dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: dubey:v8.0.0.M10
Branches Tags
dubey:main dubey:nbaars/refactor-plugin-message dubey:nbaars/1873 dubey:nbaars/build dubey:lang-es dubey:gh-1165 dubey:gh-1329 dubey:develop dubey:label-hint-tests dubey:helm-webgoat dubey:helm
dubey:v2025.3 dubey:v2025.2 dubey:v2025.1 dubey:v2025.0 dubey:v2023.8 dubey:v2023.7 dubey:v2023.6 dubey:v2023.5 dubey:v2023.4 dubey:v2023.04 dubey:v2023.3 dubey:v2023.2 dubey:v2023.1 dubey:v2023.0 dubey:v8.2.2 dubey:v8.2.1 dubey:v8.2.0 dubey:vtest10 dubey:vtest9 dubey:vtest8 dubey:vtest7 dubey:vtest6 dubey:vtest5 dubey:vtest4 dubey:vtest3 dubey:vtest2 dubey:vtest1 dubey:vtest dubey:test-v19 dubey:test-v18 dubey:test-v17 dubey:test-v16 dubey:test-v15 dubey:test-v14 dubey:test-v13 dubey:test-v12 dubey:test-v11 dubey:test-v10 dubey:test-v9 dubey:test-v8 dubey:test-v7 dubey:test-v6 dubey:test-v5 dubey:test-v4 dubey:test-v3 dubey:test-v2 dubey:test-v1.0 dubey:v8.1.0 dubey:v8.0.0.M26 dubey:v8.0.0.M25 dubey:v8.0.0.M24 dubey:v8.0.0.M23 dubey:v8.0.0.M22 dubey:v8.0.0.M21 dubey:v8.0.0.M20 dubey:v8.0.0.M19 dubey:v8.0.0.M18 dubey:v8.0.0.M17 dubey:v8.0.0.M16 dubey:v8.0.0 dubey:v8.0.0.M15 dubey:v8.0.0.M14 dubey:v8.0.0.M13 dubey:v8.0.0.M12 dubey:v8.0.0.M11 dubey:v8.0.0.M10 dubey:v8.0.0.M9 dubey:v8.0.0.M8 dubey:8.0.0 dubey:v8.0.0.M7 dubey:v8.0.0.M6 dubey:v8.0.0.M5 dubey:v8.0.0.M4 dubey:v8.0.0.M3 dubey:v8.0.0.M2 dubey:v8.0.0.M1 dubey:7.1 dubey:7.0.1
...
compare: dubey:v8.0.0.M17
Branches Tags
dubey:main dubey:nbaars/refactor-plugin-message dubey:nbaars/1873 dubey:nbaars/build dubey:lang-es dubey:gh-1165 dubey:gh-1329 dubey:develop dubey:label-hint-tests dubey:helm-webgoat dubey:helm
dubey:v2025.3 dubey:v2025.2 dubey:v2025.1 dubey:v2025.0 dubey:v2023.8 dubey:v2023.7 dubey:v2023.6 dubey:v2023.5 dubey:v2023.4 dubey:v2023.04 dubey:v2023.3 dubey:v2023.2 dubey:v2023.1 dubey:v2023.0 dubey:v8.2.2 dubey:v8.2.1 dubey:v8.2.0 dubey:vtest10 dubey:vtest9 dubey:vtest8 dubey:vtest7 dubey:vtest6 dubey:vtest5 dubey:vtest4 dubey:vtest3 dubey:vtest2 dubey:vtest1 dubey:vtest dubey:test-v19 dubey:test-v18 dubey:test-v17 dubey:test-v16 dubey:test-v15 dubey:test-v14 dubey:test-v13 dubey:test-v12 dubey:test-v11 dubey:test-v10 dubey:test-v9 dubey:test-v8 dubey:test-v7 dubey:test-v6 dubey:test-v5 dubey:test-v4 dubey:test-v3 dubey:test-v2 dubey:test-v1.0 dubey:v8.1.0 dubey:v8.0.0.M26 dubey:v8.0.0.M25 dubey:v8.0.0.M24 dubey:v8.0.0.M23 dubey:v8.0.0.M22 dubey:v8.0.0.M21 dubey:v8.0.0.M20 dubey:v8.0.0.M19 dubey:v8.0.0.M18 dubey:v8.0.0.M17 dubey:v8.0.0.M16 dubey:v8.0.0 dubey:v8.0.0.M15 dubey:v8.0.0.M14 dubey:v8.0.0.M13 dubey:v8.0.0.M12 dubey:v8.0.0.M11 dubey:v8.0.0.M10 dubey:v8.0.0.M9 dubey:v8.0.0.M8 dubey:8.0.0 dubey:v8.0.0.M7 dubey:v8.0.0.M6 dubey:v8.0.0.M5 dubey:v8.0.0.M4 dubey:v8.0.0.M3 dubey:v8.0.0.M2 dubey:v8.0.0.M1 dubey:7.1 dubey:7.0.1

79 Commits
v8.0.0.M10 ... v8.0.0.M17

Author SHA1 Message Date
Nanne Baars
9af0054b5b Merge branch 'release/v8.0.0.M17' 2018-05-30 20:54:18 +02:00
Nanne Baars
26aa72e721 New release 2018-05-30 20:54:13 +02:00
Nanne Baars
c510bd9bf1 New develop version 2018-05-30 20:37:25 +02:00
Nanne Baars
6bf853d953 Merge tag 'v8.0.0.M16' into develop 
New release
 2018-05-30 20:35:56 +02:00
Nanne Baars
b298440985 Merge branch 'release/v8.0.0.M16' 2018-05-30 20:35:22 +02:00
Nanne Baars
c7a714a590 Move to next release 2018-05-30 17:05:50 +02:00
Nanne Baars
93620f148b Remove challenges which are also incorporated in the lessons themselves 2018-05-30 16:46:50 +02:00
Nanne Baars
ecb7688e08 Update to new version for develop 
Move WebWolf to port 9090 easier since most of the time something is running on 8081
Add scripts for easy building Docker files etc
 2018-05-30 13:17:05 +02:00
Nanne Baars
0de784eb32 Update README and simply the java command to one with optional arguments 2018-05-29 22:16:29 +02:00
Nanne Baars
4691bc5fd5 Extended proxy lesson with Edit and Resend and explained how to exclude WebGoat internal calls from proxying 2018-05-29 21:30:13 +02:00
Nanne Baars
fc2c99bcb4 Limit the username to letters and digits only 2018-05-29 16:16:52 +02:00
Nanne Baars
7292a577e3 Only do a release when we build master and have a tagged the release 2018-05-29 15:20:07 +02:00
Nanne Baars
396c1c1d47 Update order of starting WebGoat 2018-05-29 15:16:29 +02:00
Nanne Baars
2911788679 Merge tag 'v8.0.0' into develop 
Release v8.0.0
 2018-05-29 14:59:32 +02:00
Nanne Baars
985148ede3 Merge branch 'release/v8.0.0' 2018-05-29 14:59:07 +02:00
MaDuck
9587550bc5 Fixed column name on sql injection lesson 7 2018-05-29 14:42:22 +02:00
MaDuck
9a0995dae5 Fixed column name on sql injection lesson 6 2018-05-29 14:42:02 +02:00
Nanne Baars
4e07e0ebfa Fix links to open new browser tab 2018-05-29 14:04:33 +02:00
Nanne Baars
6e95fdfe56 Adjusted documentation 2018-05-29 13:33:52 +02:00
Nanne Baars
e045bc692d Buying page also calculates the prices 
Product image added
 2018-05-29 12:47:27 +02:00
Nanne Baars
589872ad47 Fix for JWT assignment 1 log in now works again. 
Reset button only triggers reset when admin is set to true in the token
 2018-05-29 11:20:40 +02:00
Nanne Baars
5f4889cefe Clicking link in first password reset link only switched back and forward 2018-05-29 09:29:50 +02:00
Nanne Baars
55793dd153 New release v8.0.0.M15 2018-05-27 20:54:50 +02:00
Nanne Baars
1edceb0aa8 Extended and fixed some lessons 2018-05-27 20:37:44 +02:00
Nanne Baars
d2b6725f3b Moved challenge2 to client-side-filtering as final assignment 2018-05-27 12:41:52 +02:00
Nanne Baars
6e003bc088 Working last password assignment 2018-05-26 18:48:48 +02:00
Nanne Baars
f8a7a61e85 New lesson working 2018-05-26 15:09:18 +02:00
Nanne Baars
eaf68d38c5 Initial commit for password reset lesson 2018-05-25 14:27:45 +02:00
Nanne Baars
8d7ecb19d7 Added testcases for all JWT endpoints 2018-05-23 14:28:19 +02:00
Nanne Baars
e0cf5b4a84 Removed under construction from JWT lesson 2018-05-23 14:28:19 +02:00
Nanne Baars
5b524d3a94 Added more unit tests 2018-05-23 14:28:19 +02:00
Nanne Baars
dda6f674a3 Last assignment for JWT tokens finished 2018-05-23 14:28:19 +02:00
Nanne Baars
e06d4642eb Fix error in testcase 2018-05-23 14:28:19 +02:00
Nanne Baars
4a8fdcf887 Fix content-type for login (gives error in console of browser) 2018-05-23 14:28:19 +02:00
Nanne Baars
fd96ba18f1 Added test cases for solving the lesson 2018-05-23 14:28:19 +02:00
Nanne Baars
60ef35e241 Working lesson 2018-05-23 14:28:19 +02:00
Nanne Baars
9d7886d572 More JWT work 2018-05-23 14:28:19 +02:00
Nanne Baars
7a0820bf89 WIP 2018-05-23 14:28:19 +02:00
Nanne Baars
ea9c1a453d Initial version for JWT 2018-05-23 14:28:19 +02:00
Ryan Thomas
63ca11a1bb Change WebWolf to WebGoat 
The links for the WebGoat download were mislabeled as WebWolf
 2018-05-23 14:07:32 +02:00
Nanne Baars
5378d72600 Change version in pom.xml 2018-05-23 14:04:21 +02:00
Jose Selvi
93d6d0e6b7 Added lesson texts 2018-05-23 13:58:37 +02:00
Jose Selvi
84860e65f6 Insecure Deserialization exercise 2018-05-23 13:58:03 +02:00
Jason
a73bf58d36 more hintview patching 2018-05-23 13:35:51 +02:00
Jason
0ff6000511 wiring jqueryui to vuln jquery #368 2018-05-23 13:35:51 +02:00
Jason
91d9db5f80 work-arounds, fixes for page initialization and some clean-up 2018-05-23 13:35:51 +02:00
Jason
ac1b9e8311 cleanup that was missed in prev. commit 2018-05-23 13:35:51 +02:00
Jason
9d49373486 fix for periodic fail on StoredXssCommentsTest 2018-05-23 13:35:51 +02:00
Nick Smith
ead78d40e6 Chore - fix spelling issues 2018-05-23 13:35:51 +02:00
xanderhades
7b5bb6d6f1 Fixed typos 2018-05-23 13:35:51 +02:00
Nitish
408a637649 Update HttpBasics_ProxyIntro0.adoc 
Fixed typo, Actual : "wihtin" , Expected :  "within"
 2018-05-23 13:35:51 +02:00
Nanne Baars
6cf96f971d Fix typo 2018-05-11 15:14:11 +02:00
TimDG
0b9a027c19 Fix some minor grammatical issues. 2018-05-11 15:13:30 +02:00
pjhggns
6a5ca43e7e Strip out slash-escaped JSON sequence received in client. 
The server will slash-escape some JSON related characters before sending. Need to strip them out before using, on the client side.
 2018-05-02 22:21:22 +02:00
miig
5d28ef9fbe small fix for CSRF content type lesson descrption 2018-05-02 22:10:06 +02:00
miig
9aa674e326 stringfy object so it's visible in the console 2018-05-02 22:04:25 +02:00
Nanne Baars
84e3fcde07 Added .sonatype (author: @maurycupitt) 2018-05-02 21:34:17 +02:00
Nanne Baars
6209b3fe8d Updated lesson for starting WebWolf as a Docker container 2018-05-02 21:25:44 +02:00
Nanne Baars
a1db8e8bd9 Added documentation how to mount the data directory of WebGoat running in Docker to your host system. 2018-05-02 09:29:52 +02:00
Nanne Baars
6b4a488c8c Users shared now between WebGoat and WebWolf by starting HSQLDB 
as standalone database
 2018-05-01 22:00:07 +02:00
Nanne Baars
0e160c19f5 Docker-compose for postgres and hsqldb 2018-05-01 21:58:43 +02:00
Nanne Baars
8050a2b56d XXE lesson not showing correct link for WebWolf 2018-05-01 21:54:28 +02:00
Nanne Baars
11ffa5702c Added "WebWolf" enabled to the lessons which support the usage of WebWolf 2018-04-29 15:02:19 +02:00
Nanne Baars
32927c8109 Bumped Spring Boot version 2018-04-28 16:02:09 +02:00
Nanne Baars
8b8a89a8ab Add extra informational message when a failure occurs while sending an email from WebGoat to WebWolf. 2018-04-28 16:01:57 +02:00
Nanne Baars
e4ca0c4836 Make report working again 2018-04-27 19:26:01 +02:00
Nanne Baars
e422da4c64 Polling for lesson updates (updates the menu and page navigation) 2018-04-27 18:50:13 +02:00
Nanne Baars
76daac0db5 Label was missing for HTTP basic lesson 2018-04-27 11:29:52 +02:00
Nanne Baars
245ba2c3d1 Fix XXE lesson, the exact .webgoat directory including version number will be put in the lesson. 2018-04-24 20:44:05 +02:00
Nanne Baars
672d78eebc Resource bundle in UTF-8 2018-04-23 16:12:50 +02:00
Nanne Baars
f4eb96fc6a Add additional remark WebWolf should be running if interaction is necessary 2018-04-23 11:32:07 +02:00
Nanne Baars
46fedf3764 Fix for Docker command to start WebWolf 2018-04-23 11:20:25 +02:00
Nanne Baars
f30db3abfc New version number 2018-04-11 20:45:12 +02:00
Nanne Baars
58d4b81df2 Wrong image name mentioned in lesson for WebWolf 2018-04-11 20:22:19 +02:00
Nick Smith
a922c00182 Chore - fix spelling issues 2018-02-15 20:12:53 +00:00
nbaars
2ae1b4955f By default binds to ALL network interfaces #431 
Fix for Docker not binding to any address by default
 2018-01-30 07:18:05 +01:00
xanderhades
f21fe7f2c3 Fixed typos 2018-01-30 05:49:51 +00:00
Nitish
3cd349bb4b Update HttpBasics_ProxyIntro0.adoc 
Fixed typo, Actual : "wihtin" , Expected :  "within"
 2018-01-23 18:01:42 +00:00
nbaars
e3e7ed004f Not making a Docker release is we build develop (putting a tag will create a release which is more a controlled/intuitive way to make a release to Docker) 2018-01-02 22:19:49 +01:00
238 changed files with 3760 additions and 1713 deletions
Expand all files Collapse all files

4
.gitignore vendored
View File

@ -42,3 +42,7 @@ webgoat-lessons/**/target
**/.DS_Store **/.DS_Store
webgoat-server/mongo-data/* webgoat-server/mongo-data/*
webgoat-lessons/vulnerable-components/dependency-reduced-pom.xml webgoat-lessons/vulnerable-components/dependency-reduced-pom.xml
**/.sts4-cache/*
**/.vscode/*
/.sonatype

4
CREATE_RELEASE.MD
View File

@ -20,8 +20,8 @@ git flow release publish
Now we can make a new release, be sure you committed all your changes. Now we can make a new release, be sure you committed all your changes.
``` ```
git tag v8.0.0.M3 git tag v8.0.0.M15
git push origin v8.0.0.M3 git push origin v8.0.0.M15
``` ```
Now Travis takes over and will create the release in Github and on Docker Hub. Now Travis takes over and will create the release in Github and on Docker Hub.

43
README.MD
View File

@ -29,7 +29,18 @@ first thing that all hackers claim.*
# Run Instructions: # Run Instructions:
## 1. Run using Docker ## 1. Standalone
Download the latest WebGoat release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
```Shell
java -jar webgoat-server-<<version>>.jar [--server.port=8080] [--server.address=localhost]
```
By default WebGoat starts on port 8080 with `--server.port` you can specify a different port. With `server.address` you
can bind it to a different address (default localhost)
## 2. Run using Docker
From time to time we publish a new development preview of WebGoat 8 on Docker HUB, you can download this version From time to time we publish a new development preview of WebGoat 8 on Docker HUB, you can download this version
[https://hub.docker.com/r/webgoat/webgoat-8.0/](https://hub.docker.com/r/webgoat/webgoat-8.0/). [https://hub.docker.com/r/webgoat/webgoat-8.0/](https://hub.docker.com/r/webgoat/webgoat-8.0/).
