From 0319c477b1bd7aad36fe65bc6f3408787c32e583 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ren=C3=A9=20Zubcevic?= Date: Sun, 29 Sep 2019 14:46:18 +0200 Subject: [PATCH] XSS lesson completion fixes (#669) * XSS lesson completion fixes * removed log all * lesson progress capable of deprecated assignments in the database * fixed unit test for lesson progress --- .../org/owasp/webgoat/lessons/Assignment.java | 11 +++ .../webgoat/service/LessonMenuService.java | 28 +++++++- .../service/LessonProgressService.java | 45 ++++++++++-- .../org/owasp/webgoat/session/WebSession.java | 8 +-- .../service/LessonMenuServiceTest.java | 2 +- .../service/LessonProgressServiceTest.java | 1 + .../org/owasp/webgoat/GeneralLessonTest.java | 16 +++++ .../org/owasp/webgoat/IntegrationTest.java | 15 +++- .../test/java/org/owasp/webgoat/XSSTest.java | 68 +++++++++++++++++++ .../xss/CrossSiteScriptingLesson3.java | 9 ++- .../xss/CrossSiteScriptingLesson4.java | 24 +++---- .../xss/CrossSiteScriptingLesson5a.java | 4 -- .../xss/CrossSiteScriptingLesson6a.java | 3 - .../webgoat/xss/CrossSiteScriptingQuiz.java | 4 +- .../webgoat/xss/DOMCrossSiteScripting.java | 1 - .../xss/DOMCrossSiteScriptingVerifier.java | 4 -- .../CrossSiteScriptingMitigation.java | 2 +- .../CrossSiteScriptingStored.java | 2 +- .../StoredCrossSiteScriptingVerifier.java | 8 +-- .../xss/{ => stored}/StoredXssComments.java | 12 ++-- .../resources/html/CrossSiteScripting.html | 2 +- .../webgoat/xss/StoredXssCommentsTest.java | 7 +- 22 files changed, 218 insertions(+), 58 deletions(-) create mode 100644 webgoat-integration-tests/src/test/java/org/owasp/webgoat/XSSTest.java rename webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/{ => mitigation}/CrossSiteScriptingMitigation.java (97%) rename webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/{ => stored}/CrossSiteScriptingStored.java (97%) rename webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/{ => stored}/StoredCrossSiteScriptingVerifier.java (92%) rename 
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/{ => stored}/StoredXssComments.java (91%) diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Assignment.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Assignment.java index fc44ab7340..91d6b1937f 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Assignment.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Assignment.java @@ -45,6 +45,7 @@ public class Assignment { private Long id; private String name; private String path; + @Transient private List hints; @@ -64,4 +65,14 @@ public Assignment(String name, String path, List hints) { this.path = path; this.hints = hints; } + + /** + * Set path is here to overwrite stored paths. + * Since a stored path can no longer be used in a lesson while + * the lesson (name) itself is still part of the lesson. + * @param pathName + */ + public void setPath(String pathName) { + this.path = pathName; + } } diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonMenuService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonMenuService.java index 62864d5622..d1d8c4efca 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonMenuService.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonMenuService.java @@ -30,6 +30,7 @@ import lombok.AllArgsConstructor; import org.owasp.webgoat.lessons.Lesson; +import org.owasp.webgoat.lessons.Assignment; import org.owasp.webgoat.lessons.Category; import org.owasp.webgoat.lessons.LessonMenuItem; import org.owasp.webgoat.lessons.LessonMenuItemType; @@ -45,6 +46,7 @@ import java.util.ArrayList; import java.util.Comparator; import java.util.List; +import java.util.Map; import java.util.stream.Collectors; /** 
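Review bot: `setPath` lets a caller overwrite the path of an `Assignment` that was loaded from the database, and LessonProgressService in this same commit calls it purely to shape JSON output; if that instance is a managed JPA entity, the new path can be flushed back to the table on commit, so either the call site should work on a copy or the Javadoc should state that the setter is for presentation only and must not be used on a managed entity. The `@param pathName` tag is empty and the second sentence of the Javadoc does not parse; suggest `@param pathName the path currently registered for this assignment in the lesson; replaces the value loaded from the database, which may point to a retired endpoint`.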
@@ -88,7 +90,8 @@ List showLeftNav() { lessonItem.setLink(lesson.getLink()); lessonItem.setType(LessonMenuItemType.LESSON); LessonTracker lessonTracker = userTracker.getLessonTracker(lesson); - lessonItem.setComplete(lessonTracker.isLessonSolved()); + boolean lessonSolved = lessonCompleted(lessonTracker.getLessonOverview(), lesson); + lessonItem.setComplete(lessonSolved); categoryItem.addChild(lessonItem); } categoryItem.getChildren().sort((o1, o2) -> o1.getRanking() - o2.getRanking()); @@ -97,4 +100,27 @@ List showLeftNav() { return menu; } + + /** + * This determines if the lesson is complete based on data in the database + * and the list of assignments actually linked to the existing current lesson. + * This way older removed assignments will not prevent a lesson from being completed. + * @param map + * @param currentLesson + * @return + */ + private boolean lessonCompleted(Map map, Lesson currentLesson) { + boolean result = true; + for (Map.Entry entry : map.entrySet()) { + Assignment storedAssignment = entry.getKey(); + for (Assignment lessonAssignment: currentLesson.getAssignments()) { + if (lessonAssignment.getName().equals(storedAssignment.getName())) { + result = result && entry.getValue(); + break; + } + } + + } + return result; + } } diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java index 52b02542e4..de29eb0d69 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java 
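Review bot: `lessonCompleted` in the second hunk is a verbatim copy of the private method added to LessonProgressService in the same commit; one implementation (for example on LessonTracker, next to `getLessonOverview`) would keep the menu and the progress view from disagreeing later. The loop also keeps scanning after `result` has become false, and the nested search reads more directly as a stream, as below. Note that a lesson assignment with no entry in `map` is never examined, so completion silently depends on the tracker pre-populating every assignment with `false` — that appears to be how the tracker is built but it is not visible here. `entry.getValue()` unboxes, so a null value would throw; the stream form keeps that behaviour.
```java
private boolean lessonCompleted(Map<Assignment, Boolean> map, Lesson currentLesson) {
    // only assignments that still exist in the lesson count; retired ones are ignored
    return map.entrySet().stream()
            .filter(e -> currentLesson.getAssignments().stream()
                    .anyMatch(a -> a.getName().equals(e.getKey().getName())))
            .allMatch(Map.Entry::getValue);
}
```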
@@ -47,7 +47,7 @@ public Map getLessonInfo() {
 String successMessage = "";
 boolean lessonCompleted = false;
 if (lessonTracker != null) {
- lessonCompleted = lessonTracker.isLessonSolved();
+ lessonCompleted = lessonCompleted(lessonTracker.getLessonOverview(),webSession.getCurrentLesson());
 successMessage = "LessonCompleted"; //@todo we still use this??
 }
 json.put("lessonCompleted", lessonCompleted);
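Review bot: The new call hands `webSession.getCurrentLesson()` to `lessonCompleted`, which dereferences it, whereas the `lessonOverview()` hunk below guards the same value with `if ( currentLesson != null )` and the replaced `isLessonSolved()` never touched the lesson; `getLessonInfo` begins outside the hunk, so whether the lesson can be null at this point is not visible here. If it can, widen the guard: `Lesson currentLesson = webSession.getCurrentLesson();` / `if (lessonTracker != null && currentLesson != null) {` / `lessonCompleted = lessonCompleted(lessonTracker.getLessonOverview(), currentLesson);`. The missing space after the comma in the argument list should be fixed either way.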
@@ -70,19 +70,56 @@ public List lessonOverview() { List result = Lists.newArrayList(); if ( currentLesson != null ) { LessonTracker lessonTracker = userTracker.getLessonTracker(currentLesson); - result = toJson(lessonTracker.getLessonOverview()); + result = toJson(lessonTracker.getLessonOverview(), currentLesson); } return result; } - private List toJson(Map map) { + private List toJson(Map map, Lesson currentLesson) { List result = new ArrayList(); for (Map.Entry entry : map.entrySet()) { - result.add(new LessonOverview(entry.getKey(), entry.getValue())); + Assignment storedAssignment = entry.getKey(); + for (Assignment lessonAssignment: currentLesson.getAssignments()) { + if (lessonAssignment.getName().equals(storedAssignment.getName()) + && !lessonAssignment.getPath().equals(storedAssignment.getPath())) { + //here a stored path in the assignments table will be corrected for the JSON output + //with the value of the actual expected path + storedAssignment.setPath(lessonAssignment.getPath()); + result.add(new LessonOverview(storedAssignment, entry.getValue())); + break; + + } else if (lessonAssignment.getName().equals(storedAssignment.getName())) { + result.add(new LessonOverview(storedAssignment, entry.getValue())); + break; + } + } + //assignments not in the list will not be put in the lesson progress JSON output + } return result; } + /** + * Get the lesson completed based on Assignment data from the database + * while ignoring assignments no longer in the application. + * @param map + * @param currentLesson + * @return + */ + private boolean lessonCompleted(Map map, Lesson currentLesson) { + boolean result = true; + for (Map.Entry entry : map.entrySet()) { + Assignment storedAssignment = entry.getKey(); + for (Assignment lessonAssignment: currentLesson.getAssignments()) { + if (lessonAssignment.getName().equals(storedAssignment.getName())) { + result = result && entry.getValue(); + break; + } + } + + } + return result; + } @AllArgsConstructor @Getter 
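Review bot: Both branches of the `if` in `toJson` add the same `LessonOverview` and break; the only difference is the `setPath` call, so one name check with a nested path check says the same thing with less code, as below. More importantly, `storedAssignment.setPath(...)` mutates the key object of `lessonTracker.getLessonOverview()` in order to fix the JSON; if those keys are managed entities or are cached in the tracker, the correction outlives this request and can be persisted, which the comment ("corrected for the JSON output") does not intend — passing `lessonAssignment` to `LessonOverview` instead, if it carries the same fields, or building a fresh `Assignment` avoids that. The enclosing class continues outside the hunk.
```java
for (Map.Entry<Assignment, Boolean> entry : map.entrySet()) {
    Assignment storedAssignment = entry.getKey();
    for (Assignment lessonAssignment : currentLesson.getAssignments()) {
        if (lessonAssignment.getName().equals(storedAssignment.getName())) {
            // the stored path may point at a retired endpoint; show the live one
            if (!lessonAssignment.getPath().equals(storedAssignment.getPath())) {
                storedAssignment.setPath(lessonAssignment.getPath());
            }
            result.add(new LessonOverview(storedAssignment, entry.getValue()));
            break;
        }
    }
}
// … unchanged: return result …
```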
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java index b1088b3777..667dee5cec 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java @@ -1,10 +1,10 @@ package org.owasp.webgoat.session; -import lombok.extern.slf4j.Slf4j; import org.owasp.webgoat.lessons.Lesson; import org.owasp.webgoat.users.WebGoatUser; import org.springframework.security.core.context.SecurityContextHolder; +import java.io.Serializable; import java.sql.Connection; import java.sql.SQLException; @@ -37,10 +37,10 @@ * @version $Id: $Id * @since October 28, 2003 */ -@Slf4j -public class WebSession { +public class WebSession implements Serializable { - private final WebGoatUser currentUser; + private static final long serialVersionUID = -4270066103101711560L; + private final WebGoatUser currentUser; private final WebgoatContext webgoatContext; private Lesson currentLesson; diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/service/LessonMenuServiceTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/service/LessonMenuServiceTest.java index 0d24821751..64e23be42d 100644 --- a/webgoat-container/src/test/java/org/owasp/webgoat/service/LessonMenuServiceTest.java +++ b/webgoat-container/src/test/java/org/owasp/webgoat/service/LessonMenuServiceTest.java @@ -50,7 +50,7 @@ @RunWith(MockitoJUnitRunner.class) public class LessonMenuServiceTest { - @Mock + @Mock(lenient=true) private LessonTracker lessonTracker; @Mock private Course course; diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/service/LessonProgressServiceTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/service/LessonProgressServiceTest.java index 9dad43bddd..1ddb4189fa 100644 --- a/webgoat-container/src/test/java/org/owasp/webgoat/service/LessonProgressServiceTest.java 
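Review bot: Making `WebSession` `Serializable` only works if `WebGoatUser`, `WebgoatContext` and `Lesson` (the field types visible in the hunk) are serializable too; none of them is shown here, and a non-serializable field fails at session-serialization time with `NotSerializableException`, not at compile time. `webgoatContext` looks like application-scoped configuration that should be re-injected rather than written to a session store, so marking it `transient` (and restoring it on deserialization) is worth considering; likewise, if `WebGoatUser` carries the password hash, serializing the session widens where that value is written. The class body continues outside the hunk.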
+++ b/webgoat-container/src/test/java/org/owasp/webgoat/service/LessonProgressServiceTest.java @@ -76,6 +76,7 @@ public void setup() { when(userTrackerRepository.findByUser(any())).thenReturn(userTracker); when(userTracker.getLessonTracker(any(Lesson.class))).thenReturn(lessonTracker); when(websession.getCurrentLesson()).thenReturn(lesson); + when(lesson.getAssignments()).thenReturn(List.of(assignment)); when(lessonTracker.getLessonOverview()).thenReturn(Maps.newHashMap(assignment, true)); this.mockMvc = MockMvcBuilders.standaloneSetup(new LessonProgressService(userTrackerRepository, websession)).build(); } diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/GeneralLessonTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/GeneralLessonTest.java index f4ecbc4ea1..9456406c60 100644 --- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/GeneralLessonTest.java +++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/GeneralLessonTest.java @@ -123,4 +123,20 @@ public void chrome() { checkResults("/ChromeDevTools/"); } + + @Test + public void authByPass() { + startLesson("AuthBypass"); + Map params = new HashMap<>(); + params.clear(); + params.put("secQuestion2", "John"); + params.put("secQuestion3", "Main"); + params.put("jsEnabled", "1"); + params.put("verifyMethod", "SEC_QUESTIONS"); + params.put("userId", "12309746"); + checkAssignment(url("/auth-bypass/verify-account"), params, true); + checkResults("/auth-bypass/"); + + } + } diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java index d5f0924ca4..0355fd4022 100644 --- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java +++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java 
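Review bot: In `authByPass` the `params.clear()` immediately after `new HashMap<>()` is a no-op and can be dropped; the same pattern opens `crossSiteScriptingAssignments` in the new XSSTest. The test also exercises the auth-bypass lesson although the commit subject is XSS lesson fixes; if it is here because the completion logic changed, a one-line comment such as `// regression check for lesson completion after the assignment/overview changes` would explain the placement.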
@@ -211,7 +211,7 @@ public void checkResults(String prefix) { .config(restConfig) .cookie("JSESSIONID", getWebGoatCookie()) .get(url("service/lessonoverview.mvc")) - .then() + .then() .statusCode(200).extract().jsonPath().getList("solved"), CoreMatchers.everyItem(CoreMatchers.is(true))); Assert.assertThat(RestAssured.given() @@ -238,5 +238,18 @@ public void checkAssignment(String url, ContentType contentType, String body, bo .extract().path("lessonCompleted"), CoreMatchers.is(expectedResult)); } + public void checkAssignmentWithGet(String url, Map params, boolean expectedResult) { + Assert.assertThat( + RestAssured.given() + .when() + .config(restConfig) + .cookie("JSESSIONID", getWebGoatCookie()) + .queryParams(params) + .get(url) + .then() + .statusCode(200) + .extract().path("lessonCompleted"), CoreMatchers.is(expectedResult)); + } + } diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XSSTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XSSTest.java new file mode 100644 index 0000000000..b773841c90 --- /dev/null +++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XSSTest.java 
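Review bot: `checkAssignmentWithGet` has no Javadoc although it is the new public helper test classes will call; suggest `/** Sends {@code params} as query parameters with GET and asserts that the {@code lessonCompleted} field of the JSON response equals {@code expectedResult}. */` above it. It duplicates the POST variant except for `.queryParams(params).get(url)`, so a shared private assertion on the response would keep the two in step if the cookie or config handling changes.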
@@ -0,0 +1,68 @@ +package org.owasp.webgoat; + +import org.junit.Test; + +import io.restassured.RestAssured; + +import java.util.HashMap; +import java.util.Map; + +public class XSSTest extends IntegrationTest { + + + @Test + public void crossSiteScriptingAssignments() { + startLesson("CrossSiteScripting"); + + Map params = new HashMap<>(); + params.clear(); + params.put("answer_xss_1", "yes"); + checkAssignment(url("/CrossSiteScripting/attack1"), params, true); + + params.clear(); + params.put("QTY1", "1"); + params.put("QTY2", "1"); + params.put("QTY3", "1"); + params.put("QTY4", "1"); + params.put("field1", ""); + params.put("field2", "111"); + checkAssignmentWithGet(url("/CrossSiteScripting/attack5a"), params, true); + + params.clear(); + params.put("DOMTestRoute", "start.mvc#test"); + checkAssignment(url("/CrossSiteScripting/attack6a"), params, true); + + params.clear(); + params.put("param1", "42"); + params.put("param2", "24"); + + String result = + RestAssured.given() + .when() + .config(restConfig) + .cookie("JSESSIONID", getWebGoatCookie()) + .header("webgoat-requested-by", "dom-xss-vuln") + .header("X-Requested-With", "XMLHttpRequest") + .formParams(params) + .post(url("/CrossSiteScripting/phone-home-xss")) + .then() + .statusCode(200) + .extract().path("output"); + String secretNumber = result.substring("phoneHome Response is ".length()); + + params.clear(); + params.put("successMessage", secretNumber); + checkAssignment(url("/CrossSiteScripting/dom-follow-up"), params, true); + + params.clear(); + params.put("question_0_solution", "Solution 4: No because the browser trusts the website if it is acknowledged trusted, then the browser does not know that the script is malicious."); + params.put("question_1_solution", "Solution 3: The data is included in dynamic content that is sent to a web user without being validated for malicious content."); + params.put("question_2_solution", "Solution 1: The script is permanently stored on the server and the victim 
gets the malicious script when requesting information from the server."); + params.put("question_3_solution", "Solution 2: They reflect the injected script off the web server. That occurs when input sent to the web server is part of the request."); + params.put("question_4_solution", "Solution 4: No there are many other ways. Like HTML, Flash or any other type of code that the browser executes."); + checkAssignment(url("/CrossSiteScripting/quiz"), params, true); + + checkResults("/CrossSiteScripting/"); + + } +} diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson3.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson3.java index ddb5bd564e..3a37f6c036 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson3.java +++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson3.java 
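Review bot: `result.substring("phoneHome Response is ".length())` throws `StringIndexOutOfBoundsException` with no useful message when the `output` field is shorter than the prefix or its wording changes; assert the prefix first, e.g. `Assert.assertTrue(result, result.startsWith("phoneHome Response is "));` (with `org.junit.Assert` imported), so a failure points at the response rather than at string slicing. The quiz answers are hard-coded copies of the lesson text, so a wording change in the lesson will fail this test without indicating why; a comment naming the source of those strings would help the next maintainer.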
@@ -27,15 +27,18 @@ import org.jsoup.nodes.Document; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentHints; -import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; import org.springframework.web.bind.annotation.*; -@RestController +//@RestController +@Deprecated +//TODO This assignment seems not to be in use in the UI +// it is there to make sure the lesson can be marked complete +// in order to restore it, make it accessible through the UI and uncomment RestController @AssignmentHints(value = {"xss-mitigation-3-hint1", "xss-mitigation-3-hint2", "xss-mitigation-3-hint3", "xss-mitigation-3-hint4"}) public class CrossSiteScriptingLesson3 extends AssignmentEndpoint { - @PostMapping("CrossSiteScripting/attack3") + @PostMapping("/CrossSiteScripting/attack3") @ResponseBody public AttackResult completed(@RequestParam String editor) { String unescapedString = org.jsoup.parser.Parser.unescapeEntities(editor, true); diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson4.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson4.java index b9f46e348c..6e30f7f7d6 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson4.java +++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson4.java 
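Review bot: Commenting out `@RestController` while adding `@Deprecated` leaves commented-out code beside a `//TODO` block, and the corrected `@PostMapping("/CrossSiteScripting/attack3")` is now unreachable because the class is no longer a controller; the same pattern is in the CrossSiteScriptingLesson4 hunk. Prefer deleting the commented annotation and moving the explanation into Javadoc with an `@deprecated` tag stating that the class is kept only so the lesson's assignment list still contains `attack3` and that re-adding `@RestController` restores the endpoint, so the reason is visible to tooling and not only to readers of the source.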
@@ -24,28 +24,26 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentHints; -import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; import org.springframework.web.bind.annotation.*; -import javax.tools.*; -import java.io.IOException; -import java.net.URI; -import java.util.Arrays; -import java.util.List; -import java.util.regex.Matcher; -import java.util.regex.Pattern; +import lombok.extern.slf4j.Slf4j; -@RestController +//@RestController +@Deprecated +//TODO This assignment seems not to be in use in the UI +//it is there to make sure the lesson can be marked complete +//in order to restore it, make it accessible through the UI and uncomment RestController@Slf4j +@Slf4j @AssignmentHints(value = {"xss-mitigation-4-hint1"}) public class CrossSiteScriptingLesson4 extends AssignmentEndpoint { - @PostMapping("CrossSiteScripting/attack4") + @PostMapping("/CrossSiteScripting/attack4") @ResponseBody public AttackResult completed(@RequestParam String editor2) { String editor = editor2.replaceAll("\\<.*?>", ""); - System.out.println(editor); + log.debug(editor); if ((editor.contains("Policy.getInstance(\"antisamy-slashdot.xml\"") || editor.contains(".scan(newComment, \"antisamy-slashdot.xml\"") || editor.contains(".scan(newComment, new File(\"antisamy-slashdot.xml\")")) && editor.contains("new AntiSamy();") && @@ -53,10 +51,10 @@ public AttackResult completed(@RequestParam String editor2) { editor.contains("CleanResults") && editor.contains("MyCommentDAO.addComment(threadID, userID") && editor.contains(".getCleanHTML());")) { - System.out.println("true"); + log.debug("true"); return trackProgress(success().feedback("xss-mitigation-4-success").build()); } else { - System.out.println("false"); + log.debug("false"); return trackProgress(failed().feedback("xss-mitigation-4-failed").build()); } } 
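Review bot: The third `//TODO` line ends in `uncomment RestController@Slf4j`, which looks like the `@Slf4j` annotation was pasted onto the comment before being added on its own line; it should read `//in order to restore it, make it accessible through the UI and uncomment RestController`. `log.debug(editor)` also passes request-controlled text as the log message itself; `log.debug("editor: {}", editor)` keeps the untrusted value in a parameter position, which is the SLF4J convention and matches how the literals `log.debug("true")` / `log.debug("false")` are written.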
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java index 75dec4dffe..e21a49c153 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java +++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java @@ -25,15 +25,11 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentHints; -import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; import org.owasp.webgoat.session.UserSessionData; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.web.bind.annotation.*; -import javax.servlet.http.HttpServletRequest; -import java.io.IOException; - @RestController @AssignmentHints(value = {"xss-reflected-5a-hint-1", "xss-reflected-5a-hint-2", "xss-reflected-5a-hint-3", "xss-reflected-5a-hint-4"}) diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson6a.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson6a.java index c89c25115b..3b4d673d85 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson6a.java +++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson6a.java 
@@ -25,14 +25,11 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentHints; -import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; import org.owasp.webgoat.session.UserSessionData; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.web.bind.annotation.*; -import java.io.IOException; - @RestController @AssignmentHints(value = {"xss-reflected-6a-hint-1", "xss-reflected-6a-hint-2", "xss-reflected-6a-hint-3", "xss-reflected-6a-hint-4"}) diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingQuiz.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingQuiz.java index 67aea81438..671d5c2b9f 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingQuiz.java +++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingQuiz.java @@ -34,7 +34,7 @@ public class CrossSiteScriptingQuiz extends AssignmentEndpoint { String[] solutions = {"Solution 4", "Solution 3", "Solution 1", "Solution 2", "Solution 4"}; boolean[] guesses = new boolean[solutions.length]; - @PostMapping("/cross-site-scripting/quiz") + @PostMapping("/CrossSiteScripting/quiz") @ResponseBody public AttackResult completed(@RequestParam String[] question_0_solution, @RequestParam String[] question_1_solution, @RequestParam String[] question_2_solution, @RequestParam String[] question_3_solution, @RequestParam String[] question_4_solution) throws IOException { int correctAnswers = 0; @@ -59,7 +59,7 @@ public AttackResult completed(@RequestParam String[] question_0_solution, @Reque } } - @GetMapping("/cross-site-scripting/quiz") + @GetMapping("/CrossSiteScripting/quiz") @ResponseBody public boolean[] getResults() { return this.guesses; 
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java index 3f2aeb5edf..7bc84b7a23 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java +++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java @@ -28,7 +28,6 @@ import org.springframework.web.bind.annotation.*; import javax.servlet.http.HttpServletRequest; -import java.io.IOException; import java.security.SecureRandom; @RestController diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScriptingVerifier.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScriptingVerifier.java index 50d121c69d..596a510dde 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScriptingVerifier.java +++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScriptingVerifier.java @@ -24,14 +24,10 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentHints; -import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; import org.owasp.webgoat.session.UserSessionData; import org.springframework.web.bind.annotation.*; -import javax.servlet.http.HttpServletRequest; -import java.io.IOException; - /** * Created by jason on 11/23/16. */ 
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingMitigation.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/mitigation/CrossSiteScriptingMitigation.java similarity index 97% rename from webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingMitigation.java rename to webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/mitigation/CrossSiteScriptingMitigation.java index 5a7839baf5..ee5ccd62ea 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingMitigation.java +++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/mitigation/CrossSiteScriptingMitigation.java @@ -20,7 +20,7 @@ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects. */ -package org.owasp.webgoat.xss; +package org.owasp.webgoat.xss.mitigation; import org.owasp.webgoat.lessons.Category; import org.owasp.webgoat.lessons.Lesson; diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingStored.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/CrossSiteScriptingStored.java similarity index 97% rename from webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingStored.java rename to webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/CrossSiteScriptingStored.java index e1701a4985..f91865e51d 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingStored.java +++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/CrossSiteScriptingStored.java 
@@ -20,7 +20,7 @@ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects. */ -package org.owasp.webgoat.xss; +package org.owasp.webgoat.xss.stored; import org.owasp.webgoat.lessons.Category; import org.owasp.webgoat.lessons.Lesson; diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/StoredCrossSiteScriptingVerifier.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredCrossSiteScriptingVerifier.java similarity index 92% rename from webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/StoredCrossSiteScriptingVerifier.java rename to webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredCrossSiteScriptingVerifier.java index b510c7a6e9..840445e97a 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/StoredCrossSiteScriptingVerifier.java +++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredCrossSiteScriptingVerifier.java 
@@ -20,23 +20,21 @@ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects. */ -package org.owasp.webgoat.xss; +package org.owasp.webgoat.xss.stored; import org.owasp.webgoat.assignments.AssignmentEndpoint; -import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; import org.owasp.webgoat.session.UserSessionData; import org.springframework.web.bind.annotation.*; -import java.io.IOException; - /** * Created by jason on 11/23/16. */ @RestController public class StoredCrossSiteScriptingVerifier extends AssignmentEndpoint { - @PostMapping("/CrossSiteScripting/stored-xss-follow-up") + //TODO This assignment seems not to be in use in the UI + @PostMapping("/CrossSiteScriptingStored/stored-xss-follow-up") @ResponseBody public AttackResult completed(@RequestParam String successMessage) { UserSessionData userSessionData = getUserSessionData(); diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/StoredXssComments.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java similarity index 91% rename from webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/StoredXssComments.java rename to webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java index 4fc360b861..6669cfe372 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/StoredXssComments.java +++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java @@ -20,7 +20,7 @@ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects. */ -package org.owasp.webgoat.xss; +package org.owasp.webgoat.xss.stored; import com.beust.jcommander.internal.Lists; import com.fasterxml.jackson.databind.ObjectMapper; 
@@ -30,20 +30,18 @@ import org.joda.time.format.DateTimeFormat; import org.joda.time.format.DateTimeFormatter; import org.owasp.webgoat.assignments.AssignmentEndpoint; -import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; import org.owasp.webgoat.session.WebSession; +import org.owasp.webgoat.xss.Comment; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.http.MediaType; import org.springframework.web.bind.annotation.*; -import org.owasp.encoder.*; import static org.springframework.http.MediaType.ALL_VALUE; import java.io.IOException; import java.util.*; -import static org.springframework.web.bind.annotation.RequestMethod.GET; @RestController public class StoredXssComments extends AssignmentEndpoint { @@ -64,7 +62,8 @@ public class StoredXssComments extends AssignmentEndpoint { comments.add(new Comment("guest", DateTime.now().toString(fmt), "Can you post a comment, calling webgoat.customjs.phoneHome() ?")); } - @GetMapping(path = "/CrossSiteScripting/stored-xss", produces = MediaType.APPLICATION_JSON_VALUE, consumes = ALL_VALUE) + //TODO This assignment seems not to be in use in the UI + @GetMapping(path = "/CrossSiteScriptingStored/stored-xss", produces = MediaType.APPLICATION_JSON_VALUE, consumes = ALL_VALUE) @ResponseBody public Collection retrieveComments() { List allComments = Lists.newArrayList(); @@ -77,7 +76,8 @@ public Collection retrieveComments() { return allComments; } - @PostMapping("/CrossSiteScripting/stored-xss") + //TODO This assignment seems not to be in use in the UI + @PostMapping("/CrossSiteScriptingStored/stored-xss") @ResponseBody public AttackResult createNewComment(@RequestBody String commentStr) { Comment comment = parseJson(commentStr); 
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html b/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html index 6e7247ca2c..405d35e505 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html +++ b/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html @@ -182,7 +182,7 @@

Shopping Cart


diff --git a/webgoat-lessons/cross-site-scripting/src/test/java/org/owasp/webgoat/xss/StoredXssCommentsTest.java b/webgoat-lessons/cross-site-scripting/src/test/java/org/owasp/webgoat/xss/StoredXssCommentsTest.java index b5ec4bb728..ed78dc28df 100644 --- a/webgoat-lessons/cross-site-scripting/src/test/java/org/owasp/webgoat/xss/StoredXssCommentsTest.java +++ b/webgoat-lessons/cross-site-scripting/src/test/java/org/owasp/webgoat/xss/StoredXssCommentsTest.java @@ -28,6 +28,7 @@ import org.junit.runner.RunWith; import org.mockito.junit.MockitoJUnitRunner; import org.owasp.webgoat.assignments.AssignmentEndpointTest; +import org.owasp.webgoat.xss.stored.StoredXssComments; import org.springframework.http.MediaType; import org.springframework.test.web.servlet.MockMvc; import org.springframework.test.web.servlet.MvcResult; @@ -53,7 +54,7 @@ public void setup() { @Test public void success() throws Exception { - ResultActions results = mockMvc.perform(MockMvcRequestBuilders.post("/CrossSiteScripting/stored-xss") + ResultActions results = mockMvc.perform(MockMvcRequestBuilders.post("/CrossSiteScriptingStored/stored-xss") .content("{\"text\":\"someTextHereMoreTextHere\"}") .contentType(MediaType.APPLICATION_JSON)); @@ -63,7 +64,7 @@ public void success() throws Exception { @Test public void failure() throws Exception { - ResultActions results = mockMvc.perform(MockMvcRequestBuilders.post("/CrossSiteScripting/stored-xss") + ResultActions results = mockMvc.perform(MockMvcRequestBuilders.post("/CrossSiteScriptingStored/stored-xss") .content("{\"text\":\"someTextHereMoreTextHere\"}") .contentType(MediaType.APPLICATION_JSON)); 
@@ -80,7 +81,7 @@ public void failure() throws Exception { @Test public void isNotEncoded() throws Exception { //do get to get comments after posting xss payload - ResultActions taintedResults = mockMvc.perform(MockMvcRequestBuilders.get("/CrossSiteScripting/stored-xss")); + ResultActions taintedResults = mockMvc.perform(MockMvcRequestBuilders.get("/CrossSiteScriptingStored/stored-xss")); MvcResult mvcResult = taintedResults.andReturn(); assert(mvcResult.getResponse().getContentAsString().contains("