dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

get logout working

Browse Source 
fix issue with white screen after login
This commit is contained in:
lawson89 2014-06-19 19:43:07 -04:00
parent 80dae15f70
commit 39d5888ef3
7 changed files with 688 additions and 626 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
java/org/owasp/webgoat/HammerHead.java
View File

@ -187,7 +187,9 @@ public class HammerHead extends HttpServlet {
screen = new ErrorScreen(mySession, t); screen = new ErrorScreen(mySession, t);
} finally { } finally {
try { try {
if (screen instanceof ErrorScreen) {
this.writeScreen(mySession, screen, response); this.writeScreen(mySession, screen, response);
}
} catch (Throwable thr) { } catch (Throwable thr) {
logger.error("Could not write error screen", thr); logger.error("Could not write error screen", thr);
} }
@ -426,6 +428,7 @@ public class HammerHead extends HttpServlet {
response.setHeader("Content-Length", screen.getContentLength() + ""); response.setHeader("Content-Length", screen.getContentLength() + "");
screen.output(out); screen.output(out);
out.flush();
out.close(); out.close();
} }
} }

45
java/org/owasp/webgoat/controller/Logout.java Normal file
View File

@ -0,0 +1,45 @@
/*
* To change this license header, choose License Headers in Project Properties.
* To change this template file, choose Tools | Templates
* and open the template in the editor.
*/
package org.owasp.webgoat.controller;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.servlet.ModelAndView;
/**
*
* @author rlawson
*/
@Controller
public class Logout {
final Logger logger = LoggerFactory.getLogger(Logout.class);
@RequestMapping(value = "logout.do", method = RequestMethod.GET)
public ModelAndView logout(
@RequestParam(value = "error", required = false) String error,
@RequestParam(value = "logout", required = false) String logout) {
logger.info("Logging user out");
ModelAndView model = new ModelAndView();
if (error != null) {
model.addObject("error", "Invalid username and password!");
}
if (logout != null) {
model.addObject("msg", "You've been logged out successfully.");
}
model.setViewName("logout");
return model;
}
}