@ -40,6 +51,15 @@ docker pull webgoat/webgoat-8.0
docker run -p 8080:8080 -it webgoat/webgoat-8.0 /home/webgoat/start.sh docker run -p 8080:8080 -it webgoat/webgoat-8.0 /home/webgoat/start.sh
``` ```
If you want to keep the database between Docker sessions you need to map the WebGoat data directory to a
folder on the host system as follows:
```Shell
docker run -p 8080:8080 -it -v /tmp/webgoat-data:/home/webgoat/.webgoat-${VERSION} webgoat/webgoat-8.0 /home/webgoat/start.sh
```
where `${VERSION}` is for example `v8.0.0.M14`. The data will now be stored in `/tmp/webgoat-data` on your host system.
Wait for the Docker container to start, and run `docker ps` to verify it's running. Wait for the Docker container to start, and run `docker ps` to verify it's running.
- If you are using `docker-machine`, verify the machine IP using `docker-machine env` - If you are using `docker-machine`, verify the machine IP using `docker-machine env`
@ -56,27 +76,6 @@ Here you'll be able to register a new user and get started.
_Please note: this version may not be completely in sync with the develop branch._ _Please note: this version may not be completely in sync with the develop branch._
## 2. Standalone
Download the latest WebWolf release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
```Shell
java -jar webgoat-server-<<version>>.jar
```
By default WebGoat starts at port 8080 in order to change this use the following property:
```Shell
java -jar webgoat-server-<<version>>.jar --server.port=9090
```
You can specify one of the following arguments when starting WebGoat:
```Shell
java -jar webgoat-server-<<version>>.jar --server.port=9090 --server.address=x.x.x.x
```
This will start WebGoat on a different port and/or different address.
## 3. Run from the sources ## 3. Run from the sources

36
docker-compose-postgres.yml Normal file
View File

@ -0,0 +1,36 @@
version: '2.0'
services:
webgoat:
image: webgoat/webgoat-8.0
user: webgoat
environment:
- WEBWOLF_HOST=webwolf
- WEBWOLF_PORT=9090
- spring.datasource.url=jdbc:postgresql://webgoat_db:5432/webgoat
- spring.datasource.username=webgoat
- spring.datasource.password=webgoat
- spring.datasource.driver-class-name=org.postgresql.Driver
- spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL94Dialect
ports:
- "8080:8080"
webwolf:
image: webgoat/webwolf
environment:
- spring.datasource.url=jdbc:postgresql://webgoat_db:5432/webgoat
- spring.datasource.username=webgoat
- spring.datasource.password=webgoat
- spring.datasource.driver-class-name=org.postgresql.Driver
- spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL94Dialect
ports:
- "9090:9090"
db:
container_name: webgoat_db
image: postgres:latest
environment:
- POSTGRES_PASSWORD=webgoat
- POSTGRES_USER=webgoat
- POSTGRES_DB=webgoat
ports:
- "5432:5432"

30
docker-compose.yml
View File

@ -1,15 +1,29 @@
version: '2.0' version: '2.1'
services: services:
webgoat: webgoat:
build: webgoat-server/ image: webgoat/webgoat-8.0
command: "sh /home/webgoat/start.sh" environment:
- WEBWOLF_HOST=webwolf
- WEBWOLF_PORT=9090
- spring.datasource.url=jdbc:hsqldb:hsql://webgoat_db:9001/webgoat
ports: ports:
- "8080:8080" - "8080:8080"
webwolf:
build: webwolf/
command: "sh /home/webwolf/start.sh"
depends_on: depends_on:
- webgoat - db
webwolf:
image: webgoat/webwolf
environment:
- spring.datasource.url=jdbc:hsqldb:hsql://webgoat_db:9001/webgoat
ports: ports:
- "8081:8081" - "9090:9090"
depends_on:
- db
db:
image: blacklabelops/hsqldb
container_name: webgoat_db
environment:
- HSQLDB_TRACE=false
- HSQLDB_SILENT=true
- HSQLDB_DATABASE_NAME=webgoat
- HSQLDB_DATABASE_ALIAS=webgoat

31
pom.xml
View File

@ -1,11 +1,12 @@
<?xml version="1.0"?> <?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion> <modelVersion>4.0.0</modelVersion>
<groupId>org.owasp.webgoat</groupId> <groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-parent</artifactId> <artifactId>webgoat-parent</artifactId>
<packaging>pom</packaging> <packaging>pom</packaging>
<version>8.0.0.M3</version> <version>v8.0.0.M17</version>
<name>WebGoat Parent Pom</name> <name>WebGoat Parent Pom</name>
<description>Parent Pom for the WebGoat Project. A deliberately insecure Web Application</description> <description>Parent Pom for the WebGoat Project. A deliberately insecure Web Application</description>
@ -20,7 +21,7 @@
<parent> <parent>
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId> <artifactId>spring-boot-starter-parent</artifactId>
<version>1.5.9.RELEASE</version> <version>1.5.12.RELEASE</version>
</parent> </parent>
<licenses> <licenses>
@ -53,17 +54,17 @@
<developer> <developer>
<id>jwayman</id> <id>jwayman</id>
<name>Jeff Wayman</name> <name>Jeff Wayman</name>
<email /> <email/>
</developer> </developer>
<developer> <developer>
<id>dcowden</id> <id>dcowden</id>
<name>Dave Cowden</name> <name>Dave Cowden</name>
<email /> <email/>
</developer> </developer>
<developer> <developer>
<id>lawson89</id> <id>lawson89</id>
<name>Richard Lawson</name> <name>Richard Lawson</name>
<email /> <email/>
</developer> </developer>
<developer> <developer>
<id>dougmorato</id> <id>dougmorato</id>
@ -92,8 +93,8 @@
<url>https://github.com/WebGoat/WebGoat</url> <url>https://github.com/WebGoat/WebGoat</url>
<connection>scm:git:git@github.com:WebGoat/WebGoat.git</connection> <connection>scm:git:git@github.com:WebGoat/WebGoat.git</connection>
<developerConnection>scm:git:git@github.com:WebGoat/WebGoat.git</developerConnection> <developerConnection>scm:git:git@github.com:WebGoat/WebGoat.git</developerConnection>
<tag>HEAD</tag> <tag>HEAD</tag>
</scm> </scm>
<issueManagement> <issueManagement>
<system>Github Issues</system> <system>Github Issues</system>
@ -135,7 +136,7 @@
<gatling-plugin.version>2.2.4</gatling-plugin.version> <gatling-plugin.version>2.2.4</gatling-plugin.version>
<guava.version>18.0</guava.version> <guava.version>18.0</guava.version>
<h2.version>1.4.190</h2.version> <h2.version>1.4.190</h2.version>
<hsqldb.version>2.3.2</hsqldb.version> <hsqldb.version>2.3.4</hsqldb.version>
<j2h.version>1.3.1</j2h.version> <j2h.version>1.3.1</j2h.version>
<jackson-core.version>2.6.3</jackson-core.version> <jackson-core.version>2.6.3</jackson-core.version>
<jackson-databind.version>2.6.3</jackson-databind.version> <jackson-databind.version>2.6.3</jackson-databind.version>
@ -202,7 +203,7 @@
<profiles> <profiles>
<profile> <profile>
<id>release</id> <id>release</id>
<dependencies> <dependencies>
<dependency> <dependency>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>dist</artifactId> <artifactId>dist</artifactId>
@ -214,7 +215,7 @@
</dependencies> </dependencies>
<build> <build>
<plugins> <plugins>
<plugin> <plugin>
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId> <artifactId>maven-dependency-plugin</artifactId>
<executions> <executions>
@ -225,7 +226,9 @@
</goals> </goals>
<phase>generate-resources</phase> <phase>generate-resources</phase>
<configuration> <configuration>
<outputDirectory>${project.basedir}/webgoat-container/src/main/webapp/plugin_lessons</outputDirectory> <outputDirectory>
${project.basedir}/webgoat-container/src/main/webapp/plugin_lessons
</outputDirectory>
<includeArtifactIds>dist</includeArtifactIds> <includeArtifactIds>dist</includeArtifactIds>
<includes>*.jar</includes> <includes>*.jar</includes>
</configuration> </configuration>
@ -324,7 +327,7 @@
<artifactId>coveralls-maven-plugin</artifactId> <artifactId>coveralls-maven-plugin</artifactId>
<version>${coveralls-maven-plugin.version}</version> <version>${coveralls-maven-plugin.version}</version>
<configuration> <configuration>
<repoToken /> <repoToken/>
</configuration> </configuration>
</plugin> </plugin>
<plugin> <plugin>
@ -332,7 +335,7 @@
<artifactId>cobertura-maven-plugin</artifactId> <artifactId>cobertura-maven-plugin</artifactId>
<version>${cobertura-maven-plugin.version}</version> <version>${cobertura-maven-plugin.version}</version>
<configuration> <configuration>
<check /> <check/>
<format>xml</format> <format>xml</format>
<maxmem>256m</maxmem> <maxmem>256m</maxmem>
<!-- aggregated reports for multi-module projects --> <!-- aggregated reports for multi-module projects -->

32
scripts/build-all.sh Normal file
View File

@ -0,0 +1,32 @@
#!/usr/bin/env bash
cd ..
nc -zv 127.0.0.1 8080 2>/dev/null
SUCCESS=$?
nc -zv 127.0.0.1 9090 2>/dev/null
SUCCESS=${SUCCESS}$?
if [[ "${SUCCESS}" -eq 00 ]] ; then
echo "WebGoat and or WebWolf are still running, please stop them first otherwise unit tests might fail!"
exit 127
fi
#mvn clean install
#if [[ "$?" -ne 0 ]] ; then
# exit y$?
#fi
cd -
sh build_docker.sh
echo "Do you want to run docker-compose?"
while true; do
read -p "Do you want to run docker-compose?" yn
case ${yn} in
[Yy]* ) sh clean-run-docker-compose.sh; break;;
[Nn]* ) exit;;
* ) echo "Please answer yes or no.";;
esac
done

10
scripts/build_docker.sh Normal file
View File

@ -0,0 +1,10 @@
#!/bin/bash
WEBGOAT_HOME=$(pwd)/../
cd ${WEBGOAT_HOME}/webgoat-server
docker build -t webgoat/webgoat-8.0 .
cd ${WEBGOAT_HOME}/webwolf
docker build -t webgoat/webwolf .

5
scripts/clean-run-docker-compose.sh Normal file
View File

@ -0,0 +1,5 @@
#!/usr/bin/env bash
cd ..
docker-compose rm -f
docker-compose up

26
scripts/deploy-webgoat.sh
View File

@ -10,13 +10,31 @@ if [ "${BRANCH}" == "master" ] && [ ! -z "${TRAVIS_TAG}" ]; then
# If we push a tag to master this will update the LATEST Docker image and tag with the version number # If we push a tag to master this will update the LATEST Docker image and tag with the version number
docker build --build-arg webgoat_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:latest -t $REPO:${TRAVIS_TAG} . docker build --build-arg webgoat_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:latest -t $REPO:${TRAVIS_TAG} .
docker push $REPO docker push $REPO
elif [ ! -z "${TRAVIS_TAG}" ]; then #elif [ ! -z "${TRAVIS_TAG}" ]; then
# Creating a tag build we push it to Docker with that tag # # Creating a tag build we push it to Docker with that tag
docker build --build-arg webgoat_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:${TRAVIS_TAG} -t $REPO:latest . # docker build --build-arg webgoat_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:${TRAVIS_TAG} -t $REPO:latest .
docker push $REPO # docker push $REPO
#elif [ "${BRANCH}" == "develop" ]; then #elif [ "${BRANCH}" == "develop" ]; then
# docker build -f Dockerfile -t $REPO:snapshot . # docker build -f Dockerfile -t $REPO:snapshot .
# docker push $REPO # docker push $REPO
else else
echo "Skipping releasing to DockerHub because it is a build of branch ${BRANCH}" echo "Skipping releasing to DockerHub because it is a build of branch ${BRANCH}"
fi fi
export REPO=webgoat/webwolf
cd ..
cd webwolf
ls target/
if [ "${BRANCH}" == "master" ] && [ ! -z "${TRAVIS_TAG}" ]; then
# If we push a tag to master this will update the LATEST Docker image and tag with the version number
docker build --build-arg webwolf_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:latest -t $REPO:${TRAVIS_TAG} .
docker push $REPO
elif [ ! -z "${TRAVIS_TAG}" ]; then
# Creating a tag build we push it to Docker with that tag
docker build --build-arg webwolf_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:${TRAVIS_TAG} -t $REPO:latest .
docker push $REPO
else
echo "Skipping releasing to DockerHub because it is a build of branch ${BRANCH}"
fi

4
scripts/run-docker-compose.sh Normal file
View File

@ -0,0 +1,4 @@
#!/usr/bin/env bash
cd ..
docker-compose up

2
webgoat-container/pom.xml
View File

@ -10,7 +10,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat</groupId> <groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-parent</artifactId> <artifactId>webgoat-parent</artifactId>
<version>8.0.0.M3</version> <version>v8.0.0.M17</version>
</parent> </parent>
<profiles> <profiles>

2
webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java
View File

@ -35,6 +35,7 @@ import com.google.common.collect.Sets;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.asciidoctor.Asciidoctor; import org.asciidoctor.Asciidoctor;
import org.asciidoctor.extension.JavaExtensionRegistry; import org.asciidoctor.extension.JavaExtensionRegistry;
import org.owasp.webgoat.asciidoc.WebGoatVersionMacro;
import org.owasp.webgoat.asciidoc.WebWolfMacro; import org.owasp.webgoat.asciidoc.WebWolfMacro;
import org.owasp.webgoat.i18n.Language; import org.owasp.webgoat.i18n.Language;
import org.thymeleaf.TemplateProcessingParameters; import org.thymeleaf.TemplateProcessingParameters;
@ -86,6 +87,7 @@ public class AsciiDoctorTemplateResolver extends TemplateResolver {
StringWriter writer = new StringWriter(); StringWriter writer = new StringWriter();
JavaExtensionRegistry extensionRegistry = asciidoctor.javaExtensionRegistry(); JavaExtensionRegistry extensionRegistry = asciidoctor.javaExtensionRegistry();
extensionRegistry.inlineMacro("webWolfLink", WebWolfMacro.class); extensionRegistry.inlineMacro("webWolfLink", WebWolfMacro.class);
extensionRegistry.inlineMacro("webGoatVersion", WebGoatVersionMacro.class);
asciidoctor.convert(new InputStreamReader(is), writer, createAttributes()); asciidoctor.convert(new InputStreamReader(is), writer, createAttributes());
return new ByteArrayInputStream(writer.getBuffer().toString().getBytes(UTF_8)); return new ByteArrayInputStream(writer.getBuffer().toString().getBytes(UTF_8));

2
webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java
View File

@ -130,6 +130,7 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter {
@Bean @Bean
public PluginMessages pluginMessages(Messages messages, Language language) { public PluginMessages pluginMessages(Messages messages, Language language) {
PluginMessages pluginMessages = new PluginMessages(messages, language); PluginMessages pluginMessages = new PluginMessages(messages, language);
pluginMessages.setDefaultEncoding("UTF-8");
pluginMessages.setBasenames("i18n/WebGoatLabels"); pluginMessages.setBasenames("i18n/WebGoatLabels");
return pluginMessages; return pluginMessages;
} }
@ -142,6 +143,7 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter {
@Bean @Bean
public Messages messageSource(Language language) { public Messages messageSource(Language language) {
Messages messages = new Messages(language); Messages messages = new Messages(language);
messages.setDefaultEncoding("UTF-8");
messages.setBasename("classpath:i18n/messages"); messages.setBasename("classpath:i18n/messages");
return messages; return messages;
} }

23
webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebGoatVersionMacro.java Normal file
View File

@ -0,0 +1,23 @@
package org.owasp.webgoat.asciidoc;
import org.asciidoctor.ast.AbstractBlock;
import org.asciidoctor.extension.InlineMacroProcessor;
import org.springframework.core.env.Environment;
import org.springframework.util.StringUtils;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import javax.servlet.http.HttpServletRequest;
import java.util.Map;
public class WebGoatVersionMacro extends InlineMacroProcessor {
public WebGoatVersionMacro(String macroName, Map<String, Object> config) {
super(macroName, config);
}
@Override
protected String process(AbstractBlock parent, String target, Map<String, Object> attributes) {
return EnvironmentExposure.getEnv().getProperty("webgoat.build.version");
}
}

14
webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java
View File

@ -10,6 +10,12 @@ import org.springframework.web.context.request.ServletRequestAttributes;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import java.util.Map; import java.util.Map;
/**
* Usage in asciidoc:
* <p>
* webWolfLink:here[] will display a href with here as text
* webWolfLink:landing[noLink] will display the complete url, for example: http://WW_HOST:WW_PORT/landing
*/
public class WebWolfMacro extends InlineMacroProcessor { public class WebWolfMacro extends InlineMacroProcessor {
public WebWolfMacro(String macroName, Map<String, Object> config) { public WebWolfMacro(String macroName, Map<String, Object> config) {
@ -20,9 +26,17 @@ public class WebWolfMacro extends InlineMacroProcessor {
protected String process(AbstractBlock parent, String target, Map<String, Object> attributes) { protected String process(AbstractBlock parent, String target, Map<String, Object> attributes) {
Environment env = EnvironmentExposure.getEnv(); Environment env = EnvironmentExposure.getEnv();
String hostname = determineHost(env.getProperty("webwolf.host"), env.getProperty("webwolf.port")); String hostname = determineHost(env.getProperty("webwolf.host"), env.getProperty("webwolf.port"));
if (displayCompleteLinkNoFormatting(attributes)) {
return hostname + (hostname.endsWith("/") ? "" : "/") + target;
}
return "<a href=\"" + hostname + "\" target=\"_blank\">" + target + "</a>"; return "<a href=\"" + hostname + "\" target=\"_blank\">" + target + "</a>";
} }
private boolean displayCompleteLinkNoFormatting(Map<String, Object> attributes) {
return attributes.values().stream().filter(a -> a.equals("noLink")).findFirst().isPresent();
}
/** /**
* Look at the remote address from received from the browser first. This way it will also work if you run * Look at the remote address from received from the browser first. This way it will also work if you run
* the browser in a Docker container and WebGoat on your local machine. * the browser in a Docker container and WebGoat on your local machine.

