making spelling corrections in the docs, don't modify other files.
* If you are adding new functions don't '*cleanup*' unrelated functions. That cleanup belongs in another pull request. * If you are adding new functions don't '*cleanup*' unrelated functions. That cleanup belongs in another pull request.
### Write a good commit message ### Write a good commit message
* Explain why you make the changes. [More infos about a good commit message.](https://betterprogramming.pub/stop-writing-bad-commit-messages-8df79517177d) * Explain why you make the changes. [More infos about a good commit message.](https://betterprogramming.pub/stop-writing-bad-commit-messages-8df79517177d)
* If you fix an issue with your commit, please close the issue by [adding one of the keywords and the issue number](https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue) to your commit message. * If you fix an issue with your commit, please close the issue by [adding one of the keywords and the issue number](https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue) to your commit message.
For example: `Fix #545` or `Closes #10` For example: `Fix #545` or `Closes #10`
## How to set up your Contributor Environment ## How to set up your Contributor Environment
@ -54,34 +54,27 @@ For example: `Fix #545` or `Closes #10`
3. Clone your own repository to your host computer so that you can make modifications. If you followed the GitHub tutorial from step 2, you have already done this. 3. Clone your own repository to your host computer so that you can make modifications. If you followed the GitHub tutorial from step 2, you have already done this.
4. Go to the newly cloned directory "WebGoat" and add the remote upstream repository: 4. Go to the newly cloned directory "WebGoat" and add the remote upstream repository:
```bash ```bash
$ git remote -v $ git remote -v
origin git@github.com:<your Github handle>/WebGoat.git (fetch) origin git@github.com:<your Github handle>/WebGoat.git (fetch)
origin git@github.com:<your Github handle>/WebGoat.git (push) origin git@github.com:<your Github handle>/WebGoat.git (push)
$ git remote add upstream git@github.com:WebGoat/WebGoat.git $ git remote add upstream git@github.com:WebGoat/WebGoat.git
$ git remote -v $ git remote -v
origin git@github.com:<your Github handle>/WebGoat.git (fetch) origin git@github.com:<your Github handle>/WebGoat.git (fetch)
origin git@github.com:<your Github handle>/WebGoat.git (push) origin git@github.com:<your Github handle>/WebGoat.git (push)
upstream git@github.com:OWASP/WebGoat.git (fetch) upstream git@github.com:OWASP/WebGoat.git (fetch)
upstream git@github.com:OWASP/WebGoat.git (push) upstream git@github.com:OWASP/WebGoat.git (push)
``` ```
See also the GitHub documentation on "[Configuring a remote for a fork](https://docs.github.com/en/free-pro-team@latest/github/collaborating-with-issues-and-pull-requests/configuring-a-remote-for-a-fork "Configuring a remote for a fork")".
See also the GitHub documentation on "[Configuring a remote for a fork](https://docs.github.com/en/free-pro-team@latest/github/collaborating-with-issues-and-pull-requests/configuring-a-remote-for-a-fork "Configuring a remote for a fork")".
5. Choose what to work on, based on any of the outstanding [issues](https://github.com/WebGoat/WebGoat/issues "WebGoat Issues"). 5. Choose what to work on, based on any of the outstanding [issues](https://github.com/WebGoat/WebGoat/issues "WebGoat Issues").
6. Create a branch so that you can cleanly work on the chosen issue: `git checkout -b FixingIssue66` 6. Create a branch so that you can cleanly work on the chosen issue: `git checkout -b FixingIssue66`
7. Open your favorite editor and start making modifications. We recommend using the [IntelliJ Idea](https://www.jetbrains.com/idea/). 7. Open your favorite editor and start making modifications. We recommend using the [IntelliJ Idea](https://www.jetbrains.com/idea/).
8. After your modifications are done, push them to your forked repository. This can be done by executing the command `git add MYFILE` for every file you have modified, followed by `git commit -m 'your commit message here'` to commit the modifications and `git push` to push your modifications to GitHub. 8. After your modifications are done, push them to your forked repository. This can be done by executing the command `git add MYFILE` for every file you have modified, followed by `git commit -m 'your commit message here'` to commit the modifications and `git push` to push your modifications to GitHub.
9. Create a Pull Request (PR) by going to your fork, <https://github.com/Your_Github_Handle/WebGoat> and click on the "New Pull Request" button. The target branch should typically be the Master branch. When submitting a PR, be sure to follow the checklist that is provided in the PR template. The checklist itself will be filled out by the reviewer. 9. Create a Pull Request (PR) by going to your fork, <https://github.com/Your_Github_Handle/WebGoat> and click on the "New Pull Request" button. The target branch should typically be the Master branch. When submitting a PR, be sure to follow the checklist that is provided in the PR template. The checklist itself will be filled out by the reviewer.
10. Your PR will be reviewed and comments may be given. In order to process a comment, simply make modifications to the same branch as before and push them to your repository. GitHub will automatically detect these changes and add them to your existing PR. 10. Your PR will be reviewed and comments may be given. In order to process a comment, simply make modifications to the same branch as before and push them to your repository. GitHub will automatically detect these changes and add them to your existing PR.
11. When starting on a new PR in the future, make sure to always keep your local repo up to date: 11. When starting on a new PR in the future, make sure to always keep your local repo up to date:
```bash ```bash

8
CREATE_RELEASE.md
View File

@ -1,13 +1,13 @@
## Release WebGoat ## Release WebGoat
### Version numbers ### Version numbers
For WebGoat we use milestone releases first before we release the official version, we use `v8.0.0.M3` while tagging For WebGoat we use milestone releases first before we release the official version, we use `v8.0.0.M3` while tagging
and 8.0.0.M3 in the `pom.xml`. When we create the final release we remove the milestone release and use and 8.0.0.M3 in the `pom.xml`. When we create the final release we remove the milestone release and use
`v8.0.0` in the `pom.xml` `v8.0.0` in the `pom.xml`
### Release notes: ### Release notes:
Update the release notes with the correct version. Use `git shortlog -s -n --since "SEP 31 2019"` for the list of Update the release notes with the correct version. Use `git shortlog -s -n --since "SEP 31 2019"` for the list of
committers. committers.
@ -30,3 +30,5 @@ git push --tags
Now Travis takes over and will create the release in Github and on Docker Hub. Now Travis takes over and will create the release in Github and on Docker Hub.
NOTE: the `mvn versions:set` command above is just there to make sure the master branch contains the latest version NOTE: the `mvn versions:set` command above is just there to make sure the master branch contains the latest version

2
Dockerfile
View File

@ -1,4 +1,4 @@
FROM docker.io/eclipse-temurin:17-jre-focal FROM docker.io/eclipse-temurin:17-jdk-focal
RUN useradd -ms /bin/bash webgoat RUN useradd -ms /bin/bash webgoat
RUN chgrp -R 0 /home/webgoat RUN chgrp -R 0 /home/webgoat

32
README.md
View File

@ -38,31 +38,19 @@ Every release is also published on [DockerHub](https://hub.docker.com/r/webgoat/
The easiest way to start WebGoat as a Docker container is to use the all-in-one docker container. This is a docker image that has WebGoat and WebWolf running inside. The easiest way to start WebGoat as a Docker container is to use the all-in-one docker container. This is a docker image that has WebGoat and WebWolf running inside.
```shell ```shell
docker run -it -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amsterdam webgoat/webgoat docker run -it -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amsterdam webgoat/webgoat
``` ```
If you want to reuse the container, give it a name:
```shell
docker run --name webgoat -it -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amsterdam webgoat/webgoat
```
As long as you don't remove the container you can use:
```shell
docker start webgoat
```
This way, you can start where you left off. If you remove the container, you need to use `docker run` again.
**Important**: *Choose the correct timezone, so that the docker container and your host are in the same timezone. As it is important for the validity of JWT tokens used in certain exercises.* **Important**: *Choose the correct timezone, so that the docker container and your host are in the same timezone. As it is important for the validity of JWT tokens used in certain exercises.*
## 2. Standalone ## 2. Standalone
Download the latest WebGoat release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases) Download the latest WebGoat and WebWolf release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
```shell ```shell
java -Dfile.encoding=UTF-8 -Dwebgoat.port=8080 -Dwebwolf.port=9090 -jar webgoat-2023.2.jar java -Dfile.encoding=UTF-8 -jar webgoat-8.2.3.jar
``` ```
Click the link in the log to start WebGoat. Click the link in the log to start WebGoat.
@ -105,12 +93,10 @@ Now we are ready to run the project. WebGoat 8.x is using Spring-Boot.
./mvnw.cmd spring-boot:run ./mvnw.cmd spring-boot:run
``` ```
... you should be running WebGoat on localhost:8080/WebGoat momentarily
... you should be running WebGoat on http://localhost:8080/WebGoat momentarily.
Note: The above link will redirect you to login page if you are not logged in. LogIn/Create account to proceed. To change the IP address add the following variable to the `WebGoat/webgoat-container/src/main/resources/application.properties file`:
To change the IP address add the following variable to the `WebGoat/webgoat-container/src/main/resources/application.properties` file:
``` ```
server.address=x.x.x.x server.address=x.x.x.x
@ -121,16 +107,12 @@ server.address=x.x.x.x
For specialist only. There is a way to set up WebGoat with a personalized menu. You can leave out some menu categories or individual lessons by setting certain environment variables. For specialist only. There is a way to set up WebGoat with a personalized menu. You can leave out some menu categories or individual lessons by setting certain environment variables.
For instance running as a jar on a Linux/macOS it will look like this: For instance running as a jar on a Linux/macOS it will look like this:
```Shell ```Shell
export EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE" export EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE"
export EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations" export EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations"
java -jar target/webgoat-2023.2-SNAPSHOT.jar java -jar target/webgoat-8.2.3-SNAPSHOT.jar
```
Or in a docker run it would (once this version is pushed into docker hub) look like this: Or in a docker run it would (once this version is pushed into docker hub) look like this:
```Shell ```Shell
docker run -d -p 8080:8080 -p 9090:9090 -e TZ=Europe/Amsterdam -e EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE" -e EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations" webgoat/webgoat docker run -d -p 8080:8080 -p 9090:9090 -e TZ=Europe/Amsterdam -e EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE" -e EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations" webgoat/webgoat
``` ```

34
README_I18N.md
View File

@ -1,34 +0,0 @@
# Multi language support in WebGoat
WebGoat is mainly written in English, but it does support multiple languages.
## Default language selection
1. Current supported languages are: en, fr, de, nl
2. The primary language is based on the language setting of the browser.
3. If the language is not in the list of supported language, the language is English
4. Once logged in, you can switch between the supported languages using a language dropdown menu on the main page
1. After switching a language you are back at the Introduction page
## Adding a new language
The following steps are required when you want to add a new language
1. Update [main_new.html](src/main/resources/webgoat/static/main_new.html)
1. Add the parts for showing the flag and providing the correct value for the flag= parameter
2.
3. Add a flag image to src/main/resources/webgoat/static/css/img
1. See the main_new.html for a link to download flag resources
4. Add a welcome page to the introduction lesson
1. Copy Introduction_.adoc to Introduction_es.adoc (if in this case you want to add Spanish)
2. Add a highlighted section that explains that most parts of WebGoat will still be in English and invite people to translate parts where it would be valuable
5. Translate the main labels
1. Copy messages.properties to messages_es.properties (if in this case you want to add Spanish)
2. Translate the label values
6. Optionally translate lessons by
1. Adding lang specifc adoc files in documentation folder of the lesson
2. Adding WebGoatLabels.properties of a specific language if you want to
7. Run mvn clean to see if the LabelAndHintIntegration test passes
8. Run WebGoat and verify that your own language and the other languages work as expected
If you only want to translate more for a certain language, you only need to do step 4-8

57
RELEASE_NOTES.md
View File

@ -1,19 +1,14 @@
# WebGoat release notes # WebGoat release notes
## Version 2023.2 ## Unreleased
With great pleasure, we present you with a new release of WebGoat **2023.2**. Finally, it has been a while. This year starts with a new release of WebGoat. This year we will undoubtedly release more often. From this release on, we began to use a new versioning scheme (https://calver.org/#scheme).
A big thanks to René Zubcevic and Àngel Ollé Blázquez for keeping the project alive this last year, and hopefully, we can make
many more releases this year.
### New functionality ### New functionality
- New year's resolution(2022): major refactoring of WebGoat to simplify the setup and improve building times. - New year's resolution: major refactoring of WebGoat to simplify the setup and improve building times.
- Move away from multi-project setup: - Move away from multi-project setup:
* This has a huge performance benefit when building the application. Build time locally is now `Total time: 42.469 s` (depends on your local machine of course) - This has a huge performance benefit when building the application. Build time locally is now `Total time: 42.469 s` (depends on your local machine of course)
* No longer add Maven dependencies in several places - No longer add Maven dependencies in several places
* H2 no longer needs to run as separate process, which solves the issue of WebWolf sharing and needing to configure the correct database connection. - H2 no longer needs to run as separate process, which solves the issue of WebWolf sharing and needing to configure the correct database connection.
- More explicit paths in html files to reference `adoc` files, less magic. - More explicit paths in html files to reference `adoc` files, less magic.
- Integrate WebWolf in WebGoat, the setup was way too complicated and needed configuration which could lead to mistakes and a not working application. This also simplifies the Docker configuration as there is only 1 Docker image. - Integrate WebWolf in WebGoat, the setup was way too complicated and needed configuration which could lead to mistakes and a not working application. This also simplifies the Docker configuration as there is only 1 Docker image.
- Add WebWolf button in WebGoat - Add WebWolf button in WebGoat
@ -24,29 +19,6 @@ many more releases this year.
- Maven build now start WebGoat jar with Maven plugin to make sure we run against the latest build. - Maven build now start WebGoat jar with Maven plugin to make sure we run against the latest build.
- Added `Initializable` interface for a lesson, an assignment can implement this interface to set it up for a specific user and to reset the assignment back to its original state when a reset lesson occurs. See `BlindSendFileAssignment` for an example. - Added `Initializable` interface for a lesson, an assignment can implement this interface to set it up for a specific user and to reset the assignment back to its original state when a reset lesson occurs. See `BlindSendFileAssignment` for an example.
- Integration tests now use the same user. This saves a lot of time as before every test used a different user which triggered the Flyway migration to set up the database schema for the user. This migration took a lot of time. - Integration tests now use the same user. This saves a lot of time as before every test used a different user which triggered the Flyway migration to set up the database schema for the user. This migration took a lot of time.
- Updated introduction lesson to WebWolf.
- Added language switch for support for multiple languages.
- Removed logic to start WebGoat on a random port when port `8080` is taken. We would loop until we found a free port. We simplified this to just start on the specified port.
- Add Google formatter for all our code, a PR now checks whether the code adheres to the standard.
- Renaming of all packages and folders.
- [#1039 New OWASP Top 10](https://github.com/WebGoat/WebGoat/issues/1093)
- [#1065 New lesson about logging](https://github.com/WebGoat/WebGoat/issues/1065)
### Bug fixes
- [#1193 Vulnerable component lesson - java.desktop does not "opens java.beans" to unnamed module](https://github.com/WebGoat/WebGoat/issues/1193)
- [#1176 Minor: XXE lesson 12 patch not reset by 'lesson reset' while it IS reset by leaving/returning to lesson](https://github.com/WebGoat/WebGoat/issues/1176)
- [#1134 "Exploiting XStream" assignment does not work](https://github.com/WebGoat/WebGoat/issues/1134)
- [#1130 Typo: Using Indrect References](https://github.com/WebGoat/WebGoat/issues/1130)
- [#1101 SQL lesson not correct](https://github.com/WebGoat/WebGoat/issues/1101)
- [#1079 startup.sh issues of WebWolf - cannot connect to the WebGoat DB](https://github.com/WebGoat/WebGoat/issues/1079)
- [#1379 Move XXE to A05:2021-_Security_ Misconfiguration](https://github.com/WebGoat/WebGoat/issues/1379)
- [#1298 SocketUtils is deprecated and will be removed in Spring Security 6](https://github.com/WebGoat/WebGoat/issues/1298)
- [#1248 Rewrite the WebWolf Introduction Lesson with the new changes](https://github.com/WebGoat/WebGoat/issues/1248)
- [#1200 Type cast error in sample code at JWT token section](https://github.com/WebGoat/WebGoat/issues/1200)
- [#1173 --server.port=9000 is not respected on Windows (both cmd as Powershell)](https://github.com/WebGoat/WebGoat/issues/1173)
- [#1103 (A1) path traversel lesson 7 seems broken](https://github.com/WebGoat/WebGoat/issues/1103)
- [#986 - User registration not persistant](https://github.com/WebGoat/WebGoat/issues/986)
## Version 8.2.2 ## Version 8.2.2
@ -60,12 +32,14 @@ many more releases this year.
- [#1031 SQL Injection (intro) 5: Data Control Language (DCL) the wiki's solution is not correct](https://github.com/WebGoat/WebGoat/issues/1031) - [#1031 SQL Injection (intro) 5: Data Control Language (DCL) the wiki's solution is not correct](https://github.com/WebGoat/WebGoat/issues/1031)
- [#1027 Webgoat 8.2.1 Vulnerable_Components_12 Shows internal server error](https://github.com/WebGoat/WebGoat/issues/1027) - [#1027 Webgoat 8.2.1 Vulnerable_Components_12 Shows internal server error](https://github.com/WebGoat/WebGoat/issues/1027)
## Version 8.2.1 ## Version 8.2.1
### New functionality ### New functionality
- New Docker image for arm64 architecture is now available (for Apple M1) - New Docker image for arm64 architecture is now available (for Apple M1)
## Version 8.2.0 ## Version 8.2.0
### New functionality ### New functionality
@ -104,6 +78,7 @@ Special thanks to the following contributors providing us with a pull request:
- NatasG - NatasG
- gabe-sky - gabe-sky
## Version 8.1.0 ## Version 8.1.0
### New functionality ### New functionality
@ -124,13 +99,13 @@ Special thanks to the following contributors providing us with a pull request:
- [#766 - Unclear objective of vulnerable components practical assignment](https://github.com/WebGoat/WebGoat/issues/766) - [#766 - Unclear objective of vulnerable components practical assignment](https://github.com/WebGoat/WebGoat/issues/766)
- [#708 - Seems like the home directory of WebGoat always use @project.version@](https://github.com/WebGoat/WebGoat/issues/708) - [#708 - Seems like the home directory of WebGoat always use @project.version@](https://github.com/WebGoat/WebGoat/issues/708)
- [#719 - WebGoat: 'Contact Us' email link in header is not correctly set](https://github.com/WebGoat/WebGoat/issues/719) - [#719 - WebGoat: 'Contact Us' email link in header is not correctly set](https://github.com/WebGoat/WebGoat/issues/719)
- [#715 - Reset lesson doesn't reset the "HTML lesson" => forms stay succesful](https://github.com/WebGoat/WebGoat/issues/715) - [#715 - Reset lesson doesn't reset the "HTML lesson" => forms stay succesful](https://github.com/WebGoat/WebGoat/issues/715)
- [#725 - Vulnerable Components lesson 12 broken due to too new dependency](https://github.com/WebGoat/WebGoat/issues/725) - [#725 - Vulnerable Components lesson 12 broken due to too new dependency](https://github.com/WebGoat/WebGoat/issues/725)
- [#716 - On M26 @project.version@ is not "interpreted" #7](https://github.com/WebGoat/WebGoat/issues/716) - [#716 - On M26 @project.version@ is not "interpreted" #7](https://github.com/WebGoat/WebGoat/issues/716)
- [#721 couldn't be able to run CSRF lesson 3: Receive Whitelabel Error Page](https://github.com/WebGoat/WebGoat/issues/721) - [#721 couldn't be able to run CSRF lesson 3: Receive Whitelabel Error Page](https://github.com/WebGoat/WebGoat/issues/721)
- [#724 - Dead link in VulnerableComponents lesson 11](https://github.com/WebGoat/WebGoat/issues/724) - [#724 - Dead link in VulnerableComponents lesson 11](https://github.com/WebGoat/WebGoat/issues/724)
## Contributors ## Contributors
Special thanks to the following contributors providing us with a pull request: Special thanks to the following contributors providing us with a pull request:
@ -146,5 +121,9 @@ Special thanks to the following contributors providing us with a pull request:
And everyone who provided feedback through Github. And everyone who provided feedback through Github.
Team WebGoat Team WebGoat

1
docs/README.md
View File

@ -2,3 +2,4 @@
Old GitHub page which now redirects to OWASP website. Old GitHub page which now redirects to OWASP website.

1384
pom.xml
View File

File diff suppressed because it is too large Load Diff

19
robot/README.md
View File

@ -1,19 +0,0 @@
# Install and use Robotframework
## Install Chromedriver on Mac OS
brew install cask chromedriver
chromedriver --version
Then see security settings and allow the file to run
## Install
pip3 install virtualenv --user
python3 -m virtualenv .venv
source .venv/bin/activate
pip install robotframework
pip install robotframework-SeleniumLibrary
pip install webdriver-manager
robot --variable HEADLESS:"0" --variable ENDPOINT:"http://127.0.0.1:8080/WebGoat" goat.robot

101
robot/goat.robot
View File

@ -1,101 +0,0 @@
*** Settings ***
Documentation Setup WebGoat Robotframework tests
Library SeleniumLibrary timeout=100 run_on_failure=Capture Page Screenshot
Library String
Suite Setup Initial_Page ${ENDPOINT} ${BROWSER}
Suite Teardown Close_Page
*** Variables ***
${BROWSER} chrome
${SLEEP} 100
${DELAY} 0.25
${ENDPOINT} http://127.0.0.1:8080/WebGoat
${ENDPOINT_WOLF} http://127.0.0.1:9090
${USERNAME} robotuser
${PASSWORD} password
${HEADLESS} ${FALSE}
*** Keywords ***
Initial_Page
[Documentation] Check the inital page
[Arguments] ${ENDPOINT} ${BROWSER}
Log To Console Start WebGoat UI Testing
IF ${HEADLESS}
Open Browser ${ENDPOINT} ${BROWSER} options=add_argument("-headless");add_argument("--start-maximized");add_experimental_option('prefs', {'intl.accept_languages': 'en,en_US'}) alias=webgoat
ELSE
Open Browser ${ENDPOINT} ${BROWSER} options=add_experimental_option('prefs', {'intl.accept_languages': 'en,en_US'}) alias=webgoat
END
IF ${HEADLESS}
Open Browser ${ENDPOINT_WOLF}/WebWolf ${BROWSER} options=add_argument("-headless");add_argument("--start-maximized");add_experimental_option('prefs', {'intl.accept_languages': 'en,en_US'}) alias=webwolf
ELSE
Open Browser ${ENDPOINT_WOLF}/WebWolf ${BROWSER} options=add_experimental_option('prefs', {'intl.accept_languages': 'en,en_US'}) alias=webwolf
END
Switch Browser webgoat
Maximize Browser Window
Set Window Size ${1400} ${1000}
Switch Browser webwolf
Maximize Browser Window
Set Window Size ${1400} ${1000}
Set Window Position ${400} ${200}
Set Selenium Speed ${DELAY}
Close_Page
[Documentation] Closing the browser
Log To Console ==> Stop WebGoat UI Testing
IF ${HEADLESS}
Switch Browser webgoat
Close Browser
Switch Browser webwolf
Close Browser
END
*** Test Cases ***
Check_Initial_Page
Switch Browser webgoat
Page Should Contain Username
Click Button Sign in
Page Should Contain Invalid username
Click Link /WebGoat/registration
Check_Registration_Page
Page Should Contain Username
Input Text username ${USERNAME}
Input Text password ${PASSWORD}
Input Text matchingPassword ${PASSWORD}
Click Element agree
Click Button Sign up
Check_Welcome_Page
Page Should Contain WebGoat
Go To ${ENDPOINT}/login
Page Should Contain Username
Input Text username ${USERNAME}
Input Text password ${PASSWORD}
Click Button Sign in
Page Should Contain WebGoat
Check_Menu_Page
Click Element css=a[category='Introduction']
Click Element Introduction-WebGoat
CLick Element Introduction-WebWolf
Click Element css=a[category='General']
CLick Element General-HTTPBasics
Click Element xpath=//*[.='2']
Input Text person ${USERNAME}
Click Button Go!