151
java/org/owasp/webgoat/session/Screen.java
View File

@ -1,4 +1,3 @@
package org.owasp.webgoat.session; package org.owasp.webgoat.session;
import java.io.PrintWriter; import java.io.PrintWriter;
@ -11,39 +10,41 @@ import org.apache.ecs.html.Font;
import org.apache.ecs.html.IMG; import org.apache.ecs.html.IMG;
import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.lessons.AbstractLesson;
/**
/*************************************************************************************************** * *************************************************************************************************
* *
* *
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, * This file is part of WebGoat, an Open Web Application Security Project
* please see http://www.owasp.org/ * utility. For details, please see http://www.owasp.org/
* *
* Copyright (c) 2002 - 2007 Bruce Mayhew * Copyright (c) 2002 - 2007 Bruce Mayhew
* *
* This program is free software; you can redistribute it and/or modify it under the terms of the * This program is free software; you can redistribute it and/or modify it under
* GNU General Public License as published by the Free Software Foundation; either version 2 of the * the terms of the GNU General Public License as published by the Free Software
* License, or (at your option) any later version. * Foundation; either version 2 of the License, or (at your option) any later
* version.
* *
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without * This program is distributed in the hope that it will be useful, but WITHOUT
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* General Public License for more details. * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
* *
* You should have received a copy of the GNU General Public License along with this program; if * You should have received a copy of the GNU General Public License along with
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* 02111-1307, USA. * Place - Suite 330, Boston, MA 02111-1307, USA.
* *
* Getting Source ============== * Getting Source ==============
* *
* Source for this application is maintained at code.google.com, a repository for free software * Source for this application is maintained at code.google.com, a repository
* projects. * for free software projects.
* *
* For details, please see http://code.google.com/p/webgoat/ * For details, please see http://code.google.com/p/webgoat/
* *
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a> * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect
* Security</a>
* @created October 28, 2003 * @created October 28, 2003
*/ */
public abstract class Screen public abstract class Screen {
{
/** /**
* Description of the Field * Description of the Field
@ -59,9 +60,7 @@ public abstract class Screen
/** /**
* Constructor for the Screen object * Constructor for the Screen object
*/ */
public Screen() {
public Screen()
{
} }
// FIXME: Each lesson should have a role assigned to it. Each user/student // FIXME: Each lesson should have a role assigned to it. Each user/student
@ -75,11 +74,9 @@ public abstract class Screen
/** /**
* Description of the Method * Description of the Method
* *
* @param s * @param s Description of the Parameter
* Description of the Parameter
* @return Description of the Return Value * @return Description of the Return Value
*/ */
protected abstract Element createContent(WebSession s); protected abstract Element createContent(WebSession s);
/** /**
@ -92,52 +89,43 @@ public abstract class Screen
/** /**
* Creates a new lessonTracker object. * Creates a new lessonTracker object.
* *
* @param props * @param props The properties file that was used to persist the user data.
* The properties file that was used to persist the user data.
* @return Description of the Return Value * @return Description of the Return Value
*/ */
public LessonTracker createLessonTracker(Properties props) {
public LessonTracker createLessonTracker(Properties props)
{
// If the lesson had any specialized properties in the user persisted properties, // If the lesson had any specialized properties in the user persisted properties,
// now would be the time to pull them out. // now would be the time to pull them out.
return createLessonTracker(); return createLessonTracker();
} }
/** /**
* This allows the screens to provide a custom LessonTracker object if needed. * This allows the screens to provide a custom LessonTracker object if
* needed.
* *
* @return Description of the Return Value * @return Description of the Return Value
*/ */
public LessonTracker createLessonTracker() public LessonTracker createLessonTracker() {
{
return new LessonTracker(); return new LessonTracker();
} }
/** /**
* Gets the lessonTracker attribute of the AbstractLesson object * Gets the lessonTracker attribute of the AbstractLesson object
* *
* @param userName * @param userName Description of the Parameter
* Description of the Parameter
* @return The lessonTracker value * @return The lessonTracker value
*/ */
public LessonTracker getLessonTracker(WebSession s) {
public LessonTracker getLessonTracker(WebSession s)
{
UserTracker userTracker = UserTracker.instance(); UserTracker userTracker = UserTracker.instance();
return userTracker.getLessonTracker(s, this); return userTracker.getLessonTracker(s, this);
} }
public LessonTracker getLessonTracker(WebSession s, String userNameOverride) public LessonTracker getLessonTracker(WebSession s, String userNameOverride) {
{
UserTracker userTracker = UserTracker.instance(); UserTracker userTracker = UserTracker.instance();
return userTracker.getLessonTracker(s, userNameOverride, this); return userTracker.getLessonTracker(s, userNameOverride, this);
} }
public LessonTracker getLessonTracker(WebSession s, AbstractLesson lesson) public LessonTracker getLessonTracker(WebSession s, AbstractLesson lesson) {
{
UserTracker userTracker = UserTracker.instance(); UserTracker userTracker = UserTracker.instance();
return userTracker.getLessonTracker(s, lesson); return userTracker.getLessonTracker(s, lesson);
} }
@ -149,8 +137,7 @@ public abstract class Screen
*/ */
public abstract String getTitle(); public abstract String getTitle();
protected void setContent(Element content) protected void setContent(Element content) {
{
this.content = content; this.content = content;
} }
@ -159,37 +146,31 @@ public abstract class Screen
* *
* @return Description of the Return Value * @return Description of the Return Value
*/ */
protected Element makeLogo() {
protected Element makeLogo()
{
return new A("http://www.aspectsecurity.com/webgoat.html", logo); return new A("http://www.aspectsecurity.com/webgoat.html", logo);
} }
public String getSponsor() public String getSponsor() {
{
return "Aspect Security"; return "Aspect Security";
} }
public String getSponsorLogoResource() public String getSponsorLogoResource() {
{
return "images/aspectlogo-horizontal-small.jpg"; return "images/aspectlogo-horizontal-small.jpg";
} }
/** /**
* Description of the Method * Description of the Method
* *
* @param s * @param s Description of the Parameter
* Description of the Parameter
* @return Description of the Return Value * @return Description of the Return Value
*/ */
protected Element makeMessages(WebSession s) {
protected Element makeMessages(WebSession s)
{
if (s == null) { if (s == null) {
return (new StringElement("")); } return (new StringElement(""));
}
Font f = new Font().setColor(HtmlColor.RED); Font f = new Font().setColor(HtmlColor.RED);
@ -204,57 +185,44 @@ public abstract class Screen
* Returns the content length of the the html. * Returns the content length of the the html.
* *
*/ */
public int getContentLength() {
public int getContentLength()
{
return getContent().length(); return getContent().length();
} }
/** /**
* Description of the Method * Description of the Method
* *
* @param out * @param out Description of the Parameter
* Description of the Parameter
*/ */
public void output(PrintWriter out) {
public void output(PrintWriter out)
{
// format output -- then send to printwriter // format output -- then send to printwriter
// otherwise we're doing way too much SSL encryption work // otherwise we're doing way too much SSL encryption work
out.print(getContent()); out.print(getContent());
} }
public String getContent() public String getContent() {
{
return (content == null) ? "" : content.toString(); return (content == null) ? "" : content.toString();
} }
/** /**
* Description of the Method * Description of the Method
* *
* @param x * @param x Description of the Parameter
* Description of the Parameter
* @return Description of the Return Value * @return Description of the Return Value
*/ */
protected static String pad(int x) {
protected static String pad(int x) StringBuilder sb = new StringBuilder();
{
StringBuffer sb = new StringBuffer(); if (x < 10) {
if (x < 10)
{
sb.append(" "); sb.append(" ");
} }
if (x < 100) if (x < 100) {
{
sb.append(" "); sb.append(" ");
@ -268,12 +236,10 @@ public abstract class Screen
/** /**
* Description of the Method * Description of the Method
* *
* @param token * @param token Description of the Parameter
* Description of the Parameter
* @return Description of the Return Value * @return Description of the Return Value
*/ */
protected static String convertMetachars(String token) protected static String convertMetachars(String token) {
{
int mci = 0; int mci = 0;
@ -283,13 +249,12 @@ public abstract class Screen
* checking and only do "&nbsp" conversion in lines that won't exceed screen size, say less * checking and only do "&nbsp" conversion in lines that won't exceed screen size, say less
* than 80 characters. * than 80 characters.
*/ */
String[] metaChar = { "&", "<", ">", "\"", "\t", System.getProperty("line.separator") }; String[] metaChar = {"&", "<", ">", "\"", "\t", System.getProperty("line.separator")};
String[] htmlCode = { "&amp;", "&lt;", "&gt;", "&quot;", " ", "<br>" }; String[] htmlCode = {"&amp;", "&lt;", "&gt;", "&quot;", " ", "<br>"};
String replacedString = token; String replacedString = token;
for (; mci < metaChar.length; mci += 1) for (; mci < metaChar.length; mci += 1) {
{
replacedString = replacedString.replaceAll(metaChar[mci], htmlCode[mci]); replacedString = replacedString.replaceAll(metaChar[mci], htmlCode[mci]);
} }
return (replacedString); return (replacedString);
@ -298,22 +263,18 @@ public abstract class Screen
/** /**
* Description of the Method * Description of the Method
* *
* @param token * @param token Description of the Parameter
* Description of the Parameter
* @return Description of the Return Value * @return Description of the Return Value
*/ */
protected static String convertMetacharsJavaCode(String token) protected static String convertMetacharsJavaCode(String token) {
{
return (convertMetachars(token).replaceAll(" ", "&nbsp;")); return (convertMetachars(token).replaceAll(" ", "&nbsp;"));
} }
/** /**
* Description of the Method * Description of the Method
* *
* @param s * @param s Description of the Parameter
* Description of the Parameter
* @return Description of the Return Value * @return Description of the Return Value
*/ */
// protected abstract Element wrapForm( WebSession s ); // protected abstract Element wrapForm( WebSession s );
} }

