dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix session timeout issue

Browse Source 
removed tiles
various small cleanups
added session service to aid in debugging session issues
This commit is contained in:
lawson89 2014-08-13 11:20:59 -04:00
parent a4807a026c
commit 354826e645
24 changed files with 316 additions and 713 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
java/org/owasp/webgoat/HammerHead.java
View File

@ -134,6 +134,12 @@ public class HammerHead extends HttpServlet {
return;
}
if ("true".equals(request.getParameter("start"))) {
logger.warn("Redirecting to start controller");
response.sendRedirect("start.mvc");
return;
}
// Note: For the lesson to track the status, we need to update
// the lesson tracker object
// from the screen.createContent() method. The create content is
@ -176,8 +182,9 @@ public class HammerHead extends HttpServlet {
clientBrowser = userAgent;
}
request.setAttribute("client.browser", clientBrowser);
request.getSession().setAttribute("websession", mySession);
request.getSession().setAttribute("course", mySession.getCourse());
request.getSession().setAttribute(WebSession.SESSION, mySession);
// not sure why this is being set in the session?
request.getSession().setAttribute(WebSession.COURSE, mySession.getCourse());
String viewPage = getViewPage(mySession);
logger.debug("Forwarding to view: " + viewPage);
logger.debug("Screen: " + screen);
@ -199,18 +206,9 @@ public class HammerHead extends HttpServlet {
}
private String getViewPage(WebSession webSession) {
String page;
// If this session has not seen the landing page yet, go there instead.
HttpSession session = webSession.getRequest().getSession();
if (session.getAttribute(WELCOMED) == null) {
session.setAttribute(WELCOMED, "true");
page = "/webgoat.jsp";
} else {
// now always display the lesson content
String page = "/lesson_content.jsp";
//page = "/main.jsp";
page = "/lesson_content.jsp";
}
return page;
}
@ -378,7 +376,7 @@ public class HammerHead extends HttpServlet {
HttpSession hs;
hs = request.getSession(true);
// System.out.println( "HH Entering Session_id: " + hs.getId() );
logger.debug("HH Entering Session_id: " + hs.getId());
// dumpSession( hs );
// Get our session object out of the HTTP session
WebSession session = null;
@ -388,7 +386,7 @@ public class HammerHead extends HttpServlet {
session = (WebSession) o;
} else {
// Create new custom session and save it in the HTTP session
// System.out.println( "HH Creating new WebSession: " );
logger.warn("HH Creating new WebSession");
session = new WebSession(webgoatContext, context);
// Ensure splash screen shows on any restart
// rlawson - removed this since we show splash screen at login now
@ -405,8 +403,8 @@ public class HammerHead extends HttpServlet {
session.update(request, response, this.getServletName());
// to authenticate
// System.out.println( "HH Leaving Session_id: " + hs.getId() );
// dumpSession( hs );
logger.debug("HH Leaving Session_id: " + hs.getId());
//dumpSession( hs );
return (session);
}

1
java/org/owasp/webgoat/controller/Start.java
View File

@ -6,7 +6,6 @@
package org.owasp.webgoat.controller;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

13
java/org/owasp/webgoat/controller/Welcome.java
View File

@ -7,6 +7,8 @@ package org.owasp.webgoat.controller;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
@ -20,6 +22,7 @@ import org.springframework.web.servlet.ModelAndView;
@Controller
public class Welcome {
final Logger logger = LoggerFactory.getLogger(Welcome.class);
private static final String WELCOMED = "welcomed";
@RequestMapping(value = "welcome.mvc", method = RequestMethod.GET)
@ -34,11 +37,13 @@ public class Welcome {
if (session.getAttribute(WELCOMED) == null) {
session.setAttribute(WELCOMED, "true");
}
//@TODO put stuff here the welcome page needs to access
//go ahead and send them to webgoat (skip the welcome page)
ModelAndView model = new ModelAndView();
model.setViewName("welcome");
//model.setViewName("welcome");
//model.setViewName("main_new");
model.setViewName("forward:/attack?start=true");
return model;
}
}

