dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge with major changes made by Aspect

Browse Source 
Several new lessons added


git-svn-id: http://webgoat.googlecode.com/svn/trunk@236 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
rogan.dawes 2008-01-10 10:12:31 +00:00
parent 137b7c813c
commit 1ce614f733
20 changed files with 2200 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

430
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ClientSideFiltering/ClientSideFiltering.java Normal file
View File

@ -0,0 +1,430 @@
package org.owasp.webgoat.lessons.ClientSideFiltering;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.html.A;
import org.apache.ecs.html.BR;
import org.apache.ecs.html.IMG;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.P;
import org.apache.ecs.html.Script;
import org.apache.ecs.html.Select;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.SequentialLessonAdapter;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession;
public class ClientSideFiltering extends SequentialLessonAdapter {
private final static String ANSWER = "answer";
public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0));
protected Element createContent(WebSession s) {
return super.createStagedContent(s);
}
protected Element createMainContent(WebSession s) {
ElementContainer ec = new ElementContainer();
try {
ec.addElement(new Script()
.setSrc("javascript/clientSideFiltering.js"));
Input input = new Input(Input.HIDDEN, "userID", 102);
input.setID("userID");
ec.addElement(input);
ec.addElement(new P().addElement("Select user:"));
ec.addElement(createDropDown());
ec.addElement(new P());
Table t = new Table().setCellSpacing(0).setCellPadding(2)
.setBorder(1).setWidth("90%").setAlign("center");
t.setID("hiddenEmployeeRecords");
t.setStyle("display: none");
ec.addElement(t);
t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1)
.setWidth("90%").setAlign("center");
TR tr = new TR();
tr.addElement(new TD().addElement("UserID"));
tr.addElement(new TD().addElement("First Name"));
tr.addElement(new TD().addElement("Last Name"));
tr.addElement(new TD().addElement("SSN"));
tr.addElement(new TD().addElement("Salary"));
t.addElement(tr);
tr = new TR();
tr.setID("employeeRecord");
t.addElement(tr);
ec.addElement(t);
} catch (Exception e) {
s.setMessage("Error generating " + this.getClass().getName());
e.printStackTrace();
}
return (ec);
}
/**
* Gets the category attribute of the RoleBasedAccessControl object
*
* @return The category value
*/
protected ElementContainer doStage1(WebSession s) {
ElementContainer ec = new ElementContainer();
StringBuffer answerString = null;
int answer = 0;
try {
answerString = new StringBuffer(s.getParser().getStringParameter(
ANSWER, ""));
answer = Integer.parseInt(answerString.toString());
} catch (NumberFormatException e) {
// e.printStackTrace();
}
if (answer == 450000) {
getLessonTracker(s).setStage(2);
s.setMessage("Stage 1 completed.");
// Redirect user to Stage2 content.
ec.addElement(doStage2(s));
} else {
ec.addElement(stage1Content(s));
}
return ec;
}
protected Element doStage2(WebSession s){
ElementContainer ec = new ElementContainer();
/**
* They pass iff:
*
* 1. If the DOMXSS.js file contains the lines "escapeHTML(name)"
*/
String file = s.getWebResource("lessons/Ajax/clientSideFiltering.jsp");
String content = getFileContent(file);
if(content.indexOf("[Managers/Manager/text()") != -1)
{
makeSuccess(s);
ec.addElement(stage2Content(s));
}
else{
ec.addElement(stage2Content(s));
}
return ec;
}
protected ElementContainer stage1Content(WebSession s) {
ElementContainer ec = new ElementContainer();
try {
ec.addElement(createMainContent(s));
ec.addElement(new BR());
ec.addElement(new BR());
Table t1 = new Table().setCellSpacing(0).setCellPadding(2);
if (s.isColor()) {
t1.setBorder(1);
}
TR tr = new TR();
tr.addElement(new TD()
.addElement("What is Neville Bartholomew's salary? "));
tr.addElement(new TD(new Input(Input.TEXT, ANSWER, "")));
Element b = ECSFactory.makeButton("Submit Answer");
tr.addElement(new TD(b).setAlign("LEFT"));
t1.addElement(tr);
ec.addElement(t1);
} catch (Exception e) {
s.setMessage("Error generating " + this.getClass().getName());
e.printStackTrace();
}
return ec;
}
protected ElementContainer stage2Content(WebSession s) {
ElementContainer ec = new ElementContainer();
try {
ec.addElement(createMainContent(s));
ec.addElement(new BR());
ec.addElement(new BR());
Table t1 = new Table().setCellSpacing(0).setCellPadding(2);
if (s.isColor()) {
t1.setBorder(1);
}
TR tr = new TR();
/*tr.addElement(new TD()
.addElement("Press 'Submit' when you believe you have completed the lesson."));
*/
Element b = ECSFactory.makeButton("Click here when you believe you have completed the lesson.");
tr.addElement(new TD(b).setAlign("CENTER"));
t1.addElement(tr);
ec.addElement(t1);
} catch (Exception e) {
s.setMessage("Error generating " + this.getClass().getName());
e.printStackTrace();
}
return ec;
}
protected Select createDropDown(){
Select select = new Select("UserSelect");
select.setID("UserSelect");
org.apache.ecs.html.Option option = new org.apache.ecs.html.Option(
"Choose Employee", "0", "Choose Employee");
select.addElement(option);
option = new org.apache.ecs.html.Option("Larry Stooge", "101",
"Larry Stooge");
select.addElement(option);
option = new org.apache.ecs.html.Option("Moe Stooge", "102",
"Moe Stooge");
select.addElement(option);
option = new org.apache.ecs.html.Option("Curly Stooge", "103",
"Curly Stooge");
select.addElement(option);
option = new org.apache.ecs.html.Option("Eric Walker", "104",
"Eric Walker");
select.addElement(option);
option = new org.apache.ecs.html.Option("Tom Cat", "105", "Tom Cat");
select.addElement(option);
option = new org.apache.ecs.html.Option("Jerry Mouse", "106",
"Jerry Mouse");
select.addElement(option);
option = new org.apache.ecs.html.Option("David Giambi", "107",
"David Giambi");
select.addElement(option);
option = new org.apache.ecs.html.Option("Bruce McGuirre", "108",
"Bruce McGuirre");
select.addElement(option);
option = new org.apache.ecs.html.Option("Sean Livingston", "109",
"Sean Livingston");
select.addElement(option);
option = new org.apache.ecs.html.Option("Joanne McDougal", "110",
"Joanne McDougal");
select.addElement(option);
option = new org.apache.ecs.html.Option("John Wayne", "111",
"John Wayne");
select.addElement(option);
select.setOnChange("selectUser()");
select.setOnFocus("fetchUserData()");
return select;
}
protected Category getDefaultCategory() {
return Category.AJAX_SECURITY;
}
/**
* Gets the hints attribute of the RoleBasedAccessControl object
*
* @return The hints value
*/
public List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add("The information displayed when an employee is choosen from the drop down menu is stored on the client side.");
hints.add("Use Firebug to find where the information is stored on the client side.");
hints.add("Examine the hidden table to see if there is anyone listed who is not in the drop down menu.");
hints.add("Look in the last row of the hidden table.");
hints.add("You can access the server directly <a href = \"/WebGoat/lessons/Ajax/clientSideFiltering.jsp?userId=102\">here </a>" +
"to see what results are being returned");
hints.add("The server uses an XPath query agasinst an XML database.");
hints.add("The query currently returns all of the contents of the database.");
hints.add("The query should only return the information of employees who are managed by Moe Stooge, who's userID is 102");
hints.add("Try using a filter operator.");
hints.add("your filter operator shoiuld look something like: [Managers/Manager/text()=");
return hints;
}
public String getInstructions(WebSession s) {
String instructions = "";
if (getLessonTracker(s).getStage() == 1) {
instructions = "STAGE 1:\tYou are Moe Stooge, CSO of Goat Hills Bank. "
+ "You have access to everyone in the company's information, except the CEO, "
+ "Neville Bartholomew. Or at least you shouldn't have access to the CEO's information."
+ " For this exercise, "
+ "examine the contents of the page to see what extra information you can find.";
} else if (getLessonTracker(s).getStage() == 2) {
instructions = "STAGE 2:\tNow, fix the problem. Modify the server to only return " +
"results that Moe Stooge is allowed to see.";
}
return (instructions);
}
private final static Integer DEFAULT_RANKING = new Integer(10);
protected Integer getDefaultRanking() {
return DEFAULT_RANKING;
}
/**
* Gets the resources attribute of the RoleBasedAccessControl object
*
* @param rl
* Description of the Parameter
* @return The resources value
*/
/**
* Gets the role attribute of the RoleBasedAccessControl object
*
* @param user
* Description of the Parameter
* @return The role value
*/
/**
* Gets the title attribute of the AccessControlScreen object
*
* @return The title value
*/
public String getTitle() {
return ("LAB: Client Side Filtering");
}
private String getFileContent(String content)
{
BufferedReader is = null;
StringBuffer sb = new StringBuffer();
try
{
is = new BufferedReader(new FileReader(new File(content)));
String s = null;
while((s = is.readLine()) != null)
{
sb.append(s);
}
}
catch (Exception e)
{
e.printStackTrace();
}
finally
{
if(is != null)
{
try
{
is.close();
}
catch (IOException ioe)
{
}
}
}
return sb.toString();
}
public Element getCredits()
{
return super.getCustomCredits("", ASPECT_LOGO);
}
}