59
webapp/WEB-INF/pages/logout.jsp Normal file
View File

@ -0,0 +1,59 @@
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<head>
<title>Login Page</title>
<!-- Latest compiled and minified CSS -->
<link rel="stylesheet" href="//netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap.min.css">
<style type="text/css">
body {
padding-top: 40px;
padding-bottom: 40px;
background-color: #f5f5f5;
}
.form-signin {
max-width: 300px;
padding: 19px 29px 29px;
margin: 0 auto 20px;
background-color: #fff;
border: 1px solid #e5e5e5;
-webkit-border-radius: 5px;
-moz-border-radius: 5px;
border-radius: 5px;
-webkit-box-shadow: 0 1px 2px rgba(0,0,0,.05);
-moz-box-shadow: 0 1px 2px rgba(0,0,0,.05);
box-shadow: 0 1px 2px rgba(0,0,0,.05);
}
.form-signin .form-signin-heading,
.form-signin .checkbox {
margin-bottom: 10px;
}
.form-signin input[type="text"],
.form-signin input[type="password"] {
font-size: 16px;
height: auto;
margin-bottom: 15px;
padding: 7px 9px;
}
</style>
</head>
<body onload='document.loginForm.username.focus();'>
<div class="container">
<c:if test="${not empty error}">
<div class="error">${error}</div>
</c:if>
<c:if test="${not empty msg}">
<div class="msg">${msg}</div>
</c:if>
You have logged out successfully
<hr/>
Click here to <a href="<c:url value="login.do" />" > Login</a>
</div> <!-- /container -->
</body>
</html>

6
webapp/WEB-INF/spring-security.xml
View File

@ -15,7 +15,7 @@
<http pattern="/images/**" security="none"/> <http pattern="/images/**" security="none"/>
<http pattern="/javascript/**" security="none"/> <http pattern="/javascript/**" security="none"/>
<http pattern="/favicon.ico" security="none"/> <http pattern="/favicon.ico" security="none"/>
<http auto-config="true" use-expressions="true"> <http use-expressions="true">
<intercept-url pattern="/login.do" access="permitAll" /> <intercept-url pattern="/login.do" access="permitAll" />
<intercept-url pattern="/logout.do" access="permitAll" /> <intercept-url pattern="/logout.do" access="permitAll" />
<intercept-url pattern="/servlet/AdminServlet/**" access="hasAnyRole('ROLE_WEBGOAT_ADMIN','ROLE_SERVER_ADMIN')" /> <intercept-url pattern="/servlet/AdminServlet/**" access="hasAnyRole('ROLE_WEBGOAT_ADMIN','ROLE_SERVER_ADMIN')" />
@ -27,9 +27,9 @@
authentication-failure-url="/login.do?error" authentication-failure-url="/login.do?error"
username-parameter="username" username-parameter="username"
password-parameter="password" /> password-parameter="password" />
<logout logout-success-url="/logout.do" /> <logout logout-url="/j_spring_security_logout" logout-success-url="/logout.do" />
<!-- enable csrf protection --> <!-- enable csrf protection -->
<csrf/> <!--csrf/-->
</http> </http>
<!-- Authentication Manager --> <!-- Authentication Manager -->

