- Added new challenges

- Added new webapplication called WebWolf to make attacks more realistic - Added WebWolf lesson to explain the concepts behind this new application
fuckup1337 · Sep 12, 2017 · 46c5365 · 46c5365
1 parent 56f19ca
commit 46c5365
Show file tree

Hide file tree

Showing 104 changed files with 4,199 additions and 70 deletions.
diff --git a/pom.xml b/pom.xml
@@ -172,9 +172,11 @@
     </properties>
 
     <modules>
+        <module>webgoat-commons</module>
         <module>webgoat-container</module>
         <module>webgoat-lessons</module>
         <module>webgoat-server</module>
+        <module>webwolf</module>
     </modules>
 
     <distributionManagement>

diff --git a/webgoat-commons/pom.xml b/webgoat-commons/pom.xml
@@ -0,0 +1,37 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <artifactId>webgoat-commons</artifactId>
+    <packaging>jar</packaging>
+    <parent>
+        <groupId>org.owasp.webgoat</groupId>
+        <artifactId>webgoat-parent</artifactId>
+        <version>8.0-SNAPSHOT</version>
+    </parent>
+
+    <dependencies>
+
+        <dependency>
+            <groupId>org.projectlombok</groupId>
+            <artifactId>lombok</artifactId>
+        </dependency>
+
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <version>${maven-compiler-plugin.version}</version>
+                <configuration>
+                    <source>1.8</source>
+                    <target>1.8</target>
+                    <encoding>ISO-8859-1</encoding>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+
+
+</project>
diff --git a/webgoat-commons/src/main/java/org/owasp/webgoat/login/LoginEvent.java b/webgoat-commons/src/main/java/org/owasp/webgoat/login/LoginEvent.java
@@ -0,0 +1,15 @@
+package org.owasp.webgoat.login;
+
+import lombok.AllArgsConstructor;
+import lombok.Data;
+
+/**
+ * @author nbaars
+ * @since 8/20/17.
+ */
+@Data
+@AllArgsConstructor
+public class LoginEvent {
+    private String user;
+    private String cookie;
+}
diff --git a/webgoat-commons/src/main/java/org/owasp/webgoat/login/LogoutEvent.java b/webgoat-commons/src/main/java/org/owasp/webgoat/login/LogoutEvent.java
@@ -0,0 +1,14 @@
+package org.owasp.webgoat.login;
+
+import lombok.AllArgsConstructor;
+import lombok.Data;
+
+/**
+ * @author nbaars
+ * @since 8/20/17.
+ */
+@AllArgsConstructor
+@Data
+public class LogoutEvent {
+    private String user;
+}
diff --git a/webgoat-commons/src/main/java/org/owasp/webgoat/mail/IncomingMailEvent.java b/webgoat-commons/src/main/java/org/owasp/webgoat/mail/IncomingMailEvent.java
@@ -0,0 +1,21 @@
+package org.owasp.webgoat.mail;
+
+import lombok.Builder;
+import lombok.Data;
+
+import java.time.LocalDateTime;
+
+/**
+ * @author nbaars
+ * @since 8/20/17.
+ */
+@Builder
+@Data
+public class IncomingMailEvent {
+
+    private LocalDateTime time;
+    private String contents;
+    private String sender;
+    private String title;
+    private String recipient;
+}
diff --git a/webgoat-container/pom.xml b/webgoat-container/pom.xml
@@ -34,6 +34,23 @@
                 </plugins>
             </build>
         </profile>
+        <profile>
+            <id>local</id>
+            <activation>
+                <activeByDefault>true</activeByDefault>
+            </activation>
+            <dependencies>
+                <dependency>
+                    <groupId>de.flapdoodle.embed</groupId>
+                    <artifactId>de.flapdoodle.embed.mongo</artifactId>
+                </dependency>
+            </dependencies>
+
+        </profile>
+        <profile>
+            <id>ctf</id>
+            <!-- Connect to real mongodb -->
+        </profile>
 
