Compare commits
48 Commits
v8.0.0.M16
...
v8.0.0.M21
| Author | SHA1 | Date | |
|---|---|---|---|
| 3536fd0b6d | |||
| bc84e8f207 | |||
| 14dbd47675 | |||
| 898dd90c6f | |||
| ac12a009e4 | |||
| 699b1bfd89 | |||
| ad77a7ab24 | |||
| b7278590f5 | |||
| 9dd93d88d9 | |||
| 4c767cb977 | |||
| 12123ef13b | |||
| c7da546249 | |||
| a41ff0083c | |||
| 701a99cf8f | |||
| 844808bfa7 | |||
| 81aac93dfe | |||
| e5ec2c1ee0 | |||
| b0fbeaff2c | |||
| b47bb96534 | |||
| 3b9b695ef1 | |||
| 1d2575a211 | |||
| 56fc983414 | |||
| 268adbcf7e | |||
| f383454440 | |||
| bae3e75ae2 | |||
| a7b82985d4 | |||
| 3d282e163c | |||
| 7068c84c6a | |||
| 0030c7bdfb | |||
| 89f6a73275 | |||
| cf0e4e40cf | |||
| dfd51f8b54 | |||
| 5e8c610fbf | |||
| 71514fc39b | |||
| 1734170e9e | |||
| c89afe6334 | |||
| 9af0054b5b | |||
| 26aa72e721 | |||
| c510bd9bf1 | |||
| 6bf853d953 | |||
| e96ab488ff | |||
| 31f7ea6985 | |||
| 186f24f1df | |||
| 089dd56a15 | |||
| 6cfefba0ee | |||
| 20e45da8ae | |||
| e34faa13d6 | |||
| 927bbad488 |
@ -28,12 +28,6 @@ deploy:
|
||||
on:
|
||||
repo: WebGoat/WebGoat
|
||||
tags: true
|
||||
- provider: script
|
||||
skip_cleanup: true
|
||||
script: bash scripts/deploy-webgoat.sh
|
||||
on:
|
||||
repo: WebGoat/WebGoat
|
||||
branch: develop
|
||||
- provider: releases
|
||||
skip_cleanup: true
|
||||
overwrite: true
|
||||
|
||||
4
platformQuickStarts/GCP/GKE-Docker/deploy.cfg
Normal file
4
platformQuickStarts/GCP/GKE-Docker/deploy.cfg
Normal file
@ -0,0 +1,4 @@
|
||||
CURTAG=webgoat/webgoat-8.0
|
||||
DEST_TAG=gcr.io/astech-training/raging-wire-webgoat
|
||||
CLUSTER_NAME=raging-wire-webgoat
|
||||
PORT_NUM=8080
|
||||
4
platformQuickStarts/GCP/GKE-Docker/gke-deploy-config.sh
Normal file
4
platformQuickStarts/GCP/GKE-Docker/gke-deploy-config.sh
Normal file
@ -0,0 +1,4 @@
|
||||
CURTAG=webgoat/webgoat-8.0
|
||||
DEST_TAG=gcr.io/your-gke-project/your-webgoat-tag
|
||||
CLUSTER_NAME=your-cluster-name
|
||||
PORT_NUM=8080
|
||||
2
pom.xml
2
pom.xml
@ -6,7 +6,7 @@
|
||||
<groupId>org.owasp.webgoat</groupId>
|
||||
<artifactId>webgoat-parent</artifactId>
|
||||
<packaging>pom</packaging>
|
||||
<version>v8.0.0.M16</version>
|
||||
<version>v8.0.0.M20</version>
|
||||
|
||||
<name>WebGoat Parent Pom</name>
|
||||
<description>Parent Pom for the WebGoat Project. A deliberately insecure Web Application</description>
|
||||
|
||||
@ -6,7 +6,7 @@ export REPO=webgoat/webgoat-8.0
|
||||
cd webgoat-server
|
||||
ls target/
|
||||
|
||||
if [ "${BRANCH}" == "master" ] && [ ! -z "${TRAVIS_TAG}" ]; then
|
||||
if [ ! -z "${TRAVIS_TAG}" ]; then
|
||||
# If we push a tag to master this will update the LATEST Docker image and tag with the version number
|
||||
docker build --build-arg webgoat_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:latest -t $REPO:${TRAVIS_TAG} .
|
||||
docker push $REPO
|
||||
@ -27,14 +27,10 @@ cd ..
|
||||
cd webwolf
|
||||
ls target/
|
||||
|
||||
if [ "${BRANCH}" == "master" ] && [ ! -z "${TRAVIS_TAG}" ]; then
|
||||
if [ ! -z "${TRAVIS_TAG}" ]; then
|
||||
# If we push a tag to master this will update the LATEST Docker image and tag with the version number
|
||||
docker build --build-arg webwolf_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:latest -t $REPO:${TRAVIS_TAG} .
|
||||
docker push $REPO
|
||||
elif [ ! -z "${TRAVIS_TAG}" ]; then
|
||||
# Creating a tag build we push it to Docker with that tag
|
||||
docker build --build-arg webwolf_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:${TRAVIS_TAG} -t $REPO:latest .