190
webapp/main.jsp
View File

@ -2,44 +2,43 @@
import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.Category, org.owasp.webgoat.lessons.AbstractLesson, org.owasp.webgoat.util.*, java.util.*" import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.Category, org.owasp.webgoat.lessons.AbstractLesson, org.owasp.webgoat.util.*, java.util.*"
errorPage="" %> errorPage="" %>
<% <%
Course course = ((Course)session.getAttribute("course")); Course course = ((Course) session.getAttribute("course"));
WebSession webSession = ((WebSession)session.getAttribute("websession")); WebSession webSession = ((WebSession) session.getAttribute("websession"));
AbstractLesson currentLesson = webSession.getCurrentLesson(); AbstractLesson currentLesson = webSession.getCurrentLesson();
%> %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<%@page import="org.owasp.webgoat.lessons.RandomLessonAdapter"%> <%@page import="org.owasp.webgoat.lessons.RandomLessonAdapter"%>
<html xmlns="http://www.w3.org/1999/xhtml"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title><%=currentLesson.getTitle()%></title> <title><%=currentLesson.getTitle()%></title>
<link rel="stylesheet" href="css/webgoat.css" type="text/css" /> <link rel="stylesheet" href="css/webgoat.css" type="text/css" />
<link rel="stylesheet" href="css/lesson.css" type="text/css" /> <link rel="stylesheet" href="css/lesson.css" type="text/css" />
<link rel="stylesheet" href="css/menu.css" type="text/css" /> <link rel="stylesheet" href="css/menu.css" type="text/css" />
<link rel="stylesheet" href="css/layers.css" type="text/css" /> <link rel="stylesheet" href="css/layers.css" type="text/css" />
<script language="JavaScript1.2" src="javascript/javascript.js" type="text/javascript"></script> <script language="JavaScript1.2" src="javascript/javascript.js" type="text/javascript"></script>
<script language="JavaScript1.2" src="javascript/menu_system.js" type="text/javascript"></script> <script language="JavaScript1.2" src="javascript/menu_system.js" type="text/javascript"></script>
<script language="JavaScript1.2" src="javascript/lessonNav.js" type="text/javascript"></script> <script language="JavaScript1.2" src="javascript/lessonNav.js" type="text/javascript"></script>
<script language="JavaScript1.2" src="javascript/makeWindow.js" type="text/javascript"></script> <script language="JavaScript1.2" src="javascript/makeWindow.js" type="text/javascript"></script>
<script language="JavaScript1.2" src="javascript/toggle.js" type="text/javascript"></script> <script language="JavaScript1.2" src="javascript/toggle.js" type="text/javascript"></script>
</head> </head>
<% <%
final String menuPrefix = WebSession.MENU; final String menuPrefix = WebSession.MENU;
final String submenuPrefix = "submenu"; final String submenuPrefix = "submenu";
final String mbutPrefix = "mbut"; final String mbutPrefix = "mbut";
String printHint = ""; String printHint = "";
String printParameters = ""; String printParameters = "";
String printCookies = ""; String printCookies = "";
String lessonComplete = "<img src=\"images/buttons/lessonComplete.jpg\">"; String lessonComplete = "<img src=\"images/buttons/lessonComplete.jpg\">";
List categories = course.getCategories(); List categories = course.getCategories();
StringBuffer buildList = new StringBuffer(); StringBuffer buildList = new StringBuffer();
Iterator iter1 = categories.iterator(); Iterator iter1 = categories.iterator();
while(iter1.hasNext()) while (iter1.hasNext()) {
{ Category category = (Category) iter1.next();
Category category = (Category)iter1.next();
buildList.append("'"); buildList.append("'");
buildList.append(menuPrefix); buildList.append(menuPrefix);
@ -52,10 +51,14 @@ StringBuffer buildList = new StringBuffer();
buildList.append(category.getRanking()); buildList.append(category.getRanking());
buildList.append("'"); buildList.append("'");
if (iter1.hasNext()) if (iter1.hasNext()) {
buildList.append(","); buildList.append(",");
}
}%> }%>
<body class="page" onload="setMenuMagic1(10,40,10,'menubottom',<%=buildList%>);trigMM1url('<%= menuPrefix %>',1);MM_preloadImages('images/buttons/hintLeftOver.jpg','images/buttons/hintOver.jpg','images/buttons/hintRightOver.jpg','images/buttons/paramsOver.jpg','images/buttons/htmlOver.jpg','images/buttons/cookiesOver.jpg','images/buttons/javaOver.jpg','images/buttons/plansOver.jpg','images/buttons/logout.jpg','images/buttons/helpOver.jpg'); initIframe();"> <body class="page" onload="setMenuMagic1(10, 40, 10, 'menubottom',<%=buildList%>);
trigMM1url('<%= menuPrefix%>', 1);
