Merge pull request WebGoat#647 from WebGoat/separate_project

Nice work. I will add some tests for the missing parts in the SQL mitigations (in a separate pull request)
hazanasec · Sep 9, 2019 · 6e9a52a · 6e9a52a
2 parents f7c8a27 + bf52e7a
commit 6e9a52a
Show file tree

Hide file tree

Showing 33 changed files with 813 additions and 738 deletions.
diff --git a/pom.xml b/pom.xml
@@ -143,6 +143,7 @@
         <module>webgoat-lessons</module>
         <module>webgoat-server</module>
         <module>webwolf</module>
+        <module>webgoat-integration-tests</module>
     </modules>
 
     <dependencies>

diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java b/webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java
@@ -30,18 +30,14 @@
  */
 package org.owasp.webgoat;
 
-import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.plugins.PluginEndpointPublisher;
 import org.owasp.webgoat.plugins.PluginsLoader;
 import org.owasp.webgoat.session.Course;
 import org.owasp.webgoat.session.UserSessionData;
 import org.owasp.webgoat.session.WebSession;
 import org.owasp.webgoat.session.WebgoatContext;
 import org.springframework.beans.factory.annotation.Value;
-import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
-import org.springframework.boot.builder.SpringApplicationBuilder;
-import org.springframework.boot.web.support.SpringBootServletInitializer;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Scope;
@@ -51,17 +47,7 @@
 import java.io.File;
 
 @SpringBootApplication
-@Slf4j
-public class WebGoat extends SpringBootServletInitializer {
-
-    @Override
-    protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
-        return application.sources(WebGoat.class);
-    }
-
-    public static void main(String[] args) throws Exception {
-        SpringApplication.run(WebGoat.class, args);
-    }
+public class WebGoat {
 
     @Bean(name = "pluginTargetDirectory")
     public File pluginTargetDirectory(@Value("${webgoat.user.directory}") final String webgoatHome) {

diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java
@@ -58,7 +58,7 @@ public List<Assignment> getAssignments() {
      * Constructor for the Lesson object
      */
     public AbstractLesson() {
-        id = new Integer(++count);
+        id = ++count;
     }
 
 

diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Category.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Category.java
@@ -36,40 +36,40 @@
  */
 public enum Category {
 
-    INTRODUCTION("Introduction", new Integer(5)),
-    GENERAL("General", new Integer(100)),
+    INTRODUCTION("Introduction", 5),
+    GENERAL("General", 100),
 
-    INJECTION("(A1) Injection", new Integer(300)),
-    AUTHENTICATION("(A2) Broken Authentication", new Integer(302)),
-    INSECURE_COMMUNICATION("(A3) Sensitive Data Exposure", new Integer(303)),
-    XXE("(A4) XML External Entities (XXE)", Integer.valueOf(304)),
-    ACCESS_CONTROL("(A5) Broken Access Control", new Integer(305)),
+    INJECTION("(A1) Injection", 300),
+    AUTHENTICATION("(A2) Broken Authentication", 302),
+    INSECURE_COMMUNICATION("(A3) Sensitive Data Exposure", 303),
+    XXE("(A4) XML External Entities (XXE)", 304),
+    ACCESS_CONTROL("(A5) Broken Access Control", 305),
 
-    XSS("(A7) Cross-Site Scripting (XSS)", new Integer(307)),
-    INSECURE_DESERIALIZATION("(A8) Insecure Deserialization", new Integer(308)),
-    VULNERABLE_COMPONENTS("(A9) Vulnerable Components", new Integer(309)),
+    XSS("(A7) Cross-Site Scripting (XSS)", 307),
+    INSECURE_DESERIALIZATION("(A8) Insecure Deserialization", 308),
+    VULNERABLE_COMPONENTS("(A9) Vulnerable Components", 309),
 
-    REQUEST_FORGERIES("(A8:2013) Request Forgeries", new Integer(318)),
+    REQUEST_FORGERIES("(A8:2013) Request Forgeries", 318),
 
 
-    REQ_FORGERIES("Request Forgeries", new Integer(450)),
+    REQ_FORGERIES("Request Forgeries", 450),
 
-    INSECURE_CONFIGURATION("Insecure Configuration", new Integer(600)),
-    INSECURE_STORAGE("Insecure Storage", new Integer(800)),
+    INSECURE_CONFIGURATION("Insecure Configuration", 600),
+    INSECURE_STORAGE("Insecure Storage", 800),
 
