A icode

DisplayUser.java

@@ -0,0 +1,63 @@
+package org.owasp.webgoat.lessons.missingac;
+
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.util.Base64;
+import lombok.Getter;
+
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * <p>Copyright (c) 2002 - 2014 Bruce Mayhew
+ *
+ * <p>This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * <p>You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * <p>Getting Source ==============
+ *
+ * <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
+ *
+ * <p>
+ */
+@Getter
+public class DisplayUser {
+  // intended to provide a display version of WebGoatUser for admins to view user attributes
+
+  private String username;
+  private boolean admin;
+  private String userHash;
+
+  public DisplayUser(User user, String passwordSalt) {
+    this.username = user.getUsername();
+    this.admin = user.isAdmin();
+
+    try {
+      this.userHash = genUserHash(user.getUsername(), user.getPassword(), passwordSalt);
+    } catch (Exception ex) {
+      this.userHash = "Error generating user hash";
+    }
+  }
+
+  protected String genUserHash(String username, String password, String passwordSalt)
+      throws Exception {
+    MessageDigest md = MessageDigest.getInstance("SHA-256");
+    // salting is good, but static & too predictable ... short too for a salt
+    String salted = password + passwordSalt + username;
+    // md.update(salted.getBytes("UTF-8")); // Change this to "UTF-16" if needed
+    byte[] hash = md.digest(salted.getBytes(StandardCharsets.UTF_8));
+    return Base64.getEncoder().encodeToString(hash);
+  }
+}
+

HashingAssignment.java

@@ -0,0 +1,89 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.lessons.cryptography;
+
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+
+import jakarta.servlet.http.HttpServletRequest;
+import java.security.NoSuchAlgorithmException;
+import java.util.Random;
+import javax.xml.bind.DatatypeConverter;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.springframework.http.MediaType;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+@AssignmentHints({"crypto-hashing.hints.1", "crypto-hashing.hints.2"})
+public class HashingAssignment implements AssignmentEndpoint {
+  public static final String[] SECRETS = {"secret", "admin", "password", "123456", "passw0rd"};
+
+  //Removed MD5 related code
+
+  @RequestMapping(path = "/crypto/hashing/sha256", produces = MediaType.TEXT_HTML_VALUE)
+  @ResponseBody
+  public String getSha256(HttpServletRequest request) throws NoSuchAlgorithmException {
+
+    String sha256 = (String) request.getSession().getAttribute("sha256");
+    if (sha256 == null) {
+      String secret = SECRETS[new Random().nextInt(SECRETS.length)];
+      sha256 = getHash(secret, "SHA-256");
+      request.getSession().setAttribute("sha256Hash", sha256);
+      request.getSession().setAttribute("sha256Secret", secret);
+    }
+    return sha256;
+  }
+
+  @PostMapping("/crypto/hashing")
+  @ResponseBody
+  public AttackResult completed(
+      HttpServletRequest request,
+      @RequestParam String answer_pwd1,
+      @RequestParam String answer_pwd2) {
+
+    String sha256Secret = (String) request.getSession().getAttribute("sha256Secret");
+
+    if (answer_pwd1 != null && answer_pwd2 != null) {
+      if (answer_pwd2.equals(sha256Secret)) {
+        return success(this).feedback("crypto-hashing.success").build();
+      } else if (answer_pwd2.equals(sha256Secret)) {
+        return failed(this).feedback("crypto-hashing.oneok").build();
+      }
+    }
+    return failed(this).feedback("crypto-hashing.empty").build();
+  }
+
+  public static String getHash(String secret, String algorithm) throws NoSuchAlgorithmException {
+    java.security.MessageDigest md = java.security.MessageDigest.getInstance(algorithm);
+    md.update(secret.getBytes());
+    byte[] digest = md.digest();
+    return DatatypeConverter.printHexBinary(digest).toUpperCase();
+  }
+}
+

JWTDecodeEndpointTest.java

@@ -0,0 +1,39 @@
+package org.owasp.webgoat.lessons.jwt;
+
+import static org.hamcrest.Matchers.is;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+
+public class JWTDecodeEndpointTest extends LessonTest {
+
+  @BeforeEach
+  public void setup() {
+    this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
+  }
+
+  @Test
+  public void solveAssignment() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/JWT/decode").param("jwt-encode-user", "user").content(""))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", is(true)));
+  }
+
+  @Test
+  public void wrongUserShouldNotSolveAssignment() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/JWT/decode")
+                .param("jwt-encode-user", "wrong")
+                .content(""))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", is(false)));
+  }
+}