107
java/org/owasp/webgoat/lessons/HttpBasicsController.java
View File

@ -1,107 +0,0 @@
package org.owasp.webgoat.lessons;
import java.util.ArrayList;
import java.util.List;
import org.apache.log4j.Logger;
import org.owasp.webgoat.lessons.model.HttpBasicsModel;
import org.owasp.webgoat.session.WebSession;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;
/**
* <p>
* Handles the "HTTP Basics" lesson. Contains all
* mapping methods for that lesson as well as all helper methods
* used by those mappers.
* </p>
*
*/
@Controller
public class HttpBasicsController extends LessonAdapter {
protected static Logger logger = Logger.getLogger("controller");
// [url] path used by this lesson
private final String PAGE_PATH = "httpBasics.do";
// The (apache) tile used by this lesson, as specified in tiles-definitions.xml
private String TILE_NAME = "http-basics";
// ID attribute associated with the JSP's form.
private String FORM_NAME = "command";
/**
* @see {@link org.owasp.webgoat.lessons.AbstractLesson#getPath()}
* @see {@link org.owasp.webgoat.lessons.AbstractLesson#getLink()}
*/
protected String getPath() {
return PAGE_PATH;
}
/**
* Handles GET requests for this lesson.
* @return
*/
@RequestMapping(value = PAGE_PATH, method = RequestMethod.GET)
public ModelAndView displayPage() {
return new ModelAndView(TILE_NAME, FORM_NAME, new HttpBasicsModel());
}
/**
* Handles POST requests for this lesson. Takes the user's name and displays
* a reversed copy of it.
*
* @param httpBasicsModel
* @param model
* @return
*/
@RequestMapping(value = PAGE_PATH, method = RequestMethod.POST)
public ModelAndView processSubmit(
@ModelAttribute("")HttpBasicsModel httpBasicsModel, ModelMap model) {
StringBuffer personName = new StringBuffer(httpBasicsModel.getPersonName());
httpBasicsModel.setPersonName(personName.reverse().toString());
return new ModelAndView(TILE_NAME, FORM_NAME, httpBasicsModel);
}
public Category getCategory()
{
return Category.GENERAL;
}
/**
* Gets the hints attribute of the HelloScreen object
*
* @return The hints value
*/
public List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add("Type in your name and press 'go'");
hints.add("Turn on Show Parameters or other features");
hints.add("Try to intercept the request with WebScarab");
hints.add("Press the Show Lesson Plan button to view a lesson summary");
hints.add("Press the Show Solution button to view a lesson solution");
return hints;
}
protected String getInstructions()
{
return null;
}
public String getTitle()
{
// TODO: GET RID OF THE "(Spring MVC)" BELOW LATER!!!!"
return "HTTP Basics (Spring MVC)";
}
}

47
java/org/owasp/webgoat/service/BaseService.java
View File

@ -1,27 +1,30 @@
/***************************************************************************************************
/**
* *************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository for free software
* projects.
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*/
@ -29,7 +32,10 @@ package org.owasp.webgoat.service;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.owasp.webgoat.controller.Welcome;
import org.owasp.webgoat.session.WebSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RequestMapping;
@ -43,23 +49,26 @@ import org.springframework.web.bind.annotation.ResponseStatus;
@RequestMapping("/service")
public abstract class BaseService {
final Logger logger = LoggerFactory.getLogger(BaseService.class);
@ExceptionHandler(Exception.class)
@ResponseStatus(value = HttpStatus.I_AM_A_TEAPOT)
public @ResponseBody
ExceptionInfo handleException(HttpServletRequest request, Exception ex) {
String url = request.getRequestURL().toString();
logger.error("Exception handler for service caught exception when processing: " + url, ex);
ExceptionInfo response = new ExceptionInfo();
response.setUrl(request.getRequestURL().toString());
response.setMessage(ex.getMessage());
response.setUrl(url);
response.setMessage(ex.toString());
return response;
}
public WebSession getWebSesion(HttpSession session) {
public WebSession getWebSession(HttpSession session) {
WebSession ws;
Object o = session.getAttribute(WebSession.SESSION);
if (o == null || !(o instanceof WebSession)) {
throw new IllegalArgumentException("No valid session object found, has session timed out?");
throw new IllegalArgumentException("No valid session object found, has session timed out? [" + session.getId() + "]");
}
ws = (WebSession) o;
return ws;

2
java/org/owasp/webgoat/service/CookieService.java
View File

@ -54,7 +54,7 @@ public class CookieService extends BaseService {
@RequestMapping(value = "/cookie.mvc", produces = "application/json")
public @ResponseBody
List<Cookie> showCookies(HttpSession session) {
WebSession ws = getWebSesion(session);
WebSession ws = getWebSession(session);
List<Cookie> cookies = ws.getCookiesOnLastRequest();
return cookies;
}

2
java/org/owasp/webgoat/service/HintService.java
View File

@ -32,7 +32,7 @@ public class HintService extends BaseService {
public @ResponseBody
List<Hint> showHint(HttpSession session) {
List<Hint> listHints = new ArrayList<Hint>();
WebSession ws = getWebSesion(session);
WebSession ws = getWebSession(session);
AbstractLesson l = ws.getCurrentLesson();
if (l == null) {
return listHints;

4
java/org/owasp/webgoat/service/LessonMenuService.java
View File

@ -58,9 +58,9 @@ public class LessonMenuService extends BaseService {
public @ResponseBody
List<LessonMenuItem> showLeftNav(HttpSession session) {
List<LessonMenuItem> menu = new ArrayList<LessonMenuItem>();
WebSession ws = getWebSesion(session);
WebSession ws = getWebSession(session);
// Get the categories, these are the main menu items
Course course = ((Course) session.getAttribute("course"));
Course course = ws.getCourse();
List<Category> categories = course.getCategories();
for (Category category : categories) {

