dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: dubey:v2023.6
Branches Tags
dubey:main dubey:nbaars/refactor-plugin-message dubey:nbaars/1873 dubey:nbaars/build dubey:lang-es dubey:gh-1165 dubey:gh-1329 dubey:develop dubey:label-hint-tests dubey:helm-webgoat dubey:helm
dubey:v2025.3 dubey:v2025.2 dubey:v2025.1 dubey:v2025.0 dubey:v2023.8 dubey:v2023.7 dubey:v2023.6 dubey:v2023.5 dubey:v2023.4 dubey:v2023.04 dubey:v2023.3 dubey:v2023.2 dubey:v2023.1 dubey:v2023.0 dubey:v8.2.2 dubey:v8.2.1 dubey:v8.2.0 dubey:vtest10 dubey:vtest9 dubey:vtest8 dubey:vtest7 dubey:vtest6 dubey:vtest5 dubey:vtest4 dubey:vtest3 dubey:vtest2 dubey:vtest1 dubey:vtest dubey:test-v19 dubey:test-v18 dubey:test-v17 dubey:test-v16 dubey:test-v15 dubey:test-v14 dubey:test-v13 dubey:test-v12 dubey:test-v11 dubey:test-v10 dubey:test-v9 dubey:test-v8 dubey:test-v7 dubey:test-v6 dubey:test-v5 dubey:test-v4 dubey:test-v3 dubey:test-v2 dubey:test-v1.0 dubey:v8.1.0 dubey:v8.0.0.M26 dubey:v8.0.0.M25 dubey:v8.0.0.M24 dubey:v8.0.0.M23 dubey:v8.0.0.M22 dubey:v8.0.0.M21 dubey:v8.0.0.M20 dubey:v8.0.0.M19 dubey:v8.0.0.M18 dubey:v8.0.0.M17 dubey:v8.0.0.M16 dubey:v8.0.0 dubey:v8.0.0.M15 dubey:v8.0.0.M14 dubey:v8.0.0.M13 dubey:v8.0.0.M12 dubey:v8.0.0.M11 dubey:v8.0.0.M10 dubey:v8.0.0.M9 dubey:v8.0.0.M8 dubey:8.0.0 dubey:v8.0.0.M7 dubey:v8.0.0.M6 dubey:v8.0.0.M5 dubey:v8.0.0.M4 dubey:v8.0.0.M3 dubey:v8.0.0.M2 dubey:v8.0.0.M1 dubey:7.1 dubey:7.0.1
..
compare: dubey:gh-1329
Branches Tags
dubey:main dubey:nbaars/refactor-plugin-message dubey:nbaars/1873 dubey:nbaars/build dubey:lang-es dubey:gh-1165 dubey:gh-1329 dubey:develop dubey:label-hint-tests dubey:helm-webgoat dubey:helm
dubey:v2025.3 dubey:v2025.2 dubey:v2025.1 dubey:v2025.0 dubey:v2023.8 dubey:v2023.7 dubey:v2023.6 dubey:v2023.5 dubey:v2023.4 dubey:v2023.04 dubey:v2023.3 dubey:v2023.2 dubey:v2023.1 dubey:v2023.0 dubey:v8.2.2 dubey:v8.2.1 dubey:v8.2.0 dubey:vtest10 dubey:vtest9 dubey:vtest8 dubey:vtest7 dubey:vtest6 dubey:vtest5 dubey:vtest4 dubey:vtest3 dubey:vtest2 dubey:vtest1 dubey:vtest dubey:test-v19 dubey:test-v18 dubey:test-v17 dubey:test-v16 dubey:test-v15 dubey:test-v14 dubey:test-v13 dubey:test-v12 dubey:test-v11 dubey:test-v10 dubey:test-v9 dubey:test-v8 dubey:test-v7 dubey:test-v6 dubey:test-v5 dubey:test-v4 dubey:test-v3 dubey:test-v2 dubey:test-v1.0 dubey:v8.1.0 dubey:v8.0.0.M26 dubey:v8.0.0.M25 dubey:v8.0.0.M24 dubey:v8.0.0.M23 dubey:v8.0.0.M22 dubey:v8.0.0.M21 dubey:v8.0.0.M20 dubey:v8.0.0.M19 dubey:v8.0.0.M18 dubey:v8.0.0.M17 dubey:v8.0.0.M16 dubey:v8.0.0 dubey:v8.0.0.M15 dubey:v8.0.0.M14 dubey:v8.0.0.M13 dubey:v8.0.0.M12 dubey:v8.0.0.M11 dubey:v8.0.0.M10 dubey:v8.0.0.M9 dubey:v8.0.0.M8 dubey:8.0.0 dubey:v8.0.0.M7 dubey:v8.0.0.M6 dubey:v8.0.0.M5 dubey:v8.0.0.M4 dubey:v8.0.0.M3 dubey:v8.0.0.M2 dubey:v8.0.0.M1 dubey:7.1 dubey:7.0.1

1 Commits
v2023.6 ... gh-1329

Author SHA1 Message Date
Nanne Baars
bd5fe360c7 fix: WIP 2023-06-19 17:42:20 +02:00
180 changed files with 1064 additions and 4037 deletions
Expand all files Collapse all files

2
.github/dependabot.yml vendored
View File

@ -8,8 +8,6 @@ updates:
directory: "/"
schedule:
interval: "weekly"
ignore:
- dependency-name: "org.webjars:bootstrap" # First the WebWolf UI needs to be refactored due to breaking changes
- package-ecosystem: "docker"
directory: "/"
schedule:

54
.github/workflows/branchbuild.yml vendored
View File

@ -1,54 +0,0 @@
name: "Branch build"
on:
push:
branches:
- "*"
- "!main"
jobs:
branch-build:
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ ubuntu-latest, windows-latest, macos-latest ]
java-version: [ 17, 21 ]
steps:
- uses: actions/checkout@v3
- name: Set up JDK ${{ matrix.java-version }}
uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: ${{ matrix.java-version }}
architecture: x64
- name: Cache Maven packages
uses: actions/cache@v3.3.1
with:
path: ~/.m2
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
restore-keys: ${{ runner.os }}-m2-
- name: Build with Maven
run: mvn --no-transfer-progress verify
- name: "Set up QEMU"
if: runner.os == 'Linux'
uses: docker/setup-qemu-action@v2.2.0
- name: "Set up Docker Buildx"
if: runner.os == 'Linux'
uses: docker/setup-buildx-action@v2
- name: "Verify Docker WebGoat build"
if: runner.os == 'Linux'
uses: docker/build-push-action@v5.1.0
with:
context: ./
file: ./Dockerfile
push: false
build-args: |
webgoat_version=${{ env.WEBGOAT_MAVEN_VERSION }}
- name: "Verify Docker WebGoat desktop build"
uses: docker/build-push-action@v5.1.0
if: runner.os == 'Linux'
with:
context: ./
file: ./Dockerfile_desktop
push: false
build-args: |
webgoat_version=${{ env.WEBGOAT_MAVEN_VERSION }}

10
.github/workflows/build.yml vendored
View File

@ -21,7 +21,7 @@ jobs:
steps:
- uses: actions/checkout@v3
- name: Set up JDK 17
uses: actions/setup-java@v4
uses: actions/setup-java@v3
with:
distribution: 'temurin'
java-version: 17
@ -36,13 +36,13 @@ jobs:
run: mvn --no-transfer-progress verify
- name: "Set up QEMU"
if: runner.os == 'Linux'
uses: docker/setup-qemu-action@v2.2.0
uses: docker/setup-qemu-action@v2.1.0
- name: "Set up Docker Buildx"
if: runner.os == 'Linux'
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@v2
- name: "Verify Docker WebGoat build"
if: runner.os == 'Linux'
uses: docker/build-push-action@v5.1.0
uses: docker/build-push-action@v4.1.0
with:
context: ./
file: ./Dockerfile
@ -50,7 +50,7 @@ jobs:
build-args: |
webgoat_version=${{ env.WEBGOAT_MAVEN_VERSION }}
- name: "Verify Docker WebGoat desktop build"
uses: docker/build-push-action@v5.1.0
uses: docker/build-push-action@v4.1.0
if: runner.os == 'Linux'
with:
context: ./

18
.github/workflows/release.yml vendored
View File

@ -14,7 +14,7 @@ jobs:
- uses: actions/checkout@v3
- name: Set up JDK 17
uses: actions/setup-java@v4
uses: actions/setup-java@v3
with:
distribution: 'temurin'
java-version: 17
@ -44,7 +44,7 @@ jobs:
files: |
target/webgoat-${{ env.WEBGOAT_MAVEN_VERSION }}.jar
body: |
## Version ${{ github.ref_name }}
## Version ${{ steps.tag.outputs.tag }}
### New functionality
@ -54,7 +54,7 @@ jobs:
- [#743 - Character encoding errors](https://github.com/WebGoat/WebGoat/issues/743)
Full change log: https://github.com/WebGoat/WebGoat/compare/${{ github.ref_name }}...${{ github.ref_name }}
Full change log: https://github.com/WebGoat/WebGoat/compare/${{ steps.tag.outputs.tag }}...${{ steps.tag.outputs.tag }}
## Contributors
@ -72,21 +72,21 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: "Set up QEMU"
uses: docker/setup-qemu-action@v2.2.0
uses: docker/setup-qemu-action@v2.1.0
with:
platforms: all
- name: "Set up Docker Buildx"
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@v2
- name: "Login to dockerhub"
uses: docker/login-action@v3.0.0
uses: docker/login-action@v2.2.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: "Build and push WebGoat"
uses: docker/build-push-action@v5.1.0
uses: docker/build-push-action@v4.1.0
with:
context: ./
file: ./Dockerfile
@ -99,7 +99,7 @@ jobs:
webgoat_version=${{ env.WEBGOAT_MAVEN_VERSION }}
- name: "Build and push WebGoat desktop"
uses: docker/build-push-action@v5.1.0
uses: docker/build-push-action@v4.1.0
with:
context: ./
file: ./Dockerfile_desktop
@ -121,7 +121,7 @@ jobs:
fetch-depth: 0
- name: Set up JDK 17
uses: actions/setup-java@v4
uses: actions/setup-java@v3
with:
distribution: 'temurin'
java-version: 17

4
.github/workflows/test.yml vendored
View File

@ -30,7 +30,7 @@ jobs:
architecture: x64
# Uses an action to add JDK 17 to the VM (and mvn?)
- name: set up JDK 17
uses: actions/setup-java@v4
uses: actions/setup-java@v3
with:
distribution: 'temurin'
java-version: 17
@ -61,7 +61,7 @@ jobs:
# send report to forks only due to limits on permission tokens
- name: Send report to commit
if: github.repository != 'WebGoat/WebGoat' && github.event_name == 'push'
uses: joonvena/robotframework-reporter-action@v2.2
uses: joonvena/robotframework-reporter-action@v2.1
with:
gh_access_token: ${{ secrets.GITHUB_TOKEN }}
report_path: 'robotreport'

2
.github/workflows/welcome.yml vendored
View File

@ -10,7 +10,7 @@ jobs:
if: github.repository == 'WebGoat/WebGoat'
runs-on: ubuntu-latest
steps:
- uses: actions/first-interaction@v1.3.0
- uses: actions/first-interaction@v1.1.1
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
issue-message: 'Thanks for submitting your first issue, we will have a look as quickly as possible.'

2
CREATE_RELEASE.md
View File

@ -8,7 +8,7 @@ and 2023.01 in the `pom.xml`.
### Release notes:
Update the release notes with the correct version. Use `git shortlog -s -n --since "JAN 06 2023"` for the list of
committers. In order to fetch the list of issues included use: `git log --graph --pretty='%C(auto)%d%Creset%s' v2023.4..origin/main`
committers.
```
mvn versions:set

10
Dockerfile
View File

@ -1,4 +1,4 @@
FROM docker.io/eclipse-temurin:21-jdk-ubi9-minimal
FROM docker.io/eclipse-temurin:19-jre-focal
LABEL NAME = "WebGoat: A deliberately insecure Web Application"
MAINTAINER "WebGoat team"
@ -14,8 +14,6 @@ COPY --chown=webgoat target/webgoat-*.jar /home/webgoat/webgoat.jar
EXPOSE 8080
EXPOSE 9090
ENV TZ=Europe/Amsterdam
WORKDIR /home/webgoat
ENTRYPOINT [ "java", \
"-Duser.home=/home/webgoat", \
@ -32,4 +30,8 @@ ENTRYPOINT [ "java", \
"--add-opens", "java.base/sun.nio.ch=ALL-UNNAMED", \
"--add-opens", "java.base/java.io=ALL-UNNAMED", \
"-Drunning.in.docker=true", \
"-jar", "webgoat.jar", "--server.address", "0.0.0.0" ]
"-Dwebgoat.host=0.0.0.0", \
"-Dwebwolf.host=0.0.0.0", \
"-Dwebgoat.port=8080", \
"-Dwebwolf.port=9090", \
"-jar", "webgoat.jar" ]

28
README.md
View File

@ -1,4 +1,4 @@
# WebGoat: A deliberately insecure Web Application
# WebGoat 8: A deliberately insecure Web Application
[![Build](https://github.com/WebGoat/WebGoat/actions/workflows/build.yml/badge.svg?branch=develop)](https://github.com/WebGoat/WebGoat/actions/workflows/build.yml)
[![java-jdk](https://img.shields.io/badge/java%20jdk-17-green.svg)](https://jdk.java.net/)
@ -44,27 +44,19 @@ Every release is also published on [DockerHub](https://hub.docker.com/r/webgoat/
docker run -it -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 webgoat/webgoat
```
For some lessons you need the container run in the same timezone. For this you can set the TZ environment variable.
E.g.
If you want to reuse the container, give it a name:
```shell
docker run -it -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=America/Boise webgoat/webgoat
docker run --name webgoat -it -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 webgoat/webgoat
```
If you want to use OWASP ZAP or another proxy, you can no longer use 127.0.0.1 or localhost. but
you can use custom host entries. For example:
As long as you don't remove the container you can use:
```shell
127.0.0.1 www.webgoat.local www.webwolf.local
docker start webgoat
```
Then you can run the container with:
```shell
docker run -it -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e WEBGOAT_HOST=www.webgoat.local -e WEBWOLF_HOST=www.webwolf.local -e TZ=America/Boise webgoat/webgoat
```
Then visit http://www.webgoat.local:8080/WebGoat/ and http://www.webwolf.local:9090/WebWolf/
This way, you can start where you left off. If you remove the container, you need to use `docker run` again.
## 2. Run using Docker with complete Linux Desktop
@ -79,8 +71,7 @@ docker run -p 127.0.0.1:3000:3000 webgoat/webgoat-desktop
Download the latest WebGoat release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
```shell
export TZ=Europe/Amsterdam # or your timezone
java -Dfile.encoding=UTF-8 -jar webgoat-2023.5.jar
java -Dfile.encoding=UTF-8 -Dwebgoat.port=8080 -Dwebwolf.port=9090 -jar webgoat-2023.3.jar
```
Click the link in the log to start WebGoat.
@ -89,7 +80,7 @@ Click the link in the log to start WebGoat.
### Prerequisites:
* Java 17 or 21
* Java 17
* Your favorite IDE
* Git, or Git support in your IDE
@ -141,10 +132,9 @@ For specialist only. There is a way to set up WebGoat with a personalized menu.
For instance running as a jar on a Linux/macOS it will look like this:
```Shell
export TZ=Europe/Amsterdam # or your timezone
export EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE"
export EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations"
java -jar target/webgoat-2023.6-SNAPSHOT.jar
java -jar target/webgoat-2023.3-SNAPSHOT.jar
```
Or in a docker run it would (once this version is pushed into docker hub) look like this:

55
RELEASE_NOTES.md
View File

@ -1,60 +1,5 @@
# WebGoat release notes
## Version 2023.6
### 🚀 New functionality
- Consistent environment values and url references (#1677)
- Show directly requested file in requests overview
- Show creating time in file upload overview
### 🐞 Bug fixes
- Fix startup message (#1687)
- Fix/state of software supply chain links (#1683)
- Fix WebWolf UI (#1686)
### 🔄 Technical tasks
- bump actions/setup-java from 3 to 4 (#1690)
- bump commons-io:commons-io from 2.14.0 to 2.15.1 (#1689)
- bump com.diffplug.spotless:spotless-maven-plugin (#1688)
## Version 2023.5
### New functionality
- Implement JWT jku example (#1552)
- Java 21 initial support (#1622)
- improve MFAC lesson hint texts for a better user experience (#1424)
- upgrade to Spring Boot version 3 (#1477)
### Bug fixes
- typo in WebGoad.txt (#1667)
- search box moved and jwt encode/decode with little delay (#1664)
- skip validation for JWT (#1663)
- fixed issue in JWT test tool and added robot test (#1658)
- Password reset link test condition more strict and move all WebWolf links to /WebWolf (#1645)
- fix servers id (#1619)
- potential NPE in the stored XSS assignment
- crypto basics broken links
- fixes the default change in trailing slash matching and address the affected assignments
- hint that was breaking the template, causing hints from different assignments to mix (#1424)
- HijackSession lesson template deprecated Tymeleaf attribute
- Fix NPE in IDOR lesson
- Add new assignment IT tests
- XSS mitigation
- Stored Cross-Site Scripting Lesson
- Add Assignment7 Tests
- Fix IDOR lesson
- remove steps from release script (#1509)
- robotframework fails due to updated dependencies (#1508)
- fix Java image inside Docker file The image now downloads the correct Java version based on the architecture.
- Fix typo of HijackSession_content0.adoc
- Restrict SSRF Regexes
- update challenge code - Flags are now wired through a Spring config - Introduced Flag class - Removed Flags from the FlagController
## Version 2023.4
### New functionality

2
config/desktop/WebGoat.txt
View File

@ -3,7 +3,7 @@
With this image you have WebGoat and ZAP and a browser available to you in a browser running on Ubuntu.
You can start WebGoat and ZAP by opening a terminal and type:
./start_webgoat.sh
./start-webgoat.sh
./start_zap.sh
Happy hacking,

