Merge with major changes made by Aspect

Several new lessons added


git-svn-id: http://webgoat.googlecode.com/svn/trunk@236 4033779f-a91e-0410-96ef-6bf7bf53c507
rogan.dawes
2008-01-10 10:12:31 +00:00
parent 137b7c813c
commit 1ce614f733
20 changed files with 2200 additions and 8 deletions


@ -0,0 +1,5 @@
function displayGreeting(name) {
if (name != ''){
document.getElementById("greeting").innerHTML="Hello, " + name+ "!";
}
}
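Review bot: `name` is concatenated into `innerHTML` unescaped in `displayGreeting`, so any markup in the value is parsed by the browser (DOM-based XSS). Another file in this commit contains the same function calling `escapeHTML(name)`, so this copy is presumably the deliberately vulnerable half of a lesson; if so, say it at the top of the file with a comment such as `// Intentionally vulnerable lesson code: name is written to innerHTML unescaped. Do not reuse.`. If it is not deliberate, the line should become `document.getElementById("greeting").innerHTML = "Hello, " + escapeHTML(name) + "!";`.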


@ -0,0 +1,64 @@
var dataFetched = false;
function selectUser(){
var newEmployeeID = document.getElementById("UserSelect").options[document.getElementById("UserSelect").selectedIndex].value;
document.getElementById("employeeRecord").innerHTML = document.getElementById(newEmployeeID).innerHTML;
}
function fetchUserData(){
if(!dataFetched){
dataFetched = true;
ajaxFunction(document.getElementById("userID").value);
}
}
function ajaxFunction(userId)
{
var xmlHttp;
try
{
// Firefox, Opera 8.0+, Safari
xmlHttp=new XMLHttpRequest();
}
catch (e)
{
// Internet Explorer
try
{
xmlHttp=new ActiveXObject("Msxml2.XMLHTTP");
}
catch (e)
{
try
{
xmlHttp=new ActiveXObject("Microsoft.XMLHTTP");
}
catch (e)
{
alert("Your browser does not support AJAX!");
return false;
}
}
}
xmlHttp.onreadystatechange=function()
{
var result = xmlHttp.responseText;
if(xmlHttp.readyState==4)
{
document.getElementById("hiddenEmployeeRecords").innerHTML=result
}
}
xmlHttp.open("GET","lessons/Ajax/clientSideFiltering.jsp?userId=" + userId,true);
xmlHttp.send(null);
}
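Review bot: The `onreadystatechange` handler in `ajaxFunction` writes the whole response into `hiddenEmployeeRecords` via `innerHTML`, and `selectUser` then copies one record out of it, so every record the server returns is present in the page whether or not it is displayed. Hiding data in the DOM is not access control; the filter by `userId` has to be enforced in `clientSideFiltering.jsp`, and if the exposure is the lesson's intended flaw a comment above `ajaxFunction` should say so. Independently, `userId` is appended to the query string raw and the handler ignores `xmlHttp.status`; I would use `xmlHttp.open("GET","lessons/Ajax/clientSideFiltering.jsp?userId=" + encodeURIComponent(userId),true);` and guard the write with `if (xmlHttp.readyState == 4 && xmlHttp.status == 200)`.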


@ -0,0 +1,113 @@
var coupons = ["nvojubmq",
"emph",
"sfwmjt",
"faopsc",
"fopttfsq",
"pxuttfsq"];
function isValidCoupon(coupon) {
coupon = coupon.toUpperCase();
for(var i=0; i<coupons.length; i++) {
decrypted = decrypt(coupons[i]);
if(coupon == decrypted){
ajaxFunction(coupon);
return true;
}
}
return false;
}
function decrypt(code){
code = code.toUpperCase();
alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
caesar = '';
for (i = code.length ;i >= 0;i--){
for (j = 0;j<alpha.length;j++){
if(code.charAt(i) == alpha.charAt(j)){
caesar = caesar + alpha.charAt((j+(alpha.length-1))%alpha.length);
}
}
}
return caesar;
}
function ajaxFunction(coupon)
{
var xmlHttp;
try
{
// Firefox, Opera 8.0+, Safari
xmlHttp=new XMLHttpRequest();
}
catch (e)
{
// Internet Explorer
try
{
xmlHttp=new ActiveXObject("Msxml2.XMLHTTP");
}
catch (e)
{
try
{
xmlHttp=new ActiveXObject("Microsoft.XMLHTTP");
}
catch (e)
{
alert("Your browser does not support AJAX!");
return false;
}
}
}
xmlHttp.onreadystatechange=function()
{
if(xmlHttp.readyState==4)
{
document.form.GRANDTOT.value = document.form.SUBTOT.value * xmlHttp.responseText;
document.form.GRANDTOT.value = dollarRound(document.form.GRANDTOT.value);
}
}
xmlHttp.open("GET","lessons/Ajax/clientSideValidation.jsp?coupon=" + coupon,true);
xmlHttp.send(null);
}
function updateTotals(){
f = document.form;
f.TOT1.value = dollarRound(f.QTY1.value * f.PRC1.value);
f.TOT2.value = dollarRound(f.QTY2.value * f.PRC2.value);
f.TOT3.value = dollarRound(f.QTY3.value * f.PRC3.value);
f.TOT4.value = dollarRound(f.QTY4.value * f.PRC4.value);
f.SUBTOT.value = dollarRound(parseFloat(f.TOT1.value) + parseFloat(f.TOT2.value) + parseFloat(f.TOT3.value) + parseFloat(f.TOT4.value));
f.GRANDTOT.value = f.SUBTOT.value;
isValidCoupon(f.field1.value);
}
function calcTot( price, qty){
return parseInt(qty * price *100)/100;
}
function dollarRound(price){
return parseInt(price *100)/100;
}
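Review bot: The `coupons` array and the `decrypt` routine that decodes it are delivered together, so the letter-shift encoding gives the codes no confidentiality, and `isValidCoupon` plus the `GRANDTOT` calculation in the `onreadystatechange` handler run entirely in the browser. The server must look the coupon up and recompute the total itself when the order is submitted rather than trust `GRANDTOT`; if this is the lesson's deliberate weakness, a header comment should state it. Separately, `decrypted` in `isValidCoupon`, `alpha`, `caesar`, `i` and `j` in `decrypt`, and `f` in `updateTotals` are assigned without `var` and become globals; declare them, e.g. `var alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZ", caesar = '', i, j;`. `coupon` should also go through `encodeURIComponent` before it is appended to the URL.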


@ -0,0 +1,6 @@
function escapeHTML (str) {
var div = document.createElement('div');
var text = document.createTextNode(str);
div.appendChild(text);
return div.innerHTML;
}
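Review bot: `escapeHTML` has no comment stating which contexts its output is safe for, and that limit matters here. Serialising a text node through `div.innerHTML` escapes `&`, `<` and `>` but leaves `"` and `'` untouched, so the result is safe as element content and not inside an attribute value. I would add above the function: `// Escapes &, < and > for use as element text only; quotes are not escaped, so never place the result in an attribute.`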


@ -0,0 +1,54 @@
var http_request = false;
function makeXHR(method, url, parameters) {
//alert('url: ' + url + ' parameters: ' + parameters);
http_request = false;
if (window.XMLHttpRequest) { // Mozilla, Safari,...
http_request = new XMLHttpRequest();
if (http_request.overrideMimeType) {
http_request.overrideMimeType('text/html');
}
} else if (window.ActiveXObject) { // IE
try {
http_request = new ActiveXObject("Msxml2.XMLHTTP");
} catch (e) {
try {
http_request = new ActiveXObject("Microsoft.XMLHTTP");
} catch (e) {}
}
}
if (!http_request) {
alert('Cannot create XMLHTTP instance');
return false;
}
// http_request.onreadystatechange = alertContents;
http_request.open(method, url, true);
http_request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http_request.setRequestHeader("Content-length", parameters.length);
http_request.setRequestHeader("Connection", "close");
http_request.onreadystatechange = function() {
if(http_request.readyState == 4) {
var status = http_request.status;
var responseText = http_request.responseText;
//alert('status: ' + status);
//alert('responseText: ' + responseText);
eval(http_request.responseText);
}
};
http_request.send(parameters);
}
function purchase(url) {
var field1 = document.form.field1.value;
var field2 = document.form.field2.value;
//alert('field1: ' + field1 + ' field2: ' + field2);
var parameters = 'field1=' + field1 + '&field2=' + field2;
makeXHR('POST', url, parameters);
}
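Review bot: `makeXHR` passes `http_request.responseText` to `eval` in the `onreadystatechange` handler without checking `status`, so whatever the endpoint returns, including an error page or any request data echoed back, runs as script in the page's origin. Assuming the response is meant to carry data, the server should return JSON and the handler should parse it instead of evaluating it, e.g. `if (http_request.status == 200) { var data = JSON.parse(http_request.responseText); }`; if the `eval` is a deliberate lesson flaw, mark it with a comment. In `purchase`, `field1` and `field2` are concatenated into the form body raw, so an `&` or `=` in either value changes the parameters sent; use `'field1=' + encodeURIComponent(field1) + '&field2=' + encodeURIComponent(field2)`. The `Content-length` and `Connection` request headers are set by the browser, so the two `setRequestHeader` calls for them can be dropped.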


@ -0,0 +1,13 @@
function displayGreeting(name) {
if (name != ''){
document.getElementById("greeting").innerHTML="Hello, " + escapeHTML(name) + "!";
}
}
function escapeHTML (str) {
var div = document.createElement('div');
var text = document.createTextNode(str);
div.appendChild(text);
return div.innerHTML;
}
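Review bot: `escapeHTML` is defined here a second time, identical to the standalone copy added elsewhere in this commit, so the two can drift apart; keep one definition and include that file on the lesson page. The greeting also does not need `innerHTML` at all: `document.getElementById("greeting").textContent = "Hello, " + name + "!";` writes the value as text and removes the dependency on the escaper (older Internet Explorer needs `innerText` instead). `name != ''` lets `null` and `undefined` through and would display "Hello, undefined!"; `if (name)` covers those cases.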