fix session timeout issue

removed tiles
various small cleanups
added session service to aid in debugging session issues
lawson89
2014-08-13 11:20:59 -04:00
parent a4807a026c
commit 354826e645
24 changed files with 316 additions and 713 deletions


@ -134,6 +134,12 @@ public class HammerHead extends HttpServlet {
return;
}
if ("true".equals(request.getParameter("start"))) {
logger.warn("Redirecting to start controller");
response.sendRedirect("start.mvc");
return;
}
// Note: For the lesson to track the status, we need to update
// the lesson tracker object
// from the screen.createContent() method. The create content is
@ -176,8 +182,9 @@ public class HammerHead extends HttpServlet {
clientBrowser = userAgent;
}
request.setAttribute("client.browser", clientBrowser);
request.getSession().setAttribute("websession", mySession);
request.getSession().setAttribute("course", mySession.getCourse());
request.getSession().setAttribute(WebSession.SESSION, mySession);
// not sure why this is being set in the session?
request.getSession().setAttribute(WebSession.COURSE, mySession.getCourse());
String viewPage = getViewPage(mySession);
logger.debug("Forwarding to view: " + viewPage);
logger.debug("Screen: " + screen);
@ -199,18 +206,9 @@ public class HammerHead extends HttpServlet {
}
private String getViewPage(WebSession webSession) {
String page;
// If this session has not seen the landing page yet, go there instead.
HttpSession session = webSession.getRequest().getSession();
if (session.getAttribute(WELCOMED) == null) {
session.setAttribute(WELCOMED, "true");
page = "/webgoat.jsp";
} else {
//page = "/main.jsp";
page = "/lesson_content.jsp";
}
// now always display the lesson content
String page = "/lesson_content.jsp";
//page = "/main.jsp";
return page;
}
@ -378,7 +376,7 @@ public class HammerHead extends HttpServlet {
HttpSession hs;
hs = request.getSession(true);
// System.out.println( "HH Entering Session_id: " + hs.getId() );
logger.debug("HH Entering Session_id: " + hs.getId());
// dumpSession( hs );
// Get our session object out of the HTTP session
WebSession session = null;
@ -388,7 +386,7 @@ public class HammerHead extends HttpServlet {
session = (WebSession) o;
} else {
// Create new custom session and save it in the HTTP session
// System.out.println( "HH Creating new WebSession: " );
logger.warn("HH Creating new WebSession");
session = new WebSession(webgoatContext, context);
// Ensure splash screen shows on any restart
// rlawson - removed this since we show splash screen at login now
@ -405,8 +403,8 @@ public class HammerHead extends HttpServlet {
session.update(request, response, this.getServletName());
// to authenticate
// System.out.println( "HH Leaving Session_id: " + hs.getId() );
// dumpSession( hs );
logger.debug("HH Leaving Session_id: " + hs.getId());
//dumpSession( hs );
return (session);
}
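Review bot: The new `logger.debug("HH Entering Session_id: " + hs.getId());` and `logger.debug("HH Leaving Session_id: " + hs.getId());` lines write the full servlet session identifier to the log; a session id is a credential, and log files are usually readable by more people and tooling than the session store, so the log should carry only a truncated or hashed form of the id, or rely on the session service this commit adds instead. In the `getViewPage` hunk the method now ignores its `webSession` parameter and always returns `/lesson_content.jsp`, and the leftover `//page = "/main.jsp";` is dead; `private String getViewPage()` with the caller `String viewPage = getViewPage(mySession);` updated, plus a comment such as `// The welcome page is shown by the Welcome controller at login, so the lesson view is always used here.`, would make the intent explicit. Whether HammerHead's own `WELCOMED` constant is still referenced after the removed check is not visible in this diff. `logger.warn("Redirecting to start controller")` in the first hunk fires on a normal flow, so DEBUG or INFO is the better level. The enclosing methods of the first and last hunks start outside the hunks.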


@ -6,7 +6,6 @@
package org.owasp.webgoat.controller;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;


@ -7,6 +7,8 @@ package org.owasp.webgoat.controller;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
@ -19,9 +21,10 @@ import org.springframework.web.servlet.ModelAndView;
*/
@Controller
public class Welcome {
final Logger logger = LoggerFactory.getLogger(Welcome.class);
private static final String WELCOMED = "welcomed";
@RequestMapping(value = "welcome.mvc", method = RequestMethod.GET)
public ModelAndView welcome(HttpServletRequest request,
@RequestParam(value = "error", required = false) String error,
@ -34,11 +37,13 @@ public class Welcome {
if (session.getAttribute(WELCOMED) == null) {
session.setAttribute(WELCOMED, "true");
}
//@TODO put stuff here the welcome page needs to access
//go ahead and send them to webgoat (skip the welcome page)
ModelAndView model = new ModelAndView();
model.setViewName("welcome");
//model.setViewName("welcome");
//model.setViewName("main_new");
model.setViewName("forward:/attack?start=true");
return model;
}
}
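Review bot: `final Logger logger = LoggerFactory.getLogger(Welcome.class);` in the `public class Welcome` hunk declares the logger as a package-visible instance field; a per-instance logger on a Spring singleton gains nothing and widens visibility, so `private static final Logger logger = LoggerFactory.getLogger(Welcome.class);` is the usual form (BaseService in this commit has the same shape). The two commented-out `//model.setViewName(...)` lines in the last hunk are dead code that version control already preserves; a one-line comment such as `// Skip the welcome page: hand off to the attack servlet, which redirects to the start controller.` says more than the old lines. Whether the `WELCOMED` attribute still set here is read anywhere now that HammerHead's check has been removed is not visible in this diff.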


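--- a/org/owasp/webgoat/lessons/HttpBasicsController.java
+++ /dev/null
@@ -1,107 +0,0 @@
-package org.owasp.webgoat.lessons;
-import java.util.ArrayList;
-import java.util.List;
-import org.apache.log4j.Logger;
-import org.owasp.webgoat.lessons.model.HttpBasicsModel;
-import org.owasp.webgoat.session.WebSession;
-import org.springframework.stereotype.Controller;
-import org.springframework.ui.ModelMap;
-import org.springframework.web.bind.annotation.ModelAttribute;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.servlet.ModelAndView;
-/**
-* <p>
-* Handles the "HTTP Basics" lesson. Contains all
-* mapping methods for that lesson as well as all helper methods
-* used by those mappers.
-* </p>
-*
-*/
-@Controller
-public class HttpBasicsController extends LessonAdapter {
-protected static Logger logger = Logger.getLogger("controller");
-// [url] path used by this lesson
-private final String PAGE_PATH = "httpBasics.do";
-// The (apache) tile used by this lesson, as specified in tiles-definitions.xml
-private String TILE_NAME = "http-basics";
-// ID attribute associated with the JSP's form.
-private String FORM_NAME = "command";
-/**
-* @see {@link org.owasp.webgoat.lessons.AbstractLesson#getPath()}
-* @see {@link org.owasp.webgoat.lessons.AbstractLesson#getLink()}
-*/
-protected String getPath() {
-return PAGE_PATH;
-}
-/**
-* Handles GET requests for this lesson.
-* @return
-*/
-@RequestMapping(value = PAGE_PATH, method = RequestMethod.GET)
-public ModelAndView displayPage() {
-return new ModelAndView(TILE_NAME, FORM_NAME, new HttpBasicsModel());
-}
-/**
-* Handles POST requests for this lesson. Takes the user's name and displays
-* a reversed copy of it.
-*
-* @param httpBasicsModel
-* @param model
-* @return
-*/
-@RequestMapping(value = PAGE_PATH, method = RequestMethod.POST)
-public ModelAndView processSubmit(
-@ModelAttribute("")HttpBasicsModel httpBasicsModel, ModelMap model) {
-StringBuffer personName = new StringBuffer(httpBasicsModel.getPersonName());
-httpBasicsModel.setPersonName(personName.reverse().toString());
-return new ModelAndView(TILE_NAME, FORM_NAME, httpBasicsModel);
-}
-public Category getCategory()
-{
-return Category.GENERAL;
-}
-/**
-* Gets the hints attribute of the HelloScreen object
-*
-* @return The hints value
-*/
-public List<String> getHints(WebSession s)
-{
-List<String> hints = new ArrayList<String>();
-hints.add("Type in your name and press 'go'");
-hints.add("Turn on Show Parameters or other features");
-hints.add("Try to intercept the request with WebScarab");
-hints.add("Press the Show Lesson Plan button to view a lesson summary");
-hints.add("Press the Show Solution button to view a lesson solution");
-return hints;
-}
-protected String getInstructions()
-{
-return null;
-}
-public String getTitle()
-{
-// TODO: GET RID OF THE "(Spring MVC)" BELOW LATER!!!!"
-return "HTTP Basics (Spring MVC)";
-}
-}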


@ -1,35 +1,41 @@
/***************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
/**
* *************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository for free software
* projects.
*
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*/
package org.owasp.webgoat.service;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.owasp.webgoat.controller.Welcome;
import org.owasp.webgoat.session.WebSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RequestMapping;
@ -43,23 +49,26 @@ import org.springframework.web.bind.annotation.ResponseStatus;
@RequestMapping("/service")
public abstract class BaseService {
final Logger logger = LoggerFactory.getLogger(BaseService.class);
@ExceptionHandler(Exception.class)
@ResponseStatus(value = HttpStatus.I_AM_A_TEAPOT)
public @ResponseBody
ExceptionInfo handleException(HttpServletRequest request, Exception ex) {
String url = request.getRequestURL().toString();
logger.error("Exception handler for service caught exception when processing: " + url, ex);
ExceptionInfo response = new ExceptionInfo();
response.setUrl(request.getRequestURL().toString());
response.setMessage(ex.getMessage());
response.setUrl(url);
response.setMessage(ex.toString());
return response;
}
public WebSession getWebSesion(HttpSession session) {
public WebSession getWebSession(HttpSession session) {
WebSession ws;
Object o = session.getAttribute(WebSession.SESSION);
if (o == null || !(o instanceof WebSession)) {
throw new IllegalArgumentException("No valid session object found, has session timed out?");
throw new IllegalArgumentException("No valid session object found, has session timed out? [" + session.getId() + "]");
}
ws = (WebSession) o;
return ws;
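Review bot: `response.setMessage(ex.toString());` in the `handleException` hunk now sends the exception class name and message to the client, and with the new `getWebSession` message that body also carries the caller's session id; the handler already logs the full exception via `logger.error(...)`, so the client-facing text can stay generic, e.g. `response.setMessage("Request failed; see server log for " + url);`, or the detailed form can be limited to a debug setting. The timeout case is a state problem rather than a bad argument, so `IllegalStateException` fits better than `IllegalArgumentException`, and `@ExceptionHandler(Exception.class)` mapping every failure to `HttpStatus.I_AM_A_TEAPOT` leaves the front end no way to tell an expired session from a server bug. `o == null || !(o instanceof WebSession)` can be shortened to `!(o instanceof WebSession)` because `instanceof` is already false for null. The closing braces of `getWebSession` fall outside the hunk.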


@ -54,7 +54,7 @@ public class CookieService extends BaseService {
@RequestMapping(value = "/cookie.mvc", produces = "application/json")
public @ResponseBody
List<Cookie> showCookies(HttpSession session) {
WebSession ws = getWebSesion(session);
WebSession ws = getWebSession(session);
List<Cookie> cookies = ws.getCookiesOnLastRequest();
return cookies;
}


@ -32,7 +32,7 @@ public class HintService extends BaseService {
public @ResponseBody
List<Hint> showHint(HttpSession session) {
List<Hint> listHints = new ArrayList<Hint>();
WebSession ws = getWebSesion(session);
WebSession ws = getWebSession(session);
AbstractLesson l = ws.getCurrentLesson();
if (l == null) {
return listHints;


@ -58,9 +58,9 @@ public class LessonMenuService extends BaseService {
public @ResponseBody
List<LessonMenuItem> showLeftNav(HttpSession session) {
List<LessonMenuItem> menu = new ArrayList<LessonMenuItem>();
WebSession ws = getWebSesion(session);
WebSession ws = getWebSession(session);
// Get the categories, these are the main menu items
Course course = ((Course) session.getAttribute("course"));
Course course = ws.getCourse();
List<Category> categories = course.getCategories();
for (Category category : categories) {


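--- /dev/null
+++ b/org/owasp/webgoat/service/LessonPlanService.java
@@ -0,0 +1,94 @@
+/**
+* *************************************************************************************************
+*
+*
+* This file is part of WebGoat, an Open Web Application Security Project
+* utility. For details, please see http://www.owasp.org/
+*
+* Copyright (c) 2002 - 2007 Bruce Mayhew
+*
+* This program is free software; you can redistribute it and/or modify it under
+* the terms of the GNU General Public License as published by the Free Software
+* Foundation; either version 2 of the License, or (at your option) any later
+* version.
+*
+* This program is distributed in the hope that it will be useful, but WITHOUT
+* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+* details.
+*
+* You should have received a copy of the GNU General Public License along with
+* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+* Place - Suite 330, Boston, MA 02111-1307, USA.
+*
+* Getting Source ==============
+*
+* Source for this application is maintained at code.google.com, a repository
+* for free software projects.
+*
+* For details, please see http://code.google.com/p/webgoat/
+*/
+package org.owasp.webgoat.service;
+import javax.servlet.http.HttpSession;
+import static org.owasp.webgoat.LessonSource.END_SOURCE_SKIP;
+import static org.owasp.webgoat.LessonSource.START_SOURCE_SKIP;
+import org.owasp.webgoat.lessons.AbstractLesson;
+import org.owasp.webgoat.lessons.model.SourceListing;
+import org.owasp.webgoat.session.Course;
+import org.owasp.webgoat.session.WebSession;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+/**
+*
+* @author rlawson
+*/
+@Controller
+public class LessonPlanService extends BaseService {
+/**
+* Returns source for current attack
+*
+* @param session
+* @return
+*/
+@RequestMapping(value = "/lessonplan.mvc", produces = "application/json")
+public @ResponseBody
+SourceListing showSource(HttpSession session) {
+WebSession ws = getWebSession(session);
+String source = getSource(ws);
+SourceListing sl = new SourceListing();
+sl.setSource(source);
+return sl;
+}
+/**
+* Description of the Method
+*
+* @param s Description of the Parameter
+* @return Description of the Return Value
+*/
+protected String getSource(WebSession s) {
+String source = null;
+int scr = s.getCurrentScreen();
+Course course = s.getCourse();
+if (s.isUser() || s.isChallenge()) {
+AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
+if (lesson != null) {
+source = lesson.getRawSource(s);
+}
+}
+if (source == null) {
+return "Source code is not available. Contact "
++ s.getWebgoatContext().getFeedbackAddressHTML();
+}
+return (source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP,
+"Code Section Deliberately Omitted"));
+}
+}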
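Review bot: `showSource` and `getSource` in the new `LessonPlanService` duplicate the `showSource` body visible in SourceService in this same commit, and the class returns `lesson.getRawSource(s)` although its name and the `/lessonplan.mvc` mapping point at a lesson plan; either the body is a placeholder that should fetch the plan, or the shared lookup belongs once in BaseService rather than in each service. The `replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP, ...)` call treats both markers as regex and uses a greedy `.*`, so a metacharacter in a marker changes the match and several skip blocks in one file collapse into a single omission spanning the code between them; `Pattern.quote(START_SOURCE_SKIP) + ".*?" + Pattern.quote(END_SOURCE_SKIP)` (with `java.util.regex.Pattern` imported) is the safer form. The Javadoc on `getSource` is template text (`Description of the Method`); a summary such as `Returns the current lesson's source with the marked sections removed, or a message when no lesson or source is available.` would help.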


@ -62,7 +62,7 @@ public class ParameterService extends BaseService {
public @ResponseBody
List<RequestParameter> showParameters(HttpSession session) {
List<RequestParameter> listParms = new ArrayList<RequestParameter>();
WebSession ws = getWebSesion(session);
WebSession ws = getWebSession(session);
listParms = ws.getParmsOnLastRequest();
Collections.sort(listParms);
return listParms;


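--- /dev/null
+++ b/org/owasp/webgoat/service/SessionService.java
@@ -0,0 +1,57 @@
+/*
+* To change this license header, choose License Headers in Project Properties.
+* To change this template file, choose Tools | Templates
+* and open the template in the editor.
+*/
+package org.owasp.webgoat.service;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Date;
+import java.util.Enumeration;
+import java.util.List;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+/**
+*
+* @author rlawson
+*/
+@Controller
+public class SessionService extends BaseService {
+/**
+* Returns hints for current lesson
+*
+* @param session
+* @return
+*/
+@RequestMapping(value = "/session.mvc", produces = "application/json")
+public @ResponseBody
+String showSession(HttpServletRequest request, HttpSession session) {
+StringBuilder sb = new StringBuilder();
+sb.append("id").append(" = ").append(session.getId()).append("\n");
+sb.append("created").append(" = ").append(new Date(session.getCreationTime())).append("\n");
+sb.append("last access").append(" = ").append(new Date(session.getLastAccessedTime())).append("\n");
+sb.append("timeout (secs)").append(" = ").append(session.getMaxInactiveInterval()).append("\n");
+sb.append("session from cookie?").append(" = ").append(request.isRequestedSessionIdFromCookie()).append("\n");
+sb.append("session from url?").append(" = ").append(request.isRequestedSessionIdFromURL()).append("\n");
+sb.append("=====================================\n");
+// get attributes
+List<String> attributes = new ArrayList<String>();
+Enumeration keys = session.getAttributeNames();
+while (keys.hasMoreElements()) {
+String name = (String) keys.nextElement();
+attributes.add(name);
+}
+Collections.sort(attributes);
+for (String attribute : attributes) {
+String value = session.getAttribute(attribute) + "";
+sb.append(attribute).append(" = ").append(value).append("\n");
+}
+return sb.toString();
+}
+}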
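Review bot: `showSession` in the new `SessionService` returns the session id, timeout and the `toString()` of every session attribute to whoever calls `/session.mvc`, and nothing in the class limits it to a debugging mode; even though a caller only sees their own session, the attribute dump renders objects that were never meant to reach a browser, and the id in a response body is one more place it can be captured, so the endpoint should be gated by a debug/admin setting and the `id` line dropped or truncated. The mapping declares `produces = "application/json"` but the body is newline-separated text, so `produces = "text/plain"` matches what is actually sent. The raw `Enumeration keys = session.getAttributeNames();` and the copy loop can become `List<String> attributes = Collections.list(session.getAttributeNames());` if the servlet API in use returns `Enumeration<String>`, and the Javadoc `Returns hints for current lesson` is copied from HintService and should read `Dumps metadata and attributes of the current HTTP session for debugging.`.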


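--- /dev/null
+++ b/org/owasp/webgoat/service/SolutionService.java
@@ -0,0 +1,85 @@
+/**
+* *************************************************************************************************
+*
+*
+* This file is part of WebGoat, an Open Web Application Security Project
+* utility. For details, please see http://www.owasp.org/
+*
+* Copyright (c) 2002 - 2007 Bruce Mayhew
+*
+* This program is free software; you can redistribute it and/or modify it under
+* the terms of the GNU General Public License as published by the Free Software
+* Foundation; either version 2 of the License, or (at your option) any later
+* version.
+*
+* This program is distributed in the hope that it will be useful, but WITHOUT
+* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+* details.
+*
+* You should have received a copy of the GNU General Public License along with
+* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+* Place - Suite 330, Boston, MA 02111-1307, USA.
+*
+* Getting Source ==============
+*
+* Source for this application is maintained at code.google.com, a repository
+* for free software projects.
+*
+* For details, please see http://code.google.com/p/webgoat/
+*/
+package org.owasp.webgoat.service;
+import javax.servlet.http.HttpSession;
+import static org.owasp.webgoat.LessonSource.END_SOURCE_SKIP;
+import static org.owasp.webgoat.LessonSource.START_SOURCE_SKIP;
+import org.owasp.webgoat.lessons.AbstractLesson;
+import org.owasp.webgoat.lessons.model.SourceListing;
+import org.owasp.webgoat.session.Course;
+import org.owasp.webgoat.session.WebSession;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+/**
+*
+* @author rlawson
+*/
+@Controller
+public class SolutionService extends BaseService {
+/**
+* Returns solution for current attack
+*
+* @param session
+* @return
+*/
+@RequestMapping(value = "/solution.mvc", produces = "text/html")
+public @ResponseBody
+String showSolution(HttpSession session) {
+WebSession ws = getWebSession(session);
+String source = getSolution(ws);
+return source;
+}
+protected String getSolution(WebSession s) {
+String source = null;
+int scr = s.getCurrentScreen();
+Course course = s.getCourse();
+if (s.isUser() || s.isChallenge()) {
+AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
+if (lesson != null) {
+source = lesson.getSolution(s);
+}
+}
+if (source == null) {
+return "Solution is not available. Contact "
++ s.getWebgoatContext().getFeedbackAddressHTML();
+}
+return (source);
+}
+}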
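Review bot: `getSolution` in the new `SolutionService` repeats the screen/course/role lookup that LessonPlanService's `getSource` performs in this same commit, differing only in the final `lesson.getSolution(s)` call; a shared helper in BaseService, e.g. `protected AbstractLesson getCurrentLesson(WebSession s)` returning the lesson or null, would leave each service with just the one call that differs. `getSolution` has no Javadoc; `Returns the solution HTML for the current lesson, or a "not available" message with the feedback address when the user has no lesson or no solution is defined.` states the contract, and `@return` on `showSolution` is empty. The unused static imports of `START_SOURCE_SKIP` and `END_SOURCE_SKIP` and the `SourceListing` import look copied from the source service and can go, and `return (source);` needs no parentheses.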


@ -57,7 +57,7 @@ public class SourceService extends BaseService {
@RequestMapping(value = "/source.mvc", produces = "application/json")
public @ResponseBody
SourceListing showSource(HttpSession session) {
WebSession ws = getWebSesion(session);
WebSession ws = getWebSession(session);
String source = getSource(ws);
SourceListing sl = new SourceListing();
sl.setSource(source);


@ -92,6 +92,8 @@ public class WebSession {
*/
public final static String COLOR = "color";
public final static String COURSE = "course";
/**
* Description of the Field
*/