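public function Handle($request)
{
    // jf::$BaseRequest holds the complete request path; the $request
    // argument is replaced by it (same pattern as the single-mode handler).
    $request = jf::$BaseRequest;

    if (!jf::CurrentUser()) {
        // Not logged in: go to the login page and come back here afterwards.
        $this->Redirect(jf::url() . "/user/login?return=/{$request}");
        return;
    }
    if (!jf::Check('view_contest_chal')) {
        // Logged in but not allowed to view contest challenges.
        $this->Redirect(SiteRoot);
        return;
    }

    // The relative path (everything after the controller URL) comes straight
    // from the request and is joined to CONTEST_CHALLENGE_PATH, so it must
    // not be able to escape that directory ("../"). realpath() collapses
    // '..' and symlinks; the NUL-byte check keeps realpath() from throwing.
    $relativePath = $this->getRelativePath($request);
    $absolutePath = CONTEST_CHALLENGE_PATH . $relativePath;
    $challengeRoot = realpath(CONTEST_CHALLENGE_PATH);
    $challengeDir = strpos($relativePath, "\0") === false ? realpath($absolutePath) : false;
    if ($challengeRoot === false || $challengeDir === false
        || strpos($challengeDir . DIRECTORY_SEPARATOR, $challengeRoot . DIRECTORY_SEPARATOR) !== 0) {
        // Unknown challenge directory, or a path outside the contest tree.
        $this->Redirect(SiteRoot);
        return;
    }

    // FIXME (from the original): using the path as the challenge name is
    // ONLY FOR TESTING, NOT ALWAYS TRUE.
    $challengeName = $relativePath;
    $challengeDetails = \webgoat\ContestChallenges::getByName($challengeName);
    // Avoid an undefined-offset notice when the lookup returns no row.
    $this->ChallengeName = isset($challengeDetails[0]['ChallengeName'])
        ? $challengeDetails[0]['ChallengeName'] : null;

    // The challenge page body is the static index.html of its directory.
    $fileContents = file_get_contents($absolutePath . "/index.html");
    $this->Content = $fileContents === false ? '' : $fileContents;

    if (isset($_POST['submit'])) {
        // NOTE(review): any POST carrying 'submit' is accepted; no anti-CSRF
        // token is checked here.
        $this->addSubmission($challengeName);
    }
    return $this->Present();
}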
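public function Start()
{
    // Complete request path, used only to come back here after login.
    $request = jf::$BaseRequest;

    if (!jf::CurrentUser()) {
        // Not logged in.
        $this->Redirect(jf::url() . "/user/login?return=/{$request}");
        return;
    }
    if (!jf::Check("view_contest_chal")) {
        // Logged in but not authorized to view contest challenges.
        $this->Redirect(SiteRoot);
        return;
    }

    $activeContest = \webgoat\ContestDetails::getActive();
    if ($activeContest === null) {
        $this->Error = "Currently there is no active contest. Check back later!!";
        return $this->Present();
    }

    $this->ContestName = $activeContest[0]['ContestName'];
    $startTime = $activeContest[0]['StartTimestamp'];
    $currentTime = time();
    if ($currentTime < $startTime) {
        // Contest not started yet: show a countdown instead of the list.
        $this->TimeRemaining = $startTime - $currentTime;
        return $this->Present();
    }
    // NOTE(review): EndTimestamp (set by the admin page) is not checked
    // here, so the challenge list stays visible after the contest ends —
    // confirm that is intended.

    // Pass the active contest's ID explicitly: the admin controller calls
    // getByContestID($contestDetails[0]['ID']) while this page called it
    // with no argument.
    $challenges = \webgoat\ContestChallenges::getByContestID($activeContest[0]['ID']);
    // empty() covers both null and array() — the models in this code base
    // return null for "no rows" (see WorkshopUsers::getAll), and count(null)
    // is a warning/TypeError depending on the PHP version.
    if (empty($challenges)) {
        $this->Error = "Currently there are no challenges in this contest";
    } else {
        $this->Challenges = $challenges;
    }
    return $this->Present();
}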
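public function Start()
{
    if (!jf::CurrentUser()) {
        // Not authenticated.
        $this->Redirect(jf::url() . "/user/login?return=/" . jf::$BaseRequest);
        return;
    }
    if (!jf::Check("contest")) {
        // Not authorized to administer contests: back to the home page.
        $this->Redirect(SiteRoot);
        return;
    }

    if (isset($_POST['contest_submit'])) {
        // Store a new contest. NOTE(review): this is a state-changing POST
        // with no anti-CSRF token visible here; the 'contest' permission is
        // the only gate.
        $this->addContest();
    }

    if (!\webgoat\ContestDetails::isActivePresent()) {
        // No active contest: the view offers to start one.
        $this->noActiveContest = true;
        return $this->Present();
    }

    $contestDetails = \webgoat\ContestDetails::getActive();
    $contestChallenges = \webgoat\ContestChallenges::getByContestID($contestDetails[0]['ID']);
    $contestUsers = \webgoat\ContestUsers::getAll();
    // The models return null for "no rows" (WorkshopUsers::getAll documents
    // this); count()/foreach on null is a warning or TypeError depending on
    // the PHP version, so normalise to empty arrays first.
    if (!is_array($contestUsers)) {
        $contestUsers = array();
    }
    if (!is_array($contestChallenges)) {
        $contestChallenges = array();
    }

    $this->ContestName = $contestDetails[0]['ContestName'];
    $this->ContestStart = date("d/m/Y h:i:s A", $contestDetails[0]['StartTimestamp']);
    $this->ContestEnd = date("d/m/Y h:i:s A", $contestDetails[0]['EndTimestamp']);
    $this->UserCount = count($contestUsers);
    $this->ChallengeCount = count($contestChallenges);
    $this->Challenges = $contestChallenges;
    // Runs on every admin page view; its effect is not visible in this file.
    $this->insertNewChallenges();
    return $this->Present();
}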
<?php /* Contest sign-up form, posted back to the current URL.
   The controller sets $this->Error or $this->Success; Error takes precedence
   when both are set. Fields: Username, Password, Confirm, Email.
   NOTE(review): both messages are echoed without HTML escaping and the form
   carries no anti-CSRF token — acceptable only while the controller never
   reflects user-supplied text into them; confirm before reusing this view. */ ?>
<link rel="stylesheet" type="text/css" href="<?php echo jf::url() . '/style/signin.css'; ?>
">
<div class="container">
    <form class="form-signin" role="form" method="POST" action="">
        <?php
        if (isset($this->Error)) {
            echo "<div class='alert alert-danger'>{$this->Error}</div>";
        } elseif (isset($this->Success)) {
            echo "<div class='alert alert-success'>{$this->Success}</div>";
        }
        ?>
        <h2 class="form-signin-heading">Contest sign up</h2>
        <input type="text" class="form-control" name="Username" placeholder="Username" required autofocus>
        <input type="password" class="form-control" name="Password" placeholder="Password" required>
        <input type="password" class="form-control" name="Confirm" placeholder="Confirm password" required>
        <input type="email" class="form-control" name="Email" placeholder="Email" required>
        <button class="btn btn-lg btn-primary btn-block" type="submit">Sign up</button>
    </form>
</div>
<div class="navbar navbar-inverse navbar-static-top"> <div class="container"> <a href="<?php echo jf::url(); ?> " class="navbar-brand">OWASP WebGoatPHP</a> <button class="navbar-toggle" data-toggle="collapse" data-target=".navHeaderCollapse"> <span class="icon-bar"></span> <span class="icon-bar"></span> <span class="icon-bar"></span> </button> <div class="collapse navbar-collapse navHeaderCollapse"> <ul class="nav navbar-nav navbar-right"> <li><a href="<?php echo jf::url(); ?> ">Home</a></li> <li class="active"><a href="#">About</a></li> <li><a href="#">Documentation</a></li> <li><a href="#">Github</a></li> <li><a href="#contact" data-toggle="modal">Contact</a></li> </ul> </div> </div> </div> <div class="container"> <div class="row"> <div class="col-lg-12"> <h2>About OWASP WebGoatPHP</h2>
">Home</a></li> <li><a href="<?php echo jf::url() . '/about'; ?> ">About</a></li> <li><a href="<?php echo CONTEST_MODE_HOME; ?> ">Challenges</a></li> <li><a href="<?php echo GITHUB_URL; ?> " target="_blank">Github</a></li> <li><a href="#contact" data-toggle="modal">Contact</a></li> <li><a href="<?php echo jf::url() . '/user/logout'; ?> ">Logout</a></li> </ul> </div> </div> </div> <div class="container"> <h1 class="text-center text-warning"><?php echo $this->ChallengeName; ?> </h1> <?php if (isset($this->Submission)) {
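public function Start()
{
    if (!jf::CurrentUser()) {
        // Not authenticated.
        $this->Redirect(jf::url() . "/user/login?return=/" . jf::$BaseRequest);
        return;
    }
    if (!jf::Check('workshop')) {
        // Not authorized: home page rather than the login page.
        $this->Redirect(SiteRoot);
        return;
    }

    // List of lesson names hidden from workshop users. The setting is null
    // until the first lesson is hidden; treat that as "nothing hidden" so the
    // count()/array_* calls below never see null.
    $hiddenLessons = jf::LoadGeneralSetting("hiddenWorkshopLessons");
    if (!is_array($hiddenLessons)) {
        $hiddenLessons = array();
    }

    // AJAX: hide a lesson. NOTE(review): both this and 'show' change state on
    // a plain POST with no anti-CSRF token visible here.
    if (isset($_POST['hide'])) {
        // Do not store duplicates: totalVisibleLessons subtracts
        // count($hiddenLessons), so a lesson hidden twice was counted twice.
        if (!in_array($_POST['hide'], $hiddenLessons, true)) {
            $hiddenLessons[] = $_POST['hide'];
        }
        jf::SaveGeneralSetting("hiddenWorkshopLessons", $hiddenLessons);
        echo json_encode(array('status' => true));
        return true;
    }

    // AJAX: show a previously hidden lesson.
    if (isset($_POST['show'])) {
        $position = array_search($_POST['show'], $hiddenLessons, true);
        if ($position !== false) {
            unset($hiddenLessons[$position]);
            // Keep the stored value a list (no holes after unset()).
            $hiddenLessons = array_values($hiddenLessons);
        }
        jf::SaveGeneralSetting("hiddenWorkshopLessons", $hiddenLessons);
        echo json_encode(array('status' => true));
        return true;
    }

    // Dashboard view. categoryLessons maps category => list of lessons and
    // is absent until LessonScanner has run (see the single-mode handler).
    $this->allCategoryLesson = jf::LoadGeneralSetting("categoryLessons");
    if (!is_array($this->allCategoryLesson)) {
        $this->allCategoryLesson = array();
    }
    $this->hiddenLessons = $hiddenLessons;

    // Overview section.
    $obj = new \webgoat\WorkshopUsers();
    $workshopUsers = $obj->getAll();
    if ($workshopUsers === null) {
        // getAll() returns null when there are no users.
        $workshopUsers = array();
    }
    $this->totalUsers = count($workshopUsers);
    $this->totalCategories = count($this->allCategoryLesson);

    $lessonCount = 0;
    foreach ($this->allCategoryLesson as $lessons) {
        $lessonCount += count($lessons);
    }
    $this->totalLessons = $lessonCount;
    $this->totalVisibleLessons = $lessonCount - count($this->hiddenLessons);

    // Reports section: for each lesson, the usernames that completed it.
    // Completion is a per-user setting named "completed_webgoat\<Lesson>";
    // this is one setting lookup per (lesson, user) pair.
    $lessonPrefix = "completed_webgoat\\";
    $lessonsCompletedBy = array();
    foreach ($this->allCategoryLesson as $lessons) {
        foreach ($lessons as $lesson) {
            $lessonName = $lesson[0]; // index 0 holds the lesson name
            $lessonsCompletedBy[$lessonName] = array();
            foreach ($workshopUsers as $user) {
                if (jf::LoadUserSetting($lessonPrefix . $lessonName, $user['ID'])) {
                    $lessonsCompletedBy[$lessonName][] = $user['Username'];
                }
            }
        }
    }
    $this->reports = $lessonsCompletedBy;

    // Analytics section: [category, number of lessons] rows, heading first.
    $noOfLessonsInCategories = array(array('Category', 'No of Lessons'));
    foreach ($this->allCategoryLesson as $category => $lessons) {
        $noOfLessonsInCategories[] = array($category, count($lessons));
    }
    $this->analytics = $noOfLessonsInCategories;

    return $this->Present();
}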
<div class="col-lg-2" style="padding-left: 0;"> <img src="<?php echo jf::url() . "/images/logo.png"; ?> " class="img-responsive"> </div> </div> <p> WebGoatPHP is a deliberately insecure web application developed using PHP to teach web application security. It offers a set of challenges based on various vulnerabilities listed in OWASP. In each challenge the user must exploit the real vulnerability to demonstrate their understanding. The application is a realistic teaching environment and supports four different modes. </p> <a href="<?php echo jf::url() . '/about'; ?> " class="btn btn-primary btn-lg">Learn more »</a> </div> <hr> </div> <div class="container"> <div class="row"> <div class="col-md-3"> <h3>Single-User Mode</h3> <p>Browse all the lessons that are available. You can view hints and submit solutions. This mode is suitable for individuals who want a hands-on experience with various security flaws.</p> <a href="<?php echo SINGLE_MODE_LESSON_URL; ?>
<div id="rememberme"> <input type="checkbox" value="yes" name="Remember" title='checking this will make you automatically login everytime you visit this page for one month unless you logout'/> Remember me on this computer </div> <input type="submit" value="Login" /> <input type="button" value="Back" onclick="history.back()" /> <?php if (jf::CurrentUser()) { ?> <br/><a style="font-size:small" href="<?php echo jf::url(); ?> /sys/xuser/logout?return=<?php echo urlencode(jf::url()); ?> /sys/xuser/login">Sign in as a different user</a> <br/> <?php } ?> <?php if (isset($this->Error)) { ?> <div class='error'> <?php echo $this->Error; ?> </div>
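public function Handle($request)
{
    // jf::$BaseRequest is the complete request path; the $request argument
    // is replaced by it. FIXME (from the original): fix JCatchControl so
    // that this is not required.
    $request = jf::$BaseRequest;

    if (!jf::CurrentUser()) {
        // Not logged in: go to the login page and come back here afterwards.
        $this->Redirect(jf::url() . "/user/login?return=/{$request}");
        return;
    }
    if (!jf::Check('view_single_chal')) {
        // Logged in but without permission to view single-mode challenges.
        $this->Redirect(SiteRoot);
        return;
    }

    // Relative path = the part after the controller URL, e.g. for
    //   http://localhost/webgoatphp/mode/single/challenges/HTTPBasics/static/test
    // $request is mode/single/challenges/HTTPBasics/static/test and
    // $relativePath is HTTPBasics/static/test.
    $relativePath = $this->getRelativePath($request);

    // The relative path is attacker-controlled and is joined to LESSON_PATH
    // below (and, for reset, turned into a class name), so refuse any '..'
    // segment or NUL byte before it reaches the filesystem.
    if (strpos($relativePath, "\0") !== false
        || preg_match('#(^|[/\\\\])\.\.([/\\\\]|$)#', $relativePath)) {
        $this->Redirect(SiteRoot);
        return;
    }
    $absolutePath = LESSON_PATH . $relativePath;

    if (strpos($relativePath, "/static/") !== false) {
        // Static asset of a lesson: stream the file, but only if it really
        // resolves to a file under LESSON_PATH (realpath() also collapses
        // symlinks, which the string check above cannot see).
        $lessonRoot = realpath(LESSON_PATH);
        $resolved = realpath($absolutePath);
        if ($lessonRoot !== false && $resolved !== false && is_file($resolved)
            && strpos($resolved, $lessonRoot . DIRECTORY_SEPARATOR) === 0) {
            $FileMan = new \jf\DownloadManager();
            return $FileMan->Feed($absolutePath);
        }
        // As before, nothing is emitted for a missing file.
        return;
    }

    // First path segment is the lesson name (false when there is no '/').
    $nameOfLesson = stristr($relativePath, "/", true);
    \webgoat\LessonScanner::loadClasses();

    if (strpos($relativePath, "reset/") !== false) {
        // AJAX reset of the lesson's state: instantiate \webgoat\<Lesson> and
        // call reset(). The name comes from the URL, so only a plain
        // identifier naming a loaded class with a reset() method is accepted;
        // anything else used to be a fatal error.
        $lessonNameWithNS = "\\webgoat\\" . $nameOfLesson;
        if ($nameOfLesson === false
            || !preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $nameOfLesson)
            || !class_exists($lessonNameWithNS)
            || !method_exists($lessonNameWithNS, 'reset')) {
            echo json_encode(array("status" => false));
            return false;
        }
        $obj = new $lessonNameWithNS();
        $obj->reset();
        echo json_encode(array("status" => true));
        return true;
    }

    // (Re)scan the lessons tree on an explicit ?refresh or when the category
    // list has never been built.
    if (isset($_GET['refresh']) || !jf::LoadGeneralSetting("categoryLessons")) {
        \webgoat\LessonScanner::run();
    }
    $this->allCategoryLesson = jf::LoadGeneralSetting("categoryLessons");

    try {
        $lessonObj = \webgoat\LessonScanner::getLessonObject($nameOfLesson);
        $lessonObj->start();
        $this->lessonTitle = $lessonObj->getTitle();
        $this->hints = $lessonObj->getHints();
        $this->htmlContent = $lessonObj->getContent();
        $this->nameOfLesson = $nameOfLesson;

        // "Secure coding" lessons expose the slice [start, end) of their own
        // index.php for the user to fix, shown with the first line's
        // indentation stripped by removeWhitespaces().
        $secureCoding = $lessonObj->isSecureCodingAllowed();
        if ($secureCoding['status'] === true) {
            $sourceCodeToDisplay = "";
            $sourceCode = file($absolutePath . "index.php");
            if ($sourceCode !== false && isset($sourceCode[$secureCoding['start']])) {
                $firstLine = $sourceCode[$secureCoding['start']];
                $this->indentSize = strlen($firstLine) - strlen(ltrim($firstLine));
                for ($i = $secureCoding['start']; $i < $secureCoding['end']; $i++) {
                    if (!isset($sourceCode[$i])) {
                        break; // 'end' past the file: stop instead of warning
                    }
                    $sourceCodeToDisplay .= $this->removeWhitespaces($sourceCode[$i]) . "\n";
                }
            }
            $this->sourceCode = $sourceCodeToDisplay;
        }

        // The complete lesson source is shown too; htmlentities() makes it
        // safe to embed in the page.
        $sourceCode = file_get_contents($absolutePath . "index.php");
        $this->completeSourceCode = htmlentities($sourceCode === false ? '' : $sourceCode);

        if (isset($_POST['sourceCode'])) {
            // TODO (from the original): handle source code evaluation.
        }
    } catch (Exception $e) {
        // NOTE(review): the raw exception message is shown to the user; the
        // generic "Lesson Not found" text was commented out in the original.
        // Inside a namespace an unqualified `Exception` resolves to that
        // namespace — confirm this is \Exception or imported.
        $this->error = $e->getMessage();
    }

    // Deliberately disabled: the lessons teach XSS and need the browser's
    // filter off for the payloads to run. Do not copy this elsewhere.
    header("X-XSS-Protection: 0");
    return $this->Present();
}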
function CSS()
{
    // Emit the jWidget/jForm stylesheet once per class per page:
    // IsFirstTime(__CLASS__) is false on every call after the first.
    if (!$this->IsFirstTime(__CLASS__)) {
        return;
    }
    // The valid/invalid background images are served from this install's
    // /img/jwidget/ path; jf::url() supplies the site base URL, and the
    // closing tag swallows the following newline so the URL stays on one line.
    ?>
    .jWidget_label {
        float:left;
        clear:left;
        width:200px;
    }
    .jFormFrame {
        padding:20px;
        margin:10px;
        border:1px gray solid;
        width:auto;
    }
    .jWidget_valid:not([type='submit']) {
        background-image: url("<?php echo jf::url(); ?>
/img/jwidget/valid.png");
        background-position: top right;
        background-repeat: no-repeat;
        background-color: #FAFFFA;
    }
    select.jWidget_valid {
        background-image: none !important;
        -webkit-appearance: menulist !important;
    }
    .jWidget_invalid {
        background-image: url("<?php echo jf::url(); ?>
/img/jwidget/invalid.png");
        background-position:top right;
        background-repeat: no-repeat;
        background-color: #FFFAFA;
    }
    .jWidget_description {
        font-size:small;
        color:#444444;
    }
    .jForm .jWidget_container {
        padding:5px;
        border-radius:5px;
    }
    .jForm .jWidget_container.selected {
        background-color:#DDDDDD;
        border:1px solid gray;
        padding:4px;
    }
    <?php
}
<?php
/*
 * Application-specific configuration: where the lesson and contest challenge
 * trees live on disk, the public URLs the mode controllers link to, and
 * plugin bootstrapping. jf::url() is called here, so this file must be
 * loaded after the jf core.
 */

// Filesystem roots of the two challenge trees, relative to this file.
// Both keep their trailing slash: callers append "<Name>/index.php" etc.
define('LESSON_PATH', __DIR__ . "/../../challenges/single/");
define('CONTEST_CHALLENGE_PATH', __DIR__ . "/../../challenges/contest/");

// Public URLs, per mode. Lesson/challenge listings end in '/', the admin and
// home pages do not.
define('SINGLE_MODE_LESSON_URL', jf::url() . "/mode/single/challenges/");

define('WORKSHOP_MODE_LESSON_URL', jf::url() . "/mode/workshop/challenges/");
define('WORKSHOP_ADMIN_URL', jf::url() . "/mode/workshop/admin");

define('CONTEST_MODE_DIR', jf::url() . "/mode/contest/"); // trailing slash: the three below append to it
define('CONTEST_MODE_HOME', CONTEST_MODE_DIR . "home");
define('CONTEST_ADMIN_URL', CONTEST_MODE_DIR . "admin");
define('CONTEST_MODE_LESSON_URL', CONTEST_MODE_DIR . "challenges/");

// Project repository, linked from the navigation bar.
define('GITHUB_URL', 'https://github.com/shivamdixit/WebGoatPHP/');

// Extra autoload rules go here, e.g.:
// \jf\Autoload::AddRuleArray(array("Classname" => jf::root() . "/app/model/filepath.php"));

// Bootstrap the Doctrine plugin (database layer).
DoctrinePlugin::Load();