Compare commits

...

103 Commits

Author SHA1 Message Date
7b8e3cdb52 Merge branch 'release/v8.0.0.M22' 2019-01-18 08:38:10 +01:00
9be4361afc New release, updating pom.xml 2019-01-18 08:37:26 +01:00
b0e3a06b50 Password reset lesson 5 not working #512
Added comment to not use OWASP ZAP
2019-01-17 16:35:04 +01:00
9170dcb87f Fix a grammatical error 2019-01-17 14:50:07 +01:00
dc5f9880af Full implementation of "Update Webgoat Dockerfile to use entrypoints and commands #523" based on the pull request of Nicklaus McClendon 2019-01-17 14:49:42 +01:00
ed490a5ecf Fix for #545
Introduced new macro to make a clear distinction between /WebWolf with
context root and without.
2019-01-16 11:07:30 +01:00
81d6e12ae1 Spring devtools no longer work in combination with Spring and Java 11 2019-01-15 16:29:49 +01:00
c3ee0b7662 Travis build should also use Java 11 2019-01-15 16:24:39 +01:00
959a3c6420 Docker images should use new jar version notation 2019-01-15 16:23:21 +01:00
3fa10c4b10 Update to Java 11 2019-01-15 16:23:03 +01:00
ec225558b9 Move to latest Spring Boot version and move to Java 11 2018-12-15 13:59:54 +01:00
dd1009bc54 Add Maven wrapper 2018-12-14 12:56:21 +01:00
bf45a0a8e5 Fix for XXE docs 2018-12-14 12:43:19 +01:00
f81a6852db YAML structure fix, postgres version fix
The structure of the environment was incorrect. The postgres dialect doesn't match the postgres:latest image.
2018-11-19 08:16:49 +01:00
6699456ee1 Bug fix in sample code 2018-11-19 08:15:41 +01:00
ecbbb5258e encapsulated the WEBGOAT_HOME in quotes
Encapsulating the `WEBGOAT_HOME` variable in quotes allows for spaces to exist in the path
2018-11-19 08:14:29 +01:00
1520c7571f HTML Tampering Mitigation Description Typo 2018-11-19 08:13:17 +01:00
5921a06747 Fix SQL injection mitigation answer (fixes #505)
You need to submit the IP of the webgoat-prd server, not just any of the IPs.
2018-11-19 08:12:17 +01:00
b6e4995d11 Fixed Vagrant file
- Added correct wget urls for .jar files
- changed server address to 0.0.0.0(pointing to all interfaces) because by default it listens for connections on VM's localhost only but we want to access webgoat on NAT adapter via port forwarding
2018-11-19 08:10:11 +01:00
a2f28460c0 Update password_reset.html
Without this attribute it is impossible to pass the lesson "password-reset" `Email functionality with WebWolf`.
2018-11-19 08:08:41 +01:00
0797c3e2bf Merge pull request #519 from pingiun/patch-1
Fix typo
2018-09-13 08:16:11 -07:00
f9a4061604 Fix typo 2018-09-12 09:54:44 +02:00
580e50f558 Same form post is used and with autocomplete this does not work because all fields will be posted. The endpoint could no long distinguish between the different actions (sending e-mail and checking password) 2018-08-10 13:15:40 +02:00
3d58049af6 docker-compose-local.yml now extends docker-compose.yml
WebWolf waits for 8 seconds after WebGoat starts so the database connection can be established
2018-08-08 18:26:12 +02:00
bca8b3c650 Fix buildscripts to wait for Docker and build snapshots 2018-08-08 18:23:27 +02:00
1252e3dc21 Update instructions to use docker-compose only 2018-07-17 20:17:35 +02:00
63a50df7a1 Add hint to lesson users no longer have guess the complete ip address 2018-07-06 18:22:29 +02:00
f9e552f1cd Add instructions how to run WebGoat on Java 9 or higher 2018-07-04 19:15:54 +02:00
2233550fe1 Adding more solutions for SQL order by lesson 2018-06-22 14:12:37 +02:00
cb18295f9f Update hint 2018-06-21 07:53:21 +02:00
651698d96c Add different solution for XXE attack 2018-06-21 07:17:27 +02:00
4d7d0058c3 Update how to create a release document 2018-06-20 18:38:16 +02:00
e3fba396de Merge tag 'v8.0.0.M21' into develop 2018-06-20 18:24:06 +02:00
3536fd0b6d Merge branch 'release/v8.0.0.M21' 2018-06-20 18:23:59 +02:00
bc84e8f207 Build release when tag is set 2018-06-20 18:22:35 +02:00
14dbd47675 Merge tag 'v8.0.0.M20' into develop
New release M20
2018-06-20 18:06:26 +02:00
898dd90c6f Merge branch 'release/v8.0.0.M20' 2018-06-20 18:06:17 +02:00
ac12a009e4 New release v8.0.0.M20 2018-06-20 18:05:59 +02:00
699b1bfd89 Only do releases and Docker updates when building master 2018-06-20 18:05:06 +02:00
ad77a7ab24 Merge tag 'v8.0.0.M19' into develop
New release M19
2018-06-20 16:40:44 +02:00
b7278590f5 Merge branch 'release/v8.0.0.M19' 2018-06-20 16:40:33 +02:00
9dd93d88d9 New release v8.0.0.M19 2018-06-20 16:40:28 +02:00
4c767cb977 Merge tag 'v8.0.0.M18' into develop
New release
2018-06-20 16:32:44 +02:00
12123ef13b Merge branch 'release/v8.0.0.M18' 2018-06-20 16:32:31 +02:00
c7da546249 Improve text for lesson about CSRF login 2018-06-16 17:52:18 +02:00
a41ff0083c Merge pull request #479 from misfir3/develop
Recent updates, including Missing Function AC content & patch for Vuln Components Lesson
2018-06-13 18:44:09 -06:00
701a99cf8f Merge pull request #487 from matthias-g/xssFixes
Small lesson improvements
2018-06-13 18:42:14 -06:00
844808bfa7 Merge pull request #485 from matthias-g/fixSQLInjection
Fix sql injection
2018-06-13 18:41:05 -06:00
81aac93dfe Usage base64 encoded password as expected by JJWT 2018-06-13 17:58:52 +02:00
e5ec2c1ee0 Fix html attribute 2018-06-13 17:56:57 +02:00
b0fbeaff2c This improves the text of the lesson about XSS 2018-06-13 17:56:23 +02:00
b47bb96534 Update changed password in tests 2018-06-13 16:11:28 +02:00
3b9b695ef1 Check host header instead of origin which might not be present #475 2018-06-13 11:38:33 +02:00
1d2575a211 Allow - in usernames because CSRF lesson requires username starting with prefix crsf- #476 2018-06-13 11:38:33 +02:00
56fc983414 Update database layout so that proposed solution works 2018-06-12 17:40:28 +02:00
268adbcf7e Move assignments to correct package so that hints are shown 2018-06-12 17:40:28 +02:00
f383454440 Fix spelling in JWT lesson 2018-06-12 11:02:51 +02:00
bae3e75ae2 Fix minor issues in hint view 2018-06-12 11:02:16 +02:00
a7b82985d4 Fix usage of JJWT API which expects base64 encoded strings as key 2018-06-12 11:01:23 +02:00
3d282e163c Show newest comments first
This prevents new comments from not being displayed after a comment containing invalid html has been posted.
2018-06-12 10:54:13 +02:00
7068c84c6a Fix parameter in url and some spelling 2018-06-12 10:54:13 +02:00
0030c7bdfb Merge pull request #480 from matthias-g/fixPageNum
Fix next page button when url doesn't end with page number
2018-06-07 11:27:29 -06:00
89f6a73275 Fix next page button when url doesn't end with page number 2018-06-07 19:07:58 +02:00
cf0e4e40cf clean up 2018-06-05 14:36:40 -06:00
dfd51f8b54 Merge branch 'develop' of github.com:misfir3/WebGoat into develop 2018-06-05 14:10:51 -06:00
5e8c610fbf gke-deploy.sh 2018-06-05 14:10:29 -06:00
71514fc39b GKE deploy script 2018-06-05 09:45:47 -06:00
1734170e9e updates to missing function ac lesson 2018-06-04 16:53:13 -06:00
c89afe6334 Merge remote-tracking branch 'upstream/develop' into develop 2018-06-01 09:54:03 -06:00
9af0054b5b Merge branch 'release/v8.0.0.M17' 2018-05-30 20:54:18 +02:00
26aa72e721 New release 2018-05-30 20:54:13 +02:00
c510bd9bf1 New develop version 2018-05-30 20:37:25 +02:00
6bf853d953 Merge tag 'v8.0.0.M16' into develop
New release
2018-05-30 20:35:56 +02:00
b298440985 Merge branch 'release/v8.0.0.M16' 2018-05-30 20:35:22 +02:00
c7a714a590 Move to next release 2018-05-30 17:05:50 +02:00
93620f148b Remove challenges which are also incorporated in the lessons themselves 2018-05-30 16:46:50 +02:00
ecb7688e08 Update to new version for develop
Move WebWolf to port 9090 easier since most of the time something is running on 8081
Add scripts for easy building Docker files etc
2018-05-30 13:17:05 +02:00
0de784eb32 Update README and simply the java command to one with optional arguments 2018-05-29 22:16:29 +02:00
4691bc5fd5 Extended proxy lesson with Edit and Resend and explained how to exclude WebGoat internal calls from proxying 2018-05-29 21:30:13 +02:00
fc2c99bcb4 Limit the username to letters and digits only 2018-05-29 16:16:52 +02:00
7292a577e3 Only do a release when we build master and have a tagged the release 2018-05-29 15:20:07 +02:00
396c1c1d47 Update order of starting WebGoat 2018-05-29 15:16:29 +02:00
2911788679 Merge tag 'v8.0.0' into develop
Release v8.0.0
2018-05-29 14:59:32 +02:00
985148ede3 Merge branch 'release/v8.0.0' 2018-05-29 14:59:07 +02:00
9587550bc5 Fixed column name on sql injection lesson 7 2018-05-29 14:42:22 +02:00
9a0995dae5 Fixed column name on sql injection lesson 6 2018-05-29 14:42:02 +02:00
4e07e0ebfa Fix links to open new browser tab 2018-05-29 14:04:33 +02:00
6e95fdfe56 Adjusted documentation 2018-05-29 13:33:52 +02:00
e045bc692d Buying page also calculates the prices
Product image added
2018-05-29 12:47:27 +02:00
589872ad47 Fix for JWT assignment 1 log in now works again.
Reset button only triggers reset when admin is set to true in the token
2018-05-29 11:20:40 +02:00
5f4889cefe Clicking link in first password reset link only switched back and forward 2018-05-29 09:29:50 +02:00
e96ab488ff Merge branch 'develop' of github.com:misfir2/WebGoat into develop 2018-05-14 12:17:32 -06:00
31f7ea6985 script to automate WebGoat deployment on GKE 2018-05-14 12:15:48 -06:00
186f24f1df more hintview patching 2018-05-03 10:49:58 -06:00
089dd56a15 wiring jqueryui to vuln jquery #368 2018-05-03 10:49:31 -06:00
6cfefba0ee work-arounds, fixes for page initialization and some clean-up 2018-05-03 10:25:34 -06:00
20e45da8ae cleanup that was missed in prev. commit 2018-05-02 16:36:34 -06:00
e34faa13d6 fix for periodic fail on StoredXssCommentsTest 2018-05-02 16:35:57 -06:00
927bbad488 merging from release branch ... PR's and Nanne's recent work 2018-05-02 14:27:44 -06:00
a922c00182 Chore - fix spelling issues 2018-02-15 20:12:53 +00:00
f21fe7f2c3 Fixed typos 2018-01-30 05:49:51 +00:00
3cd349bb4b Update HttpBasics_ProxyIntro0.adoc
Fixed typo, Actual : "wihtin" , Expected :  "within"
2018-01-23 18:01:42 +00:00
e3e7ed004f Not making a Docker release is we build develop (putting a tag will create a release which is more a controlled/intuitive way to make a release to Docker) 2018-01-02 22:19:49 +01:00
143 changed files with 1158 additions and 1522 deletions

7
.gitignore vendored
View File

@ -44,5 +44,10 @@ webgoat-server/mongo-data/*
webgoat-lessons/vulnerable-components/dependency-reduced-pom.xml webgoat-lessons/vulnerable-components/dependency-reduced-pom.xml
**/.sts4-cache/* **/.sts4-cache/*
**/.vscode/* **/.vscode/*
**/.factorypath
/.sonatype /.sonatype
**/bin/*
webgoat.lck
webgoat.log
webgoat.properties
webgoat.script

1
.mvn/wrapper/maven-wrapper.properties vendored Normal file
View File

@ -0,0 +1 @@
distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.5.4/apache-maven-3.5.4-bin.zip

View File

@ -2,7 +2,7 @@ services:
- docker - docker
language: java language: java
jdk: jdk:
- oraclejdk8 - openjdk11
install: "/bin/true" install: "/bin/true"
script: script:
- export BRANCH=$(if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then echo $TRAVIS_BRANCH; else echo $TRAVIS_PULL_REQUEST_BRANCH; fi) - export BRANCH=$(if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then echo $TRAVIS_BRANCH; else echo $TRAVIS_PULL_REQUEST_BRANCH; fi)
@ -28,12 +28,6 @@ deploy:
on: on:
repo: WebGoat/WebGoat repo: WebGoat/WebGoat
tags: true tags: true
- provider: script
skip_cleanup: true
script: bash scripts/deploy-webgoat.sh
on:
repo: WebGoat/WebGoat
branch: develop
- provider: releases - provider: releases
skip_cleanup: true skip_cleanup: true
overwrite: true overwrite: true

View File

@ -13,17 +13,13 @@ At the moment we use Gitflow, for a release you create a new release branch and
git checkout develop git checkout develop
git flow release start <version> git flow release start <version>
mvn versions:set <<version> mvn versions:set <<version>
git commit -am "New release, updaing pom.xml" git commit -am "New release, updating pom.xml"
git flow release publish git flow release publish
``` git push --tags
Now we can make a new release, be sure you committed all your changes.
```
git tag v8.0.0.M15
git push origin v8.0.0.M15
``` ```
Now Travis takes over and will create the release in Github and on Docker Hub. Now Travis takes over and will create the release in Github and on Docker Hub.
NOTE: the `mvn versions:set` command above is just there to make sure the master branch contains the latest version

View File

@ -29,70 +29,47 @@ first thing that all hackers claim.*
# Run Instructions: # Run Instructions:
## 1. Run using Docker ## 1. Standalone
From time to time we publish a new development preview of WebGoat 8 on Docker HUB, you can download this version
[https://hub.docker.com/r/webgoat/webgoat-8.0/](https://hub.docker.com/r/webgoat/webgoat-8.0/).
First install Docker, then open a command shell/window and type:
```Shell
docker pull webgoat/webgoat-8.0
docker run -p 8080:8080 -it webgoat/webgoat-8.0 /home/webgoat/start.sh
```
If you want to keep the database between Docker sessions you need to map the WebGoat data directory to a
folder on the host system as follows:
```Shell
docker run -p 8080:8080 -it -v /tmp/webgoat-data:/home/webgoat/.webgoat-${VERSION} webgoat/webgoat-8.0 /home/webgoat/start.sh
```
where `${VERSION}` is for example `v8.0.0.M14`. The data will now be stored in `/tmp/webgoat-data` on your host system.
Wait for the Docker container to start, and run `docker ps` to verify it's running.
- If you are using `docker-machine`, verify the machine IP using `docker-machine env`
- If you are using `boot2docker` on OSX, verify the IP by running `docker network inspect bridge`
- Otherwise, the host will be bound to localhost
Once you have the IP and port, you'll want to navigate to the `/WebGoat` path in the URL. For example:
```
http://192.168.99.100:8080/WebGoat
```
Here you'll be able to register a new user and get started.
_Please note: this version may not be completely in sync with the develop branch._
## 2. Standalone
Download the latest WebGoat release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases) Download the latest WebGoat release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
```Shell ```Shell
java -jar webgoat-server-<<version>>.jar java -jar webgoat-server-8.0.0.VERSION.jar [--server.port=8080] [--server.address=localhost]
``` ```
By default WebGoat starts at port 8080 in order to change this use the following property: By default WebGoat starts on port 8080 with `--server.port` you can specify a different port. With `server.address` you
can bind it to a different address (default localhost)
If you use Java 9 or higher you need to run WebGoat as follows:
```Shell ```Shell
java -jar webgoat-server-<<version>>.jar --server.port=9090 java --add-modules java.xml.bind -jar webgoat-server-8.0.0.VERSION.jar
``` ```
You can specify one of the following arguments when starting WebGoat: ## 2. Run using Docker
```Shell Every release is also published on [DockerHub]((https://hub.docker.com/r/webgoat/webgoat-8.0/)).
java -jar webgoat-server-<<version>>.jar --server.port=9090 --server.address=x.x.x.x
### Using docker-compose
The easiest way to start WebGoat as a Docker container is to use the `docker-compose.yml` [file](https://raw.githubusercontent.com/WebGoat/WebGoat/develop/docker-compose.yml)
from our Github repository. This will start both containers and it also takes care of setting up the
connection between WebGoat and WebWolf.
```shell
curl https://raw.githubusercontent.com/WebGoat/WebGoat/develop/docker-compose.yml | docker-compose -f - up
``` ```
This will start WebGoat on a different port and/or different address. **Important**: the current directory on your host will be mapped into the container for keeping state.
Using the `docker-compose` file will simplify getting WebGoat and WebWolf up and running.
## 3. Run from the sources ## 3. Run from the sources
### Prerequisites: ### Prerequisites:
* Java 8 * Java 11
* Maven > 3.2.1 * Maven > 3.2.1
* Your favorite IDE * Your favorite IDE
* Git, or Git support in your IDE * Git, or Git support in your IDE
@ -127,7 +104,7 @@ server.address=x.x.x.x
# Vagrant # Vagrant
We supply a complete development environment using Vagrant, to run WebGoat with Vagrant you must first have Vagrant and Virtualbox installed. We supply a complete environment using Vagrant, to run WebGoat with Vagrant you must first have Vagrant and Virtualbox installed.
```shell ```shell
$ cd WebGoat/webgoat-images/vagrant-training $ cd WebGoat/webgoat-images/vagrant-training
@ -135,7 +112,7 @@ We supply a complete development environment using Vagrant, to run WebGoat with
``` ```
Once the provisioning is complete login to the Virtualbox with username vagrant and password vagrant. Once the provisioning is complete login to the Virtualbox with username vagrant and password vagrant.
The source code will be available in the home directory. WebGoat and WebWolf will automatically start when you login to this image.
# Building a new Docker image # Building a new Docker image