MM_preloadImages('images/buttons/hintLeftOver.jpg', 'images/buttons/hintOver.jpg', 'images/buttons/hintRightOver.jpg', 'images/buttons/paramsOver.jpg', 'images/buttons/htmlOver.jpg', 'images/buttons/cookiesOver.jpg', 'images/buttons/javaOver.jpg', 'images/buttons/plansOver.jpg', 'images/buttons/logout.jpg', 'images/buttons/helpOver.jpg');
initIframe();">
<div id="wrap"> <div id="wrap">
<% <%
@ -63,34 +66,33 @@ StringBuffer buildList = new StringBuffer();
int zIndex = 105; int zIndex = 105;
Iterator iter2 = categories.iterator(); Iterator iter2 = categories.iterator();
while(iter2.hasNext()) while (iter2.hasNext()) {
{ Category category = (Category) iter2.next();
Category category = (Category)iter2.next();
%> %>
<div id="<%=menuPrefix + category.getRanking()%>" style="position:absolute; left:30px; top:<%=topCord%>px; width:160px; z-index:<%=zIndex%>"><a href="javascript:;" onclick="trigMenuMagic1('<%=menuPrefix + category.getRanking()%>',1);return false" onfocus="if(this.blur)this.blur()"><img src="images/menu_images/1x1.gif" width="1" height=1"20" name="mbut<%=category.getRanking()%>" border="0" alt=""/><%=category.getName()%></a></div> <div id="<%=menuPrefix + category.getRanking()%>" style="position:absolute; left:30px; top:<%=topCord%>px; width:160px; z-index:<%=zIndex%>"><a href="javascript:;" onclick="trigMenuMagic1('<%=menuPrefix + category.getRanking()%>', 1);
return false" onfocus="if (this.blur)
this.blur()"><img src="images/menu_images/1x1.gif" width="1" height=1"20" name="mbut<%=category.getRanking()%>" border="0" alt=""/><%=category.getName()%></a></div>
<% <%
topCord=topCord + 30; topCord = topCord + 30;
zIndex=zIndex + 1; zIndex = zIndex + 1;
} }
int topSubMenu = 72; int topSubMenu = 72;
Iterator iter3 = categories.iterator(); Iterator iter3 = categories.iterator();
while(iter3.hasNext()) while (iter3.hasNext()) {
{ Category category = (Category) iter3.next();
Category category = (Category)iter3.next();
List lessons = webSession.getLessons(category); List lessons = webSession.getLessons(category);
Iterator iter4 = lessons.iterator(); Iterator iter4 = lessons.iterator();
%> %>
<div id="submenu<%=category.getRanking()%>" class="pviimenudiv" style="position:absolute; left:200px; top:<%=topSubMenu%>px; width:150px; visibility: hidden; z-index:<%=zIndex%>"> <div id="submenu<%=category.getRanking()%>" class="pviimenudiv" style="position:absolute; left:200px; top:<%=topSubMenu%>px; width:150px; visibility: hidden; z-index:<%=zIndex%>">
<table width="150" border="0" cellspacing="6" cellpadding="0"><% <table width="150" border="0" cellspacing="6" cellpadding="0"><%
topSubMenu=topSubMenu+30; topSubMenu = topSubMenu + 30;
zIndex=zIndex + 1; zIndex = zIndex + 1;
while(iter4.hasNext()) while (iter4.hasNext()) {
{ AbstractLesson lesson = (AbstractLesson) iter4.next();
AbstractLesson lesson = (AbstractLesson)iter4.next();
%><tr> %><tr>
<td><%=(lesson.isCompleted(webSession) ? lessonComplete : "")%><a href="<%=lesson.getLink()%>"><%=lesson.getTitle()%></a></td> <td><%=(lesson.isCompleted(webSession) ? lessonComplete : "")%><a href="<%=lesson.getLink()%>"><%=lesson.getTitle()%></a></td>
@ -99,9 +101,9 @@ StringBuffer buildList = new StringBuffer();
RandomLessonAdapter rla = (RandomLessonAdapter) lesson; RandomLessonAdapter rla = (RandomLessonAdapter) lesson;
String[] stages = rla.getStages(); String[] stages = rla.getStages();
if (stages != null) if (stages != null)
for (int i=0; i<stages.length; i++) { for (int i = 0; i < stages.length; i++) {
%> %>
<tr><td class="pviimenudivstage"><%=(rla.isStageComplete(webSession, stages[i]) ? lessonComplete : "")%><a href="<%=lesson.getLink() + "&stage=" + (i+1) %>">Stage <%=i+1%>: <%=stages[i] %></a> <tr><td class="pviimenudivstage"><%=(rla.isStageComplete(webSession, stages[i]) ? lessonComplete : "")%><a href="<%=lesson.getLink() + "&stage=" + (i + 1)%>">Stage <%=i + 1%>: <%=stages[i]%></a>
</td></tr> </td></tr>
<% <%
} }
@ -116,17 +118,18 @@ StringBuffer buildList = new StringBuffer();
<div id="top"></div> <div id="top"></div>
<div id="topLeft"> <div id="topLeft">
<div align="left"> <div align="left">
<% if (currentLesson.getAvailableLanguages().size() != 0 ) <% if (currentLesson.getAvailableLanguages().size() != 0) {
{
%> %>
<form method="get" action="attack" style="display: inline;"> <form method="get" action="attack" style="display: inline;">
Choose another language: <select name="language" size="1" Choose another language: <select name="language" size="1"
onChange="changeLanguage();"> onChange="changeLanguage();">
<% <%