423
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ClientSideValidation.java Normal file
View File

@ -0,0 +1,423 @@
package org.owasp.webgoat.lessons;
import java.util.ArrayList;
import java.util.List;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.html.A;
import org.apache.ecs.html.BR;
import org.apache.ecs.html.Center;
import org.apache.ecs.html.H1;
import org.apache.ecs.html.HR;
import org.apache.ecs.html.IMG;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.Script;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TH;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.HtmlEncoder;
public class ClientSideValidation extends SequentialLessonAdapter {
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/
public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0));
private boolean stage1FirstVisit = true;
private boolean stage2FirstVisit = true;
protected Element createContent(WebSession s) {
return super.createStagedContent(s);
}
protected Element doStage1(WebSession s) {
return evalStage1(s);
}
protected Element doStage2(WebSession s) {
return stage2Content(s);
}
protected Element evalStage1(WebSession s) {
ElementContainer ec = new ElementContainer();
String param1 = s.getParser().getRawParameter("field1", "");
//test success
if (param1.equalsIgnoreCase("platinum")
|| param1.equalsIgnoreCase("gold")
|| param1.equalsIgnoreCase("silver")
|| param1.equalsIgnoreCase("bronze")
|| param1.equalsIgnoreCase("pressone")
|| param1.equalsIgnoreCase("presstwo")) {
getLessonTracker(s).setStage(2);
//s.resetHintCount();
s.setMessage("Stage 1 completed.");
// Redirect user to Stage2 content.
ec.addElement(doStage2(s));
} else {
if (!stage1FirstVisit) {
s.setMessage("Keep looking for the coupon code.");
}
stage1FirstVisit = false;
ec.addElement(stage1Content(s));
}
return ec;
}
protected Element stage1Content(WebSession s) {
ElementContainer ec = new ElementContainer();
try {
ec.addElement(new Script()
.setSrc("javascript/clientSideValidation.js"));
ec.addElement(new HR().setWidth("90%"));
ec.addElement(new Center().addElement(new H1()
.addElement("Shopping Cart")));
ec.addElement(createQtyTable(s));
ec.addElement(createTotalTable(s));
ec.addElement(new BR());
ec.addElement(new HR().setWidth("90%"));
} catch (Exception e) {
s.setMessage("Error generating " + this.getClass().getName());
e.printStackTrace();
}
return (ec);
}
protected Element stage2Content(WebSession s) {
ElementContainer ec = new ElementContainer();
try {
ec.addElement(new Script()
.setSrc("javascript/clientSideValidation.js"));
ec.addElement(new HR().setWidth("90%"));
ec.addElement(new Center().addElement(new H1()
.addElement("Shopping Cart")));
ec.addElement(createQtyTable(s));
ec.addElement(createTotalTable(s));
ec.addElement(new BR());
ec.addElement(new HR().setWidth("90%"));
// test success
float grandTotal = s.getParser()
.getFloatParameter("GRANDTOT", 0.0f);
if (getTotalQty(s) > 0 && grandTotal == 0 && !stage2FirstVisit) {
makeSuccess(s);
} else {
if (!stage2FirstVisit) {
s.setMessage("Your order isn't free yet.");
}
stage2FirstVisit = false;
}
} catch (Exception e) {
s.setMessage("Error generating " + this.getClass().getName());
e.printStackTrace();
}
return (ec);
}
protected ElementContainer createTotalTable(WebSession s) {
ElementContainer ec = new ElementContainer();
String param1 = s.getParser().getRawParameter("field1", "");
String param2 = HtmlEncoder.encode(s.getParser().getRawParameter(
"field2", "4128 3214 0002 1999"));
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0)
.setWidth("90%").setAlign("center");
if (s.isColor()) {
t.setBorder(1);
}
ec.addElement(new BR());
TR tr = new TR();
tr.addElement(new TD()
.addElement("Total before coupon is applied:"));
tr.addElement(new TD().addElement(
new Input(Input.TEXT, "SUBTOT", s.getParser()
.getStringParameter("SUBTOT", "0")).setReadOnly(true))
.setAlign("right"));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD()
.addElement("Total to be charged to your credit card:"));
tr.addElement(new TD()
.addElement(
new Input(Input.TEXT, "GRANDTOT", s.getParser()
.getStringParameter("GRANDTOT", "0"))
.setReadOnly(true)).setAlign("right"));
t.addElement(tr);
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("&nbsp;").setColSpan(2));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("Enter your credit card number:"));
tr.addElement(new TD().addElement(new Input(Input.TEXT, "field2",
param2)));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("Enter your coupon code:"));
Input input = new Input(Input.TEXT, "field1", param1);
input.setOnKeyUp("isValidCoupon(field1.value)");
tr.addElement(new TD().addElement(input));
t.addElement(tr);
Element b = ECSFactory.makeButton("Purchase");
tr = new TR();
tr.addElement(new TD().addElement(b).setColSpan(2).setAlign("center"));
t.addElement(tr);
ec.addElement(t);
return ec;
}
protected int getTotalQty(WebSession s) {
int quantity = 0;
quantity += s.getParser().getFloatParameter("QTY1", 0.0f);
quantity += s.getParser().getFloatParameter("QTY2", 0.0f);
quantity += s.getParser().getFloatParameter("QTY3", 0.0f);
quantity += s.getParser().getFloatParameter("QTY4", 0.0f);
return quantity;
}
protected ElementContainer createQtyTable(WebSession s) {
ElementContainer ec = new ElementContainer();
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1)
.setWidth("90%").setAlign("center");
if (s.isColor()) {
t.setBorder(1);
}
TR tr = new TR();
tr.addElement(new TH().addElement("Shopping Cart Items -- To Buy Now")
.setWidth("70%"));
tr.addElement(new TH().addElement("Price").setWidth("10%"));
tr.addElement(new TH().addElement("Quantity").setWidth("10%"));
tr.addElement(new TH().addElement("Total").setWidth("10%"));
t.addElement(tr);
tr = new TR();
tr
.addElement(new TD()
.addElement("Studio RTA - Laptop/Reading Cart with Tilting Surface - Cherry "));
tr.addElement(new TD().addElement(
new Input(Input.TEXT, "PRC1", s.getParser().getStringParameter(
"PRC1", "69.99")).setSize(10).setReadOnly(true)).setAlign("right"));
Input input = new Input(Input.TEXT, "QTY1", s.getParser()
.getStringParameter("QTY1", "0"));
input.setOnKeyUp("updateTotals();");
input.setOnLoad("updateTotals();");
input.setSize(10);
tr.addElement(new TD().addElement(input).setAlign("right"));
tr.addElement(new TD().addElement(
new Input(Input.TEXT, "TOT1", s.getParser().getStringParameter(
"TOT1", "0")).setSize(10).setReadOnly(true)).setAlign("right"));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("Dynex - Traditional Notebook Case"));
tr.addElement(new TD().addElement(
new Input(Input.TEXT, "PRC2", s.getParser().getStringParameter(
"PRC2", "27.99")).setSize(10).setReadOnly(true)).setAlign("right"));
input = new Input(Input.TEXT, "QTY2", s.getParser().getStringParameter(
"QTY2", "0"));
input.setOnKeyUp("updateTotals();");
input.setSize(10);
tr.addElement(new TD().addElement(input).setAlign("right"));
tr.addElement(new TD().addElement(
new Input(Input.TEXT, "TOT2", s.getParser().getStringParameter(
"TOT2", "0")).setSize(10).setReadOnly(true)).setAlign("right"));
t.addElement(tr);
tr = new TR();
tr
.addElement(new TD()
.addElement("Hewlett-Packard - Pavilion Notebook with Intel® Centrino™"));
tr.addElement(new TD().addElement(
new Input(Input.TEXT, "PRC3", s.getParser().getStringParameter(
"PRC3", "1599.99")).setSize(10).setReadOnly(true))
.setAlign("right"));
input = new Input(Input.TEXT, "QTY3", s.getParser().getStringParameter(
"QTY3", "0"));
input.setOnKeyUp("updateTotals();");
input.setSize(10);
tr.addElement(new TD().addElement(input).setAlign("right"));
tr.addElement(new TD().addElement(
new Input(Input.TEXT, "TOT3", s.getParser().getStringParameter(
"TOT3", "0")).setSize(10).setReadOnly(true)).setAlign("right"));
t.addElement(tr);
tr = new TR();
tr
.addElement(new TD()
.addElement("3 - Year Performance Service Plan $1000 and Over "));
tr
.addElement(new TD().addElement(
new Input(Input.TEXT, "PRC4", s.getParser()
.getStringParameter("PRC4", "299.99")).setSize(10)
.setReadOnly(true)).setAlign("right"));
input = new Input(Input.TEXT, "QTY4", s.getParser().getStringParameter(
"QTY4", "0"));
input.setOnKeyUp("updateTotals();");
input.setSize(10);
tr.addElement(new TD().addElement(input).setAlign("right"));
tr.addElement(new TD().addElement(
new Input(Input.TEXT, "TOT4", s.getParser().getStringParameter(
"TOT4", "0")).setSize(10).setReadOnly(true)).setAlign("right"));
t.addElement(tr);
ec.addElement(t);
return ec;
}
protected Category getDefaultCategory() {
return Category.AJAX_SECURITY;
}
/**
* Gets the hints attribute of the AccessControlScreen object
*
* @return The hints value
*/
public List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add("Use Firebug to examine the JavaScript.");
hints.add("Using Firebug, you can add breakpoints in the JavaScript.");
hints.add("Use Firebug to find the array or encrypted coupon codes, and " +
"step through the JavaScript to see the decrypted values.");
hints.add("You can use Firebug to inspect (and modify) the HTML.");
hints.add("Use Firebug to remove the 'readonly' attribute from the input next to " +
"'The total charged to your credit card:' and set the value to 0.");
return hints;
}
/**
* Gets the instructions attribute of the WeakAccessControl object
*
* @return The instructions value
*/
public String getInstructions(WebSession s) {
String instructions = "";
if (getLessonTracker(s).getStage() == 1) {
instructions = "STAGE 1:\tFor this exercise, your mission is to discover a coupon code to receive an unintended discount.";
}
else if (getLessonTracker(s).getStage() == 2) {
instructions = "STAGE 2:\tNow, try to get your entire order for free.";
}
return (instructions);
}
private final static Integer DEFAULT_RANKING = new Integer(120);
protected Integer getDefaultRanking() {
return DEFAULT_RANKING;
}
/**
* Gets the title attribute of the AccessControlScreen object
*
* @return The title value
*/
public String getTitle() {
return "Client Side Validation";
}
public Element getCredits()
{
return super.getCustomCredits("", ASPECT_LOGO);
}
}

