From 16803b1130331dcf7958fa493798f2fba1a5eec8 Mon Sep 17 00:00:00 2001
From: "lawson89@gmail.com" <>
Date: Sat, 9 Aug 2014 20:39:38 -0400
Subject: [PATCH] added cookies service updated license info
---
 java/org/owasp/webgoat/HammerHead.java | 7 +-
 .../org/owasp/webgoat/lessons/model/Hint.java | 30 +++++++--
 .../lessons/model/HttpBasicsModel.java | 27 ++++++++
 .../webgoat/lessons/model/LessonMenuItem.java | 30 +++++++--
 .../lessons/model/LessonMenuItemType.java | 30 +++++++--
 .../owasp/webgoat/service/BaseService.java | 42 ++++++++++--
 .../owasp/webgoat/service/CookieService.java | 65 +++++++++++++++++++
 .../owasp/webgoat/service/DummyService.java | 30 +++++++--
 .../owasp/webgoat/service/ExceptionInfo.java | 30 +++++++--
 .../owasp/webgoat/service/HintService.java | 7 +-
 .../webgoat/service/LessonMenuService.java | 38 +++++++----
 .../org/owasp/webgoat/session/WebSession.java | 27 ++++++++
 12 files changed, 320 insertions(+), 43 deletions(-)
 create mode 100644 java/org/owasp/webgoat/service/CookieService.java
diff --git a/java/org/owasp/webgoat/HammerHead.java b/java/org/owasp/webgoat/HammerHead.java
index 5a6798631..27e3f93fc 100644
--- a/java/org/owasp/webgoat/HammerHead.java
+++ b/java/org/owasp/webgoat/HammerHead.java
@@ -207,8 +207,8 @@ public class HammerHead extends HttpServlet {
             session.setAttribute(WELCOMED, "true");
             page = "/webgoat.jsp";
         } else {
-            //page = "/main.jsp";
-            page = "/lesson_content.jsp";
+            page = "/main.jsp";
+            //page = "/lesson_content.jsp";
         }
         return page;
@@ -400,6 +400,9 @@ public class HammerHead extends HttpServlet {
         }
         session.update(request, response, this.getServletName());
+        // update last attack request info (cookies, parms)
+        // this is so the REST services can have access to them via the session
+        session.updateLastAttackRequestInfo(request);
         // to authenticate
         // System.out.println( "HH Leaving Session_id: " + hs.getId() );
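Review bot: The first hunk only swaps which of the two page assignments is commented out, so the else branch still carries dead code, now `//page = "/lesson_content.jsp";`. Delete the commented line and keep `page = "/main.jsp";`, or make the target page configurable if both are genuinely needed; commented-out code that flips between commits is the kind of thing a reviewer cannot tell apart from an accidental debugging change. The enclosing method starts and ends outside the hunk.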
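Review bot: In the second hunk the new comment above `session.updateLastAttackRequestInfo(request);` promises `(cookies, parms)`, but the method added to WebSession in this same commit stores only `request.getCookies()`, so the comment over-claims. Suggest `// capture the cookies of this request so the REST services can read them from the session`. It is also worth stating that the capture runs on every request routed through HammerHead, because the stored list is what CookieService later serialises to the browser. The enclosing method continues outside the hunk.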
diff --git a/java/org/owasp/webgoat/lessons/model/Hint.java b/java/org/owasp/webgoat/lessons/model/Hint.java index 4ad2c4277..72f9bec21 100644 --- a/java/org/owasp/webgoat/lessons/model/Hint.java +++ b/java/org/owasp/webgoat/lessons/model/Hint.java @@ -1,7 +1,29 @@ -/* - * To change this license header, choose License Headers in Project Properties. - * To change this template file, choose Tools | Templates - * and open the template in the editor. +/*************************************************************************************************** + * + * + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 2007 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at code.google.com, a repository for free software + * projects. + * + * For details, please see http://code.google.com/p/webgoat/ */ package org.owasp.webgoat.lessons.model; diff --git a/java/org/owasp/webgoat/lessons/model/HttpBasicsModel.java b/java/org/owasp/webgoat/lessons/model/HttpBasicsModel.java index c601eae00..24996bdda 100644 --- a/java/org/owasp/webgoat/lessons/model/HttpBasicsModel.java 
+++ b/java/org/owasp/webgoat/lessons/model/HttpBasicsModel.java @@ -1,3 +1,30 @@ +/*************************************************************************************************** + * + * + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 2007 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at code.google.com, a repository for free software + * projects. + * + * For details, please see http://code.google.com/p/webgoat/ + */ package org.owasp.webgoat.lessons.model; /** diff --git a/java/org/owasp/webgoat/lessons/model/LessonMenuItem.java b/java/org/owasp/webgoat/lessons/model/LessonMenuItem.java index 3d6b7a15a..928d91aed 100644 --- a/java/org/owasp/webgoat/lessons/model/LessonMenuItem.java +++ b/java/org/owasp/webgoat/lessons/model/LessonMenuItem.java 
@@ -1,7 +1,29 @@ -/* - * To change this license header, choose License Headers in Project Properties. - * To change this template file, choose Tools | Templates - * and open the template in the editor. +/*************************************************************************************************** + * + * + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 2007 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at code.google.com, a repository for free software + * projects. + * + * For details, please see http://code.google.com/p/webgoat/ */ package org.owasp.webgoat.lessons.model; diff --git a/java/org/owasp/webgoat/lessons/model/LessonMenuItemType.java b/java/org/owasp/webgoat/lessons/model/LessonMenuItemType.java index 7d34d14c8..bf1d1d323 100644 --- a/java/org/owasp/webgoat/lessons/model/LessonMenuItemType.java +++ b/java/org/owasp/webgoat/lessons/model/LessonMenuItemType.java 
@@ -1,7 +1,29 @@ -/* - * To change this license header, choose License Headers in Project Properties. - * To change this template file, choose Tools | Templates - * and open the template in the editor. +/*************************************************************************************************** + * + * + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 2007 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at code.google.com, a repository for free software + * projects. + * + * For details, please see http://code.google.com/p/webgoat/ */ package org.owasp.webgoat.lessons.model; diff --git a/java/org/owasp/webgoat/service/BaseService.java b/java/org/owasp/webgoat/service/BaseService.java index c1cbeaa64..88df27767 100644 --- a/java/org/owasp/webgoat/service/BaseService.java +++ b/java/org/owasp/webgoat/service/BaseService.java 
@@ -1,11 +1,35 @@
-/*
- * To change this license header, choose License Headers in Project Properties.
- * To change this template file, choose Tools | Templates
- * and open the template in the editor.
+/***************************************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2007 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at code.google.com, a repository for free software
+ * projects.
+ *
+ * For details, please see http://code.google.com/p/webgoat/
  */
 package org.owasp.webgoat.service;
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
+import org.owasp.webgoat.session.WebSession;
 import org.springframework.http.HttpStatus;
 import org.springframework.web.bind.annotation.ExceptionHandler;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -31,4 +55,14 @@ public abstract class BaseService {
         return response;
     }
+    public WebSession getWebSesion(HttpSession session) {
+        WebSession ws;
+        Object o = session.getAttribute(WebSession.SESSION);
+        if (o == null || !(o instanceof WebSession)) {
+            throw new IllegalArgumentException("No valid session object found, has session timed out?");
+        }
+        ws = (WebSession) o;
+        return ws;
+    }
+
 }
diff --git a/java/org/owasp/webgoat/service/CookieService.java b/java/org/owasp/webgoat/service/CookieService.java
new file mode 100644
index 000000000..af08a15bb
--- /dev/null
+++ b/java/org/owasp/webgoat/service/CookieService.java
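Review bot: `getWebSesion` is misspelled, and since HintService, LessonMenuService and CookieService in this same commit are its only callers, this is the cheapest moment to rename it: `public WebSession getWebSession(HttpSession session) {`. The guard's `o == null ||` is redundant because `instanceof` is already false for null, so `if (!(o instanceof WebSession)) {` says the same thing. The method is public on the shared base class but has no Javadoc; a `@throws IllegalArgumentException if the HTTP session holds no WebSession (for example after a timeout)` line would tell callers that the failure is meant to surface through the class's exception handling rather than be caught locally — presumably the `@ExceptionHandler` imported above, though its body is not in this diff. IllegalStateException arguably describes a timed-out session better than IllegalArgumentException, but that changes what callers catch and is a separate decision.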
@@ -0,0 +1,65 @@ +/** + * ************************************************************************************************* + * + * + * This file is part of WebGoat, an Open Web Application Security Project + * utility. For details, please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 2007 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software + * Foundation; either version 2 of the License, or (at your option) any later + * version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS + * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more + * details. + * + * You should have received a copy of the GNU General Public License along with + * this program; if not, write to the Free Software Foundation, Inc., 59 Temple + * Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at code.google.com, a repository + * for free software projects. 
+ *
+ * For details, please see http://code.google.com/p/webgoat/
+ */
+package org.owasp.webgoat.service;
+
+import java.util.ArrayList;
+import java.util.List;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpSession;
+import org.owasp.webgoat.lessons.AbstractLesson;
+import org.owasp.webgoat.lessons.model.Hint;
+import org.owasp.webgoat.session.WebSession;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+/**
+ *
+ * @author rlawson
+ */
+@Controller
+public class CookieService extends BaseService {
+
+    /**
+     * Returns hints for current lesson
+     *
+     * @param session
+     * @return
+     */
+    @RequestMapping(value = "/cookie.mvc", produces = "application/json")
+    public @ResponseBody
+    List showCookies(HttpSession session) {
+        List listHints = new ArrayList();
+        WebSession ws = getWebSesion(session);
+        List cookies = ws.getCookiesOnLastRequest();
+        return cookies;
+    }
+}
diff --git a/java/org/owasp/webgoat/service/DummyService.java b/java/org/owasp/webgoat/service/DummyService.java
index 0d370cae3..ae46219de 100644
--- a/java/org/owasp/webgoat/service/DummyService.java
+++ b/java/org/owasp/webgoat/service/DummyService.java
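Review bot: `showCookies` serialises the raw `Cookie` objects captured from the last request to any caller of `/cookie.mvc`, and because `request.getCookies()` includes the servlet container's own session cookie, the endpoint hands the session identifier to page script as JSON, which undoes the protection an HttpOnly flag on that cookie gives; if the lesson UI only needs to display lesson cookies, withhold the container session cookie (or return only name/value pairs) and say in the Javadoc exactly what is exposed and why. The Javadoc was copied from HintService (`Returns hints for current lesson`), and `listHints`, `ArrayList`, `AbstractLesson` and `Hint` are unused. `getCookiesOnLastRequest()` is null until HammerHead has handled a request, so a first call serialises `null` rather than an empty list. The raw `List` should be `List<Cookie>`; the rewrite below needs `java.util.Collections` imported and the WebSession getter typed `List<Cookie>`.

```java
    /**
     * Returns the cookies sent with the last request handled by HammerHead.
     *
     * @param session the HTTP session holding the WebSession
     * @return the cookies of the last request, empty if none were captured yet
     */
    @RequestMapping(value = "/cookie.mvc", produces = "application/json")
    public @ResponseBody
    List<Cookie> showCookies(HttpSession session) {
        WebSession ws = getWebSesion(session);
        List<Cookie> cookies = ws.getCookiesOnLastRequest();
        if (cookies == null) {
            return Collections.emptyList();
        }
        // NOTE(review): decide whether the container session cookie should be
        // withheld here before the list is exposed to page script
        return cookies;
    }
```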
@@ -1,7 +1,29 @@ -/* - * To change this license header, choose License Headers in Project Properties. - * To change this template file, choose Tools | Templates - * and open the template in the editor. +/*************************************************************************************************** + * + * + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 2007 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at code.google.com, a repository for free software + * projects. + * + * For details, please see http://code.google.com/p/webgoat/ */ package org.owasp.webgoat.service; diff --git a/java/org/owasp/webgoat/service/ExceptionInfo.java b/java/org/owasp/webgoat/service/ExceptionInfo.java index 33c9c849b..2a14b87f8 100644 --- a/java/org/owasp/webgoat/service/ExceptionInfo.java +++ b/java/org/owasp/webgoat/service/ExceptionInfo.java 
@@ -1,7 +1,29 @@ -/* - * To change this license header, choose License Headers in Project Properties. - * To change this template file, choose Tools | Templates - * and open the template in the editor. +/*************************************************************************************************** + * + * + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 2007 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at code.google.com, a repository for free software + * projects. + * + * For details, please see http://code.google.com/p/webgoat/ */ package org.owasp.webgoat.service; diff --git a/java/org/owasp/webgoat/service/HintService.java b/java/org/owasp/webgoat/service/HintService.java index 5b9052eaa..5cbb48679 100644 --- a/java/org/owasp/webgoat/service/HintService.java +++ b/java/org/owasp/webgoat/service/HintService.java 
@@ -32,12 +32,7 @@ public class HintService extends BaseService {
     public @ResponseBody
     List showHint(HttpSession session) {
         List listHints = new ArrayList();
-        WebSession ws;
-        Object o = session.getAttribute(WebSession.SESSION);
-        if (o == null || !(o instanceof WebSession)) {
-            throw new IllegalArgumentException("No valid session object found, has session timed out?");
-        }
-        ws = (WebSession) o;
+        WebSession ws = getWebSesion(session);
         AbstractLesson l = ws.getCurrentLesson();
         if (l == null) {
             return listHints;
diff --git a/java/org/owasp/webgoat/service/LessonMenuService.java b/java/org/owasp/webgoat/service/LessonMenuService.java
index bb99c5332..30e0f51cd 100644
--- a/java/org/owasp/webgoat/service/LessonMenuService.java
+++ b/java/org/owasp/webgoat/service/LessonMenuService.java
@@ -1,7 +1,29 @@ -/* - * To change this license header, choose License Headers in Project Properties. - * To change this template file, choose Tools | Templates - * and open the template in the editor. +/*************************************************************************************************** + * + * + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 2007 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at code.google.com, a repository for free software + * projects. + * + * For details, please see http://code.google.com/p/webgoat/ */ package org.owasp.webgoat.service; 
@@ -36,13 +58,7 @@ public class LessonMenuService extends BaseService {
     public @ResponseBody
     List showLeftNav(HttpSession session) {
         List menu = new ArrayList();
-        WebSession ws;
-        Object o = session.getAttribute(WebSession.SESSION);
-        if (o == null || !(o instanceof WebSession)) {
-            throw new IllegalArgumentException("No valid session object found, has session timed out?");
-        }
-        ws = (WebSession) o;
-        AbstractLesson l = ws.getCurrentLesson();
+        WebSession ws = getWebSesion(session);
         // Get the categories, these are the main menu items
         Course course = ((Course) session.getAttribute("course"));
         List categories = course.getCategories();
diff --git a/java/org/owasp/webgoat/session/WebSession.java b/java/org/owasp/webgoat/session/WebSession.java
index dcd1dc3e7..1edf607e7 100644
--- a/java/org/owasp/webgoat/session/WebSession.java
+++ b/java/org/owasp/webgoat/session/WebSession.java
@@ -205,6 +205,8 @@ public class WebSession {
     private String currentLanguage = null;
+    private List cookiesOnLastRequest;
+
     /**
      * Constructor for the WebSession object
      *
@@ -894,6 +896,17 @@ public class WebSession {
         }
     }
+    public void updateLastAttackRequestInfo(HttpServletRequest request) {
+        // store cookies
+        Cookie[] cookies = request.getCookies();
+        if (cookies == null) {
+            this.cookiesOnLastRequest = new ArrayList();
+        } else {
+            this.cookiesOnLastRequest = Arrays.asList(cookies);
+        }
+
+    }
+
     private void restartLesson(int lessonId) {
         AbstractLesson al = getLesson(lessonId);
         System.out.println("Restarting lesson: " + al);
@@ -982,4 +995,18 @@ public class WebSession {
         return currentLanguage;
     }
+    /**
+     * @return the cookiesOnLastRequest
+     */
+    public List getCookiesOnLastRequest() {
+        return cookiesOnLastRequest;
+    }
+
+    /**
+     * @param cookiesOnLastRequest the cookiesOnLastRequest to set
+     */
+    public void setCookiesOnLastRequest(List cookiesOnLastRequest) {
+        this.cookiesOnLastRequest = cookiesOnLastRequest;
+    }
+
 }
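Review bot: The LessonMenuService hunk drops `AbstractLesson l = ws.getCurrentLesson();` but keeps `WebSession ws = getWebSesion(session);`, so within the visible lines `ws` is obtained and never read; the rest of `showLeftNav` lies outside the hunk, and if it does not use `ws` either, the call is there only for its fail-fast check and should say so, e.g. `// fails fast when no WebSession is present; ws itself is not needed below`, with the now possibly unused `AbstractLesson` import removed. The neighbouring `(Course) session.getAttribute("course")` cast still has none of the null/type checking that `getWebSesion` now performs, but that line is unchanged context.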
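Review bot: `private List cookiesOnLastRequest;` in the first WebSession hunk is a raw type although everything written into it in this commit is a `Cookie`; declare it `private List<Cookie> cookiesOnLastRequest;` and carry `List<Cookie>` through `updateLastAttackRequestInfo` and the getter and setter in the last hunk of this file. A short field comment such as `// cookies of the most recent request routed through HammerHead; read by CookieService` would explain why a session-scoped object holds per-request data.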
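Review bot: The `updateLastAttackRequestInfo` hunk uses `Cookie`, `Arrays`, `ArrayList` and `HttpServletRequest`, yet this file's diff adds no import lines, so unless WebSession already imports `javax.servlet.http.Cookie` and `java.util.Arrays` the class will not compile; worth confirming before merge. `Arrays.asList(cookies)` is a fixed-size view over the request's array, the `Cookie` objects it holds are mutable, and the list is handed out unchanged by the getter, so store a copy instead: `this.cookiesOnLastRequest = new ArrayList<Cookie>(Arrays.asList(cookies));`. The method is public without Javadoc and has a stray blank line before its closing brace. Since the WebSession lives in the HttpSession and can be reached by concurrent requests from the same browser, a comment should say whether unsynchronised writes to this field are acceptable — the rest of the class is not visible here.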
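Review bot: In the last WebSession hunk `getCookiesOnLastRequest()` returns the internal list directly and `setCookiesOnLastRequest` lets any caller replace it, although the only writer in this commit is `updateLastAttackRequestInfo`; drop the setter or make it private, and have the getter return `Collections.unmodifiableList(cookiesOnLastRequest)`, returning `Collections.emptyList()` while the field is still null before the first request. The Javadoc is IDE-generated (`@return the cookiesOnLastRequest`) and should describe the contents instead: `@return cookies sent with the last request routed through HammerHead, never null`.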