${OUT_VALUE} Get Text xpath=//div[contains(@class, 'attack-feedback')]
${OUT_RESULT} Evaluate "resutobor" in """${OUT_VALUE}"""
IF not ${OUT_RESULT}
Fail "not ok"
END
Check_WebWolf
Switch Browser webwolf
location should be ${ENDPOINT_WOLF}/WebWolf
Go To ${ENDPOINT_WOLF}/mail
Input Text username ${USERNAME}
Input Text password ${PASSWORD}
Click Button Sign In

342
src/it/java/org/owasp/webgoat/GeneralLessonIntegrationTest.java
View File

@ -2,209 +2,185 @@ package org.owasp.webgoat;
import io.restassured.RestAssured; import io.restassured.RestAssured;
import io.restassured.http.ContentType; import io.restassured.http.ContentType;
import java.util.HashMap;
import java.util.Map;
import org.hamcrest.CoreMatchers; import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert; import org.hamcrest.MatcherAssert;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
import org.springframework.util.StringUtils;
import java.util.HashMap;
import java.util.Map;
public class GeneralLessonIntegrationTest extends IntegrationTest { public class GeneralLessonIntegrationTest extends IntegrationTest {
@Test @Test
public void httpBasics() { public void httpBasics() {
startLesson("HttpBasics"); startLesson("HttpBasics");
Map<String, Object> params = new HashMap<>(); Map<String, Object> params = new HashMap<>();
params.clear(); params.clear();
params.put("person", "goatuser"); params.put("person", "goatuser");
checkAssignment(url("HttpBasics/attack1"), params, true); checkAssignment(url("HttpBasics/attack1"), params, true);
params.clear(); params.clear();
params.put("answer", "POST"); params.put("answer", "POST");
params.put("magic_answer", "33"); params.put("magic_answer", "33");
params.put("magic_num", "4"); params.put("magic_num", "4");
checkAssignment(url("HttpBasics/attack2"), params, false); checkAssignment(url("HttpBasics/attack2"), params, false);
params.clear(); params.clear();
params.put("answer", "POST"); params.put("answer", "POST");
params.put("magic_answer", "33"); params.put("magic_answer", "33");
params.put("magic_num", "33"); params.put("magic_num", "33");
checkAssignment(url("HttpBasics/attack2"), params, true); checkAssignment(url("HttpBasics/attack2"), params, true);
checkResults("/HttpBasics/"); checkResults("/HttpBasics/");
}
@Test
public void httpProxies() {
startLesson("HttpProxies");
MatcherAssert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.header("x-request-intercepted", "true")
.contentType(ContentType.JSON)
.get(url("HttpProxies/intercept-request?changeMe=Requests are tampered easily"))
.then()
.statusCode(200)
.extract()
.path("lessonCompleted"),
CoreMatchers.is(true));
checkResults("/HttpProxies/");
}
@Test
public void cia() {
startLesson("CIA");
Map<String, Object> params = new HashMap<>();
params.clear();
params.put(
"question_0_solution",
"Solution 3: By stealing a database where names and emails are stored and uploading it to a website.");
params.put(
"question_1_solution",
"Solution 1: By changing the names and emails of one or more users stored in a database.");
params.put(
"question_2_solution",
"Solution 4: By launching a denial of service attack on the servers.");
params.put(
"question_3_solution",
"Solution 2: The systems security is compromised even if only one goal is harmed.");
checkAssignment(url("/WebGoat/cia/quiz"), params, true);
checkResults("/cia/");
}
@Test
public void vulnerableComponents() {
if (StringUtils.hasText(System.getProperty("running.in.docker"))) {
String solution =
"<contact class='dynamic-proxy'>\n"
+ "<interface>org.owasp.webgoat.lessons.vulnerablecomponents.Contact</interface>\n"
+ " <handler class='java.beans.EventHandler'>\n"
+ " <target class='java.lang.ProcessBuilder'>\n"
+ " <command>\n"
+ " <string>calc.exe</string>\n"
+ " </command>\n"
+ " </target>\n"
+ " <action>start</action>\n"
+ " </handler>\n"
+ "</contact>";
startLesson("VulnerableComponents");
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("payload", solution);
checkAssignment(url("/WebGoat/VulnerableComponents/attack1"), params, true);
checkResults("/VulnerableComponents/");
} }
}
@Test @Test
public void insecureLogin() { public void httpProxies() {
startLesson("InsecureLogin"); startLesson("HttpProxies");
Map<String, Object> params = new HashMap<>(); MatcherAssert.assertThat(RestAssured.given()
params.clear(); .when().relaxedHTTPSValidation().cookie("JSESSIONID", getWebGoatCookie()).header("x-request-intercepted", "true")
params.put("username", "CaptainJack"); .contentType(ContentType.JSON)
params.put("password", "BlackPearl"); .get(url("HttpProxies/intercept-request?changeMe=Requests are tampered easily"))
checkAssignment(url("/WebGoat/InsecureLogin/task"), params, true); .then()
checkResults("/InsecureLogin/"); .statusCode(200).extract().path("lessonCompleted"), CoreMatchers.is(true));
}
@Test checkResults("/HttpProxies/");
public void securePasswords() { }
startLesson("SecurePasswords");
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("password", "ajnaeliclm^&&@kjn.");
checkAssignment(url("/WebGoat/SecurePasswords/assignment"), params, true);
checkResults("SecurePasswords/");
startLesson("AuthBypass"); @Test
params.clear(); public void cia() {
params.put("secQuestion2", "John"); startLesson("CIA");
params.put("secQuestion3", "Main"); Map<String, Object> params = new HashMap<>();
params.put("jsEnabled", "1"); params.clear();
params.put("verifyMethod", "SEC_QUESTIONS"); params.put("question_0_solution", "Solution 3: By stealing a database where names and emails are stored and uploading it to a website.");
params.put("userId", "12309746"); params.put("question_1_solution", "Solution 1: By changing the names and emails of one or more users stored in a database.");
checkAssignment(url("/WebGoat/auth-bypass/verify-account"), params, true); params.put("question_2_solution", "Solution 4: By launching a denial of service attack on the servers.");
checkResults("/auth-bypass/"); params.put("question_3_solution", "Solution 2: The systems security is compromised even if only one goal is harmed.");
checkAssignment(url("/WebGoat/cia/quiz"), params, true);
checkResults("/cia/");
startLesson("HttpProxies"); }
MatcherAssert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.header("x-request-intercepted", "true")
.contentType(ContentType.JSON)
.get(
url("/WebGoat/HttpProxies/intercept-request?changeMe=Requests are tampered easily"))
.then()
.statusCode(200)
.extract()
.path("lessonCompleted"),
CoreMatchers.is(true));
checkResults("/HttpProxies/");
}
@Test @Test
public void chrome() { public void vulnerableComponents() {
startLesson("ChromeDevTools"); String solution = "<contact class='dynamic-proxy'>\n" +
"<interface>org.owasp.webgoat.lessons.vulnerable_components.Contact</interface>\n" +
" <handler class='java.beans.EventHandler'>\n" +
" <target class='java.lang.ProcessBuilder'>\n" +
" <command>\n" +
" <string>calc.exe</string>\n" +
" </command>\n" +
" </target>\n" +
" <action>start</action>\n" +
" </handler>\n" +
"</contact>";
startLesson("VulnerableComponents");
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("payload", solution);
checkAssignment(url("/WebGoat/VulnerableComponents/attack1"), params, true);
checkResults("/VulnerableComponents/");
}
Map<String, Object> params = new HashMap<>(); @Test
params.clear(); public void insecureLogin() {
params.put("param1", "42"); startLesson("InsecureLogin");
params.put("param2", "24"); Map<String, Object> params = new HashMap<>();
params.clear();
params.put("username", "CaptainJack");
params.put("password", "BlackPearl");
checkAssignment(url("/WebGoat/InsecureLogin/task"), params, true);
checkResults("/InsecureLogin/");
}
String result = @Test
RestAssured.given() public void securePasswords() {
.when() startLesson("SecurePasswords");
.relaxedHTTPSValidation() Map<String, Object> params = new HashMap<>();
.cookie("JSESSIONID", getWebGoatCookie()) params.clear();
.header("webgoat-requested-by", "dom-xss-vuln") params.put("password", "ajnaeliclm^&&@kjn.");
.header("X-Requested-With", "XMLHttpRequest") checkAssignment(url("/WebGoat/SecurePasswords/assignment"), params, true);
.formParams(params) checkResults("SecurePasswords/");
.post(url("/WebGoat/CrossSiteScripting/phone-home-xss"))
.then()
.statusCode(200)
.extract()
.path("output");
String secretNumber = result.substring("phoneHome Response is ".length());
params.clear(); startLesson("AuthBypass");
params.put("successMessage", secretNumber); params.clear();
checkAssignment(url("/WebGoat/ChromeDevTools/dummy"), params, true); params.put("secQuestion2", "John");
params.put("secQuestion3", "Main");
params.put("jsEnabled", "1");
params.put("verifyMethod", "SEC_QUESTIONS");
params.put("userId", "12309746");
checkAssignment(url("/WebGoat/auth-bypass/verify-account"), params, true);
checkResults("/auth-bypass/");
params.clear(); startLesson("HttpProxies");
params.put("number", "24"); MatcherAssert.assertThat(RestAssured.given().when().relaxedHTTPSValidation().cookie("JSESSIONID", getWebGoatCookie()).header("x-request-intercepted", "true")
params.put("network_num", "24"); .contentType(ContentType.JSON)
checkAssignment(url("/WebGoat/ChromeDevTools/network"), params, true); .get(url("/WebGoat/HttpProxies/intercept-request?changeMe=Requests are tampered easily")).then()
.statusCode(200).extract().path("lessonCompleted"), CoreMatchers.is(true));
checkResults("/HttpProxies/");
}
checkResults("/ChromeDevTools/"); @Test
} public void chrome() {
startLesson("ChromeDevTools");
@Test Map<String, Object> params = new HashMap<>();
public void authByPass() { params.clear();
startLesson("AuthBypass"); params.put("param1", "42");
Map<String, Object> params = new HashMap<>(); params.put("param2", "24");
params.clear();
params.put("secQuestion2", "John"); String result =
params.put("secQuestion3", "Main"); RestAssured.given()
params.put("jsEnabled", "1"); .when()
params.put("verifyMethod", "SEC_QUESTIONS"); .relaxedHTTPSValidation()
params.put("userId", "12309746"); .cookie("JSESSIONID", getWebGoatCookie())
checkAssignment(url("/auth-bypass/verify-account"), params, true); .header("webgoat-requested-by", "dom-xss-vuln")
checkResults("/auth-bypass/"); .header("X-Requested-With", "XMLHttpRequest")
} .formParams(params)
.post(url("/WebGoat/CrossSiteScripting/phone-home-xss"))
.then()
.statusCode(200)
.extract().path("output");
String secretNumber = result.substring("phoneHome Response is ".length());
params.clear();
params.put("successMessage", secretNumber);
checkAssignment(url("/WebGoat/ChromeDevTools/dummy"), params, true);
params.clear();
params.put("number", "24");
params.put("network_num", "24");
checkAssignment(url("/WebGoat/ChromeDevTools/network"), params, true);
checkResults("/ChromeDevTools/");
}
@Test
public void authByPass() {
startLesson("AuthBypass");
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("secQuestion2", "John");
params.put("secQuestion3", "Main");
params.put("jsEnabled", "1");
params.put("verifyMethod", "SEC_QUESTIONS");
params.put("userId", "12309746");
checkAssignment(url("/auth-bypass/verify-account"), params, true);
checkResults("/auth-bypass/");
}
@Test
public void lessonTemplate() {
startLesson("LessonTemplate");
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("param1", "secr37Value");
params.put("param2", "Main");
checkAssignment(url("/lesson-template/sample-attack"), params, true);
checkResults("/lesson-template/");
}
@Test
public void lessonTemplate() {
startLesson("LessonTemplate");
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("param1", "secr37Value");
params.put("param2", "Main");
checkAssignment(url("/lesson-template/sample-attack"), params, true);
checkResults("/lesson-template/");
}
} }

170
src/it/java/org/owasp/webgoat/LabelAndHintIntegrationTest.java
View File

@ -1,170 +0,0 @@
package org.owasp.webgoat;
import io.restassured.RestAssured;
import io.restassured.http.ContentType;
import io.restassured.path.json.JsonPath;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;
import java.io.FileInputStream;
import java.io.InputStream;
import java.util.List;
import java.util.Properties;
public class LabelAndHintIntegrationTest extends IntegrationTest {
final static String ESCAPE_JSON_PATH_CHAR = "\'";
@Test
public void testSingleLabel() {
Assertions.assertTrue(true);
JsonPath jsonPath = RestAssured.given()
.when()
.relaxedHTTPSValidation()
.contentType(ContentType.JSON)
.header("Accept-Language","en")
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("service/labels.mvc")).then().statusCode(200).extract().jsonPath();
Assertions.assertEquals("Try again: but this time enter a value before hitting go.", jsonPath.getString(ESCAPE_JSON_PATH_CHAR+"http-basics.close"+ESCAPE_JSON_PATH_CHAR));
// check if lang parameter overrules Accept-Language parameter
jsonPath = RestAssured.given()
.when()
.relaxedHTTPSValidation()
.contentType(ContentType.JSON)
.header("Accept-Language","en")
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("service/labels.mvc?lang=nl")).then().statusCode(200).extract().jsonPath();
Assertions.assertEquals("Gebruikersnaam", jsonPath.getString(ESCAPE_JSON_PATH_CHAR+"username"+ESCAPE_JSON_PATH_CHAR));
jsonPath = RestAssured.given()
.when()
.relaxedHTTPSValidation()
.contentType(ContentType.JSON)
.header("Accept-Language","en")
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("service/labels.mvc?lang=de")).then().statusCode(200).extract().jsonPath();
Assertions.assertEquals("Benutzername", jsonPath.getString(ESCAPE_JSON_PATH_CHAR+"username"+ESCAPE_JSON_PATH_CHAR));
// check if invalid language returns english
jsonPath = RestAssured.given()
.when()
.relaxedHTTPSValidation()
.contentType(ContentType.JSON)
.header("Accept-Language","nl")
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("service/labels.mvc?lang=xx")).then().statusCode(200).extract().jsonPath();
Assertions.assertEquals("Username", jsonPath.getString(ESCAPE_JSON_PATH_CHAR+"username"+ESCAPE_JSON_PATH_CHAR));
// check if invalid language returns english
jsonPath = RestAssured.given()
.when()
.relaxedHTTPSValidation()
.contentType(ContentType.JSON)
.header("Accept-Language","xx_YY")
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("service/labels.mvc")).then().statusCode(200).extract().jsonPath();
Assertions.assertEquals("Username", jsonPath.getString(ESCAPE_JSON_PATH_CHAR+"username"+ESCAPE_JSON_PATH_CHAR));
}
@Test
public void testHints() {
JsonPath jsonPathLabels = getLabels("en");
List<String> allLessons = List.of(
"HttpBasics",
"HttpProxies", "CIA", "InsecureLogin", "Cryptography", "PathTraversal",
"XXE", "JWT", "IDOR", "SSRF", "WebWolfIntroduction", "CrossSiteScripting", "CSRF", "HijackSession",
"SqlInjection", "SqlInjectionMitigations" ,"SqlInjectionAdvanced",
"Challenge1");
for (String lesson: allLessons) {
startLesson(lesson);
List<String> hintKeys = getHints();
for (String key : hintKeys) {
String keyValue = jsonPathLabels.getString(ESCAPE_JSON_PATH_CHAR + key + ESCAPE_JSON_PATH_CHAR);
//System.out.println("key: " + key + " ,value: " + keyValue);
Assertions.assertNotNull(keyValue);
Assertions.assertNotEquals(key, keyValue);
}
}
//Assertions.assertEquals("http-basics.hints.http_basics_lesson.1", ""+jsonPath.getList("hint").get(0));
}
@Test
public void testLabels() {
JsonPath jsonPathLabels = getLabels("en");
Properties propsDefault = getProperties("");
for (String key: propsDefault.stringPropertyNames()) {
String keyValue = jsonPathLabels.getString(ESCAPE_JSON_PATH_CHAR+key+ESCAPE_JSON_PATH_CHAR);
Assertions.assertNotNull(keyValue);
}
checkLang(propsDefault,"nl");
checkLang(propsDefault,"de");
checkLang(propsDefault,"fr");
checkLang(propsDefault,"ru");
}
private Properties getProperties(String lang) {
Properties prop = null;
if (lang == null || lang.equals("")) { lang = ""; } else { lang = "_"+lang; }
try (InputStream input = new FileInputStream("src/main/resources/i18n/messages"+lang+".properties")) {
prop = new Properties();
// load a properties file
prop.load(input);
} catch (Exception e) {
e.printStackTrace();
}
return prop;
}
private void checkLang(Properties propsDefault, String lang) {
JsonPath jsonPath = getLabels(lang);
Properties propsLang = getProperties(lang);
for (String key: propsLang.stringPropertyNames()) {
if (!propsDefault.containsKey(key)) {
System.err.println("key: " + key + " in (" +lang+") is missing from default properties");
Assertions.fail();
}
if (!jsonPath.getString(ESCAPE_JSON_PATH_CHAR+key+ESCAPE_JSON_PATH_CHAR).equals(propsLang.get(key))) {
System.out.println("key: " + key + " in (" +lang+") has incorrect translation in label service");
System.out.println("actual:"+jsonPath.getString(ESCAPE_JSON_PATH_CHAR+key+ESCAPE_JSON_PATH_CHAR));
System.out.println("expected: "+propsLang.getProperty(key));
System.out.println();
Assertions.fail();
}
}
}
private JsonPath getLabels(String lang) {
return RestAssured.given()
.when()
.relaxedHTTPSValidation()
.contentType(ContentType.JSON)
.header("Accept-Language",lang)
.cookie("JSESSIONID", getWebGoatCookie())
//.log().headers()
.get(url("service/labels.mvc"))
.then()
//.log().all()
.statusCode(200).extract().jsonPath();
}
private List<String> getHints() {
JsonPath jsonPath = RestAssured.given()
.when()
.relaxedHTTPSValidation()
.contentType(ContentType.JSON)
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("service/hint.mvc"))
.then()
//.log().all()
.statusCode(200).extract().jsonPath();
return jsonPath.getList("hint");
}
}

88
src/it/java/org/owasp/webgoat/LabelAndHintTest.java Normal file
View File

@ -0,0 +1,88 @@
package org.owasp.webgoat;
import io.restassured.RestAssured;
import io.restassured.http.ContentType;
import io.restassured.path.json.JsonPath;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;
import java.io.FileInputStream;
import java.io.InputStream;
import java.util.Properties;
public class LabelAndHintTest extends IntegrationTest {
@Test
public void testSingleLabel() {
Assertions.assertTrue(true);
JsonPath jsonPath = RestAssured.given()
.when()
.relaxedHTTPSValidation()
.contentType(ContentType.JSON)
.header("Accept-Language","en")
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("service/labels.mvc")).then().statusCode(200).extract().jsonPath();
Assertions.assertEquals("Try again: but this time enter a value before hitting go.", jsonPath.getString("\'http-basics.close\'"));
}
@Test
public void testLabels() {
Properties propsDefault = getProperties("");
System.out.println("Working Directory = " + System.getProperty("user.dir"));
checkLang(propsDefault,"nl");
checkLang(propsDefault,"de");
checkLang(propsDefault,"fr");
checkLang(propsDefault,"ru");
}
private Properties getProperties(String lang) {
Properties prop = null;
if (lang == null || lang.equals("")) { lang = ""; } else { lang = "_"+lang; }
try (InputStream input = new FileInputStream("src/main/resources/i18n/messages"+lang+".properties")) {
prop = new Properties();
// load a properties file
prop.load(input);
} catch (Exception e) {
e.printStackTrace();
}
return prop;
}
private void checkLang(Properties propsDefault, String lang) {
JsonPath jsonPath = getLabels(lang);
Properties propsLang = getProperties(lang);
for (String key: propsLang.stringPropertyNames()) {
if (!propsDefault.containsKey(key)) {
System.out.println("key: " + key + " in (" +lang+") is missing from default properties");
Assertions.fail();
}
if (!jsonPath.getString("\'"+key+"\'").equals(propsLang.get(key))) {
System.out.println("key: " + key + " in (" +lang+") has incorrect translation in label service");
System.out.println("actual:"+jsonPath.getString("\'"+key+"\'"));
System.out.println("expected: "+propsLang.getProperty(key));
System.out.println();
//Assertions.fail();
}
}
}
private JsonPath getLabels(String lang) {
return RestAssured.given()
.when()
.relaxedHTTPSValidation()
.contentType(ContentType.JSON)
.header("Accept-Language",lang)
.cookie("JSESSIONID", getWebGoatCookie())
//.log().headers()
.get(url("service/labels.mvc"))
.then()
//.log().all()
.statusCode(200).extract().jsonPath();
}
}

111
src/it/java/org/owasp/webgoat/SeleniumIntegrationTest.java Normal file
View File

@ -0,0 +1,111 @@
package org.owasp.webgoat;
import java.util.concurrent.TimeUnit;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.openqa.selenium.By;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.firefox.FirefoxBinary;
import org.openqa.selenium.firefox.FirefoxDriver;
import org.openqa.selenium.firefox.FirefoxOptions;
import io.github.bonigarcia.wdm.WebDriverManager;
import io.github.bonigarcia.wdm.config.DriverManagerType;
public class SeleniumIntegrationTest extends IntegrationTest {
static {
try {
WebDriverManager.getInstance(DriverManagerType.FIREFOX).setup();
} catch (Exception e) {
//sometimes a 403 cause an ExceptionInInitializerError
}
}
private WebDriver driver;
@BeforeEach
public void setUpAndLogin() {
try {
FirefoxBinary firefoxBinary = new FirefoxBinary();
firefoxBinary.addCommandLineOptions("--headless");
FirefoxOptions firefoxOptions = new FirefoxOptions();
firefoxOptions.setBinary(firefoxBinary);
driver = new FirefoxDriver(firefoxOptions);
driver.get(url("/login"));
driver.manage().timeouts().implicitlyWait(30, TimeUnit.SECONDS);
// Login
driver.findElement(By.name("username")).sendKeys(this.getUser());
driver.findElement(By.name("password")).sendKeys("password");
driver.findElement(By.className("btn")).click();
// Check if user exists. If not, create user.
if (driver.getCurrentUrl().equals(url("/login?error"))) {
driver.get(url("/registration"));
driver.findElement(By.id("username")).sendKeys(this.getUser());
driver.findElement(By.id("password")).sendKeys("password");
driver.findElement(By.id("matchingPassword")).sendKeys("password");
driver.findElement(By.name("agree")).click();
driver.findElement(By.className("btn-primary")).click();
}
} catch (Exception e) {
System.err.println("Selenium test failed "+System.getProperty("webdriver.gecko.driver")+", message: "+e.getMessage());
}
}
@AfterEach
public void tearDown() {
if (null != driver) {
driver.close();
}
}
@Test
public void sqlInjection() {
if (null==driver) return;
driver.get(url("/start.mvc#lesson/SqlInjection.lesson"));
driver.get(url("/start.mvc#lesson/SqlInjection.lesson/1"));
driver.findElement(By.id("restart-lesson-button")).click();
driver.get(url("/start.mvc#lesson/SqlInjection.lesson/0"));
driver.get(url("/start.mvc#lesson/SqlInjection.lesson/1"));
driver.findElement(By.name("query")).sendKeys(SqlInjectionLessonIntegrationTest.sql_2);
driver.findElement(By.name("query")).submit();
driver.get(url("/start.mvc#lesson/SqlInjection.lesson/2"));
driver.findElements(By.name("query")).get(1).sendKeys(SqlInjectionLessonIntegrationTest.sql_3);
driver.findElements(By.name("query")).get(1).submit();
driver.get(url("/start.mvc#lesson/SqlInjection.lesson/3"));
driver.findElements(By.name("query")).get(2).sendKeys(SqlInjectionLessonIntegrationTest.sql_4_drop);
driver.findElements(By.name("query")).get(2).submit();
driver.get(url("/start.mvc#lesson/SqlInjection.lesson/3"));
driver.findElements(By.name("query")).get(2).clear();
driver.findElements(By.name("query")).get(2).sendKeys(SqlInjectionLessonIntegrationTest.sql_4_add);
driver.findElements(By.name("query")).get(2).submit();
driver.findElements(By.name("query")).get(2).clear();
driver.findElements(By.name("query")).get(2).sendKeys(SqlInjectionLessonIntegrationTest.sql_4_drop);
driver.findElements(By.name("query")).get(2).submit();
driver.get(url("/start.mvc#lesson/SqlInjection.lesson/4"));
driver.findElements(By.name("query")).get(3).sendKeys(SqlInjectionLessonIntegrationTest.sql_5);
driver.findElements(By.name("query")).get(3).submit();
driver.get(url("/start.mvc#lesson/SqlInjection.lesson/8"));
driver.findElement(By.name("account")).sendKeys("Smith'");
driver.findElement(By.name("operator")).sendKeys("OR");
driver.findElement(By.name("injection")).sendKeys("'1'='1");
driver.findElement(By.name("Get Account Info")).click();
driver.get(url("/start.mvc#lesson/SqlInjection.lesson/9"));
driver.findElement(By.name("userid")).sendKeys(SqlInjectionLessonIntegrationTest.sql_10_userid);
driver.findElement(By.name("login_count")).sendKeys(SqlInjectionLessonIntegrationTest.sql_10_login_count);
driver.findElements(By.name("Get Account Info")).get(1).click();
}
}

106
src/main/java/org/dummy/insecure/framework/VulnerableTaskHolder.java
View File

@ -1,76 +1,74 @@
package org.dummy.insecure.framework; package org.dummy.insecure.framework;
import lombok.extern.slf4j.Slf4j;
import java.io.BufferedReader; import java.io.BufferedReader;
import java.io.IOException; import java.io.IOException;
import java.io.InputStreamReader; import java.io.InputStreamReader;
import java.io.ObjectInputStream; import java.io.ObjectInputStream;
import java.io.Serializable; import java.io.Serializable;
import java.time.LocalDateTime; import java.time.LocalDateTime;
import lombok.extern.slf4j.Slf4j;
@Slf4j @Slf4j
// TODO move back to lesson //TODO move back to lesson
public class VulnerableTaskHolder implements Serializable { public class VulnerableTaskHolder implements Serializable {
private static final long serialVersionUID = 2; private static final long serialVersionUID = 2;
private String taskName; private String taskName;
private String taskAction; private String taskAction;
private LocalDateTime requestedExecutionTime; private LocalDateTime requestedExecutionTime;
public VulnerableTaskHolder(String taskName, String taskAction) { public VulnerableTaskHolder(String taskName, String taskAction) {
super(); super();
this.taskName = taskName; this.taskName = taskName;
this.taskAction = taskAction; this.taskAction = taskAction;
this.requestedExecutionTime = LocalDateTime.now(); this.requestedExecutionTime = LocalDateTime.now();
} }
@Override @Override
public String toString() { public String toString() {
return "VulnerableTaskHolder [taskName=" return "VulnerableTaskHolder [taskName=" + taskName + ", taskAction=" + taskAction + ", requestedExecutionTime="
+ taskName + requestedExecutionTime + "]";
+ ", taskAction=" }
+ taskAction
+ ", requestedExecutionTime="
+ requestedExecutionTime
+ "]";
}
/** /**
* Execute a task when de-serializing a saved or received object. * Execute a task when de-serializing a saved or received object.
* * @author stupid develop
* @author stupid develop */
*/ private void readObject( ObjectInputStream stream ) throws Exception {
private void readObject(ObjectInputStream stream) throws Exception { //unserialize data so taskName and taskAction are available
// unserialize data so taskName and taskAction are available stream.defaultReadObject();
stream.defaultReadObject();
// do something with the data //do something with the data
log.info("restoring task: {}", taskName); log.info("restoring task: {}", taskName);
log.info("restoring time: {}", requestedExecutionTime); log.info("restoring time: {}", requestedExecutionTime);
if (requestedExecutionTime != null if (requestedExecutionTime!=null &&
&& (requestedExecutionTime.isBefore(LocalDateTime.now().minusMinutes(10)) (requestedExecutionTime.isBefore(LocalDateTime.now().minusMinutes(10))
|| requestedExecutionTime.isAfter(LocalDateTime.now()))) { || requestedExecutionTime.isAfter(LocalDateTime.now()))) {
// do nothing is the time is not within 10 minutes after the object has been created //do nothing is the time is not within 10 minutes after the object has been created
log.debug(this.toString()); log.debug(this.toString());
throw new IllegalArgumentException("outdated"); throw new IllegalArgumentException("outdated");
} }
// condition is here to prevent you from destroying the goat altogether //condition is here to prevent you from destroying the goat altogether
if ((taskAction.startsWith("sleep") || taskAction.startsWith("ping")) if ((taskAction.startsWith("sleep")||taskAction.startsWith("ping"))
&& taskAction.length() < 22) { && taskAction.length() < 22) {
log.info("about to execute: {}", taskAction); log.info("about to execute: {}", taskAction);
try { try {
Process p = Runtime.getRuntime().exec(taskAction); Process p = Runtime.getRuntime().exec(taskAction);
BufferedReader in = new BufferedReader(new InputStreamReader(p.getInputStream())); BufferedReader in = new BufferedReader(
String line = null; new InputStreamReader(p.getInputStream()));
while ((line = in.readLine()) != null) { String line = null;
log.info(line); while ((line = in.readLine()) != null) {
log.info(line);
}
} catch (IOException e) {
log.error("IO Exception", e);
} }
} catch (IOException e) { }
log.error("IO Exception", e);
}
} }
}
} }

84
src/main/java/org/owasp/webgoat/container/AjaxAuthenticationEntryPoint.java
View File

@ -1,59 +1,59 @@
/** /**
* ************************************************************************************************* * *************************************************************************************************
*
* <p> * <p>
* * <p>
* <p>This file is part of WebGoat, an Open Web Application Security Project utility. For details, * This file is part of WebGoat, an Open Web Application Security Project
* please see http://www.owasp.org/ * utility. For details, please see http://www.owasp.org/
* * <p>
* <p>Copyright (c) 2002 - 2014 Bruce Mayhew * Copyright (c) 2002 - 2014 Bruce Mayhew
* * <p>
* <p>This program is free software; you can redistribute it and/or modify it under the terms of the * This program is free software; you can redistribute it and/or modify it under
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * the terms of the GNU General Public License as published by the Free Software
* License, or (at your option) any later version. * Foundation; either version 2 of the License, or (at your option) any later
* * version.
* <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; * <p>
* without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * This program is distributed in the hope that it will be useful, but WITHOUT
* GNU General Public License for more details. * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* <p>You should have received a copy of the GNU General Public License along with this program; if * details.
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * <p>
* 02111-1307, USA. * You should have received a copy of the GNU General Public License along with
* * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* <p>Getting Source ============== * Place - Suite 330, Boston, MA 02111-1307, USA.
* * <p>
* <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository * Getting Source ==============
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects. * for free software projects.
*/ */
package org.owasp.webgoat.container; package org.owasp.webgoat.container;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint; import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
/** /**
* AjaxAuthenticationEntryPoint class. * <p>AjaxAuthenticationEntryPoint class.</p>
* *
* @author zupzup * @author zupzup
*/ */
public class AjaxAuthenticationEntryPoint extends LoginUrlAuthenticationEntryPoint {
public AjaxAuthenticationEntryPoint(String loginFormUrl) {
super(loginFormUrl);
}
@Override public class AjaxAuthenticationEntryPoint extends LoginUrlAuthenticationEntryPoint {
public void commence( public AjaxAuthenticationEntryPoint(String loginFormUrl) {
HttpServletRequest request, super(loginFormUrl);
HttpServletResponse response, }
AuthenticationException authException)
throws IOException, ServletException { @Override
if (request.getHeader("x-requested-with") != null) { public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
response.sendError(401, authException.getMessage()); if (request.getHeader("x-requested-with") != null) {
} else { response.sendError(401, authException.getMessage());
super.commence(request, response, authException); } else {
super.commence(request, response, authException);
}
} }
}
} }

202
src/main/java/org/owasp/webgoat/container/AsciiDoctorTemplateResolver.java
View File

@ -1,172 +1,110 @@
/** /**
* ************************************************************************************************ * ************************************************************************************************
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/ * please see http://www.owasp.org/
* * <p>
* <p>Copyright (c) 2002 - 2014 Bruce Mayhew * Copyright (c) 2002 - 2014 Bruce Mayhew
* * <p>
* <p>This program is free software; you can redistribute it and/or modify it under the terms of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version. * License, or (at your option) any later version.
* * <p>
* <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* GNU General Public License for more details. * General Public License for more details.
* * <p>
* <p>You should have received a copy of the GNU General Public License along with this program; if * You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA. * 02111-1307, USA.
* * <p>
* <p>Getting Source ============== * Getting Source ==============
* * <p>
* <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* for free software projects. * projects.
*
* <p> * <p>
* *
* @author WebGoat * @author WebGoat
* @version $Id: $Id * @version $Id: $Id
* @since December 12, 2015 * @since December 12, 2015
*/ */
package org.owasp.webgoat.container; package org.owasp.webgoat.container;
import static org.asciidoctor.Asciidoctor.Factory.create;
import io.undertow.util.Headers;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.asciidoctor.Asciidoctor; import org.asciidoctor.Asciidoctor;
import org.asciidoctor.extension.JavaExtensionRegistry; import org.asciidoctor.extension.JavaExtensionRegistry;
import org.owasp.webgoat.container.asciidoc.*; import org.owasp.webgoat.container.asciidoc.OperatingSystemMacro;
import org.owasp.webgoat.container.i18n.Language; import org.owasp.webgoat.container.asciidoc.UsernameMacro;
import org.owasp.webgoat.container.asciidoc.WebGoatTmpDirMacro;
import org.owasp.webgoat.container.asciidoc.WebGoatVersionMacro;
import org.owasp.webgoat.container.asciidoc.WebWolfMacro;
import org.owasp.webgoat.container.asciidoc.WebWolfRootMacro;
import org.springframework.core.io.ResourceLoader; import org.springframework.core.io.ResourceLoader;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.servlet.i18n.SessionLocaleResolver;
import org.thymeleaf.IEngineConfiguration; import org.thymeleaf.IEngineConfiguration;
import org.thymeleaf.templateresolver.FileTemplateResolver; import org.thymeleaf.templateresolver.FileTemplateResolver;
import org.thymeleaf.templateresource.ITemplateResource; import org.thymeleaf.templateresource.ITemplateResource;
import org.thymeleaf.templateresource.StringTemplateResource; import org.thymeleaf.templateresource.StringTemplateResource;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import static org.asciidoctor.Asciidoctor.Factory.create;
/** /**
* Thymeleaf resolver for AsciiDoc used in the lesson, can be used as follows inside a lesson file: * Thymeleaf resolver for AsciiDoc used in the lesson, can be used as follows inside a lesson file:
* * <p>
* <p><code> * <code>
* <div th:replace="doc:AccessControlMatrix_plan.adoc"></div> * <div th:replace="doc:AccessControlMatrix_plan.adoc"></div>
* </code> * </code>
*/ */
@Slf4j @Slf4j
public class AsciiDoctorTemplateResolver extends FileTemplateResolver { public class AsciiDoctorTemplateResolver extends FileTemplateResolver {
private static final Asciidoctor asciidoctor = create(); private static final Asciidoctor asciidoctor = create();
private static final String PREFIX = "doc:"; private static final String PREFIX = "doc:";
private final ResourceLoader resourceLoader;
private final Language language; public AsciiDoctorTemplateResolver(ResourceLoader resourceLoader) {
private final ResourceLoader resourceLoader; this.resourceLoader = resourceLoader;
setResolvablePatterns(Set.of(PREFIX + "*"));
public AsciiDoctorTemplateResolver(Language language, ResourceLoader resourceLoader) {
this.resourceLoader = resourceLoader;
this.language = language;
setResolvablePatterns(Set.of(PREFIX + "*"));
}
@Override
protected ITemplateResource computeTemplateResource(
IEngineConfiguration configuration,
String ownerTemplate,
String template,
String resourceName,
String characterEncoding,
Map<String, Object> templateResolutionAttributes) {
var templateName = resourceName.substring(PREFIX.length());
log.debug("template used: {}", templateName);
try (InputStream is = getInputStream(templateName)) {
JavaExtensionRegistry extensionRegistry = asciidoctor.javaExtensionRegistry();
extensionRegistry.inlineMacro("webWolfLink", WebWolfMacro.class);
extensionRegistry.inlineMacro("webWolfRootLink", WebWolfRootMacro.class);
extensionRegistry.inlineMacro("webGoatVersion", WebGoatVersionMacro.class);
extensionRegistry.inlineMacro("webGoatTempDir", WebGoatTmpDirMacro.class);
extensionRegistry.inlineMacro("operatingSystem", OperatingSystemMacro.class);
extensionRegistry.inlineMacro("username", UsernameMacro.class);
StringWriter writer = new StringWriter();
asciidoctor.convert(new InputStreamReader(is), writer, createAttributes());
return new StringTemplateResource(writer.getBuffer().toString());
} catch (IOException e) {
return new StringTemplateResource(
"<div>Unable to find documentation for: " + templateName + " </div>");
} }
}
private InputStream getInputStream(String templateName) throws IOException { @Override
log.debug("locale: {}", language.getLocale().getLanguage()); protected ITemplateResource computeTemplateResource(IEngineConfiguration configuration, String ownerTemplate, String template, String resourceName, String characterEncoding, Map<String, Object> templateResolutionAttributes) {
String computedResourceName = var templateName = resourceName.substring(PREFIX.length());
computeResourceName(templateName, language.getLocale().getLanguage());
if (resourceLoader try (InputStream is = resourceLoader.getResource("classpath:/" + templateName).getInputStream()) {
.getResource("classpath:/" + computedResourceName) JavaExtensionRegistry extensionRegistry = asciidoctor.javaExtensionRegistry();
.isReadable() /*isFile()*/) { extensionRegistry.inlineMacro("webWolfLink", WebWolfMacro.class);
log.debug("localized file exists"); extensionRegistry.inlineMacro("webWolfRootLink", WebWolfRootMacro.class);
return resourceLoader.getResource("classpath:/" + computedResourceName).getInputStream(); extensionRegistry.inlineMacro("webGoatVersion", WebGoatVersionMacro.class);
} else { extensionRegistry.inlineMacro("webGoatTempDir", WebGoatTmpDirMacro.class);
log.debug("using english template"); extensionRegistry.inlineMacro("operatingSystem", OperatingSystemMacro.class);
return resourceLoader.getResource("classpath:/" + templateName).getInputStream(); extensionRegistry.inlineMacro("username", UsernameMacro.class);
StringWriter writer = new StringWriter();
asciidoctor.convert(new InputStreamReader(is), writer, createAttributes());
return new StringTemplateResource(writer.getBuffer().toString());
} catch (IOException e) {
return new StringTemplateResource("<div>Unable to find documentation for: " + templateName + " </div>");
}
} }
}
private String computeResourceName(String resourceName, String language) { private Map<String, Object> createAttributes() {
String computedResourceName; Map<String, Object> attributes = new HashMap<>();
if (language.equals("en")) { attributes.put("source-highlighter", "coderay");
computedResourceName = resourceName; attributes.put("backend", "xhtml");
} else { attributes.put("icons", org.asciidoctor.Attributes.FONT_ICONS);
computedResourceName = resourceName.replace(".adoc", "_".concat(language).concat(".adoc"));
Map<String, Object> options = new HashMap<>();
options.put("attributes", attributes);
return options;
} }
log.debug("computed local file name: {}", computedResourceName);
log.debug(
"file exists: {}",
resourceLoader.getResource("classpath:/" + computedResourceName).isReadable());
return computedResourceName;
}
private Map<String, Object> createAttributes() {
Map<String, Object> attributes = new HashMap<>();
attributes.put("source-highlighter", "coderay");
attributes.put("backend", "xhtml");
attributes.put("lang", determineLanguage());
attributes.put("icons", org.asciidoctor.Attributes.FONT_ICONS);
Map<String, Object> options = new HashMap<>();
options.put("attributes", attributes);
return options;
}
private String determineLanguage() {
HttpServletRequest request =
((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
Locale browserLocale =
(Locale)
request.getSession().getAttribute(SessionLocaleResolver.LOCALE_SESSION_ATTRIBUTE_NAME);
if (null != browserLocale) {
log.debug("browser locale {}", browserLocale);
return browserLocale.getLanguage();
} else {
String langHeader = request.getHeader(Headers.ACCEPT_LANGUAGE_STRING);
if (null != langHeader) {
log.debug("browser locale {}", langHeader);
return langHeader.substring(0, 2);
} else {
log.debug("browser default english");
return "en";
}
}
}
} }

89
src/main/java/org/owasp/webgoat/container/DatabaseConfiguration.java
View File

@ -1,8 +1,5 @@
package org.owasp.webgoat.container; package org.owasp.webgoat.container;
import java.util.Map;
import java.util.function.Function;
import javax.sql.DataSource;
import lombok.RequiredArgsConstructor; import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.flywaydb.core.Flyway; import org.flywaydb.core.Flyway;
@ -14,54 +11,58 @@ import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary; import org.springframework.context.annotation.Primary;
import org.springframework.jdbc.datasource.DriverManagerDataSource; import org.springframework.jdbc.datasource.DriverManagerDataSource;
import javax.sql.DataSource;
import java.util.Map;
import java.util.function.Function;
@Configuration @Configuration
@RequiredArgsConstructor @RequiredArgsConstructor
@Slf4j @Slf4j
public class DatabaseConfiguration { public class DatabaseConfiguration {
private final DataSourceProperties properties; private final DataSourceProperties properties;
private final LessonScanner lessonScanner; private final LessonScanner lessonScanner;
@Bean @Bean
@Primary @Primary
public DataSource dataSource() { public DataSource dataSource() {
DriverManagerDataSource dataSource = new DriverManagerDataSource(); DriverManagerDataSource dataSource = new DriverManagerDataSource();
dataSource.setDriverClassName(properties.getDriverClassName()); dataSource.setDriverClassName(properties.getDriverClassName());
dataSource.setUrl(properties.getUrl()); dataSource.setUrl(properties.getUrl());
dataSource.setUsername(properties.getUsername()); dataSource.setUsername(properties.getUsername());
dataSource.setPassword(properties.getPassword()); dataSource.setPassword(properties.getPassword());
return dataSource; return dataSource;
} }
/** /**
* Define 2 Flyway instances, 1 for WebGoat itself which it uses for internal storage like users * Define 2 Flyway instances, 1 for WebGoat itself which it uses for internal storage like users and 1 for lesson
* and 1 for lesson specific tables we use. This way we clean the data in the lesson database * specific tables we use. This way we clean the data in the lesson database quite easily see {@link RestartLessonService#restartLesson()}
* quite easily see {@link RestartLessonService#restartLesson()} for how we clean the lesson * for how we clean the lesson related tables.