for(String lang: currentLesson.getAvailableLanguages()){ for (String lang : currentLesson.getAvailableLanguages()) {
%> %>
<option value="<%=lang%>" <option value="<%=lang%>"
<% if(webSession.getCurrrentLanguage().equals(lang)) out.println("selected" );%>><%=lang%> <% if (webSession.getCurrrentLanguage().equals(lang)) {
out.println("selected");
}%>><%=lang%>
</option> </option>
<% <%
@ -142,63 +145,63 @@ StringBuffer buildList = new StringBuffer();
%> %>
</div></div> </div></div>
<div align="right" id="topRight"> <div align="right" id="topRight">
<a href="attack?action=Logout" onmouseout="MM_swapImgRestore()" <a href="j_spring_security_logout" onmouseout="MM_swapImgRestore()"
onmouseover="MM_swapImage('logout','','images/buttons/logoutOver.jpg',1)"><img onmouseover="MM_swapImage('logout', '', 'images/buttons/logoutOver.jpg', 1)"><img
src="images/buttons/logout.jpg" alt="LogOut" name="logout" width="45" src="images/buttons/logout.jpg" alt="LogOut" name="logout" width="45"
height="22" border="0" id="logout" /></a> <a href="#getFAQ()" height="22" border="0" id="logout" /></a> <a href="#getFAQ()"
onmouseout="MM_swapImgRestore()" onmouseout="MM_swapImgRestore()"
onmouseover="MM_swapImage('help','','images/buttons/helpOver.jpg',1)"><img onmouseover="MM_swapImage('help', '', 'images/buttons/helpOver.jpg', 1)"><img
src="images/buttons/help.jpg" alt="Help" name="help" width="22" src="images/buttons/help.jpg" alt="Help" name="help" width="22"
height="22" border="0" id="help" /></a> height="22" border="0" id="help" /></a>
</div> </div>
<div id="lessonTitle" align="right"><%=currentLesson.getTitle()%></div> <div id="lessonTitle" align="right"><%=currentLesson.getTitle()%></div>
<div id="hMenuBar"> <div id="hMenuBar">
<% <%
if (webSession.isAuthorizedInLesson(webSession.getRole(), WebSession.SHOWHINTS)) if (webSession.isAuthorizedInLesson(webSession.getRole(), WebSession.SHOWHINTS)) {
{
%> %>
<a href="<%= webSession.getCurrentLesson().getLink() %>&show=PreviousHint" target="_top" onclick="MM_nbGroup('down','group1','hintLeft','',1)" <a href="<%= webSession.getCurrentLesson().getLink()%>&show=PreviousHint" target="_top" onclick="MM_nbGroup('down', 'group1', 'hintLeft', '', 1)"
onmouseover="MM_nbGroup('over','hintLeft','images/buttons/hintLeftOver.jpg','',1)" onmouseover="MM_nbGroup('over', 'hintLeft', 'images/buttons/hintLeftOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')"> onmouseout="MM_nbGroup('out')">
<img src="images/buttons/hintLeft.jpg" alt="Previous Hint" name="hintLeft" width="20" height="20" border="0" id="hintLeft"/> <img src="images/buttons/hintLeft.jpg" alt="Previous Hint" name="hintLeft" width="20" height="20" border="0" id="hintLeft"/>
</a> </a>
<a href="<%= webSession.getCurrentLesson().getLink() %>&show=NextHint" target="_top" onclick="MM_nbGroup('down','group1','hint','',1)" <a href="<%= webSession.getCurrentLesson().getLink()%>&show=NextHint" target="_top" onclick="MM_nbGroup('down', 'group1', 'hint', '', 1)"
onmouseover="MM_nbGroup('over','hint','images/buttons/hintOver.jpg','',1)" onmouseover="MM_nbGroup('over', 'hint', 'images/buttons/hintOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')"> onmouseout="MM_nbGroup('out')">
<img src="images/buttons/hint.jpg" alt="Hints" name="hint" width="35" height="20" border="0" id="hint"/> <img src="images/buttons/hint.jpg" alt="Hints" name="hint" width="35" height="20" border="0" id="hint"/>
</a> </a>
<a href="<%= webSession.getCurrentLesson().getLink() %>&show=NextHint" target="_top" onclick="MM_nbGroup('down','group1','hintRight','',1)" <a href="<%= webSession.getCurrentLesson().getLink()%>&show=NextHint" target="_top" onclick="MM_nbGroup('down', 'group1', 'hintRight', '', 1)"
onmouseover="MM_nbGroup('over','hintRight','images/buttons/hintRightOver.jpg','',1)" onmouseover="MM_nbGroup('over', 'hintRight', 'images/buttons/hintRightOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')"> onmouseout="MM_nbGroup('out')">
<img src="images/buttons/hintRight.jpg" alt="Next Hint" name="hintRight" width="20" height="20" border="0" id="hintRight"/> <img src="images/buttons/hintRight.jpg" alt="Next Hint" name="hintRight" width="20" height="20" border="0" id="hintRight"/>
</a> </a>
<%}%> <%}%>
<a href="<%= webSession.getCurrentLesson().getLink() %>&show=Params" target="_top" onclick="MM_nbGroup('down','group1','params','',1)" <a href="<%= webSession.getCurrentLesson().getLink()%>&show=Params" target="_top" onclick="MM_nbGroup('down', 'group1', 'params', '', 1)"
onmouseover="MM_nbGroup('over','params','images/buttons/paramsOver.jpg','',1)" onmouseover="MM_nbGroup('over', 'params', 'images/buttons/paramsOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')"> onmouseout="MM_nbGroup('out')">
