Merged branch 'next' of https://github.com/WebGoat/WebGoat into next

lolandkidtress · Aug 28, 2014 · d6e68e4 · d6e68e4
2 parents ea81253 + 1c72097
commit d6e68e4
Show file tree

Hide file tree

Showing 321 changed files with 896 additions and 229 deletions.
diff --git a/README.txt b/README.txt
@@ -3,14 +3,13 @@
 **********          August 23, 2014
 **********
 **
-**  Home Page:    http://code.google.com/p/webgoat
-**  Home Page:    http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
-**  Source Code:  http://code.google.com/p/webgoat/source/checkout
-**  Download:     http://code.google.com/p/webgoat/downloads/list   
-**  Download:     http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 (older stuff)
-**  User Guide:   http://www.owasp.org/index.php/WebGoat_User_and_Install_Guide_Table_of_Contents
-**  Wiki:         http://code.google.com/p/webgoat/w/list
-**  FAQ:          http://code.google.com/p/webgoat/wiki/FAQ
+**  Home Page:              http://webgoat.github.io
+**  Home Page:              http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
+**  Source Code:            https://github.com/WebGoat/WebGoat
+**  Easy-Run Download:      https://webgoat.atlassian.net/builds/browse/WEB-DAIL/latestSuccessful/artifact/JOB1/WebGoat-Embedded-Tomcat/WebGoat-6.0-SNAPSHOT-war-exec.jar  
+**  User Guide:             http://www.owasp.org/index.php/WebGoat_User_and_Install_Guide_Table_of_Contents
+**  Wiki:                   http://code.google.com/p/webgoat/w/list
+**  FAQ:                    http://code.google.com/p/webgoat/wiki/FAQ
 **  Contact Info: [email protected] (Direct to Bruce Mayhew)
 **  Mailing List: [email protected] (WebGoat Community - For most questions)
 **
@@ -45,7 +44,7 @@ Follow these instructions if you simply wish to run WebGoat
 
     Prerequisites:  Java VM >= 1.6 installed ( JDK 1.7 recommended)
     Download the executable jar file to any location of your choice from:
-        http://github.com/path/to/download/WebGoat-6.0-exec-war.jar
+        https://webgoat.atlassian.net/builds/browse/WEB-DAIL/latestSuccessful/artifact/JOB1/WebGoat-Embedded-Tomcat/WebGoat-6.0-SNAPSHOT-war-exec.jar
 
     Run it using java:
         java -jar WebGoat-6.0-exec-war.jar

diff --git a/newDesign/index.html b/newDesign/index.html
@@ -164,7 +164,7 @@
                		<div class="col-md-12">
                			<div class="panel">
                             <div class="panel-body">
-               					<h1>About WebGoat</h1>
+               					<h1>About WebGoat</h1> <span style="btn">Text</span>
                					<hr />
                					<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque volutpat feugiat nunc, non vulputate urna dictum ut. Nam consectetur porttitor diam ut ultricies. Aenean dolor dolor, congue sed ornare non, elementum in mauris. Phasellus orci sem, rhoncus eu laoreet eu, aliquam nec ante. Suspendisse sit amet justo eget eros tempor tincidunt vel quis justo. Sed pulvinar enim id neque pellentesque, eu rhoncus lorem eleifend. Morbi congue tortor sit amet pulvinar posuere.</p>
               					<p>Integer rhoncus gravida arcu, at bibendum magna feugiat sit amet. Vivamus id lacinia massa. Praesent eu quam ullamcorper, tempor elit nec, lobortis massa. In in eros eu augue rhoncus semper. Vestibulum ornare purus vitae bibendum vulputate. Cras eleifend commodo lectus, eget pharetra justo mollis quis. Donec tempor magna lectus, vitae suscipit turpis venenatis et. Nulla facilisi.</p>