* related tables. */
*/ @Bean(initMethod = "migrate")
@Bean(initMethod = "migrate") public Flyway flyWayContainer() {
public Flyway flyWayContainer() { return Flyway
return Flyway.configure() .configure()
.configuration(Map.of("driver", properties.getDriverClassName())) .configuration(Map.of("driver", properties.getDriverClassName()))
.dataSource(dataSource()) .dataSource(dataSource())
.schemas("container") .schemas("container")
.locations("db/container") .locations("db/container")
.load(); .load();
} }
@Bean @Bean
public Function<String, Flyway> flywayLessons(LessonDataSource lessonDataSource) { public Function<String, Flyway> flywayLessons(LessonDataSource lessonDataSource) {
return schema -> return schema -> Flyway
Flyway.configure() .configure()
.configuration(Map.of("driver", properties.getDriverClassName())) .configuration(Map.of("driver", properties.getDriverClassName()))
.schemas(schema) .schemas(schema)
.dataSource(lessonDataSource) .dataSource(lessonDataSource)
.locations("lessons") .locations("lessons")
.load(); .load();
} }
@Bean @Bean
public LessonDataSource lessonDataSource() { public LessonDataSource lessonDataSource() {
return new LessonDataSource(dataSource()); return new LessonDataSource(dataSource());
} }
} }

61
src/main/java/org/owasp/webgoat/container/HammerHead.java
View File

@ -9,29 +9,30 @@ import org.springframework.web.servlet.ModelAndView;
/** /**
* ************************************************************************************************* * *************************************************************************************************
*
* <p> * <p>
* * <p>
* <p>This file is part of WebGoat, an Open Web Application Security Project utility. For details, * This file is part of WebGoat, an Open Web Application Security Project
* please see http://www.owasp.org/ * utility. For details, please see http://www.owasp.org/
* * <p>
* <p>Copyright (c) 2002 - 2014 Bruce Mayhew * Copyright (c) 2002 - 2014 Bruce Mayhew
* * <p>
* <p>This program is free software; you can redistribute it and/or modify it under the terms of the * This program is free software; you can redistribute it and/or modify it under
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * the terms of the GNU General Public License as published by the Free Software
* License, or (at your option) any later version. * Foundation; either version 2 of the License, or (at your option) any later
* * version.
* <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; * <p>
* without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * This program is distributed in the hope that it will be useful, but WITHOUT
* GNU General Public License for more details. * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* <p>You should have received a copy of the GNU General Public License along with this program; if * details.
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * <p>
* 02111-1307, USA. * You should have received a copy of the GNU General Public License along with
* * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* <p>Getting Source ============== * Place - Suite 330, Boston, MA 02111-1307, USA.
* * <p>
* <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository * Getting Source ==============
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects. * for free software projects.
* *
* @author Jeff Williams * @author Jeff Williams
@ -44,13 +45,13 @@ import org.springframework.web.servlet.ModelAndView;
@AllArgsConstructor @AllArgsConstructor
public class HammerHead { public class HammerHead {
private final Course course; private final Course course;
/** Entry point for WebGoat, redirects to the first lesson found within the course. */ /**
@RequestMapping( * Entry point for WebGoat, redirects to the first lesson found within the course.
path = "/attack", */
method = {RequestMethod.GET, RequestMethod.POST}) @RequestMapping(path = "/attack", method = {RequestMethod.GET, RequestMethod.POST})
public ModelAndView attack() { public ModelAndView attack() {
return new ModelAndView("redirect:" + "start.mvc" + course.getFirstLesson().getLink()); return new ModelAndView("redirect:" + "start.mvc" + course.getFirstLesson().getLink());
} }
} }

96
src/main/java/org/owasp/webgoat/container/LessonDataSource.java
View File

@ -1,70 +1,70 @@
package org.owasp.webgoat.container; package org.owasp.webgoat.container;
import org.owasp.webgoat.container.lessons.LessonConnectionInvocationHandler;
import org.springframework.jdbc.datasource.ConnectionProxy;
import javax.sql.DataSource;
import java.io.PrintWriter; import java.io.PrintWriter;
import java.lang.reflect.Proxy; import java.lang.reflect.Proxy;
import java.sql.Connection; import java.sql.Connection;
import java.sql.SQLException; import java.sql.SQLException;
import java.sql.SQLFeatureNotSupportedException; import java.sql.SQLFeatureNotSupportedException;
import java.util.logging.Logger; import java.util.logging.Logger;
import javax.sql.DataSource;
import org.owasp.webgoat.container.lessons.LessonConnectionInvocationHandler;
import org.springframework.jdbc.datasource.ConnectionProxy;
public class LessonDataSource implements DataSource { public class LessonDataSource implements DataSource {
private final DataSource originalDataSource; private final DataSource originalDataSource;
public LessonDataSource(DataSource dataSource) { public LessonDataSource(DataSource dataSource) {
this.originalDataSource = dataSource; this.originalDataSource = dataSource;
} }
@Override @Override
public Connection getConnection() throws SQLException { public Connection getConnection() throws SQLException {
var targetConnection = originalDataSource.getConnection(); var targetConnection = originalDataSource.getConnection();
return (Connection) return (Connection) Proxy.newProxyInstance(
Proxy.newProxyInstance( ConnectionProxy.class.getClassLoader(),
ConnectionProxy.class.getClassLoader(), new Class[]{ConnectionProxy.class},
new Class[] {ConnectionProxy.class}, new LessonConnectionInvocationHandler(targetConnection));
new LessonConnectionInvocationHandler(targetConnection)); }
}
@Override @Override
public Connection getConnection(String username, String password) throws SQLException { public Connection getConnection(String username, String password) throws SQLException {
return originalDataSource.getConnection(username, password); return originalDataSource.getConnection(username, password);
} }
@Override @Override
public PrintWriter getLogWriter() throws SQLException { public PrintWriter getLogWriter() throws SQLException {
return originalDataSource.getLogWriter(); return originalDataSource.getLogWriter();
} }
@Override @Override
public void setLogWriter(PrintWriter out) throws SQLException { public void setLogWriter(PrintWriter out) throws SQLException {
originalDataSource.setLogWriter(out); originalDataSource.setLogWriter(out);
} }
@Override @Override
public void setLoginTimeout(int seconds) throws SQLException { public void setLoginTimeout(int seconds) throws SQLException {
originalDataSource.setLoginTimeout(seconds); originalDataSource.setLoginTimeout(seconds);
} }
@Override @Override
public int getLoginTimeout() throws SQLException { public int getLoginTimeout() throws SQLException {
return originalDataSource.getLoginTimeout(); return originalDataSource.getLoginTimeout();
} }
@Override @Override
public Logger getParentLogger() throws SQLFeatureNotSupportedException { public Logger getParentLogger() throws SQLFeatureNotSupportedException {
return originalDataSource.getParentLogger(); return originalDataSource.getParentLogger();
} }
@Override @Override
public <T> T unwrap(Class<T> clazz) throws SQLException { public <T> T unwrap(Class<T> clazz) throws SQLException {
return originalDataSource.unwrap(clazz); return originalDataSource.unwrap(clazz);
} }
@Override @Override
public boolean isWrapperFor(Class<?> clazz) throws SQLException { public boolean isWrapperFor(Class<?> clazz) throws SQLException {
return originalDataSource.isWrapperFor(clazz); return originalDataSource.isWrapperFor(clazz);
} }
} }

108
src/main/java/org/owasp/webgoat/container/LessonTemplateResolver.java
View File

@ -1,41 +1,36 @@
/** /**
* ************************************************************************************************ * ************************************************************************************************
*
* <p> * <p>
* * <p>
* <p>This file is part of WebGoat, an Open Web Application Security Project utility. For details, * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/ * please see http://www.owasp.org/
* * <p>
* <p>Copyright (c) 2002 - 2014 Bruce Mayhew * Copyright (c) 2002 - 2014 Bruce Mayhew
* * <p>
* <p>This program is free software; you can redistribute it and/or modify it under the terms of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version. * License, or (at your option) any later version.
* * <p>
* <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* GNU General Public License for more details. * General Public License for more details.
* * <p>
* <p>You should have received a copy of the GNU General Public License along with this program; if * You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA. * 02111-1307, USA.
* * <p>
* <p>Getting Source ============== * Getting Source ==============
* * <p>
* <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* for free software projects. * projects.
* *
* @author WebGoat * @author WebGoat
* @version $Id: $Id * @version $Id: $Id
* @since October 28, 2003 * @since October 28, 2003
*/ */
package org.owasp.webgoat.container; package org.owasp.webgoat.container;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.springframework.core.io.ResourceLoader; import org.springframework.core.io.ResourceLoader;
import org.thymeleaf.IEngineConfiguration; import org.thymeleaf.IEngineConfiguration;
@ -43,48 +38,45 @@ import org.thymeleaf.templateresolver.FileTemplateResolver;
import org.thymeleaf.templateresource.ITemplateResource; import org.thymeleaf.templateresource.ITemplateResource;
import org.thymeleaf.templateresource.StringTemplateResource; import org.thymeleaf.templateresource.StringTemplateResource;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
/** /**
* Dynamically resolve a lesson. In the html file this can be invoked as: <code> * Dynamically resolve a lesson. In the html file this can be invoked as:
*
* <code>
* <div th:case="true" th:replace="lesson:__${lesson.class.simpleName}__"></div> * <div th:case="true" th:replace="lesson:__${lesson.class.simpleName}__"></div>
* </code> * </code>
* * <p>
* <p>Thymeleaf will invoke this resolver based on the prefix and this implementation will resolve * Thymeleaf will invoke this resolver based on the prefix and this implementation will resolve the html in the plugins directory
* the html in the plugins directory
*/ */
@Slf4j @Slf4j
public class LessonTemplateResolver extends FileTemplateResolver { public class LessonTemplateResolver extends FileTemplateResolver {
private static final String PREFIX = "lesson:"; private static final String PREFIX = "lesson:";
private ResourceLoader resourceLoader; private ResourceLoader resourceLoader;
private Map<String, byte[]> resources = new HashMap<>(); private Map<String, byte[]> resources = new HashMap<>();
public LessonTemplateResolver(ResourceLoader resourceLoader) { public LessonTemplateResolver(ResourceLoader resourceLoader) {
this.resourceLoader = resourceLoader; this.resourceLoader = resourceLoader;
setResolvablePatterns(Set.of(PREFIX + "*")); setResolvablePatterns(Set.of(PREFIX + "*"));
} }
@Override @Override
protected ITemplateResource computeTemplateResource( protected ITemplateResource computeTemplateResource(IEngineConfiguration configuration, String ownerTemplate, String template, String resourceName, String characterEncoding, Map<String, Object> templateResolutionAttributes) {
IEngineConfiguration configuration, var templateName = resourceName.substring(PREFIX.length());
String ownerTemplate, byte[] resource = resources.get(templateName);
String template, if (resource == null) {
String resourceName, try {
String characterEncoding, resource = resourceLoader.getResource("classpath:/" + templateName).getInputStream().readAllBytes();
Map<String, Object> templateResolutionAttributes) { } catch (IOException e) {
var templateName = resourceName.substring(PREFIX.length()); log.error("Unable to find lesson HTML: {}", template);
byte[] resource = resources.get(templateName); }
if (resource == null) { resources.put(templateName, resource);
try { }
resource = return new StringTemplateResource(new String(resource, StandardCharsets.UTF_8));
resourceLoader
.getResource("classpath:/" + templateName)
.getInputStream()
.readAllBytes();
} catch (IOException e) {
log.error("Unable to find lesson HTML: {}", template);
}
resources.put(templateName, resource);
} }
return new StringTemplateResource(new String(resource, StandardCharsets.UTF_8));
}
} }

346
src/main/java/org/owasp/webgoat/container/MvcConfiguration.java
View File

@ -1,42 +1,37 @@
/** /**
* ************************************************************************************************ * ************************************************************************************************
*
* <p> * <p>
* * <p>
* <p>This file is part of WebGoat, an Open Web Application Security Project utility. For details, * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/ * please see http://www.owasp.org/
* * <p>
* <p>Copyright (c) 2002 - 2014 Bruce Mayhew * Copyright (c) 2002 - 2014 Bruce Mayhew
* * <p>
* <p>This program is free software; you can redistribute it and/or modify it under the terms of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version. * License, or (at your option) any later version.
* * <p>
* <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* GNU General Public License for more details. * General Public License for more details.
* * <p>
* <p>You should have received a copy of the GNU General Public License along with this program; if * You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA. * 02111-1307, USA.
* * <p>
* <p>Getting Source ============== * Getting Source ==============
* * <p>
* <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* for free software projects. * projects.
* *
* @author WebGoat * @author WebGoat
* @version $Id: $Id * @version $Id: $Id
* @since October 28, 2003 * @since October 28, 2003
*/ */
package org.owasp.webgoat.container; package org.owasp.webgoat.container;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.Set;
import lombok.RequiredArgsConstructor; import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.container.i18n.Language; import org.owasp.webgoat.container.i18n.Language;
import org.owasp.webgoat.container.i18n.Messages; import org.owasp.webgoat.container.i18n.Messages;
import org.owasp.webgoat.container.i18n.PluginMessages; import org.owasp.webgoat.container.i18n.PluginMessages;
@ -49,11 +44,9 @@ import org.springframework.core.io.ResourceLoader;
import org.springframework.core.io.support.ResourcePatternResolver; import org.springframework.core.io.support.ResourcePatternResolver;
import org.springframework.web.servlet.LocaleResolver; import org.springframework.web.servlet.LocaleResolver;
import org.springframework.web.servlet.ViewResolver; import org.springframework.web.servlet.ViewResolver;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry; import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry; import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer; import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.i18n.LocaleChangeInterceptor;
import org.springframework.web.servlet.i18n.SessionLocaleResolver; import org.springframework.web.servlet.i18n.SessionLocaleResolver;
import org.thymeleaf.IEngineConfiguration; import org.thymeleaf.IEngineConfiguration;
import org.thymeleaf.extras.springsecurity5.dialect.SpringSecurityDialect; import org.thymeleaf.extras.springsecurity5.dialect.SpringSecurityDialect;
@ -66,195 +59,160 @@ import org.thymeleaf.templateresolver.ITemplateResolver;
import org.thymeleaf.templateresource.ITemplateResource; import org.thymeleaf.templateresource.ITemplateResource;
import org.thymeleaf.templateresource.StringTemplateResource; import org.thymeleaf.templateresource.StringTemplateResource;
/** Configuration for Spring MVC */ import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.Set;
/**
* Configuration for Spring MVC
*/
@Configuration @Configuration
@RequiredArgsConstructor @RequiredArgsConstructor
@Slf4j
public class MvcConfiguration implements WebMvcConfigurer { public class MvcConfiguration implements WebMvcConfigurer {
private static final String UTF8 = "UTF-8"; private static final String UTF8 = "UTF-8";
private final LessonScanner lessonScanner; private final LessonScanner lessonScanner;
@Override @Override
public void addViewControllers(ViewControllerRegistry registry) { public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/login").setViewName("login"); registry.addViewController("/login").setViewName("login");
registry.addViewController("/lesson_content").setViewName("lesson_content"); registry.addViewController("/lesson_content").setViewName("lesson_content");
registry.addViewController("/start.mvc").setViewName("main_new"); registry.addViewController("/start.mvc").setViewName("main_new");
registry.addViewController("/scoreboard").setViewName("scoreboard"); registry.addViewController("/scoreboard").setViewName("scoreboard");
} }
@Bean @Bean
public ViewResolver viewResolver(SpringTemplateEngine thymeleafTemplateEngine) { public ViewResolver viewResolver(SpringTemplateEngine thymeleafTemplateEngine) {
ThymeleafViewResolver resolver = new ThymeleafViewResolver(); ThymeleafViewResolver resolver = new ThymeleafViewResolver();
resolver.setTemplateEngine(thymeleafTemplateEngine); resolver.setTemplateEngine(thymeleafTemplateEngine);
resolver.setCharacterEncoding(StandardCharsets.UTF_8.displayName()); resolver.setCharacterEncoding(StandardCharsets.UTF_8.displayName());
return resolver; return resolver;
} }
/** /**
* Responsible for loading lesson templates based on Thymeleaf, for example: * Responsible for loading lesson templates based on Thymeleaf, for example:
* *
* <p><div th:include="/lessons/spoofcookie/templates/spoofcookieform.html" id="content"></div> * <div th:include="/lessons/spoofcookie/templates/spoofcookieform.html" id="content"></div>
*/ */
@Bean @Bean
public ITemplateResolver lessonThymeleafTemplateResolver(ResourceLoader resourceLoader) { public ITemplateResolver lessonThymeleafTemplateResolver(ResourceLoader resourceLoader) {
var resolver = var resolver = new FileTemplateResolver() {
new FileTemplateResolver() { @Override
@Override protected ITemplateResource computeTemplateResource(IEngineConfiguration configuration, String ownerTemplate, String template, String resourceName, String characterEncoding, Map<String, Object> templateResolutionAttributes) {
protected ITemplateResource computeTemplateResource( try (var is = resourceLoader.getResource("classpath:" + resourceName).getInputStream()) {
IEngineConfiguration configuration, return new StringTemplateResource(new String(is.readAllBytes(), StandardCharsets.UTF_8));
String ownerTemplate, } catch (IOException e) {
String template, return null;
String resourceName, }
String characterEncoding,
Map<String, Object> templateResolutionAttributes) {
try (var is =
resourceLoader.getResource("classpath:" + resourceName).getInputStream()) {
return new StringTemplateResource(
new String(is.readAllBytes(), StandardCharsets.UTF_8));
} catch (IOException e) {
return null;
} }
}
}; };
resolver.setOrder(1); resolver.setOrder(1);
return resolver; return resolver;
} }
/** Loads all normal WebGoat specific Thymeleaf templates */ /**
@Bean * Loads all normal WebGoat specific Thymeleaf templates
public ITemplateResolver springThymeleafTemplateResolver(ApplicationContext applicationContext) { */
SpringResourceTemplateResolver resolver = new SpringResourceTemplateResolver(); @Bean
resolver.setPrefix("classpath:/webgoat/templates/"); public ITemplateResolver springThymeleafTemplateResolver(ApplicationContext applicationContext) {
resolver.setSuffix(".html"); SpringResourceTemplateResolver resolver = new SpringResourceTemplateResolver();
resolver.setTemplateMode(TemplateMode.HTML); resolver.setPrefix("classpath:/webgoat/templates/");
resolver.setOrder(2); resolver.setSuffix(".html");
resolver.setCharacterEncoding(UTF8); resolver.setTemplateMode(TemplateMode.HTML);
resolver.setApplicationContext(applicationContext); resolver.setOrder(2);
return resolver; resolver.setCharacterEncoding(UTF8);
} resolver.setApplicationContext(applicationContext);
return resolver;
}
/** Loads the html for the complete lesson, see lesson_content.html */ /**
@Bean * Loads the html for the complete lesson, see lesson_content.html
public LessonTemplateResolver lessonTemplateResolver(ResourceLoader resourceLoader) { */
LessonTemplateResolver resolver = new LessonTemplateResolver(resourceLoader); @Bean
resolver.setOrder(0); public LessonTemplateResolver lessonTemplateResolver(ResourceLoader resourceLoader) {
resolver.setCacheable(false); LessonTemplateResolver resolver = new LessonTemplateResolver(resourceLoader);
resolver.setCharacterEncoding(UTF8); resolver.setOrder(0);
return resolver; resolver.setCacheable(false);
} resolver.setCharacterEncoding(UTF8);
return resolver;
}
/** Loads the lesson asciidoc. */ /**
@Bean * Loads the lesson asciidoc.
public AsciiDoctorTemplateResolver asciiDoctorTemplateResolver( */
Language language, ResourceLoader resourceLoader) { @Bean
log.debug("template locale {}", language); public AsciiDoctorTemplateResolver asciiDoctorTemplateResolver(ResourceLoader resourceLoader) {
AsciiDoctorTemplateResolver resolver = AsciiDoctorTemplateResolver resolver = new AsciiDoctorTemplateResolver(resourceLoader);
new AsciiDoctorTemplateResolver(language, resourceLoader); resolver.setCacheable(false);
resolver.setCacheable(false); resolver.setOrder(1);
resolver.setOrder(1); resolver.setCharacterEncoding(UTF8);
resolver.setCharacterEncoding(UTF8); return resolver;
return resolver; }
}
@Bean @Bean
public SpringTemplateEngine thymeleafTemplateEngine( public SpringTemplateEngine thymeleafTemplateEngine(ITemplateResolver springThymeleafTemplateResolver,
ITemplateResolver springThymeleafTemplateResolver, LessonTemplateResolver lessonTemplateResolver,
LessonTemplateResolver lessonTemplateResolver, AsciiDoctorTemplateResolver asciiDoctorTemplateResolver,
AsciiDoctorTemplateResolver asciiDoctorTemplateResolver, ITemplateResolver lessonThymeleafTemplateResolver) {
ITemplateResolver lessonThymeleafTemplateResolver) { SpringTemplateEngine engine = new SpringTemplateEngine();
SpringTemplateEngine engine = new SpringTemplateEngine(); engine.setEnableSpringELCompiler(true);
engine.setEnableSpringELCompiler(true); engine.addDialect(new SpringSecurityDialect());
engine.addDialect(new SpringSecurityDialect()); engine.setTemplateResolvers(
engine.setTemplateResolvers( Set.of(lessonTemplateResolver, asciiDoctorTemplateResolver, lessonThymeleafTemplateResolver, springThymeleafTemplateResolver));
Set.of( return engine;
lessonTemplateResolver, }
asciiDoctorTemplateResolver,
lessonThymeleafTemplateResolver,
springThymeleafTemplateResolver));
return engine;
}
@Override @Override
public void addResourceHandlers(ResourceHandlerRegistry registry) { public void addResourceHandlers(ResourceHandlerRegistry registry) {
// WebGoat internal //WebGoat internal
registry.addResourceHandler("/css/**").addResourceLocations("classpath:/webgoat/static/css/"); registry.addResourceHandler("/css/**").addResourceLocations("classpath:/webgoat/static/css/");
registry.addResourceHandler("/js/**").addResourceLocations("classpath:/webgoat/static/js/"); registry.addResourceHandler("/js/**")
registry .addResourceLocations("classpath:/webgoat/static/js/");
.addResourceHandler("/plugins/**") registry.addResourceHandler("/plugins/**").addResourceLocations("classpath:/webgoat/static/plugins/");
.addResourceLocations("classpath:/webgoat/static/plugins/"); registry.addResourceHandler("/fonts/**").addResourceLocations("classpath:/webgoat/static/fonts/");
registry
.addResourceHandler("/fonts/**")
.addResourceLocations("classpath:/webgoat/static/fonts/");
// WebGoat lessons //WebGoat lessons
registry registry.addResourceHandler("/images/**").addResourceLocations(lessonScanner.applyPattern("classpath:/lessons/%s/images/").toArray(String[]::new));
.addResourceHandler("/images/**") registry.addResourceHandler("/lesson_js/**").addResourceLocations(lessonScanner.applyPattern("classpath:/lessons/%s/js/").toArray(String[]::new));
.addResourceLocations( registry.addResourceHandler("/lesson_css/**").addResourceLocations(lessonScanner.applyPattern("classpath:/lessons/%s/css/").toArray(String[]::new));
lessonScanner.applyPattern("classpath:/lessons/%s/images/").toArray(String[]::new)); registry.addResourceHandler("/lesson_templates/**").addResourceLocations(lessonScanner.applyPattern("classpath:/lessons/%s/templates/").toArray(String[]::new));
registry registry.addResourceHandler("/video/**").addResourceLocations(lessonScanner.applyPattern("classpath:/lessons/%s/video/").toArray(String[]::new));
.addResourceHandler("/lesson_js/**") }
.addResourceLocations(
lessonScanner.applyPattern("classpath:/lessons/%s/js/").toArray(String[]::new));
registry
.addResourceHandler("/lesson_css/**")
.addResourceLocations(
lessonScanner.applyPattern("classpath:/lessons/%s/css/").toArray(String[]::new));
registry
.addResourceHandler("/lesson_templates/**")
.addResourceLocations(
lessonScanner.applyPattern("classpath:/lessons/%s/templates/").toArray(String[]::new));
registry
.addResourceHandler("/video/**")
.addResourceLocations(
lessonScanner.applyPattern("classpath:/lessons/%s/video/").toArray(String[]::new));
}
@Bean @Bean
public PluginMessages pluginMessages( public PluginMessages pluginMessages(Messages messages, Language language,
Messages messages, Language language, ResourcePatternResolver resourcePatternResolver) { ResourcePatternResolver resourcePatternResolver) {
PluginMessages pluginMessages = new PluginMessages(messages, language, resourcePatternResolver); PluginMessages pluginMessages = new PluginMessages(messages, language, resourcePatternResolver);
pluginMessages.setDefaultEncoding("UTF-8"); pluginMessages.setDefaultEncoding("UTF-8");
pluginMessages.setBasenames("i18n/WebGoatLabels"); pluginMessages.setBasenames("i18n/WebGoatLabels");
pluginMessages.setFallbackToSystemLocale(false); pluginMessages.setFallbackToSystemLocale(false);
return pluginMessages; return pluginMessages;
} }
@Bean @Bean
public Language language(LocaleResolver localeResolver) { public Language language(LocaleResolver localeResolver) {
return new Language(localeResolver); return new Language(localeResolver);
} }
@Bean @Bean
public LocaleResolver localeResolver() { public Messages messageSource(Language language) {
SessionLocaleResolver localeResolver = new SessionLocaleResolver(); Messages messages = new Messages(language);
return localeResolver; messages.setDefaultEncoding("UTF-8");
} messages.setBasename("classpath:i18n/messages");
messages.setFallbackToSystemLocale(false);
return messages;
}
@Bean @Bean
public LocaleChangeInterceptor localeChangeInterceptor() { public LocaleResolver localeResolver() {
LocaleChangeInterceptor lci = new LocaleChangeInterceptor(); return new SessionLocaleResolver();
lci.setParamName("lang"); }
return lci;
}
@Override @Bean
public void addInterceptors(InterceptorRegistry registry) { public LabelDebugger labelDebugger() {
registry.addInterceptor(localeChangeInterceptor()); return new LabelDebugger();
} }
@Bean
public Messages messageSource(Language language) {
Messages messages = new Messages(language);
messages.setDefaultEncoding("UTF-8");
messages.setBasename("classpath:i18n/messages");
messages.setFallbackToSystemLocale(false);
return messages;
}
@Bean
public LabelDebugger labelDebugger() {
return new LabelDebugger();
}
} }

77
src/main/java/org/owasp/webgoat/container/WebGoat.java
View File

@ -1,37 +1,36 @@
/** /**
* ************************************************************************************************ * ************************************************************************************************
*
* <p> * <p>
* * <p>
* <p>This file is part of WebGoat, an Open Web Application Security Project utility. For details, * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/ * please see http://www.owasp.org/
* * <p>
* <p>Copyright (c) 2002 - 2014 Bruce Mayhew * Copyright (c) 2002 - 2014 Bruce Mayhew
* * <p>
* <p>This program is free software; you can redistribute it and/or modify it under the terms of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version. * License, or (at your option) any later version.
* * <p>
* <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* GNU General Public License for more details. * General Public License for more details.
* * <p>
* <p>You should have received a copy of the GNU General Public License along with this program; if * You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA. * 02111-1307, USA.
* * <p>
* <p>Getting Source ============== * Getting Source ==============
* * <p>
* <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* for free software projects. * projects.
* *
* @author WebGoat * @author WebGoat
* @version $Id: $Id * @version $Id: $Id
* @since October 28, 2003 * @since October 28, 2003
*/ */
package org.owasp.webgoat.container; package org.owasp.webgoat.container;
import java.io.File;
import org.owasp.webgoat.container.session.UserSessionData; import org.owasp.webgoat.container.session.UserSessionData;
import org.owasp.webgoat.container.session.WebSession; import org.owasp.webgoat.container.session.WebSession;
import org.springframework.beans.factory.annotation.Value; import org.springframework.beans.factory.annotation.Value;
@ -44,31 +43,33 @@ import org.springframework.context.annotation.Scope;
import org.springframework.context.annotation.ScopedProxyMode; import org.springframework.context.annotation.ScopedProxyMode;
import org.springframework.web.client.RestTemplate; import org.springframework.web.client.RestTemplate;
import java.io.File;
@Configuration @Configuration
@ComponentScan(basePackages = {"org.owasp.webgoat.container", "org.owasp.webgoat.lessons"}) @ComponentScan(basePackages = { "org.owasp.webgoat.container", "org.owasp.webgoat.lessons"})
@PropertySource("classpath:application-webgoat.properties") @PropertySource("classpath:application-webgoat.properties")
@EnableAutoConfiguration @EnableAutoConfiguration
public class WebGoat { public class WebGoat {
@Bean(name = "pluginTargetDirectory") @Bean(name = "pluginTargetDirectory")
public File pluginTargetDirectory(@Value("${webgoat.user.directory}") final String webgoatHome) { public File pluginTargetDirectory(@Value("${webgoat.user.directory}") final String webgoatHome) {
return new File(webgoatHome); return new File(webgoatHome);
} }
@Bean @Bean
@Scope(value = "session", proxyMode = ScopedProxyMode.TARGET_CLASS) @Scope(value = "session", proxyMode = ScopedProxyMode.TARGET_CLASS)
public WebSession webSession() { public WebSession webSession() {
return new WebSession(); return new WebSession();
} }
@Bean @Bean
@Scope(value = "session", proxyMode = ScopedProxyMode.TARGET_CLASS) @Scope(value = "session", proxyMode = ScopedProxyMode.TARGET_CLASS)
public UserSessionData userSessionData() { public UserSessionData userSessionData() {
return new UserSessionData("test", "data"); return new UserSessionData("test", "data");
} }
@Bean @Bean
public RestTemplate restTemplate() { public RestTemplate restTemplate() {
return new RestTemplate(); return new RestTemplate();
} }
} }

124
src/main/java/org/owasp/webgoat/container/WebSecurityConfig.java
View File

@ -2,32 +2,32 @@
* ************************************************************************************************ * ************************************************************************************************
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/ * please see http://www.owasp.org/
* * <p>
* <p>Copyright (c) 2002 - 2014 Bruce Mayhew * Copyright (c) 2002 - 2014 Bruce Mayhew
* * <p>
* <p>This program is free software; you can redistribute it and/or modify it under the terms of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version. * License, or (at your option) any later version.
* * <p>
* <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* GNU General Public License for more details. * General Public License for more details.
* * <p>
* <p>You should have received a copy of the GNU General Public License along with this program; if * You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA. * 02111-1307, USA.
* * <p>
* <p>Getting Source ============== * Getting Source ==============
* * <p>
* <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* for free software projects. * projects.
*
* <p> * <p>
* *
* @author WebGoat * @author WebGoat
* @version $Id: $Id * @version $Id: $Id
* @since December 12, 2015 * @since December 12, 2015
*/ */
package org.owasp.webgoat.container; package org.owasp.webgoat.container;
import lombok.AllArgsConstructor; import lombok.AllArgsConstructor;
@ -44,65 +44,57 @@ import org.springframework.security.config.annotation.web.configurers.Expression
import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.NoOpPasswordEncoder; import org.springframework.security.crypto.password.NoOpPasswordEncoder;
/** Security configuration for WebGoat. */ /**
* Security configuration for WebGoat.