|
||||
docker push $REPO
|
||||
else
|
||||
echo "Skipping releasing to DockerHub because it is a build of branch ${BRANCH}"
|
||||
fi
|
||||
@ -10,7 +10,7 @@
|
||||
<parent>
|
||||
<groupId>org.owasp.webgoat</groupId>
|
||||
<artifactId>webgoat-parent</artifactId>
|
||||
<version>v8.0.0.M16</version>
|
||||
<version>v8.0.0.M20</version>
|
||||
</parent>
|
||||
|
||||
<profiles>
|
||||
|
||||
@ -232,7 +232,7 @@ public class CreateDB {
|
||||
|
||||
// Create the new table
|
||||
try {
|
||||
String createTableStatement = "CREATE TABLE user_system_data (" + "userid varchar(5) not null primary key,"
|
||||
String createTableStatement = "CREATE TABLE user_system_data (" + "userid int not null primary key,"
|
||||
+ "user_name varchar(12)," + "password varchar(10)," + "cookie varchar(30)" + ")";
|
||||
statement.executeUpdate(createTableStatement);
|
||||
} catch (SQLException e) {
|
||||
@ -240,11 +240,11 @@ public class CreateDB {
|
||||
}
|
||||
|
||||
// Populate
|
||||
String insertData1 = "INSERT INTO user_system_data VALUES ('101','jsnow','passwd1', '')";
|
||||
String insertData2 = "INSERT INTO user_system_data VALUES ('102','jdoe','passwd2', '')";
|
||||
String insertData3 = "INSERT INTO user_system_data VALUES ('103','jplane','passwd3', '')";
|
||||
String insertData4 = "INSERT INTO user_system_data VALUES ('104','jeff','jeff', '')";
|
||||
String insertData5 = "INSERT INTO user_system_data VALUES ('105','dave','dave', '')";
|
||||
String insertData1 = "INSERT INTO user_system_data VALUES (101,'jsnow','passwd1', '')";
|
||||
String insertData2 = "INSERT INTO user_system_data VALUES (102,'jdoe','passwd2', '')";
|
||||
String insertData3 = "INSERT INTO user_system_data VALUES (103,'jplane','passwd3', '')";
|
||||
String insertData4 = "INSERT INTO user_system_data VALUES (104,'jeff','jeff', '')";
|
||||
String insertData5 = "INSERT INTO user_system_data VALUES (105,'dave','passW0rD', '')";
|
||||
statement.executeUpdate(insertData1);
|
||||
statement.executeUpdate(insertData2);
|
||||
statement.executeUpdate(insertData3);
|
||||
|
||||
@ -17,7 +17,7 @@ public class UserForm {
|
||||
|
||||
@NotNull
|
||||
@Size(min=6, max=20)
|
||||
@Pattern(regexp = "[a-zA-Z0-9]*", message = "can only contain letters and digits")
|
||||
@Pattern(regexp = "[a-zA-Z0-9-]*", message = "can only contain letters, digits, and -")
|
||||
private String username;
|
||||
@NotNull
|
||||
@Size(min=6, max=10)
|
||||
|
||||
@ -79,6 +79,7 @@ define(['jquery',
|
||||
this.listenTo(this.lessonHintView, 'hints:hideButton', this.onHideHintsButton);
|
||||
this.lessonContentView.navToPage(pageNum);
|
||||
this.lessonHintView.hideHints();
|
||||
this.lessonHintView.showFirstHint();
|
||||
//this.lessonHintView.selectHints();
|
||||
this.titleView.render(this.lessonInfoModel.get('lessonTitle'));
|
||||
return;
|
||||
@ -160,7 +161,7 @@ define(['jquery',
|
||||
}
|
||||
//
|
||||
this.lessonHintView.render();
|
||||
if (this.lessonHintView.getHintsCount > 0) {
|
||||
if (this.lessonHintView.getHintsCount() > 0) {
|
||||
this.helpControlsView.showHintsButton();
|
||||
} else {
|
||||
this.helpControlsView.hideHintsButton();
|
||||
|
||||
@ -32,7 +32,11 @@ define(['jquery',
|
||||
}
|
||||
this.set('content',content);
|
||||
this.set('lessonUrl',document.URL.replace(/\.lesson.*/,'.lesson'));
|
||||
this.set('pageNum',document.URL.replace(/.*\.lesson\/(\d{1,4})$/,'$1'));
|
||||
if (/.*\.lesson\/(\d{1,4})$/.test(document.URL)) {
|
||||
this.set('pageNum',document.URL.replace(/.*\.lesson\/(\d{1,4})$/,'$1'));
|
||||
} else {
|
||||
this.set('pageNum',0);
|
||||
}
|
||||
this.trigger('content:loaded',this,loadHelps);
|
||||
},
|
||||
|
||||
|
||||
@ -32,21 +32,19 @@ function($,
|
||||
|
||||
toggleLabel: function() {
|
||||
if (this.isVisible()) {
|
||||
$('show-hints-button').text('Hide hints');
|
||||
$('#show-hints-button').text('Hide hints');
|
||||
} else {
|
||||
$('show-hints-button').text('Show hints');
|
||||
$('#show-hints-button').text('Show hints');
|
||||
}
|
||||
},
|
||||
|
||||
render:function() {
|
||||
if (this.isVisible()) {
|
||||
this.$el.hide(350);
|
||||
this.$el.hide(350, this.toggleLabel.bind(this));
|
||||
} else if (this.hintsToShow.length > 0) {
|
||||
this.$el.show(350);
|
||||
this.$el.show(350, this.toggleLabel.bind(this));
|
||||
}
|
||||
|
||||
this.toggleLabel()
|
||||
|
||||
if (this.hintsToShow.length > 0) {
|
||||
this.hideShowPrevNextButtons();
|
||||
}
|
||||
@ -90,9 +88,9 @@ function($,
|
||||
|
||||
hideHints: function() {
|
||||
if (this.$el.is(':visible')) {
|
||||
this.$el.hide(350);
|
||||
