Moving forward cleaning up some unnecessary lesson super classes which we

do not need to support anymore in 8.0:

- Introduced DI throughout the code base
- Removed most superclasses of a lesson
- Hammerhead is now simplified to only one line of code
- Cleaned up WebSession
- Removed code which dealt with user roles, lesson fetching, username etc
- LessonTracker improvements
- Removed almost all code from the Screen class
- Removed ECS from the container project
- Removed administration pages, contained a lot of ECS codes which is much
  simpler to just rewrite when necessary
This commit is contained in:
Nanne Baars
2016-10-31 17:32:34 +01:00
parent 8c231bbd6d
commit 0bec575913
125 changed files with 764 additions and 13515 deletions


@ -1,120 +0,0 @@
package org.owasp.webgoat;
import java.io.IOException;
import java.util.Enumeration;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.WebSession;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @since March 13, 2007
* @version $Id: $Id
*/
public class Catcher extends HammerHead
{
/**
*
*/
private static final long serialVersionUID = 7441856110845727651L;
/**
* Description of the Field
*/
public final static String START_SOURCE_SKIP = "START_OMIT_SOURCE";
/** Constant <code>END_SOURCE_SKIP="END_OMIT_SOURCE"</code> */
public final static String END_SOURCE_SKIP = "END_OMIT_SOURCE";
/** Constant <code>PROPERTY="PROPERTY"</code> */
public static final String PROPERTY = "PROPERTY";
/** Constant <code>EMPTY_STRING=""</code> */
public static final String EMPTY_STRING = "";
/**
* {@inheritDoc}
*
* Description of the Method
* @exception IOException
* Description of the Exception
* @exception ServletException
* Description of the Exception
*/
public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException
{
try
{
// System.out.println( "Entering doPost: " );
// System.out.println( " - request " + request);
// System.out.println( " - principle: " + request.getUserPrincipal() );
// setCacheHeaders(response, 0);
WebSession session = (WebSession) request.getSession(true).getAttribute(WebSession.SESSION);
session.update(request, response, this.getServletName()); // FIXME: Too much in this
// call.
int scr = session.getCurrentScreen();
Course course = session.getCourse();
AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE);
log(request, lesson.getClass().getName() + " | " + session.getParser().toString());
String property = new String(session.getParser().getStringParameter(PROPERTY, EMPTY_STRING));
// if the PROPERTY parameter is available - write all the parameters to the
// property file. No other control parameters are supported at this time.
if (!property.equals(EMPTY_STRING))
{
Enumeration<String> e = session.getParser().getParameterNames();
while (e.hasMoreElements())
{
String name = (String) e.nextElement();
String value = session.getParser().getParameterValues(name)[0];
lesson.getLessonTracker(session).getLessonProperties().setProperty(name, value);
}
}
lesson.getLessonTracker(session).store(session, lesson);
// BDM MC
// WEB-173 - removed for testing, as plugin architecture would not allow this
// if ( request.getParameter("Deleter") != null ){org.owasp.webgoat.lessons.BlindScript.StaticDeleter();}
} catch (Throwable t)
{
t.printStackTrace();
log("ERROR: " + t);
}
}
}


@ -1,398 +1,60 @@
package org.owasp.webgoat;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.WelcomeScreen;
import org.owasp.webgoat.lessons.admin.WelcomeAdminScreen;
import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.ErrorScreen;
import org.owasp.webgoat.session.Screen;
import org.owasp.webgoat.session.UserTracker;
import org.owasp.webgoat.session.WebSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.io.PrintWriter;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Locale;
import java.util.TimeZone;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;
/**
* *************************************************************************************************
*
*
* <p>
* <p>
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* <p>
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* <p>
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* <p>
* Getting Source ==============
*
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect
* Security</a>
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @since October 28, 2003
* @author Jeff Williams
* @author Bruce Mayhew
* @author Nanne Baars
* @version $Id: $Id
* @since October 28, 2003
*/
public class HammerHead extends HttpServlet {
@Controller
public class HammerHead {
private static final long serialVersionUID = 645640331343188020L;
private static SimpleDateFormat httpDateFormat;
private final Logger logger = LoggerFactory.getLogger(HammerHead.class);
private WebSession webSession;
private final Course course;
public HammerHead() {
//for catcher subclass
}
public HammerHead(WebSession webSession) {
this.webSession = webSession;
public HammerHead(Course course) {
this.course = course;
}
/**
* {@inheritDoc}
*
* Description of the Method
* @exception IOException Description of the Exception
* @exception ServletException Description of the Exception
* Entry point for WebGoat, redirects to the first lesson found within the course.
*/
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
doPost(request, response);
}
/**
* {@inheritDoc}
*
* Description of the Method
* @exception IOException Description of the Exception
* @exception ServletException Description of the Exception
*/
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
Screen screen = null;
WebSession mySession = null;
try {
logger.debug("Entering doPost");
logger.debug("request: " + request);
logger.debug("principle: " + request.getUserPrincipal());
// setCacheHeaders(response, 0);
ServletContext context = getServletContext();
// FIXME: If a response is written by updateSession(), do not
// call makeScreen() and writeScreen()
mySession = updateSession(request, response, context);
if (response.isCommitted()) {
logger.debug("Response already committed, exiting");
return;
}
if ("true".equals(request.getParameter("start")) || request.getQueryString() == null) {
logger.warn("Redirecting to first lesson");
response.sendRedirect("start.mvc" + mySession.getCourse().getFirstLesson().getLink());
return;
}
// Note: For the lesson to track the status, we need to update
// the lesson tracker object
// from the screen.createContent() method. The create content is
// the only point
// where the lesson "knows" what has happened. To track it at a
// latter point would
// require the lesson to have memory.
screen = makeScreen(mySession);
// This calls the lesson's
// handleRequest()
if (response.isCommitted()) {
return;
}
// perform lesson-specific tracking activities
if (screen instanceof AbstractLesson) {
AbstractLesson lesson = (AbstractLesson) screen;
// we do not count the initial display of the lesson screen as a visit
if ("GET".equals(request.getMethod())) {
String uri = request.getRequestURI() + "?" + request.getQueryString();
if (!uri.endsWith(lesson.getLink())) {
screen.getLessonTracker(mySession).incrementNumVisits();
}
} else if ("POST".equals(request.getMethod())
&& mySession.getPreviousScreen() == mySession.getCurrentScreen()) {
screen.getLessonTracker(mySession).incrementNumVisits();
}
}
// log the access to this screen for this user
UserTracker userTracker = UserTracker.instance();
userTracker.update(mySession, screen);
log(request, screen.getClass().getName() + " | " + mySession.getParser().toString());
// Redirect the request to our View servlet
String userAgent = request.getHeader("user-agent");
String clientBrowser = "Not known!";
if (userAgent != null) {
clientBrowser = userAgent;
}
request.setAttribute("client.browser", clientBrowser);
// removed - this is being done in updateSession call
//request.getSession().setAttribute(WebSession.SESSION, mySession);
// not sure why this is being set in the session?
//request.getSession().setAttribute(WebSession.COURSE, mySession.getCourse());
String viewPage = getViewPage(mySession);
logger.debug("Forwarding to view: " + viewPage);
logger.debug("Screen: " + screen);
response.sendRedirect("startlesson.mvc");
// request.getRequestDispatcher(viewPage).forward(request, response);
} catch (Throwable t) {
logger.error("Error handling request", t); screen = new ErrorScreen(mySession, t);
} finally {
try {
if (screen instanceof ErrorScreen) {
this.writeScreen(mySession, screen, response);
}
} catch (Throwable thr) {
logger.error("Could not write error screen", thr);
}
WebSession.returnConnection(mySession);
logger.debug("Leaving doPost: ");
}
}
private String getViewPage(WebSession webSession) {
// now always display the lesson content
String page = "lesson_content";
//page = "/main.jsp";
return page;
}
/**
* Description of the Method
*
* @param date Description of the Parameter
* @return RFC 1123 http date format
*/
protected static String formatHttpDate(Date date) {
synchronized (httpDateFormat) {
return httpDateFormat.format(date);
}
}
/**
* {@inheritDoc}
*
* Return information about this servlet
*/
@Override
public String getServletInfo() {
return "WebGoat is sponsored by Aspect Security.";
}
/**
* {@inheritDoc}
*
* Return properties path
*/
@Override
public void init() throws ServletException {
logger.info("Initializing main webgoat servlet");
httpDateFormat = new SimpleDateFormat("EEE, dd MMM yyyyy HH:mm:ss z", Locale.US);
httpDateFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
}
/**
* Description of the Method
*
* @param request Description of the Parameter
* @param message Description of the Parameter
*/
public void log(HttpServletRequest request, String message) {
String output = new Date() + " | " + request.getRemoteHost() + ":" + request.getRemoteAddr() + " | " + message;
log(output);
logger.debug(output);
}
/*
* public List getLessons(Category category, String role) { Course course =
* mySession.getCourse(); // May need to clone the List before returning it. //return new
* ArrayList(course.getLessons(category, role)); return course.getLessons(category, role); }
*/
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected Screen makeScreen(WebSession s) {
Screen screen = null;
int scr = s.getCurrentScreen();
Course course = s.getCourse();
if (s.isUser() || s.isChallenge()) {
if (scr == WebSession.WELCOME) {
screen = new WelcomeScreen(s);
} else {
AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
if (lesson == null && s.isHackedAdmin()) {
// If admin was hacked, let the user see some of the
// admin screens
lesson = course.getLesson(s, scr, AbstractLesson.HACKED_ADMIN_ROLE);
}
if (lesson != null) {
screen = lesson;
// We need to do some bookkeeping for the hackable admin
// interface.
// This is the only place we can tell if the user
// successfully hacked the hackable
// admin and has actually accessed an admin screen. You
// need BOTH pieces of information
// in order to satisfy the remote admin lesson.
s.setHasHackableAdmin(screen.getRole());
lesson.handleRequest(s);
s.setCurrentMenu(lesson.getCategory().getRanking());
} else {
screen = new ErrorScreen(s, "Invalid screen requested. Try: http://localhost/WebGoat/attack");
}
}
} else if (s.isAdmin()) {
if (scr == WebSession.WELCOME) {
screen = new WelcomeAdminScreen(s);
} else {
// Admin can see all roles.
// FIXME: should be able to pass a list of roles.
AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.ADMIN_ROLE);
if (lesson == null) {
lesson = course.getLesson(s, scr, AbstractLesson.HACKED_ADMIN_ROLE);
}
if (lesson == null) {
lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
}
if (lesson != null) {
screen = lesson;
// We need to do some bookkeeping for the hackable admin
// interface.
// This is the only place we can tell if the user
// successfully hacked the hackable
// admin and has actually accessed an admin screen. You
// need BOTH pieces of information
// in order to satisfy the remote admin lesson.
s.setHasHackableAdmin(screen.getRole());
lesson.handleRequest(s);
s.setCurrentMenu(lesson.getCategory().getRanking());
} else {
screen = new ErrorScreen(s,
"Invalid screen requested. Try Setting Admin to false or Try: http://localhost/WebGoat/attack");
}
}
}
return (screen);
}
/**
* Description of the Method
*
* @param request Description of the Parameter
* @param response Description of the Parameter
* @param context Description of the Parameter
* @return Description of the Return Value
* @throws java.io.IOException if any.
*/
protected WebSession updateSession(HttpServletRequest request, HttpServletResponse response, ServletContext context)
throws IOException {
HttpSession hs;
// session should already be created by spring security
hs = request.getSession(false);
//TODO rewrite this logic
logger.debug("HH Entering Session_id: " + hs.getId());
// dumpSession( hs );
// Get our session object out of the HTTP session
WebSession session = this.webSession;
Object o = hs.getAttribute(WebSession.SESSION);
if ((o != null) && o instanceof WebSession) {
session = (WebSession) o;
hs.setAttribute(WebSession.COURSE, session.getCourse());
} else {
// Create new custom session and save it in the HTTP session
logger.warn("HH Creating new WebSession");
// Ensure splash screen shows on any restart
// rlawson - removed this since we show splash screen at login now
//hs.removeAttribute(WELCOMED);
//@TODO NO NEED TO PUT IN THE HTTP SESSION, FOCUS WILL FIX LATER
hs.setAttribute(WebSession.SESSION, session);
}
session.update(request, response, this.getServletName());
// update last attack request info (cookies, parms)
// this is so the REST services can have access to them via the session
session.updateLastAttackRequestInfo(request);
// to authenticate
logger.debug("HH Leaving Session_id: " + hs.getId());
//dumpSession( hs );
return (session);
}
/**
* Description of the Method
*
* @param s Description of the Parameter
* @param screen a {@link org.owasp.webgoat.session.Screen} object.
* @param screen a {@link org.owasp.webgoat.session.Screen} object.
* @param response Description of the Parameter
* @exception IOException Description of the Exception
* @throws java.io.IOException if any.
*/
protected void writeScreen(WebSession s, Screen screen, HttpServletResponse response) throws IOException {
response.setContentType("text/html");
PrintWriter out = response.getWriter();
if (s == null) {
screen = new ErrorScreen(s, "Page to display was null");
}
// set the content-length of the response.
// Trying to avoid chunked-encoding. (Aspect required)
response.setContentLength(screen.getContentLength());
response.setHeader("Content-Length", screen.getContentLength() + "");
screen.output(out);
out.flush();
out.close();
//// TODO: 11/6/2016 course necessary?
@RequestMapping(path = "/attack", method = {RequestMethod.GET, RequestMethod.POST})
public ModelAndView attack() {
return new ModelAndView("redirect:" + "start.mvc" + course.getFirstLesson().getLink());
}
}
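Review bot: `attack()` dereferences `course.getFirstLesson()` without a null check, and in this same commit `WebGoat.course()` builds the `Course` empty and only fills it from whatever plugins loaded, so a deployment with no plugin present turns every request to `/attack` into a NullPointerException (HTTP 500) rather than a readable failure; I would add `if (course.getFirstLesson() == null) { throw new IllegalStateException("No lessons loaded, cannot redirect to the first lesson"); }` before the `return`. The mapping also narrows from the servlet's `/attack/*` (registration removed in MvcConfiguration) to the exact path `/attack`, so any existing link to a sub-path now falls through to 404; if that is intended it deserves a line in the Javadoc at the top of the class. I cannot tell from the rendered page whether `serialVersionUID` survives on the new side; if it does, it is dead now that the class no longer extends `HttpServlet` and should go.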


@ -31,11 +31,10 @@
package org.owasp.webgoat;
import com.google.common.collect.Sets;
import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.LabelDebugger;
import org.owasp.webgoat.session.WebSession;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.web.servlet.ServletRegistrationBean;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@ -103,12 +102,6 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter {
return engine;
}
@Bean
public ServletRegistrationBean servletRegistrationBean(HammerHead hammerHead) {
return new ServletRegistrationBean(hammerHead, "/attack/*");
}
/**
* This way we expose the plugins target directory as a resource within the web application.
*
@ -120,8 +113,8 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter {
}
@Bean
public HammerHead hammerHead(WebSession webSession) {
return new HammerHead(webSession);
public HammerHead hammerHead(Course course) {
return new HammerHead(course);
}
@Bean
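Review bot: The explicit `@Bean public HammerHead hammerHead(Course course)` now duplicates the `@Controller` that this commit puts on `HammerHead`, whose package is scanned by the `@SpringBootApplication` on `WebGoat` in `org.owasp.webgoat`; both definitions carry the name `hammerHead`, so one silently overrides the other, and if they ever end up as two distinct beans the duplicate `@RequestMapping("/attack")` fails startup with an ambiguous-mapping error. Either drop this `@Bean` method and let constructor injection handle it, or keep it and document why the explicit definition is required, e.g. `// explicit bean: HammerHead is also a @Controller, this definition overrides the scanned one`.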


@ -35,26 +35,21 @@ import org.owasp.webgoat.plugins.PluginClassLoader;
import org.owasp.webgoat.plugins.PluginEndpointPublisher;
import org.owasp.webgoat.plugins.PluginsLoader;
import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.UserTracker;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.session.WebgoatContext;
import org.owasp.webgoat.session.WebgoatProperties;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.boot.web.support.SpringBootServletInitializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.PropertySource;
import org.springframework.context.annotation.Scope;
import org.springframework.context.annotation.ScopedProxyMode;
import javax.servlet.ServletContext;
import java.io.File;
import java.util.List;
@SpringBootApplication
@PropertySource("classpath:/webgoat.properties")
public class WebGoat extends SpringBootServletInitializer {
@Override
@ -68,13 +63,16 @@ public class WebGoat extends SpringBootServletInitializer {
@Bean(name = "pluginTargetDirectory")
public File pluginTargetDirectory() {
File tempDir = com.google.common.io.Files.createTempDir();
tempDir.deleteOnExit();
return tempDir;
return com.google.common.io.Files.createTempDir();
}
// @Bean
// public ApplicationListener<ContextClosedEvent> closeEvent(@Qualifier("pluginTargetDirectory") File pluginTargetDirectory) {
// return e -> pluginTargetDirectory.delete();
// }
@Bean
public PluginClassLoader pluginClassLoader(@Qualifier("pluginTargetDirectory") File pluginTargetDirectory) {
public PluginClassLoader pluginClassLoader() {
return new PluginClassLoader(PluginClassLoader.class.getClassLoader());
}
@ -85,25 +83,17 @@ public class WebGoat extends SpringBootServletInitializer {
@Bean
@Scope(value = "session", proxyMode = ScopedProxyMode.TARGET_CLASS)
public WebSession webSession(Course course, WebgoatContext webgoatContext, ServletContext context) {
return new WebSession(course, webgoatContext, context);
public WebSession webSession(WebgoatContext webgoatContext) {
return new WebSession(webgoatContext);
}
@Bean
public Course course(PluginsLoader pluginsLoader, WebgoatContext webgoatContext, ServletContext context, WebgoatProperties webgoatProperties,
PluginEndpointPublisher pluginEndpointPublisher) {
Course course = new Course(webgoatProperties);
course.loadCourses(webgoatContext, context, "/");
public Course course(PluginsLoader pluginsLoader, PluginEndpointPublisher pluginEndpointPublisher) {
Course course = new Course();
List<Plugin> plugins = pluginsLoader.loadPlugins();
course.loadLessonFromPlugin(plugins);
course.createLessonsFromPlugins(plugins);
plugins.forEach(p -> pluginEndpointPublisher.publish(p));
return course;
}
@Bean
public UserTracker userTracker() {
UserTracker userTracker = UserTracker.instance();
return userTracker;
}
}
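Review bot: `pluginTargetDirectory()` drops the `tempDir.deleteOnExit()` call, so each start now leaves a plugin extraction directory behind in the system temp location, and the commented-out `closeEvent` listener shows the cleanup is known to be needed but was not landed. Since loadable plugin classes are written there, I would also prefer the JDK call, which on POSIX creates the directory owner-only instead of with the default permissions Guava's `Files.createTempDir()` gives: `File tempDir = java.nio.file.Files.createTempDirectory("webgoat-plugins").toFile(); tempDir.deleteOnExit(); return tempDir;` with `throws java.io.IOException` added to the bean method. If the intent is to keep the directory for debugging, that should be stated in a comment on the bean rather than left implicit.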


@ -31,8 +31,7 @@
package org.owasp.webgoat.controller;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.RandomLessonAdapter;
import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.WebSession;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
@ -50,24 +49,25 @@ import java.util.Optional;
@Controller
public class StartLesson {
private final WebSession ws;
private final Course course;
public StartLesson(final WebSession ws, final Course course) {
this.ws = ws;
this.course = course;
}
/**
* <p>start.</p>
*
* @param request a {@link HttpServletRequest} object.
* @return a {@link ModelAndView} object.
*/
@RequestMapping(path = "startlesson.mvc", method = {RequestMethod.GET, RequestMethod.POST})
public ModelAndView start(HttpServletRequest request) {
public ModelAndView start() {
ModelAndView model = new ModelAndView();
WebSession ws = (WebSession) request.getSession().getAttribute(WebSession.SESSION);
model.addObject("has_stages", ws.getCurrentLesson() instanceof RandomLessonAdapter);
model.addObject("course", ws.getCourse());
model.addObject("course", course);
model.addObject("lesson", ws.getCurrentLesson());
model.addObject("message", ws.getMessage());
model.addObject("instructions", ws.getInstructions());
boolean isMigrated = ws.getCurrentLesson() instanceof NewLesson;
model.addObject("migrated", isMigrated); //remove after ECS removal otherwise you will see the lesson twice
model.setViewName("lesson_content");
return model;
}
@ -80,13 +80,11 @@ public class StartLesson {
GrantedAuthority authority = context.getAuthentication().getAuthorities().iterator().next();
String path = request.getServletPath(); // we now got /a/b/c/AccessControlMatrix.lesson
String lessonName = path.substring(path.lastIndexOf('/') + 1, path.indexOf(".lesson"));
WebSession ws = (WebSession) request.getSession().getAttribute(WebSession.SESSION);
List<AbstractLesson> lessons = ws.getCourse()
.getLessons(ws, AbstractLesson.USER_ROLE);//TODO this should work with the security roles of Spring
List<AbstractLesson> lessons = course.getLessons();
Optional<AbstractLesson> lesson = lessons.stream()
.filter(l -> l.getId().equals(lessonName))
.findFirst();
ws.setCurrentScreen(lesson.get().getScreenId());
ws.setCurrentLesson(lesson.get());
model.setViewName("lesson_content");
model.addObject("lesson", lesson.get());
return model;
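Review bot: `List<AbstractLesson> lessons = course.getLessons();` replaces the role-filtered `getLessons(ws, AbstractLesson.USER_ROLE)` lookup, so the lesson resolved from the request path is now picked from every lesson in the course, while the `authority` read at the top of the hunk is not consulted by anything visible; if role-restricted lessons still exist after this commit that restriction is gone here, and if they do not, the unused `authority` lookup should be removed so the method does not suggest a check it no longer makes. The surrounding `lesson.get()` calls are unchanged context but stay unguarded for a lesson name that comes straight from the servlet path; `.findFirst().orElseThrow(() -> new IllegalArgumentException("unknown lesson"))` would turn the NoSuchElementException into a client error. The enclosing method starts before the hunk.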


@ -1,5 +1,5 @@
package org.owasp.webgoat.util;
package org.owasp.webgoat.i18n;
import java.util.Locale;


@ -1,8 +1,7 @@
package org.owasp.webgoat.util;
package org.owasp.webgoat.i18n;
import org.owasp.webgoat.session.LabelDebugger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import java.io.Serializable;
@ -38,30 +37,22 @@ import java.util.Locale;
* @version $Id: $Id
* @author dm
*/
@Component("labelManager")
@Component
public class LabelManagerImpl implements LabelManager, Serializable
{
private static final long serialVersionUID = 1L;
@Autowired
private transient LabelProvider labelProvider;
@Autowired
private LabelProvider labelProvider;
private LabelDebugger labelDebugger;
/** Locale mapped with current session. */
private Locale locale = new Locale(LabelProvider.DEFAULT_LANGUAGE);
/**
* <p>Constructor for LabelManagerImpl.</p>
*/
protected LabelManagerImpl() {}
/**
* <p>Constructor for LabelManagerImpl.</p>
*
* @param labelProvider a {@link org.owasp.webgoat.util.LabelProvider} object.
* @param labelProvider a {@link LabelProvider} object.
*/
protected LabelManagerImpl(LabelProvider labelProvider) {
protected LabelManagerImpl(LabelProvider labelProvider, LabelDebugger labelDebugger) {
this.labelDebugger = labelDebugger;
this.labelProvider = labelProvider;
}
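Review bot: `labelProvider` loses its `transient` modifier and the new `labelDebugger` field has none, yet the class still `implements Serializable` with a `serialVersionUID`; both fields hold injected Spring beans, so serializing an instance (for example with a persisted HTTP session) will fail unless those beans happen to be Serializable themselves. Either restore `private transient LabelProvider labelProvider;` and declare `private transient LabelDebugger labelDebugger;`, or drop `Serializable` if nothing stores this object in a session any more. The constructor Javadoc also needs `@param labelDebugger a {@link LabelDebugger} object.` for the new parameter.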


@ -1,5 +1,5 @@
package org.owasp.webgoat.util;
package org.owasp.webgoat.i18n;
import org.springframework.context.support.ReloadableResourceBundleMessageSource;
import org.springframework.core.io.Resource;


@ -1,39 +1,8 @@
package org.owasp.webgoat.lessons;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.Body;
import org.apache.ecs.html.Form;
import org.apache.ecs.html.Head;
import org.apache.ecs.html.Html;
import org.apache.ecs.html.IMG;
import org.apache.ecs.html.PRE;
import org.apache.ecs.html.Title;
import org.owasp.webgoat.session.ParameterNotFoundException;
import org.owasp.webgoat.session.Screen;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.session.WebgoatContext;
import org.owasp.webgoat.session.WebgoatProperties;
import org.owasp.webgoat.util.BeanProvider;
import org.owasp.webgoat.util.LabelManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.io.BufferedReader;
import java.io.FileNotFoundException;
import java.io.FileReader;
import java.io.InputStreamReader;
import java.io.StringReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
/**
* ************************************************************************************************
@ -67,57 +36,12 @@ import java.util.Map;
*/
public abstract class AbstractLesson extends Screen implements Comparable<Object> {
private static final Logger logger = LoggerFactory.getLogger(AbstractLesson.class);
/**
* Description of the Field
*/
public final static String ADMIN_ROLE = "admin";
/**
* Constant <code>CHALLENGE_ROLE="challenge"</code>
*/
public final static String CHALLENGE_ROLE = "challenge";
/**
* Description of the Field
*/
public final static String HACKED_ADMIN_ROLE = "hacked_admin";
/**
* Description of the Field
*/
public final static String USER_ROLE = "user";
private static int count = 1;
private Integer id = null;
final static IMG nextGrey = new IMG("images/right16.gif").setAlt("Next").setBorder(0).setHspace(0).setVspace(0);
final static IMG previousGrey = new IMG("images/left14.gif").setAlt("Previous").setBorder(0).setHspace(0)
.setVspace(0);
private Integer ranking;
private Category category;
private boolean hidden;
private String sourceFileName;
private Map<String, String> lessonPlanFileName = new HashMap<String, String>();
private String lessonSolutionFileName;
private WebgoatContext webgoatContext;
private LinkedList<String> availableLanguages = new LinkedList<String>();
private String defaultLanguage = "en";
private LabelManager labelManager = null;
/**
* Constructor for the Lesson object
*/
@ -144,42 +68,6 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
this.ranking = ranking;
}
/**
* <p>Setter for the field <code>hidden</code>.</p>
*
* @param hidden a boolean.
*/
public void setHidden(boolean hidden) {
this.hidden = hidden;
}
/**
* <p>update.</p>
*
* @param properties a {@link org.owasp.webgoat.session.WebgoatProperties} object.
*/
public void update(WebgoatProperties properties) {
String className = getClass().getName();
className = className.substring(className.lastIndexOf(".") + 1);
setRanking(new Integer(properties.getIntProperty("lesson." + className + ".ranking", getDefaultRanking()
.intValue())));
String categoryRankingKey = "category." + getDefaultCategory().getName() + ".ranking";
Category tempCategory = Category.getCategory(getDefaultCategory().getName());
tempCategory.setRanking(new Integer(properties.getIntProperty(categoryRankingKey, getDefaultCategory()
.getRanking().intValue())));
category = tempCategory;
setHidden(properties.getBooleanProperty("lesson." + className + ".hidden", getDefaultHidden()));
}
/**
* <p>isCompleted.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a boolean.
*/
public boolean isCompleted(WebSession s) {
return getLessonTracker(s, this).getCompleted();
}
/**
* {@inheritDoc}
@ -205,7 +93,7 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
* @return The category value
*/
public Category getCategory() {
return category;
return getDefaultCategory();
}
/**
@ -236,176 +124,20 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
*/
public abstract String getSubmitMethod();
/**
* Gets the fileMethod attribute of the Lesson class
*
* @param reader Description of the Parameter
* @param methodName Description of the Parameter
* @param numbers Description of the Parameter
* @return The fileMethod value
*/
public static String getFileMethod(BufferedReader reader, String methodName, boolean numbers) {
int count = 0;
StringBuffer sb = new StringBuffer();
boolean echo = false;
boolean startCount = false;
int parenCount = 0;
try {
String line;
while ((line = reader.readLine()) != null) {
if ((line.indexOf(methodName) != -1)
&& ((line.indexOf("static") != -1) || (line.indexOf("protected") != -1) || (line
.indexOf("private") != -1))) {
echo = true;
startCount = true;
}
if (echo && startCount) {
if (numbers) {
sb.append(pad(++count) + " ");
}
sb.append(line + "\n");
}
if (echo && (line.indexOf("{") != -1)) {
parenCount++;
}
if (echo && (line.indexOf("}") != -1)) {
parenCount--;
if (parenCount == 0) {
startCount = false;
echo = false;
}
}
}
reader.close();
} catch (Exception e) {
System.out.println(e);
e.printStackTrace();
}
return (sb.toString());
}
/**
* Reads text from a file into an ElementContainer. Each line in the file is
* represented in the ElementContainer by a StringElement. Each
* StringElement is appended with a new-line character.
*
* @param reader Description of the Parameter
* @param numbers Description of the Parameter
* @return Description of the Return Value
*/
public static String readFromFile(BufferedReader reader, boolean numbers) {
return (getFileText(reader, numbers));
}
/**
* Gets the fileText attribute of the Screen class
*
* @param reader Description of the Parameter
* @param numbers Description of the Parameter
* @return The fileText value
*/
public static String getFileText(BufferedReader reader, boolean numbers) {
int count = 0;
StringBuffer sb = new StringBuffer();
try {
String line;
while ((line = reader.readLine()) != null) {
if (numbers) {
sb.append(pad(++count) + " ");
}
sb.append(line + System.getProperty("line.separator"));
}
reader.close();
} catch (Exception e) {
System.out.println(e);
e.printStackTrace();
}
return (sb.toString());
}
/**
* Will this screen be included in an enterprise edition.
*
* @return The ranking value
*/
public boolean isEnterprise() {
return false;
}
/**
* Gets the hintCount attribute of the Lesson object
*
* @param s The user's WebSession
* @return The hintCount value
*/
public int getHintCount(WebSession s) {
return getHints(s).size();
public int getHintCount() {
return getHints().size();
}
/**
* <p>getHints.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link java.util.List} object.
*/
protected abstract List<String> getHints(WebSession s);
// @TODO we need to restrict access at the service layer
// rather than passing session object around
/**
* <p>getHintsPublic.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link java.util.List} object.
*/
public List<String> getHintsPublic(WebSession s) {
List<String> hints = getHints(s);
return hints;
}
/**
* Fill in a minor hint that will help people who basically get it, but are
* stuck on somthing silly.
*
* @param s The users WebSession
* @param hintNumber a int.
* @return The hint1 value
*/
public String getHint(WebSession s, int hintNumber) {
return "Hint: " + getHints(s).get(hintNumber);
}
/**
* Gets the instructions attribute of the AbstractLesson object
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return The instructions value
*/
public abstract String getInstructions(WebSession s);
/**
* Gets the lessonPlan attribute of the Lesson object
*
* @return The lessonPlan value
*/
public String getLessonName() {
return this.getClass().getSimpleName();
}
public abstract List<String> getHints();
/**
* Gets the title attribute of the HelloScreen object
@ -414,36 +146,6 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
*/
public abstract String getTitle();
/**
* Gets the content of lessonPlanURL
*
* @param s The user's WebSession
* @return The HTML content of the current lesson plan
*/
public String getLessonPlan(WebSession s) {
StringBuffer src = new StringBuffer();
String lang = s.getCurrrentLanguage();
try {
// System.out.println("Loading lesson plan file: " +
// getLessonPlanFileName());
String filename = getLessonPlanFileName(lang);
if (filename == null) {
filename = getLessonPlanFileName(getDefaultLanguage());
}
src.append(readFromFile(new BufferedReader(new FileReader(filename)), false));
} catch (Exception e) {
// s.setMessage( "Could not find lesson plan for " +
// getLessonName());
src = new StringBuffer("Could not find lesson plan for: " + getLessonName() + " and language " + lang);
}
return src.toString();
}
/**
* Gets the ranking attribute of the Lesson object
*
@ -457,33 +159,6 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
}
}
/**
* Gets the hidden value of the Lesson Object
*
* @return The hidden value
*/
public boolean getHidden() {
return this.hidden;
}
/**
* Gets the role attribute of the AbstractLesson object
*
* @return The role value
*/
public String getRole() {
// FIXME: Each lesson should have a role assigned to it. Each
// user/student
// should also have a role(s) assigned. The user would only be allowed
// to see lessons that correspond to their role. Eventually these roles
// will be stored in the internal database. The user will be able to
// hack
// into the database and change their role. This will allow the user to
// see the admin screens, once they figure out how to turn the admin
// switch on.
return USER_ROLE;
}
/**
* Gets the uniqueID attribute of the AbstractLesson object
*
@ -493,125 +168,6 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
return id.intValue();
}
/**
* <p>getHtml_DELETE_ME.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link java.lang.String} object.
*/
public String getHtml_DELETE_ME(WebSession s) {
String html = null;
// FIXME: This doesn't work for the labs since they do not implement
// createContent().
String rawHtml = createContent(s).toString();
// System.out.println("Getting raw html content: " +
// rawHtml.substring(0, Math.min(rawHtml.length(), 100)));
html = convertMetachars(AbstractLesson.readFromFile(new BufferedReader(new StringReader(rawHtml)), true));
// System.out.println("Getting encoded html content: " +
// html.substring(0, Math.min(html.length(), 100)));
return html;
}
/**
* <p>getSource.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link java.lang.String} object.
*/
public String getSource(WebSession s) {
String source = null;
String src = null;
try {
// System.out.println("Loading source file: " +
// getSourceFileName());
src = convertMetacharsJavaCode(readFromFile(new BufferedReader(new FileReader(getSourceFileName())), true));
// TODO: For styled line numbers and better memory efficiency,
// use a custom FilterReader
// that performs the convertMetacharsJavaCode() transform plus
// optionally adds a styled
// line number. Wouldn't color syntax be great too?
} catch (Exception e) {
s.setMessage("Could not find source file");
src = ("Could not find the source file or source file does not exist.<br/>"
+ "Send this message to: <a href=\"mailto:" + s.getWebgoatContext().getFeedbackAddress()
+ "?subject=Source " + getSourceFileName() + " not found. Lesson: "
+ s.getCurrentLesson().getLessonName() + "\">" + s.getWebgoatContext()
.getFeedbackAddress() + "</a>");
}
Html html = new Html();
Head head = new Head();
head.addElement(new Title(getSourceFileName()));
Body body = new Body();
body.addElement(new StringElement(src));
html.addElement(head);
html.addElement(body);
source = html.toString();
return source;
}
/**
* <p>getRawSource.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link java.lang.String} object.
*/
public String getRawSource(WebSession s) {
String src = "";
try {
logger.debug("Loading source file: " + getSourceFileName());
if (getSourceFileName() != null) {
src = readFromFile(new BufferedReader(new FileReader(getSourceFileName())), false);
}
} catch (FileNotFoundException e) {
s.setMessage("Could not find source file");
src = ("Could not find the source file or source file does not exist.<br/>"
+ "Send this message to: <a href=\"mailto:" + s.getWebgoatContext().getFeedbackAddress()
+ "?subject=Source " + getSourceFileName() + " not found. Lesson: "
+ s.getCurrentLesson().getLessonName() + "\">" + s.getWebgoatContext()
.getFeedbackAddress() + "</a>");
}
return src;
}
/**
* <p>getSolution.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link java.lang.String} object.
*/
public String getSolution(WebSession s) {
String src = null;
try {
// System.out.println("Solution: " + getLessonSolutionFileName());
src = readFromFile(new BufferedReader(new FileReader(getLessonSolutionFileName())), false);
} catch (Exception e) {
logger.error("Could not find solution for {}", getLessonSolutionFileName());
s.setMessage("Could not find the solution file");
src = ("Could not find the solution file or solution file does not exist.<br/>"
+ "Send this message to: <a href=\"mailto:" + s.getWebgoatContext().getFeedbackAddress()
+ "?subject=Solution " + getLessonSolutionFileName() + " not found. Lesson: "
+ s.getCurrentLesson().getLessonName() + "\">" + s.getWebgoatContext()
.getFeedbackAddress() + "</a>");
}
// Solutions are html files
return src;
}
/**
* <p>Returns the default "path" portion of a lesson's URL.</p>
* <p>
@ -643,244 +199,9 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
*/
public String getLink() {
StringBuffer link = new StringBuffer(getPath());
// mvc update:
// return link
// .append("/").append(getScreenId())
// .append("/").append(getCategory().getRanking()).toString();
return link.append(getId()).toString();
}
/**
* Get the link to the target servlet.
* <p>
* Unlike getLink() this method does not require rendering the output of
* the request to the link in order to execute the servlet's method with
* conventional HTTP query parameters.
*
* @return a {@link java.lang.String} object.
*/
public String getServletLink() {
StringBuffer link = new StringBuffer("attack");
return link
.append("?Screen=").append(getScreenId())
.append("&menu=").append(getCategory().getRanking()).toString();
}
/**
* Get the link to the jsp page used to render this screen.
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link java.lang.String} object.
*/
public String getPage(WebSession s) {
return null;
}
/**
* Get the link to the jsp template page used to render this screen.
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link java.lang.String} object.
*/
public String getTemplatePage(WebSession s) {
return null;
}
/**
* <p>getCurrentAction.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link java.lang.String} object.
*/
public abstract String getCurrentAction(WebSession s);
/**
* Initiates lesson restart functionality
*/
public abstract void restartLesson();
/**
* <p>setCurrentAction.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param lessonScreen a {@link java.lang.String} object.
*/
public abstract void setCurrentAction(WebSession s, String lessonScreen);
/**
* Override this method to implement accesss control in a lesson.
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param functionId a {@link java.lang.String} object.
* @param employeeId a int.
* @return a boolean.
*/
public boolean isAuthorized(WebSession s, int employeeId, String functionId) {
return false;
}
/**
* Override this method to implement accesss control in a lesson.
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param functionId a {@link java.lang.String} object.
* @param role a {@link java.lang.String} object.
* @return a boolean.
*/
public boolean isAuthorized(WebSession s, String role, String functionId) {
logger.info("Checking if " + role + " authorized for: " + functionId);
boolean authorized = false;
try {
String query = "SELECT * FROM auth WHERE role = '" + role + "' and functionid = '" + functionId + "'";
try {
Statement answer_statement = WebSession.getConnection(s)
.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
ResultSet answer_results = answer_statement.executeQuery(query);
authorized = answer_results.first();
logger.info("authorized: " + authorized);
} catch (SQLException sqle) {
s.setMessage("Error authorizing");
logger.error("Error authorizing", sqle);
}
} catch (Exception e) {
s.setMessage("Error authorizing");
logger.error("Error authorizing", e);
}
return authorized;
}
/**
* <p>getUserId.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a int.
* @throws org.owasp.webgoat.session.ParameterNotFoundException if any.
*/
public int getUserId(WebSession s) throws ParameterNotFoundException {
return -1;
}
/**
* <p>getUserName.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link java.lang.String} object.
* @throws org.owasp.webgoat.session.ParameterNotFoundException if any.
*/
public String getUserName(WebSession s) throws ParameterNotFoundException {
return null;
}
/**
* Description of the Method
*
* @param windowName Description of the Parameter
* @return Description of the Return Value
*/
public static String makeWindowScript(String windowName) {
// FIXME: make this string static
StringBuffer script = new StringBuffer();
script.append("<script language=\"JavaScript\">\n");
script.append(" <!--\n");
script.append(" function makeWindow(url) {\n");
script.append("\n");
script.append(" agent = navigator.userAgent;\n");
script.append("\n");
script.append(" params = \"\";\n");
script.append(" params += \"toolbar=0,\";\n");
script.append(" params += \"location=0,\";\n");
script.append(" params += \"directories=0,\";\n");
script.append(" params += \"status=0,\";\n");
script.append(" params += \"menubar=0,\";\n");
script.append(" params += \"scrollbars=1,\";\n");
script.append(" params += \"resizable=1,\";\n");
script.append(" params += \"width=500,\";\n");
script.append(" params += \"height=350\";\n");
script.append("\n");
script.append(" // close the window to vary the window size\n");
script.append(" if (typeof(win) == \"object\" && !win.closed){\n");
script.append(" win.close();\n");
script.append(" }\n");
script.append("\n");
script.append(" win = window.open(url, '" + windowName + "' , params);\n");
script.append("\n");
script.append(" // bring the window to the front\n");
script.append(" win.focus();\n");
script.append(" }\n");
script.append(" //-->\n");
script.append(" </script>\n");
return script.toString();
}
/**
* Simply reads a url into an Element for display. CAUTION: you might want
* to tinker with any non-https links (href)
*
* @param url Description of the Parameter
* @return Description of the Return Value
*/
public static Element readFromURL(String url) {
ElementContainer ec = new ElementContainer();
try {
URL u = new URL(url);
HttpURLConnection huc = (HttpURLConnection) u.openConnection();
BufferedReader reader = new BufferedReader(new InputStreamReader(huc.getInputStream()));
String line;
while ((line = reader.readLine()) != null) {
ec.addElement(new StringElement(line));
}
reader.close();
} catch (Exception e) {
System.out.println(e);
e.printStackTrace();
}
return (ec);
}
/**
* Description of the Method
*
* @param reader Description of the Parameter
* @param numbers Description of the Parameter
* @param methodName Description of the Parameter
* @return Description of the Return Value
*/
public static Element readMethodFromFile(BufferedReader reader, String methodName, boolean numbers) {
PRE pre = new PRE().addElement(getFileMethod(reader, methodName, numbers));
return (pre);
}
/**
* Description of the Method
*
* @param s Description of the Parameter
*/
public void handleRequest(WebSession s) {
// call createContent first so messages will go somewhere
Form form = new Form(getFormAction(), Form.POST).setName("form").setEncType("");
form.addElement(createContent(s));
setContent(form);
s.getRequest().getRequestURL();
}
/**
* <p>getFormAction.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getFormAction() {
return getLink();
}
/**
* Description of the Method
*
@ -890,116 +211,6 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
return getTitle();
}
/**
* <p>Getter for the field <code>defaultLanguage</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getDefaultLanguage() {
return this.defaultLanguage;
}
/**
* <p>Getter for the field <code>lessonPlanFileName</code>.</p>
*
* @param lang a {@link java.lang.String} object.
* @return a {@link java.lang.String} object.
*/
public String getLessonPlanFileName(String lang) {
String ret = lessonPlanFileName.get(lang);
if (ret == null) {
ret = lessonPlanFileName.get(getDefaultLanguage());
}
return ret;
}
/**
* <p>Setter for the field <code>lessonPlanFileName</code>.</p>
*
* @param lang a {@link java.lang.String} object.
* @param lessonPlanFileName a {@link java.lang.String} object.
*/
public void setLessonPlanFileName(String lang, String lessonPlanFileName) {
this.lessonPlanFileName.put(lang, lessonPlanFileName);
this.availableLanguages.add(lang);
}
/**
* <p>Getter for the field <code>availableLanguages</code>.</p>
*
* @return a {@link java.util.List} object.
*/
public List<String> getAvailableLanguages() {
return this.availableLanguages;
}
/**
* <p>Getter for the field <code>lessonSolutionFileName</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getLessonSolutionFileName() {
return lessonSolutionFileName;
}
/**
* <p>Setter for the field <code>lessonSolutionFileName</code>.</p>
*
* @param lessonSolutionFileName a {@link java.lang.String} object.
*/
public void setLessonSolutionFileName(String lessonSolutionFileName) {
this.lessonSolutionFileName = lessonSolutionFileName;
}
/**
* <p>Getter for the field <code>sourceFileName</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getSourceFileName() {
return sourceFileName;
}
/**
* <p>Setter for the field <code>sourceFileName</code>.</p>
*
* @param sourceFileName a {@link java.lang.String} object.
*/
public void setSourceFileName(String sourceFileName) {
logger.debug("Setting source file of lesson " + this + " to: " + sourceFileName);
this.sourceFileName = sourceFileName;
}
/**
* <p>Getter for the field <code>webgoatContext</code>.</p>
*
* @return a {@link org.owasp.webgoat.session.WebgoatContext} object.
*/
public WebgoatContext getWebgoatContext() {
return webgoatContext;
}
/**
* <p>Setter for the field <code>webgoatContext</code>.</p>
*
* @param webgoatContext a {@link org.owasp.webgoat.session.WebgoatContext} object.
*/
public void setWebgoatContext(WebgoatContext webgoatContext) {
this.webgoatContext = webgoatContext;
}
/**
* <p>Getter for the field <code>labelManager</code>.</p>
*
* @return a {@link org.owasp.webgoat.util.LabelManager} object.
*/
protected LabelManager getLabelManager() {
if (labelManager == null) {
labelManager = BeanProvider.getBean("labelManager", LabelManager.class);
}
return labelManager;
}
public String getId() {
return "";
}


@ -28,7 +28,6 @@ package org.owasp.webgoat.lessons;
import org.owasp.webgoat.lessons.model.AttackResult;
import org.owasp.webgoat.session.LessonTracker;
import org.owasp.webgoat.session.UserTracker;
import org.owasp.webgoat.session.WebSession;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.actuate.endpoint.Endpoint;
@ -46,14 +45,13 @@ import java.io.File;
* Note: each subclass should declare this annotation otherwise the WebGoat framework cannot find your endpoint.
*/
@LessonEndpointMapping
public abstract class LessonEndpoint implements MvcEndpoint {
public abstract class AssignmentEndpoint implements MvcEndpoint {
@Autowired
@Qualifier("pluginTargetDirectory")
private File pluginDirectory;
@Autowired
private WebSession webSession;
private boolean solved = false;
private UserTracker userTracker;
/**
* The directory of the plugin directory in which the lessons resides, so if you want to access the lesson 'ClientSideFiltering' you will
@ -71,15 +69,21 @@ public abstract class LessonEndpoint implements MvcEndpoint {
return new File(this.pluginDirectory, "plugin");
}
/**
* Get the lesson tracker which is based on the current user and do the
* @return
*/
protected LessonTracker getLessonTracker() {
UserTracker userTracker = UserTracker.instance();
LessonTracker lessonTracker = userTracker.getLessonTracker(webSession, webSession.getCurrentLesson());
LessonTracker lessonTracker = userTracker.getCurrentLessonTracker();
return lessonTracker;
}
protected AttackResult trackProgress(AttackResult attackResult) {
this.solved = attackResult.isLessonCompleted();
getLessonTracker().setCompleted(solved);
//// TODO: 11/5/2016 improve
if (attackResult.isLessonCompleted()) {
getLessonTracker().incrementNumVisits();
}
getLessonTracker().setCompleted(attackResult.isLessonCompleted());
return attackResult;
}
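Review bot: The Javadoc on `getLessonTracker()` (which the hunk counts suggest is newly added) breaks off mid-sentence at "and do the" and its `@return` tag carries no description; propose `Returns the tracker for the lesson the current user is currently working on.` for the summary and `@return the current user's {@link LessonTracker}` for the tag. In `trackProgress` the tracker is resolved twice through `getLessonTracker()`; hoisting it once into `LessonTracker tracker = getLessonTracker();` and using `tracker` for both the `incrementNumVisits()` and `setCompleted(...)` calls avoids the repeated lookup. Separately, `incrementNumVisits()` only runs when `attackResult.isLessonCompleted()` is true, so the visit count can never exceed the completion count — if it is meant to count attempts it should be called unconditionally before the `if`; the `TODO` on the line above may already refer to this, but it is worth spelling out.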


@ -1,39 +0,0 @@
package org.owasp.webgoat.lessons;
import org.owasp.webgoat.lessons.model.AttackResult;
/**
* ************************************************************************************************
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
* <p>
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
* <p>
* Getting Source ==============
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
* <p>
*
* @author WebGoat
* @version $Id: $Id
* @since August 08, 2016
*/
public interface Attack {
AttackResult attack();
}


@ -1,220 +1,76 @@
package org.owasp.webgoat.lessons;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import lombok.Getter;
/**
* *************************************************************************************************
*
*
* <p>
* <p>
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* <p>
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* <p>
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* <p>
* Getting Source ==============
*
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @since October 28, 2003
* @version $Id: $Id
* @since October 28, 2003
*/
public class Category implements Comparable {
public enum Category {
/** Constant <code>INTRODUCTION</code> */
public final static Category INTRODUCTION = new Category("Introduction", new Integer(5));
/** Constant <code>GENERAL</code> */
public final static Category GENERAL = new Category("General", new Integer(100));
/** Constant <code>ACCESS_CONTROL</code> */
public final static Category ACCESS_CONTROL = new Category("Access Control Flaws", new Integer(200));
/** Constant <code>AJAX_SECURITY</code> */
public final static Category AJAX_SECURITY = new Category("AJAX Security", new Integer(400));
/** Constant <code>AUTHENTICATION</code> */
public final static Category AUTHENTICATION = new Category("Authentication Flaws", new Integer(500));
/** Constant <code>BUFFER_OVERFLOW</code> */
public final static Category BUFFER_OVERFLOW = new Category("Buffer Overflows", new Integer(600));
/** Constant <code>CODE_QUALITY</code> */
public final static Category CODE_QUALITY = new Category("Code Quality", new Integer(700));
/** Constant <code>CONCURRENCY</code> */
public final static Category CONCURRENCY = new Category("Concurrency", new Integer(800));
/** Constant <code>XSS</code> */
public final static Category XSS = new Category("Cross-Site Scripting (XSS)", new Integer(900));
/** Constant <code>ERROR_HANDLING</code> */
public final static Category ERROR_HANDLING = new Category("Improper Error Handling", new Integer(1000));
/** Constant <code>INJECTION</code> */
public final static Category INJECTION = new Category("Injection Flaws", new Integer(1100));
/** Constant <code>DOS</code> */
public final static Category DOS = new Category("Denial of Service", new Integer(1200));
/** Constant <code>INSECURE_COMMUNICATION</code> */
public final static Category INSECURE_COMMUNICATION = new Category("Insecure Communication", new Integer(1300));
/** Constant <code>INSECURE_CONFIGURATION</code> */
public final static Category INSECURE_CONFIGURATION = new Category("Insecure Configuration", new Integer(1400));
/** Constant <code>INSECURE_STORAGE</code> */
public final static Category INSECURE_STORAGE = new Category("Insecure Storage", new Integer(1500));
/** Constant <code>MALICIOUS_EXECUTION</code> */
public final static Category MALICIOUS_EXECUTION = new Category("Malicious Execution", new Integer(1600));
/** Constant <code>PARAMETER_TAMPERING</code> */
public final static Category PARAMETER_TAMPERING = new Category("Parameter Tampering", new Integer(1700));
/** Constant <code>SESSION_MANAGEMENT</code> */
public final static Category SESSION_MANAGEMENT = new Category("Session Management Flaws", new Integer(1800));
/** Constant <code>WEB_SERVICES</code> */
public final static Category WEB_SERVICES = new Category("Web Services", new Integer(1900));
/** Constant <code>ADMIN_FUNCTIONS</code> */
public final static Category ADMIN_FUNCTIONS = new Category("Admin Functions", new Integer(2000));
/** Constant <code>CHALLENGE</code> */
public final static Category CHALLENGE = new Category("Challenge", new Integer(3000));
private static final List<Category> categories = new ArrayList<Category>();
private String category;
INTRODUCTION("Introduction", new Integer(5)),
GENERAL("General", new Integer(100)),
ACCESS_CONTROL("Access Control Flaws", new Integer(200)),
AJAX_SECURITY("AJAX Security", new Integer(400)),
AUTHENTICATION("Authentication Flaws", new Integer(500)),
BUFFER_OVERFLOW("Buffer Overflows", new Integer(600)),
CODE_QUALITY("Code Quality", new Integer(700)),
CONCURRENCY("Concurrency", new Integer(800)),
XSS("Cross-Site Scripting (XSS)", new Integer(900)),
ERROR_HANDLING("Improper Error Handling", new Integer(1000)),
INJECTION("Injection Flaws", new Integer(1100)),
DOS("Denial of Service", new Integer(1200)),
INSECURE_COMMUNICATION("Insecure Communication", new Integer(1300)),
INSECURE_CONFIGURATION("Insecure Configuration", new Integer(1400)),
INSECURE_STORAGE("Insecure Storage", new Integer(1500)),
MALICIOUS_EXECUTION("Malicious Execution", new Integer(1600)),
PARAMETER_TAMPERING("Parameter Tampering", new Integer(1700)),
SESSION_MANAGEMENT("Session Management Flaws", new Integer(1800)),
WEB_SERVICES("Web Services", new Integer(1900)),
ADMIN_FUNCTIONS("Admin Functions", new Integer(2000)),
CHALLENGE("Challenge", new Integer(3000));
@Getter
private String name;
@Getter
private Integer ranking;
static {
categories.add(INTRODUCTION);
categories.add(PARAMETER_TAMPERING);
categories.add(ACCESS_CONTROL);
categories.add(AUTHENTICATION);
categories.add(SESSION_MANAGEMENT);
categories.add(XSS);
categories.add(BUFFER_OVERFLOW);
categories.add(INJECTION);
categories.add(MALICIOUS_EXECUTION);
categories.add(ERROR_HANDLING);
categories.add(INSECURE_STORAGE);
categories.add(DOS);
categories.add(INSECURE_CONFIGURATION);
categories.add(WEB_SERVICES);
categories.add(AJAX_SECURITY);
categories.add(ADMIN_FUNCTIONS);
categories.add(GENERAL);
categories.add(CODE_QUALITY);
categories.add(CONCURRENCY);
categories.add(INSECURE_COMMUNICATION);
categories.add(CHALLENGE);
}
/**
* <p>addCategory.</p>
*
* @param c a {@link org.owasp.webgoat.lessons.Category} object.
*/
public static synchronized void addCategory(Category c) {
categories.add(c);
}
/**
* <p>Getter for the field <code>category</code>.</p>
*
* @param name a {@link java.lang.String} object.
* @return a {@link org.owasp.webgoat.lessons.Category} object.
*/
public static synchronized Category getCategory(String name) {
Iterator<Category> it = categories.iterator();
while (it.hasNext()) {
Category c = it.next();
if (c.getName().equals(name)) {
return c;
}
}
return null;
}
/**
* <p>Constructor for Category.</p>
*
* @param category a {@link java.lang.String} object.
* @param ranking a {@link java.lang.Integer} object.
*/
public Category(String category, Integer ranking) {
this.category = category;
Category(String name, Integer ranking) {
this.name = name;
this.ranking = ranking;
}
/** {@inheritDoc} */
@Override
public int compareTo(Object obj) {
int value = 1;
if (obj instanceof Category) {
value = this.getRanking().compareTo(((Category) obj).getRanking());
}
return value;
}
/**
* <p>Getter for the field <code>ranking</code>.</p>
*
* @return a {@link java.lang.Integer} object.
* {@inheritDoc}
*/
public Integer getRanking() {
return ranking;
}
/**
* <p>Setter for the field <code>ranking</code>.</p>
*
* @param ranking a {@link java.lang.Integer} object.
* @return a {@link java.lang.Integer} object.
*/
public Integer setRanking(Integer ranking) {
return this.ranking = ranking;
}
/**
* <p>getName.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getName() {
return category;
}
/** {@inheritDoc} */
@Override
public boolean equals(Object obj) {
return (obj instanceof Category) && getName().equals(((Category) obj).getName());
}
/** {@inheritDoc} */
@Override
public String toString() {
return getName();
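Review bot: The two enum fields `name` and `ranking` are declared mutable (`@Getter private String name;` / `@Getter private Integer ranking;`) even though they are only ever assigned in the constructor; enum state should be `private final String name;` and `private final int ranking;` so the constants are immutable. With a primitive `ranking` the `new Integer(n)` calls on every constant (`INTRODUCTION("Introduction", new Integer(5))` and the twenty that follow) can become plain literals such as `INTRODUCTION("Introduction", 5)`, which also drops the boxed-constructor idiom that later JDKs deprecate; the constructor parameter would change to `int ranking` accordingly. Since the class is now an enum, natural ordering is by declaration order rather than by the old ranking-based `compareTo`; the declaration order here happens to be ascending by ranking, so a one-line comment above the constants stating that they must stay sorted by ranking would protect that invariant. The closing brace of the enum lies outside this hunk.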


@ -30,76 +30,8 @@
*/
package org.owasp.webgoat.lessons;
import com.google.common.base.Joiner;
import org.apache.commons.io.IOUtils;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.Center;
import org.apache.ecs.html.H3;
import org.apache.ecs.html.P;
import org.apache.ecs.html.PRE;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.WebSession;
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;
public abstract class LessonAdapter extends AbstractLesson {
/**
* {@inheritDoc}
*
* Description of the Method
*/
protected Element createContent(WebSession s) {
// Mark this lesson as completed.
makeSuccess(s);
ElementContainer ec = new ElementContainer();
ec.addElement(new Center().addElement(new H3().addElement(new StringElement(
"Detailed Lesson Creation Instructions."))));
ec.addElement(new P());
ec
.addElement(new StringElement(
"Lesson are simple to create and very little coding is required. &nbsp;&nbsp;"
+ "In fact, most lessons can be created by following the easy to use instructions in the "
+ "<A HREF=http://www.owasp.org/index.php/WebGoat_User_and_Install_Guide_Table_of_Contents>WebGoat User Guide.</A>&nbsp;&nbsp;"
+ "If you would prefer, send your lesson ideas to "
+ getWebgoatContext().getFeedbackAddressHTML()));
try (InputStream is = Thread.currentThread().getContextClassLoader()
.getResourceAsStream("New Lesson Instructions.txt")) {
if (is != null) {
PRE pre = new PRE();
pre.addElement(Joiner.on("\n").join(IOUtils.readLines(is)));
ec.addElement(pre);
}
} catch (IOException e) {
e.printStackTrace();
}
return (ec);
}
/**
* Gets the category attribute of the LessonAdapter object. The default
* category is "General" Only override this method if you wish to create a
* new category or if you wish this lesson to reside within a category other
* the "General"
*
* @return The category value
*/
protected Category getDefaultCategory() {
return Category.GENERAL;
}
/**
* <p>getDefaultHidden.</p>
@ -129,29 +61,6 @@ public abstract class LessonAdapter extends AbstractLesson {
return DEFAULT_RANKING;
}
/**
* {@inheritDoc}
*
* Gets the hintCount attribute of the LessonAdapter object
*/
public int getHintCount(WebSession s) {
return getHints(s).size();
}
/**
* {@inheritDoc}
*
* Fill in a minor hint that will help people who basically get it, but are
* stuck on somthing silly. Hints will be returned to the user in the order
* they appear below. The user must click on the "next hint" button before
* the hint will be displayed.
*/
protected List<String> getHints(WebSession s) {
List<String> hints = new ArrayList<String>();
hints.add("There are no hints defined.");
return hints;
}
/**
* provide a default submitMethod of lesson does not implement
*
@ -161,44 +70,6 @@ public abstract class LessonAdapter extends AbstractLesson {
return "GET";
}
/**
* {@inheritDoc}
*
* Gets the instructions attribute of the LessonAdapter object. Instructions
* will rendered as html and will appear below the control area and above
* the actual lesson area. Instructions should provide the user with the
* general setup and goal of the lesson.
*/
public String getInstructions(WebSession s) {
StringBuffer buff = new StringBuffer();
String lang = s.getCurrrentLanguage();
try {
String fileName = getLessonPlanFileName(lang);
if (fileName != null) {
BufferedReader in = new BufferedReader(new FileReader(fileName));
String line = null;
boolean startAppending = false;
while ((line = in.readLine()) != null) {
if (line.indexOf("<!-- Start Instructions -->") != -1) {
startAppending = true;
continue;
}
if (line.indexOf("<!-- Stop Instructions -->") != -1) {
startAppending = false;
continue;
}
if (startAppending) {
buff.append(line + "\n");
}
}
}
} catch (Exception e) {
}
return buff.toString();
}
/**
* Fill in a descriptive title for this lesson. The title of the lesson.
* This will appear above the control area at the top of the page. This
@ -210,71 +81,5 @@ public abstract class LessonAdapter extends AbstractLesson {
return "Untitled Lesson " + getScreenId();
}
/** {@inheritDoc} */
public String getCurrentAction(WebSession s) {
return s.getLessonSession(this).getCurrentLessonScreen();
}
/** {@inheritDoc} */
public void setCurrentAction(WebSession s, String lessonScreen) {
s.getLessonSession(this).setCurrentLessonScreen(lessonScreen);
}
@Override
protected Element makeMessages(WebSession s) {
return super.makeMessages(s);
}
/**
* <p>getSessionAttribute.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param key a {@link java.lang.String} object.
* @return a {@link java.lang.Object} object.
*/
public Object getSessionAttribute(WebSession s, String key) {
return s.getRequest().getSession().getAttribute(key);
}
/**
* <p>setSessionAttribute.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param key a {@link java.lang.String} object.
* @param value a {@link java.lang.Object} object.
*/
public void setSessionAttribute(WebSession s, String key, Object value) {
s.getRequest().getSession().setAttribute(key, value);
}
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected Element makeSuccess(WebSession s) {
getLessonTracker(s).setCompleted(true);
//s.setMessage(getLabelManager().get("LessonCompleted"));
return (null);
}
/**
* Gets the credits attribute of the AbstractLesson object
*
* @return The credits value
* @param text a {@link java.lang.String} object.
* @param e a {@link org.apache.ecs.Element} object.
*/
protected Element getCustomCredits(String text, Element e) {
Table t = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0).setWidth("90%").setAlign("RIGHT");
TR tr = new TR();
tr.addElement(new TD(text).setVAlign("MIDDLE").setAlign("RIGHT").setWidth("100%"));
tr.addElement(new TD(e).setVAlign("MIDDLE").setAlign("RIGHT"));
t.addElement(tr);
return t;
}
}


@ -39,7 +39,7 @@ import java.lang.annotation.Target;
/**
* Annotation as a marker annotation. During the startup we scan the plugins for classes which use this annotation.
* @see LessonEndpoint for more information.
* @see AssignmentEndpoint for more information.
*/
@Component
@Target(ElementType.TYPE)


@ -1,5 +1,7 @@
package org.owasp.webgoat.lessons;
import lombok.Getter;
import lombok.Setter;
import org.owasp.webgoat.session.WebSession;
import java.util.List;
@ -35,18 +37,28 @@ import java.util.List;
*/
public abstract class NewLesson extends LessonAdapter {
@Setter
@Getter
private int totalNumberOfAssignments = 0;
@Override
public abstract Category getDefaultCategory();
@Override
public abstract List<String> getHints(WebSession s); //TODO we should probably remove WebSession due to old lessons still here
public abstract List<String> getHints();
@Override
public abstract Integer getDefaultRanking();
public abstract Integer getDefaultRanking();
@Override
public abstract String getTitle();
public abstract String getTitle();
@Override
public abstract String getId();
public final List<String> getHints(WebSession w) {
throw new IllegalStateException("Do not use");
}
}
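Review bot: The new `getHints(WebSession w)` at the end of the hunk is `final` and unconditionally throws `IllegalStateException("Do not use")`, so any remaining caller that still passes a WebSession (the commit message says old lessons are still present) fails at runtime instead of at compile time, and the message names no replacement. Since `getHints()` is the intended replacement, delegating keeps old call sites working: `@Deprecated public final List<String> getHints(WebSession w) { return getHints(); }`. If the call really must be forbidden, mark the method `@Deprecated` so misuse shows up at compile time and name the replacement, e.g. `throw new IllegalStateException("getHints(WebSession) is no longer supported; use getHints()")`. On this rendered page the old/new side of the `@Override` lines around `getDefaultRanking()` and `getTitle()` cannot be told apart, so I have not verified that `@Override` still applies to the new no-arg `getHints()` — it only compiles if a superclass declares that signature.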


@ -1,143 +0,0 @@
package org.owasp.webgoat.lessons;
import org.owasp.webgoat.session.CreateDB;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.LessonTracker;
import org.owasp.webgoat.session.RandomLessonTracker;
import org.owasp.webgoat.session.WebSession;
import java.sql.Connection;
import java.sql.SQLException;
/**
* <p>Abstract RandomLessonAdapter class.</p>
*
* @version $Id: $Id
* @author dm
*/
public abstract class RandomLessonAdapter extends LessonAdapter
{
/**
* <p>getStages.</p>
*
* @return an array of {@link java.lang.String} objects.
*/
public abstract String[] getStages();
/**
* <p>setStage.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param stage a {@link java.lang.String} object.
* @param stage a {@link java.lang.String} object.
*/
public void setStage(WebSession s, String stage)
{
getLessonTracker(s).setStage(stage);
try
{
Connection connection = DatabaseUtilities.getConnection(s);
CreateDB db = new CreateDB();
db.makeDB(connection);
System.out.println("Successfully refreshed the database.");
} catch (SQLException sqle)
{
System.out.println("Error refreshing the database!");
sqle.printStackTrace();
}
}
/**
* <p>getStage.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link java.lang.String} object.
*/
public String getStage(WebSession s)
{
return getLessonTracker(s).getStage();
}
/**
* <p>setStageComplete.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param stage a {@link java.lang.String} object.
* @param stage a {@link java.lang.String} object.
*/
public void setStageComplete(WebSession s, String stage)
{
RandomLessonTracker lt = getLessonTracker(s);
lt.setStageComplete(stage, true);
if (lt.getCompleted())
{
//s.setMessage("Congratulations, you have completed this lab");
}
else
{
s.setMessage("You have completed Stage " + (lt.getStageNumber(stage) + 1) + ": " + stage + ".");
if (!stage.equals(lt.getStage()))
s.setMessage(" Welcome to Stage " + (lt.getStageNumber(lt.getStage()) + 1) + ": " + lt.getStage());
}
try
{
Connection connection = DatabaseUtilities.getConnection(s);
CreateDB db = new CreateDB();
db.makeDB(connection);
System.out.println("Successfully refreshed the database.");
} catch (SQLException sqle)
{
System.out.println("Error refreshing the database!");
sqle.printStackTrace();
}
}
/**
* <p>isStageComplete.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param stage a {@link java.lang.String} object.
* @param stage a {@link java.lang.String} object.
* @return a boolean.
*/
public boolean isStageComplete(WebSession s, String stage)
{
return getLessonTracker(s).hasCompleted(stage);
}
/** {@inheritDoc} */
@Override
public RandomLessonTracker getLessonTracker(WebSession s)
{
return (RandomLessonTracker) super.getLessonTracker(s);
}
/** {@inheritDoc} */
@Override
public RandomLessonTracker getLessonTracker(WebSession s, AbstractLesson lesson)
{
return (RandomLessonTracker) super.getLessonTracker(s, lesson);
}
/** {@inheritDoc} */
@Override
public RandomLessonTracker getLessonTracker(WebSession s, String userNameOverride)
{
return (RandomLessonTracker) super.getLessonTracker(s, userNameOverride);
}
/** {@inheritDoc} */
@Override
public LessonTracker createLessonTracker()
{
return new RandomLessonTracker(getStages());
}
}


@ -1,214 +0,0 @@
package org.owasp.webgoat.lessons;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.owasp.webgoat.session.LessonTracker;
import org.owasp.webgoat.session.SequentialLessonTracker;
import org.owasp.webgoat.session.WebSession;
/**
* <p>Abstract SequentialLessonAdapter class.</p>
*
* @version $Id: $Id
* @author dm
*/
public abstract class SequentialLessonAdapter extends LessonAdapter
{
/**
* <p>setStage.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param stage a int.
* @param stage a int.
*/
public void setStage(WebSession s, int stage)
{
// System.out.println("Changed to stage " + stage);
getLessonTracker(s).setStage(stage);
}
/*
* By default returns 1 stage. (non-Javadoc)
*/
/**
* <p>getStageCount.</p>
*
* @return a int.
*/
public int getStageCount()
{
return 1;
}
/**
* <p>getStage.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a int.
*/
public int getStage(WebSession s)
{
int stage = getLessonTracker(s).getStage();
// System.out.println("In stage " + stage);
return stage;
}
/** {@inheritDoc} */
@Override
public SequentialLessonTracker getLessonTracker(WebSession s)
{
return (SequentialLessonTracker) super.getLessonTracker(s);
}
/** {@inheritDoc} */
@Override
public SequentialLessonTracker getLessonTracker(WebSession s, AbstractLesson lesson)
{
return (SequentialLessonTracker) super.getLessonTracker(s, lesson);
}
/** {@inheritDoc} */
@Override
public SequentialLessonTracker getLessonTracker(WebSession s, String userNameOverride)
{
return (SequentialLessonTracker) super.getLessonTracker(s, userNameOverride);
}
/** {@inheritDoc} */
@Override
public LessonTracker createLessonTracker()
{
return new SequentialLessonTracker();
}
/**
* <p>createStagedContent.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link org.apache.ecs.Element} object.
*/
protected Element createStagedContent(WebSession s)
{
try
{
int stage = getLessonTracker(s).getStage();
// int stage = Integer.parseInt(
// getLessonTracker(s).getLessonProperties().getProperty(WebSession.STAGE,"1"));
switch (stage)
{
case 1:
return (doStage1(s));
case 2:
return (doStage2(s));
case 3:
return (doStage3(s));
case 4:
return (doStage4(s));
case 5:
return (doStage5(s));
case 6:
return (doStage6(s));
default:
throw new Exception("Invalid stage");
}
} catch (Exception e)
{
s.setMessage("Error generating " + this.getClass().getName());
// System.out.println(e);
e.printStackTrace();
}
return (new StringElement(""));
}
/**
* <p>doStage1.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link org.apache.ecs.Element} object.
* @throws java.lang.Exception if any.
*/
protected Element doStage1(WebSession s) throws Exception
{
ElementContainer ec = new ElementContainer();
ec.addElement("Stage 1 Stub");
return ec;
}
/**
* <p>doStage2.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link org.apache.ecs.Element} object.
* @throws java.lang.Exception if any.
*/
protected Element doStage2(WebSession s) throws Exception
{
ElementContainer ec = new ElementContainer();
ec.addElement("Stage 2 Stub");
return ec;
}
/**
* <p>doStage3.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link org.apache.ecs.Element} object.
* @throws java.lang.Exception if any.
*/
protected Element doStage3(WebSession s) throws Exception
{
ElementContainer ec = new ElementContainer();
ec.addElement("Stage 3 Stub");
return ec;
}
/**
* <p>doStage4.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link org.apache.ecs.Element} object.
* @throws java.lang.Exception if any.
*/
protected Element doStage4(WebSession s) throws Exception
{
ElementContainer ec = new ElementContainer();
ec.addElement("Stage 4 Stub");
return ec;
}
/**
* <p>doStage5.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link org.apache.ecs.Element} object.
* @throws java.lang.Exception if any.
*/
protected Element doStage5(WebSession s) throws Exception
{
ElementContainer ec = new ElementContainer();
ec.addElement("Stage 5 Stub");
return ec;
}
/**
* <p>doStage6.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link org.apache.ecs.Element} object.
* @throws java.lang.Exception if any.
*/
protected Element doStage6(WebSession s) throws Exception
{
ElementContainer ec = new ElementContainer();
ec.addElement("Stage 6 Stub");
return ec;
}
}


@ -1,159 +0,0 @@
package org.owasp.webgoat.lessons;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.HtmlColor;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.Center;
import org.apache.ecs.html.Form;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.*;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @since October 28, 2003
* @version $Id: $Id
*/
public class WelcomeScreen extends Screen
{
/**
* Constructor for the WelcomeScreen object
*
* @param s
* Description of the Parameter
*/
public WelcomeScreen(WebSession s)
{
setup(s);
}
/**
* Constructor for the WelcomeScreen object
*/
public WelcomeScreen()
{
}
/**
* <p>setup.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
*/
public void setup(WebSession s)
{
// call createContent first so messages will go somewhere
Form form = new Form("attack", Form.POST).setName("form").setEncType("");
form.addElement(wrapForm(s));
TD lowerright = new TD().setHeight("100%").setVAlign("top").setAlign("left").addElement(form);
TR row = new TR().addElement(lowerright);
Table layout = new Table().setBgColor(HtmlColor.WHITE).setCellSpacing(0).setCellPadding(0).setBorder(0);
layout.addElement(row);
setContent(layout);
}
/**
* <p>wrapForm.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link org.apache.ecs.Element} object.
*/
protected Element wrapForm(WebSession s)
{
if (s == null) { return new StringElement("Invalid Session"); }
Table container = new Table().setWidth("100%").setCellSpacing(10).setCellPadding(0).setBorder(0);
// CreateContent can generate error messages so you MUST call it before makeMessages()
Element content = createContent(s);
container.addElement(new TR().addElement(new TD().setColSpan(2).setVAlign("TOP").addElement(makeMessages(s))));
container.addElement(new TR().addElement(new TD().setColSpan(2).addElement(content)));
container.addElement(new TR());
return (container);
}
/**
* {@inheritDoc}
*
* Description of the Method
*/
protected Element createContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
Element b = ECSFactory.makeButton("Start the Course!");
ec.addElement(new Center(b));
return (ec);
}
/**
* Gets the instructions attribute of the WelcomeScreen object
*
* @return The instructions value
*/
protected String getInstructions()
{
String instructions = "Enter your name and learn how HTTP really works!";
return (instructions);
}
/**
* Gets the title attribute of the WelcomeScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Welcome to the Penetration Testing Course");
}
/*
* (non-Javadoc)
* @see session.Screen#getRole()
*/
/**
* <p>getRole.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getRole()
{
return AbstractLesson.USER_ROLE;
}
}


@ -1,109 +0,0 @@
package org.owasp.webgoat.lessons.admin;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.session.Screen;
import org.owasp.webgoat.session.WebSession;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @since October 28, 2003
* @version $Id: $Id
*/
public abstract class AdminScreen extends Screen
{
/**
* Description of the Field
*/
protected String query = null;
/**
* Constructor for the AdminScreen object
*
* @param s
* Description of the Parameter
* @param q
* Description of the Parameter
*/
public AdminScreen(WebSession s, String q)
{
setQuery(q);
// setupAdmin(s); FIXME: what was this supposed to do?
}
/**
* Constructor for the AdminScreen object
*
* @param s
* Description of the Parameter
*/
public AdminScreen(WebSession s)
{
}
/**
* Constructor for the AdminScreen object
*/
public AdminScreen()
{
}
/**
* Gets the title attribute of the AdminScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Admin Information");
}
/**
* <p>getRole.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getRole()
{
return AbstractLesson.ADMIN_ROLE;
}
/**
* Sets the query attribute of the AdminScreen object
*
* @param q
* The new query value
*/
public void setQuery(String q)
{
query = q;
}
}


@ -1,162 +0,0 @@
package org.owasp.webgoat.lessons.admin;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.BR;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TH;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.LessonAdapter;
import org.owasp.webgoat.session.WebSession;
import java.net.URL;
import static org.springframework.util.StringUtils.getFilename;
import static org.springframework.util.StringUtils.stripFilenameExtension;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @since October 28, 2003
* @version $Id: $Id
*/
public class MenuToLessonMapperScreen extends LessonAdapter
{
/**
* {@inheritDoc}
*
* Description of the Method
*/
protected Element createContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
ec.addElement(new StringElement("This page describes an overview of all the lessons and maps the lesson to the WebGoat-Lessons project"));
ec.addElement(new BR());
ec.addElement(new BR());
ec.addElement(makeMenuToLessonMapping(s));
return ec;
}
/**
* Gets the category attribute of the UserAdminScreen object
*
* @return The category value
*/
protected Category getDefaultCategory()
{
return Category.ADMIN_FUNCTIONS;
}
private final static Integer DEFAULT_RANKING = new Integer(1000);
/**
* <p>getDefaultRanking.</p>
*
* @return a {@link java.lang.Integer} object.
*/
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
/**
* Gets the role attribute of the UserAdminScreen object
*
* @return The role value
*/
public String getRole()
{
return ADMIN_ROLE;
}
/**
* Gets the title attribute of the UserAdminScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Lesson information");
}
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/
public Element makeMenuToLessonMapping(WebSession s)
{
ElementContainer ec = new ElementContainer();
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1);
t.addElement(makeHeaderRow());
for (AbstractLesson lesson : s.getCourse().getLessons(s, AbstractLesson.USER_ROLE)) {
TR tr = new TR();
tr.addElement(new TD().addElement(lesson.getName()));
URL jarLocation = lesson.getClass().getProtectionDomain().getCodeSource().getLocation();
String projectName = removeVersion(stripFilenameExtension(getFilename(jarLocation.getFile())));
tr.addElement(new TD().addElement(projectName));
tr.addElement(new TD().addElement(lesson.getClass().getName() + ".java"));
t.addElement(tr);
}
ec.addElement(t);
return (ec);
}
//Remove version number and last '-'
private static String removeVersion(String s) {
return s.replaceAll("[^a-z\\-]", "").replaceAll("-$", "");
}
/**
* Description of the Method
*
* @return Description of the Return Value
*/
private TR makeHeaderRow()
{
TR tr = new TR();
tr.addElement(new TH("Lesson menu item"));
tr.addElement(new TH("Lesson project"));
tr.addElement(new TH("Lesson source class"));
return tr;
}
}


@ -1,124 +0,0 @@
package org.owasp.webgoat.lessons.admin;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
import java.sql.Statement;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.LessonAdapter;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.WebSession;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @since October 28, 2003
* @version $Id: $Id
*/
public class ProductsAdminScreen extends LessonAdapter
{
private final static String QUERY = "SELECT * FROM product_system_data";
/**
* {@inheritDoc}
*
* Description of the Method
*/
protected Element createContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
try
{
Connection connection = DatabaseUtilities.getConnection(s);
Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
ResultSet results = statement.executeQuery(QUERY);
if (results != null)
{
makeSuccess(s);
ResultSetMetaData resultsMetaData = results.getMetaData();
ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData));
}
} catch (Exception e)
{
s.setMessage("Error generating " + this.getClass().getName());
e.printStackTrace();
}
return (ec);
}
/**
* Gets the category attribute of the ProductsAdminScreen object
*
* @return The category value
*/
protected Category getDefaultCategory()
{
return Category.ADMIN_FUNCTIONS;
}
/**
* Gets the role attribute of the ProductsAdminScreen object
*
* @return The role value
*/
public String getRole()
{
return HACKED_ADMIN_ROLE;
}
/**
* Gets the title attribute of the ProductsAdminScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Product Information");
}
private final static Integer DEFAULT_RANKING = new Integer(1000);
/**
* <p>getDefaultRanking.</p>
*
* @return a {@link java.lang.Integer} object.
*/
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
}


@ -1,160 +0,0 @@
package org.owasp.webgoat.lessons.admin;
import java.sql.Connection;
import org.owasp.webgoat.lessons.*;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.A;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.*;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @since October 28, 2003
* @version $Id: $Id
*/
public class RefreshDBScreen extends LessonAdapter
{
private final static String REFRESH = "Refresh";
/**
* {@inheritDoc}
*
* Description of the Method
*/
protected Element createContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
try
{
boolean refresh = s.getParser().getBooleanParameter(REFRESH, false);
if (refresh)
{
refreshDB(s);
ec.addElement(new StringElement("Successfully refreshed the database."));
}
else
{
Element label = new StringElement("Refresh the database? ");
A link1 = ECSFactory.makeLink("Yes", REFRESH, true);
A link2 = ECSFactory.makeLink("No", REFRESH, false);
TD td1 = new TD().addElement(label);
TD td2 = new TD().addElement(link1);
TD td3 = new TD().addElement(link2);
TR row = new TR().addElement(td1).addElement(td2).addElement(td3);
Table t = new Table().setCellSpacing(40).setWidth("50%");
if (s.isColor())
{
t.setBorder(1);
}
t.addElement(row);
ec.addElement(t);
}
} catch (Exception e)
{
s.setMessage("Error generating " + this.getClass().getName());
e.printStackTrace();
}
return (ec);
}
/**
* Gets the category attribute of the RefreshDBScreen object
*
* @return The category value
*/
protected Category getDefaultCategory()
{
return Category.ADMIN_FUNCTIONS;
}
private final static Integer DEFAULT_RANKING = new Integer(1000);
/**
* <p>getDefaultRanking.</p>
*
* @return a {@link java.lang.Integer} object.
*/
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
/**
* Gets the role attribute of the RefreshDBScreen object
*
* @return The role value
*/
public String getRole()
{
return ADMIN_ROLE;
}
/**
* Gets the title attribute of the RefreshDBScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Refresh Database");
}
/**
* Description of the Method
*
* @param s
* Description of the Parameter
*/
public void refreshDB(WebSession s)
{
try
{
Connection connection = DatabaseUtilities.getConnection(s);
CreateDB db = new CreateDB();
db.makeDB(connection);
System.out.println("Successfully refreshed the database.");
} catch (Exception e)
{
s.setMessage("Error refreshing database " + this.getClass().getName());
e.printStackTrace();
}
}
}


@ -1,295 +0,0 @@
package org.owasp.webgoat.lessons.admin;
import java.util.Iterator;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.HtmlColor;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.Center;
import org.apache.ecs.html.H2;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TH;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.LessonAdapter;
import org.owasp.webgoat.session.LessonTracker;
import org.owasp.webgoat.session.Screen;
import org.owasp.webgoat.session.UserTracker;
import org.owasp.webgoat.session.WebSession;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @since October 28, 2003
* @version $Id: $Id
*/
public class ReportCardScreen extends LessonAdapter
{
/**
* Description of the Field
*/
protected final static String USERNAME = "Username";
/**
* {@inheritDoc}
*
* Description of the Method
*/
protected Element createContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
String user = null;
try
{
if (s.getRequest().isUserInRole(WebSession.WEBGOAT_ADMIN))
{
user = s.getParser().getRawParameter(USERNAME);
}
else
{
user = s.getUserName();
}
} catch (Exception e)
{
}
if (user == null)
{
user = s.getUserName();
}
ec.addElement(makeFeedback(s));
ec.addElement(makeReportCard(s, user));
return ec;
}
private Element makeFeedback(WebSession s)
{
ElementContainer ec = new ElementContainer();
ec.addElement(new StringElement("Comments and suggestions are welcome. "
+ getWebgoatContext().getFeedbackAddressHTML() + "<br><br>"));
return ec;
}
/**
* Gets the category attribute of the UserAdminScreen object
*
* @return The category value
*/
protected Category getDefaultCategory()
{
return Category.ADMIN_FUNCTIONS;
}
private final static Integer DEFAULT_RANKING = new Integer(1000);
/**
* <p>getDefaultRanking.</p>
*
* @return a {@link java.lang.Integer} object.
*/
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
/**
* Gets the role attribute of the UserAdminScreen object
*
* @return The role value
*/
public String getRole()
{
return USER_ROLE;
}
/**
* Gets the title attribute of the UserAdminScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Report Card");
}
/**
* Description of the Method
*
* @param screen
* Description of the Parameter
* @param s
* Description of the Parameter
* @param user
* Description of the Parameter
* @return Description of the Return Value
*/
private TR makeLessonRow(WebSession s, String user, Screen screen)
{
LessonTracker lessonTracker = UserTracker.instance().getLessonTracker(s, user, screen);
TR tr = new TR();
if (lessonTracker.getCompleted())
{
tr.setBgColor(HtmlColor.LIGHTGREEN);
}
else if (lessonTracker.getNumVisits() == 0)
{
tr.setBgColor(HtmlColor.LIGHTBLUE);
}
else if (!lessonTracker.getCompleted() && lessonTracker.getNumVisits() > 10)
{
tr.setBgColor(HtmlColor.RED);
}
else
{
tr.setBgColor(HtmlColor.YELLOW);
}
tr.addElement(new TD().addElement(screen.getTitle()));
tr.addElement(new TD().setAlign("CENTER").addElement(lessonTracker.getCompleted() ? "Y" : "N"));
tr.addElement(new TD().setAlign("CENTER").addElement(Integer.toString(lessonTracker.getNumVisits())));
tr.addElement(new TD().setAlign("CENTER").addElement(Integer.toString(lessonTracker.getMaxHintLevel())));
return tr;
}
/**
* {@inheritDoc}
*
* Description of the Method
*/
protected Element makeMessages(WebSession s)
{
ElementContainer ec = new ElementContainer();
return (ec);
}
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @param user
* Description of the Parameter
* @return Description of the Return Value
*/
public Element makeReportCard(WebSession s, String user)
{
ElementContainer ec = new ElementContainer();
ec.addElement(makeUser(s, user));
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1);
if (s.isColor())
{
t.setBorder(1);
}
TR tr = new TR();
t.addElement(makeUserHeaderRow());
// These are all the user lesson
tr = new TR();
tr.addElement(new TD().setAlign("CENTER").setColSpan(9).addElement("Normal user lessons"));
t.addElement(tr);
for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.USER_ROLE).iterator(); lessonIter
.hasNext();)
{
Screen screen = (Screen) lessonIter.next();
t.addElement(makeLessonRow(s, user, screen));
}
// The user figured out there was a hackable admin acocunt
tr = new TR();
tr.addElement(new TD().setAlign("CENTER").setColSpan(9).addElement("Hackable Admin Screens"));
t.addElement(tr);
for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.HACKED_ADMIN_ROLE).iterator(); lessonIter
.hasNext();)
{
Screen screen = (Screen) lessonIter.next();
t.addElement(makeLessonRow(s, user, screen));
}
// The user figured out how to actually hack the admin acocunt
tr = new TR();
tr.addElement(new TD().setAlign("CENTER").setColSpan(9).addElement("Actual Admin Screens"));
t.addElement(tr);
for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.ADMIN_ROLE).iterator(); lessonIter
.hasNext();)
{
Screen screen = (Screen) lessonIter.next();
t.addElement(makeLessonRow(s, user, screen));
}
ec.addElement(t);
return (ec);
}
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @param user
* Description of the Parameter
* @return Description of the Return Value
*/
protected Element makeUser(WebSession s, String user)
{
H2 h2 = new H2();
// FIXME: The session is the current session, not the session of the user we are reporting.
// String type = s.isAdmin() ? " [Administrative User]" : s.isHackedAdmin() ?
// " [Normal User - Hacked Admin Access]" : " [Normal User]";
String type = "";
h2.addElement(new StringElement("Results for: " + user + type));
return h2;
}
/**
* Description of the Method
*
* @return Description of the Return Value
*/
private TR makeUserHeaderRow()
{
TR tr = new TR();
tr.addElement(new TH("Lesson"));
tr.addElement(new TH("Complete"));
tr.addElement(new TH("Visits"));
tr.addElement(new TH("Hints"));
return tr;
}
}


@ -1,326 +0,0 @@
package org.owasp.webgoat.lessons.admin;
import java.util.Enumeration;
import java.util.Iterator;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.HtmlColor;
import org.apache.ecs.html.Center;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.P;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TH;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.LessonAdapter;
import org.owasp.webgoat.session.LessonTracker;
import org.owasp.webgoat.session.Screen;
import org.owasp.webgoat.session.UserTracker;
import org.owasp.webgoat.session.WebSession;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Bruce mayhew <a href="http://code.google.com">WebGoat</a>
* @since October 28, 2003
* @version $Id: $Id
*/
public class SummaryReportCardScreen extends LessonAdapter
{
private int totalUsersNormalComplete = 0;
private int totalUsersAdminComplete = 0;
/**
* {@inheritDoc}
*
* Description of the Method
*/
protected Element createContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
String selectedUser = null;
try
{
if (s.getRequest().isUserInRole(WebSession.WEBGOAT_ADMIN))
{
Enumeration e = s.getParser().getParameterNames();
while (e.hasMoreElements())
{
String key = (String) e.nextElement();
if (key.startsWith("View_"))
{
selectedUser = key.substring("View_".length());
ReportCardScreen reportCard = new ReportCardScreen();
return reportCard.makeReportCard(s, selectedUser);
}
if (key.startsWith("Delete_"))
{
selectedUser = key.substring("Delete_".length());
deleteUser(selectedUser);
}
}
}
} catch (Exception e)
{
e.printStackTrace();
}
ec.addElement(new Center().addElement(makeSummary(s)));
ec.addElement(new P());
Table t = new Table().setCellSpacing(0).setCellPadding(4).setBorder(1).setWidth("100%");
if (s.isColor())
{
t.setBorder(1);
}
t.addElement(makeUserSummaryHeader());
for (Iterator<String> userIter = UserTracker.instance().getAllUsers(WebSession.WEBGOAT_USER).iterator(); userIter
.hasNext();)
{
String user = userIter.next();
t.addElement(makeUserSummaryRow(s, user));
}
ec.addElement(new Center().addElement(t));
return ec;
}
/**
* <p>makeSummary.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link org.apache.ecs.Element} object.
*/
protected Element makeSummary(WebSession s)
{
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("100%");
if (s.isColor())
{
t.setBorder(1);
}
TR tr = new TR();
// tr.addElement( new TH().addElement( "Summary").setColSpan(1));
// t.addElement( tr );
tr = new TR();
tr.addElement(new TD().setWidth("60%").addElement("Total number of users"));
tr.addElement(new TD().setAlign("LEFT").addElement(
Integer.toString(UserTracker.instance()
.getAllUsers(WebSession.WEBGOAT_USER).size())));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().setWidth("60%").addElement("Total number of users that completed all normal lessons"));
tr.addElement(new TD().setAlign("LEFT").addElement(Integer.toString(totalUsersNormalComplete)));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().setWidth("60%").addElement("Total number of users that completed all admin lessons"));
tr.addElement(new TD().setAlign("LEFT").addElement(Integer.toString(totalUsersAdminComplete)));
t.addElement(tr);
return t;
}
private void deleteUser(String user)
{
UserTracker.instance().deleteUser(user);
}
/**
* Gets the category attribute of the UserAdminScreen object
*
* @return The category value
*/
protected Category getDefaultCategory()
{
return Category.ADMIN_FUNCTIONS;
}
private final static Integer DEFAULT_RANKING = new Integer(1000);
/**
* <p>getDefaultRanking.</p>
*
* @return a {@link java.lang.Integer} object.
*/
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
/**
* Gets the role attribute of the UserAdminScreen object
*
* @return The role value
*/
public String getRole()
{
return ADMIN_ROLE;
}
/**
* Gets the title attribute of the UserAdminScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Summary Report Card");
}
/**
* {@inheritDoc}
*
* Description of the Method
*/
protected Element makeMessages(WebSession s)
{
ElementContainer ec = new ElementContainer();
return (ec);
}
/**
* Description of the Method
*
* @return Description of the Return Value
*/
protected Element makeUserSummaryHeader()
{
TR tr = new TR();
tr.addElement(new TH("User Name"));
tr.addElement(new TH("Normal Complete"));
tr.addElement(new TH("Admin Complete"));
tr.addElement(new TH("View"));
tr.addElement(new TH("Delete"));
return tr;
}
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @param user
* Description of the Parameter
* @return Description of the Return Value
*/
protected Element makeUserSummaryRow(WebSession s, String user)
{
TR tr = new TR();
tr.addElement(new TD().setAlign("LEFT").addElement(user));
int lessonCount = 0;
int passedCount = 0;
boolean normalComplete = false;
boolean adminComplete = false;
for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.USER_ROLE).iterator(); lessonIter
.hasNext();)
{
lessonCount++;
Screen screen = (Screen) lessonIter.next();
LessonTracker lessonTracker = UserTracker.instance().getLessonTracker(s, user, screen);
if (lessonTracker.getCompleted())
{
passedCount++;
}
}
if (lessonCount == passedCount)
{
normalComplete = true;
totalUsersNormalComplete++;
}
String text = Integer.toString(passedCount) + " of " + Integer.toString(lessonCount);
tr.addElement(new TD().setAlign("CENTER").addElement(text));
lessonCount = 0;
passedCount = 0;
for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.HACKED_ADMIN_ROLE).iterator(); lessonIter
.hasNext();)
{
lessonCount++;
Screen screen = (Screen) lessonIter.next();
LessonTracker lessonTracker = UserTracker.instance().getLessonTracker(s, user, screen);
if (lessonTracker.getCompleted())
{
passedCount++;
}
}
if (lessonCount == passedCount)
{
adminComplete = true;
totalUsersAdminComplete++;
}
text = Integer.toString(passedCount) + " of " + Integer.toString(lessonCount);
tr.addElement(new TD().setAlign("CENTER").addElement(text));
tr.addElement(new TD().setAlign("CENTER").addElement(new Input(Input.SUBMIT, "View_" + user, "View")));
tr.addElement(new TD().setAlign("CENTER").addElement(new Input(Input.SUBMIT, "Delete_" + user, "Delete")));
if (normalComplete && adminComplete)
{
tr.setBgColor(HtmlColor.GREEN);
}
else if (normalComplete)
{
tr.setBgColor(HtmlColor.LIGHTGREEN);
}
else
{
tr.setBgColor(HtmlColor.LIGHTBLUE);
}
return (tr);
}
/**
* <p>isEnterprise.</p>
*
* @return a boolean.
*/
public boolean isEnterprise()
{
return true;
}
}


@ -1,124 +0,0 @@
package org.owasp.webgoat.lessons.admin;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
import java.sql.Statement;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.LessonAdapter;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.WebSession;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @since October 28, 2003
* @version $Id: $Id
*/
public class UserAdminScreen extends LessonAdapter
{
private final static String QUERY = "SELECT * FROM user_system_data";
/**
* {@inheritDoc}
*
* Description of the Method
*/
protected Element createContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
try
{
Connection connection = DatabaseUtilities.getConnection(s);
Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
ResultSet results = statement.executeQuery(QUERY);
if (results != null)
{
makeSuccess(s);
ResultSetMetaData resultsMetaData = results.getMetaData();
ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData));
}
} catch (Exception e)
{
s.setMessage("Error generating " + this.getClass().getName());
e.printStackTrace();
}
return (ec);
}
/**
* Gets the category attribute of the UserAdminScreen object
*
* @return The category value
*/
protected Category getDefaultCategory()
{
return Category.ADMIN_FUNCTIONS;
}
private final static Integer DEFAULT_RANKING = new Integer(1000);
/**
* <p>getDefaultRanking.</p>
*
* @return a {@link java.lang.Integer} object.
*/
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
/**
* Gets the role attribute of the UserAdminScreen object
*
* @return The role value
*/
public String getRole()
{
return HACKED_ADMIN_ROLE;
}
/**
* Gets the title attribute of the UserAdminScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("User Information");
}
}


@ -1,165 +0,0 @@
package org.owasp.webgoat.lessons.admin;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import org.owasp.webgoat.lessons.*;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.Input;
import org.owasp.webgoat.session.*;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @since October 28, 2003
* @version $Id: $Id
*/
public class ViewDatabase extends LessonAdapter
{
private final static String SQL = "sql";
/**
* {@inheritDoc}
*
* Description of the Method
*/
protected Element createContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
try
{
ec.addElement(new StringElement("Enter a SQL statement: "));
StringBuffer sqlStatement = new StringBuffer(s.getParser().getRawParameter(SQL, ""));
Input input = new Input(Input.TEXT, SQL, sqlStatement.toString());
ec.addElement(input);
Element b = ECSFactory.makeButton("Go!");
ec.addElement(b);
Connection connection = DatabaseUtilities.getConnection(s);
if (sqlStatement.length() > 0)
{
Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
ResultSet results = statement.executeQuery(sqlStatement.toString());
if ((results != null) && (results.first() == true))
{
makeSuccess(s);
ResultSetMetaData resultsMetaData = results.getMetaData();
ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData));
}
}
} catch (Exception e)
{
s.setMessage("Error generating " + this.getClass().getName());
e.printStackTrace();
}
return (ec);
}
/**
* Gets the category attribute of the DatabaseScreen object
*
* @return The category value
*/
protected Category getDefaultCategory()
{
return Category.ADMIN_FUNCTIONS;
}
private final static Integer DEFAULT_RANKING = new Integer(1000);
/**
* <p>getDefaultRanking.</p>
*
* @return a {@link java.lang.Integer} object.
*/
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
/**
* {@inheritDoc}
*
* Gets the hints attribute of the DatabaseScreen object
*/
protected List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add("There are no hints defined");
return hints;
}
/**
* {@inheritDoc}
*
* Gets the instructions attribute of the ViewDatabase object
*/
public String getInstructions(WebSession s)
{
String instructions = "Please post a message to to the WebGoat forum. Your messages will be available for everyone to read.";
return (instructions);
}
/**
* Gets the role attribute of the ViewDatabase object
*
* @return The role value
*/
public String getRole()
{
return HACKED_ADMIN_ROLE;
}
/**
* Gets the title attribute of the DatabaseScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Adhoc Query");
}
}


@ -1,87 +0,0 @@
package org.owasp.webgoat.lessons.admin;
import org.owasp.webgoat.lessons.WelcomeScreen;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.html.Center;
import org.apache.ecs.html.H1;
import org.owasp.webgoat.session.WebSession;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @since October 28, 2003
* @version $Id: $Id
*/
public class WelcomeAdminScreen extends WelcomeScreen
{
/**
* Constructor for the WelcomeAdminScreen object
*
* @param s
* Description of the Parameter
*/
public WelcomeAdminScreen(WebSession s)
{
super(s);
}
/**
* Constructor for the WelcomeAdminScreen object
*/
public WelcomeAdminScreen()
{
}
/**
* {@inheritDoc}
*
* Description of the Method
*/
protected Element createContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
ec.addElement(new Center(new H1("You are logged on as an administrator")));
ec.addElement(super.createContent(s));
return (ec);
}
/**
* Gets the title attribute of the WelcomeAdminScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Admin Welcome");
}
}


@ -1,7 +1,6 @@
package org.owasp.webgoat.lessons.model;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.session.WebSession;
/**
@ -10,6 +9,7 @@ import org.owasp.webgoat.session.WebSession;
* @author dm
* @version $Id: $Id
*/
//// TODO: 11/5/2016 this can be removed???
public class LessonInfoModel {
private String lessonTitle;
@ -27,78 +27,11 @@ public class LessonInfoModel {
public LessonInfoModel(WebSession webSession) {
AbstractLesson lesson = webSession.getCurrentLesson();
//TODO make these first class citizens of the lesson itself; and stop passing the session all over ... and generally tighten the checks up
this.hasSource = !lesson.getSource(webSession).contains("Could not find the source file or source file does not exist");
this.hasPlan = !lesson.getSource(webSession).contains("Could not find lesson plan");
this.hasSolution = !lesson.getSolution(webSession).contains("Could not find the solution file or solution file does not exist");
this.hasSource = false;
this.hasPlan = false;
this.hasSolution = false;
this.lessonTitle = lesson.getTitle();
this.numberHints = lesson.getHintCount(webSession);
this.numberHints = lesson.getHintCount();
this.submitMethod = lesson.getSubmitMethod();
if ( this.numberHints < 1 || lesson.getHint(webSession,0).equals("Hint: There are no hints defined.")) {
this.numberHints = 0;
}
//special challenge case
if (lesson.getCategory().equals(Category.CHALLENGE)) {
this.numberHints = (lesson.isAuthorized(webSession, AbstractLesson.CHALLENGE_ROLE, WebSession.SHOWHINTS)) ? lesson.getHintCount(webSession) : 0;
this.hasSource = (lesson.isAuthorized(webSession, AbstractLesson.CHALLENGE_ROLE, WebSession.SHOWHINTS));
this.hasSolution = (lesson.isAuthorized(webSession, AbstractLesson.CHALLENGE_ROLE, WebSession.SHOWHINTS)); //assuming we want this to fall in line with source and solution
this.hasPlan = (lesson.isAuthorized(webSession, AbstractLesson.CHALLENGE_ROLE, WebSession.SHOWHINTS)); //assuming we want this to fall in line with source and solutionn
}
}
// GETTERS
/**
* <p>Getter for the field <code>lessonTitle</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getLessonTitle() {
return lessonTitle;
}
/**
* <p>Getter for the field <code>numberHints</code>.</p>
*
* @return a int.
*/
public int getNumberHints() {
return numberHints;
}
/**
* <p>isHasSource.</p>
*
* @return a boolean.
*/
public boolean isHasSource() {
return hasSource;
}
/**
* <p>isHasSolution.</p>
*
* @return a boolean.
*/
public boolean isHasSolution() {
return hasSolution;
}
/**
* <p>isHasPlan.</p>
*
* @return a boolean.
*/
public boolean isHasPlan() {
return hasPlan;
}
/**
* <p>Getter for the field <code>submitMethod</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getSubmitMethod() {
return submitMethod;
}
}
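Review bot: The constructor now hard-codes `this.hasSource = false;`, `this.hasPlan = false;` and `this.hasSolution = false;` while the getters further down still return them as if they were real flags, so callers of isHasSource()/isHasSolution()/isHasPlan() silently lose those links with nothing in the code saying the values are placeholders. The class-level `//// TODO: 11/5/2016 this can be removed???` should carry that fact, e.g. `// TODO: hasSource/hasPlan/hasSolution are stubbed to false pending lesson-level metadata; drop this model once the UI stops reading them`, and the four-slash marker should be the conventional `//`. The deleted challenge branch was also the only place the hint count was gated on `isAuthorized(webSession, AbstractLesson.CHALLENGE_ROLE, WebSession.SHOWHINTS)`; with `this.numberHints = lesson.getHintCount();` now unconditional, challenge lessons report their hint count regardless of that check, which is presumably intended under this commit's role removal but deserves a one-line comment on that assignment so the next reader does not mistake it for an oversight.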


@ -1,270 +0,0 @@
package org.owasp.webgoat.plugins;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.session.WebgoatContext;
import org.owasp.webgoat.session.WebgoatProperties;
import org.springframework.beans.factory.support.BeanDefinitionRegistry;
import org.springframework.beans.factory.support.SimpleBeanDefinitionRegistry;
import org.springframework.context.annotation.ClassPathBeanDefinitionScanner;
import org.springframework.core.io.ClassPathResource;
import org.springframework.core.io.Resource;
import org.springframework.core.type.filter.AssignableTypeFilter;
import org.springframework.core.type.filter.TypeFilter;
import javax.servlet.ServletContext;
import java.io.File;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
/**
* ************************************************************************************************
* <p>
* <p>
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
* <p>
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
* <p>
* Getting Source ==============
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @version $Id: $Id
* @since October 28, 2003
*/
@Slf4j
public class LegacyLoader {
private final List<String> files = new LinkedList<String>();
/**
* <p>Constructor for LegacyLoader.</p>
*/
public LegacyLoader() {
}
/**
* Take an absolute file and return the filename.
* <p>
* Ex. /etc/password becomes password
*
* @param s
* @return the file name
*/
private static String getFileName(String s) {
String fileName = new File(s).getName();
if (fileName.contains("/")) {
fileName = fileName.substring(fileName.lastIndexOf("/"), fileName.length());
}
if (fileName.contains(".")) {
fileName = fileName.substring(0, fileName.indexOf("."));
}
return fileName;
}
/**
* Take a class name and return the equivalent file name
* <p>
* Ex. org.owasp.webgoat becomes org/owasp/webgoat.java
*
* @param className
* @return
*/
private static String getSourceFile(String className) {
StringBuilder sb = new StringBuilder();
sb.append(className.replace(".", "/"));
sb.append(".java");
return sb.toString();
}
/**
* Takes a file name and builds the class file name
*
* @param fileName Description of the Parameter
* @param path Description of the Parameter
* @return Description of the Return Value
*/
private static String getClassFile(String fileName, String path) {
String ext = ".class";
fileName = fileName.trim();
/**
* We do not handle directories. We do not handle files with different
* extensions
*/
if (fileName.endsWith("/") || !fileName.endsWith(ext)) {
return null;
}
// skip over plugins and/or extracted plugins
if (fileName.indexOf("lessons/plugin") >= 0 || fileName.indexOf("plugin_extracted") >= 0) {
return null;
}
// if the file is in /WEB-INF/classes strip the dir info off
int index = fileName.indexOf("/WEB-INF/classes/");
if (index != -1) {
fileName = fileName.substring(index + "/WEB-INF/classes/".length(), fileName.length() - ext.length());
fileName = fileName.replace('/', '.');
fileName = fileName.replace('\\', '.');
} else {
// Strip off the leading path info
fileName = fileName.substring(path.length(), fileName.length() - ext.length());
}
return fileName;
}
/**
* Load all of the filenames into a temporary cache
*
* @param context a {@link javax.servlet.ServletContext} object.
* @param path a {@link java.lang.String} object.
*/
public void loadFiles(ServletContext context, String path) {
log.debug("Loading files into cache, path: " + path);
Resource resource = new ClassPathResource("/");
//resource.get
Set resourcePaths = null;
if (resourcePaths == null) {
log.error("Unable to load file cache for courses, this is probably a bug or configuration issue");
return;
}
Iterator itr = resourcePaths.iterator();
while (itr.hasNext()) {
String file = (String) itr.next();
if (file.length() != 1 && file.endsWith("/")) {
loadFiles(context, file);
} else {
files.add(file);
}
}
}
/**
* Instantiate all the lesson objects into a cache
*
* @param path a {@link java.lang.String} object.
* @param context a {@link javax.servlet.ServletContext} object.
* @param webgoatContext a {@link org.owasp.webgoat.session.WebgoatContext} object.
* @param properties a {@link org.owasp.webgoat.session.WebgoatProperties} object.
* @return a {@link java.util.List} object.
*/
public List<AbstractLesson> loadLessons(WebgoatContext webgoatContext, ServletContext context, String path, WebgoatProperties properties) {
BeanDefinitionRegistry bdr = new SimpleBeanDefinitionRegistry();
ClassPathBeanDefinitionScanner s = new ClassPathBeanDefinitionScanner(bdr);
TypeFilter tf = new AssignableTypeFilter(AbstractLesson.class);
s.addIncludeFilter(tf);
s.setIncludeAnnotationConfig(false);
s.scan("org.owasp.webgoat.lessons.admin");
String[] beanDefinitionNames = bdr.getBeanDefinitionNames();
List<AbstractLesson> lessons = new LinkedList<AbstractLesson>();
for (String file : beanDefinitionNames) {
String className = bdr.getBeanDefinition(file).getBeanClassName();
try {
Class c = Class.forName(className);
Object o = c.newInstance();
if (o instanceof AbstractLesson) {
AbstractLesson lesson = (AbstractLesson) o;
lesson.setWebgoatContext(webgoatContext);
lesson.update(properties);
if (lesson.getHidden() == false) {
lessons.add(lesson);
}
}
} catch (Exception e) {
// Bruce says:
// I don't think we want to log the exception here. We could
// be potentially showing a lot of exceptions that don't matter.
// We would only care if the lesson extended AbstractLesson and we
// can't tell that because it threw the exception. Catch 22
// logger.error("Error in loadLessons: ", e);
}
}
loadResources(lessons);
return lessons;
}
private String getLanguageFromFileName(String first, String absoluteFile) {
int p1 = absoluteFile.indexOf("/", absoluteFile.indexOf(first) + 1);
int p2 = absoluteFile.indexOf("/", p1 + 1);
String langStr = absoluteFile.substring(p1 + 1, p2);
return langStr;
}
/**
* For each lesson, set the source file and lesson file
*
* @param lessons a {@link java.util.List} object.
*/
public void loadResources(List<AbstractLesson> lessons) {
for (AbstractLesson lesson : lessons) {
log.info("Loading resources for lesson -> " + lesson.getName());
String className = lesson.getClass().getName();
String classFile = getSourceFile(className);
log.info("Lesson classname: " + className);
log.info("Lesson java file: " + classFile);
for (String absoluteFile : files) {
String fileName = getFileName(absoluteFile);
//logger.debug("Course: looking at file: " + absoluteFile);
if (absoluteFile.endsWith(classFile)) {
log.info("Set source file for " + classFile);
lesson.setSourceFileName(absoluteFile);
}
if (absoluteFile.startsWith("/lesson_plans") && absoluteFile.endsWith(".html")
&& className.endsWith(fileName)) {
log.info("setting lesson plan file " + absoluteFile + " for lesson "
+ lesson.getClass().getName());
log.info("fileName: " + fileName + " == className: " + className);
String language = getLanguageFromFileName("/lesson_plans", absoluteFile);
lesson.setLessonPlanFileName(language, absoluteFile);
}
if (absoluteFile.startsWith("/lesson_solutions") && absoluteFile.endsWith(".html")
&& className.endsWith(fileName)) {
log.info("setting lesson solution file " + absoluteFile + " for lesson "
+ lesson.getClass().getName());
log.info("fileName: " + fileName + " == className: " + className);
lesson.setLessonSolutionFileName(absoluteFile);
}
}
}
}
}


@ -3,7 +3,7 @@ package org.owasp.webgoat.plugins;
import com.google.common.base.Optional;
import com.google.common.collect.Lists;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.LessonEndpoint;
import org.owasp.webgoat.lessons.AssignmentEndpoint;
import org.owasp.webgoat.lessons.NewLesson;
import org.springframework.util.StringUtils;
@ -28,9 +28,8 @@ public class Plugin {
private static final String NAME_LESSON_PLANS_DIRECTORY = "lessonPlans";
private PluginClassLoader classLoader;
private Class<AbstractLesson> lesson;
private Class<NewLesson> newLesson;
private List<Class<LessonEndpoint>> lessonEndpoints = Lists.newArrayList();
private List<Class<AssignmentEndpoint>> lessonEndpoints = Lists.newArrayList();
private Map<String, File> solutionLanguageFiles = new HashMap<>();
private Map<String, File> lessonPlansLanguageFiles = new HashMap<>();
private List<File> pluginFiles = Lists.newArrayList();
@ -40,7 +39,7 @@ public class Plugin {
this.classLoader = classLoader;
}
public List<Class<LessonEndpoint>> getLessonEndpoints() {
public List<Class<AssignmentEndpoint>> getLessonEndpoints() {
return this.lessonEndpoints;
}
@ -56,15 +55,10 @@ public class Plugin {
}
private void findLesson(String name) {
//Old code remove after we migrated the lessons
String realClassName = StringUtils.trimLeadingCharacter(name, '/').replaceAll("/", ".").replaceAll(".class", "");
try {
Class clazz = classLoader.loadClass(realClassName);
if (AbstractLesson.class.isAssignableFrom(clazz)) {
this.lesson = clazz;
}
if (NewLesson.class.isAssignableFrom(clazz)) {
this.newLesson = clazz;
}
@ -80,7 +74,7 @@ public class Plugin {
try {
Class clazz = classLoader.loadClass(realClassName);
if (LessonEndpoint.class.isAssignableFrom(clazz)) {
if (AssignmentEndpoint.class.isAssignableFrom(clazz)) {
this.lessonEndpoints.add(clazz);
}
} catch (ClassNotFoundException ce) {
@ -118,14 +112,11 @@ public class Plugin {
*/
public Optional<AbstractLesson> getLesson() {
try {
if (lesson != null) {
return Optional.of(lesson.newInstance());
}
if (newLesson != null) {
return Optional.of(newLesson.newInstance());
}
} catch (IllegalAccessException | InstantiationException e) {
throw new PluginLoadingFailure("Unable to instantiate the lesson " + lesson.getName(), e);
throw new PluginLoadingFailure("Unable to instantiate the lesson " + newLesson.getName(), e);
}
return Optional.absent();
}
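Review bot: `this.newLesson = clazz;` in findLesson assigns a raw `Class` to the `Class<NewLesson>` field without a checked conversion, so the type parameter is not enforced by the compiler even though the branch has just tested `NewLesson.class.isAssignableFrom(clazz)`; `this.newLesson = clazz.asSubclass(NewLesson.class);` makes the assignment checked and keeps `getLesson()`'s `newLesson.newInstance()` type-safe without an unchecked warning. The same applies to `this.lessonEndpoints.add(clazz);` in the following hunk, which adds a raw `Class` to a `List<Class<AssignmentEndpoint>>`. findLesson's try/catch ends outside the hunk.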


@ -3,8 +3,7 @@ package org.owasp.webgoat.plugins;
import com.google.common.collect.Lists;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.io.FileUtils;
import org.owasp.webgoat.util.LabelProvider;
import org.springframework.beans.factory.annotation.Autowired;
import org.owasp.webgoat.i18n.LabelProvider;
import org.springframework.util.ResourceUtils;
import java.io.File;
@ -43,7 +42,6 @@ public class PluginsLoader {
private final File pluginTargetDirectory;
private final PluginClassLoader classLoader;
@Autowired
public PluginsLoader(File pluginTargetDirectory, PluginClassLoader pluginClassLoader) {
this.classLoader = pluginClassLoader;
this.pluginTargetDirectory = pluginTargetDirectory;
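Review bot: Dropping `@Autowired` from the PluginsLoader constructor relies on Spring's implicit single-constructor injection, which only exists from Spring Framework 4.3 onward; on an older version the container would look for a no-arg constructor and fail to create the bean. The Spring version is not visible in this diff, so this is worth confirming against the build file before the annotation goes. The constructor body continues outside the hunk.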


@ -1,108 +0,0 @@
/**
* *************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
*
*/
package org.owasp.webgoat.service;
import java.io.PrintWriter;
import java.io.StringWriter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.owasp.webgoat.session.WebSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.ResponseStatus;
/**
* <p>Abstract BaseService class.</p>
*
* @author rlawson
* @version $Id: $Id
*/
@RequestMapping("/service")
public abstract class BaseService {
private static final Logger logger = LoggerFactory.getLogger(BaseService.class);
/**
* <p>handleException.</p>
*
* @param request a {@link javax.servlet.http.HttpServletRequest} object.
* @param ex a {@link java.lang.Exception} object.
* @return a {@link org.owasp.webgoat.service.ExceptionInfo} object.
*/
@ExceptionHandler(Exception.class)
@ResponseStatus(value = HttpStatus.I_AM_A_TEAPOT)
public @ResponseBody
ExceptionInfo handleException(HttpServletRequest request, Exception ex) {
String url = request.getRequestURL().toString();
logger.error("Exception handler for service caught exception when processing: " + url, ex);
ExceptionInfo response = new ExceptionInfo();
response.setUrl(url);
response.setMessage(getStringStackTrace(ex));
return response;
}
/**
* <p>getWebSession.</p>
*
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link org.owasp.webgoat.session.WebSession} object.
*/
public WebSession getWebSession(HttpSession session) {
WebSession ws;
Object o = session.getAttribute(WebSession.SESSION);
if (o == null) {
throw new IllegalArgumentException("No valid WebSession object found, has session timed out? [" + session.getId() + "]");
}
if (!(o instanceof WebSession)) {
throw new IllegalArgumentException("Invalid WebSession object found, this is probably a bug! [" + o.getClass() + " | " + session.getId() + "]");
}
ws = (WebSession) o;
return ws;
}
/**
* <p>getStringStackTrace.</p>
*
* @param t a {@link java.lang.Throwable} object.
* @return a {@link java.lang.String} object.
*/
public String getStringStackTrace(Throwable t){
StringWriter sw = new StringWriter();
PrintWriter pw = new PrintWriter(sw);
t.printStackTrace(pw);
return sw.toString();
}
}


@ -29,16 +29,13 @@
*/
package org.owasp.webgoat.service;
import org.owasp.webgoat.lessons.model.RequestParameter;
import org.owasp.webgoat.session.WebSession;
import com.google.common.collect.Lists;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.servlet.ModelAndView;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpSession;
import java.util.Collections;
import java.util.List;
/**
@ -48,7 +45,7 @@ import java.util.List;
* @version $Id: $Id
*/
@Controller
public class CookieService extends BaseService {
public class CookieService {
/**
* Returns cookies for last attack
@ -56,30 +53,11 @@ public class CookieService extends BaseService {
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link java.util.List} object.
*/
@RequestMapping(path = "/cookie.mvc", produces = "application/json")
@RequestMapping(path = "/service/cookie.mvc", produces = "application/json")
public @ResponseBody
List<Cookie> showCookies(HttpSession session) {
WebSession ws = getWebSession(session);
List<Cookie> cookies = ws.getCookiesOnLastRequest();
List<Cookie> showCookies() {
//// TODO: 11/6/2016 to be decided
List<Cookie> cookies = Lists.newArrayList();
return cookies;
}
/**
* Returns cookies and params for current lesson
*
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link org.springframework.web.servlet.ModelAndView} object.
*/
@RequestMapping(value = "/cookies_widget.mvc", produces = "text/html")
public ModelAndView showCookiesAndParamsAsHtml(HttpSession session) {
ModelAndView model = new ModelAndView();
WebSession ws = getWebSession(session);
List<Cookie> cookies = ws.getCookiesOnLastRequest();
List<RequestParameter> listParms = ws.getParmsOnLastRequest();
Collections.sort(listParms);
model.addObject("wgcookies", cookies);
model.addObject("wgparams", listParms);
model.setViewName("widgets/cookies_and_params");
return model;
}
}
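Review bot: With `extends BaseService` removed here and in the other `service` controllers below, the `@ExceptionHandler(Exception.class)` that BaseService supplied no longer covers these endpoints, and nothing in this diff replaces the deleted class with a `@ControllerAdvice`, so errors now fall through to Spring's default handling. The old handler wrote `getStringStackTrace(ex)` into the response body, which exposed internal stack traces to the client; a replacement advice should log the exception server-side and return only a generic message and status, so not reinstating the old behaviour verbatim is the better outcome. The Javadoc for `showCookies()` still documents `@param session` for a parameter the method no longer takes; the same stale `@param session` remains in HintService, LessonMenuService, LessonPlanService, LessonTitleService and ParameterService.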


@ -1,75 +0,0 @@
/***************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
*/
package org.owasp.webgoat.service;
/**
* <p>ExceptionInfo class.</p>
*
* @author rlawson
* @version $Id: $Id
*/
public class ExceptionInfo {
private String url;
private String message;
/**
* <p>Getter for the field <code>url</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getUrl() {
return url;
}
/**
* <p>Setter for the field <code>url</code>.</p>
*
* @param url a {@link java.lang.String} object.
*/
public void setUrl(String url) {
this.url = url;
}
/**
* <p>Getter for the field <code>message</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getMessage() {
return message;
}
/**
* <p>Setter for the field <code>message</code>.</p>
*
* @param message a {@link java.lang.String} object.
*/
public void setMessage(String message) {
this.message = message;
}
}


@ -5,17 +5,17 @@
*/
package org.owasp.webgoat.service;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpSession;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.model.Hint;
import org.owasp.webgoat.session.WebSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.servlet.ModelAndView;
import java.util.ArrayList;
import java.util.List;
import static java.util.stream.Collectors.toList;
/**
* <p>HintService class.</p>
@ -24,73 +24,43 @@ import org.springframework.web.servlet.ModelAndView;
* @version $Id: $Id
*/
@Controller
public class HintService extends BaseService {
public class HintService {
private final WebSession webSession;
public HintService(WebSession webSession) {
this.webSession = webSession;
}
/**
* Returns hints for current lesson
*
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link java.util.List} object.
*/
@RequestMapping(path = "/hint.mvc", produces = "application/json")
public @ResponseBody
List<Hint> showHint(HttpSession session) {
@RequestMapping(path = "/service/hint.mvc", produces = "application/json")
public
@ResponseBody
List<Hint> showHint() {
List<Hint> listHints = new ArrayList<Hint>();
WebSession ws = getWebSession(session);
AbstractLesson l = ws.getCurrentLesson();
AbstractLesson l = webSession.getCurrentLesson();
if (l == null) {
return listHints;
}
List<String> hints = (l.getCategory().equals(Category.CHALLENGE)) ? null : l.getHintsPublic(ws);
List<String> hints = l.getHints();
if (hints == null) {
return listHints;
}
int idx = 0;
for (String h : hints) {
Hint hint = new Hint();
hint.setHint(h);
hint.setLesson(l.getName());
hint.setNumber(idx);
listHints.add(hint);
idx++;
}
return listHints;
return hints.stream().map(h -> createHint(h, l.getName(), idx)).collect(toList());
}
/**
* <p>showHintsAsHtml.</p>
*
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link org.springframework.web.servlet.ModelAndView} object.
*/
@RequestMapping(value = "/hint_widget.mvc", produces = "text/html")
public
ModelAndView showHintsAsHtml(HttpSession session) {
ModelAndView model = new ModelAndView();
List<Hint> listHints = new ArrayList<Hint>();
model.addObject("hints", listHints);
WebSession ws = getWebSession(session);
AbstractLesson l = ws.getCurrentLesson();
if (l == null) {
return model;
}
List<String> hints;
hints = l.getHintsPublic(ws);
if (hints == null) {
return model;
}
int idx = 0;
for (String h : hints) {
Hint hint = new Hint();
hint.setHint(h);
hint.setLesson(l.getName());
hint.setNumber(idx);
listHints.add(hint);
idx++;
}
model.setViewName("widgets/hints");
return model;
private Hint createHint(String hintText, String lesson, int idx) {
Hint hint = new Hint();
hint.setHint(hintText);
hint.setLesson(lesson);
hint.setNumber(idx);
return hint;
}
}
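Review bot: `idx` is declared as `int idx = 0;` and is never incremented on the new side (the `idx++` went away with the loop), so `createHint(h, l.getName(), idx)` numbers every hint 0; replace the stream with `return IntStream.range(0, hints.size()).mapToObj(i -> createHint(hints.get(i), l.getName(), i)).collect(toList());` and drop `idx`. The removed ternary that returned no hints for `Category.CHALLENGE` lessons has no counterpart in the new `l.getHints()` call, so unless `getHints()` itself suppresses them, challenge hints are now served by this endpoint; worth confirming that is intended. `listHints` is now only used for the two empty early returns and can be replaced by `Collections.emptyList()`.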


@ -51,9 +51,9 @@ import java.util.Map;
* @version $Id: $Id
*/
@Controller
public class LabelDebugService extends BaseService {
public class LabelDebugService {
private static final String URL_DEBUG_LABELS_MVC = "/debug/labels.mvc";
private static final String URL_DEBUG_LABELS_MVC = "/service/debug/labels.mvc";
private static final String KEY_ENABLED = "enabled";
private static final String KEY_SUCCESS = "success";


@ -1,19 +1,10 @@
package org.owasp.webgoat.service;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.model.LessonInfoModel;
import org.owasp.webgoat.lessons.model.LessonMenuItem;
import org.owasp.webgoat.session.WebSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.ResponseStatus;
import javax.servlet.http.HttpSession;
@Controller
/**
@ -22,45 +13,23 @@ import javax.servlet.http.HttpSession;
* @author dm
* @version $Id: $Id
*/
public class LessonInfoService extends BaseService {
public class LessonInfoService {
private static final Logger logger = LoggerFactory.getLogger(LessonMenuService.class);
private final WebSession webSession;
public LessonInfoService(WebSession webSession) {
this.webSession = webSession;
}
/**
* <p>getLessonInfo.</p>
*
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link org.owasp.webgoat.lessons.model.LessonInfoModel} object.
*/
@RequestMapping(path = "/lessoninfo.mvc", produces = "application/json")
@RequestMapping(path = "/service/lessoninfo.mvc", produces = "application/json")
public @ResponseBody
LessonInfoModel getLessonInfo(HttpSession session) {
WebSession webSession = getWebSession(session);
LessonInfoModel getLessonInfo() {
return new LessonInfoModel(webSession);
}
/**
* <p>handleException.</p>
*
* @param ex a {@link java.lang.Exception} object.
* @return a {@link java.lang.String} object.
*/
@ExceptionHandler(Exception.class)
@ResponseBody
@ResponseStatus(value = HttpStatus.INTERNAL_SERVER_ERROR)
public String handleException(Exception ex) {
return "An error occurred retrieving the LessonInfoModel:" + ex.getMessage();
}
/**
* <p>getLessonInfoModel.</p>
*
* @param webSession a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link org.owasp.webgoat.lessons.model.LessonInfoModel} object.
*/
protected LessonInfoModel getLessonInfoModel(WebSession webSession) {
return new LessonInfoModel(webSession);
}
}
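Review bot: `LessonInfoService` now receives a `WebSession` through its constructor, but a `@Controller` is a singleton by default, so unless `WebSession` is registered as a session-scoped bean behind a scoped proxy, a single WebSession instance would be shared by every user and `getLessonInfo()` would report another user's current lesson. The WebSession bean definition is not part of this diff, so this needs checking where it is declared; the same injection pattern is used in HintService, LessonMenuService, LessonPlanService and LessonTitleService, and via `UserTracker` in LessonProgressService.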


@ -1,50 +1,49 @@
/**
* *************************************************************************************************
*
*
* <p>
* <p>
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* <p>
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* <p>
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* <p>
* Getting Source ==============
*
* <p>
* Source for this application is maintained at
* https://github.com/WebGoat/WebGoat, a repository for free software projects.
*
*/
package org.owasp.webgoat.service;
import lombok.AllArgsConstructor;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.RandomLessonAdapter;
import org.owasp.webgoat.lessons.model.LessonMenuItem;
import org.owasp.webgoat.lessons.model.LessonMenuItemType;
import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.LessonTracker;
import org.owasp.webgoat.session.UserTracker;
import org.owasp.webgoat.session.WebSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpSession;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
/**
* <p>LessonMenuService class.</p>
@ -53,23 +52,23 @@ import java.util.List;
* @version $Id: $Id
*/
@Controller
public class LessonMenuService extends BaseService {
@AllArgsConstructor
public class LessonMenuService {
private static final Logger logger = LoggerFactory.getLogger(LessonMenuService.class);
private final Course course;
private final UserTracker userTracker;
private final WebSession webSession;
/**
* Returns the lesson menu which is used to build the left nav
*
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link java.util.List} object.
*/
@RequestMapping(path = "/lessonmenu.mvc", produces = "application/json")
public @ResponseBody
List<LessonMenuItem> showLeftNav(HttpSession session) {
@RequestMapping(path = "/service/lessonmenu.mvc", produces = "application/json")
public
@ResponseBody
List<LessonMenuItem> showLeftNav() {
List<LessonMenuItem> menu = new ArrayList<LessonMenuItem>();
WebSession ws = getWebSession(session);
// Get the categories, these are the main menu items
Course course = ws.getCourse();
List<Category> categories = course.getCategories();
for (Category category : categories) {
@ -77,41 +76,15 @@ public class LessonMenuService extends BaseService {
categoryItem.setName(category.getName());
categoryItem.setType(LessonMenuItemType.CATEGORY);
// check for any lessons for this category
List<AbstractLesson> lessons = ws.getLessons(category);
String role = ws.getRole();
logger.info("Role: " + role);
List<AbstractLesson> lessons = course.getLessons(category);
for (AbstractLesson lesson : lessons) {
LessonMenuItem lessonItem = new LessonMenuItem();
lessonItem.setName(lesson.getTitle());
lessonItem.setLink(lesson.getLink());
lessonItem.setType(LessonMenuItemType.LESSON);
if (lesson.isCompleted(ws)) {
lessonItem.setComplete(true);
}
Optional<LessonTracker> lessonTracker = userTracker.getLessonTracker(lesson);
lessonItem.setComplete(lessonTracker.isPresent() ? lessonTracker.get().getCompleted() : false);
categoryItem.addChild(lessonItem);
// Does the lesson have stages
if (lesson instanceof RandomLessonAdapter) {
RandomLessonAdapter rla = (RandomLessonAdapter) lesson;
String[] stages = rla.getStages();
if (stages != null) {
String lessonLink = lesson.getLink();
int stageIdx = 1;
for (String stage : stages) {
LessonMenuItem stageItem = new LessonMenuItem();
stageItem.setName("Stage " + stageIdx + ": " + stage);
// build the link for the stage
String stageLink = lessonLink + "/" + stageIdx;
stageItem.setLink(stageLink);
stageItem.setType(LessonMenuItemType.STAGE);
if (rla.isStageComplete(ws, stage)) {
stageItem.setComplete(true);
}
lessonItem.addChild(stageItem);
stageIdx++;
}
}
}
}
menu.add(categoryItem);
}
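Review bot: `lessonItem.setComplete(lessonTracker.isPresent() ? lessonTracker.get().getCompleted() : false);` reads better as `lessonItem.setComplete(lessonTracker.map(LessonTracker::getCompleted).orElse(false));`, which avoids the explicit `Optional.get()`. The `webSession` field added through `@AllArgsConstructor` is not referenced in the visible hunks now that `ws` has been replaced by `course` and `userTracker`; if it is also unused in the rest of the class it can be dropped. `showLeftNav` continues past the end of the hunk.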


@ -29,15 +29,11 @@
*/
package org.owasp.webgoat.service;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.WebSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpSession;
/**
* <p>LessonPlanService class.</p>
*
@ -45,42 +41,33 @@ import javax.servlet.http.HttpSession;
* @version $Id: $Id
*/
@Controller
public class LessonPlanService extends BaseService {
//TODO remove
public class LessonPlanService {
private final WebSession webSession;
public LessonPlanService(WebSession webSession) {
this.webSession = webSession;
}
/**
* Returns source for current attack
*
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link java.lang.String} object.
*/
@RequestMapping(path = "/lessonplan.mvc", produces = "application/html")
@RequestMapping(path = "/service/lessonplan.mvc", produces = "application/html")
public @ResponseBody
String showPlan(HttpSession session) {
WebSession ws = getWebSession(session);
String plan = getPlan(ws);
String showPlan() {
String plan = getPlan();
return plan;
}
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected String getPlan(WebSession s) {
String plan = null;
int scr = s.getCurrentScreen();
Course course = s.getCourse();
if (s.isUser() || s.isAdmin()) {
AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
if (lesson != null) {
plan = lesson.getLessonPlan(s);
}
}
if (plan == null) {
plan = "Plan is not available for this lesson.";
}
return plan;
protected String getPlan() {
return "Plan is not available for this lesson.";
}
}
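Review bot: `produces = "application/html"` on the `/service/lessonplan.mvc` mapping is not a registered media type; browsers and Spring's content negotiation expect `text/html`, i.e. `produces = MediaType.TEXT_HTML_VALUE`, and the same value is used on `/service/lessontitle.mvc` in LessonTitleService. The `webSession` injected through the new constructor is not used in the visible class body now that `getPlan()` returns a fixed string, so together with the `//TODO remove` above the class the field looks like leftover scaffolding.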


@ -1,51 +1,41 @@
package org.owasp.webgoat.service;
import com.google.common.collect.Maps;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.RandomLessonAdapter;
import lombok.AllArgsConstructor;
import org.owasp.webgoat.i18n.LabelManager;
import org.owasp.webgoat.lessons.model.LessonInfoModel;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.LabelManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.owasp.webgoat.session.LessonTracker;
import org.owasp.webgoat.session.UserTracker;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpSession;
import java.util.Map;
@Controller
/**
* <p>LessonProgressService class.</p>
*
* @author webgoat
*/
public class LessonProgressService extends BaseService {
@Controller
@AllArgsConstructor
public class LessonProgressService {
private static final Logger logger = LoggerFactory.getLogger(LessonMenuService.class);
private LabelManager labelManager;
@Autowired
public LessonProgressService(final LabelManager labelManager) {
this.labelManager = labelManager;
}
private UserTracker userTracker;
/**
* <p>LessonProgressService.</p>
*
* @param session a {@link HttpSession} object.
* @return a {@link LessonInfoModel} object.
*/
@RequestMapping(value = "/lessonprogress.mvc", produces = "application/json")
@RequestMapping(value = "/service/lessonprogress.mvc", produces = "application/json")
@ResponseBody
public Map getLessonInfo(HttpSession session) {
WebSession webSession = getWebSession(session);
AbstractLesson lesson = webSession.getCurrentLesson();
boolean lessonCompleted = lesson.isCompleted(webSession);
String successMessage = lesson instanceof RandomLessonAdapter ? "Congratulations, you have completed this lab" : labelManager
.get("LessonCompleted");
public Map getLessonInfo() {
LessonTracker lessonTracker = userTracker.getCurrentLessonTracker();
boolean lessonCompleted = lessonTracker.getCompleted();
String successMessage = labelManager.get("LessonCompleted");
Map json = Maps.newHashMap();
json.put("lessonCompleted", lessonCompleted);
json.put("successMessage", successMessage);


@ -1,46 +1,38 @@
package org.owasp.webgoat.service;
import javax.servlet.http.HttpSession;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.WebSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
@Controller
/**
* <p>LessonTitleService class.</p>
*
* @version $Id: $Id
* @author dm
* @version $Id: $Id
*/
public class LessonTitleService extends BaseService {
@Controller
public class LessonTitleService {
private final WebSession webSession;
public LessonTitleService(final WebSession webSession) {
this.webSession = webSession;
}
/**
* Returns the title for the current attack
*
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link java.lang.String} object.
*/
@RequestMapping(path = "/lessontitle.mvc", produces = "application/html")
public @ResponseBody
String showPlan(HttpSession session) {
WebSession ws = getWebSession(session);
return getLessonTitle(ws);
}
private String getLessonTitle(WebSession s) {
String title = "";
int scr = s.getCurrentScreen();
Course course = s.getCourse();
if (s.isUser() || s.isChallenge()) {
AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
title = lesson != null ? lesson.getTitle() : "";
}
return title;
@RequestMapping(path = "/service/lessontitle.mvc", produces = "application/html")
public
@ResponseBody
String showPlan() {
AbstractLesson lesson = webSession.getCurrentLesson();
return lesson != null ? lesson.getTitle() : "";
}
}
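Review bot: The rewritten `showPlan()` returns the title of `webSession.getCurrentLesson()`, so the method name no longer describes what the endpoint does; renaming it `showTitle()` leaves the `/service/lessontitle.mvc` mapping unchanged and makes the controller easier to read. Its Javadoc summary "Returns the title for the current attack" already matches the new behaviour, so only the method name is out of step.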


@ -29,18 +29,16 @@
*/
package org.owasp.webgoat.service;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.servlet.http.HttpSession;
import com.google.common.collect.Lists;
import org.owasp.webgoat.lessons.model.RequestParameter;
import org.owasp.webgoat.session.WebSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpSession;
import java.util.Collections;
import java.util.List;
/**
* <p>ParameterService class.</p>
*
@ -48,9 +46,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
* @version $Id: $Id
*/
@Controller
public class ParameterService extends BaseService {
final Logger logger = LoggerFactory.getLogger(ParameterService.class);
public class ParameterService {
/**
* Returns request parameters for last attack
@ -58,11 +54,11 @@ public class ParameterService extends BaseService {
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link java.util.List} object.
*/
@RequestMapping(path = "/parameter.mvc", produces = "application/json")
@RequestMapping(path = "/service/parameter.mvc", produces = "application/json")
public @ResponseBody
List<RequestParameter> showParameters(HttpSession session) {
WebSession ws = getWebSession(session);
List<RequestParameter> listParms = ws.getParmsOnLastRequest();
//// TODO: 11/6/2016 to decide not sure about the role in WebGoat 8
List<RequestParameter> listParms = Lists.newArrayList();
Collections.sort(listParms);
return listParms;
}
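Review bot: `showParameters` now discards the session and unconditionally returns an empty list (`List<RequestParameter> listParms = Lists.newArrayList();`), so `/service/parameter.mvc` silently reports "no parameters" while its Javadoc still promises the request parameters of the last attack. If the feature is intentionally parked for WebGoat 8, say so where a caller will see it rather than in a TODO: either drop the mapping until `WebSession` exposes the data again, or add to the Javadoc `* NOTE: stub — last-request parameters are not tracked yet, always returns an empty list.` The now-unused `HttpSession session` parameter and the `java.util.ArrayList` import can be removed, and `Collections.sort` on a freshly created empty list is a no-op that only obscures the stub.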


@ -29,9 +29,6 @@
*/
package org.owasp.webgoat.service;
import org.owasp.webgoat.session.WebSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
@ -50,9 +47,7 @@ import java.util.Map;
* @version $Id: $Id
*/
@Controller
public class PluginReloadService extends BaseService {
private static final Logger logger = LoggerFactory.getLogger(PluginReloadService.class);
public class PluginReloadService {
/**
* Reload all the plugins
@ -60,17 +55,17 @@ public class PluginReloadService extends BaseService {
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link org.springframework.http.ResponseEntity} object.
*/
@RequestMapping(path = "/reloadplugins.mvc", produces = MediaType.APPLICATION_JSON_VALUE)
@RequestMapping(path = "/service/reloadplugins.mvc", produces = MediaType.APPLICATION_JSON_VALUE)
public @ResponseBody
ResponseEntity<Map<String, Object>> reloadPlugins(HttpSession session) {
WebSession webSession = (WebSession) session.getAttribute(WebSession.SESSION);
logger.debug("Loading plugins into cache");
String pluginPath = session.getServletContext().getRealPath("plugin_lessons");
String targetPath = session.getServletContext().getRealPath("plugin_extracted");
//TODO fix me
//new PluginsLoader(Paths.get(pluginPath), Paths.get(targetPath)).copyJars();
//webSession.getCourse().loadLessonFromPlugin();
// WebSession webSession = (WebSession) session.getAttribute(WebSession.SESSION);
//
// logger.debug("Loading plugins into cache");
// String pluginPath = session.getServletContext().getRealPath("plugin_lessons");
// String targetPath = session.getServletContext().getRealPath("plugin_extracted");
// //TODO fix me
// //new PluginsLoader(Paths.get(pluginPath), Paths.get(targetPath)).copyJars();
// //webSession.getCourse().createLessonsFromPlugins();
Map<String, Object> result = new HashMap<String, Object>();
result.put("success", true);
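Review bot: `reloadPlugins` is now a no-op that still answers `"success": true` on `/service/reloadplugins.mvc` — the entire body is commented out and only the result map is built, so a caller cannot tell that nothing was reloaded and the Javadoc `Reload all the plugins` is no longer true. Delete the commented-out block (it lives in git history) and either remove the mapping or report the stub honestly, e.g. `result.put("success", false);` followed by `return new ResponseEntity<>(result, HttpStatus.NOT_IMPLEMENTED);`. The `HttpSession session` parameter is unused now as well. The method's return statement lies outside this hunk.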


@ -1,32 +1,31 @@
/***************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* <p>
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* <p>
* Getting Source ==============
*
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
*/
package org.owasp.webgoat.service;
import javax.servlet.http.HttpSession;
import lombok.AllArgsConstructor;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.session.UserTracker;
import org.owasp.webgoat.session.WebSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
@ -39,22 +38,25 @@ import org.springframework.web.bind.annotation.ResponseBody;
* @version $Id: $Id
*/
@Controller
public class RestartLessonService extends BaseService {
@AllArgsConstructor
public class RestartLessonService {
private final WebSession webSession;
private final UserTracker userTracker;
/**
* Returns current lesson
*
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link java.lang.String} object.
*/
@RequestMapping(path = "/restartlesson.mvc", produces = "text/text")
public @ResponseBody
String restartLesson(HttpSession session) {
WebSession ws = getWebSession(session);
int currentScreen = ws.getCurrentScreen();
if(currentScreen > 0){
ws.restartLesson(currentScreen);
}
return ws.getCurrentLesson().getLink();
@RequestMapping(path = "/service/restartlesson.mvc", produces = "text/text")
public
@ResponseBody
String restartLesson() {
AbstractLesson al = webSession.getCurrentLesson();
System.out.println("Restarting lesson: " + al);
userTracker.getCurrentLessonTracker().setCompleted(false);
return webSession.getCurrentLesson().getLink();
}
}
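Review bot: `restartLesson` no longer guards against a missing current lesson — the old `currentScreen > 0` check is gone, `webSession.getCurrentLesson()` is looked up twice, and `.getLink()` on the second lookup throws a NullPointerException when no lesson is selected yet. Fetch the lesson once and return early when it is null, as below. `System.out.println("Restarting lesson: " + al)` should become an SLF4J call (`@Slf4j` on the class, as `Course` does in this same commit) instead of writing to stdout. It is also worth confirming that flipping `setCompleted(false)` is all a restart needs, since the removed `ws.restartLesson(currentScreen)` may have reset more per-lesson state than the completed flag.
```java
String restartLesson() {
    AbstractLesson al = webSession.getCurrentLesson();
    if (al == null) {
        return "";
    }
    log.debug("Restarting lesson: {}", al);
    userTracker.getCurrentLessonTracker().setCompleted(false);
    return al.getLink();
}
```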


@ -5,16 +5,17 @@
*/
package org.owasp.webgoat.service;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
/**
* <p>SessionService class.</p>
@ -23,7 +24,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
* @version $Id: $Id
*/
@Controller
public class SessionService extends BaseService {
public class SessionService {
/**
* Returns hints for current lesson
@ -32,7 +33,7 @@ public class SessionService extends BaseService {
* @param request a {@link javax.servlet.http.HttpServletRequest} object.
* @return a {@link java.lang.String} object.
*/
@RequestMapping(path = "/session.mvc", produces = "application/json")
@RequestMapping(path = "/service/session.mvc", produces = "application/json")
public @ResponseBody
String showSession(HttpServletRequest request, HttpSession session) {
StringBuilder sb = new StringBuilder();
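Review bot: The Javadoc above `showSession` still reads `Returns hints for current lesson`, which does not describe a method named `showSession` that takes the request and the `HttpSession`; the commit rewrites the mapping to `/service/session.mvc` but leaves the description wrong. Replace the first sentence with a one-line summary of what the method actually emits, e.g. `* Renders information about the current HTTP session as a JSON string.`, adjusted to the real body, which continues outside this hunk. If that body does serialize session attributes, make sure this endpoint stays behind the same authentication as the other `/service/**` routes — that cannot be confirmed from this diff.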


@ -1,43 +1,37 @@
/**
* *************************************************************************************************
*
*
* <p>
* <p>
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* <p>
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* <p>
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* <p>
* Getting Source ==============
*
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
*
*/
package org.owasp.webgoat.service;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.WebSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpSession;
/**
* <p>SolutionService class.</p>
*
@ -45,42 +39,28 @@ import javax.servlet.http.HttpSession;
* @version $Id: $Id
*/
@Controller
public class SolutionService extends BaseService {
public class SolutionService {
/**
* Returns solution for current attack
*
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link java.lang.String} object.
*/
@RequestMapping(path = "/solution.mvc", produces = "text/html")
public @ResponseBody
String showSolution(HttpSession session) {
WebSession ws = getWebSession(session);
String source = getSolution(ws);
@RequestMapping(path = "/service/solution.mvc", produces = "text/html")
public
@ResponseBody
String showSolution() {
//// TODO: 11/6/2016 to decide not sure about the role in WebGoat 8
String source = getSolution();
return source;
}
/**
* <p>getSolution.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link java.lang.String} object.
*/
protected String getSolution(WebSession s) {
String source = null;
int scr = s.getCurrentScreen();
Course course = s.getCourse();
if (s.isUser() || s.isAdmin()) {
AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
if (lesson != null) {
source = lesson.getSolution(s);
}
}
if (source == null) {
return "Solution is not available. Contact " + s.getWebgoatContext().getFeedbackAddressHTML();
}
return source;
protected String getSolution() {
return "Solution is not available";
}
}
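Review bot: `getSolution()` now returns the fixed string `Solution is not available` unconditionally, and with it the `s.isUser() || s.isAdmin()` gate that decided whether a solution may be shown is gone while `/service/solution.mvc` still serves the result as `text/html`. That is acceptable for a stub, but the authorization check must come back together with the lesson lookup rather than be rediscovered later; a marker such as `// TODO(webgoat8): restore the per-lesson authorization check removed with the WebSession roles before returning real solutions` on `getSolution()` keeps that visible. The `WebSession` and `Course` imports are now unused, and the Javadoc `@param session` on `showSolution` describes a parameter the method no longer has. Since no subclass uses the hook any more, the stub can be `private` instead of `protected`.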


@ -1,38 +1,34 @@
/**
* *************************************************************************************************
*
*
* <p>
* <p>
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* <p>
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* <p>
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* <p>
* Getting Source ==============
*
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
*
*/
package org.owasp.webgoat.service;
import org.apache.commons.lang3.StringEscapeUtils;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.WebSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
@ -46,7 +42,8 @@ import javax.servlet.http.HttpSession;
* @version $Id: $Id
*/
@Controller
public class SourceService extends BaseService {
//TODO REMOVE!
public class SourceService {
/**
* Description of the Field
@ -62,11 +59,12 @@ public class SourceService extends BaseService {
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link java.lang.String} object.
*/
@RequestMapping(path = "/source.mvc", produces = "application/text")
public @ResponseBody
@RequestMapping(path = "/service/source.mvc", produces = "application/text")
public
@ResponseBody
String showSource(HttpSession session) {
WebSession ws = getWebSession(session);
String source = getSource(ws);
//// TODO: 11/6/2016 to decide not sure about the role in WebGoat 8
String source = getSource();
if (source == null) {
source = "No source listing found";
}
@ -76,24 +74,9 @@ public class SourceService extends BaseService {
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected String getSource(WebSession s) {
String source = null;
int scr = s.getCurrentScreen();
Course course = s.getCourse();
if (s.isUser() || s.isAdmin()) {
AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
if (lesson != null) {
source = lesson.getRawSource(s);
}
}
if (source == null) {
return "Source code is not available for this lesson.";
}
return source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP,
"Code Section Deliberately Omitted");
protected String getSource() {
return "Source code is not available for this lesson.";
}
}
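Review bot: Dropping `getSource(WebSession)` also dropped the `replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP, "Code Section Deliberately Omitted")` redaction, so nothing in the new class strips deliberately-omitted sections if lesson source is served again, even though `/service/source.mvc` is still mapped and the class is only marked `//TODO REMOVE!`. Either remove the mapping now, or keep the redaction in the stub path with a comment saying why it must stay, so the next person to wire up real source does not ship unredacted listings. The `session` parameter of `showSource`, its Javadoc `@param session`, and the `Course`/`WebSession` imports are now unused. While the `@RequestMapping` line is being touched, `produces = "application/text"` is not a registered media type; `text/plain` is the conventional one.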


@ -1,73 +0,0 @@
package org.owasp.webgoat.session;
import java.util.Hashtable;
import java.util.Map;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* * @version $Id: $Id
*
* @author dm
* @version $Id: $Id
*/
public class Authorization
{
Map<Integer, Integer> permissions = new Hashtable<Integer, Integer>();
/**
* <p>Constructor for Authorization.</p>
*/
public Authorization()
{
}
/**
* <p>setPermission.</p>
*
* @param userId a int.
* @param functionId a int.
*/
public void setPermission(int userId, int functionId)
{
permissions.put(new Integer(userId), new Integer(functionId));
}
/**
* <p>isAllowed.</p>
*
* @param userId a int.
* @param functionId a int.
* @return a boolean.
*/
public boolean isAllowed(int userId, int functionId)
{
return (permissions.get(new Integer(userId)) != null);
}
}


@ -1,156 +1,58 @@
package org.owasp.webgoat.session;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.plugins.LegacyLoader;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.plugins.Plugin;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.servlet.ServletContext;
import java.io.File;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import static java.util.stream.Collectors.toList;
/**
*************************************************************************************************
*
*
* ************************************************************************************************
* <p>
* <p>
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* <p>
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* <p>
* Getting Source ==============
*
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @since October 28, 2003
* @version $Id: $Id
* @since October 28, 2003
*/
@Slf4j
public class Course {
final Logger logger = LoggerFactory.getLogger(Course.class);
private List<AbstractLesson> lessons = new LinkedList<>();
private WebgoatProperties properties = null;
private WebgoatContext webgoatContext;
/**
* <p>Constructor for Course.</p>
*/
public Course(WebgoatProperties properties) {
this.properties = properties;
}
/**
* Take an absolute file and return the filename.
*
* Ex. /etc/password becomes password
*
* @param s
* @return the file name
*/
private static String getFileName(String s) {
String fileName = new File(s).getName();
if (fileName.contains("/")) {
fileName = fileName.substring(fileName.lastIndexOf("/"), fileName.length());
}
if (fileName.contains(".")) {
fileName = fileName.substring(0, fileName.indexOf("."));
}
return fileName;
}
/**
* Take a class name and return the equivalent file name
*
* Ex. org.owasp.webgoat becomes org/owasp/webgoat.java
*
* @param className
* @return
*/
private static String getSourceFile(String className) {
StringBuilder sb = new StringBuilder();
sb.append(className.replace(".", "/"));
sb.append(".java");
return sb.toString();
}
/**
* Takes a file name and builds the class file name
*
* @param fileName Description of the Parameter
* @param path Description of the Parameter
* @return Description of the Return Value
*/
private static String getClassFile(String fileName, String path) {
String ext = ".class";
fileName = fileName.trim();
/**
* We do not handle directories. We do not handle files with different
* extensions
*/
if (fileName.endsWith("/") || !fileName.endsWith(ext)) {
return null;
}
// if the file is in /WEB-INF/classes strip the dir info off
int index = fileName.indexOf("/WEB-INF/classes/");
if (index != -1) {
fileName = fileName.substring(index + "/WEB-INF/classes/".length(), fileName.length() - ext.length());
fileName = fileName.replace('/', '.');
fileName = fileName.replace('\\', '.');
} else {
// Strip off the leading path info
fileName = fileName.substring(path.length(), fileName.length() - ext.length());
}
return fileName;
}
/**
* Gets the categories attribute of the Course object
*
* @return The categories value
*/
public List getCategories() {
List<Category> categories = new ArrayList<Category>();
for (AbstractLesson lesson : lessons) {
if (!categories.contains(lesson.getCategory())) {
categories.add(lesson.getCategory());
}
}
Collections.sort(categories);
return categories;
public List<Category> getCategories() {
return lessons.parallelStream().map(l -> l.getCategory()).distinct().sorted().collect(toList());
}
/**
@ -159,148 +61,28 @@ public class Course {
* @return The firstLesson value
*/
public AbstractLesson getFirstLesson() {
List<String> roles = new ArrayList<String>();
roles.add(AbstractLesson.USER_ROLE);
// Category 0 is the admin function. We want the first real category
// to be returned. This is normally the General category and the Http Basics lesson
return ((AbstractLesson) getLessons((Category) getCategories().get(0), roles).get(0));
}
/**
* Gets the lesson attribute of the Course object
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param lessonId Description of the Parameter
* @param roles a {@link java.util.List} object.
* @return The lesson value
*/
public AbstractLesson getLesson(WebSession s, int lessonId, List<String> roles) {
if (s.isHackedAdmin()) {
roles.add(AbstractLesson.HACKED_ADMIN_ROLE);
}
// System.out.println("getLesson() with roles: " + roles);
Iterator<AbstractLesson> iter = lessons.iterator();
while (iter.hasNext()) {
AbstractLesson lesson = iter.next();
if (lesson.getScreenId() == lessonId && roles.contains(lesson.getRole())) {
return lesson;
}
}
return null;
}
/**
* <p>getLesson.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param lessonId a int.
* @param role a {@link java.lang.String} object.
* @return a {@link org.owasp.webgoat.lessons.AbstractLesson} object.
*/
public AbstractLesson getLesson(WebSession s, int lessonId, String role) {
List<String> roles = new ArrayList<String>();
roles.add(role);
return getLesson(s, lessonId, roles);
return getLessons(getCategories().get(0)).get(0);
}
/**
* <p>Getter for the field <code>lessons</code>.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param role a {@link java.lang.String} object.
* @return a {@link java.util.List} object.
*/
public List<AbstractLesson> getLessons(WebSession s, String role) {
List<String> roles = new ArrayList<String>();
roles.add(role);
return getLessons(s, roles);
}
/**
* Gets the lessons attribute of the Course object
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param roles a {@link java.util.List} object.
* @return The lessons value
*/
public List<AbstractLesson> getLessons(WebSession s, List<String> roles) {
if (s.isHackedAdmin()) {
roles.add(AbstractLesson.HACKED_ADMIN_ROLE);
}
List<AbstractLesson> lessonList = new ArrayList<AbstractLesson>();
Iterator categoryIter = getCategories().iterator();
while (categoryIter.hasNext()) {
lessonList.addAll(getLessons(s, (Category) categoryIter.next(), roles));
}
return lessonList;
}
/**
* Gets the lessons attribute of the Course object
*
* @param category Description of the Parameter
* @param roles Description of the Parameter
* @return The lessons value
*/
private List<AbstractLesson> getLessons(Category category, List roles) {
List<AbstractLesson> lessonList = new ArrayList<AbstractLesson>();
for (AbstractLesson lesson : lessons) {
if (lesson.getCategory().equals(category) && roles.contains(lesson.getRole())) {
lessonList.add(lesson);
}
}
Collections.sort(lessonList);
return lessonList;
public List<AbstractLesson> getLessons() {
return this.lessons;
}
/**
* <p>Getter for the field <code>lessons</code>.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param category a {@link org.owasp.webgoat.lessons.Category} object.
* @param role a {@link java.lang.String} object.
* @return a {@link java.util.List} object.
*/
public List getLessons(WebSession s, Category category, String role) {
List<String> roles = new ArrayList<String>();
roles.add(role);
return getLessons(s, category, roles);
}
/**
* <p>Getter for the field <code>lessons</code>.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param category a {@link org.owasp.webgoat.lessons.Category} object.
* @param roles a {@link java.util.List} object.
* @return a {@link java.util.List} object.
*/
public List<AbstractLesson> getLessons(WebSession s, Category category, List<String> roles) {
if (s.isHackedAdmin()) {
roles.add(AbstractLesson.HACKED_ADMIN_ROLE);
}
return getLessons(category, roles);
}
/**
* <p>getLesson.</p>
*
* @param lessonId a int.
* @return a {@link org.owasp.webgoat.lessons.AbstractLesson} object.
*/
public AbstractLesson getLesson(int lessonId) {
for (AbstractLesson l : lessons) {
if (l.getScreenId() == lessonId) {
return l;
}
}
return null;
public List<AbstractLesson> getLessons(Category category) {
return this.lessons.stream().filter(l -> l.getCategory() == category).collect(toList());
}
public void setLessons(List<AbstractLesson> lessons) {
@ -308,44 +90,17 @@ public class Course {
}
/**
* <p>loadLessonFromPlugin.</p>
* <p>createLessonsFromPlugins.</p>
*/
public void loadLessonFromPlugin(List<Plugin> plugins) {
public void createLessonsFromPlugins(List<Plugin> plugins) {
for (Plugin plugin : plugins) {
try {
AbstractLesson lesson = plugin.getLesson().get();
lesson.setWebgoatContext(webgoatContext);
lesson.update(properties);
if (!lesson.getHidden()) {
lessons.add(lesson);
}
for(Map.Entry<String, File> lessonPlan : plugin.getLessonPlans().entrySet()) {
lesson.setLessonPlanFileName(lessonPlan.getKey(), lessonPlan.getValue().toString());
}
if (plugin.getLessonSolution("en").isPresent()) {
lesson.setLessonSolutionFileName(plugin.getLessonSolution("en").get().toString());
}
if (plugin.getLessonSource().isPresent()) {
lesson.setSourceFileName(plugin.getLessonSource().get().toString());
}
NewLesson lesson = (NewLesson) plugin.getLesson().get();
lesson.setTotalNumberOfAssignments(plugin.getLessonEndpoints().size());
lessons.add(lesson);
} catch (Exception e) {
logger.error("Error in loadLessons: ", e);
log.error("Error in loadLessons: ", e);
}
}
}
/**
* Description of the Method
*
* @param webgoatContext a {@link org.owasp.webgoat.session.WebgoatContext} object.
* @param path Description of the Parameter
* @param context Description of the Parameter
*/
public void loadCourses(WebgoatContext webgoatContext, ServletContext context, String path) {
logger.info("Loading courses: " + path);
this.webgoatContext = webgoatContext;
LegacyLoader loader = new LegacyLoader();
lessons.addAll(loader.loadLessons(webgoatContext, context, path, properties));
}
}
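Review bot: `getLessons(Category)` switched from `lesson.getCategory().equals(category)` to `l.getCategory() == category`; unless `Category` is an enum (the removed code sorted it and compared with `contains`/`equals`, which suggests a class), identity comparison will miss lessons whose category is an equal-but-distinct instance — keep `.equals(category)` unless enum-ness is guaranteed. `createLessonsFromPlugins` also no longer honours `lesson.getHidden()`, so hidden lessons are now listed; if that is intended, say so in the method Javadoc, otherwise re-add the filter. Two smaller points: `getLessons()` hands out the internal mutable list (wrap it with `Collections.unmodifiableList(lessons)`), and `parallelStream()` over a small `LinkedList` in `getCategories()` buys nothing over `stream()`. The unchecked `Optional.get()` plus the `(NewLesson)` cast are only rescued by the broad `catch (Exception e)`; checking `isPresent()` and logging the plugin name before casting would make a malformed plugin easier to diagnose.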


@ -4,7 +4,6 @@ package org.owasp.webgoat.session;
import java.sql.Connection;
import java.sql.SQLException;
import java.sql.Statement;
import org.owasp.webgoat.lessons.AbstractLesson;
/**
@ -759,16 +758,16 @@ public class CreateDB
String insertData25_1 = "INSERT INTO auth VALUES('admin', 'SearchStaff')";
String insertData25_2 = "INSERT INTO auth VALUES('admin', 'FindProfile')";
// Add a permission for the webgoat role to see the source.
// The challenge(s) will change the default role to "challenge"
String insertData26 = "INSERT INTO auth VALUES('" + AbstractLesson.USER_ROLE + "','" + WebSession.SHOWSOURCE
+ "')";
String insertData27 = "INSERT INTO auth VALUES('" + AbstractLesson.USER_ROLE + "','" + WebSession.SHOWHINTS
+ "')";
// // Add a permission for the webgoat role to see the source.
// // The challenge(s) will change the default role to "challenge"
// String insertData26 = "INSERT INTO auth VALUES('" + AbstractLesson.USER_ROLE + "','" + WebSession.SHOWSOURCE
// + "')";
// String insertData27 = "INSERT INTO auth VALUES('" + AbstractLesson.USER_ROLE + "','" + WebSession.SHOWHINTS
// + "')";
// Add a permission for the webgoat role to see the solution.
// The challenge(s) will change the default role to "challenge"
String insertData28 = "INSERT INTO auth VALUES('" + AbstractLesson.USER_ROLE + "','" + WebSession.SHOWSOLUTION
+ "')";
// String insertData28 = "INSERT INTO auth VALUES('" + AbstractLesson.USER_ROLE + "','" + WebSession.SHOWSOLUTION
// + "')";
statement.executeUpdate(insertData1);
statement.executeUpdate(insertData2);
@ -803,9 +802,9 @@ public class CreateDB
statement.executeUpdate(insertData25);
statement.executeUpdate(insertData25_1);
statement.executeUpdate(insertData25_2);
statement.executeUpdate(insertData26);
statement.executeUpdate(insertData27);
statement.executeUpdate(insertData28);
//statement.executeUpdate(insertData26);
//statement.executeUpdate(insertData27);
//statement.executeUpdate(insertData28);
}
private void createOwnershipTable(Connection connection) throws SQLException
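Review bot: The three `auth` inserts for `SHOWSOURCE`/`SHOWHINTS`/`SHOWSOLUTION` are commented out rather than deleted, and the commented text still references `AbstractLesson.USER_ROLE` whose import this commit removes, so the block can never simply be uncommented again. Delete the `insertData26`–`insertData28` declarations and the three `//statement.executeUpdate(...)` lines; the history is in git. Separately, anything that still queries the `auth` table for those function names will now find no permission rows for the `webgoat` role — a silent behaviour change rather than a compile error, so worth a grep for `WebSession.SHOWSOURCE` and friends before merge.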


@ -1,17 +1,8 @@
package org.owasp.webgoat.session;
import org.apache.ecs.MultiPartElement;
import org.apache.ecs.html.B;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import java.io.IOException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
import java.sql.SQLException;
import java.util.HashMap;
import java.util.Map;
@ -132,73 +123,5 @@ public class DatabaseUtilities
String url = context.getDatabaseConnectionString().replaceAll("\\$\\{USER\\}", user);
return DriverManager.getConnection(url, "sa", "");
}
/**
* Description of the Method
*
* @param results
* Description of the Parameter
* @param resultsMetaData
* Description of the Parameter
* @param resultsMetaData
* Description of the Parameter
* @param resultsMetaData
* Description of the Parameter
* @param resultsMetaData
* Description of the Parameter
* @param resultsMetaData
* Description of the Parameter
* @param resultsMetaData
* Description of the Parameter
* @return Description of the Return Value
* @exception IOException
* Description of the Exception
* @exception SQLException
* Description of the Exception
* @throws java.io.IOException if any.
* @throws java.sql.SQLException if any.
*/
public static MultiPartElement writeTable(ResultSet results, ResultSetMetaData resultsMetaData) throws IOException,
SQLException
{
int numColumns = resultsMetaData.getColumnCount();
results.beforeFirst();
if (results.next())
{
Table t = new Table(1); // 1 = with border
t.setCellPadding(1);
TR tr = new TR();
for (int i = 1; i < (numColumns + 1); i++)
{
tr.addElement(new TD(new B(resultsMetaData.getColumnName(i))));
}
t.addElement(tr);
results.beforeFirst();
while (results.next())
{
TR row = new TR();
for (int i = 1; i < (numColumns + 1); i++)
{
String str = results.getString(i);
if (str == null) str = "";
row.addElement(new TD(str.replaceAll(" ", "&nbsp;")));
}
t.addElement(row);
}
return (t);
}
else
{
return (new B("Query Successful; however no data was returned from this query."));
}
}
}


@ -1,754 +0,0 @@
package org.owasp.webgoat.session;
import java.util.Iterator;
import java.util.List;
import java.util.StringTokenizer;
import java.util.Vector;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.A;
import org.apache.ecs.html.BR;
import org.apache.ecs.html.H3;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.Label;
import org.apache.ecs.html.Option;
import org.apache.ecs.html.P;
import org.apache.ecs.html.Select;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TH;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.U;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Jeff Williams (jeff.williams@aspectsecurity.com)
* @since October 29, 2003
* @version $Id: $Id
*/
public class ECSFactory
{
/**
* Description of the Field
*/
public final static String ON = "On";
/**
* Description of the Field
*/
public final static String PASSWORD = "Password";
/**
* Don't let anyone instantiate this class
*/
private ECSFactory()
{
}
/**
* Description of the Method
*
* @param name
* Description of the Parameter
* @param value
* Description of the Parameter
* @return Description of the Return Value
*/
public static Element makeBox(String name, String value)
{
Input i = new Input(Input.CHECKBOX, name, ON);
i.setChecked(value.equals(ON));
return (i);
}
/**
* Description of the Method
*
* @param text
* Description of the Parameter
* @return Description of the Return Value
*/
public static Element makeButton(String text)
{
Input b = new Input();
b.setType(Input.SUBMIT);
b.setValue(text);
b.setName(Input.SUBMIT);
return (b);
}
/**
* <p>makeButton.</p>
*
* @param text a {@link java.lang.String} object.
* @param onClickFunction a {@link java.lang.String} object.
* @return a {@link org.apache.ecs.Element} object.
*/
public static Element makeButton(String text, String onClickFunction)
{
Input b = (Input) makeButton(text);
b.setOnClick(onClickFunction);
return (b);
}
/**
* Description of the Method
*
* @param labeltext
* Description of the Parameter
* @param value
* Description of the Parameter
* @param e
* Description of the Parameter
* @return Description of the Return Value
*/
public static TR makeField(String labeltext, String value, Element e)
{
TD left = new TD().setAlign("right");
Label label = new Label().addElement(labeltext);
left.addElement(label);
TD right = new TD().setAlign("left");
right.addElement(e);
TR row = new TR();
row.addElement(left);
row.addElement(right);
return (row);
}
/**
* Description of the Method
*
* @param labeltext
* Description of the Parameter
* @param name
* Description of the Parameter
* @param value
* Description of the Parameter
* @param size
* Description of the Parameter
* @return Description of the Return Value
*/
public static TR makeField(String labeltext, String name, String value, int size)
{
Input field = new Input().setName(name).setValue(value).setSize(size).setMaxlength(size);
// double check in case someone means to make a * starred out password field
if (name.equals(PASSWORD))
{
field.setType(Input.PASSWORD);
}
return (makeField(labeltext, value, field));
}
/**
* Description of the Method
*
* @param label
* Description of the Parameter
* @param type
* Description of the Parameter
* @param name
* Description of the Parameter
* @param value
* Description of the Parameter
* @param alignment
* Description of the Parameter
* @param selected
* Description of the Parameter
* @return Description of the Return Value
*/
public static Element makeInput(String label, String type, String name, boolean value, boolean selected,
String alignment)
{
return makeInput(label, type, name, new Boolean(value).toString(), selected, alignment);
}
/**
* Description of the Method
*
* @param label
* Description of the Parameter
* @param type
* Description of the Parameter
* @param name
* Description of the Parameter
* @param value
* Description of the Parameter
* @return Description of the Return Value
*/
public static Element makeInput(String label, String type, String name, String value)
{
return makeInput(label, type, name, value, new Boolean(value).booleanValue(), "RIGHT");
}
/**
* Description of the Method
*
* @param label
* Description of the Parameter
* @param type
* Description of the Parameter
* @param name
* Description of the Parameter
* @param value
* Description of the Parameter
* @param alignment
* Description of the Parameter
* @param selected
* Description of the Parameter
* @return Description of the Return Value
*/
public static Element makeInput(String label, String type, String name, String value, boolean selected,
String alignment)
{
ElementContainer ec = new ElementContainer();
if (!alignment.equalsIgnoreCase("LEFT"))
{
ec.addElement(new StringElement(label));
}
Input input = new Input(type, name, value);
ec.addElement(input);
if (alignment.equalsIgnoreCase("LEFT"))
{
ec.addElement(new StringElement(label));
}
if (type.equalsIgnoreCase("CHECKBOX"))
{
input.setChecked(selected);
}
return (ec);
}
/**
* Description of the Method
*
* @param text
* Description of the Parameter
* @param name
* Description of the Parameter
* @param value
* Description of the Parameter
* @return Description of the Return Value
*/
public static A makeLink(String text, String name, String value)
{
String href = "attack?" + name;
if (value.length() > 0)
{
href = href + "=" + value;
}
A a = new A(href);
a.addElement(new U().addElement(text));
a.addAttribute("style", "cursor:hand");
return (a);
}
/**
* Description of the Method
*
* @param text
* Description of the Parameter
* @param name
* Description of the Parameter
* @param value
* Description of the Parameter
* @return Description of the Return Value
*/
public static A makeLink(String text, String name, int value)
{
return (makeLink(text, name, Integer.toString(value)));
}
/**
* Description of the Method
*
* @param text
* Description of the Parameter
* @param name
* Description of the Parameter
* @param value
* Description of the Parameter
* @return Description of the Return Value
*/
public static A makeLink(String text, String name, boolean value)
{
return (makeLink(text, name, new Boolean(value).toString()));
}
/**
* Description of the Method
*
* @param text
* Description of the Parameter
* @param clickAction
* Description of the Parameter
* @param type
* Description of the Parameter
* @return Description of the Return Value
*/
public static Input makeOnClickInput(String text, String clickAction, String type)
{
Input b = new Input();
b.setType(type);
b.setValue(text);
b.setOnClick(clickAction);
return (b);
}
/**
* Description of the Method
*
* @param labeltext
* Description of the Parameter
* @param value
* Description of the Parameter
* @param e
* Description of the Parameter
* @return Description of the Return Value
*/
public static TR makeOption(String labeltext, String value, Element e)
{
TD left = new TD().setAlign("left").setWidth("10%");
left.addElement(e);
TD right = new TD().setAlign("right");
Label label = new Label().addElement(labeltext);
right.addElement(label);
TR row = new TR();
row.addElement(right);
row.addElement(left);
return (row);
}
/**
* Description of the Method
*
* @param label
* Description of the Parameter
* @param value
* Description of the Parameter
* @return Description of the Return Value
*/
public static Option makeOption(String label, boolean value)
{
Option option = new Option(label, new Boolean(value).toString());
option.setSelected(value);
return option;
}
/**
* Description of the Method
*
* @param line
* Description of the Parameter
* @return Description of the Return Value
*/
private static org.apache.ecs.html.Option makeOption(String line)
{
StringTokenizer st = new StringTokenizer(line, "|");
org.apache.ecs.html.Option o = new org.apache.ecs.html.Option();
String token = "";
if (st.hasMoreTokens())
{
token = st.nextToken();
}
o.addElement(token);
return (o);
}
/**
* Description of the Method
*
* @param name
* Description of the Parameter
* @param options
* Description of the Parameter
* @return Description of the Return Value
*/
public static Element makePulldown(String name, List<String> options)
{
Select s = new Select(name);
s.addElement(options.toArray(new String[options.size()]));
return (s);
}
/**
* Description of the Method
*
* @param results
* Description of the Parameter
* @return Description of the Return Value
* @param name a {@link java.lang.String} object.
*/
public static Element makePulldown(String name, String results)
{
Select select = new Select(name);
StringTokenizer st = new StringTokenizer(results, "\n");
if (!st.hasMoreTokens()) {
return (new StringElement("")); }
while (st.hasMoreTokens())
{
String line = st.nextToken();
select.addElement(makeOption(line));
}
select.addElement("-------------------------");
return (select);
}
/**
* Description of the Method
*
* @param name
* Description of the Parameter
* @param list
* Description of the Parameter
* @param selected
* Description of the Parameter
* @param rowsShowing
* Description of the Parameter
* @return Description of the Return Value
*/
public static Select makePulldown(String name, Object[] list, String selected, int rowsShowing)
{
Select select = new Select(name);
for (int loop = 0; loop < list.length; loop++)
{
String value = list[loop].toString();
org.apache.ecs.html.Option o = new org.apache.ecs.html.Option(value, value, value);
if (value.equals(selected))
{
o.setSelected(true);
}
select.addElement(o);
}
select.setSize(rowsShowing);
return select;
}
/**
* Default size of 1 for rows showing in select box.
*
* @param diffNames
* Description of the Parameter
* @param select
* Description of the Parameter
* @param selected
* Description of the Parameter
* @param selected
* Description of the Parameter
* @param selected
* Description of the Parameter
* @param selected
* Description of the Parameter
* @param name
* Description of the Parameter
* @param options
* Description of the Parameter
* @param list
* Description of the Parameter
* @param selected
* Description of the Parameter
* @param selected
* Description of the Parameter
* @return Description of the Return Value
*/
public static Element makeSelect(boolean diffNames, Select select, String name, Vector<Option> options,
String[] list, String selected)
{
return makeSelect(diffNames, select, name, options, list, selected, 1);
}
/**
* Description of the Method
*
* @param diffNames
* Description of the Parameter
* @param select
* Description of the Parameter
* @param selected
* Description of the Parameter
* @param selected
* Description of the Parameter
* @param selected
* Description of the Parameter
* @param selected
* Description of the Parameter
* @param name
* Description of the Parameter
* @param options
* Description of the Parameter
* @param list
* Description of the Parameter
* @param selected
* Description of the Parameter
* @param selected
* Description of the Parameter
* @param rowsShowing
* Description of the Parameter
* @return Description of the Return Value
*/
public static Select makeSelect(boolean diffNames, Select select, String name, Vector<Option> options,
String[] list, String selected, int rowsShowing)
{
if (select == null)
{
select = new Select(name);
if (diffNames)
{
for (int loop = 0; loop < list.length; loop += 2)
{
String value = list[loop];
String label = list[loop + 1];
Option o = new Option(value);
if (loop == 0)
{
o.setSelected(true);
}
options.addElement(o);// add to Vector containing all options
select.addElement(o);
select.addElement(label);
}
}
else
{
for (int loop = 0; loop < list.length; loop++)
{
String value = list[loop];
org.apache.ecs.html.Option o = new org.apache.ecs.html.Option(value);
if (loop == 0)
{
o.setSelected(true);
}
options.addElement(o);// add to Vector containing all options
select.addElement(o);
select.addElement(value);
}
}
}
// find selected option and set selected
Iterator i = options.iterator();
while (i.hasNext())
{
org.apache.ecs.html.Option o = (org.apache.ecs.html.Option) i.next();
if (selected.equalsIgnoreCase(o.getAttribute("value")))
{
o.setSelected(true);
}
}
select.setSize(rowsShowing);
return (select);
}
/**
* Description of the Method
*
* @param title
* Description of the Parameter
* @return Description of the Return Value
*/
public static Element makeTallHeader(String title)
{
StringBuffer buff = new StringBuffer();
for (int i = 0; i < title.length(); i++)
{
buff.append(title.charAt(i));
buff.append("<BR>");
}
return new TH(buff.toString());
}
/**
* Description of the Method
*
* @param title
* Description of the Parameter
* @param text
* Description of the Parameter
* @return Description of the Return Value
*/
public static Element makeTextArea(String title, String text)
{
ElementContainer ec = new ElementContainer();
ec.addElement(new BR());
ec.addElement(new H3().addElement(title));
ec.addElement(new P());
ec.addElement("<CENTER><TEXTAREA ROWS=10 COLS=90 READONLY>" + text + "</TEXTAREA></CENTER>");
ec.addElement(new BR());
ec.addElement(new BR());
return (ec);
}
}

@ -1,283 +0,0 @@
package org.owasp.webgoat.session;
import java.io.ByteArrayOutputStream;
import java.io.PrintWriter;
import java.util.StringTokenizer;
import javax.servlet.ServletException;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.HtmlColor;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.Div;
import org.apache.ecs.html.Form;
import org.apache.ecs.html.H2;
import org.apache.ecs.html.Small;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @since November 4, 2003
* @version $Id: $Id
*/
public class ErrorScreen extends Screen
{
/**
* Description of the Field
*/
protected Throwable error;
/**
* Description of the Field
*/
protected String message;
/**
* Constructor for the ErrorScreen object
*
* @param s
* Description of the Parameter
* @param t
* Description of the Parameter
*/
public ErrorScreen(WebSession s, Throwable t)
{
this.error = t;
fixCurrentScreen(s);
setup(s);
}
/**
* Constructor for the ErrorScreen object
*
* @param s
* Description of the Parameter
* @param msg
* Description of the Parameter
*/
public ErrorScreen(WebSession s, String msg)
{
this.message = msg;
fixCurrentScreen(s);
setup(s);
}
/**
* <p>fixCurrentScreen.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
*/
public void fixCurrentScreen(WebSession s)
{
// So the user can't get stuck on the error screen, reset the
// current screen to something known
if (s != null)
{
try
{
s.setCurrentScreen(s.getCourse().getFirstLesson().getScreenId());
} catch (Throwable t)
{
s.setCurrentScreen(WebSession.WELCOME);
}
}
}
/**
* <p>setup.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
*/
public void setup(WebSession s)
{
// call createContent first so messages will go somewhere
Form form = new Form("attack", Form.POST).setName("form").setEncType("");
form.addElement(wrapForm(s));
TD lowerright = new TD().setHeight("100%").setVAlign("top").setAlign("left").addElement(form);
TR row = new TR().addElement(lowerright);
Table layout = new Table().setBgColor(HtmlColor.WHITE).setCellSpacing(0).setCellPadding(0).setBorder(0);
layout.addElement(row);
setContent(layout);
}
/**
* <p>wrapForm.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link org.apache.ecs.Element} object.
*/
protected Element wrapForm(WebSession s)
{
if (s == null) { return new StringElement("Invalid Session"); }
Table container = new Table().setWidth("100%").setCellSpacing(10).setCellPadding(0).setBorder(0);
// CreateContent can generate error messages so you MUST call it before makeMessages()
Element content = createContent(s);
container.addElement(new TR().addElement(new TD().setColSpan(2).setVAlign("TOP").addElement(makeMessages(s))));
container.addElement(new TR().addElement(new TD().setColSpan(2).addElement(content)));
container.addElement(new TR());
return (container);
}
/**
* {@inheritDoc}
*
* Description of the Method
*/
protected Element createContent(WebSession s)
{
System.out.println("errorscreen createContent Error:" + this.error + " message:" + this.message);
Element content;
if (this.error != null)
{
content = createContent(this.error);
}
else if (this.message != null)
{
content = createContent(this.message);
}
else
{
content = new StringElement("An unknown error occurred.");
}
return content;
}
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent(String s)
{
StringElement list = new StringElement(s);
return (list);
}
/**
* Description of the Method
*
* @param t
* Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent(Throwable t)
{
StringElement list = new StringElement();
list.addElement(new H2().addElement(new StringElement("Error Message: " + t.getMessage())));
list.addElement(formatStackTrace(t));
if (t instanceof ServletException)
{
Throwable root = ((ServletException) t).getRootCause();
if (root != null)
{
list.addElement(new H2().addElement(new StringElement("Root Message: " + root.getMessage())));
list.addElement(formatStackTrace(root));
}
}
return (new Small().addElement(list));
}
/**
* Description of the Method
*
* @param t
* Description of the Parameter
* @return Description of the Return Value
*/
public static Element formatStackTrace(Throwable t)
{
String trace = getStackTrace(t);
StringElement list = new StringElement();
StringTokenizer st = new StringTokenizer(trace, "\r\n\t");
while (st.hasMoreTokens())
{
String line = st.nextToken();
list.addElement(new Div(line));
}
return (list);
}
/**
* Gets the stackTrace attribute of the ErrorScreen class
*
* @param t
* Description of the Parameter
* @return The stackTrace value
*/
public static String getStackTrace(Throwable t)
{
ByteArrayOutputStream bytes = new ByteArrayOutputStream();
PrintWriter writer = new PrintWriter(bytes, true);
t.printStackTrace(writer);
return (bytes.toString());
}
/**
* Gets the title attribute of the ErrorScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Error");
}
/**
* <p>getRole.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getRole()
{
return AbstractLesson.USER_ROLE;
}
}

@ -1,83 +0,0 @@
package org.owasp.webgoat.session;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* Represents a virtual session for a lesson. Lesson-specific session data may be stored here.
*
* @author David Anderson <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @since January 19, 2006
* @version $Id: $Id
*/
public class LessonSession
{
private boolean isAuthenticated = false;
private String currentLessonScreen;
/**
* <p>setAuthenticated.</p>
*
* @param isAuthenticated a boolean.
*/
public void setAuthenticated(boolean isAuthenticated)
{
this.isAuthenticated = isAuthenticated;
}
/**
* <p>isAuthenticated.</p>
*
* @return a boolean.
*/
public boolean isAuthenticated()
{
return this.isAuthenticated;
}
/**
* <p>Setter for the field <code>currentLessonScreen</code>.</p>
*
* @param currentLessonScreen a {@link java.lang.String} object.
*/
public void setCurrentLessonScreen(String currentLessonScreen)
{
this.currentLessonScreen = currentLessonScreen;
}
/**
* <p>Getter for the field <code>currentLessonScreen</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getCurrentLessonScreen()
{
return this.currentLessonScreen;
}
}

@ -1,435 +1,329 @@
package org.owasp.webgoat.session;
import lombok.extern.slf4j.Slf4j;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.util.Properties;
/**
*************************************************************************************************
*
*
* ************************************************************************************************
* <p>
* <p>
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* <p>
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* <p>
* Getting Source ==============
*
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @since October 29, 2003
* @version $Id: $Id
* @since October 29, 2003
*/
public class LessonTracker
{
@Slf4j
public class LessonTracker {
private boolean completed = false;
private boolean completed = false;
private int maxHintLevel = 0;
private int maxHintLevel = 0;
private int numVisits = 0;
private int numVisits = 0;
private boolean viewedCookies = false;
private boolean viewedCookies = false;
private boolean viewedHtml = false;
private boolean viewedHtml = false;
private boolean viewedLessonPlan = false;
private boolean viewedLessonPlan = false;
private boolean viewedParameters = false;
private boolean viewedParameters = false;
private boolean viewedSource = false;
private boolean viewedSource = false;
private boolean viewedSolution = false;
private boolean viewedSolution = false;
Properties lessonProperties = new Properties();
Properties lessonProperties = new Properties();
/**
* Gets the completed attribute of the LessonTracker object
*
* @return The completed value
*/
public boolean getCompleted()
{
return completed;
}
private int totalNumberOfAssignments = 0;
/**
* Gets the maxHintLevel attribute of the LessonTracker object
*
* @return The maxHintLevel value
*/
public int getMaxHintLevel()
{
return maxHintLevel;
}
public void setTotalNumberOfAssignments(int totalNumberOfAssignments) {
this.totalNumberOfAssignments = totalNumberOfAssignments;
}
/**
* Gets the numVisits attribute of the LessonTracker object
*
* @return The numVisits value
*/
public int getNumVisits()
{
return numVisits;
}
/**
* Gets the completed attribute of the LessonTracker object
*
* @return The completed value
*/
public boolean getCompleted() {
return completed;
}
/**
* Gets the viewedCookies attribute of the LessonTracker object
*
* @return The viewedCookies value
*/
public boolean getViewedCookies()
{
return viewedCookies;
}
/**
* Gets the maxHintLevel attribute of the LessonTracker object
*
* @return The maxHintLevel value
*/
public int getMaxHintLevel() {
return maxHintLevel;
}
/**
* Gets the viewedHtml attribute of the LessonTracker object
*
* @return The viewedHtml value
*/
public boolean getViewedHtml()
{
return viewedHtml;
}
/**
* Gets the numVisits attribute of the LessonTracker object
*
* @return The numVisits value
*/
public int getNumVisits() {
return numVisits;
}
/**
* Gets the viewedLessonPlan attribute of the LessonTracker object
*
* @return The viewedLessonPlan value
*/
public boolean getViewedLessonPlan()
{
return viewedLessonPlan;
}
/**
* Gets the viewedCookies attribute of the LessonTracker object
*
* @return The viewedCookies value
*/
public boolean getViewedCookies() {
return viewedCookies;
}
/**
* Gets the viewedParameters attribute of the LessonTracker object
*
* @return The viewedParameters value
*/
public boolean getViewedParameters()
{
return viewedParameters;
}
/**
* Gets the viewedHtml attribute of the LessonTracker object
*
* @return The viewedHtml value
*/
public boolean getViewedHtml() {
return viewedHtml;
}
/**
* Gets the viewedSource attribute of the LessonTracker object
*
* @return The viewedSource value
*/
public boolean getViewedSource()
{
return viewedSource;
}
/**
* Gets the viewedLessonPlan attribute of the LessonTracker object
*
* @return The viewedLessonPlan value
*/
public boolean getViewedLessonPlan() {
return viewedLessonPlan;
}
/**
* <p>Getter for the field <code>viewedSolution</code>.</p>
*
* @return a boolean.
*/
public boolean getViewedSolution()
{
return viewedSource;
}
/**
* Gets the viewedParameters attribute of the LessonTracker object
*
* @return The viewedParameters value
*/
public boolean getViewedParameters() {
return viewedParameters;
}
/**
* Description of the Method
*/
public void incrementNumVisits()
{
numVisits++;
}
/**
* Gets the viewedSource attribute of the LessonTracker object
*
* @return The viewedSource value
*/
public boolean getViewedSource() {
return viewedSource;
}
/**
* Sets the properties attribute of the LessonTracker object
*
* @param props
* The new properties value
* @param screen a {@link org.owasp.webgoat.session.Screen} object.
*/
protected void setProperties(Properties props, Screen screen)
{
completed = Boolean.valueOf(props.getProperty(screen.getTitle() + ".completed")).booleanValue();
maxHintLevel = Integer.parseInt(props.getProperty(screen.getTitle() + ".maxHintLevel", "0"));
numVisits = Integer.parseInt(props.getProperty(screen.getTitle() + ".numVisits", "0"));
viewedCookies = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedCookies", "false")).booleanValue();
viewedHtml = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedHtml", "false")).booleanValue();
viewedLessonPlan = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedLessonPlan", "false")).booleanValue();
viewedParameters = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedParameters", "false")).booleanValue();
viewedSource = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedSource", "false")).booleanValue();
}
/**
* <p>Getter for the field <code>viewedSolution</code>.</p>
*
* @return a boolean.
*/
public boolean getViewedSolution() {
return viewedSource;
}
/**
* <p>getUserDir.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link java.lang.String} object.
*/
public static String getUserDir(WebSession s)
{
return s.getContext().getRealPath("users") + "/";
}
/**
* Description of the Method
*/
public void incrementNumVisits() {
numVisits++;
}
private static String getTrackerFile(WebSession s, String user, Screen screen)
{
return getUserDir(s) + user + "." + screen.getClass().getName() + ".props";
}
/**
* Description of the Method
*
* @param screen
* Description of the Parameter
* @param screen
* Description of the Parameter
* @param screen
* Description of the Parameter
* @param screen
* Description of the Parameter
* @param screen
* Description of the Parameter
* @param screen
* Description of the Parameter
* @param s
* Description of the Parameter
* @return Description of the Return Value
* @param user a {@link java.lang.String} object.
*/
public static LessonTracker load(WebSession s, String user, Screen screen)
{
FileInputStream in = null;
try
{
String fileName = getTrackerFile(s, user, screen);
if (fileName != null)
{
Properties tempProps = new Properties();
// System.out.println("Loading lesson state from: " + fileName);
in = new FileInputStream(fileName);
tempProps.load(in);
// allow the screen to use any custom properties it may have set
LessonTracker tempLessonTracker = screen.createLessonTracker(tempProps);
tempLessonTracker.setProperties(tempProps, screen);
return tempLessonTracker;
}
} catch (FileNotFoundException e)
{
// Normal if the lesson has not been accessed yet.
} catch (Exception e)
{
System.out.println("Failed to load lesson state for " + screen);
e.printStackTrace();
} finally
{
try
{
in.close();
} catch (Exception e)
{
}
}
/**
* Sets the properties attribute of the LessonTracker object
*
* @param props The new properties value
* @param screen a {@link org.owasp.webgoat.session.Screen} object.
*/
protected void setProperties(Properties props, Screen screen) {
completed = Boolean.valueOf(props.getProperty(screen.getTitle() + ".completed")).booleanValue();
maxHintLevel = Integer.parseInt(props.getProperty(screen.getTitle() + ".maxHintLevel", "0"));
numVisits = Integer.parseInt(props.getProperty(screen.getTitle() + ".numVisits", "0"));
viewedCookies = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedCookies", "false")).booleanValue();
viewedHtml = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedHtml", "false")).booleanValue();
viewedLessonPlan = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedLessonPlan", "false")).booleanValue();
viewedParameters = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedParameters", "false")).booleanValue();
viewedSource = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedSource", "false")).booleanValue();
totalNumberOfAssignments = Integer.parseInt(props.getProperty(screen.getTitle() + ".totalNumberOfAssignments", "0"));
}
return screen.createLessonTracker();
}
/**
* <p>getUserDir.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link java.lang.String} object.
*/
public static String getUserDir(WebSession s) {
return "";
}
/**
* Sets the completed attribute of the LessonTracker object
*
* @param completed
* The new completed value
*/
public void setCompleted(boolean completed)
{
this.completed = completed;
}
private static String getTrackerFile(WebSession s, String user, Screen screen) {
return getUserDir(s) + user + "." + screen.getClass().getName() + ".props";
}
/**
* Sets the maxHintLevel attribute of the LessonTracker object
*
* @param maxHintLevel
* The new maxHintLevel value
*/
public void setMaxHintLevel(int maxHintLevel)
{
this.maxHintLevel = Math.max(this.maxHintLevel, maxHintLevel);
}
/**
* Description of the Method
*
* @param screen Description of the Parameter
* @param screen Description of the Parameter
* @param screen Description of the Parameter
* @param screen Description of the Parameter
* @param screen Description of the Parameter
* @param screen Description of the Parameter
* @param s Description of the Parameter
* @param user a {@link java.lang.String} object.
* @return Description of the Return Value
*/
public static LessonTracker load(WebSession s, String user, Screen screen) {
FileInputStream in = null;
try {
String fileName = getTrackerFile(s, user, screen);
if (fileName != null) {
Properties tempProps = new Properties();
// System.out.println("Loading lesson state from: " + fileName);
in = new FileInputStream(fileName);
tempProps.load(in);
// allow the screen to use any custom properties it may have set
LessonTracker tempLessonTracker = new LessonTracker();
tempLessonTracker.setProperties(tempProps, screen);
return tempLessonTracker;
}
} catch (FileNotFoundException e) {
// Normal if the lesson has not been accessed yet.
} catch (Exception e) {
System.out.println("Failed to load lesson state for " + screen);
e.printStackTrace();
} finally {
try {
in.close();
} catch (Exception e) {
}
}
/**
* Sets the viewedCookies attribute of the LessonTracker object
*
* @param viewedCookies
* The new viewedCookies value
*/
public void setViewedCookies(boolean viewedCookies)
{
this.viewedCookies = viewedCookies;
}
return new LessonTracker();
}
/**
* Sets the viewedHtml attribute of the LessonTracker object
*
* @param viewedHtml
* The new viewedHtml value
*/
public void setViewedHtml(boolean viewedHtml)
{
this.viewedHtml = viewedHtml;
}
/**
* Sets the completed attribute of the LessonTracker object
*
* @param completed The new completed value
*/
public void setCompleted(boolean completed) {
this.completed = completed;
}
/**
* Sets the viewedLessonPlan attribute of the LessonTracker object
*
* @param viewedLessonPlan
* The new viewedLessonPlan value
*/
public void setViewedLessonPlan(boolean viewedLessonPlan)
{
this.viewedLessonPlan = viewedLessonPlan;
}
/**
* Sets the maxHintLevel attribute of the LessonTracker object
*
* @param maxHintLevel The new maxHintLevel value
*/
public void setMaxHintLevel(int maxHintLevel) {
this.maxHintLevel = Math.max(this.maxHintLevel, maxHintLevel);
}
/**
* Sets the viewedParameters attribute of the LessonTracker object
*
* @param viewedParameters
* The new viewedParameters value
*/
public void setViewedParameters(boolean viewedParameters)
{
this.viewedParameters = viewedParameters;
}
/**
* Allows the storing of properties for the logged in and a screen.
*
* @param s Description of the Parameter
* @param screen a {@link org.owasp.webgoat.session.Screen} object.
* @param screen a {@link org.owasp.webgoat.session.Screen} object.
*/
public void store(WebSession s, Screen screen) {
store(s, screen, s.getUserName());
}
/**
* Sets the viewedSource attribute of the LessonTracker object
*
* @param viewedSource
* The new viewedSource value
*/
public void setViewedSource(boolean viewedSource)
{
this.viewedSource = viewedSource;
}
/**
* Allows the storing of properties for a user and a screen.
*
* @param s Description of the Parameter
* @param screen a {@link org.owasp.webgoat.session.Screen} object.
* @param screen a {@link org.owasp.webgoat.session.Screen} object.
* @param user a {@link java.lang.String} object.
*/
public void store(WebSession s, Screen screen, String user) {
/**
* Sets the viewedSource attribute of the LessonTracker object
*
* @param viewedSolution a boolean.
*/
public void setViewedSolution(boolean viewedSolution)
{
this.viewedSolution = viewedSolution;
}
String fileName = getTrackerFile(s, user, screen);
// System.out.println( "Storing data to" + fileName );
lessonProperties.setProperty(screen.getTitle() + ".completed", Boolean.toString(completed));
lessonProperties.setProperty(screen.getTitle() + ".maxHintLevel", Integer.toString(maxHintLevel));
lessonProperties.setProperty(screen.getTitle() + ".numVisits", Integer.toString(numVisits));
lessonProperties.setProperty(screen.getTitle() + ".viewedCookies", Boolean.toString(viewedCookies));
lessonProperties.setProperty(screen.getTitle() + ".viewedHtml", Boolean.toString(viewedHtml));
lessonProperties.setProperty(screen.getTitle() + ".viewedLessonPlan", Boolean.toString(viewedLessonPlan));
lessonProperties.setProperty(screen.getTitle() + ".viewedParameters", Boolean.toString(viewedParameters));
lessonProperties.setProperty(screen.getTitle() + ".viewedSource", Boolean.toString(viewedSource));
lessonProperties.setProperty(screen.getTitle() + ".totalNumberOfAssignments", Integer.toString(totalNumberOfAssignments));
try (FileOutputStream out = new FileOutputStream(fileName)) {
lessonProperties.store(out, s.getUserName());
} catch (IOException e) {
log.warn("Warning User data for {} will not persist", s.getUserName());
}
}
/**
* Allows the storing of properties for the logged in and a screen.
*
* @param s
* Description of the Parameter
* @param screen a {@link org.owasp.webgoat.session.Screen} object.
* @param screen a {@link org.owasp.webgoat.session.Screen} object.
*/
public void store(WebSession s, Screen screen)
{
store(s, screen, s.getUserName());
}
/**
* Description of the Method
*
* @return Description of the Return Value
*/
public String toString() {
StringBuffer buff = new StringBuffer();
buff.append("LessonTracker:" + "\n");
buff.append(" - completed:................. " + completed + "\n");
buff.append(" - maxHintLevel:.............. " + maxHintLevel + "\n");
buff.append(" - numVisits:................. " + numVisits + "\n");
buff.append(" - viewedCookies:............. " + viewedCookies + "\n");
buff.append(" - viewedHtml:................ " + viewedHtml + "\n");
buff.append(" - viewedLessonPlan:.......... " + viewedLessonPlan + "\n");
buff.append(" - viewedParameters:.......... " + viewedParameters + "\n");
buff.append(" - viewedSource:.............. " + viewedSource + "\n" + "\n");
buff.append(" - totalNumberOfAssignments:.. " + viewedSource + "\n" + "\n");
return buff.toString();
}
/**
* Allows the storing of properties for a user and a screen.
*
* @param s
* Description of the Parameter
* @param screen a {@link org.owasp.webgoat.session.Screen} object.
* @param screen a {@link org.owasp.webgoat.session.Screen} object.
* @param user a {@link java.lang.String} object.
*/
public void store(WebSession s, Screen screen, String user)
{
FileOutputStream out = null;
String fileName = getTrackerFile(s, user, screen);
// System.out.println( "Storing data to" + fileName );
lessonProperties.setProperty(screen.getTitle() + ".completed", Boolean.toString(completed));
lessonProperties.setProperty(screen.getTitle() + ".maxHintLevel", Integer.toString(maxHintLevel));
lessonProperties.setProperty(screen.getTitle() + ".numVisits", Integer.toString(numVisits));
lessonProperties.setProperty(screen.getTitle() + ".viewedCookies", Boolean.toString(viewedCookies));
lessonProperties.setProperty(screen.getTitle() + ".viewedHtml", Boolean.toString(viewedHtml));
lessonProperties.setProperty(screen.getTitle() + ".viewedLessonPlan", Boolean.toString(viewedLessonPlan));
lessonProperties.setProperty(screen.getTitle() + ".viewedParameters", Boolean.toString(viewedParameters));
lessonProperties.setProperty(screen.getTitle() + ".viewedSource", Boolean.toString(viewedSource));
try
{
out = new FileOutputStream(fileName);
lessonProperties.store(out, s.getUserName());
} catch (Exception e)
{
// what do we want to do, I think nothing.
System.out.println("Warning User data for " + s.getUserName() + " will not persist");
} finally
{
try
{
out.close();
} catch (Exception e)
{
}
}
/**
* <p>Getter for the field <code>lessonProperties</code>.</p>
*
* @return Returns the lessonProperties.
*/
public Properties getLessonProperties() {
return lessonProperties;
}
}
/**
* Description of the Method
*
* @return Description of the Return Value
*/
public String toString()
{
StringBuffer buff = new StringBuffer();
buff.append("LessonTracker:" + "\n");
buff.append(" - completed:.......... " + completed + "\n");
buff.append(" - maxHintLevel:....... " + maxHintLevel + "\n");
buff.append(" - numVisits:.......... " + numVisits + "\n");
buff.append(" - viewedCookies:...... " + viewedCookies + "\n");
buff.append(" - viewedHtml:......... " + viewedHtml + "\n");
buff.append(" - viewedLessonPlan:... " + viewedLessonPlan + "\n");
buff.append(" - viewedParameters:... " + viewedParameters + "\n");
buff.append(" - viewedSource:....... " + viewedSource + "\n" + "\n");
return buff.toString();
}
/**
* <p>Getter for the field <code>lessonProperties</code>.</p>
*
* @return Returns the lessonProperties.
*/
public Properties getLessonProperties()
{
return lessonProperties;
}
/**
* <p>Setter for the field <code>lessonProperties</code>.</p>
*
* @param lessonProperties
* The lessonProperties to set.
*/
public void setLessonProperties(Properties lessonProperties)
{
this.lessonProperties = lessonProperties;
}
/**
* <p>Setter for the field <code>lessonProperties</code>.</p>
*
* @param lessonProperties The lessonProperties to set.
*/
public void setLessonProperties(Properties lessonProperties) {
this.lessonProperties = lessonProperties;
}
}


@ -1,111 +0,0 @@
package org.owasp.webgoat.session;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @version $Id: $Id
* @author dm
*/
public class Parameter implements Comparable
{
String name;
String value;
/**
* <p>Constructor for Parameter.</p>
*
* @param name a {@link java.lang.String} object.
* @param value a {@link java.lang.String} object.
*/
public Parameter(String name, String value)
{
this.name = name;
this.value = value;
}
/**
* <p>Getter for the field <code>name</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getName()
{
return name;
}
/**
* <p>Getter for the field <code>value</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getValue()
{
return value;
}
// @Override
/** {@inheritDoc} */
public boolean equals(Object obj)
{
if (obj instanceof Parameter)
{
Parameter other = (Parameter) obj;
return (name.equals(other.getName()) && value.equals(other.getValue()));
}
return false;
}
// @Override
/**
* <p>hashCode.</p>
*
* @return a int.
*/
public int hashCode()
{
return toString().hashCode();
}
// @Override
/**
* <p>toString.</p>
*
* @return a {@link java.lang.String} object.
*/
public String toString()
{
return (name + "=" + value);
}
/** {@inheritDoc} */
public int compareTo(Object o)
{
return toString().compareTo(o.toString());
}
}


@ -1,59 +0,0 @@
package org.owasp.webgoat.session;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @version $Id: $Id
*/
public class ParameterNotFoundException extends Exception
{
/**
*
*/
private static final long serialVersionUID = 3286112913299408382L;
/**
* Constructs a new ParameterNotFoundException with no detail message.
*/
public ParameterNotFoundException()
{
super();
}
/**
* Constructs a new ParameterNotFoundException with the specified detail message.
*
* @param s
* the detail message
*/
public ParameterNotFoundException(String s)
{
super(s);
}
}


@ -1,165 +0,0 @@
package org.owasp.webgoat.session;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
/**
* <p>RandomLessonTracker class.</p>
*
* @version $Id: $Id
* @author dm
*/
public class RandomLessonTracker extends LessonTracker
{
private String[] stages;
private String stage;
private Map<String, Boolean> completed = new HashMap<String, Boolean>();
/**
* <p>Constructor for RandomLessonTracker.</p>
*
* @param stages an array of {@link java.lang.String} objects.
*/
public RandomLessonTracker(String[] stages)
{
if (stages == null) stages = new String[0];
this.stages = stages;
}
/**
* <p>Setter for the field <code>stage</code>.</p>
*
* @param stage a {@link java.lang.String} object.
*/
public void setStage(String stage)
{
this.stage = stage;
}
/**
* <p>Getter for the field <code>stage</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getStage()
{
if (this.stage == null && stages.length > 0) return stages[0];
return this.stage;
}
/**
* <p>setStageComplete.</p>
*
* @param stage a {@link java.lang.String} object.
* @param complete a boolean.
*/
public void setStageComplete(String stage, boolean complete)
{
completed.put(stage, Boolean.valueOf(complete));
if (!complete) return;
int i = getStageNumber(stage);
if (i < stages.length - 1) setStage(stages[i + 1]);
}
/**
* <p>getStageNumber.</p>
*
* @param stage a {@link java.lang.String} object.
* @return a int.
*/
public int getStageNumber(String stage)
{
for (int i = 0; i < stages.length; i++)
if (stages[i].equals(stage)) return i;
return -1;
}
/**
* <p>hasCompleted.</p>
*
* @param stage a {@link java.lang.String} object.
* @return a boolean.
*/
public boolean hasCompleted(String stage)
{
Boolean complete = completed.get(stage);
return complete == null ? false : complete.booleanValue();
}
/** {@inheritDoc} */
@Override
public boolean getCompleted()
{
for (int i = 0; i < stages.length; i++)
if (!hasCompleted(stages[i])) return false;
return true;
}
/** {@inheritDoc} */
@Override
public void setCompleted(boolean complete)
{
if (complete == true) throw new UnsupportedOperationException("Use individual stage completion instead");
for (int i = 0; i < stages.length; i++)
setStageComplete(stages[i], false);
setStage(stages[0]);
}
/** {@inheritDoc} */
protected void setProperties(Properties props, Screen screen)
{
super.setProperties(props, screen);
for (int i = 0; i < stages.length; i++)
{
String p = props.getProperty(screen.getTitle() + "." + stages[i] + ".completed");
if (p != null)
{
setStageComplete(stages[i], Boolean.valueOf(p));
}
}
setStage(props.getProperty(screen.getTitle() + ".stage"));
}
/** {@inheritDoc} */
public void store(WebSession s, Screen screen, String user)
{
for (int i = 0; i < stages.length; i++)
{
if (hasCompleted(stages[i]))
{
lessonProperties.setProperty(screen.getTitle() + "." + stages[i] + ".completed", Boolean.TRUE
.toString());
}
else
{
lessonProperties.remove(screen.getTitle() + "." + stages[i] + ".completed");
}
}
lessonProperties.setProperty(screen.getTitle() + ".stage", getStage());
super.store(s, screen, user);
}
/**
* <p>toString.</p>
*
* @return a {@link java.lang.String} object.
*/
public String toString()
{
StringBuffer buff = new StringBuffer();
buff.append(super.toString());
for (int i = 0; i < stages.length; i++)
{
buff.append(" - completed " + stages[i] + " :....... " + hasCompleted(stages[i]) + "\n");
}
buff.append(" - currentStage:....... " + getStage() + "\n");
return buff.toString();
}
}


@ -1,29 +0,0 @@
package org.owasp.webgoat.session;
/**
* <p>Role class.</p>
*
* @version $Id: $Id
* @author dm
*/
public class Role {
private String rolename;
/**
* <p>Constructor for Role.</p>
*
* @param rolename a {@link java.lang.String} object.
*/
public Role(String rolename) {
this.rolename = rolename;
}
/**
* <p>Getter for the field <code>rolename</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getRolename() {
return this.rolename;
}
}


@ -1,15 +1,5 @@
package org.owasp.webgoat.session;
import java.io.PrintWriter;
import java.util.Properties;
import org.apache.ecs.Element;
import org.apache.ecs.HtmlColor;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.A;
import org.apache.ecs.html.Font;
import org.apache.ecs.html.IMG;
import org.owasp.webgoat.lessons.AbstractLesson;
/**
* *************************************************************************************************
*
@ -45,102 +35,12 @@ import org.owasp.webgoat.lessons.AbstractLesson;
*/
public abstract class Screen {
/**
* Description of the Field
*/
public static int MAIN_SIZE = 375;
// private Head head;
private Element content;
final static IMG logo = new IMG("images/aspectlogo-horizontal-small.jpg").setAlt("Aspect Security").setBorder(0)
.setHspace(0).setVspace(0);
/**
* Constructor for the Screen object
*/
public Screen() {
}
// FIXME: Each lesson should have a role assigned to it. Each user/student
// should also have a role(s) assigned. The user would only be allowed
// to see lessons that correspond to their role. Eventually these roles
// will be stored in the internal database. The user will be able to hack
// into the database and change their role. This will allow the user to
// see the admin screens, once they figure out how to turn the admin switch on.
/**
* <p>getRole.</p>
*
* @return a {@link java.lang.String} object.
*/
public abstract String getRole();
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected abstract Element createContent(WebSession s);
/**
* Creates a new lessonTracker object.
*
* @param props The properties file that was used to persist the user data.
* @return Description of the Return Value
*/
public LessonTracker createLessonTracker(Properties props) {
// If the lesson had any specialized properties in the user persisted properties,
// now would be the time to pull them out.
return createLessonTracker();
}
/**
* This allows the screens to provide a custom LessonTracker object if
* needed.
*
* @return Description of the Return Value
*/
public LessonTracker createLessonTracker() {
return new LessonTracker();
}
/**
* Gets the lessonTracker attribute of the AbstractLesson object
*
* @return The lessonTracker value
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
*/
public LessonTracker getLessonTracker(WebSession s) {
UserTracker userTracker = UserTracker.instance();
return userTracker.getLessonTracker(s, this);
}
/**
* <p>getLessonTracker.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param userNameOverride a {@link java.lang.String} object.
* @return a {@link org.owasp.webgoat.session.LessonTracker} object.
*/
public LessonTracker getLessonTracker(WebSession s, String userNameOverride) {
UserTracker userTracker = UserTracker.instance();
return userTracker.getLessonTracker(s, userNameOverride, this);
}
/**
* <p>getLessonTracker.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param lesson a {@link org.owasp.webgoat.lessons.AbstractLesson} object.
* @return a {@link org.owasp.webgoat.session.LessonTracker} object.
*/
public LessonTracker getLessonTracker(WebSession s, AbstractLesson lesson) {
UserTracker userTracker = UserTracker.instance();
return userTracker.getLessonTracker(s, lesson);
}
/**
* Fill in a descriptive title for this lesson
@ -149,168 +49,5 @@ public abstract class Screen {
*/
public abstract String getTitle();
/**
* <p>Setter for the field <code>content</code>.</p>
*
* @param content a {@link org.apache.ecs.Element} object.
*/
protected void setContent(Element content) {
this.content = content;
}
/**
* Description of the Method
*
* @return Description of the Return Value
*/
protected Element makeLogo() {
return new A("http://www.aspectsecurity.com/webgoat.html", logo);
}
/**
* <p>getSponsor.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getSponsor() {
return "Aspect Security";
}
/**
* <p>getSponsorLogoResource.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getSponsorLogoResource() {
return "images/aspectlogo-horizontal-small.jpg";
}
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected Element makeMessages(WebSession s) {
if (s == null) {
return (new StringElement(""));
}
Font f = new Font().setColor(HtmlColor.RED);
String message = s.getMessage();
f.addElement(message);
return (f);
}
/**
* Returns the content length of the the html.
*
* @return a int.
*/
public int getContentLength() {
return getContent().length();
}
/**
* Description of the Method
*
* @param out Description of the Parameter
*/
public void output(PrintWriter out) {
// format output -- then send to printwriter
// otherwise we're doing way too much SSL encryption work
out.print(getContent());
}
// hook all the links
/**
* <p>Getter for the field <code>content</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getContent() {
//String makeAllAjax = "<script>goat.utils.makeFormsAjax();goat.utils.ajaxifyAttackHref();</script>";
// need to do this here as some of the lessons render forms after submission of an ajax form
return (content == null) ? "" : content.toString();// + makeAllAjax;
}
/**
* Description of the Method
*
* @param x Description of the Parameter
* @return Description of the Return Value
*/
protected static String pad(int x) {
StringBuilder sb = new StringBuilder();
if (x < 10) {
sb.append(" ");
}
if (x < 100) {
sb.append(" ");
}
sb.append(x);
return (sb.toString());
}
/**
* Description of the Method
*
* @param token Description of the Parameter
* @return Description of the Return Value
*/
protected static String convertMetachars(String token) {
int mci = 0;
/*
* meta char array FIXME: Removed the conversion of whitespace " " to "&nbsp" in order for
* the html to be automatically wrapped in client browser. It is better to add line length
* checking and only do "&nbsp" conversion in lines that won't exceed screen size, say less
* than 80 characters.
*/
String[] metaChar = {"&", "<", ">", "\"", "\t", System.getProperty("line.separator")};
String[] htmlCode = {"&amp;", "&lt;", "&gt;", "&quot;", " ", "<br>"};
String replacedString = token;
for (; mci < metaChar.length; mci += 1) {
replacedString = replacedString.replaceAll(metaChar[mci], htmlCode[mci]);
}
return (replacedString);
}
/**
* Description of the Method
*
* @param token Description of the Parameter
* @return Description of the Return Value
*/
protected static String convertMetacharsJavaCode(String token) {
return (convertMetachars(token).replaceAll(" ", "&nbsp;"));
}
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
// protected abstract Element wrapForm( WebSession s );
}
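Review bot: The `createLessonTracker()` Javadoc that appears to survive on the new side of the second hunk still carries the generated placeholder `@return Description of the Return Value`, and with `RandomLessonTracker` and `SequentialLessonTracker` deleted in this same commit no subclass on this page overrides it any more, so the "custom LessonTracker object if needed" wording is stale too. Suggest `/** Creates the tracker that records a user's progress for this screen; subclasses may override to supply a specialised tracker. @return a fresh {@link LessonTracker} */`. The third hunk drops `convertMetachars` and `convertMetacharsJavaCode`, the only HTML-encoding helpers this class provided; any lesson that still echoes request-derived text into a page must now encode it through some other path, and it would help reviewers if the commit named which one (the callers are not visible from here). The body of `Screen` spans all three hunks, so its remaining members are only partially visible.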


@ -1,61 +0,0 @@
package org.owasp.webgoat.session;
import java.util.Properties;
/**
* <p>SequentialLessonTracker class.</p>
*
* @version $Id: $Id
* @author dm
*/
public class SequentialLessonTracker extends LessonTracker
{
private int currentStage = 1;
/**
* <p>getStage.</p>
*
* @return a int.
*/
public int getStage()
{
return currentStage;
}
/**
* <p>setStage.</p>
*
* @param stage a int.
*/
public void setStage(int stage)
{
currentStage = stage;
}
/** {@inheritDoc} */
protected void setProperties(Properties props, Screen screen)
{
super.setProperties(props, screen);
currentStage = Integer.parseInt(props.getProperty(screen.getTitle() + ".currentStage"));
}
/** {@inheritDoc} */
public void store(WebSession s, Screen screen, String user)
{
lessonProperties.setProperty(screen.getTitle() + ".currentStage", Integer.toString(currentStage));
super.store(s, screen, user);
}
/**
* <p>toString.</p>
*
* @return a {@link java.lang.String} object.
*/
public String toString()
{
return super.toString() + " - currentStage:....... " + currentStage + "\n";
}
}


@ -1,41 +0,0 @@
package org.owasp.webgoat.session;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @version $Id: $Id
* @author dm
*/
public class UnauthenticatedException extends Exception
{
/**
*
*/
private static final long serialVersionUID = 97865025446819061L;
}


@ -1,41 +0,0 @@
package org.owasp.webgoat.session;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @version $Id: $Id
* @author dm
*/
public class UnauthorizedException extends Exception
{
/**
*
*/
private static final long serialVersionUID = 5245519486798464814L;
}


@ -1,52 +0,0 @@
package org.owasp.webgoat.session;
import java.util.ArrayList;
import java.util.Iterator;
/**
* <p>User class.</p>
*
* @version $Id: $Id
* @author dm
*/
public class User {
private String username;
private ArrayList<Role> roles;
/**
* <p>Constructor for User.</p>
*
* @param username a {@link java.lang.String} object.
*/
public User(String username) {
this.username = username;
this.roles = new ArrayList<Role>();
}
/**
* <p>Getter for the field <code>username</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getUsername() {
return username;
}
/**
* <p>Getter for the field <code>roles</code>.</p>
*
* @return a {@link java.util.Iterator} object.
*/
public Iterator<Role> getRoles() {
return roles.iterator();
}
/**
* <p>addRole.</p>
*
* @param rolename a {@link java.lang.String} object.
*/
public void addRole(String rolename) {
roles.add(new Role(rolename));
}
}


@ -1,9 +1,12 @@
package org.owasp.webgoat.session;
import java.sql.*;
import java.util.ArrayList;
import java.util.Iterator;
import java.io.File;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
class UserDatabase {
private Connection userDB;
@ -20,9 +23,6 @@ class UserDatabase {
private final String QUERY_ALL_ROLES_FOR_USERNAME = "SELECT rolename FROM roles, user_roles, users WHERE roles.id = user_roles.role_id AND user_roles.user_id = users.id AND users.username = ?;";
private final String QUERY_TABLE_COUNT = "SELECT count(id) AS count FROM table;";
private final String DELETE_ALL_ROLES_FOR_USER = "DELETE FROM user_roles WHERE user_id IN (SELECT id FROM users WHERE username = ?);";
private final String DELETE_USER = "DELETE FROM users WHERE username = ?;";
/**
* <p>Constructor for UserDatabase.</p>
*/
@ -101,42 +101,6 @@ class UserDatabase {
return count;
}
/**
* <p>getUsers.</p>
*
* @return a {@link java.util.Iterator} object.
*/
public Iterator<User> getUsers() {
ArrayList<User> users = new ArrayList<User>();
User currentUser;
ResultSet userResults, roleResults;
try {
open();
Statement statement = userDB.createStatement();
PreparedStatement rolesForUsers = userDB.prepareStatement(QUERY_ALL_ROLES_FOR_USERNAME);
userResults = statement.executeQuery(QUERY_ALL_USERS);
while (userResults.next()) {
currentUser = new User(userResults.getString("username"));
rolesForUsers.setString(1, currentUser.getUsername());
roleResults = rolesForUsers.executeQuery();
while (roleResults.next()) {
currentUser.addRole(roleResults.getString("rolename"));
}
roleResults.close();
}
rolesForUsers.close();
userResults.close();
close();
} catch (SQLException e) {
e.printStackTrace();
users = new ArrayList<User>();
}
return users.iterator();
}
/**
* <p>addRoleToUser.</p>
*
@ -160,46 +124,6 @@ class UserDatabase {
return true;
}
/**
* <p>removeUser.</p>
*
* @param user a {@link org.owasp.webgoat.session.User} object.
* @return a boolean.
*/
public boolean removeUser(User user) {
return removeUser(user.getUsername());
}
/**
* <p>removeUser.</p>
*
* @param username a {@link java.lang.String} object.
* @return a boolean.
*/
public boolean removeUser(String username) {
try {
open();
PreparedStatement deleteUserRoles = userDB.prepareStatement(DELETE_ALL_ROLES_FOR_USER);
PreparedStatement deleteUser = userDB.prepareStatement(DELETE_USER);
deleteUserRoles.setString(1, username);
deleteUser.setString(1, username);
deleteUserRoles.execute();
deleteUser.execute();
deleteUserRoles.close();
deleteUser.close();
close();
} catch (SQLException e) {
e.printStackTrace();
return false;
}
return true;
}
/*
* Methods to initialise the default state of the database.
*/
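Review bot: The retained `QUERY_TABLE_COUNT` constant in the second hunk (`SELECT count(id) AS count FROM table;`) names no real table — `table` is an SQL keyword — so it cannot be executed as written; since this commit already drops the now-unused `DELETE_ALL_ROLES_FOR_USER` and `DELETE_USER`, it should go the same way unless an unchanged part of the file rewrites it before use. The first hunk adds `import java.io.File`, but nothing in the visible hunks uses it; if the consumer is in the unchanged constructor that is fine, otherwise it is an unused import. The `UserDatabase` class body continues outside the hunks shown.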


@ -1,300 +1,106 @@
package org.owasp.webgoat.session;
import java.util.ArrayList;
import java.util.Collection;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Optional;
/**
*************************************************************************************************
*
*
* ************************************************************************************************
* <p>
* <p>
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* <p>
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* <p>
* Getting Source ==============
*
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @since October 29, 2003
* @version $Id: $Id
* @since October 29, 2003
*/
public class UserTracker
{
@Component
public class UserTracker {
private static UserTracker instance;
private static Map<String, HashMap<String, LessonTracker>> storage = new HashMap<>();
private final String webgoatHome;
private final WebSession webSession;
// FIXME: persist this somehow!
public UserTracker(@Value("${webgoat.user.directory}") final String webgoatHome, final WebSession webSession) {
this.webgoatHome = webgoatHome;
this.webSession = webSession;
}
private static HashMap<String, HashMap<String, LessonTracker>> storage = new HashMap<String, HashMap<String, LessonTracker>>();
/**
* <p>getCurrentLessonTracker.</p>
*
* @return a {@link org.owasp.webgoat.session.LessonTracker} object.
*/
public LessonTracker getCurrentLessonTracker() {
String lessonTitle = webSession.getCurrentLesson().getTitle();
String username = webSession.getUserName();
HashMap<String, LessonTracker> usermap = getUserMap(username);
LessonTracker tracker = usermap.get(lessonTitle);
if (tracker == null) {
// Creates a new lesson tracker, if one does not exist on disk.
tracker = LessonTracker.load(webSession, username, webSession.getCurrentLesson());
usermap.put(lessonTitle, tracker);
}
return tracker;
}
private static UserDatabase usersDB = new UserDatabase();
/**
* Returns the lesson tracker for a specific lesson if available.
*
* @param lesson the lesson
* @return the optional lesson tracker
*/
public Optional<LessonTracker> getLessonTracker(AbstractLesson lesson) {
String username = webSession.getUserName();
return Optional.ofNullable(getUserMap(username).getOrDefault(lesson.getTitle(), null));
}
/**
* Constructor for the UserTracker object
*/
private UserTracker()
{
}
/**
* Gets the completed attribute of the UserTracker object
*
* @param userName
* Description of the Parameter
* @return The completed value
*/
public int getCompleted(String userName)
{
/**
* Gets the userMap attribute of the UserTracker object
*
* @param userName Description of the Parameter
* @return The userMap value
*/
private HashMap<String, LessonTracker> getUserMap(String userName) {
HashMap usermap = getUserMap(userName);
HashMap<String, LessonTracker> usermap = storage.get(userName);
Iterator i = usermap.entrySet().iterator();
if (usermap == null) {
int count = 0;
usermap = new HashMap<>();
while (i.hasNext())
{
storage.put(userName, usermap);
Map.Entry entry = (Map.Entry) i.next();
}
int value = ((Integer) entry.getValue()).intValue();
if (value > 5)
{
count++;
}
}
return count;
}
/**
* Gets the users attribute of the UserTracker object
*
* @return The users value
*/
public Collection getUsers()
{
return storage.keySet();
}
/**
* <p>getAllUsers.</p>
*
* @param roleName a {@link java.lang.String} object.
* @return a {@link java.util.Collection} object.
*/
public Collection<String> getAllUsers(String roleName)
{
synchronized (usersDB)
{
Collection<String> allUsers = new ArrayList<String>();
try
{
usersDB.open();
Iterator users = usersDB.getUsers();
while (users.hasNext())
{
User user = (User) users.next();
Iterator roles = user.getRoles();
while (roles.hasNext())
{
Role role = (Role) roles.next();
if (role.getRolename().trim().equals(roleName))
{
allUsers.add(user.getUsername());
}
}
}
usersDB.close();
} catch (Exception e)
{
}
return allUsers;
}
}
/**
* <p>deleteUser.</p>
*
* @param user a {@link java.lang.String} object.
*/
public void deleteUser(String user)
{
synchronized (usersDB)
{
try
{
usersDB.open();
Iterator users = usersDB.getUsers();
while (users.hasNext())
{
User tomcatUser = (User) users.next();
if (tomcatUser.getUsername().equals(user))
{
usersDB.removeUser(tomcatUser);
// FIXME: delete all the lesson tracking property files
break;
}
}
usersDB.close();
} catch (Exception e)
{
}
}
}
/**
* Gets the lessonTracker attribute of the UserTracker object
*
* @param screen
* Description of the Parameter
* @return The lessonTracker value
* @param screen
* Description of the Parameter
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
*/
public LessonTracker getLessonTracker(WebSession s, Screen screen)
{
return getLessonTracker(s, s.getUserName(), screen);
}
/**
* <p>getLessonTracker.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param screen a {@link org.owasp.webgoat.session.Screen} object.
* @param user a {@link java.lang.String} object.
* @param screen a {@link org.owasp.webgoat.session.Screen} object.
* @return a {@link org.owasp.webgoat.session.LessonTracker} object.
*/
public LessonTracker getLessonTracker(WebSession s, String user, Screen screen)
{
HashMap<String, LessonTracker> usermap = getUserMap(user);
LessonTracker tracker = (LessonTracker) usermap.get(screen.getTitle());
if (tracker == null)
{
// Creates a new lesson tracker, if one does not exist on disk.
tracker = LessonTracker.load(s, user, screen);
usermap.put(screen.getTitle(), tracker);
}
// System.out.println( "User: [" + userName + "] UserTracker:getLessonTracker() LTH " +
// tracker.hashCode() + " for " + screen );
return tracker;
}
/**
* Gets the status attribute of the UserTracker object
*
* @param screen
* Description of the Parameter
* @return The status value
* @param screen
* Description of the Parameter
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
*/
public String getStatus(WebSession s, Screen screen)
{
return ("User [" + s.getUserName() + "] has accessed " + screen + " UserTracker:getStatus()LTH = " + getLessonTracker(
s,
screen)
.hashCode());
}
/**
* Gets the userMap attribute of the UserTracker object
*
* @param userName
* Description of the Parameter
* @return The userMap value
*/
private HashMap<String, LessonTracker> getUserMap(String userName)
{
HashMap<String, LessonTracker> usermap = storage.get(userName);
if (usermap == null)
{
usermap = new HashMap<String, LessonTracker>();
storage.put(userName, usermap);
}
return (usermap);
}
/**
* Description of the Method
*
* @return Description of the Return Value
*/
public static synchronized UserTracker instance()
{
if (instance == null)
{
instance = new UserTracker();
}
return instance;
}
/**
* Description of the Method
*
* @param screen
* Description of the Parameter
* @param screen
* Description of the Parameter
* @param screen
* Description of the Parameter
* @param screen
* Description of the Parameter
* @param screen
* Description of the Parameter
* @param screen
* Description of the Parameter
* @param s
* Description of the Parameter
*/
public void update(WebSession s, Screen screen)
{
LessonTracker tracker = getLessonTracker(s, screen);
// System.out.println( "User [" + s.getUserName() + "] TRACKER: updating " + screen +
// " LTH " + tracker.hashCode() );
tracker.store(s, screen);
HashMap<String, LessonTracker> usermap = getUserMap(s.getUserName());
usermap.put(screen.getTitle(), tracker);
}
return (usermap);
}
}
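Review bot: `storage` on the new side stays a `static` mutable `HashMap` shared by every user, and `getUserMap` does an unsynchronized get-then-put on it, so two requests from different users arriving together in this `@Component` can drop an entry or corrupt the map; the same check-then-put sits in `getCurrentLessonTracker` on the per-user map. I would declare the field as `private static final Map<String, Map<String, LessonTracker>> storage = new ConcurrentHashMap<>();`, collapse `getUserMap` to `return storage.computeIfAbsent(userName, k -> new ConcurrentHashMap<>());`, and widen its return type and the local in `getCurrentLessonTracker` to `Map<String, LessonTracker>`. In `getLessonTracker`, `getOrDefault(lesson.getTitle(), null)` is just `get(lesson.getTitle())`. The bean also holds a `WebSession` while keeping per-user state in a static field; the bean's scope is not visible here, so it is worth confirming it is session-scoped rather than a singleton, otherwise the injected session would be shared across users as well. `webgoatHome` is assigned in the constructor but never read in the visible code, which the `// FIXME: persist this somehow!` seems to acknowledge.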


@ -1,58 +0,0 @@
package org.owasp.webgoat.session;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @version $Id: $Id
* @author dm
*/
public class ValidationException extends Exception
{
/**
*
*/
private static final long serialVersionUID = -8358754606830400708L;
/**
* <p>Constructor for ValidationException.</p>
*/
public ValidationException()
{
super();
}
/**
* <p>Constructor for ValidationException.</p>
*
* @param message a {@link java.lang.String} object.
*/
public ValidationException(String message)
{
super(message);
}
}


@ -1,113 +0,0 @@
package org.owasp.webgoat.session;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.core.env.Environment;
import org.springframework.stereotype.Component;
/**
* *************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
*
* @version $Id: $Id
* @author dm
*/
@Component
public class WebgoatProperties {
@Autowired
private Environment env;
/**
*
*/
private static final long serialVersionUID = 4351681705558227918L;
final Logger logger = LoggerFactory.getLogger(WebgoatProperties.class);
/**
* <p>getIntProperty.</p>
*
* @param key a {@link java.lang.String} object.
* @param defaultValue a int.
* @return a int.
*/
public int getIntProperty(String key, int defaultValue) {
int value = defaultValue;
String s = env.getProperty(key);
if (s != null) {
value = Integer.parseInt(s);
}
return value;
}
/**
* <p>getBooleanProperty.</p>
*
* @param key a {@link java.lang.String} object.
* @param defaultValue a boolean.
* @return a boolean.
*/
public boolean getBooleanProperty(String key, boolean defaultValue) {
boolean value = defaultValue;
key = this.trimLesson(key);
String s = env.getProperty(key);
if (s != null) {
if (s.equalsIgnoreCase("true")) {
value = true;
} else if (s.equalsIgnoreCase("yes")) {
value = true;
} else if (s.equalsIgnoreCase("on")) {
value = true;
} else if (s.equalsIgnoreCase("false")) {
value = false;
} else if (s.equalsIgnoreCase("no")) {
value = false;
} else if (s.equalsIgnoreCase("off")) {
value = false;
}
}
return value;
}
private String trimLesson(String lesson) {
String result = "";
if (lesson.startsWith("org.owasp.webgoat.lessons.")) {
result = lesson.substring("org.owasp.webgoat.lessons.".length(), lesson.length());
} else {
result = lesson;
}
return result;
}
}


@ -1,67 +0,0 @@
package org.owasp.webgoat.util;
import org.springframework.beans.BeansException;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.stereotype.Component;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for
* free software projects.
*
* @version $Id: $Id
* @author dm
*/
@Component
public class BeanProvider implements ApplicationContextAware
{
private static ApplicationContext ctx;
/** {@inheritDoc} */
@Override
public void setApplicationContext(ApplicationContext applicationContext) throws BeansException
{
ctx = applicationContext;
}
/**
* Get access to managed beans from id.
*
* @param beanName
* the id of the searched bean
* @param beanClass
* the type of tye searched bean
* @param <T> a T object.
* @return a T object.
*/
@SuppressWarnings("unchecked")
public static <T> T getBean(final String beanName, final Class<T> beanClass)
{
return (T) ctx.getBean(beanName);
}
}


@ -1,228 +0,0 @@
package org.owasp.webgoat.util;
import java.util.HashMap;
import java.util.Map;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @version $Id: $Id
* @author dm
*/
public class HtmlEncoder
{
static Map<String, Integer> e2i = new HashMap<String, Integer>();
static Map<Integer, String> i2e = new HashMap<Integer, String>();
// html entity list
private static Object[][] entities = { { "quot", new Integer(34) }, // " - double-quote
{ "amp", new Integer(38) }, // - ampersand
{ "lt", new Integer(60) }, // - less-than
{ "gt", new Integer(62) }, // - greater-than
{ "nbsp", new Integer(160) }, // non-breaking space
{ "copy", new Integer(169) }, // - copyright
{ "reg", new Integer(174) }, // - registered trademark
{ "Agrave", new Integer(192) }, // - uppercase A, grave accent
{ "Aacute", new Integer(193) }, // - uppercase A, acute accent
{ "Acirc", new Integer(194) }, // - uppercase A, circumflex accent
{ "Atilde", new Integer(195) }, // - uppercase A, tilde
{ "Auml", new Integer(196) }, // - uppercase A, umlaut
{ "Aring", new Integer(197) }, // - uppercase A, ring
{ "AElig", new Integer(198) }, // - uppercase AE
{ "Ccedil", new Integer(199) }, // - uppercase C, cedilla
{ "Egrave", new Integer(200) }, // - uppercase E, grave accent
{ "Eacute", new Integer(201) }, // - uppercase E, acute accent
{ "Ecirc", new Integer(202) }, // - uppercase E, circumflex accent
{ "Euml", new Integer(203) }, // - uppercase E, umlaut
{ "Igrave", new Integer(204) }, // - uppercase I, grave accent
{ "Iacute", new Integer(205) }, // - uppercase I, acute accent
{ "Icirc", new Integer(206) }, // - uppercase I, circumflex accent
{ "Iuml", new Integer(207) }, // - uppercase I, umlaut
{ "ETH", new Integer(208) }, // - uppercase Eth, Icelandic
{ "Ntilde", new Integer(209) }, // - uppercase N, tilde
{ "Ograve", new Integer(210) }, // - uppercase O, grave accent
{ "Oacute", new Integer(211) }, // - uppercase O, acute accent
{ "Ocirc", new Integer(212) }, // - uppercase O, circumflex accent
{ "Otilde", new Integer(213) }, // - uppercase O, tilde
{ "Ouml", new Integer(214) }, // - uppercase O, umlaut
{ "Oslash", new Integer(216) }, // - uppercase O, slash
{ "Ugrave", new Integer(217) }, // - uppercase U, grave accent
{ "Uacute", new Integer(218) }, // - uppercase U, acute accent
{ "Ucirc", new Integer(219) }, // - uppercase U, circumflex accent
{ "Uuml", new Integer(220) }, // - uppercase U, umlaut
{ "Yacute", new Integer(221) }, // - uppercase Y, acute accent
{ "THORN", new Integer(222) }, // - uppercase THORN, Icelandic
{ "szlig", new Integer(223) }, // - lowercase sharps, German
{ "agrave", new Integer(224) }, // - lowercase a, grave accent
{ "aacute", new Integer(225) }, // - lowercase a, acute accent
{ "acirc", new Integer(226) }, // - lowercase a, circumflex accent
{ "atilde", new Integer(227) }, // - lowercase a, tilde
{ "auml", new Integer(228) }, // - lowercase a, umlaut
{ "aring", new Integer(229) }, // - lowercase a, ring
{ "aelig", new Integer(230) }, // - lowercase ae
{ "ccedil", new Integer(231) }, // - lowercase c, cedilla
{ "egrave", new Integer(232) }, // - lowercase e, grave accent
{ "eacute", new Integer(233) }, // - lowercase e, acute accent
{ "ecirc", new Integer(234) }, // - lowercase e, circumflex accent
{ "euml", new Integer(235) }, // - lowercase e, umlaut
{ "igrave", new Integer(236) }, // - lowercase i, grave accent
{ "iacute", new Integer(237) }, // - lowercase i, acute accent
{ "icirc", new Integer(238) }, // - lowercase i, circumflex accent
{ "iuml", new Integer(239) }, // - lowercase i, umlaut
{ "igrave", new Integer(236) }, // - lowercase i, grave accent
{ "iacute", new Integer(237) }, // - lowercase i, acute accent
{ "icirc", new Integer(238) }, // - lowercase i, circumflex accent
{ "iuml", new Integer(239) }, // - lowercase i, umlaut
{ "eth", new Integer(240) }, // - lowercase eth, Icelandic
{ "ntilde", new Integer(241) }, // - lowercase n, tilde
{ "ograve", new Integer(242) }, // - lowercase o, grave accent
{ "oacute", new Integer(243) }, // - lowercase o, acute accent
{ "ocirc", new Integer(244) }, // - lowercase o, circumflex accent
{ "otilde", new Integer(245) }, // - lowercase o, tilde
{ "ouml", new Integer(246) }, // - lowercase o, umlaut
{ "oslash", new Integer(248) }, // - lowercase o, slash
{ "ugrave", new Integer(249) }, // - lowercase u, grave accent
{ "uacute", new Integer(250) }, // - lowercase u, acute accent
{ "ucirc", new Integer(251) }, // - lowercase u, circumflex accent
{ "uuml", new Integer(252) }, // - lowercase u, umlaut
{ "yacute", new Integer(253) }, // - lowercase y, acute accent
{ "thorn", new Integer(254) }, // - lowercase thorn, Icelandic
{ "yuml", new Integer(255) }, // - lowercase y, umlaut
{ "euro", new Integer(8364) },// Euro symbol
};
/**
* Initialises the mappings between entities and characters
*/
static {
for (int i = 0; i < entities.length; i++)
e2i.put((String) entities[i][0], (Integer) entities[i][1]);
for (int i = 0; i < entities.length; i++)
i2e.put((Integer) entities[i][1], (String) entities[i][0]);
}
/**
* Turns funky characters into HTML entity equivalents
*
* e.g. {@code "bread" & "butter"} = {@code &amp;quot;bread&amp;quot; &amp;amp;
* &amp;quot;butter&amp;quot;}. Update: supports nearly all HTML entities, including funky
* accents. See the source code for more detail. Adapted from
* http://www.purpletech.com/code/src/com/purpletech/util/Utils.java.
*
* @param s1
* Description of the Parameter
* @return Description of the Return Value
*/
public static String encode(String s1)
{
StringBuffer buf = new StringBuffer();
int i;
for (i = 0; i < s1.length(); ++i)
{
char ch = s1.charAt(i);
String entity = i2e.get(new Integer((int) ch));
if (entity == null)
{
if (((int) ch) > 128)
{
buf.append("&#" + ((int) ch) + ";");
}
else
{
buf.append(ch);
}
}
else
{
buf.append("&" + entity + ";");
}
}
return buf.toString();
}
/**
* Given a string containing entity escapes, returns a string containing the actual Unicode
* characters corresponding to the escapes. Adapted from
* http://www.purpletech.com/code/src/com/purpletech/util/Utils.java.
*
* @param s1
* Description of the Parameter
* @return Description of the Return Value
*/
public static String decode(String s1)
{
StringBuffer buf = new StringBuffer();
int i;
for (i = 0; i < s1.length(); ++i)
{
char ch = s1.charAt(i);
if (ch == '&')
{
int semi = s1.indexOf(';', i + 1);
if (semi == -1)
{
buf.append(ch);
continue;
}
String entity = s1.substring(i + 1, semi);
Integer iso;
if (entity.charAt(0) == '#')
{
iso = new Integer(entity.substring(1));
}
else
{
iso = e2i.get(entity);
}
if (iso == null)
{
buf.append("&" + entity + ";");
}
else
{
buf.append((char) (iso.intValue()));
}
i = semi;
}
else
{
buf.append(ch);
}
}
return buf.toString();
}
}


@ -1,95 +0,0 @@
package org.owasp.webgoat.util;
import org.owasp.webgoat.session.WebgoatContext;
import java.util.HashMap;
import java.util.Locale;
import java.util.ResourceBundle;
@Deprecated
/**
* <p>WebGoatI18N class.</p>
*
* @version $Id: $Id
* @author dm
*/
public class WebGoatI18N
{
private static HashMap<Locale, ResourceBundle> labels = new HashMap<Locale, ResourceBundle>();
private static Locale currentLocale;
private static WebGoatResourceBundleController localeController;
/**
* <p>Constructor for WebGoatI18N.</p>
*
* @param context a {@link org.owasp.webgoat.session.WebgoatContext} object.
*/
public WebGoatI18N(WebgoatContext context)
{
currentLocale = new Locale(context.getDefaultLanguage());
localeController = new WebGoatResourceBundleController(currentLocale);
}
/**
* <p>loadLanguage.</p>
*
* @param language a {@link java.lang.String} object.
*/
@Deprecated
public static void loadLanguage(String language)
{
// Do nothing
}
/**
* <p>Setter for the field <code>currentLocale</code>.</p>
*
* @param locale a {@link java.util.Locale} object.
*/
public static void setCurrentLocale(Locale locale)
{
if (!currentLocale.equals(locale))
{
if (!labels.containsKey(locale))
{
ResourceBundle resBundle = ResourceBundle.getBundle("WebGoatLabels", locale, localeController);
labels.put(locale, resBundle);
}
WebGoatI18N.currentLocale = locale;
}
}
/**
* <p>get.</p>
*
* @param strName a {@link java.lang.String} object.
* @return a {@link java.lang.String} object.
*/
public static String get(String strName)
{
return labels.get(WebGoatI18N.currentLocale).getString(strName);
}
private static class WebGoatResourceBundleController extends ResourceBundle.Control
{
private Locale fallbackLocale;
public WebGoatResourceBundleController(Locale l)
{
fallbackLocale = l;
}
@Override
public Locale getFallbackLocale(String baseName, Locale locale)
{
if(! fallbackLocale.equals(locale)) {
return fallbackLocale;
}
return Locale.ROOT;
}
}
}