94
java/org/owasp/webgoat/service/LessonPlanService.java Normal file
View File

@ -0,0 +1,94 @@
/**
* *************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*/
package org.owasp.webgoat.service;
import javax.servlet.http.HttpSession;
import static org.owasp.webgoat.LessonSource.END_SOURCE_SKIP;
import static org.owasp.webgoat.LessonSource.START_SOURCE_SKIP;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.model.SourceListing;
import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.WebSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
/**
*
* @author rlawson
*/
@Controller
public class LessonPlanService extends BaseService {
/**
* Returns source for current attack
*
* @param session
* @return
*/
@RequestMapping(value = "/lessonplan.mvc", produces = "application/json")
public @ResponseBody
SourceListing showSource(HttpSession session) {
WebSession ws = getWebSession(session);
String source = getSource(ws);
SourceListing sl = new SourceListing();
sl.setSource(source);
return sl;
}
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected String getSource(WebSession s) {
String source = null;
int scr = s.getCurrentScreen();
Course course = s.getCourse();
if (s.isUser() || s.isChallenge()) {
AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
if (lesson != null) {
source = lesson.getRawSource(s);
}
}
if (source == null) {
return "Source code is not available. Contact "
+ s.getWebgoatContext().getFeedbackAddressHTML();
}
return (source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP,
"Code Section Deliberately Omitted"));
}
}

2
java/org/owasp/webgoat/service/ParameterService.java
View File

@ -62,7 +62,7 @@ public class ParameterService extends BaseService {
public @ResponseBody
List<RequestParameter> showParameters(HttpSession session) {
List<RequestParameter> listParms = new ArrayList<RequestParameter>();
WebSession ws = getWebSesion(session);
WebSession ws = getWebSession(session);
listParms = ws.getParmsOnLastRequest();
Collections.sort(listParms);
return listParms;

57
java/org/owasp/webgoat/service/SessionService.java Normal file
View File

@ -0,0 +1,57 @@
/*
* To change this license header, choose License Headers in Project Properties.
* To change this template file, choose Tools | Templates
* and open the template in the editor.
*/
package org.owasp.webgoat.service;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
/**
*
* @author rlawson
*/
@Controller
public class SessionService extends BaseService {
/**
* Returns hints for current lesson
*
* @param session
* @return
*/
@RequestMapping(value = "/session.mvc", produces = "application/json")
public @ResponseBody
String showSession(HttpServletRequest request, HttpSession session) {
StringBuilder sb = new StringBuilder();
sb.append("id").append(" = ").append(session.getId()).append("\n");
sb.append("created").append(" = ").append(new Date(session.getCreationTime())).append("\n");
sb.append("last access").append(" = ").append(new Date(session.getLastAccessedTime())).append("\n");
sb.append("timeout (secs)").append(" = ").append(session.getMaxInactiveInterval()).append("\n");
sb.append("session from cookie?").append(" = ").append(request.isRequestedSessionIdFromCookie()).append("\n");
sb.append("session from url?").append(" = ").append(request.isRequestedSessionIdFromURL()).append("\n");
sb.append("=====================================\n");
// get attributes
List<String> attributes = new ArrayList<String>();
Enumeration keys = session.getAttributeNames();
while (keys.hasMoreElements()) {
String name = (String) keys.nextElement();
attributes.add(name);
}
Collections.sort(attributes);
for (String attribute : attributes) {
String value = session.getAttribute(attribute) + "";
sb.append(attribute).append(" = ").append(value).append("\n");
}
return sb.toString();
}
}

85
java/org/owasp/webgoat/service/SolutionService.java Normal file
View File

@ -0,0 +1,85 @@
/**
* *************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*/
package org.owasp.webgoat.service;
import javax.servlet.http.HttpSession;
import static org.owasp.webgoat.LessonSource.END_SOURCE_SKIP;
import static org.owasp.webgoat.LessonSource.START_SOURCE_SKIP;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.model.SourceListing;
import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.WebSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
/**
*
* @author rlawson
*/
@Controller
public class SolutionService extends BaseService {
/**
* Returns solution for current attack
*
* @param session
* @return
*/
@RequestMapping(value = "/solution.mvc", produces = "text/html")
public @ResponseBody
String showSolution(HttpSession session) {
WebSession ws = getWebSession(session);
String source = getSolution(ws);
return source;
}
protected String getSolution(WebSession s) {
String source = null;
int scr = s.getCurrentScreen();
Course course = s.getCourse();
if (s.isUser() || s.isChallenge()) {
AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
if (lesson != null) {
source = lesson.getSolution(s);
}
}
if (source == null) {
return "Solution is not available. Contact "
+ s.getWebgoatContext().getFeedbackAddressHTML();
}
return (source);
}
}