this.$el.hide(350, this.toggleLabel.bind(this));
|
||||
}
|
||||
},
|
||||
},
|
||||
|
||||
showNextHint: function() {
|
||||
this.curHint = (this.curHint < this.hintsToShow.length -1) ? this.curHint+1 : this.curHint;
|
||||
@ -106,6 +104,12 @@ function($,
|
||||
this.displayHint(this.curHint);
|
||||
},
|
||||
|
||||
showFirstHint: function() {
|
||||
this.curHint = 0;
|
||||
this.hideShowPrevNextButtons();
|
||||
this.displayHint(this.curHint);
|
||||
},
|
||||
|
||||
displayHint: function(curHint) {
|
||||
if(this.hintsToShow.length == 0) {
|
||||
// this.hideHints();
|
||||
|
||||
@ -123,8 +123,9 @@
|
||||
<section class="main-content-wrapper">
|
||||
<section id="main-content"> <!--ng-controller="goatLesson"-->
|
||||
<div id="lesson-page" class="pages">
|
||||
<span th:text="${numUsers}"> Users in WebGoat</span>
|
||||
<!-- iterate over users below -->su
|
||||
<span th:text="${numUsers}"></span>
|
||||
<span> Users in WebGoat</span>
|
||||
|
||||
<div sec:authorize="hasAuthority('WEBGOAT_ADMIN')">
|
||||
<h3>WebGoat Users</h3>
|
||||
<div th:each="user : ${allUsers}">
|
||||
|
||||
@ -6,7 +6,7 @@
|
||||
<parent>
|
||||
<groupId>org.owasp.webgoat.lesson</groupId>
|
||||
<artifactId>webgoat-lessons-parent</artifactId>
|
||||
<version>v8.0.0.M16</version>
|
||||
<version>v8.0.0.M20</version>
|
||||
</parent>
|
||||
|
||||
</project>
|
||||
|
||||
@ -6,6 +6,6 @@
|
||||
<parent>
|
||||
<groupId>org.owasp.webgoat.lesson</groupId>
|
||||
<artifactId>webgoat-lessons-parent</artifactId>
|
||||
<version>v8.0.0.M16</version>
|
||||
<version>v8.0.0.M20</version>
|
||||
</parent>
|
||||
</project>
|
||||
|
||||
@ -6,7 +6,7 @@
|
||||
<parent>
|
||||
<groupId>org.owasp.webgoat.lesson</groupId>
|
||||
<artifactId>webgoat-lessons-parent</artifactId>
|
||||
<version>v8.0.0.M16</version>
|
||||
<version>v8.0.0.M20</version>
|
||||
</parent>
|
||||
|
||||
|
||||
|
||||
@ -6,7 +6,7 @@
|
||||
<parent>
|
||||
<groupId>org.owasp.webgoat.lesson</groupId>
|
||||
<artifactId>webgoat-lessons-parent</artifactId>
|
||||
<version>v8.0.0.M16</version>
|
||||
<version>v8.0.0.M20</version>
|
||||
</parent>
|
||||
|
||||
</project>
|
||||
|
||||
@ -6,7 +6,7 @@
|
||||
<parent>
|
||||
<groupId>org.owasp.webgoat.lesson</groupId>
|
||||
<artifactId>webgoat-lessons-parent</artifactId>
|
||||
<version>v8.0.0.M16</version>
|
||||
<version>v8.0.0.M20</version>
|
||||
</parent>
|
||||
<build>
|
||||
<plugins>
|
||||
|
||||
@ -49,10 +49,7 @@ import org.owasp.encoder.*;
|
||||
|
||||
import static org.springframework.http.MediaType.ALL_VALUE;
|
||||
import java.io.IOException;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collection;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.*;
|
||||
|
||||
import static org.springframework.web.bind.annotation.RequestMethod.GET;
|
||||
|
||||
@ -72,20 +69,19 @@ public class StoredXssComments extends AssignmentEndpoint {
|
||||
comments.add(new Comment("secUriTy", DateTime.now().toString(fmt), "<script>console.warn('unit test me')</script>Comment for Unit Testing"));
|
||||
comments.add(new Comment("webgoat", DateTime.now().toString(fmt), "This comment is safe"));
|
||||
comments.add(new Comment("guest", DateTime.now().toString(fmt), "This one is safe too."));
|
||||
comments.add(new Comment("guest", DateTime.now().toString(fmt), "Can you post a comment, calling webgoat.customjs.phoneHome() ?"));
|
||||
comments.add(new Comment("guest", DateTime.now().toString(fmt), "Can you post a comment, calling webgoat.customjs.phoneHome() ?"));
|
||||
}
|
||||
|
||||
@RequestMapping(method = GET, produces = MediaType.APPLICATION_JSON_VALUE,consumes = ALL_VALUE)
|
||||
@ResponseBody
|
||||
public Collection<Comment> retrieveComments() {
|
||||
Collection<Comment> allComments = Lists.newArrayList();
|
||||
List<Comment> allComments = Lists.newArrayList();
|
||||
Collection<Comment> newComments = userComments.get(webSession.getUserName());
|
||||
allComments.addAll(comments);
|
||||
if (newComments != null) {
|
||||
allComments.addAll(newComments);
|
||||
}
|
||||
|
||||
allComments.addAll(comments);
|
||||
|
||||
Collections.reverse(allComments);
|
||||
return allComments;
|
||||
}
|
||||
|
||||
|
||||
@ -5,7 +5,7 @@ xss-reflected-5a-failure=Try again. We do want to see this specific javascript (
|
||||
xss-reflected-5b-success=Correct ... because <ul><li>The script was not triggered by the URL/QueryString</li><li>Even if you use the attack URL in a new tab, it won't execute (becuase of response type). Try it if you like.</li></ul>
|
||||
xss-reflected-5b-failure=Nope, pretty easy to guess now though.
