Merge with major changes made by Aspect

Several new lessons added


git-svn-id: http://webgoat.googlecode.com/svn/trunk@236 4033779f-a91e-0410-96ef-6bf7bf53c507

webgoat/main/project/WebContent/javascript/DOMXSS.js

@@ -0,0 +1,5 @@
+function displayGreeting(name) {
+	if (name != ''){
+		document.getElementById("greeting").innerHTML="Hello, " + name+ "!";
+	}
+}

webgoat/main/project/WebContent/javascript/clientSideFiltering.js

@@ -0,0 +1,64 @@
+var dataFetched = false;
+
+
+function selectUser(){
+
+	var newEmployeeID = document.getElementById("UserSelect").options[document.getElementById("UserSelect").selectedIndex].value;
+	
+	document.getElementById("employeeRecord").innerHTML = document.getElementById(newEmployeeID).innerHTML;
+	
+}
+
+
+function fetchUserData(){
+	if(!dataFetched){
+		dataFetched = true;		
+		ajaxFunction(document.getElementById("userID").value);
+	}
+}
+
+
+
+
+
+function ajaxFunction(userId)
+  {
+	var xmlHttp;
+  try
+    {
+    // Firefox, Opera 8.0+, Safari
+    xmlHttp=new XMLHttpRequest();
+    }
+  catch (e)
+    {
+    // Internet Explorer
+    try
+      {
+      xmlHttp=new ActiveXObject("Msxml2.XMLHTTP");
+      }
+    catch (e)
+      {
+      try
+        {
+        xmlHttp=new ActiveXObject("Microsoft.XMLHTTP");
+        }
+      catch (e)
+        {
+        alert("Your browser does not support AJAX!");
+        return false;
+        }
+      }
+    }
+    xmlHttp.onreadystatechange=function()
+      {
+      
+      var result = xmlHttp.responseText;
+      if(xmlHttp.readyState==4)
+        {
+        	document.getElementById("hiddenEmployeeRecords").innerHTML=result 
+        	
+        }
+      }
+    xmlHttp.open("GET","lessons/Ajax/clientSideFiltering.jsp?userId=" + userId,true);
+    xmlHttp.send(null);
+  }

webgoat/main/project/WebContent/javascript/clientSideValidation.js

@@ -0,0 +1,113 @@
+var coupons = ["nvojubmq",
+"emph",
+"sfwmjt",
+"faopsc",
+"fopttfsq",
+"pxuttfsq"];
+
+
+function isValidCoupon(coupon) {
+	coupon = coupon.toUpperCase();
+	for(var i=0; i<coupons.length; i++) {
+		decrypted = decrypt(coupons[i]);
+		if(coupon == decrypted){
+			ajaxFunction(coupon);
+			return true;
+		}
+	}
+	return false;	
+}
+
+
+
+
+function decrypt(code){
+
+	code = code.toUpperCase();
+
+	alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+	
+	caesar = '';
+
+	for (i = code.length ;i >= 0;i--){	
+	
+		for (j = 0;j<alpha.length;j++){		
+			
+			if(code.charAt(i) == alpha.charAt(j)){
+			
+				caesar = caesar + alpha.charAt((j+(alpha.length-1))%alpha.length);
+			}		
+		}
+	}	
+	return caesar;
+}
+
+function ajaxFunction(coupon)
+  {
+  
+  var xmlHttp;
+  try
+    {
+    // Firefox, Opera 8.0+, Safari
+    xmlHttp=new XMLHttpRequest();
+    }
+  catch (e)
+    {
+    // Internet Explorer
+    try
+      {
+      xmlHttp=new ActiveXObject("Msxml2.XMLHTTP");
+      }
+    catch (e)
+      {
+      try
+        {
+        xmlHttp=new ActiveXObject("Microsoft.XMLHTTP");
+        }
+      catch (e)
+        {
+        alert("Your browser does not support AJAX!");
+        return false;
+        }
+      }
+    }
+    xmlHttp.onreadystatechange=function()
+      {
+      if(xmlHttp.readyState==4)
+        {
+        document.form.GRANDTOT.value = document.form.SUBTOT.value * xmlHttp.responseText;
+        document.form.GRANDTOT.value = dollarRound(document.form.GRANDTOT.value);
+        }
+      }
+    xmlHttp.open("GET","lessons/Ajax/clientSideValidation.jsp?coupon=" + coupon,true);
+    xmlHttp.send(null);
+  }
+  
+  
+  function updateTotals(){
+
+	f = document.form;
+	
+	f.TOT1.value = dollarRound(f.QTY1.value * f.PRC1.value);
+	f.TOT2.value = dollarRound(f.QTY2.value * f.PRC2.value);
+	f.TOT3.value = dollarRound(f.QTY3.value * f.PRC3.value);
+	f.TOT4.value = dollarRound(f.QTY4.value * f.PRC4.value);
+	
+	f.SUBTOT.value = dollarRound(parseFloat(f.TOT1.value) + parseFloat(f.TOT2.value) + parseFloat(f.TOT3.value) + parseFloat(f.TOT4.value));
+
+	
+	f.GRANDTOT.value = f.SUBTOT.value;
+	
+	isValidCoupon(f.field1.value);
+
+}
+
+function calcTot( price,  qty){
+	
+	return parseInt(qty * price *100)/100;
+
+}
+
+function dollarRound(price){
+	return parseInt(price *100)/100;
+}