*/
@Configuration @Configuration
@AllArgsConstructor @AllArgsConstructor
@EnableWebSecurity @EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter { public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private final UserService userDetailsService; private final UserService userDetailsService;
@Override @Override
protected void configure(HttpSecurity http) throws Exception { protected void configure(HttpSecurity http) throws Exception {
ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security = ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security = http
http.authorizeRequests() .authorizeRequests()
.antMatchers( .antMatchers("/css/**", "/images/**", "/js/**", "fonts/**", "/plugins/**", "/registration", "/register.mvc", "/actuator/**").permitAll()
"/css/**", .anyRequest().authenticated();
"/images/**", security.and()
"/js/**", .formLogin()
"fonts/**", .loginPage("/login")
"/plugins/**", .defaultSuccessUrl("/welcome.mvc", true)
"/registration", .usernameParameter("username")
"/register.mvc", .passwordParameter("password")
"/actuator/**") .permitAll();
.permitAll() security.and()
.anyRequest() .logout().deleteCookies("JSESSIONID").invalidateHttpSession(true);
.authenticated(); security.and().csrf().disable();
security
.and()
.formLogin()
.loginPage("/login")
.defaultSuccessUrl("/welcome.mvc", true)
.usernameParameter("username")
.passwordParameter("password")
.permitAll();
security.and().logout().deleteCookies("JSESSIONID").invalidateHttpSession(true);
security.and().csrf().disable();
http.headers().cacheControl().disable(); http.headers().cacheControl().disable();
http.exceptionHandling().authenticationEntryPoint(new AjaxAuthenticationEntryPoint("/login")); http.exceptionHandling().authenticationEntryPoint(new AjaxAuthenticationEntryPoint("/login"));
} }
@Autowired @Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService); auth.userDetailsService(userDetailsService);
} }
@Bean @Bean
@Override @Override
public UserDetailsService userDetailsServiceBean() throws Exception { public UserDetailsService userDetailsServiceBean() throws Exception {
return userDetailsService; return userDetailsService;
} }
@Override @Override
@Bean @Bean
protected AuthenticationManager authenticationManager() throws Exception { protected AuthenticationManager authenticationManager() throws Exception {
return super.authenticationManager(); return super.authenticationManager();
} }
@SuppressWarnings("deprecation") @SuppressWarnings("deprecation")
@Bean @Bean
public NoOpPasswordEncoder passwordEncoder() { public NoOpPasswordEncoder passwordEncoder() {
return (NoOpPasswordEncoder) NoOpPasswordEncoder.getInstance(); return (NoOpPasswordEncoder) NoOpPasswordEncoder.getInstance();
} }
} }

12
src/main/java/org/owasp/webgoat/container/WebWolfRedirect.java
View File

@ -10,12 +10,12 @@ import org.springframework.web.servlet.ModelAndView;
@RequiredArgsConstructor @RequiredArgsConstructor
public class WebWolfRedirect { public class WebWolfRedirect {
private final ApplicationContext applicationContext; private final ApplicationContext applicationContext;
@GetMapping("/WebWolf") @GetMapping("/WebWolf")
public ModelAndView openWebWolf() { public ModelAndView openWebWolf() {
var url = applicationContext.getEnvironment().getProperty("webwolf.url"); var url = applicationContext.getEnvironment().getProperty("webwolf.url");
return new ModelAndView("redirect:" + url + "/home"); return new ModelAndView("redirect:" + url + "/home");
} }
} }

19
src/main/java/org/owasp/webgoat/container/asciidoc/EnvironmentExposure.java
View File

@ -7,20 +7,19 @@ import org.springframework.core.env.Environment;
import org.springframework.stereotype.Component; import org.springframework.stereotype.Component;
/** /**
* Make environment available in the asciidoc code (which you cannot inject because it is handled by * Make environment available in the asciidoc code (which you cannot inject because it is handled by the framework)
* the framework)
*/ */
@Component @Component
public class EnvironmentExposure implements ApplicationContextAware { public class EnvironmentExposure implements ApplicationContextAware {
private static ApplicationContext context; private static ApplicationContext context;
public static Environment getEnv() { public static Environment getEnv() {
return context.getEnvironment(); return context.getEnvironment();
} }
@Override @Override
public void setApplicationContext(ApplicationContext applicationContext) throws BeansException { public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
context = applicationContext; context = applicationContext;
} }
} }

28
src/main/java/org/owasp/webgoat/container/asciidoc/OperatingSystemMacro.java
View File

@ -1,25 +1,25 @@
package org.owasp.webgoat.container.asciidoc; package org.owasp.webgoat.container.asciidoc;
import java.util.Map;
import org.asciidoctor.ast.ContentNode; import org.asciidoctor.ast.ContentNode;
import org.asciidoctor.extension.InlineMacroProcessor; import org.asciidoctor.extension.InlineMacroProcessor;
import java.util.Map;
public class OperatingSystemMacro extends InlineMacroProcessor { public class OperatingSystemMacro extends InlineMacroProcessor {
public OperatingSystemMacro(String macroName) { public OperatingSystemMacro(String macroName) {
super(macroName); super(macroName);
} }
public OperatingSystemMacro(String macroName, Map<String, Object> config) { public OperatingSystemMacro(String macroName, Map<String, Object> config) {
super(macroName, config); super(macroName, config);
} }
@Override @Override
public Object process(ContentNode contentNode, String target, Map<String, Object> attributes) { public Object process(ContentNode contentNode, String target, Map<String, Object> attributes) {
var osName = System.getProperty("os.name"); var osName = System.getProperty("os.name");
// see //see https://discuss.asciidoctor.org/How-to-create-inline-macro-producing-HTML-In-AsciidoctorJ-td8313.html for why quoted is used
// https://discuss.asciidoctor.org/How-to-create-inline-macro-producing-HTML-In-AsciidoctorJ-td8313.html for why quoted is used return createPhraseNode(contentNode, "quoted", osName);
return createPhraseNode(contentNode, "quoted", osName); }
}
} }

38
src/main/java/org/owasp/webgoat/container/asciidoc/UsernameMacro.java
View File

@ -1,31 +1,31 @@
package org.owasp.webgoat.container.asciidoc; package org.owasp.webgoat.container.asciidoc;
import java.util.Map;
import org.asciidoctor.ast.ContentNode; import org.asciidoctor.ast.ContentNode;
import org.asciidoctor.extension.InlineMacroProcessor; import org.asciidoctor.extension.InlineMacroProcessor;
import org.owasp.webgoat.container.users.WebGoatUser; import org.owasp.webgoat.container.users.WebGoatUser;
import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolder;
import java.util.Map;
public class UsernameMacro extends InlineMacroProcessor { public class UsernameMacro extends InlineMacroProcessor {
public UsernameMacro(String macroName) { public UsernameMacro(String macroName) {
super(macroName); super(macroName);
}
public UsernameMacro(String macroName, Map<String, Object> config) {
super(macroName, config);
}
@Override
public Object process(ContentNode contentNode, String target, Map<String, Object> attributes) {
var auth = SecurityContextHolder.getContext().getAuthentication();
var username = "unknown";
if (auth.getPrincipal() instanceof WebGoatUser webGoatUser) {
username = webGoatUser.getUsername();
} }
// see public UsernameMacro(String macroName, Map<String, Object> config) {
// https://discuss.asciidoctor.org/How-to-create-inline-macro-producing-HTML-In-AsciidoctorJ-td8313.html for why quoted is used super(macroName, config);
return createPhraseNode(contentNode, "quoted", username); }
}
@Override
public Object process(ContentNode contentNode, String target, Map<String, Object> attributes) {
var auth = SecurityContextHolder.getContext().getAuthentication();
var username = "unknown";
if (auth.getPrincipal() instanceof WebGoatUser webGoatUser) {
username = webGoatUser.getUsername();
}
//see https://discuss.asciidoctor.org/How-to-create-inline-macro-producing-HTML-In-AsciidoctorJ-td8313.html for why quoted is used
return createPhraseNode(contentNode, "quoted", username);
}
} }

29
src/main/java/org/owasp/webgoat/container/asciidoc/WebGoatTmpDirMacro.java
View File

@ -1,25 +1,26 @@
package org.owasp.webgoat.container.asciidoc; package org.owasp.webgoat.container.asciidoc;
import java.util.Map;
import org.asciidoctor.ast.ContentNode; import org.asciidoctor.ast.ContentNode;
import org.asciidoctor.extension.InlineMacroProcessor; import org.asciidoctor.extension.InlineMacroProcessor;
import java.util.Map;
public class WebGoatTmpDirMacro extends InlineMacroProcessor { public class WebGoatTmpDirMacro extends InlineMacroProcessor {
public WebGoatTmpDirMacro(String macroName) { public WebGoatTmpDirMacro(String macroName) {
super(macroName); super(macroName);
} }
public WebGoatTmpDirMacro(String macroName, Map<String, Object> config) { public WebGoatTmpDirMacro(String macroName, Map<String, Object> config) {
super(macroName, config); super(macroName, config);
} }
@Override @Override
public Object process(ContentNode contentNode, String target, Map<String, Object> attributes) { public Object process(ContentNode contentNode, String target, Map<String, Object> attributes) {
var env = EnvironmentExposure.getEnv().getProperty("webgoat.server.directory"); var env = EnvironmentExposure.getEnv().getProperty("webgoat.server.directory");
// see //see https://discuss.asciidoctor.org/How-to-create-inline-macro-producing-HTML-In-AsciidoctorJ-td8313.html for why quoted is used
// https://discuss.asciidoctor.org/How-to-create-inline-macro-producing-HTML-In-AsciidoctorJ-td8313.html for why quoted is used return createPhraseNode(contentNode, "quoted", env);
return createPhraseNode(contentNode, "quoted", env);
} }
} }

28
src/main/java/org/owasp/webgoat/container/asciidoc/WebGoatVersionMacro.java
View File

@ -1,25 +1,25 @@
package org.owasp.webgoat.container.asciidoc; package org.owasp.webgoat.container.asciidoc;
import java.util.Map;
import org.asciidoctor.ast.ContentNode; import org.asciidoctor.ast.ContentNode;
import org.asciidoctor.extension.InlineMacroProcessor; import org.asciidoctor.extension.InlineMacroProcessor;
import java.util.Map;
public class WebGoatVersionMacro extends InlineMacroProcessor { public class WebGoatVersionMacro extends InlineMacroProcessor {
public WebGoatVersionMacro(String macroName) { public WebGoatVersionMacro(String macroName) {
super(macroName); super(macroName);
} }
public WebGoatVersionMacro(String macroName, Map<String, Object> config) { public WebGoatVersionMacro(String macroName, Map<String, Object> config) {
super(macroName, config); super(macroName, config);
} }
@Override @Override
public Object process(ContentNode contentNode, String target, Map<String, Object> attributes) { public Object process(ContentNode contentNode, String target, Map<String, Object> attributes) {
var webgoatVersion = EnvironmentExposure.getEnv().getProperty("webgoat.build.version"); var webgoatVersion = EnvironmentExposure.getEnv().getProperty("webgoat.build.version");
// see //see https://discuss.asciidoctor.org/How-to-create-inline-macro-producing-HTML-In-AsciidoctorJ-td8313.html for why quoted is used
// https://discuss.asciidoctor.org/How-to-create-inline-macro-producing-HTML-In-AsciidoctorJ-td8313.html for why quoted is used return createPhraseNode(contentNode, "quoted", webgoatVersion);
return createPhraseNode(contentNode, "quoted", webgoatVersion); }
}
} }

112
src/main/java/org/owasp/webgoat/container/asciidoc/WebWolfMacro.java
View File

@ -1,73 +1,73 @@
package org.owasp.webgoat.container.asciidoc; package org.owasp.webgoat.container.asciidoc;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.asciidoctor.ast.ContentNode; import org.asciidoctor.ast.ContentNode;
import org.asciidoctor.extension.InlineMacroProcessor; import org.asciidoctor.extension.InlineMacroProcessor;
import org.springframework.web.context.request.RequestContextHolder; import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes; import org.springframework.web.context.request.ServletRequestAttributes;
import javax.servlet.http.HttpServletRequest;
import java.util.HashMap;
import java.util.Map;
/** /**
* Usage in asciidoc: * Usage in asciidoc:
* * <p>
* <p>webWolfLink:here[] will display a href with here as text * webWolfLink:here[] will display a href with here as text
*/ */
public class WebWolfMacro extends InlineMacroProcessor { public class WebWolfMacro extends InlineMacroProcessor {
public WebWolfMacro(String macroName) { public WebWolfMacro(String macroName) {
super(macroName); super(macroName);
}
public WebWolfMacro(String macroName, Map<String, Object> config) {
super(macroName, config);
}
@Override
public Object process(ContentNode contentNode, String linkText, Map<String, Object> attributes) {
var env = EnvironmentExposure.getEnv();
var hostname = determineHost(env.getProperty("webwolf.port"));
var target = (String) attributes.getOrDefault("target", "home");
var href = hostname + "/" + target;
// are we using noLink in webWolfLink:landing[noLink]? Then display link with full href
if (displayCompleteLinkNoFormatting(attributes)) {
linkText = href;
} }
var options = new HashMap<String, Object>(); public WebWolfMacro(String macroName, Map<String, Object> config) {
options.put("type", ":link"); super(macroName, config);
options.put("target", href);
attributes.put("window", "_blank");
return createPhraseNode(contentNode, "anchor", linkText, attributes, options).convert();
}
private boolean displayCompleteLinkNoFormatting(Map<String, Object> attributes) {
return attributes.values().stream().anyMatch(a -> a.equals("noLink"));
}
/**
* Determine the host from the hostname and ports that were used. The purpose is to make it
* possible to use the application behind a reverse proxy. For instance in the docker
* compose/stack version with webgoat webwolf and nginx proxy. You do not have to use the
* indicated hostname, but if you do, you should define two hosts aliases 127.0.0.1
* www.webgoat.local www.webwolf.local
*/
private String determineHost(String port) {
HttpServletRequest request =
((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
String host = request.getHeader("Host");
int semicolonIndex = host.indexOf(":");
if (semicolonIndex == -1 || host.endsWith(":80")) {
host = host.replace(":80", "").replace("www.webgoat.local", "www.webwolf.local");
} else {
host = host.substring(0, semicolonIndex);
host = host.concat(":").concat(port);
} }
return "http://" + host + (includeWebWolfContext() ? "/WebWolf" : "");
}
protected boolean includeWebWolfContext() { @Override
return true; public Object process(ContentNode contentNode, String linkText, Map<String, Object> attributes) {
} var env = EnvironmentExposure.getEnv();
var hostname = determineHost(env.getProperty("webwolf.port"));
var target = (String) attributes.getOrDefault("target", "home");
var href = hostname + "/" + target;
//are we using noLink in webWolfLink:landing[noLink]? Then display link with full href
if (displayCompleteLinkNoFormatting(attributes)) {
linkText = href;
}
var options = new HashMap<String, Object>();
options.put("type", ":link");
options.put("target", href);
attributes.put("window", "_blank");
return createPhraseNode(contentNode, "anchor", linkText, attributes, options).convert();
}
private boolean displayCompleteLinkNoFormatting(Map<String, Object> attributes) {
return attributes.values().stream().anyMatch(a -> a.equals("noLink"));
}
/**
* Determine the host from the hostname and ports that were used.
* The purpose is to make it possible to use the application behind a reverse proxy. For instance in the docker
* compose/stack version with webgoat webwolf and nginx proxy.
* You do not have to use the indicated hostname, but if you do, you should define two hosts aliases
* 127.0.0.1 www.webgoat.local www.webwolf.local
*/
private String determineHost(String port) {
HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
String host = request.getHeader("Host");
int semicolonIndex = host.indexOf(":");
if (semicolonIndex == -1 || host.endsWith(":80")) {
host = host.replace(":80", "").replace("www.webgoat.local", "www.webwolf.local");
} else {
host = host.substring(0, semicolonIndex);
host = host.concat(":").concat(port);
}
return "http://" + host + (includeWebWolfContext() ? "/WebWolf" : "");
}
protected boolean includeWebWolfContext() {
return true;
}
} }

26
src/main/java/org/owasp/webgoat/container/asciidoc/WebWolfRootMacro.java
View File

@ -4,22 +4,22 @@ import java.util.Map;
/** /**
* Usage in asciidoc: * Usage in asciidoc:
* * <p>
* <p>webWolfLink:here[] will display a href with here as text webWolfLink:landing[noLink] will * webWolfLink:here[] will display a href with here as text
* display the complete url, for example: http://WW_HOST:WW_PORT/landing * webWolfLink:landing[noLink] will display the complete url, for example: http://WW_HOST:WW_PORT/landing
*/ */
public class WebWolfRootMacro extends WebWolfMacro { public class WebWolfRootMacro extends WebWolfMacro {
public WebWolfRootMacro(String macroName) { public WebWolfRootMacro(String macroName) {
super(macroName); super(macroName);
} }
public WebWolfRootMacro(String macroName, Map<String, Object> config) { public WebWolfRootMacro(String macroName, Map<String, Object> config) {
super(macroName, config); super(macroName, config);
} }
@Override @Override
protected boolean includeWebWolfContext() { protected boolean includeWebWolfContext() {
return false; return false;
} }
} }

95
src/main/java/org/owasp/webgoat/container/assignments/AssignmentEndpoint.java
View File

@ -35,58 +35,57 @@ import org.springframework.beans.factory.annotation.Autowired;
public abstract class AssignmentEndpoint implements Initializeable { public abstract class AssignmentEndpoint implements Initializeable {
@Autowired private WebSession webSession; @Autowired
@Autowired private UserSessionData userSessionData; private WebSession webSession;
@Getter @Autowired private PluginMessages messages; @Autowired
private UserSessionData userSessionData;
@Getter
@Autowired
private PluginMessages messages;
protected WebSession getWebSession() { protected WebSession getWebSession() {
return webSession; return webSession;
} }
protected UserSessionData getUserSessionData() { protected UserSessionData getUserSessionData() {
return userSessionData; return userSessionData;
} }
/** /**
* Convenience method for create a successful result: * Convenience method for create a successful result:
* * <p>
* <p>- Assignment is set to solved - Feedback message is set to 'assignment.solved' * - Assignment is set to solved
* * - Feedback message is set to 'assignment.solved'
* <p>Of course you can overwrite these values in a specific lesson * <p>
* * Of course you can overwrite these values in a specific lesson
* @return a builder for creating a result from a lesson *
* @param assignment * @return a builder for creating a result from a lesson
*/ * @param assignment
protected AttackResult.AttackResultBuilder success(AssignmentEndpoint assignment) { */
return AttackResult.builder(messages) protected AttackResult.AttackResultBuilder success(AssignmentEndpoint assignment) {
.lessonCompleted(true) return AttackResult.builder(messages).lessonCompleted(true).attemptWasMade().feedback("assignment.solved").assignment(assignment);
.attemptWasMade() }
.feedback("assignment.solved")
.assignment(assignment);
}
/** /**
* Convenience method for create a failed result: * Convenience method for create a failed result:
* * <p>
* <p>- Assignment is set to not solved - Feedback message is set to 'assignment.not.solved' * - Assignment is set to not solved
* * - Feedback message is set to 'assignment.not.solved'
* <p>Of course you can overwrite these values in a specific lesson * <p>
* * Of course you can overwrite these values in a specific lesson
* @return a builder for creating a result from a lesson *
* @param assignment * @return a builder for creating a result from a lesson
*/ * @param assignment
protected AttackResult.AttackResultBuilder failed(AssignmentEndpoint assignment) { */
return AttackResult.builder(messages) protected AttackResult.AttackResultBuilder failed(AssignmentEndpoint assignment) {
.lessonCompleted(false) return AttackResult.builder(messages).lessonCompleted(false).attemptWasMade().feedback("assignment.not.solved").assignment(assignment);
.attemptWasMade() }
.feedback("assignment.not.solved")
.assignment(assignment);
}
protected AttackResult.AttackResultBuilder informationMessage(AssignmentEndpoint assignment) { protected AttackResult.AttackResultBuilder informationMessage(AssignmentEndpoint assignment) {
return AttackResult.builder(messages).lessonCompleted(false).assignment(assignment); return AttackResult.builder(messages).lessonCompleted(false).assignment(assignment);
} }
@Override @Override
public void initialize(WebGoatUser user) {} public void initialize(WebGoatUser user) {
}
} }

6
src/main/java/org/owasp/webgoat/container/assignments/AssignmentHints.java
View File

@ -5,10 +5,12 @@ import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy; import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target; import java.lang.annotation.Target;
/** Created by nbaars on 1/14/17. */ /**
* Created by nbaars on 1/14/17.
*/
@Target(ElementType.TYPE) @Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME) @Retention(RetentionPolicy.RUNTIME)
public @interface AssignmentHints { public @interface AssignmentHints {
String[] value() default {}; String[] value() default {};
} }

13
src/main/java/org/owasp/webgoat/container/assignments/AssignmentPath.java
View File

@ -1,19 +1,22 @@
package org.owasp.webgoat.container.assignments; package org.owasp.webgoat.container.assignments;
import org.springframework.web.bind.annotation.RequestMethod;
import java.lang.annotation.ElementType; import java.lang.annotation.ElementType;
import java.lang.annotation.Retention; import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy; import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target; import java.lang.annotation.Target;
import org.springframework.web.bind.annotation.RequestMethod;
/** Created by nbaars on 1/14/17. */ /**
* Created by nbaars on 1/14/17.
*/
@Target(ElementType.TYPE) @Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME) @Retention(RetentionPolicy.RUNTIME)
public @interface AssignmentPath { public @interface AssignmentPath {
String[] path() default {}; String[] path() default {};
RequestMethod[] method() default {}; RequestMethod[] method() default {};
String value() default ""; String value() default "";
} }

168
src/main/java/org/owasp/webgoat/container/assignments/AttackResult.java
View File

@ -25,104 +25,100 @@
package org.owasp.webgoat.container.assignments; package org.owasp.webgoat.container.assignments;
import static org.apache.commons.text.StringEscapeUtils.escapeJson;
import lombok.Getter; import lombok.Getter;
import org.owasp.webgoat.container.i18n.PluginMessages; import org.owasp.webgoat.container.i18n.PluginMessages;
import static org.apache.commons.text.StringEscapeUtils.escapeJson;
public class AttackResult { public class AttackResult {
public static class AttackResultBuilder {
public static class AttackResultBuilder {
private boolean lessonCompleted;
private PluginMessages messages;
private Object[] feedbackArgs;
private String feedbackResourceBundleKey;
private String output;
private Object[] outputArgs;
private AssignmentEndpoint assignment;
private boolean attemptWasMade = false;
public AttackResultBuilder(PluginMessages messages) {
this.messages = messages;
}
public AttackResultBuilder lessonCompleted(boolean lessonCompleted) {
this.lessonCompleted = lessonCompleted;
this.feedbackResourceBundleKey = "lesson.completed";
return this;
}
public AttackResultBuilder lessonCompleted(boolean lessonCompleted, String resourceBundleKey) {
this.lessonCompleted = lessonCompleted;
this.feedbackResourceBundleKey = resourceBundleKey;
return this;
}
public AttackResultBuilder feedbackArgs(Object... args) {
this.feedbackArgs = args;
return this;
}
public AttackResultBuilder feedback(String resourceBundleKey) {
this.feedbackResourceBundleKey = resourceBundleKey;
return this;
}
public AttackResultBuilder output(String output) {
this.output = output;
return this;
}
public AttackResultBuilder outputArgs(Object... args) {
this.outputArgs = args;
return this;
}
public AttackResultBuilder attemptWasMade() {
this.attemptWasMade = true;
return this;
}
public AttackResult build() {
return new AttackResult(lessonCompleted, messages.getMessage(feedbackResourceBundleKey, feedbackArgs), messages.getMessage(output, output, outputArgs), assignment.getClass().getSimpleName(), attemptWasMade);
}
public AttackResultBuilder assignment(AssignmentEndpoint assignment) {
this.assignment = assignment;
return this;
}
}
@Getter
private boolean lessonCompleted; private boolean lessonCompleted;
private PluginMessages messages; @Getter
private Object[] feedbackArgs; private String feedback;
private String feedbackResourceBundleKey; @Getter
private String output; private String output;
private Object[] outputArgs; @Getter
private AssignmentEndpoint assignment; private final String assignment;
private boolean attemptWasMade = false; @Getter
private boolean attemptWasMade;
public AttackResultBuilder(PluginMessages messages) { public AttackResult(boolean lessonCompleted, String feedback, String output, String assignment, boolean attemptWasMade) {
this.messages = messages; this.lessonCompleted = lessonCompleted;
this.feedback = escapeJson(feedback);
this.output = escapeJson(output);
this.assignment = assignment;
this.attemptWasMade = attemptWasMade;
} }
public AttackResultBuilder lessonCompleted(boolean lessonCompleted) { public static AttackResultBuilder builder(PluginMessages messages) {
this.lessonCompleted = lessonCompleted; return new AttackResultBuilder(messages);
this.feedbackResourceBundleKey = "lesson.completed";
return this;
} }
public AttackResultBuilder lessonCompleted(boolean lessonCompleted, String resourceBundleKey) { public boolean assignmentSolved() {
this.lessonCompleted = lessonCompleted; return lessonCompleted;
this.feedbackResourceBundleKey = resourceBundleKey;
return this;
} }
public AttackResultBuilder feedbackArgs(Object... args) {
this.feedbackArgs = args;
return this;
}
public AttackResultBuilder feedback(String resourceBundleKey) {
this.feedbackResourceBundleKey = resourceBundleKey;
return this;
}
public AttackResultBuilder output(String output) {
this.output = output;
return this;
}
public AttackResultBuilder outputArgs(Object... args) {
this.outputArgs = args;
return this;
}
public AttackResultBuilder attemptWasMade() {
this.attemptWasMade = true;
return this;
}
public AttackResult build() {
return new AttackResult(
lessonCompleted,
messages.getMessage(feedbackResourceBundleKey, feedbackArgs),
messages.getMessage(output, output, outputArgs),
assignment.getClass().getSimpleName(),
attemptWasMade);
}
public AttackResultBuilder assignment(AssignmentEndpoint assignment) {
this.assignment = assignment;
return this;
}
}
@Getter private boolean lessonCompleted;
@Getter private String feedback;
@Getter private String output;
@Getter private final String assignment;
@Getter private boolean attemptWasMade;
public AttackResult(
boolean lessonCompleted,
String feedback,
String output,
String assignment,
boolean attemptWasMade) {
this.lessonCompleted = lessonCompleted;
this.feedback = escapeJson(feedback);
this.output = escapeJson(output);
this.assignment = assignment;
this.attemptWasMade = attemptWasMade;
}
public static AttackResultBuilder builder(PluginMessages messages) {
return new AttackResultBuilder(messages);
}
public boolean assignmentSolved() {
return lessonCompleted;
}
} }

67
src/main/java/org/owasp/webgoat/container/assignments/LessonTrackerInterceptor.java
View File

@ -36,46 +36,39 @@ import org.springframework.web.servlet.mvc.method.annotation.ResponseBodyAdvice;
@RestControllerAdvice @RestControllerAdvice
public class LessonTrackerInterceptor implements ResponseBodyAdvice<Object> { public class LessonTrackerInterceptor implements ResponseBodyAdvice<Object> {
private UserTrackerRepository userTrackerRepository; private UserTrackerRepository userTrackerRepository;
private WebSession webSession; private WebSession webSession;
public LessonTrackerInterceptor( public LessonTrackerInterceptor(UserTrackerRepository userTrackerRepository, WebSession webSession) {
UserTrackerRepository userTrackerRepository, WebSession webSession) { this.userTrackerRepository = userTrackerRepository;
this.userTrackerRepository = userTrackerRepository; this.webSession = webSession;
this.webSession = webSession;
}
@Override
public boolean supports(
MethodParameter methodParameter, Class<? extends HttpMessageConverter<?>> clazz) {
return true;
}
@Override
public Object beforeBodyWrite(
Object o,
MethodParameter methodParameter,
MediaType mediaType,
Class<? extends HttpMessageConverter<?>> aClass,
ServerHttpRequest serverHttpRequest,
ServerHttpResponse serverHttpResponse) {
if (o instanceof AttackResult attackResult) {
trackProgress(attackResult);
} }
return o;
}
protected AttackResult trackProgress(AttackResult attackResult) { @Override
UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName()); public boolean supports(MethodParameter methodParameter, Class<? extends HttpMessageConverter<?>> clazz) {
if (userTracker == null) { return true;
userTracker = new UserTracker(webSession.getUserName());
} }
if (attackResult.assignmentSolved()) {
userTracker.assignmentSolved(webSession.getCurrentLesson(), attackResult.getAssignment()); @Override
} else { public Object beforeBodyWrite(Object o, MethodParameter methodParameter, MediaType mediaType, Class<? extends HttpMessageConverter<?>> aClass, ServerHttpRequest serverHttpRequest, ServerHttpResponse serverHttpResponse) {
userTracker.assignmentFailed(webSession.getCurrentLesson()); if (o instanceof AttackResult attackResult) {
trackProgress(attackResult);
}
return o;
}
protected AttackResult trackProgress(AttackResult attackResult) {
UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
if (userTracker == null) {
userTracker = new UserTracker(webSession.getUserName());
}
if (attackResult.assignmentSolved()) {
userTracker.assignmentSolved(webSession.getCurrentLesson(), attackResult.getAssignment());
} else {
userTracker.assignmentFailed(webSession.getCurrentLesson());
}
userTrackerRepository.saveAndFlush(userTracker);
return attackResult;
} }
userTrackerRepository.saveAndFlush(userTracker);
return attackResult;
}
} }

113
src/main/java/org/owasp/webgoat/container/controller/StartLesson.java
View File

@ -1,37 +1,36 @@
/** /**
* ************************************************************************************************ * ************************************************************************************************
*
* <p> * <p>
* * <p>
* <p>This file is part of WebGoat, an Open Web Application Security Project utility. For details, * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/ * please see http://www.owasp.org/
* * <p>
* <p>Copyright (c) 2002 - 2014 Bruce Mayhew * Copyright (c) 2002 - 2014 Bruce Mayhew
* * <p>
* <p>This program is free software; you can redistribute it and/or modify it under the terms of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version. * License, or (at your option) any later version.
* * <p>
* <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* GNU General Public License for more details. * General Public License for more details.
* * <p>
* <p>You should have received a copy of the GNU General Public License along with this program; if * You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA. * 02111-1307, USA.
* * <p>
* <p>Getting Source ============== * Getting Source ==============
* * <p>
* <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* for free software projects. * projects.
* *
* @author WebGoat * @author WebGoat
* @version $Id: $Id * @version $Id: $Id
* @since October 28, 2003 * @since October 28, 2003
*/ */
package org.owasp.webgoat.container.controller; package org.owasp.webgoat.container.controller;
import javax.servlet.http.HttpServletRequest;
import org.owasp.webgoat.container.session.Course; import org.owasp.webgoat.container.session.Course;
import org.owasp.webgoat.container.session.WebSession; import org.owasp.webgoat.container.session.WebSession;
import org.springframework.stereotype.Controller; import org.springframework.stereotype.Controller;
@ -39,52 +38,52 @@ import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView; import org.springframework.web.servlet.ModelAndView;
import javax.servlet.http.HttpServletRequest;
@Controller @Controller
public class StartLesson { public class StartLesson {
private final WebSession ws; private final WebSession ws;
private final Course course; private final Course course;
public StartLesson(WebSession ws, Course course) { public StartLesson(WebSession ws, Course course) {
this.ws = ws; this.ws = ws;
this.course = course; this.course = course;
} }
/** /**
* start. * <p>start.</p>
* *
* @return a {@link ModelAndView} object. * @return a {@link ModelAndView} object.
*/ */
@RequestMapping( @RequestMapping(path = "startlesson.mvc", method = {RequestMethod.GET, RequestMethod.POST})
path = "startlesson.mvc", public ModelAndView start() {
method = {RequestMethod.GET, RequestMethod.POST}) var model = new ModelAndView();
public ModelAndView start() {
var model = new ModelAndView();
model.addObject("course", course); model.addObject("course", course);
model.addObject("lesson", ws.getCurrentLesson()); model.addObject("lesson", ws.getCurrentLesson());
model.setViewName("lesson_content"); model.setViewName("lesson_content");
return model; return model;
} }
@RequestMapping( @RequestMapping(value = {"*.lesson"}, produces = "text/html")
value = {"*.lesson"}, public ModelAndView lessonPage(HttpServletRequest request) {
produces = "text/html") var model = new ModelAndView("lesson_content");
public ModelAndView lessonPage(HttpServletRequest request) { var path = request.getRequestURL().toString(); // we now got /a/b/c/AccessControlMatrix.lesson
var model = new ModelAndView("lesson_content"); var lessonName = path.substring(path.lastIndexOf('/') + 1, path.indexOf(".lesson"));
var path = request.getRequestURL().toString(); // we now got /a/b/c/AccessControlMatrix.lesson
var lessonName = path.substring(path.lastIndexOf('/') + 1, path.indexOf(".lesson"));
course.getLessons().stream() course.getLessons()
.filter(l -> l.getId().equals(lessonName)) .stream()
.findFirst() .filter(l -> l.getId().equals(lessonName))
.ifPresent( .findFirst()
lesson -> { .ifPresent(lesson -> {
ws.setCurrentLesson(lesson); ws.setCurrentLesson(lesson);
model.addObject("lesson", lesson); model.addObject("lesson", lesson);
}); });
return model;
}
return model;
}
} }

72
src/main/java/org/owasp/webgoat/container/controller/Welcome.java
View File

@ -1,42 +1,45 @@
/** /**
* ************************************************************************************************ *************************************************************************************************
* *
* <p>This file is part of WebGoat, an Open Web Application Security Project utility. For details, *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/ * please see http://www.owasp.org/
* *
* <p>Copyright (c) 2002 - 2014 Bruce Mayhew * Copyright (c) 2002 - 2014 Bruce Mayhew
* *
* <p>This program is free software; you can redistribute it and/or modify it under the terms of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version. * License, or (at your option) any later version.
* *
* <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* GNU General Public License for more details. * General Public License for more details.
* *
* <p>You should have received a copy of the GNU General Public License along with this program; if * You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA. * 02111-1307, USA.
* *
* <p>Getting Source ============== * Getting Source ==============
* *
* <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* for free software projects. * projects.
* *
* @author WebGoat * @author WebGoat
* @since October 28, 2003 * @since October 28, 2003
* @version $Id: $Id * @version $Id: $Id
*/ */
package org.owasp.webgoat.container.controller; package org.owasp.webgoat.container.controller;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.stereotype.Controller; import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.servlet.ModelAndView; import org.springframework.web.servlet.ModelAndView;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
/** /**
* Welcome class. * <p>Welcome class.</p>
* *
* @author rlawson * @author rlawson
* @version $Id: $Id * @version $Id: $Id
@ -44,28 +47,29 @@ import org.springframework.web.servlet.ModelAndView;
@Controller @Controller
public class Welcome { public class Welcome {
private static final String WELCOMED = "welcomed"; private static final String WELCOMED = "welcomed";
/** /**
* welcome. * <p>welcome.</p>
* *
* @param request a {@link javax.servlet.http.HttpServletRequest} object. * @param request a {@link javax.servlet.http.HttpServletRequest} object.
* @return a {@link org.springframework.web.servlet.ModelAndView} object. * @return a {@link org.springframework.web.servlet.ModelAndView} object.
*/ */
@GetMapping(path = {"welcome.mvc"}) @GetMapping(path = {"welcome.mvc"})
public ModelAndView welcome(HttpServletRequest request) { public ModelAndView welcome(HttpServletRequest request) {
// set the welcome attribute // set the welcome attribute
// this is so the attack servlet does not also // this is so the attack servlet does not also
// send them to the welcome page // send them to the welcome page
HttpSession session = request.getSession(); HttpSession session = request.getSession();
if (session.getAttribute(WELCOMED) == null) { if (session.getAttribute(WELCOMED) == null) {
session.setAttribute(WELCOMED, "true"); session.setAttribute(WELCOMED, "true");
}
//go ahead and send them to webgoat (skip the welcome page)
ModelAndView model = new ModelAndView();
model.setViewName("forward:/attack?start=true");
return model;
} }
// go ahead and send them to webgoat (skip the welcome page)
ModelAndView model = new ModelAndView();
model.setViewName("forward:/attack?start=true");
return model;
}
} }

17
src/main/java/org/owasp/webgoat/container/i18n/Language.java
View File

@ -25,15 +25,16 @@
package org.owasp.webgoat.container.i18n; package org.owasp.webgoat.container.i18n;
import java.util.Locale;
import lombok.AllArgsConstructor; import lombok.AllArgsConstructor;
import org.springframework.web.context.request.RequestContextHolder; import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes; import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.servlet.LocaleResolver; import org.springframework.web.servlet.LocaleResolver;
import java.util.Locale;
/** /**
* Wrapper around the LocaleResolver from Spring so we do not need to bother with passing the * Wrapper around the LocaleResolver from Spring so we do not need to bother with passing the HttpRequest object
* HttpRequest object when asking for a Locale. * when asking for a Locale.