2
java/org/owasp/webgoat/service/SourceService.java
View File

@ -57,7 +57,7 @@ public class SourceService extends BaseService {
@RequestMapping(value = "/source.mvc", produces = "application/json")
public @ResponseBody
SourceListing showSource(HttpSession session) {
WebSession ws = getWebSesion(session);
WebSession ws = getWebSession(session);
String source = getSource(ws);
SourceListing sl = new SourceListing();
sl.setSource(source);

2
java/org/owasp/webgoat/session/WebSession.java
View File

@ -92,6 +92,8 @@ public class WebSession {
*/
public final static String COLOR = "color";
public final static String COURSE = "course";
/**
* Description of the Field
*/

3
resources/log4j.properties
View File

@ -1,4 +1,5 @@
log4j.rootLogger=DEBUG, MAIN_LOG, ERROR_LOG
log4j.rootLogger=DEBUG, MAIN_LOG
#log4j.rootLogger=DEBUG, MAIN_LOG, ERROR_LOG
# MAIN - everything gets logged here
log4j.appender.MAIN_LOG=org.apache.log4j.RollingFileAppender

70
webapp/WEB-INF/pages/layouts/genericLesson.jsp
View File

@ -1,70 +0,0 @@
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%@ taglib uri="http://tiles.apache.org/tags-tiles" prefix="tiles"%>
<%@ page
language="java"
contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"
import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.AbstractLesson, org.owasp.webgoat.util.*"
errorPage=""
isELIgnored="false" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title><tiles:insertAttribute name="title-content" /></title>
<link rel="stylesheet" href="css/webgoat.css" type="text/css" />
<link rel="stylesheet" href="css/lesson.css" type="text/css" />
<link rel="stylesheet" href="css/menu.css" type="text/css" />
<link rel="stylesheet" href="css/layers.css" type="text/css" />
<script language="JavaScript1.2" src="javascript/javascript.js" type="text/javascript"></script>
<script language="JavaScript1.2" src="javascript/menu_system.js" type="text/javascript"></script>
<script language="JavaScript1.2" src="javascript/lessonNav.js" type="text/javascript"></script>
<script language="JavaScript1.2" src="javascript/makeWindow.js" type="text/javascript"></script>
<script language="JavaScript1.2" src="javascript/toggle.js" type="text/javascript"></script>
</head>
<body>
<%
Course course = ((Course)session.getAttribute("course"));
WebSession webSession = ((WebSession)session.getAttribute("websession"));
// pcs 8/29/2012 - HACK
//
// Legacy lessons result in a call to WebSession.update(). Among other things, that call
// sets the previous and current screens. The latter determines the title that is displayed
// in the webgoat banner.
//
// The new Spring-MVC jsps, among which is this genericLesson.jsp, are loaded via our dispatcher servlet
// and does not pass through the code path that results in that update() call.
//
// As a result, we must call update() explicitly here. If we refactor away that legacy code as part
// of webgoat 6 development, we will need to get rid of the call below.
//
webSession.update(request, response, "genericLesson");
AbstractLesson currentLesson = webSession.getCurrentLesson();
%>
<div id="header-style"><tiles:insertAttribute name="header-content" /></div>
<div><tiles:insertAttribute name="menu-content" /></div>
<div id="lessonTitle" align="right"><%= currentLesson.getTitle() %></div>
<div id="primary-style"">
<div id="lessonArea">
<tiles:insertAttribute name="hints-params-cookies" />
<div id="twoCol">
<div id="menuSpacer"></div>
<div id="lessonAreaTop">
<div id="training_wrap">
<div id="training" class="info"><a href="http://yehg.net/lab/pr0js/training/webgoat.php" target="_blank"><%=WebGoatI18N.get("SolutionVideos")%></a></div>
<div id="reset" class="info"><a href="<%=webSession.getRestartLink()%>"><%=WebGoatI18N.get("RestartLesson")%></a></div>
</div>
</div>
</div>
<div id="lessonContent">
<tiles:insertAttribute name="primary-content" />
</div>
</div>
</div>
<div id="footer-style"><tiles:insertAttribute name="footer-content" /></div>
</body>
</html>