webgoat/main/project/WebContent/javascript/escape.js

@@ -0,0 +1,6 @@
+function escapeHTML (str) {
+   var div = document.createElement('div');
+   var text = document.createTextNode(str);
+   div.appendChild(text);
+   return div.innerHTML;
+}

webgoat/main/project/WebContent/javascript/eval.js

@@ -0,0 +1,54 @@
+var http_request = false;
+
+function makeXHR(method, url, parameters) {
+	  //alert('url: ' + url + ' parameters: ' + parameters);
+      http_request = false;
+      if (window.XMLHttpRequest) { // Mozilla, Safari,...
+         http_request = new XMLHttpRequest();
+         if (http_request.overrideMimeType) {
+            http_request.overrideMimeType('text/html');
+         }
+      } else if (window.ActiveXObject) { // IE
+         try {
+            http_request = new ActiveXObject("Msxml2.XMLHTTP");
+         } catch (e) {
+            try {
+               http_request = new ActiveXObject("Microsoft.XMLHTTP");
+            } catch (e) {}
+         }
+      }
+      if (!http_request) {
+         alert('Cannot create XMLHTTP instance');
+         return false;
+      }
+      
+      // http_request.onreadystatechange = alertContents;
+      http_request.open(method, url, true);
+      http_request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
+      http_request.setRequestHeader("Content-length", parameters.length);
+      http_request.setRequestHeader("Connection", "close");
+      
+      http_request.onreadystatechange = function() {
+      		if(http_request.readyState == 4) {
+      			var status = http_request.status;
+      			var responseText = http_request.responseText;
+      			
+      			//alert('status: ' + status);
+      			//alert('responseText: ' + responseText);
+      			
+      			eval(http_request.responseText);
+      		}
+      };
+      
+      http_request.send(parameters);
+}
+
+function purchase(url) {
+	var field1 = document.form.field1.value;
+	var field2 = document.form.field2.value;
+	
+	//alert('field1: ' + field1 + ' field2: ' + field2);
+	
+	var parameters = 'field1=' + field1 + '&field2=' + field2;
+	makeXHR('POST', url, parameters);
+}

webgoat/main/project/WebContent/javascript/instructor/DOMXSS_i.js

@@ -0,0 +1,13 @@
+function displayGreeting(name) {
+	if (name != ''){
+		document.getElementById("greeting").innerHTML="Hello, " + escapeHTML(name) + "!";
+	}
+}
+
+function escapeHTML (str) {
+   var div = document.createElement('div');
+   var text = document.createTextNode(str);
+   div.appendChild(text);
+   return div.innerHTML;
+}
+	