13
docker-compose-local.yml Normal file
View File

@ -0,0 +1,13 @@
version: '2.1'
services:
webgoat:
image: webgoat/webgoat-v8.0.0.snapshot
extends:
file: docker-compose.yml
service: webgoat
webwolf:
extends:
file: docker-compose.yml
service: webwolf
image: webgoat/webwolf-v8.0.0.snapshot

View File

@ -6,11 +6,14 @@ services:
user: webgoat user: webgoat
environment: environment:
- WEBWOLF_HOST=webwolf - WEBWOLF_HOST=webwolf
- WEBWOLF_PORT=9090
- spring.datasource.url=jdbc:postgresql://webgoat_db:5432/webgoat - spring.datasource.url=jdbc:postgresql://webgoat_db:5432/webgoat
- spring.datasource.username=webgoat - spring.datasource.username=webgoat
- spring.datasource.password=webgoat - spring.datasource.password=webgoat
- spring.datasource.driver-class-name=org.postgresql.Driver - spring.datasource.driver-class-name=org.postgresql.Driver
- spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL94Dialect - spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL94Dialect
- webgoat.server.directory=/home/webgoat/.webgoat/
- webgoat.user.directory=/home/webgoat/.webgoat/
ports: ports:
- "8080:8080" - "8080:8080"
webwolf: webwolf:
@ -22,10 +25,12 @@ services:
- spring.datasource.driver-class-name=org.postgresql.Driver - spring.datasource.driver-class-name=org.postgresql.Driver
- spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL94Dialect - spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL94Dialect
ports: ports:
- "8081:8081" - "9090:9090"
db: webgoat_db:
container_name: webgoat_db image: postgres:9.4
image: postgres:latest # Uncomment to store the state of the database on the host.
# volumes:
# - ./database:/var/lib/postgresql
environment: environment:
- POSTGRES_PASSWORD=webgoat - POSTGRES_PASSWORD=webgoat
- POSTGRES_USER=webgoat - POSTGRES_USER=webgoat

View File

@ -5,24 +5,14 @@ services:
image: webgoat/webgoat-8.0 image: webgoat/webgoat-8.0
environment: environment:
- WEBWOLF_HOST=webwolf - WEBWOLF_HOST=webwolf
- spring.datasource.url=jdbc:hsqldb:hsql://webgoat_db:9001/webgoat - WEBWOLF_PORT=9090
ports: ports:
- "8080:8080" - "8080:8080"
depends_on: - "9001:9001"
- db volumes:
- .:/home/webgoat/.webgoat
webwolf: webwolf:
image: webgoat/webwolf image: webgoat/webwolf
environment:
- spring.datasource.url=jdbc:hsqldb:hsql://webgoat_db:9001/webgoat
ports: ports:
- "8081:8081" - "9090:9090"
depends_on: command: --spring.datasource.url=jdbc:hsqldb:hsql://webgoat:9001/webgoat --server.address=0.0.0.0
- db
db:
image: blacklabelops/hsqldb
container_name: webgoat_db
environment:
- HSQLDB_TRACE=false
- HSQLDB_SILENT=true
- HSQLDB_DATABASE_NAME=webgoat
- HSQLDB_DATABASE_ALIAS=webgoat

286
mvnw vendored Executable file
View File

@ -0,0 +1,286 @@
#!/bin/sh
# ----------------------------------------------------------------------------
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
# ----------------------------------------------------------------------------
# ----------------------------------------------------------------------------
# Maven2 Start Up Batch script
#
# Required ENV vars:
# ------------------
# JAVA_HOME - location of a JDK home dir
#
# Optional ENV vars
# -----------------
# M2_HOME - location of maven2's installed home dir
# MAVEN_OPTS - parameters passed to the Java VM when running Maven
# e.g. to debug Maven itself, use
# set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
# MAVEN_SKIP_RC - flag to disable loading of mavenrc files
# ----------------------------------------------------------------------------
if [ -z "$MAVEN_SKIP_RC" ] ; then
if [ -f /etc/mavenrc ] ; then
. /etc/mavenrc
fi
if [ -f "$HOME/.mavenrc" ] ; then
. "$HOME/.mavenrc"
fi
fi
# OS specific support. $var _must_ be set to either true or false.
cygwin=false;
darwin=false;
mingw=false
case "`uname`" in
CYGWIN*) cygwin=true ;;
MINGW*) mingw=true;;
Darwin*) darwin=true
# Use /usr/libexec/java_home if available, otherwise fall back to /Library/Java/Home
# See https://developer.apple.com/library/mac/qa/qa1170/_index.html
if [ -z "$JAVA_HOME" ]; then
if [ -x "/usr/libexec/java_home" ]; then
export JAVA_HOME="`/usr/libexec/java_home`"
else
export JAVA_HOME="/Library/Java/Home"
fi
fi
;;
esac
if [ -z "$JAVA_HOME" ] ; then
if [ -r /etc/gentoo-release ] ; then
JAVA_HOME=`java-config --jre-home`
fi
fi
if [ -z "$M2_HOME" ] ; then
## resolve links - $0 may be a link to maven's home
PRG="$0"
# need this for relative symlinks
while [ -h "$PRG" ] ; do
ls=`ls -ld "$PRG"`
link=`expr "$ls" : '.*-> \(.*\)$'`
if expr "$link" : '/.*' > /dev/null; then
PRG="$link"
else
PRG="`dirname "$PRG"`/$link"
fi
done
saveddir=`pwd`
M2_HOME=`dirname "$PRG"`/..
# make it fully qualified
M2_HOME=`cd "$M2_HOME" && pwd`
cd "$saveddir"
# echo Using m2 at $M2_HOME
fi
# For Cygwin, ensure paths are in UNIX format before anything is touched
if $cygwin ; then
[ -n "$M2_HOME" ] &&
M2_HOME=`cygpath --unix "$M2_HOME"`
[ -n "$JAVA_HOME" ] &&
JAVA_HOME=`cygpath --unix "$JAVA_HOME"`
[ -n "$CLASSPATH" ] &&
CLASSPATH=`cygpath --path --unix "$CLASSPATH"`
fi
# For Mingw, ensure paths are in UNIX format before anything is touched
if $mingw ; then
[ -n "$M2_HOME" ] &&
M2_HOME="`(cd "$M2_HOME"; pwd)`"
[ -n "$JAVA_HOME" ] &&
JAVA_HOME="`(cd "$JAVA_HOME"; pwd)`"
# TODO classpath?
fi
if [ -z "$JAVA_HOME" ]; then
javaExecutable="`which javac`"
if [ -n "$javaExecutable" ] && ! [ "`expr \"$javaExecutable\" : '\([^ ]*\)'`" = "no" ]; then
# readlink(1) is not available as standard on Solaris 10.
readLink=`which readlink`
if [ ! `expr "$readLink" : '\([^ ]*\)'` = "no" ]; then
if $darwin ; then
javaHome="`dirname \"$javaExecutable\"`"
javaExecutable="`cd \"$javaHome\" && pwd -P`/javac"
else
javaExecutable="`readlink -f \"$javaExecutable\"`"
fi
javaHome="`dirname \"$javaExecutable\"`"
javaHome=`expr "$javaHome" : '\(.*\)/bin'`
JAVA_HOME="$javaHome"
export JAVA_HOME
fi
fi
fi
if [ -z "$JAVACMD" ] ; then
if [ -n "$JAVA_HOME" ] ; then
if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
# IBM's JDK on AIX uses strange locations for the executables
JAVACMD="$JAVA_HOME/jre/sh/java"
else
JAVACMD="$JAVA_HOME/bin/java"
fi
else
JAVACMD="`which java`"
fi
fi
if [ ! -x "$JAVACMD" ] ; then
echo "Error: JAVA_HOME is not defined correctly." >&2
echo " We cannot execute $JAVACMD" >&2
exit 1
fi
if [ -z "$JAVA_HOME" ] ; then
echo "Warning: JAVA_HOME environment variable is not set."
fi
CLASSWORLDS_LAUNCHER=org.codehaus.plexus.classworlds.launcher.Launcher
# traverses directory structure from process work directory to filesystem root
# first directory with .mvn subdirectory is considered project base directory
find_maven_basedir() {
if [ -z "$1" ]
then
echo "Path not specified to find_maven_basedir"
return 1
fi
basedir="$1"
wdir="$1"
while [ "$wdir" != '/' ] ; do
if [ -d "$wdir"/.mvn ] ; then
basedir=$wdir
break
fi
# workaround for JBEAP-8937 (on Solaris 10/Sparc)
if [ -d "${wdir}" ]; then
wdir=`cd "$wdir/.."; pwd`
fi
# end of workaround
done
echo "${basedir}"
}
# concatenates all lines of a file
concat_lines() {
if [ -f "$1" ]; then
echo "$(tr -s '\n' ' ' < "$1")"
fi
}
BASE_DIR=`find_maven_basedir "$(pwd)"`
if [ -z "$BASE_DIR" ]; then
exit 1;
fi
##########################################################################################
# Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
# This allows using the maven wrapper in projects that prohibit checking in binary data.
##########################################################################################
if [ -r "$BASE_DIR/.mvn/wrapper/maven-wrapper.jar" ]; then
if [ "$MVNW_VERBOSE" = true ]; then
echo "Found .mvn/wrapper/maven-wrapper.jar"
fi
else
if [ "$MVNW_VERBOSE" = true ]; then
echo "Couldn't find .mvn/wrapper/maven-wrapper.jar, downloading it ..."
fi
jarUrl="https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.4.2/maven-wrapper-0.4.2.jar"
while IFS="=" read key value; do
case "$key" in (wrapperUrl) jarUrl="$value"; break ;;
esac
done < "$BASE_DIR/.mvn/wrapper/maven-wrapper.properties"
if [ "$MVNW_VERBOSE" = true ]; then
echo "Downloading from: $jarUrl"
fi
wrapperJarPath="$BASE_DIR/.mvn/wrapper/maven-wrapper.jar"
if command -v wget > /dev/null; then
if [ "$MVNW_VERBOSE" = true ]; then
echo "Found wget ... using wget"
fi
wget "$jarUrl" -O "$wrapperJarPath"
elif command -v curl > /dev/null; then
if [ "$MVNW_VERBOSE" = true ]; then
echo "Found curl ... using curl"
fi
curl -o "$wrapperJarPath" "$jarUrl"
else
if [ "$MVNW_VERBOSE" = true ]; then
echo "Falling back to using Java to download"
fi
javaClass="$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.java"
if [ -e "$javaClass" ]; then
if [ ! -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then
if [ "$MVNW_VERBOSE" = true ]; then
echo " - Compiling MavenWrapperDownloader.java ..."
fi
# Compiling the Java class
("$JAVA_HOME/bin/javac" "$javaClass")
fi
if [ -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then
# Running the downloader
if [ "$MVNW_VERBOSE" = true ]; then
echo " - Running MavenWrapperDownloader.java ..."
fi
("$JAVA_HOME/bin/java" -cp .mvn/wrapper MavenWrapperDownloader "$MAVEN_PROJECTBASEDIR")
fi
fi
fi
fi
##########################################################################################
# End of extension
##########################################################################################
export MAVEN_PROJECTBASEDIR=${MAVEN_BASEDIR:-"$BASE_DIR"}
if [ "$MVNW_VERBOSE" = true ]; then
echo $MAVEN_PROJECTBASEDIR
fi
MAVEN_OPTS="$(concat_lines "$MAVEN_PROJECTBASEDIR/.mvn/jvm.config") $MAVEN_OPTS"
# For Cygwin, switch paths to Windows format before running java
if $cygwin; then
[ -n "$M2_HOME" ] &&
M2_HOME=`cygpath --path --windows "$M2_HOME"`
[ -n "$JAVA_HOME" ] &&
JAVA_HOME=`cygpath --path --windows "$JAVA_HOME"`
[ -n "$CLASSPATH" ] &&
CLASSPATH=`cygpath --path --windows "$CLASSPATH"`
[ -n "$MAVEN_PROJECTBASEDIR" ] &&
MAVEN_PROJECTBASEDIR=`cygpath --path --windows "$MAVEN_PROJECTBASEDIR"`
fi
WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain
exec "$JAVACMD" \
$MAVEN_OPTS \
-classpath "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar" \
"-Dmaven.home=${M2_HOME}" "-Dmaven.multiModuleProjectDirectory=${MAVEN_PROJECTBASEDIR}" \
${WRAPPER_LAUNCHER} $MAVEN_CONFIG "$@"

161
mvnw.cmd vendored Normal file
View File

@ -0,0 +1,161 @@
@REM ----------------------------------------------------------------------------
@REM Licensed to the Apache Software Foundation (ASF) under one
@REM or more contributor license agreements. See the NOTICE file
@REM distributed with this work for additional information
@REM regarding copyright ownership. The ASF licenses this file
@REM to you under the Apache License, Version 2.0 (the
@REM "License"); you may not use this file except in compliance
@REM with the License. You may obtain a copy of the License at
@REM
@REM http://www.apache.org/licenses/LICENSE-2.0
@REM
@REM Unless required by applicable law or agreed to in writing,
@REM software distributed under the License is distributed on an
@REM "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
@REM KIND, either express or implied. See the License for the
@REM specific language governing permissions and limitations
@REM under the License.
@REM ----------------------------------------------------------------------------
@REM ----------------------------------------------------------------------------
@REM Maven2 Start Up Batch script
@REM
@REM Required ENV vars:
@REM JAVA_HOME - location of a JDK home dir
@REM
@REM Optional ENV vars
@REM M2_HOME - location of maven2's installed home dir
@REM MAVEN_BATCH_ECHO - set to 'on' to enable the echoing of the batch commands
@REM MAVEN_BATCH_PAUSE - set to 'on' to wait for a key stroke before ending
@REM MAVEN_OPTS - parameters passed to the Java VM when running Maven
@REM e.g. to debug Maven itself, use
@REM set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
@REM MAVEN_SKIP_RC - flag to disable loading of mavenrc files
@REM ----------------------------------------------------------------------------
@REM Begin all REM lines with '@' in case MAVEN_BATCH_ECHO is 'on'
@echo off
@REM set title of command window
title %0
@REM enable echoing my setting MAVEN_BATCH_ECHO to 'on'
@if "%MAVEN_BATCH_ECHO%" == "on" echo %MAVEN_BATCH_ECHO%
@REM set %HOME% to equivalent of $HOME
if "%HOME%" == "" (set "HOME=%HOMEDRIVE%%HOMEPATH%")
@REM Execute a user defined script before this one
if not "%MAVEN_SKIP_RC%" == "" goto skipRcPre
@REM check for pre script, once with legacy .bat ending and once with .cmd ending
if exist "%HOME%\mavenrc_pre.bat" call "%HOME%\mavenrc_pre.bat"
if exist "%HOME%\mavenrc_pre.cmd" call "%HOME%\mavenrc_pre.cmd"
:skipRcPre
@setlocal
set ERROR_CODE=0
@REM To isolate internal variables from possible post scripts, we use another setlocal
@setlocal
@REM ==== START VALIDATION ====
if not "%JAVA_HOME%" == "" goto OkJHome
echo.
echo Error: JAVA_HOME not found in your environment. >&2
echo Please set the JAVA_HOME variable in your environment to match the >&2
echo location of your Java installation. >&2
echo.
goto error
:OkJHome
if exist "%JAVA_HOME%\bin\java.exe" goto init
echo.
echo Error: JAVA_HOME is set to an invalid directory. >&2
echo JAVA_HOME = "%JAVA_HOME%" >&2
echo Please set the JAVA_HOME variable in your environment to match the >&2
echo location of your Java installation. >&2
echo.
goto error
@REM ==== END VALIDATION ====
:init
@REM Find the project base dir, i.e. the directory that contains the folder ".mvn".
@REM Fallback to current working directory if not found.
set MAVEN_PROJECTBASEDIR=%MAVEN_BASEDIR%
IF NOT "%MAVEN_PROJECTBASEDIR%"=="" goto endDetectBaseDir
set EXEC_DIR=%CD%
set WDIR=%EXEC_DIR%
:findBaseDir
IF EXIST "%WDIR%"\.mvn goto baseDirFound
cd ..
IF "%WDIR%"=="%CD%" goto baseDirNotFound
set WDIR=%CD%
goto findBaseDir
:baseDirFound
set MAVEN_PROJECTBASEDIR=%WDIR%
cd "%EXEC_DIR%"
goto endDetectBaseDir
:baseDirNotFound
set MAVEN_PROJECTBASEDIR=%EXEC_DIR%
cd "%EXEC_DIR%"
:endDetectBaseDir
IF NOT EXIST "%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config" goto endReadAdditionalConfig
@setlocal EnableExtensions EnableDelayedExpansion
for /F "usebackq delims=" %%a in ("%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config") do set JVM_CONFIG_MAVEN_PROPS=!JVM_CONFIG_MAVEN_PROPS! %%a
@endlocal & set JVM_CONFIG_MAVEN_PROPS=%JVM_CONFIG_MAVEN_PROPS%
:endReadAdditionalConfig
SET MAVEN_JAVA_EXE="%JAVA_HOME%\bin\java.exe"
set WRAPPER_JAR="%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.jar"
set WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain
set DOWNLOAD_URL="https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.4.2/maven-wrapper-0.4.2.jar"
FOR /F "tokens=1,2 delims==" %%A IN (%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties) DO (
IF "%%A"=="wrapperUrl" SET DOWNLOAD_URL=%%B
)
@REM Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
@REM This allows using the maven wrapper in projects that prohibit checking in binary data.
if exist %WRAPPER_JAR% (
echo Found %WRAPPER_JAR%
) else (
echo Couldn't find %WRAPPER_JAR%, downloading it ...
echo Downloading from: %DOWNLOAD_URL%
powershell -Command "(New-Object Net.WebClient).DownloadFile('%DOWNLOAD_URL%', '%WRAPPER_JAR%')"
echo Finished downloading %WRAPPER_JAR%
)
@REM End of extension
%MAVEN_JAVA_EXE% %JVM_CONFIG_MAVEN_PROPS% %MAVEN_OPTS% %MAVEN_DEBUG_OPTS% -classpath %WRAPPER_JAR% "-Dmaven.multiModuleProjectDirectory=%MAVEN_PROJECTBASEDIR%" %WRAPPER_LAUNCHER% %MAVEN_CONFIG% %*
if ERRORLEVEL 1 goto error
goto end
:error
set ERROR_CODE=1
:end
@endlocal & set ERROR_CODE=%ERROR_CODE%
if not "%MAVEN_SKIP_RC%" == "" goto skipRcPost
@REM check for post script, once with legacy .bat ending and once with .cmd ending
if exist "%HOME%\mavenrc_post.bat" call "%HOME%\mavenrc_post.bat"
if exist "%HOME%\mavenrc_post.cmd" call "%HOME%\mavenrc_post.cmd"
:skipRcPost
@REM pause the script if MAVEN_BATCH_PAUSE is set to 'on'
if "%MAVEN_BATCH_PAUSE%" == "on" pause
if "%MAVEN_TERMINATE_CMD%" == "on" exit %ERROR_CODE%
exit /B %ERROR_CODE%

