A first attempt at internationalization of WebGoat. For complete internationalization WebGoat needs two things:

1. Every text passage/label that appears in lessons must independent of the current language set for WebGoat.
2. Every lesson plan and solutions must be translated for each supported language.
Number 1 is achieved by using webgoat/util/WebgoatI18N.java and by having every output routed through this piece of code. You no longer say hints.add("Lesson Hint 1"); or ....addElement("Shopping Cart")) but you in the lesson you say hints.add(WebGoatI18N.get("Lesson Hint1")) or ....addElement(WebGoatI18N.get("Shopping Cart"). Then WebGoatI18N looks up the corresponding string for the language set as the current lanuage and returns it.
Number 2 is achieved by having subdirectories in lesson_plans corresponding to every language. That means, a lesson that has been translated to Spanish and German will be found in lesson_plans/English and lesson_plans/Spanish and lesson_plans/German.

This is how WebGoat finds out about available languages: in Course.java in loadResources() it looks for lesson plans.
Unlike before, now a lesson plan can be found multiple times in different "language" directories. So for every directory the lesson plan is found in, WebGoat associates this language with the lesson and also lets WebGoatI18N load the appropriate WebGoatLabels_$LANGAUGE$.properties file which contains the translations of labels.
So this is what you have to do for a new language:
First of all, you have to copy and translate every lesson plan that you need in the new language, and then you also have to create a WebGoatLabels_$LANGUAGE$.properties file with the labels that will be used in these lessons. At the moment WebGoat throws an exception when a label is missing, but this can be sorted out quickly.

git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@389 4033779f-a91e-0410-96ef-6bf7bf53c507
mjawurek
2009-10-26 15:58:15 +00:00
parent 59abed1dde
commit 1dc6c799a7
104 changed files with 1223 additions and 488 deletions


@ -10,7 +10,11 @@ import java.net.URL;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
@ -26,6 +30,8 @@ import org.owasp.webgoat.session.Screen;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.session.WebgoatContext;
import org.owasp.webgoat.session.WebgoatProperties;
import org.owasp.webgoat.util.WebGoatI18N;
/***************************************************************************************************
@ -95,12 +101,16 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
private String sourceFileName;
private String lessonPlanFileName;
private Map<String,String> lessonPlanFileName = new HashMap<String,String>();
private String lessonSolutionFileName;
private WebgoatContext webgoatContext;
private LinkedList<String> availableLanguages = new LinkedList<String>();
private String defaultLanguage = "English";
/**
* Constructor for the Lesson object
*/
@ -392,22 +402,29 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
*/
public String getLessonPlan(WebSession s)
{
String src = null;
StringBuffer src = new StringBuffer();
String lang = s.getCurrrentLanguage();
try
{
// System.out.println("Loading lesson plan file: " +
// getLessonPlanFileName());
src = readFromFile(new BufferedReader(new FileReader(s.getWebResource(getLessonPlanFileName()))), false);
String filename = getLessonPlanFileName(lang);
if(filename==null){
filename = getLessonPlanFileName(getDefaultLanguage());
}
src.append(readFromFile(new BufferedReader(new FileReader(s.getWebResource(filename))), false));
} catch (Exception e)
{
// s.setMessage( "Could not find lesson plan for " +
// getLessonName());
src = ("Could not find lesson plan for: " + getLessonName());
src = new StringBuffer("Could not find lesson plan for: " + getLessonName()+" and language "+lang);
}
return src;
return src.toString();
}
/**
@ -774,16 +791,27 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
return getTitle();
}
public String getLessonPlanFileName()
public String getDefaultLanguage(){
return this.defaultLanguage;
}
public String getLessonPlanFileName(String lang)
{
return lessonPlanFileName;
String ret = lessonPlanFileName.get(lang);
if(ret==null) ret = lessonPlanFileName.get(getDefaultLanguage());
return ret;
}
public void setLessonPlanFileName(String lessonPlanFileName)
public void setLessonPlanFileName(String lang, String lessonPlanFileName)
{
this.lessonPlanFileName = lessonPlanFileName;
this.lessonPlanFileName.put(lang,lessonPlanFileName);
this.availableLanguages.add(lang);
}
public List<String> getAvailableLanguages(){
return this.availableLanguages;
}
public String getLessonSolutionFileName()
{
return lessonSolutionFileName;
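Review bot: The failure message built in the catch block of getLessonPlan embeds `lang` verbatim in the string that is returned as lesson-plan HTML, so if getCurrrentLanguage() is ever populated from a request parameter this becomes a reflected-HTML sink, whereas the old message only echoed the lesson name; drop `lang` from the returned text (log it server-side instead) or HTML-encode it before concatenation. The null fallback `if(filename==null){ filename = getLessonPlanFileName(getDefaultLanguage()); }` is redundant, because the new getLessonPlanFileName(String) already falls back to getDefaultLanguage() when the map has no entry, so `String filename = getLessonPlanFileName(lang);` alone is sufficient. In setLessonPlanFileName the `put` overwrites the map entry but `this.availableLanguages.add(lang)` appends on every call, so registering a language twice produces duplicates; `if (!availableLanguages.contains(lang)) availableLanguages.add(lang);` keeps the list a set. getAvailableLanguages also hands out the internal mutable LinkedList, so callers can alter lesson state; return `Collections.unmodifiableList(this.availableLanguages)` (java.util.Collections) instead.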


@ -13,6 +13,7 @@ import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/***************************************************************************************************
@ -101,12 +102,12 @@ public class BasicAuthentication extends SequentialLessonAdapter
{
if (headerName.length() > 0 && !headerName.equalsIgnoreCase(AUTHORIZATION))
{
s.setMessage("Basic Authentication header name is incorrect.");
s.setMessage(WebGoatI18N.get("BasicAuthHeaderNameIncorrect"));
}
if (headerValue.length() > 0
&& !(headerValue.equals("guest:guest") || headerValue.equals("webgoat:webgoat")))
{
s.setMessage("Basic Authentication header value is incorrect.");
s.setMessage(WebGoatI18N.get("BasicAuthHeaderValueIncorrect"));
}
}
@ -120,8 +121,8 @@ public class BasicAuthentication extends SequentialLessonAdapter
TR row1 = new TR();
TR row2 = new TR();
row1.addElement(new TD(new StringElement("What is the name of the authentication header: ")));
row2.addElement(new TD(new StringElement("What is the decoded value of the authentication header: ")));
row1.addElement(new TD(new StringElement(WebGoatI18N.get("BasicAuthenticationWhatIsNameOfHeader"))));
row2.addElement(new TD(new StringElement(WebGoatI18N.get("BasicAuthenticationWhatIsDecodedValueOfHeader"))));
row1.addElement(new TD(new Input(Input.TEXT, HEADER_NAME, headerName.toString())));
row2.addElement(new TD(new Input(Input.TEXT, HEADER_VALUE, headerValue.toString())));
@ -132,7 +133,7 @@ public class BasicAuthentication extends SequentialLessonAdapter
ec.addElement(t);
ec.addElement(new P());
Element b = ECSFactory.makeButton("Submit");
Element b = ECSFactory.makeButton(WebGoatI18N.get("Submit"));
ec.addElement(b);
} catch (Exception e)
@ -158,7 +159,7 @@ public class BasicAuthentication extends SequentialLessonAdapter
getLessonTracker(s, originalUser).setStage(1);
getLessonTracker(s, originalUser).store(s, this);
makeSuccess(s);
s.setMessage("Close your browser and login as " + originalUser + " to get your green stars back.");
s.setMessage(WebGoatI18N.get("BasicAuthenticiationGreenStars1")+ originalUser + WebGoatI18N.get("BasicAuthenticationGreenStars2"));
return ec;
}
else
@ -184,11 +185,7 @@ public class BasicAuthentication extends SequentialLessonAdapter
getLessonTracker(s, BASIC).store(s, this, BASIC);
}
s.setMessage("Congratulations, you have figured out the mechanics of basic authentication.");
s.setMessage("&nbsp;&nbsp;- Now you must try to make WebGoat reauthenticate you as: ");
s.setMessage("&nbsp;&nbsp;&nbsp;&nbsp;- username: basic");
s.setMessage("&nbsp;&nbsp;&nbsp;&nbsp;- password: basic");
s.setMessage("Use the Basic Authentication Menu to start at login page.");
s.setMessage(WebGoatI18N.get("BasicAuthenticationStage1Completed"));
// If the auth header is different but still the original user - tell the user
// that the original cookie was posted bak and basic auth uses the cookie before the
@ -196,32 +193,28 @@ public class BasicAuthentication extends SequentialLessonAdapter
if (!originalAuth.equals("") && !originalAuth.equals(s.getHeader(AUTHORIZATION)))
{
ec
.addElement("You're almost there! You've modified the "
.addElement(WebGoatI18N.get("BasicAuthenticationAlmostThere1")
+ AUTHORIZATION
+ " header but you are "
+ "still logged in as "
+ WebGoatI18N.get("BasicAuthenticationAlmostThere2")
+ s.getUserName()
+ ". Look at the request after you typed in the 'basic' "
+ "user credentials and submitted the request. Remember the order of events that occur during Basic Authentication.");
+ WebGoatI18N.get("BasicAuthenticationAlmostThere3"));
}
else if (!originalSessionId.equals(s.getCookie(JSESSIONID)))
{
ec
.addElement("You're really close! Changing the session cookie caused the server to create a new session for you. This did not cause the server to reauthenticate you. "
+ "When you figure out how to force the server to perform an authentication request, you have to authenticate as:<br><br>"
+ "&nbsp;&nbsp;&nbsp;&nbsp;user name: basic<br> "
+ "&nbsp;&nbsp;&nbsp;&nbsp;password: basic<br>");
.addElement(WebGoatI18N.get("BasicAuthenticationReallyClose"));
}
else
{
ec.addElement("Use the hints! One at a time...");
ec.addElement(WebGoatI18N.get("BasicAuthenticationUseTheHints"));
}
}
} catch (Exception e)
{
s.setMessage("Error generating " + this.getClass().getName());
s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName());
e.printStackTrace();
}
@ -252,22 +245,19 @@ public class BasicAuthentication extends SequentialLessonAdapter
// switch ( stage )
// {
// case 1:
hints.add("Basic authentication uses a cookie to pass the credentials. "
+ "Use a proxy to intercept the request. Look at the cookies.");
hints.add("Basic authentication uses Base64 encoding to 'scramble' the " + "user's login credentials.");
hints.add("Basic authentication uses 'Authorization' as the cookie name to " + "store the user's credentials.");
hints.add("Use WebScarab -> Tools -> Transcoder to Base64 decode the "
+ "the value in the Authorization cookie.");
hints.add(WebGoatI18N.get("BasicAuthenticationHint1"));
hints.add(WebGoatI18N.get("BasicAuthenticationHint2"));
hints.add(WebGoatI18N.get("BasicAuthenticationHint3"));
hints.add(WebGoatI18N.get("BasicAuthenticationHint4"));
// break;
// case 2:
hints.add("Basic authentication uses a cookie to pass the credentials. "
+ "Use a proxy to intercept the request. Look at the cookies.");
hints.add("Before the WebServer requests credentials from the client, the current "
+ "session is checked for validitity.");
hints.add("If the session is invalid the webserver will use the basic authentication credentials");
hints.add("If the session is invalid and the basic authentication credentials are invalid, "
+ "new credentials will be requested from the client.");
hints.add("Intercept the request and corrupt the JSESSIONID and the Authorization header.");
hints.add(WebGoatI18N.get("BasicAuthenticationHint5"));
hints.add(WebGoatI18N.get("BasicAuthenticationHint6"));
hints.add(WebGoatI18N.get("BasicAuthenticationHint7"));
hints.add(WebGoatI18N.get("BasicAuthenticationHint8"));
hints.add(WebGoatI18N.get("BasicAuthenticationHint9"));
// break;
// }
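Review bot: The label key on the success path, `BasicAuthenticiationGreenStars1`, is spelled differently from its sibling `BasicAuthenticationGreenStars2` and from every other key in this file; since the description says a missing label currently throws, this typo will fail at runtime unless the properties file carries the same misspelling, so rename it to `BasicAuthenticationGreenStars1`. That message, and the "almost there" branch that splices AUTHORIZATION and s.getUserName() between three translated fragments (BasicAuthenticationAlmostThere1/2/3), hard-wire English word order; a single key formatted with `java.text.MessageFormat` and `{0}`/`{1}` placeholders lets translators reorder the sentence. The same fragment-concatenation shape recurs in HiddenFieldTampering (HiddenFieldTamperingHint3/Hint32) and HtmlClues (WelcomeUser, YouHaveBeenAuthenticatedWith). The enclosing methods begin and end outside the hunks shown.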


@ -16,6 +16,7 @@ import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.Exec;
import org.owasp.webgoat.util.ExecResults;
import org.owasp.webgoat.util.WebGoatI18N;
/***************************************************************************************************
@ -78,7 +79,7 @@ public class CommandInjection extends LessonAdapter
}
index = index + 1;
int helpFileLen = helpFile.length() - 1; // subtract 1 for the closing quote
System.out.println("Command = [" + helpFile.substring(index, helpFileLen).trim().toLowerCase() + "]");
System.out.println(WebGoatI18N.get("Command")+" = [" + helpFile.substring(index, helpFileLen).trim().toLowerCase() + "]");
if ((osName.indexOf("Windows") != -1 && (helpFile.substring(index, helpFileLen).trim().toLowerCase()
.equals("netstat -a")
|| helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("dir")
@ -96,9 +97,8 @@ public class CommandInjection extends LessonAdapter
}
else
{
s.setMessage("It appears that you are on the right track. "
+ "Commands that may compromise the operating system have been disabled. "
+ "The following commands are allowed: netstat -a, dir, ls, ifconfig, and ipconfig");
s.setMessage(WebGoatI18N.get("CommandInjectionRightTrack1"));
}
}
@ -114,9 +114,7 @@ public class CommandInjection extends LessonAdapter
}
else
{
s.setMessage("It appears that you are on the right track. "
+ "Commands that may compromise the operating system have been disabled. "
+ "This lesson is a command injection lesson, not access control.");
s.setMessage(WebGoatI18N.get("CommandInjectionRightTrack2"));
}
}
else
@ -125,10 +123,10 @@ public class CommandInjection extends LessonAdapter
illegalCommand = false;
}
}
File safeDir = new File(s.getContext().getRealPath("/lesson_plans"));
File safeDir = new File(s.getContext().getRealPath("/lesson_plans/English"));
ec.addElement(new StringElement("You are currently viewing: <b>"
+ (helpFile.toString().length() == 0 ? "&lt;select file from list below&gt;" : helpFile.toString())
ec.addElement(new StringElement(WebGoatI18N.get("YouAreCurrentlyViewing")+"<b>"
+ (helpFile.toString().length() == 0 ? "&lt;"+WebGoatI18N.get("SelectFileFromListBelow")+"&gt;" : helpFile.toString())
+ "</b>"));
if (!illegalCommand)
@ -153,11 +151,11 @@ public class CommandInjection extends LessonAdapter
fileData = exec(s, cmd2);
}
ec.addElement(new P().addElement("Select the lesson plan to view: "));
ec.addElement(new P().addElement(WebGoatI18N.get("SelectLessonPlanToView")));
ec.addElement(ECSFactory.makePulldown(HELP_FILE, parseResults(results.replaceAll("(?s)\\.html",
"\\.help"))));
// ec.addElement( results );
Element b = ECSFactory.makeButton("View");
Element b = ECSFactory.makeButton(WebGoatI18N.get("View"));
ec.addElement(b);
// Strip out some of the extra html from the "help" file
ec.addElement(new BR());
@ -272,27 +270,14 @@ public class CommandInjection extends LessonAdapter
protected List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add("The application is using a system command to return the contents of a file.");
hints
.add("The ampersand(&) separates commands in the Windows 2000 command shell. In Unix the separator is typically a semi-colon(;)");
hints.add("Use a proxy to insert & netstat -a on Windows or ;netstat -a on Unix.");
hints.add("Note that the server may enclose the submitted file name within quotes");
hints.add(WebGoatI18N.get("CommandInjectionHint1"));
hints.add(WebGoatI18N.get("CommandInjectionHint2"));
hints.add(WebGoatI18N.get("CommandInjectionHint3"));
hints.add(WebGoatI18N.get("CommandInjectionHint4"));
return hints;
}
/**
* Gets the instructions attribute of the ParameterInjection object
*
* @return The instructions value
*/
public String getInstructions(WebSession s)
{
String instructions = "Choose the lesson plan you would like to view. "
+ "Try to inject a command to the operating system.";
return (instructions);
}
private final static Integer DEFAULT_RANKING = new Integer(40);
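Review bot: The directory the lesson offers for viewing is now hard-coded to "/lesson_plans/English" in the safeDir assignment, so a user who selected another language is still offered and served English plans, and the allow-listed plan directory no longer follows the per-language layout this commit introduces; the same hard-coding appears in PathBasedAccessControl's `getRealPath("/lesson_plans/English")`. If the directory is later derived from the session language, that value must first be validated against getAvailableLanguages(), because it would then form part of a filesystem path rather than a map key as in AbstractLesson. Translating the server-side diagnostic `System.out.println(WebGoatI18N.get("Command")+" = [" + ...)` is also questionable, since log output should stay in one fixed language for operators and for searching; keep the literal there. The enclosing method begins and ends outside the hunks.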


@ -22,6 +22,7 @@ import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/***************************************************************************************************
@ -106,7 +107,7 @@ public class HiddenFieldTampering extends LessonAdapter
total = quantity * Float.parseFloat(price);
} catch (Exception e)
{
s.setMessage("Invaild data " + this.getClass().getName());
s.setMessage(WebGoatI18N.get("Invaild data") + this.getClass().getName());
price = PRICE_TV;
quantity = 1.0f;
total = quantity * Float.parseFloat(PRICE_TV);
@ -115,7 +116,7 @@ public class HiddenFieldTampering extends LessonAdapter
if (price.equals(PRICE_TV))
{
ec.addElement(new Center().addElement(new H1().addElement("Shopping Cart ")));
ec.addElement(new Center().addElement(new H1().addElement(WebGoatI18N.get("ShoppingCart"))));
ec.addElement(new BR());
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center");
@ -125,10 +126,10 @@ public class HiddenFieldTampering extends LessonAdapter
}
TR tr = new TR();
tr.addElement(new TH().addElement("Shopping Cart Items -- To Buy Now").setWidth("80%"));
tr.addElement(new TH().addElement("Price").setWidth("10%"));
tr.addElement(new TH().addElement("Quantity").setWidth("3%"));
tr.addElement(new TH().addElement("Total").setWidth("7%"));
tr.addElement(new TH().addElement(WebGoatI18N.get("ShoppingCartItems")).setWidth("80%"));
tr.addElement(new TH().addElement(WebGoatI18N.get("Price")).setWidth("10%"));
tr.addElement(new TH().addElement(WebGoatI18N.get("Quantity")).setWidth("3%"));
tr.addElement(new TH().addElement(WebGoatI18N.get("Total")).setWidth("7%"));
t.addElement(tr);
tr = new TR();
@ -149,10 +150,10 @@ public class HiddenFieldTampering extends LessonAdapter
ec.addElement(new BR());
tr = new TR();
tr.addElement(new TD().addElement("The total charged to your credit card:"));
tr.addElement(new TD().addElement(WebGoatI18N.get("TotalChargedCreditCard")+":"));
tr.addElement(new TD().addElement(money.format(total)));
tr.addElement(new TD().addElement(ECSFactory.makeButton("Update Cart")));
tr.addElement(new TD().addElement(ECSFactory.makeButton("Purchase", "validate()")));
tr.addElement(new TD().addElement(ECSFactory.makeButton(WebGoatI18N.get("UpdateCart"))));
tr.addElement(new TD().addElement(ECSFactory.makeButton(WebGoatI18N.get("Purchase"), "validate()")));
t.addElement(tr);
ec.addElement(t);
@ -169,10 +170,10 @@ public class HiddenFieldTampering extends LessonAdapter
makeSuccess(s);
}
ec.addElement(new P().addElement("Your total price is:"));
ec.addElement(new P().addElement(WebGoatI18N.get("TotalPriceIs")+":"));
ec.addElement(new B("$" + total));
ec.addElement(new BR());
ec.addElement(new P().addElement("This amount will be charged to your credit card immediately."));
ec.addElement(new P().addElement(WebGoatI18N.get("ThisAmountCharged")));
}
return (ec);
@ -196,26 +197,15 @@ public class HiddenFieldTampering extends LessonAdapter
protected List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add("This application is using hidden fields to transmit price information to the server.");
hints.add("Use a program to intercept and change the value in the hidden field.");
hints
.add("Use <A href=\"http://www.owasp.org/development/webscarab\">WebScarab</A> to change the price of the TV from "
+ PRICE_TV + " to " + PRICE_TV_HACKED + ".");
hints.add(WebGoatI18N.get("HiddenFieldTamperingHint1"));
hints.add(WebGoatI18N.get("HiddenFieldTamperingHint2"));
hints.add(WebGoatI18N.get("HiddenFieldTamperingHint3")+ PRICE_TV +WebGoatI18N.get("HiddenFieldTamperingHint32") + PRICE_TV_HACKED );
return hints;
}
/**
* Gets the instructions attribute of the HiddenFieldTampering object
*
* @return The instructions value
*/
public String getInstructions(WebSession s)
{
String instructions = "Try to purchase the HDTV for less than the purchase price, if you have not done so already.";
return (instructions);
}
private final static Integer DEFAULT_RANKING = new Integer(50);
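Review bot: The key `"Invaild data"` in the catch block carries the original typo and contains a space, unlike every other key in this commit, which is a CamelCase identifier; if the labels file is a standard .properties file an unescaped space terminates the key, so this lookup is likely to miss and (per the description) throw — use `WebGoatI18N.get("InvalidData")`. HttpBasics introduces a similar non-identifier key with `WebGoatI18N.get("Go!")`. Punctuation is also appended outside the translated text here (`WebGoatI18N.get("TotalChargedCreditCard")+":"`, `WebGoatI18N.get("TotalPriceIs")+":"`), which cannot be localized for languages that space or shape punctuation differently; the same pattern recurs in HtmlClues, HttpBasics and LogSpoofing, so the colon belongs inside the label value. The enclosing methods begin and end outside the hunks shown.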


@ -19,6 +19,7 @@ import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/***************************************************************************************************
@ -107,7 +108,7 @@ public class HtmlClues extends LessonAdapter
{
makeSuccess(s);
s.setMessage("BINGO -- admin authenticated");
s.setMessage(WebGoatI18N.get("HtmlCluesBINGO"));
ec.addElement(makeUser(s, "admin", "CREDENTIALS"));
}
else
@ -138,8 +139,8 @@ public class HtmlClues extends LessonAdapter
protected Element makeUser(WebSession s, String user, String method) throws Exception
{
ElementContainer ec = new ElementContainer();
ec.addElement(new P().addElement("Welcome, " + user));
ec.addElement(new P().addElement("You have been authenticated with " + method));
ec.addElement(new P().addElement(WebGoatI18N.get("WelcomeUser")+ user));
ec.addElement(new P().addElement(WebGoatI18N.get("YouHaveBeenAuthenticatedWith") + method));
return (ec);
}
@ -158,12 +159,12 @@ public class HtmlClues extends LessonAdapter
TR tr = new TR();
tr.addElement(new TH()
.addElement("Please sign in to your account. See the OWASP admin if you do not have an account.")
.addElement(WebGoatI18N.get("WeakAuthenticationCookiePleaseSignIn"))
.setColSpan(2).setAlign("left"));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("*Required Fields").setWidth("30%"));
tr.addElement(new TD().addElement("*"+WebGoatI18N.get("RequiredFields")).setWidth("30%"));
t.addElement(tr);
tr = new TR();
@ -172,8 +173,8 @@ public class HtmlClues extends LessonAdapter
TR row1 = new TR();
TR row2 = new TR();
row1.addElement(new TD(new B(new StringElement("*User Name: "))));
row2.addElement(new TD(new B(new StringElement("*Password: "))));
row1.addElement(new TD(new B(new StringElement("*"+WebGoatI18N.get("UserName")+": "))));
row2.addElement(new TD(new B(new StringElement("*"+WebGoatI18N.get("Password")+": "))));
Input input1 = new Input(Input.TEXT, USERNAME, "");
Input input2 = new Input(Input.PASSWORD, PASSWORD, "");
@ -182,7 +183,7 @@ public class HtmlClues extends LessonAdapter
t.addElement(row1);
t.addElement(row2);
Element b = ECSFactory.makeButton("Login");
Element b = ECSFactory.makeButton(WebGoatI18N.get("Login"));
t.addElement(new TR(new TD(b)));
ec.addElement(t);
@ -197,24 +198,14 @@ public class HtmlClues extends LessonAdapter
protected List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add("You can view the HTML source by selecting 'view source' in the browser menu.");
hints.add("There are lots of clues in the HTML");
hints.add("Search for the word HIDDEN, look at URLs, look for comments.");
hints.add(WebGoatI18N.get("HtmlCluesHint1"));
hints.add(WebGoatI18N.get("HtmlCluesHint2"));
hints.add(WebGoatI18N.get("HtmlCluesHint3"));
return hints;
}
/**
* Gets the instructions attribute of the HtmlClues object
*
* @return The instructions value
*/
public String getInstructions(WebSession s)
{
String instructions = "Below is an example of a forms based authentication form. Look for clues to help you log in.";
return (instructions);
}
private final static Integer DEFAULT_RANKING = new Integer(30);
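Review bot: The sign-in prompt in HtmlClues now reads the key `WeakAuthenticationCookiePleaseSignIn`, which is named for a different lesson; sharing a lesson-specific key couples the copy of two screens, so when the cookie lesson's text is edited this form changes with it, and translators get no hint that both use it. Use a lesson-neutral key such as `WebGoatI18N.get("PleaseSignIn")`, or an HtmlClues-specific one. Reusing genuinely common labels (`Login`, `Password`, `UserName`) across lessons is fine; the problem is only the lesson-specific name. The enclosing method begins and ends outside the hunk.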


@ -9,6 +9,7 @@ import org.apache.ecs.StringElement;
import org.apache.ecs.html.Input;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/***************************************************************************************************
@ -59,7 +60,7 @@ public class HttpBasics extends LessonAdapter
StringBuffer person = null;
try
{
ec.addElement(new StringElement("Enter your name: "));
ec.addElement(new StringElement(WebGoatI18N.get("EnterYourName")+": "));
person = new StringBuffer(s.getParser().getStringParameter(PERSON, ""));
person.reverse();
@ -67,7 +68,7 @@ public class HttpBasics extends LessonAdapter
Input input = new Input(Input.TEXT, PERSON, person.toString());
ec.addElement(input);
Element b = ECSFactory.makeButton("Go!");
Element b = ECSFactory.makeButton(WebGoatI18N.get("Go!"));
ec.addElement(b);
} catch (Exception e)
{


@ -14,6 +14,7 @@ import org.apache.ecs.html.Input;
import org.apache.ecs.html.P;
import org.apache.ecs.html.TextArea;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/***************************************************************************************************
@ -124,28 +125,28 @@ public class JavaScriptValidation extends LessonAdapter
b.setType(Input.BUTTON);
b.setValue("Submit");
b.addAttribute("onclick", "validate();");
ec.addElement(new Div().addElement(new StringElement("Field1: exactly three lowercase characters ("
ec.addElement(new Div().addElement(new StringElement(WebGoatI18N.get("3LowerCase")+"("
+ regex1 + ")")));
ec.addElement(new Div().addElement(input1));
ec.addElement(new P());
ec.addElement(new Div().addElement(new StringElement("Field2: exactly three digits (" + regex2 + ")")));
ec.addElement(new Div().addElement(new StringElement(WebGoatI18N.get("Exactly3Digits")+"(" + regex2 + ")")));
ec.addElement(new Div().addElement(input2));
ec.addElement(new P());
ec.addElement(new Div().addElement(new StringElement("Field3: letters, numbers, and space only (" + regex3
ec.addElement(new Div().addElement(new StringElement(WebGoatI18N.get("LettersNumbersSpaceOnly")+"(" + regex3
+ ")")));
ec.addElement(new Div().addElement(input3));
ec.addElement(new P());
ec.addElement(new Div().addElement(new StringElement("Field4: enumeration of numbers (" + regex4 + ")")));
ec.addElement(new Div().addElement(new StringElement(WebGoatI18N.get("EnumerationOfNumbers")+" (" + regex4 + ")")));
ec.addElement(new Div().addElement(input4));
ec.addElement(new P());
ec.addElement(new Div().addElement(new StringElement("Field5: simple zip code (" + regex5 + ")")));
ec.addElement(new Div().addElement(new StringElement(WebGoatI18N.get("SimpleZipCode")+ " (" + regex5 + ")")));
ec.addElement(new Div().addElement(input5));
ec.addElement(new P());
ec.addElement(new Div()
.addElement(new StringElement("Field6: zip with optional dash four (" + regex6 + ")")));
.addElement(new StringElement(WebGoatI18N.get("ZIPDashFour")+" (" + regex6 + ")")));
ec.addElement(new Div().addElement(input6));
ec.addElement(new P());
ec.addElement(new Div().addElement(new StringElement("Field7: US phone number with or without dashes ("
ec.addElement(new Div().addElement(new StringElement(WebGoatI18N.get("USPhoneNumber")+ " ("
+ regex7 + ")")));
ec.addElement(new Div().addElement(input7));
ec.addElement(new P());
@ -160,43 +161,43 @@ public class JavaScriptValidation extends LessonAdapter
if (!pattern1.matcher(param1).matches())
{
err++;
msg += "<BR>Server side validation violation: You succeeded for Field1.";
msg += "<BR>"+WebGoatI18N.get("ServerSideValidationViolation")+" Field1.";
}
if (!pattern2.matcher(param2).matches())
{
err++;
msg += "<BR>Server side validation violation: You succeeded for Field2.";
msg += "<BR>"+WebGoatI18N.get("ServerSideValidationViolation")+" Field2.";
}
if (!pattern3.matcher(param3).matches())
{
err++;
msg += "<BR>Server side validation violation: You succeeded for Field3.";
msg += "<BR>"+WebGoatI18N.get("ServerSideValidationViolation")+"Field3.";
}
if (!pattern4.matcher(param4).matches())
{
err++;
msg += "<BR>Server side validation violation: You succeeded for Field4.";
msg += "<BR>"+WebGoatI18N.get("ServerSideValidationViolation")+"Field4.";
}
if (!pattern5.matcher(param5).matches())
{
err++;
msg += "<BR>Server side validation violation: You succeeded for Field5.";
msg += "<BR>"+WebGoatI18N.get("ServerSideValidationViolation")+"Field5.";
}
if (!pattern6.matcher(param6).matches())
{
err++;
msg += "<BR>Server side validation violation: You succeeded for Field6.";
msg += "<BR>"+WebGoatI18N.get("ServerSideValidationViolation")+"Field6.";
}
if (!pattern7.matcher(param7).matches())
{
err++;
msg += "<BR>Server side validation violation: You succeeded for Field7.";
msg += "<BR>"+WebGoatI18N.get("ServerSideValidationViolation")+"Field7.";
}
if (err > 0)
@ -212,7 +213,7 @@ public class JavaScriptValidation extends LessonAdapter
catch (Exception e)
{
s.setMessage("Error generating " + this.getClass().getName());
s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName());
e.printStackTrace();
}
@ -237,27 +238,14 @@ public class JavaScriptValidation extends LessonAdapter
protected List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add("The validation is happening in your browser.");
hints.add("Try modifying the values with a proxy after they leave your browser");
hints.add("Another way is to delete the JavaScript before you view the page.");
hints.add(WebGoatI18N.get("JavaScriptValidationHint1"));
hints.add(WebGoatI18N.get("JavaScriptValidationHint2"));
hints.add(WebGoatI18N.get("JavaScriptValidationHint3"));
return hints;
}
/**
* Gets the instructions attribute of the WeakAccessControl object
*
* @return The instructions value
*/
public String getInstructions(WebSession s)
{
String instructions = "This website performs both client and server side validation. "
+ "For this exercise, your job is to break the client side validation and send the "
+ " website input that it wasn't expecting."
+ "<b> You must break all 7 validators at the same time. </b>";
return (instructions);
}
private final static Integer DEFAULT_RANKING = new Integer(120);
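Review bot: The seven server-side violation messages are assembled inconsistently: the Field1 and Field2 branches append `" Field1."` with a leading space, while Field3 through Field7 append `"Field3."` with none, so for those fields the translated label runs straight into the field name (the replaced literals all had the space). The `b.setValue("Submit")` context line in the first hunk is also still an English literal while BasicAuthentication already uses `WebGoatI18N.get("Submit")` for its button. Replacing the seven near-identical blocks with a loop over arrays of the pattern/param pairs puts the spacing in one place and removes the copy-paste risk; this assumes the patternN locals are java.util.regex.Pattern, which their `.matcher(...).matches()` use suggests but the hunk does not show. Both enclosing methods begin and end outside the hunks.
```java
Pattern[] patterns = { pattern1, pattern2, pattern3, pattern4, pattern5, pattern6, pattern7 };
String[] params = { param1, param2, param3, param4, param5, param6, param7 };
for (int i = 0; i < patterns.length; i++)
{
    if (!patterns[i].matcher(params[i]).matches())
    {
        err++;
        msg += "<BR>" + WebGoatI18N.get("ServerSideValidationViolation") + " Field" + (i + 1) + ".";
    }
}
// … unchanged: err > 0 handling …
```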


@ -16,6 +16,7 @@ import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/***************************************************************************************************
@ -165,9 +166,10 @@ public abstract class LessonAdapter extends AbstractLesson
public String getInstructions(WebSession s)
{
StringBuffer buff = new StringBuffer();
String lang = s.getCurrrentLanguage();
try
{
String fileName = s.getWebResource(getLessonPlanFileName());
String fileName = s.getWebResource(getLessonPlanFileName(lang));
if (fileName != null)
{
BufferedReader in = new BufferedReader(new FileReader(fileName));
@ -241,7 +243,7 @@ public abstract class LessonAdapter extends AbstractLesson
{
getLessonTracker(s).setCompleted(true);
s.setMessage("Congratulations. You have successfully completed this lesson.");
s.setMessage(WebGoatI18N.get("LessonCompleted"));
return (null);
}
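Review bot: getInstructions passes the result of getLessonPlanFileName(lang) straight into s.getWebResource before the `fileName != null` check; with the new map-backed lookup that result is null when neither the requested nor the default language has a plan, and whether getWebResource tolerates a null argument is not visible here. Resolve the plan first and keep the existing null branch for both cases: `String planFile = getLessonPlanFileName(lang); String fileName = planFile == null ? null : s.getWebResource(planFile);`. The method continues outside the hunk, so whether the BufferedReader opened on the following line is closed cannot be checked from this excerpt.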


@ -17,6 +17,7 @@ import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/***************************************************************************************************
@ -73,15 +74,15 @@ public class LogSpoofing extends LessonAdapter
TR row2 = new TR();
TR row3 = new TR();
row1.addElement(new TD(new StringElement("Username: ")));
row1.addElement(new TD(new StringElement(WebGoatI18N.get("UserName")+":")));
Input username = new Input(Input.TEXT, USERNAME, "");
row1.addElement(new TD(username));
row2.addElement(new TD(new StringElement("Password: ")));
row2.addElement(new TD(new StringElement(WebGoatI18N.get("Password")+": ")));
Input password = new Input(Input.PASSWORD, PASSWORD, "");
row2.addElement(new TD(password));
Element b = ECSFactory.makeButton("Login");
Element b = ECSFactory.makeButton(WebGoatI18N.get("Login"));
row3.addElement(new TD(new StringElement("&nbsp; ")));
row3.addElement(new TD(b)).setAlign("right");
@ -102,7 +103,7 @@ public class LogSpoofing extends LessonAdapter
Table t2 = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
TR row4 = new TR();
row4.addElement(new TD(new PRE("Login failed for username: " + inputUsername))).setBgColor(HtmlColor.GRAY);
row4.addElement(new TD(new PRE(WebGoatI18N.get("LoginFailedForUserName")+": " + inputUsername))).setBgColor(HtmlColor.GRAY);
t2.addElement(row4);
@ -111,7 +112,7 @@ public class LogSpoofing extends LessonAdapter
if (inputUsername.length() != 0
&& inputUsername.toUpperCase().indexOf(
System.getProperty("line.separator")
+ "LOGIN SUCCEEDED FOR USERNAME:") >= 0)
+ WebGoatI18N.get("LoginSucceededForUserName")+":") >= 0)
{
makeSuccess(s);
}
@ -134,12 +135,10 @@ public class LogSpoofing extends LessonAdapter
protected List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add("Try to fool the human eye by using new lines.");
hints.add("Use CR (%0d) and LF (%0a) for a new line.");
hints.add("Try: Smith%0d%0aLogin Succeeded for username: admin");
hints
.add("Try: Smith%0d%0aLogin Succeeded for username: admin&lt;script&gt;alert(document.cookie)&lt;/script&gt;");
hints.add(WebGoatI18N.get("LogSpoofingHint1"));
hints.add(WebGoatI18N.get("LogSpoofingHint2"));
hints.add(WebGoatI18N.get("LogSpoofingHint3"));
hints.add(WebGoatI18N.get("LogSpoofingHint4"));
return hints;
}
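Review bot: The success check on the line `+ WebGoatI18N.get("LoginSucceededForUserName")+":") >= 0)` is matched against `inputUsername.toUpperCase()`, but the label it now searches for is no longer the upper-case literal `"LOGIN SUCCEEDED FOR USERNAME:"` the old code used, so unless every translation of that key is written entirely in capitals the `indexOf` can never match and the lesson becomes unsolvable. Upper-case the label the same way the input is: `+ WebGoatI18N.get("LoginSucceededForUserName").toUpperCase() + ":") >= 0)`. Note that the string the attacker has to inject is now language-dependent, so the `LogSpoofingHint3`/`Hint4` text in each properties file must reproduce that language's label exactly. The enclosing handler body starts outside the hunk.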


@ -16,6 +16,7 @@ import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/***************************************************************************************************
@ -66,7 +67,7 @@ public class PathBasedAccessControl extends LessonAdapter
try
{
String dir = s.getContext().getRealPath("/lesson_plans");
String dir = s.getContext().getRealPath("/lesson_plans/English");
File d = new File(dir);
Table t = new Table().setCellSpacing(0).setCellPadding(2).setWidth("90%").setAlign("center");
@ -77,8 +78,8 @@ public class PathBasedAccessControl extends LessonAdapter
}
String[] list = d.list();
String listing = " <p><B>Current Directory is:</B> " + Encoding.urlDecode(dir)
+ "<br><br> Choose the file to view:</p>";
String listing = " <p><B>"+WebGoatI18N.get("CurrentDirectory")+"</B> " + Encoding.urlDecode(dir)
+ "<br><br>"+WebGoatI18N.get("ChooseFileToView")+"</p>";
TR tr = new TR();
tr.addElement(new TD().setColSpan(2).addElement(new StringElement(listing)));
@ -86,7 +87,7 @@ public class PathBasedAccessControl extends LessonAdapter
tr = new TR();
tr.addElement(new TD().setWidth("35%").addElement(ECSFactory.makePulldown(FILE, list, "", 15)));
tr.addElement(new TD().addElement(ECSFactory.makeButton("View File")));
tr.addElement(new TD().addElement(ECSFactory.makeButton(WebGoatI18N.get("ViewFile"))));
t.addElement(tr);
ec.addElement(t);
@ -105,17 +106,13 @@ public class PathBasedAccessControl extends LessonAdapter
// file
if (upDirCount(file) == 3 && !file.endsWith("LICENSE"))
{
s.setMessage("Access denied");
s.setMessage("It appears that you are on the right track. "
+ "Commands that may compromise the operating system have been disabled. "
+ "You are only allowed to see one file in this directory. ");
s.setMessage(WebGoatI18N.get("AccessDenied"));
s.setMessage(WebGoatI18N.get("ItAppears1"));
}
else if (upDirCount(file) > 3)
{
s.setMessage("Access denied");
s.setMessage("It appears that you are on the right track. "
+ "Commands that may compromise the operating system have been disabled. "
+ "You are only allowed to see files in the webgoat directory. ");
s.setMessage(WebGoatI18N.get("AccessDenied"));
s.setMessage(WebGoatI18N.get("ItAppears2"));
}
else
{
@ -134,13 +131,13 @@ public class PathBasedAccessControl extends LessonAdapter
if (s.isDebug())
{
s.setMessage("File: " + file);
s.setMessage("Dir: " + dir);
s.setMessage(WebGoatI18N.get("File") + file);
s.setMessage(WebGoatI18N.get("Dir")+ dir);
// s.setMessage("File URI: " + "file:///" +
// (Encoding.urlEncode(dir) + "\\" +
// Encoding.urlEncode(file)).replaceAll("\\\\","/"));
s.setMessage(" - isFile(): " + f.isFile());
s.setMessage(" - exists(): " + f.exists());
s.setMessage(WebGoatI18N.get("IsFile")+ f.isFile());
s.setMessage(WebGoatI18N.get("Exists") + f.exists());
}
if (!illegalCommand)
{
@ -150,21 +147,21 @@ public class PathBasedAccessControl extends LessonAdapter
// directory listing we gave them.
if (upDirCount(file) >= 1)
{
s.setMessage("Congratulations! Access to file allowed");
s.setMessage(WebGoatI18N.get("CongratsAccessToFileAllowed"));
s.setMessage(" ==> " + Encoding.urlDecode(f.getCanonicalPath()));
makeSuccess(s);
}
else
{
s.setMessage("File is already in allowed directory - try again!");
s.setMessage(WebGoatI18N.get("FileInAllowedDirectory"));
s.setMessage(" ==> " + Encoding.urlDecode(f.getCanonicalPath()));
}
}
else if (file != null && file.length() != 0)
{
s
.setMessage("Access to file/directory \"" + Encoding.urlDecode(f.getCanonicalPath())
+ "\" denied");
.setMessage(WebGoatI18N.get("AccessToFileDenied1") + Encoding.urlDecode(f.getCanonicalPath())
+ WebGoatI18N.get("AccessToFileDenied2"));
}
else
{
@ -178,11 +175,11 @@ public class PathBasedAccessControl extends LessonAdapter
ec.addElement(new BR());
ec.addElement(new BR());
ec.addElement(new HR().setWidth("100%"));
ec.addElement("Viewing file: " + f.getCanonicalPath());
ec.addElement(WebGoatI18N.get("ViewingFile")+ f.getCanonicalPath());
ec.addElement(new HR().setWidth("100%"));
if (f.length() > 80000) { throw new Exception("File is too large"); }
if (f.length() > 80000) { throw new Exception(WebGoatI18N.get("FileTooLarge")); }
String fileData = getFileText(new BufferedReader(new FileReader(f)), false);
if (fileData.indexOf(0x00) != -1) { throw new Exception("File is binary"); }
if (fileData.indexOf(0x00) != -1) { throw new Exception(WebGoatI18N.get("FileBinary")); }
ec.addElement(new StringElement(fileData.replaceAll(System.getProperty("line.separator"), "<br>")
.replaceAll("(?s)<!DOCTYPE.*/head>", "").replaceAll("<br><br>", "<br>")
.replaceAll("<br>\\s<br>", "<br>").replaceAll("<\\?", "&lt;").replaceAll("<(r|u|t)",
@ -190,13 +187,13 @@ public class PathBasedAccessControl extends LessonAdapter
} catch (Exception e)
{
ec.addElement(new BR());
ec.addElement("The following error occurred while accessing the file: <");
ec.addElement(WebGoatI18N.get("TheFollowingError"));
ec.addElement(e.getMessage());
}
}
} catch (Exception e)
{
s.setMessage("Error generating " + this.getClass().getName());
s.setMessage(WebGoatI18N.get("ErrorGenerating")+ this.getClass().getName());
e.printStackTrace();
}
@ -233,11 +230,11 @@ public class PathBasedAccessControl extends LessonAdapter
protected List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add("Most operating systems allow special characters in the path.");
hints.add("Use a file explorer to find the tomcat\\webapps\\WebGoat\\lesson_plans directory");
hints.add("Try .. in the path");
hints.add("Try ..\\..\\..\\LICENSE");
hints.add(WebGoatI18N.get("PathBasedAccessControlHint1"));
hints.add(WebGoatI18N.get("PathBasedAccessControlHint2"));
hints.add(WebGoatI18N.get("PathBasedAccessControlHint3"));
hints.add(WebGoatI18N.get("PathBasedAccessControlHint4"));
return hints;
}
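Review bot: Moving the base directory from `/lesson_plans` to `/lesson_plans/English` adds one level of nesting, but the hard-coded `upDirCount(file) == 3` / `upDirCount(file) > 3` thresholds a few lines below are unchanged, so if `upDirCount` counts `..` segments the LICENSE file that the old hint reached with `..\..\..\LICENSE` now sits four levels up and lands in the `> 3` "access denied" branch, and the lesson's intended solution stops working. Either bump both thresholds (`if (upDirCount(file) == 4 && !file.endsWith("LICENSE"))` and `else if (upDirCount(file) > 4)`) or derive the limit from the depth of the configured directory instead of a literal. The translated `PathBasedAccessControlHint4` text must then carry the extra `..\` segment as well. `upDirCount` itself and the start of this method are outside the hunk.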
@ -248,11 +245,7 @@ public class PathBasedAccessControl extends LessonAdapter
*/
public String getInstructions(WebSession s)
{
String instructions = "The '" + s.getUserName() + "' user has access to all the files in the "
+ "lesson_plans directory. Try to break the access control mechanism and access a "
+ "resource that is not in the listed directory. After selecting a file to view, WebGoat "
+ "will report if access to the file was granted. An interesting file to try and obtain might "
+ "be a file like tomcat/conf/tomcat-users.xml";
String instructions = WebGoatI18N.get("PathBasedAccessControlInstr1")+ s.getUserName() + WebGoatI18N.get("PathBasedAccessControlInstr2");
return (instructions);
}


@ -19,6 +19,7 @@ import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.HtmlEncoder;
import org.owasp.webgoat.util.WebGoatI18N;
/***************************************************************************************************
@ -87,13 +88,13 @@ public class ReflectedXSS extends LessonAdapter
makeSuccess(s);
}
s.setMessage("Whoops! You entered " + param1 + " instead of your three digit code. Please try again.");
s.setMessage(WebGoatI18N.get("ReflectedXSSWhoops1")+ param1 + WebGoatI18N.get("ReflectedXSSWhoops2"));
}
// FIXME: encode output of field2, then s.setMessage( field2 );
ec.addElement(new HR().setWidth("90%"));
ec.addElement(new Center().addElement(new H1().addElement("Shopping Cart ")));
ec.addElement(new Center().addElement(new H1().addElement(WebGoatI18N.get("ShoppingCart"))));
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center");
if (s.isColor())
@ -102,10 +103,10 @@ public class ReflectedXSS extends LessonAdapter
}
TR tr = new TR();
tr.addElement(new TH().addElement("Shopping Cart Items -- To Buy Now").setWidth("80%"));
tr.addElement(new TH().addElement("Price").setWidth("10%"));
tr.addElement(new TH().addElement("Quantity").setWidth("3%"));
tr.addElement(new TH().addElement("Total").setWidth("7%"));
tr.addElement(new TH().addElement(WebGoatI18N.get("ShoppingCartItems")).setWidth("80%"));
tr.addElement(new TH().addElement(WebGoatI18N.get("Price")).setWidth("10%"));
tr.addElement(new TH().addElement(WebGoatI18N.get("Quantity")).setWidth("3%"));
tr.addElement(new TH().addElement(WebGoatI18N.get("Total")).setWidth("7%"));
t.addElement(tr);
tr = new TR();
@ -170,24 +171,24 @@ public class ReflectedXSS extends LessonAdapter
ec.addElement(new BR());
tr = new TR();
tr.addElement(new TD().addElement("The total charged to your credit card:"));
tr.addElement(new TD().addElement(WebGoatI18N.get("TotalChargedCreditCard")+":"));
tr.addElement(new TD().addElement(money.format(runningTotal)));
tr.addElement(new TD().addElement(ECSFactory.makeButton("Update Cart")));
tr.addElement(new TD().addElement(ECSFactory.makeButton(WebGoatI18N.get("UpdateCart"))));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("&nbsp;").setColSpan(2));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("Enter your credit card number:"));
tr.addElement(new TD().addElement(WebGoatI18N.get("EnterCreditCard")+":"));
tr.addElement(new TD().addElement(new Input(Input.TEXT, "field2", param2)));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("Enter your three digit access code:"));
tr.addElement(new TD().addElement(WebGoatI18N.get("Enter3DigitCode")+":"));
tr.addElement(new TD().addElement("<input name='field1' type='TEXT' value='" + param1 + "'>"));
// tr.addElement(new TD().addElement(new Input(Input.TEXT, "field1",param1)));
t.addElement(tr);
Element b = ECSFactory.makeButton("Purchase");
Element b = ECSFactory.makeButton(WebGoatI18N.get("Purchase"));
tr = new TR();
tr.addElement(new TD().addElement(b).setColSpan(2).setAlign("center"));
t.addElement(tr);
@ -197,7 +198,7 @@ public class ReflectedXSS extends LessonAdapter
ec.addElement(new HR().setWidth("90%"));
} catch (Exception e)
{
s.setMessage("Error generating " + this.getClass().getName());
s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName());
e.printStackTrace();
}
return (ec);
@ -221,16 +222,12 @@ public class ReflectedXSS extends LessonAdapter
protected List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add("A simple script is &lt;SCRIPT&gt;alert('bang!');&lt;/SCRIPT&gt;.");
hints.add("Can you get the script to disclose the JSESSIONID cookie?");
hints.add("You can use &lt;SCRIPT&gt;alert(document.cookie);&lt;/SCRIPT&gt; to access the session id cookie");
hints.add("Can you get the script to access the credit card form field?");
hints
.add("Try a cross site trace (XST) Command:<br>"
+ "&lt;script type=\"text/javascript\"&gt;if ( navigator.appName.indexOf(\"Microsoft\") !=-1)"
+ " {var xmlHttp = new ActiveXObject(\"Microsoft.XMLHTTP\");xmlHttp.open(\"TRACE\", \"./\", false);"
+ " xmlHttp.send();str1=xmlHttp.responseText; while (str1.indexOf(\"\\n\") > -1) str1 = str1.replace(\"\\n\",\"&lt;br&gt;\"); "
+ "document.write(str1);}&lt;/script&gt;");
hints.add(WebGoatI18N.get("ReflectedXSSHint1"));
hints.add(WebGoatI18N.get("ReflectedXSSHint2"));
hints.add(WebGoatI18N.get("ReflectedXSSHint3"));
hints.add(WebGoatI18N.get("ReflectedXSSHint4"));
hints.add(WebGoatI18N.get("ReflectedXSSHint5"));
return hints;
}
@ -238,16 +235,7 @@ public class ReflectedXSS extends LessonAdapter
// = new
// ActiveXObject("Microsoft.XMLHTTP");xmlHttp.open("TRACE", "./", false);
// xmlHttp.send();str1=xmlHttp.responseText;document.write(str1);}</script>
/**
* Gets the instructions attribute of the WeakAccessControl object
*
* @return The instructions value
*/
public String getInstructions(WebSession s)
{
String instructions = "For this exercise, your mission is to come up with some input containing a script. You have to try to get this page to reflect that input back to your browser, which will execute the script and do something bad.";
return (instructions);
}
private final static Integer DEFAULT_RANKING = new Integer(120);
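Review bot: Splitting one sentence into `WebGoatI18N.get("ReflectedXSSWhoops1")+ param1 + WebGoatI18N.get("ReflectedXSSWhoops2")` hard-wires English word order into the Java code, so a translator cannot move the interpolated value to where the target language needs it. The idiomatic form is one key holding a placeholder, formatted with `java.text.MessageFormat`: `s.setMessage(MessageFormat.format(WebGoatI18N.get("ReflectedXSSWhoops"), param1));` with the property value `Whoops! You entered {0} instead of your three digit code. Please try again.`. Translators then need to know that MessageFormat treats a single quote as a quoting character, so an apostrophe in a value must be doubled. The removed `getInstructions` override is presumably superseded by the per-language lesson plan; worth confirming nothing else called it. The `createContent` body that these lines belong to starts outside the hunk.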


@ -6,6 +6,7 @@ import java.util.List;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/***************************************************************************************************
@ -56,11 +57,6 @@ public class RemoteAdminFlaw extends LessonAdapter
{
makeSuccess(s);
}
else
{
ec.addElement("WebGoat has an admin interface. To 'complete' this lesson you must figure "
+ "out how to access the administrative interface for WebGoat.");
}
return ec;
}
@ -83,12 +79,11 @@ public class RemoteAdminFlaw extends LessonAdapter
public List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add("WebGoat has 2 admin interfaces.");
hints.add("WebGoat has one admin interface that is controlled via a URL parameter and is 'hackable'");
hints
.add("WebGoat has one admin interface that is controlled via server side security constraints and should not be 'hackable'");
hints.add("Follow the Source!");
hints.add("On success you will see new submenu items in the menupoint 'Admin Functions'");
hints.add(WebGoatI18N.get("RemoteAdminFlawHint1"));
hints.add(WebGoatI18N.get("RemoteAdminFlawHint2"));
hints.add(WebGoatI18N.get("RemoteAdminFlawHint3"));
hints.add(WebGoatI18N.get("RemoteAdminFlawHint4"));
hints.add(WebGoatI18N.get("RemoteAdminFlawHint5"));
return hints;
}
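Review bot: The `else` branch that told the user what this lesson expects ("WebGoat has an admin interface…") is deleted outright rather than routed through `WebGoatI18N.get(...)` like every other string in this commit, so a user who has not yet solved the lesson now gets an empty lesson area from `createContent`. Unless that sentence has been moved into the per-language lesson plan, restore the branch as `else { ec.addElement(WebGoatI18N.get("RemoteAdminFlawInstructions")); }` with a matching entry in each WebGoatLabels file. The start of `createContent` is outside the hunk.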


@ -22,6 +22,7 @@ import org.apache.ecs.html.Select;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/***************************************************************************************************
@ -129,18 +130,15 @@ public class SqlNumericInjection extends SequentialLessonAdapter
makeSuccess(s);
getLessonTracker(s).setStage(2);
StringBuffer msg = new StringBuffer();
msg.append("Bet you can't do it again! ");
msg.append("This lesson has detected your successfull attack ");
msg.append("and has now switched to a defensive mode. ");
msg.append("Try again to attack a parameterized query.");
msg.append(WebGoatI18N.get("NumericSqlInjectionSecondStage"));
s.setMessage(msg.toString());
}
}
else
{
ec.addElement("No results matched. Try Again.");
ec.addElement(WebGoatI18N.get("NoResultsMatched"));
}
} catch (SQLException sqle)
@ -149,7 +147,7 @@ public class SqlNumericInjection extends SequentialLessonAdapter
}
} catch (Exception e)
{
s.setMessage("Error generating " + this.getClass().getName());
s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName());
e.printStackTrace();
}
@ -160,8 +158,7 @@ public class SqlNumericInjection extends SequentialLessonAdapter
{
ElementContainer ec = new ElementContainer();
ec.addElement("Now that you have successfully performed an SQL injection, try the same "
+ " type of attack on a parameterized query.");
ec.addElement(WebGoatI18N.get("NumericSqlInjectionSecondStage2"));
// if ( s.getParser().getRawParameter( ACCT_NUM, "101" ).equals("restart"))
// {
// getLessonTracker(s).setStage(1);
@ -205,14 +202,14 @@ public class SqlNumericInjection extends SequentialLessonAdapter
}
else
{
ec.addElement("No results matched. Try Again.");
ec.addElement(WebGoatI18N.get("NoResultsMatched"));
}
} catch (SQLException sqle)
{
ec.addElement(new P().addElement(sqle.getMessage()));
} catch (NumberFormatException npe)
{
ec.addElement(new P().addElement("Error parsing station as a number: " + npe.getMessage()));
ec.addElement(new P().addElement(WebGoatI18N.get("ErrorParsingAsNumber") + npe.getMessage()));
}
} catch (Exception e)
{
@ -227,7 +224,7 @@ public class SqlNumericInjection extends SequentialLessonAdapter
{
ElementContainer ec = new ElementContainer();
ec.addElement(new P().addElement("Select your local weather station: "));
ec.addElement(new P().addElement(WebGoatI18N.get("SelectYourStation")));
Map<String, String> stations = getStations(s);
Select select = new Select(STATION_ID);
@ -240,7 +237,7 @@ public class SqlNumericInjection extends SequentialLessonAdapter
ec.addElement(select);
ec.addElement(new P());
Element b = ECSFactory.makeButton("Go!");
Element b = ECSFactory.makeButton(WebGoatI18N.get("Go!"));
ec.addElement(b);
return ec;
@ -310,13 +307,12 @@ public class SqlNumericInjection extends SequentialLessonAdapter
protected List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints
.add("The application is taking the input from the select box and inserts it at the end of a pre-formed SQL command.");
hints.add("This is the code for the query being built and issued by WebGoat:<br><br> "
+ "\"SELECT * FROM weather_data WHERE station = \" + station ");
hints.add("Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. "
+ "Try appending a SQL statement that always resolves to true.");
hints.add("Try to intercept the post request with WebScarab and replace the station " + "with [ 101 OR 1 = 1 ].");
hints.add(WebGoatI18N.get("SqlNumericInjectionHint1"));
hints.add(WebGoatI18N.get("SqlNumericInjectionHint2"));
hints.add(WebGoatI18N.get("SqlNumericInjectionHint3"));
hints.add(WebGoatI18N.get("SqlNumericInjectionHint4"));
return hints;
}
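Review bot: After the rewrite the `StringBuffer msg` around the single `msg.append(WebGoatI18N.get("NumericSqlInjectionSecondStage"))` is dead scaffolding — three lines to produce one string — and reads as a leftover of the four appends it replaced; `s.setMessage(WebGoatI18N.get("NumericSqlInjectionSecondStage"));` says the same thing. The button key `"Go!"` is also the only key in this commit that is a literal caption with punctuation rather than a CamelCase identifier like `Submit` or `Login`; a key such as `Go` keeps the properties files uniform and spares a translator wondering whether the `!` belongs to the key. The enclosing `createContent` body starts outside the hunk.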


@ -18,6 +18,7 @@ import org.apache.ecs.html.PRE;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/***************************************************************************************************
@ -113,17 +114,14 @@ public class SqlStringInjection extends SequentialLessonAdapter
StringBuffer msg = new StringBuffer();
msg.append("Bet you can't do it again! ");
msg.append("This lesson has detected your successful attack ");
msg.append("and has now switched to a defensive mode. ");
msg.append("Try again to attack a parameterized query.");
msg.append(WebGoatI18N.get("NumericSqlInjectionSecondStage1"));
s.setMessage(msg.toString());
}
}
else
{
ec.addElement("No results matched. Try Again.");
ec.addElement(WebGoatI18N.get("NoResultsMatched"));
}
} catch (SQLException sqle)
{
@ -132,7 +130,7 @@ public class SqlStringInjection extends SequentialLessonAdapter
}
} catch (Exception e)
{
s.setMessage("Error generating " + this.getClass().getName());
s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName());
e.printStackTrace();
}
@ -143,9 +141,7 @@ public class SqlStringInjection extends SequentialLessonAdapter
{
ElementContainer ec = new ElementContainer();
ec.addElement("Now that you have successfully performed an SQL injection, try the same "
+ " type of attack on a parameterized query. Restart the lesson if you wish "
+ " to return to the injectable query");
ec.addElement(WebGoatI18N.get("StringSqlInjectioNSecondStage"));
if (s.getParser().getRawParameter(ACCT_NAME, "YOUR_NAME").equals("restart"))
{
getLessonTracker(s).getLessonProperties().setProperty(STAGE, "1");
@ -184,7 +180,7 @@ public class SqlStringInjection extends SequentialLessonAdapter
}
else
{
ec.addElement("No results matched. Try Again.");
ec.addElement(WebGoatI18N.get("NoResultsMatched"));
}
} catch (SQLException sqle)
{
@ -192,7 +188,7 @@ public class SqlStringInjection extends SequentialLessonAdapter
}
} catch (Exception e)
{
s.setMessage("Error generating " + this.getClass().getName());
s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName());
e.printStackTrace();
}
@ -202,13 +198,13 @@ public class SqlStringInjection extends SequentialLessonAdapter
protected Element makeAccountLine(WebSession s)
{
ElementContainer ec = new ElementContainer();
ec.addElement(new P().addElement("Enter your last name: "));
ec.addElement(new P().addElement(WebGoatI18N.get("EnterLastName")));
accountName = s.getParser().getRawParameter(ACCT_NAME, "Your Name");
Input input = new Input(Input.TEXT, ACCT_NAME, accountName.toString());
ec.addElement(input);
Element b = ECSFactory.makeButton("Go!");
Element b = ECSFactory.makeButton(WebGoatI18N.get("Go!"));
ec.addElement(b);
return ec;
@ -233,12 +229,11 @@ public class SqlStringInjection extends SequentialLessonAdapter
protected List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add("The application is taking your input and inserting it at the end of a pre-formed SQL command.");
hints.add("This is the code for the query being built and issued by WebGoat:<br><br> "
+ "\"SELECT * FROM user_data WHERE last_name = \" + accountName ");
hints.add("Compound SQL statements can be made by joining multiple tests with keywords like AND and OR."
+ "Try appending a SQL statement that always resolves to true");
hints.add("Try entering [ smith' OR '1' = '1 ].");
hints.add(WebGoatI18N.get("SqlStringInjectionHint1"));
hints.add(WebGoatI18N.get("SqlStringInjectionHint2"));
hints.add(WebGoatI18N.get("SqlStringInjectionHint3"));
hints.add(WebGoatI18N.get("SqlStringInjectionHint4"));
return hints;
}
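Review bot: The stage-2 banner of the string-injection lesson is now looked up under `NumericSqlInjectionSecondStage1`, a key named for the numeric lesson, and the other new key, `StringSqlInjectioNSecondStage`, carries a stray capital N; a lookup that finds no entry in the properties file will at best show an empty banner and at worst throw, so either key failing to match the file exactly breaks this lesson at runtime rather than merely showing the wrong text. Rename both into the lesson's own namespace, e.g. `msg.append(WebGoatI18N.get("StringSqlInjectionSecondStage1"));` and `ec.addElement(WebGoatI18N.get("StringSqlInjectionSecondStage2"));`, and keep separate values from the numeric lesson because the original string-lesson text differed (it mentioned restarting the lesson). The `StringBuffer` around the single append can go as well. The enclosing method body starts outside the hunk.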


@ -23,6 +23,7 @@ import org.apache.ecs.html.Table;
import org.apache.ecs.html.TextArea;
import org.owasp.webgoat.session.*;
import org.owasp.webgoat.util.HtmlEncoder;
import org.owasp.webgoat.util.WebGoatI18N;
/***************************************************************************************************
@ -114,7 +115,7 @@ public class StoredXss extends LessonAdapter
// like "Characters found after end of SQL statement."
if (e.getMessage().indexOf("No ResultSet was produced") == -1)
{
s.setMessage("Could not add message to database");
s.setMessage(WebGoatI18N.get("CouldNotAddMessage"));
}
e.printStackTrace();
}
@ -159,11 +160,12 @@ public class StoredXss extends LessonAdapter
protected List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add("You can put HTML tags in your message.");
hints.add("Bury a SCRIPT tag in the message to attack anyone who reads it.");
hints
.add("Enter this: &lt;script language=\"javascript\" type=\"text/javascript\"&gt;alert(\"Ha Ha Ha\");&lt;/script&gt; in the message field.");
hints.add("Enter this: &lt;script&gt;alert(document.cookie);&lt;/script&gt; in the message field.");
hints.add(WebGoatI18N.get("StoredXssHint1"));
hints.add(WebGoatI18N.get("StoredXssHint1"));
hints.add(WebGoatI18N.get("StoredXssHint1"));
hints.add(WebGoatI18N.get("StoredXssHint1"));
return hints;
}
@ -217,14 +219,14 @@ public class StoredXss extends LessonAdapter
if ((results != null) && results.first())
{
ec.addElement(new H1("Message Contents For: " + results.getString(TITLE_COL)));
ec.addElement(new H1(WebGoatI18N.get("MessageContentsFor")+": " + results.getString(TITLE_COL)));
Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
TR row1 = new TR(new TD(new B(new StringElement("Title:"))));
TR row1 = new TR(new TD(new B(new StringElement(WebGoatI18N.get("Title")+":"))));
row1.addElement(new TD(new StringElement(results.getString(TITLE_COL))));
t.addElement(row1);
String messageData = results.getString(MESSAGE_COL);
TR row2 = new TR(new TD(new B(new StringElement("Message:"))));
TR row2 = new TR(new TD(new B(new StringElement(WebGoatI18N.get("Message")+":"))));
row2.addElement(new TD(new StringElement(messageData)));
t.addElement(row2);
@ -234,7 +236,7 @@ public class StoredXss extends LessonAdapter
// message,
// they can see that the message is attributed to that user
TR row3 = new TR(new TD(new StringElement("Posted By:")));
TR row3 = new TR(new TD(new StringElement(WebGoatI18N.get("PostedBy")+":")));
row3.addElement(new TD(new StringElement(results.getString(USER_COL))));
t.addElement(row3);
@ -253,12 +255,12 @@ public class StoredXss extends LessonAdapter
{
if (messageNum != 0)
{
ec.addElement(new P().addElement("Could not find message " + messageNum));
ec.addElement(new P().addElement(WebGoatI18N.get("CouldNotFindMessage") + messageNum));
}
}
} catch (Exception e)
{
s.setMessage("Error generating " + this.getClass().getName());
s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName());
e.printStackTrace();
}
@ -277,14 +279,14 @@ public class StoredXss extends LessonAdapter
Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
TR row1 = new TR();
TR row2 = new TR();
row1.addElement(new TD(new StringElement("Title: ")));
row1.addElement(new TD(new StringElement(WebGoatI18N.get("Title")+": ")));
Input inputTitle = new Input(Input.TEXT, TITLE, "");
row1.addElement(new TD(inputTitle));
TD item1 = new TD();
item1.setVAlign("TOP");
item1.addElement(new StringElement("Message: "));
item1.addElement(new StringElement(WebGoatI18N.get("Message")+": "));
row2.addElement(item1);
TD item2 = new TD();
@ -294,7 +296,7 @@ public class StoredXss extends LessonAdapter
t.addElement(row1);
t.addElement(row2);
Element b = ECSFactory.makeButton("Submit");
Element b = ECSFactory.makeButton(WebGoatI18N.get("Submit"));
ElementContainer ec = new ElementContainer();
ec.addElement(t);
ec.addElement(new P().addElement(b));
@ -343,11 +345,11 @@ public class StoredXss extends LessonAdapter
}
} catch (Exception e)
{
s.setMessage("Error while getting message list.");
s.setMessage(WebGoatI18N.get("ErrorGeneratingMessageList"));
}
ElementContainer ec = new ElementContainer();
ec.addElement(new H1("Message List"));
ec.addElement(new H1(WebGoatI18N.get("MessageList")));
ec.addElement(t);
return (ec);
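Review bot: `getHints` adds `StoredXssHint1` four times, so hints 2–4 (the SCRIPT-tag hint and the `alert("Ha Ha Ha")` / `alert(document.cookie)` payloads the removed lines carried) are no longer reachable from the UI and the lesson loses most of its guidance. The three lines after the first should read `hints.add(WebGoatI18N.get("StoredXssHint2"));`, `hints.add(WebGoatI18N.get("StoredXssHint3"));`, `hints.add(WebGoatI18N.get("StoredXssHint4"));`. When the four entries are written into each properties file, the `<` and `>` of the payloads need to stay HTML-entity-escaped (`&lt;script&gt;`) exactly as they were in the Java literals; if a translator stores the raw tags, the hint text itself executes in the reader's browser when it is rendered.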


@ -18,6 +18,7 @@ import org.apache.ecs.html.TH;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.*;
import org.owasp.webgoat.util.WebGoatI18N;
/***************************************************************************************************
@ -103,7 +104,7 @@ public class WeakAuthenticationCookie extends LessonAdapter
}
else
{
s.setMessage("Invalid cookie");
s.setMessage(WebGoatI18N.get("InvalidCookie"));
s.eatCookies();
}
}
@ -141,14 +142,14 @@ public class WeakAuthenticationCookie extends LessonAdapter
if (loginID != "")
{
Cookie newCookie = new Cookie(AUTHCOOKIE, loginID);
s.setMessage("Your identity has been remembered");
s.setMessage(WebGoatI18N.get("IdentityRemembered"));
s.getResponse().addCookie(newCookie);
return (username);
}
else
{
s.setMessage("Invalid username and password entered.");
s.setMessage(WebGoatI18N.get("InvalidUsernameAndPassword"));
}
}
@ -168,7 +169,7 @@ public class WeakAuthenticationCookie extends LessonAdapter
if (logout)
{
s.setMessage("Goodbye! Your password has been forgotten");
s.setMessage(WebGoatI18N.get("PasswordForgotten"));
s.eatCookies();
return (makeLogin(s));
@ -185,7 +186,7 @@ public class WeakAuthenticationCookie extends LessonAdapter
if ((user != null) && (user.length() > 0)) { return (makeUser(s, user, "PARAMETERS")); }
} catch (Exception e)
{
s.setMessage("Error generating " + this.getClass().getName());
s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName());
e.printStackTrace();
}
@ -250,27 +251,16 @@ public class WeakAuthenticationCookie extends LessonAdapter
protected List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add("The server authenticates the user using a cookie, if you send the right cookie.");
hints.add("Is the AuthCookie value guessable knowing the username and password?");
hints.add("Add 'AuthCookie=********;' to the Cookie: header using "
+ "<A href=\"http://www.owasp.org/development/webscarab\">WebScarab</A>.");
hints.add("After logging in as webgoat a cookie is added. 65432ubphcfx<br/>"
+ "After logging in as aspect a cookie is added. 65432udfqtb<br/>"
+ "Is there anything similar about the cookies and the login names?");
hints.add(WebGoatI18N.get("WeakAuthenticationCookieHints1"));
hints.add(WebGoatI18N.get("WeakAuthenticationCookieHints2"));
hints.add(WebGoatI18N.get("WeakAuthenticationCookieHints3"));
hints.add(WebGoatI18N.get("WeakAuthenticationCookieHints4"));
return hints;
}
/**
* Gets the instructions attribute of the WeakAuthenticationCookie object
*
* @return The instructions value
*/
public String getInstructions(WebSession s)
{
String instructions = "Login using the webgoat/webgoat account to see what happens. You may also try aspect/aspect. When you understand the authentication cookie, try changing your identity to alice.";
return (instructions);
}
private final static Integer DEFAULT_RANKING = new Integer(90);
@ -300,7 +290,7 @@ public class WeakAuthenticationCookie extends LessonAdapter
{
ElementContainer ec = new ElementContainer();
ec.addElement(new H1().addElement("Sign In "));
ec.addElement(new H1().addElement(WebGoatI18N.get("SignIn")));
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
if (s.isColor())
@ -310,12 +300,12 @@ public class WeakAuthenticationCookie extends LessonAdapter
TR tr = new TR();
tr.addElement(new TH()
.addElement("Please sign in to your account. See the OWASP admin if you do not have an account.")
.addElement(WebGoatI18N.get("WeakAuthenticationCookiePleaseSignIn"))
.setColSpan(2).setAlign("left"));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("*Required Fields").setWidth("30%"));
tr.addElement(new TD().addElement("*"+WebGoatI18N.get("RequiredFields")).setWidth("30%"));
t.addElement(tr);
tr = new TR();
@ -324,8 +314,8 @@ public class WeakAuthenticationCookie extends LessonAdapter
TR row1 = new TR();
TR row2 = new TR();
row1.addElement(new TD(new B(new StringElement("*User Name: "))));
row2.addElement(new TD(new B(new StringElement("*Password: "))));
row1.addElement(new TD(new B(new StringElement("*"+WebGoatI18N.get("UserName")))));
row2.addElement(new TD(new B(new StringElement("*"+WebGoatI18N.get("Password")))));
Input input1 = new Input(Input.TEXT, USERNAME, "");
Input input2 = new Input(Input.PASSWORD, PASSWORD, "");
@ -334,7 +324,7 @@ public class WeakAuthenticationCookie extends LessonAdapter
t.addElement(row1);
t.addElement(row2);
Element b = ECSFactory.makeButton("Login");
Element b = ECSFactory.makeButton(WebGoatI18N.get("Login"));
t.addElement(new TR(new TD(b)));
ec.addElement(t);
@ -357,10 +347,10 @@ public class WeakAuthenticationCookie extends LessonAdapter
protected Element makeUser(WebSession s, String user, String method) throws Exception
{
ElementContainer ec = new ElementContainer();
ec.addElement(new P().addElement("Welcome, " + user));
ec.addElement(new P().addElement("You have been authenticated with " + method));
ec.addElement(new P().addElement(ECSFactory.makeLink("Logout", LOGOUT, true)));
ec.addElement(new P().addElement(ECSFactory.makeLink("Refresh", "", "")));
ec.addElement(new P().addElement(WebGoatI18N.get("WelcomeUser") + user));
ec.addElement(new P().addElement(WebGoatI18N.get("YouHaveBeenAuthenticatedWith") + method));
ec.addElement(new P().addElement(ECSFactory.makeLink(WebGoatI18N.get("Logout"), LOGOUT, true)));
ec.addElement(new P().addElement(ECSFactory.makeLink(WebGoatI18N.get("Refresh"), "", "")));
return (ec);
}
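Review bot: The sign-in labels `"*"+WebGoatI18N.get("UserName")` and `"*"+WebGoatI18N.get("Password")` drop the `: ` suffix the old literals `"*User Name: "` / `"*Password: "` carried, while LogSpoofing in this same commit renders the very same keys as `WebGoatI18N.get("UserName")+":"`; the two forms now look different and the colon convention is decided per call site. Pick one: either `"*"+WebGoatI18N.get("UserName")+": "` here, or put the punctuation into the property value everywhere. Unrelated to the translation but visible as context in the hunk, `if (loginID != "")` compares by reference; if `loginID` is built from anything other than the literal `""` that test is always true, an empty `AuthCookie` would be set and "identity remembered" reported, so `if (loginID.length() > 0)` is the intended check — where `loginID` is computed is outside the hunk.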


@ -4,6 +4,7 @@ package org.owasp.webgoat.session;
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
@ -16,6 +17,7 @@ import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Category;
/***************************************************************************************************
*
*
@ -59,6 +61,7 @@ public class Course
private WebgoatContext webgoatContext;
public Course()
{
try
@ -71,6 +74,9 @@ public class Course
}
}
/**
* Take an absolute file and return the filename.
*
@ -368,6 +374,15 @@ public class Course
}
}
private String getLanguageFromFileName(String first, String absoluteFile){
int p1 = absoluteFile.indexOf("/",absoluteFile.indexOf(first)+1);
int p2 = absoluteFile.indexOf("/",p1+1);
String langStr=absoluteFile.substring(p1+1,p2);
return new String(langStr);
}
/**
* For each lesson, set the source file and lesson file
*/
@ -402,7 +417,9 @@ public class Course
// lesson " +
// lesson.getClass().getName());
// System.out.println("fileName: " + fileName + " == className: " + className );
lesson.setLessonPlanFileName(absoluteFile);
String language = getLanguageFromFileName("/lesson_plans",absoluteFile);
lesson.setLessonPlanFileName(language, absoluteFile);
this.webgoatContext.getWebgoatI18N().loadLanguage(language);
}
if (absoluteFile.startsWith("/lesson_solutions") && absoluteFile.endsWith(".html")
&& className.endsWith(fileName))
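Review bot: `getLanguageFromFileName` in the hunk at `@ -368,6 +374,15` assumes both separators exist; when `first` does not occur in `absoluteFile`, or no second `/` follows the language directory, `p2` is -1 and `substring(p1+1, p2)` throws `StringIndexOutOfBoundsException`, which aborts the whole course load because of one stray file directly under `/lesson_plans`. A guard such as `if (p1 < 0 || p2 < 0) { return webgoatContext.getDefaultLanguage(); }` before the `substring` keeps loading going and matches the fallback that `WebGoatI18N.get` already applies for unknown languages. The `return new String(langStr);` copy is unnecessary; `return langStr;` is equivalent. The calling method in the last hunk starts outside the hunk, so I could not check whether `absoluteFile` is guaranteed to start with `/lesson_plans` at the point `getLanguageFromFileName` is invoked.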


@ -23,6 +23,8 @@ import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.RandomLessonAdapter;
import org.owasp.webgoat.lessons.SequentialLessonAdapter;
import org.owasp.webgoat.util.WebGoatI18N;
/***************************************************************************************************
@ -143,6 +145,8 @@ public class WebSession
public final static String DEBUG = "debug";
public final static String LANGUAGE = "language";
/**
* Description of the Field
*/
@ -198,6 +202,10 @@ public class WebSession
private int currentMenu;
private String currentLanguage = null;
/**
* Constructor for the WebSession object
*
@ -215,7 +223,9 @@ public class WebSession
showSource = webgoatContext.isShowSource();
showSolution = webgoatContext.isShowSolution();
showRequest = webgoatContext.isShowRequest();
currentLanguage = webgoatContext.getDefaultLanguage();
this.context = context;
course = new Course();
course.loadCourses(webgoatContext, context, "/");
}
@ -290,6 +300,9 @@ public class WebSession
return context;
}
public List<String> getRoles()
{
List<String> roles = new ArrayList<String>();
@ -591,20 +604,6 @@ public class WebSession
return (isAdmin);
}
/**
* Sets the admin flag - this routine is ONLY
* here to allow someone a backdoor to setting the
* user up as an admin.
*
* This is also used by the WebSession to set the admin, but the method
* should be private
*
* @param state
*/
public void setAdmin(boolean state)
{
isAdmin = state;
}
/**
* Gets the hackedAdmin attribute of the WebSession object
*
@ -728,7 +727,7 @@ public class WebSession
*/
public boolean isUser()
{
return (!isAdmin() && !isChallenge());
return (!isAdmin && !isChallenge());
}
/**
@ -834,6 +833,12 @@ public class WebSession
{
myParser.update(request);
}
if(myParser.getRawParameter(LANGUAGE,null)!=null){
this.currentLanguage=new String(myParser.getRawParameter(LANGUAGE,null));
WebGoatI18N.setCurrentLanguage(this.currentLanguage);
}
// System.out.println("Current Screen 1: " + currentScreen );
// System.out.println("Previous Screen 1: " + previousScreen );
@ -965,8 +970,8 @@ public class WebSession
}
setAdmin(request.isUserInRole(WEBGOAT_ADMIN));
isHackedAdmin = myParser.getBooleanParameter(ADMIN, isAdmin());
isAdmin = request.isUserInRole(WEBGOAT_ADMIN);
isHackedAdmin = myParser.getBooleanParameter(ADMIN, isAdmin);
if (isHackedAdmin)
{
System.out.println("Hacked admin");
@ -1005,10 +1010,7 @@ public class WebSession
{
RandomLessonAdapter rla = (RandomLessonAdapter) al;
rla.setStage(this, rla.getStages()[0]);
}
else if(al instanceof org.owasp.webgoat.lessons.MaliciousFileExecution) {
((org.owasp.webgoat.lessons.MaliciousFileExecution) al).restartLesson(this);
}
}
}
/**
@ -1093,4 +1095,10 @@ public class WebSession
{
return webgoatContext;
}
public String getCurrrentLanguage() {
return currentLanguage;
}
}
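Review bot: The language switch at `if(myParser.getRawParameter(LANGUAGE,null)!=null)` copies a request parameter into `WebGoatI18N.setCurrentLanguage`, which writes a static field in the new WebGoatI18N class, so the most recent request from any session decides the labels rendered for every other session, and the per-session `currentLanguage` field assigned on the line above is never consulted by `WebGoatI18N.get`. Passing the session's language explicitly (for example `WebGoatI18N.get(s.getCurrentLanguage(), "Login")`), or at minimum accepting only values that `loadLanguage` has registered, would keep one user's choice from leaking into other sessions; the enclosing method starts outside the hunk. The `new String(...)` wrapper is redundant: `this.currentLanguage = myParser.getRawParameter(LANGUAGE, null);` reads the same value. The accessor added at the end of the file is spelled `getCurrrentLanguage` (three r's); since it is a fresh public method, renaming it to `getCurrentLanguage` now avoids freezing the typo into callers.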


@ -4,6 +4,8 @@ package org.owasp.webgoat.session;
import java.util.Iterator;
import javax.servlet.http.HttpServlet;
import org.owasp.webgoat.util.WebGoatI18N;
public class WebgoatContext
{
@ -39,6 +41,8 @@ public class WebgoatContext
public final static String FEEDBACK_ADDRESS = "email";
public final static String DEBUG = "debug";
public final static String DEFAULTLANGUAGE = "DefaultLanguage";
private String databaseConnectionString;
@ -75,6 +79,10 @@ public class WebgoatContext
private String servletName;
private HttpServlet servlet;
private String defaultLanguage;
private WebGoatI18N webgoati18n = null;
public WebgoatContext(HttpServlet servlet)
{
@ -100,7 +108,10 @@ public class WebgoatContext
showRequest = "true".equals(getParameter(servlet, SHOWREQUEST));
isDebug = "true".equals(getParameter(servlet, DEBUG));
servletName = servlet.getServletName();
defaultLanguage = getParameter(servlet,DEFAULTLANGUAGE)!=null ? new String(getParameter(servlet, DEFAULTLANGUAGE)): new String("English");
webgoati18n = new WebGoatI18N(this);
}
private String getParameter(HttpServlet servlet, String key)
@ -222,4 +233,16 @@ public class WebgoatContext
return showSolution;
}
public String getDefaultLanguage() {
return defaultLanguage;
}
public void setWebgoatiI18N(WebGoatI18N webgoati18n) {
this.webgoati18n = webgoati18n;
}
public WebGoatI18N getWebgoatI18N() {
return webgoati18n;
}
}
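Review bot: The `defaultLanguage` assignment in the constructor calls `getParameter(servlet, DEFAULTLANGUAGE)` twice and wraps both results in `new String(...)`, which adds nothing; `String configured = getParameter(servlet, DEFAULTLANGUAGE);` followed by `defaultLanguage = configured != null ? configured : "English";` expresses the same thing once. The next line passes `this` to `new WebGoatI18N(this)` before the constructor has returned, and WebGoatI18N's constructor reads `getDefaultLanguage()` through that reference, so the statement order is load-bearing; a comment such as `// must stay after defaultLanguage is assigned: WebGoatI18N reads it via this context` protects it from a future reorder. The new setter is spelled `setWebgoatiI18N` while the getter is `getWebgoatI18N`; aligning the two names before anything calls the setter is cheap.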


@ -0,0 +1,41 @@
package org.owasp.webgoat.util;
import java.util.HashMap;
import java.util.Locale;
import java.util.ResourceBundle;
import org.owasp.webgoat.session.WebgoatContext;
public class WebGoatI18N {
private static HashMap<String,ResourceBundle> labels= new HashMap<String,ResourceBundle>();
private static String defaultLanguage ;
private static String currentLanguage;
public WebGoatI18N(WebgoatContext context){
Locale l = new Locale(context.getDefaultLanguage());
WebGoatI18N.defaultLanguage=context.getDefaultLanguage();
labels.put(context.getDefaultLanguage(),ResourceBundle.getBundle("WebGoatLabels",l));
}
public static void loadLanguage(String language){
Locale l = new Locale(language);
labels.put(language, ResourceBundle.getBundle("WebGoatLabels",l));
}
public static void setCurrentLanguage(String language){
WebGoatI18N.currentLanguage=language;
}
public static String get(String strName) {
if(labels.containsKey(WebGoatI18N.currentLanguage)){
return labels.get(WebGoatI18N.currentLanguage).getString(strName);
}
else {
return labels.get(WebGoatI18N.defaultLanguage).getString(strName);
}
}
}
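Review bot: `get` calls `ResourceBundle.getString` without handling `MissingResourceException` (java.util), so a single label absent from a `WebGoatLabels_<language>.properties` file propagates out of lesson rendering — the commit message acknowledges this; degrading to the raw key keeps a missing translation a cosmetic defect instead of a failed page. `labels` is a plain `HashMap` that `loadLanguage` mutates during course loading while request threads read it from `get`, and `defaultLanguage`/`currentLanguage` are static fields assigned through an instance constructor; a `ConcurrentHashMap` (java.util.concurrent) for `labels` and a language parameter on `get` would remove the shared mutable state, as already raised on the WebSession hunk that sets `currentLanguage` from a request parameter. `labels.get(WebGoatI18N.defaultLanguage)` is also null until the constructor has run, which the rewrite below guards.
```java
public static String get(String strName) {
    ResourceBundle bundle = labels.get(WebGoatI18N.currentLanguage);
    if (bundle == null) {
        bundle = labels.get(WebGoatI18N.defaultLanguage);
    }
    if (bundle == null) {
        // No bundle loaded yet (constructor not run); show the key rather than fail.
        return strName;
    }
    try {
        return bundle.getString(strName);
    } catch (MissingResourceException missing) {
        // A missing translation should degrade to the raw key, not abort lesson rendering.
        return strName;
    }
}
```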