* *
* @author nbaars * @author nbaars
* @date 2/7/17 * @date 2/7/17
@ -41,10 +42,10 @@ import org.springframework.web.servlet.LocaleResolver;
@AllArgsConstructor @AllArgsConstructor
public class Language { public class Language {
private final LocaleResolver localeResolver; private final LocaleResolver localeResolver;
public Locale getLocale() {
return localeResolver.resolveLocale(((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest());
}
public Locale getLocale() {
return localeResolver.resolveLocale(
((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest());
}
} }

37
src/main/java/org/owasp/webgoat/container/i18n/Messages.java
View File

@ -25,35 +25,36 @@
package org.owasp.webgoat.container.i18n; package org.owasp.webgoat.container.i18n;
import java.util.Properties;
import lombok.AllArgsConstructor; import lombok.AllArgsConstructor;
import org.springframework.context.support.ReloadableResourceBundleMessageSource; import org.springframework.context.support.ReloadableResourceBundleMessageSource;
import java.util.Properties;
/** /**
* ExposedReloadableResourceMessageBundleSource class. Extends the reloadable message source with a * <p>ExposedReloadableResourceMessageBundleSource class.</p>
* way to get all messages * Extends the reloadable message source with a way to get all messages
* *
* @author zupzup * @author zupzup
*/ */
@AllArgsConstructor @AllArgsConstructor
public class Messages extends ReloadableResourceBundleMessageSource { public class Messages extends ReloadableResourceBundleMessageSource {
private final Language language; private final Language language;
/** /**
* Gets all messages for presented Locale. * Gets all messages for presented Locale.
* *
* @return all messages * @return all messages
*/ */
public Properties getMessages() { public Properties getMessages() {
return getMergedProperties(language.getLocale()).getProperties(); return getMergedProperties(language.getLocale()).getProperties();
} }
public String getMessage(String code, Object... args) { public String getMessage(String code, Object... args) {
return getMessage(code, args, language.getLocale()); return getMessage(code, args, language.getLocale());
} }
public String getMessage(String code, String defaultValue, Object... args) { public String getMessage(String code, String defaultValue, Object... args) {
return super.getMessage(code, args, defaultValue, language.getLocale()); return super.getMessage(code, args, defaultValue, language.getLocale());
} }
} }

79
src/main/java/org/owasp/webgoat/container/i18n/PluginMessages.java
View File

@ -25,11 +25,12 @@
package org.owasp.webgoat.container.i18n; package org.owasp.webgoat.container.i18n;
import java.io.IOException;
import java.util.Properties;
import org.springframework.context.support.ReloadableResourceBundleMessageSource; import org.springframework.context.support.ReloadableResourceBundleMessageSource;
import org.springframework.core.io.support.ResourcePatternResolver; import org.springframework.core.io.support.ResourcePatternResolver;
import java.io.IOException;
import java.util.Properties;
/** /**
* Message resource bundle for plugins. * Message resource bundle for plugins.
* *
@ -37,49 +38,49 @@ import org.springframework.core.io.support.ResourcePatternResolver;
* @date 2/4/17 * @date 2/4/17
*/ */
public class PluginMessages extends ReloadableResourceBundleMessageSource { public class PluginMessages extends ReloadableResourceBundleMessageSource {
private static final String PROPERTIES_SUFFIX = ".properties"; private static final String PROPERTIES_SUFFIX = ".properties";
private final Language language; private final Language language;
private final ResourcePatternResolver resourcePatternResolver; private final ResourcePatternResolver resourcePatternResolver;
public PluginMessages(
Messages messages, Language language, ResourcePatternResolver resourcePatternResolver) {
this.language = language;
this.setParentMessageSource(messages);
this.setBasename("WebGoatLabels");
this.resourcePatternResolver = resourcePatternResolver;
}
@Override public PluginMessages(Messages messages, Language language, ResourcePatternResolver resourcePatternResolver) {
protected PropertiesHolder refreshProperties(String filename, PropertiesHolder propHolder) { this.language = language;
Properties properties = new Properties(); this.setParentMessageSource(messages);
long lastModified = System.currentTimeMillis(); this.setBasename("WebGoatLabels");
this.resourcePatternResolver = resourcePatternResolver;
try {
var resources =
resourcePatternResolver.getResources(
"classpath:/lessons/**/i18n" + "/WebGoatLabels" + PROPERTIES_SUFFIX);
for (var resource : resources) {
String sourcePath = resource.getURI().toString().replace(PROPERTIES_SUFFIX, "");
PropertiesHolder holder = super.refreshProperties(sourcePath, propHolder);
properties.putAll(holder.getProperties());
}
} catch (IOException e) {
logger.error("Unable to read plugin message", e);
} }
return new PropertiesHolder(properties, lastModified); @Override
} protected PropertiesHolder refreshProperties(String filename, PropertiesHolder propHolder) {
Properties properties = new Properties();
long lastModified = System.currentTimeMillis();
public Properties getMessages() { try {
return getMergedProperties(language.getLocale()).getProperties(); var resources = resourcePatternResolver.getResources("classpath:/lessons/**/i18n" +
} "/WebGoatLabels" + PROPERTIES_SUFFIX);
for (var resource : resources) {
String sourcePath = resource.getURI().toString().replace(PROPERTIES_SUFFIX, "");
PropertiesHolder holder = super.refreshProperties(sourcePath, propHolder);
properties.putAll(holder.getProperties());
}
} catch (IOException e) {
logger.error("Unable to read plugin message", e);
}
public String getMessage(String code, Object... args) { return new PropertiesHolder(properties, lastModified);
return getMessage(code, args, language.getLocale()); }
}
public String getMessage(String code, String defaultValue, Object... args) {
return super.getMessage(code, args, defaultValue, language.getLocale()); public Properties getMessages() {
} return getMergedProperties(language.getLocale()).getProperties();
}
public String getMessage(String code, Object... args) {
return getMessage(code, args, language.getLocale());
}
public String getMessage(String code, String defaultValue, Object... args) {
return super.getMessage(code, args, defaultValue, language.getLocale());
}
} }

85
src/main/java/org/owasp/webgoat/container/lessons/Assignment.java
View File

@ -1,34 +1,34 @@
package org.owasp.webgoat.container.lessons; package org.owasp.webgoat.container.lessons;
import lombok.*;
import javax.persistence.*;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import javax.persistence.*;
import lombok.*;
/** /**
* ************************************************************************************************ * ************************************************************************************************
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/ * please see http://www.owasp.org/
* * <p>
* <p>Copyright (c) 2002 - 2014 Bruce Mayhew * Copyright (c) 2002 - 2014 Bruce Mayhew
* * <p>
* <p>This program is free software; you can redistribute it and/or modify it under the terms of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version. * License, or (at your option) any later version.
* * <p>
* <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* GNU General Public License for more details. * General Public License for more details.
* * <p>
* <p>You should have received a copy of the GNU General Public License along with this program; if * You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA. * 02111-1307, USA.
* * <p>
* <p>Getting Source ============== * Getting Source ==============
* * <p>
* <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* for free software projects. * projects.
*
* <p> * <p>
* *
* @author nbaars * @author nbaars
@ -40,33 +40,30 @@ import lombok.*;
@Entity @Entity
public class Assignment { public class Assignment {
@Id @Id
@GeneratedValue(strategy = GenerationType.AUTO) @GeneratedValue(strategy = GenerationType.AUTO)
private Long id; private Long id;
private String name;
private String path;
private String name; @Transient
private String path; private List<String> hints;
@Transient private List<String> hints; private Assignment() {
//Hibernate
private Assignment() {
// Hibernate
}
public Assignment(String name) {
this(name, name, new ArrayList<>());
}
public Assignment(String name, String path, List<String> hints) {
if (path.equals("") || path.equals("/") || path.equals("/WebGoat/")) {
throw new IllegalStateException(
"The path of assignment '"
+ name
+ "' overrides WebGoat endpoints, please choose a path within the scope of the"
+ " lesson");
} }
this.name = name;
this.path = path; public Assignment(String name) {
this.hints = hints; this(name, name, new ArrayList<>());
} }
public Assignment(String name, String path, List<String> hints) {
if (path.equals("") || path.equals("/") || path.equals("/WebGoat/")) {
throw new IllegalStateException("The path of assignment '" + name + "' overrides WebGoat endpoints, please choose a path within the scope of the lesson");
}
this.name = name;
this.path = path;
this.hints = hints;
}
} }

97
src/main/java/org/owasp/webgoat/container/lessons/Category.java
View File

@ -4,29 +4,30 @@ import lombok.Getter;
/** /**
* ************************************************************************************************* * *************************************************************************************************
*
* <p> * <p>
* * <p>
* <p>This file is part of WebGoat, an Open Web Application Security Project utility. For details, * This file is part of WebGoat, an Open Web Application Security Project
* please see http://www.owasp.org/ * utility. For details, please see http://www.owasp.org/
* * <p>
* <p>Copyright (c) 2002 - 2014 Bruce Mayhew * Copyright (c) 2002 - 2014 Bruce Mayhew
* * <p>
* <p>This program is free software; you can redistribute it and/or modify it under the terms of the * This program is free software; you can redistribute it and/or modify it under
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * the terms of the GNU General Public License as published by the Free Software
* License, or (at your option) any later version. * Foundation; either version 2 of the License, or (at your option) any later
* * version.
* <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; * <p>
* without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * This program is distributed in the hope that it will be useful, but WITHOUT
* GNU General Public License for more details. * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* <p>You should have received a copy of the GNU General Public License along with this program; if * details.
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * <p>
* 02111-1307, USA. * You should have received a copy of the GNU General Public License along with
* * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* <p>Getting Source ============== * Place - Suite 330, Boston, MA 02111-1307, USA.
* * <p>
* <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository * Getting Source ==============
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects. * for free software projects.
* *
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a> * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
@ -34,34 +35,40 @@ import lombok.Getter;
* @since October 28, 2003 * @since October 28, 2003
*/ */
public enum Category { public enum Category {
INTRODUCTION("Introduction", 5),
GENERAL("General", 100),
A1("(A1) Broken Access Control", 301), INTRODUCTION("Introduction", 5),
A2("(A2) Cryptographic Failures", 302), GENERAL("General", 100),
A3("(A3) Injection", 303),
A5("(A5) Security Misconfiguration", 305), A1("(A1) Broken Access Control", 301),
A6("(A6) Vuln & Outdated Components", 306), A2("(A2) Cryptographic Failures", 302),
A7("(A7) Identity & Auth Failure", 307), A3("(A3) Injection", 303),
A8("(A8) Software & Data Integrity", 308),
A9("(A9) Security Logging Failures", 309),
A10("(A10) Server-side Request Forgery", 310),
CLIENT_SIDE("Client side", 1700), A5("(A5) Security Misconfiguration", 305),
A6("(A6) Vuln & Outdated Components", 306),
A7("(A7) Identity & Auth Failure", 307),
A8("(A8) Software & Data Integrity", 308),
A9("(A9) Security Logging Failures", 309),
A10("(A10) Server-side Request Forgery", 310),
CHALLENGE("Challenges", 3000); CLIENT_SIDE("Client side", 1700),
@Getter private String name; CHALLENGE("Challenges", 3000);
@Getter private Integer ranking;
Category(String name, Integer ranking) { @Getter
this.name = name; private String name;
this.ranking = ranking; @Getter
} private Integer ranking;
@Override Category(String name, Integer ranking) {
public String toString() { this.name = name;
return getName(); this.ranking = ranking;
} }
/**
* {@inheritDoc}
*/
@Override
public String toString() {
return getName();
}
} }

161
src/main/java/org/owasp/webgoat/container/lessons/CourseConfiguration.java
View File

@ -22,11 +22,6 @@
package org.owasp.webgoat.container.lessons; package org.owasp.webgoat.container.lessons;
import static java.util.stream.Collectors.groupingBy;
import java.lang.reflect.Method;
import java.lang.reflect.ParameterizedType;
import java.util.*;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.ArrayUtils; import org.apache.commons.lang3.ArrayUtils;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@ -41,103 +36,91 @@ import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.PutMapping; import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMapping;
import java.lang.reflect.Method;
import java.lang.reflect.ParameterizedType;
import java.util.*;
import static java.util.stream.Collectors.groupingBy;
import static java.util.stream.Collectors.toList;
@Slf4j @Slf4j
@Configuration @Configuration
public class CourseConfiguration { public class CourseConfiguration {
private final List<Lesson> lessons; private final List<Lesson> lessons;
private final List<AssignmentEndpoint> assignments; private final List<AssignmentEndpoint> assignments;
private final Map<String, List<AssignmentEndpoint>> assignmentsByPackage; private final Map<String, List<AssignmentEndpoint>> assignmentsByPackage;
public CourseConfiguration(List<Lesson> lessons, List<AssignmentEndpoint> assignments) { public CourseConfiguration(List<Lesson> lessons, List<AssignmentEndpoint> assignments) {
this.lessons = lessons; this.lessons = lessons;
this.assignments = assignments; this.assignments = assignments;
assignmentsByPackage = assignmentsByPackage = this.assignments.stream().collect(groupingBy(a -> a.getClass().getPackageName()));
this.assignments.stream().collect(groupingBy(a -> a.getClass().getPackageName()));
}
@Bean
public Course course() {
lessons.stream().forEach(l -> l.setAssignments(createAssignment(l)));
return new Course(lessons);
}
private List<Assignment> createAssignment(Lesson lesson) {
var endpoints = assignmentsByPackage.get(lesson.getClass().getPackageName());
if (CollectionUtils.isEmpty(endpoints)) {
log.warn("Lesson: {} has no endpoints, is this intentionally?", lesson.getTitle());
return new ArrayList<>();
} }
return endpoints.stream()
.map(
e ->
new Assignment(
e.getClass().getSimpleName(), getPath(e.getClass()), getHints(e.getClass())))
.toList();
}
private String getPath(Class<? extends AssignmentEndpoint> e) { @Bean
for (Method m : e.getMethods()) { public Course course() {
if (methodReturnTypeIsOfTypeAttackResult(m)) { lessons.stream().forEach(l -> l.setAssignments(createAssignment(l)));
var mapping = getMapping(m); return new Course(lessons);
if (mapping != null) { }
return mapping;
private List<Assignment> createAssignment(Lesson lesson) {
var endpoints = assignmentsByPackage.get(lesson.getClass().getPackageName());
if (CollectionUtils.isEmpty(endpoints)) {
log.warn("Lesson: {} has no endpoints, is this intentionally?", lesson.getTitle());
return new ArrayList<>();
} }
} return endpoints.stream()
.map(e -> new Assignment(e.getClass().getSimpleName(), getPath(e.getClass()), getHints(e.getClass())))
.toList();
} }
throw new IllegalStateException(
"Assignment endpoint: "
+ e
+ " has no mapping like @GetMapping/@PostMapping etc,with return type 'AttackResult' or"
+ " 'ResponseEntity<AttackResult>' please consider adding one");
}
private boolean methodReturnTypeIsOfTypeAttackResult(Method m) { private String getPath(Class<? extends AssignmentEndpoint> e) {
if (m.getReturnType() == AttackResult.class) { for (Method m : e.getMethods()) {
return true; if (methodReturnTypeIsOfTypeAttackResult(m)) {
var mapping = getMapping(m);
if (mapping != null) {
return mapping;
}
}
}
throw new IllegalStateException("Assignment endpoint: " + e + " has no mapping like @GetMapping/@PostMapping etc," +
"with return type 'AttackResult' or 'ResponseEntity<AttackResult>' please consider adding one");
} }
var genericType = m.getGenericReturnType();
if (genericType instanceof ParameterizedType) {
return ((ParameterizedType) m.getGenericReturnType()).getActualTypeArguments()[0]
== AttackResult.class;
}
return false;
}
private String getMapping(Method m) { private boolean methodReturnTypeIsOfTypeAttackResult(Method m) {
String[] paths = null; if (m.getReturnType() == AttackResult.class) {
// Find the path, either it is @GetMapping("/attack") of GetMapping(path = "/attack") both are return true;
// valid, we need to consider both }
if (m.getAnnotation(RequestMapping.class) != null) { var genericType = m.getGenericReturnType();
paths = if (genericType instanceof ParameterizedType) {
ArrayUtils.addAll( return ((ParameterizedType) m.getGenericReturnType()).getActualTypeArguments()[0] == AttackResult.class;
m.getAnnotation(RequestMapping.class).value(), }
m.getAnnotation(RequestMapping.class).path()); return false;
} else if (m.getAnnotation(PostMapping.class) != null) {
paths =
ArrayUtils.addAll(
m.getAnnotation(PostMapping.class).value(),
m.getAnnotation(PostMapping.class).path());
} else if (m.getAnnotation(GetMapping.class) != null) {
paths =
ArrayUtils.addAll(
m.getAnnotation(GetMapping.class).value(), m.getAnnotation(GetMapping.class).path());
} else if (m.getAnnotation(PutMapping.class) != null) {
paths =
ArrayUtils.addAll(
m.getAnnotation(PutMapping.class).value(), m.getAnnotation(PutMapping.class).path());
} }
if (paths == null) {
return null;
} else {
return Arrays.stream(paths).filter(path -> !"".equals(path)).findFirst().orElse("");
}
}
private List<String> getHints(Class<? extends AssignmentEndpoint> e) { private String getMapping(Method m) {
if (e.isAnnotationPresent(AssignmentHints.class)) { String[] paths = null;
return List.of(e.getAnnotationsByType(AssignmentHints.class)[0].value()); //Find the path, either it is @GetMapping("/attack") of GetMapping(path = "/attack") both are valid, we need to consider both
if (m.getAnnotation(RequestMapping.class) != null) {
paths = ArrayUtils.addAll(m.getAnnotation(RequestMapping.class).value(), m.getAnnotation(RequestMapping.class).path());
} else if (m.getAnnotation(PostMapping.class) != null) {
paths = ArrayUtils.addAll(m.getAnnotation(PostMapping.class).value(), m.getAnnotation(PostMapping.class).path());
} else if (m.getAnnotation(GetMapping.class) != null) {
paths = ArrayUtils.addAll(m.getAnnotation(GetMapping.class).value(), m.getAnnotation(GetMapping.class).path());
} else if (m.getAnnotation(PutMapping.class) != null) {
paths = ArrayUtils.addAll(m.getAnnotation(PutMapping.class).value(), m.getAnnotation(PutMapping.class).path());
}
if (paths == null) {
return null;
} else {
return Arrays.stream(paths).filter(path -> !"".equals(path)).findFirst().orElse("");
}
}
private List<String> getHints(Class<? extends AssignmentEndpoint> e) {
if (e.isAnnotationPresent(AssignmentHints.class)) {
return List.of(e.getAnnotationsByType(AssignmentHints.class)[0].value());
}
return Collections.emptyList();
} }
return Collections.emptyList();
}
} }

6
src/main/java/org/owasp/webgoat/container/lessons/Hint.java
View File

@ -30,7 +30,7 @@ package org.owasp.webgoat.container.lessons;
import lombok.Value; import lombok.Value;
/** /**
* Hint class. * <p>Hint class.</p>
* *
* @author rlawson * @author rlawson
* @version $Id: $Id * @version $Id: $Id
@ -38,6 +38,6 @@ import lombok.Value;
@Value @Value
public class Hint { public class Hint {
private String hint; private String hint;
private String assignmentPath; private String assignmentPath;
} }

6
src/main/java/org/owasp/webgoat/container/lessons/Initializeable.java
View File

@ -3,10 +3,10 @@ package org.owasp.webgoat.container.lessons;
import org.owasp.webgoat.container.users.WebGoatUser; import org.owasp.webgoat.container.users.WebGoatUser;
/** /**
* Interface for initialization of a lesson. It is called when a new user is added to WebGoat and * Interface for initialization of a lesson. It is called when a new user is added to WebGoat and when a users
* when a users reset a lesson. Make sure to clean beforehand and then re-initialize the lesson. * reset a lesson. Make sure to clean beforehand and then re-initialize the lesson.
*/ */
public interface Initializeable { public interface Initializeable {
void initialize(WebGoatUser webGoatUser); void initialize(WebGoatUser webGoatUser);
} }

176
src/main/java/org/owasp/webgoat/container/lessons/Lesson.java
View File

@ -22,103 +22,115 @@
package org.owasp.webgoat.container.lessons; package org.owasp.webgoat.container.lessons;
import java.util.List;
import lombok.Getter; import lombok.Getter;
import lombok.Setter; import lombok.Setter;
import java.util.List;
@Getter @Getter
@Setter @Setter
public abstract class Lesson { public abstract class Lesson {
private static int count = 1; private static int count = 1;
private Integer id = null; private Integer id = null;
private List<Assignment> assignments; private List<Assignment> assignments;
/** Constructor for the Lesson object */ /**
protected Lesson() { * Constructor for the Lesson object
id = ++count; */
} protected Lesson() {
id = ++count;
}
/**
* getName.
*
* @return a {@link java.lang.String} object.
*/
public String getName() {
String className = getClass().getName();
return className.substring(className.lastIndexOf('.') + 1);
}
/** /**
* Gets the category attribute of the Lesson object * <p>getName.</p>
* *
* @return The category value * @return a {@link java.lang.String} object.
*/ */
public Category getCategory() { public String getName() {
return getDefaultCategory(); String className = getClass().getName();
} return className.substring(className.lastIndexOf('.') + 1);
}
/** /**
* getDefaultCategory. * Gets the category attribute of the Lesson object
* *
* @return a {@link org.owasp.webgoat.container.lessons.Category} object. * @return The category value
*/ */
protected abstract Category getDefaultCategory(); public Category getCategory() {
return getDefaultCategory();
}
/** /**
* Gets the title attribute of the HelloScreen object * <p>getDefaultCategory.</p>
* *
* @return The title value * @return a {@link org.owasp.webgoat.container.lessons.Category} object.
*/ */
public abstract String getTitle(); protected abstract Category getDefaultCategory();
/** /**
* Returns the default "path" portion of a lesson's URL. * Gets the title attribute of the HelloScreen object
* *
* <p> * @return The title value
* */
* <p>Legacy webgoat lesson links are of the form "attack?Screen=Xmenu=Ystage=Z". This method public abstract String getTitle();
* returns the path portion of the url, i.e., "attack" in the string above.
*
* <p>Newer, Spring-Controller-based classes will override this method to return "*.do"-styled
* paths.
*
* @return a {@link java.lang.String} object.
*/
protected String getPath() {
return "#lesson/";
}
/** /**
* Get the link that can be used to request this screen. * <p>Returns the default "path" portion of a lesson's URL.</p>
* * <p>
* <p>Rendering the link in the browser may result in Javascript sending additional requests to * <p>
* perform necessary actions or to obtain data relevant to the lesson or the element of the lesson * Legacy webgoat lesson links are of the form
* selected by the user. Thanks to using the hash mark "#" and Javascript handling the clicks, the * "attack?Screen=Xmenu=Ystage=Z". This method returns the path portion of
* user will experience less waiting as the pages do not have to reload entirely. * the url, i.e., "attack" in the string above.
* * <p>
* @return a {@link java.lang.String} object. * Newer, Spring-Controller-based classes will override this method to
*/ * return "*.do"-styled paths.
public String getLink() { *
return String.format("%s%s.lesson", getPath(), getId()); * @return a {@link java.lang.String} object.
} */
protected String getPath() {
return "#lesson/";
}
/**
* Get the link that can be used to request this screen.
* <p>
* Rendering the link in the browser may result in Javascript sending
* additional requests to perform necessary actions or to obtain data
* relevant to the lesson or the element of the lesson selected by the
* user. Thanks to using the hash mark "#" and Javascript handling the
* clicks, the user will experience less waiting as the pages do not have
* to reload entirely.
*
* @return a {@link java.lang.String} object.
*/
public String getLink() {
return String.format("%s%s.lesson", getPath(), getId());
}
/**
* Description of the Method
*
* @return Description of the Return Value
*/
public String toString() {
return getTitle();
}
public final String getId() {
return this.getClass().getSimpleName();
}
public final String getPackage() {
var packageName = this.getClass().getPackageName();
//package name is the direct package name below lessons (any subpackage will be removed)
return packageName.replaceAll("org.owasp.webgoat.lessons.", "").replaceAll("\\..*", "");
}
/**
* Description of the Method
*
* @return Description of the Return Value
*/
public String toString() {
return getTitle();
}
public final String getId() {
return this.getClass().getSimpleName();
}
public final String getPackage() {
var packageName = this.getClass().getPackageName();
// package name is the direct package name below lessons (any subpackage will be removed)
return packageName.replaceAll("org.owasp.webgoat.lessons.", "").replaceAll("\\..*", "");
}
} }

45
src/main/java/org/owasp/webgoat/container/lessons/LessonConnectionInvocationHandler.java
View File

@ -1,38 +1,39 @@
package org.owasp.webgoat.container.lessons; package org.owasp.webgoat.container.lessons;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.container.users.WebGoatUser;
import org.springframework.security.core.context.SecurityContextHolder;
import java.lang.reflect.InvocationHandler; import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException; import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method; import java.lang.reflect.Method;
import java.sql.Connection; import java.sql.Connection;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.container.users.WebGoatUser;
import org.springframework.security.core.context.SecurityContextHolder;
/** /**
* Handler which sets the correct schema for the currently bounded user. This way users are not * Handler which sets the correct schema for the currently bounded user. This way users are not seeing each other
* seeing each other data and we can reset data for just one particular user. * data and we can reset data for just one particular user.
*/ */
@Slf4j @Slf4j
public class LessonConnectionInvocationHandler implements InvocationHandler { public class LessonConnectionInvocationHandler implements InvocationHandler {
private final Connection targetConnection; private final Connection targetConnection;
public LessonConnectionInvocationHandler(Connection targetConnection) { public LessonConnectionInvocationHandler(Connection targetConnection) {
this.targetConnection = targetConnection; this.targetConnection = targetConnection;
} }
@Override @Override
public Object invoke(Object proxy, Method method, Object[] args) throws Throwable { public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
var authentication = SecurityContextHolder.getContext().getAuthentication(); var authentication = SecurityContextHolder.getContext().getAuthentication();
if (authentication != null && authentication.getPrincipal() instanceof WebGoatUser user) { if (authentication != null && authentication.getPrincipal() instanceof WebGoatUser user) {
try (var statement = targetConnection.createStatement()) { try (var statement = targetConnection.createStatement()) {
statement.execute("SET SCHEMA \"" + user.getUsername() + "\""); statement.execute("SET SCHEMA \"" + user.getUsername() + "\"");
} }
}
try {
return method.invoke(targetConnection, args);
} catch (InvocationTargetException e) {
throw e.getTargetException();
}
} }
try {
return method.invoke(targetConnection, args);
} catch (InvocationTargetException e) {
throw e.getTargetException();
}
}
} }

11
src/main/java/org/owasp/webgoat/container/lessons/LessonInfoModel.java
View File

@ -4,7 +4,7 @@ import lombok.AllArgsConstructor;
import lombok.Getter; import lombok.Getter;
/** /**
* LessonInfoModel class. * <p>LessonInfoModel class.</p>
* *
* @author dm * @author dm
* @version $Id: $Id * @version $Id: $Id
@ -13,8 +13,9 @@ import lombok.Getter;
@AllArgsConstructor @AllArgsConstructor
public class LessonInfoModel { public class LessonInfoModel {
private String lessonTitle; private String lessonTitle;
private boolean hasSource; private boolean hasSource;
private boolean hasSolution; private boolean hasSolution;
private boolean hasPlan; private boolean hasPlan;
} }

266
src/main/java/org/owasp/webgoat/container/lessons/LessonMenuItem.java
View File

@ -1,162 +1,166 @@
/** /**
* ************************************************************************************************* * *************************************************************************************************
*
* <p> * <p>
* * <p>
* <p>This file is part of WebGoat, an Open Web Application Security Project utility. For details, * This file is part of WebGoat, an Open Web Application Security Project
* please see http://www.owasp.org/ * utility. For details, please see http://www.owasp.org/
* * <p>
* <p>Copyright (c) 2002 - 2014 Bruce Mayhew * Copyright (c) 2002 - 2014 Bruce Mayhew
* * <p>
* <p>This program is free software; you can redistribute it and/or modify it under the terms of the * This program is free software; you can redistribute it and/or modify it under
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * the terms of the GNU General Public License as published by the Free Software
* License, or (at your option) any later version. * Foundation; either version 2 of the License, or (at your option) any later
* * version.
* <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; * <p>
* without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * This program is distributed in the hope that it will be useful, but WITHOUT
* GNU General Public License for more details. * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* <p>You should have received a copy of the GNU General Public License along with this program; if * details.
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * <p>
* 02111-1307, USA. * You should have received a copy of the GNU General Public License along with
* * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* <p>Getting Source ============== * Place - Suite 330, Boston, MA 02111-1307, USA.
* * <p>
* <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository * Getting Source ==============
* for free software projects. * <p>
* Source for this application is maintained at
* https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/ */
package org.owasp.webgoat.container.lessons; package org.owasp.webgoat.container.lessons;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
/** /**
* LessonMenuItem class. * <p>LessonMenuItem class.</p>
* *
* @author rlawson * @author rlawson
* @version $Id: $Id * @version $Id: $Id
*/ */
public class LessonMenuItem { public class LessonMenuItem {
private String name; private String name;
private LessonMenuItemType type; private LessonMenuItemType type;
private List<LessonMenuItem> children = new ArrayList<>(); private List<LessonMenuItem> children = new ArrayList<>();
private boolean complete; private boolean complete;
private String link; private String link;
private int ranking; private int ranking;
/** /**
* Getter for the field <code>name</code>. * <p>Getter for the field <code>name</code>.</p>
* *
* @return the name * @return the name
*/ */
public String getName() { public String getName() {
return name; return name;
} }
/** /**
* Setter for the field <code>name</code>. * <p>Setter for the field <code>name</code>.</p>
* *
* @param name the name to set * @param name the name to set
*/ */
public void setName(String name) { public void setName(String name) {
this.name = name; this.name = name;
} }
/** /**
* Getter for the field <code>children</code>. * <p>Getter for the field <code>children</code>.</p>
* *
* @return the children * @return the children
*/ */
public List<LessonMenuItem> getChildren() { public List<LessonMenuItem> getChildren() {
return children; return children;
} }
/** /**
* Setter for the field <code>children</code>. * <p>Setter for the field <code>children</code>.</p>
* *
* @param children the children to set * @param children the children to set
*/ */
public void setChildren(List<LessonMenuItem> children) { public void setChildren(List<LessonMenuItem> children) {
this.children = children; this.children = children;
} }
/** /**
* Getter for the field <code>type</code>. * <p>Getter for the field <code>type</code>.</p>
* *
* @return the type * @return the type
*/ */
public LessonMenuItemType getType() { public LessonMenuItemType getType() {
return type; return type;
} }
/** /**
* Setter for the field <code>type</code>. * <p>Setter for the field <code>type</code>.</p>
* *
* @param type the type to set * @param type the type to set
*/ */
public void setType(LessonMenuItemType type) { public void setType(LessonMenuItemType type) {
this.type = type; this.type = type;
} }
/** /**
* addChild. * <p>addChild.</p>
* *
* @param child a {@link LessonMenuItem} object. * @param child a {@link LessonMenuItem} object.