103
pom.xml
View File

@ -5,12 +5,12 @@
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>3.1.5</version>
<version>3.1.0</version>
</parent>
<groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat</artifactId>
<version>2023.6</version>
<version>2023.5-SNAPSHOT</version>
<packaging>jar</packaging>
<name>WebGoat</name>
@ -109,29 +109,30 @@
<properties>
<!-- Shared properties with plugins and version numbers across submodules-->
<asciidoctorj.version>2.5.10</asciidoctorj.version>
<bootstrap.version>5.3.1</bootstrap.version>
<asciidoctorj.version>2.5.3</asciidoctorj.version>
<!-- Upgrading needs UI work in WebWolf -->
<bootstrap.version>3.3.7</bootstrap.version>
<cglib.version>3.3.0</cglib.version>
<!-- do not update necessary for lesson -->
<checkstyle.version>3.3.1</checkstyle.version>
<checkstyle.version>3.3.0</checkstyle.version>
<commons-collections.version>3.2.1</commons-collections.version>
<commons-io.version>2.15.1</commons-io.version>
<commons-io.version>2.11.0</commons-io.version>
<commons-lang3.version>3.12.0</commons-lang3.version>
<commons-text.version>1.10.0</commons-text.version>
<guava.version>32.1.3-jre</guava.version>
<jacoco.version>0.8.11</jacoco.version>
<guava.version>31.1-jre</guava.version>
<jacoco.version>0.8.10</jacoco.version>
<java.version>17</java.version>
<jaxb.version>2.3.1</jaxb.version>
<jjwt.version>0.9.1</jjwt.version>
<jose4j.version>0.9.3</jose4j.version>
<jquery.version>3.7.0</jquery.version>
<jquery.version>3.5.1</jquery.version>
<jsoup.version>1.16.1</jsoup.version>
<maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version>
<maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version>
<maven-jar-plugin.version>3.1.2</maven-jar-plugin.version>
<maven-javadoc-plugin.version>3.1.1</maven-javadoc-plugin.version>
<maven-source-plugin.version>3.1.0</maven-source-plugin.version>
<maven-surefire-plugin.version>3.2.1</maven-surefire-plugin.version>
<maven-surefire-plugin.version>3.1.0</maven-surefire-plugin.version>
<maven.compiler.source>17</maven.compiler.source>
<maven.compiler.target>17</maven.compiler.target>
<pmd.version>3.15.0</pmd.version>
@ -139,16 +140,14 @@
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<thymeleaf.version>3.1.1.RELEASE</thymeleaf.version>
<webdriver.version>5.3.3</webdriver.version>
<webgoat.context>/</webgoat.context>
<webgoat.sslenabled>false</webgoat.sslenabled>
<webjars-locator-core.version>0.53</webjars-locator-core.version>
<webwolf.context>/</webwolf.context>
<webdriver.version>5.3.2</webdriver.version>
<webgoat.port>8080</webgoat.port>
<webwolf.port>9090</webwolf.port>
<wiremock.version>2.27.2</wiremock.version>
<xml-resolver.version>1.2</xml-resolver.version>
<xstream.version>1.4.5</xstream.version>
<!-- do not update necessary for lesson -->
<zxcvbn.version>1.8.0</zxcvbn.version>
<zxcvbn.version>1.7.0</zxcvbn.version>
</properties>
<dependencyManagement>
@ -201,17 +200,6 @@
<artifactId>jjwt</artifactId>
<version>${jjwt.version}</version>
</dependency>
<dependency>
<groupId>com.auth0</groupId>
<artifactId>jwks-rsa</artifactId>
<version>0.22.1</version>
</dependency>
<!-- https://mvnrepository.com/artifact/com.auth0/java-jwt -->
<dependency>
<groupId>com.auth0</groupId>
<artifactId>java-jwt</artifactId>
<version>4.4.0</version>
</dependency>
<dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
@ -242,11 +230,6 @@
<artifactId>jquery</artifactId>
<version>${jquery.version}</version>
</dependency>
<dependency>
<groupId>org.webjars</groupId>
<artifactId>webjars-locator-core</artifactId>
<version>${webjars-locator-core.version}</version>
</dependency>
<dependency>
<groupId>com.github.tomakehurst</groupId>
<artifactId>wiremock</artifactId>
@ -260,12 +243,12 @@
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-compress</artifactId>
<version>1.25.0</version>
<version>1.22</version>
</dependency>
<dependency>
<groupId>org.jruby</groupId>
<artifactId>jruby</artifactId>
<version>9.4.3.0</version>
<version>9.4.2.0</version>
</dependency>
</dependencies>
</dependencyManagement>
@ -327,10 +310,6 @@
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity6</artifactId>
@ -367,15 +346,6 @@
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt</artifactId>
</dependency>
<dependency>
<groupId>com.auth0</groupId>
<artifactId>jwks-rsa</artifactId>
</dependency>
<!-- https://mvnrepository.com/artifact/com.auth0/java-jwt -->
<dependency>
<groupId>com.auth0</groupId>
<artifactId>java-jwt</artifactId>
</dependency>
<dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
@ -404,10 +374,6 @@
<groupId>org.webjars</groupId>
<artifactId>jquery</artifactId>
</dependency>
<dependency>
<groupId>org.webjars</groupId>
<artifactId>webjars-locator-core</artifactId>
</dependency>
<dependency>
<groupId>jakarta.xml.bind</groupId>
<artifactId>jakarta.xml.bind-api</artifactId>
@ -512,19 +478,10 @@
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-failsafe-plugin</artifactId>
<configuration>
<environmentVariables>
<WEBGOAT_SSLENABLED>${webgoat.sslenabled}</WEBGOAT_SSLENABLED>
<WEBGOAT_HOST>127.0.0.1</WEBGOAT_HOST>
<WEBGOAT_PORT>${webgoat.port}</WEBGOAT_PORT>
<WEBGOAT_CONTEXT>${webgoat.context}</WEBGOAT_CONTEXT>
<WEBWOLF_HOST>127.0.0.1</WEBWOLF_HOST>
<WEBWOLF_PORT>${webwolf.port}</WEBWOLF_PORT>
<WEBWOLF_CONTEXT>${webwolf.context}</WEBWOLF_CONTEXT>
</environmentVariables>
<systemPropertyVariables>
<logback.configurationFile>${basedir}/src/test/resources/logback-test.xml</logback.configurationFile>
</systemPropertyVariables>
<argLine>-Xmx512m</argLine>
<argLine>-Xmx512m -Dwebgoatport=${webgoat.port} -Dwebwolfport=${webwolf.port}</argLine>
<includes>org/owasp/webgoat/*Test</includes>
</configuration>
<executions>
@ -547,7 +504,6 @@
<artifactId>maven-surefire-plugin</artifactId>
<version>${maven-surefire-plugin.version}</version>
<configuration>
<forkedProcessTimeoutInSeconds>600</forkedProcessTimeoutInSeconds>
<argLine>--add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
--add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
--add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED
@ -565,6 +521,7 @@
<artifactId>maven-checkstyle-plugin</artifactId>
<version>${checkstyle.version}</version>
<configuration>
<encoding>UTF-8</encoding>
<consoleOutput>true</consoleOutput>
<failsOnError>true</failsOnError>
<configLocation>config/checkstyle/checkstyle.xml</configLocation>
@ -575,7 +532,7 @@
<plugin>
<groupId>com.diffplug.spotless</groupId>
<artifactId>spotless-maven-plugin</artifactId>
<version>2.41.1</version>
<version>2.33.0</version>
<configuration>
<formats>
<format>
@ -693,15 +650,16 @@
<portNames>
<portName>webgoat.port</portName>
<portName>webwolf.port</portName>
<portName>jmxPort</portName>
</portNames>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.honton.chas</groupId>
<groupId>com.bazaarvoice.maven.plugins</groupId>
<artifactId>process-exec-maven-plugin</artifactId>
<version>0.9.2</version>
<version>0.9</version>
<executions>
<execution>
<id>start-jar</id>
@ -709,18 +667,8 @@
<goal>start</goal>
</goals>
<phase>pre-integration-test</phase>
<configuration>
<workingDir>${project.build.directory}</workingDir>
<environment>
<WEBGOAT_SSLENABLED>${webgoat.sslenabled}</WEBGOAT_SSLENABLED>
<WEBGOAT_HOST>127.0.0.1</WEBGOAT_HOST>
<WEBGOAT_PORT>${webgoat.port}</WEBGOAT_PORT>
<WEBGOAT_CONTEXT>${webgoat.context}</WEBGOAT_CONTEXT>
<WEBWOLF_HOST>127.0.0.1</WEBWOLF_HOST>
<WEBWOLF_PORT>${webwolf.port}</WEBWOLF_PORT>
<WEBWOLF_CONTEXT>${webwolf.context}</WEBWOLF_CONTEXT>
</environment>
<arguments>
<argument>java</argument>
<argument>-jar</argument>
@ -728,6 +676,8 @@
<argument>-Dwebgoat.server.directory=${java.io.tmpdir}/webgoat_${webgoat.port}</argument>
<argument>-Dwebgoat.user.directory=${java.io.tmpdir}/webgoat_${webgoat.port}</argument>
<argument>-Dspring.main.banner-mode=off</argument>
<argument>-Dwebgoat.port=${webgoat.port}</argument>
<argument>-Dwebwolf.port=${webwolf.port}</argument>
<argument>--add-opens</argument>
<argument>java.base/java.lang=ALL-UNNAMED</argument>
<argument>--add-opens</argument>
@ -753,6 +703,7 @@
<argument>${project.build.directory}/webgoat-${project.version}.jar</argument>
</arguments>
<waitForInterrupt>false</waitForInterrupt>
<healthcheckUrl>http://localhost:${webgoat.port}/WebGoat/actuator/health</healthcheckUrl>
</configuration>
</execution>
<execution>
@ -777,6 +728,7 @@
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>6.5.1</version>
<configuration>
<failBuildOnCVSS>7</failBuildOnCVSS>
<skipProvidedScope>false</skipProvidedScope>
@ -825,6 +777,7 @@
<plugin>
<groupId>org.jacoco</groupId>
<artifactId>jacoco-maven-plugin</artifactId>
<version>${jacoco.version}</version>
<executions>
<execution>
<id>before-unit-test</id>

8
robot/README.md
View File

@ -12,10 +12,8 @@ Then see security settings and allow the file to run
pip3 install virtualenv --user
python3 -m virtualenv .venv
source .venv/bin/activate
pip install --upgrade robotframework
pip install --upgrade robotframework-SeleniumLibrary
pip install --upgrade webdriver-manager
brew upgrade
pip install robotframework
pip install robotframework-SeleniumLibrary
pip install webdriver-manager
robot --variable HEADLESS:"0" --variable ENDPOINT:"http://127.0.0.1:8080/WebGoat" goat.robot
Make sure that the Chrome version, the webdriver version and all related components are up-to-date and compatible!

48
robot/goat.robot
View File

@ -2,7 +2,6 @@
Documentation Setup WebGoat Robotframework tests
Library SeleniumLibrary timeout=100 run_on_failure=Capture Page Screenshot
Library String
Library OperatingSystem
Suite Setup Initial_Page ${ENDPOINT} ${BROWSER}
Suite Teardown Close_Page
@ -12,7 +11,7 @@ ${BROWSER} chrome
${SLEEP} 100
${DELAY} 0.25
${ENDPOINT} http://127.0.0.1:8080/WebGoat
${ENDPOINT_WOLF} http://127.0.0.1:9090/WebWolf
${ENDPOINT_WOLF} http://127.0.0.1:9090
${USERNAME} robotuser
${PASSWORD} password
${HEADLESS} ${FALSE}
@ -23,25 +22,22 @@ Initial_Page
[Arguments] ${ENDPOINT} ${BROWSER}
Log To Console Start WebGoat UI Testing
IF ${HEADLESS}
Open Browser ${ENDPOINT} ${BROWSER} options=add_experimental_option('prefs', {'intl.accept_languages': 'en,en_US'});add_argument("-headless");add_argument("--start-maximized") alias=webgoat
Open Browser ${ENDPOINT} ${BROWSER} options=add_argument("-headless");add_argument("--start-maximized");add_experimental_option('prefs', {'intl.accept_languages': 'en,en_US'}) alias=webgoat
ELSE
Open Browser ${ENDPOINT} ${BROWSER} options=add_experimental_option('prefs', {'intl.accept_languages': 'en,en_US'}) alias=webgoat
END
IF ${HEADLESS}
Open Browser ${ENDPOINT_WOLF}/WebWolf ${BROWSER} options=add_argument("-headless");add_argument("--start-maximized");add_experimental_option('prefs', {'intl.accept_languages': 'en,en_US'}) alias=webwolf
ELSE
Open Browser ${ENDPOINT_WOLF}/WebWolf ${BROWSER} options=add_experimental_option('prefs', {'intl.accept_languages': 'en,en_US'}) alias=webwolf
END
Switch Browser webgoat
Maximize Browser Window
Set Window Size ${1400} ${1000}
Set Window Position ${0} ${0}
Set Selenium Speed ${DELAY}
Log To Console Start WebWolf UI Testing
IF ${HEADLESS}
Open Browser ${ENDPOINT_WOLF} ${BROWSER} options=add_experimental_option('prefs', {'intl.accept_languages': 'en,en_US'});add_argument("-headless");add_argument("--start-maximized") alias=webwolf
ELSE
Open Browser ${ENDPOINT_WOLF} ${BROWSER} options=add_experimental_option('prefs', {'intl.accept_languages': 'en,en_US'}) alias=webwolf
END
Switch Browser webwolf
Maximize Browser Window
Set Window Size ${1400} ${1000}
Set Window Position ${500} ${0}
Set Window Position ${400} ${200}
Set Selenium Speed ${DELAY}
Close_Page
@ -57,7 +53,6 @@ Close_Page
*** Test Cases ***
Check_Initial_Page
[Tags] WebGoatTests
Switch Browser webgoat
Page Should Contain Username
Click Button Sign in
@ -65,7 +60,6 @@ Check_Initial_Page
Click Link /WebGoat/registration
Check_Registration_Page
[Tags] WebGoatTests
Page Should Contain Username
Input Text username ${USERNAME}
Input Text password ${PASSWORD}
@ -74,7 +68,6 @@ Check_Registration_Page
Click Button Sign up
Check_Welcome_Page
[Tags] WebGoatTests
Page Should Contain WebGoat
Go To ${ENDPOINT}/login
Page Should Contain Username
@ -84,7 +77,6 @@ Check_Welcome_Page
Page Should Contain WebGoat
Check_Menu_Page
[Tags] WebGoatTests
Click Element css=a[category='Introduction']
Click Element Introduction-WebGoat
CLick Element Introduction-WebWolf
@ -101,29 +93,9 @@ Check_Menu_Page
Check_WebWolf
Switch Browser webwolf
location should be ${ENDPOINT_WOLF}/login
location should be ${ENDPOINT_WOLF}/WebWolf
Go To ${ENDPOINT_WOLF}/mail
Input Text username ${USERNAME}
Input Text password ${PASSWORD}
Click Button Sign In
Go To ${ENDPOINT_WOLF}/mail
Go To ${ENDPOINT_WOLF}/requests
Go To ${ENDPOINT_WOLF}/files
Check_JWT_Page
Go To ${ENDPOINT_WOLF}/jwt
Click Element token
Wait Until Element Is Enabled token 5s
Input Text token eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Click Element secretKey
Input Text secretKey none
Sleep 2s # Pause before reading the result
${OUT_VALUE} Get Value xpath=//textarea[@id='token']
Log To Console Found token ${OUT_VALUE}
${OUT_RESULT} Evaluate "ImuPnHvLdU7ULKfbD4aJU" in """${OUT_VALUE}"""
Log To Console Found token ${OUT_RESULT}
Capture Page Screenshot
Check_Files_Page
Go To ${ENDPOINT_WOLF}/files
Choose File css:input[type="file"] ${CURDIR}/goat.robot
Click Button Upload files

15
src/it/java/org/owasp/webgoat/AccessControlIntegrationTest.java
View File

@ -25,7 +25,7 @@ class AccessControlIntegrationTest extends IntegrationTest {
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.contentType(ContentType.JSON)
.get(url("access-control/users-admin-fix"))
.get(url("/WebGoat/access-control/users-admin-fix"))
.then()
.statusCode(HttpStatus.SC_FORBIDDEN);
@ -40,7 +40,7 @@ class AccessControlIntegrationTest extends IntegrationTest {
.cookie("JSESSIONID", getWebGoatCookie())
.contentType(ContentType.JSON)
.body(String.format(userTemplate, this.getUser(), this.getUser()))
.post(url("access-control/users"))
.post(url("/WebGoat/access-control/users"))
.then()
.statusCode(HttpStatus.SC_OK);
@ -51,14 +51,15 @@ class AccessControlIntegrationTest extends IntegrationTest {
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.contentType(ContentType.JSON)
.get(url("access-control/users-admin-fix"))
.get(url("/WebGoat/access-control/users-admin-fix"))
.then()
.statusCode(200)
.extract()
.jsonPath()
.get("find { it.username == \"Jerry\" }.userHash");
checkAssignment(url("access-control/user-hash-fix"), Map.of("userHash", userHash), true);
checkAssignment(
url("/WebGoat/access-control/user-hash-fix"), Map.of("userHash", userHash), true);
}
private void assignment2() {
@ -68,18 +69,18 @@ class AccessControlIntegrationTest extends IntegrationTest {
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.contentType(ContentType.JSON)
.get(url("access-control/users"))
.get(url("/WebGoat/access-control/users"))
.then()
.statusCode(200)
.extract()
.jsonPath()
.get("find { it.username == \"Jerry\" }.userHash");
checkAssignment(url("access-control/user-hash"), Map.of("userHash", userHash), true);
checkAssignment(url("/WebGoat/access-control/user-hash"), Map.of("userHash", userHash), true);
}
private void assignment1() {
var params = Map.of("hiddenMenu1", "Users", "hiddenMenu2", "Config");
checkAssignment(url("access-control/hidden-menu"), params, true);
checkAssignment(url("/WebGoat/access-control/hidden-menu"), params, true);
}
}