     </profiles>
 
@@ -132,6 +149,19 @@
     </build>
 
     <dependencies>
+        <dependency>
+            <groupId>org.owasp.webgoat</groupId>
+            <artifactId>webgoat-commons</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.datatype</groupId>
+            <artifactId>jackson-datatype-jsr310</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.projectlombok</groupId>
+            <artifactId>lombok</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.projectlombok</groupId>
             <artifactId>lombok</artifactId>
@@ -144,6 +174,19 @@
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-actuator</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-cache</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-activemq</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-jms</artifactId>
+        </dependency>
+
         <dependency>
             <groupId>org.asciidoctor</groupId>
             <artifactId>asciidoctorj</artifactId>
@@ -153,10 +196,6 @@
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-data-mongodb</artifactId>
         </dependency>
-        <dependency>
-            <groupId>de.flapdoodle.embed</groupId>
-            <artifactId>de.flapdoodle.embed.mongo</artifactId>
-        </dependency>
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-lang3</artifactId>

diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/HammerHead.java b/webgoat-container/src/main/java/org/owasp/webgoat/HammerHead.java
@@ -1,11 +1,24 @@
 package org.owasp.webgoat;
 
+import lombok.AllArgsConstructor;
+import org.owasp.webgoat.login.LoginEvent;
 import org.owasp.webgoat.session.Course;
+import org.owasp.webgoat.users.WebGoatUser;
+import org.springframework.jms.core.JmsTemplate;
+import org.springframework.security.core.Authentication;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.servlet.ModelAndView;
 
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.util.Optional;
+
+import static java.util.Optional.empty;
+import static java.util.Optional.of;
+
 /**
  * *************************************************************************************************
  * <p>
@@ -41,19 +54,38 @@
  * @since October 28, 2003
  */
 @Controller
+@AllArgsConstructor
 public class HammerHead {
 
     private final Course course;
-
-    public HammerHead(Course course) {
-        this.course = course;
-    }
+    private JmsTemplate jmsTemplate;
 
     /**
      * Entry point for WebGoat, redirects to the first lesson found within the course.
      */
     @RequestMapping(path = "/attack", method = {RequestMethod.GET, RequestMethod.POST})
-    public ModelAndView attack() {
+    public ModelAndView attack(Authentication authentication, HttpServletRequest request, HttpServletResponse response) {
+        sendUserLoggedInMessage(request, response, authentication);
         return new ModelAndView("redirect:" + "start.mvc" + course.getFirstLesson().getLink());
     }
+
+    private void sendUserLoggedInMessage(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
+        WebGoatUser user = (WebGoatUser) authentication.getPrincipal();
+        getWebGoatCookie(request).ifPresent(c -> {
+            jmsTemplate.convertAndSend("webgoat", new LoginEvent(user.getUsername(), c.getValue()), m -> {
+                        m.setStringProperty("type", LoginEvent.class.getSimpleName());
+                        return m;
+                    }
+            );
+        });
+    }
+
+    private Optional<Cookie> getWebGoatCookie(HttpServletRequest request) {
+        for (Cookie c : request.getCookies()) {
+            if (c.getName().equals("JSESSIONID")) {
+                return of(c);
+            }
+        }
+        return empty();
+    }
 }
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/JmsConfig.java b/webgoat-container/src/main/java/org/owasp/webgoat/JmsConfig.java
@@ -0,0 +1,35 @@
+package org.owasp.webgoat;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.apache.activemq.broker.BrokerService;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.jms.support.converter.MappingJackson2MessageConverter;
+import org.springframework.jms.support.converter.MessageConverter;
+import org.springframework.jms.support.converter.MessageType;
+
+/**
+ * @author nbaars
+ * @since 8/20/17.
+ */
+@Configuration
+public class JmsConfig {
+
+    @Bean(initMethod = "start", destroyMethod = "stop")
+    public BrokerService broker() throws Exception {
+        final BrokerService broker = new BrokerService();
+        broker.addConnector("tcp://localhost:61616");
+        broker.addConnector("vm://localhost");
+        broker.setPersistent(false);
+        return broker;
+    }
+
+    @Bean
+    public MessageConverter jacksonJmsMessageConverter(ObjectMapper objectMapper) {
+        MappingJackson2MessageConverter converter = new MappingJackson2MessageConverter();
+        converter.setTargetType(MessageType.TEXT);
+        converter.setObjectMapper(objectMapper);
+        converter.setTypeIdPropertyName("_type");
+        return converter;
+    }
+}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java b/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java
@@ -39,11 +39,9 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.context.ApplicationContext;
-import org.springframework.context.MessageSource;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.io.ResourceLoader;
-import org.springframework.validation.beanvalidation.LocalValidatorFactoryBean;
 import org.springframework.web.servlet.LocaleResolver;
 import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
 import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
@@ -154,13 +152,9 @@ public LocaleResolver localeResolver() {
         return slr;
     }
 
