dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Make attack links ajaxy

Browse Source 
Fix hints on StoredXSS
This commit is contained in:
Rick Lawson
2014-09-25 21:05:07 -04:00
parent 2d1abcbd19
commit 019a148c9d
5 changed files with 311 additions and 336 deletions
Download Patch File Download Diff File Expand all files Collapse all files

202
src/main/java/org/owasp/webgoat/lessons/StoredXss.java
View File

@ -1,10 +1,8 @@
package org.owasp.webgoat.lessons;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import org.apache.ecs.Element;
@ -25,43 +23,46 @@ import org.owasp.webgoat.session.*;
import org.owasp.webgoat.util.HtmlEncoder;
import org.owasp.webgoat.util.WebGoatI18N;
/***************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
/**
* *************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
*
* Source for this application is maintained at
* https://github.com/WebGoat/WebGoat, a repository for free software projects.
*
* For details, please see http://webgoat.github.io
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect
* Security</a>
* @created October 28, 2003
*/
public class StoredXss extends LessonAdapter
{
public class StoredXss extends LessonAdapter {
public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com")
.addElement(
new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0)
.setVspace(0));
new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0)
.setVspace(0));
private final static String MESSAGE = "message";
@ -82,17 +83,13 @@ public class StoredXss extends LessonAdapter
private final static int USER_COL = 4; // Added by Chuck Willis - used to show user who posted
// message
/**
* Adds a feature to the Message attribute of the MessageBoardScreen object
*
* @param s
* The feature to be added to the Message attribute
*
* @param s The feature to be added to the Message attribute
*/
protected void addMessage(WebSession s)
{
try
{
protected void addMessage(WebSession s) {
try {
String title = HtmlEncoder.encode(s.getParser().getRawParameter(TITLE, ""));
String message = s.getParser().getRawParameter(MESSAGE, "");
@ -101,20 +98,18 @@ public class StoredXss extends LessonAdapter
String query = "INSERT INTO messages VALUES (?, ?, ?, ?, ? )";
PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
ResultSet.CONCUR_READ_ONLY);
statement.setInt(1, count++);
statement.setString(2, title);
statement.setString(3, message);
statement.setString(4, s.getUserName());
statement.setString(5, this.getClass().getName());
statement.execute();
} catch (Exception e)
{
} catch (Exception e) {
// ignore the empty resultset on the insert. There are a few more SQL Injection errors
// that could be trapped here but we will let them try. One error would be something
// like "Characters found after end of SQL statement."
if (e.getMessage().indexOf("No ResultSet was produced") == -1)
{
if (e.getMessage().indexOf("No ResultSet was produced") == -1) {
s.setMessage(WebGoatI18N.get("CouldNotAddMessage"));
}
e.printStackTrace();
@ -123,13 +118,11 @@ public class StoredXss extends LessonAdapter
/**
* Description of the Method
*
* @param s
* Description of the Parameter
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent(WebSession s)
{
protected Element createContent(WebSession s) {
addMessage(s);
ElementContainer ec = new ElementContainer();
@ -144,62 +137,53 @@ public class StoredXss extends LessonAdapter
/**
* Gets the category attribute of the StoredXss object
*
*
* @return The category value
*/
protected Category getDefaultCategory()
{
protected Category getDefaultCategory() {
return Category.XSS;
}
/**
* Gets the hints attribute of the MessageBoardScreen object
*
*
* @return The hints value
*/
protected List<String> getHints(WebSession s)
{
protected List<String> getHints(WebSession s) {
List<String> hints = new ArrayList<String>();
hints.add(WebGoatI18N.get("StoredXssHint1"));
hints.add(WebGoatI18N.get("StoredXssHint1"));
hints.add(WebGoatI18N.get("StoredXssHint1"));
hints.add(WebGoatI18N.get("StoredXssHint1"));
hints.add(WebGoatI18N.get("StoredXssHint2"));
hints.add(WebGoatI18N.get("StoredXssHint3"));
hints.add(WebGoatI18N.get("StoredXssHint4"));
return hints;
}
private final static Integer DEFAULT_RANKING = new Integer(100);
protected Integer getDefaultRanking()
{
protected Integer getDefaultRanking() {
return DEFAULT_RANKING;
}
/**
* Gets the title attribute of the MessageBoardScreen object
*
*
* @return The title value
*/
public String getTitle()
{
public String getTitle() {
return ("Stored XSS Attacks");
}
/**
* Description of the Method
*
* @param s
* Description of the Parameter
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected Element makeCurrent(WebSession s)
{
protected Element makeCurrent(WebSession s) {
ElementContainer ec = new ElementContainer();
try
{
try {
int messageNum = s.getParser().getIntParameter(NUMBER, 0);
Connection connection = DatabaseUtilities.getConnection(s);
@ -208,25 +192,23 @@ public class StoredXss extends LessonAdapter
// The idea is that users chuck-1, chuck-2, etc will see each other's messages
// but not anyone elses. This allows users to try out XSS to grab another user's
// cookies, but not get confused by other users scripts