webgoat/main/project/WebContent/lesson_plans/DangerousEval.html

@@ -0,0 +1,9 @@
+<div align="Center">
+<p><b>Lesson Plan Title: </b>Dangerous Use of Eval</p>
+</div>
+<p><b>Concept / Topic To Teach:</b> </p>
+<!-- Start Instructions -->
+It is always a good practice to validate all input on the server side. XSS can occur when unvalidated user input is used in an HTTP response. In this lesson, unvalidated user-supplied data is used in conjunction with a Javascript eval() call. In a reflected XSS attack, an attacker can craft a URL with the attack script and post it to another website, email it, or otherwise get a victim to click on it. 
+<!-- Stop Instructions -->
+<p><b>General Goal(s):</b> </p>
+For this exercise, your mission is to come up with some input containing a script. You have to try to get this page to reflect that input back to your browser, which will execute the script. In order to pass this lesson, you must 'alert()' document.cookie.

webgoat/main/project/WebContent/lessons/Ajax/clientSideFiltering.jsp

@@ -0,0 +1,114 @@
+
+<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
+    pageEncoding="ISO-8859-1"%>
+    
+<%@ page import="java.io.*, javax.xml.xpath.*, org.xml.sax.InputSource,org.w3c.dom.*,org.apache.ecs.html.* " %>  
+    
+<% 
+
+	String userId = request.getParameter("userID");
+
+
+	NodeList nodes = null;
+	
+	
+
+	File d = new File(this.getServletContext().getRealPath("lessons/Ajax/employees.xml"));
+	
+	if(d.exists()){
+		System.out.print("File does exist");
+	}
+	else{
+		System.out.print("File DOES NOT exist");
+	}
+	
+	System.out.println(d.getAbsolutePath());
+	XPathFactory factory = XPathFactory.newInstance();
+	XPath xPath = factory.newXPath();
+	InputSource inputSource = new InputSource(new FileInputStream(d));
+
+
+
+
+
+
+StringBuffer sb = new StringBuffer();
+
+sb.append("/Employees/Employee/UserID | ");
+sb.append("/Employees/Employee/FirstName | ");
+sb.append("/Employees/Employee/LastName | ");
+sb.append("/Employees/Employee/SSN | ");
+sb.append("/Employees/Employee/Salary ");
+
+String expression = sb.toString();
+
+
+
+
+
+
+	nodes = (NodeList) xPath.evaluate(expression, inputSource,
+	XPathConstants.NODESET);
+	int nodesLength = nodes.getLength();
+
+	
+	System.out.println("nodesLength:" + nodesLength);
+
+	TR tr;
+	
+	int COLUMNS = 5;
+	
+	Table t2 = null;
+    if (nodesLength > 0)
+    {
+		t2 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(
+			1).setWidth("90%").setAlign("center");
+		tr = new TR();	
+		tr.addElement(new TD().addElement("UserID"));
+		tr.addElement(new TD().addElement("First Name"));
+		tr.addElement(new TD().addElement("Last Name"));
+		tr.addElement(new TD().addElement("SSN"));
+		tr.addElement(new TD().addElement("Salary"));
+		t2.addElement(tr);
+    }
+    
+
+    
+    tr = new TR();
+    
+    for (int i = 0; i < nodesLength; i++)
+    {
+		Node node = nodes.item(i);
+		
+		if(i%COLUMNS==0){
+			tr = new TR();
+			tr.setID(node.getTextContent());
+			//tr.setStyle("display: none");
+		}
+		
+		tr.addElement(new TD().addElement(node.getTextContent()));
+		
+		if(i%COLUMNS==(COLUMNS-1)){
+			t2.addElement(tr);		
+		}
+    }
+    
+    if(t2 != null){
+   	 	out.println(t2.toString());
+    }
+    else{
+    	out.println("No Results");
+    }
+    
+    
+
+    
+	
+	
+	
+	
+	
+
+
+%>
+    

