Replaced the tabs with spaces so we do not mess up the formatting, used the expand command from linux
This commit is contained in:
@ -52,247 +52,247 @@ import java.util.ArrayList;
|
||||
public class JSONInjection extends LessonAdapter
|
||||
{
|
||||
|
||||
private final static Integer DEFAULT_RANKING = new Integer(30);
|
||||
private final static Integer DEFAULT_RANKING = new Integer(30);
|
||||
|
||||
private final static String TRAVEL_FROM = "travelFrom";
|
||||
private final static String TRAVEL_FROM = "travelFrom";
|
||||
|
||||
private final static String TRAVEL_TO = "travelTo";
|
||||
private final static String TRAVEL_TO = "travelTo";
|
||||
|
||||
private final static IMG MAC_LOGO = new IMG("images/logos/softwaresecured.gif").setAlt("Software Secured")
|
||||
.setBorder(0).setHspace(0).setVspace(0);
|
||||
private final static IMG MAC_LOGO = new IMG("images/logos/softwaresecured.gif").setAlt("Software Secured")
|
||||
.setBorder(0).setHspace(0).setVspace(0);
|
||||
|
||||
public void handleRequest(WebSession s)
|
||||
{
|
||||
public void handleRequest(WebSession s)
|
||||
{
|
||||
|
||||
try
|
||||
{
|
||||
if (s.getParser().getRawParameter("from", "").equals("ajax"))
|
||||
{
|
||||
String lineSep = System.getProperty("line.separator");
|
||||
String jsonStr = "{" + lineSep + "\"From\": \"Boston\"," + lineSep + "\"To\": \"Seattle\", " + lineSep
|
||||
+ "\"flights\": [" + lineSep
|
||||
+ "{\"stops\": \"0\", \"transit\" : \"N/A\", \"price\": \"$600\"}," + lineSep
|
||||
+ "{\"stops\": \"2\", \"transit\" : \"Newark,Chicago\", \"price\": \"$300\"} " + lineSep + "]"
|
||||
+ lineSep + "}";
|
||||
s.getResponse().setContentType("text/html");
|
||||
s.getResponse().setHeader("Cache-Control", "no-cache");
|
||||
PrintWriter out = new PrintWriter(s.getResponse().getOutputStream());
|
||||
out.print(jsonStr);
|
||||
out.flush();
|
||||
out.close();
|
||||
return;
|
||||
}
|
||||
} catch (Exception ex)
|
||||
{
|
||||
ex.printStackTrace();
|
||||
}
|
||||
try
|
||||
{
|
||||
if (s.getParser().getRawParameter("from", "").equals("ajax"))
|
||||
{
|
||||
String lineSep = System.getProperty("line.separator");
|
||||
String jsonStr = "{" + lineSep + "\"From\": \"Boston\"," + lineSep + "\"To\": \"Seattle\", " + lineSep
|
||||
+ "\"flights\": [" + lineSep
|
||||
+ "{\"stops\": \"0\", \"transit\" : \"N/A\", \"price\": \"$600\"}," + lineSep
|
||||
+ "{\"stops\": \"2\", \"transit\" : \"Newark,Chicago\", \"price\": \"$300\"} " + lineSep + "]"
|
||||
+ lineSep + "}";
|
||||
s.getResponse().setContentType("text/html");
|
||||
s.getResponse().setHeader("Cache-Control", "no-cache");
|
||||
PrintWriter out = new PrintWriter(s.getResponse().getOutputStream());
|
||||
out.print(jsonStr);
|
||||
out.flush();
|
||||
out.close();
|
||||
return;
|
||||
}
|
||||
} catch (Exception ex)
|
||||
{
|
||||
ex.printStackTrace();
|
||||
}
|
||||
|
||||
Form form = new Form(getFormAction(), Form.POST).setName("form").setEncType("");
|
||||
form.setOnSubmit("return check();");
|
||||
Form form = new Form(getFormAction(), Form.POST).setName("form").setEncType("");
|
||||
form.setOnSubmit("return check();");
|
||||
|
||||
form.addElement(createContent(s));
|
||||
