diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/application/WebGoatServletListener.java b/webgoat-container/src/main/java/org/owasp/webgoat/application/WebGoatServletListener.java index a0f6c937d..b5385f9fd 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/application/WebGoatServletListener.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/application/WebGoatServletListener.java @@ -5,15 +5,29 @@ */ package org.owasp.webgoat.application; +import com.google.common.collect.Maps; +import org.owasp.webgoat.HammerHead; +import org.owasp.webgoat.lessons.LessonServletMapping; +import org.owasp.webgoat.plugins.PluginsLoader; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.config.BeanDefinition; +import org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider; +import org.springframework.core.type.filter.AnnotationTypeFilter; + import javax.servlet.ServletContext; import javax.servlet.ServletContextEvent; import javax.servlet.ServletContextListener; +import javax.servlet.ServletRegistration; import java.io.IOException; import java.io.InputStream; +import java.nio.file.Paths; import java.sql.Driver; import java.sql.DriverManager; import java.sql.SQLException; import java.util.Enumeration; +import java.util.Map; +import java.util.Set; import java.util.jar.Attributes; import java.util.jar.Manifest; 
@@ -25,15 +39,50 @@ import java.util.jar.Manifest; */ public class WebGoatServletListener implements ServletContextListener { - /** {@inheritDoc} */ + private static final Logger logger = LoggerFactory.getLogger(HammerHead.class); + + /** + * {@inheritDoc} + */ @Override public void contextInitialized(ServletContextEvent sce) { ServletContext context = sce.getServletContext(); context.log("WebGoat is starting"); setApplicationVariables(context); + context.log("Adding extra mappings for lessions"); + + loadPlugins(sce); + loadServlets(sce); } - /** {@inheritDoc} */ + private void loadServlets(ServletContextEvent sce) { + final ServletContext servletContext = sce.getServletContext(); + Map controllers = Maps.newHashMap(); + ClassPathScanningCandidateComponentProvider provider = new ClassPathScanningCandidateComponentProvider( + false); + provider.addIncludeFilter(new AnnotationTypeFilter(LessonServletMapping.class)); + Set candidateComponents = provider.findCandidateComponents("org.owasp.webgoat"); + try { + for (BeanDefinition beanDefinition : candidateComponents) { + Class controllerClass = Class.forName(beanDefinition.getBeanClassName()); + LessonServletMapping pathAnnotation = (LessonServletMapping) controllerClass.getAnnotation(LessonServletMapping.class); + final ServletRegistration.Dynamic dynamic = servletContext.addServlet(controllerClass.getSimpleName(), controllerClass); + dynamic.addMapping(pathAnnotation.path()); + } + } catch (Exception e) { + logger.error("Error", e); + } + } + + private void loadPlugins(ServletContextEvent sce) { + String pluginPath = sce.getServletContext().getRealPath("plugin_lessons"); + String targetPath = sce.getServletContext().getRealPath("plugin_extracted"); + new PluginsLoader(Paths.get(pluginPath), Paths.get(targetPath)).loadPlugins(); + } + + /** + * {@inheritDoc} + */ @Override public void contextDestroyed(ServletContextEvent sce) { ServletContext context = sce.getServletContext(); 
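Review bot: In loadServlets the try/catch wraps the whole for loop, so one lesson class that fails to load or register aborts registration of every lesson after it, and `logger.error("Error", e)` does not say which class failed. Because `servletContext.addServlet` returns null when a servlet with that name is already registered, two lesson classes sharing a simple name would surface as a NullPointerException at `dynamic.addMapping` and stop the loop in the same way; registering under the fully qualified name and checking for null avoids that. Moving the try inside the loop and narrowing the catch keeps one bad lesson from hiding the rest, as sketched below. Separately, `Map controllers = Maps.newHashMap()` is unused (as are the Maps/Map imports added in the previous hunk), the logger is obtained for HammerHead.class rather than WebGoatServletListener.class so its lines are misattributed, and `getRealPath` in loadPlugins returns null when the container cannot map the path (e.g. an unexploded WAR), which makes `Paths.get(pluginPath)` throw before any lesson is loaded.
```java
for (BeanDefinition beanDefinition : candidateComponents) {
    String className = beanDefinition.getBeanClassName();
    try {
        Class<?> controllerClass = Class.forName(className);
        LessonServletMapping pathAnnotation = controllerClass.getAnnotation(LessonServletMapping.class);
        ServletRegistration.Dynamic dynamic = servletContext.addServlet(className,
                controllerClass.asSubclass(javax.servlet.Servlet.class));
        if (dynamic == null) {
            logger.warn("Servlet {} is already registered, skipping", className);
            continue;
        }
        dynamic.addMapping(pathAnnotation.path());
    } catch (ClassNotFoundException | ClassCastException | IllegalArgumentException e) {
        logger.error("Could not register lesson servlet {}", className, e);
    }
}
```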
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/util/ExecutionException.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonServletMapping.java similarity index 61% rename from webgoat-container/src/main/java/org/owasp/webgoat/util/ExecutionException.java rename to webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonServletMapping.java index 6906370f8..0e2034904 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/util/ExecutionException.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonServletMapping.java @@ -1,61 +1,40 @@ +package org.owasp.webgoat.lessons; -package org.owasp.webgoat.util; +import java.lang.annotation.Retention; +import java.lang.annotation.RetentionPolicy; -/** - ************************************************************************************************* - * - * +/*************************************************************************************************** * This file is part of WebGoat, an Open Web Application Security Project utility. For details, * please see http://www.owasp.org/ - * + *

* Copyright (c) 2002 - 20014 Bruce Mayhew - * + *

* This program is free software; you can redistribute it and/or modify it under the terms of the * GNU General Public License as published by the Free Software Foundation; either version 2 of the * License, or (at your option) any later version. - * + *

* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * General Public License for more details. - * + *

* You should have received a copy of the GNU General Public License along with this program; if * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * 02111-1307, USA. - * + *

* Getting Source ============== - * + *

* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software * projects. - * + *

* For details, please see http://webgoat.github.io * - * @author Jeff Williams Aspect Security - * @version $Id: $Id + * @author Nanne Baars + * @created December 12, 2015 */ -public class ExecutionException extends Exception -{ +@Retention(RetentionPolicy.RUNTIME) +public @interface LessonServletMapping { - /** - * - */ - private static final long serialVersionUID = 7282947463831152092L; - - /** - * Constructor for the ExecutionException object - */ - public ExecutionException() - { - super(); - } - - /** - * Constructor for the ExecutionException object - * - * @param msg - * Description of the Parameter - */ - public ExecutionException(String msg) - { - super(msg); - } + String path(); } + + diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/Employee.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/Employee.java deleted file mode 100644 index 0581d3955..000000000 --- a/webgoat-container/src/main/java/org/owasp/webgoat/session/Employee.java +++ /dev/null 
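Review bot: LessonServletMapping declares `@Retention(RetentionPolicy.RUNTIME)` but no `@Target`, so it can be placed on methods, fields or parameters where the classpath scan in WebGoatServletListener will never find it; adding `@Target(ElementType.TYPE)` turns that misuse into a compile error. The `path()` element has no Javadoc, and since its value goes straight into `ServletRegistration.Dynamic.addMapping`, a comment such as `/** URL pattern, in servlet-mapping syntax, under which the annotated servlet is registered. */` would tell lesson authors what is accepted. `@created` in the file header is not a standard Javadoc tag; `@since` is the conventional one.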
@@ -1,405 +0,0 @@ - -package org.owasp.webgoat.session; - -import java.io.Serializable; - - -/** - ************************************************************************************************* - * - * - * This file is part of WebGoat, an Open Web Application Security Project utility. For details, - * please see http://www.owasp.org/ - * - * Copyright (c) 2002 - 20014 Bruce Mayhew - * - * This program is free software; you can redistribute it and/or modify it under the terms of the - * GNU General Public License as published by the Free Software Foundation; either version 2 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without - * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * General Public License for more details. - * - * You should have received a copy of the GNU General Public License along with this program; if - * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA - * 02111-1307, USA. - * - * Getting Source ============== - * - * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software - * projects. 
- * - * For details, please see http://webgoat.github.io - * - * @version $Id: $Id - */ -public class Employee implements Serializable -{ - - /** - * - */ - private static final long serialVersionUID = -1901957360367218399L; - - /** Constant EMPLOYEE_ROLE="employee" */ - public final static String EMPLOYEE_ROLE = "employee"; - - /** Constant MANAGER_ROLE="manager" */ - public final static String MANAGER_ROLE = "manager"; - - /** Constant HR_ROLE="hr" */ - public final static String HR_ROLE = "hr"; - - private int id; - - private String firstName; - - private String lastName; - - private String title; - - private String ssn; - - private String phone; - - private String address1; - - private String address2; - - private int manager; - - private String startDate; - - private int salary; - - private String ccn; - - private int ccnLimit; - - private String disciplinaryActionDate; - - private String disciplinaryActionNotes; - - private String personalDescription; - - // FIXME: To be deleted - /** - *

Constructor for Employee.

- */ - public Employee() - { - } - - /** - *

Constructor for Employee.

- * - * @param id a int. - * @param firstName a {@link java.lang.String} object. - * @param lastName a {@link java.lang.String} object. - * @param ssn a {@link java.lang.String} object. - * @param title a {@link java.lang.String} object. - * @param phone a {@link java.lang.String} object. - * @param address1 a {@link java.lang.String} object. - * @param address2 a {@link java.lang.String} object. - * @param manager a int. - * @param startDate a {@link java.lang.String} object. - * @param salary a int. - * @param ccn a {@link java.lang.String} object. - * @param ccnLimit a int. - * @param disciplinaryActionDate a {@link java.lang.String} object. - * @param disciplinaryActionNotes a {@link java.lang.String} object. - * @param personalDescription a {@link java.lang.String} object. - */ - public Employee(int id, String firstName, String lastName, String ssn, String title, String phone, String address1, - String address2, int manager, String startDate, int salary, String ccn, int ccnLimit, - String disciplinaryActionDate, String disciplinaryActionNotes, String personalDescription) - { - this.id = id; - this.firstName = firstName; - this.lastName = lastName; - this.ssn = ssn; - this.title = title; - this.phone = phone; - this.address1 = address1; - this.address2 = address2; - this.manager = manager; - this.startDate = startDate; - this.salary = salary; - this.ccn = ccn; - this.ccnLimit = ccnLimit; - this.disciplinaryActionDate = disciplinaryActionDate; - this.disciplinaryActionNotes = disciplinaryActionNotes; - this.personalDescription = personalDescription; - } - - /** - *

Getter for the field address1.

- * - * @return a {@link java.lang.String} object. - */ - public String getAddress1() - { - return address1; - } - - /** - *

Setter for the field address1.

- * - * @param address1 a {@link java.lang.String} object. - */ - public void setAddress1(String address1) - { - this.address1 = address1; - } - - /** - *

Getter for the field address2.

- * - * @return a {@link java.lang.String} object. - */ - public String getAddress2() - { - return address2; - } - - /** - *

Setter for the field address2.

- * - * @param address2 a {@link java.lang.String} object. - */ - public void setAddress2(String address2) - { - this.address2 = address2; - } - - /** - *

Getter for the field ccn.

- * - * @return a {@link java.lang.String} object. - */ - public String getCcn() - { - return ccn; - } - - /** - *

Setter for the field ccn.

- * - * @param ccn a {@link java.lang.String} object. - */ - public void setCcn(String ccn) - { - this.ccn = ccn; - } - - /** - *

Getter for the field ccnLimit.

- * - * @return a int. - */ - public int getCcnLimit() - { - return ccnLimit; - } - - /** - *

Setter for the field ccnLimit.

- * - * @param ccnLimit a int. - */ - public void setCcnLimit(int ccnLimit) - { - this.ccnLimit = ccnLimit; - } - - /** - *

Getter for the field firstName.

- * - * @return a {@link java.lang.String} object. - */ - public String getFirstName() - { - return firstName; - } - - /** - *

Setter for the field firstName.

- * - * @param firstName a {@link java.lang.String} object. - */ - public void setFirstName(String firstName) - { - this.firstName = firstName; - } - - /** - *

Getter for the field lastName.

- * - * @return a {@link java.lang.String} object. - */ - public String getLastName() - { - return lastName; - } - - /** - *

Setter for the field lastName.

- * - * @param lastName a {@link java.lang.String} object. - */ - public void setLastName(String lastName) - { - this.lastName = lastName; - } - - /** - *

getPhoneNumber.

- * - * @return a {@link java.lang.String} object. - */ - public String getPhoneNumber() - { - return phone; - } - - /** - *

setPhoneNumber.

- * - * @param phone a {@link java.lang.String} object. - */ - public void setPhoneNumber(String phone) - { - this.phone = phone; - } - - /** - *

Getter for the field salary.

- * - * @return a int. - */ - public int getSalary() - { - return salary; - } - - /** - *

Setter for the field salary.

- * - * @param salary a int. - */ - public void setSalary(int salary) - { - this.salary = salary; - } - - /** - *

Getter for the field ssn.

- * - * @return a {@link java.lang.String} object. - */ - public String getSsn() - { - return ssn; - } - - /** - *

Setter for the field ssn.

- * - * @param ssn a {@link java.lang.String} object. - */ - public void setSsn(String ssn) - { - this.ssn = ssn; - } - - /** - *

Getter for the field startDate.

- * - * @return a {@link java.lang.String} object. - */ - public String getStartDate() - { - return startDate; - } - - /** - *

Setter for the field startDate.

- * - * @param startDate a {@link java.lang.String} object. - */ - public void setStartDate(String startDate) - { - this.startDate = startDate; - } - - /** - *

Getter for the field id.

- * - * @return a int. - */ - public int getId() - { - return id; - } - - /** - *

Setter for the field id.

- * - * @param id a int. - */ - public void setId(int id) - { - this.id = id; - } - - /** - *

Getter for the field title.

- * - * @return a {@link java.lang.String} object. - */ - public String getTitle() - { - return this.title; - } - - /** - *

Getter for the field manager.

- * - * @return a int. - */ - public int getManager() - { - return this.manager; - } - - /** - *

Getter for the field disciplinaryActionDate.

- * - * @return a {@link java.lang.String} object. - */ - public String getDisciplinaryActionDate() - { - return this.disciplinaryActionDate; - } - - /** - *

Getter for the field disciplinaryActionNotes.

- * - * @return a {@link java.lang.String} object. - */ - public String getDisciplinaryActionNotes() - { - return this.disciplinaryActionNotes; - } - - /** - *

Getter for the field personalDescription.

- * - * @return a {@link java.lang.String} object. - */ - public String getPersonalDescription() - { - return this.personalDescription; - } -} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/EmployeeStub.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/EmployeeStub.java deleted file mode 100644 index aa1dbae4a..000000000 --- a/webgoat-container/src/main/java/org/owasp/webgoat/session/EmployeeStub.java +++ /dev/null 
@@ -1,120 +0,0 @@ - -package org.owasp.webgoat.session; - -import java.io.Serializable; - - -/** - ************************************************************************************************* - * - * - * This file is part of WebGoat, an Open Web Application Security Project utility. For details, - * please see http://www.owasp.org/ - * - * Copyright (c) 2002 - 20014 Bruce Mayhew - * - * This program is free software; you can redistribute it and/or modify it under the terms of the - * GNU General Public License as published by the Free Software Foundation; either version 2 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without - * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * General Public License for more details. - * - * You should have received a copy of the GNU General Public License along with this program; if - * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA - * 02111-1307, USA. - * - * Getting Source ============== - * - * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software - * projects. - * - * For details, please see http://webgoat.github.io - * - * @version $Id: $Id - */ -public class EmployeeStub implements Serializable -{ - - /** - * - */ - private static final long serialVersionUID = -7109162877797765632L; - - private int id; - - private String firstName; - - private String lastName; - - private String role; - - /** - *

Constructor for EmployeeStub.

- * - * @param id a int. - * @param firstName a {@link java.lang.String} object. - * @param lastName a {@link java.lang.String} object. - */ - public EmployeeStub(int id, String firstName, String lastName) - { - this(id, firstName, lastName, Employee.EMPLOYEE_ROLE); - } - - /** - *

Constructor for EmployeeStub.

- * - * @param id a int. - * @param firstName a {@link java.lang.String} object. - * @param lastName a {@link java.lang.String} object. - * @param role a {@link java.lang.String} object. - */ - public EmployeeStub(int id, String firstName, String lastName, String role) - { - this.id = id; - this.firstName = firstName; - this.lastName = lastName; - this.role = role; - } - - /** - *

Getter for the field firstName.

- * - * @return a {@link java.lang.String} object. - */ - public String getFirstName() - { - return firstName; - } - - /** - *

Getter for the field id.

- * - * @return a int. - */ - public int getId() - { - return id; - } - - /** - *

Getter for the field lastName.

- * - * @return a {@link java.lang.String} object. - */ - public String getLastName() - { - return lastName; - } - - /** - *

Getter for the field role.

- * - * @return a {@link java.lang.String} object. - */ - public String getRole() - { - return role; - } -} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/util/Exec.java b/webgoat-container/src/main/java/org/owasp/webgoat/util/Exec.java deleted file mode 100644 index b0f902578..000000000 --- a/webgoat-container/src/main/java/org/owasp/webgoat/util/Exec.java +++ /dev/null 
@@ -1,529 +0,0 @@ - -package org.owasp.webgoat.util; - -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.io.InputStream; -import java.io.OutputStream; -import java.util.Arrays; -import java.util.BitSet; - - -/** - ************************************************************************************************* - * - * - * This file is part of WebGoat, an Open Web Application Security Project utility. For details, - * please see http://www.owasp.org/ - * - * Copyright (c) 2002 - 20014 Bruce Mayhew - * - * This program is free software; you can redistribute it and/or modify it under the terms of the - * GNU General Public License as published by the Free Software Foundation; either version 2 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without - * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * General Public License for more details. - * - * You should have received a copy of the GNU General Public License along with this program; if - * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA - * 02111-1307, USA. - * - * Getting Source ============== - * - * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software - * projects. 
- * - * For details, please see http://webgoat.github.io - * - * @author Jeff Williams Aspect Security - * @since October 28, 2003 - * @version $Id: $Id - */ -public class Exec -{ - - /** - * Description of the Method - * - * @param command - * Description of the Parameter - * @param input - * Description of the Parameter - * @return Description of the Return Value - */ - public static ExecResults execInput(String command, String input) - { - return (execOptions(command, input, 0, 0, false)); - } - - /** - * Description of the Method - * - * @param command - * Description of the Parameter - * @return Description of the Return Value - */ - public static ExecResults execLazy(String command) - { - return (execOptions(command, "", 0, 0, true)); - } - - /* - * Execute an OS command and capture the output in an ExecResults. All exceptions are caught and - * stored in the ExecResults. @param String command is the OS command to execute @param String - * input is piped into the OS command @param int successCode is the expected return code if the - * command completes successfully @param int timeout is the number of milliseconds to wait - * before interrupting the command @param boolean quit tells the method to exit when there is no - * more output waiting - */ - /** - * Description of the Method - * - * @param command - * Description of the Parameter - * @param input - * Description of the Parameter - * @param successCode - * Description of the Parameter - * @param timeout - * Description of the Parameter - * @param lazy - * Description of the Parameter - * @return Description of the Return Value - */ - public static ExecResults execOptions(String[] command, String input, int successCode, int timeout, boolean lazy) - { - Process child = null; - ByteArrayOutputStream output = new ByteArrayOutputStream(); - ByteArrayOutputStream errors = new ByteArrayOutputStream(); - ExecResults results = new ExecResults(Arrays.asList(command).toString(), input, successCode, timeout); - 
BitSet interrupted = new BitSet(1); - boolean lazyQuit = false; - ThreadWatcher watcher; - - try - { - // start the command - child = Runtime.getRuntime().exec(command); - - // get the streams in and out of the command - InputStream processIn = child.getInputStream(); - InputStream processError = child.getErrorStream(); - OutputStream processOut = child.getOutputStream(); - - // start the clock running - if (timeout > 0) - { - watcher = new ThreadWatcher(child, interrupted, timeout); - new Thread(watcher).start(); - } - - // Write to the child process' input stream - if ((input != null) && !input.equals("")) - { - try - { - processOut.write(input.getBytes()); - processOut.flush(); - processOut.close(); - } catch (IOException e1) - { - results.setThrowable(e1); - } - } - - // Read from the child process' output stream - // The process may get killed by the watcher at any time - int c = 0; - - try - { - while (true) - { - if (interrupted.get(0) || lazyQuit) - { - break; - } - - // interrupted - c = processIn.read(); - - if (c == -1) - { - break; - } - - // end of stream - output.write(c); - - if (lazy && (processIn.available() < 1)) - { - lazyQuit = true; - } - - // if lazy and nothing then quit (after at least one read) - } - - processIn.close(); - } catch (IOException e2) - { - results.setThrowable(e2); - } finally - { - if (interrupted.get(0)) - { - results.setInterrupted(); - } - - results.setOutput(output.toString()); - } - - // Read from the child process' error stream - // The process may get killed by the watcher at any time - try - { - while (true) - { - if (interrupted.get(0) || lazyQuit) - { - break; - } - - // interrupted - c = processError.read(); - - if (c == -1) - { - break; - } - - // end of stream - output.write(c); - - if (lazy && (processError.available() < 1)) - { - lazyQuit = true; - } - - // if lazy and nothing then quit (after at least one read) - } - - processError.close(); - } catch (IOException e3) - { - results.setThrowable(e3); - } finally 
- { - if (interrupted.get(0)) - { - results.setInterrupted(); - } - - results.setErrors(errors.toString()); - } - - // wait for the return value of the child process. - if (!interrupted.get(0) && !lazyQuit) - { - int returnCode = child.waitFor(); - results.setReturnCode(returnCode); - - if (returnCode != successCode) - { - results.setError(ExecResults.BADRETURNCODE); - } - } - } catch (InterruptedException i) - { - results.setInterrupted(); - } catch (Throwable t) - { - results.setThrowable(t); - } finally - { - if (child != null) - { - child.destroy(); - } - } - - return (results); - } - - /* - * Execute an OS command and capture the output in an ExecResults. All exceptions are caught and - * stored in the ExecResults. @param String command is the OS command to execute @param String - * input is piped into the OS command @param int successCode is the expected return code if the - * command completes successfully @param int timeout is the number of milliseconds to wait - * before interrupting the command @param boolean quit tells the method to exit when there is no - * more output waiting - */ - /** - * Description of the Method - * - * @param command - * Description of the Parameter - * @param input - * Description of the Parameter - * @param successCode - * Description of the Parameter - * @param timeout - * Description of the Parameter - * @param lazy - * Description of the Parameter - * @return Description of the Return Value - */ - public static ExecResults execOptions(String command, String input, int successCode, int timeout, boolean lazy) - { - Process child = null; - ByteArrayOutputStream output = new ByteArrayOutputStream(); - ByteArrayOutputStream errors = new ByteArrayOutputStream(); - ExecResults results = new ExecResults(command, input, successCode, timeout); - BitSet interrupted = new BitSet(1); - boolean lazyQuit = false; - ThreadWatcher watcher; - - try - { - // start the command - child = Runtime.getRuntime().exec(command); - - // get the streams 
in and out of the command - InputStream processIn = child.getInputStream(); - InputStream processError = child.getErrorStream(); - OutputStream processOut = child.getOutputStream(); - - // start the clock running - if (timeout > 0) - { - watcher = new ThreadWatcher(child, interrupted, timeout); - new Thread(watcher).start(); - } - - // Write to the child process' input stream - if ((input != null) && !input.equals("")) - { - try - { - processOut.write(input.getBytes()); - processOut.flush(); - processOut.close(); - } catch (IOException e1) - { - results.setThrowable(e1); - } - } - - // Read from the child process' output stream - // The process may get killed by the watcher at any time - int c = 0; - - try - { - while (true) - { - if (interrupted.get(0) || lazyQuit) - { - break; - } - - // interrupted - c = processIn.read(); - - if (c == -1) - { - break; - } - - // end of stream - output.write(c); - - if (lazy && (processIn.available() < 1)) - { - lazyQuit = true; - } - - // if lazy and nothing then quit (after at least one read) - } - - processIn.close(); - } catch (IOException e2) - { - results.setThrowable(e2); - } finally - { - if (interrupted.get(0)) - { - results.setInterrupted(); - } - - results.setOutput(output.toString()); - } - - // Read from the child process' error stream - // The process may get killed by the watcher at any time - try - { - while (true) - { - if (interrupted.get(0) || lazyQuit) - { - break; - } - - // interrupted - c = processError.read(); - - if (c == -1) - { - break; - } - - // end of stream - output.write(c); - - if (lazy && (processError.available() < 1)) - { - lazyQuit = true; - } - - // if lazy and nothing then quit (after at least one read) - } - - processError.close(); - } catch (IOException e3) - { - results.setThrowable(e3); - } finally - { - if (interrupted.get(0)) - { - results.setInterrupted(); - } - - results.setErrors(errors.toString()); - } - - // wait for the return value of the child process. 
- if (!interrupted.get(0) && !lazyQuit) - { - int returnCode = child.waitFor(); - results.setReturnCode(returnCode); - - if (returnCode != successCode) - { - results.setError(ExecResults.BADRETURNCODE); - } - } - } catch (InterruptedException i) - { - results.setInterrupted(); - } catch (Throwable t) - { - results.setThrowable(t); - } finally - { - if (child != null) - { - child.destroy(); - } - } - - return (results); - } - - /** - * Description of the Method - * - * @param command - * Description of the Parameter - * @return Description of the Return Value - */ - public static ExecResults execSimple(String[] command) - { - return (execOptions(command, "", 0, 0, false)); - } - - /** - * Description of the Method - * - * @param command - * Description of the Parameter - * @return Description of the Return Value - */ - public static ExecResults execSimple(String command) - { - return (execOptions(command, "", 0, 0, false)); - } - - /** - * Description of the Method - * - * @param command - * Description of the Parameter - * @param args - * Description of the Parameter - * @return Description of the Return Value - */ - public static ExecResults execSimple(String command, String args) - { - return (execOptions(command, args, 0, 0, false)); - } - - /** - * Description of the Method - * - * @param command - * Description of the Parameter - * @param timeout - * Description of the Parameter - * @return Description of the Return Value - */ - public static ExecResults execTimeout(String command, int timeout) - { - return (execOptions(command, "", 0, timeout, false)); - } - - /** - * The main program for the Exec class - * - * @param args - * The command line arguments - */ - public static void main(String[] args) - { - ExecResults results; - String sep = System.getProperty("line.separator"); - System.out.println("-------------------------------------------" + sep + "TEST 1: execSimple"); - results = Exec.execSimple("c:/swarm-2.1.1/bin/whoami.exe"); - 
System.out.println(results); - System.out.println("-------------------------------------------" + sep + "TEST 2: execSimple (with search)"); - results = Exec.execSimple("netstat -r"); - System.out.println(results); - - if (results.outputContains("localhost:1031")) - { - System.out.println("ERROR: listening on 1031"); - } - - System.out.println("-------------------------------------------" + sep + "TEST 3: execInput"); - results = Exec.execInput("find \"cde\"", "abcdefg1\nhijklmnop\nqrstuv\nabcdefg2"); - System.out.println(results); - System.out.println("-------------------------------------------" + sep + "TEST 4:execTimeout"); - results = Exec.execTimeout("ping -t 127.0.0.1", 5 * 1000); - System.out.println(results); - System.out.println("-------------------------------------------" + sep + "TEST 5:execLazy"); - results = Exec.execLazy("ping -t 127.0.0.1"); - System.out.println(results); - System.out.println("-------------------------------------------" + sep - + "TEST 6:ExecTimeout process never outputs"); - results = Exec.execTimeout("c:/swarm-2.1.1/bin/sleep.exe 20", 5 * 1000); - System.out.println(results); - System.out.println("-------------------------------------------" + sep - + "TEST 7:ExecTimeout process waits for input"); - results = Exec.execTimeout("c:/swarm-2.1.1/bin/cat", 5 * 1000); - System.out.println(results); - } -} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/util/ExecResults.java b/webgoat-container/src/main/java/org/owasp/webgoat/util/ExecResults.java deleted file mode 100644 index 815ad5654..000000000 --- a/webgoat-container/src/main/java/org/owasp/webgoat/util/ExecResults.java +++ /dev/null 
@@ -1,355 +0,0 @@ - -package org.owasp.webgoat.util; - -/** - ************************************************************************************************* - * - * - * This file is part of WebGoat, an Open Web Application Security Project utility. For details, - * please see http://www.owasp.org/ - * - * Copyright (c) 2002 - 20014 Bruce Mayhew - * - * This program is free software; you can redistribute it and/or modify it under the terms of the - * GNU General Public License as published by the Free Software Foundation; either version 2 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without - * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * General Public License for more details. - * - * You should have received a copy of the GNU General Public License along with this program; if - * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA - * 02111-1307, USA. - * - * Getting Source ============== - * - * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software - * projects. 
- * - * For details, please see http://webgoat.github.io - * - * @author Jeff Williams Aspect Security - * @version $Id: $Id - */ -public class ExecResults -{ - - /** - * Description of the Field - */ - public final static int BADRETURNCODE = 2; - - /** - * Description of the Field - */ - public final static int THROWABLE = 1; - - private String myCommand; - - private boolean myError = false; - - private int myErrorType = 0; - - private String myErrors = null; - - private String myInput; - - private boolean myInterrupted = false; - - private String myOutput = null; - - private int myReturnCode = 0; - - private int mySuccessCode; - - private Throwable myThrowable = null; - - private int myTimeout; - - /** - * Constructor for the ExecResults object - * - * @param command - * Description of the Parameter - * @param input - * Description of the Parameter - * @param successCode - * Description of the Parameter - * @param timeout - * Description of the Parameter - */ - public ExecResults(String command, String input, int successCode, int timeout) - { - myCommand = command.trim(); - myInput = input.trim(); - mySuccessCode = successCode; - myTimeout = timeout; - } - - /** - * Description of the Method - * - * @param haystack - * Description of the Parameter - * @param needle - * Description of the Parameter - * @param fromIndex - * Description of the Parameter - * @return Description of the Return Value - */ - private boolean contains(String haystack, String needle, int fromIndex) - { - return (haystack.trim().toLowerCase().indexOf(needle.trim().toLowerCase(), fromIndex) != -1); - } - - /** - * Description of the Method - * - * @param value - * Description of the Parameter - * @return Description of the Return Value - */ - public boolean errorsContains(String value) - { - return (errorsContains(value, 0)); - } - - /** - * Description of the Method - * - * @param value - * Description of the Parameter - * @param fromIndex - * Description of the Parameter - * @return 
Description of the Return Value - */ - public boolean errorsContains(String value, int fromIndex) - { - return (contains(myErrors, value, fromIndex)); - } - - /** - * Gets the error attribute of the ExecResults object - * - * @return The error value - */ - public boolean getError() - { - return (myError); - } - - /** - * Gets the errorMessage attribute of the ExecResults object - * - * @return The errorMessage value - */ - public String getErrorMessage() - { - switch (getErrorType()) - { - case THROWABLE: - return ("Exception: " + myThrowable.getMessage()); - - case BADRETURNCODE: - return ("Bad return code (expected " + mySuccessCode + ")"); - - default: - return ("Unknown error"); - } - } - - /** - * Gets the errorType attribute of the ExecResults object - * - * @return The errorType value - */ - public int getErrorType() - { - return (myErrorType); - } - - /** - * Gets the errors attribute of the ExecResults object - * - * @return The errors value - */ - public String getErrors() - { - return (myErrors); - } - - /** - * Gets the interrupted attribute of the ExecResults object - * - * @return The interrupted value - */ - public boolean getInterrupted() - { - return (myInterrupted); - } - - /** - * Gets the output attribute of the ExecResults object - * - * @return The output value - */ - public String getOutput() - { - return (myOutput); - } - - /** - * Gets the returnCode attribute of the ExecResults object - * - * @return The returnCode value - */ - public int getReturnCode() - { - return (myReturnCode); - } - - /** - * Gets the throwable attribute of the ExecResults object - * - * @return The throwable value - */ - public Throwable getThrowable() - { - return (myThrowable); - } - - /** - * Description of the Method - * - * @param value - * Description of the Parameter - * @return Description of the Return Value - */ - public boolean outputContains(String value) - { - return (outputContains(value, 0)); - } - - /** - * Description of the Method - * - * @param 
value - * Description of the Parameter - * @param fromIndex - * Description of the Parameter - * @return Description of the Return Value - */ - public boolean outputContains(String value, int fromIndex) - { - return (contains(myOutput, value, fromIndex)); - } - - /** - * Sets the error attribute of the ExecResults object - * - * @param value - * The new error value - */ - public void setError(int value) - { - myError = true; - myErrorType = value; - } - - /** - * Sets the errors attribute of the ExecResults object - * - * @param errors - * The new errors value - */ - public void setErrors(String errors) - { - myErrors = errors.trim(); - } - - /** - * Sets the interrupted attribute of the ExecResults object - */ - public void setInterrupted() - { - myInterrupted = true; - } - - /** - * Sets the output attribute of the ExecResults object - * - * @param value - * The new output value - */ - public void setOutput(String value) - { - myOutput = value.trim(); - } - - /** - * Sets the returnCode attribute of the ExecResults object - * - * @param value - * The new returnCode value - */ - public void setReturnCode(int value) - { - myReturnCode = value; - } - - /** - * Sets the throwable attribute of the ExecResults object - * - * @param value - * The new throwable value - */ - public void setThrowable(Throwable value) - { - setError(THROWABLE); - myThrowable = value; - } - - /** - * Description of the Method - * - * @return Description of the Return Value - */ - public String toString() - { - String sep = System.getProperty("line.separator"); - StringBuffer value = new StringBuffer(); - value.append("ExecResults for \'" + myCommand + "\'" + sep); - - if ((myInput != null) && !myInput.equals("")) - { - value.append(sep + "Input..." + sep + myInput + sep); - } - - if ((myOutput != null) && !myOutput.equals("")) - { - value.append(sep + "Output..." + sep + myOutput + sep); - } - - if ((myErrors != null) && !myErrors.equals("")) - { - value.append(sep + "Errors..." 
+ sep + myErrors + sep); - } - - value.append(sep); - - if (myInterrupted) - { - value.append("Command timed out after " + (myTimeout / 1000) + " seconds " + sep); - } - - value.append("Returncode: " + myReturnCode + sep); - - if (myError) - { - value.append(getErrorMessage() + sep); - } - - return (value.toString()); - } -} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/util/Interceptor.java b/webgoat-container/src/main/java/org/owasp/webgoat/util/Interceptor.java deleted file mode 100644 index bb9af6e6c..000000000 --- a/webgoat-container/src/main/java/org/owasp/webgoat/util/Interceptor.java +++ /dev/null 
@@ -1,149 +0,0 @@ -/** - * - */ - -package org.owasp.webgoat.util; - -import java.io.IOException; -import java.io.BufferedReader; -import java.io.PrintWriter; -import java.io.InputStreamReader; -import java.net.UnknownHostException; -import java.net.Socket; -import javax.servlet.Filter; -import javax.servlet.FilterChain; -import javax.servlet.FilterConfig; -import javax.servlet.ServletException; -import javax.servlet.ServletRequest; -import javax.servlet.ServletResponse; -import javax.servlet.RequestDispatcher; -import javax.servlet.http.HttpServletRequest; - - -/** - ************************************************************************************************* - * - * - * This file is part of WebGoat, an Open Web Application Security Project utility. For details, - * please see http://www.owasp.org/ - * - * Copyright (c) 2002 - 20014 Bruce Mayhew - * - * This program is free software; you can redistribute it and/or modify it under the terms of the - * GNU General Public License as published by the Free Software Foundation; either version 2 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without - * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * General Public License for more details. - * - * You should have received a copy of the GNU General Public License along with this program; if - * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA - * 02111-1307, USA. - * - * Getting Source ============== - * - * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software - * projects. 
- * - * For details, please see http://webgoat.github.io - * - * @author sherif koussa - Macadamian Technologies - * @version $Id: $Id - */ -public class Interceptor implements Filter -{ - - private static final String OSG_SERVER_NAME = "OSGServerName"; - - private static final String OSG_SERVER_PORT = "OSGServerPort"; - - /* - * (non-Javadoc) - * @see javax.servlet.Filter#destroy() - */ - /** - *

destroy.

- */ - public void destroy() - { - // TODO Auto-generated method stub - - } - - /** {@inheritDoc} */ - public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, - ServletException - { - - HttpServletRequest req = (HttpServletRequest) request; - - Socket osgSocket = null; - PrintWriter out = null; - BufferedReader in = null; - String osgServerName = req.getSession().getServletContext().getInitParameter(OSG_SERVER_NAME); - String osgServerPort = req.getSession().getServletContext().getInitParameter(OSG_SERVER_PORT); - - try - { - // If these parameters are not defined then no communication will happen with OSG - if (osgServerName != null && osgServerName.length() != 0 && osgServerPort != null - && osgServerPort.length() != 0) - { - osgSocket = new Socket(osgServerName, Integer.parseInt(osgServerPort)); - if (osgSocket != null) - { - out = new PrintWriter(osgSocket.getOutputStream(), true); - in = new BufferedReader(new InputStreamReader(osgSocket.getInputStream())); - // String message = - // "HTTPRECEIVEHTTPREQUEST,-,DataValidation_SqlInjection_Basic.aspx"; - // out.println(message); - - // System.out.println(in.readLine()); - } - } - - } catch (UnknownHostException e) - { - e.printStackTrace(); - - } catch (IOException e) - { - e.printStackTrace(); - } finally - { - if (out != null) - { - out.close(); - } - if (in != null) - { - in.close(); - } - if (osgSocket != null) - { - osgSocket.close(); - } - } - - String url = req.getRequestURL().toString(); - - RequestDispatcher disp = req.getRequestDispatcher(url.substring(url.lastIndexOf(req.getContextPath() + "/") - + req.getContextPath().length())); - - disp.forward(request, response); - - } - - /* - * (non-Javadoc) - * @see javax.servlet.Filter#init(javax.servlet.FilterConfig) - */ - /** {@inheritDoc} */ - public void init(FilterConfig arg0) throws ServletException - { - // TODO Auto-generated method stub - - } - -} 
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/util/ThreadWatcher.java b/webgoat-container/src/main/java/org/owasp/webgoat/util/ThreadWatcher.java
deleted file mode 100644
index 4b411ca1f..000000000
--- a/webgoat-container/src/main/java/org/owasp/webgoat/util/ThreadWatcher.java
+++ /dev/null
@@ -1,105 +0,0 @@ - -package org.owasp.webgoat.util; - -import java.util.BitSet; - - -/** - ************************************************************************************************* - * - * - * This file is part of WebGoat, an Open Web Application Security Project utility. For details, - * please see http://www.owasp.org/ - * - * Copyright (c) 2002 - 20014 Bruce Mayhew - * - * This program is free software; you can redistribute it and/or modify it under the terms of the - * GNU General Public License as published by the Free Software Foundation; either version 2 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without - * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * General Public License for more details. - * - * You should have received a copy of the GNU General Public License along with this program; if - * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA - * 02111-1307, USA. - * - * Getting Source ============== - * - * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software - * projects. 
- * - * For details, please see http://webgoat.github.io - * - * @author jwilliams@aspectsecurity.com - * @since November 6, 2002 - * @version $Id: $Id - */ -public class ThreadWatcher implements Runnable -{ - - // time to live in milliseconds - private BitSet myInterrupted; - - private Process myProcess; - - private int myTimeout; - - /** - * Constructor for the ThreadWatcher object - * - * @param p - * Description of the Parameter - * @param interrupted - * Description of the Parameter - * @param timeout - * Description of the Parameter - */ - public ThreadWatcher(Process p, BitSet interrupted, int timeout) - { - myProcess = p; - - // thread used by whoever constructed this watcher - myTimeout = timeout; - myInterrupted = interrupted; - } - - /* - * Interrupt the thread by marking the interrupted bit and killing the process - */ - - /** - * Description of the Method - */ - public void interrupt() - { - myInterrupted.set(0); - - // set interrupted bit (bit 0 of the bitset) to 1 - myProcess.destroy(); - - /* - * try { myProcess.getInputStream().close(); } catch( IOException e1 ) { / do nothing -- - * input streams are probably already closed } try { myProcess.getErrorStream().close(); } - * catch( IOException e2 ) { / do nothing -- input streams are probably already closed } - * myThread.interrupt(); - */ - } - - /** - * Main processing method for the ThreadWatcher object - */ - public void run() - { - try - { - Thread.sleep(myTimeout); - } catch (InterruptedException e) - { - // do nothing -- if watcher is interrupted, so is thread - } - - interrupt(); - } -} diff --git a/webgoat-container/src/main/webapp/WEB-INF/pages/welcome.jsp b/webgoat-container/src/main/webapp/WEB-INF/pages/welcome.jsp deleted file mode 100644 index 9afe2118a..000000000 --- a/webgoat-container/src/main/webapp/WEB-INF/pages/welcome.jsp +++ /dev/null 
@@ -1,138 +0,0 @@ -<%@ page contentType="text/html; charset=ISO-8859-1" language="java" - errorPage=""%> -<%@page import="org.owasp.webgoat.session.WebSession"%> -<% - //WebSession webSession = ((WebSession) session.getAttribute("websession")); -%> - - - - - - WebGoat V5.4 - - - - - -
-
-
-

Thank you for using WebGoat! This program is a demonstration of common web application flaws. - The exercises are intended to provide hands on experience with - application penetration testing techniques.

-

The WebGoat project is led - by Bruce Mayhew. Please send all comments to Bruce at [TODO, session was blowing up here for some reason].

- -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
OWASP Foundation
-
-
Aspect Security
-
-
- WebGoat Authors
-
-
- Bruce Mayhew
-
-
- Jeff Williams
-
-

- WebGoat Design Team
-
-

- V5.4 Lesson Contributers
-
-
David Anderson
-
Laurence Casey (Graphics)
-
Rogan Dawes
-
Bruce Mayhew
-
-
Sherif Koussa
-
Yiannis Pavlosoglou
-
- -
-
Special Thanks - for V5.4
-
-
Documentation - Contributers
-
-
Brian Ciomei (Multitude of bug fixes)
-
To all who have sent comments
- -
- - - -
-
-
-
-
-
 
-
-
-
-
 
-
 
-
 
-
WARNING
- While running this program, your machine is extremely vulnerable to - attack if you are not running on localhost. If you are NOT running on localhost (default configuration), You should disconnect from the network while using this program. -
-
- This program is for educational purposes only. Use of these techniques - without permission could lead to job termination, financial liability, - and/or criminal penalties.
-
- - diff --git a/webgoat-container/src/main/webapp/WEB-INF/web.xml b/webgoat-container/src/main/webapp/WEB-INF/web.xml index f45d4a5ab..6431ce4f7 100644 --- a/webgoat-container/src/main/webapp/WEB-INF/web.xml +++ b/webgoat-container/src/main/webapp/WEB-INF/web.xml @@ -185,10 +185,6 @@ Catcher org.owasp.webgoat.Catcher - - conf - /lessons/ConfManagement/config.jsp - mvc-dispatcher @@ -272,10 +268,6 @@ Catcher /catcher - - conf - /conf - \ No newline at end of file