diff --git a/pom.xml b/pom.xml
@@ -22,6 +22,14 @@
     </properties>
 
     <build>
+        <resources>
+            <resource>
+                <directory>${basedir}/src/main/java</directory>
+            </resource>
+                        <resource>
+                <directory>${basedir}/src/main/resources</directory>
+            </resource>
+        </resources>
         <plugins>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
@@ -33,23 +41,23 @@
                 </configuration>
             </plugin>
             <plugin>
-              <groupId>org.apache.tomcat.maven</groupId>
-              <artifactId>tomcat7-maven-plugin</artifactId>
-              <version>2.1</version>
-              <executions>
-                <execution>
-                  <id>tomcat-run</id>
-                  <goals>
-                    <goal>exec-war-only</goal>
-                  </goals>
-                  <phase>package</phase>
-                  <configuration>
-                    <url>http://localhost:8080/manager</url>
-                    <path>/WebGoat</path>
-                    <attachArtifactClassifier>exec</attachArtifactClassifier>
-                  </configuration>
-                </execution>
-              </executions>
+                <groupId>org.apache.tomcat.maven</groupId>
+                <artifactId>tomcat7-maven-plugin</artifactId>
+                <version>2.1</version>
+                <executions>
+                    <execution>
+                        <id>tomcat-run</id>
+                        <goals>
+                            <goal>exec-war-only</goal>
+                        </goals>
+                        <phase>package</phase>
+                        <configuration>
+                            <url>http://localhost:8080/manager</url>
+                            <path>/WebGoat</path>
+                            <attachArtifactClassifier>exec</attachArtifactClassifier>
+                        </configuration>
+                    </execution>
+                </executions>
             </plugin>            
         </plugins>
     </build>

diff --git a/src/main/java/org/owasp/webgoat/HammerHead.java b/src/main/java/org/owasp/webgoat/HammerHead.java
@@ -129,6 +129,7 @@ public void doPost(HttpServletRequest request, HttpServletResponse response) thr
             // FIXME: If a response is written by updateSession(), do not
             // call makeScreen() and writeScreen()
             mySession = updateSession(request, response, context);
+
             if (response.isCommitted()) {
                 logger.debug("Response already committed, exiting");
                 return;

diff --git a/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java b/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java
@@ -30,6 +30,8 @@
 import org.owasp.webgoat.session.WebSession;
 import org.owasp.webgoat.session.WebgoatContext;
 import org.owasp.webgoat.session.WebgoatProperties;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 /**
  * *************************************************************************************************
@@ -66,6 +68,8 @@
  */
 public abstract class AbstractLesson extends Screen implements Comparable<Object> {
 
+    final Logger logger = LoggerFactory.getLogger(AbstractLesson.class);
+
     /**
      * Description of the Field
      */
@@ -496,9 +500,8 @@ public String getRawSource(WebSession s) {
         String src;
 
         try {
-            // System.out.println("Loading source file: " +
-            // getSourceFileName());
-            src = readFromFile(new BufferedReader(new FileReader(s.getWebResource(getSourceFileName()))), true);
+            logger.debug("Loading source file: " + getSourceFileName());
+            src = readFromFile(new BufferedReader(new FileReader(s.getWebResource(getSourceFileName()))), false);
 
         } catch (FileNotFoundException e) {
             s.setMessage("Could not find source file");
@@ -782,8 +785,7 @@ public String getSourceFileName() {
     }
 
     public void setSourceFileName(String sourceFileName) {
-        // System.out.println("Setting source file of lesson " + this + " to: "
-        // + sourceFileName);
+        logger.debug("Setting source file of lesson " + this + " to: " + sourceFileName);
         this.sourceFileName = sourceFileName;
     }
 

diff --git a/src/main/java/org/owasp/webgoat/service/BaseService.java b/src/main/java/org/owasp/webgoat/service/BaseService.java
@@ -30,6 +30,8 @@
  */
 package org.owasp.webgoat.service;
 
+import java.io.PrintWriter;
+import java.io.StringWriter;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
 import org.owasp.webgoat.controller.Welcome;
@@ -59,7 +61,8 @@ ExceptionInfo handleException(HttpServletRequest request, Exception ex) {
         logger.error("Exception handler for service caught exception when processing: " + url, ex);
         ExceptionInfo response = new ExceptionInfo();
         response.setUrl(url);
-        response.setMessage(ex.toString());
+
+        response.setMessage(getStringStackTrace(ex));
 
         return response;
     }
@@ -77,4 +80,10 @@ public WebSession getWebSession(HttpSession session) {
         return ws;
     }
 