264
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DOMXSS.java Normal file
View File

@ -0,0 +1,264 @@
package org.owasp.webgoat.lessons;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.A;
import org.apache.ecs.html.BR;
import org.apache.ecs.html.H1;
import org.apache.ecs.html.IMG;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.Script;
import org.owasp.webgoat.session.*;
public class DOMXSS extends SequentialLessonAdapter {
public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0));
private final static String PERSON = "person";
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent(WebSession s) {
return super.createStagedContent(s);
}
protected Element doStage1(WebSession s) throws Exception {
ElementContainer ec = new ElementContainer();
StringBuffer attackString = new StringBuffer(s.getParser().getStringParameter(PERSON, ""));
ec.addElement(mainContent(s));
if (attackString.toString().toLowerCase().indexOf("img") != -1&& attackString.toString().toLowerCase().indexOf("images/logos/owasp.jpg") != -1) {
getLessonTracker(s).setStage(2);
s.setMessage("Stage 1 completed. ");
}
return (ec);
}
protected Element doStage2(WebSession s) throws Exception {
ElementContainer ec = new ElementContainer();
StringBuffer attackString = new StringBuffer(s.getParser().getStringParameter(PERSON, ""));
ec.addElement(mainContent(s));
if (attackString.toString().toLowerCase().indexOf("img") != -1 && attackString.toString().toLowerCase().indexOf("onerror") != -1 && attackString.toString().toLowerCase().indexOf("alert") != -1) {
getLessonTracker(s).setStage(3);
s.setMessage("Stage 2 completed. ");
}
return (ec);
}
protected Element doStage3(WebSession s) throws Exception {
ElementContainer ec = new ElementContainer();
StringBuffer attackString = new StringBuffer(s.getParser().getStringParameter(PERSON, ""));
ec.addElement(mainContent(s));
if (attackString.toString().toLowerCase().indexOf("iframe") != -1 && attackString.toString().toLowerCase().indexOf("javascript:alert") != -1) {
getLessonTracker(s).setStage(4);
s.setMessage("Stage 3 completed.");
}
return (ec);
}
protected Element doStage4(WebSession s) throws Exception {
ElementContainer ec = new ElementContainer();
StringBuffer attackString = new StringBuffer(s.getParser().getStringParameter(PERSON, ""));
ec.addElement(mainContent(s));
if (attackString.toString().toLowerCase().indexOf("please enter your password:") != -1&& attackString.toString().toLowerCase().indexOf("javascript:alert") != -1) {
getLessonTracker(s).setStage(5);
s.setMessage("Stage 4 completed.");
}
return (ec);
}
protected Element doStage5(WebSession s) throws Exception {
ElementContainer ec = new ElementContainer();
ec.addElement(mainContent(s));
/**
* They pass iff:
*
* 1. If the DOMXSS.js file contains the lines "escapeHTML(name)"
*/
String file = s.getWebResource("javascript/DOMXSS.js");
String content = getFileContent(file);
if(content.indexOf("escapeHTML(name)") != -1)
{
makeSuccess(s);
}
return ec;
}
protected ElementContainer mainContent(WebSession s) {
StringBuffer attackString = null;
ElementContainer ec = new ElementContainer();
try {
ec.addElement(new Script().setSrc("javascript/DOMXSS.js"));
ec.addElement(new H1().setID("greeting"));
ec.addElement(new StringElement("Enter your name: "));
attackString = new StringBuffer(s.getParser().getStringParameter(PERSON, ""));
Input input = new Input(Input.TEXT, PERSON, attackString.toString());
input.setOnKeyUp("displayGreeting(" + PERSON + ".value)");
ec.addElement(input);
ec.addElement(new BR());
ec.addElement(new BR());
Element b = ECSFactory.makeButton("Submit Solution");
ec.addElement(b);
} catch (Exception e) {
s.setMessage("Error generating " + this.getClass().getName());
e.printStackTrace();
}
return ec;
}
/**
* Gets the hints attribute of the HelloScreen object
*
* @return The hints value
*/
public List<String> getHints(WebSession s) {
List<String> hints = new ArrayList<String>();
hints.add("Try entering the following: " + "&lt;IMG SRC=\"images/logos/owasp.jpg\"/&gt;");
hints.add("Try entering the following: " + "&lt;img src=x onerror=;;alert('XSS') /&gt;");
hints.add("Try entering the following: " + "&lt;IFRAME SRC=\"javascript:alert('XSS');\"&gt;&lt;/IFRAME&gt;");
hints.add("Try entering the following: " + "Please enter your password:&lt;BR&gt;&lt;input type = \"password\" name=\"pass\"/&gt;&lt;button " +
"onClick=\"javascript:alert('I have your password: ' + pass.value);\"&gt;Submit&lt;/button&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;");
//Attack Strings:
//<IMG SRC="images/logos/owasp.jpg"/>
//<img src=x onerror=;;alert('XSS') />
//<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
//Please enter your password:<BR><input type = "password" name="pass"/><button onClick="javascript:alert('I have your password: ' + pass.value);">Submit</button><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR>
return hints;
}
/**
* Gets the ranking attribute of the HelloScreen object
*
* @return The ranking value
*/
private final static Integer DEFAULT_RANKING = new Integer(10);
protected Integer getDefaultRanking() {
return DEFAULT_RANKING;
}
protected Category getDefaultCategory() {
return Category.AJAX_SECURITY;
}
/**
* Gets the title attribute of the HelloScreen object
*
* @return The title value
*/
public String getTitle() {
return ("LAB: DOM-Based cross-site scripting");
}
public String getInstructions(WebSession s) {
String instructions = "";
if (getLessonTracker(s).getStage() == 1) {
instructions = "STAGE 1:\tFor this exercise, your mission is to deface this website using the image at the following location: <a href = '/WebGoat/images/logos/owasp.jpg'>OWASP IMAGE</a>";
} else if (getLessonTracker(s).getStage() == 2) {
instructions = "STAGE 2:\tNow, try to create a pop up using the image tag";
} else if (getLessonTracker(s).getStage() == 3) {
instructions = "STAGE 3:\tNext, try to create a pop up using the IFRAME tag.";
} else if (getLessonTracker(s).getStage() == 4) {
instructions = "STAGE 4:\tUse the following to create a fake login form:<br><br>" + "Please enter your password:&lt;BR&gt;&lt;input type = \"password\" name=\"pass\"/&gt;&lt;button " +
"onClick=\"javascript:alert('I have your password: ' + pass.value);\"&gt;Submit&lt;/button&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;";
} else if(getLessonTracker(s).getStage() == 5) {
instructions = "STAGE 5:\tPerform client-side HTML entity encoding to mitigate the DOM XSS vulnerability. A utility method is provided for you in WebContent/javascript/escape.js.";
}
return (instructions);
}
private String getFileContent(String content)
{
BufferedReader is = null;
StringBuffer sb = new StringBuffer();
try
{
is = new BufferedReader(new FileReader(new File(content)));
String s = null;
while((s = is.readLine()) != null)
{
sb.append(s);
}
}
catch (Exception e)
{
e.printStackTrace();
}
finally
{
if(is != null)
{
try
{
is.close();
}
catch (IOException ioe)
{
}
}
}
return sb.toString();
}
public Element getCredits()
{
return super.getCustomCredits("", ASPECT_LOGO);
}
}

291
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DangerousEval.java Normal file
View File