|
||||
xss-reflected-6a-success=Correct! Now, see if you can send in an exploit to that route in the next assignment.
|
||||
xss-reflected-6a-failure=No, look at the example. Check the GoatRouter.js file. It should be pretty easy to determine.
|
||||
xss-reflected-6a-failure=No, look at the example. Check the <a href="/WebGoat/js/goatApp/view/GoatRouter.js" target="_blank">GoatRouter.js</a> file. It should be pretty easy to determine.
|
||||
xss.lesson1.failure=Are you sure? Try using a tab from a different site.
|
||||
xss-dom-message-success=Correct, I hope you didn't cheat, using the console!
|
||||
xss-dom-message-failure=Incorrect, keep trying. It should be obvious in the log when you are successful.
|
||||
|
||||
@ -4,7 +4,7 @@ You should have been able to execute script with the last example. At this point
|
||||
|
||||
Why is that?
|
||||
|
||||
That is because there is no link that would tigger that XSS.
|
||||
That is because there is no link that would trigger that XSS.
|
||||
You can try it yourself to see what happens ... go to (substitute localhost with your server's name or IP if you need to):
|
||||
|
||||
link: http://localhost:8080/WebGoat/CrossSiteScripting/attack5a?QTY1=1&QTY2=1&QTY3=1&QTY4=1&field1=<script>alert('myjavascripthere')</script>4128+3214+0002+1999&field2=111
|
||||
link: http://localhost:8080/WebGoat/CrossSiteScripting/attack5a?QTY1=1&QTY2=1&QTY3=1&QTY4=1&field1=<script>alert('my%20javascript%20here')</script>4128+3214+0002+1999&field2=111
|
||||
|
||||
@ -1,15 +1,15 @@
|
||||
== Ientify Potential for DOM-Based XSS
|
||||
== Identify Potential for DOM-Based XSS
|
||||
|
||||
DOM-Based XSS can usually be found by looking for the route configurations in the client-side code.
|
||||
Look for a route that takes inputs that you can ID being 'reflected' to the page.
|
||||
Look for a route that takes inputs that are being 'reflected' to the page.
|
||||
|
||||
For this example, you'll want to look for some 'test' code in the route handlers (WebGoat uses backbone as its primary javascript library).
|
||||
Sometimes, test code gets left in production (and often times test code is very simple and lacks security or any quality controls!).
|
||||
|
||||
Your objective is to find the route and exploit it. First though ... what is the base route? As an example, look at the URL for this lesson ...
|
||||
it should look something like /WebGoat/start.mvc#lesson/CrossSiteScripting.lesson/5 (although maybe slightly different). The 'base route' in this case is:
|
||||
it should look something like /WebGoat/start.mvc#lesson/CrossSiteScripting.lesson/9. The 'base route' in this case is:
|
||||
*start.mvc#lesson/*
|
||||
The *CrossSiteScripting.lesson/9* after that are parameters that are processed by the javascript route handler.
|
||||
|
||||
The *CrossSiteScripting.lesson/#* after that are parameters that are processed by javascript route handler.
|
||||
|
||||
So, what is test route for this test code?
|
||||
So, what is the route for the test code that stayed in the app during production?
|
||||
To answer this question, you have to check the javascript source.
|
||||
@ -8,4 +8,4 @@ The function you want to execute is ...
|
||||
|
||||
Sure, you could just use console/debug to trigger it, but you need to trigger it via a URL in a new tab.
|
||||
|
||||
Once you do trigger it, a subsequent response will come to the browser with a random number. Put that random number in below.
|
||||
Once you do trigger it, a subsequent response will come to your browser's console with a random number. Put that random number in below.
|
||||
|
||||
@ -6,6 +6,6 @@
|
||||
<parent>
|
||||
<groupId>org.owasp.webgoat.lesson</groupId>
|
||||
<artifactId>webgoat-lessons-parent</artifactId>
|
||||
<version>v8.0.0.M16</version>
|
||||
<version>v8.0.0.M20</version>
|
||||
</parent>
|
||||
</project>
|
||||
@ -64,11 +64,11 @@ public class CSRFFeedback extends AssignmentEndpoint {
|
||||
|
||||
private boolean hostOrRefererDifferentHost(HttpServletRequest request) {
|
||||
String referer = request.getHeader("referer");
|
||||
String origin = request.getHeader("origin");
|
||||
String host = request.getHeader("host");
|
||||
if (referer != null) {
|
||||
return !referer.contains(origin);
|
||||
return !referer.contains(host);
|
||||
} else {
|
||||
return true; //this case referer is null or origin does not matter we cannot compare so we return true which should of course be false
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@ -20,7 +20,7 @@
|
||||
action="/WebGoat/csrf/basic-get-flag"
|
||||
enctype="application/json;charset=UTF-8">
|
||||
<input name="csrf" type="hidden" value="false"/>
|
||||
<input type="submit" name="ubmit="/>
|
||||
<input type="submit" name="submit"/>
|
||||
|
||||
</form>
|
||||
|
||||
|
||||
@ -16,9 +16,11 @@ the activities of the user.