1
webgoat-container/src/main/java/org/owasp/webgoat/lessons/Category.java
View File

@ -46,6 +46,7 @@ public enum Category {
INSECURE_CONFIGURATION("Insecure Configuration", new Integer(600)), INSECURE_CONFIGURATION("Insecure Configuration", new Integer(600)),
INSECURE_COMMUNICATION("Insecure Communication", new Integer(700)), INSECURE_COMMUNICATION("Insecure Communication", new Integer(700)),
INSECURE_STORAGE("Insecure Storage", new Integer(800)), INSECURE_STORAGE("Insecure Storage", new Integer(800)),
INSECURE_DESERIALIZATION("Insecure Deserialization", new Integer(850)),
REQUEST_FORGERIES("Request Forgeries", new Integer(900)), REQUEST_FORGERIES("Request Forgeries", new Integer(900)),
VULNERABLE_COMPONENTS("Vulnerable Components - A9", new Integer(950)), VULNERABLE_COMPONENTS("Vulnerable Components - A9", new Integer(950)),
AJAX_SECURITY("AJAX Security", new Integer(1000)), AJAX_SECURITY("AJAX Security", new Integer(1000)),

1
webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonInfoModel.java
View File

@ -2,7 +2,6 @@ package org.owasp.webgoat.lessons;
import lombok.AllArgsConstructor; import lombok.AllArgsConstructor;
import lombok.Getter; import lombok.Getter;
import org.owasp.webgoat.session.WebSession;
/** /**
* <p>LessonInfoModel class.</p> * <p>LessonInfoModel class.</p>

20
webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java
View File

@ -40,17 +40,19 @@ public class LessonProgressService {
@RequestMapping(value = "/service/lessonprogress.mvc", produces = "application/json") @RequestMapping(value = "/service/lessonprogress.mvc", produces = "application/json")
@ResponseBody @ResponseBody
public Map getLessonInfo() { public Map getLessonInfo() {
UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
LessonTracker lessonTracker = userTracker.getLessonTracker(webSession.getCurrentLesson());
Map json = Maps.newHashMap(); Map json = Maps.newHashMap();
String successMessage = ""; UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
boolean lessonCompleted = false; if (webSession.getCurrentLesson() != null) {
if (lessonTracker != null) { LessonTracker lessonTracker = userTracker.getLessonTracker(webSession.getCurrentLesson());
lessonCompleted = lessonTracker.isLessonSolved(); String successMessage = "";
successMessage = "LessonCompleted"; //@todo we still use this?? boolean lessonCompleted = false;
if (lessonTracker != null) {
lessonCompleted = lessonTracker.isLessonSolved();
successMessage = "LessonCompleted"; //@todo we still use this??
}
json.put("lessonCompleted", lessonCompleted);
json.put("successMessage", successMessage);
} }
json.put("lessonCompleted", lessonCompleted);
json.put("successMessage", successMessage);
return json; return json;
} }

4
webgoat-container/src/main/java/org/owasp/webgoat/service/ReportCardService.java
View File

@ -32,6 +32,7 @@ import com.google.common.collect.Lists;
import lombok.AllArgsConstructor; import lombok.AllArgsConstructor;
import lombok.Getter; import lombok.Getter;
import lombok.Setter; import lombok.Setter;
import org.owasp.webgoat.i18n.PluginMessages;
import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.session.Course; import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
@ -57,6 +58,7 @@ public class ReportCardService {
private final WebSession webSession; private final WebSession webSession;
private final UserTrackerRepository userTrackerRepository; private final UserTrackerRepository userTrackerRepository;
private final Course course; private final Course course;
private final PluginMessages pluginMessages;
/** /**
* Endpoint which generates the report card for the current use to show the stats on the solved lessons * Endpoint which generates the report card for the current use to show the stats on the solved lessons
@ -74,7 +76,7 @@ public class ReportCardService {
for (AbstractLesson lesson : lessons) { for (AbstractLesson lesson : lessons) {
LessonTracker lessonTracker = userTracker.getLessonTracker(lesson); LessonTracker lessonTracker = userTracker.getLessonTracker(lesson);
LessonStatistics lessonStatistics = new LessonStatistics(); LessonStatistics lessonStatistics = new LessonStatistics();
lessonStatistics.setName(lesson.getTitle()); lessonStatistics.setName(pluginMessages.getMessage(lesson.getTitle()));
lessonStatistics.setNumberOfAttempts(lessonTracker.getNumberOfAttempts()); lessonStatistics.setNumberOfAttempts(lessonTracker.getNumberOfAttempts());
lessonStatistics.setSolved(lessonTracker.isLessonSolved()); lessonStatistics.setSolved(lessonTracker.isLessonSolved());
reportCard.lessonStatistics.add(lessonStatistics); reportCard.lessonStatistics.add(lessonStatistics);

34
webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java
View File

@ -81,6 +81,39 @@ public class CreateDB {
} }
} }
/**
* Description of the Method
*
* @param connection Description of the Parameter
* @throws SQLException Description of the Exception
*/
private void createJWTKeys(Connection connection) throws SQLException {
Statement statement = connection.createStatement();
// Drop servers table
try {
String dropTable = "DROP TABLE jwt_keys";
statement.executeUpdate(dropTable);
} catch (SQLException e) {
System.out.println("Info - Could not drop jwtkeys table");
}
// Create the new table
try {
String createTableStatement = "CREATE TABLE jwt_keys"
+ " (" + "id varchar(20),"
+ "key varchar(20))";
statement.executeUpdate(createTableStatement);
String insertData1 = "INSERT INTO jwt_keys VALUES ('webgoat_key', 'qwertyqwerty1234')";
String insertData2 = "INSERT INTO jwt_keys VALUES ('webwolf_key', 'doesnotreallymatter')";
statement.executeUpdate(insertData1);
statement.executeUpdate(insertData2);
} catch (SQLException e) {
System.out.println("Error creating product table " + e.getLocalizedMessage());
}
}
/** /**
* Description of the Method * Description of the Method
@ -975,6 +1008,7 @@ public class CreateDB {
createTanTable(connection); createTanTable(connection);
createMFEImagesTable(connection); createMFEImagesTable(connection);
createModifyWithSQLLessonTable(connection); createModifyWithSQLLessonTable(connection);
createJWTKeys(connection);
System.out.println("Success: creating tables."); System.out.println("Success: creating tables.");
} }
} }

2
webgoat-container/src/main/java/org/owasp/webgoat/users/UserForm.java
View File

@ -4,6 +4,7 @@ import lombok.Getter;
import lombok.Setter; import lombok.Setter;
import javax.validation.constraints.NotNull; import javax.validation.constraints.NotNull;
import javax.validation.constraints.Pattern;
import javax.validation.constraints.Size; import javax.validation.constraints.Size;
/** /**
@ -16,6 +17,7 @@ public class UserForm {
@NotNull @NotNull
@Size(min=6, max=20) @Size(min=6, max=20)
@Pattern(regexp = "[a-zA-Z0-9]*", message = "can only contain letters and digits")
private String username; private String username;
@NotNull @NotNull
@Size(min=6, max=10) @Size(min=6, max=10)

1
webgoat-container/src/main/java/org/owasp/webgoat/users/UserTracker.java
View File

@ -52,6 +52,7 @@ public class UserTracker {
@Id @Id
@GeneratedValue(strategy = GenerationType.AUTO) @GeneratedValue(strategy = GenerationType.AUTO)
private Long id; private Long id;
@Column(name = "username")
private String user; private String user;
@OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER) @OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER)
private Set<LessonTracker> lessonTrackers = Sets.newHashSet(); private Set<LessonTracker> lessonTrackers = Sets.newHashSet();

13
webgoat-container/src/main/resources/application.properties
View File

@ -5,12 +5,14 @@ server.contextPath=/WebGoat
server.port=8080 server.port=8080
server.address=127.0.0.1 server.address=127.0.0.1
spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/data/webgoat spring.datasource.url=jdbc:hsqldb:hsql://localhost:9001/webgoat
spring.jpa.hibernate.ddl-auto=update spring.jpa.hibernate.ddl-auto=update
spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect
spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver
logging.level.org.springframework=WARN logging.level.org.springframework=INFO
logging.level.org.springframework.boot.devtools=WARN logging.level.org.springframework.boot.devtools=INFO
logging.level.org.owasp=DEBUG logging.level.org.owasp=DEBUG
logging.level.org.owasp.webgoat=TRACE logging.level.org.owasp.webgoat=TRACE
@ -20,6 +22,7 @@ security.enable-csrf=false
spring.resources.cache-period=0 spring.resources.cache-period=0
spring.thymeleaf.cache=false spring.thymeleaf.cache=false
webgoat.start.hsqldb=true
webgoat.clean=false webgoat.clean=false
webgoat.server.directory=${user.home}/.webgoat-${webgoat.build.version}/ webgoat.server.directory=${user.home}/.webgoat-${webgoat.build.version}/
webgoat.user.directory=${user.home}/.webgoat-${webgoat.build.version}/ webgoat.user.directory=${user.home}/.webgoat-${webgoat.build.version}/
@ -34,9 +37,9 @@ webgoat.database.connection.string=jdbc:hsqldb:mem:{USER}
webgoat.default.language=en webgoat.default.language=en
webwolf.host=${WEBWOLF_HOST:localhost} webwolf.host=${WEBWOLF_HOST:localhost}
webwolf.port=${WEBWOLF_PORT:8081} webwolf.port=${WEBWOLF_PORT:9090}
webwolf.url=http://${webwolf.host}:${webwolf.port}/WebWolf webwolf.url=http://${webwolf.host}:${webwolf.port}/WebWolf
webworf.url.landingpage=http://${webwolf.host}:${webwolf.port}/landing webwolf.url.landingpage=http://${webwolf.host}:${webwolf.port}/landing
webwolf.url.mail=http://${webwolf.host}:${webwolf.port}/mail webwolf.url.mail=http://${webwolf.host}:${webwolf.port}/mail
spring.jackson.serialization.indent_output=true spring.jackson.serialization.indent_output=true

13
webgoat-container/src/main/resources/static/css/main.css
View File

@ -1066,6 +1066,7 @@ span.show-next-page, span.show-prev-page {
/* ATTACK DISPLAY */ /* ATTACK DISPLAY */
.attack-container { .attack-container {
position: relative;
background-color: #f1f1f1; background-color: #f1f1f1;
border: 2px solid #a66; border: 2px solid #a66;
border-radius: 12px; border-radius: 12px;
@ -1151,3 +1152,15 @@ div.captured-flag {
width: 1268px; width: 1268px;
margin-bottom: 20px; margin-bottom: 20px;
} }
#content {
position:relative;
}
.webwolf-enabled {
position:absolute;
top: 10px;
right: 25px;
width: 42px;
height: 47px;
}

61
webgoat-container/src/main/resources/static/js/goatApp/controller/LessonController.js
View File

@ -73,6 +73,7 @@ define(['jquery',
} }
this.loadLesson = function(name,pageNum) { this.loadLesson = function(name,pageNum) {
if (this.name === name) { if (this.name === name) {
this.listenToOnce(this.lessonHintView, 'hints:showButton', this.onShowHintsButton); this.listenToOnce(this.lessonHintView, 'hints:showButton', this.onShowHintsButton);
this.listenTo(this.lessonHintView, 'hints:hideButton', this.onHideHintsButton); this.listenTo(this.lessonHintView, 'hints:hideButton', this.onHideHintsButton);
@ -83,15 +84,15 @@ define(['jquery',
return; return;
} }
if (pageNum && !this.name) {
//placeholder
}
this.helpsLoaded = {}; this.helpsLoaded = {};
if (typeof(name) === 'undefined' || name === null) { if (typeof(name) === 'undefined' || name === null) {
//TODO: implement lesson not found or return to welcome page? //TODO: implement lesson not found or return to welcome page?
} }
this.lessonContent.loadData({'name':name}); this.lessonContent.loadData({'name':name});
// this.planView = {};
// this.solutionView = {};
// this.sourceView = {};
// this.lessonHintView = {};
this.name = name; this.name = name;
}; };
@ -124,15 +125,8 @@ define(['jquery',
this.helpControlsView = null; this.helpControlsView = null;
this.lessonContentView.model = this.lessonContent; this.lessonContentView.model = this.lessonContent;
this.lessonContentView.render(); this.lessonContentView.render();
//TODO: consider moving hintView as child of lessonContentView ...