29
src/it/java/org/owasp/webgoat/CSRFIntegrationTest.java
View File

@ -64,12 +64,12 @@ public class CSRFIntegrationTest extends IntegrationTest {
public void init() {
startLesson("CSRF");
webwolfFileDir = getWebWolfFileServerLocation();
uploadTrickHtml("csrf3.html", trickHTML3.replace("WEBGOATURL", url("csrf/basic-get-flag")));
uploadTrickHtml("csrf4.html", trickHTML4.replace("WEBGOATURL", url("csrf/review")));
uploadTrickHtml("csrf7.html", trickHTML7.replace("WEBGOATURL", url("csrf/feedback/message")));
uploadTrickHtml("csrf3.html", trickHTML3.replace("WEBGOATURL", url("/csrf/basic-get-flag")));
uploadTrickHtml("csrf4.html", trickHTML4.replace("WEBGOATURL", url("/csrf/review")));
uploadTrickHtml("csrf7.html", trickHTML7.replace("WEBGOATURL", url("/csrf/feedback/message")));
uploadTrickHtml(
"csrf8.html",
trickHTML8.replace("WEBGOATURL", url("login")).replace("USERNAME", this.getUser()));
trickHTML8.replace("WEBGOATURL", url("/login")).replace("USERNAME", this.getUser()));
}
@TestFactory
@ -103,7 +103,7 @@ public class CSRFIntegrationTest extends IntegrationTest {
.relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.multiPart("file", htmlName, htmlContent.getBytes())
.post(webWolfUrl("fileupload"))
.post(webWolfUrl("/WebWolf/fileupload"))
.then()
.extract()
.response()
@ -118,7 +118,7 @@ public class CSRFIntegrationTest extends IntegrationTest {
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.get(webWolfUrl("files/" + this.getUser() + "/" + htmlName))
.get(webWolfUrl("/files/" + this.getUser() + "/" + htmlName))
.then()
.extract()
.response()
@ -136,7 +136,7 @@ public class CSRFIntegrationTest extends IntegrationTest {
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.header("Referer", webWolfUrl("files/fake.html"))
.header("Referer", webWolfUrl("/files/fake.html"))
.post(goatURL)
.then()
.extract()
@ -146,7 +146,7 @@ public class CSRFIntegrationTest extends IntegrationTest {
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("confirmFlagVal", flag);
checkAssignment(url("csrf/confirm-flag-1"), params, true);
checkAssignment(url("/WebGoat/csrf/confirm-flag-1"), params, true);
}
private void checkAssignment4(String goatURL) {
@ -163,7 +163,7 @@ public class CSRFIntegrationTest extends IntegrationTest {
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.header("Referer", webWolfUrl("files/fake.html"))
.header("Referer", webWolfUrl("/files/fake.html"))
.formParams(params)
.post(goatURL)
.then()
@ -184,7 +184,7 @@ public class CSRFIntegrationTest extends IntegrationTest {
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.header("Referer", webWolfUrl("files/fake.html"))
.header("Referer", webWolfUrl("/files/fake.html"))
.contentType(ContentType.TEXT)
.body(
"{\"name\":\"WebGoat\",\"email\":\"webgoat@webgoat.org\",\"content\":\"WebGoat is"
@ -198,7 +198,7 @@ public class CSRFIntegrationTest extends IntegrationTest {
params.clear();
params.put("confirmFlagVal", flag);
checkAssignment(url("csrf/feedback"), params, true);
checkAssignment(url("/WebGoat/csrf/feedback"), params, true);
}
private void checkAssignment8(String goatURL) {
@ -217,7 +217,7 @@ public class CSRFIntegrationTest extends IntegrationTest {
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.header("Referer", webWolfUrl("files/fake.html"))
.header("Referer", webWolfUrl("/files/fake.html"))
.params(params)
.post(goatURL)
.then()
@ -239,7 +239,7 @@ public class CSRFIntegrationTest extends IntegrationTest {
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", newCookie)
.post(url("csrf/login"))
.post(url("/csrf/login"))
.then()
.statusCode(200)
.extract()
@ -253,8 +253,7 @@ public class CSRFIntegrationTest extends IntegrationTest {
Overview[] assignments =
RestAssured.given()
.cookie("JSESSIONID", getWebGoatCookie())
.relaxedHTTPSValidation()
.get(url("service/lessonoverview.mvc"))
.get(url("/service/lessonoverview.mvc"))
.then()
.extract()
.jsonPath()

26
src/it/java/org/owasp/webgoat/ChallengeIntegrationTest.java
View File

@ -22,7 +22,7 @@ public class ChallengeIntegrationTest extends IntegrationTest {
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("challenge/logo"))
.get(url("/WebGoat/challenge/logo"))
.then()
.statusCode(200)
.extract()
@ -34,14 +34,14 @@ public class ChallengeIntegrationTest extends IntegrationTest {
params.put("username", "admin");
params.put("password", "!!webgoat_admin_1234!!".replace("1234", pincode));
checkAssignment(url("challenge/1"), params, true);
checkAssignment(url("/WebGoat/challenge/1"), params, true);
String result =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.formParams(params)
.post(url("challenge/1"))
.post(url("/WebGoat/challenge/1"))
.then()
.statusCode(200)
.extract()
@ -50,7 +50,7 @@ public class ChallengeIntegrationTest extends IntegrationTest {
String flag = result.substring(result.indexOf("flag") + 6, result.indexOf("flag") + 42);
params.clear();
params.put("flag", flag);
checkAssignment(url("challenge/flag"), params, true);
checkAssignment(url("/WebGoat/challenge/flag"), params, true);
checkResults("/challenge/1");
@ -59,7 +59,7 @@ public class ChallengeIntegrationTest extends IntegrationTest {
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("scoreboard-data"))
.get(url("/WebGoat/scoreboard-data"))
.then()
.statusCode(200)
.extract()
@ -83,7 +83,7 @@ public class ChallengeIntegrationTest extends IntegrationTest {
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.formParams(params)
.post(url("challenge/5"))
.post(url("/WebGoat/challenge/5"))
.then()
.statusCode(200)
.extract()
@ -92,7 +92,7 @@ public class ChallengeIntegrationTest extends IntegrationTest {
String flag = result.substring(result.indexOf("flag") + 6, result.indexOf("flag") + 42);
params.clear();
params.put("flag", flag);
checkAssignment(url("challenge/flag"), params, true);
checkAssignment(url("/WebGoat/challenge/flag"), params, true);
checkResults("/challenge/5");
@ -101,7 +101,7 @@ public class ChallengeIntegrationTest extends IntegrationTest {
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("scoreboard-data"))
.get(url("/WebGoat/scoreboard-data"))
.then()
.statusCode(200)
.extract()
@ -120,7 +120,7 @@ public class ChallengeIntegrationTest extends IntegrationTest {
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("challenge/7/.git"))
.get(url("/WebGoat/challenge/7/.git"))
.then()
.statusCode(200)
.extract()
@ -132,7 +132,7 @@ public class ChallengeIntegrationTest extends IntegrationTest {
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.formParams("email", getUser() + "@webgoat.org")
.post(url("challenge/7"))
.post(url("/WebGoat/challenge/7"))
.then()
.statusCode(200)
.extract()
@ -144,7 +144,7 @@ public class ChallengeIntegrationTest extends IntegrationTest {
.when()
.relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.get(webWolfUrl("mail"))
.get(webWolfUrl("/mail"))
.then()
.extract()
.response()
@ -158,13 +158,13 @@ public class ChallengeIntegrationTest extends IntegrationTest {
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("challenge/7/reset-password/{link}"), "375afe1104f4a487a73823c50a9292a2")
.get(url("/challenge/7/reset-password/{link}"), "375afe1104f4a487a73823c50a9292a2")
.then()
.statusCode(HttpStatus.ACCEPTED.value())
.extract()
.asString();
String flag = result.substring(result.indexOf("flag") + 6, result.indexOf("flag") + 42);
checkAssignment(url("challenge/flag"), Map.of("flag", flag), true);
checkAssignment(url("/WebGoat/challenge/flag"), Map.of("flag", flag), true);
}
}

18
src/it/java/org/owasp/webgoat/CryptoIntegrationTest.java
View File

@ -52,7 +52,7 @@ public class CryptoIntegrationTest extends IntegrationTest {
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("crypto/encoding/basic"))
.get(url("/crypto/encoding/basic"))
.then()
.extract()
.asString();
@ -64,7 +64,7 @@ public class CryptoIntegrationTest extends IntegrationTest {
params.clear();
params.put("answer_user", answer_user);
params.put("answer_pwd", answer_pwd);
checkAssignment(url("crypto/encoding/basic-auth"), params, true);
checkAssignment(url("/crypto/encoding/basic-auth"), params, true);
}
private void checkAssignment3() {
@ -72,7 +72,7 @@ public class CryptoIntegrationTest extends IntegrationTest {
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("answer_pwd1", answer_1);
checkAssignment(url("crypto/encoding/xor"), params, true);
checkAssignment(url("/crypto/encoding/xor"), params, true);
}
private void checkAssignment4() throws NoSuchAlgorithmException {
@ -82,7 +82,7 @@ public class CryptoIntegrationTest extends IntegrationTest {
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("crypto/hashing/md5"))
.get(url("/crypto/hashing/md5"))
.then()
.extract()
.asString();
@ -92,7 +92,7 @@ public class CryptoIntegrationTest extends IntegrationTest {
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("crypto/hashing/sha256"))
.get(url("/crypto/hashing/sha256"))
.then()
.extract()
.asString();
@ -112,7 +112,7 @@ public class CryptoIntegrationTest extends IntegrationTest {
params.clear();
params.put("answer_pwd1", answer_1);
params.put("answer_pwd2", answer_2);
checkAssignment(url("crypto/hashing"), params, true);
checkAssignment(url("/WebGoat/crypto/hashing"), params, true);
}
private void checkAssignmentSigning() throws NoSuchAlgorithmException, InvalidKeySpecException {
@ -122,7 +122,7 @@ public class CryptoIntegrationTest extends IntegrationTest {
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("crypto/signing/getprivate"))
.get(url("/crypto/signing/getprivate"))
.then()
.extract()
.asString();
@ -135,7 +135,7 @@ public class CryptoIntegrationTest extends IntegrationTest {
params.clear();
params.put("modulus", modulus);
params.put("signature", signature);
checkAssignment(url("crypto/signing/verify"), params, true);
checkAssignment(url("/crypto/signing/verify"), params, true);
}
private void checkAssignmentDefaults() {
@ -151,6 +151,6 @@ public class CryptoIntegrationTest extends IntegrationTest {
params.clear();
params.put("secretText", text);
params.put("secretFileName", "default_secret");
checkAssignment(url("crypto/secure/defaults"), params, true);
checkAssignment(url("/crypto/secure/defaults"), params, true);
}
}

2
src/it/java/org/owasp/webgoat/DeserializationIntegrationTest.java
View File

@ -26,7 +26,7 @@ public class DeserializationIntegrationTest extends IntegrationTest {
params.put(
"token", SerializationHelper.toString(new VulnerableTaskHolder("wait", "sleep 5")));
}
checkAssignment(url("InsecureDeserialization/task"), params, true);
checkAssignment(url("/WebGoat/InsecureDeserialization/task"), params, true);
checkResults("/InsecureDeserialization/");
}

23
src/it/java/org/owasp/webgoat/GeneralLessonIntegrationTest.java
View File

@ -72,7 +72,7 @@ public class GeneralLessonIntegrationTest extends IntegrationTest {
params.put(
"question_3_solution",
"Solution 2: The systems security is compromised even if only one goal is harmed.");
checkAssignment(url("cia/quiz"), params, true);
checkAssignment(url("/WebGoat/cia/quiz"), params, true);
checkResults("/cia/");
}
@ -95,7 +95,7 @@ public class GeneralLessonIntegrationTest extends IntegrationTest {
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("payload", solution);
checkAssignment(url("VulnerableComponents/attack1"), params, true);
checkAssignment(url("/WebGoat/VulnerableComponents/attack1"), params, true);
checkResults("/VulnerableComponents/");
}
}
@ -107,7 +107,7 @@ public class GeneralLessonIntegrationTest extends IntegrationTest {
params.clear();
params.put("username", "CaptainJack");
params.put("password", "BlackPearl");
checkAssignment(url("InsecureLogin/task"), params, true);
checkAssignment(url("/WebGoat/InsecureLogin/task"), params, true);
checkResults("/InsecureLogin/");
}
@ -117,7 +117,7 @@ public class GeneralLessonIntegrationTest extends IntegrationTest {
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("password", "ajnaeliclm^&&@kjn.");
checkAssignment(url("SecurePasswords/assignment"), params, true);
checkAssignment(url("/WebGoat/SecurePasswords/assignment"), params, true);
checkResults("SecurePasswords/");
startLesson("AuthBypass");
@ -127,7 +127,7 @@ public class GeneralLessonIntegrationTest extends IntegrationTest {
params.put("jsEnabled", "1");
params.put("verifyMethod", "SEC_QUESTIONS");
params.put("userId", "12309746");
checkAssignment(url("auth-bypass/verify-account"), params, true);
checkAssignment(url("/WebGoat/auth-bypass/verify-account"), params, true);
checkResults("/auth-bypass/");
startLesson("HttpProxies");
@ -138,7 +138,8 @@ public class GeneralLessonIntegrationTest extends IntegrationTest {
.cookie("JSESSIONID", getWebGoatCookie())
.header("x-request-intercepted", "true")
.contentType(ContentType.JSON)
.get(url("HttpProxies/intercept-request?changeMe=Requests are tampered easily"))
.get(
url("/WebGoat/HttpProxies/intercept-request?changeMe=Requests are tampered easily"))
.then()
.statusCode(200)
.extract()
@ -164,7 +165,7 @@ public class GeneralLessonIntegrationTest extends IntegrationTest {
.header("webgoat-requested-by", "dom-xss-vuln")
.header("X-Requested-With", "XMLHttpRequest")
.formParams(params)
.post(url("CrossSiteScripting/phone-home-xss"))
.post(url("/WebGoat/CrossSiteScripting/phone-home-xss"))
.then()
.statusCode(200)
.extract()
@ -173,12 +174,12 @@ public class GeneralLessonIntegrationTest extends IntegrationTest {
params.clear();
params.put("successMessage", secretNumber);
checkAssignment(url("ChromeDevTools/dummy"), params, true);
checkAssignment(url("/WebGoat/ChromeDevTools/dummy"), params, true);
params.clear();
params.put("number", "24");
params.put("network_num", "24");
checkAssignment(url("ChromeDevTools/network"), params, true);
checkAssignment(url("/WebGoat/ChromeDevTools/network"), params, true);
checkResults("/ChromeDevTools/");
}
@ -193,7 +194,7 @@ public class GeneralLessonIntegrationTest extends IntegrationTest {
params.put("jsEnabled", "1");
params.put("verifyMethod", "SEC_QUESTIONS");
params.put("userId", "12309746");
checkAssignment(url("auth-bypass/verify-account"), params, true);
checkAssignment(url("/auth-bypass/verify-account"), params, true);
checkResults("/auth-bypass/");
}
@ -204,7 +205,7 @@ public class GeneralLessonIntegrationTest extends IntegrationTest {
params.clear();
params.put("param1", "secr37Value");
params.put("param2", "Main");
checkAssignment(url("lesson-template/sample-attack"), params, true);
checkAssignment(url("/lesson-template/sample-attack"), params, true);
checkResults("/lesson-template/");
}
}

32
src/it/java/org/owasp/webgoat/IDORIntegrationTest.java
View File

@ -4,9 +4,11 @@ import static org.junit.jupiter.api.DynamicTest.dynamicTest;
import io.restassured.RestAssured;
import io.restassured.http.ContentType;
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import lombok.SneakyThrows;
import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert;
import org.junit.jupiter.api.AfterEach;
@ -17,6 +19,7 @@ import org.junit.jupiter.api.TestFactory;
public class IDORIntegrationTest extends IntegrationTest {
@BeforeEach
@SneakyThrows
public void init() {
startLesson("IDOR");
}
@ -24,63 +27,56 @@ public class IDORIntegrationTest extends IntegrationTest {
@TestFactory
Iterable<DynamicTest> testIDORLesson() {
return Arrays.asList(
dynamicTest("assignment 2 - login", this::loginIDOR),
dynamicTest("profile", this::profile));
dynamicTest("login", () -> loginIDOR()), dynamicTest("profile", () -> profile()));
}
@AfterEach
public void shutdown() {
public void shutdown() throws IOException {
checkResults("/IDOR");
}
private void loginIDOR() {
private void loginIDOR() throws IOException {
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("username", "tom");
params.put("password", "cat");
checkAssignment(url("IDOR/login"), params, true);
checkAssignment(url("/WebGoat/IDOR/login"), params, true);
}
private void profile() {
// View profile - assignment 3a
MatcherAssert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("IDOR/profile"))
.get(url("/WebGoat/IDOR/profile"))
.then()
.statusCode(200)
.extract()
.path("userId"),
CoreMatchers.is("2342384"));
// Show difference - assignment 3b
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("attributes", "userId,role");
checkAssignment(url("IDOR/diff-attributes"), params, true);
// View profile another way - assignment 4
checkAssignment(url("/WebGoat/IDOR/diff-attributes"), params, true);
params.clear();
params.put("url", "WebGoat/IDOR/profile/2342384");
checkAssignment(url("IDOR/profile/alt-path"), params, true);
checkAssignment(url("/WebGoat/IDOR/profile/alt-path"), params, true);
// assignment 5a
MatcherAssert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("IDOR/profile/2342388"))
.get(url("/WebGoat/IDOR/profile/2342388"))
.then()
.statusCode(200)
.extract()
.path("lessonCompleted"),
CoreMatchers.is(true));
// assignment 5b
MatcherAssert.assertThat(
RestAssured.given()
.when()
@ -90,7 +86,7 @@ public class IDORIntegrationTest extends IntegrationTest {
.body(
"{\"role\":\"1\", \"color\":\"red\", \"size\":\"large\", \"name\":\"Buffalo Bill\","
+ " \"userId\":\"2342388\"}")
.put(url("IDOR/profile/2342388"))
.put(url("/WebGoat/IDOR/profile/2342388"))
.then()
.statusCode(200)
.extract()

39
src/it/java/org/owasp/webgoat/IntegrationTest.java
View File

@ -5,6 +5,7 @@ import static io.restassured.RestAssured.given;
import io.restassured.RestAssured;
import io.restassured.http.ContentType;
import java.util.Map;
import java.util.Objects;
import lombok.Getter;
import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert;
@ -14,42 +15,34 @@ import org.springframework.http.HttpStatus;
public abstract class IntegrationTest {
private static String webGoatPort = System.getenv().getOrDefault("WEBGOAT_PORT", "8080");
private static String webGoatContext =
System.getenv().getOrDefault("WEBGOAT_CONTEXT", "/WebGoat/");
@Getter private static String webWolfPort = System.getenv().getOrDefault("WEBWOLF_PORT", "9090");
private static String webGoatPort = Objects.requireNonNull(System.getProperty("webgoatport"));
@Getter
private static String webWolfHost = System.getenv().getOrDefault("WEBWOLF_HOST", "127.0.0.1");
private static String webWolfPort = Objects.requireNonNull(System.getProperty("webwolfport"));
@Getter
private static String webGoatHost = System.getenv().getOrDefault("WEBGOAT_HOST", "127.0.0.1");
private static String webWolfContext =
System.getenv().getOrDefault("WEBWOLF_CONTEXT", "/WebWolf/");
private static boolean useSSL =
Boolean.valueOf(System.getenv().getOrDefault("WEBGOAT_SSLENABLED", "false"));
private static boolean useSSL = false;
private static String webgoatUrl =
(useSSL ? "https://" : "http://") + webGoatHost + ":" + webGoatPort + webGoatContext;
private static String webWolfUrl = "http://" + webWolfHost + ":" + webWolfPort + webWolfContext;
(useSSL ? "https:" : "http:") + "//localhost:" + webGoatPort + "/WebGoat/";
private static String webWolfUrl =
(useSSL ? "https:" : "http:") + "//localhost:" + webWolfPort + "/";
@Getter private String webGoatCookie;
@Getter private String webWolfCookie;
@Getter private final String user = "webgoat";
protected String url(String url) {
url = url.replaceFirst("/WebGoat/", "");
url = url.replaceFirst("/WebGoat", "");
url = url.startsWith("/") ? url.replaceFirst("/", "") : url;
return webgoatUrl + url;
}
protected String webWolfUrl(String url) {
url = url.replaceFirst("/WebWolf/", "");
url = url.replaceFirst("/WebWolf", "");
url = url.startsWith("/") ? url.replaceFirst("/", "") : url;
return webWolfUrl + url;
}
protected String webWolfFileUrl(String fileName) {
return webWolfUrl("files") + "/" + getUser() + "/" + fileName;
}
@BeforeEach
public void login() {
String location =
@ -238,7 +231,7 @@ public abstract class IntegrationTest {
.when()
.relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.get(webWolfUrl("file-server-location"))
.get(webWolfUrl("/file-server-location"))
.then()
.extract()
.response()
@ -253,7 +246,7 @@ public abstract class IntegrationTest {
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("server-directory"))
.get(url("/server-directory"))
.then()
.extract()
.response()
@ -266,7 +259,7 @@ public abstract class IntegrationTest {
.when()
.relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.delete(webWolfUrl("mail"))
.delete(webWolfUrl("/mail"))
.then()
.statusCode(HttpStatus.ACCEPTED.value());
}

