Compare commits
7 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 99048d6d9d | |||
| 971f11534d | |||
| c06e4d462b | |||
| 39029f604f | |||
| 36fcb58caa | |||
| 6c91e7dc8a | |||
| a543deca04 |
@ -7,6 +7,7 @@ install: "/bin/true"
|
||||
script:
|
||||
- export BRANCH=$(if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then echo $TRAVIS_BRANCH; else echo $TRAVIS_PULL_REQUEST_BRANCH; fi)
|
||||
- echo "TRAVIS_BRANCH=$TRAVIS_BRANCH, PR=$PR, BRANCH=$BRANCH"
|
||||
- if [ ! -z "${TRAVIS_TAG}" ]; then mvn versions:set -DnewVersion=${TRAVIS_TAG:1}; fi
|
||||
- mvn clean install -q
|
||||
cache:
|
||||
directories:
|
||||
|
||||
29
CREATE_RELEASE.MD
Normal file
29
CREATE_RELEASE.MD
Normal file
@ -0,0 +1,29 @@
|
||||
## Release WebGoat
|
||||
|
||||
|
||||
### Version numbers
|
||||
|
||||
For WebGoat we use milestone releases first before we release the official version, we use `v8.0.0.M3` while tagging
|
||||
and 8.0.0.M3 in the `pom.xml`. When we create the final release we remove the milestone release and use
|
||||
`v8.0.0` and 8.0.0 in the `pom.xml`
|
||||
|
||||
At the moment we use Gitflow, for a release you create a new release branch and take the following steps:
|
||||
|
||||
```
|
||||
git checkout develop
|
||||
git flow release start <version>
|
||||
mvn versions:set <<version>
|
||||
git commit -am "New release, updaing pom.xml"
|
||||
git flow release publish
|
||||
```
|
||||
|
||||
Now we can make a new release, be sure you committed all your changes.
|
||||
|
||||
```
|
||||
git tag v8.0.0.M3
|
||||
git push origin v8.0.0.M3
|
||||
```
|
||||
|
||||
Now Travis takes over and will create the release in Github and on Docker Hub.
|
||||
|
||||
|
||||
@ -1,12 +1,6 @@
|
||||
version: '2.0'
|
||||
|
||||
services:
|
||||
activemq:
|
||||
image: webcenter/activemq:latest
|
||||
ports:
|
||||
- 8161:8161
|
||||
- 61616:61616
|
||||
- 61613:61613
|
||||
mongo:
|
||||
image: mongo:latest
|
||||
expose:
|
||||
|
||||
@ -4,6 +4,7 @@ docker login -u $DOCKER_USER -p $DOCKER_PASS
|
||||
export REPO=webgoat/webgoat-8.0
|
||||
|
||||
cd webgoat-server
|
||||
ls target/
|
||||
|
||||
if [ "${BRANCH}" == "master" ] && [ ! -z "${TRAVIS_TAG}" ]; then
|
||||
# If we push a tag to master this will update the LATEST Docker image and tag with the version number
|
||||
|
||||
@ -34,7 +34,7 @@ webwolf.host=${WEBWOLF_HOST:localhost}
|
||||
webwolf.port=${WEBWOLF_PORT:8081}
|
||||
webwolf.url=http://${webwolf.host}:${webwolf.port}/WebWolf
|
||||
webworf.url.landingpage=http://${webwolf.host}:${webwolf.port}/landing
|
||||
webworf.url.mail=http://${webwolf.host}:${webwolf.port}/mail
|
||||
webwolf.url.mail=http://${webwolf.host}:${webwolf.port}/mail
|
||||
|
||||
spring.jackson.serialization.indent_output=true
|
||||
spring.jackson.serialization.write-dates-as-timestamps=false
|
||||
|
||||
@ -45,7 +45,7 @@ public class Assignment7 extends AssignmentEndpoint {
|
||||
|
||||
@Autowired
|
||||
private RestTemplate restTemplate;
|
||||
@Value("${webworf.url.mail}")
|
||||
@Value("${webwolf.url.mail}")
|
||||
private String webWolfMailURL;
|
||||
|
||||
@GetMapping("/reset-password/{link}")
|
||||
|
||||
@ -22,7 +22,7 @@ public class MailAssignment extends AssignmentEndpoint {
|
||||
private final String webWolfURL;
|
||||
private RestTemplate restTemplate;
|
||||
|
||||
public MailAssignment(RestTemplate restTemplate, @Value("${webwolf.url}") String webWolfURL) {
|
||||
public MailAssignment(RestTemplate restTemplate, @Value("${webwolf.url.mail}") String webWolfURL) {
|
||||