 
-    AJAX_SECURITY("AJAX Security", new Integer(1000)),
-    BUFFER_OVERFLOW("Buffer Overflows", new Integer(1100)),
-    CODE_QUALITY("Code Quality", new Integer(1200)),
-    CONCURRENCY("Concurrency", new Integer(1300)),
-    ERROR_HANDLING("Improper Error Handling", new Integer(1400)),
-    DOS("Denial of Service", new Integer(1500)),
-    MALICIOUS_EXECUTION("Malicious Execution", new Integer(1600)),
-    CLIENT_SIDE("Client side", new Integer(1700)),
-    SESSION_MANAGEMENT("Session Management Flaws", new Integer(1800)),
-    WEB_SERVICES("Web Services", new Integer(1900)),
-    ADMIN_FUNCTIONS("Admin Functions", new Integer(2000)),
-    CHALLENGE("Challenges", new Integer(3000));
+    AJAX_SECURITY("AJAX Security", 1000),
+    BUFFER_OVERFLOW("Buffer Overflows", 1100),
+    CODE_QUALITY("Code Quality", 1200),
+    CONCURRENCY("Concurrency", 1300),
+    ERROR_HANDLING("Improper Error Handling", 1400),
+    DOS("Denial of Service", 1500),
+    MALICIOUS_EXECUTION("Malicious Execution", 1600),
+    CLIENT_SIDE("Client side", 1700),
+    SESSION_MANAGEMENT("Session Management Flaws", 1800),
+    WEB_SERVICES("Web Services", 1900),
+    ADMIN_FUNCTIONS("Admin Functions", 2000),
+    CHALLENGE("Challenges", 3000);
 
     @Getter
     private String name;

diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonAdapter.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonAdapter.java
@@ -51,7 +51,7 @@ public void restartLesson() {
         // Do Nothing - called when restart lesson is pressed. Each lesson can do something
     }
 
-    private final static Integer DEFAULT_RANKING = new Integer(1000);
+    private final static Integer DEFAULT_RANKING = 1000;
 
     /**
      * <p>getDefaultRanking.</p>

diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserForm.java b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserForm.java
@@ -16,7 +16,7 @@
 public class UserForm {
 
     @NotNull
-    @Size(min=6, max=20)
+    @Size(min=6, max=40)
     @Pattern(regexp = "[a-z0-9-]*", message = "can only contain lowercase letters, digits, and -")
     private String username;
     @NotNull

diff --git a/...src/main/resources/application.properties → .../resources/application-webgoat.properties b/...src/main/resources/application.properties → .../resources/application-webgoat.properties
diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/plugins/LessonTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/plugins/LessonTest.java
@@ -22,7 +22,7 @@
  * @since 5/20/17.
  */
 @SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
-@TestPropertySource(locations = "classpath:/application-test.properties")
+@TestPropertySource(locations = {"classpath:/application-webgoat.properties", "classpath:/application-test.properties"})
 public abstract class LessonTest {
 