77
webapp/WEB-INF/pages/lessons/httpBasics.jsp
View File

@ -1,77 +0,0 @@
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%@ taglib uri="http://tiles.apache.org/tags-tiles" prefix="tiles"%>
<%@taglib uri="http://www.springframework.org/tags/form" prefix="form"%>
<%@ page
language="java"
contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"
import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.AbstractLesson"
errorPage=""
isELIgnored="false" %>
<div id="lessonPlans" style="visibility:hidden; height:1px; position:absolute; left:260px; top:130px; width:425px; z-index:105;">
<div align="Center">
<p><b>Lesson Plan Title:</b> Http Basics </p>
</div>
<p><b>Concept / Topic To Teach:</b> </p>
This lesson presents the basics for understanding the transfer of data between the browser and the web application.<br>
<div align="Left">
<p>
<b>How HTTP works:</b>
</p>
All HTTP transactions follow the same general format. Each client request and server response has three parts: the request or response line, a header section, and the entity body. The client initiates a transaction as follows: <br>
<br>
The client contacts the server and sends a document request <br>
</div>
<br>
<ul>GET /index.html?param=value HTTP/1.0</ul>
Next, the client sends optional header information to inform the server of its configuration and the document formats it will accept.<br>
<br>
<ul>User-Agent: Mozilla/4.06 Accept: image/gif,image/jpeg, */*</ul>
After sending the request and headers, the client may send additional data. This data is mostly used by CGI programs using the POST method.<br>
<p><b>General Goal(s):</b> </p>
<%-- Start Instructions --%>
Enter your name in the input field below and press "go" to submit. The server will accept the request, reverse the input, and display it back to the user, illustrating the basics of handling an HTTP request.
<br/><br/>
The user should become familiar with the features of WebGoat by manipulating the above
buttons to view hints, show the HTTP request parameters, the HTTP request cookies, and the Java source code. You may also try using WebScarab for the first time.
<%-- Stop Instructions --%>
<br/>
<br/>
<a href="javascript:toggle('lessonPlans')" target="_top" onclick="MM_nbGroup('down','group1','plans','',1)">Close this Window</a>
</div>
<%
Course course = ((Course)session.getAttribute("course"));
WebSession webSession = ((WebSession)session.getAttribute("websession"));
%>
<%--
This form posts to httpBasics.do. However, we must append the "menu" request parameter in order
for the current submenu to display properly, hence the getLink() call to build the form's
action attribute below.
--%>
<form:form method="POST" action="<%= webSession.getCurrentLesson().getLink() %>">
<p>
Enter your name in the input field below and press "go" to submit.
The server will accept the request, reverse the input, and display it back to the user,
illustrating the basics of handling an HTTP request.
</p>
<p>
The user should become familiar with the features of WebGoat by manipulating
the above buttons to view hints, show the HTTP request parameters,
the HTTP request cookies, and the Java source code.
You may also try using WebScarab for the first time.
</p>
<p>
Enter your name:
<form:input path="personName" />
<input name="SUBMIT" type="SUBMIT" value="Go!"/>
</p>
</form:form>

7
webapp/WEB-INF/pages/sections/footer.jsp
View File

@ -1,7 +0,0 @@
<div id="bottom">
<div align="center">
<a href="http://www.owasp.org">OWASP Foundation</a> |
<a href="http://www.owasp.org/index.php/OWASP_WebGoat_Project">Project WebGoat</a> |
<a href="reportBug.jsp">Report Bug</a>
</div>
</div>

2
webapp/WEB-INF/pages/sections/header.jsp
View File

@ -1,2 +0,0 @@
<div id="top"/>
<div id="topLeft">

45
webapp/WEB-INF/pages/sections/hintsParamsAndCookies.jsp
View File

@ -1,45 +0,0 @@
<%@ page
language="java"
contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"
import="java.util.Iterator, org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.AbstractLesson, org.owasp.webgoat.util.*"
errorPage=""
isELIgnored="false" %>
<%
Course course = ((Course)session.getAttribute("course"));
WebSession webSession = ((WebSession)session.getAttribute("websession"));
AbstractLesson currentLesson = webSession.getCurrentLesson();
if (webSession.getHint() != null)
{
%>
<div id="hint" class="info"> <%= webSession.getHint() %> </div><br>
<%
}
if (webSession.getParams() != null)
{
Iterator i = webSession.getParams().iterator();
while (i.hasNext())
{
Parameter p = (Parameter) i.next();
%>
<div id="parameter" class="info"> <%= p.getName()%> = <%= p.getValue() %></div><br>
<%
}
}
if (webSession.getCookies() != null)
{
Iterator i = webSession.getCookies().iterator();
while (i.hasNext())
{
Cookie c = (Cookie) i.next();
%>
<div id="cookie" class="info"> <%= c.getName() %> <img src="images/icons/rightArrow.jpg" alt="\"><%= c.getValue() %></div><br>
<%
}
}
%>

