Added new endpoint for POST so it will give feedback to the UI. It now

ended up in a HTTP/405 which does not give any feedback to the UI
fynch3r · Aug 17, 2019 · 6d36e7d · 6d36e7d
1 parent e01c2a3
commit 6d36e7d
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 26 deletions.
diff --git a/...ssons/http-proxies/src/main/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequest.java b/...ssons/http-proxies/src/main/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequest.java
@@ -3,41 +3,37 @@
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.ResponseBody;
-
-import javax.servlet.http.HttpServletRequest;
-import java.io.IOException;
+import org.springframework.web.bind.MissingServletRequestParameterException;
+import org.springframework.web.bind.annotation.*;
 
 /**
  * *************************************************************************************************
- *
- *
+ * <p>
+ * <p>
  * This file is part of WebGoat, an Open Web Application Security Project
  * utility. For details, please see http://www.owasp.org/
- *
+ * <p>
  * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
+ * <p>
  * This program is free software; you can redistribute it and/or modify it under
  * the terms of the GNU General Public License as published by the Free Software
  * Foundation; either version 2 of the License, or (at your option) any later
  * version.
- *
+ * <p>
  * This program is distributed in the hope that it will be useful, but WITHOUT
  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
  * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
- *
+ * <p>
  * You should have received a copy of the GNU General Public License along with
  * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
  * Place - Suite 330, Boston, MA 02111-1307, USA.
- *
+ * <p>
  * Getting Source ==============
- *
+ * <p>
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
  * for free software projects.
- *
+ * <p>
  * For details, please see http://webgoat.github.io
  *
  * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
@@ -46,18 +42,25 @@
 @AssignmentPath("/HttpProxies/intercept-request")
 public class HttpBasicsInterceptRequest extends AssignmentEndpoint {
 
-	@RequestMapping(method = RequestMethod.GET)
-	public @ResponseBody
-	AttackResult completed(HttpServletRequest request) {
-		String header = null;
-		String param = null;
-		if (request != null && (header = request.getHeader("x-request-intercepted")) != null
-			&& header.toLowerCase().equals("true") 
-			&& (param = request.getParameter("changeMe")) != null
-			&& param.equals("Requests are tampered easily")) {
+    @GetMapping
+    @ResponseBody
+    public AttackResult completed(@RequestHeader(value = "x-request-intercepted", required = false) Boolean headerValue,
+                                  @RequestParam(value = "changeMe", required = false) String paramValue) {
+        if (headerValue != null && paramValue != null && headerValue && "Requests are tampered easily".equalsIgnoreCase(paramValue)) {
             return trackProgress(success().feedback("http-proxies.intercept.success").build());
-		} else {
+        } else {
             return trackProgress(failed().feedback("http-proxies.intercept.failure").build());
         }
-	}
+    }
+
+    @PostMapping
+    @ResponseBody
+    public AttackResult post() {
+        return trackProgress(failed().feedback("http-proxies.intercept.failure").build());
+    }
+
+    @ExceptionHandler(MissingServletRequestParameterException.class)
+    public AttackResult handleMissingParams() {
+        return trackProgress(failed().feedback("http-proxies.intercept.failure").build());
+    }
 }
diff --git a/...s/http-proxies/src/test/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequestTest.java b/...s/http-proxies/src/test/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequestTest.java
@@ -69,4 +69,32 @@ public void failure() throws Exception {
                 .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("http-proxies.intercept.failure"))))
                 .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
     }
+
+    @Test
+    public void missingParam() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.get("/HttpProxies/intercept-request")
+                .header("x-request-intercepted", "false"))
+                .andExpect(status().isOk())
+                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("http-proxies.intercept.failure"))))
+                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+    }
+
+    @Test
+    public void missingHeader() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.get("/HttpProxies/intercept-request")
+                .param("changeMe", "Requests are tampered easily"))
+                .andExpect(status().isOk())
+                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("http-proxies.intercept.failure"))))
+                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+    }
+
+    @Test
+    public void whenPostAssignmentShouldNotPass() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.post("/HttpProxies/intercept-request")
+                .header("x-request-intercepted", "true")
+                .param("changeMe", "Requests are tampered easily"))
+                .andExpect(status().isOk())
+                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("http-proxies.intercept.failure"))))
+                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+    }
 }