View File

@ -0,0 +1,4 @@
CURTAG=webgoat/webgoat-8.0
DEST_TAG=gcr.io/astech-training/raging-wire-webgoat
CLUSTER_NAME=raging-wire-webgoat
PORT_NUM=8080

View File

@ -0,0 +1,4 @@
CURTAG=webgoat/webgoat-8.0
DEST_TAG=gcr.io/your-gke-project/your-webgoat-tag
CLUSTER_NAME=your-cluster-name
PORT_NUM=8080

158
pom.xml
View File

@ -1,11 +1,12 @@
<?xml version="1.0"?> <?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion> <modelVersion>4.0.0</modelVersion>
<groupId>org.owasp.webgoat</groupId> <groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-parent</artifactId> <artifactId>webgoat-parent</artifactId>
<packaging>pom</packaging> <packaging>pom</packaging>
<version>v8.0.0.M15</version> <version>v8.0.0.M22</version>
<name>WebGoat Parent Pom</name> <name>WebGoat Parent Pom</name>
<description>Parent Pom for the WebGoat Project. A deliberately insecure Web Application</description> <description>Parent Pom for the WebGoat Project. A deliberately insecure Web Application</description>
@ -20,7 +21,7 @@
<parent> <parent>
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId> <artifactId>spring-boot-starter-parent</artifactId>
<version>1.5.12.RELEASE</version> <version>1.5.18.RELEASE</version>
</parent> </parent>
<licenses> <licenses>
@ -53,17 +54,17 @@
<developer> <developer>
<id>jwayman</id> <id>jwayman</id>
<name>Jeff Wayman</name> <name>Jeff Wayman</name>
<email /> <email/>
</developer> </developer>
<developer> <developer>
<id>dcowden</id> <id>dcowden</id>
<name>Dave Cowden</name> <name>Dave Cowden</name>
<email /> <email/>
</developer> </developer>
<developer> <developer>
<id>lawson89</id> <id>lawson89</id>
<name>Richard Lawson</name> <name>Richard Lawson</name>
<email /> <email/>
</developer> </developer>
<developer> <developer>
<id>dougmorato</id> <id>dougmorato</id>
@ -92,8 +93,8 @@
<url>https://github.com/WebGoat/WebGoat</url> <url>https://github.com/WebGoat/WebGoat</url>
<connection>scm:git:git@github.com:WebGoat/WebGoat.git</connection> <connection>scm:git:git@github.com:WebGoat/WebGoat.git</connection>
<developerConnection>scm:git:git@github.com:WebGoat/WebGoat.git</developerConnection> <developerConnection>scm:git:git@github.com:WebGoat/WebGoat.git</developerConnection>
<tag>HEAD</tag> <tag>HEAD</tag>
</scm> </scm>
<issueManagement> <issueManagement>
<system>Github Issues</system> <system>Github Issues</system>
@ -106,9 +107,6 @@
</ciManagement> </ciManagement>
<properties> <properties>
<maven.compiler.source>1.8</maven.compiler.source>
<maven.compiler.target>1.8</maven.compiler.target>
<!-- Use UTF-8 Encoding --> <!-- Use UTF-8 Encoding -->
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding> <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
@ -128,7 +126,7 @@
<commons-digester.version>2.1</commons-digester.version> <commons-digester.version>2.1</commons-digester.version>
<commons-discovery.version>0.5</commons-discovery.version> <commons-discovery.version>0.5</commons-discovery.version>
<commons-fileupload.version>1.3.1</commons-fileupload.version> <commons-fileupload.version>1.3.1</commons-fileupload.version>
<commons-io.version>2.4</commons-io.version> <commons-io.version>2.6</commons-io.version>
<commons-lang3.version>3.4</commons-lang3.version> <commons-lang3.version>3.4</commons-lang3.version>
<coveralls-maven-plugin.version>4.0.0</coveralls-maven-plugin.version> <coveralls-maven-plugin.version>4.0.0</coveralls-maven-plugin.version>
<gatling.version>2.2.5</gatling.version> <gatling.version>2.2.5</gatling.version>
@ -140,30 +138,25 @@
<jackson-core.version>2.6.3</jackson-core.version> <jackson-core.version>2.6.3</jackson-core.version>
<jackson-databind.version>2.6.3</jackson-databind.version> <jackson-databind.version>2.6.3</jackson-databind.version>
<javaee-api.version>6.0</javaee-api.version> <javaee-api.version>6.0</javaee-api.version>
<javax.transaction-api.version>1.2</javax.transaction-api.version> <javax.transaction-api.version>1.3</javax.transaction-api.version>
<jcl-over-slf4j.version>1.7.12</jcl-over-slf4j.version> <jcl-over-slf4j.version>1.7.12</jcl-over-slf4j.version>
<jtds.version>1.3.1</jtds.version> <jtds.version>1.3.1</jtds.version>
<junit.version>4.12</junit.version> <junit.version>4.12</junit.version>
<lombok.version>1.18.4</lombok.version>
<mail-api.version>1.5.4</mail-api.version> <mail-api.version>1.5.4</mail-api.version>
<maven-compiler-plugin.version>3.3</maven-compiler-plugin.version> <maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version>
<maven-failsafe-plugin.version>2.19</maven-failsafe-plugin.version> <maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version>
<maven-gpg-plugin.version>1.6</maven-gpg-plugin.version> <maven-gpg-plugin.version>1.6</maven-gpg-plugin.version>
<maven-jar-plugin.version>2.6</maven-jar-plugin.version> <maven-jar-plugin.version>2.6</maven-jar-plugin.version>
<maven-javadoc-plugin.version>2.10.4</maven-javadoc-plugin.version> <maven-javadoc-plugin.version>2.10.4</maven-javadoc-plugin.version>
<maven-release-plugin.version>2.5.2</maven-release-plugin.version> <maven-release-plugin.version>2.5.2</maven-release-plugin.version>
<maven-source-plugin.version>3.0.1</maven-source-plugin.version> <maven-source-plugin.version>3.0.1</maven-source-plugin.version>
<maven-surefire-plugin.version>2.19</maven-surefire-plugin.version> <maven-surefire-plugin.version>2.22.0</maven-surefire-plugin.version>
<nexus-staging-maven-plugin.version>1.6.6</nexus-staging-maven-plugin.version> <nexus-staging-maven-plugin.version>1.6.6</nexus-staging-maven-plugin.version>
<scala.version>2.11.7</scala.version> <scala.version>2.11.7</scala.version>
<sauce_junit.version>2.1.20</sauce_junit.version> <sauce_junit.version>2.1.20</sauce_junit.version>
<selenium-java.version>2.48.2</selenium-java.version> <selenium-java.version>2.48.2</selenium-java.version>
<spring.security.version>3.2.4.RELEASE</spring.security.version> <spring.security.version>3.2.4.RELEASE</spring.security.version>
<standard.version>1.1.2</standard.version>
<tiles.version>3.0.5</tiles.version>
<tomcat-catalina.version>7.0.65</tomcat-catalina.version>
<tomcat7-maven-plugin.version>2.3-SNAPSHOT</tomcat7-maven-plugin.version>
<versioneye-maven-plugin.version>3.5.1</versioneye-maven-plugin.version>
<wsdl4j.version>1.6.3</wsdl4j.version>
</properties> </properties>
<modules> <modules>
@ -199,103 +192,12 @@
</pluginRepository> </pluginRepository>
</pluginRepositories> </pluginRepositories>
<profiles>
<profile>
<id>release</id>
<dependencies>
<dependency>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>dist</artifactId>
<version>1.0</version>
<type>zip</type>
<scope>provided</scope>
<classifier>plugins</classifier>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId>
<executions>
<execution>
<id>unpack-lesson</id>
<goals>
<goal>unpack-dependencies</goal>
</goals>
<phase>generate-resources</phase>
<configuration>
<outputDirectory>${project.basedir}/webgoat-container/src/main/webapp/plugin_lessons</outputDirectory>
<includeArtifactIds>dist</includeArtifactIds>
<includes>*.jar</includes>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.sonatype.plugins</groupId>
<artifactId>nexus-staging-maven-plugin</artifactId>
<version>${nexus-staging-maven-plugin.version}</version>
<extensions>true</extensions>
<configuration>
<serverId>ossrh</serverId>
<nexusUrl>https://oss.sonatype.org/</nexusUrl>
<autoReleaseAfterClose>false</autoReleaseAfterClose>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-source-plugin</artifactId>
<version>${maven-source-plugin.version}</version>
<executions>
<execution>
<id>attach-sources</id>
<goals>
<goal>jar-no-fork</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>${maven-javadoc-plugin.version}</version>
<executions>
<execution>
<id>attach-javadocs</id>
<goals>
<goal>jar</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-gpg-plugin</artifactId>
<version>${maven-gpg-plugin.version}</version>
<executions>
<execution>
<id>sign-artifacts</id>
<phase>verify</phase>
<goals>
<goal>sign</goal>
</goals>
<configuration>
<keyname>WebGoat</keyname>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
</profiles>
<dependencies> <dependencies>
<dependency> <dependency>
<groupId>org.projectlombok</groupId> <groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId> <artifactId>lombok</artifactId>
<scope>provided</scope> <scope>provided</scope>
<version>${lombok.version}</version>
<optional>true</optional> <optional>true</optional>
</dependency> </dependency>
<dependency> <dependency>
@ -303,10 +205,25 @@
<artifactId>commons-exec</artifactId> <artifactId>commons-exec</artifactId>
<version>1.3</version> <version>1.3</version>
</dependency> </dependency>
<dependency>
<groupId>javax.xml.bind</groupId>
<artifactId>jaxb-api</artifactId>
<version>2.3.0</version>
</dependency>
</dependencies> </dependencies>
<build> <build>
<plugins> <plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>${maven-compiler-plugin.version}</version>
<configuration>
<source>11</source>
<target>11</target>
<encoding>UTF-8</encoding>
</configuration>
</plugin>
<plugin> <plugin>
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-release-plugin</artifactId> <artifactId>maven-release-plugin</artifactId>
@ -324,7 +241,7 @@
<artifactId>coveralls-maven-plugin</artifactId> <artifactId>coveralls-maven-plugin</artifactId>
<version>${coveralls-maven-plugin.version}</version> <version>${coveralls-maven-plugin.version}</version>
<configuration> <configuration>
<repoToken /> <repoToken/>
</configuration> </configuration>
</plugin> </plugin>
<plugin> <plugin>
@ -332,22 +249,13 @@
<artifactId>cobertura-maven-plugin</artifactId> <artifactId>cobertura-maven-plugin</artifactId>
<version>${cobertura-maven-plugin.version}</version> <version>${cobertura-maven-plugin.version}</version>
<configuration> <configuration>
<check /> <check/>
<format>xml</format> <format>xml</format>
<maxmem>256m</maxmem> <maxmem>256m</maxmem>
<!-- aggregated reports for multi-module projects --> <!-- aggregated reports for multi-module projects -->
<aggregate>true</aggregate> <aggregate>true</aggregate>
</configuration> </configuration>
</plugin> </plugin>
<plugin>
<groupId>com.versioneye</groupId>
<artifactId>versioneye-maven-plugin</artifactId>
<version>${versioneye-maven-plugin.version}</version>
<configuration>
<apiKey>a1e4a9da4ed34ee44cab</apiKey>
<projectId>562da95be346d7000e0369ac</projectId>
</configuration>
</plugin>
</plugins> </plugins>
</build> </build>

34
scripts/build-all.sh Executable file
View File

@ -0,0 +1,34 @@
#!/usr/bin/env bash
cd ..
nc -zv 127.0.0.1 8080 2>/dev/null
SUCCESS=$?
nc -zv 127.0.0.1 9090 2>/dev/null
SUCCESS=${SUCCESS}$?
if [[ "${SUCCESS}" -eq 0 ]] ; then
echo "WebGoat and or WebWolf are still running, please stop them first otherwise unit tests might fail!"
exit 127
fi
sh mvnw clean install
if [[ "$?" -ne 0 ]] ; then
exit y$?
fi
cd -
sh build_docker.sh
if [[ "$?" -ne 0 ]] ; then
exit y$?
fi
while true; do
read -p "Do you want to run docker-compose?" yn
case ${yn} in
[Yy]* ) sh clean-run-docker-compose.sh; break;;
[Nn]* ) exit;;
* ) echo "Please answer yes or no.";;
esac
done

10
scripts/build_docker.sh Normal file
View File

@ -0,0 +1,10 @@
#!/bin/bash
WEBGOAT_HOME=$(pwd)/../
cd "${WEBGOAT_HOME}"/webgoat-server
docker build -t webgoat/webgoat-v8.0.0.snapshot .
cd "${WEBGOAT_HOME}"/webwolf
docker build -t webgoat/webwolf-v8.0.0.snapshot .

View File

@ -0,0 +1,5 @@
#!/usr/bin/env bash
cd ..
docker-compose rm -f
docker-compose -f docker-compose-local.yml up

View File

@ -6,14 +6,14 @@ export REPO=webgoat/webgoat-8.0
cd webgoat-server cd webgoat-server
ls target/ ls target/
if [ "${BRANCH}" == "master" ] && [ ! -z "${TRAVIS_TAG}" ]; then if [ ! -z "${TRAVIS_TAG}" ]; then
# If we push a tag to master this will update the LATEST Docker image and tag with the version number # If we push a tag to master this will update the LATEST Docker image and tag with the version number
docker build --build-arg webgoat_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:latest -t $REPO:${TRAVIS_TAG} . docker build --build-arg webgoat_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:latest -t $REPO:${TRAVIS_TAG} .
docker push $REPO docker push $REPO
elif [ ! -z "${TRAVIS_TAG}" ]; then #elif [ ! -z "${TRAVIS_TAG}" ]; then
# Creating a tag build we push it to Docker with that tag # # Creating a tag build we push it to Docker with that tag
docker build --build-arg webgoat_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:${TRAVIS_TAG} -t $REPO:latest . # docker build --build-arg webgoat_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:${TRAVIS_TAG} -t $REPO:latest .
docker push $REPO # docker push $REPO
#elif [ "${BRANCH}" == "develop" ]; then #elif [ "${BRANCH}" == "develop" ]; then
# docker build -f Dockerfile -t $REPO:snapshot . # docker build -f Dockerfile -t $REPO:snapshot .
# docker push $REPO # docker push $REPO
@ -27,14 +27,10 @@ cd ..
cd webwolf cd webwolf
ls target/ ls target/
if [ "${BRANCH}" == "master" ] && [ ! -z "${TRAVIS_TAG}" ]; then if [ ! -z "${TRAVIS_TAG}" ]; then
# If we push a tag to master this will update the LATEST Docker image and tag with the version number # If we push a tag to master this will update the LATEST Docker image and tag with the version number
docker build --build-arg webwolf_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:latest -t $REPO:${TRAVIS_TAG} . docker build --build-arg webwolf_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:latest -t $REPO:${TRAVIS_TAG} .
docker push $REPO docker push $REPO
elif [ ! -z "${TRAVIS_TAG}" ]; then
# Creating a tag build we push it to Docker with that tag
docker build --build-arg webwolf_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:${TRAVIS_TAG} -t $REPO:latest .
docker push $REPO
else else
echo "Skipping releasing to DockerHub because it is a build of branch ${BRANCH}" echo "Skipping releasing to DockerHub because it is a build of branch ${BRANCH}"
fi fi