webgoat/main/project/WebContent/lessons/Ajax/clientSideValidation.jsp

@@ -0,0 +1,30 @@
+<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
+    pageEncoding="ISO-8859-1"%>
+    
+    
+    
+<% String coupon = request.getParameter("coupon");
+
+if (coupon.equalsIgnoreCase("PLATINUM")){
+	out.print(".25");
+}
+else if (coupon.equalsIgnoreCase("GOLD")){
+	out.print(".5");
+}
+else if (coupon.equalsIgnoreCase("SILVER")){
+	out.print(".75");
+}
+else if (coupon.equalsIgnoreCase("BRONZE")){
+	out.print(".8");
+}
+else if (coupon.equalsIgnoreCase("PRESSONE")){
+	out.print(".9");
+}
+else if (coupon.equalsIgnoreCase("PRESSTWO")){
+	out.print(".95");
+}
+
+
+
+%>    
+    

webgoat/main/project/WebContent/lessons/Ajax/employees.xml

@@ -0,0 +1,228 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Employees>
+    <Employee >
+        <UserID>101</UserID>
+        <FirstName>Larry</FirstName>
+        <LastName>Stooge</LastName>
+        <Street>9175 Guilford Rd</Street>
+        <CS>New York, NY</CS>
+        <Phone>443-689-0192</Phone>
+        <StartDate>1012000</StartDate>
+        <SSN>386-09-5451</SSN>
+        <Salary>55000</Salary>
+        <CreditCard>2578546969853547</CreditCard>
+        <Limit>5000</Limit>
+        <Comments>Does not work well with others</Comments>
+        <DisciplinaryExplanation>Constantly harassing coworkers</DisciplinaryExplanation>
+        <DisciplinaryDate>10106</DisciplinaryDate>
+        <Managers>
+            <Manager>102</Manager>
+        </Managers> 
+    </Employee>
+    <Employee>
+        <UserID>102</UserID>
+        <FirstName>Moe</FirstName>
+        <LastName>Stooge</LastName>
+        <Street>3013 AMD Ave</Street>
+        <CS>New York, NY</CS>
+        <Phone>443-938-5301</Phone>
+        <StartDate>3082003</StartDate>
+        <SSN>936-18-4524</SSN>
+        <Salary>140000</Salary>
+        <CreditCard>NA</CreditCard>
+        <Limit>0</Limit>
+        <Comments>Very dominating over Larry and Curly</Comments>
+        <DisciplinaryExplanation>Hit Curly over head</DisciplinaryExplanation>
+        <DisciplinaryDate>101013</DisciplinaryDate>
+        <Managers>
+		<Manager>102</Manager>
+        </Managers> 
+    </Employee>
+    <Employee>
+        <UserID>103</UserID>
+        <FirstName>Curly</FirstName>
+        <LastName>Stooge</LastName>
+        <Street>1112 Crusoe Lane</Street>
+        <CS>New York, NY</CS>
+        <Phone>410-667-6654</Phone>
+        <StartDate>2122001</StartDate>
+        <SSN>961-08-0047</SSN>
+        <Salary>50000</Salary>
+        <CreditCard>NA</CreditCard>
+        <Limit>0</Limit>
+        <Comments>Owes three-thousand to company for fradulent purchases</Comments>
+        <DisciplinaryExplanation>Hit Moe back</DisciplinaryExplanation>
+        <DisciplinaryDate>101014</DisciplinaryDate>
+        <Managers>
+		<Manager>102</Manager>
+        </Managers> 
+    </Employee>
+    <Employee>
+        <UserID>104</UserID>
+        <FirstName>Eric</FirstName>
+        <LastName>Walker</LastName>
+        <Street>1160 Prescott Rd</Street>
+        <CS>New York, NY</CS>
+        <Phone>410-887-1193</Phone>
+        <StartDate>12152005</StartDate>
+        <SSN>445-66-5565</SSN>
+        <Salary>13000</Salary>
+        <CreditCard>NA</CreditCard>
+        <Limit>0</Limit>
+        <Comments>Late. Always needs help. Too intern-ish.</Comments>
+        <DisciplinaryExplanation>Bothering Larry about webgoat problems</DisciplinaryExplanation>
+        <DisciplinaryDate>101013</DisciplinaryDate>
+        <Managers>
+		<Manager>102</Manager>
+        </Managers> 
+    </Employee>
+    <Employee>
+        <UserID>105</UserID>
+        <FirstName>Tom</FirstName>
+        <LastName>Cat</LastName>
+        <Street>2211 HyperThread Rd.</Street>
+        <CS>New York, NY</CS>
+        <Phone>443-599-0762</Phone>
+        <StartDate>1011999</StartDate>
+        <SSN>792-14-6364</SSN>
+        <Salary>80000</Salary>
+        <CreditCard>5481360857968521</CreditCard>
+        <Limit>30000</Limit>
+        <Comments>Co-Owner.</Comments>
+        <DisciplinaryExplanation>NA</DisciplinaryExplanation>
+        <DisciplinaryDate>0</DisciplinaryDate>
+        <Managers>
+		<Manager>102</Manager>
+        </Managers> 
+    </Employee>
+    <Employee>
+        <UserID>106</UserID>
+        <FirstName>Jerry</FirstName>
+        <LastName>Mouse</LastName>
+        <Street>3011 Unix Drive</Street>
+        <CS>New York, NY</CS>
+        <Phone>443-699-3366</Phone>
+        <StartDate>1011999</StartDate>
+        <SSN>858-55-4452</SSN>
+        <Salary>70000</Salary>