|
||||
image::images/login-csrf.png[caption="Figure: ", title="Login CSRF from Robust Defenses for Cross-Site Request Forgery", width="800", height="500", style="lesson-image" link="http://seclab.stanford.edu/websec/csrf/csrf.pdf"]
|
||||
|
||||
{blank}
|
||||
For more information read the following http://seclab.stanford.edu/websec/csrf/csrf.pdf[paper]
|
||||
For more information read the following http://seclab.stanford.edu/websec/csrf/csrf.pdf[paper].
|
||||
|
||||
In this assignment try to see if WebGoat is also vulnerable for a login CSRF attack. First create a user
|
||||
based on your own username prefixed with csrf. So if your username is `tom` you must create
|
||||
a new user called `csrf-tom`
|
||||
In this assignment try to see if WebGoat is also vulnerable for a login CSRF attack.
|
||||
Leave this tab open and in another tab create a user based on your own username prefixed with `csrf-`.
|
||||
So if your username is `tom` you must create a new user called `csrf-tom`.
|
||||
|
||||
Login as the new user. This is what an attacker would do using CSRF. Then click the button in the original tab.
|
||||
Because you are logged in as a different user, the attacker learns that you clicked the button.
|
||||
|
||||
@ -46,7 +46,7 @@ public class CSRFFeedbackTest extends LessonTest {
|
||||
mockMvc.perform(post("/csrf/feedback/message")
|
||||
.contentType(MediaType.TEXT_PLAIN)
|
||||
.cookie(new Cookie("JSESSIONID", "test"))
|
||||
.header("origin", "localhost:8080")
|
||||
.header("host", "localhost:8080")
|
||||
.header("referer", "webgoat.org")
|
||||
.content("{\"name\": \"Test\", \"email\": \"test1233@dfssdf.de\", \"subject\": \"service\", \"message\":\"dsaffd\"}"))
|
||||
.andExpect(jsonPath("lessonCompleted", is(true)))
|
||||
|
||||
@ -6,7 +6,7 @@
|
||||
<parent>
|
||||
<groupId>org.owasp.webgoat.lesson</groupId>
|
||||
<artifactId>webgoat-lessons-parent</artifactId>
|
||||
<version>v8.0.0.M16</version>
|
||||
<version>v8.0.0.M20</version>
|
||||
</parent>
|
||||
|
||||
<dependencies>
|
||||
|
||||
@ -6,7 +6,7 @@
|
||||
<parent>
|
||||
<groupId>org.owasp.webgoat.lesson</groupId>
|
||||
<artifactId>webgoat-lessons-parent</artifactId>
|
||||
<version>v8.0.0.M16</version>
|
||||
<version>v8.0.0.M20</version>
|
||||
</parent>
|
||||
|
||||
</project>
|
||||
|
||||
@ -6,7 +6,7 @@
|
||||
<parent>
|
||||
<groupId>org.owasp.webgoat.lesson</groupId>
|
||||
<artifactId>webgoat-lessons-parent</artifactId>
|
||||
<version>v8.0.0.M16</version>
|
||||
<version>v8.0.0.M20</version>
|
||||
</parent>
|
||||
|
||||
<dependencies>
|
||||
|
||||
@ -6,7 +6,7 @@
|
||||
<parent>
|
||||
<groupId>org.owasp.webgoat.lesson</groupId>
|
||||
<artifactId>webgoat-lessons-parent</artifactId>
|
||||
<version>v8.0.0.M16</version>
|
||||
<version>v8.0.0.M20</version>
|
||||
</parent>
|
||||
|
||||
</project>
|
||||
@ -6,7 +6,7 @@
|
||||
<parent>
|
||||
<groupId>org.owasp.webgoat.lesson</groupId>
|
||||
<artifactId>webgoat-lessons-parent</artifactId>
|
||||
<version>v8.0.0.M16</version>
|
||||
<version>v8.0.0.M20</version>
|
||||
</parent>
|
||||
|
||||
<dependencies>
|
||||
|
||||
@ -6,7 +6,7 @@
|
||||
<parent>
|
||||
<groupId>org.owasp.webgoat.lesson</groupId>
|
||||
<artifactId>webgoat-lessons-parent</artifactId>
|
||||
<version>v8.0.0.M16</version>
|
||||
<version>v8.0.0.M20</version>
|
||||
</parent>
|
||||
|
||||
<dependencies>
|
||||
|
||||
@ -6,7 +6,7 @@
|
||||
<parent>
|
||||
<groupId>org.owasp.webgoat.lesson</groupId>
|
||||
<artifactId>webgoat-lessons-parent</artifactId>
|
||||
<version>v8.0.0.M16</version>
|
||||
<version>v8.0.0.M20</version>
|
||||
</parent>
|
||||
|
||||
<dependencies>
|
||||
|
||||
@ -1,6 +1,7 @@
|
||||
package org.owasp.webgoat.plugin;
|
||||
|
||||
import com.google.common.collect.Lists;
|
||||
import io.jsonwebtoken.impl.TextCodec;
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
@ -23,7 +24,7 @@ import java.util.List;
|
||||