View File

@ -0,0 +1,4 @@
#!/usr/bin/env bash
cd ..
docker-compose up

18
scripts/start.sh Normal file
View File

@ -0,0 +1,18 @@
#!/usr/bin/env bash
DATABASE_PORT=9001
checkDatabaseAvailable(){
#for i in $(seq 1 5); do command && s=0 && break || s=$? && sleep 15; done; (exit $s)
local started = $(netstat -lnt | grep ${DATABASE_PORT})
echo $?
}
#java -Djava.security.egd=file:/dev/./urandom -jar home/webgoat/webgoat.jar --server.address=0.0.0.0
$(checkDatabaseAvailable)
#java -Djava.security.egd=file:/dev/./urandom -jar /home/webwolf/webwolf.jar --server.port=9090 --server.address=0.0.0.0

View File

@ -10,7 +10,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat</groupId> <groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-parent</artifactId> <artifactId>webgoat-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.M22</version>
</parent> </parent>
<profiles> <profiles>
@ -64,16 +64,6 @@
<useDefaultDelimiters>false</useDefaultDelimiters> <useDefaultDelimiters>false</useDefaultDelimiters>
</configuration> </configuration>
</plugin> </plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>${maven-compiler-plugin.version}</version>
<configuration>
<source>1.8</source>
<target>1.8</target>
<encoding>ISO-8859-1</encoding>
</configuration>
</plugin>
<plugin> <plugin>
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId> <artifactId>maven-surefire-plugin</artifactId>
@ -191,7 +181,9 @@
<artifactId>junit</artifactId> <artifactId>junit</artifactId>
<version>${junit.version}</version> <version>${junit.version}</version>
<type>jar</type> <type>jar</type>
<scope>test</scope>
</dependency> </dependency>
<!-- ************* END: Dependencies for Unit and Integration Testing ************** --> <!-- ************* END: Dependencies for Unit and Integration Testing ************** -->
<!-- ************* END: <dependencies> ************** --> <!-- ************* END: <dependencies> ************** -->
</dependencies> </dependencies>

View File

@ -37,6 +37,7 @@ import org.asciidoctor.Asciidoctor;
import org.asciidoctor.extension.JavaExtensionRegistry; import org.asciidoctor.extension.JavaExtensionRegistry;
import org.owasp.webgoat.asciidoc.WebGoatVersionMacro; import org.owasp.webgoat.asciidoc.WebGoatVersionMacro;
import org.owasp.webgoat.asciidoc.WebWolfMacro; import org.owasp.webgoat.asciidoc.WebWolfMacro;
import org.owasp.webgoat.asciidoc.WebWolfRootMacro;
import org.owasp.webgoat.i18n.Language; import org.owasp.webgoat.i18n.Language;
import org.thymeleaf.TemplateProcessingParameters; import org.thymeleaf.TemplateProcessingParameters;
import org.thymeleaf.resourceresolver.IResourceResolver; import org.thymeleaf.resourceresolver.IResourceResolver;
@ -87,6 +88,7 @@ public class AsciiDoctorTemplateResolver extends TemplateResolver {
StringWriter writer = new StringWriter(); StringWriter writer = new StringWriter();
JavaExtensionRegistry extensionRegistry = asciidoctor.javaExtensionRegistry(); JavaExtensionRegistry extensionRegistry = asciidoctor.javaExtensionRegistry();
extensionRegistry.inlineMacro("webWolfLink", WebWolfMacro.class); extensionRegistry.inlineMacro("webWolfLink", WebWolfMacro.class);
extensionRegistry.inlineMacro("webWolfRootLink", WebWolfRootMacro.class);
extensionRegistry.inlineMacro("webGoatVersion", WebGoatVersionMacro.class); extensionRegistry.inlineMacro("webGoatVersion", WebGoatVersionMacro.class);
asciidoctor.convert(new InputStreamReader(is), writer, createAttributes()); asciidoctor.convert(new InputStreamReader(is), writer, createAttributes());

View File

@ -45,6 +45,10 @@ public class WebWolfMacro extends InlineMacroProcessor {
HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest(); HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
String ip = request.getRemoteAddr(); String ip = request.getRemoteAddr();
String hostname = StringUtils.hasText(ip) ? ip : host; String hostname = StringUtils.hasText(ip) ? ip : host;
return "http://" + hostname + ":" + port + "/WebWolf"; return "http://" + hostname + ":" + port + (includeWebWolfContext() ? "/WebWolf" : "");
}
protected boolean includeWebWolfContext() {
return true;
} }
} }

View File

@ -0,0 +1,20 @@
package org.owasp.webgoat.asciidoc;
import java.util.Map;
/**
* Usage in asciidoc:
* <p>
* webWolfLink:here[] will display a href with here as text
* webWolfLink:landing[noLink] will display the complete url, for example: http://WW_HOST:WW_PORT/landing
*/
public class WebWolfRootMacro extends WebWolfMacro {
public WebWolfRootMacro(String macroName, Map<String, Object> config) {
super(macroName, config);
}
protected boolean includeWebWolfContext() {
return false;
}
}

View File

@ -232,7 +232,7 @@ public class CreateDB {
// Create the new table // Create the new table
try { try {
String createTableStatement = "CREATE TABLE user_system_data (" + "userid varchar(5) not null primary key," String createTableStatement = "CREATE TABLE user_system_data (" + "userid int not null primary key,"
+ "user_name varchar(12)," + "password varchar(10)," + "cookie varchar(30)" + ")"; + "user_name varchar(12)," + "password varchar(10)," + "cookie varchar(30)" + ")";
statement.executeUpdate(createTableStatement); statement.executeUpdate(createTableStatement);
} catch (SQLException e) { } catch (SQLException e) {
@ -240,11 +240,11 @@ public class CreateDB {
} }
// Populate // Populate
String insertData1 = "INSERT INTO user_system_data VALUES ('101','jsnow','passwd1', '')"; String insertData1 = "INSERT INTO user_system_data VALUES (101,'jsnow','passwd1', '')";
String insertData2 = "INSERT INTO user_system_data VALUES ('102','jdoe','passwd2', '')"; String insertData2 = "INSERT INTO user_system_data VALUES (102,'jdoe','passwd2', '')";
String insertData3 = "INSERT INTO user_system_data VALUES ('103','jplane','passwd3', '')"; String insertData3 = "INSERT INTO user_system_data VALUES (103,'jplane','passwd3', '')";
String insertData4 = "INSERT INTO user_system_data VALUES ('104','jeff','jeff', '')"; String insertData4 = "INSERT INTO user_system_data VALUES (104,'jeff','jeff', '')";
String insertData5 = "INSERT INTO user_system_data VALUES ('105','dave','dave', '')"; String insertData5 = "INSERT INTO user_system_data VALUES (105,'dave','passW0rD', '')";
statement.executeUpdate(insertData1); statement.executeUpdate(insertData1);
statement.executeUpdate(insertData2); statement.executeUpdate(insertData2);
statement.executeUpdate(insertData3); statement.executeUpdate(insertData3);

View File

@ -4,6 +4,7 @@ import lombok.Getter;
import lombok.Setter; import lombok.Setter;
import javax.validation.constraints.NotNull; import javax.validation.constraints.NotNull;
import javax.validation.constraints.Pattern;
import javax.validation.constraints.Size; import javax.validation.constraints.Size;
/** /**
@ -16,6 +17,7 @@ public class UserForm {
@NotNull @NotNull
@Size(min=6, max=20) @Size(min=6, max=20)
@Pattern(regexp = "[a-zA-Z0-9-]*", message = "can only contain letters, digits, and -")
private String username; private String username;
@NotNull @NotNull
@Size(min=6, max=10) @Size(min=6, max=10)

View File

@ -37,7 +37,7 @@ webgoat.database.connection.string=jdbc:hsqldb:mem:{USER}
webgoat.default.language=en webgoat.default.language=en
webwolf.host=${WEBWOLF_HOST:localhost} webwolf.host=${WEBWOLF_HOST:localhost}
webwolf.port=${WEBWOLF_PORT:8081} webwolf.port=${WEBWOLF_PORT:9090}
webwolf.url=http://${webwolf.host}:${webwolf.port}/WebWolf webwolf.url=http://${webwolf.host}:${webwolf.port}/WebWolf
webwolf.url.landingpage=http://${webwolf.host}:${webwolf.port}/landing webwolf.url.landingpage=http://${webwolf.host}:${webwolf.port}/landing
webwolf.url.mail=http://${webwolf.host}:${webwolf.port}/mail webwolf.url.mail=http://${webwolf.host}:${webwolf.port}/mail

View File

@ -79,6 +79,7 @@ define(['jquery',
this.listenTo(this.lessonHintView, 'hints:hideButton', this.onHideHintsButton); this.listenTo(this.lessonHintView, 'hints:hideButton', this.onHideHintsButton);
this.lessonContentView.navToPage(pageNum); this.lessonContentView.navToPage(pageNum);
this.lessonHintView.hideHints(); this.lessonHintView.hideHints();
this.lessonHintView.showFirstHint();
//this.lessonHintView.selectHints(); //this.lessonHintView.selectHints();
this.titleView.render(this.lessonInfoModel.get('lessonTitle')); this.titleView.render(this.lessonInfoModel.get('lessonTitle'));
return; return;
@ -160,7 +161,7 @@ define(['jquery',
} }
// //
this.lessonHintView.render(); this.lessonHintView.render();
if (this.lessonHintView.getHintsCount > 0) { if (this.lessonHintView.getHintsCount() > 0) {
this.helpControlsView.showHintsButton(); this.helpControlsView.showHintsButton();
} else { } else {
this.helpControlsView.hideHintsButton(); this.helpControlsView.hideHintsButton();

View File

@ -32,7 +32,11 @@ define(['jquery',
} }
this.set('content',content); this.set('content',content);
this.set('lessonUrl',document.URL.replace(/\.lesson.*/,'.lesson')); this.set('lessonUrl',document.URL.replace(/\.lesson.*/,'.lesson'));
this.set('pageNum',document.URL.replace(/.*\.lesson\/(\d{1,4})$/,'$1')); if (/.*\.lesson\/(\d{1,4})$/.test(document.URL)) {
this.set('pageNum',document.URL.replace(/.*\.lesson\/(\d{1,4})$/,'$1'));
} else {
this.set('pageNum',0);
}
this.trigger('content:loaded',this,loadHelps); this.trigger('content:loaded',this,loadHelps);
}, },

View File

@ -32,21 +32,19 @@ function($,
toggleLabel: function() { toggleLabel: function() {
if (this.isVisible()) { if (this.isVisible()) {
$('show-hints-button').text('Hide hints'); $('#show-hints-button').text('Hide hints');
} else { } else {
$('show-hints-button').text('Show hints'); $('#show-hints-button').text('Show hints');
} }
}, },
render:function() { render:function() {
if (this.isVisible()) { if (this.isVisible()) {
this.$el.hide(350); this.$el.hide(350, this.toggleLabel.bind(this));
} else if (this.hintsToShow.length > 0) { } else if (this.hintsToShow.length > 0) {
this.$el.show(350); this.$el.show(350, this.toggleLabel.bind(this));
} }
this.toggleLabel()
if (this.hintsToShow.length > 0) { if (this.hintsToShow.length > 0) {
this.hideShowPrevNextButtons(); this.hideShowPrevNextButtons();
} }
@ -90,9 +88,9 @@ function($,
hideHints: function() { hideHints: function() {
if (this.$el.is(':visible')) { if (this.$el.is(':visible')) {
this.$el.hide(350); this.$el.hide(350, this.toggleLabel.bind(this));
} }
}, },
showNextHint: function() { showNextHint: function() {
this.curHint = (this.curHint < this.hintsToShow.length -1) ? this.curHint+1 : this.curHint; this.curHint = (this.curHint < this.hintsToShow.length -1) ? this.curHint+1 : this.curHint;
@ -106,6 +104,12 @@ function($,
this.displayHint(this.curHint); this.displayHint(this.curHint);
}, },
showFirstHint: function() {
this.curHint = 0;
this.hideShowPrevNextButtons();
this.displayHint(this.curHint);
},
displayHint: function(curHint) { displayHint: function(curHint) {
if(this.hintsToShow.length == 0) { if(this.hintsToShow.length == 0) {
// this.hideHints(); // this.hideHints();

View File

@ -123,8 +123,9 @@
<section class="main-content-wrapper"> <section class="main-content-wrapper">
<section id="main-content"> <!--ng-controller="goatLesson"--> <section id="main-content"> <!--ng-controller="goatLesson"-->
<div id="lesson-page" class="pages"> <div id="lesson-page" class="pages">
<span th:text="${numUsers}"> Users in WebGoat</span> <span th:text="${numUsers}"></span>
<!-- iterate over users below -->su <span> Users in WebGoat</span>
<div sec:authorize="hasAuthority('WEBGOAT_ADMIN')"> <div sec:authorize="hasAuthority('WEBGOAT_ADMIN')">
<h3>WebGoat Users</h3> <h3>WebGoat Users</h3>
<div th:each="user : ${allUsers}"> <div th:each="user : ${allUsers}">

View File

@ -3,7 +3,7 @@
Vagrant.configure(2) do |config| Vagrant.configure(2) do |config|
config.vm.box = "ubuntu/trusty64" config.vm.box = "ubuntu/trusty64"
config.vm.network :forwarded_port, guest: 8080, host: 8080 config.vm.network :forwarded_port, guest: 8080, host: 8080
config.vm.network :forwarded_port, guest: 8081, host: 8081 config.vm.network :forwarded_port, guest: 9090, host: 9090
config.vm.provider "virtualbox" do |vb| config.vm.provider "virtualbox" do |vb|
vb.gui = false vb.gui = false
vb.memory = "4096" vb.memory = "4096"
@ -19,17 +19,17 @@ Vagrant.configure(2) do |config|
end end
config.vm.provision "shell", inline: <<-SHELL config.vm.provision "shell", inline: <<-SHELL
wget https://github.com/WebGoat/WebGoat/releases/download/v8.0.0.RELEASE/webgoat-server-8.0.0.RELEASE.jar wget https://github.com/WebGoat/WebGoat/releases/download/v8.0.0.M21/webgoat-server-8.0.0.M21.jar
wget https://github.com/WebGoat/WebGoat/releases/download/v8.0.0.RELEASE/webwolf-8.0.0.RELEASE.jar wget https://github.com/WebGoat/WebGoat/releases/download/v8.0.0.M21/webwolf-8.0.0.M21.jar
sudo add-apt-repository ppa:openjdk-r/ppa sudo add-apt-repository ppa:openjdk-r/ppa
sudo apt-get update sudo apt-get update
sudo apt-get install openjdk-8-jre -y sudo apt-get install openjdk-8-jre -y
SHELL SHELL
config.vm.provision "shell", run: "always", privileged: false, inline: <<-SHELL config.vm.provision "shell", run: "always", privileged: false, inline: <<-SHELL
java -jar webgoat-server-8.0.0.RELEASE.jar & java -jar webgoat-server-8.0.0.M21.jar --server.address=0.0.0.0 &
sleep 40s sleep 40s
java -jar webwolf-8.0.0.RELEASE.jar java -jar webwolf-8.0.0.M21.jar --server.address=0.0.0.0 &
SHELL SHELL
end end

View File

@ -6,7 +6,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.M22</version>
</parent> </parent>
</project> </project>

View File

@ -58,7 +58,7 @@ public class AccountVerificationHelper {
return false; return false;
} }
if (submittedQuestions.containsKey("secQuestion1") && !submittedQuestions.get("seQuestion1").equals(secQuestionStore.get(verifyUserId).get("secQuestion1"))) { if (submittedQuestions.containsKey("secQuestion1") && !submittedQuestions.get("secQuestion1").equals(secQuestionStore.get(verifyUserId).get("secQuestion1"))) {
return false; return false;
} }

View File

@ -6,6 +6,6 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.M22</version>
</parent> </parent>
</project> </project>

View File

@ -6,7 +6,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.M22</version>
</parent> </parent>

View File

@ -11,7 +11,5 @@ public interface SolutionConstants {
//TODO should be random generated when starting the server //TODO should be random generated when starting the server
String PASSWORD = "!!webgoat_admin_1234!!"; String PASSWORD = "!!webgoat_admin_1234!!";
String PASSWORD_TOM = "thisisasecretfortomonly"; String PASSWORD_TOM = "thisisasecretfortomonly";
String PASSWORD_LARRY = "larryknows";
String JWT_PASSWORD = "victory";
String ADMIN_PASSWORD_LINK = "375afe1104f4a487a73823c50a9292a2"; String ADMIN_PASSWORD_LINK = "375afe1104f4a487a73823c50a9292a2";
} }