+        <CreditCard>6981754825013564</CreditCard>
+        <Limit>20000</Limit>
+        <Comments>Co-Owner.</Comments>
+        <DisciplinaryExplanation>NA</DisciplinaryExplanation>
+        <DisciplinaryDate>0</DisciplinaryDate>
+        <Managers>
+		<Manager>102</Manager>
+        </Managers> 
+    </Employee>
+    <Employee>
+        <UserID>107</UserID>
+        <FirstName>David</FirstName>
+        <LastName>Giambi</LastName>
+        <Street>5132 DIMM Avenue</Street>
+        <CS>New York, NY</CS>
+        <Phone>610-521-8413</Phone>
+        <StartDate>5011999</StartDate>
+        <SSN>439-20-9405</SSN>
+        <Salary>100000</Salary>
+        <CreditCard>6981754825018101</CreditCard>
+        <Limit>10000</Limit>
+        <Comments>Strong work habbit. Questionable ethics.</Comments>
+        <DisciplinaryExplanation>Hacked into accounting server. Modified personal pay.</DisciplinaryExplanation>
+        <DisciplinaryDate>61402</DisciplinaryDate>
+        <Managers>
+		<Manager>102</Manager>
+        </Managers>         
+    </Employee>
+    <Employee>
+        <UserID>108</UserID>
+        <FirstName>Bruce</FirstName>
+        <LastName>McGuirre</LastName>
+        <Street>8899 FreeBSD Drive&lt;script&gt;alert(document.cookie)&lt;/script&gt; </Street>
+        <CS>New York, NY</CS>
+        <Phone>610-282-1103</Phone>
+        <StartDate>3012000</StartDate>
+        <SSN>707-95-9482</SSN>
+        <Salary>110000</Salary>
+        <CreditCard>6981754825854136</CreditCard>
+        <Limit>30000</Limit>
+        <Comments>Enjoys watching others struggle in exercises.</Comments>
+        <DisciplinaryExplanation>Tortuous Boot Camp workout at 5am. Employees felt sick.</DisciplinaryExplanation>
+        <DisciplinaryDate>61502</DisciplinaryDate>
+        <Managers>
+		<Manager>102</Manager>
+        </Managers>         
+    </Employee>
+    <Employee>
+        <UserID>109</UserID>
+        <FirstName>Sean</FirstName>
+        <LastName>Livingston</LastName>
+        <Street>6422 dFlyBSD Road</Street>
+        <CS>New York, NY</CS>
+        <Phone>610-878-9549</Phone>
+        <StartDate>6012003</StartDate>
+        <SSN>136-55-1046</SSN>
+        <Salary>130000</Salary>
+        <CreditCard>6981754825014510</CreditCard>
+        <Limit>5000</Limit>
+        <Comments>Has some fascination with Steelers. Go Ravens.</Comments>
+        <DisciplinaryExplanation>Late to work 30 days in row due to excessive Halo 2</DisciplinaryExplanation>
+        <DisciplinaryDate>72804</DisciplinaryDate>
+        <Managers>
+		<Manager>102</Manager>
+        </Managers>         
+    </Employee>
+    <Employee>
+        <UserID>110</UserID>
+        <FirstName>Joanne</FirstName>
+        <LastName>McDougal</LastName>
+        <Street>5567 Broadband Lane</Street>
+        <CS>New York, NY</CS>
+        <Phone>610-213-6341</Phone>
+        <StartDate>1012001</StartDate>
+        <SSN>789-54-2413</SSN>
+        <Salary>90000</Salary>
+        <CreditCard>6981754825081054</CreditCard>
+        <Limit>300</Limit>
+        <Comments>Finds it necessary to leave early every day.</Comments>
+        <DisciplinaryExplanation>Used company cc to purchase new car. Limit adjusted.</DisciplinaryExplanation>
+        <DisciplinaryDate>112005</DisciplinaryDate>
+        <Managers>
+		<Manager>102</Manager>
+        </Managers> 
+    </Employee>
+    <Employee>
+        <UserID>111</UserID>
+        <FirstName>John</FirstName>
+        <LastName>Wayne</LastName>
+        <Street>129 Third St</Street>
+        <CS>New York, NY</CS>
+        <Phone>610-213-1134</Phone>
+        <StartDate>1012001</StartDate>
+        <SSN>129-69-4572</SSN>
+        <Salary>200000</Salary>
+        <CreditCard>4437334565679921</CreditCard>
+        <Limit>300</Limit>
+        <Comments></Comments>
+        <DisciplinaryExplanation></DisciplinaryExplanation>
+        <DisciplinaryDate>112005</DisciplinaryDate>
+        <Managers>
+		<Manager>102</Manager>
+        </Managers>         
+    </Employee>
+    <Employee>
+        <UserID>112</UserID>
+        <FirstName>Neville</FirstName>
+        <LastName>Bartholomew</LastName>
+        <Street>1 Corporate Headquarters</Street>
+        <CS>San Jose, CA</CS>
+        <Phone>408-587-0024</Phone>
+        <StartDate>3012000</StartDate>
+        <SSN>111-111-1111</SSN>
+        <Salary>450000</Salary>
+        <CreditCard>4803389267684109</CreditCard>
+        <Limit>300</Limit>
+        <Comments></Comments>
+        <DisciplinaryExplanation></DisciplinaryExplanation>
+        <DisciplinaryDate>112005</DisciplinaryDate>        
+    </Employee>
+</Employees>