String query = "SELECT * FROM messages WHERE user_name LIKE ? and num = ? and lesson_type = ?";
PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
ResultSet.CONCUR_READ_ONLY);
statement.setString(1, getNameroot(s.getUserName()) + "%");
statement.setInt(2, messageNum);
statement.setString(3, this.getClass().getName());
ResultSet results = statement.executeQuery();
if ((results != null) && results.first())
{
ec.addElement(new H1(WebGoatI18N.get("MessageContentsFor")+": " + results.getString(TITLE_COL)));
if ((results != null) && results.first()) {
ec.addElement(new H1(WebGoatI18N.get("MessageContentsFor") + ": " + results.getString(TITLE_COL)));
Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
TR row1 = new TR(new TD(new B(new StringElement(WebGoatI18N.get("Title")+":"))));
TR row1 = new TR(new TD(new B(new StringElement(WebGoatI18N.get("Title") + ":"))));
row1.addElement(new TD(new StringElement(results.getString(TITLE_COL))));
t.addElement(row1);
String messageData = results.getString(MESSAGE_COL);
TR row2 = new TR(new TD(new B(new StringElement(WebGoatI18N.get("Message")+":"))));
TR row2 = new TR(new TD(new B(new StringElement(WebGoatI18N.get("Message") + ":"))));
row2.addElement(new TD(new StringElement(messageData)));
t.addElement(row2);
@ -235,8 +217,7 @@ public class StoredXss extends LessonAdapter
// if users use a cross site request forgery or XSS to make another user post a
// message,
// they can see that the message is attributed to that user
TR row3 = new TR(new TD(new StringElement(WebGoatI18N.get("PostedBy")+":")));
TR row3 = new TR(new TD(new StringElement(WebGoatI18N.get("PostedBy") + ":")));
row3.addElement(new TD(new StringElement(results.getString(USER_COL))));
t.addElement(row3);
@ -245,21 +226,16 @@ public class StoredXss extends LessonAdapter
// Some sanity checks that the script may be correct
if (messageData.toLowerCase().indexOf("<script>") != -1
&& messageData.toLowerCase().indexOf("</script>") != -1
&& messageData.toLowerCase().indexOf("alert") != -1)
{
&& messageData.toLowerCase().indexOf("alert") != -1) {
makeSuccess(s);
}
}
else
{
if (messageNum != 0)
{
} else {
if (messageNum != 0) {
ec.addElement(new P().addElement(WebGoatI18N.get("CouldNotFindMessage") + messageNum));
}
}
} catch (Exception e)
{
} catch (Exception e) {
s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName());
e.printStackTrace();
}
@ -269,24 +245,22 @@ public class StoredXss extends LessonAdapter
/**
* Description of the Method
*
* @param s
* Description of the Parameter
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected Element makeInput(WebSession s)
{
protected Element makeInput(WebSession s) {
Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
TR row1 = new TR();
TR row2 = new TR();
row1.addElement(new TD(new StringElement(WebGoatI18N.get("Title")+": ")));
row1.addElement(new TD(new StringElement(WebGoatI18N.get("Title") + ": ")));
Input inputTitle = new Input(Input.TEXT, TITLE, "");
row1.addElement(new TD(inputTitle));
TD item1 = new TD();
item1.setVAlign("TOP");
item1.addElement(new StringElement(WebGoatI18N.get("Message")+": "));
item1.addElement(new StringElement(WebGoatI18N.get("Message") + ": "));
row2.addElement(item1);
TD item2 = new TD();
@ -306,45 +280,38 @@ public class StoredXss extends LessonAdapter
/**
* Description of the Method
*
* @param s
* Description of the Parameter
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
public Element makeList(WebSession s)
{
public Element makeList(WebSession s) {
Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
try
{
try {
Connection connection = DatabaseUtilities.getConnection(s);
// edit by Chuck Willis - Added logic to associate similar usernames
// The idea is that users chuck-1, chuck-2, etc will see each other's messages
// but not anyone elses. This allows users to try out XSS to grab another user's
// cookies, but not get confused by other users scripts
String query = "SELECT * FROM messages WHERE user_name LIKE ? and lesson_type = ?";
PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
ResultSet.CONCUR_READ_ONLY);
statement.setString(1, getNameroot(s.getUserName()) + "%");
statement.setString(2, getClass().getName());
ResultSet results = statement.executeQuery();
if ((results != null) && (results.first() == true))
{
if ((results != null) && (results.first() == true)) {
results.beforeFirst();
for (int i = 0; results.next(); i++)
{
for (int i = 0; results.next(); i++) {
A a = ECSFactory.makeLink(results.getString(TITLE_COL), NUMBER, results.getInt(NUM_COL));
TD td = new TD().addElement(a);
TR tr = new TR().addElement(td);
t.addElement(tr);
}
}
} catch (Exception e)
{
} catch (Exception e) {
s.setMessage(WebGoatI18N.get("ErrorGeneratingMessageList"));
}
@ -355,18 +322,15 @@ public class StoredXss extends LessonAdapter
return (ec);
}
private static String getNameroot(String name)
{
private static String getNameroot(String name) {
String nameroot = name;
if (nameroot.indexOf('-') != -1)
{
if (nameroot.indexOf('-') != -1) {
nameroot = nameroot.substring(0, nameroot.indexOf('-'));
}
return nameroot;
}
public Element getCredits()
{
public Element getCredits() {
return super.getCustomCredits("", ASPECT_LOGO);
}
}