This patch contains the HTTP connector that intercepts the requests to the application and tries to communicate with OSG.

It also contains the DOM Injection lesson

git-svn-id: http://webgoat.googlecode.com/svn/trunk@35 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
sherif.fathy
2006-12-16 22:39:14 +00:00
parent 80a2add2d7
commit 296254e279
7 changed files with 664 additions and 331 deletions


@ -1,5 +1,7 @@
set JAVAHOME=.\java set JAVAHOME= C:\Program Files\Java\jdk1.5.0_08
set PATH=%JAVAHOME%\bin;%PATH% set PATH=%JAVAHOME%\bin;%PATH%
set ECLIPSE_HOME=.\eclipse set ECLIPSE_HOME= C:\webgoat\tools\eclipse
SET JAVA_OPTS=%JAVA_OPTS% -Xms128m -Xmx768m
%ECLIPSE_HOME%\eclipse.exe -data .\workspace
%ECLIPSE_HOME%\eclipse.exe -data .\workspace


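--- a/PLACEHOLDER_PATH/AbstractLesson.java
+++ b/PLACEHOLDER_PATH/AbstractLesson.java
@@ -104,6 +104,8 @@ public abstract class AbstractLesson extends Screen implements Comparable
 */
 public final static Category WEB_SERVICES = new Category( "Web Services", new Integer( 1110 ) );
+public final static Category AJAX_SECURITY = new Category( "AJAX Security", new Integer( 1150 ) );
 public final static Category NEW_LESSON = new Category ( "New Lessons" , new Integer ( 1210 ) );
 public final static Category ADMIN_FUNCTIONS = new Category( "Admin Functions", new Integer( 10 ) );
@@ -162,6 +164,7 @@ public abstract class AbstractLesson extends Screen implements Comparable
 categories.add(A9);
 categories.add(A10);
 categories.add(WEB_SERVICES);
+categories.add(AJAX_SECURITY);
 categories.add(NEW_LESSON);
 categories.add(ADMIN_FUNCTIONS);
 categories.add(GENERAL);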


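--- /dev/null
+++ b/org/owasp/webgoat/lessons/DOMInjection.java
@@ -0,0 +1,163 @@
+package org.owasp.webgoat.lessons;
+import java.io.PrintWriter;
+import java.util.ArrayList;
+import java.util.List;
+import org.apache.ecs.Element;
+import org.apache.ecs.ElementContainer;
+import org.apache.ecs.StringElement;
+import org.apache.ecs.html.BR;
+import org.apache.ecs.html.Form;
+import org.apache.ecs.html.H1;
+import org.apache.ecs.html.Input;
+import org.apache.ecs.html.TD;
+import org.apache.ecs.html.TR;
+import org.apache.ecs.html.Table;
+import org.apache.ecs.html.Button;
+import org.owasp.webgoat.session.ECSFactory;
+import org.owasp.webgoat.session.WebSession;
+public class DOMInjection extends LessonAdapter {
+private final static Integer DEFAULT_RANKING = new Integer(10);
+private final static String KEY = "key";
+/*public void handleRequest( WebSession s )
+{
+//Setting a special action to be able to submit to redirect.jsp
+Form form = new Form( "/WebGoat/lessons/AJAXSecurity/DOMInjection.jsp?" +
+"Screen=" + String.valueOf(getScreenId()) +
+"&menu=" + getDefaultCategory().getRanking().toString()
+, Form.POST ).setName( "form" ).setEncType( "" );
+form.addElement( createContent( s ) );
+setContent(form);
+}*/
+protected Element createContent(WebSession s) {
+String key = "K1JFWP8BSO8HI52LNPQS8F5L01N";
+ElementContainer ec = new ElementContainer();
+try
+{
+String userKey = s.getParser().getRawParameter(KEY, "");
+String fromAJAX = s.getParser().getRawParameter("from" , "");
+if (fromAJAX.equalsIgnoreCase("ajax") && userKey.length()!= 0 && userKey.equals(key))
+{
+s.getResponse().setContentType("text/html");
+s.getResponse().setHeader("Cache-Control", "no-cache");
+PrintWriter out = new PrintWriter(s.getResponse().getOutputStream());
+out.print("document.forms[0].SUBMIT.disabled = false;");
+out.flush();
+out.close();
+return ec;
+}
+if (s.getRequest().getMethod().equalsIgnoreCase("POST"))
+{
+makeSuccess(s);
+}
+}
+catch(Exception e)
+{
+s.setMessage( "Error generating " + this.getClass().getName() );
+e.printStackTrace();
+}
+String lineSep = System.getProperty("line.separator");
+String script = "<script>" + lineSep +
+"function validate() {" + lineSep +
+"alert('we are here');" + lineSep +
+"var keyField = document.getElementById('key');" + lineSep +
+"var url = '/WebGoat/attack?Screen=" + String.valueOf(getScreenId()) +
+"&menu=" + getDefaultCategory().getRanking().toString() +
+"&from=ajax&key=' + encodeURIComponent(keyField.value);" + lineSep +
+"if (typeof XMLHttpRequest != 'undefined') {" + lineSep +
+"req = new XMLHttpRequest();" + lineSep +
+"} else if (window.ActiveXObject) {" + lineSep +
+"req = new ActiveXObject('Microsoft.XMLHTTP');" + lineSep +
+" }" + lineSep +
+" req.open('GET', url, true);" + lineSep +
+" req.onreadystatechange = callback;" + lineSep +
+" req.send(null);" + lineSep +
+"}" + lineSep +
+"function callback() {" + lineSep +
+" if (req.readyState == 4) { " + lineSep +
+" if (req.status == 200) { " + lineSep +
+" var message = req.responseText;" + lineSep +
+" eval(message);" + lineSep +
+" }}}" + lineSep +
+"</script>" + lineSep;
+ec.addElement( new StringElement(script));
+ec.addElement( new BR().addElement (new H1().addElement( "Welcome to WebGoat Registration Page:")));
+ec.addElement( new BR().addElement ("Please enter the license key that was emailed to you to start using the application."));
+ec.addElement( new BR());
+ec.addElement( new BR());
+Table t1 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0).setWidth("70%").setAlign("center");
+TR tr = new TR();
+tr.addElement( new TD( new StringElement( "License Key: " ) ));
+Input input1 = new Input( Input.TEXT, KEY , "" );
+input1.addAttribute("onkeyup", "validate();");
+tr.addElement( new TD( input1 ) );
+t1.addElement( tr );
+tr = new TR();
+tr.addElement( new TD( "&nbsp;" ).setColSpan(2));
+t1.addElement( tr );
+tr = new TR();
+Input b = new Input();
+b.setType( Input.SUBMIT );
+b.setValue( "Activate!" );
+b.setName("SUBMIT");
+b.setDisabled(true);
+tr.addElement(new TD( "&nbsp;" ));
+tr.addElement( new TD( b ) );
+t1.addElement(tr);
+ec.addElement( t1 );
+return ec ;
+}
+@Override
+public Element getCredits() {
+return new StringElement("This screen created by: Sherif Koussa");
+}
+@Override
+protected Category getDefaultCategory() {
+return AJAX_SECURITY;
+}
+@Override
+protected Integer getDefaultRanking() {
+return DEFAULT_RANKING;
+}
+@Override
+protected List getHints() {
+List<String> hints = new ArrayList<String>();
+hints.add( "This page is using XMLHTTP to comunicate with the server." );
+hints.add( "Try to find a way to inject the DOM to enable the Activate button." );
+hints.add( "Intercept the reply and add document.forms[0].SUBMIT.disabled = false;" );
+return hints;
+}
+@Override
+public String getTitle() {
+// TODO Auto-generated method stub
+return "DOM Injection";
+}
+}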
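Review bot: The validate() script that createContent builds still ships a debug `alert('we are here');` as its first statement, so every keyup in the key field pops a dialog; remove that line. In the AJAX branch the writer is opened over `getOutputStream()` with no charset and closed before `return ec`, and presumably the surrounding lesson framework then tries to render the returned container — confirm the response is not written twice, and prefer `s.getResponse().getWriter()` so the container owns the stream. The `catch(Exception e)` reports only the class name and then relies on `printStackTrace()`; include the exception in the message, e.g. `s.setMessage( "Error generating " + this.getClass().getName() + ": " + e );`, so a failing parameter lookup is diagnosable. `getHints()` declares a raw `List` while building a `List<String>`; declare `protected List<String> getHints()` if the LessonAdapter signature allows it, and fix "comunicate" in the first hint.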


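--- a/PLACEHOLDER_PATH/HttpSplitting.java
+++ b/PLACEHOLDER_PATH/HttpSplitting.java
@@ -77,6 +77,7 @@ public class HttpSplitting extends LessonAdapter {
 if (Arrays.binarySearch(arrTokens, "CONTENT-LENGTH: 0") >= 0 &&
 Arrays.binarySearch(arrTokens, "HTTP/1.1 200 OK") >= 0 )
 {
+ec.addElement("HTTP/1.1 200 OK" + System.getProperty("line.separator") + "test");
 makeSuccess( s );
 }
 }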
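Review bot: The added `ec.addElement("HTTP/1.1 200 OK" + System.getProperty("line.separator") + "test");` reads like a leftover debug probe — the literal `"test"` plays no role in the lesson and the string is appended to the page right before `makeSuccess( s )`. If the intent is to echo the split response back to the learner, give the text a meaningful value and add it as a `new StringElement(...)` the way the rest of the lesson does; otherwise drop the line. Whether `addElement(String)` escapes the text cannot be told from here — verify before keeping it. The enclosing method starts and ends outside the hunk.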


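--- /dev/null
+++ b/org/owasp/webgoat/util/Interceptor.java
@@ -0,0 +1,112 @@
+/**
+*
+*/
+package org.owasp.webgoat.util;
+import java.io.IOException;
+import java.io.BufferedReader;
+import java.io.PrintWriter;
+import java.io.InputStreamReader;
+import java.net.UnknownHostException;
+import java.net.Socket;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.RequestDispatcher;
+import javax.servlet.http.HttpServletRequest;
+/**
+* @author sherif koussa - Macadamian Technologies
+*
+*/
+public class Interceptor implements Filter {
+private static final String OSG_SERVER_NAME = "OSGServerName";
+private static final String OSG_SERVER_PORT = "OSGServerPort";
+/* (non-Javadoc)
+* @see javax.servlet.Filter#destroy()
+*/
+public void destroy() {
+// TODO Auto-generated method stub
+}
+public void doFilter(ServletRequest request, ServletResponse response,
+FilterChain chain) throws IOException, ServletException {
+HttpServletRequest req = (HttpServletRequest)request;
+Socket osgSocket = null;
+PrintWriter out = null;
+BufferedReader in = null;
+String osgServerName = req.getSession().getServletContext().getInitParameter(OSG_SERVER_NAME);
+String osgServerPort = req.getSession().getServletContext().getInitParameter(OSG_SERVER_PORT);
+try {
+//If these parameters are not defined then no communication will happen with OSG
+if (osgServerName != null && osgServerName.length() != 0 &&
+osgServerPort != null && osgServerPort.length() != 0 )
+{
+osgSocket = new Socket(osgServerName, Integer.parseInt(osgServerPort));
+if ( osgSocket != null )
+{
+out = new PrintWriter(osgSocket.getOutputStream(), true);
+in = new BufferedReader(new InputStreamReader(
+osgSocket.getInputStream()));
+//String message = "HTTPRECEIVEHTTPREQUEST,-,DataValidation_SqlInjection_Basic.aspx";
+//out.println(message);
+//System.out.println(in.readLine());
+}
+}
+}
+catch (UnknownHostException e)
+{
+e.printStackTrace();
+}
+catch (IOException e)
+{
+e.printStackTrace();
+}
+finally
+{
+if (out != null)
+{
+out.close();
+}
+if (in != null)
+{
+in.close();
+}
+if (osgSocket != null)
+{
+osgSocket.close();
+}
+}
+String url = req.getRequestURL().toString();
+RequestDispatcher disp = req.getRequestDispatcher(url.substring(url.lastIndexOf("WebGoat/") + "WebGoat".length()));
+disp.forward(request, response);
+}
+/* (non-Javadoc)
+* @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
+*/
+public void init(FilterConfig arg0) throws ServletException {
+// TODO Auto-generated method stub
+}
+}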
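Review bot: doFilter opens a blocking `new Socket(host, port)` with no connect or read timeout on the request thread, and since the filter is mapped to `/*` an unreachable OSG host stalls every request until the OS-level connect gives up; open the socket unconnected and use `connect(addr, timeoutMs)` plus `setSoTimeout`. `Integer.parseInt(osgServerPort)` is not covered by either catch, so a malformed OSGServerPort init-param becomes a 500 on every request, and the `if ( osgSocket != null )` test after the constructor is always true. Separately, `chain` is never invoked: the request is re-dispatched through `req.getRequestDispatcher(url.substring(url.lastIndexOf("WebGoat/") + "WebGoat".length()))`, which yields a wrong path when the URL does not contain `WebGoat/` (lastIndexOf returns -1); if the intent is only to pass the request on, `chain.doFilter(request, response);` is the idiomatic form. `req.getSession()` also creates a session purely to reach the ServletContext — keep the `FilterConfig` from `init()` and read the parameters via `filterConfig.getServletContext()`. The timeout values in the sketch below are constructed examples.
```java
// … unchanged: init-parameter lookup and null/empty checks …
int port = Integer.parseInt(osgServerPort);
osgSocket = new Socket();
osgSocket.connect(new java.net.InetSocketAddress(osgServerName, port), 3000);
osgSocket.setSoTimeout(3000);
out = new PrintWriter(osgSocket.getOutputStream(), true);
in = new BufferedReader(new InputStreamReader(osgSocket.getInputStream()));
// … unchanged: commented-out OSG message exchange …
}
catch (NumberFormatException e)
{
// OSGServerPort init-param is not a number: treat as a configuration error, not a request failure
e.printStackTrace();
}
// … unchanged: UnknownHostException / IOException catches and finally …
```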


@ -1,336 +1,366 @@
<?xml version="1.0" encoding="ISO-8859-1"?> <?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app <!DOCTYPE web-app
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd"> "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<!-- General description of your web application -->
<display-name>WebGoat</display-name>
<description>
This web application is designed to demonstrate web
application security flaws for the purpose of educating
developers and security professionals about web
application security problems. The initial version was
written by Aspect Security (info@aspectsecurity.com),
and was donated to the OWASP.
</description>
<!-- Context initialization parameters that define shared
String constants used within your application, which
can be customized by the system administrator who is
installing your application. The values actually
assigned to these parameters can be retrieved in a
servlet or JSP page by calling:
String value =
getServletContext().getInitParameter("name");
where "name" matches the <param-name> element of
one of these initialization parameters.
You can define any number of context initialization
parameters, including zero.
-->
<context-param>
<param-name>email</param-name>
<param-value>info@aspectsecurity.com</param-value>
<description>
The EMAIL address of the administrator to whom questions
and comments about this application should be addressed.
</description>
</context-param>
<web-app> <!-- Enable the following two elements if you want to integrate with
OWASP Site Generator, the OSGServerName represents the server on which the
<!-- General description of your web application --> OSG desktop application resides and the OSGServerPort represents the port it is
<display-name>WebGoat</display-name> listening to-->
<description> <!--
This web application is designed to demonstrate web <context-param>
application security flaws for the purpose of educating <param-name>OSGServerName</param-name>
developers and security professionals about web <param-value>localhost</param-value>
application security problems. The initial version was <description>Enable this element if you want to integrate with
written by Aspect Security (info@aspectsecurity.com), OWASP Site Generator
and was donated to the OWASP. </description>
</description> </context-param>
<!-- Context initialization parameters that define shared
String constants used within your application, which
can be customized by the system administrator who is
installing your application. The values actually
assigned to these parameters can be retrieved in a
servlet or JSP page by calling:
String value =
getServletContext().getInitParameter("name");
where "name" matches the <param-name> element of
one of these initialization parameters.
You can define any number of context initialization
parameters, including zero.
-->
<context-param> <context-param>
<param-name>email</param-name> <param-name>OSGServerPort</param-name>
<param-value>info@aspectsecurity.com</param-value> <param-value>4000</param-value>
<description> <description>
The EMAIL address of the administrator to whom questions The EMAIL address of the administrator to whom questions
and comments about this application should be addressed. and comments about this application should be addressed.
</description> </description>
</context-param> </context-param>
-->
<!-- Servlet definitions for the servlets that make up <!-- Servlet definitions for the servlets that make up
your web application, including initialization your web application, including initialization
parameters. With Tomcat, you can also send requests parameters. With Tomcat, you can also send requests
to servlets not listed here with a request like this: to servlets not listed here with a request like this:
http://localhost:8080/{context-path}/servlet/{classname} http://localhost:8080/{context-path}/servlet/{classname}
but this usage is not guaranteed to be portable. It also but this usage is not guaranteed to be portable. It also
makes relative references to images and other resources makes relative references to images and other resources
required by your servlet more complicated, so defining required by your servlet more complicated, so defining
all of your servlets (and defining a mapping to them with all of your servlets (and defining a mapping to them with
a servlet-mapping element) is recommended. a servlet-mapping element) is recommended.
Servlet initialization parameters can be retrieved in a Servlet initialization parameters can be retrieved in a
servlet or JSP page by calling: servlet or JSP page by calling:
String value = String value =
getServletConfig().getInitParameter("name"); getServletConfig().getInitParameter("name");
where "name" matches the <param-name> element of where "name" matches the <param-name> element of
one of these initialization parameters. one of these initialization parameters.
You can define any number of servlets, including zero. You can define any number of servlets, including zero.
--> -->
<filter>
<servlet> <filter-name>Interceptor</filter-name>
<servlet-name>AxisServlet</servlet-name> <filter-class>org.owasp.webgoat.util.Interceptor</filter-class>
<display-name>Apache-Axis Servlet</display-name> </filter>
<servlet-class> <filter-mapping>
org.apache.axis.transport.http.AxisServlet <filter-name>Interceptor</filter-name>
</servlet-class> <url-pattern>/*</url-pattern>
</servlet> </filter-mapping>
<servlet>
<servlet> <servlet-name>AxisServlet</servlet-name>
<servlet-name>AdminServlet</servlet-name> <display-name>Apache-Axis Servlet</display-name>
<display-name>Axis Admin Servlet</display-name> <servlet-class>
<servlet-class> org.apache.axis.transport.http.AxisServlet
org.apache.axis.transport.http.AdminServlet </servlet-class>
</servlet-class> </servlet>
<load-on-startup>100</load-on-startup>
</servlet> <servlet>
<servlet-name>AdminServlet</servlet-name>
<servlet> <display-name>Axis Admin Servlet</display-name>
<servlet-name>SOAPMonitorService</servlet-name> <servlet-class>
<display-name>SOAPMonitorService</display-name> org.apache.axis.transport.http.AdminServlet
<servlet-class> </servlet-class>
org.apache.axis.monitor.SOAPMonitorService <load-on-startup>100</load-on-startup>
</servlet-class> </servlet>
<init-param>
<param-name>SOAPMonitorPort</param-name> <servlet>
<param-value>5001</param-value> <servlet-name>SOAPMonitorService</servlet-name>
</init-param> <display-name>SOAPMonitorService</display-name>
<load-on-startup>100</load-on-startup> <servlet-class>
</servlet> org.apache.axis.monitor.SOAPMonitorService
</servlet-class>
<servlet> <init-param>
<servlet-name>WebGoat</servlet-name> <param-name>SOAPMonitorPort</param-name>
<description> <param-value>5001</param-value>
This servlet plays the "controller" role in the MVC architecture </init-param>
used in this application. <load-on-startup>100</load-on-startup>
</servlet>
The initialization parameter namess for this servlet are the
"servlet path" that will be received by this servlet (after the <servlet>
filename extension is removed). The corresponding value is the <servlet-name>WebGoat</servlet-name>
name of the action class that will be used to process this request. <description>
</description> This servlet plays the "controller" role in the MVC architecture
<servlet-class>org.owasp.webgoat.HammerHead</servlet-class> used in this application.
<init-param> The initialization parameter namess for this servlet are the
<param-name>debug</param-name> "servlet path" that will be received by this servlet (after the
<param-value>false</param-value> filename extension is removed). The corresponding value is the
</init-param> name of the action class that will be used to process this request.
</description>
<init-param> <servlet-class>org.owasp.webgoat.HammerHead</servlet-class>
<param-name>CookieDebug</param-name>
<param-value>true</param-value> <init-param>
</init-param> <param-name>debug</param-name>
<param-value>false</param-value>
<init-param> </init-param>
<param-name>DefuseOSCommands</param-name>
<param-value>false</param-value> <init-param>
</init-param> <param-name>CookieDebug</param-name>
<param-value>true</param-value>
<init-param> </init-param>
<param-name>Enterprise</param-name>
<param-value>true</param-value> <init-param>
</init-param> <param-name>DefuseOSCommands</param-name>
<param-value>false</param-value>
<init-param> </init-param>
<!-- Specify an address where you would like comments to be sent. -->
<!-- This can be any URL or HTML tags, and will appear on the report card and lesson incomplete pages --> <init-param>
<!-- Use iso8859-1 encoding to represent special characters that might confuse XML parser. For <param-name>Enterprise</param-name>
example, replace "<" with "&lt;" and ">" with "&gt;". --> <param-value>true</param-value>
<param-name>FeedbackAddress</param-name> </init-param>
<param-value>
&lt;A HREF=mailto:webgoat@aspectsecurity.com&gt;webgoat@aspectsecurity.com&lt;/A&gt; <init-param>
</param-value> <!-- Specify an address where you would like comments to be sent. -->
</init-param> <!-- This can be any URL or HTML tags, and will appear on the report card and lesson incomplete pages -->
<!-- Use iso8859-1 encoding to represent special characters that might confuse XML parser. For
<init-param> example, replace "<" with "&lt;" and ">" with "&gt;". -->
<param-name>DatabaseDriver</param-name> <param-name>FeedbackAddress</param-name>
<param-value> <param-value>
sun.jdbc.odbc.JdbcOdbcDriver &lt;A HREF=mailto:webgoat@aspectsecurity.com&gt;webgoat@aspectsecurity.com&lt;/A&gt;
<!--org.enhydra.instantdb.jdbc.idbDriver--> </param-value>
</param-value> </init-param>
</init-param>
<init-param>
<init-param> <param-name>DatabaseDriver</param-name>
<param-name>DatabaseConnectionString</param-name> <param-value>
<param-value> sun.jdbc.odbc.JdbcOdbcDriver
<!-- insert the word PATH where you want to insert the realpath to the base of the web context--> <!--org.enhydra.instantdb.jdbc.idbDriver-->
<!--jdbc:idb:PATH/database.prp--> </param-value>
jdbc:odbc:;DRIVER=Microsoft Access Driver (*.mdb);DBQ=PATH/webgoat.mdb;PWD=webgoat" </init-param>
</param-value>
</init-param> <init-param>
<param-name>DatabaseConnectionString</param-name>
<!-- Load this servlet at server startup time --> <param-value>
<!-- insert the word PATH where you want to insert the realpath to the base of the web context-->
<load-on-startup>5</load-on-startup> <!--jdbc:idb:PATH/database.prp-->
jdbc:odbc:;DRIVER=Microsoft Access Driver (*.mdb);DBQ=PATH/webgoat.mdb;PWD=webgoat"
</servlet> </param-value>
</init-param>
<servlet> <!-- Load this servlet at server startup time -->
<servlet-name>LessonSource</servlet-name>
<description> <load-on-startup>5</load-on-startup>
This servlet returns the Java source of the current lesson.
</description> </servlet>
<servlet-class>org.owasp.webgoat.LessonSource</servlet-class>
</servlet>
<servlet> <servlet>
<servlet-name>validate</servlet-name> <servlet-name>LessonSource</servlet-name>
<servlet-class>org.owasp.webgoat.servlets.ValidateServlet</servlet-class> <description>
</servlet> This servlet returns the Java source of the current lesson.
<servlet> </description>
<servlet-name>config</servlet-name> <servlet-class>org.owasp.webgoat.LessonSource</servlet-class>
<jsp-file>/lessons/ConfManagement/config.jsp</jsp-file> </servlet>
</servlet> <servlet>
<servlet-name>validate</servlet-name>
<!-- Define mappings that are used by the servlet container to <servlet-class>org.owasp.webgoat.servlets.ValidateServlet</servlet-class>
translate a particular request URI (context-relative) to a </servlet>
particular servlet. The examples below correspond to the <servlet>
servlet descriptions above. Thus, a request URI like: <servlet-name>config</servlet-name>
<jsp-file>/lessons/ConfManagement/config.jsp</jsp-file>
http://localhost:8080/{contextpath}/graph </servlet>
will be mapped to the "graph" servlet, while a request like: <!-- Define mappings that are used by the servlet container to
translate a particular request URI (context-relative) to a
http://localhost:8080/{contextpath}/saveCustomer.do particular servlet. The examples below correspond to the
servlet descriptions above. Thus, a request URI like:
will be mapped to the "controller" servlet.
http://localhost:8080/{contextpath}/graph
You may define any number of servlet mappings, including zero.
It is also legal to define more than one mapping for the same will be mapped to the "graph" servlet, while a request like:
servlet, if you wish to.
--> http://localhost:8080/{contextpath}/saveCustomer.do
will be mapped to the "controller" servlet.
<servlet-mapping>
<servlet-name>AxisServlet</servlet-name> You may define any number of servlet mappings, including zero.
<url-pattern>/servlet/AxisServlet</url-pattern> It is also legal to define more than one mapping for the same
</servlet-mapping> servlet, if you wish to.
-->
<servlet-mapping>
<servlet-name>AxisServlet</servlet-name>
<url-pattern>*.jws</url-pattern> <servlet-mapping>
</servlet-mapping> <servlet-name>AxisServlet</servlet-name>
<url-pattern>/servlet/AxisServlet</url-pattern>
<servlet-mapping> </servlet-mapping>
<servlet-name>AxisServlet</servlet-name>
<url-pattern>/services/*</url-pattern> <servlet-mapping>
</servlet-mapping> <servlet-name>AxisServlet</servlet-name>
<url-pattern>*.jws</url-pattern>
<servlet-mapping> </servlet-mapping>
<servlet-name>SOAPMonitorService</servlet-name>
<url-pattern>/SOAPMonitor</url-pattern> <servlet-mapping>
</servlet-mapping> <servlet-name>AxisServlet</servlet-name>
<url-pattern>/services/*</url-pattern>
<!-- uncomment this if you want the admin servlet --> </servlet-mapping>
<!--
<servlet-mapping> <servlet-mapping>
<servlet-name>AdminServlet</servlet-name> <servlet-name>SOAPMonitorService</servlet-name>
<url-pattern>/servlet/AdminServlet</url-pattern> <url-pattern>/SOAPMonitor</url-pattern>
</servlet-mapping> </servlet-mapping>
-->
<!-- uncomment this if you want the admin servlet -->
<servlet-mapping> <!--
<servlet-name>WebGoat</servlet-name> <servlet-mapping>
<url-pattern>/attack</url-pattern> <servlet-name>AdminServlet</servlet-name>
</servlet-mapping> <url-pattern>/servlet/AdminServlet</url-pattern>
</servlet-mapping>
<servlet-mapping> -->
<servlet-name>config</servlet-name>
<url-pattern>/config</url-pattern> <servlet-mapping>
</servlet-mapping> <servlet-name>WebGoat</servlet-name>
<url-pattern>/attack</url-pattern>
<servlet-mapping> </servlet-mapping>
<servlet-name>validate</servlet-name>
<url-pattern>/validate</url-pattern> <servlet-mapping>
</servlet-mapping> <servlet-name>config</servlet-name>
<url-pattern>/config</url-pattern>
<servlet-mapping> </servlet-mapping>
<servlet-name>LessonSource</servlet-name>
<url-pattern>/source</url-pattern> <servlet-mapping>
</servlet-mapping> <servlet-name>validate</servlet-name>
<url-pattern>/validate</url-pattern>
</servlet-mapping>
<!-- Define the default session timeout for your application,
in minutes. From a servlet or JSP page, you can modify <servlet-mapping>
the timeout for a particular session dynamically by using <servlet-name>LessonSource</servlet-name>
HttpSession.getMaxInactiveInterval(). --> <url-pattern>/source</url-pattern>
</servlet-mapping>
<session-config>
<!-- 2 days -->
<session-timeout>2880</session-timeout> <!-- Define the default session timeout for your application,
</session-config> in minutes. From a servlet or JSP page, you can modify
the timeout for a particular session dynamically by using
<mime-mapping> HttpSession.getMaxInactiveInterval(). -->
<extension>wmv</extension>
<mime-type>video/x-ms-wmv</mime-type> <session-config>
</mime-mapping> <!-- 2 days -->
<session-timeout>2880</session-timeout>
<!-- Define reference to the user database for looking up roles --> </session-config>
<resource-env-ref>
<description> <mime-mapping>
Link to the UserDatabase instance from which we request lists of <extension>wmv</extension>
defined role names. Typically, this will be connected to the global <mime-type>video/x-ms-wmv</mime-type>
user database with a ResourceLink element in server.xml or the context </mime-mapping>
configuration file for the Manager web application.
</description> <!-- Define reference to the user database for looking up roles -->
<resource-env-ref-name>users</resource-env-ref-name> <resource-env-ref>
<resource-env-ref-type> <description>
org.apache.catalina.UserDatabase Link to the UserDatabase instance from which we request lists of
</resource-env-ref-type> defined role names. Typically, this will be connected to the global
</resource-env-ref> user database with a ResourceLink element in server.xml or the context
configuration file for the Manager web application.
</description>
<!-- Define a Security Constraint on this Application --> <resource-env-ref-name>users</resource-env-ref-name>
<security-constraint> <resource-env-ref-type>
<web-resource-collection> org.apache.catalina.UserDatabase
<web-resource-name>WebGoat Application</web-resource-name> </resource-env-ref-type>
<url-pattern>/*</url-pattern> </resource-env-ref>
</web-resource-collection>
<auth-constraint>
<role-name>webgoat_user</role-name> <!-- Define a Security Constraint on this Application -->
<role-name>webgoat_admin</role-name> <security-constraint>
<role-name>webgoat_challenge</role-name> <web-resource-collection>
</auth-constraint> <web-resource-name>WebGoat Application</web-resource-name>
</security-constraint> <url-pattern>/*</url-pattern>
</web-resource-collection>
<security-constraint> <auth-constraint>
<web-resource-collection> <role-name>webgoat_user</role-name>
<web-resource-name>WebGoat Application Source</web-resource-name> <role-name>webgoat_admin</role-name>
<url-pattern>/JavaSource/*</url-pattern> <role-name>webgoat_challenge</role-name>
</web-resource-collection> </auth-constraint>
<auth-constraint> </security-constraint>
<role-name>server_admin</role-name>
</auth-constraint> <security-constraint>
</security-constraint> <web-resource-collection>
<web-resource-name>WebGoat Application Source</web-resource-name>
<url-pattern>/JavaSource/*</url-pattern>
<!-- Login configuration uses BASIC authentication --> </web-resource-collection>
<login-config> <auth-constraint>
<auth-method>BASIC</auth-method> <role-name>server_admin</role-name>
<realm-name>WebGoat Application</realm-name> </auth-constraint>
</login-config> </security-constraint>
<!-- Security roles referenced by this web application -->
<security-role> <!-- Login configuration uses BASIC authentication -->
<description>The role that is required to administrate WebGoat</description> <login-config>
<role-name>webgoat_admin</role-name> <auth-method>BASIC</auth-method>
</security-role> <realm-name>WebGoat Application</realm-name>
</login-config>
<security-role>
<description>The role that is required to start the challenge log viewer</description> <!-- Security roles referenced by this web application -->
<role-name>webgoat_challenge</role-name> <security-role>
</security-role> <description>The role that is required to administrate WebGoat</description>
<role-name>webgoat_admin</role-name>
<security-role> </security-role>
<description>The role that is required to use WebGoat</description>
<role-name>webgoat_user</role-name> <security-role>
</security-role> <description>The role that is required to start the challenge log viewer</description>
<role-name>webgoat_challenge</role-name>
<security-role> </security-role>
<description>This role is for admins only</description>
<role-name>server_admin</role-name> <security-role>
</security-role> <description>The role that is required to use WebGoat</description>
<role-name>webgoat_user</role-name>
</web-app> </security-role>
<security-role>
<description>This role is for admins only</description>
<role-name>server_admin</role-name>
</security-role>
</web-app>
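Review bot: The new OSGServerPort context-param carries a `<description>` copied from the email parameter ("The EMAIL address of the administrator to whom questions and comments about this application should be addressed.") — it should describe the port, e.g. `<description>Port on which the OWASP Site Generator desktop application listens</description>`. The OSGServerName description likewise only repeats "Enable this element if you want to integrate with OWASP Site Generator" rather than saying what the value is (the host running OSG). The new Interceptor filter is mapped to `/*`, so it runs on every request to the application; stating that next to the `<filter-mapping>` would make the cost of enabling the OSG parameters clear to whoever uncomments them.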


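--- /dev/null
+++ b/PLACEHOLDER_PATH/DOMInjection.html
@@ -0,0 +1,22 @@
+<div align="Center">
+<p><b>Lesson Plan Title:</b>DOM Injection. </p>
+</div>
+<p><b>Concept / Topic To Teach:</b> </p>
+How to perform DOM injection attacks.
+<br>
+<div align="Left">
+<p>
+<b>How the attacks works:</b>
+</p>
+Some applications specially the ones that uses AJAX manipulates and updates the DOM
+directly using javascript, DHTML and eval.<br>
+An attacker may take advantage of that by intercepting the reply and try to inject some
+javascript commands to exploit his attacks.
+</div>
+<p><b>General Goal(s):</b> </p>
+<!-- Start Instructions -->
+* Your victim is a system that takes an activatation key to allow you to use it.
+* Your goal should be to try to get to enable the activate button.<br>
+* Take some time to see the HTML source in order to understand how does it work.<br>
+<!-- Stop Instructions -->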