@ -0,0 +1,291 @@
package org.owasp.webgoat.lessons;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.html.A;
import org.apache.ecs.html.BR;
import org.apache.ecs.html.Center;
import org.apache.ecs.html.H1;
import org.apache.ecs.html.HR;
import org.apache.ecs.html.IMG;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TH;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.HtmlEncoder;
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Eric Sheridan, Aspect Security <a href="http://www.aspectsecurity.com"/>
* @created October 28, 2003
*/
public class DangerousEval extends LessonAdapter
{
public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0));
public final static String PASSED = "__DANGEROUS_EVAL_PASS";
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
String regex1 = "^[0-9]{3}$";// any three digits
Pattern pattern1 = Pattern.compile(regex1);
try
{
checkSuccess(s);
String param1 = s.getParser().getRawParameter("field1", "111");
//String param2 = HtmlEncoder.encode(s.getParser().getRawParameter("field2", "4128 3214 0002 1999"));
float quantity = 1.0f;
float total = 0.0f;
float runningTotal = 0.0f;
// test input field1
if (!pattern1.matcher(param1).matches())
{
if (param1.toLowerCase().indexOf("script") != -1)
{
//makeSuccess(s);
}
s.setMessage("Whoops! You entered " + HtmlEncoder.encode(param1) + " instead of your three digit code. Please try again.");
}
// FIXME: encode output of field2, then s.setMessage( field2 );
ec.addElement("<script src=\"javascript/eval.js\"/>");
ec.addElement(new HR().setWidth("90%"));
ec.addElement(new Center().addElement(new H1().addElement("Shopping Cart ")));
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center");
if (s.isColor())
{
t.setBorder(1);
}
TR tr = new TR();
tr.addElement(new TH().addElement("Shopping Cart Items -- To Buy Now").setWidth("80%"));
tr.addElement(new TH().addElement("Price").setWidth("10%"));
tr.addElement(new TH().addElement("Quantity").setWidth("3%"));
tr.addElement(new TH().addElement("Total").setWidth("7%"));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("Studio RTA - Laptop/Reading Cart with Tilting Surface - Cherry "));
tr.addElement(new TD().addElement("69.99").setAlign("right"));
tr.addElement(new TD().addElement(new Input(Input.TEXT, "QTY1", s.getParser().getStringParameter("QTY1", "1"))).setAlign("right"));
quantity = s.getParser().getFloatParameter("QTY1", 0.0f);
total = quantity * 69.99f;
runningTotal += total;
tr.addElement(new TD().addElement("$" + total));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("Dynex - Traditional Notebook Case"));
tr.addElement(new TD().addElement("27.99").setAlign("right"));
tr.addElement(new TD().addElement(new Input(Input.TEXT, "QTY2", s.getParser().getStringParameter("QTY2", "1"))).setAlign("right"));
quantity = s.getParser().getFloatParameter("QTY2", 0.0f);
total = quantity * 27.99f;
runningTotal += total;
tr.addElement(new TD().addElement("$" + total));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("Hewlett-Packard - Pavilion Notebook with Intel® Centrino™"));
tr.addElement(new TD().addElement("1599.99").setAlign("right"));
tr.addElement(new TD().addElement(new Input(Input.TEXT, "QTY3", s.getParser().getStringParameter("QTY3", "1"))).setAlign("right"));
quantity = s.getParser().getFloatParameter("QTY3", 0.0f);
total = quantity * 1599.99f;
runningTotal += total;
tr.addElement(new TD().addElement("$" + total));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("3 - Year Performance Service Plan $1000 and Over "));
tr.addElement(new TD().addElement("299.99").setAlign("right"));
tr.addElement(new TD().addElement(new Input(Input.TEXT, "QTY4", s.getParser().getStringParameter("QTY4", "1"))).setAlign("right"));
quantity = s.getParser().getFloatParameter("QTY4", 0.0f);
total = quantity * 299.99f;
runningTotal += total;
tr.addElement(new TD().addElement("$" + total));
t.addElement(tr);
ec.addElement(t);
t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
if (s.isColor())
{
t.setBorder(1);
}
ec.addElement(new BR());
tr = new TR();
tr.addElement(new TD().addElement("The total charged to your credit card:"));
tr.addElement(new TD().addElement("$" + runningTotal));
Input b = new Input();
b.setType(Input.BUTTON);
b.setValue("Update Cart");
b.addAttribute("onclick", "purchase('lessons/Ajax/eval.jsp');");
tr.addElement(new TD().addElement(b));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("&nbsp;").setColSpan(2));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("Enter your credit card number:"));
tr.addElement(new TD().addElement("<input id='field2' name='field2' type='TEXT' value='4128 3214 0002 1999'>"));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("Enter your three digit access code:"));
tr.addElement(new TD().addElement("<input id='field1' name='field1' type='TEXT' value='123'>"));
//tr.addElement(new TD().addElement(new Input(Input.TEXT, "field1",param1)));
t.addElement(tr);
b = new Input();
b.setType(Input.BUTTON);
b.setValue("Purchase");
b.addAttribute("onclick", "purchase('lessons/Ajax/eval.jsp');");
tr = new TR();
tr.addElement(new TD().addElement(b).setColSpan(2).setAlign("right"));
t.addElement(tr);
ec.addElement(t);
ec.addElement(new BR());
ec.addElement(new HR().setWidth("90%"));
}
catch (Exception e)
{
s.setMessage("Error generating " + this.getClass().getName());
e.printStackTrace();
}
return (ec);
}
/**
* DOCUMENT ME!
*
* @return DOCUMENT ME!
*/
protected Category getDefaultCategory()
{
return Category.AJAX_SECURITY;
}
/**
* Gets the hints attribute of the AccessControlScreen object
*
* @return The hints value
*/
protected List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add("The lesson is similar to the standard reflected cross-site scripting lesson.");
hints.add("The access code parameter is vulnerable to a reflected cross-site scripting problem.");
hints.add("The usual &lt;SCRIPT&gt;alert(document.cookie);&lt;/SCRIPT&gt; will not work in this lesson. Why?");
hints.add("User-supplied data is landing in the Javascript eval() function. Your attack will not require the &lt; and &gt; characters.");
hints.add("In order to pass this lesson, you must 'alert' the document.cookie.");
hints.add("Try 123');alert(document.cookie);('");
return hints;
}
// <script type="text/javascript">if ( navigator.appName.indexOf("Microsoft") !=-1) {var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");xmlHttp.open("TRACE", "./", false); xmlHttp.send();str1=xmlHttp.responseText;document.write(str1);}</script>
/**
* Gets the instructions attribute of the WeakAccessControl object
*
* @return The instructions value
*/
public String getInstructions(WebSession s)
{
String instructions = "For this exercise, your mission is to come up with some input containing a script. You have to try to get this page to reflect that input back to your browser, which will execute the script. In order to pass this lesson, you must 'alert()' document.cookie.";
return (instructions);
}
private final static Integer DEFAULT_RANKING = new Integer(120);
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
/**
* Gets the title attribute of the AccessControlScreen object
*
* @return The title value
*/
public String getTitle()
{
return "Dangerous Use of Eval";
}
public Element getCredits()
{
return super.getCustomCredits("", ASPECT_LOGO);
}
/**
* Check to see if JSP says they passed the lesson.
* @param s
*/
private void checkSuccess(WebSession s)
{
javax.servlet.http.HttpSession session = s.getRequest().getSession();
if(session.getAttribute(PASSED) != null)
{
makeSuccess(s);
session.removeAttribute(PASSED);
}
}
}

12
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ReflectedXSS.java
View File

@ -107,8 +107,8 @@ public class ReflectedXSS extends LessonAdapter
TR tr = new TR();
tr.addElement(new TH().addElement(
"Shopping Cart Items -- To Buy Now").setWidth("80%"));
tr.addElement(new TH().addElement("Price:").setWidth("10%"));
tr.addElement(new TH().addElement("Quantity:").setWidth("3%"));
tr.addElement(new TH().addElement("Price").setWidth("10%"));
tr.addElement(new TH().addElement("Quantity").setWidth("3%"));
tr.addElement(new TH().addElement("Total").setWidth("7%"));
t.addElement(tr);
@ -121,7 +121,7 @@ public class ReflectedXSS extends LessonAdapter
new Input(Input.TEXT, "QTY1", s.getParser()
.getStringParameter("QTY1", "1")))
.setAlign("right"));
quantity = s.getParser().getFloatParameter("QTY1", 1.0f);
quantity = s.getParser().getFloatParameter("QTY1", 0.0f);
total = quantity * 69.99f;
runningTotal += total;
tr.addElement(new TD().addElement("$" + total));
@ -134,7 +134,7 @@ public class ReflectedXSS extends LessonAdapter
new Input(Input.TEXT, "QTY2", s.getParser()
.getStringParameter("QTY2", "1")))
.setAlign("right"));
quantity = s.getParser().getFloatParameter("QTY2", 1.0f);
quantity = s.getParser().getFloatParameter("QTY2", 0.0f);
total = quantity * 27.99f;
runningTotal += total;
tr.addElement(new TD().addElement("$" + total));
@ -148,7 +148,7 @@ public class ReflectedXSS extends LessonAdapter
new Input(Input.TEXT, "QTY3", s.getParser()
.getStringParameter("QTY3", "1")))
.setAlign("right"));
quantity = s.getParser().getFloatParameter("QTY3", 1.0f);
quantity = s.getParser().getFloatParameter("QTY3", 0.0f);
total = quantity * 1599.99f;
runningTotal += total;
tr.addElement(new TD().addElement("$" + total));
@ -163,7 +163,7 @@ public class ReflectedXSS extends LessonAdapter
new Input(Input.TEXT, "QTY4", s.getParser()
.getStringParameter("QTY4", "1")))
.setAlign("right"));
quantity = s.getParser().getFloatParameter("QTY4", 1.0f);
quantity = s.getParser().getFloatParameter("QTY4", 0.0f);
total = quantity * 299.99f;
runningTotal += total;
tr.addElement(new TD().addElement("$" + total));

4
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/TraceXSS.java
View File

@ -109,8 +109,8 @@ public class TraceXSS extends LessonAdapter
TR tr = new TR();
tr.addElement(new TH().addElement(
"Shopping Cart Items -- To Buy Now").setWidth("80%"));
tr.addElement(new TH().addElement("Price:").setWidth("10%"));
tr.addElement(new TH().addElement("Quantity:").setWidth("3%"));
tr.addElement(new TH().addElement("Price").setWidth("10%"));
tr.addElement(new TH().addElement("Quantity").setWidth("3%"));
tr.addElement(new TH().addElement("Total").setWidth("7%"));
t.addElement(tr);

5
webgoat/main/project/WebContent/javascript/DOMXSS.js Normal file
View File

@ -0,0 +1,5 @@
function displayGreeting(name) {
if (name != ''){
document.getElementById("greeting").innerHTML="Hello, " + name+ "!";
}
}

64
webgoat/main/project/WebContent/javascript/clientSideFiltering.js Normal file
View File

