work on logging

2014-06-03 14:39:21 -04:00 · 2014-06-03 14:39:21 -04:00 · 10be6757af
commit 10be6757af
parent c8ec75b5f2
4 changed files with 771 additions and 781 deletions
--- a/java/org/owasp/webgoat/HammerHead.java
+++ b/java/org/owasp/webgoat/HammerHead.java
@ -1,4 +1,3 @@
 package org.owasp.webgoat;
 import java.io.IOException;
@ -22,42 +21,49 @@ import org.owasp.webgoat.session.Screen;
 import org.owasp.webgoat.session.UserTracker;
 import org.owasp.webgoat.session.WebSession;
 import org.owasp.webgoat.session.WebgoatContext;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-
+/**
-/***************************************************************************************************
+ * *************************************************************************************************
 *
 *
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * This file is part of WebGoat, an Open Web Application Security Project
- * please see http://www.owasp.org/
+ * utility. For details, please see http://www.owasp.org/
 *
 * Copyright (c) 2002 - 2007 Bruce Mayhew
 *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * This program is free software; you can redistribute it and/or modify it under
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * the terms of the GNU General Public License as published by the Free Software
- * License, or (at your option) any later version.
+ * Foundation; either version 2 of the License, or (at your option) any later
 * version.
 *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * This program is distributed in the hope that it will be useful, but WITHOUT
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * General Public License for more details.
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
 * details.
 *
- * You should have received a copy of the GNU General Public License along with this program; if
+ * You should have received a copy of the GNU General Public License along with
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * 02111-1307, USA.
+ * Place - Suite 330, Boston, MA 02111-1307, USA.
 *
 * Getting Source ==============
 *
- * Source for this application is maintained at code.google.com, a repository for free software
+ * Source for this application is maintained at code.google.com, a repository
- * projects.
+ * for free software projects.
 *
 * For details, please see http://code.google.com/p/webgoat/
 *
 *
- * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
+ * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect
 * Security</a>
 * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
 * @created October 28, 2003
 */
-public class HammerHead extends HttpServlet
+public class HammerHead extends HttpServlet {
-{
+
    final Logger logger = LoggerFactory.getLogger(HammerHead.class);
    private static final String WELCOMED = "welcomed";
@ -77,53 +83,44 @@ public class HammerHead extends HttpServlet
    private final static int sessionTimeoutSeconds = 60 * 60 * 24 * 2;
 	// private final static int sessionTimeoutSeconds = 1;
    /**
     * Properties file path
     */
    public static String propertiesPath = null;
    /**
-	 * provides convenience methods for getting setup information from the ServletContext
+     * provides convenience methods for getting setup information from the
     * ServletContext
     */
    private WebgoatContext webgoatContext = null;
    /**
     * Description of the Method
     *
-	 * @param request
+     * @param request Description of the Parameter
-	 *            Description of the Parameter
+     * @param response Description of the Parameter
-	 * @param response
+     * @exception IOException Description of the Exception
-	 *            Description of the Parameter
+     * @exception ServletException Description of the Exception
 	 * @exception IOException
 	 *                Description of the Exception
 	 * @exception ServletException
 	 *                Description of the Exception
     */
-	public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException
+    @Override
-	{
+    public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
        doPost(request, response);
    }
    /**
     * Description of the Method
     *
-	 * @param request
+     * @param request Description of the Parameter
-	 *            Description of the Parameter
+     * @param response Description of the Parameter
-	 * @param response
+     * @exception IOException Description of the Exception
-	 *            Description of the Parameter
+     * @exception ServletException Description of the Exception
 	 * @exception IOException
 	 *                Description of the Exception
 	 * @exception ServletException
 	 *                Description of the Exception
     */
-	public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException
+    @Override
-	{
+    public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
        Screen screen = null;
        WebSession mySession = null;
-		try
+        try {
 		{
            // System.out.println( "HH Entering doPost: " );
            // System.out.println( " - HH request " + request);
            // System.out.println( " - HH principle: " +
@ -134,7 +131,9 @@ public class HammerHead extends HttpServlet
            // FIXME: If a response is written by updateSession(), do not
            // call makeScreen() and writeScreen()
            mySession = updateSession(request, response, context);
-			if (response.isCommitted()) return;
+            if (response.isCommitted()) {
                return;
            }
            // Note: For the lesson to track the status, we need to update
            // the lesson tracker object
@ -145,22 +144,22 @@ public class HammerHead extends HttpServlet
            // require the lesson to have memory.