View File

@ -1,150 +0,0 @@
package org.owasp.webgoat.plugin.challenge3;
import com.beust.jcommander.internal.Lists;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.collect.EvictingQueue;
import com.google.common.collect.Maps;
import com.google.common.io.Files;
import lombok.SneakyThrows;
import lombok.extern.slf4j.Slf4j;
import org.joda.time.DateTime;
import org.joda.time.format.DateTimeFormat;
import org.joda.time.format.DateTimeFormatter;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.plugin.Flag;
import org.owasp.webgoat.session.WebSession;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.annotation.PostConstruct;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.Unmarshaller;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamReader;
import java.io.File;
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.Charset;
import java.util.Collection;
import java.util.Map;
import static org.springframework.http.MediaType.ALL_VALUE;
import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
import static org.springframework.web.bind.annotation.RequestMethod.GET;
import static org.springframework.web.bind.annotation.RequestMethod.POST;
/**
* @author nbaars
* @since 4/8/17.
*/
@AssignmentPath("/challenge/3")
@Slf4j
public class Assignment3 extends AssignmentEndpoint {
@Value("${webgoat.server.directory}")
private String webGoatHomeDirectory;
@Autowired
private WebSession webSession;
private static DateTimeFormatter fmt = DateTimeFormat.forPattern("yyyy-MM-dd, HH:mm:ss");
private static final Map<String, EvictingQueue<Comment>> userComments = Maps.newHashMap();
private static final EvictingQueue<Comment> comments = EvictingQueue.create(100);
private static final String secretContents = "Congratulations you may now collect your flag";
static {
comments.add(new Comment("webgoat", DateTime.now().toString(fmt), "Silly cat...."));
comments.add(new Comment("guest", DateTime.now().toString(fmt), "I think I will use this picture in one of my projects."));
comments.add(new Comment("guest", DateTime.now().toString(fmt), "Lol!! :-)."));
}
@PostConstruct
@SneakyThrows
public void copyFile() {
File targetDirectory = new File(webGoatHomeDirectory);
if (!targetDirectory.exists()) {
targetDirectory.mkdir();
}
log.info("Copied secret.txt to: {}", targetDirectory);
Files.write(secretContents, new File(targetDirectory, "secret.txt"), Charset.defaultCharset());
}
@RequestMapping(method = GET, produces = MediaType.APPLICATION_JSON_VALUE)
@ResponseBody
public Collection<Comment> retrieveComments() {
Collection<Comment> allComments = Lists.newArrayList();
Collection<Comment> xmlComments = userComments.get(webSession.getUserName());
if (xmlComments != null) {
allComments.addAll(xmlComments);
}
allComments.addAll(comments);
return allComments;
}
@RequestMapping(method = POST, consumes = ALL_VALUE, produces = APPLICATION_JSON_VALUE)
@ResponseBody
public AttackResult createNewComment(@RequestBody String commentStr, @RequestHeader("Content-Type") String contentType) throws Exception {
Comment comment = null;
AttackResult attackResult = failed().build();
if (APPLICATION_JSON_VALUE.equals(contentType)) {
comment = parseJson(commentStr);
comment.setDateTime(DateTime.now().toString(fmt));
comment.setUser(webSession.getUserName());
comments.add(comment);
}
if (MediaType.APPLICATION_XML_VALUE.equals(contentType)) {
//Do not show these comments to all users
comment = parseXml(commentStr);
comment.setDateTime(DateTime.now().toString(fmt));
comment.setUser(webSession.getUserName());
EvictingQueue<Comment> comments = userComments.getOrDefault(webSession.getUserName(), EvictingQueue.create(100));
comments.add(comment);
userComments.put(webSession.getUserName(), comments);
}
if (checkSolution(comment)) {
attackResult = success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(3)).build();
}
return attackResult;
}
private boolean checkSolution(Comment comment) {
if (comment.getText().contains(secretContents)) {
comment.setText("Congratulations to " + webSession.getUserName() + " for finding the flag!! Check your original response where you posted the XXE attack ");
comments.add(comment);
return true;
}
return false;
}
public static Comment parseXml(String xml) throws Exception {
JAXBContext jc = JAXBContext.newInstance(Comment.class);
XMLInputFactory xif = XMLInputFactory.newFactory();
xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, true);
xif.setProperty(XMLInputFactory.IS_VALIDATING, false);
xif.setProperty(XMLInputFactory.SUPPORT_DTD, true);
XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(xml));
Unmarshaller unmarshaller = jc.createUnmarshaller();
return (Comment) unmarshaller.unmarshal(xsr);
}
private Comment parseJson(String comment) {
ObjectMapper mapper = new ObjectMapper();
try {
return mapper.readValue(comment, Comment.class);
} catch (IOException e) {
return new Comment();
}
}
}

View File

@ -1,39 +0,0 @@
package org.owasp.webgoat.plugin.challenge3;
import com.google.common.collect.Lists;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import java.util.List;
/**
* @author nbaars
* @since 3/21/17.
*/
public class Challenge3 extends NewLesson {
@Override
public Category getDefaultCategory() {
return Category.CHALLENGE;
}
@Override
public List<String> getHints() {
return Lists.newArrayList();
}
@Override
public Integer getDefaultRanking() {
return 10;
}
@Override
public String getTitle() {
return "challenge3.title";
}
@Override
public String getId() {
return "Challenge3";
}
}

View File

@ -1,24 +0,0 @@
package org.owasp.webgoat.plugin.challenge3;
import lombok.AllArgsConstructor;
import lombok.Getter;
import lombok.NoArgsConstructor;
import lombok.Setter;
import javax.xml.bind.annotation.XmlRootElement;
/**
* @author nbaars
* @since 4/8/17.
*/
@Getter
@Setter
@AllArgsConstructor
@NoArgsConstructor
@XmlRootElement
public class Comment {
private String user;
private String dateTime;
private String text;
}

View File

@ -1,17 +0,0 @@
package org.owasp.webgoat.plugin.challenge4;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
/**
* @author nbaars
* @since 5/3/17.
*/
@AssignmentPath("/challenge/4")
@Slf4j
public class Assignment4 extends AssignmentEndpoint {
//just empty, posting the flag will mark the challenge as done as well no need to specify an endpoint here
}

View File

@ -1,39 +0,0 @@
package org.owasp.webgoat.plugin.challenge4;
import com.google.common.collect.Lists;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import java.util.List;
/**
* @author nbaars
* @since 3/21/17.
*/
public class Challenge4 extends NewLesson {
@Override
public Category getDefaultCategory() {
return Category.CHALLENGE;
}
@Override
public List<String> getHints() {
return Lists.newArrayList();
}
@Override
public Integer getDefaultRanking() {
return 10;
}
@Override
public String getTitle() {
return "challenge4.title";
}
@Override
public String getId() {
return "Challenge4";
}
}

View File

@ -1,16 +0,0 @@
package org.owasp.webgoat.plugin.challenge4;
/**
* @author nbaars
* @since 4/30/17.
*/
public class Views {
interface GuestView {
}
interface UserView extends GuestView {
}
interface AdminView extends UserView {
}
}

View File

@ -1,49 +0,0 @@
package org.owasp.webgoat.plugin.challenge4;
import com.fasterxml.jackson.annotation.JsonView;
import lombok.Getter;
import lombok.Setter;
/**
* @author nbaars
* @since 5/2/17.
*/
@Getter
public class Vote {
@JsonView(Views.GuestView.class)
private final String title;
@JsonView(Views.GuestView.class)
private final String information;
@JsonView(Views.GuestView.class)
private final String imageSmall;
@JsonView(Views.GuestView.class)
private final String imageBig;
@JsonView(Views.UserView.class)
private int numberOfVotes;
@JsonView(Views.AdminView.class)
@Setter
private String flag;
@JsonView(Views.UserView.class)
private boolean votingAllowed = true;
@JsonView(Views.UserView.class)
private long average = 0;
public Vote(String title, String information, String imageSmall, String imageBig, int numberOfVotes, int totalVotes) {
this.title = title;
this.information = information;
this.imageSmall = imageSmall;
this.imageBig = imageBig;
this.numberOfVotes = numberOfVotes;
this.average = calculateStars(totalVotes);
}
public void incrementNumberOfVotes(int totalVotes) {
this.numberOfVotes = this.numberOfVotes + 1;
this.average = calculateStars(totalVotes);
}
private long calculateStars(int totalVotes) {
return Math.round(((double) numberOfVotes / (double) totalVotes) * 4);
}
}

View File

@ -1,124 +0,0 @@
package org.owasp.webgoat.plugin.challenge4;
import com.google.common.collect.Maps;
import io.jsonwebtoken.*;
import org.apache.commons.lang3.StringUtils;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.http.converter.json.MappingJacksonValue;
import org.springframework.web.bind.annotation.*;
import javax.annotation.PostConstruct;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import java.util.Collection;
import java.util.Date;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import static java.util.Comparator.comparingLong;
import static java.util.Optional.ofNullable;
import static java.util.stream.Collectors.toList;
import static org.owasp.webgoat.plugin.Flag.FLAGS;
import static org.owasp.webgoat.plugin.SolutionConstants.JWT_PASSWORD;
/**
* @author nbaars
* @since 4/23/17.
*/
@RestController
@RequestMapping("/votings")
public class VotesEndpoint {
private static String validUsers = "TomJerrySylvester";
private static int totalVotes = 38929;
private Map<String, Vote> votes = Maps.newHashMap();
@PostConstruct
public void initVotes() {
votes.put("Admin lost password", new Vote("Admin lost password",
"In this challenge you will need to help the admin and find the password in order to login",
"challenge1-small.png", "challenge1.png", 36000, totalVotes));
votes.put("Vote for your favourite",
new Vote("Vote for your favourite",
"In this challenge ...",
"challenge5-small.png", "challenge5.png", 30000, totalVotes));
votes.put("Get it for free",
new Vote("Get it for free",
"The objective for this challenge is to buy a Samsung phone for free.",
"challenge2-small.png", "challenge2.png", 20000, totalVotes));
votes.put("Photo comments",
new Vote("Photo comments",
"n this challenge you can comment on the photo you will need to find the flag somewhere.",
"challenge3-small.png", "challenge3.png", 10000, totalVotes));
}
@GetMapping("/login")
public void login(@RequestParam("user") String user, HttpServletResponse response) {
if (validUsers.contains(user)) {
Map<String, Object> claims = Maps.newHashMap();
claims.put("admin", "false");
claims.put("user", user);
String token = Jwts.builder()
.setIssuedAt(new Date(System.currentTimeMillis() + TimeUnit.DAYS.toDays(10)))
.setClaims(claims)
.signWith(SignatureAlgorithm.HS512, JWT_PASSWORD)
.compact();
Cookie cookie = new Cookie("access_token", token);
response.addCookie(cookie);
response.setStatus(HttpStatus.OK.value());
} else {
Cookie cookie = new Cookie("access_token", "");
response.addCookie(cookie);
response.setStatus(HttpStatus.UNAUTHORIZED.value());
}
}
@GetMapping
public MappingJacksonValue getVotes(@CookieValue(value = "access_token", required = false) String accessToken) {
MappingJacksonValue value = new MappingJacksonValue(votes.values().stream().sorted(comparingLong(Vote::getAverage).reversed()).collect(toList()));
if (StringUtils.isEmpty(accessToken)) {
value.setSerializationView(Views.GuestView.class);
} else {
try {
Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(accessToken);
Claims claims = (Claims) jwt.getBody();
String user = (String) claims.get("user");
boolean isAdmin = Boolean.valueOf((String) claims.get("admin"));
if ("Guest".equals(user) || !validUsers.contains(user)) {
value.setSerializationView(Views.GuestView.class);
} else {
((Collection<Vote>) value.getValue()).forEach(v -> v.setFlag(FLAGS.get(4)));
value.setSerializationView(isAdmin ? Views.AdminView.class : Views.UserView.class);
}
} catch (JwtException e) {
value.setSerializationView(Views.GuestView.class);
}
}
return value;
}
@PostMapping(value = "{title}")
@ResponseBody
@ResponseStatus(HttpStatus.ACCEPTED)
public ResponseEntity<?> vote(@PathVariable String title, @CookieValue(value = "access_token", required = false) String accessToken) {
if (StringUtils.isEmpty(accessToken)) {
return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
} else {
try {
Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(accessToken);
Claims claims = (Claims) jwt.getBody();
String user = (String) claims.get("user");
if (validUsers.contains(user)) {
ofNullable(votes.get(title)).ifPresent(v -> v.incrementNumberOfVotes(totalVotes));
return ResponseEntity.accepted().build();
} else {
return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
}
} catch (JwtException e) {
return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
}
}
}
}

View File

@ -1,75 +0,0 @@
/* Component: Posts */
.post .post-heading {
height: 95px;
padding: 20px 15px;
}
.post .post-heading .avatar {
width: 60px;
height: 60px;
display: block;
margin-right: 15px;
}
.post .post-heading .meta .title {
margin-bottom: 0;
}
.post .post-heading .meta .title a {
color: black;
}
.post .post-heading .meta .title a:hover {
color: #aaaaaa;
}
.post .post-heading .meta .time {
margin-top: 8px;
color: #999;
}
.post .post-image .image {
width:20%;
height: 40%;
}
.post .post-description {
padding: 5px;
}
.post .post-footer {
border-top: 1px solid #ddd;
padding: 15px;
}
.post .post-footer .input-group-addon a {
color: #454545;
}
.post .post-footer .comments-list {
padding: 0;
margin-top: 20px;
list-style-type: none;
}
.post .post-footer .comments-list .comment {
display: block;
width: 100%;
margin: 20px 0;
}
.post .post-footer .comments-list .comment .avatar {
width: 35px;
height: 35px;
}
.post .post-footer .comments-list .comment .comment-heading {
display: block;
width: 100%;
}
.post .post-footer .comments-list .comment .comment-heading .user {
font-size: 14px;
font-weight: bold;
display: inline;
margin-top: 0;
margin-right: 10px;
}
.post .post-footer .comments-list .comment .comment-heading .time {
font-size: 12px;
color: #aaa;
margin-top: 0;
display: inline;
}
.post .post-footer .comments-list .comment .comment-body {
margin-left: 50px;
}
.post .post-footer .comments-list .comment > .comments-list {
margin-left: 50px;
}

View File

@ -1,12 +0,0 @@
a.list-group-item {
height:auto;
}
a.list-group-item.active small {
color:#fff;
}
.stars {
margin:20px auto 1px;
}
.img-responsive {
min-width: 100%;
}

View File

@ -1,72 +0,0 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:Challenge_3.adoc"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge3.css}"/>
<script th:src="@{/lesson_js/challenge3.js}" language="JavaScript"></script>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container-fluid">
<div class="panel post">
<div class="post-heading">
<div class="pull-left image">
<img th:src="@{/images/avatar1.png}"
class="img-circle avatar" alt="user profile image"/>
</div>
<div class="pull-left meta">
<div class="title h5">
<a href="#"><b>John Doe</b></a>
uploaded a photo.
</div>
<h6 class="text-muted time">24 days ago</h6>
</div>
</div>
<div class="post-image">
<img th:src="@{images/cat.jpg}" class="image" alt="image post"/>
</div>
<div class="post-description">
</div>
<div class="post-footer">
<div class="input-group">
<input class="form-control" id="commentInput" placeholder="Add a comment" type="text"/>
<span class="input-group-addon">
<i id="postComment" class="fa fa-edit" style="font-size: 20px"></i>
</span>
</div>
<ul class="comments-list">
<div id="list">
</div>
</ul>
</div>
</div>
</div>
<form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
<div class="form-group">
<div class="input-group">
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
style="font-size:20px"></i></div>
<input type="text" class="form-control" id="flag" name="flag"
placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/>
</div>
<div class="input-group" style="margin-top: 10px">
<button type="submit" class="btn btn-primary">Submit flag</button>
</div>
</div>
</form>
<br/>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</html>

View File

@ -1,75 +0,0 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:Challenge_4.adoc"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge4.css}"/>
<script th:src="@{/lesson_js/bootstrap.min.js}" language="JavaScript"></script>
<script th:src="@{/lesson_js/challenge4.js}" language="JavaScript"></script>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container-fluid">
<div class="row">
<div class="well">
<div class="pull-right">
<div class="dropdown">
<button type="button" data-toggle="dropdown" class="btn btn-default dropdown-toggle">
<i class="fa fa-user"></i> <span class="caret"></span>
</button>
<ul class="dropdown-menu dropdown-menu-left">
<li role="presentation"><a role="menuitem" tabindex="-1"
onclick="javascript:login('Guest')"
th:text="Guest">current</a></li>
<li role="presentation"><a role="menuitem" tabindex="-1"
onclick="javascript:login('Tom')"
th:text="Tom">current</a></li>
<li role="presentation"><a role="menuitem" tabindex="-1"
onclick="javascript:login('Jerry')"
th:text="Jerry">current</a></li>
<li role="presentation"><a role="menuitem" tabindex="-1"
onclick="javascript:login('Sylvester')"
th:text="Sylvester">current</a></li>
</ul>
</div>
<div>
<p class="text-right">Welcome back, <b><span id="name"></span></b></p>
</div>
</div>
<div>
<h3>Vote for your favorite</h3>
</div>
<div id ="votesList" class="list-group">
</div>
</div>
</div>
</div>
<br/>
<form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
<div class="form-group">
<div class="input-group">
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
style="font-size:20px"></i></div>
<input type="text" class="form-control" id="flag" name="flag"
placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/>
</div>
<div class="input-group" style="margin-top: 10px">
<button type="submit" class="btn btn-primary">Submit flag</button>
</div>
</div>
</form>
<br/>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</html>

View File

@ -2,7 +2,6 @@ challenge0.title=WebGoat Challenge
challenge1.title=Admin lost password challenge1.title=Admin lost password
challenge2.title=Get it for free challenge2.title=Get it for free
challenge3.title=Photo comments challenge3.title=Photo comments
challenge4.title=Voting
challenge5.title=Without password challenge5.title=Without password
challenge6.title=Creating a new account challenge6.title=Creating a new account
challenge7.title=Admin password reset challenge7.title=Admin password reset

Binary file not shown.