75
src/it/java/org/owasp/webgoat/JWTLessonIntegrationTest.java
View File

@ -14,10 +14,7 @@ import io.restassured.RestAssured;
import java.io.IOException;
import java.nio.charset.Charset;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPublicKey;
import java.time.Instant;
import java.util.Base64;
import java.util.Calendar;
@ -26,8 +23,6 @@ import java.util.HashMap;
import java.util.Map;
import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert;
import org.jose4j.jwk.JsonWebKeySet;
import org.jose4j.jwk.RsaJsonWebKey;
import org.junit.jupiter.api.Test;
import org.owasp.webgoat.lessons.jwt.JWTSecretKeyEndpoint;
@ -45,9 +40,7 @@ public class JWTLessonIntegrationTest extends IntegrationTest {
buyAsTom();
deleteTomThroughKidClaim();
deleteTomThroughJkuClaim();
deleteTom();
quiz();
@ -88,7 +81,7 @@ public class JWTLessonIntegrationTest extends IntegrationTest {
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.formParam("jwt-encode-user", "user")
.post(url("JWT/decode"))
.post(url("/WebGoat/JWT/decode"))
.then()
.statusCode(200)
.extract()
@ -103,7 +96,7 @@ public class JWTLessonIntegrationTest extends IntegrationTest {
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("JWT/secret/gettoken"))
.get(url("/WebGoat/JWT/secret/gettoken"))
.then()
.extract()
.response()
@ -117,7 +110,7 @@ public class JWTLessonIntegrationTest extends IntegrationTest {
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.formParam("token", generateToken(secret))
.post(url("JWT/secret"))
.post(url("/WebGoat/JWT/secret"))
.then()
.statusCode(200)
.extract()
@ -131,7 +124,7 @@ public class JWTLessonIntegrationTest extends IntegrationTest {
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("JWT/votings/login?user=Tom"))
.get(url("/WebGoat/JWT/votings/login?user=Tom"))
.then()
.extract()
.cookie("access_token");
@ -164,7 +157,7 @@ public class JWTLessonIntegrationTest extends IntegrationTest {
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.cookie("access_token", replacedToken)
.post(url("JWT/votings"))
.post(url("/WebGoat/JWT/votings"))
.then()
.statusCode(200)
.extract()
@ -205,7 +198,7 @@ public class JWTLessonIntegrationTest extends IntegrationTest {
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.header("Authorization", "Bearer " + replacedToken)
.post(url("JWT/refresh/checkout"))
.post(url("/WebGoat/JWT/refresh/checkout"))
.then()
.statusCode(200)
.extract()
@ -213,7 +206,8 @@ public class JWTLessonIntegrationTest extends IntegrationTest {
CoreMatchers.is(true));
}
private void deleteTomThroughKidClaim() {
private void deleteTom() {
Map<String, Object> header = new HashMap();
header.put(Header.TYPE, Header.JWT_TYPE);
header.put(
@ -238,54 +232,7 @@ public class JWTLessonIntegrationTest extends IntegrationTest {
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.post(url("JWT/kid/delete?token=" + token))
.then()
.statusCode(200)
.extract()
.path("lessonCompleted"),
CoreMatchers.is(true));
}
private void deleteTomThroughJkuClaim() throws NoSuchAlgorithmException {
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
keyPairGenerator.initialize(2048);
KeyPair keyPair = keyPairGenerator.generateKeyPair();
var jwks = new JsonWebKeySet(new RsaJsonWebKey((RSAPublicKey) keyPair.getPublic()));
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.multiPart("file", "jwks.json", jwks.toJson().getBytes())
.post(webWolfUrl("fileupload"))
.then()
.extract()
.response()
.getBody()
.asString();
Map<String, Object> header = new HashMap();
header.put(Header.TYPE, Header.JWT_TYPE);
header.put(JwsHeader.JWK_SET_URL, webWolfFileUrl("jwks.json"));
String token =
Jwts.builder()
.setHeader(header)
.setIssuer("WebGoat Token Builder")
.setAudience("webgoat.org")
.setIssuedAt(Calendar.getInstance().getTime())
.setExpiration(Date.from(Instant.now().plusSeconds(60)))
.setSubject("tom@webgoat.org")
.claim("username", "Tom")
.claim("Email", "tom@webgoat.org")
.claim("Role", new String[] {"Manager", "Project Administrator"})
.signWith(SignatureAlgorithm.RS256, keyPair.getPrivate())
.compact();
MatcherAssert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.post(url("JWT/jku/delete?token=" + token))
.post(url("/WebGoat/JWT/final/delete?token=" + token))
.then()
.statusCode(200)
.extract()
@ -298,6 +245,6 @@ public class JWTLessonIntegrationTest extends IntegrationTest {
params.put("question_0_solution", "Solution 1");
params.put("question_1_solution", "Solution 2");
checkAssignment(url("JWT/quiz"), params, true);
checkAssignment(url("/WebGoat/JWT/quiz"), params, true);
}
}

10
src/it/java/org/owasp/webgoat/PasswordResetLessonIntegrationTest.java
View File

@ -11,13 +11,12 @@ import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.DynamicTest;
import org.junit.jupiter.api.TestFactory;
import org.springframework.http.HttpHeaders;
public class PasswordResetLessonIntegrationTest extends IntegrationTest {
@BeforeEach
public void init() {
startLesson("PasswordReset");
startLesson("/PasswordReset");
}
@TestFactory
@ -69,6 +68,7 @@ public class PasswordResetLessonIntegrationTest extends IntegrationTest {
// WebWolf
var link = getPasswordResetLinkFromLandingPage();
// WebGoat
changePassword(link);
checkAssignment(
@ -85,7 +85,7 @@ public class PasswordResetLessonIntegrationTest extends IntegrationTest {
.when()
.relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.get(webWolfUrl("mail"))
.get(webWolfUrl("/WebWolf/mail"))
.then()
.extract()
.response()
@ -119,7 +119,7 @@ public class PasswordResetLessonIntegrationTest extends IntegrationTest {
.when()
.relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.get(webWolfUrl("requests"))
.get(webWolfUrl("/WebWolf/requests"))
.then()
.extract()
.response()
@ -136,7 +136,7 @@ public class PasswordResetLessonIntegrationTest extends IntegrationTest {
private void clickForgotEmailLink(String user) {
RestAssured.given()
.when()
.header(HttpHeaders.HOST, String.format("%s:%s", getWebWolfHost(), getWebWolfPort()))
.header("host", String.format("%s:%s", "localhost", getWebWolfPort()))
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.formParams("email", user)

14
src/it/java/org/owasp/webgoat/PathTraversalIntegrationTest.java
View File

@ -55,7 +55,7 @@ class PathTraversalIT extends IntegrationTest {
.cookie("JSESSIONID", getWebGoatCookie())
.multiPart("uploadedFile", "test.jpg", Files.readAllBytes(fileToUpload.toPath()))
.param("fullName", "../John Doe")
.post(url("PathTraversal/profile-upload"))
.post(url("/WebGoat/PathTraversal/profile-upload"))
.then()
.statusCode(200)
.extract()
@ -71,7 +71,7 @@ class PathTraversalIT extends IntegrationTest {
.cookie("JSESSIONID", getWebGoatCookie())
.multiPart("uploadedFileFix", "test.jpg", Files.readAllBytes(fileToUpload.toPath()))
.param("fullNameFix", "..././John Doe")
.post(url("PathTraversal/profile-upload-fix"))
.post(url("/WebGoat/PathTraversal/profile-upload-fix"))
.then()
.statusCode(200)
.extract()
@ -89,7 +89,7 @@ class PathTraversalIT extends IntegrationTest {
"uploadedFileRemoveUserInput",
"../test.jpg",
Files.readAllBytes(fileToUpload.toPath()))
.post(url("PathTraversal/profile-upload-remove-user-input"))
.post(url("/WebGoat/PathTraversal/profile-upload-remove-user-input"))
.then()
.statusCode(200)
.extract()
@ -98,7 +98,7 @@ class PathTraversalIT extends IntegrationTest {
}
private void assignment4() throws IOException {
var uri = "PathTraversal/random-picture?id=%2E%2E%2F%2E%2E%2Fpath-traversal-secret";
var uri = "/WebGoat/PathTraversal/random-picture?id=%2E%2E%2F%2E%2E%2Fpath-traversal-secret";
RestAssured.given()
.urlEncodingEnabled(false)
.when()
@ -110,7 +110,7 @@ class PathTraversalIT extends IntegrationTest {
.body(CoreMatchers.is("You found it submit the SHA-512 hash of your username as answer"));
checkAssignment(
url("PathTraversal/random"),
url("/WebGoat/PathTraversal/random"),
Map.of("secret", Sha512DigestUtils.shaHex(this.getUser())),
true);
}
@ -133,10 +133,8 @@ class PathTraversalIT extends IntegrationTest {
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.multiPart("uploadedFileZipSlip", "upload.zip", Files.readAllBytes(zipFile.toPath()))
.post(url("PathTraversal/zip-slip"))
.post(url("/WebGoat/PathTraversal/zip-slip"))
.then()
.log()
.all()
.statusCode(200)
.extract()
.path("lessonCompleted"),

2
src/it/java/org/owasp/webgoat/ProgressRaceConditionIntegrationTest.java
View File

@ -29,7 +29,7 @@ public class ProgressRaceConditionIntegrationTest extends IntegrationTest {
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.formParams(Map.of("flag", "test"))
.post(url("challenge/flag"));
.post(url("/challenge/flag"));
};
ExecutorService executorService = Executors.newFixedThreadPool(NUMBER_OF_PARALLEL_THREADS);
List<? extends Callable<Response>> flagCalls =

4
src/it/java/org/owasp/webgoat/SSRFIntegrationTest.java
View File

@ -15,11 +15,11 @@ public class SSRFIntegrationTest extends IntegrationTest {
params.clear();
params.put("url", "images/jerry.png");
checkAssignment(url("SSRF/task1"), params, true);
checkAssignment(url("/WebGoat/SSRF/task1"), params, true);
params.clear();
params.put("url", "http://ifconfig.pro");
checkAssignment(url("SSRF/task2"), params, true);
checkAssignment(url("/WebGoat/SSRF/task2"), params, true);
checkResults("/SSRF/");
}

2
src/it/java/org/owasp/webgoat/SessionManagementIntegrationTest.java
View File

@ -31,7 +31,7 @@ import org.junit.jupiter.api.Test;
*/
class SessionManagementIT extends IntegrationTest {
private static final String HIJACK_LOGIN_CONTEXT_PATH = "HijackSession/login";
private static final String HIJACK_LOGIN_CONTEXT_PATH = "/WebGoat/HijackSession/login";
@Test
void hijackSessionTest() {

12
src/it/java/org/owasp/webgoat/SqlInjectionAdvancedIntegrationTest.java
View File

@ -16,27 +16,27 @@ public class SqlInjectionAdvancedIntegrationTest extends IntegrationTest {
params.put("password_reg", "password");
params.put("email_reg", "someone@microsoft.com");
params.put("confirm_password", "password");
checkAssignmentWithPUT(url("SqlInjectionAdvanced/challenge"), params, true);
checkAssignmentWithPUT(url("/WebGoat/SqlInjectionAdvanced/challenge"), params, true);
params.clear();
params.put("username_login", "tom");
params.put("password_login", "thisisasecretfortomonly");
checkAssignment(url("SqlInjectionAdvanced/challenge_Login"), params, true);
checkAssignment(url("/WebGoat/SqlInjectionAdvanced/challenge_Login"), params, true);
params.clear();
params.put("userid_6a", "'; SELECT * FROM user_system_data;--");
checkAssignment(url("SqlInjectionAdvanced/attack6a"), params, true);
checkAssignment(url("/WebGoat/SqlInjectionAdvanced/attack6a"), params, true);
params.clear();
params.put(
"userid_6a",
"Smith' union select userid,user_name, user_name,user_name,password,cookie,userid from"
+ " user_system_data --");
checkAssignment(url("SqlInjectionAdvanced/attack6a"), params, true);
checkAssignment(url("/WebGoat/SqlInjectionAdvanced/attack6a"), params, true);
params.clear();
params.put("userid_6b", "passW0rD");
checkAssignment(url("SqlInjectionAdvanced/attack6b"), params, true);
checkAssignment(url("/WebGoat/SqlInjectionAdvanced/attack6b"), params, true);
params.clear();
params.put(
@ -54,7 +54,7 @@ public class SqlInjectionAdvancedIntegrationTest extends IntegrationTest {
params.put(
"question_4_solution",
"Solution 4: The database registers 'Robert' ); DROP TABLE Students;--'.");
checkAssignment(url("SqlInjectionAdvanced/quiz"), params, true);
checkAssignment(url("/WebGoat/SqlInjectionAdvanced/quiz"), params, true);
checkResults("/SqlInjectionAdvanced/");
}

18
src/it/java/org/owasp/webgoat/SqlInjectionLessonIntegrationTest.java
View File

@ -34,44 +34,44 @@ public class SqlInjectionLessonIntegrationTest extends IntegrationTest {
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("query", sql_2);
checkAssignment(url("SqlInjection/attack2"), params, true);
checkAssignment(url("/WebGoat/SqlInjection/attack2"), params, true);
params.clear();
params.put("query", sql_3);
checkAssignment(url("SqlInjection/attack3"), params, true);
checkAssignment(url("/WebGoat/SqlInjection/attack3"), params, true);
params.clear();
params.put("query", sql_4_add);
checkAssignment(url("SqlInjection/attack4"), params, true);
checkAssignment(url("/WebGoat/SqlInjection/attack4"), params, true);
params.clear();
params.put("query", sql_5);
checkAssignment(url("SqlInjection/attack5"), params, true);
checkAssignment(url("/WebGoat/SqlInjection/attack5"), params, true);
params.clear();
params.put("operator", sql_9_operator);
params.put("account", sql_9_account);
params.put("injection", sql_9_injection);
checkAssignment(url("SqlInjection/assignment5a"), params, true);
checkAssignment(url("/WebGoat/SqlInjection/assignment5a"), params, true);
params.clear();
params.put("login_count", sql_10_login_count);
params.put("userid", sql_10_userid);
checkAssignment(url("SqlInjection/assignment5b"), params, true);
checkAssignment(url("/WebGoat/SqlInjection/assignment5b"), params, true);
params.clear();
params.put("name", sql_11_a);
params.put("auth_tan", sql_11_b);
checkAssignment(url("SqlInjection/attack8"), params, true);
checkAssignment(url("/WebGoat/SqlInjection/attack8"), params, true);
params.clear();
params.put("name", sql_12_a);
params.put("auth_tan", sql_12_b);
checkAssignment(url("SqlInjection/attack9"), params, true);
checkAssignment(url("/WebGoat/SqlInjection/attack9"), params, true);
params.clear();
params.put("action_string", sql_13);
checkAssignment(url("SqlInjection/attack10"), params, true);
checkAssignment(url("/WebGoat/SqlInjection/attack10"), params, true);
checkResults("/SqlInjection/");
}

14
src/it/java/org/owasp/webgoat/SqlInjectionMitigationIntegrationTest.java
View File

@ -23,7 +23,7 @@ public class SqlInjectionMitigationIntegrationTest extends IntegrationTest {
params.put("field5", "?");
params.put("field6", "prep.setString(1,\"\")");
params.put("field7", "prep.setString(2,\\\"\\\")");
checkAssignment(url("SqlInjectionMitigations/attack10a"), params, true);
checkAssignment(url("/WebGoat/SqlInjectionMitigations/attack10a"), params, true);
params.put(
"editor",
@ -37,18 +37,18 @@ public class SqlInjectionMitigationIntegrationTest extends IntegrationTest {
+ "} catch (Exception e) {\r\n"
+ " System.out.println(\"Oops. Something went wrong!\");\r\n"
+ "}");
checkAssignment(url("SqlInjectionMitigations/attack10b"), params, true);
checkAssignment(url("/WebGoat/SqlInjectionMitigations/attack10b"), params, true);
params.clear();
params.put(
"userid_sql_only_input_validation", "Smith';SELECT/**/*/**/from/**/user_system_data;--");
checkAssignment(url("SqlOnlyInputValidation/attack"), params, true);
checkAssignment(url("/WebGoat/SqlOnlyInputValidation/attack"), params, true);
params.clear();
params.put(
"userid_sql_only_input_validation_on_keywords",
"Smith';SESELECTLECT/**/*/**/FRFROMOM/**/user_system_data;--");
checkAssignment(url("SqlOnlyInputValidationOnKeywords/attack"), params, true);
checkAssignment(url("/WebGoat/SqlOnlyInputValidationOnKeywords/attack"), params, true);
RestAssured.given()
.when()
@ -57,7 +57,7 @@ public class SqlInjectionMitigationIntegrationTest extends IntegrationTest {
.contentType(ContentType.JSON)
.get(
url(
"SqlInjectionMitigations/servers?column=(case when (true) then hostname"
"/WebGoat/SqlInjectionMitigations/servers?column=(case when (true) then hostname"
+ " else id end)"))
.then()
.statusCode(200);
@ -67,7 +67,7 @@ public class SqlInjectionMitigationIntegrationTest extends IntegrationTest {
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.contentType(ContentType.JSON)
.get(url("SqlInjectionMitigations/servers?column=unknown"))
.get(url("/WebGoat/SqlInjectionMitigations/servers?column=unknown"))
.then()
.statusCode(500)
.body(
@ -78,7 +78,7 @@ public class SqlInjectionMitigationIntegrationTest extends IntegrationTest {
params.clear();
params.put("ip", "104.130.219.202");
checkAssignment(url("SqlInjectionMitigations/attack12a"), params, true);
checkAssignment(url("/WebGoat/SqlInjectionMitigations/attack12a"), params, true);
checkResults();
}

