Solved issue with POST in vulnerable components lesson

WebGoat · Feb 7, 2017 · 8d3b028 · 8d3b028
1 parent a005466
commit 8d3b028
Show file tree

Hide file tree

Showing 5 changed files with 121 additions and 22 deletions.
diff --git a/webgoat-lessons/pom.xml b/webgoat-lessons/pom.xml
@@ -44,6 +44,30 @@
             <classifier>tests</classifier>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <version>${junit.version}</version>
+            <type>jar</type>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-core</artifactId>
+            <version>1.10.19</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-test</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-test</artifactId>
+            <version>4.1.3.RELEASE</version>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
     <dependencyManagement>
         <dependencies>

diff --git a/webgoat-lessons/vulnerable-components/pom.xml b/webgoat-lessons/vulnerable-components/pom.xml
@@ -11,9 +11,14 @@
 	<dependencies>
 		<dependency>
 			<groupId>com.thoughtworks.xstream</groupId>
-			<artifactId>XStream</artifactId>
+			<artifactId>xstream</artifactId>
 			<version>1.4.7</version>
 		</dependency>
-	</dependencies>
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+        </dependency>
+
+    </dependencies>
 
 </project>
diff --git a/...nerable-components/src/main/java/org/owasp/webgoat/plugin/VulnerableComponentsLesson.java b/...nerable-components/src/main/java/org/owasp/webgoat/plugin/VulnerableComponentsLesson.java
@@ -1,17 +1,15 @@
 package org.owasp.webgoat.plugin;
 
-import java.io.IOException;
-
-import javax.servlet.http.HttpServletRequest;
-
+import com.thoughtworks.xstream.XStream;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
+import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
-import com.thoughtworks.xstream.XStream;
+
+import java.io.IOException;
 
 /**
  * *************************************************************************************************
@@ -51,11 +49,11 @@
 public class VulnerableComponentsLesson extends AssignmentEndpoint {
 
 	@RequestMapping(method = RequestMethod.POST)
-	public @ResponseBody AttackResult completed(@RequestParam String payload) throws IOException {
+	public @ResponseBody AttackResult completed(@RequestBody String payload) throws IOException {
 		String process = "open"; 		
 		String arguments = "/Applications/Calculator.app";		
 
-		String payload2 = "<sorted-set>" +  
+		String payload2 = "<sorted-set>" +
 						 "<string>foo</string>" +
 						 "<dynamic-proxy>" + 
 						 "<interface>java.lang.Comparable</interface>" +

diff --git a/...-components/src/main/resources/plugin/VulnerableComponents/html/VulnerableComponents.html b/...-components/src/main/resources/plugin/VulnerableComponents/html/VulnerableComponents.html
@@ -131,23 +131,35 @@
 		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
 		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
 		<div class="adoc-content" th:replace="doc:VulnerableComponents_content5.adoc"></div>
+		<div class="attack-container">
+			<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
+			<div id="lessonContent">
+				<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
+				<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
+				<!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
+				<form class="attack-form" accept-charset="UNKNOWN"
+					  method="POST" name="form"
+					  action="/WebGoat/VulnerableComponents/attack1"
+					  enctype="application/json;charset=UTF-8">
+							Enter Your XML payload: <input name="payload" value="" type="TEXT"/><input
+								name="SUBMIT" value="Go!" type="SUBMIT"/>
+				</form>
+				<!-- do not remove the two following div's, this is where your feedback/output will land -->
+				<div class="attack-feedback"></div>
+				<div class="attack-output"></div>
+				<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
+			</div>
+
+		</div>
+
+
+
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 			<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
             <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
             <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
-			<form class="attack-form" accept-charset="UNKNOWN"
-				method="POST" name="form"
-				action="/WebGoat/VulnerableComponents/attack1"
-				enctype="application/json;charset=UTF-8">
-				<div id="lessonContent">
-					<form accept-charset="UNKNOWN" method="POST" name="form"
-						action="#attack/307/100" enctype="">
-						Enter Your XML payload: <input name="paylod" value="" type="TEXT"/><input
-							name="SUBMIT" value="Go!" type="SUBMIT"/>
-					</form>
-				</div>
-			</form>
+
 			<!-- do not remove the two following div's, this is where your feedback/output will land -->
 			<div class="attack-feedback"></div>
 			<div class="attack-output"></div>

diff --git a/...ble-components/src/test/java/org/owasp/webgoat/plugin/VulnerableComponentsLessonTest.java b/...ble-components/src/test/java/org/owasp/webgoat/plugin/VulnerableComponentsLessonTest.java
@@ -0,0 +1,60 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ * <p>
+ * Copyright (c) 2002 - 2017 Bruce Mayhew
+ * <p>
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ * <p>
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ * <p>
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ * <p>
+ * Getting Source ==============
+ * <p>
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ * <p>
+ */
+
+package org.owasp.webgoat.plugin;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.owasp.webgoat.assignments.AssignmentEndpointTest;
+import org.springframework.test.web.servlet.MockMvc;
+
+import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
+
+/**
+ * @author nbaars
+ * @date 2/7/17
+ */
+@RunWith(MockitoJUnitRunner.class)
+public class VulnerableComponentsLessonTest extends AssignmentEndpointTest {
+
+    private MockMvc mockMvc;
+
+    @Before
+    public void setup() {
+        VulnerableComponentsLesson vulnerableComponentsLesson = new VulnerableComponentsLesson();
+        init(vulnerableComponentsLesson);
+        this.mockMvc = standaloneSetup(vulnerableComponentsLesson).build();
+    }
+
+    @Test
+    public void success() throws Exception {
+//        mockMvc.perform(MockMvcRequestBuilders.post("/VulnerableComponents/attack1").content("Test"))
+//                .andExpect(status().isOk()).andDo(MockMvcResultHandlers.print())
+//                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("http-proxies.intercept.success"))))
+//                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
+    }
+}