dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

work on logging

Browse Source
This commit is contained in:
lawson89 2014-06-03 14:39:21 -04:00
parent c8ec75b5f2
commit 10be6757af
4 changed files with 771 additions and 781 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

270
java/org/owasp/webgoat/HammerHead.java
View File

@ -1,4 +1,3 @@
package org.owasp.webgoat;
import java.io.IOException;
@ -22,42 +21,49 @@ import org.owasp.webgoat.session.Screen;
import org.owasp.webgoat.session.UserTracker;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.session.WebgoatContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/***************************************************************************************************
/**
* *************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository for free software
* projects.
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect
* Security</a>
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
public class HammerHead extends HttpServlet
{
public class HammerHead extends HttpServlet {
final Logger logger = LoggerFactory.getLogger(HammerHead.class);
private static final String WELCOMED = "welcomed";
@ -77,53 +83,44 @@ public class HammerHead extends HttpServlet
private final static int sessionTimeoutSeconds = 60 * 60 * 24 * 2;
// private final static int sessionTimeoutSeconds = 1;
/**
* Properties file path
*/
public static String propertiesPath = null;
/**
* provides convenience methods for getting setup information from the ServletContext
* provides convenience methods for getting setup information from the
* ServletContext
*/
private WebgoatContext webgoatContext = null;
/**
* Description of the Method
*
* @param request
* Description of the Parameter
* @param response
* Description of the Parameter
* @exception IOException
* Description of the Exception
* @exception ServletException
* Description of the Exception
* @param request Description of the Parameter
* @param response Description of the Parameter
* @exception IOException Description of the Exception
* @exception ServletException Description of the Exception
*/
public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException
{
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
doPost(request, response);
}
/**
* Description of the Method
*
* @param request
* Description of the Parameter
* @param response
* Description of the Parameter
* @exception IOException
* Description of the Exception
* @exception ServletException
* Description of the Exception
* @param request Description of the Parameter
* @param response Description of the Parameter
* @exception IOException Description of the Exception
* @exception ServletException Description of the Exception
*/
public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException
{
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
Screen screen = null;
WebSession mySession = null;
try
{
try {
// System.out.println( "HH Entering doPost: " );
// System.out.println( " - HH request " + request);
// System.out.println( " - HH principle: " +
@ -134,7 +131,9 @@ public class HammerHead extends HttpServlet
// FIXME: If a response is written by updateSession(), do not
// call makeScreen() and writeScreen()
mySession = updateSession(request, response, context);
if (response.isCommitted()) return;
if (response.isCommitted()) {
return;
}
// Note: For the lesson to track the status, we need to update
// the lesson tracker object
@ -145,22 +144,22 @@ public class HammerHead extends HttpServlet
// require the lesson to have memory.
screen = makeScreen(mySession); // This calls the lesson's
// handleRequest()
if (response.isCommitted()) return;
if (response.isCommitted()) {
return;
}
// perform lesson-specific tracking activities
if (screen instanceof AbstractLesson)
{
if (screen instanceof AbstractLesson) {
AbstractLesson lesson = (AbstractLesson) screen;
// we do not count the initial display of the lesson screen as a visit
if ("GET".equals(request.getMethod()))
{
if ("GET".equals(request.getMethod())) {
String uri = request.getRequestURI() + "?" + request.getQueryString();
if (!uri.endsWith(lesson.getLink())) screen.getLessonTracker(mySession).incrementNumVisits();
if (!uri.endsWith(lesson.getLink())) {
screen.getLessonTracker(mySession).incrementNumVisits();
}
else if ("POST".equals(request.getMethod())
&& mySession.getPreviousScreen() == mySession.getCurrentScreen())
{
} else if ("POST".equals(request.getMethod())