18
src/it/java/org/owasp/webgoat/WebWolfIntegrationTest.java
View File

@ -3,6 +3,7 @@ package org.owasp.webgoat;
import static org.junit.jupiter.api.Assertions.assertTrue;
import io.restassured.RestAssured;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import org.junit.jupiter.api.Test;
@ -10,20 +11,21 @@ import org.junit.jupiter.api.Test;
public class WebWolfIntegrationTest extends IntegrationTest {
@Test
public void runTests() {
public void runTests() throws IOException {
startLesson("WebWolfIntroduction");
// Assignment 3
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("email", this.getUser() + "@webgoat.org");
checkAssignment(url("WebWolf/mail/send"), params, false);
checkAssignment(url("/WebGoat/WebWolf/mail/send"), params, false);
String responseBody =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.get(webWolfUrl("mail"))
.get(webWolfUrl("/WebWolf/mail"))
.then()
.extract()
.response()
@ -37,7 +39,7 @@ public class WebWolfIntegrationTest extends IntegrationTest {
uniqueCode.lastIndexOf("your unique code is: ") + (21 + this.getUser().length()));
params.clear();
params.put("uniqueCode", uniqueCode);
checkAssignment(url("WebWolf/mail"), params, true);
checkAssignment(url("/WebGoat/WebWolf/mail"), params, true);
// Assignment 4
RestAssured.given()
@ -45,7 +47,7 @@ public class WebWolfIntegrationTest extends IntegrationTest {
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.queryParams(params)
.get(url("WebWolf/landing/password-reset"))
.get(url("/WebGoat/WebWolf/landing/password-reset"))
.then()
.statusCode(200);
RestAssured.given()
@ -53,7 +55,7 @@ public class WebWolfIntegrationTest extends IntegrationTest {
.relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.queryParams(params)
.get(webWolfUrl("landing"))
.get(webWolfUrl("/landing"))
.then()
.statusCode(200);
responseBody =
@ -61,7 +63,7 @@ public class WebWolfIntegrationTest extends IntegrationTest {
.when()
.relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.get(webWolfUrl("requests"))
.get(webWolfUrl("/WebWolf/requests"))
.then()
.extract()
.response()
@ -70,7 +72,7 @@ public class WebWolfIntegrationTest extends IntegrationTest {
assertTrue(responseBody.contains(uniqueCode));
params.clear();
params.put("uniqueCode", uniqueCode);
checkAssignment(url("WebWolf/landing"), params, true);
checkAssignment(url("/WebGoat/WebWolf/landing"), params, true);
checkResults("/WebWolf");
}

50
src/it/java/org/owasp/webgoat/XSSIntegrationTest.java
View File

@ -14,7 +14,7 @@ public class XSSIntegrationTest extends IntegrationTest {
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("checkboxAttack1", "value");
checkAssignment(url("CrossSiteScripting/attack1"), params, true);
checkAssignment(url("/CrossSiteScripting/attack1"), params, true);
params.clear();
params.put("QTY1", "1");
@ -23,11 +23,11 @@ public class XSSIntegrationTest extends IntegrationTest {
params.put("QTY4", "1");
params.put("field1", "<script>alert('XSS+Test')</script>");
params.put("field2", "111");
checkAssignmentWithGet(url("CrossSiteScripting/attack5a"), params, true);
checkAssignmentWithGet(url("/CrossSiteScripting/attack5a"), params, true);
params.clear();
params.put("DOMTestRoute", "start.mvc#test");
checkAssignment(url("CrossSiteScripting/attack6a"), params, true);
checkAssignment(url("/CrossSiteScripting/attack6a"), params, true);
params.clear();
params.put("param1", "42");
@ -41,7 +41,7 @@ public class XSSIntegrationTest extends IntegrationTest {
.header("webgoat-requested-by", "dom-xss-vuln")
.header("X-Requested-With", "XMLHttpRequest")
.formParams(params)
.post(url("CrossSiteScripting/phone-home-xss"))
.post(url("/CrossSiteScripting/phone-home-xss"))
.then()
.statusCode(200)
.extract()
@ -50,7 +50,7 @@ public class XSSIntegrationTest extends IntegrationTest {
params.clear();
params.put("successMessage", secretNumber);
checkAssignment(url("CrossSiteScripting/dom-follow-up"), params, true);
checkAssignment(url("/CrossSiteScripting/dom-follow-up"), params, true);
params.clear();
params.put(
@ -73,44 +73,8 @@ public class XSSIntegrationTest extends IntegrationTest {
"question_4_solution",
"Solution 4: No there are many other ways. Like HTML, Flash or any other type of code that"
+ " the browser executes.");
checkAssignment(url("CrossSiteScripting/quiz"), params, true);
checkAssignment(url("/CrossSiteScripting/quiz"), params, true);
params.clear();
params.put(
"editor",
"<%@ taglib uri=\"https://www.owasp.org/index.php/OWASP_Java_Encoder_Project\" %>"
+ "<html>"
+ "<head>"
+ "<title>Using GET and POST Method to Read Form Data</title>"
+ "</head>"
+ "<body>"
+ "<h1>Using POST Method to Read Form Data</h1>"
+ "<table>"
+ "<tbody>"
+ "<tr>"
+ "<td><b>First Name:</b></td>"
+ "<td>${e:forHtml(param.first_name)}</td>"
+ "</tr>"
+ "<tr>"
+ "<td><b>Last Name:</b></td>"
+ "<td>${e:forHtml(param.last_name)}</td>"
+ "</tr>"
+ "</tbody>"
+ "</table>"
+ "</body>"
+ "</html>");
checkAssignment(url("CrossSiteScripting/attack3"), params, true);
params.clear();
params.put(
"editor2",
"Policy.getInstance(\"antisamy-slashdot.xml\");"
+ "Sammy s = new AntiSamy();"
+ "s.scan(newComment,\"\");"
+ "CleanResults();"
+ "MyCommentDAO.addComment(threadID, userID).getCleanHTML());");
checkAssignment(url("CrossSiteScripting/attack4"), params, true);
checkResults("/CrossSiteScripting");
checkResults("/CrossSiteScripting/");
}
}

22
src/it/java/org/owasp/webgoat/XXEIntegrationTest.java
View File

@ -45,10 +45,10 @@ public class XXEIntegrationTest extends IntegrationTest {
.get(url("service/enable-security.mvc"))
.then()
.statusCode(200);
checkAssignment(url("xxe/simple"), ContentType.XML, xxe3, false);
checkAssignment(url("xxe/content-type"), ContentType.XML, xxe4, false);
checkAssignment(url("/WebGoat/xxe/simple"), ContentType.XML, xxe3, false);
checkAssignment(url("/WebGoat/xxe/content-type"), ContentType.XML, xxe4, false);
checkAssignment(
url("xxe/blind"),
url("/WebGoat/xxe/blind"),
ContentType.XML,
"<comment><text>" + getSecret() + "</text></comment>",
false);
@ -68,7 +68,7 @@ public class XXEIntegrationTest extends IntegrationTest {
}
String secretFile = webGoatHomeDirectory.concat("/XXE/" + getUser() + "/secret.txt");
String dtd7String =
dtd7.replace("WEBWOLFURL", webWolfUrl("landing")).replace("SECRET", secretFile);
dtd7.replace("WEBWOLFURL", webWolfUrl("/landing")).replace("SECRET", secretFile);
// upload DTD
RestAssured.given()
@ -76,7 +76,7 @@ public class XXEIntegrationTest extends IntegrationTest {
.relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.multiPart("file", "blind.dtd", dtd7String.getBytes())
.post(webWolfUrl("fileupload"))
.post(webWolfUrl("/fileupload"))
.then()
.extract()
.response()
@ -84,8 +84,8 @@ public class XXEIntegrationTest extends IntegrationTest {
.asString();
// upload attack
String xxe7String =
xxe7.replace("WEBWOLFURL", webWolfUrl("files")).replace("USERNAME", this.getUser());
checkAssignment(url("xxe/blind"), ContentType.XML, xxe7String, false);
xxe7.replace("WEBWOLFURL", webWolfUrl("/files")).replace("USERNAME", this.getUser());
checkAssignment(url("/WebGoat/xxe/blind"), ContentType.XML, xxe7String, false);
// read results from WebWolf
String result =
@ -93,7 +93,7 @@ public class XXEIntegrationTest extends IntegrationTest {
.when()
.relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.get(webWolfUrl("requests"))
.get(webWolfUrl("/WebWolf/requests"))
.then()
.extract()
.response()
@ -114,10 +114,10 @@ public class XXEIntegrationTest extends IntegrationTest {
startLesson("XXE", true);
webGoatHomeDirectory = webGoatServerDirectory();
webWolfFileServerLocation = getWebWolfFileServerLocation();
checkAssignment(url("xxe/simple"), ContentType.XML, xxe3, true);
checkAssignment(url("xxe/content-type"), ContentType.XML, xxe4, true);
checkAssignment(url("/WebGoat/xxe/simple"), ContentType.XML, xxe3, true);
checkAssignment(url("/WebGoat/xxe/content-type"), ContentType.XML, xxe4, true);
checkAssignment(
url("xxe/blind"),
url("/WebGoat/xxe/blind"),
ContentType.XML,
"<comment><text>" + getSecret() + "</text></comment>",
true);

2
src/main/java/org/owasp/webgoat/container/DatabaseConfiguration.java
View File

@ -6,6 +6,7 @@ import javax.sql.DataSource;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.flywaydb.core.Flyway;
import org.owasp.webgoat.container.lessons.LessonScanner;
import org.owasp.webgoat.container.service.RestartLessonService;
import org.springframework.boot.autoconfigure.jdbc.DataSourceProperties;
import org.springframework.context.annotation.Bean;
@ -19,6 +20,7 @@ import org.springframework.jdbc.datasource.DriverManagerDataSource;
public class DatabaseConfiguration {
private final DataSourceProperties properties;
private final LessonScanner lessonScanner;
@Bean
@Primary

1
src/main/java/org/owasp/webgoat/container/MvcConfiguration.java
View File

@ -242,7 +242,6 @@ public class MvcConfiguration implements WebMvcConfigurer {
@Override
public void addInterceptors(InterceptorRegistry registry) {
registry.addInterceptor(localeChangeInterceptor());
registry.addInterceptor(new UserInterceptor());
}
@Bean

53
src/main/java/org/owasp/webgoat/container/UserInterceptor.java
View File

@ -1,53 +0,0 @@
package org.owasp.webgoat.container;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.owasp.webgoat.container.asciidoc.EnvironmentExposure;
import org.springframework.core.env.Environment;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;
public class UserInterceptor implements HandlerInterceptor {
private Environment env = EnvironmentExposure.getEnv();
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
throws Exception {
// Do nothing
return true;
}
@Override
public void postHandle(
HttpServletRequest request,
HttpServletResponse response,
Object handler,
ModelAndView modelAndView)
throws Exception {
if (null != modelAndView) {
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
if (null != authentication) {
modelAndView.getModel().put("username", authentication.getName());
}
if (null != env) {
String githubClientId =
env.getProperty("spring.security.oauth2.client.registration.github.client-id");
if (null != githubClientId && !githubClientId.equals("dummy")) {
modelAndView.getModel().put("oauth", Boolean.TRUE);
}
} else {
modelAndView.getModel().put("oauth", Boolean.FALSE);
}
}
}
@Override
public void afterCompletion(
HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex)
throws Exception {
// Do nothing
}
}

16
src/main/java/org/owasp/webgoat/container/WebGoat.java
View File

@ -34,9 +34,6 @@ package org.owasp.webgoat.container;
import java.io.File;
import org.owasp.webgoat.container.session.UserSessionData;
import org.owasp.webgoat.container.session.WebSession;
import org.owasp.webgoat.container.users.UserRepository;
import org.owasp.webgoat.container.users.WebGoatUser;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.context.annotation.Bean;
@ -45,8 +42,6 @@ import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.PropertySource;
import org.springframework.context.annotation.Scope;
import org.springframework.context.annotation.ScopedProxyMode;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.core.user.DefaultOAuth2User;
import org.springframework.web.client.RestTemplate;
@Configuration
@ -55,8 +50,6 @@ import org.springframework.web.client.RestTemplate;
@EnableAutoConfiguration
public class WebGoat {
@Autowired private UserRepository userRepository;
@Bean(name = "pluginTargetDirectory")
public File pluginTargetDirectory(@Value("${webgoat.user.directory}") final String webgoatHome) {
return new File(webgoatHome);
@ -65,14 +58,7 @@ public class WebGoat {
@Bean
@Scope(value = "session", proxyMode = ScopedProxyMode.TARGET_CLASS)
public WebSession webSession() {
WebGoatUser webGoatUser = null;
Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
if (principal instanceof WebGoatUser) {
webGoatUser = (WebGoatUser) principal;
} else if (principal instanceof DefaultOAuth2User) {
webGoatUser = userRepository.findByUsername(((DefaultOAuth2User) principal).getName());
}
return new WebSession(webGoatUser);
return new WebSession();
}
@Bean

62
src/main/java/org/owasp/webgoat/container/WebSecurityConfig.java
View File

@ -54,41 +54,32 @@ public class WebSecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
return http.authorizeHttpRequests(
auth ->
auth.requestMatchers(
"/",
"/favicon.ico",
"/css/**",
"/images/**",
"/js/**",
"fonts/**",
"/plugins/**",
"/registration",
"/register.mvc")
.permitAll()
.anyRequest()
.authenticated())
.formLogin(
login ->
login
.loginPage("/login")
.defaultSuccessUrl("/welcome.mvc", true)
.usernameParameter("username")
.passwordParameter("password")
.permitAll())
.oauth2Login(
oidc -> {
oidc.defaultSuccessUrl("/login-oauth.mvc");
oidc.loginPage("/login");
})
.logout(logout -> logout.deleteCookies("JSESSIONID").invalidateHttpSession(true))
.csrf(csrf -> csrf.disable())
.headers(headers -> headers.disable())
.exceptionHandling(
handling ->
handling.authenticationEntryPoint(new AjaxAuthenticationEntryPoint("/login")))
.build();
http.authorizeHttpRequests(
auth ->
auth.requestMatchers(
"/css/**",
"/images/**",
"/js/**",
"fonts/**",
"/plugins/**",
"/registration",
"/register.mvc",
"/actuator/**")
.permitAll()
.anyRequest()
.authenticated());
http.formLogin()
.loginPage("/login")
.defaultSuccessUrl("/welcome.mvc", true)
.usernameParameter("username")
.passwordParameter("password")
.permitAll();
http.logout().deleteCookies("JSESSIONID").invalidateHttpSession(true);
http.csrf().disable();
http.headers().cacheControl().disable();
http.exceptionHandling().authenticationEntryPoint(new AjaxAuthenticationEntryPoint("/login"));
return http.build();
}
@Autowired
@ -107,6 +98,7 @@ public class WebSecurityConfig {
return authenticationConfiguration.getAuthenticationManager();
}
@SuppressWarnings("deprecation")
@Bean
public NoOpPasswordEncoder passwordEncoder() {
return (NoOpPasswordEncoder) NoOpPasswordEncoder.getInstance();

2
src/main/java/org/owasp/webgoat/container/asciidoc/EnvironmentExposure.java
View File

@ -16,7 +16,7 @@ public class EnvironmentExposure implements ApplicationContextAware {
private static ApplicationContext context;
public static Environment getEnv() {
return (null != context) ? context.getEnvironment() : null;
return context.getEnvironment();
}
@Override

30
src/main/java/org/owasp/webgoat/container/asciidoc/WebWolfMacro.java
View File

@ -1,9 +1,12 @@
package org.owasp.webgoat.container.asciidoc;
import jakarta.servlet.http.HttpServletRequest;
import java.util.HashMap;
import java.util.Map;
import org.asciidoctor.ast.ContentNode;
import org.asciidoctor.extension.InlineMacroProcessor;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
/**
* Usage in asciidoc:
@ -23,7 +26,7 @@ public class WebWolfMacro extends InlineMacroProcessor {
@Override
public Object process(ContentNode contentNode, String linkText, Map<String, Object> attributes) {
var env = EnvironmentExposure.getEnv();
var hostname = env.getProperty("webwolf.url");
var hostname = determineHost(env.getProperty("webwolf.port"));
var target = (String) attributes.getOrDefault("target", "home");
var href = hostname + "/" + target;
@ -42,4 +45,29 @@ public class WebWolfMacro extends InlineMacroProcessor {
private boolean displayCompleteLinkNoFormatting(Map<String, Object> attributes) {
return attributes.values().stream().anyMatch(a -> a.equals("noLink"));
}
/**
* Determine the host from the hostname and ports that were used. The purpose is to make it
* possible to use the application behind a reverse proxy. For instance in the docker
* compose/stack version with webgoat webwolf and nginx proxy. You do not have to use the
* indicated hostname, but if you do, you should define two hosts aliases 127.0.0.1
* www.webgoat.local www.webwolf.local
*/
private String determineHost(String port) {
HttpServletRequest request =
((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
String host = request.getHeader("Host");
int semicolonIndex = host.indexOf(":");
if (semicolonIndex == -1 || host.endsWith(":80")) {
host = host.replace(":80", "").replace("www.webgoat.local", "www.webwolf.local");
} else {
host = host.substring(0, semicolonIndex);
host = host.concat(":").concat(port);
}
return "http://" + host + (includeWebWolfContext() ? "/WebWolf" : "");
}
protected boolean includeWebWolfContext() {
return true;
}
}

5
src/main/java/org/owasp/webgoat/container/asciidoc/WebWolfRootMacro.java
View File

@ -17,4 +17,9 @@ public class WebWolfRootMacro extends WebWolfMacro {
public WebWolfRootMacro(String macroName, Map<String, Object> config) {
super(macroName, config);
}
@Override
protected boolean includeWebWolfContext() {
return false;
}
}

8
src/main/java/org/owasp/webgoat/container/session/WebSession.java
View File

@ -3,6 +3,7 @@ package org.owasp.webgoat.container.session;
import java.io.Serializable;
import org.owasp.webgoat.container.lessons.Lesson;
import org.owasp.webgoat.container.users.WebGoatUser;
import org.springframework.security.core.context.SecurityContextHolder;
/**
* *************************************************************************************************
@ -39,12 +40,13 @@ import org.owasp.webgoat.container.users.WebGoatUser;
public class WebSession implements Serializable {
private static final long serialVersionUID = -4270066103101711560L;
private WebGoatUser currentUser;
private final WebGoatUser currentUser;
private transient Lesson currentLesson;
private boolean securityEnabled;
public WebSession(WebGoatUser webGoatUser) {
this.currentUser = webGoatUser;
public WebSession() {
this.currentUser =
(WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
}
/**

10
src/main/java/org/owasp/webgoat/container/users/RegistrationController.java
View File

@ -3,10 +3,8 @@ package org.owasp.webgoat.container.users;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.validation.Valid;
import java.util.UUID;
import lombok.AllArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Controller;
import org.springframework.validation.BindingResult;
import org.springframework.web.bind.annotation.GetMapping;
@ -46,12 +44,4 @@ public class RegistrationController {
return "redirect:/attack";
}
@GetMapping("/login-oauth.mvc")
public String registrationOAUTH(Authentication authentication, HttpServletRequest request)
throws ServletException {
log.info("register oauth user in database");
userService.addUser(authentication.getName(), UUID.randomUUID().toString());
return "redirect:/welcome.mvc";
}
}

2
src/main/java/org/owasp/webgoat/lessons/authbypass/AccountVerificationHelper.java
View File

@ -42,7 +42,6 @@ public class AccountVerificationHelper {
static {
secQuestionStore.put(verifyUserId, userSecQuestions);
}
// end 'data store set up'
// this is to aid feedback in the attack process and is not intended to be part of the
@ -69,7 +68,6 @@ public class AccountVerificationHelper {
return likely;
}
// end of cheating check ... the method below is the one of real interest. Can you find the flaw?
public boolean verifyAccount(Integer userId, HashMap<String, String> submittedQuestions) {