-    @Bean
-    public HammerHead hammerHead(Course course) {
-        return new HammerHead(course);
-    }
-
     @Bean
     public LabelDebugger labelDebugger() {
         return new LabelDebugger();
     }
+
 }
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java b/webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java
@@ -30,7 +30,6 @@
  */
 package org.owasp.webgoat;
 
-import com.fasterxml.jackson.annotation.JsonInclude;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.catalina.Context;
 import org.owasp.webgoat.plugins.PluginEndpointPublisher;
@@ -49,10 +48,8 @@
 import org.springframework.boot.web.support.SpringBootServletInitializer;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Primary;
 import org.springframework.context.annotation.Scope;
 import org.springframework.context.annotation.ScopedProxyMode;
-import org.springframework.http.converter.json.Jackson2ObjectMapperBuilder;
 
 import java.io.File;
 import java.util.Arrays;
@@ -70,15 +67,6 @@ public static void main(String[] args) throws Exception {
         SpringApplication.run(WebGoat.class, args);
     }
 
-    @Bean
-    @Primary
-    public Jackson2ObjectMapperBuilder jacksonBuilder() {
-        Jackson2ObjectMapperBuilder builder = new Jackson2ObjectMapperBuilder();
-        builder.indentOutput(true);
-        builder.serializationInclusion(JsonInclude.Include.NON_NULL);
-        return builder;
-    }
-
     @Bean(name = "pluginTargetDirectory")
     public File pluginTargetDirectory(@Value("${webgoat.user.directory}") final String webgoatHome) {
         return new File(webgoatHome);
@@ -93,7 +81,7 @@ public WebSession webSession(WebgoatContext webgoatContext) {
     @Bean
     @Scope(value = "session", proxyMode = ScopedProxyMode.TARGET_CLASS)
     public UserSessionData userSessionData() {
-        return new UserSessionData("test","data");
+        return new UserSessionData("test", "data");
     }
 
     @Bean

diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java b/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
@@ -31,6 +31,7 @@
 package org.owasp.webgoat;
 
 import lombok.AllArgsConstructor;
+import org.owasp.webgoat.login.LogoutHandler;
 import org.owasp.webgoat.users.UserService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
@@ -52,6 +53,7 @@
 public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 
     private final UserService userDetailsService;
+    private final LogoutHandler logoutHandler;
 
     @Override
     protected void configure(HttpSecurity http) throws Exception {
@@ -69,8 +71,8 @@ protected void configure(HttpSecurity http) throws Exception {
                 .passwordParameter("password")
                 .permitAll();
         security.and()
-                .logout()
-                .permitAll();
+                .logout().deleteCookies("JSESSIONID").invalidateHttpSession(true)
+                .permitAll().logoutSuccessHandler(logoutHandler);
         security.and().csrf().disable();
 
         http.headers().cacheControl().disable();

diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java
@@ -108,4 +108,8 @@ protected AttackResult.AttackResultBuilder success() {
     protected AttackResult.AttackResultBuilder failed() {
         return AttackResult.builder(messages).lessonCompleted(false).feedback("assignment.not.solved");
     }
+
+    protected AttackResult.AttackResultBuilder informationMessage() {
+        return AttackResult.builder(messages).lessonCompleted(false);
+    }
 }