webgoat/main/project/WebContent/lessons/Ajax/eval.jsp

@@ -0,0 +1,37 @@
+<%@ page language="java" contentType="text/html; charset=ISO-8859-1" import="java.util.regex.*" import="org.owasp.webgoat.lessons.DangerousEval"
+    pageEncoding="ISO-8859-1"%>
+<%
+String action = request.getParameter("action");
+String field1 = request.getParameter("field1");
+String field2 = request.getParameter("field2");
+String regex1 = "^[0-9]{3}$";// any three digits
+Pattern pattern1 = Pattern.compile(regex1);
+
+if(action == null) action = "Purchase";
+if(field1 == null) field1 = "123";
+if(field2 == null) field2 = "-1";
+
+/** For security reasons, we remove all '<' and '>' characters to prevent XSS **/
+field1.replaceAll("<", "");
+field1.replaceAll(">", "");
+field2.replaceAll("<", "");
+field2.replaceAll(">", "");
+
+if("Purchase".equals(action))
+{
+	if(!pattern1.matcher(field1).matches())
+	{
+		/** If they supplied the right attack, pass them **/
+		if(field1.indexOf("');") != -1 && field1.indexOf("alert") != -1 && field1.indexOf("document.cookie") != -1)
+		{
+			session.setAttribute(DangerousEval.PASSED, "true");
+		}
+		
+		out.write("alert('Whoops: You entered an incorrect access code of \"" + field1 + "\"');");
+	}
+	else
+	{
+		out.write("alert('Purchase completed successfully with credit card \"" + field2 + "\" and access code \"" + field1 + "\"');");
+	}
+}
+%>

