Merge branch 'dougmorato-release_and_docs_wip'

This commit is contained in:
Nanne Baars 2015-09-18 00:25:04 +02:00
commit 0d543908f9
95 changed files with 13932 additions and 11513 deletions

pom.xml

@ -1,19 +1,252 @@
<?xml version="1.0"?> <?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> <project xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://maven.apache.org/POM/4.0.0"
<name>webgoat-parent</name> xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>org.owasp.webgoat</groupId> <modelVersion>4.0.0</modelVersion>
<artifactId>webgoat-parent</artifactId> <groupId>org.owasp.webgoat</groupId>
<packaging>pom</packaging> <artifactId>webgoat-parent</artifactId>
<version>7.0-SNAPSHOT</version> <packaging>pom</packaging>
<!-- Shared version number properties --> <version>7.0-SNAPSHOT</version>
<properties>
<!-- If run from Bamboo this will be replaced with the bamboo build number --> <name>WebGoat Parent Pom</name>
<build.number>local</build.number> <description>Parent Pom for the WebGoat Project. A deliberately insecure Web Application</description>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> <inceptionYear>2006</inceptionYear>
</properties> <url>https://github.com/WebGoat/WebGoat</url>
<modules>
<module>webgoat-container</module> <organization>
<module>webgoat-classloader</module> <name>OWASP</name>
</modules> <url>https://webgoat.github.io/</url>
</organization>
<licenses>
<license>
<name>GNU General Public License, version 2</name>
<url>https://www.gnu.org/licenses/gpl-2.0.txt</url>
</license>
</licenses>
<developers>
<developer>
<id>mayher64</id>
<name>Bruce Mayhew</name>
<email>webgoat@owasp.org</email>
<organization>OWASP</organization>
<organizationUrl>https://github.com/WebGoat/WebGoat</organizationUrl>
</developer>
<developer>
<id>nbaars</id>
<name>Nanne Baars</name>
<email>nbaars@xebia.com</email>
<organizationUrl>https://github.com/nbaars</organizationUrl>
<timezone>Europe/Amsterdam</timezone>
</developer>
<developer>
<id>misfir3</id>
<name></name>
<email></email>
</developer>
<developer>
<id>jwayman</id>
<name>Jeff Wayman</name>
<email></email>
</developer>
<developer>
<id>dcowden</id>
<name>Dave Cowden</name>
<email></email>
</developer>
<developer>
<id>lawson89</id>
<name>Richard Lawson</name>
<email></email>
</developer>
<developer>
<id>dougmorato</id>
<name>Doug Morato</name>
<email>doug.morato@owasp.org</email>
<organization>OWASP</organization>
<organizationUrl>https://github.com/dougmorato</organizationUrl>
<timezone>America/New_York</timezone>
<properties>
<picUrl>https://avatars2.githubusercontent.com/u/9654?v=3&amp;s=150</picUrl>
</properties>
</developer>
</developers>
<mailingLists>
<mailingList>
<name>OWASP WebGoat Mailing List</name>
<subscribe>https://lists.owasp.org/mailman/listinfo/owasp-webgoat</subscribe>
<unsubscribe>Owasp-webgoat-request@lists.owasp.org</unsubscribe>
<post>owasp-webgoat@lists.owasp.org</post>
<archive>http://lists.owasp.org/pipermail/owasp-webgoat/</archive>
</mailingList>
</mailingLists>
<scm>
<url>https://github.com/WebGoat/WebGoat</url>
<connection>scm:git:git@github.com:WebGoat/WebGoat.git</connection>
<developerConnection>scm:git:git@github.com:WebGoat/WebGoat.git</developerConnection>
</scm>
<issueManagement>
<system>Github Issues</system>
<url>https://github.com/WebGoat/WebGoat/issues</url>
</issueManagement>
<ciManagement>
<system>Travis CI</system>
<url>https://travis-ci.org/WebGoat/WebGoat</url>
</ciManagement>
<properties>
<!-- Use UTF-8 Encoding -->
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<!-- This build number will be ubdated by Travis-CI -->
<build.number>build</build.number>
<!-- Shared properties with plugins and version numbers across submodules-->
<activation.version>1.1</activation.version>
<axis-ant.version>1.2</axis-ant.version>
<axis-jaxrpc.version>1.2</axis-jaxrpc.version>
<axis-saaj.version>1.2</axis-saaj.version>
<axis.version>1.2</axis.version>
<build-helper-maven-plugin.version>1.7</build-helper-maven-plugin.version>
<commons-collections.version>3.1</commons-collections.version>
<commons-digester.version>1.8.1</commons-digester.version>
<commons-discovery.version>0.2</commons-discovery.version>
<commons-fileupload.version>1.2.2</commons-fileupload.version>
<commons-io.version>1.4</commons-io.version>
<commons-lang3.version>3.3.2</commons-lang3.version>
<commons-logging.version>1.1.3</commons-logging.version>
<ecs.version>1.4.2</ecs.version>
<guava.version>18.0</guava.version>
<h2.version>1.4.187</h2.version>
<hsqldb.version>1.8.0.10</hsqldb.version>
<j2h.version>1.3.1</j2h.version>
<jackson-core.version>2.0.4</jackson-core.version>
<jackson-databind.version>2.0.4</jackson-databind.version>
<javaee-api.version>6.0</javaee-api.version>
<javax.transaction-api.version>1.2</javax.transaction-api.version>
<jcl-over-slf4j.version>1.7.7</jcl-over-slf4j.version>
<jstl.version>1.2</jstl.version>
<jtds.version>1.2.2</jtds.version>
<junit.version>4.12</junit.version>
<log4j.version>1.2.17</log4j.version>
<mail.version>1.4.2</mail.version>
<maven-compiler-plugin.version>3.1</maven-compiler-plugin.version>
<maven-failsafe-plugin.version>2.18.1</maven-failsafe-plugin.version>
<maven-gpg-plugin.version>1.6</maven-gpg-plugin.version>
<maven-jar-plugin.version>2.6</maven-jar-plugin.version>
<maven-javadoc-plugin.version>2.10.3</maven-javadoc-plugin.version>
<maven-release-plugin.version>2.5.2</maven-release-plugin.version>
<maven-source-plugin.version>2.4</maven-source-plugin.version>
<maven-surefire-plugin.version>2.18.1</maven-surefire-plugin.version>
<maven-war-plugin.version>2.4</maven-war-plugin.version>
<nexus-staging-maven-plugin.version>1.6.6</nexus-staging-maven-plugin.version>
<org.springframework.version>3.2.4.RELEASE</org.springframework.version>
<sauce_junit.version>2.1.18</sauce_junit.version>
<selenium-java.version>2.47.1</selenium-java.version>
<slf4j-api.version>1.7.7</slf4j-api.version>
<slf4j-log4j12.version>1.7.7</slf4j-log4j12.version>
<spring.security.version>3.2.4.RELEASE</spring.security.version>
<standard.version>1.1.2</standard.version>
<tiles.version>2.2.2</tiles.version>
<tomcat7-maven-plugin.version>2.2</tomcat7-maven-plugin.version>
<wsdl4j.version>1.5.1</wsdl4j.version>
<tomcat-catalina.version>7.0.63</tomcat-catalina.version>
</properties>
<modules>
<module>webgoat-container</module>
<module>webgoat-classloader</module>
</modules>
<distributionManagement>
<snapshotRepository>
<id>ossrh</id>
<url>https://oss.sonatype.org/content/repositories/snapshots</url>
</snapshotRepository>
</distributionManagement>
<profiles>
<profile>
<id>release</id>
<build>
<plugins>
<plugin>
<groupId>org.sonatype.plugins</groupId>
<artifactId>nexus-staging-maven-plugin</artifactId>
<version>${nexus-staging-maven-plugin.version}</version>
<extensions>true</extensions>
<configuration>
<serverId>ossrh</serverId>
<nexusUrl>https://oss.sonatype.org/</nexusUrl>
<autoReleaseAfterClose>true</autoReleaseAfterClose>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-source-plugin</artifactId>
<version>${maven-source-plugin.version}</version>
<executions>
<execution>
<id>attach-sources</id>
<goals>
<goal>jar-no-fork</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>${maven-javadoc-plugin.version}</version>
<executions>
<execution>
<id>attach-javadocs</id>
<goals>
<goal>jar</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-gpg-plugin</artifactId>
<version>${maven-gpg-plugin.version}</version>
<executions>
<execution>
<id>sign-artifacts</id>
<phase>verify</phase>
<goals>
<goal>sign</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
</profiles>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-release-plugin</artifactId>
<version>${maven-release-plugin.version}</version>
<configuration>
<autoVersionSubmodules>true</autoVersionSubmodules>
<useReleaseProfile>false</useReleaseProfile>
<releaseProfiles>release</releaseProfiles>
<tagNameFormat>@{project.version}</tagNameFormat>
<goals>deploy</goals>
</configuration>
</plugin>
</plugins>
</build>
</project> </project>
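Review bot: The new `<properties>` block centralises dependency versions, but several of the pinned values are long-superseded releases (`jackson-databind` 2.0.4, `commons-collections` 3.1, `commons-fileupload` 1.2.2, `log4j` 1.2.17, `hsqldb` 1.8.0.10), and nothing in the pom says whether they are deliberately old for lesson content or simply stale. A comment at the top of the shared-version group such as `<!-- Several pins below are intentionally old because lessons depend on them; check the affected lessons before bumping -->` (or the reverse, if they are just out of date) would stop a later cleanup from guessing. The comment above `build.number` also has a typo, `ubdated` for `updated`, and the `misfir3` developer entry has empty `<name>` and `<email>` elements that are presumably placeholders and could be filled in or dropped.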


@ -1,9 +1,12 @@
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<name>webgoat-classloader</name> <name>webgoat-classloader</name>
<modelVersion>4.0.0</modelVersion> <modelVersion>4.0.0</modelVersion>
<artifactId>webgoat-classloader</artifactId> <artifactId>webgoat-classloader</artifactId>
<packaging>jar</packaging> <packaging>jar</packaging>
<parent> <parent>
<groupId>org.owasp.webgoat</groupId> <groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-parent</artifactId> <artifactId>webgoat-parent</artifactId>
@ -15,7 +18,7 @@
<plugin> <plugin>
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId> <artifactId>maven-compiler-plugin</artifactId>
<version>3.1</version> <version>${maven-compiler-plugin.version}</version>
<configuration> <configuration>
<source>1.7</source> <source>1.7</source>
<target>1.7</target> <target>1.7</target>
@ -29,9 +32,8 @@
<dependency> <dependency>
<groupId>org.apache.tomcat</groupId> <groupId>org.apache.tomcat</groupId>
<artifactId>tomcat-catalina</artifactId> <artifactId>tomcat-catalina</artifactId>
<version>7.0.47</version> <version>${tomcat-catalina.version}</version>
</dependency> </dependency>
</dependencies> </dependencies>
</project> </project>
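Review bot: Replacing `<version>7.0.47</version>` with `${tomcat-catalina.version}` in the last hunk silently moves this module from Tomcat 7.0.47 to 7.0.63, since the parent pom defines the property as 7.0.63; aligning both modules on one version is right, but the commit does not mention the upgrade. Because `PluginClassLoader` subclasses `WebappClassLoader` from this artifact, a comment next to the dependency, e.g. `<!-- must match the Tomcat version the container module runs on -->`, would make the coupling explicit for whoever next bumps the property.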


@ -14,15 +14,30 @@ import java.util.List;
* *
* With this loader we can add jars we load during the plugin loading and the jsp will pick it up because this is * With this loader we can add jars we load during the plugin loading and the jsp will pick it up because this is
* the same classloader. * the same classloader.
*
* @version $Id: $Id
*/ */
public class PluginClassLoader extends WebappClassLoader { public class PluginClassLoader extends WebappClassLoader {
/**
* <p>Constructor for PluginClassLoader.</p>
*/
public PluginClassLoader() { public PluginClassLoader() {
} }
/**
* <p>Constructor for PluginClassLoader.</p>
*
* @param parent a {@link java.lang.ClassLoader} object.
*/
public PluginClassLoader(ClassLoader parent) { public PluginClassLoader(ClassLoader parent) {
super(parent); super(parent);
} }
/**
* <p>addURL.</p>
*
* @param urls a {@link java.util.List} object.
*/
public void addURL(List<URL> urls) { public void addURL(List<URL> urls) {
for (URL url : urls) { for (URL url : urls) {
super.addURL(url); super.addURL(url);
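Review bot: The Javadoc added for `addURL` is generated boilerplate (`<p>addURL.</p>`, `a {@link java.util.List} object`) and tells a reader nothing the signature does not; the two constructor comments have the same problem. Since every URL passed here is handed to `super.addURL` and so becomes code loadable by the web application (the class comment itself says JSPs share this loader), the doc should state that contract, e.g. `Adds every URL in {@code urls} to this webapp's class path. Only pass locations of jars the application trusts: anything added here is loaded and run with the application's privileges.` The `for` loop on the last line of the hunk closes outside it.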


@ -1,23 +1,18 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" <?xml version="1.0" encoding="UTF-8"?>
<project xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://maven.apache.org/POM/4.0.0"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<name>webgoat-container</name> <name>webgoat-container</name>
<modelVersion>4.0.0</modelVersion> <modelVersion>4.0.0</modelVersion>
<artifactId>webgoat-container</artifactId> <artifactId>webgoat-container</artifactId>
<packaging>war</packaging> <packaging>war</packaging>
<parent> <parent>
<groupId>org.owasp.webgoat</groupId> <groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-parent</artifactId> <artifactId>webgoat-parent</artifactId>
<version>7.0-SNAPSHOT</version> <version>7.0-SNAPSHOT</version>
</parent> </parent>
<!-- Shared version number properties -->
<properties>
<org.springframework.version>3.2.4.RELEASE</org.springframework.version>
<spring.security.version>3.2.4.RELEASE</spring.security.version>
<tiles.version>2.2.2</tiles.version>
</properties>
<profiles> <profiles>
<profile> <profile>
<id>run-integration-tests</id> <id>run-integration-tests</id>
@ -33,7 +28,7 @@
<plugin> <plugin>
<groupId>org.apache.tomcat.maven</groupId> <groupId>org.apache.tomcat.maven</groupId>
<artifactId>tomcat7-maven-plugin</artifactId> <artifactId>tomcat7-maven-plugin</artifactId>
<version>2.2</version> <version>${tomcat7-maven-plugin.version}</version>
<configuration> <configuration>
<server>local_tomcat</server> <server>local_tomcat</server>
<url>http://localhost:8080/manager</url> <url>http://localhost:8080/manager</url>
@ -73,7 +68,7 @@
</configuration> </configuration>
</execution> </execution>
<execution> <execution>
<id>start-tomcat</id> <id>tomcat-startup</id>
<phase>pre-integration-test</phase> <phase>pre-integration-test</phase>
<goals> <goals>
<goal>run-war-only</goal> <goal>run-war-only</goal>
@ -85,7 +80,7 @@
</execution> </execution>
<!-- At post-integration-test phase, stop the embedded Tomcat server. --> <!-- At post-integration-test phase, stop the embedded Tomcat server. -->
<execution> <execution>
<id>stop-tomcat</id> <id>tomcat-shutdown</id>
<phase>post-integration-test</phase> <phase>post-integration-test</phase>
<goals> <goals>
<goal>shutdown</goal> <goal>shutdown</goal>
@ -96,7 +91,7 @@
<plugin> <plugin>
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-failsafe-plugin</artifactId> <artifactId>maven-failsafe-plugin</artifactId>
<version>2.18.1</version> <version>${maven-failsafe-plugin.version}</version>
<executions> <executions>
<execution> <execution>
<goals> <goals>
@ -124,7 +119,7 @@
<plugin> <plugin>
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId> <artifactId>maven-compiler-plugin</artifactId>
<version>3.1</version> <version>${maven-compiler-plugin.version}</version>
<configuration> <configuration>
<source>1.7</source> <source>1.7</source>
<target>1.7</target> <target>1.7</target>
@ -134,7 +129,7 @@
<plugin> <plugin>
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId> <artifactId>maven-jar-plugin</artifactId>
<version>2.6</version> <version>${maven-jar-plugin.version}</version>
<executions> <executions>
<execution> <execution>
<id>create-jar</id> <id>create-jar</id>
@ -148,7 +143,7 @@
<plugin> <plugin>
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-war-plugin</artifactId> <artifactId>maven-war-plugin</artifactId>
<version>2.4</version> <version>${maven-war-plugin.version}</version>
<configuration> <configuration>
<!-- archiving the classes breaks the admin screen loads in course.java <!-- archiving the classes breaks the admin screen loads in course.java
the legacy lesson loader does not look in jar files for lessons --> the legacy lesson loader does not look in jar files for lessons -->
@ -168,7 +163,7 @@
<plugin> <plugin>
<groupId>org.codehaus.mojo</groupId> <groupId>org.codehaus.mojo</groupId>
<artifactId>build-helper-maven-plugin</artifactId> <artifactId>build-helper-maven-plugin</artifactId>
<version>1.7</version> <version>${build-helper-maven-plugin.version}</version>
<executions> <executions>
<execution> <execution>
<id>attach-artifacts</id> <id>attach-artifacts</id>
@ -189,10 +184,10 @@
<plugin> <plugin>
<groupId>org.apache.tomcat.maven</groupId> <groupId>org.apache.tomcat.maven</groupId>
<artifactId>tomcat7-maven-plugin</artifactId> <artifactId>tomcat7-maven-plugin</artifactId>
<version>2.2</version> <version>${tomcat7-maven-plugin.version}</version>
<configuration> <configuration>
<server>local_tomcat</server> <server>local_tomcat</server>
<url>http://localhost:8080/manager</url> <url>http://localhost:8080/manager</url>
<path>/WebGoat</path> <path>/WebGoat</path>
<attachArtifactClassifier>exec</attachArtifactClassifier> <attachArtifactClassifier>exec</attachArtifactClassifier>
<contextReloadable>true</contextReloadable> <contextReloadable>true</contextReloadable>
@ -233,7 +228,7 @@
<plugin> <plugin>
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId> <artifactId>maven-surefire-plugin</artifactId>
<version>2.18.1</version> <version>${maven-surefire-plugin.version}</version>
<configuration> <configuration>
<excludes> <excludes>
<exclude>**/*IT.java</exclude> <exclude>**/*IT.java</exclude>
@ -252,52 +247,52 @@
<dependency> <dependency>
<groupId>javax.activation</groupId> <groupId>javax.activation</groupId>
<artifactId>activation</artifactId> <artifactId>activation</artifactId>
<version>1.1</version> <version>${activation.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>com.h2database</groupId> <groupId>com.h2database</groupId>
<artifactId>h2</artifactId> <artifactId>h2</artifactId>
<version>1.4.187</version> <version>${h2.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>axis</groupId> <groupId>axis</groupId>
<artifactId>axis</artifactId> <artifactId>axis</artifactId>
<version>1.2</version> <version>${axis.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>axis</groupId> <groupId>axis</groupId>
<artifactId>axis-saaj</artifactId> <artifactId>axis-saaj</artifactId>
<version>1.2</version> <version>${axis-saaj.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>axis</groupId> <groupId>axis</groupId>
<artifactId>axis-jaxrpc</artifactId> <artifactId>axis-jaxrpc</artifactId>
<version>1.2</version> <version>${axis-jaxrpc.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>axis</groupId> <groupId>axis</groupId>
<artifactId>axis-ant</artifactId> <artifactId>axis-ant</artifactId>
<version>1.2</version> <version>${axis-ant.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.apache.commons</groupId> <groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId> <artifactId>commons-lang3</artifactId>
<version>3.3.2</version> <version>${commons-lang3.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>commons-io</groupId> <groupId>commons-io</groupId>
<artifactId>commons-io</artifactId> <artifactId>commons-io</artifactId>
<version>1.4</version> <version>${commons-io.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>commons-collections</groupId> <groupId>commons-collections</groupId>
<artifactId>commons-collections</artifactId> <artifactId>commons-collections</artifactId>
<version>3.1</version> <version>${commons-collections.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>commons-digester</groupId> <groupId>commons-digester</groupId>
<artifactId>commons-digester</artifactId> <artifactId>commons-digester</artifactId>
<version>1.8.1</version> <version>${commons-digester.version}</version>
<exclusions> <exclusions>
<exclusion> <exclusion>
<groupId>xml-apis</groupId> <groupId>xml-apis</groupId>
@ -308,62 +303,62 @@
<dependency> <dependency>
<groupId>commons-logging</groupId> <groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId> <artifactId>commons-logging</artifactId>
<version>1.1.3</version> <version>${commons-logging.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.slf4j</groupId> <groupId>org.slf4j</groupId>
<artifactId>jcl-over-slf4j</artifactId> <artifactId>jcl-over-slf4j</artifactId>
<version>1.7.7</version> <version>${jcl-over-slf4j.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>commons-discovery</groupId> <groupId>commons-discovery</groupId>
<artifactId>commons-discovery</artifactId> <artifactId>commons-discovery</artifactId>
<version>0.2</version> <version>${commons-discovery.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>javax.mail</groupId> <groupId>javax.mail</groupId>
<artifactId>mail</artifactId> <artifactId>mail</artifactId>
<version>1.4.2</version> <version>${mail.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>javax.mail</groupId> <groupId>javax.mail</groupId>
<artifactId>mailapi</artifactId> <artifactId>mailapi</artifactId>
<version>1.4.2</version> <version>${mail.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>hsqldb</groupId> <groupId>hsqldb</groupId>
<artifactId>hsqldb</artifactId> <artifactId>hsqldb</artifactId>
<version>1.8.0.10</version> <version>${hsqldb.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>wsdl4j</groupId> <groupId>wsdl4j</groupId>
<artifactId>wsdl4j</artifactId> <artifactId>wsdl4j</artifactId>
<version>1.5.1</version> <version>${wsdl4j.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>java2html</groupId> <groupId>java2html</groupId>
<artifactId>j2h</artifactId> <artifactId>j2h</artifactId>
<version>1.3.1</version> <version>${j2h.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>ecs</groupId> <groupId>ecs</groupId>
<artifactId>ecs</artifactId> <artifactId>ecs</artifactId>
<version>1.4.2</version> <version>${ecs.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>javax.transaction</groupId> <groupId>javax.transaction</groupId>
<artifactId>javax.transaction-api</artifactId> <artifactId>javax.transaction-api</artifactId>
<version>1.2</version> <version>${javax.transaction-api.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>net.sourceforge.jtds</groupId> <groupId>net.sourceforge.jtds</groupId>
<artifactId>jtds</artifactId> <artifactId>jtds</artifactId>
<version>1.2.2</version> <version>${jtds.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.apache.tomcat</groupId> <groupId>org.apache.tomcat</groupId>
<artifactId>tomcat-catalina</artifactId> <artifactId>tomcat-catalina</artifactId>
<version>7.0.63</version> <version>${tomcat-catalina.version}</version>
<scope>provided</scope> <scope>provided</scope>
</dependency> </dependency>
@ -374,7 +369,7 @@
<dependency> <dependency>
<groupId>javax</groupId> <groupId>javax</groupId>
<artifactId>javaee-api</artifactId> <artifactId>javaee-api</artifactId>
<version>6.0</version> <version>${javaee-api.version}</version>
<scope>provided</scope> <scope>provided</scope>
</dependency> </dependency>
@ -388,12 +383,12 @@
<dependency> <dependency>
<groupId>com.fasterxml.jackson.core</groupId> <groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-core</artifactId> <artifactId>jackson-core</artifactId>
<version>2.0.4</version> <version>${jackson-core.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>com.fasterxml.jackson.core</groupId> <groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId> <artifactId>jackson-databind</artifactId>
<version>2.0.4</version> <version>${jackson-databind.version}</version>
</dependency> </dependency>
<!-- Spring MVC framework --> <!-- Spring MVC framework -->
@ -426,32 +421,32 @@
<dependency> <dependency>
<groupId>commons-fileupload</groupId> <groupId>commons-fileupload</groupId>
<artifactId>commons-fileupload</artifactId> <artifactId>commons-fileupload</artifactId>
<version>1.2.2</version> <version>${commons-fileupload.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>com.google.guava</groupId> <groupId>com.google.guava</groupId>
<artifactId>guava</artifactId> <artifactId>guava</artifactId>
<version>18.0</version> <version>${guava.version}</version>
</dependency> </dependency>
<!-- JSTL --> <!-- JSTL -->
<dependency> <dependency>
<groupId>javax.servlet</groupId> <groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId> <artifactId>jstl</artifactId>
<version>1.2</version> <version>${jstl.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>taglibs</groupId> <groupId>taglibs</groupId>
<artifactId>standard</artifactId> <artifactId>standard</artifactId>
<version>1.1.2</version> <version>${standard.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>log4j</groupId> <groupId>log4j</groupId>
<artifactId>log4j</artifactId> <artifactId>log4j</artifactId>
<version>1.2.17</version> <version>${log4j.version}</version>
<exclusions> <exclusions>
<exclusion> <exclusion>
<groupId>javax.jms</groupId> <groupId>javax.jms</groupId>
@ -476,13 +471,13 @@
<dependency> <dependency>
<groupId>org.slf4j</groupId> <groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId> <artifactId>slf4j-api</artifactId>
<version>1.7.7</version> <version>${slf4j-api.version}</version>
<type>jar</type> <type>jar</type>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.slf4j</groupId> <groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId> <artifactId>slf4j-log4j12</artifactId>
<version>1.7.7</version> <version>${slf4j-log4j12.version}</version>
<type>jar</type> <type>jar</type>
</dependency> </dependency>
<!-- ************* END spring MVC and related dependencies ************** --> <!-- ************* END spring MVC and related dependencies ************** -->
@ -490,21 +485,22 @@
<dependency> <dependency>
<groupId>junit</groupId> <groupId>junit</groupId>
<artifactId>junit</artifactId> <artifactId>junit</artifactId>
<version>4.12</version> <version>${junit.version}</version>
<type>jar</type> <type>jar</type>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.seleniumhq.selenium</groupId> <groupId>org.seleniumhq.selenium</groupId>
<artifactId>selenium-java</artifactId> <artifactId>selenium-java</artifactId>
<version>2.47.1</version> <version>${selenium-java.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>com.saucelabs</groupId> <groupId>com.saucelabs</groupId>
<artifactId>sauce_junit</artifactId> <artifactId>sauce_junit</artifactId>
<version>2.1.18</version> <version>${sauce_junit.version}</version>
<scope>test</scope> <scope>test</scope>
</dependency> </dependency>
<!-- ************* END: Dependencies for Unit and Integration Testing ************** --> <!-- ************* END: Dependencies for Unit and Integration Testing ************** -->
<!-- ************* END: <dependencies> ************** --> <!-- ************* END: <dependencies> ************** -->
</dependencies> </dependencies>
</project> </project>


@ -1,120 +1,122 @@
package org.owasp.webgoat; package org.owasp.webgoat;
import java.io.IOException; import java.io.IOException;
import java.util.Enumeration; import java.util.Enumeration;
import javax.servlet.ServletException; import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.session.Course; import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
/*************************************************************************************************** /**
* *************************************************************************************************
* *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, *
* please see http://www.owasp.org/ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* * please see http://www.owasp.org/
* Copyright (c) 2002 - 20014 Bruce Mayhew *
* * Copyright (c) 2002 - 20014 Bruce Mayhew
* This program is free software; you can redistribute it and/or modify it under the terms of the *
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* License, or (at your option) any later version. * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* * License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without *
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* General Public License for more details. * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* * General Public License for more details.
* You should have received a copy of the GNU General Public License along with this program; if *
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * You should have received a copy of the GNU General Public License along with this program; if
* 02111-1307, USA. * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* * 02111-1307, USA.
* Getting Source ============== *
* * Getting Source ==============
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software *
* projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* * projects.
* For details, please see http://webgoat.github.io *
* * For details, please see http://webgoat.github.io
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a> *
* @created March 13, 2007 * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
*/ * @since March 13, 2007
public class Catcher extends HammerHead * @version $Id: $Id
{ */
public class Catcher extends HammerHead
/** {
*
*/ /**
private static final long serialVersionUID = 7441856110845727651L; *
*/
/** private static final long serialVersionUID = 7441856110845727651L;
* Description of the Field
*/ /**
public final static String START_SOURCE_SKIP = "START_OMIT_SOURCE"; * Description of the Field
*/
public final static String END_SOURCE_SKIP = "END_OMIT_SOURCE"; public final static String START_SOURCE_SKIP = "START_OMIT_SOURCE";
public static final String PROPERTY = "PROPERTY"; /** Constant <code>END_SOURCE_SKIP="END_OMIT_SOURCE"</code> */
public final static String END_SOURCE_SKIP = "END_OMIT_SOURCE";
public static final String EMPTY_STRING = "";
/** Constant <code>PROPERTY="PROPERTY"</code> */
/** public static final String PROPERTY = "PROPERTY";
* Description of the Method
* /** Constant <code>EMPTY_STRING=""</code> */
* @param request public static final String EMPTY_STRING = "";
* Description of the Parameter
* @param response /**
* Description of the Parameter * {@inheritDoc}
* @exception IOException *
* Description of the Exception * Description of the Method
* @exception ServletException * @exception IOException
* Description of the Exception * Description of the Exception
*/ * @exception ServletException
public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException * Description of the Exception
{ */
try public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException
{ {
// System.out.println( "Entering doPost: " ); try
// System.out.println( " - request " + request); {
// System.out.println( " - principle: " + request.getUserPrincipal() ); // System.out.println( "Entering doPost: " );
// setCacheHeaders(response, 0); // System.out.println( " - request " + request);
WebSession session = (WebSession) request.getSession(true).getAttribute(WebSession.SESSION); // System.out.println( " - principle: " + request.getUserPrincipal() );
session.update(request, response, this.getServletName()); // FIXME: Too much in this // setCacheHeaders(response, 0);
// call. WebSession session = (WebSession) request.getSession(true).getAttribute(WebSession.SESSION);
session.update(request, response, this.getServletName()); // FIXME: Too much in this
int scr = session.getCurrentScreen(); // call.
Course course = session.getCourse();
AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE); int scr = session.getCurrentScreen();
Course course = session.getCourse();
log(request, lesson.getClass().getName() + " | " + session.getParser().toString()); AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE);
String property = new String(session.getParser().getStringParameter(PROPERTY, EMPTY_STRING)); log(request, lesson.getClass().getName() + " | " + session.getParser().toString());
// if the PROPERTY parameter is available - write all the parameters to the String property = new String(session.getParser().getStringParameter(PROPERTY, EMPTY_STRING));
// property file. No other control parameters are supported at this time.
if (!property.equals(EMPTY_STRING)) // if the PROPERTY parameter is available - write all the parameters to the
{ // property file. No other control parameters are supported at this time.
Enumeration e = session.getParser().getParameterNames(); if (!property.equals(EMPTY_STRING))
{
while (e.hasMoreElements()) Enumeration e = session.getParser().getParameterNames();
{
String name = (String) e.nextElement(); while (e.hasMoreElements())
String value = session.getParser().getParameterValues(name)[0]; {
lesson.getLessonTracker(session).getLessonProperties().setProperty(name, value); String name = (String) e.nextElement();
} String value = session.getParser().getParameterValues(name)[0];
} lesson.getLessonTracker(session).getLessonProperties().setProperty(name, value);
lesson.getLessonTracker(session).store(session, lesson); }
}
// BDM MC lesson.getLessonTracker(session).store(session, lesson);
// WEB-173 - removed for testing, as plugin architecture would not allow this
// if ( request.getParameter("Deleter") != null ){org.owasp.webgoat.lessons.BlindScript.StaticDeleter();} // BDM MC
// WEB-173 - removed for testing, as plugin architecture would not allow this
} catch (Throwable t) // if ( request.getParameter("Deleter") != null ){org.owasp.webgoat.lessons.BlindScript.StaticDeleter();}
{
t.printStackTrace(); } catch (Throwable t)
log("ERROR: " + t); {
} t.printStackTrace();
} log("ERROR: " + t);
} }
}
}


@ -55,11 +55,11 @@ import java.util.TimeZone;
* *
* For details, please see http://webgoat.github.io * For details, please see http://webgoat.github.io
* *
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect
* Security</a> * Security</a>
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a> * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003 * @since October 28, 2003
* @version $Id: $Id
*/ */
public class HammerHead extends HttpServlet { public class HammerHead extends HttpServlet {
@ -95,10 +95,9 @@ public class HammerHead extends HttpServlet {
private WebgoatContext webgoatContext = null; private WebgoatContext webgoatContext = null;
/** /**
* Description of the Method * {@inheritDoc}
* *
* @param request Description of the Parameter * Description of the Method
* @param response Description of the Parameter
* @exception IOException Description of the Exception * @exception IOException Description of the Exception
* @exception ServletException Description of the Exception * @exception ServletException Description of the Exception
*/ */
@ -108,10 +107,9 @@ public class HammerHead extends HttpServlet {
} }
/** /**
* Description of the Method * {@inheritDoc}
* *
* @param request Description of the Parameter * Description of the Method
* @param response Description of the Parameter
* @exception IOException Description of the Exception * @exception IOException Description of the Exception
* @exception ServletException Description of the Exception * @exception ServletException Description of the Exception
*/ */
@ -227,9 +225,9 @@ public class HammerHead extends HttpServlet {
} }
/** /**
* Return information about this servlet * {@inheritDoc}
* *
* @return The servletInfo value * Return information about this servlet
*/ */
@Override @Override
public String getServletInfo() { public String getServletInfo() {
@ -237,9 +235,9 @@ public class HammerHead extends HttpServlet {
} }
/** /**
* Return properties path * {@inheritDoc}
* *
* @throws javax.servlet.ServletException * Return properties path
*/ */
@Override @Override
public void init() throws ServletException { public void init() throws ServletException {
@ -371,7 +369,7 @@ public class HammerHead extends HttpServlet {
* @param response Description of the Parameter * @param response Description of the Parameter
* @param context Description of the Parameter * @param context Description of the Parameter
* @return Description of the Return Value * @return Description of the Return Value
* @throws java.io.IOException * @throws java.io.IOException if any.
*/ */
protected WebSession updateSession(HttpServletRequest request, HttpServletResponse response, ServletContext context) protected WebSession updateSession(HttpServletRequest request, HttpServletResponse response, ServletContext context)
throws IOException { throws IOException {
@ -415,9 +413,10 @@ public class HammerHead extends HttpServlet {
* Description of the Method * Description of the Method
* *
* @param s Description of the Parameter * @param s Description of the Parameter
* @param screen * @param screen a {@link org.owasp.webgoat.session.Screen} object.
* @param response Description of the Parameter * @param response Description of the Parameter
* @exception IOException Description of the Exception * @exception IOException Description of the Exception
* @throws java.io.IOException if any.
*/ */
protected void writeScreen(WebSession s, Screen screen, HttpServletResponse response) throws IOException { protected void writeScreen(WebSession s, Screen screen, HttpServletResponse response) throws IOException {
response.setContentType("text/html"); response.setContentType("text/html");
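Review bot: The writeScreen Javadoc on the new side declares the same exception twice — `@exception IOException Description of the Exception` is kept and `@throws java.io.IOException if any.` is added below it — so javadoc will warn about the duplicate tag and the reader gets two placeholder descriptions for one throw; keep a single line such as `@throws IOException if the response cannot be written`. The added `@param screen a {@link org.owasp.webgoat.session.Screen} object.` only restates the parameter type and could say what the screen is used for instead. In the doGet/doPost hunks above, `{@inheritDoc}` is added but the old filler line `Description of the Method` is left underneath it, so the inherited text and the placeholder now appear together. The body of writeScreen continues outside this hunk.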


@ -1,185 +1,193 @@
package org.owasp.webgoat; package org.owasp.webgoat;
import java.io.IOException; import java.io.IOException;
import java.io.PrintWriter; import java.io.PrintWriter;
import javax.servlet.ServletException; import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.session.Course; import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
/** /**
* ************************************************************************************************* * *************************************************************************************************
* *
* *
* This file is part of WebGoat, an Open Web Application Security Project * This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/ * utility. For details, please see http://www.owasp.org/
* *
* Copyright (c) 2002 - 20014 Bruce Mayhew * Copyright (c) 2002 - 20014 Bruce Mayhew
* *
* This program is free software; you can redistribute it and/or modify it under * This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software * the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later * Foundation; either version 2 of the License, or (at your option) any later
* version. * version.
* *
* This program is distributed in the hope that it will be useful, but WITHOUT * This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details. * details.
* *
* You should have received a copy of the GNU General Public License along with * You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA. * Place - Suite 330, Boston, MA 02111-1307, USA.
* *
* Getting Source ============== * Getting Source ==============
* *
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects. * for free software projects.
* *
* For details, please see http://webgoat.github.io * For details, please see http://webgoat.github.io
* *
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a> * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003 * @since October 28, 2003
*/ * @version $Id: $Id
public class LessonSource extends HammerHead { */
public class LessonSource extends HammerHead {
/**
* /**
*/ *
private static final long serialVersionUID = 2588430536196446145L; */
private static final long serialVersionUID = 2588430536196446145L;
/**
* Description of the Field /**
*/ * Description of the Field
public final static String START_SOURCE_SKIP = "START_OMIT_SOURCE"; */
public final static String START_SOURCE_SKIP = "START_OMIT_SOURCE";
public final static String END_SOURCE_SKIP = "END_OMIT_SOURCE";
/** Constant <code>END_SOURCE_SKIP="END_OMIT_SOURCE"</code> */
/** public final static String END_SOURCE_SKIP = "END_OMIT_SOURCE";
* Description of the Method
* /**
* @param request Description of the Parameter * {@inheritDoc}
* @param response Description of the Parameter *
* @exception IOException Description of the Exception * Description of the Method
* @exception ServletException Description of the Exception * @exception IOException Description of the Exception
*/ * @exception ServletException Description of the Exception
public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { */
String source = null; public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
String source = null;
try {
// System.out.println( "Entering doPost: " ); try {
// System.out.println( " - request " + request); // System.out.println( "Entering doPost: " );
// System.out.println( " - principle: " + request.getUserPrincipal() // System.out.println( " - request " + request);
// ); // System.out.println( " - principle: " + request.getUserPrincipal()
// setCacheHeaders(response, 0); // );
WebSession session = (WebSession) request.getSession(true).getAttribute(WebSession.SESSION); // setCacheHeaders(response, 0);
// FIXME: Too much in this call. WebSession session = (WebSession) request.getSession(true).getAttribute(WebSession.SESSION);
session.update(request, response, this.getServletName()); // FIXME: Too much in this call.
session.update(request, response, this.getServletName());
boolean showSolution = session.getParser().getBooleanParameter("solution", false);
boolean showSource = session.getParser().getBooleanParameter("source", false); boolean showSolution = session.getParser().getBooleanParameter("solution", false);
if (showSolution) { boolean showSource = session.getParser().getBooleanParameter("source", false);
if (showSolution) {
// Get the Java solution of the lesson.
source = getSolution(session); // Get the Java solution of the lesson.
source = getSolution(session);
int scr = session.getCurrentScreen();
Course course = session.getCourse(); int scr = session.getCurrentScreen();
AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE); Course course = session.getCourse();
lesson.getLessonTracker(session).setViewedSolution(true); AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE);
lesson.getLessonTracker(session).setViewedSolution(true);
} else if (showSource) {
} else if (showSource) {
// Get the Java source of the lesson. FIXME: Not needed
source = getSource(session); // Get the Java source of the lesson. FIXME: Not needed
source = getSource(session);
int scr = session.getCurrentScreen();
Course course = session.getCourse(); int scr = session.getCurrentScreen();
AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE); Course course = session.getCourse();
lesson.getLessonTracker(session).setViewedSource(true); AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE);
} lesson.getLessonTracker(session).setViewedSource(true);
} catch (Throwable t) { }
t.printStackTrace(); } catch (Throwable t) {
log("ERROR: " + t); t.printStackTrace();
} finally { log("ERROR: " + t);
try { } finally {
this.writeSource(source, response); try {
} catch (Throwable thr) { this.writeSource(source, response);
thr.printStackTrace(); } catch (Throwable thr) {
log(request, "Could not write error screen: " + thr.getMessage()); thr.printStackTrace();
} log(request, "Could not write error screen: " + thr.getMessage());
// System.out.println( "Leaving doPost: " ); }
// System.out.println( "Leaving doPost: " );
}
} }
}
/**
* Description of the Method /**
* * Description of the Method
* @param s Description of the Parameter *
* @return Description of the Return Value * @param s Description of the Parameter
*/ * @return Description of the Return Value
protected String getSource(WebSession s) { */
protected String getSource(WebSession s) {
String source = null;
int scr = s.getCurrentScreen(); String source = null;
Course course = s.getCourse(); int scr = s.getCurrentScreen();
Course course = s.getCourse();
if (s.isUser() || s.isChallenge()) {
if (s.isUser() || s.isChallenge()) {
AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
if (lesson != null) {
source = lesson.getSource(s); if (lesson != null) {
} source = lesson.getSource(s);
} }
if (source == null) { }
return "Source code is not available. Contact " if (source == null) {
+ s.getWebgoatContext().getFeedbackAddressHTML(); return "Source code is not available. Contact "
} + s.getWebgoatContext().getFeedbackAddressHTML();
return (source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP, }
"Code Section Deliberately Omitted")); return (source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP,
} "Code Section Deliberately Omitted"));
}
protected String getSolution(WebSession s) {
/**
String source = null; * <p>getSolution.</p>
int scr = s.getCurrentScreen(); *
Course course = s.getCourse(); * @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link java.lang.String} object.
if (s.isUser() || s.isChallenge()) { */
protected String getSolution(WebSession s) {
AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
String source = null;
if (lesson != null) { int scr = s.getCurrentScreen();
source = lesson.getSolution(s); Course course = s.getCourse();
}
} if (s.isUser() || s.isChallenge()) {
if (source == null) {
return "Solution is not available. Contact " AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
+ s.getWebgoatContext().getFeedbackAddressHTML();
} if (lesson != null) {
return (source); source = lesson.getSolution(s);
} }
}
/** if (source == null) {
* Description of the Method return "Solution is not available. Contact "
* + s.getWebgoatContext().getFeedbackAddressHTML();
* @param s Description of the Parameter }
* @param response Description of the Parameter return (source);
* @exception IOException Description of the Exception }
*/
protected void writeSource(String s, HttpServletResponse response) throws IOException { /**
response.setContentType("text/html"); * Description of the Method
*
PrintWriter out = response.getWriter(); * @param s Description of the Parameter
* @param response Description of the Parameter
if (s == null) { * @exception IOException Description of the Exception
s = new String(); * @throws java.io.IOException if any.
} */
protected void writeSource(String s, HttpServletResponse response) throws IOException {
out.print(s); response.setContentType("text/html");
out.close();
} PrintWriter out = response.getWriter();
}
if (s == null) {
s = new String();
}
out.print(s);
out.close();
}
}
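Review bot: In getSource the omission pattern `"(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP` is greedy, so if a lesson's source contains more than one START_OMIT_SOURCE/END_OMIT_SOURCE pair, everything between the first start marker and the last end marker is replaced, hiding code that was meant to be shown; a reluctant quantifier, `".*?"`, omits each marked section on its own. The writeSource Javadoc on the new side carries both `@exception IOException Description of the Exception` and `@throws java.io.IOException if any.` for the same exception — drop one of them. The generated `<p>getSolution.</p>` / `@return a {@link java.lang.String} object.` block adds nothing the signature does not already say; a one-line summary of what the returned text is (the lesson's solution, or a not-available message) would be more useful. The `catch (Throwable t)` with `t.printStackTrace()` in doPost predates this commit, but since the file is being touched: catching Throwable also swallows Errors that should propagate, and the exception is only printed rather than passed to the servlet `log(String, Throwable)` overload, so the stack trace never reaches the container log.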


@ -12,6 +12,7 @@ import org.apache.commons.lang3.builder.ToStringBuilder;
* Singleton which is created on context startup * Singleton which is created on context startup
* *
* @author rlawson * @author rlawson
* @version $Id: $Id
*/ */
public class Application { public class Application {
@ -21,6 +22,11 @@ public class Application {
} }
/**
* <p>getInstance.</p>
*
* @return a {@link org.owasp.webgoat.application.Application} object.
*/
public static final Application getInstance() { public static final Application getInstance() {
return INSTANCE; return INSTANCE;
} }
@ -30,6 +36,8 @@ public class Application {
private String name = "WebGoat"; private String name = "WebGoat";
/** /**
* <p>Getter for the field <code>version</code>.</p>
*
* @return the version * @return the version
*/ */
public String getVersion() { public String getVersion() {
@ -37,6 +45,8 @@ public class Application {
} }
/** /**
* <p>Setter for the field <code>version</code>.</p>
*
* @param version the version to set * @param version the version to set
*/ */
public void setVersion(String version) { public void setVersion(String version) {
@ -46,6 +56,8 @@ public class Application {
} }
/** /**
* <p>Getter for the field <code>build</code>.</p>
*
* @return the build * @return the build
*/ */
public String getBuild() { public String getBuild() {
@ -53,6 +65,8 @@ public class Application {
} }
/** /**
* <p>Setter for the field <code>build</code>.</p>
*
* @param build the build to set * @param build the build to set
*/ */
public void setBuild(String build) { public void setBuild(String build) {
@ -62,6 +76,8 @@ public class Application {
} }
/** /**
* <p>Getter for the field <code>name</code>.</p>
*
* @return the name * @return the name
*/ */
public String getName() { public String getName() {
@ -69,6 +85,8 @@ public class Application {
} }
/** /**
* <p>Setter for the field <code>name</code>.</p>
*
* @param name the name to set * @param name the name to set
*/ */
public void setName(String name) { public void setName(String name) {
@ -77,6 +95,7 @@ public class Application {
} }
} }
/** {@inheritDoc} */
@Override @Override
public String toString() { public String toString() {
return new ToStringBuilder(this). return new ToStringBuilder(this).
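Review bot: The new Javadoc blocks are generator placeholders that restate the signature — `<p>getInstance.</p>`, `<p>Getter for the field <code>version</code>.</p>`, `@return a {@link org.owasp.webgoat.application.Application} object.` — and tell the reader nothing the method name and type do not; either state the one fact worth knowing (for getInstance, that it returns the single instance created at context startup, as the class comment already says) or leave the member undocumented rather than ship filler. The same generated text appears in the About, Login, Logout, Start and Welcome sections below (`<p>welcome.</p>`, `@param error a {@link java.lang.String} object.`, `@return a boolean.`). The added `@version $Id: $Id` tag is an unexpanded CVS/SVN keyword that git never substitutes, so it will render literally as `$Id: $Id` in the generated documentation; it is added in every file section on this page and could be dropped everywhere. The toString method at the end of the last hunk continues outside it.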


@ -17,9 +17,11 @@ import java.util.jar.Manifest;
* Web application lifecycle listener. * Web application lifecycle listener.
* *
* @author rlawson * @author rlawson
* @version $Id: $Id
*/ */
public class WebGoatServletListener implements ServletContextListener { public class WebGoatServletListener implements ServletContextListener {
/** {@inheritDoc} */
@Override @Override
public void contextInitialized(ServletContextEvent sce) { public void contextInitialized(ServletContextEvent sce) {
ServletContext context = sce.getServletContext(); ServletContext context = sce.getServletContext();
@ -27,6 +29,7 @@ public class WebGoatServletListener implements ServletContextListener {
setApplicationVariables(context); setApplicationVariables(context);
} }
/** {@inheritDoc} */
@Override @Override
public void contextDestroyed(ServletContextEvent sce) { public void contextDestroyed(ServletContextEvent sce) {
ServletContext context = sce.getServletContext(); ServletContext context = sce.getServletContext();


@ -16,8 +16,10 @@ import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.servlet.ModelAndView; import org.springframework.web.servlet.ModelAndView;
/** /**
* <p>About class.</p>
* *
* @author rlawson * @author rlawson
* @version $Id: $Id
*/ */
@Controller @Controller
public class About { public class About {
@ -25,6 +27,14 @@ public class About {
final Logger logger = LoggerFactory.getLogger(About.class); final Logger logger = LoggerFactory.getLogger(About.class);
private static final String WELCOMED = "welcomed"; private static final String WELCOMED = "welcomed";
/**
* <p>welcome.</p>
*
* @param request a {@link javax.servlet.http.HttpServletRequest} object.
* @param error a {@link java.lang.String} object.
* @param logout a {@link java.lang.String} object.
* @return a {@link org.springframework.web.servlet.ModelAndView} object.
*/
@RequestMapping(value = "about.mvc", method = RequestMethod.GET) @RequestMapping(value = "about.mvc", method = RequestMethod.GET)
public ModelAndView welcome(HttpServletRequest request, public ModelAndView welcome(HttpServletRequest request,
@RequestParam(value = "error", required = false) String error, @RequestParam(value = "error", required = false) String error,


@ -12,12 +12,21 @@ import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.servlet.ModelAndView; import org.springframework.web.servlet.ModelAndView;
/** /**
* <p>Login class.</p>
* *
* @author rlawson * @author rlawson
* @version $Id: $Id
*/ */
@Controller @Controller
public class Login { public class Login {
/**
* <p>login.</p>
*
* @param error a {@link java.lang.String} object.
* @param logout a {@link java.lang.String} object.
* @return a {@link org.springframework.web.servlet.ModelAndView} object.
*/
@RequestMapping(value = "login.mvc", method = RequestMethod.GET) @RequestMapping(value = "login.mvc", method = RequestMethod.GET)
public ModelAndView login( public ModelAndView login(
@RequestParam(value = "error", required = false) String error, @RequestParam(value = "error", required = false) String error,


@ -14,14 +14,23 @@ import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.servlet.ModelAndView; import org.springframework.web.servlet.ModelAndView;
/** /**
* <p>Logout class.</p>
* *
* @author rlawson * @author rlawson
* @version $Id: $Id
*/ */
@Controller @Controller
public class Logout { public class Logout {
final Logger logger = LoggerFactory.getLogger(Logout.class); final Logger logger = LoggerFactory.getLogger(Logout.class);
/**
* <p>logout.</p>
*
* @param error a {@link java.lang.String} object.
* @param logout a {@link java.lang.String} object.
* @return a {@link org.springframework.web.servlet.ModelAndView} object.
*/
@RequestMapping(value = "logout.mvc", method = RequestMethod.GET) @RequestMapping(value = "logout.mvc", method = RequestMethod.GET)
public ModelAndView logout( public ModelAndView logout(
@RequestParam(value = "error", required = false) String error, @RequestParam(value = "error", required = false) String error,


@ -24,8 +24,10 @@ import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.servlet.ModelAndView; import org.springframework.web.servlet.ModelAndView;
/** /**
* <p>Start class.</p>
* *
* @author rlawson * @author rlawson
* @version $Id: $Id
*/ */
@Controller @Controller
public class Start { public class Start {
@ -37,6 +39,14 @@ public class Start {
@Autowired @Autowired
private ServletContext servletContext; private ServletContext servletContext;
/**
* <p>start.</p>
*
* @param request a {@link javax.servlet.http.HttpServletRequest} object.
* @param error a {@link java.lang.String} object.
* @param logout a {@link java.lang.String} object.
* @return a {@link org.springframework.web.servlet.ModelAndView} object.
*/
@RequestMapping(value = "start.mvc", method = {RequestMethod.GET, RequestMethod.POST}) @RequestMapping(value = "start.mvc", method = {RequestMethod.GET, RequestMethod.POST})
public ModelAndView start(HttpServletRequest request, public ModelAndView start(HttpServletRequest request,
@RequestParam(value = "error", required = false) String error, @RequestParam(value = "error", required = false) String error,
@ -82,6 +92,12 @@ public class Start {
return role; return role;
} }
/**
* <p>checkWebSession.</p>
*
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a boolean.
*/
public boolean checkWebSession(HttpSession session) { public boolean checkWebSession(HttpSession session) {
Object o = session.getAttribute(WebSession.SESSION); Object o = session.getAttribute(WebSession.SESSION);
if (o == null) { if (o == null) {


@ -16,8 +16,10 @@ import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.servlet.ModelAndView; import org.springframework.web.servlet.ModelAndView;
/** /**
* <p>Welcome class.</p>
* *
* @author rlawson * @author rlawson
* @version $Id: $Id
*/ */
@Controller @Controller
public class Welcome { public class Welcome {
@ -25,6 +27,14 @@ public class Welcome {
final Logger logger = LoggerFactory.getLogger(Welcome.class); final Logger logger = LoggerFactory.getLogger(Welcome.class);
private static final String WELCOMED = "welcomed"; private static final String WELCOMED = "welcomed";
/**
* <p>welcome.</p>
*
* @param request a {@link javax.servlet.http.HttpServletRequest} object.
* @param error a {@link java.lang.String} object.
* @param logout a {@link java.lang.String} object.
* @return a {@link org.springframework.web.servlet.ModelAndView} object.
*/
@RequestMapping(value = "welcome.mvc", method = RequestMethod.GET) @RequestMapping(value = "welcome.mvc", method = RequestMethod.GET)
public ModelAndView welcome(HttpServletRequest request, public ModelAndView welcome(HttpServletRequest request,
@RequestParam(value = "error", required = false) String error, @RequestParam(value = "error", required = false) String error,


@ -35,50 +35,72 @@ import java.util.List;
* For details, please see http://webgoat.github.io * For details, please see http://webgoat.github.io
* *
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a> * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003 * @since October 28, 2003
* @version $Id: $Id
*/ */
public class Category implements Comparable { public class Category implements Comparable {
/** Constant <code>INTRODUCTION</code> */
public final static Category INTRODUCTION = new Category("Introduction", new Integer(5)); public final static Category INTRODUCTION = new Category("Introduction", new Integer(5));
/** Constant <code>GENERAL</code> */
public final static Category GENERAL = new Category("General", new Integer(100)); public final static Category GENERAL = new Category("General", new Integer(100));
/** Constant <code>ACCESS_CONTROL</code> */
public final static Category ACCESS_CONTROL = new Category("Access Control Flaws", new Integer(200)); public final static Category ACCESS_CONTROL = new Category("Access Control Flaws", new Integer(200));
/** Constant <code>AJAX_SECURITY</code> */
public final static Category AJAX_SECURITY = new Category("AJAX Security", new Integer(400)); public final static Category AJAX_SECURITY = new Category("AJAX Security", new Integer(400));
/** Constant <code>AUTHENTICATION</code> */
public final static Category AUTHENTICATION = new Category("Authentication Flaws", new Integer(500)); public final static Category AUTHENTICATION = new Category("Authentication Flaws", new Integer(500));
/** Constant <code>BUFFER_OVERFLOW</code> */
public final static Category BUFFER_OVERFLOW = new Category("Buffer Overflows", new Integer(600)); public final static Category BUFFER_OVERFLOW = new Category("Buffer Overflows", new Integer(600));
/** Constant <code>CODE_QUALITY</code> */
public final static Category CODE_QUALITY = new Category("Code Quality", new Integer(700)); public final static Category CODE_QUALITY = new Category("Code Quality", new Integer(700));
/** Constant <code>CONCURRENCY</code> */
public final static Category CONCURRENCY = new Category("Concurrency", new Integer(800)); public final static Category CONCURRENCY = new Category("Concurrency", new Integer(800));
/** Constant <code>XSS</code> */
public final static Category XSS = new Category("Cross-Site Scripting (XSS)", new Integer(900)); public final static Category XSS = new Category("Cross-Site Scripting (XSS)", new Integer(900));
/** Constant <code>ERROR_HANDLING</code> */
public final static Category ERROR_HANDLING = new Category("Improper Error Handling", new Integer(1000)); public final static Category ERROR_HANDLING = new Category("Improper Error Handling", new Integer(1000));
/** Constant <code>INJECTION</code> */
public final static Category INJECTION = new Category("Injection Flaws", new Integer(1100)); public final static Category INJECTION = new Category("Injection Flaws", new Integer(1100));
/** Constant <code>DOS</code> */
public final static Category DOS = new Category("Denial of Service", new Integer(1200)); public final static Category DOS = new Category("Denial of Service", new Integer(1200));
/** Constant <code>INSECURE_COMMUNICATION</code> */
public final static Category INSECURE_COMMUNICATION = new Category("Insecure Communication", new Integer(1300)); public final static Category INSECURE_COMMUNICATION = new Category("Insecure Communication", new Integer(1300));
/** Constant <code>INSECURE_CONFIGURATION</code> */
public final static Category INSECURE_CONFIGURATION = new Category("Insecure Configuration", new Integer(1400)); public final static Category INSECURE_CONFIGURATION = new Category("Insecure Configuration", new Integer(1400));
/** Constant <code>INSECURE_STORAGE</code> */
public final static Category INSECURE_STORAGE = new Category("Insecure Storage", new Integer(1500)); public final static Category INSECURE_STORAGE = new Category("Insecure Storage", new Integer(1500));
/** Constant <code>MALICIOUS_EXECUTION</code> */
public final static Category MALICIOUS_EXECUTION = new Category("Malicious Execution", new Integer(1600)); public final static Category MALICIOUS_EXECUTION = new Category("Malicious Execution", new Integer(1600));
/** Constant <code>PARAMETER_TAMPERING</code> */
public final static Category PARAMETER_TAMPERING = new Category("Parameter Tampering", new Integer(1700)); public final static Category PARAMETER_TAMPERING = new Category("Parameter Tampering", new Integer(1700));
/** Constant <code>SESSION_MANAGEMENT</code> */
public final static Category SESSION_MANAGEMENT = new Category("Session Management Flaws", new Integer(1800)); public final static Category SESSION_MANAGEMENT = new Category("Session Management Flaws", new Integer(1800));
/** Constant <code>WEB_SERVICES</code> */
public final static Category WEB_SERVICES = new Category("Web Services", new Integer(1900)); public final static Category WEB_SERVICES = new Category("Web Services", new Integer(1900));
/** Constant <code>ADMIN_FUNCTIONS</code> */
public final static Category ADMIN_FUNCTIONS = new Category("Admin Functions", new Integer(2000)); public final static Category ADMIN_FUNCTIONS = new Category("Admin Functions", new Integer(2000));
/** Constant <code>CHALLENGE</code> */
public final static Category CHALLENGE = new Category("Challenge", new Integer(3000)); public final static Category CHALLENGE = new Category("Challenge", new Integer(3000));
private static final List<Category> categories = new ArrayList<Category>(); private static final List<Category> categories = new ArrayList<Category>();
@ -111,10 +133,21 @@ public class Category implements Comparable {
categories.add(CHALLENGE); categories.add(CHALLENGE);
} }
/**
* <p>addCategory.</p>
*
* @param c a {@link org.owasp.webgoat.lessons.Category} object.
*/
public static synchronized void addCategory(Category c) { public static synchronized void addCategory(Category c) {
categories.add(c); categories.add(c);
} }
/**
* <p>Getter for the field <code>category</code>.</p>
*
* @param name a {@link java.lang.String} object.
* @return a {@link org.owasp.webgoat.lessons.Category} object.
*/
public static synchronized Category getCategory(String name) { public static synchronized Category getCategory(String name) {
Iterator<Category> it = categories.iterator(); Iterator<Category> it = categories.iterator();
while (it.hasNext()) { while (it.hasNext()) {
@ -126,11 +159,18 @@ public class Category implements Comparable {
return null; return null;
} }
/**
* <p>Constructor for Category.</p>
*
* @param category a {@link java.lang.String} object.
* @param ranking a {@link java.lang.Integer} object.
*/
public Category(String category, Integer ranking) { public Category(String category, Integer ranking) {
this.category = category; this.category = category;
this.ranking = ranking; this.ranking = ranking;
} }
/** {@inheritDoc} */
@Override @Override
public int compareTo(Object obj) { public int compareTo(Object obj) {
int value = 1; int value = 1;
@ -142,23 +182,41 @@ public class Category implements Comparable {
return value; return value;
} }
/**
* <p>Getter for the field <code>ranking</code>.</p>
*
* @return a {@link java.lang.Integer} object.
*/
public Integer getRanking() { public Integer getRanking() {
return ranking; return ranking;
} }
/**
* <p>Setter for the field <code>ranking</code>.</p>
*
* @param ranking a {@link java.lang.Integer} object.
* @return a {@link java.lang.Integer} object.
*/
public Integer setRanking(Integer ranking) { public Integer setRanking(Integer ranking) {
return this.ranking = ranking; return this.ranking = ranking;
} }
/**
* <p>getName.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getName() { public String getName() {
return category; return category;
} }
/** {@inheritDoc} */
@Override @Override
public boolean equals(Object obj) { public boolean equals(Object obj) {
return (obj instanceof Category) && getName().equals(((Category) obj).getName()); return (obj instanceof Category) && getName().equals(((Category) obj).getName());
} }
/** {@inheritDoc} */
@Override @Override
public String toString() { public String toString() {
return getName(); return getName();


@ -1,244 +1,270 @@
package org.owasp.webgoat.lessons; package org.owasp.webgoat.lessons;
import com.google.common.base.Joiner; import com.google.common.base.Joiner;
import org.apache.commons.io.IOUtils; import org.apache.commons.io.IOUtils;
import org.apache.ecs.Element; import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer; import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement; import org.apache.ecs.StringElement;
import org.apache.ecs.html.Center; import org.apache.ecs.html.Center;
import org.apache.ecs.html.H3; import org.apache.ecs.html.H3;
import org.apache.ecs.html.P; import org.apache.ecs.html.P;
import org.apache.ecs.html.PRE; import org.apache.ecs.html.PRE;
import org.apache.ecs.html.TD; import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR; import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table; import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import java.io.BufferedReader; import java.io.BufferedReader;
import java.io.FileReader; import java.io.FileReader;
import java.io.IOException; import java.io.IOException;
import java.io.InputStream; import java.io.InputStream;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
/** /**
* ************************************************************************************************* *************************************************************************************************
* <p> *
* <p> *
* This file is part of WebGoat, an Open Web Application Security Project * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* utility. For details, please see http://www.owasp.org/ * please see http://www.owasp.org/
* <p> *
* Copyright (c) 2002 - 20014 Bruce Mayhew * Copyright (c) 2002 - 20014 Bruce Mayhew
* <p> *
* This program is free software; you can redistribute it and/or modify it under * This program is free software; you can redistribute it and/or modify it under the terms of the
* the terms of the GNU General Public License as published by the Free Software * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* Foundation; either version 2 of the License, or (at your option) any later * License, or (at your option) any later version.
* version. *
* <p> * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* This program is distributed in the hope that it will be useful, but WITHOUT * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * General Public License for more details.
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more *
* details. * You should have received a copy of the GNU General Public License along with this program; if
* <p> * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* You should have received a copy of the GNU General Public License along with * 02111-1307, USA.
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple *
* Place - Suite 330, Boston, MA 02111-1307, USA. * Getting Source ==============
* <p> *
* Getting Source ============== * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* <p> * projects.
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository *
* for free software projects. * For details, please see http://webgoat.github.io
* <p> *
* For details, please see http://webgoat.github.io * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* * @since October 28, 2003
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a> * @version $Id: $Id
* @created October 28, 2003 */
*/ public abstract class LessonAdapter extends AbstractLesson {
public abstract class LessonAdapter extends AbstractLesson {
/**
/** * {@inheritDoc}
* Description of the Method *
* * Description of the Method
* @param s Description of the Parameter */
* @return Description of the Return Value protected Element createContent(WebSession s) {
*/ // Mark this lesson as completed.
protected Element createContent(WebSession s) { makeSuccess(s);
// Mark this lesson as completed.
makeSuccess(s); ElementContainer ec = new ElementContainer();
ElementContainer ec = new ElementContainer(); ec.addElement(new Center().addElement(new H3().addElement(new StringElement(
"Detailed Lesson Creation Instructions."))));
ec.addElement(new Center().addElement(new H3().addElement(new StringElement( ec.addElement(new P());
"Detailed Lesson Creation Instructions.")))); ec
ec.addElement(new P()); .addElement(new StringElement(
ec "Lesson are simple to create and very little coding is required. &nbsp;&nbsp;"
.addElement(new StringElement( + "In fact, most lessons can be created by following the easy to use instructions in the "
"Lesson are simple to create and very little coding is required. &nbsp;&nbsp;" + "<A HREF=http://www.owasp.org/index.php/WebGoat_User_and_Install_Guide_Table_of_Contents>WebGoat User Guide.</A>&nbsp;&nbsp;"
+ "In fact, most lessons can be created by following the easy to use instructions in the " + "If you would prefer, send your lesson ideas to "
+ "<A HREF=http://www.owasp.org/index.php/WebGoat_User_and_Install_Guide_Table_of_Contents>WebGoat User Guide.</A>&nbsp;&nbsp;" + getWebgoatContext().getFeedbackAddressHTML()));
+ "If you would prefer, send your lesson ideas to "
+ getWebgoatContext().getFeedbackAddressHTML())); try (InputStream is = Thread.currentThread().getContextClassLoader()
.getResourceAsStream("New Lesson Instructions.txt")) {
try (InputStream is = Thread.currentThread().getContextClassLoader() if (is != null) {
.getResourceAsStream("New Lesson Instructions.txt")) { PRE pre = new PRE();
if (is != null) { pre.addElement(Joiner.on("\n").join(IOUtils.readLines(is)));
PRE pre = new PRE(); ec.addElement(pre);
pre.addElement(Joiner.on("\n").join(IOUtils.readLines(is))); }
ec.addElement(pre); } catch (IOException e) {
} e.printStackTrace();
} catch (IOException e) { }
e.printStackTrace(); return (ec);
} }
return (ec);
} /**
* Gets the category attribute of the LessonAdapter object. The default
/** * category is "General" Only override this method if you wish to create a
* Gets the category attribute of the LessonAdapter object. The default * new category or if you wish this lesson to reside within a category other
* category is "General" Only override this method if you wish to create a * the "General"
* new category or if you wish this lesson to reside within a category other *
* the "General" * @return The category value
* */
* @return The category value protected Category getDefaultCategory() {
*/ return Category.GENERAL;
protected Category getDefaultCategory() { }
return Category.GENERAL;
} /**
* <p>getDefaultHidden.</p>
protected boolean getDefaultHidden() { *
return false; * @return a boolean.
} */
protected boolean getDefaultHidden() {
private final static Integer DEFAULT_RANKING = new Integer(1000); return false;
}
protected Integer getDefaultRanking() {
return DEFAULT_RANKING; private final static Integer DEFAULT_RANKING = new Integer(1000);
}
/**
/** * <p>getDefaultRanking.</p>
* Gets the hintCount attribute of the LessonAdapter object *
* * @return a {@link java.lang.Integer} object.
* @return The hintCount value */
*/ protected Integer getDefaultRanking() {
public int getHintCount(WebSession s) { return DEFAULT_RANKING;
return getHints(s).size(); }
}
/**
/** * {@inheritDoc}
* Fill in a minor hint that will help people who basically get it, but are *
* stuck on somthing silly. Hints will be returned to the user in the order * Gets the hintCount attribute of the LessonAdapter object
* they appear below. The user must click on the "next hint" button before */
* the hint will be displayed. public int getHintCount(WebSession s) {
* return getHints(s).size();
* @return The hint1 value }
*/
protected List<String> getHints(WebSession s) { /**
List<String> hints = new ArrayList<String>(); * {@inheritDoc}
hints.add("There are no hints defined."); *
return hints; * Fill in a minor hint that will help people who basically get it, but are
} * stuck on somthing silly. Hints will be returned to the user in the order
* they appear below. The user must click on the "next hint" button before
/** * the hint will be displayed.
* Gets the credits attribute of the AbstractLesson object */
* protected List<String> getHints(WebSession s) {
* @return The credits value List<String> hints = new ArrayList<String>();
* @deprecated Credits are in the about page. This method s no hints.add("There are no hints defined.");
* longer called from WebGoat return hints;
*/ }
public Element getCredits() {
return new StringElement(); /**
} * Gets the credits attribute of the AbstractLesson object
*
/** * @return The credits value
* Gets the instructions attribute of the LessonAdapter object. Instructions * @deprecated Credits are in the about page. This method s no
* will rendered as html and will appear below the control area and above * longer called from WebGoat
* the actual lesson area. Instructions should provide the user with the */
* general setup and goal of the lesson. public Element getCredits() {
* return new StringElement();
* @return The instructions value }
*/
public String getInstructions(WebSession s) { /**
StringBuffer buff = new StringBuffer(); * {@inheritDoc}
String lang = s.getCurrrentLanguage(); *
try { * Gets the instructions attribute of the LessonAdapter object. Instructions
String fileName = getLessonPlanFileName(lang); * will rendered as html and will appear below the control area and above
if (fileName != null) { * the actual lesson area. Instructions should provide the user with the
BufferedReader in = new BufferedReader(new FileReader(fileName)); * general setup and goal of the lesson.
String line = null; */
boolean startAppending = false; public String getInstructions(WebSession s) {
while ((line = in.readLine()) != null) { StringBuffer buff = new StringBuffer();
if (line.indexOf("<!-- Start Instructions -->") != -1) { String lang = s.getCurrrentLanguage();
startAppending = true; try {
continue; String fileName = getLessonPlanFileName(lang);
} if (fileName != null) {
if (line.indexOf("<!-- Stop Instructions -->") != -1) { BufferedReader in = new BufferedReader(new FileReader(fileName));
startAppending = false; String line = null;
continue; boolean startAppending = false;
} while ((line = in.readLine()) != null) {
if (startAppending) { if (line.indexOf("<!-- Start Instructions -->") != -1) {
buff.append(line + "\n"); startAppending = true;
} continue;
} }
} if (line.indexOf("<!-- Stop Instructions -->") != -1) {
} catch (Exception e) { startAppending = false;
} continue;
}
return buff.toString(); if (startAppending) {
buff.append(line + "\n");
} }
}
/** }
* Fill in a descriptive title for this lesson. The title of the lesson. } catch (Exception e) {
* This will appear above the control area at the top of the page. This }
* field will be rendered as html.
* return buff.toString();
* @return The title value
*/ }
public String getTitle() {
return "Untitled Lesson " + getScreenId(); /**
} * Fill in a descriptive title for this lesson. The title of the lesson.
* This will appear above the control area at the top of the page. This
public String getCurrentAction(WebSession s) { * field will be rendered as html.
return s.getLessonSession(this).getCurrentLessonScreen(); *
} * @return The title value
*/
public void setCurrentAction(WebSession s, String lessonScreen) { public String getTitle() {
s.getLessonSession(this).setCurrentLessonScreen(lessonScreen); return "Untitled Lesson " + getScreenId();
} }
public Object getSessionAttribute(WebSession s, String key) { /** {@inheritDoc} */
return s.getRequest().getSession().getAttribute(key); public String getCurrentAction(WebSession s) {
} return s.getLessonSession(this).getCurrentLessonScreen();
}
public void setSessionAttribute(WebSession s, String key, Object value) {
s.getRequest().getSession().setAttribute(key, value); /** {@inheritDoc} */
} public void setCurrentAction(WebSession s, String lessonScreen) {
s.getLessonSession(this).setCurrentLessonScreen(lessonScreen);
/** }
* Description of the Method
* /**
* @param s Description of the Parameter * <p>getSessionAttribute.</p>
* @return Description of the Return Value *
*/ * @param s a {@link org.owasp.webgoat.session.WebSession} object.
protected Element makeSuccess(WebSession s) { * @param key a {@link java.lang.String} object.
getLessonTracker(s).setCompleted(true); * @return a {@link java.lang.Object} object.
*/
s.setMessage(getLabelManager().get("LessonCompleted")); public Object getSessionAttribute(WebSession s, String key) {
return s.getRequest().getSession().getAttribute(key);
return (null); }
}
/**
/** * <p>setSessionAttribute.</p>
* Gets the credits attribute of the AbstractLesson object *
* * @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return The credits value * @param key a {@link java.lang.String} object.
*/ * @param value a {@link java.lang.Object} object.
protected Element getCustomCredits(String text, Element e) { */
Table t = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0).setWidth("90%").setAlign("RIGHT"); public void setSessionAttribute(WebSession s, String key, Object value) {
TR tr = new TR(); s.getRequest().getSession().setAttribute(key, value);
tr.addElement(new TD(text).setVAlign("MIDDLE").setAlign("RIGHT").setWidth("100%")); }
tr.addElement(new TD(e).setVAlign("MIDDLE").setAlign("RIGHT"));
t.addElement(tr); /**
return t; * Description of the Method
} *
* @param s Description of the Parameter
} * @return Description of the Return Value
*/
protected Element makeSuccess(WebSession s) {
getLessonTracker(s).setCompleted(true);
s.setMessage(getLabelManager().get("LessonCompleted"));
return (null);
}
/**
* Gets the credits attribute of the AbstractLesson object
*
* @return The credits value
* @param text a {@link java.lang.String} object.
* @param e a {@link org.apache.ecs.Element} object.
*/
protected Element getCustomCredits(String text, Element e) {
Table t = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0).setWidth("90%").setAlign("RIGHT");
TR tr = new TR();
tr.addElement(new TD(text).setVAlign("MIDDLE").setAlign("RIGHT").setWidth("100%"));
tr.addElement(new TD(e).setVAlign("MIDDLE").setAlign("RIGHT"));
t.addElement(tr);
return t;
}
}
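Review bot: The `BufferedReader` opened in `getInstructions` is never closed, and the surrounding `catch (Exception e) { }` swallows every failure, so a missing or unreadable lesson-plan file leaks a file handle per call and leaves no trace; the new Javadoc above the method does not mention either. `createContent` in the same file already uses try-with-resources for its stream, so the reader should be handled the same way and the catch should at least report the error. The `FileReader` also reads in the platform charset; if lesson plans are UTF-8 an explicit charset reader would be safer, though the file's encoding is not visible here. Similarly, the file name comes from `getLessonPlanFileName(lang)` with `lang` taken from the session; if that value can be influenced by a request parameter the resolved path should be checked against the lesson-plan directory — not verifiable from this hunk.
```java
public String getInstructions(WebSession s) {
    StringBuffer buff = new StringBuffer();
    String lang = s.getCurrrentLanguage();
    try {
        String fileName = getLessonPlanFileName(lang);
        if (fileName != null) {
            try (BufferedReader in = new BufferedReader(new FileReader(fileName))) {
                // … unchanged: Start/Stop Instructions marker loop appending to buff …
            }
        }
    } catch (Exception e) {
        // previously an empty catch: a missing or unreadable lesson plan now leaves a trace
        e.printStackTrace();
    }
    return buff.toString();
}
```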


@ -1,99 +1,138 @@
package org.owasp.webgoat.lessons; package org.owasp.webgoat.lessons;
import java.sql.Connection; import java.sql.Connection;
import java.sql.SQLException; import java.sql.SQLException;
import org.owasp.webgoat.session.CreateDB; import org.owasp.webgoat.session.CreateDB;
import org.owasp.webgoat.session.DatabaseUtilities; import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.LessonTracker; import org.owasp.webgoat.session.LessonTracker;
import org.owasp.webgoat.session.RandomLessonTracker; import org.owasp.webgoat.session.RandomLessonTracker;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
public abstract class RandomLessonAdapter extends LessonAdapter /**
{ * <p>Abstract RandomLessonAdapter class.</p>
*
public abstract String[] getStages(); * @version $Id: $Id
*/
public void setStage(WebSession s, String stage) public abstract class RandomLessonAdapter extends LessonAdapter
{ {
getLessonTracker(s).setStage(stage);
try /**
{ * <p>getStages.</p>
Connection connection = DatabaseUtilities.getConnection(s); *
* @return an array of {@link java.lang.String} objects.
CreateDB db = new CreateDB(); */
db.makeDB(connection); public abstract String[] getStages();
System.out.println("Successfully refreshed the database.");
/**
} catch (SQLException sqle) * <p>setStage.</p>
{ *
System.out.println("Error refreshing the database!"); * @param s a {@link org.owasp.webgoat.session.WebSession} object.
sqle.printStackTrace(); * @param stage a {@link java.lang.String} object.
} */
} public void setStage(WebSession s, String stage)
{
public String getStage(WebSession s) getLessonTracker(s).setStage(stage);
{ try
return getLessonTracker(s).getStage(); {
} Connection connection = DatabaseUtilities.getConnection(s);
public void setStageComplete(WebSession s, String stage) CreateDB db = new CreateDB();
{ db.makeDB(connection);
RandomLessonTracker lt = getLessonTracker(s); System.out.println("Successfully refreshed the database.");
lt.setStageComplete(stage, true);
if (lt.getCompleted()) } catch (SQLException sqle)
{ {
s.setMessage("Congratulations, you have completed this lab"); System.out.println("Error refreshing the database!");
} sqle.printStackTrace();
else }
{ }
s.setMessage("You have completed Stage " + (lt.getStageNumber(stage) + 1) + ": " + stage + ".");
if (!stage.equals(lt.getStage())) /**
s.setMessage(" Welcome to Stage " + (lt.getStageNumber(lt.getStage()) + 1) + ": " + lt.getStage()); * <p>getStage.</p>
} *
try * @param s a {@link org.owasp.webgoat.session.WebSession} object.
{ * @return a {@link java.lang.String} object.
Connection connection = DatabaseUtilities.getConnection(s); */
public String getStage(WebSession s)
CreateDB db = new CreateDB(); {
db.makeDB(connection); return getLessonTracker(s).getStage();
System.out.println("Successfully refreshed the database."); }
} catch (SQLException sqle) /**
{ * <p>setStageComplete.</p>
System.out.println("Error refreshing the database!"); *
sqle.printStackTrace(); * @param s a {@link org.owasp.webgoat.session.WebSession} object.
} * @param stage a {@link java.lang.String} object.
} */
public void setStageComplete(WebSession s, String stage)
public boolean isStageComplete(WebSession s, String stage) {
{ RandomLessonTracker lt = getLessonTracker(s);
return getLessonTracker(s).hasCompleted(stage); lt.setStageComplete(stage, true);
} if (lt.getCompleted())
{
@Override s.setMessage("Congratulations, you have completed this lab");
public RandomLessonTracker getLessonTracker(WebSession s) }
{ else
return (RandomLessonTracker) super.getLessonTracker(s); {
} s.setMessage("You have completed Stage " + (lt.getStageNumber(stage) + 1) + ": " + stage + ".");
if (!stage.equals(lt.getStage()))
@Override s.setMessage(" Welcome to Stage " + (lt.getStageNumber(lt.getStage()) + 1) + ": " + lt.getStage());
public RandomLessonTracker getLessonTracker(WebSession s, AbstractLesson lesson) }
{ try
return (RandomLessonTracker) super.getLessonTracker(s, lesson); {
} Connection connection = DatabaseUtilities.getConnection(s);
@Override CreateDB db = new CreateDB();
public RandomLessonTracker getLessonTracker(WebSession s, String userNameOverride) db.makeDB(connection);
{ System.out.println("Successfully refreshed the database.");
return (RandomLessonTracker) super.getLessonTracker(s, userNameOverride);
} } catch (SQLException sqle)
{
@Override System.out.println("Error refreshing the database!");
public LessonTracker createLessonTracker() sqle.printStackTrace();
{ }
return new RandomLessonTracker(getStages()); }
}
/**
} * <p>isStageComplete.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param stage a {@link java.lang.String} object.
* @return a boolean.
*/
public boolean isStageComplete(WebSession s, String stage)
{
return getLessonTracker(s).hasCompleted(stage);
}
/** {@inheritDoc} */
@Override
public RandomLessonTracker getLessonTracker(WebSession s)
{
return (RandomLessonTracker) super.getLessonTracker(s);
}
/** {@inheritDoc} */
@Override
public RandomLessonTracker getLessonTracker(WebSession s, AbstractLesson lesson)
{
return (RandomLessonTracker) super.getLessonTracker(s, lesson);
}
/** {@inheritDoc} */
@Override
public RandomLessonTracker getLessonTracker(WebSession s, String userNameOverride)
{
return (RandomLessonTracker) super.getLessonTracker(s, userNameOverride);
}
/** {@inheritDoc} */
@Override
public LessonTracker createLessonTracker()
{
return new RandomLessonTracker(getStages());
}
}
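Review bot: The database-refresh try/catch in `setStage` is duplicated verbatim in `setStageComplete`; both obtain a `Connection` from `DatabaseUtilities.getConnection(s)`, call `new CreateDB().makeDB(connection)` and print to `System.out`, so the block belongs in one private helper that both methods call. Whether the `Connection` needs closing here depends on `DatabaseUtilities`, which is outside this hunk — if it hands out a fresh connection rather than a per-session one, the helper is also the place for try-with-resources. The new Javadoc on `setStage` and `setStageComplete` could then say that both rebuild the lesson database as a side effect, which a caller cannot guess from the names.
```java
public void setStage(WebSession s, String stage)
{
    getLessonTracker(s).setStage(stage);
    refreshDatabase(s);
}

// … unchanged: getStage …

public void setStageComplete(WebSession s, String stage)
{
    // … unchanged: completion bookkeeping and stage messages …
    refreshDatabase(s);
}

/** Rebuilds the lesson database; shared by setStage and setStageComplete. */
private void refreshDatabase(WebSession s)
{
    try
    {
        Connection connection = DatabaseUtilities.getConnection(s);
        new CreateDB().makeDB(connection);
        System.out.println("Successfully refreshed the database.");
    } catch (SQLException sqle)
    {
        System.out.println("Error refreshing the database!");
        sqle.printStackTrace();
    }
}
```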


@ -1,138 +1,212 @@
package org.owasp.webgoat.lessons; package org.owasp.webgoat.lessons;
import org.apache.ecs.Element; import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer; import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement; import org.apache.ecs.StringElement;
import org.owasp.webgoat.session.LessonTracker; import org.owasp.webgoat.session.LessonTracker;
import org.owasp.webgoat.session.SequentialLessonTracker; import org.owasp.webgoat.session.SequentialLessonTracker;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
public abstract class SequentialLessonAdapter extends LessonAdapter /**
{ * <p>Abstract SequentialLessonAdapter class.</p>
*
public void setStage(WebSession s, int stage) * @version $Id: $Id
{ */
// System.out.println("Changed to stage " + stage); public abstract class SequentialLessonAdapter extends LessonAdapter
getLessonTracker(s).setStage(stage); {
}
/**
/* * <p>setStage.</p>
* By default returns 1 stage. (non-Javadoc) *
*/ * @param s a {@link org.owasp.webgoat.session.WebSession} object.
public int getStageCount() * @param stage a int.
{ */
return 1; public void setStage(WebSession s, int stage)
} {
// System.out.println("Changed to stage " + stage);
public int getStage(WebSession s) getLessonTracker(s).setStage(stage);
{ }
int stage = getLessonTracker(s).getStage();
/*
// System.out.println("In stage " + stage); * By default returns 1 stage. (non-Javadoc)
return stage; */
} /**
* <p>getStageCount.</p>
@Override *
public SequentialLessonTracker getLessonTracker(WebSession s) * @return a int.
{ */
return (SequentialLessonTracker) super.getLessonTracker(s); public int getStageCount()
} {
return 1;
@Override }
public SequentialLessonTracker getLessonTracker(WebSession s, AbstractLesson lesson)
{ /**
return (SequentialLessonTracker) super.getLessonTracker(s, lesson); * <p>getStage.</p>
} *
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
@Override * @return a int.
public SequentialLessonTracker getLessonTracker(WebSession s, String userNameOverride) */
{ public int getStage(WebSession s)
return (SequentialLessonTracker) super.getLessonTracker(s, userNameOverride); {
} int stage = getLessonTracker(s).getStage();
@Override // System.out.println("In stage " + stage);
public LessonTracker createLessonTracker() return stage;
{ }
return new SequentialLessonTracker();
} /** {@inheritDoc} */
@Override
protected Element createStagedContent(WebSession s) public SequentialLessonTracker getLessonTracker(WebSession s)
{ {
try return (SequentialLessonTracker) super.getLessonTracker(s);
{ }
int stage = getLessonTracker(s).getStage();
// int stage = Integer.parseInt( /** {@inheritDoc} */
// getLessonTracker(s).getLessonProperties().getProperty(WebSession.STAGE,"1")); @Override
public SequentialLessonTracker getLessonTracker(WebSession s, AbstractLesson lesson)
switch (stage) {
{ return (SequentialLessonTracker) super.getLessonTracker(s, lesson);
case 1: }
return (doStage1(s));
case 2: /** {@inheritDoc} */
return (doStage2(s)); @Override
case 3: public SequentialLessonTracker getLessonTracker(WebSession s, String userNameOverride)
return (doStage3(s)); {
case 4: return (SequentialLessonTracker) super.getLessonTracker(s, userNameOverride);
return (doStage4(s)); }
case 5:
return (doStage5(s)); /** {@inheritDoc} */
case 6: @Override
return (doStage6(s)); public LessonTracker createLessonTracker()
default: {
throw new Exception("Invalid stage"); return new SequentialLessonTracker();
} }
} catch (Exception e)
{ /**
s.setMessage("Error generating " + this.getClass().getName()); * <p>createStagedContent.</p>
// System.out.println(e); *
e.printStackTrace(); * @param s a {@link org.owasp.webgoat.session.WebSession} object.
} * @return a {@link org.apache.ecs.Element} object.
*/
return (new StringElement("")); protected Element createStagedContent(WebSession s)
} {
try
protected Element doStage1(WebSession s) throws Exception {
{ int stage = getLessonTracker(s).getStage();
ElementContainer ec = new ElementContainer(); // int stage = Integer.parseInt(
ec.addElement("Stage 1 Stub"); // getLessonTracker(s).getLessonProperties().getProperty(WebSession.STAGE,"1"));
return ec;
} switch (stage)
{
protected Element doStage2(WebSession s) throws Exception case 1:
{ return (doStage1(s));
ElementContainer ec = new ElementContainer(); case 2:
ec.addElement("Stage 2 Stub"); return (doStage2(s));
return ec; case 3:
} return (doStage3(s));
case 4:
protected Element doStage3(WebSession s) throws Exception return (doStage4(s));
{ case 5:
ElementContainer ec = new ElementContainer(); return (doStage5(s));
ec.addElement("Stage 3 Stub"); case 6:
return ec; return (doStage6(s));
} default:
throw new Exception("Invalid stage");
protected Element doStage4(WebSession s) throws Exception }
{ } catch (Exception e)
ElementContainer ec = new ElementContainer(); {
ec.addElement("Stage 4 Stub"); s.setMessage("Error generating " + this.getClass().getName());
return ec; // System.out.println(e);
} e.printStackTrace();
}
protected Element doStage5(WebSession s) throws Exception
{ return (new StringElement(""));
ElementContainer ec = new ElementContainer(); }
ec.addElement("Stage 5 Stub");
return ec; /**
} * <p>doStage1.</p>
*
protected Element doStage6(WebSession s) throws Exception * @param s a {@link org.owasp.webgoat.session.WebSession} object.
{ * @return a {@link org.apache.ecs.Element} object.
ElementContainer ec = new ElementContainer(); * @throws java.lang.Exception if any.
ec.addElement("Stage 6 Stub"); */
return ec; protected Element doStage1(WebSession s) throws Exception
} {
ElementContainer ec = new ElementContainer();
} ec.addElement("Stage 1 Stub");
return ec;
}
/**
* <p>doStage2.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link org.apache.ecs.Element} object.
* @throws java.lang.Exception if any.
*/
protected Element doStage2(WebSession s) throws Exception
{
ElementContainer ec = new ElementContainer();
ec.addElement("Stage 2 Stub");
return ec;
}
/**
* <p>doStage3.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link org.apache.ecs.Element} object.
* @throws java.lang.Exception if any.
*/
protected Element doStage3(WebSession s) throws Exception
{
ElementContainer ec = new ElementContainer();
ec.addElement("Stage 3 Stub");
return ec;
}
/**
* <p>doStage4.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link org.apache.ecs.Element} object.
* @throws java.lang.Exception if any.
*/
protected Element doStage4(WebSession s) throws Exception
{
ElementContainer ec = new ElementContainer();
ec.addElement("Stage 4 Stub");
return ec;
}
/**
* <p>doStage5.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link org.apache.ecs.Element} object.
* @throws java.lang.Exception if any.
*/
protected Element doStage5(WebSession s) throws Exception
{
ElementContainer ec = new ElementContainer();
ec.addElement("Stage 5 Stub");
return ec;
}
/**
* <p>doStage6.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link org.apache.ecs.Element} object.
* @throws java.lang.Exception if any.
*/
protected Element doStage6(WebSession s) throws Exception
{
ElementContainer ec = new ElementContainer();
ec.addElement("Stage 6 Stub");
return ec;
}
}
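Review bot: The orphaned block comment `/* By default returns 1 stage. (non-Javadoc) */` now sits directly above the new Javadoc for `getStageCount`, so the method carries two comments where one belongs; fold the useful part into the Javadoc as `* Returns the number of stages in this lesson; the default is 1.` and drop the old block. In `createStagedContent` the commented-out `// int stage = Integer.parseInt(` lines and the `// System.out.println(e);` remnant should go as well, and its new Javadoc could note that an unknown stage is reported via `s.setMessage` and yields an empty `StringElement` rather than propagating, since the method deliberately catches its own `Invalid stage` exception. The `doStageN` Javadocs all say only `<p>doStageN.</p>`; a one-liner such as `* Stub for stage N; subclasses override this to render the stage.` would tell a lesson author what to do with them.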


@ -1,145 +1,161 @@
package org.owasp.webgoat.lessons; package org.owasp.webgoat.lessons;
import org.apache.ecs.Element; import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer; import org.apache.ecs.ElementContainer;
import org.apache.ecs.HtmlColor; import org.apache.ecs.HtmlColor;
import org.apache.ecs.StringElement; import org.apache.ecs.StringElement;
import org.apache.ecs.html.Center; import org.apache.ecs.html.Center;
import org.apache.ecs.html.Form; import org.apache.ecs.html.Form;
import org.apache.ecs.html.TD; import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR; import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table; import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.*; import org.owasp.webgoat.session.*;
/*************************************************************************************************** /**
* *************************************************************************************************
* *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, *
* please see http://www.owasp.org/ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* * please see http://www.owasp.org/
* Copyright (c) 2002 - 20014 Bruce Mayhew *
* * Copyright (c) 2002 - 20014 Bruce Mayhew
* This program is free software; you can redistribute it and/or modify it under the terms of the *
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* License, or (at your option) any later version. * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* * License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without *
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* General Public License for more details. * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* * General Public License for more details.
* You should have received a copy of the GNU General Public License along with this program; if *
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * You should have received a copy of the GNU General Public License along with this program; if
* 02111-1307, USA. * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* * 02111-1307, USA.
* Getting Source ============== *
* * Getting Source ==============
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software *
* projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* * projects.
* For details, please see http://webgoat.github.io *
* * For details, please see http://webgoat.github.io
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a> *
* @created October 28, 2003 * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
*/ * @since October 28, 2003
public class WelcomeScreen extends Screen * @version $Id: $Id
{ */
public class WelcomeScreen extends Screen
/** {
* Constructor for the WelcomeScreen object
* /**
* @param s * Constructor for the WelcomeScreen object
* Description of the Parameter *
*/ * @param s
public WelcomeScreen(WebSession s) * Description of the Parameter
{ */
setup(s); public WelcomeScreen(WebSession s)
} {
setup(s);
/** }
* Constructor for the WelcomeScreen object
*/ /**
public WelcomeScreen() * Constructor for the WelcomeScreen object
{ */
} public WelcomeScreen()
{
public void setup(WebSession s) }
{
// call createContent first so messages will go somewhere /**
* <p>setup.</p>
Form form = new Form("attack", Form.POST).setName("form").setEncType(""); *
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
form.addElement(wrapForm(s)); */
public void setup(WebSession s)
TD lowerright = new TD().setHeight("100%").setVAlign("top").setAlign("left").addElement(form); {
TR row = new TR().addElement(lowerright); // call createContent first so messages will go somewhere
Table layout = new Table().setBgColor(HtmlColor.WHITE).setCellSpacing(0).setCellPadding(0).setBorder(0);
Form form = new Form("attack", Form.POST).setName("form").setEncType("");
layout.addElement(row);
form.addElement(wrapForm(s));
setContent(layout);
} TD lowerright = new TD().setHeight("100%").setVAlign("top").setAlign("left").addElement(form);
TR row = new TR().addElement(lowerright);
protected Element wrapForm(WebSession s) Table layout = new Table().setBgColor(HtmlColor.WHITE).setCellSpacing(0).setCellPadding(0).setBorder(0);
{
if (s == null) { return new StringElement("Invalid Session"); } layout.addElement(row);
Table container = new Table().setWidth("100%").setCellSpacing(10).setCellPadding(0).setBorder(0); setContent(layout);
}
// CreateContent can generate error messages so you MUST call it before makeMessages()
Element content = createContent(s); /**
container.addElement(new TR().addElement(new TD().setColSpan(2).setVAlign("TOP").addElement(makeMessages(s)))); * <p>wrapForm.</p>
container.addElement(new TR().addElement(new TD().setColSpan(2).addElement(content))); *
container.addElement(new TR()); * @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link org.apache.ecs.Element} object.
return (container); */
} protected Element wrapForm(WebSession s)
{
/** if (s == null) { return new StringElement("Invalid Session"); }
* Description of the Method
* Table container = new Table().setWidth("100%").setCellSpacing(10).setCellPadding(0).setBorder(0);
* @param s
* Description of the Parameter // CreateContent can generate error messages so you MUST call it before makeMessages()
* @return Description of the Return Value Element content = createContent(s);
*/ container.addElement(new TR().addElement(new TD().setColSpan(2).setVAlign("TOP").addElement(makeMessages(s))));
protected Element createContent(WebSession s) container.addElement(new TR().addElement(new TD().setColSpan(2).addElement(content)));
{ container.addElement(new TR());
ElementContainer ec = new ElementContainer();
Element b = ECSFactory.makeButton("Start the Course!"); return (container);
ec.addElement(new Center(b)); }
return (ec); /**
} * {@inheritDoc}
*
/** * Description of the Method
* Gets the instructions attribute of the WelcomeScreen object */
* protected Element createContent(WebSession s)
* @return The instructions value {
*/ ElementContainer ec = new ElementContainer();
protected String getInstructions() Element b = ECSFactory.makeButton("Start the Course!");
{ ec.addElement(new Center(b));
String instructions = "Enter your name and learn how HTTP really works!";
return (ec);
return (instructions); }
}
/**
/** * Gets the instructions attribute of the WelcomeScreen object
* Gets the title attribute of the WelcomeScreen object *
* * @return The instructions value
* @return The title value */
*/ protected String getInstructions()
public String getTitle() {
{ String instructions = "Enter your name and learn how HTTP really works!";
return ("Welcome to the Penetration Testing Course");
} return (instructions);
}
/*
* (non-Javadoc) /**
* @see session.Screen#getRole() * Gets the title attribute of the WelcomeScreen object
*/ *
public String getRole() * @return The title value
{ */
return AbstractLesson.USER_ROLE; public String getTitle()
} {
} return ("Welcome to the Penetration Testing Course");
}
/*
* (non-Javadoc)
* @see session.Screen#getRole()
*/
/**
* <p>getRole.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getRole()
{
return AbstractLesson.USER_ROLE;
}
}
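Review bot: The new Javadoc on `getRole()` is stacked directly on top of the old `/* (non-Javadoc) @see session.Screen#getRole() */` block, so the method now carries two contradictory comments; drop the `(non-Javadoc)` block and use `{@inheritDoc}` in the new Javadoc instead of the placeholder `<p>getRole.</p>`. The rewritten file header turns `@created October 28, 2003` into `@since October 28, 2003`, although `@since` expects a release or version, and adds `@version $Id: $Id`, an unexpanded CVS keyword that git will never fill in; the same header pattern, including the carried-over `2002 - 20014` copyright typo, is repeated in the AdminScreen, ProductsAdminScreen, RefreshDBScreen and ReportCardScreen sections below. The generated placeholders (`Description of the Parameter`, `a {@link org.owasp.webgoat.session.WebSession} object.`) add no information; a one-line statement such as `@param s the current session, used to build the screen content and messages` would. Visible on the new side though not introduced by this change: the `WelcomeScreen(WebSession s)` constructor calls the public, overridable `setup(s)`, which a subclass override could observe before its own fields are initialised; making `setup` final or private would close that.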


@ -1,104 +1,111 @@
package org.owasp.webgoat.lessons.admin; package org.owasp.webgoat.lessons.admin;
import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.session.Screen; import org.owasp.webgoat.session.Screen;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
/*************************************************************************************************** /**
* *************************************************************************************************
* *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, *
* please see http://www.owasp.org/ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* * please see http://www.owasp.org/
* Copyright (c) 2002 - 20014 Bruce Mayhew *
* * Copyright (c) 2002 - 20014 Bruce Mayhew
* This program is free software; you can redistribute it and/or modify it under the terms of the *
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* License, or (at your option) any later version. * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* * License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without *
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* General Public License for more details. * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* * General Public License for more details.
* You should have received a copy of the GNU General Public License along with this program; if *
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * You should have received a copy of the GNU General Public License along with this program; if
* 02111-1307, USA. * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* * 02111-1307, USA.
* Getting Source ============== *
* * Getting Source ==============
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software *
* projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* * projects.
* For details, please see http://webgoat.github.io *
* * For details, please see http://webgoat.github.io
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a> *
* @created October 28, 2003 * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
*/ * @since October 28, 2003
public abstract class AdminScreen extends Screen * @version $Id: $Id
{ */
public abstract class AdminScreen extends Screen
/** {
* Description of the Field
*/ /**
protected String query = null; * Description of the Field
*/
/** protected String query = null;
* Constructor for the AdminScreen object
* /**
* @param s * Constructor for the AdminScreen object
* Description of the Parameter *
* @param q * @param s
* Description of the Parameter * Description of the Parameter
*/ * @param q
public AdminScreen(WebSession s, String q) * Description of the Parameter
{ */
setQuery(q); public AdminScreen(WebSession s, String q)
{
// setupAdmin(s); FIXME: what was this supposed to do? setQuery(q);
}
// setupAdmin(s); FIXME: what was this supposed to do?
/** }
* Constructor for the AdminScreen object
* /**
* @param s * Constructor for the AdminScreen object
* Description of the Parameter *
*/ * @param s
public AdminScreen(WebSession s) * Description of the Parameter
{ */
} public AdminScreen(WebSession s)
{
/** }
* Constructor for the AdminScreen object
*/ /**
public AdminScreen() * Constructor for the AdminScreen object
{ */
} public AdminScreen()
{
/** }
* Gets the title attribute of the AdminScreen object
* /**
* @return The title value * Gets the title attribute of the AdminScreen object
*/ *
public String getTitle() * @return The title value
{ */
return ("Admin Information"); public String getTitle()
} {
return ("Admin Information");
public String getRole() }
{
return AbstractLesson.ADMIN_ROLE; /**
} * <p>getRole.</p>
*
/** * @return a {@link java.lang.String} object.
* Sets the query attribute of the AdminScreen object */
* public String getRole()
* @param q {
* The new query value return AbstractLesson.ADMIN_ROLE;
*/ }
public void setQuery(String q)
{ /**
query = q; * Sets the query attribute of the AdminScreen object
} *
} * @param q
* The new query value
*/
public void setQuery(String q)
{
query = q;
}
}
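Review bot: The `AdminScreen(WebSession s, String q)` constructor near the top of the hunk calls the public, overridable `setQuery(q)`, which lets a subclass override run against a partially constructed object; assigning `this.query = q;` directly avoids that. The `s` parameter is accepted by two constructors and never used on the new side, and the commented-out `// setupAdmin(s); FIXME: what was this supposed to do?` line survived the documentation sweep, so either the FIXME should be resolved or the dead line deleted. The new `getRole()` Javadoc says only `<p>getRole.</p>`; `{@inheritDoc}` or `Returns the role required to view this screen; always {@code AbstractLesson.ADMIN_ROLE}.` would state the actual contract. The protected `query` field, documented only as `Description of the Field`, is mutable with a public setter but nothing in this hunk reads it, so the Javadoc should say what the string is for and which code consumes it.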


@ -1,121 +1,126 @@
package org.owasp.webgoat.lessons.admin; package org.owasp.webgoat.lessons.admin;
import java.sql.Connection; import java.sql.Connection;
import java.sql.ResultSet; import java.sql.ResultSet;
import java.sql.ResultSetMetaData; import java.sql.ResultSetMetaData;
import java.sql.Statement; import java.sql.Statement;
import org.apache.ecs.Element; import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer; import org.apache.ecs.ElementContainer;
import org.owasp.webgoat.lessons.Category; import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.LessonAdapter; import org.owasp.webgoat.lessons.LessonAdapter;
import org.owasp.webgoat.session.DatabaseUtilities; import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
/*************************************************************************************************** /**
* *************************************************************************************************
* *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, *
* please see http://www.owasp.org/ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* * please see http://www.owasp.org/
* Copyright (c) 2002 - 20014 Bruce Mayhew *
* * Copyright (c) 2002 - 20014 Bruce Mayhew
* This program is free software; you can redistribute it and/or modify it under the terms of the *
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* License, or (at your option) any later version. * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* * License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without *
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* General Public License for more details. * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* * General Public License for more details.
* You should have received a copy of the GNU General Public License along with this program; if *
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * You should have received a copy of the GNU General Public License along with this program; if
* 02111-1307, USA. * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* * 02111-1307, USA.
* Getting Source ============== *
* * Getting Source ==============
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software *
* projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* * projects.
* For details, please see http://webgoat.github.io *
* * For details, please see http://webgoat.github.io
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a> *
* @created October 28, 2003 * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
*/ * @since October 28, 2003
public class ProductsAdminScreen extends LessonAdapter * @version $Id: $Id
{ */
public class ProductsAdminScreen extends LessonAdapter
private final static String QUERY = "SELECT * FROM product_system_data"; {
/** private final static String QUERY = "SELECT * FROM product_system_data";
* Description of the Method
* /**
* @param s * {@inheritDoc}
* Description of the Parameter *
* @return Description of the Return Value * Description of the Method
*/ */
protected Element createContent(WebSession s) protected Element createContent(WebSession s)
{ {
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
try try
{ {
Connection connection = DatabaseUtilities.getConnection(s); Connection connection = DatabaseUtilities.getConnection(s);
Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY); ResultSet.CONCUR_READ_ONLY);
ResultSet results = statement.executeQuery(QUERY); ResultSet results = statement.executeQuery(QUERY);
if (results != null) if (results != null)
{ {
makeSuccess(s); makeSuccess(s);
ResultSetMetaData resultsMetaData = results.getMetaData(); ResultSetMetaData resultsMetaData = results.getMetaData();
ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData)); ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData));
} }
} catch (Exception e) } catch (Exception e)
{ {
s.setMessage("Error generating " + this.getClass().getName()); s.setMessage("Error generating " + this.getClass().getName());
e.printStackTrace(); e.printStackTrace();
} }
return (ec); return (ec);
} }
/** /**
* Gets the category attribute of the ProductsAdminScreen object * Gets the category attribute of the ProductsAdminScreen object
* *
* @return The category value * @return The category value
*/ */
protected Category getDefaultCategory() protected Category getDefaultCategory()
{ {
return Category.ADMIN_FUNCTIONS; return Category.ADMIN_FUNCTIONS;
} }
/** /**
* Gets the role attribute of the ProductsAdminScreen object * Gets the role attribute of the ProductsAdminScreen object
* *
* @return The role value * @return The role value
*/ */
public String getRole() public String getRole()
{ {
return HACKED_ADMIN_ROLE; return HACKED_ADMIN_ROLE;
} }
/** /**
* Gets the title attribute of the ProductsAdminScreen object * Gets the title attribute of the ProductsAdminScreen object
* *
* @return The title value * @return The title value
*/ */
public String getTitle() public String getTitle()
{ {
return ("Product Information"); return ("Product Information");
} }
private final static Integer DEFAULT_RANKING = new Integer(1000); private final static Integer DEFAULT_RANKING = new Integer(1000);
protected Integer getDefaultRanking() /**
{ * <p>getDefaultRanking.</p>
return DEFAULT_RANKING; *
} * @return a {@link java.lang.Integer} object.
} */
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
}
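Review bot: `createContent` on the new side still opens a `Statement` at `connection.createStatement(...)` and a `ResultSet` at `statement.executeQuery(QUERY)` and never closes either, so the JDBC handles leak on every call; if the build targets Java 7 or later both should be held in a try-with-resources (the `Connection` comes from `DatabaseUtilities.getConnection(s)`, so whether it is caller-owned is not visible here and I have left it alone). The `if (results != null)` check is dead, since `executeQuery` never returns null under the JDBC contract, and `catch (Exception e)` followed by `e.printStackTrace()` sends the trace to the container's stderr rather than the application log; `s.setMessage` already gives the user a message, so the exception with its cause belongs in the logger. `new Integer(1000)` for `DEFAULT_RANKING` should be `Integer.valueOf(1000)`; the same line appears in the RefreshDBScreen and ReportCardScreen sections.
```java
protected Element createContent(WebSession s)
{
    ElementContainer ec = new ElementContainer();
    try
    {
        Connection connection = DatabaseUtilities.getConnection(s);
        // Statement and ResultSet are released on every path; the Connection's
        // ownership belongs to DatabaseUtilities and is not changed here.
        try (Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
                ResultSet.CONCUR_READ_ONLY);
             ResultSet results = statement.executeQuery(QUERY))
        {
            makeSuccess(s);
            ec.addElement(DatabaseUtilities.writeTable(results, results.getMetaData()));
        }
    } catch (Exception e)
    {
        // … unchanged: s.setMessage(...) and error reporting …
    }
    return (ec);
}
```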


@ -1,157 +1,162 @@
package org.owasp.webgoat.lessons.admin; package org.owasp.webgoat.lessons.admin;
import java.sql.Connection; import java.sql.Connection;
import org.owasp.webgoat.lessons.*; import org.owasp.webgoat.lessons.*;
import org.apache.ecs.Element; import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer; import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement; import org.apache.ecs.StringElement;
import org.apache.ecs.html.A; import org.apache.ecs.html.A;
import org.apache.ecs.html.TD; import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR; import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table; import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.*; import org.owasp.webgoat.session.*;
/*************************************************************************************************** /**
* *************************************************************************************************
* *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, *
* please see http://www.owasp.org/ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* * please see http://www.owasp.org/
* Copyright (c) 2002 - 20014 Bruce Mayhew *
* * Copyright (c) 2002 - 20014 Bruce Mayhew
* This program is free software; you can redistribute it and/or modify it under the terms of the *
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* License, or (at your option) any later version. * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* * License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without *
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* General Public License for more details. * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* * General Public License for more details.
* You should have received a copy of the GNU General Public License along with this program; if *
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * You should have received a copy of the GNU General Public License along with this program; if
* 02111-1307, USA. * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* * 02111-1307, USA.
* Getting Source ============== *
* * Getting Source ==============
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software *
* projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* * projects.
* For details, please see http://webgoat.github.io *
* * For details, please see http://webgoat.github.io
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a> *
* @created October 28, 2003 * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
*/ * @since October 28, 2003
public class RefreshDBScreen extends LessonAdapter * @version $Id: $Id
{ */
public class RefreshDBScreen extends LessonAdapter
private final static String REFRESH = "Refresh"; {
/** private final static String REFRESH = "Refresh";
* Description of the Method
* /**
* @param s * {@inheritDoc}
* Description of the Parameter *
* @return Description of the Return Value * Description of the Method
*/ */
protected Element createContent(WebSession s) protected Element createContent(WebSession s)
{ {
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
try try
{ {
boolean refresh = s.getParser().getBooleanParameter(REFRESH, false); boolean refresh = s.getParser().getBooleanParameter(REFRESH, false);
if (refresh) if (refresh)
{ {
refreshDB(s); refreshDB(s);
ec.addElement(new StringElement("Successfully refreshed the database.")); ec.addElement(new StringElement("Successfully refreshed the database."));
} }
else else
{ {
Element label = new StringElement("Refresh the database? "); Element label = new StringElement("Refresh the database? ");
A link1 = ECSFactory.makeLink("Yes", REFRESH, true); A link1 = ECSFactory.makeLink("Yes", REFRESH, true);
A link2 = ECSFactory.makeLink("No", REFRESH, false); A link2 = ECSFactory.makeLink("No", REFRESH, false);
TD td1 = new TD().addElement(label); TD td1 = new TD().addElement(label);
TD td2 = new TD().addElement(link1); TD td2 = new TD().addElement(link1);
TD td3 = new TD().addElement(link2); TD td3 = new TD().addElement(link2);
TR row = new TR().addElement(td1).addElement(td2).addElement(td3); TR row = new TR().addElement(td1).addElement(td2).addElement(td3);
Table t = new Table().setCellSpacing(40).setWidth("50%"); Table t = new Table().setCellSpacing(40).setWidth("50%");
if (s.isColor()) if (s.isColor())
{ {
t.setBorder(1); t.setBorder(1);
} }
t.addElement(row); t.addElement(row);
ec.addElement(t); ec.addElement(t);
} }
} catch (Exception e) } catch (Exception e)
{ {
s.setMessage("Error generating " + this.getClass().getName()); s.setMessage("Error generating " + this.getClass().getName());
e.printStackTrace(); e.printStackTrace();
} }
return (ec); return (ec);
} }
/** /**
* Gets the category attribute of the RefreshDBScreen object * Gets the category attribute of the RefreshDBScreen object
* *
* @return The category value * @return The category value
*/ */
protected Category getDefaultCategory() protected Category getDefaultCategory()
{ {
return Category.ADMIN_FUNCTIONS; return Category.ADMIN_FUNCTIONS;
} }
private final static Integer DEFAULT_RANKING = new Integer(1000); private final static Integer DEFAULT_RANKING = new Integer(1000);
protected Integer getDefaultRanking() /**
{ * <p>getDefaultRanking.</p>
return DEFAULT_RANKING; *
} * @return a {@link java.lang.Integer} object.
*/
/** protected Integer getDefaultRanking()
* Gets the role attribute of the RefreshDBScreen object {
* return DEFAULT_RANKING;
* @return The role value }
*/
public String getRole() /**
{ * Gets the role attribute of the RefreshDBScreen object
return ADMIN_ROLE; *
} * @return The role value
*/
/** public String getRole()
* Gets the title attribute of the RefreshDBScreen object {
* return ADMIN_ROLE;
* @return The title value }
*/
public String getTitle() /**
{ * Gets the title attribute of the RefreshDBScreen object
return ("Refresh Database"); *
} * @return The title value
*/
/** public String getTitle()
* Description of the Method {
* return ("Refresh Database");
* @param s }
* Description of the Parameter
*/ /**
public void refreshDB(WebSession s) * Description of the Method
{ *
try * @param s
{ * Description of the Parameter
Connection connection = DatabaseUtilities.getConnection(s); */
public void refreshDB(WebSession s)
CreateDB db = new CreateDB(); {
db.makeDB(connection); try
System.out.println("Successfully refreshed the database."); {
} catch (Exception e) Connection connection = DatabaseUtilities.getConnection(s);
{
s.setMessage("Error refreshing database " + this.getClass().getName()); CreateDB db = new CreateDB();
e.printStackTrace(); db.makeDB(connection);
} System.out.println("Successfully refreshed the database.");
} } catch (Exception e)
} {
s.setMessage("Error refreshing database " + this.getClass().getName());
e.printStackTrace();
}
}
}
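Review bot: `createContent` on the new side runs the destructive `refreshDB(s)` as soon as `s.getParser().getBooleanParameter(REFRESH, false)` is true, and the `Yes` control is built with `ECSFactory.makeLink("Yes", REFRESH, true)`, which (judging by the `A` return type) renders a plain anchor, so the database reset appears to be triggered by a GET request carrying only a `Refresh=true` parameter and no confirmation token; a state-changing admin action should be submitted as a POST form with a CSRF token (if the container provides one), and `refreshDB` should re-check the admin role itself rather than relying on `getRole()` alone. `refreshDB` reports success with `System.out.println` and failure with `e.printStackTrace()`; both belong in the logger, with the exception logged with its cause and the user-facing `s.setMessage` text left as it is. `public void refreshDB(WebSession s)` is also wider than this file needs — if no other class calls it, `protected` would stop other lessons from invoking a full database reset by accident.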


@ -1,294 +1,297 @@
package org.owasp.webgoat.lessons.admin; package org.owasp.webgoat.lessons.admin;
import java.util.Iterator; import java.util.Iterator;
import org.apache.ecs.Element; import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer; import org.apache.ecs.ElementContainer;
import org.apache.ecs.HtmlColor; import org.apache.ecs.HtmlColor;
import org.apache.ecs.StringElement; import org.apache.ecs.StringElement;
import org.apache.ecs.html.Center; import org.apache.ecs.html.Center;
import org.apache.ecs.html.H2; import org.apache.ecs.html.H2;
import org.apache.ecs.html.TD; import org.apache.ecs.html.TD;
import org.apache.ecs.html.TH; import org.apache.ecs.html.TH;
import org.apache.ecs.html.TR; import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table; import org.apache.ecs.html.Table;
import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Category; import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.LessonAdapter; import org.owasp.webgoat.lessons.LessonAdapter;
import org.owasp.webgoat.session.LessonTracker; import org.owasp.webgoat.session.LessonTracker;
import org.owasp.webgoat.session.Screen; import org.owasp.webgoat.session.Screen;
import org.owasp.webgoat.session.UserTracker; import org.owasp.webgoat.session.UserTracker;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
/*************************************************************************************************** /**
* *************************************************************************************************
* *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, *
* please see http://www.owasp.org/ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* * please see http://www.owasp.org/
* Copyright (c) 2002 - 20014 Bruce Mayhew *
* * Copyright (c) 2002 - 20014 Bruce Mayhew
* This program is free software; you can redistribute it and/or modify it under the terms of the *
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* License, or (at your option) any later version. * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* * License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without *
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* General Public License for more details. * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* * General Public License for more details.
* You should have received a copy of the GNU General Public License along with this program; if *
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * You should have received a copy of the GNU General Public License along with this program; if
* 02111-1307, USA. * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* * 02111-1307, USA.
* Getting Source ============== *
* * Getting Source ==============
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software *
* projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* * projects.
* For details, please see http://webgoat.github.io *
* * For details, please see http://webgoat.github.io
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a> *
* @created October 28, 2003 * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
*/ * @since October 28, 2003
public class ReportCardScreen extends LessonAdapter * @version $Id: $Id
{ */
public class ReportCardScreen extends LessonAdapter
/** {
* Description of the Field
*/ /**
protected final static String USERNAME = "Username"; * Description of the Field
*/
/** protected final static String USERNAME = "Username";
* Description of the Method
* /**
* @param s * {@inheritDoc}
* Description of the Parameter *
* @return Description of the Return Value * Description of the Method
*/ */
protected Element createContent(WebSession s) protected Element createContent(WebSession s)
{ {
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
String user = null; String user = null;
try try
{ {
if (s.getRequest().isUserInRole(WebSession.WEBGOAT_ADMIN)) if (s.getRequest().isUserInRole(WebSession.WEBGOAT_ADMIN))
{ {
user = s.getParser().getRawParameter(USERNAME); user = s.getParser().getRawParameter(USERNAME);
} }
else else
{ {
user = s.getUserName(); user = s.getUserName();
} }
} catch (Exception e) } catch (Exception e)
{ {
} }
if (user == null) if (user == null)
{ {
user = s.getUserName(); user = s.getUserName();
} }
ec.addElement(makeFeedback(s)); ec.addElement(makeFeedback(s));
ec.addElement(makeReportCard(s, user)); ec.addElement(makeReportCard(s, user));
return ec; return ec;
} }
private Element makeFeedback(WebSession s) private Element makeFeedback(WebSession s)
{ {
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
ec.addElement(new StringElement("Comments and suggestions are welcome. " ec.addElement(new StringElement("Comments and suggestions are welcome. "
+ getWebgoatContext().getFeedbackAddressHTML() + "<br><br>")); + getWebgoatContext().getFeedbackAddressHTML() + "<br><br>"));
return ec; return ec;
} }
/** /**
* Gets the category attribute of the UserAdminScreen object * Gets the category attribute of the UserAdminScreen object
* *
* @return The category value * @return The category value
*/ */
protected Category getDefaultCategory() protected Category getDefaultCategory()
{ {
return Category.ADMIN_FUNCTIONS; return Category.ADMIN_FUNCTIONS;
} }
private final static Integer DEFAULT_RANKING = new Integer(1000); private final static Integer DEFAULT_RANKING = new Integer(1000);
protected Integer getDefaultRanking() /**
{ * <p>getDefaultRanking.</p>
return DEFAULT_RANKING; *
} * @return a {@link java.lang.Integer} object.
*/
/** protected Integer getDefaultRanking()
* Gets the role attribute of the UserAdminScreen object {
* return DEFAULT_RANKING;
* @return The role value }
*/
public String getRole() /**
{ * Gets the role attribute of the UserAdminScreen object
return USER_ROLE; *
} * @return The role value
*/
/** public String getRole()
* Gets the title attribute of the UserAdminScreen object {
* return USER_ROLE;
* @return The title value }
*/
public String getTitle() /**
{ * Gets the title attribute of the UserAdminScreen object
return ("Report Card"); *
} * @return The title value
*/
/** public String getTitle()
* Description of the Method {
* return ("Report Card");
* @param screen }
* Description of the Parameter
* @param s /**
* Description of the Parameter * Description of the Method
* @param user *
* Description of the Parameter * @param screen
* @return Description of the Return Value * Description of the Parameter
*/ * @param s
private TR makeLessonRow(WebSession s, String user, Screen screen) * Description of the Parameter
{ * @param user
LessonTracker lessonTracker = UserTracker.instance().getLessonTracker(s, user, screen); * Description of the Parameter
TR tr = new TR(); * @return Description of the Return Value
if (lessonTracker.getCompleted()) */
{ private TR makeLessonRow(WebSession s, String user, Screen screen)
tr.setBgColor(HtmlColor.LIGHTGREEN); {
} LessonTracker lessonTracker = UserTracker.instance().getLessonTracker(s, user, screen);
else if (lessonTracker.getNumVisits() == 0) TR tr = new TR();
{ if (lessonTracker.getCompleted())
tr.setBgColor(HtmlColor.LIGHTBLUE); {
} tr.setBgColor(HtmlColor.LIGHTGREEN);
else if (!lessonTracker.getCompleted() && lessonTracker.getNumVisits() > 10) }
{ else if (lessonTracker.getNumVisits() == 0)
tr.setBgColor(HtmlColor.RED); {
} tr.setBgColor(HtmlColor.LIGHTBLUE);
else }
{ else if (!lessonTracker.getCompleted() && lessonTracker.getNumVisits() > 10)
tr.setBgColor(HtmlColor.YELLOW); {
} tr.setBgColor(HtmlColor.RED);
tr.addElement(new TD().addElement(screen.getTitle())); }
tr.addElement(new TD().setAlign("CENTER").addElement(lessonTracker.getCompleted() ? "Y" : "N")); else
tr.addElement(new TD().setAlign("CENTER").addElement(Integer.toString(lessonTracker.getNumVisits()))); {
tr.addElement(new TD().setAlign("CENTER").addElement(Integer.toString(lessonTracker.getMaxHintLevel()))); tr.setBgColor(HtmlColor.YELLOW);
return tr; }
} tr.addElement(new TD().addElement(screen.getTitle()));
tr.addElement(new TD().setAlign("CENTER").addElement(lessonTracker.getCompleted() ? "Y" : "N"));
/** tr.addElement(new TD().setAlign("CENTER").addElement(Integer.toString(lessonTracker.getNumVisits())));
* Description of the Method tr.addElement(new TD().setAlign("CENTER").addElement(Integer.toString(lessonTracker.getMaxHintLevel())));
* return tr;
* @param s }
* Description of the Parameter
* @return Description of the Return Value /**
*/ * {@inheritDoc}
protected Element makeMessages(WebSession s) *
{ * Description of the Method
ElementContainer ec = new ElementContainer(); */
protected Element makeMessages(WebSession s)
return (ec); {
} ElementContainer ec = new ElementContainer();
/** return (ec);
* Description of the Method }
*
* @param s /**
* Description of the Parameter * Description of the Method
* @param user *
* Description of the Parameter * @param s
* @return Description of the Return Value * Description of the Parameter
*/ * @param user
public Element makeReportCard(WebSession s, String user) * Description of the Parameter
{ * @return Description of the Return Value
ElementContainer ec = new ElementContainer(); */
public Element makeReportCard(WebSession s, String user)
ec.addElement(makeUser(s, user)); {
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1); ElementContainer ec = new ElementContainer();
if (s.isColor()) ec.addElement(makeUser(s, user));
{ Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1);
t.setBorder(1);
} if (s.isColor())
TR tr = new TR(); {
t.addElement(makeUserHeaderRow()); t.setBorder(1);
}
// These are all the user lesson TR tr = new TR();
tr = new TR(); t.addElement(makeUserHeaderRow());
tr.addElement(new TD().setAlign("CENTER").setColSpan(9).addElement("Normal user lessons"));
t.addElement(tr); // These are all the user lesson
for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.USER_ROLE).iterator(); lessonIter tr = new TR();
.hasNext();) tr.addElement(new TD().setAlign("CENTER").setColSpan(9).addElement("Normal user lessons"));
{ t.addElement(tr);
Screen screen = (Screen) lessonIter.next(); for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.USER_ROLE).iterator(); lessonIter
t.addElement(makeLessonRow(s, user, screen)); .hasNext();)
} {
Screen screen = (Screen) lessonIter.next();
// The user figured out there was a hackable admin acocunt t.addElement(makeLessonRow(s, user, screen));
tr = new TR(); }
tr.addElement(new TD().setAlign("CENTER").setColSpan(9).addElement("Hackable Admin Screens"));
t.addElement(tr); // The user figured out there was a hackable admin acocunt
for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.HACKED_ADMIN_ROLE).iterator(); lessonIter tr = new TR();
.hasNext();) tr.addElement(new TD().setAlign("CENTER").setColSpan(9).addElement("Hackable Admin Screens"));
{ t.addElement(tr);
Screen screen = (Screen) lessonIter.next(); for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.HACKED_ADMIN_ROLE).iterator(); lessonIter
t.addElement(makeLessonRow(s, user, screen)); .hasNext();)
} {
Screen screen = (Screen) lessonIter.next();
// The user figured out how to actually hack the admin acocunt t.addElement(makeLessonRow(s, user, screen));
tr = new TR(); }
tr.addElement(new TD().setAlign("CENTER").setColSpan(9).addElement("Actual Admin Screens"));
t.addElement(tr); // The user figured out how to actually hack the admin acocunt
for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.ADMIN_ROLE).iterator(); lessonIter tr = new TR();
.hasNext();) tr.addElement(new TD().setAlign("CENTER").setColSpan(9).addElement("Actual Admin Screens"));
{ t.addElement(tr);
Screen screen = (Screen) lessonIter.next(); for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.ADMIN_ROLE).iterator(); lessonIter
t.addElement(makeLessonRow(s, user, screen)); .hasNext();)
} {
Screen screen = (Screen) lessonIter.next();
ec.addElement(t); t.addElement(makeLessonRow(s, user, screen));
return (ec); }
}
ec.addElement(t);
/** return (ec);
* Description of the Method }
*
* @param s /**
* Description of the Parameter * Description of the Method
* @param user *
* Description of the Parameter * @param s
* @return Description of the Return Value * Description of the Parameter
*/ * @param user
protected Element makeUser(WebSession s, String user) * Description of the Parameter
{ * @return Description of the Return Value
H2 h2 = new H2(); */
// FIXME: The session is the current session, not the session of the user we are reporting. protected Element makeUser(WebSession s, String user)
// String type = s.isAdmin() ? " [Administrative User]" : s.isHackedAdmin() ? {
// " [Normal User - Hacked Admin Access]" : " [Normal User]"; H2 h2 = new H2();
String type = ""; // FIXME: The session is the current session, not the session of the user we are reporting.
h2.addElement(new StringElement("Results for: " + user + type)); // String type = s.isAdmin() ? " [Administrative User]" : s.isHackedAdmin() ?
return h2; // " [Normal User - Hacked Admin Access]" : " [Normal User]";
} String type = "";
h2.addElement(new StringElement("Results for: " + user + type));
/** return h2;
* Description of the Method }
*
* @return Description of the Return Value /**
*/ * Description of the Method
private TR makeUserHeaderRow() *
{ * @return Description of the Return Value
TR tr = new TR(); */
private TR makeUserHeaderRow()
tr.addElement(new TH("Lesson")); {
tr.addElement(new TH("Complete")); TR tr = new TR();
tr.addElement(new TH("Visits"));
tr.addElement(new TH("Hints")); tr.addElement(new TH("Lesson"));
tr.addElement(new TH("Complete"));
return tr; tr.addElement(new TH("Visits"));
} tr.addElement(new TH("Hints"));
}
return tr;
}
}


@ -1,314 +1,328 @@
package org.owasp.webgoat.lessons.admin; package org.owasp.webgoat.lessons.admin;
import java.util.Enumeration; import java.util.Enumeration;
import java.util.Iterator; import java.util.Iterator;
import org.apache.ecs.Element; import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer; import org.apache.ecs.ElementContainer;
import org.apache.ecs.HtmlColor; import org.apache.ecs.HtmlColor;
import org.apache.ecs.html.Center; import org.apache.ecs.html.Center;
import org.apache.ecs.html.Input; import org.apache.ecs.html.Input;
import org.apache.ecs.html.P; import org.apache.ecs.html.P;
import org.apache.ecs.html.TD; import org.apache.ecs.html.TD;
import org.apache.ecs.html.TH; import org.apache.ecs.html.TH;
import org.apache.ecs.html.TR; import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table; import org.apache.ecs.html.Table;
import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Category; import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.LessonAdapter; import org.owasp.webgoat.lessons.LessonAdapter;
import org.owasp.webgoat.session.LessonTracker; import org.owasp.webgoat.session.LessonTracker;
import org.owasp.webgoat.session.Screen; import org.owasp.webgoat.session.Screen;
import org.owasp.webgoat.session.UserTracker; import org.owasp.webgoat.session.UserTracker;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
/*************************************************************************************************** /**
* *************************************************************************************************
* *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, *
* please see http://www.owasp.org/ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* * please see http://www.owasp.org/
* Copyright (c) 2002 - 20014 Bruce Mayhew *
* * Copyright (c) 2002 - 20014 Bruce Mayhew
* This program is free software; you can redistribute it and/or modify it under the terms of the *
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* License, or (at your option) any later version. * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* * License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without *
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* General Public License for more details. * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* * General Public License for more details.
* You should have received a copy of the GNU General Public License along with this program; if *
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * You should have received a copy of the GNU General Public License along with this program; if
* 02111-1307, USA. * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* * 02111-1307, USA.
* Getting Source ============== *
* * Getting Source ==============
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software *
* projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* * projects.
* For details, please see http://webgoat.github.io *
* * For details, please see http://webgoat.github.io
* @author Bruce mayhew <a href="http://code.google.com">WebGoat</a> *
* @created October 28, 2003 * @author Bruce mayhew <a href="http://code.google.com">WebGoat</a>
*/ * @since October 28, 2003
public class SummaryReportCardScreen extends LessonAdapter * @version $Id: $Id
{ */
public class SummaryReportCardScreen extends LessonAdapter
private int totalUsersNormalComplete = 0; {
private int totalUsersAdminComplete = 0; private int totalUsersNormalComplete = 0;
/** private int totalUsersAdminComplete = 0;
* Description of the Method
* /**
* @param s * {@inheritDoc}
* Description of the Parameter *
* @return Description of the Return Value * Description of the Method
*/ */
protected Element createContent(WebSession s) protected Element createContent(WebSession s)
{ {
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
String selectedUser = null; String selectedUser = null;
try try
{ {
if (s.getRequest().isUserInRole(WebSession.WEBGOAT_ADMIN)) if (s.getRequest().isUserInRole(WebSession.WEBGOAT_ADMIN))
{ {
Enumeration e = s.getParser().getParameterNames(); Enumeration e = s.getParser().getParameterNames();
while (e.hasMoreElements()) while (e.hasMoreElements())
{ {
String key = (String) e.nextElement(); String key = (String) e.nextElement();
if (key.startsWith("View_")) if (key.startsWith("View_"))
{ {
selectedUser = key.substring("View_".length()); selectedUser = key.substring("View_".length());
ReportCardScreen reportCard = new ReportCardScreen(); ReportCardScreen reportCard = new ReportCardScreen();
return reportCard.makeReportCard(s, selectedUser); return reportCard.makeReportCard(s, selectedUser);
} }
if (key.startsWith("Delete_")) if (key.startsWith("Delete_"))
{ {
selectedUser = key.substring("Delete_".length()); selectedUser = key.substring("Delete_".length());
deleteUser(selectedUser); deleteUser(selectedUser);
} }
} }
} }
} catch (Exception e) } catch (Exception e)
{ {
e.printStackTrace(); e.printStackTrace();
} }
ec.addElement(new Center().addElement(makeSummary(s))); ec.addElement(new Center().addElement(makeSummary(s)));
ec.addElement(new P()); ec.addElement(new P());
Table t = new Table().setCellSpacing(0).setCellPadding(4).setBorder(1).setWidth("100%"); Table t = new Table().setCellSpacing(0).setCellPadding(4).setBorder(1).setWidth("100%");
if (s.isColor()) if (s.isColor())
{ {
t.setBorder(1); t.setBorder(1);
} }
t.addElement(makeUserSummaryHeader()); t.addElement(makeUserSummaryHeader());
for (Iterator<String> userIter = UserTracker.instance().getAllUsers(WebSession.WEBGOAT_USER).iterator(); userIter for (Iterator<String> userIter = UserTracker.instance().getAllUsers(WebSession.WEBGOAT_USER).iterator(); userIter
.hasNext();) .hasNext();)
{ {
String user = userIter.next(); String user = userIter.next();
t.addElement(makeUserSummaryRow(s, user)); t.addElement(makeUserSummaryRow(s, user));
} }
ec.addElement(new Center().addElement(t)); ec.addElement(new Center().addElement(t));
return ec; return ec;
} }
protected Element makeSummary(WebSession s) /**
{ * <p>makeSummary.</p>
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("100%"); *
if (s.isColor()) * @param s a {@link org.owasp.webgoat.session.WebSession} object.
{ * @return a {@link org.apache.ecs.Element} object.
t.setBorder(1); */
} protected Element makeSummary(WebSession s)
TR tr = new TR(); {
// tr.addElement( new TH().addElement( "Summary").setColSpan(1)); Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("100%");
// t.addElement( tr ); if (s.isColor())
{
tr = new TR(); t.setBorder(1);
tr.addElement(new TD().setWidth("60%").addElement("Total number of users")); }
tr.addElement(new TD().setAlign("LEFT").addElement( TR tr = new TR();
Integer.toString(UserTracker.instance() // tr.addElement( new TH().addElement( "Summary").setColSpan(1));
.getAllUsers(WebSession.WEBGOAT_USER).size()))); // t.addElement( tr );
t.addElement(tr);
tr = new TR();
tr = new TR(); tr.addElement(new TD().setWidth("60%").addElement("Total number of users"));
tr.addElement(new TD().setWidth("60%").addElement("Total number of users that completed all normal lessons")); tr.addElement(new TD().setAlign("LEFT").addElement(
tr.addElement(new TD().setAlign("LEFT").addElement(Integer.toString(totalUsersNormalComplete))); Integer.toString(UserTracker.instance()
t.addElement(tr); .getAllUsers(WebSession.WEBGOAT_USER).size())));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().setWidth("60%").addElement("Total number of users that completed all admin lessons")); tr = new TR();
tr.addElement(new TD().setAlign("LEFT").addElement(Integer.toString(totalUsersAdminComplete))); tr.addElement(new TD().setWidth("60%").addElement("Total number of users that completed all normal lessons"));
t.addElement(tr); tr.addElement(new TD().setAlign("LEFT").addElement(Integer.toString(totalUsersNormalComplete)));
return t; t.addElement(tr);
}
tr = new TR();
private void deleteUser(String user) tr.addElement(new TD().setWidth("60%").addElement("Total number of users that completed all admin lessons"));
{ tr.addElement(new TD().setAlign("LEFT").addElement(Integer.toString(totalUsersAdminComplete)));
UserTracker.instance().deleteUser(user); t.addElement(tr);
} return t;
}
/**
* Gets the category attribute of the UserAdminScreen object private void deleteUser(String user)
* {
* @return The category value UserTracker.instance().deleteUser(user);
*/ }
protected Category getDefaultCategory()
{ /**
return Category.ADMIN_FUNCTIONS; * Gets the category attribute of the UserAdminScreen object
} *
* @return The category value
private final static Integer DEFAULT_RANKING = new Integer(1000); */
protected Category getDefaultCategory()
protected Integer getDefaultRanking() {
{ return Category.ADMIN_FUNCTIONS;
return DEFAULT_RANKING; }
}
private final static Integer DEFAULT_RANKING = new Integer(1000);
/**
* Gets the role attribute of the UserAdminScreen object /**
* * <p>getDefaultRanking.</p>
* @return The role value *
*/ * @return a {@link java.lang.Integer} object.
public String getRole() */
{ protected Integer getDefaultRanking()
return ADMIN_ROLE; {
} return DEFAULT_RANKING;
}
/**
* Gets the title attribute of the UserAdminScreen object /**
* * Gets the role attribute of the UserAdminScreen object
* @return The title value *
*/ * @return The role value
public String getTitle() */
{ public String getRole()
return ("Summary Report Card"); {
} return ADMIN_ROLE;
}
/**
* Description of the Method /**
* * Gets the title attribute of the UserAdminScreen object
* @param s *
* Description of the Parameter * @return The title value
* @return Description of the Return Value */
*/ public String getTitle()
protected Element makeMessages(WebSession s) {
{ return ("Summary Report Card");
ElementContainer ec = new ElementContainer(); }
return (ec); /**
} * {@inheritDoc}
*
/** * Description of the Method
* Description of the Method */
* protected Element makeMessages(WebSession s)
* @return Description of the Return Value {
*/ ElementContainer ec = new ElementContainer();
protected Element makeUserSummaryHeader()
{ return (ec);
TR tr = new TR(); }
tr.addElement(new TH("User Name")); /**
tr.addElement(new TH("Normal Complete")); * Description of the Method
tr.addElement(new TH("Admin Complete")); *
tr.addElement(new TH("View")); * @return Description of the Return Value
tr.addElement(new TH("Delete")); */
protected Element makeUserSummaryHeader()
return tr; {
} TR tr = new TR();
/** tr.addElement(new TH("User Name"));
* Description of the Method tr.addElement(new TH("Normal Complete"));
* tr.addElement(new TH("Admin Complete"));
* @param s tr.addElement(new TH("View"));
* Description of the Parameter tr.addElement(new TH("Delete"));
* @param user
* Description of the Parameter return tr;
* @return Description of the Return Value }
*/
protected Element makeUserSummaryRow(WebSession s, String user) /**
{ * Description of the Method
TR tr = new TR(); *
* @param s
tr.addElement(new TD().setAlign("LEFT").addElement(user)); * Description of the Parameter
int lessonCount = 0; * @param user
int passedCount = 0; * Description of the Parameter
boolean normalComplete = false; * @return Description of the Return Value
boolean adminComplete = false; */
protected Element makeUserSummaryRow(WebSession s, String user)
for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.USER_ROLE).iterator(); lessonIter {
.hasNext();) TR tr = new TR();
{
lessonCount++; tr.addElement(new TD().setAlign("LEFT").addElement(user));
Screen screen = (Screen) lessonIter.next(); int lessonCount = 0;
int passedCount = 0;
LessonTracker lessonTracker = UserTracker.instance().getLessonTracker(s, user, screen); boolean normalComplete = false;
if (lessonTracker.getCompleted()) boolean adminComplete = false;
{
passedCount++; for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.USER_ROLE).iterator(); lessonIter
} .hasNext();)
} {
if (lessonCount == passedCount) lessonCount++;
{ Screen screen = (Screen) lessonIter.next();
normalComplete = true;
totalUsersNormalComplete++; LessonTracker lessonTracker = UserTracker.instance().getLessonTracker(s, user, screen);
} if (lessonTracker.getCompleted())
String text = Integer.toString(passedCount) + " of " + Integer.toString(lessonCount); {
tr.addElement(new TD().setAlign("CENTER").addElement(text)); passedCount++;
}
lessonCount = 0; }
passedCount = 0; if (lessonCount == passedCount)
for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.HACKED_ADMIN_ROLE).iterator(); lessonIter {
.hasNext();) normalComplete = true;
{ totalUsersNormalComplete++;
lessonCount++; }
Screen screen = (Screen) lessonIter.next(); String text = Integer.toString(passedCount) + " of " + Integer.toString(lessonCount);
tr.addElement(new TD().setAlign("CENTER").addElement(text));
LessonTracker lessonTracker = UserTracker.instance().getLessonTracker(s, user, screen);
if (lessonTracker.getCompleted()) lessonCount = 0;
{ passedCount = 0;
passedCount++; for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.HACKED_ADMIN_ROLE).iterator(); lessonIter
} .hasNext();)
} {
if (lessonCount == passedCount) lessonCount++;
{ Screen screen = (Screen) lessonIter.next();
adminComplete = true;
totalUsersAdminComplete++; LessonTracker lessonTracker = UserTracker.instance().getLessonTracker(s, user, screen);
} if (lessonTracker.getCompleted())
text = Integer.toString(passedCount) + " of " + Integer.toString(lessonCount); {
tr.addElement(new TD().setAlign("CENTER").addElement(text)); passedCount++;
}
tr.addElement(new TD().setAlign("CENTER").addElement(new Input(Input.SUBMIT, "View_" + user, "View"))); }
tr.addElement(new TD().setAlign("CENTER").addElement(new Input(Input.SUBMIT, "Delete_" + user, "Delete"))); if (lessonCount == passedCount)
{
if (normalComplete && adminComplete) adminComplete = true;
{ totalUsersAdminComplete++;
tr.setBgColor(HtmlColor.GREEN); }
} text = Integer.toString(passedCount) + " of " + Integer.toString(lessonCount);
else if (normalComplete) tr.addElement(new TD().setAlign("CENTER").addElement(text));
{
tr.setBgColor(HtmlColor.LIGHTGREEN); tr.addElement(new TD().setAlign("CENTER").addElement(new Input(Input.SUBMIT, "View_" + user, "View")));
} tr.addElement(new TD().setAlign("CENTER").addElement(new Input(Input.SUBMIT, "Delete_" + user, "Delete")));
else
{ if (normalComplete && adminComplete)
tr.setBgColor(HtmlColor.LIGHTBLUE); {
} tr.setBgColor(HtmlColor.GREEN);
}
return (tr); else if (normalComplete)
} {
tr.setBgColor(HtmlColor.LIGHTGREEN);
public boolean isEnterprise() }
{ else
return true; {
} tr.setBgColor(HtmlColor.LIGHTBLUE);
} }
return (tr);
}
/**
* <p>isEnterprise.</p>
*
* @return a boolean.
*/
public boolean isEnterprise()
{
return true;
}
}
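Review bot: The totals shown by makeSummary are computed after the summary is rendered: createContent adds `makeSummary(s)` before the per-user loop, while `totalUsersNormalComplete` and `totalUsersAdminComplete` are only incremented inside makeUserSummaryRow, so the two "Total number of users that completed …" rows reflect the previous render, and because the fields are never reset they keep growing on every request for as long as this lesson instance lives. Reset both fields at the top of createContent (`totalUsersNormalComplete = 0; totalUsersAdminComplete = 0;`), build the user table first, and only then call `makeSummary(s)` and add it ahead of the table. The `Delete_` branch also removes whichever user name follows the prefix on any request carrying such a parameter name, with no confirmation and no anti-CSRF token; if that is not intended as lesson content, a token check belongs before `deleteUser(selectedUser)`. Separately, the `catch (Exception e)` around the parameter loop only calls `e.printStackTrace()`, so a failed delete is reported nowhere the administrator can see; `s.setMessage(...)`, as UserAdminScreen does in this same commit, would be consistent with the rest of the package.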


@ -1,121 +1,126 @@
package org.owasp.webgoat.lessons.admin; package org.owasp.webgoat.lessons.admin;
import java.sql.Connection; import java.sql.Connection;
import java.sql.ResultSet; import java.sql.ResultSet;
import java.sql.ResultSetMetaData; import java.sql.ResultSetMetaData;
import java.sql.Statement; import java.sql.Statement;
import org.apache.ecs.Element; import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer; import org.apache.ecs.ElementContainer;
import org.owasp.webgoat.lessons.Category; import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.LessonAdapter; import org.owasp.webgoat.lessons.LessonAdapter;
import org.owasp.webgoat.session.DatabaseUtilities; import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
/*************************************************************************************************** /**
* *************************************************************************************************
* *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, *
* please see http://www.owasp.org/ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* * please see http://www.owasp.org/
* Copyright (c) 2002 - 20014 Bruce Mayhew *
* * Copyright (c) 2002 - 20014 Bruce Mayhew
* This program is free software; you can redistribute it and/or modify it under the terms of the *
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* License, or (at your option) any later version. * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* * License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without *
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* General Public License for more details. * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* * General Public License for more details.
* You should have received a copy of the GNU General Public License along with this program; if *
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * You should have received a copy of the GNU General Public License along with this program; if
* 02111-1307, USA. * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* * 02111-1307, USA.
* Getting Source ============== *
* * Getting Source ==============
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software *
* projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* * projects.
* For details, please see http://webgoat.github.io *
* * For details, please see http://webgoat.github.io
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a> *
* @created October 28, 2003 * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
*/ * @since October 28, 2003
public class UserAdminScreen extends LessonAdapter * @version $Id: $Id
{ */
public class UserAdminScreen extends LessonAdapter
private final static String QUERY = "SELECT * FROM user_system_data"; {
/** private final static String QUERY = "SELECT * FROM user_system_data";
* Description of the Method
* /**
* @param s * {@inheritDoc}
* Description of the Parameter *
* @return Description of the Return Value * Description of the Method
*/ */
protected Element createContent(WebSession s) protected Element createContent(WebSession s)
{ {
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
try try
{ {
Connection connection = DatabaseUtilities.getConnection(s); Connection connection = DatabaseUtilities.getConnection(s);
Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY); ResultSet.CONCUR_READ_ONLY);
ResultSet results = statement.executeQuery(QUERY); ResultSet results = statement.executeQuery(QUERY);
if (results != null) if (results != null)
{ {
makeSuccess(s); makeSuccess(s);
ResultSetMetaData resultsMetaData = results.getMetaData(); ResultSetMetaData resultsMetaData = results.getMetaData();
ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData)); ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData));
} }
} catch (Exception e) } catch (Exception e)
{ {
s.setMessage("Error generating " + this.getClass().getName()); s.setMessage("Error generating " + this.getClass().getName());
e.printStackTrace(); e.printStackTrace();
} }
return (ec); return (ec);
} }
/** /**
* Gets the category attribute of the UserAdminScreen object * Gets the category attribute of the UserAdminScreen object
* *
* @return The category value * @return The category value
*/ */
protected Category getDefaultCategory() protected Category getDefaultCategory()
{ {
return Category.ADMIN_FUNCTIONS; return Category.ADMIN_FUNCTIONS;
} }
private final static Integer DEFAULT_RANKING = new Integer(1000); private final static Integer DEFAULT_RANKING = new Integer(1000);
protected Integer getDefaultRanking() /**
{ * <p>getDefaultRanking.</p>
return DEFAULT_RANKING; *
} * @return a {@link java.lang.Integer} object.
*/
/** protected Integer getDefaultRanking()
* Gets the role attribute of the UserAdminScreen object {
* return DEFAULT_RANKING;
* @return The role value }
*/
public String getRole() /**
{ * Gets the role attribute of the UserAdminScreen object
return HACKED_ADMIN_ROLE; *
} * @return The role value
*/
/** public String getRole()
* Gets the title attribute of the UserAdminScreen object {
* return HACKED_ADMIN_ROLE;
* @return The title value }
*/
public String getTitle() /**
{ * Gets the title attribute of the UserAdminScreen object
return ("User Information"); *
} * @return The title value
} */
public String getTitle()
{
return ("User Information");
}
}
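Review bot: createContent obtains a Connection and opens a Statement and ResultSet on the new side but closes none of them, on either the success or the exception path, so each rendering of this screen leaks a statement and cursor on the database side. If the build targets Java 7 or later, wrapping the Statement and ResultSet in try-with-resources fixes this without changing the visible output; the Connection is left alone below because it comes from DatabaseUtilities and its ownership is not visible in this hunk. The `if (results != null)` check is dead, since `executeQuery` never returns null, so the branch can be unconditional. Finally, the `catch (Exception e)` sets a generic message and calls `e.printStackTrace()`; logging the exception together with the query it came from would make the failure diagnosable.
```java
protected Element createContent(WebSession s)
{
    ElementContainer ec = new ElementContainer();
    try
    {
        Connection connection = DatabaseUtilities.getConnection(s);
        // Statement and ResultSet are closed on every exit path. The Connection is
        // presumably owned by DatabaseUtilities and is deliberately not closed here — confirm.
        try (Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
                ResultSet.CONCUR_READ_ONLY);
             ResultSet results = statement.executeQuery(QUERY))
        {
            makeSuccess(s);
            ResultSetMetaData resultsMetaData = results.getMetaData();
            ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData));
        }
    } catch (Exception e)
    // … unchanged: error message and stack trace …
```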


@ -1,162 +1,167 @@
package org.owasp.webgoat.lessons.admin; package org.owasp.webgoat.lessons.admin;
import java.sql.Connection; import java.sql.Connection;
import java.sql.ResultSet; import java.sql.ResultSet;
import java.sql.ResultSetMetaData; import java.sql.ResultSetMetaData;
import java.sql.Statement; import java.sql.Statement;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import org.owasp.webgoat.lessons.*; import org.owasp.webgoat.lessons.*;
import org.apache.ecs.Element; import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer; import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement; import org.apache.ecs.StringElement;
import org.apache.ecs.html.Input; import org.apache.ecs.html.Input;
import org.owasp.webgoat.session.*; import org.owasp.webgoat.session.*;
/*************************************************************************************************** /**
* *************************************************************************************************
* *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, *
* please see http://www.owasp.org/ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* * please see http://www.owasp.org/
* Copyright (c) 2002 - 20014 Bruce Mayhew *
* * Copyright (c) 2002 - 20014 Bruce Mayhew
* This program is free software; you can redistribute it and/or modify it under the terms of the *
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* License, or (at your option) any later version. * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* * License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without *
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* General Public License for more details. * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* * General Public License for more details.
* You should have received a copy of the GNU General Public License along with this program; if *
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * You should have received a copy of the GNU General Public License along with this program; if
* 02111-1307, USA. * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* * 02111-1307, USA.
* Getting Source ============== *
* * Getting Source ==============
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software *
* projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* * projects.
* For details, please see http://webgoat.github.io *
* * For details, please see http://webgoat.github.io
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a> *
* @created October 28, 2003 * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
*/ * @since October 28, 2003
public class ViewDatabase extends LessonAdapter * @version $Id: $Id
{ */
public class ViewDatabase extends LessonAdapter
private final static String SQL = "sql"; {
/** private final static String SQL = "sql";
* Description of the Method
* /**
* @param s * {@inheritDoc}
* Description of the Parameter *
* @return Description of the Return Value * Description of the Method
*/ */
protected Element createContent(WebSession s) protected Element createContent(WebSession s)
{ {
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
try try
{ {
ec.addElement(new StringElement("Enter a SQL statement: ")); ec.addElement(new StringElement("Enter a SQL statement: "));
StringBuffer sqlStatement = new StringBuffer(s.getParser().getRawParameter(SQL, "")); StringBuffer sqlStatement = new StringBuffer(s.getParser().getRawParameter(SQL, ""));
Input input = new Input(Input.TEXT, SQL, sqlStatement.toString()); Input input = new Input(Input.TEXT, SQL, sqlStatement.toString());
ec.addElement(input); ec.addElement(input);
Element b = ECSFactory.makeButton("Go!"); Element b = ECSFactory.makeButton("Go!");
ec.addElement(b); ec.addElement(b);
Connection connection = DatabaseUtilities.getConnection(s); Connection connection = DatabaseUtilities.getConnection(s);
if (sqlStatement.length() > 0) if (sqlStatement.length() > 0)
{ {
Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY); ResultSet.CONCUR_READ_ONLY);
ResultSet results = statement.executeQuery(sqlStatement.toString()); ResultSet results = statement.executeQuery(sqlStatement.toString());
if ((results != null) && (results.first() == true)) if ((results != null) && (results.first() == true))
{ {
makeSuccess(s); makeSuccess(s);
ResultSetMetaData resultsMetaData = results.getMetaData(); ResultSetMetaData resultsMetaData = results.getMetaData();
ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData)); ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData));
} }
} }
} catch (Exception e) } catch (Exception e)
{ {
s.setMessage("Error generating " + this.getClass().getName()); s.setMessage("Error generating " + this.getClass().getName());
e.printStackTrace(); e.printStackTrace();
} }
return (ec); return (ec);
} }
/** /**
* Gets the category attribute of the DatabaseScreen object * Gets the category attribute of the DatabaseScreen object
* *
* @return The category value * @return The category value
*/ */
protected Category getDefaultCategory() protected Category getDefaultCategory()
{ {
return Category.ADMIN_FUNCTIONS; return Category.ADMIN_FUNCTIONS;
} }
private final static Integer DEFAULT_RANKING = new Integer(1000); private final static Integer DEFAULT_RANKING = new Integer(1000);
protected Integer getDefaultRanking() /**
{ * <p>getDefaultRanking.</p>
return DEFAULT_RANKING; *
} * @return a {@link java.lang.Integer} object.
*/
/** protected Integer getDefaultRanking()
* Gets the hints attribute of the DatabaseScreen object {
* return DEFAULT_RANKING;
* @return The hints value }
*/
protected List<String> getHints(WebSession s) /**
{ * {@inheritDoc}
List<String> hints = new ArrayList<String>(); *
hints.add("There are no hints defined"); * Gets the hints attribute of the DatabaseScreen object
*/
return hints; protected List<String> getHints(WebSession s)
} {
List<String> hints = new ArrayList<String>();
/** hints.add("There are no hints defined");
* Gets the instructions attribute of the ViewDatabase object
* return hints;
* @return The instructions value }
*/
public String getInstructions(WebSession s) /**
{ * {@inheritDoc}
String instructions = "Please post a message to to the WebGoat forum. Your messages will be available for everyone to read."; *
* Gets the instructions attribute of the ViewDatabase object
return (instructions); */
} public String getInstructions(WebSession s)
{
/** String instructions = "Please post a message to to the WebGoat forum. Your messages will be available for everyone to read.";
* Gets the role attribute of the ViewDatabase object
* return (instructions);
* @return The role value }
*/
public String getRole() /**
{ * Gets the role attribute of the ViewDatabase object
return HACKED_ADMIN_ROLE; *
} * @return The role value
*/
/** public String getRole()
* Gets the title attribute of the DatabaseScreen object {
* return HACKED_ADMIN_ROLE;
* @return The title value }
*/
public String getTitle() /**
{ * Gets the title attribute of the DatabaseScreen object
return ("Adhoc Query"); *
} * @return The title value
} */
public String getTitle()
{
return ("Adhoc Query");
}
}
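Review bot: The new Javadoc on createContent (and likewise on getHints and getInstructions) pairs `{@inheritDoc}` with the leftover placeholder `Description of the Method`, and the `@version $Id: $Id` tag added to this class — and to WelcomeAdminScreen, Hint, HttpBasicsModel, LessonMenuItem, LessonMenuItemType, RequestParameter and SourceListing in this commit — is a CVS keyword that git never expands, so both document nothing; drop the tag and replace the placeholder with a one-line summary. Because createContent passes the raw `sql` request parameter straight to `statement.executeQuery`, that summary is the right place to state that the behaviour is deliberate for this WebGoat admin screen (inferred from the project description, confirm) and must not be copied into real code, e.g. `Executes the "sql" request parameter verbatim; intentionally unsafe, WebGoat only.`. Independently of that, the Statement and ResultSet created inside the `if` are never closed on either path, so every request leaks a handle; close them in a `finally` (or try-with-resources if the build targets Java 7+), and check whether DatabaseUtilities owns the Connection before closing that as well. The getInstructions string `Please post a message to to the WebGoat forum ...` looks copied from another lesson and does not describe the adhoc query screen.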


@ -1,89 +1,89 @@
package org.owasp.webgoat.lessons.admin; package org.owasp.webgoat.lessons.admin;
import org.owasp.webgoat.lessons.WelcomeScreen; import org.owasp.webgoat.lessons.WelcomeScreen;
import org.apache.ecs.Element; import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer; import org.apache.ecs.ElementContainer;
import org.apache.ecs.html.Center; import org.apache.ecs.html.Center;
import org.apache.ecs.html.H1; import org.apache.ecs.html.H1;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
/*************************************************************************************************** /**
* *************************************************************************************************
* *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, *
* please see http://www.owasp.org/ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* * please see http://www.owasp.org/
* Copyright (c) 2002 - 20014 Bruce Mayhew *
* * Copyright (c) 2002 - 20014 Bruce Mayhew
* This program is free software; you can redistribute it and/or modify it under the terms of the *
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* License, or (at your option) any later version. * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* * License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without *
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* General Public License for more details. * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* * General Public License for more details.
* You should have received a copy of the GNU General Public License along with this program; if *
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * You should have received a copy of the GNU General Public License along with this program; if
* 02111-1307, USA. * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* * 02111-1307, USA.
* Getting Source ============== *
* * Getting Source ==============
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software *
* projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* * projects.
* For details, please see http://webgoat.github.io *
* * For details, please see http://webgoat.github.io
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a> *
* @created October 28, 2003 * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
*/ * @since October 28, 2003
public class WelcomeAdminScreen extends WelcomeScreen * @version $Id: $Id
{ */
public class WelcomeAdminScreen extends WelcomeScreen
/** {
* Constructor for the WelcomeAdminScreen object
* /**
* @param s * Constructor for the WelcomeAdminScreen object
* Description of the Parameter *
*/ * @param s
public WelcomeAdminScreen(WebSession s) * Description of the Parameter
{ */
super(s); public WelcomeAdminScreen(WebSession s)
} {
super(s);
/** }
* Constructor for the WelcomeAdminScreen object
*/ /**
public WelcomeAdminScreen() * Constructor for the WelcomeAdminScreen object
{ */
} public WelcomeAdminScreen()
{
/** }
* Description of the Method
* /**
* @param s * {@inheritDoc}
* Description of the Parameter *
* @return Description of the Return Value * Description of the Method
*/ */
protected Element createContent(WebSession s) protected Element createContent(WebSession s)
{ {
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
ec.addElement(new Center(new H1("You are logged on as an administrator"))); ec.addElement(new Center(new H1("You are logged on as an administrator")));
ec.addElement(super.createContent(s)); ec.addElement(super.createContent(s));
return (ec); return (ec);
} }
/** /**
* Gets the title attribute of the WelcomeAdminScreen object * Gets the title attribute of the WelcomeAdminScreen object
* *
* @return The title value * @return The title value
*/ */
public String getTitle() public String getTitle()
{ {
return ("Admin Welcome"); return ("Admin Welcome");
} }
} }


@ -28,8 +28,10 @@
package org.owasp.webgoat.lessons.model; package org.owasp.webgoat.lessons.model;
/** /**
* <p>Hint class.</p>
* *
* @author rlawson * @author rlawson
* @version $Id: $Id
*/ */
public class Hint { public class Hint {
@ -38,6 +40,8 @@ public class Hint {
private int number; private int number;
/** /**
* <p>Getter for the field <code>hint</code>.</p>
*
* @return the hint * @return the hint
*/ */
public String getHint() { public String getHint() {
@ -45,6 +49,8 @@ public class Hint {
} }
/** /**
* <p>Setter for the field <code>hint</code>.</p>
*
* @param hint the hint to set * @param hint the hint to set
*/ */
public void setHint(String hint) { public void setHint(String hint) {
@ -52,6 +58,8 @@ public class Hint {
} }
/** /**
* <p>Getter for the field <code>lesson</code>.</p>
*
* @return the lesson * @return the lesson
*/ */
public String getLesson() { public String getLesson() {
@ -59,6 +67,8 @@ public class Hint {
} }
/** /**
* <p>Setter for the field <code>lesson</code>.</p>
*
* @param lesson the lesson to set * @param lesson the lesson to set
*/ */
public void setLesson(String lesson) { public void setLesson(String lesson) {
@ -66,6 +76,8 @@ public class Hint {
} }
/** /**
* <p>Getter for the field <code>number</code>.</p>
*
* @return the number * @return the number
*/ */
public int getNumber() { public int getNumber() {
@ -73,6 +85,8 @@ public class Hint {
} }
/** /**
* <p>Setter for the field <code>number</code>.</p>
*
* @param number the number to set * @param number the number to set
*/ */
public void setNumber(int number) { public void setNumber(int number) {


@ -1,48 +1,59 @@
/*************************************************************************************************** /***************************************************************************************************
* *
* *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/ * please see http://www.owasp.org/
* *
* Copyright (c) 2002 - 20014 Bruce Mayhew * Copyright (c) 2002 - 20014 Bruce Mayhew
* *
* This program is free software; you can redistribute it and/or modify it under the terms of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version. * License, or (at your option) any later version.
* *
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details. * General Public License for more details.
* *
* You should have received a copy of the GNU General Public License along with this program; if * You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA. * 02111-1307, USA.
* *
* Getting Source ============== * Getting Source ==============
* *
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects. * projects.
* *
* For details, please see http://webgoat.github.io * For details, please see http://webgoat.github.io
*/ */
package org.owasp.webgoat.lessons.model; package org.owasp.webgoat.lessons.model;
/** /**
* Model component for the Http Basics lesson. Using a model * Model component for the Http Basics lesson. Using a model
* for that simple lesson is architectural overkill. We do it anyway * for that simple lesson is architectural overkill. We do it anyway
* for illustrative purposes - to demonstrate the pattern that we will * for illustrative purposes - to demonstrate the pattern that we will
* use for more complex lessons. * use for more complex lessons.
* *
*/ * @version $Id: $Id
public class HttpBasicsModel { */
public class HttpBasicsModel {
private String personName;
private String personName;
public String getPersonName() {
return personName; /**
} * <p>Getter for the field <code>personName</code>.</p>
*
public void setPersonName(String personName) { * @return a {@link java.lang.String} object.
this.personName = personName; */
} public String getPersonName() {
} return personName;
}
/**
* <p>Setter for the field <code>personName</code>.</p>
*
* @param personName a {@link java.lang.String} object.
*/
public void setPersonName(String personName) {
this.personName = personName;
}
}


@ -34,8 +34,10 @@ import java.util.ArrayList;
import java.util.List; import java.util.List;
/** /**
* <p>LessonMenuItem class.</p>
* *
* @author rlawson * @author rlawson
* @version $Id: $Id
*/ */
public class LessonMenuItem { public class LessonMenuItem {
@ -48,6 +50,8 @@ public class LessonMenuItem {
private boolean showHints = true; private boolean showHints = true;
/** /**
* <p>Getter for the field <code>name</code>.</p>
*
* @return the name * @return the name
*/ */
public String getName() { public String getName() {
@ -55,6 +59,8 @@ public class LessonMenuItem {
} }
/** /**
* <p>Setter for the field <code>name</code>.</p>
*
* @param name the name to set * @param name the name to set
*/ */
public void setName(String name) { public void setName(String name) {
@ -62,6 +68,8 @@ public class LessonMenuItem {
} }
/** /**
* <p>Getter for the field <code>children</code>.</p>
*
* @return the children * @return the children
*/ */
public List<LessonMenuItem> getChildren() { public List<LessonMenuItem> getChildren() {
@ -69,6 +77,8 @@ public class LessonMenuItem {
} }
/** /**
* <p>Setter for the field <code>children</code>.</p>
*
* @param children the children to set * @param children the children to set
*/ */
public void setChildren(List<LessonMenuItem> children) { public void setChildren(List<LessonMenuItem> children) {
@ -76,6 +86,8 @@ public class LessonMenuItem {
} }
/** /**
* <p>Getter for the field <code>type</code>.</p>
*
* @return the type * @return the type
*/ */
public LessonMenuItemType getType() { public LessonMenuItemType getType() {
@ -83,16 +95,24 @@ public class LessonMenuItem {
} }
/** /**
* <p>Setter for the field <code>type</code>.</p>
*
* @param type the type to set * @param type the type to set
*/ */
public void setType(LessonMenuItemType type) { public void setType(LessonMenuItemType type) {
this.type = type; this.type = type;
} }
/**
* <p>addChild.</p>
*
* @param child a {@link org.owasp.webgoat.lessons.model.LessonMenuItem} object.
*/
public void addChild(LessonMenuItem child) { public void addChild(LessonMenuItem child) {
children.add(child); children.add(child);
} }
/** {@inheritDoc} */
@Override @Override
public String toString() { public String toString() {
StringBuilder bldr = new StringBuilder(); StringBuilder bldr = new StringBuilder();
@ -102,6 +122,8 @@ public class LessonMenuItem {
} }
/** /**
* <p>isComplete.</p>
*
* @return the complete * @return the complete
*/ */
public boolean isComplete() { public boolean isComplete() {
@ -109,6 +131,8 @@ public class LessonMenuItem {
} }
/** /**
* <p>Setter for the field <code>complete</code>.</p>
*
* @param complete the complete to set * @param complete the complete to set
*/ */
public void setComplete(boolean complete) { public void setComplete(boolean complete) {
@ -116,6 +140,8 @@ public class LessonMenuItem {
} }
/** /**
* <p>Getter for the field <code>link</code>.</p>
*
* @return the link * @return the link
*/ */
public String getLink() { public String getLink() {
@ -123,6 +149,8 @@ public class LessonMenuItem {
} }
/** /**
* <p>Setter for the field <code>link</code>.</p>
*
* @param link the link to set * @param link the link to set
*/ */
public void setLink(String link) { public void setLink(String link) {
@ -130,6 +158,8 @@ public class LessonMenuItem {
} }
/** /**
* <p>isShowSource.</p>
*
* @return the showSource * @return the showSource
*/ */
public boolean isShowSource() { public boolean isShowSource() {
@ -137,6 +167,8 @@ public class LessonMenuItem {
} }
/** /**
* <p>Setter for the field <code>showSource</code>.</p>
*
* @param showSource the showSource to set * @param showSource the showSource to set
*/ */
public void setShowSource(boolean showSource) { public void setShowSource(boolean showSource) {
@ -144,6 +176,8 @@ public class LessonMenuItem {
} }
/** /**
* <p>isShowHints.</p>
*
* @return the showHints * @return the showHints
*/ */
public boolean isShowHints() { public boolean isShowHints() {
@ -151,6 +185,8 @@ public class LessonMenuItem {
} }
/** /**
* <p>Setter for the field <code>showHints</code>.</p>
*
* @param showHints the showHints to set * @param showHints the showHints to set
*/ */
public void setShowHints(boolean showHints) { public void setShowHints(boolean showHints) {


@ -29,8 +29,10 @@
package org.owasp.webgoat.lessons.model; package org.owasp.webgoat.lessons.model;
/** /**
* <p>LessonMenuItemType class.</p>
* *
* @author rlawson * @author rlawson
* @version $Id: $Id
*/ */
public enum LessonMenuItemType { public enum LessonMenuItemType {
CATEGORY, CATEGORY,


@ -1,66 +1,79 @@
/** /**
* ************************************************************************************************* * *************************************************************************************************
* *
* *
* This file is part of WebGoat, an Open Web Application Security Project * This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/ * utility. For details, please see http://www.owasp.org/
* *
* Copyright (c) 2002 - 20014 Bruce Mayhew * Copyright (c) 2002 - 20014 Bruce Mayhew
* *
* This program is free software; you can redistribute it and/or modify it under * This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software * the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later * Foundation; either version 2 of the License, or (at your option) any later
* version. * version.
* *
* This program is distributed in the hope that it will be useful, but WITHOUT * This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details. * details.
* *
* You should have received a copy of the GNU General Public License along with * You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA. * Place - Suite 330, Boston, MA 02111-1307, USA.
* *
* Getting Source ============== * Getting Source ==============
* *
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects. * for free software projects.
* *
* For details, please see http://webgoat.github.io * For details, please see http://webgoat.github.io
*/ */
package org.owasp.webgoat.lessons.model; package org.owasp.webgoat.lessons.model;
/** /**
* * <p>RequestParameter class.</p>
* @author rlawson *
*/ * @author rlawson
public class RequestParameter implements Comparable<RequestParameter> { * @version $Id: $Id
*/
private final String name; public class RequestParameter implements Comparable<RequestParameter> {
private final String value;
private final String name;
public RequestParameter(String name, String value) { private final String value;
this.name = name;
this.value = value; /**
} * <p>Constructor for RequestParameter.</p>
*
/** * @param name a {@link java.lang.String} object.
* @return the name * @param value a {@link java.lang.String} object.
*/ */
public String getName() { public RequestParameter(String name, String value) {
return name; this.name = name;
} this.value = value;
}
/**
* @return the values /**
*/ * <p>Getter for the field <code>name</code>.</p>
public String getValue() { *
return value; * @return the name
} */
public String getName() {
@Override return name;
public int compareTo(RequestParameter o) { }
return this.name.compareTo(o.getName());
} /**
* <p>Getter for the field <code>value</code>.</p>
} *
* @return the values
*/
public String getValue() {
return value;
}
/** {@inheritDoc} */
@Override
public int compareTo(RequestParameter o) {
return this.name.compareTo(o.getName());
}
}
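Review bot: The `/** {@inheritDoc} */` added on compareTo hides the one thing a caller needs to know: the ordering uses `name` only while equals and hashCode are not overridden, so two parameters with the same name and different values compare as 0 yet are not equal, which violates the consistency-with-equals expectation of Comparable in sorted sets and maps. Replace the tag with a real sentence, e.g. `Orders by parameter name only; this ordering is inconsistent with equals, so do not use it to deduplicate parameters.`. The new constructor Javadoc should also say whether `name` may be null, since compareTo dereferences it without a check, and `@return the values` on getValue should read `@return the value`.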


@ -1,31 +1,37 @@
/* /*
* To change this license header, choose License Headers in Project Properties. * To change this license header, choose License Headers in Project Properties.
* To change this template file, choose Tools | Templates * To change this template file, choose Tools | Templates
* and open the template in the editor. * and open the template in the editor.
*/ */
package org.owasp.webgoat.lessons.model; package org.owasp.webgoat.lessons.model;
/** /**
* * <p>SourceListing class.</p>
* @author rlawson *
*/ * @author rlawson
public class SourceListing { * @version $Id: $Id
*/
private String source; public class SourceListing {
/** private String source;
* @return the source
*/ /**
public String getSource() { * <p>Getter for the field <code>source</code>.</p>
return source; *
} * @return the source
*/
/** public String getSource() {
* @param source the source to set return source;
*/ }
public void setSource(String source) {
this.source = source; /**
} * <p>Setter for the field <code>source</code>.</p>
*
} * @param source the source to set
*/
public void setSource(String source) {
this.source = source;
}
}


@ -1,256 +1,262 @@
package org.owasp.webgoat.plugins; package org.owasp.webgoat.plugins;
import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.session.WebgoatContext; import org.owasp.webgoat.session.WebgoatContext;
import org.owasp.webgoat.session.WebgoatProperties; import org.owasp.webgoat.session.WebgoatProperties;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
import javax.servlet.ServletContext; import javax.servlet.ServletContext;
import java.io.File; import java.io.File;
import java.util.Iterator; import java.util.Iterator;
import java.util.LinkedList; import java.util.LinkedList;
import java.util.List; import java.util.List;
import java.util.Set; import java.util.Set;
/** /**
* ************************************************************************************************* *************************************************************************************************
* <p/> *
* <p/> *
* This file is part of WebGoat, an Open Web Application Security Project * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* utility. For details, please see http://www.owasp.org/ * please see http://www.owasp.org/
* <p/> *
* Copyright (c) 2002 - 20014 Bruce Mayhew * Copyright (c) 2002 - 20014 Bruce Mayhew
* <p/> *
* This program is free software; you can redistribute it and/or modify it under * This program is free software; you can redistribute it and/or modify it under the terms of the
* the terms of the GNU General Public License as published by the Free Software * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* Foundation; either version 2 of the License, or (at your option) any later * License, or (at your option) any later version.
* version. *
* <p/> * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* This program is distributed in the hope that it will be useful, but WITHOUT * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * General Public License for more details.
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more *
* details. * You should have received a copy of the GNU General Public License along with this program; if
* <p/> * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* You should have received a copy of the GNU General Public License along with * 02111-1307, USA.
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple *
* Place - Suite 330, Boston, MA 02111-1307, USA. * Getting Source ==============
* <p/> *
* Getting Source ============== * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* <p/> * projects.
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository *
* for free software projects. * For details, please see http://webgoat.github.io
* <p/> *
* For details, please see http://webgoat.github.io * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* * @since October 28, 2003
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a> * @version $Id: $Id
* @created October 28, 2003 */
*/ public class LegacyLoader {
public class LegacyLoader {
final Logger logger = LoggerFactory.getLogger(LegacyLoader.class);
final Logger logger = LoggerFactory.getLogger(LegacyLoader.class);
private final List<String> files = new LinkedList<String>();
private final List<String> files = new LinkedList<String>();
/**
public LegacyLoader() { * <p>Constructor for LegacyLoader.</p>
} */
public LegacyLoader() {
/** }
* Take an absolute file and return the filename.
* <p/> /**
* Ex. /etc/password becomes password * Take an absolute file and return the filename.
* *
* @param s * Ex. /etc/password becomes password
* @return the file name *
*/ * @param s
private static String getFileName(String s) { * @return the file name
String fileName = new File(s).getName(); */
private static String getFileName(String s) {
if (fileName.contains("/")) { String fileName = new File(s).getName();
fileName = fileName.substring(fileName.lastIndexOf("/"), fileName.length());
} if (fileName.contains("/")) {
fileName = fileName.substring(fileName.lastIndexOf("/"), fileName.length());
if (fileName.contains(".")) { }
fileName = fileName.substring(0, fileName.indexOf("."));
} if (fileName.contains(".")) {
fileName = fileName.substring(0, fileName.indexOf("."));
return fileName; }
}
return fileName;
/** }
* Take a class name and return the equivalent file name
* <p/> /**
* Ex. org.owasp.webgoat becomes org/owasp/webgoat.java * Take a class name and return the equivalent file name
* *
* @param className * Ex. org.owasp.webgoat becomes org/owasp/webgoat.java
* @return *
*/ * @param className
private static String getSourceFile(String className) { * @return
StringBuilder sb = new StringBuilder(); */
private static String getSourceFile(String className) {
sb.append(className.replace(".", "/")); StringBuilder sb = new StringBuilder();
sb.append(".java");
sb.append(className.replace(".", "/"));
return sb.toString(); sb.append(".java");
}
return sb.toString();
/** }
* Takes a file name and builds the class file name
* /**
* @param fileName Description of the Parameter * Takes a file name and builds the class file name
* @param path Description of the Parameter *
* @return Description of the Return Value * @param fileName Description of the Parameter
*/ * @param path Description of the Parameter
private static String getClassFile(String fileName, String path) { * @return Description of the Return Value
String ext = ".class"; */
fileName = fileName.trim(); private static String getClassFile(String fileName, String path) {
String ext = ".class";
/** fileName = fileName.trim();
* We do not handle directories. We do not handle files with different
* extensions /**
*/ * We do not handle directories. We do not handle files with different
if (fileName.endsWith("/") || !fileName.endsWith(ext)) { * extensions
return null; */
} if (fileName.endsWith("/") || !fileName.endsWith(ext)) {
return null;
// skip over plugins and/or extracted plugins }
if ( fileName.indexOf("lessons/plugin") >= 0 || fileName.indexOf("plugin_extracted") >= 0) {
return null; // skip over plugins and/or extracted plugins
} if ( fileName.indexOf("lessons/plugin") >= 0 || fileName.indexOf("plugin_extracted") >= 0) {
return null;
// if the file is in /WEB-INF/classes strip the dir info off }
int index = fileName.indexOf("/WEB-INF/classes/");
if (index != -1) { // if the file is in /WEB-INF/classes strip the dir info off
fileName = fileName.substring(index + "/WEB-INF/classes/".length(), fileName.length() - ext.length()); int index = fileName.indexOf("/WEB-INF/classes/");
fileName = fileName.replace('/', '.'); if (index != -1) {
fileName = fileName.replace('\\', '.'); fileName = fileName.substring(index + "/WEB-INF/classes/".length(), fileName.length() - ext.length());
} else { fileName = fileName.replace('/', '.');
// Strip off the leading path info fileName = fileName.replace('\\', '.');
fileName = fileName.substring(path.length(), fileName.length() - ext.length()); } else {
} // Strip off the leading path info
fileName = fileName.substring(path.length(), fileName.length() - ext.length());
return fileName; }
}
return fileName;
}
/**
* Load all of the filenames into a temporary cache
* /**
* @param context * Load all of the filenames into a temporary cache
* @param path *
*/ * @param context a {@link javax.servlet.ServletContext} object.
public void loadFiles(ServletContext context, String path) { * @param path a {@link java.lang.String} object.
logger.debug("Loading files into cache, path: " + path); */
Set resourcePaths = context.getResourcePaths(path); public void loadFiles(ServletContext context, String path) {
if (resourcePaths == null) { logger.debug("Loading files into cache, path: " + path);
logger.error("Unable to load file cache for courses, this is probably a bug or configuration issue"); Set resourcePaths = context.getResourcePaths(path);
return; if (resourcePaths == null) {
} logger.error("Unable to load file cache for courses, this is probably a bug or configuration issue");
Iterator itr = resourcePaths.iterator(); return;
}
while (itr.hasNext()) { Iterator itr = resourcePaths.iterator();
String file = (String) itr.next();
while (itr.hasNext()) {
if (file.length() != 1 && file.endsWith("/")) { String file = (String) itr.next();
loadFiles(context, file);
} else { if (file.length() != 1 && file.endsWith("/")) {
files.add(file); loadFiles(context, file);
} } else {
} files.add(file);
} }
}
/** }
* Instantiate all the lesson objects into a cache
* /**
* @param path * Instantiate all the lesson objects into a cache
* @param context *
*/ * @param path a {@link java.lang.String} object.
public List<AbstractLesson> loadLessons(WebgoatContext webgoatContext, ServletContext context, String path, WebgoatProperties properties ) { * @param context a {@link javax.servlet.ServletContext} object.
* @param webgoatContext a {@link org.owasp.webgoat.session.WebgoatContext} object.
loadFiles(context, path); * @param properties a {@link org.owasp.webgoat.session.WebgoatProperties} object.
* @return a {@link java.util.List} object.
List<AbstractLesson> lessons = new LinkedList<AbstractLesson>(); */
public List<AbstractLesson> loadLessons(WebgoatContext webgoatContext, ServletContext context, String path, WebgoatProperties properties ) {
for (String file : files) {
String className = getClassFile(file, path); loadFiles(context, path);
if (className != null && !className.endsWith("_i") && className.startsWith("org.owasp.webgoat.lessons.admin")) { List<AbstractLesson> lessons = new LinkedList<AbstractLesson>();
try {
Class c = Class.forName(className); for (String file : files) {
Object o = c.newInstance(); String className = getClassFile(file, path);
if (o instanceof AbstractLesson) { if (className != null && !className.endsWith("_i") && className.startsWith("org.owasp.webgoat.lessons.admin")) {
AbstractLesson lesson = (AbstractLesson) o; try {
lesson.setWebgoatContext(webgoatContext); Class c = Class.forName(className);
Object o = c.newInstance();
lesson.update(properties);
if (o instanceof AbstractLesson) {
if (lesson.getHidden() == false) { AbstractLesson lesson = (AbstractLesson) o;
lessons.add(lesson); lesson.setWebgoatContext(webgoatContext);
}
} lesson.update(properties);
} catch (Exception e) {
// Bruce says: if (lesson.getHidden() == false) {
// I don't think we want to log the exception here. We could lessons.add(lesson);
// be potentially showing a lot of exceptions that don't matter. }
// We would only care if the lesson extended AbstractLesson and we }
// can't tell that because it threw the exception. Catch 22 } catch (Exception e) {
// logger.error("Error in loadLessons: ", e); // Bruce says:
} // I don't think we want to log the exception here. We could
} // be potentially showing a lot of exceptions that don't matter.
} // We would only care if the lesson extended AbstractLesson and we
loadResources(lessons); // can't tell that because it threw the exception. Catch 22
return lessons; // logger.error("Error in loadLessons: ", e);
} }
}
private String getLanguageFromFileName(String first, String absoluteFile) { }
int p1 = absoluteFile.indexOf("/", absoluteFile.indexOf(first) + 1); loadResources(lessons);
int p2 = absoluteFile.indexOf("/", p1 + 1); return lessons;
String langStr = absoluteFile.substring(p1 + 1, p2); }
return langStr; private String getLanguageFromFileName(String first, String absoluteFile) {
} int p1 = absoluteFile.indexOf("/", absoluteFile.indexOf(first) + 1);
int p2 = absoluteFile.indexOf("/", p1 + 1);
/** String langStr = absoluteFile.substring(p1 + 1, p2);
* For each lesson, set the source file and lesson file
* @param lessons return langStr;
*/ }
public void loadResources(List<AbstractLesson> lessons ) {
for (AbstractLesson lesson : lessons) { /**
logger.info("Loading resources for lesson -> " + lesson.getName()); * For each lesson, set the source file and lesson file
String className = lesson.getClass().getName(); *
String classFile = getSourceFile(className); * @param lessons a {@link java.util.List} object.
logger.info("Lesson classname: " + className); */
logger.info("Lesson java file: " + classFile); public void loadResources(List<AbstractLesson> lessons ) {
for (AbstractLesson lesson : lessons) {
for (String absoluteFile : files) { logger.info("Loading resources for lesson -> " + lesson.getName());
String fileName = getFileName(absoluteFile); String className = lesson.getClass().getName();
//logger.debug("Course: looking at file: " + absoluteFile); String classFile = getSourceFile(className);
logger.info("Lesson classname: " + className);
if (absoluteFile.endsWith(classFile)) { logger.info("Lesson java file: " + classFile);
logger.info("Set source file for " + classFile);
lesson.setSourceFileName(absoluteFile); for (String absoluteFile : files) {
} String fileName = getFileName(absoluteFile);
//logger.debug("Course: looking at file: " + absoluteFile);
if (absoluteFile.startsWith("/lesson_plans") && absoluteFile.endsWith(".html")
&& className.endsWith(fileName)) { if (absoluteFile.endsWith(classFile)) {
logger.info("setting lesson plan file " + absoluteFile + " for lesson " logger.info("Set source file for " + classFile);
+ lesson.getClass().getName()); lesson.setSourceFileName(absoluteFile);
logger.info("fileName: " + fileName + " == className: " + className); }
String language = getLanguageFromFileName("/lesson_plans", absoluteFile);
lesson.setLessonPlanFileName(language, absoluteFile); if (absoluteFile.startsWith("/lesson_plans") && absoluteFile.endsWith(".html")
} && className.endsWith(fileName)) {
if (absoluteFile.startsWith("/lesson_solutions") && absoluteFile.endsWith(".html") logger.info("setting lesson plan file " + absoluteFile + " for lesson "
&& className.endsWith(fileName)) { + lesson.getClass().getName());
logger.info("setting lesson solution file " + absoluteFile + " for lesson " logger.info("fileName: " + fileName + " == className: " + className);
+ lesson.getClass().getName()); String language = getLanguageFromFileName("/lesson_plans", absoluteFile);
logger.info("fileName: " + fileName + " == className: " + className); lesson.setLessonPlanFileName(language, absoluteFile);
lesson.setLessonSolutionFileName(absoluteFile); }
} if (absoluteFile.startsWith("/lesson_solutions") && absoluteFile.endsWith(".html")
} && className.endsWith(fileName)) {
} logger.info("setting lesson solution file " + absoluteFile + " for lesson "
} + lesson.getClass().getName());
logger.info("fileName: " + fileName + " == className: " + className);
lesson.setLessonSolutionFileName(absoluteFile);
} }
}
}
}
}


@ -20,6 +20,11 @@ import static org.owasp.webgoat.plugins.PluginFileUtils.fileEndsWith;
import static org.owasp.webgoat.plugins.PluginFileUtils.hasParentDirectoryWithName; import static org.owasp.webgoat.plugins.PluginFileUtils.hasParentDirectoryWithName;
import static org.owasp.webgoat.plugins.PluginFileUtils.replaceInFiles; import static org.owasp.webgoat.plugins.PluginFileUtils.replaceInFiles;
/**
* <p>Plugin class.</p>
*
* @version $Id: $Id
*/
public class Plugin { public class Plugin {
private static final String NAME_LESSON_SOLUTION_DIRECTORY = "lessonSolutions"; private static final String NAME_LESSON_SOLUTION_DIRECTORY = "lessonSolutions";
@ -32,12 +37,23 @@ public class Plugin {
private List<File> pluginFiles = Lists.newArrayList(); private List<File> pluginFiles = Lists.newArrayList();
private File lessonSourceFile; private File lessonSourceFile;
/**
* <p>Constructor for Plugin.</p>
*
* @param pluginDirectory a {@link java.nio.file.Path} object.
*/
public Plugin(Path pluginDirectory) { public Plugin(Path pluginDirectory) {
Preconditions.checkNotNull(pluginDirectory, "plugin directory cannot be null"); Preconditions.checkNotNull(pluginDirectory, "plugin directory cannot be null");
Preconditions.checkArgument(Files.exists(pluginDirectory), "directory %s does not exists", pluginDirectory); Preconditions.checkArgument(Files.exists(pluginDirectory), "directory %s does not exists", pluginDirectory);
this.pluginDirectory = pluginDirectory; this.pluginDirectory = pluginDirectory;
} }
/**
* <p>Constructor for Plugin.</p>
*
* @param pluginDirectory a {@link java.nio.file.Path} object.
* @param classes a {@link java.util.List} object.
*/
public Plugin(Path pluginDirectory, List<String> classes) { public Plugin(Path pluginDirectory, List<String> classes) {
this(pluginDirectory); this(pluginDirectory);
findLesson(classes); findLesson(classes);
@ -65,6 +81,11 @@ public class Plugin {
} }
} }
/**
* <p>loadProperties.</p>
*
* @param properties a {@link java.util.List} object.
*/
public void loadProperties(List<Path> properties) { public void loadProperties(List<Path> properties) {
for (Path propertyFile : properties) { for (Path propertyFile : properties) {
LabelProvider.updatePluginResources(propertyFile); LabelProvider.updatePluginResources(propertyFile);
@ -72,6 +93,12 @@ public class Plugin {
} }
} }
/**
* <p>loadFiles.</p>
*
* @param files a {@link java.util.List} object.
* @param reload a boolean.
*/
public void loadFiles(List<Path> files, boolean reload) { public void loadFiles(List<Path> files, boolean reload) {
for (Path file : files) { for (Path file : files) {
if (fileEndsWith(file, ".html") && hasParentDirectoryWithName(file, NAME_LESSON_SOLUTION_DIRECTORY)) { if (fileEndsWith(file, ".html") && hasParentDirectoryWithName(file, NAME_LESSON_SOLUTION_DIRECTORY)) {
@ -90,6 +117,11 @@ public class Plugin {
} }
} }
/**
* <p>rewritePaths.</p>
*
* @param pluginTarget a {@link java.nio.file.Path} object.
*/
public void rewritePaths(Path pluginTarget) { public void rewritePaths(Path pluginTarget) {
try { try {
replaceInFiles(this.lesson.getSimpleName() + "_files", replaceInFiles(this.lesson.getSimpleName() + "_files",
@ -125,6 +157,8 @@ public class Plugin {
/** /**
* Lesson is optional, it is also possible that the supplied jar contains only helper classes. * Lesson is optional, it is also possible that the supplied jar contains only helper classes.
*
* @return a {@link com.google.common.base.Optional} object.
*/ */
public Optional<AbstractLesson> getLesson() { public Optional<AbstractLesson> getLesson() {
try { try {
@ -137,18 +171,39 @@ public class Plugin {
return Optional.absent(); return Optional.absent();
} }
/**
* <p>getLessonSolution.</p>
*
* @param language a {@link java.lang.String} object.
* @return a {@link com.google.common.base.Optional} object.
*/
public Optional<File> getLessonSolution(String language) { public Optional<File> getLessonSolution(String language) {
return Optional.fromNullable(this.solutionLanguageFiles.get(language)); return Optional.fromNullable(this.solutionLanguageFiles.get(language));
} }
/**
* <p>getLessonSolutions.</p>
*
* @return a {@link java.util.Map} object.
*/
public Map<String, File> getLessonSolutions() { public Map<String, File> getLessonSolutions() {
return this.solutionLanguageFiles; return this.solutionLanguageFiles;
} }
/**
* <p>getLessonSource.</p>
*
* @return a {@link com.google.common.base.Optional} object.
*/
public Optional<File> getLessonSource() { public Optional<File> getLessonSource() {
return Optional.fromNullable(lessonSourceFile); return Optional.fromNullable(lessonSourceFile);
} }
/**
* <p>getLessonPlans.</p>
*
* @return a {@link java.util.Map} object.
*/
public Map<String, File> getLessonPlans() { public Map<String, File> getLessonPlans() {
return this.lessonPlansLanguageFiles; return this.lessonPlansLanguageFiles;
} }
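Review bot: `getLessonSolutions()` and `getLessonPlans()` in the last hunk (`@ -137,18 +171,39 @@`) return the internal `solutionLanguageFiles` and `lessonPlansLanguageFiles` maps directly, and the new Javadoc (`<p>getLessonSolutions.</p>`, `@return a {@link java.util.Map} object.`) does not tell the caller it receives a live, mutable view. Either document that — `@return the live language-to-solution-file map owned by this plugin; callers must not modify it` — or return `Collections.unmodifiableMap(this.solutionLanguageFiles)` and the same for the plans map. The generated stubs (`<p>Constructor for Plugin.</p>`, `@param classes a {@link java.util.List} object.`) restate the signature without adding intent; the constructor doc, for example, should say that `classes` are the fully qualified class names from which the lesson is located via `findLesson`. The `@version $Id: $Id` tags are CVS/SVN keyword placeholders that git never expands; they are noise here and in every other file of this commit (PluginBackgroundLoader, PluginExtractor, PluginFileUtils, PluginLoadingFailure, PluginsLoader, ApplicationService, BaseService, CookieService, DummyService).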


@ -9,10 +9,16 @@ import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit; import java.util.concurrent.TimeUnit;
@WebListener @WebListener
/**
* <p>PluginBackgroundLoader class.</p>
*
* @version $Id: $Id
*/
public class PluginBackgroundLoader implements ServletContextListener { public class PluginBackgroundLoader implements ServletContextListener {
private ScheduledExecutorService scheduler; private ScheduledExecutorService scheduler;
/** {@inheritDoc} */
@Override @Override
public void contextInitialized(ServletContextEvent event) { public void contextInitialized(ServletContextEvent event) {
String pluginPath = event.getServletContext().getRealPath("plugin_lessons"); String pluginPath = event.getServletContext().getRealPath("plugin_lessons");
@ -22,6 +28,7 @@ public class PluginBackgroundLoader implements ServletContextListener {
scheduler.scheduleAtFixedRate(new PluginsLoader(Paths.get(pluginPath), Paths.get(targetPath)), 0, 5, TimeUnit.MINUTES); scheduler.scheduleAtFixedRate(new PluginsLoader(Paths.get(pluginPath), Paths.get(targetPath)), 0, 5, TimeUnit.MINUTES);
} }
/** {@inheritDoc} */
@Override @Override
public void contextDestroyed(ServletContextEvent event) { public void contextDestroyed(ServletContextEvent event) {
scheduler.shutdownNow(); scheduler.shutdownNow();
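Review bot: The class Javadoc added in the first hunk is placed between `@WebListener` and `public class PluginBackgroundLoader`, inside the declaration's modifiers rather than immediately before the declaration, so javadoc is not guaranteed to attach it to the class; move the comment above the annotation. In `contextDestroyed`, `scheduler.shutdownNow()` runs unconditionally, so if `contextInitialized` failed before the scheduler was assigned (its body continues outside the hunk) undeploy throws a NullPointerException; guard it with `if (scheduler != null) { scheduler.shutdownNow(); }`. The `/** {@inheritDoc} */` stubs on the two `@Override` methods are redundant, since javadoc copies the interface documentation for an undocumented overriding method on its own.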


@ -25,6 +25,8 @@ import static org.owasp.webgoat.plugins.PluginFileUtils.hasParentDirectoryWithNa
/** /**
* Extract the jar file and place them in the system temp directory in the folder webgoat and collect the files * Extract the jar file and place them in the system temp directory in the folder webgoat and collect the files
* and classes. * and classes.
*
* @version $Id: $Id
*/ */
public class PluginExtractor { public class PluginExtractor {
@ -34,10 +36,20 @@ public class PluginExtractor {
private final List<Path> files = new ArrayList<>(); private final List<Path> files = new ArrayList<>();
private final List<Path> properties = new ArrayList<>(); private final List<Path> properties = new ArrayList<>();
/**
* <p>Constructor for PluginExtractor.</p>
*
* @param pluginArchive a {@link java.nio.file.Path} object.
*/
public PluginExtractor(Path pluginArchive) { public PluginExtractor(Path pluginArchive) {
this.pluginArchive = pluginArchive; this.pluginArchive = pluginArchive;
} }
/**
* <p>extract.</p>
*
* @param target a {@link java.nio.file.Path} object.
*/
public void extract(final Path target) { public void extract(final Path target) {
try (FileSystem zip = createZipFileSystem()) { try (FileSystem zip = createZipFileSystem()) {
final Path root = zip.getPath("/"); final Path root = zip.getPath("/");
@ -63,14 +75,29 @@ public class PluginExtractor {
} }
} }
/**
* <p>Getter for the field <code>classes</code>.</p>
*
* @return a {@link java.util.List} object.
*/
public List<String> getClasses() { public List<String> getClasses() {
return this.classes; return this.classes;
} }
/**
* <p>Getter for the field <code>files</code>.</p>
*
* @return a {@link java.util.List} object.
*/
public List<Path> getFiles() { public List<Path> getFiles() {
return this.files; return this.files;
} }
/**
* <p>Getter for the field <code>properties</code>.</p>
*
* @return a {@link java.util.List} object.
*/
public List<Path> getProperties() { public List<Path> getProperties() {
return this.properties; return this.properties;
} }
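Review bot: The new Javadoc for `extract` (`<p>extract.</p>`, `@param target a {@link java.nio.file.Path} object.`) says nothing about the contract that matters for an archive extractor: that entries are written beneath `target`, and whether each entry's name is resolved and checked against `target` before anything is written. The extraction loop is outside the hunk, so I cannot tell whether that check exists; if it does, the doc should state it, and if it does not, add the usual `target.resolve(entry).normalize().startsWith(target)` guard and document that an entry resolving outside `target` is rejected. The three getters hand back the internal `classes`/`files`/`properties` lists unwrapped, which `@return a {@link java.util.List} object.` does not convey; say they are live views or return `Collections.unmodifiableList(...)`.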


@ -14,12 +14,31 @@ import java.util.ArrayList;
import java.util.Collection; import java.util.Collection;
import java.util.List; import java.util.List;
/**
* <p>PluginFileUtils class.</p>
*
* @version $Id: $Id
*/
public class PluginFileUtils { public class PluginFileUtils {
/**
* <p>fileEndsWith.</p>
*
* @param p a {@link java.nio.file.Path} object.
* @param s a {@link java.lang.String} object.
* @return a boolean.
*/
public static boolean fileEndsWith(Path p, String s) { public static boolean fileEndsWith(Path p, String s) {
return p.getFileName().toString().endsWith(s); return p.getFileName().toString().endsWith(s);
} }
/**
* <p>fileEndsWith.</p>
*
* @param p a {@link java.nio.file.Path} object.
* @param suffixes a {@link java.lang.String} object.
* @return a boolean.
*/
public static boolean fileEndsWith(Path p, String... suffixes) { public static boolean fileEndsWith(Path p, String... suffixes) {
for (String suffix : suffixes) { for (String suffix : suffixes) {
if (fileEndsWith(p, suffix)) { if (fileEndsWith(p, suffix)) {
@ -29,6 +48,13 @@ public class PluginFileUtils {
return false; return false;
} }
/**
* <p>hasParentDirectoryWithName.</p>
*
* @param p a {@link java.nio.file.Path} object.
* @param s a {@link java.lang.String} object.
* @return a boolean.
*/
public static boolean hasParentDirectoryWithName(Path p, String s) { public static boolean hasParentDirectoryWithName(Path p, String s) {
if (p == null || p.getParent() == null || p.getParent().equals(p.getRoot())) { if (p == null || p.getParent() == null || p.getParent().equals(p.getRoot())) {
return false; return false;
@ -39,6 +65,13 @@ public class PluginFileUtils {
return hasParentDirectoryWithName(p.getParent(), s); return hasParentDirectoryWithName(p.getParent(), s);
} }
/**
* <p>createDirsIfNotExists.</p>
*
* @param p a {@link java.nio.file.Path} object.
* @return a {@link java.nio.file.Path} object.
* @throws java.io.IOException if any.
*/
public static Path createDirsIfNotExists(Path p) throws IOException { public static Path createDirsIfNotExists(Path p) throws IOException {
if (Files.notExists(p)) { if (Files.notExists(p)) {
Files.createDirectories(p); Files.createDirectories(p);
@ -46,6 +79,13 @@ public class PluginFileUtils {
return p; return p;
} }
/**
* <p>getFilesInDirectory.</p>
*
* @param directory a {@link java.nio.file.Path} object.
* @return a {@link java.util.List} object.
* @throws java.io.IOException if any.
*/
public static List<Path> getFilesInDirectory(Path directory) throws IOException { public static List<Path> getFilesInDirectory(Path directory) throws IOException {
List<Path> files = new ArrayList<>(); List<Path> files = new ArrayList<>();
DirectoryStream<Path> dirStream; DirectoryStream<Path> dirStream;
@ -57,6 +97,14 @@ public class PluginFileUtils {
return files; return files;
} }
/**
* <p>replaceInFiles.</p>
*
* @param replace a {@link java.lang.String} object.
* @param with a {@link java.lang.String} object.
* @param files a {@link java.util.Collection} object.
* @throws java.io.IOException if any.
*/
public static void replaceInFiles(String replace, String with, Collection<File> files) throws IOException { public static void replaceInFiles(String replace, String with, Collection<File> files) throws IOException {
Preconditions.checkNotNull(replace); Preconditions.checkNotNull(replace);
Preconditions.checkNotNull(with); Preconditions.checkNotNull(with);
@ -67,6 +115,14 @@ public class PluginFileUtils {
} }
} }
/**
* <p>replaceInFile.</p>
*
* @param replace a {@link java.lang.String} object.
* @param with a {@link java.lang.String} object.
* @param file a {@link java.nio.file.Path} object.
* @throws java.io.IOException if any.
*/
public static void replaceInFile(String replace, String with, Path file) throws IOException { public static void replaceInFile(String replace, String with, Path file) throws IOException {
Preconditions.checkNotNull(replace); Preconditions.checkNotNull(replace);
Preconditions.checkNotNull(with); Preconditions.checkNotNull(with);
@ -78,6 +134,14 @@ public class PluginFileUtils {
Files.write(file, fileAsString.getBytes()); Files.write(file, fileAsString.getBytes());
} }
/**
* <p>writeFile.</p>
*
* @param targetFile a {@link java.nio.file.Path} object.
* @param bytes an array of byte.
* @param options a {@link java.nio.file.OpenOption} object.
* @throws java.io.IOException if any.
*/
public static void writeFile(Path targetFile, byte[] bytes, OpenOption... options) throws IOException { public static void writeFile(Path targetFile, byte[] bytes, OpenOption... options) throws IOException {
createDirsIfNotExists(targetFile.getParent()); createDirsIfNotExists(targetFile.getParent());
if (!Files.exists(targetFile)) { if (!Files.exists(targetFile)) {
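Review bot: `replaceInFile` ends with `Files.write(file, fileAsString.getBytes());` (hunk `@ -78,6 +134,14 @@`), which encodes with the platform default charset; unless the read side, which is outside the hunk, deliberately uses the same default, write with an explicit charset: `Files.write(file, fileAsString.getBytes(StandardCharsets.UTF_8));`. The new `@param suffixes a {@link java.lang.String} object.` on the varargs overload of `fileEndsWith` is wrong — it is a `String...` array and the method returns true on the first suffix that matches — so say that instead. In `getFilesInDirectory`, `DirectoryStream<Path> dirStream;` is declared as a bare local at the top of the method rather than in a try-with-resources; the rest of the body is outside the hunk, so confirm the stream is closed on every path, including the exception path.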


@ -1,7 +1,18 @@
package org.owasp.webgoat.plugins; package org.owasp.webgoat.plugins;
/**
* <p>PluginLoadingFailure class.</p>
*
* @version $Id: $Id
*/
public class PluginLoadingFailure extends RuntimeException { public class PluginLoadingFailure extends RuntimeException {
/**
* <p>Constructor for PluginLoadingFailure.</p>
*
* @param message a {@link java.lang.String} object.
* @param e a {@link java.lang.Exception} object.
*/
public PluginLoadingFailure(String message, Exception e) { public PluginLoadingFailure(String message, Exception e) {
super(message, e); super(message, e);
} }


@ -22,14 +22,26 @@ import java.util.concurrent.ExecutorCompletionService;
import java.util.concurrent.ExecutorService; import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors; import java.util.concurrent.Executors;
/**
* <p>PluginsLoader class.</p>
*
* @version $Id: $Id
*/
public class PluginsLoader implements Runnable { public class PluginsLoader implements Runnable {
/** Constant <code>WEBGOAT_PLUGIN_EXTENSION="jar"</code> */
protected static final String WEBGOAT_PLUGIN_EXTENSION = "jar"; protected static final String WEBGOAT_PLUGIN_EXTENSION = "jar";
private final Logger logger = LoggerFactory.getLogger(this.getClass()); private final Logger logger = LoggerFactory.getLogger(this.getClass());
private final Path pluginSource; private final Path pluginSource;
private Path pluginTarget; private Path pluginTarget;
/**
* <p>Constructor for PluginsLoader.</p>
*
* @param pluginSource a {@link java.nio.file.Path} object.
* @param pluginTarget a {@link java.nio.file.Path} object.
*/
public PluginsLoader(Path pluginSource, Path pluginTarget) { public PluginsLoader(Path pluginSource, Path pluginTarget) {
Preconditions.checkNotNull(pluginSource, "plugin source cannot be null"); Preconditions.checkNotNull(pluginSource, "plugin source cannot be null");
Preconditions.checkNotNull(pluginTarget, "plugin target cannot be null"); Preconditions.checkNotNull(pluginTarget, "plugin target cannot be null");
@ -38,6 +50,12 @@ public class PluginsLoader implements Runnable {
this.pluginTarget = pluginTarget; this.pluginTarget = pluginTarget;
} }
/**
* <p>loadPlugins.</p>
*
* @param reload a boolean.
* @return a {@link java.util.List} object.
*/
public List<Plugin> loadPlugins(final boolean reload) { public List<Plugin> loadPlugins(final boolean reload) {
final PluginClassLoader cl = (PluginClassLoader) Thread.currentThread().getContextClassLoader(); final PluginClassLoader cl = (PluginClassLoader) Thread.currentThread().getContextClassLoader();
List<Plugin> plugins = Lists.newArrayList(); List<Plugin> plugins = Lists.newArrayList();
@ -109,6 +127,7 @@ public class PluginsLoader implements Runnable {
return extractorCallables; return extractorCallables;
} }
/** {@inheritDoc} */
@Override @Override
public void run() { public void run() {
loadPlugins(true); loadPlugins(true);
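Review bot: `loadPlugins` casts `Thread.currentThread().getContextClassLoader()` to `PluginClassLoader` unchecked (hunk `@ -38,6 +50,12 @@`), and the generated Javadoc (`<p>loadPlugins.</p>`, `@param reload a boolean.`) does not state that precondition, so a caller on a thread whose context loader is something else gets a bare `ClassCastException`. Document it — `@throws ClassCastException if the current thread's context class loader is not a {@link PluginClassLoader}` — or check with `instanceof` and throw `PluginLoadingFailure` with a message naming the loader class actually found. Since `run()` calls `loadPlugins(true)` from the scheduler thread set up in `PluginBackgroundLoader`, it is presumably that thread's context loader that has to satisfy the cast; the `reload` parameter's meaning is also worth one sentence, as "a boolean" tells the reader nothing.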


@ -37,8 +37,10 @@ import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.ResponseBody;
/** /**
* <p>ApplicationService class.</p>
* *
* @author rlawson * @author rlawson
* @version $Id: $Id
*/ */
@Controller @Controller
public class ApplicationService extends BaseService { public class ApplicationService extends BaseService {
@ -46,8 +48,8 @@ public class ApplicationService extends BaseService {
/** /**
* Returns global application info * Returns global application info
* *
* @param session * @param session a {@link javax.servlet.http.HttpSession} object.
* @return * @return a {@link org.owasp.webgoat.application.Application} object.
*/ */
@RequestMapping(value = "/application.mvc", produces = "application/json") @RequestMapping(value = "/application.mvc", produces = "application/json")
public @ResponseBody public @ResponseBody


@ -44,14 +44,23 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.ResponseStatus; import org.springframework.web.bind.annotation.ResponseStatus;
/** /**
* <p>Abstract BaseService class.</p>
* *
* @author rlawson * @author rlawson
* @version $Id: $Id
*/ */
@RequestMapping("/service") @RequestMapping("/service")
public abstract class BaseService { public abstract class BaseService {
private static final Logger logger = LoggerFactory.getLogger(BaseService.class); private static final Logger logger = LoggerFactory.getLogger(BaseService.class);
/**
* <p>handleException.</p>
*
* @param request a {@link javax.servlet.http.HttpServletRequest} object.
* @param ex a {@link java.lang.Exception} object.
* @return a {@link org.owasp.webgoat.service.ExceptionInfo} object.
*/
@ExceptionHandler(Exception.class) @ExceptionHandler(Exception.class)
@ResponseStatus(value = HttpStatus.I_AM_A_TEAPOT) @ResponseStatus(value = HttpStatus.I_AM_A_TEAPOT)
public @ResponseBody public @ResponseBody
@ -66,6 +75,12 @@ public abstract class BaseService {
return response; return response;
} }
/**
* <p>getWebSession.</p>
*
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link org.owasp.webgoat.session.WebSession} object.
*/
public WebSession getWebSession(HttpSession session) { public WebSession getWebSession(HttpSession session) {
WebSession ws; WebSession ws;
Object o = session.getAttribute(WebSession.SESSION); Object o = session.getAttribute(WebSession.SESSION);
@ -79,6 +94,12 @@ public abstract class BaseService {
return ws; return ws;
} }
/**
* <p>getStringStackTrace.</p>
*
* @param t a {@link java.lang.Throwable} object.
* @return a {@link java.lang.String} object.
*/
public String getStringStackTrace(Throwable t){ public String getStringStackTrace(Throwable t){
StringWriter sw = new StringWriter(); StringWriter sw = new StringWriter();
PrintWriter pw = new PrintWriter(sw); PrintWriter pw = new PrintWriter(sw);
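Review bot: The new Javadoc on `handleException` and `getStringStackTrace` (`<p>handleException.</p>`, `@return a {@link java.lang.String} object.`) does not say what the handler does with the stack trace; `handleException` is annotated `@ExceptionHandler(Exception.class)` with `@ResponseBody`, and its body, outside the hunk, decides whether the full trace ends up in the HTTP response. If it does, make that explicit in the doc — e.g. `Builds the response for any unhandled exception; the stack trace is included in the body, which is intentional for this training application` — so the information-disclosure behaviour is a documented choice rather than an accident. `@ResponseStatus(value = HttpStatus.I_AM_A_TEAPOT)` for every exception type is also worth a sentence explaining why a 418 is used in place of a 5xx, since the generated doc gives no hint.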


@ -42,8 +42,10 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.servlet.ModelAndView; import org.springframework.web.servlet.ModelAndView;
/** /**
* <p>CookieService class.</p>
* *
* @author rlawson * @author rlawson
* @version $Id: $Id
*/ */
@Controller @Controller
public class CookieService extends BaseService { public class CookieService extends BaseService {
@ -51,8 +53,8 @@ public class CookieService extends BaseService {
/** /**
* Returns cookies for last attack * Returns cookies for last attack
* *
* @param session * @param session a {@link javax.servlet.http.HttpSession} object.
* @return * @return a {@link java.util.List} object.
*/ */
@RequestMapping(value = "/cookie.mvc", produces = "application/json") @RequestMapping(value = "/cookie.mvc", produces = "application/json")
public @ResponseBody public @ResponseBody
@ -65,8 +67,8 @@ public class CookieService extends BaseService {
/** /**
* Returns cookies and params for current lesson * Returns cookies and params for current lesson
* *
* @param session * @param session a {@link javax.servlet.http.HttpSession} object.
* @return * @return a {@link org.springframework.web.servlet.ModelAndView} object.
*/ */
@RequestMapping(value = "/cookies_widget.mvc", produces = "text/html") @RequestMapping(value = "/cookies_widget.mvc", produces = "text/html")
public ModelAndView showCookiesAndParamsAsHtml(HttpSession session) { public ModelAndView showCookiesAndParamsAsHtml(HttpSession session) {


@ -34,12 +34,19 @@ import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.ResponseBody;
/** /**
* <p>DummyService class.</p>
* *
* @author rlawson * @author rlawson
* @version $Id: $Id
*/ */
@Controller @Controller
public class DummyService extends BaseService{ public class DummyService extends BaseService{
/**
* <p>firstNames.</p>
*
* @return a {@link java.util.List} object.
*/
@RequestMapping(value = "/first.mvc", produces = "application/json") @RequestMapping(value = "/first.mvc", produces = "application/json")
public @ResponseBody public @ResponseBody
List<String> firstNames() { List<String> firstNames() {


@ -1,54 +1,76 @@
/*************************************************************************************************** /***************************************************************************************************
* *
* *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/ * please see http://www.owasp.org/
* *
* Copyright (c) 2002 - 20014 Bruce Mayhew * Copyright (c) 2002 - 20014 Bruce Mayhew
* *
* This program is free software; you can redistribute it and/or modify it under the terms of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version. * License, or (at your option) any later version.
* *
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details. * General Public License for more details.
* *
* You should have received a copy of the GNU General Public License along with this program; if * You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA. * 02111-1307, USA.
* *
* Getting Source ============== * Getting Source ==============
* *
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects. * projects.
* *
* For details, please see http://webgoat.github.io * For details, please see http://webgoat.github.io
*/ */
package org.owasp.webgoat.service; package org.owasp.webgoat.service;
/** /**
* * <p>ExceptionInfo class.</p>
* @author rlawson *
*/ * @author rlawson
public class ExceptionInfo { * @version $Id: $Id
*/
private String url; public class ExceptionInfo {
private String message;
private String url;
public String getUrl() { private String message;
return url;
} /**
* <p>Getter for the field <code>url</code>.</p>
public void setUrl(String url) { *
this.url = url; * @return a {@link java.lang.String} object.
} */
public String getUrl() {
public String getMessage() { return url;
return message; }
}
/**
public void setMessage(String message) { * <p>Setter for the field <code>url</code>.</p>
this.message = message; *
} * @param url a {@link java.lang.String} object.
} */
public void setUrl(String url) {
this.url = url;
}
/**
* <p>Getter for the field <code>message</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getMessage() {
return message;
}
/**
* <p>Setter for the field <code>message</code>.</p>
*
* @param message a {@link java.lang.String} object.
*/
public void setMessage(String message) {
this.message = message;
}
}
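Review bot: The file header this commit rewrites still reads `Copyright (c) 2002 - 20014 Bruce Mayhew`, which looks like a typo for 2014; the same string is carried unchanged into the Controller, Authorization, Course and DatabaseUtilities headers in this commit. The new getter and setter Javadoc (`Getter for the field <code>url</code>`) repeats the field name without saying what `url` and `message` hold or where the object is consumed, which is not visible from this file. A class-level sentence such as `* Holds the URL and message of an exception so they can be reported together.` would tell a reader more than the four generated accessor comments.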

@ -17,8 +17,10 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.servlet.ModelAndView; import org.springframework.web.servlet.ModelAndView;
/** /**
* <p>HintService class.</p>
* *
* @author rlawson * @author rlawson
* @version $Id: $Id
*/ */
@Controller @Controller
public class HintService extends BaseService { public class HintService extends BaseService {
@ -26,8 +28,8 @@ public class HintService extends BaseService {
/** /**
* Returns hints for current lesson * Returns hints for current lesson
* *
* @param session * @param session a {@link javax.servlet.http.HttpSession} object.
* @return * @return a {@link java.util.List} object.
*/ */
@RequestMapping(value = "/hint.mvc", produces = "application/json") @RequestMapping(value = "/hint.mvc", produces = "application/json")
public @ResponseBody public @ResponseBody
@ -55,6 +57,12 @@ public class HintService extends BaseService {
return listHints; return listHints;
} }
/**
* <p>showHintsAsHtml.</p>
*
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link org.springframework.web.servlet.ModelAndView} object.
*/
@RequestMapping(value = "/hint_widget.mvc", produces = "text/html") @RequestMapping(value = "/hint_widget.mvc", produces = "text/html")
public public
ModelAndView showHintsAsHtml(HttpSession session) { ModelAndView showHintsAsHtml(HttpSession session) {

@ -47,8 +47,10 @@ import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.ResponseBody;
/** /**
* <p>LessonMenuService class.</p>
* *
* @author rlawson * @author rlawson
* @version $Id: $Id
*/ */
@Controller @Controller
public class LessonMenuService extends BaseService { public class LessonMenuService extends BaseService {
@ -58,8 +60,8 @@ public class LessonMenuService extends BaseService {
/** /**
* Returns the lesson menu which is used to build the left nav * Returns the lesson menu which is used to build the left nav
* *
* @param session * @param session a {@link javax.servlet.http.HttpSession} object.
* @return * @return a {@link java.util.List} object.
*/ */
@RequestMapping(value = "/lessonmenu.mvc", produces = "application/json") @RequestMapping(value = "/lessonmenu.mvc", produces = "application/json")
public @ResponseBody public @ResponseBody

@ -42,8 +42,10 @@ import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.ResponseBody;
/** /**
* <p>LessonPlanService class.</p>
* *
* @author rlawson * @author rlawson
* @version $Id: $Id
*/ */
@Controller @Controller
public class LessonPlanService extends BaseService { public class LessonPlanService extends BaseService {
@ -51,8 +53,8 @@ public class LessonPlanService extends BaseService {
/** /**
* Returns source for current attack * Returns source for current attack
* *
* @param session * @param session a {@link javax.servlet.http.HttpSession} object.
* @return * @return a {@link java.lang.String} object.
*/ */
@RequestMapping(value = "/lessonplan.mvc", produces = "application/html") @RequestMapping(value = "/lessonplan.mvc", produces = "application/html")
public @ResponseBody public @ResponseBody
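Review bot: The context line `@RequestMapping(value = "/lessonplan.mvc", produces = "application/html")` declares a media type that is not a registered one; a lesson plan rendered as HTML should use `produces = "text/html"`. The same problem appears in the LessonTitleService (`application/html`), RestartLessonService (`text/text`) and SourceService (`application/text`) sections of this commit, which presumably want `text/html`, `text/plain` and `text/plain` respectively. Besides breaking content negotiation, a non-standard value may be sent as the response Content-Type and leaves the body open to browser content sniffing. The handler signature continues outside the hunk.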

@ -10,13 +10,18 @@ import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.ResponseBody;
@Controller @Controller
/**
* <p>LessonTitleService class.</p>
*
* @version $Id: $Id
*/
public class LessonTitleService extends BaseService { public class LessonTitleService extends BaseService {
/** /**
* Returns the title for the current attack * Returns the title for the current attack
* *
* @param session * @param session a {@link javax.servlet.http.HttpSession} object.
* @return * @return a {@link java.lang.String} object.
*/ */
@RequestMapping(value = "/lessontitle.mvc", produces = "application/html") @RequestMapping(value = "/lessontitle.mvc", produces = "application/html")
public @ResponseBody public @ResponseBody
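Review bot: The new class Javadoc is inserted between `@Controller` and `public class LessonTitleService extends BaseService {`, whereas every other service class in this commit carries the comment before the annotation. Annotations are modifiers of the declaration, so the doc comment should precede `@Controller`; with the comment placed after it, javadoc may not attach it to the class at all. Move `@Controller` to the line directly above `public class LessonTitleService extends BaseService {`. The handler method continues outside the hunk.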

@ -43,8 +43,10 @@ import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.ResponseBody;
/** /**
* <p>ParameterService class.</p>
* *
* @author rlawson * @author rlawson
* @version $Id: $Id
*/ */
@Controller @Controller
public class ParameterService extends BaseService { public class ParameterService extends BaseService {
@ -54,8 +56,8 @@ public class ParameterService extends BaseService {
/** /**
* Returns request parameters for last attack * Returns request parameters for last attack
* *
* @param session * @param session a {@link javax.servlet.http.HttpSession} object.
* @return * @return a {@link java.util.List} object.
*/ */
@RequestMapping(value = "/parameter.mvc", produces = "application/json") @RequestMapping(value = "/parameter.mvc", produces = "application/json")
public @ResponseBody public @ResponseBody

@ -34,8 +34,10 @@ import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.ResponseBody;
/** /**
* <p>RestartLessonService class.</p>
* *
* @author rlawson * @author rlawson
* @version $Id: $Id
*/ */
@Controller @Controller
public class RestartLessonService extends BaseService { public class RestartLessonService extends BaseService {
@ -43,8 +45,8 @@ public class RestartLessonService extends BaseService {
/** /**
* Returns current lesson * Returns current lesson
* *
* @param session * @param session a {@link javax.servlet.http.HttpSession} object.
* @return * @return a {@link java.lang.String} object.
*/ */
@RequestMapping(value = "/restartlesson.mvc", produces = "text/text") @RequestMapping(value = "/restartlesson.mvc", produces = "text/text")
public @ResponseBody public @ResponseBody

@ -17,8 +17,10 @@ import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.ResponseBody;
/** /**
* <p>SessionService class.</p>
* *
* @author rlawson * @author rlawson
* @version $Id: $Id
*/ */
@Controller @Controller
public class SessionService extends BaseService { public class SessionService extends BaseService {
@ -26,8 +28,9 @@ public class SessionService extends BaseService {
/** /**
* Returns hints for current lesson * Returns hints for current lesson
* *
* @param session * @param session a {@link javax.servlet.http.HttpSession} object.
* @return * @param request a {@link javax.servlet.http.HttpServletRequest} object.
* @return a {@link java.lang.String} object.
*/ */
@RequestMapping(value = "/session.mvc", produces = "application/json") @RequestMapping(value = "/session.mvc", produces = "application/json")
public @ResponseBody public @ResponseBody
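Review bot: The Javadoc this hunk edits still summarizes the `/session.mvc` handler as `Returns hints for current lesson`, which appears to be copied from HintService; the commit adds `@param request` and a typed `@return` but leaves the wrong summary in place. Replace it with a sentence describing what this endpoint actually returns, for example `* Returns session information for the current user as JSON.` if that is what the body does — the method body is outside the hunk, so only the `String` return and the JSON `produces` type are visible here.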

@ -39,8 +39,10 @@ import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.ResponseBody;
/** /**
* <p>SolutionService class.</p>
* *
* @author rlawson * @author rlawson
* @version $Id: $Id
*/ */
@Controller @Controller
public class SolutionService extends BaseService { public class SolutionService extends BaseService {
@ -48,8 +50,8 @@ public class SolutionService extends BaseService {
/** /**
* Returns solution for current attack * Returns solution for current attack
* *
* @param session * @param session a {@link javax.servlet.http.HttpSession} object.
* @return * @return a {@link java.lang.String} object.
*/ */
@RequestMapping(value = "/solution.mvc", produces = "text/html") @RequestMapping(value = "/solution.mvc", produces = "text/html")
public @ResponseBody public @ResponseBody
@ -59,6 +61,12 @@ public class SolutionService extends BaseService {
return source; return source;
} }
/**
* <p>getSolution.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @return a {@link java.lang.String} object.
*/
protected String getSolution(WebSession s) { protected String getSolution(WebSession s) {
String source = null; String source = null;

@ -44,8 +44,10 @@ import static org.owasp.webgoat.LessonSource.END_SOURCE_SKIP;
import static org.owasp.webgoat.LessonSource.START_SOURCE_SKIP; import static org.owasp.webgoat.LessonSource.START_SOURCE_SKIP;
/** /**
* <p>SourceService class.</p>
* *
* @author rlawson * @author rlawson
* @version $Id: $Id
*/ */
@Controller @Controller
public class SourceService extends BaseService { public class SourceService extends BaseService {
@ -53,8 +55,8 @@ public class SourceService extends BaseService {
/** /**
* Returns source for current attack * Returns source for current attack
* *
* @param session * @param session a {@link javax.servlet.http.HttpSession} object.
* @return * @return a {@link java.lang.String} object.
*/ */
@RequestMapping(value = "/source.mvc", produces = "application/text") @RequestMapping(value = "/source.mvc", produces = "application/text")
public @ResponseBody public @ResponseBody

@ -1 +1,72 @@
package org.owasp.webgoat.servlets; import java.io.IOException; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; /** * ************************************************************************************************* * * * This file is part of WebGoat, an Open Web Application Security Project * utility. For details, please see http://www.owasp.org/ * * Copyright (c) 2002 - 20014 Bruce Mayhew * * This program is free software; you can redistribute it and/or modify it under * the terms of the GNU General Public License as published by the Free Software * Foundation; either version 2 of the License, or (at your option) any later * version. * * This program is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more * details. * * You should have received a copy of the GNU General Public License along with * this program; if not, write to the Free Software Foundation, Inc., 59 Temple * Place - Suite 330, Boston, MA 02111-1307, USA. * * Getting Source ============== * * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository * for free software projects. 
* * For details, please see http://webgoat.github.io */ public class Controller extends HttpServlet { private static final long serialVersionUID = 1L; protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { doPost(request, response); } protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { String userAgent = request.getHeader("user-agent"); String clientBrowser = "Not known!"; if (userAgent != null) { clientBrowser = userAgent; } request.setAttribute("client.browser", clientBrowser); request.getRequestDispatcher("/view.jsp").forward(request, response); } } package org.owasp.webgoat.servlets;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/**
* *************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
*
* For details, please see http://webgoat.github.io
*
* @version $Id: $Id
*/
public class Controller extends HttpServlet {
private static final long serialVersionUID = 1L;
/** {@inheritDoc} */
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
doPost(request, response);
}
/** {@inheritDoc} */
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException,
IOException {
String userAgent = request.getHeader("user-agent");
String clientBrowser = "Not known!";
if (userAgent != null) {
clientBrowser = userAgent;
}
request.setAttribute("client.browser", clientBrowser);
request.getRequestDispatcher("/view.jsp").forward(request, response);
}
}
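Review bot: `doPost` copies the raw `user-agent` request header into the `client.browser` request attribute and forwards to `/view.jsp`; the header is client-controlled, so the JSP must HTML-escape the attribute when rendering it (for example JSTL `<c:out value="${requestScope['client.browser']}"/>`), and since `view.jsp` is not part of this diff I cannot confirm that it does. A comment at the `setAttribute` call such as `// untrusted header value: view.jsp must escape this before rendering` would make that contract visible to the next maintainer. Separately, the license banner has been turned into the class Javadoc (`/**` ... `@version $Id: $Id`), so the GPL text becomes the documented description of `Controller`; a plain `/*` header plus a one-line class comment would be cleaner.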

@ -1,53 +1,72 @@
package org.owasp.webgoat.session; package org.owasp.webgoat.session;
import java.util.Hashtable; import java.util.Hashtable;
import java.util.Map; import java.util.Map;
/*************************************************************************************************** /**
* *************************************************************************************************
* *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, *
* please see http://www.owasp.org/ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* * please see http://www.owasp.org/
* Copyright (c) 2002 - 20014 Bruce Mayhew *
* * Copyright (c) 2002 - 20014 Bruce Mayhew
* This program is free software; you can redistribute it and/or modify it under the terms of the *
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* License, or (at your option) any later version. * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* * License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without *
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* General Public License for more details. * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* * General Public License for more details.
* You should have received a copy of the GNU General Public License along with this program; if *
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * You should have received a copy of the GNU General Public License along with this program; if
* 02111-1307, USA. * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* * 02111-1307, USA.
* Getting Source ============== *
* * Getting Source ==============
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software *
* projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* * projects.
* For details, please see http://webgoat.github.io *
*/ * For details, please see http://webgoat.github.io
public class Authorization *
{ * * @version $Id: $Id
*/
Map<Integer, Integer> permissions = new Hashtable<Integer, Integer>(); public class Authorization
{
public Authorization()
{ Map<Integer, Integer> permissions = new Hashtable<Integer, Integer>();
}
/**
public void setPermission(int userId, int functionId) * <p>Constructor for Authorization.</p>
{ */
permissions.put(new Integer(userId), new Integer(functionId)); public Authorization()
} {
}
public boolean isAllowed(int userId, int functionId)
{ /**
return (permissions.get(new Integer(userId)) != null); * <p>setPermission.</p>
} *
} * @param userId a int.
* @param functionId a int.
*/
public void setPermission(int userId, int functionId)
{
permissions.put(new Integer(userId), new Integer(functionId));
}
/**
* <p>isAllowed.</p>
*
* @param userId a int.
* @param functionId a int.
* @return a boolean.
*/
public boolean isAllowed(int userId, int functionId)
{
return (permissions.get(new Integer(userId)) != null);
}
}
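Review bot: The new Javadoc for `isAllowed` documents `functionId` as an ordinary parameter, but the body `return (permissions.get(new Integer(userId)) != null);` never reads it, so any user with one stored permission passes the check for every function. If that is intentional for a lesson, the comment should say so, for example `* Note: functionId is ignored; this only tests whether the user has any permission at all.`; otherwise the check should compare the stored value with `functionId`. Also, `setPermission` keeps a single Integer per user, so a second call replaces the first rather than adding a permission, and `new Integer(int)` can be replaced by `Integer.valueOf` or plain autoboxing.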

@ -30,37 +30,36 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
/** /**
* ************************************************************************************************* *************************************************************************************************
* <p/> *
* <p/> *
* This file is part of WebGoat, an Open Web Application Security Project * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* utility. For details, please see http://www.owasp.org/ * please see http://www.owasp.org/
* <p/> *
* Copyright (c) 2002 - 20014 Bruce Mayhew * Copyright (c) 2002 - 20014 Bruce Mayhew
* <p/> *
* This program is free software; you can redistribute it and/or modify it under * This program is free software; you can redistribute it and/or modify it under the terms of the
* the terms of the GNU General Public License as published by the Free Software * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* Foundation; either version 2 of the License, or (at your option) any later * License, or (at your option) any later version.
* version. *
* <p/> * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* This program is distributed in the hope that it will be useful, but WITHOUT * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * General Public License for more details.
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more *
* details. * You should have received a copy of the GNU General Public License along with this program; if
* <p/> * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* You should have received a copy of the GNU General Public License along with * 02111-1307, USA.
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple *
* Place - Suite 330, Boston, MA 02111-1307, USA.
* <p/>
* Getting Source ============== * Getting Source ==============
* <p/> *
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* for free software projects. * projects.
* <p/> *
* For details, please see http://webgoat.github.io * For details, please see http://webgoat.github.io
* *
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a> * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003 * @since October 28, 2003
* @version $Id: $Id
*/ */
public class Course { public class Course {
@ -76,6 +75,9 @@ public class Course {
private WebgoatContext webgoatContext; private WebgoatContext webgoatContext;
/**
* <p>Constructor for Course.</p>
*/
public Course() { public Course() {
try { try {
properties = new WebgoatProperties(PROPERTIES_FILENAME); properties = new WebgoatProperties(PROPERTIES_FILENAME);
@ -86,7 +88,7 @@ public class Course {
/** /**
* Take an absolute file and return the filename. * Take an absolute file and return the filename.
* <p/> *
* Ex. /etc/password becomes password * Ex. /etc/password becomes password
* *
* @param s * @param s
@ -108,7 +110,7 @@ public class Course {
/** /**
* Take a class name and return the equivalent file name * Take a class name and return the equivalent file name
* <p/> *
* Ex. org.owasp.webgoat becomes org/owasp/webgoat.java * Ex. org.owasp.webgoat becomes org/owasp/webgoat.java
* *
* @param className * @param className
@ -190,9 +192,9 @@ public class Course {
/** /**
* Gets the lesson attribute of the Course object * Gets the lesson attribute of the Course object
* *
* @param s * @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param lessonId Description of the Parameter * @param lessonId Description of the Parameter
* @param roles * @param roles a {@link java.util.List} object.
* @return The lesson value * @return The lesson value
*/ */
public AbstractLesson getLesson(WebSession s, int lessonId, List<String> roles) { public AbstractLesson getLesson(WebSession s, int lessonId, List<String> roles) {
@ -214,12 +216,27 @@ public class Course {
return null; return null;
} }
/**
* <p>getLesson.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param lessonId a int.
* @param role a {@link java.lang.String} object.
* @return a {@link org.owasp.webgoat.lessons.AbstractLesson} object.
*/
public AbstractLesson getLesson(WebSession s, int lessonId, String role) { public AbstractLesson getLesson(WebSession s, int lessonId, String role) {
List<String> roles = new ArrayList<String>(); List<String> roles = new ArrayList<String>();
roles.add(role); roles.add(role);
return getLesson(s, lessonId, roles); return getLesson(s, lessonId, roles);
} }
/**
* <p>Getter for the field <code>lessons</code>.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param role a {@link java.lang.String} object.
* @return a {@link java.util.List} object.
*/
public List getLessons(WebSession s, String role) { public List getLessons(WebSession s, String role) {
List<String> roles = new ArrayList<String>(); List<String> roles = new ArrayList<String>();
roles.add(role); roles.add(role);
@ -229,8 +246,8 @@ public class Course {
/** /**
* Gets the lessons attribute of the Course object * Gets the lessons attribute of the Course object
* *
* @param s * @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param roles * @param roles a {@link java.util.List} object.
* @return The lessons value * @return The lessons value
*/ */
public List<AbstractLesson> getLessons(WebSession s, List<String> roles) { public List<AbstractLesson> getLessons(WebSession s, List<String> roles) {
@ -266,12 +283,28 @@ public class Course {
return lessonList; return lessonList;
} }
/**
* <p>Getter for the field <code>lessons</code>.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param category a {@link org.owasp.webgoat.lessons.Category} object.
* @param role a {@link java.lang.String} object.
* @return a {@link java.util.List} object.
*/
public List getLessons(WebSession s, Category category, String role) { public List getLessons(WebSession s, Category category, String role) {
List<String> roles = new ArrayList<String>(); List<String> roles = new ArrayList<String>();
roles.add(role); roles.add(role);
return getLessons(s, category, roles); return getLessons(s, category, roles);
} }
/**
* <p>Getter for the field <code>lessons</code>.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param category a {@link org.owasp.webgoat.lessons.Category} object.
* @param roles a {@link java.util.List} object.
* @return a {@link java.util.List} object.
*/
public List<AbstractLesson> getLessons(WebSession s, Category category, List<String> roles) { public List<AbstractLesson> getLessons(WebSession s, Category category, List<String> roles) {
if (s.isHackedAdmin()) { if (s.isHackedAdmin()) {
roles.add(AbstractLesson.HACKED_ADMIN_ROLE); roles.add(AbstractLesson.HACKED_ADMIN_ROLE);
@ -279,6 +312,12 @@ public class Course {
return getLessons(category, roles); return getLessons(category, roles);
} }
/**
* <p>getLesson.</p>
*
* @param lessonId a int.
* @return a {@link org.owasp.webgoat.lessons.AbstractLesson} object.
*/
public AbstractLesson getLesson(int lessonId) { public AbstractLesson getLesson(int lessonId) {
for (AbstractLesson l : lessons) { for (AbstractLesson l : lessons) {
if (l.getScreenId() == lessonId) { if (l.getScreenId() == lessonId) {
@ -326,7 +365,7 @@ public class Course {
/** /**
* Description of the Method * Description of the Method
* *
* @param webgoatContext * @param webgoatContext a {@link org.owasp.webgoat.session.WebgoatContext} object.
* @param path Description of the Parameter * @param path Description of the Parameter
* @param context Description of the Parameter * @param context Description of the Parameter
*/ */
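Review bot: The Javadoc added to `getLessons(WebSession s, Category category, List<String> roles)` describes `roles` as a plain input, but the line `roles.add(AbstractLesson.HACKED_ADMIN_ROLE);` under `if (s.isHackedAdmin())` mutates the caller's list, so a caller that reuses its list keeps the elevated role on later calls. Either document it (`* Note: roles is modified in place when the session is a hacked admin.`) or copy first with `roles = new ArrayList<String>(roles);`. The `getLessons(WebSession, List<String>)` overload may do the same, but its body is outside the hunk. The `@since October 28, 2003` tag that replaces `@created` misuses `@since`, which is meant for a version, and the `Getter for the field <code>lessons</code>` summaries on the filtering overloads (which take a role or category and build a new list) are misleading.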

@ -1,173 +1,197 @@
package org.owasp.webgoat.session; package org.owasp.webgoat.session;
import java.io.IOException; import java.io.IOException;
import java.sql.Connection; import java.sql.Connection;
import java.sql.DriverManager; import java.sql.DriverManager;
import java.sql.ResultSet; import java.sql.ResultSet;
import java.sql.ResultSetMetaData; import java.sql.ResultSetMetaData;
import java.sql.SQLException; import java.sql.SQLException;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map; import java.util.Map;
import org.apache.ecs.MultiPartElement; import org.apache.ecs.MultiPartElement;
import org.apache.ecs.html.B; import org.apache.ecs.html.B;
import org.apache.ecs.html.TD; import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR; import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table; import org.apache.ecs.html.Table;
/*************************************************************************************************** /**
* *************************************************************************************************
* *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, *
* please see http://www.owasp.org/ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* * please see http://www.owasp.org/
* Copyright (c) 2002 - 20014 Bruce Mayhew *
* * Copyright (c) 2002 - 20014 Bruce Mayhew
* This program is free software; you can redistribute it and/or modify it under the terms of the *
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* License, or (at your option) any later version. * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* * License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without *
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* General Public License for more details. * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* * General Public License for more details.
* You should have received a copy of the GNU General Public License along with this program; if *
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * You should have received a copy of the GNU General Public License along with this program; if
* 02111-1307, USA. * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* * 02111-1307, USA.
* Getting Source ============== *
* * Getting Source ==============
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software *
* projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* * projects.
* For details, please see http://webgoat.github.io *
* * For details, please see http://webgoat.github.io
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a> *
*/ * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
public class DatabaseUtilities * @version $Id: $Id
{ */
public class DatabaseUtilities
private static Map<String, Connection> connections = new HashMap<String, Connection>(); {
private static Map<String, Boolean> dbBuilt = new HashMap<String, Boolean>();
private static Map<String, Connection> connections = new HashMap<String, Connection>();
public static Connection getConnection(WebSession s) throws SQLException private static Map<String, Boolean> dbBuilt = new HashMap<String, Boolean>();
{
return getConnection(s.getUserName(), s.getWebgoatContext()); /**
} * <p>getConnection.</p>
*
public static synchronized Connection getConnection(String user, WebgoatContext context) throws SQLException * @param s a {@link org.owasp.webgoat.session.WebSession} object.
{ * @return a {@link java.sql.Connection} object.
Connection conn = connections.get(user); * @throws java.sql.SQLException if any.
if (conn != null && !conn.isClosed()) return conn; */
conn = makeConnection(user, context); public static Connection getConnection(WebSession s) throws SQLException
connections.put(user, conn); {
return getConnection(s.getUserName(), s.getWebgoatContext());
if (dbBuilt.get(user) == null) }
{
new CreateDB().makeDB(conn); /**
dbBuilt.put(user, Boolean.TRUE); * <p>getConnection.</p>
} *
* @param user a {@link java.lang.String} object.
return conn; * @param context a {@link org.owasp.webgoat.session.WebgoatContext} object.
} * @return a {@link java.sql.Connection} object.
* @throws java.sql.SQLException if any.
public static synchronized void returnConnection(String user) */
{ public static synchronized Connection getConnection(String user, WebgoatContext context) throws SQLException
try {
{ Connection conn = connections.get(user);
Connection connection = connections.get(user); if (conn != null && !conn.isClosed()) return conn;
if (connection == null || connection.isClosed()) return; conn = makeConnection(user, context);
connections.put(user, conn);
if (connection.getMetaData().getDatabaseProductName().toLowerCase().contains("oracle")) connection.close();
} catch (SQLException sqle) if (dbBuilt.get(user) == null)
{ {
sqle.printStackTrace(); new CreateDB().makeDB(conn);
} dbBuilt.put(user, Boolean.TRUE);
} }
private static Connection makeConnection(String user, WebgoatContext context) throws SQLException return conn;
{ }
try
{ /**
Class.forName(context.getDatabaseDriver()); * <p>returnConnection.</p>
*
if (context.getDatabaseConnectionString().contains("hsqldb")) return getHsqldbConnection(user, context); * @param user a {@link java.lang.String} object.
*/
String userPrefix = context.getDatabaseUser(); public static synchronized void returnConnection(String user)
String password = context.getDatabasePassword(); {
String url = context.getDatabaseConnectionString(); try
return DriverManager.getConnection(url, userPrefix + "_" + user, password); {
} catch (ClassNotFoundException cnfe) Connection connection = connections.get(user);
{ if (connection == null || connection.isClosed()) return;
cnfe.printStackTrace();
throw new SQLException("Couldn't load the database driver: " + cnfe.getLocalizedMessage()); if (connection.getMetaData().getDatabaseProductName().toLowerCase().contains("oracle")) connection.close();
} } catch (SQLException sqle)
} {
sqle.printStackTrace();
private static Connection getHsqldbConnection(String user, WebgoatContext context) throws ClassNotFoundException, }
SQLException }
{
String url = context.getDatabaseConnectionString().replaceAll("\\$\\{USER\\}", user); private static Connection makeConnection(String user, WebgoatContext context) throws SQLException
return DriverManager.getConnection(url, "sa", ""); {
} try
{
/** Class.forName(context.getDatabaseDriver());
* Description of the Method
* if (context.getDatabaseConnectionString().contains("hsqldb")) return getHsqldbConnection(user, context);
* @param results
* Description of the Parameter String userPrefix = context.getDatabaseUser();
* @param resultsMetaData String password = context.getDatabasePassword();
* Description of the Parameter String url = context.getDatabaseConnectionString();
* return DriverManager.getConnection(url, userPrefix + "_" + user, password);
* @return Description of the Return Value } catch (ClassNotFoundException cnfe)
* {
* @exception IOException cnfe.printStackTrace();
* Description of the Exception throw new SQLException("Couldn't load the database driver: " + cnfe.getLocalizedMessage());
* @exception SQLException }
* Description of the Exception }
*/
public static MultiPartElement writeTable(ResultSet results, ResultSetMetaData resultsMetaData) throws IOException, private static Connection getHsqldbConnection(String user, WebgoatContext context) throws ClassNotFoundException,
SQLException SQLException
{ {
int numColumns = resultsMetaData.getColumnCount(); String url = context.getDatabaseConnectionString().replaceAll("\\$\\{USER\\}", user);
results.beforeFirst(); return DriverManager.getConnection(url, "sa", "");
}
if (results.next())
{ /**
Table t = new Table(1); // 1 = with border * Description of the Method
t.setCellPadding(1); *
* @param results
TR tr = new TR(); * Description of the Parameter
* @param resultsMetaData
for (int i = 1; i < (numColumns + 1); i++) * Description of the Parameter
{ * @param resultsMetaData
tr.addElement(new TD(new B(resultsMetaData.getColumnName(i)))); * Description of the Parameter
} * @return Description of the Return Value
* @exception IOException
t.addElement(tr); * Description of the Exception
results.beforeFirst(); * @exception SQLException
* Description of the Exception
while (results.next()) * @throws java.io.IOException if any.
{ * @throws java.sql.SQLException if any.
TR row = new TR(); */
public static MultiPartElement writeTable(ResultSet results, ResultSetMetaData resultsMetaData) throws IOException,
for (int i = 1; i < (numColumns + 1); i++) SQLException
{ {
String str = results.getString(i); int numColumns = resultsMetaData.getColumnCount();
if (str == null) str = ""; results.beforeFirst();
row.addElement(new TD(str.replaceAll(" ", "&nbsp;")));
} if (results.next())
{
t.addElement(row); Table t = new Table(1); // 1 = with border
} t.setCellPadding(1);
return (t); TR tr = new TR();
}
else for (int i = 1; i < (numColumns + 1); i++)
{ {
return (new B("Query Successful; however no data was returned from this query.")); tr.addElement(new TD(new B(resultsMetaData.getColumnName(i))));
} }
}
t.addElement(tr);
} results.beforeFirst();
while (results.next())
{
TR row = new TR();
for (int i = 1; i < (numColumns + 1); i++)
{
String str = results.getString(i);
if (str == null) str = "";
row.addElement(new TD(str.replaceAll(" ", "&nbsp;")));
}
t.addElement(row);
}
return (t);
}
else
{
return (new B("Query Successful; however no data was returned from this query."));
}
}
}


@ -1,241 +1,405 @@
package org.owasp.webgoat.session; package org.owasp.webgoat.session;
import java.io.Serializable; import java.io.Serializable;
/*************************************************************************************************** /**
* *************************************************************************************************
* *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, *
* please see http://www.owasp.org/ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* * please see http://www.owasp.org/
* Copyright (c) 2002 - 20014 Bruce Mayhew *
* * Copyright (c) 2002 - 20014 Bruce Mayhew
* This program is free software; you can redistribute it and/or modify it under the terms of the *
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* License, or (at your option) any later version. * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* * License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without *
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* General Public License for more details. * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* * General Public License for more details.
* You should have received a copy of the GNU General Public License along with this program; if *
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * You should have received a copy of the GNU General Public License along with this program; if
* 02111-1307, USA. * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* * 02111-1307, USA.
* Getting Source ============== *
* * Getting Source ==============
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software *
* projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* * projects.
* For details, please see http://webgoat.github.io *
*/ * For details, please see http://webgoat.github.io
public class Employee implements Serializable *
{ * @version $Id: $Id
*/
/** public class Employee implements Serializable
* {
*/
private static final long serialVersionUID = -1901957360367218399L; /**
*
public final static String EMPLOYEE_ROLE = "employee"; */
private static final long serialVersionUID = -1901957360367218399L;
public final static String MANAGER_ROLE = "manager";
/** Constant <code>EMPLOYEE_ROLE="employee"</code> */
public final static String HR_ROLE = "hr"; public final static String EMPLOYEE_ROLE = "employee";
private int id; /** Constant <code>MANAGER_ROLE="manager"</code> */
public final static String MANAGER_ROLE = "manager";
private String firstName;
/** Constant <code>HR_ROLE="hr"</code> */
private String lastName; public final static String HR_ROLE = "hr";
private String title; private int id;
private String ssn; private String firstName;
private String phone; private String lastName;
private String address1; private String title;
private String address2; private String ssn;
private int manager; private String phone;
private String startDate; private String address1;
private int salary; private String address2;
private String ccn; private int manager;
private int ccnLimit; private String startDate;
private String disciplinaryActionDate; private int salary;
private String disciplinaryActionNotes; private String ccn;
private String personalDescription; private int ccnLimit;
// FIXME: To be deleted private String disciplinaryActionDate;
public Employee()
{ private String disciplinaryActionNotes;
}
private String personalDescription;
public Employee(int id, String firstName, String lastName, String ssn, String title, String phone, String address1,
String address2, int manager, String startDate, int salary, String ccn, int ccnLimit, // FIXME: To be deleted
String disciplinaryActionDate, String disciplinaryActionNotes, String personalDescription) /**
{ * <p>Constructor for Employee.</p>
this.id = id; */
this.firstName = firstName; public Employee()
this.lastName = lastName; {
this.ssn = ssn; }
this.title = title;
this.phone = phone; /**
this.address1 = address1; * <p>Constructor for Employee.</p>
this.address2 = address2; *
this.manager = manager; * @param id a int.
this.startDate = startDate; * @param firstName a {@link java.lang.String} object.
this.salary = salary; * @param lastName a {@link java.lang.String} object.
this.ccn = ccn; * @param ssn a {@link java.lang.String} object.
this.ccnLimit = ccnLimit; * @param title a {@link java.lang.String} object.
this.disciplinaryActionDate = disciplinaryActionDate; * @param phone a {@link java.lang.String} object.
this.disciplinaryActionNotes = disciplinaryActionNotes; * @param address1 a {@link java.lang.String} object.
this.personalDescription = personalDescription; * @param address2 a {@link java.lang.String} object.
} * @param manager a int.
* @param startDate a {@link java.lang.String} object.
public String getAddress1() * @param salary a int.
{ * @param ccn a {@link java.lang.String} object.
return address1; * @param ccnLimit a int.
} * @param disciplinaryActionDate a {@link java.lang.String} object.
* @param disciplinaryActionNotes a {@link java.lang.String} object.
public void setAddress1(String address1) * @param personalDescription a {@link java.lang.String} object.
{ */
this.address1 = address1; public Employee(int id, String firstName, String lastName, String ssn, String title, String phone, String address1,
} String address2, int manager, String startDate, int salary, String ccn, int ccnLimit,
String disciplinaryActionDate, String disciplinaryActionNotes, String personalDescription)
public String getAddress2() {
{ this.id = id;
return address2; this.firstName = firstName;
} this.lastName = lastName;
this.ssn = ssn;
public void setAddress2(String address2) this.title = title;
{ this.phone = phone;
this.address2 = address2; this.address1 = address1;
} this.address2 = address2;
this.manager = manager;
public String getCcn() this.startDate = startDate;
{ this.salary = salary;
return ccn; this.ccn = ccn;
} this.ccnLimit = ccnLimit;
this.disciplinaryActionDate = disciplinaryActionDate;
public void setCcn(String ccn) this.disciplinaryActionNotes = disciplinaryActionNotes;
{ this.personalDescription = personalDescription;
this.ccn = ccn; }
}
/**
public int getCcnLimit() * <p>Getter for the field <code>address1</code>.</p>
{ *
return ccnLimit; * @return a {@link java.lang.String} object.
} */
public String getAddress1()
public void setCcnLimit(int ccnLimit) {
{ return address1;
this.ccnLimit = ccnLimit; }
}
/**
public String getFirstName() * <p>Setter for the field <code>address1</code>.</p>
{ *
return firstName; * @param address1 a {@link java.lang.String} object.
} */
public void setAddress1(String address1)
public void setFirstName(String firstName) {
{ this.address1 = address1;
this.firstName = firstName; }
}
/**
public String getLastName() * <p>Getter for the field <code>address2</code>.</p>
{ *
return lastName; * @return a {@link java.lang.String} object.
} */
public String getAddress2()
public void setLastName(String lastName) {
{ return address2;
this.lastName = lastName; }
}
/**
public String getPhoneNumber() * <p>Setter for the field <code>address2</code>.</p>
{ *
return phone; * @param address2 a {@link java.lang.String} object.
} */
public void setAddress2(String address2)
public void setPhoneNumber(String phone) {
{ this.address2 = address2;
this.phone = phone; }
}
/**
public int getSalary() * <p>Getter for the field <code>ccn</code>.</p>
{ *
return salary; * @return a {@link java.lang.String} object.
} */
public String getCcn()
public void setSalary(int salary) {
{ return ccn;
this.salary = salary; }
}
/**
public String getSsn() * <p>Setter for the field <code>ccn</code>.</p>
{ *
return ssn; * @param ccn a {@link java.lang.String} object.
} */
public void setCcn(String ccn)
public void setSsn(String ssn) {
{ this.ccn = ccn;
this.ssn = ssn; }
}
/**
public String getStartDate() * <p>Getter for the field <code>ccnLimit</code>.</p>
{ *
return startDate; * @return a int.
} */
public int getCcnLimit()
public void setStartDate(String startDate) {
{ return ccnLimit;
this.startDate = startDate; }
}
/**
public int getId() * <p>Setter for the field <code>ccnLimit</code>.</p>
{ *
return id; * @param ccnLimit a int.
} */
public void setCcnLimit(int ccnLimit)
public void setId(int id) {
{ this.ccnLimit = ccnLimit;
this.id = id; }
}
/**
public String getTitle() * <p>Getter for the field <code>firstName</code>.</p>
{ *
return this.title; * @return a {@link java.lang.String} object.
} */
public String getFirstName()
public int getManager() {
{ return firstName;
return this.manager; }
}
/**
public String getDisciplinaryActionDate() * <p>Setter for the field <code>firstName</code>.</p>
{ *
return this.disciplinaryActionDate; * @param firstName a {@link java.lang.String} object.
} */
public void setFirstName(String firstName)
public String getDisciplinaryActionNotes() {
{ this.firstName = firstName;
return this.disciplinaryActionNotes; }
}
/**
public String getPersonalDescription() * <p>Getter for the field <code>lastName</code>.</p>
{ *
return this.personalDescription; * @return a {@link java.lang.String} object.
} */
} public String getLastName()
{
return lastName;
}
/**
* <p>Setter for the field <code>lastName</code>.</p>
*
* @param lastName a {@link java.lang.String} object.
*/
public void setLastName(String lastName)
{
this.lastName = lastName;
}
/**
* <p>getPhoneNumber.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getPhoneNumber()
{
return phone;
}
/**
* <p>setPhoneNumber.</p>
*
* @param phone a {@link java.lang.String} object.
*/
public void setPhoneNumber(String phone)
{
this.phone = phone;
}
/**
* <p>Getter for the field <code>salary</code>.</p>
*
* @return a int.
*/
public int getSalary()
{
return salary;
}
/**
* <p>Setter for the field <code>salary</code>.</p>
*
* @param salary a int.
*/
public void setSalary(int salary)
{
this.salary = salary;
}
/**
* <p>Getter for the field <code>ssn</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getSsn()
{
return ssn;
}
/**
* <p>Setter for the field <code>ssn</code>.</p>
*
* @param ssn a {@link java.lang.String} object.
*/
public void setSsn(String ssn)
{
this.ssn = ssn;
}
/**
* <p>Getter for the field <code>startDate</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getStartDate()
{
return startDate;
}
/**
* <p>Setter for the field <code>startDate</code>.</p>
*
* @param startDate a {@link java.lang.String} object.
*/
public void setStartDate(String startDate)
{
this.startDate = startDate;
}
/**
* <p>Getter for the field <code>id</code>.</p>
*
* @return a int.
*/
public int getId()
{
return id;
}
/**
* <p>Setter for the field <code>id</code>.</p>
*
* @param id a int.
*/
public void setId(int id)
{
this.id = id;
}
/**
* <p>Getter for the field <code>title</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getTitle()
{
return this.title;
}
/**
* <p>Getter for the field <code>manager</code>.</p>
*
* @return a int.
*/
public int getManager()
{
return this.manager;
}
/**
* <p>Getter for the field <code>disciplinaryActionDate</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getDisciplinaryActionDate()
{
return this.disciplinaryActionDate;
}
/**
* <p>Getter for the field <code>disciplinaryActionNotes</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getDisciplinaryActionNotes()
{
return this.disciplinaryActionNotes;
}
/**
* <p>Getter for the field <code>personalDescription</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getPersonalDescription()
{
return this.personalDescription;
}
}
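Review bot: The no-arg constructor keeps its `// FIXME: To be deleted` marker directly above the newly added `<p>Constructor for Employee.</p>` Javadoc, so the two now contradict each other; either drop the FIXME or have the Javadoc carry the same information, e.g. `/** No-arg constructor; marked for removal (see FIXME above). */`. More generally, the generated accessor Javadoc (`a {@link java.lang.String} object.`, `a int.`) only restates the signature; for the fields this lesson model carries that are sensitive by nature (ssn, ccn, ccnLimit, salary, disciplinaryActionNotes) a one-line description of what the value represents would be worth more than the placeholder text. The class-level `@version $Id: $Id` is an unexpanded keyword and should be removed or filled in. The same placeholder-Javadoc pattern appears in the EmployeeStub section below.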


@ -1,82 +1,120 @@
package org.owasp.webgoat.session; package org.owasp.webgoat.session;
import java.io.Serializable; import java.io.Serializable;
/*************************************************************************************************** /**
* *************************************************************************************************
* *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, *
* please see http://www.owasp.org/ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* * please see http://www.owasp.org/
* Copyright (c) 2002 - 20014 Bruce Mayhew *
* * Copyright (c) 2002 - 20014 Bruce Mayhew
* This program is free software; you can redistribute it and/or modify it under the terms of the *
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* License, or (at your option) any later version. * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* * License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without *
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* General Public License for more details. * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* * General Public License for more details.
* You should have received a copy of the GNU General Public License along with this program; if *
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * You should have received a copy of the GNU General Public License along with this program; if
* 02111-1307, USA. * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* * 02111-1307, USA.
* Getting Source ============== *
* * Getting Source ==============
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software *
* projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* * projects.
* For details, please see http://webgoat.github.io *
*/ * For details, please see http://webgoat.github.io
public class EmployeeStub implements Serializable *
{ * @version $Id: $Id
*/
/** public class EmployeeStub implements Serializable
* {
*/
private static final long serialVersionUID = -7109162877797765632L; /**
*
private int id; */
private static final long serialVersionUID = -7109162877797765632L;
private String firstName;
private int id;
private String lastName;
private String firstName;
private String role;
private String lastName;
public EmployeeStub(int id, String firstName, String lastName)
{ private String role;
this(id, firstName, lastName, Employee.EMPLOYEE_ROLE);
} /**
* <p>Constructor for EmployeeStub.</p>
public EmployeeStub(int id, String firstName, String lastName, String role) *
{ * @param id a int.
this.id = id; * @param firstName a {@link java.lang.String} object.
this.firstName = firstName; * @param lastName a {@link java.lang.String} object.
this.lastName = lastName; */
this.role = role; public EmployeeStub(int id, String firstName, String lastName)
} {
this(id, firstName, lastName, Employee.EMPLOYEE_ROLE);
public String getFirstName() }
{
return firstName; /**
} * <p>Constructor for EmployeeStub.</p>
*
public int getId() * @param id a int.
{ * @param firstName a {@link java.lang.String} object.
return id; * @param lastName a {@link java.lang.String} object.
} * @param role a {@link java.lang.String} object.
*/
public String getLastName() public EmployeeStub(int id, String firstName, String lastName, String role)
{ {
return lastName; this.id = id;
} this.firstName = firstName;
this.lastName = lastName;
public String getRole() this.role = role;
{ }
return role;
} /**
} * <p>Getter for the field <code>firstName</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getFirstName()
{
return firstName;
}
/**
* <p>Getter for the field <code>id</code>.</p>
*
* @return a int.
*/
public int getId()
{
return id;
}
/**
* <p>Getter for the field <code>lastName</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getLastName()
{
return lastName;
}
/**
* <p>Getter for the field <code>role</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getRole()
{
return role;
}
}
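Review bot: The Javadoc added to the three-argument constructor omits the one fact a caller needs from it, namely that it delegates with `Employee.EMPLOYEE_ROLE` as the role; suggest `* Creates a stub with the default role {@link Employee#EMPLOYEE_ROLE}.` in place of the generic `<p>Constructor for EmployeeStub.</p>` line. Likewise `getRole()` could point at the role constants declared on Employee (EMPLOYEE_ROLE, MANAGER_ROLE, HR_ROLE) as the expected values, rather than `a {@link java.lang.String} object.`, while noting that the four-argument constructor accepts any string. The `@version $Id: $Id` tag is an unexpanded keyword here as well.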


@ -1,264 +1,285 @@
package org.owasp.webgoat.session; package org.owasp.webgoat.session;
import java.io.ByteArrayOutputStream; import java.io.ByteArrayOutputStream;
import java.io.PrintWriter; import java.io.PrintWriter;
import java.util.StringTokenizer; import java.util.StringTokenizer;
import javax.servlet.ServletException; import javax.servlet.ServletException;
import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.lessons.AbstractLesson;
import org.apache.ecs.Element; import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer; import org.apache.ecs.ElementContainer;
import org.apache.ecs.HtmlColor; import org.apache.ecs.HtmlColor;
import org.apache.ecs.StringElement; import org.apache.ecs.StringElement;
import org.apache.ecs.html.Div; import org.apache.ecs.html.Div;
import org.apache.ecs.html.Form; import org.apache.ecs.html.Form;
import org.apache.ecs.html.H2; import org.apache.ecs.html.H2;
import org.apache.ecs.html.Small; import org.apache.ecs.html.Small;
import org.apache.ecs.html.TD; import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR; import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table; import org.apache.ecs.html.Table;
/*************************************************************************************************** /**
* *************************************************************************************************
* *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, *
* please see http://www.owasp.org/ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* * please see http://www.owasp.org/
* Copyright (c) 2002 - 20014 Bruce Mayhew *
* * Copyright (c) 2002 - 20014 Bruce Mayhew
* This program is free software; you can redistribute it and/or modify it under the terms of the *
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* License, or (at your option) any later version. * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* * License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without *
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* General Public License for more details. * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* * General Public License for more details.
* You should have received a copy of the GNU General Public License along with this program; if *
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * You should have received a copy of the GNU General Public License along with this program; if
* 02111-1307, USA. * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* * 02111-1307, USA.
* Getting Source ============== *
* * Getting Source ==============
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software *
* projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* * projects.
* For details, please see http://webgoat.github.io *
* * For details, please see http://webgoat.github.io
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a> *
* @created November 4, 2003 * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
*/ * @since November 4, 2003
public class ErrorScreen extends Screen * @version $Id: $Id
{ */
/** public class ErrorScreen extends Screen
* Description of the Field {
*/ /**
protected Throwable error; * Description of the Field
*/
/** protected Throwable error;
* Description of the Field
*/ /**
protected String message; * Description of the Field
*/
/** protected String message;
* Constructor for the ErrorScreen object
* /**
* @param s * Constructor for the ErrorScreen object
* Description of the Parameter *
* @param t * @param s
* Description of the Parameter * Description of the Parameter
*/ * @param t
public ErrorScreen(WebSession s, Throwable t) * Description of the Parameter
{ */
this.error = t; public ErrorScreen(WebSession s, Throwable t)
fixCurrentScreen(s); {
setup(s); this.error = t;
} fixCurrentScreen(s);
setup(s);
/** }
* Constructor for the ErrorScreen object
* /**
* @param s * Constructor for the ErrorScreen object
* Description of the Parameter *
* @param msg * @param s
* Description of the Parameter * Description of the Parameter
*/ * @param msg
public ErrorScreen(WebSession s, String msg) * Description of the Parameter
{ */
this.message = msg; public ErrorScreen(WebSession s, String msg)
fixCurrentScreen(s); {
setup(s); this.message = msg;
} fixCurrentScreen(s);
setup(s);
public void fixCurrentScreen(WebSession s) }
{
// So the user can't get stuck on the error screen, reset the /**
// current screen to something known * <p>fixCurrentScreen.</p>
if (s != null) *
{ * @param s a {@link org.owasp.webgoat.session.WebSession} object.
try */
{ public void fixCurrentScreen(WebSession s)
s.setCurrentScreen(s.getCourse().getFirstLesson().getScreenId()); {
} catch (Throwable t) // So the user can't get stuck on the error screen, reset the
{ // current screen to something known
s.setCurrentScreen(WebSession.WELCOME); if (s != null)
} {
} try
} {
s.setCurrentScreen(s.getCourse().getFirstLesson().getScreenId());
public void setup(WebSession s) } catch (Throwable t)
{ {
// call createContent first so messages will go somewhere s.setCurrentScreen(WebSession.WELCOME);
}
Form form = new Form("attack", Form.POST).setName("form").setEncType(""); }
}
form.addElement(wrapForm(s));
/**
TD lowerright = new TD().setHeight("100%").setVAlign("top").setAlign("left").addElement(form); * <p>setup.</p>
TR row = new TR().addElement(lowerright); *
Table layout = new Table().setBgColor(HtmlColor.WHITE).setCellSpacing(0).setCellPadding(0).setBorder(0); * @param s a {@link org.owasp.webgoat.session.WebSession} object.
*/
layout.addElement(row); public void setup(WebSession s)
{
setContent(layout); // call createContent first so messages will go somewhere
}
Form form = new Form("attack", Form.POST).setName("form").setEncType("");
protected Element wrapForm(WebSession s)
{ form.addElement(wrapForm(s));
if (s == null) { return new StringElement("Invalid Session"); }
TD lowerright = new TD().setHeight("100%").setVAlign("top").setAlign("left").addElement(form);
Table container = new Table().setWidth("100%").setCellSpacing(10).setCellPadding(0).setBorder(0); TR row = new TR().addElement(lowerright);
Table layout = new Table().setBgColor(HtmlColor.WHITE).setCellSpacing(0).setCellPadding(0).setBorder(0);
// CreateContent can generate error messages so you MUST call it before makeMessages()
Element content = createContent(s); layout.addElement(row);
container.addElement(new TR().addElement(new TD().setColSpan(2).setVAlign("TOP").addElement(makeMessages(s))));
container.addElement(new TR().addElement(new TD().setColSpan(2).addElement(content))); setContent(layout);
container.addElement(new TR()); }
return (container); /**
} * <p>wrapForm.</p>
*
/** * @param s a {@link org.owasp.webgoat.session.WebSession} object.
* Description of the Method * @return a {@link org.apache.ecs.Element} object.
* */
* @param s protected Element wrapForm(WebSession s)
* Description of the Parameter {
* @return Description of the Return Value if (s == null) { return new StringElement("Invalid Session"); }
*/
protected Element createContent(WebSession s) Table container = new Table().setWidth("100%").setCellSpacing(10).setCellPadding(0).setBorder(0);
{
System.out.println("errorscreen createContent Error:" + this.error + " message:" + this.message); // CreateContent can generate error messages so you MUST call it before makeMessages()
Element content = createContent(s);
Element content; container.addElement(new TR().addElement(new TD().setColSpan(2).setVAlign("TOP").addElement(makeMessages(s))));
container.addElement(new TR().addElement(new TD().setColSpan(2).addElement(content)));
if (this.error != null) container.addElement(new TR());
{
content = createContent(this.error); return (container);
} }
else if (this.message != null)
{ /**
content = createContent(this.message); * {@inheritDoc}
} *
else * Description of the Method
{ */
content = new StringElement("An unknown error occurred."); protected Element createContent(WebSession s)
} {
System.out.println("errorscreen createContent Error:" + this.error + " message:" + this.message);
return content;
} Element content;
/** if (this.error != null)
* Description of the Method {
* content = createContent(this.error);
* @param s }
* Description of the Parameter else if (this.message != null)
* @return Description of the Return Value {
*/ content = createContent(this.message);
protected Element createContent(String s) }
{ else
StringElement list = new StringElement(s); {
content = new StringElement("An unknown error occurred.");
return (list); }
}
return content;
/** }
* Description of the Method
* /**
* @param t * Description of the Method
* Description of the Parameter *
* @return Description of the Return Value * @param s
*/ * Description of the Parameter
protected Element createContent(Throwable t) * @return Description of the Return Value
{ */
StringElement list = new StringElement(); protected Element createContent(String s)
list.addElement(new H2().addElement(new StringElement("Error Message: " + t.getMessage()))); {
list.addElement(formatStackTrace(t)); StringElement list = new StringElement(s);
if (t instanceof ServletException) return (list);
{ }
Throwable root = ((ServletException) t).getRootCause();
/**
if (root != null) * Description of the Method
{ *
list.addElement(new H2().addElement(new StringElement("Root Message: " + root.getMessage()))); * @param t
list.addElement(formatStackTrace(root)); * Description of the Parameter
} * @return Description of the Return Value
} */
protected Element createContent(Throwable t)
return (new Small().addElement(list)); {
} StringElement list = new StringElement();
list.addElement(new H2().addElement(new StringElement("Error Message: " + t.getMessage())));
/** list.addElement(formatStackTrace(t));
* Description of the Method
* if (t instanceof ServletException)
* @param t {
* Description of the Parameter Throwable root = ((ServletException) t).getRootCause();
* @return Description of the Return Value
*/ if (root != null)
public static Element formatStackTrace(Throwable t) {
{ list.addElement(new H2().addElement(new StringElement("Root Message: " + root.getMessage())));
String trace = getStackTrace(t); list.addElement(formatStackTrace(root));
StringElement list = new StringElement(); }
StringTokenizer st = new StringTokenizer(trace, "\r\n\t"); }
while (st.hasMoreTokens()) return (new Small().addElement(list));
{ }
String line = st.nextToken();
list.addElement(new Div(line)); /**
} * Description of the Method
*
return (list); * @param t
} * Description of the Parameter
* @return Description of the Return Value
/** */
* Gets the stackTrace attribute of the ErrorScreen class public static Element formatStackTrace(Throwable t)
* {
* @param t String trace = getStackTrace(t);
* Description of the Parameter StringElement list = new StringElement();
* @return The stackTrace value StringTokenizer st = new StringTokenizer(trace, "\r\n\t");
*/
public static String getStackTrace(Throwable t) while (st.hasMoreTokens())
{ {
ByteArrayOutputStream bytes = new ByteArrayOutputStream(); String line = st.nextToken();
PrintWriter writer = new PrintWriter(bytes, true); list.addElement(new Div(line));
t.printStackTrace(writer); }
return (bytes.toString()); return (list);
} }
/** /**
* Gets the title attribute of the ErrorScreen object * Gets the stackTrace attribute of the ErrorScreen class
* *
* @return The title value * @param t
*/ * Description of the Parameter
public String getTitle() * @return The stackTrace value
{ */
return ("Error"); public static String getStackTrace(Throwable t)
} {
ByteArrayOutputStream bytes = new ByteArrayOutputStream();
public String getRole() PrintWriter writer = new PrintWriter(bytes, true);
{ t.printStackTrace(writer);
return AbstractLesson.USER_ROLE;
} return (bytes.toString());
} }
/**
* Gets the title attribute of the ErrorScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Error");
}
/**
* <p>getRole.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getRole()
{
return AbstractLesson.USER_ROLE;
}
}


@ -1,63 +1,85 @@
package org.owasp.webgoat.session; package org.owasp.webgoat.session;
/*************************************************************************************************** /**
* *************************************************************************************************
* *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, *
* please see http://www.owasp.org/ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* * please see http://www.owasp.org/
* Copyright (c) 2002 - 20014 Bruce Mayhew *
* * Copyright (c) 2002 - 20014 Bruce Mayhew
* This program is free software; you can redistribute it and/or modify it under the terms of the *
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* License, or (at your option) any later version. * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* * License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without *
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* General Public License for more details. * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* * General Public License for more details.
* You should have received a copy of the GNU General Public License along with this program; if *
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * You should have received a copy of the GNU General Public License along with this program; if
* 02111-1307, USA. * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* * 02111-1307, USA.
* Getting Source ============== *
* * Getting Source ==============
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software *
* projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* * projects.
* For details, please see http://webgoat.github.io *
* * For details, please see http://webgoat.github.io
* Represents a virtual session for a lesson. Lesson-specific session data may be stored here. *
* * Represents a virtual session for a lesson. Lesson-specific session data may be stored here.
* @author David Anderson <a href="http://www.aspectsecurity.com">Aspect Security</a> *
* @created January 19, 2006 * @author David Anderson <a href="http://www.aspectsecurity.com">Aspect Security</a>
*/ * @since January 19, 2006
public class LessonSession * @version $Id: $Id
{ */
public class LessonSession
private boolean isAuthenticated = false; {
private String currentLessonScreen; private boolean isAuthenticated = false;
public void setAuthenticated(boolean isAuthenticated) private String currentLessonScreen;
{
this.isAuthenticated = isAuthenticated; /**
} * <p>setAuthenticated.</p>
*
public boolean isAuthenticated() * @param isAuthenticated a boolean.
{ */
return this.isAuthenticated; public void setAuthenticated(boolean isAuthenticated)
} {
this.isAuthenticated = isAuthenticated;
public void setCurrentLessonScreen(String currentLessonScreen) }
{
this.currentLessonScreen = currentLessonScreen; /**
} * <p>isAuthenticated.</p>
*
public String getCurrentLessonScreen() * @return a boolean.
{ */
return this.currentLessonScreen; public boolean isAuthenticated()
} {
return this.isAuthenticated;
} }
/**
* <p>Setter for the field <code>currentLessonScreen</code>.</p>
*
* @param currentLessonScreen a {@link java.lang.String} object.
*/
public void setCurrentLessonScreen(String currentLessonScreen)
{
this.currentLessonScreen = currentLessonScreen;
}
/**
* <p>Getter for the field <code>currentLessonScreen</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getCurrentLessonScreen()
{
return this.currentLessonScreen;
}
}
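Review bot: The Javadoc added to setAuthenticated and isAuthenticated (`<p>setAuthenticated.</p>`, `@param isAuthenticated a boolean.`) only restates the signature and leaves a reader no wiser about what the flag gates; the same generator output appears in the LessonTracker and Parameter sections below. A class whose whole state is "authenticated" and "current screen" deserves one sentence of intent on each accessor, for example on setAuthenticated: `/** Marks the user as authenticated within this lesson's own login flow, independent of the container login. */` — assuming that is what the flag represents, since the code that reads it is not in this diff. The class-level comment already says the session is "virtual" and lesson-specific, so the accessor docs should say which lesson behaviour each field controls rather than repeating the type.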


@ -1,404 +1,427 @@
package org.owasp.webgoat.session; package org.owasp.webgoat.session;
import java.io.FileInputStream; import java.io.FileInputStream;
import java.io.FileNotFoundException; import java.io.FileNotFoundException;
import java.io.FileOutputStream; import java.io.FileOutputStream;
import java.util.Properties; import java.util.Properties;
/*************************************************************************************************** /**
* *************************************************************************************************
* *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, *
* please see http://www.owasp.org/ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* * please see http://www.owasp.org/
* Copyright (c) 2002 - 20014 Bruce Mayhew *
* * Copyright (c) 2002 - 20014 Bruce Mayhew
* This program is free software; you can redistribute it and/or modify it under the terms of the *
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* License, or (at your option) any later version. * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* * License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without *
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* General Public License for more details. * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* * General Public License for more details.
* You should have received a copy of the GNU General Public License along with this program; if *
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * You should have received a copy of the GNU General Public License along with this program; if
* 02111-1307, USA. * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* * 02111-1307, USA.
* Getting Source ============== *
* * Getting Source ==============
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software *
* projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* * projects.
* For details, please see http://webgoat.github.io *
* * For details, please see http://webgoat.github.io
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a> *
* @created October 29, 2003 * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
*/ * @since October 29, 2003
public class LessonTracker * @version $Id: $Id
{ */
public class LessonTracker
private boolean completed = false; {
private int maxHintLevel = 0; private boolean completed = false;
private int numVisits = 0; private int maxHintLevel = 0;
private boolean viewedCookies = false; private int numVisits = 0;
private boolean viewedHtml = false; private boolean viewedCookies = false;
private boolean viewedLessonPlan = false; private boolean viewedHtml = false;
private boolean viewedParameters = false; private boolean viewedLessonPlan = false;
private boolean viewedSource = false; private boolean viewedParameters = false;
private boolean viewedSolution = false; private boolean viewedSource = false;
Properties lessonProperties = new Properties(); private boolean viewedSolution = false;
/** Properties lessonProperties = new Properties();
* Gets the completed attribute of the LessonTracker object
* /**
* @return The completed value * Gets the completed attribute of the LessonTracker object
*/ *
public boolean getCompleted() * @return The completed value
{ */
return completed; public boolean getCompleted()
} {
return completed;
/** }
* Gets the maxHintLevel attribute of the LessonTracker object
* /**
* @return The maxHintLevel value * Gets the maxHintLevel attribute of the LessonTracker object
*/ *
public int getMaxHintLevel() * @return The maxHintLevel value
{ */
return maxHintLevel; public int getMaxHintLevel()
} {
return maxHintLevel;
/** }
* Gets the numVisits attribute of the LessonTracker object
* /**
* @return The numVisits value * Gets the numVisits attribute of the LessonTracker object
*/ *
public int getNumVisits() * @return The numVisits value
{ */
return numVisits; public int getNumVisits()
} {
return numVisits;
/** }
* Gets the viewedCookies attribute of the LessonTracker object
* /**
* @return The viewedCookies value * Gets the viewedCookies attribute of the LessonTracker object
*/ *
public boolean getViewedCookies() * @return The viewedCookies value
{ */
return viewedCookies; public boolean getViewedCookies()
} {
return viewedCookies;
/** }
* Gets the viewedHtml attribute of the LessonTracker object
* /**
* @return The viewedHtml value * Gets the viewedHtml attribute of the LessonTracker object
*/ *
public boolean getViewedHtml() * @return The viewedHtml value
{ */
return viewedHtml; public boolean getViewedHtml()
} {
return viewedHtml;
/** }
* Gets the viewedLessonPlan attribute of the LessonTracker object
* /**
* @return The viewedLessonPlan value * Gets the viewedLessonPlan attribute of the LessonTracker object
*/ *
public boolean getViewedLessonPlan() * @return The viewedLessonPlan value
{ */
return viewedLessonPlan; public boolean getViewedLessonPlan()
} {
return viewedLessonPlan;
/** }
* Gets the viewedParameters attribute of the LessonTracker object
* /**
* @return The viewedParameters value * Gets the viewedParameters attribute of the LessonTracker object
*/ *
public boolean getViewedParameters() * @return The viewedParameters value
{ */
return viewedParameters; public boolean getViewedParameters()
} {
return viewedParameters;
/** }
* Gets the viewedSource attribute of the LessonTracker object
* /**
* @return The viewedSource value * Gets the viewedSource attribute of the LessonTracker object
*/ *
public boolean getViewedSource() * @return The viewedSource value
{ */
return viewedSource; public boolean getViewedSource()
} {
return viewedSource;
public boolean getViewedSolution() }
{
return viewedSource; /**
} * <p>Getter for the field <code>viewedSolution</code>.</p>
*
/** * @return a boolean.
* Description of the Method */
*/ public boolean getViewedSolution()
public void incrementNumVisits() {
{ return viewedSource;
numVisits++; }
}
/**
/** * Description of the Method
* Sets the properties attribute of the LessonTracker object */
* public void incrementNumVisits()
* @param props {
* The new properties value numVisits++;
*/ }
protected void setProperties(Properties props, Screen screen)
{ /**
completed = Boolean.valueOf(props.getProperty(screen.getTitle() + ".completed")).booleanValue(); * Sets the properties attribute of the LessonTracker object
maxHintLevel = Integer.parseInt(props.getProperty(screen.getTitle() + ".maxHintLevel", "0")); *
numVisits = Integer.parseInt(props.getProperty(screen.getTitle() + ".numVisits", "0")); * @param props
viewedCookies = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedCookies", "false")).booleanValue(); * The new properties value
viewedHtml = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedHtml", "false")).booleanValue(); * @param screen a {@link org.owasp.webgoat.session.Screen} object.
viewedLessonPlan = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedLessonPlan", "false")).booleanValue(); */
viewedParameters = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedParameters", "false")).booleanValue(); protected void setProperties(Properties props, Screen screen)
viewedSource = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedSource", "false")).booleanValue(); {
} completed = Boolean.valueOf(props.getProperty(screen.getTitle() + ".completed")).booleanValue();
maxHintLevel = Integer.parseInt(props.getProperty(screen.getTitle() + ".maxHintLevel", "0"));
public static String getUserDir(WebSession s) numVisits = Integer.parseInt(props.getProperty(screen.getTitle() + ".numVisits", "0"));
{ viewedCookies = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedCookies", "false")).booleanValue();
return s.getContext().getRealPath("users") + "/"; viewedHtml = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedHtml", "false")).booleanValue();
} viewedLessonPlan = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedLessonPlan", "false")).booleanValue();
viewedParameters = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedParameters", "false")).booleanValue();
private static String getTrackerFile(WebSession s, String user, Screen screen) viewedSource = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedSource", "false")).booleanValue();
{ }
return getUserDir(s) + user + "." + screen.getClass().getName() + ".props";
} /**
* <p>getUserDir.</p>
/** *
* Description of the Method * @param s a {@link org.owasp.webgoat.session.WebSession} object.
* * @return a {@link java.lang.String} object.
* @param screen */
* Description of the Parameter public static String getUserDir(WebSession s)
* @param s {
* Description of the Parameter return s.getContext().getRealPath("users") + "/";
* @return Description of the Return Value }
*/
public static LessonTracker load(WebSession s, String user, Screen screen) private static String getTrackerFile(WebSession s, String user, Screen screen)
{ {
FileInputStream in = null; return getUserDir(s) + user + "." + screen.getClass().getName() + ".props";
try }
{
String fileName = getTrackerFile(s, user, screen); /**
if (fileName != null) * Description of the Method
{ *
Properties tempProps = new Properties(); * @param screen
// System.out.println("Loading lesson state from: " + fileName); * Description of the Parameter
in = new FileInputStream(fileName); * @param screen
tempProps.load(in); * Description of the Parameter
// allow the screen to use any custom properties it may have set * @param s
LessonTracker tempLessonTracker = screen.createLessonTracker(tempProps); * Description of the Parameter
tempLessonTracker.setProperties(tempProps, screen); * @return Description of the Return Value
return tempLessonTracker; * @param user a {@link java.lang.String} object.
} */
} catch (FileNotFoundException e) public static LessonTracker load(WebSession s, String user, Screen screen)
{ {
// Normal if the lesson has not been accessed yet. FileInputStream in = null;
} catch (Exception e) try
{ {
System.out.println("Failed to load lesson state for " + screen); String fileName = getTrackerFile(s, user, screen);
e.printStackTrace(); if (fileName != null)
} finally {
{ Properties tempProps = new Properties();
try // System.out.println("Loading lesson state from: " + fileName);
{ in = new FileInputStream(fileName);
in.close(); tempProps.load(in);
} catch (Exception e) // allow the screen to use any custom properties it may have set
{ LessonTracker tempLessonTracker = screen.createLessonTracker(tempProps);
} tempLessonTracker.setProperties(tempProps, screen);
} return tempLessonTracker;
}
return screen.createLessonTracker(); } catch (FileNotFoundException e)
} {
// Normal if the lesson has not been accessed yet.
/** } catch (Exception e)
* Sets the completed attribute of the LessonTracker object {
* System.out.println("Failed to load lesson state for " + screen);
* @param completed e.printStackTrace();
* The new completed value } finally
*/ {
public void setCompleted(boolean completed) try
{ {
this.completed = completed; in.close();
} } catch (Exception e)
{
/** }
* Sets the maxHintLevel attribute of the LessonTracker object }
*
* @param maxHintLevel return screen.createLessonTracker();
* The new maxHintLevel value }
*/
public void setMaxHintLevel(int maxHintLevel) /**
{ * Sets the completed attribute of the LessonTracker object
this.maxHintLevel = Math.max(this.maxHintLevel, maxHintLevel); *
} * @param completed
* The new completed value
/** */
* Sets the viewedCookies attribute of the LessonTracker object public void setCompleted(boolean completed)
* {
* @param viewedCookies this.completed = completed;
* The new viewedCookies value }
*/
public void setViewedCookies(boolean viewedCookies) /**
{ * Sets the maxHintLevel attribute of the LessonTracker object
this.viewedCookies = viewedCookies; *
} * @param maxHintLevel
* The new maxHintLevel value
/** */
* Sets the viewedHtml attribute of the LessonTracker object public void setMaxHintLevel(int maxHintLevel)
* {
* @param viewedHtml this.maxHintLevel = Math.max(this.maxHintLevel, maxHintLevel);
* The new viewedHtml value }
*/
public void setViewedHtml(boolean viewedHtml) /**
{ * Sets the viewedCookies attribute of the LessonTracker object
this.viewedHtml = viewedHtml; *
} * @param viewedCookies
* The new viewedCookies value
/** */
* Sets the viewedLessonPlan attribute of the LessonTracker object public void setViewedCookies(boolean viewedCookies)
* {
* @param viewedLessonPlan this.viewedCookies = viewedCookies;
* The new viewedLessonPlan value }
*/
public void setViewedLessonPlan(boolean viewedLessonPlan) /**
{ * Sets the viewedHtml attribute of the LessonTracker object
this.viewedLessonPlan = viewedLessonPlan; *
} * @param viewedHtml
* The new viewedHtml value
/** */
* Sets the viewedParameters attribute of the LessonTracker object public void setViewedHtml(boolean viewedHtml)
* {
* @param viewedParameters this.viewedHtml = viewedHtml;
* The new viewedParameters value }
*/
public void setViewedParameters(boolean viewedParameters) /**
{ * Sets the viewedLessonPlan attribute of the LessonTracker object
this.viewedParameters = viewedParameters; *
} * @param viewedLessonPlan
* The new viewedLessonPlan value
/** */
* Sets the viewedSource attribute of the LessonTracker object public void setViewedLessonPlan(boolean viewedLessonPlan)
* {
* @param viewedSource this.viewedLessonPlan = viewedLessonPlan;
* The new viewedSource value }
*/
public void setViewedSource(boolean viewedSource) /**
{ * Sets the viewedParameters attribute of the LessonTracker object
this.viewedSource = viewedSource; *
} * @param viewedParameters
* The new viewedParameters value
/** */
* Sets the viewedSource attribute of the LessonTracker object public void setViewedParameters(boolean viewedParameters)
* {
* @param viewedSource this.viewedParameters = viewedParameters;
* The new viewedSource value }
*/
public void setViewedSolution(boolean viewedSolution) /**
{ * Sets the viewedSource attribute of the LessonTracker object
this.viewedSolution = viewedSolution; *
} * @param viewedSource
* The new viewedSource value
/** */
* Allows the storing of properties for the logged in and a screen. public void setViewedSource(boolean viewedSource)
* {
* @param s this.viewedSource = viewedSource;
* Description of the Parameter }
*/
public void store(WebSession s, Screen screen) /**
{ * Sets the viewedSource attribute of the LessonTracker object
store(s, screen, s.getUserName()); *
} * @param viewedSolution a boolean.
*/
/** public void setViewedSolution(boolean viewedSolution)
* Allows the storing of properties for a user and a screen. {
* this.viewedSolution = viewedSolution;
* @param s }
* Description of the Parameter
*/ /**
public void store(WebSession s, Screen screen, String user) * Allows the storing of properties for the logged in and a screen.
{ *
FileOutputStream out = null; * @param s
String fileName = getTrackerFile(s, user, screen); * Description of the Parameter
// System.out.println( "Storing data to" + fileName ); * @param screen a {@link org.owasp.webgoat.session.Screen} object.
lessonProperties.setProperty(screen.getTitle() + ".completed", Boolean.toString(completed)); */
lessonProperties.setProperty(screen.getTitle() + ".maxHintLevel", Integer.toString(maxHintLevel)); public void store(WebSession s, Screen screen)
lessonProperties.setProperty(screen.getTitle() + ".numVisits", Integer.toString(numVisits)); {
lessonProperties.setProperty(screen.getTitle() + ".viewedCookies", Boolean.toString(viewedCookies)); store(s, screen, s.getUserName());
lessonProperties.setProperty(screen.getTitle() + ".viewedHtml", Boolean.toString(viewedHtml)); }
lessonProperties.setProperty(screen.getTitle() + ".viewedLessonPlan", Boolean.toString(viewedLessonPlan));
lessonProperties.setProperty(screen.getTitle() + ".viewedParameters", Boolean.toString(viewedParameters)); /**
lessonProperties.setProperty(screen.getTitle() + ".viewedSource", Boolean.toString(viewedSource)); * Allows the storing of properties for a user and a screen.
try *
{ * @param s
out = new FileOutputStream(fileName); * Description of the Parameter
lessonProperties.store(out, s.getUserName()); * @param screen a {@link org.owasp.webgoat.session.Screen} object.
} catch (Exception e) * @param user a {@link java.lang.String} object.
{ */
// what do we want to do, I think nothing. public void store(WebSession s, Screen screen, String user)
System.out.println("Warning User data for " + s.getUserName() + " will not persist"); {
} finally FileOutputStream out = null;
{ String fileName = getTrackerFile(s, user, screen);
try // System.out.println( "Storing data to" + fileName );
{ lessonProperties.setProperty(screen.getTitle() + ".completed", Boolean.toString(completed));
out.close(); lessonProperties.setProperty(screen.getTitle() + ".maxHintLevel", Integer.toString(maxHintLevel));
} catch (Exception e) lessonProperties.setProperty(screen.getTitle() + ".numVisits", Integer.toString(numVisits));
{ lessonProperties.setProperty(screen.getTitle() + ".viewedCookies", Boolean.toString(viewedCookies));
} lessonProperties.setProperty(screen.getTitle() + ".viewedHtml", Boolean.toString(viewedHtml));
} lessonProperties.setProperty(screen.getTitle() + ".viewedLessonPlan", Boolean.toString(viewedLessonPlan));
lessonProperties.setProperty(screen.getTitle() + ".viewedParameters", Boolean.toString(viewedParameters));
} lessonProperties.setProperty(screen.getTitle() + ".viewedSource", Boolean.toString(viewedSource));
try
/** {
* Description of the Method out = new FileOutputStream(fileName);
* lessonProperties.store(out, s.getUserName());
* @return Description of the Return Value } catch (Exception e)
*/ {
public String toString() // what do we want to do, I think nothing.
{ System.out.println("Warning User data for " + s.getUserName() + " will not persist");
StringBuffer buff = new StringBuffer(); } finally
buff.append("LessonTracker:" + "\n"); {
buff.append(" - completed:.......... " + completed + "\n"); try
buff.append(" - maxHintLevel:....... " + maxHintLevel + "\n"); {
buff.append(" - numVisits:.......... " + numVisits + "\n"); out.close();
buff.append(" - viewedCookies:...... " + viewedCookies + "\n"); } catch (Exception e)
buff.append(" - viewedHtml:......... " + viewedHtml + "\n"); {
buff.append(" - viewedLessonPlan:... " + viewedLessonPlan + "\n"); }
buff.append(" - viewedParameters:... " + viewedParameters + "\n"); }
buff.append(" - viewedSource:....... " + viewedSource + "\n" + "\n");
return buff.toString(); }
}
/**
/** * Description of the Method
* @return Returns the lessonProperties. *
*/ * @return Description of the Return Value
public Properties getLessonProperties() */
{ public String toString()
return lessonProperties; {
} StringBuffer buff = new StringBuffer();
buff.append("LessonTracker:" + "\n");
/** buff.append(" - completed:.......... " + completed + "\n");
* @param lessonProperties buff.append(" - maxHintLevel:....... " + maxHintLevel + "\n");
* The lessonProperties to set. buff.append(" - numVisits:.......... " + numVisits + "\n");
*/ buff.append(" - viewedCookies:...... " + viewedCookies + "\n");
public void setLessonProperties(Properties lessonProperties) buff.append(" - viewedHtml:......... " + viewedHtml + "\n");
{ buff.append(" - viewedLessonPlan:... " + viewedLessonPlan + "\n");
this.lessonProperties = lessonProperties; buff.append(" - viewedParameters:... " + viewedParameters + "\n");
} buff.append(" - viewedSource:....... " + viewedSource + "\n" + "\n");
} return buff.toString();
}
/**
* <p>Getter for the field <code>lessonProperties</code>.</p>
*
* @return Returns the lessonProperties.
*/
public Properties getLessonProperties()
{
return lessonProperties;
}
/**
* <p>Setter for the field <code>lessonProperties</code>.</p>
*
* @param lessonProperties
* The lessonProperties to set.
*/
public void setLessonProperties(Properties lessonProperties)
{
this.lessonProperties = lessonProperties;
}
}
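Review bot: getViewedSolution() still returns `viewedSource` instead of `viewedSolution`, and the Javadoc this commit adds above it ("Getter for the field viewedSolution") now documents behaviour the method does not have; the fix is `return viewedSolution;`. Relatedly, setProperties() and store() never read or write a `.viewedSolution` key, so whatever setViewedSolution records is lost between requests — if that is intentional it should be stated on the setter, otherwise both methods need the extra property line. The load() Javadoc lists `@param screen` twice and places `@param user` after `@return`; its finally block also calls `in.close()` on a null `in` whenever the file is missing and relies on the empty catch to hide the resulting NullPointerException, which a null check or try-with-resources would avoid. Finally, getTrackerFile() builds a filesystem path by concatenating `user` with no validation; if that value can ever originate from a request rather than the container's authenticated principal, it should be rejected or normalized and checked to remain under the users directory before the file is opened or written.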


@ -1,81 +1,112 @@
package org.owasp.webgoat.session; package org.owasp.webgoat.session;
/*************************************************************************************************** /**
* *************************************************************************************************
* *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, *
* please see http://www.owasp.org/ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* * please see http://www.owasp.org/
* Copyright (c) 2002 - 20014 Bruce Mayhew *
* * Copyright (c) 2002 - 20014 Bruce Mayhew
* This program is free software; you can redistribute it and/or modify it under the terms of the *
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* License, or (at your option) any later version. * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* * License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without *
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* General Public License for more details. * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* * General Public License for more details.
* You should have received a copy of the GNU General Public License along with this program; if *
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * You should have received a copy of the GNU General Public License along with this program; if
* 02111-1307, USA. * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* * 02111-1307, USA.
* Getting Source ============== *
* * Getting Source ==============
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software *
* projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* * projects.
* For details, please see http://webgoat.github.io *
*/ * For details, please see http://webgoat.github.io
public class Parameter implements Comparable *
{ * @version $Id: $Id
*/
String name; public class Parameter implements Comparable
{
String value;
String name;
public Parameter(String name, String value)
{ String value;
this.name = name;
this.value = value; /**
} * <p>Constructor for Parameter.</p>
*
public String getName() * @param name a {@link java.lang.String} object.
{ * @param value a {@link java.lang.String} object.
return name; */
} public Parameter(String name, String value)
{
public String getValue() this.name = name;
{ this.value = value;
return value; }
}
/**
// @Override * <p>Getter for the field <code>name</code>.</p>
public boolean equals(Object obj) *
{ * @return a {@link java.lang.String} object.
if (obj instanceof Parameter) */
{ public String getName()
Parameter other = (Parameter) obj; {
return (name.equals(other.getName()) && value.equals(other.getValue())); return name;
} }
return false;
} /**
* <p>Getter for the field <code>value</code>.</p>
// @Override *
public int hashCode() * @return a {@link java.lang.String} object.
{ */
return toString().hashCode(); public String getValue()
} {
return value;
// @Override }
public String toString()
{ // @Override
return (name + "=" + value); /** {@inheritDoc} */
} public boolean equals(Object obj)
{
public int compareTo(Object o) if (obj instanceof Parameter)
{ {
return toString().compareTo(o.toString()); Parameter other = (Parameter) obj;
} return (name.equals(other.getName()) && value.equals(other.getValue()));
} }
return false;
}
// @Override
/**
* <p>hashCode.</p>
*
* @return a int.
*/
public int hashCode()
{
return toString().hashCode();
}
// @Override
/**
* <p>toString.</p>
*
* @return a {@link java.lang.String} object.
*/
public String toString()
{
return (name + "=" + value);
}
/** {@inheritDoc} */
public int compareTo(Object o)
{
return toString().compareTo(o.toString());
}
}


@ -1,59 +1,61 @@
package org.owasp.webgoat.session; package org.owasp.webgoat.session;
/*************************************************************************************************** /**
* *************************************************************************************************
* *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, *
* please see http://www.owasp.org/ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* * please see http://www.owasp.org/
* Copyright (c) 2002 - 20014 Bruce Mayhew *
* * Copyright (c) 2002 - 20014 Bruce Mayhew
* This program is free software; you can redistribute it and/or modify it under the terms of the *
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* License, or (at your option) any later version. * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* * License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without *
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* General Public License for more details. * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* * General Public License for more details.
* You should have received a copy of the GNU General Public License along with this program; if *
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * You should have received a copy of the GNU General Public License along with this program; if
* 02111-1307, USA. * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* * 02111-1307, USA.
* Getting Source ============== *
* * Getting Source ==============
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software *
* projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* * projects.
* For details, please see http://webgoat.github.io *
* * For details, please see http://webgoat.github.io
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a> *
*/ * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
public class ParameterNotFoundException extends Exception * @version $Id: $Id
{ */
public class ParameterNotFoundException extends Exception
/** {
*
*/ /**
private static final long serialVersionUID = 3286112913299408382L; *
*/
/** private static final long serialVersionUID = 3286112913299408382L;
* Constructs a new ParameterNotFoundException with no detail message.
*/ /**
public ParameterNotFoundException() * Constructs a new ParameterNotFoundException with no detail message.
{ */
super(); public ParameterNotFoundException()
} {
super();
/** }
* Constructs a new ParameterNotFoundException with the specified detail message.
* /**
* @param s * Constructs a new ParameterNotFoundException with the specified detail message.
* the detail message *
*/ * @param s
public ParameterNotFoundException(String s) * the detail message
{ */
super(s); public ParameterNotFoundException(String s)
} {
} super(s);
}
}
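Review bot: The Javadoc block above `serialVersionUID` is still an empty `/** */` on the new side, so the generated docs carry a blank description for that field; the same empty block survives in UnauthenticatedException and UnauthorizedException further down. Either drop it or give it a one-liner such as `/** Serialization version; change it when the serialized form of this class changes. */`. The header comment's `Copyright (c) 2002 - 20014` year is also carried over unchanged and reads like a typo for 2014.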


@ -1,117 +1,164 @@
package org.owasp.webgoat.session; package org.owasp.webgoat.session;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map; import java.util.Map;
import java.util.Properties; import java.util.Properties;
public class RandomLessonTracker extends LessonTracker /**
{ * <p>RandomLessonTracker class.</p>
*
private String[] stages; * @version $Id: $Id
*/
private String stage; public class RandomLessonTracker extends LessonTracker
{
private Map<String, Boolean> completed = new HashMap<String, Boolean>();
private String[] stages;
public RandomLessonTracker(String[] stages)
{ private String stage;
if (stages == null) stages = new String[0];
this.stages = stages; private Map<String, Boolean> completed = new HashMap<String, Boolean>();
}
/**
public void setStage(String stage) * <p>Constructor for RandomLessonTracker.</p>
{ *
this.stage = stage; * @param stages an array of {@link java.lang.String} objects.
} */
public RandomLessonTracker(String[] stages)
public String getStage() {
{ if (stages == null) stages = new String[0];
if (this.stage == null && stages.length > 0) return stages[0]; this.stages = stages;
return this.stage; }
}
/**
public void setStageComplete(String stage, boolean complete) * <p>Setter for the field <code>stage</code>.</p>
{ *
completed.put(stage, Boolean.valueOf(complete)); * @param stage a {@link java.lang.String} object.
if (!complete) return; */
int i = getStageNumber(stage); public void setStage(String stage)
if (i < stages.length - 1) setStage(stages[i + 1]); {
} this.stage = stage;
}
public int getStageNumber(String stage)
{ /**
for (int i = 0; i < stages.length; i++) * <p>Getter for the field <code>stage</code>.</p>
if (stages[i].equals(stage)) return i; *
return -1; * @return a {@link java.lang.String} object.
} */
public String getStage()
public boolean hasCompleted(String stage) {
{ if (this.stage == null && stages.length > 0) return stages[0];
Boolean complete = completed.get(stage); return this.stage;
return complete == null ? false : complete.booleanValue(); }
}
/**
@Override * <p>setStageComplete.</p>
public boolean getCompleted() *
{ * @param stage a {@link java.lang.String} object.
for (int i = 0; i < stages.length; i++) * @param complete a boolean.
if (!hasCompleted(stages[i])) return false; */
return true; public void setStageComplete(String stage, boolean complete)
} {
completed.put(stage, Boolean.valueOf(complete));
@Override if (!complete) return;
public void setCompleted(boolean complete) int i = getStageNumber(stage);
{ if (i < stages.length - 1) setStage(stages[i + 1]);
if (complete == true) throw new UnsupportedOperationException("Use individual stage completion instead"); }
for (int i = 0; i < stages.length; i++)
setStageComplete(stages[i], false); /**
setStage(stages[0]); * <p>getStageNumber.</p>
} *
* @param stage a {@link java.lang.String} object.
protected void setProperties(Properties props, Screen screen) * @return a int.
{ */
super.setProperties(props, screen); public int getStageNumber(String stage)
for (int i = 0; i < stages.length; i++) {
{ for (int i = 0; i < stages.length; i++)
String p = props.getProperty(screen.getTitle() + "." + stages[i] + ".completed"); if (stages[i].equals(stage)) return i;
if (p != null) return -1;
{ }
setStageComplete(stages[i], Boolean.valueOf(p));
} /**
} * <p>hasCompleted.</p>
setStage(props.getProperty(screen.getTitle() + ".stage")); *
} * @param stage a {@link java.lang.String} object.
* @return a boolean.
public void store(WebSession s, Screen screen, String user) */
{ public boolean hasCompleted(String stage)
for (int i = 0; i < stages.length; i++) {
{ Boolean complete = completed.get(stage);
if (hasCompleted(stages[i])) return complete == null ? false : complete.booleanValue();
{ }
lessonProperties.setProperty(screen.getTitle() + "." + stages[i] + ".completed", Boolean.TRUE
.toString()); /** {@inheritDoc} */
} @Override
else public boolean getCompleted()
{ {
lessonProperties.remove(screen.getTitle() + "." + stages[i] + ".completed"); for (int i = 0; i < stages.length; i++)
} if (!hasCompleted(stages[i])) return false;
} return true;
lessonProperties.setProperty(screen.getTitle() + ".stage", getStage()); }
super.store(s, screen, user);
} /** {@inheritDoc} */
@Override
public String toString() public void setCompleted(boolean complete)
{ {
StringBuffer buff = new StringBuffer(); if (complete == true) throw new UnsupportedOperationException("Use individual stage completion instead");
buff.append(super.toString()); for (int i = 0; i < stages.length; i++)
for (int i = 0; i < stages.length; i++) setStageComplete(stages[i], false);
{ setStage(stages[0]);
buff.append(" - completed " + stages[i] + " :....... " + hasCompleted(stages[i]) + "\n"); }
}
buff.append(" - currentStage:....... " + getStage() + "\n"); /** {@inheritDoc} */
return buff.toString(); protected void setProperties(Properties props, Screen screen)
} {
super.setProperties(props, screen);
} for (int i = 0; i < stages.length; i++)
{
String p = props.getProperty(screen.getTitle() + "." + stages[i] + ".completed");
if (p != null)
{
setStageComplete(stages[i], Boolean.valueOf(p));
}
}
setStage(props.getProperty(screen.getTitle() + ".stage"));
}
/** {@inheritDoc} */
public void store(WebSession s, Screen screen, String user)
{
for (int i = 0; i < stages.length; i++)
{
if (hasCompleted(stages[i]))
{
lessonProperties.setProperty(screen.getTitle() + "." + stages[i] + ".completed", Boolean.TRUE
.toString());
}
else
{
lessonProperties.remove(screen.getTitle() + "." + stages[i] + ".completed");
}
}
lessonProperties.setProperty(screen.getTitle() + ".stage", getStage());
super.store(s, screen, user);
}
/**
* <p>toString.</p>
*
* @return a {@link java.lang.String} object.
*/
public String toString()
{
StringBuffer buff = new StringBuffer();
buff.append(super.toString());
for (int i = 0; i < stages.length; i++)
{
buff.append(" - completed " + stages[i] + " :....... " + hasCompleted(stages[i]) + "\n");
}
buff.append(" - currentStage:....... " + getStage() + "\n");
return buff.toString();
}
}
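Review bot: `setStageComplete` still advances to `stages[0]` when handed a stage name that is not in `stages`, because `getStageNumber` returns -1 and `-1 < stages.length - 1` holds, so completing an unknown stage silently resets progress to the first stage. A guard such as `if (i < 0) return;` after `int i = getStageNumber(stage);` closes that path; note that `setProperties` restores `stage` straight from the persisted `.stage` property without checking it against `stages`, so `getStage()` can hand back a name the tracker does not know. `setCompleted(false)` also indexes `stages[0]` without checking for an empty array, which the constructor explicitly allows. The new Javadoc on these methods only restates parameter types (`a {@link java.lang.String} object.`) and would be more useful stating the contract, e.g. `@return the index of {@code stage} in the stage list, or -1 when it is unknown` on `getStageNumber`.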


@ -1,13 +1,28 @@
package org.owasp.webgoat.session; package org.owasp.webgoat.session;
/**
* <p>Role class.</p>
*
* @version $Id: $Id
*/
public class Role { public class Role {
private String rolename; private String rolename;
/**
* <p>Constructor for Role.</p>
*
* @param rolename a {@link java.lang.String} object.
*/
public Role(String rolename) { public Role(String rolename) {
this.rolename = rolename; this.rolename = rolename;
} }
/**
* <p>Getter for the field <code>rolename</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getRolename() { public String getRolename() {
return this.rolename; return this.rolename;
} }
} }


@ -42,7 +42,8 @@ import org.owasp.webgoat.lessons.AbstractLesson;
* *
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect
* Security</a> * Security</a>
* @created October 28, 2003 * @since October 28, 2003
* @version $Id: $Id
*/ */
public abstract class Screen { public abstract class Screen {
@ -69,6 +70,11 @@ public abstract class Screen {
// will be stored in the internal database. The user will be able to hack // will be stored in the internal database. The user will be able to hack
// into the database and change their role. This will allow the user to // into the database and change their role. This will allow the user to
// see the admin screens, once they figure out how to turn the admin switch on. // see the admin screens, once they figure out how to turn the admin switch on.
/**
* <p>getRole.</p>
*
* @return a {@link java.lang.String} object.
*/
public abstract String getRole(); public abstract String getRole();
/** /**
@ -106,19 +112,33 @@ public abstract class Screen {
/** /**
* Gets the lessonTracker attribute of the AbstractLesson object * Gets the lessonTracker attribute of the AbstractLesson object
* *
* @param userName Description of the Parameter
* @return The lessonTracker value * @return The lessonTracker value
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
*/ */
public LessonTracker getLessonTracker(WebSession s) { public LessonTracker getLessonTracker(WebSession s) {
UserTracker userTracker = UserTracker.instance(); UserTracker userTracker = UserTracker.instance();
return userTracker.getLessonTracker(s, this); return userTracker.getLessonTracker(s, this);
} }
/**
* <p>getLessonTracker.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param userNameOverride a {@link java.lang.String} object.
* @return a {@link org.owasp.webgoat.session.LessonTracker} object.
*/
public LessonTracker getLessonTracker(WebSession s, String userNameOverride) { public LessonTracker getLessonTracker(WebSession s, String userNameOverride) {
UserTracker userTracker = UserTracker.instance(); UserTracker userTracker = UserTracker.instance();
return userTracker.getLessonTracker(s, userNameOverride, this); return userTracker.getLessonTracker(s, userNameOverride, this);
} }
/**
* <p>getLessonTracker.</p>
*
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
* @param lesson a {@link org.owasp.webgoat.lessons.AbstractLesson} object.
* @return a {@link org.owasp.webgoat.session.LessonTracker} object.
*/
public LessonTracker getLessonTracker(WebSession s, AbstractLesson lesson) { public LessonTracker getLessonTracker(WebSession s, AbstractLesson lesson) {
UserTracker userTracker = UserTracker.instance(); UserTracker userTracker = UserTracker.instance();
return userTracker.getLessonTracker(s, lesson); return userTracker.getLessonTracker(s, lesson);
@ -131,6 +151,11 @@ public abstract class Screen {
*/ */
public abstract String getTitle(); public abstract String getTitle();
/**
* <p>Setter for the field <code>content</code>.</p>
*
* @param content a {@link org.apache.ecs.Element} object.
*/
protected void setContent(Element content) { protected void setContent(Element content) {
this.content = content; this.content = content;
} }
@ -145,10 +170,20 @@ public abstract class Screen {
return new A("http://www.aspectsecurity.com/webgoat.html", logo); return new A("http://www.aspectsecurity.com/webgoat.html", logo);
} }
/**
* <p>getSponsor.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getSponsor() { public String getSponsor() {
return "Aspect Security"; return "Aspect Security";
} }
/**
* <p>getSponsorLogoResource.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getSponsorLogoResource() { public String getSponsorLogoResource() {
return "images/aspectlogo-horizontal-small.jpg"; return "images/aspectlogo-horizontal-small.jpg";
} }
@ -178,6 +213,7 @@ public abstract class Screen {
/** /**
* Returns the content length of the the html. * Returns the content length of the the html.
* *
* @return a int.
*/ */
public int getContentLength() { public int getContentLength() {
return getContent().length(); return getContent().length();
@ -197,6 +233,11 @@ public abstract class Screen {
} }
// hook all the links // hook all the links
/**
* <p>Getter for the field <code>content</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getContent() { public String getContent() {
//String makeAllAjax = "<script>goat.utils.makeFormsAjax();goat.utils.ajaxifyAttackHref();</script>"; //String makeAllAjax = "<script>goat.utils.makeFormsAjax();goat.utils.ajaxifyAttackHref();</script>";
// need to do this here as some of the lessons render forms after submission of an ajax form // need to do this here as some of the lessons render forms after submission of an ajax form
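Review bot: The generated Javadoc added for `getRole()` sits below the existing `//` comment that explains the security-relevant intent (the role is stored in the internal database and is meant to be tampered with by the user), so the rendered docs will show only `<p>getRole.</p>` and drop that explanation; fold the comment into the Javadoc instead. In the single-argument `getLessonTracker` the tags are now ordered `@return` before `@param s`, and the `<p>getLessonTracker.</p>` summaries on the two overloads say nothing about how they differ — `userNameOverride` in particular deserves a sentence on when it is used rather than `a {@link java.lang.String} object.`. `getContent` starts in the last hunk and its body continues outside it.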


@ -1,38 +1,60 @@
package org.owasp.webgoat.session; package org.owasp.webgoat.session;
import java.util.Properties; import java.util.Properties;
public class SequentialLessonTracker extends LessonTracker /**
{ * <p>SequentialLessonTracker class.</p>
*
private int currentStage = 1; * @version $Id: $Id
*/
public int getStage() public class SequentialLessonTracker extends LessonTracker
{ {
return currentStage;
} private int currentStage = 1;
public void setStage(int stage) /**
{ * <p>getStage.</p>
currentStage = stage; *
} * @return a int.
*/
protected void setProperties(Properties props, Screen screen) public int getStage()
{ {
super.setProperties(props, screen); return currentStage;
currentStage = Integer.parseInt(props.getProperty(screen.getTitle() + ".currentStage")); }
}
/**
public void store(WebSession s, Screen screen, String user) * <p>setStage.</p>
{ *
lessonProperties.setProperty(screen.getTitle() + ".currentStage", Integer.toString(currentStage)); * @param stage a int.
super.store(s, screen, user); */
} public void setStage(int stage)
{
public String toString() currentStage = stage;
{ }
return super.toString() + " - currentStage:....... " + currentStage + "\n";
} /** {@inheritDoc} */
} protected void setProperties(Properties props, Screen screen)
{
super.setProperties(props, screen);
currentStage = Integer.parseInt(props.getProperty(screen.getTitle() + ".currentStage"));
}
/** {@inheritDoc} */
public void store(WebSession s, Screen screen, String user)
{
lessonProperties.setProperty(screen.getTitle() + ".currentStage", Integer.toString(currentStage));
super.store(s, screen, user);
}
/**
* <p>toString.</p>
*
* @return a {@link java.lang.String} object.
*/
public String toString()
{
return super.toString() + " - currentStage:....... " + currentStage + "\n";
}
}
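Review bot: `setProperties` still calls `Integer.parseInt` directly on `props.getProperty(screen.getTitle() + ".currentStage")`, so a missing key throws `NumberFormatException` (parseInt of null) and a non-numeric persisted value does the same; the value comes from stored per-user properties and should be treated as input that may be absent or malformed. `String raw = props.getProperty(screen.getTitle() + ".currentStage"); if (raw != null) currentStage = Integer.parseInt(raw);` handles the absent case, and catching `NumberFormatException` while keeping the default of 1 would cover the malformed one. The `/** {@inheritDoc} */` on `setProperties` and `store` also lacks `@Override`, which is what would make a signature drift from `LessonTracker` visible at compile time.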


@ -1,39 +1,42 @@
package org.owasp.webgoat.session; package org.owasp.webgoat.session;
/*************************************************************************************************** /**
* *************************************************************************************************
* *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, *
* please see http://www.owasp.org/ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* * please see http://www.owasp.org/
* Copyright (c) 2002 - 20014 Bruce Mayhew *
* * Copyright (c) 2002 - 20014 Bruce Mayhew
* This program is free software; you can redistribute it and/or modify it under the terms of the *
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* License, or (at your option) any later version. * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* * License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without *
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* General Public License for more details. * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* * General Public License for more details.
* You should have received a copy of the GNU General Public License along with this program; if *
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * You should have received a copy of the GNU General Public License along with this program; if
* 02111-1307, USA. * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* * 02111-1307, USA.
* Getting Source ============== *
* * Getting Source ==============
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software *
* projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* * projects.
* For details, please see http://webgoat.github.io *
*/ * For details, please see http://webgoat.github.io
public class UnauthenticatedException extends Exception *
{ * @version $Id: $Id
*/
/** public class UnauthenticatedException extends Exception
* {
*/
private static final long serialVersionUID = 97865025446819061L; /**
*
} */
private static final long serialVersionUID = 97865025446819061L;
}


@ -1,39 +1,42 @@
package org.owasp.webgoat.session; package org.owasp.webgoat.session;
/*************************************************************************************************** /**
* *************************************************************************************************
* *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, *
* please see http://www.owasp.org/ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* * please see http://www.owasp.org/
* Copyright (c) 2002 - 20014 Bruce Mayhew *
* * Copyright (c) 2002 - 20014 Bruce Mayhew
* This program is free software; you can redistribute it and/or modify it under the terms of the *
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* License, or (at your option) any later version. * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* * License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without *
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* General Public License for more details. * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* * General Public License for more details.
* You should have received a copy of the GNU General Public License along with this program; if *
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * You should have received a copy of the GNU General Public License along with this program; if
* 02111-1307, USA. * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* * 02111-1307, USA.
* Getting Source ============== *
* * Getting Source ==============
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software *
* projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* * projects.
* For details, please see http://webgoat.github.io *
*/ * For details, please see http://webgoat.github.io
public class UnauthorizedException extends Exception *
{ * @version $Id: $Id
*/
/** public class UnauthorizedException extends Exception
* {
*/
private static final long serialVersionUID = 5245519486798464814L; /**
*
} */
private static final long serialVersionUID = 5245519486798464814L;
}


@ -3,24 +3,49 @@ package org.owasp.webgoat.session;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Iterator; import java.util.Iterator;
/**
* <p>User class.</p>
*
* @version $Id: $Id
*/
public class User { public class User {
private String username; private String username;
private ArrayList<Role> roles; private ArrayList<Role> roles;
/**
* <p>Constructor for User.</p>
*
* @param username a {@link java.lang.String} object.
*/
public User(String username) { public User(String username) {
this.username = username; this.username = username;
this.roles = new ArrayList<Role>(); this.roles = new ArrayList<Role>();
} }
/**
* <p>Getter for the field <code>username</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getUsername() { public String getUsername() {
return username; return username;
} }
/**
* <p>Getter for the field <code>roles</code>.</p>
*
* @return a {@link java.util.Iterator} object.
*/
public Iterator<Role> getRoles() { public Iterator<Role> getRoles() {
return roles.iterator(); return roles.iterator();
} }
/**
* <p>addRole.</p>
*
* @param rolename a {@link java.lang.String} object.
*/
public void addRole(String rolename) { public void addRole(String rolename) {
roles.add(new Role(rolename)); roles.add(new Role(rolename));
} }
} }


@ -23,6 +23,9 @@ class UserDatabase {
private final String DELETE_ALL_ROLES_FOR_USER = "DELETE FROM user_roles WHERE user_id IN (SELECT id FROM users WHERE username = ?);"; private final String DELETE_ALL_ROLES_FOR_USER = "DELETE FROM user_roles WHERE user_id IN (SELECT id FROM users WHERE username = ?);";
private final String DELETE_USER = "DELETE FROM users WHERE username = ?;"; private final String DELETE_USER = "DELETE FROM users WHERE username = ?;";
/**
* <p>Constructor for UserDatabase.</p>
*/
public UserDatabase() { public UserDatabase() {
createDefaultTables(); createDefaultTables();
if (getTableCount("users") <= 0) { if (getTableCount("users") <= 0) {
@ -36,6 +39,11 @@ class UserDatabase {
} }
} }
/**
* <p>open.</p>
*
* @return a boolean.
*/
public boolean open() { public boolean open() {
try { try {
if (userDB == null || userDB.isClosed()) { if (userDB == null || userDB.isClosed()) {
@ -52,6 +60,11 @@ class UserDatabase {
return true; return true;
} }
/**
* <p>close.</p>
*
* @return a boolean.
*/
public boolean close() { public boolean close() {
try { try {
if (userDB != null && !userDB.isClosed()) if (userDB != null && !userDB.isClosed())
@ -63,6 +76,12 @@ class UserDatabase {
return true; return true;
} }
/**
* <p>getTableCount.</p>
*
* @param tableName a {@link java.lang.String} object.
* @return a int.
*/
public int getTableCount(String tableName) { public int getTableCount(String tableName) {
int count = 0; int count = 0;
try { try {
@ -82,6 +101,11 @@ class UserDatabase {
return count; return count;
} }
/**
* <p>getUsers.</p>
*
* @return a {@link java.util.Iterator} object.
*/
public Iterator<User> getUsers() { public Iterator<User> getUsers() {
ArrayList<User> users = new ArrayList<User>(); ArrayList<User> users = new ArrayList<User>();
User currentUser; User currentUser;
@ -113,6 +137,13 @@ class UserDatabase {
return users.iterator(); return users.iterator();
} }
/**
* <p>addRoleToUser.</p>
*
* @param username a {@link java.lang.String} object.
* @param rolename a {@link java.lang.String} object.
* @return a boolean.
*/
public boolean addRoleToUser(String username, String rolename) { public boolean addRoleToUser(String username, String rolename) {
try { try {
open(); open();
@ -129,10 +160,22 @@ class UserDatabase {
return true; return true;
} }
/**
* <p>removeUser.</p>
*
* @param user a {@link org.owasp.webgoat.session.User} object.
* @return a boolean.
*/
public boolean removeUser(User user) { public boolean removeUser(User user) {
return removeUser(user.getUsername()); return removeUser(user.getUsername());
} }
/**
* <p>removeUser.</p>
*
* @param username a {@link java.lang.String} object.
* @return a boolean.
*/
public boolean removeUser(String username) { public boolean removeUser(String username) {
try { try {
open(); open();
@ -211,4 +254,4 @@ class UserDatabase {
addRoleToUser("basic", "webgoat_basic"); addRoleToUser("basic", "webgoat_basic");
addRoleToUser("guest", "webgoat_user"); addRoleToUser("guest", "webgoat_user");
} }
} }
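Review bot: The new `@return a boolean.` on `open()`, `close()`, `addRoleToUser` and `removeUser` does not say what the boolean means; only `return true;` is visible in these hunks and the false path is presumably in the catch blocks outside them, so the docs should state the contract, e.g. `@return {@code true} if the operation completed, {@code false} if a database error occurred`, and say whether that error is logged or swallowed. The constructor Javadoc would also benefit from one sentence noting that it creates the default tables and seeds users when `getTableCount("users") <= 0`, since the last hunk shows default role assignments such as `addRoleToUser("guest", "webgoat_user")` that presumably run from that seeding path. The enclosing method of that last hunk starts outside it.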


@ -1,269 +1,289 @@
package org.owasp.webgoat.session; package org.owasp.webgoat.session;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collection; import java.util.Collection;
import java.util.HashMap; import java.util.HashMap;
import java.util.Iterator; import java.util.Iterator;
import java.util.Map; import java.util.Map;
/*************************************************************************************************** /**
* *************************************************************************************************
* *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, *
* please see http://www.owasp.org/ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* * please see http://www.owasp.org/
* Copyright (c) 2002 - 20014 Bruce Mayhew *
* * Copyright (c) 2002 - 20014 Bruce Mayhew
* This program is free software; you can redistribute it and/or modify it under the terms of the *
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* License, or (at your option) any later version. * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* * License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without *
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* General Public License for more details. * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* * General Public License for more details.
* You should have received a copy of the GNU General Public License along with this program; if *
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * You should have received a copy of the GNU General Public License along with this program; if
* 02111-1307, USA. * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* * 02111-1307, USA.
* Getting Source ============== *
* * Getting Source ==============
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software *
* projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* * projects.
* For details, please see http://webgoat.github.io *
* * For details, please see http://webgoat.github.io
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a> *
* @created October 29, 2003 * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
*/ * @since October 29, 2003
* @version $Id: $Id
public class UserTracker */
{ public class UserTracker
{
private static UserTracker instance;
private static UserTracker instance;
// FIXME: persist this somehow!
// FIXME: persist this somehow!
private static HashMap<String, HashMap<String, LessonTracker>> storage = new HashMap<String, HashMap<String, LessonTracker>>();
private static HashMap<String, HashMap<String, LessonTracker>> storage = new HashMap<String, HashMap<String, LessonTracker>>();
private static UserDatabase usersDB = new UserDatabase();
private static UserDatabase usersDB = new UserDatabase();
/**
* Constructor for the UserTracker object /**
*/ * Constructor for the UserTracker object
private UserTracker() */
{ private UserTracker()
} {
}
/**
* Gets the completed attribute of the UserTracker object /**
* * Gets the completed attribute of the UserTracker object
* @param userName *
* Description of the Parameter * @param userName
* @return The completed value * Description of the Parameter
*/ * @return The completed value
public int getCompleted(String userName) */
{ public int getCompleted(String userName)
{
HashMap usermap = getUserMap(userName);
HashMap usermap = getUserMap(userName);
Iterator i = usermap.entrySet().iterator();
Iterator i = usermap.entrySet().iterator();
int count = 0;
int count = 0;
while (i.hasNext())
{ while (i.hasNext())
{
Map.Entry entry = (Map.Entry) i.next();
Map.Entry entry = (Map.Entry) i.next();
int value = ((Integer) entry.getValue()).intValue();
int value = ((Integer) entry.getValue()).intValue();
if (value > 5)
{ if (value > 5)
count++; {
} count++;
}
}
}
return count;
} return count;
}
/**
* Gets the users attribute of the UserTracker object /**
* * Gets the users attribute of the UserTracker object
* @return The users value *
*/ * @return The users value
public Collection getUsers() */
{ public Collection getUsers()
return storage.keySet(); {
} return storage.keySet();
}
public Collection<String> getAllUsers(String roleName)
{ /**
synchronized (usersDB) * <p>getAllUsers.</p>
{ *
Collection<String> allUsers = new ArrayList<String>(); * @param roleName a {@link java.lang.String} object.
try * @return a {@link java.util.Collection} object.
{ */
usersDB.open(); public Collection<String> getAllUsers(String roleName)
Iterator users = usersDB.getUsers(); {
while (users.hasNext()) synchronized (usersDB)
{ {
User user = (User) users.next(); Collection<String> allUsers = new ArrayList<String>();
Iterator roles = user.getRoles(); try
while (roles.hasNext()) {
{ usersDB.open();
Role role = (Role) roles.next(); Iterator users = usersDB.getUsers();
if (role.getRolename().trim().equals(roleName)) while (users.hasNext())
{ {
allUsers.add(user.getUsername()); User user = (User) users.next();
} Iterator roles = user.getRoles();
} while (roles.hasNext())
} {
usersDB.close(); Role role = (Role) roles.next();
} catch (Exception e) if (role.getRolename().trim().equals(roleName))
{ {
} allUsers.add(user.getUsername());
return allUsers; }
} }
} }
usersDB.close();
public void deleteUser(String user) } catch (Exception e)
{ {
synchronized (usersDB) }
{ return allUsers;
try }
{ }
usersDB.open();
Iterator users = usersDB.getUsers(); /**
while (users.hasNext()) * <p>deleteUser.</p>
{ *
User tomcatUser = (User) users.next(); * @param user a {@link java.lang.String} object.
if (tomcatUser.getUsername().equals(user)) */
{ public void deleteUser(String user)
usersDB.removeUser(tomcatUser); {
// FIXME: delete all the lesson tracking property files synchronized (usersDB)
break; {
} try
} {
usersDB.close(); usersDB.open();
Iterator users = usersDB.getUsers();
} catch (Exception e) while (users.hasNext())
{ {
} User tomcatUser = (User) users.next();
} if (tomcatUser.getUsername().equals(user))
} {
usersDB.removeUser(tomcatUser);
/** // FIXME: delete all the lesson tracking property files
* Gets the lessonTracker attribute of the UserTracker object break;
* }
* @param screen }
* Description of the Parameter usersDB.close();
* @param userName
* Description of the Parameter } catch (Exception e)
* @return The lessonTracker value {
*/ }
public LessonTracker getLessonTracker(WebSession s, Screen screen) }
{ }
return getLessonTracker(s, s.getUserName(), screen);
} /**
* Gets the lessonTracker attribute of the UserTracker object
public LessonTracker getLessonTracker(WebSession s, String user, Screen screen) *
{ * @param screen
HashMap<String, LessonTracker> usermap = getUserMap(user); * Description of the Parameter
LessonTracker tracker = (LessonTracker) usermap.get(screen.getTitle()); * @return The lessonTracker value
if (tracker == null) * @param s a {@link org.owasp.webgoat.session.WebSession} object.
{ */
// Creates a new lesson tracker, if one does not exist on disk. public LessonTracker getLessonTracker(WebSession s, Screen screen)
tracker = LessonTracker.load(s, user, screen); {
usermap.put(screen.getTitle(), tracker); return getLessonTracker(s, s.getUserName(), screen);
} }
// System.out.println( "User: [" + userName + "] UserTracker:getLessonTracker() LTH " +
// tracker.hashCode() + " for " + screen ); /**
return tracker; * <p>getLessonTracker.</p>
} *
* @param s a {@link org.owasp.webgoat.session.WebSession} object.
/** * @param user a {@link java.lang.String} object.
* Gets the status attribute of the UserTracker object * @param screen a {@link org.owasp.webgoat.session.Screen} object.
* * @return a {@link org.owasp.webgoat.session.LessonTracker} object.
* @param screen */
* Description of the Parameter public LessonTracker getLessonTracker(WebSession s, String user, Screen screen)
* @param userName {
* Description of the Parameter HashMap<String, LessonTracker> usermap = getUserMap(user);
* @return The status value LessonTracker tracker = (LessonTracker) usermap.get(screen.getTitle());
*/ if (tracker == null)
public String getStatus(WebSession s, Screen screen) {
{ // Creates a new lesson tracker, if one does not exist on disk.
return ("User [" + s.getUserName() + "] has accessed " + screen + " UserTracker:getStatus()LTH = " + getLessonTracker( tracker = LessonTracker.load(s, user, screen);
s, usermap.put(screen.getTitle(), tracker);
screen) }
.hashCode()); // System.out.println( "User: [" + userName + "] UserTracker:getLessonTracker() LTH " +
} // tracker.hashCode() + " for " + screen );
return tracker;
/** }
* Gets the userMap attribute of the UserTracker object
* /**
* @param userName * Gets the status attribute of the UserTracker object
* Description of the Parameter *
* @return The userMap value * @param screen
*/ * Description of the Parameter
private HashMap<String, LessonTracker> getUserMap(String userName) * @return The status value
{ * @param s a {@link org.owasp.webgoat.session.WebSession} object.
*/
HashMap<String, LessonTracker> usermap = storage.get(userName); public String getStatus(WebSession s, Screen screen)
{
if (usermap == null) return ("User [" + s.getUserName() + "] has accessed " + screen + " UserTracker:getStatus()LTH = " + getLessonTracker(
{ s,
screen)
usermap = new HashMap<String, LessonTracker>(); .hashCode());
}
storage.put(userName, usermap);
/**
} * Gets the userMap attribute of the UserTracker object
*
return (usermap); * @param userName
} * Description of the Parameter
* @return The userMap value
/** */
* Description of the Method private HashMap<String, LessonTracker> getUserMap(String userName)
* {
* @return Description of the Return Value
*/ HashMap<String, LessonTracker> usermap = storage.get(userName);
public static synchronized UserTracker instance()
{ if (usermap == null)
{
if (instance == null)
{ usermap = new HashMap<String, LessonTracker>();
instance = new UserTracker(); storage.put(userName, usermap);
} }
return instance; return (usermap);
} }
/** /**
* Description of the Method * Description of the Method
* *
* @param screen * @return Description of the Return Value
* Description of the Parameter */
* @param s public static synchronized UserTracker instance()
* Description of the Parameter {
*/
public void update(WebSession s, Screen screen) if (instance == null)
{ {
LessonTracker tracker = getLessonTracker(s, screen); instance = new UserTracker();
// System.out.println( "User [" + s.getUserName() + "] TRACKER: updating " + screen + }
// " LTH " + tracker.hashCode() );
tracker.store(s, screen); return instance;
}
HashMap<String, LessonTracker> usermap = getUserMap(s.getUserName());
usermap.put(screen.getTitle(), tracker); /**
* Description of the Method
} *
* @param screen
} * Description of the Parameter
* @param screen
* Description of the Parameter
* @param s
* Description of the Parameter
*/
public void update(WebSession s, Screen screen)
{
LessonTracker tracker = getLessonTracker(s, screen);
// System.out.println( "User [" + s.getUserName() + "] TRACKER: updating " + screen +
// " LTH " + tracker.hashCode() );
tracker.store(s, screen);
HashMap<String, LessonTracker> usermap = getUserMap(s.getUserName());
usermap.put(screen.getTitle(), tracker);
}
}

@ -1,48 +1,59 @@
package org.owasp.webgoat.session; package org.owasp.webgoat.session;
/*************************************************************************************************** /**
* *************************************************************************************************
* *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, *
* please see http://www.owasp.org/ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* * please see http://www.owasp.org/
* Copyright (c) 2002 - 20014 Bruce Mayhew *
* * Copyright (c) 2002 - 20014 Bruce Mayhew
* This program is free software; you can redistribute it and/or modify it under the terms of the *
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* License, or (at your option) any later version. * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* * License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without *
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* General Public License for more details. * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* * General Public License for more details.
* You should have received a copy of the GNU General Public License along with this program; if *
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * You should have received a copy of the GNU General Public License along with this program; if
* 02111-1307, USA. * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* * 02111-1307, USA.
* Getting Source ============== *
* * Getting Source ==============
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software *
* projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* * projects.
* For details, please see http://webgoat.github.io *
*/ * For details, please see http://webgoat.github.io
public class ValidationException extends Exception *
{ * @version $Id: $Id
*/
/** public class ValidationException extends Exception
* {
*/
private static final long serialVersionUID = -8358754606830400708L; /**
*
public ValidationException() */
{ private static final long serialVersionUID = -8358754606830400708L;
super();
} /**
* <p>Constructor for ValidationException.</p>
public ValidationException(String message) */
{ public ValidationException()
super(message); {
} super();
} }
/**
* <p>Constructor for ValidationException.</p>
*
* @param message a {@link java.lang.String} object.
*/
public ValidationException(String message)
{
super(message);
}
}

@ -1,218 +1,310 @@
package org.owasp.webgoat.session; package org.owasp.webgoat.session;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServlet;
public class WebgoatContext { /**
* <p>WebgoatContext class.</p>
final Logger logger = LoggerFactory.getLogger(WebgoatContext.class); *
* @version $Id: $Id
public final static String DATABASE_CONNECTION_STRING = "DatabaseConnectionString"; */
public class WebgoatContext {
public final static String DATABASE_DRIVER = "DatabaseDriver";
final Logger logger = LoggerFactory.getLogger(WebgoatContext.class);
public final static String DATABASE_USER = "DatabaseUser";
/** Constant <code>DATABASE_CONNECTION_STRING="DatabaseConnectionString"</code> */
public final static String DATABASE_PASSWORD = "DatabasePassword"; public final static String DATABASE_CONNECTION_STRING = "DatabaseConnectionString";
public final static String ENTERPRISE = "Enterprise"; /** Constant <code>DATABASE_DRIVER="DatabaseDriver"</code> */
public final static String DATABASE_DRIVER = "DatabaseDriver";
public final static String CODING_EXERCISES = "CodingExercises";
/** Constant <code>DATABASE_USER="DatabaseUser"</code> */
public final static String SHOWCOOKIES = "ShowCookies"; public final static String DATABASE_USER = "DatabaseUser";
public final static String SHOWPARAMS = "ShowParams"; /** Constant <code>DATABASE_PASSWORD="DatabasePassword"</code> */
public final static String DATABASE_PASSWORD = "DatabasePassword";
public final static String SHOWREQUEST = "ShowRequest";
/** Constant <code>ENTERPRISE="Enterprise"</code> */
public final static String SHOWSOURCE = "ShowSource"; public final static String ENTERPRISE = "Enterprise";
public final static String SHOWSOLUTION = "ShowSolution"; /** Constant <code>CODING_EXERCISES="CodingExercises"</code> */
public final static String CODING_EXERCISES = "CodingExercises";
public final static String SHOWHINTS = "ShowHints";
/** Constant <code>SHOWCOOKIES="ShowCookies"</code> */
public final static String DEFUSEOSCOMMANDS = "DefuseOSCommands"; public final static String SHOWCOOKIES = "ShowCookies";
public final static String FEEDBACK_ADDRESS_HTML = "FeedbackAddressHTML"; /** Constant <code>SHOWPARAMS="ShowParams"</code> */
public final static String SHOWPARAMS = "ShowParams";
public final static String FEEDBACK_ADDRESS = "email";
/** Constant <code>SHOWREQUEST="ShowRequest"</code> */
public final static String DEBUG = "debug"; public final static String SHOWREQUEST = "ShowRequest";
public final static String DEFAULTLANGUAGE = "DefaultLanguage"; /** Constant <code>SHOWSOURCE="ShowSource"</code> */
public final static String SHOWSOURCE = "ShowSource";
private String databaseConnectionString;
/** Constant <code>SHOWSOLUTION="ShowSolution"</code> */
private String realConnectionString = null; public final static String SHOWSOLUTION = "ShowSolution";
private String databaseDriver; /** Constant <code>SHOWHINTS="ShowHints"</code> */
public final static String SHOWHINTS = "ShowHints";
private String databaseUser;
/** Constant <code>DEFUSEOSCOMMANDS="DefuseOSCommands"</code> */
private String databasePassword; public final static String DEFUSEOSCOMMANDS = "DefuseOSCommands";
private boolean showCookies = false; /** Constant <code>FEEDBACK_ADDRESS_HTML="FeedbackAddressHTML"</code> */
public final static String FEEDBACK_ADDRESS_HTML = "FeedbackAddressHTML";
private boolean showParams = false;
/** Constant <code>FEEDBACK_ADDRESS="email"</code> */
private boolean showRequest = false; public final static String FEEDBACK_ADDRESS = "email";
private boolean showSource = false; /** Constant <code>DEBUG="debug"</code> */
public final static String DEBUG = "debug";
private boolean showSolution = false;
/** Constant <code>DEFAULTLANGUAGE="DefaultLanguage"</code> */
private boolean defuseOSCommands = false; public final static String DEFAULTLANGUAGE = "DefaultLanguage";
private boolean enterprise = false; private String databaseConnectionString;
private boolean codingExercises = false; private String realConnectionString = null;
private String feedbackAddress = "webgoat@owasp.org"; private String databaseDriver;
private String feedbackAddressHTML = "<A HREF=mailto:webgoat@owasp.org>webgoat@owasp.org</A>"; private String databaseUser;
private boolean isDebug = false; private String databasePassword;
private String servletName; private boolean showCookies = false;
private HttpServlet servlet; private boolean showParams = false;
private String defaultLanguage; private boolean showRequest = false;
private java.nio.file.Path pluginDirectory; private boolean showSource = false;
public WebgoatContext(HttpServlet servlet) { private boolean showSolution = false;
this.servlet = servlet;
databaseConnectionString = getParameter(servlet, DATABASE_CONNECTION_STRING); private boolean defuseOSCommands = false;
databaseDriver = getParameter(servlet, DATABASE_DRIVER);
databaseUser = getParameter(servlet, DATABASE_USER); private boolean enterprise = false;
databasePassword = getParameter(servlet, DATABASE_PASSWORD);
private boolean codingExercises = false;
// initialize from web.xml
showParams = "true".equals(getParameter(servlet, SHOWPARAMS)); private String feedbackAddress = "webgoat@owasp.org";
showCookies = "true".equals(getParameter(servlet, SHOWCOOKIES));
showSource = "true".equals(getParameter(servlet, SHOWSOURCE)); private String feedbackAddressHTML = "<A HREF=mailto:webgoat@owasp.org>webgoat@owasp.org</A>";
showSolution = "true".equals(getParameter(servlet, SHOWSOLUTION));
defuseOSCommands = "true".equals(getParameter(servlet, DEFUSEOSCOMMANDS)); private boolean isDebug = false;
enterprise = "true".equals(getParameter(servlet, ENTERPRISE));
codingExercises = "true".equals(getParameter(servlet, CODING_EXERCISES)); private String servletName;
feedbackAddressHTML = getParameter(servlet, FEEDBACK_ADDRESS_HTML) != null ? getParameter(servlet,
FEEDBACK_ADDRESS_HTML) private HttpServlet servlet;
: feedbackAddressHTML;
feedbackAddress = getParameter(servlet, FEEDBACK_ADDRESS) != null ? getParameter(servlet, FEEDBACK_ADDRESS) private String defaultLanguage;
: feedbackAddress;
showRequest = "true".equals(getParameter(servlet, SHOWREQUEST)); private java.nio.file.Path pluginDirectory;
isDebug = "true".equals(getParameter(servlet, DEBUG));
servletName = servlet.getServletName(); /**
defaultLanguage = getParameter(servlet, DEFAULTLANGUAGE) != null ? new String(getParameter(servlet, DEFAULTLANGUAGE)) : new String("en"); * <p>Constructor for WebgoatContext.</p>
} *
* @param servlet a {@link javax.servlet.http.HttpServlet} object.
private String getParameter(HttpServlet servlet, String key) { */
String value = System.getenv().get(key); public WebgoatContext(HttpServlet servlet) {
if (value == null) { this.servlet = servlet;
value = servlet.getInitParameter(key); databaseConnectionString = getParameter(servlet, DATABASE_CONNECTION_STRING);
} databaseDriver = getParameter(servlet, DATABASE_DRIVER);
return value; databaseUser = getParameter(servlet, DATABASE_USER);
} databasePassword = getParameter(servlet, DATABASE_PASSWORD);
/** // initialize from web.xml
* returns the connection string with the real path to the database showParams = "true".equals(getParameter(servlet, SHOWPARAMS));
* directory inserted at the word PATH showCookies = "true".equals(getParameter(servlet, SHOWCOOKIES));
* showSource = "true".equals(getParameter(servlet, SHOWSOURCE));
* @return The databaseConnectionString value showSolution = "true".equals(getParameter(servlet, SHOWSOLUTION));
*/ defuseOSCommands = "true".equals(getParameter(servlet, DEFUSEOSCOMMANDS));
public String getDatabaseConnectionString() { enterprise = "true".equals(getParameter(servlet, ENTERPRISE));
if (realConnectionString == null) { codingExercises = "true".equals(getParameter(servlet, CODING_EXERCISES));
try { feedbackAddressHTML = getParameter(servlet, FEEDBACK_ADDRESS_HTML) != null ? getParameter(servlet,
String path = servlet.getServletContext().getRealPath("/database").replace('\\', '/'); FEEDBACK_ADDRESS_HTML)
System.out.println("PATH: " + path); : feedbackAddressHTML;
realConnectionString = databaseConnectionString.replaceAll("PATH", path); feedbackAddress = getParameter(servlet, FEEDBACK_ADDRESS) != null ? getParameter(servlet, FEEDBACK_ADDRESS)
System.out.println("Database Connection String: " + realConnectionString); : feedbackAddress;
} catch (Exception e) { showRequest = "true".equals(getParameter(servlet, SHOWREQUEST));
logger.error("Couldn't open database: check web.xml database parameters", e); isDebug = "true".equals(getParameter(servlet, DEBUG));
} servletName = servlet.getServletName();
} defaultLanguage = getParameter(servlet, DEFAULTLANGUAGE) != null ? new String(getParameter(servlet, DEFAULTLANGUAGE)) : new String("en");
return realConnectionString; }
}
private String getParameter(HttpServlet servlet, String key) {
/** String value = System.getenv().get(key);
* Gets the databaseDriver attribute of the WebSession object if (value == null) {
* value = servlet.getInitParameter(key);
* @return The databaseDriver value }
*/ return value;
public String getDatabaseDriver() { }
return (databaseDriver);
} /**
* returns the connection string with the real path to the database
/** * directory inserted at the word PATH
* Gets the databaseUser attribute of the WebSession object *
* * @return The databaseConnectionString value
* @return The databaseUser value */
*/ public String getDatabaseConnectionString() {
public String getDatabaseUser() { if (realConnectionString == null) {
return (databaseUser); try {
} String path = servlet.getServletContext().getRealPath("/database").replace('\\', '/');
System.out.println("PATH: " + path);
/** realConnectionString = databaseConnectionString.replaceAll("PATH", path);
* Gets the databasePassword attribute of the WebSession object System.out.println("Database Connection String: " + realConnectionString);
* } catch (Exception e) {
* @return The databasePassword value logger.error("Couldn't open database: check web.xml database parameters", e);
*/ }
public String getDatabasePassword() { }
return (databasePassword); return realConnectionString;
} }
public boolean isDefuseOSCommands() { /**
return defuseOSCommands; * Gets the databaseDriver attribute of the WebSession object
} *
* @return The databaseDriver value
public boolean isEnterprise() { */
return enterprise; public String getDatabaseDriver() {
} return (databaseDriver);
}
public boolean isCodingExercises() {
return codingExercises; /**
} * Gets the databaseUser attribute of the WebSession object
*
public String getFeedbackAddress() { * @return The databaseUser value
return feedbackAddress; */
} public String getDatabaseUser() {
return (databaseUser);
public String getFeedbackAddressHTML() { }
return feedbackAddressHTML;
} /**
* Gets the databasePassword attribute of the WebSession object
public boolean isDebug() { *
return isDebug; * @return The databasePassword value
} */
public String getDatabasePassword() {
public String getServletName() { return (databasePassword);
return servletName; }
}
/**
public boolean isShowCookies() { * <p>isDefuseOSCommands.</p>
return showCookies; *
} * @return a boolean.
*/
public boolean isShowParams() { public boolean isDefuseOSCommands() {
return showParams; return defuseOSCommands;
} }
public boolean isShowRequest() { /**
return showRequest; * <p>isEnterprise.</p>
} *
* @return a boolean.
public boolean isShowSource() { */
return showSource; public boolean isEnterprise() {
} return enterprise;
}
public boolean isShowSolution() {
return showSolution; /**
} * <p>isCodingExercises.</p>
*
public String getDefaultLanguage() { * @return a boolean.
return defaultLanguage; */
} public boolean isCodingExercises() {
} return codingExercises;
}
/**
* <p>Getter for the field <code>feedbackAddress</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getFeedbackAddress() {
return feedbackAddress;
}
/**
* <p>Getter for the field <code>feedbackAddressHTML</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getFeedbackAddressHTML() {
return feedbackAddressHTML;
}
/**
* <p>isDebug.</p>
*
* @return a boolean.
*/
public boolean isDebug() {
return isDebug;
}
/**
* <p>Getter for the field <code>servletName</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getServletName() {
return servletName;
}
/**
* <p>isShowCookies.</p>
*
* @return a boolean.
*/
public boolean isShowCookies() {
return showCookies;
}
/**
* <p>isShowParams.</p>
*
* @return a boolean.
*/
public boolean isShowParams() {
return showParams;
}
/**
* <p>isShowRequest.</p>
*
* @return a boolean.
*/
public boolean isShowRequest() {
return showRequest;
}
/**
* <p>isShowSource.</p>
*
* @return a boolean.
*/
public boolean isShowSource() {
return showSource;
}
/**
* <p>isShowSolution.</p>
*
* @return a boolean.
*/
public boolean isShowSolution() {
return showSolution;
}
/**
* <p>Getter for the field <code>defaultLanguage</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getDefaultLanguage() {
return defaultLanguage;
}
}
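Review bot: `getDatabaseConnectionString()` still writes the resolved path and the full connection string to stdout with `System.out.println` even though the class has a `logger` field and uses it two lines later for the failure case; the two calls should become `logger.debug("PATH: {}", path);` and `logger.debug("Database Connection String: {}", realConnectionString);` so they follow the configured log level and destination. Whether that string carries credentials depends on how the deployment configures it, so emitting it only at debug level rather than unconditionally is the safer default. The new constructor Javadoc also does not say that `getParameter` consults `System.getenv()` before the servlet init parameter, which an operator setting values such as `DatabasePassword` in web.xml needs to know; a one-line Javadoc on `getParameter` such as `/** Resolves {@code key} from the process environment first, falling back to the servlet init parameter of the same name. */` would cover it.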

@ -1,119 +1,146 @@
package org.owasp.webgoat.session; package org.owasp.webgoat.session;
import java.io.File; import java.io.File;
import java.io.FileInputStream; import java.io.FileInputStream;
import java.io.IOException; import java.io.IOException;
import java.util.Properties; import java.util.Properties;
import org.owasp.webgoat.HammerHead; import org.owasp.webgoat.HammerHead;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
/** /**
* ************************************************************************************************* * *************************************************************************************************
* *
* *
* This file is part of WebGoat, an Open Web Application Security Project * This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/ * utility. For details, please see http://www.owasp.org/
* *
* Copyright (c) 2002 - 20014 Bruce Mayhew * Copyright (c) 2002 - 20014 Bruce Mayhew
* *
* This program is free software; you can redistribute it and/or modify it under * This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software * the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later * Foundation; either version 2 of the License, or (at your option) any later
* version. * version.
* *
* This program is distributed in the hope that it will be useful, but WITHOUT * This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details. * details.
* *
* You should have received a copy of the GNU General Public License along with * You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA. * Place - Suite 330, Boston, MA 02111-1307, USA.
* *
* Getting Source ============== * Getting Source ==============
* *
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects. * for free software projects.
* *
* For details, please see http://webgoat.github.io * For details, please see http://webgoat.github.io
*/ *
public class WebgoatProperties extends Properties { * @version $Id: $Id
*/
/** public class WebgoatProperties extends Properties {
*
*/ /**
private static final long serialVersionUID = 4351681705558227918L; *
final Logger logger = LoggerFactory.getLogger(WebgoatProperties.class); */
private static final long serialVersionUID = 4351681705558227918L;
public WebgoatProperties(String propertiesFileName) throws IOException { final Logger logger = LoggerFactory.getLogger(WebgoatProperties.class);
if (propertiesFileName == null) {
throw new IOException("Path to webgoat.properties is null, initialization must have failed"); /**
} * <p>Constructor for WebgoatProperties.</p>
File propertiesFile = new File(propertiesFileName); *
if (propertiesFile.exists() == false) { * @param propertiesFileName a {@link java.lang.String} object.
throw new IOException("Unable to locate webgoat.properties at: " + propertiesFileName); * @throws java.io.IOException if any.
} */
FileInputStream in = new FileInputStream(propertiesFile); public WebgoatProperties(String propertiesFileName) throws IOException {
load(in); if (propertiesFileName == null) {
} throw new IOException("Path to webgoat.properties is null, initialization must have failed");
}
public int getIntProperty(String key, int defaultValue) { File propertiesFile = new File(propertiesFileName);
int value = defaultValue; if (propertiesFile.exists() == false) {
throw new IOException("Unable to locate webgoat.properties at: " + propertiesFileName);
String s = getProperty(key); }
if (s != null) { FileInputStream in = new FileInputStream(propertiesFile);
value = Integer.parseInt(s); load(in);
} }
return value; /**
} * <p>getIntProperty.</p>
*
public boolean getBooleanProperty(String key, boolean defaultValue) { * @param key a {@link java.lang.String} object.
boolean value = defaultValue; * @param defaultValue a int.
key = this.trimLesson(key); * @return a int.
*/
String s = getProperty(key); public int getIntProperty(String key, int defaultValue) {
if (s != null) { int value = defaultValue;
if (s.equalsIgnoreCase("true")) {
value = true; String s = getProperty(key);
} else if (s.equalsIgnoreCase("yes")) { if (s != null) {
value = true; value = Integer.parseInt(s);
} else if (s.equalsIgnoreCase("on")) { }
value = true;
} else if (s.equalsIgnoreCase("false")) { return value;
value = false; }
} else if (s.equalsIgnoreCase("no")) {
value = false; /**
} else if (s.equalsIgnoreCase("off")) { * <p>getBooleanProperty.</p>
value = false; *
} * @param key a {@link java.lang.String} object.
} * @param defaultValue a boolean.
* @return a boolean.
return value; */
} public boolean getBooleanProperty(String key, boolean defaultValue) {
boolean value = defaultValue;
private String trimLesson(String lesson) { key = this.trimLesson(key);
String result = "";
String s = getProperty(key);
if (lesson.startsWith("org.owasp.webgoat.lessons.")) { if (s != null) {
result = lesson.substring("org.owasp.webgoat.lessons.".length(), lesson.length()); if (s.equalsIgnoreCase("true")) {
} else { value = true;
result = lesson; } else if (s.equalsIgnoreCase("yes")) {
} value = true;
} else if (s.equalsIgnoreCase("on")) {
return result; value = true;
} } else if (s.equalsIgnoreCase("false")) {
value = false;
public static void main(String[] args) { } else if (s.equalsIgnoreCase("no")) {
WebgoatProperties properties = null; value = false;
try { } else if (s.equalsIgnoreCase("off")) {
properties = new WebgoatProperties("C:\\webgoat.properties"); value = false;
} catch (IOException e) { }
System.out.println("Error loading properties"); }
e.printStackTrace();
} return value;
System.out.println(properties.getProperty("CommandInjection.category")); }
}
private String trimLesson(String lesson) {
} String result = "";
if (lesson.startsWith("org.owasp.webgoat.lessons.")) {
result = lesson.substring("org.owasp.webgoat.lessons.".length(), lesson.length());
} else {
result = lesson;
}
return result;
}
/**
* <p>main.</p>
*
* @param args an array of {@link java.lang.String} objects.
*/
public static void main(String[] args) {
WebgoatProperties properties = null;
try {
properties = new WebgoatProperties("C:\\webgoat.properties");
} catch (IOException e) {
System.out.println("Error loading properties");
e.printStackTrace();
}
System.out.println(properties.getProperty("CommandInjection.category"));
}
}


@ -1,63 +1,68 @@
package org.owasp.webgoat.util; package org.owasp.webgoat.util;
import org.springframework.beans.BeansException; import org.springframework.beans.BeansException;
import org.springframework.context.ApplicationContext; import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware; import org.springframework.context.ApplicationContextAware;
import org.springframework.stereotype.Component; import org.springframework.stereotype.Component;
/*************************************************************************************************** /**
* *************************************************************************************************
* *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, *
* please see http://www.owasp.org/ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* * please see http://www.owasp.org/
* Copyright (c) 2002 - 20014 Bruce Mayhew *
* * Copyright (c) 2002 - 20014 Bruce Mayhew
* This program is free software; you can redistribute it and/or modify it under the terms of the *
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* License, or (at your option) any later version. * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* * License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without *
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* General Public License for more details. * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* * General Public License for more details.
* You should have received a copy of the GNU General Public License along with this program; if *
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * You should have received a copy of the GNU General Public License along with this program; if
* 02111-1307, USA. * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* * 02111-1307, USA.
* Getting Source ============== *
* * Getting Source ==============
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for *
* free software projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for
* * free software projects.
* For details, please see http://webgoat.github.io *
*/ * For details, please see http://webgoat.github.io
@Component *
public class BeanProvider implements ApplicationContextAware * @version $Id: $Id
{ */
private static ApplicationContext ctx; @Component
public class BeanProvider implements ApplicationContextAware
@Override {
public void setApplicationContext(ApplicationContext applicationContext) throws BeansException private static ApplicationContext ctx;
{
ctx = applicationContext; /** {@inheritDoc} */
@Override
} public void setApplicationContext(ApplicationContext applicationContext) throws BeansException
{
/** ctx = applicationContext;
* Get access to managed beans from id.
* }
* @param beanName
* the id of the searched bean /**
* @param beanClass * Get access to managed beans from id.
* the type of tye searched bean *
* @return * @param beanName
*/ * the id of the searched bean
@SuppressWarnings("unchecked") * @param beanClass
public static <T> T getBean(final String beanName, final Class<T> beanClass) * the type of tye searched bean
{ * @param <T> a T object.
return (T) ctx.getBean(beanName); * @return a T object.
} */
} @SuppressWarnings("unchecked")
public static <T> T getBean(final String beanName, final Class<T> beanClass)
{
return (T) ctx.getBean(beanName);
}
}
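Review bot: `getBean` still never uses its `beanClass` parameter and relies on an unchecked cast of `ctx.getBean(beanName)` (the `@SuppressWarnings("unchecked")` method), so a bean registered under `beanName` with an unrelated type surfaces as a `ClassCastException` at the caller instead of a typed `BeanNotOfRequiredTypeException` at the lookup. Delegating to the typed overload removes both the cast and the suppression: `return ctx.getBean(beanName, beanClass);`. The new `@param beanClass` text also keeps the typo `the type of tye searched bean`; it should read `the type of the searched bean`. The static `ctx` written from `setApplicationContext` is neither `volatile` nor guarded, so a `getBean` call before the context is injected dereferences null; a Javadoc sentence stating that ordering requirement, or a `Objects.requireNonNull(ctx, "ApplicationContext not yet injected")` before the lookup, would make the failure explicit.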


@ -1,353 +1,355 @@
package org.owasp.webgoat.util; package org.owasp.webgoat.util;
/*************************************************************************************************** /**
* *************************************************************************************************
* *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, *
* please see http://www.owasp.org/ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* * please see http://www.owasp.org/
* Copyright (c) 2002 - 20014 Bruce Mayhew *
* * Copyright (c) 2002 - 20014 Bruce Mayhew
* This program is free software; you can redistribute it and/or modify it under the terms of the *
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* License, or (at your option) any later version. * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* * License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without *
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* General Public License for more details. * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* * General Public License for more details.
* You should have received a copy of the GNU General Public License along with this program; if *
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * You should have received a copy of the GNU General Public License along with this program; if
* 02111-1307, USA. * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* * 02111-1307, USA.
* Getting Source ============== *
* * Getting Source ==============
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software *
* projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* * projects.
* For details, please see http://webgoat.github.io *
* * For details, please see http://webgoat.github.io
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a> *
*/ * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
public class ExecResults * @version $Id: $Id
{ */
public class ExecResults
/** {
* Description of the Field
*/ /**
public final static int BADRETURNCODE = 2; * Description of the Field
*/
/** public final static int BADRETURNCODE = 2;
* Description of the Field
*/ /**
public final static int THROWABLE = 1; * Description of the Field
*/
private String myCommand; public final static int THROWABLE = 1;
private boolean myError = false; private String myCommand;
private int myErrorType = 0; private boolean myError = false;
private String myErrors = null; private int myErrorType = 0;
private String myInput; private String myErrors = null;
private boolean myInterrupted = false; private String myInput;
private String myOutput = null; private boolean myInterrupted = false;
private int myReturnCode = 0; private String myOutput = null;
private int mySuccessCode; private int myReturnCode = 0;
private Throwable myThrowable = null; private int mySuccessCode;
private int myTimeout; private Throwable myThrowable = null;
/** private int myTimeout;
* Constructor for the ExecResults object
* /**
* @param command * Constructor for the ExecResults object
* Description of the Parameter *
* @param input * @param command
* Description of the Parameter * Description of the Parameter
* @param successCode * @param input
* Description of the Parameter * Description of the Parameter
* @param timeout * @param successCode
* Description of the Parameter * Description of the Parameter
*/ * @param timeout
public ExecResults(String command, String input, int successCode, int timeout) * Description of the Parameter
{ */
myCommand = command.trim(); public ExecResults(String command, String input, int successCode, int timeout)
myInput = input.trim(); {
mySuccessCode = successCode; myCommand = command.trim();
myTimeout = timeout; myInput = input.trim();
} mySuccessCode = successCode;
myTimeout = timeout;
/** }
* Description of the Method
* /**
* @param haystack * Description of the Method
* Description of the Parameter *
* @param needle * @param haystack
* Description of the Parameter * Description of the Parameter
* @param fromIndex * @param needle
* Description of the Parameter * Description of the Parameter
* @return Description of the Return Value * @param fromIndex
*/ * Description of the Parameter
private boolean contains(String haystack, String needle, int fromIndex) * @return Description of the Return Value
{ */
return (haystack.trim().toLowerCase().indexOf(needle.trim().toLowerCase(), fromIndex) != -1); private boolean contains(String haystack, String needle, int fromIndex)
} {
return (haystack.trim().toLowerCase().indexOf(needle.trim().toLowerCase(), fromIndex) != -1);
/** }
* Description of the Method
* /**
* @param value * Description of the Method
* Description of the Parameter *
* @return Description of the Return Value * @param value
*/ * Description of the Parameter
public boolean errorsContains(String value) * @return Description of the Return Value
{ */
return (errorsContains(value, 0)); public boolean errorsContains(String value)
} {
return (errorsContains(value, 0));
/** }
* Description of the Method
* /**
* @param value * Description of the Method
* Description of the Parameter *
* @param fromIndex * @param value
* Description of the Parameter * Description of the Parameter
* @return Description of the Return Value * @param fromIndex
*/ * Description of the Parameter
public boolean errorsContains(String value, int fromIndex) * @return Description of the Return Value
{ */
return (contains(myErrors, value, fromIndex)); public boolean errorsContains(String value, int fromIndex)
} {
return (contains(myErrors, value, fromIndex));
/** }
* Gets the error attribute of the ExecResults object
* /**
* @return The error value * Gets the error attribute of the ExecResults object
*/ *
public boolean getError() * @return The error value
{ */
return (myError); public boolean getError()
} {
return (myError);
/** }
* Gets the errorMessage attribute of the ExecResults object
* /**
* @return The errorMessage value * Gets the errorMessage attribute of the ExecResults object
*/ *
public String getErrorMessage() * @return The errorMessage value
{ */
switch (getErrorType()) public String getErrorMessage()
{ {
case THROWABLE: switch (getErrorType())
return ("Exception: " + myThrowable.getMessage()); {
case THROWABLE:
case BADRETURNCODE: return ("Exception: " + myThrowable.getMessage());
return ("Bad return code (expected " + mySuccessCode + ")");
case BADRETURNCODE:
default: return ("Bad return code (expected " + mySuccessCode + ")");
return ("Unknown error");
} default:
} return ("Unknown error");
}
/** }
* Gets the errorType attribute of the ExecResults object
* /**
* @return The errorType value * Gets the errorType attribute of the ExecResults object
*/ *
public int getErrorType() * @return The errorType value
{ */
return (myErrorType); public int getErrorType()
} {
return (myErrorType);
/** }
* Gets the errors attribute of the ExecResults object
* /**
* @return The errors value * Gets the errors attribute of the ExecResults object
*/ *
public String getErrors() * @return The errors value
{ */
return (myErrors); public String getErrors()
} {
return (myErrors);
/** }
* Gets the interrupted attribute of the ExecResults object
* /**
* @return The interrupted value * Gets the interrupted attribute of the ExecResults object
*/ *
public boolean getInterrupted() * @return The interrupted value
{ */
return (myInterrupted); public boolean getInterrupted()
} {
return (myInterrupted);
/** }
* Gets the output attribute of the ExecResults object
* /**
* @return The output value * Gets the output attribute of the ExecResults object
*/ *
public String getOutput() * @return The output value
{ */
return (myOutput); public String getOutput()
} {
return (myOutput);
/** }
* Gets the returnCode attribute of the ExecResults object
* /**
* @return The returnCode value * Gets the returnCode attribute of the ExecResults object
*/ *
public int getReturnCode() * @return The returnCode value
{ */
return (myReturnCode); public int getReturnCode()
} {
return (myReturnCode);
/** }
* Gets the throwable attribute of the ExecResults object
* /**
* @return The throwable value * Gets the throwable attribute of the ExecResults object
*/ *
public Throwable getThrowable() * @return The throwable value
{ */
return (myThrowable); public Throwable getThrowable()
} {
return (myThrowable);
/** }
* Description of the Method
* /**
* @param value * Description of the Method
* Description of the Parameter *
* @return Description of the Return Value * @param value
*/ * Description of the Parameter
public boolean outputContains(String value) * @return Description of the Return Value
{ */
return (outputContains(value, 0)); public boolean outputContains(String value)
} {
return (outputContains(value, 0));
/** }
* Description of the Method
* /**
* @param value * Description of the Method
* Description of the Parameter *
* @param fromIndex * @param value
* Description of the Parameter * Description of the Parameter
* @return Description of the Return Value * @param fromIndex
*/ * Description of the Parameter
public boolean outputContains(String value, int fromIndex) * @return Description of the Return Value
{ */
return (contains(myOutput, value, fromIndex)); public boolean outputContains(String value, int fromIndex)
} {
return (contains(myOutput, value, fromIndex));
/** }
* Sets the error attribute of the ExecResults object
* /**
* @param value * Sets the error attribute of the ExecResults object
* The new error value *
*/ * @param value
public void setError(int value) * The new error value
{ */
myError = true; public void setError(int value)
myErrorType = value; {
} myError = true;
myErrorType = value;
/** }
* Sets the errors attribute of the ExecResults object
* /**
* @param errors * Sets the errors attribute of the ExecResults object
* The new errors value *
*/ * @param errors
public void setErrors(String errors) * The new errors value
{ */
myErrors = errors.trim(); public void setErrors(String errors)
} {
myErrors = errors.trim();
/** }
* Sets the interrupted attribute of the ExecResults object
*/ /**
public void setInterrupted() * Sets the interrupted attribute of the ExecResults object
{ */
myInterrupted = true; public void setInterrupted()
} {
myInterrupted = true;
/** }
* Sets the output attribute of the ExecResults object
* /**
* @param value * Sets the output attribute of the ExecResults object
* The new output value *
*/ * @param value
public void setOutput(String value) * The new output value
{ */
myOutput = value.trim(); public void setOutput(String value)
} {
myOutput = value.trim();
/** }
* Sets the returnCode attribute of the ExecResults object
* /**
* @param value * Sets the returnCode attribute of the ExecResults object
* The new returnCode value *
*/ * @param value
public void setReturnCode(int value) * The new returnCode value
{ */
myReturnCode = value; public void setReturnCode(int value)
} {
myReturnCode = value;
/** }
* Sets the throwable attribute of the ExecResults object
* /**
* @param value * Sets the throwable attribute of the ExecResults object
* The new throwable value *
*/ * @param value
public void setThrowable(Throwable value) * The new throwable value
{ */
setError(THROWABLE); public void setThrowable(Throwable value)
myThrowable = value; {
} setError(THROWABLE);
myThrowable = value;
/** }
* Description of the Method
* /**
* @return Description of the Return Value * Description of the Method
*/ *
public String toString() * @return Description of the Return Value
{ */
String sep = System.getProperty("line.separator"); public String toString()
StringBuffer value = new StringBuffer(); {
value.append("ExecResults for \'" + myCommand + "\'" + sep); String sep = System.getProperty("line.separator");
StringBuffer value = new StringBuffer();
if ((myInput != null) && !myInput.equals("")) value.append("ExecResults for \'" + myCommand + "\'" + sep);
{
value.append(sep + "Input..." + sep + myInput + sep); if ((myInput != null) && !myInput.equals(""))
} {
value.append(sep + "Input..." + sep + myInput + sep);
if ((myOutput != null) && !myOutput.equals("")) }
{
value.append(sep + "Output..." + sep + myOutput + sep); if ((myOutput != null) && !myOutput.equals(""))
} {
value.append(sep + "Output..." + sep + myOutput + sep);
if ((myErrors != null) && !myErrors.equals("")) }
{
value.append(sep + "Errors..." + sep + myErrors + sep); if ((myErrors != null) && !myErrors.equals(""))
} {
value.append(sep + "Errors..." + sep + myErrors + sep);
value.append(sep); }
if (myInterrupted) value.append(sep);
{
value.append("Command timed out after " + (myTimeout / 1000) + " seconds " + sep); if (myInterrupted)
} {
value.append("Command timed out after " + (myTimeout / 1000) + " seconds " + sep);
value.append("Returncode: " + myReturnCode + sep); }
if (myError) value.append("Returncode: " + myReturnCode + sep);
{
value.append(getErrorMessage() + sep); if (myError)
} {
value.append(getErrorMessage() + sep);
return (value.toString()); }
}
} return (value.toString());
}
}
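Review bot: `contains` (the `haystack.trim().toLowerCase()` line) dereferences its first argument unconditionally, while `myErrors` and `myOutput` are initialised to `null`, so `errorsContains`/`outputContains` throw `NullPointerException` when called before `setErrors`/`setOutput` — even though `toString` guards the same fields with `!= null`. A guard at the top of `contains`, `if (haystack == null || needle == null) { return false; }`, makes the predicates consistent with `toString`. The same asymmetry exists in the constructor, which calls `input.trim()` although `toString` later checks `myInput != null`, so that check is dead code. `getErrorMessage` likewise calls `myThrowable.getMessage()` whenever the error type is `THROWABLE`, which the public `setError(THROWABLE)` can set without a throwable ever being supplied. `toString` should also carry `@Override`, and the `StringBuffer` can be a `StringBuilder` since it never leaves the method.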


@ -1,59 +1,61 @@
package org.owasp.webgoat.util; package org.owasp.webgoat.util;
/*************************************************************************************************** /**
* *************************************************************************************************
* *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, *
* please see http://www.owasp.org/ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* * please see http://www.owasp.org/
* Copyright (c) 2002 - 20014 Bruce Mayhew *
* * Copyright (c) 2002 - 20014 Bruce Mayhew
* This program is free software; you can redistribute it and/or modify it under the terms of the *
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* License, or (at your option) any later version. * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* * License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without *
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* General Public License for more details. * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* * General Public License for more details.
* You should have received a copy of the GNU General Public License along with this program; if *
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * You should have received a copy of the GNU General Public License along with this program; if
* 02111-1307, USA. * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* * 02111-1307, USA.
* Getting Source ============== *
* * Getting Source ==============
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software *
* projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* * projects.
* For details, please see http://webgoat.github.io *
* * For details, please see http://webgoat.github.io
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a> *
*/ * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
public class ExecutionException extends Exception * @version $Id: $Id
{ */
public class ExecutionException extends Exception
/** {
*
*/ /**
private static final long serialVersionUID = 7282947463831152092L; *
*/
/** private static final long serialVersionUID = 7282947463831152092L;
* Constructor for the ExecutionException object
*/ /**
public ExecutionException() * Constructor for the ExecutionException object
{ */
super(); public ExecutionException()
} {
super();
/** }
* Constructor for the ExecutionException object
* /**
* @param msg * Constructor for the ExecutionException object
* Description of the Parameter *
*/ * @param msg
public ExecutionException(String msg) * Description of the Parameter
{ */
super(msg); public ExecutionException(String msg)
} {
} super(msg);
}
}
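Review bot: `ExecutionException` still offers only the no-arg and message constructors, so any code that wraps an underlying failure in it has to drop the cause; a cause-preserving constructor, `public ExecutionException(String msg, Throwable cause) { super(msg, cause); }`, keeps the original stack trace for diagnosis. The new Javadoc also leaves the empty `/** */` block above `serialVersionUID` and the placeholder `Description of the Parameter` for `msg`; a one-liner such as `@param msg detail message describing why the command execution failed` would say more.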


@ -1,225 +1,230 @@
package org.owasp.webgoat.util; package org.owasp.webgoat.util;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map; import java.util.Map;
/*************************************************************************************************** /**
* *************************************************************************************************
* *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, *
* please see http://www.owasp.org/ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* * please see http://www.owasp.org/
* Copyright (c) 2002 - 20014 Bruce Mayhew *
* * Copyright (c) 2002 - 20014 Bruce Mayhew
* This program is free software; you can redistribute it and/or modify it under the terms of the *
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* License, or (at your option) any later version. * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* * License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without *
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* General Public License for more details. * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* * General Public License for more details.
* You should have received a copy of the GNU General Public License along with this program; if *
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * You should have received a copy of the GNU General Public License along with this program; if
* 02111-1307, USA. * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* * 02111-1307, USA.
* Getting Source ============== *
* * Getting Source ==============
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software *
* projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* * projects.
* For details, please see http://webgoat.github.io *
*/ * For details, please see http://webgoat.github.io
public class HtmlEncoder *
{ * @version $Id: $Id
*/
static Map<String, Integer> e2i = new HashMap<String, Integer>(); public class HtmlEncoder
{
static Map<Integer, String> i2e = new HashMap<Integer, String>();
static Map<String, Integer> e2i = new HashMap<String, Integer>();
// html entity list
private static Object[][] entities = { { "quot", new Integer(34) }, // " - double-quote static Map<Integer, String> i2e = new HashMap<Integer, String>();
{ "amp", new Integer(38) }, // & - ampersand
{ "lt", new Integer(60) }, // < - less-than // html entity list
{ "gt", new Integer(62) }, // > - greater-than private static Object[][] entities = { { "quot", new Integer(34) }, // " - double-quote
{ "nbsp", new Integer(160) }, // non-breaking space { "amp", new Integer(38) }, // - ampersand
{ "copy", new Integer(169) }, // © - copyright { "lt", new Integer(60) }, // - less-than
{ "reg", new Integer(174) }, // ® - registered trademark { "gt", new Integer(62) }, // - greater-than
{ "Agrave", new Integer(192) }, // À - uppercase A, grave accent { "nbsp", new Integer(160) }, // non-breaking space
{ "Aacute", new Integer(193) }, // Á - uppercase A, acute accent { "copy", new Integer(169) }, // - copyright
{ "Acirc", new Integer(194) }, // Â - uppercase A, circumflex accent { "reg", new Integer(174) }, // - registered trademark
{ "Atilde", new Integer(195) }, // Ã - uppercase A, tilde { "Agrave", new Integer(192) }, // - uppercase A, grave accent
{ "Auml", new Integer(196) }, // Ä - uppercase A, umlaut { "Aacute", new Integer(193) }, // - uppercase A, acute accent
{ "Aring", new Integer(197) }, // Å - uppercase A, ring { "Acirc", new Integer(194) }, // - uppercase A, circumflex accent
{ "AElig", new Integer(198) }, // Æ - uppercase AE { "Atilde", new Integer(195) }, // - uppercase A, tilde
{ "Ccedil", new Integer(199) }, // Ç - uppercase C, cedilla { "Auml", new Integer(196) }, // - uppercase A, umlaut
{ "Egrave", new Integer(200) }, // È - uppercase E, grave accent { "Aring", new Integer(197) }, // - uppercase A, ring
{ "Eacute", new Integer(201) }, // É - uppercase E, acute accent { "AElig", new Integer(198) }, // - uppercase AE
{ "Ecirc", new Integer(202) }, // Ê - uppercase E, circumflex accent { "Ccedil", new Integer(199) }, // - uppercase C, cedilla
{ "Euml", new Integer(203) }, // Ë - uppercase E, umlaut { "Egrave", new Integer(200) }, // - uppercase E, grave accent
{ "Igrave", new Integer(204) }, // Ì - uppercase I, grave accent { "Eacute", new Integer(201) }, // - uppercase E, acute accent
{ "Iacute", new Integer(205) }, // Í - uppercase I, acute accent { "Ecirc", new Integer(202) }, // - uppercase E, circumflex accent
{ "Icirc", new Integer(206) }, // Î - uppercase I, circumflex accent { "Euml", new Integer(203) }, // - uppercase E, umlaut
{ "Iuml", new Integer(207) }, // Ï - uppercase I, umlaut { "Igrave", new Integer(204) }, // - uppercase I, grave accent
{ "ETH", new Integer(208) }, // Ð - uppercase Eth, Icelandic { "Iacute", new Integer(205) }, // - uppercase I, acute accent
{ "Ntilde", new Integer(209) }, // Ñ - uppercase N, tilde { "Icirc", new Integer(206) }, // - uppercase I, circumflex accent
{ "Ograve", new Integer(210) }, // Ò - uppercase O, grave accent { "Iuml", new Integer(207) }, // - uppercase I, umlaut
{ "Oacute", new Integer(211) }, // Ó - uppercase O, acute accent { "ETH", new Integer(208) }, // - uppercase Eth, Icelandic
{ "Ocirc", new Integer(212) }, // Ô - uppercase O, circumflex accent { "Ntilde", new Integer(209) }, // - uppercase N, tilde
{ "Otilde", new Integer(213) }, // Õ - uppercase O, tilde { "Ograve", new Integer(210) }, // - uppercase O, grave accent
{ "Ouml", new Integer(214) }, // Ö - uppercase O, umlaut { "Oacute", new Integer(211) }, // - uppercase O, acute accent
{ "Oslash", new Integer(216) }, // Ø - uppercase O, slash { "Ocirc", new Integer(212) }, // - uppercase O, circumflex accent
{ "Ugrave", new Integer(217) }, // Ù - uppercase U, grave accent { "Otilde", new Integer(213) }, // - uppercase O, tilde
{ "Uacute", new Integer(218) }, // Ú - uppercase U, acute accent { "Ouml", new Integer(214) }, // - uppercase O, umlaut
{ "Ucirc", new Integer(219) }, // Û - uppercase U, circumflex accent { "Oslash", new Integer(216) }, // - uppercase O, slash
{ "Uuml", new Integer(220) }, // Ü - uppercase U, umlaut { "Ugrave", new Integer(217) }, // - uppercase U, grave accent
{ "Yacute", new Integer(221) }, // Ý - uppercase Y, acute accent { "Uacute", new Integer(218) }, // - uppercase U, acute accent
{ "THORN", new Integer(222) }, // Þ - uppercase THORN, Icelandic { "Ucirc", new Integer(219) }, // - uppercase U, circumflex accent
{ "szlig", new Integer(223) }, // ß - lowercase sharps, German { "Uuml", new Integer(220) }, // - uppercase U, umlaut
{ "agrave", new Integer(224) }, // à - lowercase a, grave accent { "Yacute", new Integer(221) }, // - uppercase Y, acute accent
{ "aacute", new Integer(225) }, // á - lowercase a, acute accent { "THORN", new Integer(222) }, // - uppercase THORN, Icelandic
{ "acirc", new Integer(226) }, // â - lowercase a, circumflex accent { "szlig", new Integer(223) }, // - lowercase sharps, German
{ "atilde", new Integer(227) }, // ã - lowercase a, tilde { "agrave", new Integer(224) }, // - lowercase a, grave accent
{ "auml", new Integer(228) }, // ä - lowercase a, umlaut { "aacute", new Integer(225) }, // - lowercase a, acute accent
{ "aring", new Integer(229) }, // å - lowercase a, ring { "acirc", new Integer(226) }, // - lowercase a, circumflex accent
{ "aelig", new Integer(230) }, // æ - lowercase ae { "atilde", new Integer(227) }, // - lowercase a, tilde
{ "ccedil", new Integer(231) }, // ç - lowercase c, cedilla { "auml", new Integer(228) }, // - lowercase a, umlaut
{ "egrave", new Integer(232) }, // è - lowercase e, grave accent { "aring", new Integer(229) }, // - lowercase a, ring
{ "eacute", new Integer(233) }, // é - lowercase e, acute accent { "aelig", new Integer(230) }, // - lowercase ae
{ "ecirc", new Integer(234) }, // ê - lowercase e, circumflex accent { "ccedil", new Integer(231) }, // - lowercase c, cedilla
{ "euml", new Integer(235) }, // ë - lowercase e, umlaut { "egrave", new Integer(232) }, // - lowercase e, grave accent
{ "igrave", new Integer(236) }, // ì - lowercase i, grave accent { "eacute", new Integer(233) }, // - lowercase e, acute accent
{ "iacute", new Integer(237) }, // í - lowercase i, acute accent { "ecirc", new Integer(234) }, // - lowercase e, circumflex accent
{ "icirc", new Integer(238) }, // î - lowercase i, circumflex accent { "euml", new Integer(235) }, // - lowercase e, umlaut
{ "iuml", new Integer(239) }, // ï - lowercase i, umlaut { "igrave", new Integer(236) }, // - lowercase i, grave accent
{ "igrave", new Integer(236) }, // ì - lowercase i, grave accent { "iacute", new Integer(237) }, // - lowercase i, acute accent
{ "iacute", new Integer(237) }, // í - lowercase i, acute accent { "icirc", new Integer(238) }, // - lowercase i, circumflex accent
{ "icirc", new Integer(238) }, // î - lowercase i, circumflex accent { "iuml", new Integer(239) }, // - lowercase i, umlaut
{ "iuml", new Integer(239) }, // ï - lowercase i, umlaut { "igrave", new Integer(236) }, // - lowercase i, grave accent
{ "eth", new Integer(240) }, // ð - lowercase eth, Icelandic { "iacute", new Integer(237) }, // - lowercase i, acute accent
{ "ntilde", new Integer(241) }, // ñ - lowercase n, tilde { "icirc", new Integer(238) }, // - lowercase i, circumflex accent
{ "ograve", new Integer(242) }, // ò - lowercase o, grave accent { "iuml", new Integer(239) }, // - lowercase i, umlaut
{ "oacute", new Integer(243) }, // ó - lowercase o, acute accent { "eth", new Integer(240) }, // - lowercase eth, Icelandic
{ "ocirc", new Integer(244) }, // ô - lowercase o, circumflex accent { "ntilde", new Integer(241) }, // - lowercase n, tilde
{ "otilde", new Integer(245) }, // õ - lowercase o, tilde { "ograve", new Integer(242) }, // - lowercase o, grave accent
{ "ouml", new Integer(246) }, // ö - lowercase o, umlaut { "oacute", new Integer(243) }, // - lowercase o, acute accent
{ "oslash", new Integer(248) }, // ø - lowercase o, slash { "ocirc", new Integer(244) }, // - lowercase o, circumflex accent
{ "ugrave", new Integer(249) }, // ù - lowercase u, grave accent { "otilde", new Integer(245) }, // - lowercase o, tilde
{ "uacute", new Integer(250) }, // ú - lowercase u, acute accent { "ouml", new Integer(246) }, // - lowercase o, umlaut
{ "ucirc", new Integer(251) }, // û - lowercase u, circumflex accent { "oslash", new Integer(248) }, // - lowercase o, slash
{ "uuml", new Integer(252) }, // ü - lowercase u, umlaut { "ugrave", new Integer(249) }, // - lowercase u, grave accent
{ "yacute", new Integer(253) }, // ý - lowercase y, acute accent { "uacute", new Integer(250) }, // - lowercase u, acute accent
{ "thorn", new Integer(254) }, // þ - lowercase thorn, Icelandic { "ucirc", new Integer(251) }, // - lowercase u, circumflex accent
{ "yuml", new Integer(255) }, // ÿ - lowercase y, umlaut { "uuml", new Integer(252) }, // - lowercase u, umlaut
{ "euro", new Integer(8364) },// Euro symbol { "yacute", new Integer(253) }, // - lowercase y, acute accent
}; { "thorn", new Integer(254) }, // - lowercase thorn, Icelandic
{ "yuml", new Integer(255) }, // - lowercase y, umlaut
public HtmlEncoder() { "euro", new Integer(8364) },// Euro symbol
{ };
for (int i = 0; i < entities.length; i++)
e2i.put((String) entities[i][0], (Integer) entities[i][1]); /**
for (int i = 0; i < entities.length; i++) * <p>Constructor for HtmlEncoder.</p>
i2e.put((Integer) entities[i][1], (String) entities[i][0]); */
} public HtmlEncoder()
{
/** for (int i = 0; i < entities.length; i++)
* Turns funky characters into HTML entity equivalents e2i.put((String) entities[i][0], (Integer) entities[i][1]);
* <p> for (int i = 0; i < entities.length; i++)
* i2e.put((Integer) entities[i][1], (String) entities[i][0]);
* e.g. <tt>"bread" & "butter"</tt> => <tt>&amp;quot;bread&amp;quot; &amp;amp; }
* &amp;quot;butter&amp;quot;</tt> . Update: supports nearly all HTML entities, including funky
* accents. See the source code for more detail. Adapted from /**
* http://www.purpletech.com/code/src/com/purpletech/util/Utils.java. * Turns funky characters into HTML entity equivalents
* *
* @param s1 * e.g. {@code "bread" & "butter"} = {@code &amp;quot;bread&amp;quot; &amp;amp;
* Description of the Parameter * &amp;quot;butter&amp;quot;}. Update: supports nearly all HTML entities, including funky
* @return Description of the Return Value * accents. See the source code for more detail. Adapted from
*/ * http://www.purpletech.com/code/src/com/purpletech/util/Utils.java.
public static String encode(String s1) *
{ * @param s1
StringBuffer buf = new StringBuffer(); * Description of the Parameter
* @return Description of the Return Value
int i; */
for (i = 0; i < s1.length(); ++i) public static String encode(String s1)
{ {
char ch = s1.charAt(i); StringBuffer buf = new StringBuffer();
String entity = i2e.get(new Integer((int) ch)); int i;
for (i = 0; i < s1.length(); ++i)
if (entity == null) {
{ char ch = s1.charAt(i);
if (((int) ch) > 128)
{ String entity = i2e.get(new Integer((int) ch));
buf.append("&#" + ((int) ch) + ";");
} if (entity == null)
else {
{ if (((int) ch) > 128)
buf.append(ch); {
} buf.append("&#" + ((int) ch) + ";");
} }
else else
{ {
buf.append("&" + entity + ";"); buf.append(ch);
} }
} }
else
return buf.toString(); {
} buf.append("&" + entity + ";");
}
/** }
* Given a string containing entity escapes, returns a string containing the actual Unicode
* characters corresponding to the escapes. Adapted from return buf.toString();
* http://www.purpletech.com/code/src/com/purpletech/util/Utils.java. }
*
* @param s1 /**
* Description of the Parameter * Given a string containing entity escapes, returns a string containing the actual Unicode
* @return Description of the Return Value * characters corresponding to the escapes. Adapted from
*/ * http://www.purpletech.com/code/src/com/purpletech/util/Utils.java.
public static String decode(String s1) *
{ * @param s1
StringBuffer buf = new StringBuffer(); * Description of the Parameter
* @return Description of the Return Value
int i; */
for (i = 0; i < s1.length(); ++i) public static String decode(String s1)
{ {
char ch = s1.charAt(i); StringBuffer buf = new StringBuffer();
if (ch == '&') int i;
{ for (i = 0; i < s1.length(); ++i)
int semi = s1.indexOf(';', i + 1); {
if (semi == -1) char ch = s1.charAt(i);
{
buf.append(ch); if (ch == '&')
continue; {
} int semi = s1.indexOf(';', i + 1);
String entity = s1.substring(i + 1, semi); if (semi == -1)
Integer iso; {
if (entity.charAt(0) == '#') buf.append(ch);
{ continue;
iso = new Integer(entity.substring(1)); }
} String entity = s1.substring(i + 1, semi);
else Integer iso;
{ if (entity.charAt(0) == '#')
iso = e2i.get(entity); {
} iso = new Integer(entity.substring(1));
if (iso == null) }
{ else
buf.append("&" + entity + ";"); {
} iso = e2i.get(entity);
else }
{ if (iso == null)
buf.append((char) (iso.intValue())); {
} buf.append("&" + entity + ";");
i = semi; }
} else
else {
{ buf.append((char) (iso.intValue()));
buf.append(ch); }
} i = semi;
} }
else
return buf.toString(); {
} buf.append(ch);
} }
}
return buf.toString();
}
}


@ -1,143 +1,149 @@
/** /**
* *
*/ */
package org.owasp.webgoat.util; package org.owasp.webgoat.util;
import java.io.IOException; import java.io.IOException;
import java.io.BufferedReader; import java.io.BufferedReader;
import java.io.PrintWriter; import java.io.PrintWriter;
import java.io.InputStreamReader; import java.io.InputStreamReader;
import java.net.UnknownHostException; import java.net.UnknownHostException;
import java.net.Socket; import java.net.Socket;
import javax.servlet.Filter; import javax.servlet.Filter;
import javax.servlet.FilterChain; import javax.servlet.FilterChain;
import javax.servlet.FilterConfig; import javax.servlet.FilterConfig;
import javax.servlet.ServletException; import javax.servlet.ServletException;
import javax.servlet.ServletRequest; import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse; import javax.servlet.ServletResponse;
import javax.servlet.RequestDispatcher; import javax.servlet.RequestDispatcher;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
/*************************************************************************************************** /**
* *************************************************************************************************
* *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, *
* please see http://www.owasp.org/ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* * please see http://www.owasp.org/
* Copyright (c) 2002 - 20014 Bruce Mayhew *
* * Copyright (c) 2002 - 20014 Bruce Mayhew
* This program is free software; you can redistribute it and/or modify it under the terms of the *
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* License, or (at your option) any later version. * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* * License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without *
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* General Public License for more details. * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* * General Public License for more details.
* You should have received a copy of the GNU General Public License along with this program; if *
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * You should have received a copy of the GNU General Public License along with this program; if
* 02111-1307, USA. * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* * 02111-1307, USA.
* Getting Source ============== *
* * Getting Source ==============
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software *
* projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* * projects.
* For details, please see http://webgoat.github.io *
* * For details, please see http://webgoat.github.io
* @author sherif koussa - Macadamian Technologies *
* * @author sherif koussa - Macadamian Technologies
*/ * @version $Id: $Id
public class Interceptor implements Filter */
{ public class Interceptor implements Filter
{
private static final String OSG_SERVER_NAME = "OSGServerName";
private static final String OSG_SERVER_NAME = "OSGServerName";
private static final String OSG_SERVER_PORT = "OSGServerPort";
private static final String OSG_SERVER_PORT = "OSGServerPort";
/*
* (non-Javadoc) /*
* @see javax.servlet.Filter#destroy() * (non-Javadoc)
*/ * @see javax.servlet.Filter#destroy()
public void destroy() */
{ /**
// TODO Auto-generated method stub * <p>destroy.</p>
*/
} public void destroy()
{
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, // TODO Auto-generated method stub
ServletException
{ }
HttpServletRequest req = (HttpServletRequest) request; /** {@inheritDoc} */
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
Socket osgSocket = null; ServletException
PrintWriter out = null; {
BufferedReader in = null;
String osgServerName = req.getSession().getServletContext().getInitParameter(OSG_SERVER_NAME); HttpServletRequest req = (HttpServletRequest) request;
String osgServerPort = req.getSession().getServletContext().getInitParameter(OSG_SERVER_PORT);
Socket osgSocket = null;
try PrintWriter out = null;
{ BufferedReader in = null;
// If these parameters are not defined then no communication will happen with OSG String osgServerName = req.getSession().getServletContext().getInitParameter(OSG_SERVER_NAME);
if (osgServerName != null && osgServerName.length() != 0 && osgServerPort != null String osgServerPort = req.getSession().getServletContext().getInitParameter(OSG_SERVER_PORT);
&& osgServerPort.length() != 0)
{ try
osgSocket = new Socket(osgServerName, Integer.parseInt(osgServerPort)); {
if (osgSocket != null) // If these parameters are not defined then no communication will happen with OSG
{ if (osgServerName != null && osgServerName.length() != 0 && osgServerPort != null
out = new PrintWriter(osgSocket.getOutputStream(), true); && osgServerPort.length() != 0)
in = new BufferedReader(new InputStreamReader(osgSocket.getInputStream())); {
// String message = osgSocket = new Socket(osgServerName, Integer.parseInt(osgServerPort));
// "HTTPRECEIVEHTTPREQUEST,-,DataValidation_SqlInjection_Basic.aspx"; if (osgSocket != null)
// out.println(message); {
out = new PrintWriter(osgSocket.getOutputStream(), true);
// System.out.println(in.readLine()); in = new BufferedReader(new InputStreamReader(osgSocket.getInputStream()));
} // String message =
} // "HTTPRECEIVEHTTPREQUEST,-,DataValidation_SqlInjection_Basic.aspx";
// out.println(message);
} catch (UnknownHostException e)
{ // System.out.println(in.readLine());
e.printStackTrace(); }
}
} catch (IOException e)
{ } catch (UnknownHostException e)
e.printStackTrace(); {
} finally e.printStackTrace();
{
if (out != null) } catch (IOException e)
{ {
out.close(); e.printStackTrace();
} } finally
if (in != null) {
{ if (out != null)
in.close(); {
} out.close();
if (osgSocket != null) }
{ if (in != null)
osgSocket.close(); {
} in.close();
} }
if (osgSocket != null)
String url = req.getRequestURL().toString(); {
osgSocket.close();
RequestDispatcher disp = req.getRequestDispatcher(url.substring(url.lastIndexOf(req.getContextPath() + "/") }
+ req.getContextPath().length())); }
disp.forward(request, response); String url = req.getRequestURL().toString();
} RequestDispatcher disp = req.getRequestDispatcher(url.substring(url.lastIndexOf(req.getContextPath() + "/")
+ req.getContextPath().length()));
/*
* (non-Javadoc) disp.forward(request, response);
* @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
*/ }
public void init(FilterConfig arg0) throws ServletException
{ /*
// TODO Auto-generated method stub * (non-Javadoc)
* @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
} */
/** {@inheritDoc} */
} public void init(FilterConfig arg0) throws ServletException
{
// TODO Auto-generated method stub
}
}
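Review bot: `Integer.parseInt(osgServerPort)` in doFilter sits inside a try that only catches UnknownHostException and IOException, so a non-numeric OSGServerPort init parameter escapes as a NumberFormatException and fails every request instead of taking the "no communication will happen with OSG" path the comment promises; parse the port up front in its own `catch (NumberFormatException e)` that skips the OSG block, so a bad config leaves the filter fail-safe. The socket, PrintWriter and BufferedReader are released by hand in `finally`; the commit already uses Java 7 APIs elsewhere (`java.nio.file` in LabelProvider), so try-with-resources would make that cleanup unconditional and shorter. The two `e.printStackTrace()` calls go to stderr rather than the application log, which is where an operator would look for a failed OSG connection. Finally, the filter never calls `chain.doFilter` and always forwards to a path cut from `req.getRequestURL()` — if that is intentional, a comment saying so would help, because `lastIndexOf(req.getContextPath() + "/")` returning -1 there would produce a wrong substring offset.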


@ -1,41 +1,55 @@
package org.owasp.webgoat.util; package org.owasp.webgoat.util;
import java.util.Locale; import java.util.Locale;
/*************************************************************************************************** /**
* *************************************************************************************************
* *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, *
* please see http://www.owasp.org/ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* * please see http://www.owasp.org/
* Copyright (c) 2002 - 20014 Bruce Mayhew *
* * Copyright (c) 2002 - 20014 Bruce Mayhew
* This program is free software; you can redistribute it and/or modify it under the terms of the *
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* License, or (at your option) any later version. * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* * License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without *
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* General Public License for more details. * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* * General Public License for more details.
* You should have received a copy of the GNU General Public License along with this program; if *
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * You should have received a copy of the GNU General Public License along with this program; if
* 02111-1307, USA. * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* * 02111-1307, USA.
* Getting Source ============== *
* * Getting Source ==============
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for *
* free software projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for
* * free software projects.
* For details, please see http://webgoat.github.io *
*/ * For details, please see http://webgoat.github.io
public interface LabelManager *
{ * @version $Id: $Id
*/
public void setLocale(Locale locale); public interface LabelManager
{
public String get(String labelKey);
/**
} * <p>setLocale.</p>
*
* @param locale a {@link java.util.Locale} object.
*/
public void setLocale(Locale locale);
/**
* <p>get.</p>
*
* @param labelKey a {@link java.lang.String} object.
* @return a {@link java.lang.String} object.
*/
public String get(String labelKey);
}


@ -1,68 +1,81 @@
package org.owasp.webgoat.util; package org.owasp.webgoat.util;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component; import org.springframework.stereotype.Component;
import java.io.Serializable; import java.io.Serializable;
import java.util.Locale; import java.util.Locale;
/*************************************************************************************************** /**
* *************************************************************************************************
* *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, *
* please see http://www.owasp.org/ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* * please see http://www.owasp.org/
* Copyright (c) 2002 - 20014 Bruce Mayhew *
* * Copyright (c) 2002 - 20014 Bruce Mayhew
* This program is free software; you can redistribute it and/or modify it under the terms of the *
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* License, or (at your option) any later version. * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* * License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without *
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* General Public License for more details. * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* * General Public License for more details.
* You should have received a copy of the GNU General Public License along with this program; if *
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * You should have received a copy of the GNU General Public License along with this program; if
* 02111-1307, USA. * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* * 02111-1307, USA.
* Getting Source ============== *
* * Getting Source ==============
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for *
* free software projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for
* * free software projects.
* For details, please see http://webgoat.github.io *
*/ * For details, please see http://webgoat.github.io
@Component("labelManager") *
public class LabelManagerImpl implements LabelManager, Serializable * @version $Id: $Id
{ */
private static final long serialVersionUID = 1L; @Component("labelManager")
public class LabelManagerImpl implements LabelManager, Serializable
@Autowired {
private transient LabelProvider labelProvider; private static final long serialVersionUID = 1L;
/** Locale mapped with current session. */ @Autowired
private Locale locale = new Locale(LabelProvider.DEFAULT_LANGUAGE); private transient LabelProvider labelProvider;
protected LabelManagerImpl() {} /** Locale mapped with current session. */
private Locale locale = new Locale(LabelProvider.DEFAULT_LANGUAGE);
protected LabelManagerImpl(LabelProvider labelProvider) {
this.labelProvider = labelProvider; /**
} * <p>Constructor for LabelManagerImpl.</p>
*/
public void setLocale(Locale locale) protected LabelManagerImpl() {}
{
if (locale != null) /**
{ * <p>Constructor for LabelManagerImpl.</p>
this.locale = locale; *
} * @param labelProvider a {@link org.owasp.webgoat.util.LabelProvider} object.
} */
protected LabelManagerImpl(LabelProvider labelProvider) {
public String get(String labelKey) this.labelProvider = labelProvider;
{ }
return labelProvider.get(locale, labelKey);
} /** {@inheritDoc} */
public void setLocale(Locale locale)
} {
if (locale != null)
{
this.locale = locale;
}
}
/** {@inheritDoc} */
public String get(String labelKey)
{
return labelProvider.get(locale, labelKey);
}
}
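Review bot: `labelProvider` is `transient` on a class that implements `Serializable` and is described as "mapped with current session", so if the container ever serializes and restores a session the field comes back null and `get` throws a NullPointerException at `labelProvider.get(locale, labelKey)`; the Javadoc added here documents neither that constraint nor that the no-arg constructor relies on Spring injection to populate the field. Either re-resolve the provider after deserialization or state the limitation on the field, e.g. `/** Not serialized; an instance restored from a session must have this re-injected before get() is called. */`. Whether sessions are persisted here is not visible in this commit, so treat the NPE as a latent rather than confirmed failure.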


@ -1,100 +1,123 @@
package org.owasp.webgoat.util; package org.owasp.webgoat.util;
import org.springframework.context.support.ReloadableResourceBundleMessageSource; import org.springframework.context.support.ReloadableResourceBundleMessageSource;
import org.springframework.core.io.Resource; import org.springframework.core.io.Resource;
import org.springframework.core.io.ResourceLoader; import org.springframework.core.io.ResourceLoader;
import org.springframework.core.io.UrlResource; import org.springframework.core.io.UrlResource;
import org.springframework.stereotype.Component; import org.springframework.stereotype.Component;
import org.springframework.util.DefaultPropertiesPersister; import org.springframework.util.DefaultPropertiesPersister;
import javax.inject.Singleton; import javax.inject.Singleton;
import java.net.MalformedURLException; import java.net.MalformedURLException;
import java.nio.file.Path; import java.nio.file.Path;
import java.util.Arrays; import java.util.Arrays;
import java.util.List; import java.util.List;
import java.util.Locale; import java.util.Locale;
/** /**
* ************************************************************************************************ * *************************************************************************************************
* <p> *
* <p> *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, * This file is part of WebGoat, an Open Web Application Security Project
* please see http://www.owasp.org/ * utility. For details, please see http://www.owasp.org/
* <p> *
* Copyright (c) 2002 - 20014 Bruce Mayhew * Copyright (c) 2002 - 20014 Bruce Mayhew
* <p> *
* This program is free software; you can redistribute it and/or modify it under the terms of the * This program is free software; you can redistribute it and/or modify it under
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * the terms of the GNU General Public License as published by the Free Software
* License, or (at your option) any later version. * Foundation; either version 2 of the License, or (at your option) any later
* <p> * version.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without *
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * This program is distributed in the hope that it will be useful, but WITHOUT
* General Public License for more details. * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* <p> * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* You should have received a copy of the GNU General Public License along with this program; if * details.
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA *
* 02111-1307, USA. * You should have received a copy of the GNU General Public License along with
* <p> * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Getting Source ============== * Place - Suite 330, Boston, MA 02111-1307, USA.
* <p> *
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for * Getting Source ==============
* free software projects. *
* <p> * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* For details, please see http://webgoat.github.io * for free software projects.
*/ *
@Component * For details, please see http://webgoat.github.io
@Singleton *
public class LabelProvider { * @version $Id: $Id
public final static String DEFAULT_LANGUAGE = Locale.ENGLISH.getLanguage(); */
@Component
private static final List<Locale> SUPPORTED = Arrays.asList(Locale.GERMAN, Locale.FRENCH, Locale.ENGLISH, @Singleton
Locale.forLanguageTag("ru")); public class LabelProvider {
private final ReloadableResourceBundleMessageSource labels = new ReloadableResourceBundleMessageSource(); /** Constant <code>DEFAULT_LANGUAGE="Locale.ENGLISH.getLanguage()"</code> */
private static final ReloadableResourceBundleMessageSource pluginLabels = new ReloadableResourceBundleMessageSource(); public final static String DEFAULT_LANGUAGE = Locale.ENGLISH.getLanguage();
public LabelProvider() { private static final List<Locale> SUPPORTED = Arrays.asList(Locale.GERMAN, Locale.FRENCH, Locale.ENGLISH,
labels.setBasename("classpath:/i18n/WebGoatLabels"); Locale.forLanguageTag("ru"));
labels.setFallbackToSystemLocale(false); private final ReloadableResourceBundleMessageSource labels = new ReloadableResourceBundleMessageSource();
labels.setUseCodeAsDefaultMessage(true); private static final ReloadableResourceBundleMessageSource pluginLabels = new ReloadableResourceBundleMessageSource();
pluginLabels.setParentMessageSource(labels);
pluginLabels.setPropertiesPersister(new DefaultPropertiesPersister() { /**
* <p>Constructor for LabelProvider.</p>
}); */
} public LabelProvider() {
labels.setBasename("classpath:/i18n/WebGoatLabels");
public static void updatePluginResources(final Path propertyFile) { labels.setFallbackToSystemLocale(false);
pluginLabels.setBasename("WebGoatLabels"); labels.setUseCodeAsDefaultMessage(true);
pluginLabels.setFallbackToSystemLocale(false); pluginLabels.setParentMessageSource(labels);
pluginLabels.setUseCodeAsDefaultMessage(true); pluginLabels.setPropertiesPersister(new DefaultPropertiesPersister() {
pluginLabels.setResourceLoader(new ResourceLoader() {
@Override });
public Resource getResource(String location) { }
try {
return new UrlResource(propertyFile.toUri()); /**
} catch (MalformedURLException e) { * <p>updatePluginResources.</p>
throw new RuntimeException(e); *
} * @param propertyFile a {@link java.nio.file.Path} object.
} */
public static void updatePluginResources(final Path propertyFile) {
@Override pluginLabels.setBasename("WebGoatLabels");
public ClassLoader getClassLoader() { pluginLabels.setFallbackToSystemLocale(false);
return Thread.currentThread().getContextClassLoader(); pluginLabels.setUseCodeAsDefaultMessage(true);
} pluginLabels.setResourceLoader(new ResourceLoader() {
}); @Override
} public Resource getResource(String location) {
try {
public static void refresh() { return new UrlResource(propertyFile.toUri());
pluginLabels.clearCache(); } catch (MalformedURLException e) {
} throw new RuntimeException(e);
}
public String get(Locale locale, String strName) { }
return pluginLabels.getMessage(strName, null, useLocaleOrFallbackToEnglish(locale));
} @Override
public ClassLoader getClassLoader() {
private Locale useLocaleOrFallbackToEnglish(Locale locale) { return Thread.currentThread().getContextClassLoader();
return SUPPORTED.contains(locale) ? Locale.ENGLISH : locale; }
} });
}
}
/**
* <p>refresh.</p>
*/
public static void refresh() {
pluginLabels.clearCache();
}
/**
* <p>get.</p>
*
* @param locale a {@link java.util.Locale} object.
* @param strName a {@link java.lang.String} object.
* @return a {@link java.lang.String} object.
*/
public String get(Locale locale, String strName) {
return pluginLabels.getMessage(strName, null, useLocaleOrFallbackToEnglish(locale));
}
private Locale useLocaleOrFallbackToEnglish(Locale locale) {
return SUPPORTED.contains(locale) ? Locale.ENGLISH : locale;
}
}
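Review bot: `useLocaleOrFallbackToEnglish` returns the opposite of what its name says: `SUPPORTED.contains(locale) ? Locale.ENGLISH : locale` hands English to every supported locale (German, French, Russian) and passes unsupported locales straight through to `getMessage`, so the translated bundles are presumably never served and an unknown locale resolves to whatever the base bundle gives (with `setFallbackToSystemLocale(false)`). The intended line is `return SUPPORTED.contains(locale) ? locale : Locale.ENGLISH;`. Separately, `pluginLabels` is a static shared across all instances and `updatePluginResources` swaps its resource loader from a caller-supplied Path with no synchronization, while `refresh` only clears the cache; a class comment stating who may call these and when, and that they are not thread-safe, would save the next reader from guessing.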


@ -1,103 +1,105 @@
package org.owasp.webgoat.util; package org.owasp.webgoat.util;
import java.util.BitSet; import java.util.BitSet;
/*************************************************************************************************** /**
* *************************************************************************************************
* *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, *
* please see http://www.owasp.org/ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* * please see http://www.owasp.org/
* Copyright (c) 2002 - 20014 Bruce Mayhew *
* * Copyright (c) 2002 - 20014 Bruce Mayhew
* This program is free software; you can redistribute it and/or modify it under the terms of the *
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * This program is free software; you can redistribute it and/or modify it under the terms of the
* License, or (at your option) any later version. * GNU General Public License as published by the Free Software Foundation; either version 2 of the
* * License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without *
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* General Public License for more details. * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* * General Public License for more details.
* You should have received a copy of the GNU General Public License along with this program; if *
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * You should have received a copy of the GNU General Public License along with this program; if
* 02111-1307, USA. * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* * 02111-1307, USA.
* Getting Source ============== *
* * Getting Source ==============
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software *
* projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* * projects.
* For details, please see http://webgoat.github.io *
* * For details, please see http://webgoat.github.io
* @author jwilliams@aspectsecurity.com *
* @created November 6, 2002 * @author jwilliams@aspectsecurity.com
*/ * @since November 6, 2002
public class ThreadWatcher implements Runnable * @version $Id: $Id
{ */
public class ThreadWatcher implements Runnable
// time to live in milliseconds {
private BitSet myInterrupted;
// time to live in milliseconds
private Process myProcess; private BitSet myInterrupted;
private int myTimeout; private Process myProcess;
/** private int myTimeout;
* Constructor for the ThreadWatcher object
* /**
* @param p * Constructor for the ThreadWatcher object
* Description of the Parameter *
* @param interrupted * @param p
* Description of the Parameter * Description of the Parameter
* @param timeout * @param interrupted
* Description of the Parameter * Description of the Parameter
*/ * @param timeout
public ThreadWatcher(Process p, BitSet interrupted, int timeout) * Description of the Parameter
{ */
myProcess = p; public ThreadWatcher(Process p, BitSet interrupted, int timeout)
{
// thread used by whoever constructed this watcher myProcess = p;
myTimeout = timeout;
myInterrupted = interrupted; // thread used by whoever constructed this watcher
} myTimeout = timeout;
myInterrupted = interrupted;
/* }
* Interrupt the thread by marking the interrupted bit and killing the process
*/ /*
* Interrupt the thread by marking the interrupted bit and killing the process
/** */
* Description of the Method
*/ /**
public void interrupt() * Description of the Method
{ */
myInterrupted.set(0); public void interrupt()
{
// set interrupted bit (bit 0 of the bitset) to 1 myInterrupted.set(0);
myProcess.destroy();
// set interrupted bit (bit 0 of the bitset) to 1
/* myProcess.destroy();
* try { myProcess.getInputStream().close(); } catch( IOException e1 ) { / do nothing --
* input streams are probably already closed } try { myProcess.getErrorStream().close(); } /*
* catch( IOException e2 ) { / do nothing -- input streams are probably already closed } * try { myProcess.getInputStream().close(); } catch( IOException e1 ) { / do nothing --
* myThread.interrupt(); * input streams are probably already closed } try { myProcess.getErrorStream().close(); }
*/ * catch( IOException e2 ) { / do nothing -- input streams are probably already closed }
} * myThread.interrupt();
*/
/** }
* Main processing method for the ThreadWatcher object
*/ /**
public void run() * Main processing method for the ThreadWatcher object
{ */
try public void run()
{ {
Thread.sleep(myTimeout); try
} catch (InterruptedException e) {
{ Thread.sleep(myTimeout);
// do nothing -- if watcher is interrupted, so is thread } catch (InterruptedException e)
} {
// do nothing -- if watcher is interrupted, so is thread
interrupt(); }
}
} interrupt();
}
}
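Review bot: The `catch (InterruptedException e)` in `run` swallows the interrupt without restoring the thread's interrupt status, and control then falls through to `interrupt()` regardless, so an interrupted watcher still calls `myProcess.destroy()` — the comment "if watcher is interrupted, so is thread" describes an intent the code does not implement. If cancelling the watcher must not kill the process, add `Thread.currentThread().interrupt(); return;` in the catch block; if it should, rewrite the comment to say the process is destroyed either way. `myInterrupted.set(0)` also writes a plain `BitSet` that another thread presumably reads, and nothing here establishes visibility of that write, so the constructor Javadoc should state that the caller owns synchronization of the `interrupted` bit set.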


@ -1,66 +1,92 @@
package org.owasp.webgoat.util; package org.owasp.webgoat.util;
import java.util.HashMap; import java.util.HashMap;
import java.util.Locale; import java.util.Locale;
import java.util.ResourceBundle; import java.util.ResourceBundle;
import org.owasp.webgoat.session.WebgoatContext; import org.owasp.webgoat.session.WebgoatContext;
@Deprecated @Deprecated
public class WebGoatI18N /**
{ * <p>WebGoatI18N class.</p>
*
private static HashMap<Locale, ResourceBundle> labels = new HashMap<Locale, ResourceBundle>(); * @version $Id: $Id
private static Locale currentLocale; */
private static WebGoatResourceBundleController localeController; public class WebGoatI18N
{
public WebGoatI18N(WebgoatContext context)
{ private static HashMap<Locale, ResourceBundle> labels = new HashMap<Locale, ResourceBundle>();
currentLocale = new Locale(context.getDefaultLanguage()); private static Locale currentLocale;
localeController = new WebGoatResourceBundleController(currentLocale); private static WebGoatResourceBundleController localeController;
}
/**
@Deprecated * <p>Constructor for WebGoatI18N.</p>
public static void loadLanguage(String language) *
{ * @param context a {@link org.owasp.webgoat.session.WebgoatContext} object.
// Do nothing */
} public WebGoatI18N(WebgoatContext context)
{
public static void setCurrentLocale(Locale locale) currentLocale = new Locale(context.getDefaultLanguage());
{ localeController = new WebGoatResourceBundleController(currentLocale);
if (!currentLocale.equals(locale)) }
{
if (!labels.containsKey(locale)) /**
{ * <p>loadLanguage.</p>
ResourceBundle resBundle = ResourceBundle.getBundle("WebGoatLabels", locale, localeController); *
labels.put(locale, resBundle); * @param language a {@link java.lang.String} object.
} */
WebGoatI18N.currentLocale = locale; @Deprecated
} public static void loadLanguage(String language)
} {
// Do nothing
public static String get(String strName) }
{
return labels.get(WebGoatI18N.currentLocale).getString(strName); /**
} * <p>Setter for the field <code>currentLocale</code>.</p>
*
private static class WebGoatResourceBundleController extends ResourceBundle.Control * @param locale a {@link java.util.Locale} object.
{ */
private Locale fallbackLocale; public static void setCurrentLocale(Locale locale)
{
public WebGoatResourceBundleController(Locale l) if (!currentLocale.equals(locale))
{ {
fallbackLocale = l; if (!labels.containsKey(locale))
} {
ResourceBundle resBundle = ResourceBundle.getBundle("WebGoatLabels", locale, localeController);
@Override labels.put(locale, resBundle);
public Locale getFallbackLocale(String baseName, Locale locale) }
{ WebGoatI18N.currentLocale = locale;
if(! fallbackLocale.equals(locale)) { }
return fallbackLocale; }
}
return Locale.ROOT; /**
} * <p>get.</p>
} *
* @param strName a {@link java.lang.String} object.
} * @return a {@link java.lang.String} object.
*/
public static String get(String strName)
{
return labels.get(WebGoatI18N.currentLocale).getString(strName);
}
private static class WebGoatResourceBundleController extends ResourceBundle.Control
{
private Locale fallbackLocale;
public WebGoatResourceBundleController(Locale l)
{
fallbackLocale = l;
}
@Override
public Locale getFallbackLocale(String baseName, Locale locale)
{
if(! fallbackLocale.equals(locale)) {
return fallbackLocale;
}
return Locale.ROOT;
}
}
}
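Review bot: The new class Javadoc on `WebGoatI18N` is placed between the `@Deprecated` annotation and the `public class` line and contains no `@deprecated` tag, so a reader still cannot tell why the class is deprecated or what replaces it; the generated text (`<p>WebGoatI18N class.</p>`, `@version $Id: $Id`) adds nothing a maintainer needs. Move the comment above the annotation and give it a summary sentence plus `@deprecated`, naming the replacement (the page does not show which class supersedes it, so confirm before writing it down). The same applies to `loadLanguage`: its Javadoc `<p>loadLanguage.</p>` should state that the method is intentionally a no-op and that the language now appears to come from `WebgoatContext` in the constructor, e.g. `@deprecated No-op kept for source compatibility; the locale is taken from {@link WebgoatContext#getDefaultLanguage()}.` The static mutable `labels`/`currentLocale` fields are pre-existing and untouched here, but the class doc would be the right place to note that they are shared across all users.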


@ -0,0 +1,7 @@
#General
LessonCompleted=Congratulations. You have successfully completed this lesson.
RestartLesson=Restart this Lesson
SolutionVideos=Solution Videos
ErrorGenerating=Error generating
InvalidData=Invalid Data
Go!=Go!


@ -55,10 +55,11 @@ public class WebGoatIT implements SauceOnDemandSessionIdProvider {
@Rule @Rule
public SauceOnDemandTestWatcher resultReportingTestWatcher = new SauceOnDemandTestWatcher(this, authentication); public SauceOnDemandTestWatcher resultReportingTestWatcher = new SauceOnDemandTestWatcher(this, authentication);
@Rule public TestName name = new TestName() { @Rule
public TestName name = new TestName() {
public String getMethodName() { public String getMethodName() {
return String.format("%s : (%s %s %s)", super.getMethodName(), os, browser, version); return String.format("%s : (%s %s %s)", super.getMethodName(), os, browser, version);
}; }
}; };
/** /**
@ -120,8 +121,8 @@ public class WebGoatIT implements SauceOnDemandSessionIdProvider {
public static LinkedList browsersStrings() { public static LinkedList browsersStrings() {
LinkedList browsers = new LinkedList(); LinkedList browsers = new LinkedList();
// windows 7, Chrome 41 // windows 7, Chrome 45
browsers.add(new String[]{"Windows 7", "41", "chrome", null, null}); browsers.add(new String[]{"Windows 7", "45", "chrome", null, null});
// windows 7, IE 9 // windows 7, IE 9
//browsers.add(new String[]{"Windows 7", "9", "internet explorer", null, null}); //browsers.add(new String[]{"Windows 7", "9", "internet explorer", null, null});
@ -132,14 +133,20 @@ public class WebGoatIT implements SauceOnDemandSessionIdProvider {
// windows 8.1, IE 11 // windows 8.1, IE 11
//browsers.add(new String[]{"Windows 8.1", "11", "internet explorer", null, null}); //browsers.add(new String[]{"Windows 8.1", "11", "internet explorer", null, null});
// windows 10, Microsoft Edge Browser
//browsers.add(new String[]{"Windows 10", "20.10240", "microsoftedge", null, null});
// OS X 10.9, Safari 7 // OS X 10.9, Safari 7
//browsers.add(new String[]{"OSX 10.9", "7", "safari", null, null}); //browsers.add(new String[]{"OSX 10.9", "7", "safari", null, null});
// OS X 10.10, Safari 7 // OS X 10.10, Safari
//browsers.add(new String[]{"OSX 10.10", "8", "safari", null, null}); //browsers.add(new String[]{"OSX 10.10", "8", "safari", null, null});
// OS X 10.11, Safari
//browsers.add(new String[]{"OSX 10.11", "8.1", "safari", null, null});
// Linux, Firefox 37 // Linux, Firefox 37
//browsers.add(new String[]{"Linux", "37", "firefox", null, null}); browsers.add(new String[]{"Linux", "37", "firefox", null, null});
return browsers; return browsers;
} }
@ -160,6 +167,11 @@ public class WebGoatIT implements SauceOnDemandSessionIdProvider {
if (deviceName != null) capabilities.setCapability("deviceName", deviceName); if (deviceName != null) capabilities.setCapability("deviceName", deviceName);
if (deviceOrientation != null) capabilities.setCapability("device-orientation", deviceOrientation); if (deviceOrientation != null) capabilities.setCapability("device-orientation", deviceOrientation);
// Additional settings to help debugging and improve job perf
capabilities.setCapability("public", "share");
capabilities.setCapability("wwebdriverRemoteQuietExceptions", false);
capabilities.setCapability("captureHtml", true);
if ( System.getenv("CI") != null && System.getenv("TRAVIS").equals("true")) { if ( System.getenv("CI") != null && System.getenv("TRAVIS").equals("true")) {
capabilities.setCapability("tunnelIdentifier", System.getenv("TRAVIS_JOB_NUMBER")); capabilities.setCapability("tunnelIdentifier", System.getenv("TRAVIS_JOB_NUMBER"));
capabilities.setCapability("tags", System.getenv("TRAVIS_PULL_REQUEST")); capabilities.setCapability("tags", System.getenv("TRAVIS_PULL_REQUEST"));
@ -184,17 +196,18 @@ public class WebGoatIT implements SauceOnDemandSessionIdProvider {
public void doLoginWebgoatUser() { public void doLoginWebgoatUser() {
driver.get(baseWebGoatUrl + "/login.mvc"); driver.get(baseWebGoatUrl + "/login.mvc");
driver.navigate().refresh();
WebDriverWait wait = new WebDriverWait(driver, 10); // wait for a maximum of 5 seconds WebDriverWait wait = new WebDriverWait(driver, 15); // wait for a maximum of 15 seconds
wait.until(ExpectedConditions.presenceOfElementLocated(By.id("exampleInputEmail1"))); wait.until(ExpectedConditions.presenceOfElementLocated(By.id("exampleInputEmail1")));
wait.until(ExpectedConditions.presenceOfElementLocated(By.id("exampleInputPassword1"))); wait.until(ExpectedConditions.presenceOfElementLocated(By.id("exampleInputPassword1")));
WebElement usernameElement = driver.findElement(By.name("username")); WebElement usernameElement = driver.findElement(By.name("username"));
WebElement passwordElement = driver.findElement(By.name("password")); WebElement passwordElement = driver.findElement(By.name("password"));
usernameElement.sendKeys(loginUser); usernameElement.sendKeys(loginUser);
passwordElement.sendKeys(loginPassword); passwordElement.sendKeys(loginPassword);
passwordElement.submit(); passwordElement.submit();
driver.get(baseWebGoatUrl + "/start.mvc");
} }
/** /**
@ -204,7 +217,7 @@ public class WebGoatIT implements SauceOnDemandSessionIdProvider {
@Test @Test
public void verifyWebGoatLoginPage() throws Exception { public void verifyWebGoatLoginPage() throws Exception {
driver.get(baseWebGoatUrl + "/login.mvc"); driver.get(baseWebGoatUrl + "/login.mvc");
WebDriverWait wait = new WebDriverWait(driver, 10); // wait for a maximum of 5 seconds WebDriverWait wait = new WebDriverWait(driver, 15); // wait for a maximum of 15 seconds
wait.until(ExpectedConditions.presenceOfElementLocated(By.id("exampleInputEmail1"))); wait.until(ExpectedConditions.presenceOfElementLocated(By.id("exampleInputEmail1")));
wait.until(ExpectedConditions.presenceOfElementLocated(By.id("exampleInputPassword1"))); wait.until(ExpectedConditions.presenceOfElementLocated(By.id("exampleInputPassword1")));
@ -222,7 +235,7 @@ public class WebGoatIT implements SauceOnDemandSessionIdProvider {
driver.get(baseWebGoatUrl + "/start.mvc"); driver.get(baseWebGoatUrl + "/start.mvc");
WebDriverWait wait = new WebDriverWait(driver, 10); // wait for a maximum of 5 seconds WebDriverWait wait = new WebDriverWait(driver, 15); // wait for a maximum of 15 seconds
wait.until(ExpectedConditions.presenceOfElementLocated(By.name("username"))); wait.until(ExpectedConditions.presenceOfElementLocated(By.name("username")));
wait.until(ExpectedConditions.presenceOfElementLocated(By.name("password"))); wait.until(ExpectedConditions.presenceOfElementLocated(By.name("password")));
} }
@ -232,7 +245,10 @@ public class WebGoatIT implements SauceOnDemandSessionIdProvider {
doLoginWebgoatUser(); doLoginWebgoatUser();
assertTrue("user: webgoat is not in the page source", driver.getPageSource().contains("User: webgoat")); driver.get(baseWebGoatUrl + "/start.mvc");
String pageSource = driver.getPageSource();
assertTrue("user: webgoat is not in the page source", pageSource.contains("Role: webgoat_admin"));
WebElement cookieParameters = driver.findElement(By.id("cookies-and-params")); WebElement cookieParameters = driver.findElement(By.id("cookies-and-params"));
assertNotNull("element id=cookieParameters should be displayed to user upon successful login", cookieParameters); assertNotNull("element id=cookieParameters should be displayed to user upon successful login", cookieParameters);
} }
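Review bot: The capability key `"wwebdriverRemoteQuietExceptions"` added in the `-160` hunk is misspelled (double `w`), so the remote provider will silently ignore it and the setting has no effect; it should read `capabilities.setCapability("webdriverRemoteQuietExceptions", false);`. In the same hunk, `capabilities.setCapability("public", "share")` together with `captureHtml` makes the job's video, screenshots and captured page HTML viewable by anyone holding the link, which includes the login flow driven by `doLoginWebgoatUser`; that is acceptable only if `loginUser`/`loginPassword` are the default training credentials, so add a comment stating that assumption or restrict sharing when real credentials are used. The existing `System.getenv("TRAVIS").equals("true")` on the next line is pre-existing, but note it throws NPE when `CI` is set and `TRAVIS` is not. Separately, in the last hunk the assertion message `"user: webgoat is not in the page source"` no longer matches the checked text `"Role: webgoat_admin"`; update the message accordingly. The enclosing test class continues outside the visible hunks.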