Compare commits

..

86 Commits

Author SHA1 Message Date
a1246aec9e WIP 2021-03-27 14:58:46 +01:00
ae6f9aebcb WIP 2021-03-27 14:57:31 +01:00
bc39e5bdba WIP 2021-03-27 14:08:41 +01:00
f57412a4f5 WIP 2021-03-27 14:07:24 +01:00
889372f2d9 WIP 2021-03-27 12:53:48 +01:00
5173ef7923 WIP 2021-03-27 12:51:40 +01:00
302f58609b WIP 2021-03-16 15:52:42 +01:00
f1853c004a Update main.yml
after push on all branches
2021-03-07 12:33:49 +01:00
dbab132d46 Create main.yml
Check the effect of a GitHub workflow
2021-03-07 12:25:49 +01:00
431da30946 Selenium test added (#906)
* add a selenium test for firefox

* add geckodriver and firefox to travis

* install updated

* install updated

* try out suggested webdriver dependency class

* add more resilience
2021-02-21 19:57:08 +01:00
ad5ab4ca2e Fixes #321 (#935)
Copyright year was "20014", replaced to "2014"
Fixed the old github.io URL which no longer exists
See https://github.com/WebGoat/WebGoat/issues/321
2021-02-18 19:06:11 +01:00
522f6b5fff Fixed a typo (#936)
Fixed a typo in the documentation and added a colon for better readability
2021-02-18 19:04:00 +01:00
c6789d7ce3 Update Apache Maven from 3.2.1 to 3.2.5 (#932)
The version of Maven is not compatible with the plugin "org.codehaus.mojo:flatten-maven-plugin:1.2.5" used in webgoat-container
```
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] Using 'UTF-8' encoding to copy filtered properties files.
[INFO] Copying 1 resource
[INFO] Copying 111 resources
[INFO] The encoding used to copy filtered properties files have not been set. This means that the same encoding will be used to copy filtered properties files as when copying other filtered resources. This might not be what you want! Run your build with --debug to see which files might be affected. Read more at https://maven.apache.org/plugins/maven-resources-plugin/examples/filtering-properties-files.html
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary:
[INFO] 
[INFO] webgoat-container ................................. FAILURE [ 18.319 s]
...
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 26.001 s
[INFO] Finished at: 2021-02-06T09:37:58+00:00
[INFO] Final Memory: 49M/162M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.codehaus.mojo:flatten-maven-plugin:1.2.5:flatten (flatten) on project webgoat-container: The plugin org.codehaus.mojo:flatten-maven-plugin:1.2.5 requires Maven version 3.2.5 -> [Help 1]
```
2021-02-11 15:14:50 +01:00
215b3b4e78 Remove redundant escaping in regex (#929) 2021-02-11 15:13:38 +01:00
00c4be63f0 Fix sql injection line comments issue. (#925) 2021-01-19 10:47:04 +01:00
2e581d6bdb docs: update SQLi lesson text (#928)
- corrected typos/grammar issues
  - restructured sentences for clarity
2021-01-19 10:29:16 +01:00
b20f6492a3 Simplify regex (#927) 2021-01-15 14:36:04 +01:00
74b218b2a7 Use try with resources instead of try (#921)
* Use try with resources instead of try

* Remove unused lesson

* Remove unused fields
2021-01-13 18:21:04 +01:00
b219854f81 fix in case external site is down (#919) 2021-01-11 20:15:23 +01:00
dea4a9d2a9 Small improvements (#918)
* Typo fix

* No need to use thread-safe object

* Use String case-insensitive equals
2021-01-11 16:38:14 +01:00
6d3f38e2df Update README.MD (#915) 2021-01-11 15:56:50 +01:00
60c7fdd0db activation button tested 2020-12-09 19:40:16 +01:00
bce4c775bf initial idea for explanation on static code analysis and experience of the fix 2020-12-09 19:40:16 +01:00
8bed91a8dc improved threading and logic based on number of calls and number of tests (#910) 2020-12-08 16:03:36 +01:00
e78420fa8e fix warnings 2020-12-04 08:47:50 +01:00
f676b3a3d6 fix warnings 2020-12-04 08:47:50 +01:00
8b4240889a fix warnings 2020-12-04 08:47:50 +01:00
262afedb08 fix warnings 2020-12-04 08:47:50 +01:00
9dbd41c830 fix warnings 2020-12-04 08:47:50 +01:00
3aab59e326 fix warnings 2020-12-04 08:47:50 +01:00
0f7a556b9c fix warnings 2020-12-04 08:47:50 +01:00
48b3c6a07d fix warnings 2020-12-04 08:47:50 +01:00
649fce6f42 fix warnings 2020-12-04 08:47:50 +01:00
b1495a8cd5 Fix typo (#909) 2020-12-03 14:23:23 +01:00
69c19d19d4 flattened pom plugin added for easy build of separate modules (#907) 2020-12-01 17:12:43 +01:00
89f43229ab upgrade springboot version and some related unit test fixes (#904)
* upgrade springboot version and some related unit test fixes

* removed log for test

* removed junit version property
2020-11-28 17:35:55 +01:00
8235ea0f58 Custom menu (#901)
* added way to customize menu

* fixed unit mock test

* updated release notes

* updated release notes

* default none exclude
2020-11-27 14:36:57 +01:00
6bee0f3fa6 layout of page improved and ordered ranking (#903) 2020-11-27 13:58:58 +01:00
574039902d changed version to snapshot version and introduced revision parameter
for it
2020-11-27 12:15:19 +01:00
090263b279 added start checks with hints on port usage 2020-11-27 12:13:24 +01:00
74cca6d185 Add missing trailing double quote in sql query (#897) 2020-11-19 07:45:07 +01:00
f3e3cbd45f Improve navigation bar (#890)
* Remove Raspberry pi Docker file

* Remove old show-source/solution and plan button

* Remove commented out code

* Improve navigation

* Remove underline from navigation and remove margin of left navigation button

* Make arrow a bit smaller so it aligns a bit better with the navigation bar itself
2020-11-13 07:24:52 +01:00
db3015e0bc When current lesson is not set do not try to remove selected class as there is no element selected.
The current lesson is now selected correctly so it makes it easier to see which item in the menu is selected
2020-11-04 21:33:57 +01:00
fa9b5ae87d Remove option to hide menu with the lessons 2020-11-04 21:33:57 +01:00
36cf028334 Remove blinking navigation buttons 2020-11-04 21:33:57 +01:00
488a8e934a #843: Add readonly field and update the layout of the assignment 2020-11-04 20:35:05 +01:00
753a2db958 #846: add extra test to verify whether the solution is solved for the original user as well 2020-11-04 20:35:05 +01:00
37e9359c9e #841: Clarify the lesson based on the comments
- Output messages more clear
- Replace success with failure (otherwise lesson is marked complete immediately)
- Fix the layout of the lesson (remove whitespace update buttons)
2020-11-04 20:35:05 +01:00
7b8523dcab #839: fix the SQL statement as this one does not express that the orderBy clause input is user input 2020-11-04 20:35:05 +01:00
dac011db78 fix failing test (order) 2020-10-21 08:05:53 +02:00
41879c4603 Blind XXE lesson blocks including the file in the comment directly 2020-10-20 22:09:49 +02:00
641d75e734 Link to the original lesson for the goal 2020-10-20 22:09:49 +02:00
e4ec90db8a chore: update CIA grammar and content
- misc. grammatical edits
  - add a few more examples
2020-10-15 08:39:28 +02:00
d5f78351a2 lesson pages updated based on comments for #834 and #836 (#864) 2020-08-23 15:36:01 +02:00
ef6993c636 improving lesson due to issue #845 2020-07-09 19:21:42 +02:00
2d2dc22e19 first step 2020-07-09 19:21:42 +02:00
db9e1c4c4f first step 2020-07-09 19:21:42 +02:00
317573c897 Small fixes june 2020 (#857)
* issue 849

* another integration test for a challenge

* fixing issue 848

* updated link for issue 833

* fix for 847
2020-07-08 19:26:09 +02:00
ba8444dd85 Update 1proxysetupsteps.adoc (#854)
thanks for the fix
2020-07-04 08:00:32 +02:00
219aad0bbc Correcting incorrect information (#835)
Thanks for the improvement. Hope you liked the lesson.
2020-06-19 17:00:43 +02:00
1cbaade9ab adjustments for arbitrary user support (openshift guideline) (#830)
* adjustments for arbitrary user support (openshift guideline)

* do not create up front .webgoat
2020-06-08 07:30:55 +02:00
98d17433f1 HTML Tampering mitigation: Typo fixes 2020-05-25 09:09:26 +02:00
11a7814626 Dinis Cruz Blog
This was discussed in ticket https://github.com/WebGoat/WebGoat/issues/724; however, the Dinis Cruz Blog remains available through a blogspot.com URL which might be more interesting to reference than a web.archive.org link.
2020-05-25 09:08:55 +02:00
5311db8564 XSS Quiz: Fix 404
The original URL was malformed because it contained a closing ) which did not end up in the link. However the corrected link performs a redirect to the link provided in this patch.
2020-05-25 09:08:09 +02:00
ae156a4a0f Function AC User: Spelling and grammar fixes. 2020-05-25 09:07:31 +02:00
9576c6b9da Function AC Lesson 1: Spelling and grammar fixes. 2020-05-25 09:07:31 +02:00
6c83457231 Function ac intro: Spelling and grammar update 2020-05-25 09:07:31 +02:00
060851a4a2 IDOR_intro.adoc: Fix 404
The closing ')' in the URL was not taken up in the link causing a 404 when clicking the URL.
2020-05-24 09:57:29 +02:00
671691a5ed XXE_changing_content_type.adoc: Typo fixes 2020-05-24 09:56:43 +02:00
f326755190 XXE_intro.adoc: Typo fixes 2020-05-24 09:56:43 +02:00
99edda6029 XXE_plan.adoc: Typo fixes 2020-05-24 09:56:43 +02:00
717f852680 InsecureLogin_intro.adoc: Typo fix 2020-05-24 09:56:43 +02:00
c42d6b15c3 SecurePasswordsAssignment: Fix output formatting
- When solving the solution (entering a correct password) the 'Score: 4/4' does not start on a new line; instead it is glued to the Estimated cracking time line. As a solution the </br> is added as a suffix on that line (and successive lines).
- Maximum score is 4, not 5 (see also the assignment, and https://github.com/nulab/zxcvbn4j/blob/master/src/main/java/com/nulabinc/zxcvbn/TimeEstimates.java#L23 which is the origin of getScore() )
2020-05-24 09:56:01 +02:00
dfa3242aeb Delete unused PasswordReset_password_reset_link.adoc
Not referenced in webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html, looks like a placeholder/dead code.
2020-05-24 09:39:18 +02:00
23762885fa PasswordReset_host_header.adoc: Typo fixes 2020-05-24 09:39:18 +02:00
60087e441d PasswordReset_SecurityQuestions.adoc: Typo fix. 2020-05-24 09:39:18 +02:00
2e8d0dd9b5 PasswordReset_plan.adoc: Spelling fixes 2020-05-24 09:38:25 +02:00
966d7a7aed JWT_refresh.adoc: Fix spelling issues 2020-05-24 09:37:47 +02:00
851fd9ae03 Only push to 1 Docker repo 2020-05-23 17:01:13 +02:00
637d393889 Update README.MD 2020-05-23 16:40:54 +02:00
2dad97bdcb Docker command without -d option to show output in console 2020-05-23 16:39:37 +02:00
90ea59cfca Remove Github pages, too many things to keep in sync.
Let's keep the focus on the OWASP page and the Github README
2020-05-23 16:30:42 +02:00
c695614fac Fix Docker link 2020-05-23 16:30:42 +02:00
304312018b Update README.MD 2020-05-23 16:22:23 +02:00
3a2bfc9c24 Cleanup readme 2020-05-23 16:19:22 +02:00
3d0f879c12 Remove dep status 2020-05-23 16:17:16 +02:00
211 changed files with 1845 additions and 1676 deletions

42
.github/workflows/main.yml vendored Normal file

@ -0,0 +1,42 @@
name: "CI/CD Pipeline"
on:
push:
branches: [ '*' ]
tags-ignore:
- '*'
jobs:
build:
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-latest, windows-latest, macos-latest]
java: [11, 15]
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v2
- name: Set up JDK ${{ matrix.java }}
uses: actions/setup-java@v1
with:
java-version: ${{ matrix.java }}
architecture: x64
- name: Cache Maven packages
uses: actions/cache@v2
with:
path: ~/.m2
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
restore-keys: ${{ runner.os }}-m2
- name: Build with Maven
run: mvn clean install
notify-slack:
if: github.event_name == 'push' && (success() || failure())
needs:
- build
runs-on: ubuntu-latest
steps:
- name: "Slack workflow notification"
uses: Gamesight/slack-workflow-status@master
with:
repo_token: ${{secrets.GITHUB_TOKEN}}
slack_webhook_url: ${{secrets.SLACK_WEBHOOK_URL}}
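Review bot: `uses: Gamesight/slack-workflow-status@master` in the notify-slack job pins a third-party action to a moving branch and hands it `secrets.GITHUB_TOKEN`, so whatever is pushed to that branch next runs here with the repository token. Pin it to a release tag or, better, a full commit SHA, and consider doing the same for `actions/checkout@v2`, `actions/setup-java@v1` and `actions/cache@v2`, which are at least tagged. Separately, `branches: [ '*' ]` fires the full three-OS, two-JDK matrix (six `mvn clean install` runs) on every push to every branch; if that is more than intended, narrow the branch filter or add a `paths` filter.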

48
.github/workflows/release.yml vendored Normal file

@ -0,0 +1,48 @@
name: "Release Pipeline"
on:
push:
tags:
- test* # replace with v*
jobs:
build:
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-latest, windows-latest, macos-latest]
java: [11, 15]
steps:
- uses: actions/checkout@v2
- name: Set up JDK ${{ matrix.java }}
uses: actions/setup-java@v1
with:
java-version: ${{ matrix.java }}
architecture: x64
- name: Cache Maven packages
uses: actions/cache@v2
with:
path: ~/.m2
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
restore-keys: ${{ runner.os }}-m2
- name: Build with Maven
run: mvn clean install -DskipTests
docker:
runs-on: ubuntu-latest
steps:
- name: "Get tag name"
id: tag
uses: dawidd6/action-get-tag@v1
- name: "Login to DockerHub"
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: "Build and push"
uses: docker/build-push-action@v2
with:
context: .
file: docker/Dockerfile
push: false
tags: |
webgoat/goatandwolf:${{ steps.tag.outputs.tag }}
build-args: |
webgoat_version=${{ steps.tag.outputs.tag }}
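Review bot: the `docker` job never checks out the repository but uses `context: .` with `file: docker/Dockerfile`; without an `actions/checkout@v2` step the workspace is empty and the build step cannot find the Dockerfile. The job also lacks `needs: build`, so it runs in parallel with the Maven matrix instead of after it, and `push: false` means the 'Release Pipeline' logs in to DockerHub and then publishes nothing. If the `test*` trigger and `push: false` are deliberate placeholders while the pipeline is tried out (the `# replace with v*` comment suggests so), say so in the commit message; otherwise add the checkout step, `needs: build` and `push: true`, and move the DockerHub login after the build so the credential is not loaded into jobs that will not push.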

1
.gitignore vendored

@ -53,3 +53,4 @@ webgoat.log
webgoat.properties
webgoat.script
TestClass.class
**/*.flattened-pom.xml


@ -1,2 +1,2 @@
distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.2.1/apache-maven-3.2.1-bin.zip
distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.2.5/apache-maven-3.2.5-bin.zip
wrapperUrl=https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.5/maven-wrapper-0.5.5.jar


@ -1,10 +1,17 @@
services:
- docker
language: java
os:
- linux
- osx
dist: xenial
jdk:
- openjdk11
- openjdk13
install: "/bin/true"
- openjdk15
addons:
firefox: latest
install:
- true
script:
- export BRANCH=$(if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then echo $TRAVIS_BRANCH;
else echo $TRAVIS_PULL_REQUEST_BRANCH; fi)
@ -26,20 +33,22 @@ before_deploy:
- ls $WEBGOAT_ARTIFACTS_FOLDER
deploy:
- provider: script
jdk: openjdk11
skip_cleanup: true
cleanup: false
script: bash scripts/deploy-webgoat.sh
on:
condition: $TRAVIS_OS_NAME == 'linux'
jdk: openjdk11
tags: true
- provider: releases
jdk: openjdk11
skip_cleanup: true
cleanup: false
overwrite: true
api_key:
token:
secure: pJOLBnl6427PcVg/tVy/qB18JC7b8cKpffau+IP0pjdSt7KUfBdBY3QuJ7mrM65zRoVILzggLckaew2PlRmYQRdumyWlyRn44XiJ9KO4n6Bsufbz+ictB4ggtozpp9+I9IIUh1TmqypL9lhkX2ONM9dSHmyblYpAAgMuYSK8FYc=
file_glob: true
file: "$WEBGOAT_ARTIFACTS_FOLDER/*"
on:
condition: $TRAVIS_OS_NAME == 'linux'
jdk: openjdk11
tags: true
env:
global:
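Review bot: `overwrite: true` on the `releases` provider lets a re-run of a tag build replace assets already attached to a published GitHub release, so a rebuilt jar can silently differ from what users downloaded earlier; drop it, or restrict the deploy to tags that have no release yet. The `skip_cleanup: true` to `cleanup: false` and `api_key` to `token` renames are the dpl v2 key names, so the commit message should mention the dpl version bump that motivates them; the `on:` blocks still repeat `jdk: openjdk11` both as a provider key and as a condition, and one of the two can go.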


@ -3,9 +3,9 @@
[![Build Status](https://travis-ci.org/WebGoat/WebGoat.svg?branch=develop)](https://travis-ci.org/WebGoat/WebGoat)
[![Coverage Status](https://coveralls.io/repos/WebGoat/WebGoat/badge.svg?branch=develop&service=github)](https://coveralls.io/github/WebGoat/WebGoat?branch=master)
[![Codacy Badge](https://api.codacy.com/project/badge/b69ee3a86e3b4afcaf993f210fccfb1d)](https://www.codacy.com/app/dm/WebGoat)
[![Dependency Status](https://www.versioneye.com/user/projects/562da95ae346d7000e0369aa/badge.svg?style=flat)](https://www.versioneye.com/user/projects/562da95ae346d7000e0369aa)
[![OWASP Labs](https://img.shields.io/badge/owasp-lab%20project-f7b73c.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Labs_Projects)
[![GitHub release](https://img.shields.io/github/release/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/releases/latest)
[![Gitter](https://badges.gitter.im/OWASPWebGoat/community.svg)](https://gitter.im/OWASPWebGoat/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)
# Introduction
@ -29,19 +29,7 @@ first thing that all hackers claim.*
# Installation Instructions:
## 1. Standalone
Download the latest WebGoat release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
```Shell
java -jar webgoat-server-8.0.0.VERSION.jar [--server.port=8080] [--server.address=localhost]
```
The latest version of WebGoat needs Java 11 or above. By default WebGoat starts on port 8080 with `--server.port` you can specify a different port. With `server.address` you
can bind it to a different address (default localhost)
## 2. Run using Docker
## 1. Run using Docker
Every release is also published on [DockerHub]((https://hub.docker.com/r/webgoat/webgoat-8.0/)).
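Review bot: the DockerHub link on the last context line, `[DockerHub]((https://hub.docker.com/r/webgoat/webgoat-8.0/))`, has doubled parentheses and renders with a stray `(` and `)` around the URL; it also points at the `webgoat/webgoat-8.0` image while the `docker run` command in the next hunk uses `webgoat/goatandwolf`. Since the section is being renumbered anyway, fix the link to a single pair of parentheses and to whichever image the release pipeline actually publishes.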
@ -50,7 +38,7 @@ Every release is also published on [DockerHub]((https://hub.docker.com/r/webgoat
The easiest way to start WebGoat as a Docker container is to use the all-in-one docker container. This is a docker image that has WebGoat and WebWolf running inside.
```shell
docker run -d -p 8080:8080 -p 9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf
docker run -p 8080:8080 -p 9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf
```
WebGoat will be located at: http://127.0.0.1:8080/WebGoat
@ -85,6 +73,25 @@ WebWolf will be located at: http://www.webwolf.local/WebWolf
**Important**: the current directory on your host will be mapped into the container for keeping state.
## 2. Standalone
Download the latest WebGoat and WebWolf release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
```Shell
java -jar webgoat-server-8.1.0.jar [--server.port=8080] [--server.address=localhost]
java -jar webwolf-8.1.0.jar [--server.port=9090] [--server.address=localhost]
```
The latest version of WebGoat needs Java 11 or above. By default WebGoat and WebWolf start on port 8080,9000 and 9090 with the environment variable WEBGOAT_PORT, WEBWOLF_PORT and WEBGOAT_HSQLPORT you can set different values.
```Shell
export WEBGOAT_PORT=18080
export WEBGOAT_HSQLPORT=19001
export WEBWOLF_PORT=19090
java -jar webgoat-server-8.1.0.jar
java -jar webwolf-8.1.0.jar
```
Use set in stead of export on Windows cmd.
## 3. Run from the sources
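Review bot: the new Standalone text lists the defaults as '8080,9000 and 9090' but names the variables in the order WEBGOAT_PORT, WEBWOLF_PORT and WEBGOAT_HSQLPORT, so a reader pairs WEBWOLF_PORT with 9000 and the HSQL port with 9090, the opposite of the example (WEBWOLF_PORT=19090, WEBGOAT_HSQLPORT=19001). Make the two lists line up, and confirm the HSQL default (the example's 19001 suggests 9001 rather than 9000). 'in stead' should be 'instead', and a comma is missing after 'Java 11 or above'. The `[--server.port=8080]` options in the java command are now a second way to set the port beside the environment variables; state which one wins when both are given.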
@ -123,20 +130,17 @@ To change IP address add the following variable to WebGoat/webgoat-container/src
server.address=x.x.x.x
```
# Building a new Docker image
## 4. Run with custom menu
NOTE: Travis will create a new Docker image automatically when making a new release.
For specialist only. There is a way to set up WebGoat with a personalized menu. You can leave out some menu categories or individual lessons by setting environment variables.
For instance running as a jar on a Linux/MacOS it will look like:
```Shell
cd WebGoat/
mvn install
cd webgoat-server
docker build -t webgoat/webgoat-8.0 .
docker tag webgoat/webgoat-8.0 webgoat/webgoat-8.0:8.0
docker login
docker push webgoat/webgoat-8.0
export EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE"
export EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations"
java -jar webgoat-server/target/webgoat-server-v8.2.0-SNAPSHOT.jar
```
Or in a docker run it would (once this version is pushed into docker hub) look like:
```Shell
docker run -d -p 80:8888 -p 8080:8080 -p 9090:9090 -e TZ=Europe/Amsterdam -e EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE" -e EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations" webgoat/goatandwolf
```
# Run Instructions:
Once installed connect to http://localhost:8080/WebGoat and http://localhost:9090/WebWolf
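Review bot: 'For specialist only' should read 'For specialists only', and `webgoat-server/target/webgoat-server-v8.2.0-SNAPSHOT.jar` is a source-build path while the rest of the page works from released jars; say that this example assumes a `mvn install` from the checkout. Removing the 'Building a new Docker image' section also removes the only statement of how release images are produced ('Travis will create a new Docker image automatically'); with the new release.yml still at `push: false`, the README should say where images come from now. The docker example maps `-p 80:8888`, which no other run command on the page uses; explain the 8888 port or drop the mapping.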


@ -1,14 +1,16 @@
FROM openjdk:11.0.1-jre-slim-stretch
ARG webgoat_version=v8.0.0-SNAPSHOT
ARG webgoat_version=v8.2.0-SNAPSHOT
ENV webgoat_version_env=${webgoat_version}
RUN apt-get update && apt-get install
RUN useradd --home-dir /home/webgoat --create-home -U webgoat
RUN cd /home/webgoat/;
RUN chgrp -R 0 /home/webgoat
RUN chmod -R g=u /home/webgoat
RUN apt-get -y install apt-utils nginx
USER webgoat
RUN cd /home/webgoat/; mkdir -p .webgoat-${webgoat_version}
COPY nginx.conf /etc/nginx/nginx.conf
COPY index.html /usr/share/nginx/html/
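Review bot: the base image `openjdk:11.0.1-jre-slim-stretch` is untouched here but pins a 2018 JRE on Debian stretch; since `webgoat_version` is being bumped anyway, move to a current 11.x tag so the published image does not carry long-fixed JRE and OS issues. `RUN apt-get update && apt-get install` still installs nothing and only adds a layer; fold the later `apt-get -y install apt-utils nginx` into it so the package index is fresh in the same layer, and add `--no-install-recommends` and an `rm -rf /var/lib/apt/lists/*` to keep the image small. The `chgrp -R 0` / `chmod -R g=u` pair is the usual OpenShift arbitrary-UID pattern; a comment naming that intent would save the next reader a trip to the commit log.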


@ -2,7 +2,7 @@
## Docker build
docker build --no-cache --build-arg webgoat_version=v8.0.0-SNAPSHOT -t webgoat/goatandwolf:latest .
docker build --no-cache --build-arg webgoat_version=v8.2.0-SNAPSHOT -t webgoat/goatandwolf:latest .
## Docker run


@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-parent</artifactId>
<version>v8.1.0</version>
<version>${revision}</version>
</parent>
<dependencies>


@ -3,10 +3,10 @@
cd /home/webgoat
service nginx start
sleep 1
java -Dfile.encoding=UTF-8 -jar webgoat.jar --webgoat.build.version=$1 --server.address=0.0.0.0 > webgoat.log &
java -Duser.home=/home/webgoat -Dfile.encoding=UTF-8 -jar webgoat.jar --webgoat.build.version=$1 --server.address=0.0.0.0 > webgoat.log &
sleep 10
java -Dfile.encoding=UTF-8 -jar webwolf.jar --webgoat.build.version=$1 --server.address=0.0.0.0 > webwolf.log &
java -Duser.home=/home/webgoat -Dfile.encoding=UTF-8 -jar webwolf.jar --webgoat.build.version=$1 --server.address=0.0.0.0 > webwolf.log &
tail -300f webgoat.log
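Review bot: `-Duser.home=/home/webgoat` on both java lines is what makes the arbitrary-UID change work (a UID with no passwd entry has no reliable home directory for the JVM to pick up), so put that in a comment in the script rather than only in the commit message. The larger issue is unchanged context: the container's lifetime is tied to `tail -300f webgoat.log`, not to the two java processes, so if webgoat.jar or webwolf.jar dies the container keeps running and looks healthy to the orchestrator, and the fixed `sleep 10` between them is a race on slow hosts. Prefer `wait` on the background PIDs, or run the last process in the foreground, so a crash ends the container and shows in its exit status. `$1` is also unquoted in `--webgoat.build.version=$1`.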


@ -2,285 +2,297 @@
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="description" content="WebGoat is a deliberately insecure application that allows interested developers just like you to test vulnerabilities
commonly found in Java-based applications that use common and popular open source components">
<meta name="author" content="WebGoat">
<title>WebGoat</title>
<!-- Bootstrap core CSS -->
<link href="vendor/bootstrap/css/bootstrap.min.css" rel="stylesheet">
<!-- Custom fonts for this template -->
<link href="vendor/font-awesome/css/font-awesome.min.css" rel="stylesheet" type="text/css">
<link href="https://fonts.googleapis.com/css?family=Montserrat:400,700" rel="stylesheet" type="text/css">
<link href="https://fonts.googleapis.com/css?family=Lato:400,700,400italic,700italic" rel="stylesheet" type="text/css">
<!-- Plugin CSS -->
<link href="vendor/magnific-popup/magnific-popup.css" rel="stylesheet" type="text/css">
<!-- Custom styles for this template -->
<link href="css/freelancer.min.css" rel="stylesheet">
<meta http-equiv="refresh" content="0;url=https://owasp.org/www-project-webgoat/" />
<link rel="canonical" href="https://owasp.org/www-project-webgoat/" />
</head>
<body id="page-top">
<!-- Navigation -->
<nav class="navbar navbar-expand-lg bg-secondary fixed-top text-uppercase" id="mainNav">
<div class="container">
<!-- Brand and toggle get grouped for better mobile display -->
<div class="navbar-header page-scroll">
<img class="img-responsive" src="img/profile.png" alt="">
</div>
</div>
</nav>
<!-- Header -->
<header class="masthead bg-primary text-white text-center">
<div class="container">
<div class="row">
<div class="col-lg-12">
<h2 class="text-center text-uppercase mb-5">Learn the hack - Stop the attack</h2>
</div>
</div>
<div class="row">
<div class="col-lg-8 mx-auto">
<p>WebGoat is a deliberately insecure application that allows interested developers just like you to test vulnerabilities
commonly found in Java-based applications that use common and popular open source components.</p>
</div>
<div class="col-lg-8 mx-auto">
<a href="https://github.com/WebGoat/WebGoat/releases" class="btn btn-xl btn-outline-light">
<i class="fa fa-download"></i> Download standalone
</a>
<a href="https://hub.docker.com/r/webgoat/webgoat-8.0/" class="btn btn-xl btn-outline-light">
<i class="fa fa-download"></i> Run using Docker
</a>
</div>
</div>
</div>
</header>
<!-- Portfolio Grid Section -->
<section class="portfolio" id="portfolio">
<div class="container">
<h3 class="text-center text-uppercase text-secondary mb-0">Learn in 3 steps</h3>
<hr class="star-dark mb-5">
<div class="row">
<div class="col-md-6 col-lg-4 text-center">
<a class="portfolio-item d-block mx-auto" href="#portfolio-modal-1">
<div class="portfolio-item-caption d-flex position-absolute h-100 w-100">
<div class="portfolio-item-caption-content my-auto w-100 text-center text-white">
<i class="fa fa-search-plus fa-3x"></i>
</div>
</div>
<img class="img-fluid" src="img/portfolio/teach.png" alt="">
</a>
</div>
<div class="col-md-6 col-lg-4 text-center">
<a class="portfolio-item d-block mx-auto" href="#portfolio-modal-2">
<div class="portfolio-item-caption d-flex position-absolute h-100 w-100">
<div class="portfolio-item-caption-content my-auto w-100 text-center text-white">
<i class="fa fa-search-plus fa-3x"></i>
</div>
</div>
<img class="img-fluid" src="img/portfolio/assignment.png" alt="">
</a>
</div>
<div class="col-md-6 col-lg-4 text-center" >
<a class="portfolio-item d-block mx-auto" href="#portfolio-modal-3">
<div class="portfolio-item-caption d-flex position-absolute h-100 w-100">
<div class="portfolio-item-caption-content my-auto w-100 text-center text-white">
<i class="fa fa-search-plus fa-3x"></i>
</div>
</div>
<img class="img-fluid" src="img/portfolio/mitigation.png" alt="">
</a>
</div>
</div>
</div>
</section>
<!-- Goals Section -->
<section class="bg-primary text-white mb-0" id="goals">
<div class="container">
<h3 class="text-center text-uppercase text-white">Goals</h3>
<hr class="star-light mb-5">
<div class="row">
<div class="col-lg-6 ml-auto">
<p class="lead">
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book
stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test
tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe
and legal environment.
</p>
</div>
<div class="col-lg-6 mr-auto">
<p class="lead">Even if your intentions are good, we believe you should never attempt to find vulnerabilities without
permission. The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security.
In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.
</p>
</div>
</div>
</div>
</section>
<!-- Contributing Section -->
<section class="portfolio" id="portfolio">
<div class="container">
<h3 class="text-center text-uppercase text-secondary mb-0">More information</h3>
<hr class="star-dark mb-5">
<div class="row">
<div class="col-lg-4 ml-auto">
<p class="lead">For more information about running WebGoat / FAQ see our <a href="https://github.com/WebGoat/WebGoat/wiki">wiki pages.</a>
</p>
</div>
<div class="col-lg-4 mr-auto">
<p class="lead">Interested in contributing to WebGoat, take a look at our <a href="https://github.com/WebGoat/WebGoat/issues">issues.</a> </p>
</div>
</div>
</div>
</section>
<!-- Footer -->
<footer class="footer text-center">
<div class="container">
<div class="row">
<div class="col-md-4 mb-5 mb-lg-0">
</div>
<div class="col-md-4 mb-5 mb-lg-0">
<h4 class="text-uppercase mb-4">Around the Web</h4>
<ul class="list-inline mb-0">
<li class="list-inline-item">
<a class="btn btn-outline-light btn-social text-center rounded-circle" href="mailto:webgoat@owasp.org">
<i class="fa fa-fw fa-at"></i>
</a>
</li>
<li class="list-inline-item">
<a class="btn btn-outline-light btn-social text-center rounded-circle" href="https://github.com/WebGoat">
<i class="fa fa-fw fa-github"></i>
</a>
</li>
<li class="list-inline-item">
<a class="btn btn-outline-light btn-social text-center rounded-circle" href="https://stackoverflow.com/search?q=webgoat">
<i class="fa fa-fw fa-stack-overflow"></i>
</a>
</li>
<li class="list-inline-item">
<a class="btn btn-outline-light btn-social text-center rounded-circle" href="https://twitter.com/OWASP_WebGoat">
<i class="fa fa-fw fa-twitter"></i>
</a>
</li>
<li class="list-inline-item">
<a class="btn btn-outline-light btn-social text-center rounded-circle" href="https://owasp.slack.com/messages/#project-webgoat/">
<i class="fa fa-fw fa-slack"></i>
</a>
</li>
</ul>
</div>
</div>
</div>
</footer>
<div class="copyright py-4 text-center text-white">
<div class="container">
<small>Team WebGoat 2019</small>
</div>
</div>
<!-- Scroll to Top Button (Only visible on small and extra-small screen sizes) -->
<div class="scroll-to-top d-lg-none position-fixed ">
<a class="js-scroll-trigger d-block text-center text-white rounded" href="#page-top">
<i class="fa fa-chevron-up"></i>
</a>
</div>
<!-- Explain modal -->
<div class="portfolio-modal mfp-hide" id="portfolio-modal-1">
<div class="portfolio-modal-dialog bg-white">
<a class="close-button d-none d-md-block portfolio-modal-dismiss" href="#">
<i class="fa fa-3x fa-times"></i>
</a>
<div class="container text-center">
<div class="row">
<div class="col-lg-8 mx-auto">
<h3 class="text-secondary text-uppercase mb-0">Explain the vulnerability</h3>
<hr class="star-dark mb-5">
<img class="img-fluid mb-5" src="img/portfolio/lesson.png" alt="">
<p class="mb-5">Teaching is now a first class citizen of WebGoat, we explain explain the vulnerability. Instead of 'just hacking' we now focus on explaining from the beginning what for example a SQL injection is.
</p>
<a class="btn btn-primary btn-lg rounded-pill portfolio-modal-dismiss" href="#">
<i class="fa fa-close"></i>
Close</a>
</div>
</div>
</div>
</div>
</div>
<!-- Assignment modal -->
<div class="portfolio-modal mfp-hide" id="portfolio-modal-2">
<div class="portfolio-modal-dialog bg-white">
<a class="close-button d-none d-md-block portfolio-modal-dismiss" href="#">
<i class="fa fa-3x fa-times"></i>
</a>
<div class="container text-center">
<div class="row">
<div class="col-lg-8 mx-auto">
<h3 class="text-secondary text-uppercase mb-0">Learn by doing</h3>
<hr class="star-dark mb-5">
<img class="img-fluid mb-5" src="img/portfolio/assignment-example.png" alt="">
<p class="mb-5">During the explanation of a vulnerability we build assignments which will help you understand how it works.</p>
<a class="btn btn-primary btn-lg rounded-pill portfolio-modal-dismiss" href="#">
<i class="fa fa-close"></i>
Close</a>
</div>
</div>
</div>
</div>
</div>
<!-- Mitigation modal -->
<div class="portfolio-modal mfp-hide" id="portfolio-modal-3">
<div class="portfolio-modal-dialog bg-white">
<a class="close-button d-none d-md-block portfolio-modal-dismiss" href="#">
<i class="fa fa-3x fa-times"></i>
</a>
<div class="container text-center">
<div class="row">
<div class="col-lg-8 mx-auto">
<h3 class="text-secondary text-uppercase mb-0">Explain mitigations</h3>
<hr class="star-dark mb-5">
<img class="img-fluid mb-5" src="img/portfolio/mitigation-example.png" alt="">
<p class="mb-5">At the end of each lesson you will receive an overview of possible mitigations which will help you during your development work.</p>
<a class="btn btn-primary btn-lg rounded-pill portfolio-modal-dismiss" href="#">
<i class="fa fa-close"></i>
Close</a>
</div>
</div>
</div>
</div>
</div>
<!-- Bootstrap core JavaScript -->
<script src="vendor/jquery/jquery.min.js"></script>
<script src="vendor/bootstrap/js/bootstrap.bundle.min.js"></script>
<!-- Plugin JavaScript -->
<script src="vendor/jquery-easing/jquery.easing.min.js"></script>
<script src="vendor/magnific-popup/jquery.magnific-popup.min.js"></script>
<!-- Custom scripts for this template -->
<script src="js/freelancer.min.js"></script>
<body>
<h1>
The page been moved to <a href="https://owasp.org/www-project-webgoat/">https://owasp.org/www-project-webgoat/</a>
</h1>
</body>
</html>
<!--<head>-->
<!-- <meta charset="utf-8">-->
<!-- <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">-->
<!-- <meta name="description" content="WebGoat is a deliberately insecure application that allows interested developers just like you to test vulnerabilities-->
<!-- commonly found in Java-based applications that use common and popular open source components">-->
<!-- <meta name="author" content="WebGoat">-->
<!-- <title>WebGoat</title>-->
<!-- &lt;!&ndash; Bootstrap core CSS &ndash;&gt;-->
<!-- <link href="vendor/bootstrap/css/bootstrap.min.css" rel="stylesheet">-->
<!-- &lt;!&ndash; Custom fonts for this template &ndash;&gt;-->
<!-- <link href="vendor/font-awesome/css/font-awesome.min.css" rel="stylesheet" type="text/css">-->
<!-- <link href="https://fonts.googleapis.com/css?family=Montserrat:400,700" rel="stylesheet" type="text/css">-->
<!-- <link href="https://fonts.googleapis.com/css?family=Lato:400,700,400italic,700italic" rel="stylesheet" type="text/css">-->
<!-- &lt;!&ndash; Plugin CSS &ndash;&gt;-->
<!-- <link href="vendor/magnific-popup/magnific-popup.css" rel="stylesheet" type="text/css">-->
<!-- &lt;!&ndash; Custom styles for this template &ndash;&gt;-->
<!-- <link href="css/freelancer.min.css" rel="stylesheet">-->
<!--</head>-->
<!--<body id="page-top">-->
<!-- &lt;!&ndash; Navigation &ndash;&gt;-->
<!-- <nav class="navbar navbar-expand-lg bg-secondary fixed-top text-uppercase" id="mainNav">-->
<!-- <div class="container">-->
<!-- &lt;!&ndash; Brand and toggle get grouped for better mobile display &ndash;&gt;-->
<!-- <div class="navbar-header page-scroll">-->
<!-- <img class="img-responsive" src="img/profile.png" alt="">-->
<!-- </div>-->
<!-- </div>-->
<!-- </nav>-->
<!-- &lt;!&ndash; Header &ndash;&gt;-->
<!-- <header class="masthead bg-primary text-white text-center">-->
<!-- <div class="container">-->
<!-- <div class="row">-->
<!-- <div class="col-lg-12">-->
<!-- <h2 class="text-center text-uppercase mb-5">Learn the hack - Stop the attack</h2>-->
<!-- -->
<!-- </div>-->
<!-- </div>-->
<!-- <div class="row">-->
<!-- <div class="col-lg-8 mx-auto">-->
<!-- <p>WebGoat is a deliberately insecure application that allows interested developers just like you to test vulnerabilities-->
<!-- commonly found in Java-based applications that use common and popular open source components.</p>-->
<!-- </div>-->
<!-- <div class="col-lg-8 mx-auto">-->
<!-- <a href="https://github.com/WebGoat/WebGoat/releases" class="btn btn-xl btn-outline-light">-->
<!-- <i class="fa fa-download"></i> Download standalone-->
<!-- </a>-->
<!-- <a href="https://hub.docker.com/r/webgoat/webgoat-8.0/" class="btn btn-xl btn-outline-light">-->
<!-- <i class="fa fa-download"></i> Run using Docker-->
<!-- </a>-->
<!-- </div>-->
<!-- </div>-->
<!-- </div>-->
<!-- </header>-->
<!-- &lt;!&ndash; Portfolio Grid Section &ndash;&gt;-->
<!-- <section class="portfolio" id="portfolio">-->
<!-- <div class="container">-->
<!-- <h3 class="text-center text-uppercase text-secondary mb-0">Learn in 3 steps</h3>-->
<!-- <hr class="star-dark mb-5">-->
<!-- <div class="row">-->
<!-- <div class="col-md-6 col-lg-4 text-center">-->
<!-- <a class="portfolio-item d-block mx-auto" href="#portfolio-modal-1">-->
<!-- <div class="portfolio-item-caption d-flex position-absolute h-100 w-100">-->
<!-- <div class="portfolio-item-caption-content my-auto w-100 text-center text-white">-->
<!-- <i class="fa fa-search-plus fa-3x"></i>-->
<!-- </div>-->
<!-- </div>-->
<!-- <img class="img-fluid" src="img/portfolio/teach.png" alt="">-->
<!-- </a>-->
<!-- </div>-->
<!-- <div class="col-md-6 col-lg-4 text-center">-->
<!-- <a class="portfolio-item d-block mx-auto" href="#portfolio-modal-2">-->
<!-- <div class="portfolio-item-caption d-flex position-absolute h-100 w-100">-->
<!-- <div class="portfolio-item-caption-content my-auto w-100 text-center text-white">-->
<!-- <i class="fa fa-search-plus fa-3x"></i>-->
<!-- </div>-->
<!-- </div>-->
<!-- <img class="img-fluid" src="img/portfolio/assignment.png" alt="">-->
<!-- </a>-->
<!-- </div>-->
<!-- <div class="col-md-6 col-lg-4 text-center" >-->
<!-- <a class="portfolio-item d-block mx-auto" href="#portfolio-modal-3">-->
<!-- <div class="portfolio-item-caption d-flex position-absolute h-100 w-100">-->
<!-- <div class="portfolio-item-caption-content my-auto w-100 text-center text-white">-->
<!-- <i class="fa fa-search-plus fa-3x"></i>-->
<!-- </div>-->
<!-- </div>-->
<!-- <img class="img-fluid" src="img/portfolio/mitigation.png" alt="">-->
<!-- </a>-->
<!-- </div>-->
<!-- </div>-->
<!-- </div>-->
<!-- </section>-->
<!-- &lt;!&ndash; Goals Section &ndash;&gt;-->
<!-- <section class="bg-primary text-white mb-0" id="goals">-->
<!-- <div class="container">-->
<!-- <h3 class="text-center text-uppercase text-white">Goals</h3>-->
<!-- <hr class="star-light mb-5">-->
<!-- <div class="row">-->
<!-- <div class="col-lg-6 ml-auto">-->
<!-- <p class="lead">-->
<!-- Web application security is difficult to learn and practice. Not many people have full blown web applications like online book -->
<!-- stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test -->
<!-- tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe -->
<!-- and legal environment.-->
<!-- -->
<!-- </p>-->
<!-- </div>-->
<!-- <div class="col-lg-6 mr-auto">-->
<!-- <p class="lead">Even if your intentions are good, we believe you should never attempt to find vulnerabilities without-->
<!-- permission. The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. -->
<!-- In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.-->
<!-- </p>-->
<!-- </div>-->
<!-- </div>-->
<!-- </div>-->
<!-- </section>-->
<!-- &lt;!&ndash; Contributing Section &ndash;&gt;-->
<!-- <section class="portfolio" id="portfolio">-->
<!-- <div class="container">-->
<!-- <h3 class="text-center text-uppercase text-secondary mb-0">More information</h3>-->
<!-- <hr class="star-dark mb-5">-->
<!-- <div class="row">-->
<!-- <div class="col-lg-4 ml-auto">-->
<!-- <p class="lead">For more information about running WebGoat / FAQ see our <a href="https://github.com/WebGoat/WebGoat/wiki">wiki pages.</a>-->
<!-- </p>-->
<!-- </div>-->
<!-- <div class="col-lg-4 mr-auto">-->
<!-- <p class="lead">Interested in contributing to WebGoat, take a look at our <a href="https://github.com/WebGoat/WebGoat/issues">issues.</a> </p>-->
<!-- </div>-->
<!-- </div>-->
<!-- </div>-->
<!-- </section>-->
<!-- -->
<!-- &lt;!&ndash; Footer &ndash;&gt;-->
<!-- <footer class="footer text-center">-->
<!-- <div class="container">-->
<!-- <div class="row">-->
<!-- <div class="col-md-4 mb-5 mb-lg-0">-->
<!-- </div>-->
<!-- <div class="col-md-4 mb-5 mb-lg-0">-->
<!-- <h4 class="text-uppercase mb-4">Around the Web</h4>-->
<!-- <ul class="list-inline mb-0">-->
<!-- <li class="list-inline-item">-->
<!-- <a class="btn btn-outline-light btn-social text-center rounded-circle" href="mailto:webgoat@owasp.org">-->
<!-- <i class="fa fa-fw fa-at"></i>-->
<!-- </a>-->
<!-- </li>-->
<!-- <li class="list-inline-item">-->
<!-- <a class="btn btn-outline-light btn-social text-center rounded-circle" href="https://github.com/WebGoat">-->
<!-- <i class="fa fa-fw fa-github"></i>-->
<!-- </a>-->
<!-- </li>-->
<!-- <li class="list-inline-item">-->
<!-- <a class="btn btn-outline-light btn-social text-center rounded-circle" href="https://stackoverflow.com/search?q=webgoat">-->
<!-- <i class="fa fa-fw fa-stack-overflow"></i>-->
<!-- </a>-->
<!-- </li>-->
<!-- <li class="list-inline-item">-->
<!-- <a class="btn btn-outline-light btn-social text-center rounded-circle" href="https://twitter.com/OWASP_WebGoat">-->
<!-- <i class="fa fa-fw fa-twitter"></i>-->
<!-- </a>-->
<!-- </li>-->
<!-- <li class="list-inline-item">-->
<!-- <a class="btn btn-outline-light btn-social text-center rounded-circle" href="https://owasp.slack.com/messages/#project-webgoat/">-->
<!-- <i class="fa fa-fw fa-slack"></i>-->
<!-- </a>-->
<!-- </li>-->
<!-- </ul>-->
<!-- </div>-->
<!-- </div>-->
<!-- </div>-->
<!-- </footer>-->
<!-- <div class="copyright py-4 text-center text-white">-->
<!-- <div class="container">-->
<!-- <small>Team WebGoat 2019</small>-->
<!-- </div>-->
<!-- </div>-->
<!-- &lt;!&ndash; Scroll to Top Button (Only visible on small and extra-small screen sizes) &ndash;&gt;-->
<!-- <div class="scroll-to-top d-lg-none position-fixed ">-->
<!-- <a class="js-scroll-trigger d-block text-center text-white rounded" href="#page-top">-->
<!-- <i class="fa fa-chevron-up"></i>-->
<!-- </a>-->
<!-- </div>-->
<!-- &lt;!&ndash; Explain modal &ndash;&gt;-->
<!-- <div class="portfolio-modal mfp-hide" id="portfolio-modal-1">-->
<!-- <div class="portfolio-modal-dialog bg-white">-->
<!-- <a class="close-button d-none d-md-block portfolio-modal-dismiss" href="#">-->
<!-- <i class="fa fa-3x fa-times"></i>-->
<!-- </a>-->
<!-- <div class="container text-center">-->
<!-- <div class="row">-->
<!-- <div class="col-lg-8 mx-auto">-->
<!-- <h3 class="text-secondary text-uppercase mb-0">Explain the vulnerability</h3>-->
<!-- <hr class="star-dark mb-5">-->
<!-- <img class="img-fluid mb-5" src="img/portfolio/lesson.png" alt="">-->
<!-- <p class="mb-5">Teaching is now a first class citizen of WebGoat, we explain explain the vulnerability. Instead of 'just hacking' we now focus on explaining from the beginning what for example a SQL injection is.-->
<!-- </p>-->
<!-- <a class="btn btn-primary btn-lg rounded-pill portfolio-modal-dismiss" href="#">-->
<!-- <i class="fa fa-close"></i>-->
<!-- Close</a>-->
<!-- </div>-->
<!-- </div>-->
<!-- </div>-->
<!-- </div>-->
<!-- </div>-->
<!-- &lt;!&ndash; Assignment modal &ndash;&gt;-->
<!-- <div class="portfolio-modal mfp-hide" id="portfolio-modal-2">-->
<!-- <div class="portfolio-modal-dialog bg-white">-->
<!-- <a class="close-button d-none d-md-block portfolio-modal-dismiss" href="#">-->
<!-- <i class="fa fa-3x fa-times"></i>-->
<!-- </a>-->
<!-- <div class="container text-center">-->
<!-- <div class="row">-->
<!-- <div class="col-lg-8 mx-auto">-->
<!-- <h3 class="text-secondary text-uppercase mb-0">Learn by doing</h3>-->
<!-- <hr class="star-dark mb-5">-->
<!-- <img class="img-fluid mb-5" src="img/portfolio/assignment-example.png" alt="">-->
<!-- <p class="mb-5">During the explanation of a vulnerability we build assignments which will help you understand how it works.</p>-->
<!-- <a class="btn btn-primary btn-lg rounded-pill portfolio-modal-dismiss" href="#">-->
<!-- <i class="fa fa-close"></i>-->
<!-- Close</a>-->
<!-- </div>-->
<!-- </div>-->
<!-- </div>-->
<!-- </div>-->
<!-- </div>-->
<!-- &lt;!&ndash; Mitigation modal &ndash;&gt;-->
<!-- <div class="portfolio-modal mfp-hide" id="portfolio-modal-3">-->
<!-- <div class="portfolio-modal-dialog bg-white">-->
<!-- <a class="close-button d-none d-md-block portfolio-modal-dismiss" href="#">-->
<!-- <i class="fa fa-3x fa-times"></i>-->
<!-- </a>-->
<!-- <div class="container text-center">-->
<!-- <div class="row">-->
<!-- <div class="col-lg-8 mx-auto">-->
<!-- <h3 class="text-secondary text-uppercase mb-0">Explain mitigations</h3>-->
<!-- <hr class="star-dark mb-5">-->
<!-- <img class="img-fluid mb-5" src="img/portfolio/mitigation-example.png" alt="">-->
<!-- <p class="mb-5">At the end of each lesson you will receive an overview of possible mitigations which will help you during your development work.</p>-->
<!-- <a class="btn btn-primary btn-lg rounded-pill portfolio-modal-dismiss" href="#">-->
<!-- <i class="fa fa-close"></i>-->
<!-- Close</a>-->
<!-- </div>-->
<!-- </div>-->
<!-- </div>-->
<!-- </div>-->
<!-- </div>-->
<!-- &lt;!&ndash; Bootstrap core JavaScript &ndash;&gt;-->
<!-- <script src="vendor/jquery/jquery.min.js"></script>-->
<!-- <script src="vendor/bootstrap/js/bootstrap.bundle.min.js"></script>-->
<!-- &lt;!&ndash; Plugin JavaScript &ndash;&gt;-->
<!-- <script src="vendor/jquery-easing/jquery.easing.min.js"></script>-->
<!-- <script src="vendor/magnific-popup/jquery.magnific-popup.min.js"></script>-->
<!-- &lt;!&ndash; Custom scripts for this template &ndash;&gt;-->
<!-- <script src="js/freelancer.min.js"></script>-->
<!--</body>-->
<!--</html>-->
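Review bot: the commented-out copy of the old page (from `<!--<head>-->` through `<!--</html>-->`) sits after the closing `</html>` and should be deleted outright rather than kept; git history preserves the old content, and a quarter-kilobyte of dead markup after the document end is confusing for anyone who opens the file. Since the file now exists only to forward visitors, a real redirect is better than a heading with a link: a minimal document whose `<head>` carries `<meta http-equiv="refresh" content="0; url=https://owasp.org/www-project-webgoat/">`, or a redirect rule on the host, and verify the result is a complete document (`<html>`, `<head>`, `<body>`) instead of a `<body>` following the old `<script>` tags. The heading text also drops a word: "The page has been moved to ...". If nothing references them any more, the `img/`, `css/`, `js/` and `vendor/` assets under `docs` can go in the same change.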

28
pom.xml
View File

@ -6,7 +6,7 @@
<groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-parent</artifactId>
<packaging>pom</packaging>
<version>v8.1.0</version>
<version>${revision}</version>
<name>WebGoat Parent Pom</name>
<description>Parent Pom for the WebGoat Project. A deliberately insecure Web Application</description>
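Review bot: `<version>${revision}</version>` uses Maven's CI-friendly versions, which need Maven 3.5.0 or newer to resolve the property in `<version>` and in child `<parent>` blocks; confirm the CI image and any Maven wrapper meet that minimum, otherwise the build fails at parent resolution. Keep in mind that the `v` prefix makes the version a non-numeric qualifier for Maven's version ordering, exactly as `v8.1.0` was, so version-range comparisons against this artifact stay unreliable.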
@ -15,13 +15,13 @@
<organization>
<name>OWASP</name>
<url>https://webgoat.github.io/</url>
<url>https://github.com/WebGoat/WebGoat/</url>
</organization>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.2.2.RELEASE</version>
<version>2.4.0</version>
</parent>
<licenses>
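Review bot: the jump from `spring-boot-starter-parent` 2.2.2.RELEASE to 2.4.0 crosses the 2.4 config-data rewrite (profile-specific files, `spring.profiles`, and `application.properties` import order behave differently; `spring.config.use-legacy-processing=true` restores the old behaviour while migrating) and, since 2.3, `spring-boot-starter-web` no longer pulls in Bean Validation. Both deserve a line in the commit message so the reason for the accompanying dependency changes is recorded.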
@ -127,7 +127,6 @@
<commons-lang3.version>3.4</commons-lang3.version>
<commons-io.version>2.6</commons-io.version>
<guava.version>18.0</guava.version>
<junit.version>4.12</junit.version>
<lombok.version>1.18.4</lombok.version>
<maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version>
<maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version>
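Review bot: removing `<junit.version>4.12</junit.version>` is only safe if no module still declares a JUnit 4 dependency or contains `org.junit.Test` tests; from Spring Boot 2.4 `spring-boot-starter-test` no longer ships `junit-vintage-engine`, so JUnit 4 tests are not found by Surefire and are skipped silently rather than failing. Grep for `org.junit.Test` and `junit:junit` across the modules, and either migrate the tests to JUnit 5 or add the vintage engine explicitly.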
@ -135,6 +134,7 @@
<maven-javadoc-plugin.version>3.1.1</maven-javadoc-plugin.version>
<maven-source-plugin.version>3.1.0</maven-source-plugin.version>
<maven-surefire-plugin.version>3.0.0-M4</maven-surefire-plugin.version>
<revision>v8.2.0-SNAPSHOT</revision>
</properties>
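Review bot: `<revision>v8.2.0-SNAPSHOT</revision>` is the default value only; document how release builds override it (for example `mvn -Drevision=v8.2.0 ...` from the CI tag) so a tagged build does not publish a SNAPSHOT-versioned artifact under a release tag.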
<modules>
@ -147,6 +147,10 @@
</modules>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-validation</artifactId>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
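Review bot: adding `spring-boot-starter-validation` here is required rather than optional, because `spring-boot-starter-web` stopped pulling in Hibernate Validator in Spring Boot 2.3; without it every `@Valid`/`@NotNull` on request bodies is silently ignored. A short comment on the dependency would stop the next cleanup from removing it as "unused".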
@ -166,6 +170,22 @@
<build>
<plugins>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>flatten-maven-plugin</artifactId>
<version>1.2.5</version>
<configuration>
</configuration>
<executions>
<execution>
<id>flatten</id>
<phase>process-resources</phase>
<goals>
<goal>flatten</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
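Review bot: the empty `<configuration></configuration>` on `flatten-maven-plugin` means the default flatten mode is used, which strips more from the installed POM than resolving `${revision}` needs. For CI-friendly versions set `<updatePomFile>true</updatePomFile>` and `<flattenMode>resolveCiFriendliesOnly</flattenMode>`, add a second execution bound to the `clean` phase with the `clean` goal so the generated `.flattened-pom.xml` is removed, and add `.flattened-pom.xml` to `.gitignore` so it is never committed.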

View File

@ -1,32 +1,6 @@
#!/usr/bin/env bash
docker login -u $DOCKER_USER -p $DOCKER_PASS
export REPO=webgoat/webgoat-8.0
cd webgoat-server
ls target/
if [ ! -z "${TRAVIS_TAG}" ]; then
# If we push a tag to master this will update the LATEST Docker image and tag with the version number
docker build --build-arg webgoat_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:latest -t $REPO:${TRAVIS_TAG} .
docker push $REPO
else
echo "Skipping releasing to DockerHub because it is a build of branch ${BRANCH}"
fi
export REPO=webgoat/webwolf
cd ..
cd webwolf
ls target/
if [ ! -z "${TRAVIS_TAG}" ]; then
# If we push a tag to master this will update the LATEST Docker image and tag with the version number
docker build --build-arg webwolf_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:latest -t $REPO:${TRAVIS_TAG} .
docker push $REPO
else
echo "Skipping releasing to DockerHub because it is a build of branch ${BRANCH}"
fi
export REPO=webgoat/goatandwolf
cd ..
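Review bot: `docker login -u $DOCKER_USER -p $DOCKER_PASS` passes the registry secret as a command-line argument, where it is visible in `ps` output and can land in CI logs; use `echo "$DOCKER_PASS" | docker login -u "$DOCKER_USER" --password-stdin` instead. With the tag-gated `docker build`/`docker push` blocks for `webgoat-server` and `webwolf` gone, also check whether the six lines that remain still need to log in at all; a login followed by nothing to push only widens the credential's exposure. Quote the expansions (`"${TRAVIS_TAG}"`, `"$REPO"`) if any of them survive.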

View File

@ -9,7 +9,7 @@
<parent>
<groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-parent</artifactId>
<version>v8.1.0</version>
<version>${revision}</version>
</parent>
<build>

View File

@ -5,7 +5,7 @@
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* Copyright (c) 2002 - 2014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
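Review bot: the `20014` to `2014` fix is correct (it is repeated identically across the other license headers in this commit); while these headers are being touched, `http://www.owasp.org/` could become `https://www.owasp.org/` in the same pass so the next sweep does not have to revisit every file.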

View File

@ -4,7 +4,7 @@
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* Copyright (c) 2002 - 2014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the

View File

@ -18,7 +18,7 @@ import javax.servlet.http.HttpServletResponse;
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* Copyright (c) 2002 - 2014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software

View File

@ -5,7 +5,7 @@
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* Copyright (c) 2002 - 2014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the

View File

@ -5,7 +5,7 @@
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* Copyright (c) 2002 - 2014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the

View File

@ -5,7 +5,7 @@
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* Copyright (c) 2002 - 2014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the

View File

@ -3,7 +3,7 @@
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* Copyright (c) 2002 - 2014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the

View File

@ -34,8 +34,6 @@ import org.springframework.beans.factory.annotation.Autowired;
public abstract class AssignmentEndpoint {
@Autowired
private UserTrackerRepository userTrackerRepository;
@Autowired
private WebSession webSession;
@Autowired
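Review bot: removing `private WebSession webSession;` from the abstract `AssignmentEndpoint` changes the contract for every lesson endpoint that extends it in the lesson modules; confirm that any accessor exposing it (a `getWebSession()` or direct field use in subclasses) is removed or replaced with a per-lesson injection, otherwise the container compiles but the lesson modules break. A full reactor build, not just `webgoat-container`, should gate this.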

View File

@ -5,7 +5,7 @@
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* Copyright (c) 2002 - 2014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the

View File

@ -5,7 +5,7 @@
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
* Copyright (c) 2002 - 2014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the

View File

@ -11,7 +11,7 @@ import java.util.List;
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* Copyright (c) 2002 - 2014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the

View File

@ -9,7 +9,7 @@ import lombok.Getter;
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* Copyright (c) 2002 - 2014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software

View File

@ -4,7 +4,7 @@
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
* Copyright (c) 2002 - 2014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the

View File

@ -5,7 +5,7 @@
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* Copyright (c) 2002 - 2014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software

View File

@ -4,7 +4,7 @@
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
* Copyright (c) 2002 - 2014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the

View File

@ -5,7 +5,7 @@
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* Copyright (c) 2002 - 2014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software

View File

@ -5,7 +5,7 @@
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* Copyright (c) 2002 - 2014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software

View File

@ -5,7 +5,7 @@
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* Copyright (c) 2002 - 2014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
@ -40,6 +40,7 @@ import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.users.LessonTracker;
import org.owasp.webgoat.users.UserTracker;
import org.owasp.webgoat.users.UserTrackerRepository;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
@ -65,6 +66,12 @@ public class LessonMenuService {
private final WebSession webSession;
private UserTrackerRepository userTrackerRepository;
@Value("#{'${exclude.categories}'.split(',')}")
private List<String> excludeCategories;
@Value("#{'${exclude.lessons}'.split(',')}")
private List<String> excludeLessons;
/**
* Returns the lesson menu which is used to build the left nav
*
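Review bot: `@Value("#{'${exclude.categories}'.split(',')}")` splits with SpEL and never trims, so `EXCLUDE_CATEGORIES="INJECTION, CLIENT_SIDE"` yields `" CLIENT_SIDE"` and the second category is not excluded; it also needs a non-empty placeholder to avoid an empty string. Spring's own conversion handles both: `@Value("${exclude.categories:}") private List<String> excludeCategories;` splits on commas, trims each element, and gives an empty list when the property is unset, which removes the need for the `none,none` default. The same applies to `exclude.lessons`.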
@ -79,6 +86,9 @@ public class LessonMenuService {
UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
for (Category category : categories) {
if (excludeCategories.contains(category.name())) {
continue;
}
LessonMenuItem categoryItem = new LessonMenuItem();
categoryItem.setName(category.getName());
categoryItem.setType(LessonMenuItemType.CATEGORY);
@ -86,6 +96,9 @@ public class LessonMenuService {
List<Lesson> lessons = course.getLessons(category);
lessons = lessons.stream().sorted(Comparator.comparing(l -> l.getTitle())).collect(Collectors.toList());
for (Lesson lesson : lessons) {
if (excludeLessons.contains(lesson.getName())) {
continue;
}
LessonMenuItem lessonItem = new LessonMenuItem();
lessonItem.setName(lesson.getTitle());
lessonItem.setLink(lesson.getLink());
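Review bot: `if (excludeLessons.contains(lesson.getName())) continue;` hides a lesson from the left navigation but does not unmap its assignment endpoints, so an excluded lesson is still reachable by URL; if the feature is meant to keep lessons out of a deployment (for example a CTF), say so in the properties documentation, or enforce it where requests are dispatched as well. Also confirm that `lesson.getName()` returns the lesson class name, since that is what the properties comment tells operators to configure.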

View File

@ -5,7 +5,7 @@
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* Copyright (c) 2002 - 2014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software

View File

@ -2,7 +2,7 @@
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* Copyright (c) 2002 - 2014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the

View File

@ -15,7 +15,7 @@ import static java.util.stream.Collectors.toList;
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* Copyright (c) 2002 - 2014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the

View File

@ -15,7 +15,7 @@ import java.sql.SQLException;
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see
* http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* Copyright (c) 2002 - 2014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public
* License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later

View File

@ -17,7 +17,7 @@ import java.util.stream.Collectors;
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* Copyright (c) 2002 - 2014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the

View File

@ -8,6 +8,7 @@ import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;
import java.util.stream.Collectors;
@ -45,6 +46,15 @@ public class Scoreboard {
UserTracker userTracker = userTrackerRepository.findByUser(user.getUsername());
rankings.add(new Ranking(user.getUsername(), challengesSolved(userTracker)));
}
/* sort on number of captured flags to present an ordered ranking */
rankings.sort(new Comparator<Ranking>() {
@Override
public int compare(Ranking o1, Ranking o2) {
return o2.getFlagsCaptured().size() - o1.getFlagsCaptured().size();
}
});
return rankings;
}
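Review bot: the anonymous `Comparator<Ranking>` with `o2.getFlagsCaptured().size() - o1.getFlagsCaptured().size()` works for these small counts but is the overflow-prone subtraction idiom; `rankings.sort(Comparator.comparingInt((Ranking r) -> r.getFlagsCaptured().size()).reversed());` says the same thing without it. Add a secondary key (username, if a getter exists) so users with equal flag counts appear in a stable order across refreshes.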

View File

@ -20,7 +20,7 @@ import java.util.stream.Collectors;
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* Copyright (c) 2002 - 2014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the

View File

@ -50,3 +50,9 @@ spring.jackson.serialization.write-dates-as-timestamps=false
#For static file refresh ... and faster dev :D
spring.devtools.restart.additional-paths=webgoat-container/src/main/resources/static/js,webgoat-container/src/main/resources/static/css
exclude.categories=${EXCLUDE_CATEGORIES:none,none}
#exclude based on the enum of the Category
exclude.lessons=${EXCLUDE_LESSONS:none,none}
#exclude based on the class name of a lesson e.g.: LessonTemplate
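Review bot: the two `#exclude based on ...` comments sit below the properties they describe, so a reader takes each comment as belonging to the next line; move each comment above its property. The `none,none` default is only there because of the SpEL `split(',')` on the consuming side; if the injection is switched to Spring's comma-list conversion the default can be empty (`${EXCLUDE_CATEGORIES:}`), which is less surprising to operators.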

View File

@ -104,24 +104,15 @@ img {
font-weight: 700;
}
#header .toggle-navigation button:hover,
#header .toggle-navigation button:active,
#header button#toggle-mail:hover,
#header button#toggle-mail:active {
background: #e84c3d;
}
#header .toggle-navigation button:hover i,
#header button#toggle-mail:hover i {
color: #F6F6F6;
}
#header .toggle-navigation.toggle-left {
margin-top: 5px;
margin-left: 20px;
display: inline-block;
}
#header .btn-default {
padding: 3px 9px;
background: #F6F6F6;
@ -157,7 +148,7 @@ img {
#header #lesson-title-wrapper {
display: inline-block;
margin: 0 0 0 20px;
margin: 0 0 0 30px;
}
#header .pull-right {
@ -212,14 +203,6 @@ img {
font-family: 'Source Sans Pro', Arial, sans-serif;
}
.main-content-toggle-left {
margin-left: 0;
}
.main-content-toggle-right {
margin-right: 240px;
}
/*==========================================================================
lesson content / wrapper
========================================================================= */
@ -797,27 +780,10 @@ fieldset[disabled] .btn-warning.active {
padding-left: 0;
}
#header .toggle-navigation.toggle-left {
float: left;
}
.sidebar {
margin-left: -240px;
}
.sidebar-toggle {
margin-left: 0;
width: 100%;
}
.main-content-wrapper {
margin-left: 0;
}
.main-content-toggle-left {
margin-left: 660px;
}
.sidebarRight {
top: 160px;
width: 100%;
@ -931,10 +897,6 @@ cookie-container {
overflow-x: hidden;
}
.sidebar-toggle {
margin-left: -240px;
}
#menu-container ul,
#menu-container ul ul {
margin: -2px 0 0;
@ -1060,10 +1022,9 @@ cookie-container {
display: inline-block;
background-color: #555;
border-radius: 8px;
min-width: 20px;
min-width: 25px;
text-align: center;
font-weight: bold;
padding-top: 2px;
}
.attack-link.solved-false {
@ -1094,21 +1055,14 @@ cookie-container {
margin: 3px;
}
@keyframes blink {
50% {
border-color: white;
}
}
.cur-page {
animation: blink 1.5s 2 forwards;
border: 3px solid blue;
color: #aaa;
background-color: lightsalmon;
border: 3px solid #000;
color:#aaa;
}
span.show-next-page, span.show-prev-page {
font-size: 1.3em;
font-size: 1.1em;
align-content: space-evenly;
}
.show-prev-page {
@ -1119,6 +1073,10 @@ span.show-next-page, span.show-prev-page {
cursor: pointer;
}
.no-underline:hover {
text-decoration: none;
}
/* attack ... */
.attack-feedback {
@ -1227,7 +1185,7 @@ div.scoreboard-username {
color: aliceblue;
padding: 4px;
padding-left: 8px;
font-size: x-large;
font-size: medium;
border-radius: 6px;
}
@ -1245,7 +1203,7 @@ div.captured-flag {
background-color: #444;
color: white;
padding: 4px;
font-size: x-large;
font-size: medium;
display: inline-block;
}
@ -1258,13 +1216,6 @@ div.captured-flag {
color: red
}
.appseceu-banner {
background: url('img/owasp_logo.jpg') no-repeat 0px 0px;
height: 117px;
width: 1268px;
margin-bottom: 20px;
}
#content {
position: relative;
}

View File

@ -3,8 +3,6 @@ var app = function() {
var init = function() {
tooltips();
toggleMenuLeft();
toggleMenuRight();
// menu is handled by angular
//menu();
togglePanel();
@ -28,38 +26,6 @@ var app = function() {
};
var toggleMenuLeft = function() {
$('#toggle-left').bind('click', function(e) {
if (!$('.sidebarRight').hasClass('.sidebar-toggle-right')) {
$('.sidebarRight').removeClass('sidebar-toggle-right');
$('.main-content-wrapper').removeClass('main-content-toggle-right');
}
$('.sidebar').toggleClass('sidebar-toggle');
$('.main-content-wrapper').toggleClass('main-content-toggle-left');
e.stopPropagation();
});
};
var toggleMenuRight = function() {
$('#toggle-right').bind('click', function(e) {
if (!$('.sidebar').hasClass('.sidebar-toggle')) {
$('.sidebar').addClass('sidebar-toggle');
$('.main-content-wrapper').addClass('main-content-toggle-left');
}
$('.sidebarRight').toggleClass('sidebar-toggle-right animated bounceInRight');
$('.main-content-wrapper').toggleClass('main-content-toggle-right');
if ( $(window).width() < 660 ) {
$('.sidebar').removeClass('sidebar-toggle');
$('.main-content-wrapper').removeClass('main-content-toggle-left main-content-toggle-right');
};
e.stopPropagation();
});
};
var closePanel = function() {
$('.actions > .fa-times').click(function() {
$(this).parent().parent().parent().fadeOut();
@ -67,17 +33,6 @@ var app = function() {
}
/*
var menu = function() {
$("#leftside-navigation .sub-menu a").click(function(e) {
$("#leftside-navigation ul ul").slideUp();
if (!$(this).next().is(":visible")) {
$(this).next().slideDown();
}
e.stopPropagation();
});
};
*/
//End functions
//Dashboard functions

View File

@ -1,9 +1,9 @@
<div>
<div class="page-nav-wrapper"><span class="glyphicon-class glyphicon glyphicon-circle-arrow-left show-prev-page"></span></div>
<div class="page-link-wrapper">
<span class="glyphicon-class glyphicon glyphicon-circle-arrow-left show-prev-page"></span>
<% var baseUrl = overview.baseUrl; %>
<% _.each(overview.pages, function(page,index) { %>
<a href="<%=overview.baseUrl%>/<%=index%>" alt="Page <%=index++ %>">
<a href="<%=overview.baseUrl%>/<%=index%>" alt="Page <%=index++ %>" class="no-underline">
<% if (page.content === 'assignment') { %>
<div class="<%=page.pageClass%> <%=page.solvedClass%> <%=page.curPageClass%>"><%=index++%></div>
<% } else { %>
@ -11,6 +11,6 @@
<% } %>
</a>
<% }); %>
<span class="glyphicon-class glyphicon glyphicon-circle-arrow-right show-next-page"></span>
</div>
<div class="page-nav-wrapper"><span class="glyphicon-class glyphicon glyphicon-circle-arrow-right show-next-page"></span></div>
</div>
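Review bot: the `<a href="<%=overview.baseUrl%>/<%=index%>" alt="Page <%=index++ %>" class="no-underline">` line is being edited anyway, so two latent problems in it should go at the same time: `alt` is not a valid attribute on `<a>` (use `title` or `aria-label`), and the `index++` inside the attribute is a side effect on the loop variable that is what makes the following `<%=index++%>` render 1-based; write `<%= index + 1 %>` in both places instead of relying on evaluation order. The `<% var baseUrl = overview.baseUrl; %>` declaration is also unused, since the `href` reads `overview.baseUrl` directly.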

View File

@ -1,9 +1,7 @@
<div class="scoreboard-title">WebGoat Challenge</div>
<div class="appseceu-banner"></div>
<table class="scoreboard-table">
<% _.each(rankings, function(userRanking, index) { %>
<tr>
<th class="username"> <div class="scoreboard-username"><%= index%> <%=userRanking.username %> </div></th>
<th class="username"> <div class="scoreboard-username"><%= index+1%> - <%=userRanking.username %> </div></th>
<td class="user-flags"> <% _.each(userRanking.flagsCaptured, function(flag) { %>
<div class="captured-flag">
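Review bot: `<%= index+1%> - <%=userRanking.username %>` interpolates the username unescaped; underscore's `<%= %>` does not HTML-encode, so a username containing markup is rendered as-is into every user's scoreboard. Unless the scoreboard is deliberately part of a lesson, use `<%- userRanking.username %>` here. Also `<th class="username">` is used for a data cell inside the ranking rows; `<td>` is the right element for it.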

View File

@ -22,18 +22,7 @@ function($,_,Backbone) {
$('#show-hints-button').hide();
},
render:function(title) {
$('#show-source-button').hide();
$('#show-solution-button').hide();
$('#show-plan-button').hide();
if (this.hasSource) {
this.$el.find('#show-source-button').unbind().on('click',_.bind(this.showSource,this)).show();
}
if (this.hasSolution) {
this.$el.find('#show-solution-button').unbind().on('click',_.bind(this.showSolution,this)).show();
}
render:function() {
this.$el.find('#restart-lesson-button').unbind().on('click',_.bind(this.restartLesson,this)).show();
},

View File

@ -108,7 +108,9 @@ define(['jquery',
},
onLessonClick: function (elementId) {
if (this.curLessonLinkId) {
$('#'+this.curLessonLinkId).removeClass('selected').parent().removeClass('selected');
}
//update
$('#'+elementId).addClass('selected').parent().addClass('selected');
this.curLessonLinkId = elementId;

View File

@ -13,8 +13,6 @@
<div class="brand">
<a th:href="@{/start.mvc}" class="logo"><span>Web</span>Goat</a>
</div>
<div class="toggle-navigation toggle-left">
</div>
<div class="lessonTitle">
</div>

View File

@ -37,12 +37,6 @@
<a th:href="@{/welcome.mvc}" class="logo"><span>Web</span>Goat</a>
</div>
<!--logo end-->
<div class="toggle-navigation toggle-left">
<button type="button" class="btn btn-default" id="toggle-menu" data-toggle="tooltip" data-placement="right"
title="Toggle Navigation">
<i class="fa fa-bars"></i>
</button>
</div><!--toggle navigation end-->
<div id="lesson-title-wrapper">
</div><!--lesson title end-->
@ -109,14 +103,10 @@
<!--main content start-->
<section class="main-content-wrapper">
<section id="main-content"> <!--ng-controller="goatLesson"-->
<section id="main-content">
<div id="lesson-page" class="pages">
<div class="row">
<div class="col-md-8">
<!--<div class="col-md-12" align="left">-->
<!---->
<!--&lt;!&ndash; hints moved into lesson template &ndash;&gt;-->
<!--</div>-->
<div class="col-md-12" align="left">
<div id="lesson-content-wrapper" class="panel">
<div class="" id="error-notification-container">
@ -126,10 +116,6 @@
</div>
</div>
<div class="" id="help-controls">
<button class="btn btn-primary btn-xs btn-danger help-button"
id="show-source-button">
<i class="fa fa-code"></i>
</button>
<button class="btn btn-primary btn-xs btn-danger help-button"
id="show-hints-button" th:text="#{show.hints}">Show hints
</button>

View File

@ -13,8 +13,6 @@
<div class="brand">
<a th:href="@{/start.mvc}" class="logo"><span>Web</span>Goat</a>
</div>
<div class="toggle-navigation toggle-left">
</div>
<div class="lessonTitle">
</div>

View File

@ -7,14 +7,6 @@
<meta http-equiv="Cache-Control" CONTENT="no-cache"/>
<meta http-equiv="Cache-Control" CONTENT="no-store"/>
<!--[if lt IE 7]>
<id class="no-js lt-ie9 lt-ie8 lt-ie7"/> <![endif]-->
<!--[if IE 7]>
<id class="no-js lt-ie9 lt-ie8"/> <![endif]-->
<!--[if IE 8]>
<id class="no-js lt-ie9"/> <![endif]-->
<!--[if gt IE 8]><!-->
<!-- CSS -->
<link rel="shortcut icon" th:href="@{/images/favicon.ico}" type="image/x-icon"/>
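Review bot: after removing the `lt IE 7`, `IE 7` and `IE 8` conditional comments, the `<!--[if gt IE 8]><!-->` opener is left standing on its own; check that its matching `<!--<![endif]-->` closer is still present further down in the file (or remove this opener as well), otherwise the markup between them is unbalanced.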
@ -28,13 +20,35 @@
<meta http-equiv="Content-Type" content="text/id; charset=ISO-8859-1"/>
<title>WebGoat</title>
</head>
<body class="scoreboard-page">
<!-- <body class="scoreboard-page"> -->
<body>
<header id="header">
<!--logo start-->
<div class="brand">
<a th:href="@{/welcome.mvc}" class="logo"><span>Web</span>Goat</a>
</div>
<!--logo end-->
<div id="lesson-title-wrapper">
<h1 id="lesson-title">WebGoat challenges ranking</h1>
</div><!--lesson title end-->
<div class="user-nav pull-right" id="user-and-info-nav" style="margin-right: 75px;">
</div>
</header>
<section id="container">
<!--main content start-->
<section class="main-content-wrapper">
<section id="main-content">
<div id="scoreboard-wrapper">
<div id="scoreboard">
<!-- will use _ template here -->
</div>
</div>
</section>
</section>
</section>
</body>
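Review bot: replacing `<body class="scoreboard-page">` with `<!-- <body class="scoreboard-page"> -->` plus a bare `<body>` leaves commented-out markup in the template; delete the line rather than commenting it out. In the context just above, `content="text/id; charset=ISO-8859-1"` is not a valid media type as shown (`text/html` is expected), and `ISO-8859-1` is an odd choice for a page that renders user-supplied usernames; worth correcting while this file is touched. The inline `style="margin-right: 75px;"` on `#user-and-info-nav` belongs in the stylesheet with the other scoreboard layout rules.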

View File

@ -23,7 +23,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* Copyright (c) 2002 - 2014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
@ -53,12 +53,6 @@ public class LabelServiceTest {
@Autowired
public MockMvc mockMvc;
@MockBean
private Course course;
@MockBean
private UserService userService;
@MockBean
private LessonTrackerInterceptor interceptor;
@Test
@WithMockUser(username = "guest", password = "guest")

View File

@ -47,6 +47,8 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
import java.util.Arrays;
@RunWith(MockitoJUnitRunner.class)
public class LessonMenuServiceTest {
@ -64,7 +66,7 @@ public class LessonMenuServiceTest {
@Before
public void setup() {
this.mockMvc = standaloneSetup(new LessonMenuService(course, webSession, userTrackerRepository)).build();
this.mockMvc = standaloneSetup(new LessonMenuService(course, webSession, userTrackerRepository, Arrays.asList("none"), Arrays.asList("none"))).build();
}
@Test
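Review bot: `new LessonMenuService(course, webSession, userTrackerRepository, Arrays.asList("none"), Arrays.asList("none"))` passes two identical `"none"` lists without saying what they configure; give them named constants or a comment (which categories or lessons they include or exclude) so the test documents the new constructor contract, and consider a test that a menu built with non-trivial values actually filters as intended.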

View File

@ -30,7 +30,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* Copyright (c) 2002 - 2014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the

View File

@ -5,7 +5,7 @@ package org.owasp.webgoat.session;
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* Copyright (c) 2002 - 2014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the

View File

@ -18,7 +18,7 @@ import static org.mockito.Mockito.when;
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* Copyright (c) 2002 - 2014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the

View File

@ -6,10 +6,21 @@
<parent>
<groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-parent</artifactId>
<version>v8.1.0</version>
<version>${revision}</version>
</parent>
<dependencies>
<dependency>
<groupId>org.seleniumhq.selenium</groupId>
<artifactId>selenium-java</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>io.github.bonigarcia</groupId>
<artifactId>webdrivermanager</artifactId>
<version>4.2.2</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-server</artifactId>
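Review bot: `selenium-java` is declared without a version, so it relies on the parent's dependency management; confirm the parent (now referenced as `${revision}`) actually manages it, otherwise resolution fails. `webdrivermanager` 4.2.2 downloads the geckodriver binary from the network at test time (the `SeleniumTest` static block already swallows the resulting 403s), which makes the suite depend on outbound access and on an unpinned driver download; pin the driver version in WebDriverManager's configuration or cache the binary in CI so the test run is reproducible.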

View File

@ -1,8 +1,15 @@
package org.owasp.webgoat;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.DynamicTest.dynamicTest;
import io.restassured.RestAssured;
import io.restassured.http.ContentType;
import lombok.Data;
import lombok.SneakyThrows;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.DynamicTest;
import org.junit.jupiter.api.TestFactory;
import org.owasp.webgoat.lessons.Assignment;
import java.io.IOException;
import java.nio.file.Files;
@ -12,14 +19,9 @@ import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.DynamicTest;
import org.junit.jupiter.api.TestFactory;
import io.restassured.RestAssured;
import io.restassured.http.ContentType;
import lombok.SneakyThrows;
import static org.assertj.core.api.Assertions.assertThat;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.DynamicTest.dynamicTest;
public class CSRFTest extends IntegrationTest {
@ -65,10 +67,10 @@ public class CSRFTest extends IntegrationTest {
@TestFactory
Iterable<DynamicTest> testCSRFLesson() {
return Arrays.asList(
dynamicTest("assignement 3",()-> checkAssignment3(callTrickHtml("csrf3.html"))),
dynamicTest("assignement 4",()-> checkAssignment4(callTrickHtml("csrf4.html"))),
dynamicTest("assignement 7",()-> checkAssignment7(callTrickHtml("csrf7.html"))),
dynamicTest("assignement 8",()-> checkAssignment8(callTrickHtml("csrf8.html")))
dynamicTest("assignement 3", () -> checkAssignment3(callTrickHtml("csrf3.html"))),
dynamicTest("assignement 4", () -> checkAssignment4(callTrickHtml("csrf4.html"))),
dynamicTest("assignement 7", () -> checkAssignment7(callTrickHtml("csrf7.html"))),
dynamicTest("assignement 8", () -> checkAssignment8(callTrickHtml("csrf8.html")))
);
}
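Review bot: the `dynamicTest("assignement 3", ...)` names keep the misspelling "assignement" across all four reformatted lines; since these lines are already being rewritten for spacing, rename them to "assignment 3" and so on so the test report reads correctly.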
@ -84,8 +86,8 @@ public class CSRFTest extends IntegrationTest {
//remove any left over html
Path webWolfFilePath = Paths.get(webwolfFileDir);
if (webWolfFilePath.resolve(Paths.get(getWebgoatUser(),htmlName)).toFile().exists()) {
Files.delete(webWolfFilePath.resolve(Paths.get(getWebgoatUser(),htmlName)));
if (webWolfFilePath.resolve(Paths.get(getWebgoatUser(), htmlName)).toFile().exists()) {
Files.delete(webWolfFilePath.resolve(Paths.get(getWebgoatUser(), htmlName)));
}
//upload trick html
@ -105,10 +107,10 @@ public class CSRFTest extends IntegrationTest {
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.get(webWolfUrl("/files/"+getWebgoatUser()+"/"+htmlName))
.get(webWolfUrl("/files/" + getWebgoatUser() + "/" + htmlName))
.then()
.extract().response().getBody().asString();
result = result.substring(8+result.indexOf("action=\""));
result = result.substring(8 + result.indexOf("action=\""));
result = result.substring(0, result.indexOf("\""));
return result;
@ -164,11 +166,11 @@ public class CSRFTest extends IntegrationTest {
.cookie("JSESSIONID", getWebGoatCookie())
.header("Referer", webWolfUrl("/files/fake.html"))
.contentType(ContentType.TEXT)
.body("{\"name\":\"WebGoat\",\"email\":\"webgoat@webgoat.org\",\"content\":\"WebGoat is the best!!"+ "=\"}")
.body("{\"name\":\"WebGoat\",\"email\":\"webgoat@webgoat.org\",\"content\":\"WebGoat is the best!!" + "=\"}")
.post(goatURL)
.then()
.extract().asString();
flag = flag.substring(9+flag.indexOf("flag is:"));
flag = flag.substring(9 + flag.indexOf("flag is:"));
flag = flag.substring(0, flag.indexOf("\""));
params.clear();
@ -184,8 +186,8 @@ public class CSRFTest extends IntegrationTest {
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("username", "csrf-"+getWebgoatUser());
params.put("password","password");
params.put("username", "csrf-" + getWebgoatUser());
params.put("password", "password");
//login and get the new cookie
String newCookie = RestAssured.given()
@ -217,9 +219,28 @@ public class CSRFTest extends IntegrationTest {
.statusCode(200)
.extract().path("lessonCompleted");
//vaidate the result
assertEquals(true, result);
assertThat(result).isTrue();
login();
startLesson("CSRF", false);
Overview[] assignments = RestAssured.given()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("/service/lessonoverview.mvc"))
.then()
.extract()
.jsonPath()
.getObject("$", Overview[].class);
assertThat(assignments)
.filteredOn(a -> a.getAssignment().getName().equals("CSRFLogin"))
.extracting(o -> o.solved)
.containsExactly(true);
}
@Data
private static class Overview {
Assignment assignment;
boolean solved;
}
/**
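Review bot: in the new `Overview` check, `.filteredOn(a -> a.getAssignment().getName().equals("CSRFLogin"))` goes through the Lombok getter while `.extracting(o -> o.solved)` reaches into the field directly; use `Overview::isSolved` for consistency with `@Data`. The `login()` call before `startLesson("CSRF", false)` deserves a comment explaining why a fresh login is needed at this point (the earlier steps of this test log in as the `csrf-` user and switch cookies). The `//vaidate the result` comment in the context has a typo.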
@ -230,7 +251,7 @@ public class CSRFTest extends IntegrationTest {
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.formParam("username", "csrf-"+getWebgoatUser())
.formParam("username", "csrf-" + getWebgoatUser())
.formParam("password", "password")
.formParam("matchingPassword", "password")
.formParam("agree", "agree")

View File

@ -70,4 +70,45 @@ public class ChallengeTest extends IntegrationTest {
assertTrue(capturefFlags.contains("Admin lost password"));
}
@Test
public void testChallenge5() {
startLesson("Challenge5");
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("username_login", "Larry");
params.put("password_login", "1' or '1'='1");
String result =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.formParams(params)
.post(url("/WebGoat/challenge/5"))
.then()
.statusCode(200)
.extract().asString();
String flag = result.substring(result.indexOf("flag")+6,result.indexOf("flag")+42);
params.clear();
params.put("flag", flag);
checkAssignment(url("/WebGoat/challenge/flag"), params, true);
checkResults("/challenge/5");
List<String> capturefFlags =
RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("/WebGoat/scoreboard-data"))
.then()
.statusCode(200)
.extract().jsonPath()
.get("find { it.username == \"" + getWebgoatUser() + "\" }.flagsCaptured");
assertTrue(capturefFlags.contains("Without password"));
}
}
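Review bot: `result.substring(result.indexOf("flag")+6, result.indexOf("flag")+42)` depends on fixed offsets into the response body and calls `indexOf` three times; if "flag" is absent, `indexOf` returns -1 and the test proceeds with a meaningless substring instead of failing with a clear message. Parse the response with `jsonPath()` as the scoreboard check in the same method already does, or at least assert `indexOf("flag") >= 0` first. `capturefFlags` is misspelled (also in the context above).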

View File

@ -3,7 +3,7 @@ package org.owasp.webgoat;
import io.restassured.RestAssured;
import io.restassured.http.ContentType;
import org.hamcrest.CoreMatchers;
import org.junit.Assert;
import org.hamcrest.MatcherAssert;
import org.junit.jupiter.api.Test;
import java.util.HashMap;
@ -38,7 +38,7 @@ public class GeneralLessonTest extends IntegrationTest {
@Test
public void httpProxies() {
startLesson("HttpProxies");
Assert.assertThat(RestAssured.given()
MatcherAssert.assertThat(RestAssured.given()
.when().relaxedHTTPSValidation().cookie("JSESSIONID", getWebGoatCookie()).header("x-request-intercepted", "true")
.contentType(ContentType.JSON)
.get(url("HttpProxies/intercept-request?changeMe=Requests are tampered easily"))
@ -64,11 +64,16 @@ public class GeneralLessonTest extends IntegrationTest {
@Test
public void vulnerableComponents() {
String solution = "<contact>\n" +
" <java.lang.Integer>1</java.lang.Integer>\n" +
" <firstName>Bruce</firstName>\n" +
" <lastName>Mayhew</lastName>\n" +
" <email>webgoat@owasp.org</email>\n" +
String solution = "<contact class='dynamic-proxy'>\n" +
"<interface>org.owasp.webgoat.vulnerable_components.Contact</interface>\n" +
" <handler class='java.beans.EventHandler'>\n" +
" <target class='java.lang.ProcessBuilder'>\n" +
" <command>\n" +
" <string>calc.exe</string>\n" +
" </command>\n" +
" </target>\n" +
" <action>start</action>\n" +
" </handler>\n" +
"</contact>";
startLesson("VulnerableComponents");
Map<String, Object> params = new HashMap<>();
@ -109,7 +114,7 @@ public class GeneralLessonTest extends IntegrationTest {
checkResults("/auth-bypass/");
startLesson("HttpProxies");
Assert.assertThat(RestAssured.given().when().relaxedHTTPSValidation().cookie("JSESSIONID", getWebGoatCookie()).header("x-request-intercepted", "true")
MatcherAssert.assertThat(RestAssured.given().when().relaxedHTTPSValidation().cookie("JSESSIONID", getWebGoatCookie()).header("x-request-intercepted", "true")
.contentType(ContentType.JSON)
.get(url("/WebGoat/HttpProxies/intercept-request?changeMe=Requests are tampered easily")).then()
.statusCode(200).extract().path("lessonCompleted"), CoreMatchers.is(true));

View File

@ -9,7 +9,7 @@ import java.util.HashMap;
import java.util.Map;
import org.hamcrest.CoreMatchers;
import org.junit.Assert;
import org.hamcrest.MatcherAssert;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.DynamicTest;
@ -53,7 +53,7 @@ public class IDORTest extends IntegrationTest {
}
private void profile() {
Assert.assertThat(
MatcherAssert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
@ -70,7 +70,7 @@ public class IDORTest extends IntegrationTest {
params.put("url", "WebGoat/IDOR/profile/2342384");
checkAssignment(url("/WebGoat/IDOR/profile/alt-path"), params, true);
Assert.assertThat(
MatcherAssert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
@ -80,7 +80,7 @@ public class IDORTest extends IntegrationTest {
.statusCode(200)
.extract().path("lessonCompleted"), CoreMatchers.is(true));
Assert.assertThat(
MatcherAssert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()

View File

@ -4,10 +4,7 @@ import io.restassured.RestAssured;
import io.restassured.http.ContentType;
import lombok.Getter;
import org.hamcrest.CoreMatchers;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.hamcrest.MatcherAssert;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.BeforeEach;
@ -49,7 +46,6 @@ public abstract class IntegrationTest {
private static boolean started = false;
@BeforeClass
@BeforeAll
public static void beforeAll() {
if (WG_SSL) {
@ -91,7 +87,6 @@ public abstract class IntegrationTest {
return WEBWOLF_URL + url;
}
@Before
@BeforeEach
public void login() {
@ -143,7 +138,6 @@ public abstract class IntegrationTest {
.cookie("WEBWOLFSESSION");
}
@After
@AfterEach
public void logout() {
RestAssured.given()
@ -193,7 +187,7 @@ public abstract class IntegrationTest {
* @param expectedResult
*/
public void checkAssignment(String url, Map<String, ?> params, boolean expectedResult) {
Assert.assertThat(
MatcherAssert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
@ -215,7 +209,7 @@ public abstract class IntegrationTest {
* @param expectedResult
*/
public void checkAssignmentWithPUT(String url, Map<String, ?> params, boolean expectedResult) {
Assert.assertThat(
MatcherAssert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
@ -231,7 +225,7 @@ public abstract class IntegrationTest {
public void checkResults(String prefix) {
checkResults();
Assert.assertThat(RestAssured.given()
MatcherAssert.assertThat(RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
@ -242,7 +236,7 @@ public abstract class IntegrationTest {
}
public void checkResults() {
Assert.assertThat(RestAssured.given()
MatcherAssert.assertThat(RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
@ -252,7 +246,7 @@ public abstract class IntegrationTest {
}
public void checkAssignment(String url, ContentType contentType, String body, boolean expectedResult) {
Assert.assertThat(
MatcherAssert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
@ -266,7 +260,7 @@ public abstract class IntegrationTest {
}
public void checkAssignmentWithGet(String url, Map<String, ?> params, boolean expectedResult) {
Assert.assertThat(
MatcherAssert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()

View File

@ -12,7 +12,7 @@ import java.util.HashMap;
import java.util.Map;
import org.hamcrest.CoreMatchers;
import org.junit.Assert;
import org.hamcrest.MatcherAssert;
import org.junit.jupiter.api.Test;
import org.owasp.webgoat.jwt.JWTSecretKeyEndpoint;
@ -86,7 +86,7 @@ public class JWTLessonTest extends IntegrationTest {
String secret = getSecretToken(accessToken);
Assert.assertThat(
MatcherAssert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
@ -126,7 +126,7 @@ public class JWTLessonTest extends IntegrationTest {
.concat(new String(Base64.getUrlEncoder().encode(bodyObject.toString().getBytes())).toString())
.concat(".").replace("=", "");
Assert.assertThat(
MatcherAssert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
@ -154,7 +154,7 @@ public class JWTLessonTest extends IntegrationTest {
.concat(new String(Base64.getUrlEncoder().encode(body.getBytes())).toString())
.concat(".").replace("=", "");
Assert.assertThat(RestAssured.given()
MatcherAssert.assertThat(RestAssured.given()
.when().relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.header("Authorization","Bearer "+replacedToken)
@ -180,7 +180,7 @@ public class JWTLessonTest extends IntegrationTest {
.claim("Role", new String[] {"Manager", "Project Administrator"})
.signWith(SignatureAlgorithm.HS256, "deletingTom").compact();
Assert.assertThat(RestAssured.given()
MatcherAssert.assertThat(RestAssured.given()
.when().relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.post(url("/WebGoat/JWT/final/delete?token="+token))

View File

@ -10,7 +10,7 @@ import java.util.Arrays;
import java.util.Map;
import org.hamcrest.CoreMatchers;
import org.junit.Assert;
import org.hamcrest.MatcherAssert;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.DynamicTest;
@ -49,7 +49,7 @@ public class PathTraversalTest extends IntegrationTest {
}
public void assignment1() throws IOException {
Assert.assertThat(
MatcherAssert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
@ -63,7 +63,7 @@ public class PathTraversalTest extends IntegrationTest {
}
public void assignment2() throws IOException {
Assert.assertThat(
MatcherAssert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()
@ -77,7 +77,7 @@ public class PathTraversalTest extends IntegrationTest {
}
public void assignment3() throws IOException {
Assert.assertThat(
MatcherAssert.assertThat(
RestAssured.given()
.when()
.relaxedHTTPSValidation()

View File

@ -2,6 +2,8 @@ package org.owasp.webgoat;
import io.restassured.RestAssured;
import io.restassured.response.Response;
import lombok.extern.log4j.Log4j;
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.Test;
@ -18,26 +20,37 @@ public class ProgressRaceConditionTest extends IntegrationTest {
@Test
public void runTests() throws InterruptedException {
int NUMBER_OF_CALLS = 40;
int NUMBER_OF_PARALLEL_THREADS = 5;
startLesson("Challenge1");
Callable<Response> call = () ->
RestAssured.given()
Callable<Response> call = () -> {
//System.out.println("thread "+Thread.currentThread().getName());
return RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.formParams(Map.of("flag", "test"))
.post(url("/challenge/flag/"));
ExecutorService executorService = Executors.newFixedThreadPool(20);
List<? extends Callable<Response>> flagCalls = IntStream.range(0, 20).mapToObj(i -> call).collect(Collectors.toList());
};
ExecutorService executorService = Executors.newWorkStealingPool(NUMBER_OF_PARALLEL_THREADS);
List<? extends Callable<Response>> flagCalls = IntStream.range(0, NUMBER_OF_CALLS).mapToObj(i -> call).collect(Collectors.toList());
var responses = executorService.invokeAll(flagCalls);
//A certain amount of parallel calls should fail as optimistic locking in DB is applied
Assertions.assertThat(responses.stream().filter(r -> {
long countStatusCode500 = responses.stream().filter(r -> {
try {
return r.get().getStatusCode() == 500;
//System.err.println(r.get().getStatusCode());
return r.get().getStatusCode() != 200;
} catch (InterruptedException | ExecutionException e) {
//System.err.println(e);
throw new IllegalStateException(e);
}
}).count()).isGreaterThan(8);
}).count();
System.out.println("counted status 500: "+countStatusCode500);
Assertions.assertThat(countStatusCode500).isLessThanOrEqualTo((NUMBER_OF_CALLS - (NUMBER_OF_CALLS/NUMBER_OF_PARALLEL_THREADS)));
Assertions.assertThat(countStatusCode500).isGreaterThan((NUMBER_OF_CALLS/NUMBER_OF_PARALLEL_THREADS));
}
}
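Review bot: `countStatusCode500` now counts every response with status `!= 200`, and the `System.out.println("counted status 500: ...")` message repeats the stale name; either count `== 500` as before or rename the variable and the message. The commented-out `System.out.println` / `System.err.println` debug lines should not be committed. The bounds `isLessThanOrEqualTo(NUMBER_OF_CALLS - NUMBER_OF_CALLS/NUMBER_OF_PARALLEL_THREADS)` and `isGreaterThan(NUMBER_OF_CALLS/NUMBER_OF_PARALLEL_THREADS)` (32 and 8 with the constants above) assume the scheduler really overlaps the requests; `newWorkStealingPool` treats its argument as a target parallelism, not a guarantee, so the assertion is timing dependent and the comment should state which property of the optimistic locking it is meant to establish.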

View File

@ -0,0 +1,30 @@
package org.owasp.webgoat;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import org.junit.jupiter.api.Test;
public class SSRFTest extends IntegrationTest {
@Test
public void runTests() throws IOException {
startLesson("SSRF");
Map<String, Object> params = new HashMap<>();
params.clear();
params.put("url", "images/jerry.png");
checkAssignment(url("/WebGoat/SSRF/task1"),params,true);
params.clear();
params.put("url", "http://ifconfig.pro");
checkAssignment(url("/WebGoat/SSRF/task2"),params,true);
checkResults("/SSRF/");
}
}
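Review bot: `params.put("url", "http://ifconfig.pro")` ties the task 2 check to an external host; if the server resolves or fetches that URL, the test needs outbound network on CI and will fail or hang without it, so document the assumption or point it at a host the test controls, as the CSRF tests do with WebWolf. `params.clear()` immediately after `new HashMap<>()` is redundant.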

View File

@ -0,0 +1,111 @@
package org.owasp.webgoat;
import java.util.concurrent.TimeUnit;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.openqa.selenium.By;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.firefox.FirefoxBinary;
import org.openqa.selenium.firefox.FirefoxDriver;
import org.openqa.selenium.firefox.FirefoxOptions;
import io.github.bonigarcia.wdm.WebDriverManager;
import io.github.bonigarcia.wdm.config.DriverManagerType;
public class SeleniumTest extends IntegrationTest {
static {
try {
WebDriverManager.getInstance(DriverManagerType.FIREFOX).setup();
} catch (Exception e) {
//sometimes a 403 cause an ExceptionInInitializerError
}
}
private WebDriver driver;
@BeforeEach
public void setUpAndLogin() {
try {
FirefoxBinary firefoxBinary = new FirefoxBinary();
firefoxBinary.addCommandLineOptions("--headless");
FirefoxOptions firefoxOptions = new FirefoxOptions();
firefoxOptions.setBinary(firefoxBinary);
driver = new FirefoxDriver(firefoxOptions);
driver.get(url("/login"));
driver.manage().timeouts().implicitlyWait(30, TimeUnit.SECONDS);
// Login
driver.findElement(By.name("username")).sendKeys(getWebgoatUser());
driver.findElement(By.name("password")).sendKeys("password");
driver.findElement(By.className("btn")).click();
// Check if user exists. If not, create user.
if (driver.getCurrentUrl().equals(url("/login?error"))) {
driver.get(url("/registration"));
driver.findElement(By.id("username")).sendKeys(getWebgoatUser());
driver.findElement(By.id("password")).sendKeys("password");
driver.findElement(By.id("matchingPassword")).sendKeys("password");
driver.findElement(By.name("agree")).click();
driver.findElement(By.className("btn-primary")).click();
}
} catch (IllegalStateException e) {
System.err.println("Web driver not found here: "+System.getProperty("webdriver.gecko.driver"));
}
}
@AfterEach
public void tearDown() {
if (null != driver) {
driver.close();
}
}
@Test
public void sqlInjection() {
if (null==driver) return;
driver.get(url("/start.mvc#lesson/SqlInjection.lesson"));
driver.get(url("/start.mvc#lesson/SqlInjection.lesson/1"));
driver.findElement(By.id("restart-lesson-button")).click();
driver.get(url("/start.mvc#lesson/SqlInjection.lesson/0"));
driver.get(url("/start.mvc#lesson/SqlInjection.lesson/1"));
driver.findElement(By.name("query")).sendKeys(SqlInjectionLessonTest.sql_2);
driver.findElement(By.name("query")).submit();
driver.get(url("/start.mvc#lesson/SqlInjection.lesson/2"));
driver.findElements(By.name("query")).get(1).sendKeys(SqlInjectionLessonTest.sql_3);
driver.findElements(By.name("query")).get(1).submit();
driver.get(url("/start.mvc#lesson/SqlInjection.lesson/3"));
driver.findElements(By.name("query")).get(2).sendKeys(SqlInjectionLessonTest.sql_4_drop);
driver.findElements(By.name("query")).get(2).submit();
driver.get(url("/start.mvc#lesson/SqlInjection.lesson/3"));
driver.findElements(By.name("query")).get(2).clear();
driver.findElements(By.name("query")).get(2).sendKeys(SqlInjectionLessonTest.sql_4_add);
driver.findElements(By.name("query")).get(2).submit();
driver.findElements(By.name("query")).get(2).clear();
driver.findElements(By.name("query")).get(2).sendKeys(SqlInjectionLessonTest.sql_4_drop);
driver.findElements(By.name("query")).get(2).submit();
driver.get(url("/start.mvc#lesson/SqlInjection.lesson/4"));
driver.findElements(By.name("query")).get(3).sendKeys(SqlInjectionLessonTest.sql_5);
driver.findElements(By.name("query")).get(3).submit();
driver.get(url("/start.mvc#lesson/SqlInjection.lesson/8"));
driver.findElement(By.name("account")).sendKeys("Smith'");
driver.findElement(By.name("operator")).sendKeys("OR");
driver.findElement(By.name("injection")).sendKeys("'1'='1");
driver.findElement(By.name("Get Account Info")).click();
driver.get(url("/start.mvc#lesson/SqlInjection.lesson/9"));
driver.findElement(By.name("userid")).sendKeys(SqlInjectionLessonTest.sql_10_userid);
driver.findElement(By.name("login_count")).sendKeys(SqlInjectionLessonTest.sql_10_login_count);
driver.findElements(By.name("Get Account Info")).get(1).click();
}
}
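Review bot: `sqlInjection` drives the UI through every SqlInjection page but contains no assertion, so it can only fail by throwing; add a check on the lesson state after the submits (the `lessonCompleted` checks in `IntegrationTest` can be reused). `if (null==driver) return;` makes the test pass silently when the driver could not be set up; use JUnit 5 `Assumptions.assumeTrue(driver != null)` so the run reports a skip instead of a false green. The empty `catch (Exception e)` in the static block hides every `WebDriverManager` failure, not only the 403 the comment mentions; at least log it. `driver.close()` in `tearDown` only closes the window; `driver.quit()` ends the geckodriver process and is the right call here. The literal `"password"` is typed in three places; lift it into a constant next to `getWebgoatUser()`.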

View File

@ -7,24 +7,24 @@ import org.junit.jupiter.api.Test;
public class SqlInjectionLessonTest extends IntegrationTest {
private static final String sql_2 = "select department from employees where last_name='Franco'";
private static final String sql_3 = "update employees set department='Sales' where last_name='Barnett'";
private static final String sql_4_drop = "alter table employees drop column phone";
private static final String sql_4_add = "alter table employees add column phone varchar(20)";
private static final String sql_5 = "grant alter table to UnauthorizedUser";
private static final String sql_9_account = " ' ";
private static final String sql_9_operator = "or";
private static final String sql_9_injection = "'1'='1";
private static final String sql_10_login_count = "2";
private static final String sql_10_userid = "1 or 1=1";
public static final String sql_2 = "select department from employees where last_name='Franco'";
public static final String sql_3 = "update employees set department='Sales' where last_name='Barnett'";
public static final String sql_4_drop = "alter table employees drop column phone";
public static final String sql_4_add = "alter table employees add column phone varchar(20)";
public static final String sql_5 = "grant alter table to UnauthorizedUser";
public static final String sql_9_account = " ' ";
public static final String sql_9_operator = "or";
public static final String sql_9_injection = "'1'='1";
public static final String sql_10_login_count = "2";
public static final String sql_10_userid = "1 or 1=1";
private static final String sql_11_a = "Smith' or '1' = '1";
private static final String sql_11_b = "3SL99A' or '1'='1";
public static final String sql_11_a = "Smith' or '1' = '1";
public static final String sql_11_b = "3SL99A' or '1'='1";
private static final String sql_12_a = "Smith";
private static final String sql_12_b = "3SL99A' ; update employees set salary= '100000' where last_name='Smith";
public static final String sql_12_a = "Smith";
public static final String sql_12_b = "3SL99A' ; update employees set salary= '100000' where last_name='Smith";
private static final String sql_13 = "%update% '; drop table access_log ; --'";
public static final String sql_13 = "%update% '; drop table access_log ; --'";
@Test
public void runTests() {
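Review bot: widening all fifteen constants from `private` to `public` only so the Selenium test can read two of them (`sql_10_userid`, `sql_10_login_count`) turns test fixtures into the module's public surface. Move the shared payload strings into a dedicated package-private holder (hypothetical name: `SqlInjectionPayloads`) or make only the two constants that are actually reused accessible.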

View File

@ -59,7 +59,7 @@ public class SqlInjectionMitigationTest extends IntegrationTest {
.get(url("/WebGoat/SqlInjectionMitigations/servers?column=unknown"))
.then()
.statusCode(500)
.body("message", containsString("select id, hostname, ip, mac, status, description from servers where status <> 'out of order' order by"));
.body("trace", containsString("select id, hostname, ip, mac, status, description from servers where status <> 'out of order' order by"));
params.clear();
params.put("ip", "104.130.219.202");
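Review bot: asserting on `trace` rather than `message` makes this test depend on the server putting a stack trace into its 500 error body (Spring Boot's `server.error.include-stacktrace` setting); if that is ever tightened, the test fails even though the mitigation still works. If exposing the failing SQL in the error response is intentional for this lesson, say so in a comment next to the assertion so the error handling is not "fixed" later; otherwise assert on a field that is stable regardless of error detail settings.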

View File

@ -1,6 +1,6 @@
package org.owasp.webgoat;
import static org.junit.Assert.assertTrue;
import static org.junit.jupiter.api.Assertions.assertTrue;
import java.io.IOException;
import java.util.HashMap;
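Review bot: swapping `org.junit.Assert.assertTrue` for `org.junit.jupiter.api.Assertions.assertTrue` flips the parameter order: JUnit 4 is `assertTrue(String message, boolean condition)`, JUnit 5 is `assertTrue(boolean condition, String message)`. Any call in this file that passes a message needs its arguments swapped, and any remaining JUnit 4 imports in the same file should be migrated in the same change.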

View File

@ -31,6 +31,21 @@ public class XXETest extends IntegrationTest {
checkResults("xxe/");
}
/*
* This test is to verify that all is secure when XXE security patch is applied.
*/
@Test
public void xxeSecure() throws IOException {
startLesson("XXE");
webGoatHomeDirectory = getWebGoatServerPath();
webwolfFileDir = getWebWolfServerPath();
RestAssured.given().when().relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie()).get(url("/xxe/applysecurity"));
checkAssignment(url("/WebGoat/xxe/simple"), ContentType.XML, xxe3, false);
checkAssignment(url("/WebGoat/xxe/content-type"), ContentType.XML, xxe4, false);
checkAssignment(url("/WebGoat/xxe/blind"), ContentType.XML, "<comment><text>" + getSecret() + "</text></comment>", false);
}
/**
* This performs the steps of the exercise before the secret can be committed in the final step.
*
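Review bot: `xxeSecure` calls `/xxe/applysecurity` to put the lesson into its patched mode but never switches it back, so the other tests in `XXETest` (which expect the vulnerable state) now depend on execution order, and JUnit 5 does not guarantee method order by default. Restore the vulnerable state in an `@AfterEach`, or make the ordering explicit. Also `webGoatHomeDirectory` and `webwolfFileDir` are assigned here but not read inside the new test body; drop the assignments unless another method relies on them.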
@ -68,7 +83,9 @@ public class XXETest extends IntegrationTest {
.then()
.extract().response().getBody().asString();
result = result.replace("%20", " ");
if (-1 != result.lastIndexOf("WebGoat 8.0 rocks... (")) {
result = result.substring(result.lastIndexOf("WebGoat 8.0 rocks... ("), result.lastIndexOf("WebGoat 8.0 rocks... (") + 33);
}
return result;
}
}
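Review bot: the new guard avoids calling `substring` when the marker is absent, but `result.lastIndexOf("WebGoat 8.0 rocks... (")` is now evaluated three times and the fixed `+ 33` end offset still throws `StringIndexOutOfBoundsException` if the response is cut off shortly after the marker. Capture the index once in a local and clamp the end with `Math.min(idx + 33, result.length())`.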

View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>v8.1.0</version>
<version>${revision}</version>
</parent>
</project>
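Review bot: `<version>${revision}</version>` in a `<parent>` block is only resolved on `install`/`deploy` when the flatten-maven-plugin (the `org.codehaus.mojo:flatten-maven-plugin` named in the Maven upgrade commit) rewrites the POM; confirm that the parent defines a default `revision` property and applies that plugin, otherwise the published artifacts carry a literal `${revision}` parent version. The same applies to every other lesson POM changed in this set.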

View File

@ -6,6 +6,6 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>v8.1.0</version>
<version>${revision}</version>
</parent>
</project>

View File

@ -34,7 +34,7 @@ public class BypassRestrictionsFieldRestrictions extends AssignmentEndpoint {
@PostMapping("/BypassRestrictions/FieldRestrictions")
@ResponseBody
public AttackResult completed(@RequestParam String select, @RequestParam String radio, @RequestParam String checkbox, @RequestParam String shortInput) {
public AttackResult completed(@RequestParam String select, @RequestParam String radio, @RequestParam String checkbox, @RequestParam String shortInput, @RequestParam String readOnlyInput) {
if (select.equals("option1") || select.equals("option2")) {
return failed(this).build();
}
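Review bot: adding `@RequestParam String readOnlyInput` as a required parameter means any client or integration test that still posts the old four-field form now gets a 400 (MissingServletRequestParameterException) instead of a lesson result. Either declare it `@RequestParam(required = false)` with a null check, or update the integration test that drives this assignment in the same change.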
@ -47,6 +47,9 @@ public class BypassRestrictionsFieldRestrictions extends AssignmentEndpoint {
if (shortInput.length() <= 5) {
return failed(this).build();
}
if ("change".equals(readOnlyInput)) {
return failed(this).build();
}
return success(this).build();
}
}
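Review bot: the `"change".equals(readOnlyInput)` check mirrors the existing ones, but since the form's readonly field always submits the literal `change`, the lesson text in `BypassRestrictions_FieldRestrictions.adoc` should be updated to tell the learner that the readonly field must be modified too; otherwise the assignment fails without any hint about the fifth field.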

View File

@ -0,0 +1,5 @@
.bypass-input-container {
position: relative;
padding: 7px;
margin-top: 7px;
}

View File

@ -1,45 +1,64 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<html xmlns:th="http://www.thymeleaf.org" xmlns="http://www.w3.org/1999/html">
<div class="lesson-page-wrapper">
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:BypassRestrictions_Intro.adoc"></div>
</div>
</div>
<div class="lesson-page-wrapper">
<div class="lesson-page-wrapper">
<!-- stripped down without extra comments -->
<div class="adoc-content" th:replace="doc:BypassRestrictions_FieldRestrictions.adoc"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/bypass-restrictions.css}"/>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container-fluid">
<form class="attack-form" accept-charset="UNKNOWN" name="fieldRestrictions"
method="POST"
action="/WebGoat/BypassRestrictions/FieldRestrictions">
<div>Select field with two possible values</div>
<div class="bypass-input-container"><b>Select field with two possible value</b>
<div class="input-group">
<select name="select">
<option value="option1">Option 1</option>
<option value="option2">Option 2</option>
</select>
<div>Radio button with two possible values</div>
<input type="radio" name="radio" value="option1" checked="checked"/> Option 1<br />
<input type="radio" name="radio" value="option2" /> Option 2<br />
<div>Checkbox: value either on or off</div>
<input type="checkbox" name="checkbox" checked="checked"/> Checkbox
<div>Input restricted to max 5 characters</div>
<input type="text" value="12345" name="shortInput" maxlength="5"/>
<div>Disabled input field</div>
<input type="submit" value="submit"/>
</div>
</div>
<div class="bypass-input-container"><b>Radio button with two possible values</b>
<div class="input-group">
<input type="radio" name="radio" value="option1" checked="checked"/> Option 1<br/>
<input type="radio" name="radio" value="option2"/> Option 2<br/>
</div>
</div>
<div class="bypass-input-container"><b>Checkbox: value either on or off</b>
<div class="input-group">
<input type="checkbox" name="checkbox" checked="checked"> Checkbox</input>
</div>
</div>
<div class="bypass-input-container"><b>Input restricted to max 5 characters</b>
<div class="input-group"><input type="text" value="12345" name="shortInput" maxlength="5"/>
</div>
</div>
<div class="bypass-input-container"><b>Readonly input field</b>
<div class="input-group">
<input type="text" value="change" readonly="readonly" name="readOnlyInput"/>
</div>
</div>
<br>
<input type="submit" class="btn btn-primary" value="Submit"/>
</form>
</div>
<br/>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</div>
<div class="lesson-page-wrapper">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:BypassRestrictions_FrontendValidation.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
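Review bot: `<input type="checkbox" name="checkbox" checked="checked"> Checkbox</input>` adds a closing tag to a void element; keep the original self-closing form (`<input ... /> Checkbox`) so the template stays valid for the Thymeleaf parser. Two smaller items in the same hunk: the bold label "Select field with two possible value" is missing an "s", and `xmlns="http://www.w3.org/1999/html"` is not a real namespace (XHTML's is `http://www.w3.org/1999/xhtml`); it is harmless in Thymeleaf's HTML mode but should be dropped.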
@ -66,7 +85,8 @@
<textarea cols="25" name="field3" rows="1">abc 123 ABC</textarea>
</div>
<p></p>
<div><strong>Field 4:</strong> enumeration of numbers (^(one|two|three|four|five|six|seven|eight|nine)$)</div>
<div><strong>Field 4:</strong> enumeration of numbers (^(one|two|three|four|five|six|seven|eight|nine)$)
</div>
<div>
<textarea cols="25" name="field4" rows="1">seven</textarea>
</div>
@ -85,30 +105,53 @@
<div>
<textarea cols="25" name="field7" rows="1">301-604-4882</textarea>
</div>
<input type="hidden" value="" name="error" />
<p><button type="submit" class="btn btn-primary">Submit</button></p>
<input type="hidden" value="" name="error"/>
<p>
<button type="submit" class="btn btn-primary">Submit</button>
</p>
</form>
<script>
var regex1=/^[a-z]{3}$/;
var regex2=/^[0-9]{3}$/;
var regex3=/^[a-zA-Z0-9 ]*$/;
var regex4=/^(one|two|three|four|five|six|seven|eight|nine)$/;
var regex5=/^\d{5}$/;
var regex6=/^\d{5}(-\d{4})?$/;
var regex7=/^[2-9]\d{2}-?\d{3}-?\d{4}$/;
var validate = function() {
var msg='JavaScript found form errors';
var err=0;
if (!regex1.test(document.frontendValidation.field1.value)) {err+=1; msg+='\n Value entered for field 1 is not correct';}
if (!regex2.test(document.frontendValidation.field2.value)) {err+=1; msg+='\n Value entered for field 2 is not correct';}
if (!regex3.test(document.frontendValidation.field3.value)) {err+=1; msg+='\n Value entered for field 3 is not correct';}
if (!regex4.test(document.frontendValidation.field4.value)) {err+=1; msg+='\n Value entered for field 4 is not correct';}
if (!regex5.test(document.frontendValidation.field5.value)) {err+=1; msg+='\n Value entered for field 5 is not correct';}
if (!regex6.test(document.frontendValidation.field6.value)) {err+=1; msg+='\n Value entered for field 6 is not correct';}
if (!regex7.test(document.frontendValidation.field7.value)) {err+=1; msg+='\n Value entered for field 7 is not correct';}
var regex1 = /^[a-z]{3}$/;
var regex2 = /^[0-9]{3}$/;
var regex3 = /^[a-zA-Z0-9 ]*$/;
var regex4 = /^(one|two|three|four|five|six|seven|eight|nine)$/;
var regex5 = /^\d{5}$/;
var regex6 = /^\d{5}(-\d{4})?$/;
var regex7 = /^[2-9]\d{2}-?\d{3}-?\d{4}$/;
var validate = function () {
var msg = 'JavaScript found form errors';
var err = 0;
if (!regex1.test(document.frontendValidation.field1.value)) {
err += 1;
msg += '\n Value entered for field 1 is not correct';
}
if (!regex2.test(document.frontendValidation.field2.value)) {
err += 1;
msg += '\n Value entered for field 2 is not correct';
}
if (!regex3.test(document.frontendValidation.field3.value)) {
err += 1;
msg += '\n Value entered for field 3 is not correct';
}
if (!regex4.test(document.frontendValidation.field4.value)) {
err += 1;
msg += '\n Value entered for field 4 is not correct';
}
if (!regex5.test(document.frontendValidation.field5.value)) {
err += 1;
msg += '\n Value entered for field 5 is not correct';
}
if (!regex6.test(document.frontendValidation.field6.value)) {
err += 1;
msg += '\n Value entered for field 6 is not correct';
}
if (!regex7.test(document.frontendValidation.field7.value)) {
err += 1;
msg += '\n Value entered for field 7 is not correct';
}
document.frontendValidation.error.value = err
if ( err > 0 ) {
if (err > 0) {
alert(msg)
return false;
}
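Review bot: since this hunk is a pure reformat of the client-side validation script, add the missing semicolons on the two unchanged lines `document.frontendValidation.error.value = err` and `alert(msg)` so the block is consistent with the rest. Behaviour is unchanged: the checks remain client-side only, which is the point of the lesson.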
@ -120,5 +163,5 @@
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</div>
</html>

View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>v8.1.0</version>
<version>${revision}</version>
</parent>

View File

@ -15,7 +15,7 @@ import static org.owasp.webgoat.challenges.SolutionConstants.PASSWORD;
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* Copyright (c) 2002 - 2014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the

View File

@ -6,6 +6,6 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>v8.1.0</version>
<version>${revision}</version>
</parent>
</project>

View File

@ -6,6 +6,6 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>v8.1.0</version>
<version>${revision}</version>
</parent>
</project>

View File

@ -1,5 +1,6 @@
{
"questions": [{
"questions": [
{
"text": "How could an intruder harm the security goal of confidentiality?",
"solutions": {
"1": "By deleting all the databases.",
@ -7,29 +8,33 @@
"3": "By stealing a database where names and emails are stored and uploading it to a website.",
"4": "Confidentiality can't be harmed by an intruder."
}
}, {
},
{
"text": "How could an intruder harm the security goal of integrity?",
"solutions": {
"1": "By changing the names and emails of one or more users stored in a database.",
"2": "By listening to incoming and outgoing network traffic.",
"3": "By bypassing authentication mechanisms that are in place to manage database access.",
"4": "Integrity can only be harmed when the intruder has physical access to the database storage."
"3": "By bypassing the access control mechanisms used to manage database access.",
"4": "Integrity can only be harmed when the intruder has physical access to the database."
}
}, {
},
{
"text": "How could an intruder harm the security goal of availability?",
"solutions": {
"1": "By exploiting bugs in the systems software to bypass authentication mechanisms for databases.",
"2": "By redirecting emails with sensitive data to other individuals.",
"1": "By exploiting a software bug that allows the attacker to bypass the normal authentication mechanisms for a database.",
"2": "By redirecting sensitive emails to other individuals.",
"3": "Availability can only be harmed by unplugging the power supply of the storage devices.",
"4": "By launching a denial of service attack on the servers."
}
}, {
},
{
"text": "What happens if at least one of the CIA security goals is harmed?",
"solutions": {
"1": "A system can be considered safe until all the goals are harmed. Harming one goal has no effect on the systems security.",
"2": "The systems security is compromised even if only one goal is harmed.",
"3": "It's not that bad when an attacker reads or changes data, at least some data is still available, hence only when the goal of availability is harmed the security of the system is compromised.",
"4": "It shouldn't be a problem if an attacker changes data or makes it unavailable, but reading sensitive data is not tolerable. Theres only a problem when confidentiality is harmed."
"1": "All three goals must be harmed for the system's security to be compromised; harming just one goal has no effect on the system's security.",
"2": "The system's security is compromised even if only one goal is harmed.",
"3": "It is acceptable if an attacker reads or changes data since at least some of the data is still available. The system's security is compromised only if its availability is harmed.",
"4": "It is acceptable if an attacker changes data or makes it unavailable, but reading sensitive data is not tolerable. The system's security is compromised only if its confidentiality is harmed."
}
}]
}
]
}
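Review bot: several option texts in the integrity and availability questions were reworded (for example option 3 of the integrity question now reads "access control mechanisms" instead of "authentication mechanisms") while the option numbers stayed the same. Because the quiz is graded by option number, confirm that the expected-answer keys in the lesson's assignment class still point at the intended options after the rewording.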

View File

@ -1,22 +1,24 @@
== Availability
Availability is "the property of being accessible and usable on demand by an authorized entity." In other words all the information should be available and accessible for authorized persons whenever it is needed.
Availability is "the property of being accessible and usable on demand by an authorized entity." In other words, authorized persons should have access to permitted resources at all times.
{nbsp} +
=== Examples that compromise availability:
** denial-of-service attacks (Dos)
** server crashes
** even fire or natural disasters
** denial-of-service attacks (DOS)
** hardware failures
** fire or other natural disasters
** software or network misconfigurations
{nbsp} +
=== Examples of methods ensuring availability
** intrusion detection systems
** intrusion detection systems (IDSs)
** network traffic control
** firewalls
** physically and geographically isolated location
*** fire- and waterproof
** physical security of hardware and underlying infrastructure
*** protections against fire, water, and other elements
** hardware maintenance
** redundancy
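Review bot: "denial-of-service attacks (DOS)" should use the conventional abbreviation `DoS`; the previous "Dos" was also off, and `DOS` reads as the operating system. The expanded lists (hardware failures, misconfigurations, hardware maintenance) are otherwise a good improvement.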

View File

@ -1,25 +1,25 @@
== Confidentiality
Confidentiality is "the property, that information is not made available or disclosed to unauthorized individuals, entities, or processes." In other words, confidentiality means to prevent sensitive information from reaching the wrong people, that should not get access to it, while at the same time making sure, that people that are allowed to access it, can get it.
Confidentiality is "the property, that information is not made available or disclosed to unauthorized individuals, entities, or processes." In other words, confidentiality requires that unauthorized users should not be able to access sensitive resources. Confidentiality must be balanced with availability; authorized persons must still be able to access the resources they have been granted permissions for.
While being similar to "privacy", these two words are not interchangeable. Rather, confidentiality is a component of privacy that implements to protect our data from unauthorized viewers.
Although confidentiality is similar to "privacy", these two words are not interchangeable. Rather, confidentiality is a component of privacy; confidentiality is implemented to protect resources from unauthorized entities.
{nbsp} +
=== Examples that compromise confidentiality:
** a hacker gets access to the password database of a company
** sensitive emails being sent to incorrect individuals
** a hacker reads sensitive information by intercepting and eavesdropping an information transfer
** a sensitive emails is sent to the incorrect individual
** a hacker reads sensitive information by intercepting and eavesdropping on an information transfer
{nbsp} +
=== Examples of methods ensuring confidentiality
** data encryption
** authentication methods
*** passwords
*** two-factor authentication
** properly implemented authentication and access control
*** securely stored passwords
*** multi-factor authentication (MFA)
*** biometric verification
** minimizing the number of places/times the information appears
** physical security measurements like protected server rooms etc.
** physical security controls such as properly secured server rooms
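Review bot: the rewritten bullet "a sensitive emails is sent to the incorrect individual" has a number agreement error; make it "a sensitive email is sent to the wrong individual". The quoted definition also keeps the stray comma in "the property, that information is not made available"; if that is a verbatim citation, name the source, otherwise drop the comma.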

View File

@ -1,6 +1,6 @@
== Integrity
Integrity is "the property of accuracy and completeness." In other words, integrity means to maintain the consistency, accuracy and trustworthiness of data over its entire life cycle. Data must not be changed during transit and it must be ensured, that data can not be altered by unauthorized people (per example in a breach of confidentiality).
Integrity is "the property of accuracy and completeness." In other words, integrity means maintaining the consistency, accuracy and trustworthiness of data over its entire life cycle. Data must not be changed during transit and unauthorized entities should not be able to alter the data.
{nbsp} +
@ -8,7 +8,7 @@ Integrity is "the property of accuracy and completeness." In other words, integr
** human error when entering data
** errors during data transmission
** software bugs, hardware failures
** software bugs and hardware failures
** hackers change information that they should not have access to
{nbsp} +
@ -17,4 +17,5 @@ Integrity is "the property of accuracy and completeness." In other words, integr
** well functioning authentication methods and access control
** checking integrity with hash functions
** backups, redundancy
** backups and redundancy
** auditing and logging

View File

@ -2,6 +2,6 @@
The CIA Triad (confidentiality, integrity, availability) is a model for information security.
The three elements of the triad are considered the most crucial information security components and should be guaranteed in any secure system. +
If only one of those three elements can be breached it can have serious consequences for the parties concerned.
Serious consequences can result if even one these elements is breached.
The CIA Triad was created to provide a baseline standard for evaluating and implementing security regardless of the underlying system or/and organization.
The CIA Triad was created to provide a baseline standard for evaluating and implementing security regardless of the underlying system and/or organization.
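Review bot: "Serious consequences can result if even one these elements is breached." is missing a word; it should read "even one of these elements".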

View File

@ -1,3 +1,3 @@
Now it's time for a quiz! Answer the following question to check, if you understood the topic.
Now it's time for a quiz! Answer the following question to check if you understood the topic.
Today every system is protected by a firewall. The firewall keeps intruders locked out of the system and guarantees, that the data handled there is safe. Imagine a system that handles personal data and is not protected by a firewall:
Today, most systems are protected by a firewall.A properly configured firewall can prevent malicious entities from accessing a system and helps protect an organization's resources. For this quiz, imagine a system that handles personal data but is not protected by a firewall:
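Review bot: "protected by a firewall.A properly configured" needs a space after the period. The second sentence is also doing two jobs (explaining what a firewall does and setting up the quiz premise); splitting "For this quiz, imagine ..." onto its own line would make the premise stand out.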

View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>v8.1.0</version>
<version>${revision}</version>
</parent>
</project>

View File

@ -9,7 +9,7 @@ import org.springframework.stereotype.Component;
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* Copyright (c) 2002 - 2014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the

View File

@ -1,34 +0,0 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<artifactId>http-proxies</artifactId>
<packaging>jar</packaging>
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>v8.0.0-SNAPSHOT</version>
</parent>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<version>4.1.3.RELEASE</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>${junit.version}</version>
<type>jar</type>
<scope>test</scope>
</dependency>
</dependencies>
</project>
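Review bot: deleting the `http-proxies` module's POM must be paired with removing `http-proxies` from the `<modules>` list of `webgoat-lessons-parent`, otherwise the reactor build fails on the missing directory. The deleted POM still pinned `v8.0.0-SNAPSHOT` as its parent and `spring-security-test 4.1.3.RELEASE`, so it was already out of step with the other lessons, which supports removing it rather than migrating it.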

View File

@ -1,58 +0,0 @@
package org.owasp.webgoat.plugin;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
/**
* *************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
*
* For details, please see http://webgoat.github.io
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
@AssignmentPath("/HttpProxies/intercept-request")
public class HttpBasicsInterceptRequest extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.GET)
public @ResponseBody
AttackResult completed(HttpServletRequest request) throws IOException {
if (request.getHeader("x-request-intercepted").toLowerCase().equals("true") && request.getParameter("changeMe").equals("Requests are tampered easily")) {
return trackProgress(success().feedback("http-proxies.intercept.success").build());
} else {
return trackProgress(failed().feedback("http-proxies.intercept.failure").build());
}
}
}

View File

@ -1,53 +0,0 @@
package org.owasp.webgoat.plugin;
import com.beust.jcommander.internal.Lists;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.Lesson;
import java.util.List;
/**
* ************************************************************************************************
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
* <p>
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
* <p>
* Getting Source ==============
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
* <p>
*
* @author WebGoat
* @version $Id: $Id
* @since October 12, 2016
*/
public class HttpProxies extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.GENERAL;
}
@Override
public String getTitle() {
return "http-proxies.title";
}
@Override
public String getId() {
return "HttpProxies";
}
}

View File

@ -1,50 +0,0 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro0.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro1.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro2.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro3.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- stripped down without extra comments -->
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntercept.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" name="intercept-request"
method="POST"
action="/WebGoat/HttpBasics/intercept-request">
<input type="text" value="doesn't matter really" name="changeMe" />
<input type="submit" value="Submit" />
</form>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</html>

View File

@ -1,4 +0,0 @@
http-proxies.title=HTTP Proxies
http-proxies.intercept.success=Well done, you tampered the request as expected
http-proxies.intercept.failure=Please try again. Make sure to make all the changes. And case sensitivity may matter ... or not, you never know!
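Review bot: with the message bundle gone, check that nothing else still references `http-proxies.title` or the `http-proxies.intercept.*` keys, and that no other template still does `th:replace="doc:HttpBasics_ProxyIntro*.adoc"`; an orphaned reference only shows up as a render-time error when that lesson page is opened.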

View File

@ -1,20 +0,0 @@
== HTTP Proxy Overview
Many times proxies are used as a way of accessing otherwise blocked content. A user might connect to server A, which relays content from server B
... Because Server B is blocked within the user's network. That's not the use case we will be dealing with here, but the concept is the same.
HTTP Proxies receive requests from a client and relay them. They also typically record them. They act as a man-in-the-middle (keep that in mind if you decide to
use a proxy server to connect to some other system that is otherwise blocked). We won't get into HTTP vs HTTPS just yet, but that's an important topic in
relationship to proxies.
=== Proxy Capabilities
Proxies sit between your client and the server the client is talking to. You can record and analyze the requests & responses. You can also use the proxy to
modify (tamper) the requests and responses. Proxies also have automated or semi-automated functions that allow you to gain efficiency in testing and
analyzing the security of a website.
=== Other Uses for Proxies
ZAP specifically can also be used in the development process in a CI/CD, DevOps or otherwise automated build/test environment. This lesson does
not currently have any details on that, but it is worth mentioning. There are a number of examples on the internet of it being integrated into a
CI/CD with Jenkins, Maven or other build processes.

View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>v8.1.0</version>
<version>${revision}</version>
</parent>
<dependencies>
<dependency>

View File

@ -30,11 +30,17 @@ import org.owasp.webgoat.session.UserSessionData;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.*;
import java.util.function.Predicate;
import java.util.regex.Pattern;
@RestController
@AssignmentHints(value = {"xss-reflected-5a-hint-1", "xss-reflected-5a-hint-2", "xss-reflected-5a-hint-3", "xss-reflected-5a-hint-4"})
public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
public static final Predicate<String> XSS_PATTERN = Pattern.compile(
".*<script>(console\\.log|alert)\\(.*\\);?</script>.*"
, Pattern.CASE_INSENSITIVE).asMatchPredicate();
@Autowired
UserSessionData userSessionData;
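Review bot: `Pattern.asMatchPredicate()` only exists since Java 11, so this hunk raises the minimum JDK for the lesson module; make sure the compiler release/source level in the parent agrees. The new regex `.*<script>(console\\.log|alert)\\(.*\\);?</script>.*` is also stricter than the one it replaces: it no longer allows anything between `<script>` and the call (the old pattern had `.*` there), so a payload with leading whitespace or a `window.` prefix now falls through. If that narrowing is intended, say so in a comment on the constant; otherwise keep the inner `.*`.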
@ -45,13 +51,13 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
@RequestParam Integer QTY4, @RequestParam String field1,
@RequestParam String field2) {
if (field2.toLowerCase().matches(".*<script>.*(console\\.log\\(.*\\)|alert\\(.*\\));?<\\/script>.*")) {
if (XSS_PATTERN.test(field2)) {
return failed(this).feedback("xss-reflected-5a-failed-wrong-field").build();
}
double totalSale = QTY1.intValue() * 69.99 + QTY2.intValue() * 27.99 + QTY3.intValue() * 1599.99 + QTY4.intValue() * 299.99;
userSessionData.setValue("xss-reflected1-complete", (Object) "false");
userSessionData.setValue("xss-reflected1-complete", "false");
StringBuffer cart = new StringBuffer();
cart.append("Thank you for shopping at WebGoat. <br />You're support is appreciated<hr />");
cart.append("<p>We have charged credit card:" + field1 + "<br />");
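Review bot: Dropping the redundant `(Object)` cast is fine. Two nits in the unchanged context of this hunk while you are here: `StringBuffer cart` can be `StringBuilder` (nothing shares it across threads), and the user-facing text `You're support is appreciated` should read `Your support is appreciated`.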
@ -60,11 +66,10 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
//init state
if (userSessionData.getValue("xss-reflected1-complete") == null) {
userSessionData.setValue("xss-reflected1-complete", (Object) "false");
userSessionData.setValue("xss-reflected1-complete", "false");
}
if (field1.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) {
//return )
if (XSS_PATTERN.test(field1)) {
userSessionData.setValue("xss-reflected-5a-complete", "true");
if (field1.toLowerCase().contains("console.log")) {
return success(this).feedback("xss-reflected-5a-success-console").output(cart.toString()).build();
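Review bot: The replacement loosens the `field1` check. The old `matches(...)` pattern had no leading or trailing `.*`, so the whole field had to be the script element, whereas `XSS_PATTERN` accepts it anywhere inside a longer value. If that is intended (it makes the `field1` and `field2` checks symmetric), say so in the commit message; if not, keep an anchored pattern for `field1`. Removing the dead `//return )` comment is correct.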
@ -73,7 +78,7 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
}
} else {
userSessionData.setValue("xss-reflected1-complete", "false");
return success(this)
return failed(this)
.feedback("xss-reflected-5a-failure")
.output(cart.toString())
.build();
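Review bot: Changing `success(this)` to `failed(this)` on the failure path is the right fix, but the session keys in this hunk differ: the success branch sets `xss-reflected-5a-complete` to `"true"` while this `else` branch resets `xss-reflected1-complete` to `"false"`, so a later wrong submission never clears the flag that marks the assignment complete. Use one key in both branches (and in the `//init state` block above).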

View File

@ -48,9 +48,8 @@
<form class="attack-form" accept-charset="UNKNOWN"
method="GET" name="xss-5a"
action="/WebGoat/CrossSiteScripting/attack5a">
<hr width="90%" />
<center>
<h1>Shopping Cart</h1>
<h4>Shopping Cart</h4>
</center>
<table width="90%" cellspacing="0" cellpadding="2" border="1"
align="center">
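Review bot: Demoting the heading and dropping the `<hr>` is fine. In the unchanged context of this hunk, `accept-charset="UNKNOWN"` on the `<form>` is not a valid charset name and should be `UTF-8` or removed, and `<center>` together with the `width`/`cellspacing`/`cellpadding`/`border` attributes is obsolete HTML that belongs in CSS, as the `class="btn btn-primary"` added further down in this file already does for the button.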
@ -92,18 +91,9 @@
</tr>
</tbody>
</table>
<br />
<table width="90%" cellspacing="0" cellpadding="2" border="0"
<table width="90%" cellspacing="0" cellpadding="2"
align="center">
<tbody>
<tr>
<td>The total charged to your credit card:</td>
<td>$0.00</td>
<td><input name="SUBMIT" value="UpdateCart" type="SUBMIT" /></td>
</tr>
<tr>
<td colspan="2">&nbsp;</td>
</tr>
<tr>
<td>Enter your credit card number:</td>
<td><input name="field1" value="4128 3214 0002 1999"
@ -113,8 +103,9 @@
<td>Enter your three digit access code:</td>
<td><input name="field2" value="111" type="TEXT" /></td>
</tr>
<br/>
<tr>
<td colspan="2" align="center"><input name="SUBMIT"
<td colspan="3" align="center"><input name="SUBMIT" class="btn btn-primary"
value="Purchase" type="SUBMIT" /></td>
</tr>
</tbody>
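Review bot: `colspan="3"` on the Purchase cell exceeds the column count visible in this hunk: the neighbouring rows (`Enter your credit card number:`, `Enter your three digit access code:`) have two cells each, and the only three-cell row of this table (`UpdateCart`) is removed in the hunk above. Unless another row in the table still has three cells, this should be `colspan="2"`. Removing the stray `<br/>` between `<tr>` elements is correct; it was invalid inside `<tbody>`.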

View File

@ -2,10 +2,10 @@
xss.title=Cross Site Scripting
xss-stored.title=Cross Site Scripting (stored)
xss-mitigation.title=Cross Site Scripting (mitigation)
xss-reflected-5a-success-alert=Well done, but alerts are not very impressive are they? Please continue.
xss-reflected-5a-success-console=Well done, but console logs are not very impressive are they? Please continue.
xss-reflected-5a-success-alert=Congratulations, but alerts are not very impressive are they? Let's continue to the next assignment.
xss-reflected-5a-success-console=Congratulations, but console logs are not very impressive are they? Let's continue to the next assignment.
xss-reflected-5a-failed-wrong-field=Seems like you tried to compromise our shop with an reflected XSS attack.<br/> We do our... "best"... to prevent such attacks. Try again!
xss-reflected-5a-failure=Try again. We do want to see this specific JavaScript (in case you are trying to do something more fancy).
xss-reflected-5a-failure=Try again. We do want to see a specific JavaScript mentioned in the goal of the assignment (in case you are trying to do something fancier).
xss-reflected-5a-hint-1=Think about how the inputs are presumably processed by the application.
xss-reflected-5a-hint-2=Quantity inputs are probably processed as integer values. Not the best option for inputting text right?
xss-reflected-5a-hint-3=What information send to the application gets reflected back after being submitted?
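Review bot: The reworded messages read fine; two unchanged neighbours in the same hunk have grammar slips worth fixing in the same pass: `an reflected XSS attack` in `xss-reflected-5a-failed-wrong-field` should be `a reflected XSS attack`, and `What information send to the application` in `xss-reflected-5a-hint-3` should be `What information sent to the application`.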

View File

@ -1,8 +1,6 @@
== What is XSS?
Cross-Site Scripting (also commonly known as XSS) is a vulnerability/flaw that combines ...
# the allowance of html/script tags as input that are ...
# rendered into a browser without encoding or sanitization
Cross-Site Scripting (also commonly known as XSS) is a vulnerability/flaw that combines the allowance of html/script tags as input that are rendered into a browser without encoding or sanitization
=== Cross-Site Scripting (XSS) is the most prevalent and pernicious web application security issue
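Review bot: The merged sentence on the new side has no terminating period and keeps lower-case `html`; suggest `... the allowance of HTML/script tags as input that are rendered into a browser without encoding or sanitization.` Collapsing the two `#` list items into one sentence is otherwise an improvement, since the old form rendered as a numbered list mid-sentence.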
@ -11,12 +9,12 @@ coverage of fixes also tends to be a problem. We will talk more about the defens
=== XSS has significant impact
Especially as 'Rich Internet Applications' are more and more common place, privileged function calls linked to via JavaScript may be compromised.
Especially as 'Rich Internet Applications' are more and more commonplace, privileged function calls linked to via JavaScript may be compromised.
And if not properly protected, sensitive data (such as your authentication cookies) can be stolen and used for someone else's purpose.
==== Quick examples:
* From the JavaScript console in the developer tools of the browser (chrome, Firefox)
* From the JavaScript console in the developer tools of the browser (Chrome, Firefox)
+
----
alert("XSS Test");

View File

@ -1,8 +1,8 @@
== Try It! Reflected XSS
Identify which field is susceptible to XSS
The goal of the assignment is to identify which field is susceptible to XSS.
It is always a good practice to validate all input on the server side. XSS can occur when unvalidated user input is used in an HTTP response.
It is always a good practice to validate all input on the server-side. XSS can occur when unvalidated user input gets used in an HTTP response.
In a reflected XSS attack, an attacker can craft a URL with the attack script and post it to another website, email it, or otherwise get a victim to click on it.
An easy way to find out if a field is vulnerable to an XSS attack is to use the _alert()_ or _console.log()_ methods. Use one of them to find out which field is vulnerable.
An easy way to find out if a field is vulnerable to an XSS attack is to use the `alert()` or `console.log()` methods. Use one of them to find out which field is vulnerable.
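Review bot: `on the server side` was correct and `on the server-side` is not: the hyphenated form is the adjective (`server-side validation`), while after `on the` it is a noun phrase and stays `server side`. The switch from `_alert()_` to `` `alert()` `` (monospace for code) and the rewording of the goal sentence are improvements.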

View File

@ -1 +1 @@
Now it is time for a quiz! It is recommended to check the OWASP Cross-Site Scripting explanations https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) . Answer all questions correctly to complete the assignment.
Now it is time for a quiz! It is recommended to check the OWASP Cross-Site Scripting explanations https://owasp.org/www-community/attacks/xss/. Answer all questions correctly to complete the assignment.

Some files were not shown because too many files have changed in this diff.