diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java
new file mode 100644
index 000000000..ab641b11b
--- /dev/null
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java
@@ -0,0 +1,111 @@
+package org.owasp.webgoat.lessons;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Arrays;
+
+import org.apache.ecs.Element;
+import org.apache.ecs.ElementContainer;
+import org.apache.ecs.StringElement;
+import org.apache.ecs.html.B;
+import org.apache.ecs.html.H1;
+import org.apache.ecs.html.Input;
+import org.apache.ecs.html.P;
+import org.apache.ecs.html.TD;
+import org.apache.ecs.html.TR;
+import org.apache.ecs.html.Table;
+import org.apache.ecs.html.TextArea;
+import org.owasp.webgoat.session.ECSFactory;
+import org.owasp.webgoat.session.WebSession;
+
+public class CSRF extends LessonAdapter {
+
+ private final static String MESSAGE = "message";
+ private final static String TITLE = "title";
+
+ @Override
+ protected Element createContent(WebSession s) {
+ ElementContainer ec = new ElementContainer();
+ String emailBody = null;
+
+ try{
+ Table t = new Table( 0 ).setCellSpacing( 0 ).setCellPadding( 0 ).setBorder( 0 );
+ TR row1 = new TR();
+ TR row2 = new TR();
+ row1.addElement( new TD( new StringElement( "Title: " ) ) );
+
+ Input inputTitle = new Input( Input.TEXT, TITLE, "" );
+ row1.addElement( new TD( inputTitle ) );
+
+ TD item1 = new TD();
+ item1.setVAlign( "TOP" );
+ item1.addElement( new StringElement( "Message: " ) );
+ row2.addElement( item1 );
+
+ TD item2 = new TD();
+ TextArea ta = new TextArea( MESSAGE, 5, 60 );
+ item2.addElement( ta );
+ row2.addElement( item2 );
+ t.addElement( row1 );
+ t.addElement( row2 );
+
+ Element b = ECSFactory.makeButton( "Submit" );
+ ec = new ElementContainer();
+ ec.addElement( t );
+ ec.addElement( new P().addElement( b ) );
+
+ emailBody = new String( s.getParser().getRawParameter( MESSAGE, "" ) );
+
+ }
+ catch (Exception e)
+ {
+ s.setMessage( "Error generating " + this.getClass().getName() );
+ e.printStackTrace();
+ }
+
+ if (emailBody.length() != 0 &&
+ emailBody.indexOf( "=0 &&
+ emailBody.indexOf( "src=") > 0 &&
+ emailBody.indexOf( "height=\"1\"" ) > 0 &&
+ emailBody.indexOf( "width=\"1\"" ) > 0)
+ {
+ makeSuccess( s );
+ }
+
+ return ec;
+ }
+
+ @Override
+ protected Category getDefaultCategory() {
+ return AbstractLesson.A4;
+ }
+
+ private final static Integer DEFAULT_RANKING = new Integer(140);
+
+ @Override
+ protected Integer getDefaultRanking() {
+
+ return DEFAULT_RANKING;
+ }
+
+ @Override
+ protected List getHints() {
+ List hints = new ArrayList();
+ hints.add( "Enter some text and try to include an image in there." );
+ hints.add( "The format of an image in html is
<img src=\"[URL]\" width=\"1\" height=\"1\" />");
+ hints.add( "In order to make the picture almost invisible try to add width=\"1\" and height=\"1\"." );
+
+ return hints;
+ }
+
+ /**
+ * Gets the title attribute of the MessageBoardScreen object
+ *
+ * @return The title value
+ */
+ public String getTitle()
+ {
+ return ( "How to Perform Cross Site Request Forgery (CSRF)" );
+ }
+
+}
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java
index 833998eac..dd9650a6a 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java
@@ -1,7 +1,5 @@
 package org.owasp.webgoat.lessons;
 import java.util.*;
-import java.net.URLDecoder;
-import java.io.UnsupportedEncodingException;
 import org.apache.ecs.*;
 import org.apache.ecs.html.*;
@@ -75,7 +73,7 @@ public class HttpSplitting extends LessonAdapter {
 //Split by the line separator line.separator is platform independant
 String[] arrTokens = lang.toString().toUpperCase().split(System.getProperty("line.separator"));
- //Check if the user ended the first request and wrote the second malcious reply
+ //Check if the user ended the first request and wrote the second malacious reply
 if (Arrays.binarySearch(arrTokens, "CONTENT-LENGTH: 0") >= 0 &&
 Arrays.binarySearch(arrTokens, "HTTP/1.1 200 OK") >= 0 )
 {
@@ -99,7 +97,7 @@ public class HttpSplitting extends LessonAdapter {
 hints.add( "A 200 OK message looks like this: HTTP/1.1 200 OK" );
 return hints;
-
+
 }
 private final static Integer DEFAULT_RANKING = new Integer(10);
diff --git a/ webgoat/main/project/WebContent/lesson_plans/CSRF.html b/ webgoat/main/project/WebContent/lesson_plans/CSRF.html
new file mode 100644
index 000000000..9cc655e12
--- /dev/null
+++ b/ webgoat/main/project/WebContent/lesson_plans/CSRF.html
@@ -0,0 +1,27 @@
+
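Review bot: In `createContent`, `emailBody` is declared as `null` at the top of the method and only assigned on the last statement of the `try`, so if `getRawParameter` or any of the ECS calls before it throws, the `catch` sets the session message and control still falls through to `emailBody.length()` in the success check, which throws a NullPointerException out of the lesson. Declare it as `String emailBody = "";` and drop the redundant copy on the assignment, `emailBody = s.getParser().getRawParameter( MESSAGE, "" );`. The `ElementContainer` created on the first line of the method is discarded and recreated inside the `try`, one construction is enough, and `getHints()` builds a raw `List` where `List<String>` matches the strings it adds. The Javadoc on `getTitle()` still reads "Gets the title attribute of the MessageBoardScreen object", which looks copied from another lesson and should name this one. The first `indexOf` term of the success condition appears garbled on this page (`indexOf( "=0 &&`), so that sub-expression could not be checked here.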
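Review bot: The rewritten comment in the second HttpSplitting hunk trades one misspelling for another, `malcious` becomes `malacious` where `malicious` is meant; it should read `//Check if the user ended the first request and wrote the second malicious reply`. The context line two above has `independant` for `independent` and could be fixed in the same pass. Not part of this change, but the `Arrays.binarySearch` calls directly under that comment search `arrTokens` without any sort visible in the hunk, and the result of `binarySearch` on an unsorted array is unspecified, so the token check may silently miss entries; `Arrays.asList(arrTokens).contains(...)` would be the reliable form if no sort happens outside the hunk. The enclosing method starts and ends outside this hunk.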
Lesson Plan Title: Cross Site Request Forgery.
+Concept / Topic To Teach:
+ This lesson teaches how to Cross Site Request Forgery (CSRF) attacks. ++How the attacks works: +
+Cross-Site Request Forgery (CSRF/XSRF) is an attack that tricks the victim into loading a page that contains img links like the one below: + +<img src="http://www.mybank.com/sendFunds.do?acctId=123456"/>+ +When the victim's browser attempts to render this page, it will issue a request to www.mybank.com to the transferFunds.do page with the specified parameters. The browser will think the link is to get an image, even though it actually is a funds transfer function. + +The request will include any cookies associated with the site. Therefore, if the user has authenticated to the site, and has either a permanent cookie or even a current session cookie, the site will have no way to distinguish this from a legitimate user request. + +In this way, the attacker can make the victim perform actions that they didn't intend to, such as logout, purchase item, or any other function provided by the vulnerable website +
General Goal(s):
+ +* Your goal is to send an email to a newsgroup.