form.addElement(createContent(s));
|
||||
|
||||
setContent(form);
|
||||
setContent(form);
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Description of the Method
|
||||
*
|
||||
* @param s
|
||||
* Current WebSession
|
||||
*/
|
||||
/**
|
||||
* Description of the Method
|
||||
*
|
||||
* @param s
|
||||
* Current WebSession
|
||||
*/
|
||||
|
||||
protected Element createContent(WebSession s)
|
||||
{
|
||||
ElementContainer ec = new ElementContainer();
|
||||
String lineSep = System.getProperty("line.separator");
|
||||
String script = "<script>"
|
||||
+ lineSep
|
||||
+ "function getFlights() {"
|
||||
+ lineSep
|
||||
+ "var fromField = document.getElementById('"
|
||||
+ TRAVEL_FROM
|
||||
+ "');"
|
||||
+ lineSep
|
||||
+ "if (fromField.value.length < 3 || fromField.value!='BOS') { return; }"
|
||||
+ lineSep
|
||||
+ "var toField = document.getElementById('"
|
||||
+ TRAVEL_TO
|
||||
+ "');"
|
||||
+ lineSep
|
||||
+ "if (toField.value.length < 3 || toField.value!='SEA') { return; }"
|
||||
+ lineSep
|
||||
+ "var url = '"
|
||||
+ getLink()
|
||||
+ "&from=ajax&"
|
||||
+ TRAVEL_FROM
|
||||
+ "=' + encodeURIComponent(fromField.value) +"
|
||||
+ "'&"
|
||||
+ TRAVEL_TO
|
||||
+ "=' + encodeURIComponent(toField.value);"
|
||||
+ lineSep
|
||||
+ "if (typeof XMLHttpRequest != 'undefined') {"
|
||||
+ lineSep
|
||||
+ "req = new XMLHttpRequest();"
|
||||
+ lineSep
|
||||
+ "} else if (window.ActiveXObject) {"
|
||||
+ lineSep
|
||||
+ "req = new ActiveXObject('Microsoft.XMLHTTP');"
|
||||
+ lineSep
|
||||
+ " }"
|
||||
+ lineSep
|
||||
+ " req.open('GET', url, true);"
|
||||
+ lineSep
|
||||
+ " req.onreadystatechange = callback;"
|
||||
+ lineSep
|
||||
+ " req.send(null);"
|
||||
+ lineSep
|
||||
+ "}"
|
||||
+ lineSep
|
||||
+ "function callback() {"
|
||||
+ lineSep
|
||||
+ " if (req.readyState == 4) { "
|
||||
+ lineSep
|
||||
+ " if (req.status == 200) { "
|
||||
+ lineSep
|
||||
+ " var card = eval('(' + req.responseText + ')');"
|
||||
+ lineSep
|
||||
+ " var flightsDiv = document.getElementById('flightsDiv');"
|
||||
+ lineSep
|
||||
+ " flightsDiv.innerHTML = '';"
|
||||
+ lineSep
|
||||
+ " var strHTML='';"
|
||||
+ lineSep
|
||||
+ " strHTML = '<tr><td> </td><td>No of Stops</td>';"
|
||||
+ lineSep
|
||||
+ " strHTML = strHTML + '<td>Stops</td><td>Prices</td></tr>';"
|
||||
+ lineSep
|
||||
+ " for(var i=0; i<card.flights.length; i++){"
|
||||
+ lineSep
|
||||
+ " var node = card.flights[i];"
|
||||
+ lineSep
|
||||
+ " strHTML = strHTML + '<tr><td><input name=\"radio'+i+'\" type=\"radio\" id=\"radio'+i+'\"></td><td>';"
|
||||
+ lineSep
|
||||
+ " strHTML = strHTML + card.flights[i].stops + '</td><td>';"
|
||||
+ lineSep
|
||||
+ " strHTML = strHTML + card.flights[i].transit + '</td><td>';"
|
||||
+ lineSep
|
||||
+ " strHTML = strHTML + '<div name=\"priceID'+i+'\" id=\"priceID'+i+'\">' + card.flights[i].price + '</div></td></tr>';"
|
||||
+ lineSep
|
||||
+ " }"
|
||||
+ lineSep
|
||||
+ " strHTML = '<table border=\"1\">' + strHTML + '</table>';"
|
||||
+ lineSep
|
||||
+ " flightsDiv.innerHTML = strHTML;"
|
||||
+ lineSep
|
||||
+ " }}}"
|
||||
+ lineSep
|
||||
+
|
||||
protected Element createContent(WebSession s)
|
||||
{
|
