dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Formatting according to OWASP WebGoat Java Style

Browse Source 
git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@359 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
brandon.devries
2008-08-05 17:32:17 +00:00
parent 7918037066
commit 17af39e428
77 changed files with 855 additions and 1108 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java
View File

@ -98,23 +98,25 @@ public class CrossSiteScripting extends GoatHillsFinancial
{
return Category.XSS;
}
public String getLessonSolutionFileName(WebSession s) {
public String getLessonSolutionFileName(WebSession s)
{
String solutionFileName = null;
String stage = getStage(s);
solutionFileName = "/lesson_solutions/Lab XSS/Lab " + stage + ".html";
return solutionFileName;
}
@Override
public String getSolution(WebSession s) {
public String getSolution(WebSession s)
{
String src = null;
try
{
//System.out.println("Solution: " + getLessonSolutionFileName(s));
src = readFromFile(new BufferedReader(new FileReader(s.getWebResource(getLessonSolutionFileName(s)))), false);
// System.out.println("Solution: " + getLessonSolutionFileName(s));
src = readFromFile(new BufferedReader(new FileReader(s.getWebResource(getLessonSolutionFileName(s)))),
false);
} catch (IOException e)
{
s.setMessage("Could not find the solution file");
@ -123,7 +125,7 @@ public class CrossSiteScripting extends GoatHillsFinancial
return src;
}
/**
* Gets the hints attribute of the DirectoryScreen object
*
@ -148,9 +150,9 @@ public class CrossSiteScripting extends GoatHillsFinancial
// Stage 3
// Stage 4
hints.add("Stage4: Examine content served in response to form submissions looking for data taken from the form.");
hints
.add("Stage4: Examine content served in response to form submissions looking for data taken from the form.");
hints.add("Stage4: There is a class called HtmlEncoder in org.owasp.webgoat.util");
// Stage 5
hints
@ -179,8 +181,8 @@ public class CrossSiteScripting extends GoatHillsFinancial
}
else if (STAGE2.equals(stage))
{
instructions = "Stage 2: Block Stored XSS using Input Validation.<br><br>" +
"<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>"
instructions = "Stage 2: Block Stored XSS using Input Validation.<br><br>"
+ "<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>"
+ "Implement a fix to block the stored XSS before it can be written to the database. "
+ "Repeat stage 1 as 'Eric' with 'David' as the manager. Verify that 'David' is not affected by the attack.";
}
@ -192,8 +194,8 @@ public class CrossSiteScripting extends GoatHillsFinancial
}
else if (STAGE4.equals(stage))
{
instructions = "Stage 4: Block Stored XSS using Output Encoding.<br><br>" +
"<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>"
instructions = "Stage 4: Block Stored XSS using Output Encoding.<br><br>"
+ "<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>"
+ "Implement a fix to block XSS after it is read from the database. "
+ "Repeat stage 3. Verify that 'David' is not affected by Bruce's profile attack.";
}
@ -205,8 +207,8 @@ public class CrossSiteScripting extends GoatHillsFinancial
}
else if (STAGE6.equals(stage))
{
instructions = "Stage 6: Block Reflected XSS using Input Validation.<br><br>" +
"<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>"
instructions = "Stage 6: Block Reflected XSS using Input Validation.<br><br>"
+ "<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>"
+ "Implement a fix to block this reflected XSS attack. "
+ "Repeat step 5. Verify that the attack URL is no longer effective.";
}
@ -258,28 +260,28 @@ public class CrossSiteScripting extends GoatHillsFinancial
}
} catch (ParameterNotFoundException pnfe)
{
//System.out.println("Missing parameter");
// System.out.println("Missing parameter");
pnfe.printStackTrace();
setCurrentAction(s, ERROR_ACTION);
} catch (ValidationException ve)
{
//System.out.println("Validation failed");
// System.out.println("Validation failed");
ve.printStackTrace();
setCurrentAction(s, ERROR_ACTION);
} catch (UnauthenticatedException ue)
{
s.setMessage("Login failed");
//System.out.println("Authentication failure");
// System.out.println("Authentication failure");
ue.printStackTrace();
} catch (UnauthorizedException ue2)
{
s.setMessage("You are not authorized to perform this function");
//System.out.println("Authorization failure");
// System.out.println("Authorization failure");
ue2.printStackTrace();
} catch (Exception e)
{
// All other errors send the user to the generic error page
//System.out.println("handleRequest() error");
// System.out.println("handleRequest() error");
e.printStackTrace();
setCurrentAction(s, ERROR_ACTION);
}

8
main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/EditProfile.java
View File

@ -97,8 +97,8 @@ public class EditProfile extends DefaultLessonAction
.getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
.getString("disciplined_notes"), answer_results.getString("personal_description"));
/*
* System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " +
* profile.getLastName() + " (" + profile.getId() + ")");
* System.out.println("Retrieved employee from db: " + profile.getFirstName() +
* " " + profile.getLastName() + " (" + profile.getId() + ")");
*/}
} catch (SQLException sqle)
{
@ -141,8 +141,8 @@ public class EditProfile extends DefaultLessonAction
.getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
.getString("disciplined_notes"), answer_results.getString("personal_description"));
/*
* System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " +
* profile.getLastName() + " (" + profile.getId() + ")");
* System.out.println("Retrieved employee from db: " + profile.getFirstName() +
* " " + profile.getLastName() + " (" + profile.getId() + ")");
*/}
} catch (SQLException sqle)
{