//this.planView = new PlanView(); this.createLessonHintView();
//this.solutionView = new SolutionView();
//this.sourceView = new SourceView();
if (this.lessonHintView) {
this.lessonHintView.stopListening();
this.lessonHintView = null;
}
this.lessonHintView = new HintView();
//TODO: instantiate model with values (not sure why was not working before) //TODO: instantiate model with values (not sure why was not working before)
var paramModel = new ParamModel({}); var paramModel = new ParamModel({});
@ -148,40 +142,23 @@ define(['jquery',
this.lessonProgressModel.completed(); this.lessonProgressModel.completed();
}; };
this.createLessonHintView = function () {
if (this.lessonHintView) {
this.lessonHintView.stopListening();
this.lessonHintView = null;
}
this.lessonHintView = new HintView();
}
this.addCurHelpState = function (curHelp) { this.addCurHelpState = function (curHelp) {
this.helpsLoaded[curHelp.helpElement] = curHelp.value; this.helpsLoaded[curHelp.helpElement] = curHelp.value;
}; };
// this.hideShowHelps = function(showHelp) {
// var showId = '#lesson-' + showHelp + '-row';
// var contentId = '#lesson-' + showHelp + '-content';
// $('.lesson-help').not(showId).hide();
// if (!showId) {
// return;
// }
//
// if ($(showId).is(':visible')) {
// $(showId).hide();
// return;
// } else {
// //TODO: move individual .html operations into individual help views
// switch(showHelp) {
// case 'plan':
// $(contentId).html(this.planView.model.get('content'));
// break;
// case 'solution':
// $(showId).html(this.solutionView.model.get('content'));
// break;
// case 'source':
// $(contentId).html('<pre>' + this.sourceView.model.get('content') + '</pre>');
// break;
// }
// $(showId).show();
// GoatUtils.scrollToHelp()
// }
// };
this.showHintsView = function() { this.showHintsView = function() {
if (!this.lessonHintView) {
this.createLessonHintView();
}
//
this.lessonHintView.render(); this.lessonHintView.render();
if (this.lessonHintView.getHintsCount > 0) { if (this.lessonHintView.getHintsCount > 0) {
this.helpControlsView.showHintsButton(); this.helpControlsView.showHintsButton();

54
webgoat-container/src/main/resources/static/js/goatApp/model/MenuCollection.js
View File

@ -1,29 +1,33 @@
define(['jquery', define(['jquery',
'underscore', 'underscore',
'backbone', 'backbone',
'goatApp/model/MenuModel'], 'goatApp/model/MenuModel'],
function($,_,Backbone,MenuModel) { function ($, _, Backbone, MenuModel) {
return Backbone.Collection.extend({ return Backbone.Collection.extend({
model: MenuModel, model: MenuModel,
url:'service/lessonmenu.mvc', url: 'service/lessonmenu.mvc',
initialize: function () {
var self = this;
this.fetch();
},
onDataLoaded: function() { initialize: function () {
this.trigger('menuData:loaded'); var self = this;
}, this.fetch();
setInterval(function () {
this.fetch()
}.bind(this), 5000);
},
fetch: function() { onDataLoaded: function () {
var self=this; this.trigger('menuData:loaded');
Backbone.Collection.prototype.fetch.apply(this,arguments).then( },
function(data) {
this.models = data; fetch: function () {
self.onDataLoaded(); var self = this;
} Backbone.Collection.prototype.fetch.apply(this, arguments).then(
); function (data) {
} this.models = data;
}); self.onDataLoaded();
}); }
);
}
});
});

2
webgoat-container/src/main/resources/static/js/goatApp/view/GoatRouter.js
View File

@ -67,7 +67,7 @@ define(['jquery',
contentType: 'application/x-www-form-urlencoded; charset=UTF-8', contentType: 'application/x-www-form-urlencoded; charset=UTF-8',
success: function (data) { success: function (data) {
//devs leave stuff like this in all the time //devs leave stuff like this in all the time
console.log('phone home said ' + data); console.log('phone home said ' + JSON.stringify(data));
} }
}); });
} }

35
webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js
View File

@ -25,6 +25,9 @@ define(['jquery',
self.navToPage(page); self.navToPage(page);
} }
}); });
setInterval(function () {
this.updatePagination();
}.bind(this), 5000);
}, },
findPage: function(assignment) { findPage: function(assignment) {
@ -56,11 +59,13 @@ define(['jquery',
var currentPage = (!isNaN(startPageNum) && startPageNum && startPageNum < this.$contentPages) ? startPageNum : 0; var currentPage = (!isNaN(startPageNum) && startPageNum && startPageNum < this.$contentPages) ? startPageNum : 0;
//init views & pagination //init views & pagination
this.showCurContentPage(currentPage); this.showCurContentPage(currentPage);
this.paginationControlView = new PaginationControlView(this.$contentPages,this.model.get('lessonUrl')); this.paginationControlView = new PaginationControlView(this.$contentPages,this.model.get('lessonUrl'),startPageNum);
}, },
updatePagination: function() { updatePagination: function() {
this.paginationControlView.updateCollection(); if ( this.paginationControlView != undefined ) {
this.paginationControlView.updateCollection();
}
}, },
getCurrentPage: function () { getCurrentPage: function () {
@ -85,6 +90,8 @@ define(['jquery',
var prepareDataFunctionName = $(curForm).attr('prepareData'); var prepareDataFunctionName = $(curForm).attr('prepareData');
var callbackFunctionName = $(curForm).attr('callback'); var callbackFunctionName = $(curForm).attr('callback');
var submitData = (typeof webgoat.customjs[prepareDataFunctionName] === 'function') ? webgoat.customjs[prepareDataFunctionName]() : $(curForm).serialize(); var submitData = (typeof webgoat.customjs[prepareDataFunctionName] === 'function') ? webgoat.customjs[prepareDataFunctionName]() : $(curForm).serialize();
var additionalHeadersFunctionName = $(curForm).attr('additionalHeaders');
var additionalHeaders = (typeof webgoat.customjs[additionalHeadersFunctionName] === 'function') ? webgoat.customjs[additionalHeadersFunctionName]() : function() {};
var successCallBackFunctionName = $(curForm).attr('successCallback'); var successCallBackFunctionName = $(curForm).attr('successCallback');
var failureCallbackFunctionName = $(curForm).attr('failureCallback'); var failureCallbackFunctionName = $(curForm).attr('failureCallback');
var callbackFunction = (typeof webgoat.customjs[callbackFunctionName] === 'function') ? webgoat.customjs[callbackFunctionName] : function() {}; var callbackFunction = (typeof webgoat.customjs[callbackFunctionName] === 'function') ? webgoat.customjs[callbackFunctionName] : function() {};
@ -99,6 +106,7 @@ define(['jquery',
$.ajax({ $.ajax({
//data:submitData, //data:submitData,
url:formUrl, url:formUrl,
headers: additionalHeaders,
method:formMethod, method:formMethod,
contentType:contentType, contentType:contentType,
data: submitData, data: submitData,
@ -146,14 +154,23 @@ define(['jquery',
return false; return false;
}, },
removeSlashesFromJSON: function(str) {
// slashes are leftover escapes from JSON serialization by server
// for every two char sequence starting with backslash,
// replace them in the text with second char only
return str.replace(/\\(.)/g, "$1");
},
renderFeedback: function(feedback) { renderFeedback: function(feedback) {
this.$curFeedback.html(polyglot.t(feedback) || ""); var s = this.removeSlashesFromJSON(feedback);
this.$curFeedback.html(polyglot.t(s) || "");
this.$curFeedback.show(400) this.$curFeedback.show(400)
}, },
renderOutput: function(output) { renderOutput: function(output) {
this.$curOutput.html(polyglot.t(output) || ""); var s = this.removeSlashesFromJSON(output);
this.$curOutput.html(polyglot.t(s) || "");
this.$curOutput.show(400) this.$curOutput.show(400)
}, },
@ -173,13 +190,19 @@ define(['jquery',
return endpoints; return endpoints;
}, },
onNavToPage: function(pageNum) {
var assignmentPaths = this.findAssigmentEndpointsOnPage(pageNum);
this.trigger('endpoints:filtered',assignmentPaths);
},
navToPage: function (pageNum) { navToPage: function (pageNum) {
this.paginationControlView.setCurrentPage(pageNum);//provides validation this.paginationControlView.setCurrentPage(pageNum);//provides validation
this.showCurContentPage(this.paginationControlView.currentPage); this.showCurContentPage(this.paginationControlView.currentPage);
this.paginationControlView.render(); this.paginationControlView.render();
this.paginationControlView.hideShowNavButtons(); this.paginationControlView.hideShowNavButtons();
var assignmentPaths = this.findAssigmentEndpointsOnPage(pageNum); this.onNavToPage(pageNum);
this.trigger('endpoints:filtered',assignmentPaths); //var assignmentPaths = this.findAssigmentEndpointsOnPage(pageNum);
//this.trigger('endpoints:filtered',assignmentPaths);
}, },
/* for testing */ /* for testing */

10
webgoat-container/src/main/resources/static/js/goatApp/view/PaginationControlView.js
View File

@ -12,14 +12,14 @@ define(['jquery',
template: PaginationTemplate, template: PaginationTemplate,
el: '#lesson-page-controls', el: '#lesson-page-controls',
initialize: function ($contentPages,baseLessonUrl) { initialize: function ($contentPages,baseLessonUrl,initPageNum) {
this.$contentPages = $contentPages; this.$contentPages = $contentPages;
this.collection = new LessonOverviewCollection(); this.collection = new LessonOverviewCollection();
this.listenTo(this.collection, 'reset', this.render); this.listenTo(this.collection, 'reset', this.render);
this.numPages = this.$contentPages.length; this.numPages = this.$contentPages.length;
this.baseUrl = baseLessonUrl; this.baseUrl = baseLessonUrl;
this.collection.fetch({reset:true}); this.collection.fetch({reset:true});
this.initPagination(); this.initPagination(initPageNum);
//this.render(); //this.render();
}, },
@ -117,9 +117,9 @@ define(['jquery',
$('span.glyphicon-class.glyphicon.glyphicon-circle-arrow-right.show-next-page').hide(); $('span.glyphicon-class.glyphicon.glyphicon-circle-arrow-right.show-next-page').hide();
}, },
initPagination: function() { initPagination: function(initPageNum) {
//track pagination state in this view ... start at 0 //track pagination state in this view ... start at 0 .. unless a pageNum was provided
this.currentPage = 0; this.currentPage = !initPageNum ? 0 : initPageNum;
}, },
setCurrentPage: function (pageNum) { setCurrentPage: function (pageNum) {

2
webgoat-container/src/main/resources/static/js/main.js
View File

@ -30,7 +30,7 @@ require.config({
shim: { shim: {
"jqueryui": { "jqueryui": {
exports:"$", exports:"$",
deps: ['jquery'] deps: ['libs/jquery-2.1.4.min']
}, },
underscore: { underscore: {
exports: "_" exports: "_"

21
webgoat-container/src/main/resources/templates/main_new.html
View File

@ -76,24 +76,25 @@
</a> </a>
</li> </li>
<li role="presentation" class="divider"></li> <li role="presentation" class="divider"></li>
<li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#" <li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">
th:text="#{version}">Version: <span <span th:text="#{version}">Version:</span><span>: </span>
th:text="${@environment.getProperty('webgoat.build.version')}"></span></a> <span th:text="${@environment.getProperty('webgoat.build.version')}"></span></a>
</li> </li>
<li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#" <li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">
th:text="#{build}">Build: <span th:text="#{build}">Build:</span><span>: </span>
<span th:text="${@environment.getProperty('webgoat.build.number')}"></span></a></li> <span th:text="${@environment.getProperty('webgoat.build.number')}"></span></a></li>
</ul> </ul>
</div> </div>
<div style="display:inline" id="settings"> <div style="display:inline" id="settings">
<!--<button type="button" id="admin-button" class="btn btn-default right_nav_button" title="Administrator">--> <!--<button type="button" id="admin-button" class="btn btn-default right_nav_button" title="Administrator">-->
<!--<i class="fa fa-cog"></i>--> <!--<i class="fa fa-cog"></i>-->
<!--</button>--> <!--</button>-->
<button type="button" id="report-card-button" class="btn btn-default right_nav_button button-up" <a href="#reportCard">
th:title="#{report.card}"> <button type="button" id="report-card-button" class="btn btn-default right_nav_button button-up"
<a href="#reportCard"><i class="fa fa-bar-chart-o"></i></a> th:title="#{report.card}">
</button> <i class="fa fa-bar-chart-o"></i>
</button>
</a>
<!--<button type="button" id="user-management" class="btn btn-default right_nav_button"--> <!--<button type="button" id="user-management" class="btn btn-default right_nav_button"-->
<!--title="User management">--> <!--title="User management">-->
<!--<i class="fa fa-users"></i>--> <!--<i class="fa fa-users"></i>-->

6
webgoat-container/src/test/java/org/owasp/webgoat/service/ReportCardServiceTest.java
View File

@ -6,6 +6,7 @@ import org.junit.Test;
import org.junit.runner.RunWith; import org.junit.runner.RunWith;
import org.mockito.Mock; import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner; import org.mockito.runners.MockitoJUnitRunner;
import org.owasp.webgoat.i18n.PluginMessages;
import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.session.Course; import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
@ -40,10 +41,13 @@ public class ReportCardServiceTest {
private UserTrackerRepository userTrackerRepository; private UserTrackerRepository userTrackerRepository;
@Mock @Mock
private WebSession websession; private WebSession websession;
@Mock
private PluginMessages pluginMessages;
@Before @Before
public void setup() { public void setup() {
this.mockMvc = standaloneSetup(new ReportCardService(websession, userTrackerRepository, course)).build(); this.mockMvc = standaloneSetup(new ReportCardService(websession, userTrackerRepository, course, pluginMessages)).build();
when(pluginMessages.getMessage(anyString())).thenReturn("Test");
} }
@Test @Test

14
webgoat-container/src/test/resources/logback-test.xml
View File

@ -1 +1,15 @@
<configuration /> <configuration />
<!--
Enable below if you want to debug a unit test and see why the controller fails the configuration above is there
to keep the Travis build going otherwise it fails with too much logging.
//TODO we should use a different Spring profile for Travis
-->
<!--
<configuration>
<include resource="org/springframework/boot/logging/logback/base.xml"/>
<logger name="org.springframework.web" level="DEBUG"/>
</configuration>
-->

2
webgoat-images/vagrant-training/Vagrantfile vendored
View File

@ -3,7 +3,7 @@
Vagrant.configure(2) do |config| Vagrant.configure(2) do |config|
config.vm.box = "ubuntu/trusty64" config.vm.box = "ubuntu/trusty64"
config.vm.network :forwarded_port, guest: 8080, host: 8080 config.vm.network :forwarded_port, guest: 8080, host: 8080
config.vm.network :forwarded_port, guest: 8081, host: 8081 config.vm.network :forwarded_port, guest: 9090, host: 9090
config.vm.provider "virtualbox" do |vb| config.vm.provider "virtualbox" do |vb|
vb.gui = false vb.gui = false
vb.memory = "4096" vb.memory = "4096"

2
webgoat-lessons/auth-bypass/pom.xml
View File

@ -6,7 +6,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version> <version>v8.0.0.M17</version>
</parent> </parent>
</project> </project>

4
webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/bypass-intro.adoc
View File

@ -1,4 +1,4 @@
== Authentication Bpasses == Authentication Bypasses
Authentication Bypasses happen in many ways, but usually take advantage of some flaw in the configuration or logic. Tampering to achieve the right conditions. Authentication Bypasses happen in many ways, but usually take advantage of some flaw in the configuration or logic. Tampering to achieve the right conditions.
@ -12,4 +12,4 @@ Sometimes, if an attacker doesn't know the correct value of a parameter, they ma
=== Forced Browsing === Forced Browsing
If an area of a site is not protected properly by configuation, that area of the site may be accessed by guessing/brute-forcing. If an area of a site is not protected properly by configuration, that area of the site may be accessed by guessing/brute-forcing.

2
webgoat-lessons/bypass-restrictions/pom.xml
View File

@ -6,6 +6,6 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version> <version>v8.0.0.M17</version>
</parent> </parent>
</project> </project>

2
webgoat-lessons/challenge/pom.xml
View File

@ -6,7 +6,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version> <version>v8.0.0.M17</version>
</parent> </parent>

5
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/SolutionConstants.java
View File

@ -10,11 +10,6 @@ public interface SolutionConstants {
//TODO should be random generated when starting the server //TODO should be random generated when starting the server
String PASSWORD = "!!webgoat_admin_1234!!"; String PASSWORD = "!!webgoat_admin_1234!!";
String SUPER_COUPON_CODE = "get_it_for_free";
String PASSWORD_TOM = "thisisasecretfortomonly"; String PASSWORD_TOM = "thisisasecretfortomonly";
String PASSWORD_LARRY = "larryknows";
String JWT_PASSWORD = "victory";
String ADMIN_PASSWORD_LINK = "375afe1104f4a487a73823c50a9292a2"; String ADMIN_PASSWORD_LINK = "375afe1104f4a487a73823c50a9292a2";
String PASSWORD_TOM_9 = "somethingVeryRandomWhichNoOneWillEverTypeInAsPasswordForTom";
String TOM_EMAIL = "tom@webgoat-cloud.org";
} }

39
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge2/Challenge2.java
View File

@ -1,39 +0,0 @@
package org.owasp.webgoat.plugin.challenge2;
import com.google.common.collect.Lists;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import java.util.List;
/**
* @author nbaars
* @since 3/21/17.
*/
public class Challenge2 extends NewLesson {
@Override
public Category getDefaultCategory() {
return Category.CHALLENGE;
}
@Override
public List<String> getHints() {
return Lists.newArrayList();
}
@Override
public Integer getDefaultRanking() {
return 10;
}
@Override
public String getTitle() {
return "challenge2.title";
}
@Override
public String getId() {
return "Challenge2";
}
}

150
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Assignment3.java
View File

@ -1,150 +0,0 @@
package org.owasp.webgoat.plugin.challenge3;
import com.beust.jcommander.internal.Lists;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.collect.EvictingQueue;
import com.google.common.collect.Maps;
import com.google.common.io.Files;
import lombok.SneakyThrows;
import lombok.extern.slf4j.Slf4j;
import org.joda.time.DateTime;
import org.joda.time.format.DateTimeFormat;
import org.joda.time.format.DateTimeFormatter;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.plugin.Flag;
import org.owasp.webgoat.session.WebSession;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.annotation.PostConstruct;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.Unmarshaller;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamReader;
import java.io.File;
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.Charset;
import java.util.Collection;
import java.util.Map;
import static org.springframework.http.MediaType.ALL_VALUE;
import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
import static org.springframework.web.bind.annotation.RequestMethod.GET;
import static org.springframework.web.bind.annotation.RequestMethod.POST;
/**
* @author nbaars
* @since 4/8/17.
