shivamdixit / webgoatphp

WebGoatPHP is a port of WebGoat to PHP and MySQL/SQLite databases.

Home Page: http://webgoatphp.com/

License: Apache License 2.0

Perl 0.04% PHP 92.75% Shell 0.03% JavaScript 4.24% CSS 1.53% ApacheConf 0.01% Batchfile 0.01% HTML 1.29% PLpgSQL 0.10%

webgoatphp's Introduction

Hi there 👋

webgoatphp's People

Contributors

abiusx, sethclong, shivamdixit


webgoatphp's Issues

Change "Webscarab" to OWASP ZAP

This is not a bug but WebScarab is an outdated and inactive OWASP project, ZAP does the same. Please replace the name to reflect a new tool

Analytics chart is distorted

The chart is displayed perfectly if opened from the URL directly (i.e. using #analytics in the URL); however, if you navigate using the side panel, the values (%) printed on it get distorted.

Logo is not responsive

WebGoatPHP logo on home page is not responsive and overlaps with heading on medium size resolution.

Cannot solve XSS challenges

Chrome XSS Auditor is refusing to execute the script because its source code was found within the request.

Feedback on Code

  1. First of all, the way you are handling challenges is not right. You get the challenge title using GET requests, and display its PHP page. How can you handle challenge resources, such as img files, css files, javascript files, etc., that are served separately? How can your application know where to find them?

To alleviate this, use jframework's catch controller. Catch controllers catch everything that goes past them, e.g. example.com/catch-controller/everything/here/goes/to/catch/controller.css
They receive the rest of the URL, and can decide what to do.

A good design would be to have example.com/webgoatphp/challenges/challenge-name-here/X
and X should be served from within the challenge folder. This allows the challenge to be able to use relative URLs, and access everything it has to offer, and at the same time allows the framework to track and log everything.

  2. wgphp is not the best namespace name to choose :D why not simply webgoat? It's already in PHP!
  3. The code you have for handling challenge initiation and judgement should be in a model. Controllers don't know anything about the application logic; they are simply operators that pass things around from view to model, and from user to model and back. When you're writing controller code, whenever you feel like you need to know more to code something, move it to a model.
  4. Do not directly map stuff to files and folders. Have a setup procedure that scans the challenges folder, extracts any needed information into an object (or array), stores this in the application config (SaveGeneral), and in later runs, if there is a value in the application config (LoadGeneral), uses that to access the list of challenges. Provide a refresh mechanism to reset this information as well. Then have a method that matches a challenge with data in this class, instead of directly to the file system. File system comparison is very error prone. A model solely for this purpose is a good idea.
  5. I suggest creating a whole different folder to contain challenges, e.g. app, _japp, challenges. It is not really your app models, but extensions to the app in a very separated manner. You still need base classes in jframework models though.
  6. I have suggestions regarding your base LessonAdapter class too, will list them here. First, LessonAdapter is a name without much meaning. Why not BaseLesson or just Lesson?
  7. Separate lesson names from lesson titles. Titles are human-readable texts, names are identifier-following strings (used in business logic).
  8. You can provide a function that generates a name from a title, and then don't force the challenge developer to set a name and a title. The function can simply replace whitespace with dashes, and lowercase everything else.
  9. Why would a challenge have to return its category ID? Why not just return its category as a string, and you combine challenges that have the same category string into one? Do not overcomplicate things that you expect people to do :D
  10. Do not require challenges to create content. Have an abstract function like start, that when called, moves the control to the challenge. Do not supervise them like kids, let them do their own output and everything. If they need help, they will ask for it (through the API). This is the object oriented way.
  11. I suggest replacing functions that have a specific return syntax (like get hints, which is probably supposed to return an array) with just arrays in the derived challenge. You can fill the getHints in the base class, so that it checks for array existence, and if it's there, uses it. Then you can create a template challenge that people can copy and modify to make their own.
  12. Instead of init and destruct, make challenges have a reset function that does both, the way needed. resetLesson is a bad name, this is the Lesson class already. You don't wanna write Lesson::resetLesson
  13. I suggest ridding all HTML parts that you have in the base class. Instead provide means for storage and retrieval of persistent information for the challenge, i.e. let them store stuff in the session. Many challenges need that!
  14. I think you need to send something to a challenge's start function (a GUID) which is generated per user, because they need to store their information separately for each user (especially in non-single modes).
  15. Finally, do not complicate things. If I were to make this, I wouldn't have a category at all, because one challenge never has categories. I would add them later when I have like 10 challenges, a few of which should be grouped together.

Thanks
-A

Warning while running test/sys/main

The following warning is encountered while running the tests from test/sys/main:
Unable to call Doctrine Plugin::Shutdown() - function does not exist in Unknown on line 0

Reset lesson button not working in firefox

Reset lesson is not working for any of the lessons in firefox.

Reason: An AJAX request is made to reset the lesson and when the response comes, the page is refreshed. However, in Firefox, on refreshing the page it also sends the POST data again, causing the lesson to be completed again. Hence the success message is displayed and the lesson is marked completed again.

Solution: Use a different way of refreshing the page.

Secure Coding Mode: Specifying which lines to display

In secure coding mode, the developer specifies the start and end line numbers that will be available for editing (in the function isSecureCodingAllowed()). However, this is not the best way because if in future the developer modifies the code, the line numbers will change and the wrong lines will be displayed to the user.

the XSS 2 (Stored) does not reset after challenge is finished

1. Go to the XSS 2 (Stored) challenge
2. Fill in a script in the message box such as <SCRIPT>alert(document.cookie);</SCRIPT>
3. Submit

Result
The user is not allowed to leave this challenge or reset it due to the "stored" XSS. Every time, the XSS is displayed. You need to delete the XSS message after the challenge is finished.

Redirect loop in login

If a user tries to access the workshop admin dashboard and if he is not authorized to do so, it results in error "Too many redirects". Instead of redirecting the user to the login page if he is not authorized, redirect him to SiteRoot.

Source code not properly indented in ACE editor

When displaying source code to the user, it is not indented because we are using the "trim" function and hence all the white-space is removed. If we do not use this function, it will show extra white-space and extra new lines.

We need something to remove extra spaces but at the same time keep indentation intact.

http://webgoatphp.com/ is down

Hi,
This is not an issue per se with your repo, I am wondering what's happening with the webgoat project now that it is down.

Thanks.

unable to setup properly

if email is better for this, let me know. I saw WebGoat PHP demo'd briefly at the AppSec USA project summit. I am attempting to run it on a LAMP stack (apache 2.4.18, mysql 5.7.16 & php 7.0.8), but am getting nowhere. One persistent error in the log is:
Uncaught Error: Class 'jf' not found in /var/www/html/webgoat-php/app/view/default/about.php:3\nStack trace:\n#0 {main}\n thrown in /var/www/html/webgoat-php/app/view/default/about.php on line 3, referer: http://localhost/webgoat-php/app/view/default/
The db is created and all wired up ... not getting any errors that way. Any ideas/help?

WebGoatPHP logo

We need to create a logo for WebGoatPHP. If anyone is willing to create one, please go ahead.

Static content not returned correctly by Single Mode Controller

In class SingleModeController, if static content is requested, it is returned using file_get_contents; however, this is not completely correct as audio/video/images etc. cannot be returned in this way.

It would be better to use the jframework download manager.