3
src/main/java/org/owasp/webgoat/lessons/idor/IDORDiffAttributes.java
View File

@ -15,8 +15,7 @@
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source
* ==============
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/

15
src/main/java/org/owasp/webgoat/lessons/idor/IDOREditOtherProfile.java → src/main/java/org/owasp/webgoat/lessons/idor/IDOREditOtherProfiile.java
View File

@ -15,8 +15,7 @@
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source
* ==============
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/
@ -46,7 +45,7 @@ import org.springframework.web.bind.annotation.RestController;
"idor.hints.otherProfile8",
"idor.hints.otherProfile9"
})
public class IDOREditOtherProfile extends AssignmentEndpoint {
public class IDOREditOtherProfiile extends AssignmentEndpoint {
@Autowired private UserSessionData userSessionData;
@ -70,7 +69,7 @@ public class IDOREditOtherProfile extends AssignmentEndpoint {
// we will persist in the session object for now in case we want to refer back or use it later
userSessionData.setValue("idor-updated-other-profile", currentUserProfile);
if (currentUserProfile.getRole() <= 1
&& currentUserProfile.getColor().equalsIgnoreCase("red")) {
&& currentUserProfile.getColor().toLowerCase().equals("red")) {
return success(this)
.feedback("idor.edit.profile.success1")
.output(currentUserProfile.profileToMap().toString())
@ -78,16 +77,16 @@ public class IDOREditOtherProfile extends AssignmentEndpoint {
}
if (currentUserProfile.getRole() > 1
&& currentUserProfile.getColor().equalsIgnoreCase("red")) {
return failed(this)
&& currentUserProfile.getColor().toLowerCase().equals("red")) {
return success(this)
.feedback("idor.edit.profile.failure1")
.output(currentUserProfile.profileToMap().toString())
.build();
}
if (currentUserProfile.getRole() <= 1
&& !currentUserProfile.getColor().equalsIgnoreCase("red")) {
return failed(this)
&& !currentUserProfile.getColor().toLowerCase().equals("red")) {
return success(this)
.feedback("idor.edit.profile.failure2")
.output(currentUserProfile.profileToMap().toString())
.build();

3
src/main/java/org/owasp/webgoat/lessons/idor/IDORLogin.java
View File

@ -15,8 +15,7 @@
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source
* ==============
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/

12
src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java
View File

@ -15,8 +15,7 @@
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source
* ==============
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/
@ -24,6 +23,8 @@
package org.owasp.webgoat.lessons.idor;
import jakarta.servlet.http.HttpServletResponse;
import java.util.HashMap;
import java.util.Map;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
@ -55,9 +56,9 @@ public class IDORViewOtherProfile extends AssignmentEndpoint {
produces = {"application/json"})
@ResponseBody
public AttackResult completed(@PathVariable("userId") String userId, HttpServletResponse resp) {
Map<String, Object> details = new HashMap<>();
Object obj = userSessionData.getValue("idor-authenticated-as");
if (obj != null && obj.equals("tom")) {
if (userSessionData.getValue("idor-authenticated-as").equals("tom")) {
// going to use session auth to view this one
String authUserId = (String) userSessionData.getValue("idor-authenticated-user-id");
if (userId != null && !userId.equals(authUserId)) {
@ -65,8 +66,7 @@ public class IDORViewOtherProfile extends AssignmentEndpoint {
UserProfile requestedProfile = new UserProfile(userId);
// secure code would ensure there was a horizontal access control check prior to dishing up
// the requested profile
if (requestedProfile.getUserId() != null
&& requestedProfile.getUserId().equals("2342388")) {
if (requestedProfile.getUserId().equals("2342388")) {
return success(this)
.feedback("idor.view.profile.success")
.output(requestedProfile.profileToMap().toString())

3
src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfile.java
View File

@ -15,8 +15,7 @@
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source
* ==============
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/

5
src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfileAltUrl.java
View File

@ -15,8 +15,7 @@
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source
* ==============
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/
@ -69,7 +68,7 @@ public class IDORViewOwnProfileAltUrl extends AssignmentEndpoint {
return failed(this).feedback("idor.view.own.profile.failure2").build();
}
} catch (Exception ex) {
return failed(this).output("an error occurred with your request").build();
return failed(this).feedback("an error occurred with your request").build();
}
}
}

3
src/main/java/org/owasp/webgoat/lessons/idor/UserProfile.java
View File

@ -15,8 +15,7 @@
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source
* ==============
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/

24
src/main/java/org/owasp/webgoat/lessons/jwt/claimmisuse/JWTHeaderKIDEndpoint.java → src/main/java/org/owasp/webgoat/lessons/jwt/JWTFinalEndpoint.java
View File

@ -20,7 +20,7 @@
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/
package org.owasp.webgoat.lessons.jwt.claimmisuse;
package org.owasp.webgoat.lessons.jwt;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwsHeader;
@ -38,30 +38,28 @@ import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RestController
@AssignmentHints({
"jwt-kid-hint1",
"jwt-kid-hint2",
"jwt-kid-hint3",
"jwt-kid-hint4",
"jwt-kid-hint5",
"jwt-kid-hint6"
"jwt-final-hint1",
"jwt-final-hint2",
"jwt-final-hint3",
"jwt-final-hint4",
"jwt-final-hint5",
"jwt-final-hint6"
})
@RequestMapping("/JWT/kid")
public class JWTHeaderKIDEndpoint extends AssignmentEndpoint {
public class JWTFinalEndpoint extends AssignmentEndpoint {
private final LessonDataSource dataSource;
private JWTHeaderKIDEndpoint(LessonDataSource dataSource) {
private JWTFinalEndpoint(LessonDataSource dataSource) {
this.dataSource = dataSource;
}
@PostMapping("/follow/{user}")
@PostMapping("/JWT/final/follow/{user}")
public @ResponseBody String follow(@PathVariable("user") String user) {
if ("Jerry".equals(user)) {
return "Following yourself seems redundant";
@ -70,7 +68,7 @@ public class JWTHeaderKIDEndpoint extends AssignmentEndpoint {
}
}
@PostMapping("/delete")
@PostMapping("/JWT/final/delete")
public @ResponseBody AttackResult resetVotes(@RequestParam("token") String token) {
if (StringUtils.isEmpty(token)) {
return failed(this).feedback("jwt-invalid-token").build();

70
src/main/java/org/owasp/webgoat/lessons/jwt/claimmisuse/JWTHeaderJKUEndpoint.java
View File

@ -1,70 +0,0 @@
package org.owasp.webgoat.lessons.jwt.claimmisuse;
import com.auth0.jwk.JwkException;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.JwkProviderBuilder;
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.interfaces.RSAPublicKey;
import org.apache.commons.lang3.StringUtils;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RequestMapping("/JWT/jku")
@RestController
@AssignmentHints({
"jwt-jku-hint1",
"jwt-jku-hint2",
"jwt-jku-hint3",
"jwt-jku-hint4",
"jwt-jku-hint5"
})
public class JWTHeaderJKUEndpoint extends AssignmentEndpoint {
@PostMapping("/follow/{user}")
public @ResponseBody String follow(@PathVariable("user") String user) {
if ("Jerry".equals(user)) {
return "Following yourself seems redundant";
} else {
return "You are now following Tom";
}
}
@PostMapping("/delete")
public @ResponseBody AttackResult resetVotes(@RequestParam("token") String token) {
if (StringUtils.isEmpty(token)) {
return failed(this).feedback("jwt-invalid-token").build();
} else {
try {
var decodedJWT = JWT.decode(token);
var jku = decodedJWT.getHeaderClaim("jku");
JwkProvider jwkProvider = new JwkProviderBuilder(new URL(jku.asString())).build();
var jwk = jwkProvider.get(decodedJWT.getKeyId());
var algorithm = Algorithm.RSA256((RSAPublicKey) jwk.getPublicKey());
JWT.require(algorithm).build().verify(decodedJWT);
String username = decodedJWT.getClaims().get("username").asString();
if ("Jerry".equals(username)) {
return failed(this).feedback("jwt-final-jerry-account").build();
}
if ("Tom".equals(username)) {
return success(this).build();
} else {
return failed(this).feedback("jwt-final-not-tom").build();
}
} catch (MalformedURLException | JWTVerificationException | JwkException e) {
return failed(this).feedback("jwt-invalid-token").output(e.toString()).build();
}
}
}
}

3
src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHashAdmin.java
View File

@ -39,8 +39,7 @@ import org.springframework.web.bind.annotation.RestController;
"access-control.hash.hint9",
"access-control.hash.hint10",
"access-control.hash.hint11",
"access-control.hash.hint12",
"access-control.hash.hint13"
"access-control.hash.hint12"
})
public class MissingFunctionACYourHashAdmin extends AssignmentEndpoint {

13
src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignmentForgotPassword.java
View File

@ -48,19 +48,16 @@ public class ResetLinkAssignmentForgotPassword extends AssignmentEndpoint {
private final RestTemplate restTemplate;
private String webWolfHost;
private String webWolfPort;
private String webWolfURL;
private final String webWolfMailURL;
public ResetLinkAssignmentForgotPassword(
RestTemplate restTemplate,
@Value("${webwolf.host}") String webWolfHost,
@Value("${webwolf.port}") String webWolfPort,
@Value("${webwolf.url}") String webWolfURL,
@Value("${webwolf.mail.url}") String webWolfMailURL) {
this.restTemplate = restTemplate;
this.webWolfHost = webWolfHost;
this.webWolfPort = webWolfPort;
this.webWolfURL = webWolfURL;
this.webWolfMailURL = webWolfMailURL;
}
@ -70,12 +67,12 @@ public class ResetLinkAssignmentForgotPassword extends AssignmentEndpoint {
@RequestParam String email, HttpServletRequest request) {
String resetLink = UUID.randomUUID().toString();
ResetLinkAssignment.resetLinks.add(resetLink);
String host = request.getHeader(HttpHeaders.HOST);
String host = request.getHeader("host");
if (ResetLinkAssignment.TOM_EMAIL.equals(email)
&& (host.contains(webWolfPort)
&& host.contains(webWolfHost))) { // User indeed changed the host header.
|| host.contains(webWolfHost))) { // User indeed changed the host header.
ResetLinkAssignment.userToTomResetLink.put(getWebSession().getUserName(), resetLink);
fakeClickingLinkEmail(webWolfURL, resetLink);
fakeClickingLinkEmail(host, resetLink);
} else {
try {
sendMailToUser(email, host, resetLink);
@ -100,13 +97,13 @@ public class ResetLinkAssignmentForgotPassword extends AssignmentEndpoint {
this.restTemplate.postForEntity(webWolfMailURL, mail, Object.class);
}
private void fakeClickingLinkEmail(String webWolfURL, String resetLink) {
private void fakeClickingLinkEmail(String host, String resetLink) {
try {
HttpHeaders httpHeaders = new HttpHeaders();
HttpEntity httpEntity = new HttpEntity(httpHeaders);
new RestTemplate()
.exchange(
String.format("%s/PasswordReset/reset/reset-password/%s", webWolfURL, resetLink),
String.format("http://%s/PasswordReset/reset/reset-password/%s", host, resetLink),
HttpMethod.GET,
httpEntity,
Void.class);

3
src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookie.java
View File

@ -15,8 +15,7 @@
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source
* ==============
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/

5
src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java
View File

@ -15,8 +15,7 @@
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source
* ==============
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/
@ -28,7 +27,6 @@ import jakarta.servlet.http.HttpServletResponse;
import java.util.Map;
import org.apache.commons.lang3.StringUtils;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.owasp.webgoat.lessons.spoofcookie.encoders.EncDec;
import org.springframework.web.bind.UnsatisfiedServletRequestParameterException;
@ -46,7 +44,6 @@ import org.springframework.web.bind.annotation.RestController;
*
*/
@AssignmentHints({"spoofcookie.hint1", "spoofcookie.hint2", "spoofcookie.hint3"})
@RestController
public class SpoofCookieAssignment extends AssignmentEndpoint {

3
src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/LandingAssignment.java
View File

@ -58,8 +58,7 @@ public class LandingAssignment extends AssignmentEndpoint {
public ModelAndView openPasswordReset(HttpServletRequest request) throws URISyntaxException {
URI uri = new URI(request.getRequestURL().toString());
ModelAndView modelAndView = new ModelAndView();
modelAndView.addObject(
"webwolfLandingPageUrl", landingPageUrl.replace("//landing", "/landing"));
modelAndView.addObject("webwolfUrl", landingPageUrl);
modelAndView.addObject("uniqueCode", StringUtils.reverse(getWebSession().getUserName()));
modelAndView.setViewName("lessons/webwolfintroduction/templates/webwolfPasswordReset.html");

2
src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScripting.java
View File

@ -35,6 +35,6 @@ public class CrossSiteScripting extends Lesson {
@Override
public String getTitle() {
return "4.xss.title";
return "xss.title";
}
}

16
src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson3.java
View File

@ -15,8 +15,7 @@
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source
* ==============
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/
@ -31,9 +30,12 @@ import org.owasp.webgoat.container.assignments.AttackResult;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RestController
// @RestController
@Deprecated
// TODO This assignment seems not to be in use in the UI
// it is there to make sure the lesson can be marked complete
// in order to restore it, make it accessible through the UI and uncomment RestController
@AssignmentHints(
value = {
"xss-mitigation-3-hint1",
@ -58,9 +60,9 @@ public class CrossSiteScriptingLesson3 extends AssignmentEndpoint {
String lastNameElement =
doc.select("body > table > tbody > tr:nth-child(2) > td:nth-child(2)").first().text();
boolean includeCorrect = false;
boolean firstNameCorrect = false;
boolean lastNameCorrect = false;
Boolean includeCorrect = false;
Boolean firstNameCorrect = false;
Boolean lastNameCorrect = false;
if (include.contains("<%@")
&& include.contains("taglib")

12
src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson4.java
View File

@ -22,15 +22,20 @@
package org.owasp.webgoat.lessons.xss;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RestController
// @RestController
@Deprecated
// TODO This assignment seems not to be in use in the UI
// it is there to make sure the lesson can be marked complete
// in order to restore it, make it accessible through the UI and uncomment RestController@Slf4j
@Slf4j
@AssignmentHints(value = {"xss-mitigation-4-hint1"})
public class CrossSiteScriptingLesson4 extends AssignmentEndpoint {
@ -39,6 +44,7 @@ public class CrossSiteScriptingLesson4 extends AssignmentEndpoint {
public AttackResult completed(@RequestParam String editor2) {
String editor = editor2.replaceAll("\\<.*?>", "");
log.debug(editor);
if ((editor.contains("Policy.getInstance(\"antisamy-slashdot.xml\"")
|| editor.contains(".scan(newComment, \"antisamy-slashdot.xml\"")
@ -48,8 +54,10 @@ public class CrossSiteScriptingLesson4 extends AssignmentEndpoint {
&& editor.contains("CleanResults")
&& editor.contains("MyCommentDAO.addComment(threadID, userID")
&& editor.contains(".getCleanHTML());")) {
log.debug("true");
return success(this).feedback("xss-mitigation-4-success").build();
} else {
log.debug("false");
return failed(this).feedback("xss-mitigation-4-failed").build();
}
}

7
src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingMitigation.java
View File

@ -15,8 +15,7 @@
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source
* ==============
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/
@ -25,9 +24,7 @@ package org.owasp.webgoat.lessons.xss;
import org.owasp.webgoat.container.lessons.Category;
import org.owasp.webgoat.container.lessons.Lesson;
import org.springframework.stereotype.Component;
@Component
public class CrossSiteScriptingMitigation extends Lesson {
@Override
public Category getDefaultCategory() {
@ -36,6 +33,6 @@ public class CrossSiteScriptingMitigation extends Lesson {
@Override
public String getTitle() {
return "6.xss-mitigation.title";
return "xss-mitigation.title";
}
}

4
src/main/java/org/owasp/webgoat/lessons/xss/stored/CrossSiteScriptingStored.java
View File

@ -24,9 +24,7 @@ package org.owasp.webgoat.lessons.xss.stored;
import org.owasp.webgoat.container.lessons.Category;
import org.owasp.webgoat.container.lessons.Lesson;
import org.springframework.stereotype.Component;
@Component
public class CrossSiteScriptingStored extends Lesson {
@Override
public Category getDefaultCategory() {
@ -35,6 +33,6 @@ public class CrossSiteScriptingStored extends Lesson {
@Override
public String getTitle() {
return "5.xss-stored.title";
return "xss-stored.title";
}
}

8
src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredCrossSiteScriptingVerifier.java
View File

@ -34,15 +34,21 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
public class StoredCrossSiteScriptingVerifier extends AssignmentEndpoint {
// TODO This assignment seems not to be in use in the UI
@PostMapping("/CrossSiteScriptingStored/stored-xss-follow-up")
@ResponseBody
public AttackResult completed(@RequestParam String successMessage) {
UserSessionData userSessionData = getUserSessionData();
if (successMessage.equals(userSessionData.getValue("randValue"))) {
if (successMessage.equals(userSessionData.getValue("randValue").toString())) {
return success(this).feedback("xss-stored-callback-success").build();
} else {
return failed(this).feedback("xss-stored-callback-failure").build();
}
}
}
// something like ...
// http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere%3Cscript%3Ewebgoat.customjs.phoneHome();%3C%2Fscript%3E
// or
// http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>

2
src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredXssComments.java
View File

@ -72,6 +72,7 @@ public class StoredXssComments extends AssignmentEndpoint {
"Can you post a comment, calling webgoat.customjs.phoneHome() ?"));
}
// TODO This assignment seems not to be in use in the UI
@GetMapping(
path = "/CrossSiteScriptingStored/stored-xss",
produces = MediaType.APPLICATION_JSON_VALUE,
@ -88,6 +89,7 @@ public class StoredXssComments extends AssignmentEndpoint {
return allComments;
}
// TODO This assignment seems not to be in use in the UI
@PostMapping("/CrossSiteScriptingStored/stored-xss")
@ResponseBody
public AttackResult createNewComment(@RequestBody String commentStr) {

30
src/main/java/org/owasp/webgoat/server/StartWebGoat.java
View File

@ -31,30 +31,20 @@ import org.owasp.webgoat.webwolf.WebWolf;
import org.springframework.boot.Banner;
import org.springframework.boot.WebApplicationType;
import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.context.ApplicationContext;
@Slf4j
public class StartWebGoat {
public static void main(String[] args) {
var parentBuilder =
new SpringApplicationBuilder()
.parent(ParentConfig.class)
.web(WebApplicationType.NONE)
.bannerMode(Banner.Mode.OFF);
parentBuilder.child(WebWolf.class).web(WebApplicationType.SERVLET).run(args);
ApplicationContext webGoatContext =
parentBuilder.child(WebGoat.class).web(WebApplicationType.SERVLET).run(args);
printStartUpMessage(webGoatContext);
}
private static void printStartUpMessage(ApplicationContext webGoatContext) {
var url = webGoatContext.getEnvironment().getProperty("webgoat.url");
var sslEnabled =
webGoatContext.getEnvironment().getProperty("server.ssl.enabled", Boolean.class);
log.warn(
"Please browse to " + "{} to start using WebGoat...",
sslEnabled ? url.replace("http", "https") : url);
new SpringApplicationBuilder()
.parent(ParentConfig.class)
.web(WebApplicationType.NONE)
.bannerMode(Banner.Mode.OFF)
.child(WebGoat.class)
.web(WebApplicationType.SERVLET)
.sibling(WebWolf.class)
.bannerMode(Banner.Mode.OFF)
.web(WebApplicationType.SERVLET)
.run(args);
}
}

