Moving forward cleaning up some unnecessary lesson super classes which we

do not need to support anymore in 8.0:

- Introduced DI throughout the code base
- Removed most superclasses of a lesson
- Hammerhead is now simplified to only one line of code
- Cleaned up WebSession
- Removed code which dealt with user roles, lesson fetching, username etc.
- LessonTracker improvements
- Removed almost all code from the Screen class
- Removed ECS from the container project
- Removed administration pages; they contained a lot of ECS code which is much
  simpler to just rewrite when necessary
This commit is contained in:
Nanne Baars 2016-10-31 17:32:34 +01:00
parent 8c231bbd6d
commit 0bec575913
125 changed files with 764 additions and 13515 deletions


@ -1,120 +0,0 @@
package org.owasp.webgoat;
import java.io.IOException;
import java.util.Enumeration;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.WebSession;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @since March 13, 2007
* @version $Id: $Id
*/
public class Catcher extends HammerHead
{
/**
*
*/
private static final long serialVersionUID = 7441856110845727651L;
/**
* Description of the Field
*/
public final static String START_SOURCE_SKIP = "START_OMIT_SOURCE";
/** Constant <code>END_SOURCE_SKIP="END_OMIT_SOURCE"</code> */
public final static String END_SOURCE_SKIP = "END_OMIT_SOURCE";
/** Constant <code>PROPERTY="PROPERTY"</code> */
public static final String PROPERTY = "PROPERTY";
/** Constant <code>EMPTY_STRING=""</code> */
public static final String EMPTY_STRING = "";
/**
* {@inheritDoc}
*
* Description of the Method
* @exception IOException
* Description of the Exception
* @exception ServletException
* Description of the Exception
*/
public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException
{
try
{
// System.out.println( "Entering doPost: " );
// System.out.println( " - request " + request);
// System.out.println( " - principle: " + request.getUserPrincipal() );
// setCacheHeaders(response, 0);
WebSession session = (WebSession) request.getSession(true).getAttribute(WebSession.SESSION);
session.update(request, response, this.getServletName()); // FIXME: Too much in this
// call.
int scr = session.getCurrentScreen();
Course course = session.getCourse();
AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE);
log(request, lesson.getClass().getName() + " | " + session.getParser().toString());
String property = new String(session.getParser().getStringParameter(PROPERTY, EMPTY_STRING));
// if the PROPERTY parameter is available - write all the parameters to the
// property file. No other control parameters are supported at this time.
if (!property.equals(EMPTY_STRING))
{
Enumeration<String> e = session.getParser().getParameterNames();
while (e.hasMoreElements())
{
String name = (String) e.nextElement();
String value = session.getParser().getParameterValues(name)[0];
lesson.getLessonTracker(session).getLessonProperties().setProperty(name, value);
}
}
lesson.getLessonTracker(session).store(session, lesson);
// BDM MC
// WEB-173 - removed for testing, as plugin architecture would not allow this
// if ( request.getParameter("Deleter") != null ){org.owasp.webgoat.lessons.BlindScript.StaticDeleter();}
} catch (Throwable t)
{
t.printStackTrace();
log("ERROR: " + t);
}
}
}


@ -1,398 +1,60 @@
package org.owasp.webgoat;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.WelcomeScreen;
import org.owasp.webgoat.lessons.admin.WelcomeAdminScreen;
import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.ErrorScreen;
import org.owasp.webgoat.session.Screen;
import org.owasp.webgoat.session.UserTracker;
import org.owasp.webgoat.session.WebSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.io.PrintWriter;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Locale;
import java.util.TimeZone;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;
/**
* *************************************************************************************************
*
*
* <p>
* <p>
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* <p>
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* <p>
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* <p>
* Getting Source ==============
*
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect
* Security</a>
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @since October 28, 2003
* @author Jeff Williams
* @author Bruce Mayhew
* @author Nanne Baars
* @version $Id: $Id
* @since October 28, 2003
*/
public class HammerHead extends HttpServlet {
@Controller
public class HammerHead {
private static final long serialVersionUID = 645640331343188020L;
private static SimpleDateFormat httpDateFormat;
private final Logger logger = LoggerFactory.getLogger(HammerHead.class);
private WebSession webSession;
private final Course course;
public HammerHead() {
//for catcher subclass
}
public HammerHead(WebSession webSession) {
this.webSession = webSession;
public HammerHead(Course course) {
this.course = course;
}
/**
* {@inheritDoc}
*
* Description of the Method
* @exception IOException Description of the Exception
* @exception ServletException Description of the Exception
* Entry point for WebGoat, redirects to the first lesson found within the course.
*/
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
doPost(request, response);
}
/**
* {@inheritDoc}
*
* Description of the Method
* @exception IOException Description of the Exception
* @exception ServletException Description of the Exception
*/
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
Screen screen = null;
WebSession mySession = null;
try {
logger.debug("Entering doPost");
logger.debug("request: " + request);
logger.debug("principle: " + request.getUserPrincipal());
// setCacheHeaders(response, 0);
ServletContext context = getServletContext();
// FIXME: If a response is written by updateSession(), do not
// call makeScreen() and writeScreen()
mySession = updateSession(request, response, context);
if (response.isCommitted()) {
logger.debug("Response already committed, exiting");
return;
}
if ("true".equals(request.getParameter("start")) || request.getQueryString() == null) {
logger.warn("Redirecting to first lesson");
response.sendRedirect("start.mvc" + mySession.getCourse().getFirstLesson().getLink());
return;
}
// Note: For the lesson to track the status, we need to update
// the lesson tracker object
// from the screen.createContent() method. The create content is
// the only point
// where the lesson "knows" what has happened. To track it at a
// latter point would
// require the lesson to have memory.
screen = makeScreen(mySession);
// This calls the lesson's
// handleRequest()
if (response.isCommitted()) {
return;
}
// perform lesson-specific tracking activities
if (screen instanceof AbstractLesson) {
AbstractLesson lesson = (AbstractLesson) screen;
// we do not count the initial display of the lesson screen as a visit
if ("GET".equals(request.getMethod())) {
String uri = request.getRequestURI() + "?" + request.getQueryString();
if (!uri.endsWith(lesson.getLink())) {
screen.getLessonTracker(mySession).incrementNumVisits();
}
} else if ("POST".equals(request.getMethod())
&& mySession.getPreviousScreen() == mySession.getCurrentScreen()) {
screen.getLessonTracker(mySession).incrementNumVisits();
}
}
// log the access to this screen for this user
UserTracker userTracker = UserTracker.instance();
userTracker.update(mySession, screen);
log(request, screen.getClass().getName() + " | " + mySession.getParser().toString());
// Redirect the request to our View servlet
String userAgent = request.getHeader("user-agent");
String clientBrowser = "Not known!";
if (userAgent != null) {
clientBrowser = userAgent;
}
request.setAttribute("client.browser", clientBrowser);
// removed - this is being done in updateSession call
//request.getSession().setAttribute(WebSession.SESSION, mySession);
// not sure why this is being set in the session?
//request.getSession().setAttribute(WebSession.COURSE, mySession.getCourse());
String viewPage = getViewPage(mySession);
logger.debug("Forwarding to view: " + viewPage);
logger.debug("Screen: " + screen);
response.sendRedirect("startlesson.mvc");
// request.getRequestDispatcher(viewPage).forward(request, response);
} catch (Throwable t) {
logger.error("Error handling request", t); screen = new ErrorScreen(mySession, t);
} finally {
try {
if (screen instanceof ErrorScreen) {
this.writeScreen(mySession, screen, response);
}
} catch (Throwable thr) {
logger.error("Could not write error screen", thr);
}
WebSession.returnConnection(mySession);
logger.debug("Leaving doPost: ");
}
}
private String getViewPage(WebSession webSession) {
// now always display the lesson content
String page = "lesson_content";
//page = "/main.jsp";
return page;
}
/**
* Description of the Method
*
* @param date Description of the Parameter
* @return RFC 1123 http date format
*/
protected static String formatHttpDate(Date date) {
synchronized (httpDateFormat) {
return httpDateFormat.format(date);
}
}
/**
* {@inheritDoc}
*
* Return information about this servlet
*/
@Override
public String getServletInfo() {
return "WebGoat is sponsored by Aspect Security.";
}
/**
* {@inheritDoc}
*
* Return properties path
*/
@Override
public void init() throws ServletException {
logger.info("Initializing main webgoat servlet");
httpDateFormat = new SimpleDateFormat("EEE, dd MMM yyyyy HH:mm:ss z", Locale.US);
httpDateFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
}
/**
* Description of the Method
*
* @param request Description of the Parameter
* @param message Description of the Parameter
*/
public void log(HttpServletRequest request, String message) {
String output = new Date() + " | " + request.getRemoteHost() + ":" + request.getRemoteAddr() + " | " + message;
log(output);
logger.debug(output);
}
/*
* public List getLessons(Category category, String role) { Course course =
* mySession.getCourse(); // May need to clone the List before returning it. //return new
* ArrayList(course.getLessons(category, role)); return course.getLessons(category, role); }
*/
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected Screen makeScreen(WebSession s) {
Screen screen = null;
int scr = s.getCurrentScreen();
Course course = s.getCourse();
if (s.isUser() || s.isChallenge()) {
if (scr == WebSession.WELCOME) {
screen = new WelcomeScreen(s);
} else {
AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
if (lesson == null && s.isHackedAdmin()) {
// If admin was hacked, let the user see some of the
// admin screens
lesson = course.getLesson(s, scr, AbstractLesson.HACKED_ADMIN_ROLE);
}
if (lesson != null) {
screen = lesson;
// We need to do some bookkeeping for the hackable admin
// interface.
// This is the only place we can tell if the user
// successfully hacked the hackable
// admin and has actually accessed an admin screen. You
// need BOTH pieces of information
// in order to satisfy the remote admin lesson.
s.setHasHackableAdmin(screen.getRole());
lesson.handleRequest(s);
s.setCurrentMenu(lesson.getCategory().getRanking());
} else {
screen = new ErrorScreen(s, "Invalid screen requested. Try: http://localhost/WebGoat/attack");
}
}
} else if (s.isAdmin()) {
if (scr == WebSession.WELCOME) {
screen = new WelcomeAdminScreen(s);
} else {
// Admin can see all roles.
// FIXME: should be able to pass a list of roles.
AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.ADMIN_ROLE);
if (lesson == null) {
lesson = course.getLesson(s, scr, AbstractLesson.HACKED_ADMIN_ROLE);
}
if (lesson == null) {
lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
}
if (lesson != null) {
screen = lesson;
// We need to do some bookkeeping for the hackable admin
// interface.
// This is the only place we can tell if the user
// successfully hacked the hackable
// admin and has actually accessed an admin screen. You
// need BOTH pieces of information
// in order to satisfy the remote admin lesson.
s.setHasHackableAdmin(screen.getRole());
lesson.handleRequest(s);
s.setCurrentMenu(lesson.getCategory().getRanking());
} else {
screen = new ErrorScreen(s,
"Invalid screen requested. Try Setting Admin to false or Try: http://localhost/WebGoat/attack");
}
}
}
return (screen);
}
/**
* Description of the Method
*
* @param request Description of the Parameter
* @param response Description of the Parameter
* @param context Description of the Parameter
* @return Description of the Return Value
* @throws java.io.IOException if any.
*/
protected WebSession updateSession(HttpServletRequest request, HttpServletResponse response, ServletContext context)
throws IOException {
HttpSession hs;
// session should already be created by spring security
hs = request.getSession(false);
//TODO rewrite this logic
logger.debug("HH Entering Session_id: " + hs.getId());
// dumpSession( hs );
// Get our session object out of the HTTP session
WebSession session = this.webSession;
Object o = hs.getAttribute(WebSession.SESSION);
if ((o != null) && o instanceof WebSession) {
session = (WebSession) o;
hs.setAttribute(WebSession.COURSE, session.getCourse());
} else {
// Create new custom session and save it in the HTTP session
logger.warn("HH Creating new WebSession");
// Ensure splash screen shows on any restart
// rlawson - removed this since we show splash screen at login now
//hs.removeAttribute(WELCOMED);
//@TODO NO NEED TO PUT IN THE HTTP SESSION, FOCUS WILL FIX LATER
hs.setAttribute(WebSession.SESSION, session);
}
session.update(request, response, this.getServletName());
// update last attack request info (cookies, parms)
// this is so the REST services can have access to them via the session
session.updateLastAttackRequestInfo(request);
// to authenticate
logger.debug("HH Leaving Session_id: " + hs.getId());
//dumpSession( hs );
return (session);
}
/**
* Description of the Method
*
* @param s Description of the Parameter
* @param screen a {@link org.owasp.webgoat.session.Screen} object.
* @param screen a {@link org.owasp.webgoat.session.Screen} object.
* @param response Description of the Parameter
* @exception IOException Description of the Exception
* @throws java.io.IOException if any.
*/
protected void writeScreen(WebSession s, Screen screen, HttpServletResponse response) throws IOException {
response.setContentType("text/html");
PrintWriter out = response.getWriter();
if (s == null) {
screen = new ErrorScreen(s, "Page to display was null");
}
// set the content-length of the response.
// Trying to avoid chunked-encoding. (Aspect required)
response.setContentLength(screen.getContentLength());
response.setHeader("Content-Length", screen.getContentLength() + "");
screen.output(out);
out.flush();
out.close();
//// TODO: 11/6/2016 course necessary?
@RequestMapping(path = "/attack", method = {RequestMethod.GET, RequestMethod.POST})
public ModelAndView attack() {
return new ModelAndView("redirect:" + "start.mvc" + course.getFirstLesson().getLink());
}
}
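Review bot: `attack()` builds its redirect from `course.getFirstLesson().getLink()` with no guard, so if `getFirstLesson()` can return null (a course with no plugins loaded; its contract is not visible here) the `/attack` entry point fails with a NullPointerException rather than a readable error. A one-line check before the return covers it: `if (course.getFirstLesson() == null) { throw new IllegalStateException("No lessons loaded in course"); }`. The `//// TODO: 11/6/2016 course necessary?` comment should be resolved or removed now that `course` is the only field the controller reads, and the added Javadoc sentence "Entry point for WebGoat, redirects to the first lesson found within the course." belongs on `attack()` itself. If `serialVersionUID` survives in the new class it is dead weight now that `HttpServlet` is gone.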


@ -31,11 +31,10 @@
package org.owasp.webgoat;
import com.google.common.collect.Sets;
import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.LabelDebugger;
import org.owasp.webgoat.session.WebSession;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.web.servlet.ServletRegistrationBean;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@ -103,12 +102,6 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter {
return engine;
}
@Bean
public ServletRegistrationBean servletRegistrationBean(HammerHead hammerHead) {
return new ServletRegistrationBean(hammerHead, "/attack/*");
}
/**
* This way we expose the plugins target directory as a resource within the web application.
*
@ -120,8 +113,8 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter {
}
@Bean
public HammerHead hammerHead(WebSession webSession) {
return new HammerHead(webSession);
public HammerHead hammerHead(Course course) {
return new HammerHead(course);
}
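Review bot: The first hunk drops exactly one import line while both `WebSession` and `ServletRegistrationBean` lose their last visible use in this file (the `hammerHead` bean now takes `Course`, and `servletRegistrationBean` is deleted), so whichever of the two imports survives is now unused; the markers are not shown, so this is inferred from the line counts. Remove the leftover import together with the bean. Removing the `/attack/*` registration also means paths below `/attack/` no longer reach the new `@RequestMapping("/attack")` controller, which is fine if nothing links there but worth confirming.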
@Bean


@ -35,26 +35,21 @@ import org.owasp.webgoat.plugins.PluginClassLoader;
import org.owasp.webgoat.plugins.PluginEndpointPublisher;
import org.owasp.webgoat.plugins.PluginsLoader;
import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.UserTracker;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.session.WebgoatContext;
import org.owasp.webgoat.session.WebgoatProperties;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.boot.web.support.SpringBootServletInitializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.PropertySource;
import org.springframework.context.annotation.Scope;
import org.springframework.context.annotation.ScopedProxyMode;
import javax.servlet.ServletContext;
import java.io.File;
import java.util.List;
@SpringBootApplication
@PropertySource("classpath:/webgoat.properties")
public class WebGoat extends SpringBootServletInitializer {
@Override
@ -68,13 +63,16 @@ public class WebGoat extends SpringBootServletInitializer {
@Bean(name = "pluginTargetDirectory")
public File pluginTargetDirectory() {
File tempDir = com.google.common.io.Files.createTempDir();
tempDir.deleteOnExit();
return tempDir;
return com.google.common.io.Files.createTempDir();
}
// @Bean
// public ApplicationListener<ContextClosedEvent> closeEvent(@Qualifier("pluginTargetDirectory") File pluginTargetDirectory) {
// return e -> pluginTargetDirectory.delete();
// }
@Bean
public PluginClassLoader pluginClassLoader(@Qualifier("pluginTargetDirectory") File pluginTargetDirectory) {
public PluginClassLoader pluginClassLoader() {
return new PluginClassLoader(PluginClassLoader.class.getClassLoader());
}
@ -85,25 +83,17 @@ public class WebGoat extends SpringBootServletInitializer {
@Bean
@Scope(value = "session", proxyMode = ScopedProxyMode.TARGET_CLASS)
public WebSession webSession(Course course, WebgoatContext webgoatContext, ServletContext context) {
return new WebSession(course, webgoatContext, context);
public WebSession webSession(WebgoatContext webgoatContext) {
return new WebSession(webgoatContext);
}
@Bean
public Course course(PluginsLoader pluginsLoader, WebgoatContext webgoatContext, ServletContext context, WebgoatProperties webgoatProperties,
PluginEndpointPublisher pluginEndpointPublisher) {
Course course = new Course(webgoatProperties);
course.loadCourses(webgoatContext, context, "/");
public Course course(PluginsLoader pluginsLoader, PluginEndpointPublisher pluginEndpointPublisher) {
Course course = new Course();
List<Plugin> plugins = pluginsLoader.loadPlugins();
course.loadLessonFromPlugin(plugins);
course.createLessonsFromPlugins(plugins);
plugins.forEach(p -> pluginEndpointPublisher.publish(p));
return course;
}
@Bean
public UserTracker userTracker() {
UserTracker userTracker = UserTracker.instance();
return userTracker;
}
}
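Review bot: `pluginTargetDirectory()` now returns `com.google.common.io.Files.createTempDir()` without the `deleteOnExit()` the old body had, and the replacement cleanup (`closeEvent`) is left commented out, so every start leaves a directory of extracted plugin content behind in the system temp directory. Guava has since deprecated `createTempDir()` in favour of `java.nio.file.Files.createTempDirectory("webgoat-plugins")`, which creates the directory with owner-only permissions on POSIX and declares the `IOException` the bean method can propagate. Either restore `deleteOnExit()` or finish the `ContextClosedEvent` listener instead of keeping it as commented-out code; note that `File.delete()` only removes an empty directory, so the listener needs a recursive delete of the extracted plugins in either case.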


@ -31,8 +31,7 @@
package org.owasp.webgoat.controller;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.lessons.RandomLessonAdapter;
import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.WebSession;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
@ -50,24 +49,25 @@ import java.util.Optional;
@Controller
public class StartLesson {
private final WebSession ws;
private final Course course;
public StartLesson(final WebSession ws, final Course course) {
this.ws = ws;
this.course = course;
}
/**
* <p>start.</p>
*
* @param request a {@link HttpServletRequest} object.
* @return a {@link ModelAndView} object.
*/
@RequestMapping(path = "startlesson.mvc", method = {RequestMethod.GET, RequestMethod.POST})
public ModelAndView start(HttpServletRequest request) {
public ModelAndView start() {
ModelAndView model = new ModelAndView();
WebSession ws = (WebSession) request.getSession().getAttribute(WebSession.SESSION);
model.addObject("has_stages", ws.getCurrentLesson() instanceof RandomLessonAdapter);
model.addObject("course", ws.getCourse());
model.addObject("course", course);
model.addObject("lesson", ws.getCurrentLesson());
model.addObject("message", ws.getMessage());
model.addObject("instructions", ws.getInstructions());
boolean isMigrated = ws.getCurrentLesson() instanceof NewLesson;
model.addObject("migrated", isMigrated); //remove after ECS removal otherwise you will see the lesson twice
model.setViewName("lesson_content");
return model;
}
@ -80,13 +80,11 @@ public class StartLesson {
GrantedAuthority authority = context.getAuthentication().getAuthorities().iterator().next();
String path = request.getServletPath(); // we now got /a/b/c/AccessControlMatrix.lesson
String lessonName = path.substring(path.lastIndexOf('/') + 1, path.indexOf(".lesson"));
WebSession ws = (WebSession) request.getSession().getAttribute(WebSession.SESSION);
List<AbstractLesson> lessons = ws.getCourse()
.getLessons(ws, AbstractLesson.USER_ROLE);//TODO this should work with the security roles of Spring
List<AbstractLesson> lessons = course.getLessons();
Optional<AbstractLesson> lesson = lessons.stream()
.filter(l -> l.getId().equals(lessonName))
.findFirst();
ws.setCurrentScreen(lesson.get().getScreenId());
ws.setCurrentLesson(lesson.get());
model.setViewName("lesson_content");
model.addObject("lesson", lesson.get());
return model;
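Review bot: The new `List<AbstractLesson> lessons = course.getLessons();` line feeds a `findFirst()` whose result is then dereferenced three times with the unchecked `lesson.get()` on the lines below, so a `.lesson` path naming an unknown lesson surfaces as a NoSuchElementException and a 500 rather than a deliberate response; the old role-filtered fetch had the same gap, but with the role filter gone this lookup is now the only check applied to the path-derived name. Replace the unchecked gets with `AbstractLesson lesson = lessons.stream().filter(l -> l.getId().equals(lessonName)).findFirst().orElseThrow(() -> new IllegalArgumentException("Unknown lesson: " + lessonName));` and use `lesson` directly below. The enclosing method's signature is outside the hunk, so it is not visible whether `path.indexOf(".lesson")` returning -1 is handled before the `substring` call; if not, that throws as well.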


@ -1,5 +1,5 @@
package org.owasp.webgoat.util;
package org.owasp.webgoat.i18n;
import java.util.Locale;


@ -1,8 +1,7 @@
package org.owasp.webgoat.util;
package org.owasp.webgoat.i18n;
import org.owasp.webgoat.session.LabelDebugger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import java.io.Serializable;
@ -38,30 +37,22 @@ import java.util.Locale;
* @version $Id: $Id
* @author dm
*/
@Component("labelManager")
@Component
public class LabelManagerImpl implements LabelManager, Serializable
{
private static final long serialVersionUID = 1L;
@Autowired
private transient LabelProvider labelProvider;
@Autowired
private LabelProvider labelProvider;
private LabelDebugger labelDebugger;
/** Locale mapped with current session. */
private Locale locale = new Locale(LabelProvider.DEFAULT_LANGUAGE);
/**
* <p>Constructor for LabelManagerImpl.</p>
*/
protected LabelManagerImpl() {}
/**
* <p>Constructor for LabelManagerImpl.</p>
*
* @param labelProvider a {@link org.owasp.webgoat.util.LabelProvider} object.
* @param labelProvider a {@link LabelProvider} object.
*/
protected LabelManagerImpl(LabelProvider labelProvider) {
protected LabelManagerImpl(LabelProvider labelProvider, LabelDebugger labelDebugger) {
this.labelDebugger = labelDebugger;
this.labelProvider = labelProvider;
}
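Review bot: `labelDebugger` is only assigned in the new two-argument constructor, but the no-argument `protected LabelManagerImpl() {}` is still present and no `@Autowired` is visible on the new constructor, so with two unannotated constructors Spring falls back to the no-arg one and leaves `labelDebugger` null (the field carries no `@Autowired` of its own). Annotate the constructor, `@Autowired protected LabelManagerImpl(LabelProvider labelProvider, LabelDebugger labelDebugger)`, and drop the field-level `@Autowired` on `labelProvider` so the dependency is injected once rather than through both paths. Dropping `transient` from `labelProvider` while the class still `implements Serializable` also deserves a second look: if `LabelProvider` or `LabelDebugger` is not itself Serializable (not visible here), serializing the bean now fails where the old transient field was skipped.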


@ -1,5 +1,5 @@
package org.owasp.webgoat.util;
package org.owasp.webgoat.i18n;
import org.springframework.context.support.ReloadableResourceBundleMessageSource;
import org.springframework.core.io.Resource;


@ -1,39 +1,8 @@
package org.owasp.webgoat.lessons;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.Body;
import org.apache.ecs.html.Form;
import org.apache.ecs.html.Head;
import org.apache.ecs.html.Html;
import org.apache.ecs.html.IMG;
import org.apache.ecs.html.PRE;
import org.apache.ecs.html.Title;
import org.owasp.webgoat.session.ParameterNotFoundException;
import org.owasp.webgoat.session.Screen;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.session.WebgoatContext;
import org.owasp.webgoat.session.WebgoatProperties;
import org.owasp.webgoat.util.BeanProvider;
import org.owasp.webgoat.util.LabelManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.io.BufferedReader;
import java.io.FileNotFoundException;
import java.io.FileReader;
import java.io.InputStreamReader;
import java.io.StringReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
/**
* ************************************************************************************************
@ -67,57 +36,12 @@ import java.util.Map;
*/
public abstract class AbstractLesson extends Screen implements Comparable<Object> {
private static final Logger logger = LoggerFactory.getLogger(AbstractLesson.class);
/**
* Description of the Field
*/
public final static String ADMIN_ROLE = "admin";
/**
* Constant <code>CHALLENGE_ROLE="challenge"</code>
*/
public final static String CHALLENGE_ROLE = "challenge";
/**
* Description of the Field
*/
public final static String HACKED_ADMIN_ROLE = "hacked_admin";
/**
* Description of the Field
*/
public final static String USER_ROLE = "user";
private static int count = 1;
private Integer id = null;
final static IMG nextGrey = new IMG("images/right16.gif").setAlt("Next").setBorder(0).setHspace(0).setVspace(0);
final static IMG previousGrey = new IMG("images/left14.gif").setAlt("Previous").setBorder(0).setHspace(0)
.setVspace(0);
private Integer ranking;
private Category category;
private boolean hidden;
private String sourceFileName;
private Map<String, String> lessonPlanFileName = new HashMap<String, String>();
private String lessonSolutionFileName;
private WebgoatContext webgoatContext;
private LinkedList<String> availableLanguages = new LinkedList<String>();
private String defaultLanguage = "en";
private LabelManager labelManager = null;
/**
* Constructor for the Lesson object
*/
@ -144,42 +68,6 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
this.ranking = ranking;
}
/**
* <p>Setter for the field <code>hidden</code>.</p>
*
* @param hidden a boolean.
*/
public void setHidden(boolean hidden) {
this.hidden = hidden;
}
/**
* <p>update.</p>
*
* @param properties a {@link org.owasp.webgoat.session.WebgoatProperties} object.
*/
public void update(WebgoatProperties properties) {
String className = getClass().getName();
className = className.substring(className.lastIndexOf(".") + 1);
setRanking(new Integer(properties.getIntProperty("lesson." + className + ".ranking", getDefaultRanking()
.intValue())));
String categoryRankingKey = "category." + getDefaultCategory().getName() + ".ranking";
Category tempCategory = Category.getCategory(getDefaultCategory().getName());
tempCategory.setRanking(new Integer(properties.getIntProperty(categoryRankingKey, getDefaultCategory()
.getRanking().intValue())));
category = tempCategory;
setHidden(properties.getBooleanProperty("lesson." + className + ".hidden", getDefaultHidden()));
}
/**
* <p>isCompleted.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a boolean.
*/
public boolean isCompleted(WebSession s) {
return getLessonTracker(s, this).getCompleted();
}
/**
* {@inheritDoc}
@ -205,7 +93,7 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
* @return The category value
*/
public Category getCategory() {
return category;
return getDefaultCategory();
}
/**
@ -236,176 +124,20 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
*/
public abstract String getSubmitMethod();
/**
* Gets the fileMethod attribute of the Lesson class
*
* @param reader Description of the Parameter
* @param methodName Description of the Parameter
* @param numbers Description of the Parameter
* @return The fileMethod value
*/
public static String getFileMethod(BufferedReader reader, String methodName, boolean numbers) {
int count = 0;
StringBuffer sb = new StringBuffer();
boolean echo = false;
boolean startCount = false;
int parenCount = 0;
try {
String line;
while ((line = reader.readLine()) != null) {
if ((line.indexOf(methodName) != -1)
&& ((line.indexOf("static") != -1) || (line.indexOf("protected") != -1) || (line
.indexOf("private") != -1))) {
echo = true;
startCount = true;
}
if (echo && startCount) {
if (numbers) {
sb.append(pad(++count) + " ");
}
sb.append(line + "\n");
}
if (echo && (line.indexOf("{") != -1)) {
parenCount++;
}
if (echo && (line.indexOf("}") != -1)) {
parenCount--;
if (parenCount == 0) {
startCount = false;
echo = false;
}
}
}
reader.close();
} catch (Exception e) {
System.out.println(e);
e.printStackTrace();
}
return (sb.toString());
}
/**
* Reads text from a file into an ElementContainer. Each line in the file is
* represented in the ElementContainer by a StringElement. Each
* StringElement is appended with a new-line character.
*
* @param reader Description of the Parameter
* @param numbers Description of the Parameter
* @return Description of the Return Value
*/
public static String readFromFile(BufferedReader reader, boolean numbers) {
return (getFileText(reader, numbers));
}
/**
* Gets the fileText attribute of the Screen class
*
* @param reader Description of the Parameter
* @param numbers Description of the Parameter
* @return The fileText value
*/
public static String getFileText(BufferedReader reader, boolean numbers) {
int count = 0;
StringBuffer sb = new StringBuffer();
try {
String line;
while ((line = reader.readLine()) != null) {
if (numbers) {
sb.append(pad(++count) + " ");
}
sb.append(line + System.getProperty("line.separator"));
}
reader.close();
} catch (Exception e) {
System.out.println(e);
e.printStackTrace();
}
return (sb.toString());
}
/**
* Will this screen be included in an enterprise edition.
*
* @return The ranking value
*/
public boolean isEnterprise() {
return false;
}
/**
* Gets the hintCount attribute of the Lesson object
*
* @param s The user's WebSession
* @return The hintCount value
*/
public int getHintCount(WebSession s) {
return getHints(s).size();
public int getHintCount() {
return getHints().size();
}
/**
* <p>getHints.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link java.util.List} object.
*/
protected abstract List<String> getHints(WebSession s);
// @TODO we need to restrict access at the service layer
// rather than passing session object around
/**
* <p>getHintsPublic.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link java.util.List} object.
*/
public List<String> getHintsPublic(WebSession s) {
List<String> hints = getHints(s);
return hints;
}
/**
* Fill in a minor hint that will help people who basically get it, but are
* stuck on somthing silly.
*
* @param s The users WebSession
* @param hintNumber a int.
* @return The hint1 value
*/
public String getHint(WebSession s, int hintNumber) {
return "Hint: " + getHints(s).get(hintNumber);
}
/**
* Gets the instructions attribute of the AbstractLesson object
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return The instructions value
*/
public abstract String getInstructions(WebSession s);
/**
* Gets the lessonPlan attribute of the Lesson object
*
* @return The lessonPlan value
*/
public String getLessonName() {
return this.getClass().getSimpleName();
}
public abstract List<String> getHints();
/**
* Gets the title attribute of the HelloScreen object
@ -414,36 +146,6 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
*/
public abstract String getTitle();
/**
* Gets the content of lessonPlanURL
*
* @param s The user's WebSession
* @return The HTML content of the current lesson plan
*/
public String getLessonPlan(WebSession s) {
StringBuffer src = new StringBuffer();
String lang = s.getCurrrentLanguage();
try {
// System.out.println("Loading lesson plan file: " +
// getLessonPlanFileName());
String filename = getLessonPlanFileName(lang);
if (filename == null) {
filename = getLessonPlanFileName(getDefaultLanguage());
}
src.append(readFromFile(new BufferedReader(new FileReader(filename)), false));
} catch (Exception e) {
// s.setMessage( "Could not find lesson plan for " +
// getLessonName());
src = new StringBuffer("Could not find lesson plan for: " + getLessonName() + " and language " + lang);
}
return src.toString();
}
/**
* Gets the ranking attribute of the Lesson object
*
@ -457,33 +159,6 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
}
}
/**
* Gets the hidden value of the Lesson Object
*
* @return The hidden value
*/
public boolean getHidden() {
return this.hidden;
}
/**
* Gets the role attribute of the AbstractLesson object
*
* @return The role value
*/
public String getRole() {
// FIXME: Each lesson should have a role assigned to it. Each
// user/student
// should also have a role(s) assigned. The user would only be allowed
// to see lessons that correspond to their role. Eventually these roles
// will be stored in the internal database. The user will be able to
// hack
// into the database and change their role. This will allow the user to
// see the admin screens, once they figure out how to turn the admin
// switch on.
return USER_ROLE;
}
/**
* Gets the uniqueID attribute of the AbstractLesson object
*
@ -493,125 +168,6 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
return id.intValue();
}
/**
* <p>getHtml_DELETE_ME.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link java.lang.String} object.
*/
public String getHtml_DELETE_ME(WebSession s) {
String html = null;
// FIXME: This doesn't work for the labs since they do not implement
// createContent().
String rawHtml = createContent(s).toString();
// System.out.println("Getting raw html content: " +
// rawHtml.substring(0, Math.min(rawHtml.length(), 100)));
html = convertMetachars(AbstractLesson.readFromFile(new BufferedReader(new StringReader(rawHtml)), true));
// System.out.println("Getting encoded html content: " +
// html.substring(0, Math.min(html.length(), 100)));
return html;
}
/**
* <p>getSource.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link java.lang.String} object.
*/
public String getSource(WebSession s) {
String source = null;
String src = null;
try {
// System.out.println("Loading source file: " +
// getSourceFileName());
src = convertMetacharsJavaCode(readFromFile(new BufferedReader(new FileReader(getSourceFileName())), true));
// TODO: For styled line numbers and better memory efficiency,
// use a custom FilterReader
// that performs the convertMetacharsJavaCode() transform plus
// optionally adds a styled
// line number. Wouldn't color syntax be great too?
} catch (Exception e) {
s.setMessage("Could not find source file");
src = ("Could not find the source file or source file does not exist.<br/>"
+ "Send this message to: <a href=\"mailto:" + s.getWebgoatContext().getFeedbackAddress()
+ "?subject=Source " + getSourceFileName() + " not found. Lesson: "
+ s.getCurrentLesson().getLessonName() + "\">" + s.getWebgoatContext()
.getFeedbackAddress() + "</a>");
}
Html html = new Html();
Head head = new Head();
head.addElement(new Title(getSourceFileName()));
Body body = new Body();
body.addElement(new StringElement(src));
html.addElement(head);
html.addElement(body);
source = html.toString();
return source;
}
/**
* <p>getRawSource.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link java.lang.String} object.
*/
public String getRawSource(WebSession s) {
String src = "";
try {
logger.debug("Loading source file: " + getSourceFileName());
if (getSourceFileName() != null) {
src = readFromFile(new BufferedReader(new FileReader(getSourceFileName())), false);
}
} catch (FileNotFoundException e) {
s.setMessage("Could not find source file");
src = ("Could not find the source file or source file does not exist.<br/>"
+ "Send this message to: <a href=\"mailto:" + s.getWebgoatContext().getFeedbackAddress()
+ "?subject=Source " + getSourceFileName() + " not found. Lesson: "
+ s.getCurrentLesson().getLessonName() + "\">" + s.getWebgoatContext()
.getFeedbackAddress() + "</a>");
}
return src;
}
/**
* <p>getSolution.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link java.lang.String} object.
*/
public String getSolution(WebSession s) {
String src = null;
try {
// System.out.println("Solution: " + getLessonSolutionFileName());
src = readFromFile(new BufferedReader(new FileReader(getLessonSolutionFileName())), false);
} catch (Exception e) {
logger.error("Could not find solution for {}", getLessonSolutionFileName());
s.setMessage("Could not find the solution file");
src = ("Could not find the solution file or solution file does not exist.<br/>"
+ "Send this message to: <a href=\"mailto:" + s.getWebgoatContext().getFeedbackAddress()
+ "?subject=Solution " + getLessonSolutionFileName() + " not found. Lesson: "
+ s.getCurrentLesson().getLessonName() + "\">" + s.getWebgoatContext()
.getFeedbackAddress() + "</a>");
}
// Solutions are html files
return src;
}
/**
* <p>Returns the default "path" portion of a lesson's URL.</p>
* <p>
@ -643,244 +199,9 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
*/
public String getLink() {
StringBuffer link = new StringBuffer(getPath());
// mvc update:
// return link
// .append("/").append(getScreenId())
// .append("/").append(getCategory().getRanking()).toString();
return link.append(getId()).toString();
}
/**
* Get the link to the target servlet.
* <p>
* Unlike getLink() this method does not require rendering the output of
* the request to the link in order to execute the servlet's method with
* conventional HTTP query parameters.
*
* @return a {@link java.lang.String} object.
*/
public String getServletLink() {
StringBuffer link = new StringBuffer("attack");
return link
.append("?Screen=").append(getScreenId())
.append("&menu=").append(getCategory().getRanking()).toString();
}
/**
* Get the link to the jsp page used to render this screen.
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link java.lang.String} object.
*/
public String getPage(WebSession s) {
return null;
}
/**
* Get the link to the jsp template page used to render this screen.
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link java.lang.String} object.
*/
public String getTemplatePage(WebSession s) {
return null;
}
/**
* <p>getCurrentAction.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link java.lang.String} object.
*/
public abstract String getCurrentAction(WebSession s);
/**
* Initiates lesson restart functionality
*/
public abstract void restartLesson();
/**
* <p>setCurrentAction.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param lessonScreen a {@link java.lang.String} object.
*/
public abstract void setCurrentAction(WebSession s, String lessonScreen);
/**
* Override this method to implement accesss control in a lesson.
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param functionId a {@link java.lang.String} object.
* @param employeeId a int.
* @return a boolean.
*/
public boolean isAuthorized(WebSession s, int employeeId, String functionId) {
return false;
}
/**
* Override this method to implement accesss control in a lesson.
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param functionId a {@link java.lang.String} object.
* @param role a {@link java.lang.String} object.
* @return a boolean.
*/
public boolean isAuthorized(WebSession s, String role, String functionId) {
logger.info("Checking if " + role + " authorized for: " + functionId);
boolean authorized = false;
try {
String query = "SELECT * FROM auth WHERE role = '" + role + "' and functionid = '" + functionId + "'";
try {
Statement answer_statement = WebSession.getConnection(s)
.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
ResultSet answer_results = answer_statement.executeQuery(query);
authorized = answer_results.first();
logger.info("authorized: " + authorized);
} catch (SQLException sqle) {
s.setMessage("Error authorizing");
logger.error("Error authorizing", sqle);
}
} catch (Exception e) {
s.setMessage("Error authorizing");
logger.error("Error authorizing", e);
}
return authorized;
}
/**
* <p>getUserId.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a int.
* @throws org.owasp.webgoat.session.ParameterNotFoundException if any.
*/
public int getUserId(WebSession s) throws ParameterNotFoundException {
return -1;
}
/**
* <p>getUserName.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link java.lang.String} object.
* @throws org.owasp.webgoat.session.ParameterNotFoundException if any.
*/
public String getUserName(WebSession s) throws ParameterNotFoundException {
return null;
}
/**
* Description of the Method
*
* @param windowName Description of the Parameter
* @return Description of the Return Value
*/
public static String makeWindowScript(String windowName) {
// FIXME: make this string static
StringBuffer script = new StringBuffer();
script.append("<script language=\"JavaScript\">\n");
script.append(" <!--\n");
script.append(" function makeWindow(url) {\n");
script.append("\n");
script.append(" agent = navigator.userAgent;\n");
script.append("\n");
script.append(" params = \"\";\n");
script.append(" params += \"toolbar=0,\";\n");
script.append(" params += \"location=0,\";\n");
script.append(" params += \"directories=0,\";\n");
script.append(" params += \"status=0,\";\n");
script.append(" params += \"menubar=0,\";\n");
script.append(" params += \"scrollbars=1,\";\n");
script.append(" params += \"resizable=1,\";\n");
script.append(" params += \"width=500,\";\n");
script.append(" params += \"height=350\";\n");
script.append("\n");
script.append(" // close the window to vary the window size\n");
script.append(" if (typeof(win) == \"object\" && !win.closed){\n");
script.append(" win.close();\n");
script.append(" }\n");
script.append("\n");
script.append(" win = window.open(url, '" + windowName + "' , params);\n");
script.append("\n");
script.append(" // bring the window to the front\n");
script.append(" win.focus();\n");
script.append(" }\n");
script.append(" //-->\n");
script.append(" </script>\n");
return script.toString();
}
/**
* Simply reads a url into an Element for display. CAUTION: you might want
* to tinker with any non-https links (href)
*
* @param url Description of the Parameter
* @return Description of the Return Value
*/
public static Element readFromURL(String url) {
ElementContainer ec = new ElementContainer();
try {
URL u = new URL(url);
HttpURLConnection huc = (HttpURLConnection) u.openConnection();
BufferedReader reader = new BufferedReader(new InputStreamReader(huc.getInputStream()));
String line;
while ((line = reader.readLine()) != null) {
ec.addElement(new StringElement(line));
}
reader.close();
} catch (Exception e) {
System.out.println(e);
e.printStackTrace();
}
return (ec);
}
/**
* Description of the Method
*
* @param reader Description of the Parameter
* @param numbers Description of the Parameter
* @param methodName Description of the Parameter
* @return Description of the Return Value
*/
public static Element readMethodFromFile(BufferedReader reader, String methodName, boolean numbers) {
PRE pre = new PRE().addElement(getFileMethod(reader, methodName, numbers));
return (pre);
}
/**
* Description of the Method
*
* @param s Description of the Parameter
*/
public void handleRequest(WebSession s) {
// call createContent first so messages will go somewhere
Form form = new Form(getFormAction(), Form.POST).setName("form").setEncType("");
form.addElement(createContent(s));
setContent(form);
s.getRequest().getRequestURL();
}
/**
* <p>getFormAction.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getFormAction() {
return getLink();
}
/**
* Description of the Method
*
@ -890,116 +211,6 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
return getTitle();
}
/**
* <p>Getter for the field <code>defaultLanguage</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getDefaultLanguage() {
return this.defaultLanguage;
}
/**
* <p>Getter for the field <code>lessonPlanFileName</code>.</p>
*
* @param lang a {@link java.lang.String} object.
* @return a {@link java.lang.String} object.
*/
public String getLessonPlanFileName(String lang) {
String ret = lessonPlanFileName.get(lang);
if (ret == null) {
ret = lessonPlanFileName.get(getDefaultLanguage());
}
return ret;
}
/**
* <p>Setter for the field <code>lessonPlanFileName</code>.</p>
*
* @param lang a {@link java.lang.String} object.
* @param lessonPlanFileName a {@link java.lang.String} object.
*/
public void setLessonPlanFileName(String lang, String lessonPlanFileName) {
this.lessonPlanFileName.put(lang, lessonPlanFileName);
this.availableLanguages.add(lang);
}
/**
* <p>Getter for the field <code>availableLanguages</code>.</p>
*
* @return a {@link java.util.List} object.
*/
public List<String> getAvailableLanguages() {
return this.availableLanguages;
}
/**
* <p>Getter for the field <code>lessonSolutionFileName</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getLessonSolutionFileName() {
return lessonSolutionFileName;
}
/**
* <p>Setter for the field <code>lessonSolutionFileName</code>.</p>
*
* @param lessonSolutionFileName a {@link java.lang.String} object.
*/
public void setLessonSolutionFileName(String lessonSolutionFileName) {
this.lessonSolutionFileName = lessonSolutionFileName;
}
/**
* <p>Getter for the field <code>sourceFileName</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getSourceFileName() {
return sourceFileName;
}
/**
* <p>Setter for the field <code>sourceFileName</code>.</p>
*
* @param sourceFileName a {@link java.lang.String} object.
*/
public void setSourceFileName(String sourceFileName) {
logger.debug("Setting source file of lesson " + this + " to: " + sourceFileName);
this.sourceFileName = sourceFileName;
}
/**
* <p>Getter for the field <code>webgoatContext</code>.</p>
*
* @return a {@link org.owasp.webgoat.session.WebgoatContext} object.
*/
public WebgoatContext getWebgoatContext() {
return webgoatContext;
}
/**
* <p>Setter for the field <code>webgoatContext</code>.</p>
*
* @param webgoatContext a {@link org.owasp.webgoat.session.WebgoatContext} object.
*/
public void setWebgoatContext(WebgoatContext webgoatContext) {
this.webgoatContext = webgoatContext;
}
/**
* <p>Getter for the field <code>labelManager</code>.</p>
*
* @return a {@link org.owasp.webgoat.util.LabelManager} object.
*/
protected LabelManager getLabelManager() {
if (labelManager == null) {
labelManager = BeanProvider.getBean("labelManager", LabelManager.class);
}
return labelManager;
}
public String getId() {
return "";
}


@ -28,7 +28,6 @@ package org.owasp.webgoat.lessons;
import org.owasp.webgoat.lessons.model.AttackResult;
import org.owasp.webgoat.session.LessonTracker;
import org.owasp.webgoat.session.UserTracker;
import org.owasp.webgoat.session.WebSession;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.actuate.endpoint.Endpoint;
@ -46,14 +45,13 @@ import java.io.File;
* Note: each subclass should declare this annotation otherwise the WebGoat framework cannot find your endpoint.
*/
@LessonEndpointMapping
public abstract class LessonEndpoint implements MvcEndpoint {
public abstract class AssignmentEndpoint implements MvcEndpoint {
@Autowired
@Qualifier("pluginTargetDirectory")
private File pluginDirectory;
@Autowired
private WebSession webSession;
private boolean solved = false;
private UserTracker userTracker;
/**
* The directory of the plugin directory in which the lessons resides, so if you want to access the lesson 'ClientSideFiltering' you will
@ -71,15 +69,21 @@ public abstract class LessonEndpoint implements MvcEndpoint {
return new File(this.pluginDirectory, "plugin");
}
/**
* Get the lesson tracker which is based on the current user and do the
* @return
*/
protected LessonTracker getLessonTracker() {
UserTracker userTracker = UserTracker.instance();
LessonTracker lessonTracker = userTracker.getLessonTracker(webSession, webSession.getCurrentLesson());
LessonTracker lessonTracker = userTracker.getCurrentLessonTracker();
return lessonTracker;
}
protected AttackResult trackProgress(AttackResult attackResult) {
this.solved = attackResult.isLessonCompleted();
getLessonTracker().setCompleted(solved);
//// TODO: 11/5/2016 improve
if (attackResult.isLessonCompleted()) {
getLessonTracker().incrementNumVisits();
}
getLessonTracker().setCompleted(attackResult.isLessonCompleted());
return attackResult;
}
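Review bot: The Javadoc on the new `getLessonTracker()` is cut off mid-sentence ("…based on the current user and do the") and its `@return` tag is empty; since the tracker is now resolved purely through the injected `userTracker` rather than the session, finish it, e.g. `* Get the lesson tracker for the current user and the lesson that user is currently working on.` and `* @return the {@link LessonTracker} for the current user's current lesson`. In `trackProgress` the tracker is looked up twice; hoist it to `LessonTracker tracker = getLessonTracker();` and call `tracker.incrementNumVisits()` and `tracker.setCompleted(attackResult.isLessonCompleted())` on that local. Whether `userTracker` is actually injected depends on which declaration the surviving `@Autowired` belongs to, which the rendered hunk does not make certain; if it is not injected, `getLessonTracker()` fails with a NullPointerException on first use. The `//// TODO: 11/5/2016 improve` marker should say what is to be improved (presumably that a visit is only counted on success), otherwise it will outlive its author.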


@ -1,39 +0,0 @@
package org.owasp.webgoat.lessons;
import org.owasp.webgoat.lessons.model.AttackResult;
/**
* ************************************************************************************************
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
* <p>
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
* <p>
* Getting Source ==============
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
* <p>
*
* @author WebGoat
* @version $Id: $Id
* @since August 08, 2016
*/
public interface Attack {
AttackResult attack();
}


@ -1,220 +1,76 @@
package org.owasp.webgoat.lessons;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import lombok.Getter;
/**
* *************************************************************************************************
*
*
* <p>
* <p>
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* <p>
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* <p>
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* <p>
* Getting Source ==============
*
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @since October 28, 2003
* @version $Id: $Id
* @since October 28, 2003
*/
public class Category implements Comparable {
public enum Category {
/** Constant <code>INTRODUCTION</code> */
public final static Category INTRODUCTION = new Category("Introduction", new Integer(5));
/** Constant <code>GENERAL</code> */
public final static Category GENERAL = new Category("General", new Integer(100));
/** Constant <code>ACCESS_CONTROL</code> */
public final static Category ACCESS_CONTROL = new Category("Access Control Flaws", new Integer(200));
/** Constant <code>AJAX_SECURITY</code> */
public final static Category AJAX_SECURITY = new Category("AJAX Security", new Integer(400));
/** Constant <code>AUTHENTICATION</code> */
public final static Category AUTHENTICATION = new Category("Authentication Flaws", new Integer(500));
/** Constant <code>BUFFER_OVERFLOW</code> */
public final static Category BUFFER_OVERFLOW = new Category("Buffer Overflows", new Integer(600));
/** Constant <code>CODE_QUALITY</code> */
public final static Category CODE_QUALITY = new Category("Code Quality", new Integer(700));
/** Constant <code>CONCURRENCY</code> */
public final static Category CONCURRENCY = new Category("Concurrency", new Integer(800));
/** Constant <code>XSS</code> */
public final static Category XSS = new Category("Cross-Site Scripting (XSS)", new Integer(900));
/** Constant <code>ERROR_HANDLING</code> */
public final static Category ERROR_HANDLING = new Category("Improper Error Handling", new Integer(1000));
/** Constant <code>INJECTION</code> */
public final static Category INJECTION = new Category("Injection Flaws", new Integer(1100));
/** Constant <code>DOS</code> */
public final static Category DOS = new Category("Denial of Service", new Integer(1200));
/** Constant <code>INSECURE_COMMUNICATION</code> */
public final static Category INSECURE_COMMUNICATION = new Category("Insecure Communication", new Integer(1300));
/** Constant <code>INSECURE_CONFIGURATION</code> */
public final static Category INSECURE_CONFIGURATION = new Category("Insecure Configuration", new Integer(1400));
/** Constant <code>INSECURE_STORAGE</code> */
public final static Category INSECURE_STORAGE = new Category("Insecure Storage", new Integer(1500));
/** Constant <code>MALICIOUS_EXECUTION</code> */
public final static Category MALICIOUS_EXECUTION = new Category("Malicious Execution", new Integer(1600));
/** Constant <code>PARAMETER_TAMPERING</code> */
public final static Category PARAMETER_TAMPERING = new Category("Parameter Tampering", new Integer(1700));
/** Constant <code>SESSION_MANAGEMENT</code> */
public final static Category SESSION_MANAGEMENT = new Category("Session Management Flaws", new Integer(1800));
/** Constant <code>WEB_SERVICES</code> */
public final static Category WEB_SERVICES = new Category("Web Services", new Integer(1900));
/** Constant <code>ADMIN_FUNCTIONS</code> */
public final static Category ADMIN_FUNCTIONS = new Category("Admin Functions", new Integer(2000));
/** Constant <code>CHALLENGE</code> */
public final static Category CHALLENGE = new Category("Challenge", new Integer(3000));
private static final List<Category> categories = new ArrayList<Category>();
private String category;
INTRODUCTION("Introduction", new Integer(5)),
GENERAL("General", new Integer(100)),
ACCESS_CONTROL("Access Control Flaws", new Integer(200)),
AJAX_SECURITY("AJAX Security", new Integer(400)),
AUTHENTICATION("Authentication Flaws", new Integer(500)),
BUFFER_OVERFLOW("Buffer Overflows", new Integer(600)),
CODE_QUALITY("Code Quality", new Integer(700)),
CONCURRENCY("Concurrency", new Integer(800)),
XSS("Cross-Site Scripting (XSS)", new Integer(900)),
ERROR_HANDLING("Improper Error Handling", new Integer(1000)),
INJECTION("Injection Flaws", new Integer(1100)),
DOS("Denial of Service", new Integer(1200)),
INSECURE_COMMUNICATION("Insecure Communication", new Integer(1300)),
INSECURE_CONFIGURATION("Insecure Configuration", new Integer(1400)),
INSECURE_STORAGE("Insecure Storage", new Integer(1500)),
MALICIOUS_EXECUTION("Malicious Execution", new Integer(1600)),
PARAMETER_TAMPERING("Parameter Tampering", new Integer(1700)),
SESSION_MANAGEMENT("Session Management Flaws", new Integer(1800)),
WEB_SERVICES("Web Services", new Integer(1900)),
ADMIN_FUNCTIONS("Admin Functions", new Integer(2000)),
CHALLENGE("Challenge", new Integer(3000));
@Getter
private String name;
@Getter
private Integer ranking;
static {
categories.add(INTRODUCTION);
categories.add(PARAMETER_TAMPERING);
categories.add(ACCESS_CONTROL);
categories.add(AUTHENTICATION);
categories.add(SESSION_MANAGEMENT);
categories.add(XSS);
categories.add(BUFFER_OVERFLOW);
categories.add(INJECTION);
categories.add(MALICIOUS_EXECUTION);
categories.add(ERROR_HANDLING);
categories.add(INSECURE_STORAGE);
categories.add(DOS);
categories.add(INSECURE_CONFIGURATION);
categories.add(WEB_SERVICES);
categories.add(AJAX_SECURITY);
categories.add(ADMIN_FUNCTIONS);
categories.add(GENERAL);
categories.add(CODE_QUALITY);
categories.add(CONCURRENCY);
categories.add(INSECURE_COMMUNICATION);
categories.add(CHALLENGE);
}
/**
* <p>addCategory.</p>
*
* @param c a {@link org.owasp.webgoat.lessons.Category} object.
*/
public static synchronized void addCategory(Category c) {
categories.add(c);
}
/**
* <p>Getter for the field <code>category</code>.</p>
*
* @param name a {@link java.lang.String} object.
* @return a {@link org.owasp.webgoat.lessons.Category} object.
*/
public static synchronized Category getCategory(String name) {
Iterator<Category> it = categories.iterator();
while (it.hasNext()) {
Category c = it.next();
if (c.getName().equals(name)) {
return c;
}
}
return null;
}
/**
* <p>Constructor for Category.</p>
*
* @param category a {@link java.lang.String} object.
* @param ranking a {@link java.lang.Integer} object.
*/
public Category(String category, Integer ranking) {
this.category = category;
Category(String name, Integer ranking) {
this.name = name;
this.ranking = ranking;
}
/** {@inheritDoc} */
@Override
public int compareTo(Object obj) {
int value = 1;
if (obj instanceof Category) {
value = this.getRanking().compareTo(((Category) obj).getRanking());
}
return value;
}
/**
* <p>Getter for the field <code>ranking</code>.</p>
*
* @return a {@link java.lang.Integer} object.
* {@inheritDoc}
*/
public Integer getRanking() {
return ranking;
}
/**
* <p>Setter for the field <code>ranking</code>.</p>
*
* @param ranking a {@link java.lang.Integer} object.
* @return a {@link java.lang.Integer} object.
*/
public Integer setRanking(Integer ranking) {
return this.ranking = ranking;
}
/**
* <p>getName.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getName() {
return category;
}
/** {@inheritDoc} */
@Override
public boolean equals(Object obj) {
return (obj instanceof Category) && getName().equals(((Category) obj).getName());
}
/** {@inheritDoc} */
@Override
public String toString() {
return getName();
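Review bot: The enum's fields `name` and `ranking` at the `@Getter` declarations are not `final` although they are only assigned in the constructor; enum constants are shared singletons, so declare them `private final String name;` and `private final Integer ranking;` so a ranking can no longer be changed at runtime the way the removed `setRanking` allowed. With `Comparable` gone, ordering now follows declaration order, which happens to coincide with ascending ranking here (5, 100, 200, … 3000) but nothing enforces that for future constants; a comment above `INTRODUCTION` such as `// Keep in ascending ranking order: enum compareTo() uses declaration order, not ranking` makes the dependency explicit. The `new Integer(5)` style arguments in the constant list can be plain `int` literals (autoboxed) or `Integer.valueOf(...)`, since the constructor takes `Integer`. Callers of the removed `getCategory(String)` that fall back to `Category.valueOf` now get an IllegalArgumentException instead of `null` for an unknown name; if any such name comes from a request parameter, that path needs a guarded lookup, which is not visible in this hunk. The hunk's final `return getName();` appears to be the tail of `toString()`, whose closing braces lie outside the hunk.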


@ -30,76 +30,8 @@
*/
package org.owasp.webgoat.lessons;
import com.google.common.base.Joiner;
import org.apache.commons.io.IOUtils;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.Center;
import org.apache.ecs.html.H3;
import org.apache.ecs.html.P;
import org.apache.ecs.html.PRE;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.WebSession;
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;
public abstract class LessonAdapter extends AbstractLesson {
/**
* {@inheritDoc}
*
* Description of the Method
*/
protected Element createContent(WebSession s) {
// Mark this lesson as completed.
makeSuccess(s);
ElementContainer ec = new ElementContainer();
ec.addElement(new Center().addElement(new H3().addElement(new StringElement(
"Detailed Lesson Creation Instructions."))));
ec.addElement(new P());
ec
.addElement(new StringElement(
"Lesson are simple to create and very little coding is required. &nbsp;&nbsp;"
+ "In fact, most lessons can be created by following the easy to use instructions in the "
+ "<A HREF=http://www.owasp.org/index.php/WebGoat_User_and_Install_Guide_Table_of_Contents>WebGoat User Guide.</A>&nbsp;&nbsp;"
+ "If you would prefer, send your lesson ideas to "
+ getWebgoatContext().getFeedbackAddressHTML()));
try (InputStream is = Thread.currentThread().getContextClassLoader()
.getResourceAsStream("New Lesson Instructions.txt")) {
if (is != null) {
PRE pre = new PRE();
pre.addElement(Joiner.on("\n").join(IOUtils.readLines(is)));
ec.addElement(pre);
}
} catch (IOException e) {
e.printStackTrace();
}
return (ec);
}
/**
* Gets the category attribute of the LessonAdapter object. The default
* category is "General" Only override this method if you wish to create a
* new category or if you wish this lesson to reside within a category other
* the "General"
*
* @return The category value
*/
protected Category getDefaultCategory() {
return Category.GENERAL;
}
/**
* <p>getDefaultHidden.</p>
@ -129,29 +61,6 @@ public abstract class LessonAdapter extends AbstractLesson {
return DEFAULT_RANKING;
}
/**
* {@inheritDoc}
*
* Gets the hintCount attribute of the LessonAdapter object
*/
public int getHintCount(WebSession s) {
return getHints(s).size();
}
/**
* {@inheritDoc}
*
* Fill in a minor hint that will help people who basically get it, but are
* stuck on somthing silly. Hints will be returned to the user in the order
* they appear below. The user must click on the "next hint" button before
* the hint will be displayed.
*/
protected List<String> getHints(WebSession s) {
List<String> hints = new ArrayList<String>();
hints.add("There are no hints defined.");
return hints;
}
/**
* provide a default submitMethod of lesson does not implement
*
@ -161,44 +70,6 @@ public abstract class LessonAdapter extends AbstractLesson {
return "GET";
}
/**
* {@inheritDoc}
*
* Gets the instructions attribute of the LessonAdapter object. Instructions
* will rendered as html and will appear below the control area and above
* the actual lesson area. Instructions should provide the user with the
* general setup and goal of the lesson.
*/
public String getInstructions(WebSession s) {
StringBuffer buff = new StringBuffer();
String lang = s.getCurrrentLanguage();
try {
String fileName = getLessonPlanFileName(lang);
if (fileName != null) {
BufferedReader in = new BufferedReader(new FileReader(fileName));
String line = null;
boolean startAppending = false;
while ((line = in.readLine()) != null) {
if (line.indexOf("<!-- Start Instructions -->") != -1) {
startAppending = true;
continue;
}
if (line.indexOf("<!-- Stop Instructions -->") != -1) {
startAppending = false;
continue;
}
if (startAppending) {
buff.append(line + "\n");
}
}
}
} catch (Exception e) {
}
return buff.toString();
}
/**
* Fill in a descriptive title for this lesson. The title of the lesson.
* This will appear above the control area at the top of the page. This
@ -210,71 +81,5 @@ public abstract class LessonAdapter extends AbstractLesson {
return "Untitled Lesson " + getScreenId();
}
/** {@inheritDoc} */
public String getCurrentAction(WebSession s) {
return s.getLessonSession(this).getCurrentLessonScreen();
}
/** {@inheritDoc} */
public void setCurrentAction(WebSession s, String lessonScreen) {
s.getLessonSession(this).setCurrentLessonScreen(lessonScreen);
}
@Override
protected Element makeMessages(WebSession s) {
return super.makeMessages(s);
}
/**
* <p>getSessionAttribute.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param key a {@link java.lang.String} object.
* @return a {@link java.lang.Object} object.
*/
public Object getSessionAttribute(WebSession s, String key) {
return s.getRequest().getSession().getAttribute(key);
}
/**
* <p>setSessionAttribute.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param key a {@link java.lang.String} object.
* @param value a {@link java.lang.Object} object.
*/
public void setSessionAttribute(WebSession s, String key, Object value) {
s.getRequest().getSession().setAttribute(key, value);
}
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected Element makeSuccess(WebSession s) {
getLessonTracker(s).setCompleted(true);
//s.setMessage(getLabelManager().get("LessonCompleted"));
return (null);
}
/**
* Gets the credits attribute of the AbstractLesson object
*
* @return The credits value
* @param text a {@link java.lang.String} object.
* @param e a {@link org.apache.ecs.Element} object.
*/
protected Element getCustomCredits(String text, Element e) {
Table t = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0).setWidth("90%").setAlign("RIGHT");
TR tr = new TR();
tr.addElement(new TD(text).setVAlign("MIDDLE").setAlign("RIGHT").setWidth("100%"));
tr.addElement(new TD(e).setVAlign("MIDDLE").setAlign("RIGHT"));
t.addElement(tr);
return t;
}
}


@ -39,7 +39,7 @@ import java.lang.annotation.Target;
/**
* Annotation as a marker annotation. During the startup we scan the plugins for classes which use this annotation.
* @see LessonEndpoint for more information.
* @see AssignmentEndpoint for more information.
*/
@Component
@Target(ElementType.TYPE)


@ -1,5 +1,7 @@
package org.owasp.webgoat.lessons;
import lombok.Getter;
import lombok.Setter;
import org.owasp.webgoat.session.WebSession;
import java.util.List;
@ -35,11 +37,14 @@ import java.util.List;
*/
public abstract class NewLesson extends LessonAdapter {
@Setter
@Getter
private int totalNumberOfAssignments = 0;
@Override
public abstract Category getDefaultCategory();
@Override
public abstract List<String> getHints(WebSession s); //TODO we should probably remove WebSession due to old lessons still here
public abstract List<String> getHints();
@Override
public abstract Integer getDefaultRanking();
@ -49,4 +54,11 @@ public abstract class NewLesson extends LessonAdapter {
@Override
public abstract String getId();
public final List<String> getHints(WebSession w) {
throw new IllegalStateException("Do not use");
}
}
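Review bot: `getHints(WebSession w)` in the last hunk turns a call that still compiles into a runtime `IllegalStateException`, and the message `"Do not use"` does not tell the caller what to call instead, so any remaining path that passes a WebSession only fails when a user actually asks for a hint. Since LessonAdapter's own `getHints(WebSession)` is removed elsewhere in this commit, this method presumably overrides a declaration that survives on a superclass; marking it `@Override` makes its eventual removal there a compile error instead of leaving a dead final method behind, and `@Deprecated` with Javadoc `@deprecated use {@link #getHints()}` lets the compiler and IDEs flag the remaining call sites. I would also name the replacement in the exception itself: `throw new IllegalStateException("getHints(WebSession) is no longer supported; use getHints()");`. The `@Setter` on `totalNumberOfAssignments` exposes mutable state on an otherwise abstract lesson; if it is meant to be set once while assignments are registered, a one-line comment naming that caller would help the next reader.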


@ -1,143 +0,0 @@
package org.owasp.webgoat.lessons;
import org.owasp.webgoat.session.CreateDB;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.LessonTracker;
import org.owasp.webgoat.session.RandomLessonTracker;
import org.owasp.webgoat.session.WebSession;
import java.sql.Connection;
import java.sql.SQLException;
/**
* <p>Abstract RandomLessonAdapter class.</p>
*
* @version $Id: $Id
* @author dm
*/
public abstract class RandomLessonAdapter extends LessonAdapter
{
/**
* <p>getStages.</p>
*
* @return an array of {@link java.lang.String} objects.
*/
public abstract String[] getStages();
/**
* <p>setStage.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param stage a {@link java.lang.String} object.
* @param stage a {@link java.lang.String} object.
*/
public void setStage(WebSession s, String stage)
{
getLessonTracker(s).setStage(stage);
try
{
Connection connection = DatabaseUtilities.getConnection(s);
CreateDB db = new CreateDB();
db.makeDB(connection);
System.out.println("Successfully refreshed the database.");
} catch (SQLException sqle)
{
System.out.println("Error refreshing the database!");
sqle.printStackTrace();
}
}
/**
* <p>getStage.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link java.lang.String} object.
*/
public String getStage(WebSession s)
{
return getLessonTracker(s).getStage();
}
/**
* <p>setStageComplete.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param stage a {@link java.lang.String} object.
* @param stage a {@link java.lang.String} object.
*/
public void setStageComplete(WebSession s, String stage)
{
RandomLessonTracker lt = getLessonTracker(s);
lt.setStageComplete(stage, true);
if (lt.getCompleted())
{
//s.setMessage("Congratulations, you have completed this lab");
}
else
{
s.setMessage("You have completed Stage " + (lt.getStageNumber(stage) + 1) + ": " + stage + ".");
if (!stage.equals(lt.getStage()))
s.setMessage(" Welcome to Stage " + (lt.getStageNumber(lt.getStage()) + 1) + ": " + lt.getStage());
}
try
{
Connection connection = DatabaseUtilities.getConnection(s);
CreateDB db = new CreateDB();
db.makeDB(connection);
System.out.println("Successfully refreshed the database.");
} catch (SQLException sqle)
{
System.out.println("Error refreshing the database!");
sqle.printStackTrace();
}
}
/**
* <p>isStageComplete.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param stage a {@link java.lang.String} object.
* @param stage a {@link java.lang.String} object.
* @return a boolean.
*/
public boolean isStageComplete(WebSession s, String stage)
{
return getLessonTracker(s).hasCompleted(stage);
}
/** {@inheritDoc} */
@Override
public RandomLessonTracker getLessonTracker(WebSession s)
{
return (RandomLessonTracker) super.getLessonTracker(s);
}
/** {@inheritDoc} */
@Override
public RandomLessonTracker getLessonTracker(WebSession s, AbstractLesson lesson)
{
return (RandomLessonTracker) super.getLessonTracker(s, lesson);
}
/** {@inheritDoc} */
@Override
public RandomLessonTracker getLessonTracker(WebSession s, String userNameOverride)
{
return (RandomLessonTracker) super.getLessonTracker(s, userNameOverride);
}
/** {@inheritDoc} */
@Override
public LessonTracker createLessonTracker()
{
return new RandomLessonTracker(getStages());
}
}


@ -1,214 +0,0 @@
package org.owasp.webgoat.lessons;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.owasp.webgoat.session.LessonTracker;
import org.owasp.webgoat.session.SequentialLessonTracker;
import org.owasp.webgoat.session.WebSession;
/**
* <p>Abstract SequentialLessonAdapter class.</p>
*
* @version $Id: $Id
* @author dm
*/
public abstract class SequentialLessonAdapter extends LessonAdapter
{
/**
* <p>setStage.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param stage a int.
* @param stage a int.
*/
public void setStage(WebSession s, int stage)
{
// System.out.println("Changed to stage " + stage);
getLessonTracker(s).setStage(stage);
}
/*
* By default returns 1 stage. (non-Javadoc)
*/
/**
* <p>getStageCount.</p>
*
* @return a int.
*/
public int getStageCount()
{
return 1;
}
/**
* <p>getStage.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a int.
*/
public int getStage(WebSession s)
{
int stage = getLessonTracker(s).getStage();
// System.out.println("In stage " + stage);
return stage;
}
/** {@inheritDoc} */
@Override
public SequentialLessonTracker getLessonTracker(WebSession s)
{
return (SequentialLessonTracker) super.getLessonTracker(s);
}
/** {@inheritDoc} */
@Override
public SequentialLessonTracker getLessonTracker(WebSession s, AbstractLesson lesson)
{
return (SequentialLessonTracker) super.getLessonTracker(s, lesson);
}
/** {@inheritDoc} */
@Override
public SequentialLessonTracker getLessonTracker(WebSession s, String userNameOverride)
{
return (SequentialLessonTracker) super.getLessonTracker(s, userNameOverride);
}
/** {@inheritDoc} */
@Override
public LessonTracker createLessonTracker()
{
return new SequentialLessonTracker();
}
/**
* <p>createStagedContent.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link org.apache.ecs.Element} object.
*/
protected Element createStagedContent(WebSession s)
{
try
{
int stage = getLessonTracker(s).getStage();
// int stage = Integer.parseInt(
// getLessonTracker(s).getLessonProperties().getProperty(WebSession.STAGE,"1"));
switch (stage)
{
case 1:
return (doStage1(s));
case 2:
return (doStage2(s));
case 3:
return (doStage3(s));
case 4:
return (doStage4(s));
case 5:
return (doStage5(s));
case 6:
return (doStage6(s));
default:
throw new Exception("Invalid stage");
}
} catch (Exception e)
{
s.setMessage("Error generating " + this.getClass().getName());
// System.out.println(e);
e.printStackTrace();
}
return (new StringElement(""));
}
/**
* <p>doStage1.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link org.apache.ecs.Element} object.
* @throws java.lang.Exception if any.
*/
protected Element doStage1(WebSession s) throws Exception
{
ElementContainer ec = new ElementContainer();
ec.addElement("Stage 1 Stub");
return ec;
}
/**
* <p>doStage2.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link org.apache.ecs.Element} object.
* @throws java.lang.Exception if any.
*/
protected Element doStage2(WebSession s) throws Exception
{
ElementContainer ec = new ElementContainer();
ec.addElement("Stage 2 Stub");
return ec;
}
/**
* <p>doStage3.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link org.apache.ecs.Element} object.
* @throws java.lang.Exception if any.
*/
protected Element doStage3(WebSession s) throws Exception
{
ElementContainer ec = new ElementContainer();
ec.addElement("Stage 3 Stub");
return ec;
}
/**
* <p>doStage4.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link org.apache.ecs.Element} object.
* @throws java.lang.Exception if any.
*/
protected Element doStage4(WebSession s) throws Exception
{
ElementContainer ec = new ElementContainer();
ec.addElement("Stage 4 Stub");
return ec;
}
/**
* <p>doStage5.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link org.apache.ecs.Element} object.
* @throws java.lang.Exception if any.
*/
protected Element doStage5(WebSession s) throws Exception
{
ElementContainer ec = new ElementContainer();
ec.addElement("Stage 5 Stub");
return ec;
}
/**
* <p>doStage6.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link org.apache.ecs.Element} object.
* @throws java.lang.Exception if any.
*/
protected Element doStage6(WebSession s) throws Exception
{
ElementContainer ec = new ElementContainer();
ec.addElement("Stage 6 Stub");
return ec;
}
}


@ -1,159 +0,0 @@
package org.owasp.webgoat.lessons;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.HtmlColor;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.Center;
import org.apache.ecs.html.Form;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.*;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @since October 28, 2003
* @version $Id: $Id
*/
public class WelcomeScreen extends Screen
{
/**
* Constructor for the WelcomeScreen object
*
* @param s
* Description of the Parameter
*/
public WelcomeScreen(WebSession s)
{
setup(s);
}
/**
* Constructor for the WelcomeScreen object
*/
public WelcomeScreen()
{
}
/**
* <p>setup.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
*/
public void setup(WebSession s)
{
// call createContent first so messages will go somewhere
Form form = new Form("attack", Form.POST).setName("form").setEncType("");
form.addElement(wrapForm(s));
TD lowerright = new TD().setHeight("100%").setVAlign("top").setAlign("left").addElement(form);
TR row = new TR().addElement(lowerright);
Table layout = new Table().setBgColor(HtmlColor.WHITE).setCellSpacing(0).setCellPadding(0).setBorder(0);
layout.addElement(row);
setContent(layout);
}
/**
* <p>wrapForm.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link org.apache.ecs.Element} object.
*/
protected Element wrapForm(WebSession s)
{
if (s == null) { return new StringElement("Invalid Session"); }
Table container = new Table().setWidth("100%").setCellSpacing(10).setCellPadding(0).setBorder(0);
// CreateContent can generate error messages so you MUST call it before makeMessages()
Element content = createContent(s);
container.addElement(new TR().addElement(new TD().setColSpan(2).setVAlign("TOP").addElement(makeMessages(s))));
container.addElement(new TR().addElement(new TD().setColSpan(2).addElement(content)));
container.addElement(new TR());
return (container);
}
/**
* {@inheritDoc}
*
* Description of the Method
*/
protected Element createContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
Element b = ECSFactory.makeButton("Start the Course!");
ec.addElement(new Center(b));
return (ec);
}
/**
* Gets the instructions attribute of the WelcomeScreen object
*
* @return The instructions value
*/
protected String getInstructions()
{
String instructions = "Enter your name and learn how HTTP really works!";
return (instructions);
}
/**
* Gets the title attribute of the WelcomeScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Welcome to the Penetration Testing Course");
}
/*
* (non-Javadoc)
* @see session.Screen#getRole()
*/
/**
* <p>getRole.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getRole()
{
return AbstractLesson.USER_ROLE;
}
}


@ -1,109 +0,0 @@
package org.owasp.webgoat.lessons.admin;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.session.Screen;
import org.owasp.webgoat.session.WebSession;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @since October 28, 2003
* @version $Id: $Id
*/
public abstract class AdminScreen extends Screen
{
/**
* Description of the Field
*/
protected String query = null;
/**
* Constructor for the AdminScreen object
*
* @param s
* Description of the Parameter
* @param q
* Description of the Parameter
*/
public AdminScreen(WebSession s, String q)
{
setQuery(q);
// setupAdmin(s); FIXME: what was this supposed to do?
}
/**
* Constructor for the AdminScreen object
*
* @param s
* Description of the Parameter
*/
public AdminScreen(WebSession s)
{
}
/**
* Constructor for the AdminScreen object
*/
public AdminScreen()
{
}
/**
* Gets the title attribute of the AdminScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Admin Information");
}
/**
* <p>getRole.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getRole()
{
return AbstractLesson.ADMIN_ROLE;
}
/**
* Sets the query attribute of the AdminScreen object
*
* @param q
* The new query value
*/
public void setQuery(String q)
{
query = q;
}
}


@ -1,162 +0,0 @@
package org.owasp.webgoat.lessons.admin;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.BR;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TH;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.LessonAdapter;
import org.owasp.webgoat.session.WebSession;
import java.net.URL;
import static org.springframework.util.StringUtils.getFilename;
import static org.springframework.util.StringUtils.stripFilenameExtension;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @since October 28, 2003
* @version $Id: $Id
*/
public class MenuToLessonMapperScreen extends LessonAdapter
{
/**
* {@inheritDoc}
*
* Description of the Method
*/
protected Element createContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
ec.addElement(new StringElement("This page describes an overview of all the lessons and maps the lesson to the WebGoat-Lessons project"));
ec.addElement(new BR());
ec.addElement(new BR());
ec.addElement(makeMenuToLessonMapping(s));
return ec;
}
/**
* Gets the category attribute of the UserAdminScreen object
*
* @return The category value
*/
protected Category getDefaultCategory()
{
return Category.ADMIN_FUNCTIONS;
}
private final static Integer DEFAULT_RANKING = new Integer(1000);
/**
* <p>getDefaultRanking.</p>
*
* @return a {@link java.lang.Integer} object.
*/
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
/**
* Gets the role attribute of the UserAdminScreen object
*
* @return The role value
*/
public String getRole()
{
return ADMIN_ROLE;
}
/**
* Gets the title attribute of the UserAdminScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Lesson information");
}
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/
public Element makeMenuToLessonMapping(WebSession s)
{
ElementContainer ec = new ElementContainer();
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1);
t.addElement(makeHeaderRow());
for (AbstractLesson lesson : s.getCourse().getLessons(s, AbstractLesson.USER_ROLE)) {
TR tr = new TR();
tr.addElement(new TD().addElement(lesson.getName()));
URL jarLocation = lesson.getClass().getProtectionDomain().getCodeSource().getLocation();
String projectName = removeVersion(stripFilenameExtension(getFilename(jarLocation.getFile())));
tr.addElement(new TD().addElement(projectName));
tr.addElement(new TD().addElement(lesson.getClass().getName() + ".java"));
t.addElement(tr);
}
ec.addElement(t);
return (ec);
}
//Remove version number and last '-'
private static String removeVersion(String s) {
return s.replaceAll("[^a-z\\-]", "").replaceAll("-$", "");
}
/**
* Description of the Method
*
* @return Description of the Return Value
*/
private TR makeHeaderRow()
{
TR tr = new TR();
tr.addElement(new TH("Lesson menu item"));
tr.addElement(new TH("Lesson project"));
tr.addElement(new TH("Lesson source class"));
return tr;
}
}


@ -1,124 +0,0 @@
package org.owasp.webgoat.lessons.admin;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
import java.sql.Statement;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.LessonAdapter;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.WebSession;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @since October 28, 2003
* @version $Id: $Id
*/
public class ProductsAdminScreen extends LessonAdapter
{
private final static String QUERY = "SELECT * FROM product_system_data";
/**
* {@inheritDoc}
*
* Description of the Method
*/
protected Element createContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
try
{
Connection connection = DatabaseUtilities.getConnection(s);
Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
ResultSet results = statement.executeQuery(QUERY);
if (results != null)
{
makeSuccess(s);
ResultSetMetaData resultsMetaData = results.getMetaData();
ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData));
}
} catch (Exception e)
{
s.setMessage("Error generating " + this.getClass().getName());
e.printStackTrace();
}
return (ec);
}
/**
* Gets the category attribute of the ProductsAdminScreen object
*
* @return The category value
*/
protected Category getDefaultCategory()
{
return Category.ADMIN_FUNCTIONS;
}
/**
* Gets the role attribute of the ProductsAdminScreen object
*
* @return The role value
*/
public String getRole()
{
return HACKED_ADMIN_ROLE;
}
/**
* Gets the title attribute of the ProductsAdminScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Product Information");
}
private final static Integer DEFAULT_RANKING = new Integer(1000);
/**
* <p>getDefaultRanking.</p>
*
* @return a {@link java.lang.Integer} object.
*/
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
}


@ -1,160 +0,0 @@
package org.owasp.webgoat.lessons.admin;
import java.sql.Connection;
import org.owasp.webgoat.lessons.*;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.A;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.*;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @since October 28, 2003
* @version $Id: $Id
*/
public class RefreshDBScreen extends LessonAdapter
{
private final static String REFRESH = "Refresh";
/**
* {@inheritDoc}
*
* Description of the Method
*/
protected Element createContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
try
{
boolean refresh = s.getParser().getBooleanParameter(REFRESH, false);
if (refresh)
{
refreshDB(s);
ec.addElement(new StringElement("Successfully refreshed the database."));
}
else
{
Element label = new StringElement("Refresh the database? ");
A link1 = ECSFactory.makeLink("Yes", REFRESH, true);
A link2 = ECSFactory.makeLink("No", REFRESH, false);
TD td1 = new TD().addElement(label);
TD td2 = new TD().addElement(link1);
TD td3 = new TD().addElement(link2);
TR row = new TR().addElement(td1).addElement(td2).addElement(td3);
Table t = new Table().setCellSpacing(40).setWidth("50%");
if (s.isColor())
{
t.setBorder(1);
}
t.addElement(row);
ec.addElement(t);
}
} catch (Exception e)
{
s.setMessage("Error generating " + this.getClass().getName());
e.printStackTrace();
}
return (ec);
}
/**
* Gets the category attribute of the RefreshDBScreen object
*
* @return The category value
*/
protected Category getDefaultCategory()
{
return Category.ADMIN_FUNCTIONS;
}
private final static Integer DEFAULT_RANKING = new Integer(1000);
/**
* <p>getDefaultRanking.</p>
*
* @return a {@link java.lang.Integer} object.
*/
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
/**
* Gets the role attribute of the RefreshDBScreen object
*
* @return The role value
*/
public String getRole()
{
return ADMIN_ROLE;
}
/**
* Gets the title attribute of the RefreshDBScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Refresh Database");
}
/**
* Description of the Method
*
* @param s
* Description of the Parameter
*/
public void refreshDB(WebSession s)
{
try
{
Connection connection = DatabaseUtilities.getConnection(s);
CreateDB db = new CreateDB();
db.makeDB(connection);
System.out.println("Successfully refreshed the database.");
} catch (Exception e)
{
s.setMessage("Error refreshing database " + this.getClass().getName());
e.printStackTrace();
}
}
}


@ -1,295 +0,0 @@
package org.owasp.webgoat.lessons.admin;
import java.util.Iterator;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.HtmlColor;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.Center;
import org.apache.ecs.html.H2;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TH;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.LessonAdapter;
import org.owasp.webgoat.session.LessonTracker;
import org.owasp.webgoat.session.Screen;
import org.owasp.webgoat.session.UserTracker;
import org.owasp.webgoat.session.WebSession;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @since October 28, 2003
* @version $Id: $Id
*/
public class ReportCardScreen extends LessonAdapter
{
/**
* Description of the Field
*/
protected final static String USERNAME = "Username";
/**
* {@inheritDoc}
*
* Description of the Method
*/
protected Element createContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
String user = null;
try
{
if (s.getRequest().isUserInRole(WebSession.WEBGOAT_ADMIN))
{
user = s.getParser().getRawParameter(USERNAME);
}
else
{
user = s.getUserName();
}
} catch (Exception e)
{
}
if (user == null)
{
user = s.getUserName();
}
ec.addElement(makeFeedback(s));
ec.addElement(makeReportCard(s, user));
return ec;
}
private Element makeFeedback(WebSession s)
{
ElementContainer ec = new ElementContainer();
ec.addElement(new StringElement("Comments and suggestions are welcome. "
+ getWebgoatContext().getFeedbackAddressHTML() + "<br><br>"));
return ec;
}
/**
* Gets the category attribute of the UserAdminScreen object
*
* @return The category value
*/
protected Category getDefaultCategory()
{
return Category.ADMIN_FUNCTIONS;
}
private final static Integer DEFAULT_RANKING = new Integer(1000);
/**
* <p>getDefaultRanking.</p>
*
* @return a {@link java.lang.Integer} object.
*/
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
/**
* Gets the role attribute of the UserAdminScreen object
*
* @return The role value
*/
public String getRole()
{
return USER_ROLE;
}
/**
* Gets the title attribute of the UserAdminScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Report Card");
}
/**
* Description of the Method
*
* @param screen
* Description of the Parameter
* @param s
* Description of the Parameter
* @param user
* Description of the Parameter
* @return Description of the Return Value
*/
private TR makeLessonRow(WebSession s, String user, Screen screen)
{
LessonTracker lessonTracker = UserTracker.instance().getLessonTracker(s, user, screen);
TR tr = new TR();
if (lessonTracker.getCompleted())
{
tr.setBgColor(HtmlColor.LIGHTGREEN);
}
else if (lessonTracker.getNumVisits() == 0)
{
tr.setBgColor(HtmlColor.LIGHTBLUE);
}
else if (!lessonTracker.getCompleted() && lessonTracker.getNumVisits() > 10)
{
tr.setBgColor(HtmlColor.RED);
}
else
{
tr.setBgColor(HtmlColor.YELLOW);
}
tr.addElement(new TD().addElement(screen.getTitle()));
tr.addElement(new TD().setAlign("CENTER").addElement(lessonTracker.getCompleted() ? "Y" : "N"));
tr.addElement(new TD().setAlign("CENTER").addElement(Integer.toString(lessonTracker.getNumVisits())));
tr.addElement(new TD().setAlign("CENTER").addElement(Integer.toString(lessonTracker.getMaxHintLevel())));
return tr;
}
/**
* {@inheritDoc}
*
* Description of the Method
*/
protected Element makeMessages(WebSession s)
{
ElementContainer ec = new ElementContainer();
return (ec);
}
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @param user
* Description of the Parameter
* @return Description of the Return Value
*/
public Element makeReportCard(WebSession s, String user)
{
ElementContainer ec = new ElementContainer();
ec.addElement(makeUser(s, user));
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1);
if (s.isColor())
{
t.setBorder(1);
}
TR tr = new TR();
t.addElement(makeUserHeaderRow());
// These are all the user lesson
tr = new TR();
tr.addElement(new TD().setAlign("CENTER").setColSpan(9).addElement("Normal user lessons"));
t.addElement(tr);
for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.USER_ROLE).iterator(); lessonIter
.hasNext();)
{
Screen screen = (Screen) lessonIter.next();
t.addElement(makeLessonRow(s, user, screen));
}
// The user figured out there was a hackable admin acocunt
tr = new TR();
tr.addElement(new TD().setAlign("CENTER").setColSpan(9).addElement("Hackable Admin Screens"));
t.addElement(tr);
for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.HACKED_ADMIN_ROLE).iterator(); lessonIter
.hasNext();)
{
Screen screen = (Screen) lessonIter.next();
t.addElement(makeLessonRow(s, user, screen));
}
// The user figured out how to actually hack the admin acocunt
tr = new TR();
tr.addElement(new TD().setAlign("CENTER").setColSpan(9).addElement("Actual Admin Screens"));
t.addElement(tr);
for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.ADMIN_ROLE).iterator(); lessonIter
.hasNext();)
{
Screen screen = (Screen) lessonIter.next();
t.addElement(makeLessonRow(s, user, screen));
}
ec.addElement(t);
return (ec);
}
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @param user
* Description of the Parameter
* @return Description of the Return Value
*/
protected Element makeUser(WebSession s, String user)
{
H2 h2 = new H2();
// FIXME: The session is the current session, not the session of the user we are reporting.
// String type = s.isAdmin() ? " [Administrative User]" : s.isHackedAdmin() ?
// " [Normal User - Hacked Admin Access]" : " [Normal User]";
String type = "";
h2.addElement(new StringElement("Results for: " + user + type));
return h2;
}
/**
* Description of the Method
*
* @return Description of the Return Value
*/
private TR makeUserHeaderRow()
{
TR tr = new TR();
tr.addElement(new TH("Lesson"));
tr.addElement(new TH("Complete"));
tr.addElement(new TH("Visits"));
tr.addElement(new TH("Hints"));
return tr;
}
}


@ -1,326 +0,0 @@
package org.owasp.webgoat.lessons.admin;
import java.util.Enumeration;
import java.util.Iterator;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.HtmlColor;
import org.apache.ecs.html.Center;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.P;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TH;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.LessonAdapter;
import org.owasp.webgoat.session.LessonTracker;
import org.owasp.webgoat.session.Screen;
import org.owasp.webgoat.session.UserTracker;
import org.owasp.webgoat.session.WebSession;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Bruce mayhew <a href="http://code.google.com">WebGoat</a>
* @since October 28, 2003
* @version $Id: $Id
*/
public class SummaryReportCardScreen extends LessonAdapter
{
private int totalUsersNormalComplete = 0;
private int totalUsersAdminComplete = 0;
/**
* {@inheritDoc}
*
* Description of the Method
*/
protected Element createContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
String selectedUser = null;
try
{
if (s.getRequest().isUserInRole(WebSession.WEBGOAT_ADMIN))
{
Enumeration e = s.getParser().getParameterNames();
while (e.hasMoreElements())
{
String key = (String) e.nextElement();
if (key.startsWith("View_"))
{
selectedUser = key.substring("View_".length());
ReportCardScreen reportCard = new ReportCardScreen();
return reportCard.makeReportCard(s, selectedUser);
}
if (key.startsWith("Delete_"))
{
selectedUser = key.substring("Delete_".length());
deleteUser(selectedUser);
}
}
}
} catch (Exception e)
{
e.printStackTrace();
}
ec.addElement(new Center().addElement(makeSummary(s)));
ec.addElement(new P());
Table t = new Table().setCellSpacing(0).setCellPadding(4).setBorder(1).setWidth("100%");
if (s.isColor())
{
t.setBorder(1);
}
t.addElement(makeUserSummaryHeader());
for (Iterator<String> userIter = UserTracker.instance().getAllUsers(WebSession.WEBGOAT_USER).iterator(); userIter
.hasNext();)
{
String user = userIter.next();
t.addElement(makeUserSummaryRow(s, user));
}
ec.addElement(new Center().addElement(t));
return ec;
}
/**
* <p>makeSummary.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link org.apache.ecs.Element} object.
*/
protected Element makeSummary(WebSession s)
{
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("100%");
if (s.isColor())
{
t.setBorder(1);
}
TR tr = new TR();
// tr.addElement( new TH().addElement( "Summary").setColSpan(1));
// t.addElement( tr );
tr = new TR();
tr.addElement(new TD().setWidth("60%").addElement("Total number of users"));
tr.addElement(new TD().setAlign("LEFT").addElement(
Integer.toString(UserTracker.instance()
.getAllUsers(WebSession.WEBGOAT_USER).size())));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().setWidth("60%").addElement("Total number of users that completed all normal lessons"));
tr.addElement(new TD().setAlign("LEFT").addElement(Integer.toString(totalUsersNormalComplete)));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().setWidth("60%").addElement("Total number of users that completed all admin lessons"));
tr.addElement(new TD().setAlign("LEFT").addElement(Integer.toString(totalUsersAdminComplete)));
t.addElement(tr);
return t;
}
private void deleteUser(String user)
{
UserTracker.instance().deleteUser(user);
}
/**
* Gets the category attribute of the UserAdminScreen object
*
* @return The category value
*/
protected Category getDefaultCategory()
{
return Category.ADMIN_FUNCTIONS;
}
private final static Integer DEFAULT_RANKING = new Integer(1000);
/**
* <p>getDefaultRanking.</p>
*
* @return a {@link java.lang.Integer} object.
*/
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
/**
* Gets the role attribute of the UserAdminScreen object
*
* @return The role value
*/
public String getRole()
{
return ADMIN_ROLE;
}
/**
* Gets the title attribute of the UserAdminScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Summary Report Card");
}
/**
* {@inheritDoc}
*
* Description of the Method
*/
protected Element makeMessages(WebSession s)
{
ElementContainer ec = new ElementContainer();
return (ec);
}
/**
* Description of the Method
*
* @return Description of the Return Value
*/
protected Element makeUserSummaryHeader()
{
TR tr = new TR();
tr.addElement(new TH("User Name"));
tr.addElement(new TH("Normal Complete"));
tr.addElement(new TH("Admin Complete"));
tr.addElement(new TH("View"));
tr.addElement(new TH("Delete"));
return tr;
}
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @param user
* Description of the Parameter
* @return Description of the Return Value
*/
protected Element makeUserSummaryRow(WebSession s, String user)
{
TR tr = new TR();
tr.addElement(new TD().setAlign("LEFT").addElement(user));
int lessonCount = 0;
int passedCount = 0;
boolean normalComplete = false;
boolean adminComplete = false;
for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.USER_ROLE).iterator(); lessonIter
.hasNext();)
{
lessonCount++;
Screen screen = (Screen) lessonIter.next();
LessonTracker lessonTracker = UserTracker.instance().getLessonTracker(s, user, screen);
if (lessonTracker.getCompleted())
{
passedCount++;
}
}
if (lessonCount == passedCount)
{
normalComplete = true;
totalUsersNormalComplete++;
}
String text = Integer.toString(passedCount) + " of " + Integer.toString(lessonCount);
tr.addElement(new TD().setAlign("CENTER").addElement(text));
lessonCount = 0;
passedCount = 0;
for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.HACKED_ADMIN_ROLE).iterator(); lessonIter
.hasNext();)
{
lessonCount++;
Screen screen = (Screen) lessonIter.next();
LessonTracker lessonTracker = UserTracker.instance().getLessonTracker(s, user, screen);
if (lessonTracker.getCompleted())
{
passedCount++;
}
}
if (lessonCount == passedCount)
{
adminComplete = true;
totalUsersAdminComplete++;
}
text = Integer.toString(passedCount) + " of " + Integer.toString(lessonCount);
tr.addElement(new TD().setAlign("CENTER").addElement(text));
tr.addElement(new TD().setAlign("CENTER").addElement(new Input(Input.SUBMIT, "View_" + user, "View")));
tr.addElement(new TD().setAlign("CENTER").addElement(new Input(Input.SUBMIT, "Delete_" + user, "Delete")));
if (normalComplete && adminComplete)
{
tr.setBgColor(HtmlColor.GREEN);
}
else if (normalComplete)
{
tr.setBgColor(HtmlColor.LIGHTGREEN);
}
else
{
tr.setBgColor(HtmlColor.LIGHTBLUE);
}
return (tr);
}
/**
* <p>isEnterprise.</p>
*
* @return a boolean.
*/
public boolean isEnterprise()
{
return true;
}
}


@ -1,124 +0,0 @@
package org.owasp.webgoat.lessons.admin;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
import java.sql.Statement;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.LessonAdapter;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.WebSession;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @since October 28, 2003
* @version $Id: $Id
*/
public class UserAdminScreen extends LessonAdapter
{
private final static String QUERY = "SELECT * FROM user_system_data";
/**
* {@inheritDoc}
*
* Description of the Method
*/
protected Element createContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
try
{
Connection connection = DatabaseUtilities.getConnection(s);
Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
ResultSet results = statement.executeQuery(QUERY);
if (results != null)
{
makeSuccess(s);
ResultSetMetaData resultsMetaData = results.getMetaData();
ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData));
}
} catch (Exception e)
{
s.setMessage("Error generating " + this.getClass().getName());
e.printStackTrace();
}
return (ec);
}
/**
* Gets the category attribute of the UserAdminScreen object
*
* @return The category value
*/
protected Category getDefaultCategory()
{
return Category.ADMIN_FUNCTIONS;
}
private final static Integer DEFAULT_RANKING = new Integer(1000);
/**
* <p>getDefaultRanking.</p>
*
* @return a {@link java.lang.Integer} object.
*/
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
/**
* Gets the role attribute of the UserAdminScreen object
*
* @return The role value
*/
public String getRole()
{
return HACKED_ADMIN_ROLE;
}
/**
* Gets the title attribute of the UserAdminScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("User Information");
}
}


@ -1,165 +0,0 @@
package org.owasp.webgoat.lessons.admin;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import org.owasp.webgoat.lessons.*;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.Input;
import org.owasp.webgoat.session.*;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @since October 28, 2003
* @version $Id: $Id
*/
public class ViewDatabase extends LessonAdapter
{
private final static String SQL = "sql";
/**
* {@inheritDoc}
*
* Description of the Method
*/
protected Element createContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
try
{
ec.addElement(new StringElement("Enter a SQL statement: "));
StringBuffer sqlStatement = new StringBuffer(s.getParser().getRawParameter(SQL, ""));
Input input = new Input(Input.TEXT, SQL, sqlStatement.toString());
ec.addElement(input);
Element b = ECSFactory.makeButton("Go!");
ec.addElement(b);
Connection connection = DatabaseUtilities.getConnection(s);
if (sqlStatement.length() > 0)
{
Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
ResultSet results = statement.executeQuery(sqlStatement.toString());
if ((results != null) && (results.first() == true))
{
makeSuccess(s);
ResultSetMetaData resultsMetaData = results.getMetaData();
ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData));
}
}
} catch (Exception e)
{
s.setMessage("Error generating " + this.getClass().getName());
e.printStackTrace();
}
return (ec);
}
/**
* Gets the category attribute of the DatabaseScreen object
*
* @return The category value
*/
protected Category getDefaultCategory()
{
return Category.ADMIN_FUNCTIONS;
}
private final static Integer DEFAULT_RANKING = new Integer(1000);
/**
* <p>getDefaultRanking.</p>
*
* @return a {@link java.lang.Integer} object.
*/
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
/**
* {@inheritDoc}
*
* Gets the hints attribute of the DatabaseScreen object
*/
protected List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add("There are no hints defined");
return hints;
}
/**
* {@inheritDoc}
*
* Gets the instructions attribute of the ViewDatabase object
*/
public String getInstructions(WebSession s)
{
String instructions = "Please post a message to to the WebGoat forum. Your messages will be available for everyone to read.";
return (instructions);
}
/**
* Gets the role attribute of the ViewDatabase object
*
* @return The role value
*/
public String getRole()
{
return HACKED_ADMIN_ROLE;
}
/**
* Gets the title attribute of the DatabaseScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Adhoc Query");
}
}


@ -1,87 +0,0 @@
package org.owasp.webgoat.lessons.admin;
import org.owasp.webgoat.lessons.WelcomeScreen;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.html.Center;
import org.apache.ecs.html.H1;
import org.owasp.webgoat.session.WebSession;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @since October 28, 2003
* @version $Id: $Id
*/
public class WelcomeAdminScreen extends WelcomeScreen
{
/**
* Constructor for the WelcomeAdminScreen object
*
* @param s
* Description of the Parameter
*/
public WelcomeAdminScreen(WebSession s)
{
super(s);
}
/**
* Constructor for the WelcomeAdminScreen object
*/
public WelcomeAdminScreen()
{
}
/**
* {@inheritDoc}
*
* Description of the Method
*/
protected Element createContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
ec.addElement(new Center(new H1("You are logged on as an administrator")));
ec.addElement(super.createContent(s));
return (ec);
}
/**
* Gets the title attribute of the WelcomeAdminScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Admin Welcome");
}
}


@ -1,7 +1,6 @@
package org.owasp.webgoat.lessons.model;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.session.WebSession;
/**
@ -10,6 +9,7 @@ import org.owasp.webgoat.session.WebSession;
* @author dm
* @version $Id: $Id
*/
//// TODO: 11/5/2016 this can be removed???
public class LessonInfoModel {
private String lessonTitle;
@ -27,78 +27,11 @@ public class LessonInfoModel {
public LessonInfoModel(WebSession webSession) {
AbstractLesson lesson = webSession.getCurrentLesson();
//TODO make these first class citizens of the lesson itself; and stop passing the session all over ... and generally tighten the checks up
this.hasSource = !lesson.getSource(webSession).contains("Could not find the source file or source file does not exist");
this.hasPlan = !lesson.getSource(webSession).contains("Could not find lesson plan");
this.hasSolution = !lesson.getSolution(webSession).contains("Could not find the solution file or solution file does not exist");
this.hasSource = false;
this.hasPlan = false;
this.hasSolution = false;
this.lessonTitle = lesson.getTitle();
this.numberHints = lesson.getHintCount(webSession);
this.numberHints = lesson.getHintCount();
this.submitMethod = lesson.getSubmitMethod();
if ( this.numberHints < 1 || lesson.getHint(webSession,0).equals("Hint: There are no hints defined.")) {
this.numberHints = 0;
}
//special challenge case
if (lesson.getCategory().equals(Category.CHALLENGE)) {
this.numberHints = (lesson.isAuthorized(webSession, AbstractLesson.CHALLENGE_ROLE, WebSession.SHOWHINTS)) ? lesson.getHintCount(webSession) : 0;
this.hasSource = (lesson.isAuthorized(webSession, AbstractLesson.CHALLENGE_ROLE, WebSession.SHOWHINTS));
this.hasSolution = (lesson.isAuthorized(webSession, AbstractLesson.CHALLENGE_ROLE, WebSession.SHOWHINTS)); //assuming we want this to fall in line with source and solution
this.hasPlan = (lesson.isAuthorized(webSession, AbstractLesson.CHALLENGE_ROLE, WebSession.SHOWHINTS)); //assuming we want this to fall in line with source and solutionn
}
}
// GETTERS
/**
* <p>Getter for the field <code>lessonTitle</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getLessonTitle() {
return lessonTitle;
}
/**
* <p>Getter for the field <code>numberHints</code>.</p>
*
* @return a int.
*/
public int getNumberHints() {
return numberHints;
}
/**
* <p>isHasSource.</p>
*
* @return a boolean.
*/
public boolean isHasSource() {
return hasSource;
}
/**
* <p>isHasSolution.</p>
*
* @return a boolean.
*/
public boolean isHasSolution() {
return hasSolution;
}
/**
* <p>isHasPlan.</p>
*
* @return a boolean.
*/
public boolean isHasPlan() {
return hasPlan;
}
/**
* <p>Getter for the field <code>submitMethod</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getSubmitMethod() {
return submitMethod;
}
}
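Review bot: The constructor now hard-wires `hasSource`, `hasPlan` and `hasSolution` to `false` in place of the former `getSource`/`getSolution` string checks, with no comment saying whether the source/plan/solution views are gone for good or merely not yet ported, so the next reader cannot tell a deliberate decision from a stub; a comment such as `// TODO(8.0): source/plan/solution lookups went away with the role model; re-enable once lessons expose them directly` would make the intent explicit. The old normalisation that clamped `numberHints` to 0 when `getHintCount()` reported nothing or the first hint was the "Hint: There are no hints defined." placeholder is also dropped, so callers now see whatever `getHintCount()` returns; if a lesson can still carry that placeholder hint, the displayed count will be off by one. The getters appear to be removed on the new side as well (the hunk's new length is 11 lines), which I cannot confirm from the rendered view; if so, the fields are write-only and the `//// TODO ... this can be removed???` question added above the class should probably be answered in this commit rather than left open.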


@ -1,270 +0,0 @@
package org.owasp.webgoat.plugins;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.session.WebgoatContext;
import org.owasp.webgoat.session.WebgoatProperties;
import org.springframework.beans.factory.support.BeanDefinitionRegistry;
import org.springframework.beans.factory.support.SimpleBeanDefinitionRegistry;
import org.springframework.context.annotation.ClassPathBeanDefinitionScanner;
import org.springframework.core.io.ClassPathResource;
import org.springframework.core.io.Resource;
import org.springframework.core.type.filter.AssignableTypeFilter;
import org.springframework.core.type.filter.TypeFilter;
import javax.servlet.ServletContext;
import java.io.File;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
/**
* ************************************************************************************************
* <p>
* <p>
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
* <p>
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
* <p>
* Getting Source ==============
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @version $Id: $Id
* @since October 28, 2003
*/
@Slf4j
public class LegacyLoader {
private final List<String> files = new LinkedList<String>();
/**
* <p>Constructor for LegacyLoader.</p>
*/
public LegacyLoader() {
}
/**
* Take an absolute file and return the filename.
* <p>
* Ex. /etc/password becomes password
*
* @param s
* @return the file name
*/
private static String getFileName(String s) {
String fileName = new File(s).getName();
if (fileName.contains("/")) {
fileName = fileName.substring(fileName.lastIndexOf("/"), fileName.length());
}
if (fileName.contains(".")) {
fileName = fileName.substring(0, fileName.indexOf("."));
}
return fileName;
}
/**
* Take a class name and return the equivalent file name
* <p>
* Ex. org.owasp.webgoat becomes org/owasp/webgoat.java
*
* @param className
* @return
*/
private static String getSourceFile(String className) {
StringBuilder sb = new StringBuilder();
sb.append(className.replace(".", "/"));
sb.append(".java");
return sb.toString();
}
/**
* Takes a file name and builds the class file name
*
* @param fileName Description of the Parameter
* @param path Description of the Parameter
* @return Description of the Return Value
*/
private static String getClassFile(String fileName, String path) {
String ext = ".class";
fileName = fileName.trim();
/**
* We do not handle directories. We do not handle files with different
* extensions
*/
if (fileName.endsWith("/") || !fileName.endsWith(ext)) {
return null;
}
// skip over plugins and/or extracted plugins
if (fileName.indexOf("lessons/plugin") >= 0 || fileName.indexOf("plugin_extracted") >= 0) {
return null;
}
// if the file is in /WEB-INF/classes strip the dir info off
int index = fileName.indexOf("/WEB-INF/classes/");
if (index != -1) {
fileName = fileName.substring(index + "/WEB-INF/classes/".length(), fileName.length() - ext.length());
fileName = fileName.replace('/', '.');
fileName = fileName.replace('\\', '.');
} else {
// Strip off the leading path info
fileName = fileName.substring(path.length(), fileName.length() - ext.length());
}
return fileName;
}
/**
* Load all of the filenames into a temporary cache
*
* @param context a {@link javax.servlet.ServletContext} object.
* @param path a {@link java.lang.String} object.
*/
public void loadFiles(ServletContext context, String path) {
log.debug("Loading files into cache, path: " + path);
Resource resource = new ClassPathResource("/");
//resource.get
Set resourcePaths = null;
if (resourcePaths == null) {
log.error("Unable to load file cache for courses, this is probably a bug or configuration issue");
return;
}
Iterator itr = resourcePaths.iterator();
while (itr.hasNext()) {
String file = (String) itr.next();
if (file.length() != 1 && file.endsWith("/")) {
loadFiles(context, file);
} else {
files.add(file);
}
}
}
/**
* Instantiate all the lesson objects into a cache
*
* @param path a {@link java.lang.String} object.
* @param context a {@link javax.servlet.ServletContext} object.
* @param webgoatContext a {@link org.owasp.webgoat.session.WebgoatContext} object.
* @param properties a {@link org.owasp.webgoat.session.WebgoatProperties} object.
* @return a {@link java.util.List} object.
*/
public List<AbstractLesson> loadLessons(WebgoatContext webgoatContext, ServletContext context, String path, WebgoatProperties properties) {
BeanDefinitionRegistry bdr = new SimpleBeanDefinitionRegistry();
ClassPathBeanDefinitionScanner s = new ClassPathBeanDefinitionScanner(bdr);
TypeFilter tf = new AssignableTypeFilter(AbstractLesson.class);
s.addIncludeFilter(tf);
s.setIncludeAnnotationConfig(false);
s.scan("org.owasp.webgoat.lessons.admin");
String[] beanDefinitionNames = bdr.getBeanDefinitionNames();
List<AbstractLesson> lessons = new LinkedList<AbstractLesson>();
for (String file : beanDefinitionNames) {
String className = bdr.getBeanDefinition(file).getBeanClassName();
try {
Class c = Class.forName(className);
Object o = c.newInstance();
if (o instanceof AbstractLesson) {
AbstractLesson lesson = (AbstractLesson) o;
lesson.setWebgoatContext(webgoatContext);
lesson.update(properties);
if (lesson.getHidden() == false) {
lessons.add(lesson);
}
}
} catch (Exception e) {
// Bruce says:
// I don't think we want to log the exception here. We could
// be potentially showing a lot of exceptions that don't matter.
// We would only care if the lesson extended AbstractLesson and we
// can't tell that because it threw the exception. Catch 22
// logger.error("Error in loadLessons: ", e);
}
}
loadResources(lessons);
return lessons;
}
private String getLanguageFromFileName(String first, String absoluteFile) {
int p1 = absoluteFile.indexOf("/", absoluteFile.indexOf(first) + 1);
int p2 = absoluteFile.indexOf("/", p1 + 1);
String langStr = absoluteFile.substring(p1 + 1, p2);
return langStr;
}
/**
* For each lesson, set the source file and lesson file
*
* @param lessons a {@link java.util.List} object.
*/
public void loadResources(List<AbstractLesson> lessons) {
for (AbstractLesson lesson : lessons) {
log.info("Loading resources for lesson -> " + lesson.getName());
String className = lesson.getClass().getName();
String classFile = getSourceFile(className);
log.info("Lesson classname: " + className);
log.info("Lesson java file: " + classFile);
for (String absoluteFile : files) {
String fileName = getFileName(absoluteFile);
//logger.debug("Course: looking at file: " + absoluteFile);
if (absoluteFile.endsWith(classFile)) {
log.info("Set source file for " + classFile);
lesson.setSourceFileName(absoluteFile);
}
if (absoluteFile.startsWith("/lesson_plans") && absoluteFile.endsWith(".html")
&& className.endsWith(fileName)) {
log.info("setting lesson plan file " + absoluteFile + " for lesson "
+ lesson.getClass().getName());
log.info("fileName: " + fileName + " == className: " + className);
String language = getLanguageFromFileName("/lesson_plans", absoluteFile);
lesson.setLessonPlanFileName(language, absoluteFile);
}
if (absoluteFile.startsWith("/lesson_solutions") && absoluteFile.endsWith(".html")
&& className.endsWith(fileName)) {
log.info("setting lesson solution file " + absoluteFile + " for lesson "
+ lesson.getClass().getName());
log.info("fileName: " + fileName + " == className: " + className);
lesson.setLessonSolutionFileName(absoluteFile);
}
}
}
}
}


@ -3,7 +3,7 @@ package org.owasp.webgoat.plugins;
import com.google.common.base.Optional;
import com.google.common.collect.Lists;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.LessonEndpoint;
import org.owasp.webgoat.lessons.AssignmentEndpoint;
import org.owasp.webgoat.lessons.NewLesson;
import org.springframework.util.StringUtils;
@ -28,9 +28,8 @@ public class Plugin {
private static final String NAME_LESSON_PLANS_DIRECTORY = "lessonPlans";
private PluginClassLoader classLoader;
private Class<AbstractLesson> lesson;
private Class<NewLesson> newLesson;
private List<Class<LessonEndpoint>> lessonEndpoints = Lists.newArrayList();
private List<Class<AssignmentEndpoint>> lessonEndpoints = Lists.newArrayList();
private Map<String, File> solutionLanguageFiles = new HashMap<>();
private Map<String, File> lessonPlansLanguageFiles = new HashMap<>();
private List<File> pluginFiles = Lists.newArrayList();
@ -40,7 +39,7 @@ public class Plugin {
this.classLoader = classLoader;
}
public List<Class<LessonEndpoint>> getLessonEndpoints() {
public List<Class<AssignmentEndpoint>> getLessonEndpoints() {
return this.lessonEndpoints;
}
@ -56,15 +55,10 @@ public class Plugin {
}
private void findLesson(String name) {
//Old code remove after we migrated the lessons
String realClassName = StringUtils.trimLeadingCharacter(name, '/').replaceAll("/", ".").replaceAll(".class", "");
try {
Class clazz = classLoader.loadClass(realClassName);
if (AbstractLesson.class.isAssignableFrom(clazz)) {
this.lesson = clazz;
}
if (NewLesson.class.isAssignableFrom(clazz)) {
this.newLesson = clazz;
}
@ -80,7 +74,7 @@ public class Plugin {
try {
Class clazz = classLoader.loadClass(realClassName);
if (LessonEndpoint.class.isAssignableFrom(clazz)) {
if (AssignmentEndpoint.class.isAssignableFrom(clazz)) {
this.lessonEndpoints.add(clazz);
}
} catch (ClassNotFoundException ce) {
@ -118,14 +112,11 @@ public class Plugin {
*/
public Optional<AbstractLesson> getLesson() {
try {
if (lesson != null) {
return Optional.of(lesson.newInstance());
}
if (newLesson != null) {
return Optional.of(newLesson.newInstance());
}
} catch (IllegalAccessException | InstantiationException e) {
throw new PluginLoadingFailure("Unable to instantiate the lesson " + lesson.getName(), e);
throw new PluginLoadingFailure("Unable to instantiate the lesson " + newLesson.getName(), e);
}
return Optional.absent();
}
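Review bot: The field and getter keep the names `lessonEndpoints` / `getLessonEndpoints()` while their element type was renamed to `AssignmentEndpoint`, so a reader now has to look at the generic type to learn what the getter returns; `assignmentEndpoints` / `getAssignmentEndpoints()` would match the new type (the getter presumably has callers outside this hunk, so rename them together). Separately, `this.lessonEndpoints.add(clazz)` inserts a raw `Class` into a `List<Class<AssignmentEndpoint>>`, which only compiles through an unchecked conversion; declaring the list as `List<Class<? extends AssignmentEndpoint>>` and adding `clazz.asSubclass(AssignmentEndpoint.class)` makes the `isAssignableFrom` check above it visible to the compiler. The `findLesson` body continues outside the hunk.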


@ -3,8 +3,7 @@ package org.owasp.webgoat.plugins;
import com.google.common.collect.Lists;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.io.FileUtils;
import org.owasp.webgoat.util.LabelProvider;
import org.springframework.beans.factory.annotation.Autowired;
import org.owasp.webgoat.i18n.LabelProvider;
import org.springframework.util.ResourceUtils;
import java.io.File;
@ -43,7 +42,6 @@ public class PluginsLoader {
private final File pluginTargetDirectory;
private final PluginClassLoader classLoader;
@Autowired
public PluginsLoader(File pluginTargetDirectory, PluginClassLoader pluginClassLoader) {
this.classLoader = pluginClassLoader;
this.pluginTargetDirectory = pluginTargetDirectory;
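Review bot: Removing `@Autowired` from the constructor means injection now depends on Spring's implicit single-constructor rule (4.3+); if `PluginsLoader` has a second constructor outside this hunk, or is created by an older container, the bean would no longer be wired. If the class is instead constructed by hand (`new PluginsLoader(...)`), which the diff does not show either way, a one-line class comment saying so would stop the next reader from re-adding the annotation. The rest of the class is outside the hunk.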


@ -1,108 +0,0 @@
/**
* *************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
*
*/
package org.owasp.webgoat.service;
import java.io.PrintWriter;
import java.io.StringWriter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.owasp.webgoat.session.WebSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.ResponseStatus;
/**
* <p>Abstract BaseService class.</p>
*
* @author rlawson
* @version $Id: $Id
*/
@RequestMapping("/service")
public abstract class BaseService {
private static final Logger logger = LoggerFactory.getLogger(BaseService.class);
/**
* <p>handleException.</p>
*
* @param request a {@link javax.servlet.http.HttpServletRequest} object.
* @param ex a {@link java.lang.Exception} object.
* @return a {@link org.owasp.webgoat.service.ExceptionInfo} object.
*/
@ExceptionHandler(Exception.class)
@ResponseStatus(value = HttpStatus.I_AM_A_TEAPOT)
public @ResponseBody
ExceptionInfo handleException(HttpServletRequest request, Exception ex) {
String url = request.getRequestURL().toString();
logger.error("Exception handler for service caught exception when processing: " + url, ex);
ExceptionInfo response = new ExceptionInfo();
response.setUrl(url);
response.setMessage(getStringStackTrace(ex));
return response;
}
/**
* <p>getWebSession.</p>
*
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link org.owasp.webgoat.session.WebSession} object.
*/
public WebSession getWebSession(HttpSession session) {
WebSession ws;
Object o = session.getAttribute(WebSession.SESSION);
if (o == null) {
throw new IllegalArgumentException("No valid WebSession object found, has session timed out? [" + session.getId() + "]");
}
if (!(o instanceof WebSession)) {
throw new IllegalArgumentException("Invalid WebSession object found, this is probably a bug! [" + o.getClass() + " | " + session.getId() + "]");
}
ws = (WebSession) o;
return ws;
}
/**
* <p>getStringStackTrace.</p>
*
* @param t a {@link java.lang.Throwable} object.
* @return a {@link java.lang.String} object.
*/
public String getStringStackTrace(Throwable t){
StringWriter sw = new StringWriter();
PrintWriter pw = new PrintWriter(sw);
t.printStackTrace(pw);
return sw.toString();
}
}


@ -29,16 +29,13 @@
*/
package org.owasp.webgoat.service;
import org.owasp.webgoat.lessons.model.RequestParameter;
import org.owasp.webgoat.session.WebSession;
import com.google.common.collect.Lists;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.servlet.ModelAndView;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpSession;
import java.util.Collections;
import java.util.List;
/**
@ -48,7 +45,7 @@ import java.util.List;
* @version $Id: $Id
*/
@Controller
public class CookieService extends BaseService {
public class CookieService {
/**
* Returns cookies for last attack
@ -56,30 +53,11 @@ public class CookieService extends BaseService {
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link java.util.List} object.
*/
@RequestMapping(path = "/cookie.mvc", produces = "application/json")
@RequestMapping(path = "/service/cookie.mvc", produces = "application/json")
public @ResponseBody
List<Cookie> showCookies(HttpSession session) {
WebSession ws = getWebSession(session);
List<Cookie> cookies = ws.getCookiesOnLastRequest();
List<Cookie> showCookies() {
//// TODO: 11/6/2016 to be decided
List<Cookie> cookies = Lists.newArrayList();
return cookies;
}
/**
* Returns cookies and params for current lesson
*
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link org.springframework.web.servlet.ModelAndView} object.
*/
@RequestMapping(value = "/cookies_widget.mvc", produces = "text/html")
public ModelAndView showCookiesAndParamsAsHtml(HttpSession session) {
ModelAndView model = new ModelAndView();
WebSession ws = getWebSession(session);
List<Cookie> cookies = ws.getCookiesOnLastRequest();
List<RequestParameter> listParms = ws.getParmsOnLastRequest();
Collections.sort(listParms);
model.addObject("wgcookies", cookies);
model.addObject("wgparams", listParms);
model.setViewName("widgets/cookies_and_params");
return model;
}
}
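Review bot: The `@param session` Javadoc on `showCookies` (the context line just above the new `@RequestMapping`) documents a parameter that the new signature `List<Cookie> showCookies()` no longer has; drop the tag, or replace it with a sentence stating that the endpoint currently returns an empty list until the TODO is resolved. The same stale `@param session` tag survives in HintService, LessonInfoService, LessonMenuService, LessonPlanService, LessonTitleService and ParameterService after their `HttpSession` parameters were removed.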


@ -1,75 +0,0 @@
/***************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
*/
package org.owasp.webgoat.service;
/**
* <p>ExceptionInfo class.</p>
*
* @author rlawson
* @version $Id: $Id
*/
public class ExceptionInfo {
private String url;
private String message;
/**
* <p>Getter for the field <code>url</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getUrl() {
return url;
}
/**
* <p>Setter for the field <code>url</code>.</p>
*
* @param url a {@link java.lang.String} object.
*/
public void setUrl(String url) {
this.url = url;
}
/**
* <p>Getter for the field <code>message</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getMessage() {
return message;
}
/**
* <p>Setter for the field <code>message</code>.</p>
*
* @param message a {@link java.lang.String} object.
*/
public void setMessage(String message) {
this.message = message;
}
}


@ -5,17 +5,17 @@
*/
package org.owasp.webgoat.service;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpSession;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.model.Hint;
import org.owasp.webgoat.session.WebSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.servlet.ModelAndView;
import java.util.ArrayList;
import java.util.List;
import static java.util.stream.Collectors.toList;
/**
* <p>HintService class.</p>
@ -24,73 +24,43 @@ import org.springframework.web.servlet.ModelAndView;
* @version $Id: $Id
*/
@Controller
public class HintService extends BaseService {
public class HintService {
private final WebSession webSession;
public HintService(WebSession webSession) {
this.webSession = webSession;
}
/**
* Returns hints for current lesson
*
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link java.util.List} object.
*/
@RequestMapping(path = "/hint.mvc", produces = "application/json")
public @ResponseBody
List<Hint> showHint(HttpSession session) {
List<Hint> listHints = new ArrayList<Hint>();
WebSession ws = getWebSession(session);
AbstractLesson l = ws.getCurrentLesson();
if (l == null) {
return listHints;
}
List<String> hints = (l.getCategory().equals(Category.CHALLENGE)) ? null : l.getHintsPublic(ws);
if (hints == null) {
return listHints;
}
int idx = 0;
for (String h : hints) {
Hint hint = new Hint();
hint.setHint(h);
hint.setLesson(l.getName());
hint.setNumber(idx);
listHints.add(hint);
idx++;
}
return listHints;
}
/**
* <p>showHintsAsHtml.</p>
*
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link org.springframework.web.servlet.ModelAndView} object.
*/
@RequestMapping(value = "/hint_widget.mvc", produces = "text/html")
@RequestMapping(path = "/service/hint.mvc", produces = "application/json")
public
ModelAndView showHintsAsHtml(HttpSession session) {
ModelAndView model = new ModelAndView();
@ResponseBody
List<Hint> showHint() {
List<Hint> listHints = new ArrayList<Hint>();
model.addObject("hints", listHints);
WebSession ws = getWebSession(session);
AbstractLesson l = ws.getCurrentLesson();
AbstractLesson l = webSession.getCurrentLesson();
if (l == null) {
return model;
return listHints;
}
List<String> hints;
hints = l.getHintsPublic(ws);
List<String> hints = l.getHints();
if (hints == null) {
return model;
return listHints;
}
int idx = 0;
for (String h : hints) {
return hints.stream().map(h -> createHint(h, l.getName(), idx)).collect(toList());
}
private Hint createHint(String hintText, String lesson, int idx) {
Hint hint = new Hint();
hint.setHint(h);
hint.setLesson(l.getName());
hint.setHint(hintText);
hint.setLesson(lesson);
hint.setNumber(idx);
listHints.add(hint);
idx++;
}
model.setViewName("widgets/hints");
return model;
return hint;
}
}
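Review bot: `idx` is never incremented on the new side, so `createHint(h, l.getName(), idx)` numbers every hint 0 — the old loop's `idx++` was dropped with it, and a lambda could not mutate a local anyway. Use an index stream instead: `return IntStream.range(0, hints.size()).mapToObj(i -> createHint(hints.get(i), l.getName(), i)).collect(toList());` (plus `import java.util.stream.IntStream;`), after which `int idx = 0;` goes away and `listHints`, now only used by the two early returns, can become `Collections.emptyList()`. Separately, the constructor-injected `WebSession` field here — and likewise in LessonInfoService, LessonMenuService, LessonPlanService and LessonTitleService — lives in a singleton `@Controller`; unless `WebSession` is registered as a session-scoped proxy bean (its definition is not in this diff), every user would share one `WebSession` and see each other's current lesson, which is worth confirming in the bean configuration.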


@ -51,9 +51,9 @@ import java.util.Map;
* @version $Id: $Id
*/
@Controller
public class LabelDebugService extends BaseService {
public class LabelDebugService {
private static final String URL_DEBUG_LABELS_MVC = "/debug/labels.mvc";
private static final String URL_DEBUG_LABELS_MVC = "/service/debug/labels.mvc";
private static final String KEY_ENABLED = "enabled";
private static final String KEY_SUCCESS = "success";


@ -1,19 +1,10 @@
package org.owasp.webgoat.service;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.model.LessonInfoModel;
import org.owasp.webgoat.lessons.model.LessonMenuItem;
import org.owasp.webgoat.session.WebSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.ResponseStatus;
import javax.servlet.http.HttpSession;
@Controller
/**
@ -22,45 +13,23 @@ import javax.servlet.http.HttpSession;
* @author dm
* @version $Id: $Id
*/
public class LessonInfoService extends BaseService {
public class LessonInfoService {
private static final Logger logger = LoggerFactory.getLogger(LessonMenuService.class);
private final WebSession webSession;
public LessonInfoService(WebSession webSession) {
this.webSession = webSession;
}
/**
* <p>getLessonInfo.</p>
*
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link org.owasp.webgoat.lessons.model.LessonInfoModel} object.
*/
@RequestMapping(path = "/lessoninfo.mvc", produces = "application/json")
@RequestMapping(path = "/service/lessoninfo.mvc", produces = "application/json")
public @ResponseBody
LessonInfoModel getLessonInfo(HttpSession session) {
WebSession webSession = getWebSession(session);
LessonInfoModel getLessonInfo() {
return new LessonInfoModel(webSession);
}
/**
* <p>handleException.</p>
*
* @param ex a {@link java.lang.Exception} object.
* @return a {@link java.lang.String} object.
*/
@ExceptionHandler(Exception.class)
@ResponseBody
@ResponseStatus(value = HttpStatus.INTERNAL_SERVER_ERROR)
public String handleException(Exception ex) {
return "An error occurred retrieving the LessonInfoModel:" + ex.getMessage();
}
/**
* <p>getLessonInfoModel.</p>
*
* @param webSession a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link org.owasp.webgoat.lessons.model.LessonInfoModel} object.
*/
protected LessonInfoModel getLessonInfoModel(WebSession webSession) {
return new LessonInfoModel(webSession);
}
}


@ -1,50 +1,49 @@
/**
* *************************************************************************************************
*
*
* <p>
* <p>
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* <p>
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* <p>
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* <p>
* Getting Source ==============
*
* <p>
* Source for this application is maintained at
* https://github.com/WebGoat/WebGoat, a repository for free software projects.
*
*/
package org.owasp.webgoat.service;
import lombok.AllArgsConstructor;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.RandomLessonAdapter;
import org.owasp.webgoat.lessons.model.LessonMenuItem;
import org.owasp.webgoat.lessons.model.LessonMenuItemType;
import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.LessonTracker;
import org.owasp.webgoat.session.UserTracker;
import org.owasp.webgoat.session.WebSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpSession;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
/**
* <p>LessonMenuService class.</p>
@ -53,23 +52,23 @@ import java.util.List;
* @version $Id: $Id
*/
@Controller
public class LessonMenuService extends BaseService {
@AllArgsConstructor
public class LessonMenuService {
private static final Logger logger = LoggerFactory.getLogger(LessonMenuService.class);
private final Course course;
private final UserTracker userTracker;
private final WebSession webSession;
/**
* Returns the lesson menu which is used to build the left nav
*
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link java.util.List} object.
*/
@RequestMapping(path = "/lessonmenu.mvc", produces = "application/json")
public @ResponseBody
List<LessonMenuItem> showLeftNav(HttpSession session) {
@RequestMapping(path = "/service/lessonmenu.mvc", produces = "application/json")
public
@ResponseBody
List<LessonMenuItem> showLeftNav() {
List<LessonMenuItem> menu = new ArrayList<LessonMenuItem>();
WebSession ws = getWebSession(session);
// Get the categories, these are the main menu items
Course course = ws.getCourse();
List<Category> categories = course.getCategories();
for (Category category : categories) {
@ -77,41 +76,15 @@ public class LessonMenuService extends BaseService {
categoryItem.setName(category.getName());
categoryItem.setType(LessonMenuItemType.CATEGORY);
// check for any lessons for this category
List<AbstractLesson> lessons = ws.getLessons(category);
String role = ws.getRole();
logger.info("Role: " + role);
List<AbstractLesson> lessons = course.getLessons(category);
for (AbstractLesson lesson : lessons) {
LessonMenuItem lessonItem = new LessonMenuItem();
lessonItem.setName(lesson.getTitle());
lessonItem.setLink(lesson.getLink());
lessonItem.setType(LessonMenuItemType.LESSON);
if (lesson.isCompleted(ws)) {
lessonItem.setComplete(true);
}
Optional<LessonTracker> lessonTracker = userTracker.getLessonTracker(lesson);
lessonItem.setComplete(lessonTracker.isPresent() ? lessonTracker.get().getCompleted() : false);
categoryItem.addChild(lessonItem);
// Does the lesson have stages
if (lesson instanceof RandomLessonAdapter) {
RandomLessonAdapter rla = (RandomLessonAdapter) lesson;
String[] stages = rla.getStages();
if (stages != null) {
String lessonLink = lesson.getLink();
int stageIdx = 1;
for (String stage : stages) {
LessonMenuItem stageItem = new LessonMenuItem();
stageItem.setName("Stage " + stageIdx + ": " + stage);
// build the link for the stage
String stageLink = lessonLink + "/" + stageIdx;
stageItem.setLink(stageLink);
stageItem.setType(LessonMenuItemType.STAGE);
if (rla.isStageComplete(ws, stage)) {
stageItem.setComplete(true);
}
lessonItem.addChild(stageItem);
stageIdx++;
}
}
}
}
menu.add(categoryItem);
}
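Review bot: `lessonItem.setComplete(lessonTracker.isPresent() ? lessonTracker.get().getCompleted() : false);` is the `isPresent()`/`get()` idiom that `Optional` is meant to replace; `lessonItem.setComplete(lessonTracker.map(LessonTracker::getCompleted).orElse(false));` says the same thing without the conditional. On the same path `new ArrayList<LessonMenuItem>()` can use the diamond, as the rest of the file already relies on Java 8 features. `showLeftNav` ends outside the hunk.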


@ -29,15 +29,11 @@
*/
package org.owasp.webgoat.service;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.WebSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpSession;
/**
* <p>LessonPlanService class.</p>
*
@ -45,42 +41,33 @@ import javax.servlet.http.HttpSession;
* @version $Id: $Id
*/
@Controller
public class LessonPlanService extends BaseService {
//TODO remove
public class LessonPlanService {
private final WebSession webSession;
public LessonPlanService(WebSession webSession) {
this.webSession = webSession;
}
/**
* Returns source for current attack
*
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link java.lang.String} object.
*/
@RequestMapping(path = "/lessonplan.mvc", produces = "application/html")
@RequestMapping(path = "/service/lessonplan.mvc", produces = "application/html")
public @ResponseBody
String showPlan(HttpSession session) {
WebSession ws = getWebSession(session);
String plan = getPlan(ws);
String showPlan() {
String plan = getPlan();
return plan;
}
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected String getPlan(WebSession s) {
String plan = null;
int scr = s.getCurrentScreen();
Course course = s.getCourse();
if (s.isUser() || s.isAdmin()) {
AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
if (lesson != null) {
plan = lesson.getLessonPlan(s);
}
}
if (plan == null) {
plan = "Plan is not available for this lesson.";
}
return plan;
protected String getPlan() {
return "Plan is not available for this lesson.";
}
}
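Review bot: The new mapping line keeps `produces = "application/html"`, which is not a registered media type — HTML is `text/html` — so content negotiation against an `Accept: text/html` client will not match; use `@RequestMapping(path = "/service/lessonplan.mvc", produces = MediaType.TEXT_HTML_VALUE)`. LessonTitleService's new mapping carries the same `application/html` value. Since `getPlan()` now returns a fixed string and the class is marked `//TODO remove`, the method Javadoc ("Returns source for current attack") should say the endpoint is a placeholder that always returns "Plan is not available for this lesson." rather than describing behaviour that no longer exists.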


@ -1,51 +1,41 @@
package org.owasp.webgoat.service;
import com.google.common.collect.Maps;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.RandomLessonAdapter;
import lombok.AllArgsConstructor;
import org.owasp.webgoat.i18n.LabelManager;
import org.owasp.webgoat.lessons.model.LessonInfoModel;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.LabelManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.owasp.webgoat.session.LessonTracker;
import org.owasp.webgoat.session.UserTracker;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpSession;
import java.util.Map;
@Controller
/**
* <p>LessonProgressService class.</p>
*
* @author webgoat
*/
public class LessonProgressService extends BaseService {
@Controller
@AllArgsConstructor
public class LessonProgressService {
private static final Logger logger = LoggerFactory.getLogger(LessonMenuService.class);
private LabelManager labelManager;
@Autowired
public LessonProgressService(final LabelManager labelManager) {
this.labelManager = labelManager;
}
private UserTracker userTracker;
/**
* <p>LessonProgressService.</p>
*
* @param session a {@link HttpSession} object.
* @return a {@link LessonInfoModel} object.
*/
@RequestMapping(value = "/lessonprogress.mvc", produces = "application/json")
@RequestMapping(value = "/service/lessonprogress.mvc", produces = "application/json")
@ResponseBody
public Map getLessonInfo(HttpSession session) {
WebSession webSession = getWebSession(session);
AbstractLesson lesson = webSession.getCurrentLesson();
boolean lessonCompleted = lesson.isCompleted(webSession);
String successMessage = lesson instanceof RandomLessonAdapter ? "Congratulations, you have completed this lab" : labelManager
.get("LessonCompleted");
public Map getLessonInfo() {
LessonTracker lessonTracker = userTracker.getCurrentLessonTracker();
boolean lessonCompleted = lessonTracker.getCompleted();
String successMessage = labelManager.get("LessonCompleted");
Map json = Maps.newHashMap();
json.put("lessonCompleted", lessonCompleted);
json.put("successMessage", successMessage);
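Review bot: `lessonTracker.getCompleted()` dereferences the result of `userTracker.getCurrentLessonTracker()` without a check; LessonMenuService in this same commit obtains trackers as `Optional<LessonTracker>`, so if the "current" variant follows that convention or returns null when no lesson has been selected yet, this endpoint throws. If absence is possible, `boolean lessonCompleted = lessonTracker != null && lessonTracker.getCompleted();` (or the `Optional` form) is the guard to add. The two `@AllArgsConstructor`-injected fields should also be `private final LabelManager labelManager;` and `private final UserTracker userTracker;`, as the sibling services declare theirs. The method body continues outside the hunk.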


@ -1,46 +1,38 @@
package org.owasp.webgoat.service;
import javax.servlet.http.HttpSession;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.WebSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
@Controller
/**
* <p>LessonTitleService class.</p>
*
* @version $Id: $Id
* @author dm
* @version $Id: $Id
*/
public class LessonTitleService extends BaseService {
@Controller
public class LessonTitleService {
private final WebSession webSession;
public LessonTitleService(final WebSession webSession) {
this.webSession = webSession;
}
/**
* Returns the title for the current attack
*
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link java.lang.String} object.
*/
@RequestMapping(path = "/lessontitle.mvc", produces = "application/html")
public @ResponseBody
String showPlan(HttpSession session) {
WebSession ws = getWebSession(session);
return getLessonTitle(ws);
}
private String getLessonTitle(WebSession s) {
String title = "";
int scr = s.getCurrentScreen();
Course course = s.getCourse();
if (s.isUser() || s.isChallenge()) {
AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
title = lesson != null ? lesson.getTitle() : "";
}
return title;
@RequestMapping(path = "/service/lessontitle.mvc", produces = "application/html")
public
@ResponseBody
String showPlan() {
AbstractLesson lesson = webSession.getCurrentLesson();
return lesson != null ? lesson.getTitle() : "";
}
}
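Review bot: The rewritten handler is still named `showPlan()` although it now returns the lesson title, which the Javadoc above it ("Returns the title for the current attack") makes plain; `String showTitle()` would match, and because the URL comes from `@RequestMapping` the rename does not change the endpoint (unless something references the method by name, which this diff does not show). Returning `""` for a missing lesson is carried over from the old code; a `@return` note such as "the current lesson's title, or an empty string when no lesson is selected" would document that contract.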


@ -29,18 +29,16 @@
*/
package org.owasp.webgoat.service;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.servlet.http.HttpSession;
import com.google.common.collect.Lists;
import org.owasp.webgoat.lessons.model.RequestParameter;
import org.owasp.webgoat.session.WebSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpSession;
import java.util.Collections;
import java.util.List;
/**
* <p>ParameterService class.</p>
*
@ -48,9 +46,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
* @version $Id: $Id
*/
@Controller
public class ParameterService extends BaseService {
final Logger logger = LoggerFactory.getLogger(ParameterService.class);
public class ParameterService {
/**
* Returns request parameters for last attack
@ -58,11 +54,11 @@ public class ParameterService extends BaseService {
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link java.util.List} object.
*/
@RequestMapping(path = "/parameter.mvc", produces = "application/json")
@RequestMapping(path = "/service/parameter.mvc", produces = "application/json")
public @ResponseBody
List<RequestParameter> showParameters(HttpSession session) {
WebSession ws = getWebSession(session);
List<RequestParameter> listParms = ws.getParmsOnLastRequest();
//// TODO: 11/6/2016 to decide not sure about the role in WebGoat 8
List<RequestParameter> listParms = Lists.newArrayList();
Collections.sort(listParms);
return listParms;
}
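Review bot: `showParameters` now always returns an empty list, yet it keeps the unused `HttpSession session` parameter, a now-dead `Collections.sort(listParms)`, and Javadoc that still promises "request parameters for last attack". If the endpoint is intentionally stubbed until the role question is settled, say so where the next reader will look, e.g. `Currently returns an empty list; request-parameter tracking is not yet wired up in WebGoat 8 (see the TODO).`, and reduce the body to `return Collections.emptyList();`. The Guava `Lists.newArrayList()` call then becomes unnecessary as well.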


@ -29,9 +29,6 @@
*/
package org.owasp.webgoat.service;
import org.owasp.webgoat.session.WebSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
@ -50,9 +47,7 @@ import java.util.Map;
* @version $Id: $Id
*/
@Controller
public class PluginReloadService extends BaseService {
private static final Logger logger = LoggerFactory.getLogger(PluginReloadService.class);
public class PluginReloadService {
/**
* Reload all the plugins
@ -60,17 +55,17 @@ public class PluginReloadService extends BaseService {
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link org.springframework.http.ResponseEntity} object.
*/
@RequestMapping(path = "/reloadplugins.mvc", produces = MediaType.APPLICATION_JSON_VALUE)
@RequestMapping(path = "/service/reloadplugins.mvc", produces = MediaType.APPLICATION_JSON_VALUE)
public @ResponseBody
ResponseEntity<Map<String, Object>> reloadPlugins(HttpSession session) {
WebSession webSession = (WebSession) session.getAttribute(WebSession.SESSION);
logger.debug("Loading plugins into cache");
String pluginPath = session.getServletContext().getRealPath("plugin_lessons");
String targetPath = session.getServletContext().getRealPath("plugin_extracted");
//TODO fix me
//new PluginsLoader(Paths.get(pluginPath), Paths.get(targetPath)).copyJars();
//webSession.getCourse().loadLessonFromPlugin();
// WebSession webSession = (WebSession) session.getAttribute(WebSession.SESSION);
//
// logger.debug("Loading plugins into cache");
// String pluginPath = session.getServletContext().getRealPath("plugin_lessons");
// String targetPath = session.getServletContext().getRealPath("plugin_extracted");
// //TODO fix me
// //new PluginsLoader(Paths.get(pluginPath), Paths.get(targetPath)).copyJars();
// //webSession.getCourse().createLessonsFromPlugins();
Map<String, Object> result = new HashMap<String, Object>();
result.put("success", true);
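Review bot: `reloadPlugins` no longer does anything but still answers `result.put("success", true)`, so a client calling `/service/reloadplugins.mvc` is told a reload happened when none did; either document the no-op in the Javadoc or make the payload truthful, e.g. `result.put("success", false); result.put("message", "plugin reload is not available in this version");`. The eight commented-out lines should be deleted rather than carried along — git keeps the history — and the `HttpSession session` parameter is now unused. The method's return statement lies outside the hunk.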


@ -1,32 +1,31 @@
/***************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* <p>
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* <p>
* Getting Source ==============
*
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
*/
package org.owasp.webgoat.service;
import javax.servlet.http.HttpSession;
import lombok.AllArgsConstructor;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.session.UserTracker;
import org.owasp.webgoat.session.WebSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
@ -39,22 +38,25 @@ import org.springframework.web.bind.annotation.ResponseBody;
* @version $Id: $Id
*/
@Controller
public class RestartLessonService extends BaseService {
@AllArgsConstructor
public class RestartLessonService {
private final WebSession webSession;
private final UserTracker userTracker;
/**
* Returns current lesson
*
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link java.lang.String} object.
*/
@RequestMapping(path = "/restartlesson.mvc", produces = "text/text")
public @ResponseBody
String restartLesson(HttpSession session) {
WebSession ws = getWebSession(session);
int currentScreen = ws.getCurrentScreen();
if(currentScreen > 0){
ws.restartLesson(currentScreen);
}
return ws.getCurrentLesson().getLink();
@RequestMapping(path = "/service/restartlesson.mvc", produces = "text/text")
public
@ResponseBody
String restartLesson() {
AbstractLesson al = webSession.getCurrentLesson();
System.out.println("Restarting lesson: " + al);
userTracker.getCurrentLessonTracker().setCompleted(false);
return webSession.getCurrentLesson().getLink();
}
}
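Review bot: `System.out.println("Restarting lesson: " + al)` in `restartLesson` bypasses the logger the rest of this commit uses (`@Slf4j` on `Course`); annotate the class with `@Slf4j` and write `log.debug("Restarting lesson: {}", al);` instead. The Javadoc above the method still documents a `session` parameter that no longer exists and says "Returns current lesson" although the method now resets the lesson tracker. `webSession.getCurrentLesson().getLink()` is dereferenced without the `currentScreen > 0` guard the old code had, so a request made before any lesson has been selected would surface as an NPE/500 if `getCurrentLesson()` can return null — worth confirming.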


@ -5,16 +5,17 @@
*/
package org.owasp.webgoat.service;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
/**
* <p>SessionService class.</p>
@ -23,7 +24,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
* @version $Id: $Id
*/
@Controller
public class SessionService extends BaseService {
public class SessionService {
/**
* Returns hints for current lesson
@ -32,7 +33,7 @@ public class SessionService extends BaseService {
* @param request a {@link javax.servlet.http.HttpServletRequest} object.
* @return a {@link java.lang.String} object.
*/
@RequestMapping(path = "/session.mvc", produces = "application/json")
@RequestMapping(path = "/service/session.mvc", produces = "application/json")
public @ResponseBody
String showSession(HttpServletRequest request, HttpSession session) {
StringBuilder sb = new StringBuilder();


@ -1,43 +1,37 @@
/**
* *************************************************************************************************
*
*
* <p>
* <p>
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* <p>
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* <p>
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* <p>
* Getting Source ==============
*
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
*
*/
package org.owasp.webgoat.service;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.WebSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpSession;
/**
* <p>SolutionService class.</p>
*
@ -45,42 +39,28 @@ import javax.servlet.http.HttpSession;
* @version $Id: $Id
*/
@Controller
public class SolutionService extends BaseService {
public class SolutionService {
/**
* Returns solution for current attack
*
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link java.lang.String} object.
*/
@RequestMapping(path = "/solution.mvc", produces = "text/html")
public @ResponseBody
String showSolution(HttpSession session) {
WebSession ws = getWebSession(session);
String source = getSolution(ws);
@RequestMapping(path = "/service/solution.mvc", produces = "text/html")
public
@ResponseBody
String showSolution() {
//// TODO: 11/6/2016 to decide not sure about the role in WebGoat 8
String source = getSolution();
return source;
}
/**
* <p>getSolution.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link java.lang.String} object.
*/
protected String getSolution(WebSession s) {
String source = null;
int scr = s.getCurrentScreen();
Course course = s.getCourse();
if (s.isUser() || s.isAdmin()) {
AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
if (lesson != null) {
source = lesson.getSolution(s);
}
}
if (source == null) {
return "Solution is not available. Contact " + s.getWebgoatContext().getFeedbackAddressHTML();
}
return source;
protected String getSolution() {
return "Solution is not available";
}
}
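Review bot: The new `getSolution()` has no Javadoc, and `showSolution` keeps a Javadoc `@param session` for a parameter that was removed; its body `String source = getSolution(); return source;` can simply be `return getSolution();`. If the stub is intentional until the role model is decided, a one-line doc on `getSolution()` such as `Placeholder: solution lookup is disabled until per-lesson solutions are wired up in WebGoat 8.` keeps the next reader from hunting for a missing implementation. The `//// TODO: 11/6/2016` marker would be more useful with an issue reference than a date.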


@ -1,38 +1,34 @@
/**
* *************************************************************************************************
*
*
* <p>
* <p>
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* <p>
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* <p>
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* <p>
* Getting Source ==============
*
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
*
*/
package org.owasp.webgoat.service;
import org.apache.commons.lang3.StringEscapeUtils;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.WebSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
@ -46,7 +42,8 @@ import javax.servlet.http.HttpSession;
* @version $Id: $Id
*/
@Controller
public class SourceService extends BaseService {
//TODO REMOVE!
public class SourceService {
/**
* Description of the Field
@ -62,11 +59,12 @@ public class SourceService extends BaseService {
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link java.lang.String} object.
*/
@RequestMapping(path = "/source.mvc", produces = "application/text")
public @ResponseBody
@RequestMapping(path = "/service/source.mvc", produces = "application/text")
public
@ResponseBody
String showSource(HttpSession session) {
WebSession ws = getWebSession(session);
String source = getSource(ws);
//// TODO: 11/6/2016 to decide not sure about the role in WebGoat 8
String source = getSource();
if (source == null) {
source = "No source listing found";
}
@ -76,24 +74,9 @@ public class SourceService extends BaseService {
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected String getSource(WebSession s) {
String source = null;
int scr = s.getCurrentScreen();
Course course = s.getCourse();
if (s.isUser() || s.isAdmin()) {
AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
if (lesson != null) {
source = lesson.getRawSource(s);
}
}
if (source == null) {
protected String getSource() {
return "Source code is not available for this lesson.";
}
return source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP,
"Code Section Deliberately Omitted");
}
}
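Review bot: `getSource()` now always returns a non-null constant, so the `if (source == null)` fallback in `showSource` (previous hunk) is dead, and the `//TODO REMOVE!` on the class carries no owner or issue reference. The redaction the old `getSource` applied — `replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP, "Code Section Deliberately Omitted")` — is what kept deliberately hidden sections out of the source shown to learners; if lesson source display is restored later that filter must come back with it, so a comment on `getSource()` such as `When re-enabling source listing, re-apply the START_SOURCE_SKIP/END_SOURCE_SKIP redaction removed in this commit.` would prevent a silent regression. The Javadoc is still the placeholder "Description of the Method".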


@ -1,73 +0,0 @@
package org.owasp.webgoat.session;
import java.util.Hashtable;
import java.util.Map;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* * @version $Id: $Id
*
* @author dm
* @version $Id: $Id
*/
public class Authorization
{
Map<Integer, Integer> permissions = new Hashtable<Integer, Integer>();
/**
* <p>Constructor for Authorization.</p>
*/
public Authorization()
{
}
/**
* <p>setPermission.</p>
*
* @param userId a int.
* @param functionId a int.
*/
public void setPermission(int userId, int functionId)
{
permissions.put(new Integer(userId), new Integer(functionId));
}
/**
* <p>isAllowed.</p>
*
* @param userId a int.
* @param functionId a int.
* @return a boolean.
*/
public boolean isAllowed(int userId, int functionId)
{
return (permissions.get(new Integer(userId)) != null);
}
}


@ -1,156 +1,58 @@
package org.owasp.webgoat.session;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.plugins.LegacyLoader;
import org.owasp.webgoat.lessons.NewLesson;
import org.owasp.webgoat.plugins.Plugin;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.servlet.ServletContext;
import java.io.File;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import static java.util.stream.Collectors.toList;
/**
* ************************************************************************************************
*
*
* <p>
* <p>
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* <p>
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* <p>
* Getting Source ==============
*
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @since October 28, 2003
* @version $Id: $Id
* @since October 28, 2003
*/
@Slf4j
public class Course {
final Logger logger = LoggerFactory.getLogger(Course.class);
private List<AbstractLesson> lessons = new LinkedList<>();
private WebgoatProperties properties = null;
private WebgoatContext webgoatContext;
/**
* <p>Constructor for Course.</p>
*/
public Course(WebgoatProperties properties) {
this.properties = properties;
}
/**
* Take an absolute file and return the filename.
*
* Ex. /etc/password becomes password
*
* @param s
* @return the file name
*/
private static String getFileName(String s) {
String fileName = new File(s).getName();
if (fileName.contains("/")) {
fileName = fileName.substring(fileName.lastIndexOf("/"), fileName.length());
}
if (fileName.contains(".")) {
fileName = fileName.substring(0, fileName.indexOf("."));
}
return fileName;
}
/**
* Take a class name and return the equivalent file name
*
* Ex. org.owasp.webgoat becomes org/owasp/webgoat.java
*
* @param className
* @return
*/
private static String getSourceFile(String className) {
StringBuilder sb = new StringBuilder();
sb.append(className.replace(".", "/"));
sb.append(".java");
return sb.toString();
}
/**
* Takes a file name and builds the class file name
*
* @param fileName Description of the Parameter
* @param path Description of the Parameter
* @return Description of the Return Value
*/
private static String getClassFile(String fileName, String path) {
String ext = ".class";
fileName = fileName.trim();
/**
* We do not handle directories. We do not handle files with different
* extensions
*/
if (fileName.endsWith("/") || !fileName.endsWith(ext)) {
return null;
}
// if the file is in /WEB-INF/classes strip the dir info off
int index = fileName.indexOf("/WEB-INF/classes/");
if (index != -1) {
fileName = fileName.substring(index + "/WEB-INF/classes/".length(), fileName.length() - ext.length());
fileName = fileName.replace('/', '.');
fileName = fileName.replace('\\', '.');
} else {
// Strip off the leading path info
fileName = fileName.substring(path.length(), fileName.length() - ext.length());
}
return fileName;
}
/**
* Gets the categories attribute of the Course object
*
* @return The categories value
*/
public List getCategories() {
List<Category> categories = new ArrayList<Category>();
for (AbstractLesson lesson : lessons) {
if (!categories.contains(lesson.getCategory())) {
categories.add(lesson.getCategory());
}
}
Collections.sort(categories);
return categories;
public List<Category> getCategories() {
return lessons.parallelStream().map(l -> l.getCategory()).distinct().sorted().collect(toList());
}
/**
@ -159,148 +61,28 @@ public class Course {
* @return The firstLesson value
*/
public AbstractLesson getFirstLesson() {
List<String> roles = new ArrayList<String>();
roles.add(AbstractLesson.USER_ROLE);
// Category 0 is the admin function. We want the first real category
// to be returned. This is normally the General category and the Http Basics lesson
return ((AbstractLesson) getLessons((Category) getCategories().get(0), roles).get(0));
}
/**
* Gets the lesson attribute of the Course object
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param lessonId Description of the Parameter
* @param roles a {@link java.util.List} object.
* @return The lesson value
*/
public AbstractLesson getLesson(WebSession s, int lessonId, List<String> roles) {
if (s.isHackedAdmin()) {
roles.add(AbstractLesson.HACKED_ADMIN_ROLE);
}
// System.out.println("getLesson() with roles: " + roles);
Iterator<AbstractLesson> iter = lessons.iterator();
while (iter.hasNext()) {
AbstractLesson lesson = iter.next();
if (lesson.getScreenId() == lessonId && roles.contains(lesson.getRole())) {
return lesson;
}
}
return null;
}
/**
* <p>getLesson.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param lessonId a int.
* @param role a {@link java.lang.String} object.
* @return a {@link org.owasp.webgoat.lessons.AbstractLesson} object.
*/
public AbstractLesson getLesson(WebSession s, int lessonId, String role) {
List<String> roles = new ArrayList<String>();
roles.add(role);
return getLesson(s, lessonId, roles);
return getLessons(getCategories().get(0)).get(0);
}
/**
* <p>Getter for the field <code>lessons</code>.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param role a {@link java.lang.String} object.
* @return a {@link java.util.List} object.
*/
public List<AbstractLesson> getLessons(WebSession s, String role) {
List<String> roles = new ArrayList<String>();
roles.add(role);
return getLessons(s, roles);
}
/**
* Gets the lessons attribute of the Course object
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param roles a {@link java.util.List} object.
* @return The lessons value
*/
public List<AbstractLesson> getLessons(WebSession s, List<String> roles) {
if (s.isHackedAdmin()) {
roles.add(AbstractLesson.HACKED_ADMIN_ROLE);
}
List<AbstractLesson> lessonList = new ArrayList<AbstractLesson>();
Iterator categoryIter = getCategories().iterator();
while (categoryIter.hasNext()) {
lessonList.addAll(getLessons(s, (Category) categoryIter.next(), roles));
}
return lessonList;
}
/**
* Gets the lessons attribute of the Course object
*
* @param category Description of the Parameter
* @param roles Description of the Parameter
* @return The lessons value
*/
private List<AbstractLesson> getLessons(Category category, List roles) {
List<AbstractLesson> lessonList = new ArrayList<AbstractLesson>();
for (AbstractLesson lesson : lessons) {
if (lesson.getCategory().equals(category) && roles.contains(lesson.getRole())) {
lessonList.add(lesson);
}
}
Collections.sort(lessonList);
return lessonList;
public List<AbstractLesson> getLessons() {
return this.lessons;
}
/**
* <p>Getter for the field <code>lessons</code>.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param category a {@link org.owasp.webgoat.lessons.Category} object.
* @param role a {@link java.lang.String} object.
* @return a {@link java.util.List} object.
*/
public List getLessons(WebSession s, Category category, String role) {
List<String> roles = new ArrayList<String>();
roles.add(role);
return getLessons(s, category, roles);
}
/**
* <p>Getter for the field <code>lessons</code>.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param category a {@link org.owasp.webgoat.lessons.Category} object.
* @param roles a {@link java.util.List} object.
* @return a {@link java.util.List} object.
*/
public List<AbstractLesson> getLessons(WebSession s, Category category, List<String> roles) {
if (s.isHackedAdmin()) {
roles.add(AbstractLesson.HACKED_ADMIN_ROLE);
}
return getLessons(category, roles);
}
/**
* <p>getLesson.</p>
*
* @param lessonId a int.
* @return a {@link org.owasp.webgoat.lessons.AbstractLesson} object.
*/
public AbstractLesson getLesson(int lessonId) {
for (AbstractLesson l : lessons) {
if (l.getScreenId() == lessonId) {
return l;
}
}
return null;
public List<AbstractLesson> getLessons(Category category) {
return this.lessons.stream().filter(l -> l.getCategory() == category).collect(toList());
}
public void setLessons(List<AbstractLesson> lessons) {
@ -308,44 +90,17 @@ public class Course {
}
/**
* <p>loadLessonFromPlugin.</p>
* <p>createLessonsFromPlugins.</p>
*/
public void loadLessonFromPlugin(List<Plugin> plugins) {
public void createLessonsFromPlugins(List<Plugin> plugins) {
for (Plugin plugin : plugins) {
try {
AbstractLesson lesson = plugin.getLesson().get();
lesson.setWebgoatContext(webgoatContext);
lesson.update(properties);
if (!lesson.getHidden()) {
NewLesson lesson = (NewLesson) plugin.getLesson().get();
lesson.setTotalNumberOfAssignments(plugin.getLessonEndpoints().size());
lessons.add(lesson);
}
for(Map.Entry<String, File> lessonPlan : plugin.getLessonPlans().entrySet()) {
lesson.setLessonPlanFileName(lessonPlan.getKey(), lessonPlan.getValue().toString());
}
if (plugin.getLessonSolution("en").isPresent()) {
lesson.setLessonSolutionFileName(plugin.getLessonSolution("en").get().toString());
}
if (plugin.getLessonSource().isPresent()) {
lesson.setSourceFileName(plugin.getLessonSource().get().toString());
}
} catch (Exception e) {
logger.error("Error in loadLessons: ", e);
log.error("Error in loadLessons: ", e);
}
}
}
/**
* Description of the Method
*
* @param webgoatContext a {@link org.owasp.webgoat.session.WebgoatContext} object.
* @param path Description of the Parameter
* @param context Description of the Parameter
*/
public void loadCourses(WebgoatContext webgoatContext, ServletContext context, String path) {
logger.info("Loading courses: " + path);
this.webgoatContext = webgoatContext;
LegacyLoader loader = new LegacyLoader();
lessons.addAll(loader.loadLessons(webgoatContext, context, path, properties));
}
}
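Review bot: `getLessons(Category category)` in the second hunk switched from `lesson.getCategory().equals(category)` to `l.getCategory() == category`; unless `Category` is an enum this is a reference comparison and lessons whose category is an equal but distinct instance will be filtered out, so keep `filter(l -> l.getCategory().equals(category))`. `getCategories()` uses `parallelStream()` over a handful of lessons, which buys nothing and complicates debugging — `lessons.stream().map(AbstractLesson::getCategory).distinct().sorted().collect(toList())` is equivalent and simpler. `getLessons()` hands out the internal mutable list; returning `Collections.unmodifiableList(lessons)` would stop callers from altering course state. In `createLessonsFromPlugins`, `(NewLesson) plugin.getLesson().get()` unwraps the `Optional` and casts unchecked, and the `catch (Exception e)` then logs and silently drops the lesson — at least include which plugin failed in the log message.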


@ -4,7 +4,6 @@ package org.owasp.webgoat.session;
import java.sql.Connection;
import java.sql.SQLException;
import java.sql.Statement;
import org.owasp.webgoat.lessons.AbstractLesson;
/**
@ -759,16 +758,16 @@ public class CreateDB
String insertData25_1 = "INSERT INTO auth VALUES('admin', 'SearchStaff')";
String insertData25_2 = "INSERT INTO auth VALUES('admin', 'FindProfile')";
// Add a permission for the webgoat role to see the source.
// The challenge(s) will change the default role to "challenge"
String insertData26 = "INSERT INTO auth VALUES('" + AbstractLesson.USER_ROLE + "','" + WebSession.SHOWSOURCE
+ "')";
String insertData27 = "INSERT INTO auth VALUES('" + AbstractLesson.USER_ROLE + "','" + WebSession.SHOWHINTS
+ "')";
// // Add a permission for the webgoat role to see the source.
// // The challenge(s) will change the default role to "challenge"
// String insertData26 = "INSERT INTO auth VALUES('" + AbstractLesson.USER_ROLE + "','" + WebSession.SHOWSOURCE
// + "')";
// String insertData27 = "INSERT INTO auth VALUES('" + AbstractLesson.USER_ROLE + "','" + WebSession.SHOWHINTS
// + "')";
// Add a permission for the webgoat role to see the solution.
// The challenge(s) will change the default role to "challenge"
String insertData28 = "INSERT INTO auth VALUES('" + AbstractLesson.USER_ROLE + "','" + WebSession.SHOWSOLUTION
+ "')";
// String insertData28 = "INSERT INTO auth VALUES('" + AbstractLesson.USER_ROLE + "','" + WebSession.SHOWSOLUTION
// + "')";
statement.executeUpdate(insertData1);
statement.executeUpdate(insertData2);
@ -803,9 +802,9 @@ public class CreateDB
statement.executeUpdate(insertData25);
statement.executeUpdate(insertData25_1);
statement.executeUpdate(insertData25_2);
statement.executeUpdate(insertData26);
statement.executeUpdate(insertData27);
statement.executeUpdate(insertData28);
//statement.executeUpdate(insertData26);
//statement.executeUpdate(insertData27);
//statement.executeUpdate(insertData28);
}
private void createOwnershipTable(Connection connection) throws SQLException
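Review bot: The `insertData26`–`insertData28` statements and their `executeUpdate` calls are commented out rather than removed; dead code in a seed script ages badly and git already preserves it. With these rows gone the `auth` table no longer holds the `WebSession.SHOWSOURCE`/`SHOWHINTS`/`SHOWSOLUTION` permissions for the user role, which is consistent with this commit dropping the role checks, but any lesson that still queries `auth` for those function names would now see them as denied — worth confirming no such reader remains. The enclosing method starts outside the hunk.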


@ -1,17 +1,8 @@
package org.owasp.webgoat.session;
import org.apache.ecs.MultiPartElement;
import org.apache.ecs.html.B;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import java.io.IOException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
import java.sql.SQLException;
import java.util.HashMap;
import java.util.Map;
@ -133,72 +124,4 @@ public class DatabaseUtilities
return DriverManager.getConnection(url, "sa", "");
}
/**
* Description of the Method
*
* @param results
* Description of the Parameter
* @param resultsMetaData
* Description of the Parameter
* @param resultsMetaData
* Description of the Parameter
* @param resultsMetaData
* Description of the Parameter
* @param resultsMetaData
* Description of the Parameter
* @param resultsMetaData
* Description of the Parameter
* @param resultsMetaData
* Description of the Parameter
* @return Description of the Return Value
* @exception IOException
* Description of the Exception
* @exception SQLException
* Description of the Exception
* @throws java.io.IOException if any.
* @throws java.sql.SQLException if any.
*/
public static MultiPartElement writeTable(ResultSet results, ResultSetMetaData resultsMetaData) throws IOException,
SQLException
{
int numColumns = resultsMetaData.getColumnCount();
results.beforeFirst();
if (results.next())
{
Table t = new Table(1); // 1 = with border
t.setCellPadding(1);
TR tr = new TR();
for (int i = 1; i < (numColumns + 1); i++)
{
tr.addElement(new TD(new B(resultsMetaData.getColumnName(i))));
}
t.addElement(tr);
results.beforeFirst();
while (results.next())
{
TR row = new TR();
for (int i = 1; i < (numColumns + 1); i++)
{
String str = results.getString(i);
if (str == null) str = "";
row.addElement(new TD(str.replaceAll(" ", "&nbsp;")));
}
t.addElement(row);
}
return (t);
}
else
{
return (new B("Query Successful; however no data was returned from this query."));
}
}
}


@ -1,754 +0,0 @@
package org.owasp.webgoat.session;
import java.util.Iterator;
import java.util.List;
import java.util.StringTokenizer;
import java.util.Vector;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.A;
import org.apache.ecs.html.BR;
import org.apache.ecs.html.H3;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.Label;
import org.apache.ecs.html.Option;
import org.apache.ecs.html.P;
import org.apache.ecs.html.Select;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TH;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.U;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Jeff Williams (jeff.williams@aspectsecurity.com)
* @since October 29, 2003
* @version $Id: $Id
*/
public class ECSFactory
{
/**
* Description of the Field
*/
public final static String ON = "On";
/**
* Description of the Field
*/
public final static String PASSWORD = "Password";
/**
* Don't let anyone instantiate this class
*/
private ECSFactory()
{
}
/**
* Description of the Method
*
* @param name
* Description of the Parameter
* @param value
* Description of the Parameter
* @return Description of the Return Value
*/
public static Element makeBox(String name, String value)
{
Input i = new Input(Input.CHECKBOX, name, ON);
i.setChecked(value.equals(ON));
return (i);
}
/**
* Description of the Method
*
* @param text
* Description of the Parameter
* @return Description of the Return Value
*/
public static Element makeButton(String text)
{
Input b = new Input();
b.setType(Input.SUBMIT);
b.setValue(text);
b.setName(Input.SUBMIT);
return (b);
}
/**
* <p>makeButton.</p>
*
* @param text a {@link java.lang.String} object.
* @param onClickFunction a {@link java.lang.String} object.
* @return a {@link org.apache.ecs.Element} object.
*/
public static Element makeButton(String text, String onClickFunction)
{
Input b = (Input) makeButton(text);
b.setOnClick(onClickFunction);
return (b);
}
/**
* Description of the Method
*
* @param labeltext
* Description of the Parameter
* @param value
* Description of the Parameter
* @param e
* Description of the Parameter
* @return Description of the Return Value
*/
public static TR makeField(String labeltext, String value, Element e)
{
TD left = new TD().setAlign("right");
Label label = new Label().addElement(labeltext);
left.addElement(label);
TD right = new TD().setAlign("left");
right.addElement(e);
TR row = new TR();
row.addElement(left);
row.addElement(right);
return (row);
}
/**
* Description of the Method
*
* @param labeltext
* Description of the Parameter
* @param name
* Description of the Parameter
* @param value
* Description of the Parameter
* @param size
* Description of the Parameter
* @return Description of the Return Value
*/
public static TR makeField(String labeltext, String name, String value, int size)
{
Input field = new Input().setName(name).setValue(value).setSize(size).setMaxlength(size);
// double check in case someone means to make a * starred out password field
if (name.equals(PASSWORD))
{
field.setType(Input.PASSWORD);
}
return (makeField(labeltext, value, field));
}
/**
* Description of the Method
*
* @param label
* Description of the Parameter
* @param type
* Description of the Parameter
* @param name
* Description of the Parameter
* @param value
* Description of the Parameter
* @param alignment
* Description of the Parameter
* @param selected
* Description of the Parameter
* @return Description of the Return Value
*/
public static Element makeInput(String label, String type, String name, boolean value, boolean selected,
String alignment)
{
return makeInput(label, type, name, new Boolean(value).toString(), selected, alignment);
}
/**
* Description of the Method
*
* @param label
* Description of the Parameter
* @param type
* Description of the Parameter
* @param name
* Description of the Parameter
* @param value
* Description of the Parameter
* @return Description of the Return Value
*/
public static Element makeInput(String label, String type, String name, String value)
{
return makeInput(label, type, name, value, new Boolean(value).booleanValue(), "RIGHT");
}
/**
* Description of the Method
*
* @param label
* Description of the Parameter
* @param type
* Description of the Parameter
* @param name
* Description of the Parameter
* @param value
* Description of the Parameter
* @param alignment
* Description of the Parameter
* @param selected
* Description of the Parameter
* @return Description of the Return Value
*/
public static Element makeInput(String label, String type, String name, String value, boolean selected,
String alignment)
{
ElementContainer ec = new ElementContainer();
if (!alignment.equalsIgnoreCase("LEFT"))
{
ec.addElement(new StringElement(label));
}
Input input = new Input(type, name, value);
ec.addElement(input);
if (alignment.equalsIgnoreCase("LEFT"))
{
ec.addElement(new StringElement(label));
}
if (type.equalsIgnoreCase("CHECKBOX"))
{
input.setChecked(selected);
}
return (ec);
}
/**
* Description of the Method
*
* @param text
* Description of the Parameter
* @param name
* Description of the Parameter
* @param value
* Description of the Parameter
* @return Description of the Return Value
*/
public static A makeLink(String text, String name, String value)
{
String href = "attack?" + name;
if (value.length() > 0)
{
href = href + "=" + value;
}
A a = new A(href);
a.addElement(new U().addElement(text));
a.addAttribute("style", "cursor:hand");
return (a);
}
/**
* Description of the Method
*
* @param text
* Description of the Parameter
* @param name
* Description of the Parameter
* @param value
* Description of the Parameter
* @return Description of the Return Value
*/
public static A makeLink(String text, String name, int value)
{
return (makeLink(text, name, Integer.toString(value)));
}
/**
* Description of the Method
*
* @param text
* Description of the Parameter
* @param name
* Description of the Parameter
* @param value
* Description of the Parameter
* @return Description of the Return Value
*/
public static A makeLink(String text, String name, boolean value)
{
return (makeLink(text, name, new Boolean(value).toString()));
}
/**
* Description of the Method
*
* @param text
* Description of the Parameter
* @param clickAction
* Description of the Parameter
* @param type
* Description of the Parameter
* @return Description of the Return Value
*/
public static Input makeOnClickInput(String text, String clickAction, String type)
{
Input b = new Input();
b.setType(type);
b.setValue(text);
b.setOnClick(clickAction);
return (b);
}
/**
* Description of the Method
*
* @param labeltext
* Description of the Parameter
* @param value
* Description of the Parameter
* @param e
* Description of the Parameter
* @return Description of the Return Value
*/
public static TR makeOption(String labeltext, String value, Element e)
{
TD left = new TD().setAlign("left").setWidth("10%");
left.addElement(e);
TD right = new TD().setAlign("right");
Label label = new Label().addElement(labeltext);
right.addElement(label);
TR row = new TR();
row.addElement(right);
row.addElement(left);
return (row);
}
/**
* Description of the Method
*
* @param label
* Description of the Parameter
* @param value
* Description of the Parameter
* @return Description of the Return Value
*/
public static Option makeOption(String label, boolean value)
{
Option option = new Option(label, new Boolean(value).toString());
option.setSelected(value);
return option;
}
/**
* Description of the Method
*
* @param line
* Description of the Parameter
* @return Description of the Return Value
*/
private static org.apache.ecs.html.Option makeOption(String line)
{
StringTokenizer st = new StringTokenizer(line, "|");
org.apache.ecs.html.Option o = new org.apache.ecs.html.Option();
String token = "";
if (st.hasMoreTokens())
{
token = st.nextToken();
}
o.addElement(token);
return (o);
}
/**
* Description of the Method
*
* @param name
* Description of the Parameter
* @param options
* Description of the Parameter
* @return Description of the Return Value
*/
public static Element makePulldown(String name, List<String> options)
{
Select s = new Select(name);
s.addElement(options.toArray(new String[options.size()]));
return (s);
}
/**
* Description of the Method
*
* @param results
* Description of the Parameter
* @return Description of the Return Value
* @param name a {@link java.lang.String} object.
*/
public static Element makePulldown(String name, String results)
{
Select select = new Select(name);
StringTokenizer st = new StringTokenizer(results, "\n");
if (!st.hasMoreTokens()) {
return (new StringElement("")); }
while (st.hasMoreTokens())
{
String line = st.nextToken();
select.addElement(makeOption(line));
}
select.addElement("-------------------------");
return (select);
}
/**
* Description of the Method
*
* @param name
* Description of the Parameter
* @param list
* Description of the Parameter
* @param selected
* Description of the Parameter
* @param rowsShowing
* Description of the Parameter
* @return Description of the Return Value
*/
public static Select makePulldown(String name, Object[] list, String selected, int rowsShowing)
{
Select select = new Select(name);
for (int loop = 0; loop < list.length; loop++)
{
String value = list[loop].toString();
org.apache.ecs.html.Option o = new org.apache.ecs.html.Option(value, value, value);
if (value.equals(selected))
{
o.setSelected(true);
}
select.addElement(o);
}
select.setSize(rowsShowing);
return select;
}
/**
* Default size of 1 for rows showing in select box.
*
* @param diffNames
* Description of the Parameter
* @param select
* Description of the Parameter
* @param selected
* Description of the Parameter
* @param selected
* Description of the Parameter
* @param selected
* Description of the Parameter
* @param selected
* Description of the Parameter
* @param name
* Description of the Parameter
* @param options
* Description of the Parameter
* @param list
* Description of the Parameter
* @param selected
* Description of the Parameter
* @param selected
* Description of the Parameter
* @return Description of the Return Value
*/
public static Element makeSelect(boolean diffNames, Select select, String name, Vector<Option> options,
String[] list, String selected)
{
return makeSelect(diffNames, select, name, options, list, selected, 1);
}
/**
* Description of the Method
*
* @param diffNames
* Description of the Parameter
* @param select
* Description of the Parameter
* @param selected
* Description of the Parameter
* @param selected
* Description of the Parameter
* @param selected
* Description of the Parameter
* @param selected
* Description of the Parameter
* @param name
* Description of the Parameter
* @param options
* Description of the Parameter
* @param list
* Description of the Parameter
* @param selected
* Description of the Parameter
* @param selected
* Description of the Parameter
* @param rowsShowing
* Description of the Parameter
* @return Description of the Return Value
*/
public static Select makeSelect(boolean diffNames, Select select, String name, Vector<Option> options,
String[] list, String selected, int rowsShowing)
{
if (select == null)
{
select = new Select(name);
if (diffNames)
{
for (int loop = 0; loop < list.length; loop += 2)
{
String value = list[loop];
String label = list[loop + 1];
Option o = new Option(value);
if (loop == 0)
{
o.setSelected(true);
}
options.addElement(o);// add to Vector containing all options
select.addElement(o);
select.addElement(label);
}
}
else
{
for (int loop = 0; loop < list.length; loop++)
{
String value = list[loop];
org.apache.ecs.html.Option o = new org.apache.ecs.html.Option(value);
if (loop == 0)
{
o.setSelected(true);
}
options.addElement(o);// add to Vector containing all options
select.addElement(o);
select.addElement(value);
}
}
}
// find selected option and set selected
Iterator i = options.iterator();
while (i.hasNext())
{
org.apache.ecs.html.Option o = (org.apache.ecs.html.Option) i.next();
if (selected.equalsIgnoreCase(o.getAttribute("value")))
{
o.setSelected(true);
}
}
select.setSize(rowsShowing);
return (select);
}
/**
* Description of the Method
*
* @param title
* Description of the Parameter
* @return Description of the Return Value
*/
public static Element makeTallHeader(String title)
{
StringBuffer buff = new StringBuffer();
for (int i = 0; i < title.length(); i++)
{
buff.append(title.charAt(i));
buff.append("<BR>");
}
return new TH(buff.toString());
}
/**
* Description of the Method
*
* @param title
* Description of the Parameter
* @param text
* Description of the Parameter
* @return Description of the Return Value
*/
public static Element makeTextArea(String title, String text)
{
ElementContainer ec = new ElementContainer();
ec.addElement(new BR());
ec.addElement(new H3().addElement(title));
ec.addElement(new P());
ec.addElement("<CENTER><TEXTAREA ROWS=10 COLS=90 READONLY>" + text + "</TEXTAREA></CENTER>");
ec.addElement(new BR());
ec.addElement(new BR());
return (ec);
}
}


@ -1,283 +0,0 @@
package org.owasp.webgoat.session;
import java.io.ByteArrayOutputStream;
import java.io.PrintWriter;
import java.util.StringTokenizer;
import javax.servlet.ServletException;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.HtmlColor;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.Div;
import org.apache.ecs.html.Form;
import org.apache.ecs.html.H2;
import org.apache.ecs.html.Small;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @since November 4, 2003
* @version $Id: $Id
*/
public class ErrorScreen extends Screen
{
/**
* Description of the Field
*/
protected Throwable error;
/**
* Description of the Field
*/
protected String message;
/**
* Constructor for the ErrorScreen object
*
* @param s
* Description of the Parameter
* @param t
* Description of the Parameter
*/
public ErrorScreen(WebSession s, Throwable t)
{
this.error = t;
fixCurrentScreen(s);
setup(s);
}
/**
* Constructor for the ErrorScreen object
*
* @param s
* Description of the Parameter
* @param msg
* Description of the Parameter
*/
public ErrorScreen(WebSession s, String msg)
{
this.message = msg;
fixCurrentScreen(s);
setup(s);
}
/**
* <p>fixCurrentScreen.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
*/
public void fixCurrentScreen(WebSession s)
{
// So the user can't get stuck on the error screen, reset the
// current screen to something known
if (s != null)
{
try
{
s.setCurrentScreen(s.getCourse().getFirstLesson().getScreenId());
} catch (Throwable t)
{
s.setCurrentScreen(WebSession.WELCOME);
}
}
}
/**
* <p>setup.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
*/
public void setup(WebSession s)
{
// call createContent first so messages will go somewhere
Form form = new Form("attack", Form.POST).setName("form").setEncType("");
form.addElement(wrapForm(s));
TD lowerright = new TD().setHeight("100%").setVAlign("top").setAlign("left").addElement(form);
TR row = new TR().addElement(lowerright);
Table layout = new Table().setBgColor(HtmlColor.WHITE).setCellSpacing(0).setCellPadding(0).setBorder(0);
layout.addElement(row);
setContent(layout);
}
/**
* <p>wrapForm.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link org.apache.ecs.Element} object.
*/
protected Element wrapForm(WebSession s)
{
if (s == null) { return new StringElement("Invalid Session"); }
Table container = new Table().setWidth("100%").setCellSpacing(10).setCellPadding(0).setBorder(0);
// CreateContent can generate error messages so you MUST call it before makeMessages()
Element content = createContent(s);
container.addElement(new TR().addElement(new TD().setColSpan(2).setVAlign("TOP").addElement(makeMessages(s))));
container.addElement(new TR().addElement(new TD().setColSpan(2).addElement(content)));
container.addElement(new TR());
return (container);
}
/**
* {@inheritDoc}
*
* Description of the Method
*/
protected Element createContent(WebSession s)
{
System.out.println("errorscreen createContent Error:" + this.error + " message:" + this.message);
Element content;
if (this.error != null)
{
content = createContent(this.error);
}
else if (this.message != null)
{
content = createContent(this.message);
}
else
{
content = new StringElement("An unknown error occurred.");
}
return content;
}
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent(String s)
{
StringElement list = new StringElement(s);
return (list);
}
/**
* Description of the Method
*
* @param t
* Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent(Throwable t)
{
StringElement list = new StringElement();
list.addElement(new H2().addElement(new StringElement("Error Message: " + t.getMessage())));
list.addElement(formatStackTrace(t));
if (t instanceof ServletException)
{
Throwable root = ((ServletException) t).getRootCause();
if (root != null)
{
list.addElement(new H2().addElement(new StringElement("Root Message: " + root.getMessage())));
list.addElement(formatStackTrace(root));
}
}
return (new Small().addElement(list));
}
/**
* Description of the Method
*
* @param t
* Description of the Parameter
* @return Description of the Return Value
*/
public static Element formatStackTrace(Throwable t)
{
String trace = getStackTrace(t);
StringElement list = new StringElement();
StringTokenizer st = new StringTokenizer(trace, "\r\n\t");
while (st.hasMoreTokens())
{
String line = st.nextToken();
list.addElement(new Div(line));
}
return (list);
}
/**
* Gets the stackTrace attribute of the ErrorScreen class
*
* @param t
* Description of the Parameter
* @return The stackTrace value
*/
public static String getStackTrace(Throwable t)
{
ByteArrayOutputStream bytes = new ByteArrayOutputStream();
PrintWriter writer = new PrintWriter(bytes, true);
t.printStackTrace(writer);
return (bytes.toString());
}
/**
* Gets the title attribute of the ErrorScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Error");
}
/**
* <p>getRole.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getRole()
{
return AbstractLesson.USER_ROLE;
}
}


@ -1,83 +0,0 @@
package org.owasp.webgoat.session;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* Represents a virtual session for a lesson. Lesson-specific session data may be stored here.
*
* @author David Anderson <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @since January 19, 2006
* @version $Id: $Id
*/
public class LessonSession
{
private boolean isAuthenticated = false;
private String currentLessonScreen;
/**
* <p>setAuthenticated.</p>
*
* @param isAuthenticated a boolean.
*/
public void setAuthenticated(boolean isAuthenticated)
{
this.isAuthenticated = isAuthenticated;
}
/**
* <p>isAuthenticated.</p>
*
* @return a boolean.
*/
public boolean isAuthenticated()
{
return this.isAuthenticated;
}
/**
* <p>Setter for the field <code>currentLessonScreen</code>.</p>
*
* @param currentLessonScreen a {@link java.lang.String} object.
*/
public void setCurrentLessonScreen(String currentLessonScreen)
{
this.currentLessonScreen = currentLessonScreen;
}
/**
* <p>Getter for the field <code>currentLessonScreen</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getCurrentLessonScreen()
{
return this.currentLessonScreen;
}
}

View File

@ -1,44 +1,47 @@
package org.owasp.webgoat.session;
import lombok.extern.slf4j.Slf4j;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.util.Properties;
/**
* ************************************************************************************************
*
*
* <p>
* <p>
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* <p>
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* <p>
* Getting Source ==============
*
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @since October 29, 2003
* @version $Id: $Id
* @since October 29, 2003
*/
public class LessonTracker
{
@Slf4j
public class LessonTracker {
private boolean completed = false;
@ -60,13 +63,18 @@ public class LessonTracker
Properties lessonProperties = new Properties();
private int totalNumberOfAssignments = 0;
public void setTotalNumberOfAssignments(int totalNumberOfAssignments) {
this.totalNumberOfAssignments = totalNumberOfAssignments;
}
/**
* Gets the completed attribute of the LessonTracker object
*
* @return The completed value
*/
public boolean getCompleted()
{
public boolean getCompleted() {
return completed;
}
@ -75,8 +83,7 @@ public class LessonTracker
*
* @return The maxHintLevel value
*/
public int getMaxHintLevel()
{
public int getMaxHintLevel() {
return maxHintLevel;
}
@ -85,8 +92,7 @@ public class LessonTracker
*
* @return The numVisits value
*/
public int getNumVisits()
{
public int getNumVisits() {
return numVisits;
}
@ -95,8 +101,7 @@ public class LessonTracker
*
* @return The viewedCookies value
*/
public boolean getViewedCookies()
{
public boolean getViewedCookies() {
return viewedCookies;
}
@ -105,8 +110,7 @@ public class LessonTracker
*
* @return The viewedHtml value
*/
public boolean getViewedHtml()
{
public boolean getViewedHtml() {
return viewedHtml;
}
@ -115,8 +119,7 @@ public class LessonTracker
*
* @return The viewedLessonPlan value
*/
public boolean getViewedLessonPlan()
{
public boolean getViewedLessonPlan() {
return viewedLessonPlan;
}
@ -125,8 +128,7 @@ public class LessonTracker
*
* @return The viewedParameters value
*/
public boolean getViewedParameters()
{
public boolean getViewedParameters() {
return viewedParameters;
}
@ -135,8 +137,7 @@ public class LessonTracker
*
* @return The viewedSource value
*/
public boolean getViewedSource()
{
public boolean getViewedSource() {
return viewedSource;
}
@ -145,28 +146,25 @@ public class LessonTracker
*
* @return a boolean.
*/
public boolean getViewedSolution()
{
public boolean getViewedSolution() {
return viewedSource;
}
/**
* Description of the Method
*/
public void incrementNumVisits()
{
public void incrementNumVisits() {
numVisits++;
}
/**
* Sets the properties attribute of the LessonTracker object
*
* @param props
* The new properties value
* @param props The new properties value
* @param screen a {@link org.owasp.webgoat.session.Screen} object.
*/
protected void setProperties(Properties props, Screen screen)
{
protected void setProperties(Properties props, Screen screen) {
completed = Boolean.valueOf(props.getProperty(screen.getTitle() + ".completed")).booleanValue();
maxHintLevel = Integer.parseInt(props.getProperty(screen.getTitle() + ".maxHintLevel", "0"));
numVisits = Integer.parseInt(props.getProperty(screen.getTitle() + ".numVisits", "0"));
@ -175,6 +173,7 @@ public class LessonTracker
viewedLessonPlan = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedLessonPlan", "false")).booleanValue();
viewedParameters = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedParameters", "false")).booleanValue();
viewedSource = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedSource", "false")).booleanValue();
totalNumberOfAssignments = Integer.parseInt(props.getProperty(screen.getTitle() + ".totalNumberOfAssignments", "0"));
}
/**
@ -183,185 +182,95 @@ public class LessonTracker
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link java.lang.String} object.
*/
public static String getUserDir(WebSession s)
{
return s.getContext().getRealPath("users") + "/";
public static String getUserDir(WebSession s) {
return "";
}
private static String getTrackerFile(WebSession s, String user, Screen screen)
{
private static String getTrackerFile(WebSession s, String user, Screen screen) {
return getUserDir(s) + user + "." + screen.getClass().getName() + ".props";
}
/**
* Description of the Method
*
* @param screen
* Description of the Parameter
* @param screen
* Description of the Parameter
* @param screen
* Description of the Parameter
* @param screen
* Description of the Parameter
* @param screen
* Description of the Parameter
* @param screen
* Description of the Parameter
* @param s
* Description of the Parameter
* @return Description of the Return Value
* @param screen Description of the Parameter
* @param screen Description of the Parameter
* @param screen Description of the Parameter
* @param screen Description of the Parameter
* @param screen Description of the Parameter
* @param screen Description of the Parameter
* @param s Description of the Parameter
* @param user a {@link java.lang.String} object.
* @return Description of the Return Value
*/
public static LessonTracker load(WebSession s, String user, Screen screen)
{
public static LessonTracker load(WebSession s, String user, Screen screen) {
FileInputStream in = null;
try
{
try {
String fileName = getTrackerFile(s, user, screen);
if (fileName != null)
{
if (fileName != null) {
Properties tempProps = new Properties();
// System.out.println("Loading lesson state from: " + fileName);
in = new FileInputStream(fileName);
tempProps.load(in);
// allow the screen to use any custom properties it may have set
LessonTracker tempLessonTracker = screen.createLessonTracker(tempProps);
LessonTracker tempLessonTracker = new LessonTracker();
tempLessonTracker.setProperties(tempProps, screen);
return tempLessonTracker;
}
} catch (FileNotFoundException e)
{
} catch (FileNotFoundException e) {
// Normal if the lesson has not been accessed yet.
} catch (Exception e)
{
} catch (Exception e) {
System.out.println("Failed to load lesson state for " + screen);
e.printStackTrace();
} finally
{
try
{
} finally {
try {
in.close();
} catch (Exception e)
{
} catch (Exception e) {
}
}
return screen.createLessonTracker();
return new LessonTracker();
}
/**
* Sets the completed attribute of the LessonTracker object
*
* @param completed
* The new completed value
* @param completed The new completed value
*/
public void setCompleted(boolean completed)
{
public void setCompleted(boolean completed) {
this.completed = completed;
}
/**
* Sets the maxHintLevel attribute of the LessonTracker object
*
* @param maxHintLevel
* The new maxHintLevel value
* @param maxHintLevel The new maxHintLevel value
*/
public void setMaxHintLevel(int maxHintLevel)
{
public void setMaxHintLevel(int maxHintLevel) {
this.maxHintLevel = Math.max(this.maxHintLevel, maxHintLevel);
}
/**
* Sets the viewedCookies attribute of the LessonTracker object
*
* @param viewedCookies
* The new viewedCookies value
*/
public void setViewedCookies(boolean viewedCookies)
{
this.viewedCookies = viewedCookies;
}
/**
* Sets the viewedHtml attribute of the LessonTracker object
*
* @param viewedHtml
* The new viewedHtml value
*/
public void setViewedHtml(boolean viewedHtml)
{
this.viewedHtml = viewedHtml;
}
/**
* Sets the viewedLessonPlan attribute of the LessonTracker object
*
* @param viewedLessonPlan
* The new viewedLessonPlan value
*/
public void setViewedLessonPlan(boolean viewedLessonPlan)
{
this.viewedLessonPlan = viewedLessonPlan;
}
/**
* Sets the viewedParameters attribute of the LessonTracker object
*
* @param viewedParameters
* The new viewedParameters value
*/
public void setViewedParameters(boolean viewedParameters)
{
this.viewedParameters = viewedParameters;
}
/**
* Sets the viewedSource attribute of the LessonTracker object
*
* @param viewedSource
* The new viewedSource value
*/
public void setViewedSource(boolean viewedSource)
{
this.viewedSource = viewedSource;
}
/**
* Sets the viewedSource attribute of the LessonTracker object
*
* @param viewedSolution a boolean.
*/
public void setViewedSolution(boolean viewedSolution)
{
this.viewedSolution = viewedSolution;
}
/**
* Allows the storing of properties for the logged in and a screen.
*
* @param s
* Description of the Parameter
* @param s Description of the Parameter
* @param screen a {@link org.owasp.webgoat.session.Screen} object.
* @param screen a {@link org.owasp.webgoat.session.Screen} object.
*/
public void store(WebSession s, Screen screen)
{
public void store(WebSession s, Screen screen) {
store(s, screen, s.getUserName());
}
/**
* Allows the storing of properties for a user and a screen.
*
* @param s
* Description of the Parameter
* @param s Description of the Parameter
* @param screen a {@link org.owasp.webgoat.session.Screen} object.
* @param screen a {@link org.owasp.webgoat.session.Screen} object.
* @param user a {@link java.lang.String} object.
*/
public void store(WebSession s, Screen screen, String user)
{
FileOutputStream out = null;
public void store(WebSession s, Screen screen, String user) {
String fileName = getTrackerFile(s, user, screen);
// System.out.println( "Storing data to" + fileName );
lessonProperties.setProperty(screen.getTitle() + ".completed", Boolean.toString(completed));
@ -372,43 +281,31 @@ public class LessonTracker
lessonProperties.setProperty(screen.getTitle() + ".viewedLessonPlan", Boolean.toString(viewedLessonPlan));
lessonProperties.setProperty(screen.getTitle() + ".viewedParameters", Boolean.toString(viewedParameters));
lessonProperties.setProperty(screen.getTitle() + ".viewedSource", Boolean.toString(viewedSource));
try
{
out = new FileOutputStream(fileName);
lessonProperties.setProperty(screen.getTitle() + ".totalNumberOfAssignments", Integer.toString(totalNumberOfAssignments));
try (FileOutputStream out = new FileOutputStream(fileName)) {
lessonProperties.store(out, s.getUserName());
} catch (Exception e)
{
// what do we want to do, I think nothing.
System.out.println("Warning User data for " + s.getUserName() + " will not persist");
} finally
{
try
{
out.close();
} catch (Exception e)
{
} catch (IOException e) {
log.warn("Warning User data for {} will not persist", s.getUserName());
}
}
}
/**
* Description of the Method
*
* @return Description of the Return Value
*/
public String toString()
{
public String toString() {
StringBuffer buff = new StringBuffer();
buff.append("LessonTracker:" + "\n");
buff.append(" - completed:.......... " + completed + "\n");
buff.append(" - maxHintLevel:....... " + maxHintLevel + "\n");
buff.append(" - numVisits:.......... " + numVisits + "\n");
buff.append(" - viewedCookies:...... " + viewedCookies + "\n");
buff.append(" - viewedHtml:......... " + viewedHtml + "\n");
buff.append(" - viewedLessonPlan:... " + viewedLessonPlan + "\n");
buff.append(" - viewedParameters:... " + viewedParameters + "\n");
buff.append(" - viewedSource:....... " + viewedSource + "\n" + "\n");
buff.append(" - completed:................. " + completed + "\n");
buff.append(" - maxHintLevel:.............. " + maxHintLevel + "\n");
buff.append(" - numVisits:................. " + numVisits + "\n");
buff.append(" - viewedCookies:............. " + viewedCookies + "\n");
buff.append(" - viewedHtml:................ " + viewedHtml + "\n");
buff.append(" - viewedLessonPlan:.......... " + viewedLessonPlan + "\n");
buff.append(" - viewedParameters:.......... " + viewedParameters + "\n");
buff.append(" - viewedSource:.............. " + viewedSource + "\n" + "\n");
buff.append(" - totalNumberOfAssignments:.. " + viewedSource + "\n" + "\n");
return buff.toString();
}
@ -417,19 +314,16 @@ public class LessonTracker
*
* @return Returns the lessonProperties.
*/
public Properties getLessonProperties()
{
public Properties getLessonProperties() {
return lessonProperties;
}
/**
* <p>Setter for the field <code>lessonProperties</code>.</p>
*
* @param lessonProperties
* The lessonProperties to set.
* @param lessonProperties The lessonProperties to set.
*/
public void setLessonProperties(Properties lessonProperties)
{
public void setLessonProperties(Properties lessonProperties) {
this.lessonProperties = lessonProperties;
}
}


@ -1,111 +0,0 @@
package org.owasp.webgoat.session;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @version $Id: $Id
* @author dm
*/
public class Parameter implements Comparable
{
String name;
String value;
/**
* <p>Constructor for Parameter.</p>
*
* @param name a {@link java.lang.String} object.
* @param value a {@link java.lang.String} object.
*/
public Parameter(String name, String value)
{
this.name = name;
this.value = value;
}
/**
* <p>Getter for the field <code>name</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getName()
{
return name;
}
/**
* <p>Getter for the field <code>value</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getValue()
{
return value;
}
// @Override
/** {@inheritDoc} */
public boolean equals(Object obj)
{
if (obj instanceof Parameter)
{
Parameter other = (Parameter) obj;
return (name.equals(other.getName()) && value.equals(other.getValue()));
}
return false;
}
// @Override
/**
* <p>hashCode.</p>
*
* @return a int.
*/
public int hashCode()
{
return toString().hashCode();
}
// @Override
/**
* <p>toString.</p>
*
* @return a {@link java.lang.String} object.
*/
public String toString()
{
return (name + "=" + value);
}
/** {@inheritDoc} */
public int compareTo(Object o)
{
return toString().compareTo(o.toString());
}
}


@ -1,59 +0,0 @@
package org.owasp.webgoat.session;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @version $Id: $Id
*/
public class ParameterNotFoundException extends Exception
{
/**
*
*/
private static final long serialVersionUID = 3286112913299408382L;
/**
* Constructs a new ParameterNotFoundException with no detail message.
*/
public ParameterNotFoundException()
{
super();
}
/**
* Constructs a new ParameterNotFoundException with the specified detail message.
*
* @param s
* the detail message
*/
public ParameterNotFoundException(String s)
{
super(s);
}
}


@ -1,165 +0,0 @@
package org.owasp.webgoat.session;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
/**
* <p>RandomLessonTracker class.</p>
*
* @version $Id: $Id
* @author dm
*/
public class RandomLessonTracker extends LessonTracker
{
private String[] stages;
private String stage;
private Map<String, Boolean> completed = new HashMap<String, Boolean>();
/**
* <p>Constructor for RandomLessonTracker.</p>
*
* @param stages an array of {@link java.lang.String} objects.
*/
public RandomLessonTracker(String[] stages)
{
if (stages == null) stages = new String[0];
this.stages = stages;
}
/**
* <p>Setter for the field <code>stage</code>.</p>
*
* @param stage a {@link java.lang.String} object.
*/
public void setStage(String stage)
{
this.stage = stage;
}
/**
* <p>Getter for the field <code>stage</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getStage()
{
if (this.stage == null && stages.length > 0) return stages[0];
return this.stage;
}
/**
* <p>setStageComplete.</p>
*
* @param stage a {@link java.lang.String} object.
* @param complete a boolean.
*/
public void setStageComplete(String stage, boolean complete)
{
completed.put(stage, Boolean.valueOf(complete));
if (!complete) return;
int i = getStageNumber(stage);
if (i < stages.length - 1) setStage(stages[i + 1]);
}
/**
* <p>getStageNumber.</p>
*
* @param stage a {@link java.lang.String} object.
* @return a int.
*/
public int getStageNumber(String stage)
{
for (int i = 0; i < stages.length; i++)
if (stages[i].equals(stage)) return i;
return -1;
}
/**
* <p>hasCompleted.</p>
*
* @param stage a {@link java.lang.String} object.
* @return a boolean.
*/
public boolean hasCompleted(String stage)
{
Boolean complete = completed.get(stage);
return complete == null ? false : complete.booleanValue();
}
/** {@inheritDoc} */
@Override
public boolean getCompleted()
{
for (int i = 0; i < stages.length; i++)
if (!hasCompleted(stages[i])) return false;
return true;
}
/** {@inheritDoc} */
@Override
public void setCompleted(boolean complete)
{
if (complete == true) throw new UnsupportedOperationException("Use individual stage completion instead");
for (int i = 0; i < stages.length; i++)
setStageComplete(stages[i], false);
setStage(stages[0]);
}
/** {@inheritDoc} */
protected void setProperties(Properties props, Screen screen)
{
super.setProperties(props, screen);
for (int i = 0; i < stages.length; i++)
{
String p = props.getProperty(screen.getTitle() + "." + stages[i] + ".completed");
if (p != null)
{
setStageComplete(stages[i], Boolean.valueOf(p));
}
}
setStage(props.getProperty(screen.getTitle() + ".stage"));
}
/** {@inheritDoc} */
public void store(WebSession s, Screen screen, String user)
{
for (int i = 0; i < stages.length; i++)
{
if (hasCompleted(stages[i]))
{
lessonProperties.setProperty(screen.getTitle() + "." + stages[i] + ".completed", Boolean.TRUE
.toString());
}
else
{
lessonProperties.remove(screen.getTitle() + "." + stages[i] + ".completed");
}
}
lessonProperties.setProperty(screen.getTitle() + ".stage", getStage());
super.store(s, screen, user);
}
/**
* <p>toString.</p>
*
* @return a {@link java.lang.String} object.
*/
public String toString()
{
StringBuffer buff = new StringBuffer();
buff.append(super.toString());
for (int i = 0; i < stages.length; i++)
{
buff.append(" - completed " + stages[i] + " :....... " + hasCompleted(stages[i]) + "\n");
}
buff.append(" - currentStage:....... " + getStage() + "\n");
return buff.toString();
}
}


@ -1,29 +0,0 @@
package org.owasp.webgoat.session;
/**
* <p>Role class.</p>
*
* @version $Id: $Id
* @author dm
*/
public class Role {
private String rolename;
/**
* <p>Constructor for Role.</p>
*
* @param rolename a {@link java.lang.String} object.
*/
public Role(String rolename) {
this.rolename = rolename;
}
/**
* <p>Getter for the field <code>rolename</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getRolename() {
return this.rolename;
}
}


@ -1,15 +1,5 @@
package org.owasp.webgoat.session;
import java.io.PrintWriter;
import java.util.Properties;
import org.apache.ecs.Element;
import org.apache.ecs.HtmlColor;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.A;
import org.apache.ecs.html.Font;
import org.apache.ecs.html.IMG;
import org.owasp.webgoat.lessons.AbstractLesson;
/**
* *************************************************************************************************
*
@ -45,102 +35,12 @@ import org.owasp.webgoat.lessons.AbstractLesson;
*/
public abstract class Screen {
/**
* Description of the Field
*/
public static int MAIN_SIZE = 375;
// private Head head;
private Element content;
final static IMG logo = new IMG("images/aspectlogo-horizontal-small.jpg").setAlt("Aspect Security").setBorder(0)
.setHspace(0).setVspace(0);
/**
* Constructor for the Screen object
*/
public Screen() {
}
// FIXME: Each lesson should have a role assigned to it. Each user/student
// should also have a role(s) assigned. The user would only be allowed
// to see lessons that correspond to their role. Eventually these roles
// will be stored in the internal database. The user will be able to hack
// into the database and change their role. This will allow the user to
// see the admin screens, once they figure out how to turn the admin switch on.
/**
* <p>getRole.</p>
*
* @return a {@link java.lang.String} object.
*/
public abstract String getRole();
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected abstract Element createContent(WebSession s);
/**
* Creates a new lessonTracker object.
*
* @param props The properties file that was used to persist the user data.
* @return Description of the Return Value
*/
public LessonTracker createLessonTracker(Properties props) {
// If the lesson had any specialized properties in the user persisted properties,
// now would be the time to pull them out.
return createLessonTracker();
}
/**
* This allows the screens to provide a custom LessonTracker object if
* needed.
*
* @return Description of the Return Value
*/
public LessonTracker createLessonTracker() {
return new LessonTracker();
}
/**
* Gets the lessonTracker attribute of the AbstractLesson object
*
* @return The lessonTracker value
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
*/
public LessonTracker getLessonTracker(WebSession s) {
UserTracker userTracker = UserTracker.instance();
return userTracker.getLessonTracker(s, this);
}
/**
* <p>getLessonTracker.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param userNameOverride a {@link java.lang.String} object.
* @return a {@link org.owasp.webgoat.session.LessonTracker} object.
*/
public LessonTracker getLessonTracker(WebSession s, String userNameOverride) {
UserTracker userTracker = UserTracker.instance();
return userTracker.getLessonTracker(s, userNameOverride, this);
}
/**
* <p>getLessonTracker.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param lesson a {@link org.owasp.webgoat.lessons.AbstractLesson} object.
* @return a {@link org.owasp.webgoat.session.LessonTracker} object.
*/
public LessonTracker getLessonTracker(WebSession s, AbstractLesson lesson) {
UserTracker userTracker = UserTracker.instance();
return userTracker.getLessonTracker(s, lesson);
}
/**
* Fill in a descriptive title for this lesson
@ -149,168 +49,5 @@ public abstract class Screen {
*/
public abstract String getTitle();
/**
* <p>Setter for the field <code>content</code>.</p>
*
* @param content a {@link org.apache.ecs.Element} object.
*/
protected void setContent(Element content) {
this.content = content;
}
/**
* Description of the Method
*
* @return Description of the Return Value
*/
protected Element makeLogo() {
return new A("http://www.aspectsecurity.com/webgoat.html", logo);
}
/**
* <p>getSponsor.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getSponsor() {
return "Aspect Security";
}
/**
* <p>getSponsorLogoResource.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getSponsorLogoResource() {
return "images/aspectlogo-horizontal-small.jpg";
}
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected Element makeMessages(WebSession s) {
if (s == null) {
return (new StringElement(""));
}
Font f = new Font().setColor(HtmlColor.RED);
String message = s.getMessage();
f.addElement(message);
return (f);
}
/**
* Returns the content length of the the html.
*
* @return a int.
*/
public int getContentLength() {
return getContent().length();
}
/**
* Description of the Method
*
* @param out Description of the Parameter
*/
public void output(PrintWriter out) {
// format output -- then send to printwriter
// otherwise we're doing way too much SSL encryption work
out.print(getContent());
}
// hook all the links
/**
* <p>Getter for the field <code>content</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getContent() {
//String makeAllAjax = "<script>goat.utils.makeFormsAjax();goat.utils.ajaxifyAttackHref();</script>";
// need to do this here as some of the lessons render forms after submission of an ajax form
return (content == null) ? "" : content.toString();// + makeAllAjax;
}
/**
* Description of the Method
*
* @param x Description of the Parameter
* @return Description of the Return Value
*/
protected static String pad(int x) {
StringBuilder sb = new StringBuilder();
if (x < 10) {
sb.append(" ");
}
if (x < 100) {
sb.append(" ");
}
sb.append(x);
return (sb.toString());
}
/**
* Description of the Method
*
* @param token Description of the Parameter
* @return Description of the Return Value
*/
protected static String convertMetachars(String token) {
int mci = 0;
/*
* meta char array FIXME: Removed the conversion of whitespace " " to "&nbsp" in order for
* the html to be automatically wrapped in client browser. It is better to add line length
* checking and only do "&nbsp" conversion in lines that won't exceed screen size, say less
* than 80 characters.
*/
String[] metaChar = {"&", "<", ">", "\"", "\t", System.getProperty("line.separator")};
String[] htmlCode = {"&amp;", "&lt;", "&gt;", "&quot;", " ", "<br>"};
String replacedString = token;
for (; mci < metaChar.length; mci += 1) {
replacedString = replacedString.replaceAll(metaChar[mci], htmlCode[mci]);
}
return (replacedString);
}
/**
* Description of the Method
*
* @param token Description of the Parameter
* @return Description of the Return Value
*/
protected static String convertMetacharsJavaCode(String token) {
return (convertMetachars(token).replaceAll(" ", "&nbsp;"));
}
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
// protected abstract Element wrapForm( WebSession s );
}
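Review bot: After the third hunk the only member visible on the new side of Screen is `public abstract String getTitle();`, so the class has become a one-method contract that an interface (`public interface Screen { String getTitle(); }`) would express more honestly than an abstract class; if it stays a class, the Javadoc header, which sits between the first and second hunks outside this view, should be trimmed to say that Screen now only supplies a lesson title and no longer renders content. The removed `convertMetachars` and `convertMetacharsJavaCode` were this class's only HTML-escaping helpers (the `String[] metaChar = {"&", "<", ">", "\"", ...}` table), and they were `protected static`, so any lesson subclass still calling them for output encoding will now fail to compile rather than silently stop escaping; worth confirming there are no remaining callers in the lesson modules, or pointing them at a shared escaper, before this lands.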


@ -1,61 +0,0 @@
package org.owasp.webgoat.session;
import java.util.Properties;
/**
* <p>SequentialLessonTracker class.</p>
*
* @version $Id: $Id
* @author dm
*/
public class SequentialLessonTracker extends LessonTracker
{
private int currentStage = 1;
/**
* <p>getStage.</p>
*
* @return a int.
*/
public int getStage()
{
return currentStage;
}
/**
* <p>setStage.</p>
*
* @param stage a int.
*/
public void setStage(int stage)
{
currentStage = stage;
}
/** {@inheritDoc} */
protected void setProperties(Properties props, Screen screen)
{
super.setProperties(props, screen);
currentStage = Integer.parseInt(props.getProperty(screen.getTitle() + ".currentStage"));
}
/** {@inheritDoc} */
public void store(WebSession s, Screen screen, String user)
{
lessonProperties.setProperty(screen.getTitle() + ".currentStage", Integer.toString(currentStage));
super.store(s, screen, user);
}
/**
* <p>toString.</p>
*
* @return a {@link java.lang.String} object.
*/
public String toString()
{
return super.toString() + " - currentStage:....... " + currentStage + "\n";
}
}


@ -1,41 +0,0 @@
package org.owasp.webgoat.session;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @version $Id: $Id
* @author dm
*/
public class UnauthenticatedException extends Exception
{
/**
*
*/
private static final long serialVersionUID = 97865025446819061L;
}


@ -1,41 +0,0 @@
package org.owasp.webgoat.session;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @version $Id: $Id
* @author dm
*/
public class UnauthorizedException extends Exception
{
/**
*
*/
private static final long serialVersionUID = 5245519486798464814L;
}


@ -1,52 +0,0 @@
package org.owasp.webgoat.session;
import java.util.ArrayList;
import java.util.Iterator;
/**
* <p>User class.</p>
*
* @version $Id: $Id
* @author dm
*/
public class User {
private String username;
private ArrayList<Role> roles;
/**
* <p>Constructor for User.</p>
*
* @param username a {@link java.lang.String} object.
*/
public User(String username) {
this.username = username;
this.roles = new ArrayList<Role>();
}
/**
* <p>Getter for the field <code>username</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getUsername() {
return username;
}
/**
* <p>Getter for the field <code>roles</code>.</p>
*
* @return a {@link java.util.Iterator} object.
*/
public Iterator<Role> getRoles() {
return roles.iterator();
}
/**
* <p>addRole.</p>
*
* @param rolename a {@link java.lang.String} object.
*/
public void addRole(String rolename) {
roles.add(new Role(rolename));
}
}


@ -1,9 +1,12 @@
package org.owasp.webgoat.session;
import java.sql.*;
import java.util.ArrayList;
import java.util.Iterator;
import java.io.File;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
class UserDatabase {
private Connection userDB;
@ -20,9 +23,6 @@ class UserDatabase {
private final String QUERY_ALL_ROLES_FOR_USERNAME = "SELECT rolename FROM roles, user_roles, users WHERE roles.id = user_roles.role_id AND user_roles.user_id = users.id AND users.username = ?;";
private final String QUERY_TABLE_COUNT = "SELECT count(id) AS count FROM table;";
private final String DELETE_ALL_ROLES_FOR_USER = "DELETE FROM user_roles WHERE user_id IN (SELECT id FROM users WHERE username = ?);";
private final String DELETE_USER = "DELETE FROM users WHERE username = ?;";
/**
* <p>Constructor for UserDatabase.</p>
*/
@ -101,42 +101,6 @@ class UserDatabase {
return count;
}
/**
* <p>getUsers.</p>
*
* @return a {@link java.util.Iterator} object.
*/
public Iterator<User> getUsers() {
ArrayList<User> users = new ArrayList<User>();
User currentUser;
ResultSet userResults, roleResults;
try {
open();
Statement statement = userDB.createStatement();
PreparedStatement rolesForUsers = userDB.prepareStatement(QUERY_ALL_ROLES_FOR_USERNAME);
userResults = statement.executeQuery(QUERY_ALL_USERS);
while (userResults.next()) {
currentUser = new User(userResults.getString("username"));
rolesForUsers.setString(1, currentUser.getUsername());
roleResults = rolesForUsers.executeQuery();
while (roleResults.next()) {
currentUser.addRole(roleResults.getString("rolename"));
}
roleResults.close();
}
rolesForUsers.close();
userResults.close();
close();
} catch (SQLException e) {
e.printStackTrace();
users = new ArrayList<User>();
}
return users.iterator();
}
/**
* <p>addRoleToUser.</p>
*
@ -160,46 +124,6 @@ class UserDatabase {
return true;
}
/**
* <p>removeUser.</p>
*
* @param user a {@link org.owasp.webgoat.session.User} object.
* @return a boolean.
*/
public boolean removeUser(User user) {
return removeUser(user.getUsername());
}
/**
* <p>removeUser.</p>
*
* @param username a {@link java.lang.String} object.
* @return a boolean.
*/
public boolean removeUser(String username) {
try {
open();
PreparedStatement deleteUserRoles = userDB.prepareStatement(DELETE_ALL_ROLES_FOR_USER);
PreparedStatement deleteUser = userDB.prepareStatement(DELETE_USER);
deleteUserRoles.setString(1, username);
deleteUser.setString(1, username);
deleteUserRoles.execute();
deleteUser.execute();
deleteUserRoles.close();
deleteUser.close();
close();
} catch (SQLException e) {
e.printStackTrace();
return false;
}
return true;
}
/*
* Methods to initialise the default state of the database.
*/
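Review bot: The role handling in this class is only half removed: `QUERY_ALL_ROLES_FOR_USERNAME` (second hunk) and the `addRoleToUser` Javadoc (fourth hunk; the method body runs outside the hunk) survive as context, while `User`, `Role`, `getUsers` and `removeUser`, the only visible readers of that query, are deleted, so the constant now appears to have no consumer. Either drop the query and `addRoleToUser` in the same cleanup, or add a comment on the constant naming what still needs it, e.g. `// still used by addRoleToUser; the User/Role model classes were removed in the 8.0 cleanup`. The new `import java.io.File;` in the first hunk is not referenced in any visible hunk either; if nothing in the rest of the file uses it, it should not be introduced here.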


@ -1,244 +1,100 @@
package org.owasp.webgoat.session;
import java.util.ArrayList;
import java.util.Collection;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Optional;
/**
* ************************************************************************************************
*
*
* <p>
* <p>
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* <p>
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* <p>
* Getting Source ==============
*
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @since October 29, 2003
* @version $Id: $Id
* @since October 29, 2003
*/
public class UserTracker
{
@Component
public class UserTracker {
private static UserTracker instance;
private static Map<String, HashMap<String, LessonTracker>> storage = new HashMap<>();
private final String webgoatHome;
private final WebSession webSession;
// FIXME: persist this somehow!
private static HashMap<String, HashMap<String, LessonTracker>> storage = new HashMap<String, HashMap<String, LessonTracker>>();
private static UserDatabase usersDB = new UserDatabase();
/**
* Constructor for the UserTracker object
*/
private UserTracker()
{
public UserTracker(@Value("${webgoat.user.directory}") final String webgoatHome, final WebSession webSession) {
this.webgoatHome = webgoatHome;
this.webSession = webSession;
}
/**
* Gets the completed attribute of the UserTracker object
* <p>getCurrentLessonTracker.</p>
*
* @param userName
* Description of the Parameter
* @return The completed value
*/
public int getCompleted(String userName)
{
HashMap usermap = getUserMap(userName);
Iterator i = usermap.entrySet().iterator();
int count = 0;
while (i.hasNext())
{
Map.Entry entry = (Map.Entry) i.next();
int value = ((Integer) entry.getValue()).intValue();
if (value > 5)
{
count++;
}
}
return count;
}
/**
* Gets the users attribute of the UserTracker object
*
* @return The users value
*/
public Collection getUsers()
{
return storage.keySet();
}
/**
* <p>getAllUsers.</p>
*
* @param roleName a {@link java.lang.String} object.
* @return a {@link java.util.Collection} object.
*/
public Collection<String> getAllUsers(String roleName)
{
synchronized (usersDB)
{
Collection<String> allUsers = new ArrayList<String>();
try
{
usersDB.open();
Iterator users = usersDB.getUsers();
while (users.hasNext())
{
User user = (User) users.next();
Iterator roles = user.getRoles();
while (roles.hasNext())
{
Role role = (Role) roles.next();
if (role.getRolename().trim().equals(roleName))
{
allUsers.add(user.getUsername());
}
}
}
usersDB.close();
} catch (Exception e)
{
}
return allUsers;
}
}
/**
* <p>deleteUser.</p>
*
* @param user a {@link java.lang.String} object.
*/
public void deleteUser(String user)
{
synchronized (usersDB)
{
try
{
usersDB.open();
Iterator users = usersDB.getUsers();
while (users.hasNext())
{
User tomcatUser = (User) users.next();
if (tomcatUser.getUsername().equals(user))
{
usersDB.removeUser(tomcatUser);
// FIXME: delete all the lesson tracking property files
break;
}
}
usersDB.close();
} catch (Exception e)
{
}
}
}
/**
* Gets the lessonTracker attribute of the UserTracker object
*
* @param screen
* Description of the Parameter
* @return The lessonTracker value
* @param screen
* Description of the Parameter
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
*/
public LessonTracker getLessonTracker(WebSession s, Screen screen)
{
return getLessonTracker(s, s.getUserName(), screen);
}
/**
* <p>getLessonTracker.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param screen a {@link org.owasp.webgoat.session.Screen} object.
* @param user a {@link java.lang.String} object.
* @param screen a {@link org.owasp.webgoat.session.Screen} object.
* @return a {@link org.owasp.webgoat.session.LessonTracker} object.
*/
public LessonTracker getLessonTracker(WebSession s, String user, Screen screen)
{
HashMap<String, LessonTracker> usermap = getUserMap(user);
LessonTracker tracker = (LessonTracker) usermap.get(screen.getTitle());
if (tracker == null)
{
public LessonTracker getCurrentLessonTracker() {
String lessonTitle = webSession.getCurrentLesson().getTitle();
String username = webSession.getUserName();
HashMap<String, LessonTracker> usermap = getUserMap(username);
LessonTracker tracker = usermap.get(lessonTitle);
if (tracker == null) {
// Creates a new lesson tracker, if one does not exist on disk.
tracker = LessonTracker.load(s, user, screen);
usermap.put(screen.getTitle(), tracker);
tracker = LessonTracker.load(webSession, username, webSession.getCurrentLesson());
usermap.put(lessonTitle, tracker);
}
// System.out.println( "User: [" + userName + "] UserTracker:getLessonTracker() LTH " +
// tracker.hashCode() + " for " + screen );
return tracker;
}
/**
* Gets the status attribute of the UserTracker object
* Returns the lesson tracker for a specific lesson if available.
*
* @param screen
* Description of the Parameter
* @return The status value
* @param screen
* Description of the Parameter
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param lesson the lesson
* @return the optional lesson tracker
*/
public String getStatus(WebSession s, Screen screen)
{
return ("User [" + s.getUserName() + "] has accessed " + screen + " UserTracker:getStatus()LTH = " + getLessonTracker(
s,
screen)
.hashCode());
public Optional<LessonTracker> getLessonTracker(AbstractLesson lesson) {
String username = webSession.getUserName();
return Optional.ofNullable(getUserMap(username).getOrDefault(lesson.getTitle(), null));
}
/**
* Gets the userMap attribute of the UserTracker object
*
* @param userName
* Description of the Parameter
* @param userName Description of the Parameter
* @return The userMap value
*/
private HashMap<String, LessonTracker> getUserMap(String userName)
{
private HashMap<String, LessonTracker> getUserMap(String userName) {
HashMap<String, LessonTracker> usermap = storage.get(userName);
if (usermap == null)
{
if (usermap == null) {
usermap = new HashMap<String, LessonTracker>();
usermap = new HashMap<>();
storage.put(userName, usermap);
@ -247,54 +103,4 @@ public class UserTracker
return (usermap);
}
/**
* Description of the Method
*
* @return Description of the Return Value
*/
public static synchronized UserTracker instance()
{
if (instance == null)
{
instance = new UserTracker();
}
return instance;
}
/**
* Description of the Method
*
* @param screen
* Description of the Parameter
* @param screen
* Description of the Parameter
* @param screen
* Description of the Parameter
* @param screen
* Description of the Parameter
* @param screen
* Description of the Parameter
* @param screen
* Description of the Parameter
* @param s
* Description of the Parameter
*/
public void update(WebSession s, Screen screen)
{
LessonTracker tracker = getLessonTracker(s, screen);
// System.out.println( "User [" + s.getUserName() + "] TRACKER: updating " + screen +
// " LTH " + tracker.hashCode() );
tracker.store(s, screen);
HashMap<String, LessonTracker> usermap = getUserMap(s.getUserName());
usermap.put(screen.getTitle(), tracker);
}
}


@ -1,58 +0,0 @@
package org.owasp.webgoat.session;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @version $Id: $Id
* @author dm
*/
public class ValidationException extends Exception
{
/**
*
*/
private static final long serialVersionUID = -8358754606830400708L;
/**
* <p>Constructor for ValidationException.</p>
*/
public ValidationException()
{
super();
}
/**
* <p>Constructor for ValidationException.</p>
*
* @param message a {@link java.lang.String} object.
*/
public ValidationException(String message)
{
super(message);
}
}


@ -1,113 +0,0 @@
package org.owasp.webgoat.session;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.core.env.Environment;
import org.springframework.stereotype.Component;
/**
* *************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
*
* @version $Id: $Id
* @author dm
*/
@Component
public class WebgoatProperties {
@Autowired
private Environment env;
/**
*
*/
private static final long serialVersionUID = 4351681705558227918L;
final Logger logger = LoggerFactory.getLogger(WebgoatProperties.class);
/**
* <p>getIntProperty.</p>
*
* @param key a {@link java.lang.String} object.
* @param defaultValue a int.
* @return a int.
*/
public int getIntProperty(String key, int defaultValue) {
int value = defaultValue;
String s = env.getProperty(key);
if (s != null) {
value = Integer.parseInt(s);
}
return value;
}
/**
* <p>getBooleanProperty.</p>
*
* @param key a {@link java.lang.String} object.
* @param defaultValue a boolean.
* @return a boolean.
*/
public boolean getBooleanProperty(String key, boolean defaultValue) {
boolean value = defaultValue;
key = this.trimLesson(key);
String s = env.getProperty(key);
if (s != null) {
if (s.equalsIgnoreCase("true")) {
value = true;
} else if (s.equalsIgnoreCase("yes")) {
value = true;
} else if (s.equalsIgnoreCase("on")) {
value = true;
} else if (s.equalsIgnoreCase("false")) {
value = false;
} else if (s.equalsIgnoreCase("no")) {
value = false;
} else if (s.equalsIgnoreCase("off")) {
value = false;
}
}
return value;
}
private String trimLesson(String lesson) {
String result = "";
if (lesson.startsWith("org.owasp.webgoat.lessons.")) {
result = lesson.substring("org.owasp.webgoat.lessons.".length(), lesson.length());
} else {
result = lesson;
}
return result;
}
}


@ -1,67 +0,0 @@
package org.owasp.webgoat.util;
import org.springframework.beans.BeansException;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.stereotype.Component;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for
* free software projects.
*
* @version $Id: $Id
* @author dm
*/
@Component
public class BeanProvider implements ApplicationContextAware
{
private static ApplicationContext ctx;
/** {@inheritDoc} */
@Override
public void setApplicationContext(ApplicationContext applicationContext) throws BeansException
{
ctx = applicationContext;
}
/**
* Get access to managed beans from id.
*
* @param beanName
* the id of the searched bean
* @param beanClass
* the type of tye searched bean
* @param <T> a T object.
* @return a T object.
*/
@SuppressWarnings("unchecked")
public static <T> T getBean(final String beanName, final Class<T> beanClass)
{
return (T) ctx.getBean(beanName);
}
}


@ -1,228 +0,0 @@
package org.owasp.webgoat.util;
import java.util.HashMap;
import java.util.Map;
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @version $Id: $Id
* @author dm
*/
public class HtmlEncoder
{
static Map<String, Integer> e2i = new HashMap<String, Integer>();
static Map<Integer, String> i2e = new HashMap<Integer, String>();
// html entity list
private static Object[][] entities = { { "quot", new Integer(34) }, // " - double-quote
{ "amp", new Integer(38) }, // - ampersand
{ "lt", new Integer(60) }, // - less-than
{ "gt", new Integer(62) }, // - greater-than
{ "nbsp", new Integer(160) }, // non-breaking space
{ "copy", new Integer(169) }, // - copyright
{ "reg", new Integer(174) }, // - registered trademark
{ "Agrave", new Integer(192) }, // - uppercase A, grave accent
{ "Aacute", new Integer(193) }, // - uppercase A, acute accent
{ "Acirc", new Integer(194) }, // - uppercase A, circumflex accent
{ "Atilde", new Integer(195) }, // - uppercase A, tilde
{ "Auml", new Integer(196) }, // - uppercase A, umlaut
{ "Aring", new Integer(197) }, // - uppercase A, ring
{ "AElig", new Integer(198) }, // - uppercase AE
{ "Ccedil", new Integer(199) }, // - uppercase C, cedilla
{ "Egrave", new Integer(200) }, // - uppercase E, grave accent
{ "Eacute", new Integer(201) }, // - uppercase E, acute accent
{ "Ecirc", new Integer(202) }, // - uppercase E, circumflex accent
{ "Euml", new Integer(203) }, // - uppercase E, umlaut
{ "Igrave", new Integer(204) }, // - uppercase I, grave accent
{ "Iacute", new Integer(205) }, // - uppercase I, acute accent
{ "Icirc", new Integer(206) }, // - uppercase I, circumflex accent
{ "Iuml", new Integer(207) }, // - uppercase I, umlaut
{ "ETH", new Integer(208) }, // - uppercase Eth, Icelandic
{ "Ntilde", new Integer(209) }, // - uppercase N, tilde
{ "Ograve", new Integer(210) }, // - uppercase O, grave accent
{ "Oacute", new Integer(211) }, // - uppercase O, acute accent
{ "Ocirc", new Integer(212) }, // - uppercase O, circumflex accent
{ "Otilde", new Integer(213) }, // - uppercase O, tilde
{ "Ouml", new Integer(214) }, // - uppercase O, umlaut
{ "Oslash", new Integer(216) }, // - uppercase O, slash
{ "Ugrave", new Integer(217) }, // - uppercase U, grave accent
{ "Uacute", new Integer(218) }, // - uppercase U, acute accent
{ "Ucirc", new Integer(219) }, // - uppercase U, circumflex accent
{ "Uuml", new Integer(220) }, // - uppercase U, umlaut
{ "Yacute", new Integer(221) }, // - uppercase Y, acute accent
{ "THORN", new Integer(222) }, // - uppercase THORN, Icelandic
{ "szlig", new Integer(223) }, // - lowercase sharps, German
{ "agrave", new Integer(224) }, // - lowercase a, grave accent
{ "aacute", new Integer(225) }, // - lowercase a, acute accent
{ "acirc", new Integer(226) }, // - lowercase a, circumflex accent
{ "atilde", new Integer(227) }, // - lowercase a, tilde
{ "auml", new Integer(228) }, // - lowercase a, umlaut
{ "aring", new Integer(229) }, // - lowercase a, ring
{ "aelig", new Integer(230) }, // - lowercase ae
{ "ccedil", new Integer(231) }, // - lowercase c, cedilla
{ "egrave", new Integer(232) }, // - lowercase e, grave accent
{ "eacute", new Integer(233) }, // - lowercase e, acute accent
{ "ecirc", new Integer(234) }, // - lowercase e, circumflex accent
{ "euml", new Integer(235) }, // - lowercase e, umlaut
{ "igrave", new Integer(236) }, // - lowercase i, grave accent
{ "iacute", new Integer(237) }, // - lowercase i, acute accent
{ "icirc", new Integer(238) }, // - lowercase i, circumflex accent
{ "iuml", new Integer(239) }, // - lowercase i, umlaut
{ "igrave", new Integer(236) }, // - lowercase i, grave accent
{ "iacute", new Integer(237) }, // - lowercase i, acute accent
{ "icirc", new Integer(238) }, // - lowercase i, circumflex accent
{ "iuml", new Integer(239) }, // - lowercase i, umlaut
{ "eth", new Integer(240) }, // - lowercase eth, Icelandic
{ "ntilde", new Integer(241) }, // - lowercase n, tilde
{ "ograve", new Integer(242) }, // - lowercase o, grave accent
{ "oacute", new Integer(243) }, // - lowercase o, acute accent
{ "ocirc", new Integer(244) }, // - lowercase o, circumflex accent
{ "otilde", new Integer(245) }, // - lowercase o, tilde
{ "ouml", new Integer(246) }, // - lowercase o, umlaut
{ "oslash", new Integer(248) }, // - lowercase o, slash
{ "ugrave", new Integer(249) }, // - lowercase u, grave accent
{ "uacute", new Integer(250) }, // - lowercase u, acute accent
{ "ucirc", new Integer(251) }, // - lowercase u, circumflex accent
{ "uuml", new Integer(252) }, // - lowercase u, umlaut
{ "yacute", new Integer(253) }, // - lowercase y, acute accent
{ "thorn", new Integer(254) }, // - lowercase thorn, Icelandic
{ "yuml", new Integer(255) }, // - lowercase y, umlaut
{ "euro", new Integer(8364) },// Euro symbol
};
/**
* Initialises the mappings between entities and characters
*/
static {
for (int i = 0; i < entities.length; i++)
e2i.put((String) entities[i][0], (Integer) entities[i][1]);
for (int i = 0; i < entities.length; i++)
i2e.put((Integer) entities[i][1], (String) entities[i][0]);
}
/**
* Turns funky characters into HTML entity equivalents
*
* e.g. {@code "bread" & "butter"} = {@code &amp;quot;bread&amp;quot; &amp;amp;
* &amp;quot;butter&amp;quot;}. Update: supports nearly all HTML entities, including funky
* accents. See the source code for more detail. Adapted from
* http://www.purpletech.com/code/src/com/purpletech/util/Utils.java.
*
* @param s1
* Description of the Parameter
* @return Description of the Return Value
*/
public static String encode(String s1)
{
StringBuffer buf = new StringBuffer();
int i;
for (i = 0; i < s1.length(); ++i)
{
char ch = s1.charAt(i);
String entity = i2e.get(new Integer((int) ch));
if (entity == null)
{
if (((int) ch) > 128)
{
buf.append("&#" + ((int) ch) + ";");
}
else
{
buf.append(ch);
}
}
else
{
buf.append("&" + entity + ";");
}
}
return buf.toString();
}
/**
* Given a string containing entity escapes, returns a string containing the actual Unicode
* characters corresponding to the escapes. Adapted from
* http://www.purpletech.com/code/src/com/purpletech/util/Utils.java.
*
* @param s1
* Description of the Parameter
* @return Description of the Return Value
*/
public static String decode(String s1)
{
StringBuffer buf = new StringBuffer();
int i;
for (i = 0; i < s1.length(); ++i)
{
char ch = s1.charAt(i);
if (ch == '&')
{
int semi = s1.indexOf(';', i + 1);
if (semi == -1)
{
buf.append(ch);
continue;
}
String entity = s1.substring(i + 1, semi);
Integer iso;
if (entity.charAt(0) == '#')
{
iso = new Integer(entity.substring(1));
}
else
{
iso = e2i.get(entity);
}
if (iso == null)
{
buf.append("&" + entity + ";");
}
else
{
buf.append((char) (iso.intValue()));
}
i = semi;
}
else
{
buf.append(ch);
}
}
return buf.toString();
}
}


@ -1,95 +0,0 @@
package org.owasp.webgoat.util;
import org.owasp.webgoat.session.WebgoatContext;
import java.util.HashMap;
import java.util.Locale;
import java.util.ResourceBundle;
@Deprecated
/**
* <p>WebGoatI18N class.</p>
*
* @version $Id: $Id
* @author dm
*/
public class WebGoatI18N
{
private static HashMap<Locale, ResourceBundle> labels = new HashMap<Locale, ResourceBundle>();
private static Locale currentLocale;
private static WebGoatResourceBundleController localeController;
/**
* <p>Constructor for WebGoatI18N.</p>
*
* @param context a {@link org.owasp.webgoat.session.WebgoatContext} object.
*/
public WebGoatI18N(WebgoatContext context)
{
currentLocale = new Locale(context.getDefaultLanguage());
localeController = new WebGoatResourceBundleController(currentLocale);
}
/**
* <p>loadLanguage.</p>
*
* @param language a {@link java.lang.String} object.
*/
@Deprecated
public static void loadLanguage(String language)
{
// Do nothing
}
/**
* <p>Setter for the field <code>currentLocale</code>.</p>
*
* @param locale a {@link java.util.Locale} object.
*/
public static void setCurrentLocale(Locale locale)
{
if (!currentLocale.equals(locale))
{
if (!labels.containsKey(locale))
{
ResourceBundle resBundle = ResourceBundle.getBundle("WebGoatLabels", locale, localeController);
labels.put(locale, resBundle);
}
WebGoatI18N.currentLocale = locale;
}
}
/**
* <p>get.</p>
*
* @param strName a {@link java.lang.String} object.
* @return a {@link java.lang.String} object.
*/
public static String get(String strName)
{
return labels.get(WebGoatI18N.currentLocale).getString(strName);
}
private static class WebGoatResourceBundleController extends ResourceBundle.Control
{
private Locale fallbackLocale;
public WebGoatResourceBundleController(Locale l)
{
fallbackLocale = l;
}
@Override
public Locale getFallbackLocale(String baseName, Locale locale)
{
if(! fallbackLocale.equals(locale)) {
return fallbackLocale;
}
return Locale.ROOT;
}
}
}


@ -1 +0,0 @@
Manifest-Version: 1.0


@ -1,4 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<Context antiJARLocking="true" path="/WebGoat">
</Context>


@ -1,2 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<Context antiJARLocking="true" path="/WebGoat"/>


@ -1,68 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:aop="http://www.springframework.org/schema/aop"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.2.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop-3.2.xsd">
<context:component-scan base-package="org.owasp.webgoat" />
<!--
put custom validators here. E.g.:
<bean class="org.owasp.webgoat.validators.MyCustomValidator" />
-->
<!-- Activates various annotations to be detected in bean classes -->
<context:annotation-config />
<!-- Configures the annotation-driven Spring MVC Controller programming model. -->
<mvc:annotation-driven />
<!-- Import Tiles-related configuration -->
<!--import resource="tiles-context.xml" /-->
<!-- Declare a view resolver -->
<!-- Take note of the order. Since we're using TilesViewResolver as well
We need to define which ViewResolver is called first.
We chose this InternalResourceViewResolver to be at the bottom order -->
<bean
id="viewResolver"
class="org.springframework.web.servlet.view.InternalResourceViewResolver"
p:prefix="/WEB-INF/pages/"
p:suffix=".jsp"
p:order="1"/>
<bean id="labelDebugger" class="org.owasp.webgoat.session.LabelDebugger" scope="session">
<aop:scoped-proxy/>
</bean>
<mvc:interceptors>
<bean id="webContentInterceptor" class="org.springframework.web.servlet.mvc.WebContentInterceptor">
<property name="cacheSeconds" value="0" />
<property name="useExpiresHeader" value="true" />
<property name="useCacheControlHeader" value="true" />
<property name="useCacheControlNoStore" value="true" />
</bean>
</mvc:interceptors>
<!-- Register the Customer.properties
<bean id="messageSource"
class="org.springframework.context.support.ResourceBundleMessageSource">
<property name="basename" value="org/owasp/webgoat/properties/Customer" />
</bean>
-->
</beans>


@ -1,113 +0,0 @@
<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
errorPage=""%>
<!-- This modal content is included into the main_new.jsp -->
<div class="modal-content">
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>
<h3 class="modal-title" id="myModalLabel">About WebGoat - Provided by the OWASP Foundation</h3>
</div>
<div class="modal-body modal-scroll">
<p>Thanks for hacking The Goat!</p>
<p>WebGoat is a demonstration of common web application flaws. The
associated exercises are intended to provide hands-on experience with
techniques aimed at demonstrating and testing application penetration.
</p>
<p>From the entire WebGoat team, we appreciate your interest and efforts
in making applications not just better, but safer and more secure for
everyone. We, as well as our sacrificial goat, thank you.</p>
<p>
Version: ${version},&nbsp;Build: ${build}
</p>
<div class="row">
<div class="col-md-6">
<p>Contact us:
<ul>
<li>WebGoat mailing list: ${emailList}</li>
<li>Bruce Mayhew: ${contactEmail}</li>
</ul>
</p>
</div>
</div>
<div class="row">
<div class="col-md-6">
<p>WebGoat Authors
<ul>
<li>Bruce Mayhew (Author and Project Lead)</li>
<li>Jeff Williams (Author and Original Idea)</li>
<li>Nanne Baars (Plugin Architecture)</li>
<li>Richard Lawson (Architect)</li>
</ul>
</p>
</div>
<div class="col-md-6">
<p>Active Contributors
<ul>
<li>Nanne Baars (Developer)</li>
<li>Jason White (Developer)</li>
<li>Doug Morato (Developer and CI)</li>
<li>Jeff Wayman (Docs)</li>
<li>Bruce Mayhew (Developer)</li>
<li>Michael Dever (Developer)</li>
</ul>
</p>
</div>
</div>
<div class="row">
<div class="col-md-6">
<p>WebGoat Design Team (Active)
<ul>
<li>Nanne Baars (Plugin Architecture)</li>
<li>Bruce Mayhew (Goat Herder)</li>
<li>Jeff Wayman (Website and Docs)</li>
<li>Jason White (User Interface)</li>
</ul>
</p><br/>
<p>Corporate Sponsorship - Companies that have donated significant time to WebGoat development
<ul>
<li>Aspect Security</li>
<li>Ounce Labs</li>
</ul>
</p><br/>
<p>Did we miss you? Our sincere apologies, as we know there have
been many contributors over the years. If your name does not
appear in any of the lists above, please send us a note. We'll
get you added with no further sacrifices required.</p>
</div>
<div class="col-md-6">
<p>Past Contributors
<ul>
<li>Dave Cowden (Everything)</li>
<li>Richard Lawson (Service Layer)</li>
<li>Keith Gasser (Survey/Security)</li>
<li>Devin Mayhew (Setup/Admin)</li>
<li>Li Simon (Developer)</li>
<li>Ali Looney (UI Design)</li>
<li>David Anderson (Developer/Design)</li>
<li>Christopher Blum (Lessons)</li>
<li>Laurence Casey (Graphics)</li>
<li>Brian Ciomei (Bug fixes)</li>
<li>Rogan Dawes (Lessons)</li>
<li>Erwin Geirnaert (Solutions)</li>
<li>Aung Knant (Documentation)</li>
<li>Ryan Knell (Lessons)</li>
<li>Christine Koppeit (Build)</li>
<li>Sherif Kousa (Lessons/Documentation)</li>
<li>Reto Lippuner (Lessons)</li>
<li>PartNet (Lessons)</li>
<li>Yiannis Pavlosoglou (Lessons)</li>
<li>Eric Sheridan (Lessons)</li>
<li>Alex Smolen (Lessons)</li>
<li>Chuck Willis (Lessons)</li>
<li>Marcel Wirth (Lessons)</li>
</ul>
</p>
</div>
</div>
</div>
<div class="modal-footer">
<button type="button" class="btn btn-default" data-dismiss="modal">Close</button>
</div>
</div>


@ -1,82 +0,0 @@
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<head>
<title>Login Page</title>
<!--[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7"> <![endif]-->
<!--[if IE 7]> <html class="no-js lt-ie9 lt-ie8"> <![endif]-->
<!--[if IE 8]> <html class="no-js lt-ie9"> <![endif]-->
<!--[if gt IE 8]><!-->
<!-- CSS -->
<link rel="shortcut icon" href="/images/favicon.ico" type="image/x-icon"/>
<!-- Bootstrap core CSS -->
<link rel="stylesheet" href="/plugins/bootstrap/css/bootstrap.min.css"/>
<!-- Fonts from Font Awsome -->
<link rel="stylesheet" href="/css/font-awesome.min.css"/>
<!-- CSS Animate -->
<link rel="stylesheet" href="/css/animate.css"/>
<!-- Custom styles for this theme -->
<link rel="stylesheet" href="/css/main.css"/>
<!-- end of CSS -->
</head>
<body onload='document.loginForm.username.focus();'>
<section id="container" ng-controller="goatLesson">
<header id="header">
<!--logo start-->
<div class="brand">
<a href="${pageContext.request.contextPath}/start.mvc" class="logo"><span>Web</span>Goat</a>
</div>
<!--logo end-->
<div class="toggle-navigation toggle-left">
</div><!--toggle navigation end-->
<div class="lessonTitle" >
</div><!--lesson title end-->
</header>
<section class="main-content-wrapper">
<section id="main-content" >
<c:if test="${not empty error}">
<div class="error">${error}</div>
</c:if>
<c:if test="${not empty msg}">
<div class="msg">${msg}</div>
</c:if>
<br/><br/>
<form role="form" name='loginForm' action="<c:url value='j_spring_security_check' />" method='POST' style="width: 400px;">
<div class="form-group">
<label for="exampleInputEmail1">Username</label>
<input type="text" class="form-control" id="exampleInputEmail1" placeholder="Username" name='username'>
</div>
<div class="form-group">
<label for="exampleInputPassword1">Password</label>
<input type="password" class="form-control" id="exampleInputPassword1" placeholder="Password" name='password'>
</div>
<input type="hidden" name="${_csrf.parameterName}"
value="${_csrf.token}" />
<button class="btn btn-large btn-primary" type="submit">Sign in</button>
</form>
<br/><br/>
<h4>The following accounts are built into Webgoat</h4>
<table class="table table-bordered" style="width:400px;">
<thead>
<tr class="warning"><th>Account</th><th>User</th><th>Password</th></tr>
</thead>
<tbody>
<tr><td>Webgoat User</td><td>guest</td><td>guest</td></tr>
<tr><td>Webgoat Admin</td><td>webgoat</td><td>webgoat</td></tr>
</tbody>
</table>
<br/><br/>
</section>
</section>
</section>
</body>
</html>


@ -1,68 +0,0 @@
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<head>
<title>Logout Page</title>
<!--[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7"> <![endif]-->
<!--[if IE 7]> <html class="no-js lt-ie9 lt-ie8"> <![endif]-->
<!--[if IE 8]> <html class="no-js lt-ie9"> <![endif]-->
<!--[if gt IE 8]><!-->
<!-- CSS -->
<link rel="shortcut icon" href="images/favicon.ico" type="image/x-icon"/>
<!-- Bootstrap core CSS -->
<link rel="stylesheet" href="plugins/bootstrap/css/bootstrap.min.css"/>
<!-- Fonts from Font Awsome -->
<link rel="stylesheet" href="css/font-awesome.min.css"/>
<!-- CSS Animate -->
<link rel="stylesheet" href="css/animate.css"/>
<!-- Custom styles for this theme -->
<link rel="stylesheet" href="css/main.css"/>
<!-- end of CSS -->
</style>
</head>
<body onload='document.loginForm.username.focus();'>
<section id="container" ng-controller="goatLesson">
<header id="header">
<!--logo start-->
<div class="brand">
<a href="${pageContext.request.contextPath}/start.mvc" class="logo"><span>Web</span>Goat</a>
</div>
<!--logo end-->
<div class="toggle-navigation toggle-left">
</div><!--toggle navigation end-->
<div class="lessonTitle" >
<h1 id="lessonTitle">Logout</h1>
</div><!--lesson title end-->
</header>
<section class="main-content-wrapper">
<section id="main-content" >
<c:if test="${not empty error}">
<div class="error">${error}</div>
</c:if>
<c:if test="${not empty msg}">
<div class="msg">${msg}</div>
</c:if>
<br/><br/>
<div class="alert alert-success" role="alert" style="width: 400px;">
You have logged out successfully
</div>
<hr/>
<h4>Click here if you would like to log back in: <a href="<c:url value="login.mvc" />" > Login</a></h4>
</section>
</section>
</section>
</body>
</html>


@ -1,207 +0,0 @@
<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
errorPage=""%>
<%@page import="org.owasp.webgoat.session.WebSession"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%
WebSession webSession = ((WebSession) session.getAttribute(WebSession.SESSION));
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Expires" CONTENT="0">
<meta http-equiv="Pragma" CONTENT="no-cache">
<meta http-equiv="Cache-Control" CONTENT="no-cache">
<meta http-equiv="Cache-Control" CONTENT="no-store">
<!--[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7"> <![endif]-->
<!--[if IE 7]> <html class="no-js lt-ie9 lt-ie8"> <![endif]-->
<!--[if IE 8]> <html class="no-js lt-ie9"> <![endif]-->
<!--[if gt IE 8]><!-->
<!-- CSS -->
<link rel="shortcut icon" href="images/favicon.ico" type="image/x-icon"/>
<!-- Bootstrap core CSS -->
<link rel="stylesheet" href="plugins/bootstrap/css/bootstrap.min.css"/>
<!-- Fonts from Font Awsome -->
<link rel="stylesheet" href="css/font-awesome.min.css"/>
<!-- CSS Animate -->
<link rel="stylesheet" href="css/animate.css"/>
<!-- Custom styles for this theme -->
<link rel="stylesheet" href="css/main.css"/>
<!-- end of CSS -->
<!-- JS -->
<script src="js/modernizr-2.6.2.min.js"></script>
<!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!--[if lt IE 9]>
<script src="js/html5shiv.js"></script>
<script src="js/respond.min.js"></script>
<![endif]-->
<!-- Require.js used to load js asynchronously -->
<script src="js/libs/require.min.js" data-main="js/main.js"></script>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>WebGoat</title>
</head>
<body>
<section id="container">
<header id="header">
<!--logo start-->
<div class="brand">
<a href="${pageContext.request.contextPath}/welcome.mvc" class="logo"><span>Web</span>Goat</a>
</div>
<!--logo end-->
<div class="toggle-navigation toggle-left">
<button type="button" class="btn btn-default" id="toggle-menu" data-toggle="tooltip" data-placement="right" title="Toggle Navigation">
<i class="fa fa-bars"></i>
</button>
</div><!--toggle navigation end-->
<div id="lesson-title-wrapper" >
</div><!--lesson title end-->
<div class="user-nav pull-right" id="user-and-info-nav" style="margin-right: 75px;">
<div class="dropdown" style="display:inline">
<button type="button" data-toggle="dropdown" class="btn btn-default dropdown-toggle" id="user-menu" >
<i class="fa fa-user"></i> <span class="caret"></span>
</button>
<ul class="dropdown-menu dropdown-menu-left">
<li role="presentation"><a role="menuitem" tabindex="-1" href="<c:url value="j_spring_security_logout" />">Logout</a></li>
<li role="presentation" class="divider"></li>
<li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">User: ${user}</a></li>
<li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">Role: ${role}</a></li>
<li role="presentation" class="divider"></li>
<li role="presentation"><a role="menuitem" tabindex="-1" href="#developer-controls">Show developer controls</a></li>
<li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">${version}</a></li>
<li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">Build: ${build}</a></li>
</ul>
</div>
<button type="button" id="about-button" class="btn btn-default right_nav_button" title="About WebGoat" data-toggle="modal" data-target="#about-modal">
<i class="fa fa-info"></i>
</button>
<a href="mailto:${contactEmail}?Subject=Webgoat%20feedback" target="_top">
<button type="button" class="btn btn-default right_nav_button"data-toggle="tooltip" title="Contact Us">
<i class="fa fa-envelope"></i>
</button>
</a>
</div>
</header>
<aside class="sidebar" >
<div id="menu-container"></div>
</aside>
<!--sidebar left end-->
<!--main content start-->
<section class="main-content-wrapper">
<section id="main-content" > <!--ng-controller="goatLesson"-->
<div class="row">
<div class="col-md-8">
<div class="col-md-12" align="left">
<div class="panel" id="help-controls">
<button class="btn btn-primary btn-xs help-button" id="show-source-button">Show Source</button>
<button class="btn btn-primary btn-xs help-button" id="show-solution-button">Show Solution</button>
<button class="btn btn-primary btn-xs help-button" id="show-plan-button">Show Plan</button>
<button class="btn btn-primary btn-xs help-button" id="show-hints-button">Show Hints</button>
<button class="btn btn-xs help-button" id="restart-lesson-button">Restart Lesson</button>
</div>
<div class="lesson-hint" id="lesson-hint-container">
<h4>Hints</h4>
<div class="panel" >
<div class="panel-body" id="lesson-hint">
<span class="glyphicon-class glyphicon glyphicon-circle-arrow-left" id="show-prev-hint"></span>
<span class="glyphicon-class glyphicon glyphicon-circle-arrow-right" id="show-next-hint"></span>
<br/>
<span id="lesson-hint-content"></span>
</div>
</div>
</div>
</div>
<div class="col-md-12" align="left">
<div id="lesson-progress" class="info"></div>
<div id="lesson-content-wrapper" class="panel">
</div>
</div>
</div><!--col-md-8 end-->
<div class="col-md-4">
<div class="col-md-12">
<div class="panel">
<div class="panel-body">
<div align="left">
<h3>Cookies / Parameters</h3>
</div>
<hr />
<div id="cookies-and-params">
<div id="cookies-view">
<h4>Cookies</h4>
</div>
<div id="params-view"> <!--class="paramsView"-->
<h4>Params</h4>
</div>
</div>
<div id="developer-control-container">
<div align="left">
<h3>Developer controls</h3>
</div>
<hr />
<div id="developer-controls">
</div>
</div>
</div>
</div>
</div>
</div><!--col-md-4 end-->
</div>
<div id="lesson-helps-wrapper" class="panel">
<div class="lesson-help" id="lesson-plan-row">
<div class="col-md-12">
<h4>Lesson Plan</h4>
<div class="panel" >
<div class="panel-body" id="lesson-plan-content">
<!-- allowing jQuery to handle this one -->
</div>
</div>
</div>
</div>
<div class="lesson-help" id="lesson-solution-row">
<div class="col-md-12">
<h4>Lesson Solution</h4>
<div class="panel">
<div class="panel-body" id="lesson-solution-content">
</div>
</div>
</div>
</div>
<div class="lesson-help" id="lesson-source-row">
<div class="col-md-12">
<h4>Lesson Source Code</h4>
<div class="panel">
<div class="panel-body" id="lesson-source-content">
</div>
</div>
</div>
</div>
</div>
</section>
</section>
</section>
<!-- About WebGoat Modal -->
<div class="modal" id="about-modal" tabindex="-1" role="dialog" aria-labelledby="myModalLabel" aria-hidden="true">
<div class="modal-dialog modal-lg">
<div class="modal-content">
<jsp:include page="../pages/about.jsp"/>
</div>
</div>
</div>
</body>
</html>


@ -1,39 +0,0 @@
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%--
Document : hints
Created on : Aug 27, 2014, 3:41:46 PM
Author : rlawson
--%>
<%@page contentType="text/html" pageEncoding="windows-1252"%>
<div class="col-md-6">
<table class="table table-condensed table-striped">
<caption><span class="label label-default">Parameters</span></caption>
<thead>
<tr><th>Name</th><th>Value</th></tr>
</thead>
<tbody>
<c:forEach var="wgparam" items="${wgparams}" varStatus="status">
<tr><td><span class="label label-info">${wgparam.name}</span></td><td>${wgparam.value}</td></tr>
</c:forEach>
</tbody>
</table>
</div>
<div class="col-md-6">
<table class="table table-condensed table-striped">
<caption><span class="label label-default">Cookies</span></caption>
<thead>
<tr><th>Name</th><th>Value</th></tr>
</thead>
<tbody>
<c:forEach var="wgcookie" items="${wgcookies}" varStatus="status">
<tr><td><span class="label label-info">${wgcookie.name}</span></td><td>${wgcookie.value}</td></tr>
</c:forEach>
</tbody>
</table>
</div>


@ -1,27 +0,0 @@
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%--
Document : hints
Created on : Aug 27, 2014, 3:41:46 PM
Author : rlawson
--%>
<%@page contentType="text/html" pageEncoding="windows-1252"%>
<div class="panel-group" id="accordion">
<c:forEach var="hint" items="${hints}" varStatus="status">
<div class="panel panel-default">
<div class="panel-heading">
<h3 class="panel-title">
<a data-toggle="collapse" data-parent="#accordion" href="#collapse_${hint.number}">
Hint-${hint.number}
</a>
</h3>
</div>
<div id="collapse_${hint.number}" class="panel-collapse collapse">
<div class="panel-body">
${hint.hint}
</div>
</div>
</div>
</c:forEach>
</div>


@ -1,69 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
<globalConfiguration>
<parameter name="sendMultiRefs" value="true"/>
<parameter name="disablePrettyXML" value="true"/>
<parameter name="adminPassword" value="admin"/>
<!--
<parameter name="attachments.Directory" value="C:\webgoat\tomcat\webapps\WebGoat\WEB-INF\attachments"/>
-->
<parameter name="dotNetSoapEncFix" value="true"/>
<parameter name="enableNamespacePrefixOptimization" value="true"/>
<parameter name="sendXMLDeclaration" value="true"/>
<!--
<parameter name="attachments.implementation" value="org.apache.axis.attachments.AttachmentsImpl"/>
-->
<parameter name="sendXsiTypes" value="true"/>
<requestFlow>
<handler type="java:org.apache.axis.handlers.JWSHandler">
<parameter name="scope" value="session"/>
</handler>
<handler type="java:org.apache.axis.handlers.JWSHandler">
<parameter name="scope" value="request"/>
<parameter name="extension" value=".jwr"/>
</handler>
</requestFlow>
</globalConfiguration>
<handler name="LocalResponder" type="java:org.apache.axis.transport.local.LocalResponder"/>
<handler name="URLMapper" type="java:org.apache.axis.handlers.http.URLMapper"/>
<handler name="Authenticate" type="java:org.apache.axis.handlers.SimpleAuthenticationHandler"/>
<service name="WSDLScanning" provider="java:RPC">
<parameter name="allowedMethods" value="getFirstName, getLastName, getCreditCard, getLoginCount"/>
<parameter name="className" value="org.owasp.webgoat.plugin.WSDLScanning"/>
</service>
<service name="SoapRequest" provider="java:RPC">
<parameter name="allowedMethods" value="getFirstName, getLastName, getCreditCard, getLoginCount"/>
<parameter name="className" value="org.owasp.webgoat.plugin.SoapRequest"/>
</service>
<service name="AdminService" provider="java:MSG">
<parameter name="allowedMethods" value="AdminService"/>
<parameter name="enableRemoteAdmin" value="false"/>
<parameter name="className" value="org.apache.axis.utils.Admin"/>
<namespace>http://xml.apache.org/axis/wsdd/</namespace>
</service>
<service name="Version" provider="java:RPC">
<parameter name="allowedMethods" value="getVersion"/>
<parameter name="className" value="org.apache.axis.Version"/>
</service>
<service name="WsSqlInjection" provider="java:RPC">
<parameter name="allowedMethods" value="getCreditCard"/>
<parameter name="className" value="org.owasp.webgoat.plugin.WsSqlInjection"/>
</service>
<transport name="http">
<requestFlow>
<handler type="URLMapper"/>
<handler type="java:org.apache.axis.handlers.http.HTTPAuthHandler"/>
</requestFlow>
<parameter name="qs:list" value="org.apache.axis.transport.http.QSListHandler"/>
<parameter name="qs:wsdl" value="org.apache.axis.transport.http.QSWSDLHandler"/>
<parameter name="qs.list" value="org.apache.axis.transport.http.QSListHandler"/>
<parameter name="qs.method" value="org.apache.axis.transport.http.QSMethodHandler"/>
<parameter name="qs:method" value="org.apache.axis.transport.http.QSMethodHandler"/>
<parameter name="qs.wsdl" value="org.apache.axis.transport.http.QSWSDLHandler"/>
</transport>
<transport name="local">
<responseFlow>
<handler type="LocalResponder"/>
</responseFlow>
</transport>
</deployment>


@ -1,52 +0,0 @@
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<global-method-security pre-post-annotations="enabled" />
<!--
PCS 8/27/2012
NOTE: Without Spring security, HttpServletRequest.getUserPrincipal() returns null when called from pages under Spring's control.
That method is used extensively in legacy webgoat code. Integrating Spring security into the application resolves this issue.
-->
<http pattern="/css/**" security="none"/>
<http pattern="/images/**" security="none"/>
<http pattern="/javascript/**" security="none"/>
<http pattern="/js/**" security="none"/>
<http pattern="/fonts/**" security="none"/>
<http pattern="/plugins/**" security="none"/>
<http pattern="/favicon.ico" security="none"/>
<http use-expressions="true">
<intercept-url pattern="/login.mvc" access="permitAll" />
<intercept-url pattern="/logout.mvc" access="permitAll" />
<intercept-url pattern="/index.jsp" access="permitAll" />
<intercept-url pattern="/servlet/AdminServlet/**" access="hasAnyRole('ROLE_WEBGOAT_ADMIN','ROLE_SERVER_ADMIN')" />
<intercept-url pattern="/JavaSource/**" access="hasRole('ROLE_SERVER_ADMIN')" />
<intercept-url pattern="/**" access="hasAnyRole('ROLE_WEBGOAT_USER','ROLE_WEBGOAT_ADMIN','ROLE_SERVER_ADMIN')" />
<form-login
login-page="/login.mvc"
default-target-url="/welcome.mvc"
authentication-failure-url="/login.mvc?error"
username-parameter="username"
password-parameter="password"
always-use-default-target="true"/>
<logout logout-url="/j_spring_security_logout" logout-success-url="/logout.mvc" />
<!-- enable csrf protection -->
<!--csrf/-->
</http>
<!-- Authentication Manager -->
<authentication-manager alias="authenticationManager">
<authentication-provider>
<user-service>
<!-- TODO: credentials in the config - this isn't something I'm proud of - get rid of this ASAP -->
<user name="guest" password="guest" authorities="ROLE_WEBGOAT_USER" />
<user name="webgoat" password="webgoat" authorities="ROLE_WEBGOAT_ADMIN" />
<user name="server" password="server" authorities="ROLE_SERVER_ADMIN" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>


@ -1,286 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<!-- General description of your web application -->
<display-name>WebGoat</display-name>
<description>
This web application is designed to demonstrate web
application security flaws for the purpose of educating
developers and security professionals about web
application security problems. Please contact Bruce Mayhew
(webgoat@owasp.org) if you have any questions.
</description>
<!-- Context initialization parameters that define shared
String constants used within your application, which
can be customized by the system administrator who is
installing your application. The values actually
assigned to these parameters can be retrieved in a
servlet or JSP page by calling:
String value =
getServletContext().getInitParameter("name");
where "name" matches the <param-name> element of
one of these initialization parameters.
You can define any number of context initialization
parameters, including zero.
-->
<context-param>
<description>
The EMAIL address of the administrator to whom questions
and comments about this application should be addressed.
</description>
<param-name>email</param-name>
<param-value>webgoat@owasp.org</param-value>
</context-param>
<context-param>
<description>
The EMAIL address of the webgoat email list
</description>
<param-name>emaillist</param-name>
<param-value>owasp-webgoat@lists.owasp.org</param-value>
</context-param>
<!-- spring MVC -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/mvc-dispatcher-servlet.xml,
/WEB-INF/spring-security.xml
</param-value>
</context-param>
<!-- Servlet definitions for the servlets that make up
your web application, including initialization
parameters. With Tomcat, you can also send requests
to servlets not listed here with a request like this:
http://localhost:8080/{context-path}/servlet/{classname}
but this usage is not guaranteed to be portable. It also
makes relative references to images and other resources
required by your servlet more complicated, so defining
all of your servlets (and defining a mapping to them with
a servlet-mapping element) is recommended.
Servlet initialization parameters can be retrieved in a
servlet or JSP page by calling:
String value =
getServletConfig().getInitParameter("name");
where "name" matches the <param-name> element of
one of these initialization parameters.
You can define any number of servlets, including zero.
-->
<servlet>
<display-name>Apache-Axis Servlet</display-name>
<servlet-name>AxisServlet</servlet-name>
<servlet-class>
org.apache.axis.transport.http.AxisServlet
</servlet-class>
</servlet>
<servlet>
<display-name>Axis Admin Servlet</display-name>
<servlet-name>AdminServlet</servlet-name>
<servlet-class>
org.apache.axis.transport.http.AdminServlet
</servlet-class>
<load-on-startup>100</load-on-startup>
</servlet>
<servlet>
<display-name>SOAPMonitorService</display-name>
<servlet-name>SOAPMonitorService</servlet-name>
<servlet-class>
org.apache.axis.monitor.SOAPMonitorService
</servlet-class>
<init-param>
<param-name>SOAPMonitorPort</param-name>
<param-value>5001</param-value>
</init-param>
<load-on-startup>100</load-on-startup>
</servlet>
<servlet>
<description>
This servlet plays the "controller" role in the MVC architecture
used in this application.
The initialization parameter namess for this servlet are the
"servlet path" that will be received by this servlet (after the
filename extension is removed). The corresponding value is the
name of the action class that will be used to process this request.
</description>
<servlet-name>WebGoat</servlet-name>
<servlet-class>org.owasp.webgoat.HammerHead</servlet-class>
<init-param>
<description>The EMAIL address of the administrator to whom questions
and comments about this application should be addressed.
</description>
<param-name>email</param-name>
<param-value>WebGoat@owasp.org</param-value>
</init-param>
<init-param>
<param-name>debug</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>CookieDebug</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>DefuseOSCommands</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>Enterprise</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>CodingExercises</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<!-- Specify an address where you would like comments to be sent. -->
<!-- This can be any URL or HTML tags, and will appear on the report card and lesson incomplete pages -->
<!-- Use iso8859-1 encoding to represent special characters that might confuse XML parser. For
example, replace "<" with "&lt;" and ">" with "&gt;". -->
<param-name>FeedbackAddress</param-name>
<param-value>
&lt;A HREF=mailto:webgoat@owasp.org&gt;webgoat@owasp.org&lt;/A&gt;
</param-value>
</init-param>
<init-param>
<param-name>DatabaseDriver</param-name>
<param-value>
org.hsqldb.jdbcDriver
</param-value>
</init-param>
<init-param>
<param-name>DatabaseConnectionString</param-name>
<!--
The string "${USER}" in the connection string will be replaced by the active username
when making a connection.
-->
<param-value>jdbc:hsqldb:mem:${USER}</param-value>
</init-param>
<!--
<init-param>
<param-name>DefaultLanguage</param-name>
<param-value>en</param-value>
</init-param>
-->
<!-- Load this servlet at server startup time -->
<load-on-startup>5</load-on-startup>
</servlet>
<servlet>
<description>
This servlet returns the Java source of the current lesson.
</description>
<servlet-name>LessonSource</servlet-name>
<servlet-class>org.owasp.webgoat.LessonSource</servlet-class>
</servlet>
<servlet>
<description>
This servlet catches any posts and marks the appropriate lesson property.
</description>
<servlet-name>Catcher</servlet-name>
<servlet-class>org.owasp.webgoat.Catcher</servlet-class>
</servlet>
<!-- spring MVC -->
<servlet>
<servlet-name>mvc-dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>mvc-dispatcher</servlet-name>
<url-pattern>*.mvc</url-pattern>
</servlet-mapping>
<listener>
<description>Spring context init</description>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<description>Spring context init</description>
<listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
<listener>
<description>WebGoat application init</description>
<listener-class>org.owasp.webgoat.application.WebGoatServletListener</listener-class>
</listener>
<!-- end spring MVC -->
<!-- spring security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- end spring security -->
<!-- Define mappings that are used by the servlet container to
translate a particular request URI (context-relative) to a
particular servlet. The examples below correspond to the
servlet descriptions above. Thus, a request URI like:
http://localhost:8080/{contextpath}/graph
will be mapped to the "graph" servlet, while a request like:
http://localhost:8080/{contextpath}/saveCustomer.mvc
will be mapped to the "controller" servlet.
You may define any number of servlet mappings, including zero.
It is also legal to define more than one mapping for the same
servlet, if you wish to.
-->
<servlet-mapping>
<servlet-name>AxisServlet</servlet-name>
<url-pattern>/servlet/AxisServlet</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>AxisServlet</servlet-name>
<url-pattern>*.jws</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>AxisServlet</servlet-name>
<url-pattern>/services/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>SOAPMonitorService</servlet-name>
<url-pattern>/SOAPMonitor</url-pattern>
</servlet-mapping>
<!-- uncomment this if you want the admin servlet -->
<servlet-mapping>
<servlet-name>AdminServlet</servlet-name>
<url-pattern>/servlet/AdminServlet</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>WebGoat</servlet-name>
<url-pattern>/attack</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>LessonSource</servlet-name>
<url-pattern>/source</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Catcher</servlet-name>
<url-pattern>/catcher</url-pattern>
</servlet-mapping>
<!-- Define the default session timeout for your application,
in minutes. From a servlet or JSP page, you can modify
the timeout for a particular session dynamically by using
HttpSession.getMaxInactiveInterval(). -->
<session-config>
<!-- 2 days -->
<session-timeout>2880</session-timeout>
</session-config>
<mime-mapping>
<extension>wmv</extension>
<mime-type>video/x-ms-wmv</mime-type>
</mime-mapping>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
</web-app>


@ -1,60 +0,0 @@
category.General.ranking=11
lesson.HttpBasics.ranking=10
lesson.HttpSplitting.ranking=20
lesson.ThreadSafetyProblem.ranking=30
category.Broken\ Authentication\ and\ Session\ Management.ranking=21
lesson.BasicAuthentication.ranking=10
lesson.WeakAuthenticationCookie.ranking=20
category.Broken\ Access\ Control.ranking=31
lesson.AccessControlMatrix.ranking=10
lesson.PathBasedAccessControl.ranking=20
lesson.RoleBasedAccessControl.hidden=true
category.Cross-Site\ Scripting\ (XSS).ranking=41
lesson.StoredXss.ranking=10
lesson.ReflectedXSS.ranking=20
lesson.CSRF.ranking=30
lesson.CsrfPromptByPass.ranking=40
lesson.CsrfTokenByPass.ranking=50
lesson.CrossSiteScripting.hidden=true
category.Unvalidated\ Parameters.ranking=51
lesson.HiddenFieldTampering.ranking=10
lesson.JavaScriptValidation.ranking=20
lesson.UncheckedEmail.ranking=30
category.Insecure\ Storage.ranking=61
lesson.Encoding.ranking=10
category.Injection\ Flaws.ranking=71
lesson.SqlNumericInjection.ranking=10
lesson.SqlStringInjection.ranking=20
lesson.CommandInjection.ranking=30
lesson.LogSpoofing.ranking=40
lesson.SQLInjection.hidden=true
category.Improper\ Error\ Handling.ranking=81
lesson.FailOpenAuthentication.ranking=10
category.Code\ Quality.ranking=91
lesson.HtmlClues.ranking=10
category.Web\ Services.category.ranking=101
lesson.SoapRequest.ranking=10
lesson.WSDLScanning.ranking=20
lesson.WsSqlInjection.ranking=30
category.New\ Lesson.category.ranking=111
lesson.HowToAddNewLesson.ranking=10
lesson.WeakSessionID.hidden=true
lesson.BufferOverflow.hidden=true
lesson.BlindSqlInjection.hidden=true
lesson.DOS_Login.hidden=true
lesson.ForcedBrowsing.hidden=true
lesson.ForgotPassword.hidden=true
lesson.ParameterInjection.hidden=true
lesson.RemoteAdminFlaw.hidden=true
lesson.ChallengeScreen.hidden=true


@ -1,57 +0,0 @@
category.General.ranking=11
lesson.HttpBasics.ranking=10
lesson.HttpSplitting.ranking=20
lesson.ThreadSafetyProblem.ranking=30
category.Broken\ Authentication\ and\ Session\ Management.ranking=21
lesson.BasicAuthentication.ranking=10
lesson.WeakAuthenticationCookie.ranking=20
category.Broken\ Access\ Control.ranking=31
lesson.AccessControlMatrix.ranking=10
lesson.PathBasedAccessControl.ranking=20
category.Cross-Site\ Scripting\ (XSS).ranking=41
lesson.StoredXss.ranking=10
lesson.ReflectedXSS.ranking=20
lesson.CSRF.ranking=30
lesson.CsrfPromptByPass.ranking=40
lesson.CsrfTokenByPass.ranking=50
category.Unvalidated\ Parameters.ranking=51
lesson.HiddenFieldTampering.ranking=10
lesson.JavaScriptValidation.ranking=20
lesson.UncheckedEmail.ranking=30
category.Insecure\ Storage.ranking=61
lesson.Encoding.ranking=10
category.Injection\ Flaws.ranking=71
lesson.SqlNumericInjection.ranking=10
lesson.SqlStringInjection.ranking=20
lesson.CommandInjection.ranking=30
lesson.LogSpoofing.ranking=40
category.Improper\ Error\ Handling.ranking=81
lesson.FailOpenAuthentication.ranking=10
category.Code\ Quality.ranking=91
lesson.HtmlClues.ranking=10
category.Web\ Services.category.ranking=101
lesson.SoapRequest.ranking=10
lesson.WSDLScanning.ranking=20
lesson.WsSqlInjection.ranking=30
category.New\ Lesson.category.ranking=111
lesson.HowToAddNewLesson.ranking=10
lesson.WeakSessionID.hidden=true
lesson.BufferOverflow.hidden=true
lesson.BlindSqlInjection.hidden=true
lesson.DOS_Login.hidden=true
lesson.ForcedBrowsing.hidden=true
lesson.ForgotPassword.hidden=true
lesson.ParameterInjection.hidden=true
lesson.RemoteAdminFlaw.hidden=true
lesson.ChallengeScreen.hidden=true


@ -1,2 +0,0 @@
#lesson.BufferOverflow.hidden=true
lesson.BlindScript.hidden=true


@ -1,132 +0,0 @@
DROP USER webgoat_guest CASCADE;
CREATE USER webgoat_guest IDENTIFIED BY webgoat DEFAULT TABLESPACE users;
GRANT CONNECT, RESOURCE TO webgoat_guest;
GRANT CREATE PROCEDURE TO webgoat_guest;
CREATE TABLE WEBGOAT_guest.EMPLOYEE (
userid INT NOT NULL PRIMARY KEY,
first_name VARCHAR(20),
last_name VARCHAR(20),
ssn VARCHAR(12),
password VARCHAR(10),
title VARCHAR(20),
phone VARCHAR(13),
address1 VARCHAR(80),
address2 VARCHAR(80),
manager INT,
start_date CHAR(8),
salary INT,
ccn VARCHAR(30),
ccn_limit INT,
disciplined_date CHAR(8),
disciplined_notes VARCHAR(60),
personal_description VARCHAR(60)
);
CREATE OR REPLACE FUNCTION WEBGOAT_guest.EMPLOYEE_LOGIN(v_id NUMBER, v_password VARCHAR) RETURN NUMBER AS
stmt VARCHAR(32767);cnt NUMBER;
BEGIN
stmt := 'SELECT COUNT (*) FROM EMPLOYEE WHERE USERID = ' || v_id || ' AND PASSWORD = ''' || v_password || '''';
EXECUTE IMMEDIATE stmt INTO cnt;
RETURN cnt;
END;
/
CREATE OR REPLACE FUNCTION WEBGOAT_guest.EMPLOYEE_LOGIN_BACKUP(v_id NUMBER, v_password VARCHAR) RETURN NUMBER AS
stmt VARCHAR(32767);cnt NUMBER;
BEGIN
stmt := 'SELECT COUNT (*) FROM EMPLOYEE WHERE USERID = ' || v_id || ' AND PASSWORD = ''' || v_password || '''';
EXECUTE IMMEDIATE stmt INTO cnt;
RETURN cnt;
END;
/
CREATE OR REPLACE PROCEDURE WEBGOAT_guest.UPDATE_EMPLOYEE(
v_userid IN employee.userid%type,
v_first_name IN employee.first_name%type,
v_last_name IN employee.last_name%type,
v_ssn IN employee.ssn%type,
v_title IN employee.title%type,
v_phone IN employee.phone%type,
v_address1 IN employee.address1%type,
v_address2 IN employee.address2%type,
v_manager IN employee.manager%type,
v_start_date IN employee.start_date%type,
v_salary IN employee.salary%type,
v_ccn IN employee.ccn%type,
v_ccn_limit IN employee.ccn_limit%type,
v_disciplined_date IN employee.disciplined_date%type,
v_disciplined_notes IN employee.disciplined_notes%type,
v_personal_description IN employee.personal_description%type
)
AS
BEGIN
UPDATE EMPLOYEE
SET
first_name = v_first_name,
last_name = v_last_name,
ssn = v_ssn,
title = v_title,
phone = v_phone,
address1 = v_address1,
address2 = v_address2,
manager = v_manager,
start_date = v_Start_date,
salary = v_salary,
ccn = v_ccn,
ccn_limit = v_ccn_limit,
disciplined_date = v_disciplined_date,
disciplined_notes = v_disciplined_notes,
personal_description = v_personal_description
WHERE
userid = v_userid;
END;
/
CREATE OR REPLACE PROCEDURE WEBGOAT_guest.UPDATE_EMPLOYEE_BACKUP(
v_userid IN employee.userid%type,
v_first_name IN employee.first_name%type,
v_last_name IN employee.last_name%type,
v_ssn IN employee.ssn%type,
v_title IN employee.title%type,
v_phone IN employee.phone%type,
v_address1 IN employee.address1%type,
v_address2 IN employee.address2%type,
v_manager IN employee.manager%type,
v_start_date IN employee.start_date%type,
v_salary IN employee.salary%type,
v_ccn IN employee.ccn%type,
v_ccn_limit IN employee.ccn_limit%type,
v_disciplined_date IN employee.disciplined_date%type,
v_disciplined_notes IN employee.disciplined_notes%type,
v_personal_description IN employee.personal_description%type
)
AS
BEGIN
UPDATE EMPLOYEE
SET
first_name = v_first_name,
last_name = v_last_name,
ssn = v_ssn,
title = v_title,
phone = v_phone,
address1 = v_address1,
address2 = v_address2,
manager = v_manager,
start_date = v_Start_date,
salary = v_salary,
ccn = v_ccn,
ccn_limit = v_ccn_limit,
disciplined_date = v_disciplined_date,
disciplined_notes = v_disciplined_notes,
personal_description = v_personal_description
WHERE
userid = v_userid;
END;
/
exit;


@ -1,226 +0,0 @@
EXEC sp_configure 'clr enabled', 1
GO
RECONFIGURE
GO
USE master;
go
DROP LOGIN webgoat_guest;
go
DROP database webgoat;
go
CREATE database webgoat;
go
USE webgoat;
go
CREATE SCHEMA webgoat_guest;
go
CREATE LOGIN webgoat_guest with password = '_webgoat';
go
CREATE USER webgoat_guest with default_schema = webgoat_guest;
go
GRANT CONTROL TO webgoat_guest;
go
CREATE TABLE WEBGOAT_guest.EMPLOYEE (
userid INT NOT NULL PRIMARY KEY,
first_name VARCHAR(20),
last_name VARCHAR(20),
ssn VARCHAR(12),
password VARCHAR(10),
title VARCHAR(20),
phone VARCHAR(13),
address1 VARCHAR(80),
address2 VARCHAR(80),
manager INT,
start_date CHAR(8),
salary INT,
ccn VARCHAR(30),
ccn_limit INT,
disciplined_date CHAR(8),
disciplined_notes VARCHAR(60),
personal_description VARCHAR(60)
);
go
IF EXISTS
(
SELECT 1
FROM INFORMATION_SCHEMA.ROUTINES
WHERE ROUTINE_NAME = 'UPDATE_EMPLOYEE'
AND ROUTINE_SCHEMA = 'webgoat_guest'
AND ROUTINE_TYPE = 'PROCEDURE'
)
BEGIN
DROP PROCEDURE webgoat_guest.UPDATE_EMPLOYEE
DROP PROCEDURE webgoat_guest.UPDATE_EMPLOYEE_BACKUP
END
GO
CREATE PROCEDURE webgoat_guest.UPDATE_EMPLOYEE
@v_userid INT,
@v_first_name VARCHAR(20),
@v_last_name VARCHAR(20),
@v_ssn VARCHAR(12),
@v_title VARCHAR(20),
@v_phone VARCHAR(13),
@v_address1 VARCHAR(80),
@v_address2 VARCHAR(80),
@v_manager INT,
@v_start_date CHAR(8),
@v_salary INT,
@v_ccn VARCHAR(30),
@v_ccn_limit INT,
@v_disciplined_date CHAR(8),
@v_disciplined_notes VARCHAR(60),
@v_personal_description VARCHAR(60)
AS
UPDATE EMPLOYEE
SET
first_name = @v_first_name,
last_name = @v_last_name,
ssn = @v_ssn,
title = @v_title,
phone = @v_phone,
address1 = @v_address1,
address2 = @v_address2,
manager = @v_manager,
start_date = @v_Start_date,
salary = @v_salary,
ccn = @v_ccn,
ccn_limit = @v_ccn_limit,
disciplined_date = @v_disciplined_date,
disciplined_notes = @v_disciplined_notes,
personal_description = @v_personal_description
WHERE
userid = @v_userid;
go
CREATE PROCEDURE webgoat_guest.UPDATE_EMPLOYEE_BACKUP
@v_userid INT,
@v_first_name VARCHAR(20),
@v_last_name VARCHAR(20),
@v_ssn VARCHAR(12),
@v_title VARCHAR(20),
@v_phone VARCHAR(13),
@v_address1 VARCHAR(80),
@v_address2 VARCHAR(80),
@v_manager INT,
@v_start_date CHAR(8),
@v_salary INT,
@v_ccn VARCHAR(30),
@v_ccn_limit INT,
@v_disciplined_date CHAR(8),
@v_disciplined_notes VARCHAR(60),
@v_personal_description VARCHAR(60)
AS
UPDATE EMPLOYEE
SET
first_name = @v_first_name,
last_name = @v_last_name,
ssn = @v_ssn,
title = @v_title,
phone = @v_phone,
address1 = @v_address1,
address2 = @v_address2,
manager = @v_manager,
start_date = @v_Start_date,
salary = @v_salary,
ccn = @v_ccn,
ccn_limit = @v_ccn_limit,
disciplined_date = @v_disciplined_date,
disciplined_notes = @v_disciplined_notes,
personal_description = @v_personal_description
WHERE
userid = @v_userid;
go
IF EXISTS
(
SELECT 1
FROM INFORMATION_SCHEMA.ROUTINES
WHERE ROUTINE_NAME = 'EMPLOYEE_LOGIN'
AND ROUTINE_SCHEMA = 'webgoat_guest'
AND ROUTINE_TYPE = 'FUNCTION'
)
BEGIN
DROP FUNCTION webgoat_guest.EMPLOYEE_LOGIN
DROP FUNCTION webgoat_guest.EMPLOYEE_LOGIN_BACKUP
END
GO
CREATE FUNCTION webgoat_guest.EMPLOYEE_LOGIN (
@v_id INT,
@v_password VARCHAR(100)
) RETURNS INTEGER
AS
BEGIN
DECLARE @sql nvarchar(4000), @count int
SELECT @sql = N'SELECT @cnt = COUNT(*) FROM EMPLOYEE WHERE USERID = ' + convert(varchar(10),@v_id) + N' AND PASSWORD = ''' + @v_password + N'''';
EXEC sp_executesql @sql, N'@cnt int OUTPUT', @cnt = @count OUTPUT
return @count
END
GO
CREATE FUNCTION webgoat_guest.EMPLOYEE_LOGIN_BACKUP (
@v_id INT,
@v_password VARCHAR(100)
) RETURNS INTEGER
AS
BEGIN
DECLARE @sql nvarchar(4000), @count int
SELECT @sql = N'SELECT @cnt = COUNT(*) FROM EMPLOYEE WHERE USERID = ' + convert(varchar(10),@v_id) + N' AND PASSWORD = ''' + @v_password + N'''';
EXEC sp_executesql @sql, N'@cnt int OUTPUT', @cnt = @count OUTPUT
return @count
END
GO
IF EXISTS
(
SELECT 1
FROM INFORMATION_SCHEMA.ROUTINES
WHERE ROUTINE_NAME = 'RegexMatch'
AND ROUTINE_SCHEMA = 'webgoat_guest'
AND ROUTINE_TYPE = 'FUNCTION'
)
BEGIN
DROP FUNCTION webgoat_guest.RegexMatch
END
GO
IF EXISTS (SELECT name FROM sys.assemblies WHERE name = N'RegexMatch')
DROP ASSEMBLY RegexMatch;
GO
CREATE ASSEMBLY RegexMatch FROM 'C:\AspectClass\Database\Labs\tomcat\webapps\WebGoat\WEB-INF\RegexMatch.dll' WITH PERMISSION_SET = SAFE;
GO
CREATE FUNCTION webgoat_guest.RegexMatch (
@input NVARCHAR(MAX),
@pattern NVARCHAR(MAX)
) RETURNS BIT
AS EXTERNAL NAME RegexMatch.[UserDefinedFunctions].RegexMatch;
GO


@ -1,365 +0,0 @@
!---------------------------------------------------------------------
!
! BASIC PROPERTIES
!
!---------------------------------------------------------------------
!
! Path where index tables are held. Can be absolute or relative
! to the properties file. Defaults to tablePath.
!
indexPath=./indexes
!
! Path where system tables are held. Can be absolute or relative to
! the properties file. Defaults to tablePath.
!
systemPath=./system
!
! Path where database tables are held. Can be absolute or relative
! to the properties file. Defaults to "current" directory.
!
tablePath=./tables
!
! Path where results set tables are held. Can be absolute or relative
! to the properties file. Defaults to tablePath.
!
tmpPath=./tmp
!
! Non-zero means paths are relative to the properties file.
! Default is absolute paths for files.
!
relativeToProperties=1
!
! Alternative partitions can be defined so that tables can be placed
! in multiple locations. Each partition is numbered: 1, 2, 3,... Tables
! can be created on partitions using the syntax
!
! CREATE TABLE <name> ON PARTITION <number>...
!
! The partition count has to be supplied.
!
!partitionCount=2
!
! The locations of each partition must be supplied. These are always
! absolute path names.
!
!partition1=d:/petes
!partition2=c:/temp
!---------------------------------------------------------------------
!
! TUNING PROPERTIES
!
!---------------------------------------------------------------------
!
! The amount of each column to cache, expressed either as an absolute
! number of rows or as a percentage figure. Defaults to 256 or 10 respectively.
!
! This value applies only when tables are first created. It has no effect
! when a table is being re-opened.
!
cacheAmount=512
!
! CACHE_ROWS Must be one of CACHE_ROWS or CACHE_PERCENT. Determines whether
! to cache columns in tables based on an absolute number of rows, or the
! percentage number of rows in the table.
!
! This value applies only when tables are first created. It has no effect
! when a table is being re-opened.
!
cacheCondition=CACHE_ROWS
!
! The amount of the system tables to be cached. Defaults to 100.
!
! This value applies only when tables are first created. It has no effect
! when a table is being re-opened.
!
!systemCacheSize=10
!
! Similar to cacheCondition, but applies only to the system tables.
!
! This value applies only when tables are first created. It has no effect
! when a table is being re-opened.
!
!systemCacheCondition=CACHE_ROWS
!
! The percentage cache hit improvement required in order to move the
! cache to a new location in a column.
!
! (Currently not implemented).
!
cacheResetPercent=10
!
! Non-zero means that database changes do not get written to the
! database immediately. See tuning.html.
!
fastUpdate=0
!
! Percentage of free space in an index that must be present before
! the index reorganises itself. High values means frequent index
! reorganisation. Low values means slow index inserts.
!
indexLoad=5
!
! The number of cache misses to include in calculations of the next
! base for the cache.
!
! (Currently not implemented).
!
missesInCacheStats=100
!
! Non-zero means that results sets get instantiated on disk. By default
! InstantDB holds results sets emtirely in memory (apart from Binary
! columns). For large results sets this can be a problem. This property
! forces all results sets to be held on disk.
!
resultsOnDisk=0
!
! Similar to cacheCondition but applies only to disk based
! results sets. Default is CACHE_ROWS.
!
resultsSetCache=CACHE_ROWS
!
! Similar to cacheAmount but applies only to disk based
! results sets. Default is 100.
!
resultsSetCacheAmount=100
!
! Number of rows to read into the disk read ahead buffer.
! Recommended to be set somewhere around 128 to 256.
! Default is 20.
!
rowCacheSize=128
!
! The read ahead buffer is effective at speeding up full
! table scans. However for indexed lookups or multiple
! simultaneous scans it is better to read a single row at
! a time. Each table holds a small number of single row
! buffers to improve such operations. Default is 8.
!
!singleRowCount=4
!
! Sometimes the look ahead buffer can be held by a single
! thread even though it is not retrieveing many values from it.
! If too many lookups retrieve data from the single row
! buffers then it is better to flush the look ahead buffer and
! make it available for re-use. Default is 128.
!
!flushAfterCacheMisses=64
!
! Number of rows to read ahead for system tables. By default
! system tables cache everything, so it is wasteful to have large
! read ahead buffers since they will very rarely be used. This
! allows the size of the system read ahead buffers to be reduced
! if necessary. Defaults to rowCacheSize.
!
!systemRows=20
!
! The control column in all tables normally has a large cache
! since this speeds up all operation on that table. This can be
! varied to either improve performance or to reduce space.
! default is 8192.
!
! This value applies only when tables are first created. It has no effect
! when a table is being re-opened.
!
!controlColCacheSize=512
!
! By default, InstantDB only does a cursory search for deleted rows during
! UPDATE statements. Setting searchDeletes=1 causes more detailed searches
! for deleted rows. This slows down UPDATE executions, but reults in more
! compact tables. Default is 0.
!
searchDeletes=0
!
! The interval, in milliseconds, between checks for statement execution
! timeouts. Default is 5000.
!
!timerCheck=5000
!
! The number of statements between checks on available memory. If set
! to 100 (say), then every 100 statements, InstantDB will check to
! see how much memory is still free. If too little is avilable (see
! below) then java.lang.System.gc() is called.
!
! If set to zero (the default) then no memory checking takes place.
!
!garbageCollectStatements=100
!
! If InstantDB is performing period memory checks (see above) then
! this is the value in percent of available memory that must be
! used before System.gc() gets called.
!
!garbageCollectPercent=70
!---------------------------------------------------------------------
!
! LOGGING AND DEBUGGING PROPERTIES
!
!---------------------------------------------------------------------
!
! Non-zero means include SQL statements in the export file.
!
exportSQL=0
!
! Non-zero means trace output also directed to console.
! Defaults to 0.
!
traceConsole=1
!
! Relative or absolute path where exporting and tracing goes.
!
! NOTE - A relative path is relative to the current Java
! runtime directory. It is *not* relative to this properties
! file. This is regardless of the relativeToProperties
! setting above.
!
traceFile=./trace.log
!
! Bitmap of various items that can be traced. See debug.html.
! Defaults to 0.
!
traceLevel=2
!---------------------------------------------------------------------
!
! TRANSACTION AND RECOVERY PROPERTIES
!
!---------------------------------------------------------------------
!
! 0 means do not perform recovery on startup.
! 1 means perform automatic recovery
! 2 (default) means prompt the user using standard in
!
recoveryPolicy=1
!
! Sets the level of transaction journalling. See trans.html.
! Defaults to 1.
!
! 0 - No journalling takes place.
! 1 - Normal journalling (default).
! 2 - Full journalling.
!
transLevel=1
!
! When doing an import, defines the number of rows imported
! before the transaction is committed. Recommended value 8192.
! defaults to 100.
!
transImports=100
!
! Sets the default transaction isolation level. This is a complex
! topic, but basically, the higher the level, the more locking
! goes on. The allowed values are:
!
! TRANSACTION_READ_UNCOMMITTED = 1
! TRANSACTION_READ_COMMITTED = 2
! TRANSACTION_REPEATABLE_READ = 4
! TRANSACTION_SERIALIZABLE = 8 (default)
!
! SERIALIZABLE means that InstantDB takes exclusive access to all
! tables in a transaction until the transaction completes. Even if
! the transaction only performs reads.
!
! REPEATABLE_READ transactions takes read locks for SELECTs and
! write locks for everything else. All locks released on transaction
! completion.
!
! READ_COMMITTED transactions are the same as REPEATABLE_READ
! except that read locks get freed on statement completion.
!
! READ_UNCOMMITTED transactions do not take read locks. A result
! set can include data being modified by another transaction.
!
!defaultIsolationLevel=2
!---------------------------------------------------------------------
!
! DATE, TIME AND CURRENCY PROPERTIES
!
!---------------------------------------------------------------------
!
! Number of digits after decimal point in currency outputs. Defaults to 2.
!
currencyDecimal=2
!
! Currency symbol used in currency outputs. Defaults to $.
!
currencySymbol=$
!
! Default format for date columns. Defaults to "yyyy-mm-dd".
!
!dateFormat=yyyy-mm-dd
!
! Default format for timestamp columns. Defaults to "yyyy-mm-dd hh:nn:ss.lll".
!
!dateTimeFormat=yyyy-mm-dd hh:nn:ss.lll
!
! Default format for time columns. Defaults to "hh:nn:ss.lll".
!
!timeFormat=hh:nn:ss.lll
!
! If set, then all two digit dates less than its value are interpreted
! as 21st century dates.
!
!milleniumBoundary=50
!
! Set to 1 causes the date string "now" to store a full timestamp.
! Default is to store only the date for fields with now hour in the
! format string.
!
nowMeansTime=0
!---------------------------------------------------------------------
!
! STRING HANDLING PROPERTIES
!
!---------------------------------------------------------------------
!
! If set to 1 then String hashes use the JDK Object.hashCode() function.
! By default, uses InstantDB's String hashing.
!
altStringHashing=0
!
! Set to 1 to cause LIKE clauses to always perform case insensitive
! comparisons.
!
likeIgnoreCase=0
!
! Same as SET LITERAL STRICT_ON. Prevents string literals being interpreted
! as column names or numbers. Default is 0.
!
strictLiterals=0
!
! Set this value to 1 (one) if you would like PreparedStatement.setString()
! to ignore "\" (backslash) characters when proceesing string constants.
! When set, InstantDB will not attempt to interpret \ as the start of an
! escape sequence. Default is 0.
!
!prepareIgnoresEscapes=1
!---------------------------------------------------------------------
!
! MISCELLANEOUS PROPERTIES
!
!---------------------------------------------------------------------
!
! Allows selected InstantDB keywords to be un-reserved.
! e.g. ignoreKeywords=url,quote would allow the keywords
! url and quote to be used as table or column names.
!
! This faciliy is provided for compatatbility reasons only.
! It's use is not recommended AND IS NOT SUPPORTED.
!
!ignoreKeywords
!
! Non-zero means database is opened in read only mode.
!
readOnly=0


@ -1,3 +0,0 @@
<%@ page session="false" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<c:redirect url="/login.mvc"/>


@ -1,46 +0,0 @@
<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.Category, org.owasp.webgoat.lessons.AbstractLesson, org.owasp.webgoat.util.*, java.util.*"
errorPage="" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%
WebSession webSession = ((WebSession) session.getAttribute(WebSession.SESSION));
Course course = webSession.getCourse();
AbstractLesson currentLesson = webSession.getCurrentLesson();
%>
<!-- HTML fragment correpsonding to the lesson content -->
<%@page import="org.owasp.webgoat.lessons.RandomLessonAdapter"%>
<div id="lessonContent">
<%
AbstractLesson lesson = webSession.getCurrentLesson();
if (lesson instanceof RandomLessonAdapter) {
RandomLessonAdapter rla = (RandomLessonAdapter) lesson;
%>
<div class="info">Stage <%= rla.getLessonTracker(webSession).getStageNumber(rla.getStage(webSession)) + 1%></div>
<%
}
%>
<%=webSession.getInstructions()%></div>
<div id="message" class="info"><%=webSession.getMessage()%></div>
<%
if (currentLesson.getTemplatePage(webSession) != null) {
//System.out.println("Main.jsp - current lesson: " + currentLesson.getName() );
//System.out.println(" - template Page: " + currentLesson.getTemplatePage(webSession));
%>
<jsp:include page="<%=currentLesson.getTemplatePage(webSession)%>" />
<%
} else {
%>
<div id="lessonContent"><%=currentLesson.getContent()%></div>
<%
}
%>


@ -1,19 +0,0 @@
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<%@page import="org.owasp.webgoat.session.WebSession"%>
<%
WebSession webSession = ((WebSession)session.getAttribute("websession"));
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Configuration Page</title>
</head>
<body>
<% response.sendRedirect(webSession.getCurrentLesson().getLink() +
"&succeeded=yes");
%>
<!-- http://localhost:8080/WebGoat/start.mvc#attack/12/1400&succeeded=yes -->
</body>
</html>


@ -1,292 +0,0 @@
<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.Category, org.owasp.webgoat.lessons.AbstractLesson, org.owasp.webgoat.util.*, java.util.*"
errorPage="" %>
<%
WebSession webSession = ((WebSession) session.getAttribute(WebSession.SESSION));
Course course = webSession.getCourse();
AbstractLesson currentLesson = webSession.getCurrentLesson();
LabelManager labelManager = BeanProvider.getBean("labelManager", LabelManager.class);
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<%@page import="org.owasp.webgoat.lessons.RandomLessonAdapter"%>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title><%=currentLesson.getTitle()%></title>
<link rel="stylesheet" href="css/webgoat.css" type="text/css" />
<link rel="stylesheet" href="css/lesson.css" type="text/css" />
<link rel="stylesheet" href="css/menu.css" type="text/css" />
<link rel="stylesheet" href="css/layers.css" type="text/css" />
<script language="JavaScript1.2" src="javascript/javascript.js" type="text/javascript"></script>
<script language="JavaScript1.2" src="javascript/menu_system.js" type="text/javascript"></script>
<script language="JavaScript1.2" src="javascript/lessonNav.js" type="text/javascript"></script>
<script language="JavaScript1.2" src="javascript/makeWindow.js" type="text/javascript"></script>
<script language="JavaScript1.2" src="javascript/toggle.js" type="text/javascript"></script>
</head>
<%
final String menuPrefix = WebSession.MENU;
final String submenuPrefix = "submenu";
final String mbutPrefix = "mbut";
String printHint = "";
String printParameters = "";
String printCookies = "";
String lessonComplete = "<img src=\"images/buttons/lessonComplete.jpg\">";
List categories = course.getCategories();
StringBuffer buildList = new StringBuffer();
Iterator iter1 = categories.iterator();
while (iter1.hasNext()) {
Category category = (Category) iter1.next();
buildList.append("'");
buildList.append(menuPrefix);
buildList.append(category.getRanking());
buildList.append("','");
buildList.append(submenuPrefix);
buildList.append(category.getRanking());
buildList.append("','");
buildList.append(mbutPrefix);
buildList.append(category.getRanking());
buildList.append("'");
if (iter1.hasNext()) {
buildList.append(",");
}
}%>
<body class="page" onload="setMenuMagic1(10, 40, 10, 'menubottom',<%=buildList%>);
trigMM1url('<%= menuPrefix%>', 1);
MM_preloadImages('images/buttons/hintLeftOver.jpg', 'images/buttons/hintOver.jpg', 'images/buttons/hintRightOver.jpg', 'images/buttons/paramsOver.jpg', 'images/buttons/htmlOver.jpg', 'images/buttons/cookiesOver.jpg', 'images/buttons/javaOver.jpg', 'images/buttons/plansOver.jpg', 'images/buttons/logout.jpg', 'images/buttons/helpOver.jpg');
initIframe();">
<div id="wrap">
<%
int topCord = 140;
int zIndex = 105;
Iterator iter2 = categories.iterator();
while (iter2.hasNext()) {
Category category = (Category) iter2.next();
%>
<div id="<%=menuPrefix + category.getRanking()%>" style="position:absolute; left:30px; top:<%=topCord%>px; width:160px; z-index:<%=zIndex%>"><a href="javascript:;" onclick="trigMenuMagic1('<%=menuPrefix + category.getRanking()%>', 1);
return false" onfocus="if (this.blur)
this.blur()"><img src="images/menu_images/1x1.gif" width="1" height=1"20" name="mbut<%=category.getRanking()%>" border="0" alt=""/><%=category.getName()%></a></div>
<%
topCord = topCord + 30;
zIndex = zIndex + 1;
}
int topSubMenu = 72;
Iterator iter3 = categories.iterator();
while (iter3.hasNext()) {
Category category = (Category) iter3.next();
List lessons = webSession.getLessons(category);
Iterator iter4 = lessons.iterator();
%>
<div id="submenu<%=category.getRanking()%>" class="pviimenudiv" style="position:absolute; left:200px; top:<%=topSubMenu%>px; width:150px; visibility: hidden; z-index:<%=zIndex%>">
<table width="150" border="0" cellspacing="6" cellpadding="0"><%
topSubMenu = topSubMenu + 30;
zIndex = zIndex + 1;
while (iter4.hasNext()) {
AbstractLesson lesson = (AbstractLesson) iter4.next();
%><tr>
<td><%=(lesson.isCompleted(webSession) ? lessonComplete : "")%><a href="<%=lesson.getLink()%>"><%=lesson.getTitle()%></a></td>
</tr>
<% if (lesson instanceof RandomLessonAdapter) {
RandomLessonAdapter rla = (RandomLessonAdapter) lesson;
String[] stages = rla.getStages();
if (stages != null)
for (int i = 0; i < stages.length; i++) {
%>
<tr><td class="pviimenudivstage"><%=(rla.isStageComplete(webSession, stages[i]) ? lessonComplete : "")%><a href="<%=lesson.getLink() + "/" + (i + 1)%>">Stage <%=i + 1%>: <%=stages[i]%></a>
</td></tr>
<%
}
}
%>
<%
}
%>
</table>
</div><%
}%>
<div id="top"></div>
<div id="topLeft">
<div align="left">
<% if (currentLesson.getAvailableLanguages().size() != 0) {
%>
<form method="get" action="attack" style="display: inline;">
Choose another language: <select name="language" size="1"
onChange="changeLanguage();">
<%
for (String lang : currentLesson.getAvailableLanguages()) {
%>
<option value="<%=lang%>"
<% if (webSession.getCurrrentLanguage().equals(lang)) {
out.println("selected");
}%>><%=lang%>
</option>
<%
}
%>
</select></form>
<%
} else {
%>
Internationalization is not available for this lesson
<%
}
%>
</div></div>
<div align="right" id="topRight">
<a href="j_spring_security_logout" onmouseout="MM_swapImgRestore()"
onmouseover="MM_swapImage('logout', '', 'images/buttons/logoutOver.jpg', 1)"><img
src="images/buttons/logout.jpg" alt="LogOut" name="logout" width="45"
height="22" border="0" id="logout" /></a> <a href="#getFAQ()"
onmouseout="MM_swapImgRestore()"
onmouseover="MM_swapImage('help', '', 'images/buttons/helpOver.jpg', 1)"><img
src="images/buttons/help.jpg" alt="Help" name="help" width="22"
height="22" border="0" id="help" /></a>
</div>
<div id="lessonTitle" align="right"><%=currentLesson.getTitle()%></div>
<div id="hMenuBar">
<%
if (webSession.isAuthorizedInLesson(webSession.getRole(), WebSession.SHOWHINTS)) {
%>
<a href="<%= webSession.getCurrentLesson().getLink()%>&show=PreviousHint" target="_top" onclick="MM_nbGroup('down', 'group1', 'hintLeft', '', 1)"
onmouseover="MM_nbGroup('over', 'hintLeft', 'images/buttons/hintLeftOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')">
<img src="images/buttons/hintLeft.jpg" alt="Previous Hint" name="hintLeft" width="20" height="20" border="0" id="hintLeft"/>
</a>
<a href="<%= webSession.getCurrentLesson().getLink()%>&show=NextHint" target="_top" onclick="MM_nbGroup('down', 'group1', 'hint', '', 1)"
onmouseover="MM_nbGroup('over', 'hint', 'images/buttons/hintOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')">
<img src="images/buttons/hint.jpg" alt="Hints" name="hint" width="35" height="20" border="0" id="hint"/>
</a>
<a href="<%= webSession.getCurrentLesson().getLink()%>&show=NextHint" target="_top" onclick="MM_nbGroup('down', 'group1', 'hintRight', '', 1)"
onmouseover="MM_nbGroup('over', 'hintRight', 'images/buttons/hintRightOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')">
<img src="images/buttons/hintRight.jpg" alt="Next Hint" name="hintRight" width="20" height="20" border="0" id="hintRight"/>
</a>
<%}%>
<a href="<%= webSession.getCurrentLesson().getLink()%>&show=Params" target="_top" onclick="MM_nbGroup('down', 'group1', 'params', '', 1)"
onmouseover="MM_nbGroup('over', 'params', 'images/buttons/paramsOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')">
<img src="images/buttons/params.jpg" alt="Show Params" name="<%= webSession.getCurrentLesson().getLink()%>&show=Params" width="87" height="20" border="0" id="params"/>
</a>
<a href="<%= webSession.getCurrentLesson().getLink()%>&show=Cookies" target="_top" onclick="MM_nbGroup('down', 'group1', 'cookies', '', 1)"
onmouseover="MM_nbGroup('over', 'cookies', 'images/buttons/cookiesOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')">
<img src="images/buttons/cookies.jpg" alt="Show Cookies" name="cookies" width="99" height="20" border="0" id="cookies"/>
</a>
<a href="javascript:toggle('lessonPlans')" target="_top" onclick="MM_nbGroup('down', 'group1', 'plans', '', 1)"
onmouseover="MM_nbGroup('over', 'plans', 'images/buttons/plansOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')">
<img src="images/buttons/plans.jpg" alt="Lesson Plans" width="89" height="20" border="0" id="plans"/>
</a>
<%
if (webSession.isAuthorizedInLesson(webSession.getRole(), WebSession.SHOWSOURCE)) {
%>
<a href="source" onclick="makeWindow(this.href + '?source=true', 'Java Source');
return false;" target="javaWin"
onmouseover="MM_nbGroup('over', 'java', 'images/buttons/javaOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')">
<img src="images/buttons/java.jpg" alt="Show Java" name="java" width="75" height="20" border="0" id="java"/>
</a>
<a href="source" onclick="makeWindow(this.href + '?solution=true', 'Java Solution');
return false;" target="javaWin"
onmouseover="MM_nbGroup('over', 'solutions', 'images/buttons/solutionsOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')">
<img src="images/buttons/solutions.jpg" alt="Show Solution" name="solutions" width="73" height="20" border="0" id="solutions"/>
</a>
<%}%>
</div>
<div id="twoCol">
<div id="menuSpacer"></div>
<div id="lessonAreaTop">
<%
if (currentLesson != null) {
%>
<div id="training_wrap">
<div id="training" class="info"><a href="http://yehg.net/lab/pr0js/training/webgoat.php" target="_blank"><%=labelManager.get("SolutionVideos")%></a></div>
<div id="reset" class="info"><a href="<%=webSession.getRestartLink()%>"><%=labelManager.get("RestartLesson")%></a></div>
</div>
<%
}
%>
</div>
<div id="lessonArea">
<%
if (webSession.getHint() != null) {
printHint = "<div id=\"hint\" class=\"info\">" + webSession.getHint() + "</div><br>";
out.println(printHint);
}
if (webSession.getParams() != null) {
Iterator i = webSession.getParams().iterator();
while (i.hasNext()) {
Parameter p = (Parameter) i.next();
printParameters = "<div id=\"parameter\" class=\"info\">" + p.getName() + "=" + p.getValue() + "</div><br>";
out.println(printParameters);
}
}
if (webSession.getCookies() != null) {
Iterator i = webSession.getCookies().iterator();
while (i.hasNext()) {
Cookie c = (Cookie) i.next();
printCookies = "<div id=\"cookie\" class=\"info\">" + c.getName() + " <img src=\"images/icons/rightArrow.jpg\" alt=\"\"> " + c.getValue() + "</div><br>";
out.println(printCookies);
}
}%>
<div id="lessonPlans" style="visibility:hidden; height:1px; position:absolute; left:260px; top:130px; width:425px; z-index:105;"><%=currentLesson.getLessonPlan(webSession)%>
<br/>
<br/>
<a href="javascript:toggle('lessonPlans')" target="_top" onclick="MM_nbGroup('down', 'group1', 'plans', '', 1)">Close this Window</a>
</div>
<div id="lessonContent">
<%
AbstractLesson lesson = webSession.getCurrentLesson();
if (lesson instanceof RandomLessonAdapter) {
RandomLessonAdapter rla = (RandomLessonAdapter) lesson;
%>
<div class="info">Stage <%= rla.getLessonTracker(webSession).getStageNumber(rla.getStage(webSession)) + 1%></div>
<%
}
%>
<%=webSession.getInstructions()%></div>
<div id="message" class="info"><%=webSession.getMessage()%></div>
<%
if (currentLesson.getTemplatePage(webSession) != null) {
//System.out.println("Main.jsp - current lesson: " + currentLesson.getName() );
//System.out.println(" - template Page: " + currentLesson.getTemplatePage(webSession));
%>
<jsp:include page="<%=currentLesson.getTemplatePage(webSession)%>" />
<%
} else {
%>
<div id="lessonContent"><%=currentLesson.getContent()%></div>
<%
}
%>
</div>
</div>
<div id="bottom">
<div align="center"><a href="http://www.owasp.org">OWASP Foundation</a> |
<a href="http://www.owasp.org/index.php/OWASP_WebGoat_Project">Project WebGoat</a> |
<a href="reportBug.jsp">Report Bug</a>
</div>
</div>
</div>
</body>
</html>


@ -1 +0,0 @@
Lesson plugins stored under this directory.