@ -0,0 +1,64 @@
var dataFetched = false;
function selectUser(){
var newEmployeeID = document.getElementById("UserSelect").options[document.getElementById("UserSelect").selectedIndex].value;
document.getElementById("employeeRecord").innerHTML = document.getElementById(newEmployeeID).innerHTML;
}
function fetchUserData(){
if(!dataFetched){
dataFetched = true;
ajaxFunction(document.getElementById("userID").value);
}
}
function ajaxFunction(userId)
{
var xmlHttp;
try
{
// Firefox, Opera 8.0+, Safari
xmlHttp=new XMLHttpRequest();
}
catch (e)
{
// Internet Explorer
try
{
xmlHttp=new ActiveXObject("Msxml2.XMLHTTP");
}
catch (e)
{
try
{
xmlHttp=new ActiveXObject("Microsoft.XMLHTTP");
}
catch (e)
{
alert("Your browser does not support AJAX!");
return false;
}
}
}
xmlHttp.onreadystatechange=function()
{
var result = xmlHttp.responseText;
if(xmlHttp.readyState==4)
{
document.getElementById("hiddenEmployeeRecords").innerHTML=result
}
}
xmlHttp.open("GET","lessons/Ajax/clientSideFiltering.jsp?userId=" + userId,true);
xmlHttp.send(null);
}

113
webgoat/main/project/WebContent/javascript/clientSideValidation.js Normal file
View File

@ -0,0 +1,113 @@
var coupons = ["nvojubmq",
"emph",
"sfwmjt",
"faopsc",
"fopttfsq",
"pxuttfsq"];
function isValidCoupon(coupon) {
coupon = coupon.toUpperCase();
for(var i=0; i<coupons.length; i++) {
decrypted = decrypt(coupons[i]);
if(coupon == decrypted){
ajaxFunction(coupon);
return true;
}
}
return false;
}
function decrypt(code){
code = code.toUpperCase();
alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
caesar = '';
for (i = code.length ;i >= 0;i--){
for (j = 0;j<alpha.length;j++){
if(code.charAt(i) == alpha.charAt(j)){
caesar = caesar + alpha.charAt((j+(alpha.length-1))%alpha.length);
}
}
}
return caesar;
}
function ajaxFunction(coupon)
{
var xmlHttp;
try
{
// Firefox, Opera 8.0+, Safari
xmlHttp=new XMLHttpRequest();
}
catch (e)
{
// Internet Explorer
try
{
xmlHttp=new ActiveXObject("Msxml2.XMLHTTP");
}
catch (e)
{
try
{
xmlHttp=new ActiveXObject("Microsoft.XMLHTTP");
}
catch (e)
{
alert("Your browser does not support AJAX!");
return false;
}
}
}
xmlHttp.onreadystatechange=function()
{
if(xmlHttp.readyState==4)
{
document.form.GRANDTOT.value = document.form.SUBTOT.value * xmlHttp.responseText;
document.form.GRANDTOT.value = dollarRound(document.form.GRANDTOT.value);
}
}
xmlHttp.open("GET","lessons/Ajax/clientSideValidation.jsp?coupon=" + coupon,true);
xmlHttp.send(null);
}
function updateTotals(){
f = document.form;
f.TOT1.value = dollarRound(f.QTY1.value * f.PRC1.value);
f.TOT2.value = dollarRound(f.QTY2.value * f.PRC2.value);
f.TOT3.value = dollarRound(f.QTY3.value * f.PRC3.value);
f.TOT4.value = dollarRound(f.QTY4.value * f.PRC4.value);
f.SUBTOT.value = dollarRound(parseFloat(f.TOT1.value) + parseFloat(f.TOT2.value) + parseFloat(f.TOT3.value) + parseFloat(f.TOT4.value));
f.GRANDTOT.value = f.SUBTOT.value;
isValidCoupon(f.field1.value);
}
function calcTot( price, qty){
return parseInt(qty * price *100)/100;
}
function dollarRound(price){
return parseInt(price *100)/100;
}

6
webgoat/main/project/WebContent/javascript/escape.js Normal file
View File

@ -0,0 +1,6 @@
function escapeHTML (str) {
var div = document.createElement('div');
var text = document.createTextNode(str);
div.appendChild(text);
return div.innerHTML;
}

54
webgoat/main/project/WebContent/javascript/eval.js Normal file
View File

@ -0,0 +1,54 @@
var http_request = false;
function makeXHR(method, url, parameters) {
//alert('url: ' + url + ' parameters: ' + parameters);
http_request = false;
if (window.XMLHttpRequest) { // Mozilla, Safari,...
http_request = new XMLHttpRequest();
if (http_request.overrideMimeType) {
http_request.overrideMimeType('text/html');
}
} else if (window.ActiveXObject) { // IE
try {
http_request = new ActiveXObject("Msxml2.XMLHTTP");
} catch (e) {
try {
http_request = new ActiveXObject("Microsoft.XMLHTTP");
} catch (e) {}
}
}
if (!http_request) {
alert('Cannot create XMLHTTP instance');
return false;
}
// http_request.onreadystatechange = alertContents;
http_request.open(method, url, true);
http_request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http_request.setRequestHeader("Content-length", parameters.length);
http_request.setRequestHeader("Connection", "close");
http_request.onreadystatechange = function() {
if(http_request.readyState == 4) {
var status = http_request.status;
var responseText = http_request.responseText;
//alert('status: ' + status);
//alert('responseText: ' + responseText);
eval(http_request.responseText);
}
};
http_request.send(parameters);
}
function purchase(url) {
var field1 = document.form.field1.value;
var field2 = document.form.field2.value;
//alert('field1: ' + field1 + ' field2: ' + field2);
var parameters = 'field1=' + field1 + '&field2=' + field2;
makeXHR('POST', url, parameters);
}

13
webgoat/main/project/WebContent/javascript/instructor/DOMXSS_i.js Normal file
View File

@ -0,0 +1,13 @@
function displayGreeting(name) {
if (name != ''){
document.getElementById("greeting").innerHTML="Hello, " + escapeHTML(name) + "!";
}
}
function escapeHTML (str) {
var div = document.createElement('div');
var text = document.createTextNode(str);
div.appendChild(text);
return div.innerHTML;
}

9
webgoat/main/project/WebContent/lesson_plans/DangerousEval.html Normal file
View File

@ -0,0 +1,9 @@
<div align="Center">
<p><b>Lesson Plan Title: </b>Dangerous Use of Eval</p>
</div>
<p><b>Concept / Topic To Teach:</b> </p>
<!-- Start Instructions -->
It is always a good practice to validate all input on the server side. XSS can occur when unvalidated user input is used in an HTTP response. In this lesson, unvalidated user-supplied data is used in conjunction with a Javascript eval() call. In a reflected XSS attack, an attacker can craft a URL with the attack script and post it to another website, email it, or otherwise get a victim to click on it.
<!-- Stop Instructions -->
<p><b>General Goal(s):</b> </p>
For this exercise, your mission is to come up with some input containing a script. You have to try to get this page to reflect that input back to your browser, which will execute the script. In order to pass this lesson, you must 'alert()' document.cookie.