+    public String getStringStackTrace(Throwable t){
+        StringWriter sw = new StringWriter();
+        PrintWriter pw = new PrintWriter(sw);
+        t.printStackTrace(pw);
+        return sw.toString();
+    }
 }
diff --git a/src/main/java/org/owasp/webgoat/service/CookieService.java b/src/main/java/org/owasp/webgoat/service/CookieService.java
@@ -30,13 +30,16 @@
  */
 package org.owasp.webgoat.service;
 
+import java.util.Collections;
 import java.util.List;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpSession;
+import org.owasp.webgoat.lessons.model.RequestParameter;
 import org.owasp.webgoat.session.WebSession;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.servlet.ModelAndView;
 
 /**
  *
@@ -58,4 +61,23 @@ List<Cookie> showCookies(HttpSession session) {
         List<Cookie> cookies = ws.getCookiesOnLastRequest();
         return cookies;
     }
+
+    /**
+     * Returns cookies and params for current lesson
+     *
+     * @param session
+     * @return
+     */
+    @RequestMapping(value = "/cookies_widget.mvc", produces = "text/html")
+    public ModelAndView showCookiesAndParamsAsHtml(HttpSession session) {
+        ModelAndView model = new ModelAndView();
+        WebSession ws = getWebSession(session);
+        List<Cookie> cookies = ws.getCookiesOnLastRequest();
+        List<RequestParameter> listParms = ws.getParmsOnLastRequest();
+        Collections.sort(listParms);
+        model.addObject("wgcookies", cookies);
+        model.addObject("wgparams", listParms);
+        model.setViewName("widgets/cookies_and_params");
+        return model;
+    }
 }
diff --git a/src/main/java/org/owasp/webgoat/service/HintService.java b/src/main/java/org/owasp/webgoat/service/HintService.java
@@ -14,6 +14,7 @@
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.servlet.ModelAndView;
 
 /**
  *
@@ -53,4 +54,33 @@ List<Hint> showHint(HttpSession session) {
         }
         return listHints;
     }
+
+    @RequestMapping(value = "/hint_widget.mvc", produces = "text/html")
+    public
+            ModelAndView showHintsAsHtml(HttpSession session) {
+        ModelAndView model = new ModelAndView();
+        List<Hint> listHints = new ArrayList<Hint>();
+        model.addObject("hints", listHints);
+        WebSession ws = getWebSession(session);
+        AbstractLesson l = ws.getCurrentLesson();
+        if (l == null) {            
+            return model;
+        }
+        List<String> hints;
+        hints = l.getHintsPublic(ws);
+        if (hints == null) {
+            return model;
+        }
+        int idx = 0;
+        for (String h : hints) {
+            Hint hint = new Hint();
+            hint.setHint(h);
+            hint.setLesson(l.getName());
+            hint.setNumber(idx);
+            listHints.add(hint);
+            idx++;
+        }
+        model.setViewName("widgets/hints");
+        return model;
+    }
 }
diff --git a/src/main/java/org/owasp/webgoat/service/LessonPlanService.java b/src/main/java/org/owasp/webgoat/service/LessonPlanService.java
@@ -54,14 +54,15 @@ public class LessonPlanService extends BaseService {
      * @param session
      * @return
      */
-    @RequestMapping(value = "/lessonplan.mvc", produces = "application/json")
+    @RequestMapping(value = "/lessonplan.mvc", produces = "application/html")
     public @ResponseBody
-    SourceListing showSource(HttpSession session) {
+    String showPlan(HttpSession session) {
         WebSession ws = getWebSession(session);
-        String source = getSource(ws);
-        SourceListing sl = new SourceListing();
-        sl.setSource(source);
-        return sl;
+        String plan = getPlan(ws);
+        return plan;
+        //SourceListing sl = new SourceListing();
+        //sl.setSource(source);
+        //return sl;
     }
 
     /**
@@ -70,9 +71,9 @@ SourceListing showSource(HttpSession session) {
      * @param s Description of the Parameter
      * @return Description of the Return Value
      */
-    protected String getSource(WebSession s) {
+    protected String getPlan(WebSession s) {
 