Before

Width:  |  Height:  |  Size: 8.9 KiB

View File

@ -1,45 +0,0 @@
$(document).ready(function () {
$("#postComment").on("click", function () {
var commentInput = $("#commentInput").val();
$.ajax({
type: 'POST',
url: 'challenge/3',
data: JSON.stringify({text: commentInput}),
contentType: "application/json",
dataType: 'json'
}).then(
function () {
getChallenges();
$("#commentInput").val('');
}
)
})
var html = '<li class="comment">' +
'<div class="pull-left">' +
'<img class="avatar" src="images/avatar1.png" alt="avatar"/>' +
'</div>' +
'<div class="comment-body">' +
'<div class="comment-heading">' +
'<h4 class="user">USER</h4>' +
'<h5 class="time">DATETIME</h5>' +
'</div>' +
'<p>COMMENT</p>' +
'</div>' +
'</li>';
getChallenges();
function getChallenges() {
$("#list").empty();
$.get("challenge/3", function (result, status) {
for (var i = 0; i < result.length; i++) {
var comment = html.replace('USER', result[i].user);
comment = comment.replace('DATETIME', result[i].dateTime);
comment = comment.replace('COMMENT', result[i].text);
$("#list").append(comment);
}
});
}
})

View File

@ -1,84 +0,0 @@
$(document).ready(function () {
login('Guest');
})
function login(user) {
$("#name").text(user);
$.ajax({
url: "votings/login?user=" + user,
complete: function (result, status) {
getVotings();
}
});
}
var html = '<a href="#" class="list-group-item ACTIVE">' +
'<div class="media col-md-3">' +
'<figure> ' +
'<img class="media-object img-rounded" src="images/IMAGE_SMALL" alt="placehold.it/350x250"/>' +
'</figure>' +
'</div> ' +
'<div class="col-md-6">' +
'<h4 class="list-group-item-heading">TITLE</h4>' +
'<p class="list-group-item-text">INFORMATION</p>' +
'</div>' +
'<div class="col-md-3 text-center">' +
'<h2 HIDDEN_VIEW_VOTES>NO_VOTES' +
'<small HIDDEN_VIEW_VOTES> votes</small>' +
'</h2>' +
'<button type="button" id="TITLE" class="btn BUTTON btn-lg btn-block" onclick="vote(this.id)">Vote Now!</button>' +
'<div style="visibility:HIDDEN_VIEW_RATING;" class="stars"> ' +
'<span class="glyphicon glyphicon-star"></span>' +
'<span class="glyphicon glyphicon-star"></span>' +
'<span class="glyphicon glyphicon-star"></span>' +
'<span class="glyphicon glyphicon-star-empty"></span>' +
'</div>' +
'<p HIDDEN_VIEW_RATING>Average AVERAGE<small> /</small>4</p>' +
'</div>' +
'<div class="clearfix"></div>' +
'</a>';
function getVotings() {
$("#votesList").empty();
$.get("votings/", function (result, status) {
for (var i = 0; i < result.length; i++) {
var voteTemplate = html.replace('IMAGE_SMALL', result[i].imageSmall);
if (i === 0) {
voteTemplate = voteTemplate.replace('ACTIVE', 'active');
voteTemplate = voteTemplate.replace('BUTTON', 'btn-default');
} else {
voteTemplate = voteTemplate.replace('ACTIVE', '');
voteTemplate = voteTemplate.replace('BUTTON', 'btn-primary');
}
voteTemplate = voteTemplate.replace(/TITLE/g, result[i].title);
voteTemplate = voteTemplate.replace('INFORMATION', result[i].information || '');
voteTemplate = voteTemplate.replace('NO_VOTES', result[i].numberOfVotes || '');
voteTemplate = voteTemplate.replace('AVERAGE', result[i].average || '');
var hidden = (result[i].numberOfVotes === undefined ? 'hidden' : '');
voteTemplate = voteTemplate.replace(/HIDDEN_VIEW_VOTES/g, hidden);
hidden = (result[i].average === undefined ? 'hidden' : '');
voteTemplate = voteTemplate.replace(/HIDDEN_VIEW_RATING/g, hidden);
$("#votesList").append(voteTemplate);
}
})
}
function vote(title) {
var user = $("#name").text();
if (user === 'Guest') {
alert("As a guest you are not allowed to vote, please login first.")
} else {
$.ajax({
type: 'POST',
url: 'votings/' + title
}).then(
function () {
getVotings();
}
)
}
}

View File

@ -1 +0,0 @@
Changing language can help you find the 'secret' file

View File

@ -1 +0,0 @@
Try to change to a different user, maybe you can find the flag?

View File

@ -1,161 +0,0 @@
package org.owasp.webgoat.plugin.challenge4;
import org.hamcrest.CoreMatchers;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.runners.MockitoJUnitRunner;
import org.owasp.webgoat.plugin.Flag;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.MvcResult;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import javax.servlet.http.Cookie;
import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.unauthenticated;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
/**
* @author nbaars
* @since 5/2/17.
*/
@RunWith(MockitoJUnitRunner.class)
public class VotesEndpointTest {
private MockMvc mockMvc;
@Before
public void setup() {
VotesEndpoint votesEndpoint = new VotesEndpoint();
votesEndpoint.initVotes();
new Flag().initFlags();
this.mockMvc = standaloneSetup(votesEndpoint).build();
}
@Test
public void loginWithUnknownUser() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
.param("user", "uknown"))
.andExpect(unauthenticated());
}
@Test
public void loginWithTomShouldGiveJwtToken() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
.param("user", "Tom"))
.andExpect(status().isOk()).andExpect(cookie().exists("access_token"));
}
@Test
public void loginWithGuestShouldNotGiveJwtToken() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
.param("user", "Guest"))
.andExpect(unauthenticated()).andExpect(cookie().value("access_token", ""));
}
@Test
public void userShouldSeeMore() throws Exception {
MvcResult mvcResult = mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
.param("user", "Tom"))
.andExpect(status().isOk()).andExpect(cookie().exists("access_token")).andReturn();
mockMvc.perform(MockMvcRequestBuilders.get("/votings")
.cookie(mvcResult.getResponse().getCookie("access_token")))
.andExpect(jsonPath("$.[*].numberOfVotes").exists());
}
@Test
public void guestShouldNotSeeNumberOfVotes() throws Exception {
MvcResult mvcResult = mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
.param("user", "Guest"))
.andExpect(unauthenticated()).andExpect(cookie().exists("access_token")).andReturn();
mockMvc.perform(MockMvcRequestBuilders.get("/votings")
.cookie(mvcResult.getResponse().getCookie("access_token")))
.andExpect(jsonPath("$.[*].numberOfVotes").doesNotExist());
}
@Test
public void adminShouldSeeFlags() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.get("/votings")
.cookie(new Cookie("access_token", "eyJhbGciOiJub25lIn0.eyJhZG1pbiI6InRydWUiLCJ1c2VyIjoiSmVycnkifQ.")))
.andExpect(jsonPath("$.[*].flag").isNotEmpty());
}
@Test
public void votingIsNotAllowedAsGuest() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/votings/Get it for free"))
.andExpect(unauthenticated());
}
@Test
public void normalUserShouldBeAbleToVote() throws Exception {
MvcResult mvcResult = mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
.param("user", "Tom"))
.andExpect(status().isOk()).andExpect(cookie().exists("access_token")).andReturn();
mockMvc.perform(MockMvcRequestBuilders.post("/votings/Get it for free")
.cookie(mvcResult.getResponse().getCookie("access_token")));
mockMvc.perform(MockMvcRequestBuilders.get("/votings/")
.cookie(mvcResult.getResponse().getCookie("access_token")))
.andExpect(jsonPath("$..[?(@.title == 'Get it for free')].numberOfVotes", CoreMatchers.hasItem(20001)));
}
@Test
public void votingForUnknownLessonShouldNotCrash() throws Exception {
MvcResult mvcResult = mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
.param("user", "Tom"))
.andExpect(status().isOk()).andExpect(cookie().exists("access_token")).andReturn();
mockMvc.perform(MockMvcRequestBuilders.post("/votings/UKNOWN_VOTE")
.cookie(mvcResult.getResponse().getCookie("access_token"))).andExpect(status().isAccepted());
}
@Test
public void votingWithInvalidToken() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/votings/UKNOWN_VOTE")
.cookie(new Cookie("access_token", "abc"))).andExpect(unauthenticated());
}
@Test
public void gettingVotesWithInvalidToken() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.get("/votings/")
.cookie(new Cookie("access_token", "abc"))).andExpect(unauthenticated());
}
@Test
public void gettingVotesWithUnknownUserInToken() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.get("/votings/")
.cookie(new Cookie("access_token", "eyJhbGciOiJub25lIn0.eyJhZG1pbiI6InRydWUiLCJ1c2VyIjoiVW5rbm93biJ9.")))
.andExpect(unauthenticated())
.andExpect(jsonPath("$.[*].numberOfVotes").doesNotExist());
}
@Test
public void gettingVotesForUnknownShouldWork() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.get("/votings/")
.cookie(new Cookie("access_token", "eyJhbGciOiJub25lIn0.eyJ1c2VyIjoiVW5rbm93biJ9.")))
.andExpect(unauthenticated())
.andExpect(jsonPath("$.[*].numberOfVotes").doesNotExist());
}
@Test
public void gettingVotesForKnownWithoutAdminFieldShouldWork() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.get("/votings/")
.cookie(new Cookie("access_token", "eyJhbGciOiJub25lIn0.eyJ1c2VyIjoiVG9tIn0.")))
.andExpect(status().isOk())
.andExpect(jsonPath("$.[*].numberOfVotes").exists());
}
@Test
public void gettingVotesWithEmptyToken() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.get("/votings/")
.cookie(new Cookie("access_token", "")))
.andExpect(status().isOk())
.andExpect(jsonPath("$.[*].numberOfVotes").doesNotExist());
}
@Test
public void votingAsUnknownUserShouldNotBeAllowed() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/votings/Get it for free")
.cookie(new Cookie("access_token", "eyJhbGciOiJub25lIn0.eyJ1c2VyIjoiVW5rbm93biJ9.")))
.andExpect(unauthenticated());
}
}

View File

@ -6,7 +6,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.M22</version>
</parent> </parent>
</project> </project>

View File

@ -6,7 +6,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.M22</version>
</parent> </parent>
<build> <build>
<plugins> <plugins>

View File

@ -49,10 +49,7 @@ import org.owasp.encoder.*;
import static org.springframework.http.MediaType.ALL_VALUE; import static org.springframework.http.MediaType.ALL_VALUE;
import java.io.IOException; import java.io.IOException;
import java.util.ArrayList; import java.util.*;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import static org.springframework.web.bind.annotation.RequestMethod.GET; import static org.springframework.web.bind.annotation.RequestMethod.GET;
@ -72,20 +69,19 @@ public class StoredXssComments extends AssignmentEndpoint {
comments.add(new Comment("secUriTy", DateTime.now().toString(fmt), "<script>console.warn('unit test me')</script>Comment for Unit Testing")); comments.add(new Comment("secUriTy", DateTime.now().toString(fmt), "<script>console.warn('unit test me')</script>Comment for Unit Testing"));
comments.add(new Comment("webgoat", DateTime.now().toString(fmt), "This comment is safe")); comments.add(new Comment("webgoat", DateTime.now().toString(fmt), "This comment is safe"));
comments.add(new Comment("guest", DateTime.now().toString(fmt), "This one is safe too.")); comments.add(new Comment("guest", DateTime.now().toString(fmt), "This one is safe too."));
comments.add(new Comment("guest", DateTime.now().toString(fmt), "Can you post a comment, calling webgoat.customjs.phoneHome() ?")); comments.add(new Comment("guest", DateTime.now().toString(fmt), "Can you post a comment, calling webgoat.customjs.phoneHome() ?"));
} }
@RequestMapping(method = GET, produces = MediaType.APPLICATION_JSON_VALUE,consumes = ALL_VALUE) @RequestMapping(method = GET, produces = MediaType.APPLICATION_JSON_VALUE,consumes = ALL_VALUE)
@ResponseBody @ResponseBody
public Collection<Comment> retrieveComments() { public Collection<Comment> retrieveComments() {
Collection<Comment> allComments = Lists.newArrayList(); List<Comment> allComments = Lists.newArrayList();
Collection<Comment> newComments = userComments.get(webSession.getUserName()); Collection<Comment> newComments = userComments.get(webSession.getUserName());
allComments.addAll(comments);
if (newComments != null) { if (newComments != null) {
allComments.addAll(newComments); allComments.addAll(newComments);
} }
Collections.reverse(allComments);
allComments.addAll(comments);
return allComments; return allComments;
} }

View File

@ -5,7 +5,7 @@ xss-reflected-5a-failure=Try again. We do want to see this specific javascript (
xss-reflected-5b-success=Correct ... because <ul><li>The script was not triggered by the URL/QueryString</li><li>Even if you use the attack URL in a new tab, it won't execute (becuase of response type). Try it if you like.</li></ul> xss-reflected-5b-success=Correct ... because <ul><li>The script was not triggered by the URL/QueryString</li><li>Even if you use the attack URL in a new tab, it won't execute (becuase of response type). Try it if you like.</li></ul>
xss-reflected-5b-failure=Nope, pretty easy to guess now though. xss-reflected-5b-failure=Nope, pretty easy to guess now though.
xss-reflected-6a-success=Correct! Now, see if you can send in an exploit to that route in the next assignment. xss-reflected-6a-success=Correct! Now, see if you can send in an exploit to that route in the next assignment.
xss-reflected-6a-failure=No, look at the example. Check the GoatRouter.js file. It should be pretty easy to determine. xss-reflected-6a-failure=No, look at the example. Check the <a href="/WebGoat/js/goatApp/view/GoatRouter.js" target="_blank">GoatRouter.js</a> file. It should be pretty easy to determine.
xss.lesson1.failure=Are you sure? Try using a tab from a different site. xss.lesson1.failure=Are you sure? Try using a tab from a different site.
xss-dom-message-success=Correct, I hope you didn't cheat, using the console! xss-dom-message-success=Correct, I hope you didn't cheat, using the console!
xss-dom-message-failure=Incorrect, keep trying. It should be obvious in the log when you are successful. xss-dom-message-failure=Incorrect, keep trying. It should be obvious in the log when you are successful.

View File

@ -4,7 +4,7 @@ You should have been able to execute script with the last example. At this point
Why is that? Why is that?
That is because there is no link that would tigger that XSS. That is because there is no link that would trigger that XSS.
You can try it yourself to see what happens ... go to (substitute localhost with your server's name or IP if you need to): You can try it yourself to see what happens ... go to (substitute localhost with your server's name or IP if you need to):
link: http://localhost:8080/WebGoat/CrossSiteScripting/attack5a?QTY1=1&QTY2=1&QTY3=1&QTY4=1&field1=<script>alert('myjavascripthere')</script>4128+3214+0002+1999&field2=111 link: http://localhost:8080/WebGoat/CrossSiteScripting/attack5a?QTY1=1&QTY2=1&QTY3=1&QTY4=1&field1=<script>alert('my%20javascript%20here')</script>4128+3214+0002+1999&field2=111

View File

@ -1,15 +1,15 @@
== Ientify Potential for DOM-Based XSS == Identify Potential for DOM-Based XSS
DOM-Based XSS can usually be found by looking for the route configurations in the client-side code. DOM-Based XSS can usually be found by looking for the route configurations in the client-side code.
Look for a route that takes inputs that you can ID being 'reflected' to the page. Look for a route that takes inputs that are being 'reflected' to the page.
For this example, you'll want to look for some 'test' code in the route handlers (WebGoat uses backbone as its primary javascript library). For this example, you'll want to look for some 'test' code in the route handlers (WebGoat uses backbone as its primary javascript library).
Sometimes, test code gets left in production (and often times test code is very simple and lacks security or any quality controls!). Sometimes, test code gets left in production (and often times test code is very simple and lacks security or any quality controls!).
Your objective is to find the route and exploit it. First though ... what is the base route? As an example, look at the URL for this lesson ... Your objective is to find the route and exploit it. First though ... what is the base route? As an example, look at the URL for this lesson ...
it should look something like /WebGoat/start.mvc#lesson/CrossSiteScripting.lesson/5 (although maybe slightly different). The 'base route' in this case is: it should look something like /WebGoat/start.mvc#lesson/CrossSiteScripting.lesson/9. The 'base route' in this case is:
*start.mvc#lesson/* *start.mvc#lesson/*
The *CrossSiteScripting.lesson/9* after that are parameters that are processed by the javascript route handler.
The *CrossSiteScripting.lesson/#* after that are parameters that are processed by javascript route handler. So, what is the route for the test code that stayed in the app during production?
To answer this question, you have to check the javascript source.
So, what is test route for this test code?

View File

@ -8,4 +8,4 @@ The function you want to execute is ...
Sure, you could just use console/debug to trigger it, but you need to trigger it via a URL in a new tab. Sure, you could just use console/debug to trigger it, but you need to trigger it via a URL in a new tab.
Once you do trigger it, a subsequent response will come to the browser with a random number. Put that random number in below. Once you do trigger it, a subsequent response will come to your browser's console with a random number. Put that random number in below.

View File

@ -6,6 +6,6 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.M22</version>
</parent> </parent>
</project> </project>

View File

@ -64,11 +64,11 @@ public class CSRFFeedback extends AssignmentEndpoint {
private boolean hostOrRefererDifferentHost(HttpServletRequest request) { private boolean hostOrRefererDifferentHost(HttpServletRequest request) {
String referer = request.getHeader("referer"); String referer = request.getHeader("referer");
String origin = request.getHeader("origin"); String host = request.getHeader("host");
if (referer != null) { if (referer != null) {
return !referer.contains(origin); return !referer.contains(host);
} else { } else {
return true; //this case referer is null or origin does not matter we cannot compare so we return true which should of course be false return true;
} }
} }

View File

@ -20,7 +20,7 @@
action="/WebGoat/csrf/basic-get-flag" action="/WebGoat/csrf/basic-get-flag"
enctype="application/json;charset=UTF-8"> enctype="application/json;charset=UTF-8">
<input name="csrf" type="hidden" value="false"/> <input name="csrf" type="hidden" value="false"/>
<input type="submit" name="ubmit="/> <input type="submit" name="submit"/>
</form> </form>

View File

@ -16,9 +16,11 @@ the activities of the user.
image::images/login-csrf.png[caption="Figure: ", title="Login CSRF from Robust Defenses for Cross-Site Request Forgery", width="800", height="500", style="lesson-image" link="http://seclab.stanford.edu/websec/csrf/csrf.pdf"] image::images/login-csrf.png[caption="Figure: ", title="Login CSRF from Robust Defenses for Cross-Site Request Forgery", width="800", height="500", style="lesson-image" link="http://seclab.stanford.edu/websec/csrf/csrf.pdf"]
{blank} {blank}
For more information read the following http://seclab.stanford.edu/websec/csrf/csrf.pdf[paper] For more information read the following http://seclab.stanford.edu/websec/csrf/csrf.pdf[paper].
In this assignment try to see if WebGoat is also vulnerable for a login CSRF attack. First create a user In this assignment try to see if WebGoat is also vulnerable for a login CSRF attack.
based on your own username prefixed with csrf. So if your username is `tom` you must create Leave this tab open and in another tab create a user based on your own username prefixed with `csrf-`.
a new user called `csrf-tom` So if your username is `tom` you must create a new user called `csrf-tom`.
Login as the new user. This is what an attacker would do using CSRF. Then click the button in the original tab.
Because you are logged in as a different user, the attacker learns that you clicked the button.