114
webgoat/main/project/WebContent/lessons/Ajax/clientSideFiltering.jsp Normal file
View File

@ -0,0 +1,114 @@
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<%@ page import="java.io.*, javax.xml.xpath.*, org.xml.sax.InputSource,org.w3c.dom.*,org.apache.ecs.html.* " %>
<%
String userId = request.getParameter("userID");
NodeList nodes = null;
File d = new File(this.getServletContext().getRealPath("lessons/Ajax/employees.xml"));
if(d.exists()){
System.out.print("File does exist");
}
else{
System.out.print("File DOES NOT exist");
}
System.out.println(d.getAbsolutePath());
XPathFactory factory = XPathFactory.newInstance();
XPath xPath = factory.newXPath();
InputSource inputSource = new InputSource(new FileInputStream(d));
StringBuffer sb = new StringBuffer();
sb.append("/Employees/Employee/UserID | ");
sb.append("/Employees/Employee/FirstName | ");
sb.append("/Employees/Employee/LastName | ");
sb.append("/Employees/Employee/SSN | ");
sb.append("/Employees/Employee/Salary ");
String expression = sb.toString();
nodes = (NodeList) xPath.evaluate(expression, inputSource,
XPathConstants.NODESET);
int nodesLength = nodes.getLength();
System.out.println("nodesLength:" + nodesLength);
TR tr;
int COLUMNS = 5;
Table t2 = null;
if (nodesLength > 0)
{
t2 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(
1).setWidth("90%").setAlign("center");
tr = new TR();
tr.addElement(new TD().addElement("UserID"));
tr.addElement(new TD().addElement("First Name"));
tr.addElement(new TD().addElement("Last Name"));
tr.addElement(new TD().addElement("SSN"));
tr.addElement(new TD().addElement("Salary"));
t2.addElement(tr);
}
tr = new TR();
for (int i = 0; i < nodesLength; i++)
{
Node node = nodes.item(i);
if(i%COLUMNS==0){
tr = new TR();
tr.setID(node.getTextContent());
//tr.setStyle("display: none");
}
tr.addElement(new TD().addElement(node.getTextContent()));
if(i%COLUMNS==(COLUMNS-1)){
t2.addElement(tr);
}
}
if(t2 != null){
out.println(t2.toString());
}
else{
out.println("No Results");
}
%>

30
webgoat/main/project/WebContent/lessons/Ajax/clientSideValidation.jsp Normal file
View File

@ -0,0 +1,30 @@
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<% String coupon = request.getParameter("coupon");
if (coupon.equalsIgnoreCase("PLATINUM")){
out.print(".25");
}
else if (coupon.equalsIgnoreCase("GOLD")){
out.print(".5");
}
else if (coupon.equalsIgnoreCase("SILVER")){
out.print(".75");
}
else if (coupon.equalsIgnoreCase("BRONZE")){
out.print(".8");
}
else if (coupon.equalsIgnoreCase("PRESSONE")){
out.print(".9");
}
else if (coupon.equalsIgnoreCase("PRESSTWO")){
out.print(".95");
}
%>

228
webgoat/main/project/WebContent/lessons/Ajax/employees.xml Normal file
View File

@ -0,0 +1,228 @@
<?xml version="1.0" encoding="UTF-8"?>
<Employees>
<Employee >
<UserID>101</UserID>
<FirstName>Larry</FirstName>
<LastName>Stooge</LastName>
<Street>9175 Guilford Rd</Street>
<CS>New York, NY</CS>
<Phone>443-689-0192</Phone>
<StartDate>1012000</StartDate>
<SSN>386-09-5451</SSN>
<Salary>55000</Salary>
<CreditCard>2578546969853547</CreditCard>
<Limit>5000</Limit>
<Comments>Does not work well with others</Comments>
<DisciplinaryExplanation>Constantly harassing coworkers</DisciplinaryExplanation>
<DisciplinaryDate>10106</DisciplinaryDate>
<Managers>
<Manager>102</Manager>
</Managers>
</Employee>
<Employee>
<UserID>102</UserID>
<FirstName>Moe</FirstName>
<LastName>Stooge</LastName>
<Street>3013 AMD Ave</Street>
<CS>New York, NY</CS>
<Phone>443-938-5301</Phone>
<StartDate>3082003</StartDate>
<SSN>936-18-4524</SSN>
<Salary>140000</Salary>
<CreditCard>NA</CreditCard>
<Limit>0</Limit>
<Comments>Very dominating over Larry and Curly</Comments>
<DisciplinaryExplanation>Hit Curly over head</DisciplinaryExplanation>
<DisciplinaryDate>101013</DisciplinaryDate>
<Managers>
<Manager>102</Manager>
</Managers>
</Employee>
<Employee>
<UserID>103</UserID>
<FirstName>Curly</FirstName>
<LastName>Stooge</LastName>
<Street>1112 Crusoe Lane</Street>
<CS>New York, NY</CS>
<Phone>410-667-6654</Phone>
<StartDate>2122001</StartDate>
<SSN>961-08-0047</SSN>
<Salary>50000</Salary>
<CreditCard>NA</CreditCard>
<Limit>0</Limit>
<Comments>Owes three-thousand to company for fradulent purchases</Comments>
<DisciplinaryExplanation>Hit Moe back</DisciplinaryExplanation>
<DisciplinaryDate>101014</DisciplinaryDate>
<Managers>
<Manager>102</Manager>
</Managers>
</Employee>
<Employee>
<UserID>104</UserID>
<FirstName>Eric</FirstName>
<LastName>Walker</LastName>
<Street>1160 Prescott Rd</Street>
<CS>New York, NY</CS>
<Phone>410-887-1193</Phone>
<StartDate>12152005</StartDate>
<SSN>445-66-5565</SSN>
<Salary>13000</Salary>
