Reflected xss working - still have to think how to get the success criteria. Page needs some work though
This commit is contained in:
mayhew64
parent
edaadecc38
commit
32d1009390
@ -53,8 +53,21 @@ import org.springframework.web.bind.annotation.ResponseBody;
|
||||
public class CrossSiteScriptingLesson5a extends Assignment {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
public @ResponseBody AttackResult completed(@RequestParam String account, HttpServletRequest request) throws IOException {
|
||||
return injectableQuery(account);
|
||||
public @ResponseBody AttackResult completed(@RequestParam Integer QTY1,
|
||||
@RequestParam Integer QTY2, @RequestParam Integer QTY3,
|
||||
@RequestParam Integer QTY4, @RequestParam String field1,
|
||||
@RequestParam Integer field2, HttpServletRequest request)
|
||||
throws IOException {
|
||||
System.out.println("foo");
|
||||
// Should add some QTY validation here. Someone could have fun and enter a negative quantity and get merchanidise and a refund :)
|
||||
double totalSale = QTY1.intValue() * 69.99 + QTY2.intValue() * 27.99 + QTY3.intValue() * 1599.99 + QTY4.intValue() * 299.99;
|
||||
|
||||
StringBuffer cart = new StringBuffer();
|
||||
cart.append("Thank you for shopping at WebGoat. <br />You're support is appreciated<hr />");
|
||||
cart.append("<p>We have chaged credit card:" + field1 + "<br />");
|
||||
cart.append( " ------------------- <br />");
|
||||
cart.append( " $" + totalSale);
|
||||
return trackProgress(AttackResult.failed(cart.toString()));
|
||||
}
|
||||
|
||||
@Override
|
||||
@ -62,169 +75,4 @@ public class CrossSiteScriptingLesson5a extends Assignment {
|
||||
return "/CrossSiteScripting/attack5a";
|
||||
}
|
||||
|
||||
|
||||
protected AttackResult injectableQuery(String accountName)
|
||||
{
|
||||
try
|
||||
{
|
||||
Connection connection = DatabaseUtilities.getConnection(getWebSession());
|
||||
String query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
|
||||
|
||||
try
|
||||
{
|
||||
Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
|
||||
ResultSet.CONCUR_READ_ONLY);
|
||||
ResultSet results = statement.executeQuery(query);
|
||||
|
||||
if ((results != null) && (results.first() == true))
|
||||
{
|
||||
ResultSetMetaData resultsMetaData = results.getMetaData();
|
||||
StringBuffer output = new StringBuffer();
|
||||
|
||||
output.append(writeTable(results, resultsMetaData));
|
||||
results.last();
|
||||
|
||||
// If they get back more than one user they succeeded
|
||||
if (results.getRow() >= 6)
|
||||
{
|
||||
return trackProgress(AttackResult.success("You have succeed: " + output.toString()));
|
||||
} else {
|
||||
return trackProgress(AttackResult.failed("You are close, try again. " + output.toString()));
|
||||
}
|
||||
|
||||
}
|
||||
else
|
||||
{
|
||||
return trackProgress(AttackResult.failed("No Results Matched. Try Again. "));
|
||||
|
||||
}
|
||||
} catch (SQLException sqle)
|
||||
{
|
||||
|
||||
return trackProgress(AttackResult.failed(sqle.getMessage()));
|
||||
}
|
||||
} catch (Exception e)
|
||||
{
|
||||
e.printStackTrace();
|
||||
return trackProgress(AttackResult.failed( "ErrorGenerating" + this.getClass().getName() + " : " + e.getMessage()));
|
||||
}
|
||||
}
|
||||
|
||||
public String writeTable(ResultSet results, ResultSetMetaData resultsMetaData) throws IOException,
|
||||
SQLException
|
||||
{
|
||||
int numColumns = resultsMetaData.getColumnCount();
|
||||
results.beforeFirst();
|
||||
StringBuffer t = new StringBuffer();
|
||||
t.append("<p>");
|
||||
|
||||
if (results.next())
|
||||
{
|
||||
for (int i = 1; i < (numColumns + 1); i++)
|
||||
{
|
||||
t.append(resultsMetaData.getColumnName(i));
|
||||
