From ca4b0c06b5e168d5f746746b9166bc475fc97a66 Mon Sep 17 00:00:00 2001 From: Jason White Date: Mon, 24 Jul 2017 11:34:10 -0400 Subject: [PATCH 1/2] lesson css file --- .../src/main/resources/static/css/lesson.css | 5 +++-- .../src/main/resources/static/css/lessons.css | 12 ++++++++++++ 2 files changed, 15 insertions(+), 2 deletions(-) create mode 100644 webgoat-container/src/main/resources/static/css/lessons.css
diff --git a/webgoat-container/src/main/resources/static/css/lesson.css b/webgoat-container/src/main/resources/static/css/lesson.css
index 06174eecd2..0cb8017373 100644
--- a/webgoat-container/src/main/resources/static/css/lesson.css
+++ b/webgoat-container/src/main/resources/static/css/lesson.css
@@ -1,4 +1,4 @@
-body.page {color: #000000;font-family: Verdana, Tahoma, sans-serif;font-size: 8pt;}
+/*body.page {color: #000000;font-family: Verdana, Tahoma, sans-serif;font-size: 8pt;}
 td {font-family: Verdana, Tahoma, sans-serif;font-size: 8pt; }
 tr {font-family: Verdana, Tahoma, sans-serif;}
 span {font-family: Verdana, Tahoma, sans-serif;}
@@ -8,4 +8,5 @@ span {font-family: Verdana, Tahoma, sans-serif;}
 .report_tree_link {width:100%;font-size: 8pt;font-family: Verdana, Tahoma, sans-serif;margin-left:2px;padding-right:2px;margin-top:2px;border-spacing:0px;}
 .form_link {font-size: 8pt;font-family: Verdana, Tahoma, sans-serif;font-weight: bold;}
 .report_title {font-size: 8pt;font-family: Verdana, Tahoma, sans-serif;border: 1px solid #afafaf;background-color: #cfcfef;margin-top:3px;margin-bottom:3px;margin-left:1px;padding:3px;font-weight: bold;}
-.middle {vertical-align:middle;}
\ No newline at end of file
+.middle {vertical-align:middle;}
+*/
\ No newline at end of file
diff --git a/webgoat-container/src/main/resources/static/css/lessons.css b/webgoat-container/src/main/resources/static/css/lessons.css
new file mode 100644
index 0000000000..0cb8017373
--- /dev/null
+++ b/webgoat-container/src/main/resources/static/css/lessons.css
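Review bot: The whole of lesson.css is wrapped in a `/* ... */` comment instead of being removed, and the new lessons.css is created from the same blob (index `0cb8017373`), so both files now ship as dead, commented-out CSS. If the rules are no longer needed, delete them outright (history keeps them); if lessons.css is meant to replace lesson.css, uncomment its rules and drop the old file rather than keeping two inert copies. The second lesson.css hunk and the lessons.css hunk that follows carry the same point.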
@@ -0,0 +1,12 @@
+/*body.page {color: #000000;font-family: Verdana, Tahoma, sans-serif;font-size: 8pt;}
+td {font-family: Verdana, Tahoma, sans-serif;font-size: 8pt; }
+tr {font-family: Verdana, Tahoma, sans-serif;}
+span {font-family: Verdana, Tahoma, sans-serif;}
+.f8-0 {font-size: 8pt;font-family: Verdana, Tahoma, sans-serif;}
+.f8-1 {font-size: 8pt;font-family: Verdana, Tahoma, sans-serif;}
+.div_tree {padding-left:10px;overflow:visible;}
+.report_tree_link {width:100%;font-size: 8pt;font-family: Verdana, Tahoma, sans-serif;margin-left:2px;padding-right:2px;margin-top:2px;border-spacing:0px;}
+.form_link {font-size: 8pt;font-family: Verdana, Tahoma, sans-serif;font-weight: bold;}
+.report_title {font-size: 8pt;font-family: Verdana, Tahoma, sans-serif;border: 1px solid #afafaf;background-color: #cfcfef;margin-top:3px;margin-bottom:3px;margin-left:1px;padding:3px;font-weight: bold;}
+.middle {vertical-align:middle;}
+*/
\ No newline at end of file
From c44186f9862cff4dd7c6039b2552f170e03c89e7 Mon Sep 17 00:00:00 2001
From: Jason White Date: Mon, 24 Jul 2017 16:26:23 -0400 Subject: [PATCH 2/2] start of missing function ac lesson --- .../org/owasp/webgoat/session/CreateDB.java | 4 + webgoat-lessons/missing-function-ac/.DS_Store | Bin 0 -> 8196 bytes webgoat-lessons/missing-function-ac/pom.xml | 12 ++ .../missing-function-ac/src/.DS_Store | Bin 0 -> 8196 bytes .../missing-function-ac/src/main/.DS_Store | Bin 0 -> 10244 bytes .../src/main/java/.DS_Store | Bin 0 -> 8196 bytes .../src/main/java/org/.DS_Store | Bin 0 -> 8196 bytes .../src/main/java/org/owasp/.DS_Store | Bin 0 -> 8196 bytes .../src/main/java/org/owasp/webgoat/.DS_Store | Bin 0 -> 8196 bytes .../owasp/webgoat/plugin/HiddenMenuItems.java | 61 ++++++++++ .../webgoat/plugin/MissingACListUsers.java | 54 +++++++++ .../webgoat/plugin/MissingFunctionAC.java | 62 ++++++++++ .../java/org/owasp/webgoat/plugin/Users.java | 113 ++++++++++++++++++ .../src/main/resources/.DS_Store | Bin 0 -> 6148 bytes .../src/main/resources/html/.DS_Store | Bin 0 -> 6148 bytes .../resources/html/MissingFunctionAC.html | 81 +++++++++++++ .../resources/i18n/WebGoatLabels.properties | 9 ++ .../main/resources/js/missing-function-ac.js | 6 + .../en/missing-function-ac-01-intro.adoc | 9 ++ ...issing-function-ac-02-client-controls.adoc | 16 +++ .../en/missing-function-ac-03-list-users.adoc | 10 ++ webgoat-lessons/pom.xml | 3 +- webgoat-server/pom.xml | 5 + 23 files changed, 444 insertions(+), 1 deletion(-) create mode 100644 webgoat-lessons/missing-function-ac/.DS_Store create mode 100644 webgoat-lessons/missing-function-ac/pom.xml create mode 100644 webgoat-lessons/missing-function-ac/src/.DS_Store create mode 100644 webgoat-lessons/missing-function-ac/src/main/.DS_Store create mode 100644 webgoat-lessons/missing-function-ac/src/main/java/.DS_Store create mode 100644 webgoat-lessons/missing-function-ac/src/main/java/org/.DS_Store create mode 100644 webgoat-lessons/missing-function-ac/src/main/java/org/owasp/.DS_Store create mode 100644 
webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/.DS_Store create mode 100644 webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/HiddenMenuItems.java create mode 100644 webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/MissingACListUsers.java create mode 100644 webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/MissingFunctionAC.java create mode 100644 webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/Users.java create mode 100644 webgoat-lessons/missing-function-ac/src/main/resources/.DS_Store create mode 100644 webgoat-lessons/missing-function-ac/src/main/resources/html/.DS_Store create mode 100644 webgoat-lessons/missing-function-ac/src/main/resources/html/MissingFunctionAC.html create mode 100644 webgoat-lessons/missing-function-ac/src/main/resources/i18n/WebGoatLabels.properties create mode 100644 webgoat-lessons/missing-function-ac/src/main/resources/js/missing-function-ac.js create mode 100644 webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-01-intro.adoc create mode 100644 webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-02-client-controls.adoc create mode 100644 webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-03-list-users.adoc diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java index 725507cacb..a6743024fc 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java 
@@ -260,6 +260,8 @@ private void createUserDataTable(Connection connection) throws SQLException {
 String insertData11 = "INSERT INTO user_data VALUES (15603,'Peter','Sand','123609789','MC',' ',0)";
 String insertData12 = "INSERT INTO user_data VALUES (15603,'Peter','Sand','338893453333','AMEX',' ',0)";
 String insertData13 = "INSERT INTO user_data VALUES (15613,'Joesph','Something','33843453533','AMEX',' ',0)";
+ String insertData14 = "INSERT INTO user_data VALUES (15837,'Chaos','Monkey','32849386533','CM',' ',0)";
+ String insertData15 = "INSERT INTO user_data VALUES (19204,'Mr','Goat','33812953533','VISA',' ',0)";
 statement.executeUpdate(insertData1);
 statement.executeUpdate(insertData2);
 statement.executeUpdate(insertData3);
@@ -273,6 +275,8 @@ private void createUserDataTable(Connection connection) throws SQLException {
 statement.executeUpdate(insertData11);
 statement.executeUpdate(insertData12);
 statement.executeUpdate(insertData13);
+ statement.executeUpdate(insertData14);
+ statement.executeUpdate(insertData15);
 }
diff --git a/webgoat-lessons/missing-function-ac/.DS_Store b/webgoat-lessons/missing-function-ac/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..0d597e3dbf596974fdd877729e0dab83badc8e41 GIT binary patch literal 8196 zcmeHLT}&KB9RL3hN_Y6M1BG%uY`qkbiidKAf@o6@xMCaH6g}X8qPTavz{X|wa=Uk+ zgos9?ZPcjI2VYFAAJx9-ix29HFE*{l_+U*+)ED1;GEpCV@WKD=EFb0Ltp~q-?YAOKVUD2m}b+k_d?PAxc@ugfEw*^p*}Pydwa~Qc`<~ z>RePvMtzy^<&uh=DSk^ikh0;mai{WjLUJ_(1>7=$}x~dpq?X_1pmy zQU+y!K!Ctz1jOE70uJOMo0(gGem4!rZEIV`P)X^IvYiSmuMiKfE`KaFW6z~r)h#%^ zYW|GZGBiEo*9TR1W~Dx4+vaLr&5RiO+$68@l5iDg@x95M`w2|8gIXUF&15jx3?dPMY|4n zEH3h26s6(r!#$_Qa*OBAzxVzJA71$A(q#z(`U?r{-T=y#HAFNgYi8&hgsTtI6zMjo z%;|V4YtOE~@$j8Zr#L8YL_&{bauU&NtBA6Sa8GS--z4V+M}Jf|Ro5u$N!8VzNxsV= zkWXZ7%m4Ot);0^X7FnvZs+ld2v)*HxDdTC~8Flq}SJcKGJMZ>+j-v*}3f&~H5!jv1 zxrS{yBYNH;$=Jopy2$>r)uHd$kfqM*GO9kjm+{Y(35|wx%GQLB=2^n^;eCp7M(F$UI+aq*qTvIKtICi= zLz7)Jv1Y~{HuNMBK!&!kn8GzSY^oXEl&bq!T;T&OU6kXO$`014RAY>d68N(;LPx5* z!w)L_vhuii_es@pPv>-NZB!2_%9yb9Xqv7mjfsPD_8Svzvckniv=?G<6#8KtvS7g+ zybQ0vtME3Qhl}tjd;wp>CAb3L!1r(smf~Q#JBJrydcLDTA^uDwpU90 zm}+Y@^Do{)>8)rM>92Y?`M=O?xl)j;x@LE6ozJ$O)!FiBw4NazDdensY*?A?4KsN? z+4c|xBMofdcH|u=cY)KDIB+;*|sEmmnilLd#lD3f;8*w^ z{w7+LA;&#fj}fBPKD-N?u?6oTVs#R!y72)#g2%8QkK+j(z#$@68b>{HX*h+`XkZ>4 zEMO7m@mYKhpT`&QMSKlk$2TP1HjwT33eBYS$mo-8)=nn1f|~{Sv1{gY&%SEWwz1@9 zwp$^Ksk~*{)-?4ah+YORsI(VNgAVTc)mM%qC~qhNC9=1$_y;(){r&$9eP_^FfIxu2 z&4mD#CR52?8q>U}^vv!p76O=^~eoIn%Ayiy<5kPJKIPUpI$yLN8e7Pj07fO0B Ul;nSO5fJSE!Tv7@c#Efh0lIMvPyhe` literal 0 HcmV?d00001 diff --git a/webgoat-lessons/missing-function-ac/pom.xml b/webgoat-lessons/missing-function-ac/pom.xml new file mode 100644 index 0000000000..b473966300 --- /dev/null +++ b/webgoat-lessons/missing-function-ac/pom.xml @@ -0,0 +1,12 @@ + + 4.0.0 + missing-function-ac + jar + + org.owasp.webgoat.lesson + webgoat-lessons-parent + 8.0-SNAPSHOT + + + 
diff --git a/webgoat-lessons/missing-function-ac/src/.DS_Store b/webgoat-lessons/missing-function-ac/src/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..0913be2c6a6da292e48938f7d77736dcbcacfda0 GIT binary patch literal 8196 zcmeHLTWl0n82-t&h|31SzQbY(u z2t)`(2t)`(2>cfipgo(H_#FGbv_^G=K!m_ei2z?840^asDLEyjSURW@M*xzIq!xwR zj5kOcN~V;Yl9DV`P==C}p{R}+D8or_D8H1FQ&P%sKy~;)^=4Ej6clf#@eSb)n36K8 zBLpG@W+K4P?v0QK6CCjB&+plS>jdG}tyeMD&^T}Yg1EMD5&yBo!UrC*JfE$#1<;_U!zACa;YRGDf^sYp@dz7(KVBc@MX6Tgd9y7FqQMN1~ zun*;YPhl{a^W9S3BTFJ@y15cL+g+}kaUQXQq0l}Z^43V;7sGDhIOI?)*Nw8}9K&OU z(DA)sz%B+PHSPT3RqJkT-neC3$L`BZmM&w7<(f7^=zF1a%CU?66+Q*SW{|Tz%kjnr z%N&2#?(@vNorqo1G!eCWjjo-rD3znW#p5jYVO(08*68|iZs{)CR9o@52v~3ET3{LM$qAUsyEJ<95$di@^CYM9%)EQ{w9Z%%EL^VXc&DjSS%No%1M_QHM`fgE^H zfoI`4cphGbv+y2#03XAr@Ht$9FX1b=0zbfy@DuzDzrr>60|7N$iVPFD9GlR<+prlo z;1+Dh9k>%aFog&4UObFPupdvNiCN5{ixW7BkK$u^24BRN@MU}jU&C`UpIDWyJ#_@5 zCcaBmJ<-$^Tx@VQq9yk)IgtKWh<0_cq}Pg-s}$e5YLh0|RL>GY4LSFM6V*ANHlNo~ z?lO^Z?Ybr{*-s?0PtV0%wm?#Zd#^V%je(>w?{8>HCRvQQ8yACZ+MLu_gJ3AP68VyB zp5P+y674kBDA>xoox8|7Uyzb__w1#i;(~Czn{J_@kQS_&M4OXlufutGA3lOl-~xOB zU&HtC3;YJxu#t$h8g-)8EttgHaU4(=+%bJ(3Xu z5d!~11hBCu)03tTtNw>E{TumN+o0z`dU)Y}Q&Nf$s;;{TpuRee3txj=c}z;lDJexL a=|w2Xf9N70+W({dAHuv}+f8rI{r^umCXx04 literal 0 HcmV?d00001 
diff --git a/webgoat-lessons/missing-function-ac/src/main/.DS_Store b/webgoat-lessons/missing-function-ac/src/main/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..7ee598c2b590178fb052c7c2e0e89086ab62c78b GIT binary patch literal 10244 zcmeHMU2GIp6h3F$!t4Mt+k#!F3u{Uv#TF?oP!w=mihw|9+|oa)>+H_hj?T_(c4l`` ztk#hD7o+hfF)`7^R>f%KNu%+>#211w{v~MagT9y;^~uC16B9l6-r2e?+XoY&nA|&= zd+yIU_ul#LH*@x$1pw?X7+nBy08r>=Qd>z`jl}xdeMt%hEgDHAdq|hOT-tWiRR7}= zZP_3ZkO)WwBmxoviNMu>0Qqc|lodkCTp}P5kO(Xwz`hT0x|vJ_az;r0>7a}s0Z7(U zGfz}z#{p&&4`d>cGeS}iB^0J4g((I{3>4qft(Rim;(lf4-96;;DmyFb{ap< z)d3Si%3LBK5x5iq_PW%=y`V!8^vd&lI%iv+zirz*hU)4YmMvGp>I!yg5%tdGlv_&r zx?k}6_54X*vkWsGlm~Txs$3p&U3;Odr-v=Gl+xDhcO75195Y{GIx%87hFj`)3y$GU zB*l0mmf=sOw6%kIvq+|cx?>Joo|U$2%fDXwoIc&z)zh=PBi_~3JKYgK-PPT_ zy(7MBN6+-M_MM`%wD0IUHkO-ya(3>u*WWn%=J^W(1`IwW&{PG>CzY7klU>P-o6S|| zEZ}8(#X%A82)SjvzOBG3IuKEBOKFX4?Z%Q4%+ezyI(;M~8Q$8z=dv4y}&lOXeR`AR_OwzN8<^XAXqZSRv)HDpg zwQ}wH4Xv9yx9{3>an&`ewMe6?juWVkZ{1^=`4c6E?3nIlOvkXC$&n(1)i#G5J!?in zpM}HR>e}Y0I$_Y*$6SNi8QOb_=xJ$=Mo+Sy{dtpeLs7WF#&}d6^4JpeKyg!>st(;p zd#icDpzT}K=m}d-o3>_zh1u4d)aXc2K%*TA8oPVc=qN#-rA2!Y>41-qNn%FEhG~All7Hq8o>tHK6x43!8v#rK7#Y`DSQrJz?U!&Kf+J&GyDR-!Ji0-sN!mjU?Vo+b$C6t z;wEgvt=NM*aToStA0EadcodJ}Fs3k#88k4958^}kFwWo;_$I;S5wR6MR{NHi zs?~A&vR-0lOl#moWmV#&s?~EUvuf{d>RrYe%c^_#Q7?$sht%SpG-{jH#Bzl-two!DM!0OqvA%sK;t3>h#H8YlApYAW-0%RDkUdF?yJd3%kIrzjaXLUjfLL zQn4Q>t*`{yn6PnS7r3Pw3dmi_a#s{r4CL-q9uw{2!Y**j-2uhr1I5TFZYb!FPW{LH z=74c-gE&wiP++41>}OK~4&-4fJ+t=yZkevv+PaLPlG3s*TcxnPjeV4ed{1)PnMrz@ zS8#i@{3$PA|m2Q_bcB|YRg*2T1z9x;uXl(Mteu|3VSjrfUrpsT#~1MRFa~Y-7Z9&9rHm-h)z@eNsy8++1^8dwW+?tgWqcz9}}>cHqGN zrdY?p_W60`2T7`JJlH)jo|}Jqap{dW-#YX5x$|5E6dMUtt`p_6RYk0+wq(Z1u6>sw zw6fgdAb-~pa?&}j)%R<(QWFvR&XiKY=6y2fnU3v_78%z7*};W~M**Ke3ol!9yAZBRS2Xe6k$J7!XMteJx0 zceYpU+FiG|d4I>D3p=hWS0WX%JVAomo_W7%Kwmr$&oRQp*^!wX6{d zeGv}(Ue{Nv@}y3E4>&sW)0Gb-UQ=7Gs;5{@Z{DC-mn7d|PfV4ETs8$wG^}rs<)H^? 
zT@_b!+PF_vhb=8_Sc)FzZY{US>S&QmqZ}872ij$IjD*k9q}>QMiQ>*KRlS#ud_r@* zlR3ktS)Hfh4hgz-ntbCRAUs00AnOC>2(`@VFd-;Ng>*B3q=_ROv7CPdN!Xy}w zgVXQ~JPXgkE3gD-;eGf7&cWyKC42>6!!rB~zre5X8~g!(BOs!TyOk)Oh%;LlN2tJAn_!K^mFXQXDh)eh$p2ZLGBR;3l z3ZDI9j>6!llvssOyl@MRUJk-&U!~lCbs${c&e5yfStVHPzPO<4mT)agK0urhpPUsk zd^j(`@d5!_v#VB)4ijL;?D{2NK|$Hd@nNm^#G+9}@`+*D`Uc8|2y4mjt8rgcR!V$$ zSuJrHRmyx!S(b>Dl~NyMmhJ4K+ATh>EPMC})dK(Vuza{7D%0-tZ%|u=cj03nvv1%# z_z`}B-{DUJtc>8Q#u`E^io5Y9Y{Z+f37ZM7PP`3o$3xhM{e;+E1lbTFHiqLkL68|Z zh0|za9z87L49?OrG&@UZ2$X$5_O85{eyZ`rX{{H{UPb3&2P#{p?swse_ ziDaUOhTm)}W_RrvJ@?VW0&BOxt?xpSe;p_5U&qO^dxak;9b*ZyabXv@r4kDN`HKMd SkC7eH!TBGY|2~1&X7mqKp#rV| literal 0 HcmV?d00001 
diff --git a/webgoat-lessons/missing-function-ac/src/main/java/org/.DS_Store b/webgoat-lessons/missing-function-ac/src/main/java/org/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..8339472c99d019461c40bd63bbc20760ebcabff9 GIT binary patch literal 8196 zcmeI0U1%It6vxlmB<<|9HM2=$CXL&!B*CU8G25ml(Y9{BOlun&+&hCuK;Oxw@ zGrJp&(MZ8BMDYUzLBT|=DE3KFd=Pvo74ZwIm&TQFint~Lx(7DUp zb3e|xbN7FLduQ(e0QTq9D1ZzA0$t2X+bFw4V*TvekOE!{>qLqN$RrDPCTUp74ZePZ zuYj+BuYj+BuYj+>)u8}Avsn^0dG5Qte(o#aD{xIJ!1jj-UChQjyX;!Nbx_8S0Awqv znI|gKIe^DRJR9@uvTJ!Ljp?2q&flkaiAOrlaVlmMsaLozzX$D)d`9 zQ?+N~?s${B>dYsky3wqbr_fQw)FyOWPwIy5JSYU&Cm}U1F1AOzx_a9p(P+<7TVyeM z;K2U2NcX|6r6uVHL1=6}*f%nrS$cY9^^G^*I`j6q^R5u+Z6;7#Cd_B+RWatG@syR$ zlz5eBX4v^r_nk+;Dr)w9iDvR(NW3#4)v)=W%s9Gb+7nvVCYz9|Z4&ZW$}+w0H<_}G zT-vk~QYfVushpuWTAyLW^@lWj%Fz}aR+_P`tTVtJ6Oxp(wYxR))AQOOdD~Mu4aeLh z48F6yZrARnz3uzE4_(-CU9}Xd5ycr2)^zmybuBwyVCqgQc1kl<-JF}uGieQN%v91^ zDDXuv$fK^Wm&I9?#vZX$7N<%d2yRbfy)2(%Jp);da#av`z@CUKj@fJqis#teB8p=V z(E3WYH)!iVQ64vxq-IEJ&<*RjMU*G=t~Andukk>aC{L02X_~Yh!ZxqDr&pHmWp_TI z*v`p}X40(A)9nu*xnqZ1FZUO}O8Hk5glQJlr>ZpDrr2J0NrO$XPH%AqXn+oS=p2Pv z&>#b+;Td=qo`Y9l70$x@@ClrQ&*4k>3ciLl_!)kIU*R|S1O7%pL=meogf&=;H{gxf zgw5E39oU7pVmJ0+A0ETwcmhXo0uz|T6snlUhw%}76qoTSd>&uM*Kq|`@jX0?AL2*u zoB~Bmhf4sYB7REQdJw&rZ-L26ffydD6^H*H5ZAW5_|@*L^LXsLxTs~zSjrQJ$fbnS zQ>23fx(>+;1Zl&rMln22kZB9$%U;Am+Ug?2y!S-HVM*ZBuxfJ)RRe^!z{hIc7Z#-o z4lwH_Hp5aCN0n8HN>QrhFtch;FZFKW%(Cj?Bh(A-4~W%+En$&%s(*vq3cL#+bJV_p z@8C!H34Vt^39>2ztR5Q(uQ2Y$o3Isc#x`sxz`~H6PEKhGovtm__*4PsOiYxdIjL5HdUe4{iSb|H^OVkKildD{$2+ zfR%&s!G4YM< V0sJo{dn)_SfB*T<5xgd|e*j!~4)Op1 literal 0 HcmV?d00001 
diff --git a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/.DS_Store b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..2609cccd36d669cdf7efd8f2caf906bc80c36410 GIT binary patch literal 8196 zcmeI0TTC2P7{|YFfigR7WfqDI#ckIBu~a~A6{>ArZqnM45*JvY=sLSI!o=B`&CcvD ziYTUuw-}9=#Kc4sL9Nl)CymAj6JMGd<1ML19`wb;s81$7nV9Hz&dfHjln`IMq;ocN zzH|A$GiUziH#2(%0B|6ub^^!%Ake|Aw3D(cB-YQ4O)22Duui0S01Fgwk_9`HG&Xtr z4ZZ@t0=@#i0=@#i0{;aC=$*}yu*G}d?e%kC0bhZuQUUgSh|s}o)U(U3<&O@^_!fX{ zIW_Y{W!eYun22Yio?Uh=52Z2P-2-}|=xs634X6GHb0-`1?6Pa!a6mU4&^t4FI~3$+ zr??1r2aLMb&wT}a1vV?dZktLdfCfpJTfcv|lGO7@GGpkr)6ubpfwJ<79hE{*+{u1Y zNW3dHZxv#W;^gcBC3}X~bX7}w;Jt0-I>o}cpbj!3SwX97xAywHV=!ukN zde<3GSw=2x+6gI?QjAp2P#mq_Fk<=xnmy%c3l1yI*jCmV zDV>I6ZW0FH+Eu%EU*mzcuHGY;c3)E^g{nnyh6FYp{a#(mP868R(~6zaOjS4M;&~>q zp^ckLS_=g}3kG@AwRN&MtJ2t`mdfH(={>>iX{eLsGpuJYt5L2B0uR_9k;QSFO+oP- zo0>&&{61P|$@T_qIVj2#hLY3_Ne#MT?Kg>XJnu>)o%9;JdqjDP79dTNwnNzJHTNBs z<-6ILPbs!@I-{91tBZ8{qsMOBE!W8d#Y-u@L_wHlQT?h)vu%tXaF;dM813*DSb%zH zrx(z1n57#e183nWcp9F8mtYmn!@KYiT!2sEbNB+jgf;jPeuAIj7x)eSL_kClt1yJs zScBK$_1K6_*o^JigEwO@_F+Gsz>|0iM{yDpn8XySn8pY3A$%B@@dWBf`mhKFm!k$(rqwOuZPHG673Ci^chY{^ot zXNrU5lEMip62c+ffaN6uwSI4d7@i=|w1v{8FCrmTx)?F<{gH535;!@m+SE+d0O2k0 zv04s>MX8KK%zBB>uvEcuWmO_ml*&2KtlD>&dUtScS@q~K>IL^EV)bBiSfr=c-$8B# z-i8l3ZePJS@ICwhzrybXS_MH?hxLS5828}~*n&4=E4C42eRvDribrr5M+mh$2)1!T zZ3?GxhG5fh4(CzFEIOFS0xsYqcorYU$MA7N?>T%PU%;2~l@jQVmq2%JGjwTdXh_XD zDS)r-iZJ&t!7^>B+jwN=w|ma!V_DO%%sCprctdQQnqS*qfil-cX8Zr)t-t?oKalU? zE8r{ezf}OshhjqmH2tj}r2*=T&~XnPEHS@j*YXg`me*%2 YQVXSj{6oNof4Bbo-+%ve46nNEFVWu}lmGw# literal 0 HcmV?d00001 
diff --git a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/.DS_Store b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..3efe5f71232d664d8ac3a94aab516092ac613b82 GIT binary patch literal 8196 zcmeHLU1%It6h3G3)7fcjW|PKD8n<0Zf=x|g{%TTf>*mk2wxPjIvPl|UXLrVAaCT)iuear%!9rNqCN>e34)$`XSO7prXU3^bnbHR zx%ZxP?!EKfZ|>bQ0DuEIwG%)F0D&@-(sn8?k(i$4O)22@FeQ>dfDUG|U}utsmE2_Q zclZeS2>1y22>1y22wV*a(4Ebau*JRaYW>njz(?SkM1Y+S5z0(PJ-O^kesoa5LjaQH z)XfvsDGuO15l==vx$H{rN@Kdw1A4CLg&63%lRm=CNk%=n>`K=i&~*p&W=1bUK|VYA zMYuU&)RlheBj6*j83Fd%R6+&}$iZAm{Qg%mW9YWi(Xobsvhs?`Z9-7o&VEuzyeBqq z6=II!?@dy2PoRZDvHF~ylL*2gW&xL8+`le$(&NV^6t(@}I&%dT^sjq9dr6$Y%F zsoJwKcf7c+I`avsb}Xyq$#qOIwMpI9le(ch4+=r{OGpiii*21<-QBH`&Yqs7*2rRK zcXwB7r1wD2(vtLpAT+cb=pUWVEIqxl`o^1Yoq7A*c^3-wjuWUUf#$PPT#UKSSjtLg z*4b^q&9L)h?st!XRmAQ4b-2kxA@ROX^V~<)Y^HZe{1Xt5gC(EapW-zN!sR{yj*c*|>ahokc@eG@qMREKA z+GEM~25s3d$`gi?)C@@tx^C^ah;lsdLL(jbI=g#Bd5Yjq)1vJVwtC%t2W9zQHuDL^ zc1~tAlU8+}raye-j-7IyJWza;(nl18Y39|hs0Tx z^m?3zXW&_Q4qky(I1BH?CvXlvhcDqP_!`#WXZQtvh2P*0_!|KcMXbUQR$~p`fHz_z zHeoZiV-Mbnz1WBScnpu@2^_^qOkfgIsA3u)#z*i`T*jyHd3+gP#}!<~_wX!!h#$FY z3KXe2vW|jO#ZRdyrK0xiC)#kCzS0c&>EdW`J9xUD4{xt>v+MlMe{ ze~SFz6x~3|3q;fU-3?-Rf@r2Klx}>H5Yjf6M9g|`Bpj9m&KuTjYNlp@$Sv@(TK0!U zsf<&YX^EX-se+T0HHnv^RL<$lntcaJTgh3=num{&7Ti~ewS&!Jk z`v$&)AK@qX9sVSmRS?DMu$~AO#yxlww&2a!ifu%(KD-TY$3r-bBSf^jh-%|Rv?-j% z8KRnob2yJWX3@bs7H|O{!_)XUK7mgX@m|0e@g;l}Un`;9(Gtp?DWzQ68X8h_P72^# zyCTA^H&8Ndsh8Df<}ZJ`=3`mYu*^9cx%e9JN&Mmp5GZqfWfuPrZ~guM3TE(KeFS_2 zu66{ld?+?FK&#y9Xl1c>gz|lqSz>m}uH-IM@Nk?Y564NexPm9DM_7eq)RW7uq#jED U`G)}h-`2nX{rjKO@0u + * Copyright (c) 2002 - 20014 Bruce Mayhew + *

+ * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + *

+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + *

+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + *

+ * Getting Source ============== + *

+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software + * projects. + *

+ * + */ +public class MissingFunctionAC extends NewLesson { + + @Override + public Category getDefaultCategory() { + return Category.ACCESS_CONTROL; + } + + @Override + public List getHints() { + return Lists.newArrayList(); + } + + @Override + public Integer getDefaultRanking() { + return 40; + } + + @Override + public String getTitle() { + return "missing-function-access-control.title"; + } + + @Override + public String getId() { + return "MissingFunctionAC"; + } + +} diff --git a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/Users.java b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/Users.java new file mode 100644 index 0000000000..26e48709d9 --- /dev/null +++ b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/Users.java 
@@ -0,0 +1,113 @@ +package org.owasp.webgoat.plugin; + +import com.sun.org.apache.xpath.internal.axes.HasPositionalPredChecker; +import org.owasp.webgoat.assignments.Endpoint; +import org.owasp.webgoat.session.DatabaseUtilities; +import org.owasp.webgoat.session.UserSessionData; +import org.owasp.webgoat.session.WebSession; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestMethod; +import org.springframework.web.bind.annotation.ResponseBody; + +import javax.servlet.http.HttpServletRequest; +import java.sql.*; +import java.util.HashMap; +import java.util.Map; + +import static javax.swing.UIManager.getString; + +public class Users extends Endpoint{ + + @Autowired + private WebSession webSession; + + @Autowired + UserSessionData userSessionData; + + @RequestMapping(produces = {"application/json"}, method = RequestMethod.GET) + @ResponseBody + protected HashMap getUsers (HttpServletRequest req) { + + try { + Connection connection = DatabaseUtilities.getConnection(getWebSession()); + String query = "SELECT * FROM user_data"; + + try { + Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + ResultSet results = statement.executeQuery(query); + HashMap allUsersMap = new HashMap(); + + if ((results != null) && (results.first() == true)) { + ResultSetMetaData resultsMetaData = results.getMetaData(); + StringBuffer output = new StringBuffer(); + + while (results.next()) { + int id = results.getInt(0); + HashMap userMap = new HashMap<>(); + userMap.put("first", results.getString(1)); + userMap.put("last", results.getString(2)); + userMap.put("cc", results.getString(3)); + userMap.put("ccType", results.getString(4)); + userMap.put("cookie", results.getString(5)); + userMap.put("loginCOunt",Integer.toString(results.getInt(6))); + allUsersMap.put(id,userMap); + } + 
userSessionData.setValue("allUsers",allUsersMap); + return allUsersMap; + + } + } catch (SQLException sqle) { + sqle.printStackTrace(); + HashMap errMap = new HashMap() {{ + put("err",sqle.getErrorCode() + "::" + sqle.getMessage()); + }}; + + return new HashMap() {{ + put(0,errMap); + }}; + } catch (Exception e) { + e.printStackTrace(); + HashMap errMap = new HashMap() {{ + put("err",e.getMessage() + "::" + e.getCause()); + }}; + e.printStackTrace(); + return new HashMap() {{ + put(0,errMap); + }}; + + + } finally { + try { + if (connection != null) { + connection.close(); + } + } catch (SQLException sqle) { + sqle.printStackTrace(); + } + } + + } catch (Exception e) { + e.printStackTrace(); + HashMap errMap = new HashMap() {{ + put("err",e.getMessage() + "::" + e.getCause()); + }}; + e.printStackTrace(); + return new HashMap() {{ + put(0,errMap); + }}; + + } + return null; + } + + protected WebSession getWebSession() { + return webSession; + } + + @Override + public String getPath() { + return "/access-control/list-users"; + } +} diff --git a/webgoat-lessons/missing-function-ac/src/main/resources/.DS_Store b/webgoat-lessons/missing-function-ac/src/main/resources/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..6efa04a20a9e4d079ccb94bd03cc4336d7391b9f GIT binary patch literal 6148 zcmeH~y-veW426#&LY2C7WW2A?jq$1~PrwWCQv^sU9a{EmeQl0?jTDHGIx)~=$@e6_ zcCPXbaSXs#ADbnx05GGw;^@oNeBXUy7a6&vnm=Q+f9fB1yPh|vn%8!C#Q|IN$~-eFPFV_@|xaj3;mw{Wz3Cq mF42mq(TaKFt@wJBSNxj$HFanj<%~x;RX+mGMJ57&LEsaswH=rM literal 0 HcmV?d00001 
diff --git a/webgoat-lessons/missing-function-ac/src/main/resources/html/.DS_Store b/webgoat-lessons/missing-function-ac/src/main/resources/html/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..5008ddfcf53c02e82d7eee2e57c38e5672ef89f6 GIT binary patch literal 6148 zcmeH~Jr2S!425mzP>H1@V-^m;4Wg<&0T*E43hX&L&p$$qDprKhvt+--jT7}7np#A3 zem<@ulZcFPQ@L2!n>{z**++&mCkOWA81W14cNZlEfg7;MkzE(HCqgga^y>{tEnwC%0;vJ&^%eQ zLs35+`xjp>T0 + +

+
+
+ +
+
+ + + +
+
+
+ + + + + + +
+
+ +
+ +
+
+ +

Hidden Item 1

+

Hidden Item 2

+
+ + +
+ +
+
+
+ +
+ + + + + + + + + + + + + + + + + + + + + + + diff --git a/webgoat-lessons/missing-function-ac/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/missing-function-ac/src/main/resources/i18n/WebGoatLabels.properties new file mode 100644 index 0000000000..6f028a433b --- /dev/null +++ b/webgoat-lessons/missing-function-ac/src/main/resources/i18n/WebGoatLabels.properties @@ -0,0 +1,9 @@ +missing-function-access-control.title=Missing Function Level Access Control + +access-control.hidden-menus.success=Correct! And not hard to find are they?!? For the next lab, note that the endpoints are at /WebGoat/access-control/list-users and /WebGoat/access-control/add-user +access-control.hidden-menus.close=Close. Remember that when hacking ... details such as order,case and the like matter. +access-control.hidden-menus.failure=Please try again. + +access-control.hidden-menus.hint1=You can inspect the DOM or review the source in the proxy request/response cycle. +access-control.hidden-menus.hint2=Look for indications of something that would not be available to a typical user +access-control.hidden-menus.hint3=Look for something a super-user or administator might have available to them \ No newline at end of file diff --git a/webgoat-lessons/missing-function-ac/src/main/resources/js/missing-function-ac.js b/webgoat-lessons/missing-function-ac/src/main/resources/js/missing-function-ac.js new file mode 100644 index 0000000000..0f98933b5e --- /dev/null +++ b/webgoat-lessons/missing-function-ac/src/main/resources/js/missing-function-ac.js @@ -0,0 +1,6 @@ +webgoat.customjs.accessControlMenu = function() { + //webgoat.customjs.jquery('#ac-menu-ul').menu(); + webgoat.customjs.jquery('#ac-menu').accordion(); +} + +webgoat.customjs.accessControlMenu(); \ No newline at end of file 
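Review bot: `access-control.hidden-menus.hint3` misspells "administrator" as `administator`; since this text is shown to users as a hint it should read `access-control.hidden-menus.hint3=Look for something a super-user or administrator might have available to them`. The success message also advertises `/WebGoat/access-control/add-user`, which no file in this commit defines — presumably it lands in a follow-up; otherwise the hint points users at a missing endpoint.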
diff --git a/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-01-intro.adoc b/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-01-intro.adoc new file mode 100644 index 0000000000..921fe7126e --- /dev/null +++ b/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-01-intro.adoc @@ -0,0 +1,9 @@ +== Missing Function Level Access Control + +Access control, like output encoding XSS can be tricky to maintain and ensure it is enforced properly throughout an application, including at each method/function. + +=== IDOR vs Missing Function Level Access Control + +The fact is many people (including the author of this lesson) would lump function level access control and IDOR into 'Access Control'. For sake of OWASP, Top 10 and these lessons, we will make a +distinction. The distinction most make is that IDOR is more of a 'horizontal' or 'lateral' access control issue, and missing function level access control 'exposes functionality'. Even though, +the IDOR lesson here demonstrates how functionality may also be exposed, (at least to another user in the same role), we will look at other ways functionality might be exposed. \ No newline at end of file diff --git a/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-02-client-controls.adoc b/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-02-client-controls.adoc new file mode 100644 index 0000000000..0ea8c2b795 --- /dev/null +++ b/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-02-client-controls.adoc 
@@ -0,0 +1,16 @@ +== Relying on Obscurity + +If you are relying on HTML, CSS or javascript to hide links that users don't normally access. +It's a little older, but there was a case of a network router trying to protect (hide) admin functions with javascript in the UI https://www.wired.com/2009/10/routers-still-vulnerable + +=== Finding Hidden Items + +There are usually hints to finding functionality the UI does not openly expose in ... + +* HTML or javascript comments +* Commented out elements +* Items hidden via css controls/classes + +=== Your Mission + +Find two menu items not visible in menu below that are or would be of interest to an attacker/malicious user and put the labels for those menu items (there are no links right now in the menus). \ No newline at end of file diff --git a/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-03-list-users.adoc b/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-03-list-users.adoc new file mode 100644 index 0000000000..8bbab9125f --- /dev/null +++ b/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-03-list-users.adoc @@ -0,0 +1,10 @@ +== Just Try It + +As the previous page noted, sometimes apps rely on client controls. to control access (obscurity). If you can find items that don't have visible links, just try them, see what happens. Yes, it +can be that simple! + +=== Gathering User Info + +Often times, data dumps from vulnerabilities such as sql injection, but they can also come from poor or lacking access control. Use the info. you already gathered to pull the list of users and +then provide the CC# for Chaos Monkey. + diff --git a/webgoat-lessons/pom.xml b/webgoat-lessons/pom.xml index 9c9dbc2800..e03e44aeda 100644 --- a/webgoat-lessons/pom.xml +++ b/webgoat-lessons/pom.xml @@ -27,7 +27,8 @@ xxe idor vulnerable-components - auth-bypass + auth-bypass + missing-function-ac 
diff --git a/webgoat-server/pom.xml b/webgoat-server/pom.xml index 3135915985..d0f118a1b7 100644 --- a/webgoat-server/pom.xml +++ b/webgoat-server/pom.xml @@ -154,6 +154,11 @@ auth-bypass ${project.version} + + org.owasp.webgoat.lesson + missing-function-ac + ${project.version} +