||||
ElementContainer ec = new ElementContainer();
|
||||
String lineSep = System.getProperty("line.separator");
|
||||
String script = "<script>"
|
||||
+ lineSep
|
||||
+ "function getFlights() {"
|
||||
+ lineSep
|
||||
+ "var fromField = document.getElementById('"
|
||||
+ TRAVEL_FROM
|
||||
+ "');"
|
||||
+ lineSep
|
||||
+ "if (fromField.value.length < 3 || fromField.value!='BOS') { return; }"
|
||||
+ lineSep
|
||||
+ "var toField = document.getElementById('"
|
||||
+ TRAVEL_TO
|
||||
+ "');"
|
||||
+ lineSep
|
||||
+ "if (toField.value.length < 3 || toField.value!='SEA') { return; }"
|
||||
+ lineSep
|
||||
+ "var url = '"
|
||||
+ getLink()
|
||||
+ "&from=ajax&"
|
||||
+ TRAVEL_FROM
|
||||
+ "=' + encodeURIComponent(fromField.value) +"
|
||||
+ "'&"
|
||||
+ TRAVEL_TO
|
||||
+ "=' + encodeURIComponent(toField.value);"
|
||||
+ lineSep
|
||||
+ "if (typeof XMLHttpRequest != 'undefined') {"
|
||||
+ lineSep
|
||||
+ "req = new XMLHttpRequest();"
|
||||
+ lineSep
|
||||
+ "} else if (window.ActiveXObject) {"
|
||||
+ lineSep
|
||||
+ "req = new ActiveXObject('Microsoft.XMLHTTP');"
|
||||
+ lineSep
|
||||
+ " }"
|
||||
+ lineSep
|
||||
+ " req.open('GET', url, true);"
|
||||
+ lineSep
|
||||
+ " req.onreadystatechange = callback;"
|
||||
+ lineSep
|
||||
+ " req.send(null);"
|
||||
+ lineSep
|
||||
+ "}"
|
||||
+ lineSep
|
||||
+ "function callback() {"
|
||||
+ lineSep
|
||||
+ " if (req.readyState == 4) { "
|
||||
+ lineSep
|
||||
+ " if (req.status == 200) { "
|
||||
+ lineSep
|
||||
+ " var card = eval('(' + req.responseText + ')');"
|
||||
+ lineSep
|
||||
+ " var flightsDiv = document.getElementById('flightsDiv');"
|
||||
+ lineSep
|
||||
+ " flightsDiv.innerHTML = '';"
|
||||
+ lineSep
|
||||
+ " var strHTML='';"
|
||||
+ lineSep
|
||||
+ " strHTML = '<tr><td> </td><td>No of Stops</td>';"
|
||||
+ lineSep
|
||||
+ " strHTML = strHTML + '<td>Stops</td><td>Prices</td></tr>';"
|
||||
+ lineSep
|
||||
+ " for(var i=0; i<card.flights.length; i++){"
|
||||
+ lineSep
|
||||
+ " var node = card.flights[i];"
|
||||
+ lineSep
|
||||
+ " strHTML = strHTML + '<tr><td><input name=\"radio'+i+'\" type=\"radio\" id=\"radio'+i+'\"></td><td>';"
|
||||
+ lineSep
|
||||
+ " strHTML = strHTML + card.flights[i].stops + '</td><td>';"
|
||||
+ lineSep
|
||||
+ " strHTML = strHTML + card.flights[i].transit + '</td><td>';"
|
||||
+ lineSep
|
||||
+ " strHTML = strHTML + '<div name=\"priceID'+i+'\" id=\"priceID'+i+'\">' + card.flights[i].price + '</div></td></tr>';"
|
||||
+ lineSep
|
||||
+ " }"
|
||||
+ lineSep
|
||||
+ " strHTML = '<table border=\"1\">' + strHTML + '</table>';"
|
||||
+ lineSep
|
||||
+ " flightsDiv.innerHTML = strHTML;"
|
||||
+ lineSep
|
||||
+ " }}}"
|
||||
+ lineSep
|
||||
+
|
||||
|
||||
"function check(){"
|
||||
+ lineSep
|
||||
+ " if ( document.getElementById('radio0').checked )"
|
||||
+ lineSep
|
||||
+ " { document.getElementById('price2Submit').value = document.getElementById('priceID0').innerHTML; return true;}"
|
||||
+ lineSep
|
||||
+ " else if ( document.getElementById('radio1').checked )"
|
||||
+ lineSep
|
||||
+ " { document.getElementById('price2Submit').value = document.getElementById('priceID1').innerHTML; return true;}"