8
main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/FindProfile.java
View File

@ -104,11 +104,11 @@ public class FindProfile extends DefaultLessonAction
chainedAction.handleRequest(s);
} catch (UnauthenticatedException ue1)
{
//System.out.println("Internal server error");
// System.out.println("Internal server error");
ue1.printStackTrace();
} catch (UnauthorizedException ue2)
{
//System.out.println("Internal server error");
// System.out.println("Internal server error");
ue2.printStackTrace();
}
}
@ -171,8 +171,8 @@ public class FindProfile extends DefaultLessonAction
.getString("disciplined_notes"), answer_results.getString("personal_description"));
/*
* System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " +
* profile.getLastName() + " (" + profile.getId() + ")");
* System.out.println("Retrieved employee from db: " + profile.getFirstName() +
* " " + profile.getLastName() + " (" + profile.getId() + ")");
*/
setRequestAttribute(s, getLessonName() + "." + CrossSiteScripting.EMPLOYEE_ID, Integer.toString(id));
}

9
main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/UpdateProfile.java
View File

@ -94,11 +94,11 @@ public class UpdateProfile extends DefaultLessonAction
chainedAction.handleRequest(s);
} catch (UnauthenticatedException ue1)
{
//System.out.println("Internal server error");
// System.out.println("Internal server error");
ue1.printStackTrace();
} catch (UnauthorizedException ue2)
{
//System.out.println("Internal server error");
// System.out.println("Internal server error");
ue2.printStackTrace();
}
}
@ -111,8 +111,8 @@ public class UpdateProfile extends DefaultLessonAction
{
// The input validation can be added using a parsing component
// or by using an inline regular expression. The parsing component
// is the better solution.
// is the better solution.
HttpServletRequest request = s.getRequest();
String firstName = request.getParameter(CrossSiteScripting.FIRST_NAME);
String lastName = request.getParameter(CrossSiteScripting.LAST_NAME);
@ -129,7 +129,6 @@ public class UpdateProfile extends DefaultLessonAction
String disciplinaryActionDate = request.getParameter(CrossSiteScripting.DISCIPLINARY_DATE);
String disciplinaryActionNotes = request.getParameter(CrossSiteScripting.DISCIPLINARY_NOTES);
String personalDescription = request.getParameter(CrossSiteScripting.DESCRIPTION);
Employee employee = new Employee(subjectId, firstName, lastName, ssn, title, phone, address1, address2,
manager, startDate, salary, ccn, ccnLimit, disciplinaryActionDate, disciplinaryActionNotes,

19
main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/ViewProfile.java
View File

@ -4,7 +4,6 @@ package org.owasp.webgoat.lessons.CrossSiteScripting;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import org.apache.ecs.xhtml.html;
import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction;
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
@ -16,7 +15,6 @@ import org.owasp.webgoat.session.UnauthorizedException;
import org.owasp.webgoat.session.ValidationException;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.HtmlEncoder;
import com.sun.corba.se.spi.activation.Server;
@ -92,7 +90,6 @@ public class ViewProfile extends DefaultLessonAction
{
Employee profile = null;
// Query the database for the profile data of the given employee
try
{
@ -108,15 +105,15 @@ public class ViewProfile extends DefaultLessonAction
// Note: Do NOT get the password field.
profile = new Employee(answer_results.getInt("userid"), answer_results.getString("first_name"),
answer_results.getString("last_name"), answer_results.getString("ssn"), answer_results
.getString("title"), answer_results.getString("phone"),
answer_results.getString("address1"), answer_results.getString("address2"), answer_results
.getString("title"), answer_results.getString("phone"), answer_results
.getString("address1"), answer_results.getString("address2"), answer_results
.getInt("manager"), answer_results.getString("start_date"), answer_results
.getInt("salary"), answer_results.getString("ccn"), answer_results
.getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
.getString("disciplined_notes"), answer_results.getString("personal_description"));
/*
* System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " +
* profile.getLastName() + " (" + profile.getId() + ")");
* System.out.println("Retrieved employee from db: " + profile.getFirstName() +
* " " + profile.getLastName() + " (" + profile.getId() + ")");
*/}
} catch (SQLException sqle)
{
@ -131,14 +128,13 @@ public class ViewProfile extends DefaultLessonAction
return profile;
}
public Employee getEmployeeProfile_BACKUP(WebSession s, int userId, int subjectUserId) throws UnauthorizedException
{
// Query the database to determine if this employee has access to this function
// Query the database for the profile data of the given employee if "owned" by the given
// user
Employee profile = null;
// Query the database for the profile data of the given employee
@ -162,11 +158,10 @@ public class ViewProfile extends DefaultLessonAction
.getInt("salary"), answer_results.getString("ccn"), answer_results
.getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
.getString("disciplined_notes"), answer_results.getString("personal_description"));
/*
* System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " +
* profile.getLastName() + " (" + profile.getId() + ")");
* System.out.println("Retrieved employee from db: " + profile.getFirstName() +
* " " + profile.getLastName() + " (" + profile.getId() + ")");
*/}
} catch (SQLException sqle)
{