Merge pull request #182 from OWASP/cvss-module

CVSS Lesson Module

Author: paul-ion

trainingportal/challenges.js

@@ -84,7 +84,6 @@ let init = async () => {
         let moduleDefinitions = getDefinitionsForModule(moduleId);
         var modulePath = getModulePath(moduleId);
         for(let level of moduleDefinitions){
-            challengeDefinitions.push(level);
             for(let challenge of level.challenges){
                 if(!util.isNullOrUndefined(challengeNames[challenge.id])){
                     throw new Error(`Duplicate challenge id: '${challenge.id}'!`);
@@ -206,6 +205,7 @@ let getChallengeDefinitions = async (moduleId) => {
 
     if(util.isNullOrUndefined(moduleId)) return [];    
     if(util.isNullOrUndefined(modules[moduleId])) return [];
+    if(!util.isNullOrUndefined(challengeDefinitions[moduleId])) return challengeDefinitions[moduleId];
 
     var modulePath = getModulePath(moduleId);
     var moduleDefinitions = getDefinitionsForModule(moduleId);
@@ -224,12 +224,17 @@ let getChallengeDefinitions = async (moduleId) => {
                 challenge.description = path.join(modulePath, description);
             }
             if(challenge.type === "quiz"){
-                challenge.question = qna.getCode(challenge.id);
+                if(util.isNullOrUndefined(challenge.options)){
+                    challenge.question = qna.getCode(challenge.id);
+                }
+                else if(!util.isNullOrUndefined(challenge.answer)){
+                    challenge.question = { "digest": qna.getDigest(challenge.answer)}
+                }
             }
         }
         returnChallenges.push(level);
     }
-        
+    challengeDefinitions[moduleId] = returnChallenges;    
     return returnChallenges;
 }
 
@@ -452,8 +457,8 @@ let apiChallengeCode = async (req) => {
     }
 
     let answer = null;
-    if(!util.isNullOrUndefined(req.body.answer)){
-        answer = req.body.answer.trim();
+    if(!util.isNullOrUndefined(req.body.answer) && typeof req.body.answer === "string"){
+        answer = req.body.answer.trim().toLowerCase();
     }
 
     if(util.isNullOrUndefined(challengeCode) || 

trainingportal/qna.js

@@ -25,8 +25,12 @@ let getSecretText = (challengeId) => {
   return secretText.toUpperCase();
 }
 
+let getDigest = (val) => {
+  return crypto.createHash('sha256').update(val.trim().toLowerCase() + masterSalt).digest('hex');
+}
+
 let getRes = (mes, code) => {
-  let digest = crypto.createHash('sha256').update(mes.trim()+masterSalt).digest('hex');
+  let digest = getDigest(mes);
   return res = {
     code:code,
     digest:digest, 
@@ -227,6 +231,34 @@ let analysisEnc = (mes) => {
   return getRes(goldenKey, cipher);
 }
 
+let cvss_3_score_1 = () => {
+  return {"digest": getDigest("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N")};
+}
+
+let cvss_4_score_2 = () => {
+  return {"digest": getDigest("CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N")};
+}
+
+let cvss_5_chain = () => {
+  return {"digest": getDigest("CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N")};
+}
+
+let cvss_6_score_3 = () => {
+  return {"digest": getDigest("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N")};
+}
+
+let cvss_7_score_4 = () => {
+  return {"digest": getDigest("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N")};
+}
+
+let cvss_8_score_5 = () => {
+  return {"digest": getDigest("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N")};
+}
+
+let cvss_9_score_6 = () => {
+  return {"digest": getDigest("CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N")};
+}
+
 const DEFS = {
   "crypto_caesar": caesarEnc,
   "crypto_vigenere": vigenereEnc,
@@ -235,12 +267,20 @@ const DEFS = {
   "crypto_hash": hashEnc,
   "crypto_xor": xorEnc,
   "crypto_pbk": pbkEnc,
-  "crypto_analysis": analysisEnc
+  "crypto_analysis": analysisEnc,
+  "cvss_3_score_1": cvss_3_score_1,
+  "cvss_4_score_2": cvss_4_score_2,
+  "cvss_5_chain": cvss_5_chain,
+  "cvss_6_score_3": cvss_6_score_3,
+  "cvss_7_score_4": cvss_7_score_4,
+  "cvss_8_score_5": cvss_8_score_5,
+  "cvss_9_score_6": cvss_9_score_6
 }
 
