package org.owasp.webgoat; import io.restassured.RestAssured; import io.restassured.http.ContentType; import io.restassured.path.json.JsonPath; import java.io.FileInputStream; import java.io.InputStream; import java.util.List; import java.util.Properties; import org.junit.jupiter.api.Assertions; import org.junit.jupiter.api.Test; public class LabelAndHintIntegrationTest extends IntegrationTest { static final String ESCAPE_JSON_PATH_CHAR = "\'"; @Test public void testSingleLabel() { Assertions.assertTrue(true); JsonPath jsonPath = RestAssured.given() .when() .relaxedHTTPSValidation() .contentType(ContentType.JSON) .header("Accept-Language", "en") .cookie("JSESSIONID", getWebGoatCookie()) .get(url("service/labels.mvc")) .then() .statusCode(200) .extract() .jsonPath(); Assertions.assertEquals( "Try again: but this time enter a value before hitting go.", jsonPath.getString(ESCAPE_JSON_PATH_CHAR + "http-basics.close" + ESCAPE_JSON_PATH_CHAR)); // check if lang parameter overrules Accept-Language parameter jsonPath = RestAssured.given() .when() .relaxedHTTPSValidation() .contentType(ContentType.JSON) .header("Accept-Language", "en") .cookie("JSESSIONID", getWebGoatCookie()) .get(url("service/labels.mvc?lang=nl")) .then() .statusCode(200) .extract() .jsonPath(); Assertions.assertEquals( "Gebruikersnaam", jsonPath.getString(ESCAPE_JSON_PATH_CHAR + "username" + ESCAPE_JSON_PATH_CHAR)); jsonPath = RestAssured.given() .when() .relaxedHTTPSValidation() .contentType(ContentType.JSON) .header("Accept-Language", "en") .cookie("JSESSIONID", getWebGoatCookie()) .get(url("service/labels.mvc?lang=de")) .then() .statusCode(200) .extract() .jsonPath(); Assertions.assertEquals( "Benutzername", jsonPath.getString(ESCAPE_JSON_PATH_CHAR + "username" + ESCAPE_JSON_PATH_CHAR)); // check if invalid language returns english jsonPath = RestAssured.given() .when() .relaxedHTTPSValidation() .contentType(ContentType.JSON) .header("Accept-Language", "nl") .cookie("JSESSIONID", getWebGoatCookie()) .get(url("service/labels.mvc?lang=xx")) .then() .statusCode(200) .extract() .jsonPath(); Assertions.assertEquals( "Username", jsonPath.getString(ESCAPE_JSON_PATH_CHAR + "username" + ESCAPE_JSON_PATH_CHAR)); // check if invalid language returns english jsonPath = RestAssured.given() .when() .relaxedHTTPSValidation() .contentType(ContentType.JSON) .header("Accept-Language", "xx_YY") .cookie("JSESSIONID", getWebGoatCookie()) .get(url("service/labels.mvc")) .then() .statusCode(200) .extract() .jsonPath(); Assertions.assertEquals( "Username", jsonPath.getString(ESCAPE_JSON_PATH_CHAR + "username" + ESCAPE_JSON_PATH_CHAR)); } @Test public void testHints() { JsonPath jsonPathLabels = getLabels("en"); List allLessons = List.of( "HttpBasics", "HttpProxies", "CIA", "InsecureLogin", "Cryptography", "PathTraversal", "XXE", "JWT", "IDOR", "SSRF", "WebWolfIntroduction", "CrossSiteScripting", "CSRF", "HijackSession", "SqlInjection", "SqlInjectionMitigations", "SqlInjectionAdvanced", "Challenge1"); for (String lesson : allLessons) { startLesson(lesson); List hintKeys = getHints(); for (String key : hintKeys) { String keyValue = jsonPathLabels.getString(ESCAPE_JSON_PATH_CHAR + key + ESCAPE_JSON_PATH_CHAR); // System.out.println("key: " + key + " ,value: " + keyValue); Assertions.assertNotNull(keyValue); Assertions.assertNotEquals(key, keyValue); } } // Assertions.assertEquals("http-basics.hints.http_basics_lesson.1", // ""+jsonPath.getList("hint").get(0)); } @Test public void testLabels() { JsonPath jsonPathLabels = getLabels("en"); Properties propsDefault = getProperties(""); for (String key : propsDefault.stringPropertyNames()) { String keyValue = jsonPathLabels.getString(ESCAPE_JSON_PATH_CHAR + key + ESCAPE_JSON_PATH_CHAR); Assertions.assertNotNull(keyValue); } checkLang(propsDefault, "nl"); checkLang(propsDefault, "de"); checkLang(propsDefault, "fr"); checkLang(propsDefault, "ru"); } private Properties getProperties(String lang) { Properties prop = null; if (lang == null || lang.equals("")) { lang = ""; } else { lang = "_" + lang; } try (InputStream input = new FileInputStream("src/main/resources/i18n/messages" + lang + ".properties")) { prop = new Properties(); // load a properties file prop.load(input); } catch (Exception e) { e.printStackTrace(); } return prop; } private void checkLang(Properties propsDefault, String lang) { JsonPath jsonPath = getLabels(lang); Properties propsLang = getProperties(lang); for (String key : propsLang.stringPropertyNames()) { if (!propsDefault.containsKey(key)) { System.err.println("key: " + key + " in (" + lang + ") is missing from default properties"); Assertions.fail(); } if (!jsonPath .getString(ESCAPE_JSON_PATH_CHAR + key + ESCAPE_JSON_PATH_CHAR) .equals(propsLang.get(key))) { System.out.println( "key: " + key + " in (" + lang + ") has incorrect translation in label service"); System.out.println( "actual:" + jsonPath.getString(ESCAPE_JSON_PATH_CHAR + key + ESCAPE_JSON_PATH_CHAR)); System.out.println("expected: " + propsLang.getProperty(key)); System.out.println(); Assertions.fail(); } } } private JsonPath getLabels(String lang) { return RestAssured.given() .when() .relaxedHTTPSValidation() .contentType(ContentType.JSON) .header("Accept-Language", lang) .cookie("JSESSIONID", getWebGoatCookie()) // .log().headers() .get(url("service/labels.mvc")) .then() // .log().all() .statusCode(200) .extract() .jsonPath(); } private List getHints() { JsonPath jsonPath = RestAssured.given() .when() .relaxedHTTPSValidation() .contentType(ContentType.JSON) .cookie("JSESSIONID", getWebGoatCookie()) .get(url("service/hint.mvc")) .then() // .log().all() .statusCode(200) .extract() .jsonPath(); return jsonPath.getList("hint"); } }