Hijack Session Lesson

webgoat-integration-tests/src/test/java/org/owasp/webgoat/SessionManagementTest.java

@@ -0,0 +1,47 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2021 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source
+ * ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat;
+
+import java.util.Map;
+
+import org.junit.jupiter.api.Test;
+
+/**
+ *
+ * @author Angel Olle Blazquez
+ *
+ */
+
+class SessionManagementTest extends IntegrationTest {
+
+    private static final String HIJACK_LOGIN_CONTEXT_PATH = "/HijackSession/login";
+
+
+    @Test
+    void hijackSessionTest() {
+        startLesson("HijackSession");
+
+        checkAssignment(HIJACK_LOGIN_CONTEXT_PATH, Map.of("username", "webgoat", "password", "webgoat"), false);
+    }
+}

webgoat-lessons/hijack-session/pom.xml

@@ -0,0 +1,58 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<artifactId>hijack-session</artifactId>
+	<packaging>jar</packaging>
+	<parent>
+		<groupId>org.owasp.webgoat.lesson</groupId>
+		<artifactId>webgoat-lessons-parent</artifactId>
+		<version>8.2.3-SNAPSHOT</version>
+	</parent>
+
+	<properties>
+		<jacoco.version>0.8.7</jacoco.version>
+	</properties>
+
+	<profiles>
+		<profile>
+			<!-- mvn clean verify -Pcoverage -->
+			<id>coverage</id>
+			<activation>
+				<activeByDefault>false</activeByDefault>
+			</activation>
+			<build>
+				<plugins>
+					<plugin>
+						<groupId>org.jacoco</groupId>
+						<artifactId>jacoco-maven-plugin</artifactId>
+						<version>${jacoco.version}</version>
+						<executions>
+							<execution>
+								<id>default-prepare-agent</id>
+								<goals>
+									<goal>prepare-agent</goal>
+								</goals>
+							</execution>
+							<execution>
+								<id>default-report</id>
+								<phase>verify</phase>
+								<goals>
+									<goal>report</goal>
+								</goals>
+								<configuration>
+									<dataFile>${project.build.directory}/jacoco.exec</dataFile>
+									<outputDirectory>${project.reporting.outputDirectory}/jacoco</outputDirectory>
+									<excludes>
+										<exclude>**/HijackSession.*</exclude>
+									</excludes>
+								</configuration>
+							</execution>
+						</executions>
+					</plugin>
+				</plugins>
+			</build>
+		</profile>
+	</profiles>
+
+</project>

webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/HijackSession.java

@@ -0,0 +1,48 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2021 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source
+ * ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.hijacksession;
+
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.Lesson;
+import org.springframework.stereotype.Component;
+
+/***
+ *
+ * @author Angel Olle Blazquez
+ *
+ */
+
+@Component
+public class HijackSession extends Lesson {
+
+    @Override
+    public Category getDefaultCategory() {
+        return Category.SESSION_MANAGEMENT;
+    }
+
+    @Override
+    public String getTitle() {
+        return "hijacksession.title";
+    }
+}

webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/HijackSessionAssignment.java

@@ -0,0 +1,92 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2021 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.hijacksession;
+
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.lang3.StringUtils;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.hijacksession.cas.Authentication;
+import org.owasp.webgoat.hijacksession.cas.HijackSessionAuthenticationProvider;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.bind.annotation.CookieValue;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+/***
+ *
+ * @author Angel Olle Blazquez
+ *
+ */
+
+@RestController
+@AssignmentHints({
+    "hijacksession.hints.1",
+    "hijacksession.hints.2",
+    "hijacksession.hints.3",
+    "hijacksession.hints.4",
+    "hijacksession.hints.5"
+})
+public class HijackSessionAssignment extends AssignmentEndpoint {
+
+    private static final String COOKIE_NAME = "hijack_cookie";
+
+    @Autowired
+    HijackSessionAuthenticationProvider provider;
+
+    @PostMapping(path = "/HijackSession/login")
+    @ResponseBody
+    public AttackResult login(
+        @RequestParam String username,
+        @RequestParam String password,
+        @CookieValue(value = COOKIE_NAME, required = false) String cookieValue,
+        HttpServletResponse response) {
+
+        Authentication authentication;
+        if (StringUtils.isEmpty(cookieValue)) {
+            authentication = provider.authenticate(Authentication.builder().name(username).credentials(password).build());
+            setCookie(response, authentication.getId());
+        } else {
+            authentication = provider.authenticate(Authentication.builder().id(cookieValue).build());
+        }
+
+        if (authentication.isAuthenticated()) {
+            return success(this).build();
+        }
+
+        return failed(this).build();
+    }
+
+    private void setCookie(HttpServletResponse response, String cookieValue) {
+        Cookie cookie = new Cookie(COOKIE_NAME, cookieValue);
+        cookie.setPath("/WebGoat");
+        cookie.setSecure(true);
+        response.addCookie(cookie);
+    }
+
+}

webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/cas/Authentication.java

@@ -0,0 +1,67 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2021 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source
+ * ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.hijacksession.cas;
+
+import java.security.Principal;
+
+import lombok.Builder;
+import lombok.Getter;
+import lombok.ToString;
+
+/**
+ *
+ * @author Angel Olle Blazquez
+ *
+ */
+
+@Getter
+@ToString
+public class Authentication implements Principal {
+
+    private boolean authenticated = false;
+    private String name;
+    private Object credentials;
+    private String id;
+
+    @Builder
+    public Authentication(String name, Object credentials, String id) {
+        this.name = name;
+        this.credentials = credentials;
+        this.id = id;
+    }
+
+    @Override
+    public String getName() {
+        return name;
+    }
+
+    protected void setAuthenticated(boolean authenticated) {
+        this.authenticated = authenticated;
+    }
+
+    protected void setId(String id) {
+        this.id = id;
+    }
+
+}

webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/cas/AuthenticationProvider.java

@@ -0,0 +1,39 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2021 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source
+ * ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.hijacksession.cas;
+
+import java.security.Principal;
+
+/**
+ *
+ * @author Angel Olle Blazquez
+ *
+ */
+
+@FunctionalInterface
+public interface AuthenticationProvider<T extends Principal> {
+
+    T authenticate(T t);
+
+}