202
webapp/WEB-INF/pages/sections/menu.jsp
View File

@ -1,202 +0,0 @@
<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.Category, org.owasp.webgoat.lessons.AbstractLesson, org.owasp.webgoat.util.*, java.util.*"
errorPage="" %>
<%
Course course = ((Course)session.getAttribute("course"));
WebSession webSession = ((WebSession)session.getAttribute("websession"));
AbstractLesson currentLesson = webSession.getCurrentLesson();
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<%@page import="org.owasp.webgoat.lessons.RandomLessonAdapter"%>
<html xmlns="http://www.w3.org/1999/xhtml">
<%
final String menuPrefix = WebSession.MENU;
final String submenuPrefix = "submenu";
final String mbutPrefix = "mbut";
String printHint = "";
String printParameters = "";
String printCookies = "";
String lessonComplete = "<img src=\"images/buttons/lessonComplete.jpg\">";
List categories = course.getCategories();
StringBuffer buildList = new StringBuffer();
Iterator iter1 = categories.iterator();
while(iter1.hasNext())
{
Category category = (Category)iter1.next();
buildList.append("'");
buildList.append(menuPrefix);
buildList.append(category.getRanking());
buildList.append("','");
buildList.append(submenuPrefix);
buildList.append(category.getRanking());
buildList.append("','");
buildList.append(mbutPrefix);
buildList.append(category.getRanking());
buildList.append("'");
if (iter1.hasNext())
buildList.append(",");
}%>
<body class="page" onload="setMenuMagic1(10,40,10,'menubottom',<%=buildList%>);trigMM1url('<%= menuPrefix %>',1);MM_preloadImages('images/buttons/hintLeftOver.jpg','images/buttons/hintOver.jpg','images/buttons/hintRightOver.jpg','images/buttons/paramsOver.jpg','images/buttons/htmlOver.jpg','images/buttons/cookiesOver.jpg','images/buttons/javaOver.jpg','images/buttons/plansOver.jpg','images/buttons/logout.jpg','images/buttons/helpOver.jpg'); initIframe();">
<div id="wrap">
<%
int topCord = 140;
int zIndex = 105;
Iterator iter2 = categories.iterator();
while(iter2.hasNext())
{
Category category = (Category)iter2.next();
%>
<div id="<%=menuPrefix + category.getRanking()%>" style="position:absolute; left:30px; top:<%=topCord%>px; width:160px; z-index:<%=zIndex%>"><a href="javascript:;" onclick="trigMenuMagic1('<%=menuPrefix + category.getRanking()%>',1);return false" onfocus="if(this.blur)this.blur()"><img src="images/menu_images/1x1.gif" width="1" height=1"20" name="mbut<%=category.getRanking()%>" border="0" alt=""/><%=category.getName()%></a></div>
<%
topCord=topCord + 30;
zIndex=zIndex + 1;
}
int topSubMenu = 72;
Iterator iter3 = categories.iterator();
while(iter3.hasNext())
{
Category category = (Category)iter3.next();
List lessons = webSession.getLessons(category);
Iterator iter4 = lessons.iterator();
%>
<div id="submenu<%=category.getRanking()%>" class="pviimenudiv" style="position:absolute; left:200px; top:<%=topSubMenu%>px; width:150px; visibility: hidden; z-index:<%=zIndex%>">
<table width="150" border="0" cellspacing="6" cellpadding="0"><%
topSubMenu=topSubMenu+30;
zIndex=zIndex + 1;
while(iter4.hasNext())
{
AbstractLesson lesson = (AbstractLesson)iter4.next();
%><tr>
<td><%=(lesson.isCompleted(webSession) ? lessonComplete : "")%><a href="<%=lesson.getLink()%>"><%=lesson.getTitle()%></a></td>
</tr>
<% if (lesson instanceof RandomLessonAdapter) {
RandomLessonAdapter rla = (RandomLessonAdapter) lesson;
String[] stages = rla.getStages();
if (stages != null)
for (int i=0; i<stages.length; i++) {
%>
<tr><td class="pviimenudivstage"><%=(rla.isStageComplete(webSession, stages[i]) ? lessonComplete : "")%><a href="<%=lesson.getLink() + "&stage=" + (i+1) %>">Stage <%=i+1%>: <%=stages[i] %></a>
</td></tr>
<%
}
}
%>
<%
}
%>
</table>
</div><%
}%>
<div id="top"></div>
<div id="topLeft">
<div align="left">
<% if (currentLesson.getAvailableLanguages().size() != 0 )
{
%>
<form method="get" action="attack" style="display: inline;">
Choose another language: <select name="language" size="1"
onChange="changeLanguage();">
<%
for(String lang: currentLesson.getAvailableLanguages()){