this.restTemplate = restTemplate;
|
||||
this.webWolfURL = webWolfURL;
|
||||
}
|
||||
@ -36,10 +36,10 @@ public class MailAssignment extends AssignmentEndpoint {
|
||||
.recipient(username)
|
||||
.title("Test messages from WebWolf")
|
||||
.time(LocalDateTime.now())
|
||||
.contents("This is a test message from WebWolf, your unique code is" + StringUtils.reverse(username))
|
||||
.contents("This is a test message from WebWolf, your unique code is: " + StringUtils.reverse(username))
|
||||
.sender("webgoat@owasp.org")
|
||||
.build();
|
||||
restTemplate.postForEntity(webWolfURL + "/WebWolf/mail", mailEvent, Object.class);
|
||||
restTemplate.postForEntity(webWolfURL, mailEvent, Object.class);
|
||||
return informationMessage().feedback("webwolf.email_send").feedbackArgs(email).build();
|
||||
} else {
|
||||
return informationMessage().feedback("webwolf.email_mismatch").feedbackArgs(username).build();
|
||||
|
||||
@ -12,9 +12,10 @@
|
||||
<div class="lesson-page-wrapper">
|
||||
<div class="adoc-content" th:replace="doc:Receiving_mail.adoc"></div>
|
||||
<div class="attack-container">
|
||||
<form accept-charset="UNKNOWN"
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/WebWolf/send"
|
||||
action="/WebGoat/WebWolf/mail/send"
|
||||
enctype="application/json;charset=UTF-8">
|
||||
<div class="container-fluid">
|
||||
<div class="row">
|
||||
|
||||
@ -2,8 +2,6 @@ package org.owasp.webwolf;
|
||||
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.owasp.webwolf.requests.WebWolfTraceRepository;
|
||||
import org.owasp.webwolf.user.UserRepository;
|
||||
import org.owasp.webwolf.user.WebGoatUserToCookieRepository;
|
||||
import org.springframework.boot.SpringApplication;
|
||||
import org.springframework.boot.actuate.trace.TraceRepository;
|
||||
import org.springframework.boot.autoconfigure.SpringBootApplication;
|
||||
@ -16,8 +14,8 @@ import org.springframework.context.annotation.Bean;
|
||||
public class WebWolf extends SpringBootServletInitializer {
|
||||
|
||||
@Bean
|
||||
public TraceRepository traceRepository(WebGoatUserToCookieRepository repository, UserRepository userRepository) {
|
||||
return new WebWolfTraceRepository(repository, userRepository);
|
||||
public TraceRepository traceRepository() {
|
||||
return new WebWolfTraceRepository();
|
||||
}
|
||||
|
||||
@Override
|
||||
|
||||
@ -5,11 +5,16 @@ import lombok.extern.slf4j.Slf4j;
|
||||
import org.owasp.webwolf.user.UserRepository;
|
||||
import org.owasp.webwolf.user.WebGoatUser;
|
||||
import org.springframework.http.HttpStatus;
|
||||
import org.springframework.http.ResponseEntity;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
import org.springframework.web.bind.annotation.RequestBody;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
import org.springframework.web.servlet.ModelAndView;
|
||||
|
||||
import java.util.List;
|
||||
import java.util.concurrent.Callable;
|
||||
|
||||
/**
|
||||
* @author nbaars
|
||||
@ -37,13 +42,16 @@ public class MailboxController {
|
||||
}
|
||||
|
||||
@PostMapping(value = "/mail")
|
||||
@ResponseStatus(HttpStatus.CREATED)
|
||||
public void sendEmail(@RequestBody Email email) {
|
||||
public Callable<ResponseEntity<?>> sendEmail(@RequestBody Email email) {
|
||||
return () -> {
|
||||
if (userRepository.findByUsername(email.getRecipient()) != null) {
|
||||
mailboxRepository.save(email);
|
||||
return ResponseEntity.status(HttpStatus.CREATED).build();
|
||||
} else {
|
||||
log.trace("Mail received for unknown user: {}", email.getRecipient());
|
||||
