Merge branch 'next' of https://github.com/WebGoat/WebGoat into next
Conflicts:
	.gitignore
act-ive committed Sep 10, 2014
2 parents 624e8a4 + 8eac6ef commit 1cfbe2b
Showing 313 changed files with 563 additions and 218 deletions.
15 changes: 13 additions & 2 deletions .gitignore
@@ -1,5 +1,18 @@
/nb-configuration.xml
/nbactions.xml
/target/
/.classpath
/.project
/.settings/.jsdtscope
/.settings/org.eclipse.jdt.core.prefs
/.settings/org.eclipse.m2e.core.prefs
/.settings/org.eclipse.wst.common.component
/.settings/org.eclipse.wst.common.project.facet.core.prefs.xml
/.settings/org.eclipse.wst.common.project.facet.core.xml
/.settings/org.eclipse.wst.jsdt.ui.superType.container
/.settings/org.eclipse.wst.jsdt.ui.superType.name
/.settings/org.eclipse.wst.validation.prefs
/.externalToolBuilders/
.project
/target
.classpath
Expand All @@ -11,5 +24,3 @@ src/main/main.iml
*.LOCAL.*.jsp
*.REMOTE.*.jsp



4 changes: 2 additions & 2 deletions src/main/java/org/owasp/webgoat/HammerHead.java
Expand Up @@ -134,8 +134,8 @@ public void doPost(HttpServletRequest request, HttpServletResponse response) thr
logger.debug("Response already committed, exiting");
return;
}

if ("true".equals(request.getParameter("start"))) {
if ("true".equals(request.getParameter("start")) || request.getQueryString() == null) {
logger.warn("Redirecting to start controller");
response.sendRedirect("start.mvc");
return;
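Review bot: The added `request.getQueryString() == null` test in `doPost` also matches a form POST whose parameters travel in the request body, so such a request would be redirected to `start.mvc` and its submitted data dropped. If the intent is only to catch a bare visit with no parameters, `request.getParameterMap().isEmpty()` (or limiting the test to GET requests) expresses that more precisely. The redirect is logged at `warn`, which will now fire on ordinary navigation; `logger.debug("Redirecting to start controller");` fits better. `doPost` begins and ends outside the hunk, so whether bare POSTs reach this branch in practice should be confirmed.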
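--- a/src/main/java/org/owasp/webgoat/controller/About.java
+++ b/src/main/java/org/owasp/webgoat/controller/About.java
@@ -0,0 +1,49 @@
+/*
+* To change this license header, choose License Headers in Project Properties.
+* To change this template file, choose Tools | Templates
+* and open the template in the editor.
+*/
+package org.owasp.webgoat.controller;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.servlet.ModelAndView;
+
+/**
+*
+* @author rlawson
+*/
+@Controller
+public class About {
+
+final Logger logger = LoggerFactory.getLogger(About.class);
+private static final String WELCOMED = "welcomed";
+
+@RequestMapping(value = "about.mvc", method = RequestMethod.GET)
+public ModelAndView welcome(HttpServletRequest request,
+@RequestParam(value = "error", required = false) String error,
+@RequestParam(value = "logout", required = false) String logout) {
+
+// set the welcome attribute
+// this is so the attack servlet does not also
+// send them to the welcome page
+HttpSession session = request.getSession();
+if (session.getAttribute(WELCOMED) == null) {
+session.setAttribute(WELCOMED, "true");
+}
+
+//go ahead and send them to webgoat (skip the welcome page)
+ModelAndView model = new ModelAndView();
+//model.setViewName("welcome");
+//model.setViewName("main_new");
+model.setViewName("about");
+return model;
+}
+
+}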
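Review bot: `welcome` in the new `About` controller carries logic the about page does not appear to need: the `error` and `logout` request parameters are never read, and every visit sets the `welcomed` session attribute, which (going by the inline comment) would presumably stop the attack servlet from sending a user to the welcome page if they open About first. `request.getSession()` also creates a session when none exists, which a static page has no use for. Unless that side effect is intended, the handler could shrink to `public ModelAndView about() { return new ModelAndView("about"); }`. The commented-out `setViewName` lines, the IDE template license header and the "skip the welcome page" comment should go as well, and `logger` should be declared `private static final`.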
5 changes: 2 additions & 3 deletions src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java
Expand Up @@ -19,7 +19,9 @@
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.Body;
import org.apache.ecs.html.Center;
import org.apache.ecs.html.Form;
import org.apache.ecs.html.H1;
import org.apache.ecs.html.Head;
import org.apache.ecs.html.Html;
import org.apache.ecs.html.IMG;
Expand Down Expand Up @@ -729,11 +731,8 @@ public static Element readMethodFromFile(BufferedReader reader, String methodNam
*/
public void handleRequest(WebSession s) {
// call createContent first so messages will go somewhere

Form form = new Form(getFormAction(), Form.POST).setName("form").setEncType("");

form.addElement(createContent(s));

setContent(form);
}

Expand Up @@ -103,7 +103,7 @@ public String getLessonSolutionFileName(WebSession s)
{
String solutionFileName = null;
String stage = getStage(s);
solutionFileName = "/lesson_solutions/Lab XSS/Lab " + stage + ".html";
solutionFileName = "/lesson_solutions_1/Lab XSS/Lab " + stage + ".html";
return solutionFileName;
}

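Review bot: The solution directory literal `"/lesson_solutions_1/"` is hard-coded separately in this `getLessonSolutionFileName` and in the two identical methods further down (the `Lab Access Control` and `Lab SQL Injection` hunks), so the next rename has to touch every lesson again. A single shared constant in a common base class, for example `protected static final String LESSON_SOLUTIONS_DIR = "/lesson_solutions_1";` (the name is illustrative), would keep them in step. `stage` is concatenated straight into the path and `getStage` is outside the hunk; if it can ever return anything other than a fixed stage name, it should be checked against the known stages before the path is built. The result can also be returned directly rather than first initialising `solutionFileName` to `null`.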
3 changes: 3 additions & 0 deletions src/main/java/org/owasp/webgoat/lessons/HttpBasics.java
Expand Up @@ -2,9 +2,11 @@

import java.util.ArrayList;
import java.util.List;

import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.BR;
import org.apache.ecs.html.Input;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession;
Expand Down Expand Up @@ -58,6 +60,7 @@ protected Element createContent(WebSession s) {

StringBuffer person = null;
try {
ec.addElement(new BR());
ec.addElement(new StringElement(WebGoatI18N.get("EnterYourName") + ": "));

person = new StringBuffer(s.getParser().getStringParameter(PERSON, ""));
4 changes: 2 additions & 2 deletions src/main/java/org/owasp/webgoat/lessons/HttpSplitting.java
@@ -1,7 +1,6 @@

package org.owasp.webgoat.lessons;

import java.io.PrintWriter;
import java.net.URLDecoder;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
Expand Down Expand Up @@ -54,7 +53,8 @@ public class HttpSplitting extends SequentialLessonAdapter
private static String STAGE = "stage";

public final static A MAC_LOGO = new A().setHref("http://www.softwaresecured.com").addElement(new IMG("images/logos/softwaresecured.gif").setAlt("Software Secured").setBorder(0).setHspace(0).setVspace(0));
/**

/**
* Description of the Method
*
* @param s
Expand Up @@ -176,7 +176,7 @@ public String getLessonSolutionFileName(WebSession s)
{
String solutionFileName = null;
String stage = getStage(s);
solutionFileName = "/lesson_solutions/Lab Access Control/Lab " + stage + ".html";
solutionFileName = "/lesson_solutions_1/Lab Access Control/Lab " + stage + ".html";
return solutionFileName;
}

Expand Up @@ -272,7 +272,7 @@ public String getLessonSolutionFileName(WebSession s)
{
String solutionFileName = null;
String stage = getStage(s);
solutionFileName = "/lesson_solutions/Lab SQL Injection/Lab " + stage + ".html";
solutionFileName = "/lesson_solutions_1/Lab SQL Injection/Lab " + stage + ".html";
return solutionFileName;
}
}
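--- a/src/main/java/org/owasp/webgoat/service/LessonTitleService.java
+++ b/src/main/java/org/owasp/webgoat/service/LessonTitleService.java
@@ -0,0 +1,40 @@
+package org.owasp.webgoat.service;
+
+import javax.servlet.http.HttpSession;
+
+import org.owasp.webgoat.lessons.AbstractLesson;
+import org.owasp.webgoat.session.Course;
+import org.owasp.webgoat.session.WebSession;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+@Controller
+public class LessonTitleService extends BaseService {
+
+/**
+* Returns the title for the current attack
+*
+* @param session
+* @return
+*/
+@RequestMapping(value = "/lessontitle.mvc", produces = "application/html")
+public @ResponseBody
+String showPlan(HttpSession session) {
+WebSession ws = getWebSession(session);
+return getLessonTitle(ws);
+}
+
+private String getLessonTitle(WebSession s) {
+String title = "";
+int scr = s.getCurrentScreen();
+Course course = s.getCourse();
+
+if (s.isUser() || s.isChallenge()) {
+AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
+title = lesson != null ? lesson.getTitle() : "";
+}
+return title;
+}
+
+}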
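Review bot: `produces = "application/html"` on `showPlan` is not a registered media type, so the response carries a content type that browsers do not treat as HTML; `produces = "text/html"` (or `"text/plain"`, since only a title is returned) is the usual value. The title is written to the response body without encoding, so if any lesson title can contain markup or user-influenced text it should be HTML-escaped here or in the client code that inserts it. `getLessonTitle` dereferences `s` (and `course`) without a null check and `getWebSession` is defined outside this file, so a request without an initialised WebSession may end in a NullPointerException rather than an empty title. The Javadoc and the name `showPlan` look copied from another service; `@param session the HTTP session holding the WebSession` and `@return the current lesson's title, or an empty string` would document what the method does.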
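--- a/src/main/webapp/WEB-INF/pages/about.jsp
+++ b/src/main/webapp/WEB-INF/pages/about.jsp
@@ -0,0 +1,124 @@
+<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
+errorPage=""%>
+
+<!-- Latest compiled and minified CSS -->
+<link rel="stylesheet" href="plugins/bootstrap/css/bootstrap.min.css"/>
+<link rel="stylesheet" href="css/webgoat.css" type="text/css" />
+
+<div class="modal-header">
+<button type="button" class="close" data-dismiss="modal"><span aria-hidden="true">&times;</span><span class="sr-only">Close</span></button>
+<h1 class="modal-title" id="myModalLabel">About WebGoat</h1>
+</div>
+<div class="modal-body">
+<p>Thank you for using WebGoat! This program is a demonstration of common web application flaws.
+The exercises are intended to provide hands on experience with
+application penetration testing techniques. </p>
+<p>The WebGoat project is led
+by Bruce Mayhew. Please send all comments to Bruce at [TODO, session was blowing up here for some reason].</p>
+
+<div id="team">
+<table border="0" align="center" class="lessonText">
+<tr>
+<td width="50%">
+<div align="center"><a href="http://www.owasp.org"><img
+border="0" src="images/logos/owasp.jpg" alt="OWASP Foundation"
+longdesc="http://www.owasp.org" /></a></div>
+</td>
+<td width="50%">
+<div align="center"><a href="http://www.aspectsecurity.com"><img
+border="0" src="images/logos/aspect.jpg" alt="Aspect Security"
+longdesc="http://www.aspectsecurity.com" /></a></div>
+</td>
+</tr>
+<tr>
+<td colspan="2">
+<div align="center"><span class="style1">
+WebGoat Authors </span></div>
+</td>
+</tr>
+<tr>
+<td colspan="2">
+<div align="center"><span class="style2">
+Bruce Mayhew </span></div>
+</td>
+</tr>
+<tr>
+<td colspan="2">
+<div align="center"><span class="style2">
+Jeff Williams </span></div>
+</td>
+</tr>
+<tr>
+<td width="50%">
+<div align="center"><span class="style1"><br />
+WebGoat Design Team </span></div>
+</td>
+<td width="50%">
+<div align="center"><span class="style1"><br />
+V5.4 Lesson Contributers </span></div>
+</td>
+</tr>
+<tr>
+<td valign="top">
+<div align="center" class="style2">David Anderson</div>
+<div align="center" class="style2">Laurence Casey (Graphics)</div>
+<div align="center" class="style2">Rogan Dawes</div>
+<div align="center" class="style2">Bruce Mayhew</div>
+</td>
+<td valign="top">
+<div align="center" class="style2">Sherif Koussa</div>
+<div align="center" class="style2">Yiannis Pavlosoglou</div>
+<div align="center" class="style2"></div>
+
+</td>
+</tr>
+<tr>
+<td height="25" valign="bottom">
+<div align="center"><span class="style1">Special Thanks
+for V5.4</span></div>
+</td>
+<td height="25" valign="bottom">
+<div align="center"><span class="style1">Documentation
+Contributers</span></div>
+</td>
+</tr>
+<tr>
+<td>
+<div align="center" class="style2">Brian Ciomei (Multitude of bug fixes)</div>
+<div align="center" class="style2">To all who have sent comments</div>
+
+</td>
+<td>
+<div align="center" class="style2">
+<a href="http://www.zionsecurity.com/" target="_blank">Erwin Geirnaert</a></div>
+<div align="center" class="style2">
+<a href="http://yehg.org/" target="_blank">Aung Khant</a></div>
+<div align="center" class="style2">
+<a href="http://www.softwaresecured.com" target="blank">Sherif Koussa</a>
+</div>
+</td>
+</tr>
+<tr>
+<td>
+<div align="center" class="style2">&nbsp;</div>
+</td>
+</tr>
+</table>
+</div>
+<div align="center" class="style2">&nbsp;</div>
+<div align="center" class="style2">&nbsp;</div>
+<div align="center" class="style2">&nbsp;</div>
+<div id="warning">WARNING<br />
+While running this program, your machine is extremely vulnerable to
+attack if you are not running on localhost. If you are NOT running on localhost (default configuration), You should disconnect from the network while using this program.
+<br />
+<br />
+This program is for educational purposes only. Use of these techniques
+without permission could lead to job termination, financial liability,
+and/or criminal penalties.</div>
+</div>
+<div class="modal-footer">
+<button type="button" class="btn btn-default" data-dismiss="modal">Close</button>
+</div>
+
+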
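Review bot: The external links near the end of the table open new windows without `rel="noopener noreferrer"`, and the Sherif Koussa link uses `target="blank"` (a window named "blank") where the other two use `target="_blank"`; `<a href="http://www.softwaresecured.com" target="_blank" rel="noopener noreferrer">` fixes both for that link. The contact sentence ships the placeholder `[TODO, session was blowing up here for some reason]` to users and should be replaced or removed before release. "Contributers" is misspelled in two headings, and the page declares `ISO-8859-1`; UTF-8 would be safer if names with characters outside Latin-1 are ever added to the credits.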