View File

@ -46,7 +46,7 @@ public class CSRFFeedbackTest extends LessonTest {
mockMvc.perform(post("/csrf/feedback/message") mockMvc.perform(post("/csrf/feedback/message")
.contentType(MediaType.TEXT_PLAIN) .contentType(MediaType.TEXT_PLAIN)
.cookie(new Cookie("JSESSIONID", "test")) .cookie(new Cookie("JSESSIONID", "test"))
.header("origin", "localhost:8080") .header("host", "localhost:8080")
.header("referer", "webgoat.org") .header("referer", "webgoat.org")
.content("{\"name\": \"Test\", \"email\": \"test1233@dfssdf.de\", \"subject\": \"service\", \"message\":\"dsaffd\"}")) .content("{\"name\": \"Test\", \"email\": \"test1233@dfssdf.de\", \"subject\": \"service\", \"message\":\"dsaffd\"}"))
.andExpect(jsonPath("lessonCompleted", is(true))) .andExpect(jsonPath("lessonCompleted", is(true)))

View File

@ -6,7 +6,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.M22</version>
</parent> </parent>
<dependencies> <dependencies>

View File

@ -1,6 +1,6 @@
=== Mitigation === Mitigation
In this simple example you noticed that the price is calculated server side and send to the server. The server In this simple example you noticed that the price is calculated client-side and sent to the server. The server
accepted the input as a given and did not calculate the price again. One of the mitigations in this case is to look up accepted the input as a given and did not calculate the price again. One of the mitigations in this case is to look up
the price of the television in your database and calculate the total price again. the price of the television in your database and calculate the total price again.

View File

@ -6,7 +6,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.M22</version>
</parent> </parent>
</project> </project>

View File

@ -6,7 +6,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.M22</version>
</parent> </parent>
<dependencies> <dependencies>

View File

@ -3,36 +3,27 @@
<html xmlns:th="http://www.thymeleaf.org"> <html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro0.adoc"></div> <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro0.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro1.adoc"></div> <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro1.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro2.adoc"></div> <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro2.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro3.adoc"></div> <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro3.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<!-- stripped down without extra comments -->
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro4.adoc"></div> <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro4.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro5.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" name="intercept-request" <form class="attack-form" accept-charset="UNKNOWN" name="intercept-request"
@ -48,4 +39,8 @@
<div class="attack-output"></div> <div class="attack-output"></div>
</div> </div>
</div> </div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro6.adoc"></div>
</div>
</html> </html>

Binary file not shown.

After

Width:  |  Height:  |  Size: 176 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 39 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 56 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 170 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 60 KiB

View File

@ -1,26 +1,25 @@
=== Use the intercept === Exclude WebGoat internal requests
To intercept a request, you start by clicking the green button. This will set a break point for the next request. Before we start diving into intercepting requests with ZAP we need to exclude the internal requests from the WebGoat
framework otherwise ZAP will also stop at all the requests which are only necessary for the internal working of WebGoat.
image::images/proxy-intercept-button.png[Set break/intercept button,style="lesson-image"] Right click on one of the links in history tab and select: `Exclude from -> Proxy`, see image below:
image::images/zap_exclude.png[Select URL from history,style="lesson-image"]
{nbsp}
A new window will open and add the following entries:
```
http://localhost:8080/WebGoat/service/.*
http://localhost:8080/WebGoat/.*.lesson.lesson
```
Click Ok to close the window, ZAP will now no longer proxy internal WebGoat requests.
*NOTE*: It is also possible set breakpoints that are triggered on conditions. That won't be covered in this lesson though. You are encouraged to explore. image::images/zap_exclude_url.png[Exclude internal APIs from WebGoat,style="lesson-image"]
That's part of what hackers do ... explore!
Once you are intercepting requests and a request is made, it should look something like this:
image::images/proxy-intercept-details.png[ZAP history tab,style="lesson-image"]
=== Intercept and modify a request
Set up the intercept as noted above and then submit the form/request below by clicking the submit button. When you request is intercepted (hits the breakpoint),
modify it as follows.
* Change the Method to GET
* Add a header 'x-request-intercepted:true'
* Change the input value 'changeMe' to 'Requests are tampered easily' (without the single quotes)
Then let the request continue through (by hitting the play button).
NOTE: The two play buttons behave a little differently, but we'll let you tinker and figure that out for yourself.

View File

@ -0,0 +1,26 @@
=== Use the intercept
To intercept a request, you start by clicking the green button. This will set a break point for the next request.
image::images/proxy-intercept-button.png[Set break/intercept button,style="lesson-image"]
*NOTE*: It is also possible set breakpoints that are triggered on conditions. That won't be covered in this lesson though. You are encouraged to explore.
That's part of what hackers do ... explore!
Once you are intercepting requests and a request is made, it should look something like this:
image::images/proxy-intercept-details.png[ZAP history tab,style="lesson-image"]
=== Intercept and modify a request
Set up the intercept as noted above and then submit the form/request below by clicking the submit button. When you request is intercepted (hits the breakpoint),
modify it as follows.
* Change the Method to GET
* Add a header 'x-request-intercepted:true'
* Change the input value 'changeMe' to 'Requests are tampered easily' (without the single quotes)
Then let the request continue through (by hitting the play button).
NOTE: The two play buttons behave a little differently, but we'll let you tinker and figure that out for yourself.

View File

@ -0,0 +1,29 @@
=== Use the "Edit and resend" functionality in ZAP
Another way to send a request again instead of clicking in WebGoat on a button and intercept the request there is also
an option to resend the same request again from within ZAP.
This may significantly help you to solve an assignment because you do not have to switch to ZAP enable the intercept button
and go back to WebGoat and perform the request again from within the browser.
Let's look at an example, we are going to use the e-mail example from the WebWolf introduction lesson. This lesson
will generate a request for `/WebGoat/WebWolf/mail`, in the "History" window select the URL you want to resend right click
on the URL and select `Open/Resend with Request Editor`. You can also find the request in the left pane of ZAP as indicated
with the red arrow in the image below:
image::images/zap_edit_and_resend.png[Open/Resend with Request Editor,style="lesson-image"]
{nbsp}
A new window will open and here you can modify the request for example change the e-mail address to someone else and send it again.
In the response tab you can inspect the response of the request. In some assignments the response will show a solved message
but sometimes you get a code/flag which you need to submit in WebGoat in order to complete the assignment. Always be on the
lookout for the response. If you solved the assignment by make a request in this way WebGoat will automatically mark
the lesson as solved.
image::images/zap_edit_and_send.png[Open/Resend with Request Editor,style="lesson-image"]
{nbsp}
image::images/zap_edit_and_response.png[Open/Resend response,style="lesson-image"]

View File

@ -6,7 +6,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.M22</version>
</parent> </parent>
</project> </project>

View File

@ -6,7 +6,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.M22</version>
</parent> </parent>
<dependencies> <dependencies>

View File

@ -6,7 +6,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.M22</version>
</parent> </parent>
<dependencies> <dependencies>

View File

@ -6,7 +6,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.M22</version>
</parent> </parent>
<dependencies> <dependencies>

View File

@ -1,6 +1,7 @@
package org.owasp.webgoat.plugin; package org.owasp.webgoat.plugin;
import com.google.common.collect.Lists; import com.google.common.collect.Lists;
import io.jsonwebtoken.impl.TextCodec;
import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints; import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AssignmentPath;
@ -23,7 +24,7 @@ import java.util.List;
@AssignmentHints({"jwt-secret-hint1", "jwt-secret-hint2", "jwt-secret-hint3"}) @AssignmentHints({"jwt-secret-hint1", "jwt-secret-hint2", "jwt-secret-hint3"})
public class JWTSecretKeyEndpoint extends AssignmentEndpoint { public class JWTSecretKeyEndpoint extends AssignmentEndpoint {
public static final String JWT_SECRET = "victory"; public static final String JWT_SECRET = TextCodec.BASE64.encode("victory");
private static final String WEBGOAT_USER = "WebGoat"; private static final String WEBGOAT_USER = "WebGoat";
private static final List<String> expectedClaims = Lists.newArrayList("iss", "iat", "exp", "aud", "sub", "username", "Email", "Role"); private static final List<String> expectedClaims = Lists.newArrayList("iss", "iat", "exp", "aud", "sub", "username", "Email", "Role");

View File

@ -5,6 +5,7 @@ import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwt; import io.jsonwebtoken.Jwt;
import io.jsonwebtoken.JwtException; import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts; import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.impl.TextCodec;
import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.StringUtils;
import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints; import org.owasp.webgoat.assignments.AssignmentHints;
@ -25,7 +26,6 @@ import java.time.Duration;
import java.time.Instant; import java.time.Instant;
import java.util.Date; import java.util.Date;
import java.util.Map; import java.util.Map;
import java.util.concurrent.TimeUnit;
import static java.util.Comparator.comparingLong; import static java.util.Comparator.comparingLong;
import static java.util.Optional.ofNullable; import static java.util.Optional.ofNullable;
@ -39,7 +39,7 @@ import static java.util.stream.Collectors.toList;
@AssignmentHints({"jwt-change-token-hint1", "jwt-change-token-hint2", "jwt-change-token-hint3", "jwt-change-token-hint4", "jwt-change-token-hint5"}) @AssignmentHints({"jwt-change-token-hint1", "jwt-change-token-hint2", "jwt-change-token-hint3", "jwt-change-token-hint4", "jwt-change-token-hint5"})
public class JWTVotesEndpoint extends AssignmentEndpoint { public class JWTVotesEndpoint extends AssignmentEndpoint {
public static final String JWT_PASSWORD = "victory"; public static final String JWT_PASSWORD = TextCodec.BASE64.encode("victory");
private static String validUsers = "TomJerrySylvester"; private static String validUsers = "TomJerrySylvester";
private static int totalVotes = 38929; private static int totalVotes = 38929;
@ -143,7 +143,6 @@ public class JWTVotesEndpoint extends AssignmentEndpoint {
Claims claims = (Claims) jwt.getBody(); Claims claims = (Claims) jwt.getBody();
boolean isAdmin = Boolean.valueOf((String) claims.get("admin")); boolean isAdmin = Boolean.valueOf((String) claims.get("admin"));
if (!isAdmin) { if (!isAdmin) {
votes.values().forEach(vote -> vote.reset());
return trackProgress(failed().feedback("jwt-only-admin").build()); return trackProgress(failed().feedback("jwt-only-admin").build());
} else { } else {
votes.values().forEach(vote -> vote.reset()); votes.values().forEach(vote -> vote.reset());

View File

@ -16,8 +16,10 @@
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/jwt.css}"/> <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/jwt.css}"/>
<script th:src="@{/lesson_js/bootstrap.min.js}" language="JavaScript"></script> <script th:src="@{/lesson_js/bootstrap.min.js}" language="JavaScript"></script>
<script th:src="@{/lesson_js/jwt-signing.js}" language="JavaScript"></script> <script th:src="@{/lesson_js/jwt-voting.js}" language="JavaScript"></script>
<div class="attack-container"> <div class="attack-container">
<div class="attack-feedback"></div>
<div class="attack-output"></div>
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" <form class="attack-form" accept-charset="UNKNOWN"
method="POST" method="POST"
@ -37,16 +39,16 @@
</button> </button>
<ul class="dropdown-menu dropdown-menu-left"> <ul class="dropdown-menu dropdown-menu-left">
<li role="presentation"><a role="menuitem" tabindex="-1" <li role="presentation"><a role="menuitem" tabindex="-1"
onclick="javascript:login('Guest')" onclick="javascript:loginVotes('Guest')"
th:text="Guest">current</a></li> th:text="Guest">current</a></li>
<li role="presentation"><a role="menuitem" tabindex="-1" <li role="presentation"><a role="menuitem" tabindex="-1"
onclick="javascript:login('Tom')" onclick="javascript:loginVotes('Tom')"
th:text="Tom">current</a></li> th:text="Tom">current</a></li>
<li role="presentation"><a role="menuitem" tabindex="-1" <li role="presentation"><a role="menuitem" tabindex="-1"
onclick="javascript:login('Jerry')" onclick="javascript:loginVotes('Jerry')"
th:text="Jerry">current</a></li> th:text="Jerry">current</a></li>
<li role="presentation"><a role="menuitem" tabindex="-1" <li role="presentation"><a role="menuitem" tabindex="-1"
onclick="javascript:login('Sylvester')" onclick="javascript:loginVotes('Sylvester')"
th:text="Sylvester">current</a></li> th:text="Sylvester">current</a></li>
</ul> </ul>
<button type="button" class="btn btn-default fa fa-refresh" title="Refresh votes" <button type="button" class="btn btn-default fa fa-refresh" title="Refresh votes"
@ -70,8 +72,7 @@
</form> </form>
<br/> <br/>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div> </div>
</div> </div>
@ -110,7 +111,7 @@
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/jwt.css}"/> <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/jwt.css}"/>
<script th:src="@{/lesson_js/bootstrap.min.js}" language="JavaScript"></script> <script th:src="@{/lesson_js/bootstrap.min.js}" language="JavaScript"></script>
<script th:src="@{/lesson_js/jwt-refresh.js}" language="JavaScript"></script> <script th:src="@{/lesson_js/jwt-buy.js}" language="JavaScript"></script>
<div class="attack-container"> <div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" <form class="attack-form" accept-charset="UNKNOWN"
@ -135,9 +136,11 @@
<tr> <tr>
<td class="col-sm-8 col-md-6"> <td class="col-sm-8 col-md-6">
<div class="media"> <div class="media">
<img class="media-object" src="http://icons.iconarchive.com/icons/custom-icon-design/flatastic-2/72/product-icon.png" style="width: 72px; height: 72px;"></img> <img class="media-object" th:src="@{/images/product-icon.png}"
style="width: 72px; height: 72px;"></img>
<div class="media-body"> <div class="media-body">
<h4 class="media-heading"><a href="#">Learn defending your application with WebGoat</a></h4> <h4 class="media-heading"><a href="#">Learn to defend your application with
WebGoat</a></h4>
<h5 class="media-heading"> by <a href="#">WebGoat Publishing</a></h5> <h5 class="media-heading"> by <a href="#">WebGoat Publishing</a></h5>
<span>Status: </span><span <span>Status: </span><span
class="text-success"><strong>In Stock</strong></span> class="text-success"><strong>In Stock</strong></span>
@ -147,8 +150,11 @@
<td class="col-sm-1 col-md-1" style="text-align: center"> <td class="col-sm-1 col-md-1" style="text-align: center">
<input type="text" class="form-control" id="quantity1" value="3"></input> <input type="text" class="form-control" id="quantity1" value="3"></input>
</td> </td>
<td class="col-sm-1 col-md-1 text-center"><strong>$4.87</strong></td> <td class="col-sm-1 col-md-1 text-center"><strong>$
<td class="col-sm-1 col-md-1 text-center"><strong>$14.61</strong></td> <span id="piecePrice1">4.87</span></strong>
</td>
<td class="col-sm-1 col-md-1 text-center"><strong>$<span
id="totalPrice1">14.61</span></strong></td>
<td class="col-sm-1 col-md-1"> <td class="col-sm-1 col-md-1">
<button type="button" class="btn btn-danger"> <button type="button" class="btn btn-danger">
<span class="glyphicon glyphicon-remove"></span> Remove <span class="glyphicon glyphicon-remove"></span> Remove
@ -158,7 +164,9 @@
<tr> <tr>
<td class="col-md-6"> <td class="col-md-6">
<div class="media"> <div class="media">
<img class="media-object" src="http://icons.iconarchive.com/icons/custom-icon-design/flatastic-2/72/product-icon.png" style="width: 72px; height: 72px;"></img> <img class="media-object"
th:src="@{/images/product-icon.png}"
style="width: 72px; height: 72px;"></img>
<div class="media-body"> <div class="media-body">
<h4 class="media-heading"><a href="#">Pentesting for professionals</a></h4> <h4 class="media-heading"><a href="#">Pentesting for professionals</a></h4>
<h5 class="media-heading"> by <a href="#">WebWolf Publishing</a></h5> <h5 class="media-heading"> by <a href="#">WebWolf Publishing</a></h5>
@ -166,11 +174,12 @@
</div> </div>
</div> </div>
</td> </td>
<td class="col-md-1" style="text-align: center"> <td class="col-sm-1 col-md-1" style="text-align: center">
<input type="text" class="form-control" id="quantity2" value="2"></input> <input type="text" class="form-control" id="quantity2" value="2"></input>
</td> </td>
<td class="col-md-1 text-center"><strong>$4.99</strong></td> <td class="col-sm-1 col-md-1 text-center"><strong>$<span id="piecePrice2">4.99</span></strong>
<td class="col-md-1 text-center"><strong>$9.98</strong></td> </td>
<td class="col-sm-1 col-md-1 text-center"><strong>$<span id="totalPrice2">9.98</span></strong></td>
<td class="col-md-1"> <td class="col-md-1">
<button type="button" class="btn btn-danger"> <button type="button" class="btn btn-danger">
<span class="glyphicon glyphicon-remove"></span> Remove <span class="glyphicon glyphicon-remove"></span> Remove
@ -185,8 +194,8 @@
<td>  </td> <td>  </td>
<td><h5>Subtotal<br></br>Estimated shipping</h5> <td><h5>Subtotal<br></br>Estimated shipping</h5>
<h3>Total</h3></td> <h3>Total</h3></td>
<td class="text-right"><h5><strong>$24.59<br></br>$6.94</strong></h5> <td class="text-right"><h5><strong>$<span id="subtotalJwt">24.59</span><br></br>$6.94</strong></h5>
<h3>$31.53</h3></td> <h3>$<span id="totalJwt">31.53</span></h3></td>
</tr> </tr>
<tr> <tr>
<td>  </td> <td>  </td>

Binary file not shown.