*/
@AssignmentPath("/challenge/3")
@Slf4j
public class Assignment3 extends AssignmentEndpoint {
@Value("${webgoat.server.directory}")
private String webGoatHomeDirectory;
@Autowired
private WebSession webSession;
private static DateTimeFormatter fmt = DateTimeFormat.forPattern("yyyy-MM-dd, HH:mm:ss");
private static final Map<String, EvictingQueue<Comment>> userComments = Maps.newHashMap();
private static final EvictingQueue<Comment> comments = EvictingQueue.create(100);
private static final String secretContents = "Congratulations you may now collect your flag";
static {
comments.add(new Comment("webgoat", DateTime.now().toString(fmt), "Silly cat...."));
comments.add(new Comment("guest", DateTime.now().toString(fmt), "I think I will use this picture in one of my projects."));
comments.add(new Comment("guest", DateTime.now().toString(fmt), "Lol!! :-)."));
}
@PostConstruct
@SneakyThrows
public void copyFile() {
File targetDirectory = new File(webGoatHomeDirectory);
if (!targetDirectory.exists()) {
targetDirectory.mkdir();
}
log.info("Copied secret.txt to: {}", targetDirectory);
Files.write(secretContents, new File(targetDirectory, "secret.txt"), Charset.defaultCharset());
}
@RequestMapping(method = GET, produces = MediaType.APPLICATION_JSON_VALUE)
@ResponseBody
public Collection<Comment> retrieveComments() {
Collection<Comment> allComments = Lists.newArrayList();
Collection<Comment> xmlComments = userComments.get(webSession.getUserName());
if (xmlComments != null) {
allComments.addAll(xmlComments);
}
allComments.addAll(comments);
return allComments;
}
@RequestMapping(method = POST, consumes = ALL_VALUE, produces = APPLICATION_JSON_VALUE)
@ResponseBody
public AttackResult createNewComment(@RequestBody String commentStr, @RequestHeader("Content-Type") String contentType) throws Exception {
Comment comment = null;
AttackResult attackResult = failed().build();
if (APPLICATION_JSON_VALUE.equals(contentType)) {
comment = parseJson(commentStr);
comment.setDateTime(DateTime.now().toString(fmt));
comment.setUser(webSession.getUserName());
comments.add(comment);
}
if (MediaType.APPLICATION_XML_VALUE.equals(contentType)) {
//Do not show these comments to all users
comment = parseXml(commentStr);
comment.setDateTime(DateTime.now().toString(fmt));
comment.setUser(webSession.getUserName());
EvictingQueue<Comment> comments = userComments.getOrDefault(webSession.getUserName(), EvictingQueue.create(100));
comments.add(comment);
userComments.put(webSession.getUserName(), comments);
}
if (checkSolution(comment)) {
attackResult = success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(3)).build();
}
return attackResult;
}
private boolean checkSolution(Comment comment) {
if (comment.getText().contains(secretContents)) {
comment.setText("Congratulations to " + webSession.getUserName() + " for finding the flag!! Check your original response where you posted the XXE attack ");
comments.add(comment);
return true;
}
return false;
}
public static Comment parseXml(String xml) throws Exception {
JAXBContext jc = JAXBContext.newInstance(Comment.class);
XMLInputFactory xif = XMLInputFactory.newFactory();
xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, true);
xif.setProperty(XMLInputFactory.IS_VALIDATING, false);
xif.setProperty(XMLInputFactory.SUPPORT_DTD, true);
XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(xml));
Unmarshaller unmarshaller = jc.createUnmarshaller();
return (Comment) unmarshaller.unmarshal(xsr);
}
private Comment parseJson(String comment) {
ObjectMapper mapper = new ObjectMapper();
try {
return mapper.readValue(comment, Comment.class);
} catch (IOException e) {
return new Comment();
}
}
}

39
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Challenge3.java
View File

@ -1,39 +0,0 @@
package org.owasp.webgoat.plugin.challenge3;
import com.google.common.collect.Lists;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import java.util.List;
/**
* @author nbaars
* @since 3/21/17.
*/
public class Challenge3 extends NewLesson {
@Override
public Category getDefaultCategory() {
return Category.CHALLENGE;
}
@Override
public List<String> getHints() {
return Lists.newArrayList();
}
@Override
public Integer getDefaultRanking() {
return 10;
}
@Override
public String getTitle() {
return "challenge3.title";
}
@Override
public String getId() {
return "Challenge3";
}
}

24
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Comment.java
View File

@ -1,24 +0,0 @@
package org.owasp.webgoat.plugin.challenge3;
import lombok.AllArgsConstructor;
import lombok.Getter;
import lombok.NoArgsConstructor;
import lombok.Setter;
import javax.xml.bind.annotation.XmlRootElement;
/**
* @author nbaars
* @since 4/8/17.
*/
@Getter
@Setter
@AllArgsConstructor
@NoArgsConstructor
@XmlRootElement
public class Comment {
private String user;
private String dateTime;
private String text;
}

17
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Assignment4.java
View File

@ -1,17 +0,0 @@
package org.owasp.webgoat.plugin.challenge4;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
/**
* @author nbaars
* @since 5/3/17.
*/
@AssignmentPath("/challenge/4")
@Slf4j
public class Assignment4 extends AssignmentEndpoint {
//just empty, posting the flag will mark the challenge as done as well no need to specify an endpoint here
}

39
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Challenge4.java
View File

@ -1,39 +0,0 @@
package org.owasp.webgoat.plugin.challenge4;
import com.google.common.collect.Lists;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import java.util.List;
/**
* @author nbaars
* @since 3/21/17.
*/
public class Challenge4 extends NewLesson {
@Override
public Category getDefaultCategory() {
return Category.CHALLENGE;
}
@Override
public List<String> getHints() {
return Lists.newArrayList();
}
@Override
public Integer getDefaultRanking() {
return 10;
}
@Override
public String getTitle() {
return "challenge4.title";
}
@Override
public String getId() {
return "Challenge4";
}
}

16
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Views.java
View File

@ -1,16 +0,0 @@
package org.owasp.webgoat.plugin.challenge4;
/**
* @author nbaars
* @since 4/30/17.
*/
public class Views {
interface GuestView {
}
interface UserView extends GuestView {
}
interface AdminView extends UserView {
}
}

75
webgoat-lessons/challenge/src/main/resources/css/challenge3.css
View File

@ -1,75 +0,0 @@
/* Component: Posts */
.post .post-heading {
height: 95px;
padding: 20px 15px;
}
.post .post-heading .avatar {
width: 60px;
height: 60px;
display: block;
margin-right: 15px;
}
.post .post-heading .meta .title {
margin-bottom: 0;
}
.post .post-heading .meta .title a {
color: black;
}
.post .post-heading .meta .title a:hover {
color: #aaaaaa;
}
.post .post-heading .meta .time {
margin-top: 8px;
color: #999;
}
.post .post-image .image {
width:20%;
height: 40%;
}
.post .post-description {
padding: 5px;
}
.post .post-footer {
border-top: 1px solid #ddd;
padding: 15px;
}
.post .post-footer .input-group-addon a {
color: #454545;
}
.post .post-footer .comments-list {
padding: 0;
margin-top: 20px;
list-style-type: none;
}
.post .post-footer .comments-list .comment {
display: block;
width: 100%;
margin: 20px 0;
}
.post .post-footer .comments-list .comment .avatar {
width: 35px;
height: 35px;
}
.post .post-footer .comments-list .comment .comment-heading {
display: block;
width: 100%;
}
.post .post-footer .comments-list .comment .comment-heading .user {
font-size: 14px;
font-weight: bold;
display: inline;
margin-top: 0;
margin-right: 10px;
}
.post .post-footer .comments-list .comment .comment-heading .time {
font-size: 12px;
color: #aaa;
margin-top: 0;
display: inline;
}
.post .post-footer .comments-list .comment .comment-body {
margin-left: 50px;
}
.post .post-footer .comments-list .comment > .comments-list {
margin-left: 50px;
}

12
webgoat-lessons/challenge/src/main/resources/css/challenge4.css
View File

@ -1,12 +0,0 @@
a.list-group-item {
height:auto;
}
a.list-group-item.active small {
color:#fff;
}
.stars {
margin:20px auto 1px;
}
.img-responsive {
min-width: 100%;
}

112
webgoat-lessons/challenge/src/main/resources/html/Challenge2.html
View File

@ -1,112 +0,0 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:Challenge_2.adoc"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge2.css}"/>
<script th:src="@{/lesson_js/challenge2.js}" language="JavaScript"></script>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container-fluid">
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/challenge/2"
enctype="application/json;charset=UTF-8">
<input id="discount" type="hidden" value="0"/>
<div class="row">
<div class="col-xs-3 item-photo">
<img style="max-width:100%;" th:src="@{/images/samsung-black.jpg}"/>
</div>
<div class="col-xs-5" style="border:0px solid gray">
<h3>Samsung Galaxy S8</h3>
<h5 style="color:#337ab7"><a href="http://www.samsung.com">Samsung</a> ·
<small style="color:#337ab7">(124421 reviews)</small>
</h5>
<h6 class="title-price">
<small>PRICE</small>
</h6>
<h3 style="margin-top:0px;"><span>US $</span><span id="price">899</span></h3>
<div class="section">
<h6 class="title-attr" style="margin-top:15px;">
<small>COLOR</small>
</h6>
<div>
<div class="attr" style="width:25px;background:lightgrey;"></div>
<div class="attr" style="width:25px;background:black;"></div>
</div>
</div>
<div class="section" style="padding-bottom:5px;">
<h6 class="title-attr">
<small>CAPACITY</small>
</h6>
<div>
<div class="attr2">64 GB</div>
<div class="attr2">128 GB</div>
</div>
</div>
<div class="section" style="padding-bottom:5px;">
<h6 class="title-attr">
<small>QUANTITY</small>
</h6>
<div>
<div class="btn-minus"><span class="glyphicon glyphicon-minus"></span></div>
<input class="quantity" value="1"/>
<div class="btn-plus"><span class="glyphicon glyphicon-plus"></span></div>
</div>
</div>
<div class="section" style="padding-bottom:5px;">
<h6 class="title-attr">
<small>CHECKOUT CODE</small>
</h6>
<!--
Checkout code: webgoat, owasp, owasp-webgoat
-->
<input name="checkoutCode" class="checkoutCode" value=""/>
</div>
<div class="section" style="padding-bottom:20px;">
<button type="submit" class="btn btn-success"><span style="margin-right:20px"
class="glyphicon glyphicon-shopping-cart"
aria-hidden="true"></span>Buy
</button>
<h6><a href="#"><span class="glyphicon glyphicon-heart-empty"
style="cursor:pointer;"></span>
Like</a></h6>
</div>
</div>
</div>
</form>
</div>
<br/>
<form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
<div class="form-group">
<div class="input-group">
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
style="font-size:20px"></i></div>
<input type="text" class="form-control" id="flag" name="flag"
placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/>
</div>
<div class="input-group" style="margin-top: 10px">
<button type="submit" class="btn btn-primary">Submit flag</button>
</div>
</div>
</form>
<br/>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</html>

72
webgoat-lessons/challenge/src/main/resources/html/Challenge3.html
View File

@ -1,72 +0,0 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:Challenge_3.adoc"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge3.css}"/>
<script th:src="@{/lesson_js/challenge3.js}" language="JavaScript"></script>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container-fluid">
<div class="panel post">
<div class="post-heading">
<div class="pull-left image">
<img th:src="@{/images/avatar1.png}"
class="img-circle avatar" alt="user profile image"/>
</div>
<div class="pull-left meta">
<div class="title h5">
<a href="#"><b>John Doe</b></a>
uploaded a photo.
</div>
<h6 class="text-muted time">24 days ago</h6>
</div>
</div>
<div class="post-image">
<img th:src="@{images/cat.jpg}" class="image" alt="image post"/>
</div>
<div class="post-description">
</div>
<div class="post-footer">
<div class="input-group">
<input class="form-control" id="commentInput" placeholder="Add a comment" type="text"/>
<span class="input-group-addon">
<i id="postComment" class="fa fa-edit" style="font-size: 20px"></i>
</span>
</div>
<ul class="comments-list">
<div id="list">
</div>
</ul>
</div>
</div>
</div>
<form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
<div class="form-group">
<div class="input-group">
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
style="font-size:20px"></i></div>
<input type="text" class="form-control" id="flag" name="flag"
placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/>
</div>
<div class="input-group" style="margin-top: 10px">
<button type="submit" class="btn btn-primary">Submit flag</button>
</div>
</div>
</form>
<br/>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</html>

75
webgoat-lessons/challenge/src/main/resources/html/Challenge4.html
View File

@ -1,75 +0,0 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:Challenge_4.adoc"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge4.css}"/>
<script th:src="@{/lesson_js/bootstrap.min.js}" language="JavaScript"></script>
<script th:src="@{/lesson_js/challenge4.js}" language="JavaScript"></script>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container-fluid">
<div class="row">
<div class="well">
<div class="pull-right">
<div class="dropdown">
<button type="button" data-toggle="dropdown" class="btn btn-default dropdown-toggle">
<i class="fa fa-user"></i> <span class="caret"></span>
</button>
<ul class="dropdown-menu dropdown-menu-left">
<li role="presentation"><a role="menuitem" tabindex="-1"
onclick="javascript:login('Guest')"
th:text="Guest">current</a></li>
<li role="presentation"><a role="menuitem" tabindex="-1"
onclick="javascript:login('Tom')"
th:text="Tom">current</a></li>
<li role="presentation"><a role="menuitem" tabindex="-1"
onclick="javascript:login('Jerry')"
th:text="Jerry">current</a></li>
<li role="presentation"><a role="menuitem" tabindex="-1"
onclick="javascript:login('Sylvester')"
th:text="Sylvester">current</a></li>
</ul>
</div>
<div>
<p class="text-right">Welcome back, <b><span id="name"></span></b></p>
</div>
</div>
<div>
<h3>Vote for your favorite</h3>
</div>
<div id ="votesList" class="list-group">
</div>
</div>
</div>
</div>
<br/>
<form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
<div class="form-group">
<div class="input-group">
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
style="font-size:20px"></i></div>
<input type="text" class="form-control" id="flag" name="flag"
placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/>
</div>
<div class="input-group" style="margin-top: 10px">
<button type="submit" class="btn btn-primary">Submit flag</button>
</div>
</div>
</form>
<br/>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</html>

109
webgoat-lessons/challenge/src/main/resources/html/Challenge9.html
View File

@ -1,109 +0,0 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:Challenge_9.adoc"></div>
<script th:src="@{/lesson_js/challenge9.js}" language="JavaScript"></script>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container-fluid">
<div class="row">
<div class="col-md-6">
<h4 style="border-bottom: 1px solid #c5c5c5;">
<i class="glyphicon glyphicon-user"></i>
Account Access
</h4>
<div style="padding: 20px;" id="form-login">
<form id="login-form" class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/challenge/9/login"
enctype="application/json;charset=UTF-8" role="form">
<fieldset>
<div class="form-group input-group">
<span class="input-group-addon"> @ </span>
<input class="form-control" placeholder="Email" name="email" type="email"
required="" autofocus=""/>
</div>
<div class="form-group input-group">
<span class="input-group-addon">
<i class="glyphicon glyphicon-lock">
</i>
</span>
<input class="form-control" placeholder="Password" name="password" type="password"
value="" required=""/>
</div>
<div class="form-group">
<button type="submit" class="btn btn-primary btn-block">
Access
</button>
<p class="help-block">
<a class="pull-right text-muted" href="#" id="login">
<small>Forgot your password?</small>
</a>
</p>
</div>
</fieldset>
</form>
</div>
<div style="display: none;" id="form-login">
<h4 class="">
Forgot your password?
</h4>
<form id="login-form" class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/challenge/9/create-password-reset-link"
enctype="application/json;charset=UTF-8" role="form">
<fieldset>
<span class="help-block">
Email address you use to log in to your account
<br/>
We'll send you an email with instructions to choose a new password.
</span>
<div class="form-group input-group">
<span class="input-group-addon">
@
</span>
<input class="form-control" placeholder="Email" name="email" type="email"
required=""/>
</div>
<button type="submit" class="btn btn-primary btn-block" id="btn-login">
Continue
</button>
<p class="help-block">
<a class="text-muted" href="#" id="forgot">
<small>Account Access</small>
</a>
</p>
</fieldset>
</form>
</div>
</div>
</div>
</div>
<br/>
<form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
<div class="form-group">
<div class="input-group">
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
style="font-size:20px"></i></div>
<input type="text" class="form-control" id="flag" name="flag"
placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/>
</div>
<div class="input-group" style="margin-top: 10px">
<button type="submit" class="btn btn-primary">Submit flag</button>
</div>
</div>
</form>
<br/>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</html>

4
webgoat-lessons/challenge/src/main/resources/i18n/WebGoatLabels.properties
View File

@ -2,7 +2,6 @@ challenge0.title=WebGoat Challenge
challenge1.title=Admin lost password challenge1.title=Admin lost password
challenge2.title=Get it for free challenge2.title=Get it for free
challenge3.title=Photo comments challenge3.title=Photo comments
challenge4.title=Voting
challenge5.title=Without password challenge5.title=Without password
challenge6.title=Creating a new account challenge6.title=Creating a new account
challenge7.title=Admin password reset challenge7.title=Admin password reset
@ -22,8 +21,7 @@ challenge.flag.incorrect=Sorry this is not the correct flag, please try again.
ip.address.unknown=IP address unknown, e-mail has been sent. ip.address.unknown=IP address unknown, e-mail has been sent.
login_failed=Login failed
login_failed.tom=Sorry only Tom can login at the moment
required4=Missing username or password, please specify both. required4=Missing username or password, please specify both.
user.not.larry=Please try to log in as Larry not {0}. user.not.larry=Please try to log in as Larry not {0}.

