Fixing Some Levels, Upgrading Libraries, Enhancement to Tomcat and verifying fixes (#638)

* publish to OWASP DockerHub

* update readme to point to owasp shepherd

* closes issue #620

* closes issue #622

* closes issue #624

* removing unused import

* fixing linting issue

* fixing some weirdness when running on docker where key doesn't get displayed properly

* Bump fongo from 2.0.6 to 2.1.1

Bumps [fongo](https:/fakemongo/fongo) from 2.0.6 to 2.1.1.
- [Release notes](https:/fakemongo/fongo/releases)
- [Changelog](https:/fakemongo/fongo/blob/master/CHANGELOG)
- [Commits](fakemongo/fongo@fongo-2.0.6...fongo-2.1.1)

---
updated-dependencies:
- dependency-name: com.github.fakemongo:fongo
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump argon2-jvm from 2.2 to 2.11

Bumps [argon2-jvm](https:/phxql/argon2-jvm) from 2.2 to 2.11.
- [Release notes](https:/phxql/argon2-jvm/releases)
- [Changelog](https:/phxql/argon2-jvm/blob/master/CHANGELOG.md)
- [Commits](phxql/argon2-jvm@v2.2...v2.11)

---
updated-dependencies:
- dependency-name: de.mkammerer:argon2-jvm
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump spring-context from 5.1.1.RELEASE to 5.3.19

Bumps [spring-context](https:/spring-projects/spring-framework) from 5.1.1.RELEASE to 5.3.19.
- [Release notes](https:/spring-projects/spring-framework/releases)
- [Commits](spring-projects/spring-framework@v5.1.1.RELEASE...v5.3.19)

---
updated-dependencies:
- dependency-name: org.springframework:spring-context
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump spring-web from 5.3.16 to 5.3.19

Bumps [spring-web](https:/spring-projects/spring-framework) from 5.3.16 to 5.3.19.
- [Release notes](https:/spring-projects/spring-framework/releases)
- [Commits](spring-projects/spring-framework@v5.3.16...v5.3.19)

---
updated-dependencies:
- dependency-name: org.springframework:spring-web
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump encoder from 1.2.1 to 1.2.3

Bumps [encoder](https:/owasp/owasp-java-encoder) from 1.2.1 to 1.2.3.
- [Release notes](https:/owasp/owasp-java-encoder/releases)
- [Commits](OWASP/owasp-java-encoder@v1.2.1...v1.2.3)

---
updated-dependencies:
- dependency-name: org.owasp.encoder:encoder
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump junit-jupiter-engine from 5.0.1 to 5.8.2

Bumps [junit-jupiter-engine](https:/junit-team/junit5) from 5.0.1 to 5.8.2.
- [Release notes](https:/junit-team/junit5/releases)
- [Commits](junit-team/junit5@r5.0.1...r5.8.2)

---
updated-dependencies:
- dependency-name: org.junit.jupiter:junit-jupiter-engine
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump mongo-java-driver from 3.4.1 to 3.12.10

Bumps [mongo-java-driver](https:/mongodb/mongo-java-driver) from 3.4.1 to 3.12.10.
- [Release notes](https:/mongodb/mongo-java-driver/releases)
- [Commits](mongodb/mongo-java-driver@r3.4.1...r3.12.10)

---
updated-dependencies:
- dependency-name: org.mongodb:mongo-java-driver
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* Fixing issue where csrf two and three crossover

* Bump spring-data-mongodb from 2.1.1.RELEASE to 3.3.3

Bumps spring-data-mongodb from 2.1.1.RELEASE to 3.3.3.

---
updated-dependencies:
- dependency-name: org.springframework.data:spring-data-mongodb
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump maven-compiler-plugin from 3.8.1 to 3.10.1

Bumps [maven-compiler-plugin](https:/apache/maven-compiler-plugin) from 3.8.1 to 3.10.1.
- [Release notes](https:/apache/maven-compiler-plugin/releases)
- [Commits](apache/maven-compiler-plugin@maven-compiler-plugin-3.8.1...maven-compiler-plugin-3.10.1)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-compiler-plugin
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* Conforming to the way xxe challenge 1 is set up

* cheats for xxe levels

* fixing lint issue

* Bump properties-maven-plugin from 1.0.0 to 1.1.0

Bumps [properties-maven-plugin](https:/mojohaus/properties-maven-plugin) from 1.0.0 to 1.1.0.
- [Release notes](https:/mojohaus/properties-maven-plugin/releases)
- [Commits](mojohaus/properties-maven-plugin@properties-maven-plugin-1.0.0...properties-maven-plugin-1.1.0)

---
updated-dependencies:
- dependency-name: org.codehaus.mojo:properties-maven-plugin
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump json from 20211205 to 20220320

Bumps [json](https:/douglascrockford/JSON-java) from 20211205 to 20220320.
- [Release notes](https:/douglascrockford/JSON-java/releases)
- [Changelog](https:/stleary/JSON-java/blob/master/docs/RELEASES.md)
- [Commits](https:/douglascrockford/JSON-java/commits)

---
updated-dependencies:
- dependency-name: org.json:json
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump spring-test from 5.0.7.RELEASE to 5.3.19

Bumps [spring-test](https:/spring-projects/spring-framework) from 5.0.7.RELEASE to 5.3.19.
- [Release notes](https:/spring-projects/spring-framework/releases)
- [Commits](spring-projects/spring-framework@v5.0.7.RELEASE...v5.3.19)

---
updated-dependencies:
- dependency-name: org.springframework:spring-test
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump spring-core from 5.0.11.RELEASE to 5.3.19

Bumps [spring-core](https:/spring-projects/spring-framework) from 5.0.11.RELEASE to 5.3.19.
- [Release notes](https:/spring-projects/spring-framework/releases)
- [Commits](spring-projects/spring-framework@v5.0.11.RELEASE...v5.3.19)

---
updated-dependencies:
- dependency-name: org.springframework:spring-core
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump maven-clean-plugin from 3.1.0 to 3.2.0

Bumps [maven-clean-plugin](https:/apache/maven-clean-plugin) from 3.1.0 to 3.2.0.
- [Release notes](https:/apache/maven-clean-plugin/releases)
- [Commits](apache/maven-clean-plugin@maven-clean-plugin-3.1.0...maven-clean-plugin-3.2.0)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-clean-plugin
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump build-helper-maven-plugin from 3.0.0 to 3.3.0

Bumps [build-helper-maven-plugin](https:/mojohaus/build-helper-maven-plugin) from 3.0.0 to 3.3.0.
- [Release notes](https:/mojohaus/build-helper-maven-plugin/releases)
- [Commits](mojohaus/build-helper-maven-plugin@build-helper-maven-plugin-3.0.0...build-helper-maven-plugin-3.3.0)

---
updated-dependencies:
- dependency-name: org.codehaus.mojo:build-helper-maven-plugin
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* fixing csrf challenge 2 where id was not displayed and cheat had a typo

* marking adjustments to CSRF levels to make them clearer

* fixing lint issue

* adjusting xxe

* fixing lint issue

* fixing lint issue

* fixing lint issue

* fixing lint issue

* Revert "adjusting xxe"

* fixing lint issue

* Bump spring-data-mongodb from 2.1.1.RELEASE to 3.3.4

Bumps spring-data-mongodb from 2.1.1.RELEASE to 3.3.4.

---
updated-dependencies:
- dependency-name: org.springframework.data:spring-data-mongodb
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump mockito-core from 4.4.0 to 4.5.1

Bumps [mockito-core](https:/mockito/mockito) from 4.4.0 to 4.5.1.
- [Release notes](https:/mockito/mockito/releases)
- [Commits](mockito/mockito@v4.4.0...v4.5.1)

---
updated-dependencies:
- dependency-name: org.mockito:mockito-core
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump mongo-java-driver from 3.12.10 to 3.12.11

Bumps [mongo-java-driver](https:/mongodb/mongo-java-driver) from 3.12.10 to 3.12.11.
- [Release notes](https:/mongodb/mongo-java-driver/releases)
- [Commits](mongodb/mongo-java-driver@r3.12.10...r3.12.11)

---
updated-dependencies:
- dependency-name: org.mongodb:mongo-java-driver
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* Increase maximum header size to allow proxy headers

Increase the maxHttpHeaderSize to "65536" to allow oauth proxy headers

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Spencer Niemi <[email protected]>
3 people authored May 16, 2022
1 parent 72f8767 commit 14ba710
Showing 16 changed files with 114 additions and 112 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ jobs:
id: meta
uses: docker/metadata-action@v3
with:
images: ismisepaul/securityshepherd
images: owasp/security-shepherd

- name: Set up JDK 1.8
uses: actions/setup-java@v1
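Review bot: the push target moves to the owasp/security-shepherd image, but the steps around it still reference mutable major tags (`uses: docker/metadata-action@v3`, `uses: actions/setup-java@v1`); for a workflow that publishes an official OWASP image, pin these to full commit SHAs so a retagged or compromised action cannot change what is pushed to DockerHub, and confirm that the registry login step in this same workflow now authenticates against the OWASP organisation rather than the old personal namespace.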
3 changes: 1 addition & 2 deletions README.md
Expand Up @@ -2,8 +2,7 @@
# OWASP Security Shepherd [![OWASP Flagship](https://img.shields.io/badge/owasp-flagship%20project-48A646.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Flagship_Projects)
The [OWASP Security Shepherd Project](http://bit.ly/owaspSecurityShepherd) is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skill set to security expert status.

[![Build and Test](https:/ismisepaul/SecurityShepherd/actions/workflows/test.yml/badge.svg)](https:/ismisepaul/SecurityShepherd/actions/workflows/test.yml)

[![Build and Test](https:/OWASP/SecurityShepherd/actions/workflows/test.yml/badge.svg)](https:/OWASP/SecurityShepherd/actions/workflows/test.yml)
# Where can I download Security Shepherd?

### Virtual Machine or Manual Setup
4 changes: 2 additions & 2 deletions docker/tomcat/serverxml.patch
Expand Up @@ -25,10 +25,10 @@
</SSLHostConfig>
</Connector>
-->
+ <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
+ <Connector port="8443" protocol="HTTP/1.1" maxHttpHeaderSize="65536" SSLEnabled="true"
+ maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
+ keystoreFile="conf/TLS_KEYSTORE_FILE" keystorePass="TLS_KEYSTORE_PASS" keyAlias="ALIAS">
+ </Connector>

<!-- Define an AJP 1.3 Connector on port 8009 -->
<!--
<!--
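Review bot: raising maxHttpHeaderSize to 65536 on the 8443 connector is eight times Tomcat's default of 8192 and applies to every client, not only the OAuth proxy; with `maxThreads="150"` on the same connector the per-request header buffer is bounded at roughly 150 x 64 KB, which is acceptable, but the patch should record this as a deliberate trade-off. Only the HTTPS connector is changed: if the proxy forwards to the plain HTTP connector, that one will still reject the oversized headers. Also, `clientAuth`, `sslProtocol` and `keystoreFile` placed directly on `<Connector>` are the legacy attributes; the commented-out `<SSLHostConfig>` block just above is the Tomcat 8.5+/9 form and would be the better place for the TLS settings.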
32 changes: 16 additions & 16 deletions pom.xml
Expand Up @@ -24,7 +24,7 @@
<dependency>
<groupId>de.mkammerer</groupId>
<artifactId>argon2-jvm</artifactId>
<version>2.2</version>
<version>2.11</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core -->
<dependency>
Expand All @@ -36,7 +36,7 @@
<dependency>
<groupId>org.json</groupId>
<artifactId>json</artifactId>
<version>20211205</version>
<version>20220320</version>
</dependency>
<!-- https://mvnrepository.com/artifact/com.googlecode.json-simple/json-simple -->
<dependency>
Expand Down Expand Up @@ -79,7 +79,7 @@
<dependency>
<groupId>org.mongodb</groupId>
<artifactId>mongo-java-driver</artifactId>
<version>3.4.1</version>
<version>3.12.11</version>
</dependency>
<dependency>
<groupId>javax</groupId>
Expand Down Expand Up @@ -111,7 +111,7 @@
<dependency>
<groupId>org.owasp.encoder</groupId>
<artifactId>encoder</artifactId>
<version>1.2.1</version>
<version>1.2.3</version>
</dependency>

<!-- https://mvnrepository.com/artifact/commons-logging/commons-logging -->
Expand All @@ -125,23 +125,23 @@
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
<version>5.3.16</version>
<version>5.3.19</version>
<scope>test</scope>
</dependency>

<!-- https://mvnrepository.com/artifact/org.springframework/spring-test -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-test</artifactId>
<version>5.0.7.RELEASE</version>
<version>5.3.19</version>
<scope>test</scope>
</dependency>

<!-- https://mvnrepository.com/artifact/org.springframework/spring-core -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
<version>5.0.11.RELEASE</version>
<version>5.3.19</version>
<scope>test</scope>
</dependency>

Expand All @@ -156,22 +156,22 @@
<dependency>
<groupId>com.github.fakemongo</groupId>
<artifactId>fongo</artifactId>
<version>2.0.6</version>
<version>2.1.1</version>
<scope>test</scope>
</dependency>

<!-- https://mvnrepository.com/artifact/org.springframework/spring-context -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
<version>5.1.1.RELEASE</version>
<version>5.3.19</version>
</dependency>

<!-- https://mvnrepository.com/artifact/org.springframework.data/spring-data-mongodb -->
<dependency>
<groupId>org.springframework.data</groupId>
<artifactId>spring-data-mongodb</artifactId>
<version>2.1.1.RELEASE</version>
<version>3.3.4</version>
</dependency>

<!-- Test -->
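Review bot: spring-data-mongodb 3.3.4 is a major jump from 2.1.1.RELEASE, and the Spring Data MongoDB 3.x line is built against the MongoDB Java driver 4.x (`org.mongodb:mongodb-driver-sync` / `mongodb-driver-core`), while this pom still declares the legacy `org.mongodb:mongo-java-driver` 3.12.11 uber-jar a few hunks up; that combination puts two copies of the driver classes on the classpath and typically fails at runtime. Either drop the 3.x uber-jar in favour of the 4.x artifacts or keep spring-data-mongodb on the 2.x line; the test dependency `fongo` 2.1.1 was written against the 3.x driver API, so the tests need the same decision. Since the commit message flags this bump as semver-major, a line on what was verified (build, tests, a manual run against Mongo) would help the next reviewer.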
Expand All @@ -185,7 +185,7 @@
<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter-engine</artifactId>
<version>5.0.1</version>
<version>5.8.2</version>
<scope>test</scope>
</dependency>

Expand All @@ -201,7 +201,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>4.4.0</version>
<version>4.5.1</version>
</dependency>

<!-- https://mvnrepository.com/artifact/io.github.cdimascio/java-dotenv -->
Expand All @@ -220,7 +220,7 @@
<plugins>
<plugin>
<artifactId>maven-clean-plugin</artifactId>
<version>3.1.0</version>
<version>3.2.0</version>
<configuration>
<filesets>
<fileset>
Expand Down Expand Up @@ -392,7 +392,7 @@
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>properties-maven-plugin</artifactId>
<version>1.0.0</version>
<version>1.1.0</version>
<executions>
<execution>
<phase>initialize</phase>
Expand All @@ -409,7 +409,7 @@
</plugin>
<plugin>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.8.1</version>
<version>3.10.1</version>
<configuration>
<source>1.8</source>
<target>1.8</target>
Expand Down Expand Up @@ -485,7 +485,7 @@
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>build-helper-maven-plugin</artifactId>
<version>3.0.0</version>
<version>3.3.0</version>
<executions>
<execution>
<id>add-test-source</id>
Expand Up @@ -47,8 +47,6 @@ public class CsrfChallengeSeven extends HttpServlet {
* Allows users to set their CSRF attack string to complete this module. They should be using this
* to force users to visit their own pages that forces the victim to submit a post request to the
* CSRFChallengeTargetSeven
*
* @param myMessage To Be stored as the users message for this module
*/
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
Expand All @@ -73,8 +71,8 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
ses.getAttribute("userName").toString());
log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString());
Cookie tokenCookie = Validate.getToken(request.getCookies());
Object tokenParmeter = request.getParameter("csrfToken");
if (Validate.validateTokens(tokenCookie, tokenParmeter)) {
Object tokenParameter = request.getParameter("csrfToken");
if (Validate.validateTokens(tokenCookie, tokenParameter)) {
String myMessage = request.getParameter("myMessage");
log.debug("User Submitted - " + myMessage);
myMessage = Validate.makeValidUrl(myMessage);
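Review bot: the typo fix is fine, but `Object tokenParameter = request.getParameter("csrfToken")` should be declared as `String`, which is what `getParameter` returns; a typed variable lets the compiler catch a mismatch with `Validate.validateTokens` instead of relying on a runtime check. The ordering is right for a double-submit check: `myMessage` is only read and stored after the cookie token and the request parameter have been compared.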
Expand Up @@ -90,7 +90,7 @@ public void doGet(HttpServletRequest request, HttpServletResponse response)
int i = 0;
while (rs.next()) {
i++;
htmlOutput += Encode.forHtml("\"" + rs.getString(1) + "\"") + " <br/>";
htmlOutput += Encode.forHtml(rs.getString(1)) + " <br/>";
}
log.debug("Returned " + i + " CSRF Tokens for ID: " + userId);
conn.close();
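Review bot: dropping the literal quotation marks around each token is a display fix, and `Encode.forHtml` is still applied to the database value before it reaches the page, which is the correct encoder for this HTML body context. Since the loop appends with `htmlOutput +=` on every row and the number of rows returned per ID is not bounded here, consider a `StringBuilder`; each iteration currently copies the whole accumulated string.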
Expand Up @@ -71,10 +71,10 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
log.debug("Account Number - " + accountNumber);
String applicationRoot = getServletContext().getRealPath("");
String htmlOutput = new String();
float currentBalance =
long currentBalance =
DirectObjectBankLogin.getAccountBalance(accountNumber, applicationRoot);
log.debug("Outputting HTML");
htmlOutput = Float.toString(currentBalance);
htmlOutput = Long.toString(currentBalance);
out.write(htmlOutput);
} catch (SQLException e) {
out.write(
Expand Up @@ -141,7 +141,7 @@ public static String bankForm(
ResourceBundle errors)
throws SQLException {

float currentBalance = getAccountBalance(accountNumber, applicationRoot);
long currentBalance = getAccountBalance(accountNumber, applicationRoot);
String bankForm =
"<h2 class='title'>"
+ bundle.getString("bankForm.yourAccount")
Expand All @@ -161,9 +161,8 @@ public static String bankForm(
+ "<br><br>"
+ ""
+ bundle.getString("result.theKeyIs")
+ " <a>"
+ Hash.generateUserSolution(levelResult, (String) ses.getAttribute("userName"))
+ "</a>";
+ ""
+ Hash.generateUserSolution(levelResult, (String) ses.getAttribute("userName"));
}
bankForm +=
""
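Review bot: removing the `<a>` wrapper matches the commit message's note about the key not displaying properly under Docker, but the value from `Hash.generateUserSolution` is still concatenated into `bankForm` without output encoding, unlike the `Encode.forHtml` call used elsewhere in this commit; if that method can return anything beyond a fixed hex or base64 alphabet, wrap it in `Encode.forHtml` here as well.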
Expand Down Expand Up @@ -233,7 +232,7 @@ public static String bankForm(String accountNumber, String applicationRoot, Http
ResourceBundle bundle =
ResourceBundle.getBundle("i18n.servlets.challenges.directObject.directObjectBank", locale);

float currentBalance = getAccountBalance(accountNumber, applicationRoot);
long currentBalance = getAccountBalance(accountNumber, applicationRoot);
String bankForm =
"<h2 class='title'>"
+ bundle.getString("bankForm.yourAccount")
Expand Down Expand Up @@ -317,18 +316,18 @@ public static String bankForm(String accountNumber, String applicationRoot, Http
* @return Returns a Float Value representing the balance
* @throws SQLException If no rows found or if SQL error occurs
*/
public static float getAccountBalance(String accountNumber, String applicationRoot)
public static long getAccountBalance(String accountNumber, String applicationRoot)
throws SQLException {
Connection conn = Database.getChallengeConnection(applicationRoot, "directObjectBank");
CallableStatement callstmt;
float toReturn = 0;
long toReturn = 0;
try {

callstmt = conn.prepareCall("CALL currentFunds(?)");
callstmt.setString(1, accountNumber);
ResultSet rs = callstmt.executeQuery();
if (rs.next()) {
toReturn = rs.getFloat(1);
toReturn = rs.getLong(1);
} else {
throw new SQLException("Could not Get Funds. No Rows Found From Query");
}
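Review bot: the Javadoc still reads `@return Returns a Float Value representing the balance` although the method now returns `long`; update it in this hunk. The switch from `rs.getFloat(1)` to `rs.getLong(1)` also changes semantics: if the `currentFunds` procedure can return a fractional balance, `getLong` silently truncates it, so either state that the column is integral or read the value as `BigDecimal`. The visible part of the try block also does not show the `CallableStatement` or `ResultSet` being closed; a try-with-resources would release them on the `SQLException` path too.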
Expand Up @@ -85,12 +85,12 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
// Positive Transfer Amount?
if (tranferAmount > 0) {
// Sender Account Has necessary funds?
float senderFunds =
long senderFunds =
DirectObjectBankLogin.getAccountBalance(senderAccountNumber, applicationRoot);
if ((senderFunds - tranferAmount) > 0) {
// Check Receiver Account Exists
try {
float recieverAccountBalanace =
long recieverAccountBalanace =
DirectObjectBankLogin.getAccountBalance(recieverAccountNumber, applicationRoot);
if (recieverAccountBalanace >= 0) {
performTransfer = true;
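Review bot: the affordability check `if ((senderFunds - tranferAmount) > 0)` rejects a transfer of the exact balance (it should be `>= 0` if emptying an account is allowed), and now that `senderFunds` is a `long` the subtraction is performed in whatever type `tranferAmount` has; if that is still a `float`, the comparison mixes integral and floating-point values and a fractional amount could be accepted while the balance is read as a whole number. More importantly, the check is read-then-act: the balance is fetched here and the transfer performed later, so two concurrent requests can both pass it; the funds check belongs inside the same database transaction or stored procedure as the debit. Minor: `tranferAmount` and `recieverAccountBalanace` are misspelled.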

0 comments on commit 14ba710