<CreditCard>NA</CreditCard>
<Limit>0</Limit>
<Comments>Late. Always needs help. Too intern-ish.</Comments>
<DisciplinaryExplanation>Bothering Larry about webgoat problems</DisciplinaryExplanation>
<DisciplinaryDate>101013</DisciplinaryDate>
<Managers>
<Manager>102</Manager>
</Managers>
</Employee>
<Employee>
<UserID>105</UserID>
<FirstName>Tom</FirstName>
<LastName>Cat</LastName>
<Street>2211 HyperThread Rd.</Street>
<CS>New York, NY</CS>
<Phone>443-599-0762</Phone>
<StartDate>1011999</StartDate>
<SSN>792-14-6364</SSN>
<Salary>80000</Salary>
<CreditCard>5481360857968521</CreditCard>
<Limit>30000</Limit>
<Comments>Co-Owner.</Comments>
<DisciplinaryExplanation>NA</DisciplinaryExplanation>
<DisciplinaryDate>0</DisciplinaryDate>
<Managers>
<Manager>102</Manager>
</Managers>
</Employee>
<Employee>
<UserID>106</UserID>
<FirstName>Jerry</FirstName>
<LastName>Mouse</LastName>
<Street>3011 Unix Drive</Street>
<CS>New York, NY</CS>
<Phone>443-699-3366</Phone>
<StartDate>1011999</StartDate>
<SSN>858-55-4452</SSN>
<Salary>70000</Salary>
<CreditCard>6981754825013564</CreditCard>
<Limit>20000</Limit>
<Comments>Co-Owner.</Comments>
<DisciplinaryExplanation>NA</DisciplinaryExplanation>
<DisciplinaryDate>0</DisciplinaryDate>
<Managers>
<Manager>102</Manager>
</Managers>
</Employee>
<Employee>
<UserID>107</UserID>
<FirstName>David</FirstName>
<LastName>Giambi</LastName>
<Street>5132 DIMM Avenue</Street>
<CS>New York, NY</CS>
<Phone>610-521-8413</Phone>
<StartDate>5011999</StartDate>
<SSN>439-20-9405</SSN>
<Salary>100000</Salary>
<CreditCard>6981754825018101</CreditCard>
<Limit>10000</Limit>
<Comments>Strong work habbit. Questionable ethics.</Comments>
<DisciplinaryExplanation>Hacked into accounting server. Modified personal pay.</DisciplinaryExplanation>
<DisciplinaryDate>61402</DisciplinaryDate>
<Managers>
<Manager>102</Manager>
</Managers>
</Employee>
<Employee>
<UserID>108</UserID>
<FirstName>Bruce</FirstName>
<LastName>McGuirre</LastName>
<Street>8899 FreeBSD Drive&lt;script&gt;alert(document.cookie)&lt;/script&gt; </Street>
<CS>New York, NY</CS>
<Phone>610-282-1103</Phone>
<StartDate>3012000</StartDate>
<SSN>707-95-9482</SSN>
<Salary>110000</Salary>
<CreditCard>6981754825854136</CreditCard>
<Limit>30000</Limit>
<Comments>Enjoys watching others struggle in exercises.</Comments>
<DisciplinaryExplanation>Tortuous Boot Camp workout at 5am. Employees felt sick.</DisciplinaryExplanation>
<DisciplinaryDate>61502</DisciplinaryDate>
<Managers>
<Manager>102</Manager>
</Managers>
</Employee>
<Employee>
<UserID>109</UserID>
<FirstName>Sean</FirstName>
<LastName>Livingston</LastName>
<Street>6422 dFlyBSD Road</Street>
<CS>New York, NY</CS>
<Phone>610-878-9549</Phone>
<StartDate>6012003</StartDate>
<SSN>136-55-1046</SSN>
<Salary>130000</Salary>
<CreditCard>6981754825014510</CreditCard>
<Limit>5000</Limit>
<Comments>Has some fascination with Steelers. Go Ravens.</Comments>
<DisciplinaryExplanation>Late to work 30 days in row due to excessive Halo 2</DisciplinaryExplanation>
<DisciplinaryDate>72804</DisciplinaryDate>
<Managers>
<Manager>102</Manager>
</Managers>
</Employee>
<Employee>
<UserID>110</UserID>
<FirstName>Joanne</FirstName>
<LastName>McDougal</LastName>
<Street>5567 Broadband Lane</Street>
<CS>New York, NY</CS>
<Phone>610-213-6341</Phone>
<StartDate>1012001</StartDate>
<SSN>789-54-2413</SSN>
<Salary>90000</Salary>
<CreditCard>6981754825081054</CreditCard>
<Limit>300</Limit>
<Comments>Finds it necessary to leave early every day.</Comments>
<DisciplinaryExplanation>Used company cc to purchase new car. Limit adjusted.</DisciplinaryExplanation>
<DisciplinaryDate>112005</DisciplinaryDate>
<Managers>
<Manager>102</Manager>
</Managers>
</Employee>
<Employee>
<UserID>111</UserID>
<FirstName>John</FirstName>
<LastName>Wayne</LastName>
<Street>129 Third St</Street>
<CS>New York, NY</CS>
<Phone>610-213-1134</Phone>
<StartDate>1012001</StartDate>
<SSN>129-69-4572</SSN>
<Salary>200000</Salary>
<CreditCard>4437334565679921</CreditCard>
<Limit>300</Limit>
<Comments></Comments>
<DisciplinaryExplanation></DisciplinaryExplanation>
<DisciplinaryDate>112005</DisciplinaryDate>
<Managers>
<Manager>102</Manager>
</Managers>
</Employee>
<Employee>
<UserID>112</UserID>
<FirstName>Neville</FirstName>
<LastName>Bartholomew</LastName>
<Street>1 Corporate Headquarters</Street>
<CS>San Jose, CA</CS>
<Phone>408-587-0024</Phone>
<StartDate>3012000</StartDate>
<SSN>111-111-1111</SSN>
<Salary>450000</Salary>
<CreditCard>4803389267684109</CreditCard>
<Limit>300</Limit>
<Comments></Comments>
<DisciplinaryExplanation></DisciplinaryExplanation>
<DisciplinaryDate>112005</DisciplinaryDate>
</Employee>
</Employees>