33
src/main/java/org/owasp/webgoat/server/StartupMessage.java Normal file
View File

@ -0,0 +1,33 @@
package org.owasp.webgoat.server;
import lombok.NoArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.boot.context.event.ApplicationReadyEvent;
import org.springframework.context.event.ContextStoppedEvent;
import org.springframework.context.event.EventListener;
import org.springframework.stereotype.Component;
import org.springframework.util.StringUtils;
@Component
@Slf4j
@NoArgsConstructor
public class StartupMessage {
private String port;
private String address;
@EventListener
void onStartup(ApplicationReadyEvent event) {
if (StringUtils.hasText(port)
&& !StringUtils.hasText(System.getProperty("running.in.docker"))) {
log.info("Please browse to http://{}:{}/WebGoat to get started...", address, port);
}
if (event.getApplicationContext().getApplicationName().contains("WebGoat")) {
port = event.getApplicationContext().getEnvironment().getProperty("server.port");
address = event.getApplicationContext().getEnvironment().getProperty("server.address");
}
}
@EventListener
void onShutdown(ContextStoppedEvent event) {}
}

65
src/main/java/org/owasp/webgoat/webwolf/FileServer.java
View File

@ -22,23 +22,20 @@
package org.owasp.webgoat.webwolf;
import static java.util.Comparator.comparing;
import static org.springframework.http.MediaType.ALL_VALUE;
import jakarta.servlet.http.HttpServletRequest;
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.attribute.FileTime;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.util.ArrayList;
import java.util.TimeZone;
import lombok.AllArgsConstructor;
import lombok.Getter;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.io.FileUtils;
import org.owasp.webgoat.webwolf.user.WebGoatUser;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.MediaType;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.GetMapping;
@ -55,18 +52,12 @@ import org.springframework.web.servlet.view.RedirectView;
@Slf4j
public class FileServer {
private static final DateTimeFormatter dateTimeFormatter =
DateTimeFormatter.ofPattern("yyyy-MM-dd HH:mm:ss");
@Value("${webwolf.fileserver.location}")
private String fileLocation;
@Value("${server.address}")
private String server;
@Value("${server.servlet.context-path}")
private String contextPath;
@Value("${server.port}")
private int port;
@ -80,11 +71,9 @@ public class FileServer {
}
@PostMapping(value = "/fileupload")
public ModelAndView importFile(
@RequestParam("file") MultipartFile myFile, Authentication authentication)
throws IOException {
String username = authentication.getName();
var destinationDir = new File(fileLocation, username);
public ModelAndView importFile(@RequestParam("file") MultipartFile myFile) throws IOException {
var user = (WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
var destinationDir = new File(fileLocation, user.getUsername());
destinationDir.mkdirs();
myFile.transferTo(new File(destinationDir, myFile.getOriginalFilename()));
log.debug("File saved to {}", new File(destinationDir, myFile.getOriginalFilename()));
@ -94,47 +83,41 @@ public class FileServer {
new ModelMap().addAttribute("uploadSuccess", "File uploaded successful"));
}
@AllArgsConstructor
@Getter
private class UploadedFile {
private final String name;
private final String size;
private final String link;
}
@GetMapping(value = "/files")
public ModelAndView getFiles(
HttpServletRequest request, Authentication authentication, TimeZone timezone) {
String username = (null != authentication) ? authentication.getName() : "anonymous";
public ModelAndView getFiles(HttpServletRequest request) {
WebGoatUser user =
(WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
String username = user.getUsername();
File destinationDir = new File(fileLocation, username);
ModelAndView modelAndView = new ModelAndView();
modelAndView.setViewName("files");
File changeIndicatorFile = new File(destinationDir, username + "_changed");
File changeIndicatorFile = new File(destinationDir, user.getUsername() + "_changed");
if (changeIndicatorFile.exists()) {
modelAndView.addObject("uploadSuccess", request.getParameter("uploadSuccess"));
}
changeIndicatorFile.delete();
record UploadedFile(String name, String size, String link, String creationTime) {}
var uploadedFiles = new ArrayList<UploadedFile>();
var uploadedFiles = new ArrayList<>();
File[] files = destinationDir.listFiles(File::isFile);
if (files != null) {
for (File file : files) {
String size = FileUtils.byteCountToDisplaySize(file.length());
String link = String.format("files/%s/%s", username, file.getName());
uploadedFiles.add(
new UploadedFile(file.getName(), size, link, getCreationTime(timezone, file)));
uploadedFiles.add(new UploadedFile(file.getName(), size, link));
}
}
modelAndView.addObject(
"files",
uploadedFiles.stream().sorted(comparing(UploadedFile::creationTime).reversed()).toList());
modelAndView.addObject("webwolf_url", "http://" + server + ":" + port + contextPath);
modelAndView.addObject("files", uploadedFiles);
modelAndView.addObject("webwolf_url", "http://" + server + ":" + port);
return modelAndView;
}
private String getCreationTime(TimeZone timezone, File file) {
try {
FileTime creationTime = (FileTime) Files.getAttribute(file.toPath(), "creationTime");
ZonedDateTime zonedDateTime = creationTime.toInstant().atZone(timezone.toZoneId());
return dateTimeFormatter.format(zonedDateTime);
} catch (IOException e) {
return "unknown";
}
}
}

8
src/main/java/org/owasp/webgoat/webwolf/MvcConfiguration.java
View File

@ -24,10 +24,8 @@ package org.owasp.webgoat.webwolf;
import jakarta.annotation.PostConstruct;
import java.io.File;
import org.owasp.webgoat.container.UserInterceptor;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
@ -57,12 +55,6 @@ public class MvcConfiguration implements WebMvcConfigurer {
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/login").setViewName("webwolf-login");
registry.addViewController("/home").setViewName("home");
registry.addViewController("/").setViewName("home");
}
@Override
public void addInterceptors(InterceptorRegistry registry) {
registry.addInterceptor(new UserInterceptor());
}
@PostConstruct

44
src/main/java/org/owasp/webgoat/webwolf/WebSecurityConfig.java
View File

@ -22,7 +22,6 @@
package org.owasp.webgoat.webwolf;
import lombok.AllArgsConstructor;
import org.owasp.webgoat.container.AjaxAuthenticationEntryPoint;
import org.owasp.webgoat.webwolf.user.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
@ -47,39 +46,16 @@ public class WebSecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
return http.authorizeHttpRequests(
auth -> {
auth.requestMatchers("/css/**", "/webjars/**", "/favicon.ico", "/js/**", "/images/**")
.permitAll();
auth.requestMatchers(
HttpMethod.GET,
"/fileupload/**",
"/files/**",
"/landing/**",
"/PasswordReset/**")
.permitAll();
auth.requestMatchers(HttpMethod.POST, "/files", "/mail", "/requests").permitAll();
auth.anyRequest().authenticated();
})
.csrf(csrf -> csrf.disable())
.formLogin(
login ->
login
.loginPage("/login")
.failureUrl("/login?error=true")
.defaultSuccessUrl("/home", true)
.usernameParameter("username")
.passwordParameter("password")
.permitAll())
.oauth2Login(
oidc -> {
oidc.defaultSuccessUrl("/home");
})
.logout(logout -> logout.deleteCookies("WEBWOLFSESSION").invalidateHttpSession(true))
.exceptionHandling(
handling ->
handling.authenticationEntryPoint(new AjaxAuthenticationEntryPoint("/login")))
.build();
http.authorizeHttpRequests(
auth -> auth.requestMatchers(HttpMethod.POST, "/fileupload").authenticated());
http.authorizeHttpRequests(
auth ->
auth.requestMatchers(HttpMethod.GET, "/files", "/mail", "/requests").authenticated());
http.authorizeHttpRequests().anyRequest().permitAll();
http.csrf().disable().formLogin().loginPage("/login").failureUrl("/login?error=true");
http.formLogin().loginPage("/login").defaultSuccessUrl("/home", true).permitAll();
http.logout().permitAll();
return http.build();
}
@Autowired

6
src/main/java/org/owasp/webgoat/webwolf/jwt/JWTToken.java
View File

@ -1,11 +1,11 @@
package org.owasp.webgoat.webwolf.jwt;
import static java.nio.charset.StandardCharsets.UTF_8;
import static org.springframework.util.Base64Utils.decodeFromUrlSafeString;
import static org.springframework.util.StringUtils.hasText;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.Base64;
import java.util.Map;
import java.util.TreeMap;
import lombok.AllArgsConstructor;
@ -103,8 +103,8 @@ public class JWTToken {
var builder = JWTToken.builder().encoded(jwt);
if (token.length >= 2) {
var header = new String(Base64.getUrlDecoder().decode(token[0]), UTF_8);
var payloadAsString = new String(Base64.getUrlDecoder().decode(token[1]), UTF_8);
var header = new String(decodeFromUrlSafeString(token[0]), UTF_8);
var payloadAsString = new String(decodeFromUrlSafeString(token[1]), UTF_8);
var headers = parse(header);
var payload = parse(payloadAsString);
builder.header(write(header, headers));

12
src/main/java/org/owasp/webgoat/webwolf/mailbox/MailboxController.java
View File

@ -25,8 +25,8 @@ package org.owasp.webgoat.webwolf.mailbox;
import java.util.List;
import lombok.RequiredArgsConstructor;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.Authentication;
import org.springframework.ui.Model;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
@ -42,16 +42,16 @@ public class MailboxController {
private final MailboxRepository mailboxRepository;
@GetMapping("/mail")
public ModelAndView mail(Authentication authentication, Model model) {
String username = (null != authentication) ? authentication.getName() : "anonymous";
public ModelAndView mail() {
UserDetails user =
(UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
ModelAndView modelAndView = new ModelAndView();
List<Email> emails = mailboxRepository.findByRecipientOrderByTimeDesc(username);
List<Email> emails = mailboxRepository.findByRecipientOrderByTimeDesc(user.getUsername());
if (emails != null && !emails.isEmpty()) {
modelAndView.addObject("total", emails.size());
modelAndView.addObject("emails", emails);
}
modelAndView.setViewName("mailbox");
model.addAttribute("username", username);
return modelAndView;
}

24
src/main/java/org/owasp/webgoat/webwolf/requests/Requests.java
View File

@ -22,6 +22,8 @@
package org.owasp.webgoat.webwolf.requests;
import static java.util.stream.Collectors.toList;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.time.Instant;
@ -31,7 +33,8 @@ import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.StringUtils;
import org.springframework.boot.actuate.web.exchanges.HttpExchange;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
@ -61,29 +64,30 @@ public class Requests {
}
@GetMapping
public ModelAndView get(Authentication authentication) {
public ModelAndView get() {
var model = new ModelAndView("requests");
String username = (null != authentication) ? authentication.getName() : "anonymous";
var user = (UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
var traces =
traceRepository.findAll().stream()
.filter(t -> allowedTrace(t, username))
traceRepository.findAllTraces().stream()
.filter(t -> allowedTrace(t, user))
.map(t -> new Tracert(t.getTimestamp(), path(t), toJsonString(t)))
.toList();
.collect(toList());
model.addObject("traces", traces);
return model;
}
private boolean allowedTrace(HttpExchange t, String username) {
private boolean allowedTrace(HttpExchange t, UserDetails user) {
HttpExchange.Request req = t.getRequest();
boolean allowed = true;
/* do not show certain traces to other users in a classroom setup */
if (req.getUri().getPath().contains("/files") && !req.getUri().getPath().contains(username)) {
if (req.getUri().getPath().contains("/files")
&& !req.getUri().getPath().contains(user.getUsername())) {
allowed = false;
} else if (req.getUri().getPath().contains("/landing")
&& req.getUri().getQuery() != null
&& req.getUri().getQuery().contains("uniqueCode")
&& !req.getUri().getQuery().contains(StringUtils.reverse(username))) {
&& !req.getUri().getQuery().contains(StringUtils.reverse(user.getUsername()))) {
allowed = false;
}
@ -91,7 +95,7 @@ public class Requests {
}
private String path(HttpExchange t) {
return t.getRequest().getUri().getPath();
return (String) t.getRequest().getUri().getPath();
}
private String toJsonString(HttpExchange t) {

55
src/main/java/org/owasp/webgoat/webwolf/requests/WebWolfTraceRepository.java
View File

@ -22,12 +22,10 @@
package org.owasp.webgoat.webwolf.requests;
import static org.owasp.webgoat.webwolf.requests.WebWolfTraceRepository.Exclusion.contains;
import static org.owasp.webgoat.webwolf.requests.WebWolfTraceRepository.Exclusion.endsWith;
import com.google.common.collect.EvictingQueue;
import java.util.ArrayList;
import java.util.List;
import lombok.extern.slf4j.Slf4j;
import org.springframework.boot.actuate.web.exchanges.HttpExchange;
import org.springframework.boot.actuate.web.exchanges.HttpExchangeRepository;
@ -38,51 +36,34 @@ import org.springframework.boot.actuate.web.exchanges.HttpExchangeRepository;
* @author nbaars
* @since 8/13/17.
*/
@Slf4j
public class WebWolfTraceRepository implements HttpExchangeRepository {
private enum MatchingMode {
CONTAINS,
ENDS_WITH,
EQUALS;
}
record Exclusion(String path, MatchingMode mode) {
public boolean matches(String path) {
return switch (mode) {
case CONTAINS -> path.contains(this.path);
case ENDS_WITH -> path.endsWith(this.path);
case EQUALS -> path.equals(this.path);
};
}
public static Exclusion contains(String exclusionPattern) {
return new Exclusion(exclusionPattern, MatchingMode.CONTAINS);
}
public static Exclusion endsWith(String exclusionPattern) {
return new Exclusion(exclusionPattern, MatchingMode.ENDS_WITH);
}
}
private final EvictingQueue<HttpExchange> traces = EvictingQueue.create(10000);
private final List<Exclusion> exclusionList =
private final List<String> exclusionList =
List.of(
contains("/tmpdir"),
contains("/home"),
endsWith("/files"),
contains("/images/"),
contains("/js/"),
contains("/webjars/"),
contains("/requests"),
contains("/css/"),
contains("/mail"));
"/tmpdir",
"/home",
"/files",
"/images/",
"/favicon.ico",
"/js/",
"/webjars/",
"/requests",
"/css/",
"/mail");
@Override
public List<HttpExchange> findAll() {
return List.of();
}
public List<HttpExchange> findAllTraces() {
return new ArrayList<>(traces);
}
private boolean isInExclusionList(String path) {
return exclusionList.stream().anyMatch(e -> e.matches(path));
return exclusionList.stream().anyMatch(e -> path.contains(e));
}
@Override

23
src/main/resources/application-webgoat.properties
View File

@ -1,12 +1,10 @@
server.error.include-stacktrace=always
server.error.path=/error.html
server.servlet.context-path=${WEBGOAT_CONTEXT:/WebGoat}
server.servlet.context-path=/WebGoat
server.servlet.session.persistent=false
server.port=${WEBGOAT_PORT:8080}
server.address=${WEBGOAT_HOST:127.0.0.1}
server.port=${webgoat.port:8080}
server.address=${webgoat.host}
webgoat.host=${WEBGOAT_HOST:127.0.0.1}
webgoat.port=${WEBGOAT_PORT:8080}
webgoat.context=${WEBGOAT_CONTEXT:/WebGoat}
spring.application.name=WebGoat
server.ssl.key-store-type=${WEBGOAT_KEYSTORE_TYPE:PKCS12}
@ -29,10 +27,9 @@ logging.level.org.thymeleaf.TemplateEngine.cache.TEMPLATE_CACHE=INFO
logging.level.org.springframework.web=INFO
logging.level.org.springframework=INFO
logging.level.org.springframework.boot.devtools=INFO
logging.level.org.owasp=INFO
logging.level.org.owasp.webgoat=INFO
logging.level.org.hidbernate.SQL=INFO
logging.level.org.owasp=DEBUG
logging.level.org.owasp.webgoat=DEBUG
logging.level.org.hidbernate.SQL=DEBUG
webgoat.server.directory=${user.home}/.webgoat-${webgoat.build.version}/
webgoat.user.directory=${user.home}/.webgoat-${webgoat.build.version}/
@ -43,12 +40,10 @@ webgoat.feedback.address=webgoat@owasp.org
webgoat.feedback.address.html=<A HREF=mailto:webgoat@owasp.org>webgoat@owasp.org</A>
webgoat.database.connection.string=jdbc:hsqldb:mem:{USER}
webgoat.default.language=en
webgoat.url=http://${server.address}:${server.port}${server.servlet.context-path}
webwolf.host=${WEBWOLF_HOST:127.0.0.1}
webwolf.port=${WEBWOLF_PORT:9090}
webwolf.context=${WEBWOLF_CONTEXT:/WebWolf}
webwolf.url=http://${WEBWOLF_HOST:127.0.0.1}:${WEBWOLF_PORT:9090}${WEBWOLF_CONTEXT:/WebWolf}
webwolf.url=http://${webwolf.host}:${webwolf.port}
webwolf.landingpage.url=${webwolf.url}/landing
webwolf.mail.url=${webwolf.url}/mail
@ -67,7 +62,3 @@ exclude.lessons=${EXCLUDE_LESSONS:none,none}
management.health.db.enabled=true
management.endpoint.health.show-details=always
management.endpoints.web.exposure.include=env, health,configprops
spring.security.oauth2.client.registration.github.client-id=${WEBGOAT_OAUTH_CLIENTID:dummy}
spring.security.oauth2.client.registration.github.client-secret=${WEBGOAT_OAUTH_CLIENTSECRET:dummy}

8
src/main/resources/application-webwolf.properties
View File

@ -1,13 +1,10 @@
server.error.include-stacktrace=always
server.error.path=/error.html
server.servlet.context-path=${webwolf.context}
server.port=${webwolf.port}
server.port=${webwolf.port:9090}
server.address=${webwolf.host}
spring.application.name=WebWolf
webwolf.host=${WEBWOLF_HOST:127.0.0.1}
webwolf.port=${WEBWOLF_PORT:9090}
webwolf.context=${WEBWOLF_CONTEXT:/WebWolf}
management.server.port=-1
server.servlet.session.cookie.name=WEBWOLFSESSION
@ -50,6 +47,3 @@ spring.jackson.serialization.write-dates-as-timestamps=false
#For static file refresh ... and faster dev :D
spring.devtools.restart.additional-paths=webwolf/src/main/resources/static/
spring.security.oauth2.client.registration.github.client-id=${WEBWOLF_OAUTH_CLIENTID:dummy}
spring.security.oauth2.client.registration.github.client-secret=${WEBWOLF_OAUTH_CLIENTSECRET:dummy}