After

Width:  |  Height:  |  Size: 2.5 KiB

View File

@ -0,0 +1,36 @@
$(document).ready(function () {
$("#quantity1").on("blur", function () {
var quantity = $("#quantity1").val();
if (!$.isNumeric(quantity) || quantity < 0) {
$("#quantity1").val("1");
quantity = 1;
}
var piecePrice = $("#piecePrice1").text();
$('#totalPrice1').text((quantity * piecePrice).toFixed(2));
updateTotal();
});
$("#quantity2").on("blur", function () {
var quantity = $("#quantity2").val();
if (!$.isNumeric(quantity) || quantity < 0) {
$("#quantity2").val("1");
quantity = 1;
}
var piecePrice = $("#piecePrice2").text();
$('#totalPrice2').text((quantity * piecePrice).toFixed(2));
updateTotal();
})
})
function updateTotal() {
var price1 = parseFloat($('#totalPrice1').text());
var price2 = parseFloat($('#totalPrice2').text());
var subTotal = price1 + price2;
$('#subtotalJwt').text(subTotal.toFixed(2));
var total = subTotal + 6.94;
$('#totalJwt').text(total.toFixed(2));
}

View File

@ -1,8 +1,8 @@
$(document).ready(function () { $(document).ready(function () {
login('Guest'); loginVotes('Guest');
}) })
function login(user) { function loginVotes(user) {
$("#name").text(user); $("#name").text(user);
$.ajax({ $.ajax({
url: 'JWT/votings/login?user=' + user, url: 'JWT/votings/login?user=' + user,

View File

@ -1,8 +1,11 @@
:linkattrs:
== Refreshing a token == Refreshing a token
=== Introduction === Introduction
In this section we touch upon refreshing an access token. There are many solutions some might In this section we touch upon refreshing an access token.
=== Types of tokens === Types of tokens
@ -31,7 +34,7 @@ The server returns:
``` ```
As you can see the refresh token is a random string which the server can keep track of (in memory or store in a database) As you can see the refresh token is a random string which the server can keep track of (in memory or store in a database)
With storing you can match the refresh token to the specific user the refresh token was granted to. in order to match the refresh token to the user the refresh token was granted to.
So in this case whenever the access token is still valid we can speak of a "stateless" session, there is So in this case whenever the access token is still valid we can speak of a "stateless" session, there is
no burden on the server side to setup the user session, the token is self contained. no burden on the server side to setup the user session, the token is self contained.
When the access token is no longer valid the server needs to query for the stored refresh token to make sure the token When the access token is no longer valid the server needs to query for the stored refresh token to make sure the token
@ -51,7 +54,7 @@ Regardless of the chosen solution you should store enough information on the ser
is still trusted. You can think of many things, like store the ip address, keep track of how many times the refresh is still trusted. You can think of many things, like store the ip address, keep track of how many times the refresh
token is used (using the refresh token multiple times in the valid time window of the access token might indicate strange token is used (using the refresh token multiple times in the valid time window of the access token might indicate strange
behavior, you can revoke all the tokens an let the user authenticate again). behavior, you can revoke all the tokens an let the user authenticate again).
It is also a good to keep track of which access token belonged to which refresh token. Otherwise an attacker might Also keep track of which access token belonged to which refresh token otherwise an attacker might
be able to get a new access token for a different user with the refresh token of the attacker be able to get a new access token for a different user with the refresh token of the attacker
(see https://emtunc.org/blog/11/2017/jwt-refresh-token-manipulation/ for a nice write up about how this attack works) (see https://emtunc.org/blog/11/2017/jwt-refresh-token-manipulation/ for a nice write up about how this attack works)
Also a good thing to check for is the ip address or geolocation of the user. If you need to give out a new token check Also a good thing to check for is the ip address or geolocation of the user. If you need to give out a new token check
@ -60,19 +63,26 @@ whether the location is still the same if not revoke all the tokens and let the
=== Need for refresh tokens === Need for refresh tokens
Does it make sense to use a refresh token in a modern single page application (SPA)? As we have seen in the section Does it make sense to use a refresh token in a modern single page application (SPA)? As we have seen in the section
about storing tokens there are two option: web storage or a cookie which mean a refresh token is right beside an about storing tokens there are two options: web storage or a cookie which mean a refresh token is right beside an
access token, so if the access token is leaked changes are the refresh token will also be compromised. Most of the time access token, so if the access token is leaked chances are the refresh token will also be compromised. Most of the time
there is a difference of course, the access token is send when you make an API call, the refresh token is only send there is a difference of course. The access token is sent when you make an API call, the refresh token is only sent
when a new access token should be obtained, which in most cases is a different endpoint. If you end up on the same when a new access token should be obtained, which in most cases is a different endpoint. If you end up on the same
server you can chose to only use the access token. server you can choose to only use the access token.
As stated above using an access token and a separate refresh token gives some leverage for the server not to check As stated above using an access token and a separate refresh token gives some leverage for the server not to check
the access token over and over. Only perform the check when the user needs a new access token. the access token over and over. Only perform the check when the user needs a new access token.
It is certainly possible to only use an access token, at the server you store the exact same information you would It is certainly possible to only use an access token. At the server you store the exact same information you would
store for a refresh token, see previous paragraph. This way you need to check the token each time but this might store for a refresh token, see previous paragraph. This way you need to check the token each time but this might
be suitable depending on the application. In the case the refresh tokens are stored for validation it is important to protect these tokens as well (at least be suitable depending on the application. In the case the refresh tokens are stored for validation it is important to protect these tokens as well (at least
use a hash function to store them in your database). use a hash function to store them in your database).
=== JWT a good idea?
There are a lot of resources available which question the usecase for using JWT token for client to server authentication
with regards to cookies. The best place to use a JWT token is between server to server communication. In a normal web
application you are better of using plain old cookies. See for more information:
- http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/[stop-using-jwt-for-sessions, window="_blank"]
- http://cryto.net/~joepie91/blog/2016/06/19/stop-using-jwt-for-sessions-part-2-why-your-solution-doesnt-work/[stop-using-jwt-for-sessions-part-2-why-your-solution-doesnt-work, window="_blank"]
- http://cryto.net/~joepie91/blog/attachments/jwt-flowchart.png[flowchart, window="_blank"]

View File

@ -1,5 +1,10 @@
:linkattrs:
== Refreshing a token == Refreshing a token
It is important to implement a good strategy for refreshing an access token. This assignment is based on a vulnerability
found in a private bug bounty program on Bugcrowd, you can read the full write up https://emtunc.org/blog/11/2017/jwt-refresh-token-manipulation/[here, window="_blank"]
=== Assignment === Assignment
From a breach of last year the following logfile is available link:images/logs.txt[here] From a breach of last year the following logfile is available link:images/logs.txt[here]

View File

@ -9,5 +9,5 @@ dictionary attack is not feasible. Once you have a token you can start an offlin
Given we have the following token try to find out secret key and submit a new key with the userId changed to WebGoat. Given we have the following token try to find out secret key and submit a new key with the userId changed to WebGoat.
``` ```
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJXZWJHb2F0IFRva2VuIEJ1aWxkZXIiLCJpYXQiOjE1MjQyMTA5MDQsImV4cCI6MTYxODkwNTMwNCwiYXVkIjoid2ViZ29hdC5vcmciLCJzdWIiOiJ0b21Ad2ViZ29hdC5jb20iLCJ1c2VybmFtZSI6IlRvbSIsIkVtYWlsIjoidG9tQHdlYmdvYXQuY29tIiwiUm9sZSI6WyJNYW5hZ2VyIiwiUHJvamVjdCBBZG1pbmlzdHJhdG9yIl19.m-jSyfYEsVzD3CBI6N39wZ7AcdKdp_GiO7F_Ym12u-0 eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJXZWJHb2F0IFRva2VuIEJ1aWxkZXIiLCJpYXQiOjE1MjQyMTA5MDQsImV4cCI6MTYxODkwNTMwNCwiYXVkIjoid2ViZ29hdC5vcmciLCJzdWIiOiJ0b21Ad2ViZ29hdC5jb20iLCJ1c2VybmFtZSI6IlRvbSIsIkVtYWlsIjoidG9tQHdlYmdvYXQuY29tIiwiUm9sZSI6WyJNYW5hZ2VyIiwiUHJvamVjdCBBZG1pbmlzdHJhdG9yIl19.vPe-qQPOt78zK8wrbN1TjNJj3LeX9Qbch6oo23RUJgM
``` ```

View File

@ -6,7 +6,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.M22</version>
</parent> </parent>
</project> </project>

View File

@ -13,7 +13,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
@AssignmentPath("/access-control/user-hash") @AssignmentPath("/access-control/user-hash")
@AssignmentHints({"access-control.hash.hint1","access-control.hash.hint2","access-control.hash.hint3", @AssignmentHints({"access-control.hash.hint1","access-control.hash.hint2","access-control.hash.hint3",
"access-control.hash.hint4","access-control.hash.hint5","access-control.hash.hint6","access-control.hash.hint7", "access-control.hash.hint4","access-control.hash.hint5","access-control.hash.hint6","access-control.hash.hint7",
"access-control.hash.hint8","access-control.hash.hint9"}) "access-control.hash.hint8","access-control.hash.hint9","access-control.hash.hint10","access-control.hash.hint11","access-control.hash.hint12"})
public class MissingFunctionACYourHash extends AssignmentEndpoint { public class MissingFunctionACYourHash extends AssignmentEndpoint {
@Autowired @Autowired

View File

@ -1,6 +1,5 @@
package org.owasp.webgoat.plugin; package org.owasp.webgoat.plugin;
import com.sun.org.apache.xpath.internal.axes.HasPositionalPredChecker;
import org.owasp.webgoat.assignments.Endpoint; import org.owasp.webgoat.assignments.Endpoint;
import org.owasp.webgoat.session.DatabaseUtilities; import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.UserSessionData; import org.owasp.webgoat.session.UserSessionData;
@ -13,9 +12,6 @@ import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import java.sql.*; import java.sql.*;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map;
import static javax.swing.UIManager.getString;
public class Users extends Endpoint{ public class Users extends Endpoint{
@ -51,7 +47,7 @@ public class Users extends Endpoint{
userMap.put("cc", results.getString(3)); userMap.put("cc", results.getString(3));
userMap.put("ccType", results.getString(4)); userMap.put("ccType", results.getString(4));
userMap.put("cookie", results.getString(5)); userMap.put("cookie", results.getString(5));
userMap.put("loginCOunt",Integer.toString(results.getInt(6))); userMap.put("loginCount",Integer.toString(results.getInt(6)));
allUsersMap.put(id,userMap); allUsersMap.put(id,userMap);
} }
userSessionData.setValue("allUsers",allUsersMap); userSessionData.setValue("allUsers",allUsersMap);

View File

@ -11,12 +11,15 @@ access-control.hidden-menus.hint3=Look for something a super-user or administato
access-control.hash.success=Congrats! You really succeeded when you added the user. access-control.hash.success=Congrats! You really succeeded when you added the user.
access-control.hash.close=Keep trying, this one may take several attempts & steps to achieve. See the hints for help. access-control.hash.close=Keep trying, this one may take several attempts & steps to achieve. See the hints for help.
access-control.hash.hint1=If you haven't found the hidden menus from the earlier exercise, go do that now. access-control.hash.hint1=There is an easier way and a 'harder' way to achieve this, the easier way involves one simple change in a GET request.
access-control.hash.hint2=When you look at the users page, there is a hint that more info is viewable by a given role of user. access-control.hash.hint2= If you haven't found the hidden menus from the earlier exercise, go do that first.
access-control.hash.hint3=Have you tried tampering the GET request? Can you find supported or unsupported methods? Can you trigger 500 errors? access-control.hash.hint3=When you look at the users page, there is a hint that more info is viewable by a given role.
access-control.hash.hint4=There are actually two ways to solve this one. The first involves just changing a request header. access-control.hash.hint4=For the easy way, have you tried tampering the GET request? Different content-types?
access-control.hash.hint5=If the request to view users, were a 'service' or 'RESTful' endpoint, what would be different about it? access-control.hash.hint5=For the 'easy' way, modify the GET request to /users to include 'Content-Type: application/json'
access-control.hash.hint6=If you're still looking for hints ... try changing the Content-type header in the GET request. access-control.hash.hint6=Now for the harder way ... it builds on the easier way
access-control.hash.hint7=The harder way involves changing the Content-type AND the method ... As well as a proper payload for the request. Look at how registration works first and extrapolate out from there. access-control.hash.hint7=If the request to view users, were a 'service' or 'RESTful' endpoint, what would be different about it?
access-control.hash.hint8=See if you can add a user with a webgoat admin role, and if more is visible once you log in as that user. access-control.hash.hint8=If you're still looking for hints ... try changing the Content-type header as in the GET request.
access-control.hash.hint9=If you create a new user with the admin role ... The role should include 'WEBGOAT' and 'ADMIN' in the role name. You'll have to do some guessing beyond that. access-control.hash.hint9=You also need to deliver a proper payload for the request (look at how registration works). This should be formatted in line with the content-type you just defined.
access-control.hash.hint10=You will want to add WEBGOAT_ADMIN for the user's role. Yes, you'd have to guess/fuzz this in a real-world setting.
access-control.hash.hint11=OK, here it is. First, create an admin user ... Change the method to POST, change the content-type to "application/json". And your payload should look something like: {"username":"newUser2","password":"newUser12","matchingPassword":"newUser12","role":"WEBGOAT_ADMIN"}
access-control.hash.hint12=Now log in as that user and bring up WebGoat/users. Copy your hash and log back in to your original account and input it there to get credit.

View File

@ -6,7 +6,7 @@
<parent> <parent>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId> <artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0.M15</version> <version>v8.0.0.M22</version>
</parent> </parent>
<dependencies> <dependencies>

View File

@ -62,7 +62,7 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
resetLinks.add(resetLink); resetLinks.add(resetLink);
String host = request.getHeader("host"); String host = request.getHeader("host");
if (org.springframework.util.StringUtils.hasText(email)) { if (org.springframework.util.StringUtils.hasText(email)) {
if (email.equals(TOM_EMAIL) && host.contains("8081")) { //User indeed changed the host header. if (email.equals(TOM_EMAIL) && host.contains("9090")) { //User indeed changed the host header.
userToTomResetLink.put(getWebSession().getUserName(), resetLink); userToTomResetLink.put(getWebSession().getUserName(), resetLink);
fakeClickingLinkEmail(host, resetLink); fakeClickingLinkEmail(host, resetLink);
} else { } else {

View File

@ -4,7 +4,6 @@ import org.apache.commons.lang3.StringUtils;
import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult; import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.plugin.PasswordResetEmail;
import org.springframework.beans.factory.annotation.Value; import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.MediaType; import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.PostMapping;
@ -14,8 +13,6 @@ import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestTemplate; import org.springframework.web.client.RestTemplate;
import java.time.LocalDateTime; import java.time.LocalDateTime;
import java.util.Map;
import java.util.Optional;
import static java.util.Optional.ofNullable; import static java.util.Optional.ofNullable;
@ -37,23 +34,10 @@ public class SimpleMailAssignment extends AssignmentEndpoint {
@PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE) @PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE)
@ResponseBody @ResponseBody
public AttackResult sendEmail(@RequestParam Map<String, Object> json) { public AttackResult login(@RequestParam String email, @RequestParam String password) {
String email = (String) json.get("emailReset"); String emailAddress = ofNullable(email).orElse("unknown@webgoat.org");
if (StringUtils.isEmpty(email)) { String username = extractUsername(emailAddress);
email = (String) json.getOrDefault("email", "unknown@webgoat.org");
}
String password = (String) json.getOrDefault("password", "");
int index = email.indexOf("@");
String username = email.substring(0, index == -1 ? email.length() : index);
if (StringUtils.isEmpty(password)) {
return sendEmail(username, email);
} else {
return checkPassword(password, username);
}
}
private AttackResult checkPassword(String password, String username) {
if (username.equals(getWebSession().getUserName()) && StringUtils.reverse(username).equals(password)) { if (username.equals(getWebSession().getUserName()) && StringUtils.reverse(username).equals(password)) {
return trackProgress(success().build()); return trackProgress(success().build());
} else { } else {
@ -61,6 +45,18 @@ public class SimpleMailAssignment extends AssignmentEndpoint {
} }
} }
@PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE, value = "/reset")
@ResponseBody
public AttackResult resetPassword(@RequestParam String emailReset) {
String email = ofNullable(emailReset).orElse("unknown@webgoat.org");
return sendEmail(extractUsername(email), email);
}
private String extractUsername(String email) {
int index = email.indexOf("@");
return email.substring(0, index == -1 ? email.length() : index);
}
private AttackResult sendEmail(String username, String email) { private AttackResult sendEmail(String username, String email) {
if (username.equals(getWebSession().getUserName())) { if (username.equals(getWebSession().getUserName())) {
PasswordResetEmail mailEvent = PasswordResetEmail.builder() PasswordResetEmail mailEvent = PasswordResetEmail.builder()

Some files were not shown because too many files have changed in this diff Show More