

Merge pull request WebGoat#620 from zubcevic/july2019-bugfixes
increased sql form fields and fixed chrome progress
zubcevic authored Jul 25, 2019
2 parents 33c73a7 + 7ad3996 commit ae674b9
Showing 20 changed files with 89 additions and 86 deletions.
Expand Up @@ -58,6 +58,8 @@
*/
@Configuration
public class MvcConfiguration extends WebMvcConfigurerAdapter {

private static final String UTF8 = "UTF-8";

@Autowired
@Qualifier("pluginTargetDirectory")
Expand All @@ -80,6 +82,7 @@ public TemplateResolver springThymeleafTemplateResolver(ApplicationContext appli
resolver.setSuffix(".html");
resolver.setOrder(1);
resolver.setCacheable(false);
resolver.setCharacterEncoding(UTF8);
resolver.setApplicationContext(applicationContext);
return resolver;
}
Expand All @@ -89,6 +92,7 @@ public LessonTemplateResolver lessonTemplateResolver(ResourceLoader resourceLoad
LessonTemplateResolver resolver = new LessonTemplateResolver(pluginTargetDirectory, resourceLoader);
resolver.setOrder(2);
resolver.setCacheable(false);
resolver.setCharacterEncoding(UTF8);
return resolver;
}

Expand All @@ -97,6 +101,7 @@ public AsciiDoctorTemplateResolver asciiDoctorTemplateResolver(Language language
AsciiDoctorTemplateResolver resolver = new AsciiDoctorTemplateResolver(language);
resolver.setCacheable(false);
resolver.setOrder(3);
resolver.setCharacterEncoding(UTF8);
return resolver;
}
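Review bot: The new `UTF8` constant is a hand-typed charset name, so a typo would only show up at runtime when a resolver first tries to use it; `private static final String UTF8 = StandardCharsets.UTF_8.name();` (with `java.nio.charset.StandardCharsets` imported) yields the same string and lets the compiler catch the mistake. The three `setCharacterEncoding(UTF8)` calls are applied consistently to all resolvers, which is the right shape. The methods `springThymeleafTemplateResolver`, `lessonTemplateResolver` and `asciiDoctorTemplateResolver` each start at a hunk header, outside the visible lines.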

8 changes: 7 additions & 1 deletion webgoat-container/src/main/resources/static/css/main.css
Expand Up @@ -1001,9 +1001,15 @@ cookie-container {
margin: 3px;
}

@keyframes blink {
50% { border-color: white; }
}

.cur-page {
border-bottom: 2px solid #000;
animation: blink 1.5s 2 forwards;
border: 3px solid blue;
color:#aaa;
background-color: lightsalmon;
}

span.show-next-page, span.show-prev-page {
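Review bot: `.cur-page` now declares `border-bottom: 2px solid #000;` and, two lines later, the shorthand `border: 3px solid blue;`; if the first declaration is a surviving line rather than this hunk's single deletion, the shorthand silently overrides it and it is dead, so either drop it or place it after `border`. The `forwards` fill mode in `animation: blink 1.5s 2 forwards;` retains the final keyframe, but `@keyframes blink` defines only a 50% frame, so the implied 100% frame is the base style and `forwards` changes nothing; `animation: blink 1.5s 2;` reads the same.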
Expand Up @@ -3,6 +3,7 @@
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.UserSessionData;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
Expand All @@ -21,7 +22,16 @@ public class NetworkDummy extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)
public
@ResponseBody
AttackResult completed(@RequestParam String networkNum) throws IOException {
return trackProgress(failed().feedback("network.request").build());
AttackResult completed(@RequestParam String successMessage) throws IOException {

UserSessionData userSessionData = getUserSessionData();
String answer = (String) userSessionData.getValue("randValue");

if (successMessage!=null && successMessage.equals(answer)) {
return trackProgress(success().feedback("xss-dom-message-success").build());
} else {
return trackProgress(failed().feedback("xss-dom-message-failure").build());
}

}
}
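Review bot: The cast `(String) userSessionData.getValue("randValue")` throws ClassCastException if the session holds a non-String under that key, and the `successMessage != null` guard protects the wrong side: a `@RequestParam` that is not marked `required = false` is rejected by Spring before the method runs, whereas `answer` is null whenever the value was never stored. Replace lines L88 and L90 with `Object stored = userSessionData.getValue("randValue");` and `if (stored instanceof String && stored.equals(successMessage)) {`, which treats a missing or wrongly typed session value as a failed attempt. The method still declares `throws IOException` although nothing in its body can throw it, and with real validation now living in a class named `NetworkDummy` a Javadoc line such as `/** Checks the DOM-message assignment: the submitted value must equal the random value stored in the session under "randValue". */` would save the next reader a detour. The enclosing class starts at the hunk header, outside the visible lines.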
Expand Up @@ -4,6 +4,7 @@
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
Expand All @@ -21,7 +22,7 @@
@AssignmentHints({"networkHint1", "networkHint2"})
public class NetworkLesson extends AssignmentEndpoint {

@RequestMapping(method = RequestMethod.POST)
@RequestMapping(method = RequestMethod.POST, params= {"network_num","number"})
public
@ResponseBody
AttackResult completed(@RequestParam String network_num, @RequestParam String number) throws IOException {
Expand All @@ -31,4 +32,11 @@ AttackResult completed(@RequestParam String network_num, @RequestParam String nu
return trackProgress(failed().feedback("network.failed").build());
}
}

@RequestMapping(method = RequestMethod.POST, params="networkNum")
public
@ResponseBody
ResponseEntity<?> ok(@RequestParam String networkNum) throws IOException {
return ResponseEntity.ok().build();
}
}
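Review bot: The new `ok` handler accepts any `networkNum` and always answers 200 with no body, so its purpose is invisible from the code; a Javadoc line such as `/** Dummy target for the generated request: it exists only so the call appears in the browser's Network tab and never validates networkNum. */` would make the intent explicit. It also declares `throws IOException` although nothing in it throws, and `@ResponseBody` is redundant on a method returning `ResponseEntity`. A request carrying `network_num`, `number` and `networkNum` together matches both mappings; Spring should prefer the mapping with more `params` conditions, but that ordering is worth a one-line comment rather than an unstated assumption.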
Expand Up @@ -2,25 +2,29 @@

<html xmlns:th="http://www.thymeleaf.org">

<!-- 1 -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:ChromeDevTools_intro.adoc"></div>
</div>

<!-- 2 -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:ChromeDevTools_elements.adoc"></div>
</div>

<!-- 3 -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:ChromeDevTools_console.adoc"></div>
</div>

<!-- 4 -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:ChromeDevTools_Assignment.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="DOMFollowUp"
action="/WebGoat/CrossSiteScripting/dom-follow-up"
action="/WebGoat/ChromeDevTools/dummy"
enctype="application/json;charset=UTF-8">
<input name="successMessage" value="" type="TEXT" />
<input name="submitMessage" value="Submit" type="SUBMIT"/>
Expand All @@ -30,17 +34,19 @@
</div>
</div>

<!-- 5 -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:ChromeDevTools_sources.adoc"></div>
</div>

<!-- 6 -->
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:ChromeDevTools_Assignment_Network.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/ChromeDevTools/dummy"
action="/WebGoat/ChromeDevTools/network"
enctype="application/json;charset=UTF-8">
<script>
// sample custom javascript in the recommended way ...
Expand Down Expand Up @@ -79,35 +85,4 @@
</div>
</div>

<!--
<div class="lesson-page-wrapper">
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/HttpBasics/attack1"
enctype="application/json;charset=UTF-8">
<script>
console.log("in listener");
document.getElementById("butn").addEventListener("click", function() {
document.getElementById("inp").value = Math.random() * 100;
});
</script>
<table>
<tr>
<td>Click this Button to make a request</td>
<td><Button id="butn"></Button></td>
<td><input id="inp" name="networkNumber" value="" type="hidden"/><input
name="SUBMIT" value="Go!" type="SUBMIT" /></td>
</tr>
<tr>
<td>The Network Number is:</td>
<td><input name="number" value="" type="text" /></td>
<td><button type="submit" formaction="/WebGoat/ChromeDevTools/network">Check</button></td>
</tr>
</table>
</form>
</div>
</div>
-->
</html>
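Review bot: The added `<!-- 1 -->` through `<!-- 6 -->` markers only record page order, which the sequence of `lesson-page-wrapper` blocks already shows; a label naming the page, e.g. `<!-- 4: DOM message assignment, posts to /WebGoat/ChromeDevTools/dummy -->`, would tell a maintainer why pages 4 and 6 post to different endpoints. The second hunk is a pure removal of a commented-out form and needs nothing further.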
Expand Up @@ -20,7 +20,7 @@
* @author nbaars
* @since 4/8/17.
*/
@AssignmentPath("SqlInjection/challenge")
@AssignmentPath("/SqlInjectionAdvanced/challenge")
@AssignmentHints(value = {"SqlInjectionChallenge1", "SqlInjectionChallenge2", "SqlInjectionChallenge3"})
@Slf4j
public class SqlInjectionChallenge extends AssignmentEndpoint {
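Review bot: The renamed paths are inconsistent about the leading slash: this file, `SqlInjectionChallengeLogin`, `SqlInjectionLesson6a`, `SqlInjectionLesson6b` and `SqlInjectionQuiz` get `/SqlInjectionAdvanced/...`, while `Servers`, `SqlInjectionLesson10a`, `SqlInjectionLesson10b` and `SqlInjectionLesson12a` get `SqlInjectionMitigations/...` without one. Whether `@AssignmentPath` and `@RequestMapping` normalize both forms is not visible here, so either pick one form for all nine annotations, e.g. `@AssignmentPath("/SqlInjectionMitigations/attack10a")`, or document in the annotation's Javadoc that the slash is optional. The class bodies start below the visible lines of each hunk.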
Expand Up @@ -17,7 +17,7 @@

import static org.springframework.web.bind.annotation.RequestMethod.POST;

@AssignmentPath("SqlInjection/challenge_Login")
@AssignmentPath("/SqlInjectionAdvanced/challenge_Login")
@Slf4j
@AssignmentHints(value ={"SqlInjectionChallengeHint1", "SqlInjectionChallengeHint2", "SqlInjectionChallengeHint3", "SqlInjectionChallengeHint4"})
public class SqlInjectionChallengeLogin extends AssignmentEndpoint {
Expand Up @@ -42,7 +42,7 @@
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
@AssignmentPath("/SqlInjection/attack6a")
@AssignmentPath("/SqlInjectionAdvanced/attack6a")
@AssignmentHints(value = {"SqlStringInjectionHint-advanced-6a-1", "SqlStringInjectionHint-advanced-6a-2", "SqlStringInjectionHint-advanced-6a-3",
"SqlStringInjectionHint-advanced-6a-4"})
public class SqlInjectionLesson6a extends AssignmentEndpoint {
Expand Down Expand Up @@ -83,7 +83,7 @@ protected AttackResult injectableQuery(String accountName) {

if (output.toString().contains("dave") && output.toString().contains("passW0rD")) {
output.append(appendingWhenSucceded);
return trackProgress(informationMessage().feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build());
return trackProgress(success().feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build());
} else {
return trackProgress(failed().output(output.toString() + "<br> Your query was: " + query).build());
}
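Review bot: `output.toString()` is now evaluated four times around the changed line (twice in the condition, once in `feedbackArgs`, and the `failed` branch builds it again), and the call in `feedbackArgs` happens after `output.append(appendingWhenSucceded)`, so the success feedback and the condition see different text without that being visible. A local `String result = output.toString();` before the `if` for the two `contains` checks, and `result = output.toString();` right after the append for `feedbackArgs`, keeps the behaviour identical while making the ordering explicit. `injectableQuery` begins at the hunk header, outside the visible lines.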
Expand Up @@ -47,7 +47,7 @@
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
@AssignmentPath("/SqlInjection/attack6b")
@AssignmentPath("/SqlInjectionAdvanced/attack6b")
public class SqlInjectionLesson6b extends AssignmentEndpoint {

@RequestMapping(method = RequestMethod.POST)
Expand Up @@ -21,7 +21,7 @@
* 3. add Request param with name of question to method head
* For a more detailed description how to implement the quiz go to the quiz.js file in webgoat-container -> js
*/
@AssignmentPath("/SqlInjection/quiz")
@AssignmentPath("/SqlInjectionAdvanced/quiz")
public class SqlInjectionQuiz extends AssignmentEndpoint {

String[] solutions = {"Solution 4", "Solution 3", "Solution 2", "Solution 3", "Solution 4"};
Expand Up @@ -20,7 +20,7 @@
* @since 6/13/17.
*/
@RestController
@RequestMapping("SqlInjection/servers")
@RequestMapping("SqlInjectionMitigations/servers")
public class Servers {

@AllArgsConstructor
Expand Up @@ -13,7 +13,7 @@
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;

@AssignmentPath("SqlInjection/attack10a")
@AssignmentPath("SqlInjectionMitigations/attack10a")
@Slf4j
@AssignmentHints(value = {"SqlStringInjectionHint-mitigation-10a-1", "SqlStringInjectionHint-mitigation-10a-10a2"})
public class SqlInjectionLesson10a extends AssignmentEndpoint {
Expand Up @@ -18,7 +18,7 @@
import java.util.regex.Matcher;
import java.util.regex.Pattern;

@AssignmentPath("SqlInjection/attack10b")
@AssignmentPath("SqlInjectionMitigations/attack10b")
@AssignmentHints(value = {"SqlStringInjectionHint-mitigation-10b-1", "SqlStringInjectionHint-mitigation-10b-2", "SqlStringInjectionHint-mitigation-10b-3", "SqlStringInjectionHint-mitigation-10b-4", "SqlStringInjectionHint-mitigation-10b-5"})
public class SqlInjectionLesson10b extends AssignmentEndpoint {

Expand Up @@ -20,7 +20,7 @@
* @author nbaars
* @since 6/13/17.
*/
@AssignmentPath("SqlInjection/attack12a")
@AssignmentPath("SqlInjectionMitigations/attack12a")
@AssignmentHints(value = {"SqlStringInjectionHint-mitigation-12a-1", "SqlStringInjectionHint-mitigation-12a-2", "SqlStringInjectionHint-mitigation-12a-3", "SqlStringInjectionHint-mitigation-12a-4"})
@Slf4j
public class SqlInjectionLesson12a extends AssignmentEndpoint {
Expand Up @@ -21,7 +21,7 @@
<table>
<tr>
<td><label>SQL query</label></td>
<td><input name="query" value="" type="TEXT" placeholder="SQL query"/></td>
<td width="100%"><input class="form-control" name="query" value="" type="TEXT" placeholder="SQL query"/></td>
</tr>
<tr>
<td><button type="SUBMIT">Submit</button></td>
Expand All @@ -46,7 +46,7 @@
<table>
<tr>
<td><label>SQL query</label></td>
<td><input name="query" value="" type="TEXT" placeholder="SQL query"/></td>
<td width="100%"><input class="form-control" name="query" value="" type="TEXT" placeholder="SQL query"/></td>
</tr>
<tr>
<td><button type="SUBMIT">Submit</button></td>
Expand All @@ -71,7 +71,7 @@
<table>
<tr>
<td><label>SQL query</label></td>
<td><input name="query" value="" type="TEXT" placeholder="SQL query"/></td>
<td width="100%"><input class="form-control" name="query" value="" type="TEXT" placeholder="SQL query"/></td>
</tr>
<tr>
<td><button type="SUBMIT">Submit</button></td>
Expand All @@ -96,7 +96,7 @@
<table>
<tr>
<td><label>SQL query</label></td>
<td><input name="query" value="" type="TEXT" placeholder="SQL query"/></td>
<td width="100%"><input class="form-control" name="query" value="" type="TEXT" placeholder="SQL query"/></td>
</tr>
<tr>
<td><button type="SUBMIT">Submit</button></td>
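Review bot: The four changed `<td>` lines use the presentational `width="100%"` attribute, which is obsolete in HTML5, right next to a `class="form-control"` that already moves styling into CSS; `<td style="width:100%">` or a rule on the table cell keeps the layout in one place. The identical edit in all four hunks of this file also shows that the query form is copied four times, which is a good candidate for a single Thymeleaf fragment included on each page.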

0 comments on commit ae674b9