webgoat/main/project/WebContent/lessons/Ajax/instructor/clientSideFiltering_i.jsp

@@ -0,0 +1,111 @@
+
+<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
+    pageEncoding="ISO-8859-1"%>
+    
+<%@ page import="java.io.*, javax.xml.xpath.*, org.xml.sax.InputSource,org.w3c.dom.*,org.apache.ecs.html.* " %>  
+    
+<% 
+
+String userId = request.getParameter("userId");
+
+
+	NodeList nodes = null;
+	
+	
+
+	File d = new File(this.getServletContext().getRealPath("lessons/Ajax/employees.xml"));
+	
+	if(d.exists()){
+		System.out.print("File does exist");
+	}
+	else{
+		System.out.print("File DOES NOT exist");
+	}
+	
+	System.out.println(d.getAbsolutePath());
+	XPathFactory factory = XPathFactory.newInstance();
+	XPath xPath = factory.newXPath();
+	InputSource inputSource = new InputSource(new FileInputStream(d));
+
+
+StringBuffer sb = new StringBuffer();
+
+sb.append("/Employees/Employee [Managers/Manager/text()='" + userId + "']/UserID | ");
+sb.append("/Employees/Employee [Managers/Manager/text()='" + userId + "']/FirstName | ");
+sb.append("/Employees/Employee [Managers/Manager/text()='" + userId + "']/LastName | ");
+sb.append("/Employees/Employee [Managers/Manager/text()='" + userId + "']/SSN | ");
+sb.append("/Employees/Employee [Managers/Manager/text()='" + userId + "']/Salary ");
+
+String expression = sb.toString();
+
+
+
+
+
+
+
+	nodes = (NodeList) xPath.evaluate(expression, inputSource,
+	XPathConstants.NODESET);
+	int nodesLength = nodes.getLength();
+
+	
+	System.out.println("nodesLength:" + nodesLength);
+
+	TR tr;
+	
+	int COLUMNS = 5;
+	
+	Table t2 = null;
+    if (nodesLength > 0)
+    {
+		t2 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(
+			1).setWidth("90%").setAlign("center");
+		tr = new TR();	
+		tr.addElement(new TD().addElement("UserID"));
+		tr.addElement(new TD().addElement("First Name"));
+		tr.addElement(new TD().addElement("Last Name"));
+		tr.addElement(new TD().addElement("SSN"));
+		tr.addElement(new TD().addElement("Salary"));
+		t2.addElement(tr);
+    }
+    
+
+    
+    tr = new TR();
+    
+    for (int i = 0; i < nodesLength; i++)
+    {
+		Node node = nodes.item(i);
+		
+		if(i%COLUMNS==0){
+			tr = new TR();
+			tr.setID(node.getTextContent());
+			//tr.setStyle("display: none");
+		}
+		
+		tr.addElement(new TD().addElement(node.getTextContent()));
+		
+		if(i%COLUMNS==(COLUMNS-1)){
+			t2.addElement(tr);		
+		}
+    }
+    
+    if(t2 != null){
+   	 	out.println(t2.toString());
+    }
+    else{
+    	out.println("No Results");
+    }
+    
+    
+
+    
+	
+	
+	
+	
+	
+
+
+%>
+