From 8d488c6ac685b06e1368a674273d3c660aba1931 Mon Sep 17 00:00:00 2001
From: Jason White
Date: Fri, 13 Oct 2017 09:28:41 -0600
Subject: [PATCH] More CSRF Updates
---
 .../owasp/webgoat/plugin/ForgedReviews.java | 2 ++
 .../csrf/src/main/resources/html/CSRF.html | 6 ++++--
 .../resources/i18n/WebGoatLabels.properties | 6 +++++-
 .../lessonPlans/en/CSRF_Basic_Get.adoc | 9 ---------
 .../lessonPlans/en/CSRF_Impact_Defense.adoc | 20 +++++++++++++++++++
 .../lessonPlans/en/CSRF_Reviews.adoc | 9 +++++++++
 .../resources/lessonPlans/en/CSRF_plan.adoc | 10 ----------
 7 files changed, 40 insertions(+), 22 deletions(-)
 delete mode 100644 webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Basic_Get.adoc
 create mode 100644 webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Impact_Defense.adoc
 create mode 100644 webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Reviews.adoc
 delete mode 100644 webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_plan.adoc
diff --git a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/ForgedReviews.java b/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/ForgedReviews.java
index 89485a874b..b3305b4151 100644
--- a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/ForgedReviews.java
+++ b/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/ForgedReviews.java
@@ -40,6 +40,7 @@
 import org.joda.time.format.DateTimeFormat;
 import org.joda.time.format.DateTimeFormatter;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.owasp.webgoat.session.WebSession;
@@ -58,6 +59,7 @@
 import static org.springframework.web.bind.annotation.RequestMethod.GET;
 @AssignmentPath("/csrf/review")
+@AssignmentHints({"csrf-review-hint1","csrf-review-hint2","csrf-review-hint3"})
 public class ForgedReviews extends AssignmentEndpoint {
     @Autowired
diff --git a/webgoat-lessons/csrf/src/main/resources/html/CSRF.html b/webgoat-lessons/csrf/src/main/resources/html/CSRF.html
index 53417c6acd..64f8c03ab2 100644
--- a/webgoat-lessons/csrf/src/main/resources/html/CSRF.html
+++ b/webgoat-lessons/csrf/src/main/resources/html/CSRF.html
@@ -50,7 +50,7 @@
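Review bot: The new `@AssignmentHints` line packs its three keys together with no space after the commas, unlike the rest of the file's formatting; `@AssignmentHints({"csrf-review-hint1", "csrf-review-hint2", "csrf-review-hint3"})` reads better and survives formatters unchanged. The three keys appear only here and in the WebGoatLabels.properties hunk of this same commit, so a short comment above the annotation would help the next maintainer, e.g. `// hint keys, presumably resolved from i18n/WebGoatLabels.properties — keep in sync`. The body of ForgedReviews continues outside the hunk.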
- +
@@ -113,7 +113,9 @@
24 days ago
- +
+
+
\ No newline at end of file
diff --git a/webgoat-lessons/csrf/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/csrf/src/main/resources/i18n/WebGoatLabels.properties
index 4af1fb4274..84c2697775 100644
--- a/webgoat-lessons/csrf/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/csrf/src/main/resources/i18n/WebGoatLabels.properties
@@ -12,4 +12,8 @@ csrf-same-host=It appears your request is coming from the same host you are subm
 csrf-you-forgot-something=There's something missing from your request it appears, so I can't process it.
-csrf-review.success=It appears you have submitted correctly from another site. Go reload and see if your post is there.
\ No newline at end of file
+csrf-review.success=It appears you have submitted correctly from another site. Go reload and see if your post is there.
+
+csrf-review-hint1=Again, you will need to submit from an external domain/host to trigger this action. While CSRF can often be triggered from the same host (e.g. via persisted payload), this doesn't work that way.
+csrf-review-hint2=Remember, you need to mimic the existing workflow/form.
+csrf-review-hint3=This one has a weak anti-CSRF protection, but you do need to overcome (mimic) it
\ No newline at end of file
diff --git a/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Basic_Get.adoc b/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Basic_Get.adoc
deleted file mode 100644
index d5f420ee4f..0000000000
--- a/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Basic_Get.adoc
+++ /dev/null
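Review bot: The new last line `csrf-review-hint3=...` is again committed without a trailing newline (note the `\ No newline at end of file` marker after it), which is exactly what forced this hunk to remove and re-add the otherwise unchanged `csrf-review.success` line; ending the file with a newline avoids that churn on the next append. `csrf-review-hint3` also drops the closing period the other hints have, so `...but you do need to overcome (mimic) it.` would be consistent. The three new keys match the names listed in the `@AssignmentHints` annotation added to ForgedReviews.java in this commit, so a renamed key on either side would silently break the hint lookup.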
@@ -1,9 +0,0 @@
-== The Base Form
-
-The form below has hidden elements and submits to an action of TBD. You can try it out and watch what it does, but it won't get you the flag. Once you can
-
-Every attack in this lesson will need to be done through another page or site. To see your progress, you will need to reload the
-pages or re-navigate back through the lesson to see your progress.
-
-Just to get your feet wet, issue a request to _SERVER_/WebGoat/csrf/basic-get-flag with a parameter named 'csrf' equal to 'true'. Your request needs to
-come from a local file or be hosted on a different website.
\ No newline at end of file
diff --git a/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Impact_Defense.adoc b/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Impact_Defense.adoc
new file mode 100644
index 0000000000..f1faab81b8
--- /dev/null
+++ b/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Impact_Defense.adoc
@@ -0,0 +1,20 @@
+== CSRF Impact
+
+The impact is limited only by what the logged in user can do (if the site/function/action is not protected properly).
+The areas that are really prone to CSRF attacks are IoT devices and 'smart' appliances. Sadly, many consumer-grade routers
+have also proven vulnerable to CSRF.
+
+== CSRF Solution
+
+Fortunately, many (web) application frameworks now come with built in support to handle CSRF attacks. For example, Spring and
+Tomcat have this on by default. As long as you don't turn it off (like it is in WebGoat), you should be safe from CSRF attacks.
+
+See the following for more information on CSRF protections:
+
+https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet (Prevention/Defense)
+
+https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) (Attack)
+
+https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CSRF_Prevention_Filter / https://tomcat.apache.org/tomcat-8.0-doc/config/filter.html#CSRF_Prevention_Filter (Tomcat)
+
+https://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html
\ No newline at end of file
diff --git a/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Reviews.adoc b/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Reviews.adoc
new file mode 100644
index 0000000000..6fb15da4e4
--- /dev/null
+++ b/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Reviews.adoc
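Review bot: The sentence `Spring and Tomcat have this on by default` overstates what learners get for free: it is Spring Security (the linked csrf.html reference is its documentation), not the Spring Framework in general, that enables CSRF protection by default, and Tomcat's CSRF prevention filter ships with the container but is only active once it is mapped in web.xml, which is what the linked Tomcat filter pages describe. Suggest `Spring Security enables CSRF protection by default, and Tomcat ships a CSRF prevention filter that you can enable.` so the lesson does not leave the impression that an unconfigured Tomcat deployment is protected. The next sentence, `As long as you don't turn it off (like it is in WebGoat)`, would then read more accurately as `As long as you don't turn it off (as WebGoat deliberately does)`.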
@@ -0,0 +1,9 @@
+== Post a review on someone else's behalf
+
+The page below simulates a comment/review page. The difference here is that you have to inititate the submission elsewhere as you might
+with a CSRF attack and like the previous exercise. It's easier than you think. In most cases, the trickier part is
+finding somewhere that you want to execute the CSRF attack. The classic example is account/wire transfers in someone's bank account.
+
+But we're keepoing it simple here. In this case, you just need to trigger a review submission on behalf of the currently
+logged in user.
+
diff --git a/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_plan.adoc b/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_plan.adoc
deleted file mode 100644
index 1cb953de97..0000000000
--- a/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_plan.adoc
+++ /dev/null
@@ -1,10 +0,0 @@
-= Cross-site request forgery (CSRF)
-
-== Concept
-
-This lesson teaches how to what a CSRF attack is and how it can be abused and protected against.
-
-== Goals
-
-* The user should have basic knowledge of JavaScript
-* The user will learn to perform a CSRF attack and how to protected against it.
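Review bot: The new CSRF_Reviews.adoc text has two typos that will be shown to every learner: `inititate` should be `initiate` and `keepoing` should be `keeping`. The clause `as you might with a CSRF attack and like the previous exercise` is also hard to parse; `as you would in a CSRF attack, just like the previous exercise` says the same thing more clearly.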