@AssignmentHints({"jwt-secret-hint1", "jwt-secret-hint2", "jwt-secret-hint3"})
|
||||
public class JWTSecretKeyEndpoint extends AssignmentEndpoint {
|
||||
|
||||
public static final String JWT_SECRET = "victory";
|
||||
public static final String JWT_SECRET = TextCodec.BASE64.encode("victory");
|
||||
private static final String WEBGOAT_USER = "WebGoat";
|
||||
private static final List<String> expectedClaims = Lists.newArrayList("iss", "iat", "exp", "aud", "sub", "username", "Email", "Role");
|
||||
|
||||
|
||||
@ -5,6 +5,7 @@ import io.jsonwebtoken.Claims;
|
||||
import io.jsonwebtoken.Jwt;
|
||||
import io.jsonwebtoken.JwtException;
|
||||
import io.jsonwebtoken.Jwts;
|
||||
import io.jsonwebtoken.impl.TextCodec;
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
@ -25,7 +26,6 @@ import java.time.Duration;
|
||||
import java.time.Instant;
|
||||
import java.util.Date;
|
||||
import java.util.Map;
|
||||
import java.util.concurrent.TimeUnit;
|
||||
|
||||
import static java.util.Comparator.comparingLong;
|
||||
import static java.util.Optional.ofNullable;
|
||||
@ -39,7 +39,7 @@ import static java.util.stream.Collectors.toList;
|
||||
@AssignmentHints({"jwt-change-token-hint1", "jwt-change-token-hint2", "jwt-change-token-hint3", "jwt-change-token-hint4", "jwt-change-token-hint5"})
|
||||
public class JWTVotesEndpoint extends AssignmentEndpoint {
|
||||
|
||||
public static final String JWT_PASSWORD = "victory";
|
||||
public static final String JWT_PASSWORD = TextCodec.BASE64.encode("victory");
|
||||
private static String validUsers = "TomJerrySylvester";
|
||||
|
||||
private static int totalVotes = 38929;
|
||||
|
||||
@ -63,15 +63,15 @@ whether the location is still the same if not revoke all the tokens and let the
|
||||
=== Need for refresh tokens
|
||||
|
||||
Does it make sense to use a refresh token in a modern single page application (SPA)? As we have seen in the section
|
||||
about storing tokens there are two option: web storage or a cookie which mean a refresh token is right beside an
|
||||
access token, so if the access token is leaked changes are the refresh token will also be compromised. Most of the time
|
||||
there is a difference of course, the access token is send when you make an API call, the refresh token is only send
|
||||
about storing tokens there are two options: web storage or a cookie which mean a refresh token is right beside an
|
||||
access token, so if the access token is leaked chances are the refresh token will also be compromised. Most of the time
|
||||
there is a difference of course. The access token is sent when you make an API call, the refresh token is only sent
|
||||
when a new access token should be obtained, which in most cases is a different endpoint. If you end up on the same
|
||||
server you can chose to only use the access token.
|
||||
server you can choose to only use the access token.
|
||||
|
||||
As stated above using an access token and a separate refresh token gives some leverage for the server not to check
|
||||
the access token over and over. Only perform the check when the user needs a new access token.
|
||||
It is certainly possible to only use an access token, at the server you store the exact same information you would
|
||||
It is certainly possible to only use an access token. At the server you store the exact same information you would
|
||||
store for a refresh token, see previous paragraph. This way you need to check the token each time but this might
|
||||
be suitable depending on the application. In the case the refresh tokens are stored for validation it is important to protect these tokens as well (at least
|
||||
use a hash function to store them in your database).
|
||||
|
||||
@ -9,5 +9,5 @@ dictionary attack is not feasible. Once you have a token you can start an offlin
|
||||
Given we have the following token try to find out secret key and submit a new key with the userId changed to WebGoat.