            screen = makeScreen(mySession); // This calls the lesson's
            // handleRequest()
-			if (response.isCommitted()) return;
+            if (response.isCommitted()) {
                return;
            }
            // perform lesson-specific tracking activities
-			if (screen instanceof AbstractLesson)
+            if (screen instanceof AbstractLesson) {
 			{
                AbstractLesson lesson = (AbstractLesson) screen;
                // we do not count the initial display of the lesson screen as a visit
-				if ("GET".equals(request.getMethod()))
+                if ("GET".equals(request.getMethod())) {
 				{
                    String uri = request.getRequestURI() + "?" + request.getQueryString();
-					if (!uri.endsWith(lesson.getLink())) screen.getLessonTracker(mySession).incrementNumVisits();
+                    if (!uri.endsWith(lesson.getLink())) {
                        screen.getLessonTracker(mySession).incrementNumVisits();
                    }
-				else if ("POST".equals(request.getMethod())
+                } else if ("POST".equals(request.getMethod())
-						&& mySession.getPreviousScreen() == mySession.getCurrentScreen())
+                        && mySession.getPreviousScreen() == mySession.getCurrentScreen()) {
 				{
                    screen.getLessonTracker(mySession).incrementNumVisits();
                }
            }
@ -173,8 +172,7 @@ public class HammerHead extends HttpServlet
            // Redirect the request to our View servlet
            String userAgent = request.getHeader("user-agent");
            String clientBrowser = "Not known!";
-			if (userAgent != null)
+            if (userAgent != null) {
 			{
                clientBrowser = userAgent;
            }
            request.setAttribute("client.browser", clientBrowser);
@ -182,18 +180,14 @@ public class HammerHead extends HttpServlet
            request.getSession().setAttribute("course", mySession.getCourse());
            request.getRequestDispatcher(getViewPage(mySession)).forward(request, response);
-		} catch (Throwable t)
+        } catch (Throwable t) {
 		{
            t.printStackTrace();
            log("ERROR: " + t);
            screen = new ErrorScreen(mySession, t);
-		} finally
+        } finally {
-		{
+            try {
 			try
 			{
                this.writeScreen(mySession, screen, response);
-			} catch (Throwable thr)
+            } catch (Throwable thr) {
 			{
                thr.printStackTrace();
                log(request, "Could not write error screen: " + thr.getMessage());
            }
@ -202,19 +196,17 @@ public class HammerHead extends HttpServlet
        }
    }
-	private String getViewPage(WebSession webSession)
+    private String getViewPage(WebSession webSession) {
 	{
        String page;
        // If this session has not seen the landing page yet, go there instead.