 module.exports = {
   DEFS,
   getCode,
+  getDigest,
   checkCode,
   xorOp
 }

trainingportal/static/challenges.html

@@ -74,24 +74,38 @@ <h4>Challenge</h4>
                                 The play link has been provided to you when solving the previous module or challenge. 
                                 If you have missed it read the challenge description carefully and try to figure out what it is.
                             </p>
-                            <div ng-if="challenge.question" class="alert alert-info" style="color: black;">
+                            <div ng-if="challenge.question.code" class="alert alert-info" style="color: black;">
                                 <textarea rows="10" readonly style="background-color: transparent; border: 0px; width: 100%">{{challenge.question.code}}</textarea> 
                             </div>
 
+                            <span ng-if="challenge.options">
+                                <div class="form-check" ng-repeat="op in challenge.options">
+                                    <input class="form-check-input option-{{challenge.id}}" type="radio" value="{{op.value}}" name="option" id="option-{{challenge.id}}-{{$index}}">
+                                    <label class="form-check-label" for="option-{{challenge.id}}-{{$index}}">
+                                        {{op.display}}
+                                    </label>
+                                </div>
+                            </span>
+
                             <span ng-if="!challenge.passed">
 
+                                <span ng-if="challenge.options">
+                                    <br>
+                                    <a ng-click="submitOption(challenge.id, challenge.question.digest)" class="btn btn-info btn-sm" role="button">Submit Answer</a>
+                                </span>
+
                                 <span ng-if="challenge.type !== 'quiz'">
                                     <p>
                                         Once you were able to complete the challenge you can generate a code which you can submit below.
                                     </p>
                                     <a ng-href="#!submitCode/{{moduleId}}/{{challenge.id}}/page/0" class="btn btn-info btn-sm" role="button">Submit Code</a>
                                 </span>
 
-                                <span ng-if="challenge.type === 'quiz'">
-                                    <p>
-                                        Once you were able to find the answer you can submit it below.
-                                    </p>
-                                    <a ng-href="#!submitCode/{{moduleId}}/{{challenge.id}}/quiz/{{challenge.question.digest}}" class="btn btn-info btn-sm" role="button">Submit Answer</a>
+                                <span ng-if="challenge.type === 'quiz' && !challenge.options">
+                                    <label for="answer-{{challenge.id}}">Answer:</label> &nbsp;
+                                    <input type="text" autocomplete="off" class="form-control" style="width: 100%;" id="answer-{{challenge.id}}" value=""/>
+                                    <br>
+                                    <a ng-click="submitAnswer(challenge.id, challenge.question.digest)" class="btn btn-info btn-sm" role="button">Submit Answer</a>                                
                                 </span>
 
                             </span>

trainingportal/static/challengesCtrl.js

@@ -24,6 +24,36 @@ app.controller("challengesCtrl", function($scope, $http, $routeParams) {
 
     }
 
+    $scope.submitOption = function(id, digest){
+        let answer = null;
+        let options = document.getElementsByClassName(`option-${id}`);
+        for(let op of options){
+            if(op.checked){
+                answer = op.value
+                break;
+            }
+        }
+        $scope.saveAnswer(answer,id,digest);   
+    }
+
+    $scope.submitAnswer = function(id, digest){
+        let answer = null;
+        let el = document.getElementById(`answer-${id}`);
+        if(el){
+            answer = el.value;
+        }
+        $scope.saveAnswer(answer,id,digest);
+    }
+
+    $scope.saveAnswer = function(answer, id, digest){
+        if(answer !== null){
+            localStorage.setItem("dojo.current.answer", answer);
+            localStorage.setItem("dojo.current.challenge", window.location.href);
+            window.location.href = `#!submitCode/${$scope.moduleId}/${id}/quiz/${digest}`;
+        }
+    }
+
+
     $scope.loadChallenges = function(){
         $http.get(`/challenges/${$scope.moduleId}`)
         .then(function(response) {