4
src/main/resources/lessons/authbypass/html/AuthBypass.html
View File

@ -23,7 +23,7 @@
<form class="attack-form" accept-charset="UNKNOWN" id="verify-account-form"
method="POST" name="form"
successCallback="onBypassResponse"
action="auth-bypass/verify-account">
action="/WebGoat/auth-bypass/verify-account">
<p>Verify Your Account by answering the questions below:</p>
<p>What is the name of your favorite teacher?</p>
@ -43,7 +43,7 @@
<form class="attack-form" accept-charset="UNKNOWN" id="change-password-form"
method="POST" name="form"
successCallback="onBypassResponse"
action="auth-bypass/verify-account"
action="/WebGoat/auth-bypass/verify-account"
style="display:none"><!-- start off hidden -->
<p>Please provide a new password for your account</p>

2
src/main/resources/lessons/authbypass/js/bypass.js
View File

@ -9,7 +9,7 @@ var onViewProfile = function () {
console.warn("on view profile activated")
webgoat.customjs.jquery.ajax({
method: "GET",
url: "IDOR/profile",
url: "/WebGoat/IDOR/profile",
contentType: 'application/json; charset=UTF-8'
}).then(webgoat.customjs.idorViewProfile);
}

4
src/main/resources/lessons/bypassrestrictions/html/BypassRestrictions.html
View File

@ -18,7 +18,7 @@
<div class="container-fluid">
<form class="attack-form" accept-charset="UNKNOWN" name="fieldRestrictions"
method="POST"
action="BypassRestrictions/FieldRestrictions">
action="/WebGoat/BypassRestrictions/FieldRestrictions">
<div class="bypass-input-container"><b>Select field with two possible value</b>
<div class="input-group">
@ -66,7 +66,7 @@
<form class="attack-form" accept-charset="UNKNOWN" name="frontendValidation"
id="frontendValidation"
method="POST"
action="BypassRestrictions/frontendValidation"
action="/WebGoat/BypassRestrictions/frontendValidation/"
onsubmit="return validate()">
<div>
<strong>Field 1:</strong> exactly three lowercase characters(^[a-z]{3}$)

2
src/main/resources/lessons/challenges/documentation/Challenge_introduction.adoc
View File

@ -4,7 +4,7 @@
The challenges contain more a CTF like lessons where we do not provide any explanations what you need to do, no hints
will be provided. You can use these challenges in a CTF style where you can run WebGoat on one server and all
participants can join and hack the challenges. A scoreboard is available at link:scoreboard["scoreboard",window=_blank]
participants can join and hack the challenges. A scoreboard is available at link:/WebGoat/scoreboard["/WebGoat/scoreboard",window=_blank]
:hardbreaks:
In this CTF you will need to solve a couple of challenges, each challenge will give you a flag which you will

4
src/main/resources/lessons/challenges/html/Challenge1.html
View File

@ -17,7 +17,7 @@
<div class="panel-body">
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="challenge/1"
action="/WebGoat/challenge/1"
style="width: 200px;">
<div class="form-group">
@ -37,7 +37,7 @@
</div>
</div>
<form class="attack-form" method="POST" name="form" action="challenge/flag">
<form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
<div class="form-group">
<div class="input-group">
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"

4
src/main/resources/lessons/challenges/html/Challenge5.html
View File

@ -25,7 +25,7 @@
<div class="col-lg-12">
<form id="login-form" class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="challenge/5" role="form">
action="/WebGoat/challenge/5" role="form">
<div class="form-group">
<input type="text" name="username_login" id="username4" tabindex="1"
class="form-control" placeholder="Username" value=""/>
@ -66,7 +66,7 @@
</div>
</div>
<br/>
<form class="attack-form" method="POST" name="form" action="challenge/flag">
<form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
<div class="form-group">
<div class="input-group">
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"

6
src/main/resources/lessons/challenges/html/Challenge6.html
View File

@ -29,7 +29,7 @@
<div class="col-lg-12">
<form id="login-form" class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="challenge/6" role="form">
action="/WebGoat/challenge/6" role="form">
<div class="form-group">
<input type="text" name="username_login" id="username4" tabindex="1"
class="form-control" placeholder="Username" value=""/>
@ -64,7 +64,7 @@
</form>
<form id="register-form" class="attack-form" accept-charset="UNKNOWN"
method="PUT" name="form"
action="challenge/6" style="display: none;" role="form">
action="/WebGoat/challenge/6" style="display: none;" role="form">
<div class="form-group">
<input type="text" name="username_reg" id="username" tabindex="1"
class="form-control" placeholder="Username" value=""/>
@ -99,7 +99,7 @@
</div>
</div>
<br/>
<form class="attack-form" method="POST" name="form" action="challenge/flag">
<form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
<div class="form-group">
<div class="input-group">
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"

6
src/main/resources/lessons/challenges/html/Challenge7.html
View File

@ -28,7 +28,7 @@ f94008f801fceb8833a30fe56a8b26976347edcf First version of WebGoat Cloud website
<form id="login-form" class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="challenge/7" role="form">
action="/WebGoat/challenge/7" role="form">
<div class="form-group">
<div class="input-group">
@ -43,7 +43,7 @@ f94008f801fceb8833a30fe56a8b26976347edcf First version of WebGoat Cloud website
value="Reset Password" type="submit"/>
</div>
<div class="form-group">
<p>(c) 2023 WebGoat Cloud Platform</p>
<p>(c) 2017 WebGoat Cloud Platform</p>
</div>
<input type="hidden" class="hide" name="token" id="token" value=""/>
@ -57,7 +57,7 @@ f94008f801fceb8833a30fe56a8b26976347edcf First version of WebGoat Cloud website
</div>
</div>
<br/>
<form class="attack-form" method="POST" name="form" action="challenge/flag">
<form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
<div class="form-group">
<div class="input-group">
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"

2
src/main/resources/lessons/challenges/html/Challenge8.html
View File

@ -231,7 +231,7 @@
</div>
<br/>
<form class="attack-form" method="POST" name="form" action="challenge/flag">
<form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
<div class="form-group">
<div class="input-group">
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"

6
src/main/resources/lessons/chromedevtools/html/ChromeDevTools.html
View File

@ -24,7 +24,7 @@
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="DOMFollowUp"
action="ChromeDevTools/dummy">
action="/WebGoat/ChromeDevTools/dummy">
<input name="successMessage" value="" type="TEXT" />
<input name="submitMessage" value="Submit" type="SUBMIT"/>
</form>
@ -45,7 +45,7 @@
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="ChromeDevTools/network">
action="/WebGoat/ChromeDevTools/network">
<script>
// sample custom javascript in the recommended way ...
// a namespace has been assigned for it, but you can roll your own if you prefer
@ -66,7 +66,7 @@
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="ChromeDevTools/network">
action="/WebGoat/ChromeDevTools/network">
<table>
<tr>
<td>What is the number you found: </td>

4
src/main/resources/lessons/clientsidefiltering/html/ClientSideFiltering.html
View File

@ -14,7 +14,7 @@
<input type="hidden" id="user_id" value="102"/>
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
<form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form"
action="clientSideFiltering/attack1">
action="/WebGoat/clientSideFiltering/attack1">
<link rel="stylesheet" type="text/css"
th:href="@{/lesson_css/clientSideFiltering-stage1.css}"/>
<script th:src="@{/lesson_js/clientSideFiltering.js}"
@ -83,7 +83,7 @@
<div class="container-fluid">
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="clientSideFiltering/getItForFree">
action="/WebGoat/clientSideFiltering/getItForFree">
<input id="discount" type="hidden" value="0"/>
<div class="row">

14
src/main/resources/lessons/cryptography/documentation/Crypto_plan.adoc
View File

@ -14,19 +14,19 @@ endif::[]
The goal is to get familiar with the following forms of techniques:
* link:start.mvc#lesson/Cryptography.lesson/1[Encoding]
* link:start.mvc#lesson/Crypto.lesson/1[Encoding]
* link:start.mvc#lesson/Cryptography.lesson/3[Hashing]
* link:start.mvc#lesson/Crypto.lesson/3[Hashing]
* link:start.mvc#lesson/Cryptography.lesson/4[Encryption]
* link:start.mvc#lesson/Crypto.lesson/4[Encryption]
* link:start.mvc#lesson/Cryptography.lesson/5[Signing]
* link:start.mvc#lesson/Crypto.lesson/5[Signing]
* link:start.mvc#lesson/Cryptography.lesson/6[Keystores]
* link:start.mvc#lesson/Crypto.lesson/6[Keystores]
* link:start.mvc#lesson/Cryptography.lesson/7[Security defaults]
* link:start.mvc#lesson/Crypto.lesson/7[Security defaults]
* link:start.mvc#lesson/Cryptography.lesson/8[Post quantum crypto]
* link:start.mvc#lesson/Crypto.lesson/8[Post quantum crypto]
=== Assignments

18
src/main/resources/lessons/cryptography/html/Cryptography.html
View File

@ -7,10 +7,10 @@
* JavaScript to load initial assignment tokens
*/
function initialise() {
$("#sha256token").load('crypto/hashing/sha256');
$("#md5token").load('crypto/hashing/md5');
$("#basicauthtoken").load('crypto/encoding/basic');
$("#privatekey").load('crypto/signing/getprivate');
$("#sha256token").load('/WebGoat/crypto/hashing/sha256');
$("#md5token").load('/WebGoat/crypto/hashing/md5');
$("#basicauthtoken").load('/WebGoat/crypto/encoding/basic');
$("#privatekey").load('/WebGoat/crypto/signing/getprivate');
}
$(document).ready(initialise);
</script>
@ -28,7 +28,7 @@ $(document).ready(initialise);
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
Now suppose you have intercepted the following header:<br/>
<div id="basicauthtoken" ></div><br/>
<form class="attack-form" method="POST" name="form" action="crypto/encoding/basic-auth">
<form class="attack-form" method="POST" name="form" action="/WebGoat/crypto/encoding/basic-auth">
Then what was the username
<input name="answer_user" value="" type="TEXT"/>
and what was the password:
@ -45,7 +45,7 @@ $(document).ready(initialise);
<!-- 3. assignment xor -->
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" method="POST" name="form" action="crypto/encoding/xor">
<form class="attack-form" method="POST" name="form" action="/WebGoat/crypto/encoding/xor">
Suppose you found the database password encoded as {xor}Oz4rPj0+LDovPiwsKDAtOw==<br/>
What would be the actual password
<input name="answer_pwd1" value="" type="TEXT"/><br/>
@ -62,7 +62,7 @@ $(document).ready(initialise);
<!-- 4. weak hashing exercise -->
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" method="POST" name="form" action="crypto/hashing">
<form class="attack-form" method="POST" name="form" action="/WebGoat/crypto/hashing">
Which password belongs to this hash: <div id="md5token" ></div>
<input name="answer_pwd1" value="" type="TEXT"/><br/>
Which password belongs to this hash: <div id="sha256token" ></div>
@ -87,7 +87,7 @@ $(document).ready(initialise);
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
Now suppose you have the following private key:<br/>
<pre><div id="privatekey" ></div></pre><br/>
<form class="attack-form" method="POST" name="form" action="crypto/signing/verify">
<form class="attack-form" method="POST" name="form" action="/WebGoat/crypto/signing/verify">
Then what was the modulus of the public key
<input name="modulus" value="" type="TEXT"/>
and now provide a signature for us based on that modulus
@ -110,7 +110,7 @@ $(document).ready(initialise);
<!-- 8. assignment -->
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" method="POST" name="form" action="crypto/secure/defaults">
<form class="attack-form" method="POST" name="form" action="/WebGoat/crypto/secure/defaults">
What is the unencrypted message<br/>
<input name="secretText" value="" type="TEXT"/><br/>
and what is the name of the file that stored the password <br/>

12
src/main/resources/lessons/csrf/html/CSRF.html
View File

@ -17,7 +17,7 @@
method="POST" name="form1"
target="_blank"
successCallback=""
action="csrf/basic-get-flag">
action="/WebGoat/csrf/basic-get-flag">
<input name="csrf" type="hidden" value="false"/>
<input type="submit" name="submit"/>
@ -35,7 +35,7 @@
<form class="attack-form" accept-charset="UNKNOWN" id="confirm-flag-1"
method="POST" name="form2"
successCallback=""
action="csrf/confirm-flag-1">
action="/WebGoat/csrf/confirm-flag-1">
Confirm Flag Value:
<input type="text" length="6" name="confirmFlagVal" value=""/>
@ -93,7 +93,7 @@
<form class="attack-form" accept-charset="UNKNOWN" id="csrf-review"
method="POST" name="review-form"
successCallback=""
action="csrf/review">
action="/WebGoat/csrf/review">
<input class="form-control" id="reviewText" name="reviewText" placeholder="Add a Review"
type="text"/>
<input class="form-control" id="reviewStars" name="stars" type="text"/>
@ -146,7 +146,7 @@
<form class="attack-form" accept-charset="UNKNOWN" id="csrf-feedback"
method="POST"
prepareData="feedback"
action="csrf/feedback/message"
action="/WebGoat/csrf/feedback/message"
contentType="application/json">
<div class="row">
<div class="col-md-6">
@ -212,7 +212,7 @@
</div>
<form class="attack-form" accept-charset="UNKNOWN" id="confirm-flag-feedback"
method="POST" name="form2"
action="csrf/feedback">
action="/WebGoat/csrf/feedback">
Confirm Flag Value:
<input type="text" length="6" name="confirmFlagVal" value=""/>
@ -236,7 +236,7 @@
</div>
<form class="attack-form" accept-charset="UNKNOWN" id="confirm-flag-login"
method="POST" name="form2"
action="csrf/login">
action="/WebGoat/csrf/login">
Press the button below when your are logged in as the other user<br/>

2
src/main/resources/lessons/deserialization/html/InsecureDeserialization.html
View File

@ -25,7 +25,7 @@
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" name="task"
method="POST"
action="InsecureDeserialization/task">
action="/WebGoat/InsecureDeserialization/task">
<input type="textarea" rows="4" cols="40" value="" name="token" placeholder="token"/>
<input type="submit" value="Submit" />

2
src/main/resources/lessons/hijacksession/html/HijackSession.html
View File

@ -19,7 +19,7 @@
</div>
<div class="container-fluid">
<div th:insert="~{/lessons/hijacksession/templates/hijackform.html}" id="content"></div>
<div th:include="/lessons/hijacksession/templates/hijackform.html" id="content"></div>
</div>
<div class="attack-feedback"></div>

2
src/main/resources/lessons/hijacksession/templates/hijackform.html
View File

@ -1,7 +1,7 @@
<div class="row">
<div class="col-md-4">
<form class="attack-form" accept-charset="UNKNOWN" method="POST"
action="HijackSession/login">
action="/WebGoat/HijackSession/login">
<div style="padding: 20px;" id="password-login">
<h4 style="border-bottom: 1px solid #c5c5c5;">Account Access</h4>
<fieldset>

2
src/main/resources/lessons/htmltampering/html/HtmlTampering.html
View File

@ -13,7 +13,7 @@
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" id="task" name="task"
method="POST"
action="HtmlTampering/task">
action="/WebGoat/HtmlTampering/task">
<script>
var regex = /^2999.99$/;
var price = 2999.99;

4
src/main/resources/lessons/httpbasics/html/HttpBasics.html
View File

@ -21,7 +21,7 @@
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="HttpBasics/attack1">
action="/WebGoat/HttpBasics/attack1">
<div id="lessonContent">
<form accept-charset="UNKNOWN" method="POST" name="form"
action="#attack/307/100">
@ -51,7 +51,7 @@
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="HttpBasics/attack2">
action="/WebGoat/HttpBasics/attack2">
<script>
// sample custom javascript in the recommended way ...
// a namespace has been assigned for it, but you can roll your own if you prefer

2
src/main/resources/lessons/httpproxies/html/HttpProxies.html
View File

@ -24,7 +24,7 @@
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" name="intercept-request"
method="POST"
action="HttpProxies/intercept-request">
action="/WebGoat/HttpProxies/intercept-request">
<input type="text" value="doesn't matter really" name="changeMe" />
<input type="submit" value="Submit" />

10
src/main/resources/lessons/idor/html/IDOR.html
View File

@ -22,7 +22,7 @@
<!-- modify the action to point to the intended endpoint -->
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="IDOR/login">
action="/WebGoat/IDOR/login">
<table>
<tr>
<td>user/pass</td>
@ -57,7 +57,7 @@
<!-- modify the action to point to the intended endpoint -->
<form class="attack-form" accept-charset="UNKNOWN"
method="GET" name="form"
action="IDOR/profile">
action="/WebGoat/IDOR/profile">
<script th:src="@{/lesson_js/idor.js}" />
<input name="View Profile" value="View Profile" type="button" onclick="onViewProfile();" />
@ -107,7 +107,7 @@
<!-- modify the action to point to the intended endpoint -->
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="IDOR/profile/alt-path">
action="/WebGoat/IDOR/profile/alt-path">
<div class="adoc-content" th:replace="~{doc:lessons/idor/documentation/IDOR_inputAltPath.adoc}"></div>
<input name="url" value="WebGoat/" type="text"/>
<input name="submit" value="Submit" type="SUBMIT"/>
@ -134,7 +134,7 @@
<!-- modify the action to point to the intended endpoint -->
<form class="attack-form" accept-charset="UNKNOWN" id="view-other"
method="GET" name="view-other-profile"
action="IDOR/profile/{userId}">
action="/WebGoat/IDOR/profile/{userId}">
<script th:src="@{/lesson_js/idor.js}" />
<input name="View Profile" value="View Profile" type="submit" />
@ -158,7 +158,7 @@
<!-- modify the action to point to the intended endpoint -->
<form class="attack-form" accept-charset="UNKNOWN" id="edit-other"
method="GET" name="edit-other-profile"
action="IDOR/profile/{userId}">
action="/WebGoat/IDOR/profile/{userId}">
<script th:src="@{/lesson_js/idor.js}" />
<input name="View Profile" value="View Profile" type="submit" />

2
src/main/resources/lessons/idor/i18n/WebGoatLabels.properties
View File

@ -27,7 +27,7 @@ idor.diff.failure=Try again. Look in your browser dev tools or Proxy and compare
idor.edit.profile.success1=Well done, you have modified someone else's profile (as displayed below)
idor.edit.profile.success2=Good work! View the updated profile below
idor.edit.profile.failure1=Close ... you've got the technique. Now try for a lower role number
idor.edit.profile.failure2=Close ... you've got the technique. Now change the color in their profile to red.
idor.edit.profile.failure2=Close ... you've got the technique. Now change the color in their profile to red.)
idor.edit.profile.failure3=Try again. Use the hints if you need to.
idor.edit.profile.failure4=Modifying your own profile is good, but we want to do this to Buffalo Bill's profile.

2
src/main/resources/lessons/idor/js/idor.js
View File

@ -12,7 +12,7 @@ var onViewProfile = function () {
console.warn("on view profile activated")
webgoat.customjs.jquery.ajax({
method: "GET",
url: "IDOR/profile",
url: "/WebGoat/IDOR/profile",
contentType: 'application/json; charset=UTF-8'
}).then(webgoat.customjs.idorViewProfile);
}

Some files were not shown because too many files have changed in this diff Show More