BIN
webgoat-lessons/challenge/src/main/resources/images/cat.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 8.9 KiB

45
webgoat-lessons/challenge/src/main/resources/js/challenge3.js
View File

@ -1,45 +0,0 @@
$(document).ready(function () {
$("#postComment").on("click", function () {
var commentInput = $("#commentInput").val();
$.ajax({
type: 'POST',
url: 'challenge/3',
data: JSON.stringify({text: commentInput}),
contentType: "application/json",
dataType: 'json'
}).then(
function () {
getChallenges();
$("#commentInput").val('');
}
)
})
var html = '<li class="comment">' +
'<div class="pull-left">' +
'<img class="avatar" src="images/avatar1.png" alt="avatar"/>' +
'</div>' +
'<div class="comment-body">' +
'<div class="comment-heading">' +
'<h4 class="user">USER</h4>' +
'<h5 class="time">DATETIME</h5>' +
'</div>' +
'<p>COMMENT</p>' +
'</div>' +
'</li>';
getChallenges();
function getChallenges() {
$("#list").empty();
$.get("challenge/3", function (result, status) {
for (var i = 0; i < result.length; i++) {
var comment = html.replace('USER', result[i].user);
comment = comment.replace('DATETIME', result[i].dateTime);
comment = comment.replace('COMMENT', result[i].text);
$("#list").append(comment);
}
});
}
})

10
webgoat-lessons/challenge/src/main/resources/js/challenge9.js
View File

@ -1,10 +0,0 @@
$(document).ready(function() {
$('#login').click(function(e) {
e.preventDefault();
$('div#form-login').toggle('500');
});
$('#forgot').click(function(e) {
e.preventDefault();
$('div#form-login').toggle('500');
});
});

1
webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_3.adoc
View File

@ -1 +0,0 @@
Changing language can help you find the 'secret' file

1
webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_4.adoc
View File

@ -1 +0,0 @@
Try to change to a different user, maybe you can find the flag?

3
webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_9.adoc
View File

@ -1,3 +0,0 @@
Tom always resets his password immediately after receiving the email with the link.
Try to reset the password of Tom (tom@webgoat-cloud.org) to your own choice and login as Tom with
that password.

49
webgoat-lessons/challenge/src/test/java/org/owasp/webgoat/plugin/challenge2/Assignment2Test.java
View File

@ -1,49 +0,0 @@
package org.owasp.webgoat.plugin.challenge2;
import org.hamcrest.CoreMatchers;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.runners.MockitoJUnitRunner;
import org.owasp.webgoat.assignments.AssignmentEndpointTest;
import org.owasp.webgoat.plugin.Flag;
import org.owasp.webgoat.plugin.SolutionConstants;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
/**
* @author nbaars
* @since 5/2/17.
*/
@RunWith(MockitoJUnitRunner.class)
public class Assignment2Test extends AssignmentEndpointTest {
private MockMvc mockMvc;
@Before
public void setup() {
Assignment2 assignment2 = new Assignment2();
init(assignment2);
new Flag().initFlags();
this.mockMvc = standaloneSetup(assignment2).build();
}
@Test
public void success() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/challenge/2")
.param("checkoutCode", SolutionConstants.SUPER_COUPON_CODE))
.andExpect(jsonPath("$.feedback", CoreMatchers.containsString("flag: " + Flag.FLAGS.get(2))))
.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
}
@Test
public void wrongCouponCode() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/challenge/2")
.param("checkoutCode", "test"))
.andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))))
.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
}
}

161
webgoat-lessons/challenge/src/test/java/org/owasp/webgoat/plugin/challenge4/VotesEndpointTest.java
View File

@ -1,161 +0,0 @@
package org.owasp.webgoat.plugin.challenge4;
import org.hamcrest.CoreMatchers;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.runners.MockitoJUnitRunner;
import org.owasp.webgoat.plugin.Flag;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.MvcResult;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import javax.servlet.http.Cookie;
import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.unauthenticated;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
/**
* @author nbaars
* @since 5/2/17.
*/
@RunWith(MockitoJUnitRunner.class)
public class VotesEndpointTest {
private MockMvc mockMvc;
@Before
public void setup() {
VotesEndpoint votesEndpoint = new VotesEndpoint();
votesEndpoint.initVotes();
new Flag().initFlags();
this.mockMvc = standaloneSetup(votesEndpoint).build();
}
@Test
public void loginWithUnknownUser() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
.param("user", "uknown"))
.andExpect(unauthenticated());
}
@Test
public void loginWithTomShouldGiveJwtToken() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
.param("user", "Tom"))
.andExpect(status().isOk()).andExpect(cookie().exists("access_token"));
}
@Test
public void loginWithGuestShouldNotGiveJwtToken() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
.param("user", "Guest"))
.andExpect(unauthenticated()).andExpect(cookie().value("access_token", ""));
}
@Test
public void userShouldSeeMore() throws Exception {
MvcResult mvcResult = mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
.param("user", "Tom"))
.andExpect(status().isOk()).andExpect(cookie().exists("access_token")).andReturn();
mockMvc.perform(MockMvcRequestBuilders.get("/votings")
.cookie(mvcResult.getResponse().getCookie("access_token")))
.andExpect(jsonPath("$.[*].numberOfVotes").exists());
}
@Test
public void guestShouldNotSeeNumberOfVotes() throws Exception {
MvcResult mvcResult = mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
.param("user", "Guest"))
.andExpect(unauthenticated()).andExpect(cookie().exists("access_token")).andReturn();
mockMvc.perform(MockMvcRequestBuilders.get("/votings")
.cookie(mvcResult.getResponse().getCookie("access_token")))
.andExpect(jsonPath("$.[*].numberOfVotes").doesNotExist());
}
@Test
public void adminShouldSeeFlags() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.get("/votings")
.cookie(new Cookie("access_token", "eyJhbGciOiJub25lIn0.eyJhZG1pbiI6InRydWUiLCJ1c2VyIjoiSmVycnkifQ.")))
.andExpect(jsonPath("$.[*].flag").isNotEmpty());
}
@Test
public void votingIsNotAllowedAsGuest() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/votings/Get it for free"))
.andExpect(unauthenticated());
}
@Test
public void normalUserShouldBeAbleToVote() throws Exception {
MvcResult mvcResult = mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
.param("user", "Tom"))
.andExpect(status().isOk()).andExpect(cookie().exists("access_token")).andReturn();
mockMvc.perform(MockMvcRequestBuilders.post("/votings/Get it for free")
.cookie(mvcResult.getResponse().getCookie("access_token")));
mockMvc.perform(MockMvcRequestBuilders.get("/votings/")
.cookie(mvcResult.getResponse().getCookie("access_token")))
.andExpect(jsonPath("$..[?(@.title == 'Get it for free')].numberOfVotes", CoreMatchers.hasItem(20001)));
}
@Test
public void votingForUnknownLessonShouldNotCrash() throws Exception {
MvcResult mvcResult = mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
.param("user", "Tom"))
.andExpect(status().isOk()).andExpect(cookie().exists("access_token")).andReturn();
mockMvc.perform(MockMvcRequestBuilders.post("/votings/UKNOWN_VOTE")
.cookie(mvcResult.getResponse().getCookie("access_token"))).andExpect(status().isAccepted());
}
@Test
public void votingWithInvalidToken() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/votings/UKNOWN_VOTE")
.cookie(new Cookie("access_token", "abc"))).andExpect(unauthenticated());
}
@Test
public void gettingVotesWithInvalidToken() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.get("/votings/")
.cookie(new Cookie("access_token", "abc"))).andExpect(unauthenticated());
}
@Test
public void gettingVotesWithUnknownUserInToken() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.get("/votings/")
.cookie(new Cookie("access_token", "eyJhbGciOiJub25lIn0.eyJhZG1pbiI6InRydWUiLCJ1c2VyIjoiVW5rbm93biJ9.")))
.andExpect(unauthenticated())
.andExpect(jsonPath("$.[*].numberOfVotes").doesNotExist());
}
@Test
public void gettingVotesForUnknownShouldWork() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.get("/votings/")
.cookie(new Cookie("access_token", "eyJhbGciOiJub25lIn0.eyJ1c2VyIjoiVW5rbm93biJ9.")))
.andExpect(unauthenticated())
.andExpect(jsonPath("$.[*].numberOfVotes").doesNotExist());
}
@Test
public void gettingVotesForKnownWithoutAdminFieldShouldWork() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.get("/votings/")
.cookie(new Cookie("access_token", "eyJhbGciOiJub25lIn0.eyJ1c2VyIjoiVG9tIn0.")))
.andExpect(status().isOk())
.andExpect(jsonPath("$.[*].numberOfVotes").exists());
}
@Test
public void gettingVotesWithEmptyToken() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.get("/votings/")
.cookie(new Cookie("access_token", "")))
.andExpect(status().isOk())
.andExpect(jsonPath("$.[*].numberOfVotes").doesNotExist());
}
@Test
public void votingAsUnknownUserShouldNotBeAllowed() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/votings/Get it for free")
.cookie(new Cookie("access_token", "eyJhbGciOiJub25lIn0.eyJ1c2VyIjoiVW5rbm93biJ9.")))
.andExpect(unauthenticated());
}
}

2
webgoat-lessons/client-side-filtering/pom.xml
View File

@ -6,7 +6,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version> <version>v8.0.0.M17</version>
</parent> </parent>
</project> </project>

2
webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFiltering.java
View File

@ -56,7 +56,7 @@ public class ClientSideFiltering extends NewLesson {
@Override @Override
public String getTitle() { public String getTitle() {
return "Client side filtering"; return "client.side.filtering.title";
} }
@Override @Override

19
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge2/Assignment2.java → webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFilteringFreeAssignment.java
View File

@ -1,9 +1,9 @@
package org.owasp.webgoat.plugin.challenge2; package org.owasp.webgoat.plugin;
import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult; import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.plugin.Flag;
import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.RequestParam;
@ -11,22 +11,23 @@ import org.springframework.web.bind.annotation.ResponseBody;
import java.io.IOException; import java.io.IOException;
import static org.owasp.webgoat.plugin.SolutionConstants.SUPER_COUPON_CODE;
/** /**
* @author nbaars * @author nbaars
* @since 4/6/17. * @since 4/6/17.
*/ */
@AssignmentPath("/challenge/2") @AssignmentPath("/clientSideFiltering/getItForFree")
public class Assignment2 extends AssignmentEndpoint { @AssignmentHints({"client.side.filtering.free.hint1", "client.side.filtering.free.hint2", "client.side.filtering.free.hint3"})
public class ClientSideFilteringFreeAssignment extends AssignmentEndpoint {
public static final String SUPER_COUPON_CODE = "get_it_for_free";
@RequestMapping(method = RequestMethod.POST) @RequestMapping(method = RequestMethod.POST)
public public
@ResponseBody @ResponseBody
AttackResult completed(@RequestParam String checkoutCode) throws IOException { AttackResult completed(@RequestParam String checkoutCode) {
if (SUPER_COUPON_CODE.equals(checkoutCode)) { if (SUPER_COUPON_CODE.equals(checkoutCode)) {
return success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(2)).build(); return trackProgress(success().build());
} }
return failed().build(); return trackProgress(failed().build());
} }
} }

8
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge2/ShopEndpoint.java → webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ShopEndpoint.java
View File

@ -1,4 +1,4 @@
package org.owasp.webgoat.plugin.challenge2; package org.owasp.webgoat.plugin;
import com.beust.jcommander.internal.Lists; import com.beust.jcommander.internal.Lists;
import lombok.AllArgsConstructor; import lombok.AllArgsConstructor;
@ -12,21 +12,21 @@ import org.springframework.web.bind.annotation.RestController;
import java.util.List; import java.util.List;
import java.util.Optional; import java.util.Optional;
import static org.owasp.webgoat.plugin.SolutionConstants.SUPER_COUPON_CODE; import static org.owasp.webgoat.plugin.ClientSideFilteringFreeAssignment.SUPER_COUPON_CODE;
/** /**
* @author nbaars * @author nbaars
* @since 4/6/17. * @since 4/6/17.
*/ */
@RestController @RestController
@RequestMapping("challenge-store") @RequestMapping("/clientSideFiltering/challenge-store")
public class ShopEndpoint { public class ShopEndpoint {
@AllArgsConstructor @AllArgsConstructor
private class CheckoutCodes { private class CheckoutCodes {
@Getter @Getter
private List<CheckoutCode> codes = Lists.newArrayList(); private List<CheckoutCode> codes;
public Optional<CheckoutCode> get(String code) { public Optional<CheckoutCode> get(String code) {
return codes.stream().filter(c -> c.getCode().equals(code)).findFirst(); return codes.stream().filter(c -> c.getCode().equals(code)).findFirst();

0
webgoat-lessons/challenge/src/main/resources/css/challenge2.css → webgoat-lessons/client-side-filtering/src/main/resources/css/clientSideFilteringFree.css
View File

89
webgoat-lessons/client-side-filtering/src/main/resources/html/ClientSideFiltering.html
View File

@ -73,7 +73,96 @@
<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons --> <!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
</div> </div>
</div> </div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:ClientSideFiltering_final.adoc"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/clientSideFilteringFree.css}"/>
<script th:src="@{/lesson_js/clientSideFilteringFree.js}" language="JavaScript"></script>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container-fluid">
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/clientSideFiltering/getItForFree"
enctype="application/json;charset=UTF-8">
<input id="discount" type="hidden" value="0"/>
<div class="row">
<div class="col-xs-3 item-photo">
<img style="max-width:100%;" th:src="@{/images/samsung-black.jpg}"/>
</div>
<div class="col-xs-5" style="border:0px solid gray">
<h3>Samsung Galaxy S8</h3>
<h5 style="color:#337ab7"><a href="http://www.samsung.com">Samsung</a> ·
<small style="color:#337ab7">(124421 reviews)</small>
</h5>
<h6 class="title-price">
<small>PRICE</small>
</h6>
<h3 style="margin-top:0px;"><span>US $</span><span id="price">899</span></h3>
<div class="section">
<h6 class="title-attr" style="margin-top:15px;">
<small>COLOR</small>
</h6>
<div>
<div class="attr" style="width:25px;background:lightgrey;"></div>
<div class="attr" style="width:25px;background:black;"></div>
</div>
</div>
<div class="section" style="padding-bottom:5px;">
<h6 class="title-attr">
<small>CAPACITY</small>
</h6>
<div>
<div class="attr2">64 GB</div>
<div class="attr2">128 GB</div>
</div>
</div>
<div class="section" style="padding-bottom:5px;">
<h6 class="title-attr">
<small>QUANTITY</small>
</h6>
<div>
<div class="btn-minus"><span class="glyphicon glyphicon-minus"></span></div>
<input class="quantity" value="1"/>
<div class="btn-plus"><span class="glyphicon glyphicon-plus"></span></div>
</div>
</div>
<div class="section" style="padding-bottom:5px;">
<h6 class="title-attr">
<small>CHECKOUT CODE</small>
</h6>
<!--
Checkout code: webgoat, owasp, owasp-webgoat
-->
<input name="checkoutCode" class="checkoutCode" value=""/>
</div>
<div class="section" style="padding-bottom:20px;">
<button type="submit" class="btn btn-success"><span style="margin-right:20px"
class="glyphicon glyphicon-shopping-cart"
aria-hidden="true"></span>Buy
</button>
<h6><a href="#"><span class="glyphicon glyphicon-heart-empty"
style="cursor:pointer;"></span>
Like</a></h6>
</div>
</div>
</div>
</form>
</div>
<br/>
<br/>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</html> </html>

5
webgoat-lessons/client-side-filtering/src/main/resources/i18n/WebGoatLabels.properties
View File

@ -1,3 +1,4 @@
client.side.filtering.title=Client side filtering
ClientSideFilteringSelectUser=Select user: ClientSideFilteringSelectUser=Select user:
ClientSideFilteringUserID=User ID ClientSideFilteringUserID=User ID
ClientSideFilteringFirstName=First Name ClientSideFilteringFirstName=First Name
@ -25,3 +26,7 @@ ClientSideFilteringHint10=Stage 2: Your filter operator should look something li
ClientSideFilteringInstructions1=STAGE 1: You are logged in as Moe Stooge, CSO of Goat Hills Financial. You have access to everyone in the company's information, except the CEO, . Or at least you shouldn't have access to the CEO's information. For this exercise, examine the contents of the page to see what extra information you can find. ClientSideFilteringInstructions1=STAGE 1: You are logged in as Moe Stooge, CSO of Goat Hills Financial. You have access to everyone in the company's information, except the CEO, . Or at least you shouldn't have access to the CEO's information. For this exercise, examine the contents of the page to see what extra information you can find.
ClientSideFilteringInstructions2=STAGE 2: Now, fix the problem. Modify the server to only return results that Moe Stooge is allowed to see. ClientSideFilteringInstructions2=STAGE 2: Now, fix the problem. Modify the server to only return results that Moe Stooge is allowed to see.
