start of missing function ac lesson

webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java

@@ -260,6 +260,8 @@ private void createUserDataTable(Connection connection) throws SQLException {
         String insertData11 = "INSERT INTO user_data VALUES (15603,'Peter','Sand','123609789','MC',' ',0)";
         String insertData12 = "INSERT INTO user_data VALUES (15603,'Peter','Sand','338893453333','AMEX',' ',0)";
         String insertData13 = "INSERT INTO user_data VALUES (15613,'Joesph','Something','33843453533','AMEX',' ',0)";
+        String insertData14 = "INSERT INTO user_data VALUES (15837,'Chaos','Monkey','32849386533','CM',' ',0)";
+        String insertData15 = "INSERT INTO user_data VALUES (19204,'Mr','Goat','33812953533','VISA',' ',0)";
         statement.executeUpdate(insertData1);
         statement.executeUpdate(insertData2);
         statement.executeUpdate(insertData3);
@@ -273,6 +275,8 @@ private void createUserDataTable(Connection connection) throws SQLException {
         statement.executeUpdate(insertData11);
         statement.executeUpdate(insertData12);
         statement.executeUpdate(insertData13);
+        statement.executeUpdate(insertData14);
+        statement.executeUpdate(insertData15);
 
     }
 

webgoat-lessons/missing-function-ac/pom.xml

@@ -0,0 +1,12 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <artifactId>missing-function-ac</artifactId>
+    <packaging>jar</packaging>
+    <parent>
+        <groupId>org.owasp.webgoat.lesson</groupId>
+        <artifactId>webgoat-lessons-parent</artifactId>
+        <version>8.0-SNAPSHOT</version>
+    </parent>
+
+</project>

webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/HiddenMenuItems.java

@@ -0,0 +1,61 @@
+package org.owasp.webgoat.plugin;
+
+import com.google.common.collect.Lists;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.session.UserSessionData;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.List;
+
+import java.util.Map;
+
+/**
+ * Created by jason on 1/5/17.
+ */
+
+@AssignmentPath("/access-control/hidden-menu")
+@AssignmentHints({"access-control.hidden-menus.hint1","access-control.hidden-menus.hint2","access-control.hidden-menus.hint3"})
+public class HiddenMenuItems extends AssignmentEndpoint {
+    //UserSessionData is bound to session and can be used to persist data across multiple assignments
+    @Autowired
+    UserSessionData userSessionData;
+
+
+    @PostMapping(produces = {"application/json"})
+    public @ResponseBody
+    AttackResult completed(String hiddenMenu1, String hiddenMenu2, HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+
+        //overly simple example for success. See other existing lesssons for ways to detect 'success' or 'failure'
+        if (hiddenMenu1.equals("List Users") && hiddenMenu2.equals("Add User")) {
+            return trackProgress(success()
+                    .output("")
+                    .feedback("access-control.hidden-menus.success")
+                    .build());
+        }
+
+        if (hiddenMenu1.equals("Add User") && hiddenMenu2.equals("List Users")) {
+            return trackProgress(success()
+                    .output("")
+                    .feedback("access-control.hidden-menus.close")
+                    .build());
+        }
+
+        return trackProgress(failed()
+                .feedback("access-control.hidden-menus.failure")
+                .output("")
+                .build());
+    }
+
+}

webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/MissingACListUsers.java

@@ -0,0 +1,54 @@
+package org.owasp.webgoat.plugin;
+
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.session.UserSessionData;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.HashMap;
+
+/**
+ * Created by jason on 1/5/17.
+ */
+
+@AssignmentPath("/access-control/list-users")
+@AssignmentHints({"access-control.hidden-menus.hint1","access-control.hidden-menus.hint2","access-control.hidden-menus.hint3"})
+public class MissingACListUsers extends AssignmentEndpoint {
+    //UserSessionData is bound to session and can be used to persist data across multiple assignments
+    @Autowired
+    UserSessionData userSessionData;
+
+    @PostMapping(produces = {"application/json"})
+    public @ResponseBody
+    AttackResult completed(String hiddenMenu1, String hiddenMenu2, HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+
+        //overly simple example for success. See other existing lesssons for ways to detect 'success' or 'failure'
+        if (hiddenMenu1.equals("List Users") && hiddenMenu2.equals("Add User")) {
+            return trackProgress(success()
+                    .output("")
+                    .feedback("access-control.hidden-menus.success")
+                    .build());
+        }
+
+        if (hiddenMenu1.equals("Add User") && hiddenMenu2.equals("List Users")) {
+            return trackProgress(success()
+                    .output("")
+                    .feedback("access-control.hidden-menus.close")
+                    .build());
+        }
+
+        return trackProgress(failed()
+                .feedback("access-control.hidden-menus.failure")
+                .output("")
+                .build());
+    }
+
+}

webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/MissingFunctionAC.java

@@ -0,0 +1,62 @@
+package org.owasp.webgoat.plugin;
+
+import com.beust.jcommander.internal.Lists;
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.NewLesson;
+
+import java.util.List;
+
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ * <p>
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * <p>
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ * <p>
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ * <p>
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ * <p>
+ * Getting Source ==============
+ * <p>
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ * <p>
+ *
+ */
+public class MissingFunctionAC  extends NewLesson {
+
+    @Override
+    public Category getDefaultCategory() {
+        return Category.ACCESS_CONTROL;
+    }
+
+    @Override
+    public List<String> getHints() {
+        return Lists.newArrayList();
+    }
+
+    @Override
+    public Integer getDefaultRanking() {
+        return 40;
+    }
+
+    @Override
+    public String getTitle() {
+        return "missing-function-access-control.title";
+    }
+
+    @Override
+    public String getId() {
+        return "MissingFunctionAC";
+    }
+
+}

webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/Users.java

@@ -0,0 +1,113 @@
+package org.owasp.webgoat.plugin;
+
+import com.sun.org.apache.xpath.internal.axes.HasPositionalPredChecker;
+import org.owasp.webgoat.assignments.Endpoint;
+import org.owasp.webgoat.session.DatabaseUtilities;
+import org.owasp.webgoat.session.UserSessionData;
+import org.owasp.webgoat.session.WebSession;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import javax.servlet.http.HttpServletRequest;
+import java.sql.*;
+import java.util.HashMap;
+import java.util.Map;
+
+import static javax.swing.UIManager.getString;
+
+public class Users extends Endpoint{
+
+    @Autowired
+    private WebSession webSession;
+
+    @Autowired
+    UserSessionData userSessionData;
+
+    @RequestMapping(produces = {"application/json"}, method = RequestMethod.GET)
+    @ResponseBody
+    protected HashMap<Integer, HashMap> getUsers  (HttpServletRequest req) {
+
+        try {
+            Connection connection = DatabaseUtilities.getConnection(getWebSession());
+            String query = "SELECT * FROM user_data";
+
+            try {
+                Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
+                        ResultSet.CONCUR_READ_ONLY);
+                ResultSet results = statement.executeQuery(query);
+                HashMap<Integer,HashMap> allUsersMap = new HashMap();
+
+                if ((results != null) && (results.first() == true)) {
+                    ResultSetMetaData resultsMetaData = results.getMetaData();
+                    StringBuffer output = new StringBuffer();
+
+                    while (results.next()) {
+                        int id = results.getInt(0);
+                        HashMap<String,String> userMap = new HashMap<>();
+                        userMap.put("first", results.getString(1));
+                        userMap.put("last", results.getString(2));
+                        userMap.put("cc", results.getString(3));
+                        userMap.put("ccType", results.getString(4));
+                        userMap.put("cookie", results.getString(5));
+                        userMap.put("loginCOunt",Integer.toString(results.getInt(6)));
+                        allUsersMap.put(id,userMap);
+                    }
+                    userSessionData.setValue("allUsers",allUsersMap);
+                    return allUsersMap;
+
+                }
+            } catch (SQLException sqle) {
+                sqle.printStackTrace();
+                HashMap<String,String> errMap = new HashMap() {{
+                    put("err",sqle.getErrorCode() + "::" + sqle.getMessage());
+                }};
+
+                return new HashMap<Integer,HashMap>() {{
+                    put(0,errMap);
+                }};
+            } catch (Exception e) {
+                e.printStackTrace();
+                HashMap<String,String> errMap = new HashMap() {{
+                    put("err",e.getMessage() + "::" + e.getCause());
+                }};
+                e.printStackTrace();
+                return new HashMap<Integer,HashMap>() {{
+                    put(0,errMap);
+                }};
+
+
+            } finally {
+                try {
+                    if (connection != null) {
+                        connection.close();
+                    }
+                } catch (SQLException sqle) {
+                    sqle.printStackTrace();
+                }
+            }
+
+        } catch (Exception e) {
+            e.printStackTrace();
+            HashMap<String,String> errMap = new HashMap() {{
+                put("err",e.getMessage() + "::" + e.getCause());
+            }};
+            e.printStackTrace();
+            return new HashMap<Integer,HashMap>() {{
+                put(0,errMap);
+            }};
+
+        }
+        return null;
+    }
+
+    protected  WebSession getWebSession() {
+        return webSession;
+    }
+
+    @Override
+    public String getPath() {
+        return  "/access-control/list-users";
+    }
+}