*/ */
public void addChild(LessonMenuItem child) { public void addChild(LessonMenuItem child) {
children.add(child); children.add(child);
} }
@Override @Override
public String toString() { public String toString() {
StringBuilder bldr = new StringBuilder(); StringBuilder bldr = new StringBuilder();
bldr.append("Name: ").append(name).append(" | "); bldr.append("Name: ").append(name).append(" | ");
bldr.append("Type: ").append(type).append(" | "); bldr.append("Type: ").append(type).append(" | ");
return bldr.toString(); return bldr.toString();
} }
/** /**
* isComplete. * <p>isComplete.</p>
* *
* @return the complete * @return the complete
*/ */
public boolean isComplete() { public boolean isComplete() {
return complete; return complete;
} }
/** /**
* Setter for the field <code>complete</code>. * <p>Setter for the field <code>complete</code>.</p>
* *
* @param complete the complete to set * @param complete the complete to set
*/ */
public void setComplete(boolean complete) { public void setComplete(boolean complete) {
this.complete = complete; this.complete = complete;
} }
/** /**
* Getter for the field <code>link</code>. * <p>Getter for the field <code>link</code>.</p>
* *
* @return the link * @return the link
*/ */
public String getLink() { public String getLink() {
return link; return link;
} }
/** /**
* Setter for the field <code>link</code>. * <p>Setter for the field <code>link</code>.</p>
* *
* @param link the link to set * @param link the link to set
*/ */
public void setLink(String link) { public void setLink(String link) {
this.link = link; this.link = link;
} }
public void setRanking(int ranking) {
this.ranking = ranking;
}
public int getRanking() {
return this.ranking;
}
public void setRanking(int ranking) {
this.ranking = ranking;
}
public int getRanking() {
return this.ranking;
}
} }

8
src/main/java/org/owasp/webgoat/container/lessons/LessonMenuItemType.java
View File

@ -28,13 +28,13 @@
package org.owasp.webgoat.container.lessons; package org.owasp.webgoat.container.lessons;
/** /**
* LessonMenuItemType class. * <p>LessonMenuItemType class.</p>
* *
* @author rlawson * @author rlawson
* @version $Id: $Id * @version $Id: $Id
*/ */
public enum LessonMenuItemType { public enum LessonMenuItemType {
CATEGORY, CATEGORY,
LESSON, LESSON,
STAGE STAGE
} }

54
src/main/java/org/owasp/webgoat/container/lessons/LessonScanner.java
View File

@ -1,42 +1,46 @@
package org.owasp.webgoat.container.lessons; package org.owasp.webgoat.container.lessons;
import lombok.Getter;
import lombok.extern.slf4j.Slf4j;
import org.springframework.core.io.ClassPathResource;
import org.springframework.core.io.support.ResourcePatternResolver;
import org.springframework.stereotype.Component;
import java.io.IOException; import java.io.IOException;
import java.util.ArrayList;
import java.util.HashSet; import java.util.HashSet;
import java.util.List; import java.util.List;
import java.util.Set; import java.util.Set;
import java.util.regex.Pattern; import java.util.regex.Pattern;
import lombok.Getter;
import lombok.extern.slf4j.Slf4j;
import org.springframework.core.io.support.ResourcePatternResolver;
import org.springframework.stereotype.Component;
@Component @Component
@Slf4j @Slf4j
public class LessonScanner { public class LessonScanner {
private static final Pattern lessonPattern = Pattern.compile("^.*/lessons/([^/]*)/.*$"); private static final Pattern lessonPattern = Pattern.compile("^.*/lessons/([^/]*)/.*$");
@Getter private final Set<String> lessons = new HashSet<>(); @Getter
private final Set<String> lessons = new HashSet<>();
public LessonScanner(ResourcePatternResolver resourcePatternResolver) { public LessonScanner(ResourcePatternResolver resourcePatternResolver) {
try { try {
var resources = resourcePatternResolver.getResources("classpath:/lessons/*/*"); var resources = resourcePatternResolver.getResources("classpath:/lessons/*/*");
for (var resource : resources) { for (var resource : resources) {
// WG can run as a fat jar or as directly from file system we need to support both so use //WG can run as a fat jar or as directly from file system we need to support both so use the URL
// the URL var url = resource.getURL();
var url = resource.getURL(); var matcher = lessonPattern.matcher(url.toString());
var matcher = lessonPattern.matcher(url.toString()); if (matcher.matches()) {
if (matcher.matches()) { lessons.add(matcher.group(1));
lessons.add(matcher.group(1)); }
}
log.debug("Found {} lessons", lessons.size());
} catch (IOException e) {
log.warn("No lessons found...");
} }
}
log.debug("Found {} lessons", lessons.size());
} catch (IOException e) {
log.warn("No lessons found...");
}
}
public List<String> applyPattern(String pattern) { }
return lessons.stream().map(lesson -> String.format(pattern, lesson)).toList();
} public List<String> applyPattern(String pattern) {
return lessons.stream().map(lesson -> String.format(pattern, lesson)).toList();
}
} }

11
src/main/java/org/owasp/webgoat/container/service/EnvironmentService.java
View File

@ -9,10 +9,11 @@ import org.springframework.web.bind.annotation.RestController;
@RequiredArgsConstructor @RequiredArgsConstructor
public class EnvironmentService { public class EnvironmentService {
private final ApplicationContext context; private final ApplicationContext context;
@GetMapping("/server-directory")
public String homeDirectory() {
return context.getEnvironment().getProperty("webgoat.server.directory");
}
@GetMapping("/server-directory")
public String homeDirectory() {
return context.getEnvironment().getProperty("webgoat.server.directory");
}
} }

62
src/main/java/org/owasp/webgoat/container/service/HintService.java
View File

@ -6,8 +6,6 @@
package org.owasp.webgoat.container.service; package org.owasp.webgoat.container.service;
import java.util.Collection;
import java.util.List;
import org.owasp.webgoat.container.lessons.Assignment; import org.owasp.webgoat.container.lessons.Assignment;
import org.owasp.webgoat.container.lessons.Hint; import org.owasp.webgoat.container.lessons.Hint;
import org.owasp.webgoat.container.lessons.Lesson; import org.owasp.webgoat.container.lessons.Lesson;
@ -16,8 +14,11 @@ import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController; import org.springframework.web.bind.annotation.RestController;
import java.util.Collection;
import java.util.List;
/** /**
* HintService class. * <p>HintService class.</p>
* *
* @author rlawson * @author rlawson
* @version $Id: $Id * @version $Id: $Id
@ -25,33 +26,36 @@ import org.springframework.web.bind.annotation.RestController;
@RestController @RestController
public class HintService { public class HintService {
public static final String URL_HINTS_MVC = "/service/hint.mvc"; public static final String URL_HINTS_MVC = "/service/hint.mvc";
private final WebSession webSession; private final WebSession webSession;
public HintService(WebSession webSession) { public HintService(WebSession webSession) {
this.webSession = webSession; this.webSession = webSession;
}
/**
* Returns hints for current lesson
*
* @return a {@link java.util.List} object.
*/
@GetMapping(path = URL_HINTS_MVC, produces = "application/json")
@ResponseBody
public List<Hint> getHints() {
Lesson l = webSession.getCurrentLesson();
return createAssignmentHints(l);
}
private List<Hint> createAssignmentHints(Lesson l) {
if (l != null) {
return l.getAssignments().stream().map(this::createHint).flatMap(Collection::stream).toList();
} }
return List.of();
}
private List<Hint> createHint(Assignment a) { /**
return a.getHints().stream().map(h -> new Hint(h, a.getPath())).toList(); * Returns hints for current lesson
} *
* @return a {@link java.util.List} object.
*/
@GetMapping(path = URL_HINTS_MVC, produces = "application/json")
@ResponseBody
public List<Hint> getHints() {
Lesson l = webSession.getCurrentLesson();
return createAssignmentHints(l);
}
private List<Hint> createAssignmentHints(Lesson l) {
if (l != null) {
return l.getAssignments().stream()
.map(this::createHint)
.flatMap(Collection::stream)
.toList();
}
return List.of();
}
private List<Hint> createHint(Assignment a) {
return a.getHints().stream().map(h -> new Hint(h, a.getPath())).toList();
}
} }

129
src/main/java/org/owasp/webgoat/container/service/LabelDebugService.java
View File

@ -1,33 +1,34 @@
/** /**
* ************************************************************************************************* * *************************************************************************************************
*
* <p> * <p>
* * <p>
* <p>This file is part of WebGoat, an Open Web Application Security Project utility. For details, * This file is part of WebGoat, an Open Web Application Security Project
* please see http://www.owasp.org/ * utility. For details, please see http://www.owasp.org/
* * <p>
* <p>Copyright (c) 2002 - 2014 Bruce Mayhew * Copyright (c) 2002 - 2014 Bruce Mayhew
* * <p>
* <p>This program is free software; you can redistribute it and/or modify it under the terms of the * This program is free software; you can redistribute it and/or modify it under
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * the terms of the GNU General Public License as published by the Free Software
* License, or (at your option) any later version. * Foundation; either version 2 of the License, or (at your option) any later
* * version.
* <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; * <p>
* without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * This program is distributed in the hope that it will be useful, but WITHOUT
* GNU General Public License for more details. * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* <p>You should have received a copy of the GNU General Public License along with this program; if * details.
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * <p>
* 02111-1307, USA. * You should have received a copy of the GNU General Public License along with
* * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* <p>Getting Source ============== * Place - Suite 330, Boston, MA 02111-1307, USA.
* * <p>
* <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository * Getting Source ==============
* for free software projects. * <p>
* Source for this application is maintained at
* https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/ */
package org.owasp.webgoat.container.service; package org.owasp.webgoat.container.service;
import java.util.Map;
import lombok.AllArgsConstructor; import lombok.AllArgsConstructor;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.container.session.LabelDebugger; import org.owasp.webgoat.container.session.LabelDebugger;
@ -39,8 +40,10 @@ import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.ResponseBody;
import java.util.Map;
/** /**
* LabelDebugService class. * <p>LabelDebugService class.</p>
* *
* @author nbaars * @author nbaars
* @version $Id: $Id * @version $Id: $Id
@ -50,47 +53,45 @@ import org.springframework.web.bind.annotation.ResponseBody;
@AllArgsConstructor @AllArgsConstructor
public class LabelDebugService { public class LabelDebugService {
private static final String URL_DEBUG_LABELS_MVC = "/service/debug/labels.mvc"; private static final String URL_DEBUG_LABELS_MVC = "/service/debug/labels.mvc";
private static final String KEY_ENABLED = "enabled"; private static final String KEY_ENABLED = "enabled";
private static final String KEY_SUCCESS = "success"; private static final String KEY_SUCCESS = "success";
private LabelDebugger labelDebugger; private LabelDebugger labelDebugger;
/** /**
* Checks if debugging of labels is enabled or disabled * Checks if debugging of labels is enabled or disabled
* *
* @return a {@link org.springframework.http.ResponseEntity} object. * @return a {@link org.springframework.http.ResponseEntity} object.
*/ */
@RequestMapping(path = URL_DEBUG_LABELS_MVC, produces = MediaType.APPLICATION_JSON_VALUE) @RequestMapping(path = URL_DEBUG_LABELS_MVC, produces = MediaType.APPLICATION_JSON_VALUE)
public @ResponseBody ResponseEntity<Map<String, Object>> checkDebuggingStatus() { public @ResponseBody
log.debug("Checking label debugging, it is {}", labelDebugger.isEnabled()); ResponseEntity<Map<String, Object>> checkDebuggingStatus() {
Map<String, Object> result = createResponse(labelDebugger.isEnabled()); log.debug("Checking label debugging, it is {}", labelDebugger.isEnabled());
return new ResponseEntity<>(result, HttpStatus.OK); Map<String, Object> result = createResponse(labelDebugger.isEnabled());
} return new ResponseEntity<>(result, HttpStatus.OK);
}
/** /**
* Sets the enabled flag on the label debugger to the given parameter * Sets the enabled flag on the label debugger to the given parameter
* *
* @param enabled {@link org.owasp.webgoat.container.session.LabelDebugger} object * @param enabled {@link org.owasp.webgoat.container.session.LabelDebugger} object
* @return a {@link org.springframework.http.ResponseEntity} object. * @return a {@link org.springframework.http.ResponseEntity} object.
*/ */
@RequestMapping( @RequestMapping(value = URL_DEBUG_LABELS_MVC, produces = MediaType.APPLICATION_JSON_VALUE, params = KEY_ENABLED)
value = URL_DEBUG_LABELS_MVC, public @ResponseBody
produces = MediaType.APPLICATION_JSON_VALUE, ResponseEntity<Map<String, Object>> setDebuggingStatus(@RequestParam("enabled") Boolean enabled) {
params = KEY_ENABLED) log.debug("Setting label debugging to {} ", labelDebugger.isEnabled());
public @ResponseBody ResponseEntity<Map<String, Object>> setDebuggingStatus( Map<String, Object> result = createResponse(enabled);
@RequestParam("enabled") Boolean enabled) { labelDebugger.setEnabled(enabled);
log.debug("Setting label debugging to {} ", labelDebugger.isEnabled()); return new ResponseEntity<>(result, HttpStatus.OK);
Map<String, Object> result = createResponse(enabled); }
labelDebugger.setEnabled(enabled);
return new ResponseEntity<>(result, HttpStatus.OK);
}
/** /**
* @param enabled {@link org.owasp.webgoat.container.session.LabelDebugger} object * @param enabled {@link org.owasp.webgoat.container.session.LabelDebugger} object
* @return a {@link java.util.Map} object. * @return a {@link java.util.Map} object.
*/ */
private Map<String, Object> createResponse(Boolean enabled) { private Map<String, Object> createResponse(Boolean enabled) {
return Map.of(KEY_SUCCESS, Boolean.TRUE, KEY_ENABLED, enabled); return Map.of(KEY_SUCCESS, Boolean.TRUE, KEY_ENABLED, enabled);
} }
} }

80
src/main/java/org/owasp/webgoat/container/service/LabelService.java
View File

@ -1,33 +1,34 @@
/** /**
* ************************************************************************************************* * *************************************************************************************************
*
* <p> * <p>
* * <p>
* <p>This file is part of WebGoat, an Open Web Application Security Project utility. For details, * This file is part of WebGoat, an Open Web Application Security Project
* please see http://www.owasp.org/ * utility. For details, please see http://www.owasp.org/
* * <p>
* <p>Copyright (c) 2002 - 2014 Bruce Mayhew * Copyright (c) 2002 - 2014 Bruce Mayhew
* * <p>
* <p>This program is free software; you can redistribute it and/or modify it under the terms of the * This program is free software; you can redistribute it and/or modify it under
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * the terms of the GNU General Public License as published by the Free Software
* License, or (at your option) any later version. * Foundation; either version 2 of the License, or (at your option) any later
* * version.
* <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; * <p>
* without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * This program is distributed in the hope that it will be useful, but WITHOUT
* GNU General Public License for more details. * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* <p>You should have received a copy of the GNU General Public License along with this program; if * details.
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * <p>
* 02111-1307, USA. * You should have received a copy of the GNU General Public License along with
* * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* <p>Getting Source ============== * Place - Suite 330, Boston, MA 02111-1307, USA.
* * <p>
* <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository * Getting Source ==============
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects. * for free software projects.
*/ */
package org.owasp.webgoat.container.service; package org.owasp.webgoat.container.service;
import java.util.Properties;
import lombok.RequiredArgsConstructor; import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.container.i18n.Messages; import org.owasp.webgoat.container.i18n.Messages;
@ -39,8 +40,11 @@ import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController; import org.springframework.web.bind.annotation.RestController;
import java.util.Properties;
/** /**
* LabelService class. * <p>LabelService class.</p>
* *
* @author zupzup * @author zupzup
*/ */
@ -49,19 +53,19 @@ import org.springframework.web.bind.annotation.RestController;
@RequiredArgsConstructor @RequiredArgsConstructor
public class LabelService { public class LabelService {
public static final String URL_LABELS_MVC = "/service/labels.mvc"; public static final String URL_LABELS_MVC = "/service/labels.mvc";
private final Messages messages; private final Messages messages;
private final PluginMessages pluginMessages; private final PluginMessages pluginMessages;
/** /**
* @return a map of all the labels * @return a map of all the labels
*/ */
@GetMapping(path = URL_LABELS_MVC, produces = MediaType.APPLICATION_JSON_VALUE) @GetMapping(path = URL_LABELS_MVC, produces = MediaType.APPLICATION_JSON_VALUE)
@ResponseBody @ResponseBody
public ResponseEntity<Properties> fetchLabels() { public ResponseEntity<Properties> fetchLabels() {
var allProperties = new Properties(); var allProperties = new Properties();
allProperties.putAll(messages.getMessages()); allProperties.putAll(messages.getMessages());
allProperties.putAll(pluginMessages.getMessages()); allProperties.putAll(pluginMessages.getMessages());
return new ResponseEntity<>(allProperties, HttpStatus.OK); return new ResponseEntity<>(allProperties, HttpStatus.OK);
} }
} }

27
src/main/java/org/owasp/webgoat/container/service/LessonInfoService.java
View File

@ -8,8 +8,9 @@ import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController; import org.springframework.web.bind.annotation.RestController;
/** /**
* LessonInfoService class. * <p>LessonInfoService class.</p>
* *
* @author dm * @author dm
* @version $Id: $Id * @version $Id: $Id
@ -18,16 +19,18 @@ import org.springframework.web.bind.annotation.RestController;
@AllArgsConstructor @AllArgsConstructor
public class LessonInfoService { public class LessonInfoService {
private final WebSession webSession; private final WebSession webSession;
/**
* <p>getLessonInfo.</p>
*
* @return a {@link LessonInfoModel} object.
*/
@RequestMapping(path = "/service/lessoninfo.mvc", produces = "application/json")
public @ResponseBody
LessonInfoModel getLessonInfo() {
Lesson lesson = webSession.getCurrentLesson();
return new LessonInfoModel(lesson.getTitle(), false, false, false);
}
/**
* getLessonInfo.
*
* @return a {@link LessonInfoModel} object.
*/
@RequestMapping(path = "/service/lessoninfo.mvc", produces = "application/json")
public @ResponseBody LessonInfoModel getLessonInfo() {
Lesson lesson = webSession.getCurrentLesson();
return new LessonInfoModel(lesson.getTitle(), false, false, false);
}
} }

177
src/main/java/org/owasp/webgoat/container/service/LessonMenuService.java
View File

@ -1,36 +1,34 @@
/** /**
* ************************************************************************************************* * *************************************************************************************************
*
* <p> * <p>
* * <p>
* <p>This file is part of WebGoat, an Open Web Application Security Project utility. For details, * This file is part of WebGoat, an Open Web Application Security Project
* please see http://www.owasp.org/ * utility. For details, please see http://www.owasp.org/
* * <p>
* <p>Copyright (c) 2002 - 2014 Bruce Mayhew * Copyright (c) 2002 - 2014 Bruce Mayhew
* * <p>
* <p>This program is free software; you can redistribute it and/or modify it under the terms of the * This program is free software; you can redistribute it and/or modify it under
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * the terms of the GNU General Public License as published by the Free Software
* License, or (at your option) any later version. * Foundation; either version 2 of the License, or (at your option) any later
* * version.
* <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; * <p>
* without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * This program is distributed in the hope that it will be useful, but WITHOUT
* GNU General Public License for more details. * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* <p>You should have received a copy of the GNU General Public License along with this program; if * details.
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * <p>
* 02111-1307, USA. * You should have received a copy of the GNU General Public License along with
* * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* <p>Getting Source ============== * Place - Suite 330, Boston, MA 02111-1307, USA.
* * <p>
* <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository * Getting Source ==============
* for free software projects. * <p>
* Source for this application is maintained at
* https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/ */
package org.owasp.webgoat.container.service; package org.owasp.webgoat.container.service;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;
import java.util.Map;
import lombok.AllArgsConstructor; import lombok.AllArgsConstructor;
import org.owasp.webgoat.container.lessons.Assignment; import org.owasp.webgoat.container.lessons.Assignment;
import org.owasp.webgoat.container.lessons.Category; import org.owasp.webgoat.container.lessons.Category;
@ -47,8 +45,13 @@ import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.ResponseBody;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;
import java.util.Map;
/** /**
* LessonMenuService class. * <p>LessonMenuService class.</p>
* *
* @author rlawson * @author rlawson
* @version $Id: $Id * @version $Id: $Id
@ -57,68 +60,72 @@ import org.springframework.web.bind.annotation.ResponseBody;
@AllArgsConstructor @AllArgsConstructor
public class LessonMenuService { public class LessonMenuService {
public static final String URL_LESSONMENU_MVC = "/service/lessonmenu.mvc"; public static final String URL_LESSONMENU_MVC = "/service/lessonmenu.mvc";
private final Course course; private final Course course;
private final WebSession webSession; private final WebSession webSession;
private UserTrackerRepository userTrackerRepository; private UserTrackerRepository userTrackerRepository;
@Value("#{'${exclude.categories}'.split(',')}") @Value("#{'${exclude.categories}'.split(',')}")
private List<String> excludeCategories; private List<String> excludeCategories;
@Value("#{'${exclude.lessons}'.split(',')}") @Value("#{'${exclude.lessons}'.split(',')}")
private List<String> excludeLessons; private List<String> excludeLessons;
/** /**
* Returns the lesson menu which is used to build the left nav * Returns the lesson menu which is used to build the left nav
* *
* @return a {@link java.util.List} object. * @return a {@link java.util.List} object.
*/ */
@RequestMapping(path = URL_LESSONMENU_MVC, produces = "application/json") @RequestMapping(path = URL_LESSONMENU_MVC, produces = "application/json")
public @ResponseBody List<LessonMenuItem> showLeftNav() { public
List<LessonMenuItem> menu = new ArrayList<>(); @ResponseBody
List<Category> categories = course.getCategories(); List<LessonMenuItem> showLeftNav() {
UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName()); List<LessonMenuItem> menu = new ArrayList<>();
List<Category> categories = course.getCategories();
UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
for (Category category : categories) { for (Category category : categories) {
if (excludeCategories.contains(category.name())) { if (excludeCategories.contains(category.name())) {
continue; continue;
} }
LessonMenuItem categoryItem = new LessonMenuItem(); LessonMenuItem categoryItem = new LessonMenuItem();
categoryItem.setName(category.getName()); categoryItem.setName(category.getName());
categoryItem.setType(LessonMenuItemType.CATEGORY); categoryItem.setType(LessonMenuItemType.CATEGORY);
// check for any lessons for this category // check for any lessons for this category
List<Lesson> lessons = course.getLessons(category); List<Lesson> lessons = course.getLessons(category);
lessons = lessons.stream().sorted(Comparator.comparing(Lesson::getTitle)).toList(); lessons = lessons.stream().sorted(Comparator.comparing(Lesson::getTitle)).toList();
for (Lesson lesson : lessons) { for (Lesson lesson : lessons) {
if (excludeLessons.contains(lesson.getName())) { if (excludeLessons.contains(lesson.getName())) {
continue; continue;
}
LessonMenuItem lessonItem = new LessonMenuItem();
lessonItem.setName(lesson.getTitle());
lessonItem.setLink(lesson.getLink());
lessonItem.setType(LessonMenuItemType.LESSON);
LessonTracker lessonTracker = userTracker.getLessonTracker(lesson);
boolean lessonSolved = lessonCompleted(lessonTracker.getLessonOverview(), lesson);
lessonItem.setComplete(lessonSolved);
categoryItem.addChild(lessonItem);
}
categoryItem.getChildren().sort((o1, o2) -> o1.getRanking() - o2.getRanking());
menu.add(categoryItem);
} }
LessonMenuItem lessonItem = new LessonMenuItem(); return menu;
lessonItem.setName(lesson.getTitle());
lessonItem.setLink(lesson.getLink());
lessonItem.setType(LessonMenuItemType.LESSON);
LessonTracker lessonTracker = userTracker.getLessonTracker(lesson);
boolean lessonSolved = lessonCompleted(lessonTracker.getLessonOverview(), lesson);
lessonItem.setComplete(lessonSolved);
categoryItem.addChild(lessonItem);
}
categoryItem.getChildren().sort((o1, o2) -> o1.getRanking() - o2.getRanking());
menu.add(categoryItem);
}
return menu;
}
private boolean lessonCompleted(Map<Assignment, Boolean> map, Lesson currentLesson) {
boolean result = true;
for (Map.Entry<Assignment, Boolean> entry : map.entrySet()) {
Assignment storedAssignment = entry.getKey();
for (Assignment lessonAssignment : currentLesson.getAssignments()) {
if (lessonAssignment.getName().equals(storedAssignment.getName())) {
result = result && entry.getValue();
break;
}
}
} }
return result;
} private boolean lessonCompleted(Map<Assignment, Boolean> map, Lesson currentLesson) {
boolean result = true;
for (Map.Entry<Assignment, Boolean> entry : map.entrySet()) {
Assignment storedAssignment = entry.getKey();
for (Assignment lessonAssignment : currentLesson.getAssignments()) {
if (lessonAssignment.getName().equals(storedAssignment.getName())) {
result = result && entry.getValue();
break;
}
}
}
return result;
}
} }

64
src/main/java/org/owasp/webgoat/container/service/LessonProgressService.java
View File

@ -1,6 +1,5 @@
package org.owasp.webgoat.container.service; package org.owasp.webgoat.container.service;
import java.util.List;
import lombok.AllArgsConstructor; import lombok.AllArgsConstructor;
import lombok.Getter; import lombok.Getter;
import lombok.RequiredArgsConstructor; import lombok.RequiredArgsConstructor;
@ -11,8 +10,11 @@ import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.ResponseBody;
import java.util.List;
/** /**
* LessonProgressService class. * <p>LessonProgressService class.</p>
* *
* @author webgoat * @author webgoat
*/ */
@ -20,38 +22,38 @@ import org.springframework.web.bind.annotation.ResponseBody;
@RequiredArgsConstructor @RequiredArgsConstructor
public class LessonProgressService { public class LessonProgressService {
private final UserTrackerRepository userTrackerRepository; private final UserTrackerRepository userTrackerRepository;
private final WebSession webSession; private final WebSession webSession;
/** /**
* Endpoint for fetching the complete lesson overview which informs the user about whether all the * Endpoint for fetching the complete lesson overview which informs the user about whether all the assignments are solved.
* assignments are solved. Used as the last page of the lesson to generate a lesson overview. * Used as the last page of the lesson to generate a lesson overview.
* *
* @return list of assignments * @return list of assignments
*/ */
@RequestMapping(value = "/service/lessonoverview.mvc", produces = "application/json") @RequestMapping(value = "/service/lessonoverview.mvc", produces = "application/json")
@ResponseBody @ResponseBody
public List<LessonOverview> lessonOverview() { public List<LessonOverview> lessonOverview() {
var userTracker = userTrackerRepository.findByUser(webSession.getUserName()); var userTracker = userTrackerRepository.findByUser(webSession.getUserName());
var currentLesson = webSession.getCurrentLesson(); var currentLesson = webSession.getCurrentLesson();
if (currentLesson != null) { if (currentLesson != null) {
var lessonTracker = userTracker.getLessonTracker(currentLesson); var lessonTracker = userTracker.getLessonTracker(currentLesson);
return lessonTracker.getLessonOverview().entrySet().stream() return lessonTracker.getLessonOverview().entrySet().stream()
.map(entry -> new LessonOverview(entry.getKey(), entry.getValue())) .map(entry -> new LessonOverview(entry.getKey(), entry.getValue()))
.toList(); .toList();
}
return List.of();
} }
return List.of();
}
@AllArgsConstructor @AllArgsConstructor
@Getter @Getter
// Jackson does not really like returning a map of <Assignment, Boolean> directly, see //Jackson does not really like returning a map of <Assignment, Boolean> directly, see http://stackoverflow.com/questions/11628698/can-we-make-object-as-key-in-map-when-using-json
// http://stackoverflow.com/questions/11628698/can-we-make-object-as-key-in-map-when-using-json //so creating intermediate object is the easiest solution
// so creating intermediate object is the easiest solution private static class LessonOverview {
private static class LessonOverview {
private Assignment assignment; private Assignment assignment;
private Boolean solved; private Boolean solved;
}
}
} }

34
src/main/java/org/owasp/webgoat/container/service/LessonTitleService.java
View File

@ -6,8 +6,9 @@ import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.ResponseBody;
/** /**
* LessonTitleService class. * <p>LessonTitleService class.</p>
* *
* @author dm * @author dm
* @version $Id: $Id * @version $Id: $Id
@ -15,20 +16,23 @@ import org.springframework.web.bind.annotation.ResponseBody;
@Controller @Controller
public class LessonTitleService { public class LessonTitleService {
private final WebSession webSession; private final WebSession webSession;
public LessonTitleService(final WebSession webSession) { public LessonTitleService(final WebSession webSession) {
this.webSession = webSession; this.webSession = webSession;
} }
/**
* Returns the title for the current attack
*
* @return a {@link java.lang.String} object.
*/
@RequestMapping(path = "/service/lessontitle.mvc", produces = "application/html")
public
@ResponseBody
String showPlan() {
Lesson lesson = webSession.getCurrentLesson();
return lesson != null ? lesson.getTitle() : "";
}
/**
* Returns the title for the current attack
*
* @return a {@link java.lang.String} object.
*/
@RequestMapping(path = "/service/lessontitle.mvc", produces = "application/html")
public @ResponseBody String showPlan() {
Lesson lesson = webSession.getCurrentLesson();
return lesson != null ? lesson.getTitle() : "";
}
} }

140
src/main/java/org/owasp/webgoat/container/service/ReportCardService.java
View File

@ -1,34 +1,34 @@
/** /**
* ************************************************************************************************* * *************************************************************************************************
*
* <p> * <p>
* * <p>
* <p>This file is part of WebGoat, an Open Web Application Security Project utility. For details, * This file is part of WebGoat, an Open Web Application Security Project
* please see http://www.owasp.org/ * utility. For details, please see http://www.owasp.org/
* * <p>
* <p>Copyright (c) 2002 - 2014 Bruce Mayhew * Copyright (c) 2002 - 2014 Bruce Mayhew
* * <p>
* <p>This program is free software; you can redistribute it and/or modify it under the terms of the * This program is free software; you can redistribute it and/or modify it under
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * the terms of the GNU General Public License as published by the Free Software
* License, or (at your option) any later version. * Foundation; either version 2 of the License, or (at your option) any later
* * version.
* <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; * <p>
* without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * This program is distributed in the hope that it will be useful, but WITHOUT
* GNU General Public License for more details. * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* <p>You should have received a copy of the GNU General Public License along with this program; if * details.
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * <p>
* 02111-1307, USA. * You should have received a copy of the GNU General Public License along with
* * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* <p>Getting Source ============== * Place - Suite 330, Boston, MA 02111-1307, USA.
* * <p>
* <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository * Getting Source ==============
* for free software projects. * <p>
* Source for this application is maintained at
* https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/ */
package org.owasp.webgoat.container.service; package org.owasp.webgoat.container.service;
import java.util.ArrayList;
import java.util.List;
import lombok.AllArgsConstructor; import lombok.AllArgsConstructor;
import lombok.Getter; import lombok.Getter;
import lombok.Setter; import lombok.Setter;
@ -43,8 +43,11 @@ import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.ResponseBody;
import java.util.ArrayList;
import java.util.List;
/** /**
* ReportCardService * <p>ReportCardService</p>
* *
* @author nbaars * @author nbaars
* @version $Id: $Id * @version $Id: $Id
@ -53,53 +56,52 @@ import org.springframework.web.bind.annotation.ResponseBody;
@AllArgsConstructor @AllArgsConstructor
public class ReportCardService { public class ReportCardService {
private final WebSession webSession; private final WebSession webSession;
private final UserTrackerRepository userTrackerRepository; private final UserTrackerRepository userTrackerRepository;
private final Course course; private final Course course;
private final PluginMessages pluginMessages; private final PluginMessages pluginMessages;
/** /**
* Endpoint which generates the report card for the current use to show the stats on the solved * Endpoint which generates the report card for the current use to show the stats on the solved lessons
* lessons */
*/ @GetMapping(path = "/service/reportcard.mvc", produces = "application/json")
@GetMapping(path = "/service/reportcard.mvc", produces = "application/json") @ResponseBody
@ResponseBody public ReportCard reportCard() {
public ReportCard reportCard() { final ReportCard reportCard = new ReportCard();
final ReportCard reportCard = new ReportCard(); reportCard.setTotalNumberOfLessons(course.getTotalOfLessons());
reportCard.setTotalNumberOfLessons(course.getTotalOfLessons()); reportCard.setTotalNumberOfAssignments(course.getTotalOfAssignments());
reportCard.setTotalNumberOfAssignments(course.getTotalOfAssignments());
UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName()); UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
reportCard.setNumberOfAssignmentsSolved(userTracker.numberOfAssignmentsSolved()); reportCard.setNumberOfAssignmentsSolved(userTracker.numberOfAssignmentsSolved());
reportCard.setNumberOfLessonsSolved(userTracker.numberOfLessonsSolved()); reportCard.setNumberOfLessonsSolved(userTracker.numberOfLessonsSolved());
for (Lesson lesson : course.getLessons()) { for (Lesson lesson : course.getLessons()) {
LessonTracker lessonTracker = userTracker.getLessonTracker(lesson); LessonTracker lessonTracker = userTracker.getLessonTracker(lesson);
final LessonStatistics lessonStatistics = new LessonStatistics(); final LessonStatistics lessonStatistics = new LessonStatistics();
lessonStatistics.setName(pluginMessages.getMessage(lesson.getTitle())); lessonStatistics.setName(pluginMessages.getMessage(lesson.getTitle()));
lessonStatistics.setNumberOfAttempts(lessonTracker.getNumberOfAttempts()); lessonStatistics.setNumberOfAttempts(lessonTracker.getNumberOfAttempts());
lessonStatistics.setSolved(lessonTracker.isLessonSolved()); lessonStatistics.setSolved(lessonTracker.isLessonSolved());
reportCard.lessonStatistics.add(lessonStatistics); reportCard.lessonStatistics.add(lessonStatistics);
}
return reportCard;
} }
return reportCard;
}
@Getter @Getter
@Setter @Setter
private final class ReportCard { private final class ReportCard {
private int totalNumberOfLessons; private int totalNumberOfLessons;
private int totalNumberOfAssignments; private int totalNumberOfAssignments;
private int solvedLessons; private int solvedLessons;
private int numberOfAssignmentsSolved; private int numberOfAssignmentsSolved;
private int numberOfLessonsSolved; private int numberOfLessonsSolved;
private List<LessonStatistics> lessonStatistics = new ArrayList<>(); private List<LessonStatistics> lessonStatistics = new ArrayList<>();
} }
@Setter @Setter
@Getter @Getter
private final class LessonStatistics { private final class LessonStatistics {
private String name; private String name;
private boolean solved; private boolean solved;
private int numberOfAttempts; private int numberOfAttempts;
} }
} }

39
src/main/java/org/owasp/webgoat/container/service/RestartLessonService.java
View File

@ -24,8 +24,6 @@
package org.owasp.webgoat.container.service; package org.owasp.webgoat.container.service;
import java.util.List;
import java.util.function.Function;
import lombok.AllArgsConstructor; import lombok.AllArgsConstructor;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.flywaydb.core.Flyway; import org.flywaydb.core.Flyway;
@ -39,30 +37,33 @@ import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseStatus; import org.springframework.web.bind.annotation.ResponseStatus;
import java.util.List;
import java.util.function.Function;
@Controller @Controller
@AllArgsConstructor @AllArgsConstructor
@Slf4j @Slf4j
public class RestartLessonService { public class RestartLessonService {
private final WebSession webSession; private final WebSession webSession;
private final UserTrackerRepository userTrackerRepository; private final UserTrackerRepository userTrackerRepository;
private final Function<String, Flyway> flywayLessons; private final Function<String, Flyway> flywayLessons;
private final List<Initializeable> lessonsToInitialize; private final List<Initializeable> lessonsToInitialize;
@RequestMapping(path = "/service/restartlesson.mvc", produces = "text/text") @RequestMapping(path = "/service/restartlesson.mvc", produces = "text/text")
@ResponseStatus(value = HttpStatus.OK) @ResponseStatus(value = HttpStatus.OK)
public void restartLesson() { public void restartLesson() {
Lesson al = webSession.getCurrentLesson(); Lesson al = webSession.getCurrentLesson();
log.debug("Restarting lesson: " + al); log.debug("Restarting lesson: " + al);
UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName()); UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
userTracker.reset(al); userTracker.reset(al);
userTrackerRepository.save(userTracker); userTrackerRepository.save(userTracker);
var flyway = flywayLessons.apply(webSession.getUserName()); var flyway = flywayLessons.apply(webSession.getUserName());
flyway.clean(); flyway.clean();
flyway.migrate(); flyway.migrate();
lessonsToInitialize.forEach(i -> i.initialize(webSession.getUser())); lessonsToInitialize.forEach(i -> i.initialize(webSession.getUser()));
} }
} }

22
src/main/java/org/owasp/webgoat/container/service/SessionService.java
View File

@ -17,17 +17,17 @@ import org.springframework.web.bind.annotation.ResponseBody;
@RequiredArgsConstructor @RequiredArgsConstructor
public class SessionService { public class SessionService {
private final WebSession webSession; private final WebSession webSession;
private final RestartLessonService restartLessonService; private final RestartLessonService restartLessonService;
private final Messages messages; private final Messages messages;
@RequestMapping(path = "/service/enable-security.mvc", produces = "application/json") @RequestMapping(path = "/service/enable-security.mvc", produces = "application/json")
@ResponseBody @ResponseBody
public String applySecurity() { public String applySecurity() {
webSession.toggleSecurity(); webSession.toggleSecurity();
restartLessonService.restartLesson(); restartLessonService.restartLesson();
var msg = webSession.isSecurityEnabled() ? "security.enabled" : "security.disabled"; var msg = webSession.isSecurityEnabled() ? "security.enabled" : "security.disabled";
return messages.getMessage(msg); return messages.getMessage(msg);
} }
} }

135
src/main/java/org/owasp/webgoat/container/session/Course.java
View File

@ -1,36 +1,36 @@
package org.owasp.webgoat.container.session; package org.owasp.webgoat.container.session;
import java.util.List;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.container.lessons.Category; import org.owasp.webgoat.container.lessons.Category;
import org.owasp.webgoat.container.lessons.Lesson; import org.owasp.webgoat.container.lessons.Lesson;
import java.util.List;
/** /**
* ************************************************************************************************ * ************************************************************************************************
*
* <p> * <p>
* * <p>
* <p>This file is part of WebGoat, an Open Web Application Security Project utility. For details, * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/ * please see http://www.owasp.org/
* * <p>
* <p>Copyright (c) 2002 - 2014 Bruce Mayhew * Copyright (c) 2002 - 2014 Bruce Mayhew
* * <p>
* <p>This program is free software; you can redistribute it and/or modify it under the terms of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version. * License, or (at your option) any later version.