ClientSideFiltering.incorrect=This is not the salary from Neville Bartholomew... ClientSideFiltering.incorrect=This is not the salary from Neville Bartholomew...
client.side.filtering.free.hint1=Look through the webpage inspect the sources etc
client.side.filtering.free.hint2=Try to see the flow of request from the page to the backend
client.side.fiterling.free.hint3=One of the responses contains the answer

0
webgoat-lessons/challenge/src/main/resources/images/samsung-black.jpg → webgoat-lessons/client-side-filtering/src/main/resources/images/samsung-black.jpg
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 12 KiB

After

Width:  |  Height:  |  Size: 12 KiB

0
webgoat-lessons/challenge/src/main/resources/images/samsung-grey.jpg → webgoat-lessons/client-side-filtering/src/main/resources/images/samsung-grey.jpg
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 11 KiB

After

Width:  |  Height:  |  Size: 11 KiB

2
webgoat-lessons/challenge/src/main/resources/js/challenge2.js → webgoat-lessons/client-side-filtering/src/main/resources/js/clientSideFilteringFree.js
View File

@ -38,7 +38,7 @@ $(document).ready(function () {
}) })
$(".checkoutCode").on("blur", function () { $(".checkoutCode").on("blur", function () {
var checkoutCode = $(".checkoutCode").val(); var checkoutCode = $(".checkoutCode").val();
$.get("challenge-store/coupons/" + checkoutCode, function (result, status) { $.get("clientSideFiltering/challenge-store/coupons/" + checkoutCode, function (result, status) {
var discount = result.discount; var discount = result.discount;
if (discount > 0) { if (discount > 0) {
$('#discount').text(discount); $('#discount').text(discount);

0
webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_2.adoc → webgoat-lessons/client-side-filtering/src/main/resources/lessonPlans/en/ClientSideFiltering_final.adoc
View File

49
webgoat-lessons/client-side-filtering/src/test/java/org/owasp/webgoat/plugin/ClientSideFilteringFreeAssignmentTest.java Normal file
View File

@ -0,0 +1,49 @@
package org.owasp.webgoat.plugin;
import org.hamcrest.CoreMatchers;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.runners.MockitoJUnitRunner;
import org.owasp.webgoat.plugins.LessonTest;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import static org.mockito.Mockito.when;
import static org.owasp.webgoat.plugin.ClientSideFilteringFreeAssignment.SUPER_COUPON_CODE;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
/**
* @author nbaars
* @since 5/2/17.
*/
@RunWith(SpringJUnit4ClassRunner.class)
public class ClientSideFilteringFreeAssignmentTest extends LessonTest {
private MockMvc mockMvc;
@Before
public void setup() {
ClientSideFiltering clientSideFiltering = new ClientSideFiltering();
when(webSession.getCurrentLesson()).thenReturn(clientSideFiltering);
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
when(webSession.getUserName()).thenReturn("unit-test");
}
@Test
public void success() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/clientSideFiltering/getItForFree")
.param("checkoutCode", SUPER_COUPON_CODE))
.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
}
@Test
public void wrongCouponCode() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/clientSideFiltering/getItForFree")
.param("checkoutCode", "test"))
.andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))))
.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
}
}

12
webgoat-lessons/challenge/src/test/java/org/owasp/webgoat/plugin/challenge2/ShopEndpointTest.java → webgoat-lessons/client-side-filtering/src/test/java/org/owasp/webgoat/plugin/ShopEndpointTest.java
View File

@ -1,4 +1,4 @@
package org.owasp.webgoat.plugin.challenge2; package org.owasp.webgoat.plugin;
import org.hamcrest.CoreMatchers; import org.hamcrest.CoreMatchers;
import org.junit.Before; import org.junit.Before;
@ -9,7 +9,7 @@ import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import static org.hamcrest.Matchers.is; import static org.hamcrest.Matchers.is;
import static org.owasp.webgoat.plugin.SolutionConstants.SUPER_COUPON_CODE; import static org.owasp.webgoat.plugin.ClientSideFilteringFreeAssignment.SUPER_COUPON_CODE;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup; import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
@ -30,28 +30,28 @@ public class ShopEndpointTest {
@Test @Test
public void getSuperCoupon() throws Exception { public void getSuperCoupon() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.get("/challenge-store/coupons/" + SUPER_COUPON_CODE)) mockMvc.perform(MockMvcRequestBuilders.get("/clientSideFiltering/challenge-store/coupons/" + SUPER_COUPON_CODE))
.andExpect(jsonPath("$.code", CoreMatchers.is(SUPER_COUPON_CODE))) .andExpect(jsonPath("$.code", CoreMatchers.is(SUPER_COUPON_CODE)))
.andExpect(jsonPath("$.discount", CoreMatchers.is(100))); .andExpect(jsonPath("$.discount", CoreMatchers.is(100)));
} }
@Test @Test
public void getCoupon() throws Exception { public void getCoupon() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.get("/challenge-store/coupons/webgoat")) mockMvc.perform(MockMvcRequestBuilders.get("/clientSideFiltering/challenge-store/coupons/webgoat"))
.andExpect(jsonPath("$.code", CoreMatchers.is("webgoat"))) .andExpect(jsonPath("$.code", CoreMatchers.is("webgoat")))
.andExpect(jsonPath("$.discount", CoreMatchers.is(25))); .andExpect(jsonPath("$.discount", CoreMatchers.is(25)));
} }
@Test @Test
public void askForUnknownCouponCode() throws Exception { public void askForUnknownCouponCode() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.get("/challenge-store/coupons/does-not-exists")) mockMvc.perform(MockMvcRequestBuilders.get("/clientSideFiltering/challenge-store/coupons/does-not-exists"))
.andExpect(jsonPath("$.code", CoreMatchers.is("no"))) .andExpect(jsonPath("$.code", CoreMatchers.is("no")))
.andExpect(jsonPath("$.discount", CoreMatchers.is(0))); .andExpect(jsonPath("$.discount", CoreMatchers.is(0)));
} }
@Test @Test
public void fetchAllTheCouponsShouldContainGetItForFree() throws Exception { public void fetchAllTheCouponsShouldContainGetItForFree() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.get("/challenge-store/coupons/")) mockMvc.perform(MockMvcRequestBuilders.get("/clientSideFiltering/challenge-store/coupons/"))
.andExpect(jsonPath("$.codes[3].code", is("get_it_for_free"))); .andExpect(jsonPath("$.codes[3].code", is("get_it_for_free")));
} }

2
webgoat-lessons/cross-site-scripting/pom.xml
View File

@ -6,7 +6,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version> <version>v8.0.0.M17</version>
</parent> </parent>
<build> <build>
<plugins> <plugins>

2
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScripting.java
View File

@ -60,7 +60,7 @@ public class CrossSiteScripting extends NewLesson {
@Override @Override
public String getTitle() { public String getTitle() {
return "Cross Site Scripting"; return "xss.title";
} }
@Override @Override

1
webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
View File

@ -1,4 +1,5 @@
# XSS success, failure messages and hints # XSS success, failure messages and hints
xss.title=Cross Site Scripting
xss-reflected-5a-success=well done, but alerts aren't very impressive are they? Please continue. xss-reflected-5a-success=well done, but alerts aren't very impressive are they? Please continue.
xss-reflected-5a-failure=Try again. We do want to see this specific javascript (in case you are trying to do something more fancy) xss-reflected-5a-failure=Try again. We do want to see this specific javascript (in case you are trying to do something more fancy)
xss-reflected-5b-success=Correct ... because <ul><li>The script was not triggered by the URL/QueryString</li><li>Even if you use the attack URL in a new tab, it won't execute (becuase of response type). Try it if you like.</li></ul> xss-reflected-5b-success=Correct ... because <ul><li>The script was not triggered by the URL/QueryString</li><li>Even if you use the attack URL in a new tab, it won't execute (becuase of response type). Try it if you like.</li></ul>

4
webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8.adoc
View File

@ -2,10 +2,10 @@
=== Why? === Why?
Hopefully we've covered that by now. Bottom line, you don't want someone else's code running in the context of your users and their logged-in seession Hopefully we've covered that by now. Bottom line, you don't want someone else's code running in the context of your users and their logged-in session
=== What to encode? === What to encode?
The basic premise of defending against XSS is *output endoding* any untrusted input that goes to the screen. The basic premise of defending against XSS is *output encoding* any untrusted input that goes to the screen.
That may be changing with more sophisticated attacks, but is still the best defense we currently have. *AND* ... *context matters* That may be changing with more sophisticated attacks, but is still the best defense we currently have. *AND* ... *context matters*
Another word on 'untrusted input'. If in doubt, treat everything (even data you populated in your DB as untrusted). Another word on 'untrusted input'. If in doubt, treat everything (even data you populated in your DB as untrusted).

16
webgoat-lessons/cross-site-scripting/src/test/java/org/owasp/webgoat/plugin/StoredXssCommentsTest.java
View File

@ -33,8 +33,10 @@ import org.mockito.runners.MockitoJUnitRunner;
import org.owasp.webgoat.assignments.AssignmentEndpointTest; import org.owasp.webgoat.assignments.AssignmentEndpointTest;
import org.springframework.http.MediaType; import org.springframework.http.MediaType;
import org.springframework.test.web.servlet.MockMvc; import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.MvcResult;
import org.springframework.test.web.servlet.ResultActions; import org.springframework.test.web.servlet.ResultActions;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.util.Assert;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
@ -80,13 +82,13 @@ public class StoredXssCommentsTest extends AssignmentEndpointTest {
*/ */
//Ensures it is vulnerable //Ensures it is vulnerable
// @Test @Test
// public void isNotEncoded() throws Exception { public void isNotEncoded() throws Exception {
// //do get to get comments after posting xss payload //do get to get comments after posting xss payload
// ResultActions taintedResults = mockMvc.perform(MockMvcRequestBuilders.get("/CrossSiteScripting/stored-xss")); ResultActions taintedResults = mockMvc.perform(MockMvcRequestBuilders.get("/CrossSiteScripting/stored-xss"));
// taintedResults.andExpect(jsonPath("$[0].text",CoreMatchers.is(CoreMatchers.containsString("<script>console.warn('unit test me')</script>")))); MvcResult mvcResult = taintedResults.andReturn();
// } assert(mvcResult.getResponse().getContentAsString().contains("<script>console.warn"));
}
//Could be used to test an encoding solution ... commented out so build will pass. Uncommenting will fail build, but leaving in as positive Security Unit Test //Could be used to test an encoding solution ... commented out so build will pass. Uncommenting will fail build, but leaving in as positive Security Unit Test
// @Test // @Test

2
webgoat-lessons/csrf/pom.xml
View File

@ -6,6 +6,6 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version> <version>v8.0.0.M17</version>
</parent> </parent>
</project> </project>

17
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFConfirmFlag1.java
View File

@ -6,30 +6,31 @@ import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult; import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.UserSessionData; import org.owasp.webgoat.session.UserSessionData;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpServletRequest;
/** /**
* Created by jason on 9/29/17. * Created by jason on 9/29/17.
*/ */
@AssignmentPath("/csrf/confirm-flag-1") @AssignmentPath("/csrf/confirm-flag-1")
@AssignmentHints({"csrf-get.hint1","csrf-get.hint2","csrf-get.hint3","csrf-get.hint4"}) @AssignmentHints({"csrf-get.hint1", "csrf-get.hint2", "csrf-get.hint3", "csrf-get.hint4"})
public class CSRFConfirmFlag1 extends AssignmentEndpoint { public class CSRFConfirmFlag1 extends AssignmentEndpoint {
@Autowired @Autowired
UserSessionData userSessionData; UserSessionData userSessionData;
@PostMapping(produces = {"application/json"}) @PostMapping(produces = {"application/json"})
public @ResponseBody AttackResult completed(String confirmFlagVal) { public @ResponseBody
AttackResult completed(String confirmFlagVal) {
if (confirmFlagVal.equals(userSessionData.getValue("csrf-get-success").toString())) { Object userSessionDataStr = userSessionData.getValue("csrf-get-success");
return success().feedback("csrf-get-null-referer.success").output("Correct, the flag was " + userSessionData.getValue("csrf-get-success")).build(); if (userSessionDataStr != null && confirmFlagVal.equals(userSessionDataStr.toString())) {
return trackProgress(
success().feedback("csrf-get-null-referer.success").output("Correct, the flag was " + userSessionData.getValue("csrf-get-success")).build()
);
} }
return failed().feedback("").build(); return trackProgress(failed().build());
} }
} }

10
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFFeedback.java
View File

@ -40,7 +40,7 @@ public class CSRFFeedback extends AssignmentEndpoint {
try { try {
objectMapper.readValue(feedback.getBytes(), Map.class); objectMapper.readValue(feedback.getBytes(), Map.class);
} catch (IOException e) { } catch (IOException e) {
return failed().feedback(ExceptionUtils.getStackTrace(e)).build(); return failed().feedback(ExceptionUtils.getStackTrace(e)).build();
} }
boolean correctCSRF = requestContainsWebGoatCookie(request.getCookies()) && request.getContentType().equals(MediaType.TEXT_PLAIN_VALUE); boolean correctCSRF = requestContainsWebGoatCookie(request.getCookies()) && request.getContentType().equals(MediaType.TEXT_PLAIN_VALUE);
correctCSRF &= hostOrRefererDifferentHost(request); correctCSRF &= hostOrRefererDifferentHost(request);
@ -64,8 +64,12 @@ public class CSRFFeedback extends AssignmentEndpoint {
private boolean hostOrRefererDifferentHost(HttpServletRequest request) { private boolean hostOrRefererDifferentHost(HttpServletRequest request) {
String referer = request.getHeader("referer"); String referer = request.getHeader("referer");
String host = request.getHeader("host"); String origin = request.getHeader("origin");
return !StringUtils.contains(referer, host); if (referer != null) {
return !referer.contains(origin);
} else {
return true; //this case referer is null or origin does not matter we cannot compare so we return true which should of course be false
}
} }
private boolean requestContainsWebGoatCookie(Cookie[] cookies) { private boolean requestContainsWebGoatCookie(Cookie[] cookies) {

32
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFGetFlag.java
View File

@ -31,7 +31,7 @@ public class CSRFGetFlag extends Endpoint {
@ResponseBody @ResponseBody
public Map<String, Object> invoke(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { public Map<String, Object> invoke(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
Map<String,Object> response = new HashMap<>(); Map<String, Object> response = new HashMap<>();
String host = (req.getHeader("host") == null) ? "NULL" : req.getHeader("host"); String host = (req.getHeader("host") == null) ? "NULL" : req.getHeader("host");
// String origin = (req.getHeader("origin") == null) ? "NULL" : req.getHeader("origin"); // String origin = (req.getHeader("origin") == null) ? "NULL" : req.getHeader("origin");
@ -40,22 +40,32 @@ public class CSRFGetFlag extends Endpoint {
String referer = (req.getHeader("referer") == null) ? "NULL" : req.getHeader("referer"); String referer = (req.getHeader("referer") == null) ? "NULL" : req.getHeader("referer");
String[] refererArr = referer.split("/"); String[] refererArr = referer.split("/");
if (referer.equals("NULL") && req.getParameter("csrf").equals("true")) {
Random random = new Random();
userSessionData.setValue("csrf-get-success", random.nextInt(65536)); if (referer.equals("NULL")) {
response.put("success",true); if (req.getParameter("csrf").equals("true")) {
response.put("message",pluginMessages.getMessage("csrf-get-null-referer.success")); Random random = new Random();
response.put("flag",userSessionData.getValue("csrf-get-success")); userSessionData.setValue("csrf-get-success", random.nextInt(65536));
} else if (refererArr[2].equals(host)) { response.put("success", true);
response.put("message", pluginMessages.getMessage("csrf-get-null-referer.success"));
response.put("flag", userSessionData.getValue("csrf-get-success"));
} else {
Random random = new Random();
userSessionData.setValue("csrf-get-success", random.nextInt(65536));
response.put("success", true);
response.put("message", pluginMessages.getMessage("csrf-get-other-referer.success"));
response.put("flag", userSessionData.getValue("csrf-get-success"));
}
} else if (refererArr[2].equals(host)) {
response.put("success", false); response.put("success", false);
response.put("message", "Appears the request came from the original host"); response.put("message", "Appears the request came from the original host");
response.put("flag", null); response.put("flag", null);
} else { } else {
Random random = new Random(); Random random = new Random();
userSessionData.setValue("csrf-get-success", random.nextInt(65536)); userSessionData.setValue("csrf-get-success", random.nextInt(65536));
response.put("success",true); response.put("success", true);
response.put("message",pluginMessages.getMessage("csrf-get-other-referer.success")); response.put("message", pluginMessages.getMessage("csrf-get-other-referer.success"));
response.put("flag",userSessionData.getValue("csrf-get-success")); response.put("flag", userSessionData.getValue("csrf-get-success"));
} }
return response; return response;

69
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFGetXhrFlag.java
View File

@ -1,69 +0,0 @@
package org.owasp.webgoat.plugin;
import org.owasp.webgoat.assignments.Endpoint;
import org.owasp.webgoat.i18n.PluginMessages;
import org.owasp.webgoat.session.UserSessionData;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.Random;
/**
* Created by jason on 9/30/17.