<img src="images/buttons/params.jpg" alt="Show Params" name="<%= webSession.getCurrentLesson().getLink() %>&show=Params" width="87" height="20" border="0" id="params"/> <img src="images/buttons/params.jpg" alt="Show Params" name="<%= webSession.getCurrentLesson().getLink()%>&show=Params" width="87" height="20" border="0" id="params"/>
</a> </a>
<a href="<%= webSession.getCurrentLesson().getLink() %>&show=Cookies" target="_top" onclick="MM_nbGroup('down','group1','cookies','',1)" <a href="<%= webSession.getCurrentLesson().getLink()%>&show=Cookies" target="_top" onclick="MM_nbGroup('down', 'group1', 'cookies', '', 1)"
onmouseover="MM_nbGroup('over','cookies','images/buttons/cookiesOver.jpg','',1)" onmouseover="MM_nbGroup('over', 'cookies', 'images/buttons/cookiesOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')"> onmouseout="MM_nbGroup('out')">
<img src="images/buttons/cookies.jpg" alt="Show Cookies" name="cookies" width="99" height="20" border="0" id="cookies"/> <img src="images/buttons/cookies.jpg" alt="Show Cookies" name="cookies" width="99" height="20" border="0" id="cookies"/>
</a> </a>
<a href="javascript:toggle('lessonPlans')" target="_top" onclick="MM_nbGroup('down','group1','plans','',1)" <a href="javascript:toggle('lessonPlans')" target="_top" onclick="MM_nbGroup('down', 'group1', 'plans', '', 1)"
onmouseover="MM_nbGroup('over','plans','images/buttons/plansOver.jpg','',1)" onmouseover="MM_nbGroup('over', 'plans', 'images/buttons/plansOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')"> onmouseout="MM_nbGroup('out')">
<img src="images/buttons/plans.jpg" alt="Lesson Plans" width="89" height="20" border="0" id="plans"/> <img src="images/buttons/plans.jpg" alt="Lesson Plans" width="89" height="20" border="0" id="plans"/>
</a> </a>
<% <%
if (webSession.isAuthorizedInLesson(webSession.getRole(), WebSession.SHOWSOURCE)) if (webSession.isAuthorizedInLesson(webSession.getRole(), WebSession.SHOWSOURCE)) {
{
%> %>
<a href="source" onclick="makeWindow(this.href+ '?source=true', 'Java Source');return false;" target="javaWin" <a href="source" onclick="makeWindow(this.href + '?source=true', 'Java Source');
onmouseover="MM_nbGroup('over','java','images/buttons/javaOver.jpg','',1)" return false;" target="javaWin"
onmouseover="MM_nbGroup('over', 'java', 'images/buttons/javaOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')"> onmouseout="MM_nbGroup('out')">
<img src="images/buttons/java.jpg" alt="Show Java" name="java" width="75" height="20" border="0" id="java"/> <img src="images/buttons/java.jpg" alt="Show Java" name="java" width="75" height="20" border="0" id="java"/>
</a> </a>
<a href="source" onclick="makeWindow(this.href + '?solution=true', 'Java Solution');return false;" target="javaWin" <a href="source" onclick="makeWindow(this.href + '?solution=true', 'Java Solution');
onmouseover="MM_nbGroup('over','solutions','images/buttons/solutionsOver.jpg','',1)" return false;" target="javaWin"
onmouseover="MM_nbGroup('over', 'solutions', 'images/buttons/solutionsOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')"> onmouseout="MM_nbGroup('out')">
<img src="images/buttons/solutions.jpg" alt="Show Solution" name="solutions" width="73" height="20" border="0" id="solutions"/> <img src="images/buttons/solutions.jpg" alt="Show Solution" name="solutions" width="73" height="20" border="0" id="solutions"/>
</a> </a>
@ -209,8 +212,7 @@ StringBuffer buildList = new StringBuffer();
<div id="menuSpacer"></div> <div id="menuSpacer"></div>
<div id="lessonAreaTop"> <div id="lessonAreaTop">
<% <%
if (currentLesson != null) if (currentLesson != null) {
{
%> %>
<div id="training_wrap"> <div id="training_wrap">
<div id="training" class="info"><a href="http://yehg.net/lab/pr0js/training/webgoat.php" target="_blank"><%=WebGoatI18N.get("SolutionVideos")%></a></div> <div id="training" class="info"><a href="http://yehg.net/lab/pr0js/training/webgoat.php" target="_blank"><%=WebGoatI18N.get("SolutionVideos")%></a></div>
@ -222,37 +224,32 @@ StringBuffer buildList = new StringBuffer();
</div> </div>
<div id="lessonArea"> <div id="lessonArea">
<% <%
if (webSession.getHint() != null) if (webSession.getHint() != null) {
{
printHint = "<div id=\"hint\" class=\"info\">" + webSession.getHint() + "</div><br>"; printHint = "<div id=\"hint\" class=\"info\">" + webSession.getHint() + "</div><br>";
out.println(printHint); out.println(printHint);
} }
if (webSession.getParams() != null) if (webSession.getParams() != null) {
