diff --git a/trainingportal/auth.js b/trainingportal/auth.js index b7731bd9..c5cc4384 100644 --- a/trainingportal/auth.js +++ b/trainingportal/auth.js @@ -281,10 +281,11 @@ let processAuthCallback = async(profileId, givenName, familyName, email, cb) => user.email = email; let modules = challenges.getModules(); for(let moduleId in modules){ - let promise = challenges.verifyModuleCompletion(user, moduleId); - promise.catch((err) => { + try { + await challenges.verifyModuleCompletion(user, moduleId); + } catch (error) { util.log("Error with badge verification.", user); - }); + } } } else{ diff --git a/trainingportal/static/challenges.html b/trainingportal/static/challenges.html index 4f5c48af..fbc7a9a1 100644 --- a/trainingportal/static/challenges.html +++ b/trainingportal/static/challenges.html @@ -72,7 +72,7 @@
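Review bot: The new `catch (error)` in processAuthCallback never uses `error`, so the log line records only the user and the reason the badge verification failed is lost. Include it in the message, e.g. `util.log(`Error with badge verification: ${error}`, user);`, or pass `error` as an extra argument if util.log forwards additional values (its signature is not visible here). Replacing the detached `promise.catch` with an `await` inside the for...in loop also serializes every module verification on the login path, so login latency now grows with the number of modules; if that is not intended, `Promise.allSettled` over the module ids keeps failures isolated while running them concurrently. processAuthCallback starts and ends outside the hunk.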
- The play link has been provided to you when solving the previous challenge. + The play link has been provided to you when solving the previous module or challenge. If you have missed it read the challenge description carefully and try to figure out what it is.
diff --git a/trainingportal/static/lessons/blackBelt/definitions.json b/trainingportal/static/lessons/blackBelt/definitions.json
index 60a44e4f..9ac7ae76 100644
--- a/trainingportal/static/lessons/blackBelt/definitions.json
+++ b/trainingportal/static/lessons/blackBelt/definitions.json
@@ -129,15 +129,6 @@
 "solution":"cwe134.sol.md",
 "codeBlockIds":["safeMemoryManagement","inputAllowListing"]
 },
- {
- "id":"cwe502",
- "name":"Deserialization of Untrusted Data",
- "playLink":"/cwe502.jsp",
- "description": "cwe502.html",
- "attackGram":"deserialization.png",
- "solution":"cwe502.sol.md",
- "codeBlockIds":["enforceSafeDeserialization"]
- },
 {
 "id":"quiz",
 "name":"Quiz",
diff --git a/trainingportal/static/lessons/modules.json b/trainingportal/static/lessons/modules.json
index 10360335..83b85a34 100644
--- a/trainingportal/static/lessons/modules.json
+++ b/trainingportal/static/lessons/modules.json
@@ -30,7 +30,7 @@
 "name":"Black Belt",
 "summary":"Common software security flaws - part 2",
 "description":"Lessons are entry level difficulty aimed at introducing the concepts of vulnerability, exploit and software defense.",
- "description2":"Includes 14 lessons. Estimated duration 2 hours.",
+ "description2":"Includes 13 lessons. Estimated duration 2 hours.",
 "badgeInfo":{
 "line1":"Secure Coding",
 "line2":"Black Belt",
@@ -39,18 +39,30 @@
 },
 "requiredModules":["greenBelt"]
 },
- "secondDegreeBlackBelt":{
- "name":"Second Degree Black Belt",
+ "secondDegreeBlackBelt1":{
+ "name":"Second Degree Black Belt - Part 1",
 "summary":"Cloud software exploitation techniques",
 "description":"Have some fun with this Capture the Flag module which is based on OWASP Top 10. Your goal is to take down the cloud applications used in a worldwide malware campaign.",
 "badgeInfo":{
 "line1":"Secure Coding",
 "line2":"2nd Degree",
 "line3":"Black Belt",
- "bg":"darkred"
+ "bg":"red"
 },
 "requiredModules":["blackBelt"]
 },
+ "secondDegreeBlackBelt2":{
+ "name":"Second Degree Black Belt - Part 2",
+ "summary":"Cloud software exploitation techniques",
+ "description":"Have some fun with this Capture the Flag module which is based on OWASP Top 10. Your goal is to take down the cloud applications used in a worldwide malware campaign.",
+ "badgeInfo":{
+ "line1":"Secure Coding",
+ "line2":"2nd Degree",
+ "line3":"Black Belt",
+ "bg":"darkred"
+ },
+ "requiredModules":["secondDegreeBlackBelt1"]
+ },
 "redTeam":{
 "name":"Red Team",
 "summary":"Pen-testing tools and techniques",
diff --git a/trainingportal/static/lessons/secondDegreeBlackBelt/definitions.json b/trainingportal/static/lessons/secondDegreeBlackBelt/definitions.json
deleted file mode 100644
index 9cc6cdf2..00000000
--- a/trainingportal/static/lessons/secondDegreeBlackBelt/definitions.json
+++ /dev/null
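Review bot: Renaming the module key `secondDegreeBlackBelt` to `secondDegreeBlackBelt1` orphans any completions or badges already stored under the old id (challenge.test.js reads `moduleId` off fetched badges, so that id is presumably persisted); a data migration, or keeping the old id reachable, is needed unless existing learner progress is meant to be lost. Part 2 also copies Part 1's `summary` and `description` verbatim, so the two module cards differ only by name; a distinct summary such as `"summary":"Cloud software exploitation techniques - continued",` would let learners tell them apart.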
@@ -1,74 +0,0 @@
-[
- {
- "level":0,
- "name":"Second Degree Black Belt",
- "badgrInfo":
- {
- "issuer":"JEzPNy2zSGG1XVTsJ5JE0g",
- "badge_class":"6T4w5fU8RaiAedgSsVG4TA",
- "recipient_type":"email",
- "recipient_identifier":"",
- "narrative":"Badge issued for completing the Secure Coding Dojo:Second Degree Black Belt.",
- "create_notification":true,
- "evidence_items":[]
- },
- "challenges":[
- {
- "id":"owasp2017misconfig",
- "name":"Security Misconfiguration",
- "playLink":"",
- "description": "owasp2017misconfig.html",
- "codeBlockIds":["enforceSafeConfig"],
- "mission": "Find the secret file."
- },
- {
- "id":"owasp2017sensitive",
- "name":"Sensitive Data Exposure",
- "description": "owasp2017sensitive.html",
- "attackGram":"missingenc.png",
- "codeBlockIds":["useStrongDataEncryption"],
- "mission": "Login as the test user."
- },
- {
- "id":"owasp2017brokenauth",
- "name":"Broken Authentication & Broken Access Control",
- "description": "owasp2017brokenauth.html",
- "attackGram":"missingauthz.png",
- "codeBlockIds":["loginBestPractices","principleOfLeastPrivilege","serverSideValidation"],
- "mission": "View the chat messages."
- },
- {
- "id":"owasp2017xss",
- "name":"Cross-Site Scripting",
- "description": "owasp2017xss.html",
- "attackGram":"xss.png",
- "codeBlockIds":["neutralizeOutput","inputAllowListing","requestForgeryPrevention"],
- "mission":"Alter the html code of the page by inserting the following tag: "
- },
- {
- "id":"owasp2017injection",
- "name":"Injection",
- "description": "owasp2017injection.html",
- "attackGram":"commandinjection.png",
- "codeBlockIds":["parameterizedCommands","inputAllowListing","principleOfLeastPrivilege"],
- "mission":"Output the contents of the secret file on internal host 1."
- },
- {
- "id":"owasp2017xxe",
- "name":"XML External Entities",
- "description": "owasp2017xxe.html",
- "attackGram":"xxe.png",
- "codeBlockIds":["disableXmlExternalEntities","principleOfLeastPrivilege"],
- "mission": "Login into the web application hosted on internal host 2."
- },
- {
- "id":"owasp2017deserialization",
- "name":"Using Components with Known Vulnerabilities & Insecure Deserialization",
- "description": "owasp2017deserialization.html",
- "attackGram":"deserialization.png",
- "codeBlockIds":["enforceSafeDeserialization","keep3rdPartyUpToDate"],
- "mission": "Submit a STOP command object."
- }
- ]
- }
-]
\ No newline at end of file
diff --git a/trainingportal/static/lessons/secondDegreeBlackBelt1/definitions.json b/trainingportal/static/lessons/secondDegreeBlackBelt1/definitions.json
new file mode 100644
index 00000000..058f645d
--- /dev/null
+++ b/trainingportal/static/lessons/secondDegreeBlackBelt1/definitions.json
@@ -0,0 +1,40 @@
+[
+ {
+ "level":0,
+ "name":"Second Degree Black Belt - Part 1",
+ "challenges":[
+ {
+ "id":"owasp2017misconfig",
+ "name":"Security Misconfiguration",
+ "playLink":"",
+ "description": "owasp2017misconfig.html",
+ "codeBlockIds":["enforceSafeConfig"],
+ "mission": "Find the secret file."
+ },
+ {
+ "id":"owasp2017sensitive",
+ "name":"Sensitive Data Exposure",
+ "description": "owasp2017sensitive.html",
+ "attackGram":"missingenc.png",
+ "codeBlockIds":["useStrongDataEncryption"],
+ "mission": "Login as the test user."
+ },
+ {
+ "id":"owasp2017brokenauth",
+ "name":"Broken Authentication & Broken Access Control",
+ "description": "owasp2017brokenauth.html",
+ "attackGram":"missingauthz.png",
+ "codeBlockIds":["loginBestPractices","principleOfLeastPrivilege","serverSideValidation"],
+ "mission": "View the chat messages."
+ },
+ {
+ "id":"owasp2017xss",
+ "name":"Cross-Site Scripting",
+ "description": "owasp2017xss.html",
+ "attackGram":"xss.png",
+ "codeBlockIds":["neutralizeOutput","inputAllowListing","requestForgeryPrevention"],
+ "mission":"Alter the html code of the page by inserting the following tag: "
+ }
+ ]
+ }
+]
\ No newline at end of file
diff --git a/trainingportal/static/lessons/secondDegreeBlackBelt/owasp2017brokenauth.html b/trainingportal/static/lessons/secondDegreeBlackBelt1/owasp2017brokenauth.html
similarity index 100%
rename from trainingportal/static/lessons/secondDegreeBlackBelt/owasp2017brokenauth.html
rename to trainingportal/static/lessons/secondDegreeBlackBelt1/owasp2017brokenauth.html
diff --git a/trainingportal/static/lessons/secondDegreeBlackBelt/owasp2017misconfig.html b/trainingportal/static/lessons/secondDegreeBlackBelt1/owasp2017misconfig.html
similarity index 100%
rename from trainingportal/static/lessons/secondDegreeBlackBelt/owasp2017misconfig.html
rename to trainingportal/static/lessons/secondDegreeBlackBelt1/owasp2017misconfig.html
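Review bot: The deleted secondDegreeBlackBelt/definitions.json carried a `badgrInfo` object (issuer, badge_class, recipient fields, narrative) for the module, and neither this new Part 1 file nor secondDegreeBlackBelt2/definitions.json in the later new-file hunk has one, so whatever consumed that block for external badge issuance has no configuration for either new module. If dropping it is intentional, saying so in the commit description would save the next reader a search; otherwise each new module needs its own `badgrInfo` with a narrative naming that part, since the old narrative text refers to the single combined module.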
diff --git a/trainingportal/static/lessons/secondDegreeBlackBelt/owasp2017sensitive.html b/trainingportal/static/lessons/secondDegreeBlackBelt1/owasp2017sensitive.html
similarity index 100%
rename from trainingportal/static/lessons/secondDegreeBlackBelt/owasp2017sensitive.html
rename to trainingportal/static/lessons/secondDegreeBlackBelt1/owasp2017sensitive.html
diff --git a/trainingportal/static/lessons/secondDegreeBlackBelt/owasp2017xss.html b/trainingportal/static/lessons/secondDegreeBlackBelt1/owasp2017xss.html
similarity index 100%
rename from trainingportal/static/lessons/secondDegreeBlackBelt/owasp2017xss.html
rename to trainingportal/static/lessons/secondDegreeBlackBelt1/owasp2017xss.html
diff --git a/trainingportal/static/lessons/secondDegreeBlackBelt2/definitions.json b/trainingportal/static/lessons/secondDegreeBlackBelt2/definitions.json
new file mode 100644
index 00000000..c82884aa
--- /dev/null
+++ b/trainingportal/static/lessons/secondDegreeBlackBelt2/definitions.json
@@ -0,0 +1,32 @@
+[
+ {
+ "level":0,
+ "name":"Second Degree Black Belt - Part 2",
+ "challenges":[
+ {
+ "id":"owasp2017injection",
+ "name":"Injection",
+ "description": "owasp2017injection.html",
+ "attackGram":"commandinjection.png",
+ "codeBlockIds":["parameterizedCommands","inputAllowListing","principleOfLeastPrivilege"],
+ "mission":"Output the contents of the secret file on internal host 1."
+ },
+ {
+ "id":"owasp2017xxe",
+ "name":"XML External Entities",
+ "description": "owasp2017xxe.html",
+ "attackGram":"xxe.png",
+ "codeBlockIds":["disableXmlExternalEntities","principleOfLeastPrivilege"],
+ "mission": "Login into the web application hosted on internal host 2."
+ },
+ {
+ "id":"owasp2017deserialization",
+ "name":"Using Components with Known Vulnerabilities & Insecure Deserialization",
+ "description": "owasp2017deserialization.html",
+ "attackGram":"deserialization.png",
+ "codeBlockIds":["enforceSafeDeserialization","keep3rdPartyUpToDate"],
+ "mission": "Submit a STOP command object."
+ }
+ ]
+ }
+]
\ No newline at end of file
diff --git a/trainingportal/static/lessons/secondDegreeBlackBelt/owasp2017deserialization.html b/trainingportal/static/lessons/secondDegreeBlackBelt2/owasp2017deserialization.html
similarity index 100%
rename from trainingportal/static/lessons/secondDegreeBlackBelt/owasp2017deserialization.html
rename to trainingportal/static/lessons/secondDegreeBlackBelt2/owasp2017deserialization.html
diff --git a/trainingportal/static/lessons/secondDegreeBlackBelt/owasp2017injection.html b/trainingportal/static/lessons/secondDegreeBlackBelt2/owasp2017injection.html
similarity index 100%
rename from trainingportal/static/lessons/secondDegreeBlackBelt/owasp2017injection.html
rename to trainingportal/static/lessons/secondDegreeBlackBelt2/owasp2017injection.html
diff --git a/trainingportal/static/lessons/secondDegreeBlackBelt/owasp2017xxe.html b/trainingportal/static/lessons/secondDegreeBlackBelt2/owasp2017xxe.html similarity index 100% rename from trainingportal/static/lessons/secondDegreeBlackBelt/owasp2017xxe.html rename to trainingportal/static/lessons/secondDegreeBlackBelt2/owasp2017xxe.html diff --git a/trainingportal/test/challenge.test.js b/trainingportal/test/challenge.test.js index 11ebf6d3..b027124b 100644 --- a/trainingportal/test/challenge.test.js +++ b/trainingportal/test/challenge.test.js @@ -108,13 +108,18 @@ describe('challengeTests', () => { test('should issue a badge', async () => { - let result = await challenges.verifyModuleCompletion(user, "secondDegreeBlackBelt"); + let result = await challenges.verifyModuleCompletion(user, "secondDegreeBlackBelt1"); assert.equal(result,true,"Should have completed the module"); + + result = await challenges.verifyModuleCompletion(user, "secondDegreeBlackBelt2"); + assert.equal(result,true,"Should have completed the module"); + let promise = db.fetchBadges(user.id); let badges = await promise; assert.notEqual(null, badges, "badges should NOT be null"); - assert.equal(badges.length, 1, "Incorrect number of badges"); - assert.equal(badges[0].moduleId, "secondDegreeBlackBelt", "Wrong badge module"); + assert.equal(badges.length, 2, "Incorrect number of badges"); + assert.equal(badges[0].moduleId, "secondDegreeBlackBelt1", "Wrong badge module"); + assert.equal(badges[1].moduleId, "secondDegreeBlackBelt2", "Wrong badge module"); //cleanup return promise; }); diff --git a/trainingportal/tools/devSetup.js b/trainingportal/tools/devSetup.js index e9325eb1..7a753547 100755 --- a/trainingportal/tools/devSetup.js +++ b/trainingportal/tools/devSetup.js 
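Review bot: The new assertions read `badges[0]` and `badges[1]` by position, so the test now depends on `db.fetchBadges` returning rows in insertion order, which nothing in the hunk guarantees and which makes the test flaky under a different query plan or storage backend. An order-independent check pins the same expectation: `assert.deepEqual(badges.map(b => b.moduleId).sort(), ["secondDegreeBlackBelt1", "secondDegreeBlackBelt2"], "Wrong badge modules");`. The enclosing describe block starts and ends outside the hunk.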
@@ -17,10 +17,11 @@ async function setup(){ await db.getPromise(db.insertUser, dojoUserInfo); auth.createUpdateUserInternal("dojouser", dojoUserInfo, "SecureCodingDojo"); - util.log("Unlocking all challenges for 'dojouser'"); + util.log("Unlocking challenges for 'dojouser'"); let user = await db.getPromise(db.getUser,"Local_dojouser"); - await challengeUtil.passChallenges("securityCodeReviewMaster",user,["codereview101_indirectReferences"]); - await challengeUtil.passChallenges("blackBelt",user,["cwe502"]); + await challengeUtil.passChallenges("securityCodeReviewMaster",user,[]); + await challengeUtil.passChallenges("greenBelt",user,[]); + await challengeUtil.passChallenges("blackBelt",user,["cwe134"]); } catch (error) { console.error(error);