Ch1 less default (WebGoat#814)

* random pincode in challenge1 * unit test fix
zubcevic · Dec 3, 2020 · e20534c · e20534c
1 parent c7327b3
commit e20534c
Show file tree

Hide file tree

Showing 6 changed files with 66 additions and 4 deletions.
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/ChallengeTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/ChallengeTest.java
@@ -3,24 +3,38 @@
 
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
+import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
 import org.junit.jupiter.api.Test;
 
 import io.restassured.RestAssured;
+import static org.owasp.webgoat.challenges.SolutionConstants.PASSWORD;
+
 
 public class ChallengeTest extends IntegrationTest {
 
 	@Test
     public void testChallenge1() {
     	startLesson("Challenge1");      
 
+    	byte[] resultBytes = 
+        		RestAssured.given()
+                .when()
+                .relaxedHTTPSValidation()
+                .cookie("JSESSIONID", getWebGoatCookie())
+                .get(url("/WebGoat/challenge/logo"))
+                .then()
+                .statusCode(200)
+                .extract().asByteArray();
+
+    	String pincode = new String(Arrays.copyOfRange(resultBytes, 81216, 81220));
     	Map<String, Object> params = new HashMap<>();
         params.clear();
         params.put("username", "admin");
-        params.put("password", "!!webgoat_admin_1234!!");
+        params.put("password", PASSWORD.replace("1234", pincode));
 
 
         checkAssignment(url("/WebGoat/challenge/1"), params, true);

diff --git a/...-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/Assignment1.java b/...-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/Assignment1.java
@@ -46,7 +46,7 @@ public class Assignment1 extends AssignmentEndpoint {
     @ResponseBody
     public AttackResult completed(@RequestParam String username, @RequestParam String password, HttpServletRequest request) {
         boolean ipAddressKnown =  true;
-        boolean passwordCorrect = "admin".equals(username) && PASSWORD.equals(password);
+        boolean passwordCorrect = "admin".equals(username) && PASSWORD.replace("1234", String.format("%04d",ImageServlet.PINCODE)).equals(password);
         if (passwordCorrect && ipAddressKnown) {
             return success(this).feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(1)).build();
         } else if (passwordCorrect) {

diff --git a/...lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/ImageServlet.java b/...lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/ImageServlet.java
@@ -0,0 +1,44 @@
+package org.owasp.webgoat.challenges.challenge1;
+
+import java.io.IOException;
+import java.security.SecureRandom;
+
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.core.io.ClassPathResource;
+import org.springframework.http.MediaType;
+import org.springframework.util.FileCopyUtils;
+
+@WebServlet(name = "ImageServlet", urlPatterns = "/challenge/logo")
+public class ImageServlet extends HttpServlet {
+
+	private static final long serialVersionUID = 9132775506936676850L;
+	static final public int PINCODE = new SecureRandom().nextInt(10000);
+
+	@Override
+	protected void doGet(HttpServletRequest request, HttpServletResponse response)
+			throws ServletException, IOException {
+
+		byte[] in = new ClassPathResource("images/webgoat2.png").getInputStream().readAllBytes();
+
+		String pincode = String.format("%04d", PINCODE);
+
+		in[81216]=(byte) pincode.charAt(0);
+		in[81217]=(byte) pincode.charAt(1);
+		in[81218]=(byte) pincode.charAt(2);
+		in[81219]=(byte) pincode.charAt(3);
+
+	    response.setContentType(MediaType.IMAGE_PNG_VALUE);
+	    FileCopyUtils.copy(in, response.getOutputStream());
+	}
+
+	@Override
+	protected void doPost(HttpServletRequest request, HttpServletResponse response)
+			throws ServletException, IOException {
+		doGet(request, response);
+	}
+}
diff --git a/webgoat-lessons/challenge/src/main/resources/html/Challenge1.html b/webgoat-lessons/challenge/src/main/resources/html/Challenge1.html
@@ -12,7 +12,7 @@
         <div class="container-fluid">
             <div class="panel panel-default">
                 <div class="panel-heading">
-                    <img th:src="@{/images/webgoat2.png}" class="img-thumbnail"/>
+                    <img th:src="@{/challenge/logo}" class="img-thumbnail"/>
                 </div>
                 <div class="panel-body">
                     <form class="attack-form" accept-charset="UNKNOWN"

diff --git a/webgoat-lessons/challenge/src/test/java/org/owasp/webgoat/challenges/Assignment1Test.java b/webgoat-lessons/challenge/src/test/java/org/owasp/webgoat/challenges/Assignment1Test.java
@@ -29,12 +29,14 @@
 import org.mockito.junit.MockitoJUnitRunner;
 import org.owasp.webgoat.assignments.AssignmentEndpointTest;
 import org.owasp.webgoat.challenges.challenge1.Assignment1;
+import org.owasp.webgoat.challenges.challenge1.ImageServlet;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
 import java.net.InetAddress;
 
 import static org.mockito.Mockito.when;
+import static org.owasp.webgoat.challenges.SolutionConstants.PASSWORD;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
 
@@ -62,7 +64,7 @@ public void success() throws Exception {
         mockMvc.perform(MockMvcRequestBuilders.post("/challenge/1")
                 .header("X-Forwarded-For", host)
                 .param("username", "admin")
-                .param("password", SolutionConstants.PASSWORD))
+                .param("password", SolutionConstants.PASSWORD.replace("1234", String.format("%04d",ImageServlet.PINCODE))))
                 .andExpect(jsonPath("$.feedback", CoreMatchers.containsString("flag: " + Flag.FLAGS.get(1))))
                 .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
     }

diff --git a/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java b/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java
@@ -28,6 +28,7 @@
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.boot.web.servlet.ServletComponentScan;
 import org.springframework.boot.web.servlet.support.SpringBootServletInitializer;
 import org.springframework.util.StringUtils;
 
@@ -38,6 +39,7 @@
  * @date 2/21/17
  */
 @SpringBootApplication(scanBasePackages = "org.owasp.webgoat")
+@ServletComponentScan
 @Slf4j
 public class StartWebGoat extends SpringBootServletInitializer {