{
Iterator i = webSession.getParams().iterator(); Iterator i = webSession.getParams().iterator();
while (i.hasNext()) while (i.hasNext()) {
{
Parameter p = (Parameter) i.next(); Parameter p = (Parameter) i.next();
printParameters = "<div id=\"parameter\" class=\"info\">" + p.getName() + "=" + p.getValue() + "</div><br>"; printParameters = "<div id=\"parameter\" class=\"info\">" + p.getName() + "=" + p.getValue() + "</div><br>";
out.println(printParameters); out.println(printParameters);
} }
} }
if (webSession.getCookies() != null) if (webSession.getCookies() != null) {
{
Iterator i = webSession.getCookies().iterator(); Iterator i = webSession.getCookies().iterator();
while (i.hasNext()) while (i.hasNext()) {
{
Cookie c = (Cookie) i.next(); Cookie c = (Cookie) i.next();
printCookies = "<div id=\"cookie\" class=\"info\">" + c.getName() + " <img src=\"images/icons/rightArrow.jpg\" alt=\"\"> " + c.getValue() + "</div><br>"; printCookies = "<div id=\"cookie\" class=\"info\">" + c.getName() + " <img src=\"images/icons/rightArrow.jpg\" alt=\"\"> " + c.getValue() + "</div><br>";
out.println(printCookies); out.println(printCookies);
} }
}%> }%>
<div id="lessonPlans" style="visibility:hidden; height:1px; position:absolute; left:260px; top:130px; width:425px; z-index:105;"><%=currentLesson.getLessonPlan(webSession) %> <div id="lessonPlans" style="visibility:hidden; height:1px; position:absolute; left:260px; top:130px; width:425px; z-index:105;"><%=currentLesson.getLessonPlan(webSession)%>
<br/> <br/>
<br/> <br/>
<a href="javascript:toggle('lessonPlans')" target="_top" onclick="MM_nbGroup('down','group1','plans','',1)">Close this Window</a> <a href="javascript:toggle('lessonPlans')" target="_top" onclick="MM_nbGroup('down', 'group1', 'plans', '', 1)">Close this Window</a>
</div> </div>
<div id="lessonContent"> <div id="lessonContent">
<% <%
@ -260,7 +257,7 @@ StringBuffer buildList = new StringBuffer();
if (lesson instanceof RandomLessonAdapter) { if (lesson instanceof RandomLessonAdapter) {
RandomLessonAdapter rla = (RandomLessonAdapter) lesson; RandomLessonAdapter rla = (RandomLessonAdapter) lesson;
%> %>
<div class="info">Stage <%= rla.getLessonTracker(webSession).getStageNumber(rla.getStage(webSession)) + 1 %></div> <div class="info">Stage <%= rla.getLessonTracker(webSession).getStageNumber(rla.getStage(webSession)) + 1%></div>
<% <%
} }
%> %>
@ -268,16 +265,13 @@ StringBuffer buildList = new StringBuffer();
<div id="message" class="info"><%=webSession.getMessage()%></div> <div id="message" class="info"><%=webSession.getMessage()%></div>
<% <%
if (currentLesson.getTemplatePage(webSession) != null) if (currentLesson.getTemplatePage(webSession) != null) {
{
//System.out.println("Main.jsp - current lesson: " + currentLesson.getName() ); //System.out.println("Main.jsp - current lesson: " + currentLesson.getName() );
//System.out.println(" - template Page: " + currentLesson.getTemplatePage(webSession)); //System.out.println(" - template Page: " + currentLesson.getTemplatePage(webSession));
%> %>
<jsp:include page="<%=currentLesson.getTemplatePage(webSession)%>" /> <jsp:include page="<%=currentLesson.getTemplatePage(webSession)%>" />
<% <%
} } else {
else
{
%> %>
<div id="lessonContent"><%=currentLesson.getContent()%></div> <div id="lessonContent"><%=currentLesson.getContent()%></div>
<% <%
@ -296,5 +290,5 @@ StringBuffer buildList = new StringBuffer();
</div> </div>
</div> </div>
</div> </div>
</body> </body>
</html> </html>

4
webapp/webgoat.jsp
View File

@ -2,7 +2,7 @@
errorPage=""%> errorPage=""%>
<%@page import="org.owasp.webgoat.session.WebSession"%> <%@page import="org.owasp.webgoat.session.WebSession"%>
<% <%
WebSession webSession = ((WebSession) session.getAttribute("websession")); //WebSession webSession = ((WebSession) session.getAttribute("websession"));
%> %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
@ -22,7 +22,7 @@
The exercises are intended to provide hands on experience with The exercises are intended to provide hands on experience with
application penetration testing techniques. </p> application penetration testing techniques. </p>
<p>The WebGoat project is led <p>The WebGoat project is led
by Bruce Mayhew. Please send all comments to Bruce at <%=webSession.getWebgoatContext().getFeedbackAddress()%>.</p> by Bruce Mayhew. Please send all comments to Bruce at [TODO, session was blowing up here for some reason].</p>
<div id="team"> <div id="team">
<table border="0" align="center" class="lessonText"> <table border="0" align="center" class="lessonText">