|
||||
|
||||
```
|
||||
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJXZWJHb2F0IFRva2VuIEJ1aWxkZXIiLCJpYXQiOjE1MjQyMTA5MDQsImV4cCI6MTYxODkwNTMwNCwiYXVkIjoid2ViZ29hdC5vcmciLCJzdWIiOiJ0b21Ad2ViZ29hdC5jb20iLCJ1c2VybmFtZSI6IlRvbSIsIkVtYWlsIjoidG9tQHdlYmdvYXQuY29tIiwiUm9sZSI6WyJNYW5hZ2VyIiwiUHJvamVjdCBBZG1pbmlzdHJhdG9yIl19.m-jSyfYEsVzD3CBI6N39wZ7AcdKdp_GiO7F_Ym12u-0
|
||||
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJXZWJHb2F0IFRva2VuIEJ1aWxkZXIiLCJpYXQiOjE1MjQyMTA5MDQsImV4cCI6MTYxODkwNTMwNCwiYXVkIjoid2ViZ29hdC5vcmciLCJzdWIiOiJ0b21Ad2ViZ29hdC5jb20iLCJ1c2VybmFtZSI6IlRvbSIsIkVtYWlsIjoidG9tQHdlYmdvYXQuY29tIiwiUm9sZSI6WyJNYW5hZ2VyIiwiUHJvamVjdCBBZG1pbmlzdHJhdG9yIl19.vPe-qQPOt78zK8wrbN1TjNJj3LeX9Qbch6oo23RUJgM
|
||||
```
|
||||
@ -6,7 +6,7 @@
|
||||
<parent>
|
||||
<groupId>org.owasp.webgoat.lesson</groupId>
|
||||
<artifactId>webgoat-lessons-parent</artifactId>
|
||||
<version>v8.0.0.M16</version>
|
||||
<version>v8.0.0.M20</version>
|
||||
</parent>
|
||||
|
||||
</project>
|
||||
|
||||
@ -13,7 +13,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
|
||||
@AssignmentPath("/access-control/user-hash")
|
||||
@AssignmentHints({"access-control.hash.hint1","access-control.hash.hint2","access-control.hash.hint3",
|
||||
"access-control.hash.hint4","access-control.hash.hint5","access-control.hash.hint6","access-control.hash.hint7",
|
||||
"access-control.hash.hint8","access-control.hash.hint9"})
|
||||
"access-control.hash.hint8","access-control.hash.hint9","access-control.hash.hint10","access-control.hash.hint11","access-control.hash.hint12"})
|
||||
public class MissingFunctionACYourHash extends AssignmentEndpoint {
|
||||
|
||||
@Autowired
|
||||
|
||||
@ -51,7 +51,7 @@ public class Users extends Endpoint{
|
||||
userMap.put("cc", results.getString(3));
|
||||
userMap.put("ccType", results.getString(4));
|
||||
userMap.put("cookie", results.getString(5));
|
||||
userMap.put("loginCOunt",Integer.toString(results.getInt(6)));
|
||||
userMap.put("loginCount",Integer.toString(results.getInt(6)));
|
||||
allUsersMap.put(id,userMap);
|
||||
}
|
||||
userSessionData.setValue("allUsers",allUsersMap);
|
||||
|
||||
@ -11,12 +11,15 @@ access-control.hidden-menus.hint3=Look for something a super-user or administato
|
||||
access-control.hash.success=Congrats! You really succeeded when you added the user.
|
||||
access-control.hash.close=Keep trying, this one may take several attempts & steps to achieve. See the hints for help.
|
||||
|
||||
access-control.hash.hint1=If you haven't found the hidden menus from the earlier exercise, go do that now.
|
||||
access-control.hash.hint2=When you look at the users page, there is a hint that more info is viewable by a given role of user.
|
||||
access-control.hash.hint3=Have you tried tampering the GET request? Can you find supported or unsupported methods? Can you trigger 500 errors?
|
||||
access-control.hash.hint4=There are actually two ways to solve this one. The first involves just changing a request header.
|
||||
access-control.hash.hint5=If the request to view users, were a 'service' or 'RESTful' endpoint, what would be different about it?
|
||||
access-control.hash.hint6=If you're still looking for hints ... try changing the Content-type header in the GET request.
|
||||
access-control.hash.hint7=The harder way involves changing the Content-type AND the method ... As well as a proper payload for the request. Look at how registration works first and extrapolate out from there.
|
||||
access-control.hash.hint8=See if you can add a user with a webgoat admin role, and if more is visible once you log in as that user.
|
||||
access-control.hash.hint9=If you create a new user with the admin role ... The role should include 'WEBGOAT' and 'ADMIN' in the role name. You'll have to do some guessing beyond that.
|
||||
access-control.hash.hint1=There is an easier way and a 'harder' way to achieve this, the easier way involves one simple change in a GET request.
|
||||
access-control.hash.hint2= If you haven't found the hidden menus from the earlier exercise, go do that first.
|
||||
access-control.hash.hint3=When you look at the users page, there is a hint that more info is viewable by a given role.
|
||||
access-control.hash.hint4=For the easy way, have you tried tampering the GET request? Different content-types?
|
||||
access-control.hash.hint5=For the 'easy' way, modify the GET request to /users to include 'Content-Type: application/json'
|
||||
access-control.hash.hint6=Now for the harder way ... it builds on the easier way
|
||||
access-control.hash.hint7=If the request to view users, were a 'service' or 'RESTful' endpoint, what would be different about it?
|
||||
access-control.hash.hint8=If you're still looking for hints ... try changing the Content-type header as in the GET request.
|
||||
access-control.hash.hint9=You also need to deliver a proper payload for the request (look at how registration works). This should be formatted in line with the content-type you just defined.
|
||||
access-control.hash.hint10=You will want to add WEBGOAT_ADMIN for the user's role. Yes, you'd have to guess/fuzz this in a real-world setting.
|
||||
access-control.hash.hint11=OK, here it is. First, create an admin user ... Change the method to POST, change the content-type to "application/json". And your payload should look something like: {"username":"newUser2","password":"newUser12","matchingPassword":"newUser12","role":"WEBGOAT_ADMIN"}
|
||||
access-control.hash.hint12=Now log in as that user and bring up WebGoat/users. Copy your hash and log back in to your original account and input it there to get credit.