%>
<option value="<%=lang%>"
<% if(webSession.getCurrrentLanguage().equals(lang)) out.println("selected" );%>><%=lang%>
</option>
<%
}
%>
</select></form>
<%
} else {
%>
Internationalization is not available for this lesson
<%
}
%>
</div></div>
<div align="right" id="topRight">
<a href="attack?action=Logout" onmouseout="MM_swapImgRestore()"
onmouseover="MM_swapImage('logout','','images/buttons/logoutOver.jpg',1)"><img
src="images/buttons/logout.jpg" alt="LogOut" name="logout" width="45"
height="22" border="0" id="logout" /></a> <a href="#getFAQ()"
onmouseout="MM_swapImgRestore()"
onmouseover="MM_swapImage('help','','images/buttons/helpOver.jpg',1)"><img
src="images/buttons/help.jpg" alt="Help" name="help" width="22"
height="22" border="0" id="help" /></a>
</div>
<div id="hMenuBar">
<%
if (webSession.isAuthorizedInLesson(webSession.getRole(), WebSession.SHOWHINTS))
{
%>
<a href="<%= webSession.getCurrentLesson().getLink() %>&show=PreviousHint" target="_top" onclick="MM_nbGroup('down','group1','hintLeft','',1)"
onmouseover="MM_nbGroup('over','hintLeft','images/buttons/hintLeftOver.jpg','',1)"
onmouseout="MM_nbGroup('out')">
<img src="images/buttons/hintLeft.jpg" alt="Previous Hint" name="hintLeft" width="20" height="20" border="0" id="hintLeft"/>
</a>
<a href="<%= webSession.getCurrentLesson().getLink() %>&show=NextHint" target="_top" onclick="MM_nbGroup('down','group1','hint','',1)"
onmouseover="MM_nbGroup('over','hint','images/buttons/hintOver.jpg','',1)"
onmouseout="MM_nbGroup('out')">
<img src="images/buttons/hint.jpg" alt="Hints" name="hint" width="35" height="20" border="0" id="hint"/>
</a>
<a href="<%= webSession.getCurrentLesson().getLink() %>&show=NextHint" target="_top" onclick="MM_nbGroup('down','group1','hintRight','',1)"
onmouseover="MM_nbGroup('over','hintRight','images/buttons/hintRightOver.jpg','',1)"
onmouseout="MM_nbGroup('out')">
<img src="images/buttons/hintRight.jpg" alt="Next Hint" name="hintRight" width="20" height="20" border="0" id="hintRight"/>
</a>
<%}%>
<a href="<%= webSession.getCurrentLesson().getLink() %>&show=Params" target="_top" onclick="MM_nbGroup('down','group1','params','',1)"
onmouseover="MM_nbGroup('over','params','images/buttons/paramsOver.jpg','',1)"
onmouseout="MM_nbGroup('out')">
<img src="images/buttons/params.jpg" alt="Show Params" name="<%= webSession.getCurrentLesson().getLink() %>&show=Params" width="87" height="20" border="0" id="params"/>
</a>
<a href="<%= webSession.getCurrentLesson().getLink() %>&show=Cookies" target="_top" onclick="MM_nbGroup('down','group1','cookies','',1)"
onmouseover="MM_nbGroup('over','cookies','images/buttons/cookiesOver.jpg','',1)"
onmouseout="MM_nbGroup('out')">
<img src="images/buttons/cookies.jpg" alt="Show Cookies" name="cookies" width="99" height="20" border="0" id="cookies"/>
</a>
<a href="javascript:toggle('lessonPlans')" target="_top" onclick="MM_nbGroup('down','group1','plans','',1)"
onmouseover="MM_nbGroup('over','plans','images/buttons/plansOver.jpg','',1)"
onmouseout="MM_nbGroup('out')">
<img src="images/buttons/plans.jpg" alt="Lesson Plans" width="89" height="20" border="0" id="plans"/>
</a>
<%
if (webSession.isAuthorizedInLesson(webSession.getRole(), WebSession.SHOWSOURCE))
{
%>
<a href="source" onclick="makeWindow(this.href+ '?source=true', 'Java Source');return false;" target="javaWin"
onmouseover="MM_nbGroup('over','java','images/buttons/javaOver.jpg','',1)"
onmouseout="MM_nbGroup('out')">
<img src="images/buttons/java.jpg" alt="Show Java" name="java" width="75" height="20" border="0" id="java"/>
</a>
<a href="source" onclick="makeWindow(this.href + '?solution=true', 'Java Solution');return false;" target="javaWin"
onmouseover="MM_nbGroup('over','solutions','images/buttons/solutionsOver.jpg','',1)"
onmouseout="MM_nbGroup('out')">
<img src="images/buttons/solutions.jpg" alt="Show Solution" name="solutions" width="73" height="20" border="0" id="solutions"/>
</a>
<%}%>
</div>
<div id="twoCol">
<div id="menuSpacer"></div>
</div>
</div>
</body>
</html>