     @LocalServerPort

diff --git a/webgoat-integration-tests/pom.xml b/webgoat-integration-tests/pom.xml
@@ -0,0 +1,66 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <artifactId>webgoat-integration-tests</artifactId>
+    <packaging>jar</packaging>
+    <parent>
+        <groupId>org.owasp.webgoat</groupId>
+        <artifactId>webgoat-parent</artifactId>
+        <version>v8.0.0-SNAPSHOT</version>
+    </parent>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.owasp.webgoat</groupId>
+            <artifactId>webgoat-server</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.owasp.webgoat</groupId>
+            <artifactId>webgoat-server</artifactId>
+            <version>${project.version}</version>
+            <classifier>internal</classifier>
+        </dependency>
+        <dependency>
+            <groupId>org.owasp.webgoat</groupId>
+            <artifactId>webwolf</artifactId>
+            <version>${project.version}</version>
+            <classifier>internal</classifier>
+        </dependency>
+        <dependency>
+            <groupId>org.owasp.webgoat</groupId>
+            <artifactId>webwolf</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-test</artifactId>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>io.rest-assured</groupId>
+			<artifactId>rest-assured</artifactId>
+			<version>4.0.0</version>
+			<scope>test</scope>
+		</dependency>
+
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <version>${maven-surefire-plugin.version}</version>
+                <configuration>
+                    <forkCount>0</forkCount>
+                    <reuseForks>true</reuseForks>
+                    <argLine>
+                        --illegal-access=permit
+                    </argLine>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+
+</project>
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/GeneralLessonTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/GeneralLessonTest.java
@@ -0,0 +1,127 @@
+package org.owasp.webgoat;
+
+import io.restassured.RestAssured;
+import io.restassured.http.ContentType;
+import org.hamcrest.CoreMatchers;
+import org.junit.Assert;
+import org.junit.Test;
+
+import java.util.HashMap;
+import java.util.Map;
+
+
+public class GeneralLessonTest extends IntegrationTest {
+
+    @Test
+    public void httpBasics() {
+        startLesson("HttpBasics");
+        Map<String, Object> params = new HashMap<>();
+        params.clear();
+        params.put("person", "goatuser");
+        checkAssignment(url("HttpBasics/attack1"), params, true);
+
+        params.clear();
+        params.put("answer", "POST");
+        params.put("magic_answer", "33");
+        params.put("magic_num", "4");
+        checkAssignment(url("HttpBasics/attack2"), params, false);
+
+        params.clear();
+        params.put("answer", "POST");
+        params.put("magic_answer", "33");
+        params.put("magic_num", "33");
+        checkAssignment(url("HttpBasics/attack2"), params, true);
+
+        checkResults("/HttpBasics/");
+    }
+
+    @Test
+    public void httpProxies() {
+        startLesson("HttpProxies");
+        Assert.assertThat(RestAssured.given()
+                .when().config(restConfig).cookie("JSESSIONID", getWebGoatCookie()).header("x-request-intercepted", "true")
+                .contentType(ContentType.JSON)
+                .get(url("HttpProxies/intercept-request?changeMe=Requests are tampered easily"))
+                .then()
+                .statusCode(200).extract().path("lessonCompleted"), CoreMatchers.is(true));
+
+        checkResults("/HttpProxies/");
+    }
+
+    @Test
+    public void cia() {
+        startLesson("CIA");
+        Map<String, Object> params = new HashMap<>();
+        params.clear();
+        params.put("question_0_solution", "Solution 3: By stealing a database where names and emails are stored and uploading it to a website.");
+        params.put("question_1_solution", "Solution 1: By changing the names and emails of one or more users stored in a database.");
+        params.put("question_2_solution", "Solution 4: By launching a denial of service attack on the servers.");
+        params.put("question_3_solution", "Solution 2: The systems security is compromised even if only one goal is harmed.");
+        checkAssignment(url("/WebGoat/cia/quiz"), params, true);
+        checkResults("/cia/");
+
+    }
+
+    @Test
+    public void securePasswords() {
+        startLesson("SecurePasswords");
+        Map<String, Object> params = new HashMap<>();
+        params.clear();
+        params.put("password", "ajnaeliclm^&&@kjn.");
+        checkAssignment(url("/WebGoat/SecurePasswords/assignment"), params, true);
+        checkResults("SecurePasswords/");
+
+        startLesson("AuthBypass");
+        params.clear();
+        params.put("secQuestion2", "John");
+        params.put("secQuestion3", "Main");
+        params.put("jsEnabled", "1");
+        params.put("verifyMethod", "SEC_QUESTIONS");
+        params.put("userId", "12309746");
+        checkAssignment(url("/WebGoat/auth-bypass/verify-account"), params, true);
+        checkResults("/auth-bypass/");
+
+        startLesson("HttpProxies");
+        Assert.assertThat(RestAssured.given().when().config(restConfig).cookie("JSESSIONID", getWebGoatCookie()).header("x-request-intercepted", "true")
+                .contentType(ContentType.JSON)
+                .get(url("/WebGoat/HttpProxies/intercept-request?changeMe=Requests are tampered easily")).then()
+                .statusCode(200).extract().path("lessonCompleted"), CoreMatchers.is(true));
+        checkResults("/HttpProxies/");
+
+    }
+
+    @Test
+    public void chrome() {
+        startLesson("ChromeDevTools");
+
+        Map<String, Object> params = new HashMap<>();
+        params.clear();
+        params.put("param1", "42");
+        params.put("param2", "24");
+
+        String result =
+                RestAssured.given()
+                        .when()
+                        .config(restConfig)
+                        .cookie("JSESSIONID", getWebGoatCookie())
+                        .header("webgoat-requested-by", "dom-xss-vuln")
+                        .header("X-Requested-With", "XMLHttpRequest")
+                        .formParams(params)
+                        .post(url("/WebGoat/CrossSiteScripting/phone-home-xss"))
+                        .then()
+                        .statusCode(200)
+                        .extract().path("output");
+        String secretNumber = result.substring("phoneHome Response is ".length());
+
+        params.clear();
+        params.put("successMessage", secretNumber);
+        checkAssignment(url("/WebGoat/ChromeDevTools/dummy"), params, true);
+
+        params.clear();
+        params.put("number", "24");
+        params.put("network_num", "24");
+        checkAssignment(url("/WebGoat/ChromeDevTools/network"), params, true);
+
+        checkResults("/ChromeDevTools/");
+    }
+}