&& mySession.getPreviousScreen() == mySession.getCurrentScreen()) {
screen.getLessonTracker(mySession).incrementNumVisits();
}
}
@ -173,8 +172,7 @@ public class HammerHead extends HttpServlet
// Redirect the request to our View servlet
String userAgent = request.getHeader("user-agent");
String clientBrowser = "Not known!";
if (userAgent != null)
{
if (userAgent != null) {
clientBrowser = userAgent;
}
request.setAttribute("client.browser", clientBrowser);
@ -182,18 +180,14 @@ public class HammerHead extends HttpServlet
request.getSession().setAttribute("course", mySession.getCourse());
request.getRequestDispatcher(getViewPage(mySession)).forward(request, response);
} catch (Throwable t)
{
} catch (Throwable t) {
t.printStackTrace();
log("ERROR: " + t);
screen = new ErrorScreen(mySession, t);
} finally
{
try
{
} finally {
try {
this.writeScreen(mySession, screen, response);
} catch (Throwable thr)
{
} catch (Throwable thr) {
thr.printStackTrace();
log(request, "Could not write error screen: " + thr.getMessage());
}
@ -202,19 +196,17 @@ public class HammerHead extends HttpServlet
}
}
private String getViewPage(WebSession webSession)
{
private String getViewPage(WebSession webSession) {
String page;
// If this session has not seen the landing page yet, go there instead.
HttpSession session = webSession.getRequest().getSession();
if (session.getAttribute(WELCOMED) == null)
{
if (session.getAttribute(WELCOMED) == null) {
session.setAttribute(WELCOMED, "true");
page = "/webgoat.jsp";
}
else
} else {
page = "/main.jsp";
}
return page;
}
@ -222,14 +214,11 @@ public class HammerHead extends HttpServlet
/**
* Description of the Method
*
* @param date
* Description of the Parameter
* @param date Description of the Parameter
* @return RFC 1123 http date format
*/
protected static String formatHttpDate(Date date)
{
synchronized (httpDateFormat)
{
protected static String formatHttpDate(Date date) {
synchronized (httpDateFormat) {
return httpDateFormat.format(date);
}
}
@ -239,18 +228,18 @@ public class HammerHead extends HttpServlet
*
* @return The servletInfo value
*/
public String getServletInfo()
{
@Override
public String getServletInfo() {
return "WebGoat is sponsored by Aspect Security.";
}
/**
* Return properties path
*
* @return servlet context path + WEB_INF
* @throws javax.servlet.ServletException
*/
public void init() throws ServletException
{
@Override
public void init() throws ServletException {
httpDateFormat = new SimpleDateFormat("EEE, dd MMM yyyyy HH:mm:ss z", Locale.US);
httpDateFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
propertiesPath = getServletContext().getRealPath("./WEB-INF/webgoat.properties");
@ -260,16 +249,13 @@ public class HammerHead extends HttpServlet
/**
* Description of the Method
*
* @param request
* Description of the Parameter
* @param message
* Description of the Parameter
* @param request Description of the Parameter
* @param message Description of the Parameter
*/
public void log(HttpServletRequest request, String message)
{
public void log(HttpServletRequest request, String message) {
String output = new Date() + " | " + request.getRemoteHost() + ":" + request.getRemoteAddr() + " | " + message;
log(output);
System.out.println(output);
logger.debug(output);
}
/*
@ -277,38 +263,29 @@ public class HammerHead extends HttpServlet
* mySession.getCourse(); // May need to clone the List before returning it. //return new
* ArrayList(course.getLessons(category, role)); return course.getLessons(category, role); }
*/
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected Screen makeScreen(WebSession s)
{
protected Screen makeScreen(WebSession s) {
Screen screen = null;
int scr = s.getCurrentScreen();
Course course = s.getCourse();
if (s.isUser() || s.isChallenge())
{
if (scr == WebSession.WELCOME)
{
if (s.isUser() || s.isChallenge()) {
if (scr == WebSession.WELCOME) {
screen = new WelcomeScreen(s);
}
else
{
} else {
AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
if (lesson == null && s.isHackedAdmin())
{
if (lesson == null && s.isHackedAdmin()) {
// If admin was hacked, let the user see some of the
// admin screens
lesson = course.getLesson(s, scr, AbstractLesson.HACKED_ADMIN_ROLE);
}
if (lesson != null)
{
if (lesson != null) {
screen = lesson;
// We need to do some bookkeeping for the hackable admin
@ -318,40 +295,29 @@ public class HammerHead extends HttpServlet
// admin and has actually accessed an admin screen. You