        HttpSession session = webSession.getRequest().getSession();
-		if (session.getAttribute(WELCOMED) == null)
+        if (session.getAttribute(WELCOMED) == null) {
 		{
            session.setAttribute(WELCOMED, "true");
            page = "/webgoat.jsp";
-		}
+        } else {
 		else
            page = "/main.jsp";
        }
        return page;
    }
@ -222,14 +214,11 @@ public class HammerHead extends HttpServlet
    /**
     * Description of the Method
     *
-	 * @param date
+     * @param date Description of the Parameter
 	 *            Description of the Parameter
     * @return RFC 1123 http date format
     */
-	protected static String formatHttpDate(Date date)
+    protected static String formatHttpDate(Date date) {
-	{
+        synchronized (httpDateFormat) {
 		synchronized (httpDateFormat)
 		{
            return httpDateFormat.format(date);
        }
    }
@ -239,18 +228,18 @@ public class HammerHead extends HttpServlet
     *
     * @return The servletInfo value
     */
-	public String getServletInfo()
+    @Override
-	{
+    public String getServletInfo() {
        return "WebGoat is sponsored by Aspect Security.";
    }
    /**
     * Return properties path
     *
-	 * @return servlet context path + WEB_INF
+     * @throws javax.servlet.ServletException
     */
-	public void init() throws ServletException
+    @Override
-	{
+    public void init() throws ServletException {
        httpDateFormat = new SimpleDateFormat("EEE, dd MMM yyyyy HH:mm:ss z", Locale.US);
        httpDateFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
        propertiesPath = getServletContext().getRealPath("./WEB-INF/webgoat.properties");
@ -260,16 +249,13 @@ public class HammerHead extends HttpServlet
    /**
     * Description of the Method
     *
-	 * @param request
+     * @param request Description of the Parameter
-	 *            Description of the Parameter
+     * @param message Description of the Parameter
 	 * @param message
 	 *            Description of the Parameter
     */
-	public void log(HttpServletRequest request, String message)
+    public void log(HttpServletRequest request, String message) {
 	{
        String output = new Date() + " | " + request.getRemoteHost() + ":" + request.getRemoteAddr() + " | " + message;
        log(output);
-		System.out.println(output);
+        logger.debug(output);
    }
    /*
@ -277,38 +263,29 @@ public class HammerHead extends HttpServlet
     * mySession.getCourse(); // May need to clone the List before returning it. //return new
     * ArrayList(course.getLessons(category, role)); return course.getLessons(category, role); }
     */
    /**
     * Description of the Method
     *
-	 * @param s
+     * @param s Description of the Parameter
 	 *            Description of the Parameter
     * @return Description of the Return Value
     */
-	protected Screen makeScreen(WebSession s)
+    protected Screen makeScreen(WebSession s) {
 	{
        Screen screen = null;
        int scr = s.getCurrentScreen();
        Course course = s.getCourse();
-		if (s.isUser() || s.isChallenge())
+        if (s.isUser() || s.isChallenge()) {
-		{
+            if (scr == WebSession.WELCOME) {
 			if (scr == WebSession.WELCOME)
 			{
                screen = new WelcomeScreen(s);
-			}
+            } else {
 			else
 			{
                AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
-				if (lesson == null && s.isHackedAdmin())
+                if (lesson == null && s.isHackedAdmin()) {
 				{
 					// If admin was hacked, let the user see some of the
                    // admin screens
                    lesson = course.getLesson(s, scr, AbstractLesson.HACKED_ADMIN_ROLE);
                }
-				if (lesson != null)
+                if (lesson != null) {
 				{
                    screen = lesson;
 					// We need to do some bookkeeping for the hackable admin
@ -318,40 +295,29 @@ public class HammerHead extends HttpServlet
                    // admin and has actually accessed an admin screen. You
                    // need BOTH pieces of information
                    // in order to satisfy the remote admin lesson.
                    s.setHasHackableAdmin(screen.getRole());
                    lesson.handleRequest(s);
                    s.setCurrentMenu(lesson.getCategory().getRanking());
-				}
+                } else {
 				else
 				{
                    screen = new ErrorScreen(s, "Invalid screen requested.  Try: http://localhost/WebGoat/attack");
                }
            }
-		}
+        } else if (s.isAdmin()) {
-		else if (s.isAdmin())
+            if (scr == WebSession.WELCOME) {
 		{
 			if (scr == WebSession.WELCOME)
 			{
                screen = new WelcomeAdminScreen(s);
-			}
+            } else {
 			else
 			{
 				// Admin can see all roles.
                // FIXME: should be able to pass a list of roles.
                AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.ADMIN_ROLE);
-				if (lesson == null)
+                if (lesson == null) {
 				{
                    lesson = course.getLesson(s, scr, AbstractLesson.HACKED_ADMIN_ROLE);
                }
-				if (lesson == null)
+                if (lesson == null) {
 				{
                    lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
                }
-				if (lesson != null)
+                if (lesson != null) {
 				{
                    screen = lesson;
 					// We need to do some bookkeeping for the hackable admin
@ -361,14 +327,11 @@ public class HammerHead extends HttpServlet
                    // admin and has actually accessed an admin screen. You
                    // need BOTH pieces of information
                    // in order to satisfy the remote admin lesson.
                    s.setHasHackableAdmin(screen.getRole());
                    lesson.handleRequest(s);
                    s.setCurrentMenu(lesson.getCategory().getRanking());
-				}
+                } else {
 				else
 				{
                    screen = new ErrorScreen(s,
                            "Invalid screen requested.  Try Setting Admin to false or Try: http://localhost/WebGoat/attack");
                }
@ -379,24 +342,19 @@ public class HammerHead extends HttpServlet
    }
    /**
-	 * This method sets the required expiration headers in the response for a given RunData object.
+     * This method sets the required expiration headers in the response for a
-	 * This method attempts to set all relevant headers, both for HTTP 1.0 and HTTP 1.1.
+     * given RunData object. This method attempts to set all relevant headers,
     * both for HTTP 1.0 and HTTP 1.1.
     *
-	 * @param response
+     * @param response The new cacheHeaders value
-	 *            The new cacheHeaders value
+     * @param expiry The new cacheHeaders value
 	 * @param expiry
 	 *            The new cacheHeaders value
     */
-	protected static void setCacheHeaders(HttpServletResponse response, int expiry)
+    protected static void setCacheHeaders(HttpServletResponse response, int expiry) {
-	{
+        if (expiry == 0) {
 		if (expiry == 0)
 		{
            response.setHeader("Pragma", "no-cache");
            response.setHeader("Cache-Control", "no-cache");
            response.setHeader("Expires", formatHttpDate(new Date()));
-		}
+        } else {
 		else
 		{
            Date expiryDate = new Date(System.currentTimeMillis() + expiry);
            response.setHeader("Expires", formatHttpDate(expiryDate));
        }
@ -405,17 +363,14 @@ public class HammerHead extends HttpServlet
    /**
     * Description of the Method
     *
-	 * @param request
+     * @param request Description of the Parameter
-	 *            Description of the Parameter
+     * @param response Description of the Parameter
-	 * @param response
+     * @param context Description of the Parameter
 	 *            Description of the Parameter
 	 * @param context
 	 *            Description of the Parameter
     * @return Description of the Return Value
     * @throws java.io.IOException
     */
    protected WebSession updateSession(HttpServletRequest request, HttpServletResponse response, ServletContext context)
-			throws IOException
+            throws IOException {
 	{
        HttpSession hs;
        hs = request.getSession(true);
@ -425,12 +380,9 @@ public class HammerHead extends HttpServlet
        WebSession session = null;
        Object o = hs.getAttribute(WebSession.SESSION);
-		if ((o != null) && o instanceof WebSession)
+        if ((o != null) && o instanceof WebSession) {
 		{
            session = (WebSession) o;
-		}
+        } else {
 		else
 		{
 			// Create new custom session and save it in the HTTP session
            // System.out.println( "HH Creating new WebSession: " );
            session = new WebSession(webgoatContext, context);
@ -453,21 +405,17 @@ public class HammerHead extends HttpServlet
    /**
     * Description of the Method
     *
-	 * @param s
+     * @param s Description of the Parameter
