Merge pull request #14 from ismisepaul/dev

Fixing level issues and updating dependencies

.github/workflows/release.yml

@@ -39,7 +39,7 @@ jobs:
  id: meta
  uses: docker/metadata-action@v3
  with:
- images: ismisepaul/securityshepherd
+ images: owasp/security-shepherd
 
  - name: Set up JDK 1.8
  uses: actions/setup-java@v1

README.md

@@ -2,8 +2,7 @@
 # OWASP Security Shepherd [![OWASP Flagship](https://img.shields.io/badge/owasp-flagship%20project-48A646.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Flagship_Projects) 
 The [OWASP Security Shepherd Project](http://bit.ly/owaspSecurityShepherd) is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skill set to security expert status.
 
-[![Build and Test](https://github.com/ismisepaul/SecurityShepherd/actions/workflows/test.yml/badge.svg)](https://github.com/ismisepaul/SecurityShepherd/actions/workflows/test.yml)
-
+[![Build and Test](https://github.com/OWASP/SecurityShepherd/actions/workflows/test.yml/badge.svg)](https://github.com/OWASP/SecurityShepherd/actions/workflows/test.yml) 
 # Where can I download Security Shepherd?
 
 ### Virtual Machine or Manual Setup

pom.xml

@@ -24,7 +24,7 @@
  <dependency>
  <groupId>de.mkammerer</groupId>
  <artifactId>argon2-jvm</artifactId>
- <version>2.2</version>
+ <version>2.11</version>
  </dependency>
  <!-- https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core -->
  <dependency>
@@ -36,7 +36,7 @@
  <dependency>
  <groupId>org.json</groupId>
  <artifactId>json</artifactId>
- <version>20211205</version>
+ <version>20220320</version>
  </dependency>
  <!-- https://mvnrepository.com/artifact/com.googlecode.json-simple/json-simple -->
  <dependency>
@@ -79,7 +79,7 @@
  <dependency>
  <groupId>org.mongodb</groupId>
  <artifactId>mongo-java-driver</artifactId>
- <version>3.4.1</version>
+ <version>3.12.10</version>
  </dependency>
  <dependency>
  <groupId>javax</groupId>
@@ -111,7 +111,7 @@
  <dependency>
  <groupId>org.owasp.encoder</groupId>
  <artifactId>encoder</artifactId>
- <version>1.2.1</version>
+ <version>1.2.3</version>
  </dependency>
 
  <!-- https://mvnrepository.com/artifact/commons-logging/commons-logging -->
@@ -125,23 +125,23 @@
  <dependency>
  <groupId>org.springframework</groupId>
  <artifactId>spring-web</artifactId>
- <version>5.3.16</version>
+ <version>5.3.19</version>
  <scope>test</scope>
  </dependency>
 
  <!-- https://mvnrepository.com/artifact/org.springframework/spring-test -->
  <dependency>
  <groupId>org.springframework</groupId>
  <artifactId>spring-test</artifactId>
- <version>5.0.7.RELEASE</version>
+ <version>5.3.19</version>
  <scope>test</scope>
  </dependency>
 
  <!-- https://mvnrepository.com/artifact/org.springframework/spring-core -->
  <dependency>
  <groupId>org.springframework</groupId>
  <artifactId>spring-core</artifactId>
- <version>5.0.11.RELEASE</version>
+ <version>5.3.19</version>
  <scope>test</scope>
  </dependency>
 
@@ -156,22 +156,22 @@
  <dependency>
  <groupId>com.github.fakemongo</groupId>
  <artifactId>fongo</artifactId>
- <version>2.0.6</version>
+ <version>2.1.1</version>
  <scope>test</scope>
  </dependency>
 
  <!-- https://mvnrepository.com/artifact/org.springframework/spring-context -->
  <dependency>
  <groupId>org.springframework</groupId>
  <artifactId>spring-context</artifactId>
- <version>5.1.1.RELEASE</version>
+ <version>5.3.19</version>
  </dependency>
 
  <!-- https://mvnrepository.com/artifact/org.springframework.data/spring-data-mongodb -->
  <dependency>
  <groupId>org.springframework.data</groupId>
  <artifactId>spring-data-mongodb</artifactId>
- <version>2.1.1.RELEASE</version>
+ <version>3.3.3</version>
  </dependency>
 
  <!-- Test -->
@@ -185,7 +185,7 @@
  <dependency>
  <groupId>org.junit.jupiter</groupId>
  <artifactId>junit-jupiter-engine</artifactId>
- <version>5.0.1</version>
+ <version>5.8.2</version>
  <scope>test</scope>
  </dependency>
 
@@ -220,7 +220,7 @@
  <plugins>
  <plugin>
  <artifactId>maven-clean-plugin</artifactId>
- <version>3.1.0</version>
+ <version>3.2.0</version>
  <configuration>
  <filesets>
  <fileset>
@@ -392,7 +392,7 @@
  <plugin>
  <groupId>org.codehaus.mojo</groupId>
  <artifactId>properties-maven-plugin</artifactId>
- <version>1.0.0</version>
+ <version>1.1.0</version>
  <executions>
  <execution>
  <phase>initialize</phase>
@@ -409,7 +409,7 @@
  </plugin>
  <plugin>
  <artifactId>maven-compiler-plugin</artifactId>
- <version>3.8.1</version>
+ <version>3.10.1</version>
  <configuration>
  <source>1.8</source>
  <target>1.8</target>
@@ -485,7 +485,7 @@
  <plugin>
  <groupId>org.codehaus.mojo</groupId>
  <artifactId>build-helper-maven-plugin</artifactId>
- <version>3.0.0</version>
+ <version>3.3.0</version>
  <executions>
  <execution>
  <id>add-test-source</id>

