get logout working

fix issue with white screen after login
This commit is contained in:
lawson89 2014-06-19 19:43:07 -04:00
parent 80dae15f70
commit 39d5888ef3
7 changed files with 688 additions and 626 deletions


@ -187,7 +187,9 @@ public class HammerHead extends HttpServlet {
screen = new ErrorScreen(mySession, t);
} finally {
try {
if (screen instanceof ErrorScreen) {
this.writeScreen(mySession, screen, response);
}
} catch (Throwable thr) {
logger.error("Could not write error screen", thr);
}
@ -426,6 +428,7 @@ public class HammerHead extends HttpServlet {
response.setHeader("Content-Length", screen.getContentLength() + "");
screen.output(out);
out.flush();
out.close();
}
}
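Review bot: The `Content-Length` header set two lines above the new `out.close()` is computed from `screen.getContentLength()`, which in the Screen.java section of this commit returns `getContent().length()` — a UTF-16 char count, not the number of bytes the writer will emit; for any non-ASCII lesson content under a multi-byte response encoding the header undercounts and the client may cut the body short. Either derive the value from `getContent().getBytes(response.getCharacterEncoding()).length` or drop the explicit header and let the container chunk the response. The new `out.close()` also only runs on the success path; if `screen.output(out)` throws, the writer is left open, so move the close into a `finally`. The enclosing method starts outside the hunk, as does the normal (non-error) write that the first hunk's `instanceof ErrorScreen` guard presumably skips.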


@ -0,0 +1,45 @@
/*
* To change this license header, choose License Headers in Project Properties.
* To change this template file, choose Tools | Templates
* and open the template in the editor.
*/
package org.owasp.webgoat.controller;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.servlet.ModelAndView;
/**
*
* @author rlawson
*/
@Controller
public class Logout {
final Logger logger = LoggerFactory.getLogger(Logout.class);
@RequestMapping(value = "logout.do", method = RequestMethod.GET)
public ModelAndView logout(
@RequestParam(value = "error", required = false) String error,
@RequestParam(value = "logout", required = false) String logout) {
logger.info("Logging user out");
ModelAndView model = new ModelAndView();
if (error != null) {
model.addObject("error", "Invalid username and password!");
}
if (logout != null) {
model.addObject("msg", "You've been logged out successfully.");
}
model.setViewName("logout");
return model;
}
}
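Review bot: `logger.info("Logging user out")` is misleading — this handler does not end the session; Spring Security's logout filter does that and then redirects here (the security config in this commit sets `logout-success-url="/logout.do"`), so the controller only renders the confirmation view. Suggest `logger.info("Rendering logout page")`. As configured, `/logout.do` is reached with neither `?error` nor `?logout`, so both `addObject` branches appear unreachable and look copied from a login controller; either have the config redirect to `/logout.do?logout` or remove the dead branches. The logger field should also be `private static final Logger logger = LoggerFactory.getLogger(Logout.class);` rather than a package-visible instance field, and the class Javadoc (currently only `@author`) should state that this is the post-logout landing page, not the logout action.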


@ -1,4 +1,3 @@
package org.owasp.webgoat.session;
import java.io.PrintWriter;
@ -11,39 +10,41 @@ import org.apache.ecs.html.Font;
import org.apache.ecs.html.IMG;
import org.owasp.webgoat.lessons.AbstractLesson;
/***************************************************************************************************
/**
* *************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository for free software
* projects.
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect
* Security</a>
* @created October 28, 2003
*/
public abstract class Screen
{
public abstract class Screen {
/**
* Description of the Field
@ -59,9 +60,7 @@ public abstract class Screen
/**
* Constructor for the Screen object
*/
public Screen()
{
public Screen() {
}
// FIXME: Each lesson should have a role assigned to it. Each user/student
@ -75,11 +74,9 @@ public abstract class Screen
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected abstract Element createContent(WebSession s);
/**
@ -92,52 +89,43 @@ public abstract class Screen
/**
* Creates a new lessonTracker object.
*
* @param props
* The properties file that was used to persist the user data.
* @param props The properties file that was used to persist the user data.
* @return Description of the Return Value
*/
public LessonTracker createLessonTracker(Properties props)
{
public LessonTracker createLessonTracker(Properties props) {
// If the lesson had any specialized properties in the user persisted properties,
// now would be the time to pull them out.
return createLessonTracker();
}
/**
* This allows the screens to provide a custom LessonTracker object if needed.
* This allows the screens to provide a custom LessonTracker object if
* needed.
*
* @return Description of the Return Value
*/
public LessonTracker createLessonTracker()
{
public LessonTracker createLessonTracker() {
return new LessonTracker();
}
/**
* Gets the lessonTracker attribute of the AbstractLesson object
*
* @param userName
* Description of the Parameter
* @param userName Description of the Parameter
* @return The lessonTracker value
*/
public LessonTracker getLessonTracker(WebSession s)
{
public LessonTracker getLessonTracker(WebSession s) {
UserTracker userTracker = UserTracker.instance();
return userTracker.getLessonTracker(s, this);
}
public LessonTracker getLessonTracker(WebSession s, String userNameOverride)
{
public LessonTracker getLessonTracker(WebSession s, String userNameOverride) {
UserTracker userTracker = UserTracker.instance();
return userTracker.getLessonTracker(s, userNameOverride, this);
}
public LessonTracker getLessonTracker(WebSession s, AbstractLesson lesson)
{
public LessonTracker getLessonTracker(WebSession s, AbstractLesson lesson) {
UserTracker userTracker = UserTracker.instance();
return userTracker.getLessonTracker(s, lesson);
}
@ -149,8 +137,7 @@ public abstract class Screen
*/
public abstract String getTitle();
protected void setContent(Element content)
{
protected void setContent(Element content) {
this.content = content;
}
@ -159,37 +146,31 @@ public abstract class Screen
*
* @return Description of the Return Value
*/
protected Element makeLogo()
{
protected Element makeLogo() {
return new A("http://www.aspectsecurity.com/webgoat.html", logo);
}
public String getSponsor()
{
public String getSponsor() {
return "Aspect Security";
}
public String getSponsorLogoResource()
{
public String getSponsorLogoResource() {
return "images/aspectlogo-horizontal-small.jpg";
}
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected Element makeMessages(WebSession s)
{
protected Element makeMessages(WebSession s) {
if (s == null) {
return (new StringElement("")); }
return (new StringElement(""));
}
Font f = new Font().setColor(HtmlColor.RED);
@ -204,57 +185,44 @@ public abstract class Screen
* Returns the content length of the the html.
*
*/
public int getContentLength()
{
public int getContentLength() {
return getContent().length();
}
/**
* Description of the Method
*
* @param out
* Description of the Parameter
* @param out Description of the Parameter
*/
public void output(PrintWriter out)
{
public void output(PrintWriter out) {
// format output -- then send to printwriter
// otherwise we're doing way too much SSL encryption work
out.print(getContent());
}
public String getContent()
{
public String getContent() {
return (content == null) ? "" : content.toString();
}
/**
* Description of the Method
*
* @param x
* Description of the Parameter
* @param x Description of the Parameter
* @return Description of the Return Value
*/
protected static String pad(int x) {
protected static String pad(int x)
{
StringBuilder sb = new StringBuilder();
StringBuffer sb = new StringBuffer();
if (x < 10)
{
if (x < 10) {
sb.append(" ");
}
if (x < 100)
{
if (x < 100) {
sb.append(" ");
@ -268,12 +236,10 @@ public abstract class Screen
/**
* Description of the Method
*
* @param token
* Description of the Parameter
* @param token Description of the Parameter
* @return Description of the Return Value
*/
protected static String convertMetachars(String token)
{
protected static String convertMetachars(String token) {
int mci = 0;
@ -288,8 +254,7 @@ public abstract class Screen
String[] htmlCode = {"&amp;", "&lt;", "&gt;", "&quot;", " ", "<br>"};
String replacedString = token;
for (; mci < metaChar.length; mci += 1)
{
for (; mci < metaChar.length; mci += 1) {
replacedString = replacedString.replaceAll(metaChar[mci], htmlCode[mci]);
}
return (replacedString);
@ -298,22 +263,18 @@ public abstract class Screen
/**
* Description of the Method
*
* @param token
* Description of the Parameter
* @param token Description of the Parameter
* @return Description of the Return Value
*/
protected static String convertMetacharsJavaCode(String token)
{
protected static String convertMetacharsJavaCode(String token) {
return (convertMetachars(token).replaceAll(" ", "&nbsp;"));
}
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @param s Description of the Parameter
* @return Description of the Return Value
*/
// protected abstract Element wrapForm( WebSession s );
}


@ -0,0 +1,59 @@
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<head>
<title>Login Page</title>
<!-- Latest compiled and minified CSS -->
<link rel="stylesheet" href="//netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap.min.css">
<style type="text/css">
body {
padding-top: 40px;
padding-bottom: 40px;
background-color: #f5f5f5;
}
.form-signin {
max-width: 300px;
padding: 19px 29px 29px;
margin: 0 auto 20px;
background-color: #fff;
border: 1px solid #e5e5e5;
-webkit-border-radius: 5px;
-moz-border-radius: 5px;
border-radius: 5px;
-webkit-box-shadow: 0 1px 2px rgba(0,0,0,.05);
-moz-box-shadow: 0 1px 2px rgba(0,0,0,.05);
box-shadow: 0 1px 2px rgba(0,0,0,.05);
}
.form-signin .form-signin-heading,
.form-signin .checkbox {
margin-bottom: 10px;
}
.form-signin input[type="text"],
.form-signin input[type="password"] {
font-size: 16px;
height: auto;
margin-bottom: 15px;
padding: 7px 9px;
}
</style>
</head>
<body onload='document.loginForm.username.focus();'>
<div class="container">
<c:if test="${not empty error}">
<div class="error">${error}</div>
</c:if>
<c:if test="${not empty msg}">
<div class="msg">${msg}</div>
</c:if>
You have logged out successfully
<hr/>
Click here to <a href="<c:url value="login.do" />" > Login</a>
</div> <!-- /container -->
</body>
</html>
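Review bot: `<body onload='document.loginForm.username.focus();'>` references a form named `loginForm` that this page does not contain, so the handler throws a JavaScript error on every load; drop the `onload` attribute, and `<title>Login Page</title>` should read `Logout` since this is the logout confirmation page. `${error}` and `${msg}` are written into the page unescaped; today they only carry the constants set in `Logout.java`, but `<c:out value="${error}"/>` costs nothing and keeps the page safe if those attributes are ever populated from request data. The text `You have logged out successfully` is also printed unconditionally, even when `error` is set.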


@ -15,7 +15,7 @@
<http pattern="/images/**" security="none"/>
<http pattern="/javascript/**" security="none"/>
<http pattern="/favicon.ico" security="none"/>
<http auto-config="true" use-expressions="true">
<http use-expressions="true">
<intercept-url pattern="/login.do" access="permitAll" />
<intercept-url pattern="/logout.do" access="permitAll" />
<intercept-url pattern="/servlet/AdminServlet/**" access="hasAnyRole('ROLE_WEBGOAT_ADMIN','ROLE_SERVER_ADMIN')" />
@ -27,9 +27,9 @@
authentication-failure-url="/login.do?error"
username-parameter="username"
password-parameter="password" />
<logout logout-success-url="/logout.do" />
<logout logout-url="/j_spring_security_logout" logout-success-url="/logout.do" />
<!-- enable csrf protection -->
<csrf/>
<!--csrf/-->
</http>
<!-- Authentication Manager -->
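Review bot: Commenting out `<csrf/>` at the end of the hunk disables CSRF protection for every authenticated URL in this `<http>` block, not just logout, and neither the commit title nor the description mentions it. The likely trigger is the new GET logout link in main.jsp (`<a href="j_spring_security_logout"`): with the CSRF filter active, Spring Security accepts logout only as a POST carrying the token, so a plain link fails. Rather than turning the filter off globally, keep `<csrf/>` and submit logout from a small POST form with the token as a hidden field (`${_csrf.parameterName}` / `${_csrf.token}`); if disabling it is deliberate for this teaching application, leave a comment on the commented-out element saying so. Dropping `auto-config="true"` looks fine given the explicit `<form-login>`-style attributes and `<logout>` element visible in the hunk, but that change should also be stated in the description.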


@ -37,8 +37,7 @@ List categories = course.getCategories();
StringBuffer buildList = new StringBuffer();
Iterator iter1 = categories.iterator();
while(iter1.hasNext())
{
while (iter1.hasNext()) {
Category category = (Category) iter1.next();
buildList.append("'");
@ -52,10 +51,14 @@ StringBuffer buildList = new StringBuffer();
buildList.append(category.getRanking());
buildList.append("'");
if (iter1.hasNext())
if (iter1.hasNext()) {
buildList.append(",");
}
}%>
<body class="page" onload="setMenuMagic1(10,40,10,'menubottom',<%=buildList%>);trigMM1url('<%= menuPrefix %>',1);MM_preloadImages('images/buttons/hintLeftOver.jpg','images/buttons/hintOver.jpg','images/buttons/hintRightOver.jpg','images/buttons/paramsOver.jpg','images/buttons/htmlOver.jpg','images/buttons/cookiesOver.jpg','images/buttons/javaOver.jpg','images/buttons/plansOver.jpg','images/buttons/logout.jpg','images/buttons/helpOver.jpg'); initIframe();">
<body class="page" onload="setMenuMagic1(10, 40, 10, 'menubottom',<%=buildList%>);
trigMM1url('<%= menuPrefix%>', 1);
MM_preloadImages('images/buttons/hintLeftOver.jpg', 'images/buttons/hintOver.jpg', 'images/buttons/hintRightOver.jpg', 'images/buttons/paramsOver.jpg', 'images/buttons/htmlOver.jpg', 'images/buttons/cookiesOver.jpg', 'images/buttons/javaOver.jpg', 'images/buttons/plansOver.jpg', 'images/buttons/logout.jpg', 'images/buttons/helpOver.jpg');
initIframe();">
<div id="wrap">
<%
@ -63,11 +66,12 @@ StringBuffer buildList = new StringBuffer();
int zIndex = 105;
Iterator iter2 = categories.iterator();
while(iter2.hasNext())
{
while (iter2.hasNext()) {
Category category = (Category) iter2.next();
%>
<div id="<%=menuPrefix + category.getRanking()%>" style="position:absolute; left:30px; top:<%=topCord%>px; width:160px; z-index:<%=zIndex%>"><a href="javascript:;" onclick="trigMenuMagic1('<%=menuPrefix + category.getRanking()%>',1);return false" onfocus="if(this.blur)this.blur()"><img src="images/menu_images/1x1.gif" width="1" height=1"20" name="mbut<%=category.getRanking()%>" border="0" alt=""/><%=category.getName()%></a></div>
<div id="<%=menuPrefix + category.getRanking()%>" style="position:absolute; left:30px; top:<%=topCord%>px; width:160px; z-index:<%=zIndex%>"><a href="javascript:;" onclick="trigMenuMagic1('<%=menuPrefix + category.getRanking()%>', 1);
return false" onfocus="if (this.blur)
this.blur()"><img src="images/menu_images/1x1.gif" width="1" height=1"20" name="mbut<%=category.getRanking()%>" border="0" alt=""/><%=category.getName()%></a></div>
<%
topCord = topCord + 30;
zIndex = zIndex + 1;
@ -76,8 +80,7 @@ StringBuffer buildList = new StringBuffer();
int topSubMenu = 72;
Iterator iter3 = categories.iterator();
while(iter3.hasNext())
{
while (iter3.hasNext()) {
Category category = (Category) iter3.next();
List lessons = webSession.getLessons(category);
Iterator iter4 = lessons.iterator();
@ -88,8 +91,7 @@ StringBuffer buildList = new StringBuffer();
topSubMenu = topSubMenu + 30;
zIndex = zIndex + 1;
while(iter4.hasNext())
{
while (iter4.hasNext()) {
AbstractLesson lesson = (AbstractLesson) iter4.next();
%><tr>
@ -116,8 +118,7 @@ StringBuffer buildList = new StringBuffer();
<div id="top"></div>
<div id="topLeft">
<div align="left">
<% if (currentLesson.getAvailableLanguages().size() != 0 )
{
<% if (currentLesson.getAvailableLanguages().size() != 0) {
%>
<form method="get" action="attack" style="display: inline;">
Choose another language: <select name="language" size="1"
@ -126,7 +127,9 @@ StringBuffer buildList = new StringBuffer();
for (String lang : currentLesson.getAvailableLanguages()) {
%>
<option value="<%=lang%>"
<% if(webSession.getCurrrentLanguage().equals(lang)) out.println("selected" );%>><%=lang%>
<% if (webSession.getCurrrentLanguage().equals(lang)) {
out.println("selected");
}%>><%=lang%>
</option>
<%
@ -142,7 +145,7 @@ StringBuffer buildList = new StringBuffer();
%>
</div></div>
<div align="right" id="topRight">
<a href="attack?action=Logout" onmouseout="MM_swapImgRestore()"
<a href="j_spring_security_logout" onmouseout="MM_swapImgRestore()"
onmouseover="MM_swapImage('logout', '', 'images/buttons/logoutOver.jpg', 1)"><img
src="images/buttons/logout.jpg" alt="LogOut" name="logout" width="45"
height="22" border="0" id="logout" /></a> <a href="#getFAQ()"
@ -154,8 +157,7 @@ StringBuffer buildList = new StringBuffer();
<div id="lessonTitle" align="right"><%=currentLesson.getTitle()%></div>
<div id="hMenuBar">
<%
if (webSession.isAuthorizedInLesson(webSession.getRole(), WebSession.SHOWHINTS))
{
if (webSession.isAuthorizedInLesson(webSession.getRole(), WebSession.SHOWHINTS)) {
%>
<a href="<%= webSession.getCurrentLesson().getLink()%>&show=PreviousHint" target="_top" onclick="MM_nbGroup('down', 'group1', 'hintLeft', '', 1)"
onmouseover="MM_nbGroup('over', 'hintLeft', 'images/buttons/hintLeftOver.jpg', '', 1)"
@ -189,15 +191,16 @@ StringBuffer buildList = new StringBuffer();
<img src="images/buttons/plans.jpg" alt="Lesson Plans" width="89" height="20" border="0" id="plans"/>
</a>
<%
if (webSession.isAuthorizedInLesson(webSession.getRole(), WebSession.SHOWSOURCE))
{
if (webSession.isAuthorizedInLesson(webSession.getRole(), WebSession.SHOWSOURCE)) {
%>
<a href="source" onclick="makeWindow(this.href+ '?source=true', 'Java Source');return false;" target="javaWin"
<a href="source" onclick="makeWindow(this.href + '?source=true', 'Java Source');
return false;" target="javaWin"
onmouseover="MM_nbGroup('over', 'java', 'images/buttons/javaOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')">
<img src="images/buttons/java.jpg" alt="Show Java" name="java" width="75" height="20" border="0" id="java"/>
</a>
<a href="source" onclick="makeWindow(this.href + '?solution=true', 'Java Solution');return false;" target="javaWin"
<a href="source" onclick="makeWindow(this.href + '?solution=true', 'Java Solution');
return false;" target="javaWin"
onmouseover="MM_nbGroup('over', 'solutions', 'images/buttons/solutionsOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')">
<img src="images/buttons/solutions.jpg" alt="Show Solution" name="solutions" width="73" height="20" border="0" id="solutions"/>
@ -209,8 +212,7 @@ StringBuffer buildList = new StringBuffer();
<div id="menuSpacer"></div>
<div id="lessonAreaTop">
<%
if (currentLesson != null)
{
if (currentLesson != null) {
%>
<div id="training_wrap">
<div id="training" class="info"><a href="http://yehg.net/lab/pr0js/training/webgoat.php" target="_blank"><%=WebGoatI18N.get("SolutionVideos")%></a></div>
@ -222,28 +224,23 @@ StringBuffer buildList = new StringBuffer();
</div>
<div id="lessonArea">
<%
if (webSession.getHint() != null)
{
if (webSession.getHint() != null) {
printHint = "<div id=\"hint\" class=\"info\">" + webSession.getHint() + "</div><br>";
out.println(printHint);
}
if (webSession.getParams() != null)
{
if (webSession.getParams() != null) {
Iterator i = webSession.getParams().iterator();
while (i.hasNext())
{
while (i.hasNext()) {
Parameter p = (Parameter) i.next();
printParameters = "<div id=\"parameter\" class=\"info\">" + p.getName() + "=" + p.getValue() + "</div><br>";
out.println(printParameters);
}
}
if (webSession.getCookies() != null)
{
if (webSession.getCookies() != null) {
Iterator i = webSession.getCookies().iterator();
while (i.hasNext())
{
while (i.hasNext()) {
Cookie c = (Cookie) i.next();
printCookies = "<div id=\"cookie\" class=\"info\">" + c.getName() + " <img src=\"images/icons/rightArrow.jpg\" alt=\"\"> " + c.getValue() + "</div><br>";
out.println(printCookies);
@ -268,16 +265,13 @@ StringBuffer buildList = new StringBuffer();
<div id="message" class="info"><%=webSession.getMessage()%></div>
<%
if (currentLesson.getTemplatePage(webSession) != null)
{
if (currentLesson.getTemplatePage(webSession) != null) {
//System.out.println("Main.jsp - current lesson: " + currentLesson.getName() );
//System.out.println(" - template Page: " + currentLesson.getTemplatePage(webSession));
%>
<jsp:include page="<%=currentLesson.getTemplatePage(webSession)%>" />
<%
}
else
{
} else {
%>
<div id="lessonContent"><%=currentLesson.getContent()%></div>
<%
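Review bot: The reformatted category menu anchor keeps the malformed attribute `height=1"20"` on the `<img src="images/menu_images/1x1.gif" …>` line (it was already wrong on the old line); it should be `height="20"`. Further down, the parameter and cookie panels echo `p.getValue()` and `c.getValue()` into the page without HTML escaping — presumably these are request values, so if this framework chrome is not meant to be one of the deliberately vulnerable lessons, HTML-escape them before printing. Splitting the inline `onload`/`onclick` handlers across several lines is valid HTML, but the multi-line attribute values make the surrounding markup harder to read than the single-line form they replace.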


@ -2,7 +2,7 @@
errorPage=""%>
<%@page import="org.owasp.webgoat.session.WebSession"%>
<%
WebSession webSession = ((WebSession) session.getAttribute("websession"));
//WebSession webSession = ((WebSession) session.getAttribute("websession"));
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
@ -22,7 +22,7 @@
The exercises are intended to provide hands on experience with
application penetration testing techniques. </p>
<p>The WebGoat project is led
by Bruce Mayhew. Please send all comments to Bruce at <%=webSession.getWebgoatContext().getFeedbackAddress()%>.</p>
by Bruce Mayhew. Please send all comments to Bruce at [TODO, session was blowing up here for some reason].</p>
<div id="team">
<table border="0" align="center" class="lessonText">
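Review bot: Replacing the feedback address with the literal `[TODO, session was blowing up here for some reason]` ships a debugging note to end users and removes the contact address from the page. The rest of the page is outside the hunk, but the likely cause is that `session.getAttribute("websession")` is null for a visitor who has no WebGoat session yet, so `webSession.getWebgoatContext()` throws; keep the lookup and guard it instead: `<% if (webSession != null) { %>Please send all comments to Bruce at <%=webSession.getWebgoatContext().getFeedbackAddress()%>.<% } %>`. The commented-out assignment in the first hunk should then be restored rather than left as dead code.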