* * <p>
* <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* GNU General Public License for more details. * General Public License for more details.
* * <p>
* <p>You should have received a copy of the GNU General Public License along with this program; if * You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA. * 02111-1307, USA.
* * <p>
* <p>Getting Source ============== * Getting Source ==============
* * <p>
* <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* for free software projects. * projects.
* *
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a> * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @version $Id: $Id * @version $Id: $Id
@ -39,61 +39,60 @@ import org.owasp.webgoat.container.lessons.Lesson;
@Slf4j @Slf4j
public class Course { public class Course {
private List<Lesson> lessons; private List<Lesson> lessons;
public Course(List<Lesson> lessons) { public Course(List<Lesson> lessons) {
this.lessons = lessons; this.lessons = lessons;
} }
/** /**
* Gets the categories attribute of the Course object * Gets the categories attribute of the Course object
* *
* @return The categories value * @return The categories value
*/ */
public List<Category> getCategories() { public List<Category> getCategories() {
return lessons.parallelStream().map(Lesson::getCategory).distinct().sorted().toList(); return lessons.parallelStream().map(Lesson::getCategory).distinct().sorted().toList();
} }
/** /**
* Gets the firstLesson attribute of the Course object * Gets the firstLesson attribute of the Course object
* *
* @return The firstLesson value * @return The firstLesson value
*/ */
public Lesson getFirstLesson() { public Lesson getFirstLesson() {
// Category 0 is the admin function. We want the first real category // Category 0 is the admin function. We want the first real category
// to be returned. This is normally the General category and the Http Basics lesson // to be returned. This is normally the General category and the Http Basics lesson
return getLessons(getCategories().get(0)).get(0); return getLessons(getCategories().get(0)).get(0);
} }
/** /**
* Getter for the field <code>lessons</code>. * <p>Getter for the field <code>lessons</code>.</p>
* *
* @return a {@link java.util.List} object. * @return a {@link java.util.List} object.
*/ */
public List<Lesson> getLessons() { public List<Lesson> getLessons() {
return this.lessons; return this.lessons;
} }
/** /**
* Getter for the field <code>lessons</code>. * <p>Getter for the field <code>lessons</code>.</p>
* *
* @param category a {@link org.owasp.webgoat.container.lessons.Category} object. * @param category a {@link org.owasp.webgoat.container.lessons.Category} object.
* @return a {@link java.util.List} object. * @return a {@link java.util.List} object.
*/ */
public List<Lesson> getLessons(Category category) { public List<Lesson> getLessons(Category category) {
return this.lessons.stream().filter(l -> l.getCategory() == category).toList(); return this.lessons.stream().filter(l -> l.getCategory() == category).toList();
} }
public void setLessons(List<Lesson> lessons) { public void setLessons(List<Lesson> lessons) {
this.lessons = lessons; this.lessons = lessons;
} }
public int getTotalOfLessons() { public int getTotalOfLessons() {
return this.lessons.size(); return this.lessons.size();
} }
public int getTotalOfAssignments() { public int getTotalOfAssignments() {
return this.lessons.stream() return this.lessons.stream().reduce(0, (total, lesson) -> lesson.getAssignments().size() + total, Integer::sum);
.reduce(0, (total, lesson) -> lesson.getAssignments().size() + total, Integer::sum); }
}
} }

56
src/main/java/org/owasp/webgoat/container/session/LabelDebugger.java
View File

@ -3,40 +3,44 @@ package org.owasp.webgoat.container.session;
import java.io.Serializable; import java.io.Serializable;
/** /**
* LabelDebugger class. * <p>LabelDebugger class.</p>
* *
* @author dm * @author dm
* @version $Id: $Id * @version $Id: $Id
*/ */
public class LabelDebugger implements Serializable { public class LabelDebugger implements Serializable {
private boolean enabled = false; private boolean enabled = false;
/** /**
* isEnabled. * <p>isEnabled.</p>
* *
* @return a boolean. * @return a boolean.
*/ */
public boolean isEnabled() { public boolean isEnabled() {
return enabled; return enabled;
} }
/** Enables label debugging */ /**
public void enable() { * <p>Enables label debugging</p>
this.enabled = true; */
} public void enable() {
this.enabled = true;
}
/** Disables label debugging */ /**
public void disable() { * <p>Disables label debugging</p>
this.enabled = false; */
} public void disable() {
this.enabled = false;
}
/**
* <p>Sets the status to enabled</p>
* @param enabled {@link org.owasp.webgoat.container.session.LabelDebugger} object
*/
public void setEnabled(boolean enabled) {
this.enabled = enabled;
}
/**
* Sets the status to enabled
*
* @param enabled {@link org.owasp.webgoat.container.session.LabelDebugger} object
*/
public void setEnabled(boolean enabled) {
this.enabled = enabled;
}
} }

46
src/main/java/org/owasp/webgoat/container/session/UserSessionData.java
View File

@ -2,31 +2,35 @@ package org.owasp.webgoat.container.session;
import java.util.HashMap; import java.util.HashMap;
/** Created by jason on 1/4/17. */ /**
* Created by jason on 1/4/17.
*/
public class UserSessionData { public class UserSessionData {
private HashMap<String, Object> userSessionData = new HashMap<>(); private HashMap<String,Object> userSessionData = new HashMap<>();
public UserSessionData() {} public UserSessionData() {
public UserSessionData(String key, String value) {
setValue(key, value);
}
// GETTERS & SETTERS
public Object getValue(String key) {
if (!userSessionData.containsKey(key)) {
return null;
} }
// else
return userSessionData.get(key);
}
public void setValue(String key, Object value) { public UserSessionData(String key, String value) {
if (userSessionData.containsKey(key)) { setValue(key,value);
userSessionData.replace(key, value);
} else {
userSessionData.put(key, value);
} }
}
//GETTERS & SETTERS
public Object getValue(String key) {
if (!userSessionData.containsKey(key)) {
return null;
}
// else
return userSessionData.get(key);
}
public void setValue(String key, Object value) {
if (userSessionData.containsKey(key)) {
userSessionData.replace(key,value);
} else {
userSessionData.put(key,value);
}
}
} }

127
src/main/java/org/owasp/webgoat/container/session/WebSession.java
View File

@ -1,36 +1,34 @@
package org.owasp.webgoat.container.session; package org.owasp.webgoat.container.session;
import java.io.Serializable;
import org.owasp.webgoat.container.lessons.Lesson; import org.owasp.webgoat.container.lessons.Lesson;
import org.owasp.webgoat.container.users.WebGoatUser; import org.owasp.webgoat.container.users.WebGoatUser;
import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolder;
import java.io.Serializable;
/** /**
* ************************************************************************************************* * *************************************************************************************************
*
* <p> * <p>
* * <p>
* <p>This file is part of WebGoat, an Open Web Application Security Project utility. For details, * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see
* please see http://www.owasp.org/ * http://www.owasp.org/
* * <p>
* <p>Copyright (c) 2002 - 2014 Bruce Mayhew * Copyright (c) 2002 - 2014 Bruce Mayhew
* * <p>
* <p>This program is free software; you can redistribute it and/or modify it under the terms of the * This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later
* License, or (at your option) any later version. * version.
* * <p>
* <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
* without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
* GNU General Public License for more details. * <p>
* * You should have received a copy of the GNU General Public License along with this program; if not, write to the Free
* <p>You should have received a copy of the GNU General Public License along with this program; if * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * <p>
* 02111-1307, USA. * Getting Source ==============
* * <p>
* <p>Getting Source ============== * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* * projects.
* <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
* *
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a> * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a> * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
@ -39,52 +37,51 @@ import org.springframework.security.core.context.SecurityContextHolder;
*/ */
public class WebSession implements Serializable { public class WebSession implements Serializable {
private static final long serialVersionUID = -4270066103101711560L; private static final long serialVersionUID = -4270066103101711560L;
private final WebGoatUser currentUser; private final WebGoatUser currentUser;
private transient Lesson currentLesson; private transient Lesson currentLesson;
private boolean securityEnabled; private boolean securityEnabled;
public WebSession() { public WebSession() {
this.currentUser = this.currentUser = (WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
(WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal(); }
}
/** /**
* Setter for the field <code>currentScreen</code>. * <p> Setter for the field <code>currentScreen</code>. </p>
* *
* @param lesson current lesson * @param lesson current lesson
*/ */
public void setCurrentLesson(Lesson lesson) { public void setCurrentLesson(Lesson lesson) {
this.currentLesson = lesson; this.currentLesson = lesson;
} }
/** /**
* getCurrentLesson. * <p> getCurrentLesson. </p>
* *
* @return a {@link Lesson} object. * @return a {@link Lesson} object.
*/ */
public Lesson getCurrentLesson() { public Lesson getCurrentLesson() {
return this.currentLesson; return this.currentLesson;
} }
/** /**
* Gets the userName attribute of the WebSession object * Gets the userName attribute of the WebSession object
* *
* @return The userName value * @return The userName value
*/ */
public String getUserName() { public String getUserName() {
return currentUser.getUsername(); return currentUser.getUsername();
} }
public WebGoatUser getUser() { public WebGoatUser getUser() {
return currentUser; return currentUser;
} }
public void toggleSecurity() { public void toggleSecurity() {
this.securityEnabled = !this.securityEnabled; this.securityEnabled = !this.securityEnabled;
} }
public boolean isSecurityEnabled() { public boolean isSecurityEnabled() {
return securityEnabled; return securityEnabled;
} }
} }

163
src/main/java/org/owasp/webgoat/container/users/LessonTracker.java
View File

@ -1,38 +1,40 @@
package org.owasp.webgoat.container.users; package org.owasp.webgoat.container.users;
import lombok.Getter;
import org.owasp.webgoat.container.lessons.Lesson;
import org.owasp.webgoat.container.lessons.Assignment;
import javax.persistence.*;
import java.util.*; import java.util.*;
import java.util.stream.Collectors; import java.util.stream.Collectors;
import javax.persistence.*;
import lombok.Getter;
import org.owasp.webgoat.container.lessons.Assignment;
import org.owasp.webgoat.container.lessons.Lesson;
/** /**
* ************************************************************************************************ * ************************************************************************************************
*
* <p> * <p>
* * <p>
* <p>This file is part of WebGoat, an Open Web Application Security Project utility. For details, * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/ * please see http://www.owasp.org/
* * <p>
* <p>Copyright (c) 2002 - 2014 Bruce Mayhew * Copyright (c) 2002 - 2014 Bruce Mayhew
* * <p>
* <p>This program is free software; you can redistribute it and/or modify it under the terms of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version. * License, or (at your option) any later version.
* * <p>
* <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* GNU General Public License for more details. * General Public License for more details.
* * <p>
* <p>You should have received a copy of the GNU General Public License along with this program; if * You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA. * 02111-1307, USA.
* * <p>
* <p>Getting Source ============== * Getting Source ==============
* * <p>
* <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* for free software projects. * projects.
* *
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a> * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @version $Id: $Id * @version $Id: $Id
@ -41,69 +43,72 @@ import org.owasp.webgoat.container.lessons.Lesson;
@Entity @Entity
public class LessonTracker { public class LessonTracker {
@Id @Id
@GeneratedValue(strategy = GenerationType.AUTO) @GeneratedValue(strategy = GenerationType.AUTO)
private Long id; private Long id;
@Getter
private String lessonName;
@OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER)
private final Set<Assignment> solvedAssignments = new HashSet<>();
@OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER)
private final Set<Assignment> allAssignments = new HashSet<>();
@Getter
private int numberOfAttempts = 0;
@Version
private Integer version;
@Getter private String lessonName; private LessonTracker() {
//JPA
}
@OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER) public LessonTracker(Lesson lesson) {
private final Set<Assignment> solvedAssignments = new HashSet<>(); lessonName = lesson.getId();
allAssignments.addAll(lesson.getAssignments() == null ? List.of() : lesson.getAssignments());
}
@OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER) public Optional<Assignment> getAssignment(String name) {
private final Set<Assignment> allAssignments = new HashSet<>(); return allAssignments.stream().filter(a -> a.getName().equals(name)).findFirst();
}
@Getter private int numberOfAttempts = 0; /**
@Version private Integer version; * Mark an assignment as solved
*
* @param solvedAssignment the assignment which the user solved
*/
public void assignmentSolved(String solvedAssignment) {
getAssignment(solvedAssignment).ifPresent(solvedAssignments::add);
}
private LessonTracker() { /**
// JPA * @return did they user solved all solvedAssignments for the lesson?
} */
public boolean isLessonSolved() {
return allAssignments.size() == solvedAssignments.size();
}
public LessonTracker(Lesson lesson) { /**
lessonName = lesson.getId(); * Increase the number attempts to solve the lesson
allAssignments.addAll(lesson.getAssignments() == null ? List.of() : lesson.getAssignments()); */
} public void incrementAttempts() {
numberOfAttempts++;
}
public Optional<Assignment> getAssignment(String name) { /**
return allAssignments.stream().filter(a -> a.getName().equals(name)).findFirst(); * Reset the tracker. We do not reset the number of attempts here!
} */
void reset() {
solvedAssignments.clear();
}
/** /**
* Mark an assignment as solved * @return list containing all the assignments solved or not
* */
* @param solvedAssignment the assignment which the user solved public Map<Assignment, Boolean> getLessonOverview() {
*/ List<Assignment> notSolved = allAssignments.stream()
public void assignmentSolved(String solvedAssignment) { .filter(i -> !solvedAssignments.contains(i))
getAssignment(solvedAssignment).ifPresent(solvedAssignments::add); .toList();
} Map<Assignment, Boolean> overview = notSolved.stream().collect(Collectors.toMap(a -> a, b -> false));
overview.putAll(solvedAssignments.stream().collect(Collectors.toMap(a -> a, b -> true)));
/** return overview;
* @return did they user solved all solvedAssignments for the lesson? }
*/
public boolean isLessonSolved() {
return allAssignments.size() == solvedAssignments.size();
}
/** Increase the number attempts to solve the lesson */
public void incrementAttempts() {
numberOfAttempts++;
}
/** Reset the tracker. We do not reset the number of attempts here! */
void reset() {
solvedAssignments.clear();
}
/**
* @return list containing all the assignments solved or not
*/
public Map<Assignment, Boolean> getLessonOverview() {
List<Assignment> notSolved =
allAssignments.stream().filter(i -> !solvedAssignments.contains(i)).toList();
Map<Assignment, Boolean> overview =
notSolved.stream().collect(Collectors.toMap(a -> a, b -> false));
overview.putAll(solvedAssignments.stream().collect(Collectors.toMap(a -> a, b -> true)));
return overview;
}
} }

47
src/main/java/org/owasp/webgoat/container/users/RegistrationController.java
View File

@ -1,8 +1,5 @@
package org.owasp.webgoat.container.users; package org.owasp.webgoat.container.users;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.validation.Valid;
import lombok.AllArgsConstructor; import lombok.AllArgsConstructor;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.AuthenticationManager;
@ -12,6 +9,10 @@ import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ModelAttribute; import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.PostMapping;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.validation.Valid;
/** /**
* @author nbaars * @author nbaars
* @since 3/19/17. * @since 3/19/17.
@ -21,29 +22,25 @@ import org.springframework.web.bind.annotation.PostMapping;
@Slf4j @Slf4j
public class RegistrationController { public class RegistrationController {
private UserValidator userValidator; private UserValidator userValidator;
private UserService userService; private UserService userService;
private AuthenticationManager authenticationManager; private AuthenticationManager authenticationManager;
@GetMapping("/registration") @GetMapping("/registration")
public String showForm(UserForm userForm) { public String showForm(UserForm userForm) {
return "registration"; return "registration";
}
@PostMapping("/register.mvc")
public String registration(
@ModelAttribute("userForm") @Valid UserForm userForm,
BindingResult bindingResult,
HttpServletRequest request)
throws ServletException {
userValidator.validate(userForm, bindingResult);
if (bindingResult.hasErrors()) {
return "registration";
} }
userService.addUser(userForm.getUsername(), userForm.getPassword());
request.login(userForm.getUsername(), userForm.getPassword());
return "redirect:/attack"; @PostMapping("/register.mvc")
} public String registration(@ModelAttribute("userForm") @Valid UserForm userForm, BindingResult bindingResult, HttpServletRequest request) throws ServletException {
userValidator.validate(userForm, bindingResult);
if (bindingResult.hasErrors()) {
return "registration";
}
userService.addUser(userForm.getUsername(), userForm.getPassword());
request.login(userForm.getUsername(), userForm.getPassword());
return "redirect:/attack";
}
} }

106
src/main/java/org/owasp/webgoat/container/users/Scoreboard.java
View File

@ -1,8 +1,5 @@
package org.owasp.webgoat.container.users; package org.owasp.webgoat.container.users;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import lombok.AllArgsConstructor; import lombok.AllArgsConstructor;
import lombok.Getter; import lombok.Getter;
import org.owasp.webgoat.container.i18n.PluginMessages; import org.owasp.webgoat.container.i18n.PluginMessages;
@ -11,6 +8,10 @@ import org.owasp.webgoat.container.session.Course;
import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController; import org.springframework.web.bind.annotation.RestController;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
/** /**
* Temp endpoint just for the CTF. * Temp endpoint just for the CTF.
* *
@ -21,63 +22,52 @@ import org.springframework.web.bind.annotation.RestController;
@AllArgsConstructor @AllArgsConstructor
public class Scoreboard { public class Scoreboard {
private final UserTrackerRepository userTrackerRepository; private final UserTrackerRepository userTrackerRepository;
private final UserRepository userRepository; private final UserRepository userRepository;
private final Course course; private final Course course;
private final PluginMessages pluginMessages; private final PluginMessages pluginMessages;
@AllArgsConstructor @AllArgsConstructor
@Getter @Getter
private class Ranking { private class Ranking {
private String username; private String username;
private List<String> flagsCaptured; private List<String> flagsCaptured;
}
@GetMapping("/scoreboard-data")
public List<Ranking> getRankings() {
List<WebGoatUser> allUsers = userRepository.findAll();
List<Ranking> rankings = new ArrayList<>();
for (WebGoatUser user : allUsers) {
if (user.getUsername().startsWith("csrf-")) {
// the csrf- assignment specific users do not need to be in the overview
continue;
}
UserTracker userTracker = userTrackerRepository.findByUser(user.getUsername());
rankings.add(new Ranking(user.getUsername(), challengesSolved(userTracker)));
} }
/* sort on number of captured flags to present an ordered ranking */
rankings.sort((o1, o2) -> o2.getFlagsCaptured().size() - o1.getFlagsCaptured().size());
return rankings;
}
private List<String> challengesSolved(UserTracker userTracker) { @GetMapping("/scoreboard-data")
List<String> challenges = public List<Ranking> getRankings() {
List.of( List<WebGoatUser> allUsers = userRepository.findAll();
"Challenge1", List<Ranking> rankings = new ArrayList<>();
"Challenge2", for (WebGoatUser user : allUsers) {
"Challenge3", if (user.getUsername().startsWith("csrf-")) {
"Challenge4", //the csrf- assignment specific users do not need to be in the overview
"Challenge5", continue;
"Challenge6", }
"Challenge7", UserTracker userTracker = userTrackerRepository.findByUser(user.getUsername());
"Challenge8", rankings.add(new Ranking(user.getUsername(), challengesSolved(userTracker)));
"Challenge9"); }
return challenges.stream() /* sort on number of captured flags to present an ordered ranking */
.map(userTracker::getLessonTracker) rankings.sort((o1, o2) -> o2.getFlagsCaptured().size() - o1.getFlagsCaptured().size());
.flatMap(Optional::stream) return rankings;
.filter(LessonTracker::isLessonSolved) }
.map(LessonTracker::getLessonName)
.map(this::toLessonTitle)
.toList();
}
private String toLessonTitle(String id) { private List<String> challengesSolved(UserTracker userTracker) {
String titleKey = List<String> challenges = List.of("Challenge1", "Challenge2", "Challenge3", "Challenge4", "Challenge5", "Challenge6", "Challenge7", "Challenge8", "Challenge9");
course.getLessons().stream() return challenges.stream()
.filter(l -> l.getId().equals(id)) .map(userTracker::getLessonTracker)
.findFirst() .flatMap(Optional::stream)
.map(Lesson::getTitle) .filter(LessonTracker::isLessonSolved)
.orElse("No title"); .map(LessonTracker::getLessonName)
return pluginMessages.getMessage(titleKey, titleKey); .map(this::toLessonTitle)
} .toList();
}
private String toLessonTitle(String id) {
String titleKey = course.getLessons().stream()
.filter(l -> l.getId().equals(id))
.findFirst()
.map(Lesson::getTitle)
.orElse("No title");
return pluginMessages.getMessage(titleKey, titleKey);
}
} }

31
src/main/java/org/owasp/webgoat/container/users/UserForm.java
View File

@ -1,10 +1,11 @@
package org.owasp.webgoat.container.users; package org.owasp.webgoat.container.users;
import lombok.Getter;
import lombok.Setter;
import javax.validation.constraints.NotNull; import javax.validation.constraints.NotNull;
import javax.validation.constraints.Pattern; import javax.validation.constraints.Pattern;
import javax.validation.constraints.Size; import javax.validation.constraints.Size;
import lombok.Getter;
import lombok.Setter;
/** /**
* @author nbaars * @author nbaars
@ -14,18 +15,16 @@ import lombok.Setter;
@Setter @Setter
public class UserForm { public class UserForm {
@NotNull @NotNull
@Size(min = 6, max = 45) @Size(min = 6, max = 45)
@Pattern(regexp = "[a-z0-9-]*", message = "can only contain lowercase letters, digits, and -") @Pattern(regexp = "[a-z0-9-]*", message = "can only contain lowercase letters, digits, and -")
private String username; private String username;
@NotNull
@NotNull @Size(min = 6, max = 10)
@Size(min = 6, max = 10) private String password;
private String password; @NotNull
@Size(min = 6, max = 10)
@NotNull private String matchingPassword;
@Size(min = 6, max = 10) @NotNull
private String matchingPassword; private String agree;
@NotNull private String agree;
} }

10
src/main/java/org/owasp/webgoat/container/users/UserRepository.java
View File

@ -1,17 +1,19 @@
package org.owasp.webgoat.container.users; package org.owasp.webgoat.container.users;
import java.util.List;
import org.springframework.data.jpa.repository.JpaRepository; import org.springframework.data.jpa.repository.JpaRepository;
import java.util.List;
/** /**
* @author nbaars * @author nbaars
* @since 3/19/17. * @since 3/19/17.
*/ */
public interface UserRepository extends JpaRepository<WebGoatUser, String> { public interface UserRepository extends JpaRepository<WebGoatUser, String> {
WebGoatUser findByUsername(String username); WebGoatUser findByUsername(String username);
List<WebGoatUser> findAll(); List<WebGoatUser> findAll();
boolean existsByUsername(String username);
boolean existsByUsername(String username);
} }

67
src/main/java/org/owasp/webgoat/container/users/UserService.java
View File

@ -1,7 +1,5 @@
package org.owasp.webgoat.container.users; package org.owasp.webgoat.container.users;
import java.util.List;
import java.util.function.Function;
import lombok.AllArgsConstructor; import lombok.AllArgsConstructor;
import org.flywaydb.core.Flyway; import org.flywaydb.core.Flyway;
import org.owasp.webgoat.container.lessons.Initializeable; import org.owasp.webgoat.container.lessons.Initializeable;
@ -10,6 +8,9 @@ import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service; import org.springframework.stereotype.Service;
import java.util.List;
import java.util.function.Function;
/** /**
* @author nbaars * @author nbaars
* @since 3/19/17. * @since 3/19/17.
@ -18,42 +19,42 @@ import org.springframework.stereotype.Service;
@AllArgsConstructor @AllArgsConstructor
public class UserService implements UserDetailsService { public class UserService implements UserDetailsService {
private final UserRepository userRepository; private final UserRepository userRepository;
private final UserTrackerRepository userTrackerRepository; private final UserTrackerRepository userTrackerRepository;
private final JdbcTemplate jdbcTemplate; private final JdbcTemplate jdbcTemplate;
private final Function<String, Flyway> flywayLessons; private final Function<String, Flyway> flywayLessons;
private final List<Initializeable> lessonInitializables; private final List<Initializeable> lessonInitializables;
@Override @Override
public WebGoatUser loadUserByUsername(String username) throws UsernameNotFoundException { public WebGoatUser loadUserByUsername(String username) throws UsernameNotFoundException {
WebGoatUser webGoatUser = userRepository.findByUsername(username); WebGoatUser webGoatUser = userRepository.findByUsername(username);
if (webGoatUser == null) { if (webGoatUser == null) {
throw new UsernameNotFoundException("User not found"); throw new UsernameNotFoundException("User not found");
} else { } else {
webGoatUser.createUser(); webGoatUser.createUser();
lessonInitializables.forEach(l -> l.initialize(webGoatUser)); lessonInitializables.forEach(l -> l.initialize(webGoatUser));
}
return webGoatUser;
} }
return webGoatUser;
}
public void addUser(String username, String password) { public void addUser(String username, String password) {
// get user if there exists one by the name //get user if there exists one by the name
var userAlreadyExists = userRepository.existsByUsername(username); var userAlreadyExists = userRepository.existsByUsername(username);
var webGoatUser = userRepository.save(new WebGoatUser(username, password)); var webGoatUser = userRepository.save(new WebGoatUser(username, password));
if (!userAlreadyExists) { if (!userAlreadyExists) {
userTrackerRepository.save( userTrackerRepository.save(new UserTracker(username)); //if user previously existed it will not get another tracker
new UserTracker(username)); // if user previously existed it will not get another tracker createLessonsForUser(webGoatUser);
createLessonsForUser(webGoatUser); }
} }
}
private void createLessonsForUser(WebGoatUser webGoatUser) { private void createLessonsForUser(WebGoatUser webGoatUser) {
jdbcTemplate.execute("CREATE SCHEMA \"" + webGoatUser.getUsername() + "\" authorization dba"); jdbcTemplate.execute("CREATE SCHEMA \"" + webGoatUser.getUsername() + "\" authorization dba");
flywayLessons.apply(webGoatUser.getUsername()).migrate(); flywayLessons.apply(webGoatUser.getUsername()).migrate();
} }
public List<WebGoatUser> getAllUsers() {
return userRepository.findAll();
}
public List<WebGoatUser> getAllUsers() {
return userRepository.findAll();
}
} }

5
src/main/java/org/owasp/webgoat/container/users/UserSession.java
View File

@ -15,6 +15,7 @@ import org.springframework.data.annotation.Id;
@NoArgsConstructor(access = AccessLevel.PROTECTED) @NoArgsConstructor(access = AccessLevel.PROTECTED)
public class UserSession { public class UserSession {
private WebGoatUser webGoatUser; private WebGoatUser webGoatUser;
@Id private String sessionId; @Id
private String sessionId;
} }

187
src/main/java/org/owasp/webgoat/container/users/UserTracker.java
View File

@ -1,41 +1,43 @@
package org.owasp.webgoat.container.users; package org.owasp.webgoat.container.users;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.container.lessons.Lesson;
import org.owasp.webgoat.container.lessons.Assignment;
import javax.persistence.*;
import java.util.HashSet; import java.util.HashSet;
import java.util.Map; import java.util.Map;
import java.util.Optional; import java.util.Optional;
import java.util.Set; import java.util.Set;
import java.util.stream.Collectors; import java.util.stream.Collectors;
import javax.persistence.*;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.container.lessons.Assignment;
import org.owasp.webgoat.container.lessons.Lesson;
/** /**
* ************************************************************************************************ * ************************************************************************************************
*
* <p> * <p>
* * <p>
* <p>This file is part of WebGoat, an Open Web Application Security Project utility. For details, * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/ * please see http://www.owasp.org/
* * <p>
* <p>Copyright (c) 2002 - 2014 Bruce Mayhew * Copyright (c) 2002 - 2014 Bruce Mayhew
* * <p>
* <p>This program is free software; you can redistribute it and/or modify it under the terms of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version. * License, or (at your option) any later version.
* * <p>
* <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* GNU General Public License for more details. * General Public License for more details.
* * <p>
* <p>You should have received a copy of the GNU General Public License along with this program; if * You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA. * 02111-1307, USA.
* * <p>
* <p>Getting Source ============== * Getting Source ==============
* * <p>
* <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* for free software projects. * projects.
