diff --git a/java/org/owasp/webgoat/HammerHead.java b/java/org/owasp/webgoat/HammerHead.java
index e302c34c3..40f263244 100644
--- a/java/org/owasp/webgoat/HammerHead.java
+++ b/java/org/owasp/webgoat/HammerHead.java
@@ -1,482 +1,430 @@
-
-package org.owasp.webgoat;
-
-import java.io.IOException;
-import java.io.PrintWriter;
-import java.text.SimpleDateFormat;
-import java.util.Date;
-import java.util.Locale;
-import java.util.TimeZone;
-import javax.servlet.ServletContext;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
-import org.owasp.webgoat.lessons.AbstractLesson;
-import org.owasp.webgoat.lessons.WelcomeScreen;
-import org.owasp.webgoat.lessons.admin.WelcomeAdminScreen;
-import org.owasp.webgoat.session.Course;
-import org.owasp.webgoat.session.ErrorScreen;
-import org.owasp.webgoat.session.Screen;
-import org.owasp.webgoat.session.UserTracker;
-import org.owasp.webgoat.session.WebSession;
-import org.owasp.webgoat.session.WebgoatContext;
-
-
-/***************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 2007 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at code.google.com, a repository for free software
- * projects.
- *
- * For details, please see http://code.google.com/p/webgoat/
- *
- *
- * @author Jeff Williams Aspect Security
- * @author Bruce Mayhew WebGoat
- * @created October 28, 2003
- */
-public class HammerHead extends HttpServlet
-{
-
- private static final String WELCOMED = "welcomed";
-
- /**
- *
- */
- private static final long serialVersionUID = 645640331343188020L;
-
- /**
- * Description of the Field
- */
- protected static SimpleDateFormat httpDateFormat;
-
- /**
- * Set the session timeout to be 2 days
- */
- private final static int sessionTimeoutSeconds = 60 * 60 * 24 * 2;
-
- // private final static int sessionTimeoutSeconds = 1;
-
- /**
- * Properties file path
- */
- public static String propertiesPath = null;
-
- /**
- * provides convenience methods for getting setup information from the ServletContext
- */
- private WebgoatContext webgoatContext = null;
-
- /**
- * Description of the Method
- *
- * @param request
- * Description of the Parameter
- * @param response
- * Description of the Parameter
- * @exception IOException
- * Description of the Exception
- * @exception ServletException
- * Description of the Exception
- */
- public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException
- {
- doPost(request, response);
- }
-
- /**
- * Description of the Method
- *
- * @param request
- * Description of the Parameter
- * @param response
- * Description of the Parameter
- * @exception IOException
- * Description of the Exception
- * @exception ServletException
- * Description of the Exception
- */
- public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException
- {
- Screen screen = null;
-
- WebSession mySession = null;
- try
- {
- // System.out.println( "HH Entering doPost: " );
- // System.out.println( " - HH request " + request);
- // System.out.println( " - HH principle: " +
- // request.getUserPrincipal() );
- // setCacheHeaders(response, 0);
- ServletContext context = getServletContext();
-
- // FIXME: If a response is written by updateSession(), do not
- // call makeScreen() and writeScreen()
- mySession = updateSession(request, response, context);
- if (response.isCommitted()) return;
-
- // Note: For the lesson to track the status, we need to update
- // the lesson tracker object
- // from the screen.createContent() method. The create content is
- // the only point
- // where the lesson "knows" what has happened. To track it at a
- // latter point would
- // require the lesson to have memory.
- screen = makeScreen(mySession); // This calls the lesson's
- // handleRequest()
- if (response.isCommitted()) return;
-
- // perform lesson-specific tracking activities
- if (screen instanceof AbstractLesson)
- {
- AbstractLesson lesson = (AbstractLesson) screen;
-
- // we do not count the initial display of the lesson screen as a visit
- if ("GET".equals(request.getMethod()))
- {
- String uri = request.getRequestURI() + "?" + request.getQueryString();
- if (!uri.endsWith(lesson.getLink())) screen.getLessonTracker(mySession).incrementNumVisits();
- }
- else if ("POST".equals(request.getMethod())
- && mySession.getPreviousScreen() == mySession.getCurrentScreen())
- {
- screen.getLessonTracker(mySession).incrementNumVisits();
- }
- }
-
- // log the access to this screen for this user
- UserTracker userTracker = UserTracker.instance();
- userTracker.update(mySession, screen);
- log(request, screen.getClass().getName() + " | " + mySession.getParser().toString());
-
- // Redirect the request to our View servlet
- String userAgent = request.getHeader("user-agent");
- String clientBrowser = "Not known!";
- if (userAgent != null)
- {
- clientBrowser = userAgent;
- }
- request.setAttribute("client.browser", clientBrowser);
- request.getSession().setAttribute("websession", mySession);
- request.getSession().setAttribute("course", mySession.getCourse());
-
- request.getRequestDispatcher(getViewPage(mySession)).forward(request, response);
- } catch (Throwable t)
- {
- t.printStackTrace();
- log("ERROR: " + t);
- screen = new ErrorScreen(mySession, t);
- } finally
- {
- try
- {
- this.writeScreen(mySession, screen, response);
- } catch (Throwable thr)
- {
- thr.printStackTrace();
- log(request, "Could not write error screen: " + thr.getMessage());
- }
- WebSession.returnConnection(mySession);
- // System.out.println( "HH Leaving doPost: " );
- }
- }
-
- private String getViewPage(WebSession webSession)
- {
- String page;
-
- // If this session has not seen the landing page yet, go there instead.
- HttpSession session = webSession.getRequest().getSession();
- if (session.getAttribute(WELCOMED) == null)
- {
- session.setAttribute(WELCOMED, "true");
- page = "/webgoat.jsp";
- }
- else
- page = "/main.jsp";
-
- return page;
- }
-
- /**
- * Description of the Method
- *
- * @param date
- * Description of the Parameter
- * @return RFC 1123 http date format
- */
- protected static String formatHttpDate(Date date)
- {
- synchronized (httpDateFormat)
- {
- return httpDateFormat.format(date);
- }
- }
-
- /**
- * Return information about this servlet
- *
- * @return The servletInfo value
- */
- public String getServletInfo()
- {
- return "WebGoat is sponsored by Aspect Security.";
- }
-
- /**
- * Return properties path
- *
- * @return servlet context path + WEB_INF
- */
- public void init() throws ServletException
- {
- httpDateFormat = new SimpleDateFormat("EEE, dd MMM yyyyy HH:mm:ss z", Locale.US);
- httpDateFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
- propertiesPath = getServletContext().getRealPath("./WEB-INF/webgoat.properties");
- webgoatContext = new WebgoatContext(this);
- }
-
- /**
- * Description of the Method
- *
- * @param request
- * Description of the Parameter
- * @param message
- * Description of the Parameter
- */
- public void log(HttpServletRequest request, String message)
- {
- String output = new Date() + " | " + request.getRemoteHost() + ":" + request.getRemoteAddr() + " | " + message;
- log(output);
- System.out.println(output);
- }
-
- /*
- * public List getLessons(Category category, String role) { Course course =
- * mySession.getCourse(); // May need to clone the List before returning it. //return new
- * ArrayList(course.getLessons(category, role)); return course.getLessons(category, role); }
- */
-
- /**
- * Description of the Method
- *
- * @param s
- * Description of the Parameter
- * @return Description of the Return Value
- */
- protected Screen makeScreen(WebSession s)
- {
- Screen screen = null;
- int scr = s.getCurrentScreen();
- Course course = s.getCourse();
-
- if (s.isUser() || s.isChallenge())
- {
- if (scr == WebSession.WELCOME)
- {
- screen = new WelcomeScreen(s);
- }
- else
- {
- AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
- if (lesson == null && s.isHackedAdmin())
- {
- // If admin was hacked, let the user see some of the
- // admin screens
- lesson = course.getLesson(s, scr, AbstractLesson.HACKED_ADMIN_ROLE);
- }
-
- if (lesson != null)
- {
- screen = lesson;
-
- // We need to do some bookkeeping for the hackable admin
- // interface.
- // This is the only place we can tell if the user
- // successfully hacked the hackable
- // admin and has actually accessed an admin screen. You
- // need BOTH pieces of information
- // in order to satisfy the remote admin lesson.
-
- s.setHasHackableAdmin(screen.getRole());
-
- lesson.handleRequest(s);
- s.setCurrentMenu(lesson.getCategory().getRanking());
- }
- else
- {
- screen = new ErrorScreen(s, "Invalid screen requested. Try: http://localhost/WebGoat/attack");
- }
- }
- }
- else if (s.isAdmin())
- {
- if (scr == WebSession.WELCOME)
- {
- screen = new WelcomeAdminScreen(s);
- }
- else
- {
- // Admin can see all roles.
- // FIXME: should be able to pass a list of roles.
- AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.ADMIN_ROLE);
- if (lesson == null)
- {
- lesson = course.getLesson(s, scr, AbstractLesson.HACKED_ADMIN_ROLE);
- }
- if (lesson == null)
- {
- lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
- }
-
- if (lesson != null)
- {
- screen = lesson;
-
- // We need to do some bookkeeping for the hackable admin
- // interface.
- // This is the only place we can tell if the user
- // successfully hacked the hackable
- // admin and has actually accessed an admin screen. You
- // need BOTH pieces of information
- // in order to satisfy the remote admin lesson.
-
- s.setHasHackableAdmin(screen.getRole());
-
- lesson.handleRequest(s);
- s.setCurrentMenu(lesson.getCategory().getRanking());
- }
- else
- {
- screen = new ErrorScreen(s,
- "Invalid screen requested. Try Setting Admin to false or Try: http://localhost/WebGoat/attack");
- }
- }
- }
-
- return (screen);
- }
-
- /**
- * This method sets the required expiration headers in the response for a given RunData object.
- * This method attempts to set all relevant headers, both for HTTP 1.0 and HTTP 1.1.
- *
- * @param response
- * The new cacheHeaders value
- * @param expiry
- * The new cacheHeaders value
- */
- protected static void setCacheHeaders(HttpServletResponse response, int expiry)
- {
- if (expiry == 0)
- {
- response.setHeader("Pragma", "no-cache");
- response.setHeader("Cache-Control", "no-cache");
- response.setHeader("Expires", formatHttpDate(new Date()));
- }
- else
- {
- Date expiryDate = new Date(System.currentTimeMillis() + expiry);
- response.setHeader("Expires", formatHttpDate(expiryDate));
- }
- }
-
- /**
- * Description of the Method
- *
- * @param request
- * Description of the Parameter
- * @param response
- * Description of the Parameter
- * @param context
- * Description of the Parameter
- * @return Description of the Return Value
- */
- protected WebSession updateSession(HttpServletRequest request, HttpServletResponse response, ServletContext context)
- throws IOException
- {
- HttpSession hs;
- hs = request.getSession(true);
-
- // System.out.println( "HH Entering Session_id: " + hs.getId() );
- // dumpSession( hs );
- // Get our session object out of the HTTP session
- WebSession session = null;
- Object o = hs.getAttribute(WebSession.SESSION);
-
- if ((o != null) && o instanceof WebSession)
- {
- session = (WebSession) o;
- }
- else
- {
- // Create new custom session and save it in the HTTP session
- // System.out.println( "HH Creating new WebSession: " );
- session = new WebSession(webgoatContext, context);
- // Ensure splash screen shows on any restart
- hs.removeAttribute(WELCOMED);
- hs.setAttribute(WebSession.SESSION, session);
- // reset timeout
- hs.setMaxInactiveInterval(sessionTimeoutSeconds);
-
- }
-
- session.update(request, response, this.getServletName());
-
- // to authenticate
- // System.out.println( "HH Leaving Session_id: " + hs.getId() );
- // dumpSession( hs );
- return (session);
- }
-
- /**
- * Description of the Method
- *
- * @param s
- * Description of the Parameter
- * @param response
- * Description of the Parameter
- * @exception IOException
- * Description of the Exception
- */
- protected void writeScreen(WebSession s, Screen screen, HttpServletResponse response) throws IOException
- {
- response.setContentType("text/html");
-
- PrintWriter out = response.getWriter();
-
- if (s == null)
- {
- screen = new ErrorScreen(s, "Page to display was null");
- }
-
- // set the content-length of the response.
- // Trying to avoid chunked-encoding. (Aspect required)
- response.setContentLength(screen.getContentLength());
- response.setHeader("Content-Length", screen.getContentLength() + "");
-
- screen.output(out);
- out.close();
- }
-}
+package org.owasp.webgoat;
+
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.text.SimpleDateFormat;
+import java.util.Date;
+import java.util.Locale;
+import java.util.TimeZone;
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+import org.owasp.webgoat.lessons.AbstractLesson;
+import org.owasp.webgoat.lessons.WelcomeScreen;
+import org.owasp.webgoat.lessons.admin.WelcomeAdminScreen;
+import org.owasp.webgoat.session.Course;
+import org.owasp.webgoat.session.ErrorScreen;
+import org.owasp.webgoat.session.Screen;
+import org.owasp.webgoat.session.UserTracker;
+import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.session.WebgoatContext;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * *************************************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project
+ * utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2007 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; either version 2 of the License, or (at your option) any later
+ * version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at code.google.com, a repository
+ * for free software projects.
+ *
+ * For details, please see http://code.google.com/p/webgoat/
+ *
+ *
+ * @author Jeff Williams Aspect
+ * Security
+ * @author Bruce Mayhew WebGoat
+ * @created October 28, 2003
+ */
+public class HammerHead extends HttpServlet {
+
+ final Logger logger = LoggerFactory.getLogger(HammerHead.class);
+
+
+ private static final String WELCOMED = "welcomed";
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 645640331343188020L;
+
+ /**
+ * Description of the Field
+ */
+ protected static SimpleDateFormat httpDateFormat;
+
+ /**
+ * Set the session timeout to be 2 days
+ */
+ private final static int sessionTimeoutSeconds = 60 * 60 * 24 * 2;
+
+ // private final static int sessionTimeoutSeconds = 1;
+ /**
+ * Properties file path
+ */
+ public static String propertiesPath = null;
+
+ /**
+ * provides convenience methods for getting setup information from the
+ * ServletContext
+ */
+ private WebgoatContext webgoatContext = null;
+
+ /**
+ * Description of the Method
+ *
+ * @param request Description of the Parameter
+ * @param response Description of the Parameter
+ * @exception IOException Description of the Exception
+ * @exception ServletException Description of the Exception
+ */
+ @Override
+ public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+ doPost(request, response);
+ }
+
+ /**
+ * Description of the Method
+ *
+ * @param request Description of the Parameter
+ * @param response Description of the Parameter
+ * @exception IOException Description of the Exception
+ * @exception ServletException Description of the Exception
+ */
+ @Override
+ public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+ Screen screen = null;
+
+ WebSession mySession = null;
+ try {
+ // System.out.println( "HH Entering doPost: " );
+ // System.out.println( " - HH request " + request);
+ // System.out.println( " - HH principle: " +
+ // request.getUserPrincipal() );
+ // setCacheHeaders(response, 0);
+ ServletContext context = getServletContext();
+
+ // FIXME: If a response is written by updateSession(), do not
+ // call makeScreen() and writeScreen()
+ mySession = updateSession(request, response, context);
+ if (response.isCommitted()) {
+ return;
+ }
+
+ // Note: For the lesson to track the status, we need to update
+ // the lesson tracker object
+ // from the screen.createContent() method. The create content is
+ // the only point
+ // where the lesson "knows" what has happened. To track it at a
+ // latter point would
+ // require the lesson to have memory.
+ screen = makeScreen(mySession); // This calls the lesson's
+ // handleRequest()
+ if (response.isCommitted()) {
+ return;
+ }
+
+ // perform lesson-specific tracking activities
+ if (screen instanceof AbstractLesson) {
+ AbstractLesson lesson = (AbstractLesson) screen;
+
+ // we do not count the initial display of the lesson screen as a visit
+ if ("GET".equals(request.getMethod())) {
+ String uri = request.getRequestURI() + "?" + request.getQueryString();
+ if (!uri.endsWith(lesson.getLink())) {
+ screen.getLessonTracker(mySession).incrementNumVisits();
+ }
+ } else if ("POST".equals(request.getMethod())
+ && mySession.getPreviousScreen() == mySession.getCurrentScreen()) {
+ screen.getLessonTracker(mySession).incrementNumVisits();
+ }
+ }
+
+ // log the access to this screen for this user
+ UserTracker userTracker = UserTracker.instance();
+ userTracker.update(mySession, screen);
+ log(request, screen.getClass().getName() + " | " + mySession.getParser().toString());
+
+ // Redirect the request to our View servlet
+ String userAgent = request.getHeader("user-agent");
+ String clientBrowser = "Not known!";
+ if (userAgent != null) {
+ clientBrowser = userAgent;
+ }
+ request.setAttribute("client.browser", clientBrowser);
+ request.getSession().setAttribute("websession", mySession);
+ request.getSession().setAttribute("course", mySession.getCourse());
+
+ request.getRequestDispatcher(getViewPage(mySession)).forward(request, response);
+ } catch (Throwable t) {
+ t.printStackTrace();
+ log("ERROR: " + t);
+ screen = new ErrorScreen(mySession, t);
+ } finally {
+ try {
+ this.writeScreen(mySession, screen, response);
+ } catch (Throwable thr) {
+ thr.printStackTrace();
+ log(request, "Could not write error screen: " + thr.getMessage());
+ }
+ WebSession.returnConnection(mySession);
+ // System.out.println( "HH Leaving doPost: " );
+ }
+ }
+
+ private String getViewPage(WebSession webSession) {
+ String page;
+
+ // If this session has not seen the landing page yet, go there instead.
+ HttpSession session = webSession.getRequest().getSession();
+ if (session.getAttribute(WELCOMED) == null) {
+ session.setAttribute(WELCOMED, "true");
+ page = "/webgoat.jsp";
+ } else {
+ page = "/main.jsp";
+ }
+
+ return page;
+ }
+
+ /**
+ * Description of the Method
+ *
+ * @param date Description of the Parameter
+ * @return RFC 1123 http date format
+ */
+ protected static String formatHttpDate(Date date) {
+ synchronized (httpDateFormat) {
+ return httpDateFormat.format(date);
+ }
+ }
+
+ /**
+ * Return information about this servlet
+ *
+ * @return The servletInfo value
+ */
+ @Override
+ public String getServletInfo() {
+ return "WebGoat is sponsored by Aspect Security.";
+ }
+
+ /**
+ * Return properties path
+ *
+ * @throws javax.servlet.ServletException
+ */
+ @Override
+ public void init() throws ServletException {
+ httpDateFormat = new SimpleDateFormat("EEE, dd MMM yyyyy HH:mm:ss z", Locale.US);
+ httpDateFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
+ propertiesPath = getServletContext().getRealPath("./WEB-INF/webgoat.properties");
+ webgoatContext = new WebgoatContext(this);
+ }
+
+ /**
+ * Description of the Method
+ *
+ * @param request Description of the Parameter
+ * @param message Description of the Parameter
+ */
+ public void log(HttpServletRequest request, String message) {
+ String output = new Date() + " | " + request.getRemoteHost() + ":" + request.getRemoteAddr() + " | " + message;
+ log(output);
+ logger.debug(output);
+ }
+
+ /*
+ * public List getLessons(Category category, String role) { Course course =
+ * mySession.getCourse(); // May need to clone the List before returning it. //return new
+ * ArrayList(course.getLessons(category, role)); return course.getLessons(category, role); }
+ */
+ /**
+ * Description of the Method
+ *
+ * @param s Description of the Parameter
+ * @return Description of the Return Value
+ */
+ protected Screen makeScreen(WebSession s) {
+ Screen screen = null;
+ int scr = s.getCurrentScreen();
+ Course course = s.getCourse();
+
+ if (s.isUser() || s.isChallenge()) {
+ if (scr == WebSession.WELCOME) {
+ screen = new WelcomeScreen(s);
+ } else {
+ AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
+ if (lesson == null && s.isHackedAdmin()) {
+ // If admin was hacked, let the user see some of the
+ // admin screens
+ lesson = course.getLesson(s, scr, AbstractLesson.HACKED_ADMIN_ROLE);
+ }
+
+ if (lesson != null) {
+ screen = lesson;
+
+ // We need to do some bookkeeping for the hackable admin
+ // interface.
+ // This is the only place we can tell if the user
+ // successfully hacked the hackable
+ // admin and has actually accessed an admin screen. You
+ // need BOTH pieces of information
+ // in order to satisfy the remote admin lesson.
+ s.setHasHackableAdmin(screen.getRole());
+
+ lesson.handleRequest(s);
+ s.setCurrentMenu(lesson.getCategory().getRanking());
+ } else {
+ screen = new ErrorScreen(s, "Invalid screen requested. Try: http://localhost/WebGoat/attack");
+ }
+ }
+ } else if (s.isAdmin()) {
+ if (scr == WebSession.WELCOME) {
+ screen = new WelcomeAdminScreen(s);
+ } else {
+ // Admin can see all roles.
+ // FIXME: should be able to pass a list of roles.
+ AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.ADMIN_ROLE);
+ if (lesson == null) {
+ lesson = course.getLesson(s, scr, AbstractLesson.HACKED_ADMIN_ROLE);
+ }
+ if (lesson == null) {
+ lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
+ }
+
+ if (lesson != null) {
+ screen = lesson;
+
+ // We need to do some bookkeeping for the hackable admin
+ // interface.
+ // This is the only place we can tell if the user
+ // successfully hacked the hackable
+ // admin and has actually accessed an admin screen. You
+ // need BOTH pieces of information
+ // in order to satisfy the remote admin lesson.
+ s.setHasHackableAdmin(screen.getRole());
+
+ lesson.handleRequest(s);
+ s.setCurrentMenu(lesson.getCategory().getRanking());
+ } else {
+ screen = new ErrorScreen(s,
+ "Invalid screen requested. Try Setting Admin to false or Try: http://localhost/WebGoat/attack");
+ }
+ }
+ }
+
+ return (screen);
+ }
+
+ /**
+ * This method sets the required expiration headers in the response for a
+ * given RunData object. This method attempts to set all relevant headers,
+ * both for HTTP 1.0 and HTTP 1.1.
+ *
+ * @param response The new cacheHeaders value
+ * @param expiry The new cacheHeaders value
+ */
+ protected static void setCacheHeaders(HttpServletResponse response, int expiry) {
+ if (expiry == 0) {
+ response.setHeader("Pragma", "no-cache");
+ response.setHeader("Cache-Control", "no-cache");
+ response.setHeader("Expires", formatHttpDate(new Date()));
+ } else {
+ Date expiryDate = new Date(System.currentTimeMillis() + expiry);
+ response.setHeader("Expires", formatHttpDate(expiryDate));
+ }
+ }
+
+ /**
+ * Description of the Method
+ *
+ * @param request Description of the Parameter
+ * @param response Description of the Parameter
+ * @param context Description of the Parameter
+ * @return Description of the Return Value
+ * @throws java.io.IOException
+ */
+ protected WebSession updateSession(HttpServletRequest request, HttpServletResponse response, ServletContext context)
+ throws IOException {
+ HttpSession hs;
+ hs = request.getSession(true);
+
+ // System.out.println( "HH Entering Session_id: " + hs.getId() );
+ // dumpSession( hs );
+ // Get our session object out of the HTTP session
+ WebSession session = null;
+ Object o = hs.getAttribute(WebSession.SESSION);
+
+ if ((o != null) && o instanceof WebSession) {
+ session = (WebSession) o;
+ } else {
+ // Create new custom session and save it in the HTTP session
+ // System.out.println( "HH Creating new WebSession: " );
+ session = new WebSession(webgoatContext, context);
+ // Ensure splash screen shows on any restart
+ hs.removeAttribute(WELCOMED);
+ hs.setAttribute(WebSession.SESSION, session);
+ // reset timeout
+ hs.setMaxInactiveInterval(sessionTimeoutSeconds);
+
+ }
+
+ session.update(request, response, this.getServletName());
+
+ // to authenticate
+ // System.out.println( "HH Leaving Session_id: " + hs.getId() );
+ // dumpSession( hs );
+ return (session);
+ }
+
+ /**
+ * Description of the Method
+ *
+ * @param s Description of the Parameter
+ * @param screen
+ * @param response Description of the Parameter
+ * @exception IOException Description of the Exception
+ */
+ protected void writeScreen(WebSession s, Screen screen, HttpServletResponse response) throws IOException {
+ response.setContentType("text/html");
+
+ PrintWriter out = response.getWriter();
+
+ if (s == null) {
+ screen = new ErrorScreen(s, "Page to display was null");
+ }
+
+ // set the content-length of the response.
+ // Trying to avoid chunked-encoding. (Aspect required)
+ response.setContentLength(screen.getContentLength());
+ response.setHeader("Content-Length", screen.getContentLength() + "");
+
+ screen.output(out);
+ out.close();
+ }
+}
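Review bot: The two error paths in doPost still call `t.printStackTrace()` / `log("ERROR: " + t)` and `thr.printStackTrace()` / `log(request, "Could not write error screen: " + thr.getMessage())`, which send the stack trace to stderr and keep only the exception's toString() or message in the container log, even though this commit adds an SLF4J logger to the class; replace them with `logger.error("Unhandled error while handling request", t);` and `logger.error("Could not write error screen", thr);` so the cause and stack trace land in the log files. The only new use of the logger, `logger.debug(output)` in `log(HttpServletRequest, String)`, swaps the former `System.out.println(output)` for a DEBUG-level call while the container `log(output)` on the line above is kept, so the access line is still written once per request to the container log and the SLF4J copy is dropped wherever the root level is INFO, which is what the log4j.properties added in this same commit configures. `final Logger logger = LoggerFactory.getLogger(HammerHead.class);` should take the usual `private static final` form rather than being a package-visible instance field on the servlet. The access line concatenates `request.getRemoteHost()` (which may cost a reverse DNS lookup per request, depending on the container's lookup setting) with the screen class name and the session parser's toString(), so these log lines carry request-derived content and should be treated as untrusted by anything that consumes them.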
diff --git a/pom.xml b/pom.xml
index f726b45da..ddb3335d1 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1,320 +1,326 @@
- 4.0.0
- WebGoat
- WebGoat
- war
- 6.0-SNAPSHOT
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+ 4.0.0
+ WebGoat
+ WebGoat
+ war
+ 6.0-SNAPSHOT
-
-
- maven2-repository.dev.java.net
- Java.net Maven 2 Repository
- http://download.java.net/maven/2
-
-
+
+
+ maven2-repository.dev.java.net
+ Java.net Maven 2 Repository
+ http://download.java.net/maven/2
+
+
-
-
- 3.2.4.RELEASE
- 3.2.4.RELEASE
- 2.2.2
-
+
+
+ 3.2.4.RELEASE
+ 3.2.4.RELEASE
+ 2.2.2
+
-
- ${basedir}/java
-
-
- ${basedir}/java
-
-
- ${basedir}/resources
-
-
-
-
- org.apache.maven.plugins
- maven-compiler-plugin
-
- 1.6
- 1.6
- ISO-8859-1
-
-
-
- maven-eclipse-plugin
-
- 1.5
-
- ${basedir}/java/**/*.java
-
-
-
-
- org.apache.maven.plugins
- maven-war-plugin
-
- ${basedir}/webapp
-
-
-
- org.codehaus.mojo
- tomcat-maven-plugin
-
- http://localhost:8080/manager
- ${basedir}/tomcatconf
-
-
-
-
+
+ ${basedir}/java
+
+
+ ${basedir}/java
+
+
+ ${basedir}/resources
+
+
+
+
+ org.apache.maven.plugins
+ maven-compiler-plugin
+
+ 1.6
+ 1.6
+ ISO-8859-1
+
+
+
+ maven-eclipse-plugin
+
+ 1.5
+
+ ${basedir}/java/**/*.java
+
+
+
+
+ org.apache.maven.plugins
+ maven-war-plugin
+
+ ${basedir}/webapp
+
+
+
+ org.codehaus.mojo
+ tomcat-maven-plugin
+
+ http://localhost:8080/manager
+ ${basedir}/tomcatconf
+
+
+
+
-
-
- javax.activation
- activation
- 1.1
-
-
- axis
- axis
- 1.2
-
-
- axis
- axis-saaj
- 1.2
-
-
- axis
- axis-jaxrpc
- 1.2
-
-
- axis
- axis-ant
- 1.2
-
-
- commons-fileupload
- commons-fileupload
- 1.2.1
-
-
- commons-io
- commons-io
- 1.4
-
-
- commons-collections
- commons-collections
- 3.1
-
-
- commons-digester
- commons-digester
- 1.4.1
-
-
- xml-apis
- xml-apis
-
-
-
-
- commons-logging
- commons-logging
- 1.0.4
-
-
- commons-discovery
- commons-discovery
- 0.2
-
-
- javax.mail
- mail
- 1.4.2
-
-
- javax.mail
- mailapi
- 1.4.2
-
-
- hsqldb
- hsqldb
- 1.8.0.7
-
-
- log4j
- log4j
- 1.2.8
-
-
- wsdl4j
- wsdl4j
- 1.5.1
-
-
- java2html
- j2h
- 1.3.1
-
-
- ecs
- ecs
- 1.4.2
-
-
- javax.transaction
- jta
- 1.0.1B
-
-
- net.sourceforge.jtds
- jtds
- 1.2.2
-
-
- org.apache.tomcat
- tomcat-catalina
- 7.0.27
- provided
-
+
+
+ javax.activation
+ activation
+ 1.1
+
+
+ axis
+ axis
+ 1.2
+
+
+ axis
+ axis-saaj
+ 1.2
+
+
+ axis
+ axis-jaxrpc
+ 1.2
+
+
+ axis
+ axis-ant
+ 1.2
+
+
+ commons-fileupload
+ commons-fileupload
+ 1.2.1
+
+
+ commons-io
+ commons-io
+ 1.4
+
+
+ commons-collections
+ commons-collections
+ 3.1
+
+
+ commons-digester
+ commons-digester
+ 1.4.1
+
+
+ xml-apis
+ xml-apis
+
+
+
+
+ commons-logging
+ commons-logging
+ 1.1.3
+
+
+ org.slf4j
+ jcl-over-slf4j
+ 1.7.7
+
+
+ commons-discovery
+ commons-discovery
+ 0.2
+
+
+ javax.mail
+ mail
+ 1.4.2
+
+
+ javax.mail
+ mailapi
+ 1.4.2
+
+
+ hsqldb
+ hsqldb
+ 1.8.0.7
+
+
+ log4j
+ log4j
+ 1.2.17
+
+
+
+ wsdl4j
+ wsdl4j
+ 1.5.1
+
+
+ java2html
+ j2h
+ 1.3.1
+
+
+ ecs
+ ecs
+ 1.4.2
+
+
+ javax.transaction
+ jta
+ 1.0.1B
+
+
+ net.sourceforge.jtds
+ jtds
+ 1.2.2
+
+
+ org.apache.tomcat
+ tomcat-catalina
+ 7.0.27
+ provided
+
-
+
-
-
- javax
- javaee-api
- 6.0
- provided
-
+
+
+ javax
+ javaee-api
+ 6.0
+ provided
+
-
- org.springframework
- spring-core
- ${org.springframework.version}
-
+
+ org.springframework
+ spring-core
+ ${org.springframework.version}
+
-
-
- org.springframework
- spring-webmvc
- ${org.springframework.version}
- jar
-
+
+
+ org.springframework
+ spring-webmvc
+ ${org.springframework.version}
+ jar
+
-
- org.springframework.security
- spring-security-core
- ${spring.security.version}
-
+
+ org.springframework.security
+ spring-security-core
+ ${spring.security.version}
+
-
- org.springframework.security
- spring-security-config
- ${spring.security.version}
-
+
+ org.springframework.security
+ spring-security-config
+ ${spring.security.version}
+
-
- org.springframework.security
- spring-security-web
- ${spring.security.version}
-
+
+ org.springframework.security
+ spring-security-web
+ ${spring.security.version}
+
-
-
- commons-fileupload
- commons-fileupload
- 1.2.2
-
+
+
+ commons-fileupload
+ commons-fileupload
+ 1.2.2
+
-
-
- commons-io
- commons-io
- 1.3.2
-
+
+
+ commons-io
+ commons-io
+ 1.3.2
+
-
-
- javax.servlet
- jstl
- 1.2
-
+
+
+ javax.servlet
+ jstl
+ 1.2
+
-
- taglibs
- standard
- 1.1.2
-
+
+ taglibs
+ standard
+ 1.1.2
+
-
- log4j
- log4j
- 1.2.15
-
-
- javax.jms
- jms
-
-
- com.sun.jdmk
- jmxtools
-
-
- com.sun.jmx
- jmxri
-
-
-
-
- junit
- junit
- 4.8.1
- jar
-
-
- org.apache.tiles
- tiles-core
- ${tiles.version}
- jar
-
-
- org.apache.tiles
- tiles-template
- ${tiles.version}
- jar
-
-
- org.apache.tiles
- tiles-servlet
- ${tiles.version}
- jar
-
-
- org.apache.tiles
- tiles-jsp
- ${tiles.version}
- jar
-
-
- org.slf4j
- slf4j-api
- 1.5.8
- jar
-
-
- org.slf4j
- slf4j-log4j12
- 1.5.8
- jar
-
+
+ log4j
+ log4j
+ 1.2.17
+
+
+ javax.jms
+ jms
+
+
+ com.sun.jdmk
+ jmxtools
+
+
+ com.sun.jmx
+ jmxri
+
+
+
+
+ junit
+ junit
+ 4.8.1
+ jar
+
+
+ org.apache.tiles
+ tiles-core
+ ${tiles.version}
+ jar
+
+
+ org.apache.tiles
+ tiles-template
+ ${tiles.version}
+ jar
+
+
+ org.apache.tiles
+ tiles-servlet
+ ${tiles.version}
+ jar
+
+
+ org.apache.tiles
+ tiles-jsp
+ ${tiles.version}
+ jar
+
+
+ org.slf4j
+ slf4j-api
+ 1.7.7
+ jar
+
+
+ org.slf4j
+ slf4j-log4j12
+ 1.7.7
+ jar
+
-
+
-
+
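Review bot: The dependency list now declares both `commons-logging` 1.1.3 and `jcl-over-slf4j` 1.7.7, which provide the same `org.apache.commons.logging` classes; with both on the classpath it is classloader order rather than the pom that decides whether JCL callers (Spring, Axis, digester) are routed through SLF4J, so if the bridge is intended `commons-logging` should be dropped from the direct dependencies and excluded from the transitive ones. `log4j` 1.2.17 also appears twice, once plainly and once followed by what look to be the `javax.jms`/`com.sun.jdmk`/`com.sun.jmx` exclusions (the element tags are not visible on this page); Maven warns on duplicate declarations and only one takes effect, so the exclusions may be silently ignored — keep a single declaration, the one carrying the exclusions. Most of this hunk is a whitespace reindent, which buries the real changes (commons-logging, log4j and slf4j version bumps, the new jcl-over-slf4j artifact); a separate formatting commit would make the dependency change reviewable on its own.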
diff --git a/resources/log4j.properties b/resources/log4j.properties
new file mode 100644
index 000000000..207c3dcde
--- /dev/null
+++ b/resources/log4j.properties
@@ -0,0 +1,32 @@
+log4j.rootLogger=INFO, MAIN_LOG, ERROR_LOG
+
+# MAIN - everything gets logged here
+log4j.appender.MAIN_LOG=org.apache.log4j.RollingFileAppender
+log4j.appender.MAIN_LOG.File=${catalina.home}/logs/webgoat_main.log
+log4j.appender.MAIN_LOG.layout=org.apache.log4j.PatternLayout
+log4j.appender.MAIN_LOG.layout.ConversionPattern=%d [%t] %-5p %c %x - %m%n
+log4j.appender.MAIN_LOG.MaxFileSize=10MB
+log4j.appender.MAIN_LOG.MaxBackupIndex=5
+log4j.appender.MAIN_LOG.append=true
+
+# ERROR
+log4j.appender.ERROR_LOG=org.apache.log4j.RollingFileAppender
+log4j.appender.ERROR_LOG.File=${catalina.home}/logs/webgoat_error.log
+log4j.appender.ERROR_LOG.layout=org.apache.log4j.PatternLayout
+log4j.appender.ERROR_LOG.layout.ConversionPattern=%d [%t] %-5p %x - %m%n
+log4j.appender.ERROR_LOG.MaxFileSize=10MB
+log4j.appender.ERROR_LOG.MaxBackupIndex=2
+log4j.appender.ERROR_LOG.append=true
+log4j.appender.ERROR_LOG.Threshold=ERROR
+
+# PERFORMANCE
+log4j.logger.PERF_LOG=DEBUG, PERF_LOG
+log4j.appender.PERF_LOG=org.apache.log4j.RollingFileAppender
+log4j.appender.PERF_LOG.File=${catalina.home}/logs/webgoat_perf.log
+log4j.appender.PERF_LOG.layout=org.apache.log4j.PatternLayout
+log4j.appender.PERF_LOG.layout.ConversionPattern=%m%n
+log4j.appender.PERF_LOG.MaxFileSize=10MB
+log4j.appender.PERF_LOG.MaxBackupIndex=2
+log4j.appender.PERF_LOG.append=true
+log4j.additivity.PERF_LOG = false
+
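Review bot: `log4j.rootLogger=INFO, MAIN_LOG, ERROR_LOG` means the `logger.debug(output)` call added to `HammerHead.log` in this same commit never reaches any appender; either log that access line at INFO, or add `log4j.logger.org.owasp.webgoat=DEBUG` here if capturing it is the intent. MAIN_LOG and ERROR_LOG write messages verbatim through `%m%n`, and the HammerHead access line contains the remote host, the screen class and the request parser's toString(), so these files under `${catalina.home}/logs` hold request-derived content and should be treated as untrusted input by any tooling that parses them. `log4j.logger.PERF_LOG=DEBUG, PERF_LOG` configures a named logger that no code in this commit obtains; a comment such as `# obtained via LoggerFactory.getLogger("PERF_LOG"); additivity off so entries stay out of MAIN_LOG` would document how it is meant to be used.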
diff --git a/webapp/WEB-INF/web.xml b/webapp/WEB-INF/web.xml
index 209cf9db0..7099db92a 100644
--- a/webapp/WEB-INF/web.xml
+++ b/webapp/WEB-INF/web.xml
@@ -328,6 +328,10 @@
wmv
video/x-ms-wmv
+
+
+ login.do
+