37
webapp/WEB-INF/tiles-context.xml
View File

@ -1,37 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
<!--
Note:
Spring 3.0 requires Tiles 2.1.2 or above, with explicit support for Tiles 2.2.
Tiles 2.1's EL support will be activated by default when running on JSP 2.1 or above
and when the Tiles EL module is present in the classpath.
See:
JIRA report for TilesViewResolver 2: https://jira.springsource.org/browse/SPR-5689
Apache Tiles 2: http://tiles.apache.org/
-->
<!-- Convenience subclass of UrlBasedViewResolver that supports TilesView (i.e. Tiles definitions) and custom subclasses of it. -->
<!-- Don't forget to set the order if you declared other ViewResolvers -->
<!-- See http://static.springsource.org/spring/docs/3.0.x/javadoc-api/org/springframework/web/servlet/view/tiles2/TilesViewResolver.html -->
<bean id="tilesviewResolver" class="org.springframework.web.servlet.view.tiles2.TilesViewResolver"
p:order="0"/>
<!-- Helper class to configure Tiles 2.x for the Spring Framework -->
<!-- See http://static.springsource.org/spring/docs/3.0.x/javadoc-api/org/springframework/web/servlet/view/tiles2/TilesConfigurer.html -->
<!-- The actual tiles templates are in the tiles-definitions.xml -->
<bean id="tilesConfigurer" class="org.springframework.web.servlet.view.tiles2.TilesConfigurer">
<property name="definitions">
<list>
<value>/WEB-INF/tiles-definitions.xml</value>
</list>
</property>
</bean>
</beans>

23
webapp/WEB-INF/tiles-definitions.xml
View File

@ -1,23 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE tiles-definitions PUBLIC
"-//Apache Software Foundation//DTD Tiles Configuration 2.1//EN"
"http://tiles.apache.org/dtds/tiles-config_2_1.dtd">
<tiles-definitions>
<!-- template for generic lessons -->
<definition name="generic-lesson" template="/WEB-INF/pages/layouts/genericLesson.jsp">
<put-attribute name="header-content" value="/WEB-INF/pages/sections/header.jsp" />
<put-attribute name="title-content" cascade="true" value="" />
<put-attribute name="menu-content" value="/WEB-INF/pages/sections/menu.jsp" />
<put-attribute name="hints-params-cookies" value="/WEB-INF/pages/sections/hintsParamsAndCookies.jsp" />
<put-attribute name="primary-content" value="" />
<put-attribute name="footer-content" value="/WEB-INF/pages/sections/footer.jsp" />
</definition>
<!-- vulnerability-specific lesson pages -->
<definition name="http-basics" extends="generic-lesson">
<put-attribute name="title-content" cascade="true" value="HTTP Basics"/>
<put-attribute name="primary-content" value="/WEB-INF/pages/lessons/httpBasics.jsp" />
</definition>
</tiles-definitions>

79
webapp/WEB-INF/web.xml
View File

@ -179,15 +179,11 @@
The string "${USER}" in the connection string will be replaced by the active username
when making a connection.
-->
<param-value>
jdbc:hsqldb:mem:${USER}
</param-value>
<param-value>jdbc:hsqldb:mem:${USER}</param-value>
</init-param>
<!-- Load this servlet at server startup time -->
<load-on-startup>5</load-on-startup>
</servlet>
@ -245,8 +241,6 @@
<!-- end spring security -->
<!-- Define mappings that are used by the servlet container to
translate a particular request URI (context-relative) to a
particular servlet. The examples below correspond to the
@ -318,7 +312,6 @@
in minutes. From a servlet or JSP page, you can modify
the timeout for a particular session dynamically by using
HttpSession.getMaxInactiveInterval(). -->
<session-config>
<!-- 2 days -->
<session-timeout>2880</session-timeout>
@ -333,75 +326,5 @@
<welcome-file>login.mvc</welcome-file>
</welcome-file-list>
<!-- Define reference to the user database for looking up roles -->
<!--
<resource-env-ref>
<description>
Link to the UserDatabase instance from which we request lists of
defined role names. Typically, this will be connected to the global
user database with a ResourceLink element in server.xml or the context
configuration file for the Manager web application.
</description>
<resource-env-ref-name>users</resource-env-ref-name>
<resource-env-ref-type>
org.apache.catalina.UserDatabase
</resource-env-ref-type>
</resource-env-ref>
-->
<!-- Define a Security Constraint on this Application -->
<!--
<security-constraint>
<web-resource-collection>
<web-resource-name>WebGoat Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>webgoat_user</role-name>
<role-name>webgoat_admin</role-name>
<role-name>webgoat_challenge</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>WebGoat Application Source</web-resource-name>
<url-pattern>/JavaSource/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>server_admin</role-name>
</auth-constraint>
</security-constraint>
-->
<!-- Login configuration uses BASIC authentication -->
<!--
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>WebGoat Application</realm-name>
</login-config>
-->
<!-- Security roles referenced by this web application -->
<!--
<security-role>
<description>The role that is required to administrate WebGoat</description>
<role-name>webgoat_admin</role-name>
</security-role>
<security-role>
<description>The role that is required to start the challenge log viewer</description>
<role-name>webgoat_challenge</role-name>
</security-role>
<security-role>
<description>The role that is required to use WebGoat</description>
<role-name>webgoat_user</role-name>
</security-role>
<security-role>
<description>This role is for admins only</description>
<role-name>server_admin</role-name>
</security-role>
-->
</web-app>