-        String source = null;
+        String plan = null;
         int scr = s.getCurrentScreen();
         Course course = s.getCourse();
 
@@ -81,14 +82,12 @@ protected String getSource(WebSession s) {
             AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
 
             if (lesson != null) {
-                source = lesson.getRawSource(s);
+                plan = lesson.getLessonPlan(s);
             }
         }
-        if (source == null) {
-            return "Source code is not available. Contact "
-                    + s.getWebgoatContext().getFeedbackAddressHTML();
+        if (plan == null) {
+            plan = "Plan is not available for this lesson.";
         }
-        return (source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP,
-                "Code Section Deliberately Omitted"));
+        return plan;
     }
 }
diff --git a/src/main/java/org/owasp/webgoat/service/ParameterService.java b/src/main/java/org/owasp/webgoat/service/ParameterService.java
@@ -33,7 +33,6 @@
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
-import java.util.Map;
 import javax.servlet.http.HttpSession;
 import org.owasp.webgoat.lessons.model.RequestParameter;
 import org.owasp.webgoat.session.WebSession;
@@ -61,9 +60,8 @@ public class ParameterService extends BaseService {
     @RequestMapping(value = "/parameter.mvc", produces = "application/json")
     public @ResponseBody
     List<RequestParameter> showParameters(HttpSession session) {
-        List<RequestParameter> listParms = new ArrayList<RequestParameter>();
         WebSession ws = getWebSession(session);
-        listParms = ws.getParmsOnLastRequest();
+        List<RequestParameter> listParms = ws.getParmsOnLastRequest();
         Collections.sort(listParms);
         return listParms;
     }

diff --git a/src/main/java/org/owasp/webgoat/service/SolutionService.java b/src/main/java/org/owasp/webgoat/service/SolutionService.java
@@ -31,10 +31,7 @@
 package org.owasp.webgoat.service;
 
 import javax.servlet.http.HttpSession;
-import static org.owasp.webgoat.LessonSource.END_SOURCE_SKIP;
-import static org.owasp.webgoat.LessonSource.START_SOURCE_SKIP;
 import org.owasp.webgoat.lessons.AbstractLesson;
-import org.owasp.webgoat.lessons.model.SourceListing;
 import org.owasp.webgoat.session.Course;
 import org.owasp.webgoat.session.WebSession;
 import org.springframework.stereotype.Controller;

diff --git a/src/main/java/org/owasp/webgoat/service/SourceService.java b/src/main/java/org/owasp/webgoat/service/SourceService.java
@@ -34,7 +34,6 @@
 import static org.owasp.webgoat.LessonSource.END_SOURCE_SKIP;
 import static org.owasp.webgoat.LessonSource.START_SOURCE_SKIP;
 import org.owasp.webgoat.lessons.AbstractLesson;
-import org.owasp.webgoat.lessons.model.SourceListing;
 import org.owasp.webgoat.session.Course;
 import org.owasp.webgoat.session.WebSession;
 import org.springframework.stereotype.Controller;
@@ -54,14 +53,18 @@ public class SourceService extends BaseService {
      * @param session
      * @return
      */
-    @RequestMapping(value = "/source.mvc", produces = "application/json")
+    @RequestMapping(value = "/source.mvc", produces = "application/text")
     public @ResponseBody
-    SourceListing showSource(HttpSession session) {
+    String showSource(HttpSession session) {
         WebSession ws = getWebSession(session);
         String source = getSource(ws);
-        SourceListing sl = new SourceListing();
-        sl.setSource(source);
-        return sl;
+        if (source == null) {
+            source = "No source listing found";
+        }
+        return source;
+        //SourceListing sl = new SourceListing();
+        //sl.setSource(source);
+        //return sl;
     }
 
     /**
@@ -85,8 +88,7 @@ protected String getSource(WebSession s) {
             }
         }
         if (source == null) {
-            return "Source code is not available. Contact "
-                    + s.getWebgoatContext().getFeedbackAddressHTML();
+            return "Source code is not available for this lesson.";
         }
         return (source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP,
                 "Code Section Deliberately Omitted"));