-	 *            Description of the Parameter
+     * @param screen
-	 * @param response
+     * @param response Description of the Parameter
-	 *            Description of the Parameter
+     * @exception IOException Description of the Exception
 	 * @exception IOException
 	 *                Description of the Exception
     */
-	protected void writeScreen(WebSession s, Screen screen, HttpServletResponse response) throws IOException
+    protected void writeScreen(WebSession s, Screen screen, HttpServletResponse response) throws IOException {
 	{
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
-		if (s == null)
+        if (s == null) {
 		{
            screen = new ErrorScreen(s, "Page to display was null");
        }
--- a/pom.xml
+++ b/pom.xml
@ -123,7 +123,12 @@
        <dependency>
            <groupId>commons-logging</groupId>
            <artifactId>commons-logging</artifactId>
-			<version>1.0.4</version>
+            <version>1.1.3</version>
        </dependency>
        <dependency>
            <groupId>org.slf4j</groupId>
            <artifactId>jcl-over-slf4j</artifactId>
            <version>1.7.7</version>
        </dependency>
        <dependency>
            <groupId>commons-discovery</groupId>
@ -148,8 +153,9 @@
        <dependency>
            <groupId>log4j</groupId>
            <artifactId>log4j</artifactId>
-			<version>1.2.8</version>
+            <version>1.2.17</version>
        </dependency>
        <dependency>
            <groupId>wsdl4j</groupId>
            <artifactId>wsdl4j</artifactId>
@ -255,7 +261,7 @@
        <dependency>
            <groupId>log4j</groupId>
            <artifactId>log4j</artifactId>
-			<version>1.2.15</version>
+            <version>1.2.17</version>
            <exclusions>
                <exclusion>
                    <groupId>javax.jms</groupId>
@ -304,13 +310,13 @@
        <dependency>
            <groupId>org.slf4j</groupId>
            <artifactId>slf4j-api</artifactId>
-			<version>1.5.8</version>
+            <version>1.7.7</version>
            <type>jar</type>
        </dependency>
        <dependency>
            <groupId>org.slf4j</groupId>
            <artifactId>slf4j-log4j12</artifactId>
-			<version>1.5.8</version>
+            <version>1.7.7</version>
            <type>jar</type>
        </dependency>
--- a/resources/log4j.properties
+++ b/resources/log4j.properties
@ -0,0 +1,32 @@
 log4j.rootLogger=INFO, MAIN_LOG, ERROR_LOG
 # MAIN - everything gets logged here
 log4j.appender.MAIN_LOG=org.apache.log4j.RollingFileAppender
 log4j.appender.MAIN_LOG.File=${catalina.home}/logs/webgoat_main.log
 log4j.appender.MAIN_LOG.layout=org.apache.log4j.PatternLayout
 log4j.appender.MAIN_LOG.layout.ConversionPattern=%d [%t] %-5p %c %x - %m%n 
 log4j.appender.MAIN_LOG.MaxFileSize=10MB
 log4j.appender.MAIN_LOG.MaxBackupIndex=5
 log4j.appender.MAIN_LOG.append=true
 # ERROR
 log4j.appender.ERROR_LOG=org.apache.log4j.RollingFileAppender
 log4j.appender.ERROR_LOG.File=${catalina.home}/logs/webgoat_error.log
 log4j.appender.ERROR_LOG.layout=org.apache.log4j.PatternLayout
 log4j.appender.ERROR_LOG.layout.ConversionPattern=%d [%t] %-5p %x - %m%n 
 log4j.appender.ERROR_LOG.MaxFileSize=10MB
 log4j.appender.ERROR_LOG.MaxBackupIndex=2
 log4j.appender.ERROR_LOG.append=true
 log4j.appender.ERROR_LOG.Threshold=ERROR
 # PERFORMANCE
 log4j.logger.PERF_LOG=DEBUG, PERF_LOG
 log4j.appender.PERF_LOG=org.apache.log4j.RollingFileAppender
 log4j.appender.PERF_LOG.File=${catalina.home}/logs/webgoat_perf.log
 log4j.appender.PERF_LOG.layout=org.apache.log4j.PatternLayout
 log4j.appender.PERF_LOG.layout.ConversionPattern=%m%n 
 log4j.appender.PERF_LOG.MaxFileSize=10MB
 log4j.appender.PERF_LOG.MaxBackupIndex=2
 log4j.appender.PERF_LOG.append=true
 log4j.additivity.PERF_LOG = false
--- a/webapp/WEB-INF/web.xml
+++ b/webapp/WEB-INF/web.xml
@ -329,6 +329,10 @@
        <mime-type>video/x-ms-wmv</mime-type>
    </mime-mapping>
    <welcome-file-list>
        <welcome-file>login.do</welcome-file>
    </welcome-file-list>
 	<!-- Define reference to the user database for looking up roles -->
        <!--
 	<resource-env-ref>