|
||||
|
||||
@ -6,7 +6,7 @@
|
||||
<parent>
|
||||
<groupId>org.owasp.webgoat.lesson</groupId>
|
||||
<artifactId>webgoat-lessons-parent</artifactId>
|
||||
<version>v8.0.0.M16</version>
|
||||
<version>v8.0.0.M20</version>
|
||||
</parent>
|
||||
|
||||
<dependencies>
|
||||
|
||||
@ -5,12 +5,12 @@
|
||||
<groupId>org.owasp.webgoat.lesson</groupId>
|
||||
<artifactId>webgoat-lessons-parent</artifactId>
|
||||
<packaging>pom</packaging>
|
||||
<version>v8.0.0.M16</version>
|
||||
<version>v8.0.0.M20</version>
|
||||
|
||||
<parent>
|
||||
<groupId>org.owasp.webgoat</groupId>
|
||||
<artifactId>webgoat-parent</artifactId>
|
||||
<version>v8.0.0.M16</version>
|
||||
<version>v8.0.0.M20</version>
|
||||
</parent>
|
||||
|
||||
<modules>
|
||||
|
||||
@ -6,6 +6,6 @@
|
||||
<parent>
|
||||
<groupId>org.owasp.webgoat.lesson</groupId>
|
||||
<artifactId>webgoat-lessons-parent</artifactId>
|
||||
<version>v8.0.0.M16</version>
|
||||
<version>v8.0.0.M20</version>
|
||||
</parent>
|
||||
</project>
|
||||
@ -1,10 +1,11 @@
|
||||
|
||||
package org.owasp.webgoat.plugin.introduction;
|
||||
package org.owasp.webgoat.plugin.advanced;
|
||||
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.plugin.introduction.SqlInjectionLesson5a;
|
||||
import org.owasp.webgoat.session.DatabaseUtilities;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
@ -55,7 +56,6 @@ public class SqlInjectionLesson6a extends AssignmentEndpoint {
|
||||
AttackResult completed(@RequestParam String userid_6a) throws IOException {
|
||||
return injectableQuery(userid_6a);
|
||||
// The answer: Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data --
|
||||
|
||||
}
|
||||
|
||||
protected AttackResult injectableQuery(String accountName) {
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
package org.owasp.webgoat.plugin.introduction;
|
||||
package org.owasp.webgoat.plugin.advanced;
|
||||
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
@ -3,7 +3,7 @@
|
||||
Lets try to exploit a join to another table. One of the tables in the WebGoat database is:
|
||||
|
||||
-------------------------------------------------------
|
||||
CREATE TABLE user_system_data (userid varchar(5) not null primary key,
|
||||
CREATE TABLE user_system_data (userid int not null primary key,
|
||||
user_name varchar(12),
|
||||
password varchar(10),
|
||||
cookie varchar(30));
|
||||
|
||||
@ -64,7 +64,7 @@ public class SqlInjectionLesson6aTest extends LessonTest {
|
||||
|
||||
.andExpect(status().isOk())
|
||||
.andExpect(jsonPath("$.lessonCompleted", is(true)))
|
||||
.andExpect(jsonPath("$.feedback", containsString("dave")));
|
||||
.andExpect(jsonPath("$.feedback", containsString("passW0rD")));
|
||||
}
|
||||
|
||||
@Test
|
||||
|
||||
@ -30,7 +30,7 @@ public class SqlInjectionLesson6bTest extends LessonTest {
|
||||
@Test
|
||||
public void submitCorrectPassword() throws Exception {
|
||||
mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6b")
|
||||
.param("userid_6b", "dave"))
|
||||
.param("userid_6b", "passW0rD"))
|
||||
|
||||
.andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true)));
|
||||
}
|
||||
|
||||
@ -6,7 +6,7 @@
|
||||
<parent>
|
||||
<groupId>org.owasp.webgoat.lesson</groupId>
|
||||
<artifactId>webgoat-lessons-parent</artifactId>
|
||||
<version>v8.0.0.M16</version>
|
||||
<version>v8.0.0.M20</version>
|
||||
</parent>
|
||||
<dependencies>
|
||||
<dependency>
|
||||
|
||||
@ -6,6 +6,6 @@
|
||||
<parent>
|
||||
<groupId>org.owasp.webgoat.lesson</groupId>
|
||||
<artifactId>webgoat-lessons-parent</artifactId>
|
||||
<version>v8.0.0.M16</version>
|
||||
<version>v8.0.0.M20</version>
|
||||
</parent>
|
||||
</project>
|
||||
@ -6,6 +6,6 @@
|
||||
<parent>
|
||||
<groupId>org.owasp.webgoat.lesson</groupId>
|
||||
<artifactId>webgoat-lessons-parent</artifactId>
|
||||
<version>v8.0.0.M16</version>
|
||||
<version>v8.0.0.M20</version>
|
||||
</parent>
|
||||
</project>
|
||||
@ -6,7 +6,7 @@
|
||||
<parent>
|
||||
<groupId>org.owasp.webgoat.lesson</groupId>
|
||||
<artifactId>webgoat-lessons-parent</artifactId>
|
||||
<version>v8.0.0.M16</version>
|
||||
<version>v8.0.0.M20</version>
|
||||
</parent>
|
||||
|
||||
<dependencies>
|
||||
|
||||
@ -6,7 +6,7 @@
|
||||
<parent>
|
||||
<groupId>org.owasp.webgoat</groupId>
|
||||
<artifactId>webgoat-parent</artifactId>
|
||||
<version>v8.0.0.M16</version>
|
||||
<version>v8.0.0.M20</version>
|
||||
</parent>
|
||||
|
||||
<properties>
|
||||
|
||||
@ -6,7 +6,7 @@
|
||||
<parent>
|
||||
<groupId>org.owasp.webgoat</groupId>
|
||||
<artifactId>webgoat-parent</artifactId>
|
||||
<version>v8.0.0.M16</version>
|
||||
<version>v8.0.0.M20</version>
|
||||
</parent>
|
||||
|
||||
<dependencies>
|
||||
|
||||
Reference in New Issue
Block a user