return ResponseEntity.notFound().build();
|
||||
}
|
||||
};
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@ -2,13 +2,13 @@ package org.owasp.webwolf.requests;
|
||||
|
||||
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.springframework.http.HttpStatus;
|
||||
import org.springframework.http.ResponseEntity;
|
||||
import org.springframework.stereotype.Controller;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.ResponseStatus;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import java.util.concurrent.Callable;
|
||||
|
||||
@Controller
|
||||
@Slf4j
|
||||
@ -16,9 +16,11 @@ import javax.servlet.http.HttpServletRequest;
|
||||
public class LandingPage {
|
||||
|
||||
@RequestMapping(method = {RequestMethod.POST, RequestMethod.GET, RequestMethod.DELETE, RequestMethod.PATCH, RequestMethod.PUT})
|
||||
@ResponseStatus(HttpStatus.OK)
|
||||
public void ok(HttpServletRequest request) {
|
||||
public Callable<ResponseEntity<?>> ok(HttpServletRequest request) {
|
||||
return () -> {
|
||||
log.trace("Incoming request for: {}", request.getRequestURL());
|
||||
return ResponseEntity.ok().build();
|
||||
};
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@ -5,9 +5,7 @@ import com.fasterxml.jackson.databind.ObjectMapper;
|
||||
import lombok.AllArgsConstructor;
|
||||
import lombok.Getter;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.owasp.webwolf.user.WebGoatUser;
|
||||
import org.springframework.boot.actuate.trace.Trace;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
import org.springframework.stereotype.Controller;
|
||||
import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
@ -46,8 +44,7 @@ public class Requests {
|
||||
@GetMapping
|
||||
public ModelAndView get(HttpServletRequest request) {
|
||||
ModelAndView m = new ModelAndView("requests");
|
||||
WebGoatUser user = (WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
|
||||
List<Tracert> traces = traceRepository.findTraceForUser(user.getUsername()).stream()
|
||||
List<Tracert> traces = traceRepository.findAllTraces().stream()
|
||||
.map(t -> new Tracert(t.getTimestamp(), path(t), toJsonString(t))).collect(toList());
|
||||
m.addObject("traces", traces);
|
||||
|
||||
|
||||
@ -1,30 +1,17 @@
|
||||
package org.owasp.webwolf.requests;
|
||||
|
||||
import com.google.common.cache.CacheBuilder;
|
||||
import com.google.common.cache.CacheLoader;
|
||||
import com.google.common.cache.LoadingCache;
|
||||
import com.google.common.collect.EvictingQueue;
|
||||
import com.google.common.collect.Lists;
|
||||
import com.google.common.collect.Maps;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.owasp.webwolf.user.UserRepository;
|
||||
import org.owasp.webwolf.user.WebGoatUser;
|
||||
import org.owasp.webwolf.user.WebGoatUserCookie;
|
||||
import org.owasp.webwolf.user.WebGoatUserToCookieRepository;
|
||||
import org.springframework.boot.actuate.trace.Trace;
|
||||
import org.springframework.boot.actuate.trace.TraceRepository;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
|
||||
import java.net.HttpCookie;
|
||||
import java.util.*;
|
||||
import java.util.concurrent.ConcurrentLinkedDeque;
|
||||
|
||||
import static java.util.Optional.empty;
|
||||
import static java.util.Optional.of;
|
||||
|
||||
/**
|
||||
* Keep track of all the incoming requests, we are only keeping track of request originating from
|
||||
* WebGoat and only if there is a cookie (otherwise we can never relate it back to a user).
|
||||
* WebGoat.
|
||||
*
|
||||
* @author nbaars
|
||||
* @since 8/13/17.