|
||||
+ lineSep + " else " + lineSep + " { alert('Please choose one flight'); return false;}" + lineSep + "}"
|
||||
+ lineSep + "</script>" + lineSep;
|
||||
ec.addElement(new StringElement(script));
|
||||
Table t1 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0).setWidth("90%").setAlign("center");
|
||||
"function check(){"
|
||||
+ lineSep
|
||||
+ " if ( document.getElementById('radio0').checked )"
|
||||
+ lineSep
|
||||
+ " { document.getElementById('price2Submit').value = document.getElementById('priceID0').innerHTML; return true;}"
|
||||
+ lineSep
|
||||
+ " else if ( document.getElementById('radio1').checked )"
|
||||
+ lineSep
|
||||
+ " { document.getElementById('price2Submit').value = document.getElementById('priceID1').innerHTML; return true;}"
|
||||
+ lineSep + " else " + lineSep + " { alert('Please choose one flight'); return false;}" + lineSep + "}"
|
||||
+ lineSep + "</script>" + lineSep;
|
||||
ec.addElement(new StringElement(script));
|
||||
Table t1 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0).setWidth("90%").setAlign("center");
|
||||
|
||||
TR tr = new TR();
|
||||
TR tr = new TR();
|
||||
|
||||
tr.addElement(new TD("From: "));
|
||||
Input in = new Input(Input.TEXT, TRAVEL_FROM, "");
|
||||
in.addAttribute("onkeyup", "getFlights();");
|
||||
in.addAttribute("id", TRAVEL_FROM);
|
||||
tr.addElement(new TD(in));
|
||||
tr.addElement(new TD("From: "));
|
||||
Input in = new Input(Input.TEXT, TRAVEL_FROM, "");
|
||||
in.addAttribute("onkeyup", "getFlights();");
|
||||
in.addAttribute("id", TRAVEL_FROM);
|
||||
tr.addElement(new TD(in));
|
||||
|
||||
t1.addElement(tr);
|
||||
t1.addElement(tr);
|
||||
|
||||
tr = new TR();
|
||||
tr.addElement(new TD("To: "));
|
||||
in = new Input(Input.TEXT, TRAVEL_TO, "");
|
||||
in.addAttribute("onkeyup", "getFlights();");
|
||||
in.addAttribute("id", TRAVEL_TO);
|
||||
tr.addElement(new TD(in));
|
||||
tr = new TR();
|
||||
tr.addElement(new TD("To: "));
|
||||
in = new Input(Input.TEXT, TRAVEL_TO, "");
|
||||
in.addAttribute("onkeyup", "getFlights();");
|
||||
in.addAttribute("id", TRAVEL_TO);
|
||||
tr.addElement(new TD(in));
|
||||
|
||||
t1.addElement(tr);
|
||||
ec.addElement(t1);
|
||||
t1.addElement(tr);
|
||||
ec.addElement(t1);
|
||||
|
||||
ec.addElement(new BR());
|
||||
ec.addElement(new BR());
|
||||
Div div = new Div();
|
||||
div.addAttribute("name", "flightsDiv");
|
||||
div.addAttribute("id", "flightsDiv");
|
||||
ec.addElement(div);
|
||||
ec.addElement(new BR());
|
||||
ec.addElement(new BR());
|
||||
Div div = new Div();
|
||||
div.addAttribute("name", "flightsDiv");
|
||||
div.addAttribute("id", "flightsDiv");
|
||||
ec.addElement(div);
|
||||
|
||||
Input b = new Input();
|
||||
b.setType(Input.SUBMIT);
|
||||
b.setValue("Submit");
|
||||
b.setName("SUBMIT");
|
||||
ec.addElement(b);
|
||||
Input b = new Input();
|
||||
b.setType(Input.SUBMIT);
|
||||
b.setValue("Submit");
|
||||
b.setName("SUBMIT");
|
||||
ec.addElement(b);
|
||||
|
||||
Input price2Submit = new Input();
|
||||
price2Submit.setType(Input.HIDDEN);
|
||||
price2Submit.setName("price2Submit");
|
||||
price2Submit.setValue("");
|
||||
price2Submit.addAttribute("id", "price2Submit");
