Reflected xss working - still have to think how to get the success criteria. Page needs some work though

webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java

@@ -53,8 +53,21 @@ import org.springframework.web.bind.annotation.ResponseBody;
 public class CrossSiteScriptingLesson5a extends Assignment {
 
 	@RequestMapping(method = RequestMethod.POST)
-	public @ResponseBody AttackResult completed(@RequestParam String account, HttpServletRequest request) throws IOException {
-		return injectableQuery(account);
+	public @ResponseBody AttackResult completed(@RequestParam Integer QTY1,
+												@RequestParam Integer QTY2, @RequestParam Integer QTY3,
+												@RequestParam Integer QTY4, @RequestParam String field1,
+												@RequestParam Integer field2, HttpServletRequest request)
+			throws IOException {
+		System.out.println("foo");
+		// Should add some QTY validation here.  Someone could have fun and enter a negative quantity and get merchanidise and a refund :)
+		double totalSale = QTY1.intValue() * 69.99 + QTY2.intValue() * 27.99 + QTY3.intValue() * 1599.99 + QTY4.intValue() * 299.99;  
+		
+       	StringBuffer cart = new StringBuffer();
+       	cart.append("Thank you for shopping at WebGoat. <br />You're support is appreciated<hr />");
+       	cart.append("<p>We have chaged credit card:" + field1 + "<br />");
+       	cart.append(   "                             ------------------- <br />");
+       	cart.append(   "                               $" + totalSale);
+        return trackProgress(AttackResult.failed(cart.toString()));
 	}
 
     @Override
@@ -62,169 +75,4 @@ public class CrossSiteScriptingLesson5a extends Assignment {
         return "/CrossSiteScripting/attack5a";
     }
 
-
-    protected AttackResult injectableQuery(String accountName)
-    {
-        try
-        {
-            Connection connection = DatabaseUtilities.getConnection(getWebSession());
-            String query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
-
-            try
-            {
-                Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
-                                                                    ResultSet.CONCUR_READ_ONLY);
-                ResultSet results = statement.executeQuery(query);
-
-                if ((results != null) && (results.first() == true))
-                {
-                    ResultSetMetaData resultsMetaData = results.getMetaData();
-                	StringBuffer output = new StringBuffer();
-
-                    output.append(writeTable(results, resultsMetaData));
-                    results.last();
-
-                    // If they get back more than one user they succeeded
-                    if (results.getRow() >= 6)
-                    {
-                    	return trackProgress(AttackResult.success("You have succeed: " + output.toString()));
-                   } else {
-                	   return trackProgress(AttackResult.failed("You are close, try again. " + output.toString()));
-                   }
-                    
-                }
-                else
-                {
-                	return trackProgress(AttackResult.failed("No Results Matched. Try Again. "));
-
-                }
-            } catch (SQLException sqle)
-            {
-            	
-            	return trackProgress(AttackResult.failed(sqle.getMessage()));
-            }
-        } catch (Exception e)
-        {
-        	e.printStackTrace();
-        	return trackProgress(AttackResult.failed( "ErrorGenerating" + this.getClass().getName() + " : " + e.getMessage()));
-        }
-    }
-    
-    public String writeTable(ResultSet results, ResultSetMetaData resultsMetaData) throws IOException,
-	SQLException 
-    {
-		int numColumns = resultsMetaData.getColumnCount();
-		results.beforeFirst();
-		StringBuffer t = new StringBuffer();
-		t.append("<p>");
-	
-		if (results.next())
-		{
-			for (int i = 1; i < (numColumns + 1); i++)
-			{
-				t.append(resultsMetaData.getColumnName(i));
-				t.append(", ");
-			}
-		
-			t.append("<br />");
-			results.beforeFirst();
-		
-			while (results.next())
-			{
-		
-				for (int i = 1; i < (numColumns + 1); i++)
-				{
-					t.append(results.getString(i));
-					t.append(", ");
-				}
-		
-				t.append("<br />");
-			}
-		
-		}
-		else
-		{
-			t.append ("Query Successful; however no data was returned from this query.");
-		}
-		
-		t.append("</p>");
-		return (t.toString());
-    }
-//
-//    protected Element parameterizedQuery(WebSession s)
-//    {
-//        ElementContainer ec = new ElementContainer();
-//
-//        ec.addElement(getLabelManager().get("StringSqlInjectionSecondStage"));
-//        if (s.getParser().getRawParameter(ACCT_NAME, "YOUR_NAME").equals("restart"))
-//        {
-//            getLessonTracker(s).getLessonProperties().setProperty(STAGE, "1");
-//            return (injectableQuery(s));
-//        }
-//
-//        ec.addElement(new BR());
-//
-//        try
-//        {
-//            Connection connection = DatabaseUtilities.getConnection(s);
-//
-//            ec.addElement(makeAccountLine(s));
-//
-//            String query = "SELECT * FROM user_data WHERE last_name = ?";
-//            ec.addElement(new PRE(query));
-//
-//            try
-//            {
-//                PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
-//                                                                            ResultSet.CONCUR_READ_ONLY);
-//                statement.setString(1, accountName);
-//                ResultSet results = statement.executeQuery();
-//
-//                if ((results != null) && (results.first() == true))
-//                {
-//                    ResultSetMetaData resultsMetaData = results.getMetaData();
-//                    ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData));
-//                    results.last();
-//
-//                    // If they get back more than one user they succeeded
-//                    if (results.getRow() >= 6)
-//                    {
-//                        makeSuccess(s);
-//                    }
-//                }
-//                else
-//                {
-//                    ec.addElement(getLabelManager().get("NoResultsMatched"));
-//                }
-//            } catch (SQLException sqle)
-//            {
-//                ec.addElement(new P().addElement(sqle.getMessage()));
-//            }
-//        } catch (Exception e)
-//        {
-//            s.setMessage(getLabelManager().get("ErrorGenerating") + this.getClass().getName());
-//            e.printStackTrace();
-//        }
-//
-//        return (ec);
-//    }
-//
-//    protected Element makeAccountLine(WebSession s)
-//    {
-//        ElementContainer ec = new ElementContainer();
-//        ec.addElement(new P().addElement(getLabelManager().get("EnterLastName")));
-//
-//        accountName = s.getParser().getRawParameter(ACCT_NAME, "Your Name");
-//        Input input = new Input(Input.TEXT, ACCT_NAME, accountName.toString());
-//        ec.addElement(input);
-//
-//        Element b = ECSFactory.makeButton(getLabelManager().get("Go!"));
-//        ec.addElement(b);
-//
-//        return ec;
-//
-//    }
-
- 
-
 }

webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/html/CrossSiteScripting.html

@@ -139,12 +139,12 @@
 							</tr>
 							<tr>
 								<td>Enter your credit card number:</td>
-								<td><input name="field2" value="4128 3214 0002 1999"
+								<td><input name="field1" value="4128 3214 0002 1999"
 									type="TEXT" /></td>
 							</tr>
 							<tr>
 								<td>Enter your three digit access code:</td>
-								<td><input name="field1" value="111" type="TEXT" /></td>
+								<td><input name="field2" value="111" type="TEXT" /></td>
 							</tr>
 							<tr>
 								<td colspan="2" align="center"><input name="SUBMIT"