// need BOTH pieces of information
// in order to satisfy the remote admin lesson.
s.setHasHackableAdmin(screen.getRole());
lesson.handleRequest(s);
s.setCurrentMenu(lesson.getCategory().getRanking());
}
else
{
} else {
screen = new ErrorScreen(s, "Invalid screen requested. Try: http://localhost/WebGoat/attack");
}
}
}
else if (s.isAdmin())
{
if (scr == WebSession.WELCOME)
{
} else if (s.isAdmin()) {
if (scr == WebSession.WELCOME) {
screen = new WelcomeAdminScreen(s);
}
else
{
} else {
// Admin can see all roles.
// FIXME: should be able to pass a list of roles.
AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.ADMIN_ROLE);
if (lesson == null)
{
if (lesson == null) {
lesson = course.getLesson(s, scr, AbstractLesson.HACKED_ADMIN_ROLE);
}
if (lesson == null)
{
if (lesson == null) {
lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
}
if (lesson != null)
{
if (lesson != null) {
screen = lesson;
// We need to do some bookkeeping for the hackable admin
@ -361,14 +327,11 @@ public class HammerHead extends HttpServlet
// admin and has actually accessed an admin screen. You
// need BOTH pieces of information
// in order to satisfy the remote admin lesson.
s.setHasHackableAdmin(screen.getRole());
lesson.handleRequest(s);
s.setCurrentMenu(lesson.getCategory().getRanking());
}
else
{
} else {
screen = new ErrorScreen(s,
"Invalid screen requested. Try Setting Admin to false or Try: http://localhost/WebGoat/attack");
}
@ -379,24 +342,19 @@ public class HammerHead extends HttpServlet
}
/**
* This method sets the required expiration headers in the response for a given RunData object.
* This method attempts to set all relevant headers, both for HTTP 1.0 and HTTP 1.1.
* This method sets the required expiration headers in the response for a
* given RunData object. This method attempts to set all relevant headers,
* both for HTTP 1.0 and HTTP 1.1.
*
* @param response
* The new cacheHeaders value
* @param expiry
* The new cacheHeaders value
* @param response The new cacheHeaders value
* @param expiry The new cacheHeaders value
*/
protected static void setCacheHeaders(HttpServletResponse response, int expiry)
{
if (expiry == 0)
{
protected static void setCacheHeaders(HttpServletResponse response, int expiry) {
if (expiry == 0) {
response.setHeader("Pragma", "no-cache");
response.setHeader("Cache-Control", "no-cache");
response.setHeader("Expires", formatHttpDate(new Date()));
}
else
{
} else {
Date expiryDate = new Date(System.currentTimeMillis() + expiry);
response.setHeader("Expires", formatHttpDate(expiryDate));
}
@ -405,17 +363,14 @@ public class HammerHead extends HttpServlet
/**
* Description of the Method
*
* @param request
* Description of the Parameter
* @param response
* Description of the Parameter
* @param context
* Description of the Parameter
* @param request Description of the Parameter
* @param response Description of the Parameter
* @param context Description of the Parameter
* @return Description of the Return Value
* @throws java.io.IOException
*/
protected WebSession updateSession(HttpServletRequest request, HttpServletResponse response, ServletContext context)
throws IOException
{
throws IOException {
HttpSession hs;
hs = request.getSession(true);
@ -425,12 +380,9 @@ public class HammerHead extends HttpServlet
WebSession session = null;
Object o = hs.getAttribute(WebSession.SESSION);
if ((o != null) && o instanceof WebSession)
{
if ((o != null) && o instanceof WebSession) {
session = (WebSession) o;
}
else
{
} else {
// Create new custom session and save it in the HTTP session
// System.out.println( "HH Creating new WebSession: " );
session = new WebSession(webgoatContext, context);
@ -453,21 +405,17 @@ public class HammerHead extends HttpServlet
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @param response
* Description of the Parameter
* @exception IOException
* Description of the Exception
* @param s Description of the Parameter
* @param screen
* @param response Description of the Parameter
* @exception IOException Description of the Exception
*/
protected void writeScreen(WebSession s, Screen screen, HttpServletResponse response) throws IOException
{
protected void writeScreen(WebSession s, Screen screen, HttpServletResponse response) throws IOException {
response.setContentType("text/html");
PrintWriter out = response.getWriter();
if (s == null)
{
if (s == null) {
screen = new ErrorScreen(s, "Page to display was null");
}