*/
public class CSRFGetXhrFlag extends Endpoint {
@Autowired
UserSessionData userSessionData;
@Autowired
private PluginMessages pluginMessages;
@RequestMapping(produces = {"application/json"}, method = RequestMethod.GET)
@ResponseBody
public Map<String, Object> invoke(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
Map<String,Object> response = new HashMap<>();
String host = (req.getHeader("host") == null) ? "NULL" : req.getHeader("host");
// String origin = (req.getHeader("origin") == null) ? "NULL" : req.getHeader("origin");
// Integer serverPort = (req.getServerPort() < 1) ? 0 : req.getServerPort();
// String serverName = (req.getServerName() == null) ? "NULL" : req.getServerName();
String referer = (req.getHeader("referer") == null) ? "NULL" : req.getHeader("referer");
String[] refererArr = referer.split("/");
if (referer.equals("NULL") && req.getParameter("csrf").equals("true")) {
Random random = new Random();
userSessionData.setValue("csrf-get-success", random.nextInt(65536));
response.put("success",true);
response.put("message",pluginMessages.getMessage("csrf-get-null-referer.success"));
response.put("flag",userSessionData.getValue("csrf-get-success"));
} else if (refererArr[2].equals(host)) {
response.put("success", false);
response.put("message", "Appears the request came from the original host");
response.put("flag", null);
} else {
Random random = new Random();
userSessionData.setValue("csrf-get-success", random.nextInt(65536));
response.put("success",true);
response.put("message",pluginMessages.getMessage("csrf-get-other-referer.success"));
response.put("flag",userSessionData.getValue("csrf-get-success"));
}
return response;
}
@Override
public String getPath() {
return "/csrf/get-xhr-flag";
}
}

15
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/ForgedReviews.java
View File

@ -115,22 +115,13 @@ public class ForgedReviews extends AssignmentEndpoint {
userReviews.put(webSession.getUserName(), reviews); userReviews.put(webSession.getUserName(), reviews);
//short-circuit //short-circuit
if (validateReq == null || !validateReq.equals(weakAntiCSRF)) { if (validateReq == null || !validateReq.equals(weakAntiCSRF)) {
return failed().feedback("csrf-you-forgot-something").build(); return trackProgress(failed().feedback("csrf-you-forgot-something").build());
} }
//we have the spoofed files //we have the spoofed files
if (referer != "NULL" && refererArr[2].equals(host) ) { if (referer != "NULL" && refererArr[2].equals(host) ) {
return (failed().feedback("csrf-same-host").build()); return trackProgress(failed().feedback("csrf-same-host").build());
} else { } else {
return (success().feedback("csrf-review.success").build()); //feedback("xss-stored-comment-failure") return trackProgress(success().feedback("csrf-review.success").build()); //feedback("xss-stored-comment-failure")
}
}
private Review parseJson(String comment) {
ObjectMapper mapper = new ObjectMapper();
try {
return mapper.readValue(comment, Review.class);
} catch (IOException e) {
return new Review();
} }
} }
} }

121
webgoat-lessons/csrf/src/main/resources/html/CSRF.html
View File

@ -15,6 +15,7 @@
<form accept-charset="UNKNOWN" id="basic-csrf-get" <form accept-charset="UNKNOWN" id="basic-csrf-get"
method="GET" name="form1" method="GET" name="form1"
target="_blank"
successCallback="" successCallback=""
action="/WebGoat/csrf/basic-get-flag" action="/WebGoat/csrf/basic-get-flag"
enctype="application/json;charset=UTF-8"> enctype="application/json;charset=UTF-8">
@ -26,10 +27,12 @@
<div class="adoc-content" th:replace="doc:CSRF_Basic_Get-1.adoc"></div> <div class="adoc-content" th:replace="doc:CSRF_Basic_Get-1.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
<div class="assignment-success"> <div class="assignment-success">
<i class="fa fa-2 fa-check hidden" aria-hidden="true"> <i class="fa fa-2 fa-check hidden" aria-hidden="true">
</i> </i>
</div> </div>
<br/>
<form class="attack-form" accept-charset="UNKNOWN" id="confirm-flag-1" <form class="attack-form" accept-charset="UNKNOWN" id="confirm-flag-1"
method="POST" name="form2" method="POST" name="form2"
successCallback="" successCallback=""
@ -40,7 +43,10 @@
<input type="text" length="6" name="confirmFlagVal" value=""/> <input type="text" length="6" name="confirmFlagVal" value=""/>
<input name="submit" value="Submit" type="submit"/> <input name="submit" value="Submit" type="submit"/>
<br/>
<br/>
<br/>
<br/>
</form> </form>
<div class="attack-feedback"></div> <div class="attack-feedback"></div>
@ -56,9 +62,9 @@
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/reviews.css}"/> <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/reviews.css}"/>
<script th:src="@{/lesson_js/csrf-review.js}" language="JavaScript"></script> <script th:src="@{/lesson_js/csrf-review.js}" language="JavaScript"></script>
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="attack-container"> <div class="attack-container">
<img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container-fluid"> <div class="container-fluid">
<div class="panel post"> <div class="panel post">
<div class="post-heading"> <div class="post-heading">
@ -133,65 +139,71 @@
padding: 7px; padding: 7px;
margin-top:7px; margin-top:7px;
padding:5px;"> padding:5px;">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="attack-container">
<div class="container-fluid"> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="row"> <div class="container-fluid">
<div class="col-md-8"> <div class="row">
<div class="well well-sm"> <div class="col-md-8">
<form class="attack-form" accept-charset="UNKNOWN" id="csrf-feedback" <div class="well well-sm">
method="POST" <form class="attack-form" accept-charset="UNKNOWN" id="csrf-feedback"
prepareData="feedback" method="POST"
action="/WebGoat/csrf/feedback/message" prepareData="feedback"
contentType="application/json"> action="/WebGoat/csrf/feedback/message"
<div class="row"> contentType="application/json">
<div class="col-md-6"> <div class="row">
<div class="form-group"> <div class="col-md-6">
<label for="name"> <div class="form-group">
Name</label> <label for="name">
<input type="text" class="form-control" name="name" id="name" Name</label>
placeholder="Enter name" <input type="text" class="form-control" name="name" id="name"
required="required"/> placeholder="Enter name"
</div> required="required"/>
<div class="form-group"> </div>
<label for="email"> <div class="form-group">
Email Address</label> <label for="email">
<div class="input-group"> Email Address</label>
<div class="input-group">
<span class="input-group-addon"><span class="glyphicon glyphicon-envelope"></span> <span class="input-group-addon"><span class="glyphicon glyphicon-envelope"></span>
</span> </span>
<input type="email" name="email" class="form-control" id="email" <input type="email" name="email" class="form-control" id="email"
placeholder="Enter email" placeholder="Enter email"
required="required"/></div> required="required"/></div>
</div>
<div class="form-group">
<label for="subject">
Subject</label>
<select id="subject" name="subject" class="form-control"
required="required">
<option value="na" selected="">Choose One:</option>
<option value="service">General Customer Service</option>
<option value="suggestions">Suggestions</option>
<option value="product">Product Support</option>
</select>
</div>
</div> </div>
<div class="form-group"> <div class="col-md-6">
<label for="subject"> <div class="form-group">
Subject</label> <label for="name">
<select id="subject" name="subject" class="form-control" required="required"> Message</label>
<option value="na" selected="">Choose One:</option> <textarea name="message" id="message" class="form-control" rows="9"
<option value="service">General Customer Service</option> cols="25"
<option value="suggestions">Suggestions</option> required="required"
<option value="product">Product Support</option> placeholder="Message"></textarea>
</select> </div>
</div>
<div class="col-md-12">
<button class="btn btn-primary pull-right" id="btnContactUs">
Send Message
</button>
</div> </div>
</div> </div>
<div class="col-md-6"> </form>
<div class="form-group"> </div>
<label for="name">
Message</label>
<textarea name="message" id="message" class="form-control" rows="9" cols="25"
required="required"
placeholder="Message"></textarea>
</div>
</div>
<div class="col-md-12">
<button class="btn btn-primary pull-right" id="btnContactUs">
Send Message
</button>
</div>
</div>
</form>
</div> </div>
</div> </div>
</div> </div>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div> </div>
</div> </div>
@ -211,7 +223,6 @@
<input name="submit" value="Submit" type="submit"/> <input name="submit" value="Submit" type="submit"/>
</form> </form>
<div class="attack-feedback"></div> <div class="attack-feedback"></div>
<div class="attack-output"></div> <div class="attack-output"></div>
</div> </div>

4
webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_ContentType.adoc
View File

@ -8,11 +8,11 @@ In this assignment you need to achieve to POST the following JSON message to our
[source] [source]
---- ----
POST /csrf/feedback HTTP/1.1 POST /csrf/feedback/message HTTP/1.1
{ {
"name" : "WebGoat", "name" : "WebGoat",
"email" : "webgoat@webgoat.org" "email" : "webgoat@webgoat.org",
"content" : "WebGoat is the best!!" "content" : "WebGoat is the best!!"
} }
---- ----

7
webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Frameworks.adoc
View File

@ -13,9 +13,14 @@ match and this will ensure the server the request is running on the same domain.
Remember the session cookie should always be defined with http-only flag. Remember the session cookie should always be defined with http-only flag.
Another effective defense can be to add a custom request header to each call. This will work if all the interactions == Custom headers not safe
Another defense can be to add a custom request header to each call. This will work if all the interactions
with the server are performed with JavaScript. On the server side you only need to check the presence of this header with the server are performed with JavaScript. On the server side you only need to check the presence of this header
if this header is not present deny the request. if this header is not present deny the request.
Some frameworks offer this implementation by default however researcer Alex Infuhr found out that this can be bypassed
as well. You can read about: http://insert-blogspot.nl/2018/05/adobe-reader-pdf-client-side-request.html?m=1[Adobe Reader PDF - Client Side Request Injection]

15
webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Impact_Defense.adoc
View File

@ -4,7 +4,20 @@ The impact is limited only by what the logged in user can do (if the site/functi
The areas that are really prone to CSRF attacks are IoT devices and 'smart' appliances. Sadly, many consumer-grade routers The areas that are really prone to CSRF attacks are IoT devices and 'smart' appliances. Sadly, many consumer-grade routers
have also proven vulnerable to CSRF. have also proven vulnerable to CSRF.
== CSRF Solution == CSRF solutions
=== Same site cookie attribute
This is a new extension which modern browsers support which limits the scope of the cookie such that it will only be
attached to requests if those requests are 'same-site'
For example requests for `http://webgoat.org/something` will attach same-site cookies if the request is initiated from
`webgoat.org`.
There are two modes, strict and lax. The first one does not allow cross site request, this means when you are on
github.com and you want to like it through Facebook (and Facebook specifies same-site as strict) you will be
redirected to the login page, because the browser does not attach the cookie for Facebook.
More information can be found here: www.sjoerdlangkemper.nl/2016/04/14/preventin-csrf-with-samesite-cookie-attribute/
=== Other protections
Fortunately, many (web) application frameworks now come with built in support to handle CSRF attacks. For example, Spring and Fortunately, many (web) application frameworks now come with built in support to handle CSRF attacks. For example, Spring and
Tomcat have this on by default. As long as you don't turn it off (like it is in WebGoat), you should be safe from CSRF attacks. Tomcat have this on by default. As long as you don't turn it off (like it is in WebGoat), you should be safe from CSRF attacks.

2
webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_JSON.adoc
View File

@ -3,7 +3,7 @@
A lot of web applications implement no protection against CSRF they are somehow protected by the fact that A lot of web applications implement no protection against CSRF they are somehow protected by the fact that
they only work with `application/json` as content type. The only way to make a request with this content-type from the they only work with `application/json` as content type. The only way to make a request with this content-type from the
browser is with a XHR request. Before the browser can make such a request a preflight request will be made towards browser is with a XHR request. Before the browser can make such a request a preflight request will be made towards
the server (remember the CSRF request will be cross origin). If the preflight response does not allow the cross origin the server (remember the CSRF request will be cross origin). If the pre-flight response does not allow the cross origin
request the browser will not make the call. request the browser will not make the call.
To make a long answer short: this is *not* a valid protection against CSRF. To make a long answer short: this is *not* a valid protection against CSRF.

5
webgoat-lessons/csrf/src/test/java/org/owasp/webgoat/plugin/CSRFFeedbackTest.java
View File

@ -46,13 +46,10 @@ public class CSRFFeedbackTest extends LessonTest {
mockMvc.perform(post("/csrf/feedback/message") mockMvc.perform(post("/csrf/feedback/message")
.contentType(MediaType.TEXT_PLAIN) .contentType(MediaType.TEXT_PLAIN)
.cookie(new Cookie("JSESSIONID", "test")) .cookie(new Cookie("JSESSIONID", "test"))
.header("host", "localhost:8080") .header("origin", "localhost:8080")
.header("referer", "webgoat.org") .header("referer", "webgoat.org")
.content("{\"name\": \"Test\", \"email\": \"test1233@dfssdf.de\", \"subject\": \"service\", \"message\":\"dsaffd\"}")) .content("{\"name\": \"Test\", \"email\": \"test1233@dfssdf.de\", \"subject\": \"service\", \"message\":\"dsaffd\"}"))
.andExpect(jsonPath("lessonCompleted", is(true))) .andExpect(jsonPath("lessonCompleted", is(true)))
.andExpect(jsonPath("feedback", StringContains.containsString("the flag is: "))); .andExpect(jsonPath("feedback", StringContains.containsString("the flag is: ")));
} }
} }

2
webgoat-lessons/html-tampering/pom.xml
View File

@ -6,7 +6,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version> <version>v8.0.0.M17</version>
</parent> </parent>
<dependencies> <dependencies>

2
webgoat-lessons/http-basics/pom.xml
View File

@ -6,7 +6,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version> <version>v8.0.0.M17</version>
</parent> </parent>
</project> </project>

1
webgoat-lessons/http-basics/src/main/resources/i18n/WebGoatLabels.properties
View File

@ -8,6 +8,7 @@ http-basics.hints.http_basic_quiz.1=Turn on Show Parameters or other features
http-basics.hints.http_basic_quiz.2=Try to intercept the request with <a href='https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project' title='Link to ZAP'>OWASP ZAP</a> http-basics.hints.http_basic_quiz.2=Try to intercept the request with <a href='https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project' title='Link to ZAP'>OWASP ZAP</a>
http-basics.empty=Try again, name cannot be empty.
http-basics.reversed=The server has reversed your name: {0} http-basics.reversed=The server has reversed your name: {0}
http-basics.close=Try again: but this time enter a value before hitting go. http-basics.close=Try again: but this time enter a value before hitting go.

2
webgoat-lessons/http-proxies/pom.xml
View File

@ -6,7 +6,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version> <version>v8.0.0.M17</version>
</parent> </parent>
<dependencies> <dependencies>

2
webgoat-lessons/http-proxies/src/main/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequest.java
View File

@ -48,7 +48,7 @@ public class HttpBasicsInterceptRequest extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.GET) @RequestMapping(method = RequestMethod.GET)
public @ResponseBody public @ResponseBody
AttackResult completed(HttpServletRequest request) throws IOException { AttackResult completed(HttpServletRequest request) {
String header = null; String header = null;
String param = null; String param = null;
if (request != null && (header = request.getHeader("x-request-intercepted")) != null if (request != null && (header = request.getHeader("x-request-intercepted")) != null

23
webgoat-lessons/http-proxies/src/main/resources/html/HttpProxies.html
View File

@ -3,36 +3,27 @@
<html xmlns:th="http://www.thymeleaf.org"> <html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro0.adoc"></div> <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro0.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro1.adoc"></div> <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro1.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro2.adoc"></div> <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro2.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro3.adoc"></div> <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro3.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- stripped down without extra comments -->
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro4.adoc"></div> <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro4.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro5.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" name="intercept-request" <form class="attack-form" accept-charset="UNKNOWN" name="intercept-request"
@ -48,4 +39,8 @@
<div class="attack-output"></div> <div class="attack-output"></div>
</div> </div>
</div> </div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro6.adoc"></div>
</div>
</html> </html>

BIN
webgoat-lessons/http-proxies/src/main/resources/images/zap_edit_and_resend.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 176 KiB

BIN
webgoat-lessons/http-proxies/src/main/resources/images/zap_edit_and_response.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 39 KiB

Some files were not shown because too many files have changed in this diff Show More