src/main/java/servlets/module/challenge/CsrfChallengeSeven.java

@@ -47,8 +47,6 @@ public class CsrfChallengeSeven extends HttpServlet {
  * Allows users to set their CSRF attack string to complete this module. They should be using this
  * to force users to visit their own pages that forces the victim to submit a post request to the
  * CSRFChallengeTargetSeven
- *
- * @param myMessage To Be stored as the users message for this module
  */
  public void doPost(HttpServletRequest request, HttpServletResponse response)
  throws ServletException, IOException {
@@ -73,8 +71,8 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
  ses.getAttribute("userName").toString());
  log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString());
  Cookie tokenCookie = Validate.getToken(request.getCookies());
- Object tokenParmeter = request.getParameter("csrfToken");
- if (Validate.validateTokens(tokenCookie, tokenParmeter)) {
+ Object tokenParameter = request.getParameter("csrfToken");
+ if (Validate.validateTokens(tokenCookie, tokenParameter)) {
  String myMessage = request.getParameter("myMessage");
  log.debug("User Submitted - " + myMessage);
  myMessage = Validate.makeValidUrl(myMessage);

src/main/java/servlets/module/challenge/CsrfChallengeSevenGetToken.java

@@ -90,7 +90,7 @@ public void doGet(HttpServletRequest request, HttpServletResponse response)
  int i = 0;
  while (rs.next()) {
  i++;
- htmlOutput += Encode.forHtml("\"" + rs.getString(1) + "\"") + " <br/>";
+ htmlOutput += Encode.forHtml(rs.getString(1)) + " <br/>";
  }
  log.debug("Returned " + i + " CSRF Tokens for ID: " + userId);
  conn.close();

src/main/java/servlets/module/challenge/DirectObjectBankCurrentBalance.java

@@ -71,10 +71,10 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
  log.debug("Account Number - " + accountNumber);
  String applicationRoot = getServletContext().getRealPath("");
  String htmlOutput = new String();
- float currentBalance =
+ long currentBalance =
  DirectObjectBankLogin.getAccountBalance(accountNumber, applicationRoot);
  log.debug("Outputting HTML");
- htmlOutput = Float.toString(currentBalance);
+ htmlOutput = Long.toString(currentBalance);
  out.write(htmlOutput);
  } catch (SQLException e) {
  out.write(

src/main/java/servlets/module/challenge/DirectObjectBankLogin.java

@@ -141,7 +141,7 @@ public static String bankForm(
  ResourceBundle errors)
  throws SQLException {
 
- float currentBalance = getAccountBalance(accountNumber, applicationRoot);
+ long currentBalance = getAccountBalance(accountNumber, applicationRoot);
  String bankForm =
  "<h2 class='title'>"
  + bundle.getString("bankForm.yourAccount")
@@ -161,9 +161,8 @@ public static String bankForm(
  + "<br><br>"
  + ""
  + bundle.getString("result.theKeyIs")
- + " <a>"
- + Hash.generateUserSolution(levelResult, (String) ses.getAttribute("userName"))
- + "</a>";
+ + ""
+ + Hash.generateUserSolution(levelResult, (String) ses.getAttribute("userName"));
  }
  bankForm +=
  ""
@@ -233,7 +232,7 @@ public static String bankForm(String accountNumber, String applicationRoot, Http
  ResourceBundle bundle =
  ResourceBundle.getBundle("i18n.servlets.challenges.directObject.directObjectBank", locale);
 
- float currentBalance = getAccountBalance(accountNumber, applicationRoot);
+ long currentBalance = getAccountBalance(accountNumber, applicationRoot);
  String bankForm =
  "<h2 class='title'>"
  + bundle.getString("bankForm.yourAccount")
@@ -317,18 +316,18 @@ public static String bankForm(String accountNumber, String applicationRoot, Http
  * @return Returns a Float Value representing the balance
  * @throws SQLException If no rows found or if SQL error occurs
  */
- public static float getAccountBalance(String accountNumber, String applicationRoot)
+ public static long getAccountBalance(String accountNumber, String applicationRoot)
  throws SQLException {
  Connection conn = Database.getChallengeConnection(applicationRoot, "directObjectBank");
  CallableStatement callstmt;
- float toReturn = 0;
+ long toReturn = 0;
  try {
 
  callstmt = conn.prepareCall("CALL currentFunds(?)");
  callstmt.setString(1, accountNumber);
  ResultSet rs = callstmt.executeQuery();
  if (rs.next()) {
- toReturn = rs.getFloat(1);
+ toReturn = rs.getLong(1);
  } else {
  throw new SQLException("Could not Get Funds. No Rows Found From Query");
  }

src/main/java/servlets/module/challenge/DirectObjectBankTransfer.java

@@ -85,12 +85,12 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
  // Positive Transfer Amount?
  if (tranferAmount > 0) {
  // Sender Account Has necessary funds?
- float senderFunds =
+ long senderFunds =
  DirectObjectBankLogin.getAccountBalance(senderAccountNumber, applicationRoot);
  if ((senderFunds - tranferAmount) > 0) {
  // Check Receiver Account Exists
  try {
- float recieverAccountBalanace =
+ long recieverAccountBalanace =
  DirectObjectBankLogin.getAccountBalance(recieverAccountNumber, applicationRoot);
  if (recieverAccountBalanace >= 0) {
  performTransfer = true;