|
||||
ec.addElement(price2Submit);
|
||||
if (s.getParser().getRawParameter("radio0", "").equals("on"))
|
||||
{
|
||||
String price = s.getParser().getRawParameter("price2Submit", "");
|
||||
price = price.replace("$", "");
|
||||
if (Integer.parseInt(price) < 600)
|
||||
{
|
||||
makeSuccess(s);
|
||||
}
|
||||
else
|
||||
{
|
||||
s.setMessage("You are close, try to set the price for the non-stop flight to be less than $600");
|
||||
}
|
||||
}
|
||||
return ec;
|
||||
}
|
||||
Input price2Submit = new Input();
|
||||
price2Submit.setType(Input.HIDDEN);
|
||||
price2Submit.setName("price2Submit");
|
||||
price2Submit.setValue("");
|
||||
price2Submit.addAttribute("id", "price2Submit");
|
||||
ec.addElement(price2Submit);
|
||||
if (s.getParser().getRawParameter("radio0", "").equals("on"))
|
||||
{
|
||||
String price = s.getParser().getRawParameter("price2Submit", "");
|
||||
price = price.replace("$", "");
|
||||
if (Integer.parseInt(price) < 600)
|
||||
{
|
||||
makeSuccess(s);
|
||||
}
|
||||
else
|
||||
{
|
||||
s.setMessage("You are close, try to set the price for the non-stop flight to be less than $600");
|
||||
}
|
||||
}
|
||||
return ec;
|
||||
}
|
||||
|
||||
public Element getCredits()
|
||||
{
|
||||
return super.getCustomCredits("Created by Sherif Koussa", MAC_LOGO);
|
||||
}
|
||||
public Element getCredits()
|
||||
{
|
||||
return super.getCustomCredits("Created by Sherif Koussa", MAC_LOGO);
|
||||
}
|
||||
|
||||
protected Category getDefaultCategory()
|
||||
{
|
||||
return Category.AJAX_SECURITY;
|
||||
}
|
||||
protected Category getDefaultCategory()
|
||||
{
|
||||
return Category.AJAX_SECURITY;
|
||||
}
|
||||
|
||||
protected List<String> getHints(WebSession s)
|
||||
{
|
||||
List<String> hints = new ArrayList<String>();
|
||||
hints.add("JSON stands for JavaScript Object Notation.");
|
||||
hints.add("JSON is a way of representing data just like XML.");
|
||||
hints.add("The JSON payload is easily interceptable.");
|
||||
hints.add("Intercept the reply, change the $600 to $25.");
|
||||
return hints;
|
||||
protected List<String> getHints(WebSession s)
|
||||
{
|
||||
List<String> hints = new ArrayList<String>();
|
||||
hints.add("JSON stands for JavaScript Object Notation.");
|
||||
hints.add("JSON is a way of representing data just like XML.");
|
||||
hints.add("The JSON payload is easily interceptable.");
|
||||
hints.add("Intercept the reply, change the $600 to $25.");
|
||||
return hints;
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
protected Integer getDefaultRanking()
|
||||
{
|
||||
return DEFAULT_RANKING;
|
||||
}
|
||||
protected Integer getDefaultRanking()
|
||||
{
|
||||
return DEFAULT_RANKING;
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the title attribute of the HelloScreen object
|
||||
*
|
||||
* @return The title value
|
||||
*/
|
||||
public String getTitle()
|
||||
{
|
||||
return ("JSON Injection");
|
||||
}
|
||||
/**
|
||||
* Gets the title attribute of the HelloScreen object
|
||||
*
|
||||
* @return The title value
|
||||
*/
|
||||
public String getTitle()
|
||||
{
|
||||
return ("JSON Injection");
|
||||
}
|
||||
|
||||
}
|
||||
|
Reference in New Issue
Block a user