Added improved quiz for cia-triad and xss

MarcRler · Mar 26, 2019 · 2be2de8 · 2be2de8
1 parent 27a61f0
commit 2be2de8
Show file tree

Hide file tree

Showing 4 changed files with 53 additions and 52 deletions.
diff --git a/webgoat-lessons/cia/src/main/java/org/owasp/webgoat/plugin/CIAQuiz.java b/webgoat-lessons/cia/src/main/java/org/owasp/webgoat/plugin/CIAQuiz.java
@@ -15,41 +15,41 @@
 import java.sql.SQLException;
 import java.sql.Statement;
 
-/**
- * @TODO: Get JSON from file not from hardcoded string
- * add a question: 1. Append new question to JSON string
- * 2. add right solution to solutions array
- * 3. add Request param with name of question to method head
- */
 @AssignmentPath("/cia/quiz")
 public class CIAQuiz extends AssignmentEndpoint {
 
     String[] solutions = {"Solution 3", "Solution 1", "Solution 4", "Solution 2"};
+    boolean[] guesses = new boolean[solutions.length];
 
     @RequestMapping(method = RequestMethod.POST)
     @ResponseBody
     public AttackResult completed(@RequestParam String[] question_0_solution, @RequestParam String[] question_1_solution, @RequestParam String[] question_2_solution, @RequestParam String[] question_3_solution) throws IOException {
-        boolean correct = false;
-        String[][] solutionsInput = {question_0_solution, question_1_solution, question_2_solution, question_3_solution};
-        int counter = 0;
-        for(String[] sa : solutionsInput) {
-            for(String s : sa) {
-                if(sa.length == 1 && s.contains(this.solutions[counter])) {
-                    correct = true;
-                    break;
-                } else {
-                    correct = false;
-                    continue;
-                }
+        int correctAnswers = 0;
+
+        String[] givenAnswers = {question_0_solution[0], question_1_solution[0], question_2_solution[0], question_3_solution[0]};
+
+        for(int i = 0; i < solutions.length; i++) {
+            if (givenAnswers[i].contains(solutions[i])) {
+                // answer correct
+                correctAnswers++;
+                guesses[i] = true;
+            } else {
+                // answer incorrect
+                guesses[i] = false;
             }
-            if(!correct) break;
-            counter++;
         }
-        if(correct) {
+
+        if(correctAnswers == solutions.length) {
             return trackProgress(success().build());
         } else {
             return trackProgress(failed().build());
         }
     }
 
+    @RequestMapping(method = RequestMethod.GET)
+    @ResponseBody
+    public boolean[] getResults() {
+        return this.guesses;
+    }
+
 }
diff --git a/webgoat-lessons/cia/src/main/resources/html/CIA.html b/webgoat-lessons/cia/src/main/resources/html/CIA.html
@@ -20,6 +20,7 @@
 
 <div class="lesson-page-wrapper">
     <span id="quiz_id" data-quiz_id="cia"></span>
+    <link rel="stylesheet" type="text/css" th:href="@{/css/quiz.css}"/>
     <script th:src="@{/js/quiz.js}" language="JavaScript"></script>
     <link rel="import" type="application/json" th:href="@{/lesson_js/questions.json}"/>
     <div class="adoc-content" th:replace="doc:CIA_quiz.adoc"></div>

diff --git a/...s/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingQuiz.java b/...s/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingQuiz.java
@@ -10,42 +10,41 @@
 
 import java.io.IOException;
 
-
-/**
- * @TODO: Get JSON from file not from hardcoded string
- * add a question: 1. Append new question to JSON string
- * 2. add right solution to solutions array
- * 3. add Request param with name of question to method head
- */
 @AssignmentPath("/cross-site-scripting/quiz")
 public class CrossSiteScriptingQuiz extends AssignmentEndpoint {
 
-        String[] solutions = {"Solution 4", "Solution 3", "Solution 1", "Solution 2", "Solution 4"};
-
-        @RequestMapping(method = RequestMethod.POST)
-        @ResponseBody
-        public AttackResult completed(@RequestParam String[] question_0_solution, @RequestParam String[] question_1_solution, @RequestParam String[] question_2_solution, @RequestParam String[] question_3_solution, @RequestParam String[] question_4_solution) throws IOException {
-            boolean correct = false;
-            String[][] solutionsInput = {question_0_solution, question_1_solution, question_2_solution, question_3_solution, question_4_solution};
-            int counter = 0;
-            for(String[] sa : solutionsInput) {
-                for(String s : sa) {
-                    if(sa.length == 1 && s.contains(this.solutions[counter])) {
-                        correct = true;
-                        break;
-                    } else {
-                        correct = false;
-                        continue;
-                    }
-                }
-                if(!correct) break;
-                counter++;
-            }
-            if(correct) {
-                return trackProgress(success().build());
+    String[] solutions = {"Solution 4", "Solution 3", "Solution 1", "Solution 2", "Solution 4"};
+    boolean[] guesses = new boolean[solutions.length];
+
+    @RequestMapping(method = RequestMethod.POST)
+    @ResponseBody
+    public AttackResult completed(@RequestParam String[] question_0_solution, @RequestParam String[] question_1_solution, @RequestParam String[] question_2_solution, @RequestParam String[] question_3_solution, @RequestParam String[] question_4_solution) throws IOException {
+        int correctAnswers = 0;
+
+        String[] givenAnswers = {question_0_solution[0], question_1_solution[0], question_2_solution[0], question_3_solution[0], question_4_solution[0]};
+
+        for(int i = 0; i < solutions.length; i++) {
+            if (givenAnswers[i].contains(solutions[i])) {
+                // answer correct
+                correctAnswers++;
+                guesses[i] = true;
             } else {
-                return trackProgress(failed().build());
+                // answer incorrect
+                guesses[i] = false;
             }
         }
 
+        if(correctAnswers == solutions.length) {
+            return trackProgress(success().build());
+        } else {
+            return trackProgress(failed().build());
+        }
+    }
+
+    @RequestMapping(method = RequestMethod.GET)
+    @ResponseBody
+    public boolean[] getResults() {
+        return this.guesses;
+    }
+
     }
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html b/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html
@@ -173,6 +173,7 @@ <h1>Shopping Cart</h1>
 
 <div class="lesson-page-wrapper">
 	<span id="quiz_id" data-quiz_id="cross_site_scripting"></span>
+	<link rel="stylesheet" type="text/css" th:href="@{/css/quiz.css}"/>
 	<script th:src="@{/js/quiz.js}" language="JavaScript"></script>
 	<link rel="import" type="application/json" th:href="@{/lesson_js/questions.json}"/>
 	<div class="adoc-content" th:replace="doc:CrossSiteScripting_quiz.adoc"></div>