* *
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a> * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @version $Id: $Id * @version $Id: $Id
@ -45,83 +47,80 @@ import org.owasp.webgoat.container.lessons.Lesson;
@Entity @Entity
public class UserTracker { public class UserTracker {
@Id @Id
@GeneratedValue(strategy = GenerationType.AUTO) @GeneratedValue(strategy = GenerationType.AUTO)
private Long id; private Long id;
@Column(name = "username")
private String user;
@OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER)
private Set<LessonTracker> lessonTrackers = new HashSet<>();
@Column(name = "username") private UserTracker() {}
private String user;
@OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER) public UserTracker(final String user) {
private Set<LessonTracker> lessonTrackers = new HashSet<>(); this.user = user;
private UserTracker() {}
public UserTracker(final String user) {
this.user = user;
}
/**
* Returns an existing lesson tracker or create a new one based on the lesson
*
* @param lesson the lesson
* @return a lesson tracker created if not already present
*/
public LessonTracker getLessonTracker(Lesson lesson) {
Optional<LessonTracker> lessonTracker =
lessonTrackers.stream().filter(l -> l.getLessonName().equals(lesson.getId())).findFirst();
if (!lessonTracker.isPresent()) {
LessonTracker newLessonTracker = new LessonTracker(lesson);
lessonTrackers.add(newLessonTracker);
return newLessonTracker;
} else {
return lessonTracker.get();
} }
}
/** /**
* Query method for finding a specific lesson tracker based on id * Returns an existing lesson tracker or create a new one based on the lesson
* *
* @param id the id of the lesson * @param lesson the lesson
* @return optional due to the fact we can only create a lesson tracker based on a lesson * @return a lesson tracker created if not already present
*/ */
public Optional<LessonTracker> getLessonTracker(String id) { public LessonTracker getLessonTracker(Lesson lesson) {
return lessonTrackers.stream().filter(l -> l.getLessonName().equals(id)).findFirst(); Optional<LessonTracker> lessonTracker = lessonTrackers
} .stream().filter(l -> l.getLessonName().equals(lesson.getId())).findFirst();
if (!lessonTracker.isPresent()) {
public void assignmentSolved(Lesson lesson, String assignmentName) { LessonTracker newLessonTracker = new LessonTracker(lesson);
LessonTracker lessonTracker = getLessonTracker(lesson); lessonTrackers.add(newLessonTracker);
lessonTracker.incrementAttempts(); return newLessonTracker;
lessonTracker.assignmentSolved(assignmentName); } else {
} return lessonTracker.get();
}
public void assignmentFailed(Lesson lesson) {
LessonTracker lessonTracker = getLessonTracker(lesson);
lessonTracker.incrementAttempts();
}
public void reset(Lesson al) {
LessonTracker lessonTracker = getLessonTracker(al);
lessonTracker.reset();
}
public int numberOfLessonsSolved() {
int numberOfLessonsSolved = 0;
for (LessonTracker lessonTracker : lessonTrackers) {
if (lessonTracker.isLessonSolved()) {
numberOfLessonsSolved = numberOfLessonsSolved + 1;
}
} }
return numberOfLessonsSolved;
}
public int numberOfAssignmentsSolved() { /**
int numberOfAssignmentsSolved = 0; * Query method for finding a specific lesson tracker based on id
for (LessonTracker lessonTracker : lessonTrackers) { *
Map<Assignment, Boolean> lessonOverview = lessonTracker.getLessonOverview(); * @param id the id of the lesson
numberOfAssignmentsSolved = * @return optional due to the fact we can only create a lesson tracker based on a lesson
lessonOverview.values().stream().filter(b -> b).collect(Collectors.counting()).intValue(); */
public Optional<LessonTracker> getLessonTracker(String id) {
return lessonTrackers.stream().filter(l -> l.getLessonName().equals(id)).findFirst();
}
public void assignmentSolved(Lesson lesson, String assignmentName) {
LessonTracker lessonTracker = getLessonTracker(lesson);
lessonTracker.incrementAttempts();
lessonTracker.assignmentSolved(assignmentName);
}
public void assignmentFailed(Lesson lesson) {
LessonTracker lessonTracker = getLessonTracker(lesson);
lessonTracker.incrementAttempts();
}
public void reset(Lesson al) {
LessonTracker lessonTracker = getLessonTracker(al);
lessonTracker.reset();
}
public int numberOfLessonsSolved() {
int numberOfLessonsSolved = 0;
for (LessonTracker lessonTracker : lessonTrackers) {
if (lessonTracker.isLessonSolved()) {
numberOfLessonsSolved = numberOfLessonsSolved + 1;
}
}
return numberOfLessonsSolved;
}
public int numberOfAssignmentsSolved() {
int numberOfAssignmentsSolved = 0;
for (LessonTracker lessonTracker : lessonTrackers) {
Map<Assignment, Boolean> lessonOverview = lessonTracker.getLessonOverview();
numberOfAssignmentsSolved = lessonOverview.values().stream().filter(b -> b).collect(Collectors.counting()).intValue();
}
return numberOfAssignmentsSolved;
} }
return numberOfAssignmentsSolved;
}
} }

3
src/main/java/org/owasp/webgoat/container/users/UserTrackerRepository.java
View File

@ -8,5 +8,6 @@ import org.springframework.data.jpa.repository.JpaRepository;
*/ */
public interface UserTrackerRepository extends JpaRepository<UserTracker, String> { public interface UserTrackerRepository extends JpaRepository<UserTracker, String> {
UserTracker findByUser(String user); UserTracker findByUser(String user);
} }

30
src/main/java/org/owasp/webgoat/container/users/UserValidator.java
View File

@ -13,23 +13,23 @@ import org.springframework.validation.Validator;
@AllArgsConstructor @AllArgsConstructor
public class UserValidator implements Validator { public class UserValidator implements Validator {
private final UserRepository userRepository; private final UserRepository userRepository;
@Override @Override
public boolean supports(Class<?> clazz) { public boolean supports(Class<?> clazz) {
return UserForm.class.equals(clazz); return UserForm.class.equals(clazz);
}
@Override
public void validate(Object o, Errors errors) {
UserForm userForm = (UserForm) o;
if (userRepository.findByUsername(userForm.getUsername()) != null) {
errors.rejectValue("username", "username.duplicate");
} }
if (!userForm.getMatchingPassword().equals(userForm.getPassword())) { @Override
errors.rejectValue("matchingPassword", "password.diff"); public void validate(Object o, Errors errors) {
UserForm userForm = (UserForm) o;
if (userRepository.findByUsername(userForm.getUsername()) != null) {
errors.rejectValue("username", "username.duplicate");
}
if (!userForm.getMatchingPassword().equals(userForm.getPassword())) {
errors.rejectValue("matchingPassword", "password.diff");
}
} }
}
} }

124
src/main/java/org/owasp/webgoat/container/users/WebGoatUser.java
View File

@ -1,16 +1,17 @@
package org.owasp.webgoat.container.users; package org.owasp.webgoat.container.users;
import java.util.Collection;
import java.util.Collections;
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.Transient;
import lombok.Getter; import lombok.Getter;
import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetails;
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.Transient;
import java.util.Collection;
import java.util.Collections;
/** /**
* @author nbaars * @author nbaars
* @since 3/19/17. * @since 3/19/17.
@ -19,72 +20,79 @@ import org.springframework.security.core.userdetails.UserDetails;
@Entity @Entity
public class WebGoatUser implements UserDetails { public class WebGoatUser implements UserDetails {
public static final String ROLE_USER = "WEBGOAT_USER"; public static final String ROLE_USER = "WEBGOAT_USER";
public static final String ROLE_ADMIN = "WEBGOAT_ADMIN"; public static final String ROLE_ADMIN = "WEBGOAT_ADMIN";
@Id private String username; @Id
private String password; private String username;
private String role = ROLE_USER; private String password;
@Transient private User user; private String role = ROLE_USER;
@Transient
private User user;
protected WebGoatUser() {} protected WebGoatUser() {
}
public WebGoatUser(String username, String password) { public WebGoatUser(String username, String password) {
this(username, password, ROLE_USER); this(username, password, ROLE_USER);
} }
public WebGoatUser(String username, String password, String role) { public WebGoatUser(String username, String password, String role) {
this.username = username; this.username = username;
this.password = password; this.password = password;
this.role = role; this.role = role;
createUser(); createUser();
} }
public void createUser() {
this.user = new User(username, password, getAuthorities());
}
public Collection<? extends GrantedAuthority> getAuthorities() { public void createUser() {
return Collections.singleton(new SimpleGrantedAuthority(getRole())); this.user = new User(username, password, getAuthorities());
} }
public String getRole() { public Collection<? extends GrantedAuthority> getAuthorities() {
return this.role; return Collections.singleton(new SimpleGrantedAuthority(getRole()));
} }
public String getUsername() { public String getRole() {
return this.username; return this.role;
} }
public String getPassword() { public String getUsername() {
return this.password; return this.username;
} }
@Override public String getPassword() {
public boolean isAccountNonExpired() { return this.password;
return this.user.isAccountNonExpired(); }
}
@Override @Override
public boolean isAccountNonLocked() { public boolean isAccountNonExpired() {
return this.user.isAccountNonLocked(); return this.user.isAccountNonExpired();
} }
@Override @Override
public boolean isCredentialsNonExpired() { public boolean isAccountNonLocked() {
return this.user.isCredentialsNonExpired(); return this.user.isAccountNonLocked();
} }
@Override @Override
public boolean isEnabled() { public boolean isCredentialsNonExpired() {
return this.user.isEnabled(); return this.user.isCredentialsNonExpired();
} }
public boolean equals(Object obj) { @Override
return obj instanceof WebGoatUser webGoatUser && this.user.equals(webGoatUser.user); public boolean isEnabled() {
} return this.user.isEnabled();
}
public boolean equals(Object obj) {
return obj instanceof WebGoatUser webGoatUser && this.user.equals(webGoatUser.user);
}
public int hashCode() {
return user.hashCode();
}
public int hashCode() {
return user.hashCode();
}
} }

87
src/main/java/org/owasp/webgoat/lessons/auth_bypass/AccountVerificationHelper.java Normal file
View File

@ -0,0 +1,87 @@
/*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2019 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/
package org.owasp.webgoat.lessons.auth_bypass;
import java.util.HashMap;
import java.util.Map;
/**
* Created by appsec on 7/18/17.
*/
public class AccountVerificationHelper {
//simulating database storage of verification credentials
private static final Integer verifyUserId = 1223445;
private static final Map<String, String> userSecQuestions = new HashMap<>();
static {
userSecQuestions.put("secQuestion0", "Dr. Watson");
userSecQuestions.put("secQuestion1", "Baker Street");
}
private static final Map<Integer, Map> secQuestionStore = new HashMap<>();
static {
secQuestionStore.put(verifyUserId, userSecQuestions);
}
// end 'data store set up'
// this is to aid feedback in the attack process and is not intended to be part of the 'vulnerable' code
public boolean didUserLikelylCheat(HashMap<String, String> submittedAnswers) {
boolean likely = false;
if (submittedAnswers.size() == secQuestionStore.get(verifyUserId).size()) {
likely = true;
}
if ((submittedAnswers.containsKey("secQuestion0") && submittedAnswers.get("secQuestion0").equals(secQuestionStore.get(verifyUserId).get("secQuestion0")))
&& (submittedAnswers.containsKey("secQuestion1") && submittedAnswers.get("secQuestion1").equals(secQuestionStore.get(verifyUserId).get("secQuestion1")))) {
likely = true;
} else {
likely = false;
}
return likely;
}
//end of cheating check ... the method below is the one of real interest. Can you find the flaw?
public boolean verifyAccount(Integer userId, HashMap<String, String> submittedQuestions) {
//short circuit if no questions are submitted
if (submittedQuestions.entrySet().size() != secQuestionStore.get(verifyUserId).size()) {
return false;
}
if (submittedQuestions.containsKey("secQuestion0") && !submittedQuestions.get("secQuestion0").equals(secQuestionStore.get(verifyUserId).get("secQuestion0"))) {
return false;
}
if (submittedQuestions.containsKey("secQuestion1") && !submittedQuestions.get("secQuestion1").equals(secQuestionStore.get(verifyUserId).get("secQuestion1"))) {
return false;
}
// else
return true;
}
}

18
src/main/java/org/owasp/webgoat/lessons/authbypass/AuthBypass.java → src/main/java/org/owasp/webgoat/lessons/auth_bypass/AuthBypass.java
View File

@ -20,7 +20,7 @@
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/ */
package org.owasp.webgoat.lessons.authbypass; package org.owasp.webgoat.lessons.auth_bypass;
import org.owasp.webgoat.container.lessons.Category; import org.owasp.webgoat.container.lessons.Category;
import org.owasp.webgoat.container.lessons.Lesson; import org.owasp.webgoat.container.lessons.Lesson;
@ -29,13 +29,13 @@ import org.springframework.stereotype.Component;
@Component @Component
public class AuthBypass extends Lesson { public class AuthBypass extends Lesson {
@Override @Override
public Category getDefaultCategory() { public Category getDefaultCategory() {
return Category.A7; return Category.A7;
} }
@Override @Override
public String getTitle() { public String getTitle() {
return "auth-bypass.title"; return "auth-bypass.title";
} }
} }

95
src/main/java/org/owasp/webgoat/lessons/auth_bypass/VerifyAccount.java Normal file
View File

@ -0,0 +1,95 @@
/*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2019 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/
package org.owasp.webgoat.lessons.auth_bypass;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.container.session.UserSessionData;
import org.owasp.webgoat.container.session.WebSession;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
/**
* Created by jason on 1/5/17.
*/
@RestController
@AssignmentHints({"auth-bypass.hints.verify.1", "auth-bypass.hints.verify.2", "auth-bypass.hints.verify.3", "auth-bypass.hints.verify.4"})
public class VerifyAccount extends AssignmentEndpoint {
@Autowired
private WebSession webSession;
@Autowired
UserSessionData userSessionData;
@PostMapping(path = "/auth-bypass/verify-account", produces = {"application/json"})
@ResponseBody
public AttackResult completed(@RequestParam String userId, @RequestParam String verifyMethod, HttpServletRequest req) throws ServletException, IOException {
AccountVerificationHelper verificationHelper = new AccountVerificationHelper();
Map<String, String> submittedAnswers = parseSecQuestions(req);
if (verificationHelper.didUserLikelylCheat((HashMap) submittedAnswers)) {
return failed(this)
.feedback("verify-account.cheated")
.output("Yes, you guessed correctly, but see the feedback message")
.build();
}
// else
if (verificationHelper.verifyAccount(Integer.valueOf(userId), (HashMap) submittedAnswers)) {
userSessionData.setValue("account-verified-id", userId);
return success(this)
.feedback("verify-account.success")
.build();
} else {
return failed(this)
.feedback("verify-account.failed")
.build();
}
}
private HashMap<String, String> parseSecQuestions(HttpServletRequest req) {
Map<String, String> userAnswers = new HashMap<>();
List<String> paramNames = Collections.list(req.getParameterNames());
for (String paramName : paramNames) {
//String paramName = req.getParameterNames().nextElement();
if (paramName.contains("secQuestion")) {
userAnswers.put(paramName, req.getParameter(paramName));
}
}
return (HashMap) userAnswers;
}
}

96
src/main/java/org/owasp/webgoat/lessons/authbypass/AccountVerificationHelper.java
View File

@ -1,96 +0,0 @@
/*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2019 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/
package org.owasp.webgoat.lessons.authbypass;
import java.util.HashMap;
import java.util.Map;
/** Created by appsec on 7/18/17. */
public class AccountVerificationHelper {
// simulating database storage of verification credentials
private static final Integer verifyUserId = 1223445;
private static final Map<String, String> userSecQuestions = new HashMap<>();
static {
userSecQuestions.put("secQuestion0", "Dr. Watson");
userSecQuestions.put("secQuestion1", "Baker Street");
}
private static final Map<Integer, Map> secQuestionStore = new HashMap<>();
static {
secQuestionStore.put(verifyUserId, userSecQuestions);
}
// end 'data store set up'
// this is to aid feedback in the attack process and is not intended to be part of the
// 'vulnerable' code
public boolean didUserLikelylCheat(HashMap<String, String> submittedAnswers) {
boolean likely = false;
if (submittedAnswers.size() == secQuestionStore.get(verifyUserId).size()) {
likely = true;
}
if ((submittedAnswers.containsKey("secQuestion0")
&& submittedAnswers
.get("secQuestion0")
.equals(secQuestionStore.get(verifyUserId).get("secQuestion0")))
&& (submittedAnswers.containsKey("secQuestion1")
&& submittedAnswers
.get("secQuestion1")
.equals(secQuestionStore.get(verifyUserId).get("secQuestion1")))) {
likely = true;
} else {
likely = false;
}
return likely;
}
// end of cheating check ... the method below is the one of real interest. Can you find the flaw?
public boolean verifyAccount(Integer userId, HashMap<String, String> submittedQuestions) {
// short circuit if no questions are submitted
if (submittedQuestions.entrySet().size() != secQuestionStore.get(verifyUserId).size()) {
return false;
}
if (submittedQuestions.containsKey("secQuestion0")
&& !submittedQuestions
.get("secQuestion0")
.equals(secQuestionStore.get(verifyUserId).get("secQuestion0"))) {
return false;
}
if (submittedQuestions.containsKey("secQuestion1")
&& !submittedQuestions
.get("secQuestion1")
.equals(secQuestionStore.get(verifyUserId).get("secQuestion1"))) {
return false;
}
// else
return true;
}
}

93
src/main/java/org/owasp/webgoat/lessons/authbypass/VerifyAccount.java
View File

@ -1,93 +0,0 @@
/*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2019 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/
package org.owasp.webgoat.lessons.authbypass;
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.container.session.UserSessionData;
import org.owasp.webgoat.container.session.WebSession;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
/** Created by jason on 1/5/17. */
@RestController
@AssignmentHints({
"auth-bypass.hints.verify.1",
"auth-bypass.hints.verify.2",
"auth-bypass.hints.verify.3",
"auth-bypass.hints.verify.4"
})
public class VerifyAccount extends AssignmentEndpoint {
@Autowired private WebSession webSession;
@Autowired UserSessionData userSessionData;
@PostMapping(
path = "/auth-bypass/verify-account",
produces = {"application/json"})
@ResponseBody
public AttackResult completed(
@RequestParam String userId, @RequestParam String verifyMethod, HttpServletRequest req)
throws ServletException, IOException {
AccountVerificationHelper verificationHelper = new AccountVerificationHelper();
Map<String, String> submittedAnswers = parseSecQuestions(req);
if (verificationHelper.didUserLikelylCheat((HashMap) submittedAnswers)) {
return failed(this)
.feedback("verify-account.cheated")
.output("Yes, you guessed correctly, but see the feedback message")
.build();
}
// else
if (verificationHelper.verifyAccount(Integer.valueOf(userId), (HashMap) submittedAnswers)) {
userSessionData.setValue("account-verified-id", userId);
return success(this).feedback("verify-account.success").build();
} else {
return failed(this).feedback("verify-account.failed").build();
}
}
private HashMap<String, String> parseSecQuestions(HttpServletRequest req) {
Map<String, String> userAnswers = new HashMap<>();
List<String> paramNames = Collections.list(req.getParameterNames());
for (String paramName : paramNames) {
// String paramName = req.getParameterNames().nextElement();
if (paramName.contains("secQuestion")) {
userAnswers.put(paramName, req.getParameter(paramName));
}
}
return (HashMap) userAnswers;
}
}

18
src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictions.java → src/main/java/org/owasp/webgoat/lessons/bypass_restrictions/BypassRestrictions.java
View File

@ -20,7 +20,7 @@
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/ */
package org.owasp.webgoat.lessons.bypassrestrictions; package org.owasp.webgoat.lessons.bypass_restrictions;
import org.owasp.webgoat.container.lessons.Category; import org.owasp.webgoat.container.lessons.Category;
import org.owasp.webgoat.container.lessons.Lesson; import org.owasp.webgoat.container.lessons.Lesson;
@ -28,13 +28,13 @@ import org.springframework.stereotype.Component;
@Component @Component
public class BypassRestrictions extends Lesson { public class BypassRestrictions extends Lesson {
@Override @Override
public Category getDefaultCategory() { public Category getDefaultCategory() {
return Category.CLIENT_SIDE; return Category.CLIENT_SIDE;
} }
@Override @Override
public String getTitle() { public String getTitle() {
return "bypass-restrictions.title"; return "bypass-restrictions.title";
} }
} }

45
src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFieldRestrictions.java → src/main/java/org/owasp/webgoat/lessons/bypass_restrictions/BypassRestrictionsFieldRestrictions.java
View File

@ -20,7 +20,7 @@
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/ */
package org.owasp.webgoat.lessons.bypassrestrictions; package org.owasp.webgoat.lessons.bypass_restrictions;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.assignments.AttackResult;
@ -32,29 +32,24 @@ import org.springframework.web.bind.annotation.RestController;
@RestController @RestController
public class BypassRestrictionsFieldRestrictions extends AssignmentEndpoint { public class BypassRestrictionsFieldRestrictions extends AssignmentEndpoint {
@PostMapping("/BypassRestrictions/FieldRestrictions") @PostMapping("/BypassRestrictions/FieldRestrictions")
@ResponseBody @ResponseBody
public AttackResult completed( public AttackResult completed(@RequestParam String select, @RequestParam String radio, @RequestParam String checkbox, @RequestParam String shortInput, @RequestParam String readOnlyInput) {
@RequestParam String select, if (select.equals("option1") || select.equals("option2")) {
@RequestParam String radio, return failed(this).build();
@RequestParam String checkbox, }
@RequestParam String shortInput, if (radio.equals("option1") || radio.equals("option2")) {
@RequestParam String readOnlyInput) { return failed(this).build();
if (select.equals("option1") || select.equals("option2")) { }
return failed(this).build(); if (checkbox.equals("on") || checkbox.equals("off")) {
return failed(this).build();
}
if (shortInput.length() <= 5) {
return failed(this).build();
}
if ("change".equals(readOnlyInput)) {
return failed(this).build();
}
return success(this).build();
} }
if (radio.equals("option1") || radio.equals("option2")) {
return failed(this).build();
}
if (checkbox.equals("on") || checkbox.equals("off")) {
return failed(this).build();
}
if (shortInput.length() <= 5) {
return failed(this).build();
}
if ("change".equals(readOnlyInput)) {
return failed(this).build();
}
return success(this).build();
}
} }

80
src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFrontendValidation.java → src/main/java/org/owasp/webgoat/lessons/bypass_restrictions/BypassRestrictionsFrontendValidation.java
View File

@ -20,7 +20,7 @@
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/ */
package org.owasp.webgoat.lessons.bypassrestrictions; package org.owasp.webgoat.lessons.bypass_restrictions;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.assignments.AttackResult;
@ -32,48 +32,40 @@ import org.springframework.web.bind.annotation.RestController;
@RestController @RestController
public class BypassRestrictionsFrontendValidation extends AssignmentEndpoint { public class BypassRestrictionsFrontendValidation extends AssignmentEndpoint {
@PostMapping("/BypassRestrictions/frontendValidation") @PostMapping("/BypassRestrictions/frontendValidation")
@ResponseBody @ResponseBody
public AttackResult completed( public AttackResult completed(@RequestParam String field1, @RequestParam String field2, @RequestParam String field3, @RequestParam String field4, @RequestParam String field5, @RequestParam String field6, @RequestParam String field7, @RequestParam Integer error) {
@RequestParam String field1, final String regex1 = "^[a-z]{3}$";
@RequestParam String field2, final String regex2 = "^[0-9]{3}$";
@RequestParam String field3, final String regex3 = "^[a-zA-Z0-9 ]*$";
@RequestParam String field4, final String regex4 = "^(one|two|three|four|five|six|seven|eight|nine)$";
@RequestParam String field5, final String regex5 = "^\\d{5}$";
@RequestParam String field6, final String regex6 = "^\\d{5}(-\\d{4})?$";
@RequestParam String field7, final String regex7 = "^[2-9]\\d{2}-?\\d{3}-?\\d{4}$";
@RequestParam Integer error) { if (error > 0) {
final String regex1 = "^[a-z]{3}$"; return failed(this).build();
final String regex2 = "^[0-9]{3}$"; }
final String regex3 = "^[a-zA-Z0-9 ]*$"; if (field1.matches(regex1)) {
final String regex4 = "^(one|two|three|four|five|six|seven|eight|nine)$"; return failed(this).build();
final String regex5 = "^\\d{5}$"; }
final String regex6 = "^\\d{5}(-\\d{4})?$"; if (field2.matches(regex2)) {
final String regex7 = "^[2-9]\\d{2}-?\\d{3}-?\\d{4}$"; return failed(this).build();
if (error > 0) { }
return failed(this).build(); if (field3.matches(regex3)) {
return failed(this).build();
}
if (field4.matches(regex4)) {
return failed(this).build();
}
if (field5.matches(regex5)) {
return failed(this).build();
}
if (field6.matches(regex6)) {
return failed(this).build();
}
if (field7.matches(regex7)) {
return failed(this).build();
}
return success(this).build();
} }
if (field1.matches(regex1)) {
return failed(this).build();
}
if (field2.matches(regex2)) {
return failed(this).build();
}
if (field3.matches(regex3)) {
return failed(this).build();
}
if (field4.matches(regex4)) {
return failed(this).build();
}
if (field5.matches(regex5)) {
return failed(this).build();
}
if (field6.matches(regex6)) {
return failed(this).build();
}
if (field7.matches(regex7)) {
return failed(this).build();
}
return success(this).build();
}
} }

16
src/main/java/org/owasp/webgoat/lessons/challenges/ChallengeIntro.java
View File

@ -9,13 +9,13 @@ import org.owasp.webgoat.container.lessons.Lesson;
*/ */
public class ChallengeIntro extends Lesson { public class ChallengeIntro extends Lesson {
@Override @Override
public Category getDefaultCategory() { public Category getDefaultCategory() {
return Category.CHALLENGE; return Category.CHALLENGE;
} }
@Override @Override
public String getTitle() { public String getTitle() {
return "challenge0.title"; return "challenge0.title";
} }
} }

15
src/main/java/org/owasp/webgoat/lessons/challenges/Email.java
View File

@ -22,11 +22,12 @@
package org.owasp.webgoat.lessons.challenges; package org.owasp.webgoat.lessons.challenges;
import java.io.Serializable;
import java.time.LocalDateTime;
import lombok.Builder; import lombok.Builder;
import lombok.Data; import lombok.Data;
import java.io.Serializable;
import java.time.LocalDateTime;
/** /**
* @author nbaars * @author nbaars
* @since 8/20/17. * @since 8/20/17.
@ -35,9 +36,9 @@ import lombok.Data;
@Data @Data
public class Email implements Serializable { public class Email implements Serializable {
private LocalDateTime time; private LocalDateTime time;
private String contents; private String contents;
private String sender; private String sender;
private String title; private String title;
private String recipient; private String recipient;
} }

79
src/main/java/org/owasp/webgoat/lessons/challenges/Flag.java
View File

@ -22,11 +22,6 @@
package org.owasp.webgoat.lessons.challenges; package org.owasp.webgoat.lessons.challenges;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;
import java.util.stream.IntStream;
import javax.annotation.PostConstruct;
import lombok.AllArgsConstructor; import lombok.AllArgsConstructor;
import lombok.Getter; import lombok.Getter;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@ -42,6 +37,12 @@ import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController; import org.springframework.web.bind.annotation.RestController;
import javax.annotation.PostConstruct;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;
import java.util.stream.IntStream;
/** /**
* @author nbaars * @author nbaars
* @since 3/23/17. * @since 3/23/17.
@ -49,41 +50,39 @@ import org.springframework.web.bind.annotation.RestController;
@RestController @RestController
public class Flag extends AssignmentEndpoint { public class Flag extends AssignmentEndpoint {
public static final Map<Integer, String> FLAGS = new HashMap<>(); public static final Map<Integer, String> FLAGS = new HashMap<>();
@Autowired private UserTrackerRepository userTrackerRepository; @Autowired
@Autowired private WebSession webSession; private UserTrackerRepository userTrackerRepository;
@Autowired
private WebSession webSession;
@AllArgsConstructor @AllArgsConstructor
private class FlagPosted { private class FlagPosted {
@Getter private boolean lessonCompleted; @Getter
} private boolean lessonCompleted;
}
@PostConstruct
public void initFlags() { @PostConstruct
IntStream.range(1, 10).forEach(i -> FLAGS.put(i, UUID.randomUUID().toString())); public void initFlags() {
} IntStream.range(1, 10).forEach(i -> FLAGS.put(i, UUID.randomUUID().toString()));
}
@RequestMapping(
path = "/challenge/flag", @RequestMapping(path = "/challenge/flag", method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_VALUE)
method = RequestMethod.POST, @ResponseBody
produces = MediaType.APPLICATION_JSON_VALUE) public AttackResult postFlag(@RequestParam String flag) {
@ResponseBody UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
public AttackResult postFlag(@RequestParam String flag) { String currentChallenge = webSession.getCurrentLesson().getName();
UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName()); int challengeNumber = Integer.valueOf(currentChallenge.substring(currentChallenge.length() - 1, currentChallenge.length()));
String currentChallenge = webSession.getCurrentLesson().getName(); String expectedFlag = FLAGS.get(challengeNumber);
int challengeNumber = final AttackResult attackResult;
Integer.valueOf( if (expectedFlag.equals(flag)) {
currentChallenge.substring(currentChallenge.length() - 1, currentChallenge.length())); userTracker.assignmentSolved(webSession.getCurrentLesson(), "Assignment" + challengeNumber);
String expectedFlag = FLAGS.get(challengeNumber); attackResult = success(this).feedback("challenge.flag.correct").build();
final AttackResult attackResult; } else {
if (expectedFlag.equals(flag)) { userTracker.assignmentFailed(webSession.getCurrentLesson());
userTracker.assignmentSolved(webSession.getCurrentLesson(), "Assignment" + challengeNumber); attackResult = failed(this).feedback("challenge.flag.incorrect").build();
attackResult = success(this).feedback("challenge.flag.correct").build(); }
} else { userTrackerRepository.save(userTracker);
userTracker.assignmentFailed(webSession.getCurrentLesson()); return attackResult;
attackResult = failed(this).feedback("challenge.flag.incorrect").build();
} }
userTrackerRepository.save(userTracker);
return attackResult;
}
} }

8
src/main/java/org/owasp/webgoat/lessons/challenges/SolutionConstants.java
View File

@ -30,8 +30,8 @@ package org.owasp.webgoat.lessons.challenges;
*/ */
public interface SolutionConstants { public interface SolutionConstants {
// TODO should be random generated when starting the server //TODO should be random generated when starting the server
String PASSWORD = "!!webgoat_admin_1234!!"; String PASSWORD = "!!webgoat_admin_1234!!";
String PASSWORD_TOM = "thisisasecretfortomonly"; String PASSWORD_TOM = "thisisasecretfortomonly";
String ADMIN_PASSWORD_LINK = "375afe1104f4a487a73823c50a9292a2"; String ADMIN_PASSWORD_LINK = "375afe1104f4a487a73823c50a9292a2";
} }

71
src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/Assignment1.java
View File

@ -1,8 +1,5 @@
package org.owasp.webgoat.lessons.challenges.challenge1; package org.owasp.webgoat.lessons.challenges.challenge1;
import static org.owasp.webgoat.lessons.challenges.SolutionConstants.PASSWORD;
import javax.servlet.http.HttpServletRequest;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.lessons.challenges.Flag; import org.owasp.webgoat.lessons.challenges.Flag;
@ -12,30 +9,33 @@ import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController; import org.springframework.web.bind.annotation.RestController;
import javax.servlet.http.HttpServletRequest;
import static org.owasp.webgoat.lessons.challenges.SolutionConstants.PASSWORD;
/** /**
* ************************************************************************************************ * ************************************************************************************************
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/ * please see http://www.owasp.org/
* * <p>
* <p>Copyright (c) 2002 - 2014 Bruce Mayhew * Copyright (c) 2002 - 2014 Bruce Mayhew
* * <p>
* <p>This program is free software; you can redistribute it and/or modify it under the terms of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version. * License, or (at your option) any later version.
* * <p>
* <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* GNU General Public License for more details. * General Public License for more details.
* * <p>
* <p>You should have received a copy of the GNU General Public License along with this program; if * You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA. * 02111-1307, USA.
* * <p>
* <p>Getting Source ============== * Getting Source ==============
* * <p>
* <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* for free software projects. * projects.
*
* <p> * <p>
* *
* @author WebGoat * @author WebGoat
@ -45,25 +45,20 @@ import org.springframework.web.bind.annotation.RestController;
@RestController @RestController
public class Assignment1 extends AssignmentEndpoint { public class Assignment1 extends AssignmentEndpoint {
@PostMapping("/challenge/1") @PostMapping("/challenge/1")
@ResponseBody @ResponseBody
public AttackResult completed( public AttackResult completed(@RequestParam String username, @RequestParam String password, HttpServletRequest request) {
@RequestParam String username, @RequestParam String password, HttpServletRequest request) { boolean ipAddressKnown = true;
boolean ipAddressKnown = true; boolean passwordCorrect = "admin".equals(username) && PASSWORD.replace("1234", String.format("%04d",ImageServlet.PINCODE)).equals(password);
boolean passwordCorrect = if (passwordCorrect && ipAddressKnown) {
"admin".equals(username) return success(this).feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(1)).build();
&& PASSWORD } else if (passwordCorrect) {
.replace("1234", String.format("%04d", ImageServlet.PINCODE)) return failed(this).feedback("ip.address.unknown").build();
.equals(password); }
if (passwordCorrect && ipAddressKnown) { return failed(this).build();
return success(this).feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(1)).build();
} else if (passwordCorrect) {
return failed(this).feedback("ip.address.unknown").build();
} }
return failed(this).build();
}
public static boolean containsHeader(HttpServletRequest request) { public static boolean containsHeader(HttpServletRequest request) {
return StringUtils.hasText(request.getHeader("X-Forwarded-For")); return StringUtils.hasText(request.getHeader("X-Forwarded-For"));
} }
} }

16
src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/Challenge1.java
View File

@ -11,13 +11,13 @@ import org.springframework.stereotype.Component;
@Component @Component
public class Challenge1 extends Lesson { public class Challenge1 extends Lesson {
@Override @Override
public Category getDefaultCategory() { public Category getDefaultCategory() {
return Category.CHALLENGE; return Category.CHALLENGE;
} }
@Override @Override
public String getTitle() { public String getTitle() {
return "challenge1.title"; return "challenge1.title";
} }
} }

45
src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/ImageServlet.java
View File

@ -1,41 +1,36 @@
package org.owasp.webgoat.lessons.challenges.challenge1; package org.owasp.webgoat.lessons.challenges.challenge1;
import static org.springframework.web.bind.annotation.RequestMethod.GET;
import static org.springframework.web.bind.annotation.RequestMethod.POST;
import java.io.IOException;
import java.security.SecureRandom;
import javax.servlet.http.HttpServlet;
import org.springframework.core.io.ClassPathResource; import org.springframework.core.io.ClassPathResource;
import org.springframework.http.MediaType; import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController; import org.springframework.web.bind.annotation.RestController;
import javax.servlet.http.HttpServlet;
import java.io.IOException;
import java.security.SecureRandom;
import static org.springframework.web.bind.annotation.RequestMethod.GET;
import static org.springframework.web.bind.annotation.RequestMethod.POST;
@RestController @RestController
public class ImageServlet extends HttpServlet { public class ImageServlet extends HttpServlet {
private static final long serialVersionUID = 9132775506936676850L; private static final long serialVersionUID = 9132775506936676850L;
public static final int PINCODE = new SecureRandom().nextInt(10000); static final public int PINCODE = new SecureRandom().nextInt(10000);
@RequestMapping( @RequestMapping(method = {GET, POST}, value = "/challenge/logo", produces = MediaType.IMAGE_PNG_VALUE)
method = {GET, POST}, @ResponseBody
value = "/challenge/logo", public byte[] logo() throws IOException {
produces = MediaType.IMAGE_PNG_VALUE) byte[] in = new ClassPathResource("lessons/challenges/images/webgoat2.png").getInputStream().readAllBytes();
@ResponseBody
public byte[] logo() throws IOException {
byte[] in =
new ClassPathResource("lessons/challenges/images/webgoat2.png")
.getInputStream()
.readAllBytes();
String pincode = String.format("%04d", PINCODE); String pincode = String.format("%04d", PINCODE);
in[81216] = (byte) pincode.charAt(0); in[81216]=(byte) pincode.charAt(0);
in[81217] = (byte) pincode.charAt(1); in[81217]=(byte) pincode.charAt(1);
in[81218] = (byte) pincode.charAt(2); in[81218]=(byte) pincode.charAt(2);
in[81219] = (byte) pincode.charAt(3); in[81219]=(byte) pincode.charAt(3);
return in; return in;
} }
} }

Some files were not shown because too many files have changed in this diff Show More