- Updated a comment and removed some unused imports in HttpSplitting.java

- Added CSRF.html and CSRF.java

git-svn-id: http://webgoat.googlecode.com/svn/trunk@26 4033779f-a91e-0410-96ef-6bf7bf53c507

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java

@@ -0,0 +1,111 @@
+package org.owasp.webgoat.lessons;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Arrays;
+
+import org.apache.ecs.Element;
+import org.apache.ecs.ElementContainer;
+import org.apache.ecs.StringElement;
+import org.apache.ecs.html.B;
+import org.apache.ecs.html.H1;
+import org.apache.ecs.html.Input;
+import org.apache.ecs.html.P;
+import org.apache.ecs.html.TD;
+import org.apache.ecs.html.TR;
+import org.apache.ecs.html.Table;
+import org.apache.ecs.html.TextArea;
+import org.owasp.webgoat.session.ECSFactory;
+import org.owasp.webgoat.session.WebSession;
+
+public class CSRF extends LessonAdapter {
+
+	private final static String MESSAGE = "message";
+	private final static String TITLE = "title";
+	
+	@Override
+	protected Element createContent(WebSession s) {
+		ElementContainer ec = new ElementContainer();
+		String emailBody = null;
+		
+		try{
+			Table t = new Table( 0 ).setCellSpacing( 0 ).setCellPadding( 0 ).setBorder( 0 );
+			TR row1 = new TR();
+			TR row2 = new TR();
+			row1.addElement( new TD( new StringElement( "Title: " ) ) );
+
+			Input inputTitle = new Input( Input.TEXT, TITLE, "" );
+			row1.addElement( new TD( inputTitle ) );
+
+			TD item1 = new TD();
+			item1.setVAlign( "TOP" );
+			item1.addElement( new StringElement( "Message: " ) );
+			row2.addElement( item1 );
+
+			TD item2 = new TD();
+			TextArea ta = new TextArea( MESSAGE, 5, 60 );
+			item2.addElement( ta );
+			row2.addElement( item2 );
+			t.addElement( row1 );
+			t.addElement( row2 );
+
+			Element b = ECSFactory.makeButton( "Submit" );
+			ec = new ElementContainer();
+			ec.addElement( t );
+			ec.addElement( new P().addElement( b ) );
+			
+			emailBody = new String( s.getParser().getRawParameter( MESSAGE, "" ) );
+									
+		}
+		catch (Exception e)
+		{
+			s.setMessage( "Error generating " + this.getClass().getName() );
+			e.printStackTrace();			
+		}
+		
+		if (emailBody.length() != 0 && 
+				emailBody.indexOf( "<img" ) >=0 &&
+				emailBody.indexOf( "src=") > 0 &&
+				emailBody.indexOf( "height=\"1\"" ) > 0 &&
+				emailBody.indexOf( "width=\"1\"" ) > 0)
+		{
+			makeSuccess( s );
+		}
+		
+		return ec;
+	}
+
+	@Override	
+	protected Category getDefaultCategory() {
+		return AbstractLesson.A4;
+	}
+
+	private final static Integer DEFAULT_RANKING = new Integer(140);
+	
+	@Override
+	protected Integer getDefaultRanking() {
+		
+		return DEFAULT_RANKING;
+	}
+
+	@Override	
+	protected List getHints() {
+		List hints = new ArrayList();
+		hints.add( "Enter some text and try to include an image in there." );
+		hints.add( "The format of an image in html is <pre>&lt;img src=\"[URL]\" width=\"1\" height=\"1\" /&gt;</pre>");		
+		hints.add( "In order to make the picture almost invisible try to add width=\"1\" and height=\"1\"." );
+
+		return hints;
+	}
+
+	/**
+	 *  Gets the title attribute of the MessageBoardScreen object
+	 *
+	 * @return    The title value
+	 */
+	public String getTitle()
+	{
+		return ( "How to Perform Cross Site Request Forgery (CSRF)" );
+	}
+
+}

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java

@@ -1,7 +1,5 @@
 package org.owasp.webgoat.lessons;
 import java.util.*;
-import java.net.URLDecoder;
-import java.io.UnsupportedEncodingException;
 
 import org.apache.ecs.*;
 import org.apache.ecs.html.*;
@@ -75,7 +73,7 @@ public class HttpSplitting extends LessonAdapter {
 			//Split by the line separator line.separator is platform independant
 			String[] arrTokens = lang.toString().toUpperCase().split(System.getProperty("line.separator"));
 			
-			//Check if the user ended the first request and wrote the second malcious reply
+			//Check if the user ended the first request and wrote the second malacious reply
 			if (Arrays.binarySearch(arrTokens, "CONTENT-LENGTH: 0") >= 0 &&
 					Arrays.binarySearch(arrTokens, "HTTP/1.1 200 OK") >= 0 )	
 			{	
@@ -99,7 +97,7 @@ public class HttpSplitting extends LessonAdapter {
 		hints.add( "A 200 OK message looks like this: HTTP/1.1 200 OK" );
 
 		return hints;
-		
+	
 	}
 
 	private final static Integer DEFAULT_RANKING = new Integer(10);

webgoat/main/project/WebContent/lesson_plans/CSRF.html

@@ -0,0 +1,27 @@
+<div align="Center"> 
+<p><b>Lesson Plan Title:</b> Cross Site Request Forgery. </p>
+ </div>
+ 
+<p><b>Concept / Topic To Teach:</b> </p>
+ This lesson teaches how to Cross Site Request Forgery (CSRF) attacks.
+ <br> 
+<div align="Left"> 
+<p>
+<b>How the attacks works:</b>
+</p>
+Cross-Site Request Forgery (CSRF/XSRF) is an attack that tricks the victim into loading a page that contains img links like the one below: 
+
+<pre>&lt;img src="<a href="http://www.mybank.com/transferFunds.do?acctId=123456" class='external free' title="http://www.mybank.com/transferFunds.do?acctId=123456" rel="nofollow">http://www.mybank.com/sendFunds.do?acctId=123456</a>"/&gt;</pre>
+
+When the victim's browser attempts to render this page, it will issue a request to www.mybank.com to the transferFunds.do page with the specified parameters. The browser will think the link is to get an image, even though it actually is a funds transfer function. 
+
+The request will include any cookies associated with the site. Therefore, if the user has authenticated to the site, and has either a permanent cookie or even a current session cookie, the site will have no way to distinguish this from a legitimate user request. 
+
+In this way, the attacker can make the victim perform actions that they didn't intend to, such as logout, purchase item, or any other function provided by the vulnerable website
+</div>
+<p><b>General Goal(s):</b> </p>
+<!-- Start Instructions -->
+* Your goal is to send an email to a newsgroup.<br> 
+* Try to include a 1x1 pixel image that includes a URL that transfers funds to your account.<br>
+* Whoever receives this email and happens to be authenticated at that time will be a victim.
+<!-- Stop Instructions -->