37
webgoat/main/project/WebContent/lessons/Ajax/eval.jsp Normal file
View File

@ -0,0 +1,37 @@
<%@ page language="java" contentType="text/html; charset=ISO-8859-1" import="java.util.regex.*" import="org.owasp.webgoat.lessons.DangerousEval"
pageEncoding="ISO-8859-1"%>
<%
String action = request.getParameter("action");
String field1 = request.getParameter("field1");
String field2 = request.getParameter("field2");
String regex1 = "^[0-9]{3}$";// any three digits
Pattern pattern1 = Pattern.compile(regex1);
if(action == null) action = "Purchase";
if(field1 == null) field1 = "123";
if(field2 == null) field2 = "-1";
/** For security reasons, we remove all '<' and '>' characters to prevent XSS **/
field1.replaceAll("<", "");
field1.replaceAll(">", "");
field2.replaceAll("<", "");
field2.replaceAll(">", "");
if("Purchase".equals(action))
{
if(!pattern1.matcher(field1).matches())
{
/** If they supplied the right attack, pass them **/
if(field1.indexOf("');") != -1 && field1.indexOf("alert") != -1 && field1.indexOf("document.cookie") != -1)
{
session.setAttribute(DangerousEval.PASSED, "true");
}
out.write("alert('Whoops: You entered an incorrect access code of \"" + field1 + "\"');");
}
else
{
out.write("alert('Purchase completed successfully with credit card \"" + field2 + "\" and access code \"" + field1 + "\"');");
}
}
%>

BIN
webgoat/main/project/WebContent/lessons/Ajax/images/lesson1_header.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 44 KiB

BIN
webgoat/main/project/WebContent/lessons/Ajax/images/lesson1_workspace.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 23 KiB

111
webgoat/main/project/WebContent/lessons/Ajax/instructor/clientSideFiltering_i.jsp Normal file
View File

@ -0,0 +1,111 @@
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<%@ page import="java.io.*, javax.xml.xpath.*, org.xml.sax.InputSource,org.w3c.dom.*,org.apache.ecs.html.* " %>
<%
String userId = request.getParameter("userId");
NodeList nodes = null;
File d = new File(this.getServletContext().getRealPath("lessons/Ajax/employees.xml"));
if(d.exists()){
System.out.print("File does exist");
}
else{
System.out.print("File DOES NOT exist");
}
System.out.println(d.getAbsolutePath());
XPathFactory factory = XPathFactory.newInstance();
XPath xPath = factory.newXPath();
InputSource inputSource = new InputSource(new FileInputStream(d));
StringBuffer sb = new StringBuffer();
sb.append("/Employees/Employee [Managers/Manager/text()='" + userId + "']/UserID | ");
sb.append("/Employees/Employee [Managers/Manager/text()='" + userId + "']/FirstName | ");
sb.append("/Employees/Employee [Managers/Manager/text()='" + userId + "']/LastName | ");
sb.append("/Employees/Employee [Managers/Manager/text()='" + userId + "']/SSN | ");
sb.append("/Employees/Employee [Managers/Manager/text()='" + userId + "']/Salary ");
String expression = sb.toString();
nodes = (NodeList) xPath.evaluate(expression, inputSource,
XPathConstants.NODESET);
int nodesLength = nodes.getLength();
System.out.println("nodesLength:" + nodesLength);
TR tr;
int COLUMNS = 5;
Table t2 = null;
if (nodesLength > 0)
{
t2 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(
1).setWidth("90%").setAlign("center");
tr = new TR();
tr.addElement(new TD().addElement("UserID"));
tr.addElement(new TD().addElement("First Name"));
tr.addElement(new TD().addElement("Last Name"));
tr.addElement(new TD().addElement("SSN"));
tr.addElement(new TD().addElement("Salary"));
t2.addElement(tr);
}
tr = new TR();
for (int i = 0; i < nodesLength; i++)
{
Node node = nodes.item(i);
if(i%COLUMNS==0){
tr = new TR();
tr.setID(node.getTextContent());
//tr.setStyle("display: none");
}
tr.addElement(new TD().addElement(node.getTextContent()));
if(i%COLUMNS==(COLUMNS-1)){
t2.addElement(tr);
}
}
if(t2 != null){
out.println(t2.toString());
}
else{
out.println("No Results");
}
%>