Add endpoint for the JavaScript to post to

The JavaScript posts to a random endpoint resulting in a HTTP/405 we now post to an existing endpoint. Resolves: WebGoat#1142
elaOnMars · Nov 16, 2021 · fc6b0f2 · fc6b0f2
1 parent f136325
commit fc6b0f2
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 11 deletions.
diff --git a/...sons/insecure-login/src/main/java/org/owasp/webgoat/insecure_login/InsecureLoginTask.java b/...sons/insecure-login/src/main/java/org/owasp/webgoat/insecure_login/InsecureLoginTask.java
@@ -24,20 +24,26 @@
 
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AttackResult;
-import org.springframework.web.bind.annotation.PostMapping;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
-import org.springframework.web.bind.annotation.RestController;
+import org.springframework.http.HttpStatus;
+import org.springframework.web.bind.annotation.*;
+
+import java.util.Map;
 
 @RestController
 public class InsecureLoginTask extends AssignmentEndpoint {
 
     @PostMapping("/InsecureLogin/task")
     @ResponseBody
     public AttackResult completed(@RequestParam String username, @RequestParam String password) {
-    	if (username.toString().equals("CaptainJack") && password.toString().equals("BlackPearl")) {
+    	if ("CaptainJack".equals(username) && "BlackPearl".equals(password)) {
     		return success(this).build();
     	}
         return failed(this).build();
     }
+
+    @PostMapping("/InsecureLogin/login")
+    @ResponseStatus(HttpStatus.ACCEPTED)
+    public void login() {
+        //only need to exists as the JS needs to call an existing endpoint
+    }
 }
diff --git a/webgoat-lessons/insecure-login/src/main/resources/js/credentials.js b/webgoat-lessons/insecure-login/src/main/resources/js/credentials.js
@@ -1,6 +1,6 @@
 function submit_secret_credentials() {
     var xhttp = new XMLHttpRequest();
-    xhttp['open']('POST', '#attack/307/100', true);
+    xhttp['open']('POST', 'InsecureLogin/login', true);
 	//sending the request is obfuscated, to descourage js reading
 	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
 }
diff --git a/...ssons/insecure-login/src/main/resources/lessonPlans/en/InsecureLogin_Intro.adoc b/...ssons/insecure-login/src/main/resources/lessonPlans/en/InsecureLogin_Intro.adoc
@@ -1,7 +1,7 @@
 
-== Concept
-Encryption is a very important tool for secure communication. In this lesson, we will find out, why it should always be employed when sending sensitive data.
+=== Concept
+Encryption is an essential tool for secure communication. In this lesson, we will find out why it should always be employed when sending sensitive data.
 
-== Goals
+=== Goals
 * The user should have a basic understanding of packet sniffer usage
 * The user will be able to intercept and read unencrypted requests
diff --git a/...essons/insecure-login/src/main/resources/lessonPlans/en/InsecureLogin_Task.adoc b/...essons/insecure-login/src/main/resources/lessonPlans/en/InsecureLogin_Task.adoc
@@ -1,4 +1,4 @@
 === Let's try
-Click the "log in" button to send a request containing login credentials of another user.
-Then, write these credentials into the appropriate fields and submit to confirm.
+Click the "log in" button to send a request containing the login credentials of another user.
+Then, write these credentials into the appropriate fields and submit them to confirm.
 Try using a packet sniffer to intercept the request.