work on logging

This commit is contained in:
lawson89 2014-06-03 14:39:21 -04:00
parent c8ec75b5f2
commit 10be6757af
4 changed files with 771 additions and 781 deletions


@ -1,482 +1,430 @@
package org.owasp.webgoat;
package org.owasp.webgoat;
import java.io.IOException;
import java.io.IOException; import java.io.PrintWriter;
import java.io.PrintWriter; import java.text.SimpleDateFormat;
import java.text.SimpleDateFormat; import java.util.Date;
import java.util.Date; import java.util.Locale;
import java.util.Locale; import java.util.TimeZone;
import java.util.TimeZone; import javax.servlet.ServletContext;
import javax.servlet.ServletContext; import javax.servlet.ServletException;
import javax.servlet.ServletException; import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSession; import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.lessons.WelcomeScreen;
import org.owasp.webgoat.lessons.WelcomeScreen; import org.owasp.webgoat.lessons.admin.WelcomeAdminScreen;
import org.owasp.webgoat.lessons.admin.WelcomeAdminScreen; import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.Course; import org.owasp.webgoat.session.ErrorScreen;
import org.owasp.webgoat.session.ErrorScreen; import org.owasp.webgoat.session.Screen;
import org.owasp.webgoat.session.Screen; import org.owasp.webgoat.session.UserTracker;
import org.owasp.webgoat.session.UserTracker; import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebgoatContext;
import org.owasp.webgoat.session.WebgoatContext; import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/*************************************************************************************************** /**
* * *************************************************************************************************
* *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, *
* please see http://www.owasp.org/ * This file is part of WebGoat, an Open Web Application Security Project
* * utility. For details, please see http://www.owasp.org/
* Copyright (c) 2002 - 2007 Bruce Mayhew *
* * Copyright (c) 2002 - 2007 Bruce Mayhew
* This program is free software; you can redistribute it and/or modify it under the terms of the *
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * This program is free software; you can redistribute it and/or modify it under
* License, or (at your option) any later version. * the terms of the GNU General Public License as published by the Free Software
* * Foundation; either version 2 of the License, or (at your option) any later
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without * version.
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
* General Public License for more details. * This program is distributed in the hope that it will be useful, but WITHOUT
* * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* You should have received a copy of the GNU General Public License along with this program; if * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * details.
* 02111-1307, USA. *
* * You should have received a copy of the GNU General Public License along with
* Getting Source ============== * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* * Place - Suite 330, Boston, MA 02111-1307, USA.
* Source for this application is maintained at code.google.com, a repository for free software *
* projects. * Getting Source ==============
* *
* For details, please see http://code.google.com/p/webgoat/ * Source for this application is maintained at code.google.com, a repository
* * for free software projects.
* *
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a> * For details, please see http://code.google.com/p/webgoat/
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a> *
* @created October 28, 2003 *
*/ * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect
public class HammerHead extends HttpServlet * Security</a>
{ * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
private static final String WELCOMED = "welcomed"; */
public class HammerHead extends HttpServlet {
/**
* final Logger logger = LoggerFactory.getLogger(HammerHead.class);
*/
private static final long serialVersionUID = 645640331343188020L;
private static final String WELCOMED = "welcomed";
/**
* Description of the Field /**
*/ *
protected static SimpleDateFormat httpDateFormat; */
private static final long serialVersionUID = 645640331343188020L;
/**
* Set the session timeout to be 2 days /**
*/ * Description of the Field
private final static int sessionTimeoutSeconds = 60 * 60 * 24 * 2; */
protected static SimpleDateFormat httpDateFormat;
// private final static int sessionTimeoutSeconds = 1;
/**
/** * Set the session timeout to be 2 days
* Properties file path */
*/ private final static int sessionTimeoutSeconds = 60 * 60 * 24 * 2;
public static String propertiesPath = null;
// private final static int sessionTimeoutSeconds = 1;
/** /**
* provides convenience methods for getting setup information from the ServletContext * Properties file path
*/ */
private WebgoatContext webgoatContext = null; public static String propertiesPath = null;
/** /**
* Description of the Method * provides convenience methods for getting setup information from the
* * ServletContext
* @param request */
* Description of the Parameter private WebgoatContext webgoatContext = null;
* @param response
* Description of the Parameter /**
* @exception IOException * Description of the Method
* Description of the Exception *
* @exception ServletException * @param request Description of the Parameter
* Description of the Exception * @param response Description of the Parameter
*/ * @exception IOException Description of the Exception
public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException * @exception ServletException Description of the Exception
{ */
doPost(request, response); @Override
} public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
doPost(request, response);
/** }
* Description of the Method
* /**
* @param request * Description of the Method
* Description of the Parameter *
* @param response * @param request Description of the Parameter
* Description of the Parameter * @param response Description of the Parameter
* @exception IOException * @exception IOException Description of the Exception
* Description of the Exception * @exception ServletException Description of the Exception
* @exception ServletException */
* Description of the Exception @Override
*/ public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException Screen screen = null;
{
Screen screen = null; WebSession mySession = null;
try {
WebSession mySession = null; // System.out.println( "HH Entering doPost: " );
try // System.out.println( " - HH request " + request);
{ // System.out.println( " - HH principle: " +
// System.out.println( "HH Entering doPost: " ); // request.getUserPrincipal() );
// System.out.println( " - HH request " + request); // setCacheHeaders(response, 0);
// System.out.println( " - HH principle: " + ServletContext context = getServletContext();
// request.getUserPrincipal() );
// setCacheHeaders(response, 0); // FIXME: If a response is written by updateSession(), do not
ServletContext context = getServletContext(); // call makeScreen() and writeScreen()
mySession = updateSession(request, response, context);
// FIXME: If a response is written by updateSession(), do not if (response.isCommitted()) {
// call makeScreen() and writeScreen() return;
mySession = updateSession(request, response, context); }
if (response.isCommitted()) return;
// Note: For the lesson to track the status, we need to update
// Note: For the lesson to track the status, we need to update // the lesson tracker object
// the lesson tracker object // from the screen.createContent() method. The create content is
// from the screen.createContent() method. The create content is // the only point
// the only point // where the lesson "knows" what has happened. To track it at a
// where the lesson "knows" what has happened. To track it at a // latter point would
// latter point would // require the lesson to have memory.
// require the lesson to have memory. screen = makeScreen(mySession); // This calls the lesson's
screen = makeScreen(mySession); // This calls the lesson's // handleRequest()
// handleRequest() if (response.isCommitted()) {
if (response.isCommitted()) return; return;
}
// perform lesson-specific tracking activities
if (screen instanceof AbstractLesson) // perform lesson-specific tracking activities
{ if (screen instanceof AbstractLesson) {
AbstractLesson lesson = (AbstractLesson) screen; AbstractLesson lesson = (AbstractLesson) screen;
// we do not count the initial display of the lesson screen as a visit // we do not count the initial display of the lesson screen as a visit
if ("GET".equals(request.getMethod())) if ("GET".equals(request.getMethod())) {
{ String uri = request.getRequestURI() + "?" + request.getQueryString();
String uri = request.getRequestURI() + "?" + request.getQueryString(); if (!uri.endsWith(lesson.getLink())) {
if (!uri.endsWith(lesson.getLink())) screen.getLessonTracker(mySession).incrementNumVisits(); screen.getLessonTracker(mySession).incrementNumVisits();
} }
else if ("POST".equals(request.getMethod()) } else if ("POST".equals(request.getMethod())
&& mySession.getPreviousScreen() == mySession.getCurrentScreen()) && mySession.getPreviousScreen() == mySession.getCurrentScreen()) {
{ screen.getLessonTracker(mySession).incrementNumVisits();
screen.getLessonTracker(mySession).incrementNumVisits(); }
} }
}
// log the access to this screen for this user
// log the access to this screen for this user UserTracker userTracker = UserTracker.instance();
UserTracker userTracker = UserTracker.instance(); userTracker.update(mySession, screen);
userTracker.update(mySession, screen); log(request, screen.getClass().getName() + " | " + mySession.getParser().toString());
log(request, screen.getClass().getName() + " | " + mySession.getParser().toString());
// Redirect the request to our View servlet
// Redirect the request to our View servlet String userAgent = request.getHeader("user-agent");
String userAgent = request.getHeader("user-agent"); String clientBrowser = "Not known!";
String clientBrowser = "Not known!"; if (userAgent != null) {
if (userAgent != null) clientBrowser = userAgent;
{ }
clientBrowser = userAgent; request.setAttribute("client.browser", clientBrowser);
} request.getSession().setAttribute("websession", mySession);
request.setAttribute("client.browser", clientBrowser); request.getSession().setAttribute("course", mySession.getCourse());
request.getSession().setAttribute("websession", mySession);
request.getSession().setAttribute("course", mySession.getCourse()); request.getRequestDispatcher(getViewPage(mySession)).forward(request, response);
} catch (Throwable t) {
request.getRequestDispatcher(getViewPage(mySession)).forward(request, response); t.printStackTrace();
} catch (Throwable t) log("ERROR: " + t);
{ screen = new ErrorScreen(mySession, t);
t.printStackTrace(); } finally {
log("ERROR: " + t); try {
screen = new ErrorScreen(mySession, t); this.writeScreen(mySession, screen, response);
} finally } catch (Throwable thr) {
{ thr.printStackTrace();
try log(request, "Could not write error screen: " + thr.getMessage());
{ }
this.writeScreen(mySession, screen, response); WebSession.returnConnection(mySession);
} catch (Throwable thr) // System.out.println( "HH Leaving doPost: " );
{ }
thr.printStackTrace(); }
log(request, "Could not write error screen: " + thr.getMessage());
} private String getViewPage(WebSession webSession) {
WebSession.returnConnection(mySession); String page;
// System.out.println( "HH Leaving doPost: " );
} // If this session has not seen the landing page yet, go there instead.
} HttpSession session = webSession.getRequest().getSession();
if (session.getAttribute(WELCOMED) == null) {
private String getViewPage(WebSession webSession) session.setAttribute(WELCOMED, "true");
{ page = "/webgoat.jsp";
String page; } else {
page = "/main.jsp";
// If this session has not seen the landing page yet, go there instead. }
HttpSession session = webSession.getRequest().getSession();
if (session.getAttribute(WELCOMED) == null) return page;
{ }
session.setAttribute(WELCOMED, "true");
page = "/webgoat.jsp"; /**
} * Description of the Method
else *
page = "/main.jsp"; * @param date Description of the Parameter
* @return RFC 1123 http date format
return page; */
} protected static String formatHttpDate(Date date) {
synchronized (httpDateFormat) {
/** return httpDateFormat.format(date);
* Description of the Method }
* }
* @param date
* Description of the Parameter /**
* @return RFC 1123 http date format * Return information about this servlet
*/ *
protected static String formatHttpDate(Date date) * @return The servletInfo value
{ */
synchronized (httpDateFormat) @Override
{ public String getServletInfo() {
return httpDateFormat.format(date); return "WebGoat is sponsored by Aspect Security.";
} }
}
/**
/** * Return properties path
* Return information about this servlet *
* * @throws javax.servlet.ServletException
* @return The servletInfo value */
*/ @Override
public String getServletInfo() public void init() throws ServletException {
{ httpDateFormat = new SimpleDateFormat("EEE, dd MMM yyyyy HH:mm:ss z", Locale.US);
return "WebGoat is sponsored by Aspect Security."; httpDateFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
} propertiesPath = getServletContext().getRealPath("./WEB-INF/webgoat.properties");
webgoatContext = new WebgoatContext(this);
/** }
* Return properties path
* /**
* @return servlet context path + WEB_INF * Description of the Method
*/ *
public void init() throws ServletException * @param request Description of the Parameter
{ * @param message Description of the Parameter
httpDateFormat = new SimpleDateFormat("EEE, dd MMM yyyyy HH:mm:ss z", Locale.US); */
httpDateFormat.setTimeZone(TimeZone.getTimeZone("GMT")); public void log(HttpServletRequest request, String message) {
propertiesPath = getServletContext().getRealPath("./WEB-INF/webgoat.properties"); String output = new Date() + " | " + request.getRemoteHost() + ":" + request.getRemoteAddr() + " | " + message;
webgoatContext = new WebgoatContext(this); log(output);
} logger.debug(output);
}
/**
* Description of the Method /*
* * public List getLessons(Category category, String role) { Course course =
* @param request * mySession.getCourse(); // May need to clone the List before returning it. //return new
* Description of the Parameter * ArrayList(course.getLessons(category, role)); return course.getLessons(category, role); }
* @param message */
* Description of the Parameter /**
*/ * Description of the Method
public void log(HttpServletRequest request, String message) *
{ * @param s Description of the Parameter
String output = new Date() + " | " + request.getRemoteHost() + ":" + request.getRemoteAddr() + " | " + message; * @return Description of the Return Value
log(output); */
System.out.println(output); protected Screen makeScreen(WebSession s) {
} Screen screen = null;
int scr = s.getCurrentScreen();
/* Course course = s.getCourse();
* public List getLessons(Category category, String role) { Course course =
* mySession.getCourse(); // May need to clone the List before returning it. //return new if (s.isUser() || s.isChallenge()) {
* ArrayList(course.getLessons(category, role)); return course.getLessons(category, role); } if (scr == WebSession.WELCOME) {
*/ screen = new WelcomeScreen(s);
} else {
/** AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
* Description of the Method if (lesson == null && s.isHackedAdmin()) {
* // If admin was hacked, let the user see some of the
* @param s // admin screens
* Description of the Parameter lesson = course.getLesson(s, scr, AbstractLesson.HACKED_ADMIN_ROLE);
* @return Description of the Return Value }
*/
protected Screen makeScreen(WebSession s) if (lesson != null) {
{ screen = lesson;
Screen screen = null;
int scr = s.getCurrentScreen(); // We need to do some bookkeeping for the hackable admin
Course course = s.getCourse(); // interface.
// This is the only place we can tell if the user
if (s.isUser() || s.isChallenge()) // successfully hacked the hackable
{ // admin and has actually accessed an admin screen. You
if (scr == WebSession.WELCOME) // need BOTH pieces of information
{ // in order to satisfy the remote admin lesson.
screen = new WelcomeScreen(s); s.setHasHackableAdmin(screen.getRole());
}
else lesson.handleRequest(s);
{ s.setCurrentMenu(lesson.getCategory().getRanking());
AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE); } else {
if (lesson == null && s.isHackedAdmin()) screen = new ErrorScreen(s, "Invalid screen requested. Try: http://localhost/WebGoat/attack");
{ }
// If admin was hacked, let the user see some of the }
// admin screens } else if (s.isAdmin()) {
lesson = course.getLesson(s, scr, AbstractLesson.HACKED_ADMIN_ROLE); if (scr == WebSession.WELCOME) {
} screen = new WelcomeAdminScreen(s);
} else {
if (lesson != null) // Admin can see all roles.
{ // FIXME: should be able to pass a list of roles.
screen = lesson; AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.ADMIN_ROLE);
if (lesson == null) {
// We need to do some bookkeeping for the hackable admin lesson = course.getLesson(s, scr, AbstractLesson.HACKED_ADMIN_ROLE);
// interface. }
// This is the only place we can tell if the user if (lesson == null) {
// successfully hacked the hackable lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
// admin and has actually accessed an admin screen. You }
// need BOTH pieces of information
// in order to satisfy the remote admin lesson. if (lesson != null) {
screen = lesson;
s.setHasHackableAdmin(screen.getRole());
// We need to do some bookkeeping for the hackable admin
lesson.handleRequest(s); // interface.
s.setCurrentMenu(lesson.getCategory().getRanking()); // This is the only place we can tell if the user
} // successfully hacked the hackable
else // admin and has actually accessed an admin screen. You
{ // need BOTH pieces of information
screen = new ErrorScreen(s, "Invalid screen requested. Try: http://localhost/WebGoat/attack"); // in order to satisfy the remote admin lesson.
} s.setHasHackableAdmin(screen.getRole());
}
} lesson.handleRequest(s);
else if (s.isAdmin()) s.setCurrentMenu(lesson.getCategory().getRanking());
{ } else {
if (scr == WebSession.WELCOME) screen = new ErrorScreen(s,
{ "Invalid screen requested. Try Setting Admin to false or Try: http://localhost/WebGoat/attack");
screen = new WelcomeAdminScreen(s); }
} }
else }
{
// Admin can see all roles. return (screen);
// FIXME: should be able to pass a list of roles. }
AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.ADMIN_ROLE);
if (lesson == null) /**
{ * This method sets the required expiration headers in the response for a
lesson = course.getLesson(s, scr, AbstractLesson.HACKED_ADMIN_ROLE); * given RunData object. This method attempts to set all relevant headers,
} * both for HTTP 1.0 and HTTP 1.1.
if (lesson == null) *
{ * @param response The new cacheHeaders value
lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE); * @param expiry The new cacheHeaders value
} */
protected static void setCacheHeaders(HttpServletResponse response, int expiry) {
if (lesson != null) if (expiry == 0) {
{ response.setHeader("Pragma", "no-cache");
screen = lesson; response.setHeader("Cache-Control", "no-cache");
response.setHeader("Expires", formatHttpDate(new Date()));
// We need to do some bookkeeping for the hackable admin } else {
// interface. Date expiryDate = new Date(System.currentTimeMillis() + expiry);
// This is the only place we can tell if the user response.setHeader("Expires", formatHttpDate(expiryDate));
// successfully hacked the hackable }
// admin and has actually accessed an admin screen. You }
// need BOTH pieces of information
// in order to satisfy the remote admin lesson. /**
* Description of the Method
s.setHasHackableAdmin(screen.getRole()); *
* @param request Description of the Parameter
lesson.handleRequest(s); * @param response Description of the Parameter
s.setCurrentMenu(lesson.getCategory().getRanking()); * @param context Description of the Parameter
} * @return Description of the Return Value
else * @throws java.io.IOException
{ */
screen = new ErrorScreen(s, protected WebSession updateSession(HttpServletRequest request, HttpServletResponse response, ServletContext context)
"Invalid screen requested. Try Setting Admin to false or Try: http://localhost/WebGoat/attack"); throws IOException {
} HttpSession hs;
} hs = request.getSession(true);
}
// System.out.println( "HH Entering Session_id: " + hs.getId() );
return (screen); // dumpSession( hs );
} // Get our session object out of the HTTP session
WebSession session = null;
/** Object o = hs.getAttribute(WebSession.SESSION);
* This method sets the required expiration headers in the response for a given RunData object.
* This method attempts to set all relevant headers, both for HTTP 1.0 and HTTP 1.1. if ((o != null) && o instanceof WebSession) {
* session = (WebSession) o;
* @param response } else {
* The new cacheHeaders value // Create new custom session and save it in the HTTP session
* @param expiry // System.out.println( "HH Creating new WebSession: " );
* The new cacheHeaders value session = new WebSession(webgoatContext, context);
*/ // Ensure splash screen shows on any restart
protected static void setCacheHeaders(HttpServletResponse response, int expiry) hs.removeAttribute(WELCOMED);
{ hs.setAttribute(WebSession.SESSION, session);
if (expiry == 0) // reset timeout
{ hs.setMaxInactiveInterval(sessionTimeoutSeconds);
response.setHeader("Pragma", "no-cache");
response.setHeader("Cache-Control", "no-cache"); }
response.setHeader("Expires", formatHttpDate(new Date()));
} session.update(request, response, this.getServletName());
else
{ // to authenticate
Date expiryDate = new Date(System.currentTimeMillis() + expiry); // System.out.println( "HH Leaving Session_id: " + hs.getId() );
response.setHeader("Expires", formatHttpDate(expiryDate)); // dumpSession( hs );
} return (session);
} }
/** /**
* Description of the Method * Description of the Method
* *
* @param request * @param s Description of the Parameter
* Description of the Parameter * @param screen
* @param response * @param response Description of the Parameter
* Description of the Parameter * @exception IOException Description of the Exception
* @param context */
* Description of the Parameter protected void writeScreen(WebSession s, Screen screen, HttpServletResponse response) throws IOException {
* @return Description of the Return Value response.setContentType("text/html");
*/
protected WebSession updateSession(HttpServletRequest request, HttpServletResponse response, ServletContext context) PrintWriter out = response.getWriter();
throws IOException
{ if (s == null) {
HttpSession hs; screen = new ErrorScreen(s, "Page to display was null");
hs = request.getSession(true); }
// System.out.println( "HH Entering Session_id: " + hs.getId() ); // set the content-length of the response.
// dumpSession( hs ); // Trying to avoid chunked-encoding. (Aspect required)
// Get our session object out of the HTTP session response.setContentLength(screen.getContentLength());
WebSession session = null; response.setHeader("Content-Length", screen.getContentLength() + "");
Object o = hs.getAttribute(WebSession.SESSION);
screen.output(out);
if ((o != null) && o instanceof WebSession) out.close();
{ }
session = (WebSession) o; }
}
else
{
// Create new custom session and save it in the HTTP session
// System.out.println( "HH Creating new WebSession: " );
session = new WebSession(webgoatContext, context);
// Ensure splash screen shows on any restart
hs.removeAttribute(WELCOMED);
hs.setAttribute(WebSession.SESSION, session);
// reset timeout
hs.setMaxInactiveInterval(sessionTimeoutSeconds);
}
session.update(request, response, this.getServletName());
// to authenticate
// System.out.println( "HH Leaving Session_id: " + hs.getId() );
// dumpSession( hs );
return (session);
}
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @param response
* Description of the Parameter
* @exception IOException
* Description of the Exception
*/
protected void writeScreen(WebSession s, Screen screen, HttpServletResponse response) throws IOException
{
response.setContentType("text/html");
PrintWriter out = response.getWriter();
if (s == null)
{
screen = new ErrorScreen(s, "Page to display was null");
}
// set the content-length of the response.
// Trying to avoid chunked-encoding. (Aspect required)
response.setContentLength(screen.getContentLength());
response.setHeader("Content-Length", screen.getContentLength() + "");
screen.output(out);
out.close();
}
}
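Review bot: The new `catch (Throwable t)` in doPost still calls `t.printStackTrace()` and `log("ERROR: " + t)`, so the stack trace never reaches the SLF4J logger this commit introduces; replace both lines with `logger.error("Unhandled error while servicing request", t)` so the cause is kept in one place. The rewritten `log(HttpServletRequest, String)` also emits the same line twice (`log(output)` to the container log and `logger.debug(output)`), and that line embeds `mySession.getParser().toString()`, which looks like the raw request parameters — untrusted text written verbatim into the log, so CR/LF should be stripped from it before logging to prevent log forging, and any lesson credentials it carries will end up in the debug log. In this rendering the `logger` field appears only inside a `/** ... */` comment above `serialVersionUID`; if that is not a display artifact, `logger.debug(output)` does not compile and the field needs to be declared as `private static final Logger logger = LoggerFactory.getLogger(HammerHead.class);`. Separately, writeScreen's guard `if (s == null)` tests the session rather than the screen, so an early `return` after `response.isCommitted()` reaches the finally block with `screen == null` and NPEs at `screen.getContentLength()`, which is then logged as "Could not write error screen"; the check should be `if (screen == null)`.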

604
pom.xml

@ -1,320 +1,326 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion> <modelVersion>4.0.0</modelVersion>
<groupId>WebGoat</groupId> <groupId>WebGoat</groupId>
<artifactId>WebGoat</artifactId> <artifactId>WebGoat</artifactId>
<packaging>war</packaging> <packaging>war</packaging>
<version>6.0-SNAPSHOT</version> <version>6.0-SNAPSHOT</version>
<repositories> <repositories>
<repository> <repository>
<id>maven2-repository.dev.java.net</id> <id>maven2-repository.dev.java.net</id>
<name>Java.net Maven 2 Repository</name> <name>Java.net Maven 2 Repository</name>
<url>http://download.java.net/maven/2</url> <url>http://download.java.net/maven/2</url>
</repository> </repository>
</repositories> </repositories>
<!-- Shared version number properties --> <!-- Shared version number properties -->
<properties> <properties>
<org.springframework.version>3.2.4.RELEASE</org.springframework.version> <org.springframework.version>3.2.4.RELEASE</org.springframework.version>
<spring.security.version>3.2.4.RELEASE</spring.security.version> <spring.security.version>3.2.4.RELEASE</spring.security.version>
<tiles.version>2.2.2</tiles.version> <tiles.version>2.2.2</tiles.version>
</properties> </properties>
<build> <build>
<sourceDirectory>${basedir}/java</sourceDirectory> <sourceDirectory>${basedir}/java</sourceDirectory>
<resources> <resources>
<resource> <resource>
<directory>${basedir}/java</directory> <directory>${basedir}/java</directory>
</resource> </resource>
<resource> <resource>
<directory>${basedir}/resources</directory> <directory>${basedir}/resources</directory>
</resource> </resource>
</resources> </resources>
<plugins> <plugins>
<plugin> <plugin>
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId> <artifactId>maven-compiler-plugin</artifactId>
<configuration> <configuration>
<source>1.6</source> <source>1.6</source>
<target>1.6</target> <target>1.6</target>
<encoding>ISO-8859-1</encoding> <encoding>ISO-8859-1</encoding>
</configuration> </configuration>
</plugin> </plugin>
<plugin> <plugin>
<artifactId>maven-eclipse-plugin</artifactId> <artifactId>maven-eclipse-plugin</artifactId>
<configuration> <configuration>
<wtpversion>1.5</wtpversion> <wtpversion>1.5</wtpversion>
<sourceIncludes> <sourceIncludes>
<sourceInclude>${basedir}/java/**/*.java</sourceInclude> <sourceInclude>${basedir}/java/**/*.java</sourceInclude>
</sourceIncludes> </sourceIncludes>
</configuration> </configuration>
</plugin> </plugin>
<plugin> <plugin>
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-war-plugin</artifactId> <artifactId>maven-war-plugin</artifactId>
<configuration> <configuration>
<warSourceDirectory>${basedir}/webapp</warSourceDirectory> <warSourceDirectory>${basedir}/webapp</warSourceDirectory>
</configuration> </configuration>
</plugin> </plugin>
<plugin> <plugin>
<groupId>org.codehaus.mojo</groupId> <groupId>org.codehaus.mojo</groupId>
<artifactId>tomcat-maven-plugin</artifactId> <artifactId>tomcat-maven-plugin</artifactId>
<configuration> <configuration>
<url>http://localhost:8080/manager</url> <url>http://localhost:8080/manager</url>
<additionalConfigFilesDir>${basedir}/tomcatconf</additionalConfigFilesDir> <additionalConfigFilesDir>${basedir}/tomcatconf</additionalConfigFilesDir>
</configuration> </configuration>
</plugin> </plugin>
</plugins> </plugins>
</build> </build>
<dependencies> <dependencies>
<dependency> <dependency>
<groupId>javax.activation</groupId> <groupId>javax.activation</groupId>
<artifactId>activation</artifactId> <artifactId>activation</artifactId>
<version>1.1</version> <version>1.1</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>axis</groupId> <groupId>axis</groupId>
<artifactId>axis</artifactId> <artifactId>axis</artifactId>
<version>1.2</version> <version>1.2</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>axis</groupId> <groupId>axis</groupId>
<artifactId>axis-saaj</artifactId> <artifactId>axis-saaj</artifactId>
<version>1.2</version> <version>1.2</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>axis</groupId> <groupId>axis</groupId>
<artifactId>axis-jaxrpc</artifactId> <artifactId>axis-jaxrpc</artifactId>
<version>1.2</version> <version>1.2</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>axis</groupId> <groupId>axis</groupId>
<artifactId>axis-ant</artifactId> <artifactId>axis-ant</artifactId>
<version>1.2</version> <version>1.2</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>commons-fileupload</groupId> <groupId>commons-fileupload</groupId>
<artifactId>commons-fileupload</artifactId> <artifactId>commons-fileupload</artifactId>
<version>1.2.1</version> <version>1.2.1</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>commons-io</groupId> <groupId>commons-io</groupId>
<artifactId>commons-io</artifactId> <artifactId>commons-io</artifactId>
<version>1.4</version> <version>1.4</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>commons-collections</groupId> <groupId>commons-collections</groupId>
<artifactId>commons-collections</artifactId> <artifactId>commons-collections</artifactId>
<version>3.1</version> <version>3.1</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>commons-digester</groupId> <groupId>commons-digester</groupId>
<artifactId>commons-digester</artifactId> <artifactId>commons-digester</artifactId>
<version>1.4.1</version> <version>1.4.1</version>
<exclusions> <exclusions>
<exclusion> <exclusion>
<groupId>xml-apis</groupId> <groupId>xml-apis</groupId>
<artifactId>xml-apis</artifactId> <artifactId>xml-apis</artifactId>
</exclusion> </exclusion>
</exclusions> </exclusions>
</dependency> </dependency>
<dependency> <dependency>
<groupId>commons-logging</groupId> <groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId> <artifactId>commons-logging</artifactId>
<version>1.0.4</version> <version>1.1.3</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>commons-discovery</groupId> <groupId>org.slf4j</groupId>
<artifactId>commons-discovery</artifactId> <artifactId>jcl-over-slf4j</artifactId>
<version>0.2</version> <version>1.7.7</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>javax.mail</groupId> <groupId>commons-discovery</groupId>
<artifactId>mail</artifactId> <artifactId>commons-discovery</artifactId>
<version>1.4.2</version> <version>0.2</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>javax.mail</groupId> <groupId>javax.mail</groupId>
<artifactId>mailapi</artifactId> <artifactId>mail</artifactId>
<version>1.4.2</version> <version>1.4.2</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>hsqldb</groupId> <groupId>javax.mail</groupId>
<artifactId>hsqldb</artifactId> <artifactId>mailapi</artifactId>
<version>1.8.0.7</version> <version>1.4.2</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>log4j</groupId> <groupId>hsqldb</groupId>
<artifactId>log4j</artifactId> <artifactId>hsqldb</artifactId>
<version>1.2.8</version> <version>1.8.0.7</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>wsdl4j</groupId> <groupId>log4j</groupId>
<artifactId>wsdl4j</artifactId> <artifactId>log4j</artifactId>
<version>1.5.1</version> <version>1.2.17</version>
</dependency> </dependency>
<dependency>
<groupId>java2html</groupId> <dependency>
<artifactId>j2h</artifactId> <groupId>wsdl4j</groupId>
<version>1.3.1</version> <artifactId>wsdl4j</artifactId>
</dependency> <version>1.5.1</version>
<dependency> </dependency>
<groupId>ecs</groupId> <dependency>
<artifactId>ecs</artifactId> <groupId>java2html</groupId>
<version>1.4.2</version> <artifactId>j2h</artifactId>
</dependency> <version>1.3.1</version>
<dependency> </dependency>
<groupId>javax.transaction</groupId> <dependency>
<artifactId>jta</artifactId> <groupId>ecs</groupId>
<version>1.0.1B</version> <artifactId>ecs</artifactId>
</dependency> <version>1.4.2</version>
<dependency> </dependency>
<groupId>net.sourceforge.jtds</groupId> <dependency>
<artifactId>jtds</artifactId> <groupId>javax.transaction</groupId>
<version>1.2.2</version> <artifactId>jta</artifactId>
</dependency> <version>1.0.1B</version>
<dependency> </dependency>
<groupId>org.apache.tomcat</groupId> <dependency>
<artifactId>tomcat-catalina</artifactId> <groupId>net.sourceforge.jtds</groupId>
<version>7.0.27</version> <artifactId>jtds</artifactId>
<scope>provided</scope> <version>1.2.2</version>
</dependency> </dependency>
<dependency>
<groupId>org.apache.tomcat</groupId>
<artifactId>tomcat-catalina</artifactId>
<version>7.0.27</version>
<scope>provided</scope>
</dependency>
<!-- ************* spring MVC and related dependencies ************** --> <!-- ************* spring MVC and related dependencies ************** -->
<!-- servlet API --> <!-- servlet API -->
<dependency> <dependency>
<groupId>javax</groupId> <groupId>javax</groupId>
<artifactId>javaee-api</artifactId> <artifactId>javaee-api</artifactId>
<version>6.0</version> <version>6.0</version>
<scope>provided</scope> <scope>provided</scope>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.springframework</groupId> <groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId> <artifactId>spring-core</artifactId>
<version>${org.springframework.version}</version> <version>${org.springframework.version}</version>
</dependency> </dependency>
<!-- Spring MVC framework --> <!-- Spring MVC framework -->
<dependency> <dependency>
<groupId>org.springframework</groupId> <groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId> <artifactId>spring-webmvc</artifactId>
<version>${org.springframework.version}</version> <version>${org.springframework.version}</version>
<type>jar</type> <type>jar</type>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.springframework.security</groupId> <groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId> <artifactId>spring-security-core</artifactId>
<version>${spring.security.version}</version> <version>${spring.security.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.springframework.security</groupId> <groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId> <artifactId>spring-security-config</artifactId>
<version>${spring.security.version}</version> <version>${spring.security.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.springframework.security</groupId> <groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId> <artifactId>spring-security-web</artifactId>
<version>${spring.security.version}</version> <version>${spring.security.version}</version>
</dependency> </dependency>
<!-- Apache Commons Upload --> <!-- Apache Commons Upload -->
<dependency> <dependency>
<groupId>commons-fileupload</groupId> <groupId>commons-fileupload</groupId>
<artifactId>commons-fileupload</artifactId> <artifactId>commons-fileupload</artifactId>
<version>1.2.2</version> <version>1.2.2</version>
</dependency> </dependency>
<!-- Apache Commons Upload --> <!-- Apache Commons Upload -->
<dependency> <dependency>
<groupId>commons-io</groupId> <groupId>commons-io</groupId>
<artifactId>commons-io</artifactId> <artifactId>commons-io</artifactId>
<version>1.3.2</version> <version>1.3.2</version>
</dependency> </dependency>
<!-- JSTL --> <!-- JSTL -->
<dependency> <dependency>
<groupId>javax.servlet</groupId> <groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId> <artifactId>jstl</artifactId>
<version>1.2</version> <version>1.2</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>taglibs</groupId> <groupId>taglibs</groupId>
<artifactId>standard</artifactId> <artifactId>standard</artifactId>
<version>1.1.2</version> <version>1.1.2</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>log4j</groupId> <groupId>log4j</groupId>
<artifactId>log4j</artifactId> <artifactId>log4j</artifactId>
<version>1.2.15</version> <version>1.2.17</version>
<exclusions> <exclusions>
<exclusion> <exclusion>
<groupId>javax.jms</groupId> <groupId>javax.jms</groupId>
<artifactId>jms</artifactId> <artifactId>jms</artifactId>
</exclusion> </exclusion>
<exclusion> <exclusion>
<groupId>com.sun.jdmk</groupId> <groupId>com.sun.jdmk</groupId>
<artifactId>jmxtools</artifactId> <artifactId>jmxtools</artifactId>
</exclusion> </exclusion>
<exclusion> <exclusion>
<groupId>com.sun.jmx</groupId> <groupId>com.sun.jmx</groupId>
<artifactId>jmxri</artifactId> <artifactId>jmxri</artifactId>
</exclusion> </exclusion>
</exclusions> </exclusions>
</dependency> </dependency>
<dependency> <dependency>
<groupId>junit</groupId> <groupId>junit</groupId>
<artifactId>junit</artifactId> <artifactId>junit</artifactId>
<version>4.8.1</version> <version>4.8.1</version>
<type>jar</type> <type>jar</type>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.apache.tiles</groupId> <groupId>org.apache.tiles</groupId>
<artifactId>tiles-core</artifactId> <artifactId>tiles-core</artifactId>
<version>${tiles.version}</version> <version>${tiles.version}</version>
<type>jar</type> <type>jar</type>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.apache.tiles</groupId> <groupId>org.apache.tiles</groupId>
<artifactId>tiles-template</artifactId> <artifactId>tiles-template</artifactId>
<version>${tiles.version}</version> <version>${tiles.version}</version>
<type>jar</type> <type>jar</type>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.apache.tiles</groupId> <groupId>org.apache.tiles</groupId>
<artifactId>tiles-servlet</artifactId> <artifactId>tiles-servlet</artifactId>
<version>${tiles.version}</version> <version>${tiles.version}</version>
<type>jar</type> <type>jar</type>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.apache.tiles</groupId> <groupId>org.apache.tiles</groupId>
<artifactId>tiles-jsp</artifactId> <artifactId>tiles-jsp</artifactId>
<version>${tiles.version}</version> <version>${tiles.version}</version>
<type>jar</type> <type>jar</type>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.slf4j</groupId> <groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId> <artifactId>slf4j-api</artifactId>
<version>1.5.8</version> <version>1.7.7</version>
<type>jar</type> <type>jar</type>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.slf4j</groupId> <groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId> <artifactId>slf4j-log4j12</artifactId>
<version>1.5.8</version> <version>1.7.7</version>
<type>jar</type> <type>jar</type>
</dependency> </dependency>
<!-- ************* END spring MVC and related dependencies ************** --> <!-- ************* END spring MVC and related dependencies ************** -->
</dependencies> </dependencies>
</project> </project>
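Review bot: The new jcl-over-slf4j dependency is added while commons-logging 1.1.3 is kept in the same dependency list; both jars provide the org.apache.commons.logging package, so which LogFactory is loaded depends on classpath order and commons-logging callers may bypass SLF4J and the new log4j.properties routing entirely. Remove the commons-logging dependency and exclude it from artifacts that are likely to pull it in transitively (spring-core, as far as I can tell) so that jcl-over-slf4j is the only copy of that package on the classpath. The pom also now declares log4j 1.2.17 twice, once without the jms/jmxtools/jmxri exclusions and once with them; Maven warns on duplicate dependency coordinates and, as far as I recall, silently keeps only the last one, so a single declaration carrying the exclusions is what you want. The same duplicate pattern exists for commons-fileupload and commons-io, though that predates this commit.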


@ -0,0 +1,32 @@
log4j.rootLogger=INFO, MAIN_LOG, ERROR_LOG
# MAIN - everything gets logged here
log4j.appender.MAIN_LOG=org.apache.log4j.RollingFileAppender
log4j.appender.MAIN_LOG.File=${catalina.home}/logs/webgoat_main.log
log4j.appender.MAIN_LOG.layout=org.apache.log4j.PatternLayout
log4j.appender.MAIN_LOG.layout.ConversionPattern=%d [%t] %-5p %c %x - %m%n
log4j.appender.MAIN_LOG.MaxFileSize=10MB
log4j.appender.MAIN_LOG.MaxBackupIndex=5
log4j.appender.MAIN_LOG.append=true
# ERROR
log4j.appender.ERROR_LOG=org.apache.log4j.RollingFileAppender
log4j.appender.ERROR_LOG.File=${catalina.home}/logs/webgoat_error.log
log4j.appender.ERROR_LOG.layout=org.apache.log4j.PatternLayout
log4j.appender.ERROR_LOG.layout.ConversionPattern=%d [%t] %-5p %x - %m%n
log4j.appender.ERROR_LOG.MaxFileSize=10MB
log4j.appender.ERROR_LOG.MaxBackupIndex=2
log4j.appender.ERROR_LOG.append=true
log4j.appender.ERROR_LOG.Threshold=ERROR
# PERFORMANCE
log4j.logger.PERF_LOG=DEBUG, PERF_LOG
log4j.appender.PERF_LOG=org.apache.log4j.RollingFileAppender
log4j.appender.PERF_LOG.File=${catalina.home}/logs/webgoat_perf.log
log4j.appender.PERF_LOG.layout=org.apache.log4j.PatternLayout
log4j.appender.PERF_LOG.layout.ConversionPattern=%m%n
log4j.appender.PERF_LOG.MaxFileSize=10MB
log4j.appender.PERF_LOG.MaxBackupIndex=2
log4j.appender.PERF_LOG.append=true
log4j.additivity.PERF_LOG = false
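Review bot: The PERF_LOG layout `ConversionPattern=%m%n` writes no timestamp, thread or level, so entries in webgoat_perf.log cannot be correlated with webgoat_main.log or webgoat_error.log; `log4j.appender.PERF_LOG.layout.ConversionPattern=%d [%t] %m%n` keeps the line compact but makes it attributable. The ERROR_LOG pattern likewise drops `%c`, so an error line cannot be traced back to the logger that emitted it. Note that log4j 1.x layouts do not escape `%m`, so any request-derived value that ends up in a log message (a user name, a lesson parameter) can embed newlines and forge extra lines in these files; sanitising has to happen at the logging call sites, and a comment at the top of this file saying so would help the next person who adds a `log.info` with request data. It is also worth a one-line comment stating that the file is picked up from `${basedir}/resources` on the classpath, since nothing here says how it is loaded.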


@ -328,6 +328,10 @@
<extension>wmv</extension> <extension>wmv</extension>
<mime-type>video/x-ms-wmv</mime-type> <mime-type>video/x-ms-wmv</mime-type>
</mime-mapping> </mime-mapping>
<welcome-file-list>
<welcome-file>login.do</welcome-file>
</welcome-file-list>
<!-- Define reference to the user database for looking up roles --> <!-- Define reference to the user database for looking up roles -->
<!-- <!--