16
pom.xml
View File

@ -123,7 +123,12 @@
<dependency>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
<version>1.0.4</version>
<version>1.1.3</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>jcl-over-slf4j</artifactId>
<version>1.7.7</version>
</dependency>
<dependency>
<groupId>commons-discovery</groupId>
@ -148,8 +153,9 @@
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.8</version>
<version>1.2.17</version>
</dependency>
<dependency>
<groupId>wsdl4j</groupId>
<artifactId>wsdl4j</artifactId>
@ -255,7 +261,7 @@
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.15</version>
<version>1.2.17</version>
<exclusions>
<exclusion>
<groupId>javax.jms</groupId>
@ -304,13 +310,13 @@
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>1.5.8</version>
<version>1.7.7</version>
<type>jar</type>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
<version>1.5.8</version>
<version>1.7.7</version>
<type>jar</type>
</dependency>

32
resources/log4j.properties Normal file
View File

@ -0,0 +1,32 @@
log4j.rootLogger=INFO, MAIN_LOG, ERROR_LOG
# MAIN - everything gets logged here
log4j.appender.MAIN_LOG=org.apache.log4j.RollingFileAppender
log4j.appender.MAIN_LOG.File=${catalina.home}/logs/webgoat_main.log
log4j.appender.MAIN_LOG.layout=org.apache.log4j.PatternLayout
log4j.appender.MAIN_LOG.layout.ConversionPattern=%d [%t] %-5p %c %x - %m%n
log4j.appender.MAIN_LOG.MaxFileSize=10MB
log4j.appender.MAIN_LOG.MaxBackupIndex=5
log4j.appender.MAIN_LOG.append=true
# ERROR
log4j.appender.ERROR_LOG=org.apache.log4j.RollingFileAppender
log4j.appender.ERROR_LOG.File=${catalina.home}/logs/webgoat_error.log
log4j.appender.ERROR_LOG.layout=org.apache.log4j.PatternLayout
log4j.appender.ERROR_LOG.layout.ConversionPattern=%d [%t] %-5p %x - %m%n
log4j.appender.ERROR_LOG.MaxFileSize=10MB
log4j.appender.ERROR_LOG.MaxBackupIndex=2
log4j.appender.ERROR_LOG.append=true
log4j.appender.ERROR_LOG.Threshold=ERROR
# PERFORMANCE
log4j.logger.PERF_LOG=DEBUG, PERF_LOG
log4j.appender.PERF_LOG=org.apache.log4j.RollingFileAppender
log4j.appender.PERF_LOG.File=${catalina.home}/logs/webgoat_perf.log
log4j.appender.PERF_LOG.layout=org.apache.log4j.PatternLayout
log4j.appender.PERF_LOG.layout.ConversionPattern=%m%n
log4j.appender.PERF_LOG.MaxFileSize=10MB
log4j.appender.PERF_LOG.MaxBackupIndex=2
log4j.appender.PERF_LOG.append=true
log4j.additivity.PERF_LOG = false

4
webapp/WEB-INF/web.xml
View File

@ -329,6 +329,10 @@
<mime-type>video/x-ms-wmv</mime-type>
</mime-mapping>
<welcome-file-list>
<welcome-file>login.do</welcome-file>
</welcome-file-list>
<!-- Define reference to the user database for looking up roles -->
<!--
<resource-env-ref>