|
||||
@ -32,20 +19,7 @@ import static java.util.Optional.of;
|
||||
@Slf4j
|
||||
public class WebWolfTraceRepository implements TraceRepository {
|
||||
|
||||
private final LoadingCache<String, ConcurrentLinkedDeque<Trace>> cookieTraces = CacheBuilder.newBuilder()
|
||||
.maximumSize(4000).build(new CacheLoader<String, ConcurrentLinkedDeque<Trace>>() {
|
||||
@Override
|
||||
public ConcurrentLinkedDeque<Trace> load(String s) throws Exception {
|
||||
return new ConcurrentLinkedDeque<>();
|
||||
}
|
||||
});
|
||||
private final WebGoatUserToCookieRepository repository;
|
||||
private final UserRepository userRepository;
|
||||
|
||||
public WebWolfTraceRepository(WebGoatUserToCookieRepository repository, UserRepository userRepository) {
|
||||
this.repository = repository;
|
||||
this.userRepository = userRepository;
|
||||
}
|
||||
private final EvictingQueue<Trace> traces = EvictingQueue.create(10000);
|
||||
|
||||
@Override
|
||||
public List<Trace> findAll() {
|
||||
@ -55,58 +29,18 @@ public class WebWolfTraceRepository implements TraceRepository {
|
||||
return Lists.newArrayList(trace);
|
||||
}
|
||||
|
||||
public List<Trace> findTraceForUser(String username) {
|
||||
return Lists.newArrayList(cookieTraces.getUnchecked(username));
|
||||
public List<Trace> findAllTraces() {
|
||||
return Lists.newArrayList(traces);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void add(Map<String, Object> map) {
|
||||
Optional<String> host = getFromHeaders("host", map);
|
||||
String path = (String) map.getOrDefault("path", "");
|
||||
if (host.isPresent() && path.contains("/landing/")) {
|
||||
Optional<String> cookie = getFromHeaders("cookie", map);
|
||||
Optional<String> user = cookie.isPresent() ? findUserBasedOnCookie(cookie.get()) : getLoggedInUser();
|
||||
user.ifPresent(u -> {
|
||||
ConcurrentLinkedDeque<Trace> traces = this.cookieTraces.getUnchecked(u);
|
||||
traces.addFirst(new Trace(new Date(), map));
|
||||
cookieTraces.put(u, traces);
|
||||
});
|
||||
//No user found based on cookie and logged in user, so add the trace to all users
|
||||
//In case of XXE no cookie will be send we cannot retrieve who is logged in.
|
||||
//Standalone this is ok, in a challenge you need to make sure the solution or secret the users need to
|
||||
//fetch is unique
|
||||
if (!user.isPresent()) {
|
||||
List<WebGoatUser> users = this.userRepository.findAll();
|
||||
users.forEach(u -> {
|
||||
ConcurrentLinkedDeque<Trace> traces = this.cookieTraces.getUnchecked(u.getUsername());
|
||||
traces.addFirst(new Trace(new Date(), map));
|
||||
cookieTraces.put(u.getUsername(), traces);
|
||||
});
|
||||
if (host.isPresent() && path.contains("/landing")) {
|
||||
traces.add(new Trace(new Date(), map));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private Optional<String> findUserBasedOnCookie(String cookiesIncomingRequest) {
|
||||
//Request from WebGoat to WebWolf will contain the session cookie of WebGoat try to map it to a user
|
||||
//this mapping is added to userSession by the CookieFilter in WebGoat code
|
||||
HttpCookie cookie = HttpCookie.parse(cookiesIncomingRequest).get(0);
|
||||
Optional<WebGoatUserCookie> userToCookie = repository.findByCookie(cookie.getValue());
|
||||
Optional<String> user = userToCookie.map(u -> u.getUsername());
|
||||
|
||||
return user;
|
||||
}
|
||||
|
||||
private Optional<String> getLoggedInUser() {
|
||||
Optional<String> user = empty();
|
||||
//User is maybe logged in to WebWolf use this user
|
||||
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
|
||||
if (authentication != null && authentication.getPrincipal() instanceof WebGoatUser) {
|
||||
WebGoatUser wg = (WebGoatUser) authentication.getPrincipal();
|
||||
user = of(wg.getUsername());
|
||||
}
|
||||
return user;
|
||||
}
|
||||
|
||||
|
||||
private Optional<String> getFromHeaders(String header, Map<String, Object> map) {
|
||||
Map<String, Object> headers = (Map<String, Object>) map.get("headers");
|
||||
|
||||
@ -1,14 +0,0 @@
|
||||
package org.owasp.webwolf.user;
|
||||
|
||||
import org.springframework.data.mongodb.repository.MongoRepository;
|
||||
|
||||
import java.util.Optional;
|
||||
|
||||
/**
|
||||
* @author nbaars
|
||||
* @since 8/20/17.
|
||||
*/
|
||||
public interface WebGoatUserToCookieRepository extends MongoRepository<WebGoatUserCookie, String> {
|
||||
|
||||
Optional<WebGoatUserCookie> findByCookie(String cookie);
|
||||
}
|
||||
Reference in New Issue
Block a user