t.append(", ");
|
||||
}
|
||||
|
||||
t.append("<br />");
|
||||
results.beforeFirst();
|
||||
|
||||
while (results.next())
|
||||
{
|
||||
|
||||
for (int i = 1; i < (numColumns + 1); i++)
|
||||
{
|
||||
t.append(results.getString(i));
|
||||
t.append(", ");
|
||||
}
|
||||
|
||||
t.append("<br />");
|
||||
}
|
||||
|
||||
}
|
||||
else
|
||||
{
|
||||
t.append ("Query Successful; however no data was returned from this query.");
|
||||
}
|
||||
|
||||
t.append("</p>");
|
||||
return (t.toString());
|
||||
}
|
||||
//
|
||||
// protected Element parameterizedQuery(WebSession s)
|
||||
// {
|
||||
// ElementContainer ec = new ElementContainer();
|
||||
//
|
||||
// ec.addElement(getLabelManager().get("StringSqlInjectionSecondStage"));
|
||||
// if (s.getParser().getRawParameter(ACCT_NAME, "YOUR_NAME").equals("restart"))
|
||||
// {
|
||||
// getLessonTracker(s).getLessonProperties().setProperty(STAGE, "1");
|
||||
// return (injectableQuery(s));
|
||||
// }
|
||||
//
|
||||
// ec.addElement(new BR());
|
||||
//
|
||||
// try
|
||||
// {
|
||||
// Connection connection = DatabaseUtilities.getConnection(s);
|
||||
//
|
||||
// ec.addElement(makeAccountLine(s));
|
||||
//
|
||||
// String query = "SELECT * FROM user_data WHERE last_name = ?";
|
||||
// ec.addElement(new PRE(query));
|
||||
//
|
||||
// try
|
||||
// {
|
||||
// PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
|
||||
// ResultSet.CONCUR_READ_ONLY);
|
||||
// statement.setString(1, accountName);
|
||||
// ResultSet results = statement.executeQuery();
|
||||
//
|
||||
// if ((results != null) && (results.first() == true))
|
||||
// {
|
||||
// ResultSetMetaData resultsMetaData = results.getMetaData();
|
||||
// ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData));
|
||||
// results.last();
|
||||
//
|
||||
// // If they get back more than one user they succeeded
|
||||
// if (results.getRow() >= 6)
|
||||
// {
|
||||
// makeSuccess(s);
|
||||
// }
|
||||
// }
|
||||
// else
|
||||
// {
|
||||
// ec.addElement(getLabelManager().get("NoResultsMatched"));
|
||||
// }
|
||||
// } catch (SQLException sqle)
|
||||
// {
|
||||
// ec.addElement(new P().addElement(sqle.getMessage()));
|
||||
// }
|
||||
// } catch (Exception e)
|
||||
// {
|
||||
// s.setMessage(getLabelManager().get("ErrorGenerating") + this.getClass().getName());
|
||||
// e.printStackTrace();
|
||||
// }
|
||||
//
|
||||
// return (ec);
|
||||
// }
|
||||
//
|
||||
// protected Element makeAccountLine(WebSession s)
|
||||
// {
|
||||
// ElementContainer ec = new ElementContainer();
|
||||
// ec.addElement(new P().addElement(getLabelManager().get("EnterLastName")));
|
||||
//
|
||||
// accountName = s.getParser().getRawParameter(ACCT_NAME, "Your Name");
|
||||
// Input input = new Input(Input.TEXT, ACCT_NAME, accountName.toString());
|
||||
// ec.addElement(input);
|
||||
//
|
||||
// Element b = ECSFactory.makeButton(getLabelManager().get("Go!"));
|
||||
// ec.addElement(b);
|
||||
//
|
||||
// return ec;
|
||||
//
|
||||
// }
|
||||
|
||||
|
||||
|
||||
}
|
||||
}
|
||||
@ -139,12 +139,12 @@
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Enter your credit card number:</td>
|
||||
<td><input name="field2" value="4128 3214 0002 1999"
|
||||
<td><input name="field1" value="4128 3214 0002 1999"
|
||||
type="TEXT" /></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Enter your three digit access code:</td>
|
||||
<td><input name="field1" value="111" type="TEXT" /></td>
|
||||
<td><input name="field2" value="111" type="TEXT" /></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td colspan="2" align="center"><input name="SUBMIT"
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user